Enumeration

Nmap

The initial Nmap scan revealed FTP, SMB, LDAP, Kerberos and WinRM ports open, which indicates the target is a Domain Controller.

00 - nmap

After the Nmap scan I tried many things, such as SMB enumeration, LDAP search, RID brute and AS-REP Roasting, and none of them worked. So I ran BloodHound.

Exploitation

The exploitation phase included many lateral movements, so I am going to explain them step by step.

Getting Michael

The current user, olivia, had GenericAll permissions over michael, so I force-changed michael’s password.

04 - michael

05 - force change

Getting Benjamin

Michael can forcibly change benjamin’s password, so I changed benjamin’s password.

06 - bejamin

07 - update benjamin

FTP

Benjamin had permission to log in to and read from the FTP server.

08 - benjamin ftp

PwSafe

The downloaded backup file was encrypted, so I decrypted it using pwsafe2john.

09 - backup decrypted

And using pwsafe I got emily’s password.

10 - got it

Got The User

11 - got the user

Privilege Escalation

Targeted Kerberoasting

Checking BloodHound again, I found emily had GenericWrite permissions over ethan, so we can apply a targeted Kerberoasting attack.

12 - path

We simply assign a random SPN to the target user, then apply Kerberoasting.

13 - assign spn

14 - ticket

15 - cracked
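
From the defender's side, the SPN-then-ticket sequence described above leaves a recognizable pair of Windows Security events: 5136 (a servicePrincipalName value added to a user object) followed by 4769 (a service ticket requested for that account). The sketch below is an added example, not part of the original write-up; the event list is constructed, the domain example.local and the SPN values are placeholders, and it assumes the object's CN matches its sAMAccountName.

```python
from datetime import datetime, timedelta

SPN_ADDED = "%%14674"  # OperationType "Value Added" in event 5136

# Constructed sample events; field names follow Security events 5136 and 4769.
# The domain example.local and the SPN values are made up for this example.
EVENTS = [
    {"id": 5136, "time": "2024-11-10T10:00:05", "SubjectUserName": "emily",
     "ObjectDN": "CN=ethan,CN=Users,DC=example,DC=local", "ObjectClass": "user",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "http/placeholder", "OperationType": SPN_ADDED},
    {"id": 4769, "time": "2024-11-10T10:00:09", "ServiceName": "ethan",
     "TargetUserName": "emily@EXAMPLE.LOCAL", "TicketEncryptionType": "0x17"},
    {"id": 4769, "time": "2024-11-10T10:02:00", "ServiceName": "DC01$",
     "TargetUserName": "olivia@EXAMPLE.LOCAL", "TicketEncryptionType": "0x12"},
    {"id": 5136, "time": "2024-11-10T11:00:00", "SubjectUserName": "admin",
     "ObjectDN": "CN=SQL01,CN=Computers,DC=example,DC=local", "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "MSSQLSvc/sql01", "OperationType": SPN_ADDED},
]

def account_of(dn):
    # Assumption: the object's CN equals its sAMAccountName (5136 carries only the DN).
    return dn.split(",")[0].split("=", 1)[1].lower()

def is_user_spn_add(e):
    return (e["id"] == 5136 and e["ObjectClass"] == "user"
            and e["AttributeLDAPDisplayName"].lower() == "serviceprincipalname"
            and e["OperationType"] == SPN_ADDED)

def find_targeted_kerberoast(events, window=timedelta(minutes=30)):
    """Pair an SPN added to a user object with a later ticket request for that account."""
    alerts = []
    for w in filter(is_user_spn_add, events):
        t0, target = datetime.fromisoformat(w["time"]), account_of(w["ObjectDN"])
        for e in events:
            if e["id"] != 4769 or e["ServiceName"].lower() != target:
                continue
            delay = datetime.fromisoformat(e["time"]) - t0
            if timedelta(0) <= delay <= window:
                alerts.append({"writer": w["SubjectUserName"], "target": target,
                               "requester": e["TargetUserName"].split("@")[0],
                               "rc4": e["TicketEncryptionType"] == "0x17"})
    return alerts

if __name__ == "__main__":
    for alert in find_targeted_kerberoast(EVENTS):
        print(alert)
```

Event 5136 is only logged when Directory Service Changes auditing is enabled and the object carries a matching SACL, so the correlation depends on that audit policy being in place.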

DCSync

After cracking the ticket, I know that ethan can perform a DCSync attack, so I simply ran secretsdump and got the administrator shell.

16 - dcsync

Got The Admin

17 - got the root

Pwned

The machine was pwned.

18 - pwned

