Netexec Workshop (leHACK 2024)

Props!

Huge shout out to @ladhaAleem for creating this project, converting the leHACK 2024 workshop created by @mpgn_x64 into an Ansible playbook, and making it work with Ludus as well!

Description from leHACK 2024

Welcome to the NetExec Active Directory Lab! This lab is designed to teach you how to exploit Active Directory (AD) environments using the powerful tool NetExec.

Originally featured in the leHACK 2024 Workshop, this lab is now available for free to everyone! In this lab, you’ll explore how to use the powerful tool NetExec to efficiently compromise an Active Directory domain during an internal pentest.

The ultimate goal? Become Domain Administrator by following various attack paths, using nothing but NetExec and maybe BloodHound (Why not :P).

Obviously, do not cheat by looking at the passwords and flags in the recipe files; the lab must go from no user to full compromise.

Note: One change has been made to this lab compared with the workshop: the part using the msol module on nxc is replaced with a dump of lsass. The rest is identical.

Scenario

The Gallic camp was attacked by the Romans and it seems that a traitor made this attack possible! Two domains must be compromised to find it 🔥

Public Writeups

Deployment

1. Add the Windows 2019 template to Ludus

git clone https://gitlab.com/badsectorlabs/ludus
cd ludus/templates
ludus templates add -d win2019-server-x64
[INFO] Successfully added template
ludus templates build
[INFO] Template building started - this will take a while. Building 1 template(s) at a time.
# Wait until the templates finish building, you can monitor them with `ludus templates logs -f` or `ludus templates status`
ludus templates list
+----------------------------------------+-------+
| TEMPLATE | BUILT |
+----------------------------------------+-------+
| debian-11-x64-server-template | TRUE |
| debian-12-x64-server-template | TRUE |
| kali-x64-desktop-template | TRUE |
| win11-22h2-x64-enterprise-template | TRUE |
| win2022-server-x64-template | TRUE |
| win2019-server-x64-template | TRUE |
+----------------------------------------+-------+

2. Deploy VMs

Set and deploy the configuration for the lab.

git clone https://github.com/Pennyw0rth/NetExec-Lab
ludus range config set -f NetExec-Lab/LeHack-2024/ad/LEHACK/providers/ludus/config.yml
ludus range deploy
# Wait for the range to successfully deploy
# You can watch the logs with `ludus range logs -f`
# Or check the status with `ludus range status`

3. Install requirements

Install Ansible and its requirements for the NetExec lab on your local machine.

# You can use a virtualenv here if you would like
python3 -m pip install ansible-core
python3 -m pip install pywinrm
# Skip the clone if you already cloned the repository in step 2
git clone https://github.com/Pennyw0rth/NetExec-Lab
cd NetExec-Lab/LeHack-2024/ansible
ansible-galaxy install -r requirements.yml

4. Setup the inventory files

The inventory files are already present in the providers folder. Replace RANGENUMBER in them with your range number using sed (commands provided below).

# Go to the ansible directory as above (skip the cd if you are already there)
cd NetExec-Lab/LeHack-2024/ansible
export RANGENUMBER=$(ludus range list --json | jq '.rangeNumber')
# `sudo apt install jq` if you don't have jq
sed -i "s/RANGENUMBER/$RANGENUMBER/g" ../ad/LEHACK/providers/ludus/inventory.yml
sed -i "s/RANGENUMBER/$RANGENUMBER/g" ../ad/LEHACK/providers/ludus/inventory_disableludus.yml
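
A guarded form of the substitution above, as an added example that is not part of the lab's own scripts: it rejects a value such as `null` (what `jq` prints when the field is absent) and reports a file with no `RANGENUMBER` placeholder left, since a second `sed` run with a different number silently changes nothing. The function names and the sample inventory lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: guarded version of the RANGENUMBER substitution in step 4.

# True only if $1 can be the second octet of 10.<n>.10.x (plain decimal 0-255).
valid_range_number() {
    case "$1" in
        ''|*[!0-9]*|0?*) return 1 ;;   # empty, "null", quoted, or leading zero
    esac
    [ "${#1}" -le 3 ] && [ "$1" -le 255 ]
}

# Substitute the placeholder in one inventory file.
# Returns 1 on bad input, 2 if the file holds no placeholder (already patched).
patch_inventory() {
    number=$1 file=$2
    valid_range_number "$number" || { echo "[-] bad range number: '$number'" >&2; return 1; }
    [ -f "$file" ] || { echo "[-] missing inventory: $file" >&2; return 1; }
    if ! grep -q 'RANGENUMBER' "$file"; then
        echo "[-] no placeholder in $file; it was patched earlier, restore it first" >&2
        return 2
    fi
    # Write to a temp file and move it into place (portable alternative to sed -i)
    sed "s/RANGENUMBER/$number/g" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demo on a constructed inventory fragment (not the lab's real file).
demo() {
    tmp=$(mktemp)
    printf 'dc01 ansible_host=10.RANGENUMBER.10.10\nsrv01 ansible_host=10.RANGENUMBER.10.12\n' > "$tmp"
    patch_inventory null "$tmp" || echo "[+] rejected 'null' (rc=$?)"
    patch_inventory 3 "$tmp"    && echo "[+] patched with range number 3"
    patch_inventory 4 "$tmp"    || echo "[+] refused second run (rc=$?)"
    cat "$tmp"
    rm -f "$tmp"
}
demo
```

If the function returns 2, restore the inventory files from git before substituting a different range number.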

5. Deploy the NetExec Workshop

Note: If you are not running on the Ludus host, you must be connected to your Ludus WireGuard VPN for these commands to work.

# In the ansible folder (skip the cd if you are already there), perform the following
cd NetExec-Lab/LeHack-2024/ansible
export ANSIBLE_COMMAND="ansible-playbook -i ../ad/LEHACK/data/inventory -i ../ad/LEHACK/providers/ludus/inventory.yml"
export LAB="LEHACK"
chmod +x ../scripts/provisionning.sh
../scripts/provisionning.sh

Now you wait. [WARNING] lines are ok, and some steps may take a long time, don't panic!

This will take a few hours. You'll know it is done when you see:

May the gods of Gaul guide you as you embark on this dangerous quest!

5. Disable localuser

Once the install has finished, disable the localuser account so that it is not used and does not leave unintended secrets stored on the hosts (I'm looking at you, Lsassy).

Note: You must be connected to your Ludus WireGuard VPN for these commands to work.

# Still in the LeHack-2024/ansible directory
ansible-playbook -i ../ad/LEHACK/providers/ludus/inventory_disableludus.yml disable_localuser.yml reboot.yml

6. Snapshot VMs

Take snapshots via the Proxmox web UI, or SSH into the Ludus host and run the following as root:

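export RANGEID=JD # <= change to your ID
vms=("$RANGEID-dc01" "$RANGEID-dc02" "$RANGEID-srv01" "$RANGEID-srv02" "$RANGEID-kali")
COMMENT="Clean NetExec Lab setup after ansible run"
# Loop over the array
for vm in "${vms[@]}"
do
    echo "[+] Create snapshot for $vm"
    # Match the NAME column exactly so a partial name cannot select another VM
    id=$(qm list | awk -v name="$vm" '$2 == name {print $1}')
    if [ -z "$id" ]; then
        echo "[-] No VM named $vm found, skipping"
        continue
    fi
    echo "[+] VM id is : $id"
    # Include the VM state (RAM) in the snapshot and quote the generated name
    qm snapshot "$id" "snapshot-$(date '+%Y-%m-%d--%H-%M')" --vmstate 1 --description "$COMMENT"
done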

7. Hack!

Access your Kali machine at https://10.RANGENUMBER.10.99:8444 using the creds kali:password.

Network Diagram