Redbot Security also found that the conference room next to Redbot Security’s conference room had a system present that used an account, “bdroom”, which performed an auto-login to the system. By performing a memory dump on the system and analyzing it offline, Redbot Security obtained the credentials for the “bdroom” user. Redbot Security then used these credentials to access various file shares and to perform an attack called “Kerberoasting”, which allowed Redbot Security to obtain password hashes for the accounts behind Service Principal Names on the network.
During the engagement, Redbot Security also noticed that the Forescout user account would attempt to authenticate to Redbot Security’s host over SMB any time Redbot Security changed its MAC address while on the network. Redbot Security exploited this behavior to relay the resulting NetNTLMv2 hash to systems that did not require SMB signing. As the Forescout user had local admin privileges over workstations on the network, Redbot Security could relay the Forescout hash to gain admin access to those workstations and extract local password hashes. However, commands could not be executed using this method against the majority of Windows 10 workstations, which had Microsoft’s Attack Surface Reduction (ASR) rules configured to prevent services and commands from being executed remotely via WMI and PsExec.
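The two Active Directory techniques in the preceding paragraphs, Kerberoasting and NTLM relay of a privileged account, both leave a recognizable footprint in Windows Security event logs. The following is an added example, not code from the Redbot Security report, of detection logic run over constructed event records: Kerberoasting shows as a user requesting many Event ID 4769 service tickets with RC4 (TicketEncryptionType 0x17) for user-owned SPNs in a short window, and relay shows as Event ID 4624 network logons (LogonType 3, NTLM) for one account landing on many hosts from a single source address. The one-line "timestamp key=value" layout, the hosts, names and addresses are all constructed for this example; the field names follow the Security event schema. The durable fixes the report implies are requiring SMB signing and removing the Forescout account's local admin rights, with AES-only service accounts and long random service passwords for the Kerberoasting side.

```python
"""Added example (not part of the Redbot Security report): detection logic for
Kerberoasting (4769 with RC4 tickets) and NTLM relay (4624 NTLM network logons
fanning out across hosts) over constructed Windows Security event records."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; AES tickets are 0x11/0x12

# Constructed sample events. A real 4624 carries the target host in the event's
# System/Computer element; it is flattened into a Computer=... field here.
SAMPLE_EVENTS = """\
2024-01-10T09:00:01 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=MSSQLSvc/db01.corp.local TicketEncryptionType=0x17 IpAddress=10.10.5.23
2024-01-10T09:00:02 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=HTTP/intranet.corp.local TicketEncryptionType=0x17 IpAddress=10.10.5.23
2024-01-10T09:00:02 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=HTTP/reports.corp.local TicketEncryptionType=0x17 IpAddress=10.10.5.23
2024-01-10T09:00:03 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=WS07$ TicketEncryptionType=0x17 IpAddress=10.10.5.23
2024-01-10T09:00:03 EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.5.23
2024-01-10T09:15:00 EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=MSSQLSvc/db01.corp.local TicketEncryptionType=0x12 IpAddress=10.10.7.40
2024-01-10T10:00:00 EventID=4624 TargetUserName=forescout LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.10.5.23 Computer=WS01
2024-01-10T10:00:04 EventID=4624 TargetUserName=forescout LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.10.5.23 Computer=WS02
2024-01-10T10:00:09 EventID=4624 TargetUserName=forescout LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.10.5.23 Computer=WS03
2024-01-10T11:30:00 EventID=4624 TargetUserName=forescout LogonType=3 AuthenticationPackageName=NTLM IpAddress=10.10.1.10 Computer=WS04
2024-01-10T11:31:00 EventID=4624 TargetUserName=alice LogonType=2 AuthenticationPackageName=Kerberos IpAddress=10.10.5.23 Computer=WS01
"""


def parse_events(text):
    """Parse the constructed one-line format into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = {"ts": datetime.fromisoformat(ts)}
        for pair in pairs:
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def _burst(items, window, threshold):
    """Earliest window in a (time, value) list holding >= threshold distinct values."""
    items = sorted(items)
    for i, (t0, _) in enumerate(items):
        distinct = {v for t, v in items[i:] if t - t0 <= window}
        if len(distinct) >= threshold:
            return sorted(distinct)
    return None


def detect_kerberoasting(events, threshold=3, window=timedelta(minutes=5)):
    """{requesting user: [service names]} for bursts of RC4 tickets on user SPNs."""
    per_user = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != "4769" or ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = ev["ServiceName"]
        # Machine accounts ($) and krbtgt are not the targets of this technique.
        if svc.endswith("$") or svc.lower().startswith("krbtgt"):
            continue
        per_user[ev["TargetUserName"]].append((ev["ts"], svc))
    hits = {}
    for user, requests in per_user.items():
        burst = _burst(requests, window, threshold)
        if burst:
            hits[user] = burst
    return hits


def detect_ntlm_relay(events, threshold=3, window=timedelta(minutes=10)):
    """{(account, source ip): [hosts]} where one source produced NTLM network
    logons for the same account on >= threshold distinct hosts within window."""
    per_key = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        if ev.get("AuthenticationPackageName", "").upper() != "NTLM":
            continue
        key = (ev["TargetUserName"].lower(), ev["IpAddress"])
        per_key[key].append((ev["ts"], ev["Computer"]))
    hits = {}
    for key, logons in per_key.items():
        burst = _burst(logons, window, threshold)
        if burst:
            hits[key] = burst
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("kerberoasting:", detect_kerberoasting(evs))
    print("ntlm relay:", detect_ntlm_relay(evs))
```

The RC4 filter matters: a service account that still allows RC4 is the one whose ticket can be cracked offline, so a single user pulling RC4 tickets for several distinct user SPNs within minutes is a far stronger signal than raw 4769 volume. The relay rule keys on the source address rather than the account because the relayed account is legitimate; what is abnormal is one origin reaching many hosts with it.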
In addition to dumping local hashes, Redbot Security found several systems on the network that were missing the MS17-010 critical security update. This allowed Redbot Security to exploit the systems and gain IT administrator credentials from memory. Using the IT admin credentials, Redbot Security accessed the SolarWinds server and gained the “svcsolarwinds” domain admin credentials from the system.
Redbot Security used “svcsolarwinds” to extract the NTDS.dit from the US domain controller. This file contained all user passwords as NTLM hashes. Of 9800 NTLM hashes extracted, 1879 were cracked within 31 minutes, including passwords for privileged accounts such as a member of the RHEL_Admins group. Additionally, Redbot Security discovered that some credentials for critical service user accounts were stored with reversible encryption, allowing Redbot Security to obtain those passwords in cleartext without having to crack them.
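The reversible-encryption finding above is a single bit on each user object, ENCRYPTED_TEXT_PWD_ALLOWED (0x80) in userAccountControl, so it can be audited from a directory export before anyone needs a copy of NTDS.dit. The following is an added example, not code from the Redbot Security report, that parses a constructed LDIF-style export, reports the reversible-encryption flag alongside two other password-hygiene flags, and marks accounts that also sit in a privileged group (RHEL_Admins is the group named in the report; the other group names are Active Directory defaults). Account names, DNs and flag values in the sample are constructed; the flag constants are the documented ADS_USER_FLAG values.

```python
"""Added example (not part of the Redbot Security report): userAccountControl
audit over a constructed LDIF export, to find accounts whose passwords are
stored with reversible encryption and rank them by group membership."""

ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080   # "Store password using reversible encryption"
PASSWD_NOTREQD = 0x0020               # account may have an empty password
DONT_EXPIRE_PASSWORD = 0x10000        # password never expires

FINDINGS = {
    ENCRYPTED_TEXT_PWD_ALLOWED: "reversible-encryption",
    PASSWD_NOTREQD: "password-not-required",
    DONT_EXPIRE_PASSWORD: "password-never-expires",
}

# Membership here escalates any finding to an immediate password rotation.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "RHEL_Admins"}

# Constructed export. 66176 = NORMAL_ACCOUNT(0x200) | DONT_EXPIRE(0x10000) | 0x80;
# 640 = NORMAL_ACCOUNT | 0x80; 512 = NORMAL_ACCOUNT only.
SAMPLE_LDIF = """\
dn: CN=svc_payments,OU=Service Accounts,DC=corp,DC=local
sAMAccountName: svc_payments
userAccountControl: 66176
memberOf: CN=RHEL_Admins,OU=Groups,DC=corp,DC=local
memberOf: CN=Domain Users,CN=Users,DC=corp,DC=local

dn: CN=jdoe,OU=Users,DC=corp,DC=local
sAMAccountName: jdoe
userAccountControl: 512
memberOf: CN=Domain Users,CN=Users,DC=corp,DC=local

dn: CN=svc_legacy,OU=Service Accounts,DC=corp,DC=local
sAMAccountName: svc_legacy
userAccountControl: 640
memberOf: CN=Domain Users,CN=Users,DC=corp,DC=local
"""


def parse_ldif(text):
    """Split an LDIF export into records; every attribute maps to a list of values.
    Simplified: base64 ('::') and folded continuation lines are not handled."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def group_name(dn):
    """'CN=RHEL_Admins,OU=Groups,DC=corp,DC=local' -> 'RHEL_Admins'."""
    return dn.split(",")[0].split("=", 1)[1]


def audit_accounts(records):
    """Return {sAMAccountName: sorted findings} for accounts with at least one."""
    results = {}
    for rec in records:
        uac = int(rec.get("userAccountControl", ["0"])[0])
        findings = [name for bit, name in FINDINGS.items() if uac & bit]
        if findings and any(group_name(g) in PRIVILEGED_GROUPS for g in rec.get("memberOf", [])):
            findings.append("privileged-group-member")
        if findings:
            results[rec["sAMAccountName"][0]] = sorted(findings)
    return results


def rotation_priority(results):
    """Accounts to reset first: reversible encryption on a privileged member.
    Clearing the flag alone is not enough; the stored value only becomes a
    one-way hash at the next password change."""
    return sorted(
        name for name, findings in results.items()
        if "reversible-encryption" in findings and "privileged-group-member" in findings
    )


if __name__ == "__main__":
    audit = audit_accounts(parse_ldif(SAMPLE_LDIF))
    for account, findings in audit.items():
        print(account, findings)
    print("rotate first:", rotation_priority(audit))
```

The flag can also be switched on for whole populations by the default domain password policy or a fine-grained password policy, so a clean per-user audit should be paired with a check of those policies; the per-user bit is what the export exposes directly.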
Using the RHEL administrator credentials, Redbot Security accessed Splunk, Confluence, BitBucket, and Jenkins servers to gain additional information and access to other systems on the network. Documentation obtained from Confluence revealed the ECommerce environment architecture, including jump box host names, vCenter instances, and how to manage the environment. Due to excessive services enabled on the e-commerce Windows jump box, Redbot Security was able to bypass the Duo two-factor requirement on RDP by obtaining a reverse shell on the host, which was then used to disable Duo and RDP into the system. Afterwards, Redbot Security accessed the VMware vCenter/vSphere instance using a Domain Admin account added to the VMware Admin domain group, permitting access to ECommerce hosts. Using the compromised RHEL admin credentials, Redbot Security gained access to the Power system, Payments system, and production Jenkins systems, and simulated exfiltration of credit card data from the Payments system through the Jenkins system and out of the environment over DNS.
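Exfiltration over DNS, as simulated at the end of the engagement, works because outbound name resolution is almost never blocked, and it leaves a distinctive pattern in resolver logs: many unique, long, high-entropy labels queried under one registered domain from one client in a short span. The following is an added example, not code from the Redbot Security report, of a scoring rule over a constructed DNS query log. It groups queries by client and registered domain, computes the count of distinct subdomain labels, their mean length and their mean Shannon entropy, and flags groups that exceed the thresholds. The log layout, client addresses and domain names are constructed; the "tunnelled" labels are generated from SHA-256 digests purely to produce hex-looking data for the sample.

```python
"""Added example (not part of the Redbot Security report): DNS exfiltration
detection over a constructed query log, scoring label count, length and entropy
per (client, registered domain)."""
import hashlib
import math
from collections import defaultdict


def _constructed_log():
    """Build the sample: ordinary internal lookups plus six tunnelled chunks."""
    lines = [
        "2024-01-10T12:00:00 10.20.3.7 A jenkins.corp.local",
        "2024-01-10T12:00:01 10.20.3.7 A confluence.corp.local",
        "2024-01-10T12:00:02 10.20.3.7 A bitbucket.corp.local",
        "2024-01-10T12:00:03 10.20.3.7 A splunk.corp.local",
        "2024-01-10T12:00:04 10.20.3.7 A vcenter.corp.local",
        "2024-01-10T12:00:05 10.20.3.9 A www.example.org",
    ]
    for i in range(6):
        # 48-character hex labels stand in for encoded data chunks.
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        lines.append(f"2024-01-10T12:01:{i:02d} 10.20.3.7 TXT {chunk}.t.example.test")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_queries(text):
    """'timestamp client qtype qname' lines -> list of tuples, qname normalised."""
    rows = []
    for line in text.splitlines():
        ts, client, qtype, qname = line.split()
        rows.append((ts, client, qtype, qname.rstrip(".").lower()))
    return rows


def shannon_entropy(s):
    """Bits per character; hex data sits near 4, English words nearer 2.5-3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive: the last two labels. Production code should use a public-suffix list."""
    return ".".join(qname.split(".")[-2:])


def score_queries(rows):
    """Per (client, domain): distinct leftmost labels and their length/entropy stats."""
    labels_by_key = defaultdict(set)
    for _, client, _, qname in rows:
        labels = qname.split(".")
        if len(labels) <= 2:          # bare registered domain carries no payload
            continue
        labels_by_key[(client, registered_domain(qname))].add(labels[0])
    scored = {}
    for key, labels in labels_by_key.items():
        scored[key] = {
            "unique_labels": len(labels),
            "mean_length": sum(map(len, labels)) / len(labels),
            "mean_entropy": sum(map(shannon_entropy, labels)) / len(labels),
        }
    return scored


def detect_dns_exfil(rows, min_unique=5, min_length=30.0, min_entropy=3.5):
    """Flag groups with many distinct labels that are also long or high-entropy."""
    flagged = {}
    for key, stats in score_queries(rows).items():
        many = stats["unique_labels"] >= min_unique
        odd = stats["mean_length"] >= min_length or stats["mean_entropy"] >= min_entropy
        if many and odd:
            flagged[key] = stats
    return flagged


if __name__ == "__main__":
    for key, stats in detect_dns_exfil(parse_queries(SAMPLE_LOG)).items():
        print(key, stats)
```

The "many distinct labels" condition is what keeps ordinary traffic out: the corp.local group in the sample also has five distinct subdomains, but short dictionary names with low entropy stay under both secondary thresholds. Tune the thresholds against a baseline of the environment's own resolver logs, and treat TXT and NULL query types under unfamiliar domains as extra weight rather than a separate rule.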