jaccostraathof

crtp-01

Learning Object 1

Tasks

1 – Enumerate following for the dollarcorp domain:

  • Users

  • Computers

  • Domain Administrators

  • Enterprise Administrators

2 – Use BloodHound to identify the shortest path to Domain Admins in the dollarcorp domain. 3 – Find a file share where studentx has Write permissions.

Flag 1 [Student VM] – SID of the member of the Enterprise Admins group 🚩

Solutions
1 – Enumerate following for the dollarcorp domain

Start InviShell and PowerView

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
. C:\AD\Tools\Powerview.ps1
1.1. – dollarcorp.moneycorp.local Domain Users

Get-DomainUser -Domain dollarcorp.moneycorp.local | select samaccountname

samaccountname
--------------
Administrator
Guest
krbtgt
sqladmin
websvc
srvadmin
appadmin
svcadmin
testda
mgmtadmin
ciadmin
sql1admin
studentadmin
devopsadmin
student861
student862
1.2 – dollarcorp.moneycorp.local Domain Computers

Get-DomainComputer -Domain dollarcorp.moneycorp.local | Select-Object -ExpandProperty dnshostname

dcorp-dc.dollarcorp.moneycorp.local
dcorp-adminsrv.dollarcorp.moneycorp.local
dcorp-appsrv.dollarcorp.moneycorp.local
dcorp-ci.dollarcorp.moneycorp.local
dcorp-mgmt.dollarcorp.moneycorp.local
dcorp-mssql.dollarcorp.moneycorp.local
dcorp-sql1.dollarcorp.moneycorp.local
dcorp-stdadmin.dollarcorp.moneycorp.local
dcorp-std861.dollarcorp.moneycorp.local
1.3 – dollarcorp.moneycorp.local Domain Administrators

Get-DomainGroupMember -Domain dollarcorp.moneycorp.local -Identity "Domain Admins" -Recurse

GroupDomain             : dollarcorp.moneycorp.local
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
MemberDomain            : dollarcorp.moneycorp.local
MemberName              : svcadmin
MemberDistinguishedName : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
MemberObjectClass       : user
MemberSID               : S-1-5-21-719815819-3726368948-3917688648-1118

GroupDomain             : dollarcorp.moneycorp.local
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
MemberDomain            : dollarcorp.moneycorp.local
MemberName              : Administrator
MemberDistinguishedName : CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
MemberObjectClass       : user
MemberSID               : S-1-5-21-719815819-3726368948-3917688648-500
1.4 – dollarcorp.moneycorp.local Domain Enterprise Administrators

Get-DomainGroupMember -Identity "Enterprise Admins" -Domain dollarcorp.moneycorp.local

No results, we need to check if it’s present into a forest, check it:

Get-DomainTrust

SourceName      : dollarcorp.moneycorp.local
TargetName      : moneycorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 5:59:01 AM
WhenChanged     : 4/19/2025 4:04:35 AM

SourceName      : dollarcorp.moneycorp.local
TargetName      : us.dollarcorp.moneycorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 6:22:51 AM
WhenChanged     : 4/25/2025 5:08:47 AM

SourceName      : dollarcorp.moneycorp.local
TargetName      : eurocorp.local
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FILTER_SIDS
TrustDirection  : Bidirectional
WhenCreated     : 11/12/2022 8:15:23 AM
WhenChanged     : 4/25/2025 5:03:33 AM

Great, now we can update our command adding monycorp.local and retrieve Enterprise Admins:

Get-DomainGroupMember -Identity "Enterprise Admins" -Domain moneycorp.local

GroupDomain             : moneycorp.local
GroupName               : Enterprise Admins
GroupDistinguishedName  : CN=Enterprise Admins,CN=Users,DC=moneycorp,DC=local
MemberDomain            : moneycorp.local
MemberName              : Administrator
MemberDistinguishedName : CN=Administrator,CN=Users,DC=moneycorp,DC=local
MemberObjectClass       : user
MemberSID               : S-1-5-21-335606122-960912869-3279953914-500
2 – Use BloodHoundCE ( http://127.0.0.1:8080/ ) to identify the shortest path to Domain Admins in the dollarcorp domain
┌──(puck㉿kali)-[~/CRTP]
└─$ sudo docker-compose -f /opt/bloodhoundcepuck/docker-compose.yml up

 

Using the pre-built search filter we can identify quickly the shortest path to Domain Admin

.
or use pathfinding
3 – Find a file share where studentx has Write permissions

First to all enumerate all computer of current domain displaying relative dnshostname and save them in a file

Get-DomainComputer | select -ExpandProperty dnshostname | Out-File -FilePath "C:\AD\Tools\servers.txt"

dcorp-dc.dollarcorp.moneycorp.local
dcorp-adminsrv.dollarcorp.moneycorp.local
dcorp-appsrv.dollarcorp.moneycorp.local
dcorp-ci.dollarcorp.moneycorp.local
dcorp-mgmt.dollarcorp.moneycorp.local
dcorp-mssql.dollarcorp.moneycorp.local
dcorp-sql1.dollarcorp.moneycorp.local
dcorp-stdadmin.dollarcorp.moneycorp.local
dcorp-std861.dollarcorp.moneycorp.local

Load PowerHuntShares tool importing PowerHuntShares.psm1 module and run HuntSMBShares:

Don’t run HuntSMBShares after starting PowerView

Import-Module C:\AD\Tools\PowerHuntShares.psm1
Invoke-HuntSMBShares -NoPing -OutputDirectory C:\AD\Tools\ -HostList C:\AD\Tools\servers.txt



PS C:\Users\student98> Import-Module C:\AD\Tools\PowerHuntShares.psm1
PS C:\Users\student98> Invoke-HuntSMBShares -NoPing -OutputDirectory C:\ad\Tools\ -HostList C:\ad\Tools\servers.txt
 ===============================================================
 INVOKE-HUNTSMBSHARES
 ===============================================================
  This function automates the following tasks:                                                                                                                                                                                                    o Determine current computer's domain   
o Enumerate domain computers                                                                                                                                                         
o Enumerate SMB shares                                                                                   
o Enumerate SMB share permissions   
o Identify shares with potentially excessive privieleges 
etc...                                                                                                                                                                                                                                                                                                  Note: This can take hours to run in large environments.                                                               
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ---------------------------------------------------------------
 SHARE DISCOVERY
 ---------------------------------------------------------------
 [*][10/02/2025 03:43] Scan Start
 [*][10/02/2025 03:43] Output Directory: C:\ad\Tools\\SmbShareHunt-10022025034303
 [*][10/02/2025 03:43] Importing computer targets from C:\ad\Tools\servers.txt
 [*][10/02/2025 03:43] 8 systems will be targeted
 [*][10/02/2025 03:43] - Skipping ping scan.
 [*][10/02/2025 03:43] Checking if TCP Port 445 is open on 8 computers
 [*][10/02/2025 03:43] - 8 computers have TCP port 445 open.
 [*][10/02/2025 03:43] Getting a list of SMB shares from 8 computers
 [*][10/02/2025 03:43] - 29 SMB shares were found.
 [*][10/02/2025 03:43] Getting share permissions from 29 SMB shares
 [*][10/02/2025 03:43] - 52 share permissions were enumerated.
 [*][10/02/2025 03:43] Identifying potentially excessive share permissions
 [*][10/02/2025 03:43] - 23 potentially excessive privileges were found on 6 shares across 4 systems.
 [*][10/02/2025 03:43] Getting directory listings from 6 SMB shares
 [*][10/02/2025 03:43] - Targeting up to 3 nested directory levels
 [*][10/02/2025 03:43] - 32 files and folders were enumerated.
 [*][10/02/2025 03:43] Scan Complete
 ---------------------------------------------------------------
 SHARE ANALYSIS
 ---------------------------------------------------------------
 [*][10/02/2025 03:43] Analysis Start
 [*][10/02/2025 03:43] - 6 shares can be read across 4 systems.
 [*][10/02/2025 03:43] - 5 shares can be written to across 4 systems.
 [*][10/02/2025 03:43] - 6 shares are considered non-default across 4 systems.
 [*][10/02/2025 03:43] - 2 shares are considered high risk across 1 systems.
 [*][10/02/2025 03:43] - Identified top 200 owners of excessive shares.
 [*][10/02/2025 03:43] - Identified top 200 share groups.
 [*][10/02/2025 03:43] - Identified top 200 share names.
 [*][10/02/2025 03:43] - Identified shares created in last 90 days.
 [*][10/02/2025 03:43] - Identified shares accessed in last 90 days.
 [*][10/02/2025 03:43] - Identified shares modified in last 90 days.
 [*][10/02/2025 03:43] - Identified 3 subnets hosting shares configured with excessive privileges.
 [*][10/02/2025 03:43] Finding interesting files...
 [*][10/02/2025 03:43] Grabbing secrets for parsing...

Select : Property "OperatingSystem" cannot be found.
At C:\AD\Tools\PowerHuntShares.psm1:2812 char:89
+ ... arget445Comp | Select OperatingSystem -ExpandProperty OperatingSystem
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (@{ComputerName=...oneycorp.local}:PSObject) [Select-Object], PSArgumen
   tException
    + FullyQualifiedErrorId : ExpandPropertyNotFound,Microsoft.PowerShell.Commands.SelectObjectCommand

 [*][10/02/2025 03:43] Creating ShareGraph nodes and edges...
 [*][10/02/2025 03:43] Analysis Complete
 ---------------------------------------------------------------
 SHARE REPORT SUMMARY
 ---------------------------------------------------------------
 [*][10/02/2025 03:43] Domain: SmbHunt
 [*][10/02/2025 03:43] Start time: 10/02/2025 03:43:03
 [*][10/02/2025 03:43] End time: 10/02/2025 03:43:56
 [*][10/02/2025 03:43] Run time: 00:00:53.3860288
 [*][10/02/2025 03:43]
 [*][10/02/2025 03:43] COMPUTER SUMMARY
 [*][10/02/2025 03:43] - 8 domain computers found.
 [*][10/02/2025 03:43] - 0 (0.00%) domain computers responded to ping. (No Ping)
 [*][10/02/2025 03:43] - 8 (100.00%) domain computers had TCP port 445 accessible.
 [*][10/02/2025 03:43] - 4 (50.00%) domain computers had shares that were non-default.
 [*][10/02/2025 03:43] - 4 (50.00%) domain computers had shares with potentially excessive privileges.
 [*][10/02/2025 03:43] - 4 (50.00%) domain computers had shares that allowed READ access.
 [*][10/02/2025 03:43] - 4 (50.00%) domain computers had shares that allowed WRITE access.
 [*][10/02/2025 03:43] - 1 (12.50%) domain computers had shares that are HIGH RISK.
 [*][10/02/2025 03:43]
 [*][10/02/2025 03:43] SHARE SUMMARY
 [*][10/02/2025 03:43] - 29 shares were found. We expect a minimum of 16 shares
 [*][10/02/2025 03:43]   because 8 systems had open ports and there are typically two default shares.
 [*][10/02/2025 03:43] - 6 (20.69%) shares across 4 systems were non-default.
 [*][10/02/2025 03:43] - 6 (20.69%) shares across 4 systems are configured with 23 potentially excessive ACLs.
 [*][10/02/2025 03:43] - 6 (20.69%) shares across 4 systems allowed READ access.
 [*][10/02/2025 03:43] - 5 (17.24%) shares across 4 systems allowed WRITE access.
 [*][10/02/2025 03:43] - 2 (6.90%) shares across 1 systems are considered HIGH RISK.
 [*][10/02/2025 03:43]
 [*][10/02/2025 03:43] SHARE ACL SUMMARY
 [*][10/02/2025 03:43] - 52 ACLs were found.
 [*][10/02/2025 03:43] - 52 (100.00%) ACLs were associated with non-default shares.
 [*][10/02/2025 03:43] - 23 (44.23%) ACLs were found to be potentially excessive.
 [*][10/02/2025 03:43] - 13 (25.00%) ACLs were found that allowed READ access.
 [*][10/02/2025 03:43] - 5 (9.62%) ACLs were found that allowed WRITE access.
 [*][10/02/2025 03:43] - 5 (9.62%) ACLs were found that are associated with HIGH RISK share names.
 [*][10/02/2025 03:43]
 [*][10/02/2025 03:43] - The most common share names are:
 [*][10/02/2025 03:43] - 6 of 6 (100.00%) discovered shares are associated with the top 200 share names.
 [*][10/02/2025 03:43]   - 1 stdadmin-gp
 [*][10/02/2025 03:43]   - 1 studentshareadmin
 [*][10/02/2025 03:43]   - 1 std89-gp
 [*][10/02/2025 03:43]   - 1 C$
 [*][10/02/2025 03:43]   - 1 AI
 [*][10/02/2025 03:43]   - 1 ADMIN$
 [*] -----------------------------------------------
 [*][10/02/2025 03:43]   - Generating HTML Report
 [*][10/02/2025 03:43]   - Estimated generation time: 1 minute or less
 [*][10/02/2025 03:43]   - All files written to C:\ad\Tools\\SmbShareHunt-10022025034303
 [*][10/02/2025 03:43]   - Done.

 

.

Lab Machine hasn’t a network connection, so transfer file generated into our local machine using SMB tools folder share and open it via browser.

Checking into ShareGraph the AI share has the write permission for everyone:

.

AI

Flag 1 [Student VM] – SID of the member of the Enterprise Admins group 🚩

Get-DomainGroupMember -Identity "Enterprise Admins" -Domain moneycorp.local

GroupDomain             : moneycorp.local
GroupName               : Enterprise Admins
GroupDistinguishedName  : CN=Enterprise Admins,CN=Users,DC=moneycorp,DC=local
MemberDomain            : moneycorp.local
MemberName              : Administrator
MemberDistinguishedName : CN=Administrator,CN=Users,DC=moneycorp,DC=local
MemberObjectClass       : user
MemberSID               : S-1-5-21-335606122-960912869-3279953914-500
Previous0 – Lab InstructionsNext2 – LO2️