😷Behind the mask
Red team time!
This was a series of offensive Active Directory challenges hosted during CDDC 2021. The challenges must be solved in order.
This is my personal favourite category, as it is the most similar to traditional red teaming, with domain enumeration, ASREP-Roasting, credential dumping and a bit of looting SMB shares.
I was looking forward to gaining code execution so that I could practice some lateral movement and test some of my custom post exploitation agents, but no code execution was obtained, even using the valid credentials with WinRM, PsExec and other common techniques. This category also faced some stability issues, especially on the last challenge. However, the challenges themselves were relatively well made, covering some basic offensive Windows techniques.
Challenge #1: Light
Points: 200
Challenge Text:
It’s time to expose the GDC! We have successfully obtained the IP address of their AD server. First, try to list the different users that are configured on the server.
Solution
The first step to enumerating the DC is to find the local domain name. This was found by an nmap scan.
The list of users from the DC can then be obtained with the following command:
The flag is in the description for one of the users. I just opened the enumAD.txt file and Ctrl+F'ed for the flag format.
Challenge #2: Get a Ticket
Points: 300
Challenge Text:
We must find a way to access the shared folders configured on this server. I don’t see any way, but maybe you can figure it out…
Solution
Since these challenges are locked in order, I assume that each challenge is dependent on the solution to the previous one. Since the previous challenge was to get a list of users, I originally assumed the solution was to find a service account and kerberoast it.
However, no accounts vulnerable to Kerberoasting were found. We eventually solved the challenge by ASREP-Roasting user accounts found in the previous challenge for Kerberos tickets. The following command was used:
python GetNPUsers.py gdc.local/ -usersfile usernames.txt -format hashcat -outputfile tickets.txt
Kerberos tickets for the user liam.a were obtained. The tickets were roasted and the password for liam.a was obtained.
Using the password p@ssw0rd and the user liam.a, I listed the network shares.
Flag obtained!
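A defender-side audit of the two conditions probed in this challenge (pre-authentication disabled, which enables ASREP-Roasting, and an SPN on a user account, which enables Kerberoasting), added here as an example that is not part of the original writeup. The user records are constructed sample data; only the realm name gdc.local comes from the command above.

```python
# Added example, not from the original writeup: flag enabled accounts whose
# userAccountControl or SPN settings make them ASREP-Roastable or Kerberoastable.
from dataclasses import dataclass, field

# userAccountControl flag values as documented by Microsoft.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_REQUIRE_PREAUTH = 0x400000

REALM = "gdc.local"  # realm used in the GetNPUsers command above


@dataclass
class UserRecord:
    sam_account_name: str
    user_account_control: int
    service_principal_names: tuple = field(default_factory=tuple)


def is_enabled(user):
    return not (user.user_account_control & UF_ACCOUNTDISABLE)


def asrep_roastable(user):
    """Enabled account with Kerberos pre-authentication switched off."""
    return is_enabled(user) and bool(user.user_account_control & UF_DONT_REQUIRE_PREAUTH)


def kerberoastable(user):
    """Enabled account that carries at least one SPN."""
    return is_enabled(user) and bool(user.service_principal_names)


def audit(users):
    """Map each flagged principal (user@REALM) to the reasons it was flagged."""
    findings = {}
    for user in users:
        reasons = []
        if asrep_roastable(user):
            reasons.append("DONT_REQ_PREAUTH")
        if kerberoastable(user):
            reasons.append("SPN")
        if reasons:
            findings[f"{user.sam_account_name}@{REALM}"] = reasons
    return findings


# Constructed sample records (hypothetical accounts, not the CDDC domain).
SAMPLE_USERS = [
    UserRecord("liam.a", UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH),
    UserRecord("svc_sql", UF_NORMAL_ACCOUNT, ("MSSQLSvc/db.gdc.local:1433",)),
    UserRecord("john", UF_NORMAL_ACCOUNT),
    UserRecord("old_svc", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH),
]

if __name__ == "__main__":
    for principal, reasons in audit(SAMPLE_USERS).items():
        print(principal, ", ".join(reasons))
```

Disabled accounts are deliberately skipped, since the KDC will not issue tickets for them; re-enabling one is the usual way such a finding reappears.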
Challenge #3: Old Memories
Points: 300
Challenge Text:
(original challenge text was forgotten :( but it talked about a memory dump in the DC)
Solution
Since the challenge text talked about a memory dump in the DC, I enumerated the shares I could access using liam.a and found the "Forensics" share which contained a file named lsass.dmp. This was obviously a dump of the lsass.exe process, which Windows uses to store credentials. Mimikatz was used to extract credentials (and the flag).
Two sets of interesting credentials were recovered.
The first password was the flag, but there was also a second password to a user named John. Let's save that for later.
Challenge #4: Alternate Way
Points: 500
Challenge Text:
You’re doing great! We're almost there, but we need to find a way to take control of this server. What about the backup folder?
Solution
The backup folder was not accessible by the user liam.a. At first, I authenticated to the share using the credentials for the "John" user discovered in the memory dump.
The share contained a file named "creds.txt", which was an empty file. After quite a while trying to figure out if the box had been tampered with (again), I used the "allinfo" command in smbclient to see if there were any Alternate Data Streams, since the challenge name was "Alternate Way", which was hinting at an ADS. Sure enough, there was the flag!