7/5/2023
Windows admin center 2103

Absolute is a much easier box to solve today than it was when it first released in September 2022. At that time, many of the tools necessary to solve the box didn't support Kerberos authentication, forcing the player to figure out ways to make things work. Still, even today, it's a maze of Windows enumeration and exploitation that starts with some full names in the metadata of images. I'll figure out the username format for the domain, and AS-REP-Roast to get creds. LDAP enumeration leads to the next set of creds. Access to a share provides a Nim binary, where some dynamic analysis provides yet another set of creds. This user is able to modify a group and from there modify a user to add a shadow credential and finally get a shell on the box. To get administrator access, I'll abuse relaying Kerberos, showing both KrbRelay to add a user to the administrators group, and KrbRelayUp to get the machine account hash and do a DC sync attack.

Nmap finds a bunch of open TCP ports, typical of a Windows domain controller:

nmap -p- --min-rate 10000 10.10.11.181
Nmap done: 1 IP address (1 host up) scanned in 8.50 seconds

nmap -sCV -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389 10.10.11.181
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 17:38:06Z)
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.absolute.htb
|_ssl-date: T17:40:39+00:00; +7h00m00s from scanner time.
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
|_ssl-date: T17:40:40+00:00; +6h59m59s from scanner time.
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: absolute.htb0., Site: Default-First-Site-Name)
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open  mc-nmf        .NET Message Framing
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
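As an added example (not part of the writeup or any of the tools it names), the following Python inventory check parses nmap -sCV output in the shape shown above: it lists which domain-controller services are exposed and converts the ssl-date skew into seconds, because Kerberos rejects requests when the client and DC clocks differ by more than five minutes, which is why a seven-hour skew like the one above trips up Kerberos-based tooling. The sample output is constructed from the lines above; the port-to-role table is an assumption of this example.

```python
import re
from typing import Dict, Tuple

# Constructed sample in the shape of the nmap -sCV output above.
SAMPLE_NMAP = """\
PORT     STATE SERVICE       VERSION
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 17:38:06Z)
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: absolute.htb0.)
| ssl-cert: Subject: commonName=dc.absolute.htb
|_ssl-date: T17:40:39+00:00; +7h00m00s from scanner time.
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: absolute.htb0.)
|_ssl-date: T17:40:40+00:00; +6h59m59s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open  mc-nmf        .NET Message Framing
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
SKEW_RE = re.compile(r"ssl-date:.*?([+-])(\d+)h(\d+)m(\d+)s from scanner time")

# Kerberos tolerates at most five minutes of clock difference by default.
KERBEROS_MAX_SKEW_S = 5 * 60

# Assumed mapping of well-known DC ports to roles (example's own table).
DC_ROLES = {88: "kerberos", 389: "ldap", 636: "ldaps", 3268: "gc",
            3269: "gc-ssl", 5985: "winrm", 9389: "adws"}


def parse_nmap(text: str) -> Tuple[Dict[int, str], Dict[int, int]]:
    """Return (port -> service name) and (port -> ssl-date skew in seconds)."""
    services: Dict[int, str] = {}
    skews: Dict[int, int] = {}
    current = None  # port whose script output we are currently reading
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            services[current] = m.group(2)
            continue
        s = SKEW_RE.search(line)
        if s and current is not None:
            sign = -1 if s.group(1) == "-" else 1
            h, mi, sec = (int(x) for x in s.groups()[1:])
            skews[current] = sign * (h * 3600 + mi * 60 + sec)
    return services, skews


def dc_exposure_report(text: str) -> Dict[str, object]:
    """Summarise exposed DC roles and whether the skew is within Kerberos tolerance."""
    services, skews = parse_nmap(text)
    exposed = [DC_ROLES[p] for p in sorted(services) if p in DC_ROLES]
    worst = max((abs(v) for v in skews.values()), default=0)
    return {"exposed": exposed, "max_skew_s": worst,
            "skew_ok_for_kerberos": worst <= KERBEROS_MAX_SKEW_S}
```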