Resolute (old; to be deleted or finished)

Enumeration

As usual, I first run an nmap scan on all possible ports to see which ones are open in the first place, then a targeted one on every port flagged as open; here are the results.

# Nmap 7.91 scan initiated Fri May  7 09:23:38 2021 as: nmap -sC -sV -A -oA resolute 10.10.10.169
Nmap scan report for 10.10.10.169
Host is up (0.074s latency).
Not shown: 992 closed ports
PORT    STATE SERVICE      VERSION
88/tcp  open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-05-07 13:32:19Z)
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp open  kpasswd5?
593/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp open  tcpwrapped

This is obviously a Windows Domain Controller (ports 88 for Kerberos and 389 for LDAP are open), and nmap's preliminary scan indicates its domain name is megabank.local. SMB is active on the machine (ports 139 and 445), and I also notice that TCP port 135 (MSRPC) is open.

As usual, I try the low-hanging fruit first: a very basic look at both SMB and RPC, without credentials.

Oh, my. While trying to log in anonymously on SMB gave us nothing of note, it seems that anonymous login is enabled on RPC, and that we can send queries. Time to enumerate the domain through this vector! I will start with the basics (see the relevant page on this gitbook for more details).

After running querydispinfo, I see that the description of the user marko implies that the default password for newly created users is "Welcome123!" ... the next logical step is of course to try it against every username I've scraped over RPC. I will use crackmapexec for this task:

It seems the credentials are valid for the user melanie! And since port 5985 (WinRM) is open, this means I can log in with evil-winrm using them and go read the first flag:
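The description field that gave the password away is exactly the kind of thing an AD audit should catch before an attacker reads it over anonymous RPC. Below is an added example (not part of this writeup or any tool it uses) that parses the line layout of rpcclient's querydispinfo output and flags enabled accounts whose description contains a credential-looking phrase; the sample output is constructed, only the marko description mirrors what the page describes.

```python
import re

# Constructed sample in the layout of `rpcclient -c querydispinfo` output;
# not output captured from the real box.
SAMPLE_QUERYDISPINFO = """\
index: 0x1 RID: 0x1f4 acb: 0x00000210 Account: Administrator\tName: (null)\tDesc: Built-in account for administering the computer/domain
index: 0x2 RID: 0x1f5 acb: 0x00000215 Account: Guest\tName: (null)\tDesc: Built-in account for guest access to the computer/domain
index: 0x3 RID: 0x451 acb: 0x00000010 Account: marko\tName: Marko Novak\tDesc: Account created. Password set to Welcome123!
index: 0x4 RID: 0x452 acb: 0x00000010 Account: melanie\tName: (null)\tDesc: (null)
"""

LINE_RE = re.compile(
    r"index:\s*(?P<index>\S+)\s+RID:\s*(?P<rid>\S+)\s+acb:\s*(?P<acb>0x[0-9a-fA-F]+)"
    r"\s+Account:\s*(?P<account>.*?)\s+Name:\s*(?P<name>.*?)\s+Desc:\s*(?P<desc>.*)$"
)
ACB_DISABLED = 0x0001  # account-control bit reported in the acb field
CRED_HINT_RE = re.compile(r"(?i)\b(password|passwd|pwd|pass(?:phrase)?)\b")
# Token that follows "set to", "is" or ":" in a flagged description
CRED_VALUE_RE = re.compile(r"(?i)(?:\b(?:set to|is)\b|:)\s*(\S+)")


def parse_querydispinfo(text):
    """Return one dict per user line; lines that do not match the layout are skipped."""
    users = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["acb"] = int(rec["acb"], 16)
        rec["disabled"] = bool(rec["acb"] & ACB_DISABLED)
        users.append(rec)
    return users


def audit_descriptions(text):
    """Flag enabled accounts whose description looks like it carries a credential.

    Returns a list of (account, description, suspected_value) tuples."""
    findings = []
    for u in parse_querydispinfo(text):
        if u["disabled"] or not CRED_HINT_RE.search(u["desc"]):
            continue
        v = CRED_VALUE_RE.search(u["desc"])
        findings.append((u["account"], u["desc"], v.group(1) if v else None))
    return findings


if __name__ == "__main__":
    for account, desc, value in audit_descriptions(SAMPLE_QUERYDISPINFO):
        print(f"{account}: {desc!r} (suspected value: {value})")
```

The same parser works on the output of a scheduled run against your own DC, so the check can be repeated after every batch of account creations.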

After logging in as melanie, I tried a few things pertaining to Active Directory and Windows enumeration that unfortunately didn't work. I realised afterwards that I should have started by manually looking at potentially interesting directories. After looking more closely at the root directories, I find a PSTranscripts directory with a PowerShell transcript file in it. Looking into said file, I notice that the user ryan tried (and failed) to map a share with his credentials.
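PowerShell transcripts record command lines verbatim, so a password typed into net use ends up on disk for anyone who can read the PSTranscripts directory. As an added example (not from this writeup), here is a scanner for the kind of leak the page describes: it reads a Start-Transcript file, extracts the RunAs user from the header, and reports lines where a secret was passed on the command line; the transcript fragment is constructed and the share, user and passwords are placeholders.

```python
import re

# Constructed fragment in the layout Start-Transcript writes (header, then
# PS> command lines); share, user and passwords are placeholders, not real.
SAMPLE_TRANSCRIPT = """\
**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\\ryan
RunAs User: MEGABANK\\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\\\fs01\\backups ryan PLACEHOLDER_PASSWORD"
>> ParameterBinding(Out-Default): name="InputObject"; value="The syntax of this command is:"
PS>$p = ConvertTo-SecureString "PLACEHOLDER_PASSWORD2" -AsPlainText -Force
"""

HEADER_USER_RE = re.compile(r"^RunAs User:\s*(\S+)", re.M)
# net use [drive:] \\server\share [password] [/user:...]: every non-switch token
# after the UNC path is a plaintext argument that should never sit in a log
NET_USE_RE = re.compile(r"net\s+use\s+(?:[A-Za-z]:\s+)?(\\\\\S+)\s*(.*)", re.I)
SECURESTRING_RE = re.compile(
    r"ConvertTo-SecureString\s+(?:-String\s+)?['\"]([^'\"]+)['\"].*-AsPlainText", re.I)


def find_plaintext_credentials(transcript):
    """Return one finding per transcript line that carries a plaintext secret."""
    m = HEADER_USER_RE.search(transcript)
    who = m.group(1) if m else "unknown"
    findings = []
    for n, line in enumerate(transcript.splitlines(), 1):
        m = NET_USE_RE.search(line)
        if m:
            secrets = [t.strip('"') for t in m.group(2).split() if not t.startswith("/")]
            if secrets:
                findings.append({"line": n, "user": who, "kind": "net use", "secrets": secrets})
            continue
        m = SECURESTRING_RE.search(line)
        if m:
            findings.append({"line": n, "user": who, "kind": "ConvertTo-SecureString",
                             "secrets": [m.group(1)]})
    return findings


def redact(secret):
    """Keep only the first character so a report can be shared without the secret."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""


if __name__ == "__main__":
    for f in find_plaintext_credentials(SAMPLE_TRANSCRIPT):
        print(f"line {f['line']}: {f['user']} {f['kind']} -> {[redact(s) for s in f['secrets']]}")
```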

I tried to log in with these credentials using evil-winrm, and bingo, it works! I also find a note in ryan's home directory:

Great. So whatever I do on the computer, a job running in the background resets everything every minute, except for the Administrator account. I deduce from this that the expected path probably has something to do with said account, most likely modifying its password or something similar.

In the meantime, I take a look at the user I'm currently logged in as:

Everything here seems pretty generic, but after a bit of googling, it seems like it is possible
