Microblog

January 24, 2022 | 16:49

Raspberry Pi OS 64bit Installation

December 29, 2021 | 14:15

Installing sasquatch on Kali Linux

December 28, 2021 | 21:25

Updating Feeds for Nextcloud News app on rootless Docker

Blog

December 16, 2023 | 21:01

HackTheBox - Forest

Forest from HackTheBox is a Windows box, in which we first enumerate users via SMB and then use AS-REP Roasting to get AD credentials of a service account. After that, we can add that account to an Exchange group that allows the assignment of DCSync privileges in order to dump NTLM hashes.

Port Scanning

The open TCP ports indicate that we’re dealing with a domain controller for the htb.local domain running Windows Server 2016:

December 8, 2023 | 23:42

HackTheBox - Active

Active from HackTheBox is an easy Windows box, in which we first find AD credentials in Group Policy Preferences and subsequently perform a Kerberoasting attack to get domain administrator.

Port Scanning

The open TCP ports indicate that we’re dealing with an AD domain controller running Windows Server 2008 R2:

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-05-02 11:16:18Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5722/tcp  open  msrpc         Microsoft Windows RPC
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows

Port 47001 reveals the hostname dc.active.htb, which we can verify using nslookup:

September 15, 2023 | 21:27

Distribute IP Routes with Unifi Controller

Recently, I couldn’t access a machine within another VLAN anymore, because Docker on that machine used a subnet within the 192.168.x.x range for an internal network, which led to packets not finding their way back to me. Docker apparently uses the following ranges by default:

172.[17-31].0.0/16
192.168.[0-240].0/20

The routes on the machine were as follows. Unifi provides my machines with a default gateway, e.g. 192.168.20.1, and the route for the local subnet 192.168.20.0/24 was automatically added by the kernel. The third one is the one created by Docker, which conflicted with the other VLAN.

November 13, 2022 | 22:46

INE Lab - Linux Lateral Movement

The scenario is described as follows:

In this lab environment, the user will access a Kali GUI instance. A vulnerable application can be accessed using the tools installed on Kali at http://demo.ine.local

Objective: Exploit both the target and find all flags!

Dictionaries to use:

/usr/share/metasploit-framework/data/wordlists/common_users.txt
/usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

© Pavel Pi 2024
