DC01
Configuration:

We first click the Download button to download it:

Unzip it once the download finishes:

Let's open it in VirtualBox:


Then, to configure the network, we go to Network:

And create a new NAT network:


Now we change the network interface of both the DC machine and our Kali machine so they can reach each other:


Then we start both of them:
When this pane appears in DC01, we leave it and switch to our Kali machine to start hacking:

Enumeration:
Get our IP, then sweep the subnet for SMB to see which other IP is up:


Here is the IP of the target machine.
Before anything else, let's add this IP to the hosts file:


Let's run an nmap scan to find all open ports on the target:
nmap: Network Mapper, used to scan IPs and ports.
-sC: Run the default nmap scripts.
-sV: Enumerate service versions.
--min-rate 4000: Speed up the scan.
-oN nmap/allports: Write the output in normal format.
-vv: Increase verbosity.

It is an Active Directory machine.
Starting with SMB (445):
Check if anonymous login is allowed:
smb: The protocol we want to use.
-u: The username to authenticate with.
-p: The user's password.

Access denied.
Let's try with the guest account:

We have access as the guest user.
Now let's see which shares we have read/write access to:

We have read access to the IPC$ share, which is the default and not interesting.
OK, let's dump the users, since we have access to IPC$:

It seems we cannot, so let's try --rid-brute:
--rid-brute: Perform RID (Relative Identifier) brute-forcing, cycling through RIDs and resolving each to an account name (e.g. 500: Administrator, 1103: bmark0, etc.).
We dumped the users:

Redirect the result to a file and filter it to keep only the usernames.
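To make sense of what RID brute-forcing returns, here is an added example (not code from the original write-up) that parses Windows SIDs, splits the domain SID from the RID, labels the well-known RIDs such as 500 and 502, and round-trips the binary objectSid layout. The domain SID used in the demo is constructed; the RIDs 500 and 1103 are the ones the write-up mentions.

```python
# Added example (not from the original write-up): parse Windows SIDs, split
# the domain SID from the RID, and label well-known RIDs the way a RID-cycling
# result is read (500 = Administrator, 1103 = bmark0 on this box).
import struct

# Well-known RIDs that are the same in every domain (subset, from Microsoft's
# well-known SID documentation). RIDs >= 1000 are objects the domain created
# itself, e.g. ordinary users and groups.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}


def parse_sid(sid: str):
    """Split 'S-1-5-21-a-b-c-rid' into (revision, identifier_authority, [sub_authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    sub_authorities = [int(p) for p in parts[3:]]
    return revision, authority, sub_authorities


def split_domain_rid(sid: str):
    """Return (domain_sid, rid). The RID is always the last sub-authority."""
    revision, authority, subs = parse_sid(sid)
    if len(subs) < 2:
        raise ValueError(f"SID has no RID component: {sid!r}")
    domain_sid = "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs[:-1]))
    return domain_sid, subs[-1]


def label_rid(rid: int) -> str:
    """Name a RID: well-known account/group, reserved range, or domain-created."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid < 1000:
        return "reserved/built-in"
    return "domain-created object"


def sid_to_bytes(sid: str) -> bytes:
    """Encode a SID in the binary layout stored in the LDAP objectSid attribute:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes big-endian), then each sub-authority as a little-endian uint32."""
    revision, authority, subs = parse_sid(sid)
    header = struct.pack(">BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(data: bytes) -> str:
    """Decode the binary objectSid layout back into the S-1-... string form."""
    revision, count = struct.unpack_from(">BB", data, 0)
    authority = int.from_bytes(data[2:8], "big")
    if len(data) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


if __name__ == "__main__":
    # Constructed domain SID; the RIDs are the ones mentioned in the write-up.
    domain = "S-1-5-21-1004336348-1177238915-682003330"
    for rid in (500, 502, 512, 1103):
        sid = f"{domain}-{rid}"
        print(sid, "->", label_rid(rid))
    assert bytes_to_sid(sid_to_bytes(domain + "-500")) == domain + "-500"
```

Because the domain SID is the same for every account, RID cycling only needs one resolved SID to derive the rest, which is why a single guest-level IPC$ session was enough here; from the defensive side, LSARPC lookups of sequential RIDs from a guest session are the pattern to alert on, and disabling the guest account removes the foothold entirely.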

At this point we can perform several attacks, such as password spraying if we have a password, or AS-REP Roasting to get TGTs.
Exploitation:
Let's try a password spray where the password is the same as the username:
--no-bruteforce: Only pair each username with the password on the same row.
--continue-on-success: Do not stop the attack once valid credentials are found.
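The spray above works because it sends one guess per account, which never trips per-account lockout. As an added example (not code from the original write-up), the detector below shows the signal a defender looks for instead: one source failing against many distinct accounts inside a short window, followed by a success from the same source. The log format, host names and account names (other than bmark0 and ybob317, which appear in the write-up) are constructed for this example; the event IDs and NTSTATUS codes are the real Windows values.

```python
# Added example (not from the original write-up): flag password spraying in
# constructed, simplified Windows logon records. The line layout is an
# assumption for this example, not a real event format; the event IDs
# (4625 = failed logon, 4624 = successful logon) and NTSTATUS codes
# (0xC000006A = wrong password, 0xC0000064 = no such user) are real.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUser=(?P<user>\S+) "
    r"SourceIP=(?P<ip>\S+)(?: Status=(?P<status>0x[0-9A-Fa-f]+))?$"
)

# Constructed sample: one source tries one password against six accounts in
# a few seconds and later logs on as one of them; another source is a user
# mistyping their own password three times (not a spray).
SAMPLE_LOG = """\
2024-05-01T09:00:01 EventID=4625 TargetUser=bmark0 SourceIP=10.0.2.15 Status=0xC000006A
2024-05-01T09:00:02 EventID=4625 TargetUser=ybob317 SourceIP=10.0.2.15 Status=0xC000006A
2024-05-01T09:00:03 EventID=4625 TargetUser=asmith SourceIP=10.0.2.15 Status=0xC000006A
2024-05-01T09:00:04 EventID=4625 TargetUser=jdoe SourceIP=10.0.2.15 Status=0xC000006A
2024-05-01T09:00:05 EventID=4625 TargetUser=svc_backup SourceIP=10.0.2.15 Status=0xC000006A
2024-05-01T09:00:06 EventID=4625 TargetUser=nosuchuser SourceIP=10.0.2.15 Status=0xC0000064
2024-05-01T09:00:40 EventID=4624 TargetUser=jdoe SourceIP=10.0.2.15
2024-05-01T09:10:00 EventID=4625 TargetUser=clee SourceIP=10.0.2.30 Status=0xC000006A
2024-05-01T09:10:05 EventID=4625 TargetUser=clee SourceIP=10.0.2.30 Status=0xC000006A
2024-05-01T09:10:09 EventID=4625 TargetUser=clee SourceIP=10.0.2.30 Status=0xC000006A
"""


def parse_line(line: str):
    """Parse one constructed record; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["eid"] = int(rec["eid"])
    return rec


def detect_spray(log_text: str, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: finding} for every source that failed against at
    least `min_accounts` distinct accounts inside one `window`. A spray is
    'few attempts per account, many accounts per source', the inverse of
    classic brute force, which is why per-account lockout does not catch it."""
    events = [r for r in map(parse_line, log_text.splitlines()) if r]
    events.sort(key=lambda r: r["ts"])
    failures, successes = defaultdict(list), defaultdict(list)
    for r in events:
        if r["eid"] == 4625:
            failures[r["ip"]].append(r)
        elif r["eid"] == 4624:
            successes[r["ip"]].append(r)

    findings = {}
    for ip, evs in failures.items():
        best, start = 0, 0
        for end in range(len(evs)):
            # slide the window start forward until evs[start:end+1] spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, len({e["user"] for e in evs[start:end + 1]}))
        if best >= min_accounts:
            first_fail = evs[0]["ts"]
            findings[ip] = {
                "distinct_accounts": best,
                # guesses against non-existent users betray a list-driven spray
                "unknown_accounts": sorted({e["user"] for e in evs if e["status"] == "0xC0000064"}),
                # a logon from the spraying source after the failures is the compromised account
                "later_successes": sorted({s["user"] for s in successes[ip] if s["ts"] > first_fail}),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_LOG).items():
        print(ip, info)
```

On a real domain controller the same logic runs over Security log events 4625/4624 (or 4771/4768 for Kerberos pre-authentication failures); the threshold and window are tunables, and the "unknown_accounts" field is useful because a spray driven by a dumped user list tends to include accounts that no longer exist.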


We got these credentials.
Let's perform a Kerberoasting attack, since we have valid credentials:

We got "clock skew too great": if the system clocks of the client and the KDC differ by more than the allowed limit (5 minutes by default), authentication fails with this error.
So we need to sync our Kali system clock with the target's NTP server:
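To show what that sync actually measures, here is an added example (not code from the original write-up) that builds an NTP client request, parses the reply, computes the clock offset the standard way and checks it against the 5-minute Kerberos tolerance. The packet layout follows RFC 5905; the server reply in the demo is constructed so the code runs offline, and the `measure_offset` helper for querying a live server is an addition that the tests do not exercise.

```python
# Added example (not from the original write-up): build an NTP client request,
# parse the server's reply, compute the clock offset and judge it against the
# Kerberos default 5-minute tolerance. Packet layout per RFC 5905; the reply
# used in the demo is constructed so the example runs offline.
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 and 1970-01-01
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion, ref id,
# then reference / origin / receive / transmit timestamps (64-bit each)
NTP_PACKET = "!BBBbIIIQQQQ"
KERBEROS_MAX_SKEW = 300.0       # seconds; the KDC default the write-up runs into


def to_ntp(unix_time: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32-bit seconds since 1900 | 32-bit fraction)."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return (secs << 32) | frac


def from_ntp(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1: float) -> bytes:
    """Client packet: version 4, mode 3 (client), our send time in the transmit field."""
    return struct.pack(NTP_PACKET, (4 << 3) | 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1))


def build_server_reply(request: bytes, t2: float, t3: float) -> bytes:
    """Constructed server reply for offline use: mode 4, echoes our transmit
    time as origin, and stamps when it received (t2) and answered (t3)."""
    origin = struct.unpack_from(NTP_PACKET, request)[10]
    return struct.pack(NTP_PACKET, (4 << 3) | 4, 2, 0, 0, 0, 0, 0, 0, origin, to_ntp(t2), to_ntp(t3))


def parse_reply(data: bytes) -> dict:
    fields = struct.unpack_from(NTP_PACKET, data)
    mode = fields[0] & 0x7
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    return {"origin": from_ntp(fields[8]), "receive": from_ntp(fields[9]), "transmit": from_ntp(fields[10])}


def clock_offset(t1: float, reply: dict, t4: float) -> float:
    """Standard NTP offset ((t2 - t1) + (t3 - t4)) / 2; positive means the
    server's clock is ahead of ours. t1 and t4 are our own send/receive times,
    so symmetric network delay cancels out."""
    return ((reply["receive"] - t1) + (reply["transmit"] - t4)) / 2


def kerberos_clock_ok(offset: float, max_skew: float = KERBEROS_MAX_SKEW) -> bool:
    """True if the KDC would accept our timestamps under the default skew limit."""
    return abs(offset) <= max_skew


def measure_offset(host: str, timeout: float = 2.0) -> float:
    """Live measurement against a KDC/NTP server on UDP 123 (not used by the tests)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (host, 123))
        data, _ = s.recvfrom(1024)
        t4 = time.time()
    return clock_offset(t1, parse_reply(data), t4)


if __name__ == "__main__":
    # Constructed exchange: server clock 400 s ahead of ours, ~20 ms round trip.
    t1 = 1_700_000_000.0
    reply = build_server_reply(build_request(t1), t1 + 400.010, t1 + 400.011)
    off = clock_offset(t1, parse_reply(reply), t1 + 0.021)
    print(f"offset {off:+.3f}s, within Kerberos tolerance: {kerberos_clock_ok(off)}")
```

The skew check is deliberately symmetric: a client 6 minutes behind fails exactly like one 6 minutes ahead, because the KDC compares the authenticator timestamp against its own clock in both directions. On the defensive side, the same error surfaces in the KDC log as a pre-authentication failure with a skew error code, so a burst of those from one host is worth a look.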

Now perform the attack again:

We got the TGS hashes for those users; now let's try to crack them:

It detected the hash type automatically.

Only one hash cracked, the one for the user file_svc, and the password is Password123!!.
If we check the shares again with these credentials:

We have read access to the backup share, so let's authenticate to that share with smbclient:

There is only one txt file, which contains NTLM hashes.
Post-Exploitation:
Check whether any of them are still valid:

The fileserver machine account is valid and is an admin.
Let's perform DCSync to dump all domain users' hashes:
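DCSync succeeds because the account holds the directory replication rights that only domain controllers normally use, and that is also how it is detected. The following is an added example (not code from the original write-up): it scans constructed, simplified directory-service access records for replication rights used by any account that is not a known domain controller. Event ID 4662 and the two control-access-right GUIDs are the real Windows values; the line layout, the second DC (DC02$) and the non-replication GUID are constructed for this example, while fileserver and ybob317 are names from the write-up.

```python
# Added example (not from the original write-up): spot DCSync-style replication
# in constructed, simplified directory-service access records. Event ID 4662
# and the two extended-right GUIDs are real; the record layout, DC02$ and the
# unrelated property GUID below are assumptions made for this example.
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4662 Subject=(?P<subject>\S+) "
    r"ObjectType=(?P<otype>\S+) Properties=(?P<props>\S+)$"
)

# Constructed sample. Replication by a domain controller's computer account is
# normal; a member server's account (fileserver$) pulling both replication
# rights is the DCSync pattern. The last line uses a placeholder GUID that is
# not a replication right, to show an ordinary 4662 is ignored.
SAMPLE_LOG = """\
2024-05-01T10:00:00 EventID=4662 Subject=DC02$ ObjectType=domainDNS Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
2024-05-01T10:05:12 EventID=4662 Subject=fileserver$ ObjectType=domainDNS Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
2024-05-01T10:06:00 EventID=4662 Subject=ybob317 ObjectType=user Properties=aaaaaaaa-0000-0000-0000-000000000001
"""


def parse_line(line: str):
    """Parse one constructed 4662 record; None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["props"] = set(rec["props"].split(";"))
    return rec


def detect_dcsync(log_text: str, known_dcs):
    """Return one finding per 4662 event whose subject exercised a replication
    right without being a known domain controller computer account.
    Get-Changes-All is the right that actually lets secrets be pulled, so its
    presence raises the severity."""
    allowed = {name.upper() for name in known_dcs}
    findings = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        rights = sorted(REPLICATION_RIGHTS[g] for g in rec["props"] & set(REPLICATION_RIGHTS))
        if not rights or rec["subject"].upper() in allowed:
            continue
        findings.append({
            "ts": rec["ts"],
            "subject": rec["subject"],
            "rights": rights,
            "severity": "high" if "DS-Replication-Get-Changes-All" in rights else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_LOG, known_dcs={"DC02$"}):
        print(f)
```

In production the allowlist needs every DC computer account plus any directory-sync service account that legitimately replicates (for example an Azure AD Connect account), and the fix for the underlying exposure is to audit who holds DS-Replication-Get-Changes-All on the domain head and strip it from everything that is not a DC or one of those sync accounts.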

This is the domain administrator's NTLM hash; we can authenticate with it via psexec, winrm or wmi:

Here is the root flag; the user flag is in ybob317's Desktop folder.