# Lessons Learned

- xxx

---

# After-Action Attack Sequence

- BLUF: xxx
- xxx

---

# Discover Ports & Services

- `ping` test
  ![[images/Pasted image 20260614194211.png]]
- `nmap` scan - light
  ![[images/Pasted image 20260614194224.png]]
- create comma-separated `ports.txt`
  ![[images/Pasted image 20260614194241.png]]
- `nmap` scan - detailed
  ![[images/Pasted image 20260614195259.png]]
- `nmap` scan - UDP
  ![[images/Pasted image 20260614214342.png]]

---

# Service Enum

## Port 445 (SMB)

### Null Auth

- old OS version
  ![[images/Pasted image 20260614194623.png]]

### Shares

- need creds
  ![[images/Pasted image 20260614195038.png]]

### Users

- nothing yet
  ![[images/Pasted image 20260614194939.png]]

## Port 80 (HTTP): IIS 10.0

- Visit page (both `printer.return.htb` and `return.htb` look the same)
  ![[images/Pasted image 20260614195530.png]]
- Only `/settings.php` has content
  ![[images/Pasted image 20260614195715.png]]
- Try to steal an NTLMv2 hash
	- Set up `responder` with an LDAP server
	  ![[images/Pasted image 20260614195832.png]]
	- insert the Kali IP addr into `settings.php` > we have a cleartext password for `svc-printer`
	  ![[images/Pasted image 20260614200003.png]]
- confirm creds
  ![[images/Pasted image 20260614201305.png]]

## Revisit Authenticated Port 445 (SMB)

### Shares

- wow, we have serious access
  ![[images/Pasted image 20260614201548.png]]
- `smbmap` shows different access
  ![[images/Pasted image 20260614202027.png]]

### Users

- limited users
  ![[images/Pasted image 20260614202622.png]]
  ![[images/Pasted image 20260614202629.png]]

### Password Policy

![[images/Pasted image 20260614203124.png]]

### `[xxx]exec.py`

- `psexec.py`, `wmiexec.py`, and `smbexec.py` do not work

---

# AD Enum

## ASREP Roasting

- nothing
  ![[images/Pasted image 20260614202752.png]]

## Kerberoasting

- nothing
  ![[images/Pasted image 20260614202758.png]]

## ADCS

- nothing
  ![[images/Pasted image 20260614202732.png]]

## BloodHound

- try later if necessary

## WinRM

- this must be the way in
  ![[images/Pasted image 20260614202906.png]]
- we have `SeBackupPrivilege`
  ![[images/Pasted image 20260614202954.png]]

---

# Privesc

## Attempt A: `SeBackupPrivilege` Route

- grab `HKLM\SAM` and `HKLM\SYSTEM`
  ![[images/Pasted image 20260614203852.png]]
- download files
  ![[images/Pasted image 20260614203926.png]]
- extract secrets with `pypykatz`
	- seek help
	  ![[images/Pasted image 20260614204127.png]]
	- run
	  ![[images/Pasted image 20260614204402.png]]
- `evil-winrm` PtH as `administrator` > failure
  ![[images/Pasted image 20260614204613.png]]
	- maybe because we do not have `HKLM\SECURITY`?
	- having issues grabbing this hive
	  ![[images/Pasted image 20260614204603.png]]
- try `secretsdump.py` > more issues
  ![[images/Pasted image 20260614204823.png]]
- try local `secretsdump.py` hash dump
  ![[images/Pasted image 20260614204923.png]]
- try to crack the NT hash > exhausted

## Attempt B: `Server Operators` Route

- check whether either `vss` or `vmtoolsd` starts as SYSTEM

  ```powershell
  # query service configuration; look at SERVICE_START_NAME (LocalSystem)
  sc.exe qc vss
  sc.exe qc vmtoolsd
  ```

  ![[images/Pasted image 20260614212542.png]]
- plan for leveraging the `Server Operators` group to add `svc-printer` to the `Administrators` group

  ```powershell
  # baseline: current group membership of svc-printer and the local Administrators group
  net user svc-printer
  net localgroup Administrators
  # Server Operators may reconfigure services; repoint the SYSTEM service's binary path
  sc.exe config vss binPath= "cmd /c net localgroup Administrators svc-printer /add"
  # restart the service so SYSTEM runs the new binPath
  sc.exe stop vss
  sc.exe start vss
  # verify the change took effect
  net user svc-printer
  ```

- run initial checks
  ![[images/Pasted image 20260614212617.png]]
- execute the plan with `sc.exe`; error code 1053 is expected because the command in `binPath` is not a real service binary and never reports back to the service controller
  ![[images/Pasted image 20260614212710.png]]
- `svc-printer` is now in the `Administrators` group
  ![[images/Pasted image 20260614212716.png]]
- cannot immediately read `\users\administrator\desktop\root.txt`
  ![[images/Pasted image 20260614212934.png]]
- restart the `evil-winrm` session for the new group membership to take hold > there we go
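Defender's counterpart to Attempt B, added here and not part of the original note: the service repoint leaves a Sysmon Event ID 13 (registry value set) on the service's `ImagePath`, and the resulting group change leaves a Security Event ID 4732 (member added to a security-enabled local group). The script below correlates the two over constructed sample records; the event field names and timestamps are assumptions, not a real log export.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the original note). Field names are
# simplified from the Sysmon / Security XML and are an assumption of this example.
SAMPLE_EVENTS = [
    {"ts": "2026-06-14T21:26:10", "id": 13, "src": "Sysmon",
     "target": r"HKLM\System\CurrentControlSet\Services\vss\ImagePath",
     "details": r"cmd /c net localgroup Administrators svc-printer /add"},
    {"ts": "2026-06-14T21:26:20", "id": 4732, "src": "Security",
     "group": "Administrators", "member": "svc-printer", "subject": "svc-printer"},
    {"ts": "2026-06-14T21:40:00", "id": 13, "src": "Sysmon",
     "target": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "details": r"C:\Windows\System32\spoolsv.exe"},   # benign: a real binary
]

# An ImagePath that launches a shell or a net.exe command instead of a service binary.
SHELL_LAUNCH = re.compile(r"\b(cmd(\.exe)?\s+/c|powershell(\.exe)?|net\s+localgroup)\b", re.I)
SERVICE_IMAGEPATH = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.I)

def tampered_services(events):
    """Return (timestamp, service name, new ImagePath) for each suspicious ImagePath write."""
    hits = []
    for e in events:
        if e["id"] != 13:
            continue
        m = SERVICE_IMAGEPATH.search(e["target"])
        if m and SHELL_LAUNCH.search(e["details"]):
            hits.append((datetime.fromisoformat(e["ts"]), m.group(1), e["details"]))
    return hits

def correlate(events, window=timedelta(minutes=10)):
    """Pair a tampered ImagePath with a 4732 Administrators addition inside the window."""
    alerts = []
    for ts, svc, path in tampered_services(events):
        for e in events:
            if e["id"] == 4732 and e["group"].lower() == "administrators":
                delta = datetime.fromisoformat(e["ts"]) - ts
                if timedelta(0) <= delta <= window:
                    alerts.append({"service": svc, "image_path": path, "member": e["member"]})
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT: service {a['service']} repointed to '{a['image_path']}'; "
              f"{a['member']} added to Administrators shortly after")
```

The ImagePath write alone is worth a medium-severity alert; the correlated pair is the high-confidence signal, and Server Operators membership is the control to audit beforehand.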