Hashcat is one of those tools where I feel like I'm just scratching at the surface with respect to all of its capabilities.  Normally, I'm attempting to crack hashes with a wordlist to prove the strength of a password.  Or I'm playing some CTF where I need to retrieve a password.  In each case, I'm not brute forcing a password, I'm providing a wordlist which makes the process light years faster.  That being said, there are times when I've wanted to use a brute force attack but have shied away when confronted with reading the manual.  RTFM!

    Dare I say this box was easy?  Maybe not for everyone, of course, but I will say this could be the quickest HtB box I've ever rooted.  There's a little bit of hunting and a little be of creativity required.  Aside from that, take a look at what's in your hand and do some Googling, you can figure this one out quickly.

    We kick off with Nmap:

    I'm not even sure how I ended up down this rabbit hole but I strayed off the path for a talk that I'm giving next month.  I'm trying to show how to leverage PowerShell into doing the many things we do with various tools.  To some degree, you don't really need those tools. 

    So this doesn't pluck the credentials out of memory or from the file system, we're going the old fashioned way -- we're tricking the user.  Imagine this -- a user is trying to work and Windows continues to prompt them for their credentials.  Will they ignore it?  No, they will enter their credentials. 

    If you're on the local machine performing this trick, you don't need to specify domain\username.  However, if you end up on this machine through other means -- say Responder, you'll want to use the domain\username because it will throw an error prior to spawning the credential prompt.  Maybe that's not a bad thing but I'd rather do without it. 

    I think at some point, I started this box but didn't finish it.  That's been known to happen -- I only allot so much time to this kind of thing.  As I wrapped up the box from yesterday, I saw this one, took a quick look and down the rabbit hole I went.  This box is interesting because I don't have a huge amount of experience with Node and I did a little bit of extra hunting.  Perhaps if I were more familiar with Node, I would have honed in on one piece sooner than later.

    Anyway, I don't want to spoil anything so let's get rolling.  We kick off with Nmap:

    © 2020 sevenlayers.com