Target Experience:
My observations while working this target:
· Enumeration: Life-like
· Vulnerabilities: Life-like
· Exploitation: Life-like
· Foothold Difficulty: Hard
· Privilege Escalation Difficulty: Medium
Tools:
The recommended tools for this lab were:
· Nmap
· CrackmapExec
· SMBClient
· GetNPUsers
· Hashcat
· PowerView (Windows)
· RPCClient
· Pypykatz
· Evil-WinRM
· Diskshadow (Windows)
· Secretsdump
Vulnerabilities:
· Exposed Usernames
· Kerberos Pre-Authentication not requried
· ACE Privilege Abuse
· Sensitive File Information
· Backup Privilege Abuse
Information Gathering:
Using Nmap, I saved the output while scanning for service version detection, OS detection, script scanning, and verbose mode of the target system.
Since the target was identified as a Windows system, and most likely a domain controller, I decided to use CrackMapExec to further enumerate SMB.
After discovering a few shares, I enumerated the profiles$ share and found what appeared to be user account names.
Foothold:
Part 1:
After identifying that the enumerated share was more than likely valid user accounts, I created a user list in preparation for password spraying.
I tried a few different spraying techniques, but none of them were successful. So, I used the user list with the Impacket GetNPUsers to identify if I could ASREPRoast any of the accounts.
Reviewing the output of the ASREPRoast, I was able to obtain the Kerberos hash for the support account.
A quick trip to my cracking machine, I was able to use Hashcat to crack the hash.
Next, I returned back to my Attacker system and validated that the credentials were valid. However, the credentials did not have remote access privileges.
Part 2:
I’ll have to admit that I had issues with trying to figure this part out. And by far, this was the most difficult part for me. I would usually execute a SharpHound collector, but those attempts returned with no visible results within BloodHound. I attempted a few other enumeration attempts, but was not having any luck. I turned to the forums and folks commented “what can a support account due?”
I had my suspicion that an ACL/ACE was enabled on the audit2020 account for the support account. However, I was just not finding a tool nor did I have the knowledge of a tool on my Attacker system to prove my suspicion. So, I blindly moved on and eventually pwn3d the target.
I came back to this point and continued to rework this step until I was able to come up with proof. Doing so, forced me to use my Windows system to load the PowerView module. Since my Windows system was not on the Blackfield Domain, I used a runas /netonly command to load a new PowerShell window as the blackfield.local\support user.
Once the new window launched, I loaded PowerView and then executed the Invoke-ACLScanner function to only scan the audit2020 account. After a few errors regarding the current domain, the returned results indicated that the audit2020 account had an ACL/ACE applied.
At this point, I returned to my Attacker system and launched a RPCClient session as the support account. Once connected, I performed a lookupsids to view the ObjectSID and IdentitySID.
With the above enumeration results, I was confident that the support account had AD Rights over the audit2020 account based on the AccessControlType. Although, I did not know the exact rights. It was not until after I obtained Administrator privileges that I was able to definitely identify that the ACEType was a User-Force-Change-Password as well as User-Change-Password.
In performing an Internet search, I was able to find an example of how to change a user password. However, I needed to identify the current password policy that was being utilized first.
Knowing that the domain credentials had to be a minimum of eight characters, with complexity, I used RPCClient to change the password for the audit2020 account. I then validated the password change with CME. However, I still was not able to obtain PS-Remote access.
Part 3:
Using the audit2020 account, I enumerated the shares with CME. I noted that the audit2020 account had read access to the forensics folder.
After connecting to the forensics share with SMBClient, I started reviewing the data to find anything that would be interesting. I ended up discovering a lsass.zip file within the memory_analysis directory and downloaded it to my Attacker system.
Once the lsass.zip file download completed, I extracted the zip and then launched pypykatz to view the contents of the file; which contained the svc_backup account NTLM hash.
Next, I launched CME to validate the credentials and validated remote access privileges.
Privilege Escalation:
With validated credentials, I launched Evil-WinRM to connect to the target and enumerated privileges.
Once again, I used an Internet search to research how to privilege escalate with the SeBackupPrivilege. I found a couple of articles that explained how to use diskshadow to make a shadow copy of the Active Directory database. Since the file was backed up with SeBackupPrivileges, it could only be copied by the svc_backup account using Robocopy or Copy-FileSeBackupPrivilege to a writable location.
To prepare for compromising the target, I created a CMD file (shadowcopy.cmd) and a text file script (shadow.txt) that executed commands within the binary of diskshadow. These commands would create a shadow copy of ntds.dit, and save it to a mapped drive. Then the script would call the CMD file to copy the file to a World-Writable location of C:\Window\System32\spool\drivers\color.
With the files uploaded, I executed diskshadow with the /s flag to use the script of shadow.txt. In addition, I used the /l flag to log the output to log.txt. As a side, it was not required to create the log file.
As an alternate copy method, I found two special .dll’s for the SeBackupPrivilege copy process. The first validated the SeBackupPrivilege settings and the second enabled copying files with SeBackupPrivilege. Both of these files needed to be uploaded onto the target. If the .dll’s were flagged by AV, the author had provided raw code for obfuscation and re-compiling.
Next, I extracted the SYSTEM key from the registry and then downloaded the Active Directory database and the SYSTEM key. Once the files downloaded successfully, I cleaned up by deleting the files, scripts, and any logs that I used.
With ntds.dit and system.hive successfully downloaded to my Attacker system, I used Impacket secretsdump to extract the hashes from the Active Directory database.
Using the extracted contents of the Active Directory database, I used Evil-WinRM to connect to the target as the Domain Administrator.
References:
https://malicious.link/post/2017/reset-ad-user-password-with-linux/
https://github.com/giuliano108/SeBackupPrivilege
https://ethicalhackersacademy.com/blogs/ethical-hackers-academy/active-directory
Disclaimer:
This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.
Information within this article is “as is”, without warranty of any sort.
