Corp: TryHackMe WriteUp

0liverFlow
8 min read · Jun 1, 2024

Corp

Corp is an assumed-breach Active Directory room. To solve this machine, we will first bypass AppLocker, an application control feature that restricts which programs we can execute. Then, we will move laterally in the domain by performing Kerberoasting. After that, we will escalate our privileges by exploiting the unattended.xml file and establish persistence in the domain by forging a golden ticket.

Reconnaissance

Nmap

As mentioned earlier, this is an assumed-breach room, which means that we already have initial access to the target network.

Initial Access

RDP Login

Here is a quick explanation of the different options used in the xfreerdp command:

/u : the username

/p : the user’s password

/v : the server IP or domain name

+clipboard : enables clipboard support

/cert-ignore : skips cert verification

/dynamic-resolution : allows us to resize the window, adjusting the resolution of the target in the process

/drive : creates a shared drive between our Kali machine and the target. This switch is extremely useful, as it lets us use our toolkit on the remote target and save any output directly back to our own hard drive. In essence, we never have to create any files on the target. For instance, to share /usr/share/windows-resources in a share called toolkit, you could use: /drive:toolkit,/usr/share/windows-resources

When creating a shared drive, it can be accessed either from the command line as \\tsclient\ or through File Explorer under "This PC":

Bypassing AppLocker

AppLocker is an application whitelisting technology introduced with Windows 7. It restricts which programs users can execute based on the program's path, publisher, or hash.

Let’s check that by trying to run whoami.exe:

As you can see, AppLocker restrictions prevent us from executing whoami.exe.

Nonetheless, there are many ways to bypass AppLocker.

If AppLocker is configured with the default rules, we can bypass it by placing our executable in the following directory: C:\Windows\System32\spool\drivers\color. This directory is whitelisted by default, because the default rules allow everything under C:\Windows and this particular folder is writable by standard users.

Let’s give it a shot, shall we?

Awesome, we’ve been able to bypass AppLocker’s execution restriction.
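As an added defender-side illustration (not part of the original write-up), the script below audits an exported AppLocker policy for exactly this gap: an Allow path rule that covers a directory standard users can write to, with no exception carving it out. The policy XML, its rule Id and the single writable-directory entry are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed policy in the layout of Get-AppLockerPolicy -Xml output: the stock default
# Exe path rule with no exceptions, i.e. the setup the write-up abuses. Rule Id is made up.
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Action="Allow"
                  Name="(Default Rule) All files located in the Windows folder"
                  UserOrGroupSid="S-1-1-0">
      <Conditions><FilePathCondition Path="%WINDIR%\\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

# Directories under %WINDIR% that standard users can write to (the one the write-up uses).
USER_WRITABLE = [r"C:\Windows\System32\spool\drivers\color"]
VARS = {"%WINDIR%": r"C:\Windows", "%SYSTEM32%": r"C:\Windows\System32"}


def expand(pattern):
    """Turn an AppLocker path pattern into a lowercase directory prefix."""
    for var, real in VARS.items():
        pattern = pattern.replace(var, real)
    return pattern.rstrip("*").rstrip("\\").lower()


def covers(prefix, directory):
    """True when `directory` is `prefix` itself or lies beneath it."""
    d = directory.lower()
    return d == prefix or d.startswith(prefix + "\\")


def paths_in(rule, section):
    """Expanded paths from a rule's <Conditions> or <Exceptions> block."""
    node = rule.find(section)
    return [] if node is None else [expand(c.get("Path")) for c in node.iter("FilePathCondition")]


def find_writable_allow_gaps(policy_xml, writable_dirs=USER_WRITABLE):
    """(rule name, directory) pairs where an Allow path rule covers a user-writable
    directory and no Exceptions entry carves it back out; the fix is to add the exception."""
    gaps = []
    for rule in ET.fromstring(policy_xml).iter("FilePathRule"):
        if rule.get("Action") != "Allow":
            continue
        allowed, excepted = paths_in(rule, "Conditions"), paths_in(rule, "Exceptions")
        for d in writable_dirs:
            if any(covers(p, d) for p in allowed) and not any(covers(p, d) for p in excepted):
                gaps.append((rule.get("Name"), d))
    return gaps
```

Extend USER_WRITABLE with whatever an icacls sweep of %WINDIR% turns up in your own environment; the check itself stays the same.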

Note: PowerShell saves all previous commands in a file called ConsoleHost_history. This file is located at $env:APPDATA\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt

Well, let’s check dark’s privileges on the domain:

As you can see, dark does not have enough privileges. Therefore, we will need to move laterally if we want to compromise the DC.

Kerberoasting

Kerberos is the authentication system for Windows and Active Directory networks. There are many attacks against Kerberos; in this room we will use a PowerShell script to request a service ticket for an account and obtain the ticket hash. We can then crack this hash to get access to another user account!

setspn -T omega -Q  */*

Omega is the DC’s hostname.

Well, now that we have found a user with an SPN, we can try to perform a Kerberoasting attack using a PowerShell script called Invoke-Kerberoast.

However, let’s first transfer this script to the target machine:

Launching the SMB server
Connecting to the Kali SMB server

Once connected to the SMB server, we can copy the PowerShell script to the target’s temporary directory, then execute the script:

Here, I saved the output in a file in the hope that I would be able to remove the spaces as well as the blank lines from the command’s output, but unfortunately it did not work, as you can see in the image below:

If you face the same issue, refer here.

After a few modifications, I finally obtained the desired result :

TGS-REP hash

Well, let’s try to crack the hash now.

Cracking the TGS-REP hash
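From the detection side, here is an added example (not from the original write-up) of what the request above looks like on the domain controller and how to flag it: Security event 4769 logs every service ticket request, and the Kerberoasting indicator is an RC4 (0x17) ticket issued for a user-account SPN. The events, account names and addresses are constructed.

```python
from collections import defaultdict

# Constructed Security log 4769 events (EventData fields); user, host and address
# values are made up. Event 0 is what the write-up's Invoke-Kerberoast run looks
# like from the DC: an RC4 (0x17) service ticket for a user account's SPN.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "dark@CORP.LOCAL", "ServiceName": "fela",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.5", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "dark@CORP.LOCAL", "ServiceName": "OMEGA$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.5", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "dark@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.5", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "svc_backup@CORP.LOCAL", "ServiceName": "fela",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.10.9", "Status": "0x6"},
]

RC4_TYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP; AES tickets are 0x11/0x12


def is_kerberoast_candidate(ev):
    """Successful 4769 for a user-account SPN (not a machine account, not krbtgt)
    where the ticket was issued with RC4, the type Kerberoasting tools ask for
    because it is the cheapest to crack offline."""
    if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
        return False
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev.get("TicketEncryptionType", "").lower() in RC4_TYPES


def find_kerberoasting(events):
    """Group candidate tickets by (requesting account, client address) and return
    the SPNs each pulled; one hit already matches the write-up's single SPN."""
    hits = defaultdict(set)
    for ev in events:
        if is_kerberoast_candidate(ev):
            hits[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {key: sorted(spns) for key, spns in hits.items()}


if __name__ == "__main__":
    for (user, addr), spns in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"ALERT: {user} from {addr} requested RC4 service tickets for {spns}")
```

On a real domain, legacy services that only support RC4 will trip the single-ticket rule, so baseline those and treat many distinct SPNs from one requester in a short window as the stronger signal. Moving service accounts to AES-only and long random passwords removes the signal at the source.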

Fantastic! Let’s check if we can connect to fela’s account using WinRM. For that, I use crackmapexec (feel free to use netexec instead):

Great! We can log in to the account using WinRM:

user.txt flag

We could also have used the runas command to connect to fela’s account:

Connecting to fela’s account using runas

Well, once done, let’s check if we can dump the credentials. Prior to that, we can check the privileges of the compromised user using the ‘net user’ command:

Amazing! fela is part of the Domain Admins group, which means that we have the keys to the kingdom. Simply put, with this privilege we can do anything on the DC, such as dumping hashes, creating new Domain Admin users, etc. The sky is the limit!

For the sake of simplicity, we’re just going to dump the hashes using cme :

After that, we could connect to the domain administrator’s account via the pass-the-hash technique.

Nevertheless, let’s keep on with the room instructions.

Privilege Escalation

In this section, we will use a PowerShell enumeration script called PowerUp to examine the Windows machine. We can then determine the best way to get Administrator access.

After that, I executed PowerUp’s Invoke-AllChecks cmdlet :

The script has identified several ways to get Administrator access. We will be exploiting the UnattendPath one.

“Unattended Setup is the method by which original equipment manufacturers (OEMs), corporations, and other users install Windows NT in unattended mode.” Read more about it here.

It is also where users’ passwords can be stored, in base64 encoding.

Let’s navigate to C:\Windows\Panther\Unattend\Unattended.xml:

The same result could also be obtained using winPEAS:

Let’s decode the administrator’s base64-encoded password using the base64 command on our Kali machine:

Administrator password
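As an added example (not from the original write-up), here is an audit that finds every leftover credential in an answer file rather than decoding one value by hand, and that handles the encoding Windows tooling uses for non-plaintext values (UTF-16LE with the word "Password" appended before base64) as well as plain ASCII base64. The answer file and both secrets in it are constructed.

```python
import base64
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"

# Constructed sample answer file; both secrets are made up. ENCODED_SAMPLE is built
# the way Windows stores a non-plaintext answer-file password: the literal word
# "Password" is appended, then the string is UTF-16LE encoded and base64 encoded.
ENCODED_SAMPLE = base64.b64encode("S3cr3t!Password".encode("utf-16-le")).decode()
SAMPLE_XML = f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts><AdministratorPassword>
        <Value>{ENCODED_SAMPLE}</Value><PlainText>false</PlainText>
      </AdministratorPassword></UserAccounts>
      <AutoLogon><Username>Administrator</Username>
        <Password><Value>Winter2024</Value><PlainText>true</PlainText></Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>"""


def decode_unattend_password(value, plaintext):
    """Recover the clear text. Windows writes non-plaintext values as UTF-16LE with
    'Password' appended; hand-made files often hold plain ASCII base64 instead."""
    if plaintext:
        return value
    raw = base64.b64decode(value)
    if len(raw) % 2 == 0 and b"\x00" in raw:  # UTF-16LE form written by Windows tooling
        text = raw.decode("utf-16-le")
        return text[: -len("Password")] if text.endswith("Password") else text
    return raw.decode("utf-8", "replace")


def find_leftover_passwords(xml_text):
    """Every *Password element that still carries a Value, with its decoded secret."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if not el.tag.split("}")[-1].endswith("Password"):
            continue
        value = el.find(NS + "Value")
        if value is None or not (value.text or "").strip():
            continue
        plain = el.find(NS + "PlainText")
        is_plain = plain is not None and (plain.text or "").strip().lower() == "true"
        findings.append({"element": el.tag.split("}")[-1], "plaintext": is_plain,
                         "password": decode_unattend_password(value.text.strip(), is_plain)})
    return findings
```

Run it over the Panther, Sysprep and root-level copies of the file on every built image; the remediation is to remove the Value elements after deployment or to deploy with a process that strips them.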

Once done, we can then log into the administrator account. Here, I used psexec :

root.txt flag

Well, we compromised the domain. So what’s next?

Persistence

This is not part of the room, but I decided to do it because I found it interesting to talk about.

Basically, we will forge a Kerberos Ticket-Granting Ticket (TGT), also known as a golden ticket. With that ticket, we will be able to access any service or machine within the domain as the impersonated user.

Last but not least, what makes this attack really dangerous is that the krbtgt account’s credentials are never automatically updated.

That said, to perform this attack, we’re going to proceed as follows:

1/ Acquire the krbtgt password’s hash

2/ Find the domain’s SID

impacket-lookupsid [DOMAIN/DomainUser@DomainController] 0

3/ Generate a golden ticket

impacket-ticketer -nthash [NTHASH] -domain-sid [SID] -domain [DOMAIN] [USER]

4/ Export the ticket

export KRB5CCNAME=[USER.CCACHE]

Note: klist is a command used to list cached Kerberos tickets. To install it on your Kali, you can use: apt-get install krb5-user

5/ Add the DC’s IP to the resolv.conf file

6/ Authenticate with the created ticket to the domain controller

impacket-psexec [REALM]/[USER]@[HOST] -k -no-pass
# Host is the DC's hostname
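To close the loop from the defender's side, an added example that is not part of the original write-up: a forged TGT is never requested from the DC, so its use shows up as service ticket requests (event 4769) for an account and client address that never requested a TGT (event 4768). The timeline, names and addresses below are constructed; the durable remediation for the point made above about krbtgt remains resetting its password twice, which invalidates every ticket forged with the old hash.

```python
from datetime import datetime, timedelta

# Constructed DC timeline (fields as in 4768/4769 EventData; names and addresses are
# made up). A normal logon asks for a TGT (4768) and then service tickets (4769) from
# one host; the second host requests service tickets without ever asking this DC for
# a TGT, which is how a forged TGT (golden ticket) presents itself on the DC side.
SAMPLE_EVENTS = [
    {"time": "2024-06-01T10:00:00", "EventID": 4768, "TargetUserName": "fela",
     "IpAddress": "::ffff:10.10.10.5"},
    {"time": "2024-06-01T10:00:03", "EventID": 4769, "TargetUserName": "fela@CORP.LOCAL",
     "ServiceName": "OMEGA$", "IpAddress": "::ffff:10.10.10.5"},
    {"time": "2024-06-01T11:30:00", "EventID": 4769, "TargetUserName": "Administrator@CORP.LOCAL",
     "ServiceName": "OMEGA$", "IpAddress": "::ffff:10.10.10.9"},
]


def ticket_key(ev):
    """4768 logs the bare account name while 4769 logs user@REALM; normalise both."""
    return ev["TargetUserName"].split("@")[0].lower(), ev["IpAddress"]


def find_tgt_less_service_tickets(events, window=timedelta(hours=10)):
    """4769 events whose (account, client address) has no 4768 within `window`
    (default = the domain's default maximum TGT lifetime). Feed it the events from
    every DC, since the TGT may have been issued by a different DC than the TGS."""
    last_tgt, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts, key = datetime.fromisoformat(ev["time"]), ticket_key(ev)
        if ev["EventID"] == 4768:
            last_tgt[key] = ts
        elif ev["EventID"] == 4769:
            seen = last_tgt.get(key)
            if seen is None or ts - seen > window:
                alerts.append(ev)
    return alerts


if __name__ == "__main__":
    for ev in find_tgt_less_service_tickets(SAMPLE_EVENTS):
        print(f"ALERT: service ticket for {ev['TargetUserName']} from {ev['IpAddress']} "
              f"with no preceding TGT request ({ev['time']})")
```

TGT renewals are logged as 4770 rather than 4768, so in production extend the correlation to count renewals as well before alerting.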

For those interested in doing the same using mimikatz, you can refer to the resources below.

Mission Complete

Wrapping Up

That’s it, guys. Congrats on having made it this far 👏.

I hope you enjoyed the writeup.

If so, do not forget to click on the little clap icon below and subscribe to my newsletter to keep up with my latest articles.

Written by 0liverFlow

Pentester | Enjoy breaking and building stuff
