AD Enumeration & Attacks - Skills Assessment Part II
Last updated
Our client Inlanefreight has contracted us again to perform a full-scope internal penetration test. The client is looking to find and remediate as many flaws as possible before going through a merger & acquisition process. The new CISO is particularly worried about more nuanced AD security flaws that may have gone unnoticed during previous penetration tests. The client is not concerned about stealth/evasive tactics and has also provided us with a Parrot Linux VM within the internal network to get the best possible coverage of all angles of the network and the Active Directory environment. Connect to the internal attack host via SSH (you can also connect to it using xfreerdp as shown in the beginning of this module) and begin looking for a foothold into the domain. Once you have a foothold, enumerate the domain and look for flaws that can be utilized to move laterally, escalate privileges, and achieve domain compromise.
Q1) Obtain a password hash for a domain user account that can be leveraged to gain a foothold in the domain. What is the account name?
Let's begin by starting Responder with its default settings.
Let's review the Responder logs to determine if any hashes were captured.
Answer: AB920
Q2) What is this user's cleartext password?
Let's save the hash to a file and attempt to crack it using Hashcat in order to retrieve the plaintext password.
Answer: weasal
Q3) Submit the contents of the C:\flag.txt file on MS01.
Let's first check which hosts in the domain are alive.
Let's save these IP addresses to a file and use Nmap to enumerate them, identifying which one corresponds to MS01.
172.16.7.3: DC01
172.16.7.50: MS01
172.16.7.60: SQL01
172.16.7.240: our Parrot attack host
Let's verify whether the user ab920 can log in to 172.16.7.50, and determine which authentication protocol is supported for the connection.
Let's use Evil-WinRM to authenticate with the ab920 account.
Answer: aud1t_gr0up_m3mbersh1ps!
Q4) Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.
It is now time to create a list of target users to be used in the upcoming password spraying attack.
We now have 2,904 valid usernames in the domain. Let's now proceed with the password spraying attack.
Answer: BR086
Q5) What is this user's password?
Answer: Welcome1
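From the defender's side, the spray in Q4/Q5 leaves a distinctive trail in the domain controller's Security log: one source failing once against many accounts in a short window. The script below is an added example (not part of the original writeup) that flags that shape over constructed, simplified Event ID 4625 records; the field names, the window and the thresholds are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, simplified from Event ID 4625 (failed logon).
# 172.16.7.240 (the attack host above) tries one password against many accounts,
# which is a spray; 10.0.0.9 hammers a single account, which is a brute force.
SAMPLE_EVENTS = (
    [{"time": f"2024-01-01T10:00:{i:02d}", "user": f"USER{i:03d}", "src": "172.16.7.240"}
     for i in range(12)]
    + [{"time": f"2024-01-01T10:05:{i:02d}", "user": "AB920", "src": "10.0.0.9"}
       for i in range(12)]
)


def detect_spray(events, window=timedelta(minutes=5), min_accounts=10, max_per_account=2):
    """Return {source_ip: sorted targeted accounts} for every source whose failed
    logons inside some `window` hit at least `min_accounts` distinct accounts with
    no more than `max_per_account` failures each (low per-account, wide spread)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append((datetime.fromisoformat(e["time"]), e["user"].upper()))
    flagged = {}
    for src, rows in by_src.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until rows[start:end+1] fits in `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in rows[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged[src] = sorted(per_user)
                break
    return flagged


if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {src}: {len(users)} accounts targeted")
```

The brute-force source is deliberately left unflagged so the rule stays specific to spraying; a separate lockout or per-account threshold covers that case.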
Q6) Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?
Let's perform share enumeration to identify any shared resources on which we may have read access.
I found a shared folder named 'Department Shares' to which we have read access. Let's proceed to review its contents.
I found a file named web.config in the results. Let's review its contents to identify any relevant information.
Answer: D@ta_bAse_adm1n!
Q7) Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
Next, we will use the obtained credentials to authenticate to SQL01 via mssqlclient.
We have successfully accessed SQL01; however, we do not have the necessary permissions to read the flag. Let's review our current permissions.
We have the SeImpersonatePrivilege enabled, which can be leveraged for privilege escalation by exploiting the PrintNightmare vulnerability.
Let's generate a payload using msfvenom and also obtain PrintSpoofer.exe. Next, let's download both files onto the SQL01 server.
Let's initiate the Meterpreter listener and proceed with the privilege escalation attack.
It is now time to retrieve the flag.
Answer: s3imp3rs0nate_cl@ssic
Q8) Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
We now have system-level privileges on the SQL01 server; the next step is to attempt to retrieve the administrator's hash.
Next, we will use this hash to attempt a connection to the MS01 server.
Answer: exc3ss1ve_adm1n_r1ights!
Q9) Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What's this user's account name?
Let's proceed to download PowerView.ps1 on MS01 to enumerate Access Control Lists (ACLs).
I encountered an error while attempting this, so let's proceed using our Meterpreter session instead.
Let's apply a filter for the GenericAll permission.
Next, let's convert the security identifier (SID) to a username to identify the associated user.
Answer: CT059
Q10) Crack this user's password hash and submit the cleartext password as your answer.
For this task, we will use Inveigh on MS01 to conduct a man-in-the-middle attack in an attempt to capture the NTLM hash of the target user.
Let's save this to a file and attempt to crack it using Hashcat.
Answer: charlie1
Q11) Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.
We now hold the credentials of CT059, who has the GenericAll permission over Domain Admins. Therefore, we can proceed to add this user to the Domain Admins group and initiate a DCSync attack.
Let's edit the proxychains configuration file (/etc/proxychains.conf) on the Parrot host to route traffic through a SOCKS4 proxy on port 9050. This setup will allow us to authenticate to the MS01 machine via RDP using the credentials of the user CT059.
Next, establish an SSH connection and create a SOCKS proxy on local port 9050.
Let's now authenticate to the MS01 server via RDP using the credentials of user CT059.
Let's proceed to add this account to the Domain Admins group.
It is now time to migrate to DC01.
Answer: acLs_f0r_th3_w1n!
Q12) Submit the NTLM hash for the KRBTGT account for the target domain after achieving domain compromise.
Now, let's authenticate to DC01 and execute a DCSync attack.
Answer: 7eba70412d81c1cd030d72a3e8dbe05f
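The last two steps of this chain (Q11's group change and Q12's DCSync) are the ones a SOC should be alerting on. The script below is an added example, not the writeup's code: it runs a minimal rule over constructed, simplified Security log records (Event ID 4728 for a member added to a global group, Event ID 4662 for a directory object access whose Properties carry the replication control access rights). The domain prefix, the DC account list and the record layout are assumptions of this example.

```python
# Well-known control access right GUIDs found in the Properties field of 4662
# when a principal requests replication (what a DCSync actually asks the DC for).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample records; "INLANEFREIGHT" is an assumed NetBIOS domain name.
SAMPLE_EVENTS = [
    # Routine DC-to-DC replication: expected, must not alert.
    {"id": 4662, "subject": "INLANEFREIGHT\\DC01$",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # CT059 adds itself to Domain Admins (the Q11 step).
    {"id": 4728, "subject": "INLANEFREIGHT\\CT059", "member": "CT059", "group": "Domain Admins"},
    # A user account requesting replication rights: the DCSync signature (Q12).
    {"id": 4662, "subject": "INLANEFREIGHT\\CT059",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Same user reading an unrelated attribute (constructed GUID): must not alert.
    {"id": 4662, "subject": "INLANEFREIGHT\\CT059",
     "properties": "{12345678-0000-0000-0000-000000000000}"},
]


def find_alerts(events, dc_accounts=frozenset({"DC01$"})):
    """Return (rule, subject, detail) tuples. dc_accounts lists the sAMAccountNames
    of domain controllers, whose replication requests are legitimate; add any
    directory-sync service account (e.g. an AD Connect account) there as well."""
    alerts = []
    for e in events:
        subject = e["subject"].split("\\")[-1]
        if e["id"] == 4728 and e["group"] in PRIVILEGED_GROUPS:
            alerts.append(("privileged-group-add", subject, f'{e["member"]} -> {e["group"]}'))
        elif e["id"] == 4662:
            requested = {g.strip("{}").lower() for g in e["properties"].split()}
            if requested & REPLICATION_RIGHTS and subject not in dc_accounts:
                alerts.append(("dcsync-from-non-dc", subject, e["properties"]))
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in find_alerts(SAMPLE_EVENTS):
        print(f"[{rule}] {subject}: {detail}")
```

Both rules fire only on the two records that correspond to the attacker's actions; the DC's own replication and the unrelated read stay quiet, which is what keeps the 4662 rule usable despite that event's volume.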