# Lessons Learned

- xxx

---

# After-Action Attack Sequence

- BLUF: xxx
- xxx

---

# Discover Ports & Services

- `ping` test
  ![[images/Pasted image 20260604192356.png]]
- `nmap` scan - light
  ![[images/Pasted image 20260604192719.png]]
- `nmap` scan - detailed
  ![[images/Pasted image 20260604193439.png]]
  ![[images/Pasted image 20260604193458.png]]
- `nmap` scan - UDP

---

# Service Enum

## Port 445 (smb): service_name ver. xxx

- null auth
  - `guest:` (empty password) reveals shares
    ![[images/Pasted image 20260604193746.png]]
  - confirm with `smbmap`
    ![[images/Pasted image 20260604194105.png]]
  - nothing in `IPC$`
    ![[images/Pasted image 20260604194215.png]]
- enum users
  ![[images/Pasted image 20260604194438.png]]
  - indications of a DB group and an ADCS group
- create users list
  ![[images/Pasted image 20260604194849.png]]
- Try same username / same password > nothing

## Port 80 (http): IIS 10.0

- Visit page
  ![[images/Pasted image 20260604194943.png]]
- Page is divided into `index.html`, `about.html`, `service.html`, and `contact.html`
  - `contact.html` may be useful to get someone to click something and disclose an NTLM hash
    ![[images/Pasted image 20260604195250.png]]
  - test run > nothing happens --> dead-end
- Web fuzzing
  - directory fuzzing
    ![[images/Pasted image 20260604200009.png]]
  - page fuzzing
    ![[images/Pasted image 20260604200623.png]]
  - subdomain fuzzing
    ![[images/Pasted image 20260604201103.png]]
  - vhost fuzzing
    ![[images/Pasted image 20260604201219.png]]

## Port 1433 (mssql)

- NSE check
  ![[images/Pasted image 20260604201428.png]]
- Maybe `xp_cmdshell` is available once we have creds

---

# AD Enum

## ASREP Roasting

- Nothing
  ![[images/Pasted image 20260604200120.png]]

## Kerberoasting

```bash
nxc ldap TARGET -d inlanefreight.local -u username -p password --kerberoasting kerb.out
```

## ADCS

```bash
nxc ldap TARGET -d inlanefreight.local -u username -p password -M adcs
certipy-ad find -target DC.FQDN -u username -p password
```

## BloodHound

- Run remote ingestor (the `-u` value is `user@domain`, not `domain@user`)

```bash
/opt/rusthound-ce -d inlanefreight.local -u username@inlanefreight.local -p password -z
```

- Spin up container for the BloodHound GUI

```bash
cd /opt/bloodhound
docker compose up -d
```

---

# AD Attack Chain

---

# Revisit Service Enum