TUTORIAL Apt tutorial FREE
by mrleetx - November 06, 2020 at 06:01 PM
#37
(November 14, 2020 at 09:11 AM)ARhOmOuTEd Wrote: Does someone have an idea of root?
Well, I'm already stuck at the user part. Looking for the "_adm" user, but there is no one in the ntds.dit.
I don't just wanna grab the flags, I'll try to understand these things.
#38
(November 12, 2020 at 10:39 PM)raidmail2020 Wrote:
(November 12, 2020 at 08:47 PM)Boomer447 Wrote:
(November 12, 2020 at 07:34 PM)davedk Wrote: I did not login, I have a bunch of users and ntlm hashes but can't figure out how to login

Check the users.. there are some designated _adm (admin) ....  then you can use that NTLM hash maybe against the open ports.. maybe there are multiple interfaces offering different services ;)


There are no *_adm users in the dump! I don't have any! How did you get to that "_adm" suffix?

secretsdump.py -ntds Active\ Directory/ntds.dit -system registry/SYSTEM LOCAL
in my local mission or in victim machine
#39
Was someone able to figure out why we add the "_adm" suffix?
#40
You can find that user via rpcclient after you have henry.vinson and the working hash.

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[henry.vinson] rid:[0x451]
user:[henry.vinson_adm] rid:[0x452]
#41
(November 17, 2020 at 09:57 PM)ragnarokhype Wrote: You can find that user via rpcclient after you have henry.vinson and the working hash.

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[henry.vinson] rid:[0x451]
user:[henry.vinson_adm] rid:[0x452]

Thank you bro!
Correct me if I am wrong! So first we get henry.vinson password hash through winrm bruteforcing using ntds extracted hashes.
Then get into rpc and discover henry.vinson_adm user?
#42
(November 18, 2020 at 09:14 AM)UltraMagnus Wrote:
(November 17, 2020 at 09:57 PM)ragnarokhype Wrote: You can find that user via rpcclient after you have henry.vinson and the working hash.

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[henry.vinson] rid:[0x451]
user:[henry.vinson_adm] rid:[0x452]

Thank you bro!
Correct me if I am wrong! So first we get henry.vinson password hash through winrm bruteforcing using ntds extracted hashes.
Then get into rpc and discover henry.vinson_adm user?

I'm not sure if I get it right: Try to use cme to brute force the correct hash, but it won't work against IPv6 and no result for the IPv4 address. Any suggestions?
#43
(November 18, 2020 at 12:58 PM)mandoline Wrote:
(November 18, 2020 at 09:14 AM)UltraMagnus Wrote:
(November 17, 2020 at 09:57 PM)ragnarokhype Wrote: You can find that user via rpcclient after you have henry.vinson and the working hash.

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[henry.vinson] rid:[0x451]
user:[henry.vinson_adm] rid:[0x452]

Thank you bro!
Correct me if I am wrong! So first we get henry.vinson password hash through winrm bruteforcing using ntds extracted hashes.
Then get into rpc and discover henry.vinson_adm user?

I'm not sure if I get it right: Try to use cme to brute force the correct hash, but it won't work against IPv6 and no result for the IPv4 address. Any suggestions?

You can test the hashes from the ntds.dit with the user henry.vinson with the tool impacket-getTGT.
#44
testing the ntlm hashes in ntds.dit with getTGT.py -> pre auth information was invalid
#45
(November 18, 2020 at 07:14 PM)ARhOmOuTEd Wrote:
(November 18, 2020 at 12:58 PM)mandoline Wrote:
(November 18, 2020 at 09:14 AM)UltraMagnus Wrote:
(November 17, 2020 at 09:57 PM)ragnarokhype Wrote: You can find that user via rpcclient after you have henry.vinson and the working hash.

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[henry.vinson] rid:[0x451]
user:[henry.vinson_adm] rid:[0x452]

Thank you bro!
Correct me if I am wrong! So first we get henry.vinson password hash through winrm bruteforcing using ntds extracted hashes.
Then get into rpc and discover henry.vinson_adm user?

I'm not sure if I get it right: Try to use cme to brute force the correct hash, but it won't work against IPv6 and no result for the IPv4 address. Any suggestions?

You can test the hashes from the ntds.dit with the user henry.vinson with the tool impacket-getTGT.

Could you share the hash for user henry.vinson? I am asking because all my bruteforce have failed till now, or if it's ok I would like to DM you and understand where I went wrong. Thanks
#46
(November 18, 2020 at 08:42 PM)UltraMagnus Wrote:
(November 18, 2020 at 07:14 PM)ARhOmOuTEd Wrote:
(November 18, 2020 at 12:58 PM)mandoline Wrote:
(November 18, 2020 at 09:14 AM)UltraMagnus Wrote:
(November 17, 2020 at 09:57 PM)ragnarokhype Wrote: You can find that user via rpcclient after you have henry.vinson and the working hash.

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[henry.vinson] rid:[0x451]
user:[henry.vinson_adm] rid:[0x452]

Thank you bro!
Correct me if I am wrong! So first we get henry.vinson password hash through winrm bruteforcing using ntds extracted hashes.
Then get into rpc and discover henry.vinson_adm user?

I'm not sure if I get it right: Try to use cme to brute force the correct hash, but it won't work against IPv6 and no result for the IPv4 address. Any suggestions?

You can test the hashes from the ntds.dit with the user henry.vinson with the tool impacket-getTGT.

Could you share the hash for user henry.vinson? I am asking because all my bruteforce have failed till now, or if it's ok I would like to DM you and understand where I went wrong. Thanks

the hash from henry.vinson is e53d87d42adaa3ca32bdb34a876cbffb
#47
(November 18, 2020 at 10:26 PM)ARhOmOuTEd Wrote:
(November 18, 2020 at 08:42 PM)UltraMagnus Wrote:
(November 18, 2020 at 07:14 PM)ARhOmOuTEd Wrote:
(November 18, 2020 at 12:58 PM)mandoline Wrote:
(November 18, 2020 at 09:14 AM)UltraMagnus Wrote: Thank you bro!
Correct me if I am wrong! So first we get henry.vinson password hash through winrm bruteforcing using ntds extracted hashes.
Then get into rpc and discover henry.vinson_adm user?

I'm not sure if I get it right: Try to use cme to brute force the correct hash, but it won't work against IPv6 and no result for the IPv4 address. Any suggestions?

You can test the hashes from the ntds.dit with the user henry.vinson with the tool impacket-getTGT.

Could you share the hash for user henry.vinson? I am asking because all my bruteforce have failed till now, or if it's ok I would like to DM you and understand where I went wrong. Thanks

the hash from henry.vinson is e53d87d42adaa3ca32bdb34a876cbffb

This hash is for aine.stafford
#48
(November 18, 2020 at 10:33 PM)seminartestik Wrote:
(November 18, 2020 at 10:26 PM)ARhOmOuTEd Wrote:
(November 18, 2020 at 08:42 PM)UltraMagnus Wrote:
(November 18, 2020 at 07:14 PM)ARhOmOuTEd Wrote:
(November 18, 2020 at 12:58 PM)mandoline Wrote: I'm not sure if I get it right: Try to use cme to brute force the correct hash, but it won't work against IPv6 and no result for the IPv4 address. Any suggestions?

You can test the hashes from the ntds.dit with the user henry.vinson with the tool impacket-getTGT.

Could you share the hash for user henry.vinson? I am asking because all my bruteforce have failed till now, or if it's ok I would like to DM you and understand where I went wrong. Thanks

the hash from henry.vinson is e53d87d42adaa3ca32bdb34a876cbffb

This hash is for aine.stafford
If you use impacket-getTGT with the user henry.vinson and try to logon to the server with all hashes from the dump, this is the right one. That means, he has the same password as aine.stafford.
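
The reasoning in the last post (one NT hash listed for two accounts means both use the same password) is what a defender checks for when auditing an authorised credential export. An added example, not part of the thread: it groups secretsdump-style lines by NT hash and reports shared, empty-password and `_adm`-involved groups; the `CORP` accounts and all hash values except the empty-password constant are constructed.

```python
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample in secretsdump's user:rid:lmhash:nthash::: layout.
# Account names and hashes are invented for this example.
SAMPLE = """\
CORP\\alice:1105:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
CORP\\bob:1106:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
CORP\\bob_adm:1107:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
CORP\\carol:1108:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
CORP\\dave:1109:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Cleaning up...
"""

def parse(dump):
    """Yield (account, nt_hash) for each well-formed line; skip banners and key lines."""
    for line in dump.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        nt = parts[3].lower()
        if len(nt) == 32 and all(c in "0123456789abcdef" for c in nt):
            yield parts[0].split("\\")[-1], nt

def audit(dump, admin_suffix="_adm"):
    """Group accounts by NT hash; the report lists account names only, never hashes."""
    by_hash = defaultdict(list)
    for account, nt in parse(dump):
        by_hash[nt].append(account)
    report = {"shared": [], "admin_shared": [],
              "empty": sorted(by_hash.get(EMPTY_NT, []))}
    for nt, accounts in by_hash.items():
        if nt == EMPTY_NT or len(accounts) < 2:
            continue
        group = sorted(accounts)
        report["shared"].append(group)
        # A privileged account sharing a password with any other account
        # means compromising the weaker one exposes the stronger one.
        if any(a.endswith(admin_suffix) for a in group):
            report["admin_shared"].append(group)
    report["shared"].sort()
    report["admin_shared"].sort()
    return report

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```
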
