Trusted
You will learn about getting a foothold through a web vulnerability, escalating privileges and then moving laterally between domains
IPs in scope:
trusteddc.trusted.vl
labdc.lab.trusted.vl
These two machines are domain controllers for two different domains, so they probably have a trust relationship.
This machine has XAMPP and MySQL
With Gobuster we find a /dev directory containing a PHP page whose view parameter is vulnerable to LFI
This reveals nothing of interest
Enumerating the /dev directory we find a db.php file
We can use the LFI to read the source of this PHP file by having the php://filter wrapper base64-encode it, so the server returns the encoded source instead of executing it:
http://10.10.232.182/dev/index.html?view=php://filter/convert.base64-encode/resource=C:\\xampp\\htdocs\\dev\\db.php
Decoding the output gives the database credentials stored in db.php:
root:SuperSecureMySQLPassw0rd1337.
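As an added defensive example (not part of the original writeup), the following Python script scans Apache/XAMPP access-log lines for the kind of request used above: php:// and similar stream wrappers, ../ traversal, and absolute filesystem paths passed in a query parameter. The log lines are constructed, and the client IPs and timestamps are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache "combined" format (what XAMPP writes to
# access.log). The client IPs and timestamps are placeholders, not real traffic.
SAMPLE_LOG = r"""10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /dev/index.html?view=news.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /dev/index.html?view=php://filter/convert.base64-encode/resource=C:\\xampp\\htdocs\\dev\\db.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /dev/index.html?view=..%2F..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 300 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# One combined-format request line: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# PHP stream wrappers that turn an include into a file read or code execution.
WRAPPER_RE = re.compile(r"^(php|file|data|expect|phar|zip|glob)://", re.I)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# Absolute paths: a Windows drive (C:\...) or common Unix system directories.
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:[\\/]|/(?:etc|proc|var|windows)/)", re.I)

def classify_value(value):
    """Return why a query-parameter value looks like an LFI attempt, or None."""
    v = unquote(value)  # parse_qs decoded once; this also catches double-encoding
    if WRAPPER_RE.match(v):
        return "stream wrapper " + v.split("://", 1)[0].lower() + "://"
    if TRAVERSAL_RE.search(v):
        return "path traversal"
    if ABS_PATH_RE.match(v):
        return "absolute filesystem path"
    return None

def find_lfi_attempts(log_text):
    """Scan combined-format log text; return one finding per suspicious parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        query = urlsplit(m.group("target")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                reason = classify_value(value)
                if reason:
                    findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                                     "param": name, "value": unquote(value),
                                     "status": int(m.group("status")), "reason": reason})
    return findings
```

A status of 200 on a flagged request is the signal that the include actually succeeded and the response should be checked for leaked source or file contents.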
In the news database we can find the users and hashed passwords
rsmith:IHateEric2
We cannot log in with RDP and we find nothing interesting in the shares
We can upload a PHP webshell via the MySQL shell
Then I use a PowerShell reverse shell to get a shell back on my machine
Then I upgraded to a beacon
I created persistence by adding an account to the Administrator group
Now, to check the domain trust, we can use PowerView
To abuse the bidirectional trust we can create a Golden Ticket and then DCSync the root domain controller
Now we craft and inject a Golden Ticket
We now DCSync the root domain controller and obtain the hash of the Administrator
Note: all of this needs to be done from a graphical session (RDP or VNC); WinRM does not work.