Exploiting AD - Part 1 [Active Directory Hacking] -- TryHackMe LIVE!

Captions
this and we are live hey what is up everyone tyler answer here back with another live stream whether you're watching this on twitch or maybe after the fact on youtube hey it is good to have you hanging out with me i apologize if you meant to join me last night where i live we had a crazy storm come through um the last i heard dumped almost five inches of rain on us and an hour had upwards of 80 mile per hour wind so i lost power and yesterday was just kind of a mess but hey i'm back everyone's safe my house is good and we are back on stream so what we are going to begin working through today is the exploiting a.d room on trihackme this is created by amoeba man who was actually on my last stream teaching us how to set up our own a.d hacking lab with vagrant so if you don't watch that you can catch it on my youtube channel i think amoeba man might even jump in and join us at some point in time today for him this is early early morning where he lives i'm gonna go get twitch pulled up just to make sure everything is rocking hey what up d33x33 no idea how to say your name so i apologize if that's how you pronounce it um for those of you watching that stream if anything sounds off looks off go ahead and just holler at me when we do this we have so many different things that we're managing from obs to twitch to discord to our actual virtual machine so it is it is so easy to to miss something but hey i'm going to show you guys really from the beginning how to connect to this network and how to get everything set up so this will be from beginning to end no idea how far we'll make it tonight i think i will do this for about two hours and what i like to do is i'd like to work in 25 minute increments let me go ahead and share my screen with you and on my other monitor i'm going to set up my timer we're going to start working at 25 minutes and we'll take a five-minute break after 25 minutes so let's start the timer has started and so if you can see my screen the way that we are 
going to navigate to this is if you go to try hack me go ahead and log in i believe this room is for subscribers only but if you have not subscribed to try hack me it is well worth your time well with your money if you click learn on here and if we scroll all the way down there's networks down here so uh nate actually streamed throwback i think i did the first half into the second half and i have stream breaching id add lateral movement and pivoting and now we will begin exploiting a.d so if you miss any of those other rooms if you go to my youtube channel i have each one of those um completely done we got created by amoeba man thank you amoeba man as usual and so the first thing that we're going to have to do is download our access for this specific network so if you open little access tab and you do this within your vm you'll click networks over here because you're going to use a different open vpn file than you normally do for try hack me and we'll download my configuration file there we'll just hit save file and see if it came up there it did so open vpn beret93 exploiting that got our vpn pulled up set our new tab up and let's go ahead and cd to our try hackme folder and make directory and we'll call this exploiting ad go there okay let's rename this tab our terminal just to keep things clear and i'm gonna grab my other web browser right here and i'll zoom in a little bit so you guys can see the text a little bit better looks like the network is running so that is good and let's go ahead and dive into it and what i like to do as i do this is i'm learning this right alongside of you so i do not claim to be an expert you will watch me make silly mistakes especially on live stream i feel like trying to manage all these things think through it talk to it at the same time just puts my brain in a jumble but we're going to learn it together and what i like to do is i read the text in its entirety often when i do rooms on my own i skim through them and then i get 
stuck because i miss something so we're going to read through this in this entirety and work through the entire room and what i would like to say is the goal is not to go fast the goal is to learn so even when you do it yourself i encourage you to slow down learn and take in the content so that you learn something so let's go ahead and dive in introduction this network is the continuation of the breaching ad and a new brain ad networks please make sure to complete these networks before continuing with this one which we did also note that we will discuss ad objects extensively if you need a refresher have a quick reskim of this room that's the active directory basically i do encourage you to check that out i think when i was first getting into stuff i finished that room we'll just check keep me honest did i finish it i did yep so you can see i did this room back in the day now that we have breached a d and enumerate the structure the domains we will explore different methods that could be used to exploit misconfigurations that may have surfaced from our enumeration so ad exploitation now that we've performed our internal recon and understand the lay of the land regarding the ad structure and environment it is time for the exploitation phase this phase exploits misconfigurations to perform a combination of lateral movement and privilege escalation go over my music my music's really quiet turn this up a little bit oh leave me alone pearson view i'm taking the az900 cert for work seems pretty easy but that's what that was for hey what up skippy good to have you here all right this phrase exploits misconfigurations to perform a combination of lateral movement and privilege escalation until we reach a suitable position to execute our goals as shown in the diagram below this phase is usually combined with persistence to ensure that we can't lose the new position we gain which the room on persistence just came out today so i am behind i'll be playing catch up for a little 
bit on stream but this will be covered in the next room it is also usually combined with additional enumeration since our new position might allow us to acquire additional information about the lay of the land so you can see this we have our initial recon our initial compromise we establish a foothold we escalate privileges and there's a cycle as we accomplish our different goals we do internal recon move lateral maintain presence over and over again until we complete our mission so our learning objectives in this network we will cover several methods that can be used to exploit admiss configurations this is by no means a complete list as available methods are usually highly situational and dependent on the ad structure and environment however we will cover the following techniques for exploiting a d a d delegation force authentication relays group policy objects or gpos targeting ad users domain trust and silver and golden tickets go in willy wonka on them if you are using the web-based attack box you will be connected to the network automatically blah blah blah we are not using the attack box i always encourage people set up your own vm it helps with learning and getting tools configured you may have to restart the network server twice blah blah blah you should also take the time okay okay okay we have our own so if you're using cali this is where it walks through how to do it so if we scroll up here we should grab this ip of our dc so it's the dot 83.101 so let's go here we're going to open up network manager or advanced network configuration and then skippy said i love hacking so i'm going to see you until you finish sweet good to have you skippy and i always like to say you may not have been here when i first said it i'm i'm a total noob in my opinion so i'm i'm learning right alongside you and so you can watch me stumble through this and we can stumble through it together but our first step is we need to set our dns which i don't remember what it is but i can 
see it a little bit through my console so 10.200.83.101 that's just the domain controller that we're setting our dc to so we'll save that perfect then we have to restart it like that and now if we pull this guy up we should be able just to test to make sure it's working by doing ns lookup on that guy hey we are in luck so we are on the network so far so good i have not broke anything that's a good thing okay so requesting your credits simulating ad breach you'll be provided with your first set of creds once your network and setup has been completed navigate to here to request your credential pair this is the same in each one of these rooms usually of course this would you'd get these after you first hack or do a phishing email but we are already breached the network get creds who are we okay we are louis louis thornton it looks like so let's just g edit that and we'll save it as um creds.txt and we'll go like that and i'm just going to go like this boom not for cat creds there we are we have our username and our password pull this back up okay this credential provides you rdp and ssh access to this little jump server the thm work one can be seen as a jump host in the environment simulate a foothold that you have achieved you can use remna or any other similar remote desktop client connect to the salsa rdp remember to specify the domain when connecting for ssh access you can do this and i will want to do ssh access i feel like rdp can just be a little bit buggy so we can go ahead and copy this and go here actually you know before we do that we need to grab those creds one more time okay now we can paste that our ad username is going to be louise thornton everything else looks good we should be prompted for our password which is islr3423 okay islr3423 there we go i must have just typed it wrong there we go so we are logged into our jump box i wonder if we just do a quick dir see what we all got if we go to desktop if you have any cool flags nope okay all right let's 
pull this back up i am ready to start my journey that i am got some files to download that look like let's go ahead and download these task files on our vm [Music] let's go down here and we'll just throw them in our folder i'm guessing there might be bloodhound files or something along those lines [Music] i'm just gonna download for us there we go no not open that's not what i want to do come on yo download save thank you and we'll just call this show or maybe maybe it'd be more accurate to call it ssh and if we go to our downloads folder oh it is bloodhound i was right just based on my guess home cali try hack me exploiting ad we'll put it there and then we ourselves will go there as well so we got our blood at home bloodhound file we can unzip that beast actually i don't think you need to unzip it you upload it as a zip if i remember right oh well we'll fix that later all right active directory can delegate permissions and privileges through a feature called permission delegation not to be confused with kerberos delegation that will be discussed in the next task i'm just gonna check that okay delegation is what makes ad so powerful in organizations imagine we work for an organization that has 50 000 employees since we care about security we only have three users that have access to da credentials it would be impossible for those three users to field all requests from the user such as resetting their passwords using delegation we can delegate the permission to force change a user's password to the help desk team meaning they now have a delegated privilege for this specific function in principle to keep delegation secure the principle of least privilege should be followed however in large organizations that is easier said than done in this task we will look at exploiting some delegation and misconfigurations fun permission delegation permission delegation exploits are often referred to as acl-based attacks ad allows administrators to configure access controlled 
entities that populates discretionary access control lists hence the name acl-based attacks almost any ad object can be secured with ace which then describe the allowed and denied permissions that any other ad object has against the target object however if these aces are misconfigured it may be possible for an attacker to exploit them let's look at our example again if the it support team were granted the force change password ace over the domain users group this would be considered insecure sure they'd be able to reset the passwords of employees that forgot their passwords but this misconfiguration would allow them to also reset the passage of privileged accounts such as the accounts that are members of the domain admins group essentially allowing for privilege escalation a significant amount of aces can be misconfigured and the exploits for each vary the bloodhound documentation assists in explaining enumerated aces and how they can be exploited however we will look at a couple of notable ones here force change password we have the ability to set the user's current password without knowing their current password which explained above add members we have the ability to add users including their own account groups or computers to the target group so we can make our user account an administrator generic all we have complete control over the object including the ability to change a user's password register an spn or add an ad object to the target group generic right we can update any non-protected parameters of our target object this could allow us to for example update the script path parameter which would cause a script to execute the next time the user logs on cool right owner we have the ability to update the owner of the target object we would make ourselves the owner allowing us to gain additional permissions over the object right dacl we have the ability to write new ace to the target objects dacl we could for example write an ace that grants our account full 
control over the target object all extended rights we have the ability to perform any action associated with extended ad rights against the target object this includes for example the ability to force change a user's password in order to exploit these aces we will need a method to interact with ad to make these requests the two best options for this are adrsat powershell commandlets or powersploit depending on the breach the detection tools in the environment one option may be stealthier in this task we will show both bloodhound sharp hound has already been executed for you and attaches a task file start bloodhound on the attack box or cali machine and ingest the data you are however welcome to rerun sharp pound yourself using the steps provided in the numerator ad room note if you get unable to connect to ldap verify your creds make sure you have the domain set correctly we provided a sip zip of sharp pound data as a task file on the attack box you can find the zip file under there first we will need to start neo4j i wonder if i need to so sometimes if bloodhound doesn't work i know like some the newer version of bloodhound has some issues so we may have to download another version of bloodhound but let's go ahead and try this first and we're going to throw this to the side get kali linux pulled up on this side actually we may not do that i may make it big before we open bloodhound because i remember it might kind of screw up the way it looks if you do it this way but neo4j console start [Music] unmesh argument i guess it's neo4j council probably in the attack boxes neo4j council start yeah i'm right so let's let that be a startup the question friends is when i set my neo4j password because it requires you to set it do i remember what i set it to probably not so i may have to reset my password again um yeah we'll find out bloodhound no sandbox because you don't want to get sand everywhere what i don't have bloodhound hold up it's just not in my well interesting i 
assumed i had bloodhound i just used it let me check something if we go to was it lateral movement pivoting maybe oh no let's go to enumeration do i have that on here oh that's right i may have broke my vm and i restarted it i remade my my vm that might be my issue because i'm not seeing where i did enumeration on this machine yeah i bet i broke it and then i rebuilt it oh well okay i think default is neo4j and neo4j so we need to change the creds first so we can go to that in our web browser blah blah blah database leave empty for default authentication type so we'll use neo4j and neo4j and then it should prompt us to change our password okay new password we'll call it neo4j1 very secure neo4j one next time i use bloodhound i'll forget what that is that's okay okay now that we are connected now we should be able to go back to bloodhound and neo4j one maybe if i save password that'll work better for me okay now we're gonna go ahead and try to upload our data and if we go over to home no we're not we don't want to be that so let's go to oh not there home there cali try hack me exploiting a d and you can just use the zip i didn't mean why i unpacked it then i realized since i unpacked it you don't need to do that you can just use a zip this you should be able to here's where it might fail i know like the newer versions of bloodhound sometimes don't like some of these json files so it looks like we're doing okay okay once the data is ingested shoot i'm gonna break it is it gonna work yeah i don't wanna do it that way pull up discord okay we can clear finished let's pull up try hack me right here okay blah blah blah blah the default okay if we search for our user account that was assigned a task 1 and bloodhound we see that we don't have a lot of permissions we have the ability to rdp into that this on providers with low privilege access let's go ahead and do that if we pull this back up get our terminal pulled back up and uh looks like we got a few people online on 
twitch hey if you're watching on twitch go ahead and just share like why you're here how you stumbled across this would love to love to hear from you we'll we'll learn all this stuff together and as i've been telling people and i'll repeat it again i am no expert the reason i'm doing this is i want to learn so i'm learning right alongside of you so you can watch me make silly mistakes so you don't have to um i forgot what i was doing oh cat crabs i just don't remember my account name this one right here so let's open bloodhound up and if we go here is it analysis can i just search for myself i'm trying to remember all this nope okay it doesn't show any users interesting if i go to analysis what if i do this okay so it is working just click through a few of these pre-built ones no data return from that it's almost it doesn't have all the data in here would seem like oh what just happened let's exit this out i clearly need to brush up on my uh my bloodhound skills i don't know what the heck i'm doing i didn't have this many issues before let's glance at those files real quick maybe i missed something so we have computers we have we do have users it's gonna be a big file i'm probably gonna break g edit oh well what if we go like this [Music] home what version of bloodhound are you using amoeba man yeah so that's actually what i said if you're just joining i said if we have issues it may be i need a downgrade bloodhound i just installed bloodhound so i have the newest version of bloodhound i bet i have to downgrade right i think i can just download it and run it from a folder i'm almost certain that's probably my issue since i said that in the beginning i might run into that so amiibo man is the one who created this so i'm gonna go and grab another version of bloodhound and you should be able to just run it like you don't have to install it you can just run bloodhound from a folder if my memory serves me correct let me remove all this extra junk that i did much better 
oh shoot oh why isn't that switching okay let's go ahead and see what we all got for binaries make sure no one's on here with me and i wonder if he even says in his what version of bloodhound i should use no yeah just download version 4.0.1 should be the correct one newer seems to break on importing gotcha that's a that's that's what i said i should have followed my intuition when i first started so for those of you on youtube what amoeba man said yes just download version 4.0.1 should be the correct one newer seems to break on importing the users.json file and i know that because i ran to that issue i think on throwback and it worked once i used an older version of bloodhound so let's go and see if we can grab that that older version of bloodhound so blah blah blah let's go here and he said to use 4.0.1 so oh these are all the newer ones let's go to here 4.0.1 and we would be downloading i believe oh it is my five minute break y'all well i don't really feel like taking a five minute break but we'll take one i'll be back in five minutes i encourage you get up stretch out it's gonna take a break i'll be back in five minutes [Music] [Music] [Music] so my [Music] [Music] yo yo what's up everyone welcome back i'm going to share my screen out again hopefully you had a good five minute break let me go ahead and start my timer one more time we'll do another 25 minutes here we go get twitch pulled up and that is a good question hunterbot said amoeba man can you make a network without a walkthrough in the future sort of like a capstone of everything we learn on these networks and i think hunterbot tryhackme has that plan um oh yeah i mean man just answered that so i'm just gonna read that answer for those of you on youtube he said yeah that's a project that is planned for the future but it will not just be about a.d it will include other red team elements such as av evasion as well i'm taking a short break from ad after this focusing on devops security where we are now 
creating a network to simulate a devops pipeline for hacking but that capstone network will be coming awesome man all of that is exciting stuff okay so for those of you who are following along if you're running kali linux they need to grab bloodhound just to get the user.json file to import you just have to go to the bloodhound github and scroll down to the 4.0.1 and then go ahead and download it come on cali thank you we'll save it and we'll give it some time it's still downloading i'm gonna turn my music down a little tad we'll see if twitch yells at me for my music this time last time they muted my audio like scrubs and let's move our bloodhound whoops we'll just move it to home home cali try hack me and we call this exploiting ad and we ourselves a move there as well all right we got our zip file we got bloodhound so if we unzip unzip bloodhound like that give it a second okay we should be able to remove our our bloodhound zip file now and if we just cd to bloodhound we have the command there so we have to go ahead and relaunch neo4j because i think that close so just do that first like that give that a second to start up get a drink of water all right let's go ahead and just name some of our tabs here and my music's still too loud in my ear sorry y'all one second i like the music just to be nice and quiet plus i think twitch likes that more too because they don't yell at me for copyrighted music in the background alright so now we should just be able to bloodhound like that and was it no sandbox so far so good we saved our password to the neo4j database so it should log us in hey okay and now we have our data here so let's just check to see still have zero users let's go ahead and just sort of re-import that that specific one which we we would have to [Music] unzip it so let's try that if i go here open a new tab home cali try hack me exploiting ad and we'll just make a directory for blood well this is unzipping who cares who cares if it's messy and then let's 
open up bloodhound let's see if we can just upload that user.json file now to see if that does the trick for us not sure if it will or not but in my head it works which doesn't mean much alright users.json no data in file well that sucks maybe i need a different one you can re-import the entire zip again as well bh knows a check for existing objects okay cool let's try that so now i'm getting in invalid file type on containers and no data and file for users.json no i really broke it maybe i need to roll back an even older version let's just try that let's try to yeah i'm just gonna try to just for experimenting whoops let's try an older version and i'm going to go ahead and i am going to remove these so if we go like that that should do the trick and so if i move bloodhound and we'll just call dot 4.0.1 like that can i do that okay just to keep it clear and let's go back to the repository and we don't need azure hound we go all the way back to here you know let's let's just try this just just for testing and see what happens come on cali we might extend our 25 minute break this time just see if we can work our way through here give it a second okay there's that new one so if we unzip it dot zip okay and let's remove the zip file just keep it clean and if we move bloodhound and we'll call this one it was three something three point zero point five i'll get it one of these times if we cd to that do i need to restart neo4j i don't think so oh it has the other one open that's going to confuse me oh well we just won't navigate out of this until we upload the data so let's go and try to re-upload the data here grab our bloodhound.zip file looks like it's freaking out a little bit but if we go here and gosh it's still zero users if i click this one okay i'm pretty sure i'm just doing something wrong let's do this clear database it's going to re-upload it again so okay we'll get it one of these times guys still zero users here let's clear this database and let's also try 
to upload it here again oh apology seems to be version 4.1.0 oh i gotcha i just had the numbers mixed around there 4.1.0 i'm not 4.0.1 i think so if we scroll up 4.1.0 that's the one that we need okay cool so let's clean this up a little bit and we'll remove bloodhound like that rf try it that way okay we'll get it guys bloodhound 4.1.0 assets let's go ahead and make sure i grab the right one oh amoeba man says that was the version on the attack box that we used to create the zip with neo4j 4.4.2 okay gotcha all good i'm i'm glad my one win from this is when i first did this i said hey this might not work because i may have to use a different version of bloodhound so i'm learning i'm counting that as a win and then amoeba man said hoping that works otherwise you can execute sharp hound yourself as well it's on the jump box so yeah we'll figure out a way to make this work this is it's honestly good when things don't work right away because it you can troubleshoot and learn i even notice that in my my day job as well i don't know why i call my day job because this definitely isn't my night job i definitely don't make any money by doing this so it's my day job and my only job um let's go ahead and move bloodhound and we'll go home cali try hack me exploiting a.d and we ourselves will move there okay unzip bloodhound let's just remove bloodhound.zip and then cd to bloodhound and we'll do bloodhound no no sandbox okay there we go okay if we go here okay good there's nothing in the database suite i was going to clear just to start from scratch let's go and try to upload data try to grab that hit open is it going to work computers worked containers worked domains worked gpo's worked come on groups i believe in you okay it's probably a lot of groups but it took some time we're getting we're getting down to users drumroll [Music] oh it's doing it we'll get back on track right here good deal this this deserves a drink of water glad amoeba man you found that out i would have 
just been uh trying each version i would have eventually gotten it but it would have taken me a while it seems to be working it just takes some time over here everything uploaded from what i can see so if we clear finished should just be able to close this out um whoops groups users do i need to change my node i don't have a node to select my friends i'm just going to click through some of these so if i go to like i don't know if it matters what domain i choose hey this is starting to look a little more normal yeah it looks like we have some users in here from what i can see so if we do like kerberostable accounts yeah this is this is what it should look like our little puppy over there a little bloodhound apparently i broke it with that query can i just skip it if i go like that can i skip to that query find shortest path the domain admins okay cool cool so i forgot what it was even asking us to do in the room what are we supposed to do if we search for our oh search for our user account okay who was our user account again okay cool um let's shoot close that one rename this one bloodhound and open a new tab i don't remember my account to be honest oh i should probably look here ssh tab we are louis thornton so if we copy that go to bloodhound there we are so you can see a few different things here also press left control so it always loads note edges always showing node labels okay cool password last change last log on let's look at what we can look through here compromise false yeah you've been compromised pastor never expires cannot be delegated extra properties we have the distinguished name domain sid group membership so we are members of domain users and internet access enrolled group membership i suppose are the ones that we are not in right we can kind of see how they're connected first we don't have any of this stuff we have rdp privileges to that jump box so i suppose one way that you could do movement is if you got onto a user and had let's say we had 
access to another machine right an rdp access we could do that or set up the weird proxy chains we did in the one the one room where we could use our attack box for proxy and through that still doesn't make sense in my head but it was cool okay cool now that we glanced at ourselves let's look at what the room asked us to do we have the ability to rdp we saw that since the domain is tiered our first step will be to compromise tier 2 infrastructure we need to compromise the tier 2 admins group since this group has administrative privileges on all workstations let's ask bloodhound if there is perhaps a road that we can follow to compromise this group add your user account as the start position and the tier two admins group as the end position okay let's give that a shot so if we scroll up gosh my scroll never works in my virtual machine and is it heat path finding oh nope nope nope this i want to do tier 2 admin there we go so it's kind of like google maps eh it tells us the the way we get there so this is what we notice we have our user right here we're a member of domain users and domain users have generic write privilege which let's let's remind ourselves what that is generic right we can update any non-protected parameters of our target object this could allow us to for example update the script path parameter which would cause a script to execute the next time a user logs in so thinking ahead if we have generic right to i t support can we write some type of script that allows us to to essentially put ourselves in this group or something with that group because once we get into that group you can notice that we have the privilege to force change password if we can get these rights right here then we can compromise any one of these t2 admins accounts which therefore puts us in the t2 admin group and we accomplish our first goal that's how it looks in my head let's jump back to the machine and see if my thought process is close to what we're going to do bloodhound 
shows us a very interesting path. It seems that there is a slight bit of permission delegation in this domain. An administrator has misconfigured the permission delegation of the IT Support group by providing the Domain Users group with the AddMember ACE. This means that any member of the Domain Users group, including our own account, can add accounts to the IT Support group. Furthermore, BloodHound shows the IT Support group has the ForceChangePassword ACE for the Tier 2 Admins group members. This is not really a misconfiguration, since Tier 2 admins are not that sensitive, but it provides a very potent attack path when combined with the initial misconfigurations. Let's exploit it. Let's do it. And actually, one thing I want to show you guys that I discovered that kind of goes with this room, and I added it to my notes: if I go to Active Directory here, I found this attack map on LinkedIn and it looked really cool. Just want to see how this kind of adds to this. You'll notice on this attack map you kind of start with where we're at, right? So if we look at this, we have a user account. This is really laggy when I'm streaming, oh my goodness; maybe this isn't going to work. If I zoom in... we don't want NTLM relay. If I scroll up, we find hash, we have a valid username and we have a password, so we have credentials, and now look at this, this is talking about using BloodHound right here, enumerate ADCS, some stuff there. This is cool, things I'll have to look into more. I just made sure I pulled it into my notes, but it kind of breaks all this down in this cool little flow chart. So, cool stuff. I don't know where I got it; if you want it, message me and I'll just send you the screenshot. It was somewhere on LinkedIn that I ran across it. All right, let me jump back to what we were doing. I get distracted easily, if you can't tell. Okay, the first step in this attack path is to add our AD account to the IT Support group. We will use the Add-ADGroupMember PowerShell cmdlet from the AD-RSAT toolset for
this. Start PowerShell, either RDP or SSH on the THM jump host, and run the following command to add your account. Whoops. Let's do that. So we have our SSH session right here. Let's first open PowerShell, and if we paste that in, we're going to go ahead and add our account name here, so we are lewis.thornton. Hey, so now if we do something like net user lewis.thornton /domain... look at that. If you look at our global group memberships, we are now a member of IT Support, which means we should be able to change the password of any of those T2 admins, and then we have now compromised their account. We can verify the command by using Get-ADGroupMember; that would be the proper way to do it in PowerShell. I used the old-school cmd way. Either way, it shows us our group membership. If everything works, you should see your account as a member. Now that we're a member of the IT Support group, we have inherited the ForceChangePassword permission delegation over the Tier 2 Admins group. First we need to identify the members of this group to select a target. We can use the Get-ADGroupMember command again to assist with this, and of course we also can look at BloodHound, right? BloodHound had all those members, but we'll do it this way as well, so you can see all of them there, and then if you look at BloodHound you can see them all there as well. BloodHound gives a little cleaner of a look, but either way it works. Let's open this back up. Make note of the username of one of these accounts. As the network is shared, it might be best to select one further down in the list. We will use the Set-ADAccountPassword AD-RSAT cmdlet to force change the password. Okay, so let's go ahead and go like this, go like this. Let's make note of one of our accounts. So if I click it, will it pull me up here? So let's do Leon Francis... Leon French, dude, steal his stuff. So let me scroll back down. Looks like we're setting a variable called password using the cool ConvertTo-SecureString. Oops, oh no, I did that
right. SecureString, and what should we call this password? How about Password123!, very secure. -AsPlainText -Force. So we've saved that as a variable called password. Now we're doing Set-ADAccountPassword -Identity and then our AD account, t2 Leon Francis, -Reset -NewPassword. That is our timer going off, but let's just see if this goes through. Do I need a gpupdate or something? No, I wouldn't have to do that, I don't think so. System.UnauthorizedAccess, blah blah blah, permission denied. Let's try this again. No, case sensitivity shouldn't matter, I don't think; just in case it does. I don't remember his account... yeah, that's correct. So access is denied. Let's just verify that we are in that group. Get... well, we should have shown up, honestly, but it was a PowerShell command, Get-ADGroup, yeah, Get-ADGroupMember IT Support, members, and we are lewis.thornton. Check the note. Now that we... we can use Get-ADGroupMember to assist with this, make a note of the username, since the network is shared... oh, I see: if you get an access denied error, it's always good to read. Your permissions have not yet propagated through the domain; this can take up to 10 minutes. The best approach is terminating your SSH or RDP session, taking a quick break, and then re-authenticating and trying again. You could also run gpupdate /force, that was my thought, and the disconnect and reconnect, which in certain cases will cause the synchronization to happen faster. Okay, so that's the importance of reading ahead. Let me just clear this out. So we are at our five-minute break. So what we can do... so this can take up to 10 minutes; the best approach is terminate your SSH session, take a quick break. Okay, let's go ahead and do that. Let's go ahead and take our five-minute break and then we'll log back in and we'll see where things are at. So let me pull this up and I will be back in five minutes. And we are back. Hey y'all, before we jump back into it I want to share with you a little bit about Discord. I
know there's a few of you new right now on Twitch with me; you may have been wondering during that break what the heck is this Work Smarter Weekly Accountability Cult message that you have up. Let me share with you real quick what that is. If I share my screen, here is our Discord. It started with just really me and Nate, who's the other streamer on this channel. We began meeting once a week to hold one another accountable as we studied for the OSCP. Eventually that grew from our Facebook chat; Jack Neely was a big part of it and he decided to turn it into a Discord, and it kind of blew up from there. So I think we're hitting maybe 200, maybe more than that, members on Discord. What sets us apart is we have meetings every Monday evening at 7:30 p.m. Central time where we share two things: what did you accomplish this past week, and what are your specific learning goals this week? And then what we encourage people to do is to share those in the weekly goals thread, which is right here, so that you can look through your weekly goals and make sure you accomplish them. There's something about written goals, having them down. But it's just a cool place to hang out. I'm on here all the time; I am one of the admins on here. But hey, if you want to join this, go ahead and just comment on Twitch; I'll post an invite link there if anyone's interested. Otherwise, if you're watching this after the fact on YouTube, if you look at the description of the video you should be able to find an invite link there as well. All right, all that being said, advertising is over. Let me jump back to Twitch so I can monitor the chat, and let's try the SSH again and see if we were able to get into the IT Support group properly. So if we cat creds.txt... okay, I don't even remember the... whoops, whoops, whoops, I'm breaking stuff, y'all. Let's go ahead and SSH again into this beast. There we go. I just didn't remember the name of the domain stuff. So, okay, that worked, that worked really good. Grab our AD username, lewis.thornton,
password is islr 3423. All right, now we can go ahead and try to reset that person's password. Oops. And if we real quick just check to make sure we are still in there, nothing broke in the meantime... like that, you can see we're in the IT Support group. I should check the network time to make sure the network's not going to reset on me or anything. Oh, eight minutes left. Okay, let's extend it. Network almost died; good thing we checked that. And then we're going to start my 25-minute timer, get that going. Okay, let's go and try this again. We'll just type it out; I think it's good to type so we learn. So let's clear this just to make it a little more clean. So we're going to set up a parameter, or variable, and ConvertTo-SecureString. We're going to set our password; we'll call it Password123!, because that's secure. -AsPlainText, same password I use for my bank account actually, and -Force. Okay, Set-ADAccountPassword -Identity, and our AD account was going to be what, Leon Francis or something like that? Yeah, let's just copy it there so we don't mess up his name. Copy that, paste it there, -Reset, his -NewPassword, and we're going to grab that variable, so let's pass Password123!. Hey, it worked that time. Always read ahead if you're stuck; there's a note right there. If I would have just read a few more paragraphs down... If this step worked, you should now be able to authenticate to THMWORK1 using this target account. Let's go ahead and give that a shot. So I'd assume I can just log in here with that account with SSH access. Look at that, we did it. If this step worked you should now be able to, blah blah; you currently have admin access to the workstation. Congratulations, you have officially escalated your privileges to Tier 2 administrator by exploiting permission delegations. Good job, guys. Which ACE would allow you to update any non-protected parameter? I remember seeing that... I don't remember it. It would be AllExtendedRights, right, to do anything we want? Nope: update any non-pro-
-tected parameter. Oh, that's what we did: any non-protected parameter, that was what was there, so it was GenericWrite, and that's actually what our Domain Users had access to on IT Support, which is why we could add ourselves to that group. What is the value of the flag stored on the desktop of the Administrator user on THMWORK1? Well, let's find out, shall we? Oh, do I need to log into a different one? The value stored on the desktop of the Administrator user on THMWORK1... hold up, do I need a different account? Maybe I'm on THMWORK1, right? I am an administrator user. Well, we could try to steal a different account, I suppose. Oh no, let's go here; maybe that's what we need to do. Yeah, I don't know what I'm thinking in my head. There we go. Okay, I have some text to read through, so let's go ahead and make this big, make this remain focused for a second. All right. Next we will take a look at Kerberos delegation. When you talk about AD delegation, this is usually what is being discussed, not permission delegation. Kerberos delegation, the practical... and let's just pause here and we can do a little bit of this legwork ourselves. If you remember when we were looking at analysis, there was a list of all Kerberoastable accounts, so I have a feeling we might focus on this right here; maybe the ticket-granting ticket account, but probably the service account right here is my guess. Now, I haven't done this room yet, so we'll see if I'm close or I'm way off. The practical use of Kerberos delegation is to enable an application to access resources hosted on a different server. An example of this would be a web server that needs to access a SQL database (some say S-Q-L, I'm calling it sequel) hosted on the database server for the web application that it is hosting. Without delegation, we would probably use an AD service account and provide it with direct access to the database. When requests are made on the web application, the service account would be used to authenticate to the database and recover information. However, we can allow the
service account to be delegated to the SQL server service. Once the user logs into our web application, the service account will request access to the database on behalf of that user. This means that the user would only be able to access data in the database that they have the relevant permissions for, without having to provide any database privileges or permissions to the service account itself. Constrained versus unconstrained: there are two types of Kerberos delegation. In the original implementation of Kerberos delegation, unconstrained delegation was used, which is the least secure method. In essence, unconstrained delegation provides no limits to the delegation. In the background, if a user, with the Trusted for Delegation flag set, authenticates to a host with unconstrained delegation configured, a ticket-granting ticket for that user account is generated and stored in memory so it can be used later if needed. Suppose an attacker can compromise a host that has unconstrained delegation enabled. In that case, they could attempt to force a privileged account to authenticate to the host, which would allow them to intercept the generated ticket-granting ticket and impersonate the privileged service. If you want to see an example of the exploitation of unconstrained delegation, have a look here. Let's just look at this... I think that makes sense in my head. I'd encourage you to look that up; I'm actually going to leave that open, I'll probably look at it offline. To combat the security failings of unconstrained delegation, Microsoft introduced constrained delegation in 2003.
Constrained delegation restricts what services an account can be delegated to, limiting exposure if an account is compromised. The following are examples of services that can be configured for delegation: HTTP, of course, web; CIFS, Common Internet File System, for file sharing; LDAP, resetting the user's password; HOST, for activities on the host; and MSSQL, the SQL service. All right. Exploiting constrained delegation is usually more complex than exploiting unconstrained delegation, since the delegated account can't just be used for everything. However, it can still be used for some powerful exploitation. An example of this would be if we were able to compromise an AD account that had constrained delegation configured. By knowing the plaintext password, or even just the NTLM hash, of this account, we could generate a ticket-granting ticket for this account, then use the ticket-granting ticket to execute a ticket-granting service request for any non-sensitive user account in order to access the service as that user. Imagine impersonating an account with access to a sensitive database, for example. Resource-based constrained delegation: so there are actually three types of Kerberos delegation, but this one deserves to be mentioned on its own. Introduced by Microsoft in 2012, the same year the world ended, if you guys remember. Resource-based constrained delegation... see if you guys get my thing. I don't remember what year it was supposed to end. I remember in 2012, end of the world, there's a movie called... 2012, that's right, it's the Mayan prophecy where everybody thought the world was going to end in 2012.
Anyways, I told you I get distracted easily. All right. Introduced by Microsoft in 2012, resource-based constrained delegation once again provided additional restrictions on Kerberos delegation for security. Resource-based constrained delegation (RBCD) changes the delegation model entirely. Instead of specifying which object can delegate to which service, the service now specifies which objects can delegate to it. Okay, so this is deciding which object can delegate to the service? Okay, got it; I had to reread that twice. This allows the service owner to control who can access it. In our web application example, this means that instead of specifying that the web service account can delegate to the database server, we can now specify on the database service that the web service account is allowed to delegate access to it. Let's say that we have permission to configure RBCD for a service. This means we have the ability to set the msDS-AllowedToActOnBehalfOfOtherIdentity attribute for the AD object. We can populate this attribute with the details of an AD account that we have access to. To now gain access to the service, we can generate a ticket-granting ticket for the account we control, which will allow us to interact with the service. If you want a detailed example of this, take a look here. I'm going to open that for later, because I'm a little bit confused. Constrained delegation exploitation: we will exploit constrained delegation for this task. The first thing we need to do is enumerate available delegations. Let's use our new privileged user for the network... a couple of commands for the... okay. We can use the Get-NetUser command from PowerSploit for this enumeration by running the following command. So of course, if you were attacking a box you'd first have to get PowerView on there; it looks like Amoeba Man nicely put it in the tools for us. And you know, we might as well, now that we're in our attack portion again... let's go like this, let's give Kali Linux a little more room, let's scroll down and
if we do Get-NetUser -TrustedToAuth... okay, let's just glance at this real quick and see if we can understand what's going on before we even read through it. So I'm just looking over here: okay, msDS-AllowedToDelegateTo. So we have THMSERVER1, THM service HTTP, WSMan. So it looks like we have the power to do some delegation on this THMSERVER1 (tryhackme), which is maybe a web server. Let's look up here: THMSERVER1, right there. So we are on THMWORK1, so we might have the power to do some of this stuff to this THMSERVER1. Okay, kind of makes sense in my head a little bit. Okay. Based on the output of this command, we can see that the svcIIS account can delegate... okay, remember when I said that right there might be what we're exploiting? I was on track. ...can delegate to the HTTP and WSMan services on THMSERVER1. You would think that this means we can only access websites on behalf of impersonated users; however, PowerShell remoting uses the HTTP and WSMan services as well. PowerShell remoting is like SSH, essentially. The ideal option would be to impersonate a Tier 1 admin, since this would provide us with admin access over THMSERVER1. If you were to perform proper post-exploitation enumeration on THMWORK1, you would find that there is a service on the host running as the svcIIS user. Since we have administrative access now, we can use this to dump LSA secrets, part of the Windows registry hive where credentials are stored for features such as Windows services. Let's use mimikatz to dump this. Okay, well, let's use it. So if we go here, let's just do dir. Okay, well, it's going to be messed up a little bit because of the way I have my screen set up, but you can see mimikatz there, and we have... let's see, do we need to go to x64? Yeah, and we have mimikatz.exe right there. So I run it without any flags; now we're just running mimikatz.exe. Okay, whoops. Okay, and now we are going to do token... don't we have to use privilege::debug first? Maybe not. Let's just follow the steps here.
Whoops, I don't know how I managed to do that; that was impressive. Okay, token ID, SID, name: NT AUTHORITY\SYSTEM. Cool, cool, cool. So lsadump::secrets. Okay, I see. So let's run... let me just make this big again so I can see it a little bit better. So we did this: we were able to impersonate NT AUTHORITY\SYSTEM there, and then dump secrets here, and we have our domain and our SysKey for THMWORK1. We have the machine default password, vagrant; I remember that from my other video that Amoeba Man made. It's best to do this from a user directory, since you're going to drop files to disk using two tools. Oh, I got you, okay, I see, I see. Let's just go ahead, because he said that. If we exit out of that and go to C:\Users... even... am I? That's right, and we'll just go to our Desktop, and now let's go ahead and follow those commands again. It's just really to run mimikatz; I just don't remember the path. Whoops, did it on the wrong window, y'all. Okay, let's just rerun mimikatz, just redo this; I'm going to copy it this time. We got... I don't know what that was. Who's hanging out with me? Oh hey. Okay, let's jump back to this. Okay, mimikatz, let's do token::elevate. I don't know if we have to do that command again or not. There we go. lsadump::secrets. Okay, and we see this service account right here and we see this Password1@; I'm guessing that's going to come in handy here. So to run through the two commands: we have token::elevate, because to dump the secrets in the registry hive we need to impersonate the SYSTEM user; and then lsadump::secrets: mimikatz interacts with the registry hive to pull the cleartext passwords, and you can see we have one there. Now that we have access to the password associated with the svcIIS account, which... let's make this big again. svcIIS, this right here, Password1@, just want to make sure I've seen that properly. Whoops, did not want to do that. Windows just doesn't like me. Oh my gosh, I swear I've used a computer before, guys. Maybe, maybe, maybe
I've used a computer before, maybe I haven't; it's anybody's guess right here. Blah blah blah, let's go back up here. Now that we have access to that, we can perform a Kerberos delegation attack. We will use a combination of kekeo (don't know how to say that) and mimikatz. You can use another window for mimikatz, but make sure to exit out of mimikatz after the token::elevate command, otherwise the tickets will be loaded... okay. Password1@, you guys think I can remember that? Here's what we're going to do. You'd be surprised that I forget why I'm on stream. So we're going to type in "twitch" so I can look over at Twitch. Let's exit; it said to exit after doing that, otherwise the tickets will be loaded in the wrong context. Later we will use kekeo to generate our tickets and then use mimikatz to load those tickets into memory. So let's make some tickets. Let's start by generating tickets. Let's do it. I'm just going to copy that path, kekeo. Cool. We first need to generate a ticket-granting ticket that can be used to generate tickets for the HTTP and WSMan services. Okay, so let's give that a shot. tgt::ask /user: it's that service user that we saw, which, remember, we saw this way back here, that this was Kerberoastable, right? /domain: za.tryhackme, is it .local? Yeah, .loc. And the password is obviously not going to be "redacted"; that just means it was redacted. Okay, I think it worked: ticket in file. Okay, parameters explained: the user, the user who has constrained delegation permissions right there; the domain, of course; and our password. Now that we have the ticket-granting ticket for the account that can perform delegation, we can forge ticket-granting service requests for the account we want to impersonate. We need to perform this for both HTTP and WSMan to allow us to create a PS session on THMSERVER1. Oh my goodness. Let's look at this slowly and carefully: tgs::s4u, svcIIS, okay. So that's... we got the ticket-granting ticket, and then we have the delegation right there, the user, we have the
domain. Ticket-granting service, za.tryhackme.loc, .kirbi, user: it looks like we're using trevor.jones in this example, but I bet we should use somebody else, because if there's anyone else on the box they may have already done it. I mean, we can try this one first; so if it doesn't work, that's going to be the reason. I don't feel like typing that out, so just go like that. Looks like it worked. Parameters explained: that long thing is just the name of your ticket-granting ticket file. Oh, I got it; I suppose it would have told me right there. So that's just the name of our ticket-granting ticket file. So the flags that we're using: /tgt, the ticket-granting ticket file name there, obviously; /user; /service. Okay, we provide this ticket-granting ticket, yep; the user we want to impersonate, we want T1; the service that we want to impersonate using delegation. Did I get that part on there? Yeah, I did, okay, good. Run the command again, this time for the WSMan service. Now that we have two ticket-granting service tickets, we can use mimikatz to import them. Okay, so we did the same thing but for the WSMan service. So if we copy this, let me do that, and can I just change it to, like, that? Let's give that a shot. Shoot, I did it wrong, of course I did. Blah blah blah, what error? kuhl_m_kerberos... kuhl_m_file_data... means nothing to me. Let's look back at what we did wrong. Oh, do I have to go back and do this first? Yeah, I just got ahead of myself. So if we do the WSMan one, which I didn't even look at the password for that... oh, it should still be svcIIS. Okay, the TGT file stays the same, okay, thank you, thank you, thank you, Amoeba Man. So if we change our service... I see, the TGT file stays the same, should still be... so let's go ahead and just re-copy that up here. Here we go, we re-copy this, and he said the TGT file stays the same, so it does. So the only thing we're updating is that right there, I believe. Then, okay, cool, cool, cool. Run the command this time... now blah blah, we can use mimikatz to import them. So now we're going to jump over
to mimikatz. I'm assuming I'm good to exit this now. So now if we run C:\Tools... oops, mimikatz, trunk, x64, if my memory serves me right, mimikatz.exe. Yeah, look at that. Just go like this again; I really wish I could somehow stream two monitors and make my life a lot easier. Okay, so now... I always get lost where I'm at. Now that we have the ticket-granting ticket for the account that can perform delegation, we can forge TG... we already did that. mimikatz: here's where we need to do privilege::debug (priv-i-lege, I always spell that wrong for some reason). Okay. You can type dir to see your ticket files, nice, and copy these someplace else, like using another host. Okay, cool. Obviously I can't do it when I'm in mimikatz, but if I got out of mimikatz, maybe. Let's just do that, let's just see them. So there's our tickets; you guys can see those on there. Very cool. Okay, kerberos::ptt. I need to type all that out. My five-minute timer just went off; I think it's just screwed up because I have it minimized here. We have to type this whole thing out, obviously, to grab the right ticket, but it's time for a five-minute break, y'all. Let's go ahead and take a five-minute break and I'll be back in five minutes. I'll be right back. Hey, hey, hopefully you had a good five-minute break; I know I did. We are back. This is our last 25-minute session; I try to be done by midnight, because I have a job the next day. And so what I think we'll do is we'll finish out this section, and I notice the next section is exploiting automated relays, and we might be at a good stopping point once we finish this up. So, to pick up where we left off, we just need to copy these commands. Whoops. You kind of see what we're doing: we're grabbing those tickets that we made, I don't know if I'm using the correct terminology there, but let's do that. Okay, so far so good. We're all doing this so we can do PowerShell remoting. Okay. You can exit mimikatz to run klist if you want to verify, which... let's do that. All right, so klist: we
have currently logged in, we have cached tickets: trevor.jones, which is a T1 admin; we have the server there that we're going to access, and trevor.jones as well. So yep, it would appear that it worked, and now we can go ahead and enter a PowerShell session. So we're going to do a New-PSSession and then we're going to Enter-PSSession. Okay, let's give that a shot. If you've never used this before, it's a cool thing; I use it at work all the time. It's almost like an SSH client built into PowerShell, would be the best way I can describe it. Okay, so far so good. So if we just enter into that PSSession... now we are T1, Tier 1 admin. Look at that. Which Kerberos delegation type allows for delegation of all services? Is it the unconstrained or whatever? I think, right, of all services would be unconstrained delegation; it's the least secure method. I'm pretty sure that might be what the question is asking us. Which Kerberos delegation type allows a service to specify... that's the resource... RBAC... resource-based something... resource-based constrained delegation. I was thinking of role-based access control for some reason. Which constrained delegation service allows access to the file system of the system via delegation? It's on the tip of my tongue, y'all; it's CIFS, right? Pretty sure. What is the value of the flag stored in the Desktop directory of the Administrator user on THMSERVER1? Whoops, this is just Administrator that we need to go to. Constrained delegation can be very bad, okay. Let's just kind of glance at this real quick. Permission... we could be in a position on a Windows host... okay, so it's just another way we're going to do it. I think this is probably a good stopping point. What I'm going to do though, so I don't... I wonder if I actually need this; I'm going to glance through here to see if I'm going to need those tickets that we created, because if I do I'm going to put them on my attack box so I don't have to repeat my work from before, but I don't think we need to. Oh, we're seeing your face? Shoot, man,
that's rough, y'all. Thank you, Amoeba Man. Let's see, what did I do? Let me just go back through my work, just in case you're following along and maybe you're stuck at some part. So all I did during that time, besides looking at my beautiful face: I just copied and pasted literally this ptt right there to grab these tickets, to create them; then I exited out of mimikatz and I did klist to verify that I did have T1 trevor.jones; and after that I just set up a PS session to get onto that server 1. We did New and then Enter into it, whoami, that I verified, and then I went and grabbed the flag. So sorry about that, guys. This is why I'm always trying to be done by midnight, because I start getting sloppy once we get close to midnight. And now what I'm doing is I'm just looking at this next step, and maybe, Amoeba Man, if you're on here, you can tell me: do I need to exit out of here, go back to where I have those tickets that I created, should I put those on my Kali Linux machine to save time later, or will I not have to reuse those? It doesn't look like I have to reuse them for this exploiting automated relays; it looks like it was just for that Kerberos delegation, which makes sense, since they would all have to do with Kerberos. I don't think I'd have to use them for any of this. You are sadly going after... oh, no matter what, I do have to recreate them. Shoot, okay, that's fine, good practice. But not for automated relays, okay; maybe for exploiting AD users. Do I have to remake them or can I save the ones I have? They will time out... oh, because it's tied to the specific network instance I have, okay, gotcha. Well, that's fine. So what I'll do... so for tomorrow night, guys, I'll be streaming again. I don't know if we'll finish this room tomorrow night or not, but tomorrow night will be kind of a unique stream. I might go live a little bit later, only because I'm going to reset some of this... well, I won't have to reset this, because tomorrow night we'll start with that, and then if
I get to the point where I have to remake them, we'll just do it together and we'll do the process twice. I think the more you do it, the more you learn. But what makes tomorrow night unique is I'll stream up until about right now, and then I actually have to jump into my day job, which is then my night job; I have to perform some upgrades that have to happen after hours, and I'll be starting that at midnight for my job. So I'll be jumping over to my work desk right here and I'll be doing that till like two or three in the morning. So I'll have a long night tomorrow night, but I do still plan on streaming. So tomorrow night around 10 p.m. Central time I'm going to jump back on Twitch and we will go for about two hours like we did now, and then I've got to jump to work. So tomorrow night will be unique for me; it should be the same here. So we made it through task three. We did good; we were stuck for a little bit on BloodHound, but we made it through task three. Tomorrow night we'll see how far we get, but like I said, the goal is not to go fast, right? The goal is to learn, and I learned good stuff today, so hopefully you learned something as well. Hopefully you found this beneficial; if not, oh well, I guess watch Netflix or something. But thank you for hanging out. I will catch you guys next time. Have an awesome night; otherwise, I know for some of you it's morning, I know Amoeba Man, this morning, someone else said good morning, so if it's morning for you, have an awesome morning. I will catch you guys tomorrow evening.
Info
Channel: Tyler Ramsbey
Views: 8,553
Keywords: active directory, active directory hacking, bloodhound, exploiting ad, exploiting ad tryhackme, tryhackme live, tyler ramsbey, hackthebox, twitch, live hacking, offensive security, tcm security, cybersecurity
Id: KfbxgD9XK30
Length: 107min 45sec (6465 seconds)
Published: Thu Jul 07 2022