Tuesday, 4 February 2020

Pentester Academy - Active Directory Lab Review

tl;dr:

The Active Directory Lab from Pentester Academy is an awesome course and I can highly recommend it. The course is really cheap for the amount of information and practice you get. In my opinion it should become a standard like OSCP for the infosec community.

Link to the course

Intro:

In mid-November 2019 I bought the lab. I asked Nikhil Mittal (creator of the lab) if I could get the videos immediately but start the lab later, and it was no problem (please try this once with OSCP..). Whenever I had time I watched the next video. Since I had a lot of work to finish (delivering customer projects, exams at university and doing stuff for my master thesis) it took me 2 months to watch all videos (and to read again the huge number of Windows Active Directory blog posts which I collected over the last years). I wrote to the support team late on a Saturday night after Christmas to start the lab time, and the next morning I already had the access credentials in my mailbox (the support team is really awesome!).


The material (videos & slides):

The videos are at a good pace; however, I already knew a lot about Active Directory exploitation and therefore watched the videos at 1.5x speed using VLC (the videos can be downloaded from Google Drive).

I didn't think that anything new to me would be covered, but I was convinced otherwise. For example, I didn't know the DNS Admin exploitation before and I never studied the silver ticket attacks in this depth. I had already read about most of the persistence techniques, but since I'm not doing them during audits it was a good refresher. The practical exploitation of the persistence techniques was therefore also new to me and I really liked the exercises (especially the constrained delegation exploitation exercises).

Stuff which is "not covered":

The course is a really, really good introduction to the topic, a lot better than I expected. It must also be mentioned that the course is for beginners and therefore doesn't cover everything (but it already covers a huge amount!). For example, NTLM relaying is not covered in the course. Another example is the exploitation of unconstrained delegation (or kerberoasting attacks). Both attacks are covered, but there are some newer techniques which are not covered (from reading other reviews I know that they are covered in the later labs from Nikhil Mittal ;) ). And as far as I can remember, resource based constrained delegation is not covered (but you can learn this by just reading one blog post after the course).

The lab:

The lab is accessible either via VPN+RDP or via a website. I used the website 99% of the time because it is fast, works perfectly and you don't have resolution or keyboard problems (English vs. German keyboard). You can also quickly take screenshots using the Windows 10 shortcut windows+shift+s. You need to click on the taskbar first and then press the shortcut; however, I noticed that the quality of the stream decreases when you don't focus the browser. But when you click on the taskbar, click on the browser and click again on the taskbar, the desktop is still shown in high quality and you can take a screenshot. The only downside of the website is that copy&paste into the lab doesn't work. However, I think that's good because it forces you to type the commands manually, which helps a lot to remember the commands. Copying the commands afterwards from the VM to the host system works without a problem (e.g. to save all required commands in a cheatsheet text file).

I bought 30 days of lab access; however, my father had to go to hospital during my lab time (and I therefore visited him / my mother several times), my girlfriend had an operation in this time and I had to study because all my university exams were in this month. So in the end I used only about 5 days of the lab access, but it was enough to finish all tasks (I really wish I had more time to play around in the lab).

The lab documentation (solutions):

The lab guide is good. I solved most of the tasks alone, but when I was stuck I just checked the PDF solutions. Sometimes some stuff is missing in the PDF (e.g.: the DAMP script must be fixed, or sometimes you need to purge your Kerberos tickets first), but then you still have the video walk-through where everything is shown exactly.

The only suggestions I have:
  • There is no overall picture of all executed attacks. For example, it can be that task 10 builds on something you obtained in task 3, and in task 14 you depend on stuff from task 6. So it's sometimes a little bit confusing to follow the complete attack path from start to end. But maybe that's intentional so that the student creates such a mindmap for himself.
  • Sometimes it's hard to know if we should use PowerView.ps1 or PowerView_dev.ps1, but you can just try both and see which one works (in the lab solution; in the slides it's marked).

Tips:

  • For some ticket related operations a reboot of the system is required to clear the tickets from memory. "klist purge" is maybe not enough. You can also see this in one of the videos from the author where he suddenly has SMB access to the domain controller although he purged the tickets. So if you try different attacks in a row, reboot in between so that you can start the next attack from a fresh state.
  • If you use the browser to access the machine, just reboot the system; then a 15 second counter starts and after that you are connected again to the rebooted system.
  • When doing the lab I always spawn two shells, one loaded with the old PowerView code and one with the dev PowerView code. You can rename the shell titles using the following commands to not lose track:
$host.ui.RawUI.WindowTitle = "Old PowerView"
$host.ui.RawUI.WindowTitle = "Dev PowerView"
  • In the Jenkins and the MSSQL exploitation tasks the Invoke-PowerShellReverseTcp.ps1 script was detected in my lab (but not in the video walk-through / PDF solutions). With Jenkins it's simple to bypass AMSI; in the MSSQL task it's more tricky and in my opinion the exploitation was not working reliably. Really strange things happened here, but I have an assumption. I used PowerUpSQL to execute the OS command "powershell -c amsiutils" to check if AMSI is enabled, and I think after that everything was screwed up. Executing the same command about 8 times resulted 7 times in the AMSI error message being shown, and then it suddenly worked the 8th time (without modification!). After that the command was working every time without a problem, but just changing one character in the payload (e.g.: filename on a webserver from x.ps1 to y.ps1) resulted again in the AMSI message. Executing just the command "powershell whoami" also already triggered AMSI then. Really strange stuff. I didn't have time to investigate this further, but I assume that my initial AMSI test screwed things up (I really don't know how this could be the case, but it was what I observed).
  • Task 23 (DCShadow) was initially not working for me. When I executed the lsadump::dcshadow /push command nothing happened. I identified the source of the problem as a missing DNS entry on the DC: the DC can't resolve the hostname of our workstation (which I put into another domain at the start of the task). To solve this, just connect to the DC of moneycorp.local and execute the following command (replace "XXX" with your ID/IP):
dnscmd.exe 127.0.0.1 /RecordAdd moneycorp.local mcorp-stdXXX 10 A 172.16.100.XXX

  • In task 23 (DCShadow) your computer name is something like mcorp-stdXXX instead of mcorp-studentXXX (which is the name in the video walk-through and the PDF solution). Keep the "std" name instead of the "student" name when you join the other domain. Moreover, notice that re-joining the computer back to the original domain can lead to problems. Re-joining requires that you enter the same credentials as initially used, which are not your student credentials. So you can't re-join the original domain with the same hostname (you can maybe try with the domain admin credentials, I didn't test this). But if you choose a different hostname you will lose access to the workstation after 1 day when the DC is reverted, because the DC won't have the machine account password of the new host. I recommend that you first add a local administrator so that you can still log in when this happens and re-join the computer to the domain.
  • The output of Find-LocalAdminAccess was often unreliable for me (e.g.: it sometimes showed random results which were not true). Don't trust this output 100%.
  • Here is a small script which can be used to find websites (especially Jenkins) in the lab:
. .\PowerView.ps1  # load the old version, not the _dev version
Get-NetComputer | foreach {
    # -InformationLevel Quiet makes Test-NetConnection return a plain $true/$false
    $a = Test-NetConnection -ComputerName $_ -Port 8080 -WarningAction SilentlyContinue -InformationLevel Quiet
    if ($a) { Write-Host "Jenkins:" $_ }
}

  • Create a "mindmap" of the attacks / the lab. I think it can help a lot to see how all the tasks are connected with each other, what you are currently doing and which attacks can be replaced by other attacks which achieve the same result. I created nodes for computers, user credentials and domains, and I used edges like the used attack/tool to compromise the system or the typical BloodHound edge names. This map will also give you a good idea of what the exam network can look like.
  • I created two cheatsheet text files during my lab time. One file contained all commands required to solve all challenges + notes on when I had to reboot the system or purge tickets. I used this text file to quickly solve all tasks again some days before my exam took place (with this file and copy&paste you can solve all tasks in 1-2 hours). The other file contained the most important commands like my initial commands (PowerView queries, BloodHound invocation, opening a PowerShell session + AMSI bypass and loading Mimikatz into the remote session, over-pass-the-hash attack, ..). You can copy this file to the provided workstation using RDP and then copy&paste the commands instead of typing them.
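For the DCShadow tip above (the missing DNS entry on the DC), here is an added helper script that is not part of the original post: run on the DC, it checks whether the workstation name already resolves to the expected address and only adds the A record with dnscmd.exe if it is missing. The zone name and the dnscmd invocation come from the tip; the hostname and IP with "XXX" are placeholders you have to replace.

```powershell
# Added example (not from the original post). Run this on the moneycorp.local DC
# before "lsadump::dcshadow /push" to confirm the DC can resolve your workstation.
param(
    [string]$Zone      = 'moneycorp.local',
    [string]$HostName  = 'mcorp-stdXXX',    # placeholder: your student hostname
    [string]$HostIp    = '172.16.100.XXX',  # placeholder: your workstation IP
    [string]$DnsServer = '127.0.0.1'        # the DC's own DNS service, as in the tip
)

$fqdn = "$HostName.$Zone"

# Query only A records; on NXDOMAIN Resolve-DnsName throws, which we treat as "no record"
try {
    $existing = Resolve-DnsName -Name $fqdn -Type A -Server $DnsServer -ErrorAction Stop |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
} catch {
    $existing = $null
}

if ($existing -contains $HostIp) {
    Write-Output "OK: $fqdn already resolves to $HostIp, nothing to do"
} elseif ($existing) {
    # A stale record pointing somewhere else is worse than none: /push would go to the wrong host
    Write-Warning "$fqdn resolves to $($existing -join ', ') instead of $HostIp; fix that record first"
} else {
    Write-Output "No A record for $fqdn on $DnsServer, adding it (TTL 10 as in the tip)"
    & dnscmd.exe $DnsServer /RecordAdd $Zone $HostName 10 A $HostIp

    # Re-check so the script ends with proof that the DC now resolves the name
    Resolve-DnsName -Name $fqdn -Type A -Server $DnsServer |
        Format-Table Name, Type, TTL, IPAddress -AutoSize
}
```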

The exam:

I scheduled the exam for 2 PM so that I could work about 10 hours, go to sleep to recover and still have half a day left for the exam. This time I wanted to stick to my plan and start exploitation only as soon as I had a very clear picture in mind from the initial enumeration. In my OSCP exam I was doing a lot of different things in parallel, jumping from one command prompt to another and not finishing something which I started because I thought another attack was more promising. This resulted in a lot of chaos and I wanted to avoid the chaos this time. So my plan was to finish enumeration even though I already knew pretty soon the first attack steps. And I tried to do everything slowly and relaxed so that I didn't make stupid mistakes, and I double checked everything twice. In the end it paid off. After approximately 3 hours in the exam I didn't have a single system owned, but I had finished my enumeration and I already knew exactly how I could compromise the whole lab. Around that time my girlfriend came home and I was so relaxed that I took a break and watched a TV series with her. After this short break I compromised the first system and took another break at 6 pm because some friends asked me to play Counter-Strike. Good enumeration is really useful because there is no pressure if you already have a clear picture in mind. Around 7:15 pm I continued and at 9 pm I had the other 4 systems owned (again, with a lot of breaks in between, like two phone calls, and I cooked and ate). At 9 pm I decided to play again for 2 hours and at 11 pm I started to write the report. I had already documented a lot during enumeration (I basically took screenshots of every executed command), so I already had a report of 44 pages at that time. It took me two hours to remove the stuff which was not required and write some text with explanations. In the end the report was 25 pages long because a lot of enumeration output was not required.
The last 30 minutes I did some proofreading and finally sent the report at 1:30 am.

On the next day I received at 2 pm (exactly when my exam time would have ended) the confirmation that I cleared the examination :)

Some tips for the exam:

I got an e-mail with VPN credentials 30 minutes before my exam started, with the note that the exam starts in 30 minutes and I should test the credentials. However, theoretically I could have started immediately because I already had access to the workstation (but I didn't want to cheat; maybe the other systems were not booted at that time?). And it surprised me a little bit that I didn't receive instructions at the start of the exam, so I just had the RDP access to the system from the previous e-mail. Another thing which confused me was that I only got VPN+RDP access, but I did my full lab preparation using the website. Taking screenshots via RDP sucks because the Windows 10 shortcut "windows+shift+s" does not work inside the RDP connection, so I had to make the RDP window smaller, which is annoying because I used on the target system the same resolution as on my host system, which means that I always had to scroll around in the RDP window. I highly recommend that you use another application for screenshots.

In the end I think you can solve the lab in 1 - 2 hours if you really want to be fast and automate the enumeration; however, I think you will have more fun doing it manually and you will also learn more.

I would also like to mention that while I associate the term "pressure" with my OSCP exam, I associate the word "fun" with the Active Directory Lab. I think I had a big smile on my face during the whole exam because it really was a lot of fun.

Recommended blogs to read:

https://dirkjanm.io/
http://www.harmj0y.net/blog/
https://shenaniganslabs.io/
https://www.labofapenetrationtester.com/
https://oddvar.moe/
https://adsecurity.org/
https://wald0.com/
https://hausec.com/
https://www.preempt.com/blog/
https://posts.specterops.io/
https://blog.netspi.com/
https://medium.com/@mattifestation
https://byt3bl33d3r.github.io/
https://bohops.com/
https://cobbr.io
https://pentestlab.blog/
http://web.archive.org/web/20170501000000*/subt0x10.blogspot.com
http://blog.redxorblue.com/
https://room362.com/post/
https://www.tarlogic.com/en/cybersecurity-blog/
https://blog.ropnop.com/
https://rastamouse.me/categories/blog/
https://www.danielbohannon.com/
https://www.cybereason.com/blog/author/philip-tsukerman
https://vincentyiu.com/red-team-tips/
https://www.trustedsec.com/blog
https://github.com/infosecn1nja/AD-Attack-Defense
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md
https://github.com/yeyintminthuhtut/Awesome-Red-Teaming
https://guif.re/windowseop