Welcome to the CRTP prep series, aimed at the Certified Red Team Professional certification from PentesterAcademy.
You can access my Gitbook repository here for all the commands.
Let's get started!
Reconnaissance
Let's begin with a full port scan using threader3000. I find it as a faster alternative for the initial full port scan as compared to nmap.
Let's run an aggressive nmap scan to enumerate the services on all open ports.
-A : Enable OS detection, version detection, script scanning, and traceroute.
-Pn : Skip host discovery [Don't ping].
-oA : Save output to file.
Notes:
Looking at ports 389(LDAP) and 88(Kerberos), our target is likely a Domain Controller.
Domain Name : Brute.csl | Hostname: BRUTE-DC
Add "brute.csl 172.31.3.3" >> /etc/hosts, so that we can reference the target via domain name.
Enumeration
The SMB service(Port 445) does not have anonymous read access.
Let's attempt to identify valid users using kerbrute. I explain how this technique works in the Spray writeup.
Notes:
We've identified 4 users.
Let's see if any of the users have Kerberos-Pre-authentication disabled. If yes, we could grab the user's crackable AS-REP and brute-force it offline.
Using GetNPUsers.py, we're able to extact the AS-REP for offline-cracking. To know more about how this works check out the Toast write-up.
Using john with a wordlist such as rockyou.txt helps us crack the password.
Initial Foothold
Now that we have credentials for User 'tess', let's use WinRM to establish a connection to BRUTE-DC.
As always, enumerate all you can with:
Bloodhound (Sharphound.exe)
But right away, the DNSAdmins group membership strikes a note! Let's take a deeper look!
Abusing DNSAdmins privilege for escalation
It is possible for the members of the DNSAdmins group to load an arbitrary DLL with the privileges of dns.exe (SYSTEM).
By default, domain controllers are also DNS servers.
According to Microsoft protocol specification, the “ServerLevelPluginDll” operation enables us to load a dll of our choosing (with no verification of dll path).
A malicious DLL can be created using msfvenom, which when loaded, executes OS commands on the DC.
To load a DLL: dnscmd.exe /config /serverlevelplugindll \\path\to\dll
When executing this dnscmd.exe command as a user that is a member of DNSAdmins, the following registry key is populated: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll
Restarting the DNS service will load the DLL in this path [sc stop dns && sc start dns].
The DLL needs to be available on a network share that the Domain Controller’s computer account can access.
Creates an Event ID 770 on server [dll loaded from location.dll]
References:
Privilege Escalation
User 'tess' is part of the 'DNSAdmins' group. With these privileges, we can load a malicious DLL onto the DC and restart the DNS service to obtain OS command execution.
Generate the malicious DLL
Load the DLL to populate the registry key.
3. Restart the DNS service.
4. Delete the registry value for stealth.
5.Now that we have privileges of the Domain Admins group, we can remotely access all the secrets of BRUTE-DC using secretsdump.py(impacket)
We have access to the SYSTEM flag!
To Summarize:
Valid usernames were enumerated.
User Tess had Kerberos-Pre-authentication disabled and a weak password configured. This enabled us to grab the AS-REP and crack the hash offline.
User Tess was misconfigured with elevated privileges. Ensure only admin accounts are members of the DNSAdmins group. Regularly review the DNS server object permissions for any group/account that shouldn’t have privileged access.
Abuse of DNSAdmin privileges allowed us to load a malicious DLL, leading to access to Domain Admin credentials. Eventually resulting in complete system compromise!