Vintage

Enumeration

LDAPSearch
ldapsearch -x -H ldap://10.129.255.247 -b "dc=vintage,dc=htb" -w Rosaisbest123 -D p.rosa@vintage.htb "(objectClass=user)" sAMAccountName
To save only the usernames to a text file:
ldapsearch -x -H ldap://10.129.255.247 -b "dc=vintage,dc=htb" -w Rosaisbest123 -D p.rosa@vintage.htb "(objectClass=user)" sAMAccountName | grep sAMAccountName: | cut -d " " -f 2 > users
Save the output to a file and find the DC name, dc01.vintage.htb.
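The `grep | cut` pipeline above works on tidy output, but ldapsearch prints LDIF, which folds long lines (a continuation line starts with a space) and base64-encodes values that contain non-printable or trailing characters (written as `attr:: ...`); both cases silently drop or mangle names in a grep/cut pipeline. The following parser is an added example, not part of the original write-up, and the LDIF it runs on is a constructed sample rather than real output from the box. It unfolds lines, decodes base64 values and separates machine/service accounts (names ending in `$`) from user accounts, which is useful when reviewing what your own directory exposes.

```python
import base64
from typing import Iterator

# Constructed sample of ldapsearch LDIF output (not captured from a real host).
# It deliberately contains a folded line and a base64-encoded attribute value.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=vintage,dc=htb> with scope subtree
# filter: (objectClass=user)
# requesting: sAMAccountName
#

# Administrator, Users, vintage.htb
dn: CN=Administrator,CN=Users,DC=vintage,DC=htb
sAMAccountName: Administrator

# Guest, Users, vintage.htb
dn: CN=Guest,CN=Users,DC=vintage,DC=htb
sAMAccountName: Guest

# svc_ldap, Users, vintage.htb (value folded across two lines)
dn: CN=svc_ldap,CN=Users,DC=vintage,DC=htb
sAMAccountName: svc_l
 dap

# gMSA01, Managed Service Accounts, vintage.htb (base64 value: "gMSA01$")
dn: CN=gMSA01,CN=Managed Service Accounts,DC=vintage,DC=htb
sAMAccountName:: Z01TQTAxJA==

# search result
search: 2
result: 0 Success
"""


def iter_ldif_records(text: str) -> Iterator[dict[str, list[str]]]:
    """Yield one {attribute: [values]} dict per blank-line separated LDIF record.

    Handles comment lines, folded lines (leading space continues the previous
    line) and base64-encoded values written as ``attr:: <b64>``.
    """
    # Step 1: unfold. A line beginning with a single space continues the line before it.
    unfolded: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    # Step 2: split into records and parse "name: value" / "name:: base64" lines.
    record: dict[str, list[str]] = {}
    for line in unfolded:
        if not line.strip():
            if record:
                yield record
                record = {}
            continue
        if line.startswith("#"):
            continue  # ldapsearch comment line
        name, sep, rest = line.partition(":")
        if not sep:
            continue  # not an attribute line
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):
            value = rest[1:].strip()  # URL-referenced value; keep the reference as-is
        else:
            value = rest.strip()
        record.setdefault(name, []).append(value)
    if record:
        yield record


def extract_usernames(text: str, attribute: str = "sAMAccountName") -> list[str]:
    """Return every value of `attribute` from records that have a DN.

    The trailing 'search: / result:' block has no dn, so it is skipped.
    """
    names: list[str] = []
    for rec in iter_ldif_records(text):
        if "dn" not in rec:
            continue
        names.extend(rec.get(attribute, []))
    return names


def split_accounts(names: list[str]) -> tuple[list[str], list[str]]:
    """Separate user accounts from machine/service accounts (names ending in '$')."""
    users = [n for n in names if not n.endswith("$")]
    machines = [n for n in names if n.endswith("$")]
    return users, machines


if __name__ == "__main__":
    # Pipe real ldapsearch output in with:  ldapsearch ... | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    users, machines = split_accounts(extract_usernames(data))
    print("\n".join(users))
    print("# machine/service accounts:", ", ".join(machines), file=sys.stderr)
```

Only the user accounts go to stdout, so the script is a drop-in replacement for the `grep | cut` stage; the machine accounts are listed on stderr so they are not lost but also not mixed into the user list.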
Run Bloodhound to map the AD environment
python3 bloodhound.py -u P.Rosa -p 'Rosaisbest123' -d vintage.htb -c All -ns 10.129.255.247 --zip -dc dc01.vintage.htb
Load the Zip file into bloodhound
$ sudo neo4j console
$ bloodhound

Bloodhound Analysis

Two accounts stand out
  1. C.NERI_ADM has AllowedToAct permissions on DC01.Vintage.HTB, which means you can call dcsync with mimikatz
  2. C.NERI, who can PS remote into DC01.Vintage.HTB
  3. L.BIANCHI_ADM, who is part of DA
Using the usernames obtained from ldapsearch, we go through each node in BloodHound and look for interesting outbound control rights.
Administrator Guest DC01$ krbtgt gMSA01$ FS01$ M.Rossi R.Verdi L.Bianchi G.Viola C.Neri P.Rosa svc_sql svc_ldap svc_ark C.Neri_adm L.Bianchi_adm

GMSA01$

This account can add itself to SERVICEMANAGERS, which has GenericAll permissions on SVC_SQL.