Gathering Information with an Administrator Account
LDAP and RDP Enumeration
The LDAP and RDP protocols can also be used to enumerate the objects and properties of a domain. The LDAP protocol requires the tester to be able to resolve the domain FQDN, so we might need to add the FQDN of the domain controller to the /etc/hosts file.
| Flags | Description | Notes |
|---|---|---|
| --users | Enumerate domain users | |
| --groups | Enumerate domain groups | |
| --password-not-required | List users with the PASSWD_NOTREQD flag set | These users might not be subject to the current password policy. |
| --trusted-for-delegation | List computers and users with TRUSTED_FOR_DELEGATION | Test for unconstrained delegation. |
| --admin-count | List users with adminCount=1 | Can help to target high-privileged accounts. |
| --get-sid | Get the domain SID | |
| --gmsa | gMSA passwords | Some users have the right to read gMSA passwords. |
| --nla-screenshot | Screenshot RDP if NLA is disabled | Can be useful to enumerate users from the login screen. |
| --screenshot | Screenshot RDP | |
| --screentime | Time to wait for the desktop image | |
| --res | Resolution in "width X height" format | |
Interesting users properties
Some interesting properties of AD objects can be identified using the LDAP protocol.
PASSWD_NOTREQD
Some users might not be subject to the password policy in place. Users with the PASSWD_NOTREQD flag set can have a shorter, simpler, or even empty password.
Unconstrained Delegation
We can list accounts (service or user) that have the TRUSTED_FOR_DELEGATION flag set using the --trusted-for-delegation option. Accounts with unconstrained delegation can impersonate any user requesting a service. Kerberos unconstrained delegation is a real-world attack scenario that can lead to the full compromise of a domain.
adminCount attribute
The adminCount attribute aims to protect high-privileged users. The SDProp process runs every 60 minutes by default and compares the ACL (permissions) of each protected user in the domain to the ACL of the AdminSDHolder object, which acts as a template for protected users. If they do not match, the ACL of the protected user is reset to match the AdminSDHolder. This mechanism protects these users from permanent changes made by an attacker or by directory modifications.
An adminCount attribute set to 1 means that the user is protected. This property can be used to target high-privileged accounts.
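The three LDAP properties above map to concrete attribute values; the following added example (not code from the HTB module or from CrackMapExec itself) decodes the userAccountControl bits and adminCount attribute from constructed sample entries and builds the LDAP filters that select them.

```python
# Added example (not from the HTB module or from CrackMapExec itself): decode
# the userAccountControl bits and the adminCount attribute behind the LDAP
# checks above, and build the LDAP filters that select them.
# The sample entries below are constructed for illustration.
PASSWD_NOTREQD = 0x0020            # userAccountControl bit: password not required
TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit: unconstrained delegation
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND OID


def uac_filter(flag_bit):
    """LDAP filter matching any account whose userAccountControl has flag_bit set."""
    return f"(&(objectClass=user)(userAccountControl:{BIT_AND_RULE}:={flag_bit}))"


ADMIN_COUNT_FILTER = "(&(objectClass=user)(adminCount=1))"


def audit(entries):
    """Group account names by the risky property they carry."""
    findings = {"passwd_notreqd": [], "unconstrained_delegation": [], "admin_count": []}
    for entry in entries:
        name = entry["sAMAccountName"]
        uac = int(entry.get("userAccountControl", 0))
        if uac & PASSWD_NOTREQD:
            findings["passwd_notreqd"].append(name)
        if uac & TRUSTED_FOR_DELEGATION:
            findings["unconstrained_delegation"].append(name)
        if int(entry.get("adminCount", 0)) == 1:
            findings["admin_count"].append(name)
    return findings


# Constructed sample entries: a DC (SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
# a legacy service account with PASSWD_NOTREQD, a protected admin and a normal user.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "userAccountControl": 532480},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 544},
    {"sAMAccountName": "administrator", "userAccountControl": 66048, "adminCount": 1},
    {"sAMAccountName": "engels", "userAccountControl": 512},
]

if __name__ == "__main__":
    for prop, names in audit(SAMPLE_ENTRIES).items():
        print(f"{prop}: {', '.join(names) or '-'}")
    print(uac_filter(TRUSTED_FOR_DELEGATION))
```

The same bitwise-AND matching rule works for any other userAccountControl flag, so the filter builder generalizes beyond the two bits the text discusses.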
gMSA
gMSA stands for Group Managed Service Account. A gMSA can be created to run services across multiple servers (Windows Server 2012 or later). A gMSA has the advantage of having its password rotated and managed automatically by Active Directory. This type of account aims to help secure services. More on gMSA here.
Only specific users have the right to read the gMSA account's clear-text password. PowerShell can be used to identify which accounts have the right to read gMSA account passwords.
The following output shows that the user engels has read access to the gMSA account svc_inlaneadm$.
Once a user with permission to read the gMSA password is compromised, CrackMapExec offers the --gmsa option to retrieve the NTLM hash of the gMSA account.
RDP Screenshots
NLA enhances the authentication mechanism of RDP, as it requires users to authenticate before an RDP session is established and the Windows logon screen is displayed. If NLA is disabled on the targeted system, it is possible to take a screenshot of the logon prompt using the --nla-screenshot option.
It is also possible to use the --screenshot option to take a screenshot of the Windows logon prompt if we have a user's credentials.
Command Execution
In the module, HackTheBox covers three protocols that can be used to remotely execute commands on a target system. Other protocols that can also be used to execute commands are listed in the official CME documentation.
When it comes to remote command execution, we might be restricted by some Windows configurations such as UAC.
LocalAccountTokenFilterPolicy
This registry key is not set by default, but may have been set by administrators. Note that this setting only applies to local accounts, not domain accounts. Every domain account that is a member of the Administrators group will be able to remotely execute administrative tasks.
Key set to 1: all members of the Administrators group can execute remote commands with a high-integrity shell.
Key set to 0: only the built-in Administrator (RID 500) can execute tasks with administrative privileges.
We might want a local user who is a member of the Administrators group to be able to execute administrative tasks remotely. To do so, we need to set the registry key to 1.
The image below shows that the localadmin user is a member of the Administrators local group.
However, as seen below, the localadmin user cannot perform any remote tasks because LocalAccountTokenFilterPolicy is set to 0, granting only the built-in Administrator (RID 500) the right to perform administrative tasks remotely.
Since we have the credentials of the built-in Administrator user, we could change the value of the registry key to 1, so that any user who is a member of the Administrators local group could execute administrative tasks remotely.
FilterAdministratorToken
This registry key, if set to 1, can prevent the built-in Administrator (RID 500) from performing administrative tasks remotely.
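To make the interaction of these two registry values and the three kinds of account explicit, here is an added example (not from the HTB module or CrackMapExec) that models the rules described above and evaluates them for constructed sample accounts; the Administrator, localadmin and robert accounts below are constructed, and the behaviour when both values are set to 1 is an assumption noted in the code.

```python
# Added example (not from the HTB module or from CrackMapExec): a model of the
# UAC remote-restriction rules described above, used to reason about which
# accounts obtain a full administrative token over the network.
# Assumption (not stated on the page): when LocalAccountTokenFilterPolicy is 1
# the restriction is lifted for every local administrator, RID 500 included.


def remote_admin_allowed(account, local_account_token_filter_policy=0,
                         filter_administrator_token=0):
    """Return (allowed, reason) for an account attempting remote administrative execution.

    account: dict with 'name', 'is_domain' (bool), 'is_admin' (member of the
    Administrators group) and 'rid' (int) keys.
    """
    if not account["is_admin"]:
        return False, "not a member of the Administrators group"
    if account["is_domain"]:
        return True, "domain administrators are not subject to the local token filter"
    if local_account_token_filter_policy == 1:
        return True, "LocalAccountTokenFilterPolicy=1: all local administrators get a full token"
    if account["rid"] == 500:
        if filter_administrator_token == 1:
            return False, "FilterAdministratorToken=1 filters the built-in Administrator"
        return True, "built-in Administrator (RID 500) is exempt from the filter"
    return False, "LocalAccountTokenFilterPolicy=0: only RID 500 gets a full token"


# Constructed accounts matching the scenarios described in the text.
ACCOUNTS = {
    "Administrator": {"name": "Administrator", "is_domain": False, "is_admin": True, "rid": 500},
    "localadmin": {"name": "localadmin", "is_domain": False, "is_admin": True, "rid": 1001},
    "robert": {"name": "robert", "is_domain": True, "is_admin": False, "rid": 1105},
}


def report(policy, fat):
    """Evaluate every sample account under the given registry values."""
    return {n: remote_admin_allowed(a, policy, fat)[0] for n, a in ACCOUNTS.items()}


if __name__ == "__main__":
    print("policy=0:", report(0, 0))   # localadmin is blocked, as on the page
    print("policy=1:", report(1, 0))   # localadmin is now allowed
```

The second return value gives the reason, which is handy when explaining to an asset owner why a hardening change (keeping the key at 0, or setting FilterAdministratorToken to 1) closes a remote execution path.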
Command Execution with SMB
Command execution using SMB requires administrator privileges on the remote target
The SMB protocol requires administrator privileges to be able to execute commands remotely. SMB relies on different methods to execute commands on a remote system. Depending on the version of the operating system, one of these methods, tried in order, will be used:
wmiexec
atexec
smbexec
mmcexec
We can explicitly tell CME to use one of the above methods with the --exec-method flag.
The SMB protocol supports both command-line (-x) and PowerShell (-X) commands. CrackMapExec will automatically perform an AMSI bypass and obfuscation of the payload when PowerShell commands are executed.
AMSI Bypass
We might want to use a custom AMSI bypass via the --amsi-bypass flag. HTB does not expand on what AMSI bypass refers to, but as a demonstration, HackTheBox Academy executed the "Modified Amsi ScanBuffer Patch" on the target system. When the payload is too long, it is handy to execute it from a web server we host.
The script below downloads and executes shantanukhande-amsi.ps1 on the remote system from our Python web server.
Command Execution Using WinRM
WinRM can be used to execute commands on a remote system whether or not we are a member of the Administrators group.
In the image below, the user robert could not perform any remote command on DC01 using SMB since he is not an administrator on the target. However, the WinRM protocol could be used.
A user can execute commands using WinRM if he meets at least one of these conditions:
member of the Remote Management Users group;
member of the Administrators group;
has PowerShell Remoting permissions.
By default, WinRM runs over ports 5985 and 5986. However, we can specify a custom port with the --port flag. Since SSL might or might not be in use, the --ssl flag (connect with SSL) and the --ignore-ssl-cert flag (skip certificate verification) come in handy when working with this protocol.
Command Execution Using SSH
Can be used to execute commands on both Windows and Linux
Supports public/private keys in OpenSSH format
Use the flag -p "" if no passphrase is required, to avoid any error