Before doing this machine, definitely make sure you have worked through Flag_C because it describes the use of the ‘rpcclient’ utility in more detail with an explanation as to why it works.

Even though most of these writeups don’t start with an nmap, that is always step one. Here’s what that looks like this time:

nmap -sC -sV 172.25.0.60

It looks like we have a domain controller here.

There are a couple of group policies set on this machine that make it vulnerable to two different attacks.

Here is an inside look at some group policies on the box:

This machine clearly has some issues. Anonymous enumeration of shares and users is enabled and ‘Everyone’ permissions will apply to anonymous users. Of course attackers wouldn’t have access to this group policy report, but it’s very easy to test whether or not this type of anonymous access is allowed.

We also see the term ‘named pipes’ above. A named pipe is a shared communication channel that can be read from and written to by more than one application. The ‘samr’ named pipe is the endpoint for the Security Account Manager Remote (SAMR) protocol, through which the list of users on the system can be queried.

Although this isn’t super important to know for this exploit, it’s good to think about the fact that users and user password hashes will be stored in memory somewhere. Multiple applications will need access to this information. Therefore, securing shared memory access like this is important!

Use rpcclient to take advantage of this anonymous named pipe access via the SMB service on the machine.

rpcclient -U '' -N 172.25.0.60
enumdomusers

After running the rpcclient built-in enumdomusers command, we can see a user on the system, john.smith. Username found!
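As an added example (not part of the original writeup), here is a small Python helper that does two things a defender auditing this box would want: it parses the `user:[name] rid:[0x...]` lines that rpcclient's enumdomusers prints, and it checks a snapshot of the host's anonymous-access settings against hardened values. The settings are modelled on the real LSA registry values behind the group policies shown above (RestrictAnonymous, RestrictAnonymousSAM, EveryoneIncludesAnonymous, plus the LanmanServer NullSessionPipes list); the mapping of policy to value and all sample data are assumptions constructed for this example, not taken from the machine.

```python
import re

# One line of `enumdomusers` output looks like: user:[john.smith] rid:[0x44f]
ENUM_RE = re.compile(r"user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")

# Constructed sample output, modelled on rpcclient's format (not captured from the box).
SAMPLE_OUTPUT = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[john.smith] rid:[0x44f]
"""

# Hardened values for the registry settings behind the policies discussed above
# (assumed mapping: 1 = restrict anonymous, 0 = do not let Everyone include Anonymous).
HARDENED = {
    "RestrictAnonymous": 1,        # Do not allow anonymous enumeration of SAM accounts and shares
    "RestrictAnonymousSAM": 1,     # Do not allow anonymous enumeration of SAM accounts
    "EveryoneIncludesAnonymous": 0,  # Let Everyone permissions apply to anonymous users: disabled
}

# Constructed snapshots: one matching the vulnerable box, one matching a hardened host.
VULNERABLE_SETTINGS = {
    "RestrictAnonymous": 0,
    "RestrictAnonymousSAM": 0,
    "EveryoneIncludesAnonymous": 1,
    "NullSessionPipes": ["samr", "lsarpc", "netlogon"],
}
HARDENED_SETTINGS = {
    "RestrictAnonymous": 1,
    "RestrictAnonymousSAM": 1,
    "EveryoneIncludesAnonymous": 0,
    "NullSessionPipes": [],
}


def parse_enumdomusers(output: str) -> list[tuple[str, int]]:
    """Return (username, rid) pairs from enumdomusers output; non-matching lines are skipped."""
    users = []
    for line in output.splitlines():
        m = ENUM_RE.search(line)
        if m:
            users.append((m.group("name"), int(m.group("rid"), 16)))
    return users


def audit_anonymous_access(settings: dict) -> list[str]:
    """Compare a settings snapshot with HARDENED and report every deviation as a finding."""
    findings = []
    for key, want in HARDENED.items():
        have = settings.get(key)
        if have != want:
            findings.append(f"{key}={have!r} (expected {want})")
    # A null-session-reachable 'samr' pipe is exactly what enumdomusers relies on.
    pipes = [p.lower() for p in settings.get("NullSessionPipes", [])]
    if "samr" in pipes:
        findings.append("NullSessionPipes exposes 'samr' to null sessions")
    return findings


if __name__ == "__main__":
    for name, rid in parse_enumdomusers(SAMPLE_OUTPUT):
        print(f"{name:<16} rid={rid}")
    for label, snap in (("vulnerable", VULNERABLE_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(f"{label}: {audit_anonymous_access(snap) or ['no findings']}")
```

The parser is deliberately tolerant of stray lines (banners, prompts) so it can be fed raw terminal output; an empty user list from a host whose SAMR pipe is actually reachable is itself worth noting, since it usually means enumeration was refused rather than that there are no accounts.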

As far as Mr. Beck is concerned there are two types of people in the world: