Learning Objective 1


Start a PowerShell session using Invisi-Shell to avoid enhanced logging. Run the below command from a command prompt on the student VM:

Bypassing PowerShell Security

Tool reference (tool, purpose, example commands):

Tool: Invisi-Shell
  Purpose: PowerShell stealth (AMSI + logging bypass)
  Example commands:
    C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
    C:\AD\Tools\InviShell\RunWithPathAsAdmin.bat

Tool: RunWithPathAsAdmin
  Purpose: Invisi-Shell with admin privileges
  Example command:
    RunWithPathAsAdmin.bat

Tool: RunWithRegistryNonAdmin
  Purpose: Invisi-Shell without admin privileges
  Example command:
    RunWithRegistryNonAdmin.bat

Tool: PowerView
  Purpose: Offensive Active Directory enumeration
  Example commands:
    . C:\AD\Tools\PowerView.ps1
    Get-DomainUser
    Get-DomainGroup
    Find-InterestingDomainAcl
    Get-DomainObjectAcl -Identity administrador -ResolveGUIDs

Tool: ADModule
  Purpose: Microsoft's official module for administering AD
  Example commands:
    Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
    Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
    Get-ADUser -Filter *
    Get-ADGroup -Filter *

Using Invisi-Shell

  • With admin privileges: RunWithPathAsAdmin.bat
  • With non-admin privileges: RunWithRegistryNonAdmin.bat
  • Type exit from the new PowerShell session to complete the clean-up.

Once the PowerShell security bypass is in place, we proceed to enumerate everything.

All Enumerations

Domain-Enum

Users

Member Computers

Now, to enumerate member computers in the domain we can use Get-DomainComputer:

Domain Admins group

  • The most important:

samaccountname : Domain Admins

member : {CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local, CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local}

Members of the Domain Admins group

We can see the MemberName values svcadmin and Administrator, each with its MemberSID.

Members of the Enterprise Admins group

Since this is not a root domain, the above command will return nothing. We need to query the root domain, as the Enterprise Admins group is present only in the root of a forest.

Using the Active Directory module (ADModule)

Let's import the ADModule. Remember to use it from a different PowerShell session started by using Invisi-Shell. If you load PowerView and the ADModule in the same PowerShell session, some functions may not work:

Domain Users

Enumerate all the users in the current domain using the ADModule

List Properties

We can list specific properties. Let's list samaccountname and description for the users. Note that we are listing all the properties first using the -Properties parameter:

All Computers

For the next task, list all the computers:

The most important properties are Name and SID.

Enumerate Domain Administrators

Enumerate the Enterprise Administrators
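As an added example (my code, not the course material's or the ADModule project's), the following PowerShell function turns the two enumerations above into a defender-side audit: it lists the effective members of Domain Admins in the current domain and of Enterprise Admins in the forest root, where that group actually lives, and flags privileged accounts that also carry an SPN. It assumes the ActiveDirectory module is loaded on a domain-joined host; the function name is mine.

```powershell
# Added example (not course material): audit effective membership of Domain Admins in
# the current domain and Enterprise Admins in the forest root, where that group lives.
# Assumes the ActiveDirectory module is already imported as shown above.
function Get-PrivilegedGroupAudit {
    [CmdletBinding()]
    param(
        # Domain whose Domain Admins group is audited; defaults to the current domain.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    # Enterprise Admins exists only in the forest root; asking a child domain returns nothing.
    $forestRoot = (Get-ADForest).RootDomain
    $targets = @(
        @{ Group = 'Domain Admins';     Server = $Domain }
        @{ Group = 'Enterprise Admins'; Server = $forestRoot }
    )

    foreach ($t in $targets) {
        # -Recursive expands nested groups so indirectly privileged accounts are included.
        $members = Get-ADGroupMember -Identity $t.Group -Server $t.Server -Recursive
        foreach ($member in $members) {
            $user = $null
            if ($member.objectClass -eq 'user') {
                try {
                    # A member may belong to another domain of the forest; if the lookup
                    # against this server fails, report the bare member object instead.
                    $user = Get-ADUser -Identity $member.distinguishedName -Server $t.Server `
                        -Properties PasswordLastSet, ServicePrincipalName, Description -ErrorAction Stop
                } catch { $user = $null }
            }
            [PSCustomObject]@{
                Group           = $t.Group
                QueriedDomain   = $t.Server
                SamAccountName  = $member.SamAccountName
                ObjectClass     = $member.objectClass
                Enabled         = $user.Enabled            # $null when $user is $null
                PasswordLastSet = $user.PasswordLastSet
                # A privileged account that also carries an SPN is a service account sitting
                # in a high-privilege group (like svcadmin above) and deserves review.
                HasSPN          = [bool]($user -and $user.ServicePrincipalName)
                Description     = $user.Description
            }
        }
    }
}

# Usage: show the accounts that most need review first.
Get-PrivilegedGroupAudit | Sort-Object HasSPN -Descending | Format-Table -AutoSize
```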


BloodHound

For BloodHound, we will try with both the Legacy version and Community Edition.

BloodHound Legacy (To be done only after getting admin privileges)

BloodHound uses the neo4j graph database, so that needs to be set up first.

Note: Exit BloodHound once you have stopped using it, as it uses a good amount of RAM. You may also like to stop the neo4j service if you are not using BloodHound.

BloodHound Installation

We need to install the neo4j service. Unzip the archive C:\AD\Tools\neo4j-community-4.1.1-windows.zip

Install and start the neo4j service as follows:

For this, we need an admin user to continue with the installation.

Once the service is started, browse to http://localhost:7474

Enter the username: neo4j and password: neo4j. You need to enter a new password. Let's use BloodHound as the new password.

Now, open BloodHound from C:\AD\Tools\BloodHound-win32-x64\BloodHound-win32-x64 and provide the following details:

bolt://localhost:7687

Username: neo4j Password: BloodHound

BloodHound ingestors

Run the BloodHound ingestors to gather data and information about the current domain. Run the following commands to run the collector:

Once all the data is uploaded to BloodHound, search for the shortest path to Domain Admins in the dollarcorp domain (press Ctrl to toggle labels).

BloodHound CE Web UI

We need to run a compatible Sharphound collector for BloodHound CE. Remember that you have Read-only access to the shared BloodHound CE UI in the lab. There is no need or way to upload the data collected to the shared instance.

As BloodHound CE consumes high amounts of RAM, in the lab, you have Read-only access to a shared BloodHound CE - https://crtpbloodhound-altsecdashboard.msappproxy.net/

Provide the following credentials to the Microsoft login page:

Username: crtpreader@altsecdashboard.onmicrosoft.com

Password: Are@d0nlyUsertO200kAtSecurityDashb0ardf0rL0g!n!A@ga!n

This would bring you to the BloodHound CE login page. Provide the same set of credentials as above to the BloodHound login page and you will be able to access the UI.

Always double-check the credentials in the lab portal - https://adlab.enterprisesecurity.io

This instance of BloodHound CE already has the database populated. Feel free to play with the data! To solve the task in the Learning Objective, proceed as follows.

In the Web UI, click on Cypher -> Click on the Folder Icon -> Pre-Built Searches -> Active Directory -> (Scroll down) -> Shortest paths to Domain Admins


File share where studentx has Write permissions

We will use PowerHuntShares to search for file shares where studentx has Write permissions.

For better OPSEC, we will not scan the domain controller for writable shares.

Invisi-Shell & PowerHuntShares execution

Run the following commands from a PowerShell session started using Invisi-Shell:

After this, we need to save the list of all domain computers to a text file in C:\AD\Tools, extracted using:

This generates an .html report in the same folder.

You need to copy the summary report to your host machine because the report needs internet access, which is not available on the student VM.

The Summary Report page shows, well, the summary.

The Critical and High findings will be for dcorp-adminsrv as studentx has admin privileges there. Another interesting observation is in the Medium findings that shows that there is a directory named 'AI' on dcorp-ci where 'BUILTIN\Users' has 'WriteData/Addfile' permissions.

Go to ShareGraph -> search dcorp-ci -> Right click on dcorp-ci node -> Click expand. It turns out that 'Everyone' has privileges on the 'AI' folder.
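As an added example (my code, not PowerHuntShares' or the course's), the following PowerShell function checks the NTFS ACLs of a host's non-hidden SMB shares for write-capable entries granted to broad principals such as Everyone or BUILTIN\Users, which is the class of finding reported above for the 'AI' folder on dcorp-ci. It assumes CIM/WinRM access to the target and an account that can read the share ACLs; the function name and the servers.txt file name are placeholders.

```powershell
# Added example (not from PowerHuntShares or the course): flag shares whose NTFS ACL
# grants write-type rights to broad principals, so they can be tightened.
function Find-BroadWritableShare {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Principals whose write access on a share is considered too broad.
        [string[]]$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users', 'Domain Users')
    )

    # Write (includes WriteData/CreateFiles), Modify or FullControl all allow file changes.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

    foreach ($computer in $ComputerName) {
        try {
            # Enumerate shares over CIM; hidden/admin shares (C$, ADMIN$, IPC$) are skipped.
            $shares = Get-SmbShare -CimSession $computer -ErrorAction Stop |
                Where-Object { $_.Name -notmatch '\$$' }
        } catch {
            Write-Warning "Could not list shares on ${computer}: $($_.Exception.Message)"
            continue
        }
        foreach ($share in $shares) {
            $unc = "\\$computer\$($share.Name)"
            # Shares whose ACL cannot be read by this account are skipped, not reported.
            try { $acl = Get-Acl -Path $unc -ErrorAction Stop } catch { continue }
            foreach ($ace in $acl.Access) {
                $who = $ace.IdentityReference.Value
                # 'Domain Users' is matched with any domain prefix (e.g. DCORP\Domain Users).
                $isBroad = $BroadPrincipals | Where-Object { $who -like "*$_" }
                if ($ace.AccessControlType -eq 'Allow' -and $isBroad -and
                    (($ace.FileSystemRights -band $writeMask) -ne 0)) {
                    [PSCustomObject]@{
                        Computer  = $computer
                        Share     = $unc
                        Principal = $who
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}

# Usage: feed the computer list saved under C:\AD\Tools (servers.txt is a placeholder name).
Get-Content C:\AD\Tools\servers.txt | ForEach-Object { Find-BroadWritableShare -ComputerName $_ }
```

Run it against member servers rather than the domain controller to stay consistent with the OPSEC note above; each returned object names the share, the broad principal and the exact rights granted.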
