Hathor - HTB [Discussion]
(April 19, 2022, 07:18 PM)user534915 Wrote: I've got the username and the hash. Which tool do you use for password spraying?


Trying via CME with the pwd files listed in the ps1... but no joy on smb
Reply
look at the csvs ;)
Reply
Flip it, no need to use CME, take the hash and push it through crackstation to get the password.
Reply
Got username and plaintext password, but the creds can't login with smb, winrm.
Reply
(April 20, 2022, 04:36 AM)F4nny Wrote: Got username and plaintext password, but the creds can't login with smb, winrm.


Where did you get these creds?
Reply
(April 20, 2022, 04:55 AM)___user___ Wrote:
(April 20, 2022, 04:36 AM)F4nny Wrote: Got username and plaintext password, but the creds can't login with smb, winrm.


Where did you get these creds?


CSVs :)
Reply
I get the feeling you need to use the creds in a specific way, but haven't had time to test yet...
Reply
(April 20, 2022, 04:36 AM)F4nny Wrote: Got username and plaintext password, but the creds can't login with smb, winrm.


I couldn't login either, but the credentials work when using ldapsearch (port 389) and kerbrute (port 88).
Reply
I had found the BM account and the password! I tried go ldapsearch, winrm and also kerberos! Nothing seems to be working... also tried smb
Reply
I found an AD user account with a non-empty description. The description is the same as the name of the HTB machine creator.


(April 20, 2022, 10:10 AM)cavour12 Wrote: I had found the BM account and the password! I tried go ldapsearch, winrm and also kerberos! Nothing seems to be working... also tried smb


This works for me:

ldapsearch -x -h 10.129.44.3 -D 'windcorp\RETRACTED' -w 'RETRACTED' -b "CN=Users,DC=windcorp,DC=htb"
Reply

