mpgn

Scrambled vs NetExec

Let pwn the box Scrambled from HackTheBox using only NetExec ! For context, I was reading Scrambled writeup from 0xdf_ when I read this:

smbclient won’t work, and I wasn’t able to get crackmapexec to work either.

To be fair, at the time of his writeup it was true, but not anymore and it's pretty simple with NXC, 5 minutes and you get root :)

Note: I will pass the web part where we get one username : ksimpson

In progress

First we get the domain name to edit our etc hosts file

netexec smb 10.10.11.181                                                          
SMB         10.10.11.181    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)

Domain name: absolute.htb
Netbios name: DC

Jab vs NetExec

Original writeup: https://0xdf.gitlab.io/2024/06/29/htb-jab.html
Video writeup: https://www.youtube.com/watch?v=tprP-GDW_6c

This writeup only highlights some part of the writeup of @0xdf that can be done with netexec instead of using another tool :)

This is not a full writeup of the JAB machine ! Bug fix on dcom is not fully merge into main !

Thanks to @ippsec for the bug report on mmcexec method !

	# https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
	# https://twitter.com/richinseattle/status/1354296177743679489

	# if true on powershell command or no error on reg query output you are infected !

	reg query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\KernelConfig'
	reg query 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverConfig'
	reg query 'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSL Update'
	[System.IO.File]::Exists('C:\Windows\System32\Nwsapagent.sys')
	[System.IO.File]::Exists('C:\Windows\System32\helpsvc.sys')