Fusion Corp

Enumeration
nmap -v -A -O -p- -Pn fusion.corp -oN nmap

Port 80


Running ffuf against the website hosted on port 80, we obtain some juicy results:

If we navigate to the /backup endpoint we can download the employee.ods file and read it carefully:


From this XML we can extract a useful list of usernames:
Port 445 (anonymous enumeration)
Trying some enumeration on port 445, we notice that shares cannot be listed as the anonymous/guest user:

Port 88
If we validate the previously extracted list of users against Kerberos using kerbrute, we find that only one of the 11 names exists in the domain: the lparker user.

Checking whether the lparker user is AS-REP roastable, we get back an AS-REP packet whose encrypted part is protected with the lparker user's key, which can be attacked offline:

Cracking the hash with John the Ripper gives us the lparker password:

lparker <--> !!abbylvzsvs2k6!
Log in remotely using evil-winrm and obtain the first flag:

As lparker we don't have any interesting privileges:

Port 445 (enumeration as lparker)
Now, if we list shares as lparker, we obtain the following:

The result doesn't look very interesting, so let's use these credentials to enumerate further with enum4linux:

Awesome! 🎉 We've obtained another credential pair, this time for the user jmurphy:
jmurphy <--> u8WC3!kLsgw=#bRY
We also now know that jmurphy is a member of the Backup Operators and Remote Management Users groups:

We also know that the only Domain Admin is the Administrator user, which is also our final target account:

Again, log in remotely using evil-winrm and obtain the second flag:

As jmurphy, by contrast, we do have some interesting privileges:

Info
Fusion-DC.fusion.corp
NetBIOS Domain Name: FUSION
Domain SID: S-1-5-21-1898838421-3672757654-990739655
Privilege escalation (Administrator)
Membership in the Backup Operators group grants access to the domain controller's file system through the SeBackup and SeRestore privileges. These privileges allow folder traversal, directory listing and file copying even without explicit ACL permissions, because files are opened with the FILE_FLAG_BACKUP_SEMANTICS flag. In practice this means a Backup Operator can back up the DC's disk, take a copy of NTDS.dit and the SYSTEM registry hive from that backup, move both files offline and dump the hashes.
On the Kali machine, create a backup.txt file containing these commands:
From the remote session as jmurphy, create a temporary directory C:\Temp, upload backup.txt to it and run diskshadow.exe in script mode:



Now copy the needed files out of the shadow copy into the current directory (C:\Temp):


and finally download these files locally:

And, like a charm, secretsdump.py decrypts the hashes in ntds.dit using the boot key saved in the SYSTEM registry hive:

Using Pass-the-Hash we can authenticate as Administrator via evil-winrm with the NT hash and get the third flag, completing the room! 🎉
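From the defender's side, the chain above (a Backup Operators member whose logon receives SeBackupPrivilege and who then launches diskshadow.exe in script mode) leaves a recognisable trace in the DC's Security log. The following Python is an added example, not part of this write-up, that correlates constructed event 4672 (special privileges assigned) and 4688 (process creation) records by logon session; the field names follow the Windows Security event schema, while the sample events, account names and the shadow-copy tool watch-list are assumptions.

```python
"""Added detection example: SeBackup/SeRestore grant (4672) followed by a shadow-copy tool (4688) in one session."""
from collections import namedtuple

Finding = namedtuple("Finding", "user logon_id command_line")

# Constructed sample Security-log events (not taken from the write-up).
# Field names follow the Windows Security event XML schema; values are made up.
SAMPLE_EVENTS = [
    {"EventID": 4672, "SubjectUserName": "jmurphy", "SubjectLogonId": "0x3a1f2",
     "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege"},
    {"EventID": 4688, "SubjectUserName": "jmurphy", "SubjectLogonId": "0x3a1f2",
     "NewProcessName": "C:\\Windows\\System32\\diskshadow.exe",
     "CommandLine": "diskshadow.exe /s C:\\Temp\\backup.txt"},
    {"EventID": 4672, "SubjectUserName": "lparker", "SubjectLogonId": "0x3b9c0",
     "PrivilegeList": "SeChangeNotifyPrivilege"},
    {"EventID": 4688, "SubjectUserName": "lparker", "SubjectLogonId": "0x3b9c0",
     "NewProcessName": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami /priv"},
    # diskshadow launched by a session with no recorded backup privilege: not flagged
    {"EventID": 4688, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x1c4d",
     "NewProcessName": "C:\\Windows\\System32\\diskshadow.exe",
     "CommandLine": "diskshadow.exe /s C:\\Scripts\\nightly.txt"},
]

BACKUP_PRIVS = {"SeBackupPrivilege", "SeRestorePrivilege"}
# Tools that create or expose volume shadow copies (assumed watch-list).
SHADOW_TOOLS = {"diskshadow.exe", "vssadmin.exe", "wbadmin.exe"}


def detect_shadow_copy_abuse(events):
    """Return Finding tuples for shadow-copy tool launches whose logon session
    had earlier been granted SeBackup/SeRestore. Events must be in time order.
    4672 alone fires on every admin logon and 4688 alone lacks the privilege
    context, so the correlation is what keeps the alert meaningful."""
    privileged_sessions = {}  # SubjectLogonId -> user that received the privilege
    findings = []
    for ev in events:
        logon = ev.get("SubjectLogonId")
        if ev["EventID"] == 4672:
            if set(ev.get("PrivilegeList", "").split()) & BACKUP_PRIVS:
                privileged_sessions[logon] = ev["SubjectUserName"]
        elif ev["EventID"] == 4688:
            image = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            if image in SHADOW_TOOLS and logon in privileged_sessions:
                findings.append(Finding(ev["SubjectUserName"], logon, ev.get("CommandLine", "")))
    return findings


if __name__ == "__main__":
    for f in detect_shadow_copy_abuse(SAMPLE_EVENTS):
        print(f"ALERT: {f.user} (logon {f.logon_id}) ran a shadow-copy tool: {f.command_line}")
```

Known backup accounts and scheduled jobs would be allow-listed on top of this, and in a SIEM the same join is done on SubjectLogonId within a time window.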
