CRTE Latest
Certified Red Team Expert
Table of Contents
1.0 Certified Red Team Expert Exam Report ........ 3
1.1 Introduction ........ 3
1.2 Objective ........ 3
1.3 Requirements ........ 3
2.0 High-Level Summary ........ 4
2.1 Recommendations ........ 5
3.0 Methodologies ........ 5
3.1 Information Gathering ........ 5
3.2 Penetration ........ 5
1. Fortress-secure.fortress.corp ........ 8
2. Fortress-privdb.fortress.corp ........ 12
3. Palace-dbsrv2.palace.corp ........ 18
4. Fortress-dc.fortress.corp ........ 20
5. Palace-dc.palace.corp ........ 21
1.0 Certified Red Team Expert Exam Report
1.1 Introduction
The Pentester Academy Lab exam report contains all efforts that were conducted in order to
pass the Pentester Academy Certified Red Team Professional ("CRTE") Exam. This report will be
graded from a standpoint of correctness and completeness with respect to all aspects of the Exam Lab. The purpose of this
report is to ensure that the student has a full understanding of penetration testing methodologies as well
as the technical knowledge to pass the qualifications for the Certified Red Team Professional.
1.2 Objective
The objective of this assessment is to perform an internal penetration test against the Pentester
Academy Exam network. The student is tasked with following a methodical approach to obtain
access to the objective goals. This test should simulate an actual penetration test and how you would
carry it out from beginning to end, including the overall report.
1.3 Requirements
The student will be required to fill out this penetration testing report fully and to include the following
sections:

2.0 High-Level Summary
The author of this report was tasked with performing an internal penetration test against the
Pentester Academy Exam Lab environment. An internal penetration test is a dedicated offensive
simulation against internally connected systems. The focus of this test is to perform attacks like those
of a malicious hacker and attempt to infiltrate Pentester Academy's internal Exam Lab systems. The
overall objective was to evaluate the network, identify systems, and exploit vulnerabilities, ultimately
reporting findings back to Pentester Academy.
During the assessment, several alarming vulnerabilities were identified on Pentester Academy's exam
network. When performing the attacks, the author was able to gain access to multiple machines,
primarily due to poor security configurations. During the tests, four systems were successfully
compromised, granting full control over most systems in the network.
- fortress-secure.fortress.corp
- fortress-privdb.fortress.corp
- palace-dbsrv2.palace.corp
- fortress-dc.fortress.corp
- palace-dc.palace.corp
2.1 Recommendations
3.0 Methodologies
testing how well the Pentester Academy Labs and Exam environments are secured. Below is a
breakdown of how I was able to identify and exploit the different systems, which includes all individual
vulnerabilities found.
3.1 Information Gathering
The information gathering portion of a penetration test focuses on identifying the scope of the
test. During this penetration test, the objective was to exploit the exam network.
3.2 Penetration
The penetration testing portion of the assessment focuses heavily on gaining access to a
variety of systems. During this penetration test, I was able to successfully gain access to 5 out
of the 5 systems.
INITIAL STEPS
1) I started by logging in to the lab environment with the provided student credentials and began to enumerate
multiple objects (users, computers) using the PowerView tool in order to discover enough information
about the Active Directory environment. First, I observed that I wasn't able to execute PowerView
commands because of AMSI (Anti-Malware Scan Interface), so I used a one-liner script in
order to bypass the restrictions.
[Ref].Assembly.GetType('System.Management.Automation.'+$("41 6D 73 69 55 74 69 6C 73".Split(" ")|forEach{[char]([convert]::toint16($_,16))}|forEach{$result=$result+$_};$result)).GetField($("61 6D 73 69 49 6E 69 74 46 61 69 6C 65 64".Split(" ")|forEach{[char]([convert]::toint16($_,16))}|forEach{$result2=$result2+$_};$result2),'NonPublic,Static').SetValue($null,$true)
2) First, I enumerated the domain, users and computers, where I found some interesting results from
Get-NetDomain, Get-NetForest, Get-NetUser -SPN and Get-NetComputer (-Unconstrained), which
made me think about the next steps.
Figure 2 - Get-NetDomain
Figure 3 - Get-NetForest
Figure 4 - Get-NetUser
Figure 5 - Get-NetComputer
3) First I tried to escalate privileges from studentuser to local admin, and for this I tried
multiple tools like winPEAS, PowerUp and Seatbelt, but all of them returned only false positives, so
I continued the enumeration until I found the password of the secureservice user in the user
description field: UseThisToRunSvcs!23.
delegation enabled.
5) Then I tried to create a remote PSSession to the fortress-secure VM, but I got access denied for both
the studentuser and secureservice users.
6) After a password spraying process I found that the secureservicebkp user has the same password as
secureservice; I logged in, tried to create that PSSession again, and it worked:
secureservicebkp has Administrator privilege on fortress-secure.fortress.corp.
Figure 8 - Retrieve Remote PSSession on fortress-secure
In order to mitigate this issue I recommend configuring servers that require delegation to use
Constrained Delegation (do not use Kerberos Unconstrained Delegation) and also configuring all elevated
administrator accounts as "Account is sensitive and cannot be delegated".
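As an added defensive check for the two recommendations above (this is not part of the original report), the following script audits a domain for hosts trusted for unconstrained delegation and for privileged users that are still delegatable, and can set the "sensitive and cannot be delegated" flag on them. It assumes the Microsoft ActiveDirectory PowerShell module and read access to the domain; the $PrivilegedGroups list is a constructed assumption to adjust per environment.

```powershell
Import-Module ActiveDirectory

# Groups whose members should carry the "sensitive, cannot be delegated" flag (constructed list)
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')

function Get-UnconstrainedDelegationHosts {
    # Hosts trusted for unconstrained delegation keep a copy of the TGT of every principal
    # that authenticates to them; only domain controllers are expected to carry this flag.
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation, OperatingSystem |
        Where-Object { $_.DistinguishedName -notlike '*,OU=Domain Controllers,*' } |
        Select-Object Name, DNSHostName, OperatingSystem
}

function Get-DelegatableAdmins {
    # Privileged users that can still be delegated, i.e. AccountNotDelegated is not set
    param([string[]]$Groups = $PrivilegedGroups)
    $members = foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive | Where-Object { $_.objectClass -eq 'user' }
    }
    $members | Sort-Object -Property distinguishedName -Unique |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties AccountNotDelegated } |
        Where-Object { -not $_.AccountNotDelegated } |
        Select-Object SamAccountName, DistinguishedName
}

function Protect-AdminAccounts {
    # Remediation: set the flag on every account Get-DelegatableAdmins reports; -WhatIf previews it
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Groups = $PrivilegedGroups)
    foreach ($u in Get-DelegatableAdmins -Groups $Groups) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Set AccountNotDelegated = True')) {
            Set-ADUser -Identity $u.DistinguishedName -AccountNotDelegated $true
        }
    }
}

Get-UnconstrainedDelegationHosts | Format-Table -AutoSize
Get-DelegatableAdmins | Format-Table -AutoSize
# Protect-AdminAccounts -WhatIf
```

Any non-DC host in the first table is a candidate for migration to constrained (or resource-based) delegation; the second table lists the accounts the flag should be set on.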
1. Fortress-secure.fortress.corp
• Another important finding is that the VM has Application Whitelisting (AWL) and is
running in Constrained Language Mode (CLM). I checked the C:\maintenancescripts folder and
found a script called "checkserverstatus.ps1"; it uses administrator credentials on the student machine
to run the "hostname" command via Invoke-Command.
Le
ed
ak
Le
ed
• I used the credentials in the script to add my user "studentuser" to the Administrators group.
Figure 11 - Dump hashes for users on fortress-secure
• After this I also added the maintenancesvc user to the Administrators group. Then I performed a Pass-The-Hash
attack with maintenancesvc and connected to fortress-secure.fortress.corp, where I was able
to validate the AppLocker policy.
• After retrieving all relevant information I refined the Invoke-Mimikatz parameters a little and
added the vault::cred /patch option in order to retrieve more useful information: the credentials for the
securesrvadmin user.
Figure 16 - Reconnaissance for SQL instances
2. Fortress-privdb.fortress.corp
• Using HeidiSQL.exe I connected to the SQL instance on fortress-privdb.fortress.corp.
Figure 17 - Establishing connection to fortress-privdb
• I started the SQL Server abuse; first I checked whether the logged-on user is "sysadmin" or "db_owner". It returned '0'
for "sysadmin" and '0' for "db_owner".
• Then I did some reconnaissance and tried to look for privileges on every database.
Figure 20 - Reconnaissance for privileges
• After doing some discovery regarding users and privileges, I found a way to impersonate my way up
to sa in order to enable xp_cmdshell using the priv_db database.
Figure 22 - Get privileges for priv_db database
EXECUTE AS USER='dbo'
ALTER SERVER ROLE [sys
• Finally I was able to impersonate a sysadmin, and I enabled "xp_cmdshell" to execute OS
commands.
• After running whoami command on fortress-privdb I added studentuser into Administrators
group:
Reference: HTTPS://SECURE360.ORG/WP-CONTENT/UPLOADS/2017/05/SQL-SERVER-HACKING-ON-SCALE-USINGPOWERSHELL_S.SUTHERLAND.PDF
As mitigation on fortress-privdb.fortress.corp, I recommend removing EXECUTE privileges on the
xp_cmdshell procedure for non-administrative logins and the public role, using the following SQL
command: REVOKE EXECUTE on xp_cmdshell to Public.
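As an added audit for this finding (not the report's own code), the following script runs the queries a defender would use to confirm the conditions behind this escalation on an instance: whether xp_cmdshell is enabled, who holds EXECUTE on it, which logins may IMPERSONATE other logins, and which TRUSTWORTHY databases are owned by a sysadmin (the combination that lets EXECUTE AS USER='dbo' reach sysadmin). It assumes the SqlServer PowerShell module and a login with sysadmin or VIEW SERVER STATE; $Instance and the [priv_db] name in the remediation batch are placeholders taken from the report.

```powershell
Import-Module SqlServer
$Instance = 'fortress-privdb.fortress.corp'   # placeholder instance name, adjust as needed

# Each query should return zero rows on a hardened instance (apart from expected admin grants)
$AuditQueries = [ordered]@{
    'xp_cmdshell enabled' = "SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell' AND value_in_use = 1;"
    'EXECUTE grants on xp_cmdshell' = @"
SELECT pr.name AS grantee, pe.state_desc, pe.permission_name
FROM master.sys.database_permissions pe
JOIN master.sys.database_principals pr ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1 AND pe.major_id = OBJECT_ID('master.dbo.xp_cmdshell');
"@
    'IMPERSONATE on server logins' = @"
SELECT gr.name AS grantee, tgt.name AS can_impersonate, pe.state_desc
FROM sys.server_permissions pe
JOIN sys.server_principals gr  ON gr.principal_id  = pe.grantee_principal_id
JOIN sys.server_principals tgt ON tgt.principal_id = pe.major_id
WHERE pe.class = 101 AND pe.permission_name = 'IMPERSONATE';
"@
    'TRUSTWORTHY databases owned by a sysadmin' = @"
SELECT d.name, SUSER_SNAME(d.owner_sid) AS owner
FROM sys.databases d
WHERE d.is_trustworthy_on = 1 AND d.name <> 'msdb'
  AND IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1;
"@
}

function Invoke-SqlPrivAudit {
    param([string]$ServerInstance = $Instance)
    foreach ($check in $AuditQueries.Keys) {
        $rows = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $AuditQueries[$check])
        Write-Output "== $check : $($rows.Count) row(s)"
        $rows | Format-Table -AutoSize | Out-String -Width 200 | Write-Output
    }
}

# Remediation batch, run only after reviewing the audit output ([priv_db] is the report's database)
$Remediation = @"
USE master;
REVOKE EXECUTE ON dbo.xp_cmdshell FROM public;
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
ALTER DATABASE [priv_db] SET TRUSTWORTHY OFF;
"@

Invoke-SqlPrivAudit
# Invoke-Sqlcmd -ServerInstance $Instance -Query $Remediation
```

Revoking EXECUTE from public alone does not close the path shown in this section; the TRUSTWORTHY flag and the sysadmin ownership of the database are what turn a db_owner impersonation into server-level control.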
• After getting a remote session on the fortress-privdb.fortress.corp machine via PSSession I was able to
run my own compiled version of mimikatz in order to retrieve the privdbmanager hash.
• Then I enabled RDP in order to make the reconnaissance much easier, using the following command:
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -Value 0
• I did some recon by looking for the domain GPOs on the palace.corp domain and found that the machine
should have access to the palace.corp domain via GPO.
Figure 28 - Checked for GPLinks
• I ran the SharpHound collector and the BloodHound tool to analyze the collected data in order to gather more
information about the domains, domain controllers, users and privileges in the context of
fortress-privdb$, and found that the fortress-privdb machine account can force a password change on
dbmanager@palace.corp and can change GPOs on palace.corp.
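The edge BloodHound reported here, a computer account holding ForceChangePassword over a user, can be found without BloodHound by walking user ACLs; the following script is an added example, not the report's own code. It assumes the ActiveDirectory module (for the AD: drive) and a single domain; $TrustedPrincipals is a constructed allowlist to extend per environment, and the right's GUID is the well-known schema value for User-Force-Change-Password.

```powershell
Import-Module ActiveDirectory

# Well-known GUID of the User-Force-Change-Password control access right
$ForceChangePasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$GenericAll    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
# Principals expected to hold the right (constructed allowlist, extend per domain)
$TrustedPrincipals = @('NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                       'BUILTIN\Account Operators')

function Find-ForceChangePasswordGrants {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName,
          [string[]]$Allow = $TrustedPrincipals)
    foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($Allow -contains $who -or $who -like '*\Domain Admins' -or $who -like '*\Enterprise Admins') { continue }
            $r = [int]$ace.ActiveDirectoryRights
            # GenericAll implies every extended right; an empty ObjectType means "all extended rights"
            $viaGenericAll = ($r -band $GenericAll) -eq $GenericAll
            $viaExtRight   = (($r -band $ExtendedRight) -ne 0) -and
                             ($ace.ObjectType -eq $ForceChangePasswordGuid -or $ace.ObjectType -eq [guid]::Empty)
            if (-not ($viaGenericAll -or $viaExtRight)) { continue }
            $via = if ($viaGenericAll) { 'GenericAll' } else { 'ForceChangePassword' }
            [pscustomobject]@{
                User            = $user.SamAccountName
                Trustee         = $who
                Via             = $via
                ComputerAccount = $who.EndsWith('$')   # machine accounts (e.g. fortress-privdb$) are rarely legitimate here
                Inherited       = $ace.IsInherited
            }
        }
    }
}

Find-ForceChangePasswordGrants | Sort-Object ComputerAccount -Descending | Format-Table -AutoSize
```

Rows with ComputerAccount = True and Inherited = False are the explicit grants to review first; inherited rows usually point at an OU-level ACE that should be fixed at its source.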
Figure 30 - FORTRESS-PRIVDB machine HASH
• After this step I changed the password of the dbmanager user with the Set-DomainUserPassword
cmdlet from the PowerView tool.
• After this, I added the dbmanager user to the DatabaseMasters group using the following commands:
Figure 34 - Remote PSSession on palace-dbsrv2 and run OS commands
• Here I ran my own compiled version of mimikatz in order to retrieve user hashes, and I found the
trustuser hash, which has Administrator rights on fortress-dc.fortress.corp.
[palace-dbsrv2.palace.corp]: PS C:\temp> Invoke-Mimikatz -Command ' "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit"'
mimikatz(powershell) # sekurlsa::logonpasswords
Domain : PALACE
Logon Server : PALACE-DC
Logon Time : 3/29/2021 2:30:43 PM
SID : S-1-5-21-3220691889-3703580063-924024866-1105
msv :
[00000003] Primary
* Username : trustuser
* Domain : PALACE
* NTLM : bf26e8a371339924ce631f2ec40b1b87
* SHA1 : f5e3eb38e742deba5066f43a28ecbd2a4ab30104
* DPAPI : 1144fed6a68eb85f3d76afa3a52f3598
tspkg :
wdigest :
* Username : trustuser
* Domain : PALACE
* Password : (null)
kerberos :
* Username : trustuser
* Domain : PALACE.CORP
* Password : (null)
ssp :
On the same machine I was able to find the credentials for the companyadmin user. After running the BloodHound ingestor I was able to
see what privileges this user has and observed that he has rights to PS-Remote to the Palace-DC machine:
Figure 35 - Retrieving trustuser password from vault and also the Hash
4. Fortress-dc.fortress.corp
• Using pass the hash I was able to log in to fortress-dc.fortress.corp as trusteduser, where I've
Figure 38 - lsadump::dcsync output
• The last step was to add studentuser to the Domain Admins group and also to the Enterprise Admins group
using the following commands:
5. Palace-dc.palace.corp
Using pass the hash I was able to log in to palace-dc.fortress.corp as the companyadmin user, where I was
able to run commands on this machine.