PG Hutch: Active Directory
I was stuck on this box for two days. My MiTM attacks did not work. Traffic is dead. Restarting the box usually triggers the IPv6 poisoning MiTM. Does not work. Next step is Samba exploits. No vulns there. Which leaves us to 'what next'? This is a great box to collect more enumeration skills and attack vectors.
The obvious WebDav keeps screaming at me. It has a BasicAuth on it. I find out you can enumerate users with Kerbrute. I try that. I get "admin" (custom) and "Administrator" (default).
I don't know how to brute BasicAuth. I google "how to brute WebDav" which is a bad google. I corrected to "how to brute BasicAuth". I get a hydra command. I run that against multiple password lists with the user "admin". No luck. IT WOULD however work, and is good to keep for the future.
hydra -l fmcsorley -P passwords.txt 192.168.210.122 http-get / -I
Follow these two articles when enumerating LDAP:
https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap
https://www.n00py.io/2020/02/exploiting-ldap-server-null-bind/
connection.search(search_base='DC=hutch,DC=offsec', search_filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*') connection.entries
I do a whoami /priv and see ImpersonatePriv is on. I use my trusty PrintSpooferx64.exe to get Domain Admin. PrintSpoofer is my new favorite tool. It replaces JuicyPotato for Windows Server 2019.
Lessons Learned
- Kerberos good for enumerating usernames.
- LDAP can be queried just by entering a python shell.
- Have a BasicAuth command ready. Wireshark showed a username:password format.
- New attack-vector when things get tough.
Comments
Post a Comment