
Windows-Exploitation

Found 2 related articles

  • 2024-11-23

    Responder - LFI/RFI Chain to NTLMv2 Hash Capture and WinRM Access


    Technical writeup detailing the initial compromise of the Responder machine. The attack chain involves exploiting a Local File Inclusion (LFI) vulnerability in a PHP application, escalating it to an RFI-style attack by injecting a UNC path to force an SMB authentication attempt. The resulting NTLMv2 hash is captured using the Responder tool, cracked with Hashcat, and used to gain full remote access via Evil-WinRM on port 5985.

    HackTheBox WinRM LFI RFI UNC-Path-Injection SMB-Relay NTLMv2-Hashcat Responder Evil-WinRM PHP-Exploitation Windows-Exploitation
  • 2024-09-05

    Dancing - Exploiting Unauthenticated SMB Shares


    Technical writeup detailing the initial compromise of the Dancing machine. The methodology focuses on thorough Nmap scanning to identify exposed SMB services (ports 139, 445), leveraging the 'smbclient' tool to enumerate and gain unauthorized access to publicly accessible network shares (WorkShares), and retrieving sensitive data (flags/notes) due to weak share permissions.

    HackTheBox Windows-Exploitation SMB-Vulnerability Port-445 Unauthenticated-Access smbclient Enumeration