
THM: Advent of Cyber 2023 - Day 11 - Jingle Bells, Shadow Spells

TryHackMe Active-Directory Ad Shadow-Credentials Msds-Keycredentiallink Pass-the-Hash Rubeus Evil-Winrm
Author
eplots
Systemcoordinator, Dabble in Cybersecurity, Self-hosting Hobbyist.
Advent of Cyber 2023 - This article is part of a series.
Part 11: This Article
The eleventh day of AoC23 consists of an Active Directory task.
In the Active Directory there are users with too many permissions. We are going to exploit these permissions to gain access to other users' accounts.

Learning Objectives

  • Understanding Active Directory
  • Introduction to Windows Hello for Business
  • Prerequisites for exploiting GenericWrite privilege
  • How the Shadow Credential attack works
  • How to exploit the vulnerability

Overview

These are my key takeaways from today:

  • WHfB, Windows Hello for Business, is a modern and secure way to replace conventional password-based authentication. It uses cryptographic keys for user verification: the user gains access using a PIN or biometrics tied to a public/private key pair.
  • msDS-KeyCredentialLink is an attribute used by the Domain Controller (DC) to store the public key that WHfB registers when enrolling a new user device.
  • If an attacker is able to overwrite the msDS-KeyCredentialLink attribute of a vulnerable user, that user can be compromised.
  • Whisker is an application that can update the msDS-KeyCredentialLink attribute of a vulnerable user.

Storing a new key pair and certificate in WHfB

  1. The Trusted Platform Module (TPM) creates a public/private key pair for the account. The private key never leaves the TPM and should never be disclosed.
  2. The client initiates a certificate request to receive a trustworthy certificate. The organisation's CA (Certificate Authority) receives the request and issues a valid certificate.
  3. The user account's msDS-KeyCredentialLink attribute is set (it holds the public key from step 1).

Authentication Process

  1. The DC decrypts the client's pre-authentication data using the raw public key stored in the msDS-KeyCredentialLink attribute of the user account.
  2. The DC creates a certificate for the user and sends it back to the client.
  3. The client can log in to AD using that certificate.

Enumeration

We are specifically looking for any write privilege, since the goal is to overwrite msDS-KeyCredentialLink.

Start by bypassing PowerShell's execution policy: powershell -ep bypass. Then load PowerView into memory: . ./Powerview.ps1.

You can now enumerate privileges. The full command to find what we are looking for is:

Find-InterestingDomainAcl -ResolveGuids | Where-Object { $_.IdentityReferenceName -eq "hr" } | Select-Object IdentityReferenceName, ObjectDN, ActiveDirectoryRights

We are looking for GenericWrite in the ActiveDirectoryRights column.

If it is found, we can perform the Shadow Credentials attack.
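The same precondition can be audited from the defender's side. The following PowerShell script is an added example, not code from the room or from this post: it lists ACEs on user objects that grant a non-default principal GenericAll, GenericWrite, WriteDacl, WriteOwner, or WriteProperty on msDS-KeyCredentialLink, which is exactly what an attacker would need before running Whisker. It assumes the RSAT ActiveDirectory module on a domain-joined host, and the list of expected principals is an assumption to adjust for your domain.

```powershell
# Added audit example (not part of the TryHackMe task or this post).
# Finds ACEs on user objects that would let a principal set msDS-KeyCredentialLink.
# Assumes: RSAT ActiveDirectory module, domain-joined host, read access to the schema.
Import-Module ActiveDirectory

# Resolve the attribute's schemaIDGUID from the schema instead of hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNC `
              -LDAPFilter '(lDAPDisplayName=msDS-KeyCredentialLink)' `
              -Properties schemaIDGUID
$kclGuid  = [guid]$attr.schemaIDGUID

# Rights that are sufficient to write the attribute regardless of the ACE's ObjectType.
$broadRights = @(
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
)

# Principals whose write access is expected (assumption: extend with your own tier-0 groups).
$expected = '^(NT AUTHORITY\\SELF|NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|' +
            '.*\\Domain Admins|.*\\Enterprise Admins|.*\\Key Admins|.*\\Enterprise Key Admins)$'

Get-ADUser -Filter * | ForEach-Object {
    $user = $_
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -match $expected) { continue }

        $broad = $false
        foreach ($r in $broadRights) { if ($ace.ActiveDirectoryRights.HasFlag($r)) { $broad = $true } }

        # WriteProperty with an empty ObjectType covers all attributes; a specific
        # ObjectType only matters when it is msDS-KeyCredentialLink itself.
        $propWrite = $ace.ActiveDirectoryRights.HasFlag(
                         [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
                     ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $kclGuid)

        if ($broad -or $propWrite) {
            [pscustomobject]@{
                User       = $user.SamAccountName
                Principal  = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights.ToString()
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
            }
        }
    }
} | Format-Table -AutoSize
```

Any row whose Principal is an ordinary user or group (such as the "hr" group in this room) is a finding: that principal can register its own key on the listed user.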

Exploitation

Whisker is a C# application that targets a vulnerable user and simulates the enrollment of a malicious device, updating the user's msDS-KeyCredentialLink attribute.

.\Whisker.exe add /target:NAMEOFTARGET

Whisker outputs a command to run with another C# application called Rubeus. This obtains an NTLM hash, which is then used in a pass-the-hash attack with a tool called Evil-WinRM:

evil-winrm -i 10.10.52.167 -u USERNAME -H HASH

Questions

  1. What is the hash of the vulnerable user?

Run PowerView, Whisker and Rubeus in order and you will get the hash.

  2. What is the content of flag.txt on the Administrator Desktop?

Run evil-winrm, change directory to the Administrator's Desktop and you will get the flag.
