This article recounts a simulated Active Directory (AD) attack, detailing enumeration steps after conducting a network scan using Nmap. The attacker uses tools like Kerbrute and BloodHound to identify and exploit vulnerabilities in the AD environment, ultimately gaining administrator access through password spraying and privilege escalation techniques. Affected: Active Directory, Windows Server
Keypoints :
- Nmap scanning reveals open ports and services on the target server.
- Successful enumeration of SMB and Kerberos services to gather user credentials.
- Utilized tools such as Kerbrute for user enumeration and NetExec for credential cracking.
- Found vulnerable SMB shares allowing access to user directories and files.
- Modified a login script to facilitate a reverse shell connection for initial access.
- BloodHound was used for privilege escalation by exploiting group policy misconfigurations.
- Successfully gained administrator access after leveraging weak permissions in AD.
MITRE Techniques :
- TA0001 Initial Access – Phishing: Exploiting legitimate user accounts to gain access to the system.
- T1190 Exploit Public-Facing Application: Attacker exploiting misconfigurations in the AD environment.
- T1078 Valid Accounts: Utilizing valid account credentials for authentication.
- T1203 Exploitation for Client Execution: Modifying scripts to execute malicious code.
- T1059 Command and Scripting Interpreter: Using PowerShell to execute commands and scripts for malicious purposes.
Indicator of Compromise :
- [IP Address] 10.10.96.97
- [Domain] baby2.vl
- [URLs] http://10.8.5.124:8888/nc.exe
- [Hash] VL{f0205b652}
- [Email Address] [email protected]
Full Story: https://infosecwriteups.com/baby2-vulnlab-gpo-misconfiguration-a1b14d6a3929?source=rss—-7b722bfd1b8d—4