Skip to content

10.10.10.182

Recon

Port scan

PORT      STATE SERVICE       REASON          VERSION                                                                                                                        53/tcp    open  domain        syn-ack ttl 127 Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)                                                                 | dns-nsid:                                                                                                                                                                  |_  bind.version: Microsoft DNS 6.1.7601 (1DB15D39)                                                                                                                          

88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-02-03 14:15:04Z)                                                                 

135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC                                                                                                          

139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn                                                                                                  

389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)                                 

445/tcp   open  microsoft-ds? syn-ack ttl 127                                                                                                                                

636/tcp   open  tcpwrapped    syn-ack ttl 127                                                                                                                                

3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: cascade.local, Site: Default-First-Site-Name)                                 

3269/tcp  open  tcpwrapped    syn-ack ttl 127                                                                                                                                

5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                                                                                        |_http-server-header: Microsoft-HTTPAPI/2.0                                                                                                                                  |_http-title: Not Found                                                                                                                                                      

49154/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC                                                                                                          

49155/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC                                                                                                          

49157/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0                                                                                            

49158/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC                                                                                                          

49170/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC                                                                                                          

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port                                                                        Device type: general purpose|phone|specialized                                                                                                                               Running (JUST GUESSING): Microsoft Windows 8|Phone|2008|7|8.1|Vista|2012 (92%)                                                                                               OS CPE: cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8.1 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1 cpe:/o:microsoft:windows_server_2012                                                                                    OS fingerprint not ideal because: Missing a closed TCP port so results incomplete                                                                                            

Aggressive OS guesses: Microsoft Windows 8.1 Update 1 (92%), Microsoft Windows Phone 7.5 or 8.0 (92%), Microsoft Windows 7 or Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 (91%), Microsoft Windows Server 2008 R2 or Windows 8.1 (91%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (91%), Microsoft Windows 7 (91%), Microsoft Windows 7 Professional or Windows 8 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 R2 (91%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (91%)   No exact OS matches for host (test conditions non-ideal)

This one appears to be one of the AD boxes (Kerberos is running on port 88).

Enumerate Attack Surface

From reviewing the port scan, we see the following structure start to emerge:

This box definitely is AD related. - 88: Kerberos
- Maybe Kerberoast? - Maybe MS14-068? - 389: LDAP - Might be able to dump everything, or even write data with Manual Enumeration - LDAP can be used without SSL - should sniff this - 636: tcpwrapped (typically LDAPs) - 3268: LDAP (Global Catalog for LDAP) - 3269: tcpwrapped (Global catalog for LDAPs)

dnsHostName: CASC-DC1.cascade.local ldapServiceName: cascade.local:casc-dc1$@CASCADE.LOCAL
serverName: CN=CASC-DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cascade,DC=local

Service Info: - Host: CASC-DC1 - OS: Windows 2008 R2

Definitely a domain controller, also DNS running: - 53: Microsoft DNS 6.1.7601 (Windows Server 2008 R2 SP1) - Manual digging

Also it appears to have a fileshare: - 139: Netbios-ssn - Anonymous Login - 445: Microsoft-ds - RPC running on multiple ports

And finally, a few HTTP servers: - 5985: Microsoft HTTPAPI httpd 2.0 - WinRM? check _manual_commands.txt - 49157: ncacn_http - RPC over HTTP 1.0

Public Exploits

Pasted image 20220203095239.png

Maybe one of the Eternal exploits would work for Initial foothold? Would need to verify anon login for SMB first. Searchsploit agrees (based on Windows version reported by DNS)

Pasted image 20220203095718.png

Weaponization

Exploit planning

  1. Check SMB anon login
    • Nope
  2. Check MS17-010 EDB-42031
    • Nope
  3. Try LDAP manual enumeration (above)
    • Got some users, but nothing major.
  4. WinRM! Better dive into this.

PrivEsc Planning

  1. Kerberoast
  2. Check MS16-032

Exploit

Eternal Blue

Couldn't get EDB-42031 working - it's python 2 and my version of Kali is missing impacket for 2. Tried porting to 3, but I would have to go through and call out the byte strings. THIS NEEDS TO BE ADDRESSED BEFORE THE EXAM! I should probably use an older version of Kali which still has support for python2.

So, I'll be using my ONE metsaploit for this one......SHIT

Pasted image 20220203200117.png

FML Pasted image 20220203200330.png

Playing with LDAP

I was able to dump everything from LDAP with this:

>>> import ldap3
>>> server = ldap3.Server('x.X.x.X', get_info = ldap3.ALL, port =636, use_ssl = True)
>>> connection = ldap3.Connection(server)
>>> connection.bind()
True
>>> server.info

>> connection.search(search_base='DC=DOMAIN,DC=DOMAIN', search_filter='(&(objectClass=person))', search_scope='SUBTREE', attributes='userPassword')
True
>>> connection.entries

Pasted image 20220203203057.png

I should also check if I can write data.

WinRM

Will follow this WinRM Hacking Guide