Hacking Active Directory
I recently broke into a service account in an Active Directory domain. The organisation was running old software that was both publicly accessible and vulnerable. (I’ll take this moment to remind everyone about the importance of patching your software!) I simply ran an appropriate exploit against the public-facing software’s UI and gained access to the service account. Unfortunately this service account didn’t have access to anything useful, and I had neither the service account password nor anything hard-coded in a config file to pivot from, so I took another approach.
Running Impacket’s smbserver.py with -smb2support gave me a fake SMB share to point the host at, and in the process I came away with a Kerberos hash in Hashcat’s $krb5asrep$23$ format, i.e. an AS-REP roasting hash (etype 23, RC4-HMAC) for an account that does not require Kerberos pre-authentication. (Caveat for anyone reproducing this: an SMB listener on its own normally yields Net-NTLMv2 challenge/responses, Hashcat mode 5600; the $krb5asrep$23$ format below is what AS-REP roasting tools such as Impacket’s GetNPUsers.py produce.)
$krb5asrep$23$bob@redacted:3e156ada591263b8aab0965f5aebd837$007497cb5…
I then fed the hash to Hashcat in mode 18200 (Kerberos 5 AS-REP, etype 23). Eventually my GPU cracked the password, and with it Evil-WinRM logged me in to the server as that service account.
Any time you are working with Active Directory you are going to run BloodHound. BloodHound maps the group memberships, ACLs and sessions that chain together into privilege-escalation paths through the domain. BloodHound is awesome.
I loaded SharpHound.ps1 into my Evil-WinRM session and ran the command:
“Invoke-BloodHound -CollectionMethod All”
Downloading the resulting zip file via Evil-WinRM is very easy, and I imported it into BloodHound. Below is the (redacted) path I took to escalate my privileges. I took advantage of the WriteDACL permission held by a default Exchange group on the domain object, which lets a member rewrite the domain’s ACL and grant any principal whatever rights they like, to take my first step towards a brave new world.
Now I used PowerView.ps1 to grant my account the two replication rights that make up DCSync (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain object) and then abused those newly added rights with Mimikatz. Running this command…
lsadump::dcsync /user:domain\administrator /domain:domain.local
…gives me the NTLM hash for Administrator:
SAM Username : Administrator
User Principal Name : Administrator@
Password last change : 12/18/2019 9:19:08 AM
Credentials: Hash NTLM: b4b9b02e6f09a9bd760f388b67351e2b
Unfortunately Hashcat either could not crack this hash or I wasn’t patient enough to wait it out. It doesn’t matter: I don’t actually need the plaintext, because NTLM authentication is computed from the NT hash itself, so I can pass the hash (Impacket’s -hashes takes LMHASH:NTHASH, with the LM half left empty). Back to Impacket:
python3 wmiexec.py -hashes :b4b9b02e6f09a9bd760f388b67351e2b administrator@domain
I now have an administrator shell on the domain controller - consider this Active Directory hacked!
Quick note about GitHub’s master branch vs dev branch: I was having a lot of issues using the master branch while researching this blog. I kept hitting constraint violations from the PowerView.ps1 script in master, but when I switched to dev it worked without issue. If you use GitHub frequently and have had similar issues, try changing your branch!