Resolute

Recon

nmap_scan.log
Open 10.129.96.155:53
Open 10.129.96.155:88
Open 10.129.96.155:135
Open 10.129.96.155:139
Open 10.129.96.155:389
Open 10.129.96.155:445
Open 10.129.96.155:464
Open 10.129.96.155:593
Open 10.129.96.155:5985
Open 10.129.96.155:9389
Open 10.129.96.155:3269
Open 10.129.96.155:3268
Open 10.129.96.155:49664
Open 10.129.96.155:49666
Open 10.129.96.155:49665
Open 10.129.96.155:49668
Open 10.129.96.155:49671
Open 10.129.96.155:49677
Open 10.129.96.155:49676
Open 10.129.96.155:47001
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.96.155

PORT      STATE SERVICE      REASON  VERSION
53/tcp    open  domain       syn-ack Simple DNS Plus
88/tcp    open  kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2024-11-27 15:31:16Z)
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
389/tcp   open  ldap         syn-ack Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds syn-ack Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open  kpasswd5?    syn-ack
593/tcp   open  ncacn_http   syn-ack Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap         syn-ack Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped   syn-ack
5985/tcp  open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       syn-ack .NET Message Framing
47001/tcp open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        syn-ack Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack Microsoft Windows RPC
49668/tcp open  msrpc        syn-ack Microsoft Windows RPC
49671/tcp open  msrpc        syn-ack Microsoft Windows RPC
49676/tcp open  msrpc        syn-ack Microsoft Windows RPC
49677/tcp open  ncacn_http   syn-ack Microsoft Windows RPC over HTTP 1.0
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 29273/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 45116/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 15172/udp): CLEAN (Failed to receive data)
|   Check 4 (port 24914/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-time: 
|   date: 2024-11-27T15:32:08
|_  start_date: 2024-11-27T15:29:42
|_clock-skew: mean: 2h46m59s, deviation: 4h37m10s, median: 6m58s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2024-11-27T07:32:10-08:00

DNS

└─$ dig ANY megabank.local @10.129.96.155 +timeout=99 +tcp

; <<>> DiG 9.19.21-1-Debian <<>> ANY megabank.local @10.129.96.155 +timeout=99 +tcp
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3036
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;megabank.local.                        IN      ANY

;; ANSWER SECTION:
megabank.local.         600     IN      A       10.10.10.169
megabank.local.         3600    IN      NS      resolute.megabank.local.
megabank.local.         3600    IN      SOA     resolute.megabank.local. hostmaster.megabank.local. 154 900 600 86400 3600
megabank.local.         600     IN      AAAA    dead:beef::b803:885a:b665:b183

;; ADDITIONAL SECTION:
resolute.megabank.local. 3600   IN      A       10.129.96.155

;; Query time: 255 msec
;; SERVER: 10.129.96.155#53(10.129.96.155) (TCP)
;; WHEN: Wed Nov 27 10:26:39 EST 2024
;; MSG SIZE  rcvd: 173

Enum4Linux

SMB

There seems to be a marko user with a default password in the LDAP description.

Creds: melanie:Welcome123!

WinRM

User.txt

Privilege Escalation (ryan)

Hmm... nothing usable...

Also nothing in /Program Files*, but if we go to the root (/) and list all files/directories we notice an unusual folder, PSTranscripts, which winpeas didn't find.

Privilege Escalation (Administrator)

Creds: ryan:Serv3r4Admin4cc123!

Enumerate AD

There seems to be a second workstation on the domain.


DnsAdmin

I thought the DnsAdmins group was local to the domain itself, but it turns out it's a builtin role for AD. https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#dnsadmins

Members of the DnsAdmins group have access to network DNS information. The default permissions are Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.

Tenable: DnsAdmins Exploitation
RedTeamNotes: From DnsAdmins to SYSTEM to Domain Compromise
DNSAdmin-DLL

Oh well... I tried compiling the application on the victim, but no success.

MSF: DnsAdmin ServerLevelPluginDll Feature Abuse Privilege Escalation

winpeas reported that AV was not found, but the file kept getting deleted... Doesn't make sense, because winpeas should also have been removed.

Turns out we don't need to compile the previous project, we can use msf (hopefully): https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/privilege-escalation/dnsadmin

The binary still gets deleted, but we can try using the DLL from SMB.
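The two conditions the DnsAdmins path above relies on (membership in the group, and a ServerLevelPluginDll value pointing the DNS service at attacker-controlled code) are both cheap to audit from the defender's side. The following is an added example, not from the writeup or from any of the linked projects; it assumes a domain-joined host with the ActiveDirectory module, remoting enabled to the DC, and the hypothetical parameter name $DnsServer.

```powershell
# Added example: audit DnsAdmins membership and the DNS service plugin DLL.
# Assumes the ActiveDirectory module is available and the caller can read the
# DNS service's registry parameters on the DC named in $DnsServer (hypothetical).
param([string]$DnsServer = 'Resolute.megabank.local')

Import-Module ActiveDirectory

# 1. Who can currently change the DNS service configuration through group membership?
#    Nested groups are resolved so indirect members are not missed.
$members = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
    Select-Object objectClass, SamAccountName, distinguishedName
Write-Host "DnsAdmins members (recursive): $($members.Count)"
$members | Format-Table -AutoSize

# 2. Is a server-level plugin DLL configured? On a default install this value is
#    absent; any value at all should match a known change ticket.
$paramsKey = 'SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$plugin = Invoke-Command -ComputerName $DnsServer -ScriptBlock {
    $item = Get-ItemProperty -Path ('HKLM:\' + $using:paramsKey) `
        -Name ServerLevelPluginDll -ErrorAction SilentlyContinue
    $item.ServerLevelPluginDll
}

if ([string]::IsNullOrEmpty($plugin)) {
    Write-Host "ServerLevelPluginDll: not set (expected default)"
} else {
    Write-Warning "ServerLevelPluginDll is set to '$plugin'"
    # A UNC path means the DNS service (running as SYSTEM) will load code from
    # a network share the next time it starts; treat this as an incident.
    if ($plugin -match '^\\\\') {
        Write-Warning "Value is a UNC path; the DLL is loaded from a network share"
    }
}
```

Pair this with a baseline of the DnsAdmins member list so that any new member, not just a configured plugin, raises an alert.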

Root.txt
