zerodumb@hacking-journal:~/labs$

Fluffy: Active, no spoiler

network, reconnaissance, easy, nmap, bloodhound, linpeas, BloodAD, pyWhisker


Fluffy

Status = Active
Rank = Easy

Provided info from htb

  • box rating - easy
  • box target machine - windows
  • box ip - 10.129.232.88
  • target user creds - j.fleischman / J0elTHEM4n1990!

Tools Used

  • nmapquick
  • smbclient
  • Responder
  • Bloodhound
  • SharpHound
  • BloodyAD
  • pywhisker
  • evil-winrm
  • impacket
  • hashcat
  • ntpupdate

Now add 10.129.232.88 DC01.FLUFFY.HTB to your /etc/hosts and get going.

Found via nmapquick

(nmapquick is just my personal nmap script)

box url -

open ports on box ip -

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: …)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP
445/tcp   open  microsoft-ds  Windows Server 2016 Standard Evaluation 14393
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP over SSL
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP over SSL
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

potential CVEs for box -

assumed OS - Windows 2019, Windows 10

Ldap

The initial scan presents several things. Since it is an easy box, we are going to start with an instant attack and see if we can gain access with evil-winrm.

evil-winrm -i 10.129.232.88 -u 'j.fleischman' -p 'J0elTHEM4n1990!'

That didn’t work; ol’ j.fleischman, aka Joel, doesn’t have high enough privileges.

Moving on to ldapdomaindump.

ldapdomaindump -u 'fluffy\j.fleischman' -p 'J0elTHEM4n1990!' 10.129.232.88

(zerodumb@frogden) ╰─>[👾]~/htb/labs/fluffy/ldapdd $ ls
domain_computers.grep        domain_groups.json   domain_trusts.json
domain_computers.html        domain_policy.grep   domain_users.grep
domain_computers.json        domain_policy.html   domain_users.html
domain_computers_by_os.html  domain_policy.json   domain_users.json
domain_groups.grep           domain_trusts.grep   domain_users_by_group.html
domain_groups.html           domain_trusts.html

We run the following to list the account names and find a fast attack surface:

jq . domain_users.json | grep '"sAMAccountName"' -A 3
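An added example for that step, my own script rather than the journal's or ldapdomaindump's code: it takes the parsed contents of domain_users.json and flags enabled accounts whose userAccountControl bits or description an AD admin should review, which is the same surface the jq/grep pass eyeballs by hand. It assumes the ldap3 entry_to_json layout ldapdomaindump writes (each entry carries dn and attributes, every attribute a list); the sample entries are constructed, and for a real dump you would pass it json.load(open('domain_users.json')).

```python
# userAccountControl bits (MS-ADTS 2.2.16); these values are well known
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD",
             0x10000: "DONT_EXPIRE_PASSWORD", 0x80000: "TRUSTED_FOR_DELEGATION",
             0x400000: "DONT_REQ_PREAUTH"}
# Settings worth a second look when present on an enabled account
REVIEW_FLAGS = set(UAC_FLAGS.values()) - {"ACCOUNTDISABLE"}

def first(attrs, name, default=None):
    """ldap3 serialises each attribute as a list; return its first value."""
    value = attrs.get(name, default)
    if isinstance(value, list):
        return value[0] if value else default
    return value

def decode_uac(uac):
    """Return the names of the known flags set in a userAccountControl value."""
    uac = int(uac or 0)
    return {name for bit, name in UAC_FLAGS.items() if uac & bit}

def audit_users(entries):
    """Map each enabled sAMAccountName in a parsed domain_users.json to its issues."""
    findings = {}
    for entry in entries:
        attrs = entry.get("attributes", {})
        name = first(attrs, "sAMAccountName")
        if name is None:
            continue
        flags = decode_uac(first(attrs, "userAccountControl", 0))
        if "ACCOUNTDISABLE" in flags:
            continue  # a disabled account is not a live exposure
        issues = sorted(flags & REVIEW_FLAGS)
        if first(attrs, "description"):
            issues.append("HAS_DESCRIPTION")  # free-text fields often leak notes
        if issues:
            findings[name] = issues
    return findings

# Constructed sample in the ldap3 entry_to_json layout (not data from the box)
SAMPLE = [
    {"dn": "CN=j.fleischman,CN=Users,DC=example,DC=local",
     "attributes": {"sAMAccountName": ["j.fleischman"], "userAccountControl": [512]}},
    {"dn": "CN=svc_backup,CN=Users,DC=example,DC=local",
     "attributes": {"sAMAccountName": ["svc_backup"], "userAccountControl": [4260384],
                    "description": ["Backup service, see ticket 1234"]}},
]

if __name__ == "__main__":
    for account, issues in audit_users(SAMPLE).items():
        print(f"{account}: {', '.join(issues)}")
```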

I am root

After a few hiccups, and resetting the machine 3 times, we gain final-boss access.

root

cd /users/Administrator
ls
cd Desktop
ls
cat root.txt

Full Lab

To see how we pwned our new user and became root, check back once the lab has been retired.

Question loudly so others can learn quietly. Stay curious. Stay loud.

Don’t Be A Skid -Zero
