Trusted

You will learn about getting a foothold through a web vulnerability, escalating privileges, and then moving laterally between domains.

IPs in scope:

10.10.232.181
10.10.232.182

Enumeration

These two machines are domain controllers for two different domains, which probably have a trust relationship:

trusteddc.trusted.vl

labdc.lab.trusted.vl

This machine has XAMPP and MySQL

With Gobuster we find a /dev directory with a PHP page that is vulnerable to LFI.

This reveals nothing of interest

Enumerating the /dev directory we find a db.php file.

We can use the LFI to display the source of this PHP file by having the php://filter wrapper encode it in base64:

http://10.10.232.182/dev/index.html?view=php://filter/convert.base64-encode/resource=C:\\xampp\\htdocs\\dev\\db.php
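As an added defensive example (not part of the original write-up), the following Python script scans constructed Apache access-log lines for the php://filter wrapper, path traversal and absolute-path patterns seen in requests like the one above; the log lines, client IPs and indicator names are assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache-style access log lines (sample data, not from the original write-up).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /dev/index.html?view=news.php HTTP/1.1" 200 512
10.10.14.5 - - [01/Jan/2024:10:00:07 +0000] "GET /dev/index.html?view=php://filter/convert.base64-encode/resource=C:\\xampp\\htdocs\\dev\\db.php HTTP/1.1" 200 2048
10.10.14.5 - - [01/Jan/2024:10:00:12 +0000] "GET /dev/index.html?view=..%2F..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 300
10.10.14.9 - - [01/Jan/2024:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Common log format: client, ident, user, timestamp, request line, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators checked against every decoded query-parameter value, in this order.
INDICATORS = [
    # PHP stream wrappers; php://filter is the one used to read db.php above.
    ("php_wrapper", re.compile(r"^(php|data|expect|phar|zip|glob)://", re.I)),
    # ../ or ..\ sequences.
    ("path_traversal", re.compile(r"\.\.[\\/]")),
    # Drive-letter paths (C:\...) not glued to a wrapper name, or sensitive *nix paths.
    ("absolute_path", re.compile(r"(?<![a-z])[a-z]:[\\/]|/etc/|/proc/", re.I)),
]


def classify_value(value: str) -> list[str]:
    """Return the names of all indicators matching one query-parameter value."""
    decoded = unquote(value)  # parse_qsl already decoded once; this catches double encoding
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def scan_access_log(text: str) -> list[dict]:
    """Parse each log line and report query parameters carrying LFI indicators."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        for param, value in parse_qsl(url.query, keep_blank_values=True):
            hits = classify_value(value)
            if hits:
                findings.append({"ip": m["ip"], "path": url.path, "param": param,
                                 "indicators": hits, "status": int(m["status"])})
    return findings
```

A 200 status on a flagged request is the case worth escalating, since it suggests the include actually succeeded.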

The file contains the MySQL credentials root:SuperSecureMySQLPassw0rd1337. In the news database we can find the users and hashed passwords.

This gives us rsmith:IHateEric2. We cannot log in with RDP and we don't find anything interesting in the shares.

We can upload a PHP webshell via the MySQL shell.

Then I use a PowerShell reverse shell to get a shell back on my machine.

Then I upgraded to a beacon.

I created persistence by adding an account to the Administrator group.

Exploiting domain trust

Now, to check the domain trust, we can use PowerView.

To abuse the bidirectional trust we can create a Golden Ticket and DCSync the root domain controller.

Now we craft and inject a Golden Ticket.

We then DCSync the root domain controller and get the hash of the Administrator.

Note: all of this needs to be done from a graphical session (RDP or VNC); WinRM does not work.
