Machine Accounts in Pentest Engagement

In my recent pentest engagement, we encountered a small infrastructure that was pretty good at patching and at implementing security mechanisms, including LAPS.

Since the assessment was black-box, we started by enumerating ranges and live machines on the network. Then we tried brute-forcing the set of local admin credentials usually found in most infrastructures. No luck: LOGON_FAILURE everywhere.


Then, suddenly, in the middle of the CME output we saw Pwn3d!. It was strange at first why local admin credentials worked on only one machine and not the others (was LAPS implemented?).



The next usual step was to RDP into the machine and look for either of the possibilities below:
  1. Credentials or hashes of any users (Mimikatz)
  2. Impersonation tokens (Incognito)
But no luck with either of them; all we had were machine account hashes (account names ending with a $ sign) found using Mimikatz on the first compromised machine.

After trying all possibilities on the compromised machine and some googling, we landed on Adam's post about using a machine account together with Mimikatz.

So let's fire up Mimikatz on our first compromised machine and disable the AV (misconfiguration: the local admin was allowed to disable AV). Using a pass-the-hash attack in Mimikatz we got a shell with the machine account's (EPM$) domain privileges and could run domain-level commands. Let's dump all the users in Active Directory.


The next step was to brute-force guessable passwords, or combinations with the company name, keeping the account lockout policy in mind. The path of attack from there was pretty straightforward.

Password spraying on domain users --> got credentials of valid domain users --> used SharpHound along with SessionLoop --> figured out where all the privileged accounts and Domain Admins were logged in --> mapped the attack path --> Pwned --> post exploitation --> crown jewels stolen ;)
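From the defender's side, the two moves in this engagement leave distinct signatures in the Windows security log: a password spray keeps every account below the lockout threshold but touches many accounts from one source, and a machine account (here EPM$) authenticating from a host other than the one it belongs to. The Python below is an added example, not code from the original post or from any tool it mentions; it runs both checks over constructed sample 4624/4625 events. The flat event layout, the host names, the 30-minute window and the thresholds are all assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# One security event, flattened: timestamp, event id, target account,
# source IP and the workstation name carried in the event.
Event = namedtuple("Event", "time event_id user source_ip workstation")

# Constructed sample log (not captured from any real environment).
# 4625 = failed logon, 4624 = successful logon.
# A spray from 10.0.0.50: ten distinct accounts, two attempts each,
# which keeps every account under a typical lockout threshold of 5.
SPRAY_USERS = ["alice", "bob", "carol", "dave", "erin",
               "frank", "grace", "heidi", "ivan", "judy"]
RAW = []
for i, user in enumerate(SPRAY_USERS):
    for attempt in range(2):
        minute = i * 2 + attempt
        RAW.append(f"2024-01-10T09:{minute:02d}:00 4625 {user} 10.0.0.50 WS-UNKNOWN")

# Benign noise: bob mistypes his password three times from his own box,
# bob's workstation account logs on from its own host, bob logs on normally.
RAW += [
    "2024-01-10T09:05:00 4625 bob 10.0.0.21 WS-BOB",
    "2024-01-10T09:06:00 4625 bob 10.0.0.21 WS-BOB",
    "2024-01-10T09:07:00 4625 bob 10.0.0.21 WS-BOB",
    "2024-01-10T09:30:00 4624 WS-BOB$ 10.0.0.21 WS-BOB",
    "2024-01-10T09:32:00 4624 bob 10.0.0.21 WS-BOB",
    # The machine account EPM$ authenticating from a foreign host (the
    # pass-the-hash step from the write-up, as a constructed event).
    "2024-01-10T09:31:00 4624 EPM$ 10.0.0.50 WS-UNKNOWN",
]


def parse(lines):
    """Parse the flat sample format into Event tuples."""
    events = []
    for line in lines:
        ts, eid, user, ip, ws = line.split()
        events.append(Event(datetime.fromisoformat(ts), int(eid), user, ip, ws))
    return events


def detect_spraying(events, lockout_threshold=5, window=timedelta(minutes=30),
                    min_distinct_users=8):
    """Return {source_ip: distinct_accounts} for sources whose failed logons
    inside one sliding window hit many distinct accounts while every account
    stays below the lockout threshold (the low-and-slow spray pattern)."""
    by_source = defaultdict(list)
    for e in events:
        if e.event_id == 4625:
            by_source[e.source_ip].append(e)

    alerts = {}
    for ip, evs in by_source.items():
        evs.sort(key=lambda e: e.time)
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window.
            while evs[end].time - evs[start].time > window:
                start += 1
            per_user = defaultdict(int)
            for w in evs[start:end + 1]:
                per_user[w.user] += 1
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) < lockout_threshold):
                alerts[ip] = max(alerts.get(ip, 0), len(per_user))
    return alerts


def detect_foreign_machine_logons(events):
    """Return (account, workstation, source_ip) for successful logons where a
    machine account ($) authenticated from a workstation whose name does not
    match the account, i.e. the machine credential left its own host."""
    hits = []
    for e in events:
        if e.event_id == 4624 and e.user.endswith("$"):
            if e.user[:-1].upper() != e.workstation.upper():
                hits.append((e.user, e.workstation, e.source_ip))
    return hits


if __name__ == "__main__":
    evs = parse(RAW)
    print("spray sources:", detect_spraying(evs))
    print("machine accounts used off-host:", detect_foreign_machine_logons(evs))
```

The spray check reports only windows where the per-account count stays under the lockout threshold; a source that pushes one account past it is a brute force, which the lockout policy itself surfaces via 4740. In a real SIEM the same logic runs over 4625 events keyed by IpAddress and TargetUserName, and the machine-account check compares TargetUserName against WorkstationName.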

This was the first time we fell into a scenario where the initial foothold didn't yield any credentials/hashes of a domain user. It was later discovered that LAPS was implemented across the entire infrastructure and only one machine had been left out (our first pivot) ;)
