Exploiting AD Users
Users and User Behaviour
Users are, unfortunately, often the weakest link in the security chain. Think of weak passwords and bad habits such as granting overly permissive access rights.
Credential Management - How users store their credentials.
Keylogging - Often, during exploitation, we need to understand how normal users interact with a system. Together with screengrabs, keylogging can be a useful tool for gaining this understanding from an attacker's perspective.
Hunting for Credentials
Now that we have compromised THMSERVER1, we should probably look around to see if there is any useful information. Have a look at the user directories and see if there is some useful information in any of them.
Your enumeration efforts should lead you to a .kdbx file. A quick Google search should confirm our suspicion that this file is indeed very valuable (it is a KeePass password database). We can use Meterpreter's download command to recover this file.
Last time we dumped the SAM hashes of THMSERVER1, so we can simply log in as any of those users and look for the .kdbx file.
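The same enumeration that leads an attacker to a KeePass database is also a hygiene check a defender can run first. The following is an added example (not part of the original write-up and not a tool from the lab) that walks every user profile under a given root, lists any .kdbx files with size and age, and prints a report that can be diffed between audit runs. The profile root is an assumption (on Windows it would normally be C:\Users); the sample profile tree it builds in a temporary directory, including the user names and file contents, is constructed for the demonstration.

```python
import os
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional

# Extension KeePass uses for its password databases.
KDBX_EXT = ".kdbx"


@dataclass
class Finding:
    profile: str      # user profile directory the file sits under
    path: str         # full path of the database file
    size_bytes: int
    age_days: float   # days since last modification, to spot stale copies


def audit_kdbx(profiles_root: str, now: Optional[float] = None) -> List[Finding]:
    """Walk every user profile under profiles_root and list KeePass databases.

    profiles_root is the parent of the profile folders (assumed C:\\Users on Windows).
    """
    now = time.time() if now is None else now
    findings: List[Finding] = []
    if not os.path.isdir(profiles_root):
        return findings
    for profile in sorted(os.listdir(profiles_root)):
        profile_dir = os.path.join(profiles_root, profile)
        if not os.path.isdir(profile_dir):
            continue
        for dirpath, _subdirs, files in os.walk(profile_dir):
            for name in files:
                # Case-insensitive match: Windows file systems ignore case.
                if name.lower().endswith(KDBX_EXT):
                    full = os.path.join(dirpath, name)
                    st = os.stat(full)
                    findings.append(Finding(
                        profile=profile,
                        path=full,
                        size_bytes=st.st_size,
                        age_days=(now - st.st_mtime) / 86400.0,
                    ))
    return findings


def format_report(findings: List[Finding]) -> str:
    """One line per database so the output can be diffed between audit runs."""
    if not findings:
        return "no KeePass databases found in user profiles"
    return "\n".join(
        f"{f.profile}: {f.path} ({f.size_bytes} bytes, modified {f.age_days:.0f} days ago)"
        for f in findings
    )


def build_sample_profiles(root: str) -> str:
    """Constructed sample profile tree (not from a real host) for a self-contained run."""
    layout = {
        os.path.join("alice", "Documents", "passwords.kdbx"): b"\x03\xd9\xa2\x9a",
        os.path.join("bob", "Desktop", "notes.txt"): b"not a database",
        os.path.join("trevor.local", "Downloads", "Database.KDBX"): b"\x03\xd9\xa2\x9a",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)   # constructed placeholder content, not a real database
    return root


def run_demo() -> List[Finding]:
    """Build the sample tree in a temp dir, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = audit_kdbx(build_sample_profiles(tmp))
        print(format_report(findings))
    return findings


if __name__ == "__main__":
    run_demo()
```

Run it against the real profile root on a file server and any database that sits in a profile (or, worse, in a shared folder) is a prompt to ask why a password vault lives there and who can read it; in the lab, exactly that file is what the attacker goes looking for.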

Logging in as ServerAdmin and searching with this regex:

SYSTEM is Sometimes Too Privileged
When we get our shell, it will be running as SYSTEM. Fortunately, Meterpreter provides us with a migrate feature, and since we are running as SYSTEM, we should be able to migrate to any process.
Apparently only one of the databases is the right one, the one belonging to trevor.local. Now we use msfvenom to generate the keylogger and send it to the target.

Set up the listener

Host a Python web server and download the keylogger on the target machine

Execute the keylogger

After getting the callback, find the 'explorer' process

Migrate into that process so that Meterpreter runs as the user's process

Start the keyscan sniffer
After a few minutes, dump the keystrokes; among them is the password for the DB file

Download the DB file
Open KeePass on the attacker machine

Unlock the database using the keylogged password

We can see there is a user and their password that may be useful later. We also find the flag.
