Enumeration

Nmap

The initial nmap scan revealed the ports commonly open on an Active Directory domain controller.

[screenshot: nmap output]

DNS Enumeration

Enumerating DNS records revealed the name of the DC.

[screenshot: DC name from DNS enumeration]

LDAP Anonymous

Anonymous LDAP binds were enabled, and enumerating the directory with ldapsearch revealed a default password.

[screenshot: anonymous ldapsearch output]

Exploitation

Then I created a userList and tried password spraying with it, but it did not work: I sprayed LDAP, SMB, WMI and WinRM, and none of them was successful.

[screenshot: userList]
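Spraying one password across LDAP, SMB, WMI and WinRM leaves a distinctive trace on the defender's side: one source failing a logon for many different accounts, a few times each, spread over several services. The detection below is an added example written for this post, not the author's tooling; it runs over a constructed set of failed-logon records (field names `time`, `src`, `user`, `proto` are assumptions about how a SIEM would normalise Windows 4625 / Kerberos 4771 events) and flags a source once it has failed against enough distinct accounts inside a sliding window, regardless of which service each attempt hit.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import cycle

# Constructed sample of failed-logon records, already parsed into fields the
# way a SIEM would normalise Windows 4625 / Kerberos 4771 events. Not real logs.
_SPRAYED_USERS = ["a.smith", "b.lee", "c.wong", "d.kim", "e.ruiz",
                  "f.ali", "g.chen", "h.park", "i.novak", "j.rossi"]
SAMPLE_EVENTS = [
    # one source, one failed attempt per account, rotating across the
    # services a sprayer typically walks through
    {"time": f"2024-05-01T10:00:{i:02d}", "src": "10.10.14.5",
     "user": user, "proto": proto}
    for i, (user, proto) in enumerate(
        zip(_SPRAYED_USERS, cycle(["smb", "ldap", "winrm", "wmi"])))
] + [
    # a legitimate user mistyping their own password three times: several
    # failures, but a single account, so not a spray
    {"time": "2024-05-01T10:03:10", "src": "10.10.20.7", "user": "b.jones", "proto": "smb"},
    {"time": "2024-05-01T10:03:25", "src": "10.10.20.7", "user": "b.jones", "proto": "smb"},
    {"time": "2024-05-01T10:03:41", "src": "10.10.20.7", "user": "B.Jones", "proto": "winrm"},
]


def detect_spray(events, window_minutes=10, min_users=8):
    """Flag sources that fail logons for at least `min_users` distinct accounts
    within a sliding time window, counting every service together."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(
            (datetime.fromisoformat(ev["time"]), ev["user"].lower(), ev["proto"]))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        start, best = 0, None
        for end in range(len(hits)):
            # shrink the window from the left until it spans at most window_minutes
            while hits[end][0] - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            users = {u for _, u, _ in span}
            # keep the window with the most distinct accounts for this source
            if len(users) >= min_users and (best is None or len(users) > best[0]):
                best = (len(users), span)
        if best:
            n_users, span = best
            alerts.append({
                "src": src,
                "distinct_users": n_users,
                "attempts": len(span),
                "protocols": sorted({p for _, _, p in span}),
                "first": span[0][0].isoformat(),
                "last": span[-1][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print(alert)
```

The point of counting across protocols is that per-service thresholds (eight SMB failures, eight WinRM failures) miss exactly the pattern described in this post, where the same list is walked over four services. Usernames are lower-cased before counting so that `b.jones` and `B.Jones` are the same account and a clumsy user does not look like ten of them.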

Later, while going back over the ldapsearch output, I found another user whose entry had no attributes attached to it, so I could not grep its sAMAccountName.

[screenshot: newly found user]
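Two things in this post are worth turning into a routine check on the defender's side: an attribute (here a description) that carries a default password, and accounts whose entries are so sparse that a simple grep for sAMAccountName misses them. The script below is an added example, not code from this post or from any of the tools it names. It parses an LDIF export in the shape ldapsearch produces (comments, folded continuation lines, `::` base64 values), flags descriptions that contain credential keywords or password-shaped tokens, and lists every entry without a sAMAccountName together with the CN taken from its DN. The sample directory data is constructed; `example.local`, the account names and the leaked password are all made up.

```python
import base64
import re

# Constructed LDIF in the shape of ldapsearch output (not a real export): an
# admin account, a service account whose description leaks an initial
# password, and an account whose entry carries almost no attributes.
# ldapsearch emits values it cannot print as plain text as "attr:: base64";
# the leaky description is encoded that way here to exercise that path.
_LEAKY_DESC = "New hires use Welcome2024! until first logon"
SAMPLE_LDIF = f"""\
# extended LDIF (constructed sample)
dn: CN=Administrator,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName: Administrator
description: Built-in account for administering t
 he domain

dn: CN=svc_backup,CN=Users,DC=example,DC=local
objectClass: user
sAMAccountName: svc_backup
description:: {base64.b64encode(_LEAKY_DESC.encode()).decode()}

dn: CN=jdoe,CN=Users,DC=example,DC=local
objectClass: user
"""


def _unfold(text):
    """Drop comment lines and join LDIF continuation lines (a leading space
    means 'append the rest of this line to the previous one')."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


_ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse LDIF into one {attribute_lowercase: [values]} dict per entry."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:  # trailing blank flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = _ATTR_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":  # base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    return entries


_KEYWORD_RE = re.compile(
    r"\b(pass(word|wd)?|pwd|cred(ential)?s?|default|initial|temp(orary)?)\b", re.I)


def _looks_like_secret(token):
    """Crude shape test: 8+ chars mixing letters and digits, plus mixed case or a symbol."""
    token = token.strip(".,;:()[]<>\"'")
    return (len(token) >= 8
            and any(c.isdigit() for c in token)
            and any(c.isalpha() for c in token)
            and ((any(c.isupper() for c in token) and any(c.islower() for c in token))
                 or any(not c.isalnum() for c in token)))


def audit_descriptions(entries):
    """Flag entries whose description attribute looks like it carries a credential."""
    findings = []
    for entry in entries:
        for desc in entry.get("description", []):
            reasons = []
            if _KEYWORD_RE.search(desc):
                reasons.append("credential keyword")
            suspects = [t for t in desc.split() if _looks_like_secret(t)]
            if suspects:
                reasons.append("password-shaped token: " + ", ".join(suspects))
            if reasons:
                findings.append({"dn": entry["dn"][0],
                                 "sAMAccountName": entry.get("samaccountname", [None])[0],
                                 "description": desc, "reasons": reasons})
    return findings


def accounts_without_sam(entries):
    """Entries with no sAMAccountName, paired with the CN from the DN as the name to chase."""
    missing = []
    for entry in entries:
        if "samaccountname" not in entry:
            dn = entry["dn"][0]
            m = re.match(r"^CN=([^,]+)", dn, re.I)
            missing.append((dn, m.group(1) if m else None))
    return missing


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print(audit_descriptions(parsed))
    print(accounts_without_sam(parsed))
```

Run against a real export, the second list is the one to read carefully: an entry that has a DN but no sAMAccountName (or barely any other attribute) is still an account, and exactly the kind of account that slips past a quick grep.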

Trying this password with the newly found user worked, but the password had expired, so I used smbpasswd to update the user's password.

[screenshot: password update with smbpasswd]

Then using evil-winrm, I got the shell and user flag.

[screenshot: user flag]

Privilege Escalation

The user held SeBackupPrivilege.

[screenshot: whoami /priv]
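SeBackupPrivilege on a domain controller is as sensitive as the screenshot suggests, so who holds it is worth checking from the defender's side. The script below is an added example, not part of this post or of the repository it cites: it reads the `[Privilege Rights]` section of a local security policy export in the shape `secedit /export /cfg <file>` produces and reports holders of the privilege that are not among the default domain-controller holders (Administrators, Backup Operators, Server Operators). The INF fragment is constructed, and the `S-1-5-21-...-1107` SID in it is a made-up domain account standing in for an unexpected assignment.

```python
# Constructed fragment in the shape of a `secedit /export /cfg <file>` INF.
# The real file is UTF-16; open it with encoding="utf-16" when reading from
# disk. Principals are written as *SID. The S-1-5-21-... SID is made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549,*S-1-5-21-1111111111-2222222222-3333333333-1107
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

WELL_KNOWN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-551": "Backup Operators",
}

# Default holders of SeBackupPrivilege and SeRestorePrivilege on a domain
# controller: Administrators, Backup Operators and Server Operators.
DEFAULT_DC_HOLDERS = {"S-1-5-32-544", "S-1-5-32-549", "S-1-5-32-551"}


def parse_privilege_rights(inf_text):
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # blank or INF comment
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        priv, _, value = line.partition("=")
        # secedit prefixes SIDs with "*"; tolerate bare names as well
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        rights[priv.strip()] = principals
    return rights


def audit_privilege(rights, privilege="SeBackupPrivilege", expected=DEFAULT_DC_HOLDERS):
    """List principals holding `privilege` that are outside the expected set."""
    return [p for p in rights.get(privilege, []) if p not in expected]


def describe(principal):
    """Friendly name for the well-known SIDs, the raw SID otherwise."""
    return WELL_KNOWN.get(principal, principal)


if __name__ == "__main__":
    rights = parse_privilege_rights(SAMPLE_INF)
    for priv in ("SeBackupPrivilege", "SeRestorePrivilege"):
        extra = audit_privilege(rights, priv)
        print(priv, "unexpected holders:", [describe(p) for p in extra] or "none")
```

The policy export only shows direct assignments. The privilege also arrives through membership of Backup Operators and Server Operators, so an audit has to look at who is in those groups as well; a service account dropped into Backup Operators never appears as an extra SID on the `SeBackupPrivilege` line.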

So it was an easy escalation. I followed the exact steps in the k4sth4/SeBackupPrivilege repository and copied the ntds.dit and SYSTEM files to my Kali machine, then used Impacket's secretsdump to get the Administrator's password hash.

[screenshot: secretsdump output]

Then, using Impacket's psexec, I got a SYSTEM shell and the root flag.

[screenshot: root flag]

Pwned

The machine was fully compromised.

[screenshot: pwned]

