4# CRTP Series | CyberSecLabs : Dictionary Write-up

Welcome to the 4th write-up from the CRTP Series. This series is aimed at prepping for the Certified Red Team Professional certification from PentesterAcademy.

You can access my Gitbook repository for all the commands.

Let's get started!

Reconnaissance

I recently stumbled upon my new go-to scanner, threader3000 which serves as a faster alternative for the initial full port scan. The whole scan took less than 2 min, and output is automatically channeled to an nmap detailed scan.

Let's run a more comprehensive nmap scan to enumerate the services on all open ports.

• -sV : Version detection.

• -sC: Script scanning.

• -T4: Timing template(Aggressive)

• -Pn: No host discovery(Don't ping)

• -oA: Save to file

Notes:

• Looking at ports 389(LDAP) and 88(Kerberos), our target is likely a Domain Controller.

• Domain Name : Dictionary.csl | Hostname: DICTIONARY-DC

• Add "dictionary.csl 172.31.3.4" >> /etc/hosts, so that we can reference the target via domain name from now on.

Enumeration

• The SMB service(Port 445) does not have anonymous read access.

• Let's attempt to identify valid users using kerbrute.

Notes:

• We've identified 1 user.

• Using GetNPUsers.py, we're able to extact the AS-REP for offline-cracking. To know more about how this works check out the Toast write-up.

• Using john with a wordlist such as rockyou.txt helps us crack the password.

With a set of valid credentials, we further enumerate Active Directory using RPC, LDAP and SMB. We have more users!

Initial Foothold

Notes:

• We've identified 4 usernames now.

• Spraying weak passwords with crackmapexec didn't get me anywhere.

• Taking the hint from the cracked password & name of the box, we may have to improvise on the wordlist.

• Let's use exrex to create more words from the same 'Month:Year' pattern as the cracked password. It uses Regex

• Use crackmapexec to password spray on all the users.

We're in as user 'BACKUP-Izabel'! In order to run scripts, we may need to bypass AMSI. I've explained this in detail in the Toast Write-up.

As always, enumerate all you can with:

• winPEAS.exe

• PowerUp.ps1

• Powerview.ps1

• dsacls

• Bloodhound (Sharphound.exe)

Privilege Escalation

From the output generated by winPEAS.exe, we see something interesting.

Notes:

• Mozilla passwords (Firefox, Thunderbird) are protected by using contents of files key4.db and logins.json.

• The passwords stored in logins.json are encrypted, but the encryption key is stored in key4.db [Encryption used: triple-DES].

• Without a master password you merely need to place the two files in a directory and decrypt them by using firepwd.

• Copy key4.db and logins.json from the target onto the attacker's box.

• Decrypt using firepwd. Credentials format : ['username' 'password']

We know these usernames do not exist from our RPC enumeration. Let's add these passwords into a wordlist and spray against all users using crackmapexec.

We have a successful login as Administrator and gain access to the SYSTEM flag!

To Summarize:

• Valid usernames were enumerated.

• User 'izabel' had Kerberos-Pre-authentication disabled and a weak password configured. This enabled us to grab the AS-REP and crack the hash offline.

• User 'BACKUP-Izabel' had a weak password configured which allowed us to guess the password pattern and gain access to.

• Firefox saved logins were accessible due to system compromise. One could use a master password to locally encrypt the files on their computer as a last line of defense.