User

Discovery

Scanning the website with tools such as gobuster does not give us any
information, but the content of the website gives us some clues:
David Anderson, Olivia Martinez, Kevin Turner, Amanda Walker, Marcus
Harris, Lauren Clark and Ethan Rodriguez are the main employees of this
company.

Based on the Nmap scan, these users must have accounts connected to the
Domain Controller.

We can automate the check by building a wordlist of candidate usernames
for these employees.

The target people and the domain are known, so the user accounts can be
[email protected] or [email protected].

Enum4linux couldn’t find anything useful; kerbrute, however, found the
users.

When a brute-force attack is run against users other than l.clark, the
output is “Invalid Password”, while the l.clark user gives “Got AS-REP (no
pre-auth) but couldn’t decrypt — bad password”. This shows that
the l.clark user accepts plaintext password entries, so we can perform a
brute-force attack.
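
A defender-side view of the kerbrute activity described above, as an added example that is not part of the original write-up: it scans Kerberos events (IDs 4768 and 4771) from a domain controller's Security log for the two signals this activity leaves, many failed account names from one source and a TGT issued with pre-authentication type 0. The event records, IP addresses, usernames other than l.clark, dictionary field names and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records (not real logs). The keys are assumed names for
# fields exported from event 4768 (TGT requested) and 4771 (pre-auth failed).
SAMPLE_EVENTS = [
    {"id": 4768, "user": "d.anderson", "ip": "10.0.0.50", "status": "0x6", "preauth": "-"},
    {"id": 4768, "user": "danderson", "ip": "10.0.0.50", "status": "0x6", "preauth": "-"},
    {"id": 4771, "user": "k.turner", "ip": "10.0.0.50", "status": "0x18", "preauth": "2"},
    {"id": 4771, "user": "a.walker", "ip": "10.0.0.50", "status": "0x18", "preauth": "2"},
    {"id": 4768, "user": "l.clark", "ip": "10.0.0.50", "status": "0x0", "preauth": "0"},
    {"id": 4768, "user": "m.harris", "ip": "10.0.0.21", "status": "0x0", "preauth": "2"},
]

UNKNOWN_USER = "0x6"   # KDC_ERR_C_PRINCIPAL_UNKNOWN: the account name does not exist
BAD_PASSWORD = "0x18"  # KDC_ERR_PREAUTH_FAILED: wrong password for an existing account


def guessing_sources(events, threshold=3):
    """Return {source_ip: [names]} for sources that failed on >= threshold distinct names."""
    failed = defaultdict(set)
    for e in events:
        if e["id"] in (4768, 4771) and e["status"] in (UNKNOWN_USER, BAD_PASSWORD):
            failed[e["ip"]].add(e["user"].lower())
    return {ip: sorted(names) for ip, names in failed.items() if len(names) >= threshold}


def tgt_without_preauth(events):
    """Return sorted (user, source_ip) pairs where a TGT was issued with pre-auth type 0."""
    hits = {
        (e["user"].lower(), e["ip"])
        for e in events
        if e["id"] == 4768 and e["status"] == "0x0" and e["preauth"] == "0"
    }
    return sorted(hits)


if __name__ == "__main__":
    for ip, names in guessing_sources(SAMPLE_EVENTS).items():
        print(f"[guessing] {ip}: {len(names)} account names failed: {', '.join(names)}")
    for user, ip in tgt_without_preauth(SAMPLE_EVENTS):
        print(f"[no-preauth] TGT for {user} issued to {ip} without pre-authentication")
```

An account reported by the second check has "Do not require Kerberos preauthentication" set in Active Directory; clearing that option removes the behaviour kerbrute reported for l.clark.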

Active Directory Structure

Initial Access

Meterpreter Escalation

Privilege Escalation

In the output of the netstat command we can just make out that a server named Output Messenger is running.

If you take a look at the contents of the C:\AppData folder, there are
many files containing information about the Output Messenger server. If
you examine the files stored as .zip, you can get a lot of information
about the MySQL server to which the server is connected.

Using Chisel, we can access the Output Messenger server running on these
ports from our local computer. To do this, we first need to download
Chisel both to the target machine and to our own machine. You can easily
do this with Meterpreter’s upload command.

MITRE ATT&CK Techniques used:

  • T1585
  • T1078
  • T1059.003
  • T1068
  • T1550.003
  • T1558.003
  • T1087.002
  • T1615
  • T1046
  • T1069.002