Assalaam'Alaikum fam, In the name of Allah, the Most Merciful and Most Beneficent, I’m super excited to share another cool AD walkthrough with y'all, and it’s a good one! So, let’s jump right into the fun, shall we? I mean, who doesn’t love a little adventure? Let’s dig in!
Enumeration
Alright, folks! You know we can’t resist a good enumeration, right? So let’s kick things off with those juicy points and start with the little ones. Let’s see what surprises they have in store for us! Muahahaha!
Wow, there’s so much good stuff to dive into, especially starting with the SMB port! And don’t forget to add the DNS computer name and domain name to /etc/hosts using this handy command:
echo "<ip> <domain>" | sudo tee -a /etc/hosts
I covered a similar tip in my last walkthrough, so feel free to check that out for more details.
Now, let’s move in on the SMB port and see if it allows anonymous access—that’s where our trusty tools come in. You can use either netexec or crackmapexec, whichever you prefer. Let’s see what secrets we can uncover.
We can authenticate as a guest user, but checking for shares? Who needs that when we can use smbclient later? First, let’s focus on retrieving all the users on the server. Since we can authenticate as a guest, this is where impacket-lookupsid comes into play to get the job done.
Now, let’s grab those users and save them in a file called users.txt. Trust me, this will come in handy later.
Back to smbclient to see what we have.
Let’s try to access the nara share and see if we can.
We managed to access the nara share, and we downloaded the important.txt file from it. We checked out two documents in the share, but they were empty. But wait—let’s see what that important.txt file has in store for us.
Based on the message we received, it looks like the shared document folder is where files are kept and executed quickly. This means we have read and write permissions, pretty cool, right? This is where ntlm_theft comes into play. If you don’t have the tool yet, you can grab it from the link here.
Now, use the command below to generate files with different extensions using ntlm_theft.
We will be using the .lnk extension, so let’s head back to the shared document folder, and don’t forget to start Responder to capture the NTLMv2 hash.
sudo responder -I tun0
We can see that our file has been uploaded, so let’s check Responder and see if we get any response.
OK, the response indicates that the hash has been previously captured. That’s accurate, and it’s why the NTLMv2 hash didn’t show up. But no worries. Another way to capture the hash is by using impacket-smbserver.
impacket-smbserver -smb2support share .
We’ve identified that the hash belongs to the user Tracy.White. Let’s save it in a file and use hashcat to crack it.
hashcat -m 5600 hash /opt/wordlists/rockyou.txt
Boom! We’ve got the password! Now, let’s try it out on SMB and see if it works. Here comes the moment of truth.
Woohoo! We can see the shares now, but it turns out they’re the same ones we found as a guest—so not much use to us. I double-checked everything, but no luck. I even tried password spraying smb with the other users, but still nothing.
Let’s give it another shot and use netexec for a password spray. Who knows, maybe we can log in with evil-winrm this time.
sudo nxc winrm nara-security.com -u users.txt -p <password>
No luck, but we still have plenty of things to try, so let’s check ldap out.
Seems like we can authenticate with ldap, so this is where ldapsearch comes in, hehe.
ldapsearch -H ldap://nara-security.com -D 'Tracy.White@nara-security.com' -w 'zqwj041FGX' -b 'dc=nara-security,dc=com' | tee ldap.txt
Using ldapsearch to authenticate worked. As we can see in the image above, we saved the output of ldapsearch into a file called ldap.txt. Now, let’s use cat to check its contents and grep pass to see if we can find any passwords hidden in there.
Unfortunately, there are no passwords in the ldap.txt file, even after going through it manually. I also tried impacket-GetUserSPNs and impacket-GetNPUsers, but no luck there either. But don’t worry, this isn’t the end. This is where bloodhound-python comes into play, so let’s give that a shot too.
Nice, bloodhound-python has delivered some useful information. Now, this is where the BloodHound GUI comes into play. We need to upload the files we gathered from bloodhound-python to the BloodHound GUI.
First, start neo4j in a separate terminal, and do the same for BloodHound, using the commands below:
sudo neo4j console
bloodhound --no-sandbox
Make sure to run this in a separate terminal, and you should see the BloodHound GUI pop up.
All you have to do is authenticate, then upload all the .json files retrieved from bloodhound-python.
Now, let’s move to the search bar and search for the user we own, Tracy.White. Let’s see what information we can get from it.
Right-click and mark the user as owned.
After marking the user as owned, click on the user to open a side panel. Then, scroll down to Outbound Object Control and select Transitive Object Control.
User Tracy.White has GenericAll over the Remote Access group, which means she can add members to it. To get a better understanding, I’ll move my cursor to the GenericAll edge between the two nodes and right-click. From there, I’ll select Help. This provides guidance on how to exploit this privilege, with a detailed explanation.
Absolutely, that’s why BloodHound is so highly regarded: it provides clear explanations and commands for exploitation. I tried using the provided command, but it didn’t work, possibly due to incorrect settings on my end. Since I’m comfortable with ldapmodify, I’ll use that to change the user’s group membership. First, let’s check our previous LDAP file to see which groups Tracy.White belongs to.
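An added example (not part of the original post) for the two ldap.txt steps: reading memberOf for a user, and the earlier grep pass over the dump. ldapsearch folds long lines and base64-encodes any value that is not plain printable ASCII (written as attr:: value), so a plain grep on the raw file can miss exactly the kind of value you are looking for; the parser below unfolds and decodes before searching. The LDIF dump, the users and the groups are constructed; only the domain DN comes from the box.

```python
import base64

# Constructed ldapsearch-style dump (not output from the box). It contains a folded line (the
# continuation starts with one space) and a base64 value: the description begins with a space.
SAMPLE_LDIF = """\
dn: CN=Sample User,CN=Users,DC=nara-security,DC=com
sAMAccountName: Sample.User
memberOf: CN=Helpdesk,CN=Users,DC=nara-sec
 urity,DC=com
memberOf: CN=Finance,CN=Users,DC=nara-security,DC=com
description:: IFBhc3N3b3JkOiBTdW1tZXIyMDI0IQ==

dn: CN=Other User,CN=Users,DC=nara-security,DC=com
sAMAccountName: Other.User
description: Finance team
"""

def parse_ldif(text: str) -> list[dict]:
    """Parse LDIF into {attribute: [values]} dicts, unfolding lines and decoding base64 values."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # continuation of the previous logical line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if not line:                       # a blank line terminates the entry
            if "dn" in current:            # ignore trailer blocks such as "search:/result:"
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            decoded = (base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
                       if value.startswith(":") else value.strip())   # "attr:: <base64>" form
            current.setdefault(attr, []).append(decoded)
    return entries

def member_of(entries: list[dict], sam: str) -> list[str]:
    """memberOf values of the entry whose sAMAccountName matches, case-insensitively."""
    return next((e.get("memberOf", []) for e in entries
                 if sam.lower() in [v.lower() for v in e.get("sAMAccountName", [])]), [])

def grep_lines(text: str, needle: str) -> list[str]:
    return [l for l in text.splitlines() if needle.lower() in l.lower()]   # what grep -i sees

def password_hints(entries: list[dict], needle: str = "pass") -> list[tuple[str, str, str]]:
    """(dn, attribute, decoded value) triples whose attribute name or decoded value mentions needle."""
    return [(e["dn"][0], a, v) for e in entries for a, vs in e.items()
            for v in vs if needle in a.lower() or needle in v.lower()]
```

On the sample, grep_lines(SAMPLE_LDIF, "pass") finds nothing while password_hints(parse_ldif(SAMPLE_LDIF)) returns the decoded description, and member_of gives the folded group DN back in one piece.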
Next, I create a file named groupadd.ldif, and this is what I include inside the file.
This is how our complete command looks using ldapmodify, below. After executing the command, we’ll attempt to log in as Tracy.White with her password to see if we can access Evil-WinRM after changing her group membership.
Foothold
So let’s try netexec on it and see.
Finally, it’s working! Now let’s dive in and explore freely.
evil-winrm -i nara-security.com -u Tracy.White -p '<pass>'
The excitement is overwhelming. Let’s take a look around, starting by checking the automation file in the Documents directory.
Hmmm, a Windows automation hash; that’s pretty cool, and we’ll come back to it. For now, let’s read the user.txt content.
From here, I decided to explore further. However, after checking the PowerShell history and other areas, I couldn't find anything useful. Additionally, any files I uploaded to the machine were flagged as malicious, with the antivirus deleting everything. So, I decided to focus on the Windows automation hash instead.
So I decided to copy the hash and then use echo to write it into a file, abzee.txt, which I think is cool. I did a little research on how to crack a Windows automation hash, and these are the steps I used to successfully crack it.
Then, bam gabooom. We decrypted it, but we still don’t know which user owns it. This is where password spraying comes in, using the usernames we gathered earlier.
Yes, we found the owner. Let’s use it to log into Evil-WinRM.
I also checked around with the new user but didn’t find anything useful. However, when I ran whoami /all, I noticed something interesting.
Noticing the Certificate Service DCOM Access group made me think about exploiting ADCS. But how can we determine if it’s truly vulnerable? Unfortunately, downloading anything onto the machine gets flagged and deleted, even tools like Certify.exe.
However, this shouldn’t be a problem. We can use certipy-ad to check for vulnerabilities and retrieve the template locally, especially since we have the user credentials.
We can clearly see the message indicating ESC4, i.e. dangerous permissions on the certificate template.
Privilege Escalation
Now it’s time to exploit it and get the administrator hash. Since we have the template name, let’s request a certificate.
Boom, there we fVcking go guys, that's it and only one thing left to get the hash.
Just look at that hash, it’s practically smiling at us 😂. So let’s confirm with netexec.
sudo nxc winrm nara-security.com -u administrator -H d35c4ae45bdd10a4e28ff529a2155745
Let’s log in with evil-winrm.
If you’ve made it this far, thank you for reading! If you have any questions or feedback about my write-up, feel free to reach out to me on Twitter or LinkedIn.
Happy Hacking!