Premise
In this walkthrough, we used various techniques to gain privileged access to an Active Directory box. We enumerated users and found a service account with misconfigured permissions that allowed us to add it to the administrators’ group.
Machine Name: Roast
Operating System: Windows Server with Active Directory
Difficulty: Hard
Skills Learned
- LDAP Enumeration
- Kerberoasting
- BloodHound
- Service Accounts
Initial Reconnaissance and Port Scanning
I started with an Nmap scan, which is a common first step in any penetration test. This scan revealed several typical Active Directory ports, including DNS, Kerberos, LDAP, and RDP (port 3389). I also found that port 5985, used for WinRM (Windows Remote Management), was open. This was a good sign, as it suggested a potential way to gain remote access once I had some credentials.
LDAP Enumeration and Finding Credentials
Next, I focused on LDAP (Lightweight Directory Access Protocol) to find users and groups. I used an Nmap script to gather information from LDAP, and this is where I had my first breakthrough. I found the credentials for a user named David Smith (dsmith). The password was “welcome to roast dsmith@drost.csl”. I also identified other usernames like Kodi Roads (c.roads) and Steve Smith (s.smith), which I saved for later.
Digging Deeper with RPC Client
With dsmith’s credentials in hand, I used the rpcclient tool to query for more user information. This helped me find additional users, including administrator, guest, and roast_svc. I added these to my list of potential targets.
Trying WinRM and Kerberos Spraying
I then attempted to log in with dsmith’s credentials using evil-winrm, but I ran into an authorization error. So, I switched gears and tried a password spray attack with a tool called kerbrute. The idea was to see if any other users had the same password as dsmith. Although the tool gave me an error, I had previously determined that the user c.roads had the same password.
Gaining Initial Access
Armed with this knowledge, I successfully used evil-winrm to establish a PowerShell session as the c.roads user. This was my initial foothold on the system.
Escalating Privileges
Now that I was in, the next step was to escalate my privileges. I tried a few things, including running PowerShell scripts to check user and group properties and using a tool called accesschk.exe to check permissions, but I kept running into “access denied” errors.
My big break came when I used the net group command to add the roast_svc user to the “Domain Admins” group. This worked, which told me there was a misconfiguration in the roast_svc user’s permissions.
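From the defender’s side, the step above leaves a clear trace: a service account adding a member to Domain Admins is logged by the domain controller as a group-membership event. The following is an added example (not code from the original walkthrough) that scans constructed Windows Security event records for such changes; the service-account naming heuristic and the privileged-group list are assumptions.

```python
# Added example, not part of the original walkthrough: detect the kind of
# privileged-group change made with "net group ... /add" by scanning Windows
# Security events. Event records here are constructed sample data.
import json
from typing import List, Optional, Tuple

# 4728 = member added to a security-enabled global group (Domain Admins is global),
# 4732 = domain-local group, 4756 = universal group. Keys mirror EventData names.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
# Assumed review policy: any change to these groups is alert-worthy.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators", "schema admins"}

def is_service_account(name: str) -> bool:
    """Heuristic: service accounts follow the common *_svc / svc_* naming (assumed)."""
    n = name.lower()
    return n.endswith("_svc") or n.startswith("svc_")

def classify(event: dict) -> Optional[str]:
    """Return a severity label for a group-membership event, or None if not alertable."""
    if event.get("EventID") not in GROUP_ADD_EVENTS:
        return None
    if event["TargetUserName"].lower() not in PRIVILEGED_GROUPS:
        return None
    # A service account adding members to Domain Admins is exactly the
    # misconfiguration abused in the walkthrough above: highest severity.
    if is_service_account(event["SubjectUserName"]):
        return "critical: service account changed privileged group membership"
    return "high: privileged group membership change"

def scan(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Parse newline-delimited JSON events; return (record id, actor, member, label)."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        label = classify(ev)
        if label:
            alerts.append((ev["EventRecordID"], ev["SubjectUserName"], ev["MemberName"], label))
    return alerts

# Constructed sample events (domain "example.local" is a placeholder).
SAMPLE_EVENTS = [
    '{"EventRecordID": 1001, "EventID": 4728, "SubjectUserName": "roast_svc", "TargetUserName": "Domain Admins", "MemberName": "CN=roast_svc,CN=Users,DC=example,DC=local"}',
    '{"EventRecordID": 1002, "EventID": 4728, "SubjectUserName": "it.admin", "TargetUserName": "Domain Admins", "MemberName": "CN=j.doe,CN=Users,DC=example,DC=local"}',
    '{"EventRecordID": 1003, "EventID": 4728, "SubjectUserName": "it.admin", "TargetUserName": "Marketing", "MemberName": "CN=j.doe,CN=Users,DC=example,DC=local"}',
    '{"EventRecordID": 1004, "EventID": 4624, "SubjectUserName": "c.roads", "TargetUserName": "c.roads", "MemberName": "-"}',
]
```

Running scan(SAMPLE_EVENTS) yields two alerts, a critical one for record 1001 and a high one for 1002; records 1003 and 1004 are ignored.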
Dumping Hashes and Getting the Final Shell
With roast_svc now a domain admin, I tried to use mimikatz to dump password hashes, but that also failed. So, I turned to secretsdump.py, which successfully dumped the NTLM hash for the administrator account.
Finally, I used psexec.py with the administrator’s NTLM hash to get a shell as the administrator user. And with that, I had full administrative access to the machine!
Technical Commands Used
Here are some of the key commands I used in the terminal during this penetration test:
- Nmap Scans:
nmap -p 5985 <IP_ADDRESS>
nmap -p 389 --script ldap-search <IP_ADDRESS>
- RPC Client:
sudo rpcclient -U <USERNAME> <IP_ADDRESS>
enumusers
- Evil-WinRM:
sudo evil-winrm -i <IP_ADDRESS> -u <USERNAME> -p <PASSWORD>
- Kerberos Spray (Kerbrute) and AS-REP Roasting (Impacket GetNPUsers.py):
kerbrute passwordspray -d <DOMAIN_NAME> --dc <IP_ADDRESS> <USER_LIST_FILE> <PASSWORD>
GetNPUsers.py -dc-ip <IP_ADDRESS> -u <USERNAME> -p <PASSWORD> -request
- Net Group:
net group "Domain Admins" <USERNAME> /add /domain
net group "Domain Admins" /domain
- Secretsdump.py:
sudo python3 secretsdump.py <DOMAIN_NAME>/<USERNAME>:<PASSWORD>@<IP_ADDRESS>
- PsExec.py (the -hashes value takes the LM:NT form; an empty or dummy LM half is fine when only the NT hash is known):
sudo psexec.py <DOMAIN_NAME>/<USERNAME>@<IP_ADDRESS> -hashes <LM_HASH>:<NTLM_HASH>