Laser
Network
Given:
- 192.168.195.0/24
Found:
- 192.168.195.173 MS01
- 192.168.195.174 MS02
- 192.168.195.172 DC01
Creds
Enumeration
Ping sweep the subnet to find four machines.
192.168.195.173 MS01
Enumeration
Using the provided credentials, we can access a shared folder called Apps in SMB.
We can see shortcuts, including one for Task Scheduler. It seems that a user clicks those shortcuts to open the apps, so we can capture that user's hash by replacing a shortcut with one that points to a UNC path.
First, create the shortcut with ntlm_theft.py.
Put the file into the share.
Create an SMB server and wait.
Rather than only capturing the hash, we can relay the authentication to another host. With ntlmrelayx, we target a host without SMB signing. We can check the signing with nxc.
So, we have to point to .174.
The execution of the shell doesn't work, so let's dump hashes.
We have a hit from carl.dean.
And got the hash of Administrator:15759746f66f2da88d58f0160f8ee676
192.168.195.174 MS02
Enumeration
Initial Access
Using the hash from MS01, we can enter as administrator.
Post Exploitation
Get the flag.
In the documents folder, there is a pcapng file that we can open with Wireshark. Use "Find Packet", select "String", and search for "login" to find credentials.
We have yulia.weber:Yulia@Laser777
With nxc, we can see that Yulia can RDP to the DC.
192.168.195.172 DC01
Enumeration
Initial Access
Using Yulia's credentials, we RDP into the machine.
Privilege Escalation
Read the flag on the desktop.
Using bloodhound-python, we can see that Yulia has GenericWrite over Boris, so we can perform a targeted Kerberoast against his account.
Using hashcat, we have boris.crawford:zxcvbnm
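From the defender's side, the targeted Kerberoast above leaves a recognisable pair of events on the DC: a servicePrincipalName write on a user object (event 5136) followed shortly by a service ticket request for that same account (event 4769). The following is an added detection sketch, not part of the original writeup; the events, the `lab.example` domain, the DN-to-account map and the 30-minute window are constructed assumptions, while the field names follow the Windows Security event schema.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window
VALUE_ADDED = "%%14674"         # 5136 OperationType: value added
RC4_HMAC = "0x17"               # RC4-HMAC ticket encryption type

# Constructed DN -> sAMAccountName map (5136 only carries the DN).
ACCOUNTS = {"CN=Boris Crawford,CN=Users,DC=lab,DC=example": "boris.crawford"}

# Constructed events, reduced to the fields used below.
EVENTS = [
    {"id": 4769, "time": "2024-05-01T09:00:00", "TargetUserName": "app01$@LAB.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
    {"id": 5136, "time": "2024-05-01T10:02:11", "SubjectUserName": "yulia.weber",
     "ObjectDN": "CN=Boris Crawford,CN=Users,DC=lab,DC=example", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName", "OperationType": VALUE_ADDED},
    {"id": 4769, "time": "2024-05-01T10:02:14", "TargetUserName": "yulia.weber@LAB.EXAMPLE",
     "ServiceName": "boris.crawford", "TicketEncryptionType": RC4_HMAC},
]

def detect(events, accounts=ACCOUNTS, window=WINDOW):
    """Return alerts for TGS requests that closely follow an SPN write on a user."""
    spn_writes, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if (ev["id"] == 5136 and ev["ObjectClass"] == "user"
                and ev["AttributeLDAPDisplayName"] == "servicePrincipalName"
                and ev["OperationType"] == VALUE_ADDED):
            account = accounts.get(ev["ObjectDN"])
            if account:  # remember who wrote the SPN and when
                spn_writes[account.lower()] = (ts, ev["SubjectUserName"].lower())
        elif ev["id"] == 4769:
            hit = spn_writes.get(ev["ServiceName"].lower())
            if hit and ts - hit[0] <= window:
                requester = ev["TargetUserName"].split("@")[0].lower()
                same_actor = requester == hit[1]
                rc4 = ev["TicketEncryptionType"].lower() == RC4_HMAC
                alerts.append({"account": ev["ServiceName"], "writer": hit[1],
                               "requester": requester,
                               "severity": "high" if same_actor and rc4 else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Event 5136 is only logged when Directory Service Changes auditing is enabled and the object has a matching SACL, so this correlation depends on that audit policy being in place.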
Post Exploitation
Now we can perform a DCSync attack to get the domain admin's password.
Enter with evil-winrm and get the flag.