We demonstrated the steps taken to perform penetration testing for Windows machine with Active Directory installed. We escalated our privileges with Mimikatz and winrm. This was part of Cybeseclabs Secret walkthrough.
Highlights
The common ports are open. Kerberos is at number 88, and we can try bruteforcing it to get the user count. When the SMB ports are open, it’s usually a good idea to check here first. Another good area to check is if LDAP is operating, which is a good indication that this is an active directory box. 3389 is accessible and provides some domain and NetBIOS information.
SMB enumeration is where we begin, and it yields a cleartext password. We locate the user in the domain who is using the password by using a list of potential users. From there, it was found that the autologon credentials were present in the registry and that they were valid for a different user who, as a result of an overly liberal nested group membership, had replication privileges over the domain object.
Video Walkthrough
