# OSCP A -> AD

## 0x1 Recon

### Rustscan

* ![image](https://hackmd.io/_uploads/HyMUl18Mel.png)

### Nmap

* 192.168.194.141 (MS01)
  * ![image](https://hackmd.io/_uploads/HJT2gyUzee.png)
  * ![image](https://hackmd.io/_uploads/r1vaxJUzee.png)
  * ![image](https://hackmd.io/_uploads/BJcRe1IMxe.png)
  * ![image](https://hackmd.io/_uploads/HyOlbJIMgg.png)
* 192.168.194.142 (MS02)
  * ![image](https://hackmd.io/_uploads/SJI3JWUMxl.png)
* 192.168.194.140 (DC01)
  * ![image](https://hackmd.io/_uploads/rksoJW8fgx.png)
  * ![image](https://hackmd.io/_uploads/ryVjkZ8Gxe.png)

### Website

* Possibly a GPO setting script under the `script` path
  * ![image](https://hackmd.io/_uploads/S1G7s1Izle.png)

### SMB

* 192.168.194.141 (MS01)
  * ![image](https://hackmd.io/_uploads/ByD3qy8Mxe.png)
* Using RID brute force, got the domain users
  * ![image](https://hackmd.io/_uploads/B1f60J8Mgg.png)
  * ![image](https://hackmd.io/_uploads/BkFaAkIMll.png)

## 141 (MS01)

### Shell as `Eric.Wallows`

* Use the initial credentials to log in to MS01 (.141)
  * ![image](https://hackmd.io/_uploads/S1HRZeUzxg.png)
  * ![image](https://hackmd.io/_uploads/BJ10bx8Mxx.png)
* User `Eric` has the `SeImpersonatePrivilege` privilege, so upload `JuicyPotato` and `nc`
  * ![image](https://hackmd.io/_uploads/ryw8feLMxe.png)
  * ![image](https://hackmd.io/_uploads/r1LrQeLMxx.png)
* Execute JuicyPotato and got a shell as admin
  * ![image](https://hackmd.io/_uploads/BJf94gUMxx.png)
  * ![image](https://hackmd.io/_uploads/ryxoVlIMgg.png)
* Upload mimikatz and got the user hash
  * ![image](https://hackmd.io/_uploads/SJGq8xLMee.png)
* `secretsdump.py` got the hash
  * ![image](https://hackmd.io/_uploads/HJimKeIfxl.png)

```bash
secretsdump.py administrator@192.168.194.141 -hashes :3c4495bbd678fac8c9d218be4f2bbc7b
```

## 142 (MS02)

* Using WinRM, log in to 142 as `celia.almeda` with the password leaked by `secretsdump`
  * ![image](https://hackmd.io/_uploads/HJsEBLqzxx.png)
  * ![image](https://hackmd.io/_uploads/ryUDrUcMlg.png)
* A folder called `windows.old` under `C:\` stores the SAM and SYSTEM hives, which we can read
  * ![image](https://hackmd.io/_uploads/SyU45I9zlg.png)
  * ![image](https://hackmd.io/_uploads/rJWO9L9Mex.png)
* Download them with WinRM, and use secretsdump to get the user credentials
  * ![image](https://hackmd.io/_uploads/HJRjcUcGll.png)
  * ![image](https://hackmd.io/_uploads/H1ShcI9Mll.png)

## 140 (DC01)

* In BloodHound we saw that `tom_admin` is the domain admin on DC01, so I logged in with WinRM and got proof.txt
  * ![image](https://hackmd.io/_uploads/SkqU3IqMxg.png)
  * `tom_admin:1001:aad3b435b51404eeaad3b435b51404ee:4979d69d4ca66955c075c41cf45f2`
  * ![image](https://hackmd.io/_uploads/Skav3I9Mxg.png)