search

🀝Trusted

You will learn about getting a foothold through a web vulnerability, escalating privileges and then moving laterally between domains

IPs in scope:

10.10.232.181
10.10.232.182

hashtag
Enumeration

These two machines are two domain controllers for two different domains

They probably have a trust relation trusteddc.trusted.vl

labdc.lab.trusted.vl

This machine has XAMPP and MySQL

With Gobuster we find a /dev directory with a php page that is vulnerable to LFI

This reveals nothing of interest

Enumerating the /dev directory we find a db.php file

We can use the LFI to display this php file by encoding it in base64

http://10.10.232.182/dev/index.html?view=php://filter/convert.base64-encode/resource=C:\\xampp\\htdocs\\dev\\db.php

root:SuperSecureMySQLPassw0rd1337. In the news database we can find the users and hashed passwords

rsmith:IHateEric2 We cannot login with RDP and we don't find anything interesting in the shares

We can upload a php webshell via the MySQL shell

Then i use a powershell reverse shell to get a shell back on my machine

Then i upgraded to a beacon

I created persitance by adding an account to the Administrator group

hashtag
Exploiting domain trust

Now to check the domain trust we can use PowerView

To abuse the bidirectional trust we can create a Golden Ticket and DCSync the root Domain controller

Now we craft and inject a Golden Ticket

We now DCSync the root domain controller and we get the hash of the Administrator

Note: all of this needs to be done using a Graphical session with RDP or VNC WinRM does not work.

PreviousDataNextBaby

Last updated