HTB-RESOLUTE-WALKTHROUGH



1. Starting with the Nmap scan, the open ports are:
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-08 07:43:49Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
 

2. Anonymous login over SMB is disabled, so I enumerated the users and domain information through LDAP instead, using the ldap3 Python module.

from ldap3 import Server, Connection, ALL, ALL_ATTRIBUTES

# Anonymous (unauthenticated) bind; get_info=ALL also pulls the RootDSE and schema.
server = Server('10.10.10.169', get_info=ALL)
conn = Connection(server)
conn.bind()
print(server.info)   # this gives the domain name and other details

# This enumerates all user objects and their readable attributes.
conn.search(search_base='DC=MEGABANK,DC=LOCAL',
            search_filter='(&(objectClass=user))',
            search_scope='SUBTREE',
            attributes=ALL_ATTRIBUTES)
for entry in conn.entries:
    print(entry)

I added these user names (first names only) to user.txt.


3. Then I added the host name, Resolute.megabank.local, to /etc/hosts.
4. For further enumeration I used enum4linux, which shows that the password for marcus is Welcome123!.
Logging in with these credentials failed with an authentication error, so I sprayed this password against the other users with smb_login (Metasploit). That identified the user it actually belongs to: 'melanie'.



5. I then got a shell as 'melanie' through evil-winrm and grabbed the user flag.


6. This user does not have many privileges. With further enumeration I found a hidden file under C:/PSTranscripts/20191203 that contains the credentials of another user, 'Ryan'.
Hidden files only show up with Get-ChildItem -Force (or ls -Force).

Creds:
Username: ryan
Password: Serv3r4Admin4cc123!
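Because a PowerShell transcript records whatever was typed at the prompt, the defender's follow-up to this finding is to audit the transcript directory for credentials before anyone else does. The script below is an added example, not part of the walkthrough; it assumes the PSTranscripts folder holds PowerShell transcripts saved as .txt files, and the sample transcript and the secrets in it are constructed placeholders, not values from the box.

```python
import re
from pathlib import Path

# Command shapes that put a credential on the command line, so a transcript
# written by Start-Transcript records the secret verbatim.
CREDENTIAL_RULES = [
    ("net use with /user:", re.compile(r"\bnet\s+use\b.*/user:", re.I)),
    ("ConvertTo-SecureString -AsPlainText",
     re.compile(r"\bConvertTo-SecureString\b.*-AsPlainText", re.I)),
    # A literal (not a $variable) handed to a -Password style parameter.
    ("literal -Password argument",
     re.compile(r"\s-(?:Password|Pass|Pwd)\s+['\"]?[^\s'\"$]", re.I)),
]

# Constructed transcript for offline testing; the account name mirrors the
# walkthrough, the secrets are placeholders, not values from the box.
SAMPLE_TRANSCRIPT = r"""
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
**********************
PS>net use X: \\fileserver\share P@ssw0rd-EXAMPLE /user:MEGABANK\ryan
PS>Get-ChildItem X:\
PS>$s = ConvertTo-SecureString 'AnotherSecret-EXAMPLE' -AsPlainText -Force
PS>Write-Host "done"
**********************
Windows PowerShell transcript end
""".lstrip("\n")

def find_credential_lines(text):
    """Return (line_number, rule_name, line) for each line matching a rule."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, pattern in CREDENTIAL_RULES:
            if pattern.search(line):
                hits.append((number, name, line.strip()))
                break  # one finding per line is enough
    return hits

def scan_transcript_dir(root):
    """Map each transcript under root (e.g. the PSTranscripts folder) to its hits.
    pathlib does not skip files with the Hidden attribute, so this covers what
    Get-ChildItem only shows with -Force."""
    findings = {}
    for path in Path(root).rglob("*.txt"):
        hits = find_credential_lines(path.read_text(errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings
```

Run scan_transcript_dir(r'C:\PSTranscripts') on the host and rotate every credential it reports; on the sample text, find_credential_lines flags lines 6 and 8.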


7. With Ryan's credentials I logged in through evil-winrm and checked the privileges with whoami /all. One group membership stood out:
 MEGABANK\DnsAdmins.


8. Searching for this group, I found a way to get code execution through DLL injection into the DNS service. I came across some well-written blogs.
The blog below is sufficient to escalate to administrator privileges.
blog: https://medium.com/techzap/dns-admin-privesc-in-active-directory-ad-windows-ecc7ed5a21a2

9. From the HTB forum I learned that the anti-virus or firewall on the machine deletes the DLL file as soon as it is written to disk, so instead of storing it locally, host it on an SMB share on your own machine and have the box load the DLL from there. For this I used Impacket's smbserver.py.
Follow the article properly and you get the shell.




References:

1. LDAP Enumeration: https://v1ew-s0urce.blogspot.com/2020/04/ldap-exploitation-with-python.html
2. DLL Injection: https://medium.com/techzap/dns-admin-privesc-in-active-directory-ad-windows-ecc7ed5a21a2
