Room: Advent of Cyber 2023 Day 11
These intros get me every time 😂
Primarily focused on cutting-edge climate research rather than prioritising robust cyber security measures.
In computer security, pass the hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user’s password, instead of requiring the associated plaintext password as is normally the case. It replaces the need for stealing the plaintext password to gain access with stealing the hash.
Luckily there are a lot of people making a lot of great tools that will make our lives, and therefore this challenge, quite easy today.
But still, every time Active Directory comes into play, I feel like I'm being overloaded with information that doesn't really stick for long. Let's hope this time will be different and above all fun!
Starting off by going to the Desktop folder, since this is where the tools are.
We’ll also bypass the default policy for arbitrary PowerShell script execution and load the PowerView script into memory.
Piping commands together to find which account the hr user has rights over, in other words who is exposed.
Find-InterestingDomainAcl -ResolveGuids | Where-Object { $_.IdentityReferenceName -eq "hr" } | Select-Object IdentityReferenceName, ObjectDN, ActiveDirectoryRights
It seems like that person would be Vansprinkles.
We'll use Whisker to get a certificate and password for vansprinkles's account.
.\Whisker.exe add /target:vansprinkles
Next we pass the certificate and password we just obtained to Rubeus to retrieve the NTLM hash.
Make sure you are in the Desktop folder (or the directory where Rubeus is) and add ./ at the start.
This will provide us with the NTLM hash of the user account, which we can use for a pass-the-hash attack.
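The two steps above each leave a trace a defender can look for: Whisker writes a shadow credential into the account's msDS-KeyCredentialLink attribute (Security event 5136 on the domain controller, provided "Audit Directory Service Changes" is enabled and the objects carry a matching SACL), and Rubeus then requests a TGT with that certificate (event 4768 with the certificate fields filled in). The following detection logic is an added example, not the room's material; the events are constructed and reduced to the fields the logic uses, and the domain example.local, the principals intune-svc and j.doe, and the device LAPTOP01 are made up (hr and vansprinkles are the names from the room).

```python
"""Detection for shadow-credential abuse (added example, not from the room):
flag msDS-KeyCredentialLink writes by unexpected principals (event 5136) and
certificate-based TGT requests by accounts that never use PKINIT (event 4768),
then correlate the two for a high-confidence finding."""

SHADOW_CRED_ATTR = "msDS-KeyCredentialLink"
VALUE_ADDED = "%%14674"  # OperationType resource string for 'Value Added' in 5136

# Constructed sample events (not real log data), in chronological order.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "hr",
     "ObjectDN": "CN=vansprinkles,CN=Users,DC=example,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "intune-svc",          # legitimate device provisioning
     "ObjectDN": "CN=LAPTOP01,OU=Devices,DC=example,DC=local",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "hr",                  # same writer, harmless attribute
     "ObjectDN": "CN=vansprinkles,CN=Users,DC=example,DC=local",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
    {"EventID": 4768, "TargetUserName": "j.doe",                # password-based TGT, no cert
     "CertThumbprint": "", "IpAddress": "::ffff:10.0.0.21"},
    {"EventID": 4768, "TargetUserName": "vansprinkles",         # PKINIT with the new cert
     "CertThumbprint": "<constructed-thumbprint>", "IpAddress": "::ffff:10.0.0.50"},
]


def cn_from_dn(dn: str) -> str:
    """First RDN value of a DN: 'CN=vansprinkles,CN=Users,...' -> 'vansprinkles'."""
    first = dn.split(",", 1)[0]
    return (first.split("=", 1)[1] if "=" in first else first).strip().lower()


def shadow_credential_writes(events, allowed_writers):
    """(writer, target account) for every msDS-KeyCredentialLink value added by a
    principal outside allowed_writers. Only device-provisioning identities should
    write this attribute, so an ordinary user doing it is worth a look."""
    allowed = {w.lower() for w in allowed_writers}
    hits = []
    for e in events:
        if (e.get("EventID") == 5136
                and e.get("AttributeLDAPDisplayName") == SHADOW_CRED_ATTR
                and e.get("OperationType") == VALUE_ADDED):
            writer = e.get("SubjectUserName", "").lower()
            if writer not in allowed:
                hits.append((writer, cn_from_dn(e.get("ObjectDN", ""))))
    return hits


def certificate_logons(events, expected_cert_users):
    """Accounts that obtained a TGT with a certificate (non-empty CertThumbprint in
    4768) although they are not known to use certificate authentication."""
    expected = {u.lower() for u in expected_cert_users}
    found = []
    for e in events:
        if e.get("EventID") == 4768 and e.get("CertThumbprint"):
            user = e.get("TargetUserName", "").lower()
            if user not in expected and user not in found:
                found.append(user)
    return found


def correlate(events, allowed_writers, expected_cert_users):
    """High-confidence findings: an account that first received a shadow credential
    from an unexpected writer and afterwards authenticated with a certificate.
    Returns (account, writer) pairs in event order."""
    expected = {u.lower() for u in expected_cert_users}
    pending = {}  # account -> writer of the flagged shadow-credential write
    findings = []
    for e in events:
        if e.get("EventID") == 5136:
            for writer, account in shadow_credential_writes([e], allowed_writers):
                pending.setdefault(account, writer)
        elif e.get("EventID") == 4768 and e.get("CertThumbprint"):
            user = e.get("TargetUserName", "").lower()
            if user in pending and user not in expected:
                findings.append((user, pending.pop(user)))
    return findings


if __name__ == "__main__":
    print("suspicious shadow-credential writes:", shadow_credential_writes(SAMPLE_EVENTS, {"intune-svc"}))
    print("unexpected certificate logons:", certificate_logons(SAMPLE_EVENTS, set()))
    print("correlated findings:", correlate(SAMPLE_EVENTS, {"intune-svc"}, set()))
```

The allow-lists are the tuning knobs: populate allowed_writers with the identities that legitimately provision device keys, and expected_cert_users with accounts enrolled for smart-card or certificate logon, so that the correlation fires only on the pattern the room walks through (an ACL abuse followed by a certificate-based ticket request for the same account).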