Enumeration

Nmap

Nmap scan results showed services like LDAP and Kerberos, which are commonly used in Active Directory. This indicates the target is likely a Domain Controller.

00 - nmap

SMB Shares

SMB enumeration showed that a share granted read access through a null session, which is unusual.

01 - smb shares

Using smbclient, I connected to the share and found numerous Windows executable files; however, one of them appeared unusual.

02 - smbclient

Reverse Engineering

I downloaded the UserInfo.exe file and reverse engineered it using ILSpy. The analysis revealed a hardcoded username and an encrypted password, along with the decryption algorithm embedded within the binary.

03 - user and passw

04 - encrypted password

I re-implemented the decryption algorithm in Python to successfully recover the user’s plaintext password.

05 - decrypted password

Exploitation

BloodHound

Since obtaining a shell was not possible, I used the recovered credentials to run BloodHound-python for further enumeration.

06 - bloodhound python

After analyzing the BloodHound data, I discovered that the ‘support’ user has GenericAll privileges over the Domain Controller computer object.

07 - generic all

08 - found target

LdapSearch

BloodHound did not reveal any further actionable information. I then used ldapsearch with the recovered user credentials to query information related to the ‘support’ account. Within the info attribute, I identified an unusual string, which I later confirmed to be the password.

09 - got the user password

10 - user flag
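As an added defender's example (not code from the original writeup), the Python script below audits constructed sample data for the two weaknesses found above: a write-level ACE such as GenericAll held by a non-admin principal over a computer object, and a password-like string left in a free-text attribute such as info. The data layout, the names, the expected-principal baseline and the password heuristic are assumptions.

```python
# Rights that let the holder modify the target object's attributes or security descriptor.
WRITE_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "Owns"}
# Principals expected to hold such rights over a domain controller (assumed baseline).
EXPECTED_PRINCIPALS = {"DOMAIN ADMINS", "ENTERPRISE ADMINS", "ADMINISTRATORS", "SYSTEM"}
# Free-text attributes that are sometimes (mis)used for notes or credentials.
FREETEXT_ATTRS = {"info", "description", "comment"}

# Constructed, simplified BloodHound-style computer entry (not the page's export).
SAMPLE_COMPUTERS = [
    {"name": "DC.EXAMPLE.LOCAL", "aces": [
        {"principal": "DOMAIN ADMINS", "right": "GenericAll"},
        {"principal": "support", "right": "GenericAll"},
    ]},
]
# Constructed ldapsearch-style LDIF output (not the real box's data).
SAMPLE_LDIF = """dn: CN=support,CN=Users,DC=example,DC=local
sAMAccountName: support
description: Service desk account
info: Summer2024!Temp
"""

def find_risky_aces(computers):
    """Return (computer, principal, right) for write-level ACEs held by unexpected principals."""
    hits = []
    for comp in computers:
        for ace in comp["aces"]:
            if ace["right"] in WRITE_RIGHTS and ace["principal"].upper() not in EXPECTED_PRINCIPALS:
                hits.append((comp["name"], ace["principal"], ace["right"]))
    return hits

def looks_like_password(token):
    """Heuristic: 8+ chars mixing letters with digits or symbols; expect some false positives."""
    if len(token) < 8:
        return False
    has_letter = any(c.isalpha() for c in token)
    has_other = any(c.isdigit() or not c.isalnum() for c in token)
    return has_letter and has_other

def find_password_like_attrs(ldif_text):
    """Return (dn, attribute, token) for free-text values holding a password-like token."""
    hits, dn = [], None
    for line in ldif_text.splitlines():
        if ": " not in line:
            continue
        attr, value = line.split(": ", 1)
        if attr == "dn":
            dn = value
        elif attr.lower() in FREETEXT_ATTRS:
            hits.extend((dn, attr, tok) for tok in value.split() if looks_like_password(tok))
    return hits
```

Both findings are the kind of thing a periodic AD hygiene check should surface before an attacker does: review any hit from find_risky_aces against the intended delegation model, and treat any hit from find_password_like_attrs as a credential that needs rotating.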

Privilege Escalation

First Way

At this point, it was confirmed that the user had PSRemote access and GenericAll privileges over the Domain Controller computer object. I proceeded to exploit this using an administrator delegation attack. By following the necessary steps and leveraging tools such as PowerMad, PowerView, and Rubeus, I was able to obtain a Kerberos TGT for the administrator account.

11 - privesc part 1

12 - privesc part2

Using the obtained Kerberos ticket, I authenticated with psexec.py via Kerberos and successfully gained a shell on the Domain Controller, ultimately retrieving the root flag.

13 - got the admin

Second Way

An alternative privilege escalation method involved resetting the Domain Controller computer account password, authenticating using the updated credentials, dumping the NTDS.dit database, and then performing a pass-the-hash attack to obtain administrator access.

14 - second way

15 - dump

16 - gg

Pwned

With full administrative access achieved, the machine was effectively compromised.

pwned
