Support
Gaining Access
Nmap scan:
Null Session
I found that SMB accepts null credentials for this machine:
Viewing the support-tools share, we find that it contains multiple binaries.
There's only one that was interesting, and it was the UserInfo.exe file. I took it back to my Windows VM and used dnSpy to open it.
dnSpy
When decompiled, it seems that the binary was sending LDAP queries:
Looking around, I also found this password function.
We can decode this easily with a short Python script that follows the same logic as the function. Running it outputs the password.
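The reason this worked at all is that the binary shipped with a credential inside it, and obfuscation in a client-side program is always reversible by whoever holds the program. The original page does not show the function's logic, so the following is an added example, not code from the writeup or from UserInfo.exe: a pre-release check that scans a compiled artifact for base64-looking runs, filters out low-entropy filler, and shows what the high-entropy ones decode to. The blob it scans is constructed in the block (a fake header, a few ordinary strings, a padding run and one encoded placeholder), and the entropy threshold of 3.5 bits is an assumed tuning value.

```python
import base64
import math
import re

# Base64-looking runs of at least 16 characters, optionally padded.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: random-looking secret material scores high, padding and filler score low."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def try_decode(candidate: bytes):
    """Return the decoded bytes if the run is valid base64 that decodes to printable ASCII, else None."""
    try:
        decoded = base64.b64decode(candidate, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if decoded and all(32 <= b < 127 for b in decoded):
        return decoded
    return None


def find_embedded_secrets(blob: bytes, min_entropy: float = 3.5):
    """Return [(offset, run, entropy, decoded_or_None)] for runs that look like real secret material."""
    findings = []
    for m in B64_RE.finditer(blob):
        run = m.group()
        ent = shannon_entropy(run)
        if ent < min_entropy:
            continue  # repeated filler such as b"AAAA..." is structure, not a secret
        findings.append((m.start(), run, round(ent, 2), try_decode(run)))
    return findings


# Constructed stand-in for a compiled binary's string table; nothing here comes from UserInfo.exe.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12                   # fake executable header
    + b"UserInfo\x00LDAP://dc.example.invalid\x00"  # ordinary strings, too short to match
    + b"AAAAAAAAAAAAAAAAAAAAAAAA\x00"               # low-entropy padding run: ignored
    + b"dGhpcyBpcyBub3QgYSByZWFsIHNlY3JldA==\x00"   # base64 of a constructed placeholder sentence
    + b"Console.WriteLine\x00"
)

if __name__ == "__main__":
    for offset, run, ent, decoded in find_embedded_secrets(SAMPLE_BLOB):
        print(f"offset {offset:#06x} entropy {ent} {run!r} -> {decoded!r}")
```

Point the scanner at a real build output (for example by reading the file into `blob`) and treat every hit as something to explain: either the string is harmless and can be allow-listed, or the credential it encodes has to move out of the artifact, which also means rotating it, since anyone who received the binary has already had it.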
LDAPSearch
Then, since the binary does LDAP queries, I wanted to use the username and password given by the binary to query LDAP.
On analysing the output, I found a hidden password for the support user.
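The password sat in a free-text attribute of the user object, which any account that can bind to LDAP is allowed to read. A directory owner can find this class of mistake before an attacker does by sweeping those attributes. The following audit is an added example and not part of the original writeup: it takes user entries in the shape an LDAP search returns (attribute name mapped to a list of values, constructed inline here rather than fetched from a server) and flags values that either carry a credential-like label or contain a generated-looking token. The attribute list and both regular expressions are assumptions chosen for the example.

```python
import re

# Free-text attributes that are readable by ordinary domain members and commonly end up holding notes.
FREE_TEXT_ATTRS = ("description", "info", "comment")

# A word that announces a credential, e.g. "password:", "pwd=", "temp credential".
LABEL_RE = re.compile(r"\b(pass(word|wd|phrase)?|pwd|cred(ential)?s?|secret|pin)\b", re.I)
# A token of 8+ non-space characters mixing letters, digits and punctuation, as generated passwords do.
TOKEN_RE = re.compile(r"(?=\S*\d)(?=\S*[A-Za-z])(?=\S*[^\w\s])\S{8,}")


def suspicious_attributes(entry):
    """Return [(attribute, value, reason)] for free-text attributes that look like they hold a credential."""
    findings = []
    for attr in FREE_TEXT_ATTRS:
        for value in entry.get(attr, []):
            if LABEL_RE.search(value):
                findings.append((attr, value, "credential-like label"))
            elif TOKEN_RE.search(value):
                findings.append((attr, value, "password-like token"))
    return findings


def audit(entries):
    """Map sAMAccountName -> findings for every entry that has at least one."""
    report = {}
    for entry in entries:
        findings = suspicious_attributes(entry)
        if findings:
            report[entry["sAMAccountName"]] = findings
    return report


# Constructed user entries; the values are made up for this example.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "support", "description": ["Help desk account"],
     "info": ["Temporary credential for onboarding: Ex4mple!Value"]},
    {"sAMAccountName": "jdoe", "description": ["Finance team, floor 3"], "info": []},
    {"sAMAccountName": "svc_backup", "description": ["Rotated 2024-01, see change ticket"]},
    {"sAMAccountName": "printer01", "info": ["Lobby MFP. Z9k!vQ2p#Lm7"]},
]

if __name__ == "__main__":
    for account, findings in audit(SAMPLE_ENTRIES).items():
        for attr, value, reason in findings:
            print(f"{account}: {attr} = {value!r} ({reason})")
```

The two rules deliberately fire on different evidence: the label rule catches the human habit of writing "password" next to the value, the token rule catches a bare generated string with no label at all. Dates and ticket numbers (digits and punctuation but no letters) pass through, so the output stays short enough to review by hand.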
We can then evil-winrm in as this support user.
Privilege Escalation
Once in, I started Bloodhound to enumerate for me. Upon reviewing the contents, I saw this interesting set of permissions over the DC.
We can use PowerMad and PowerView to abuse the GenericAll privileges.
GenericAll Abuse
We can use this set of commands to create a new user:
This spawns a shell for us.
How it works is that we first create a new user that has the Constrained Delegation privilege. Then, we are able to impersonate the administrator and request a ticket that we can use to gain a shell with smbexec.py.
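Both halves of this chain are visible in the directory: the GenericAll right that made it possible is an ACE in the DC object's DACL, and the delegation the new account received is an ACE in the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute, which is stored as a binary security descriptor. The following is an added example rather than code from the writeup or from PowerMad/PowerView: a parser for self-relative security descriptors that answers two defender questions, which principals a computer's RBCD attribute allows to act on its behalf, and which principals hold full control over an object beyond the ones you expect. The descriptor it inspects is constructed in the block (a made-up domain SID and RID); in production the bytes would come from the attribute itself, and the "expected" set is something you supply for your own domain.

```python
import struct

# Access-mask value that ActiveDirectoryRights, BloodHound and PowerView label "GenericAll" (full control).
GENERIC_ALL = 0x000F01FF
ACCESS_ALLOWED = 0x00
ACCESS_DENIED = 0x01
OBJECT_ACE_TYPES = {0x05, 0x06, 0x07, 0x08}  # object ACEs carry an extra flags dword and optional GUIDs
ACE_NAMES = {0x00: "ACCESS_ALLOWED", 0x01: "ACCESS_DENIED",
             0x05: "ACCESS_ALLOWED_OBJECT", 0x06: "ACCESS_DENIED_OBJECT"}


def parse_sid(buf, off):
    """Decode a binary SID at buf[off] into its S-1-... string form."""
    revision, sub_count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, buf, off + 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def parse_dacl(sd):
    """Return [(ace_type_name, access_mask, sid)] from a self-relative security descriptor's DACL."""
    _rev, _sbz1, _control, _owner, _group, _sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if off_dacl == 0:
        return []
    _acl_rev, _sbz, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, off_dacl)
    aces, pos = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        mask = struct.unpack_from("<I", sd, pos + 4)[0]
        sid_off = pos + 8
        if ace_type in OBJECT_ACE_TYPES:
            obj_flags = struct.unpack_from("<I", sd, pos + 8)[0]
            sid_off = pos + 12 + (16 if obj_flags & 0x1 else 0) + (16 if obj_flags & 0x2 else 0)
        aces.append((ACE_NAMES.get(ace_type, "TYPE_%#x" % ace_type), mask, parse_sid(sd, sid_off)))
        pos += ace_size
    return aces


def delegation_principals(rbcd_sd):
    """SIDs granted by msDS-AllowedToActOnBehalfOfOtherIdentity; a non-empty list on a DC needs a justification."""
    return [sid for name, _mask, sid in parse_dacl(rbcd_sd) if name == "ACCESS_ALLOWED"]


def generic_all_holders(sd, expected=()):
    """SIDs with full control in an object's DACL, minus the ones you expect (Domain Admins, SYSTEM, ...)."""
    return [sid for name, mask, sid in parse_dacl(sd)
            if name.startswith("ACCESS_ALLOWED") and mask & GENERIC_ALL == GENERIC_ALL and sid not in expected]


def build_sid(sid_str):
    """Inverse of parse_sid, used here to construct sample descriptors."""
    parts = sid_str.split("-")
    revision, authority, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return bytes([revision, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_sd(aces):
    """Build a self-relative SD containing only a DACL; aces = [(ace_type, mask, sid_str)]."""
    body = b""
    for ace_type, mask, sid_str in aces:
        sid = build_sid(sid_str)
        body += struct.pack("<BBHI", ace_type, 0, 8 + len(sid), mask) + sid
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body
    # Control 0x8004 = SE_SELF_RELATIVE | SE_DACL_PRESENT; the DACL starts right after the 20-byte header.
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl


# Constructed sample: a DC's RBCD attribute that now lists a machine account (RID 1601 in a made-up
# domain), the state left behind once an account has been granted delegation rights to the DC.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
SAMPLE_RBCD_SD = build_sd([(ACCESS_ALLOWED, GENERIC_ALL, DOMAIN_SID + "-1601")])

if __name__ == "__main__":
    print("RBCD principals:", delegation_principals(SAMPLE_RBCD_SD))
```

Run `delegation_principals` over every computer object's attribute on a schedule and alert on any DC that returns a non-empty list, and run `generic_all_holders` over the DC object's nTSecurityDescriptor with your known-good principals in `expected`; a newly minted SID showing up in either output is the condition this walkthrough exploited.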