88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-12-15 09:37:43Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49688/tcp open msrpc Microsoft Windows RPC
49862/tcp open unknown
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows
```
Port 88 tells us that this host is an Active Directory domain controller: `kerberos` runs on this port and is responsible for authenticating users. Knowing this guides our enumeration and the steps we take next.
## SMB/LDAP
Since SMB is enabled, we can try to log in as an anonymous user to see whether null sessions have been disabled.
<img src="https://i.imgur.com/lrb6YVR.png"/>
Now we can enumerate LDAP, which gives us the usernames, group names and domain name of the machine, using either `enum4linux-ng` or `windapsearch`.
<img src="https://i.imgur.com/p3pALUm.png"/>
<img src="https://i.imgur.com/Dc0LQVd.png"/>
We have the usernames; we just need to grep for `username` and then feed these names to `kerbrute` to find which ones are valid domain users. If one of these users has Kerberos pre-authentication disabled, we can obtain a hash for that user which we can then crack.
<img src="https://i.imgur.com/WdBCxC1.png"/>
We can filter this output down to just the usernames with `awk`.
<img src="https://i.imgur.com/xsniwoV.png"/>
Running kerbrute, we found that 24 of the 27 usernames are valid.
Import the JSON files that this script generates, then search for the username so we can mark it as `pwned`, and run the pre-built queries to see whether there is a path to higher-value targets.
But if we look at the `ryan` user, he is in the `Contractors` group.
<img src="https://i.imgur.com/oYcnW78.png"/>
And if we explore this group further, it is itself a member of the `DNSAdmins` group.
<img src="https://i.imgur.com/OEtflR8.png"/>
## Privilege Escalation (ryan)
After getting onto the machine through `evil-winrm`, we can see a hidden directory called `PSTranscripts` with `dir -Force`.
<img src="https://i.imgur.com/1wPL6En.png"/>
<img src="https://i.imgur.com/ZMPo5XC.png"/>
Going into this directory, we find a text file.
<img src="https://i.imgur.com/YgnBDJM.png"/>
Reading this file gives us the password for ryan.
<img src="https://i.imgur.com/RYv9KHy.png"/>
<img src="https://i.imgur.com/02hnInm.png"/>
<img src="https://i.imgur.com/s9SMP2b.png"/>
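The transcript leak above is exactly what a defender should be scanning `PSTranscripts` directories for before anyone else does. The following is an added example, not code from the original write-up: it flags lines that expose a password in a PowerShell transcript and redacts the secret in its report. The transcript text and the passwords in it are constructed.

```python
"""Flag plaintext credentials in PowerShell transcript text.

Added example, not from the original write-up: a defender-side check for the
kind of leak found in the PSTranscripts directory above. The transcript below
is constructed and its passwords are made up.
"""
import re

# Each pattern captures the secret in a named group so it can be redacted.
PATTERNS = {
    # net use X: \\server\share /user:DOMAIN\user <password>
    "net use": re.compile(r"net\s+use\b.*?/user:\S+\s+(?P<secret>\S+)", re.I),
    # ConvertTo-SecureString 'pass' -AsPlainText
    "ConvertTo-SecureString": re.compile(
        r"ConvertTo-SecureString\s+(?:-String\s+)?['\"]?(?P<secret>[^'\"\s]+)"
        r"['\"]?\s+-AsPlainText", re.I),
    # -Password 'pass'
    "-Password": re.compile(r"-Password\s+['\"]?(?P<secret>[^'\"\s]+)", re.I),
}

def find_credential_leaks(transcript):
    """Return (line_number, pattern_name, redacted_line) for every line that
    exposes a secret; the secret is replaced so the report is safe to log."""
    hits = []
    for lineno, line in enumerate(transcript.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                start, end = m.span("secret")
                hits.append((lineno, name, line[:start] + "<REDACTED>" + line[end:]))
                break  # one finding per line is enough
    return hits

# Constructed transcript in the PSTranscripts format; credentials are made up.
SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20211215093743
Username: MEGABANK\ryan
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> cmd /c net use X: \\FILESRV\share /user:MEGABANK\ryan Winter2021!
PS>$sec = ConvertTo-SecureString 'Summer2021!' -AsPlainText -Force
PS>Get-ChildItem X:\ -Force
**********************
Windows PowerShell transcript end
**********************"""

if __name__ == "__main__":
    for lineno, name, redacted in find_credential_leaks(SAMPLE_TRANSCRIPT):
        print(f"line {lineno} [{name}]: {redacted}")
```

Run it over every file under a transcript directory and alert on any hit; the redacted line is enough to identify the offending command without copying the secret into a ticket.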
## Privilege Escalation (Administrator)
We know that ryan is a member of the Contractors group, and that group is a member of the DNSAdmins group, so ryan is effectively a member of DNSAdmins as well.
<img src="https://i.imgur.com/WLP5Wk5.png"/>
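The nesting described above (ryan in Contractors, Contractors in DnsAdmins) is the kind of thing a periodic audit should surface. Below is an added example, not part of the original write-up, that resolves effective membership of a privileged group through nested groups and reports the path by which each user gets there. The group listing is constructed to mirror the write-up; a real audit would fill it from the LDAP `member` attribute instead.

```python
"""Resolve effective (nested) group membership from a group -> members listing.

Added example, not from the original write-up. GROUP_MEMBERS is constructed,
modelled on the write-up (DnsAdmins is the real name of the built-in group).
"""
from collections import deque

# Constructed: group name -> direct members (users or other groups).
GROUP_MEMBERS = {
    "DnsAdmins": ["Contractors"],
    "Contractors": ["ryan"],
    "Domain Admins": ["Administrator"],
    "Helpdesk": ["melanie", "Contractors"],
}

def effective_members(group, group_members):
    """Return the set of users reachable from `group`, following nested groups.
    Cycles (A in B, B in A) are handled by the `seen` set."""
    users, seen, queue = set(), {group}, deque([group])
    while queue:
        current = queue.popleft()
        for member in group_members.get(current, []):
            if member in group_members:        # member is itself a group
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users

def membership_paths(user, group, group_members):
    """Return every nesting path (list of group names) by which `user` sits in `group`."""
    paths = []

    def walk(current, path):
        for member in group_members.get(current, []):
            if member == user:
                paths.append(path + [current])
            elif member in group_members and member not in path + [current]:
                walk(member, path + [current])

    walk(group, [])
    return paths

if __name__ == "__main__":
    print("Effective DnsAdmins members:", sorted(effective_members("DnsAdmins", GROUP_MEMBERS)))
    for p in membership_paths("ryan", "DnsAdmins", GROUP_MEMBERS):
        print("ryan reaches DnsAdmins via:", " -> ".join(p))
```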
This can lead to privilege escalation to SYSTEM: with permission to control the DNS service, we can generate a malicious DLL with `msfvenom`, host it on an SMB share, load it with `dnscmd`, then stop the DNS service with `sc.exe stop dns` and start it again with `sc.exe start dns` so that the DNS service comes up with our malicious DLL loaded.
Generating the DLL file
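What `dnscmd` does in the step above is write the `ServerLevelPluginDll` value under the DNS service's `Parameters` key, which is also the thing a defender should be watching. The following is an added example, not from the original write-up: it parses a `.reg` export of that key and rates the configured value (absent or empty is fine, a local path needs verification, a UNC path is the pattern seen here). The export text and the IP in it are constructed.

```python
"""Check a DNS service registry export for a configured ServerLevelPluginDll.

Added defender-side example, not from the original write-up. The value lives at
HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll; on
a healthy server it is normally absent or empty. The .reg text is constructed.
"""
import re

DNS_PARAMS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters"

def parse_reg_export(text):
    """Minimal .reg parser: {key_path: {value_name: value}} for REG_SZ values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
            if m:
                # .reg escapes backslashes and quotes with a backslash; undo that
                keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def check_plugin_dll(text):
    """Return (severity, message) for the ServerLevelPluginDll value in `text`."""
    params = parse_reg_export(text).get(DNS_PARAMS_KEY, {})
    dll = params.get("ServerLevelPluginDll", "")
    if not dll:
        return ("ok", "no ServerLevelPluginDll configured")
    if dll.startswith("\\\\"):
        return ("critical", f"plugin DLL loaded from a network share: {dll}")
    return ("warning", f"plugin DLL configured, verify it is expected: {dll}")

# Constructed .reg export; the share address is made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters]
"EnableGlobalQueryBlockList"=dword:00000001
"ServerLevelPluginDll"="\\\\10.10.14.5\\share\\dns.dll"
"""

if __name__ == "__main__":
    print(check_plugin_dll(SAMPLE_REG))
```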
<img src="https://i.imgur.com/tABGHF8.png"/>
Using impacket's `smbserver` to start an SMB server
<img src="https://i.imgur.com/SXn4wup.png"/>
Now there was an issue with this box (I don't know if it is the same for other users): when I was following this article for abusing the DNSAdmins group, it would not give me a reverse shell, nor would it execute commands from the payload `msfvenom -p windows/x64/exec cmd='net group "Administrator" melanie /add' -f dll > dns.dll`.
Also, when we downloaded the DLL onto the machine it would be removed in under a minute, so we needed to be quick. The way I got SYSTEM was: I stopped the DNS service first, then loaded the DLL, then started the DNS service, saw the response on smbserver and got a shell on netcat.
<img src="https://i.imgur.com/vYsSEy8.png"/>
<img src="https://i.imgur.com/PmNKGfy.png"/>
<img src="https://i.imgur.com/dJ45hFI.png"/>
To get a proper shell we can now just add ryan to the `Domain Admins` group or the local `Administrators` group.
<img src="https://i.imgur.com/hOnzAO4.png"/>
We can verify it with `net user ryan`
<img src="https://i.imgur.com/dJkDSBB.png"/>
Again, we need to be quick to dump the hashes and perform a pass-the-hash attack, because the box reverts the changes.