Nara Walkthrough (Practice-W)+TJ
Keywords: hashgrab and responder, net rpc and evilwinrm, PassTheCert
We start with port scanning; the machine runs SMB, web, DNS, Kerberos and LDAP
With this type of machine, I follow a systematic enumeration approach
SMB:
enum4linux, smbmap, crackmapexec
enum4linux:
Nothing useful
smbmap:
We found a share called “nara”
smbclient:
This confirmed the findings of smbmap
I tried to access the shared drive nara
I opened the Important.txt file and found this message
This means that users access the Documents shared folder and check any new items. So what I'll do is create a link file in the share and use Responder to capture the authentication attempt made when someone clicks the item
To do so, I will use hashgrab here
Start Responder
Now I'll add the file as a link inside the Documents folder on the SMB share
Back in Responder, we have hashes for users
We capture the hash and use hashcat to crack it
I got the password for user tracy.white
Now, with these creds, I'll try to log in using WinRM (port 5985)
The attempt was not successful
I checked the error message online; it means the user is not a member of the ‘Remote Management’ group, so we cannot log in with evil-winrm.
In order to proceed, I need to add the user to the remote management group. After hours of researching, I decided to use ChatGPT to help out, and it suggested the following net rpc command:
net rpc group addmem "Remote Access" "tracy.white" -U "tracy.white%zqwj041FGX" -S 192.168.164.30
And we are in now :)
Inside there was a document with a hash
I did not know whether this was a rabbit hole or not, so initially I ignored it and tried different things such as PowerUp, winPEAS, etc., but AMSI seemed to be removing these files. So I decided to go back and take a deeper look at the code in automation.txt. My initial thought was that this was hex encoding, but it was not; I threw it into CyberChef with Magic, but that was not useful.
I finally resorted to my AI buddy, which mentioned that “DPAPI-encrypted blobs typically start with 01000000 (which is present in your data). This is a signature of DPAPI-encrypted data, indicating the data was encrypted with the user's or machine's security context.” So I went ahead with this theory and asked for PowerShell code to decrypt it, and got the following:
# Read the DPAPI-protected string from the file "enc" and turn it back into a SecureString.
# Without -Key, ConvertTo-SecureString uses DPAPI in the current user's context,
# so this only works when run as the same user account that protected the data.
$pw = Get-Content enc | ConvertTo-SecureString
# Copy the SecureString into an unmanaged BSTR ...
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw)
# ... and read it back as plain text
$unsecuredpassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
Where enc is the name of the file containing the encrypted data
I ran each command on its own and managed to get a password
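The DPAPI signature mentioned above (a blob that starts with 01000000) is only the first field of a fixed header; the 16 bytes that follow it are the DPAPI provider GUID, which is a far stronger check than the version number alone. The parser below is an added example, not code from the original walkthrough: it takes a hex string of the kind ConvertFrom-SecureString writes, confirms the version and provider GUID, and pulls out the master key GUID, the flags (which tell you whether the blob is user-scoped or machine-scoped) and the optional description. The two sample blobs are constructed header-only values, not real data from the machine.

```python
import uuid

# Provider GUID that follows the 4-byte version field in every DPAPI
# (CryptProtectData) blob; in the blob it is stored in little-endian GUID byte order.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")

# CRYPTPROTECT_LOCAL_MACHINE: the blob was protected with the machine's master
# key (any account on that host can decrypt it) rather than one user's key.
CRYPTPROTECT_LOCAL_MACHINE = 0x4

# Constructed sample blobs (header fields only, not real secrets). The first
# mirrors the start of a ConvertFrom-SecureString string: version 1, provider
# GUID, then the master key reference, flags and an empty description.
SAMPLE_USER_BLOB_HEX = (
    "01000000"                           # dwVersion = 1
    "d08c9ddf0115d1118c7a00c04fc297eb"   # provider GUID, little-endian byte order
    "01000000"                           # master key version
    "000102030405060708090a0b0c0d0e0f"   # master key GUID (constructed)
    "00000000"                           # flags = 0 -> user scope
    "00000000"                           # description length = 0
    "0000000000000000"                   # rest of blob omitted (constructed filler)
)
SAMPLE_MACHINE_BLOB_HEX = (
    "01000000"
    "d08c9ddf0115d1118c7a00c04fc297eb"
    "01000000"
    "ffeeddccbbaa99887766554433221100"   # master key GUID (constructed)
    "04000000"                           # flags = CRYPTPROTECT_LOCAL_MACHINE
    "04000000"                           # description length = 4 bytes
    "41000000"                           # description "A" in UTF-16LE plus terminator
    "0000000000000000"                   # constructed filler
)


def parse_dpapi_header(hex_text):
    """Parse the fixed header of a hex-encoded DPAPI blob.

    Returns a dict with the version, provider GUID, master key GUID, flags and
    description, or None when the input is not hex or does not carry the
    DPAPI signature (version 1 followed by the provider GUID).
    """
    cleaned = "".join(hex_text.split())
    try:
        blob = bytes.fromhex(cleaned)
    except ValueError:
        return None
    # version(4) + provider GUID(16) + mk version(4) + mk GUID(16) + flags(4) + desc len(4)
    if len(blob) < 48:
        return None
    version = int.from_bytes(blob[0:4], "little")
    provider = uuid.UUID(bytes_le=blob[4:20])
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        return None
    master_key_guid = uuid.UUID(bytes_le=blob[24:40])
    flags = int.from_bytes(blob[40:44], "little")
    desc_len = int.from_bytes(blob[44:48], "little")
    description = blob[48:48 + desc_len].decode("utf-16-le", errors="replace").rstrip("\x00")
    return {
        "version": version,
        "provider_guid": str(provider),
        "master_key_guid": str(master_key_guid),
        "flags": flags,
        "machine_scope": bool(flags & CRYPTPROTECT_LOCAL_MACHINE),
        "description": description,
    }


def is_dpapi_blob(hex_text):
    """True when the hex text starts with a DPAPI blob header."""
    return parse_dpapi_header(hex_text) is not None


if __name__ == "__main__":
    for label, sample in (("user", SAMPLE_USER_BLOB_HEX), ("machine", SAMPLE_MACHINE_BLOB_HEX)):
        print(label, parse_dpapi_header(sample))
    print("plain hex:", is_dpapi_blob("48656c6c6f"))
```

The master key GUID names which DPAPI master key file protects the blob, and the scope flag explains why the PowerShell one-liner above works at all: a user-scoped blob decrypts only under the account whose master key protected it, while a machine-scoped blob decrypts for any account on that host. From the defender's side, that is the finding to write up: a DPAPI-protected credential left in a readable file is only as safe as the account (or machine) context an intruder can reach.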
I then used impacket-samrdump to get a list of users and put them in a text file
Now, I used crackmapexec to run a password spraying attack
And we have new creds: jodie.summers:hHO_S9gff7ehXw
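A spray like the one above has a distinctive shape in the domain controller's failed-logon records: one source tries many different accounts in a short window, whereas a user who mistypes a password fails repeatedly on a single account. The detector below is an added example written from the defender's side, not part of the original walkthrough; it assumes a simplified one-line-per-event export of Event ID 4625 (the field names follow the Windows event schema, the line format is constructed) and the sample lines are constructed, not real logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of failed-logon records (in the style of Windows Event ID
# 4625 exported as one line per event); these are not real logs.
SAMPLE_LOG_LINES = [
    "2024-01-10T09:00:01 EventID=4625 IpAddress=10.0.0.50 TargetUserName=tracy.white",
    "2024-01-10T09:00:02 EventID=4625 IpAddress=10.0.0.50 TargetUserName=jodie.summers",
    "2024-01-10T09:00:02 EventID=4625 IpAddress=10.0.0.50 TargetUserName=helpdesk01",
    "2024-01-10T09:00:03 EventID=4625 IpAddress=10.0.0.50 TargetUserName=svc_backup",
    "2024-01-10T09:00:04 EventID=4625 IpAddress=10.0.0.50 TargetUserName=bob.jones",
    "2024-01-10T09:00:05 EventID=4625 IpAddress=10.0.0.50 TargetUserName=alice.green",
    "2024-01-10T09:00:06 EventID=4624 IpAddress=10.0.0.50 TargetUserName=jodie.summers",
    # A user mistyping their own password a few times is not a spray.
    "2024-01-10T09:01:00 EventID=4625 IpAddress=10.0.0.77 TargetUserName=bob.jones",
    "2024-01-10T09:01:30 EventID=4625 IpAddress=10.0.0.77 TargetUserName=bob.jones",
    "2024-01-10T09:02:00 EventID=4625 IpAddress=10.0.0.77 TargetUserName=bob.jones",
]

LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<fields>.*)$")


def parse_events(lines):
    """Turn the one-line records into dicts with a datetime, event id, source and user."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
        try:
            events.append({
                "time": datetime.fromisoformat(m.group("time")),
                "event_id": int(fields.get("EventID", 0)),
                "source": fields.get("IpAddress", "-"),
                "user": fields.get("TargetUserName", "-").lower(),
            })
        except ValueError:
            continue  # skip malformed timestamps or event ids
    return events


def detect_password_spray(events, window_seconds=300, min_distinct_users=5):
    """Flag sources whose failed logons hit many distinct accounts inside a window.

    Password spraying is one password tried against many users, so the signal is
    the number of distinct target users per source, not the failure count per user.
    Returns one alert per offending source, describing its busiest window.
    """
    by_source = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            by_source[ev["source"]].append(ev)
    alerts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        best = None
        for i, start in enumerate(evs):
            users = set()
            for ev in evs[i:]:
                if (ev["time"] - start["time"]).total_seconds() > window_seconds:
                    break
                users.add(ev["user"])
            if len(users) >= min_distinct_users and (best is None or len(users) > best["distinct_users"]):
                best = {
                    "source": source,
                    "distinct_users": len(users),
                    "window_start": start["time"].isoformat(),
                    "users": sorted(users),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_events(SAMPLE_LOG_LINES)):
        print(alert)
```

Because the crackmapexec spray runs from one host against a list of users, counting distinct target accounts per source IP catches it even when each account only sees a single failure and no lockout threshold is ever reached; the thresholds are assumptions to tune for the environment.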
I tried RunAs, but it was blocked by the AV
I resorted to evil-winrm once again. This time the user was in the remote management group
Installed certipy
Then requested a certificate for the Administrator account
Now having the certificate, I tried to authenticate
The error means the DC is not set up for PKINIT. According to this post from SpecterOps, this happens “when a domain controller doesn’t have a certificate installed for smart cards”; specifically, “the DC isn’t properly set up for PKINIT and authentication will fail”.
I followed the steps here
Installed PassTheCert
and ran it
Now I'll add the user to the Administrators group
Now I'll use evil-winrm again
And we could access the Administrator account
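Both privilege steps in this walkthrough, adding tracy.white to the remote management group with net rpc and adding the user to the Administrators group after PassTheCert, are group membership changes, and a domain controller with "Audit Security Group Management" enabled records each one as Event ID 4728, 4732 or 4756 (member added to a global, local or universal security group). The triage function below is an added example written from the defender's side, not code from the walkthrough or from the tools it uses; it assumes a simplified SIEM export where subject, member and group are plain account and group names, and the sample events are constructed. "Remote Management Users" is the name of the built-in group that grants WinRM access.

```python
# Constructed sample of security-group management events as a SIEM might export
# them (Windows Event IDs 4728/4732/4756: member added to a security-enabled
# global/local/universal group). Not real logs; names are simplified to plain
# account and group names rather than the DNs/SIDs in the raw events.
SAMPLE_GROUP_EVENTS = [
    {"event_id": 4732, "time": "2024-01-10T09:05:00", "computer": "DC01",
     "subject": "tracy.white", "member": "tracy.white", "group": "Remote Management Users"},
    {"event_id": 4728, "time": "2024-01-10T09:20:00", "computer": "DC01",
     "subject": "helpdesk01", "member": "alice.green", "group": "Marketing"},
    {"event_id": 4732, "time": "2024-01-10T09:45:00", "computer": "DC01",
     "subject": "Administrator", "member": "jodie.summers", "group": "Administrators"},
    {"event_id": 4624, "time": "2024-01-10T09:46:00", "computer": "DC01",
     "subject": "jodie.summers", "member": "", "group": ""},
]

GROUP_ADD_EVENT_IDS = {4728, 4732, 4756}

# Groups whose membership changes deserve review. "Remote Management Users" is
# the built-in group that grants WinRM access; the others are admin tiers.
SENSITIVE_GROUPS = {
    "administrators": "high",
    "domain admins": "high",
    "enterprise admins": "high",
    "remote management users": "medium",
    "remote desktop users": "medium",
}


def flag_sensitive_group_changes(events):
    """Return alerts for additions to sensitive groups.

    Severity is raised to "high" when the subject added itself (subject == member):
    that is what a group add performed with the member's own credentials looks
    like, with nobody holding delegated rights acting on their behalf.
    """
    alerts = []
    for ev in events:
        if ev.get("event_id") not in GROUP_ADD_EVENT_IDS:
            continue
        group = ev.get("group", "").strip().lower()
        severity = SENSITIVE_GROUPS.get(group)
        if severity is None:
            continue
        self_add = ev.get("subject", "").lower() == ev.get("member", "").lower()
        if self_add:
            severity = "high"
        alerts.append({
            "time": ev["time"],
            "computer": ev.get("computer", "-"),
            "group": ev["group"],
            "member": ev["member"],
            "subject": ev["subject"],
            "self_add": self_add,
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_sensitive_group_changes(SAMPLE_GROUP_EVENTS):
        print(alert)
```

The self-add case is worth its own rule: an ordinary user appearing as both subject and new member of Remote Management Users, as tracy.white would in the net rpc step, is a change no help desk process produces, and a plain user being able to make it at all points to over-permissive rights on the group that should be fixed alongside the alert.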
Reference: