Home Capture The Flag Write-ups SANS Holiday Hack 2018: Objective 5: AD Privilege Discovery

SANS Holiday Hack 2018: Objective 5: AD Privilege Discovery

Posted on Posted in Capture The Flag Write-ups, SANS Holiday Hack 2018

Objective: Using the data set contained in this SANS Slingshot Linux image, find a reliable path from a Kerberoastable user to the Domain Admins group. What’s the user’s logon name? Remember to avoid RDP as a control path as it depends on separate local privilege escalation flaws. For hints on achieving this objective, please visit Holly Evergreen and help her with the CURLing Master Cranberry Pi terminal challenge.

Answer: LDUBEJ00320@AD.KRINGLECASTLE.COM

Analysing the SANS Slingshot Linux image
Downloading the OVA file HHC2018-DomainHack_2018-12-19.ova and then opening with VMware Workstation Player (couldn’t get it to work with Oracle Virtual Box), provides a Slingshot Linux Environment.

Straight away on the desktop I saw the link to Bloodhound and recognised it from one of the Kringlecon talk.

I’d never used Bloodhound before so the reference to the demo, supplied as a hint from Holly Evergreen, was really useful:

https://www.youtube.com/watch?v=gOpsLiJFI1o&feature=youtu.be

So I opened up Bloodhound, it was already configured, and straight away I was welcomed by a visualisation of the users who are members of the Domain Admins group:


I was unsure if these were any of the users we were looking for, but it seemed a bit too easy. We needed a “path from a Kerberoastable user to the Domain Admins group”, so doing a bit of digging and following tutorials we found the predefined queries and in particular “Shortest Paths to Domain Admins from Kerberoastable Users” (which looks useful):

Clicking on this query provided the lovely visualisation graph below:

Now within this graph we were looking for a user that has links to the Domain Admins remembering “to avoid RDP as a control path”.

So out of the paths we have the shortest one from a user at one end to the Domain Admins at the other, without a CanRDP relationship is the user:

LDUBEJ00320@AD.KRINGLECASTLE.COM

I really need to read-up on Active Directory to understand what this all actually means. But Bloodhound appears to be a powerful visualisation and graphing tool to view routes through these networks.