mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-24 21:03:07 +00:00
Update Resolute.md
This commit is contained in:
parent
5c192d6ab6
commit
72c6dea08c
1 changed files with 81 additions and 7 deletions
|
@ -61,6 +61,8 @@ So running kerbrute we found 24 usernames that are valid out of 27
|
||||||
|
|
||||||
<img src="https://i.imgur.com/63jbK6C.png"/>
|
<img src="https://i.imgur.com/63jbK6C.png"/>
|
||||||
|
|
||||||
|
## Foothold
|
||||||
|
|
||||||
If we go back to enum4linux result we see in the description a password for `marko` user
|
If we go back to enum4linux result we see in the description a password for `marko` user
|
||||||
|
|
||||||
<img src="https://i.imgur.com/qlh0Quy.png"/>
|
<img src="https://i.imgur.com/qlh0Quy.png"/>
|
||||||
|
@ -91,15 +93,87 @@ Then I realized that I didn't check `winrm`
|
||||||
|
|
||||||
And we can actually use it to get a remote session using `evil-winrm`
|
And we can actually use it to get a remote session using `evil-winrm`
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
So to enumrate AD , we have two options either running `sharphound` powershell script or `python bloodhound injestor`
|
So to enumrate AD , we have two options either running `sharphound` powershell script or `python bloodhound injestor`
|
||||||
|
|
||||||
<img src="https://i.imgur.com/2pvClra.png"/>
|
<img src="https://i.imgur.com/2pvClra.png"/>
|
||||||
|
|
||||||
## References
|
Import the json files that this script generates and after that search the username so that we can mark it as `pwned` and see if we can find a path to higher targets by running the pre-built query
|
||||||
|
|
||||||
```
|
<imgs src="https://i.imgur.com/VTebdQn.png"/>
|
||||||
melanie:Welcome123!
|
|
||||||
```
|
Running the query we don't see anything interesting that we can do with this user
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/bvJ2g8t.png"/>
|
||||||
|
|
||||||
|
|
||||||
|
But if we look at `ryan` user , he's in the group `Contractors`
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/oYcnW78.png"/>
|
||||||
|
|
||||||
|
And if we further explore this group , that is a member of `DNSAdminsGroup`
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/OEtflR8.png"/>
|
||||||
|
|
||||||
|
## Privilege Escalation (ryan)
|
||||||
|
|
||||||
|
Getting on the machine through `evil-winrm` we can see a hidden directory called `PSTranscripts` through `dir -Force`
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/1wPL6En.png"/>
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/ZMPo5XC.png"/>
|
||||||
|
|
||||||
|
We can find a text file by going into this directory
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/YgnBDJM.png"/>
|
||||||
|
|
||||||
|
Reading this file we will be able to get the password for ryan
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/RYv9KHy.png"/>
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/02hnInm.png"/>
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/s9SMP2b.png"/>
|
||||||
|
|
||||||
|
## Privilege Escalation (Administrator)
|
||||||
|
|
||||||
|
We know that ryan is a member of contractors group and that group is a member of DNSAdmins group so that makes ryan a member of that group
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/WLP5Wk5.png"/>
|
||||||
|
|
||||||
|
This can lead to privilege escalation to SYSTEM user as having the permission to control dns service we can load a malicious dll file by generating it through `msfvenom` and hosting it through smb share and then loading it with `dnscmd` then stopping the dns service with `sc.exe stop dns` and restarting it with `sc.exe start dns` to start dnsservice with our malicious dll file
|
||||||
|
|
||||||
|
Generating the dll file
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/tABGHF8.png"/>
|
||||||
|
|
||||||
|
Using impacket's smbserver to start smbserver
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/SXn4wup.png"/>
|
||||||
|
|
||||||
|
Now there was an issue with this box , don't know if it's the same with other users, when I was following this article for abusing DNSAdmins group it wouldn't give me the reverse shell neither it would execute commands from the payload `msfvenom -p windows/x64/exec cmd='net group "Administrator" melanie /add' -f dll > dns.dll`
|
||||||
|
|
||||||
|
Also when we download the dll on the machine it would be removed under a minute so we needed to be quick , so the way I got SYSTEM was , I stopped the dns service first then loaded the dll then started the dns service and saw the response on smbserver and got a shell on netcat
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/vYsSEy8.png"/>
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/PmNKGfy.png"/>
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/dJ45hFI.png"/>
|
||||||
|
|
||||||
|
To get a proper shell we can now just add ryan to `Domain Admins` group or local group `Administrators`
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/hOnzAO4.png"/>
|
||||||
|
|
||||||
|
We can verify it with `net user ryan`
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/dJkDSBB.png"/>
|
||||||
|
|
||||||
|
Again , we need to be quick to dump hashes and perform pass the hash attack because it will revert back the changes
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/q5n6Nzf.png"/>
|
||||||
|
|
||||||
|
<img src="https://i.imgur.com/V5IHOZS.png"/>
|
||||||
|
|
||||||
|
|
||||||
|
## References
|
||||||
|
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise
|
||||||
|
|
Loading…
Reference in a new issue