Introducing Mishky’s Range Expansion

Rich
6 min read · Nov 6, 2024


TL;DR Mishky’s AD Range now includes another forest, domain & forest trust relationships, AD CS, a few new attacker TTPs, and even more enumeration. Mishky’s AD Range is a ‘mini GOAD’ of sorts, only requiring Hyper-V to be enabled. The range’s expansion pack is here.

Background

Altered Security added a few attacker TTPs to CRTP since I first took it three years ago. Hence after taking the CRTP renewal exam I thought we should add to Mishky’s AD Range. The simplest way to do this expansion was to build a fresh domain in a second forest. This has the added benefit of stressing trust relationships both between domains and forests in the range.

One can simply run Pre-Reqs.ps1 on the host OS to enable Hyper-V, create the virtual switch, create the folder layout, download a free Windows Server 2022 evaluation ISO, and install Convert-WindowsImage.

# Pre-Reqs.ps1 (host side). Run from an elevated PowerShell prompt.
# Hyper-V must be enabled (and the host rebooted) before the Hyper-V cmdlets below exist.
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

# External vSwitch the VMs attach to. "Ethernet" must match your host NIC name (see Get-NetAdapter).
New-VMSwitch -Name "Testing" -NetAdapterName "Ethernet" ; Set-VMSwitch -Name Testing -AllowManagementOS $true

# Folder layout the IaC expects
New-Item C:\VM_Stuff_Share\Lab\CousinDomain -ItemType Directory
New-Item C:\VM_Stuff_Share\ISOs -ItemType Directory

# Free Windows Server 2022 evaluation ISO
Invoke-WebRequest -Uri "https://software-static.download.prss.microsoft.com/sg/download/888969d5-f34g-4e03-ac9d-1f9786c66749/SERVER_EVAL_x64FRE_en-us.iso" -OutFile "C:\VM_Stuff_Share\ISOs\Windows Server 2022 (20348.169.210806-2348.fe_release_svc_refresh_SERVER_EVAL_x64FRE_en-us).iso"

Write-Host "Manually grab a x64 ISO from https://www.microsoft.com/en-us/evalcenter/download-windows-server-2022 if the download fails and save it in the ISOs folder."

# Convert-WindowsImage turns the ISO into a bootable VHDX for each VM
Install-Module -Name Convert-WindowsImage

Write-Host "If the above fails to install Convert-WindowsImage then download it from https://github.com/x0nn/Convert-WindowsImage"
Write-Host "Save it in C:\VM_Stuff_Share\Convert-WindowsImage (from PS Gallery)"

Folder structure

The IaC expects a 'root directory' C:\VM_Stuff_Share\Lab with Mishky's AD Range saved in it.

  • The IaC for the second forest goes in the sub folder C:\VM_Stuff_Share\Lab\CousinDomain.
  • The Windows Server 2022 ISO goes in C:\VM_Stuff_Share\ISOs.
  • Convert-WindowsImage goes in its own folder, C:\VM_Stuff_Share\Convert-WindowsImage.

Range diagram

Research.local was built as an 'expansion pack' to Mishky's AD Range. One is meant to start out in us.lab.local, gain initial access, enumerate, and escalate to Enterprise Admin in the parent domain Lab.local. The IaC for Research.local creates a trust relationship between the two forests and a path to pivot from the first forest to initial access in the second one.

Research.local can also be used on its own. If you want to do so, start with the username \ password RGF2ZQ== \ UGFzc3dvcmRSZXVzZUlzRnVuIQ== . Both are Base64 encoded so no one accidentally reads them and gets a plot spoiler. This account provides an initial toehold in Research.local.

Attacker TTPs

I set up Research.local to stress DACL abuse on computer accounts and AD CS templates. The first forest, Lab.local, by contrast stresses the beginner stuff like name poisoning and Kerberoasting, as well as DACL abuse on user accounts, groups, and NTFS. Both stress enumeration, credential dumping, and password spraying. Research.local is not set up for brute force attacks.

I also threw a few knuckleballs into the configuration. I posted howtos earlier on abusing DACLs on a workstation to get a local admin shell and abusing a vulnerable AD CS template to escalate privileges. I tweaked a few things in the version I posted to GitHub, so further enumeration and pivoting is required to perform the same attacks that are outlined in those howtos.

Random notes

  • The setup uses 6 GB of RAM per VM. You could likely get away with as little as 2 GB per VM if you're low on RAM. Adjust lines 33–34 in Create-Cousin.ps1 if you need to change the RAM allocation per VM.
  • The setup installs a couple of modules on Research-Client. You’ll see a prompt and have to hit Yes or ‘Yes to All’ three or four times.
  • Once the automated setup finishes spinning everything up, go into Hyper-V Manager, right click on Dave-PC & Research-Client, and hit Enter on the keyboard selection screen. You should be looking at a login screen. The VMs are ready to attack from Kali after that.
  • Research.local is an expansion pack. If you are going to use both then run the setup for Lab.local first.
Just hit Next on that screen, then go back to Kali and attack!

The escalation path

Mishky’s AD Range starts out easy enough in us.lab.local. I created a TryHackMe room that starts out the same way before doing a deep dive into DACL abuse. I noticed that a few users have tried it, but as of today no one has moved past the DACL abuse part.

The second forest, Research.local, was not meant to be easy. Getting a toehold on it after pwning Lab.local is easy, as long as your enumeration skills are ok, but moving past that is tricky by design. I worked a certain vendor's favorite part of DACLs into Research.local. Read this if you need a hint.

Hints

  • Enumerate fully and move laterally into any user, group, computer, or AD CS template objects that you can. The path does not go straight from initial access to Domain Admin.
  • If you gain access to a system, dump everything on it and try password spraying what you find with crackmapexec.
  • xfreerdp, PowerMad, PowerView, Rubeus, PSTools, Certify, openssl, HFS, and Invoke-Mimikatz are your friends in Research.local. Much like CRTP, this forest is setup to be attacked from Windows. However certipy-ad and the Python HTTP server are also useful. It’s ‘shooter’s choice’.
  • Brute force is unlikely to get you anywhere.
  • Metasploit and/or Meterpreter are not required in this second forest. You can use them, but you’d be working harder than required.
  • Defender, Windows Firewall, AMSI, etc. are not disabled. It is up to you to bypass or disable them if your access is blocked.
  • There is nothing in Mishky’s AD Range that is not on our Medium somewhere, in a howto, TryHackMe walkthrough, cheatsheet, etc. This range simply puts lots of attacker TTPs in one place for fun and educational practice.
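The hints above amount to "enumerate trusts, computer-object DACLs and AD CS templates before you do anything else". As an added example of that enumeration (this is not part of Mishky's AD Range, its IaC, or the howtos it references), the script below does all three read-only from a low-privileged domain user on any domain-joined Windows box, using only .NET/ADSI rather than PowerView or Certify. The ignore lists and the choice of which rights count as "interesting" are my own assumptions; the GUIDs are the standard AD schema and extended-right GUIDs for the attributes and right named beside them.

```powershell
# Added example, not part of Mishky's AD Range. Read-only: trusts, computer DACLs, AD CS templates.
$ADR = [System.DirectoryServices.ActiveDirectoryRights]
$rbcdGuid   = [Guid]'3f78c3e5-f79a-46bd-a0b8-9d18116ddc79'  # msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD)
$kclGuid    = [Guid]'5b47d60f-6090-40b2-9f37-2a4de88f3063'  # msDS-KeyCredentialLink (shadow credentials)
$enrollGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
$authEkus   = '1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2', '1.3.6.1.5.2.3.4', '2.5.29.37.0'  # client auth, smartcard, PKINIT, any
# Assumption: principals expected to hold rights everywhere; anything else is worth a look.
$ignoreNames  = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'CREATOR OWNER', 'BUILTIN\Administrators',
                'BUILTIN\Account Operators', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
$ignoreGroups = 'Domain Admins', 'Enterprise Admins', 'Domain Controllers', 'Cert Publishers', 'Key Admins', 'Enterprise Key Admins'

function Resolve-Sid([System.Security.Principal.SecurityIdentifier]$Sid) {
    # SIDs from the other forest may not translate; keep the raw SID instead of aborting.
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}
function New-Searcher($Base, $Filter) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$Base"
    $s.Filter = $Filter
    $s.PageSize = 500
    $s.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl  # return the DACL with each object
    $s
}
function Get-AllowAces($SearchResult) {
    # Parse the nTSecurityDescriptor that came back with the search result (no second round trip).
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorBinaryForm($SearchResult.Properties['ntsecuritydescriptor'][0])
    $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) | Where-Object { $_.AccessControlType -eq 'Allow' }
}

# 1. Trusts at forest and domain level, with direction (inbound/outbound/bidirectional)
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
"== Trusts of forest $($forest.Name) and domain $($domain.Name) =="
@($forest.GetAllTrustRelationships()) + @($domain.GetAllTrustRelationships()) |
    Format-Table SourceName, TargetName, TrustDirection, TrustType -AutoSize

$rootDse   = [ADSI]'LDAP://RootDSE'
$defaultNc = $rootDse.defaultNamingContext.Value
$configNc  = $rootDse.configurationNamingContext.Value

# 2. Computer objects: Allow ACEs for non-admin principals granting full control, WriteDacl/WriteOwner,
#    or WriteProperty on the RBCD / KeyCredentialLink attribute. ObjectType = Guid.Empty means "all
#    attributes", which is what a GenericWrite ACE decomposes to.
"== Interesting ACEs on computer objects in $defaultNc =="
foreach ($r in (New-Searcher $defaultNc '(objectCategory=computer)').FindAll()) {
    foreach ($ace in (Get-AllowAces $r)) {
        $who = Resolve-Sid $ace.IdentityReference
        if ($ignoreNames -contains $who) { continue }
        if ($ignoreGroups | Where-Object { $who -like "*\$_" }) { continue }
        $rights = $ace.ActiveDirectoryRights
        $full = ($rights -band $ADR::GenericAll) -eq $ADR::GenericAll
        $ctrl = ($rights -band ($ADR::WriteDacl -bor $ADR::WriteOwner)) -ne 0
        $attr = (($rights -band $ADR::WriteProperty) -ne 0) -and ($ace.ObjectType -in @($rbcdGuid, $kclGuid, [Guid]::Empty))
        if ($full -or $ctrl -or $attr) {
            [pscustomobject]@{ Computer = $r.Properties['samaccountname'][0]; Principal = $who
                               Rights = "$rights"; ObjectType = $ace.ObjectType; Inherited = $ace.IsInherited }
        }
    }
}

# 3. AD CS templates: the ESC1 combination (enrollee supplies the subject, no manager approval,
#    no RA signatures, an authentication EKU or no EKU at all) and who holds the Enroll right on them.
"== ESC1-style templates in $configNc and their enrollers =="
$tplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
foreach ($r in (New-Searcher $tplBase '(objectClass=pKICertificateTemplate)').FindAll()) {
    $p = $r.Properties
    $nameFlag   = [int]$p['mspki-certificate-name-flag'][0]   # bit 0x1 = CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
    $enrollFlag = [int]$p['mspki-enrollment-flag'][0]          # bit 0x2 = CT_FLAG_PEND_ALL_REQUESTS (manager approval)
    $raSigs     = [int]$p['mspki-ra-signature'][0]
    $ekus       = @($p['pkiextendedkeyusage'] | Where-Object { $_ })
    $esc1 = (($nameFlag -band 1) -ne 0) -and (($enrollFlag -band 2) -eq 0) -and ($raSigs -eq 0) -and
            (($ekus.Count -eq 0) -or ($ekus | Where-Object { $authEkus -contains $_ }))
    if (-not $esc1) { continue }
    $enrollers = foreach ($ace in (Get-AllowAces $r)) {
        $canEnroll = (($ace.ActiveDirectoryRights -band $ADR::ExtendedRight) -ne 0) -and ($ace.ObjectType -in @($enrollGuid, [Guid]::Empty))
        $isFull    = ($ace.ActiveDirectoryRights -band $ADR::GenericAll) -eq $ADR::GenericAll
        if ($canEnroll -or $isFull) { Resolve-Sid $ace.IdentityReference }
    }
    [pscustomobject]@{ Template = $p['cn'][0]; EKUs = ($ekus -join ', '); CanEnroll = (($enrollers | Sort-Object -Unique) -join '; ') }
}
```

Run it from one of the Windows VMs as the foothold user. Two caveats: a template only matters if a CA actually publishes it (check the CA's certificateTemplates attribute or use certipy-ad find from Kali, which applies the same checks), and an interesting ACE on a computer only helps if the principal that holds it is one you can reach, so feed the Principal column back into your user and group enumeration rather than stopping at the first hit.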

Summary

I put a lot of late nights into both Mishky’s AD Range and the expansion. I learned a ton and got some really good Hyper-V and PowerShell Direct practice in, so even if no one else ever uses the range I still accomplished what I set out to do.

I told my buddy the other day that you haven’t really lived in IT until your screen looks like this on a Saturday night.

That’s our IaC spinning up the range again after I tested it out from Kali, found a glitch or a typo I’d made in the configs, fixed it, and am now re-building the range to test and validate it.

I’ll admit it, I am kind of proud of Mishky’s AD Range and Mishky’s free room on TryHackMe.

I only wish TryHackMe would let me create a free room with multiple VMs. I had wanted to bring Mishky’s multi domain, multi forest range that includes everything from credential dumping & spraying to DACL abuse to AD CS to TryHackMe, but alas I could not. Hence I put it on GitHub.

Bear in mind that although Microsoft is pushing Azure, Entra ID, Intune, and M365 now, about 90 to 95% of the Fortune 500 and damn near 100% of the Government/Military still run on Active Directory. Hence AD security is still vital.

References

AD attack cheat sheet: https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet

Cybersecurity certs are dead: https://cybernoweducation.medium.com/cybersecurity-certs-are-dead-c6c90d59e1ff

Rough numbers on AD usage: https://www.cyberdefensemagazine.com/top-legacy-active-directory/#:~:text=Microsoft%20Active%20Directory%20(AD)%20has,companies)%20and%20its%20security%20vulnerabilities.



Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.
