⇒ Sync is an hard active directory machine that taught us :
- Identifying valid users using kerbrute and seclist wordlist
- Kerberoasting the users
- Performing SCF attack to steal sysadmin hash
- DCSync Attack.
Enumerating and Kerberoasting
⇒ There’s an interesting SMB share named Department , we can read all the files in this share but we can’t write to it.
⇒ So after enumerating for a while we didn’t find anything useful in smb share. So we decided to run kerbrute to find valid users and then kerberoast the users which has DONT_REQ_PREAUTH set :
- Finding valid users using kerbrute and wordlist from seclist
./kerbrute_linux_amd64 userenum -d sync.csl –dc 172.31.3.6 names.txt
- Kerberoasting the valid users using the tool GetNPUsers by impacket
python3 GetNPUsers.py -dc-ip 172.31.3.6 sync.csl/ -usersfile valid_users.txt
⇒ So now we have credentials for user manager but we couldn’t still evil-winrm to the machine. We are able to write files to the Department share as this user.
⇒ It is not new that SCF (Shell Command Files) files can be used to perform a limited set of operations such as showing the Windows desktop or opening a Windows explorer. However a SCF file can be used to access a specific UNC path which allows the penetration tester to build an attack.
- Creating the scf file with .url extension
- Running responder
responder -I tun0 -v
- We uploaded the file to every single folder in the Department share
⇒ After waiting for a while the file is triggered and we recieve the hash for the user which triggered it , in our case it is sysadmin
sysadmin : sEsshOUmArU25-159
⇒ We connected to the box using evil-winrm with sysadmin credentials:
Privilege Escalation to DA [ DCSync Attack ]
⇒ So after running bloodhound we see that manager user has GetChanges and GetChangesAll which will allow us to perform DCSync attack to get password hash of Administrator User
DCSync is a late-stage kill chain attack that allows an attacker to simulate the behavior of Domain Controller (DC) in order to retrieve password data via domain replication. Once an attacker has access to a privileged account with domain replication rights, the attacker can utilize replication protocols to mimic a domain controller.
⇒ We can perform dcsync attack using mimikatz or secretsdump which is an impacket tool :
Administrator : a72e3fae34d37ec6f82d7f2c3a72bc04
⇒ We can use the Administrator NTLM hash for authentication with evil-winrm