Enumeration

Nmap

The Nmap scan revealed open ports for SMB, LDAP, and Kerberos, which likely indicates that the target is a Domain Controller.

00 - nmap
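The "SMB + LDAP + Kerberos = probably a Domain Controller" inference above is the kind of triage a defender runs over their own scan output to confirm which hosts are DCs and which management ports they expose. The following Python script is an added example (not part of this write-up) that parses Nmap's XML output and applies that rule; the XML embedded in it is constructed, and the addresses, hostnames and port list are placeholders rather than anything from the target.

```python
"""Triage an Nmap XML report: flag hosts that look like Domain Controllers.

Added example, not from the original write-up. The XML below is constructed
to mirror the port pattern described in the text; addresses and hostnames
are placeholders.
"""
import xml.etree.ElementTree as ET

# Ports whose combination is characteristic of an Active Directory DC.
DC_SIGNATURE = {88: "kerberos", 389: "ldap", 445: "smb"}
# Management/directory ports worth an exposure review when open.
WATCHLIST = {636: "ldaps", 3268: "gc", 3269: "gc-ssl",
             5985: "winrm-http", 5986: "winrm-https"}

# Constructed sample: one DC-like host, one workstation-like host.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="dc01.example.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="53"><state state="open"/><service name="domain"/></port>
      <port protocol="tcp" portid="88"><state state="open"/><service name="kerberos-sec"/></port>
      <port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="5986"><state state="open"/><service name="wsmans"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host>
    <address addr="10.0.0.20" addrtype="ipv4"/>
    <hostnames><hostname name="ws01.example.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="5985"><state state="open"/><service name="wsman"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Return {ipv4: {"hostname": str, "open_tcp": set[int]}} from Nmap XML."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        name_el = host.find("hostnames/hostname")
        hostname = name_el.get("name") if name_el is not None else ""
        open_tcp = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            # Only count TCP ports Nmap reports as open; closed/filtered are ignored.
            if port.get("protocol") == "tcp" and state is not None and state.get("state") == "open":
                open_tcp.add(int(port.get("portid")))
        hosts[addr_el.get("addr")] = {"hostname": hostname, "open_tcp": open_tcp}
    return hosts


def triage(hosts):
    """Mark a host as a likely DC when every signature port is open; list watchlist hits."""
    findings = {}
    for addr, info in hosts.items():
        open_tcp = info["open_tcp"]
        findings[addr] = {
            "hostname": info["hostname"],
            "likely_dc": set(DC_SIGNATURE) <= open_tcp,
            "watchlist": sorted(WATCHLIST[p] for p in open_tcp if p in WATCHLIST),
        }
    return findings


if __name__ == "__main__":
    for addr, f in triage(parse_hosts(SAMPLE_NMAP_XML)).items():
        tag = "LIKELY-DC" if f["likely_dc"] else "host"
        exposed = ", ".join(f["watchlist"]) or "-"
        print(f"{addr:<12} {f['hostname']:<22} {tag:<10} exposed: {exposed}")
```

Run it against a real report with `nmap -oX scan.xml ...` and pass the file contents to `parse_hosts`; a host that is tagged as a DC and also shows WinRM reachable from a scanning position that should not be able to manage it is the finding to chase.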

SMB

Enumerating SMB shares revealed that a null session login was permitted. Among the accessible shares was a ZIP file, which appeared to be encrypted.

01 - smb shares

Cracking with John

Using zip2john followed by john with the rockyou.txt wordlist, the password for the ZIP file was successfully cracked, revealing a .pfx file. Then, by applying pfx2john and cracking it again with john, the password for the PFX file was recovered.

02 - cracked zip

03 - cracked pfx

This allowed the extraction of the certificate and the associated private key.

04 - certificate

05 - key

Exploitation

Next, I reviewed the available options for Evil-WinRM. Since the service was running over HTTPS on port 5986, I used the -S flag. To authenticate using the previously extracted credentials, I supplied the private key and certificate with the -k (private key) and -c (certificate) options respectively.

06 - options

By running Evil-WinRM with the extracted certificate and private key over HTTPS (-S), access was successfully obtained to the remote system, resulting in a shell as the user.

07 - user

Privilege Escalation

Initially, I was unable to run WinPEAS on the target system due to execution restrictions. However, by leveraging one of the techniques described in this article on creative UAC bypass methods, I successfully executed WinPEAS. The tool revealed the presence of a PowerShell history file, which could potentially contain sensitive commands or credentials.

08 - uac

The PowerShell history file contained credentials for a service account, which were stored in plaintext. These credentials provided an opportunity to further escalate privileges or access additional resources within the environment.

09 - history

10 - svc
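The history file that gave up the service account here is PSReadLine's ConsoleHost_history.txt, written under each user's profile. A defender can sweep those files for lines that look like typed-in secrets before an attacker does. The script below is an added example (not from this write-up); the history lines in it are constructed, and the account name and secret values are placeholders. It reports the offending line numbers with the matched secret redacted so the report itself does not leak it.

```python
"""Scan a PSReadLine ConsoleHost_history.txt for plaintext credentials.

Added example, not part of the original write-up. SAMPLE_HISTORY is
constructed; the account name and secret values are placeholders.
"""
import re
from pathlib import Path

# Default per-user location of the Windows PowerShell 5 history file.
HISTORY_PATH = (Path.home() / "AppData" / "Roaming" / "Microsoft" / "Windows"
                / "PowerShell" / "PSReadLine" / "ConsoleHost_history.txt")

# Patterns that usually mean a secret, or a secret-bearing attribute, was typed
# into the console. A named group "secret" marks the token to redact.
PATTERNS = [
    ("securestring-plaintext",
     re.compile(r"ConvertTo-SecureString\s+(['\"]?)(?P<secret>[^'\"\s]+)\1\s+-AsPlainText", re.I)),
    ("password-parameter",
     # Literal value after -password/-pass or /p:; a leading $ means a variable, not a literal.
     re.compile(r"(?:^|\s)(?:-pass(?:word)?|/p(?:ass)?:)\s*['\"]?(?P<secret>[^'\"\s$][^'\"\s]*)", re.I)),
    ("net-use-credential",
     re.compile(r"net\s+use\s+\S+\s+(?P<secret>\S+)\s+/user:", re.I)),
    ("laps-password-read",
     re.compile(r"ms-Mcs-AdmPwd", re.I)),
    ("runas-or-pscredential",
     re.compile(r"(?:runas|PSCredential)", re.I)),
]

SAMPLE_HISTORY = """\
Get-ChildItem C:\\Users
$pw = ConvertTo-SecureString 'SvcSecretPlaceholder1' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('CORP\\svc_placeholder', $pw)
net use \\\\fileserver\\share ShareSecretPlaceholder1 /user:CORP\\svc_placeholder
Get-ADComputer DC01 -Properties ms-Mcs-AdmPwd
Invoke-Command -ComputerName DC01 -Credential $cred -ScriptBlock { hostname }
"""


def scan_history(text):
    """Return [(line_no, rule, redacted_line)] for lines that look credential-bearing."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for rule, pat in PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            redacted = line
            if "secret" in m.groupdict() and m.group("secret"):
                redacted = line.replace(m.group("secret"), "<REDACTED>")
            hits.append((n, rule, redacted))
            break  # first matching rule per line is enough for triage
    return hits


def scan_file(path=HISTORY_PATH):
    """Scan a history file on disk; returns [] if the file does not exist."""
    if not Path(path).is_file():
        return []
    return scan_history(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    for line_no, rule, redacted in scan_history(SAMPLE_HISTORY):
        print(f"line {line_no:>3}  {rule:<24} {redacted}")
```

Run `scan_file()` on every profile on a host (or ship the files to a central scanner) and treat any `securestring-plaintext` or `net-use-credential` hit as a credential that must be rotated, not just deleted from the file. PSReadLine can also be told not to persist history at all with `Set-PSReadLineOption -HistorySaveStyle SaveNothing`, and recent PSReadLine releases skip saving lines containing strings such as "password" or "AsPlainText" by default; neither setting helps with history already on disk, which is what this scan finds.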

After obtaining the service account credentials, I ran BloodHound to analyze Active Directory permissions. The analysis revealed that the service account had the ability to read LAPS (Local Administrator Password Solution) passwords, which could be leveraged to obtain local administrator credentials on domain-joined machines.

10 - svc group

1st Way: Windows

At this point, I had two potential paths for privilege escalation. However, due to Windows Defender actively blocking PowerView, I opted for a simpler and stealthier method. Using the service account credentials, I executed the following command to retrieve the LAPS-managed local administrator password for the domain controller (DC01):

Get-ADComputer DC01 -Properties ms-Mcs-AdmPwd

This successfully returned the plaintext local administrator password, enabling full access to the domain controller.

12 - windows way

2nd Way: Linux

As an alternative method, I could use the pylaps.py script on my Linux machine to retrieve the LAPS password. By supplying the service account credentials, the script can query Active Directory for LAPS-managed local admin passwords.

11 - linux way

Using the retrieved LAPS password, I was able to log in as the local administrator on the domain controller, effectively gaining full administrative access to the system.

13 - root

Pwned

The machine was fully compromised.

pwned
