
Storming The Castle #1

  • Writer: Last Tower
  • Feb 27, 2024
  • 2 min read




Ep. #1 Across the Moat and into the Throne Room



Unauthenticated external access to complete internal domain compromise.



Our team's mission was a standard external penetration test: the team executed attacks from the internet, relying solely on public resources. During the reconnaissance phase, the team uncovered more than the typical Microsoft 365 login portal. An additional URL, "https://[targetsite]/ews", indicated that the client relied on a Microsoft Exchange server, which is directly tied to their internal Active Directory environment. An easily guessable password on one of the service accounts let us authenticate to Exchange and extract the Global Address List with MailSniper's Get-GlobalAddressList module.



Using our reconnaissance and building on the names gathered from the address list, the LTS team conducted another sweep and compromised four additional accounts with weaker passwords. It was discovered that the target site's VPN could be reached by adding a "vpn" subdomain to the URL: "https://vpn.[targetsite]". Leveraging the new credentials, we authenticated to the site and, after being prompted to download and configure multifactor authentication (which had not yet been set up) and downloading the VPN software, the LTS team gained remote access to the internal network.



With access secured, our next move, with the client's permission, was to enumerate hosts on the internal network. We identified a VMware vCenter instance and immediately checked for the notorious Log4j vulnerability. Having confirmed it, we set up a Metasploit listener on our Kali machine and used one of the widely available Log4j proof-of-concept scripts from GitHub with minimal editing. This gave us a root Linux shell on the application's machine.



However, our eyes were still on the throne room, and our objective was to infiltrate the Windows environment. During initial privilege escalation enumeration, we discovered a Kerberos ticket in the temporary directory on the Linux machine. Copying the ticket to the previously compromised Windows machine and leveraging the Impacket toolset's secretsdump module, we authenticated to the domain controller. We then dumped all domain accounts and hashes from the ntds.dit file. Offline cracking of the additional service account and admin account hashes with the password cracking tool Hashcat gave us Domain Admin access.
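The Kerberos ticket sitting in a temporary directory is the kind of hygiene failure a defender can audit for. The following is an added example, not code from the original post or the LTS team: a small Python audit that recognises Kerberos FILE credential caches by their version header rather than their name and flags any that are readable by group or world. The directory, file names and contents it builds are constructed sample data.

```python
import os
import stat
import tempfile

# A Kerberos FILE credential cache starts with a 2-byte version header: 0x05
# followed by 0x01..0x04. Modern MIT/Heimdal libraries write version 4 (0x0504).
CCACHE_MAGIC = {b"\x05\x01", b"\x05\x02", b"\x05\x03", b"\x05\x04"}


def is_ccache(path):
    """Identify a ccache by header, so a renamed or copied ticket is still found."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) in CCACHE_MAGIC
    except OSError:
        return False


def audit_ccache_dir(directory):
    """Return a finding for every ccache in `directory` readable by anyone but its owner."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or not is_ccache(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):  # group- or world-readable
            findings.append({
                "path": path,
                "mode": oct(mode),
                "world_readable": bool(mode & stat.S_IROTH),
            })
    return findings


def build_sample_dir():
    """Constructed sample: a leaked 0644 ccache, a correct 0600 ccache and a decoy file."""
    d = tempfile.mkdtemp(prefix="ccache-audit-")
    samples = {
        "krb5cc_1001": (b"\x05\x04" + b"\x00" * 16, 0o644),  # leaked: world-readable
        "krb5cc_1002": (b"\x05\x04" + b"\x00" * 16, 0o600),  # fine: owner only
        "notes.txt": (b"not a ticket", 0o644),               # decoy: wrong header
    }
    for name, (data, mode) in samples.items():
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(data)
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    for f in audit_ccache_dir(build_sample_dir()):
        print(f"{f['path']} mode={f['mode']} world_readable={f['world_readable']}")
```

Run against /tmp on a real host it reports only the caches that other local users could copy off; the sample directory exists so the logic can be exercised offline.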



With access to the throne room, we had complete control over the internal network.