
Objective #5: AD Privilege Discovery

Problem

Using the data set contained in this SANS Slingshot Linux image (https://download.holidayhackchallenge.com/HHC2018-DomainHack_2018-12-19.ova), find a reliable path from a Kerberoastable user to the Domain Admins group. What’s the user’s logon name? Remember to avoid RDP as a control path as it depends on separate local privilege escalation flaws. For hints on achieving this objective, please visit Holly Evergreen and help her with the CURLing Master Cranberry Pi terminal challenge.

Hints

Holly Evergreen provides the following hint:

Have you ever used Bloodhound for testing Active Directory implementations?

It's a merry little tool that can sniff AD and find paths to reaching privileged status on specific machines.

AD implementations can get so complicated that administrators may not even know what paths they've set up that attackers might exploit.

Have you seen anyone demo the tool before?

Holly also provides a link to a Bloodhound demo: https://youtu.be/gOpsLiJFI1o

Solution

Kerberoasting lets any authenticated domain user request a Kerberos service ticket (TGS) for any account that has a Service Principal Name registered. Part of that ticket is encrypted with a key derived from the service account's password, so the ticket can be taken offline and cracked, and service accounts are often over-privileged with weak, rarely rotated passwords. Cracking is slow, though, and a large domain may have many Kerberoastable accounts, so it pays to know in advance which of them actually lead somewhere. BloodHound does exactly that: it maps group memberships, local admin rights and logged-on sessions as a graph and finds the shortest chain of those relationships from a given account to Domain Admins.

The provided SANS Slingshot Linux virtual machine has BloodHound pre-installed, with data already collected from an Active Directory domain and loaded into its database. Our job is to use the tool to identify the Kerberoastable account that gives us the best chance of reaching Domain Admins.

Start up the Slingshot image (if it doesn't boot, change the VM's guest OS setting from 32-bit to 64-bit), then open BloodHound by double-clicking its icon on the desktop. In the application, open the Queries tab and select the pre-built query Shortest Paths to Domain Admins from Kerberoastable Users.

Screenshot

The path BloodHound returns runs through the user Leanne Dubej (LDUBEJ00320@AD.KRINGLECASTLE.COM). Her account is a member of the group IT_00332, which has local administrator rights (an AdminTo edge) on the computer COMP00185. Jen Betak (JBETAK00084@AD.KRINGLECASTLE.COM) is a member of Domain Admins and has a logged-on session (a HasSession edge) on COMP00185. So the chain is: crack Leanne's password from her Kerberoast ticket, use it to log on to COMP00185 as a local administrator, dump Jen's credentials (NTLM hash or Kerberos tickets) from LSASS memory, and replay them with pass-the-hash or pass-the-ticket to act as a domain admin. Every edge in this path hands us real control of the next node, which is what makes it reliable; a path that depended on a CanRDP edge would only give an interactive logon and would still need a local privilege escalation to reach LSASS, which is exactly what the objective tells us to avoid.

Screenshot
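To make the "reliable path" criterion concrete, here is an added Python example (not BloodHound's code, and not part of the original write-up) that runs the same kind of search over a small, constructed set of BloodHound-style edges. The graph models the path described above; the host COMP-HYPOTHETICAL and its two edges are invented to show a decoy route that is shorter but only works over RDP. The search treats MemberOf, AdminTo and HasSession as edges that grant control and leaves CanRDP out, so the RDP shortcut is ignored, just as the objective requires.

```python
"""Attack-path search over BloodHound-style edges: a toy stand-in for the
"Shortest Paths to Domain Admins from Kerberoastable Users" query."""
from collections import deque

# Constructed toy graph modelled on the path in the write-up.
# Node names follow BloodHound's conventions (USER@DOMAIN, GROUP@DOMAIN,
# HOST.DOMAIN) and relationship names are BloodHound edge types.
# COMP-HYPOTHETICAL and its two edges are invented here as an RDP-only decoy.
EDGES = [
    ("LDUBEJ00320@AD.KRINGLECASTLE.COM", "MemberOf", "IT_00332@AD.KRINGLECASTLE.COM"),
    ("IT_00332@AD.KRINGLECASTLE.COM", "AdminTo", "COMP00185.AD.KRINGLECASTLE.COM"),
    ("COMP00185.AD.KRINGLECASTLE.COM", "HasSession", "JBETAK00084@AD.KRINGLECASTLE.COM"),
    ("JBETAK00084@AD.KRINGLECASTLE.COM", "MemberOf", "DOMAIN ADMINS@AD.KRINGLECASTLE.COM"),
    ("LDUBEJ00320@AD.KRINGLECASTLE.COM", "CanRDP", "COMP-HYPOTHETICAL.AD.KRINGLECASTLE.COM"),
    ("COMP-HYPOTHETICAL.AD.KRINGLECASTLE.COM", "HasSession", "JBETAK00084@AD.KRINGLECASTLE.COM"),
]

# Accounts with an SPN set (BloodHound's hasspn property); only Leanne here.
KERBEROASTABLE = {"LDUBEJ00320@AD.KRINGLECASTLE.COM"}
DOMAIN_ADMINS = "DOMAIN ADMINS@AD.KRINGLECASTLE.COM"

# Edge types that give the attacker control of the next node without a
# separate local privilege escalation. CanRDP is deliberately absent: an
# RDP logon alone is a foothold on the box, not admin rights on it.
CONTROL_EDGES = frozenset({"MemberOf", "AdminTo", "HasSession"})


def build_adjacency(edges, allowed):
    """Map each node to its outgoing (edge_type, neighbour) pairs,
    keeping only relationship types listed in `allowed`."""
    adj = {}
    for src, rel, dst in edges:
        if rel in allowed:
            adj.setdefault(src, []).append((rel, dst))
    return adj


def shortest_path(edges, start, target, allowed=CONTROL_EDGES):
    """Breadth-first search from `start` to `target` over allowed edges.
    Returns the path as a list of (node, edge_type, node) hops, or None."""
    adj = build_adjacency(edges, allowed)
    parent = {start: None}  # node -> (previous node, edge type used)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:
                prev, rel = parent[node]
                hops.append((prev, rel, node))
                node = prev
            return hops[::-1]
        for rel, nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def paths_from_kerberoastable(edges, kerberoastable, target, allowed=CONTROL_EDGES):
    """One shortest path per Kerberoastable user that can reach `target`."""
    found = {}
    for user in sorted(kerberoastable):
        path = shortest_path(edges, user, target, allowed)
        if path is not None:
            found[user] = path
    return found


if __name__ == "__main__":
    for user, path in paths_from_kerberoastable(EDGES, KERBEROASTABLE, DOMAIN_ADMINS).items():
        print(user)
        for src, rel, dst in path:
            print(f"  {src} -[{rel}]-> {dst}")
```

Run with CanRDP added to the allowed set and the search picks the three-hop decoy through COMP-HYPOTHETICAL, which is shorter but not actionable; with the default set it returns the four-hop chain through IT_00332, COMP00185 and Jen Betak's session. BloodHound's built-in query counts hops the same way, which is why the objective warns you to check the edge types on the path it draws rather than trusting "shortest".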

Alternatives

There may be more than one path. Change to the query Shortest Paths from Kerberoastable Users and, when prompted for the user, pick LDUBEJ00320. Besides the path through Jen Betak's session, there's a similar one through Elvin Basque (EBASQUE00032). This doesn't change the answer to the objective, since both paths start from the same Kerberoastable user, but in a real engagement a second path matters: if Jen's session on COMP00185 has ended by the time we get there, the attacker still has a route to the domain.

Screenshot

Answer: LDUBEJ00320@AD.KRINGLECASTLE.COM