Writeup: Scrambled

Platform: HTB

Difficulty: Medium

Operating system: Windows

Date solved: 9/09/2025

SMB DC Kerberoasting Silver Ticket MSSQL TGT TGS

Description

A machine in an AD environment with NTLM authentication disabled. It allows practising several techniques, including Kerberoasting, silver ticket attacks and database enumeration, among many others.

Topics

• Network and Port Scanning

• SMB Enumeration with SMBClient and NetExec

• Web Enumeration

• Information Leakage

• Kerberos Enumeration

• User Enumeration with Kerbrute

• Password Spraying with Kerbrute

• LDAP User Enumeration

• LDAP Enumeration - Kerberos Authentication [getTGT.py]

• ASREPRoast Attack - GetNPUsers.py

• Kerberoasting Attack - NetExec and GetUserSPNs.py

• Cracking Hashes

• Attempting to authenticate to the MSSQL service via Kerberos (failed)

• Creating a Silver Ticket

• Forging a new TGS as the Administrator user (NTLM hash, domain SID and SPN) [lookupsid.py, netexec, ticketer.py and mssqlclient]

• Connecting to the MSSQL service with the newly created ticket

• MSSQL Enumeration

• Enabling the xp_cmdshell component in MSSQL [RCE]

• SeImpersonatePrivilege (JuicyPotatoNG for Windows Server 2019)

• MSSQL database enumeration, user and password exfiltration

• Using PS-Session and Invoke-Command to execute commands as a compromised user (user pivoting)

• Configuring Evil-WinRM with a TGT to gain server access as a compromised user (method 2) [getTGT.py]

• Server enumeration (apps)

• Binary and DLL analysis with dnSpy

• (A backdoor is found in the code)

• We notice that data serialization and deserialization is being used

• Creating a malicious base64-encoded serialized payload with ysoserial.net in order to obtain RCE

• Sending the serialized data to the server (privilege escalation)

Scrambled video

PDF writeup

Related machines

Resources

References