One of the highlights of the end of the calendar year is the SANS Holiday Hack Challenge. This year, I took the time to work through the challenges. It was fun!
In the next couple of posts, I’ll write up some solutions to the 2018 challenges.
Challenge: Using the data set contained in this SANS Slingshot Linux image, find a reliable path from a Kerberoastable user to the Domain Admins group. What’s the user’s logon name? Remember to avoid RDP as a control path as it depends on separate local privilege escalation flaws. For hints on achieving this objective, please visit Holly Evergreen and help her with the CURLing Master Cranberry Pi terminal challenge.
Solution: This question confused me the most. It took a while before I caught on to what was expected. Much of this confusion came from my lack of familiarity with the Bloodhound tool on which this challange was based. That’s on to me, because the most recent pentest that I commissioned also used the tool heavily. To great success too, might I add.
Anyway, Bloodhound is a tool that can be used to navigate the complex structures formed by many Active Directory domains. The tool does this through visualization, much like our now long dead (and lost to history) ConceptBrowser tool. In addition, Bloodhound supports querying through a number of useful predefined queries, or by running custom work.
It took a little practice to get somewhat proficient with the tool, but once I managed to figure out how to run it, the query “Shortest path to domain admins from Kerberostable Users” and removing all RDP links, leaves two users (LDUBEJ00320 and JGUMBEL00486).
Note: the submission required the username to be fully qualified and in all
Bigger Picture: CISOs can learn the following lessons:
Opening up your AD domain so that any user can query (and browse) it is probably not a great idea. I found this out the hard way during our latest pentest as well. Lesson learned: restrict visibility. Security through obscurity does not work, but it sure helps.
Stay up-to-date with tools. Bloodhound has been around for years, but I had never heard of it. There is more than Metasploit out there, and while knowledge of tools is second to knowledge of methods and techniques, one can lead to the other.