Access Walkthrough
Active Directory Machine on Proving Grounds (PG Practice)
Last updated
Active Directory Machine on Proving Grounds (PG Practice)
Last updated
This is a pretty cool Intermediate-level Active Directory box by Enox! This was my very first Windows box I did from TJNull's OSCP Prep List and I was really satisfied with the box quality!
I also wanted to learn Sliver as I was only comfortable with Cobalt Strike and wanted to try out some other C2 frameworks.
The box starts off with a standard file upload bypass on a website which, providing initial access as svc_apache.
Following which, you can kerberoast the svc_mssql
user for a TGS, crack the hash offline and authenticate as svc_mssql where you'll have more privileges.
Lastly, abuse the SeMangeVolumePrivilege on svc_mssql
to escalate your privileges to NT AUTHORITY\SYSTEM.
We can start off by running an nmap scan on the box.
The service scans are as follows:
This tells me that the box is likely the Domain Controller, so we can query the DC for potential domain users that we can password spray later on.
I like to identify the domain name and other general information about the domain by querying LDAP with ldapsearch
And, we find some useful information, the domainsaccess.offsec
and SERVER.access.offsec
should be added to /etc/hosts.
Since SMB is open, we can try listing shares with a null and guest session.
After running our initial enumeration, it seems pretty unlikely that the entry point is in any of the common active directory services. The entry points are likely via password spraying the domain controller or via the web application.
We'll start by directory fuzzing, and leaving this running in the background.
Browsing around the website for bit, the only functionality is the buy tickets feature, which gives us a couple fields to fuzz.
SSTI Fuzz: ${{<%[%'"}}%.
Unfortunately, we can't see the result of the name and email parameter to validate for our SSTI- but let's try and find where that download.jpeg
image I uploaded went to.
Looking at the results of the directory fuzz we did earlier, it's likely that uploaded files are sent to the uploads
directory, we can easily validate it by visiting the endpoint.
I tried uploading a PHP webshell called p0wny-shell
Unfortunately, PHP extensions are likely flagged by the website.
Let's inspect the upload content to try and figure out how exactly the server is filtering the uploaded file.
Changing the Content-Type
from application/php-x
to application/json
didn't help.
Changing the uploaded filename extension from .php
to .jpeg
did the trick
But this wouldn't render/execute the php shell as the file is interpreted as an image.
At this point, I started looking around for file upload bypasses and stumbled across this artlcle: https://thibaud-robin.fr/articles/bypass-filter-upload/ which went indepth on file upload bypasses with an arbitrary .htaccess
file upload.
This would overwrite the apache configuration on the uploads
directory to interpret all files ending with .bruh
as php
files.
Let's upload the PHP webshell again, but change the name to powny.bruh
A general thing I like to do before running any complex commands is just to ensure that the box has allowed outbound HTTP connections, to a port on my attacker machine.
This saves me a lot of headaches, and is an important part of my methodology.
We now have validation that the victim is able to callback to our webserver over Port 1337, incase we find any firewall headaches- we can always return back to this port.
Sliver is started as a system service listening on localhost:31337
This just hosts a webserver that delivers files from my current working directory, see: https://github.com/sc0tfree/updog
this is pretty much identical to
python3 -m http.server
C:\Windows\Tasks is almost always world-readable and writeable.
We can interact with our session with: sessions -i <id>
The first thing I like to enumerate is what privileges my user is allowed to do, if I'm lucky- I could make the whole Potato suite happy with an SeImpersonatePrivilege.
Next, let's try to see exactly where I am in the network and orient myself with my environment.
And, let's check if there are any internal networks that I can pivot to or internal services that I can start a port forward to.
SharpView is an OPSEC-Safe C# implementation of PowerView from the PowerSploit suite of tools that can be executed in memory via the .NET CLR, which means you don't have to drop any offensive tooling to disk or worry about AMSI.
the sliver agent patches amsi.dll by default
This confirms that we live in the access.offsec
forest. Let's enumerate domain users so we can identify where to laterally move to next
The output is a little long, and not filterable as the SharpView port doesn't allow for the same piping ability as Powershell, I've collated the information in the table below:
Administrator
CN=Administrator,CN=Users,DC=access,DC=offsec
Administrator
Guest
CN=Guest,CN=Users,DC=access,DC=offsec
Guest
krbtgt
CN=krbtgt,CN=Users,DC=access,DC=offsec
krbtgt
Apache
CN=Apache,CN=Users,DC=access,DC=offsec
svc_apache
MSSQL
CN=MSSQL,CN=Users,DC=access,DC=offsec
svc_mssql
It's quite likely that the svc_mssql user has an SPN, so we can try to kerberoast the user.
Sure enough, the svc_mssql
user is kerberoastable! We can try to crack his hash locally with:
That cracked pretty quickly, the account credentials are:
With the new credentials found, we can spawn a new beacon as the svc_mssql
user. Let's start by starting a sliver mTLS listener.
And, generate a new implant for the mTLS listener.
At this point, I thought it would be trivial to use sliver's runas
to spawn a cmd.exe process in the context of the svc_mssql
user and spawn a beacon that way.
But, uh yeah this didn't work- and I couldn't figure out why it didn't work either. Someone please help. I also was unable to sanity check by creating a file in C:\Windows\Tasks
. I have a feeling it's because I'm missing a flag D:
Next, I tried to convert svc_mssql
's password into an NTLM hash and pass it to Rubeus' asktgt to obtain his TGT that I can then pass into a cmd.exe session and spawn a beacon that way.
At this point, I realized that you need SYSTEM privileges on the machine to continue.
2/2/2024: This is likely due to me trying to import a ticket into another cmd.exe process, this would have worked if I had imported it into the context of my current session.
--
rubeus.exe ptt /ticket:doIFNDCCBTCgAwI...bA==
RunasCs.exe needs an interactive shell, so we'll need to pop a PS shell.
And it works, let's run our sliver agent.
We are svc_mssql
now
Doing the same enumeration checks as earlier, let's find out our privileges:
After seeing the new privileges, I suddenly felt like I had seen this before...
After sending FSCTL_SD_GLOBAL_CHANGE
to replace S-1-5-32-544
with S-1-5-32-545
, our user will be able to create files within protected directories (e.g C:\Windows\System32)- following which there are a bunch of ways to get malicious DLLs to load with SYSTEM privileges.
We are now able to write in C:\Windows\System32
And upload our payload to trusty C:\Windows\Tasks (which shouldn't matter, if we are SYSTEM)
Let's generate our malicious DLL with msfvenom.
We can upload this DLL to C:\Windows\System32\wbem\tzres.dll
and force it to execute with systeminfo
as that Windows built-in likely calls the DLL in execution.
Let's catch the shell with Sliver.
Overall, I think this box is slighly overrated. But, was really fun to do and pretty stable. This was probably one of the better Windows/Active-Directory boxes on PG Practice.
A video walkthrough was published by Offensive Security: https://www.youtube.com/watch?v=h1Br5umYxwc