ECPTXv2 Latest

The document outlines vulnerabilities identified during a penetration test on various systems, including WorkStation01, UATServer, Bank-DC, Trusted-DC, and Protect-DC, detailing specific exploits and their mitigations. Recommendations include implementing network segmentation and firewall configurations to prevent lateral movement and unauthorized access. The test successfully demonstrated multiple attack vectors, leading to privilege escalation and access to sensitive data, culminating in the discovery of a flag on the Bank-DC machine.


Machine        Initial Vulnerability
WorkStation01  LLMNR Poisoning
UATServer      Credential Usage
Bank-DC        Vulnerable GPO
Trusted-DC     Local Admin from a different trusted domain
Protect-DC     MSSQL Instance

1. Recommendations

It is strongly recommended to implement proper network segmentation to better isolate the hosts
and prevent lateral movement between systems. A firewall should be enabled on all systems with a
configuration that minimizes the unnecessary exposure of services. For each identified vulnerability,
mitigation recommendations are provided in the following chapters.

Methodologies

I used a widely adopted penetration-testing approach that is effective in testing how well the
eLearnSecurity lab and exam environments are secured. Below is a breakdown of how I identified and
exploited the different systems, including every individual vulnerability found.

Information Gathering

The information-gathering portion of a penetration test focuses on identifying the scope of the test.
During this penetration test, the objective was to exploit the exam network. One IP range was in
scope: 172.16.80.0/0

Penetration

The penetration testing portions of the assessment focus heavily on gaining access to a variety
of systems. During this penetration test, I was able to successfully gain access to 5 out of the 5
systems.

Workstation 01

Vulnerability Exploited: LLMNR Poisoning
Vulnerability Explanation: By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary-controlled system. This activity may be used to collect or relay authentication materials.
Vulnerability Mitigation: Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment.
Reference: https://attack.mitre.org/techniques/T1557/001/

Steps to Reproduce

1. First, I performed host discovery with a ping sweep and found that host 172.16.80.100 was up.
2. I ran Nmap against the target and found that ports 139 and 445 were open.
3. Enumerating the SMB shares, I found that the share "Shared" was open to anonymous access.
4. Accessing the open share, I saw a file named "Bookmark.url". I downloaded it to my local machine and, checking its contents, found it to be an internet shortcut pointing at the SMB share of the Workstation-01 machine.
5. I edited the Bookmark.url file, changed its location to my local machine's IP, deleted the original file from the SMB share and uploaded the edited one.
6. I set up a Responder listener and found that it captured the NetNTLMv2 hash of the user blasdelezo.
7. Using john, I cracked the password with the rockyou.txt wordlist.
8. I used RDP to connect to the target machine.
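
The mitigation listed for this finding (disable LLMNR and NetBIOS) applied to a single host and then verified, as an added example that is not part of the original report. It writes the same registry values the corresponding Group Policy settings set; for the whole domain the same settings would be deployed by GPO. The key paths and value names are the standard Windows ones; run it in an elevated PowerShell.

```powershell
# Added example, not from the report: disable LLMNR and NetBIOS over TCP/IP on one host and verify it.
# Run elevated. For a domain, deploy the equivalent GPO settings instead of editing hosts one by one.

$LlmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$NbtRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Disable-MulticastNameResolution {
    # LLMNR: the "Turn off multicast name resolution" policy is EnableMulticast = 0
    if (-not (Test-Path $LlmnrKey)) { New-Item -Path $LlmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $LlmnrKey -Name 'EnableMulticast' -Value 0 -Type DWord

    # NetBIOS over TCP/IP is set per interface: NetbiosOptions 2 = disabled (0 = use DHCP setting, 1 = enabled)
    Get-ChildItem -Path $NbtRoot | Where-Object { $_.PSChildName -like 'Tcpip_*' } | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord
    }
}

function Test-NameResolutionHardening {
    # Returns the current state as an object, so the check can also run alone from a compliance script
    $llmnr = (Get-ItemProperty -Path $LlmnrKey -Name 'EnableMulticast' -ErrorAction SilentlyContinue).EnableMulticast
    $nbtOn = Get-ChildItem -Path $NbtRoot | Where-Object { $_.PSChildName -like 'Tcpip_*' } | Where-Object {
        (Get-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -ErrorAction SilentlyContinue).NetbiosOptions -ne 2
    } | Select-Object -ExpandProperty PSChildName
    [pscustomobject]@{
        LlmnrDisabled       = ($llmnr -eq 0)
        InterfacesWithNbtOn = @($nbtOn)
        Hardened            = ($llmnr -eq 0) -and (@($nbtOn).Count -eq 0)
    }
}

Disable-MulticastNameResolution
Test-NameResolutionHardening | Format-List
```

The verification function deliberately treats a missing NetbiosOptions value as "not hardened", because the default on a fresh interface is 0 (follow DHCP), which still allows NetBIOS name resolution and therefore the poisoning described above.
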


Workstation 01

Vulnerability Exploited: AS-REP Roastable User
Vulnerability Explanation: AS-REP Roasting is an attack against Kerberos for user accounts that do not require pre-authentication.
Vulnerability Mitigation: Strong protection from this type of attack is to use long, complex passwords that will not be found in breached password dictionaries.
Reference: https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/

Steps to Reproduce

1. Using the Rubeus tool, I found that the user michaelwalsh is AS-REP roastable, so I used Rubeus to obtain the user's AS-REP hash.
2. After obtaining the hash, I again used john to crack it.
3. I connected as the user michaelwalsh through RDP.
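
A defender's counterpart to step 1, added here as an example and not taken from the report: list every account whose Kerberos pre-authentication is disabled (the condition that made michaelwalsh roastable) and re-enable it. It assumes the ActiveDirectory RSAT module and write access to the accounts; the function names are my own.

```powershell
# Added example, not from the report: find AS-REP roastable accounts and re-enable pre-authentication.
# Requires the ActiveDirectory module. The -WhatIf run shows the changes without applying them.
Import-Module ActiveDirectory

function Get-AsRepRoastableUser {
    # DoesNotRequirePreAuth is the DONT_REQ_PREAUTH (0x400000) bit of userAccountControl
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' `
               -Properties DoesNotRequirePreAuth, LastLogonDate, Enabled, ServicePrincipalName |
        Select-Object SamAccountName, Enabled, LastLogonDate,
            @{ n = 'HasSpn'; e = { [bool]$_.ServicePrincipalName } },   # roastable AND kerberoastable is worse
            DistinguishedName
}

function Enable-KerberosPreAuth {
    param([Parameter(Mandatory)][string[]]$SamAccountName, [switch]$WhatIf)
    foreach ($sam in $SamAccountName) {
        # Clears the flag only; the account's password and existing tickets are untouched
        Set-ADAccountControl -Identity $sam -DoesNotRequirePreAuth $false -WhatIf:$WhatIf
    }
}

$roastable = @(Get-AsRepRoastableUser)
$roastable | Format-Table -AutoSize
if ($roastable.Count -gt 0) {
    Enable-KerberosPreAuth -SamAccountName $roastable.SamAccountName -WhatIf   # drop -WhatIf to apply
}
```

The password advice in the mitigation still applies to any account that genuinely needs the flag, since a long random password is what keeps a captured AS-REP uncrackable; for the rest, removing the flag removes the attack entirely.
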

Workstation 01

Vulnerability Exploited: ForceChangePassword
Vulnerability Explanation: The ability to change the password of a user account without knowing their existing password.
Vulnerability Mitigation: Remove the permission from the group or, if necessary, implement a proper permission system for the users.
Reference: https://www.active-directory-security.com/2014/06/Active-Directory-Account-Password-Security-101-For-Regulatory-Compliance-Auditors-The-Difference-Between-Change-Password-and-Reset-Password.html

Steps to Reproduce

1. Running SharpHound, I found that the user michaelwalsh is a member of the group HELPDESK L1, which has ForceChangePassword on the user lawrencecohen.
2. I changed the password of the user lawrencecohen.

Workstation 01

Vulnerability Exploited: GenericWrite
Vulnerability Explanation: Provides write access to all properties: the right to read permissions on this object, write all the properties on this object, and perform all validated writes to this object.
Vulnerability Mitigation: Remove RC4 encryption via group policy and perform regular audits.
Reference: https://adsecurity.org/?p=3658

Steps to Reproduce

1. Running SharpHound as the user lawrencecohen, I found that the user has GenericWrite permissions on two users, clarkdevereaux and richardwang, and is also a member of the group Helpdesk L2.
2. I used PowerView to clear the SPNs of both users and add our fake one.
3. I used the Rubeus tool to perform Kerberoasting.
4. I copied the hashes of both users and cracked them using john.
5. Looking further into the new users, I found that both were local admins on Workstation01.
6. I connected as the user richardwang through RDP.
7. The RDP connection was successful and I obtained a SYSTEM shell using PsExec.
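
The "regular audits" in the mitigation for this finding and for the ForceChangePassword finding above, written out as an added example (not code from the report): it walks the ACL of every user object and reports non-default principals holding GenericAll, GenericWrite, the User-Force-Change-Password extended right, or write access to servicePrincipalName (the write that lets an SPN be planted for targeted Kerberoasting), then lists accounts that carry SPNs while RC4 is still allowed. The control-access and attribute GUIDs are the schema's well-known values; the list of expected trustees is an assumption to adjust per domain.

```powershell
# Added example, not from the report: audit user-object ACLs for the rights abused in this report and
# list SPN-bearing accounts that still accept RC4. Requires the ActiveDirectory module (AD: drive).
Import-Module ActiveDirectory

$ForceChangePasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password right
$SpnAttributeGuid        = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # servicePrincipalName attribute
$AllPropertiesGuid       = [guid]'00000000-0000-0000-0000-000000000000'  # ObjectType meaning "everything"

function Test-Right {
    # True when every bit of $Flag is present; GenericWrite/GenericAll are bit combinations, so -band alone is not enough
    param([System.DirectoryServices.ActiveDirectoryRights]$Rights, [System.DirectoryServices.ActiveDirectoryRights]$Flag)
    return (($Rights -band $Flag) -eq $Flag)
}

function Get-RiskyUserAce {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $nb = (Get-ADDomain).NetBIOSName
    # Principals expected to hold broad rights on user objects (assumption; extend for your domain)
    $expected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators', 'BUILTIN\Account Operators',
                  "$nb\Domain Admins", "$nb\Enterprise Admins")
    $R = [System.DirectoryServices.ActiveDirectoryRights]

    foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path ('AD:\' + $user.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($expected -contains $ace.IdentityReference.Value) { continue }
            $reason = $null
            if (Test-Right $ace.ActiveDirectoryRights $R::GenericAll)       { $reason = 'GenericAll' }
            elseif (Test-Right $ace.ActiveDirectoryRights $R::GenericWrite) { $reason = 'GenericWrite' }
            elseif ((Test-Right $ace.ActiveDirectoryRights $R::ExtendedRight) -and
                    ($ace.ObjectType -in $ForceChangePasswordGuid, $AllPropertiesGuid)) { $reason = 'ForceChangePassword' }
            elseif ((Test-Right $ace.ActiveDirectoryRights $R::WriteProperty) -and
                    ($ace.ObjectType -in $SpnAttributeGuid, $AllPropertiesGuid)) { $reason = 'WriteSPN (targeted Kerberoast)' }
            if ($reason) {
                [pscustomobject]@{
                    Target    = $user.SamAccountName
                    Trustee   = $ace.IdentityReference.Value
                    Right     = $reason
                    Inherited = $ace.IsInherited   # inherited ACEs point at an OU-level grant to fix instead
                }
            }
        }
    }
}

function Get-UserWithSpn {
    # Kerberoastable accounts; RC4 stays allowed unless msDS-SupportedEncryptionTypes restricts them to AES
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, 'msDS-SupportedEncryptionTypes' |
        Select-Object SamAccountName,
            @{ n = 'SPNs';       e = { $_.ServicePrincipalName -join '; ' } },
            @{ n = 'Rc4Allowed'; e = { $t = $_.'msDS-SupportedEncryptionTypes'; (-not $t) -or (($t -band 0x4) -ne 0) } }
}

Get-RiskyUserAce | Sort-Object Trustee, Target | Format-Table -AutoSize
Get-UserWithSpn  | Format-Table -AutoSize
```

Reading the two tables together reproduces the path the report took: a help-desk group with WriteSPN or GenericWrite on an account, plus RC4 still enabled on that account, is exactly the combination that turns a directory permission into a crackable ticket.
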

10.100.11.130 / UAT Server

Vulnerability Exploited: Credential Reuse
Vulnerability Explanation: The attacker obtains valid credentials for one system and then tries to use the same credentials to compromise other accounts/systems.
Vulnerability Mitigation: Avoid using the same credentials in different places.
Reference: https://www.enzoic.com/8-ways-to-mitigate-credential-stuffing/

Steps to Reproduce

1. Looking further into the machines available on the domain, I found that there were 4 machines, but one of them, exchange.els.bank, was not reachable.
2. I enumerated the users available on the domain.
3. Trying the credentials obtained earlier, I found that the credentials of the user richardwang worked on the UAT server machine.


10.100.11.130 / UAT Server

Vulnerability Exploited: Privilege Escalation using Vulnerable Program
Vulnerability Explanation: A privilege escalation attack is a type of network intrusion that takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications.
Vulnerability Mitigation: Avoid using untrusted programs.
Reference: https://searchsecurity.techtarget.com/definition/privilege-escalation-attack

Steps to Reproduce

1. Exploring uatserver.els.bank further, I found a vulnerable program inside the Capcom directory. The directory contains two files: a readme.txt that says "I'm running as SYSTEM every 5 minutes!" and RunForrestRun.exe, which is executed by SYSTEM every 5 minutes.
2. Decompiling the .NET binary with dnSpy, I found that the main function reads all the bytes from a file called lookmama in the temp directory and then executes them.
3. I then modified the code slightly so that it adds the current user to the Administrators group.
4. I replaced the original lookmama file in the temp directory with the modified one.
5. I waited 5 minutes to check whether the command had executed successfully.
6. I confirmed that the current user is in the Administrators group.


10.100.10.253 / Bank-DC

Vulnerability Exploited: Vulnerable GPO
Vulnerability Explanation: The attacker can gain access with full privileges over the DC.
Vulnerability Mitigation: Avoid granting unnecessary permissions on the GPOs.
Reference: https://www.csoonline.com/article/3561616/local-attackers-can-use-group-policy-flaw-to-take-over-enterprise-windows-systems.html

Steps to Reproduce

1. While examining the UATServer machine in BloodHound, it turned out that there is a vulnerable GPO named "Additional DC Configuration" with permissions that can be used to access the DC.
2. So I used mimikatz to obtain the UATServer system's NTLM hash.
3. I used the UATServer hash in Rubeus to perform a pass-the-ticket attack.
4. Through SharpGPOAbuse, I added the user richardwang to the Administrators group on the Bank-DC machine.
5. I accessed Bank-DC via RDP and confirmed that the user is a local admin.
6. With DC admin privileges, I used mimikatz to conduct a DCSync attack on the domain and obtain all the NTLM hashes.

As the current user was made a local administrator directly on Bank-DC, no local privilege escalation was required here.

10.100.9.253 / Trusted-DC

Vulnerability Exploited: Local Admin from a different trusted domain
Vulnerability Explanation: The attacker was able to gain remote access to the target domain's DC by abusing the domain trust.
Vulnerability Mitigation: Remove local admin rights from low privileged users in the domain, disable the WinRM service if not required and if the service is necessary
Reference: https://serverfault.com/questions/936007/add-an-account-from-a-trusted-domain-to-domain-admins/936024

Steps to Reproduce

1. Using BloodHound to determine the domain trust relationships, I found that els.bank and trusted.corp trust each other bidirectionally.
2. By obtaining the shortest path to the trusted.corp domain, I recognized that clarkdevereaux is a local Administrator on the trusted.corp domain.
3. Then, finding that the default WinRM port was closed, I was not able to connect.
4. I performed a port scan and discovered that port 6666 was open on the target, but the RDP port was closed.
5. I confirmed that port 6666 is in use by the WinRM service.
6. While trying PS-Remoting to Trusted-DC, it errored out with an untrusted-host error.
7. I then added all hosts as trusted hosts and reconnected to Trusted-DC through PS-Remoting.
8. Since I had a local admin user on Trusted-DC, I used mimikatz to conduct a DCSync attack on the domain and obtain all the NTLM hashes.
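
The DCSync step closes this section as it closed the Bank-DC one, so here is the detection for it, added as an example that is not part of the report. A DCSync request shows up on the domain controller as Security event 4662 whose Properties field names one of the replication control-access rights; only domain controllers (and directory-sync services, where deployed) should ever request them. The block assumes "Audit Directory Service Access" is enabled with the default SACL on the domain object; the sample event is constructed to show the shape the parser expects, not a real log record.

```powershell
# Added example, not from the report: flag DCSync-style replication requests from Security event 4662.
# The three GUIDs are the schema's replication control-access rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function ConvertFrom-Event4662 {
    # Flattens one 4662 event's XML; returns $null when no replication right is involved
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = [string]$d.'#text' }
    $hits = @($ReplicationRights.Keys | Where-Object { $data['Properties'] -match $_ })
    if ($hits.Count -eq 0) { return $null }
    [pscustomobject]@{
        Time    = [datetime]$x.Event.System.TimeCreated.SystemTime
        Account = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Rights  = ($hits | ForEach-Object { $ReplicationRights[$_] }) -join ', '
        Object  = $data['ObjectName']
    }
}

function Get-DcSyncEvent {
    # Pulls recent 4662 events from a DC and keeps those where a non-DC account used replication rights
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string[]]$AllowedAccounts = @()   # e.g. a directory-sync service account, if the domain has one
    )
    $dcAccounts = @(Get-ADDomainController -Filter * | ForEach-Object { "$($_.Name)`$" })
    $allowed = $dcAccounts + $AllowedAccounts
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-Event4662 -EventXml $_.ToXml() } |
        Where-Object { $_ -and ($allowed -notcontains ($_.Account -split '\\')[-1]) }
}

# Constructed sample (not a real record): a user account, not a DC, requesting Get-Changes-All on the domain object
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4662</EventID><TimeCreated SystemTime="2024-01-01T10:00:00.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">richardwang</Data>
    <Data Name="SubjectDomainName">ELS</Data>
    <Data Name="ObjectName">DC=els,DC=bank</Data>
    <Data Name="Properties">%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
  </EventData>
</Event>
'@
ConvertFrom-Event4662 -EventXml $sampleXml | Format-List
# On a live domain controller:  Get-DcSyncEvent -Since (Get-Date).AddHours(-6) | Format-Table -AutoSize
```

The allow-list is keyed on the account name from the event rather than on source IP, because a DCSync from a compromised admin session originates wherever that session is; the DC computer accounts are the only principals with a legitimate reason to ask for Get-Changes-All.
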

10.100.10.252 / Protect-DC

Vulnerability Exploited: MSSQL Instance
Vulnerability Explanation: We observed that the UATServer machine was running an instance of MSSQL, from which we were able to abuse the instance running on the Protect-DC machine.
Vulnerability Mitigation: If the TRUSTWORTHY database setting is OFF, then Microsoft SQL Server does not trust the database and the contents within the database.
Reference: https://www.tektutorialshub.com/sql-server/what-is-a-sql-server-instance/

Steps to Reproduce

1. Enumerating further on UATServer, I found an SQL instance with the database UAT_DB1, which has a link to the UAT_DB2 database on Protect-DC in the other domain.
2. I set up a database connection using the HeidiSQL software that was already installed on the machine.
3. I enabled xp_cmdshell on the UAT_DB2 database on Protect-DC.
4. I used an executable that gives me a reverse shell while evading the AV.
5. With a Netcat listener running, I got a reverse shell on the Protect-DC machine as the user svcsql.
```
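
The three server-side conditions this chain depended on (a linked server whose login mapping reaches the other domain, xp_cmdshell enabled, and the TRUSTWORTHY setting the mitigation mentions) checked from PowerShell, as an added example that is not part of the report. It uses Invoke-Sqlcmd from the SqlServer module against the catalog views; the instance name is a placeholder, and the remediation statements are shown but not executed.

```powershell
# Added example, not from the report: audit a SQL Server instance for linked servers, xp_cmdshell and
# TRUSTWORTHY databases. Requires the SqlServer module and a login with VIEW SERVER STATE.
Import-Module SqlServer

function Get-SqlAttackSurface {
    param([Parameter(Mandatory)][string]$ServerInstance)

    $queries = [ordered]@{
        LinkedServers = @"
SELECT s.name, s.data_source, s.is_rpc_out_enabled,
       l.uses_self_credential, l.remote_name,
       SUSER_NAME(l.local_principal_id) AS local_login
FROM sys.servers s
LEFT JOIN sys.linked_logins l ON l.server_id = s.server_id
WHERE s.is_linked = 1;
"@
        DangerousOptions = @"
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');
"@
        TrustworthyDbs = @"
SELECT name, SUSER_SNAME(owner_sid) AS owner_login
FROM sys.databases
WHERE is_trustworthy_on = 1 AND name <> 'msdb';
"@
    }

    foreach ($check in $queries.Keys) {
        $rows = Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $queries[$check] -ErrorAction Stop
        foreach ($r in @($rows)) {
            $finding = switch ($check) {
                'LinkedServers' {
                    # NULL comes back as DBNull, so test for a real string before trusting the value
                    if ($r.remote_name -is [string]) { "link '$($r.name)' maps login '$($r.local_login)' to remote login '$($r.remote_name)' (rpc out: $($r.is_rpc_out_enabled))" }
                    elseif ($r.uses_self_credential -eq $true) { "link '$($r.name)' forwards the caller's own credentials" }
                }
                'DangerousOptions' { if ($r.value_in_use -eq 1) { "'$($r.name)' is enabled" } }
                'TrustworthyDbs'   { "database '$($r.name)' (owner $($r.owner_login)) has TRUSTWORTHY ON" }
            }
            if ($finding) { [pscustomobject]@{ Check = $check; Finding = $finding } }
        }
    }
}

# Remediation for the two findings the report exploited; review the output above before running these
$Remediation = @"
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
ALTER DATABASE [UAT_DB2] SET TRUSTWORTHY OFF;   -- database name taken from the report
"@

Get-SqlAttackSurface -ServerInstance 'UATSERVER\SQLEXPRESS' | Format-Table -AutoSize   # placeholder instance name
```

A linked server whose remote_name is a fixed sysadmin-level login is the dangerous shape: every local user allowed to use the link inherits that remote identity, which is how a database on one host became command execution on a DC in another domain.
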

10.100.10.252 / Protect-DC

Vulnerability Exploited: Privilege Escalation through Vulnerable Application
Vulnerability Explanation: There is a vulnerable application on the target system which runs as Administrator at regular intervals, and that application can be manipulated so that we can run an arbitrary command as Administrator.
Vulnerability Mitigation: Avoid using untrusted applications as a high-privileged user.
Reference: https://searchsecurity.techtarget.com/definition/privilege-escalation-attack

Steps to Reproduce

1. Looking at the system's directories, I found a folder in Program Files whose name is a misspelling of Microsoft, which made me suspicious.
2. Looking further into the folder, I found an executable called Service.exe and another file named Commands.
3. Decompiling the executable with dnSpy, I saw that it reads bytes from the file Commands and then executes them.
4. Changing the password in the previous code and recompiling the binary adds a new user XXX to the Administrators group on the DC.
5. We waited a little while and confirmed that the user had been created and made a member of the Administrators group on the DC.
6. I connected to the machine using my newly created user XXX.
7. The connection was successful and the user is a local admin of Protect-DC.
8. Since I had a local admin user on Protect-DC, I used mimikatz to conduct a DCSync attack on the domain and obtain all the NTLM hashes.
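
Both this finding and the UATServer one share a pattern: a job running as SYSTEM or an administrator that executes code from a location a low-privileged user can modify. The audit below, added as an example and not taken from the report, enumerates scheduled tasks and services with a privileged principal and reports any executable, containing folder, working directory or argument path that members of Users, Authenticated Users, Everyone or INTERACTIVE can write to or delete. It assumes the jobs are registered as scheduled tasks or services (the report does not say how the 5-minute job was scheduled); the function names are my own.

```powershell
# Added example, not from the report: privileged scheduled tasks and services that run from a
# low-privilege-writable location. Run elevated so every task and ACL is readable.

$LowPrivIdentities = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE')
# Rights that let a file be replaced or a folder's contents swapped: WriteData (= CreateFiles on a folder),
# Delete, and the two that let an attacker grant themselves the rest
$WriteBits = [System.Security.AccessControl.FileSystemRights]'WriteData, Delete, ChangePermissions, TakeOwnership'

function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteBits) -ne 0) { return $true }
    }
    return $false
}

function Get-PathsFromAction {
    # The executable, its folder, the working directory, and every argument that looks like a path
    param($Action)
    $exe = [Environment]::ExpandEnvironmentVariables(([string]$Action.Execute).Trim('"'))
    $fromArgs = [regex]::Matches([string]$Action.Arguments, '"([^"]+)"|\S*\\\S+') |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Value.Trim('"')) }
    @($exe, (Split-Path -Path $exe -Parent), $Action.WorkingDirectory) + @($fromArgs) |
        Where-Object { $_ } | Select-Object -Unique
}

function Get-PrivilegedAutorunRisk {
    # Scheduled tasks whose principal is SYSTEM or an Administrator account
    foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        $runAs = [string]$task.Principal.UserId
        if ($runAs -notmatch 'SYSTEM$|S-1-5-18|Administrator') { continue }
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # skips COM-handler and e-mail actions
            foreach ($p in Get-PathsFromAction $action) {
                if (Test-LowPrivWritable -Path $p) {
                    [pscustomobject]@{ Kind = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; RunAs = $runAs; WritablePath = $p }
                }
            }
        }
    }
    # Services running as LocalSystem or an administrator
    foreach ($svc in Get-CimInstance -ClassName Win32_Service | Where-Object { $_.StartMode -ne 'Disabled' -and $_.PathName }) {
        if ([string]$svc.StartName -notmatch 'LocalSystem|SYSTEM|Administrator') { continue }
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split '\s+')[0] }
        foreach ($p in @($exe, (Split-Path -Path $exe -Parent)) | Where-Object { $_ }) {
            if (Test-LowPrivWritable -Path $p) {
                [pscustomobject]@{ Kind = 'Service'; Name = $svc.Name; RunAs = $svc.StartName; WritablePath = $p }
            }
        }
    }
}

Get-PrivilegedAutorunRisk | Format-Table -AutoSize
```

The check cannot see that RunForrestRun.exe opens a file in the temp directory from inside its own code, since that is only visible by decompiling as the report did; what it does catch is the writable folder under Program Files and any task or service whose command line or working directory already names the user-writable file, which covers the common variants of this pattern.
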
4.0 Getting the Flag

The flag was found in the root directory of the Bank-DC (10.100.10.253) machine, in the file flag.txt.

Flag: Trust No One…
