
Poseidon

Network

Given:

  • 192.168.167.0/24

Found:

  • 192.168.167.162 DC02 (child domain DC)
  • 192.168.167.163 (domain-joined host, initial foothold)
  • 192.168.167.161 DC01 (parent domain DC)

Creds

eric.wallows:EricLikesRunning800 (given; WinRM on .163)
lisa:905ae9b4d957545fb7b9ea0c4333247b (NT hash from Mimikatz on .163; never cracked, used via pass-the-hash)
chen:freedom (AS-REP roastable account found from .163; hash cracked with Hashcat)
administrator:3bcdd818f7ec942ac91aa30d8db71927 (NT hash from ntds.dit on .162)

Enumeration

Ping sweeping the subnet reveals three machines.

192.168.167.163

Enumeration

Initial Access

Using the provided credentials (eric.wallows:EricLikesRunning800), we get a shell on the host over WinRM with Evil-WinRM.

Privilege Escalation

eric.wallows holds SeImpersonatePrivilege (visible with whoami /priv), so we abuse it with PrintSpoofer. Generate an msfvenom reverse-shell executable, upload it to the host, start a listener on the attacking machine, and run PrintSpoofer with the payload as the command to execute; the callback arrives as NT AUTHORITY\SYSTEM.

Post Exploitation

Get the flags

Transfer Mimikatz and dump credentials from LSASS; this gives us Lisa's NT hash.

Running Lisa's hash through Hashcat (NTLM, mode 1000) with a wordlist yields nothing, so we will have to use the hash as-is (pass-the-hash) rather than a cleartext password.

Transfer adPEAS and winPEAS for further enumeration. adPEAS flags chen as AS-REP roastable (Kerberos pre-authentication disabled) and returns the AS-REP hash.

Cracking that hash with Hashcat (mode 18200):

We retrieve chen:freedom.

Transfer SharpHound, run the collector, and analyze the results in BloodHound.

BloodHound shows that Lisa has AllExtendedRights over Jackie. Those rights include User-Force-Change-Password, so Lisa can reset Jackie's password without knowing the current one. Because Lisa's hash never cracked, we do this with pass-the-hash via pth-net, supplying the hash in LM:NT form:

With the new password we can log in as Jackie over WinRM on DC02 (192.168.167.162).

192.168.167.162 DC02

Enumeration

Initial Access

After changing Jackie's password, we use Evil-WinRM to log in to DC02 as Jackie.

Get the flag

Privilege Escalation

Checking Jackie's privileges and group membership shows SeBackupPrivilege and membership of Backup Operators. ntds.dit is locked while the DC is running, so instead we take a Volume Shadow Copy with DiskShadow and read the file from the snapshot, where the backup privilege lets us bypass the NTFS ACLs.

Create and transfer a DiskShadow script like this:

Now copy ntds.dit out of the exposed shadow copy with Robocopy in backup mode (/b), and also save the SYSTEM hive (reg save HKLM\SYSTEM), which holds the boot key needed to decrypt the hashes in ntds.dit. Download both files to the attacking machine.

Running Impacket's secretsdump.py offline against them (-ntds ntds.dit -system SYSTEM LOCAL) dumps the NT hashes of every domain account, including administrator and krbtgt:

We can log back in as administrator with Evil-WinRM using the NT hash (-H).

Post Exploitation

Get the flag

192.168.167.161 DC01

Enumeration

Initial Access

The dump also gave us the krbtgt hash of the child domain, so we can forge a Golden Ticket. A ticket that is valid only in the child domain will not get us onto DC01 in the parent, but intra-forest trusts do not apply SID filtering by default, so we add the parent domain's Enterprise Admins SID (the parent domain SID followed by RID 519) to the ticket's SID history. We therefore need the parent domain SID in addition to the child's; it can be retrieved with Mimikatz:

Add the child domain and parent domain names (and both DC hostnames) to /etc/hosts on the attacking machine so Kerberos name resolution works.

Create the ticket with the child's domain SID, the krbtgt hash and the extra SID, and export it to a file (a .kirbi from Mimikatz or a .ccache from Impacket's ticketer.py).

Use the ticket to authenticate to DC01 over Kerberos (with Impacket, point KRB5CCNAME at the .ccache and pass -k -no-pass).

Post Exploitation

Get the flag