Ledger
This challenge simulates a real cyber-attack scenario where you must exploit an Active Directory. - by h4sh3m00
The following post by 0xb0b is licensed under CC BY 4.0
Recon
Nmap
We start with a Nmap scan, which revealed multiple services typical of an Active Directory environment, including DNS (53), HTTP/HTTPS (80, 443), Kerberos (88, 464), SMB (445), LDAP (389, 636), Global Catalog services (3268, 3269), and MSRPC/NetBIOS (135, 139). Additional services such as Remote Desktop Protocol (3389), Windows Remote Management (47001), Active Directory Web Services (9389), and a range of high-numbered ephemeral ports (49664–49716) commonly used for DCOM and RPC communication were also observed.
From the default script scan, we see that we have an IIS running on ports 80 and 443. Here we can identify the domain name thm.local, among others. We add this directly to /etc/hosts.
Web Server
Unfortunately, only IIS default pages are on the web servers available. There seems to be no entry point here. However, we can look at the issued certificate on the HTTPS page to possibly gain further important information.
Here we can identify there certificate authority. We add this to our /etc/hosts.
SMB
Since we have SMB available, we start enumerating it with NetExec (formerly CrackMapExec). It is an enumeration tool used for assessing and interacting with SMB and other network services. We use the built-in guest account and an empty password for an initial enumeration.
Initial connectivity was verified with the guest account without a password.
We are able to connect as guest. We then list the available shares for the guest account. This confirmed that the IPC$ share was readable.
To further enumerate domain users, we perform a RID brute-force, since the IPC$ share is readable.
With this user list we could try kerberoasting or bruteforcing the accounts, but this was unsuccessful.
LDAP
Next, we try an anonymous LDAP search against the domain controller at 10.10.161.74 on the default LDAP port (389), using the base DN dc=thm,dc=local. Since port 389 was found open during enumeration, this search helps gather valuable directory information such as users, groups, and organizational structure, which can aid in further attacks.
When looking through the results, the description fields of some users stand out. For quick tracking, the results can be searched out directly using grep.
For some users (IVY_WILLIS and SUSANNA_MCKNIGHT), there are instructions to change REDACTED. Probably the password of the users that was set.
We use Netexec to test whether the passwords are still valid and whether they also apply to other users that we had previously determined using RID Brute Force.
We can confirm that the passwords are still valid for both users.
Foothold
We are using bloodhound-python to enumerate Active Directory objects and relationships using the found credentials within the thm.local domain.
IVY_WILLIS is not part of the REMOTE MANAGEMENT USERS group, nor the REMOTE DESKTOP USERS group. But SUSANNA_MCKNIGHT. We also enumerated the credentials of this user.
User Flag
We use Remmina to get a RDP connection as SUSANNA_MCKNIGHT and we'll find the user flag on the Desktop of the user.
Privilege Escalation - ESC1
In addition to using BloodHound to enumerate objects and relationships within Active Directory, there are also tools specifically designed for enumerating certificate-related vulnerabilities. Notable examples include Certipy and SpecterOps' research, which help identify vulnerable certificate templates that can be exploited for privilege escalation.
We use the credentials of SUSANNA_MCKNIGHT to enumerate misconfigured templates using certipy-ad.
We receive a json output with the results. The certificate templates ServerAuth and Computer2 are misconfigured to allow any authenticated user to enroll and supply arbitrary subject names, enabling ESC1 attacks for impersonation via client authentication.
ESC1 is when a certificate template permits Client Authentication and allows the enrollee to supply an arbitrary Subject Alternative Name (SAN).
For ESC1, we can request a certificate based on the vulnerable certificate template and specify an arbitrary UPN or DNS SAN with the
-upnand-dnsparameter, respectively.
Results of Certipy:
On the machine we find the user BRADLEY_ORITZ.
Using Bloodhound, we have already identified the user as one of the domain admins. We could therefore impersonate BRADLEY_ORITZ or the Administrator using ESC1 to escalate our privileges. Let's continue with the ESC1 exploit.
We choose BRADLEY_ORTIZ. We follow the steps from the repository:
https://github.com/ly4k/Certipy?tab=readme-ov-file#esc1
We request a certificate as SUSANNA_MCKNIGHT, specify the Certificate Authority thm-LABYRINTH-CA, the machine labyrinth.thm.local and the vulnerable certificate template ServerAuth. Furthermore, the upn bradley_ortiz@thm.local to impersonate this identity. We receive a .pfx file.
Next, we authenticate as BRADLEY_ORTIZ using the certificate. This will give us the NT hash.
Root Flag
With the hash, we can use wmiexec to get an interactive session as BRADLEY_ORTIZ. We are able to reach the Administrator's Users folder, where the final flag is located at the Administrator's Desktop.
Privilege Escalation Alternative - Resource-Based Constrained Delegation
There is another way to extend the privileges. Let's take another look at the relationships and permissions in Bloodhound. Here we notice that the GUESTS group has a generic write permission on the computer object LABYRINTH.THM.LOCAL.
Found by Shortest Path to Domain Admins
This allows us a Resource-Based Constrained Delegation attack.
For more information on how to abuse this permission, simply right-click on the edge and click Help?:
The members of the group GUESTS@THM.LOCAL have generic write access to the computer LABYRINTH.THM.LOCAL.
Generic Write access grants you the ability to write to any non-protected attribute on the target object, including "members" for a group, and "serviceprincipalnames" for a user
Resource-Based Constrained Delegation
Resource-Based Constrained Delegation
First, if an attacker does not control an account with an SPN set, a new attacker-controlled computer account can be added with Impacket's addcomputer.py example script:
We now need to configure the target object so that the attacker-controlled computer can delegate to it. Impacket's rbcd.py script can be used for that purpose:
And finally we can get a service ticket for the service name (sname) we want to "pretend" to be "admin" for. Impacket's getST.py example script can be used for that purpose.
This ticket can then be used with Pass-the-Ticket, and could grant access to the file system of the TARGETCOMPUTER
So first, we need ot add a new computer object. In Active Directory, any authenticated user (by default) can add up to 10 computer objects to the domain. This can be abused to register a machine account that we control, which can later be used for attacks like Kerberoasting or Resource-Based Constrained Delegation (RBCD). We do this with the credentials previously obtained.
We now need to configure the target object so that our computer can delegate to it. We do not supply any credentials for the GUEST account.
rbcd.py requires a password:
rbcd.py with the empty password hash:
We finally get a service ticket for the service name (sname) we want to "pretend" to be.
We use the Kerberos ticket Administrator.ccache to authenticate with smbclient.py using the -k (Kerberos) and -no-pass options. This allowes to enumerate SMB shares on the domain controller LABYRINTH.THM.LOCAL without supplying a password as Administrator. We are able to read and write on all shares including the C drive. Here we will find the final flag at
C:\Users\Administrator\Desktop\root.txt.
We could also get and interactive session with wmiexec.py using the Kerberos ticket.
Last updated
Was this helpful?