This is a write-up for the medium-difficulty “ShareThePain” machine from Hack Smarter’s new lab platform. This room is located at courses.hacksmarter.org and is available on a “pay what you can” basis as of the time of writing. I am documenting the process I used to find all information in this writeup WITHOUT including any flags, in the spirit of the game. However, following this process exactly should result in a full compromise of the target system.
Recon, Scanning, and Enumeration #
My first step was to ping the box to ensure that it was alive and ready for enumeration.
Next, I ran a quick nmap scan to see which ports were responding on the host:
This looks (mostly) like basic domain controller stuff, so next I added the machine’s hostname and domain name (found in the nmap output for RDP in this case) to my /etc/hosts file, since we’ll likely be interacting with Kerberos:
Since we don’t have any help with initial access, let’s check if the “Guest” account is enabled:
Lateral Movement and Initial Machine Access #
To see if we can brute-force user accounts, we’ll need to see if we can read the “IPC$” share. However, when listing shares, we find that the “Guest” account has interesting share access:
However, it seems like this share is currently empty:
However, there are a handful of watering-hole attacks we can pull off with write access to a share. This one uses the slinky module in netexec to write a malicious .LNK file to the share:
When a user opens the share, we can force the user into accidentally authenticating to a responder listener and capture a NetNTLMv2 hash for this user:
We can crack this user’s hash easily with ‘hashcat’ and ‘rockyou.txt’, and we can confirm these credentials using ’netexec’:
Now that we have valid domain user credentials, we can run a ‘BloodHound’ collector like ‘bloodhound-ce-python’:
Now we can use ‘BloodHound’ to view paths from owned objects:
MATCH p=shortestPath((s:Base)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|GPLink|AllowedToDelegate|CoerceToTGT|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|SyncedToEntraUser|CoerceAndRelayNTLMToSMB|CoerceAndRelayNTLMToADCS|WriteOwnerLimitedRights|OwnsLimitedRights|ClaimSpecialIdentity|CoerceAndRelayNTLMToLDAP|CoerceAndRelayNTLMToLDAPS|ContainsIdentity|PropagatesACEsTo|GPOAppliesTo|CanApplyGPO|HasTrustKeys|Contains|DCFor|SameForestTrust|SpoofSIDHistory|AbuseTGTDelegation*1..]->(t:Base))
WHERE COALESCE(s.system_tags, '') CONTAINS 'owned' AND s<>t
RETURN p
LIMIT 1000
Because the “bob.ross” user has ownership of the “alice.wonderland” user, there are a handful of ways we can gain access to this account. Unfortunately, the more responsible methods don’t work in this configuration, so we’ll have to resort to changing the password for this account:
Because the “alice.wonderland” user is a member of the “Remote Management Users” group, we can connect to the domain controller using WinRM:
Escalating Privileges #
After most other Active Directory and local privilege escalation enumeration attempts have failed, checking out the local file system will give us some hints:
So it looks like SQL is running somewhere, although we didn’t see this in our nmap scans:
However, we can use netstat to see if the process is listening internally. Here, we can see the default MSSQL port listening on the loopback IP:
So, let’s see if we can use a port-forwarding tool like Chisel to forward a connection that we can reach externally. We’ll first need to start the chisel server locally:
Then, we’ll need to upload the Windows version of the chisel binary and have it connect back to our server, forwarding the internal port 1433 to our server’s port 1433:
We can see that we get a connection back on our chisel server:
Now, we can run commands against our local port 1433 and they will be tunneled through chisel to run as though they are being run from inside the target machine:
Luckily, the “alice.wonderland” user is an SQL administrator on our target. This means that we can use netexec (again, targeting localhost to tunnel through to the internal-facing service) to run commands using xp_cmdshell:
We can see that the SQL service is running as the “nt service\mssql$sqlexpress” account. Let’s check local permissions:
Note the critical “SeImpersonatePrivilege” is enabled in this session. We can use this to run a “Potato” attack. Using our evil-winrm session as the “alice.wonderland” user, we’ll upload GodPotato and nc64, each of which I’ve renamed locally for convenience:
Since we have command execution as a user with “SeImpersonatePrivilege,” we can run GodPotato, which will run a specified command as root. We can use this to run the nc64 binary to facilitate a reverse shell, which we’ll catch in a handler on our local machine:
Now that we have a shell as the “NT AUTHORITY\SYSTEM” account on the domain controller, we could technically read the root.txt file and get all the points for the challenge. However, there is one more step before we have a full compromise of the domain, so let’s hold off momentarily.
Since the “NT AUTHORITY\SYSTEM” account has full permissions on the system, we can dump the SYSTEM and SAM registry hives, which we can then download using our evil-winrm session as the “alice.wonderland” user:
Now that we have the registry hives saved locally, we can run impacket-secretsdump against them to dump the SAM:
Now that we have the hashes, we can use the local Administrator’s account to DCSync the domain:
NOW we have a full compromise of the domain, so let’s grab our flag:
Thank you to Hack Smarter and the lab creator, Ryan Yager, for the development and distribution of this challenge!