Recently, during a red team engagement, I came across a situation where I had compromised a domain admin of Domain A (let's say abc.local),
and surprisingly there was no enterprise admin (EA) or trust relationship between abc.local and my target domain (xyz.local), as you can see below, but I knew that users of xyz.local were accessing servers and resources of abc.local!
What to do now?
Back to basics, i.e. recon and enumeration.
It took a few weeks, but I enumerated everything: all their Windows servers, RHEL servers, VMware ESXi hosts, the SolarWinds panel (managed to compromise all of them), etc.
Patched RDP on one of the servers using mimikatz (ts::multirdp) so that several users could be logged on over RDP at the same time, and enabled WDigest on those servers (UseLogonCredential=1 under the WDigest SecurityProviders key) so that the clear-text credentials of other domain users logging on to those Windows servers via RDP would be cached in LSASS.
And guess what:
I started getting the clear-text credentials of different domain users logging on to those servers.
(I enabled WDigest because I was unable to log in over RDP with an NTLM hash on those servers; pass-the-hash over RDP only works when Restricted Admin mode is enabled on the target, so a clear-text password was the practical way in.)
After collecting around 10–12 sets of domain user credentials, I started logging in over RDP at night to check their saved work and to enumerate further. At that point it was confirmed that the users logging on to domain A (abc.local) were also members of xyz.local (after checking their Teams chats and messages).
To access the resources of abc.local they connected to the VPN (Cisco AnyConnect), and the credentials for the VPN login were:
DomainID@abc.local and the password (which we already had for a few users via WDigest).
What to do now?
We have the domain admin of abc.local,
we have the clear-text passwords of a few domain users,
we can access the RDP servers.
What is left is the IP address allocated to those users after connecting to the VPN, which they use to reach the machines and servers of abc.local.
To find that IP, the best place to look is the Windows Security event log: event ID 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP), whose Source Network Address field records the client's IP.
As is clearly visible in the log, the users of xyz.local were assigned IPs from the 172.16.0.0/21 range after connecting to the VPN, and from there they accessed the resources of abc.local (RDP server 10.1.140.33).
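As an added example, not from the original post, here is that 4624 sweep done offline on the attacker side. It assumes the Security log was exported on the RDP server with `wevtutil qe Security /q:"*[System[EventID=4624]]" /f:xml /c:5000 > rdp_4624.xml` and copied over (the export command and file name are my assumptions about the workflow; the author only says the event log was checked). The script keeps the RemoteInteractive (type 10) logons, prints user and source IP, and then narrows to the VPN pool. The events embedded in it are constructed samples, not the engagement's data.

```shell
#!/bin/sh
# Added example (not from the original post). Parses 4624 events exported with
#   wevtutil qe Security /q:"*[System[EventID=4624]]" /f:xml /c:5000 > rdp_4624.xml
# which emits one <Event> element per line, as the sample below does.
set -eu

# Every RDP logon (4624 with LogonType 10 = RemoteInteractive) as
# "DOMAIN\user source_ip". IpAddress (Source Network Address in the viewer) is
# the address the VPN concentrator gave the client, not its LAN address.
rdp_logons() {  # $1 = exported XML
  awk '
    function field(name,   m) {     # value of <Data Name="name">...</Data>
      if (!match($0, "<Data Name=." name ".>[^<]*</Data>")) return ""
      m = substr($0, RSTART, RLENGTH)
      sub(/^[^>]*>/, "", m); sub(/<\/Data>$/, "", m)
      return m
    }
    /<EventID>4624<\/EventID>/ && field("LogonType") == "10" {
      print field("TargetDomainName") "\\" field("TargetUserName"), field("IpAddress")
    }' "$1"
}

# Same, restricted to the VPN pool (172.16.0.0/21 = 172.16.0.0-172.16.7.255) and
# deduplicated: one line per user/IP pair is the target list for the spray.
vpn_rdp_users() {  # $1 = exported XML
  rdp_logons "$1" | awk '$2 ~ /^172\.16\.[0-7]\./' | sort -u
}

# Constructed sample export: two VPN users (jdoe twice), one network logon
# (type 3, not RDP) and one RDP logon from the internal LAN.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4624</EventID><Computer>RDP01.abc.local</Computer></System><EventData><Data Name='TargetUserName'>jdoe</Data><Data Name='TargetDomainName'>ABC</Data><Data Name='LogonType'>10</Data><Data Name='WorkstationName'>LT-JDOE</Data><Data Name='IpAddress'>172.16.3.21</Data><Data Name='IpPort'>51022</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4624</EventID><Computer>RDP01.abc.local</Computer></System><EventData><Data Name='TargetUserName'>svc_backup</Data><Data Name='TargetDomainName'>ABC</Data><Data Name='LogonType'>3</Data><Data Name='WorkstationName'>BKP01</Data><Data Name='IpAddress'>10.1.140.50</Data><Data Name='IpPort'>49812</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4624</EventID><Computer>RDP01.abc.local</Computer></System><EventData><Data Name='TargetUserName'>msmith</Data><Data Name='TargetDomainName'>ABC</Data><Data Name='LogonType'>10</Data><Data Name='WorkstationName'>LT-MSMITH</Data><Data Name='IpAddress'>172.16.5.9</Data><Data Name='IpPort'>52210</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4624</EventID><Computer>RDP01.abc.local</Computer></System><EventData><Data Name='TargetUserName'>jdoe</Data><Data Name='TargetDomainName'>ABC</Data><Data Name='LogonType'>10</Data><Data Name='WorkstationName'>LT-JDOE</Data><Data Name='IpAddress'>172.16.3.21</Data><Data Name='IpPort'>51340</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>4624</EventID><Computer>RDP01.abc.local</Computer></System><EventData><Data Name='TargetUserName'>admin</Data><Data Name='TargetDomainName'>ABC</Data><Data Name='LogonType'>10</Data><Data Name='WorkstationName'>ADM01</Data><Data Name='IpAddress'>10.1.12.7</Data><Data Name='IpPort'>50011</Data></EventData></Event>
EOF

vpn_rdp_users "$SAMPLE"   # -> ABC\jdoe 172.16.3.21 and ABC\msmith 172.16.5.9
```

Filtering on logon type matters: type 3 entries from service accounts and file shares swamp a busy server's log, and only type 10 rows carry the VPN client address you want for the next step.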
Woot! What next?
Time for some crackmapexec.
Performed a DCSync and dumped the hashes of all domain users of abc.local,
then used crackmapexec to authenticate with them over SMB against domain xyz.local,
and I started to get successful user/password pairs for domain users who were using the same password for abc.local and xyz.local!
BINGO
I simply waited for the results
and got some domain users who were using the same password for their xyz.local and abc.local domain IDs.
Then I performed the hash spray again, but across multiple IPs (the VPN pool, 172.16.0.0/21),
and guess what :|
a few of them had local administrator access on a few machines in the 172.16.0.0/21 range (the xyz.local workstations sitting on the VPN).
Time to use wmiexec or atexec (impacket's wmiexec.py/atexec.py, or crackmapexec -x) to run commands on those hosts with the hash.
As is visible in the screenshot above,
that particular user, who was using the VPN to connect to abc.local from his xyz.local machine, had two network interfaces (one connected to abc.local over the VPN and the other connected to xyz.local).
In this way I performed lateral movement into xyz.local without any trust relationship, and managed to compromise the domain admin of xyz.local too, after creating some tunnels and using reverse proxies, i.e. pivoting through that dual-homed host.
TL;DR:
compromised domain admin of abc.local
logged in to the RDP servers
used mimikatz to patch in multirdp
turned on WDigest
got clear-text creds of domain users
checked the Windows event logs (4624, logon type 10)
got the IPs assigned by the VPN to the xyz.local domain users who access abc.local resources
performed a hash spray against xyz.local using the hashes dumped from abc.local
and bingo