Official Administrator Discussion

HTB Content Machines
87

Hey, any idea why targetedKerberoast gives me a different hash every time I run it against the Michael user?

88

Turns out his password is getting changed. You have to change it instead of cracking it in order to progress

89

See what michael can do, and though him which user can be compromised. Also look for common protocol. Rest is easy

90

Thanks!

91

Good day everyone!

looks like iā€™m unable to DCSyncā€¦ trying to do this via PSRemote. I always get ā€œERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)ā€ā€¦ so Iā€™m not allowed?? Iā€™m trying as user michaelā€¦

any hints here? Iā€™m missing sometging here iā€™m sure

thanks alot

92

Thats the only response I ever got so I stopped trying that method. I moved on to another user that michael is connected to.

93

Go check out bloodhound and see what different users can do.

94

I didnā€™t look further into the backup-file I foundā€¦ that was the right pathā€¦thanks anyways :slight_smile:

95

Hi,

Pwned, if you need a tip feel free to DM :slight_smile:

97

PWNED!!
Comparatively easy than other medium difficulty machines
If anyone need help, then DM

98

Kerberos is also very time-dependent, so itā€™s possible the results you get change because the current time is different each time you fetch the hash.

99

Can i please get a hint in how to move laterally from user B. to user E. ? I actually know how to compromise the whole Domain (Thanks to BloodHound). But canā€™t find a way to own or pwn that user E.

100

This helped me, Thanks @MEGAZORDII

101

hmmā€¦ did not work ntpdate

ā”Œā”€ā”€(kalić‰ækali)-[~/lab/Administrator]
ā””ā”€$ date                                                     
Sat Nov 16 12:52:49 PM JST 2024
                                                                                                                                                                                                                                                                                                                            
ā”Œā”€ā”€(kalić‰ækali)-[~/lab/Administrator]
ā””ā”€$ sudo ntpdate -b 10.10.11.42                                                              
2024-11-16 19:39:42.483551 (+0900) +24410.345334 +/- 0.088977 10.10.11.42 s1 no-leap
CLOCK: time stepped by 24410.345334
                                                                                                                                                                                                                                                                                                                            
ā”Œā”€ā”€(kalić‰ækali)-[~/lab/Administrator]
ā””ā”€$ date                                                     
Sat Nov 16 12:52:55 PM JST 2024
102

https://www.virtualbox.org/manual/UserManual.html#fine-tune-timers
I tried it, so clock issue was fix.
But can not kerberoastingā€¦

103
104

Thank you so much!!! Iā€™ve been searching for this very thing. This is going to help me with another box I was working on. Thank you again!!!

105

I stacked itā€¦
Help meā€¦
I did

  • bloodhound
  • Some users owned
  • Crack pass with hashcat
  • Attempted to connect, but could notā€¦(smb/winrm/ldap)
106

One of the users has access to the FTPā€¦ you might find something in thereā€¦

107

Thanks! I got it, and cracked it!
But can not use passā€¦