search

(old) (to be deleted or finished )Resolute

hashtag
Enumeration

As usual, I first run an nmap scan on all possible ports to see which ones are open in the first place, then a targeted one on all ports flagged as open ; here are the results.

# Nmap 7.91 scan initiated Fri May  7 09:23:38 2021 as: nmap -sC -sV -A -oA resolute 10.10.10.169                                                                                                                 
Nmap scan report for 10.10.10.169                                                                                                                                                                                 
Host is up (0.074s latency).                                                                                                                                                                                      
Not shown: 992 closed ports                                                                                                                                                                                       
PORT    STATE SERVICE      VERSION                                                                                                                                                                                
88/tcp  open  kerberos-sec Microsoft Windows Kerberos (server time: 2021-05-07 13:32:19Z)                                                                                                                         
135/tcp open  msrpc        Microsoft Windows RPC                                                                                                                                                                  
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn                                                                                                                                                          
389/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)                                                                                        
445/tcp open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)                                                                                                                  
464/tcp open  kpasswd5?                                                                                                                                                                                           
593/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0                                                                                                                                                    
636/tcp open  tcpwrapped

This is obviously a Windows Domain Controller machine (ports 88 for Kerberos and 389 for LDAP are open), and nmap's preliminary scan indicates its domain name is megabank.local. SMB is active on that machine (port 139 and 445), and I also notice an open TCP port on 135.

As usual, I always try the low-hanging fruits ; a very basic first look at both SMB and rpc, without credentials.

Oh, my. While trying to log in as anonymous on SMB gave us nothing of note, it seems like anonymous login was enabled on RPC, and that we can send queries. Time to enumerate domain stuff using this vector ! I will start with the basics (see the relevant page on this gitbook for more details).

After running querydispinfo, I see that the description for the user marko implies that the new default password for newly created users is "Welcome123!" ... the next logical step is of course to try it with every username I've scrapped using RPC. I will use crackmapexex for this task ;

It seems like the credentials are valid for user melanie ! And since port 5985 is open, this means I can login using evil-winrm using those, and go read the first flag ;

After logging in as melanie, I tried a few things pertaining to Active Directory and Windows enumeration that unfortunately didn't work. I realised afterward that I should have started with manually looking at potentially interesting directories. After looking more closely at the root directories, I find a PSTranscripts directory, with a powershell log file in it. After looking into said file, I notice that the user ryan tried (and failed) to map a share with his credentials.

I tried to log in with this credentials using evil-winrm, and bingo, it works ! I also find a note in ryan's home directory ;

Great. So whatever I do on the computer, a job runs in the background and resets everything every minute, except for the administrator account. I deduce from this that the expected path probably has something to do with said account. Probably modifying the password or something.

In the meantime, I take a look at the user I'm currently logged in as ;

Everything here seems pretty generic, but after a bit of googling, it seems like it is possible

PreviousTrashcan

Last updated