Enumeration

Nmap

The initial Nmap scan revealed SMB, LDAP, Kerberos and WinRM ports.

00 - nmap

SMB Null

An SMB null session was enabled for the HR share, which contained the default password for newcomers.

01 - share

02 - default password

Rid Brute

Because an SMB null session was also enabled for IPC$, we could brute-force RIDs and then build a user list.

03 - userList

Exploitation

Brute Force

Using the user list and the default password, I brute-forced SMB logins and got a valid user.

04 - found user

Then, using the found credentials, I ran an ldapsearch and found a password in a description field.

05 - ldapsearch1

05 - ldapsearch2
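The same finding can be audited for from the defender's side. This is an added example, not part of the original write-up: it parses an LDIF export of user objects (the format ldapsearch prints) and flags description values that look like stored credentials. The keyword list, function names and sample entries are assumptions constructed for illustration.

```python
import base64
import re

# Keyword list is an assumption; tune it for your environment.
SUSPECT = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?|secret)\b", re.I)

def parse_ldif(text):
    """Yield one dict per LDIF entry, handling folded lines and base64 values."""
    unfolded = re.sub(r"\r?\n ", "", text)  # RFC 2849: leading space = continuation
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip ldapsearch comment lines and stray text
            name, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(name.lower(), []).append(value)
        if entry:
            yield entry

def flag_descriptions(text):
    """Return (account, description) pairs whose description looks like a secret."""
    hits = []
    for entry in parse_ldif(text):
        account = entry.get("samaccountname", entry.get("dn", ["?"]))[0]
        for desc in entry.get("description", []):
            if SUSPECT.search(desc):
                hits.append((account, desc))
    return hits

# Constructed sample export (not from the page); all names and values are made up.
SAMPLE = (
    "# constructed LDIF sample\n"
    "dn: CN=Alice Example,CN=Users,DC=example,DC=test\n"
    "sAMAccountName: alice\n"
    "description: Helpdesk contact for floor 2\n\n"
    "dn: CN=Bob Example,CN=Users,DC=example,DC=test\n"
    "sAMAccountName: bob\n"
    "description: Temp account, password is\n"
    "  Constructed-Example-1 until rotated\n\n"
    "dn: CN=Carol Example,CN=Users,DC=example,DC=test\n"
    "sAMAccountName: carol\n"
    "description:: " + base64.b64encode(b"pwd: Constructed-Example-2").decode() + "\n"
)

if __name__ == "__main__":
    for account, desc in flag_descriptions(SAMPLE):
        print(f"[!] {account}: {desc}")
```

The base64 and folded-line cases matter because directory exports encode or wrap any value with unusual characters or length, and a plain-text search over the raw export would miss them.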

SMB Enumeration

The new user had access to the Dev shares, which included a backup script. Inside the backup script there were credentials.

06 - got the user and shares

07 - got the emily

WinRM

This user had PSRemote privileges so I simply used evil-winrm and got a shell.

08 - user flag

Privilege Escalation

SeBackupPrivilege

The user had SeBackupPrivilege enabled.

09 - SeBackupPrivilege

So I simply followed these steps and got the Administrator hash.

10 - got it

Then, using psexec, I simply got a shell.

11 - got the root

Pwned

The machine was fully pwned.

12 - pwned

