Access from Proving Grounds Practice is an intermediate rated Windows machine, in which we first get a shell through a file upload vulnerability in a web application running in the context of a low privileged domain user svc_apache. Within that shell we perform a kerberoasting attack using Rubeus and obtain the credentials of the user svc_mssql. In order to get a shell as svc_mssql, we make use of a tool called RunasCs. Read more

The MyCloud NAS device can be configured to automatically redirect to HTTPS when browsing it’s web interface. The URL it is redirecting to is of the form https://device-local-<GUID>.remotewd.com:8543/. I was wondering if I can use my own certificate, and it actually worked out after digging a bit into the inner workings. First of all, I checked which tool is listening on port 8543. The name is nasAdmin: root@WDMyCloudEX2100 ~ # netstat -tulpen | grep 8543 tcp6 0 0 :::8543 :::* LISTEN 0 16738 4455/nasAdmin It’s started with a configuration located at /etc/nasAdmin. Read more

Sauna from HackTheBox is an easy rated machine, in which we first identify an Active Directory user through a list of team members on a web page and get credentials for it through ASREP Roasting. We then identify a service account and find its password in the AutoLogon credentials. That user has DCSync privileges, which we can use to dump the hash of the Administrator and use that hash to get Administrator access. Read more

Forst from HackTheBox is a Windows box, in which we first enumerate users via SMB and then use ASREP Roasting to get AD credentials of a service account. After that, we can add that account to an Exchange group that allows the assignment of DCSync privileges in order to dump NTLM hashes. Port Scanning The open TCP ports indicate that we’re dealing with a domain controller for the htb.local domain running Windows Server 2016: Read more

Active from HackTheBox is an easy Windows box, in which we first find AD credentials in Group Policy Preferences and subsequently do a kerberoasting attack to get domain administrator. Port Scanning The open TCP ports indicate that we’re dealing with an AD domain controller running Windows Server 2008 R2: PORT STATE SERVICE VERSION 53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1) | dns-nsid: |_ bind.version: Microsoft DNS 6. Read more