In this walkthrough, we will explore the step-by-step process to solve the Vintage machine from HackTheBox. This machine simulates a real-life Active Directory (AD) pentest scenario, requiring us to leverage various tools and techniques to uncover vulnerabilities and gain access. With credentials provided, we'll initiate the attack and progress towards escalating privileges.
As is common in many real-world scenarios, we start with initial credentials for an account. These credentials are:
These credentials allow us to authenticate to the target machine and explore further.
To solve this machine effectively, you'll need to install and set up the following tools:
Evil-WinRM: used for remote command execution on Windows machines over WinRM.
apt install -y evil-winrm
John the Ripper: a password cracking tool for recovering passwords from captured hashes.
apt install -y john
pipx: a tool for installing and managing Python-based applications in isolated environments.
pipx ensurepath
DNSChef: a DNS proxy to intercept and modify DNS requests.
git clone https://github.com/iphelix/dnschef
Impacket: a collection of tools for working with SMB, LDAP, Kerberos, and other network protocols.
pipx install git+https://github.com/fortra/impacket
NetExec: a tool to execute commands remotely and enumerate network services.
pipx install git+https://github.com/Pennyw0rth/NetExec
pre2k: a tool for enumerating pre-Windows 2000 compatible computer accounts in Active Directory.
pipx install git+https://github.com/garrettfoster13/pre2k
bloodyAD: an Active Directory enumeration and exploitation tool.
pipx install git+https://github.com/CravateRouge/bloodyAD
Kerbrute: a Kerberos brute-forcing tool to enumerate user accounts and passwords.
Download it and set executable permissions:
wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
chmod +x kerbrute_linux_amd64
With the tools set up and credentials in hand, we are ready to begin our attack on the Vintage machine.
nmap -v -sCTV -p- -T4 -Pn -oN $IP.txt $IP
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-04 10:20:40Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
59282/tcp open  msrpc         Microsoft Windows RPC
59287/tcp open  msrpc         Microsoft Windows RPC
59306/tcp open  msrpc         Microsoft Windows RPC
60688/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-12-04T10:21:37
|_  start_date: N/A
|_clock-skew: -3m40s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
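To make a scan like the one above easier to act on, here is an added Python example (not code from the original walkthrough) that parses nmap's normal (-oN) output into structured records and pulls out the three facts an AD assessment records first: whether the host exposes Kerberos and LDAP together (the usual domain controller signature), the clock skew (Kerberos rejects authentication when client and DC clocks differ by more than its default five-minute tolerance, so it is worth noting early), and whether SMB signing is required (which means the host is hardened against NTLM relay to SMB). The embedded scan excerpt is constructed from the output shown above and trimmed; the five-minute threshold is Kerberos's default.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: an excerpt in nmap's normal (-oN) output format,
# trimmed from the scan shown in the walkthrough above.
SAMPLE_SCAN = """\
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-04 10:20:40Z)
135/tcp   open  msrpc         Microsoft Windows RPC
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: vintage.htb0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
636/tcp   open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-12-04T10:21:37
|_  start_date: N/A
|_clock-skew: -3m40s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version text>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# nmap prints skew as e.g. "-3m40s", "0s" or "1h02m03s"; the seconds part is always present
SKEW_TOKEN = re.compile(r"(-?)(?:(\d+)h)?(?:(\d+)m)?(\d+)s")

KERBEROS_MAX_SKEW_SECONDS = 300  # Kerberos default clock tolerance (5 minutes)


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_ports(scan_text: str) -> List[Service]:
    """Return one Service record per port line in the scan."""
    services = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, version.strip()))
    return services


def clock_skew_seconds(scan_text: str) -> Optional[int]:
    """Parse the clock-skew line into signed seconds; None if the line is absent."""
    for line in scan_text.splitlines():
        if "clock-skew:" in line:
            m = SKEW_TOKEN.search(line.split("clock-skew:", 1)[1])
            if m:
                sign, hours, minutes, seconds = m.groups()
                total = int(hours or 0) * 3600 + int(minutes or 0) * 60 + int(seconds)
                return -total if sign == "-" else total
    return None


def kerberos_skew_ok(skew: Optional[int]) -> bool:
    """True when the measured skew is inside Kerberos's default tolerance."""
    return skew is not None and abs(skew) < KERBEROS_MAX_SKEW_SECONDS


def smb_signing_required(scan_text: str) -> bool:
    """True when smb2-security-mode reports signing as enabled and required."""
    return "Message signing enabled and required" in scan_text


def looks_like_domain_controller(services: List[Service]) -> bool:
    """Kerberos plus LDAP open on the same host is the usual DC signature."""
    names = {s.name for s in services if s.state == "open"}
    return {"kerberos-sec", "ldap"} <= names


def summarize(scan_text: str) -> Dict[str, object]:
    """Collect the facts an AD assessment records from a first port scan."""
    services = parse_ports(scan_text)
    skew = clock_skew_seconds(scan_text)
    return {
        "open_ports": sorted(s.port for s in services if s.state == "open"),
        "domain_controller": looks_like_domain_controller(services),
        "clock_skew_seconds": skew,
        "kerberos_skew_ok": kerberos_skew_ok(skew),
        "smb_signing_required": smb_signing_required(scan_text),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SCAN).items():
        print(f"{key}: {value}")
```

Run it as a script to print the summary of the embedded sample, or call summarize() on the contents of the $IP.txt file the nmap command writes. The -3m40s skew in the scan above is well inside the five-minute window; when a scan reports a larger value, Kerberos authentication will fail until the client clock is synchronised with the DC.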
Let's add vintage.htb and dc01.vintage.htb to the /etc/hosts file:
echo "10.10.x.x vintage.htb dc01.vintage.htb" | sudo tee -a /etc/hosts
Access is restricted by HackTheBox rules
The full solution can be published publicly once the machine is retired.
Until then, the non-public solution is available in the Telegram channel.