It’s been a while…

So, it’s been literally over a year since my last blog post. Yeah, I suck at blogging. Also, life happened, so there’s that. In the middle of 2018 I decided I needed out of the help desk jail, and looked at becoming a Digital Forensics Specialist. Thanks to Brett Shavers, Stu, and the awesome people at The Many Hats Club Discord server I may have a fighting chance.

So, to keep me motivated and help me practice the skills I’m learning, I’ll try to put up write-ups of some of the CTFs and challenges from root-me.org, as well as Hack The Box. A word of warning, though: if you think you can use these to game the system and pick the flags out of the write-up, you’re out of luck. I’ll be sanitizing all the flags in the solutions.

That being said, let’s get stuck in.

Root-me.org: Active Directory GPO

This is one of the first challenges I’ve attempted on the root-me.org site. In this exercise, we’re required to find the Administrator’s password from a PCAP captured while a workstation boots and pulls its policy from the domain.

Now, with Active Directory you can use Group Policy Preferences (the preference items inside a Group Policy Object, or GPO) to automate the creation and management of local admin accounts on workstations, password included. This means you can push the same admin account and password to every machine the GPO applies to. Using a GPO in this manner is a quick and dirty way of getting things set up, but it leaves a rather large attack surface for The Bad Guys: the preference item is written to a Groups.xml file under the SYSVOL share, which every authenticated domain user can read, and the same file crosses the wire over SMB each time a workstation applies policy (in clear text, unless SMB encryption is turned on).

Since the description on the challenge website isn’t too exciting, lets “hollywood” it up a little:

The sysadmin of Globomantics has thrown a wrench in the works and changed the admin password on all units on the domain as revenge for being fired. Luckily they used a GPO to set the password, so it shouldn’t be too hard to find.

First, we take the PCAP of the network boot from a machine on the domain and open it in Wireshark.

[screenshot at 2019-01-10 05-48-03]

Next, we set the display filter to smb2 and look for the Groups.xml file that Group Policy Preferences stores under SYSVOL. If the capture is busy, a filter on the file name (smb2.filename contains "Groups.xml") narrows it straight down to the read of that one file.

[screenshot at 2019-01-10 06-34-05]

Right-clicking on the packet and selecting “Follow TCP Stream”, we can scroll down to the contents of the Groups.xml file and find the admin password in the cpassword attribute.

[screenshot at 2019-01-10 05-53-39]

Now, the cpassword value isn’t plain text: Microsoft encrypts it with AES-256 in CBC mode using an all-zero IV, and stores the result base64-encoded with the trailing “=” padding stripped. However, they helpfully published the 32-byte hard-coded encryption key on MSDN (it sits in the MS-GPPREF specification), so anyone holding the ciphertext can reverse it. That is why the MS14-025 patch in 2014 removed the ability to set passwords through Group Policy Preferences, but any Groups.xml already sitting in SYSVOL keeps working against you until someone deletes it. Now, I could sit down and program a Python script to decode the password, however I subscribe to the “work smarter, not harder” philosophy.

A quick search on GitHub brings us to gpocrack.py by Martin Ingson. After validating the code (it’s a script off the Internet that we’re about to hand a credential to, so read it first), we download the zip file.

[screenshot at 2019-01-10 06-33-02]

Running the script with the cpassword value as its argument, we get the decrypted password. We can now pass that on to the new sysadmin.

 

If you’ve made it this far, I want to thank you for your time.

And remember….

