# Adding Users

If we access Active Directory Users and Computers on our DC, we see something that looks like this (if sorted by type).

![image](https://hackmd.io/_uploads/S159MerZA.png)

We have 2 or 3 users of type "user". We want to add more users and configure a few of them to be Kerberoastable or AS-REP Roastable.

Rather than do this manually like some sort of schlepper schlepping along, we are going to add the users with the following PowerShell script. However, because our DC is currently isolated and I can't copy and paste into it due to [limitations of noVNC](https://youtu.be/y6EDlD_fWn0?si=DY7q3-2N7sy3DpXh) (something I only learned when I started on this Proxmox journey, having never really used noVNC before), we will stage the file in the Kali VM, transfer it to the Vulnerable Machine, and then transfer it from there to the DC.

## PowerShell Script

Some of these passwords are found in rockyou and some of them are not. So some will be easily crackable, others not so much. This will be similar to what you might find in the OSCP.

```powershell
# not in rockyou
New-AdUser -Name "Emmet Brickowski" -GivenName "Emmet" -Surname "Brickowski" -SamAccountName "emmet" -UserPrincipalName "emmet@oscp.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "R3xRul3z!" -Force) -Enabled $true

# in rockyou
New-AdUser -Name "Wyldstyle" -GivenName "Wyldstyle" -Surname "" -SamAccountName "wyldstyle" -UserPrincipalName "wyldstyle@oscp.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "Awesome24!" -Force) -Enabled $true

# in rockyou
New-AdUser -Name "Batman" -GivenName "Batman" -Surname "" -SamAccountName "batman" -UserPrincipalName "batman@oscp.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "#1BlackBelt" -Force) -Enabled $true

# not in rockyou
New-AdUser -Name "Vitruvius" -GivenName "Vitruvius" -Surname "" -SamAccountName "vitruvius" -UserPrincipalName "vitruvius@oscp.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "Bl0ckM@g!c" -Force) -Enabled $true

# not in rockyou
New-AdUser -Name "Benny" -GivenName "Benny" -Surname "" -SamAccountName "benny" -UserPrincipalName "benny@oscp.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "Sp@c3Sh1p!" -Force) -Enabled $true

# not in rockyou
New-AdUser -Name "Uni-Kitty" -GivenName "Uni" -Surname "Kitty" -SamAccountName "uni-kitty" -UserPrincipalName "uni-kitty@oscp.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "Un!K!tty!!" -Force) -Enabled $true

# not in rockyou
New-AdUser -Name "MetalBeard" -GivenName "Metal" -Surname "Beard" -SamAccountName "metalbeard" -UserPrincipalName "metalbeard@oscp.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "Metal_9488!" -Force) -Enabled $true

# not in rockyou
New-AdUser -Name "Lord Business" -GivenName "Lord" -Surname "Business" -SamAccountName "lord_business" -UserPrincipalName "lord_business@oscp.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "TAKOstuesday!" -Force) -Enabled $true

# in rockyou
New-AdUser -Name "IIS Service" -GivenName "IIS" -Surname "Service" -SamAccountName "svc_iis" -UserPrincipalName "svc_iis@oscp.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "Portland7@" -Force) -Enabled $true

# Commented-out templates for additional users
#New-AdUser -Name "" -GivenName "" -Surname "" -SamAccountName "" -UserPrincipalName "@oscp.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "" -Force) -Enabled $true

#New-AdUser -Name "" -GivenName "" -Surname "" -SamAccountName "" -UserPrincipalName "@oscp.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "" -Force) -Enabled $true

# in rockyou
#New-AdUser -Name "" -GivenName "" -Surname "" -SamAccountName "" -UserPrincipalName "@oscp.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "" -Force) -Enabled $true
```

## Transferring to Vulnerable Machine

We have the file in our folder

![image](https://hackmd.io/_uploads/rkvm5yrZC.png)

Start SMB Server

![image](https://hackmd.io/_uploads/SkqVcJB-C.png)

Access from Vulnerable Machine

![image](https://hackmd.io/_uploads/BJ01jJHZR.png)

Download and save into the setup folder on C:, which also has the Autologon executable

![image](https://hackmd.io/_uploads/SkkoblSWR.png)

Share the folder

![image](https://hackmd.io/_uploads/BJCGGeHW0.png)

## Downloading to Domain Controller

Access the share through File Explorer

![image](https://hackmd.io/_uploads/r1BYNeBW0.png)

Because we haven't added the Vulnerable Machine to the domain yet, we will need to enter credentials (Vulnerable Machine user credentials)

![image](https://hackmd.io/_uploads/S146VgrZC.png)

![image](https://hackmd.io/_uploads/HkbxSxS-A.png)

Access the shared folder

![image](https://hackmd.io/_uploads/B1MWBlBbR.png)

We can create a new folder "setup" in the C: drive of the DC, and paste the file there

![image](https://hackmd.io/_uploads/S1RrBerb0.png)

## Running the script

Open up PowerShell as administrator and go to the setup directory

![image](https://hackmd.io/_uploads/SkANLxrWA.png)

Run the script

![image](https://hackmd.io/_uploads/ry6jUgHbR.png)

Click refresh in the Active Directory Users and Computers window

![image](https://hackmd.io/_uploads/SJQCLgH-0.png)

Observe the glory of the new users

![image](https://hackmd.io/_uploads/SkYJvxHZR.png)

## Configuring Groups

### Service Accounts

Create a new group and call it "Service Accounts"

![image](https://hackmd.io/_uploads/H1PFfbHZ0.png)

![image](https://hackmd.io/_uploads/SkHRGZrbR.png)

#### Add Members

Right-click > Properties

![image](https://hackmd.io/_uploads/rkbL7WBZC.png)

Members > Add

![image](https://hackmd.io/_uploads/ryLDQWrbR.png)

![image](https://hackmd.io/_uploads/ry3iM7rbR.png)

Check Names

![image](https://hackmd.io/_uploads/rkAhGXH-C.png)

Apply

### IT Admins

Create a new group and call it "IT Admins"

![image](https://hackmd.io/_uploads/BJ2Tm7SbR.png)

#### Add Members

Add Emmet and Lord Business

![image](https://hackmd.io/_uploads/ry1fEXHZA.png)

- The semicolon separates multiple names

Check names for autocomplete

![image](https://hackmd.io/_uploads/HyiNEmS-A.png)

## Configuring Users

### Lord Business - Path to compromise

Lord Business is also going to be a member of Domain Admins - he shall be the one we compromise.

![image](https://hackmd.io/_uploads/BJ1X8mBZR.png)

![image](https://hackmd.io/_uploads/BkYXUXSbC.png)

![image](https://hackmd.io/_uploads/BkUHI7rZA.png)

### MetalBeard - AS-REP Roastable

We are going to make MetalBeard AS-REP Roastable

![image](https://hackmd.io/_uploads/rJs8DQS-R.png)

### IIS Service - Kerberoastable

Add Service Principal Name

![image](https://hackmd.io/_uploads/r1fruQr-0.png)

We can check it with

![image](https://hackmd.io/_uploads/H1VtOmSWR.png)

# Password File to be discovered

## Directory Settings

Create a folder in C: called "backups"

Share with everyone (because it is the security permissions that matter)

![image](https://hackmd.io/_uploads/rJks1BH-C.png)

Change security permissions by disabling inheritance to make it *a little more* secure.

![image](https://hackmd.io/_uploads/HJY9eBS-C.png)

Edit > Remove Users

![image](https://hackmd.io/_uploads/rk6KQHS-A.png)

Add > Service Accounts group

![image](https://hackmd.io/_uploads/B1AR7HSWC.png)

Let Service Accounts have modify permissions

![image](https://hackmd.io/_uploads/HJh-VSBWC.png)

## Making the password file

Create a text file with some credentials - only one of these will be a "current" set of credentials

![image](https://hackmd.io/_uploads/Sy9_8BSbA.png)

Zip it behind a password (in this case, one that is also found in rockyou)

![image](https://hackmd.io/_uploads/H1IRnBH-0.png)

Transfer it over using the same technique we used with everything else - SMB share on Kali > Vulnerable Machine > Domain Controller

- Kali VM

  ![image](https://hackmd.io/_uploads/S1eFwISZ0.png)

- Vulnerable Client

  ![image](https://hackmd.io/_uploads/BkeJd8HZC.png)

- DC

  ![image](https://hackmd.io/_uploads/Sk0KO8H-A.png)
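
To confirm that the GUI changes made under "Configuring Users" took effect, the script below classifies `Get-ADUser` output by the three conditions this lab sets up; it is an added example, not part of the original write-up. The function name `Get-RoastExposure`, the sample objects, the placeholder SPN and the `CN=Users` location of the groups are assumptions.

```powershell
# Added example: report accounts with pre-auth disabled, an SPN on a user
# account, or direct Domain Admins membership, from Get-ADUser-style objects.
function Get-RoastExposure {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [object]$User)
    process {
        $findings = [System.Collections.Generic.List[string]]::new()
        if ($User.DoesNotRequirePreAuth) {
            $findings.Add('AS-REP roastable: Kerberos pre-authentication not required')
        }
        # Drop null/empty entries so an unset property does not count as an SPN.
        $spns = @($User.ServicePrincipalNames | Where-Object { $_ })
        if ($spns.Count -gt 0) {
            $findings.Add('Kerberoastable: SPN set on a user account')
        }
        # MemberOf holds direct memberships only (no nested or primary group).
        if (@($User.MemberOf) -match '^CN=Domain Admins,') {
            $findings.Add('Member of Domain Admins')
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Enabled        = $User.Enabled
                Findings       = $findings -join '; '
            }
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output, so the
# function can be tried without a DC. The SPN and group DNs are placeholders.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'emmet'; Enabled = $true; DoesNotRequirePreAuth = $false; ServicePrincipalNames = @(); MemberOf = @('CN=IT Admins,CN=Users,DC=oscp,DC=lab') }
    [pscustomobject]@{ SamAccountName = 'metalbeard'; Enabled = $true; DoesNotRequirePreAuth = $true; ServicePrincipalNames = @(); MemberOf = @() }
    [pscustomobject]@{ SamAccountName = 'svc_iis'; Enabled = $true; DoesNotRequirePreAuth = $false; ServicePrincipalNames = @('HTTP/placeholder.oscp.lab'); MemberOf = @('CN=Service Accounts,CN=Users,DC=oscp,DC=lab') }
    [pscustomobject]@{ SamAccountName = 'lord_business'; Enabled = $true; DoesNotRequirePreAuth = $false; ServicePrincipalNames = @(); MemberOf = @('CN=Domain Admins,CN=Users,DC=oscp,DC=lab') }
)
$sample | Get-RoastExposure | Format-Table -AutoSize

# On the DC, feed it real directory data instead (ActiveDirectory module):
# Get-ADUser -Filter * -Properties DoesNotRequirePreAuth, ServicePrincipalNames, MemberOf |
#     Get-RoastExposure | Format-Table -AutoSize
```

Run against a real domain, the same report is a quick audit: every enabled account it lists with either roastable finding exposes its password to offline guessing, so those accounts need the setting removed or a long random password.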