Full Compromise of Parent Domain

Summary

Starting from our attack machine and the VPN server, we host a web server to deliver Mimikatz and other tools to the CORPDC domain controller, which we will use to compromise the parent domain. On CORPDC we first disable the antivirus.

Initially, we attempt to retrieve the Administrator hash from rootdc using lsadump::dcsync in Mimikatz with our Domain Admin credentials, but this attempt is unsuccessful.

Despite this, we manage to collect all the required information to craft a Golden Ticket that allows us to impersonate the Administrator. Using this impersonated Administrator account, we gain access to the directories on rootdc and successfully retrieve the flags, fully compromising the parent domain.

The next phase involves creating a user on ROOTDC using. This step will be covered in the following section.

Breaching ROOTDC (10.200.XXX.100)

Starting a Python web server on the attack machine to distribute tools across the network.

Downloading the tools to the VPN machine.

Running a Python webserver on the VPN machine to provide the CORPDC with the tools we need.

To begin, we open PowerShell with administrative privileges on CORPDC.

We then disable Windows Defender real-time monitoring with the command below, after which we download Mimikatz from the VPN server.

Set-MpPreference -DisableRealtimeMonitoring $true

Next, we execute Mimikatz and verify our privileges.

To target the Administrator of rootdc specifically, we first retrieve the Security Identifier (SID) of the Administrator account on rootdc. With that SID we repeat the credential-dumping attempt, this time against the correct Administrator account on rootdc.

To craft a Golden Ticket and impersonate the Administrator, we need to gather the following key pieces of information:

The FQDN of the domain:

corp.thereserve.loc

The SID of the child domain controller (CORPDC), which we will impersonate in our forged TGT:

S-1-5-21-170228521-1485475711-3199862024-1009

Get SID of CORPDC:

Get-ADComputer -Identity "CORPDC"

The username of the account we want to impersonate:

Administrator

The KRBTGT password hash:

0c757a3445acb94a654554f3ac529ede

Reference syntax from https://tryhackme.com/room/exploitingad:

kerberos::golden /user:Administrator /domain:za.tryhackme.loc /sid:S-1-5-21-3885271727-2693558621-2658995185-1001 /service:krbtgt /rc4:<Password hash of krbtgt user> /sids:<SID of Enterprise Admins group> /ptt

With that information we craft the Golden Ticket and inject it into the current session with /ptt, impersonating the Administrator.

kerberos::golden /user:krbtgt /domain:corp.thereserve.loc /sid:S-1-5-21-170228521-1485475711-3199862024-1009 /service:krbtgt /rc4:0c757a3445acb94a654554f3ac529ede /sids:S-1-5-21-1255581842-1300659601-3764024703-519 /ptt

With the forged ticket loaded, we can browse the directories of rootdc.
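From a defender's side, the ticket forged above leaves two tell-tale traces on the parent domain controller: a service ticket whose client name is krbtgt (because the command used /user:krbtgt), requested with RC4 (/rc4:), and a logon from a child-domain account whose token carries the forest root Enterprise Admins SID (the /sids: value ending in -519), which SID filtering on the trust is meant to strip. The detection logic below is an added example, not part of the original writeup or of TryHackMe's material; it runs over constructed in-memory records shaped like Windows Security events 4769 (Kerberos service ticket requested) and 4627 (group membership information, available with the "Audit Group Membership" subcategory), and the domain SIDs are the ones quoted on this page with the RID stripped. The rule names, sample values and the THERESERVE NetBIOS name are assumptions.

```python
"""Hunt for forged-TGT (Golden Ticket with foreign SID history) indicators.

Added example: constructed events, not real logs. Field names follow the
Windows Security event XML for 4769 and 4627.
"""
import re

# Forest root (ROOTDC) domain SID, taken from the page's /sids: value with the
# Enterprise Admins RID (519) removed. NetBIOS name is an assumption.
ROOT_DOMAIN_SID = "S-1-5-21-1255581842-1300659601-3764024703"
ROOT_DOMAIN = "THERESERVE"
ENTERPRISE_ADMINS_SID = f"{ROOT_DOMAIN_SID}-519"
RC4_HMAC = "0x17"   # TicketEncryptionType value for RC4-HMAC

# Constructed sample events (not captured from any system).
SAMPLE_EVENTS = [
    # legitimate AES (0x12) service ticket for an ordinary child-domain account
    {"EventID": 4769, "Computer": "CORPDC",
     "TargetUserName": "svc.backup@CORP.THERESERVE.LOC", "ServiceName": "CORPDC$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.200.1.50"},
    # RC4 ticket whose client name is krbtgt: matches the /user:krbtgt forgery
    {"EventID": 4769, "Computer": "ROOTDC",
     "TargetUserName": "krbtgt@CORP.THERESERVE.LOC", "ServiceName": "ROOTDC$",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.200.1.101"},
    # child-domain (CORP) logon on ROOTDC carrying the root Enterprise Admins SID
    {"EventID": 4627, "Computer": "ROOTDC", "TargetUserName": "krbtgt",
     "TargetDomainName": "CORP",
     "GroupMembership": "S-1-5-21-170228521-1485475711-3199862024-513 "
                        f"{ENTERPRISE_ADMINS_SID} S-1-1-0"},
    # root-domain Administrator with the same SID: legitimate, must not fire
    {"EventID": 4627, "Computer": "ROOTDC", "TargetUserName": "Administrator",
     "TargetDomainName": ROOT_DOMAIN,
     "GroupMembership": f"{ROOT_DOMAIN_SID}-513 {ENTERPRISE_ADMINS_SID}"},
]

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")


def foreign_enterprise_admin(event):
    """4627: an account from outside the forest root whose logon token lists the
    root Enterprise Admins SID. SID filtering on the trust should strip that SID
    from a child-domain ticket, so seeing it points at forged SID history."""
    if event.get("EventID") != 4627:
        return None
    if event.get("TargetDomainName", "").upper() == ROOT_DOMAIN:
        return None
    sids = [s for s in event.get("GroupMembership", "").split() if SID_RE.match(s)]
    return "foreign-enterprise-admin-sid" if ENTERPRISE_ADMINS_SID in sids else None


def krbtgt_client(event):
    """4768/4769: krbtgt is never a ticket client in normal operation."""
    if event.get("EventID") not in (4768, 4769):
        return None
    user = event.get("TargetUserName", "").split("@")[0].lower()
    return "krbtgt-as-ticket-client" if user == "krbtgt" else None


def rc4_ticket(event):
    """4769: RC4-HMAC service ticket. Noisy where RC4 is still allowed, but a
    Golden Ticket built from the krbtgt NT hash (/rc4:) is always RC4."""
    if event.get("EventID") != 4769:
        return None
    return "rc4-service-ticket" if event.get("TicketEncryptionType") == RC4_HMAC else None


RULES = [foreign_enterprise_admin, krbtgt_client, rc4_ticket]


def scan(events):
    """Return (rule, host, account) triples for every rule that matches."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((hit, ev["Computer"], ev.get("TargetUserName")))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The foreign-SID rule is the one worth keeping as a standing alert: the Enterprise Admins group exists only in the forest root, so a child-domain account that arrives on ROOTDC with that SID either came through a trust without SID filtering (check with Get-ADTrust's SIDFilteringQuarantined property) or carries a forged PAC. The RC4 rule should be scoped to accounts and hosts where AES is expected, otherwise it fires on every legacy client.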

Flags 15 - 16

NOTE: We are now able to obtain the following flags by following the instructions on the e-citizen platform:

  • Flag 15: Foothold on Parent Domain

  • Flag 16: Administrative access to Parent Domain
