Enumeration

Nmap

The Nmap scan revealed open ports for SMB, LDAP, and Kerberos, which strongly suggests that the target is a Domain Controller.

00 - nmap

LDAP Anonymous

Anonymous LDAP binds were enabled, so an anonymous ldapsearch query returned a list of users. I then validated those usernames with kerbrute.

01 - anon ldap userList

02 - valid users
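The kerbrute step above is noisy on the domain controller side: each candidate name that does not exist produces a Security event 4768 with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN). The detector below is an added example, not part of the original write-up, that flags a client address which triggers many such failures for distinct names inside a short window. It assumes a simplified flat line format (timestamp, event id, client address, account name, result code) rather than real EVTX/XML; the event lines are constructed sample data.

```python
"""Detect Kerberos username enumeration from Windows Security event 4768 failures.

Added example, not from the original write-up. Tools such as kerbrute validate
candidate usernames by sending one AS-REQ per name; for each name that does not
exist the domain controller logs event 4768 with Result Code 0x6
(KDC_ERR_C_PRINCIPAL_UNKNOWN). A burst of such failures for many distinct
names from a single client address is the signal this detector looks for.
The event lines below are constructed sample data in an assumed flat format:
timestamp, event id, client address, requested account name, result code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
# time                event client       account     code   (constructed sample)
2020-07-25T10:00:00   4768  10.10.10.50  j.doe       0x0
2020-07-25T10:00:01   4768  10.10.14.5   admin       0x6
2020-07-25T10:00:01   4768  10.10.14.5   backup      0x6
2020-07-25T10:00:02   4768  10.10.14.5   sysadmin    0x6
2020-07-25T10:00:02   4768  10.10.14.5   helpdesk    0x6
2020-07-25T10:00:03   4768  10.10.14.5   svc_sql     0x6
2020-07-25T10:00:03   4768  10.10.14.5   test        0x6
2020-07-25T10:00:04   4768  10.10.14.5   jsmith      0x6
2020-07-25T10:30:00   4768  10.10.10.50  j.doe2      0x6
"""


def parse_events(text):
    """Parse the flat sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, client, account, code = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "client": client,
            "account": account.lower(),
            "code": code.lower(),
        })
    return events


def detect_user_enumeration(events, threshold=5, window=timedelta(seconds=60)):
    """Return {client: sorted unknown names} for every client that produced
    at least `threshold` distinct unknown-principal failures (4768 / 0x6)
    within any sliding window of length `window`."""
    by_client = defaultdict(list)
    for e in events:
        if e["event_id"] == 4768 and e["code"] == "0x6":
            by_client[e["client"]].append(e)

    alerts = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it spans at most `window`.
            while ev["time"] - evs[start]["time"] > window:
                start += 1
            names = {e["account"] for e in evs[start:end + 1]}
            if len(names) >= threshold:
                # Report every unknown name this client tried, not just the window.
                alerts[client] = sorted({e["account"] for e in evs})
                break
    return alerts


def run_sample():
    return detect_user_enumeration(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for client, names in run_sample().items():
        print(f"possible user enumeration from {client}: {len(names)} unknown names {names}")
```

A single mistyped username from a workstation (the 10.10.10.50 line) stays below the threshold, while the seven distinct unknown names from 10.10.14.5 within four seconds trip it. Tune `threshold` and `window` against a baseline of your own DC logs; a successful 4768 (Result Code 0x0) is never counted.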

Password brute forcing got nothing. I then returned to the ldapsearch output and grepped for ‘passw’ and ‘pwd’, which matched a legacyPwd attribute. Using grep's -A and -B options to show the surrounding lines gave me the username that password belonged to.

03 - ldapsearch

03 - ldapsearch 2
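Grepping a directory dump for ‘passw’ and ‘pwd’ is exactly the check a defender should run against their own directory before an attacker does, but a raw grep is noisy because of bookkeeping attributes such as pwdLastSet and badPwdCount. The script below is an added example, not code from the original write-up: it parses an LDIF export (for instance saved ldapsearch output), skips the known benign attributes, and reports only the entry, the attribute name and the value length, never the value itself. The LDIF, the account names and the `legacyPwd`/`unixUserPassword` values are constructed sample data.

```python
"""Audit an LDIF dump for password-like attributes on directory objects.

Added example, not from the original write-up. Parses LDIF (RFC 2849 style:
'attr: value', 'attr:: base64value', continuation lines starting with a space,
blank line between entries), then flags attributes whose names look like
stored secrets while ignoring the standard AD password-policy bookkeeping
attributes. Values are never printed, only their length. Sample data below is
constructed.
"""
import base64
import re

# Attribute names containing 'pwd'/'passw' that are ordinary AD bookkeeping,
# not stored secrets. Lower-cased for comparison; extend for your schema.
KNOWN_BENIGN = {
    "pwdlastset", "badpwdcount", "badpasswordtime", "minpwdlength",
    "minpwdage", "maxpwdage", "pwdproperties", "pwdhistorylength",
    "msds-userpasswordexpirytimecomputed",
}
SUSPECT = re.compile(r"passw|pwd", re.IGNORECASE)

SAMPLE_LDIF = """\
# constructed sample export
dn: CN=Jane Doe,OU=Users,DC=corp,DC=example
objectClass: user
sAMAccountName: j.doe
badPwdCount: 0
pwdLastSet: 132391512240000000
legacyPwd: c2FtcGxlLW9ubHk=
description: Helpdesk technician

dn: CN=Svc Backup,OU=Service Accounts,DC=corp,DC=example
objectClass: user
sAMAccountName: svc_backup
badPwdCount: 3
unixUserPassword:: c2FtcGxlLW9ubHk=
info: a long value that
 continues on the next line

dn: CN=Bob,OU=Users,DC=corp,DC=example
sAMAccountName: bob
pwdLastSet: 0
"""


def parse_ldif(text):
    """Return a list of {'dn': str, 'attrs': [(name, value), ...]} entries."""
    # Unfold continuation lines first: a line starting with one space
    # continues the previous line.
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            current = {"dn": value, "attrs": []}
        elif current is not None:
            current["attrs"].append((name, value))
    if current:
        entries.append(current)
    return entries


def audit_entries(entries):
    """Flag non-benign attributes whose names look like a stored password."""
    findings = []
    for entry in entries:
        account = next((v for n, v in entry["attrs"]
                        if n.lower() == "samaccountname"), None)
        for name, value in entry["attrs"]:
            if value and SUSPECT.search(name) and name.lower() not in KNOWN_BENIGN:
                findings.append({
                    "dn": entry["dn"],
                    "account": account,
                    "attribute": name,
                    "value_length": len(value),  # length only, never the value
                })
    return findings


def audit_ldif(text):
    return audit_entries(parse_ldif(text))


if __name__ == "__main__":
    for f in audit_ldif(SAMPLE_LDIF):
        print(f"{f['account']} ({f['dn']}): attribute {f['attribute']} "
              f"holds a {f['value_length']}-character value")
```

Run it against `ldapsearch -x -b "DC=corp,DC=example" > dump.ldif` style output (with the search base and bind options for your own directory). Any hit is a finding to remediate regardless of whether the value is reversible: the attribute is readable by whoever could run that search, which on this box was an anonymous user.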

Exploitation

SMB Shares

This user did not have PSRemote permission, so I could not get a shell, but the account could read some unusual shares.

04 - smb shares with thompson

Inside the Data share I found some log and HTML files. One HTML file revealed that the ‘TempAdmin’ user had been deleted and that its password was the same as the Administrator's.

05 - TempAdmin

VNC Decrypt

Also inside the Data share, under the s.smith user's directory, I found a VNC log file. It contained the VNC password as a hex value, so I used this technique to decrypt it and obtained s.smith's cleartext password.

06 - vnc password can be decrypted

07 - decrypted vnc password

Evil-WinRM

This user did have PSRemote permission, so I got a shell and the user flag.

08 - got the user

Lateral Movement

Checking User

Using the ‘net user’ command, I found that the user had a logon script.

09 - logon script

By default, logon scripts are stored in the NetLogon share. I connected to the share, downloaded the script and analyzed it; it revealed a new share called ‘Audit$’.

09 - logon script 2

SQLite

The Audit share contained an SQLite DB. I downloaded it and analyzed it, which revealed an encrypted password for the ArkSvc user.

10 - Audit DB

11 - ldap encrypted

Reverse Engineering

The Audit share also included a .NET executable and a DLL. I decompiled them with ILSpy; they contained the decryption routine for the password I got from the SQLite DB.

12 - reversed

13 - reversed dll

Reproducing the same logic in CyberChef, I decrypted it and got the cleartext password.

14 - decrypted

Privilege Escalation

AD Recycle Bin

The ArkSvc user was in the ‘AD Recycle Bin’ group, which has permission to read the properties of deleted objects. (You can check out this site)

15 - adrecyclebin

So I ran the command to read the properties of ‘TempAdmin’, which I knew had the same password as Administrator.

16 - 0 ad bin

16 - Temp Admin

Got The Root

Then I simply logged in as Administrator and got the root flag.

17 - gg

Pwned

The machine was fully compromised.

pwned
