CyberSecLabs Dictionary Walkthrough


Introduction

Dictionary is another Active Directory challenge from CyberSecLabs.  We will be leveraging some wordlist creation, as well as the rpcclient tool to enumerate domain users that were otherwise undiscovered.  Finally, an exploit I showcased in the Gatekeeper machine makes a return here, and we are able to enumerate Firefox credentials to gain system access.  Let's get to work!

Scanning

We begin the engagement by running Threader3000, my custom-made threaded port scanner (available here).  The ports we discover are common for Active Directory environments, and we run Nmap against them to confirm.

threader3000 172.31.3.4

nmap -A 172.31.3.4

We confirm that the common Active Directory services are present.  Additionally, we find that the domain uses the name dictionary.csl, which we need to add to our hosts file.
Adding dictionary.csl to hosts file

Enumeration

Enumeration on the machine begins with Kerbrute, since we know that AD environments use Kerberos.

kerbrute userenum --dc dictionary.csl -d dictionary.csl kerbruteuser.txt -t 1000

Now that we have usernames we can check whether any of them do not require Kerberos pre-authentication (another Windows "feature").  This is called AS-REP roasting, and we use the GetNPUsers.py tool from Impacket to do it.

GetNPUsers.py -dc-ip 172.31.3.4 dictionary.csl/username -no-pass

We successfully get a ticket (the AS-REP) back from the Kerberos authority, which we can crack offline using John the Ripper.

john tocrack --wordlist='Custom Wordlists/rockyou.txt'
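The two things a domain owner can check for the weakness exploited above are which accounts have pre-authentication disabled and which TGT requests arrived without it.  The script below is an added example written for this walkthrough, not code from CyberSecLabs, Impacket or Kerbrute; the account export and the 4768 event records it reads are constructed samples, and the only outside facts it relies on are the documented userAccountControl bit values and the Pre-Authentication Type / Ticket Encryption Type fields of Security event 4768.

```python
"""Defender-side checks for AS-REP roasting exposure (added example).

1. accounts_without_preauth(): enabled accounts with the DONT_REQ_PREAUTH bit
   (0x400000) set in userAccountControl.  These are the accounts for which an
   AS-REP can be requested without knowing the password.
2. asrep_roast_events(): Security event 4768 (TGT requested) records whose
   Pre-Authentication Type is 0, the trace such a request leaves on the DC.
   RC4 ticket encryption (etype 0x17) raises the severity, since that is the
   cheapest AS-REP to crack offline.
"""
from typing import Dict, List, Tuple

# userAccountControl bit flags (documented Microsoft values)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000
RC4_HMAC = 0x17  # Kerberos encryption type 23

# Constructed sample of an account export (sAMAccountName plus
# userAccountControl, as an LDAP query or Get-ADUser would return them).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 512},           # normal account
    {"sAMAccountName": "svc_backup", "userAccountControl": 4260352},  # 0x410200: no preauth, pw never expires
    {"sAMAccountName": "bob", "userAccountControl": 514},             # disabled
    {"sAMAccountName": "legacyapp", "userAccountControl": 4194816},   # 0x400200: no preauth
    {"sAMAccountName": "oldsvc", "userAccountControl": 4194818},      # 0x400202: no preauth, but disabled
]

# Constructed sample of 4768 records reduced to the fields that matter here.
SAMPLE_4768 = [
    {"TargetUserName": "alice", "IpAddress": "10.0.0.5", "PreAuthType": 2, "TicketEncryptionType": 0x12},
    {"TargetUserName": "svc_backup", "IpAddress": "10.0.0.99", "PreAuthType": 0, "TicketEncryptionType": 0x17},
    {"TargetUserName": "legacyapp", "IpAddress": "10.0.0.99", "PreAuthType": 0, "TicketEncryptionType": 0x17},
    {"TargetUserName": "alice", "IpAddress": "10.0.0.5", "PreAuthType": 2, "TicketEncryptionType": 0x12},
]


def parse_uac(value: int) -> List[str]:
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def accounts_without_preauth(accounts: List[Dict]) -> List[str]:
    """Enabled accounts with DONT_REQ_PREAUTH set, i.e. roastable accounts."""
    return sorted(
        a["sAMAccountName"]
        for a in accounts
        if a["userAccountControl"] & DONT_REQ_PREAUTH
        and not a["userAccountControl"] & ACCOUNTDISABLE
    )


def asrep_roast_events(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """(user, source IP, severity) for 4768 records with Pre-Authentication Type 0."""
    hits = []
    for ev in events:
        if ev["PreAuthType"] != 0:
            continue
        severity = "high" if ev["TicketEncryptionType"] == RC4_HMAC else "medium"
        hits.append((ev["TargetUserName"], ev["IpAddress"], severity))
    return hits


if __name__ == "__main__":
    for name in accounts_without_preauth(SAMPLE_ACCOUNTS):
        print(f"roastable account: {name} ({', '.join(parse_uac(4194816))})")
    for user, src, sev in asrep_roast_events(SAMPLE_4768):
        print(f"AS-REP without pre-auth for {user} from {src} [{sev}]")
```

The first check is the mitigation (clear the flag, or at least rotate the password to something a wordlist will not find); the second is the detection that fires when a tool like GetNPUsers.py is run, because a legitimate Windows client always pre-authenticates and so produces Pre-Authentication Type 2 or higher.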

Exploitation

Having found some usernames, we try to log in with them, but the password we cracked cannot be used to access the account directly.

evil-winrm -i 172.31.3.4 -u username -p password

Reaching back to my PTP days, I remembered that rpcclient can also enumerate domain users.  We have a username and a password, so we attempt it.

rpcclient -U "username" 172.31.3.4

We find additional users, but the password does not work for them either.  However, since the cracked password is a month:year combination, we can build a password spray list from popular combinations of months, seasons, and years.  I used a tool called Exrex for this, which expands a regular expression into the list of strings it matches.

exrex tool usage

We can now use CrackMapExec to spray the list against the usernames we found, and then log in with the matching pair.  This is successful.

crackmapexec smb 172.31.3.4 -u username -p datespray.txt

evil-winrm -i 172.31.3.4 -u username -p password
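From the domain controller's side, the spray above looks very different from a user mistyping a password: one source address fails against many accounts, once or twice each, in a short window, and then one of those accounts logs on successfully.  The detector below is an added example written for this walkthrough, not code from the lab or from CrackMapExec; the log lines are constructed samples in a simplified key=value form carrying the fields of Security events 4625 (logon failure), 4771 (Kerberos pre-authentication failed) and 4624 (logon success), and the window and thresholds are assumptions to tune per environment.

```python
"""Password-spray detection over logon failure events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: a user typo from 10.0.0.5, then a spray from
# 10.0.0.99 that lands on svc_backup.  Status 0xC000006D / failure code
# 0x18 are the "bad password" codes of 4625 and 4771 respectively.
SAMPLE_LOG = """\
2021-03-01T09:00:01 EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 Status=0xC000006D
2021-03-01T09:00:04 EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 Status=0xC000006D
2021-03-01T09:12:00 EventID=4771 TargetUserName=alice IpAddress=10.0.0.99 Status=0x18
2021-03-01T09:12:01 EventID=4771 TargetUserName=bob IpAddress=10.0.0.99 Status=0x18
2021-03-01T09:12:01 EventID=4771 TargetUserName=carol IpAddress=10.0.0.99 Status=0x18
2021-03-01T09:12:02 EventID=4771 TargetUserName=dave IpAddress=10.0.0.99 Status=0x18
2021-03-01T09:12:02 EventID=4771 TargetUserName=erin IpAddress=10.0.0.99 Status=0x18
2021-03-01T09:12:03 EventID=4771 TargetUserName=svc_backup IpAddress=10.0.0.99 Status=0x18
2021-03-01T09:12:09 EventID=4624 TargetUserName=svc_backup IpAddress=10.0.0.99 LogonType=3
"""

FAILURE_IDS = {"4625", "4771"}
SUCCESS_IDS = {"4624"}


def parse_events(text: str) -> List[Dict]:
    """Turn the key=value lines into dicts with a parsed 'time' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def detect_spray(events: List[Dict], window: timedelta = timedelta(minutes=10),
                 min_accounts: int = 5, max_per_account: int = 2) -> List[Dict]:
    """One alert per source IP that fails against >= min_accounts distinct
    accounts inside `window`, with no account failing more than
    max_per_account times (the low-and-slow profile of a spray).  Accounts
    that then log on successfully from the same source are listed as
    likely compromised."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["IpAddress"]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["EventID"] in FAILURE_IDS]
        for i, start in enumerate(fails):
            end = start["time"] + window
            in_window = [e for e in fails[i:] if e["time"] <= end]
            per_account = defaultdict(int)
            for e in in_window:
                per_account[e["TargetUserName"]] += 1
            if len(per_account) < min_accounts or max(per_account.values()) > max_per_account:
                continue
            compromised = sorted({
                e["TargetUserName"] for e in evs
                if e["EventID"] in SUCCESS_IDS
                and start["time"] <= e["time"] <= end
                and e["TargetUserName"] in per_account
            })
            alerts.append({"ip": ip, "start": start["time"].isoformat(),
                           "accounts": len(per_account), "compromised": compromised})
            break  # later windows from this IP belong to the same campaign
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_events(SAMPLE_LOG)):
        print(alert)
```

Note the trade-off behind `max_per_account`: an attacker who keeps attempts per account below the lockout threshold never trips the lockout policy, which is exactly why counting distinct accounts per source, rather than failures per account, is the signal to alert on.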

Now that we are logged in we can grab the access.txt flag from the user desktop.

more access.txt

We can upload winPEAS to the machine to enumerate it and find any privilege escalation paths that may be present.  One of its findings is that Firefox credentials are present on the system.

Upload and run winPEAS.exe

Firefox credential availability feedback

In order to decrypt the credentials, we need to go to the directory they are located in and download four files: key4.db, cert9.db, cookies.sqlite, and logins.json.  Additionally, we need a tool called Firefox_Decrypt (https://github.com/unode/firefox_decrypt), saved to our attacking machine.  After that we run it against the directory we saved the files to.

Downloading files

python3 firefox_decrypt.py /root/Desktop/

The tool automatically reads the Firefox profile files and compiles them into sets of available credentials.  A quick net users run on the target machine confirms the usernames, and we find one that works for us, granting access via psexec.

psexec.py username:password@172.31.3.4
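The reason firefox_decrypt works with nothing more than copied files is the layout of a Firefox profile: logins.json is plain JSON whose hostnames are cleartext and whose usernames and passwords are NSS-encrypted blobs, and key4.db holds the key that protects those blobs, guarded only by the primary (master) password, which is empty unless the user set one.  The audit script below is an added example for this walkthrough, not code from firefox_decrypt or from CyberSecLabs.  It decrypts nothing; it walks a file tree, finds profiles that actually contain saved logins, and reports what an administrator would want to know before such a profile ends up on a server or jump host.  The profile tree it builds is a constructed fixture, and the encrypted blobs in it are placeholder strings.

```python
"""Inventory saved Firefox logins on a host (added example, no decryption).

Reads logins.json in each profile found under a root directory and reports
profiles that hold saved credentials: how many, for which sites, when they
were last used, and whether key4.db (the key store) sits beside them.
"""
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List


def build_fixture() -> str:
    """Create a constructed tree with one populated and one empty profile."""
    root = tempfile.mkdtemp(prefix="ffaudit_")
    populated = os.path.join(root, "Users", "svc_app", "AppData", "Roaming",
                             "Mozilla", "Firefox", "Profiles", "abc123.default-release")
    empty = os.path.join(root, "Users", "alice", "AppData", "Roaming",
                         "Mozilla", "Firefox", "Profiles", "def456.default-release")
    os.makedirs(populated)
    os.makedirs(empty)
    # key4.db is a SQLite file in reality; its contents are irrelevant to this audit
    open(os.path.join(populated, "key4.db"), "wb").close()
    logins = {
        "nextId": 3,
        "logins": [
            {"id": 1, "hostname": "https://intranet.example.test",
             "encryptedUsername": "PLACEHOLDER-BLOB", "encryptedPassword": "PLACEHOLDER-BLOB",
             "encType": 1, "timeLastUsed": 1614589200000, "timesUsed": 12},
            {"id": 2, "hostname": "https://mail.example.test",
             "encryptedUsername": "PLACEHOLDER-BLOB", "encryptedPassword": "PLACEHOLDER-BLOB",
             "encType": 1, "timeLastUsed": 1609459200000, "timesUsed": 3},
        ],
        "version": 3,
    }
    with open(os.path.join(populated, "logins.json"), "w") as fh:
        json.dump(logins, fh)
    with open(os.path.join(empty, "logins.json"), "w") as fh:
        json.dump({"nextId": 1, "logins": [], "version": 3}, fh)
    return root


def audit_firefox_profiles(root: str) -> List[Dict]:
    """Return one finding per profile directory that contains saved logins."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "logins.json" not in files:
            continue
        with open(os.path.join(dirpath, "logins.json")) as fh:
            data = json.load(fh)
        entries = data.get("logins", [])
        if not entries:
            continue
        # timeLastUsed is milliseconds since the Unix epoch
        last_used_ms = max(e.get("timeLastUsed", 0) for e in entries)
        findings.append({
            "profile": dirpath,
            "saved_logins": len(entries),
            "hosts": sorted({e["hostname"] for e in entries}),
            "key_db_present": "key4.db" in files,
            "last_used": datetime.fromtimestamp(last_used_ms / 1000, tz=timezone.utc).date().isoformat(),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_firefox_profiles(build_fixture()):
        print(finding)
```

A profile reported with `key_db_present` and no primary password set is recoverable by anyone who can read those two files, which is the situation winPEAS flagged on this machine; the fix is to keep browser password stores off servers and service accounts, or to require a primary password so that the copied key store is useless on its own.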

Final Thoughts

The folks over at CyberSecLabs continue to turn out quality Active Directory challenges, which is a nice addition to their platform.  This challenge was a good test of wordlist creation and of lesser-used tools, and was an all-around enjoyable challenge.  I hope that you all were able to learn something today, and I look forward to seeing you again soon!
