Premise

In this walkthrough, we used several techniques to gain privileged access to an Active Directory box. We enumerated users and found a service account whose permissions were misconfigured, which allowed us to add it to the Domain Admins group.

Machine Name: Roast

Operating System: Windows Server with Active Directory

Difficulty: Hard

Skills Learned

  • LDAP Enumeration
  • Kerberoasting
  • BloodHound
  • Service Accounts

Initial Reconnaissance and Port Scanning

I started with an Nmap scan, which is a common first step in any penetration test. This scan revealed several typical Active Directory ports, including DNS, Kerberos, LDAP, and RDP (port 3389). I also found that port 5985, used for WinRM (Windows Remote Management), was open. This was a good sign, as it suggested a potential way to gain remote access once I had some credentials.

LDAP Enumeration and Finding Credentials

Next, I focused on LDAP (Lightweight Directory Access Protocol) to find users and groups. I used an Nmap script to gather information from LDAP, and this is where I had my first breakthrough. I found the credentials for a user named David Smith (dsmith). The password was “welcome to roast dsmith@drost.csl”. I also identified other usernames like Kodi Roads (c.roads) and Steve Smith (s.smith), which I saved for later.

Digging Deeper with RPC Client

With dsmith’s credentials in hand, I used the rpcclient tool to query for more user information. This helped me find additional users, including administrator, guest, and roast_svc. I added these to my list of potential targets.

Trying WinRM and Kerberos Spraying

I then attempted to log in with dsmith’s credentials using evil-winrm, but I ran into an authorization error. So, I switched gears and tried a password spray attack with a tool called kerbrute. The idea was to see if any other users had the same password as dsmith. Although the tool gave me an error, I had previously determined that the user c.roads had the same password.

Gaining Initial Access

Armed with this knowledge, I successfully used evil-winrm to establish a PowerShell session as the c.roads user. This was my initial foothold on the system.

Escalating Privileges

Now that I was in, the next step was to escalate my privileges. I tried a few things, including running PowerShell scripts to check user and group properties and using a tool called accesschk.exe to check permissions, but I kept running into “access denied” errors.

My big break came when I used the net group command to add the roast_svc user to the “Domain Admins” group. This worked, which told me there was a misconfiguration in the roast_svc user’s permissions.
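The step above, adding a service account to Domain Admins from an ordinary user session, is exactly what a defender should be alerting on: the domain controller logs event 4728 (member added to a security-enabled global group) with the subject account, the member and the group. The following example is added here and is not from the original walkthrough; it runs a simple detection over constructed sample events (a simplified dict form of the 4728 fields, with an assumed allowlist of accounts permitted to change privileged groups and a placeholder domain in the DN).

```python
# Added example, not part of the original walkthrough: flag membership changes
# to privileged AD groups. Event 4728 (global group) and 4732 (local group) carry
# SubjectUserName (who made the change), TargetUserName (the group) and
# MemberName (the account added). The events below are constructed sample data.
from dataclasses import dataclass

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Assumed allowlist: accounts expected to manage privileged group membership.
AUTHORISED_ADMINS = {"administrator"}


@dataclass
class Alert:
    subject: str  # account that performed the change
    member: str   # account that was added
    group: str
    reason: str


def detect_privileged_group_changes(events):
    """Return one Alert per 4728/4732 event that touches a privileged group."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in (4728, 4732):
            continue
        group = ev.get("TargetUserName", "")
        if group not in PRIVILEGED_GROUPS:
            continue  # changes to non-privileged groups are not interesting here
        subject = ev.get("SubjectUserName", "").lower()
        member = ev.get("MemberName", "")
        if subject in AUTHORISED_ADMINS:
            reason = "authorised admin changed privileged group (review)"
        else:
            reason = "non-admin account changed privileged group membership"
        alerts.append(Alert(subject, member, group, reason))
    return alerts


# Constructed sample events mirroring the escalation step described above.
SAMPLE_EVENTS = [
    {"EventID": 4624, "SubjectUserName": "c.roads", "TargetUserName": "c.roads"},
    {"EventID": 4728, "SubjectUserName": "c.roads", "TargetUserName": "Domain Admins",
     "MemberName": "CN=roast_svc,CN=Users,DC=example,DC=local"},  # placeholder domain
    {"EventID": 4728, "SubjectUserName": "Administrator", "TargetUserName": "HelpDesk",
     "MemberName": "CN=s.smith,CN=Users,DC=example,DC=local"},
]

if __name__ == "__main__":
    for a in detect_privileged_group_changes(SAMPLE_EVENTS):
        print(f"[{a.reason}] {a.subject} added {a.member} to {a.group}")
```

In a real deployment the same logic runs over events forwarded from the domain controllers, and the allowlist is replaced by the set of accounts that are actually permitted to administer privileged groups.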

Dumping Hashes and Getting the Final Shell

With roast_svc now a domain admin, I tried to use mimikatz to dump password hashes, but that also failed. So, I turned to secretsdump.py, which successfully dumped the NTLM hash for the administrator account.

Finally, I used psexec.py with the administrator’s NTLM hash to get a shell as the administrator user. And with that, I had full administrative access to the machine!

Technical Commands Used

Here are some of the key commands I used in the terminal during this penetration test:

  • Nmap Scans:
    • nmap -p 5985 <IP_ADDRESS>
    • nmap -p 389 --script ldap-search <IP_ADDRESS>
  • RPC Client:
    • sudo rpcclient -U <USERNAME> <IP_ADDRESS>
    • enumusers
  • Evil-WinRM:
    • sudo evil-winrm -i <IP_ADDRESS> -u <USERNAME> -p <PASSWORD>
  • Kerberos Spray (Kerbrute):
    • kerbrute passwordspray -d <DOMAIN_NAME> --dc <IP_ADDRESS> <USER_LIST_FILE> <PASSWORD>
  • AS-REP Roasting (Impacket):
    • GetNPUsers.py <DOMAIN_NAME>/<USERNAME>:<PASSWORD> -dc-ip <IP_ADDRESS> -request
  • Net Group:
    • net group "Domain Admins" <USERNAME> /add /domain
    • net group "Domain Admins" /domain
  • Secretsdump.py:
    • sudo python3 secretsdump.py <DOMAIN_NAME>/<USERNAME>:<PASSWORD>@<IP_ADDRESS>
  • PsExec.py:
    • sudo psexec.py <DOMAIN_NAME>/<USERNAME>@<IP_ADDRESS> -hashes <NTLM_HASH>


About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
