myhomeisquintoc-com-challenge-oscp-c-ad
OSCP, AD-C
Due to the rules set by Offensive Security in relation to OSCP certification, this content will be kept private.
Environment description
In this challenge, we are provided with three machines: One DC (DC01) and two workstations (MS01 and MS02).
The three machines are connected through an internal network and just MS01 is on the same network as our attacking machine.
Reconnaissance
As MS01 is the only reachable machine, we will start by performing a nmap enumeration on it:
RPC on port 135 (default port): As anonymous login is not enabled, this is another dead end.
SMB on port 445 (default port): Same response as with RPC, same consequence.
An unidentified service running on port 5040, which means that further research has to be performed here.
WinRM on ports 5985 and 47001 (default and common ports): The same as with SSH.
HTTP on port 8000: Web services are a common entry point, so it deserves a deeper inspection.
All this said, we can only take two different approaches: The HTTP service and the unidentified one.
HTTP enumeration
The main page is the default IIS server page. To see if there is something more, we have to fuzz for hidden endpoints:
(URLs are case sensitive, so although the same endpoint written with different capitalization usually redirects to the same place, it may not be the case.)
Some endpoints are revealed. Among them, the most interesting ones are:
/partner/changelog:
Contains the text “Moved partner portal to correct VHOST”. This can mean that we have to use another VHOST instead of the raw IP.
/partener/db:
sqlite3 <DB_FILE>
.databases
.tables
PRAGMA table_info(<TABLE>);
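The three sqlite3 shell commands above (list databases, list tables, describe a table) can be scripted so the whole exposed file is described in one pass and columns that look like they hold credentials are highlighted for triage. This is an added example, not code from the original write-up: it builds its own constructed database (the table names, rows and the "partner.db" file name are invented stand-ins for the real file) and opens it read-only so inspection cannot alter the evidence.

```python
"""Enumerate an SQLite file the way `.tables` + `PRAGMA table_info` do, and flag
credential-looking columns. Added example; the sample database is constructed."""
import os
import sqlite3
import tempfile
from pathlib import Path

# Column-name fragments worth a second look during triage (assumption: tune per case).
SENSITIVE_FRAGMENTS = ("pass", "pwd", "hash", "secret", "token", "key")


def build_sample_db(path):
    """Create a constructed database standing in for the exposed /partner/db file."""
    con = sqlite3.connect(path)
    con.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        CREATE TABLE changelog (id INTEGER PRIMARY KEY, note TEXT);
        INSERT INTO users VALUES (1, 'support', 'constructed-hash-value');
        INSERT INTO changelog VALUES (1, 'Moved partner portal to correct VHOST');
        """
    )
    con.commit()
    con.close()


def inspect_db(path):
    """Return {table: [(column, declared_type), ...]} for every user table.

    Mirrors `.tables` (sqlite_master query) and `PRAGMA table_info(<TABLE>)`.
    The file is opened read-only via a URI so inspection cannot modify it.
    """
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    tables = [
        row[0]
        for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
        )
    ]
    schema = {}
    for table in tables:
        # table_info rows: (cid, name, type, notnull, dflt_value, pk)
        rows = con.execute(f'PRAGMA table_info("{table}")').fetchall()
        schema[table] = [(row[1], row[2]) for row in rows]
    con.close()
    return schema


def sensitive_columns(schema):
    """List (table, column) pairs whose column name suggests stored credentials."""
    return sorted(
        (table, column)
        for table, columns in schema.items()
        for column, _ in columns
        if any(fragment in column.lower() for fragment in SENSITIVE_FRAGMENTS)
    )


def demo():
    """Build the constructed database in a temp dir and return (schema, flagged)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "partner.db")  # constructed file name
        build_sample_db(path)
        schema = inspect_db(path)
    return schema, sensitive_columns(schema)


if __name__ == "__main__":
    found_schema, flagged = demo()
    for table, columns in found_schema.items():
        print(table, columns)
    print("credential-looking columns:", flagged)
```

The sensitive-name list is a heuristic; a real triage still reads the rows of every table, since a column called `note` can carry a password just as easily.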
For SSH:
We have been lucky, as the credentials provided for the user support are valid to log in through SSH.
We have two hashes that we have not been able to crack. At this point it would be recommended to try spraying them as we
have done with the passwords.
When spraying both passwords and hashes through domain machines it is important to spray those credentials trying both
domain and non-domain usernames.
The following local users: Administrator, Administrator.OSCP, Mary.Williams, celia.almeda and web_svc.
Privilege escalation
If we try to run admintool.exe we will be prompted to enter the administrator password, after which the tool returns an error
that contains both our hashed password and the NTLM hash of the administrator:
As we have already done earlier, with CrackStation we can crack the administrator hash thus obtaining its password.
With these credentials we can get SSH access to MS01 as the local ms01\administrator.
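The root cause of this step is a failure message that echoes secrets back to the caller: a wrong password leaks both the submitted hash (crackable offline) and the stored hash of the target account. The snippet below is an added example, not the code of admintool.exe: it shows a credential check with that flaw next to a hardened version that returns one generic message for every failure and compares digests in constant time. The hash function, the account store and the password are all constructed stand-ins (SHA-256 is used in place of NTLM purely so the demo runs).

```python
"""Leaky vs hardened password check. Added example; everything is constructed."""
import hashlib
import hmac


def stand_in_hash(password):
    """Placeholder one-way hash for the demo (NOT NTLM; constructed)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed store: the stored digest plays the role of the administrator's
# NTLM hash from the write-up.
CREDENTIAL_STORE = {"administrator": stand_in_hash("constructed-admin-secret")}
# Digest compared against for unknown users so the timing is the same either way.
UNKNOWN_USER_DIGEST = stand_in_hash("placeholder-for-unknown-users")


class AuthError(Exception):
    pass


def check_password_leaky(user, supplied):
    """The flawed pattern: the error text carries both digests."""
    expected = CREDENTIAL_STORE.get(user)
    submitted = stand_in_hash(supplied)
    if expected is None or submitted != expected:
        # Anyone who can trigger a failure now has the stored hash to crack
        # offline and the hash of whatever was typed.
        raise AuthError(f"logon failed: submitted={submitted} stored={expected}")
    return True


def check_password_hardened(user, supplied):
    """Same decision, but the message never contains a secret and the
    comparison does not short-circuit on the first differing byte."""
    expected = CREDENTIAL_STORE.get(user, UNKNOWN_USER_DIGEST)
    ok = hmac.compare_digest(stand_in_hash(supplied), expected) and user in CREDENTIAL_STORE
    if not ok:
        # Identical text for "wrong password" and "no such user": no
        # enumeration hint, no hash material.
        raise AuthError("logon failed")
    return True


def failure_message(checker, user, supplied):
    """Run a checker and return the error text it produced ('' on success)."""
    try:
        checker(user, supplied)
        return ""
    except AuthError as exc:
        return str(exc)


def message_leaks_secret(message):
    """True if any stored digest appears verbatim in the message."""
    return any(digest in message for digest in CREDENTIAL_STORE.values())


if __name__ == "__main__":
    for name, checker in (("leaky", check_password_leaky), ("hardened", check_password_hardened)):
        msg = failure_message(checker, "administrator", "wrong-guess")
        print(f"{name:9s} leaks stored hash: {message_leaks_secret(msg)}  message: {msg!r}")
```

The same rule applies to logs and crash dumps: a tool that prints hashes on failure will leave them in whatever captures its output, so the hardened variant is also the one that keeps event logs free of credential material.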
Credentials enumeration
Once we are administrator on a machine the job has not ended. We have to focus our efforts on retrieving as many credentials as we can from wherever they could be stored.
As ms01\administrator we can launch WinPEAS again. This time, as our rights are more powerful, we have access to information that was hidden when it was executed as the ms01\support user.
A piece of information that was hidden was the PowerShell history file of the ms01\administrator:
This file, that has been revealed by WinPEAS, can also be obtained following the steps enumerated in the Carve in the PowerShell
history section from the Windows Privilege Escalation guide.
Also, another mandatory task to perform as administrator is to inspect the LSASS process and the SAM database in search of credentials. For this, the quintessential tool is Mimikatz.
In this case:
There are no other NTLM hashes or passwords stored in the LSASS process apart from the ones we already have.
privilege::debug
sekurlsa::logonpasswords
sekurlsa::tickets /export
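The `sekurlsa` commands above work by opening lsass.exe and reading its memory, which is also what makes them visible: a process-access record (Sysmon Event ID 10 style) whose target is lsass.exe and whose granted access includes PROCESS_VM_READ (0x0010), coming from a process that has no business reading LSASS. This detector is an added example, not part of the write-up; the records are constructed in a simplified key=value form rather than the real Sysmon XML, and the list of expected LSASS clients is a placeholder to be baselined per host.

```python
"""Flag unexpected processes reading LSASS memory in constructed process-access
records. Added example; record format, sample lines and allowlist are constructed."""
import re

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Assumption: processes that legitimately open LSASS on this host. A real
# deployment baselines this from its own clean hosts.
EXPECTED_LSASS_CLIENTS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed records. Line 1: allowlisted process without VM_READ (benign).
# Line 2: unknown binary with 0x1010 (QUERY_INFORMATION | VM_READ) on lsass.exe.
# Line 3: Task Manager asking for full access to lsass.exe.
# Line 4: svchost opening another svchost, not LSASS. Line 5: not an access event.
SAMPLE_RECORDS = [
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=10 SourceImage=C:\Users\Public\tool.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010",
    r"EventID=10 SourceImage=C:\Windows\System32\Taskmgr.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1fffff",
    r"EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1010",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe",
]


def parse_record(line):
    """Turn 'Key=Value Key=Value' into a dict (values contain no spaces here)."""
    return dict(FIELD_RE.findall(line))


def suspicious_lsass_access(lines):
    """Return [(source_image, granted_access)] for process-access records where
    the target is lsass.exe, the granted mask includes PROCESS_VM_READ, and the
    source is not an expected LSASS client."""
    hits = []
    for line in lines:
        record = parse_record(line)
        if record.get("EventID") != "10":
            continue
        target = record.get("TargetImage", "").lower()
        if not target.endswith(r"\lsass.exe"):
            continue
        granted = int(record.get("GrantedAccess", "0"), 16)
        source = record.get("SourceImage", "").lower()
        if granted & PROCESS_VM_READ and source not in EXPECTED_LSASS_CLIENTS:
            hits.append((source, granted))
    return hits


if __name__ == "__main__":
    for source, granted in suspicious_lsass_access(SAMPLE_RECORDS):
        print(f"LSASS read by {source} (GrantedAccess=0x{granted:x})")
```

Checking the VM_READ bit rather than matching a fixed list of masks such as 0x1010 or 0x1fffff keeps the rule stable when a tool asks for an unusual combination of rights; the allowlist is where the tuning effort goes, and an allowlisted process requesting VM_READ from an unexpected path still deserves a rule of its own.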
6. A new route rule is added so the intended traffic is directed to the newly created interface:
© 2024 myhomeisquintoc.com.