Throwback — Part 7 — THROWBACK-DC01, CORP-DC01, CORP-ADT01

After we have access to the Domain Controller, it is time to extend our privileges.

DCSync

With a DCSync attack attacker can retrieve data on a domain controller by behaving like a domain controller. With a DCSync attack it is possible to retrieve for example the password hashes of users.

To successfully do this attack, the attacker will first discover a Domain Controller. After that the attacker will request for user replication. Finally the targetted domain controller will send back user data, including password hashes.

In order to perform this attack, the attacker needs Replicating Directory Changes and Replicating Directory Changes All rights. Normally, Domain Admins and Enterprise Admins have these rights. But there is also a Bloodhound query, that will show us accounts with these rights.

In this case the Backup user has rights to perform a DCSync attack, even though he is not Administrator. This can be done because the needed rights can be given to any account individually. The credentials for the Backup account can be found in the Documents folder of JeffersD:

Now we can perform the DCSync attack by utilizing “secretsdump.py” from impacket. With the following command it is possible to retrieve password hashes:

proxychains python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -dc-ip 10.200.70.117 THROWBACK/backup@10.200.70.117

Cracking the hashes

I have put the hashes into a file called hash.txt and tried to crack them with hashcat and the rockyou.txt wordlist as well as the OneRuleToRuleThemAll ruleset:

hashcat.exe -m 1000 -a 0 hash.txt rockyou.txt -r rules\OneRuleToRuleThemAll.rule

The mode for the hashes is 1000, because these hashes are NTLM hashes. I was able to crack the password for MercerH. After analyzing the account on Bloodhound, we can see that this is a domain admin and has a flag in his description property:

Enumeration

In Bloodhound I have also looked into the domain trusts. We can see that THROWBACK.local and CORPORATE.local have a bidirectional trust:

Next I have connected to the domain controller with Evil Winrm as MercerH:

proxychains evil-winrm -u MercerH -H MERCERH_HASH -i 10.200.70.117

Then I could retrieve the root flag:

Next I have started a Ping Sweep to discover which hosts we can connect to. I was able to discover a new host: 10.200.70.118:

1..255 | % {"10.200.70.$($_): $(Test-Connection -count 1 -comp 10.200.70.$($_) -quiet)"}

After getting the hostname of the machine, it looked like it was inside the other domain “CORPORATE.local”:

[System.Net.DNS]::GetHostByAddress('10.200.70.118')

Crossing the trust

I have connected to the Throwback DC via RDP by using xfreerdp:

proxychains xfreerdp /v:10.200.70.117 /u:THROWBACK\\MercerH  /p:MERCERH_PASSWORD +clipboard

After I was on the host, I have connected via RDP to the Corporate DC by using MercerH user:

Then I could get the user and root flag on the Corporate DC:

During enumeration I was able to find an interesting file called “server_update” inside the Administrator’s Documents directory:

CORP-ADT01

In Part 6, we was able to retrieve DaviesJ credential inside a Git repository. I have used these credentials to SSH from CORP-DC01 to CORP-ADT01. This was successful and I was able to retrieve the user and root flag:

During enumeration of the host, I was able to spot an interesting file called “email_update.txt” inside DosierK’s documents folder:

Hey team! Hope you guys are having a good day!

As all of you probably already now we are transferring to our new email service as we
transition please use the new emails provided to you as well as the default credentials
that can be found within your emails.

Please do not use these emails outside of corporate as they contain sensitive information.

The new email format is based on what department you are in:

ESM-Example@TBHSecurity.com
FIN-Example@TBHSecurity.com
HRE-Example@TBHSecurity.com
ITS-Example@TBHSecurity.com
SEC-Example@TBHSecurity.com

In order to access your email you will need to go to mail.corporate.local as we get our
servers moved over.

If you do not already have mail.corporate.local set in your hosts file please reach out to
IT to get that fixed.

Please remain patient as we make this transition and please feel free to email me with any
questions you may have regarding the new transition: HRE-KDoiser@TBHSecurity.com

Karen Dosier,
Human Relations Consulatant

Remediation

Credentials, for example for the Backup user, should not be saved in plain text on the disk. It is better to use password managers. There are also password managers available for team that can be accessed by multiple users.

MercerH should use a more complex password.

--

--

--

Passionate about Cyber Security. I am publishing CTF writeups and Cybersecurity content!

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Data structure: Stack

Sudoku Game

Toolchains and targets in Rust!

UML Class Diagrams The simple Approach

Her so just important method.

Vietnam for offshore software development

Enterprise Content Management in the Public Sector

Summary of the AWS Solutions Architect Associate Exam

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Rabbit

Rabbit

Passionate about Cyber Security. I am publishing CTF writeups and Cybersecurity content!

More from Medium

Throwback — Part 1 — pfSense

Mustacchio — TryHackMe CTF Walkthrough

Secret — Hackthebox Write-up

Hack The Box — Previse