root:$6$YIFGN9YscCV72BjFtx/tehbc7sQTJp09c5.:18277:0:99999:7:::
Use the highlighted part as the password, so password = YIFGN9YscCV72BjFtx/
For Windows
Use the NTLM hash.
Example: Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c:::
password = 31d6cfe0d16ae931b73c59d7e0c
Old methods
For Linux
1- cat /etc/shadow
2- Copy the whole hash line (root): root:$6$YIFGN9YscCV72BjFtx/tehbc7sQTJp09c5.:18277:0:99999:7:::
3- Then find its MD5 sum, and that's your password for the writeup
For Windows
1- Find the root hash with hashdump.exe or any other tool.
2- Then convert that into its MD5 sum as well
3- That's your password for the writeup
Steps:
1- Nmap scan.
2- Enumerating user names.
3- Exploiting Kerberos.
4- Decryption of hash.txt.
5- Login with Evil-WinRM (user).
6- Uploading BloodHound.
7- Adding user to group.
8- Escalating the privileges.
9- DCSync attack via secretsdump.
10- Login with wmiexec.py (root).
Tools used: Impacket (GetNPUsers.py, ntlmrelayx.py, secretsdump.py), Evil-WinRM, BloodHound.
Commands used:
nmap -sC -sV -oV 10.10.10.161
enum4linux -a 10.10.10.161
GetNPUsers.py HTB.local/ -usersfile /root/Desktop/htb/forest/user.txt -format john -outputfile hashes.txt…
It is a great box from Hack The Box. It starts with RPC enumeration, followed by brute forcing of the SMB login. For privilege escalation, a DCSync attack was the easy way.