# Vault

## Information Gathering

`sudo nmapAutomator.sh 192.168.131.172 all`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2F6PHtBAJivbnZiI6L24VJ%2Fimage.png?alt=media\&token=430d70b2-3c48-4586-a410-ca6a30c25d4a)

### Service Enumeration

### SMB (Port 139/445)

It seems we have anonymous access to the shares, but there don't appear to be any useful files in them.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FZyK7FhqiSuPycFhYPf77%2Fimage.png?alt=media\&token=b0a5cd2f-4823-4215-89ef-968b984e8b86)

Let's use Impacket's `lookupsid.py`, which brute-forces Windows SIDs to enumerate users and groups on the remote target.

`lookupsid.py Anonymous@192.168.131.172`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FjTYSc4a9AfoDRhASoQK9%2Fimage.png?alt=media\&token=5ad26ea6-e1dd-4aba-a667-c546d47d2399)

Using some vim magic, we extract just the usernames.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FWavMLHK6IJeOgjCDKpZK%2Fimage.png?alt=media\&token=9bdf6699-2cf8-48d2-b8f5-0784440a2fdc)

Next, we can try kerberoasting with the usernames we have. However, we get nothing.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FPtiNVEASwSQqEd7czdlW%2Fimage.png?alt=media\&token=73cafe43-427d-4d3c-9292-c728b4c1785c)

I actually missed that `DocumentsShare` is writable.

## Exploit

{% embed url="<https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks>" %}

Since the target is a Windows machine, we can upload a shortcut-style file (an SCF) to the writable SMB share whose icon path points at our attacking machine. Whenever a user browses the share, Explorer tries to load the icon and sends an SMB request to our attacking machine that is authenticated as that user's account. This request carries the account's NTLM authentication response (the Net-NTLMv2 hash that Responder captures).

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FkAH2dFS9s6vkceo3C7oR%2Fimage.png?alt=media\&token=813edb6d-e5f7-4e2a-addf-2bdf51163202)

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FdOYscDd3KMT8M4VysgGQ%2Fimage.png?alt=media\&token=7fad1f58-beee-4377-a9b0-29d2b1170865)
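From the defender's side, the same weakness (a writable share plus shortcut files whose icon lives on a remote host) can be audited with a short PowerShell script. This is an added example, not code from the writeup or the linked article; the share path, the trusted-host list and the output layout are assumptions.

```powershell
# Added example: audit a share for SCF/URL/desktop.ini/LNK files whose icon
# points at a UNC host, the trigger for outbound NTLM authentication described
# above. $SharePath and $TrustedHosts are assumptions, not values from the writeup.
function Find-RemoteIconFiles {
    param(
        [Parameter(Mandatory)] [string] $SharePath,
        [string[]] $TrustedHosts = @()   # hosts legitimately allowed to serve icons
    )
    # Group 2 = full UNC icon path, group 3 = the host it points at.
    $iconRegex = '^\s*Icon(File|Resource)\s*=\s*(\\\\([^\\\s]+)\\.*)'
    $wsh = New-Object -ComObject WScript.Shell   # reads IconLocation out of .lnk files

    $files = Get-ChildItem -Path $SharePath -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.scf', '.url', '.lnk' -or $_.Name -ieq 'desktop.ini' }

    foreach ($file in $files) {
        $targets = @()
        if ($file.Extension -eq '.lnk') {
            # .lnk is binary; IconLocation comes back as "path,index"
            try { $loc = $wsh.CreateShortcut($file.FullName).IconLocation } catch { $loc = '' }
            if ($loc -match '^(\\\\([^\\\s]+)\\[^,]*)') { $targets += ,@($Matches[1], $Matches[2]) }
        } else {
            foreach ($m in (Select-String -LiteralPath $file.FullName -Pattern $iconRegex)) {
                $targets += ,@($m.Matches[0].Groups[2].Value, $m.Matches[0].Groups[3].Value)
            }
        }
        foreach ($t in $targets) {
            if ($TrustedHosts -notcontains $t[1]) {
                [pscustomobject]@{
                    File       = $file.FullName
                    Owner      = (Get-Acl -LiteralPath $file.FullName).Owner
                    Modified   = $file.LastWriteTimeUtc
                    IconTarget = $t[0]
                    RemoteHost = $t[1]
                }
            }
        }
    }
}

# Example run (share path is an assumption): newest planted files first.
Find-RemoteIconFiles -SharePath '\\FILESERVER\DocumentsShare' -TrustedHosts 'FILESERVER' |
    Sort-Object Modified -Descending | Format-Table -AutoSize
```

Pair this with removing write access for ordinary users on shares like `DocumentsShare` and blocking outbound SMB (TCP 445) from workstations to untrusted hosts, which removes the trigger rather than only detecting it.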

Let's start Responder to listen for the request.

`sudo responder -I tun0 -v`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2F0gep8cDGwUmHlRsVjhna%2Fimage.png?alt=media\&token=efdf4f89-e113-406c-950b-39dd577f553c)

We can then copy the hash into a file and crack it with John the Ripper.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2F7jC3wnmFN95asFWkqPYF%2Fimage.png?alt=media\&token=7e3b00cf-bdbb-4782-a4ca-88f401b14173)

This gives us anirudh's credentials.

`evil-winrm -i 192.168.131.172 -u anirudh -p SecureHM`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FF3mQToWKJsWfGQwqx98m%2Fimage.png?alt=media\&token=1cd97237-2cc2-44cf-b3c9-4e53b4492a7e)

## Privesc

We see that there is already a `KillExplorer.ps1` file; however, this just seems to be a script that accesses the writable SMB share from earlier.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FLSehAjOKXXmD1aQ3QSQD%2Fimage.png?alt=media\&token=ae880766-bec0-4b76-b152-a2fcba1d7bde)

I tried `winPEAS`; however, I was unable to find anything useful.

{% embed url="<https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters/powerview>" %}

We can use PowerView's `Get-NetGPO` command to list all GPOs with their details.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2Fy1SV2K3g9R8AUSbCb76R%2Fimage.png?alt=media\&token=f270ec49-0a2d-4cfd-84e5-1fb50a770928)

We then use the `Get-GPPermission` command to see the permission level each security principal has on the GPO.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2F1fLCWqnl4A0f3A9qjBUy%2Fimage.png?alt=media\&token=dafb7531-541e-4e9c-b8de-d7d8a4194b37)

Next, we can use [SharpGPOAbuse.exe](https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.0_x64/SharpGPOAbuse.exe) and tell it to add the `anirudh` account to the local Administrators group through the GPO.

`./SharpGPOAbuse.exe --AddLocalAdmin --UserAccount anirudh --GPOName "Default Domain Policy"`

Then we update the local group policy.

`gpupdate /force`

Let's see if this worked.

`net localgroup Administrators`

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FGS8hUBCJF6bjigQxBNJb%2Fimage.png?alt=media\&token=b63b675f-a05c-4733-83b1-e30af43324ea)
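On the AD side, the root cause of the steps above is a GPO ACL that lets a low-privilege user edit `Default Domain Policy`. The following PowerShell audit is added here and is not taken from the writeup: it lists GPOs that anyone outside an expected set of editors can modify, and the local Administrators members that are not expected. It needs the RSAT GroupPolicy module on a domain-joined host; both allow-lists are assumptions.

```powershell
# Added example: audit GPO ACLs for unexpected edit rights and report local
# Administrators members that a Restricted Groups change would have added.
# Requires the RSAT GroupPolicy module; the allow-lists are assumptions.
Import-Module GroupPolicy

function Find-WritableGpos {
    param(
        [string[]] $ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')
    )
    $editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'
    foreach ($gpo in Get-GPO -All) {
        # -All returns every trustee on the GPO, not just one named principal.
        foreach ($perm in (Get-GPPermission -Guid $gpo.Id -All)) {
            if ($editLevels -notcontains [string]$perm.Permission) { continue }
            if ($perm.Denied) { continue }
            if ($ExpectedEditors -contains $perm.Trustee.Name) { continue }
            [pscustomobject]@{
                GPO         = $gpo.DisplayName
                Trustee     = "$($perm.Trustee.Domain)\$($perm.Trustee.Name)"
                TrusteeType = $perm.Trustee.SidType
                Permission  = $perm.Permission
                Modified    = $gpo.ModificationTime
                CompVersion = $gpo.Computer.DSVersion   # bumps when Computer settings are edited
            }
        }
    }
}

function Get-UnexpectedLocalAdmins {
    param([string[]] $ExpectedMembers = @('Administrator', 'Domain Admins'))
    # Names come back as DOMAIN\name; compare on the bare name.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $ExpectedMembers -notcontains ($_.Name -replace '^.*\\', '') }
}

Find-WritableGpos | Format-Table -AutoSize
Get-UnexpectedLocalAdmins | Format-Table Name, PrincipalSource, ObjectClass -AutoSize
```

A fresh `ModificationTime` and a bumped Computer version on `Default Domain Policy`, followed by a new local admin on domain machines, is exactly the trace the `SharpGPOAbuse` step leaves.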

We use `psexec.py` from Impacket to gain access.

![](https://1575243701-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mg-SvuygW2bF4zu7kiy%2Fuploads%2FPQjJa1KifDAh8cTjfuIT%2Fimage.png?alt=media\&token=f44eb8cc-5fd9-4e32-b5b8-3731df35414b)
