1 00:00:00,210 --> 00:00:01,440 Welcome back.
2 00:00:01,440 --> 00:00:05,190 Let's perform the last two steps of our challenge.
3 00:00:05,190 --> 00:00:08,730 So we successfully compromised the Active Directory
4 00:00:08,730 --> 00:00:12,030 by getting access to the svc-admin account, and
5 00:00:12,030 --> 00:00:14,370 towards the end of the last lecture we also saw
6 00:00:14,370 --> 00:00:16,379 that we can access the backup share,
7 00:00:16,379 --> 00:00:19,020 and we got credentials out of that share
8 00:00:19,020 --> 00:00:23,820 since they were stored in a file that we had access to.
9 00:00:23,820 --> 00:00:26,640 Once we decoded the file content
10 00:00:26,640 --> 00:00:30,900 we got the password for that account, which is right here.
11 00:00:30,900 --> 00:00:33,720 Now let's see how we can use that to our advantage.
12 00:00:33,720 --> 00:00:35,310 And let's move on to the next step,
13 00:00:35,310 --> 00:00:37,860 which is domain privilege escalation:
14 00:00:37,860 --> 00:00:40,470 elevating privileges within the domain.
15 00:00:40,470 --> 00:00:43,200 Okay, let's read what it says.
16 00:00:43,200 --> 00:00:45,780 Now that we have new user account credentials,
17 00:00:45,780 --> 00:00:48,510 we may have more privileges on the system than before.
18 00:00:48,510 --> 00:00:50,010 Since, if you remember,
19 00:00:50,010 --> 00:00:52,980 svc-admin couldn't really access anything else
20 00:00:52,980 --> 00:00:54,840 but the backup share.
21 00:00:54,840 --> 00:00:56,790 But now we got the backup account as well.
22 00:00:56,790 --> 00:01:00,210 So the username of the account, backup, gets us thinking:
23 00:01:00,210 --> 00:01:02,850 what is this backup account for?
24 00:01:02,850 --> 00:01:05,850 Well, it is the backup account for the domain controller.
25 00:01:05,850 --> 00:01:08,949 This account has a unique permission that allows
26 00:01:08,949 --> 00:01:12,030 all Active Directory changes to be synced
27 00:01:12,030 --> 00:01:14,310 with this user account.
28 00:01:14,310 --> 00:01:17,193 This includes password hashes.
29 00:01:18,090 --> 00:01:20,820 Knowing this, we can use another tool
30 00:01:20,820 --> 00:01:25,530 within Impacket called secretsdump.py.
31 00:01:25,530 --> 00:01:27,360 This will allow us to retrieve all
32 00:01:27,360 --> 00:01:31,590 of the password hashes that this user account has to offer.
33 00:01:31,590 --> 00:01:34,980 And exploiting this, we will effectively have full control
34 00:01:34,980 --> 00:01:37,440 over the Active Directory domain.
35 00:01:37,440 --> 00:01:38,820 Okay, awesome.
36 00:01:38,820 --> 00:01:40,560 So we know which tool to use.
37 00:01:40,560 --> 00:01:44,340 We got provided that tool in the Impacket that we downloaded
38 00:01:44,340 --> 00:01:46,200 at the beginning of this challenge.
39 00:01:46,200 --> 00:01:50,793 So the file that we want to access is secretsdump.py.
40 00:01:52,050 --> 00:01:54,660 Let's clear this.
41 00:01:54,660 --> 00:01:56,250 And my Impacket is
42 00:01:56,250 --> 00:01:59,490 in the /opt directory, and
43 00:01:59,490 --> 00:02:01,740 I should have secretsdump.py.
44 00:02:01,740 --> 00:02:06,240 And by the way, if you wonder how any of these files work,
45 00:02:06,240 --> 00:02:09,750 you can just nano it to read the code.
46 00:02:09,750 --> 00:02:11,580 We already covered Python.
47 00:02:11,580 --> 00:02:14,190 Now this may be a little bit more advanced compared
48 00:02:14,190 --> 00:02:17,790 to what we coded, since it does include classes,
49 00:02:17,790 --> 00:02:19,560 methods and all of that.
50 00:02:19,560 --> 00:02:21,450 But nonetheless, this is Python
51 00:02:21,450 --> 00:02:25,470 and you should be familiar with most of the code right here.
52 00:02:25,470 --> 00:02:26,303 Okay.
53 00:02:28,440 --> 00:02:30,990 Now that we know which tool to use,
54 00:02:30,990 --> 00:02:32,590 let's use it with sudo,
55 00:02:32,590 --> 00:02:35,890 since it probably does require sudo, and
56 00:02:36,990 --> 00:02:39,180 let's see if it does provide anything to us
57 00:02:39,180 --> 00:02:41,520 once we specify -h.
58 00:02:41,520 --> 00:02:44,040 So we do get the help manual right here,
59 00:02:44,040 --> 00:02:46,800 and -dc-ip is what we want.
60 00:02:46,800 --> 00:02:48,810 It is the IP address of the domain controller.
61 00:02:48,810 --> 00:02:51,990 We want to specify it, as with the previous commands,
62 00:02:51,990 --> 00:02:56,990 as the option for the IP address of our target to connect to.
63 00:02:58,140 --> 00:03:00,120 So let's specify it.
64 00:03:00,120 --> 00:03:00,953 First,
65 00:03:02,280 --> 00:03:03,540 paste the IP address,
66 00:03:03,540 --> 00:03:05,370 and after that,
67 00:03:05,370 --> 00:03:06,240 all we need to do is
68 00:03:06,240 --> 00:03:10,080 provide the backup account credentials on the domain.
69 00:03:10,080 --> 00:03:14,550 So it's spookysec.local/backup,
70 00:03:14,550 --> 00:03:15,840 so it's no longer svc-admin.
71 00:03:15,840 --> 00:03:17,760 Now we want to access backup,
72 00:03:17,760 --> 00:03:22,260 and the password is 'backup...' and it's written right here.
73 00:03:22,260 --> 00:03:23,350 We can just
74 00:03:24,240 --> 00:03:27,780 copy it. Or, since I already typed backup,
75 00:03:27,780 --> 00:03:29,670 2 5 1 7
76 00:03:29,670 --> 00:03:31,050 8 6 0.
77 00:03:31,050 --> 00:03:33,130 So 2 5 1 7
78 00:03:34,350 --> 00:03:36,243 8 6 0.
79 00:03:37,170 --> 00:03:40,620 Alright, so we specified the secretsdump,
80 00:03:40,620 --> 00:03:43,770 which is the tool that we got provided with to use.
81 00:03:43,770 --> 00:03:47,190 We specified the IP address of our domain,
82 00:03:47,190 --> 00:03:50,460 and then we specified the full path, or full domain,
83 00:03:50,460 --> 00:03:54,240 with the account and its password that we want to use.
84 00:03:54,240 --> 00:03:55,713 Let's press enter.
85 00:03:59,490 --> 00:04:02,670 Okay, so we do get some error.
86 00:04:02,670 --> 00:04:06,180 Let's see, why do we get the error?
87 00:04:06,180 --> 00:04:08,850 RemoteOperations failed: connection
88 00:04:08,850 --> 00:04:12,513 error, name or service not known.
89 00:04:13,875 --> 00:04:15,760 Okay, so we might need to
90 00:04:16,800 --> 00:04:17,980 also provide
91 00:04:19,170 --> 00:04:20,130 the IP address
92 00:04:20,130 --> 00:04:20,963 at the end.
93 00:04:24,000 --> 00:04:25,290 Let's try it like this.
94 00:04:25,290 --> 00:04:28,080 So once again, we did provide it right here,
95 00:04:28,080 --> 00:04:30,240 but it also needs to be provided with the domain.
96 00:04:30,240 --> 00:04:32,880 So we use the backup account at this IP address,
97 00:04:32,880 --> 00:04:36,450 which is once again the target's IP.
98 00:04:36,450 --> 00:04:38,733 And if I press enter,
99 00:04:43,110 --> 00:04:45,030 okay, now it works.
100 00:04:45,030 --> 00:04:47,100 Here we get the hashes
101 00:04:47,100 --> 00:04:49,740 of all of the accounts on this Active Directory.
102 00:04:49,740 --> 00:04:52,980 And specifically we would most likely be interested
103 00:04:52,980 --> 00:04:55,683 in the administrator hash right here.
104 00:04:56,580 --> 00:04:58,470 Since with this hash
105 00:04:58,470 --> 00:05:02,760 we can actually use a different tool that we got told to use
106 00:05:02,760 --> 00:05:05,010 at the beginning of the challenge, which we will see
107 00:05:05,010 --> 00:05:08,490 in just a second, to access the administrator account
108 00:05:08,490 --> 00:05:10,893 with just this hash.
109 00:05:12,150 --> 00:05:15,090 Now, this entire line is not the entire hash.
110 00:05:15,090 --> 00:05:16,530 What we are mostly interested
111 00:05:16,530 --> 00:05:20,820 in, or what the NTLM hash will be, is just
112 00:05:20,820 --> 00:05:24,510 this third part right here, which starts with 0e.
113 00:05:24,510 --> 00:05:27,720 So we can just copy it, 0e,
114 00:05:27,720 --> 00:05:30,570 and then we can use a different tool to
115 00:05:30,570 --> 00:05:33,510 access the administrator account using this hash.
116 00:05:33,510 --> 00:05:37,420 So the tool that we want to use, let me just clear this,
117 00:05:38,926 --> 00:05:40,410 is evil-
118 00:05:40,410 --> 00:05:41,880 winrm.
119 00:05:41,880 --> 00:05:44,700 This tool will allow us to gain access
120 00:05:44,700 --> 00:05:46,542 to this Active Directory
121 00:05:46,542 --> 00:05:50,730 by just providing the username and the hash value.
122 00:05:50,730 --> 00:05:52,440 So if I type it,
123 00:05:52,440 --> 00:05:54,990 I'll most likely need to use it with sudo.
124 00:05:54,990 --> 00:05:59,250 And then here I have the command auto-completed
125 00:05:59,250 --> 00:06:00,330 from before.
126 00:06:00,330 --> 00:06:05,220 But all I want to do is change the IP address,
127 00:06:05,220 --> 00:06:07,110 because it's not the same.
128 00:06:07,110 --> 00:06:12,110 So this is the command: sudo evil-winrm -i.
129 00:06:12,930 --> 00:06:16,050 -i will be for the IP address of the target. Here
130 00:06:16,050 --> 00:06:20,070 we specify the IP, then -u, which stands for username,
131 00:06:20,070 --> 00:06:22,980 where you want to specify the username, and then
132 00:06:22,980 --> 00:06:27,980 -H (capital H), where you will specify the actual hash value
133 00:06:28,920 --> 00:06:30,840 for that account, which we got
134 00:06:30,840 --> 00:06:33,150 by using the secretsdump tool.
135 00:06:33,150 --> 00:06:35,163 Okay, let's press enter.
136 00:06:39,210 --> 00:06:42,120 It might take a few seconds to work,
137 00:06:42,120 --> 00:06:45,390 and hopefully, if it works, we will get access
138 00:06:45,390 --> 00:06:48,243 to the administrator account on the domain.
139 00:06:49,950 --> 00:06:51,420 Here it is.
140 00:06:51,420 --> 00:06:52,893 If I type whoami,
141 00:06:53,820 --> 00:06:57,510 I am THM-AD, which, remember, is the NetBIOS
142 00:06:57,510 --> 00:07:01,199 domain that we specified in the first or
143 00:07:01,199 --> 00:07:04,590 in the second enumeration of this machine,
144 00:07:04,590 --> 00:07:07,740 and then \administrator, which is our account.
145 00:07:07,740 --> 00:07:11,460 And we are in the Administrator directory.
146 00:07:11,460 --> 00:07:14,610 So we successfully escalated our privileges by
147 00:07:14,610 --> 00:07:16,050 getting this hash,
148 00:07:16,050 --> 00:07:19,800 providing it to evil-winrm, which allowed us
149 00:07:19,800 --> 00:07:22,980 to actually get access to the administrator account.
150 00:07:22,980 --> 00:07:25,080 And now let's see why that is possible.
151 00:07:25,080 --> 00:07:28,590 Or, in other words, let's answer these questions right here.
152 00:07:28,590 --> 00:07:31,860 So what method allowed us to dump
153 00:07:31,860 --> 00:07:33,033 NTDS.DIT?
154 00:07:34,770 --> 00:07:37,800 And for anyone who's wondering what that is,
155 00:07:37,800 --> 00:07:38,633 let me just show you.
156 00:07:38,633 --> 00:07:41,670 I exited the session with the administrator.
157 00:07:41,670 --> 00:07:46,670 Once we ran secretsdump with the backup account,
158 00:07:47,460 --> 00:07:51,130 remember, we got all the hashes, but we get the answer
159 00:07:52,009 --> 00:07:54,131 to this question somewhere towards the beginning.
160 00:07:54,131 --> 00:07:55,770 So here it is: using the
161 00:07:55,770 --> 00:07:57,330 DRSUAPI
162 00:07:57,330 --> 00:07:58,620 method
163 00:07:58,620 --> 00:08:01,590 we got NTDS.DIT secrets.
164 00:08:01,590 --> 00:08:04,883 So we can specify the method DRSUAPI.
165 00:08:04,883 --> 00:08:07,800 And what is the administrator NTLM hash?
166 00:08:07,800 --> 00:08:10,440 NTLM hash, as I said, it's the third part.
167 00:08:10,440 --> 00:08:12,960 So just copy-paste it right here.
168 00:08:12,960 --> 00:08:14,550 Should be correct.
169 00:08:14,550 --> 00:08:17,220 What method of attack could allow us to authenticate
170 00:08:17,220 --> 00:08:21,360 as the user without a password? Which we saw one minute ago,
171 00:08:21,360 --> 00:08:25,710 once we used evil-winrm: it is the pass-the-hash attack.
172 00:08:25,710 --> 00:08:27,240 So with the pass-the-hash attack,
173 00:08:27,240 --> 00:08:29,760 or with the attack that we used right
174 00:08:29,760 --> 00:08:31,950 before going to answer these questions,
175 00:08:31,950 --> 00:08:34,802 we successfully got access to the administrator account
176 00:08:34,802 --> 00:08:36,990 without even knowing their password.
177 00:08:36,990 --> 00:08:39,840 We only had their hash. We provided the hash,
178 00:08:39,840 --> 00:08:43,440 and we logged in to the account with just the hash,
179 00:08:43,440 --> 00:08:45,390 using a tool called evil-winrm,
180 00:08:45,390 --> 00:08:47,040 which we just did.
181 00:08:47,040 --> 00:08:50,820 What option will allow us to use a hash?
182 00:08:50,820 --> 00:08:52,560 And here it's -H,
183 00:08:52,560 --> 00:08:55,890 and I believe that's also what we used, the -H (capital H),
184 00:08:55,890 --> 00:08:57,806 which allowed us to pass the hash
185 00:08:57,806 --> 00:08:59,430 for the administrator account
186 00:08:59,430 --> 00:09:01,110 and get access to it like that.
187 00:09:01,110 --> 00:09:03,030 So let's do it once again,
188 00:09:03,030 --> 00:09:05,643 and let's move on to the flag submission.
189 00:09:07,890 --> 00:09:10,620 So flag submission is simply just finding the flag
190 00:09:10,620 --> 00:09:13,860 for these three accounts on the domain.
191 00:09:13,860 --> 00:09:17,820 So, as we are already logged in as the administrator account,
192 00:09:17,820 --> 00:09:19,415 we can type dir to see
193 00:09:19,415 --> 00:09:21,510 if there's anything in this directory.
194 00:09:21,510 --> 00:09:23,913 If I go back, type dir here,
195 00:09:25,740 --> 00:09:29,160 and if I remember correctly,
196 00:09:29,160 --> 00:09:31,560 the flag will be on the Desktop.
197 00:09:31,560 --> 00:09:33,420 So let's go to the Desktop directory.
198 00:09:33,420 --> 00:09:36,750 Here it is: root.txt.
199 00:09:36,750 --> 00:09:41,163 We can use the type command to type it out: type root.txt.
200 00:09:42,150 --> 00:09:46,140 And here's the flag for the administrator account,
201 00:09:46,140 --> 00:09:47,460 which we can provide right here.
202 00:09:47,460 --> 00:09:50,940 Now, you can log in as different accounts to get access
203 00:09:50,940 --> 00:09:54,330 to backup and svc-admin, but it is not needed.
204 00:09:54,330 --> 00:09:57,930 Remember, we are admin; we can access these accounts as well.
205 00:09:57,930 --> 00:09:59,410 So all we need to do,
206 00:10:02,100 --> 00:10:03,646 oops,
207 00:10:03,646 --> 00:10:07,260 is go back to the Users directory.
208 00:10:07,260 --> 00:10:09,567 So we went all the way back to the Users directory.
209 00:10:09,567 --> 00:10:12,840 And here, in Users, we have the svc-admin,
210 00:10:12,840 --> 00:10:15,090 which is required right here.
211 00:10:15,090 --> 00:10:16,480 So let's get the svc-admin
212 00:10:20,040 --> 00:10:20,873 flag.
213 00:10:23,490 --> 00:10:26,760 Let's say that it might also be on the Desktop.
214 00:10:26,760 --> 00:10:30,390 And yes, it even says right here, they can be located
215 00:10:30,390 --> 00:10:33,482 on each user's Desktop.
216 00:10:33,482 --> 00:10:38,463 So dir will tell us the name, and if we type user.txt...
217 00:10:44,280 --> 00:10:47,040 Oh, it's user.txt.txt.
218 00:10:47,040 --> 00:10:48,870 Here is the
219 00:10:48,870 --> 00:10:50,170 value, or the
220 00:10:51,090 --> 00:10:52,020 flag.
221 00:10:52,020 --> 00:10:53,283 Let's copy it.
222 00:10:55,710 --> 00:10:57,700 Paste it under the svc-admin,
223 00:10:58,740 --> 00:11:01,770 and we can submit it. Should be correct.
224 00:11:01,770 --> 00:11:05,460 And here is one more step, for the backup account.
225 00:11:05,460 --> 00:11:07,143 We just do the same thing.
226 00:11:11,730 --> 00:11:14,313 Let's see if there's backup right here; there should be.
227 00:11:15,720 --> 00:11:17,163 There's the backup account.
228 00:11:18,180 --> 00:11:20,613 Let's go to the Desktop, dir.
229 00:11:21,690 --> 00:11:22,523 Type
230 00:11:24,918 --> 00:11:26,193 PrivEsc.txt.
231 00:11:28,043 --> 00:11:30,390 And here is the flag
232 00:11:30,390 --> 00:11:32,670 for the backup account.
233 00:11:32,670 --> 00:11:37,530 We paste it right here, and it should also be correct.
234 00:11:37,530 --> 00:11:41,550 So we successfully completed the entire challenge
235 00:11:41,550 --> 00:11:44,430 of hacking, or compromising, the Active Directory
236 00:11:44,430 --> 00:11:47,340 and also performing privilege escalation
237 00:11:47,340 --> 00:11:50,160 on it to gain access to the administrator account.
238 00:11:50,160 --> 00:11:51,360 And
239 00:11:51,360 --> 00:11:52,193 at the end
240 00:11:52,193 --> 00:11:55,050 we provided these three flags, which are needed.
241 00:11:55,050 --> 00:11:56,790 Okay, awesome.
242 00:11:56,790 --> 00:11:59,310 Now, in case you didn't understand some
243 00:11:59,310 --> 00:12:01,350 of the stuff that we covered here,
244 00:12:01,350 --> 00:12:03,330 it's really important, what I mentioned at the beginning
245 00:12:03,330 --> 00:12:06,600 of the challenge, to learn about Active Directory,
246 00:12:06,600 --> 00:12:08,340 learn about how it works,
247 00:12:08,340 --> 00:12:10,770 so you can fully understand this challenge.
248 00:12:10,770 --> 00:12:13,200 Now, this is not really a beginner challenge,
249 00:12:13,200 --> 00:12:15,180 but it's also not too advanced.
250 00:12:15,180 --> 00:12:16,410 It's somewhere in the medium,
251 00:12:16,410 --> 00:12:20,370 and I believe that's how it's ranked as well.
252 00:12:20,370 --> 00:12:21,880 I know, somewhere here, yeah,
253 00:12:22,762 --> 00:12:23,910 here it is, the difficulty is medium.
254 00:12:23,910 --> 00:12:26,370 So it's not too hard, but it's also not
255 00:12:26,370 --> 00:12:29,250 for beginners, because it does require knowledge
256 00:12:29,250 --> 00:12:31,860 of using these different tools that we covered,
257 00:12:31,860 --> 00:12:33,150 and also knowledge
258 00:12:33,150 --> 00:12:37,020 of how Active Directory works and what types
259 00:12:37,020 --> 00:12:40,920 of attacks we can perform on the Active Directory.
260 00:12:40,920 --> 00:12:43,020 So play with this a little bit more.
261 00:12:43,020 --> 00:12:45,120 You can redo this on your own
262 00:12:45,120 --> 00:12:47,940 if you think that will boost your skills,
263 00:12:47,940 --> 00:12:50,640 but you can also cover other machines on
264 00:12:50,640 --> 00:12:51,840 the TryHackMe platform.
265 00:12:51,840 --> 00:12:54,250 There are also free ones, there are paid ones,
266 00:12:55,117 --> 00:12:56,610 and you can cover different machines
267 00:12:56,610 --> 00:12:58,620 and practice your skills,
268 00:12:58,620 --> 00:13:01,980 whether that be attacking a different Active Directory
269 00:13:01,980 --> 00:13:04,920 or whether that be performing any other type
270 00:13:04,920 --> 00:13:07,680 of attack that we covered throughout the course.
271 00:13:07,680 --> 00:13:09,420 Nonetheless, thank you for watching,
272 00:13:09,420 --> 00:13:11,823 and I will see you in the next lecture.