# TAKEAWAYS

- xxx

---

# BLUF

- xxx

---

# Discover Ports & Services

- `ping` test

![[images/Pasted image 20260327194107.png]]

- `nmap` scan - light

![[images/Pasted image 20260327194133.png]]

- `nmap` scan - detailed

![[images/Pasted image 20260327194500.png]]

- convert with `xsltproc` and view html output

![[images/Pasted image 20260327194723.png]]

- Note: DC with ports 80 and 8443 open
- Port 8443 is a `tomcat` instance
- Add `authority.htb.corp` to `/etc/hosts`
- Note: 4hr clock skew
- `nmap` scan - UDP

---

# Service Enum

## Port 445 (SMB)

## Null Auth

- both ` : ` and `guest: ` work

![[images/Pasted image 20260327195028.png]]

## Password Policy

- Cannot enum

![[images/Pasted image 20260327195101.png]]

## Shares

- guest works but not blank username

![[images/Pasted image 20260327195136.png]]

- `Development` share looks interesting
- Connect with `smbclient`

```bash
smbclient -U authority.htb/guest //10.129.229.56/Development
```

![[images/Pasted image 20260327195623.png]]

- `.travis.yml` has an interesting base64 string

![[images/Pasted image 20260327200000.png]]

- this decodes as gibberish
- so far we have potential users: `travis`, `svc_pwm`
- run `-M spider_plus`

![[images/Pasted image 20260327202654.png]]

- grab all files in the `Development` share
- files dumped into `/home/jacob/.nxc/modules/nxc_spider_plus`

```bash
nxc smb 10.129.229.56 -u "guest" -p "" -M spider_plus -o DOWNLOAD_FLAG=True
```

- `PWM/templates/tomcat-users.xml.j2` caught my eye

![[images/Pasted image 20260327203020.png]]

- `PWM/defaults/main.yml` has some interesting leads

![[images/Pasted image 20260327203241.png]]

- maybe we can crack these

## Users

- Cannot enum local users; limited domain users

![[images/Pasted image 20260327202145.png]]

## Port 80 (HTTP): IIS ver. 10.0

- default IIS page

## Port 8443 (HTTPS): PWM v2.0.3 bc96802e

- Very interesting

![[images/Pasted image 20260327200700.png]]

![[images/Pasted image 20260327200730.png]]

- Found a version: PWM v2.0.3 bc96802e

![[images/Pasted image 20260327201152.png]]

- Most recently `svc_pwm` logged in

![[images/Pasted image 20260327201516.png]]

- Looks like I found the associated github: https://github.com/wolfd/pwm?tab=readme-ov-file

![[images/Pasted image 20260327200933.png]]

---

# AD Enum

## ASREP Roasting

```bash
nxc ldap TARGET -d inlanefreight.local -u users.txt -p '' --asreproast
```

- Try again later

![[images/Pasted image 20260327201818.png]]

## Kerberoasting

```bash
nxc ldap TARGET -d inlanefreight.local -u username -p password --kerberoasting
```

## ADCS

```bash
nxc ldap TARGET -d inlanefreight.local -u username -p password -M adcs
```

- We saw an ADCS dir in the `Development` share and user enum showed a `Cert Publishers` group

> maybe we cannot enum this yet because we don't have creds for a domain user

![[images/Pasted image 20260327201628.png]]

## BloodHound

- Run remote ingestor

```bash
/opt/rusthound-ce -d inlanefreight.local -u inlanefreight@username -p password -z
```

- Spin up container for bloodhound GUI

```bash
cd /opt/bloodhound
docker compose up -d
```

---

# AD Attack Chain

___

# Revisit Service Enum
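The base64 blob in `.travis.yml` and the credentials templated into `tomcat-users.xml.j2` on the `Development` share are the kind of thing a secret scan over a repo or share should flag before it ships. Added example, not code from the box or from any tool used above: it finds high-entropy base64 tokens in files, decodes them, and reports whether they are readable text or opaque binary (the "decodes as gibberish" case). File contents and credential values are constructed for the demo.

```python
import base64
import binascii
import math
import re

# Constructed sample inputs (hypothetical values, not the real share contents):
# a CI config carrying an opaque base64 blob, and a template with a text credential.
OPAQUE_BLOB = base64.b64encode(bytes(range(128, 160))).decode()        # decodes to non-text
TEXT_BLOB = base64.b64encode(b"travis:example-password-123").decode()  # decodes to text
SAMPLE_FILES = {
    ".travis.yml": f"language: python\nenv:\n  secure: {OPAQUE_BLOB}\n",
    "PWM/templates/tomcat-users.xml.j2": (
        f'<user username="admin" password="{TEXT_BLOB}" roles="manager-gui"/>\n'
    ),
}

# A run of 20+ base64 alphabet chars with optional padding, not glued to a longer run.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/=])")


def shannon_entropy(s: str) -> float:
    """Bits per character: random base64 sits near 5-6, repeated filler well below."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def classify_token(token: str) -> str:
    """'text' if it decodes to printable UTF-8, 'opaque' if to binary, else 'not-base64'."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return "not-base64"
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "opaque"
    return "text" if decoded.isprintable() else "opaque"


def scan_files(files: dict[str, str], min_entropy: float = 3.5) -> list[dict]:
    """Return one finding per high-entropy base64-looking token: file, line, verdict."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            for m in B64_TOKEN.finditer(line):
                tok = m.group(0)
                if shannon_entropy(tok) < min_entropy:
                    continue  # low character variety: a word or filler, not a secret
                findings.append({"file": path, "line": lineno,
                                 "verdict": classify_token(tok), "token": tok})
    return findings
```

An opaque verdict is still worth triage: the blob may be encrypted or compressed data whose key lives elsewhere in the same repo, so treat it as a finding rather than noise.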