Before AD misconfigurations can be exploited for privilege escalation, lateral movement and goal execution, initial access is needed: a first set of valid AD credentials. Due to the number of AD services and features, the attack surface for gaining that first set of AD credentials is usually significant.
When looking for that first set of credentials, we don’t focus on the permissions associated with the account; even a low-privileged account is sufficient. We are just looking for a way to authenticate to AD, which allows us to enumerate AD itself further.
We should first find out which machine is the Domain Controller and then set our DNS server to the IP of that DC.
nmap -p389 -sV -Pn nnn.nnn.nnn.nnn/nn
nmap -p 389 -T4 -v --script ldap-rootdse -Pn nnn.nnn.nnn.nnn/nn
example:
nmap -p389 -sV 10.200.47.0/24 -Pn
In this case I am only allowed to check the host with IP 10.200.47.101.
Now we know that 10.200.47.101 runs an LDAP service.
In this TryHackMe room, before moving on we must verify that DNS works:
Two popular methods for gaining access to that first set of AD credentials are Open Source Intelligence (OSINT) and phishing. These two won’t be discussed here.
During OSINT the pentest team learned that on password reset administrators assign one generic password: Changeme123
In the TryHackMe room there is an HTTP login page set up on port 80, although I will try a password spray against SMB with crackmapexec:
Password spraying SMB:
A valid user was found:
hollie.powell
However, the script stopped after finding the first user with valid credentials. I would like to iterate over all users in the list. The --exhaust option does not work in my version of CME, so I decided to manually update the txt list.
Usernames with Changeme123 password:
hollie.powell
heather.smith
gordon.stevens
georgina.edwards
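The defender's view of the spray above, added here as an example that is not part of the original write-up: a small Python detector that flags the spraying signature (one source, many distinct accounts, few attempts per account, so nothing reaches the lockout threshold) in constructed, simplified logon-failure records. The log format and the IPs are assumptions for the example; real Event ID 4625 records carry far more fields.

```python
# Added example (not from the original write-up): spotting the SMB password spray
# above from the defender's side: one source, one password, many accounts, few tries each.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, simplified to "timestamp event_id user source_ip".
# 10.50.1.20 sprays six accounts in seconds; 10.50.1.30 is one user mistyping a password.
SAMPLE_EVENTS = """\
2023-05-01T09:00:01 4625 hollie.powell 10.50.1.20
2023-05-01T09:00:02 4625 heather.smith 10.50.1.20
2023-05-01T09:00:02 4625 gordon.stevens 10.50.1.20
2023-05-01T09:00:03 4625 georgina.edwards 10.50.1.20
2023-05-01T09:00:03 4625 mark.jones 10.50.1.20
2023-05-01T09:00:04 4625 sam.lee 10.50.1.20
2023-05-01T09:10:00 4625 mark.jones 10.50.1.30
2023-05-01T09:10:05 4625 mark.jones 10.50.1.30
2023-05-01T09:11:00 4624 mark.jones 10.50.1.30
"""

def parse_failures(text):
    """Keep only logon failures (4625) as (timestamp, user, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        ts, event_id, user, src = line.split()
        if event_id == "4625":
            events.append((datetime.fromisoformat(ts), user, src))
    return events

def detect_spray(events, window=timedelta(minutes=5), min_accounts=5, max_per_account=2):
    """Map source_ip -> sorted accounts for sources that failed against at least
    min_accounts distinct accounts inside one window, none more than max_per_account times."""
    by_src = defaultdict(list)
    for ts, user, src in sorted(events):
        by_src[src].append((ts, user))
    hits = {}
    for src, attempts in by_src.items():
        best, start = [], 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward past stale attempts
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            spray_like = len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account
            if spray_like and len(per_user) > len(best):
                best = sorted(per_user)
        if best:
            hits[src] = best
    return hits
```

Tune `window`, `min_accounts` and `max_per_account` to the domain's lockout policy; the single user retrying their own password from 10.50.1.30 is deliberately not flagged.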
Now I will check for LDAP bind credential disclosure. In this scenario we have access to a printer which has default credentials and uses LDAP authentication.
Other interesting articles:
https://medium.com/r3d-buck3t/pwning-printers-with-ldap-pass-back-attack-a0d8fa495210
https://ivanitlearning.wordpress.com/2019/03/24/root-me-ldap-null-bind/
The supportedCapabilities response tells us we have a problem. It looks like the credentials won’t be transmitted in cleartext; authentication is required in order to send credentials over the network.
I will create a rogue LDAP server and configure it insecurely to allow sending credentials in plaintext.
sudo apt-get update && sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd
sudo dpkg-reconfigure -p low slapd
Now I have to create the olcSaslSecProps.ldif file
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
sudo tcpdump -SX -i tun0 tcp port 389
Authentication relay listening:
MDT and SCCM abuse – PXE Boot
Large organisations use PXE boot to allow new devices that are connected to the network to load and install the OS directly over a network connection. MDT can be used to create, manage, and host PXE boot images. PXE boot is usually integrated with DHCP, which means that if DHCP assigns an IP lease, the host is allowed to request the PXE boot image and start the network OS installation process. The communication flow is shown in the diagram below:
TFTP doesn’t provide a directory listing, so the tftp-enum script from nmap will try to brute-force default paths.
The article that describes this attack:
https://www.riskinsight-wavestone.com/en/2020/01/taking-over-windows-workstations-pxe-laps
An example scenario for abusing such features is that we were able to connect to an internal network that is not segmented and where anyone can use network boot.
We will bypass the initial steps of this attack, where we attempt to request an IP and the PXE boot preconfigure details from DHCP. We will perform the rest of the attack from this step in the process manually.
The first piece of information regarding the PXE Boot preconfigure you would have received via DHCP is the IP of the MDT server. In our case, you can recover that information from the TryHackMe network diagram.
The second piece of information you would have received was the names of the BCD files. These files store the information relevant to PXE boots for the different types of architecture. The BCD files are exposed at http://pxeboot.za.tryhackme.com.
Configuration Files – getting AD credentials from database file