Search
  • Kshitij Khakurdikar

The Auror Project - Challenge - Session 1

This post covers the walkthrough of a challenge for the first session of "The Auror Project".

A quick background


"The Auror Project" is an initiative by Sudarshan Pisupati for building a goal-driven InfoSec community.

The idea is to catch-up online during weekends and discuss/tutor on a pre-decided topic (not necessarily technical).

The goal of this project is to assist participants towards meeting their larger career goals in infosec, which I truly believe is helping many people who have associated with the initiative.

We also discuss other "operational" aspects of career-building process like interview preparations, salary negotiations, career paths, certifications, and many more.

My journey with this project has been super-exciting!

This is an awesome initiative and I highly encourage you to be a part of it, because together we rise higher and shine brighter!


3 Machines Labs Course


This course was announced under "The Auror Project" initiative, which is basically a series of live-learning sessions to cement your understanding of a key component present in most organizations: Active Directory. More on it here.


The format is challenge-based learning - where each session is followed by a challenge designed to cement your understanding of the core concepts.


I was super-excited for this one because I love experimenting with Active Directory and this was an opportunity to enhance and strengthen my foundation.


The first session was conducted on 16-April-2022, where we practically learned the concepts of Domains, Domain Controllers, Domain joining process and attributes. In short, the whole process would involve following steps -

  1. Setting up a Window 2016 server VM

  2. Promoting this server to Domain Controller

  3. Setting up a VM with a Windows OS

  4. Joining this VM to the domain as configured in Step 2

The challenge


We performed the above four steps manually. At the end of the session, we were given a challenge of automating the entire process and rebuild the entire lab. More details here .


Though the challenge seems easy, it does require some time and bit of a research. As hinted in the challenge details, I explored Vagrant


Wikipeda says -

"Vagrant is an open-source software product for building and maintaining portable virtual software development environments; e.g., for VirtualBox, KVM, Hyper-V, Docker containers, VMware, and AWS"

Looks like this is exactly what we need! While it supports many hypervisors, I am personally comfortable with VirtualBox.


Vagrant has published an excellent documentation on their website.


We need to install reload plugin to ensure smooth restarting of VMs. Below is the command to install the plugin -

vagrant plugin install vagrant-reload

Setting up Machine A


As per the challenge, Machine A is a domain controller. So, we first need to spin-up Windows Server 2016 in VirtualBox.

I used Vagrant Cloud for provisioning the server. Below is the link for the vagrant box that I used -

https://app.vagrantup.com/gusztavvargadr/boxes/windows-server


By default, vagrant uses winrm protocol to communicate with Windows VMs. For this, vagrant creates a local user account in Windows for interaction through winrm. The account credentials is vagrant/vagrant


The vagrant file for provisioning and configuring Machine A looks like below -

# -*- mode: ruby -*-
# vi: set ft=ruby :


Vagrant.configure("2") do | config |

	config.vagrant.plugins = ["vagrant-reload"]

	config.vm.define "MachineA" do | vm1 |
		vm1.vm.provider "virtualbox" do | vb |
			vb.memory = "3072"
			vb.name = "Machine A"
			vb.gui = true
		end
		vm1.vm.box = "gusztavvargadr/windows-server"
		vm1.vm.box_version = "1607.0.2112"
		vm1.winrm.transport = :plaintext
		vm1.winrm.basic_auth_only = true
		vm1.vm.hostname = "aurordc"
		vm1.vm.network "private_network", ip: "10.0.0.9"
		vm1.vm.provision "shell", path: "./scripts/setup_dc.ps1"
		vm1.vm.provision "reload"
		vm1.vm.boot_timeout = 6000				
	end
end

The above vagrant file would perform below operations -

  1. Assign appropriate memory to VM.

  2. Instruct vagrant to download and provision the Windows server through vagrant box on Vagrant Cloud.

  3. Configure winRM to use basic authentication over plaintext channel (for simplicity)

  4. Assign a network interface with private network IP address (as mentioned in challenge objective)

  5. Run our script to install domain service and promote the server to domain controller.

Note that we haven't specified winrm username and password explicitly, because after DC promo, the vagrant user gets promoted to Domain Users, which means it would also need "domain" while supplying the creds. So I let vagrant handle this situation


setup_dc.ps1 -

net user adam Pass@123 /add
net localgroup "Remote Desktop Users" adam /add

$domain_name  = "auror.local"
$netbios_name = "auror"
$mode  = "Win2012R2"
$password = "Vagrant@2022"
$sPassword = $password | ConvertTo-SecureString -AsPlainText -Force

Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools

Import-Module ADDSDeployment

$forestProperties = @{

    DomainName           = $domain_name
    DomainNetbiosName    = $netbios_name
    ForestMode           = $mode
    DomainMode           = $mode
    InstallDns           = $true
    SafeModeAdministratorPassword = $sPassword
    DatabasePath         = "C:\Windows\NTDS"
    LogPath              = "C:\Windows\NTDS"
    SysvolPath           = "C:\Windows\SYSVOL"
    Force                = $true
    NoRebootOnCompletion = $true
}

Install-ADDSForest @forestProperties

The above script would -

  1. Create user "adam" and add it to RDP users group (as mentioned in challenge objectives)

  2. Install domain services (including DNS server)

  3. Create a domain "auror.local"

Setting up Machine B


I used Windows 10 vagrant box for setting up Machine B -

https://app.vagrantup.com/gusztavvargadr/boxes/windows-10


The vagrant file for provisioning and configuring Machine B looks like below -

# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure("2") do | config |

	config.vm.define "MachineB" do | vm2 |
	
		vm2.vm.provider "virtualbox" do | vb |
			vb.memory = "2048"
			vb.name = "Machine B"
			vb.gui = true
		end	
		vm2.vm.box = "gusztavvargadr/windows-10"
		vm2.vm.box_version = "2102.0.2204"
		vm2.winrm.transport = :plaintext
		vm2.winrm.basic_auth_only = true
		vm2.vm.hostname = "MachineB"
		vm2.vm.network "private_network", ip: "10.0.0.19"
		vm2.vm.provision "shell", path: "./scripts/domain_join.ps1"
		vm2.vm.provision "reload"
		vm2.vm.boot_timeout = 6000		
	end
end

The above vagrant file would perform below operations -

  1. Assign appropriate memory to VM.

  2. Instruct vagrant to download and provision the Windows 10 VM through vagrant box on Vagrant Cloud.

  3. Configure winRM to use basic authentication over plaintext channel (for simplicity)

  4. Assign a network interface with private network IP address (as mentioned in challenge objectives)

  5. Run our script to join this VM to domain "auror.local".

domain_join.ps1-

Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False
set-mppreference -disableioavprotection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableNetworkProtection 0 -DisableBehaviorMonitoring $true

$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration
$adapters | ForEach-Object {$_.SetDNSServerSearchOrder("10.0.0.9")}

$username = "vagrant"
$password = "vagrant"
$sPassword = $password | ConvertTo-SecureString -AsPlainText -Force

$creds = New-Object System.Management.Automation.PSCredential $username, $sPassword

Add-Computer -DomainName auror.local -credential $creds

net localgroup "Administrators" auror\adam /add
 
Invoke-WebRequest "http://dl.google.com/chrome/install/375.126/chrome_installer.exe" -OutFile C:\\Windows\\Tasks\\chrome_setup.exe

Start-Process -FilePath C:\\Windows\\Tasks\\chrome_setup.exe -Args "/silent /install"

The above script would -

  1. Disable windows defender and windows firewall

  2. Assign IP address of Machine A as DNS server IP for the private interface.

  3. Configure domain name in computer properties

  4. Assign local administrator privileges to adam (as mentioned in challenge objectives).

  5. Download chrome and install it (as mentioned in challenge objectives).

The final vagrant file for setting up Machine A and Machine B would look like below -

# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure("2") do | config |

	config.vagrant.plugins = ["vagrant-reload"]

	config.vm.define "MachineA" do | vm1 |
		
		vm1.vm.provider "virtualbox" do | vb |
			vb.memory = "3072"
			vb.name = "Machine A"
			vb.gui = true
		end
		vm1.vm.box = "gusztavvargadr/windows-server"
		vm1.vm.box_version = "1607.0.2112"
		vm1.winrm.transport = :plaintext
		vm1.winrm.basic_auth_only = true
		vm1.vm.hostname = "aurordc"
		vm1.vm.network "private_network", ip: "10.0.0.9"
		vm1.vm.provision "shell", path: "./scripts/setup_dc.ps1"
		vm1.vm.provision "reload"
		vm1.vm.boot_timeout = 6000
		
						
	end
	
	config.vm.define "MachineB" do | vm2 |
	
		vm2.vm.provider "virtualbox" do | vb |
			vb.memory = "2048"
			vb.name = "Machine B"
			vb.gui = true
		end	
		vm2.vm.box = "gusztavvargadr/windows-10"
		vm2.vm.box_version = "2102.0.2204"
		vm2.winrm.transport = :plaintext
		vm2.winrm.basic_auth_only = true
		vm2.vm.hostname = "MachineB"
		vm2.vm.network "private_network", ip: "10.0.0.19"
		vm2.vm.provision "shell", path: "./scripts/domain_join.ps1"
		vm2.vm.provision "reload"
		vm2.vm.boot_timeout = 6000
			
	end
end

Note that we need to create "scripts" folder in the same directory where the vagrant file is placed. The scripts folder should have setup_dc.ps1 and domain_join.ps1 files


We can spin-up the entire lab with below command -

vagrant up

After few minutes, your lab should be provisioned.

As mentioned in the challenges, we need to check below test cases to ensure that the lab has been properly setup -

  • RDP into Machine B with user “Adam” should be successful

  • From Machine B as user Adam, the command “net use \\auror.local” should result in command completed successfully

  • Run script Powerview.ps1 function “Get-DomainUser” from Machine B should show Adam as a user

  • Chrome should be installed on Machine B

Test cases checked on Machine A -

Test cases checked on Machine B -

This completes our challenge! In this challenge, we automated 2-machine AD lab provisioning process using vagrant.


Many thanks to Sudarshan and "The Auror Project" team for the wonderful learning!


Hope you guys enjoyed the article! Happy Hacking!

374 views0 comments

Recent Posts

See All