Taking On PwC's Active Directory Challenges Again

I’m back from another incredible round of PwC’s Capture the Flag (CTF) competition, held on November 11 as part of PwC Hong Kong’s 8th Annual Hack A Day. As someone who participated in this CTF last year too, it was exciting to see familiar faces, new challenges, and more cutting-edge cybersecurity tools. For me, this year was the redemption arc for last year's mistakes when solving the Active Directory challenges. For context, in jeopardy-style Capture the Flag competitions it is rare to see Boot2Root challenges, and rarer still to find Active Directory challenges.

Now, reflecting on last year's Active Directory challenges, what went wrong? First of all, unlike TryHackMe, HackTheBox or even Proving Grounds, the CTF did not provide a VPN connection to the network. Hence, the IP address that the organisers gave us was a public IP address. What does that mean for the attacker? In simple terms, the attacker must either port forward several ports through the router or use ngrok as a medium for catching a reverse shell, both of which take a lot of configuration. For that reason, this year I set up a Sliver C2 server in the cloud, since I will be taking the OSEP certification and wanted to learn Sliver for that anyway.

C2 Preparation


On AWS, I configured a t2.medium EC2 instance with Kali Linux installed. Once I got the instance up and running, I ran the following commands to get the C2 server set up.

I configured Sliver as a service by putting the following contents into /etc/systemd/system/sliver.service

Finally, enabling it with:

I started the server by entering the following commands:

Once the server is up, I entered sliver-server to start configuring the necessary tools and creating an operator.

After creating an operator, a configuration file was generated and I imported it into sliver-client by using:

Easy Initial Access - 1


Category : Red Team

Points : 50

Two easily accessible external-facing services are there for obtaining initial access! If you have flags from external servers, attempt to input them into either Easy Initial Access - 1 or Easy Initial Access - 2. Both entry points offer identical information to assist you in hacking into the corporate internal network!

Flag format for red team: Hack{[sha256string]}

So, I started by enumerating a web service, which I guessed existed. By the way, never assume this; I just assumed there was a web service, lol.

These were the results of the scan:

Of all these results, the uploads directory caught my attention. Inside that directory there was a file called upload.php. This is where users are able to upload ANY kind of file onto the server, with no restriction on file type.

So, I uploaded a simple PHP backdoor and it printed out that the file was within the /inventory_files directory.

Going there, sure enough, our file is there!

Doing a simple whoami shows that our backdoor works!

Getting a Reverse Shell


So, to get a reverse shell on Sliver, an implant must be generated:

Once the implant has been generated, let's start listening for incoming connections with:

The implant was uploaded with upload.php and executed using the backdoor that was uploaded previously. With that, we got initial access, and by searching around, we got the flag!

Internal Server - starting point


Category : Red Team

Points : 50

Good job and welcome! Easy flag

Now that we have a foothold, let's see what privileges we have. As shown below, we hold SeImpersonatePrivilege. My go-to tool for escalating privileges with this misconfiguration is PrintSpoofer. My second go-to tool is GodPotato, but that only works if the target has .NET installed.

By uploading PrintSpoofer and executing it along with our existing implant, we got a session with NT AUTHORITY\SYSTEM privileges. Note that to run commands from the implant you have to prefix the command with execute, and if you want to see the command's output you add the -o switch after execute.

Going into the user tester's Desktop, the second flag was found.

Internal Server – Jump!


Category : Red Team

Points : 100

Don't stay on one machine, try to jump out of the box!

Running ipconfig /all reveals the compromised machine's network information, which can be used to reach the internal network. As you can see, Web-SRV01 has the internal IP address 172.31.43.219 and points to a DNS server at 172.31.36.211. On a domain-joined machine, the DNS server is most likely the Domain Controller.

I uploaded mimikatz.exe to check for cached credentials, which revealed nothing.

With that, let's configure Ligolo for pivoting into the internal network. Start by adding a new interface on the attacker machine.

Enable the new interface:

Start the pivoting server:

On the compromised machine, upload the Ligolo agent and execute it to connect back to the attacker's machine.

Once that is done, a connection will appear in Ligolo. Interact with it using the command session, followed by start to begin tunneling through Web-SRV01.

Before anything else, let's start by enumerating the users on the domain, if possible. This can be done with net users /domain. To enumerate a specific user, use net user <USERNAME> /domain.

  • alexwong

  • thomaschan

  • stevenho

  • webservice

  • tester

Analysis


Notice that for the user tester, the credentials are stored in the description field. With that, we have our first set of credentials!
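An added example, not from the original write-up: a small Python audit that parses `net user <USERNAME> /domain` output and flags description fields that look like they carry a password, so this exact finding can be caught during an internal review rather than by an attacker. The two sample records, including the planted secret, are constructed here.

```python
import re

# Constructed sample of `net user tester /domain` output; the write-up showed a
# screenshot, so these values (including the planted secret) are made up here.
SAMPLE_TESTER = """\
User name                    tester
Full Name                    Test Account
Comment                      Temp QA account. Password: Summer2023!
User's comment
Country/region code          000 (System Default)
Account active               Yes
The command completed successfully.
"""

# Second constructed record with a harmless description, to show no false positive.
SAMPLE_CLEAN = """\
User name                    alexwong
Full Name                    Alex Wong
Comment                      Finance team
User's comment
Account active               Yes
The command completed successfully.
"""

# Words that usually announce a secret, plus a shape check for password-like tokens
# (8+ non-space characters mixing lower case, upper case and digits).
SECRET_HINTS = re.compile(r"\b(pass(word|wd)?|pwd|cred(ential)?s?|secret|pin)\b", re.I)
COMPLEX_TOKEN = re.compile(r"(?=\S*[a-z])(?=\S*[A-Z])(?=\S*\d)\S{8,}")

def parse_net_user(text):
    """Turn `net user` output into {label: value}; labels are separated from values by 2+ spaces."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?\S)\s{2,}(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
        elif line.strip() and not line.startswith("The command"):
            fields[line.strip()] = ""          # label with an empty value
    return fields

def find_credentials_in_descriptions(fields):
    """Return [(field, value)] for the free-text fields (AD description/comment) that look like secrets."""
    hits = []
    for label in ("Comment", "User's comment"):
        value = fields.get(label, "")
        if value and (SECRET_HINTS.search(value) or COMPLEX_TOKEN.search(value)):
            hits.append((label, value))
    return hits
```

Run the same check over `net user` output for every account in the domain (or, at scale, over an LDAP export of the description attribute) and treat every hit as a credential to rotate.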

Bloodhound


The next thing to do once you have credentials (which honestly feels like a cheat code) is to run bloodhound-python to enumerate the domain for other users, groups, policies and even machines. I use bloodhound-python instead of SharpHound because execution and collection of the BloodHound data can be done entirely from the attacker's machine. You can install it with the following command:

As mentioned before, the domain controller has the IP address 172.31.36.211, and the domain, as shown in the user enumeration, is corp.darklab.local. With that, bloodhound-python is run with the following parameters.

Looking at the results, there are 4 machines, including the Domain Controller:

  • DEV-SRV01.CORP.DARKLAB.LOCAL

  • PROD-SRV01.CORP.DARKLAB.LOCAL

  • WEB-SRV01.CORP.DARKLAB.LOCAL

By using nslookup on the compromised machine, we are able to get the IP addresses of these machines.

Now that we have the IP addresses of all the machines, add routes to them via the new network interface.

Now that we can tunnel through the network and have a set of credentials, let's start by trying Kerberoasting with impacket-GetUserSPNs. The script authenticates as our user to request a Ticket-Granting Ticket (TGT) from the Kerberos server, then uses that TGT together with the name of each service the user wants to access to request a Ticket-Granting Service (TGS) ticket. The TGS ticket is encrypted with the service account's password hash, which is why it can be taken offline and cracked. As you can see, the following service returned a Kerberos hash which can be cracked using hashcat.

Using hashcat to crack the hash, the results show that the credential is myspace1.
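As an added, defender-side illustration (not part of the original write-up), the following Python flags the trace that a GetUserSPNs run leaves in the Domain Controller's Security log: successful 4769 service-ticket events using RC4 encryption (0x17) for user-account SPNs, several different services from one requester. The events and the account and service names are constructed for this example.

```python
from collections import defaultdict

RC4_ETYPES = {"0x17", "0x18"}   # RC4-HMAC and RC4-HMAC-EXP ticket encryption types

# Constructed sample of 4769 (Kerberos service ticket requested) events, already parsed
# into dicts using the field names from the event XML. Names echo the lab; data is made up.
EVENTS = [
    {"EventID": 4769, "TargetUserName": "tester@CORP.DARKLAB.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:172.31.43.219"},
    {"EventID": 4769, "TargetUserName": "tester@CORP.DARKLAB.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:172.31.43.219"},
    {"EventID": 4769, "TargetUserName": "tester@CORP.DARKLAB.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:172.31.43.219"},
    {"EventID": 4769, "TargetUserName": "alexwong@CORP.DARKLAB.LOCAL", "ServiceName": "DEV-SRV01$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:172.31.40.15"},
    {"EventID": 4769, "TargetUserName": "alexwong@CORP.DARKLAB.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x1f", "IpAddress": "::ffff:172.31.40.15"},  # failed
]

def is_roastable_request(ev):
    """A successful RC4 service ticket for a user account's SPN (not a computer account,
    not krbtgt): the ticket type hashcat mode 13100 cracks offline."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == 4769
            and ev.get("Status") == "0x0"                       # 0x0 = ticket issued
            and ev.get("TicketEncryptionType") in RC4_ETYPES
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")

def kerberoast_suspects(events, min_services=2):
    """Group roastable requests by requester; report anyone hitting >= min_services distinct SPNs.
    Fix on the AD side: AES-only service accounts with long random passwords, or gMSAs."""
    per_user = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            per_user[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: sorted(svcs) for user, svcs in per_user.items() if len(svcs) >= min_services}
```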

Now that we have a second set of credentials, NetExec can be used to spray them across the domain to check whether the user can access any of the internal machines. Learn from Counter-Strike: always SPRAY AND PRAY. The credentials can be sprayed using the following command:

As shown below, the set of credentials was able to access DEV-SRV01.

Using evil-winrm, the second set of credentials was used to access DEV-SRV01 with the following command:

By doing whoami /all, we are a Local Admin within DEV-SRV01.

Again, mimikatz was uploaded and used to check for cached credentials but nothing was found.

Note: I lost the flag and the screenshot for it, but trust me, we got it.

Easy Initial Access - 2

Category : Red Team

Points : 50

Two easily accessible external-facing services are there for obtaining initial access! If you have flags from external servers, attempt to input them into either Easy Initial Access - 1 or Easy Initial Access - 2. Both entry points offer identical information to assist you in hacking into the corporate internal network!

Flag format for red team: Hack{[sha256string]}

Getting nowhere with DEV-SRV01, I went back to WEB-SRV01 to find the second initial access flag. Stumbling around, I found it within C:\xampp\htdocs.

That got us the flag which saved us for a short time.

Mistakes Made This Year


So, with that said, what went wrong this time? Credential reuse. Remember the user tester? We never tried that set of credentials anywhere else. The second thing that went wrong was that we were the Local Administrator of DEV-SRV01, meaning we could have dumped the domain cached credentials from the SAM and SYSTEM hives, which I did. However, cracking those credentials took ages and my laptop was getting hot. In conclusion, even though I did not complete all of the Active Directory challenges, I was proud that I was able to do the challenges properly this time with the knowledge I gained while preparing for my OSCP, and that I was able to learn how to use the Sliver C2 for the OSEP, which I am currently preparing for. I hope you learned something from this write-up. Now, let me check my costs for running an instance on AWS the whole day...
