CRTP writeup

Uploaded by Oscar Mora

Certified Red Team Professional: Exam - Garrison Domain

In this assessment we are given the task of compromising (getting OS command execution on)
five different machines, starting from a compromised low-privilege user on a Windows Server
2016 host and a set of credentials (username and password).

The tools used in this assessment, together with their documentation, are listed at the end of
the report.

We start by running BloodHound's ingestor on our initial machine: it lets us easily visualise
the relationships in the domain and discover paths for lateral movement, and it is also a handy
way to keep track of compromised objects in the domain.

We transfer the resulting zip file to our local machine for BloodHound to analyse.

User.GARRISON.CASTLE.LOCAL - Local Privilege Escalation

We start by elevating our privileges on the initial machine. This will let us compromise other
users that have logged in there; we can also add a folder exclusion in Windows Defender so that
we can download our tools (mimikatz, PowerView, PowerUp, etc.) and carry out further lateral
movement more fluently.

We load PowerUp.ps1 onto the machine; this tool enumerates common Windows privilege
escalation vectors based on misconfigurations, and it also provides functions to easily abuse
the service affected by the identified weakness.
The SensorDataService service is spotted as a modifiable service, meaning that we (as user
examAd) have the rights to modify its binPath; the service also runs as LocalSystem, so it gives
us elevated privileges.

We abuse the service by running the following command, which adds our user to the local
Administrators group.

We log out and log in again so that the changes take effect.
With our new privileges we can add an exclusion in Windows Defender and download some
tools to ease lateral movement.
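To audit for this class of weakness from the defensive side, the following Python script (added here, not part of the writeup or of PowerUp) parses the SDDL string that `sc.exe sdshow <service>` prints and reports every principal other than SYSTEM and Builtin Administrators that holds change-config, write-DAC, write-owner or generic write/all rights on the service; the SDDL samples are constructed, and the user SID in them is a placeholder.

```python
import re

# Rights in an SDDL ACE that let the holder change a service's binPath, rewrite
# its DACL or take ownership. Held by a non-admin on a LocalSystem service,
# any of them is the local privilege escalation path PowerUp reported above.
DANGEROUS = {"DC", "WD", "WO", "GA", "GW"}   # CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER, GENERIC_ALL/WRITE
HEX_BITS = {0x2: "DC", 0x40000: "WD", 0x80000: "WO", 0x10000000: "GA", 0x40000000: "GW"}
TRUSTED_SIDS = {"SY", "BA"}                  # Local System and Builtin Administrators
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_rights(rights: str) -> set:
    """'CCDCLCSW' -> {'CC','DC','LC','SW'}; a hex mask such as '0x40002' -> {'DC','WD'}."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {name for bit, name in HEX_BITS.items() if mask & bit}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def weak_service_aces(sddl: str) -> list:
    """Return (sid, [rights]) for DACL entries granting modify rights to untrusted SIDs."""
    start = sddl.find("D:")
    if start < 0:
        raise ValueError("no DACL (D:) in security descriptor")
    dacl = sddl[start:].split("S:")[0]       # drop the SACL; only access grants matter here
    findings = []
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")
        if len(fields) != 6:
            continue                         # not an ace_type;flags;rights;obj;inherit;sid string
        ace_type, _flags, rights, _obj, _inherit, sid = fields
        if ace_type != "A" or sid in TRUSTED_SIDS:
            continue                         # deny/audit ACEs grant nothing; admins are expected
        risky = sorted(parse_rights(rights) & DANGEROUS)
        if risky:
            findings.append((sid, risky))
    return findings


# Constructed samples (not captured during the exam): a stock service descriptor
# and a misconfigured one of the kind the SensorDataService finding describes.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRCWD;;;AU)(A;;0x10000000;;;S-1-5-21-1111-2222-3333-1105)")

if __name__ == "__main__":
    for label, sddl in (("default", DEFAULT_SDDL), ("weak", WEAK_SDDL)):
        print(label, weak_service_aces(sddl))   # weak: AU gets DC+WD, the user SID gets GA
```

A reported service is remediated by tightening its descriptor with `sc.exe sdset`, or by running it under a less privileged account than LocalSystem.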

DEVSRV.GARRISON.CASTLE.LOCAL - Abuse through ReportUser SQL instance

We start enumerating the Active Directory and spot a SQL instance using PowerUpSQL.ps1; we
then check our access.

This command scans SPNs looking for SQL services and pipes its output to get basic
information about any server found.

The output shows that we are not sysadmin on the MSSQL server, so we cannot execute local
commands (which is our main goal).
We connect via HeidiSQL, an open-source GUI that lets us connect to SQL servers and
manipulate data via queries.

Enumerating a bit more, we find a new user who is currently logged in to our machine.
As we are local administrator, we can get this user's NTLM hash and impersonate it.
We run Invoke-Mimikatz.ps1 locally, which lets us grab the NTLM hashes of currently
logged-in users.
We can now impersonate this user by passing its NTLM hash to Invoke-Mimikatz.

We now check the SQL instances in our domain again (using PowerUpSQL.ps1 once more),
this time as reportuser.
We are sysadmin, so we can execute commands on the machine if there are no additional
restrictions. We run HeidiSQL as the current user (reportuser) and log in to
devsrv.garrison.castle.local to enable xp_cmdshell.

We can now execute commands on devsrv.

We then host Invoke-PowerShellTcp (from
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1) so that
devsrv can fetch and run it and give us a reverse shell.
We use powercat.ps1 as the listener and receive the remote connection. We get OS command
execution as devsqladmin, which is a local admin on DEVSRV.

UATSRV.GARRISON.CASTLE.LOCAL - Abuse via SQLManagers GenericAll permission

With this new user, a new tree of possibilities opens up. We can load PowerView.ps1 into our
reverse shell to enumerate further. Let's use PowerView's Invoke-ACLScanner function to find
interesting ACLs that devsqladmin holds.

SQLManagers is spotted as a group on which devsqladmin has GenericAll rights.


The description of SQLManagers tells us that it is used to manage UATSRV, a computer in
our domain. This shows a path to command execution on UATSRV if we add a user to the
SQLManagers group by abusing devsqladmin's GenericAll privileges.

PowerView has the Add-NetGroupUser function, which adds a user to a group if we have the
privileges to do so. We execute the following command on the DEVSRV machine as
devsqladmin.
We (the examAd user) are now part of the SQLManagers group. Let's verify whether we can
access the UATSRV machine.

Find-LocalAdminAccess (a PowerView function) checks whether the current user has local
administrator access on every computer in the domain.

We now have local admin access on UATSRV.

We can now run Invoke-Mimikatz in this new session to get the hashes of logged-in users for
further lateral movement.

PRODSRV.GARRISON.CASTLE.LOCAL - Prodadmin's password change via Batchuser's permission

In the last section we obtained uatadmin's and batchuser's hashes. Thanks to BloodHound we
can look for any ACLs these new users have.

Batchuser can change Prodadmin's password without knowing its current password.
We can use Invoke-Mimikatz to impersonate this user with its NTLM hash, so that we can change
Prodadmin's password and obtain its hash.

We are using Mimikatz even though we have batchuser's password, because runas did not
work in the assessment.
We load PowerView_dev.ps1 and run the Set-DomainUserPassword function to abuse this
capability and set PRODADMIN's password to "G@teTotheGarris0n!".
Since we have this password, we can generate its NTLM hash locally to impersonate it.
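The GenericAll right on SQLManagers and the password-reset right on Prodadmin that BloodHound and Invoke-ACLScanner surfaced above are exactly the ACEs an AD ACL review should catch before an assessment does. The Python below is an added example (not the writeup's or PowerView's code) that takes ACL entries in the shape PowerView's Get-ObjectAcl reports them and names the abuse each one enables; the ACL records and distinguished names are constructed to mirror the two findings.

```python
# Well-known schema GUIDs that decide what an object-specific ACE really grants.
MEMBER_ATTR = "bf9679c0-0de6-11d0-a285-00aa003049e2"            # 'member' attribute of a group
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password right
ALL_OBJECTS = "00000000-0000-0000-0000-000000000000"            # ACE applies to every attribute/right
# Principals that legitimately hold control rights; findings on them are noise.
PRIVILEGED = ("Domain Admins", "Enterprise Admins", "Administrators", "SYSTEM",
              "Enterprise Domain Controllers")

def classify(ace: dict):
    """Name the abuse an ACE enables, or None when it is harmless."""
    rights = {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}
    guid = ace.get("ObjectType", ALL_OBJECTS).lower()
    if "GenericAll" in rights:
        return "GenericAll"                       # full control: add members, reset passwords, ...
    control = rights & {"WriteDacl", "WriteOwner", "GenericWrite"}
    if control:
        return "+".join(sorted(control))          # can grant itself whatever it lacks
    if "WriteProperty" in rights and guid in (MEMBER_ATTR, ALL_OBJECTS):
        return "AddMember"                        # write the 'member' attribute of a group
    if "ExtendedRight" in rights and guid in (FORCE_CHANGE_PASSWORD, ALL_OBJECTS):
        return "ForceChangePassword"              # reset a password without knowing the old one
    return None


def dangerous_aces(aces: list) -> list:
    """Return (principal, object DN, abuse) for allow ACEs held by non-privileged principals."""
    findings = []
    for ace in aces:
        who = ace["IdentityReference"]
        if ace["AceType"] != "AccessAllowed" or any(who.endswith(p) for p in PRIVILEGED):
            continue                              # deny ACEs and expected admins are skipped
        kind = classify(ace)
        if kind:
            findings.append((who, ace["ObjectDN"], kind))
    return findings


# Constructed ACL export (not the exam's data) mirroring the writeup's two findings.
SQLMANAGERS = "CN=SQLManagers,CN=Users,DC=garrison,DC=castle,DC=local"
PRODADMIN = "CN=prodadmin,CN=Users,DC=garrison,DC=castle,DC=local"
SAMPLE_ACES = [
    {"ObjectDN": SQLMANAGERS, "IdentityReference": "GARRISON\\devsqladmin", "AceType": "AccessAllowed",
     "ActiveDirectoryRights": "GenericAll"},
    {"ObjectDN": SQLMANAGERS, "IdentityReference": "NT AUTHORITY\\Authenticated Users",
     "AceType": "AccessAllowed", "ActiveDirectoryRights": "ReadProperty, GenericExecute"},
    {"ObjectDN": PRODADMIN, "IdentityReference": "GARRISON\\batchuser", "AceType": "AccessAllowed",
     "ActiveDirectoryRights": "ExtendedRight", "ObjectType": FORCE_CHANGE_PASSWORD},
    {"ObjectDN": PRODADMIN, "IdentityReference": "GARRISON\\Domain Admins", "AceType": "AccessAllowed",
     "ActiveDirectoryRights": "GenericAll"},
    {"ObjectDN": PRODADMIN, "IdentityReference": "GARRISON\\uatadmin", "AceType": "AccessDenied",
     "ActiveDirectoryRights": "GenericAll"},
]
```

Each finding is removed by deleting the ACE (or replacing it with the narrowest right the owner actually needs) and re-running the review until the list is empty.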

We load PRODADMIN's privileges using Invoke-Mimikatz.

We use PowerView's Find-LocalAdminAccess function to check whether we can get a session
on any new computer; in this case we can access PRODSRV and get OS command execution
as PRODADMIN.

GARRISON-DC.GARRISON.CASTLE.LOCAL - Getting serviceacct hash in PRODSRV

BloodHound gives a hint about the PRODSRV machine we just accessed.

The user serviceacct has a session on PRODSRV and is also a member of the Administrators
group in our domain, GARRISON.

Members of the Administrators group can access the Domain Controller as local
administrators; note that the Administrators group is not the same as the Domain Admins
group.
This means that serviceacct only has local administrator access on
garrison-dc.garrison.castle.local (the Domain Controller) and not on other machines (as
Domain Admins do).

By abusing this latest access to PRODSRV, we can load Mimikatz and get serviceacct's
NTLM hash for lateral movement.

We get serviceacct's NTLM hash, so we can now impersonate it to access the Domain
Controller.

We can now access garrison-dc.

Domain Admin

As a final step, since we have local administrator privileges on the Domain Controller, we can
dump the NTLM hashes of the users that have a session there.

The only Domain Admin in the GARRISON domain is logged in on garrison-dc.

By running Invoke-Mimikatz on the Domain Controller we can grab the Administrator's NTLM
hash and obtain its privileges.
Note that we executed the following commands before Invoke-Mimikatz on every
computer:

Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableRealtimeMonitoring $true

These commands temporarily disable Windows Defender's inspection of downloaded and
executed files.
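From the detection side, both Set-MpPreference commands leave traces: PowerShell script block logging records the cmdlet itself (event 4104), and the Windows Defender operational log reports real-time protection being disabled (5001) or reconfigured (5004). The Python below is an added example, not part of the writeup, that runs that logic over constructed, simplified sample events and correlates the two sources per host.

```python
import re
from collections import defaultdict

# Constructed, simplified event records (not captured in the exam): PowerShell
# script block logging (4104) and the Windows Defender operational log (5001 =
# real-time protection disabled, 5004 = its configuration changed) on a host
# where the two Set-MpPreference commands above were run.
SAMPLE_EVENTS = [
    {"host": "USER", "channel": "Microsoft-Windows-PowerShell/Operational", "id": 4104,
     "user": "GARRISON\\examAd", "message": "Set-MpPreference -DisableIOAVProtection $true"},
    {"host": "USER", "channel": "Microsoft-Windows-Windows Defender/Operational", "id": 5004,
     "user": "NT AUTHORITY\\SYSTEM", "message": "Real-time protection feature configuration changed."},
    {"host": "USER", "channel": "Microsoft-Windows-PowerShell/Operational", "id": 4104,
     "user": "GARRISON\\examAd", "message": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "USER", "channel": "Microsoft-Windows-Windows Defender/Operational", "id": 5001,
     "user": "NT AUTHORITY\\SYSTEM", "message": "Real-time protection is disabled."},
    {"host": "DEVSRV", "channel": "Microsoft-Windows-PowerShell/Operational", "id": 4104,
     "user": "GARRISON\\devsqladmin", "message": "Get-MpPreference | Select DisableRealtimeMonitoring"},
    {"host": "DEVSRV", "channel": "Microsoft-Windows-PowerShell/Operational", "id": 4104,
     "user": "GARRISON\\devsqladmin", "message": "Add-MpPreference -ExclusionPath C:\\Temp\\tools"},
]

# Set-/Add-MpPreference with any -Disable* switch or an exclusion; Get-MpPreference is read-only.
WEAKENING = re.compile(r"\b(Set|Add)-MpPreference\b[^|\n]*?-(Disable\w+|Exclusion\w+)", re.IGNORECASE)
DEFENDER_EVENTS = {5001: "real-time protection disabled",
                   5004: "real-time protection configuration changed"}

def detect_tampering(events: list) -> list:
    """Return (host, user, source, detail) alerts; source is 'cmdlet' or 'defender'."""
    alerts = []
    for ev in events:
        if ev["id"] == 4104:
            m = WEAKENING.search(ev["message"])
            if m:
                alerts.append((ev["host"], ev["user"], "cmdlet", f"{m.group(1)}-MpPreference -{m.group(2)}"))
        elif ev["channel"].endswith("Windows Defender/Operational") and ev["id"] in DEFENDER_EVENTS:
            alerts.append((ev["host"], ev["user"], "defender", DEFENDER_EVENTS[ev["id"]]))
    return alerts

def confirmed_hosts(alerts: list) -> list:
    """Hosts where the cmdlet was seen AND Defender itself logged the change (high confidence).
    Cmdlet-only hosts still need triage: an exclusion is not a real-time protection change,
    so it produces neither 5001 nor 5004."""
    seen = defaultdict(set)
    for host, _user, source, _detail in alerts:
        seen[host].add(source)
    return sorted(h for h, s in seen.items() if s >= {"cmdlet", "defender"})
```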

Once we have the Administrator's hash, we can impersonate that account.

And we get Domain Admin privileges.

Tools used
● PowerView.ps1 - Part of PowerSploit's Recon suite. PowerShell script with functions to
perform Active Directory enumeration.
https://github.com/PowerShellMafia/PowerSploit
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

● PowerView_dev.ps1 - In PowerSploit's dev branch, PowerView has some new functions (or
renamed ones) not included in master that allow more abuses of misconfigurations.
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

● PowerUp.ps1 - Script that is part of the PowerSploit suite. It enumerates common Windows
privilege escalation vectors based on misconfigurations and also provides easy abuse
functions for the identified weakness.
https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

● Invoke-PowerShellTcp.ps1 - Basic script to manage reverse or bind connections, including
interactive PowerShell shells.
https://github.com/samratashok/nishang
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1

● PowerUpSQL.ps1 - Described as a PowerShell toolkit for attacking SQL Server. It includes a
variety of functions to discover, audit and abuse SQL services in an Active Directory
environment.
https://github.com/NetSPI/PowerUpSQL
https://github.com/NetSPI/PowerUpSQL/wiki

● Invoke-Mimikatz.ps1 - Part of the PowerSploit suite; a PowerShell script that loads mimikatz
2.0 into memory and performs basic mimikatz commands such as dumping credentials,
manipulating Kerberos tickets and performing pass-the-hash and pass-the-ticket attacks.
https://github.com/PowerShellMafia/PowerSploit/tree/master/Exfiltration
https://github.com/gentilkiwi/mimikatz

● HeidiSQL - Open-source project to connect to and manipulate the most popular SQL
services.
https://www.heidisql.com/

● HFS - Open-source web server to send and receive files over the network. It can host
several files so that we can download them via Invoke-WebRequest.
https://www.rejetto.com/hfs/
