The MyCloud NAS device can be configured to automatically redirect to HTTPS when browsing it’s web interface. The URL it is redirecting to is of the form https://device-local-<GUID>.remotewd.com:8543/. I was wondering if I can use my own certificate, and it actually worked out after digging a bit into the inner workings. First of all, I checked which tool is listening on port 8543. The name is nasAdmin: root@WDMyCloudEX2100 ~ # netstat -tulpen | grep 8543 tcp6 0 0 :::8543 :::* LISTEN 0 16738 4455/nasAdmin It’s started with a configuration located at /etc/nasAdmin. Read more

Sauna from HackTheBox is an easy rated machine, in which we first identify an Active Directory user through a list of team members on a web page and get credentials for it through ASREP Roasting. We then identify a service account and find its password in the AutoLogon credentials. That user has DCSync privileges, which we can use to dump the hash of the Administrator and use that hash to get Administrator access. Read more

Forst from HackTheBox is a Windows box, in which we first enumerate users via SMB and then use ASREP Roasting to get AD credentials of a service account. After that, we can add that account to an Exchange group that allows the assignment of DCSync privileges in order to dump NTLM hashes. Port Scanning The open TCP ports indicate that we’re dealing with a domain controller for the htb.local domain running Windows Server 2016: Read more

Active from HackTheBox is an easy Windows box, in which we first find AD credentials in Group Policy Preferences and subsequently do a kerberoasting attack to get domain administrator. Port Scanning The open TCP ports indicate that we’re dealing with an AD domain controller running Windows Server 2008 R2: PORT STATE SERVICE VERSION 53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1) | dns-nsid: |_ bind.version: Microsoft DNS 6. Read more

Recently, I couldn’t access a machine within another VLAN anymore, because Docker on that machine used a subnet within the 192.168.x.x range for an internal network, that led to packets not finding the way back to me. Docker apparently uses the following ranges by default: 172.[17-31].0.0/16 192.168.[0-240].0/20 The routes on the machine were as follows. Unifi provides my machines with a default gateway, e.g. 192.168.20.1 and the route for the local subnet 192. Read more