
HoHo ... No Terminal Challenge

Elf Introduction

Help Eve Snowshoes in Santa's Office

Hey there, how's it going? I'm Eve Snowshoes.
Lately I've been spending a lot of cycles worrying about what's going on next door.
Before that, I was checking out Fail2Ban.
It's this slick log scanning tool for Apache web servers.
If you can complete this terminal challenge, I’d be happy to give you some things I’ve learned about Kerberoasting and Active Directory permissions!
Why don't you do some work with Fail2Ban on this Cranberry Pi terminal first, then we’ll talk Kerberoasting and Active Directory. OK?

Hints and Other Resources

Other Resources

KringleCon Talk
Automate Security Response by Creating Your Own "Naughty Lists" - Andy Smith

Fail2ban Jails, Filters, and Actions
https://www.fail2ban.org/wiki/index.php/MANUAL_0_8#General_settings

Open the Terminal

Open the HoHo ... No terminal in Santa's office

Screenshot

Solution

To complete this objective we need to create three Fail2ban configuration files: a jail, a filter, and an action.

Jail Configuration

This file contains the basic configuration of the jail: it references the filter, the action, the log to be processed, and the criteria that trigger the action (the filter matching 10 times within a 60-minute window).

/etc/fail2ban/jail.d/nutmeg-jail.conf
[nutmeg-jail]
enabled = true
filter = nutmeg-filter
action = nutmeg-action
logpath = /var/log/hohono.log
maxretry = 10
findtime = 60m

Action Configuration

This file contains the necessary actions to ban and unban an IP address as specified in the introduction.

/etc/fail2ban/action.d/nutmeg-action.conf
[Definition]
actionban = /root/naughtylist add <ip>
actionunban = /root/naughtylist del <ip>

Filter Configuration

Looking through the '/var/log/hohono.log' file we find that there are 4 types of entries in the file that represent some kind of failure, and each needs to be added to the filter configuration file.

/etc/fail2ban/filter.d/nutmeg-filter.conf
[Definition]
failregex = Failed login from <HOST>
            Login from <HOST> rejected due to unknown user name
            <HOST> sent a malformed request
            Invalid heartbeat .+ from <HOST>$
Note that while the last line in the filter could be written without the trailing '$', this anchor should be included so that the host must be the last thing on the line, which guards against malicious log input as described in the KringleCon Talk.

Warning

In the Action and Filter configuration files, "Definition" and "ip" must match the case shown here.

Processing the log

After creating the three files, restart Fail2ban and refresh the log.

service fail2ban restart
/root/naughtylist refresh
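As an added example (not code from this writeup or from Fail2ban itself), the following Python script applies the four failregex lines from the filter above to constructed log lines and replays the jail's maxretry/findtime rule, so you can see which hosts would be handed to actionban. The log line format, the IP addresses and the simple IPv4 expansion of <HOST> are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The four failregex lines from nutmeg-filter.conf. Fail2ban expands <HOST>
# itself; here a simple IPv4 named group stands in for that expansion.
FAILREGEX = [
    r"Failed login from <HOST>",
    r"Login from <HOST> rejected due to unknown user name",
    r"<HOST> sent a malformed request",
    r"Invalid heartbeat .+ from <HOST>$",   # $ : host must end the line
]
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]
MAXRETRY = 10                       # maxretry = 10 in nutmeg-jail.conf
FINDTIME = timedelta(minutes=60)    # findtime = 60m

def match_host(message):
    """Return the offending IP if any failregex matches the message, else None."""
    for rx in COMPILED:
        m = rx.search(message)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines):
    """Replay 'YYYY-MM-DD HH:MM:SS message' lines (a constructed format) and
    return the hosts that reach MAXRETRY matches inside one FINDTIME window."""
    recent = defaultdict(deque)     # host -> timestamps of recent failures
    banned = set()
    for line in lines:
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        host = match_host(line[20:])
        if host is None or host in banned:
            continue
        window = recent[host]
        window.append(ts)
        while ts - window[0] > FINDTIME:   # drop failures older than findtime
            window.popleft()
        if len(window) >= MAXRETRY:
            banned.add(host)                # actionban would run here
    return banned

# Constructed sample: 10 failures in 9 minutes from one host, one failure per
# hour from another (never 10 inside 60 minutes), and a benign login line.
SAMPLE_LOG = (
    [f"2021-12-20 09:{i:02d}:00 Failed login from 10.0.0.5" for i in range(10)]
    + [f"2021-12-20 {8 + i:02d}:30:00 10.0.0.9 sent a malformed request" for i in range(10)]
    + ["2021-12-20 09:05:00 Successful login from 10.0.0.7"]
)
```

Running hosts_to_ban(SAMPLE_LOG) returns only 10.0.0.5; the anchored heartbeat pattern also refuses a line with trailing text after the host, which is the point of the '$'.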

Screenshot

Completion

Talk to Eve to receive hints for Objective 8) Kerberoasting on an Open Fire

Fantastic! Thanks for the help!
Hey, would you like to know more about Kerberoasting and Active Directory permissions abuse?
There's a great talk by Chris Davis on this exact subject!
There are also plenty of resources available to learn more about Kerberoasting specifically.
If you have any trouble finding a domain controller, remember that, when not running as root, nmap default probing relies on connecting to TCP 80 and 443.
Got a hash that won't crack with your wordlist? OneRuleToRuleThemAll.rule is a great way to grow your keyspace.
Where'd you get your wordlist? CeWL might generate a great wordlist from the ElfU website, but it will ignore digits in terms by default.
So, apropos of nothing, have you ever known system administrators who store credentials in scripts? I know, I know, you understand the folly and would never do it!
The easy way to investigate Active Directory misconfigurations (for Blue and Red alike!) is with Bloodhound, but there are native methods as well.
Oh, and one last thing: once you've granted permissions to your user, it might take up to five minutes for it to propagate throughout the domain.