CPTS #08: Active Directory Enumeration & Attacks

Hint:

– Enumeration for initial access is very important!

– Remember! Pass-the-Hash (PtH) is also a beautiful way in.

Skill #1

In Skill #1, we were provided with a web shell to work with.

Due to the limited capabilities of this web shell, I decided to use a Meterpreter shell instead.

We can use fping to discover other hosts in this local subnet. However, by looking at the DNS server setting, I can initially guess that the Domain Controller is at IP 172.16.6.3. We could use nltest to confirm the IP of the DC, or continue scanning with tools like fping.

Next, upload several tools such as Rubeus and PowerView.

Use Rubeus to perform Kerberoasting on the user svc_sql.

Use Hashcat to crack the hash I just obtained; at this point, I successfully retrieve the plain-text password.

With the information I’ve gathered, let’s proceed to search for sensitive data to answer the questions. I’ll remotely execute a PowerShell script block on MS01 since I already have the credentials for the user svc_sql.

For convenience, I’ll use proxychains in combination with the jump host, which is the Kali Linux machine, to run secretsdump (note: in a real-world pentest scenario, this may vary). Using secretsdump, I will extract the cached logon credentials from the target machine. Then, I’ll proceed to crack these password hashes using hashcat, and I obtain a new user: tpetty.

I will look for interesting ACLs assigned to the user tpetty in the domain, specifically DCSync rights. First, I need to convert this username into its corresponding SID.

Since we have DCSync rights, I will use secretsdump against the Domain Controller. At this point, I will retrieve the hash of the Administrator account on the DC.

Cracking the hash did not yield good results, so I decided to perform Pass-the-Hash with the Administrator user on the Domain Controller. And now, we’re all done!
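The chain above (an RC4 service ticket for svc_sql, then replication with tpetty’s DCSync rights) leaves a recognisable trail in the Domain Controller Security log. The following Python check is an added example, not part of the original writeup: it runs over constructed 4769/4662 records, and the requester name lowpriv and the SPN accounts other than svc_sql are made up.

```python
"""Spot Kerberoasting and DCSync in Domain Controller Security events.
Added example, not from the writeup. SAMPLE_EVENTS is constructed and mirrors
a few fields of Event ID 4769 (service ticket requested) and 4662 (operation on
an AD object); both need the matching audit policy enabled on the DCs."""
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType of an RC4 ticket, the kind cracked offline
# Control-access rights a DCSync exercises (well-known GUIDs)
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

def detect_kerberoast(events, min_services=1):
    """Requester -> sorted SPN accounts it obtained RC4 tickets for, keeping only
    requesters with >= min_services targets; computer accounts and krbtgt skipped."""
    roasted = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        service = e["ServiceName"]
        if not service.endswith("$") and service.lower() != "krbtgt":
            roasted[e["TargetUserName"]].add(service)
    return {u: sorted(s) for u, s in roasted.items() if len(s) >= min_services}

def detect_dcsync(events, dc_accounts):
    """Subjects of 4662 events that used a replication right without being one
    of dc_accounts (the DC machine accounts that legitimately replicate)."""
    hits = []
    for e in events:
        props = e.get("Properties", "").lower()
        replicating = DS_REPL_GET_CHANGES in props or DS_REPL_GET_CHANGES_ALL in props
        if e["EventID"] == 4662 and replicating and e["SubjectUserName"] not in dc_accounts:
            hits.append(e["SubjectUserName"])
    return hits

def _tgs(user, service, etype):  # constructed 4769 record
    return {"EventID": 4769, "TargetUserName": user, "ServiceName": service, "TicketEncryptionType": etype}

def _ds(subject, *guids):  # constructed 4662 record; Properties lists the access GUIDs
    return {"EventID": 4662, "SubjectUserName": subject, "Properties": " ".join("{%s}" % g for g in guids)}

SAMPLE_EVENTS = [
    _tgs("alice", "svc_sql", "0x12"),       # AES ticket: ordinary service use
    _tgs("lowpriv", "svc_sql", "0x17"),     # one account pulling RC4 tickets
    _tgs("lowpriv", "svc_backup", "0x17"),  # for several SPN accounts in a row
    _tgs("lowpriv", "svc_web", "0x17"),
    _tgs("lowpriv", "WS01$", "0x17"),       # computer account: skipped
    _ds("DC02$", DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL),   # DC replicating: expected
    _ds("tpetty", DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL),  # user replicating: DCSync
]
```

Pass the real set of DC machine accounts as dc_accounts; any other subject exercising these rights is worth an alert.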

Skill #2

Initial enumeration using the LLMNR/NBT-NS poisoning technique allowed us to capture the hash of user AB920.

Use Hashcat to crack the hash we just obtained; at this point, we successfully retrieve the plain-text password.

Continue using fping to identify the live hosts in this internal subnet, where .240 is the IP address of our jump host.

Continuing the enumeration process, we will scan each IP to identify the exact services or NetBIOS Computer names associated with them, making the attack easier. Among them, the Domain Controller (DC) has the IP address 172.16.7.3.

Using various methods to remotely access the MS01 machine, I decided to use Evil-WinRM to establish the connection.

The question asks us to find additional credentials for another user. From the jump host, we use crackmapexec to list the user accounts.

We proceed to extract only the samAccountName from the list of users.

Continue using crackmapexec to enumerate the password policy, which will be helpful for password spraying.

Proceed to spray a few basic passwords, and we successfully identify the next user: BR086.
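A spray like this stays under the lockout threshold enumerated a step earlier, so account lockouts never fire; a detection that counts distinct accounts per source within a time window, rather than failures per account, still sees it. The following is an added example, not part of the original writeup, run over constructed 4625 records (the IP addresses and user names are made up).

```python
"""Flag password spraying in Windows Security events (Event ID 4625).
Added example, not from the writeup. SAMPLE_EVENTS is constructed; field names
mirror the 4625 record (TargetUserName, IpAddress, Status)."""
from collections import defaultdict
from datetime import datetime, timedelta

# 0xC000006A = wrong password for an existing account, the status a spray against
# a real user list produces; 0xC0000064 (unknown user) would mean guessing names.
WRONG_PASSWORD = "0xc000006a"

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: all accounts it tried} for every source that failed to
    log on to >= min_accounts distinct accounts inside one window. Many failures
    on a single account (a user mistyping) never trigger."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] != 4625 or e["Status"].lower() != WRONG_PASSWORD:
            continue
        when = datetime.fromisoformat(e["TimeCreated"])
        by_src[e["IpAddress"]].append((when, e["TargetUserName"]))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0  # sliding window over the time-ordered attempts
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({name for _, name in attempts[start:end + 1]}) >= min_accounts:
                flagged[src] = sorted({name for _, name in attempts})
                break
    return flagged

def _ev(ts, user, ip, status=WRONG_PASSWORD):  # constructed 4625 record
    return {"EventID": 4625, "TimeCreated": ts, "TargetUserName": user,
            "IpAddress": ip, "Status": status}

SAMPLE_EVENTS = (
    # spray: one source, six accounts, one password each, within one minute
    [_ev(f"2024-01-15T09:00:{10 * i:02d}", f"u{i:02d}", "10.0.0.5") for i in range(6)]
    # the same person mistyping three times: many failures, one account
    + [_ev(f"2024-01-15T09:05:{10 * i:02d}", "alice", "10.0.0.9") for i in range(3)]
    # slow source: six accounts, but split across two bursts 30 minutes apart
    + [_ev(f"2024-01-15T10:00:{10 * i:02d}", f"s{i}", "10.0.0.7") for i in range(3)]
    + [_ev(f"2024-01-15T10:30:{10 * i:02d}", f"s{i + 3}", "10.0.0.7") for i in range(3)]
)
```

Lowering min_accounts or widening window trades more catches of slow sprays for more noise from shared NAT addresses.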

Proceed to enumerate this user by checking what directory permissions they have.

We’ve found a web.config file. Maybe there’s something interesting in there.

And yup! While reading the file, I found database credentials for the connection.

During the initial Nmap scan, we discovered that host .60 has the MSSQL port open, so we’ll use mssqlclient to access this database.

As shown in the database exploitation module, we proceed to enable xp_cmdshell and check the privileges of this user. We discover that the user has the SeImpersonatePrivilege right.

We can use Juicy Potato or PrintSpoofer to exploit this privilege escalation vulnerability. In this case, we’ll proceed with PrintSpoofer64. First, upload the payload to the MSSQL server, and don’t forget to also upload Netcat (nc.exe) to facilitate the reverse shell connection during exploitation.

We have enough tools for the exploit. Now, let’s break the door. Open a listener and execute the command prompt as shown below.

Here we go. Got the shell!

To speed up the enumeration process, I used Mimikatz on this server and obtained credentials for the user mssqlsvc. I tried cracking the password but it wasn’t effective, so we’ll proceed with a pass-the-hash attack using this account.

Performed a pass-the-hash attack on MS01 and successfully retrieved the Administrator flag from the MS01 machine.

Back on MS01, we will look for domain admin users who have GenericAll permissions.

We’ve obtained the user’s SID; now we just need to convert it into a readable format. And we got a new user: CT059.

Let’s go back to MS01. We will continue to use the LLMNR/NBT-NS Poisoning technique with Inveigh to capture the hash of user CT059.

Crack this NTLMv2 hash and we get a clear-text password.

Since user CT059 is part of the Domain Admins group, it is highly likely that they have the privilege to reset passwords for other users. Therefore, I proceeded to reset the Administrator account’s password for quick access. (Note: In real-world scenarios or penetration testing environments, this approach is extremely risky. A safer and more professional method would be to create a new user and assign administrative privileges to that account, instead of directly modifying the Administrator or other active user accounts.)

After successfully changing the password, we can now simply log in to the Domain Controller using the Administrator account.

Since we already have the highest privileged user, dumping other hashes is no longer a challenge. It’s now just a matter of choosing the right tool to perform the task.