3# CRTP Series | CyberSecLabs : Spray Write-up
Updated: Nov 10, 2021
This is the 3rd and my favourite box, from the CRTP prep series aimed at
the Certified Red Team Professional certification from PentesterAcademy.
If you're new to Active Directory and it's terminology, this video covers everything you need to get started!
You can access my Gitbook repository for all the commands.
Let's get to it!
First we run an nmap scan to see which ports are open and the services running on them.
-Pn : Skip host discovery [Don't ping].
-p- : Scan all 65535 ports.
-oA : Save output to file.
Let's run an aggressive nmap scan to enumerate the services on all open ports.
-A : Enable OS detection, version detection, script scanning, and traceroute.
Looking at ports 389(LDAP) and 88(Kerberos), our target is likely a Domain Controller.
Domain Name : Spray.csl | Hostname: SPRAY-DC
Enumerating the SMB service(Port 445) as a guest did not reveal anything useful.
Let's attempt to identify valid users using kerbrute.
Taking a deeper look at how this works:
To enumerate usernames, Kerbrute sends TGT requests with no pre-authentication. If the KDC responds with a PRINCIPAL UNKNOWN error, the username does not exist. However, if the KDC prompts for pre-authentication, we know the username exists and we move on. This does not cause any login failures so it will not lock out any accounts. This generates a Windows event ID 4768 if Kerberos logging is enabled.
We've identified 3 usernames.
It's important to use multiple wordlists to enumerate as many users as you can. I merged all the name wordlists from Seclists and used Vi editor to remove duplicates and other unusual usernames.
Using GetNPUsers.py, we've ruled out the possibility of AS-REP Roasting.
Taking the hint from the name of the box, let's password-spray all the accounts with their username as passwords.
Interestingly, we've got our ticket into SPRAY-DC!
With a set of valid credentials, we can further enumerate Active Directory using RPC, LDAP and SMB. Taking the LDAP route, we've identified 2 more users.
Enumerate the SMB service as johana.
We notice there's a password protected Word document. If we can crack it using office2john.py and john, we may gain access to sensitive information, credentials possibly!
Let's spray the extracted password on all the identified users to check for a valid login.
We've got foothold as user 'hackzzdogs'! In order to run scripts, we may need to bypass AMSI. I've explained this in detail in the Toast Write-up.
As always, enumerate all you can with:
We see user 'hackzzdogs' has a juicy ACL on the 'DCPOLICY' GPO.
With some digging, we understand that user 'hackzzdogs' has interesting write permissions on the 'DCPolicy' GPO, which is applied onto the 'Domain Controllers' OU.
Let's digress a bit to understand what a GPO is. Reference:adsecurity
Group Policy are saved as Group Policy Objects (GPOs) which enables administrators to manage computers and users in Active Directory. Group Policies are applied on Active Directory objects such as sites, domains, or organizational units (OUs).
Group Policies can include security options, registry keys, software installation, and scripts for startup and shutdown and domain members refresh group policy settings every 90 minutes by default (5 minutes for Domain Controllers).
This means that Group Policy enforces configured settings on the targeted computer.
Interesting article on GPO Abuse.
User 'hackzzdogs' has rights to roll out tasks to SPRAY-DC since he has Write permissions on the 'DCPolicy' GPO.
We will use SharpGPOAbuse to schedule a task on SPRAY-DC which will be executed by the Administrator.
Force immediate update of GPO policies using 'gpupdate /force'
The Scheduled Task will attempt to change the Administrator's password.
In order to use SharpGPOAbuse, upload SharpGPOAbuse.exe & CommandLine.dll to the target.
Schedule the task and force update policies.
Remove the task for stealth.
Successful login as Administrator with the new password and access the SYSTEM flag!
Valid usernames were enumerated.
User 'johana' and the password-protected word document had weak passwords configured. (Weak Password Policy)
User 'hackzzdogs' was configured with dangerous privileges. As a best practise, always practice the principle of least privilege.