Hi, welcome. Thanks for joining. I'm going to go through and document how I built out my Active Directory set for practicing for my OSCP lab exam. As you can see here, we're sitting on our Kali box, freshly imaged. I'm not going to cover Kali, because there's plenty of documentation on how to install Kali.
We're going to have it connect through OpenVPN to an OpenVPN server. I'm not going to cover that either.
It's relatively straightforward, but if there are enough requests, maybe I can show that too as an addendum. Ultimately, after we are VPNed in, we're going to have access to the outside subnet. What I'm going to walk through now is building out two Windows workstations, Windows 10 specifically, MS01 and MS02, and our Active Directory domain controller, which will be Server 2016 or 2019 (2019, I believe).
It's going to be on the inside subnet. So without further ado, I do want to call out how I am building this out. I run my Kali box locally on my machine as a virtual machine, just like I would on the lab exam, and then I'm actually running the OpenVPN server, MS01, MS02 and DC01 all on an Intel NUC that is running ESXi, specifically ESXi 6.7, but it doesn't really matter what version, and it doesn't really matter what kind of hardware you're running it on. I just like ESXi, as it allows me to centrally manage and control all of this stuff, and it's not going to take up any of the resources on my box; they can all be allocated and dedicated to my Kali machine. So if we go over here and look at our virtual machines and just filter on OSCP, you can see I've already got my OpenVPN box running. Now we're going to start with building out MS01. It's going to be the most heavy-duty of the machines.
So we'll create a new virtual machine. If you're already familiar and comfortable with setting up a VM and installing Windows, then you can skip past all this. But for anyone that's not familiar, we're going to cover it briefly. So we'll call this OSCP-MS01, Windows 10 64-bit.
Stick it on the SSD drive. We'll give it two processors, 4 gigs of RAM and 32 gigs of hard drive space, but we're going to thin provision that because I'm stingy. Our network interface one is going to be on the outside. I like to change it and use VMXNET3, which is a little bit more efficient. We need to add a second network adapter though, because this is going to be a dual-homed machine.
Right, you can see here MS01 is going to have an interface on the outside subnet and another interface on the inside subnet. So the first interface will be outside, the second interface will be inside. Same thing, let's make that a VMXNET3. And now, of course, we need to actually have an ISO image to install from.
So let's pick Windows 10. Specifically I'm picking that build, but generally speaking it doesn't matter what build you use; it's just Windows 10. The rest of this is fine. Nice summary. Finish, go ahead and kick it off, open up the console and reboot. Yes, let's boot from the CD. Let's go ahead and make this full screen. Next, Install now.
I do not have a product key; we're just going to run on trial licenses. Let's do Windows 10 Pro, accept the terms, do a custom install and take up the whole hard drive space. We'll go ahead and let that install. I'm going to pause the recording, and we'll resume once it finishes the install. Here we can see it finished the install and it's going to reboot. Okay, now, this is pretty boring and standard. In the US, well, that's where we are.
Yep, US keyboard, skip the layout. No, I don't have internet. Continue with limited setup.
I'll just use "delete me" as a username with no password so it automatically logs in, and I'll remember to delete that account and profile before we're done. We're going to decline everything, because it just reduces the amount of tracking, data and requests that Windows makes. Now we wait for the user profile to finish being created. Okay, we have gotten to our desktop.
So first and foremost, let's do a couple of basics like installing VMware Tools. So install VMware Tools. Yes, please. Open up This PC and we'll see it mounts the VMware Tools on the CD drive here.
While it's doing that, let's go ahead and change the computer name to MS01. No, we'll reboot later. There's our VMware Tools: yes, yes, yes, yes, install.
Alright, finish, and before it does that, let's go ahead and change the display scaling for our sake. For recording, let's make that 150%. Boom, it's all big again.
And we'll reboot. Okay, so now that we're back up, let's start with our network settings. Go to Change adapter options. You can see we've got two adapters. Start with Ethernet 1. Let's check out the status to verify we're looking at the right one: the MAC ends in a2:3e. If we go here and take a look, the outside interface is a2:3e, so that looks good. So let's go to Properties, disable IPv6, edit IPv4, and this will be 192.168.100.201/24. We don't need any other settings. Just to confirm, yep, that is the outside.
192.168.100.201. Next, the inside interface is going to be 10.10.1.201. So we'll go to Properties, disable IPv6, double-click IPv4: 10.10.1.201, 255.255.255.0, if I can type. We don't need a gateway, but we are going to use our Active Directory domain controller as our DNS server once it's up. So this will be 10.10.1.200.
This guy. So we'll say OK, and OK, and our network settings are all set. Now let's do some basic settings. System Settings: to take advantage of the vulnerable software, we're going to need to disable the screensaver and disable sleep mode, and keep this thing on. Then we're going to need to play with the security settings.
We need to do this on all of them, and that is to disable Tamper Protection. So Windows Security, Virus & threat protection, Manage settings, and then we go down to Tamper Protection and turn that off, because we are going to have that tampered with. Close, and close.
Now what we need to do is add a route to our VPN subnet so that it's accessible. Let's open up our command prompt as admin. So to do that...
Let's make sure we can ping our OpenVPN server. It's going to be 192.168.100.199.
Hooray, it's there. So now let's take a look at our route table. We have no persistent routes, and we have no routes to the 172.16.11 subnet,
which is our VPN subnet here. To get there we need to go through the OpenVPN server, so let's add that route. It's going to be: route add 172.16.11.0 mask 255.255.255.0 192.168.100.199, available through the OpenVPN server. We want to make this a persistent route, so we add /p.
It tells us OK. Now we can do route print, and sure enough, there's our persistent route: 172.16.11.0 through 192.168.100.199. Alright, that looks good.
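The same MS01 network setup done in PowerShell rather than through the GUI and route.exe, as an added example that is not part of the video. It assumes the adapters are named Ethernet0 (outside) and Ethernet1 (inside); check Get-NetAdapter and adjust the aliases for your VM.

```powershell
# Added example (not from the video): configure MS01's two adapters and the
# persistent VPN route from an elevated PowerShell prompt.
# Assumption: "Ethernet0" is the outside adapter, "Ethernet1" the inside one.

$Outside   = 'Ethernet0'
$Inside    = 'Ethernet1'
$OutsideIP = '192.168.100.201'   # MS01 on the outside subnet
$InsideIP  = '10.10.1.201'       # MS01 on the inside subnet
$DcDns     = '10.10.1.200'       # DC01, used as DNS once it is up
$VpnNet    = '172.16.11.0/24'    # OpenVPN client subnet
$VpnHop    = '192.168.100.199'   # OpenVPN server's outside interface

foreach ($alias in $Outside, $Inside) {
    # Disable IPv6 on both adapters, as done in the GUI.
    Disable-NetAdapterBinding -Name $alias -ComponentID 'ms_tcpip6'
    # Drop DHCP and any previous IPv4 address before setting ours.
    Set-NetIPInterface -InterfaceAlias $alias -Dhcp Disabled
    Remove-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 `
        -Confirm:$false -ErrorAction SilentlyContinue
}

New-NetIPAddress -InterfaceAlias $Outside -IPAddress $OutsideIP -PrefixLength 24 | Out-Null
New-NetIPAddress -InterfaceAlias $Inside  -IPAddress $InsideIP  -PrefixLength 24 | Out-Null

# No default gateway on either adapter; DNS only on the inside one, pointing at DC01.
Set-DnsClientServerAddress -InterfaceAlias $Inside -ServerAddresses $DcDns

# Route to the VPN subnet via the OpenVPN server. New-NetRoute writes to both the
# active and persistent stores by default, so this is the equivalent of
#   route add 172.16.11.0 mask 255.255.255.0 192.168.100.199 /p
New-NetRoute -DestinationPrefix $VpnNet -NextHop $VpnHop -InterfaceAlias $Outside | Out-Null

# Verify: the route survives reboot (persistent store) and the OpenVPN server answers ping.
function Test-Ms01Network {
    [pscustomobject]@{
        PersistentRoute = [bool](Get-NetRoute -DestinationPrefix $VpnNet `
                              -PolicyStore PersistentStore -ErrorAction SilentlyContinue)
        VpnServerReachable = Test-NetConnection -ComputerName $VpnHop -InformationLevel Quiet
    }
}
Test-Ms01Network
```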
So at this point we are ready. Oh, we need to create a local user.
A couple of ways to do that, but let's just right-click on This PC, say Manage, open up Computer Management, Local Users and Groups, and create a new user called Lucy. Let's make the password something easy; it doesn't really matter.
So password123, and password never expires. Okay, Lucy is just going to be our local, low-privilege user.
Alright, now we're at the point where we're ready to start moving some software over and installing it on here. To do that, we're going to use our Kali box to transfer it, because this machine is not connected to the internet. Let's do that.
Oh, we can go ahead and eject this. So a couple of things we need: we need some vulnerable software. Our Kali box does have internet, via another interface coming off it that you can't see. Let's go to Exploit-DB. I like to pick on something that is going to have an app, so let's filter on "has app". We need a remote exploit.
We need something for the Windows platform. Let's just take a look. So we've got some verified ones.
Let's take a look at the second page. Yeah, I like this Remote Mouse 3.008 arbitrary remote command execution. So let's pick on that. Let's just download that vulnerable app.
Then we are going to need something for privilege escalation. Let's make that something different. Same thing, has app.
And I like to do something with an unquoted service path. Let's see what pops up here. Wise Care.
Okay, Wise Care, I believe, has a longer path and we can abuse that. So this one works well. Let's use this guy. We're also going to need a few pieces of software, like a web server, so let's download XAMPP.
It's an easy one. Go ahead and download that and use that. We're also going to need Autologon from Sysinternals.
So let's download Autologon as well. We're going to need MS01 and MS02 to have some auto-logged-on users. Okay, now let's stage those files.
We'll open up a command prompt, zoom this in a bit, go to the desktop and make a directory called AD setup, and in here let's move the downloads. Let's see if they're all done. They are.
Great. Alright, got it all over here, and now we need to connect. So I'm going to connect to our OpenVPN server, which is 192.168...
Well, from here it'd be a 10 address; this is the outside interface that's not on the diagram, the one I VPN into. So that is .199, and the OSCP profile. We're going to download the auto-login profile, and there's our OpenVPN profile. Great. Let's open up a new instance, because we're going to run OpenVPN and then move it to the background. Actually, let's just go to our Downloads, which is going to get deleted anyway, and run OpenVPN. And here, sure enough, we can see the address that gets added to our tunnel interface is 172.16.11.11. We'll minimize that. As you can see, that's our 172.16.11.11.
So now we should be able to get to MS01, and more importantly, MS01 should be able to get to us. I like to use Impacket's smbserver just because it makes things easy and it's more Windows-native.
We'll add SMB2 support, call the share setup, and share this directory. Alright, now that we're staged and set to hand all those files over, let's do that. We can just go up here to the address bar: \\172.16.11.11. There's our setup folder, there are our files. We'll copy, and let's not go to Downloads; let's go to the C drive, create a new folder called setup, and paste them in there. Okay, now let's install some of these.
Let's start with XAMPP. That's a hefty one. We don't need all of the pieces in here, so we're just going to install the essentials. Yeah, go ahead.
Bypass or disable UAC. It's always good security. We don't need MySQL or FTP or Tomcat or Perl.
We can leave phpMyAdmin. That's fine. Next, install into C:\xampp.
So not in Program Files, which is not ideal, but that's fine; it doesn't matter for our purposes here. While that's running, let's extract Autologon.
Can't say that properly. Don't need to show them. I'll delete that. We really only need
Autologon64, the ideal one, since everything here is 64-bit. So we'll move that out here and delete the rest.
This thing's still installing. Alright, looks like it's finishing. This is where we can enable access by poking holes in the firewall. Yes, definitely do that; otherwise it's a web server that's only available on localhost. Once this finishes...
Okay, no, I don't want to start it. Actually, I'll show you why you can say no. If you do say yes, it's going to open up, and you're going to notice that these options are disabled, because it didn't open as an admin. So we want to close it, then right-click it, say More, and Run as administrator. Yes, please. Now you'll see there's a red X. We can click on that, and it says, yep, do you want to install this as a service? We do. So now it says it's a service. Just for giggles,
let's make sure it runs. Yes, it does. Process ID and ports. And just for giggles, actually, let's... actually, no, that's fine.
We'll leave this. Never mind. We're not going to touch that; we'll leave it as is. So now that that's all set, we can install the rest of the software.
So let's install the Remote Mouse software. Just double-click on that. Yes.
Okay. Yes. And it's amazingly simple and easy to install.
No, we don't need any instructions. We know what we're doing. Then let's install Wise Care.
Yes. In this case we're going to actually say custom install. We're going to show one of the reasons why you don't install to non-default, non-Program Files locations: by putting it in Apps it's even easier to take advantage of and exploit, because it's more open on permissions. I'm going to say install, and sure, you can launch it.
We're not going to actually do anything with it, but we just want to make sure it's there. Okay. That looks good.
At this point, we can delete the Wise Care installer. We can actually delete the XAMPP installer as well. We don't need that.
The Remote Mouse installer, however, we're going to rename to make it a little bit more ambiguous. We'll just leave it as this hash here. Then we'll say cut, and we're going to relocate it up into the web server.
It's going to be part of our discovery process. So htdocs, and then we'll create a folder called uploads, which is a word in common.txt as well as many other wordlists that DirBuster will use, so they'll find it there. So now we know that once that file is found, it'll reveal a vulnerable application that we might be able to take advantage of. All we're left with is Autologon, which we will configure later. At this point, we are ready to join this to the domain once the domain has been created.
So we'll return to this once we are ready with the domain controller. Oh, I stand corrected. We have one more thing to do, which is actually more of a reliability thing.
Go back to Computer Management, Services, and... where is it?
There we go, our Wise Boot Assistant. This generally will work just fine on local connectivity. I did notice every once in a while it can be problematic over VPN, just for timing. If we change this from Automatic to Automatic (Delayed Start), that's been much more reliable in some testing. So we're just going to make that last change to the service.
It may not be necessary for your environment, but just for reliability and stability, that seems to make things a little bit easier. Now this thing is ready to be joined to the domain. Now that we've finished up with MS01, we're ready to build our domain controller, so we have a domain to join these machines to.
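The last MS01 staging steps (moving the renamed installer under the web root, setting Wise Boot Assistant to delayed start) in PowerShell, plus the check a reviewer would run to confirm the unquoted-service-path misconfiguration is really present. This is an added example, not code from the video; it assumes XAMPP is in C:\xampp, the renamed installer is in C:\setup, and the service's display name starts with "Wise Boot Assistant".

```powershell
# Added example (not from the video): finish staging MS01 from an elevated prompt.
# Assumptions: C:\xampp is the XAMPP root, C:\setup holds the renamed installer
# (its new name is whatever you chose), and the Wise service display name
# begins with "Wise Boot Assistant".

# 1. Put the renamed Remote Mouse installer under htdocs\uploads. "uploads" appears
#    in common wordlists, so directory brute-forcing during discovery will find it.
$installer  = 'C:\setup\REPLACE-WITH-RENAMED-INSTALLER.exe'   # placeholder
$webUploads = 'C:\xampp\htdocs\uploads'
New-Item -ItemType Directory -Path $webUploads -Force | Out-Null
if (Test-Path $installer) { Move-Item -Path $installer -Destination $webUploads }

# 2. Wise Boot Assistant -> Automatic (Delayed Start) for reliability over VPN.
#    Windows PowerShell 5.1's Set-Service has no delayed-start option, so use sc.exe.
$svc = Get-Service | Where-Object DisplayName -like 'Wise Boot Assistant*' | Select-Object -First 1
if ($svc) { sc.exe config "$($svc.Name)" start= delayed-auto | Out-Null }

# 3. Audit: list services whose binary path is unquoted and contains a space,
#    the condition Wise Care introduces here. The same query is what you would run
#    on a production host to find and fix this class of misconfiguration.
function Get-UnquotedServicePath {
    Get-CimInstance Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^"' -and
            (($_.PathName -split '\.exe')[0]) -match ' '
        } |
        Select-Object Name, DisplayName, StartMode, PathName
}
Get-UnquotedServicePath | Format-List
```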
So let's create a new virtual machine. In this case we'll call it OSCP-DC01-Windows. We'll be doing Windows Server 2016 or later.
Stick it on the SSD again. Same thing: two processors, 4 gigs, a little bit more hard drive space, still thin provisioned because Darren is stingy. We're going to change the network adapter to VMXNET3.
It's still just going to be on the inside, though. We'll choose Datastore ISO file. You can also just mount yours.
I'm going to pick this image and this build of Server 2016. We'll say Next and Finish, and then let's run this bad boy. I'll make this full screen. Similarly, you can skip ahead if you're familiar with installing Windows Server; otherwise you'll see we install Server 2019 and go through the same process that we did with the Windows 10 workstation. Make sure you choose Standard Evaluation (Desktop Experience); otherwise you're going to be left with Core, which is basically just a command shell. Next, custom, take the whole space, and let it install.
We'll return after the reboot, when it's ready to prompt us. The first thing it's going to prompt us for is, of course, credentials. Now we're doing the reboot. Okay, as promised, here we go. The first thing it wants is a domain administrator, well, a server administrator password. So I'm going to go with a Lego theme.
So let's use Brickmaster. Alright, let's log in. The first thing we're going to do is some configuration, like changing that hostname to DC01. Restart later, because before we restart, we would like to install VMware Tools as well.
Yes and yes and yes, and please install it all. Similarly, let's change our resolution. Well, let's keep our resolution; let's change the scale to 150%, easier visibility for everyone. Yes, let's restart. Now that we're back up,
let's log in once more. Good old Brickmaster. Can you guess what we're going to do next? If you guessed set some IP settings, you guessed correctly.
So right-click, Open Network & Internet settings, Change adapter options, right-click, Properties, disable IPv6, edit IPv4: 10.10.1.200/24, and here we're going to set DNS to itself, the loopback address. We're good there. So what's next?
Let's promote this bad boy. Let's give him a job. He needs to do something other than just eat up compute power and electricity.
So we're going to choose DC01, the only server we have here. Actually, no, before we do that: it hasn't picked up on the IP change. So just because of that, let's restart one more time.
From a domain controller standpoint, if you don't have the right IP in there or the right DNS name, that can sometimes hose things. So just for giggles, we're going to reboot one more time and make sure that it shows the proper IP address.
Back up. Okay, now let's go to Add Roles and Features. Let's try this again.
Yep, there we go, 10.10.1.200, that's what I like to see. We're going to add Active Directory Domain Services. Next, next, next, restart if needed, which it won't be, but we'll give it the option. Who knows, you might have a different experience. Okay, it finished: configuration required, installation succeeded, and sure enough it tells us
we need to promote this server to a domain controller. Well, thank you. I think I'll do just that.
We're going to add a new forest called, in this case, oscp.lab. It's going to ask us for the Directory Services Restore Mode password we want to set; I'm just going to use good old Brickmaster as well. Next. Here it's going to search: does anybody have the OSCP NetBIOS domain name?
It's going to wait for a response, and once it does not get one, it'll say, okay, cool, I'm going to take it. The default paths here are good.
Prerequisites check, and sure enough, we pass. Click Install to begin.
Thank you, I think I will. Let it do the install; once it's done it will reboot on its own, and we'll pick up where it leaves off with a freshly installed Active Directory domain controller asking us to log on as administrator at oscp.lab.
Sure enough, just as promised, it tells us we're going to be rebooting and logging you out. Sure enough it does just that, and we're up. Let's log in as the domain admin with our favorite password.
Now one of the things we're going to do is start by creating some users. So we'll go in here to Active Directory Users and Computers. Actually, you know what?
Let's start with Group Policy. So go to Group Policy Management. There are a couple of basic things we need to fix on our machines as we join them to the domain.
If you're not familiar with Group Policy, it's just a way of centrally managing computer and user settings on all your machines. Here are all of our Group Policy Objects; we've only got two. We're going to create a new one and link it here.
We'll call it OSCP lab policy. Yep, that's fine. Let's edit that policy. Here's the configuration: expand Computer Configuration, Policies, Windows Settings, no, I'm sorry, Administrative Templates, Windows Components. Let's go here to Windows Update, Configure Automatic Updates. We're going to set that to Disabled.
Down here it says, if you set this policy to Disabled, any updates that are available on Windows Update must be downloaded and installed manually. That's what we want; we do not want it to keep calling home. So that's now disabled. The other one is Microsoft Defender Antivirus, Real-time Protection, Turn off real-time protection.
We're going to set that to Enabled. Sounds kind of weird: we're enabling turning off real-time protection.
So basically we're turning it off. That's the fundamentals we need there. That way AV doesn't get in the way, because that's not part of the OSCP; bypassing antivirus would be part of the OSCE.
So now we've got a group policy applied to the whole domain, so it'll affect everybody. We can close this. Now we're ready to start creating some users. So we'll open up
Active Directory Users and Computers. You saw I did that here: Tools, Active Directory Users and Computers. From in here, let's expand our Users folder.
You can see here we have our list of default built-in users and groups. Put our users on top. See, we only have two users.
Guest is disabled. Administrator is baked in. We're going to add a bunch.
We're going to stick with the Lego theme. I have a PowerShell script that I put together to just make my life a little easier. We're going to stage that back on our Kali box, transfer it to MS01 and then over to DC01, since we kind of have to move our way in again: put it on Kali, stage it on MS01, and then transfer it over to DC01. So let's create this real quick. Let's just do a new tab.
Normally I would split vertically, but we don't need to do that here. This is where we're staging our data, and we already have a share to this.
We can just say nano userAdd.ps1, and I'm going to just copy and paste. The problem is I can't copy and paste this directly into DC01; otherwise I would.
Those are the limits of running virtual machines on a distant host. So paste clipboard; because I'm running Kali locally on my machine, I can share the clipboard. Here's our list of users we're going to create and their passwords. Some of them are in rockyou; most of them are not.
So some of these will be easily crackable and some of them are not, just like you'd expect on the exam. We'll save that, and now we can go back over to MS01. Let's go back to \\172.16.11.11\setup, userAdd.
Copy that here. Let's share this, and then from there you should be able to copy it on over. So let's go up here: 192, nope, this will be \\10.10.1.201. Because it's not on the domain yet, we're going to have to do .\ for the user.
Actually, this will be MS01\. Let's use the Lucy account, password123. "Delete me" won't work because it doesn't have a password set.
We'll say OK. Sure enough, it lets us in. Copy, paste, and let's open up PowerShell as an admin. Go to setup and run userAdd. Let's see if I butchered it or if...
Nope, looks like it worked. Theoretically it should have added 1, 2, 3, 4, 5, 6, 7, 8, 9 accounts. If we go back here to our users and refresh, we have all nine accounts.
Looks good! Now let's set some of these accounts up to be compromised. We can do that by... well, first of all, let's organize this actually.
So let's do New Group. Call this one Service Accounts, because those definitely exist quite a bit in production. Members, Add, SVC IIS, Check Names.
It does exist. Okay. So we've added SVC IIS as a Service Accounts group member.
Let's create another group, and let's call this IT Admins, because IT admins are always special people. Members, Add.
Let's add Emmet. And let's add, we'll do a semicolon, Lord Business. Let's do Lord; that should autocomplete.
Check Names. Yes. One other thing: Lord Business is also going to be a member of... da-da-da!
Domain Admins. He's going to be our path to compromise here. Alright, now we need... how about an AS-REP roastable account?
Let's pick on the Metal Beard account to make him AS-REP roastable. Just tick "Do not require Kerberos preauthentication". Yeah, we don't need that; it's backwards compatible. Finally, let's make a Kerberoastable account.
So let's do Set-ADUser. I know capitals don't always matter, but we'll be picky here. SVC IIS, let's add a service principal name.
Boy, I hope I spelled that right. At, open bracket, Add equals. Now we do our quotes.
Let's make it an HTTP service principal name. Then it can be anything we want; I'll just call it webserver. You could call it bogus, doesn't matter.
oscp.lab. Then let's close that. What?
Service Prince... Of course, it's because I can't spell. See, I told you I'd misspell it.
Principal. Boom. Now let's double-check that with setspn -L on SVC IIS. There it is. We have an SPN.
So now this is considered a service account by the fact that it has a service principal name attached, which means we can play at Kerberoasting. At this point, Active Directory is good to go.
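The DC01 configuration from the Group Policy section and the user/group section above as one script, run on DC01 as a domain admin. This is an added example and not the video's own userAdd.ps1 (which is not shown); the sAMAccountNames, the two Group Policy registry values and every password are my assumptions or constructed placeholders. It ends with the queries a defender would run to confirm which accounts are AS-REP roastable, carry an SPN, or sit in Domain Admins.

```powershell
# Added example (not the video's userAdd.ps1): provision the oscp.lab pieces on DC01.
# Assumptions: sAMAccountNames below, NetBIOS name OSCP, and placeholder passwords.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain   = 'oscp.lab'
$DomainDN = 'DC=oscp,DC=lab'

# --- Group Policy: "Configure Automatic Updates" = Disabled,
#     "Turn off real-time protection" = Enabled (registry values those settings write) ---
$gpoName = 'OSCP lab policy'
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $DomainDN | Out-Null
}
Set-GPRegistryValue -Name $gpoName -Type DWord -Value 1 -ValueName 'NoAutoUpdate' `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' | Out-Null
Set-GPRegistryValue -Name $gpoName -Type DWord -Value 1 -ValueName 'DisableRealtimeMonitoring' `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' | Out-Null

# --- Users (constructed list; replace the placeholder passwords with your own) ---
$Users = @(
    @{ Sam = 'emmet';         Name = 'Emmet';         Pass = 'PLACEHOLDER-emmet'    }
    @{ Sam = 'lord.business'; Name = 'Lord Business'; Pass = 'PLACEHOLDER-business' }
    @{ Sam = 'metalbeard';    Name = 'Metal Beard';   Pass = 'PLACEHOLDER-beard'    }
    @{ Sam = 'svc_iis';       Name = 'IIS Service';   Pass = 'PLACEHOLDER-svc'      }
)
foreach ($u in $Users) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($u.Sam)'")) {
        New-ADUser -SamAccountName $u.Sam -Name $u.Name `
            -UserPrincipalName "$($u.Sam)@$Domain" `
            -AccountPassword (ConvertTo-SecureString $u.Pass -AsPlainText -Force) `
            -Enabled $true -PasswordNeverExpires $true
    }
}

# --- Groups and memberships ---
foreach ($g in 'Service Accounts', 'IT Admins') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security
    }
}
Add-ADGroupMember -Identity 'Service Accounts' -Members 'svc_iis'
Add-ADGroupMember -Identity 'IT Admins'        -Members 'emmet', 'lord.business'
Add-ADGroupMember -Identity 'Domain Admins'    -Members 'lord.business'   # the path to DA

# --- AS-REP roastable: Metal Beard does not require Kerberos preauthentication ---
Set-ADAccountControl -Identity 'metalbeard' -DoesNotRequirePreAuth $true

# --- Kerberoastable: an HTTP SPN on the service account ---
Set-ADUser -Identity 'svc_iis' -ServicePrincipalNames @{ Add = "HTTP/webserver.$Domain" }

# --- Verify: the same three queries an AD review would use to find these weaknesses ---
function Get-LabWeakAccounts {
    [pscustomobject]@{
        NoPreAuth    = (Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true }).SamAccountName
        WithSPN      = (Get-ADUser -Filter { ServicePrincipalName -like '*' } `
                            -Properties ServicePrincipalName |
                        Where-Object SamAccountName -ne 'krbtgt').SamAccountName
        DomainAdmins = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName
    }
}
Get-LabWeakAccounts
```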
There's one last thing that we want to make sure and do, and that is to create the password file for the IT admins. So we're going to create a share; we'll call it backups. Let's share this folder.
Everybody gets share permissions, because the security (NTFS) permissions are really what matter. We'll go to Advanced. Not everybody's going to have access to this, because it's going to be a little bit secured, right? So let's disable inheritance.
We can convert them to explicit permissions. Say OK. Click on Edit, and let's remove Users. But let's add the Service Accounts group that we made.
Service Accounts can have Modify permissions; for a backup share that would make sense. Then what we need to do on here is create some type of a password file. We're just going to use a text file with credentials in it and zip it up in a password-protected zip file, but you could just as easily use something else: a password-protected Word file or PDF, or a KeePass database. There are a number of options. You're going to want to stage this once again on Kali and then transfer it over. To do that, we're going to leak Emmet's credentials, but we've got some other ones we can provide just to add some confusion, a little bit of uncertainty. So we'll call this it-users.txt. Alright, so we've got some fake accounts in here, and one real account with the correct password.
Let's save that. Now let's zip it. So we'll say zip --password, I believe that's the flag.
Sticking with the theme, we'll use brick. I know this is a password that's in the rockyou text file, so again it should be easily crackable.
We'll call it itusers.zip, and we're going to include the itusers.txt file inside of it. Boom, done. Just to test it, we'll say 7z t itusers.zip.
Now it asks for a password. Great. What happens if we put in a bad password, so an empty one? You get an error.
What happens if we give it the right password, t.brick14? Everything is OK.
So it looks good. Let's remove itusers.txt; that just leaves us with the zip file. Once again we can go back to MS01, copy the zip file and put it into our setup share. I'm going to delete that, and then we can go back to DC01. Sure enough, we go back to our share, \\10.10.1.201, there's our itusers.zip file, and we'll drop that into, oops, that should not go into our setup. Cut.
We want to put that in backups. There it is, itusers.zip. We can turn on show file name extensions. Okay, so now DC01 is good to go. It has a path to compromise, which is that share.
If we want, we can go to C:\setup; we do not need that anymore, so let's delete that as well, and make sure the Recycle Bin is empty.
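The backups share as configured above, done in PowerShell: share permissions open to Everyone, NTFS inheritance disabled, the Users entries removed and Modify granted to the Service Accounts group. This is an added example, not code from the video; it assumes the folder is C:\backups, the NetBIOS domain is OSCP, and itusers.zip has already been copied in.

```powershell
# Added example (not from the video): build the backups share on DC01 from an
# elevated prompt. Assumptions: C:\backups, NetBIOS name OSCP, group "Service Accounts".

$Path  = 'C:\backups'
$Share = 'backups'
New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Share-level permissions: Everyone (the gating happens at the NTFS layer).
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Path -FullAccess 'Everyone' | Out-Null
}

# NTFS step 1: disable inheritance, converting inherited entries to explicit ones.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)   # $true,$true = protect and copy existing rules
Set-Acl -Path $Path -AclObject $acl

# NTFS step 2: drop the broad BUILTIN\Users entries, add Modify for Service Accounts.
$acl = Get-Acl -Path $Path
foreach ($rule in @($acl.Access | Where-Object { $_.IdentityReference -like '*\Users' })) {
    $acl.RemoveAccessRule($rule) | Out-Null
}
$svcRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'OSCP\Service Accounts', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($svcRule)
Set-Acl -Path $Path -AclObject $acl

# Verify: effective explicit entries on the folder. Expect SYSTEM, Administrators,
# CREATOR OWNER and OSCP\Service Accounts, and no BUILTIN\Users entry.
function Get-BackupsAccess {
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}
Get-BackupsAccess | Format-Table -AutoSize
```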
Alright, DC01 is all set. Now we're ready to join the machines to the domain. Now that we've got MS01 and DC01, let's do MS02. Keep this thing rolling. So create...
OSCP-MS02, Windows 10, SSD, two CPUs, thin-provisioned hard drive, 4 gigs, the OSCP inside network, but change the network adapter, and Datastore ISO file for me, and we're going to pick Windows 10, a different build this time. Finish. There's MS02.
Let's kick it off and get this full screen. Same thing: skip ahead if you think you remember how to install Windows 10; otherwise, watch along.
Next, Install. I don't have a key. Windows 10 Pro. I agree to your silly terms. I do a custom install, and I say take all the hard drive space.
Let it push the files, expand them and install. We'll come back after it reboots and is asking us for the next step. Okay, once again, we're in the US.
US keyboard, skip additional layouts. I don't have internet. Limited setup. "Delete me", no password, no on everything, thank you for asking. Alright, we made it to the desktop.
Let's change the computer name to MS02 and install our VMware Tools. Next, next, install. Sure enough, finish, and let's change our display to 150%, and yes, we'll reboot, because we're overachievers.
And we're back. Let's set our IP settings. Change adapter options, right-click, Properties, disable IPv6, modify IPv4: 10.10.1.202/24, and DNS is 10.10.1.200.
Good old DC01. We can confirm that shortly. Let's also change a couple of settings here once again: let's get rid of the screensaver and power saving, and let's also turn off Tamper Protection, which on this build might already be disabled. Sure enough, it is.
Okay, so that is all set. At this point we're ready to join this to the domain. So right-click, Properties, Change settings, Change, Domain.
In this case, we'll say oscp.lab. OK. It prompts: give me some admin credentials to join you. We'll use our administrator and Brickmaster to join this to the domain. Welcome to the domain.
And restart. Okay, and we're back. I'm going to log back in as deleteme. So at this point what we need is the autologon, so we should be able to go to MS01 by DNS name now. No permission, of course, because we have a blank password. So to get around that, let's use the Lucy account. So let's do cmd, net use x: \\192... actually we can just say \\MS01\Setup. It doesn't like that, I believe. Yep, there it is. So we can do /user:MS01\lucy password123. There we go, completed successfully. So now, it's not going to show up here as Lucy, so we can do dir x: and we can say copy x:\Autologon to... actually we need a place to put it. There, it showed up: X drive, Setup. Sure enough, there it is. Double click, yes, we agree.
We want it to autologon as Lord Business, part of the oscp.lab domain. And what was his password? His pass... oh yes, his password was Taco Tuesday. See if that worked. Nope, that was not right. Okay, try that again. Taco... Tuesday. It does not like that. I like that one though. Okay, third time's a charm. So now that should autologon as Lord Business, who actually happens to be a domain admin, so he'll have full admin privileges on here as well. And one other thing we want to do to make this vulnerable is... actually, we'll do it after it reboots.
So we need to add IT Admins as local administrators. So let's go ahead and reboot. All right, we're live, logged on as Lord Business. Let's go ahead and increase our screen resolution; well, there's scale 150. And also need to add... go here to Manage the PC, and then we're going to need to add the IT... oops, Local Users. So we're gonna go to the local groups, open up local Administrators, we're gonna add... it's already set to oscp.lab, the IT Admins group. Check Names, boom. Okay. So now IT Admins will also be able to compromise, in this case, the machine MS02. At this point, we're ready to move back to joining MS01 to the domain and getting it established. So I think the last thing we need to do to clean this up is right-click and go to Properties, Advanced System Settings, and User Profiles, click on Settings, and let's delete deleteme.
We do not need that account anymore, or that profile. This just deletes the profile data. And then after that, we can actually go right back to Manage, Local Users and Groups, and delete deleteme. Yes. Okay.
So now if we go to the C drive, Users, there is no deleteme profile, there is no deleteme account, it is gone. Oh, one thing, let's go back actually. One thing we need to do is on the C drive, back on here, Setup, we need to enable a share, and this will be something we can take advantage of later. When we exploit this we want to be able to leverage SMB.
So let's go ahead and just share the Setup folder. Permissions can be Everyone, that's fine. Or Full for Everyone.
There we go. That's all we needed to do. So now we actually have a share.
And the firewall will enable that as well. All set. MS02 is ready to go.
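As an added check (not from the video), here is a PowerShell audit that reports the deliberate weaknesses just configured on MS02: the autologon Winlogon values, a domain group nested in local Administrators, and a share granting Everyone more than Read. The group and share names come from the video; the script itself is mine and should be run from an elevated prompt on the workstation being checked.

```powershell
# Added audit (not part of the video): report the deliberate weaknesses configured on MS02.
# Run from an elevated PowerShell on the workstation being checked.
function Get-LabWeaknesses {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Autologon. Sysinternals Autologon keeps the password as an LSA secret, so normally only
    #    AutoAdminLogon and DefaultUserName appear here; a DefaultPassword value means the password
    #    was stored in plaintext in the registry, which is worse.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($wl.AutoAdminLogon -eq '1') {
        $msg = "Autologon enabled for $($wl.DefaultDomainName)\$($wl.DefaultUserName)"
        if ($wl.DefaultPassword) { $msg += ' with plaintext DefaultPassword' }
        $findings.Add($msg)
    }

    # 2. Domain groups nested in the local Administrators group (the video adds IT Admins).
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.ObjectClass -eq 'Group' -and $_.PrincipalSource -eq 'ActiveDirectory' } |
        ForEach-Object { $findings.Add("Domain group in local Administrators: $($_.Name)") }

    # 3. Non-administrative shares where Everyone has more than Read (the video's Setup share).
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name |
            Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessRight -ne 'Read' } |
            ForEach-Object { $findings.Add("Share $($_.Name) grants Everyone $($_.AccessRight)") }
    }

    $findings
}

Get-LabWeaknesses | ForEach-Object { Write-Warning $_ }
```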
And we're back on MS01. Looking at... let's clean up and delete our IT users zip file; that should not be on MS01 at all. Let's go ahead. See, we are currently still logging on as the local deleteme account.
So at this point, let's go ahead and join this to the domain. So let's say right click, Properties, Advanced System Settings, Computer Name, Change, Domain: oscp.lab, of course. So if you have a general network error, for the most part it just means you need to restart. So let's go ahead and restart. Try that again when it comes back up. All right, so now we have gotten it rebooted.
Still logged on as deleteme. Let's go ahead and try changing our name. So right click, Properties, Change Settings, Change, Domain: oscp.lab, and sure enough it prompts us for credentials. So the domain Administrator and good old brick master.
Yes, lets us on. Okay, and see, Restart Now. And we're back.
Let's go ahead and log on once more as deleteme, because we're not done with deleteme yet. Alright, so we're logged on as deleteme.
We are joined to the domain. There are a couple of things we have left to do. One, first of all, let's go ahead and leave some breadcrumbs.
So if we go to the C drive and Users, we'll notice there's just a good old deleteme account. We need to create some breadcrumbs for lateral movement. For that we're going to use good old PowerShell. So, I like using PowerShell history sometimes. I always look for it.
It's a great wealth of information if you can find something in a CTF. So, here let's go ahead and run this as admin. Actually, I guess it didn't really matter.
Because what we're going to do, we don't have to run it as admin. We're going to say runas /user:oscp\wildstyle. What are we going to run? PowerShell. It prompts us for credentials, the Awesome24! password, and sure enough, here.
We opened up PowerShell running as wildstyle. whoami? wildstyle. Now, let's go ahead, do a quick ipconfig, let's say hostname. Now, let's leave a breadcrumb.
So let's say we wanted to PS Remote or do a PSSession into another box, right? For example, we can do $password = ConvertTo-SecureString, here's our password,
-AsPlainText -Force, please. Great. Now let's create a $cred variable; that's going to be a New-Object. Oh, get out of my way. What kind of object is it? It's going to be a System.Management.Automation.PSCredential. Who is it?
It's wildstyle. Is that a DJ? And password. Oops.
$pass, for our variable. That looks good, yep, and then Enter. This will not work, but we're just using it as the example breadcrumbs. So -ComputerName: we're going to try and PSSession into a non-existent machine called MS03 using our credentials, and sure enough, failed: WinRM cannot process the request, verify that the computer exists on the network and that the name is spelled correctly. Cool, that's it. Exit. We now have breadcrumbs. So if we look at Users, sure enough there's wildstyle, and if we go to... let's just go into wildstyle, dir *.txt.
There it is. And there it is. That looks good to me. I guess one thing we could change is we can get rid of that. Save it, there we go. All right. Okay, now we need to start leaving some breadcrumbs. To do this, though, we're going to need to enable the local Administrator account. Whoops. So let's right-click, Manage, because we want to get the profile created. Local Users: we're going to go ahead and enable the local Administrator account. Okay, so we're gonna have to right click and say Set Password first. I'm just gonna set it to good old password123, super top secret. And now let's go ahead and re-enable it so we can use that to create some breadcrumbs and do some cleanup.
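As an added example (not from the video), here is the scan a defender would run to find exactly the kind of breadcrumb just planted: PSReadLine console history files that contain an inline ConvertTo-SecureString password, a hand-built PSCredential, or a net use line with a password on it. The C:\Users root and the PSReadLine history path are the Windows defaults; the regexes and the function name are my own.

```powershell
# Added example (not part of the video): find PowerShell console history files that record
# plaintext credentials, like the ConvertTo-SecureString/PSCredential breadcrumb left for wildstyle.
# Run from an elevated prompt so every profile under C:\Users is readable.
function Find-CredentialBreadcrumbs {
    param([string]$UsersRoot = 'C:\Users')

    # Default PSReadLine history location, relative to each user profile.
    $historyRelPath = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'

    # Command shapes that normally carry a secret typed at the console (Select-String is case-insensitive).
    $patterns = @(
        'ConvertTo-SecureString\s+[^$\s]\S*\s+-AsPlainText', # literal password converted inline (not a $variable)
        'System\.Management\.Automation\.PSCredential',      # credential object built by hand
        '-Credential\s+\(',                                   # inline (New-Object ...) credential argument
        '\bnet\s+use\b.*\s/user:\S+\s+\S+'                    # cmd.exe share mapping with the password on the line
    )

    Get-ChildItem -Path $UsersRoot -Directory | ForEach-Object {
        $profileName = $_.Name
        $historyFile = Join-Path $_.FullName $historyRelPath
        if (-not (Test-Path $historyFile)) { return }   # skip profiles that never ran PowerShell

        Select-String -Path $historyFile -Pattern $patterns | ForEach-Object {
            [pscustomobject]@{
                Profile = $profileName
                Line    = $_.LineNumber
                Command = $_.Line.Trim()
            }
        }
    }
}

# Review the hits, then clear or delete the offending history files.
Find-CredentialBreadcrumbs | Format-Table -AutoSize
```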
The other thing we're going to do, since we have Lucy there, we are ready to do autologon. So let's go ahead and go to Setup, run Autologon, yes, as Lucy. The domain is MS01 because it's a local account. Use our password123, yes. Okay, so now we'll autologon as Lucy when we reboot.
But we have our local Administrator. So let's go ahead and sign out and log on as the local Administrator. So .\, you'll see it changes it to MS01. Administrator.
And the reason for this is I don't want it to... cache the domain admin credentials. So I want to be able to do this with the local admin.
Okay, same as usual. No, no, no, no, no. And display.
For everyone's sake, let's go back to 150. Okay, now at this point, we are logged on as the local admin. Go to C drive, Users, sure enough there's an administrator account. Great.
So now we can start dropping in our proofs and cleaning up everything. So let's go ahead and reboot this machine, because we need to clear out the cache so we can delete the deleteme profile in Users. Okay, and... now we're logged on as Lucy. Same thing, display settings, 150%.
Okay, this is just a limited local user, so immediately we're going to want to switch users. Go back to our .\Administrator local admin account. And now we're going to go ahead and delete the deleteme account and create our local.txt and proof.txt files. So right click, Properties, Advanced System Settings, User Profiles, delete deleteme.
Then right click, Manage, Local Users, Users, delete deleteme. All right, then at this point we're ready to create some loot. So if we go back to our Kali box, there's a relatively easy way to do this. So let's go ahead and clear the screen. So echo $RANDOM. Every time you do an echo on $RANDOM it will generate a new number.
So let's echo that into md5sum and that will give us a number. Now what's funny is if we do this again, it'll give us the same thing, because it gives it the same number. You have to actually say echo $RANDOM again for it to change the number and give you a new MD5 sum. So kind of funny, kind of weird, but a little quirky. So what we're going to do is take this one, copy, echo.
We're going to echo that into local.txt. Go, paste selection, proof.txt. Let's go ahead and grab both of those. So from here... actually, you know, let's just generate them all. Let's go ahead and generate all of them. So we'll just do echo $RANDOM again, md5sum that, and echo $RANDOM again, md5sum that. So we'll grab this one, echo into proof2.txt; how about... yeah, proof2.txt, and echo proof3.txt. So you can see we've got three proofs and one local. And if we... let's go ahead and cat *.txt. Sure enough, we can see all four are different. So we go back to MS01
as the local admin, go back here to our Setup, let's grab all four of these, copy them over. So, well, first of all, let's look at the file name extension. local.txt, that can go under Lucy's profile, go under her Desktop, and then proof.txt can go to the Administrator Desktop. That's why we want that local administrator. proof2 and proof3 are going to go to MS02 and DC01. So to do that, let's go ahead. MS02. We're logged on as Lord Business, who is a domain admin.
So let's go ahead. You can do this in command prompt, net use. Don't know why I used net use.
It should have been dir. Oh, really? Yeah, okay, did we stop sharing? Let's take a look here. Still shared with Everyone. A little odd. I guess just for giggles we can stop this share and do it again. There we go.
That was weird. So now we can just say copy \\MS01\Setup\proof2.txt to the Desktop. And let's go ahead and rename it to just proof. Bingo.
All set there. So MS02 is good to go. Let's go back over to DC01. And on here, similarly, we can go up here, \\MS01, grab proof3, copy it to the Desktop, and get rid of the 3. We now have loot on all of our machines. So at this point we are ready to clean up any remnants on MS01.
I believe MS02 is good to go. So let's go ahead and verify. The deleteme profile is still there. Let's make sure and get rid of that. Hmm.
So it should have done that already. Let's go ahead and right click, hold shift, hit delete. It does a permanent delete. Setup is good. So the last thing we should do is go ahead and go back to computer management.
And let's disable the administrator account. We don't need that anymore. And reboot.
Alright, MS01's rebooted. We are logged on as Lucy. Looks like this is good to go. So at this point, the last thing that we have to do is clean up our Kali box. We've got all these goodies sitting here.
You can either basically throw this away and just deploy a new image when you're ready to practice the lab, or the easy way to do it is, since I created all this in one folder, just back off to the Desktop. Remove. Let's do clear. rm -rf
AD setup, boom, it's gone. And let's go ahead and say mousepad. You can also use nano, but I'm using Mousepad, and you'll see why here.
.zsh_history. Oh, because we haven't closed. Okay, so watch this.
So first it's empty. There's a reason: it's because it's in use by this. So once we close that and close that, and we can close our VPN. Oh, and close.
Actually, you know what? Let's close Firefox as well, and then let's open Firefox back up: History, Clear Recent History, clear everything, boom. And then Mousepad, you can click Open here, and the intention was... actually, we'll just go back: mousepad .zsh_history. Now you'll see it's got all this goody stuff in here; we want to delete all of that. So delete, save, close. What I should have done was an ampersand; then it opens up in a second process.
You can close this and it wouldn't... Okay, well, it shouldn't have killed Mousepad. Either way, Mousepad, open the .zsh_history, delete it, save it, good to go.
Now there's no history there. So at this point, you're cleaned up, you're ready to go, and go ahead and reboot Kali and practice the lab. Have fun.