HackTheBox Vintage

❯ nmap -sS -Pn -n -vvv --open --min-rate 5000 10.10.11.45 -oG port

PORT     STATE SERVICE          REASON
53/tcp   open  domain           syn-ack ttl 127
88/tcp   open  kerberos-sec     syn-ack ttl 127
135/tcp  open  msrpc            syn-ack ttl 127
139/tcp  open  netbios-ssn      syn-ack ttl 127
389/tcp  open  ldap             syn-ack ttl 127
445/tcp  open  microsoft-ds     syn-ack ttl 127
464/tcp  open  kpasswd5         syn-ack ttl 127
593/tcp  open  http-rpc-epmap   syn-ack ttl 127
636/tcp  open  ldapssl          syn-ack ttl 127
3268/tcp open  globalcatLDAP    syn-ack ttl 127
3269/tcp open  globalcatLDAPssl syn-ack ttl 127

Puertos abiertos.

❯ nmap -sCV -p53,88,135,139,389,445,464,593,636,3268,3269 10.10.11.45 -oN target.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-21 22:55 EDT
Nmap scan report for 10.10.11.45
Host is up (0.034s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-21 22:06:59Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-04-21T22:07:05
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: -4h48m35s

Versiones y servicios que corren.

ldapsearch

❯ ldapsearch -x -H ldap://10.10.11.45 -s base | grep ldapServiceName
ldapServiceName: vintage.htb:dc01$@VINTAGE.HTB

Comprobamos el nombre del dominio y lo agregamos a nuestro etc/hosts.

ntpdate

❯ sudo ntpdate 10.10.11.45
2025-04-21 18:15:22.417376 (-0400) +0.491729 +/- 0.036268 10.10.11.45 s1 no-leap

Este comando sincroniza el reloj de tu sistema con un servidor NTP (Network Time Protocol), Estás sincronizando tu reloj del sistema con el de un servidor NTP confiable (idealmente el mismo que usa el servidor Kerberos). Esto elimina la “skew” (diferencia de tiempo) que puede romper Kerberos.

Bloodhound

Vamos a enumerar el dominio, pero antes vamos a configurar pa que no nos de problemas.

sudo nano /etc/krb5.conf

[libdefaults]
    default_realm = VINTAGE.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    VINTAGE.HTB = {
        kdc = dc01.vintage.htb
        default_domain = vintage.htb
    }

[domain_realm]
    .vintage.htb = VINTAGE.HTB
    vintage.htb = VINTAGE.HTB

Agregamos el dominio al archivo de cofiguracion de kerberos.

❯ kinit P.Rosa@VINTAGE.HTB

Password for P.Rosa@VINTAGE.HTB: 
❯ klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: P.Rosa@VINTAGE.HTB

Valid starting       Expires              Service principal
04/22/2025 06:25:36  04/22/2025 16:25:36  krbtgt/VINTAGE.HTB@VINTAGE.HTB
	renew until 04/23/2025 06:25:25

Obtenemos un ticket de kerberos pedirá contraseña (Rosaisbest123). Si todo está bien, no mostrará ningún mensaje (eso es buena señal).

nano /etc/resolv.conf

nameserver 10.10.11.45
search vintage.htb

Para no tener problemas de conectividad.

❯ nslookup dc01.vintage.htb

Server:		10.10.11.45
Address:	10.10.11.45#53

Name:	dc01.vintage.htb
Address: 10.10.11.45

Verificado, ahora vamos con Bloodhound.

Bloodhound

❯ bloodhound-python -u P.Rosa -p 'Rosaisbest123' -d vintage.htb -c All -dc dc01.vintage.htb
INFO: Found AD domain: vintage.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.vintage.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc01.vintage.htb
INFO: Found 16 users
INFO: Found 58 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: FS01.vintage.htb
INFO: Querying computer: dc01.vintage.htb
WARNING: Could not resolve: FS01.vintage.htb: The resolution lifetime expired after 3.106 seconds: Server Do53:10.10.11.45@53 answered The DNS operation timed out.
INFO: Done in 00M 12S

Hora si.

❯ ls -l
.rw-rw-r-- root root 6.5 KB Tue Apr 22 06:34:51 2025  20250422063439_computers.json
.rw-rw-r-- root root  24 KB Tue Apr 22 06:34:45 2025  20250422063439_containers.json
.rw-rw-r-- root root 3.1 KB Tue Apr 22 06:34:45 2025  20250422063439_domains.json
.rw-rw-r-- root root 3.9 KB Tue Apr 22 06:34:44 2025  20250422063439_gpos.json
.rw-rw-r-- root root  88 KB Tue Apr 22 06:34:43 2025  20250422063439_groups.json
.rw-rw-r-- root root 3.6 KB Tue Apr 22 06:34:44 2025  20250422063439_ous.json
.rw-rw-r-- root root  38 KB Tue Apr 22 06:34:43 2025  20250422063439_users.json

Ya tenemos los archivos ahora vamos a hecharles un ojo.

AnteriorHackTheBox Cicada SiguienteHackTheBox Sauna

Última actualización hace 4 días

HackTheBox Vintage

❯ nmap -sS -Pn -n -vvv --open --min-rate 5000 10.10.11.45 -oG port

PORT     STATE SERVICE          REASON
53/tcp   open  domain           syn-ack ttl 127
88/tcp   open  kerberos-sec     syn-ack ttl 127
135/tcp  open  msrpc            syn-ack ttl 127
139/tcp  open  netbios-ssn      syn-ack ttl 127
389/tcp  open  ldap             syn-ack ttl 127
445/tcp  open  microsoft-ds     syn-ack ttl 127
464/tcp  open  kpasswd5         syn-ack ttl 127
593/tcp  open  http-rpc-epmap   syn-ack ttl 127
636/tcp  open  ldapssl          syn-ack ttl 127
3268/tcp open  globalcatLDAP    syn-ack ttl 127
3269/tcp open  globalcatLDAPssl syn-ack ttl 127

Puertos abiertos.

❯ nmap -sCV -p53,88,135,139,389,445,464,593,636,3268,3269 10.10.11.45 -oN target.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-21 22:55 EDT
Nmap scan report for 10.10.11.45
Host is up (0.034s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-21 22:06:59Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-04-21T22:07:05
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: -4h48m35s

Versiones y servicios que corren.

ldapsearch

❯ ldapsearch -x -H ldap://10.10.11.45 -s base | grep ldapServiceName
ldapServiceName: vintage.htb:dc01$@VINTAGE.HTB

Comprobamos el nombre del dominio y lo agregamos a nuestro etc/hosts.

ntpdate

❯ sudo ntpdate 10.10.11.45
2025-04-21 18:15:22.417376 (-0400) +0.491729 +/- 0.036268 10.10.11.45 s1 no-leap

Bloodhound

Vamos a enumerar el dominio, pero antes vamos a configurar pa que no nos de problemas.

sudo nano /etc/krb5.conf

[libdefaults]
    default_realm = VINTAGE.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    VINTAGE.HTB = {
        kdc = dc01.vintage.htb
        default_domain = vintage.htb
    }

[domain_realm]
    .vintage.htb = VINTAGE.HTB
    vintage.htb = VINTAGE.HTB

Agregamos el dominio al archivo de cofiguracion de kerberos.

❯ kinit P.Rosa@VINTAGE.HTB

Password for P.Rosa@VINTAGE.HTB: 
❯ klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: P.Rosa@VINTAGE.HTB

Valid starting       Expires              Service principal
04/22/2025 06:25:36  04/22/2025 16:25:36  krbtgt/VINTAGE.HTB@VINTAGE.HTB
	renew until 04/23/2025 06:25:25

Obtenemos un ticket de kerberos pedirá contraseña (Rosaisbest123). Si todo está bien, no mostrará ningún mensaje (eso es buena señal).

nano /etc/resolv.conf

nameserver 10.10.11.45
search vintage.htb

Para no tener problemas de conectividad.

❯ nslookup dc01.vintage.htb

Server:		10.10.11.45
Address:	10.10.11.45#53

Name:	dc01.vintage.htb
Address: 10.10.11.45

Verificado, ahora vamos con Bloodhound.

Bloodhound

❯ bloodhound-python -u P.Rosa -p 'Rosaisbest123' -d vintage.htb -c All -dc dc01.vintage.htb
INFO: Found AD domain: vintage.htb
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc01.vintage.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: dc01.vintage.htb
INFO: Found 16 users
INFO: Found 58 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: FS01.vintage.htb
INFO: Querying computer: dc01.vintage.htb
WARNING: Could not resolve: FS01.vintage.htb: The resolution lifetime expired after 3.106 seconds: Server Do53:10.10.11.45@53 answered The DNS operation timed out.
INFO: Done in 00M 12S

Hora si.

❯ ls -l
.rw-rw-r-- root root 6.5 KB Tue Apr 22 06:34:51 2025  20250422063439_computers.json
.rw-rw-r-- root root  24 KB Tue Apr 22 06:34:45 2025  20250422063439_containers.json
.rw-rw-r-- root root 3.1 KB Tue Apr 22 06:34:45 2025  20250422063439_domains.json
.rw-rw-r-- root root 3.9 KB Tue Apr 22 06:34:44 2025  20250422063439_gpos.json
.rw-rw-r-- root root  88 KB Tue Apr 22 06:34:43 2025  20250422063439_groups.json
.rw-rw-r-- root root 3.6 KB Tue Apr 22 06:34:44 2025  20250422063439_ous.json
.rw-rw-r-- root root  38 KB Tue Apr 22 06:34:43 2025  20250422063439_users.json

Ya tenemos los archivos ahora vamos a hecharles un ojo.

AnteriorHackTheBox Cicada SiguienteHackTheBox Sauna

Última actualización hace 4 días