This article represents a detailed walkthrough of a penetration testing task on a machine hosted on VulnLab, where various enumeration techniques are used to discover user credentials through SMB, LDAP, and Kerberos. The author effectively uses tools like NetExec and Evil-WinRM to gain access and ultimately escalate privileges. Affected: Active Directory, Windows Server 2022, SMB, LDAP
Keypoints:
- Mohamed Eletrepy guides readers through a penetration testing exercise on a VulnLab machine.
- The initial assessment utilized Nmap to identify open ports and services.
- Key services identified include SMB, Kerberos, and LDAP, providing opportunities for enumeration.
- The author emphasizes using various tools for effective enumeration of SMB and LDAP services.
- Users were successfully enumerated via LDAP, and the results were saved for later validity checks.
- NetExec was used to check which enumerated users were valid, revealing one valid user and a password-handling mistake.
- Privilege escalation opportunities were identified based on permissions and privileges of the user.
- SeBackupPrivilege was exploited to dump NTDS.dit for credential extraction.
- The final step involved using Evil-WinRM to gain root access.
MITRE Techniques:
- T1078.001 - Valid Accounts: The author checks for valid user accounts using NetExec.
- T1069 - Permission Groups Discovery: The use of whoami /all to check permissions indicates this technique.
- T1003.003 - Credential Dumping: SeBackupPrivilege is leveraged to dump NTDS.dit from the server.
- T1069 - Permission Groups Discovery: The enumeration of user groups from LDAP is conducted.
Indicators of Compromise:
- No IoC Found
Full Story: https://infosecwriteups.com/vulnlab-baby-b890987a9b7c?source=rssβ-7b722bfd1b8dβ4