James Hay | OSCP | OSWE | CRTO

Hello, my friend. Stay a while and listen.

6 minute read

ADLAB is dead, long live ADLAB.

adlab

Initially I wanted a single use tool that would on its own deploy new VMs and then perform configurations upon them. The issue with this, is I was trying to force a PROVISIONER to perform CONFIGURATION. Vagrant creates the VMs, albeit in a slightly convoluted and messy manner. The simple, limited configuration I could force it to perform was like pulling teeth.

adlab

Hence the need for C.A.P.S.U.L.E.S. was born out of this frustration; a series of adaptable, easy to read and modify scripts to perform the configurations I was struggling with inside vagrant. Everything I wanted the lab to do was inside vague, hard to manipulate shell commands run with hacks and work arounds to hopefully not accidentally be terminated by a provision deployment reboot, or the lack of VMware tools or one of a fucking dozen other strange issues I encountered.

Once I had a rethink about the lab after I experienced a fucking MASSIVE multiple disk failure just before Christmas, I realised there’s absolutely zero point in using a provisioner for such a small lab. I am not interested in building CTF style scenarios, I like to build exercise labs. This privesc workshop was fundamental in my understanding of windows privilege escalation, and was a major reason I passed my OSCP. It’s also “"”boring”””. This is something I have written extensively about in my post on gamification and a general theme I have within the pivoting lab. Because of their small nature, using a provisioner is simply just the wrong sized sledgehammer to flatten my schnitzel.

hammer

Re-realising just how easy deploying new VMs is (I do it every second Monday when I begin a new test without even thinking or realising that I am doing it) reinforced that the AD lab project was way over engineered. The real value of that tool however, is the configuration side of it. And that’s an idea I wanted to stretch to the nth degree. Just how deep an environment can I automatically build, and, how much of it can I get the robot to build for me?

C.A.P.S.U.L.E.S. stands for Crafting Alternative PowerShell Scenarios Utilising Learning Environment Scripts. “Utilising Learning Environment Scripts” is the sort of secret here. Each of these, were at first, roughly produced with chatgpt. As one might imagine, it’s a backronym, just like all the cool black defence projects I have worked on. I knew I wanted this to be a series of modular kits, similar to CAPSULE CORP capsules from Dragon Ball Z, where a self-contained ecosystem can be contained in a capsule kit, or the capsules can be used standalone by themselves without the other capsules in the kit.

After how handily and easily chatgpt assembled my bash script to build my lemonsqueezy vulnhub box I assumed it would produce solid PowerShell scripts to handle the sorts of exercises I was trying to create. And produce scripts it sure did, but they were mostly absolutely fucking garbage and didn’t work. This is something very interesting; it handles bash and Linux a lot better than windows and PS. Out of a desire to force it to produce scripts, I spent way more time prompting the magic genie than it would have taken me to write them manually. I had started the project with intentions of making the linked list do the work for me, and like fuck I was going to be beaten by a rockem sockem robot.

What’s particularly interesting is the way chatgpt handles ACLs. It had no issues producing Linux chmod configurations that were correct, but really dropped the ball on ACLs and DACLs, just straight up inventing ones that didn’t exist, to make the result LOOK like it satisfied my query. It was fucking wild just how much bullshit the if/else backend would generate.

truth

So far the project has two kits available; one that will set up a domain, add some ACLs and DACLs and groups to practice some bouncing ball AD abuse techniques of varying manner. The second is a small script that will make a user reach out periodically to a UNC address, so you can collect responder hashes instead of doing it yourself. It’s something small, but it does add just a touch of realism to the responder practice. This is part of a larger idea to phase out my reliance on the sheepl toolkit to simulate users. I used to use this years ago to read emails when I was studying how to set up exchange servers in my lab when I was doing defence contracting. The next kit I want to develop will be standing up an SMTP server using PowerShell, and having a user read emails to try get phishing techniques to work.

fishing hardyharrharr hes fishing! This is a phishing/fishing pun because I am so clever!

And that’s the difference with the C.A.P.S.U.L.E.S. project; this isn’t a tool perse; it is (going to be) a suite of different scripts you can chop and change, drop in the sections you need to build the exercise you are after. I can’t find the vulnhub boxes with the scenarios and exercises on them I want, so Ill build them myself. The HTB prolabs come close, but I am sick to fucking death of every fuckhead going out of their way to ruin my experience on that platform. It ruined my experience in OFFSHORE having to combat not only the environment, not only the daily reverts in the middle of the fucking day, but people removing the accounts necessary to continue in the environment, leaving open shells or RDP sessions to spoil pathways, seeing other peoples CIDI scripts and knowing the pathway without learning how to discover it.

Eventually I want to create enough scripts covering enough varying scenarios and odd edge cases that I can have a realistic enough, functioning, living, and breathing environment that I can perform REAL adversary emulation. Because nothing on this earth gets me as hard as the term adversary emulation. My goodness, REAL adversary emulation, like the F-117 matchups occurring in the 5th gen battlespace (where the F-117 is playing aggressor roles against current air vehicles), is the most exciting, interesting, and just darn coolest thing in the world to me.

notanf117 Look at this motherfucker that is straight up out of Team Rockets hangar.

BUT I also require it not be “"”special”””. There is nothing more infuriating than having a “special” VM for testing, training etc that you slowly build up, slowly modify out of the ordinary, and then you fuck it up. Too many AMSI bypasses in a row COMPLETLEY fried defender on a windows 10 machine I was using; it was irreparable. I cannot explain HOW it happened, but from that point on defender would simply refuse to ever start again. This means the machines must be configurable via scripts that are easily deployed, so if one was to rm rf the entire machine or the drive yeets itself, its not a devastating loss; just run the scripts again.

I enjoyed putting this project together, it was a nice distraction from studying, as the OSWE fucking killed my mental drive to learn. Building projects is a great way for me to feel good again, even if they do fall apart under strain.

breadsticks

Anyway that is all for today, stay tuned for the next episode of my diatribes.

wolfcastle

You May Also Enjoy

The Price of Good

6 minute read

Alternative titles for this post I came up with included “What is premium?” and the exceedingly clever “Premium and the art of good enough”. This post wa...

GraphQL Denial of Service with DVGA

9 minute read

In an act of sheer irony, after passing my OSWE, I have been on all manner of odd, bespoke testing but not as much web work as I was doing before taking the ...

Crafting CSP Spells

7 minute read

Todays adventures take us down a rabbit hole I see pop up almost constantly in my testing; which developer doesnt care about Content Security Policy (CSP) th...

Diablo II HD

5 minute read

I will never forget the first time I came across the butcher in Diablo 1, and how it scared the absolute shit out of me as a kid. It was my first pirated gam...