So, it’s been literally over a year since my last blog post. Yeah, I suck at blogging. Also, life happened, so there’s that. In the middle of 2018 I decided I needed out of the help desk jail, and looked at becoming a Digital Forensics Specialist. Thanks to Brett Shavers, Stu, and the awesome people at The Many Hats Club Discord server I may have a fighting chance.
So, to keep me motivated and help me practice the skills I’m learning, I’ll try to put up write-ups of some of the CTFs and challenges from root-me.org as well as Hack The Box. A word of warning, though: if you think you can use these to game the system and pick the flags out of the write-up, you’re out of luck. I’ll be sanitizing all the flags in the solutions.
That being said, let’s get stuck in.
Root-me.org: Active Directory GPO
This is one of the first challenges I’ve attempted on the root-me.org site. In this exercise, we’re required to find the Administrator’s password from the PCAP of a workstation during a network boot.
Now with Active Directory, you can use a Group Policy Object (GPO) to automate the deployment and management of local admin accounts on workstations. This means you can apply the same admin account and password across all the machines in the domain. Using a GPO in this manner is a quick and dirty way of getting things set up, but it leaves a rather large attack surface for The Bad Guys: the policy file, and the password inside it, is readable by every domain member that applies the policy.
Since the description on the challenge website isn’t too exciting, let’s “hollywood” it up a little:
The sysadmin of Globomantics has thrown a wrench in the works and changed the admin password on all units on the domain as revenge for being fired. Luckily they used GPO to set the password, so it shouldn’t be too hard to find it.
First, we’ll get a PCAP of the network boot from a machine on the domain.
Next, we set the filter to SMB2 and look for the groups.xml file that’s used by the GPO.
Right clicking on the packet and selecting “Follow TCP stream”, we can scroll down to the contents of the groups.xml file and find the admin password.
Now, Microsoft has used AES to encrypt the password; however, they have helpfully published the 32-byte hard coded encryption key here. I could sit down and program a Python script to decode the password, but I subscribe to the “Work smarter, not harder” philosophy.
A quick search on GitHub brings us to gpocrack.py by Martin Ingson. After validating the code, we download the zip file.
Running the script with the encrypted password supplied, we get the decrypted password. We can now pass that on to the new sysadmin.
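The flip side of this write-up is the defender’s question: does my own SYSVOL still carry any of these files? Below is an added example of my own (not gpocrack.py, and not part of the challenge) that audits Group Policy Preferences XML for the cpassword attribute rather than decrypting it. The groups.xml content is a constructed sample: the clsid and uid values are placeholders, the cpassword is a dummy base64 string, and the account names are made up. The attribute names the scanner checks (userName, username, runAs, accountName) are the ones the different preference item types use for the account the password belongs to, so the same function works on Groups.xml, ScheduledTasks.xml, Services.xml, Drives.xml and DataSources.xml.

```python
"""Audit Group Policy Preferences XML for stored credentials (cpassword).

Finds every <Properties> element carrying a non-empty cpassword attribute and
reports which account it belongs to, without decrypting anything. Constructed
sample data only; nothing here is real SYSVOL content.
"""
from dataclasses import dataclass
from pathlib import Path
import xml.etree.ElementTree as ET

# Constructed sample of a Groups.xml as written by a GPO that manages local
# accounts. clsid/uid values are placeholders, cpassword is a dummy string.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{PLACEHOLDER-CLSID}">
  <User clsid="{PLACEHOLDER-CLSID}" name="LocalAdmin" image="2"
        changed="2018-06-01 10:00:00" uid="{PLACEHOLDER-UID}">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE="
        changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
        userName="LocalAdmin"/>
  </User>
  <User clsid="{PLACEHOLDER-CLSID}" name="Helpdesk" image="2"
        changed="2018-06-01 10:05:00" uid="{PLACEHOLDER-UID}">
    <Properties action="D" newName="" fullName="" description=""
        userName="Helpdesk"/>
  </User>
</Groups>
"""

# Attribute names that identify the account a cpassword belongs to, by item type.
ACCOUNT_ATTRS = ("userName", "username", "runAs", "accountName")


@dataclass
class Finding:
    source: str         # file the entry came from
    item_type: str      # enclosing element, e.g. User, Task, NTService, Drive
    account: str        # account the stored password belongs to
    action: str         # GPP action code: C(reate), R(eplace), U(pdate), D(elete)
    cpassword_len: int  # length of the stored value, so the report can show it is non-trivial


def find_stored_credentials(xml_text: str, source: str = "Groups.xml") -> list[Finding]:
    """Return one Finding per Properties element with a non-empty cpassword."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for props in root.iter("Properties"):
        cpassword = props.get("cpassword")
        if not cpassword:          # missing or empty: nothing stored, nothing to flag
            continue
        owner = parent_of.get(props)
        account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), None)
        if account is None and owner is not None:
            account = owner.get("name", "?")
        findings.append(Finding(
            source=source,
            item_type=owner.tag if owner is not None else props.tag,
            account=account or "?",
            action=props.get("action", "?"),
            cpassword_len=len(cpassword),
        ))
    return findings


def scan_sysvol(root_dir: str) -> list[Finding]:
    """Walk a SYSVOL (or any directory) copy and audit every XML file under Preferences."""
    findings = []
    for path in Path(root_dir).rglob("*.xml"):
        if "Preferences" not in path.parts:
            continue
        try:
            findings.extend(find_stored_credentials(path.read_text(encoding="utf-8-sig"), str(path)))
        except ET.ParseError:
            continue       # not a preference item, or corrupt; skip rather than abort the audit
    return findings


def render_report(findings: list[Finding]) -> list[str]:
    """One line per finding, suitable for a ticket or a SIEM lookup table."""
    return [f"{f.source}: {f.item_type} '{f.account}' (action={f.action}) "
            f"stores a cpassword of {f.cpassword_len} chars" for f in findings]


if __name__ == "__main__":
    for line in render_report(find_stored_credentials(SAMPLE_GROUPS_XML)):
        print(line)
```

Run it against a copy of `\\<domain>\SYSVOL\<domain>\Policies` with `scan_sysvol()`; every line it prints is a password that any domain-joined machine could read and decrypt exactly as the write-up does, so the fix is to delete the entry from the policy and then change the affected account’s password, since the old value was already exposed.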
If you’ve made it this far, I want to thank you for your time.