Throwback — Part 7 — THROWBACK-DC01, CORP-DC01, CORP-ADT01

Fahri Korkmaz
5 min read, May 18, 2022

After we have access to the Domain Controller, it is time to extend our privileges.

DCSync

In a DCSync attack, the attacker retrieves data from a domain controller by behaving like another domain controller and asking it to replicate. This makes it possible to retrieve, for example, the password hashes of users.

To carry out the attack, the attacker first discovers a Domain Controller. The attacker then requests replication of user objects from it. Finally, the targeted domain controller sends back the user data, including password hashes.

To perform this attack, the attacker needs the Replicating Directory Changes and Replicating Directory Changes All rights. Normally only Domain Admins and Enterprise Admins have these rights, but there is also a BloodHound query that shows all accounts holding them.
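Because the attack depends on exactly these two rights, a defender can look for them from the other side: when an account exercises them, the domain controller logs a Security event 4662 whose Properties field carries the well-known control-access GUIDs for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. The check below is an added example, not code from the original post; the event records are constructed, the account and host names are made up, and the list of "known DC" machine accounts is an assumption you would fill from your own environment.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

Added example (not from the original post). The events below are constructed;
a real detection would read them from the Security log or a SIEM.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Well-known AD control-access right GUIDs that appear in the 4662 Properties field.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # Replicating Directory Changes
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # Replicating Directory Changes All
REPLICATION_GUIDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit in the 4662 AccessMask


@dataclass
class Alert:
    account: str
    rights: List[str]


def _norm_guid(value: str) -> str:
    # The log writes GUIDs as "{1131F6AA-...}"; normalise braces and case.
    return value.strip("{}").lower()


def find_dcsync(events: List[Dict], known_dcs: Set[str]) -> List[Alert]:
    """Return one Alert per 4662 event where a non-DC account used replication rights."""
    expected = {dc.upper() for dc in known_dcs}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS == 0:
            continue  # not a control-access operation, cannot be replication
        used = sorted(REPLICATION_GUIDS & {_norm_guid(p) for p in ev.get("Properties", [])})
        if not used or ev["SubjectUserName"].upper() in expected:
            continue  # ordinary access, or a real DC replicating (normal traffic)
        alerts.append(Alert(ev["SubjectUserName"], used))
    return alerts


# Constructed sample: legitimate DC-to-DC replication, a low-privileged 'backup'
# account pulling secrets, and an unrelated read that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "CORP-DC01$", "AccessMask": "0x100",
     "Properties": ["{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}", "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"]},
    {"EventID": 4662, "SubjectUserName": "backup", "AccessMask": "0x100",
     "Properties": ["{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}", "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"]},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x10",
     "Properties": ["{BF967ABA-0DE6-11D0-A285-00AA003049E2}"]},
]

if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE_EVENTS, {"THROWBACK-DC01$", "CORP-DC01$"}):
        print(f"possible DCSync by {alert.account}: {alert.rights}")
```

Event 4662 has to be enabled through the "Audit Directory Service Access" subcategory first, and it does not carry the source address, so correlate the hit with the account's logon event to find the originating host.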

In this case the Backup user has the rights needed to perform a DCSync attack, even though it is not an administrator. This is possible because the rights can be granted to any account individually. The credentials for the Backup account can be found in JeffersD's Documents folder:

Now we can perform the DCSync attack with "secretsdump.py" from Impacket. The following command retrieves the password hashes:

proxychains python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -dc-ip 10.200.70.117 THROWBACK/backup@10.200.70.117

Cracking the hashes

I put the hashes into a file called hash.txt and tried to crack them with hashcat, using the rockyou.txt wordlist together with the OneRuleToRuleThemAll ruleset:

hashcat.exe -m 1000 -a 0 hash.txt rockyou.txt -r rules\OneRuleToRuleThemAll.rule

The hash mode is 1000 because these are NTLM hashes. I was able to crack the password for MercerH. Looking at the account in BloodHound shows that it is a domain admin and has a flag in its description property:

Enumeration

In BloodHound I also looked at the domain trusts. We can see that THROWBACK.local and CORPORATE.local have a bidirectional trust:

Next I connected to the domain controller with Evil-WinRM as MercerH:

proxychains evil-winrm -u MercerH -H MERCERH_HASH -i 10.200.70.117

Then I could retrieve the root flag:

Next I ran a ping sweep to discover which other hosts we can reach. This revealed a new host, 10.200.70.118:

1..255 | % {"10.200.70.$($_): $(Test-Connection -count 1 -comp 10.200.70.$($_) -quiet)"}

After resolving the hostname of the machine, it looked like it belonged to the other domain, "CORPORATE.local":

[System.Net.DNS]::GetHostByAddress('10.200.70.118')

Crossing the trust

I connected to the Throwback DC via RDP using xfreerdp:

proxychains xfreerdp /v:10.200.70.117 /u:THROWBACK\\MercerH  /p:MERCERH_PASSWORD +clipboard

Once on that host, I connected via RDP to the Corporate DC as the MercerH user:

Then I could get the user and root flag on the Corporate DC:

During enumeration I was able to find an interesting file called “server_update” inside the Administrator’s Documents directory:

CORP-ADT01

In Part 6, we were able to retrieve DaviesJ's credentials from a Git repository. I used these credentials to SSH from CORP-DC01 to CORP-ADT01. This was successful and I was able to retrieve the user and root flags:

During enumeration of the host, I spotted an interesting file called "email_update.txt" inside DosierK's Documents folder:

Hey team! Hope you guys are having a good day!

As all of you probably already know we are transferring to our new email service as we
transition please use the new emails provided to you as well as the default credentials
that can be found within your emails.

Please do not use these emails outside of corporate as they contain sensitive information.

The new email format is based on what department you are in:

ESM-Example@TBHSecurity.com
FIN-Example@TBHSecurity.com
HRE-Example@TBHSecurity.com
ITS-Example@TBHSecurity.com
SEC-Example@TBHSecurity.com

In order to access your email you will need to go to mail.corporate.local as we get our
servers moved over.

If you do not already have mail.corporate.local set in your hosts file please reach out to
IT to get that fixed.

Please remain patient as we make this transition and please feel free to email me with any
questions you may have regarding the new transition: HRE-KDoiser@TBHSecurity.com

Karen Dosier,
Human Relations Consultant

Remediation

Credentials, such as those of the Backup user, should not be stored in plain text on disk. A password manager is the better option; there are also team password managers that several users can share.

MercerH should use a more complex password, since the current one falls to a wordlist attack.
