VulnLab Trusted | Maverick Got Your Trusted Baby

In this article, the author, Maverick, recounts a black-hat hacking adventure using a vulnerable web application as the entry point to exploit Active Directory (AD). The narrative details techniques for bypassing RDP restrictions, taking advantage of AD trust relationships, and performing various attacks including Kerberoasting and LFI (Local File Inclusion) to escalate privileges. After gaining significant access, the author employs tools like Mimikatz for privilege escalation and hash dumping. The exploration emphasizes effective enumeration techniques and the importance of careful mapping in AD environments.

Affected: web applications, Active Directory, RDP services

Key points:

  • Maverick returns for another hacking adventure focused on exploiting a machine from VulnLab.
  • The initial access is gained through a web application, signaling the importance of web vulnerabilities.
  • RDP bypass techniques are applied to gain unauthorized access to the AD environment.
  • Multiple techniques such as Kerberos magic, token manipulation, and AD trust abuse are showcased.
  • Local File Inclusion (LFI) is exploited to retrieve MySQL credentials for further access.
  • Privilege escalation and domain admin access are achieved through smart techniques like DCSync and Mimikatz.
  • The article highlights the importance of methodical enumeration of services like SMB and LDAP in AD environments.
  • Trust attacks are emphasized as a key strategy for exploiting weak domain configurations.

MITRE Techniques:

  • T1075 – Pass the Hash: Used to authenticate to services with hashed credentials.
  • T1078 – Valid Accounts: Gained access using a compromised MySQL account.
  • T1069 – Permission Groups Discovery: Enumerated AD user and group memberships.
  • T1086 – PowerShell: Used in the attack to execute scripts for enumeration and exploitation.
  • T1550 – Use Alternate Authentication Material: Leveraged stolen credentials for accessing different services.

Indicators of Compromise:

  • [IP Address] 10.10.231.181
  • [IP Address] 10.10.231.182
  • [Domain] trusted.vl
  • [Domain] lab.trusted.vl
  • [Email Address] [email protected]

Full Story: https://infosecwriteups.com/vulnlab-trusted-maverick-got-your-trusted-baby-71420c15273e?source=rss----7b722bfd1b8d---4