Hello everyone I hope you are doing well , in this post I will be sharing my walk through of TryHackMe’s Ustoun which was Active Directory machine but we didn’t really had to do any crazy stuff with AD just needed to brute force user using rid through “crackmapexec”
Rustscan
PORT STATE SERVICE REASON VERSION
53/tcp open domain? syn-ack ttl 127
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2021-04-03 18:57:34Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
1433/tcp open ms-sql-s? syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: ustoun.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ssl/ms-wbt-server? syn-ack ttl 127
| rdp-ntlm-info:
| Target_Name: DC01
| NetBIOS_Domain_Name: DC01
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: ustoun.local
| DNS_Computer_Name: DC.ustoun.local
| DNS_Tree_Name: ustoun.local
| Product_Version: 10.0.17763
|_ System_Time: 2021-04-03T19:00:24+00:00
| ssl-cert: Subject: commonName=DC.ustoun.local
| Issuer: commonName=DC.ustoun.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-01-31T19:39:34
| Not valid after: 2021-08-02T19:39:34
| MD5: fce5 375e 0190 ebc1 bf6e f384 468f 69f6
| SHA-1: dbe7 28d6 1980 1221 c9cb 712a 911e 99b2 303e 5de7
| -----BEGIN CERTIFICATE-----
| MIIC4jCCAcqgAwIBAgIQWPJp5aVu8JlPCbMkI/U6AjANBgkqhkiG9w0BAQsFADAa
| MRgwFgYDVQQDEw9EQy51c3RvdW4ubG9jYWwwHhcNMjEwMTMxMTkzOTM0WhcNMjEw
| ODAyMTkzOTM0WjAaMRgwFgYDVQQDEw9EQy51c3RvdW4ubG9jYWwwggEiMA0GCSqG
| SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDErxES6mfg1M0Ur5tZJHE8BKV+voQAWLa4
| gKJfNi0av9nZ80wp2gJnQmHmZC0ACVpQUufMU9vlaCnk35rqsyM0/igqigSqWXAM
| OY/876ZWGbo5R1g3PjH4bE3mdPtPAJF0wfS8aZ8CdHlmuGDFlJmnu6qFEP/PoACC
| tf1S/vky+8GVs4uLFyxZOY5mam5PNULQvsMz2ycOPwj2CYwgWnrnA52N6m/6O9v7
| XK+K6XBSGHamrHR5EYFXG+u1vItwm4qpUZerUhZl2/WVKIIN4pDXWDCrS59nsVvc
| UC3fDPcgzruHIVJcA+g+CsEYdidS+E1NO3e3ZnWBeWE77ZCSDyTNAgMBAAGjJDAi
| MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsF
| AAOCAQEAj9XeCOtYI4LrmeM7qZVQYuuDHIDosWkIw0LMpin4/gt0CDaEB1/uXUnX
| JnBUEHWMDdjzC22hTsTdUIntZgJAk81aQbPm3qMvSE1AXPCCfsN7GehA4kX/n42X
| xiz2rwZo/5DYH0JOWj8iCZyFMiXqSwQm3GWbG4LuTOct+x/rv0UwhyCvdllVRtwz
| P9BM/9qZqy3LecKtJh6UUo8FZ8zkekT9nsJ9/vCv3/THRUMOtEtSXdZUUqccXwRm
| 0HVLxT09wdGGbwdOzzdQSQfLmewi3rSZQf9liaXDtpkK60qrzj4zcyGG2QvX+9EI
| pZV0B4rzCUDWrpaTOsv8z7Qlgeb2GA==
|_-----END CERTIFICATE-----
|_ssl-date: 2021-04-03T19:01:07+00:00; +1m25s from scanner time.
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49673/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49689/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49709/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49712/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49726/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPCFrom the scan we can see a domain name
PORT 445 (SMB)
We can only access $IPC as anonymous but there is no use of it. So using crackmapexec we can use RID brute force which will enumerate all AD objects including users and groups by guessing every resource identifier (RID)
Here you can see SVC-Kerb might be a user we can try to brute force as MS-SQL is running we can try there
PORT 1433 (MS-SQL)
The database is Microsoft SQL so let’s brute force credentials using hydra
We found the password so we can use metasploit’s module for code execution use admin/mssql/mssql_exec
So there’s a command execution alternatively we can try do sqsh which is an opensource program for getting a interactive database shell
Here -S indicates the server where we put the IP address or the port if MS-SQL was on a different port
-U specifies the username
-P specifies the passowrd
Now to execute windows commands we are going to use xp_cmdshell which spawns a windows command shell . xp_cmdshell is an extended stored procedure provided by Microsoft and stored in the master database. So the whole command will be EXEC master ..xp_cmdshell'whoami' , here EXEC is used to execute stored procedure on a database and stored procedures are kinda like functions in mysql /mssql.
We can find the user.txt in C:\Users\SVC-Kerb.DC01
But when I tried to read it I get access denied
So first to get a proper shell I uploaded ncat64.exe you can download it from here
https://github.com/int0x33/nc.exe
Now we got a shell at least so to see what permissions does SVC-kerb has we can do net user SVC-kerb
It tells that we are just a domain user also this looks like a service account and we won’t be able to with it much since this is a Active Directory we can try to run SharpHound.ps1 to gather everything it could find about the domain
I transferred the file onto target machine but before run it let’s find the domain name we already know it from the nmap scan but just to be sure spawn a powershell by running powershell and run Get-ADDomain this will show you the information of the domain
Now we will import sharphound.ps1 and use it’s functions
We need to transfer this on to our local machine so we can analyze the data through BloodHound
To transfer it I tried creating a smb share on my local machine and copying the zip file there but windows gave an error that it wasn’t allowing to transfer the file so I thought of trying to get a meterpter shell through which I can download the zip file
Run neo4j console
Then starting bloodhound
I imported that zip file in blood hound but didn’t find anything interesting, so can now upload PowerUp.ps1 to enumerate for mis-configurations or privilege escalation techniques
PowerUp
You can download the script from here
https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
Also read the documentation from here
https://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/
Now importing the powershell script and running Invoke-AllChecks
So here we have 2 ways of getting admin first let’s try abusing the service UsoSvc
Service Abuse
Looking at the documentation
We can abuse a service by creating a local administrator by creating a new user and then adding it into local administrator group or by using the current user
Creating a new user and adding it to local administrator
To see if this user was added
Now to switch to this user we can evil-winrm to login since winrm service is running
SeImpersonatePrivilege
Running whoami /all to see what privileges the user has
Now we can abuse this service by through PrintSpoofer
Download printspoofer 64 bit verison
https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0
And we can access Administrator’s directory
