OSCP Practice Lab: Active Directory Attack Path #1
ฝัง
- เผยแพร่เมื่อ 29 มิ.ย. 2024
- Putting this out there as I searched around and didn't find a lot of content on practicing Active Directory attacks in a home lab. This walks through one of the paths to complete domain compromise I practiced for passing the OSCP.
The link to setting up this lab environment is here: • OSCP Practice Lab: How...
If there's enough interest I may generate some videos of my other AD attacks also.
0:00 Intro
1:30 OpenVPN
3:21 Start the Attack!
5:20 MS01 Enumeration
21:55 MS01 Application Exploit
28:16 MS01 Initial Foothold
33:35 MS01 Priv Esc Hunting
38:25 MS01 Priv Esc
47:50 Notes
50:33 Active Directory Enumeration
55:45 Pivoting with Ligolo-NG
1:05:04 Domain Controller Enumeration
1:14:10 Kerberoasting and AS-REP Roasting
1:19:27 Password Cracking with Hashcat
1:25:50 Credential Spraying with CrackMapExec
1:29:37 Crack Encrypted Zip File with JohnTheRipper
1:36:08 Credential Spraying with CrackMapExec
1:37:28 MS02 Initial Foothold with PSExec
1:45:05 MS02 Enumeration
1:46:40 MS02 Credential Dump with secretsdump
1:49:35 Domain Pwnage with evil-winrm
1:54:54 Recap
Gotta say, more than being good informative and easy on the ears, the video is just entertaining to watch which is more than you can say for any other video like this, keep it up and we will keep watching!!
These playthroughs are worth it, very nicely explained, even the thought process!
Awesome video!!! One of the best i have ever seen!! keep going for next videos!!!
great video. I think the way you go through it is both entertaining and very informational.
Hey man! I just watch your oscp AD and I got impressed with your explaination. Its' 10 out of 10. Hope to see more of you in upcoming days💌🥰
How wonderful knowledge ! Love this every minute
Outstanding content and well explained! I'm all for fresh content! Thanks so much for sharing. It's greatly helpful for a fellow student like myself prepping for the OSCP.
Without a doubt the most helpful thing I've seen! Taking your time and explaining "why" you're running commands was awesome. Thank you so much. I will be watching more of your content.
Really nice and helpful. Thanks a lot for your awesome content.
Derron, you've got to do more of these!! You're an amazing teacher man. Thank you!
This is a fantastic walk through. Very detailed and you did a good job of explaining your methodology and thought process. I am retaking the OSCP in December, this video will help me succeed and I would love to see more attack paths from you.
thanks so much, I'm glad it helps. Best of luck on your retake!! I'll try and post another attack path soon.
Do you have the eJPT cert? also did u pass the OSCP?
Watched it all, Insane video Man !! Much appreciated.
Thank you . Learned about some new tools and more about windows . Great content
Future Offsec teacher right here man! This is the second video of yours I've watched and 2/2 your killing it man. Pure GOLD!!!! Your helping at least one person out beyond measure! Have my sub :)
Very detailed Explained , I Enjoyed every bit of it !
Thanks man now I have an idea! Just having an idea what tools will be used and you should think, and how you should write notes is awesome! Now I have a full clear understanding and idea keep up the work!!!
Well explained and demonstrated. Followed through till the end. Thank you
Really awesome topic really well covered. Instant sub. Looking forward to working through this.
Actual GOAT, watched video start to finish! Seeing your step by step process and methodology completing these 3 boxes was super inspiring! W video, please keep this content coming!
Thank you so much, I appreciate the compliment!! I'll try and post some more content soon
@@derronc Please make more awesome!
This walk through is amazing thank you a lot
Very fantastic walktrough🎉 Superman 😮
I don't often comment on videos but I simply have to say that your material is absolutely phenomenal. Am preparing to take the OSCP and wanted to really get practice in and you came through in such a big way (in the way that there's no way I can go forward in cybersecurity without acknowledging how important your guides have been). I adapted your setup to run on proxmox and I wanted to say thank you very much :)
Thank you for such great insight into the scenario loved every bit of it
Subscribed within the first minute, i can't believe this stuff is free. Thank you!
Thanks for the sub! I'm so glad you appreciate the content
I love the methodology ! Thank you for this amazing content
my pleasure! I'm glad you enjoy it
Thank you for this. Very helpful!
THIS IS PURE GOLD! THANK YOU MASTER! 🙏
Great shot!
i learn lot new stuff about Windows enumeration from this video
This is fantastic!
A perfect video really ! Very inspiring and useful thank you so much :)
That was just awesome 👌 👏 👍🏾 🔥 🔥
thank you very much for the video very clear loved every minute
You're very welcome and thanks for the feedback!
Love it! Good job.
Very fantastic and helpful. Thank you so much ✨
Top content. Congratulations.
Love your mindset!
keep it up bro keep making this kind of videos
This is So ispiring man. Keep Going
man man man thanks for the content once again
I'm so glad it was helpful!
Thank you for sharing ‼️
This is a great walkthrough. I watched your previous video about setup and I ran in to a lot of perm issues when getting foothold on this video
oh no! can you elaborate on the permission issues? I will do my best to help
@@derronc essentially everything is caught by the av even if tamper is turned off.
This was a great lesson for me..
Your. Ideas are so valuable for helping to develop and fine tune methodologies, I appreciate this greatly and look forward to more from you! Also a small recommendation, consider picking up a mic as your keyboard comes through rather heavy 😉
I have my OSCP retempt comming up tomorrow and I have been using your videos the last few weeks to study with. Really great stuff, the way offsec explains AD seems overly complicated. I just needed DA then I think I had it my last attempt, so fingers crossed we get it this time :)
Thanks for the videos, please make more!
much thanks for those kind words and best of luck tomorrow!!! you got this
Were you able to make it brother?
Keep making these man! Loved it… I failed OsCP on first attempt because of AD section. I pawned the first one, created tunnel as well.. and forgot about routing! If I would have done routing, I would have passed! I knew all the things but didnt know about tunnel and routing properly. Thanks a lot 👍
When did you took your exam? Seems I can join some dots in your statement
@@elilanz End of July 2023.
@@romilthakkar404 aah okay okay
Great video, thank u ❤
Helpful thanks!
Please, continue!
Hell yeah!! Thank you!!
I have been watching this for two days writing up an attack plan and tool list on Obsidian
you are the best!
thank you
Better than my teachers at university...
Thank you!
Two strange things on this lab: 1) You find a .exe file and you're immediately suspecting that .exe is running on the server, I mean why? 2) Why would someone look for a .txt file specifically in one users folder? I mean, I could take it if you do it from c:\users, but in a specific user's folder? That was too specific. This kind of things makes me think if I'm in the right path. I don't think I would pass this test. Anyway, thank you for the video, it's great.
It's a new server install so there probably aren't random user files in an upload directory. It's not unreasonable to assume the admin uploaded it with the intention of running it on the server or somewhere proximal so that he wants easy access to it. That could be a wrong assumption, but it would make sense enough to look into. Esp with an exam or CTF, there can be a few red herrings but most unusual things you find are there to clue you onto something
Also, exams and CTFs usually have user and admin flags you're supposed to find in standard places. You should always rummage through any user files you have access to anyway because in real life people leave all kinds of important things lying around and challenge authors often try to mimick that
How does he immediately suspect the binary is running on the server? He takes the information received from the nmap scan which showed a port sending information that matches with the exploit code which gives reason to believe that the software is running on the server.
Excellent tutorial. Maybe the most useful AD tutorial for OSCP on youtube! Hopefully plan to give back once I pass. Thankyou for the effort you've put in here. Did you build the labs yourself?
so glad it has been helpful! I did build these myself, as a result of not finding much practice material out there.
2).Hey man don’t be discouraged, it comes from practicing and familiarity of common human habits.
I happen to work in a Windows IT environment, Most people save important documents right in their desktop or in documents folder (Linux users do too). This would spark my interest in checking those folders first if i get user access to a box
1)Working in windows you notice exe files and ps files often work without needing to install an outside source “bash” for example you need the pc to have bash to run bash scripts, if you don’t have admin priv it’s harder to install bash is my understanding
I still suck though so i still feel the same as you lol doubt ima pass lol
Nice vid
Great content. Correction @1.42 .zip file cracked with JTR
Really good run through; I am currently running through some courses with TCM to get up to a proficient standard to do my oscp. Any advice you would pass on and also how long did it take you to feel confident and what would you do differently now you are at this point? Thanks
Please make more vd for advanced techniques red team and ad attack good work bro ❤
thank you! I'm currently working on posting another attack path soon 😊
wow thank you
Bro. Your methodology and flow is much appreciated. Do you have a OSCP cheatsheet that you care to share?
I'm ducking love you
Hi @derronc, halfway in your vid and it is super nice so far. Do you have any tips for terminal logger? Or it is not that important with logger?
Great video! Your content is awesome and really informative. However, I'm currently stuck with the OpenVPN configuration. Any additional tips would be greatly appreciated. Thanks!
This is awesome. Is there a repo for your environment? e.g. docker-compose, terraform, anything so I can reproduce it?
Great work dude. Do you perhaps have the virtual machines as a setup I can use to practice with?
I ask because I have my own labs I use to teach students. I’m missing a good one for Active Directory.
Awesome walkthrough! Really interesting and engaging. Wanted to know, What is the configuration of your kali OS? How much RAM have you given it as well as memory? Also, how much RAM does your actual system have? Because my Kali lags so much when there is firefox, burp and other tools running simultaneously. Just curious as its really frustrating to work with a slow kali sometimes.
Thanks for the feedback! when it comes to the VMs... I've been deploying the .ova from kali.org/get-kali and 4cpu / 4GB memory. I've run into issues with vmware workstation and my macbook a few times and had to reinstall macOS just to get rid of glitchy behavior 😭
❤🔥❤🔥❤🔥
hey please make other attack path video as soon as possible
great video. did you create the vulnerable machines or were they premade?
thank you! I built all these machines from scratch and include the how-to guide in my video series. that way you can build them too :)
At DC machine, let pass the hash with 0:NT_hash . I think it works because you lost LM_hash in form of ntlm in set of exec tool
great catch! Yes, you can split the hash and only need to use the NT piece for pass-the-hash. LM is around for backwards compatibility and can't be passed but can be easily cracked (with the right wordlist/rules)
cool
Great content! Just one question, why no minimatz?
that's a great question! I do use mimikatz for many of my scenarios, but this one in particular I wanted to try and do a lot of things remotely from the kali machine. so I opted for impacket-secretsdump instead. I just think of it as remote mimikatz 😂
I appreciate the question, I think I'll make a future video with different tactics: including mimikatz
@@derronc kerberoasting and asreproasting part would a lot clear if u use bloodhound as for ms02 machine u have smb access. and that would be better when someone sees the gui and that kind of stuffs.
Thank you sir, can you do some cryphotgraphy ctf too?
ooo I hadn't really thought about that. I can't say I'm great at it, but I'll keep this in mind for the future. thanks for the suggestion!
Great walkthrough, but there is one thing I don't understand. @23:15 you modified the exploit to run certutil.exe with some arguments. How does this work when the string you are typing is not run in CMD or PowerShell? As far as I understood, you are typing in the start menu, so it's a search bar.
Really nice content , please where can i find a similiar environnement
Aside from my video on how to build the lab, I had a hard time finding this type of material as well. I was only able to find bits and pieces, but nothing that would take me through the entire process. I may share another scenario in the future.
nice video! what terminal emulator do you use?
thanks! I like iterm2 but the terminal I used in the video is just the default kali terminal
Nice video, just a reminder, cached domain hashes cant be used for PASS THE HASH
yes, there are so many nuances to pth that it can get confusing. I'm not sure if I misspoke in this video but just to be clear for anyone reading: NTLM hashes can be passed, NTLMv2 hashes can't. NTLM hashes can only be passed if the environment hasn't been secured against it, and even then there are caveats.
I think I'm going to include some examples in my next video to help illustrate. thank you for the feeback!
hi Derron, great work!! I have a doubt, in MS01 Priv Esc, you renamed the malicious payload to "Wise.exe" and put it in the "C:/apps/Wise/" folder...at this point why, after rebooting, the system executed the "Wise.exe" file?
great question! so this is abusing "unquoted service paths". basically the service for the Wise application is referenced without quotes, but there is a space in the folder structure. this allows us to place Wise.exe where the space break is and when the service is started it attempts to find an executable called "Wise.exe" as part of the way windows processes/enumerates an unquoted service path. rebooting the host forces the service to restart and kick off this vulnerability we have exploited.
for more info the PEN-200 course is here:
portal.offsec.com/courses/pen-200/books-and-videos/modal/modules/windows-privilege-escalation/leveraging-windows-services/unquoted-service-paths
otherwise a public post is here:
medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae
@@derroncthank you so much, another question, as written in a previous comment, everyone will now move to the cloud environment, how will all this impact cyber security and hacking in general?
@@matteosteksy7656 great question but also a loaded one :) the short answer is it is expanding the attack surface and is an addition to Active Directory on-premise. attackers and defenders are learning/exploring cloud identity (Azure AD/Entra), cloud infrastructure (IaaS), and SaaS/PaaS services. what this means for us is more lateral movement options (from on-premise to cloud, and vice-versa), and more attack surface (for example: password spraying against cloud services, in addition to on-premise services).
Have you used netexec in place of crackmap? thoughts?
so is evilwinrm considered a stable shell? for getting the point on oscp a winrm shell is enought or we should rev shell it via pivoting?
that's a great question, thank you for asking! I can tell you that I used evil-winrm in my OSCP exam and was given credit. That said, if you have the time and want to go the extra credit you could totally use evil-winrm to upload a reverse shell payload and then execute it to call back home. BUT if you do that you'll need to port forward through MS01 to get back to your kali machine. I might try that out in a future video just to show how to do it.
thanks for the answer, during my last attempt I spent 40minutes trying to rev shell via pivoting haha, this time I will go by evilwinrm, thanks@@derronc
i am wondering, you are not able to ping ms02, but able to do nmap without -Pn flag.
that's a great point and something I didn't think too much about at the time. but you're right, the Windows firewall was blocking icmp but somehow... nmap decided it didn't care and it ran the scan anyway 🤷♂️
Can you tell me why you have used the ligolo-ng and that ip route please
Absolutely! I use ligolo-ng to proxy my traffic (like nmap scans, evil-winrm, smbclient, etc) from kali through MS01 to attack MS02 and DC01. The ip route command is used to tell kali route to the oscp outside subnet (192.168.100.0) via the ligolo tunnel interface.
great vid, but -1 for nano
Is it possible to download your lab setup?
Are you allowed to run winpeas in OSCP exam?
you are! you can use any basically any automated enumeration tool, but you are NOT allowed to use any auto EXPLOIT tool. the exception is metasploit, which you are allowed to use against only one target.
It means that to are allowed to use enumerations tools like let's say like the way you grab the winpeas from the github are you allowed to use google to search things like that?? @@derronc
Makes path
i wanna see about OSWE, can you show please?😢
perhaps in the future; I don't have my OSWE but if/when I do go for it I'll try and share some insights :)
😀😀😀😀😀😀😀😀😀😀😀😀😀😀😀😀😀😀😀😀😀😀
but but , everything is in the cloud now.
ur keyboard sounds like drum😂
it totally does!! my apologies for that, it annoys me too. I'm upgrading my mic to hopefully remove/reduce the drumming 😂
Is winpeas allowed in OSCP?
it is! It's actually the most used enumeration tool on the OSCP :)
Is there a similar box on htb or some other platform to practise the same stuff?
I've had a hard time finding this type of set up for free. I believe HTB might have some AD sets, but not quite like this/OSCP-like. THM has also had some AD sets in the past but they tend to become $$ options very quickly. These are some of the big reasons I decided to build out this content myself and share it. I just haven't found much of anything that helped me prepare more than building it and practicing myself.