Enumeration
From the nmap result, my port of interest was 445, on which SMB runs.
I tried SMB enumeration using “smbclient” to see if there were any shares.
command: smbclient -L //10.10.11.35/
I tried to access the shares; most of them denied access since I had no credentials, and only the HR share was accessible. So I listed the contents of the HR share and found one interesting file.
After downloading the file I found a password for a new hire, but no username was specified in the note.
Now the next challenge was to find valid users in the AD. There are a number of tools that can enumerate valid users; personally I prefer “crackmapexec” and “netexec”.
command: crackmapexec smb <dc-ip> -u <user> -p <password> --rid-brute
command: netexec smb <dc-ip> -u <user> -p <password> --rid-brute
NOTE: for enumeration without credentials, use the username “guest” and a blank password.
After successfully enumerating valid users, I tried to find the correct combination of username and password by password spraying. There are many ways of doing this, but I used Metasploit's “smb_login” module. First I made a .txt list of all valid usernames and loaded it in msfconsole.
After the password spraying, it turned out that the password found in the HR note was for the user “michael.wrightson”. From here I tried to log in with these credentials without any success, so I decided to do further enumeration.
First I used “crackmapexec” with the credentials found but got no results, so I switched to “netexec” with the same credentials; in its output I found text that looked like a password.
It turned out to be the password for the user “david.orelious”. I tried to log in again with these credentials but without success, so I decided to keep enumerating.
I tried netexec with the newly found credentials but got no results, and crackmapexec also found nothing. Then I tried to access the shares with these credentials, got a hit on one of the shares, and guess what I found :)
There was a backup script there. I downloaded it to my machine and, after opening it, found a password: it was emily's.
I tried again to log in with these credentials, and this time it was a success :). I also found the user flag.
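The spraying described above leaves a distinctive trace on the domain controller: many logon failures (event 4625) from one source against many different accounts, roughly one attempt per account, sometimes followed by a success (event 4624) for the account whose password matched. The script below is an added example, not part of the original writeup, that detects that pattern over constructed sample events; the line format (timestamp|event_id|user|source_ip), the source addresses and the account names other than those already mentioned in the writeup are assumptions made for the demo.

```python
"""Flag password-spraying patterns in Windows logon events (added example).

Spray signature: one source IP, many distinct target accounts, few attempts
per account, all inside a short window. A single-account brute force is the
opposite shape (one account, many attempts) and is deliberately not flagged.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real DC output): timestamp|event_id|target_user|source_ip
# 4625 = failed logon, 4624 = successful logon. Account names hr.intern, it.admin
# and svc.backup and both source IPs are invented for the demo.
SAMPLE_LINES = """\
2024-01-01T10:00:01|4625|david.orelious|10.10.14.5
2024-01-01T10:00:02|4625|emily|10.10.14.5
2024-01-01T10:00:03|4625|hr.intern|10.10.14.5
2024-01-01T10:00:04|4625|it.admin|10.10.14.5
2024-01-01T10:00:05|4625|svc.backup|10.10.14.5
2024-01-01T10:00:30|4624|michael.wrightson|10.10.14.5
2024-01-01T10:05:00|4625|david.orelious|10.10.14.9
2024-01-01T10:05:01|4625|david.orelious|10.10.14.9
2024-01-01T10:05:02|4625|david.orelious|10.10.14.9
2024-01-01T10:05:03|4625|david.orelious|10.10.14.9
2024-01-01T10:05:04|4625|david.orelious|10.10.14.9
""".splitlines()


def parse_events(lines):
    """Parse 'ts|event_id|user|ip' lines into (datetime, id, user, ip) tuples, sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, event_id, user, ip = line.split("|")
        events.append((datetime.fromisoformat(ts), int(event_id), user.lower(), ip))
    return sorted(events)


def detect_spraying(events, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Return {source_ip: sorted targeted users} for sources whose failed logons
    hit at least `min_users` distinct accounts inside `window`, with no single
    account tried more than `max_per_user` times (the spray signature)."""
    failures_by_ip = defaultdict(list)
    for ts, event_id, user, ip in events:
        if event_id == 4625:
            failures_by_ip[ip].append((ts, user))

    flagged = {}
    for ip, fails in failures_by_ip.items():
        # Slide a window starting at each failure; flag on the first window that matches.
        for i, (start, _) in enumerate(fails):
            in_window = [u for ts, u in fails[i:] if ts - start <= window]
            counts = Counter(in_window)
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged[ip] = sorted(counts)
                break
    return flagged


def successes_after_spray(events, flagged, window=timedelta(minutes=30)):
    """For each flagged source, list accounts that logged on successfully (4624)
    from that source within `window` after its first failure: the accounts the
    spray actually found a working password for."""
    first_fail = {}
    for ts, event_id, user, ip in events:
        if event_id == 4625 and ip in flagged and ip not in first_fail:
            first_fail[ip] = ts
    hits = defaultdict(list)
    for ts, event_id, user, ip in events:
        if event_id == 4624 and ip in first_fail and timedelta(0) <= ts - first_fail[ip] <= window:
            hits[ip].append(user)
    return dict(hits)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LINES)
    sprays = detect_spraying(evts)
    for ip, users in sprays.items():
        print(f"spray from {ip}: {len(users)} accounts -> {', '.join(users)}")
    for ip, users in successes_after_spray(evts, sprays).items():
        print(f"successful logon after spray from {ip}: {', '.join(users)}")
```

The thresholds are the tunable part: `min_users` and `window` decide how slow a spray can be and still be caught, and `max_per_user` keeps ordinary mistyped passwords and single-account brute force from triggering the spray rule. The 4624-after-spray check is what tells an analyst which account to reset first.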
Privilege Escalation
I checked the current user's permissions.
I did some Google searching on the things that were listed, specifically on the ones useful for PE. “SeBackupPrivilege” and “SeRestorePrivilege” were helpful for PE; I used this article: https://starlox.medium.com/windows-privesc-with-sebackupprivilege-enable-b9e949219caf
Following the article step by step, I was able to obtain useful information for PE.
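The permission check above is usually a `whoami /priv` listing, and the point a defender should take from it is that SeBackupPrivilege and SeRestorePrivilege let their holder read and write files regardless of ACLs, which is why they appear on privilege-escalation lists. The script below is an added example, not from the original writeup, that parses the `whoami /priv` table format and reports high-risk privileges from a constructed sample; the privilege set it treats as high-risk is a common audit list, and the sample output is invented for the demo.

```python
"""Parse `whoami /priv` output and flag privileges that commonly enable
privilege escalation (added example, constructed sample data)."""
import re

# Privileges that an auditor normally treats as equivalent to local admin
# when held by a non-admin account (well-known list, not specific to this box).
HIGH_RISK = {
    "SeBackupPrivilege": "read any file regardless of ACL (e.g. registry hives, NTDS backups)",
    "SeRestorePrivilege": "write any file regardless of ACL (service binaries, DLLs)",
    "SeDebugPrivilege": "open and inject into any process, including LSASS",
    "SeImpersonatePrivilege": "impersonate tokens of connecting clients",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
}

# Constructed sample in the shape `whoami /priv` prints; not output from the target.
SAMPLE_OUTPUT = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== ========
SeBackupPrivilege             Back up files and directories       Disabled
SeRestorePrivilege            Restore files and directories       Disabled
SeShutdownPrivilege           Shut down the system                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Disabled
"""

# One table row: privilege name, free-text description, then the State column.
ROW_RE = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return {privilege_name: state} for every table row found in the output."""
    privs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def high_risk_privileges(privs):
    """Return {privilege: reason} for held privileges on the HIGH_RISK list.

    State is ignored on purpose: 'Disabled' only means the privilege is not
    currently enabled in the token; any process of that user can enable it,
    so presence is what matters for risk."""
    return {name: HIGH_RISK[name] for name in privs if name in HIGH_RISK}


if __name__ == "__main__":
    held = parse_whoami_priv(SAMPLE_OUTPUT)
    for name, reason in high_risk_privileges(held).items():
        print(f"{name} ({held[name]}): {reason}")
```

On the defensive side the same rule applies when reviewing group membership: Backup Operators and any custom group granted these rights through Group Policy should be treated as Tier 0 and reviewed like Domain Admins.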