Methodology
OBJECTIVES
Learning Objective 1:
- Enumerate the following for the dollarcorp domain:
  - Users
  - Computers
  - Domain Administrators
  - Enterprise Administrato
Learning Objective 2:
- Enumerate the following for the dollarcorp domain:
  - List all the OUs
  - List all the computers in the StudentMachines OU
  - List the GPOs
  - Enumerate the GPOs applied on the StudentMachines OU
Learning Objective 3:
- Enumerate the following for the dollarcorp domain:
  - ACL for the Domain Admins group
  - All modify rights/permissions for the studentx
Learning Objective 4:
- Enumerate all domains in the moneycorp.local forest.
- Map the trusts of the dollarcorp.moneycorp.local domain.
- Map external trusts in the moneycorp.local forest.
- Identify external trusts of the dollarcorp domain. Can you enumerate trusts for a trusting forest?
Learning Objective 5:
- Exploit a service on dcorp-studentx and elevate privileges to local administrator.
- Identify a machine in the domain where studentx has local administrative access.
- Using the privileges of a user on Jenkins on 172.16.3.11:8080, get admin privileges on 172.16.3.11, the dcorp-ci serve
Learning Objective 7:
- Identify a machine in the target domain where a Domain Admin session is available.
- Compromise the machine and escalate privileges to Domain Admin:
  - Using access to dcorp-ci
  - Using derivative local admin
Learning Objective 8:
- Extract secrets from the domain controller of dollarcorp.
- Using the secrets of the krbtgt account, create a Golden Ticket.
- Use the Golden Ticket to (once again) get Domain Admin privileges from a machine.
Learning Objective 9:
- Try to get command execution on the domain controller by creating a Silver Ticket for:
  - HOST service
  - WMI
Learning Objective 10:
- Use the Domain Admin privileges obtained earlier to execute the Diamond Ticket attack.
Learning Objective 11:
- Use the Domain Admin privileges obtained earlier to abuse the DSRM credential for persistence.
Learning Objective 12:
- Check if studentx has Replication (DCSync) rights.
- If yes, execute the DCSync attack to pull the hashes of the krbtgt user.
- If no, add the replication rights for studentx and execute the DCSync attack to pull the hashes of the krbtgt user.
Learning Objective 13:
- Modify security descriptors on dcorp-dc to get access using PowerShell remoting and WMI without requiring administrator access.
- Retrieve the machine account hash from dcorp-dc without using administrator access and use it to execute a Silver Ticket attack to get code execution with WMI.
Learning Objective 14:
- Using the Kerberoast attack, crack the password of a SQL server service account.
Learning Objective 15:
- Find a server in the dcorp domain where Unconstrained Delegation is enabled.
- Compromise the server and escalate to Domain Admin privileges.
- Escalate to Enterprise Admin privileges by abusing the Printer Bug!
Learning Objective 16:
- Enumerate users in the domain for whom Constrained Delegation is enabled.
  - For such a user, request a TGT from the DC and obtain a TGS for the service to which delegation is configured.
  - Pass the ticket and access the service.
- Enumerate computer accounts in the domain for which Constrained Delegation is enabled.
  - For such an account, request a TGT from the DC.
  - Obtain an alternate TGS for the LDAP service on the target machine.
  - Use the TGS for executing a DCSync attack.
Learning Objective 17:
- Find a computer object in the dcorp domain where we have Write permissions.
- Abuse the Write permissions to access that computer as Domain Admin.
Learning Objective 18:
- Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA of the parent domain, moneycorp.local, using the domain trust key.
Learning Objective 19:
- Using DA access to dollarcorp.moneycorp.local, escalate privileges to Enterprise Admin or DA of the parent domain, moneycorp.local, using dollarcorp's krbtgt hash.
Learning Objective 20:
- With DA privileges on dollarcorp.moneycorp.local, get access to the SharedwithDCorp share on the DC of the eurocorp.local forest.
Learning Objective 21:
- Check if AD CS is used by the target forest and find any vulnerable/abusable templates.
- Abuse any such template(s) to escalate to Domain Admin and Enterprise Admin.
Learning Objective 22:
- Get a reverse shell on a SQL server in the eurocorp forest by abusing database links from dcorp-mssql.
Enumeration
Domain, Domain Controller, Forest & Trust Mapping
Users & Computers
Groups & Group Members
Privesc 'own user' => Local Admin
Learning Objective 5
Privesc Local Admin => Domain Admin
Learning Objective 7: Domain Admin session
Learning Objective 17: Abusing Write permission (ACL)
Domain Admin persistence
Learning Objective 8: Golden Ticket
Learning Objective 9: Silver Ticket
Learning Objective 10: Diamond Ticket
Using Domain Admin privileges to exploit other services
Learning Objective 11: Abusing DSRM
Learning Objective 12: DCSync (replication) rights
Learning Objective 13: Security descriptors & machine account hash from DC
Learning Objective 14: Kerberoast attack
Learning Objective 15: Unconstrained Delegation
Learning Objective 16: Constrained Delegation
Cross Forest Attacks
Learning Objective 18: Domain Admin => Forest DC or EA using trust key
Learning Objective 19: Domain Admin => Forest DC or EA using krbtgt user
Learning Objective 20: Domain Admin => Eurocorp DC SharedwithDCorp