Compromising Domain Admin via Web Application

TL;DR :  You can end up as Domain Admin while doing an internal pentest of a web application, given that the application has a feature that reaches into the internal network (here: a host inventory plus a credential library used to scan those hosts).

There are always new challenges when you get an opportunity to prove yourself (NEW JOB :P).
For me, the only thing that would prove myself was to take "Domain Admin".

In the pentesting world, gaining "Domain Admin" rights means you own the universe. Only pentesters can feel this :P

For others, here is the reason for this feeling :-
  • Domain Admins is the AD group that most people think of when discussing Active Directory administration. By default this group has full admin rights on all domain-joined servers and workstations, on the Domain Controllers, and in Active Directory itself.
  • A Domain Administrator is a domain account that has administrative access to all machines in the domain, clients as well as servers.
  • In short, members of this group have full control of the domain.

My new assignment was pentesting an internal web application. The challenge for me was: web application to domain admin? But how?

NOTE :- The usual ways of becoming domain admin are :- [assuming you are doing an internal network pentesting assessment]

Attack techniques to go from Domain User to Domain Admin:
1. Passwords in SYSVOL & Group Policy Preferences (the cpassword field)
2. Exploit the MS14-068 Kerberos vulnerability on a Domain Controller missing the patch
3. Dumping NTLM hashes from LSASS via Mimikatz

And many more .....

But can we become Domain Admin via a web application? That is why I thought to share this finding with you all.

STORY :- 

Recently we were on an internal web application pentest with the goal of finding juicy bugs.
For me, the target was domain admin.

This application has different roles, i.e. normal user and admin user, with a WAF welcoming us at the front door. For every single payload we tried, the WAF came into the picture.

We successfully bypassed the WAF and got the alert(1) popup. (Not for this blog post.)

Still my target was domain admin.

1x1 CSRF the Game Changer

I noticed that the application did not have any protection in place against CSRF: the state-changing POST requests carried no anti-CSRF token.
Next, I was able to escalate my normal user account to an admin user account with the PoC below. As with any CSRF, the form has to be submitted from a browser that already holds an authenticated admin session; the browser attaches the admin's session cookie to the cross-site POST and the server happily accepts it.

<!-- CSRF PoC: hosted on an attacker-controlled page and opened by a logged-in admin. -->
<!-- "test:portnumber" is a placeholder for the application's host and port. -->
<html>
  <body>
    <form action="http://test:portnumber/Something.do" method="POST">
      <!-- The request carries no anti-CSRF token; only the session cookie authenticates it. -->
      <input type="hidden" name="NoramUserID" value="" />
      <input type="hidden" name="group" value="12121" />
      <input type="hidden" name="category" value="" />
      <input type="hidden" name="subCategory" value="" />
      <input type="hidden" name="item" value="1346" />
      <input type="hidden" name="emailCC" value="" />
      <input type="hidden" name="urgency" value="3" />
      <input type="hidden" name="reqID" value="44444" />
      <input type="hidden" name="reqName" value="user1" />
      <input type="hidden" name="selectedCIs" value="" />
      <input type="hidden" name="siteID" value="2222" />
      <input type="hidden" name="resourcesInfo" value="" />
      <input type="hidden" name="resourceModified" value="false" />
      <input type="hidden" name="addWO" value="addWO" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

I am admin now.  XD
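What the fix looks like on the server side, as an added example (not code from the original post or from the application it describes): a framework-free model of a state-changing endpoint like the /Something.do form target, once as the post describes it (any authenticated POST is honoured) and once with an Origin/Referer check plus a session-bound synchronizer token. APP_ORIGIN, the JSESSIONID cookie name, the csrf_token field and the attacker origin are assumptions, and every request object is constructed in the file.

```python
"""Server-side CSRF checks for an endpoint like the PoC target above.

Added example, not code from the original post or the application it
describes. Requests are modelled as dicts of headers, cookies and form
fields; APP_ORIGIN, JSESSIONID, csrf_token and attacker.example are
assumptions, and every Request below is constructed here.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit

APP_ORIGIN = "http://test:8080"        # assumed origin of the vulnerable app
SECRET_KEY = b"per-deployment-secret"  # assumption: kept server-side only


@dataclass
class Request:
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session id)."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_of(url: str) -> Optional[str]:
    """scheme://host[:port] of a URL, or None when the header is absent."""
    if not url:
        return None
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def vulnerable_handler(req: Request) -> str:
    """The behaviour the post describes: any authenticated POST is honoured,
    so a form on an attacker's page, submitted by a logged-in admin, works."""
    if req.method != "POST" or "JSESSIONID" not in req.cookies:
        return "401 not logged in"
    return f"200 {req.form.get('reqName')} moved to group {req.form.get('group')}"


def hardened_handler(req: Request) -> str:
    """Same endpoint with two independent CSRF defences."""
    session = req.cookies.get("JSESSIONID")
    if req.method != "POST" or session is None:
        return "401 not logged in"
    # 1. Origin check (fall back to Referer). The browser sets these headers
    #    itself; a form hosted on another site cannot spoof them.
    origin = req.headers.get("Origin") or _origin_of(req.headers.get("Referer", ""))
    if origin != APP_ORIGIN:
        return "403 cross-site request rejected"
    # 2. Synchronizer token: the hidden field must match the token issued to
    #    this session, which an attacker cannot read across origins.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token_for(session)):
        return "403 missing or invalid csrf token"
    return f"200 {req.form.get('reqName')} moved to group {req.form.get('group')}"


# --- constructed requests -------------------------------------------------
ADMIN_SESSION = "admin-session-cookie"   # the victim admin's existing session
PAYLOAD = {"reqName": "user1", "group": "12121", "addWO": "addWO"}

# The PoC form loaded from attacker.example by the logged-in admin: the
# browser attaches the session cookie (no SameSite attribute) but sets Origin
# to the attacker's page, and the form cannot contain the session-bound token.
CSRF_REQUEST = Request(
    method="POST",
    headers={"Origin": "http://attacker.example"},
    cookies={"JSESSIONID": ADMIN_SESSION},
    form=dict(PAYLOAD),
)

# The same action performed legitimately from the application's own page.
LEGIT_REQUEST = Request(
    method="POST",
    headers={"Referer": f"{APP_ORIGIN}/Something.do"},
    cookies={"JSESSIONID": ADMIN_SESSION},
    form={**PAYLOAD, "csrf_token": csrf_token_for(ADMIN_SESSION)},
)

# Same-origin but without the token (e.g. a stale or replayed page): refused.
NO_TOKEN_REQUEST = Request(
    method="POST",
    headers={"Origin": APP_ORIGIN},
    cookies={"JSESSIONID": ADMIN_SESSION},
    form=dict(PAYLOAD),
)

if __name__ == "__main__":
    for name, req in [("csrf", CSRF_REQUEST), ("legit", LEGIT_REQUEST), ("no-token", NO_TOKEN_REQUEST)]:
        print(f"{name:9} vulnerable={vulnerable_handler(req)!r} hardened={hardened_handler(req)!r}")
```

Either check alone would have stopped the PoC; they are kept independent so that a missing Origin header (some proxies strip it) falls back to the token rather than to "allow". Marking the session cookie SameSite=Lax or Strict is a third layer that keeps the browser from attaching it to the cross-site POST in the first place.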

Let's understand the roles given to admin :-
  1. Access all the assets handled by the IT team.
  2. Access virtual hosts and VMs.
  3. Access the Credentials Library, which holds the admin account username and password used to scan the different machines inside the network.
The password was hidden and I was not able to view it; the inspect-element trick did not work here either.
No worries, I changed the password :P


Point 3 looks interesting. Being admin, if I can scan any network device (desktop/server), can I also take access of it? RDP? The answer is YES.

2x2 Recon the Checkmate 

From the list of inventory assets I randomly started poking different IP addresses to see their privileges. I found one and was able to RDP to the remote desktop machine, using the same credentials that are used to scan the internal machines.

And there I found the Domain Admin account.
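The pivot above has a simple detection signature: a scanning credential is expected to produce network logons only (event 4624 with LogonType 3), so the same account appearing with LogonType 10 (RemoteInteractive, i.e. RDP) or LogonType 2 (console) is out of profile. Below is an added example (not from the original post) that parses a constructed key=value flattening of 4624/4625 events and flags such logons; the account CORP\svc_scan, host names and addresses are assumptions.

```python
"""Detecting the credential-reuse pivot described above.

Added example, not from the original post. The credential taken from the
application's Credentials Library is meant to scan hosts, i.e. to produce
network logons (event 4624, LogonType 3). Using it over RDP shows up as
LogonType 10 (RemoteInteractive); a console logon as LogonType 2. The
account CORP\\svc_scan, hosts and IPs are assumptions, and the event lines
are a constructed key=value flattening of Windows Security events.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

INTERACTIVE = 2          # local console logon
NETWORK = 3              # SMB/WMI/RPC access, what a scanner is expected to do
REMOTE_INTERACTIVE = 10  # RDP / Terminal Services

# Assumption: service identities that must never log on interactively.
NETWORK_ONLY_ACCOUNTS: Set[str] = {"CORP\\svc_scan"}


@dataclass(frozen=True)
class Logon:
    time: str
    computer: str
    account: str      # DOMAIN\\user, built from TargetDomainName/TargetUserName
    logon_type: int
    source_ip: str


def parse_event(line: str) -> Optional[Logon]:
    """Return a Logon for a successful-logon (4624) line, None for anything else."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    if fields.get("EventID") != "4624":
        return None
    try:
        logon_type = int(fields["LogonType"])
        account = f"{fields['TargetDomainName']}\\{fields['TargetUserName']}"
    except (KeyError, ValueError):
        return None   # malformed line: skip it rather than crash the pipeline
    return Logon(fields.get("time", "?"), fields.get("Computer", "?"), account,
                 logon_type, fields.get("IpAddress", "-"))


def flag_interactive_service_logons(lines: Iterable[str],
                                    accounts: Set[str] = NETWORK_ONLY_ACCOUNTS) -> List[Logon]:
    """Successful logons by network-only accounts that were interactive or RDP."""
    hits: List[Logon] = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev.account in accounts and ev.logon_type in (INTERACTIVE, REMOTE_INTERACTIVE):
            hits.append(ev)
    return hits


# Constructed sample events.
SAMPLE_EVENTS = [
    # expected: the scanner touching a host over the network
    "time=2023-05-02T09:00:01 EventID=4624 Computer=FS-01 TargetDomainName=CORP TargetUserName=svc_scan LogonType=3 IpAddress=10.0.1.20",
    # a human admin using RDP with their own account: not this rule's concern
    "time=2023-05-02T09:05:12 EventID=4624 Computer=FS-01 TargetDomainName=CORP TargetUserName=jdoe LogonType=10 IpAddress=10.0.9.5",
    # the pivot from the post: scanner credential used for RDP from a workstation
    "time=2023-05-02T09:07:44 EventID=4624 Computer=HR-WS-07 TargetDomainName=CORP TargetUserName=svc_scan LogonType=10 IpAddress=10.0.5.17",
    # a failed attempt (4625) is a different event and is not a logon
    "time=2023-05-02T09:07:50 EventID=4625 Computer=DC-01 TargetDomainName=CORP TargetUserName=svc_scan LogonType=10 IpAddress=10.0.5.17",
    # console logon by the scanner account, also out of profile
    "time=2023-05-02T09:12:03 EventID=4624 Computer=HR-WS-07 TargetDomainName=CORP TargetUserName=svc_scan LogonType=2 IpAddress=-",
]

if __name__ == "__main__":
    for hit in flag_interactive_service_logons(SAMPLE_EVENTS):
        print(f"ALERT {hit.time} {hit.account} logon_type={hit.logon_type} "
              f"on {hit.computer} from {hit.source_ip}")
```

The rule is deliberately narrow: it only needs to know which accounts are network-only, which the credential library that leaked them already tells you. Restricting those accounts with "Deny log on through Remote Desktop Services" and "Deny log on locally" turns the same condition from an alert into a blocked logon.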

Mission Accomplished ...XD

PS :- I wrote this blog post just to share that you can become a domain admin via a web application assessment.

Happy Hunting.
