How I gained Domain Admin rights without fancy tools…

…like responder, mitm6 or others kerberos related methods.

This is the story of a lucky boy.

Responder didn’t work at all, it just didn’t get anything interesting for two days so I gave up. Then a colleague told me to try with mitm6. Same results. Later I confirmed with admins that IPv6 was disabled for the entire domain. ¿Password spraying? Nope. Just few tries to lock out the entire directory, too risky.

Ok, I’ve to admit it, I lost this first battle shamefully. There was no choice, so I asked for a regular user without groups or rights, just a user on DC. I was confident I would reach Domain Admin in a few hours. Youtube is full of tutorials of kerberoastable stuff, SNPs, as-rep roasting things, you already know. Those methods are a win-win way for newbies like me. So Sharphound did its things and I get an entire map of the whole directory in a few seconds. Bloodhound bring me bad news: there wasn’t users on which I could use kerberos or as-rep methods, and there wasn’t a highway to take me to Admin. I know that feel bro, so sad. Youtube tutorials didn’t tell you about what to do when you’ve test it all it’s suposed to be tested.

I forgot the DC and I came back to check the rest of services, specially all the shared SMB folders. I’ve found some juicy creds on config files for some databases but nothing that would bring me the Holy “Admin” Grail. Then I remember that I could also check for cpassword value on XML GPP files, but I failed again.

Then my eureka moment arrived. Why not to mount those SYSVOL shared folders and search along them for terms like pass, user or credential. No sooner said than done I launched my plan:

¬sudo mount -t cifs -o “user=<username>” //dc-ip /SYSVOL /mnt/my_target

Then find things:

¬sudo find /mnt/my_target -xdev -type f -exec cat {} \; | grep -ia pass

As result of this I get a strange variable name on a config file that contained pass string but no useful value. Then I decided the check the correlative results, just in case:

¬sudo find /mnt/my_target -xdev -type f -exec cat {} \; | grep -ia pass -A 20 -B 20

Lucky me! Next to these result there was some files and Active Directory scripts with hard-coded credentials. Those credentials were related on a local admin account. The rest of the story it’s just procdump on LSA and mimikatz, nothing fancy or new. And then Domain Admin stored on LSA. Finally, I won!

That’s the moral tale: No matter how high or depth are the walls of your castle if it’s full of TNT. It went off sooner or later.