Posts: 6 Threads: 0 Joined: N/A April 20, 2022 at 12:23 PM

What also seems to work is using certain PowerShell functions as the BM user:

$passwd = ConvertTo-SecureString 'RETRACTED' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('windcorp\RETRACTED', $passwd)
Get-ADComputer -Identity Hathor -Credential $cred

Posts: 30 Threads: 0 Joined: N/A April 20, 2022 at 12:33 PM

c:\Get-bADpasswords\Accessible\CSVs>type exported_windcorp-05102021-183949.csv
Activity;Password Type;Account Type;Account Name;Account SID;Account password hash;Present in password list(s)
active;weak;regular;BeatriceMill;S-1-5-21-3783586571-2109290616-3725730865-5992;9cb01504ba0247ad5c6e08f7ccae7903;'leaked-passwords-v7'
I got this. I cracked the hash. [!!!!ilovegood17] What is the next step?

Posts: 48 Threads: 0 Joined: N/A April 20, 2022 at 12:46 PM

(April 20, 2022, 12:33 PM)___user___ Wrote:
c:\Get-bADpasswords\Accessible\CSVs>type exported_windcorp-05102021-183949.csv
Activity;Password Type;Account Type;Account Name;Account SID;Account password hash;Present in password list(s)
active;weak;regular;BeatriceMill;S-1-5-21-3783586571-2109290616-3725730865-5992;9cb01504ba0247ad5c6e08f7ccae7903;'leaked-passwords-v7'
I got this. I cracked the hash. [!!!!ilovegood17] What is the next step?

Read what meta has found! :D I think password spraying is the next step, but no luck.

Posts: 30 Threads: 0 Joined: N/A April 20, 2022 at 12:52 PM

(April 20, 2022, 10:24 AM)meta Wrote: I found an AD user account with a non-empty description. The description is the same as the name of the HTB machine creator.
(April 20, 2022, 10:10 AM)cavour12 Wrote: I had found BM account and the password! I tried go ldapsearch winrm and also kerberos! Nothing seems to be working ... also tried smb
This works for me:
ldapsearch -x -h 10.129.44.3 -D 'windcorp\RETRACTED' -w 'RETRACTED' -b "CN=Users,DC=windcorp,DC=htb"

How did u find this cred? I have tried password spraying but failed.

Posts: 6 Threads: 0 Joined: N/A April 20, 2022 at 1:00 PM

(April 20, 2022, 12:52 PM)___user___ Wrote:
(April 20, 2022, 10:24 AM)meta Wrote: I found an AD user account with a non-empty description. The description is the same as the name of the HTB machine creator.
(April 20, 2022, 10:10 AM)cavour12 Wrote: I had found BM account and the password! I tried go ldapsearch winrm and also kerberos! Nothing seems to be working ... also tried smb
This works for me:
ldapsearch -x -h 10.129.44.3 -D 'windcorp\RETRACTED' -w 'RETRACTED' -b "CN=Users,DC=windcorp,DC=htb"
How did u find this cred? I have tried password spraying but failed.

It's the same cred you have. I simply replaced "BeatriceMill" with "RETRACTED" and the same for the password before posting here. I don't like posting passwords, SSH keys and such.

Posts: 48 Threads: 0 Joined: N/A April 20, 2022 at 1:02 PM

I enumerated all the users and I tried the same password for all AD users.... no luck, also that which name is similar to creator

Posts: 30 Threads: 0 Joined: N/A April 20, 2022 at 1:47 PM

Anyone know how to dump all the users, computer, domain for BloodHound?
I used bloodhound-python and ldapdomaindump, both showing invalid cred.

Posts: 6 Threads: 0 Joined: N/A April 20, 2022 at 2:13 PM

(April 20, 2022, 01:47 PM)___user___ Wrote: Anyone know how to dump all the users, computer, domain for BloodHound?
I used bloodhound-python and ldapdomaindump, both showing invalid cred.

I couldn't get bloodhound-python to work either. But ldapdomaindump works with --authtype SIMPLE.

Posts: 0 Threads: 0 Joined: N/A April 20, 2022 at 2:16 PM

Thanks

Posts: 30 Threads: 0 Joined: N/A April 20, 2022 at 2:21 PM

(April 20, 2022, 02:13 PM)meta Wrote:
(April 20, 2022, 01:47 PM)___user___ Wrote: Anyone know how to dump all the users, computer, domain for BloodHound?
I used bloodhound-python and ldapdomaindump, both showing invalid cred.
I couldn't get bloodhound-python to work either. But ldapdomaindump works with --authtype SIMPLE.

Thanks man. Did u find the next step?