CyberSecLabs - Sync

⇒ Sync is an hard active directory machine that taught us :

  • Identifying valid users using kerbrute and seclist wordlist
  • Kerberoasting the users
  • Performing SCF attack to steal sysadmin hash
  • DCSync Attack.

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Sync%20Machine%20037a6ee1c15a47c48662f8f6a4ece78b/Untitled.png

NMAP

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Sync%20Machine%20037a6ee1c15a47c48662f8f6a4ece78b/Untitled%201.png


Enumerating and Kerberoasting

⇒ There’s an interesting SMB share named Department , we can read all the files in this share but we can’t write to it.

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Sync%20Machine%20037a6ee1c15a47c48662f8f6a4ece78b/Untitled%202.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Sync%20Machine%20037a6ee1c15a47c48662f8f6a4ece78b/Untitled%203.png

⇒ So after enumerating for a while we didn’t find anything useful in smb share. So we decided to run kerbrute to find valid users and then kerberoast the users which has DONT_REQ_PREAUTH set :

  • Finding valid users using kerbrute and wordlist from seclist

./kerbrute_linux_amd64 userenum -d sync.csl –dc 172.31.3.6 names.txt

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Sync%20Machine%20037a6ee1c15a47c48662f8f6a4ece78b/Untitled%204.png

  • Kerberoasting the valid users using the tool GetNPUsers by impacket

python3 GetNPUsers.py -dc-ip 172.31.3.6 sync.csl/ -usersfile valid_users.txt

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Sync%20Machine%20037a6ee1c15a47c48662f8f6a4ece78b/Untitled%205.png

Brende11

⇒ So now we have credentials for user manager but we couldn’t still evil-winrm to the machine. We are able to write files to the Department share as this user.


SCF Attack

⇒ It is not new that SCF (Shell Command Files) files can be used to perform a limited set of operations such as showing the Windows desktop or opening a Windows explorer. However a SCF file can be used to access a specific UNC path which allows the penetration tester to build an attack.

  • Creating the scf file with .url extension

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Sync%20Machine%20037a6ee1c15a47c48662f8f6a4ece78b/Untitled%206.png

  • Running responder

responder -I tun0 -v

  • We uploaded the file to every single folder in the Department share

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Sync%20Machine%20037a6ee1c15a47c48662f8f6a4ece78b/Untitled%207.png

⇒ After waiting for a while the file is triggered and we recieve the hash for the user which triggered it , in our case it is sysadmin

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Sync%20Machine%20037a6ee1c15a47c48662f8f6a4ece78b/Untitled%208.png

sysadmin : sEsshOUmArU25-159

⇒ We connected to the box using evil-winrm with sysadmin credentials:

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Sync%20Machine%20037a6ee1c15a47c48662f8f6a4ece78b/Untitled%209.png


Privilege Escalation to DA [ DCSync Attack ]

⇒ So after running bloodhound we see that manager user has GetChanges and GetChangesAll which will allow us to perform DCSync attack to get password hash of Administrator User

DCSync is a late-stage kill chain attack that allows an attacker to simulate the behavior of Domain Controller (DC) in order to retrieve password data via domain replication. Once an attacker has access to a privileged account with domain replication rights, the attacker can utilize replication protocols to mimic a domain controller.

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Sync%20Machine%20037a6ee1c15a47c48662f8f6a4ece78b/Untitled%2010.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Sync%20Machine%20037a6ee1c15a47c48662f8f6a4ece78b/Untitled%2011.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Sync%20Machine%20037a6ee1c15a47c48662f8f6a4ece78b/Untitled%2012.png

⇒ We can perform dcsync attack using mimikatz or secretsdump which is an impacket tool :

./secretsdump.py sync.csl/manager:’Brende11’@172.31.3.6

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Sync%20Machine%20037a6ee1c15a47c48662f8f6a4ece78b/Untitled%2013.png

Administrator : a72e3fae34d37ec6f82d7f2c3a72bc04

⇒ We can use the Administrator NTLM hash for authentication with evil-winrm

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Sync%20Machine%20037a6ee1c15a47c48662f8f6a4ece78b/Untitled%2014.png