Jun 19, 2020

Ethical Hacking and Penetration Testing_Final Project Tools and Journey to Get Root Access

Disclaimer: My post is for academic purposes only; how to use this information is the visitor’s responsibility.

Our team decided that for the Final Project we wanted to try something different from the other groups. Since most of the lessons taught in class involve the Linux operating system as the target, we tried to dabble in a Windows Server operating system as our Final Project target. Since we had to find a third-party target, we chose a target server from the Hackthebox website.

Since we were dealing with Windows Server, the set of tools taught in class that remained useful was effectively reduced, so we tried to learn from the ground up how to enumerate a Windows server. From our initial port scanning we saw that we were dealing with an Active Directory server, so we searched for tools that could help us enumerate it and found three that were useful for our initial enumeration: Enum4Linux, rpcclient, and ldapsearch.

Enum4Linux is a tool for enumerating information from Windows and Samba systems. It can be used to list, for example, the shares of a server and the usernames on the server, as long as we provide a credential. Since the initial recon had not given us anything yet, I tried an anonymous login; although we got the users of the server, we did not get any shares, but later, after we got our first user credential, we tried to enumerate the service again with that credential and found the server's shares.

rpcclient is a utility initially developed to test MS-RPC functionality in Samba itself. I used rpcclient to enumerate the users of the server and, as with enum4linux, I tried an anonymous login and got in successfully. After we got in, we tried many of the commands listed in rpcclient, but since we were using an anonymous login most of them were denied and I only got the usernames on the server.

ldapsearch is a command-line tool that opens a connection to an LDAP server, binds to it, and performs a search using a filter. From our first port scan we found LDAP on ports 389 and 3268, and using ldapsearch we were able to connect; on port 389 I found a lot of information about the users, and after some sorting through the data I found an encrypted password of a user and decrypted it.
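
As an added, defender-side example (not code from the post), the "sorting through the data" of the ldapsearch step automated over an LDIF export: it parses what ldapsearch prints and flags attributes that look like stored credentials so an AD administrator can review and clean them up. The domain, the users and the migrationPwd attribute in the sample are all constructed and hypothetical.

```python
import re

# Always-binary attributes (base64 "::" in ldapsearch output); "::" on any other attribute merits review.
KNOWN_BINARY = {"objectguid", "objectsid", "ntsecuritydescriptor", "usercertificate", "logonhours"}
SECRET_NAME = re.compile(r"pwd|passw|secret|cred", re.I)               # attribute names
SECRET_TEXT = re.compile(r"\bpass(word)?\b|\bpwd\b|credential", re.I)  # free-text values

# Constructed sample export (hypothetical domain; not data from the post).
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=example,DC=local
objectGUID:: 6M9DDTbWgE6f7zO2tOBJgw==
description: Standard user account

dn: CN=svc-migrate,OU=Users,DC=example,DC=local
description: Temporary migration account, pass
 word is in the ticket
migrationPwd:: cGxhY2Vob2xkZXI=

# search result
"""

def parse_ldif(text):
    """Parse ldapsearch LDIF into [(dn, {attr: [(value, was_base64)]})]."""
    text = re.sub(r"\n ", "", text)  # unfold LDIF continuation lines
    entries, attrs = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in attrs:
                entries.append((attrs.pop("dn")[0][0], attrs))
            attrs = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            encoded = value.startswith(":")  # "attr:: <base64>" form
            attrs.setdefault(name, []).append((value.lstrip(":").strip(), encoded))
    return entries

def flag_suspicious(entries):
    """Return (dn, attribute, reason) for attributes an AD reviewer should check."""
    findings = []
    for dn, attrs in entries:
        for name, values in attrs.items():
            if SECRET_NAME.search(name):
                findings.append((dn, name, "attribute name suggests a stored secret"))
                continue
            for value, encoded in values:
                if encoded and name.lower() not in KNOWN_BINARY:
                    findings.append((dn, name, "base64 value in a non-binary attribute"))
                elif name.lower() in ("description", "info", "comment") and SECRET_TEXT.search(value):
                    findings.append((dn, name, "free-text field mentions a password"))
    return findings
```

Running `flag_suspicious(parse_ldif(SAMPLE_LDIF))` reports only the svc-migrate entry: its description mentions a password and its custom attribute name contains "pwd", while Alice's base64 objectGUID is recognised as legitimately binary.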

Since our team now had the first user, we tried to connect to the Samba service itself with smbclient using our newly obtained user credential.

smbclient is a Samba client with an “FTP-like” interface. It is a useful tool to test connectivity to a Windows share. With the user credential we successfully established a connection to the Windows share, and there we found information on the second and third user credentials. However, the third credential could only be found on a Windows share that the second user had access to, so after we got the second user credential we enumerated again with that credential, using the previously mentioned tools and smbclient, and found an admin user. To decrypt the password of the second user I used msfconsole; the details of how we did it are at https://github.com/frizb/PasswordDecrypts.

Since we had all the credentials we needed, we tried to establish a remote Windows connection using evil-winrm.

Evil-winrm is a WinRM (Windows Remote Management) shell for hacking/pen-testing; since I did not want to prepare a Windows virtual machine, I used this instead. Out of the three users, only two were capable of establishing a Windows Remote Management shell to the server, and after some enumeration of the previous Windows share files and checking each user's privileges, I found that the third user had a delete function; we checked the delete function and, using Get-ADObject, found that the deleted file contained the admin credentials.

The Get-ADObject cmdlet gets an Active Directory object or performs a search to get multiple objects. Using the cmdlet, we tried to restore the file but failed to do so; after some searching, on https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-adobject?view=win10-ps I found that we could look at the content of the deleted file without restoring it, and there we found the admin credentials. After that I tried to establish a connection with the admin credential, and we got into the shell with it.

Written by muhammaddaffa in: Other
