{"id":280,"date":"2019-01-17T05:45:02","date_gmt":"2019-01-17T05:45:02","guid":{"rendered":"https:\/\/mrjsec.co.uk\/blog\/?p=280"},"modified":"2019-01-17T06:14:48","modified_gmt":"2019-01-17T06:14:48","slug":"objective-5-ad-privilege-discovery","status":"publish","type":"post","link":"https:\/\/mrjsec.co.uk\/blog\/objective-5-ad-privilege-discovery\/","title":{"rendered":"
Objective 5: AD Privilege Discovery<\/center>"},"content":{"rendered":"\n

Objective 5 wants us to use the already made VM image<\/a>and find the user’s login name.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

(You can download the file here<\/a>, if you wish to use it) <\/p>\n\n\n\n

If we have completed CURLing Master Cranberry Pi terminal challenge by Holly Evergreen, then we can get a hint which is.
\n“Unencrypted HTTP\/2? What was he thinking? Oh well.
\nHave you ever used Bloodhound for testing Active Directory implementations?
\nIt’s a merry little tool that can sniff AD and find paths to reaching privileged status on specific machines.
\nAD implementations can get so complicated that administrators may not even know what paths they’ve set up that attackers might exploit.
\nHave you seen anyone demo the tool before?”<\/p>\n\n\n\n

Also, a hint link<\/a>.<\/p>\n\n\n\n

Well, let’s get started. First thing first we need to import the VM image into our favourite VM software, VirtualBox, VMware Workstation Pro, VMware Workstation Player and many others out there!
I’m going to be using VMware Workstation Pro to import this VM image, use file – open and find the downloaded (.ova) file, or double click on it (depending on how you set up your VM software)
<\/p>\n\n\n\n

(Note: Some users have reported issues with it not starting, and have said changing the setting to 64-bit fixed it).<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Once you have the (.ova) imported start it up and wait for it to load.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

As we can see, there isn’t much here, on the desktop we have the following Trash, File system, Home and a link to starting Bloodhound.
I did look around the file system, and there isn’t anything here, but if you want a copy of the wallpaper here you go<\/a>!<\/p>\n\n\n\n

The hint by Holly Evergreen and the URL link all links together about Bloodhound, so that’s what we use.
BloodHound loads itself, and you see this screen once done.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

“BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment.” Bloodhound is a significant tool! So I won’t be covering it in this guide. However, Raphael Mudge has a great starter video on it here.<\/a><\/p>\n\n\n\n

Let’s get this challenge compleated! Click on the three lines, then head over to queries, find the “shortest paths to domain admins from kerberoastble users” and then select the domain admin group “Domain Admins@ad.kringlecastle.com.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Once you have done all of this, you then be on this screen, as long as everything has gone correctly!<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Remember the challenge details? “Remember to avoid RDP as a control path as it depends on separate local privileges escalation flaws” So, RDP just forget about it in this challenge, and the task itself is for us to “find a reliable path from a kerberoastble user to the domain admin group”.
\nWe need to find a reliable path from a kerberoastble user to the domain admin group; this is where we need to get too.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

Looking at the BloodHound again and if we remove the RDP paths, we can see were only left with one way to the admin groups.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

So that path is called “LDUBEJ00320@AD.KRINGLECASTLE.COM” it’s the shortest route to admin groups and doesn’t have any RDP on the way either.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

LDUBEJ00320@AD.KRINGLECASTLE.COM is our answer!<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n","protected":false},"excerpt":{"rendered":"

Objective 5 wants us to use the already made VM imageand find the user’s login name. (You can download the file here, if you wish to use it) If we have completed CURLing Master Cranberry…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[10],"tags":[13,14,12],"class_list":["post-280","post","type-post","status-publish","format-standard","hentry","category-kringlecon-2018","tag-13","tag-ctf","tag-kringlecon"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/paD3U6-4w","_links":{"self":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/280","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=280"}],"version-history":[{"count":3,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/280\/revisions"}],"predecessor-version":[{"id":332,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/posts\/280\/revisions\/332"}],"wp:attachment":[{"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=280"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=280"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mrjsec.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=280"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}