Enumeration

LDAP Search
ldapsearch -x -H ldap://10.129.255.247 -b "dc=vintage,dc=htb" -w Rosaisbest123 -D p.rosa@vintage.htb "(objectClass=user)" sAMAccountName
To get the usernames into a text file:
ldapsearch -x -H ldap://10.129.255.247 -b "dc=vintage,dc=htb" -w Rosaisbest123 -D p.rosa@vintage.htb "(objectClass=user)" sAMAccountName | grep sAMAccountName: | cut -d " " -f 2 > users
This saves the output to the file users. The same enumeration also gives the DC name, dc01.vintage.htb, which the BloodHound collector needs.
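The grep/cut pipeline above works for plain ASCII names but trips over two LDIF conventions: ldapsearch folds long lines onto continuation lines that begin with a space, and it base64-encodes any value that is not a plain ASCII safe-string (non-ASCII characters, leading or trailing spaces), writing it after a double colon. The parser below is an added example, not part of the original writeup, that handles both; the LDIF is constructed (the base64 value is forced to exercise the decode path) and only the domain names are taken from the page.

```python
import base64

# Constructed ldapsearch output (not from the box): one folded dn, one base64 value.
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=vintage,DC=htb
sAMAccountName: Administrator

dn: CN=svc_ldap with a deliberately long common name,CN=Users,DC=vintage,DC=h
 tb
sAMAccountName:: c3ZjX2xkYXA=

search: 2
result: 0 Success
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF record."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation of previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records, current = [], {}
    for line in unfolded:
        if not line.strip():                      # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:       # comment or non-attribute line
            continue
        if value.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    if current:
        records.append(current)
    return records

def account_names(text):
    """sAMAccountName of every record that has a dn (drops the result trailer)."""
    return [r["sAMAccountName"][0] for r in parse_ldif(text)
            if "dn" in r and "sAMAccountName" in r]

def naive_grep_cut(text):
    # Equivalent of the page's grep sAMAccountName: | cut -d " " -f 2 pipeline.
    return [l.split(" ")[1] for l in text.splitlines() if "sAMAccountName:" in l]
```

On the sample, account_names returns Administrator and svc_ldap, while the naive pipeline returns the raw base64 string in place of svc_ldap and would also pick up the trailer lines if they ever contained the attribute name.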
Run the BloodHound collector to map the AD environment:
python3 bloodhound.py -u P.Rosa -p 'Rosaisbest123' -d vintage.htb -c All -ns 10.129.255.247 --zip -dc dc01.vintage.htb
Start neo4j and BloodHound, then load the zip file:
$ sudo neo4j console
$ bloodhound
BloodHound Analysis

Two accounts stand out:
C.NERI_ADM has AllowedToAct permissions on DC01.Vintage.HTB, which means you can call dcsync with mimikatz.
C.NERI can PS remote into DC01.Vintage.HTB.
L.BIANCHI_ADM is part of DA.
Going through the usernames obtained from ldapsearch node by node, we look for interesting outbound control rights:
Administrator
Guest
DC01$
krbtgt
gMSA01$
FS01$
M.Rossi
R.Verdi
L.Bianchi
G.Viola
C.Neri
P.Rosa
svc_sql
svc_ldap
svc_ark
C.Neri_adm
L.Bianchi_adm
GMSA01$: this account can add itself to SERVICEMANAGERS, which has GenericAll permissions on SVC_SQL.