Notes & Methodology
Start Here: Service Discovery
This includes my mistakes, reasoning, and rabbit holes — it’s not the most direct way to solve the box!
Findings
Summary of important findings.
Domain/Host Name
Add to /etc/hosts
ResourceDC.resourced.local
Summary
We gained an initial foothold by enumerating 135 MSRPC as an anonymous user, which exposed V.Ventz’s plaintext Active Directory password stored in their Description field. From a security perspective, the Description field in LDAP is effectively public to anyone with read access via LDAP or MSRPC; ideally it should never contain passwords, even temporarily.
After testing V.Ventz’s password, we used their account to enumerate SMB on the target. As a null user, we previously had no access. We discovered and were able to read a share named Password Audit containing a copy of the domain’s ntds.dit file as well as the SYSTEM and SECURITY registry hives. From these files, we extracted NTLM hashes for all domain users.
Using Pass-the-Hash, we authenticated to multiple services and successfully gained remote access as L.Livingstone via WinRM.
During Enumeration with SharpHound/BloodHound, we discovered that L.Livingstone had GenericAll permissions on the target computer, giving us full control. We then executed a Resource-Based Constrained Delegation (RBCD) attack: we created a new computer account with a chosen password, delegated control over the domain controller, requested the Administrator account’s service ticket, and authenticated via Pass-the-Ticket (PTT), ultimately achieving NT AUTHORITY\SYSTEM on the domain controller.
Vulnerabilities
- Credentials stored insecurely in user V.Ventz’s Description field: 135 MSRPC
- Insecure storage of
ntds.ditandSYSTEM/SECURITYregistry hives - Excessive permissions granted to unprivileged account L.Livingstone
Hashes
L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808
Credentials
v.ventz:HotelCalifornia194!
Flags
(Use https://github.com/vivami/SauronEye)
C:\Users\L.Livingstone\Desktop\local.txt: 3ce0746e76df5672b9a4b82caaa91033
C:\Users\Administrator\Desktop\proof.txt: 1c92f9215ce680355348bcae79600182
OSCP Note Template and Runbooks
This is my checklist of commands and methodologies to use while taking the OSCP. Feel free to use, adapt for your own use, or open a PR with suggestions!
- Clone this site’s repo, open ‘content’ in Obsidian, and copy the template’s directory for each machine
- Start with ‘Service Discovery’ and move between the other pages as applicable