Skip to content

Latest commit

 

History

History
95 lines (47 loc) · 2.78 KB

VulnNet: Roasted.md

File metadata and controls

95 lines (47 loc) · 2.78 KB

VulnNet: Roasted:

Video Demo:

https://www.youtube.com/watch?v=5x76bdWU3q0

ENUMERATION

NMAP:

I run NMAP to see all port in state open are in this machine:

image

Kerbrute User Enum:

I use UserEnum Module from Kerbrute to Enumerate users via Kerberos Open Service

image

Samba:

I need to Enumerate de Shared Resources From This Domain.

image

And This is Interesting, when machine have SMB open and IPC$ Open with Minium Read Access it's vulnerable to other User Enumeration.

Let's Go to See The Permisions of IPC$ with smbmap:

image

Read Permisions!!!

Let's Go to Enumerate Users:

image

I put Only UserNames in the file users.txt

image

Now i go to see if any user don't have a good security authentication.

GetNPUsers:

image

User "t-skid" have UF_DONT_REQUIRE_PREAUTH set!!

John The Ripper

image

Samba With t-skid User:

image

I enter to NETLOGON:

image

ResetPassword.vbs

image

Credentials founded for a-whitehat User

Let's Go to Connect Via evil-winrm:

image

I found User Flag:

image

Secrets Dump

image

I have Admin Hash, Let's Go to the Pass The Hash with Admin Account:

Works!!!

Root Flag

image

Thanks!

Demo:

https://www.youtube.com/watch?v=5x76bdWU3q0