Heist from Proving Grounds Practice is a hard rated Windows Active Directory (AD) machine, in which we first exploit a Server-Side Request Forgery (SSRF) vulnerability to retrieve an NTLMv2 handshake via Responder. Cracking the hash provides us with credentials for the AD user enox. We then discover that the enox user has permission to read the password hash of a group Managed Service Account (gMSA) named svc_apache$. This account has the SeRestore privilege assigned, which we can leverage to gain SYSTEM-level access by replacing the Utility Manager (utilman. Read more

Access from Proving Grounds Practice is an intermediate rated Windows Active Directory (AD) machine, in which we first get a shell through a file upload vulnerability in a web application running in the context of a low privileged domain user svc_apache. Within that shell we perform a kerberoasting attack using Rubeus and obtain the credentials of the user svc_mssql. In order to get a shell as svc_mssql, we make use of a tool called RunasCs. Read more

The MyCloud NAS device can be configured to automatically redirect to HTTPS when browsing it’s web interface. The URL it is redirecting to is of the form https://device-local-<GUID>.remotewd.com:8543/. I was wondering if I can use my own certificate, and it actually worked out after digging a bit into the inner workings. First of all, I checked which tool is listening on port 8543. The name is nasAdmin: root@WDMyCloudEX2100 ~ # netstat -tulpen | grep 8543 tcp6 0 0 :::8543 :::* LISTEN 0 16738 4455/nasAdmin It’s started with a configuration located at /etc/nasAdmin. Read more

Sauna from HackTheBox is an easy rated machine, in which we first identify an Active Directory user through a list of team members on a web page and get credentials for it through ASREP Roasting. We then identify a service account and find its password in the AutoLogon credentials. That user has DCSync privileges, which we can use to dump the hash of the Administrator and use that hash to get Administrator access. Read more

Forst from HackTheBox is a Windows box, in which we first enumerate users via SMB and then use ASREP Roasting to get AD credentials of a service account. After that, we can add that account to an Exchange group that allows the assignment of DCSync privileges in order to dump NTLM hashes. Port Scanning The open TCP ports indicate that we’re dealing with a domain controller for the htb.local domain running Windows Server 2016: Read more