[punt0]

Did you find what to do with those credenciales? I've tried too many things but nothing success.

same here, just found the tstark domain account but can't do much with that. Tried to bruteforce more users and nothing

[tiresomeenergy]

use creds to enum shares

[tiresomeenergy]

Is it possible to decrypt TLS from .pcap without keylog file?

i don't think so.

i've tried PCredz and it didn't come up with anything

[tiresomeenergy]

use creds to enum shares

I found a lot of users in the domain but with brute force I didn't get the password of any of them (I tried to log in also in the joomla panel)? anyone give me a hint what else to try?

try finding the password

[tiresomeenergy]

{
      "type": "application",
      "id": "224",
      "attributes": {
        "user": "root",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "password": "H0lOgrams4reTakIng0Ver754!",
        "id": 224
      }

Niceeeeeeeeeee

use kerbrute for find a user and use thit password with connect to smb and download pcap and analyze with wireshark

Found nothing with kerbrute 

2024/02/17 15:04:28 >  Using KDC(s):
2024/02/17 15:04:28 >  10.129.110.54:88

2024/02/17 15:09:11 >  [+] VALID USERNAME:      administrator@office.htb
2024/02/17 15:26:32 >  [+] VALID USERNAME:      dlanor@office.htb
2024/02/17 15:52:44 >  [+] VALID USERNAME:      etower@office.htb

what's the user you found ?

use a different list from seclists repo (Users directory) pick a big one and let it run for a while.

[peRd1]

Any hint how to get something useful from .pcap?

kerberos preauth packets... such as cipher?

[gtastav]

I got this hash, what can I do with it, I can't crack it:
PPotts::OFFICE:**********cf1:88A5179C475***************:010100000000000080343341E961DA01AEFB3A43CC0F6B20000000000200080034004B004300530001001E00570049004E002D005600560035004400320037004100340056005A00520004003400570049004E002D005600560035004400320037004100340056005A0052002E0034004B00430053002E004C004F00430041004C000300140034004B00430053002E004C004F00430041004C000500140034004B00430053002E004C004F00430041004C000700080080343341E961DA010600040002000000080030003000000000000000010000000020000092045276E645B09888B4D****************************
If you want to get the hash , find the resume.php file and interact with it

[chillywilly]

nah bro use wireshark

[gtastav]

I got this hash, what can I do with it, I can't crack it:
PPotts::OFFICE:**********cf1:88A5179C475***************:010100000000000080343341E961DA01AEFB3A43CC0F6B20000000000200080034004B004300530001001E00570049004E002D005600560035004400320037004100340056005A00520004003400570049004E002D005600560035004400320037004100340056005A0052002E0034004B00430053002E004C004F00430041004C000300140034004B00430053002E004C004F00430041004C000500140034004B00430053002E004C004F00430041004C000700080080343341E961DA010600040002000000080030003000000000000000010000000020000092045276E645B09888B4D****************************
If you want to get the hash , find the resume.php file and interact with it

how you access the internal site ?

port forward 8083
also when you get a shell you can find C:\xampp\htdocs\internal\resume.php

[skyfallizhard]

how are y'all getting a shell? i got the tstark creds on my own but then i hit a wall