Posts: 57
Threads: 1
Joined: Apr 2024
(Jun 02, 2024, 04:25 PM)iiNovaCore Wrote: I'm stuck with the passwords from the memory dump but can't seem to get a shell with either password that came out of it. How do I get a shell using these? I think the password isn't exactly the same as either of these.
Grab the 3 hives and dump the passwords:
impacket-secretsdump -sam SAM.reghive -system SYSTEM.reghive -security SECURITY.reghive local
Where it says "Unknown User", that is the password for lorra199. You can use RunasCs again or evil-winrm.
I'm currently stuck doing the dcsync.
I have created a new machineaccount with msds-allowedtoactonbehalfofotheridentity and can create a ccache ticket with getST.
But secretsdump keeps failing with STATUS_MORE_PROCESSING_REQUIRED.
Not sure if I'm doing something wrong or something is broken. I also keep having to sync clocks because of clock skew.
Any hints?
Posts: 37
Threads: 1
Joined: Dec 2023
I did it slightly differently, through lkazanof, not lorra199.
(Jun 02, 2024, 02:41 PM)meoami Wrote: webpage -> employer-> admin-> sql_rce-> sql_svc-> mikasa shell-> lorra199 --> AD Recycle Bin --> Generic Write to DC --> Dcsync to Domain ->root
Posts: 13
Threads: 1
Joined: Apr 2024
Is the zip corrupted for everyone??
Posts: 16
Threads: 3
Joined: Jan 2024
mimikatz + windbg find everything for me except lorra's password; volatility has given me the same error every time for 1h30. If anyone can help me, please do, because it's starting to bother me.
Posts: 57
Threads: 1
Joined: Apr 2024
Jun 02, 2024, 05:49 PM
(This post was last modified: Jun 02, 2024, 05:50 PM by ritualist.)
(Jun 02, 2024, 05:41 PM)orwell1984 Wrote: How did you dump the hive? I've tried volatility2, volatility3 and windbg, but I can't dump the hive; I can only get some hashes / passwords with windbg and mimilib.
I have used this tool that somebody linked earlier:
https://github.com/ufrisk/MemProcFS
Then I grabbed the ...MACHINE_SYSTEM.reghive etc. from registry\hive_files.
Posts: 9
Threads: 0
Joined: Jun 2024
(Jun 02, 2024, 02:41 PM)meoami Wrote: webpage -> employer-> admin-> sql_rce-> sql_svc-> mikasa shell-> lorra199 --> AD Recycle Bin --> Generic Write to DC --> Dcsync to Domain ->root
Any hint on what to do with "AD Recycle Bin --> Generic Write to DC --> Dcsync to Domain"?
Posts: 9
Threads: 0
Joined: Jun 2024
(Jun 02, 2024, 06:50 PM)iiNovaCore Wrote: That's where I'm stuck too.
Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *
This can give you a list of deleted objects.
Then you may call Restore-ADObject -identity ***(ObjectGUID)***
I used that for each object from the previous command, and for me it works only for "liza.kazanof"; when I call it again it shows that it's already restored. But now I am stuck and cannot find where it was restored or how to use it.
Posts: 124
Threads: 1
Joined: Apr 2024
(Jun 02, 2024, 06:58 PM)imhitt Wrote: (Jun 02, 2024, 06:50 PM)iiNovaCore Wrote: That's where I'm stuck too.
Get-ADObject -filter 'isdeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects -property *
This can give you a list of deleted objects.
Then you may call Restore-ADObject -identity ***(ObjectGUID)***
I used that for each object from the previous command, and for me it works only for "liza.kazanof"; when I call it again it shows that it's already restored. But now I am stuck and cannot find where it was restored or how to use it.
So you restore liza.kazanof - this is a user in the Backup Operators group - with it you could copy SYSTEM and ntds.dit and use secretsdump. There is a password in the forum for user liza.k; it could be sprayed for liza.kazanof, as I think this is the same "person".
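An added example from the defender's side, not posted by anyone in this thread: the same Get-ADObject query the posts above use, turned into an audit of the AD Recycle Bin that lists where each deleted object came from and flags Backup Operators members that were changed (for instance restored) in the last day. It assumes the ActiveDirectory RSAT module and an account allowed to read deleted objects.

```powershell
# Added audit example (not from the thread). Assumes the ActiveDirectory module
# is available and the caller may read deleted objects in the Recycle Bin.
Import-Module ActiveDirectory

# Deleted objects still held in the Recycle Bin, with the OU they were deleted from.
$deleted = Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
    -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged, objectClass

$deleted | Select-Object Name, objectClass, lastKnownParent, whenChanged | Format-Table -AutoSize

# Backup Operators can read SYSTEM and ntds.dit, so a member of that group that was
# changed recently (a restored account will show a fresh whenChanged) deserves a look.
$since = (Get-Date).AddDays(-1)
$members = Get-ADGroupMember -Identity 'Backup Operators' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties whenChanged, whenCreated }

foreach ($u in ($members | Where-Object { $_.whenChanged -ge $since })) {
    Write-Warning ("Backup Operators member {0} changed at {1} ({2})" -f `
        $u.SamAccountName, $u.whenChanged, $u.DistinguishedName)
}
```

Pair the output with the directory's own change audit (who restored the object and from where) before treating a hit as an incident rather than routine admin work.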
Posts: 1
Threads: 0
Joined: Jun 2024
(Jun 02, 2024, 06:22 PM)imhitt Wrote: (Jun 02, 2024, 02:41 PM)meoami Wrote: webpage -> employer-> admin-> sql_rce-> sql_svc-> mikasa shell-> lorra199 --> AD Recycle Bin --> Generic Write to DC --> Dcsync to Domain ->root
Any hint on what to do with "AD Recycle Bin --> Generic Write to DC --> Dcsync to Domain"?
How do you get lorra?