The Auror Project - Challenge - Session 1
This post covers the walkthrough of a challenge for the first session of "The Auror Project".
A quick background
"The Auror Project" is an initiative by Sudarshan Pisupati for building a goal-driven InfoSec community.
The idea is to catch-up online during weekends and discuss/tutor on a pre-decided topic (not necessarily technical).
The goal of this project is to assist participants towards meeting their larger career goals in infosec, which I truly believe is helping many people who have associated with the initiative.
We also discuss other "operational" aspects of career-building process like interview preparations, salary negotiations, career paths, certifications, and many more.
My journey with this project has been super-exciting!
This is an awesome initiative and I highly encourage you to be a part of it, because together we rise higher and shine brighter!
3 Machines Labs Course
This course was announced under "The Auror Project" initiative, which is basically a series of live-learning sessions to cement your understanding of a key component present in most organizations: Active Directory. More on it here.
The format is challenge-based learning - where each session is followed by a challenge designed to cement your understanding of the core concepts.
I was super-excited for this one because I love experimenting with Active Directory and this was an opportunity to enhance and strengthen my foundation.
The first session was conducted on 16-April-2022, where we practically learned the concepts of Domains, Domain Controllers, Domain joining process and attributes. In short, the whole process would involve following steps -
Setting up a Window 2016 server VM
Promoting this server to Domain Controller
Setting up a VM with a Windows OS
Joining this VM to the domain as configured in Step 2
The challenge
We performed the above four steps manually. At the end of the session, we were given a challenge of automating the entire process and rebuild the entire lab. More details here .
Though the challenge seems easy, it does require some time and bit of a research. As hinted in the challenge details, I explored Vagrant
Wikipeda says -
"Vagrant is an open-source software product for building and maintaining portable virtual software development environments; e.g., for VirtualBox, KVM, Hyper-V, Docker containers, VMware, and AWS"
Looks like this is exactly what we need! While it supports many hypervisors, I am personally comfortable with VirtualBox.
Vagrant has published an excellent documentation on their website.
We need to install reload plugin to ensure smooth restarting of VMs. Below is the command to install the plugin -
vagrant plugin install vagrant-reloadSetting up Machine A
As per the challenge, Machine A is a domain controller. So, we first need to spin-up Windows Server 2016 in VirtualBox.
I used Vagrant Cloud for provisioning the server. Below is the link for the vagrant box that I used -
https://app.vagrantup.com/gusztavvargadr/boxes/windows-server
By default, vagrant uses winrm protocol to communicate with Windows VMs. For this, vagrant creates a local user account in Windows for interaction through winrm. The account credentials is vagrant/vagrant
The vagrant file for provisioning and configuring Machine A looks like below -
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do | config |
config.vagrant.plugins = ["vagrant-reload"]
config.vm.define "MachineA" do | vm1 |
vm1.vm.provider "virtualbox" do | vb |
vb.memory = "3072"
vb.name = "Machine A"
vb.gui = true
end
vm1.vm.box = "gusztavvargadr/windows-server"
vm1.vm.box_version = "1607.0.2112"
vm1.winrm.transport = :plaintext
vm1.winrm.basic_auth_only = true
vm1.vm.hostname = "aurordc"
vm1.vm.network "private_network", ip: "10.0.0.9"
vm1.vm.provision "shell", path: "./scripts/setup_dc.ps1"
vm1.vm.provision "reload"
vm1.vm.boot_timeout = 6000
end
endThe above vagrant file would perform below operations -
Assign appropriate memory to VM.
Instruct vagrant to download and provision the Windows server through vagrant box on Vagrant Cloud.
Configure winRM to use basic authentication over plaintext channel (for simplicity)
Assign a network interface with private network IP address (as mentioned in challenge objective)
Run our script to install domain service and promote the server to domain controller.
Note that we haven't specified winrm username and password explicitly, because after DC promo, the vagrant user gets promoted to Domain Users, which means it would also need "domain" while supplying the creds. So I let vagrant handle this situation
setup_dc.ps1 -
net user adam Pass@123 /add
net localgroup "Remote Desktop Users" adam /add
$domain_name = "auror.local"
$netbios_name = "auror"
$mode = "Win2012R2"
$password = "Vagrant@2022"
$sPassword = $password | ConvertTo-SecureString -AsPlainText -Force
Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
Import-Module ADDSDeployment
$forestProperties = @{
DomainName = $domain_name
DomainNetbiosName = $netbios_name
ForestMode = $mode
DomainMode = $mode
InstallDns = $true
SafeModeAdministratorPassword = $sPassword
DatabasePath = "C:\Windows\NTDS"
LogPath = "C:\Windows\NTDS"
SysvolPath = "C:\Windows\SYSVOL"
Force = $true
NoRebootOnCompletion = $true
}
Install-ADDSForest @forestPropertiesThe above script would -
Create user "adam" and add it to RDP users group (as mentioned in challenge objectives)
Install domain services (including DNS server)
Create a domain "auror.local"
Setting up Machine B
I used Windows 10 vagrant box for setting up Machine B -
https://app.vagrantup.com/gusztavvargadr/boxes/windows-10
The vagrant file for provisioning and configuring Machine B looks like below -
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do | config |
config.vm.define "MachineB" do | vm2 |
vm2.vm.provider "virtualbox" do | vb |
vb.memory = "2048"
vb.name = "Machine B"
vb.gui = true
end
vm2.vm.box = "gusztavvargadr/windows-10"
vm2.vm.box_version = "2102.0.2204"
vm2.winrm.transport = :plaintext
vm2.winrm.basic_auth_only = true
vm2.vm.hostname = "MachineB"
vm2.vm.network "private_network", ip: "10.0.0.19"
vm2.vm.provision "shell", path: "./scripts/domain_join.ps1"
vm2.vm.provision "reload"
vm2.vm.boot_timeout = 6000
end
endThe above vagrant file would perform below operations -
Assign appropriate memory to VM.
Instruct vagrant to download and provision the Windows 10 VM through vagrant box on Vagrant Cloud.
Configure winRM to use basic authentication over plaintext channel (for simplicity)
Assign a network interface with private network IP address (as mentioned in challenge objectives)
Run our script to join this VM to domain "auror.local".
domain_join.ps1-
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
set-mppreference -disableioavprotection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableNetworkProtection 0 -DisableBehaviorMonitoring $true
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration
$adapters | ForEach-Object {$_.SetDNSServerSearchOrder("10.0.0.9")}
$username = "vagrant"
$password = "vagrant"
$sPassword = $password | ConvertTo-SecureString -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential $username, $sPassword
Add-Computer -DomainName auror.local -credential $creds
net localgroup "Administrators" auror\adam /add
Invoke-WebRequest "http://dl.google.com/chrome/install/375.126/chrome_installer.exe" -OutFile C:\\Windows\\Tasks\\chrome_setup.exe
Start-Process -FilePath C:\\Windows\\Tasks\\chrome_setup.exe -Args "/silent /install"The above script would -
Disable windows defender and windows firewall
Assign IP address of Machine A as DNS server IP for the private interface.
Configure domain name in computer properties
Assign local administrator privileges to adam (as mentioned in challenge objectives).
Download chrome and install it (as mentioned in challenge objectives).
The final vagrant file for setting up Machine A and Machine B would look like below -
# -*- mode: ruby -*-
# vi: set ft=ruby :
Vagrant.configure("2") do | config |
config.vagrant.plugins = ["vagrant-reload"]
config.vm.define "MachineA" do | vm1 |
vm1.vm.provider "virtualbox" do | vb |
vb.memory = "3072"
vb.name = "Machine A"
vb.gui = true
end
vm1.vm.box = "gusztavvargadr/windows-server"
vm1.vm.box_version = "1607.0.2112"
vm1.winrm.transport = :plaintext
vm1.winrm.basic_auth_only = true
vm1.vm.hostname = "aurordc"
vm1.vm.network "private_network", ip: "10.0.0.9"
vm1.vm.provision "shell", path: "./scripts/setup_dc.ps1"
vm1.vm.provision "reload"
vm1.vm.boot_timeout = 6000
end
config.vm.define "MachineB" do | vm2 |
vm2.vm.provider "virtualbox" do | vb |
vb.memory = "2048"
vb.name = "Machine B"
vb.gui = true
end
vm2.vm.box = "gusztavvargadr/windows-10"
vm2.vm.box_version = "2102.0.2204"
vm2.winrm.transport = :plaintext
vm2.winrm.basic_auth_only = true
vm2.vm.hostname = "MachineB"
vm2.vm.network "private_network", ip: "10.0.0.19"
vm2.vm.provision "shell", path: "./scripts/domain_join.ps1"
vm2.vm.provision "reload"
vm2.vm.boot_timeout = 6000
end
endNote that we need to create "scripts" folder in the same directory where the vagrant file is placed. The scripts folder should have setup_dc.ps1 and domain_join.ps1 files
We can spin-up the entire lab with below command -
vagrant up
After few minutes, your lab should be provisioned.
As mentioned in the challenges, we need to check below test cases to ensure that the lab has been properly setup -
RDP into Machine B with user “Adam” should be successful
From Machine B as user Adam, the command “net use \\auror.local” should result in command completed successfully
Run script Powerview.ps1 function “Get-DomainUser” from Machine B should show Adam as a user
Chrome should be installed on Machine B
Test cases checked on Machine A -
Test cases checked on Machine B -
This completes our challenge! In this challenge, we automated 2-machine AD lab provisioning process using vagrant.
Many thanks to Sudarshan and "The Auror Project" team for the wonderful learning!
Hope you guys enjoyed the article! Happy Hacking!