Enumeration

Nmap

The Nmap scan revealed open ports for SMB, LDAP, and Kerberos, which strongly suggests that the target is a Domain Controller. An HTTP port was also open.

00 - nmap

WEB Enumeration

While enumerating the website, I found some accessible documents. The naming scheme was YYYY-MM-DD-upload.pdf, so I decided to brute force the dates and download all available PDF files.

01 - naming scheme

02 - pdfs

ExifTool

Using the PDF URL list, I downloaded all PDF files with wget. Then, using exiftool, I extracted all unique Creator names from the metadata to build a user list.
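The step above works because the documents carry author and creator names in their metadata. As an added example (not from the original post, and not exiftool's code), the following Python audits a set of PDFs for exactly that leak, the way a web team would check a document set before publishing it: it pulls the Creator and Author literal strings out of each file's Info dictionary and reports the unique names. The file names and byte strings are constructed minimal PDFs, not files from the target.

```python
import re
from typing import Dict, List

# Constructed minimal PDF byte strings (not documents from the target); each holds an
# Info dictionary of the kind exiftool reads the Creator/Author fields from.
SAMPLE_PDFS: Dict[str, bytes] = {
    "2020-06-04-upload.pdf": (
        b"%PDF-1.4\n1 0 obj\n<< /Title (Upload) /Creator (alice.smith) "
        b"/Producer (Microsoft Word) >>\nendobj\n%%EOF\n"
    ),
    "2020-06-22-upload.pdf": (
        b"%PDF-1.4\n1 0 obj\n<< /Creator (bob.jones) /Author (bob.jones) >>\nendobj\n%%EOF\n"
    ),
    "2021-03-01-upload.pdf": (
        b"%PDF-1.4\n1 0 obj\n<< /Creator (alice.smith) >>\nendobj\n%%EOF\n"
    ),
    "2021-04-15-upload.pdf": (
        b"%PDF-1.4\n1 0 obj\n<< /Producer (Microsoft Word) >>\nendobj\n%%EOF\n"
    ),
}

# Only plain literal strings "(...)" are handled here; hex strings and Info
# dictionaries stored inside compressed object streams are out of scope.
_FIELD_RE = re.compile(rb"/(Creator|Author)\s*\(((?:[^()\\]|\\.)*)\)")


def extract_identity_fields(pdf: bytes) -> Dict[str, str]:
    """Return {field: value} for every Creator/Author literal string in the file."""
    found: Dict[str, str] = {}
    for key, value in _FIELD_RE.findall(pdf):
        found[key.decode("ascii")] = value.decode("latin-1")
    return found


def audit_pdfs(pdfs: Dict[str, bytes]) -> Dict[str, Dict[str, str]]:
    """Map each file name to the identity fields it leaks (empty dict = clean)."""
    return {name: extract_identity_fields(data) for name, data in pdfs.items()}


def unique_names(pdfs: Dict[str, bytes]) -> List[str]:
    """Sorted, de-duplicated list of every name leaked across the document set."""
    names = {v for fields in audit_pdfs(pdfs).values() for v in fields.values()}
    return sorted(names)


if __name__ == "__main__":
    for fname, fields in audit_pdfs(SAMPLE_PDFS).items():
        detail = ", ".join(f"{k}={v}" for k, v in fields.items())
        print(f"{fname}: {'leaks ' + detail if fields else 'clean'}")
    print("unique names:", unique_names(SAMPLE_PDFS))
```

The list `unique_names` returns is the same user list an attacker would build with exiftool, which is why stripping these fields (or setting them to a generic value) before publishing closes the enumeration step entirely.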

03 - got a userList

Checking the list with kerbrute showed that all usernames are valid.

04 - all of them are valid

Reading PDFs

Reading through the PDFs, I found that the default password was written in one of them. I could also have found it with grep.

05 - default password

Exploitation

Password Spray

Using the default password and the user list, I performed a password spray attack and found a valid credential.
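A spray like the one above has a distinctive shape in the authentication logs: one source address, many different accounts, one or two failures each, often followed by a success. As an added example (not from the original post) the following Python runs that detection over a constructed export of Windows Security events (4625 = failed logon, 4624 = successful logon; 0xC000006D is STATUS_LOGON_FAILURE). The line format, host names and addresses are assumptions for the illustration.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta
from typing import Any, Dict, List

# Constructed log export (not from the target). Each line is one flattened
# Windows Security event. 10.10.14.5 sprays six accounts; 10.10.14.9 is a single
# user mistyping a password, which must not be reported.
SAMPLE_LOG = """\
2021-07-06T10:00:01 EventID=4625 TargetUserName=alice.smith IpAddress=10.10.14.5 Status=0xC000006D
2021-07-06T10:00:02 EventID=4625 TargetUserName=bob.jones IpAddress=10.10.14.5 Status=0xC000006D
2021-07-06T10:00:03 EventID=4625 TargetUserName=carol.white IpAddress=10.10.14.5 Status=0xC000006D
2021-07-06T10:00:04 EventID=4625 TargetUserName=dave.brown IpAddress=10.10.14.5 Status=0xC000006D
2021-07-06T10:00:05 EventID=4625 TargetUserName=erin.green IpAddress=10.10.14.5 Status=0xC000006D
2021-07-06T10:00:06 EventID=4624 TargetUserName=frank.black IpAddress=10.10.14.5 Status=0x0
2021-07-06T10:00:07 EventID=4625 TargetUserName=grace.hall IpAddress=10.10.14.5 Status=0xC000006D
2021-07-06T10:05:00 EventID=4625 TargetUserName=helpdesk IpAddress=10.10.14.9 Status=0xC000006D
2021-07-06T10:05:10 EventID=4625 TargetUserName=helpdesk IpAddress=10.10.14.9 Status=0xC000006D
2021-07-06T10:05:20 EventID=4625 TargetUserName=helpdesk IpAddress=10.10.14.9 Status=0xC000006D
"""

_LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) Status=(?P<status>\S+)$"
)


def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn the flattened lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_spray(text: str, window: timedelta = timedelta(minutes=10),
                 min_users: int = 5) -> List[Dict[str, Any]]:
    """Flag source IPs whose failed logons hit >= min_users distinct accounts in a sliding window.

    Also lists accounts that logged on successfully from the same source after the
    spray started, which is the signal that the spray found a valid credential.
    """
    failures: Dict[str, List] = {}
    successes: Dict[str, List] = {}
    for ev in parse_events(text):
        ts = datetime.fromisoformat(ev["ts"])
        bucket = failures if ev["eid"] == "4625" else successes if ev["eid"] == "4624" else None
        if bucket is not None:
            bucket.setdefault(ev["ip"], []).append((ts, ev["user"].lower()))

    findings = []
    for ip, attempts in failures.items():
        attempts.sort()
        in_window: deque = deque()
        per_user: Counter = Counter()
        best = None
        for ts, user in attempts:
            in_window.append((ts, user))
            per_user[user] += 1
            # Drop attempts that fell out of the window; keep distinct-user count exact.
            while in_window and ts - in_window[0][0] > window:
                _, old_user = in_window.popleft()
                per_user[old_user] -= 1
                if per_user[old_user] == 0:
                    del per_user[old_user]
            if len(per_user) >= min_users and (best is None or len(per_user) > best["distinct_users"]):
                best = {"source_ip": ip, "distinct_users": len(per_user),
                        "first_seen": in_window[0][0], "last_seen": ts}
        if best:
            start = best["first_seen"]
            best["success_after"] = sorted({u for t, u in successes.get(ip, []) if t >= start})
            best["first_seen"] = start.isoformat()
            best["last_seen"] = best["last_seen"].isoformat()
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_LOG):
        print(f)
```

Thresholds matter: a single account failing many times is a lockout or a typo, not a spray, so the rule counts distinct accounts per source rather than raw failures. Sprays against Kerberos pre-authentication surface as 4771 instead of 4625 and would need the same logic on that event.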

06 - got it

SMB Enumeration

Using the valid credentials, I enumerated SMB shares. The Users and IT shares were not default ones. Inside the Users share I found the user flag.

07 - smb shares

08 - got the user flag

Lateral Movement

ADIDNS Poisoning

Before continuing, you can check out this post or this post to understand ADIDNS poisoning.

The IT share contained a PowerShell script that sends authentication requests to hosts in Active Directory DNS whose names start with HTTP.

09 - script

By default, any authenticated domain user is allowed to create a new ADIDNS record as long as no record with that name exists yet. So, using our user credentials and dnstool, I added a new record.

10 - add a record web

Now all I had to do was set up a poisoner such as Responder and wait for requests. After some time I got the NTLMv2 hash of the user.
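The weakness the steps above exploit is that record creation in the zone is open to every authenticated user, so a defender's control is to watch the zone for records that ordinary accounts create, especially names matching what a scheduled script will connect to, and addresses outside the network the zone is supposed to describe. As an added example (not from the original post and not dnstool's code), this Python compares two constructed snapshots of an AD-integrated zone and reports new records that fail any of those checks. The record format (name, type, data, owner), the domain name and the address ranges are assumptions for the illustration.

```python
import ipaddress
from typing import Any, Dict, List, Sequence, Set, Tuple

# Constructed snapshots of an AD-integrated zone (not real data). Each entry is the
# subset of a dnsNode object a defender would export: name, type, data and the
# principal that owns the object, which for a dnsNode is the account that created it.
BASELINE: List[Dict[str, str]] = [
    {"name": "dc01", "type": "A", "data": "10.0.0.10", "owner": "CORP\\Domain Admins"},
    {"name": "web01", "type": "A", "data": "10.0.0.20", "owner": "CORP\\Domain Admins"},
    {"name": "printsrv", "type": "A", "data": "10.0.0.30", "owner": "CORP\\DnsAdmins"},
]
CURRENT: List[Dict[str, str]] = BASELINE + [
    {"name": "web-update", "type": "A", "data": "10.10.14.5", "owner": "CORP\\jdoe"},
    {"name": "fileshare", "type": "A", "data": "10.0.0.40", "owner": "CORP\\DnsAdmins"},
]

# Principals that are expected to create records, and the ranges A records should
# point into; both are constructed for this example.
TRUSTED_OWNERS: Set[str] = {"CORP\\Domain Admins", "CORP\\DnsAdmins"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def _key(rec: Dict[str, str]) -> Tuple[str, str, str]:
    return (rec["name"].lower(), rec["type"].upper(), rec["data"])


def review_new_records(baseline: Sequence[Dict[str, str]], current: Sequence[Dict[str, str]],
                       trusted_owners: Set[str] = TRUSTED_OWNERS,
                       watched_prefix: str = "web",
                       internal_nets=INTERNAL_NETS) -> List[Dict[str, Any]]:
    """Return records present in `current` but not `baseline` that trip at least one check."""
    known = {_key(r) for r in baseline}
    findings = []
    for rec in current:
        if _key(rec) in known:
            continue
        reasons = []
        if rec["owner"] not in trusted_owners:
            reasons.append("untrusted owner")
        if rec["name"].lower().startswith(watched_prefix.lower()):
            reasons.append("watched name prefix")
        if rec["type"].upper() in ("A", "AAAA"):
            addr = ipaddress.ip_address(rec["data"])
            if not any(addr in net for net in internal_nets):
                reasons.append("address outside internal ranges")
        if reasons:
            findings.append({"name": rec["name"], "data": rec["data"],
                             "owner": rec["owner"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_new_records(BASELINE, CURRENT):
        print(f"{f['name']} -> {f['data']} (owner {f['owner']}): {', '.join(f['reasons'])}")
```

A record that trips all three checks at once, as `web-update` does here, is the signature of the poisoning step described above. The durable fix is to tighten the zone ACL so that creating child objects is limited to the accounts that should manage DNS, and to have scripts like the one in the IT share talk to explicit host names rather than to whatever matches a prefix.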

11 - ted

Then, using hashcat, I cracked the hash.

12 - got it

Privilege Escalation

Then, using the new credentials, I ran bloodhound-python.

13 - bloodhound python

Read GMSA Password

Our current user was in the ITSupport group, which can read gMSA (Group Managed Service Account) passwords. gMSA passwords are managed by the domain and rotated automatically every X days.

14 - gmsa

Using the gMSADumper script, I got the target user's NT hash.

15 - gmsa read

AllowedToDelegate

The service account has delegation rights (AllowedToDelegate) to the Domain Controller.

16 - delegate

So I used the getST.py script from impacket to request a ticket as Administrator.
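The two hops above (group can read a gMSA password, gMSA can delegate to the Domain Controller) are what turn an IT support membership into domain compromise, and they can be found by the defender before BloodHound does. As an added example (not from the original post, and not bloodhound-python's or gMSADumper's code), this Python walks a constructed model of the directory, reduced to group membership, the principals allowed to retrieve each gMSA's managed password, and each account's allowed-to-delegate-to list, and reports every user who can reach a Domain Controller service that way. Group names, account names and the SPN are assumptions for the illustration.

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed directory model (not the target's data), reduced to the attributes the
# escalation path is built from:
#  - group membership (nested groups included),
#  - which principals may retrieve a gMSA's managed password
#    (the PrincipalsAllowedToRetrieveManagedPassword setting),
#  - which services an account may delegate to (msDS-AllowedToDelegateTo).
MODEL = {
    "groups": {
        "ITSupport": ["jdoe", "Helpdesk-L2"],
        "Helpdesk-L2": ["msmith"],
        "Domain Admins": ["administrator"],
    },
    "gmsa": {
        "svc_int$": {"readers": ["ITSupport"],
                     "allowed_to_delegate_to": ["WWW/dc01.corp.local"]},
        "svc_sql$": {"readers": ["Domain Admins"],
                     "allowed_to_delegate_to": []},
    },
    "domain_controllers": ["dc01.corp.local"],
}


def expand_members(groups: Dict[str, List[str]], name: str,
                   seen: Optional[Set[str]] = None) -> Set[str]:
    """Resolve a group to its direct and nested user members."""
    seen = seen if seen is not None else set()
    if name in seen:
        return set()  # guard against membership cycles
    seen.add(name)
    users: Set[str] = set()
    for member in groups.get(name, []):
        if member in groups:
            users |= expand_members(groups, member, seen)
        else:
            users.add(member)
    return users


def _spn_host(spn: str) -> str:
    """'WWW/dc01.corp.local:8080' -> 'dc01.corp.local'."""
    return spn.split("/", 1)[-1].split(":", 1)[0].lower()


def find_paths(model: Dict) -> List[Tuple[str, str, str, str]]:
    """Return (user, reader principal, gMSA, SPN) for every path to a DC via a gMSA."""
    groups = model["groups"]
    dcs = {d.lower() for d in model["domain_controllers"]}
    paths = []
    for gmsa, info in model["gmsa"].items():
        dc_spns = [spn for spn in info["allowed_to_delegate_to"] if _spn_host(spn) in dcs]
        if not dc_spns:
            continue
        for reader in info["readers"]:
            members = expand_members(groups, reader) if reader in groups else {reader}
            for user in sorted(members):
                for spn in dc_spns:
                    paths.append((user, reader, gmsa, spn))
    return paths


if __name__ == "__main__":
    for user, reader, gmsa, spn in find_paths(MODEL):
        print(f"{user} -> member of {reader} -> reads password of {gmsa} -> delegates to {spn}")
```

Either edge can be cut: limit the principals allowed to retrieve the managed password to the hosts that actually run the service, or remove the Domain Controller SPN from the account's delegation list. The script reports the users, not the groups, so nested memberships such as `Helpdesk-L2` inside `ITSupport` are not missed.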

17 - get admin ticket

Then, using psexec.py, I got a SYSTEM shell.

18 - got the admin

Pwned

The machine was fully compromised.

pwned

